Securing Windows services and Windows security logs
Our IT Security Under Attack campaign is a continuing effort to help you verify that your detection mechanisms, and your SIEM strategy as a whole, keep pace with the techniques attackers actually use. In this week's post, we look at two critical components of your Windows OS: Windows services and Windows security logs.
Windows services: Long-running executables that run in their own Windows session, independent of any logged-on user, and typically start when the machine boots. Windows services provide network, security, and system monitoring functions and also handle background work such as syncing and logging for applications.
Service accounts are like robots that:
Perform tasks automatically in the background.
Don’t need a human to log in or interact.
Run with specific permissions to access files, networks, or services.
Are tied to services or applications, not people.
But those permissions come from the security context the service runs in, and that context has to be set somewhere. It is set per service: the account configured on the Log On tab of the service's properties (in services.msc) is the identity the service process runs as, and every permission the service has is that account's permission.
This becomes a problem in two ways. First, services are left running with privileges they do not need, most often as LocalSystem, so any flaw in the service or its binary hands an attacker full control of the host. Second, when an explicit domain account is entered on the Log On tab, its password is stored on that host in the LSA secrets, where any local administrator can recover it, and if the account also has a service principal name its password can be attacked offline by anyone who can request a Kerberos ticket for it. Either way, stealing the credentials of one service unlocks that account everywhere in the domain.
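The check a practitioner wants at this point is an inventory of which services run as what. The script below is an added example written for this post, not code from the original page: it enumerates the services on the local host with built-in cmdlets and flags the two risks just described, services running as LocalSystem and services running under an explicit account (worst case a domain account, whose password the host keeps in its LSA secrets). The risk labels, and the hypothetical service name MySvc in the remediation comment, are this example's own assumptions.

```powershell
# Added example for this post, not code from the original page. Run it in an
# elevated PowerShell session on the host under review. Risk labels are this
# example's own; adjust them to your baseline.

$builtIn = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')

function Get-ServiceAccountRisk {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $account = $svc.StartName
        if ([string]::IsNullOrWhiteSpace($account)) { continue }   # no logon identity recorded

        $runsAsSystem = ($account -eq 'LocalSystem')

        # Built-in identities and per-service virtual accounts (NT SERVICE\<name>) have
        # no stored password; anything else is an explicit account with one.
        $isExplicit = ($builtIn -notcontains $account) -and ($account -notlike 'NT SERVICE\*')

        # Split DOMAIN\user: '.' or the local computer name means a local account,
        # anything else (or a UPN such as user@corp.example) means a domain account.
        # A group managed service account (DOMAIN\name$) is a domain account whose
        # password AD rotates, so it is not flagged as high risk.
        $isDomain = $false; $isGmsa = $false
        if ($isExplicit) {
            if ($account -match '^([^\\]+)\\(.+)$') {
                $isDomain = ($Matches[1] -ne '.') -and ($Matches[1] -ne $env:COMPUTERNAME)
                $isGmsa   = $isDomain -and $Matches[2].EndsWith('$')
            } elseif ($account -like '*@*') {
                $isDomain = $true
            }
        }

        if ($isDomain -and -not $isGmsa) { $risk = 'High: domain account, theft here unlocks it domain-wide' }
        elseif ($isExplicit)             { $risk = 'Medium: explicit account, password stored on this host' }
        elseif ($runsAsSystem)           { $risk = 'Medium: LocalSystem, confirm the service needs it' }
        else                             { $risk = 'Low' }

        [pscustomobject]@{
            Name      = $svc.Name
            StartName = $account
            StartMode = $svc.StartMode
            PathName  = $svc.PathName
            Risk      = $risk
        }
    }
}

# Report, riskiest first.
Get-ServiceAccountRisk |
    Where-Object { $_.Risk -ne 'Low' } |
    Sort-Object Risk |
    Format-Table Name, StartName, StartMode, Risk -AutoSize

# Remediation for a service that does not need its explicit account: move it to a
# built-in or virtual identity with the Win32_Service Change method (shown for a
# hypothetical service named MySvc), restart it, confirm it still works, and then
# remove the old account's "Log on as a service" right:
#   $s = Get-CimInstance Win32_Service -Filter "Name='MySvc'"
#   Invoke-CimMethod -InputObject $s -MethodName Change -Arguments @{ StartName = 'NT AUTHORITY\LocalService'; StartPassword = '' }
```

The output is the list you compare against your baseline: every High entry is a domain credential sitting on that host, and every LocalSystem entry is a question of whether the service genuinely needs it. Run it on a schedule and diff the results, because a service whose logon account changes between runs is exactly the modification the rest of this post says to watch for.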
Security logs: We work with security logs, perhaps without even recognizing them. Once auditing is enabled through Group Policy on an Active Directory domain, every audited change to the domain's objects or configuration is recorded as an event in the Security log of the computer where it happened (for domain changes, the domain controller) and, if you forward events, in a central store such as your SIEM. Even an activity as routine as an end user logging on is recorded there, as event 4624. Now expand this concept to all the workstations, servers, and domain controllers in your network.
IT administrators, security analysts, and security auditors use these logs to trace back the events behind an outage or a genuine mishap, to follow up on a suspicion, and for threat hunting, digital forensics, and compliance audits.
In other words, the events are the breadcrumbs that lead back to where an incident started. If they are erased, the organization is blind and event-based tracking becomes impossible, which is exactly why attackers clear logs, and why the clearing of the Security log is itself recorded (event 1102) and should be alerted on.
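To make the two passages above concrete, the script below is an added example written for this post, not code from the original page. It pulls from the local Security and System logs the handful of events that matter most for the two components discussed here (the log being cleared, the audit policy being changed, and a new service being installed, with the account it runs as) and reports who did what and when. It assumes an elevated session, which reading the Security log requires, and that the audit subcategories those events depend on are enabled; the auditpol calls check that. The event IDs and XML field names are the ones Windows uses; the regular expressions on the 4719 message text assume an English-language system.

```powershell
# Added example for this post, not code from the original page. Run in an
# elevated PowerShell session on the host under review.

# 1. Audit settings the events below depend on. Both should report at least "Success".
auditpol.exe /get /subcategory:"Audit Policy Change"        # needed for 4719
auditpol.exe /get /subcategory:"Security System Extension"  # needed for 4697

# 2. Collect the events and extract the fields an analyst needs.
function Get-CriticalAuditEvents {
    param([datetime]$Since = (Get-Date).AddDays(-7))

    # Security 1102: the audit log was cleared (always logged, no policy needed)
    # Security 4719: system audit policy was changed (auditing turned down before an action)
    # Security 4697: a service was installed, with the account it runs as
    # System   7045: Service Control Manager recorded a new service
    $sec = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102, 4719, 4697; StartTime = $Since } -ErrorAction SilentlyContinue
    $sys = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7045; StartTime = $Since } -ErrorAction SilentlyContinue

    foreach ($e in @($sec) + @($sys)) {
        # Read the named fields from the event XML instead of parsing the message text.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $actor = ''; $detail = ''
        switch ($e.Id) {
            1102 {
                # 1102 keeps its subject under UserData/LogFileCleared, not EventData.
                $who    = $xml.Event.UserData.LogFileCleared
                $actor  = "$($who.SubjectDomainName)\$($who.SubjectUserName)"
                $detail = 'Security log cleared'
            }
            4719 {
                $actor = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                # The XML stores the subcategory and change as %%-coded IDs; the rendered
                # Message carries the readable names (English message template assumed).
                $sub = $data.SubcategoryGuid; $chg = ''
                if ($e.Message -match 'Subcategory:\s+(.+)') { $sub = $Matches[1].Trim() }
                if ($e.Message -match 'Changes:\s+(.+)')     { $chg = $Matches[1].Trim() }
                $detail = "Audit policy changed: $sub -> $chg"
            }
            4697 {
                $actor  = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                $detail = "Service installed: $($data.ServiceName) runs as $($data.ServiceAccount), binary $($data.ServiceFileName)"
            }
            7045 {
                # SCM records only the installer's SID; resolve it to a name when possible.
                $actor = "$($e.UserId)"
                try { $actor = $e.UserId.Translate([System.Security.Principal.NTAccount]).Value } catch { }
                $detail = "New service: $($data.ServiceName) runs as $($data.AccountName), binary $($data.ImagePath)"
            }
        }

        [pscustomobject]@{
            Time   = $e.TimeCreated
            Log    = $e.LogName
            Id     = $e.Id
            Actor  = $actor
            Detail = $detail
        }
    }
}

Get-CriticalAuditEvents | Sort-Object Time | Format-Table -AutoSize
```

To validate the detection on a test host, install a harmless service and confirm that a 4697 and a 7045 appear with the right account and binary path. Note the limit of the 1102 check: on a host whose Security log has been cleared, the local copy proves only that the clearing happened, so these events belong in a SIEM where the events that preceded the clearing still exist.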
It is important to ensure these critical components of your Windows OS are configured securely and are monitored for changes: a service that is created or whose logon account or binary path is modified, an audit policy that is changed, and a log that is cleared should each raise an alert.
Visit IT Security Under Attack to learn how these components of your Windows OS can be exploited, and how you can detect suspicious activity using a SIEM and stay protected.