Re: MS binary integrity baseline
From: Mark Burnett (mb_at_xato.net)
Date: 08/19/04
- Previous message: Harlan Carvey: "Re: MS binary integrity baseline"
- In reply to: Chris Conacher: "MS binary integrity baseline"
- Next in thread: dave kleiman: "RE: MS binary integrity baseline"
- Reply: dave kleiman: "RE: MS binary integrity baseline"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: <focus-ms@securityfocus.com> Date: Thu, 19 Aug 2004 08:45:52 -0600
There are several ways I check the integrity of files in Windows:
1. To verify the digital signatures of drivers, you can use sigverif.exe. This tool is meant to verify the HCL signature from Microsoft to verify Windows compatibility, but it is useful nonetheless.
2. To verify all files protected by Windows File Protection, you can use sfc /scannow (note: look inside sfcfiles.dll to see what it checks).
3. To check the authenticode certificate of signed files, use chktrust (found in various resource kits and SDKs).
4. You can also check the NTFS file journal of a file to see if a file has changed, if you have the journal enabled for that volume: fsutil usn readdata c:\windows\notepad.exe
5. Most hotfix scanners use hashes, file dates, etc. to check file versions and are quite good at verifying that the files are authentic.
But there's no built-in method to verify hash signatures of files. You can use a tool like fsum (http://www.slavasoft.com/fsum/) to create and verify hashes but it isn't easy to directly compare them to the files on the install CD because the files on the CD are all compressed. You would have to build a baseline system and compare them to that.
One other note: In Windows XP and 2003 you can use Group Policy to set software restriction policies to only run programs that you specify. You can set hash rules for the policy so that the file only runs if the MD5 and SHA-1 hashes match that in the policy. Setting this up would obviously be time-consuming but would probably be worth it when protecting a critical server.
Hope this helps,
Mark Burnett
On Wed, 18 Aug 2004 16:55:06 +0000, Chris Conacher wrote:
> Dear List
>
> Is there anything that performs binary integrity checks for Windows
> OS such as rpm does for Redhat or apt does for Debian?
>
> I want something that will check Windows binaries against a trusted
> source - MS site, install cd, etc so that I can determine integrity
> baselines of current production systems before deploying an
> integrity checking application.
>
> I would have thought that this would be something Microsoft would
> provide, but have not seen anything.
>
> Thanks for any input
>
> Chris
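The post notes that Windows has no built-in way to create and verify file hashes, and that the practical route is to hash a known-good baseline system and compare production systems against it. The script below is an added example of that workflow (it is not Mark Burnett's code, nor fsum); it builds a baseline of MD5, SHA-1 and SHA-256 digests for every file under a directory, saves it as JSON, and later reports files that were added, removed or changed. The directory tree and file contents in `demo()` are constructed for the example, and the file names only mimic Windows system files.

```python
# Added example: build a hash baseline of a directory tree once on a trusted
# system, then verify a later copy of the tree against it.
import hashlib
import json
import tempfile
from pathlib import Path

# MD5 and SHA-1 are the algorithms software restriction policy hash rules use;
# SHA-256 is recorded as well because both older algorithms are collision-prone.
ALGORITHMS = ("md5", "sha1", "sha256")


def _digest(chunks, algorithms):
    """Feed each chunk to every requested hash and return {algorithm: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=ALGORITHMS):
    """Hash an in-memory byte string (handy for checking against known vectors)."""
    return _digest([data], algorithms)


def hash_file(path, algorithms=ALGORITHMS):
    """Hash a file in 64 KiB chunks so large binaries are not read into memory."""
    with open(path, "rb") as fh:
        return _digest(iter(lambda: fh.read(64 * 1024), b""), algorithms)


def build_baseline(root):
    """Hash every regular file under root, keyed by its path relative to root."""
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            baseline[path.relative_to(root).as_posix()] = hash_file(path)
    return baseline


def save_baseline(baseline, outfile):
    """Persist the baseline; store this file somewhere the checked host cannot write."""
    Path(outfile).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(infile):
    return json.loads(Path(infile).read_text())


def compare_to_baseline(root, baseline):
    """Report files added, removed or changed relative to the stored baseline."""
    current = build_baseline(root)
    known, now = set(baseline), set(current)
    return {
        "added": sorted(now - known),
        "removed": sorted(known - now),
        "changed": sorted(p for p in known & now if current[p] != baseline[p]),
    }


def demo():
    """Constructed scenario: baseline a fake system folder, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "tree"
        (root / "System32").mkdir(parents=True)
        (root / "System32" / "notepad.exe").write_bytes(b"MZ-constructed-notepad")
        (root / "System32" / "kernel32.dll").write_bytes(b"MZ-constructed-kernel32")
        (root / "readme.txt").write_bytes(b"constructed readme")

        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), baseline_file)

        # Simulate post-baseline changes: one file modified, one removed, one added.
        with open(root / "System32" / "notepad.exe", "ab") as fh:
            fh.write(b"-patched")
        (root / "readme.txt").unlink()
        (root / "System32" / "newdriver.sys").write_bytes(b"MZ-constructed-unknown")

        return compare_to_baseline(root, load_baseline(baseline_file))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A baseline is only as trustworthy as the system it was taken from, so it should be built on a freshly installed, fully patched machine and kept off the hosts it is used to check; after each hotfix the affected files will legitimately show up as changed, and the baseline must be rebuilt from a trusted source.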