Thursday, November 19, 2009

FREE Windows Utilities for Scanning, Auditing, and Monitoring

Many applications keep detailed logging data in straight text files because the Windows event logs aren't appropriate for certain types of data (e.g., IIS log files). In the course of monitoring or troubleshooting these types of applications, it's often helpful to watch these log files in real time. However, because they're text files, that process typically consists of opening the file in Notepad or another text editor, looking at the contents, closing the file, then reopening the file to see what's changed.

In the UNIX world, a utility that serves this purpose has been available for quite some time: It's called tail. Fortunately, the good folks at Bare Metal Software have developed a free version of the tool called BareTail.

BareTail is a great utility for watching log files, such as IIS logs, cluster logs, and any other type of logs that can generate a lot of data quickly. BareTail can keep up with large log files (e.g., greater than 2GB) just as quickly as with smaller files, and—for easier visual recognition—it can selectively highlight specific entries that appear in a file based on matching text strings. For example, suppose you want to highlight references to cmd.exe in an IIS log file to easily spot which incoming connections are attempting to exploit known vulnerabilities.

One of BareTail's most compelling qualities is that it's a completely standalone executable. There's no installer package to work with, so you can use the utility on a client's system and feel safe that you've had little or no impact on the system after you complete your work.

When I have security on the brain, I generally look to the open-source community for answers, rather than to specific vendors. After all, the open-source community can be voracious in its efforts to find and understand every aspect of a vulnerability or flaw. A shining example of this security consciousness is the open-source vulnerability scanner called Nessus.

Nessus is the world's most popular opensource vulnerability scanner. An estimated 75,000 organizations worldwide rely on Nessus to assess their networks and check for vulnerabilities. Originally launched in 1998 for UNIX, Nessus has been ported over to Windows by Tenable Network Security in a version called NeWT.

Tenable Network Security provides the standard version of NeWT free for anyone to use for any reason. The only limitation is that the host that NeWT runs on can scan only its local subnet. With more than 6000 known vulnerabilities that it can test for, NeWT is now the best vulnerability scanner available for the Windows platform.

When you unleash NeWT on your local subnet, it starts its process of testing each host it finds for vulnerabilities in its database. You can configure NeWT to test only for certain vulnerabilities—for example, if you're a 100 percent Microsoft shop, you don't need to test for UNIX vulnerabilities—and whether to attempt to fully exploit any vulnerabilities found to confirm its tests. NeWT can check for buffer-overflow vulnerabilities, watch for misconfigured application services (e.g., mail, Web), find all the listening ports on a server and determine the OS type, look for backdoors installed on an infected host, and more.

If you provide NeWT with appropriate administrative credentials, it will dive even deeper into your systems and check for local patching or the existence of malicious software. For example, on a test "victim" system in my lab, NeWT detected several spyware and adware packages that I intentionally installed on that host for some tests. NeWT recommended that I remove those applications. NeWT is the first tool I grab when I start a security assessment for a client, and it should be in every administrator's toolbox.

If you're looking for a quick and simple way to obtain information about a remote system, Winfingerprint is the tool of choice. Winfingerprint is a network scanner that runs on Windows. Unlike most network scanners, Winfingerprint is specifically designed to obtain information about Microsoft hosts and applications. Winfingerprint can use ICMP, RPC, SMB, SNMP, TCP, and UDP to obtain information (e.g., OS version, users, groups, SIDs, password policies, services, service packs and hotfixes, NetBIOS shares, transports, sessions, disks) about target systems. Winfingerprint comes in both a GUI version and a command-line version, so however you prefer to work, there's a version of Winfingerprint for you.

Winfingerprint determined the number of drives I had installed on my target system, as well as the MAC addresses of the interfaces and the OS and patch level. What you can't see in the figure, however, is that Winfingerprint went on to enumerate all the share names on that system, as well as the services that were installed and the names of the users. The tool obtained all that data in about 20 seconds, making Winfingerprint a terrific tool for quickly collecting inventory data about networked systems.

No comments:

Post a Comment