IT Auditing: Using Controls to Protect Information Assets
There are some key things that you need to know about auditing Windows that will make you more accurate and efficient. Remember that Windows is just a platform, and you have to consider the overlying applications that make use of the platform before you can bless off a machine as passing an audit. Take a look at Figure 6-1, which we like to use when teaching classes to hammer home this concept. Notice the applications across the top. The more applications you add to the platform, the more potential trouble areas you have as an auditor. Consider the other chapters in this book as a supplement to get you started in considering the challenges the other applications bring to the table. This concept is true for any platform, including Unix, Solaris, Mac, and others. If you understand this concept, then you understand why an external security scanner cannot see everything you need to check for without logging onto the host.
Most Windows hosts in a company are part of a domain. This automatically suggests there are other attack vectors that can be exploited, intentionally or not, to access or violate the integrity of your host. For example, suppose an employee doesn't have access to the payroll server but does have domain administrator rights for the domain that the payroll server belongs to, and he or she has a bad day: oops!
There are mitigating controls for situations like this, and it is part of your responsibility as an auditor to ensure that such controls are in place. In this situation, removing the Domain Admins group from the local Administrators group and adding an application-specific group in its place mitigates these implicit (inherited) security permissions.
The point is to carefully consider the trust relationships, implicit and explicit (indirect and direct), that affect your host. The scope of your audit may be just one host, but you may miss vulnerable avenues of attack if you narrow your view too much.
Consider scheduling some time on your calendar to finally learn what the tools listed below actually do. There are many more than what we present here. You might be surprised at how easy most of them are to use and how much more efficient you become because you know the shortcuts to getting just the information you want. As auditors, it's easy to get tied down into "knowing what you gotta know" to get the job done. Most administrators of any caliber actually enjoy showing others the ropes. You can be assured that if you show up to an administrator's office asking about an obscure tool, you'll get his or her attention, and one of you will walk away a little wiser for the visit.
Command-Line Tips
For those of you who are comfortable with the command line on a Unix-flavored host, you will appreciate installing Unix functionality with the GnuWin32 utilities from http://www.gnuwin32.sourceforge.net. The benefit is that several utilities you miss, such as ls, sed, grep, more, and cat, will now work from your command line in Windows. You could also install Cygwin or other toolkits that provide similar functionality. It's also possible to create scripts based on these binaries to manipulate the text output from standard Windows utilities.
Note: If you like the command line and enjoy scripting, make sure to take advantage of the resources located in Microsoft's scripting center website. It is located at http://www.microsoft.com/technet/scriptcenter/default.mspx
Essential Command-Line Tools
There are several tools that should be in every administrator's back pocket, even beyond the scope of the extensive adminpak (Administrator's Pack) and reskit (Resource Kit) tools that Microsoft makes available. Some of these are listed below. Keep in mind that with today's complex networks and firewalls, not all these will work the way they did a few years ago. Test every tool in a lab environment prior to running them on a production network.
Microsoft has an outstanding built-in command-line help file available by typing HH "ntcmds.chm" at the command line (with the quotes exactly as shown). Type help cmd for general information about using the command line in Windows. The company has more information on its website. Search for "Command-Line Reference" using Google, and visit the first Microsoft website that comes up: http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/ntcmds.mspx?mfr=true.
Note: The various tools discussed below can be powerful. More than likely you are going to be just fine installing and running the tools on your own personal machine. However, follow best practices. You should learn how these tools work on another computer off the network in a test environment prior to using them on your production network and systems. Often you can use VMWare or Virtual PC to do this.
Resource Kit Tools
The Resource Kit contains more than 120 different tools for administering systems, troubleshooting systems, managing Active Directory, configuring security features, and much more. You can download the Resource Kit tools from Microsoft's website. The quickest way to find these is to go to Google and type in "Microsoft Resource Kit Tools." Select and download the Windows Server 2003 version of the tools. Given time, you may find some of the tools from the old NT or 2000 reskits useful that are no longer carried in the Windows 2003 reskit. These are beyond this chapter's scope and will not be discussed here.
SysInternals Tools
The SysInternals tools quickly dissect the inner workings of the operating system and produce meaningful results. These are essential to help administrators manage servers. Download SysInternals tools from the website http://www.sysinternals.com.
Several organizations make the decision to include some of the pstools as part of the standard build for servers and clients. You should think out this decision carefully because it's not appropriate for all situations. For example, your DMZ servers and other bastion hosts should be stripped of everything that isn't necessary.
For auditing purposes, you can always load the tools you need into a folder on the server, open a command prompt, and go to that folder to run the tools from the command line.
Other Tools
There are many, many other tools available. Some of these are listed below and discussed in the different audit steps. A free tool at the time of this writing is the Windows Forensic Toolchest (WFT), written by Monty McDougal. This tool serves as a wrapper for command-line tools listed below or others you may want to add. It is currently part of the SANS forensic track. Download and learn more about it at http://www.foolmoon.net/security.
Common Commands
Table 6-1 presents a list of command-line tools used throughout this chapter.
| Tool | Description | Where to Get It |
|---|---|---|
| psinfo | List system information, including installed service packs, patches, applications, and drive information | http://www.sysinternals.com |
| Systeminfo | List system information | Native command |
| Pslist | List running processes | http://www.sysinternals.com |
| psservice | List all installed services | http://www.sysinternals.com |
| wscui.cpl | Brings up the Windows Security Center | Native command |
| Netsh | Display or modify network configuration | Native command |
| netstat | Provides network information | Native command |
| psservice | List service information | http://www.sysinternals.com |
| sc | Tool for talking with service controller | Native command |
| DumpSec | GUI and command-line "Swiss army knife" of the security settings | http://www.somarsoft.com |
| tcpview | GUI view of processes mapped to ports | http://www.sysinternals.com |
| procexp | Very powerful GUI process explorer | http://www.sysinternals.com |
| Fport | Command-line view of processes mapped to ports | http://www.foundstone.com/knowledge/proddesc/fport.html |
| schtasks | Lists scheduled tasks at the command line | Native command |
| bootcfg | Lists boot partition information | Native command |
| pendmoves | Lists file move operations scheduled for the next reboot | http://www.sysinternals.com |
| autoruns | Lists everything scheduled to start when your computer starts up. This is the GUI version. | http://www.sysinternals.com |
| autorunsc | Lists everything scheduled to start when your computer starts up. This is the command line version. | http://www.sysinternals.com |
| rsop.msc | Opens the resulting set of security policies on your host when run from the Start > Run box or command line | Native command |
| secpol.msc | Opens just the local computer policy | Native command |
| pwdump | Dumps Windows password hashes into a format usable by nearly all free and commercial password crackers | http://www.openwall.com/passwords |
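As an added example (not from the book or any of the tool vendors), the following batch script follows the procedure described above: copy the tools you need into one folder on the server, run them from a command prompt in that folder, save each tool's output as evidence, and then check the mitigating control discussed earlier (the Domain Admins group should not be a member of the local Administrators group). It assumes the SysInternals executables sit beside the script; the evidence folder and file names are this example's own choices.

```batch
@echo off
REM Added example, not from the book: collect audit evidence with the
REM Table 6-1 tools and check one mitigating control from the text.
REM Assumption: SysInternals .exe files are in the same folder as this script.
setlocal

REM Build a timestamped evidence folder named after the host
REM (wmic gives a locale-independent yyyymmddhhmmss timestamp).
for /f "tokens=2 delims==" %%I in ('wmic os get localdatetime /value') do set DT=%%I
set STAMP=%DT:~0,8%-%DT:~8,6%
set OUT=%~dp0evidence-%COMPUTERNAME%-%STAMP%
mkdir "%OUT%" 2>nul

REM Native commands are always present, so run them unconditionally.
systeminfo                      > "%OUT%\systeminfo.txt"   2>&1
netstat -ano                    > "%OUT%\netstat.txt"      2>&1
schtasks /query /v /fo LIST     > "%OUT%\schtasks.txt"     2>&1
sc query state= all             > "%OUT%\sc_query.txt"     2>&1
net localgroup Administrators   > "%OUT%\local_admins.txt" 2>&1

REM SysInternals tools: run only the ones actually copied beside the script.
REM -accepteula suppresses the first-run license dialog for an unattended run.
for %%T in (psinfo pslist psservice autorunsc pendmoves) do (
    if exist "%~dp0%%T.exe" (
        "%~dp0%%T.exe" -accepteula > "%OUT%\%%T.txt" 2>&1
    ) else (
        echo %%T.exe not found, skipped>> "%OUT%\missing_tools.txt"
    )
)

REM Mitigating-control check from the text: Domain Admins should have been
REM removed from the local Administrators group on an application server.
findstr /i /c:"Domain Admins" "%OUT%\local_admins.txt" >nul && (
    echo FINDING: Domain Admins is a member of local Administrators>> "%OUT%\findings.txt"
) || (
    echo OK: Domain Admins is not in local Administrators>> "%OUT%\findings.txt"
)

echo Evidence written to "%OUT%"
endlocal
```

Review findings.txt and missing_tools.txt first; a missing tool means that evidence category was not collected, not that the host passed.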
Server Administrative Tools
The Windows Server 2003 administrative tools (adminpak.exe) install on Windows XP and Windows Server 2003. Most of the tools in the Adminpak are used for AD domain-specific administration. If the subject of the audit is part of the AD infrastructure, then these tools may be of use. The Adminpak allows administrators to perform remote server management functions and includes several great tools whose functionality is otherwise difficult to duplicate.
Note: You can easily add the Microsoft Windows Server 2003 administrative tools to your desktop or laptop computer. Just visit Google, type "Microsoft adminpak," and follow the link to Microsoft's downloads page for the Windows Server 2003 Administration Tools Pack. After downloading the .msi package onto your computer, you need to run the file to install the tools onto your system.