SANS Joint Written Project
August 22nd, 2006
Rodney Caudle
Eric Conrad
James Voorhees
Task 1:
Group meets virtually to discuss which are the most important
tools in the context of auditing as defined in this module and why.
Please summarize your discussion.
We met virtually over the week of August 20th to 25th, holding discussions via email on the merits of
the tools listed on slides 21 and 22 of the PowerPoint. A summary of each tool and its merits is
given below. Each group member received a section in which to capture their thoughts on each
of the tools. The consensus reflects the group decision to include or exclude each tool.
Dumpel.exe
This tool is used to dump or query event logs from a local or remote system and export them as a tab-separated file.
http://support.microsoft.com/kb/274305/EN-US/
Rodney Caudle:
This tool would be useful for remotely querying log
information from a central location. However, for newer versions of Windows this is
probably replaced with the WSH capability. Since this is difficult to add to baseline
information if we need space I’d leave this out.
Eric Conrad:
Auditing logs is critical; addresses ‘Other checks’ bullet on slide 10.
James Voorhees:
As Rodney says, this has been replaced by scripting in
Windows 2003. It works well in Win 2k. It only does one box at a time (that's true of most
of these). Plus the syntax (like most things about Windows logs) is a little cryptic.
Consensus:
This is a useful tool and should be included for further research.
netsvc.exe
This tool is used to control/query services.
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q140378&
Rodney Caudle:
This tool would be useful for remotely querying running
service information from a central location. However, I think the sc.exe tool would
provide better information and this tool should be updated to reflect sc.exe or a newer
version of the tool.
Eric Conrad:
Seems partnered with sc.exe in the sites I researched.
Given that’s networkable, and can document drivers and running services (addresses
‘running services’ bullet on slide 9), it seems like a winner.
James Voorhees:
But I vote to just use sclist.exe. It does show running
services. Netsvc makes no distinction. sclist.exe, which seems made for auditing—it is
the simplest of the three tools mentioned here and gives simple output. Sc.exe gives
more information, but most of it extraneous to the purpose.
Consensus:
This is useful functionality to have but newer tools make
netsvc.exe replaceable. Further research will replace this tool with the appropriate tool
for the job.
addusers.exe
This tool automates the creation of a large number of users using a bulk-load technique. In
addition, it can dump user and group information to a delimited file.
http://support.microsoft.com/?kbid=199878
Rodney Caudle:
I like this tool and think it should be used unless there is
another way to query user information that is more efficient or works better with
Windows 2003. This tool lists support for Windows 2000 and Windows NT 4.0. No
mention of Windows 2003 so it would need to be researched.
Eric Conrad:
Running this against a PDC or BDC to audit all global
account information would provide critical auditing information (addressing the “new
users or groups” bullet on slide 9).
James Voorhees:
For Win2003, there is a sample script AddUsers.wsf in the
Automation Toolkit. The output I got from running addusers.exe against a domain
controller is a little scruffy, with too much extraneous information.
Consensus:
The functionality is good but newer scripts have replaced this.
Further research will propose the correct tool for the job with examples.
rasusers.exe
This tool enumerates the SAM database to determine which users have dial-in capability.
http://wettberg.home.texas.net/rasusers.htm
Rodney Caudle:
Determining which users have remote access capability
could be important but with the acceptance of ADS and LDAP directories this information
is readily available from other sources. There have been some issues with rasusers
stopping after 5000 users (http://support.microsoft.com/kb/176964/en-us) so its benefit
may be of limited interest. Also the tool shipped with NT 4.0 and queries the SAM DB so
the functionality has probably been replaced or not used in future versions. I would pass
on this tool.
Eric Conrad:
RAS auditing is important, but given limited space to
discuss these tools; I feel other tools are more worthy of slide ‘real estate’.
James Voorhees:
I concur, other things are more important.
Consensus:
This tool is not as important as other tools in the list. This
information is available in other places and represents a single attribute of a user. For
the scope of this learning object this is too focused and a more broad focus is needed.
raslist.exe
This tool displays RAS server announcements on a network by actively listening on all interfaces
of the host where it is run. It relies on the broadcast announcements sent by the various
servers.
http://www.activexperts.com/activmonitor/windowsmanagement/reskit2000/
Rodney Caudle:
Interestingly I could not find any information by searching
Microsoft’s Knowledge Base. A search on google showed several links referencing the
Windows 2000 Resource Kit that this was included with. This is more of a monitoring
tool and requires an active listener. I would pass on this tool since this information is
probably readily available from other sources (searching for specific services).
Eric Conrad:
RAS auditing is important, but given limited space to
discuss these tools; I feel other tools are more worthy of slide ‘real estate’.
James Voorhees:
Once again, I concur.
Consensus:
This tool is not as important as other tools in the list. This is an
active listener and for the scope of this learning object active listeners are not
appropriate.
sysdiff.exe
This tool is used to preinstall applications as part of an automated setup. Sysdiff is not included
with Windows XP; support is listed for Windows NT only.
http://support.microsoft.com/?kbid=156795
Rodney Caudle:
This is of little use for auditing purposes. Possibly no
support past NT 4.0 and doesn’t add to the information needed for baselining an
environment. Skip this tool.
Eric Conrad:
Apparently not available for XP
(http://support.microsoft.com/?kbid=298389), which limits its usefulness for many
environments.
James Voorhees:
I agree that this is of little use in auditing.
Consensus:
This tool is not appropriate for auditing because the functionality of
this tool does not align with any of the objectives.
regdump.exe
This utility dumps the registry on a local or remote system.
http://www.lbl.gov/cyber/systems/nt-tools.html
Rodney Caudle:
This tool would be useful to compare differences between
two versions of the registry. While not as useful for finding information if a difference is
discovered it can be looked into more carefully. Other tools like scanreg.exe or
regfind.exe provide more searching capabilities but this tool would probably be more
useful for baselining.
Eric Conrad:
Tracking registry changes is important from a security and
auditing standpoint and addresses the ‘unsuspected registry changes’ on slide 9.
James Voorhees:
Registry changes are important to track. I could not find the
tool on the Microsoft site, nor the actual tool on the Berkeley Lab site linked to. So I
question whether it is a tool easily available and, of course, I'm not sure whether the
output will serve our purpose.
Consensus:
This tool is appropriate for tracking changes to the registry.
Further research may yield a replacement tool with more appropriate formatting or
functionality.
xcacls.exe
This tool allows the user to display or modify ACLs in NTFS filesystems. This tool cannot be run
remotely and probably requires administrative access.
http://support.microsoft.com/?kbid=318754
Rodney Caudle:
This is very helpful to be able to audit this level of
permissions with a script. Automating the query using the “/T” option would recursively
display information for a set of folders and files. The format is not the best but with a
little bit of Perl the information could be extracted. The lack of remote capability is
troubling as well.
Eric Conrad:
(is there a halfway smiley between thumbs up and
down?). This tool and perms.exe seem useful as a pair, and if we had more space to
work, I would include them (most likely as a pair). Auditing files is very important. Not
sure if they make this cut.
James Voorhees:
Given that it cannot be run remotely, it does not meet one of the criteria of a good tool
(p. 11). This is one case where another tool, like
DumpReg, would clearly be better.
Consensus:
This tool does not meet the criteria of a good tool because of the
lack of a remote execution option. This tool will not be included.
perms.exe
This tool displays permissions on a file or directory for a local NTFS file system volume on
Windows 2003 Server. This tool may replace xcacls.exe or it may produce identical
information… more research is needed.
http://technet2.microsoft.com/WindowsServer/en/library/c84df90e-7ef6-470e-b564656e2547186a1033.mspx?mfr=true
Rodney Caudle:
This is the Windows 2003 version of xcacls.exe I believe.
The two tools could be combined into one section of the learning object to demonstrate
auditing of file permissions. Or one could be used and the other mentioned. However,
lack of a remote capability is troubling.
Eric Conrad:
(is there a halfway smiley between thumbs up and
down?). This tool and xcacls.exe seem useful as a pair, and if we had more space to
work, I would include them (most likely as a pair). Auditing files is very important. Not
sure if they make this cut.
James Voorhees:
From what I can find out, this gets the permissions for a single user only.
Consensus:
This tool does not meet the criteria of a good tool because of the
lack of a remote execution option. This tool will not be included.
dommon.exe
This tool displays secure channels (trust relationships) between domain controllers of a
Windows NT 4.0 domain. This may not work for future versions, more research is
needed to determine if the functionality has been replaced. This would be useful for
auditing if it could be automated.
http://support.microsoft.com/kb/158388/EN-US/
Rodney Caudle:
This is a monitoring tool and listens for NT 4.0 Trust
relationships for PDCs and BDCs. Since PDCs and BDCs are replaced by Active
Directory Servers and the relationships for ADS are automatically calculated using
Microsoft Pixie Dust 4.0 we should drop this utility from the slide.
Eric Conrad:
Better tools (such as Nltest.exe) are available directly from
Microsoft (for free, for the poor man’s audit).
http://support.microsoft.com/kb/158388/EN-US/
James Voorhees:
Dommon is inadequate. The version from the Win 2k toolkit
only gives a GUI, and the data is on the status of the DCs (replication status, connection
to PDC[sic], etc.). From what I can gather from
http://support.microsoft.com/kb/158148/EN-US/ (different KB article), Nltest.exe collects
only a minimal amount of data that would be useful in an audit.
Consensus:
This tool is inadequate due to its lack of a command line interface and
its role as an active listener. For the scope of this learning object active listeners are not
appropriate.
Project Plan
Once consensus has been reached on the tools to include in the slides each tool needs to be
researched and information for the slide and notes section included. This information will be
collapsed back into a single set of 10 slides and submitted for initial review.
Individual Research (08/28/2006 ~ 09/03/2006)
During this phase each group member will conduct individual research on a subset of the tools
listed above. During this stage each group member will be in charge of dividing the collected
information into summary points (main slide) and supporting data (notes section). This will more
easily allow consolidation in the next step.
Rodney Caudle:
research dumpel.exe
Eric Conrad:
research regdump.exe
James Voorhees:
research netsvc.exe
research addusers.exe
Status:
COMPLETED
Research showed that another tool, sclist.exe, would be easier to use and provide data in a better
format than netsvc.exe, with sc.exe as a second alternative. In addition, regdump.exe will be
replaced with reg.exe, which is more readily available. The group is concerned about
proposing tools that are not readily available with Windows or for which no download link from an
authorized site can be found.
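As an added illustration of the baselining use the group has in mind for sc.exe (this is example code written for this summary, not part of the project's slides or any Microsoft tool), the following Python stands in for the "little bit of Perl" mentioned earlier: it parses the text that `sc.exe \\host query state= all` prints into a service-to-state map and diffs two such baselines. The sample output is constructed to mimic sc.exe's layout, and the hostname in `capture_baseline` is an assumption; Python 3.8 or later is assumed.

```python
# Added example (not from the group's project): parse "sc.exe \\host query
# state= all" output into a {service: state} baseline and diff two baselines.
import re
import subprocess

_NAME = re.compile(r"^\s*SERVICE_NAME:\s*(\S+)")
_STATE = re.compile(r"^\s*STATE\s*:\s*\d+\s+(\w+)")


def parse_sc_query(text):
    """Pair each SERVICE_NAME block with its STATE (RUNNING, STOPPED, ...)."""
    services, current = {}, None
    for line in text.splitlines():
        if m := _NAME.match(line):
            current = m.group(1)
        elif current and (m := _STATE.match(line)):
            services[current], current = m.group(1), None
    return services


def capture_baseline(host):
    """Query a remote service controller (Windows only; hostname is assumed)."""
    out = subprocess.run(["sc.exe", "\\\\" + host, "query", "state=", "all"],
                         capture_output=True, text=True, check=True).stdout
    return parse_sc_query(out)


def diff_baselines(old, new):
    """Return (service, old_state, new_state) for each difference; 'ABSENT' marks a
    service seen on only one side, i.e. an unexpected new or removed service."""
    return [(n, old.get(n, "ABSENT"), new.get(n, "ABSENT"))
            for n in sorted(set(old) | set(new))
            if old.get(n, "ABSENT") != new.get(n, "ABSENT")]


# Constructed sample mimicking sc.exe's layout (real output also carries TYPE,
# WIN32_EXIT_CODE and similar lines, which the parser simply ignores).
SAMPLE_OLD = """\
SERVICE_NAME: Spooler
DISPLAY_NAME: Print Spooler
        STATE              : 4  RUNNING
SERVICE_NAME: wuauserv
DISPLAY_NAME: Automatic Updates
        STATE              : 1  STOPPED
"""
SAMPLE_NEW = SAMPLE_OLD.replace("1  STOPPED", "4  RUNNING") + """\
SERVICE_NAME: newsvc
DISPLAY_NAME: Unknown Helper
        STATE              : 4  RUNNING
"""
```

Running `diff_baselines(parse_sc_query(SAMPLE_OLD), parse_sc_query(SAMPLE_NEW))` reports newsvc as ABSENT -> RUNNING and wuauserv as STOPPED -> RUNNING, which is the kind of change a periodic audit should flag for follow-up.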
Research Consolidation and Review (09/04/2006 ~ 09/08/2006)
During this phase the group will meet (virtually) to turn in the information collected through their
individual research. A copy of the researched information will be handed over to each group
member. Each group member will be tasked with reviewing the information and a consensus will
be made to determine how many slides to dedicate to each of the tools.
Rodney Caudle:
forward research information to Eric,James
build slides for dumpel.exe
Eric Conrad:
forward research information to James,Rodney
build slides for regdump.exe
James Voorhees:
forward research information to Rodney,Eric
build slides for netsvc.exe and addusers.exe
Status:
COMPLETED
On finding that sclist.exe cannot be downloaded from Microsoft or any other clearly authorized
site, the group decided that the secondary alternative tool, sc.exe, would be used in its place.
Sc.exe is readily available and ships as part of Windows 2003 and Windows XP. The last minute
replacement of sclist.exe with sc.exe required that the schedule be adjusted. As we could still
make our deadline for delivery, the group agreed that the new slides would be submitted to the
group for review on the morning of 09/09/06.
Draft Build, Review (09/04/2006 ~ 09/08/2006)
During this phase each group member will be in charge of building the determined number of
slides for the tool(s) they originally researched. These slides will be consolidated into a single set
of slides for Draft submission. The group will meet (virtually) to review the completed set of slides
prior to submission. Once the group has reached consensus the slides will be ready for draft
submission.
Rodney Caudle:
forward slides to Eric for consolidation
review slides and provide feedback
Eric Conrad:
consolidate slides from Jim and Rodney
redistribute for review and consolidate comments
James Voorhees:
forward slides to Eric for consolidation
review slides and provide feedback
Status:
COMPLETED
Draft Submission – Deliverable #2 (09/10/2006)
During this phase the consolidated draft version of the deliverable is submitted to SANS for
review. If any revisions are requested additional steps will be needed to provide for enhanced
research and updating of the draft.
Rodney Caudle:
N/A
Eric Conrad:
Submit slides for initial review, cc other members
James Voorhees:
N/A
Status:
COMPLETED
Due to scheduling conflicts Rodney Caudle will submit this deliverable instead of Eric
Conrad.
Review and Update (2006-09-14)
During this phase any updates or revisions will be processed by the member of the group
originally responsible for the slides. In the case that the group member is unavailable to perform
the revisions another group member may elect to fill in for the group member to facilitate the
process. The group will meet (virtually) to finalize and accept any changes that were made based
on the recommendations.
Rodney Caudle:
review comments, update slides and forward to others for review
Eric Conrad:
review comments, update slides and forward to others for review
James Voorhees:
review comments, update slides and forward to others for review
Status:
IN-PROGRESS
We have incorporated comments and feedback from the draft submission. The following
slides have been changed either partially or significantly: 1,3,4,5,8,9,10
Final Submission (2006-09-14)
During this phase any updates or revisions will be processed by the member of the group
originally responsible for the slides. In the case that the group member is unavailable to perform
the revisions another group member may elect to fill in for the group member to facilitate the
process.
Rodney Caudle:
N/A
Eric Conrad:
Submit final version of slides
James Voorhees:
N/A
Status:
NOT STARTED
This project plan can be amended at any time by a majority vote
within the group members. Changes should be submitted to the
group via email and, once a consensus is reached, the changes
will be added to the project plan.