Re: Auditing a Win2K box
From: H Carvey (keydet89_at_yahoo.com)
Date: 10/07/04
- Previous message: Fernando Gont: "Re: TCP/IP CRC question"
- Maybe in reply to: xyberpix: "Auditing a Win2K box"
- Next in thread: Jason Allred: "RE: Auditing a Win2K box"
Date: 7 Oct 2004 17:33:16 -0000
To: security-basics@securityfocus.com
In-Reply-To: <41638.81.144.180.200.1096993085.squirrel@81.144.180.200>
>I've been asked to audit a Win2k server, and being used to *nix boxes, I
>could really do with some pointers here. Aside from Nessus, nmap and the
>likes thereof, can anyone please point me to some decent
>software (preferably free), and/or docs/sites to do a security audit of a
>Win2k Server, and the various things to look out for?
Well, I guess it all depends upon the visibility you have into the system. If all you have is network access, running nmap and Nessus are a great start, adding on things like Nikto, rpcdump, etc., depending upon the ports you find open, of course.
However, if you have (or can get) admin-level access to the box, then you can provide a much greater service to your client. Using Perl or VBScript, you can use WMI to retrieve processes, service info, a list of installed patches and applications, etc. Yes, you can use a variety of freeware tools as well, but sometimes it's quicker to write your own than it is to search the Net looking for the right tool.
Things to consider/look for - depending upon the purpose of the system, how is it configured? What apps/services are running? Is IIS installed? If so, are unnecessary script mappings disabled? Is the system configured from a Least Privilege point of view? How about file system and Registry ACLs? How is auditing/logging configured? Who has what type of access to the machine?
Another thing to consider is this: if you're doing an audit, to what standard is the system being audited? Does the customer have a standard? If so, you're golden. If not, are you going to use "best business practices", and if so, what is your customer's business? How does this system fit into the rest of the infrastructure? These are all things that need to be considered...
If you have specific requirements or questions, feel free to contact me directly.
------------------------------------------
Harlan Carvey, CISSP
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://groups.yahoo.com/group/windowsir/
"Meddle not in the affairs of dragons, for
you are crunchy, and good with ketchup."
"The simplicity of this game amuses me.
Bring me your finest meats and cheeses."
------------------------------------------
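The WMI inventory Harlan describes (processes, services, installed patches and applications, checked against least privilege) as a worked example. This is added editorial code, not from the original post or its author; it is PowerShell rather than the Perl/VBScript mentioned, and it assumes Windows PowerShell 5.1 with Get-WmiObject (which speaks DCOM, the only WMI transport a Windows 2000 target has), an account that is a local administrator on the target, and the Remote Registry service for the registry fallback. The Win32_* class names are real WMI classes; the output file names and the "custom account" triage rule are the author's choices here, not anything the post specifies.

```powershell
# Added example (not from the original post): WMI-based inventory of a Windows
# host for an admin-level audit. Assumes Windows PowerShell 5.1 (Get-WmiObject
# over DCOM) and local administrator rights on the target.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [System.Management.Automation.PSCredential]$Credential   # omit for the local host
)

$wmi = @{ ComputerName = $ComputerName }
if ($Credential) { $wmi.Credential = $Credential }

# 1. Running processes with owner and image path. Unexpected owners, or a
#    binary running out of a temp or user-writable directory, are worth a look.
$procs = Get-WmiObject -Class Win32_Process @wmi | ForEach-Object {
    $owner = $_.GetOwner()
    [pscustomobject]@{
        PID   = $_.ProcessId
        Name  = $_.Name
        Owner = if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { '<unknown>' }
        Path  = $_.ExecutablePath
    }
}

# 2. Services: account they run under (least privilege), start mode and state.
#    The built-in list below is an assumption of what "normal" looks like; any
#    service running as some other account, and any auto-start service the
#    system's role does not need, deserves a question to the customer.
$builtin = 'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'
$services = Get-WmiObject -Class Win32_Service @wmi |
    Select-Object Name, State, StartMode, StartName, PathName,
        @{ n = 'CustomAccount'; e = { $_.StartName -notin $builtin } }

# 3. Installed hotfixes, to compare against the vendor's list for this OS.
$hotfixes = Get-WmiObject -Class Win32_QuickFixEngineering @wmi |
    Select-Object HotFixID, Description, InstalledOn

# 4. Installed applications. Win32_Product is slow and needs the Windows
#    Installer WMI provider (optional on Windows 2000), so fall back to the
#    Uninstall key in the remote registry if the class is unavailable.
try {
    $apps = Get-WmiObject -Class Win32_Product @wmi -ErrorAction Stop |
        Select-Object Name, Version, Vendor, InstallDate
} catch {
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    $key  = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall')
    $apps = foreach ($sub in $key.GetSubKeyNames()) {
        $k = $key.OpenSubKey($sub)
        if ($k.GetValue('DisplayName')) {
            [pscustomobject]@{
                Name        = $k.GetValue('DisplayName')
                Version     = $k.GetValue('DisplayVersion')
                Vendor      = $k.GetValue('Publisher')
                InstallDate = $k.GetValue('InstallDate')
            }
        }
    }
}

# 5. Write everything out as CSV so it can be diffed against the customer's
#    build standard or a known-good host (file names are this example's choice).
$stamp = Get-Date -Format yyyyMMdd-HHmm
$procs    | Export-Csv "$ComputerName-$stamp-processes.csv" -NoTypeInformation
$services | Export-Csv "$ComputerName-$stamp-services.csv"  -NoTypeInformation
$hotfixes | Export-Csv "$ComputerName-$stamp-hotfixes.csv"  -NoTypeInformation
$apps     | Export-Csv "$ComputerName-$stamp-apps.csv"      -NoTypeInformation

# On-screen triage: services not running under one of the built-in accounts.
$services | Where-Object CustomAccount |
    Format-Table Name, StartName, StartMode, PathName -AutoSize
```

Run it as `.\Inventory.ps1 -ComputerName srv01 -Credential (Get-Credential)` from an admin workstation; for the local host, drop both parameters (Get-WmiObject rejects explicit credentials for local connections). The CSVs answer the "what is running, who runs it, what is patched" questions from the post; the ACL, IIS script-mapping and audit-policy checks still have to be done against the standard the customer agrees to.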