Windows Auditing Tools - PowerPoint PPT Presentation

Slides: 13
Provided by: J558

Transcript and Presenter's Notes


1
Windows Auditing Tools
  • Ken Johnson
  • Whitehat Systems

2
Tools That I Use Personally for Windows Network Audits
  • Nessus
  • Helix
  • Cain and Abel
  • Ethereal
  • MBSA 2.0.1
  • EventCombMT
  • DSACLS
  • Pen and Paper

3
Why do I use Multiple Tools?
  • To scan for different information
  • To limit auditing errors
  • To verify GPOs are enforced
  • To map the network
  • To verify password policies are enforced
  • To document anything outside the norm that is
    questionable

4
Why Nessus?
  • Up-to-date security vulnerability database
  • Remote AND local security
  • Extremely scalable
  • Smart service recognition
  • Multiple services
  • Full SSL support
  • Non-destructive OR thorough

5
Why Helix?
  • Helix is a customized distribution of the Knoppix
    Live Linux CD. Helix is more than just a bootable
    live CD. You can still boot into a customized
    Linux environment that includes customized Linux
    kernels, excellent hardware detection and many
    applications dedicated to Incident Response and
    Forensics.

6
Why Cain and Abel?
  • Password Cracking Utility
  • VoIP Capabilities
  • Packet Sniffer
  • SecurID Cracker

7
Why Ethereal?
  • Data can be captured "off the wire" from a live
    network connection, or read from a capture file
  • 759 protocols can currently be dissected
  • All or part of each captured network trace can be
    saved to disk.

8
Why MBSA 2.0.1?
  • Can perform local or remote scans of Windows
    systems
  • Compatible with the new Windows Update offline
    scan file
  • Features found in MBSA 2.0.1:
  • Severity Ratings
  • Locally and remotely scan for Office XP or later
    security updates
  • Added guidance for locating updates and necessary
    actions
  • CVE-IDs for supported updates
  • Improved help content
  • Windows Server Update Services compatibility
  • Automatic Microsoft Update registration and agent
    update
  • Support for detection of updates on 64-bit Windows
    and Windows XP Embedded

9
Why EventCombMT?
  • A multithreaded tool that you can use to search
    the event logs of several different computers for
    specific events, all from one central location.
  • You can configure EventCombMT to search the event
    logs in a very detailed fashion.

10
Why DSACLS?
  • Audits Active Directory object permissions
  • Command-line tool
  • Equivalent of the Security tab

11
Why Pen and Paper?
  • Allows Documentation and Notes of unexpected
    information or traffic.
  • Allows documentation for questions to ask or
    answer in the audit.

12
Conclusion
  • Auditing is a multi-factor, multi-tool approach
  • There are a lot of high-quality, powerful freeware
    tools out there
  • If you rely on a single tool you will miss
    something
  • Each tool has its own purpose.
  • Never forget the pen and paper