SANS Joint Written Project August 22nd, 2006 Rodney Caudle Eric Conrad James Voorhees Task 1: Group meets virtually to discuss which are the most important tools in the context of auditing as defined in this module and why. Please summarize your discussion. We met virtually over the week of August 20th to 25th holding discussions via email on the merit of the tools listed on the slides 21 and 22 of the powerpoint. A summary list of each tool and their merits are listed below. Each group member received a section to capture their thoughts on each of the tools. The consensus reflects the group decision to include or exclude each tool. Dumpel.exe This tool is used to dump or query logs from local/remote system and export as tab separated file. http://support.microsoft.com/kb/274305/EN-US/ Rodney Caudle: This tool would be useful for remotely querying log information from a central location. However, for newer versions of Windows this is probably replaced with the WSH capability. Since this is difficult to add to baseline information if we need space I’d leave this out. Eric Conrad: slide 10. Auditing logs is critical; addresses ‘Other checks’ bullet on James Voorhees: As Rodney says, this has been replaced by scripting in Windows 2003. It works well in Win 2k. It only does one box at a time (that's true of most of these). Plus the syntax (like most things about Windows logs) is a little cryptic. Consensus: This is a useful tool and should be included for further research. netsvc.exe This tool is used to control/query services. http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q140378& Rodney Caudle: This tool would be useful for remotely querying running service information from a central location. However, I think the sc.exe tool would provide better information and this tool should be updated to reflect sc.exe or a newer version of the tool. Eric Conrad: Seems partnered with sc.exe in the sites I researched. Given that’s networkable, and can document drivers and running services (addresses ‘running services’ bullet on slide 9), it seems like a winner. James Voorhees: But I vote to just use sclist.exe. It does show running services. Netsvc make no distinction. sclist.exe, which seems made for auditing—it is the simplest of the three tools mentioned here and gives simple output. Sc.exe gives more information, but most of it extraneous to the purpose. Consensus: This is useful functionality to have but newer tools make netsvc.exe replaceable. Further research will replace this tool with the appropriate tool for the job. addusers.exe This tool automates the creation of a large number of users using a bulk load technique. In addition it allows the dumping of the user and group information to a delimited file. http://support.microsoft.com/?kbid=199878 Rodney Caudle: I like this tool and think it should be used unless there is another way to query user information that is more efficient or works better with Windows 2003. This tool lists support for Windows 2000 and Windows NT 4.0. No mention of Windows 2003 so it would need to be researched. Eric Conrad: Running this against a PDC or BDC to audit all global account information would provide critical auditing information (addressing the “new users or groups” bullet on slide 9. James Voorhees: For Win2003, there is a sample script AddUsers.wsf in the Automation Toolkit. The output I got from running addusers.exe against a domain controller is a little scruffy, with too much extraneous information. Consensus: The functionality is good but newer scripts have replaced this. Further research will propose the correct tool for the job with examples. rasusers.exe This tool enumerates SAM db to determine who has dialin capabilities. http://wettberg.home.texas.net/rasusers.htm Rodney Caudle: Determining which users have remote access capability could be important but with the acceptance of ADS and LDAP directories this information is readily available from other sources. There have been some issues with rasusers stopping after 5000 users (http://support.microsoft.com/kb/176964/en-us) so its benefit may be of limited interest. Also the tool shipped with NT 4.0 and queries the SAM DB so the functionality has probably been replaced or not used in future versions. I would pass on this tool. Eric Conrad: RAS auditing is important, but given limited space to discuss these tools; I feel other tools are more worthy of slide ‘real estate’. James Voorhees: I concur, other things are more important. Consensus: This tool is not as important as other tools in the list. This information is available in other places and represents a single attribute of a user. For the scope of this learning object this is too focused and a more broad focus is needed. raslist.exe This tool displays RAS server announces from a network by actively monitoring on all interfaces where the server is run. This tool is based on broadcast announcements occurring from various servers. http://www.activexperts.com/activmonitor/windowsmanagement/reskit2000/ Rodney Caudle: Interestingly I could not find any information by searching Microsoft’s Knowledge Base. A search on google showed several links referencing the Windows 2000 Resource Kit that this was included with. This is more of a monitoring tool and requires an active listener. I would pass on this tool since this information is probably readily available from other sources (searching for specific services). Eric Conrad: RAS auditing