Automating NT Auditing, Affordably
by Dave Piscitello, President, Core Competence
If you're expected to run a
reliable network while short on money, and your primary "assistant" is the
person you see in the mirror, you might like to know how to automate some
of your network and system auditing tasks -- dirt cheap. (In contrast, if
you're reading this and have a multi-million dollar annual budget to spend
on network management tools, you can skip this article and resume that
leisurely conversation with your thirteen assistants.)
If there’s a silver lining in
this dark age of hacking, it’s that you can use many attack tools
proactively for anti-hacking, and some -- freely available on the Internet
-- are particularly useful for auditing. Attackers scan or map networks to accumulate details
about its composition and configuration. When an attacker develops a
clever and useful network mapping or host scanning tool, he or she will
often share the tool with others, and it’s common today to find such tools
on public servers. Security consultants routinely use these tools to audit
networks and perform penetration testing. My favorite tool sites are SecurityPortal and Packet Storm, but there are
hundreds more.
I've detailed a few of my
favorite inexpensive management tools below. Each of them starts from a
DOS command line. That means you can create a batch file to initiate each
of these tools in turn. (A batch file is a set of commands you might enter
from a DOS window and save in one file, so that you can execute the
commands automatically by simply running the file.) Are you so busy you
often forget to launch tools like these? No problem. Using the Windows
Task Scheduler Wizard (accessible via My
Computer/ Scheduled Tasks/ Add Scheduled Task), choose the batch
file you created, then specify when and how frequently you wish to perform
it. Task Scheduler will
automatically launch your batch file, and regularly perform several
mundane yet important tasks that will help you maintain an accurate
picture of your Windows NT machines.
Tool 1: SPCheck
SPCheck by Altus Network
Solutions is a simple yet effective command line freeware utility. List
the names of your NT hosts in a text file, and SPCheck will use it to scan
your network and report the NT Service Packs and Hotfixes on local and
remote machines. SPCheck generates reports in your choice of
comma-delimited or HTML files. The HTML output is
especially convenient, because if SPCheck finds a Hotfix on one machine
that you don't recognize, you simply click a live link to the appropriate
Microsoft Product Support page and read Microsoft's description of the
fix. Then you can make an informed decision about whether to leave it
installed.
How do you use this for
auditing? Suppose you have twenty or so servers, and you want to be
certain you're maintaining a consistent Service Pack and Hotfix
environment on your network. Run SPCheck from a batch file. The result
from this first audit becomes your baseline. On subsequent runs of
SPCheck, compare the newer output file against your original baseline
output to determine whether any of your server configurations have been
changed, perhaps by an authorized user who failed to incorporate all the
service packs and Hotfixes you feel are necessary.
One caveat: if you’ve gone
through the effort of hardening your NT hosts against registry scans, you
may not find this sort of auditing possible. This is the “open versus
secured” conundrum we all face.
Tool 2: NetBIOS Auditing
Tools
Another free command line
utility, NetBIOS Auditing
Tool (Windows NT) by Secure Networks, Inc., monitors your NetBIOS file
sharing service. How easily can a hacker break into the shared resources
on your server? Nat attempts to connect to your shares by trying
combinations of easily-guessable or default usernames and passwords (e.g.,
username "administrator," "guest," or "user;" password "password," "test,"
etc.). If it succeeds in accessing your files, Nat warns you in its
report.
This password checking feature
is rather simplistic. But the simplest, and thus one of the most
frequently attempted, attacks is to compromise a legitimate account, so
even a rudimentary password check is better than no check. Remember, no
matter what your password policy may be, the temptation to make passwords
easy to remember is strong, and default accounts and passwords are left
enabled on servers more frequently than we care to admit. If you’re
“making do,” you can edit the file of default, guessable, and expired
passwords as time passes. (You might start by adding your company's name,
product names, and employee names to the "lame passwords" list.) Nat will
help you find the staff in your organization who are weakening your
security, so you can put them back on the straight and narrow with a
judicious phone call or e-mail.
Nat also enumerates file shares
and browse lists, and will report whether directories are write-able. A
sample output file can be viewed here.
You can configure NetBIOS
Auditing Tool to audit each of your servers. Following its documentation
(a ReadMe.txt file), it's easy to enter the proper command lines in the
same batch file as SPCheck. You’ll generate a separate output
file to examine for each of your servers, revealing any anomalies in your
file sharing configuration. And you'll have a broader picture of how file
sharing services are configured on your NT machines.
Compared to Nat's humble
password-cracking attempts, L0phtCrack (Win95/NT, $100, free evaluation
for 15 days) is downright steroidal. Though it doesn't launch from a
command line, this awesome tool, adored by hackers and administrators
everywhere, sniffs out password hashes on your network, captures them, and
decrypts them. Weak passwords decrypt in mere seconds -- and for
L0phtCrack, any word in the English dictionary is a weak password. This is
a great tool for discovering that your buddy Nimrod's username and
password are both Nimrod1 so you can give him some version of the "Importance of Creating Good
Passwords" speech
Pushing the Envelope
Over time, you can expand this batch auditing
process I’ve been describing. Simply incorporate additional free- or
shareware tools to your batch file. You can add Ellicit’s GNIT vulnerability scanner utility
(Win2K/NT) to check for Web, ftp, POP and SMTP vulnerabilities on your
servers. (Editor's note: Dave discussed this tool earlier. For more, visit this link.) If you’ve enabled Auditing in your NT Domain(s),
you might want to
add the NTLast command
line utility (Win NT) by Foundstone, which will search the Event Log and
report the last ten Interactive, Remote, and Failed logon attempts on
enumerated hosts. You can add command line utilities that back up log and
event files or dump drivers installed and processes running on your NT
machines.
I have the luxury of having time to browse and
tinker with these and virtually any free, shareware, and commercial
software. You probably don’t. Before you visit the tools area at
SecurityPortal to download these and other intriguing utilities, pause and
consider, “What am I doing manually that I’d really love to automate?”
Generate a shopping list, download and test drive utilities that appear to
satisfy your needs, and automate your way.
From a modest beginning of one command line
suitably scripted in a DOS batch file, you can customize a fairly complete
auditing and vulnerability scanning system for a very small cash outlay.
The expensive, high-end commercial host and network scanners are based on
sophisticated versions of these same kinds of command line utilities. No
network and system administrator has unlimited time for programming. But
any time you can afford to invest in automation today pays off in a more
efficient tomorrow.