Tip

Security OK? Check your baseline

Once you've finished tweaking, tuning, and hardening your Windows systems to ready them for production use, it's also a good idea to capture a baseline of the system so as to have a "healthy snapshot" against which to compare other, later snapshots to look for signs of potential pathology or compromise. You can't tell if things are OK unless you know what OK means. That requires a baseline.

Windows' built-in system logs -- available through the Event Monitor utility (a key element in Administrative Tools) -- can provide lots of useful information, but they typically contain a great deal of irrelevant "noise" as well. Proper use of resource kit tools to consolidate and massage log file contents can be scripted to help automate the drudgery involved in baselining.

Three basic tools can be integrated with Windows Scheduler to handle this task more or less automatically (once setup and configuration are complete):

  • The dumpel (short for "dump event log") utility is part of the Windows 2000 Resource kit; it's available online at

The basic process is to attach a new system to the network, let it run for a day or two, and then take a snapshot of its event log by executing the command dumpel -f event.out -l system -t (obviously, this also requires first downloading the dumpel utility). Open the tab-delimited event.out file in Excel using the Convert Text to Columns Wizard, then sort the data by date and time in descending order. At this point you can define filters by event ID (for example, filter on event ID 7013 to examine failed login attempts) using the Data, Filter, AutoFilter menu entries.

You can also baseline open ports by installing and running Fport and redirecting its output to a designated file, as in the command line entry Fport > portbase.txt (this assumes that Fport is in a directory in your PATH definition, or that you change directory context to the folder where the Fport.exe file resides).

Next, you can use the Services utility in Administrative Tools to make a snapshot of all services currently running on your Windows 2000 machine. To launch it, open Administrative Tools, then pick Services. When it's running, select the Export List… entry in the Action menu and choose a filename like BaseServices.txt in the File name: field (leave the tab-delimited text option as-is). (Note: if you have access to the Windows NT Resource Kit CDs, you can use the netsvc.exe command line utility to capture a services baseline instead.)

By creating a directory where all such files reside and using a scripting tool like Windows Scripting Shell or the Windows Scheduler, or some third-party tool like Wilson WindowWare's WinBatch or the excellent Opalis Robot, you can automate and schedule capture of these various baselines at regular intervals. By comparing a known-good baseline against a machine's current characteristics, it's easy to see whether untoward events (like attempted password cracks), Trojans, or unwanted protocols and services have popped up on that machine. Crafty administrators can even make use of tools like grep to help them figure out what's new and different on their machines. Baselining and comparisons should become part and parcel of your regular security routine!
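The comparison step above can be scripted instead of done by eye. The following is an added example, not code from the original tip: it parses an Fport-style port listing and dumpel-style tab-delimited event records, then reports ports absent from the healthy baseline and event IDs whose count has jumped. It assumes Fport prints one "pid process -> port proto path" line per open port and that dumpel -t puts the event ID in the fifth tab-separated column; the sample snapshots are constructed, not captured from a real host.

```python
"""Compare a healthy baseline snapshot against a later capture (added example)."""
import re
from collections import Counter

# Assumed Fport line shape: "pid process -> port proto path" (header lines don't match).
FPORT_LINE = re.compile(r"^\s*\d+\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\b")

def parse_fport(text):
    """Map (port, proto) -> owning process name for every port Fport lists."""
    ports = {}
    for line in text.splitlines():
        m = FPORT_LINE.match(line)
        if m:
            ports[(int(m.group(2)), m.group(3))] = m.group(1)
    return ports

def new_ports(baseline, current):
    """Ports open now that the baseline did not have, with their owner."""
    known = parse_fport(baseline)
    return {k: v for k, v in parse_fport(current).items() if k not in known}

def event_id_counts(text, event_col=4):
    """Count dumpel records per event ID; header or malformed lines are skipped."""
    counts = Counter()
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) > event_col and fields[event_col].isdigit():
            counts[int(fields[event_col])] += 1
    return counts

def event_spikes(baseline, current, threshold=3):
    """Event IDs whose count grew by more than `threshold` since the baseline."""
    base, cur = event_id_counts(baseline), event_id_counts(current)
    return {eid: n - base[eid] for eid, n in cur.items() if n - base[eid] > threshold}

# Constructed Fport-style snapshots: the current one has an unexplained TCP listener.
BASE_PORTS = ("Pid Process -> Port Proto Path\n"
              "392 svchost -> 135 TCP C:\\WINNT\\system32\\svchost.exe\n"
              "8 System -> 139 TCP \n")
CUR_PORTS = BASE_PORTS + "1204 unknownsvc -> 6000 TCP C:\\WINNT\\temp\\unknownsvc.exe\n"

# Constructed dumpel-style records: date, time, type, category, event ID, source, user, computer.
def _rec(eid, n):
    return "".join(f"9/1/02\t08:{i:02d}\t16\t2\t{eid}\tSecurity\tN/A\tSRV1\n" for i in range(n))
BASE_EVENTS = _rec(528, 4) + _rec(7013, 1)
CUR_EVENTS = _rec(528, 4) + _rec(7013, 9)

if __name__ == "__main__":
    print("new ports:", new_ports(BASE_PORTS, CUR_PORTS))
    print("event spikes:", event_spikes(BASE_EVENTS, CUR_EVENTS))
```

Point the two parsers at the files your scheduled job writes (portbase.txt and event.out) and a fresh capture to get the same report for a real machine.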


Thomas Alexander Lancaster IV is a consultant and author with over ten years experience in the networking industry, focused on Internet infrastructure.


This was first published in September 2002
