© 2006 Cisco Systems, Inc. All rights reserved. HIPS v3.04-1 Configuring Rules Configuring Windows-Only Rules. - презентация

1 © 2006 Cisco Systems, Inc. All rights reserved. HIPS v Configuring Rules Configuring Windows-Only Rules

2 © 2006 Cisco Systems, Inc. All rights reserved. HIPS v Objectives At the end of this lesson, you will be able to meet these objectives: Identify the rules that are available to Windows hosts only Describe how to configure the Clipboard access control rule Describe how to configure the COM Component access control rule Configure the COM Component access control rule Describe how to configure the File version control rule Configure the File Version control rule Describe how to configure the Kernel Protection rule Describe how to configure the NT Event Log rule Describe how to configure the Registry access control rule Describe how to configure the Service Restart rule Describe how to configure the Sniffer and Protocol Detection rule

3 © 2006 Cisco Systems, Inc. All rights reserved. HIPS v Windows-Only Rules Clipboard Access Control rule COM Component Access Control rule File Version Control rules Kernel Protection rule NT Event Log rule Registry Access Control rule Service Restart rule Sniffer and Protocol Detection rule

4 © 2006 Cisco Systems, Inc. All rights reserved. HIPS v The Clipboard Access Control Rule Clipboard Access Control Rule Clipboard

5 © 2006 Cisco Systems, Inc. All rights reserved. HIPS v Configuring the Clipboard Access Control Rule

6 © 2006 Cisco Systems, Inc. All rights reserved. HIPS v The COM Component Access Control Rule COM Component Access Control Rule VB Script

7 © 2006 Cisco Systems, Inc. All rights reserved. HIPS v Configuring the COM Component Access Control Rule

8 © 2006 Cisco Systems, Inc. All rights reserved. HIPS v Practice: Configuring the COM Component Access Control Rule

9 © 2006 Cisco Systems, Inc. All rights reserved. HIPS v The File Version Control Rule IE 5.0 IE 4.5 File Version Control Rule

10 © 2006 Cisco Systems, Inc. All rights reserved. HIPS v Configuring the File Version Control Rule

11 © 2006 Cisco Systems, Inc. All rights reserved. HIPS v Practice: Configuring the File Version Control Rule

12 © 2006 Cisco Systems, Inc. All rights reserved. HIPS v The Kernel Protection Rule Kernel Protection Rule Access denied Attempt to access operating system

13 © 2006 Cisco Systems, Inc. All rights reserved. HIPS v Configuring the Kernel Protection Rule

14 © 2006 Cisco Systems, Inc. All rights reserved. HIPS v Configuring the Kernel Protection Rule (Cont.)

15 © 2006 Cisco Systems, Inc. All rights reserved. HIPS v The NT Event Log Rule NT Event Log Rule CSA MC Event Log

16 © 2006 Cisco Systems, Inc. All rights reserved. HIPS v Configuring the NT Event Log Rule

17 © 2006 Cisco Systems, Inc. All rights reserved. HIPS v The Registry Access Control Rule Registry Access Control Rule Registry VB

18 © 2006 Cisco Systems, Inc. All rights reserved. HIPS v Configuring the Registry Access Control Rule

19 © 2006 Cisco Systems, Inc. All rights reserved. HIPS v The Service Restart Rule Service Restart Rule Service restarted Service terminated

20 © 2006 Cisco Systems, Inc. All rights reserved. HIPS v Configuring the Service Restart Rule

21 © 2006 Cisco Systems, Inc. All rights reserved. HIPS v The Sniffer and Protocol Detection Rule IP NetBIOS Sniffer and Protocol Detection Rule CSA MC Event Log

22 © 2006 Cisco Systems, Inc. All rights reserved. HIPS v Configuring the Sniffer and Protocol Detection Rule

23 © 2006 Cisco Systems, Inc. All rights reserved. HIPS v Summary CSA MC provides several rules that can be used to protect Windows-specific components. The Clipboard Access Control rule is used to allow or deny access to the data written to the clipboard by a specific set of applications. The COM Component Access Control rule is used to prevent unauthorized applications from accessing COM components. The File Version Control rule is used to control the software versions of applications that can run on hosts. The Kernel Protection rule is used to prevent unauthorized access to the operating system. The NT Event Log rule is used to make specific NT Event Log items appear in the CSA MC Event Log. The Registry Access Control rule is used to allow or deny applications from writing to specified registry keys. The Service Restart rule is used to restart Windows services that have stopped or are not responding to service requests. The Sniffer and Protocol Detection rule is used to log an event when non-IP protocols and packet sniffer programs are detected to be running on a system.

24 © 2006 Cisco Systems, Inc. All rights reserved. HIPS v