Script for Network Adapter Configuration Baselines

So far in this series of blog articles we have identified a number of different baseline scripts written in PowerShell. We hope that auditors and others will be able to take these scripts, modify them for their own purposes, and use them for baselining the systems that they are evaluating.

This week we found ourselves in the position of having to gather some information about both the MAC addresses and the logical (IP) addresses of the adapters on a set of machines. Unfortunately that meant we had to change our strategy from using simple WMI calls of the Win32 namespace. Since we’re dealing with Microsoft Windows machines, we thought, why not go to the grand-daddy of all network configuration utilities – NETSH? So this week we primarily will use NETSH to gather the information.

We didn’t do much parsing this week (we do have day jobs too), but to query the information on a system’s adapters, we would use the following script:

echo "The following is the list of adapters and MAC Addresses as supplied by WMI calls:"
Get-WmiObject win32_networkadapter | Select-Object Name,MACAddress

echo "The following is the IPv4 network configuration as supplied by the netsh command:"
netsh interface ip show config

echo "The following is the IPv6 network configuration as supplied by the netsh command:"
netsh interface ipv6 show interfaces
netsh interface ipv6 show subinterfaces
netsh interface ipv6 show dnsservers
netsh interface ipv6 show addresses
netsh interface ipv6 show global
netsh interface ipv6 show teredo

There will be more NETSH scripts to come, but we figured we would show you the basics first. Enjoy!
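The netsh output above is text, which is awkward to diff between baselines. As an added example (not the post's script), the same MAC and logical address information can be pulled from WMI as structured objects and exported to CSV. Win32_NetworkAdapterConfiguration carries both the physical address and the IP configuration; the function name and the output path are this example's own choices.

```powershell
# Added example, not the original post's script: MAC and IP data as structured objects
# from WMI, so it can be exported and diffed rather than read off netsh text.
function Get-AdapterBaseline {
    # Win32_NetworkAdapterConfiguration carries both the MAC and the logical (IP) configuration;
    # IPEnabled=True restricts the list to adapters that actually have an IP stack bound
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled=True" | ForEach-Object {
        $cfg = $_
        # IPAddress holds v4 and v6 addresses in one array; split them on the colon
        $v4 = @($cfg.IPAddress | Where-Object { $_ -and $_ -notmatch ':' })
        $v6 = @($cfg.IPAddress | Where-Object { $_ -and $_ -match ':' })
        New-Object PSObject -Property @{
            Index       = $cfg.Index
            Description = $cfg.Description
            MACAddress  = $cfg.MACAddress
            IPv4        = ($v4 -join ';')
            IPv6        = ($v6 -join ';')
            DHCPEnabled = $cfg.DHCPEnabled
            Gateway     = (@($cfg.DefaultIPGateway) -join ';')
            DNSServers  = (@($cfg.DNSServerSearchOrder) -join ';')
        }
    }
}

# Usage: one CSV per host, named for the machine (the folder is an assumed path)
$out = "C:\Baselines\$env:COMPUTERNAME-adapters.csv"
Get-AdapterBaseline |
    Select-Object Index,Description,MACAddress,IPv4,IPv6,DHCPEnabled,Gateway,DNSServers |
    Sort-Object Index |
    Export-Csv -Path $out -NoTypeInformation
```

If you still want the netsh view for the record, redirect it to a text file next to the CSV (for example `netsh interface ip show config | Out-File "C:\Baselines\$env:COMPUTERNAME-netsh-ip.txt"`) so both can be compared against a later snapshot.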

Script for Network Share Baselines

Today we’re going to continue blogging about scripts that we can use to create system baselines. (For a primer on why you might want to consider performing a system baseline or for a process for performing system baselines, check out our previous blog entries here.)

As we discussed earlier as well, we are going to rely primarily on PowerShell to pull this information for us. So all of the scripts you will see in this series will be written as PowerShell scripts. For your sake, make your life easy and install PowerShell version 2.0; that will give you the latest and greatest functionality and the same development environment we’re primarily using to write these scripts.

Today’s script should give you a list of the shares installed on an individual machine and each share’s path on the local file system. In other words, this script gives us a snapshot of the local directories on a machine that are shared on the network. Again, for this script we are going to use Get-WmiObject from PowerShell to query the Win32 classes. Eventually we’ll explore other namespaces, but when this space is so productive, why make it harder than we need to? So here is the script you would run if you want to query this share data:

Get-WmiObject win32_share | Select-Object Name,Path
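For an auditor, the share list is more useful when it also records which shares are the built-in administrative ones and who is granted what at the share level. The following is an added example, not the post's own script: it reads each share's type from Win32_Share and its share-level DACL from the associated Win32_LogicalShareSecuritySetting instance. The function name and the table of well-known permission masks are this example's own choices.

```powershell
# Added example, not the original post's script: each share with its type and its
# share-level permissions, so non-default shares and broad grants stand out in a baseline.
function Get-ShareBaseline {
    # Well-known share-permission masks (Full, Change, Read); anything else is shown in hex
    $rightNames = @{ 2032127 = 'FullControl'; 1245631 = 'Change'; 1179817 = 'Read' }

    Get-WmiObject Win32_Share | ForEach-Object {
        $share = $_
        # Win32_Share.Type sets the high bit (2147483648) for administrative shares such as C$ and ADMIN$
        $isAdmin = ($share.Type -ge 2147483648)
        $aces = @()
        # The share-level DACL lives in the associated security-setting instance (absent for some admin shares)
        $sec = Get-WmiObject Win32_LogicalShareSecuritySetting -Filter ("Name='{0}'" -f $share.Name)
        if ($sec) {
            $result = $sec.GetSecurityDescriptor()
            if ($result.ReturnValue -eq 0) {
                foreach ($ace in $result.Descriptor.DACL) {
                    $who = $ace.Trustee.Name
                    if ($ace.Trustee.Domain) { $who = '{0}\{1}' -f $ace.Trustee.Domain, $who }
                    $right = $rightNames[[int]$ace.AccessMask]
                    if (-not $right) { $right = '0x{0:X}' -f $ace.AccessMask }
                    # AceType 0 = access allowed, 1 = access denied
                    $verb = 'Allow'
                    if ($ace.AceType -eq 1) { $verb = 'Deny' }
                    $aces += ('{0}:{1} {2}' -f $who, $verb, $right)
                }
            }
        }
        New-Object PSObject -Property @{
            Name        = $share.Name
            Path        = $share.Path
            AdminShare  = $isAdmin
            Permissions = ($aces -join '; ')
        }
    }
}

# Usage: non-admin shares granting Everyone more than Read are the rows worth a second look
Get-ShareBaseline | Select-Object Name,Path,AdminShare,Permissions | Format-Table -AutoSize
```

Share permissions are only half the picture; the NTFS permissions on the share's Path still apply on top of them, so a baseline that records both is the one that tells you what a network user can actually do.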

Enjoy! We look forward to providing you more fully featured scripts as the year progresses. If you have any requests, don’t be shy; send them our way.

Script for Locally Installed Software Baselines

Today we’re going to continue blogging about scripts that we can use to create system baselines. (For a primer on why you might want to consider performing a system baseline or for a process for performing system baselines, check out our previous blog entries here.)

As we discussed earlier as well, we are going to rely primarily on PowerShell to pull this information for us. So all of the scripts you will see in this series will be written as PowerShell scripts. For your sake, make your life easy and install PowerShell version 2.0; that will give you the latest and greatest functionality and the same development environment we’re primarily using to write these scripts.

The script we’re going to use today will be useful if you want to discover what software is installed on a given machine. This will not detect stand-alone binaries that are copied to a computer (for that we would need to reference a file system object and look for all applications). But if you’re just looking for a basic listing of all the installed applications on a machine, then this is the script for you:

Get-WmiObject win32_product | Select-Object Name,Vendor,Version
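Two practitioner caveats apply to Win32_Product: it only lists packages installed through Windows Installer (MSI), and, as Microsoft documents, every query makes the installer run a consistency check of each package, which is slow and writes MsiInstaller events to the Application log. The added example below (not the post's script) reads the Uninstall registry keys that Add/Remove Programs itself displays instead, covering the 64-bit, 32-bit and current-user views. The function name and the output path are this example's own choices.

```powershell
# Added example, not the original post's script: installed software from the Uninstall
# registry keys that Add/Remove Programs reads, avoiding the cost of Win32_Product.
function Get-InstalledSoftwareBaseline {
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',  # 32-bit apps on 64-bit Windows
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'               # per-user installs for the current user
    )
    foreach ($key in $uninstallKeys) {
        # SilentlyContinue: the Wow6432Node path does not exist on 32-bit Windows
        Get-ItemProperty -Path $key -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName } |
            ForEach-Object {
                $entry = $_
                # Record which registry view the entry came from
                $view = 'native'
                if ($entry.PSPath -match 'Wow6432Node') { $view = 'x86' }
                elseif ($entry.PSPath -match 'HKEY_CURRENT_USER') { $view = 'user' }
                New-Object PSObject -Property @{
                    Name        = $entry.DisplayName
                    Vendor      = $entry.Publisher
                    Version     = $entry.DisplayVersion
                    InstallDate = $entry.InstallDate
                    View        = $view
                    KeyName     = $entry.PSChildName
                }
            }
    }
}

# Usage: one CSV per host (the folder is an assumed path)
Get-InstalledSoftwareBaseline |
    Sort-Object Name |
    Select-Object Name,Vendor,Version,InstallDate,View,KeyName |
    Export-Csv -Path "C:\Baselines\$env:COMPUTERNAME-software.csv" -NoTypeInformation
```

Like Win32_Product, this still misses software that was simply copied onto the disk without an installer; for that you need the file-system walk the post mentions.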

Enjoy! We look forward to providing you more fully featured scripts as the year progresses. If you have any requests, don’t be shy; send them our way.

Script for Local User and Group Baselines

In keeping with my New Year’s resolutions, I want to continue posting information on how an auditor might take advantage of baselines when performing an Information System (IS) audit. Certainly I hope system administrators will be able to take advantage of this information as well when performing their own Control Self Assessments (CSAs).

As we discussed earlier as well, we are going to rely primarily on PowerShell to pull this information for us. So all of the scripts you will see in this series will be written as PowerShell scripts. For your sake, make your life easy and install PowerShell version 2.0; that will give you the latest and greatest functionality and the same development environment we’re primarily using to write these scripts.

So to get started with our baseline scripts, we are going to use a couple of easy scripts to produce a list of the user accounts and the groups on a local Microsoft Windows machine (Windows 2000 or later). In order to produce a list of local user accounts, try the following command:

Get-WmiObject Win32_UserAccount -filter "LocalAccount=True" | Select-Object Domain,Name,Disabled

For a list of groups on a local machine, try the following command:

Get-WmiObject Win32_Group -filter "LocalAccount=True" | Select-Object Domain,Name

Now, could we have used WMIC to do much of the same work? Of course! But for the sake of this series we are going to use PowerShell instead. Once everyone gets a taste for the simple scripts, we’ll move on to slightly more difficult ones. So let’s stay in the same language to be consistent.
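The two commands above list accounts and groups separately; what an auditor usually wants next is who is in which group, especially Administrators. As an added example (not the post's own script), the Win32_GroupUser association class links each local group to its members, and both ends of the association are WMI object paths that can be parsed for the domain and name. The function name and the regular expressions are this example's own choices.

```powershell
# Added example, not the original post's script: local group memberships via the
# Win32_GroupUser association class.
function Get-LocalGroupMembershipBaseline {
    # Each end of the association is a WMI object path such as
    #   \\HOST\root\cimv2:Win32_Group.Domain="HOST",Name="Administrators"
    #   \\HOST\root\cimv2:Win32_UserAccount.Domain="CONTOSO",Name="jsmith"
    $domainPattern = 'Domain="([^"]*)"'
    $namePattern   = 'Name="([^"]*)"'
    $classPattern  = ':Win32_(\w+)\.'

    Get-WmiObject Win32_GroupUser | ForEach-Object {
        $assoc = $_
        # Group side
        if ($assoc.GroupComponent -notmatch $namePattern) { return }   # skip anything we cannot parse
        $groupName = $matches[1]
        # Member side: user, nested group, or built-in system account
        if ($assoc.PartComponent -notmatch $namePattern) { return }
        $memberName = $matches[1]
        $memberDomain = ''
        if ($assoc.PartComponent -match $domainPattern) { $memberDomain = $matches[1] }
        $memberType = 'Unknown'
        if ($assoc.PartComponent -match $classPattern) { $memberType = $matches[1] }   # UserAccount, Group, SystemAccount
        New-Object PSObject -Property @{
            Group      = $groupName
            Member     = ('{0}\{1}' -f $memberDomain, $memberName)
            MemberType = $memberType
        }
    }
}

# Usage: the Administrators rows are the ones to compare against your approved list
Get-LocalGroupMembershipBaseline | Sort-Object Group,Member | Format-Table Group,Member,MemberType -AutoSize
```

Domain accounts and groups that have been added to local groups show up here with their domain prefix, which is exactly the kind of membership that tends to drift without anyone noticing.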

Enjoy! We look forward to providing you more fully featured scripts as the year progresses. If you have any requests, don’t be shy; send them our way.

Examples of System Baselines

Ok, it sounds like we should have one more point of clarification. In our last blog post we posted about a process to follow for creating and maintaining system baselines. But after thinking about it, one more thing auditors, or administrators performing Control Self Assessments (CSAs), might want to consider is what types of baselines could be gathered to comprehensively assess a system.

Some baselines an auditor might want to gather would be:

  - User accounts / Group memberships
  - Running services
  - Installed software
  - System security configurations
  - Installed hardware devices
  - Removable devices
  - System performance

Most definitely there are more baselines than this that we might consider gathering, but this should be a good place to start on a system. Network devices or applications might call for other criteria, but this is a good starting point for systems.

For the rest of the year we have decided to post specific methods for gathering baselines. We want to provide practical methods and scripts for gathering information from systems. We hope they’re helpful to everyone. If you have any requests, please don’t hesitate to drop us a line and let us know!

More Baselining Ideas – The Baselining Process

So I’ve had some questions about exactly what I mean by baselining and what types of things an auditor should be baselining when they’re examining a system. So let me take a few words to clarify what I meant.

First of all remember, the reason we perform a baseline is to determine if changes to the system change the security level of the system being examined. Ideally we are establishing a baseline of a system in a “known good” or secure state. In government terms this might be likened to a certification and accreditation process. But the idea is to identify a snapshot of what “secure” looks like for a given system. Then by performing subsequent baselines of the system and comparing them to the original, we will be able to see if there are any unauthorized changes to the system and if those unauthorized changes lower the overall security level of the system. This process works for auditors, incident handlers, forensicators, and others looking to assess the security level of a system.

So the baselining process would be:

  1. Build a clean system / declare a system to be secure.
  2. Create a baseline of the system in the “known good” state.
  3. Engage in a healthy change / configuration management process.
  4. Update system baselines after every approved change.
  5. Periodically create a new baseline of the system’s current state.
  6. Compare the most recent baseline to the last “known good” baseline.
  7. Analyze the two baselines for differences.
  8. Repeat / remediate risk if necessary.

We can use this process to look for unauthorized changes. Unauthorized changes to a system very likely can be indicators of a bigger problem, and most definitely something an auditor would want to be aware of when performing an assessment.
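Steps 2, 5 and 6 of the process above are the mechanical part, and they are worth scripting so that every baseline is taken the same way. The following is an added example, not the post's own code: it gathers the WMI queries from the earlier posts (plus running services, from the list of baselines) into one snapshot, saves it with Export-Clixml (available in PowerShell 2.0), and diffs a later snapshot against the saved "known good" copy with Compare-Object. The function names and the file path are this example's own choices.

```powershell
# Added example, not from the original posts: take a named snapshot of several baselines,
# save it, and report what was added or removed relative to the "known good" copy.
function Get-BaselineSnapshot {
    # Each collector flattens one record to a single string so Compare-Object can treat it as a line
    $collectors = @{
        'LocalUsers'  = { Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
                          ForEach-Object { '{0}\{1} Disabled={2}' -f $_.Domain, $_.Name, $_.Disabled } }
        'LocalGroups' = { Get-WmiObject Win32_Group -Filter "LocalAccount=True" |
                          ForEach-Object { '{0}\{1}' -f $_.Domain, $_.Name } }
        'Shares'      = { Get-WmiObject Win32_Share |
                          ForEach-Object { '{0} -> {1}' -f $_.Name, $_.Path } }
        'Services'    = { Get-WmiObject Win32_Service |
                          ForEach-Object { '{0} State={1} StartMode={2} Path={3}' -f $_.Name, $_.State, $_.StartMode, $_.PathName } }
    }
    $snapshot = @{}
    foreach ($name in $collectors.Keys) {
        # Sorted so two snapshots of an unchanged system serialize identically
        $snapshot[$name] = @(& $collectors[$name] | Sort-Object)
    }
    $snapshot['Meta'] = @("Host=$env:COMPUTERNAME", "Taken=$(Get-Date -Format o)")
    return $snapshot
}

function Save-Baseline($Snapshot, $Path) {
    # Export-Clixml preserves the hashtable-of-arrays shape and round-trips through Import-Clixml
    $Snapshot | Export-Clixml -Path $Path
}

function Compare-Baseline($KnownGoodPath, $CurrentSnapshot) {
    $known = Import-Clixml -Path $KnownGoodPath
    $findings = @()
    foreach ($category in $CurrentSnapshot.Keys) {
        if ($category -eq 'Meta') { continue }          # timestamps always differ
        $old = @($known[$category])
        $new = @($CurrentSnapshot[$category])
        # Compare-Object accepts empty collections, so a category missing from one side reports cleanly
        foreach ($d in (Compare-Object -ReferenceObject $old -DifferenceObject $new)) {
            $kind = 'REMOVED'
            if ($d.SideIndicator -eq '=>') { $kind = 'ADDED' }
            $findings += New-Object PSObject -Property @{ Category = $category; Change = $kind; Item = $d.InputObject }
        }
    }
    return $findings
}

# Usage (the folder is an assumed path).
# Step 2: record the known good state once the system is declared clean
$knownGood = "C:\Baselines\$env:COMPUTERNAME-known-good.xml"
Save-Baseline (Get-BaselineSnapshot) $knownGood
# Steps 5-7, later: take a fresh snapshot and list every difference
Compare-Baseline $knownGood (Get-BaselineSnapshot) | Format-Table Category,Change,Item -AutoSize
```

Step 4 of the process is simply running Save-Baseline again after an approved change has been verified, so that the next comparison is against the current approved state rather than the original build. Any row in the output that nobody can tie to an approved change request is the unauthorized change the process is designed to surface.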

Next we’ll cover what to baseline and how…