Detecting information leakage in Windows Server

Archive for the ‘Security Information Management’ Category

Detecting information leakage in Windows Server

Posted by

Information leakage can occur when people with access to sensitive information copy the information to an insecure location. For example, a company’s financials may be stored on a file server. This server has restricted CIFS share permissions and restricted NTFS file system permissions. An employee with access copies these financials down and burns them to a CD. As there are no permissions or restrictions on the CD, anyone now has access to this sensitive information.

Detective controls exist in Windows Server and Windows XP to catch these types of situations.

Simply setup SACL (system access control lists) permissions on the file server. Right-click the folder, choose Properties, click the Security tab and then click Advanced. On the Advanced dialog, click the Auditing tab and then click Edit. I recommend checking “List Folder / Read Data”, “Create Files / Write Data”, “Create Folders / Append Data”, and “Delete Subfolders and Files”. This will generate events in the Security logs when files are accessed. For example:

Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
User: DOMAIN\username
Object Open:
Object Server: Security
Object Type: File
Object Name: \Device\HarddiskVolume20\Share\Sensitive Files\Financials.xls
Handle ID: 20492
Operation ID: {0,1917999625}
Process ID: 4
Image File Name:
Primary User Name: SERVER$
Primary Domain: DOMAIN
Primary Logon ID: (0x0,0x3E7)
Client User Name: username
Client Domain: DOMAIN
Client Logon ID: (0x0,0x6CEC6800)
Accesses: ReadData (or ListDirectory)

The event log will now tell you when files are opened, copied, or modified by employees. Now watch the Window desktops to see what they are doing with these files.

The registry contains a wealth of information on external storage devices. Monitor the following keys to see if external devices are being attached.

Floppy disks – [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\FDC]
Firewire Devices– [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\sbp2]
USB – [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\usbstor]

Monitor other registry keys to see what programs are being run. In particular, look for bulk copy utilities, backup programs, FTP clients, CD burners, and so on. Open the user’s registry file (ntuser.dat) and browse to:


This UserAssist key will have several entries that represent recently used programs. Each entry is encoded (rot13) and formatted as follows: GUID, Index, ACTION, Session key, Number of times the app has executed, date time last executed.  The section you want is the action. Specifically, the UEME_RUNPAT<executable> entries.


In summary, enable SACL auditing on the Windows Servers and be prepared to spot-check Windows XP clients. By combining server-side auditing and client-side forensics, you will be able to curtail information disclosure.

Recover Office XP and Office 2003 passwords

Posted by

Excel and Word, as part of Microsoft Office XP or Office 2003, have an option to password protect the file. Sometimes you may need to recover a forgotten password, or to test the strength of a password.

I use the following free utility whenever I need to brute force these Office passwords:

Free Word / Excel Password Recovery Wizard offers the same functionality and performance as expensive commercial Word password / Excel password software, but is a completely free download.  Unlike other supposedly “free” downloads, it is a full product, not a demo version or shareware. It contains no spyware or other malware.

We developed our own free password recovery package specifically to address the high cost of commercial password software.

Our easy to use software runs on any Windows 9x and later PC and recovers file open passwords (not sheet passwords though) for Word / Excel 97 to Word / Excel XP 2003 files.  It works by trying words from a large dictionary (included with the download) against the file, then tries character combinations to find most common file open passwords.