December 14, 2001
Intruder Alert 3.6 Win2k File Tampering/IIS 5 Security Policy

These Intruder Alert Policies were designed for the Windows 2000 Operating System. They detect changes to IIS configuration settings and to monitored system files.

Download W2K File Tampering policy
Download W2K IIS 5.0 Security policy

Affected Platforms

Windows 2000 Agents

Description

The Win2k File Tampering policy detects a change of status for all system files monitored by the Intruder Alert File Watch file list. Critical files are checked for changes every hour, and non-critical system files are checked every 8 hours. For more information on File Watch and how to create user-defined file watch lists, refer to the Intruder Alert User's Guide, Section 9.

Policy rules include:

  • Critical File-Missing
    Detects the deletion of a critical operating system file as defined by Intruder Alert's "File Watch" list of files to monitor.

  • Critical File-Reappeared
    Detects the reappearance of a critical operating system file as defined by Intruder Alert's "File Watch" list of files to monitor.

  • Critical File-Replaced/Changed
    Detects a change to a critical operating system file as defined by Intruder Alert's "File Watch" list of files to monitor.

  • File-Missing
    Detects the deletion of a non-critical operating system file as defined by Intruder Alert's "File Watch" list of files to monitor.

  • File-Reappeared
    Detects the reappearance of a non-critical operating system file as defined by Intruder Alert's "File Watch" list of files to monitor.

  • File-Replaced/Changed
    Detects a change to a non-critical operating system file as defined by Intruder Alert's "File Watch" list of files to monitor.
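
The Missing, Reappeared and Replaced/Changed rules amount to comparing each watched file with the state recorded at its previous scan. The following Python example is added here for illustration and is not Intruder Alert code or policy syntax: it assumes a SHA-256 content hash as the change test (the page does not say how File Watch detects a change), and the names digest, scan and INTERVAL are hypothetical.

```python
import hashlib

# Scan intervals in seconds, from the policy text: critical files hourly,
# non-critical files every 8 hours.
INTERVAL = {True: 3600, False: 8 * 3600}

def digest(path):
    """SHA-256 of the file's contents, or None if the file is absent."""
    try:
        with open(path, "rb") as fh:
            return hashlib.sha256(fh.read()).hexdigest()
    except FileNotFoundError:
        return None

def scan(watch_list, state, now):
    """Check every watched file that is due and return (rule, path) events.

    watch_list: path -> True (critical) / False (non-critical).
    state: path -> {"hash", "present", "checked"}; updated in place.
    """
    events = []
    for path, critical in sorted(watch_list.items()):
        prev = state.get(path)
        if prev is not None and now - prev["checked"] < INTERVAL[critical]:
            continue  # not due for a re-check yet
        prefix = "Critical File-" if critical else "File-"
        cur = digest(path)
        if prev is None:
            # First scan of this path: record the baseline, raise nothing.
            state[path] = {"hash": cur, "present": cur is not None, "checked": now}
            continue
        prev["checked"] = now
        if cur is None:
            if prev["present"]:
                events.append((prefix + "Missing", path))
            prev["present"] = False  # keep the last hash for comparison later
            continue
        if not prev["present"]:
            events.append((prefix + "Reappeared", path))
        if prev["hash"] is not None and cur != prev["hash"]:
            events.append((prefix + "Replaced/Changed", path))
        prev["hash"], prev["present"] = cur, True
    return events
```

A file that comes back with different content raises both Reappeared and Replaced/Changed in this example, because the last known hash is kept while the file is missing.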

IIS 5.0 Security Policy detects changes to the configuration of a Microsoft IIS server.

Policy rules include:

  • FTP-AllowGuestAccess
    Detects the registry change needed to allow Guest access to FTP.

  • FTP-EnablePortAttack
    Detects changes to the EnablePortAttack registry key. Changes to this key may indicate that the allowable FTP ports have been changed.

  • CheckCertRevocation
    Detects changes to the CheckCertRevocation registry key. By default this key is disabled due to severe performance impact when enabled.

  • LogSuccessfulRequests
    Detects changes made to the LogSuccessfulRequests registry key. This key determines whether or not to record successful activities in the log file.

  • SSIEnableCmdDirective
    Detects changes to the SSIEnableCmdDirective. Security-conscious sites may wish to disable the #exec cmd directive, especially when untrusted parties are allowed to place files on the server.

  • LogErrorRequests
    Detects changes to the LogErrorRequests registry key. This key determines whether or not to record errors in the log file.

  • MaxClientRequestBuffer
    This value designates the maximum size of the request line and header fields accepted by IIS. The IIS administrator can reduce the number of attacks on IIS by limiting the size of this value.


Last modified on: Friday, 14-Dec-01 22:06:45