Travis Schack, CISSP - ISACA Denver Chapter

Auditing Toolkit for
Windows NT and 2000
Denver ISACA
April 25, 2003
Travis Schack, CISSP
Travis@Vitalisec.com
Audit Areas
• System Information
• Patches/Hotfixes
• Scheduled Tasks
• Registry Permissions
• Registry Values
• User Accounts
• Group Accounts
• User Rights
• Account Policies
• Auditing
• Log Settings
• Event Log
• Services
• Service Permissions
• Processes
• Drives
• Share Permissions
• Directory Permissions
• Device Drivers
• Printer Permissions
• Remote Access
• Trusted Relationships
Tool Types
• OS
• Resource Kit
• 3rd Party
• Local
• Remote
• GUI
• Command Line
NT vs. 2000
WinNT vs. Win2k
• Most of the core features of the architecture and
object-oriented design of Win2k came from WinNT.
• Win2k is a tuned, tweaked, and extended WinNT, but it is not new.
• Security – Active Directory, Group
Policies, Encrypted File System, Kerberos,
CryptoAPI, IP Security, PKI, and Kernel
security enhancements.
Overview of Windows Security
System Architecture
[Diagram on the original slide, labelled "Kernel Mode (0-2 GB)" and "User Mode (2-4 GB)". User-mode boxes: DOS client, Windows16 client (WOW), Windows32 client, Other clients (OS/2, Posix, RAS), Logon process (Winlogon), Security subsystem (LSA), Windows32 subsystem, Other subsystems (OS/2, Posix, RAS), VDM. Kernel-mode boxes: Executive Services (I/O Mgr, Obj Mgr, SRM, LPC Facility, Proc Mgr, VMM, GDI, Win32, P&P, Pwr Mgr, Cfg Mgr, Cache Mgr), Micro Kernel, Hardware Abstraction Layer (HAL), Hardware.]
Auditing System Information
Useful Commands
Command                    Results
ver                        Displays the Windows version
set                        Displays Windows environment variables
ipconfig /all              Shows detailed IP configuration
nbtstat -an                Local server name, MAC address, domain, logged on user
nbtstat -A / nbtstat -a    Remote server name, MAC address, domain, logged on user
netstat -rn / route print  Display routing table
netstat -an                Displays all connections and listening ports
findstr                    Searches for strings in files, can use regular expressions
find                       Searches for a text string in a file or files
comp                       Compares the contents of two files or sets of files byte to byte
fc                         Compares two files or sets of files and displays the differences between them
Windows Command Reference
• http://www.microsoft.com/windows2000/en/server/help/default.asp?url=/windows2000/en/server/help/ntcmds.htm
netstat -an (Ports)
• IANA port assignments
– http://www.isi.edu/in-notes/iana/assignments/port-numbers
• Possible Trojans
– http://www.simovits.com/nyheter9902.html
Environment Variables - set
ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Roger Rabbit\Application Data
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=Acme-Lap
ComSpec=C:\WINNT\system32\cmd.exe
DIRCMD=/o/a
HOMEDRIVE=H:
HOMEPATH=\
HOMESHARE=\\carrot\Roger Rabbit$
include=C:\Program Files\Microsoft Visual Studio\VC98\atl\include;C:\Program Files\Microsoft Visual Studio\VC98\mfc\include;C:\Program Files\Microsoft Visual Studio\VC98\include
lib=C:\Program Files\Microsoft Visual Studio\VC98\mfc\lib;C:\Program Files\Microsoft Visual Studio\VC98\lib
LOGONSERVER=\\Acme-Lap
MSDevDir=C:\Program Files\Microsoft Visual Studio\Common\MSDev98
NUMBER_OF_PROCESSORS=1
ORACLE_HOME=c:\oracle\ora81
OS=Windows_NT
Os2LibPath=C:\WINNT\system32\os2\dll;
Path=C:\oracle\ora81\bin;C:\Program Files\Oracle\jre\1.1.7\bin;C:\WINNT\system32;C:\WINNT;C:\WINNT\System32\Wbem;C:\PROGRA~1\MICROS~2\Office;C:\perl\bin;c:\sectools;C:\Program Files\Common Files\Adaptec Shared\System;C:\MSSQL7\BINN;C:\Program Files\Resource Pro Kit\;C:\NTOFW;C:\Program Files\Microsoft Visual Studio\Common\Tools\WinNT;C:\Program Files\Microsoft Visual Studio\Common\MSDev98\Bin;C:\Program Files\Microsoft Visual Studio\Common\Tools;C:\Program Files\Microsoft Visual Studio\VC98\bin
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 6, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0806
ProgramFiles=C:\Program Files
PROMPT=$P$G
SMS_LOCAL_DIR=C:\WINNT
SystemDrive=C:
SystemRoot=C:\WINNT
TEMP=C:\Temp
TMP=C:\Temp
USERDOMAIN=Acme
USERNAME=Roger Rabbit
USERPROFILE=C:\Documents and Settings\Roger Rabbit
windir=C:\WINNT
nbtstat -an (local)
Local Area Connection:
Node IpAddress: [192.168.0.1] Scope Id: []
           NetBIOS Local Name Table
       Name               Type         Status
    ---------------------------------------------
    Acme-Lap       <00>  UNIQUE      Registered
    Acme           <00>  GROUP       Registered
    Acme           <1E>  GROUP       Registered
    Acme           <1D>  UNIQUE      Registered
    ..__MSBROWSE__.<01>  GROUP       Registered
    Carrot         <00>  GROUP       Registered
nbtstat -A <IP>
Local Area Connection:
Node IpAddress: [192.168.0.1] Scope Id: []
           NetBIOS Remote Machine Name Table
       Name               Type         Status
    ---------------------------------------------
    Acme-PDC       <00>  UNIQUE      Registered
    Acme-PDC       <20>  UNIQUE      Registered
    Acme           <00>  GROUP       Registered
    Acme           <1C>  GROUP       Registered
    Carrot         <00>  GROUP       Registered
    Acme           <1B>  UNIQUE      Registered
    Acme           <1E>  GROUP       Registered
    Acme-PDC       <03>  UNIQUE      Registered
    Acme           <1D>  UNIQUE      Registered
    ..__MSBROWSE__.<01>  GROUP       Registered
    Acme-PDC       <01>  UNIQUE      Registered
    MAC Address = 00-80-5F-65-AC-A8
Meaning of NetBIOS Names
Value   Meaning or Status
00      Computer names and workgroup names
01      Master Browser
03      Messaging/alerter service; username of user with logon session
20      Names of available resources on server
1B      Name of domain master browser
1C      Name of domain controller
1E      Response to election announcement
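The suffix table above is what an auditor applies to the nbtstat listings on the previous slides. The following Python script, added here as an example and not part of the original presentation, parses such a listing and answers the questions the slides raise (host name, domain, domain-controller role, server service, logged-on user, MAC address); the sample listing is constructed from the Acme-PDC slide with one logged-on user entry (RROGER) added.

```python
# Added example for this section (not from the original presentation): parse
# the name table printed by "nbtstat -A <IP>" / "nbtstat -an" and annotate each
# entry with the suffix meaning from the table above, so the auditor can read
# off host name, domain, domain-controller role, server service and logged-on
# user without decoding <xx> suffixes by hand.
import re
from typing import Dict, List

# Suffix meanings exactly as listed in the table above.
NETBIOS_SUFFIX: Dict[str, str] = {
    "00": "Computer names and workgroup names",
    "01": "Master Browser",
    "03": "Messaging/alerter service; username of user with logon session",
    "20": "Names of available resources on server",
    "1B": "Name of domain master browser",
    "1C": "Name of domain controller",
    "1E": "Response to election announcement",
}

# Constructed sample modelled on the Acme-PDC slide, with one logged-on user
# (RROGER <03>) added so the user-name case is exercised.
SAMPLE_NBTSTAT = """\
Local Area Connection:
Node IpAddress: [192.168.0.1] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    ACME-PDC       <00>  UNIQUE      Registered
    ACME-PDC       <20>  UNIQUE      Registered
    ACME           <00>  GROUP       Registered
    ACME           <1C>  GROUP       Registered
    CARROT         <00>  GROUP       Registered
    ACME           <1B>  UNIQUE      Registered
    ACME           <1E>  GROUP       Registered
    ACME-PDC       <03>  UNIQUE      Registered
    ACME           <1D>  UNIQUE      Registered
    ..__MSBROWSE__.<01>  GROUP       Registered
    ACME-PDC       <01>  UNIQUE      Registered
    RROGER         <03>  UNIQUE      Registered

    MAC Address = 00-80-5F-65-AC-A8
"""

# One registered name, e.g. "    ACME-PDC       <20>  UNIQUE      Registered".
# The name is matched lazily because "..__MSBROWSE__." abuts its "<01>".
_NAME_RE = re.compile(r"^\s*(\S+?)\s*<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\S+)")
_MAC_RE = re.compile(r"MAC Address\s*=\s*([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})")


def parse_nbtstat(text: str) -> List[Dict[str, str]]:
    """Return one record per registered name, annotated with the suffix meaning."""
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = _NAME_RE.match(line)
        if not m:
            continue
        name, suffix, ntype, status = m.groups()
        suffix = suffix.upper()
        records.append({"name": name, "suffix": suffix, "type": ntype, "status": status,
                        "meaning": NETBIOS_SUFFIX.get(suffix, "(suffix not in table)")})
    return records


def summarize(text: str) -> Dict[str, object]:
    """Answer the audit questions the slides raise from one nbtstat listing."""
    records = parse_nbtstat(text)
    unique = [r for r in records if r["type"] == "UNIQUE"]
    group = [r for r in records if r["type"] == "GROUP"]
    # The UNIQUE <00> entry is the computer name.
    computer = next((r["name"] for r in unique if r["suffix"] == "00"), None)
    mac = _MAC_RE.search(text)
    return {
        "computer_name": computer,
        # GROUP <00> entries are the domain/workgroup names the host belongs to.
        "domains": [r["name"] for r in group if r["suffix"] == "00"],
        # A GROUP <1C> registration means this host is a domain controller for that domain.
        "domain_controller_for": [r["name"] for r in group if r["suffix"] == "1C"],
        # A UNIQUE <20> entry means the server service (shares) is available.
        "server_service": any(r["suffix"] == "20" for r in unique),
        # A UNIQUE <03> entry that is not the computer name is a logged-on user.
        "logged_on_users": [r["name"] for r in unique
                            if r["suffix"] == "03" and r["name"] != computer],
        "mac_address": mac.group(1) if mac else None,
        # Suffixes the table does not cover (the slide output shows <1D>), for follow-up.
        "unknown_suffixes": sorted({r["suffix"] for r in records
                                    if r["suffix"] not in NETBIOS_SUFFIX}),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_NBTSTAT).items():
        print(f"{key:22} {value}")
```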
find/findstr – audit tool?
• Search files for passwords, sensitive information that should be
encrypted, etc.
• Pipe output of utilities and search for specific information.
• findstr is more powerful than find.
Examples:
• Search all files on system for "password"
C:\>findstr /I /S /M "password" *.* > results.out
• Search all files on system for "password", "pwd", and "passwd"
C:\>findstr /I /S /M "password pwd passwd" *.* > results.out
• If you want to search for several different items in the same set of files, create a text file that contains each search criterion on a new line.
C:\>findstr /I /S /M /g:finddata.txt *.* > results.out
Msinfo32
• Windows 2000 includes Microsoft System Information
(Msinfo32.exe), which is an updated version of the Microsoft
Windows NT Diagnostics tool (Winmsd.exe).
• System Information displays a comprehensive view of your
hardware, system components, and software environment.
• Msinfo32.exe is located in the Program Files\Common
Files\Microsoft Shared\MSInfo folder.
Msinfo32.exe Usage:
/? - Displays the Help dialog box
/msinfo_file=filename - Opens the specified .nfo or .cab file
/nfo or /s filename - Outputs a .nfo file to the specified file
/report filename - Outputs a text-format file to the specified file
/computer computername - Connects to the specified computer
/categories (+|-)(all | categoryname) +|-(categoryname)... - Displays or
outputs specified categories
/category categoryname - Sets focus to a specific category at startup
Msinfo32 Example
• The following example gathers each high-level category into a
separate .nfo file, which can be read by Msinfo32.exe.
start /wait msinfo32.exe /nfo syssum.nfo /categories +SystemSummary
start /wait msinfo32.exe /nfo cmpnt.nfo /categories +components
start /wait msinfo32.exe /nfo swenv.nfo /categories +swenv
start /wait msinfo32.exe /nfo hwdres.nfo /categories +resources
start /wait msinfo32.exe /nfo ie.nfo /categories +internetexplorer
start /wait msinfo32.exe /nfo apps.nfo /categories +Apps
• The start /wait switch is used in the examples for batch file and/or
command-line execution from a Cmd.exe command prompt. The
start switch is required to start Msinfo32.exe and the /wait switch
does not process the next item until the current item completes.
Using the start /wait switches ensures that the computer is not
overloaded because some of the Msinfo32.exe categories can use a
large amount of CPU time.
How to start Msinfo32
Msinfo32 (local)
Msinfo32 (remote)
Click on Action and Properties
srvinfo (Resource Kit)
SrvInfo for NT
Version 2.50
=====================================================
Remotely gather information about a target server.
Assume local machine if no computer name is provided.
=====================================================
Usage: SRVINFO [[-?|-ns|-d|-v|-s] \\computer_name]
-?: Show usage
-ns: Do NOT show any service information
-d: Show service drivers and service
-v: Get version info for Exchange, IIS, SQL
-s: Show shares
Srvinfo (truncated)
C:\>srvinfo -ns
Server Name: Acme-Lap
Security: Users
NT Type: NT Advanced Server Version: 5.0
Build: 2195, Service Pack 2
Current Type: Uniprocessor Free
Product Name: Microsoft Windows 2000
Registered Owner: Acme
Registered Organization: Acme
ProductID: 51874-OEM-0000696-50052
Original Install Date: Thu Dec 31 17:47:17 1998
Domain: Acme
PDC: \\Acme-PDC
CPU[0]: x86 Family 6 Model 8 Stepping 6: 696 MHz
Dumpwin (3rd Party)
• http://www.nii.co.in/research/tools.html#sysinfo
• Command line tool (local only)
$ DumpWin
DumpWin v2.00 (Windows NT/2K)
Network Intelligence India Pvt. Ltd.
http://www.nii.co.in
Arjun Pednekar (arjunp@nii.co.in)
Parameters :
-i : List installed Programs.
-s : System Information.
-h : List shares present.
-p : List active Processes.
-g : List Local Group Accounts
-l : dumpACL
-a : All of above.
-d : Drive Information.
-m : Check for Modem Drivers.
-t : List Startup Programs.
-v : List of Services.
-u : List User Accounts.
-n : Account Lockout Policy
Dumpwin – System Information
$ DumpWin -s
=====================
System Information
=====================
Microsoft Windows 2000 Workstation version 5.0 Service Pack 2 (Build 2195)
Computer name              : Acme-Lap
User name                  : Roger Rabbit
System directory           : C:\WINNT\System32
Windows directory          : C:\WINNT
Network Card IP Address    : 0 192.168.0.1
Memory Information
Total Physical Memory(RAM) : 327152 KB
Free Physical Memory(RAM)  : 119948 KB
Total Virtual Memory       : 2097024 KB
Free Virtual Memory        : 2073252 KB
Dumpwin – System Information (cont’d)
Hardware information:
OEM ID                      : 0
Number of processors        : 1
Page size                   : 4096
Processor type              : 586
Minimum application address : 10000
Maximum application address : 7ffeffff
Active processor mask       : 1
Keyboard Manufacturer       : IBM enhanced (101- or 102-key) keyboard
No. of Function Keys        : 12
Dumpwin – Installed Software
$ DumpWin -i
=====================
List of Installed Programs
=====================
Reg Key : Ad-aware 5.83
Product : Ad-aware 5.83
Reg Key : AddressBook
Reg Key : Adobe Acrobat 5.0
Product : Adobe Acrobat 5.0
Reg Key : AOL Instant Messenger
Product : AOL Instant Messenger
Psinfo (3rd Party)
• http://www.sysinternals.com/ntw2k/freeware/pstools.shtml
• Command line tool (local or remote)
• PsInfo returns information about a local or remote Windows
NT/2000/XP system.
Usage: psinfo [-h] [-s] [-d] [-c] [\\RemoteComputer [-u Username [-p Password]]]
-u  Specifies optional user name for login to remote computer.
-p  Specifies password for user name.
-h  Show installed hotfixes.
-s  Show installed software.
-d  Show disk volume information.
-c  Print in CSV format
Psinfo – No Arguments
$ psinfo
PsInfo 1.34 - local and remote system information viewer
Copyright (C) 2001-2002 Mark Russinovich
Sysinternals - www.sysinternals.com
System information for \\Acme-Lap:
Uptime:                    1 day, 2 hours, 40 minutes, 13 seconds
Kernel version:            Microsoft Windows 2000, Uniprocessor Free
Product type:              Professional
Product version:           5.0
Service pack:              2
Kernel build number:       2195
Registered organization:   Acme
Registered owner:          Acme
Install date:              5/22/2000, 10:14:21 AM
IE version:                5.5000
System root:               C:\WINNT
Processors:                1
Processor speed:           700 MHz
Processor type:            Intel Pentium III
Physical memory:           320 MB
Psinfo – Software Installed
$ psinfo -s
System information for \\Acme-Lap:
Uptime:                    1 day, 2 hours, 58 minutes, 2 seconds
Kernel version:            Microsoft Windows 2000, Uniprocessor Free
Product type:              Professional
Product version:           5.0
Service pack:              2
Kernel build number:       2195
Registered organization:   Acme
Registered owner:          Acme
Install date:              5/22/2000, 10:14:21 AM
IE version:                5.5000
System root:               C:\WINNT
Processors:                1
Processor speed:           700 MHz
Processor type:            Intel Pentium III
Physical memory:           320 MB
Applications:
AOL Instant Messenger
ATI Display Driver Utilities
ATI Win2k Display Driver
ActivePerl 5.6.1 Build 633 5.6.633
Ad-aware 5.83 5.83
Adobe Acrobat 5.0 5.0
Patches/Hotfixes
Psinfo – Hotfixes
$ psinfo -h
System information for \\Acme-Lap:
Uptime:                    1 day, 2 hours, 55 minutes, 53 seconds
Kernel version:            Microsoft Windows 2000, Uniprocessor Free
Product type:              Professional
Product version:           5.0
Service pack:              2
Kernel build number:       2195
Registered organization:   Acme
Registered owner:          Acme
Install date:              5/22/2000, 10:14:21 AM
IE version:                5.5000
System root:               C:\WINNT
Processors:                1
Processor speed:           700 MHz
Processor type:            Intel Pentium III
Physical memory:           320 MB
OS Hot Fix                 Installed
Q147222                    1/1/1999
Q295688                    4/15/2002
Q296185                    11/21/2002
Q298012                    9/7/2001
Q299553                    11/21/2002
Q300845                    4/15/2002
Microsoft Baseline Security Analyzer
(MBSA)
• http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/Tools/MBSAhome.asp
• Command line or GUI - Administrator access is required
• The Microsoft® Baseline Security Analyzer (MBSA) is a tool that
allows users to scan one or more Windows®-based computers for
common security misconfigurations.
• MBSA determines which critical security updates are applied to a
system by referring to an Extensible Markup Language (XML) file
(mssecure.xml) that's continuously updated by Microsoft and using
the HFNetChk tool technology.
• Windows NT 4.0
• Windows 2000
• Windows XP
• Internet Explorer 5.01 and later
• Windows Media Player 6.4 and later
• IIS 4.0 and 5.0
• SQL Server 7.0 and 2000 (including Microsoft Data Engine)
• Exchange 5.5 and 2000 (including Exchange Admin Tools)
Microsoft Baseline Security Analyzer
Command Line
C:\Program Files\Microsoft Baseline Security Analyzer>mbsacli /?
Examples:
MBSACLI
MBSACLI /n Password
MBSACLI /c MyDomain\MyComputer /n Password+Updates+SQL
MBSACLI /d MyDomain
MBSACLI /i 200.0.0.1
MBSACLI /r "200.0.0.1-200.0.0.50"
MBSACLI /l
MBSACLI /ld "Domain - Computer (03-01-2002 12-00 AM)"
MBSACLI /f "C:\results.txt"
MBSACLI /sus "http://corp_sus"
MBSACLI /hf -?
Microsoft Baseline Security Analyzer
Command Line
C:\Program Files\Microsoft Baseline Security Analyzer>mbsacli
Version 1.1
Engine version 3.7.0.5
Security update checker version 3.81.0.9
Attempting to load XML from
https://www.microsoft.com/technet/security/search/mssecure.xml
XML successfully loaded.
===============================================================
Scan performed Mon Mar 17 05:25:58 2003
Using XML data version = 1.0.1.464 Last modified on 2/25/2003.
Scanning...
[          ] 0 of 1 computer scan(s) complete.
[..........] 1 of 1 computer scan(s) complete.
Scan Complete.
Computer Name, IP Address, Assessment, Report Name
-------------------------------------------------------------------------------
\Acme-Lap, 192.168.0.1, Severe Risk, Acme – Acme-Lap (03-17-2003 05-27 AM)
Microsoft Baseline Security Analyzer
Command Line
C:\Program Files\Microsoft Baseline Security Analyzer>MBSACLI /hf
--------------------------------------
Acme-Lap (192.168.0.1)
--------------------------------------
* WINDOWS 2000 SP2
Warning
The latest service pack for this product is not installed.
Currently SP2 is installed. The latest service pack is SP3.
Note             MS01-022   296441
Note             MS02-008   318202
Note             MS02-008   318203
Note             MS02-008   317244
Note             MS02-053   324096
Patch NOT Found  MS02-055   323255
Note             MS02-064   327522
Note             MS02-065   329414
* INTERNET EXPLORER 5.5 SP2
Warning          MS02-009   318089
* WINDOWS MEDIA PLAYER 7.1 GOLD
Information      All necessary hotfixes have been applied.
Auditing Scheduled Tasks
OS command - at
• The AT command schedules commands and programs to run on a
computer at a specified time and date.
• The Schedule service must be running to use the AT command.
AT [\\computername] [ [id] [/DELETE] | /DELETE [/YES]]
AT [\\computername] time [/INTERACTIVE]
    [ /EVERY:date[,...] | /NEXT:date[,...]] "command"
• Run at from command line to view current schedule
Great tool to run periodic audits!
Resource Kit – jt.exe
• http://www.jsifaq.com/subf/tip2600/rh2621.htm
• The Microsoft ® Task Scheduler Command Line Utility, jt.exe, allows
you to manage the Task Scheduler from the command line.
Examples
C:\>jt /se
[TRACE] Enumerating jobs and queues
JSI005_State.job
Windows Critical Update Notification.job
C:\>jt /se p
[TRACE] Enumerating jobs and queues
[TRACE] Activating job 'JSI005_State.job'
[TRACE] Printing all job properties
Resource Kit – jt.exe
Generate a CSV file of scheduled tasks and their credentials
• http://www.jsifaq.com/SUBL/tip5700/rh5712.htm
• Batch file called Credentials.bat
The CSV file contains:
"\\ComputerName","Credentials","JobName"
The syntax for using Credentials.bat is:
Credentials ComputerName ReportFile
where:
ComputerName is the NetBIOS computer name, without leading \\.
ReportFile is the path to the output CSV file.
dumpwin (3rd Party)
Auditing Registry Permissions
Registry
• A central hierarchical database used in Microsoft Windows 9x,
Windows CE, Windows NT, and Windows 2000 used to store
information necessary to configure the system for one or more
users, applications and hardware devices.
• The Registry contains information that Windows continually
references during operation, such as profiles for each user, the
applications installed on the computer and the types of documents
that each can create, property sheet settings for folders and
application icons, what hardware exists on the system, and which
ports are being used.
• The Registry replaces most of the text-based .ini files used in
Windows 3.x and MS-DOS configuration files, such as the
Autoexec.bat and Config.sys. Although the Registry is common to
several Windows platforms, there are some differences among
them.
• The Registry isn't simply one large file but a set of discrete files called hives.
Registry Root Keys
Key                  Description
HKEY_CLASSES_ROOT    Symbolic link to HKEY_LOCAL_MACHINE\SOFTWARE\Classes.
HKEY_CURRENT_USER    Symbolic link to a key under HKEY_USERS representing a user's profile hive.
HKEY_LOCAL_MACHINE   Placeholder with no corresponding physical hive. This key contains other keys that are hives.
HKEY_USERS           Placeholder that contains the user-profile hives of logged-on accounts.
HKEY_CURRENT_CONFIG  Symbolic link to the key of the current hardware profile under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware Profiles.
HKEY_DYN_DATA        Placeholder for performance data lookups. This key has no corresponding physical hive.
Hive Registry Paths
Hive Registry Path               Hive File Path
HKEY_LOCAL_MACHINE\SYSTEM        \winnt\system32\config\system
HKEY_LOCAL_MACHINE\SAM           \winnt\system32\config\sam
HKEY_LOCAL_MACHINE\SECURITY      \winnt\system32\config\security
HKEY_LOCAL_MACHINE\SOFTWARE      \winnt\system32\config\software
HKEY_LOCAL_MACHINE\HARDWARE      Volatile hive
HKEY_LOCAL_MACHINE\SYSTEM\Clone  Volatile hive
HKEY_USERS\UserProfile           Profile; usually under \winnt\profiles\users
HKEY_USERS\.DEFAULT              \winnt\system32\config\default
Slow Way!!!!
regedt32
Faster Way!!!
Resource Kit - subinacl
verbose=1
verbose=2 (default)
subinacl with wildcards
• Subinacl allows you to use wildcards for objects (all services, all
registry subkeys, etc.)
Examples
• All top-level registry keys
– subinacl /verbose=1 /keyreg * > c:\registryanalyze.txt
• Remote all top-level registry keys (authentication already in place)
– subinacl /verbose=1 /keyreg \\s-rwv2\*
• Every subkey of the Windows registry on the local system
– subinacl /verbose=1 /subkeyreg * > c:\registryanalyze.txt
Caution - processor-intensive and takes a while to execute
• Subinacl Reference Sheet
http://www.asia.cnet.com/i/it/2002/itm_downloads/Subinacl_Usage.zip
• http://www.kouti.com/samplescripts/AllConstants.vbs.txt
Fastest & Easiest Way!!!!!!
Dumpsec (3rd Party)
• http://www.somarsoft.com/
• GUI and command-line
Reports
– File System Permissions
– Registry Permissions
– Printer Permissions
– Shares Permissions
– Shared Directory Permissions
– All Shared Directories Permissions
– Users
– Groups
– Policies
– Rights
– Services
Dumpsec (3rd Party)
Select and WAIT! =)
Examples:
• DumpSec.exe c:\temp\users.dcl
  Start Somarsoft DumpSec interactively, load and display a report that was previously saved in native format in c:\temp\users.dcl.
• DumpSec.exe /rpt=dir=c:\users /showaudit /outfile=c:\temp\users.dcl
  Run Somarsoft DumpSec in batch mode, produce a report of directory permissions for the c:\users directory showing owner, permissions and audit settings, and store the report in native file format in c:\temp\users.dcl. The report will show only those directories and files whose permissions or audit settings differ from those of the parent directory.
• DumpSec.exe /computer=\\server1 /rpt=users /saveas=csv /outfile=c:\temp\users.txt
  Run Somarsoft DumpSec in batch mode, produce a report showing all user information in table format for users defined on \\server1, and store the report in comma separated columns format in c:\temp\users.txt.
• DumpSec.exe /computer=\\server1 /rpt=share=sales /outfile=c:\temp\users.dcl /showalldirs
  Run Somarsoft DumpSec in batch mode, produce a report of permissions for the \\server1\sales shared directory, showing owner and permissions but not audit settings, and store the report in native file format in c:\temp\users.dcl. The report will show all directories under the \\server1\sales tree, and only those files whose permissions differ from those of the parent directory.
Auditing Registry Values
Resource Kit - reg
reg query
reg query
reg query
reg query - remote
RestrictAnonymous
• System Key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA
• Value
RestrictAnonymous
Legal Notice
• System Key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
• Value
LegalNoticeText
Other Registry Tools
Tool      Source         Description
Regdump   Resource Kit   Dump the registry on both local and remote machines.
Regfind   Resource Kit   Find and edit registry keys.
Scanreg   Resource Kit   Search specific keys and entries on remote hosts.
regfind
http://www.winguides.com/registry/
Auditing User Accounts
Useful OS Commands
Command                        Results
net user                       Displays the current local users on the server
net user <user_name>           Displays information on local user
net user /domain               Displays current users on the domain
net user <user_name> /domain   Displays information on domain user
net user syntax
$ net user /?
The syntax of this command is:
NET USER [username [password | *] [options]] [/DOMAIN]
username {password | *} /ADD [options] [/DOMAIN]
username [/DELETE] [/DOMAIN]
net user
C:\>net user
User accounts for \\Acme-Lap
-------------------------------------------------------------------------------
Guest_Disabled
RogerRabbit
Administrator
VUSR_Acme-Lap
The command completed successfully.
C:\>net user VUSR_Acme-Lap
User name                    VUSR_Acme-Lap
Full Name                    VSA Server Account
Comment                      Account for the Visual Studio Analyzer server components
User's comment
Country code                 000 (System Default)
Account active               No
Account expires              Never
Password last set            2/7/2002 10:08 PM
Password expires             Never
Password changeable          2/7/2002 10:08 PM
Password required            No
User may change password     Yes
Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   Never
Logon hours allowed          All
Local Group Memberships
Global Group memberships     *None
The command completed successfully.
Net user (domain information)
C:\>net user /domain
The request will be processed at a domain controller for domain Acme.
User accounts for \\Acme-PDC
-------------------------------------------------------------------------------
Roger Rabbit
Baby Herman
Eddie Valiant
Maroon
Dolores
Jessica
C:\isaca>net user Jessica /domain
The request will be processed at a domain controller for domain Acme.
User name                    Jessica
Full Name                    Jessica Rabbit
Comment                      Cabaret Singer
User's comment
Country code                 000 (System Default)
Account active               Yes
Account expires              Never
Password last set            12/27/2002 8:36 AM
Password expires             3/27/2003 8:36 AM
Password changeable          12/27/2002 8:36 AM
Password required            Yes
User may change password     Yes
Workstations allowed         All
Logon script                 Acme.bat
User profile
Home directory               \\carrot\Jessica$
Last logon                   3/17/2003 1:39 PM
Logon hours allowed          All
Local Group Memberships
Global Group memberships     *Domain Users         *GRP_Bar_Users
                             *GRP_Singers
The command completed successfully.
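Added example, not part of the original presentation: a Python parser for the column output of net user <name> shown in the two listings above, with the checks an auditor makes from it (account disabled, no password required, password never expires, stale password, never logged on, local Administrators membership). The two samples are constructed from the VUSR_Acme-Lap and Jessica slides; the 90-day password-age threshold and the 3/17/2003 reference date are assumptions.

```python
# Added example (not from the original presentation): parse the column output of
# "net user <name>" and apply the checks an auditor makes from it. Samples are
# constructed from the VUSR_Acme-Lap and Jessica slides; threshold/date assumed.
import re
from datetime import datetime
from typing import Dict, List, Optional

NET_USER_VUSR = """\
User name                    VUSR_Acme-Lap
Full Name                    VSA Server Account
Comment                      Account for the Visual Studio Analyzer server components
Account active               No

Password last set            2/7/2002 10:08 PM
Password expires             Never
Password required            No
Logon script
Home directory
Last logon                   Never
Local Group Memberships
Global Group memberships     *None
The command completed successfully.
"""

NET_USER_JESSICA = """\
The request will be processed at a domain controller for domain Acme.
User name                    Jessica
Full Name                    Jessica Rabbit
Comment                      Cabaret Singer
Account active               Yes
Password last set            12/27/2002 8:36 AM
Password expires             3/27/2003 8:36 AM
Password required            Yes
Logon script                 Acme.bat
Home directory               \\\\carrot\\Jessica$
Last logon                   3/17/2003 1:39 PM
Local Group Memberships
Global Group memberships     *Domain Users         *GRP_Bar_Users
                             *GRP_Singers
The command completed successfully.
"""

_SPLIT = re.compile(r"\s{2,}")  # label and value are separated by column padding


def parse_net_user(text: str) -> Dict[str, str]:
    """Map each label line to its value; indented lines continue a membership list."""
    info: Dict[str, str] = {}
    last_key = ""
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith(("The request", "The command")):
            continue
        if raw[0].isspace() and last_key:
            info[last_key] = (info[last_key] + " " + raw.strip()).strip()
            continue
        parts = _SPLIT.split(raw.rstrip(), maxsplit=1)
        last_key = parts[0]
        info[last_key] = parts[1] if len(parts) > 1 else ""
    return info


def groups(value: str) -> List[str]:
    """Split "*Domain Users   *GRP_Bar_Users" into names, dropping the "*None" marker."""
    names = [g.strip() for g in re.findall(r"\*([^*]+)", value)]
    return [g for g in names if g and g != "None"]


def parse_when(value: str) -> Optional[datetime]:
    """Parse the timestamp format net user prints, e.g. "2/7/2002 10:08 PM"."""
    try:
        return datetime.strptime(value.strip(), "%m/%d/%Y %I:%M %p")
    except ValueError:
        return None


def audit_user(info: Dict[str, str], today: datetime, max_age_days: int = 90) -> List[str]:
    """Findings for one parsed account; an empty list means nothing to report."""
    findings: List[str] = []
    if info.get("Account active") != "Yes":
        findings.append("account is disabled")
    if info.get("Password required") == "No":
        findings.append("no password required")
    if info.get("Password expires") == "Never":
        findings.append("password never expires")
    last_set = parse_when(info.get("Password last set", ""))
    if last_set is not None and (today - last_set).days > max_age_days:
        findings.append(f"password last set {(today - last_set).days} days ago")
    if info.get("Last logon") == "Never":
        findings.append("never logged on")
    if "Administrators" in groups(info.get("Local Group Memberships", "")):
        findings.append("member of local Administrators")
    return findings


def audit_text(text: str, today: str = "3/17/2003 12:00 PM") -> List[str]:
    """Raw net user output in, findings out (the default reference date is an assumption)."""
    return audit_user(parse_net_user(text), datetime.strptime(today, "%m/%d/%Y %I:%M %p"))
```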
Enum (3rd Party)
• http://razor.bindview.com/tools/files/enum.tar.gz
• Using null sessions, enum can retrieve userlists, machine lists,
sharelists, namelists, group and member lists, password and LSA
policy information. enum is also capable of a rudimentary brute force
dictionary attack on individual accounts.
C:\isaca>enum
usage: enum [switches] [hostname|ip]
-U: get userlist
-M: get machine list
-N: get namelist dump (different from -U|M)
-S: get sharelist
-P: get password policy information
-G: get group and member list
-L: get LSA policy information
-D: dictionary crack, needs -u and -f
-d: be detailed, applies to -U and -S
-c: don't cancel sessions
-u: specify username to use (default "")
-p: specify password to use (default "")
-f: specify dictfile to use (wants -D)
What is a null session?
• ID named SYSTEM exists on every Windows system.
• Has almost unlimited privileges on the local computer and has no
password.
• You cannot log on to this account.
• Privileged processes in Windows run as SYSTEM
PROBLEM
• When a service that runs as SYSTEM needs to access a remote computer, the destination computer does not recognize the local SYSTEM ID.
SOLUTION
• Through SMB, a connection is made using NULL as the user ID and password.
net use \\<system>\IPC$ "" /user:""
enum user list
C:\isaca>enum -U Acme-PDC
server: Acme-PDC
setting up session... success.
getting user list (pass 1, index 0)... success, got 6.
Roger Rabbit
Baby Herman
Eddie Valiant
Maroon
Dolores
Jessica
cleaning up... success.
Access Denied?
C:\isaca>enum -U Acme-PDC
server: Acme-PDC
setting up session... success.
getting user list (pass 1, index 0)... fail
return 5, Access is denied.
cleaning up... success.
RestrictAnonymous
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA
Value              Data type   Range   Default value
RestrictAnonymous  REG_DWORD   0|1|2   0
Meaning
0  Disabled. Anonymous users are not restricted.
1  Enabled. Users who log on anonymously (also known as null session connections) cannot display lists of domain user names or share names. Also, these users cannot view security permissions, and they cannot use all of the features of Windows Explorer, Local Users and Groups, and other programs that enumerate users or shares.
2  Anonymous users have no access without explicit anonymous permissions.
enum user list
C:\isaca>enum -U -u Roger Rabbit -p ToonTown Acme-PDC
username: Roger Rabbit
password: ToonTown
server: Acme-PDC
setting up session... success.
getting user list (pass 1, index 0)... success, got 6.
Roger Rabbit
Baby Herman
Eddie Valiant
Maroon
Dolores
Jessica
cleaning up... success.
RestrictAnonymous=1 has no meaning!
Userdump
• http://www.hammerofgod.com/download/userdump.zip
• Command-line tool that performs SID walking
• Must know at least one account name or group name on system
Walksam
• http://razor.bindview.com/tools/files/rpctools-1.0.zip
• Command-line tool that performs SID walking
GetAcct
• http://www.securityfriday.com/ToolDownload/GetAcct/getacct_doc.html
• GetAcct sidesteps "RestrictAnonymous=1" and acquires account
information on Windows NT/2000 machines
• GUI tool that performs SID walking
SID Walking?
• Security Identifiers (SIDs)
• Three Types
– Account SIDs
– Group SIDs
– Computer SIDs
• SIDs are assigned automatically and are unique within every domain, server, and workstation (exception!)
• They remain the same if the name of the account changes, but once deleted, they are gone forever
S-1-5-21-917267712-1342860078-1792151419-500
A SID contains:
• User and group security descriptors
• 48-bit ID authority
• Revision level
• Variable sub-authority values
RID     Account
500     Default Administrator
501     Guest
1000+   Nondefault account
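Added example, not from the original presentation: decoding the SID shown above into the fields listed (revision, 48-bit identifier authority, sub-authorities, RID) and classifying the RID with the table, which is why a renamed Administrator account is still recognisable as RID 500. The binary layout used for the to_bytes/from_bytes round trip is the documented Windows SID structure and goes beyond what the slide shows.

```python
# Added example (not from the original presentation): decode a SID string such
# as the one on the slide into revision, 48-bit identifier authority,
# sub-authorities and RID, convert to and from the binary form Windows stores,
# and classify the RID with the table above. The binary layout (revision byte,
# sub-authority count byte, 6-byte big-endian authority, little-endian DWORD
# sub-authorities) is the documented Windows SID structure, not slide content.
import struct
from dataclasses import dataclass
from typing import Tuple

SLIDE_SID = "S-1-5-21-917267712-1342860078-1792151419-500"


@dataclass(frozen=True)
class SID:
    revision: int
    identifier_authority: int         # 48-bit value (5 = NT Authority)
    sub_authorities: Tuple[int, ...]  # variable length; the last one is the RID

    @classmethod
    def from_string(cls, text: str) -> "SID":
        parts = text.strip().split("-")
        if len(parts) < 3 or parts[0].upper() != "S":
            raise ValueError(f"not a SID string: {text!r}")
        revision = int(parts[1])
        authority = int(parts[2], 0)   # decimal, or 0x... hex for values >= 2**32
        if revision != 1 or not 0 <= authority < (1 << 48):
            raise ValueError(f"bad revision/authority in {text!r}")
        subs = tuple(int(p) for p in parts[3:])
        if len(subs) > 15 or any(not 0 <= s < (1 << 32) for s in subs):
            raise ValueError(f"bad sub-authorities in {text!r}")
        return cls(revision, authority, subs)

    def to_string(self) -> str:
        auth = (str(self.identifier_authority) if self.identifier_authority < (1 << 32)
                else f"0x{self.identifier_authority:012X}")
        return f"S-{self.revision}-{auth}" + "".join(f"-{s}" for s in self.sub_authorities)

    def to_bytes(self) -> bytes:
        """Binary SID: revision, count, big-endian 48-bit authority, LE DWORD sub-authorities."""
        return (struct.pack("<BB", self.revision, len(self.sub_authorities))
                + self.identifier_authority.to_bytes(6, "big")
                + b"".join(struct.pack("<I", s) for s in self.sub_authorities))

    @classmethod
    def from_bytes(cls, data: bytes) -> "SID":
        if len(data) < 8:
            raise ValueError("truncated SID header")
        revision, count = data[0], data[1]
        if len(data) < 8 + 4 * count:
            raise ValueError("truncated sub-authority array")
        authority = int.from_bytes(data[2:8], "big")
        subs = struct.unpack(f"<{count}I", data[8:8 + 4 * count])
        return cls(revision, authority, tuple(subs))

    @property
    def rid(self) -> int:
        """Relative identifier: the final sub-authority."""
        if not self.sub_authorities:
            raise ValueError("SID has no sub-authorities")
        return self.sub_authorities[-1]

    @property
    def domain_sid(self) -> "SID":
        """The SID with the RID removed; shared by every account in the domain."""
        return SID(self.revision, self.identifier_authority, self.sub_authorities[:-1])


def classify_rid(rid: int) -> str:
    """Classify a RID with the table above; values it does not cover are reported as such."""
    if rid == 500:
        return "Default Administrator"
    if rid == 501:
        return "Guest"
    if rid >= 1000:
        return "Nondefault account"
    return "built-in RID not in table"


def describe(text: str) -> dict:
    """Fields an auditor wants from one SID string, using the slide's terminology."""
    sid = SID.from_string(text)
    return {
        "revision": sid.revision,
        "identifier_authority": sid.identifier_authority,
        "sub_authorities": sid.sub_authorities,
        "domain_sid": sid.domain_sid.to_string(),
        "rid": sid.rid,
        "account_class": classify_rid(sid.rid),
    }


if __name__ == "__main__":
    for key, value in describe(SLIDE_SID).items():
        print(f"{key:22} {value}")
```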
Userdump
C:\isaca>userdump
UserDump v1.11 - thor@hammerofgod.com
Usage: userdump \\servername guest MaxQueries
Where \\servername is the name of a DC
guest is the name of an known user or group
MaxQueries is number of user loops to try
UserDump will always get SID 500 (Admin) first,
and then begins at 1001 + MaxQueries
MaxQueries of 0 or blank returns SID 500 and 1001
Walksam
Usage: walksam [options] <target>
options:
-p protocol_sequence
-e endpoint
examples:
walksam 192.168.1.1
walksam -p ncacn_ip_tcp -e 1054 192.168.1.2
It supports both the 'traditional' method of doing this via Named Pipes, but
also supports the additional protseqs that are used by W2K's Domain
Controllers.
By default, walksam will use the named pipes approach, and so will use
either your current credentials, or whatever credentials have been
specified with a "net use \\target\ipc$ ..." command. If an alternative
protocol sequence is specified, then walksam will always attempt to use a
null session.
GetAcct
Dumpsec (3rd Party)
Auditing Group Accounts
Useful OS Commands
Command                          Results
net group                        This command can be used only on a Windows 2000 Domain Controller.
net group <group>                Displays users that are a member of a global group.
net group /domain                Displays global groups for domain.
net group /domain <group>        Displays users that are a member of a global group.
net localgroup                   Displays the local groups on the computer.
net localgroup <group>           Displays users that are a member of the local group on the machine.
net localgroup /domain           Displays the local groups on a domain controller.
net localgroup /domain <group>   Displays users that are a member of the domain local group.
net group syntax
The syntax of this command is:
NET GROUP [groupname [/COMMENT:"text"]] [/DOMAIN]
groupname {/ADD [/COMMENT:"text"] | /DELETE}
[/DOMAIN]
groupname username [...] {/ADD | /DELETE} [/DOMAIN]
net group /domain
C:\isaca>net group /domain
The request will be processed at a domain controller for domain Acme.
Group Accounts for \\Acme-PDC
-------------------------------------------------------------------------------
*Toon_Administrators
*Toon_Legal
*Toon_Executives
*Toon_Stunts
*Toon_Accountants
*Toon_Marketing
net group /domain <group>
C:\isaca>net group /domain Toon_Legal
The request will be processed at a domain controller for domain Acme.
Group name     Toon_Legal
Comment        Toon Town Legal Department
Members
-------------------------------------------------------------------------------
Judge_Juddy
Harry_Larry
Judge_Dread
The command completed successfully.
net localgroup
C:\isaca>net localgroup
Aliases for \\WKS-RR
-------------------------------------------------------------------------------
*Administrators
*Backup Operators
*Debugger Users
*Guests
*Power Users
*Users
The command completed successfully.
net localgroup <group>
C:\isaca>net localgroup Administrators
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain
Members
-------------------------------------------------------------------------------
Acme\Toon_Administrators
Acme\Roger_Rabbit
Roger_Rabbit
Administrator
SMSCliSvcAcct&
The command completed successfully.
net localgroup /domain
C:\isaca>net localgroup /domain
The request will be processed at a domain controller for domain Acme.
Aliases for \\Acme-PDC
-------------------------------------------------------------------------------
*Administrators
*Backup Operators
*Guests
*Helpdesk
*Print Operators
*Replicator
*Server Operators
*Users
The command completed successfully.
net localgroup /domain <group>
C:\isaca>net localgroup /domain Helpdesk
The request will be processed at a domain controller for domain Acme.
Alias name     Helpdesk
Comment        Phone Reps
Members
------------------------------------------------------------------------------
HD0001
HD0002
HD0003
HD0004
The command completed successfully.
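The net group / net localgroup listings above are what an auditor actually has to work with, and the catch is nesting: a domain group such as Acme\Toon_Administrators sitting in the local Administrators alias gives every member of that group local admin rights. The following Python is an added example, not part of the original deck: it parses net.exe's member listing (assumption: the dashed rule followed by up to three names per line, separated by two or more spaces), expands one level of domain-group nesting from a captured `net group /domain <group>` listing, and diffs the effective administrators against an approved list. Both text samples are constructed for the example (the Toon_Administrators members are invented).

```python
import re

# Constructed sample of `net localgroup Administrators` on \\WKS-RR, modelled
# on the deck's listing (assumption: net.exe column layout, members separated
# by two or more spaces, list ends at "The command completed successfully.").
LOCAL_ADMINS_OUTPUT = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Acme\\Toon_Administrators
Acme\\Roger_Rabbit
Roger_Rabbit
Administrator
SMSCliSvcAcct&
The command completed successfully.
"""

# Constructed sample of `net group /domain Toon_Administrators`; member names
# are invented for this example, not taken from the deck.
DOMAIN_GROUP_OUTPUT = """\
The request will be processed at a domain controller for domain Acme.

Group name     Toon_Administrators
Comment        Toon Town domain admins

Members

-------------------------------------------------------------------------------
Roger_Rabbit             Jessica_Rabbit           Baby_Herman
The command completed successfully.
"""

RULE = re.compile(r"^-{10,}$")


def parse_members(text):
    """Return the names listed between the dashed rule and the trailer.
    net.exe prints up to three names per line in fixed columns, so a line is
    split on runs of two or more spaces (names themselves may contain one
    space, e.g. 'Backup Operators')."""
    members, in_list = [], False
    for raw in text.splitlines():
        line = raw.rstrip()
        if RULE.match(line):
            in_list = True
            continue
        if not in_list or not line.strip():
            continue
        if line.startswith("The command completed"):
            break
        members.extend(m for m in re.split(r"\s{2,}", line.strip()) if m)
    return members


def effective_admins(local_output, domain_groups, domain):
    """Map each account that ends up with local admin rights to the path it
    got them by. domain_groups maps a group name to its captured
    `net group /domain` output; only one level of nesting is expanded, so a
    group inside a group (possible in Win2k native mode) still shows as a
    group and must be captured and expanded separately."""
    effective = {}
    for member in parse_members(local_output):
        dom, _, name = member.rpartition("\\")
        if dom.lower() == domain.lower() and name in domain_groups:
            for acct in parse_members(domain_groups[name]):
                effective.setdefault(f"{domain}\\{acct}", []).append(member)
        else:
            effective.setdefault(member, []).append("direct")
    return effective


def unexpected_admins(effective, approved):
    """Accounts with admin rights that are not on the approved list."""
    ok = {a.lower() for a in approved}
    return sorted(m for m in effective if m.lower() not in ok)


if __name__ == "__main__":
    eff = effective_admins(LOCAL_ADMINS_OUTPUT,
                           {"Toon_Administrators": DOMAIN_GROUP_OUTPUT}, "Acme")
    for acct, via in sorted(eff.items()):
        print(f"{acct:28} via {', '.join(via)}")
    print("unexpected:", unexpected_admins(
        eff, ["Administrator", "Acme\\Roger_Rabbit", "Acme\\Jessica_Rabbit"]))
```

Note that the local account Roger_Rabbit and the domain account Acme\Roger_Rabbit are different principals and are reported separately; the service account SMSCliSvcAcct& shows up as unexpected unless it is explicitly approved, which is the point of the check.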
Useful Resource Kit Commands
Command    Results
showgrps   Displays the groups to which a given user belongs, optionally within a given network domain.
showmbrs   Displays the usernames of members of a given group, optionally within a given network domain.
local      Displays members of local groups on remote servers or domains.
global     Displays members of global groups on remote servers or domains.
showgrps
C:\isaca>showgrps /?
Usage:
showgrps [/A] domain\user or
showgrps [/A] user
/A - Check all known trusted domains
C:\isaca>showgrps Acme\RR
User: [Acme\RR], is a member of:
Acme\Toon_Marketing
Acme\Toon_Land
Acme\Toon_Executives
Acme\Toon_Operators
Acme\Toon_Guests
Acme\Toon_Cleaning
Acme\Toon_Movies
Acme\Domain Users
\Everyone
showmbrs
C:\isaca>showmbrs /?
Usage:
showmbrs domain\group or
showmbrs \\domain\group or
showmbrs group
C:\isaca>showmbrs Acme\Toon_Cleaning
Members of global group
[Acme\Toon_Cleaning]:
RR
Sam
Gweedo
Ralphy
Bubba
Leon
Doc
MisterM
Sonny
Sid
Don_Don
ECapizzi
RockyB
JackieC
local
global
getuserinfo (3rd Party)
• http://www.joeware.net/
• Free Win32 C++ Based Tools section
Usage:
GetUserInfo [(domain)(\\servername)\]userid [/p]
  domain   Domain to execute command against
  server   Server to execute command against
  userid   Userid to get info for.
  /p       Displays primary group info.
If domain/server not specified, uses local machine
If . specified for userid, enumerate all local/global accounts
Dumpsec (3rd Party)
Auditing User Rights
User Rights
Two Categories
• Logon rights
• User privileges
Logon Rights
Right                                           Description
Access this computer from the network           The user can connect to the computer remotely.
Deny access to this computer from the network   The user cannot connect to the computer remotely.
Deny logon as a batch job
Deny logon as a service
Logon as a batch job
Logon as a service                              These rights are used by background applications; a service account must hold the right for the service to function.
Log on locally
User Privileges
Privilege                          Permits user to
SeAssignPrimaryTokenPrivilege      Replace a process level token.
SeAuditPrivilege                   Generate security audits.
SeBackupPrivilege                  Back up files and directories.
SeBatchLogonRight                  Logon as a batch job.
SeChangeNotifyPrivilege            Bypass traverse checking.
SeCreatePagefilePrivilege          Create a pagefile.
SeCreatePermanentPrivilege         Create permanent shared objects.
SeCreateTokenPrivilege             Create a token object.
SeDebugPrivilege                   Debug programs.
SeIncreaseBasePriorityPrivilege    Increase scheduling priority.
SeIncreaseQuotaPrivilege           Increase quotas.
SeInteractiveLogonRight            Log on locally.
SeLoadDriverPrivilege              Load and unload device drivers.
SeLockMemoryPrivilege              Lock pages in memory.
SeMachineAccountPrivilege          Add workstations to domain.
SeNetworkLogonRight                Access this computer from the network.
SeProfileSingleProcessPrivilege    Profile single process.
SeRemoteShutdownPrivilege          Force shutdown from a remote system.
SeRestorePrivilege                 Restore files and directories.
SeSecurityPrivilege                Manage auditing and security log.
SeServiceLogonRight                Log on as a service.
SeShutdownPrivilege                Shut down the system.
SeSystemEnvironmentPrivilege       Modify firmware environment values.
SeSystemProfilePrivilege           Profile system performance.
SeSystemtimePrivilege              Change the system time.
SeTakeOwnershipPrivilege           Take ownership of files or other objects.
SeTcbPrivilege                     Act as part of the operating system.
SeUnsolicitedInputPrivilege        Read unsolicited input from a terminal device.
Note: the four entries ending in LogonRight (SeBatchLogonRight, SeInteractiveLogonRight, SeNetworkLogonRight, SeServiceLogonRight) are the logon rights from the previous slide rather than privileges; the name suffix tells the two categories apart. SeTcbPrivilege, SeDebugPrivilege, SeBackupPrivilege/SeRestorePrivilege, SeLoadDriverPrivilege and SeTakeOwnershipPrivilege are each equivalent to full control of the machine, so any holder other than Administrators is an audit finding.
Resource Kit - showpriv
SeTakeOwnershipPrivilege
Resource Kit - whoami
WHOAMI [/option] [/option] ...
Where /option is one of the following:
  /ALL       = Display all information in the current access token.
  /NOVERBOSE = Display minimal information. *
  /USER      = Display user.
  /GROUPS    = Display groups.
  /PRIV      = Display privileges.
  /LOGONID   = Display Logon ID.
  /SID       = Display SIDs. *
  /HELP      = Display help.
  * Must be used with option /USER, /GROUPS, /PRIV or /LOGONID
Samples are as follows:
WHOAMI
WHOAMI /ALL
WHOAMI /USER /SID
WHOAMI /GROUPS
WHOAMI /GROUPS /NOVERBOSE
WHOAMI /USER /GROUPS /SID
WHOAMI /PRIV /NOVERBOSE
WHOAMI /USER /GROUPS /PRIV
WHOAMI /HELP
Dumpsec (3rd Party)
http://www.somarsoft.com/
Auditing Account Policies
Useful OS command
Command
Results
net accounts
Displays the current settings for
password, logon limitations, and domain
information.
net accounts /domain
Displays the current domain settings for
password, logon limitations, and domain
information.
net accounts
The syntax of this command is:
NET ACCOUNTS [/FORCELOGOFF:{minutes | NO}] [/MINPWLEN:length]
[/MAXPWAGE:{days | UNLIMITED}] [/MINPWAGE:days]
[/UNIQUEPW:number] [/DOMAIN]
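The net accounts syntax above sets the policy; an audit needs to read the current settings back and compare them with a baseline. The following Python is an added example, not from the deck: it parses the label/value layout that `net accounts` prints (assumed layout, sample constructed with deliberately weak values) and reports every setting outside a hypothetical baseline, treating the words Never, Unlimited and None the way net.exe uses them.

```python
# Constructed sample of `net accounts` output (assumption: the label/value
# layout of net.exe on NT 4 / 2000; the values here are deliberately weak).
SAMPLE_NET_ACCOUNTS = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          Unlimited
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        WORKSTATION
The command completed successfully.
"""

# Hypothetical baseline for the example: (comparison, required value).
BASELINE = {
    "Minimum password length": (">=", 8),
    "Maximum password age (days)": ("<=", 90),
    "Minimum password age (days)": (">=", 1),
    "Length of password history maintained": (">=", 6),
    "Lockout threshold": ("<=", 5),
}


def parse_net_accounts(text):
    """Split each 'label: value' line; rpartition keeps the '?' label intact."""
    settings = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        label, _, value = line.rpartition(":")
        settings[label.strip()] = value.strip()
    return settings


def as_number(value):
    """net.exe prints Never/Unlimited for 'no limit' and None for zero."""
    v = value.strip().lower()
    if v in ("never", "unlimited"):
        return float("inf")
    if v == "none":
        return 0.0
    try:
        return float(v)
    except ValueError:
        return None


def check_policy(settings, baseline):
    """Return (label, raw value, reason) for every setting that misses the
    baseline. 'Lockout threshold: Never' parses as infinity, so it fails a
    '<= 5' check, which is the intended reading: no lockout at all."""
    findings = []
    for label, (op, want) in baseline.items():
        raw = settings.get(label)
        got = as_number(raw) if raw is not None else None
        if got is None:
            findings.append((label, raw, "not present or not numeric"))
            continue
        ok = got >= want if op == ">=" else got <= want
        if not ok:
            findings.append((label, raw, f"expected {op} {want}"))
    return findings


if __name__ == "__main__":
    for label, raw, why in check_policy(parse_net_accounts(SAMPLE_NET_ACCOUNTS), BASELINE):
        print(f"FAIL {label}: {raw!r} ({why})")
```

Run it with `net accounts /domain` output instead to audit the domain policy; the parser is the same, only the trailing "Computer role" line differs.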
dumpwin (3rd Party)
Auditing “Auditing”
Resource Kit - auditpol
AuditPol [\\computer] [/enable | /disable] [/help | /?] [/Category:Option] ...
  /Enable  = Enable audit (default).
  /Disable = Disable audit.
  Category = System    : System events
             Logon     : Logon/Logoff events
             Object    : Object access
             Privilege : Use of privileges
             Process   : Process tracking
             Policy    : Security policy changes
             Sam       : SAM changes
  Option   = Success   : Audit success events
             Failure   : Audit failure events
             All       : Audit success and failure events
             None      : Do not audit these events
Samples are as follows:
AUDITPOL \\MyComputer
AUDITPOL \\MyComputer /enable /system:all /object:failure
AUDITPOL \\MyComputer /disable
AUDITPOL /logon:failure /system:all /sam:success /privilege:none
AUDITPOL /HELP | MORE displays Help one screen at a time.
Dumpsec (3rd Party)
Auditing Log Settings
Windows Logging
Three Types
• System Log
– Tracks miscellaneous system events, e.g. events during system startup and hardware and controller failures.
• Application Log
– Tracks application related events, e.g. informational messages generated by applications, such as a failure to load a DLL.
• Security Log
– Tracks events such as logon, logoff, changes to access rights, and system startup and shutdown. NOTE: By default no audit policy is enabled, so the security log stays empty until auditing is turned on (see auditpol above).
%SYSTEMROOT%\system32\config\SysEvent.Evt
%SYSTEMROOT%\system32\config\SecEvent.Evt
%SYSTEMROOT%\system32\config\AppEvent.Evt
Event Viewer
Using the Event Log for Auditing
ntlast (3rd Party)
http://www.foundstone.com
Resource Kit - dumpel
• dumpel.exe - create ASCII log files
– can be imported into Excel or Access
– eliminate acceptable entries
– sort by workstation or login ID
• Track unique Logon ID for each session
– match logon/logoff
Logon Types
• 2 - Interactive
• 3 - Network
• 4 - Batch Process
• 5 - Service
• 6 - Proxy
• 7 - Unlock (returning to a locked workstation, e.g. after the screen saver)
Resource Kit - dumpel
Eldump (3rd Party)
• http://www.ibt.ku.dk/jesper/ELDump/default.htm
• It is very much like the tool DumpEL from the NT Resource Kit, but
ELDump is more versatile and sometimes quite a lot faster. Most
importantly, ELDump can:
– Dump from active event logs or from saved event logs with full
message texts.
– Filter on all the same fields as the Event Viewer.
– Dump only the message strings instead of the full message
texts. This is a lot faster and also makes it easier to parse the
messages with other programs.
– Look for the message texts on another server. This means you
get message text even if the applications and drivers that have
logged messages are not installed on the machine where you
are running ELDump.
– Dump several logs from several servers with one invocation of
the ELDump command.
Dump the application log from the current machine to the file el-appl.txt:
eldump >el-appl.txt
Dump the system log from server \\serv1:
eldump -s \\serv1 -l system
or the same but shorter:
eldump \\serv1 sys
Dump error messages about node1 from a single day:
eldump -T error -c node1 -a 19970109000000 -b 1997010000000
or the same but shorter:
eldump err -cnode1 -a970109 -b97010
Dump messages saved from the system log at \\serv1 in file \\serv1\d$\system.log, with centuries in the event dates
and GMT times:
eldump -F \\serv1\d$\system.log -l system -x \\serv1 -K -G
or the same but shorter:
eldump \\serv1\d$\system.log sys -KG
Dump error messages saved from the system and application logs at the servers \\serv1 and \\serv2:
eldump -s \\serv1 -s \\serv2 -l system -l application -T error
or the same but shorter:
eldump \\serv1 \\serv2 sys app err
Event IDs
Event ID   Description
517        Audit log cleared
532        User account has expired
608/609    User rights assigned/removed
610/611    New trusted domain/removed
612        Audit policy changed
624/629    User account created/disabled
630        User account deleted
643        Domain policy changed
http://www.counterpane.com/log-windows.html
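The dumpel slides say to track the unique Logon ID per session and match logon to logoff, and the Event IDs table lists what to look for; the following Python is an added example (not from the deck) that does both over dumpel-style output. It assumes the comma-separated layout `date,time,type,category,event ID,source,user,computer,description` for `dumpel -c` (with 8 = success audit and 16 = failure audit), which is an assumption about the tool, and the sample lines are constructed. The one parsing trap it handles is that the Logon ID "(0x0,0x1A2B)" contains a comma, so the line must not be split on every comma.

```python
import re
from collections import Counter

# Constructed sample in the layout assumed for `dumpel -c -l security`:
# date,time,type,category,event ID,source,user,computer,description strings.
SAMPLE = """\
4/25/2003,8:02:11 AM,8,2,528,Security,ACME\\Roger_Rabbit,WKS-RR,Roger_Rabbit Acme (0x0,0x1A2B) 2 User32 Negotiate WKS-RR
4/25/2003,8:05:40 AM,8,2,528,Security,ACME\\HD0001,WKS-RR,HD0001 Acme (0x0,0x2C44) 3 NtLmSsp NTLM HD-PC01
4/25/2003,8:06:02 AM,8,2,538,Security,ACME\\HD0001,WKS-RR,HD0001 Acme (0x0,0x2C44) 3
4/25/2003,8:30:00 AM,16,2,529,Security,NT AUTHORITY\\SYSTEM,WKS-RR,Bubba Acme 3 NtLmSsp NTLM HD-PC01
4/25/2003,8:31:10 AM,16,2,529,Security,NT AUTHORITY\\SYSTEM,WKS-RR,Bubba Acme 3 NtLmSsp NTLM HD-PC01
4/25/2003,9:15:33 AM,8,1,517,Security,ACME\\Roger_Rabbit,WKS-RR,Roger_Rabbit Acme (0x0,0x1A2B)
4/25/2003,9:20:00 AM,8,7,624,Security,ACME\\Roger_Rabbit,WKS-RR,Bubba2 WKS-RR Roger_Rabbit Acme (0x0,0x1A2B)
4/25/2003,9:45:12 AM,8,2,528,Security,ACME\\Roger_Rabbit,WKS-RR,Roger_Rabbit Acme (0x0,0x3F10) 7 User32 Negotiate WKS-RR
"""

# Logon types from the deck's slide (7 is reported as Unlock in Win2k).
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               6: "Proxy", 7: "Unlock"}
# Event IDs from the deck's table that an auditor wants called out.
WATCH_IDS = {517: "Audit log cleared", 608: "User right assigned",
             609: "User right removed", 612: "Audit policy changed",
             624: "User account created", 630: "User account deleted",
             643: "Domain policy changed"}
LOGON_ID = re.compile(r"\((0x[0-9A-Fa-f]+),(0x[0-9A-Fa-f]+)\)")


def parse_dumpel(text):
    """Split dumpel -c lines into records. maxsplit=8 keeps the description
    field whole even though the Logon ID inside it contains a comma."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(",", 8)
        if len(parts) < 9:
            continue  # truncated line: skip rather than misalign the fields
        date, time, etype, _cat, eid, _src, user, computer, desc = parts
        m = LOGON_ID.search(desc)
        records.append({"when": f"{date} {time}", "event": int(eid),
                        "type": int(etype), "user": user, "computer": computer,
                        "desc": desc,
                        "logon_id": f"({m.group(1)},{m.group(2)})" if m else None})
    return records


def logon_type(desc):
    """In 528/538 text the logon type is the integer right after the Logon ID."""
    m = re.search(r"\(0x[0-9A-Fa-f]+,0x[0-9A-Fa-f]+\)\s+(\d+)", desc)
    return int(m.group(1)) if m else None


def session_report(records):
    """Pair 528 (logon) with 538 (logoff) by Logon ID; whatever is left open
    at the end of the log had no logoff. Also tallies logon types, failed
    logons (529) per account, and the watched event IDs."""
    open_sessions, by_type, failures, flagged = {}, Counter(), Counter(), []
    for r in records:
        if r["event"] == 528 and r["logon_id"]:
            lt = logon_type(r["desc"])
            by_type[LOGON_TYPES.get(lt, f"type {lt}")] += 1
            open_sessions[r["logon_id"]] = (r["user"], r["when"], lt)
        elif r["event"] == 538 and r["logon_id"]:
            open_sessions.pop(r["logon_id"], None)
        elif r["event"] == 529:
            failures[r["desc"].split()[0]] += 1  # target account is the first string
        if r["event"] in WATCH_IDS:
            flagged.append((r["when"], r["event"], WATCH_IDS[r["event"]], r["user"]))
    return {"open_sessions": open_sessions, "by_type": dict(by_type),
            "failed_logons": dict(failures), "flagged": flagged}


if __name__ == "__main__":
    rep = session_report(parse_dumpel(SAMPLE))
    for lid, (user, when, lt) in rep["open_sessions"].items():
        print(f"no logoff: {lid} {user} since {when} ({LOGON_TYPES.get(lt, lt)})")
    print("logons by type:", rep["by_type"])
    print("failed logons:", rep["failed_logons"])
    for when, eid, what, user in rep["flagged"]:
        print(f"{when} {eid} {what} by {user}")
```

Feed it the `%1_sec_log.txt` files produced by the audit script later in the deck; for the failed-logon tally note that the user field of a 529 is usually NT AUTHORITY\SYSTEM, so the target account has to be taken from the description strings.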
Auditing Processes
Resource Kit - pulist
Resource Kit - tlist
pslist (3rd Party)
http://www.sysinternals.com/ntw2k/freeware/pslist.shtml
dumpwin (3rd Party)
Auditing Drives
Psinfo – Disk Information
$ psinfo -d
System information for \\Acme-Lap:
Uptime:                  1 day, 2 hours, 54 minutes, 25 seconds
Kernel version:          Microsoft Windows 2000, Uniprocessor Free
Product type:            Professional
Product version:         5.0
Service pack:            2
Kernel build number:     2195
Registered organization: Acme
Registered owner:        Acme
Install date:            5/22/2000, 10:14:21 AM
IE version:              5.5000
System root:             C:\WINNT
Processors:              1
Processor speed:         700 MHz
Processor type:          Intel Pentium III
Physical memory:         320 MB
Volume Type    Format  Label    Size      Free      Free
C:     Fixed   NTFS             11.2 GB   5.8 GB    52%
D:     CD-ROM                                       0%
E:     Fixed   FAT     PGPDISK  499.7 MB  326.8 MB  65%
K:     Remote  NTFS             440.9 GB  108.0 GB  25%
P:     Remote  NTFS    Drive_E  339.2 GB  166.0 GB  49%
Dumpwin – Drive Information
$ DumpWin.exe -d
=====================
Drive Information
=====================
Drive C:\ : Fixed
Volume Name :
File System : NTFS
Free Clusters : 1523887
Total Clusters : 2946502
Drive D:\ : CD-ROM
Drive E:\ : Fixed
Volume Name : PGPDISK
File System : FAT
Free Clusters : 41826
Total Clusters : 63966
Drive H:\ : Network drive
Drive K:\ : Network drive
Drive P:\ : Network drive
Auditing Share Permissions
Useful OS command
net share
• Lists resources being shared on computer
dumpwin (3rd Party)
Resource Kit - srvcheck
Dumpsec (3rd Party)
Net use \\<machine>\IPC$ /user:<domain>\<user ID>
Auditing Directory Permissions
Resource Kit - xcacls
Resource Kit - subinacl
Auditing Services
Resource Kit - sclist
Resource Kit - netsvc
netsvc list services
netsvc service status
psservice (3rd Party)
http://www.sysinternals.com/ntw2k/freeware/psservice.shtml
Dumpsec (3rd Party)
dumpwin (3rd Party)
NetViewX (3rd Party)
• http://www.ibt.ku.dk/jesper/NetViewX
• It is a bit like the NT "net view /domain" command, but it allows you
to list only servers with specific services, and it uses a list format
that is easily parsable.
Netviewx (3rd Party)
Auditing Service Permissions
Resource Kit - subinacl
Auditing Device Drivers
dumpsec
Auditing Printer Permissions
Resource Kit - subinacl
Dumpsec (3rd Party)
Auditing Remote Access
Resource Kit - raslist
• Displays the names of all hosts within a domain network that are
running RAS
Resource Kit - rasusers
Auditing Trusted Relationships
Resource Kit - nltest
Resource Kit - nlmon
DNS
• Zone Transfers
• Internet Accessible
• http://www.nscan.org/?index=dns
Where Credit is Due . . .
The following script was created by James M. Hackett,
Administrative ISO, Yale University.
This script demonstrates the resulting audit process
based on the tools that have been discussed.
shd_srv_audit01.bat
@echo off
REM dump system, security and application logs
e:\audit\tools\dumpel -l system -f g:\audit\%1_sys_log.txt -s %1 -c
e:\audit\tools\dumpel -l security -f g:\audit\%1_sec_log.txt -s %1 -c
e:\audit\tools\dumpel -l application -f g:\audit\%1_app_log.txt -s %1 -c
e:\audit\tools\dumpel -l security -m security -e 639 640 641 642 643 -f g:\audit\%1_acct_chg.txt -s %1 -c
REM dump port information
e:\audit\tools\netstat -a > g:\audit\%1_ports_a.txt
e:\audit\tools\netstat -r > g:\audit\%1_ports_r.txt
REM dump service information
e:\audit\tools\netsvc \\%1 /list > g:\audit\%1_services.txt
REM dump users and groups
e:\audit\tools\addusers /d g:\audit\%1_usr_grps.txt /s:, \\%1
REM sysdiff the system
e:\audit\tools\sysdiff /diff e:\audit\base\%1\base.img g:\audit\%1_diff.img
e:\audit\tools\sysdiff /dump g:\audit\%1_diff.img g:\audit\%1_diff.txt
REM dump ACL's
e:\audit\tools\xcacls %systemroot%\*.* /T > g:\audit\%1_acl.txt
REM dump file stamps
dir %systemroot% /s/t:c > g:\audit\%1_stamps.txt
REM ** End Data Gathering **
REM **********************************
REM ** Begin Report Generation **
echo Audit Report shd_srv_audit01 for %1 >g:\audit\%1_report.txt
time /t >>g:\audit\%1_report.txt
date /t >>g:\audit\%1_report.txt
echo @@@ Service Ports @@@ >> g:\audit\%1_report.txt
fc /n g:\audit\%1_ports_a.txt e:\audit\base\%1\ports_a.txt >>g:\audit\%1_report.txt
echo @@@ Route Table @@@ >> g:\audit\%1_report.txt
fc /n g:\audit\%1_ports_r.txt e:\audit\base\%1\ports_r.txt >>g:\audit\%1_report.txt
echo @@@ Services @@@ >> g:\audit\%1_report.txt
fc /n g:\audit\%1_services.txt e:\audit\base\%1\services.txt >>g:\audit\%1_report.txt
echo @@@ Users and Groups @@@ >> g:\audit\%1_report.txt
fc /n g:\audit\%1_usr_grps.txt e:\audit\base\%1\usr_grps.txt >>g:\audit\%1_report.txt
echo @@@ SYS DIFF @@@ >> g:\audit\%1_report.txt
type g:\audit\%1_diff.txt >>g:\audit\%1_report.txt
echo @@@ ACLs @@@ >> g:\audit\%1_report.txt
fc /n g:\audit\%1_acl.txt e:\audit\base\%1\acl.txt >>g:\audit\%1_report.txt
echo @@@ File Stamps @@@ >> g:\audit\%1_report.txt
fc /n g:\audit\%1_stamps.txt e:\audit\base\%1\stamps.txt >>g:\audit\%1_report.txt
echo @@@ Account Changes @@@ >> g:\audit\%1_report.txt
type g:\audit\%1_acct_chg.txt >> g:\audit\%1_report.txt
echo End Audit Report shd_srv_audit01 for %1 >>g:\audit\%1_report.txt
time /t >>g:\audit\%1_report.txt
date /t >>g:\audit\%1_report.txt
The Audit Report
Reference Sites
Resource Kit
• http://www.dynawell.com/support/ResKit/win2k.asp
Windows Ports
• http://www.poopoccurs.com/windows/2kports.html
Tool Repository
• http://packetstormsecurity.com/
• http://www.securiteam.com/tools/archive.html
• http://www.somarsoft.com/
• http://www.sysinternals.com
Security and SA Sites
• http://www.labmice.net/Security/default.htm
• http://is-it-true.org/nt/
Reference Sites
• http://www.yale.edu/its/security/
• http://www.cert.org/
• http://www.ciac.org/
• ftp://coast.cs.purdue.edu/pub/tools/windows/windowsNT/
• http://www.microsoft.com/security/
• http://www.sans.org/
Windows Scripting
• http://msdn.microsoft.com/library/default.asp?url=/nhp/Default.
asp?contentid=28001169
• http://www.jsifaq.com/
• http://www.roth.net/
Questions?
Thank You!