is important, but given limited space to discuss these tools; I feel other tools are more worthy of slide ‘real estate’. James Voorhees: Once again, I concur. Consensus: This tool is not as important as other tools in the list. This is an active listener and for the scope of this learning object active listeners are not appropriate. sysdiff.exe This too is used to preinstall applications as part of an automated setup. Sysdiff is not included with Windows XP. Support is listed for Windows NT only. http://support.microsoft.com/?kbid=156795 Rodney Caudle: This is of little use for auditing purposes. Possibly no support past NT 4.0 and doesn’t add to the information needed for base lining an environment. Skip this tool. Eric Conrad: Apparently not available for XP (http://support.microsoft.com/?kbid=298389), which limits its usefulness for many environments. James Voorhees: I agree that this is of little use in auditing. Consensus: This tool is not appropriate for auditing because the functionality of this tool does not align with any of the objectives. regdump.exe This utility dumps the registry on local or remote system. http://www.lbl.gov/cyber/systems/nt-tools.html Rodney Caudle: This tool would be useful to compare differences between two versions of the registry. While not as useful for finding information if a difference is discovered it can be looked into more carefully. Other tools like scanreg.exe or regfind.exe provide more searching capabilities but this tool would probably be more useful for base lining. Eric Conrad: Tracking registry changes is important from a security and auditing standpoint and addresses the ‘unsuspected registry changes’ on slide 9. James Voorhees: Registry change are important to track. I could not find the tool on the Microsoft site, nor the actual tool on the Berkeley Lab site linked to. So I question whether it is a tool easily available and, of course, I'm not sure whether the output will serve our purpose. Consensus: This tool is appropriate for tracking changes to the registry. Further research may yield a replacement tool with more appropriate formatting or functionality. xcacls.exe This tool allows the user to display or modify ACLs in NTFS filesystems. This tool cannot be run remotely and probably requires administrative access. http://support.microsoft.com/?kbid=318754 Rodney Caudle: This is very helpful to be able to audit this level of permissions with a script. Automating the query using the “/T” option would recursively display information for a set of folders and files. The format is not the best but with a little bit of Perl the information could be extracted. The lack of remote capability is troubling as well. Eric Conrad: (is there a halfway smiley between thumbs up and down?). This tool and perms.exe seem useful as a pair, and if we had more space to work, I would include them (most likely as a pair). Auditing files is very important. Not sure if they make this cut. James Voorhees: Given that it cannot be run remotely, and thus does not meet one of the criteria of a good tool (p. 11). This is one case where another tool, like DumpReg, would clearly be better. Consensus: This tool does not meet the criteria of a good tool because of the lack of a remote execution option. This tool will not be included. perms.exe This tool displays permissions on a file or directory for a local NTFS file system volume on Windows 2003 Server. This tool may replace xcalcs.exe or it may produce identical information… more research is needed. http://technet2.microsoft.com/WindowsServer/en/library/c84df90e-7ef6-470e-b564656e2547186a1033.mspx?mfr=true Rodney Caudle: This is the Windows 2003 version of xcalcs.exe I believe. The two tools could be combined into one section of the learning object to demonstrate auditing of file permissions. Or one could be used and the other mentioned. However, lack of a remote capability is troubling. Eric Conrad: (is there a halfway smiley between thumbs up and down?). This tool and xcacls.exe seem useful as a pair, and if we had more space to work, I would include them (most likely as a pair). Auditing files is very important. Not sure if they make this cut. James Voorhees: single user only. From what I can find out, this gets the permissions for a Consensus: This tool does not meet the criteria of a good tool because of the lack of a remote execution option. This tool will not be included. dommon.exe This tool displays secure channels (trust relationships) between domain controllers of a Windows NT 4.0 domain. This may not work for future versions, more research is needed to determine if the functionality has been replaced. This would be useful for Auditing if it could be automated. http://support.microsoft.com/kb/158388/EN-US/ Rodney Caudle: This is a monitoring tool and listens for NT 4.0 Trust relationships for PDCs and BDCs. Since PDCs and BDCs are replaced by Active Directory Servers and the relationships for ADS are automatically calculated using Microsoft Pixie Dust 4.0 we should drop this utility from the slide. Eric Conrad: Better tools (such as Nltest.exe) are available directly from Microsoft (for free, for the poor man’s audit). http://support.microsoft.com/kb/158388/EN-US/ James Voorhees: Dommon is inadequate. The version from the Win 2k toolkit only gives a GUI, and the data is on the status of the Dcs (replication status, connection to PDC[sic], etc. From what I can gather from http://support.microsoft.com/kb/158148/EN-US/ (different KB article), Nltest.exe collects only a minimal amount of data that would be useful in an audit. Consensus: This tool is inadequate due to lack of a command line interface and it’s role as an active listener. For the scope of this learning object active listeners are not appropriate. Project Plan Once consensus has been reached on the tools to include in the slides each tool needs to be researched and information for the slide and notes section included. This information will be collapsed back into a single set of 10 slides and submitted for initial review. Individual Research (08/28/2006 ~ 09/03/2006) During this phase each group member will conduct individual research on a subset of the tools listed above. During this stage each group member will be in charge of dividing the collected information into summary points (main slide) and supporting data (notes section). This will more easily allow consolidation in the next step. Rodney Caudle: research dumpel.exe Eric Conrad: research regdump.exe James Voorhees: research netsvc.exe research addusers.exe Status: COMPLETED Research showed that another tool, sclist.exe would be easier to use and provide data in a better format than netsvc.exe with a second alternative of sc.exe. In addition regdump.exe will be replaced with a tool reg.exe which is more readily available. The group is concerned with proposing tools that are not readily available with Windows or a link to download the tool from an authorized site can be found. Research Consolidation and Review (09/04/2006 ~ 09/08/2006) During this phase the group will meet (virtually) to turn in the information collected through their individual research. A copy of the researched information will be handed over to each group member. Each group member will be tasked with reviewing the information and a consensus will be made to determine how many slides to dedicate to each of the tools. Rodney Caudle: forward research information to Eric,James build slides for dumpel.exe Eric Conrad: forward research information to James,Rodney build slides for regdump.exe James Voorhees: forward research information to Rodney,Eric build slides for netsvc.exe and addusers.exe Status: COMPLETED On finding that sclist.exe cannot be downloaded from Microsoft or any other clearly authorized site, the group decided that the secondary alternative tool, sc.exe, would be used in its place. Sc.exe is readily available and ships as part of Windows 2003 and Windows XP. The last minute replacement of sclist.exe with sc.exe required that the schedule be adjusted. As we could still make our deadline for delivery, the group agreed that the new slides would be submitted to the group for review on the morning of 09/09/06. Draft Build, Review (09/04/2006 ~ 09/08/2006) During this phase each group member will be in charge of building the determined number of slides for the tool(s) they originally researched. These slides will be consolidated into a single set of slides for Draft submission. The group will meet (virtually) to review the completed set of slides prior to submission. Once the group has reached consensus the slides will be ready for draft submission. Rodney Caudle: forward slides to Eric for consolidation review slides and provide feedback Eric Conrad: consolidate slides from Jim and Rodney redistribute for review and consolidate comments James Voorhees: forward slides to Eric for consolidation review slides and provide feedback Status: COMPLETED Draft Submission – Deliverable #2 (09/10/2006) During this phase the consolidated draft version of the deliverable is submitted to SANS for review. If any revisions are requested additional steps will be needed to provide for enhanced research and updating of the draft. Rodney Caudle: N/A Eric Conrad: Submit slides for initial review, cc other members James Voorhees: N/A Status: COMPLETED Due to scheduling conflicts Rodney Caudle will submit this deliverable instead of Eric Conrad. Review and Update (2006-09-14) During this phase any updates or revisions will be processed by the member of the group originally responsible for the slides. In the case that the group member is unavailable to perform the revisions another group member may elect to fill in for the group member to facilitate the process. The group will meet (virtually) to finalize and accept any changes that were made based on the recommendations. Rodney Caudle: review comments, update slides and forward to others for review Eric Conrad: review comments, update slides and forward to others for review James Voorhees: review comments, update slides and forward to others for review Status: IN-PROGRESS We have incorporated comments and feedback from the draft submission. The following slides have been changed either partially or significantly: 1,3,4,5,8,9,10 Final Submission (2006-09-14) During this phase any updates or revisions will be processed by the member of the group originally responsible for the slides. In the case that the group member is unavailable to perform the revisions another group member may elect to fill in for the group member to facilitate the process. Rodney Caudle: N/A Eric Conrad: Submit final version of slides James Voorhees: N/A Status: NOT STARTED This project plan can be amended at any time by a majority vote within the group members. Changes should be submitted to the group via email and, once a consensus is reached, the changes will be added to the project plan.