#133728 - 2005-02-13 06:44 PM Document local security policies
Cybex Offline
Getting the hang of it
*****

Registered: 2004-07-21
Posts: 81
Loc: Brandon, FL.
Hello all, long time no post.... I have been super busy at work and the birth of our first child has kept me busy at home. Anyway, I find myself in need of a quick way to document the local security policies and certain other information on several systems (Win XP & Win2k3). They are not part of a domain, more of a workgroup setting. I know... talk to the engineers, not me. Anyway, I am trying to document as much information as I can about each system for a security review process. I have a collection of tools like PSINFO, PSLIST and FPORT to help me along. However, if anyone knows a way to pull the info via WMI I would rather script it so I could customize the output. Basically I need to document all open ports, active protocols, currently running processes, and the information listed in the Local Computer Policy MMC snap-in "Local Computer Policy\Computer Configuration\security\Windows Settings\Security Settings". If anyone knows how to enumerate these (security policies) I would appreciate the help in building a script to list them out into a file I can use in the final report. Also, if there is an easier way or this has already been done please let me know, no sense reinventing the wheel. The only thing is that it must be freeware or open source code. I know my company would buy a tool like Hyena, that would make too much sense.

Also if anyone knows anything else I missed that would be good to document for a security report on a system please let me know. I don't want to go overboard like complete file hashes or anything. But information that upon review would show that the proper steps have been taken to secure a box or that they have not been taken. I.e. unnecessary ports have been closed, unnecessary services stopped... You get the idea. Thanks

Cybex
_________________________
Common sense isn't so common.

#133729 - 2005-02-13 08:03 PM Re: Document local security policies
NTDOC Administrator Offline
Administrator
*****

Registered: 2000-07-28
Posts: 11631
Loc: CA
The best thing would be to be locally on the box and run Microsoft Baseline Security Analyzer V1.2.1; however, if that is not really feasible then at least get temporary admin rights on these systems and scan them remotely with the tool. It will tell and log a boat load of stuff about the systems.

Microsoft Baseline Security Analyzer V1.2.1
http://www.microsoft.com/technet/security/tools/mbsahome.mspx

If you get on the box locally you could also run my Helpdesk script http://www.kixhelp.com/Downloads/MyComputerInfo.zip

You could also mail them the script and have them run it and mail it back to you if wanted.

You could also use a tool like LANGuard Scanner to get back a ton of info about the systems.

Hyena will gather a lot of info as well.
http://www.systemtools.com/


#133730 - 2005-02-13 09:10 PM Re: Document local security policies
Cybex Offline
Getting the hang of it
*****

Registered: 2004-07-21
Posts: 81
Loc: Brandon, FL.
I like (and have used) your script! Is there a way to incorporate the output from FPORT (Found Here) into the script to be used as data to be input into the html as it is written? Maybe in a section called "Ports".
_________________________
Common sense isn't so common.

#133731 - 2005-02-13 09:14 PM Re: Document local security policies
NTDOC Administrator Offline
Administrator
*****

Registered: 2000-07-28
Posts: 11631
Loc: CA
Have not used it myself, but if it is command line you could probably put it all in the report.

Originally made my script to run locally, but I may try to convert it to run as a remote Admin tool some day, but trying to work on SIM that hopefully will do all that and more some day.

#133732 - 2005-02-13 09:37 PM Re: Document local security policies
Cybex Offline
Getting the hang of it
*****

Registered: 2004-07-21
Posts: 81
Loc: Brandon, FL.
Local works for me.

The command line output from FPORT looks like this. Not sure how to get the output into Kix.
Code:

FPort v2.0 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com

Pid Process Port Proto Path
1172 inetinfo -> 25 TCP C:\WINNT\system32\inetsrv\inetinfo.exe
1172 inetinfo -> 80 TCP C:\WINNT\system32\inetsrv\inetinfo.exe
544 svchost -> 135 TCP C:\WINNT\system32\svchost.exe
8 System -> 139 TCP
1172 inetinfo -> 443 TCP C:\WINNT\system32\inetsrv\inetinfo.exe
8 System -> 445 TCP
968 MSTask -> 1026 TCP C:\WINNT\system32\MSTask.exe
1172 inetinfo -> 1027 TCP C:\WINNT\system32\inetsrv\inetinfo.exe
8 System -> 1029 TCP
8 System -> 2969 TCP
1248 DkService -> 31038 TCP C:\Program Files\Executive Software\Diskeeper\DkService.exe

544 svchost -> 135 UDP C:\WINNT\system32\svchost.exe
8 System -> 137 UDP
8 System -> 138 UDP
8 System -> 445 UDP
1172 inetinfo -> 1028 UDP C:\WINNT\system32\inetsrv\inetinfo.exe
544 svchost -> 1292 UDP C:\WINNT\system32\svchost.exe
1172 inetinfo -> 3456 UDP C:\WINNT\system32\inetsrv\inetinfo.exe
2448 Maxthon -> 3846 UDP C:\Program Files\Maxthon\Maxthon.exe



Also the usage:
Code:
FPort v2.0 - TCP/IP Process to Port Mapper

Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com
Usage:
/p sort by port
/a sort by application
/i sort by pid
/ap sort by application path



Edited by Cybex (2005-02-13 09:40 PM)
_________________________
Common sense isn't so common.

#133733 - 2005-02-14 02:13 AM Re: Document local security policies
Cybex Offline
Getting the hang of it
*****

Registered: 2004-07-21
Posts: 81
Loc: Brandon, FL.
Ok, let me rephrase that I know how to start to read the data into Kix. Characters 1-5 are the PID, 7-21 is the process name, 26-30 is the port number, 32-37 is the protocol, 38-carriage return is the program path.
How would the code look to have it recursively read in each line of the TCP, recognize the separating "NULL" line, and then read each UDP line?

Am I making this harder than it should be? Should I just lose the tables and read the whole text file into the html page without any additional separation?

Cybex


Edited by Cybex (2005-02-14 02:14 AM)
_________________________
Common sense isn't so common.

#133734 - 2005-02-14 02:26 AM Re: Document local security policies
Sealeopard Offline
KiX Master
*****

Registered: 2001-04-25
Posts: 11165
Loc: Boston, MA, USA
Use WSHPipe() to get everything into an array and go from there.
_________________________
There are two types of vessels, submarines and targets.

#133735 - 2005-02-14 07:22 AM Re: Document local security policies
NTDOC Administrator Offline
Administrator
*****

Registered: 2000-07-28
Posts: 11631
Loc: CA
Fport does not appear to support remote system scans, so I assume you have figured out how to run this locally on systems that are not in your Domain.

#133736 - 2005-02-14 08:58 AM Re: Document local security policies
NTDOC Administrator Offline
Administrator
*****

Registered: 2000-07-28
Posts: 11631
Loc: CA
Well here is some code to get you started... or to at least give you an idea of one way to do it, there are other ways.

Break On
Dim $SO,$Pause
$SO=SetOption('Explicit','On')
$SO=SetOption('NoVarsInStrings','On')
$SO=SetOption('WrapAtEOL','On')

Dim $Results,$Entry
; Run Fport.exe from the script folder, rejoin its output lines, skip the
; banner text that precedes the data, then split back into lines and drop
; the empty ones (including the blank line between the TCP and UDP blocks).
$Results = ArrayPack(Split(SubStr(Join(wshpipe(@ScriptDir+'\Fport.exe',1),@CRLF),184),@CRLF))

For Each $Entry In $Results
? $Entry
Next

Get $Pause

; Run a command through WScript.Shell.Exec and return its combined
; StdOut/StdErr as an array of lines. $NoEcho=1 suppresses echoing
; the raw output to the console. Requires WSH 5.6 or later.
Function WshPipe($ShellCMD, OPTIONAL $NoEcho)
Dim $oExec, $Output
$oExec = CreateObject("WScript.Shell").Exec($ShellCMD)
If Not VarType($oExec)=9 $WshPipe="WScript.Shell Exec Unsupported" Exit 10 EndIf
$Output = $oExec.StdOut.ReadAll + $oExec.StdErr.ReadAll
If Not $NoEcho $Output Endif
; Normalise CR/LF line endings before splitting on LF
$WshPipe=Split(Join(Split($Output,CHR(13)),CHR(32)),CHR(10))
Exit($oExec.ExitCode)
EndFunction

; Return a copy of $array with blank/whitespace-only elements removed.
; Exit code 1: argument is not an array; exit code 2: nothing left to return.
Function ArrayPack($array)
Dim $loop, $element
Dim $arrTemp[0]
If Not VarType($Array) & 8192 Exit 1 EndIf
$loop = -1
For Each $Element In $Array
If $Element > ' '
$Loop = $Loop + 1
ReDim PreServe $ArrTemp[$Loop]
$ArrTemp[$Loop] = $Element
EndIf
Next
If UBound($ArrTemp) = -1 Exit 2 Endif
$ArrayPack = $ArrTemp
EndFunction

#133737 - 2005-02-14 03:20 PM Re: Document local security policies
Cybex Offline
Getting the hang of it
*****

Registered: 2004-07-21
Posts: 81
Loc: Brandon, FL.
Thanks, I'll give it a try right now. I have to run this locally along with many other verification tests to ensure the systems are secure and do not negatively affect the overall security of the network prior to the systems ever being networked. The scans are the equivalent of the Microsoft Baseline Security Analyzer. This script will help in the gathering of information that is put into a report, along with the scan results, and submitted to a configuration review board who then approves or disapproves whether the systems can be added to the network.
_________________________
Common sense isn't so common.

#133738 - 2005-02-14 03:38 PM Re: Document local security policies
Cybex Offline
Getting the hang of it
*****

Registered: 2004-07-21
Posts: 81
Loc: Brandon, FL.
Regarding the WSH 5.6 dependency, I am currently not near any of the systems; will I have to install this on the XP and 2003 boxes or is it included in these versions? I have had to download it to my WIN2K workstation. Without it the script stalls with a blinking cursor. So I guess it is the WSH that I need.
_________________________
Common sense isn't so common.

#133739 - 2005-02-14 05:16 PM Re: Document local security policies
Mart Moderator Offline
KiX Supporter
*****

Registered: 2002-03-27
Posts: 4673
Loc: The Netherlands
Win2k3 and XP have WSH 5.6 or up included.
So does Win2k SP4 (don't know about Win2k with an SP older than 4).
_________________________
Mart

- Chuck Norris once sold ebay to ebay on ebay.

#133740 - 2005-02-14 09:27 PM Re: Document local security policies
NTDOC Administrator Offline
Administrator
*****

Registered: 2000-07-28
Posts: 11631
Loc: CA
Unless you or some other Admin has run a tool to remove WSH, it has been installed on all Windows systems since Windows 98.

Many organizations though removed it after the Melissa outbreak from years ago.

2000/XP does have it installed by default.

#133741 - 2005-02-14 09:43 PM Re: Document local security policies
Anonymous
Unregistered


You are correct, I was using an older lab system that WSH had been removed from. I have corrected the issue and will attempt to try it again later today.
#133742 - 2005-02-15 04:24 AM Re: Document local security policies
Cybex Offline
Getting the hang of it
*****

Registered: 2004-07-21
Posts: 81
Loc: Brandon, FL.
Ok, that works. I get the fport results when I kill the $NoEcho. With the $NoEcho back in place how would I call each piece of the array in order to populate the html table in the html creation process? I have done this before with arrays but for the life of me I can't seem to follow the logic. Perhaps it is the lack of sleep from all the crying at both work and home. Babies are great, they just don't seem to care that you are right in the middle of something.
_________________________
Common sense isn't so common.

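The two steps asked about in this post and in the earlier column-layout post (reading each fport line into fields, skipping the blank TCP/UDP separator, then filling the report's "Ports" table) as an added example that is not part of the thread. It is written in Python rather than KiXtart so it runs stand-alone; the sample output is constructed from the fport listing quoted above, and the approved-listener set is an assumption standing in for whatever the review board expects on a given box.

```python
import html
import re

# Constructed sample modelled on the fport v2.0 output quoted in the thread
# (whitespace collapsed as on the page; real fport output is fixed-width).
SAMPLE = """FPort v2.0 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com

Pid Process Port Proto Path
1172 inetinfo -> 25 TCP C:\\WINNT\\system32\\inetsrv\\inetinfo.exe
8 System -> 139 TCP
1248 DkService -> 31038 TCP C:\\Program Files\\Executive Software\\Diskeeper\\DkService.exe

544 svchost -> 135 UDP C:\\WINNT\\system32\\svchost.exe
8 System -> 137 UDP
"""
# A data line is "<pid> <process> -> <port> <proto> [<path, may contain spaces>]".
LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)(?:\s+(.*\S))?\s*$")

def parse_fport(text):
    """One dict per listener. Banner, column header and the blank line that
    separates the TCP and UDP blocks are skipped, so the parser does not
    depend on that separator; the proto column says which block a row is in."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, proc, port, proto, path = m.groups()
        records.append({"pid": int(pid), "process": proc, "port": int(port),
                        "proto": proto, "path": path or ""})
    return records

def unexpected(records, expected):
    """Listeners whose (proto, port) is not in the reviewer's approved set."""
    return [r for r in records if (r["proto"], r["port"]) not in expected]

def html_table(records, expected):
    """Rows for the report's 'Ports' section; unapproved listeners get a CSS
    class to highlight. Cells are escaped: names and paths come from the host."""
    rows = ["<table><tr><th>PID</th><th>Process</th><th>Port</th><th>Proto</th><th>Path</th></tr>"]
    for r in records:
        cls = ' class="unexpected"' if (r["proto"], r["port"]) not in expected else ""
        cells = "".join(f"<td>{html.escape(str(r[k]))}</td>" for k in ("pid", "process", "port", "proto", "path"))
        rows.append(f"<tr{cls}>{cells}</tr>")
    return "\n".join(rows + ["</table>"])

# Hypothetical approved baseline for the scanned host (an assumption, not from the thread).
EXPECTED = {("TCP", 25), ("TCP", 139), ("UDP", 135), ("UDP", 137)}
```

Anything returned by unexpected() is the list a reviewer would want to see justified or closed before the box is approved; the highlighted rows give the same information inside the HTML report.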