Re: Microsoft Software Auditing ?

[Times Enemy <times () krr org>]

Greetings.

I like the idea of manually checking for executables using a batch
script.  To take it a step further, for known, critical, "special", or
all grep'ed ... er ... listed executables, a hash can be done, and kept
on the network, a la Tripwire style.  So, the batch file could list all
executables, generate a hash, store the results on the network, then
next time it is run, the hashes can be compared.  When anomalies exist,
it can contact the Admin..

This would be fun to play with.

Good luck, and when you are done, i would like to see your final script
and overall process design.  If i come up with anything i think might be
useful, i'll either post to this list, or to entities directly.

.times enemy


Depp, Dennis M. wrote:

> I'm not sure why this is so "incredibly daunting and scary."  You can
> parse the output with a script, remove all the known programs that you
> don't want to worry about, such as all the OS executables, and you are
> left with a much more managable set of files.  Also if you parse the
> output on the machine that generates the file, you can look at the
> attributes of the file to gather additional infromation. I'm not saying
> this would be the best, but it is not an impossible task simply because
> of the number of .exe files this would find.
>
> Dennis 
>
> -----Original Message-----
> From: Jacob Bresciani [mailto:jacob () bresciani ca] 
> Sent: Thursday, April 07, 2005 11:20 AM
> To: Depp, Dennis M.
> Cc: security-basics () securityfocus com
> Subject: RE: Microsoft Software Auditing ?
>
> simple inefficiency. I just did a search on a windows 2000 (sp4) server.
> The only thing installed is an AV program and some minor tools to help
> me maintain the server. A search for exe files returned 2100 hits.
>
> Now you have to figure out which exe file matches what program. And as
> we've all seen not all programs follow a standard install routine. i.e.
> some of the exe's in c:\winnt where put there by installers from other
> applications, these applications might not have anything anywhere else.
>
> Some tools are simply dll's and a few registry entries to extend
> functionality, again they may not have their own directory somewhere to
> make them distinct.
>
> I'm not saying this way would not work, I'm takes a relatively simple
> task (once you find the tools) and makes it incredibly daunting and
> scary.
>
> On Thu, 2005-04-07 at 07:31 -0400, Depp, Dennis M. wrote:
>  
>
> > So why is that a problem.  Store the file on a network share and parse
> > the file with a perl or vbscript program.  It woln't be elegant, but
> >    
> it
>  
>
> > will work.
> >
> > Dennis
> >
> >
> > -----Original Message-----
> > From: Jacob Bresciani [mailto:jacob () bresciani ca] 
> > Sent: Tuesday, April 05, 2005 11:21 AM
> > To: security-basics () securityfocus com
> > Subject: Re: Microsoft Software Auditing ?
> >
> > Dear god, I can only imagine how many exe files that would bring up.
> >
> > On Tue, 2005-04-05 at 08:23 -0500, Robert Holtz wrote:
> >    
> >
> > > You could do something as simple as:
> > >
> > > dir *.exe /s > foo.all.of.the.exe.files.txt
> > >
> > > On Apr 1, 2005 10:36 PM, Michael Gale
> > >      
> <michael.gale () bluesuperman com>
>  
>
> > wrote:
> >    
> >
> > > > Hello,
> > > >
> > > >       Does any body know of any free / cheap Microsoft auditing
> > > >        
> > software ?
> >    
> >
> > > > Ideally I would like something that could be run from a login
> > > >        
> > script,
> >    
> >
> > > > that would find all the software currently installed and either:
> > > >
> > > > store it in a network drive (excel, html,txt)
> > > > e-mail the data
> > > >
> > > > I do not want to have to take out a loan to buy this software.
> > > >
> > > > preferably open source :)
> > > >
> > > > Michael
> > > >        


---------------------------------------------------------------------------
Earn your MS in Information Security ONLINE
Organizations worldwide are in need of highly qualified information security 
professionals.  Norwich University is fulfilling this demand with its MS in 
Information Security offered online.  Recognized by the NSA as an 
academically excellent program, NU offers you the opportunity to earn your 
degree without disrupting your home or work life.

http://www.msia.norwich.edu/secfocus_en
----------------------------------------------------------------------------