Information Systems Security Association, Inland Empire Chapter

Sys-Secure Request List for Windows

Copyright © 2008 Rodney Kocot, All Rights Reserved

This document describes the files required from a Windows domain controller to generate a complete Sys-Secure report. A directory should be created and the output from all the commands and scripts should be put into the directory. Many of the commands can be put into BAT files to save time.

Caution. The following commands have been tested and used on hundreds of systems in tens of shops without problems. Before running them in a production environment, review and test each command to make sure you fully understand what it does and what impact it could have on your environment. If misused, some of the following commands could make a system unusable.

This information is very sensitive. Protect the directory containing it. Encrypt the data while it is stored and while it is in transit. After the data has been processed, back up an encrypted copy to CD or DVD and delete it from the network.

Note that, depending on the configuration of your system, some of these files can be very large. Make sure that you have enough disk space. (The largest system reviewed to date used 800 megabytes; the smallest used 250 kilobytes.)

Most of the following commands require Administrator, Domain Administrator and/or Enterprise Administrator access. The RunAs command can be used to specify the user ID under which a command is executed.

  1. Use LDIFDE to dump the contents of Active Directory from the domain controller. The output file name should be the name of your domain controller with an ldf extension.
           ldifde -f <DomainControllerName>.ldf -s <DomainControllerName>
    
  2. Use the script "getlocaluserinformation.vbs" to list the characteristics of each user on the system. Redirect this output to the file <DomainControllerName>UserInfo.txt:
           Cscript getlocaluserinformation.vbs > <DomainControllerName>UserInfo.txt
    
  3. Use the script "GetAllTSAccounts.vbs" to list the characteristics of each TS Account on the system. Redirect this output to the file <DomainControllerName>TSAccountInfo.txt:
           Cscript GetAllTSAccounts.vbs > <DomainControllerName>TSAccountInfo.txt
    
  4. Use GPMC.MSC to export GPOs to HTML documents. Select each GPO and use the menu option <Action><Save Report>, specify the directory and the file name (which should be the name of the GPO), and choose HTML as the Save As type.
  5. Use GPRESULT to show the Group Policy Objects in effect on each server in the environment.
  6. Use the following command line commands to collect computer-specific information from the domain controller and selected servers. (The following commands have been put into a BAT file named "runallnetcommands.bat".)
    1. Net Accounts > NetAccounts.Log
    2. Net Config Server > NetConfigServer.Log
    3. Net Config WorkStation > NetConfigWorkstation.Log
    4. Net Group > NetGroup.Log
    5. Net LocalGroup > NetLocalGroup.Log
    6. Net Share > NetShare.log
    7. Net Statistics Server > NetStatisticsServer.Log
    8. Net Statistics WorkStation > NetStatisticsWorkStation.Log
    9. Net Time > NetTime.Log
    10. Net Use > NetUse.Log
    11. Net User > NetUser.Log
    12. Net View /Domain > NetViewDomain.Log
    13. Net View > NetView.Log
    14. NetStat -a > NetStatA.Log
    15. NetStat -a -b -n > NetStatABN.Log
    16. arp -a > ArpA.Log
    17. tasklist /V /FO CSV > TaskListVFOCSV.Log
    18. netsh show helper > netshShowHelper.txt
    19. netsh show alias > netshShowAlias.txt
    20. schtasks /query > schtasksquery.txt
  7. Run the script "GetServicesWMIQuery.vbs" using CScript to list all services running on the server. Redirect the output to <SystemName>ServicesWMI.txt:
          cscript GetServicesWMIQuery.vbs > <SystemName>ServicesWMI.txt
    
  8. Export the registry to a reg file using Regedit.exe or Regedt32.exe.
  9. Use SubInAcl.exe (available from Microsoft) to generate a report of registry key security.
          SubInACL /verbose=1 /outputlog=SubInACLKeyReg<SystemName>.txt /keyreg * /display
    
  10. Use SubInAcl.exe (available from Microsoft) to generate a report of registry sub-key security. (SubInACL's sub-key object type is /subkeyreg; /keyreg reports only the named keys.)
          SubInACL /verbose=1 /outputlog=subinaclSubKeyReg<SystemName>.txt /subkeyreg * /display
    
  11. Use the CACLS command to generate a report of file security for every file on the system to <SystemName>-<DriveLetter>-FilesCACLS.Log, where <SystemName> is the name of the system the file list is from and <DriveLetter> is the letter of the drive the list is from. Use the /T (recurse) and /C (continue on access denied) options. For example:
          Cacls C:\*.* /T /C >> <SystemName>-C-FilesCACLS.Log
    
  12. Use the CACLS command to generate a report of the security on the root of each disk on the system to <SystemName>-<DriveLetter>-DiskCACLS.Log, where <SystemName> is the name of the system the list is from and <DriveLetter> is the letter of the drive. For example:
          Cacls C:\ >> <SystemName>-C-DiskCACLS.log
    
  13. Use the script "SystemInfoWMIQuery.vbs" to get system information. For Example:
          Cscript SystemInfoWMIQuery.vbs > <SystemName>SystemInfo.txt
    
  14. Use the script "OSInfoWMIQuery.vbs" to get system information. For Example:
          Cscript OSInfoWMIQuery.vbs > <SystemName>OSInfo.txt
    
  15. Use the script "LogicalShareInfoWMIQuery.vbs" to get system information. For example:
          Cscript LogicalShareInfoWMIQuery.vbs > <SystemName>LogicalShareInfo.txt
    
  16. Use the script "DomainInfoWMIQuery.vbs" to get domain information. For example:
          Cscript DomainInfoWMIQuery.vbs > <SystemName>DomainInfo.txt
    
  17. Use the java -version command to get the Java version number. Note that java -version writes to standard error, so that stream must be redirected as well or the file will be empty. For example:
          java -version > <SystemName>JavaVersion.txt 2>&1
    
  18. Use one of the following methods to provide information about the trust relationships of this computer:
    1. Use the Active Directory Domains and Trusts MMC snap-in. Expand all the nodes and press the print screen <PrtSc> button. Save the screen print by opening a Word document and using Control-V (<Ctl><V>) to paste the screen print into the document. For each domain listed, right click and select Properties. Click the Trust tab and then press the print screen <PrtSc> button. Save all the print screens from this step to a Word document named <ComputerName>ADTrusts.Doc.
    2. Use the Active Directory Users and Computers MMC snap-in. On the View menu click Advanced. In the left pane expand the contents and locate the System container. In the right pane locate all the entries that have the value "Trusted Domain" in the Type column. Right click each "Trusted Domain" and select Properties. Press the print screen <PrtSc> keyboard button. Save the screen print by going to a Word document and using Control-V (<Ctl><V>) to paste the screen print into the document.
    3. Use the NLTest tool from the resource kit to report on all the trusted domains.
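
As an added example (not part of the original request list and not the author's "runallnetcommands.bat"), the following BAT file runs the command-line items 6, 7 and 11 through 17 against the local system and writes every output file, named with the page's <SystemName> convention, into one directory. It assumes the .vbs scripts named above sit next to the BAT file (located via %~dp0) and that the drives to scan are C and D.

```batch
@echo off
REM Added example, not part of the original request list: run items 6, 7 and
REM 11-17 and write every output file into a directory named after this
REM computer. Assumes the .vbs scripts sit next to this BAT file.
setlocal
set "SYS=%COMPUTERNAME%"
set "SCRIPTS=%~dp0"
if not exist "%SYS%" mkdir "%SYS%"
pushd "%SYS%"

REM Item 6: NET and network commands, one log file per command.
net accounts > NetAccounts.Log
net config server > NetConfigServer.Log
net config workstation > NetConfigWorkstation.Log
net group > NetGroup.Log
net localgroup > NetLocalGroup.Log
net share > NetShare.log
net statistics server > NetStatisticsServer.Log
net statistics workstation > NetStatisticsWorkStation.Log
net time > NetTime.Log
net use > NetUse.Log
net user > NetUser.Log
net view /domain > NetViewDomain.Log
net view > NetView.Log
netstat -a > NetStatA.Log
netstat -a -b -n > NetStatABN.Log
arp -a > ArpA.Log
tasklist /V /FO CSV > TaskListVFOCSV.Log
netsh show helper > netshShowHelper.txt
netsh show alias > netshShowAlias.txt
schtasks /query > schtasksquery.txt

REM Items 7 and 13-16: WMI scripts, output prefixed with the system name.
cscript //nologo "%SCRIPTS%GetServicesWMIQuery.vbs" > %SYS%ServicesWMI.txt
cscript //nologo "%SCRIPTS%SystemInfoWMIQuery.vbs" > %SYS%SystemInfo.txt
cscript //nologo "%SCRIPTS%OSInfoWMIQuery.vbs" > %SYS%OSInfo.txt
cscript //nologo "%SCRIPTS%LogicalShareInfoWMIQuery.vbs" > %SYS%LogicalShareInfo.txt
cscript //nologo "%SCRIPTS%DomainInfoWMIQuery.vbs" > %SYS%DomainInfo.txt

REM Items 11 and 12: file ACLs (/T recurse, /C continue past access denied)
REM and the root-directory ACL for each drive that exists; assumed drives C D.
for %%D in (C D) do if exist %%D:\ (
    cacls %%D:\*.* /T /C >> %SYS%-%%D-FilesCACLS.Log
    cacls %%D:\ >> %SYS%-%%D-DiskCACLS.Log
)

REM Item 17: java -version prints to stderr, so capture that stream too.
java -version > %SYS%JavaVersion.txt 2>&1
popd
endlocal
```

Run it from an elevated command prompt (or via RunAs) on each server; the file ACL logs are the ones that grow to hundreds of megabytes, so check free space on the output drive first.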