Windows Auditing Tools

1
Windows Auditing Tools

• Ken Johnson
• Whitehat Systems

2
Tools That I Use Personally For Window Network
Audits

• Nessus
• Helix
• Cain and Able
• Ethereal
• MBSA 2.0.1
• EventCombMT
• DSACLS
• Pen and Paper

3
Why do I use Multiple Tools?

• To Scan for different information
• To limit auditing errors
• To verify GPO are enforced
• To map the network
• To verify password policies are enforced
• To document things outside the normal that is
  questionable

4
Why Nessus?

• Up-to-date security vulnerability database
• Remote AND local security
• Extremely scalable
• Smart service recognition
• Multiples services
• Full SSL support
• Non-destructive OR thorough

5
Why Helix?

• Helix is a customized distribution of the Knoppix
  Live Linux CD. Helix is more than just a bootable
  live CD. You can still boot into a customized
  Linux environment that includes customized linux
  kernels, excellent hardware detection and many
  applications dedicated to Incident Response and
  Forensics.

6
Why Cain and Able?

• Password Cracking Utility
• VOIP Capabilities
• Packet Sniffer
• SecurID Cracker

7
Why Ethereal?

• Data can be captured "off the wire" from a live
  network connection, or read from a capture file
• 759 protocols can currently be dissected
• All or part of each captured network trace can be
  saved to disk.

8
Why MBSA 2.0.1?

• Can perform local or remote scans of Windows
  systems
• Compatible with the new Windows Update offline
  scan file
• Features found in MBSA 2.0.1
• Severity Ratings
• Locally and remotely scan for Office XP or later
  security updates
• Added guidance for locating updates and necessary
  actions
• CVE-IDs for supported updatesImproved help
  content
• Windows Server Update Services compatibility
• Automatic Microsoft Update registration and agent
  update
• Support for detection of updates on 64bit Windows
  and Windows XP Embedded

9
Why EventCombMT?

• A multithreaded tool that you can use to search
  the event logs of several different computers for
  specific events, all from one central location.
• You can configure EventCombMT to search the event
  logs in a very detailed fashion.

10
Why DSACLS?

• Audits Active Directory object permissions
• Command-line tool
• Equivalent of the Security tab

11
Why Pen and Paper?

• Allows Documentation and Notes of unexpected
  information or traffic.
• Allows documentation for questions to ask or
  answer in the audit.

12
Conclusion

• Auditing is a Multi-factor, Multi-tool Approach
• A lot of high quality and powerful freeware tools
  out there
• If you rely on a single tool you will miss
  something
• Each tool has their own purpose.
• Never forget the pen and paper