RE: Windows Reverification
From: deepblue (news@inlynx.com)Date: 06/11/02
- Previous message: Marc Fossi: "SecurityFocus Microsoft Newsletter #90"
- In reply to: Kit: "RE: Windows Reverification"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "deepblue" <news@inlynx.com> To: <focus-ms@securityfocus.com> Date: Mon, 10 Jun 2002 18:34:39 -0700
So far as enumerating permissions whether in the registry or shares and
all the way down to NTFS I have always used dumpsec form Somarsoft.
It's a free ute and strong. It's a light lead in to Hyena, which is
super strong but spendy. SomarSoft's DumpSec is a security auditing
program for Microsoft
Windows nt/2000/xp. It dumps the permissions (DACLs) and audit settings
(SACLs) for the file system, registry, printers and shares in a concise,
readable listbox format, so that holes in system security are readily
apparent. DumpSec also dumps user, group and replication information.
www.somarsoft.com. Enjoy!!! Very nice ute.
-----Original Message-----
From: Kit [mailto:kit@smallfoxx.com]
Sent: Monday, June 10, 2002 1:33 PM
To: Markiewicz, Douglas; focus-ms@securityfocus.com
Subject: RE: Windows Reverification
Well, there are a lot of security documentation of best practices and
base-lines found at Microsoft's Security Site
(http://www.microsoft.com/technet/security). As for assisting in
Auditing
permissions, consider setting up a Security Template and then using that
to
audit the machines. For sending messages to owners of certain groups,
you
could write an application to query the AD using ADSI then send an SMTP
or
CDO message to notify them. You could do this with either WSH or most
compiled languages, but it requires some programming knowledge.
I think there are some security auditing tools that will do things like
that. For instance, I think Retina from eEye will do a lot of the
auditing
for you, but I could be mistaken so check them out.
-K
> -----Original Message-----
> From: Markiewicz, Douglas [mailto:dma2p@allstate.com]
> Sent: Monday, June 10, 2002 7:45 AM
> To: 'focus-ms@securityfocus.com'
> Subject: Windows Reverification
>
>
> I am looking to reverify access controls in the Windows
> environment. There
> are two major components involved in the efforts: 1) reverifying
access to
> global security groups, 2) file system access reverification.
>
> The biggest problem with even getting this effort off the ground is
> scalability. We have approximately 16,000+ global security
> groups all with
> different owners based on the area using the global group. Some
> don't even
> have owners listed in AD. All we'd like from the effort is to
> send an email
> or some other notification to the group owner, have them reverify the
> members of the group, and send back notice giving an OK with any
changes
> that have been made. Has anybody done anything like this in the past?
>
> Once this is done, we'd like to perform file system access
reverification.
> As in, what does any one user have access to on their workstation.
Seems
> like the best way to do this is to set permission standards based on
the
> type of access you have. Our base image centralizes most user
> settings (my
> documents, local settings, temp, etc.) so denying write access to
> everything
> but the personal folder would make the effort much more simplified.
Not
> sure what kind of problems this may bring up though. Thoughts on this
as
> well?
>
> I haven't found any good documentation from Microsoft on this (e.g.
Best
> Practices) nor have I found a really good tool to assist in our
efforts.
> Any feedback would be appreciated.
>
- Previous message: Marc Fossi: "SecurityFocus Microsoft Newsletter #90"
- In reply to: Kit: "RE: Windows Reverification"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
