What is Windows File Integrity Monitoring?
In order to maintain the integrity of a Windows file system, File Integrity Monitoring is applied to ensure no unauthorized changes are made to files, folders or configuration settings.
What should it cover?
The monitoring approach needs to cover all file and folder attributes, including the file or folder properties (and in particular the security and permissions) as well as the file contents or composition. Enterprise Windows File Integrity monitoring solutions should use a cryptographic hash value, calculated for each file, to detect changes. This provides a unique 'DNA fingerprint' for each file, generated using a secure hash algorithm such as MD5, SHA1, SHA256 or SHA512, and provides a means by which even a minute change to a file will be detected.
It is also necessary to monitor Windows Registry hives, keys, and values as Windows configuration settings are controlled via Registry entries. In this way, all significant configuration attributes can be audited for compliance and tracked for changes – installed updates and programs, local user accounts, and the local security and audit policies, which cover everything from the screensaver being used through BitLocker and Windows Firewall settings.
Why is it important?
Several reasons – security, compliance, data protection and change control.
Security: any change to a system file could be as a result of a malware infection, for example, Trojan malware replacing legitimate system files. Security breaches will also leave other clues, such as registry changes, changes to services, with new DLL and other system files being created. By detecting and reporting any of these irregular changes, file integrity monitoring provides a Windows HIDS (host intrusion detection system) function.
Compliance: to maintain operational and access security, for example, tracking special Windows config files such as the registry and security policy. Password policy and user rights/permissions - for example, Remote Desktop or remote network share access - are all controlled via settings in the registry and local security policy. In other words, file integrity monitoring for Windows will track configuration drift and help enforce a hardened build standard.
However, for compliance, FIM goes further and can be used to analyze configuration settings and ensure that cyber security vulnerabilities have been mitigated from the host.
All governance, regulatory and compliance standards like NIST 800-53, SOX, PCI DSS, NERC CIP mandate the need for a hardened build standard and breach detection, for example, using the CIS Benchmark for Windows or NIST resources. All Windows versions are catered for including Server 2012, Windows 8.1, Windows 7, 2008R2, Vista, XP and 2003.
Data Protection: Windows FIM can also show who has accessed or changed files, useful for data protection audit trail purposes.
Change Control: by tracking file and configuration changes, change control is re-enforced by providing a 'closed loop' of change approval, followed by implementation, followed by change detection and change quality assurance.
How does Windows File Integrity Monitoring work?
The principle means of operation is to establish an initial inventory of files to be monitored, including all metadata such as
- Name and Path
- Attributes, Audit, and Security
- Created and File Write dates
- Cryptographic Hash Value
In addition, the File Contents may be tracked which allows the details of the actual changes made to a text-based configuration file can be exposed. This is not always practical – binary file contents changes cannot be usefully reported and even for human-interpretable file types, the file contents may be impractical to track if too large. By contrast, tracking metadata and a hash value give an infallible means of detecting changes in a highly consistent manner regardless of the file type or size.
Traditional file integrity monitoring solutions such as Tripwire® work on a file system baseline being established comprising all file metadata and hash values, against which subsequently updated baselines were compared, allowing any changes to be detected. This is a host resource-intensive operation and only allows changes to be detected daily or weekly.
Alternatively, modern file integrity solutions like NNT Change Tracker work from an initial, one-time baseline against which changes only are detected using a continuous, real-time FIM agent resident on the host. Agent-based file integrity monitoring for Windows not only provides real-time, instantaneous detection of malware and breach activity, but a substantially gentler FIM technology in terms of host resource requirements, only using resources when changes need to be assessed, for just those files that have changed without needing a repeated full inventory/baseline process to be run.
How does Windows FIM detect zero day malware?
In order to detect a Trojan replacement, including zero day malware that signature-based Anti-Virus systems will miss, it is necessary to track file integrity using a cryptographic hash value for each file.
This approach means even the slightest change to a file composition will result in a large change to the hash value. Tracking Windows file integrity using hash values will govern any file type, including binary files like .exe, .dll, .sys and .drv, but also any other file type, including zipped archive files (for example archived log files) or text-based configuration files (for example, XML, .aspx or .js files)
Which Windows files and folders should be tracked?
On a Windows system, file integrity monitoring should be applied to at least the Program Files, Program Files (x86), System 32 and SysWOW64 (operating system files, exe, driver, and DLL files). Applying FIM to the Windows System Drive C:\Windows is also a legitimate approach but as ever, the broader the reach of the monitoring net, the more false positives that will need to be managed.
To this end, it will be necessary to then exclude any files that are known and expected to change regularly, such as live log and database files, for example, C:\Windows\Logs. This ensures that the 'noise' from the regular activity is removed and therefore providing focus on irregular, unexpected changes.
A good Windows FIM tool will allow filters to be applied by file type/extension or through pattern matches based on regular expressions to fully/partially match a file/folder name, both for inclusion and exclusion of files for monitoring.
Likewise for the Registry – the registry comprises millions of values, many of which change frequently during regular operation of the Windows server. Similarly 'fine-grain' inclusion/exclusion configuration for registry file integrity monitoring is essential in order to provide a low maintenance but forensically precise FIM solution.
Agent-Based or Agentless? Which is better for Windows FIM?
Quick summary: Agent-based FIM for Windows will give a more powerful solution, but Agentless FIM for Windows will be simpler to install.
Agentless FIM will not require any files to be deployed to, nor any programs to be installed on, the endpoints. An agentless FIM operation will employ some form of 'dissolvable' agent used in conjunction with a scripted PSExec-type interaction with the host. In other words, a temporary, transient binary is copied over to the host which is used to generate hash values of files. The baseline database and 'diff' functions are performed back at the Agentless FIM appliance, so the process can often be resource-intensive, both for the network and the host under test.
Conversely, as described in the earlier 'How does Windows File Integrity Monitoring work?' section, using an intelligent locally run Agent for Windows FIM is considerably more efficient, working from a one-time baseline operation.
Agent-based FIM also has two other major advantages - Firstly, the breach detection can be performed in real-time, reporting file changes seconds after they have been made. Secondly, the Agent can augment the file change information with kernel-sourced intelligence, such as 'Who Made the Change?' and 'Which process was used?', making investigations easier and faster.
The best Windows File Integrity Monitoring solutions provide both Agent-based and Agentless options, allowing full freedom of choice and deployment flexibility.
How often should Windows File Integrity checks be made?
Security compliance standards such as the PCI DSS mandate the need to run weekly file integrity checks. However, this weekly period has been determined not because this is necessarily sufficiently frequent to prevent a serious data security breach, which it isn't.
In fact, the weekly period was derived more as a compromise between the need for frequent FIM checks being balanced against the (traditionally) high resource loads placed on a server during the repeated inventory or baseline process as discussed earlier.
However, with security breaches being so potentially damaging within days or even hours, the need for prompt detection is paramount, therefore any delay to detection may prove costly.
Real-time file integrity monitoring, with continuous detection, should be the minimum level of expectation in order to counteract contemporary cyber security threats.
And the number one solution that delivers all the key security and compliance benefits of file integrity monitoring is NNT Change Tracker™
Learn more about NNT Change Tracker here
For a free automated system compliance audit: