Biblio

Intrusion detection systems installed on the information security devices that control the internal and external perimeter of the demilitarized zones are not able to detect the vulnerability of ZeroLogon after the successful penetration of the intruder into the zone. Component solution for ZeroLogon control is offered. The paper presents the research results of the capabilities for built-in Active Directory audit mechanisms and open source intrusion detection/prevention systems, which allow identification of the critical vulnerability CVE-2020-1472. These features can be used to improve the quality of cyber-physical systems management, to perform audits, as well as to check corporate domains for ZeroLogon vulnerabilities.

The purpose of this work is to implement a universal system for collecting and analyzing event logs from sources that use the Windows operating system. The authors use event-forwarding technology to collect data from logs. Security information and event management detects incidents from received events. The authors analyze existing methods for transmitting event log entries from sources running the Windows operating system. This article describes in detail how to connect event sources running on the Windows operating system to the event collector without connecting to a domain controller. Event sources are authenticated using certificates created by the event collector. The authors suggest a scheme for connecting the event collector to security information and event management. Security information and event management must meet the requirements for use in conjunction with event forwarding technology. The authors of the article demonstrate the scheme of the test stand and the result of testing the event forwarding technology.