Once you've finished tweaking, tuning and hardening your Windows systems for production use, capture a baseline of each system: a "healthy snapshot" against which you can compare later snapshots for signs of pathology or compromise. You can't tell whether things are OK unless you know what OK looks like, and that requires a baseline.
Windows' built-in event logs -- available through the Event Viewer utility (a key element of Administrative Tools) -- provide lots of useful information, but they also contain lots of irrelevant "noise." Resource Kit tools that consolidate and massage log file contents can be scripted to automate the drudgery involved in baselining.
Three basic tools can be integrated with the Windows Task Scheduler to handle this task more or less automatically (once setup and configuration are complete):
- The dumpel (short for "dump event log") utility is part of the Windows 2000 Resource Kit; it's available online at www.microsoft.com/windows2000/techinfo/reskit/tools/existing/dumpel-o.asp.
- Foundstone (the company behind the excellent Hacking Exposed books) offers its Fport utility, which lists each open TCP and UDP port together with the process that owns it, online at www.foundstone.com/knowledge/intrusion_detection.html
- Some kind of spreadsheet program is needed to filter the log files; here it's assumed you have access to Microsoft Excel.
The basic process is to take a snapshot of the System log by running dumpel -f event.out -l system -t after attaching a new system to the network and letting it run for a day or two (this requires downloading the dumpel utility first; -l selects the log to dump, -f names the output file and -t makes the output tab-delimited). Use the Excel Convert Text to Columns Wizard to read the tab-delimited event.out file, then sort the data by date and time in descending order. At this point you can define filters by event ID using the Data, Filter, AutoFilter menu entries. For example, event ID 7013 from the Service Control Manager records a service whose logon with its configured account failed. Note that interactive and network logon failures are written to the Security log (event ID 529 and its neighbours on Windows 2000), not the System log, and only if logon auditing is enabled; to baseline those, repeat the dump with -l security.
You can also baseline open ports by installing and running Fport, redirecting its output to a designated file, as in the command line entry Fport > portbase.txt (this assumes that Fport is in a directory on your PATH, or that you change directory to the folder where Fport.exe resides).
Next, use the Services utility in Administrative Tools to take a snapshot of all services installed on your Windows 2000 machine, including their status and startup type. To launch it, open Administrative Tools and pick Services. Once it's running, select the Export List... entry in the Action menu and enter a filename like BaseServices.txt in the File name: field (leave the tab-delimited text option as-is). (Note: if you have access to the Windows NT Resource Kit CDs, you can use the netsvc.exe command line utility to capture a services baseline instead.)
By creating a directory where all such files reside and using a scripting tool like Windows Script Host together with the Task Scheduler, or a third-party tool like Wilson WindowWare's WinBatch or the excellent Opalis Robot, you can automate and schedule capture of these various baselines at regular intervals. By comparing a known-good baseline against the current capture, it's easy to see whether untoward events (like repeated password-guessing attempts), Trojans, or unwanted protocols and services have popped up on a specific machine. Crafty administrators can use comparison tools like fc or diff (or grep, to search for specific entries) to figure out what's new and different on their machines. Baselining and comparison should become part and parcel of your regular security routine!
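The comparison step above is where the real value lies, and it is easy to script. The following is an added example (not code from the original article or from the tool vendors) that parses dumpel -t and Fport output and reports what has changed since the baseline: ports opened or closed, ports whose owning process or path changed, counts of a chosen event ID such as 7013, and event IDs that never appeared during the baseline period. The captures embedded in it are constructed to resemble dumpel and Fport 2.0 output; the dumpel column order (date, time, type, category, event ID, source, user, computer, description) is an assumption, so check it against your own event.out before relying on the field names.

```python
"""Compare a saved baseline against a fresh capture of dumpel and Fport output.

Added example, not code from the original article. The captures below are
constructed to resemble dumpel -t output (tab-delimited; the column order
date, time, type, category, event ID, source, user, computer, description
is assumed) and Fport 2.0 output. In practice, read the real event.out and
portbase.txt files captured on the baseline and current dates instead.
"""
import re
from collections import Counter

# One Fport data row, e.g. "392  svchost  ->  135  TCP  C:\WINNT\system32\svchost.exe".
# The banner and "Pid Process ..." header lines don't match and are skipped.
FPORT_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s*(.*?)\s*$")

DUMPEL_FIELDS = ("date", "time", "type", "category", "event_id",
                 "source", "user", "computer", "description")


def parse_fport(text):
    """Return {(proto, port): (process, path)} from Fport's text output."""
    listeners = {}
    for line in text.splitlines():
        m = FPORT_ROW.match(line)
        if m:
            _pid, proc, port, proto, path = m.groups()
            listeners[(proto, int(port))] = (proc, path)
    return listeners


def parse_dumpel(text):
    """Return a list of event dicts from dumpel -t output (one event per line)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # The description may contain tabs of its own, so cap the split at 8.
        rec = dict(zip(DUMPEL_FIELDS, line.split("\t", len(DUMPEL_FIELDS) - 1)))
        rec["event_id"] = int(rec["event_id"])
        events.append(rec)
    return events


def diff_listeners(baseline, current):
    """Ports opened since the baseline, ports closed, and ports whose owner changed."""
    opened = {k: current[k] for k in current.keys() - baseline.keys()}
    closed = {k: baseline[k] for k in baseline.keys() - current.keys()}
    changed = {k: (baseline[k], current[k])
               for k in baseline.keys() & current.keys() if baseline[k] != current[k]}
    return opened, closed, changed


def event_id_counts(events, ids):
    """Occurrences of each event ID of interest (0 if absent): an AutoFilter by ID."""
    counts = Counter(e["event_id"] for e in events)
    return {i: counts[i] for i in ids}


def new_event_ids(baseline_events, current_events):
    """Event IDs seen now that never appeared during the baseline period."""
    seen = {e["event_id"] for e in baseline_events}
    return sorted({e["event_id"] for e in current_events} - seen)


# --- Constructed sample captures (hypothetical host WEB01, not real data) ---
BASELINE_FPORT = r"""FPort v2.0 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com

Pid   Process            Port  Proto Path
392   svchost        ->  135   TCP   C:\WINNT\system32\svchost.exe
8     System         ->  139   TCP
8     System         ->  445   TCP
"""

# Same host a week later: a new listener on 4444, and port 135 now served by a
# binary outside system32 (a classic sign of a renamed Trojan).
CURRENT_FPORT = r"""FPort v2.0 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com

Pid   Process            Port  Proto Path
1204  svchost        ->  135   TCP   C:\WINNT\svchost.exe
8     System         ->  139   TCP
8     System         ->  445   TCP
1316  nc             ->  4444  TCP   C:\TEMP\nc.exe
"""


def _dumpel_lines(rows):
    """Join constructed rows into tab-delimited text, as dumpel -t would write it."""
    return "\n".join("\t".join(r) for r in rows) + "\n"


BASELINE_EVENTS = _dumpel_lines([
    ("9/3/2002", "8:01:12 AM", "4", "0", "6005", "EventLog", "N/A", "WEB01",
     "The Event log service was started."),
    ("9/3/2002", "8:01:20 AM", "4", "0", "7036", "Service Control Manager", "N/A", "WEB01",
     "The World Wide Web Publishing Service service entered the running state."),
])

CURRENT_EVENTS = _dumpel_lines([
    ("9/10/2002", "2:14:03 AM", "1", "0", "7013", "Service Control Manager", "N/A", "WEB01",
     "Logon attempt with current password failed: unknown user name or bad password."),
    ("9/10/2002", "2:14:09 AM", "1", "0", "7013", "Service Control Manager", "N/A", "WEB01",
     "Logon attempt with current password failed: unknown user name or bad password."),
    ("9/10/2002", "2:15:00 AM", "4", "0", "7036", "Service Control Manager", "N/A", "WEB01",
     "The Telnet service entered the running state."),
])


def report():
    """Run the comparison and return the findings as a dict (also printed)."""
    opened, closed, changed = diff_listeners(parse_fport(BASELINE_FPORT), parse_fport(CURRENT_FPORT))
    findings = {
        "opened": opened, "closed": closed, "changed": changed,
        "counts": event_id_counts(parse_dumpel(CURRENT_EVENTS), [7013]),
        "new_ids": new_event_ids(parse_dumpel(BASELINE_EVENTS), parse_dumpel(CURRENT_EVENTS)),
    }
    for name, value in findings.items():
        print(f"{name}: {value}")
    return findings


if __name__ == "__main__":
    report()
```

Against these constructed captures the script flags the new listener on TCP 4444, the changed path behind TCP 135, two occurrences of event ID 7013, and 7013 as an ID absent from the baseline period. The same parsers work on the BaseServices.txt export too, since it is tab-delimited with a header row; key the comparison on the service name and compare status and startup type, and schedule the whole script to run right after each capture.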
Thomas Alexander Lancaster IV is a consultant and author with over ten years experience in the networking industry, focused on Internet infrastructure.
This was first published in September 2002