IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Hardware & Software Remarks
____________________________________________________________________ .........................................
It should be noted that accesses to the registry are only recorded if the auditing
of file and object accesses is activated in the General Audit Policy.
When access to the registry is monitored, a large amount of auditing data is
generated which must also be evaluated. Furthermore, recording these events
usually has a negative effect on the system performance. In some cases, taking
the security requirements into account, the following alternative procedure is
recommended. Rejected attempts to access the keys
HKEY_LOCAL_MACHINE and HKEY_USERS, are recorded as described
above. Successful accesses to these keys are not recorded. Rather, a suitable
integrity protection program is used. In this way, changes to these keys are
easily recognised. However, the disadvantage of this method is that the
program does not recognise who has made the changes.
By stipulating appropriate specifications with the utility Event display, the log
file should be created to be so large that all entries occurring within a specified
period (for example, in one week) can be stored reliably. When doing this,
provision should be made for a security margin, so that in general a maximum
of around 30% of the log file is filled. After the specified period has elapsed,
each log file should be analysed, filed and then cleared to create space for new
entries.
In order to avoid system failures as a result of fully writing the log file, under
normal circumstances one of the options "Overwrite events as needed" or
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000