Securing Microsoft Windows NT for Secure Environments - PowerPoint PPT Presentation

1
Securing Microsoft Windows NT for Secure
Environments
2
Who Am I?
  • Christopher Cantrell
  • Total Network Security Systems Engineer
  • Email Address chris_cantrell_at_nai.com
  • Professional Experience includes
  • Regions Financial Corporation
  • MindSpring Enterprises
  • Virtual Resources
  • United States Government Contractor
  • Network Associates
  • 10 Plus Years Industry Experience with Microsoft
    and Network Security

3
Overview
  • Purpose
  • High Level Outline
  • Understanding the Enemy
  • Security Policies
  • Installing Windows NT
  • Windows NT File Systems
  • Windows NT Registry
  • Windows NT Accounts
  • Windows NT Networking
  • Miscellaneous

4
Understanding the Enemy
  • Who are today's hackers?
  • Students
  • Teachers
  • Professors
  • Employees
  • Professionals
  • Almost anyone - No Single Profile
5
Facts or Fiction?
Today's hackers are not just kids. Hacking today
is organized and fueled by the Internet. Hacking
is increasing dramatically. Security efforts
cannot just focus on external hackers or
threats. Security must be a priority within an
organization.
6
Categorizing Hackers
  • Hackers can be described and categorized in three
    areas.
  • Amateurs
  • Skilled
  • Elite

7
Amateur Hackers
  • Amateur hackers are not experts by most
    measurements.
  • They use many of the freely available tools found
    on the Internet.
  • Do things such as
  • Perform Denial of Service attacks (DoS)
  • Port Scans against public servers
  • Mail Spoofing
  • Spreading viruses

8
Continued
  • Almost everyone at some time has tried some form
    of hacking.
  • Have you ever ...
  • Installed or used a pirated copy of software?
  • Illegally registered a product?
  • Tried guessing a password to a file or system?
  • Run a scanning tool like CyberCop Scanner?
  • If you said YES to any of the above, you have
    participated in a form of hacking.

9
Skilled Hackers
  • Skilled Hackers are those individuals who possess
    a strong knowledge of systems.
  • Use their skills for both pleasure and reward.
  • Cause more damage and are harder to catch.
  • Do things such as
  • Write Viruses
  • Spoof Email
  • Modify WEB Sites and their content
  • Change or delete data

10
Advanced / Elite Hackers
  • Highly skilled and trained in their area of
    expertise.
  • Very small in numbers. Less than 2000 World Wide.
  • Do not communicate with others outside their
    inner circle.
  • Driven by money, greed, challenge, and
    excitement.
  • Are the hardest to catch.
  • Do things such as
  • Set up back doors for future hacking
  • Hack with the intent to destroy or cause damage
  • Work with organized crime
  • Sell information
  • Write programs

11
Hacking Events
  • Today's hackers hold organized events to share
    experiences and ideas.
  • Some of the events include
  • DEFCON - Las Vegas
  • Beyond - New York
  • HoHo Con - New York

12
Hacking Sites
  • The best way to stay current is to keep current
    with the hacking community via the WEB.
  • www.rootshell.com
  • www.l0pht.com
  • www.microsoft.com/security
  • www.ntbugtraq.com
  • www.ntsecurity.net

13
Common Security Holes
  • Hackers look for obvious security holes or
    mis-configurations.
  • These include
  • Default username and passwords
  • Older versions of software or operating systems

14
How do they find the holes?
  • Hackers use many methods to find security holes.
  • These include
  • Social Engineering
  • Applications and Tools
  • Traceroute
  • Ping
  • DNS
  • Hacking Applications

15
1.0 General Security Guidelines
  • After this section, you should have a solid
    understanding of what basic security guidelines
    should be followed when securing any system.
  • This includes
  • Service Packs hotfixes
  • Domain Trusts
  • User Accounts and Groups
  • Services and Applications
  • Physical Security
  • Security Policies

16
1.1 Service Packs
  • Microsoft releases security fixes and updates to
    Windows NT with Service Packs and hotfixes.
  • By staying current with Service Packs and hotfixes,
    the system is less vulnerable to security
    threats.
  • Service Pack 5 - Current SP
  • Always test Service Packs and hotfixes on
    non-production systems before deploying on
    production systems.
  • Alternative Download Site to Microsoft
  • http://www-nt.stanford.edu/Files/Hotfixes.html

17
1.2 Domain Trusts
  • Trusts are probably one of the easiest ways to
    bypass security.
  • Trusts by nature add complexity to any NT
    environment.
  • If trusts are used, establish a procedure to
    monitor and audit them on a regular basis.

18
1.3 User Accounts and Groups
  • Use the Least Privilege methodology.
  • Only allow users access to what they require for
    their job.
  • Maintain two accounts for System Administrators
  • One for their Administrative duties.
  • One for normal, daily activities.
  • Develop and maintain easy to understand Groups.
  • Review all Group Memberships on a regular basis.

19
1.3 Continued
  • Do not assign or use the default Administrator
    Account
  • Assign unique usernames for each system
    administrator.
  • Monitor access to the default Administrator
    account.

20
1.5 Physical Security
  • Physical security is one of the most effective
    methods to protect any Microsoft Windows NT
    system.
  • Theft of physical disks
  • Denial of Service
  • Corruption of data
  • Backups
  • Windows NT Backup does not provide any security
  • Emergency Repair Disks (ERDs) contain sensitive
    information about each NT system.

21
1.5 General Security Policy
  • Develop a General Security Policy
  • Defines User Rights and Expectations
  • Security Procedures
  • Responsibilities
  • System Administrators Responsibilities
  • System Administrators are required to attend a
    Security Awareness Seminar every 6 months.
  • System Administrators are required to pass the
    Security Awareness Test every 6 months.
  • System Administrators are required to document and
    report all suspicious activity to the Security
    Department.
  • System Administrators are required to maintain
    Domain Users and Group Records.
  • System Administrators are required to maintain
    separate Domain Accounts 1 for System
    Administrative Activities and 1 for normal system
    activity.

22
1.6 System Security Policy
  • Develop a System Security Policy
  • If the Security Policy must be modified for the
    proper and secure operation of the operating
    environment and infrastructure, it must be
    authorized and documented.
  • All revisions are required to be authorized by
    the director of Security.

23
1.6.1 Sample System Security Policy.
  • Microsoft Windows NT 4.0 systems are required to
    be installed with only one Network Interface
    Card, unless approved.
  • Microsoft Windows NT 4.0 systems are not to be
    installed with any protocol other than TCP/IP,
    unless approved.
  • Microsoft Windows NT 4.0 systems are required to
    be configured to not allow a server to be booted
    from any other device than the primary hard
    drive.
  • Microsoft Windows NT 4.0 systems are required to
    have static IP Address.
  • Microsoft Windows NT 4.0 systems are required to
    have the latest APPROVED Anti-Virus software
    installed and running.

24
1.6.1 Continued ...
  • Microsoft Windows NT 4.0 systems are required to
    be installed on a separate NTFS File System
    partition.
  • Microsoft Windows NT 4.0 systems are required to
    store data and applications on a separate NTFS
    File System Partition separate from the operating
    system partition.
  • Microsoft Windows NT 4.0 systems are required to
    have all partitions formatted as NTFS File
    Systems.
  • Microsoft Windows NT 4.0 systems are required to
    have a full backup performed at least weekly.
  • Microsoft Windows NT 4.0 systems are required to
    have incremental backups performed daily.
  • Microsoft Windows NT 4.0 Server backups are
    required to be kept for a minimum of 1 year from
    the date of backup.

25
1.6.1 Continued ...
  • Microsoft Windows NT 4.0 systems are required not
    to be installed with Microsoft Internet
    Information Server, unless approved.
  • Microsoft Windows NT 4.0 systems Security and
    Application Logs are required to be archived for
    1 year.
  • Microsoft Windows NT Domain Accounts are required
    to enforce a minimum of 8 characters for
    passwords.
  • Microsoft Windows NT 4.0 Primary Domain
    Controllers are required to maintain a history of
    the last 10 Domain User Account passwords and not
    allow for Domain Users to reuse those passwords.
  • Microsoft Windows NT 4.0 systems are required to
    lock and log any account after 3 unsuccessful
    logon attempts

26
1.6.2 Conclusion
  • Security Policies are living documents.
  • Always review the documents on a quarterly basis.
  • Get management approval on all published
    documentation.
  • Always maintain a written record of all system
    changes.

27
2.0 Installing Windows NT
  • After this section, you should understand the
    important security risks and concerns before,
    during, and post installation of a Windows NT
    system.
  • The following is an outline on the suggested
    steps to install and secure a Windows NT system.
  • Pre-Installation Tasks
  • Configure Hardware
  • Install Windows NT
  • Apply Recommended Security Enhancements
  • Install Third-Party Applications

28
2.1 Pre-Installation
  • Before beginning the NT installation process, the
    following pre-installation items should be
    completed.
  • Create a written document containing the
    following information
  • Hardware Requirements and Configuration
  • Software Requirements and Configuration
  • Network Configuration Information
  • SA Contact Information
  • Support Information
  • Change Control Documents

29
2.1.1 Hardware Requirements
  • CPU
  • Memory
  • Hard Drive
  • Network Cards

30
2.1.2 Hardware Configuration
  • BIOS Passwords
  • Not 100% effective
  • Reboot issues
  • BIOS Settings
  • Disabling devices
  • Floppy Drive
  • CD-ROM Drive

31
2.1.3 Software Requirements
  • Windows NT
  • Registration Information
  • Service Packs and hotfixes
  • 3rd Party Applications
  • AntiVirus
  • System Monitoring Tools

32
2.1.4 Software Configuration
  • Network Information
  • IP Address
  • Subnet Mask
  • Default Gateway
  • DNS Servers
  • WINS Servers
  • NBT Name
  • IP Name
  • Registration Information
  • Specific configuration options

33
2.1.5 SA Contact Information
  • Who is responsible for this system
  • Phone Numbers
  • Office Location
  • Office Hours
  • Emergency Contact Information
  • Management

34
2.1.6 Support Information
  • Hardware Support Contracts
  • Software Support Contracts
  • Escalation Procedures

35
2.1.7 Change Control Documents
  • Two copies
  • One with each physical system
  • One with the central documentation

36
2.3 Windows NT Installation
  • Windows NT can be installed with
  • Boot Disks
  • cdrom\winnt.exe /x /o
  • AutoStart CDROM
  • BIOS Dependent
  • Two Step Process
  • Blue Screen
  • GUI
  • Install Windows NT on a separate NTFS partition.

37
2.3 Continued ...
  • During the installation of Windows NT, the
    following should be followed
  • Only install the necessary Windows NT Components
  • Accessories
  • Windows Messaging
  • Only install the necessary protocols - TCP/IP and
    IPX selected by default.
  • Ensure IP Routing is turned off.
  • Don't install Microsoft Internet Information
    Server - Selected by default.

38
2.4 Install Service Pack
  • Service Pack 5 - Latest Microsoft Service Pack
  • Service Packs should always be tested on
    non-production systems before installing on
    production systems.

39
2.5 Install Hotfixes
  • Hotfixes are released to address specific issues.
  • Service Packs contain all previous hotfixes.
  • Multiple hotfixes can be rolled up into one
    installation package.

40
2.6 ERD
  • The Emergency Repair Disk (ERD) is a critical
    part of the recovery process which helps system
    administrators recover the Windows NT
    configuration from a normally unrecoverable
    state.
  • The ERD contains
  • the hives of the registry
  • copies of the MS-DOS subsystem initialization
    files
  • autoexec.nt
  • config.nt
  • SAM database.

41
Continued ...
  • The ERD assists in recovery by
  • Repairing bad registry data
  • Restoring corrupted or missing files on the
    system partition
  • Replacing a corrupt Kernel, which is the core of
    the Windows NT operating system
  • Replacing a bad boot sector for a FAT partition
  • The ERD is not a complete solution for recovering
    the system. A Backup utility must be used in
    conjunction with the ERD to fully recover from a
    disaster.

42
Continued ...
  • The ERD ...
  • Does not contain a full backup of the registry
  • Cannot fully restore the system partition
    information
  • Cannot repair unmountable partitions except for
    the system partition (normally C)
  • Does not replace a damaged NTFS boot sector.
  • Create baseline ERD before applying any
    additional security recommendations.

43
2.7 Install C2 Configuration Tool
  • The C2 Configuration tool does not make a system
    100% C2.
  • Great Start for Securing a system.
  • The GUI can perform many of the same manual
    registry recommendations.

44
2.7.1 Run C2Config.exe
45
2.7.2 Configure System for C2
  • File Systems - All NTFS
  • OS Configuration
  • OS/2 Posix Subsystem - Not Installed
  • Security Log - Don't Overwrite Events
  • Halt on Audit Failure
  • Display Logon Message
  • Last Username Display
  • Shutdown Button
  • Password Length
  • Guest Account
  • Networking
  • Drive Letters and Printers
  • Removable Media Drive

46
2.8 Create ERD
  • After using the C2 Configuration tool, it is
    recommended a second ERD is created and
    maintained.
  • Maintain two copies.
  • Usage
  • rdisk.exe /s-
  • /s backs up the current SAM
  • /s- No emergency repair disk is created - only
    updates the %SystemRoot%\repair directory

47
3.0 File Permissions
  • A number of file permissions should be set to
    establish a high degree of security.

48
3.0 Continued
  • Apply the following permissions with the ACL
    editor.

50
3.1 Specific File Permission
  • A number of root directory file permissions need
    to be set in secure installations.
  • These include the following

51
3.2 DHCP
  • c:\SystemRoot\System32\DHCP.EXE
  • Everyone - Read
  • Administrators - Full Control
  • System - Full Control
  • System Admin - Full Control
  • Creator / Owner - Full Control

52
4.0 Windows NT Registry
  • Windows NT uses the registry to store many
    parameters which control the security and
    behavior of NT.
  • Ensure only trained system administrators modify
    the Windows NT registry.
  • By modifying the default Windows NT registry,
    many additional security benefits can be gained.
  • The C2 Application performs many of the same
    manual registry changes.

53
4.0 Continued ...
  • Two applications can be used to modify the
    Windows NT registry.
  • REGEDIT.EXE
  • REGEDT32.EXE
  • Each application has benefits and limitations.
  • Most System Administrators use both applications.

To run Registry Editor:
1. Click Start, and then click Run.
2. Type regedt32 in Open.
To run Registry Editor from Windows NT Explorer,
double-click Regedt32.exe in the %SystemRoot%\System32 folder.
54
4.1 REGEDT32
  • REGEDT32.EXE is the native Windows NT registry
    editor. This application can be used to
  • Set registry permissions.
  • Create keys with all allowed data types.
  • Access remote Windows NT registries.
55
4.2 REGEDIT
  • REGEDIT.EXE is the older, Windows 9x registry
    editor.
  • Displays the registry as a tree structure.
  • Has a find feature.
56
Manual Registry Modifications
  • In addition to using the C2 Configuration tool, a
    number of manual registry modifications are
    required. This includes
  • Remove OS/2 and POSIX
  • Logon Caching
  • Disable the Floppy Drive
  • CDROM AutoRun
  • Netware DLL Trojan Horse
  • Auditing Backups
  • Remote Registry Access
  • Remote Network Access
  • System Page File
  • Scheduler
  • Guest Access to Event Logs
  • Registry File Association

57
OS/2 Posix
  • The C2 Configuration Manager disables the OS/2
    and POSIX subsystems by deleting the executables,
    but leaves the registry settings intact for these
    two subsystems.
  • With these keys in place a user could potentially
    reinstall the subsystem executables, enabling the
    subsystems on next system restart.
  • This leaves the system vulnerable to many
    attacks, thereby circumventing C2 security.

58
Continued ...
  • To fully prevent any OS/2 or POSIX based attacks,
    all registry keys dealing with these subsystems
    must be removed.
  • Remove the following keys and values
  • HKEY_LOCAL_MACHINE\Software\Microsoft\OS/2
    Subsystem for NT
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session
    Manager\Environment\Os2LibPath
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session
    Manager\SubSystems\Os2
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session
    Manager\SubSystems\Posix
  • Remove the following files
  • %SystemRoot%\System32\os2.exe
  • %SystemRoot%\System32\os2ss.exe
  • %SystemRoot%\System32\os2srv.exe
  • %SystemRoot%\System32\psxss.exe
  • %SystemRoot%\System32\posix.exe
  • %SystemRoot%\System32\psxdll.dll

59
4.5 Logon Caching
  • By default, Windows NT caches the previous 10
    logon sessions. In many secure environments, it
    is recommended to disable cached logons.
  • NOTE: Disabling this feature could cause
    authentication issues if a domain controller
    cannot be contacted.
  • Set the following registry key
  • HIVE: HKEY_LOCAL_MACHINE
  • KEY: Software\Microsoft\Windows NT\CurrentVersion\Winlogon
  • NAME: CachedLogonsCount
  • TYPE: REG_SZ
  • VALUE: 0

60
Disable the Floppy Drive
  • In many secure environments, it is recommended
    the floppy drive is limited to only the system
    administrators.
  • To disable the floppy drive for all users except
    the Administrators, perform the following
  • Run FLOPLOCK from the Resource Kit
  • On Windows NT Workstations, this will allow
    members of the Administrator and Power Users
    groups to have access to the floppy drive.
  • On Windows NT Servers, this will allow only the
    Administrators group access to the floppy drive.

61
CDROM AutoRun
  • To disable the AutoRun feature, edit the
    following registry keys with any registry editor.

  • HIVE: HKEY_LOCAL_MACHINE
  • KEY: System\CurrentControlSet\Services\CDRom
  • NAME: AutoRun
  • TYPE: REG_DWORD
  • VALUE: 0
62
Netware DLL Trojan Horse
  • If you don't require Netware support and don't
    run IPX/SPX, remove the following entry
  • Run REGEDT32
  • REMOVE the following registry entry
  • HIVE: HKEY_LOCAL_MACHINE\SYSTEM
  • KEY: CurrentControlSet\Control\Lsa
  • NAME: Notification Packages (REG_MULTI_SZ)
  • REMOVE the entry FPNWCLNT from this value
  • Monitor this registry key with CyberCop Monitor

63
Auditing Backups and Restores
  • The following registry key is used to audit the
    user performing system backups. This key value
    should be set to 1 to enable auditing.

  • Hive: HKEY_LOCAL_MACHINE
  • Key: \System\CurrentControlSet\Control\Lsa
  • Name: FullPrivilegeAuditing
  • Type: REG_DWORD
  • Value: 1
64
Remote Registry Access
  • The Registry Editor supports remote access to the
    Windows NT registry.
  • The following registry key restricts remote
    registry access.
  • By default, this key exists on Windows NT Servers.
    On Windows NT Workstations, however, this key must
    be added manually.
  • The security permissions set on this key will
    determine which users or groups can access the
    registry remotely.
  • Reference Microsoft Article ID Q155363

65
Anonymous Network Access
  • Windows NT 4.0 Service Pack 3 provides a
    mechanism for administrators to restrict the
    ability for anonymous logon users (also known as
    NULL session connections) to list account names
    and enumerate share names. The registry key
    value to enable this feature is

  • Hive: HKEY_LOCAL_MACHINE
  • Key: \System\CurrentControlSet\Control\LSA
  • Name: RestrictAnonymous
  • Type: REG_DWORD
  • Value: 1
66
System Page File
  • Virtual Memory support of Windows NT uses a
    system page file to swap pages from memory of
    different processes onto disk when they are not
    being actively used. On a running system, this
    page file is opened exclusively by the operating
    system and hence is well-protected.
  • In secure environments, Windows NT's system page
    file should be wiped clean when Windows NT shuts
    down. This ensures sensitive information that
    may be in the page file is not available to a
    malicious user. This can be achieved by
    modifying the following key

  • Hive: HKEY_LOCAL_MACHINE
  • Key: \System\CurrentControlSet\Control\Session Manager\Memory Management
  • Name: ClearPageFileAtShutdown
  • Type: REG_DWORD
  • Value: 1
67
Scheduler Service
  • By default, Windows NT restricts the AT command
    to Administrators.
  • To enable System Operators to submit AT commands,
    edit the registry with a registry editor.

  • HIVE: HKEY_LOCAL_MACHINE
  • KEY: \System\CurrentControlSet\Control\Lsa
  • NAME: SubmitControl
  • TYPE: REG_DWORD
  • VALUE: 1
68
Guest Access to the Event Log
  • By default, Windows NT allows guest and null
    sessions to view both the system and application
    event logs.
  • By default, Windows NT disables guest access to
    the security event log.
  • To disable guest access to the system and
    application event logs, edit the registry with
    REGEDT32.EXE.

69
Continued
  • HIVE: HKEY_LOCAL_MACHINE
  • KEY: \System\CurrentControlSet\Services\EventLog\LogName
    (where LogName is Application or System)
  • NAME: RestrictGuestAccess
  • TYPE: REG_DWORD
  • VALUE: 1
  • In addition, set the registry permission for
    only Administrators and SYSTEM. This will ensure
    other users cannot reset these values.
  • After setting this value for each log, reboot the
    system to enable.

70
Registry File Association
  • By default Windows NT associates registry files
    (.reg) with REGEDIT.EXE. It is required to
    associate all .reg files with NOTEPAD.EXE instead,
    so that opening a .reg file displays it rather
    than merging it into the registry.
  • Hive: HKEY_LOCAL_MACHINE
  • Key: \Software\Classes\regfile\shell\open\command
  • Name: (Default)
  • Type: REG_SZ
  • Value: notepad.exe "%1"
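As an added example (not part of the deck), the Python below parses a REGEDIT4-format export, the format REGEDIT.EXE writes on Windows NT 4.0, and reports which of the hardening values from the registry slides above are missing, still at a weak value, or still present where they should have been deleted. The export text is constructed; the one correction the checker embeds is that Os2LibPath, Os2 and Posix are values under their parent keys rather than keys of their own.

```python
"""Audit a REGEDIT4 (.reg) export against the registry hardening values on the
slides.  Added example, not from the deck: key paths are real NT 4.0 locations,
the export text is constructed."""
import re

HKLM = "hkey_local_machine"               # paths are compared in lower case
CCS = HKLM + r"\system\currentcontrolset"
SM = CCS + r"\control\session manager"
LSA = CCS + r"\control\lsa"

# Constructed export: CachedLogonsCount and AutoRun keep their defaults, the
# page-file and event-log values are absent, POSIX and FPNWCLNT are present.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"CachedLogonsCount"="10"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDRom]
"AutoRun"=dword:00000001

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000001
"Notification Packages"=hex(7):46,50,4e,57,\
  43,4c,4e,54,00,00

[HKEY_LOCAL_MACHINE\Software\Classes\regfile\shell\open\command]
@="notepad.exe \"%1\""

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SubSystems]
"Posix"="%SystemRoot%\\system32\\psxss.exe"
'''

# (key, value name) -> value the slides require, typed as the slides give them
REQUIRED = {
    (HKLM + r"\software\microsoft\windows nt\currentversion\winlogon", "cachedlogonscount"): "0",
    (CCS + r"\services\cdrom", "autorun"): 0,
    (LSA, "restrictanonymous"): 1,
    (SM + r"\memory management", "clearpagefileatshutdown"): 1,
    (CCS + r"\services\eventlog\application", "restrictguestaccess"): 1,
    (CCS + r"\services\eventlog\system", "restrictguestaccess"): 1,
    (HKLM + r"\software\classes\regfile\shell\open\command", ""): 'notepad.exe "%1"',
}
# OS/2 and POSIX leftovers: Os2LibPath, Os2, Posix are values; the OS/2 entry is a key
FORBIDDEN_VALUES = [(SM + r"\environment", "os2libpath"),
                    (SM + r"\subsystems", "os2"), (SM + r"\subsystems", "posix")]
FORBIDDEN_KEY = HKLM + r"\software\microsoft\os/2 subsystem for nt"

def decode_value(data):
    """dword -> int, quoted REG_SZ -> str, hex(7) -> list of str, other hex -> bytes."""
    if data.startswith("dword:"):
        return int(data[6:], 16)
    if data.startswith("hex"):
        kind, _, body = data.partition(":")
        raw = bytes(int(b, 16) for b in body.split(",") if b)
        if kind == "hex(7)":          # REG_MULTI_SZ: NUL-separated, double NUL ends
            return [s.decode("latin-1") for s in raw.split(b"\x00") if s]
        return raw
    if len(data) >= 2 and data[0] == data[-1] == '"':
        data = data[1:-1]
    return re.sub(r'\\(["\\])', r"\1", data)      # undo the \" and \\ escapes

def parse_reg(text):
    """Return {key_lower: {value_name_lower: value}}; the default value (@) has name ''."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):       # hex data continues on the next line
            pending = line[:-1]
            continue
        if not line or line.startswith(";") or line.upper() == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        name, _, data = line.partition("=")
        keys[current]["" if name == "@" else name.strip('"').lower()] = decode_value(data)
    return keys

def audit(text):
    """Return sorted findings; an empty list means every slide setting is met."""
    reg = parse_reg(text)
    findings = []
    for (key, name), want in REQUIRED.items():
        got, label = reg.get(key, {}).get(name), f"{key}\\{name or '(default)'}"
        if got is None:
            findings.append(f"MISSING {label}")
        elif got != want:
            findings.append(f"WEAK    {label} = {got!r}, want {want!r}")
    for key, name in FORBIDDEN_VALUES:
        if name in reg.get(key, {}):
            findings.append(f"PRESENT {key}\\{name} (subsystem value, delete it)")
    if FORBIDDEN_KEY in reg:
        findings.append(f"PRESENT {FORBIDDEN_KEY} (subsystem key, delete it)")
    if "FPNWCLNT" in list(reg.get(LSA, {}).get("notification packages", [])):
        findings.append(f"PRESENT {LSA}\\Notification Packages lists FPNWCLNT")
    return sorted(findings)
```

Run `audit()` over a file saved from REGEDIT.EXE (Registry, Export Registry File) to get the list of deviations for one host.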
71
Update ERD
72
Windows NT Account Security
  • Windows NT Account Security consists of
  • Account Policy
  • User Rights
  • Auditing
  • Account Security affects both Domain Controllers
    and Member Servers.

73
Account Policy
  • Maximum Password Age
  • Minimum Password Age
  • Minimum Password Length
  • Password Uniqueness
  • Account Lockout

74
Users Accounts
  • Administrator Account
  • On the PDC and all Member Servers, the
    Administrator account is recommended to be changed.
  • Rename the default Administrator account
  • SA_Administrator
  • Create fake Administrator account
  • Administrator
  • Add to the Guest Group
  • Disable Account
  • Add Password

75
Continued ...
  • Guest Account
  • On the PDC and all Member Servers, the Guest
    account is recommended to be changed.
  • Rename default Guest account
  • SA_Guest
  • Create fake Guest account
  • Guest
  • Add to the Guest Group
  • Disable Account
  • Add Password

76
Account Policies
77
User Rights
  • User Rights affect either Domain Controllers or
    Stand-Alone systems.
  • If you change the User Rights on a Domain
    Controller, these rights will affect both the PDC
    and all BDCs.
  • Most rights are secure by default.

78
Log on Locally
  • Domain Controllers
  • Groups assigned this right by default
  • Account Operators
  • Administrators
  • Backup Operators
  • Server Operators
  • Print Operators
  • Stand-alone servers and Workstations
  • Groups assigned this right by default
  • Administrator
  • Everyone
  • Guests
  • Power Users
  • Users

79
Continued
  • Recommend changes to
  • Domain Controllers
  • NONE
  • Stand-alone and Workstations
  • Remove Everyone and Guests

80
Shutdown the System
  • Domain Controllers
  • Groups assigned this right by default
  • Account Operators
  • Administrators
  • Backup Operators
  • Server Operators
  • Print Operators
  • Stand-alone servers and Workstations
  • Groups assigned this right by default
  • Administrator
  • Everyone
  • Guests
  • Power Users
  • Users

81
Continued
  • Recommend changes to
  • Domain Controllers
  • NONE
  • Stand-alone and Workstations
  • Remove Everyone and Guests

82
Access this Computer from the Network
  • Recommend changes to
  • Domain Controllers
  • Remove Guests

83
Windows NT File Permissions
  • After this section, you will be able to apply
    security to the following areas.

84
Windows NT Auditing
  • Develop a process to audit the NT event logs.
  • Always archive NT event logs.
  • Ensure the audit log configuration adheres to the
    corporate security policy.

85
Windows NT Networking
  • Only run the necessary network services
  • Many services are not required for NT to function
  • SNMP
  • Simple TCP/IP Services
  • Alerter
  • Messenger

86
Miscellaneous
  • The following miscellaneous security tips
    increase the overall security of any NT system.
  • Rollback
  • Virus Software
  • System Monitor
  • Resource Kit

87
Remove ROLLBACK
88
Virus Software
  • McAfee AntiVirus
  • NetShield

89
System Monitoring
  • CyberCop Scanner
  • CyberCop Monitor 2.0 for NT

90
Windows NT Resource Kit
  • ADDUSERS.EXE
  • Addusers.exe dumps and imports user and group
    accounts in a Windows NT user account database
    to a text file. Passwords are not included.
  • AUTOLOG.EXE
  • Autolog.exe is a graphical utility to automate
    the registry settings for Auto-logon.
  • BROWMON.EXE
  • Browmon.exe is a graphical browser monitoring
    utility.
  • BROWSTAT.EXE
  • Browstat.exe is a more powerful command-line
    browser monitoring and querying tool.
  • DELPROF.EXE
  • Delprof.exe is used to delete user profiles.

91
Continued ...
  • DOMMON.EXE
  • Dommon.exe is a graphical domain monitoring tool.
    Displays secure channels between Windows NT
    computers that are members of a domain, and
    between domain controllers that are trusting
    other domains. This utility shows the same
    information as the command-line utility
    Nlmon.exe.
  • FINDGRP.EXE
  • Findgrp.exe is used to find all local and global
    group memberships for a user in both an accounts
    domain and a resource domain.
  • GETSID.EXE
  • Getsid.exe is used to dump the user's SID
    (includes the RID) for users or groups.

92
Continued ...
  • IFMEMBER.EXE
  • Ifmember.exe is used to list the groups a user is
    a member of.
  • LOGOFF.EXE
  • Logoff.exe allows the user to logoff from the
    command prompt.
  • NETDOM.EXE
  • Netdom.exe is a powerful command-line utility that can
    be used to join a domain, manage computer
    accounts for members and BDCs, reset secure
    channels, establish trust relationships, and
    manage resource domain computer accounts.

93
Continued ...
  • NLMON.EXE
  • Nlmon.exe is a command-line domain monitoring
    tool. Displays secure channels between Windows NT
    computers that are members of a domain, and
    between domain controllers that are trusting
    other domains. Shows the same information as the
    graphical utility Dommon.exe
  • NLTEST.EXE
  • Nltest.exe is a command-line domain monitoring
    utility. Does much more than Nlmon.exe or
    Dommon.exe.

94
Continued ...
  • PASSPROP.EXE
  • Passprop.exe provides functionality not available
    in User Manager. Allows policies to force
    complex passwords that contain a mix of upper and
    lowercase letters and numbers or symbols, and the
    ability to lock out an administrator's account
    over the network, but still allowing an
    administrator to log on interactively on domain
    controllers.
  • REGBACK.EXE
  • Regback.exe is a utility to backup the registry.
  • REGREST.EXE
  • Regrest.exe is a utility to restore the registry.
  • SHOWGRPS.EXE
  • Showgrps.exe shows the groups that a user is a
    member of.

95
Continued ...
  • USRSTAT.EXE
  • Usrstat.exe displays user name, full name, and
    last logon date and time for each user account
    across all domain controllers.
  • USRTOGRP.EXE
  • Usrtogrp.exe adds users to local and global
    groups from a text file.
  • DUMPEL.EXE
  • Dumpel.exe dumps an event log to a file.
  • NETWATCH.EXE
  • Netwatch.exe is a graphical utility that shows shares
    and connected users for one or more servers in a
    single window.

96
Continued ...
  • PATHMAN.EXE
  • Pathman.exe is a command-line utility to modify
    the system and user path environment statements.
  • PERMCOPY.EXE
  • PERMCOPY.exe copies permissions from one share to
    another.
  • PERMS.EXE
  • Perms.exe displays a user's permissions to files
    and directories on an NTFS volume.

97
Continued ...
  • REGKEY.EXE
  • Regkey.exe is a graphical utility to modify the
    registry to change settings for the shutdown
    button on the logon screen, to display the last
    logged on user, whether to parse the Autoexec.bat
    file for path and environment
    variables, to specify the number of profiles
    cached, to specify the default wallpaper, and
    whether to generate long file names on the FAT
    file system.
  • RMTSHARE.EXE
  • Rmtshare.exe remotely views and creates shares.
  • SCOPY.EXE
  • Scopy.exe copies files between NTFS file systems
    and retains all file and directory permissions.

98
Continued ...
  • SHOWACLS.EXE
  • Showacls.exe displays NTFS permissions for files,
    folders, and directory trees.
  • SHUTDOWN.EXE
  • Shutdown.exe is a command-line utility to
    remotely shut down and reboot Windows NT
    computers.
  • SHUTGUI.EXE
  • Shutgui.exe is a graphical utility to remotely
    shutdown and reboot Windows NT computers.

99
Continued ...
  • SRVINFO.EXE
  • Srvinfo.exe is a utility that lists extensive
    information for local and remote Windows NT
    computers. To get all the information, you must
    be an administrator of the remote machine. Some of
    the information listed includes Windows NT type,
    build number, domain name, Primary Domain
    Controller (PDC), IP address, drive space, and
    services running.
  • TIMESERV.EXE
  • Timeserv.exe is a service that keeps the local
    system clock synchronized with a Time server that
    is independent of a logged on user.

100
Continued ...
  • WHOAMI.EXE
  • Whoami.exe lists the user account who spawned the
    CMD process.
  • WINAT.EXE
  • Winat.exe is a graphical utility to administer
    and schedule processes using the Scheduler
    service.

101
Log files
102
Permissions - Shared Directories
103
Security Configuration Manager