Bugtraq mailing list archives

Re: reporting local security problems for WinNT (Re: Escalation of privileges)


From: H Carvey <keydet89 () YAHOO COM>
Date: Sun, 13 Aug 2000 10:58:48 -0000

Checking permissions at install time isn't sufficient.  

Since the subject line contains NT, I thought I would chime
in here...

I agree that some sort of scanning program or process, as 
part of a policy-based security management architecture, is 
necessary.  The scanning program would go out to a machine 
or multiple machines and verify policy compliance. 

This is just what I presented in my paper at the recent 
Usenix LISA-NT conference:

http://patriot.net/~carvdawg/publications.html

Checking file integrity, ACLs (for files, dirs, Reg keys, 
and shares), Reg key values, services, etc....it's all quite 
simple.  Another step beyond that is to alert on those 
things that need it (failure of integrity check) and correct 
those that can be corrected automagically...depending upon 
policy.  

My current architecture for this is to have a central 
security management station and run all checks from there.  
If this doesn't work for you, it's quite simple to move to 
an agent-based system, with agents (or services) running on 
remote systems.  Or some combination thereof...

I've got the code written up for such an app and I'm working 
on the documentation.  The thing that I've found is that my 
research and efforts have identified certain Registry keys 
as very important to the security posture of a system...and 
yet, most folks I run into (a) don't know about it, and (b) 
don't want to research it themselves.

I've got a small demo available now, located at:

http://patriot.net/~carvdawg/projects.html

It's small b/c it uses only those Perl modules that ship 
with the install of ActiveState's ActivePerl build 61x.  The 
full-blown app uses other modules that are relatively simple 
to install...

The whole purpose of this app is to fill the gap that I've 
seen mentioned here and on other forums..."It would be cool 
to have an app to do this or that..."...

Carv
keydet89 () yahoo com
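As an added illustration of the check, alert and auto-correct loop Carv describes (this is not code from the post or from his Perl app), here is a small Python policy evaluator run over a constructed host snapshot; the file path, ACL principals, registry value and service name in the sample policy are illustrative assumptions, and on a real host the snapshot would be gathered by the agent or the central station.

```python
import hashlib
# Known-good hosts file content (constructed); the policy stores only its hash.
GOOD_HOSTS = b"127.0.0.1 localhost\r\n"
# Constructed snapshot of what an agent or the central station would collect
# from one host: file bytes, ACL principals, registry values, service states.
SNAPSHOT = {
    "files": {r"C:\WINNT\system32\drivers\etc\hosts": GOOD_HOSTS + b"10.0.0.5 update.example\r\n"},
    "acls": {r"C:\WINNT\repair": {"Administrators", "SYSTEM", "Everyone"}},
    "registry": {r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous": 0},
    "services": {"Messenger": "running"},
}
SECTION = {"integrity": "files", "acl": "acls", "registry": "registry", "service": "services"}
# Policy: expected state per check, plus whether drift may be fixed automatically.
POLICY = [
    {"check": "integrity", "target": r"C:\WINNT\system32\drivers\etc\hosts",
     "expected": hashlib.sha256(GOOD_HOSTS).hexdigest(), "autocorrect": False},
    {"check": "acl", "target": r"C:\WINNT\repair",
     "expected": {"Administrators", "SYSTEM"}, "autocorrect": True},
    {"check": "registry", "target": r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous",
     "expected": 1, "autocorrect": True},
    {"check": "service", "target": "Messenger", "expected": "stopped", "autocorrect": False},
]

def observe(snapshot, rule):
    """Current value the rule governs; a file is compared by its SHA-256 hash."""
    value = snapshot[SECTION[rule["check"]]].get(rule["target"])
    if rule["check"] == "integrity" and value is not None:
        return hashlib.sha256(value).hexdigest()
    return value

def evaluate(snapshot, policy):
    """Return (check, target, action) per rule, action being 'ok', 'alert' or 'corrected'.
    Drift is fixed in place only where policy allows; an integrity failure is always
    an alert, because the checker holds a hash rather than the known-good content."""
    findings = []
    for rule in policy:
        actual = observe(snapshot, rule)
        if actual == rule["expected"]:
            action = "ok"
        elif rule["autocorrect"] and rule["check"] != "integrity":
            snapshot[SECTION[rule["check"]]][rule["target"]] = rule["expected"]
            action = "corrected"
        else:
            action = "alert"
        findings.append((rule["check"], rule["target"], action))
    return findings

if __name__ == "__main__":
    for check, target, action in evaluate(SNAPSHOT, POLICY):
        print(f"{action:9} {check:9} {target}")
```

Running it a second time over the same (now corrected) snapshot reports the ACL and registry rules as ok, leaving only the two alerts that policy does not allow the tool to fix on its own.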

