Exercise 6: Auditing Your System
After a system has been secured and all unnecessary files have been deleted, the system is in a hardened state. Before it is put into production, one last thing needs to be done: baseline it, so that changes that might indicate a successful intrusion can be detected later. Many tools are available for this purpose, but running them by hand is time-consuming. With scripting and scheduling tools, however, effective baselines can be established and used to audit your systems on a regular basis.
The system logs are an invaluable source of information about activity on your systems, but they can produce an overwhelming amount of data, and there is no standard mechanism for consolidating the logs of several systems. Tools such as dumpel can dump the contents of the logs to files that can be consolidated into a database of events.
The objective of this exercise is to introduce you to simple tools that can be used to create powerful baseline and auditing methods for your systems.
Windows NT 4.0 or Windows 2000-based PC
dumpel, available in the Windows NT Resource Kit or from http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/dumpel-o.asp
Fport, available at http://www.foundstone.com/rdlabs/termsofuse.php?filename=FportNG.zip
The following are the steps that you will perform for this exercise:
- Analyze log files.
- Baseline open ports.
- Baseline running services.
- Schedule baseline audits.
Challenge Procedure Step-by-Step
The following are the detailed steps that you will perform for this exercise:
Analyze log files. First, download dumpel from http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/dumpel-o.asp and install it. Then open a command prompt and navigate to the directory in which you installed dumpel.
Dump the system log by executing the following command (-f names the output file, -l selects the System log, and -t makes the output tab-delimited):
dumpel -f event.out -l system -t
Then start Microsoft Excel and open the output file. The Convert Text to Columns Wizard should start automatically. If not, select Data, Text to Columns.
In the wizard's first screen, click the Delimited radio button; then click Next.
In the wizard's second screen, click the Tab check box; then click Finish.
Next, click OK to bring up the spreadsheet.
Sort the data by date and time in descending order by selecting Data, Sort.
To apply a filter to view only failed logins (Event ID 7013), select Data, Filter, AutoFilter.
Down arrow icons appear at the top of each column. Click the arrow icon for column E, scroll down, and select 7013. If it is not available, choose another event number.
The following screen shows the filtered output.
Now, you'll baseline open ports. Download and install Fport. Open a command prompt and navigate to the directory where you installed Fport. Execute Fport and view its output.
Execute Fport again, redirecting its output to a file for future reference, by typing the following:
Fport > baseport.txt
Next, baseline the running services. To do this, open a command prompt and execute netsvc with the following parameters:
Execute netsvc and redirect its output to a file for future reference.
Next, you'll schedule baseline audits. With your favorite text editor, create the following bat file:
Type baseline at a command prompt to test the bat file. Type the following command to review baseline's output:
Open the Windows Scheduler by clicking the icon under Windows.
The Scheduled Task Wizard starts. Click Next.
In the program selection screen, click Browse.
In the Select Program to Schedule screen, navigate to the directory where you created the baseline.bat file, and then click Open.
Enter a name for the task and select the Daily radio button.
In the Start Time field, enter the time at which the baseline should run; then click Next.
Enter the username and password that should be used to run the baseline operation; then click Next.
Click Finish to schedule the task.
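The exercise saves Fport output for future reference but leaves the comparison to you. As an added example (not part of the original exercise), the following Python script indexes two Fport dumps by protocol and port and reports listeners that appeared, vanished, or kept their port but changed the process behind it; both dumps are constructed samples, and the row layout is assumed to follow Fport's Pid, Process, ->, Port, Proto, Path columns.

```python
import re
from typing import Dict, Tuple

# Constructed sample of Fport output saved as the baseline (not a real capture).
BASELINE = """FPort v2.0 - TCP/IP Process to Port Mapper

Pid   Process            Port  Proto Path
392   svchost        ->  135   TCP   C:\\WINNT\\system32\\svchost.exe
8     System         ->  139   TCP
8     System         ->  445   TCP
392   svchost        ->  135   UDP   C:\\WINNT\\system32\\svchost.exe
"""

# Constructed later dump: 445/TCP is gone, an unknown listener appeared on 1234/TCP,
# and 135/UDP is now served by a binary in a different location.
CURRENT = """FPort v2.0 - TCP/IP Process to Port Mapper

Pid   Process            Port  Proto Path
401   svchost        ->  135   TCP   C:\\WINNT\\system32\\svchost.exe
8     System         ->  139   TCP
1044  svc32          ->  1234  TCP   C:\\TEMP\\svc32.exe
401   svchost        ->  135   UDP   C:\\WINNT\\svchost.exe
"""

# One data row: pid, process, "->", port, proto, optional path. Banner and header rows do not match.
LINE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s*(.*?)\s*$")


def parse_fport(text: str) -> Dict[Tuple[str, int], Tuple[str, str]]:
    """Index an Fport dump as (proto, port) -> (process, path). The pid is dropped on purpose:
    it changes on every boot, while the port-to-process binding should not."""
    listeners: Dict[Tuple[str, int], Tuple[str, str]] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            _pid, proc, port, proto, path = m.groups()
            listeners[(proto, int(port))] = (proc, path)
    return listeners


def compare_baselines(baseline: str, current: str):
    """Return (added, removed, changed). 'changed' catches a port that is still open but now
    belongs to a different process or image path, which a plain line-by-line diff can hide."""
    old, new = parse_fport(baseline), parse_fport(current)
    added = {k: new[k] for k in new.keys() - old.keys()}
    removed = {k: old[k] for k in old.keys() - new.keys()}
    changed = {k: (old[k], new[k]) for k in old.keys() & new.keys() if old[k] != new[k]}
    return added, removed, changed
```

In practice the baseline file written by your bat file is read into BASELINE and a fresh Fport dump into CURRENT; any non-empty result is a change to investigate before the next scheduled run overwrites it.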
Before a hardened system is put into production, a baseline of the system should be taken for future audit purposes. Simple tools can then be scripted to monitor the system for unexpected changes.
Additionally, it is vital to review logs to detect attempts to compromise a system before a breach actually occurs. Since neither Windows NT nor Windows 2000 has a standard mechanism for consolidating log files, and both can generate vast amounts of data, tools such as dumpel export the log data in a form that can be imported into a database for easier manipulation.