Articles
- “Using PowerShell to Continuously Audit Security of Active Directory” by Derek Melber (WindowsSecurity.com; 2010.12.15+20) – http://www.windowsecurity.com/articles/Using-PowerShell-Continuously-Audit-Security-Active-Directory.html
- Get-AD by Niklas Goude (2010.01.04) – http://gallery.technet.microsoft.com/scriptcenter/en-us/81865fd8-6bdf-44d6-844b-01f262dc853e
- “Checklist: Top 5 Windows domain settings to audit” by Derek Melber (SearchWindowsServer.com; 2005.12.08) – http://searchwindowsserver.techtarget.com/feature/Checklist-Top-5-Windows-domain-settings-to-audit
- 1) Domain Account Policy: Password Policy, Account Lockout Policy and Kerberos Policy. Password complexity, minimum password length, password expiration, password reuse.
- 2) Local user rights on domain member servers.
- 3) Anonymous Connections: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
- 4) Authentication Protocols
- 5) Administrator Account
- “Windows 2000 Auditing” – http://www.comptechdoc.org/os/windows/win2k/win2kauditing.html
- “Windows & Active Directory Auditing” by Derek Melber (WindowsSecurity.com; 2005.11.22) – http://www.windowsecurity.com/articles/Windows-Active-Directory-Auditing.html
- “Auditing user accounts” by Derek Melber (WindowsSecurity.com; 2005.08.04) – http://www.windowsecurity.com/articles/auditing-user-accounts.html
- “Auditing Users and Groups with the Windows Security Log” by Randall F. Smith (WindowsSecurity.com; 2004.09.02) – http://www.windowsecurity.com/articles/auditing-users-groups-windows-security-log.html
- SANS Institute: Automated Auditing in a Windows 2000 Environment – http://www.sans.org/security-resources/auto_audit.php
Tools
- Windows Inventory – Windows PC Auditing Software – http://winventory.sourceforge.net/ – superseded by Open-AudIT [OR NOT, since that project still does not have a Windows script available]
- Open-AudIT – http://www.open-audit.org/ – the replacement for Windows Inventory
- Script Repository (Microsoft TechNet) – http://gallery.technet.microsoft.com/ScriptCenter/
- WMI tools:
- Scriptomatic 2.0 (Microsoft) – http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=12028 – Utility that helps you write WMI scripts for system administration.
- Windows PowerShell Scriptomatic – http://www.microsoft.com/download/en/details.aspx?id=24121
- WMI Administrative Tools – http://www.microsoft.com/download/en/details.aspx?id=24045
- The WMI Diagnosis Utility – http://www.microsoft.com/download/en/details.aspx?id=7684
- WMI Code Creator v1.0 – http://www.microsoft.com/download/en/details.aspx?id=8572
- MBSA – http://technet.microsoft.com/en-us/security/cc184924.aspx [FREE]
- Shavlik’s NetCheck – http://www.shavlik.com/products.aspx [COMMERCIAL]
- Oval Interpreter – http://oval.mitre.org
- Nessus Local Plug-ins
- Use of PowerShell in Nessus scripts:
- “Compliance Auditing with PowerShell” by Paul Asadoorian (Tenable blog; 2012.04.26) – http://blog.tenablesecurity.com/2012/04/compliance-auditing-with-microsoft-powershell.html
- “File Integrity Auditing with Nessus” by Paul Asadoorian (Tenable blog; 2012.05.18) – http://blog.tenablesecurity.com/2012/05/file-integrity-auditing-with-nessus.html
- Sysinternals suite – http://technet.microsoft.com/sysinternals [FREE]
What to audit
- 1) List of domain users. Their user groups (who belongs to what groups).
- 2) Logon parameters: number of unsuccessful retries before account lock-out, number of minutes the account stays temporarily disabled (due to a sequence of failed logon attempts), …
- 3) Password parameters: minimum password length, character sets used, password complexity requirement (is it enforced or not), password expiration, …
- 4) Auditing parameters: are all account logon attempts being logged? Are changes in account privileges (e.g. adding users to groups) being logged? Are additions, removals or renamings of accounts being logged? Are privilege violations being logged (e.g. a user trying to access resources [files, applications, shares] they have no right to access)? Are changes to security policies being logged? Are changes to user passwords being logged? Are changes in account status (e.g. disabling and enabling accounts) being logged? etc.
- 5) Inspect the content of system logs.
- Manual inspection
- use dumpevt by SomarSoft (http://www.systemtools.com/somarsoft/?somarsoft.com)
- 6) List of services
- 7) Look at the open network connections.
- netstat -a
- netstat -a -b -o -v
- FPort by FoundStone – http://www.mcafee.com/us/downloads/free-tools/index.aspx
- APorts – http://download.cnet.com/1770-20_4-0.html?query=Active+Ports&searchtype=downloads
- 8) Registry checkup
- DumpReg (dump registry) by SomarSoft – http://www.systemtools.com/somarsoft/?somarsoft.com
Tools
DumpSec
SomarSoft’s DumpSec/DumpAcl – http://www.systemtools.com/somarsoft/?somarsoft.com
DumpEvt
DumpEvt is a command-line tool by SomarSoft – http://www.systemtools.com/somarsoft/?somarsoft.com
Syntax:
    c:>dumpevt
    2011.01.06 13:23:28 Somarsoft DumpEvt V1.7.6, Copyright © 1995-2007 by Somarsoft, Inc.
    Copy 07353, registered to (this program is now free of charge)
    ==>Missing /logfile parameter
    Dump eventlog in format suitable for importing into database
    Messages written to stdout
    Dump output written to file specified by /outfile or /outdir
    Parameters:
      /logfile=type        eventlog to dump; can be app, sec, sys, dns, dir, or rpl
      /logfile=type=path   backed up eventlog file to dump
      /outfile=path        create new file or append to end of existing file
      /outdir=path         create new .tmp file in specified directory
      /all                 dump all recs (default is recs added since last dump
      /computer=name       dump eventlog for specified computer (default is local)
      /reg=local_machine   use HKEY_LOCAL_MACHINE instead of HKEY_CURRENT_USER
      /clear               clear event log after successful dump
    Specify formatting parameters in DUMPEVT.INI file
    See dumpevt.hlp for complete documentation
    Visit http://www.somarsoft.com for latest version
Example:
    c>dumpevt /logfile=sec /outfile=20100106-system7-seclog.txt
    2011.01.06 13:31:36 Somarsoft DumpEvt V1.7.6, Copyright © 1995-2007 by Somarsoft, Inc.
    Copy 07353, registered to (this program is now free of charge)
    LogType=Security
    Computer=(local)
    SystemRoot=C:\WINDOWS
    Outfile=20100106-system7-seclog.txt
    Use HKEY_CURRENT_USER for saving record number
    Format=yes
    DateFormat=(locale dependent)
    TimeFormat=HH':'mm':'ss
    FieldSeparator=,
    ReplaceFieldSeparator= (blank)
    ReplaceCR=^
    ReplaceLF=`
    StringSeparator=;
    MaxMessageLen=32000
    MaxFragmentLen=32000
    DumpData=none
    SplitDateTime=yes
    UseGmtTime=no
    DumpRecnum=no
    ==>LastProcessed (0) < Oldest (1), log records lost
    process event log records starting with 1
    last event log record processed = 1018
    Elapsed time= 0.594 seconds, NumRecs=1018
Fport
Example:
    c>fport
    FPort v2.0 - TCP/IP Process to Port Mapper
    Copyright 2000 by Foundstone, Inc.
    http://www.foundstone.com

    Pid      Process            Port   Proto Path
    508                    ->   135    TCP
    4        System         ->   139    TCP
    4        System         ->   445    TCP
    1644     dirmngr        ->   1059   TCP   C:\Program Files\GNU\GnuPG\dirmngr.exe
    4084                   ->   1080   TCP
    3856                   ->   1192   TCP
    2428     ccApp          ->   1202   TCP   C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    0        System         ->   1212   TCP
    3652     firefox        ->   2036   TCP   C:\Program Files\Mozilla Firefox\firefox.exe
    3652     firefox        ->   2037   TCP   C:\Program Files\Mozilla Firefox\firefox.exe
    3652     firefox        ->   2044   TCP   C:\Program Files\Mozilla Firefox\firefox.exe
    3652     firefox        ->   2045   TCP   C:\Program Files\Mozilla Firefox\firefox.exe
    4        System         ->   6846   TCP
    3652     firefox        ->   6896   TCP   C:\Program Files\Mozilla Firefox\firefox.exe
    3856                   ->   6938   TCP
    3856                   ->   6939   TCP
    0        System         ->   6945   TCP
    4456526                ->   123    UDP
    4        System         ->   123    UDP
    5177412                ->   137    UDP
    4        System         ->   137    UDP
    6029362                ->   138    UDP
    4        System         ->   138    UDP
    3652     firefox        ->   138    UDP   C:\Program Files\Mozilla Firefox\firefox.exe
    508                    ->   445    UDP
    4        System         ->   500    UDP
    3652     firefox        ->   1069   UDP   C:\Program Files\Mozilla Firefox\firefox.exe
    3652     firefox        ->   1103   UDP   C:\Program Files\Mozilla Firefox\firefox.exe
    3652     firefox        ->   1357   UDP   C:\Program Files\Mozilla Firefox\firefox.exe
    3652     firefox        ->   1520   UDP   C:\Program Files\Mozilla Firefox\firefox.exe
    4        System         ->   2576   UDP
    3856                   ->   62514  UDP
netstat
On Windows XP:
    c>netstat -a

    Active Connections

      Proto  Local Address          Foreign Address               State
      TCP    server7:epmap          interesting.website.org:0     LISTENING
      TCP    server7:microsoft-ds   interesting.website.org:0     LISTENING
      TCP    server7:5556           interesting.website.org:0     LISTENING
      TCP    server7:1059           interesting.website.org:0     LISTENING
      TCP    server7:1080           interesting.website.org:0     LISTENING
      TCP    server7:1202           interesting.website.org:0     LISTENING
      TCP    server7:2036           localhost:2037                ESTABLISHED
      TCP    server7:2037           localhost:2036                ESTABLISHED
      TCP    server7:2044           localhost:2045                ESTABLISHED
      TCP    server7:2045           localhost:2044                ESTABLISHED
      TCP    server7:62514          interesting.website.org:0     LISTENING
      TCP    server7:netbios-ssn    interesting.website.org:0     LISTENING
      TCP    server7:1192           strangemachine:netbios-ssn    ESTABLISHED
      TCP    server7:6846           alphaomega.com:microsoft-ds   ESTABLISHED
      TCP    server7:7061           server2:8585                  ESTABLISHED
      TCP    server7:7062           server2:8585                  ESTABLISHED
      TCP    server7:netbios-ssn    interesting.website.org:0     LISTENING
      TCP    server7:7067           strangemachine:netbios-ssn    SYN_SENT
      TCP    server7:netbios-ssn    interesting.website.org:0     LISTENING
      TCP    server7:7068           strangemachine:netbios-ssn    SYN_SENT
      UDP    server7:microsoft-ds   *:*
      UDP    server7:isakmp         *:*
      UDP    server7:4500           *:*
      UDP    server7:52311          *:*
      UDP    server7:ntp            *:*
      UDP    server7:1025           *:*
      UDP    server7:1069           *:*
      UDP    server7:1103           *:*
      UDP    server7:1357           *:*
      UDP    server7:1520           *:*
      UDP    server7:1900           *:*
      UDP    server7:2576           *:*
      UDP    server7:62514          *:*
      UDP    server7:ntp            *:*
      UDP    server7:netbios-ns     *:*
      UDP    server7:netbios-dgm    *:*
      UDP    server7:1900           *:*
      UDP    server7:ntp            *:*
      UDP    server7:netbios-ns     *:*
      UDP    server7:netbios-dgm    *:*
      UDP    server7:1900           *:*
      UDP    server7:ntp            *:*
      UDP    server7:netbios-ns     *:*
      UDP    server7:netbios-dgm    *:*
      UDP    server7:1900           *:*
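Reading the two listings side by side is the actual work of checklist item 7: netstat shows which ports are open and who the host is talking to, fport says which process owns each port. The script below is an added example (not code from the page, from Foundstone or from Microsoft) that parses both outputs and joins them on (protocol, local port), then reports listening ports with their owner, connections to hosts other than localhost, and sockets whose owner fport could not name. Both samples are constructed in the layout of the listings shown above, not real captures; the SERVICE_PORTS table is a hand-picked subset of the names netstat prints in place of port numbers.

```python
"""Join `netstat -a` with `fport` output to review open network connections."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Service names netstat prints instead of port numbers (hand-picked subset of the
# usual %SystemRoot%\system32\drivers\etc\services entries).
SERVICE_PORTS = {"ntp": 123, "epmap": 135, "netbios-ns": 137, "netbios-dgm": 138,
                 "netbios-ssn": 139, "microsoft-ds": 445, "isakmp": 500}

# Constructed sample in the layout of `netstat -a` on Windows XP (not a real capture).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address             State
  TCP    server7:epmap          server7:0                   LISTENING
  TCP    server7:microsoft-ds   server7:0                   LISTENING
  TCP    server7:1059           server7:0                   LISTENING
  TCP    server7:1202           server7:0                   LISTENING
  TCP    server7:2036           localhost:2037              ESTABLISHED
  TCP    server7:2037           localhost:2036              ESTABLISHED
  TCP    server7:1192           strangemachine:netbios-ssn  ESTABLISHED
  TCP    server7:7067           strangemachine:netbios-ssn  SYN_SENT
  UDP    server7:ntp            *:*
  UDP    server7:ntp            *:*
"""

# Constructed sample in the layout of FPort v2.0 output (not a real capture).
FPORT_SAMPLE = r"""
Pid   Process            Port  Proto Path
508                  ->  135   TCP
4     System         ->  445   TCP
1644  dirmngr        ->  1059  TCP   C:\Program Files\GNU\GnuPG\dirmngr.exe
2428  ccApp          ->  1202  TCP   C:\Program Files\Common Files\Symantec Shared\ccApp.exe
3856                 ->  1192  TCP
3652  firefox        ->  2036  TCP   C:\Program Files\Mozilla Firefox\firefox.exe
3652  firefox        ->  2037  TCP   C:\Program Files\Mozilla Firefox\firefox.exe
4     System         ->  123   UDP
"""

@dataclass
class Socket:
    proto: str        # TCP or UDP
    local_port: int
    remote: str       # foreign address as printed ("*:*" for UDP)
    state: str        # LISTENING / ESTABLISHED / SYN_SENT, "" for UDP

@dataclass
class Owner:
    pid: int
    process: str      # "" when fport printed no process name
    path: str         # "" when fport printed no image path

NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")
FPORT_LINE = re.compile(r"^(\d+)\s+(?:(\S+)\s+)?->\s+(\d+)\s+(TCP|UDP)\s*(.*?)\s*$")

def port_number(endpoint: str) -> int:
    """'server7:epmap' -> 135, 'server7:1059' -> 1059."""
    name = endpoint.rsplit(":", 1)[1]
    return int(name) if name.isdigit() else SERVICE_PORTS[name]

def parse_netstat(text: str) -> List[Socket]:
    sockets = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if m:
            proto, local, remote, state = m.groups()
            sockets.append(Socket(proto, port_number(local), remote, state or ""))
    return sockets

def parse_fport(text: str) -> Dict[Tuple[str, int], Owner]:
    owners = {}
    for line in text.splitlines():
        m = FPORT_LINE.match(line)
        if m:
            pid, process, port, proto, path = m.groups()
            owners[(proto, int(port))] = Owner(int(pid), process or "", path)
    return owners

def review(netstat_text: str, fport_text: str) -> Dict[str, list]:
    """Listening ports with their owner, sockets to other hosts, and sockets
    whose owning process fport could not name (or did not list at all)."""
    owners = parse_fport(fport_text)
    listening, remote, unidentified = [], [], set()
    for s in parse_netstat(netstat_text):
        owner = owners.get((s.proto, s.local_port))
        label = owner.process if owner and owner.process else "?"
        if s.state == "LISTENING":
            listening.append((s.local_port, label, owner.path if owner else ""))
        host = s.remote.rsplit(":", 1)[0]
        if s.state in ("ESTABLISHED", "SYN_SENT") and host not in ("localhost", "127.0.0.1"):
            remote.append((s.local_port, label, s.remote, s.state))
        if label == "?":
            unidentified.add((s.proto, s.local_port))
    return {"listening": listening, "remote": remote, "unidentified": sorted(unidentified)}

if __name__ == "__main__":
    for section, rows in review(NETSTAT_SAMPLE, FPORT_SAMPLE).items():
        print(section)
        for row in rows:
            print("   ", row)
```

The "unidentified" view is the one to read first: a port that netstat shows open but fport cannot attribute to a named process (as with the 508 and 3856 entries in the listing above) is exactly what the manual inspection in item 7 is meant to surface, and a SYN_SENT socket with no owner at all means the process had already gone by the time fport ran, so the two tools should be run back to back.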
Getting list of users and groups
Inside Cygwin, there are the commands mkpasswd and mkgroup. They build Cygwin’s /etc/passwd and /etc/group from either the local system or the domain the system is joined to.

    mkpasswd -l > local-users.txt
    mkpasswd -d -l > domain-users.txt
    mkgroup -l > local-groups.txt
    mkgroup -d -l > domain-groups.txt
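The files these commands produce are the raw material for checklist item 1 (list of users and who belongs to which group). The script below is an added example, not code from the page or from Cygwin, that parses both files, resolves each user's primary group by gid plus any group that lists the user as a member, and reports membership of the built-in administrative groups together with the account holding RID 500 (the built-in Administrator, whatever it has been renamed to). The samples are constructed in the layout of `mkpasswd -l` output (name:unused:uid:gid:gecos:home:shell, with the Windows name and SID in the gecos field); the group file is assumed to carry a member list in its fourth field, which is what mkgroup's `-u` option produces on Cygwin versions that support it (an assumption, since the page shows plain `mkgroup -l`). The SIDs are made up.

```python
"""Who is in which group, from Cygwin mkpasswd/mkgroup output."""
from typing import Dict, List, Optional, Set

# Built-in and domain groups whose membership an audit should always list.
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins", "Schema Admins",
                     "Account Operators", "Backup Operators", "Server Operators"}

# Constructed sample in mkpasswd layout; the domain SID prefix is made up.
PASSWD_SAMPLE = r"""
Administrator:unused:500:544:U-SERVER7\Administrator,S-1-5-21-1111111111-2222222222-3333333333-500:/home/Administrator:/bin/bash
Guest:unused:501:546:U-SERVER7\Guest,S-1-5-21-1111111111-2222222222-3333333333-501:/home/Guest:/bin/bash
alice:unused:1001:545:U-SERVER7\alice,S-1-5-21-1111111111-2222222222-3333333333-1001:/home/alice:/bin/bash
bob:unused:1002:545:U-SERVER7\bob,S-1-5-21-1111111111-2222222222-3333333333-1002:/home/bob:/bin/bash
svc_backup:unused:1003:545:U-SERVER7\svc_backup,S-1-5-21-1111111111-2222222222-3333333333-1003:/home/svc_backup:/bin/bash
"""

# Constructed sample: name:SID:gid:members (members field assumed, see lead-in).
GROUP_SAMPLE = """
Administrators:S-1-5-32-544:544:Administrator,bob
Users:S-1-5-32-545:545:alice,bob,svc_backup
Guests:S-1-5-32-546:546:Guest
Backup Operators:S-1-5-32-551:551:svc_backup
Remote Desktop Users:S-1-5-32-555:555:
"""

def parse_passwd(text: str) -> Dict[str, dict]:
    """name -> {uid, gid, sid}; sid is "" when the gecos field carries none."""
    users = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _unused, uid, gid, gecos, _home, _shell = line.split(":", 6)
        parts = gecos.split(",")
        sid = parts[-1] if len(parts) > 1 and parts[-1].startswith("S-1-") else ""
        users[name] = {"uid": int(uid), "gid": int(gid), "sid": sid}
    return users

def parse_group(text: str) -> Dict[str, dict]:
    """name -> {sid, gid, members}; members is a set of user names."""
    groups = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, sid, gid, members = line.split(":", 3)
        groups[name] = {"sid": sid, "gid": int(gid),
                        "members": {m for m in members.split(",") if m}}
    return groups

def memberships(users: Dict[str, dict], groups: Dict[str, dict]) -> Dict[str, List[str]]:
    """user -> sorted groups: the primary group (by gid) plus every group listing the user."""
    by_gid = {g["gid"]: name for name, g in groups.items()}
    result = {}
    for user, u in users.items():
        mine: Set[str] = set()
        if u["gid"] in by_gid:
            mine.add(by_gid[u["gid"]])
        mine.update(g for g, info in groups.items() if user in info["members"])
        result[user] = sorted(mine)
    return result

def privileged_members(member_map: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """privileged group -> sorted users, for the groups in PRIVILEGED_GROUPS only."""
    found: Dict[str, List[str]] = {}
    for user, grps in member_map.items():
        for g in grps:
            if g in PRIVILEGED_GROUPS:
                found.setdefault(g, []).append(user)
    return {g: sorted(u) for g, u in sorted(found.items())}

def builtin_administrator(users: Dict[str, dict]) -> Optional[str]:
    """The account whose SID ends in RID 500 is the built-in Administrator, even if renamed."""
    for name, u in users.items():
        if u["sid"].endswith("-500"):
            return name
    return None

if __name__ == "__main__":
    users, groups = parse_passwd(PASSWD_SAMPLE), parse_group(GROUP_SAMPLE)
    member_map = memberships(users, groups)
    for user, grps in sorted(member_map.items()):
        print(f"{user:15} {', '.join(grps)}")
    print("privileged:", privileged_members(member_map))
    print("built-in Administrator (RID 500):", builtin_administrator(users))
```

Running it against real exports works the same way: read the four files the commands above produce and pass their contents to parse_passwd and parse_group; the domain export is parsed identically, since mkpasswd -d emits the same seven colon-separated fields.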