Detecting information leakage in Windows Server

Archive for October, 2004



Information leakage can occur when people with access to sensitive information copy the information to an insecure location. For example, a company’s financials may be stored on a file server. This server has restricted CIFS share permissions and restricted NTFS file system permissions. An employee with access copies these financials down and burns them to a CD. As there are no permissions or restrictions on the CD, anyone now has access to this sensitive information.

Detective controls exist in Windows Server and Windows XP to catch these types of situations.

Simply set up SACL (system access control list) entries on the file server. Right-click the folder, choose Properties, click the Security tab and then click Advanced. On the Advanced dialog, click the Auditing tab and then click Edit. I recommend checking “List Folder / Read Data”, “Create Files / Write Data”, “Create Folders / Append Data”, and “Delete Subfolders and Files”. This will generate events in the Security log whenever the files are accessed. For example:

Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
User: DOMAIN\username
Object Open:
Object Server: Security
Object Type: File
Object Name: \Device\HarddiskVolume20\Share\Sensitive Files\Financials.xls
Handle ID: 20492
Operation ID: {0,1917999625}
Process ID: 4
Image File Name:
Primary User Name: SERVER$
Primary Domain: DOMAIN
Primary Logon ID: (0x0,0x3E7)
Client User Name: username
Client Domain: DOMAIN
Client Logon ID: (0x0,0x6CEC6800)
Accesses: ReadData (or ListDirectory)

The event log will now tell you when files are opened, copied, or modified by employees. Next, watch the Windows desktops to see what those employees are doing with the files.

The registry contains a wealth of information on external storage devices. Monitor the following keys to see if external devices are being attached.

Floppy disks – [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\FDC]
FireWire devices – [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\sbp2]
USB – [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\usbstor]

Monitor other registry keys to see what programs are being run. In particular, look for bulk copy utilities, backup programs, FTP clients, CD burners, and so on. Open the user’s registry file (ntuser.dat) and browse to:


This UserAssist key holds several entries representing recently used programs. Each entry is ROT13-encoded and formatted as follows: GUID, index, action, session key, number of times the application has executed, and date/time last executed. The section you want is the action, specifically the UEME_RUNPATH:<executable> entries.
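As an added example (not code from the original post), the following Python script applies the two checks described above offline: it parses Object Access (560) records exported in the text layout shown earlier and flags those touching a watched folder, and it ROT13-decodes a UserAssist value name into its action and executable path. The log records, user names, paths and the watched prefix are all constructed for this example.

```python
import codecs
import re

# Constructed sample: two event 560 records in the exported text layout shown
# in the post. User names, paths and the share name are made up.
SAMPLE_LOG = """\
Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
User: DOMAIN\\jdoe
Object Name: \\Device\\HarddiskVolume20\\Share\\Sensitive Files\\Financials.xls
Client User Name: jdoe
Client Domain: DOMAIN
Accesses: ReadData (or ListDirectory)

Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
User: DOMAIN\\asmith
Object Name: \\Device\\HarddiskVolume20\\Share\\Public\\Newsletter.doc
Client User Name: asmith
Client Domain: DOMAIN
Accesses: ReadData (or ListDirectory)
"""

# Hypothetical folder whose SACL we care about (device path as logged by 560).
WATCHED_PREFIX = "\\Device\\HarddiskVolume20\\Share\\Sensitive Files\\"

def parse_events(text):
    """Split an exported Security log into one dict of 'Field: value' pairs per event."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")  # split on the first colon only
            if sep:
                fields[key.strip()] = value.strip()
        events.append(fields)
    return events

def sensitive_accesses(text, prefix=WATCHED_PREFIX):
    """Return (client user, object name, accesses) for 560 events under the watched folder."""
    hits = []
    for ev in parse_events(text):
        if ev.get("Event ID") == "560" and ev.get("Object Name", "").startswith(prefix):
            hits.append((ev.get("Client User Name"), ev["Object Name"], ev.get("Accesses")))
    return hits

def decode_userassist(value_name):
    """UserAssist value names are ROT13; return (action, target) such as ('UEME_RUNPATH', 'C:\\...')."""
    plain = codecs.decode(value_name, "rot_13")
    action, _, target = plain.partition(":")
    return action, target
```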


In summary, enable SACL auditing on the Windows Servers and be prepared to spot-check Windows XP clients. By combining server-side auditing and client-side forensics, you will be able to curtail information disclosure.

Tip: Identifying file types


Suppose you have a good chunk of binary and you are not sure what it is. The bits could be an executable, an image, a sound file, or simply random ones and zeroes. How do you identify the file?

One way is to open the file in a hex editor and inspect the first few bytes for a magic number. These bytes tell the operating system and applications how to treat the file. Some common ones are 0xCAFEBABE for Java class files, MZ (0x4D5A) for Windows executables, and ELF (0x7F454C46) for Linux executables. So there you go: memorize a few dozen magic numbers and get quick with the hex editor.

There is a slightly easier method. Check out the file command in Unix, Linux, and Cygwin. “File tests each argument in an attempt to classify it. There are three sets of tests, performed in this order: filesystem tests, magic number tests, and language tests. The first test that succeeds causes the file type to be printed.” file is rather handy and does not require memorization.

For example:

Administrator@myhome ~
$ file windows.exe
regedit.exe: PE32+ executable (GUI) x86-64, for MS Windows

Administrator@myhome ~
$ file ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.15, BuildID[sha1]=0x8ac30d36c853cf70fdfb9eb8182305e4ee68a609, stripped