Agenda for Misuse Detection Project Meeting: Monday 10-Feb-97, 10am-12pm

Select a timekeeper.

Equipment issues (0:15)
    HD for julie
    HD for notebook
    Backup
    Insurance
    more RAM for Gateway (32MB)
    Network Card (keep or return?)

Auditing base objects in NT 4.0 (0:10)

NT seminar (0:05)
    no news is good news

Julie's thesis proposal (0:15)

KDD talk (0:20)

Healtheon letter (0:05)

Topics for next agenda (0:05)

10-Feb-97 Meeting Notes

Attendees: Steven Templeton, Chris, Julie, Brant, Raymond
Notes taken by Chris Wee
Meeting began @ 10:15am and ended @ 11:30pm 
Julie was the timekeeper

Equipment issues (0:10)
    Julie discovered that 1.4G cost $500, 2.1G $600. We need to
    find one under $500 incl. S/H & tax.
    Ultra SCSI-3 68 pin: Does Gateway have an adaptor?
    Steven will find out about a rider on his personal insurance.
    We want to get the Network card, but it has been transferred
    to Dipak. Pat has been asked to order another one.

Auditing base objects in NT 4.0 (0:10)
    On a subsequent attempt, Brant has discovered that NT base object
    auditing works.
    >Purpose: To discover how base object auditing works.


    Hypothesis: It is possible to audit base objects making
    the given
    change to the registry.


    Procedure:


    Turned on normal auditing to detect success and fail for file
    and object access and detailed tracking using the user manager.
    Cleared the audit log using the event viewer.
    Started the user manager and saved the audit log.
    Added the following value to the registry key,
    KEY_LOCAL_MACHINE\System\CurrentControlSe\Control\Lsa

    Name: AuditBaseObjects

    Type: REG_DWORD

    Value: 1

    Started user manager again. Checked event viewer to see if
    base objects were also audited. They weren't.

    Rebooted.

    Cleared the audit log using the event viewer.

    Started user manager again. Checked event viewer. Base objects
    are now being audited. 

    Saved the audit log for starting the user manager. This file
    also contains the audit log of saving this file.

    Turned off normal auditing using the user manager. Base object
    auditing is now turned off.

    Results:

    The audit log of
    starting the user manager with base objects not audited.

    The audit log of starting
    the user manager with base objects audited.

    Conclusion: It works!


	
Julie's thesis proposal (0:15)
	Julie has completed her thesis proposal. She presented her
	approaches to detecting polymorphic viruses.

Healtheon letter. (0:05)
	It looks like it will not be written after all.

NT seminar (0:05)
    no news is good news

KDD talk (0:20)
	postponed to next week.

Topics for next agenda (0:05)
	next meeting on 17-Feb-97. Since it is a holiday, we're
	meeting at 11am at Cafe Bernado
	KDD talk
	equipment
	Proving safety of mobile code - brant