Republished with permission from WatchGuard Technologies, Inc.

WatchGuard LiveSecurity

Automating NT Auditing, Affordably
by Dave Piscitello, President, Core Competence

If you're expected to run a reliable network while short on money, and your primary "assistant" is the person you see in the mirror, you might like to know how to automate some of your network and system auditing tasks -- dirt cheap. (In contrast, if you're reading this and have a multi-million dollar annual budget to spend on network management tools, you can skip this article and resume that leisurely conversation with your thirteen assistants.)

A Helping Hand – from Your Enemy?
If there’s a silver lining in this dark age of hacking, it’s that you can use many attack tools proactively for anti-hacking, and some -- freely available on the Internet -- are particularly useful for auditing. Attackers scan or map networks to accumulate details about their composition and configuration. When an attacker develops a clever and useful network mapping or host scanning tool, he or she will often share the tool with others, and it’s common today to find such tools on public servers. Security consultants routinely use these tools to audit networks and perform penetration testing. My favorite tool sites are SecurityPortal and Packet Storm, but there are hundreds more.

I've detailed a few of my favorite inexpensive management tools below. Each of them starts from a DOS command line. That means you can create a batch file to initiate each of these tools in turn. (A batch file is a set of commands you might enter from a DOS window and save in one file, so that you can execute the commands automatically by simply running the file.) Are you so busy you often forget to launch tools like these? No problem. Using the Windows Task Scheduler Wizard (accessible via My Computer/ Scheduled Tasks/ Add Scheduled Task), choose the batch file you created, then specify when and how frequently you wish to perform it. Task Scheduler will automatically launch your batch file, and regularly perform several mundane yet important tasks that will help you maintain an accurate picture of your Windows NT machines.

Tool 1: SPCheck
SPCheck by Altus Network Solutions is a simple yet effective command line freeware utility. List the names of your NT hosts in a text file, and SPCheck will use it to scan your network and report the NT Service Packs and Hotfixes on local and remote machines. SPCheck generates reports in your choice of comma-delimited or HTML files. The HTML output is especially convenient, because if SPCheck finds a Hotfix on one machine that you don't recognize, you simply click a live link to the appropriate Microsoft Product Support page and read Microsoft's description of the fix. Then you can make an informed decision about whether to leave it installed.

How do you use this for auditing? Suppose you have twenty or so servers, and you want to be certain you're maintaining a consistent Service Pack and Hotfix environment on your network. Run SPCheck from a batch file. The result from this first audit becomes your baseline. On subsequent runs of SPCheck, compare the newer output file against your original baseline output to determine whether any of your server configurations have been changed, perhaps by an authorized user who failed to incorporate all the service packs and Hotfixes you feel are necessary.   

One caveat: if you’ve gone through the effort of hardening your NT hosts against registry scans, you may not find this sort of auditing possible. This is the “open versus secured” conundrum we all face.
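The baseline comparison described above can itself be scripted. The following is an added example, not part of the original article or of SPCheck: it assumes a comma-delimited report with one row per host (host, service pack, semicolon-separated hotfix IDs), and the host names and hotfix IDs are constructed placeholders. A host that has dropped out of the report, for instance because it no longer answers registry queries, is flagged rather than silently skipped.

```python
import csv
import io

# Constructed sample reports. Assumed layout (not SPCheck's documented format):
# host, service pack, semicolon-separated hotfix IDs (placeholder IDs).
BASELINE_CSV = """host,service_pack,hotfixes
NTSRV01,SP6a,HF-0001;HF-0002;HF-0003
NTSRV02,SP6a,HF-0001;HF-0002;HF-0003
NTSRV03,SP6a,HF-0001;HF-0002
"""
CURRENT_CSV = """host,service_pack,hotfixes
NTSRV01,SP6a,HF-0001;HF-0002;HF-0003
NTSRV02,SP5,HF-0001;HF-0009
NTSRV04,SP6a,HF-0001
"""

def load_report(text):
    """Map host name -> (service pack, set of hotfix IDs)."""
    report = {}
    for row in csv.DictReader(io.StringIO(text)):
        host = row["host"].strip().upper()  # NetBIOS names are case-insensitive
        fixes = {h.strip() for h in row["hotfixes"].split(";") if h.strip()}
        report[host] = (row["service_pack"].strip(), fixes)
    return report

def diff_reports(baseline, current):
    """Return (host, finding) tuples, ordered by host, for each deviation."""
    findings = []
    for host in sorted(baseline.keys() | current.keys()):
        if host not in current:
            # Not reported this run: offline, renamed, or registry reads blocked.
            findings.append((host, "missing from current report"))
            continue
        if host not in baseline:
            findings.append((host, "new host, not in baseline"))
            continue
        (old_sp, old_fix), (new_sp, new_fix) = baseline[host], current[host]
        if old_sp != new_sp:
            findings.append((host, f"service pack {old_sp} -> {new_sp}"))
        for hf in sorted(old_fix - new_fix):
            findings.append((host, f"hotfix removed: {hf}"))
        for hf in sorted(new_fix - old_fix):
            findings.append((host, f"hotfix added: {hf}"))
    return findings

if __name__ == "__main__":
    for host, finding in diff_reports(load_report(BASELINE_CSV), load_report(CURRENT_CSV)):
        print(f"{host}: {finding}")
```

An empty result means every host still matches the baseline; anything else is a change to investigate or, once approved, to fold into a new baseline.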

Tool 2: NetBIOS Auditing Tools
Another free command line utility, NetBIOS Auditing Tool, or Nat (Windows NT), by Secure Networks, Inc., monitors your NetBIOS file sharing service. How easily can a hacker break into the shared resources on your server? Nat attempts to connect to your shares by trying combinations of easily-guessable or default usernames and passwords (e.g., username "administrator," "guest," or "user"; password "password," "test," etc.). If it succeeds in accessing your files, Nat warns you in its report.

This password checking feature is rather simplistic. But the simplest, and thus one of the most frequently attempted, attacks is to compromise a legitimate account, so even a rudimentary password check is better than no check. Remember, no matter what your password policy may be, the temptation to make passwords easy to remember is strong, and default accounts and passwords are left enabled on servers more frequently than we care to admit. If you’re “making do,” you can edit the file of default, guessable, and expired passwords as time passes. (You might start by adding your company's name, product names, and employee names to the "lame passwords" list.) Nat will help you find the staff in your organization who are weakening your security, so you can put them back on the straight and narrow with a judicious phone call or e-mail.

Nat also enumerates file shares and browse lists, and will report whether directories are write-able. A sample output file can be viewed here.

You can configure NetBIOS Auditing Tool to audit each of your servers. Following its documentation (a ReadMe.txt file), it's easy to enter the proper command lines in the same batch file as SPCheck. You’ll generate a separate output file to examine for each of your servers, revealing any anomalies in your file sharing configuration. And you'll have a broader picture of how file sharing services are configured on your NT machines.

Compared to Nat's humble password-cracking attempts, L0phtCrack (Win95/NT, $100, free evaluation for 15 days) is downright steroidal. Though it doesn't launch from a command line, this awesome tool, adored by hackers and administrators everywhere, sniffs out password hashes on your network, captures them, and decrypts them. Weak passwords decrypt in mere seconds -- and for L0phtCrack, any word in the English dictionary is a weak password. This is a great tool for discovering that your buddy Nimrod's username and password are both Nimrod1 so you can give him some version of the "Importance of Creating Good Passwords" speech.

Pushing the Envelope
Over time, you can expand this batch auditing process I’ve been describing. Simply incorporate additional free- or shareware tools into your batch file. You can add Ellicit’s GNIT vulnerability scanner utility (Win2K/NT) to check for Web, ftp, POP and SMTP vulnerabilities on your servers. (Editor's note: Dave discussed this tool earlier. For more, visit this link.) If you’ve enabled Auditing in your NT Domain(s), you might want to add the NTLast command line utility (Win NT) by Foundstone, which will search the Event Log and report the last ten Interactive, Remote, and Failed logon attempts on enumerated hosts. You can add command line utilities that back up log and event files or dump drivers installed and processes running on your NT machines.

I have the luxury of having time to browse and tinker with these and virtually any free, shareware, and commercial software. You probably don’t. Before you visit the tools area at SecurityPortal to download these and other intriguing utilities, pause and consider, “What am I doing manually that I’d really love to automate?” Generate a shopping list, download and test drive utilities that appear to satisfy your needs, and automate your way.

From a modest beginning of one command line suitably scripted in a DOS batch file, you can customize a fairly complete auditing and vulnerability scanning system for a very small cash outlay. The expensive, high-end commercial host and network scanners are based on sophisticated versions of these same kinds of command line utilities. No network and system administrator has unlimited time for programming. But any time you can afford to invest in automation today pays off in a more efficient tomorrow.



Copyright © 1996 - 2001 WatchGuard Technologies, Inc. All rights reserved.