HEPNTHEPIX Sept, 1999

1
Use of SPQuery and STAT At FNAL

• HEPNT/HEPIX Sept, 1999

2
SPQuery

• SPQuery is a useful tool for
• Reporting Service pack and hotfix information for
  an entire domain or a select group of machines.
• Downloading of hotfixes from Internet for NT,
  IIS, Exchange, SQL and Site Server to a central
  repository
• Applying Workstation/Server hotfixes to remote
  machines

3
Query Systems

• Ability to check single machine, entire domains,
  or use machine list files.
• Information on date Service Pack and hotfixes
  were applied
• Information on available hotfixes for applied
  service pack

4
Systems Information
5
Importing Machine Lists
6
Hotfix Info

• Get information on files replaced or added by the
  hotfix
• Query Internet for newest hotfix information
• View Knowledge Base Article

7
Affected Files
8
Knowledge Base Information
9
Applying Fixes

• Three Basic Steps
• Download hot fixes to a local repository
• Multiple downloads possible.
• Install
• Must have admin rights to install to remote
  system
• Schedules hotfix to be applied at next login.
  User must have local admin
• Hotfix files and an agent copied to remote
  system and run on next login.
• Pop up box during login gives user choice to
  apply patch or not.
• Only visible for 20 seconds
• Only supports singular patch application
• Reboot
• NOTE User has the ability to decide if patch is
  applied!

10
Downloading Fix
11
Fix Scheduled
12
User Login
13
Hotfix Applied
14
Profile Creation

• Offers the ability to create service pack/hotfix
  profiles.
• Test your NT machine(s) against these profiles to
  determine if they pass or fail.
• We have Profiles for SP4 and SP5 with appropriate
  security hotfixes.

15
Profiles
16
Reporting

• Print reports (very detailed)
• Save reports for future reference in SPQuery or
  save them to a csv file and import into Excel

17
Options
18
SPQuery

• Stuff Id like to see
• Notify if user selects Never apply patch.
• Ability to load patches in correct order.
• Ability to apply more than one patch at a time.
• More details when downloading from Internet
• Customization of Report Printing
• Inexpensive- 595 for a site license!
• http//www.mtesoft.com

19
STAT (Security Test and Analysis Tool)

• Detects 600 Vulnerabilities from NT 3.51 to
  NT4 SP5
• Can Examine specific machine, multiple machines
  or Entire Domain
• Automatic Vulnerability Fix
• Configuration Templates available
• Password Strength testing

20
Account requirements

• To analyze systems on the network must be Domain
  Admin.
• To analyze workgroups must be in local admin for
  machines you wish to access

21
Analysis Overview

• Analyze single machine, multiple machines or
  domains
• Machine analysis can be saved and compared to new
  analysis
• Systems must appear in Network Neighborhood
• Domain examination is time-consuming
• Checking all vulnerabilities takes an average of
  one gigabyte per minute.
• 4 Levels of Vulnerability
• High- May grant unauthorized administrative
  access.
• Medium- May provide access to sensitive data
  leading to further exploitation.
• Low- May be used for information gathering or
  preventative security measures that could lead to
  higher risk levels.
• Warning- Recommended good security practices.

22
4 Warnings

• There are 4 warnings in the STAT database that
  will always be displayed
• ID 87 boot enabled (anyone can boot system
  from floppy)
• ID 403 clipboard ( clear clipboard before
  logging off or locking computer
• ID 409 emergency repair disk (ERD has
  compressed version of SAM. Make sure to lock it
  up!)
• ID 421 administrators group (check
  administrators group for unknown account names)

23
Analysis
24
Vulnerability Info
25
Fixing Vulnerability
26
Vulnerability Fixed
27
Configuration Files

• Ability to define templates to check for only
  specific vulnerabilities.
• Description field helps identify vulnerability.
• Eight templates provided
• All- 600 vulnerabilities.
• Autofix- Check only what can be fixed.
• Filechecks- Check only file related
  vulnerabilities.
• High- Check only vulnerabilities defined as high.
• Low- Check only vulnerabilities defined as low.
• Medium- Check only vulnerabilities defined as
  medium.
• Nofilechecks- Check only vulnerabilities not
  related to files.
• Warning- Check only vulnerabilities not related
  to files.

28
Configuration
29
Password Cracking

• Uses simple text file to check passwords
• Cracked passwords not displayed. Just Username.
• File can be modified to your requirements.
• Note Software upgrade could overwrite the file.

30
Report Print Options

• Executive
• Pie-chart representing the percentage of
  vulnerabilities by level of risk found in a
  selected network or machine.
• Network
• Bar chart representing percentages of discovered
  vulnerabilities with respect to total possible
  vulnerabilities tested per machine.
• Vulnerability
• Bar chart representing each vulnerability
  detected and how many machines contain that
  specific vulnerability.
• Detailed
• Report shows all vulnerabilities found per
  machine. The report provides a brief description
  of each vulnerability, along with the applicable
  risk each represent.

31
STAT Wish List

• Ability to import machine lists
• Better documentation
• Improve speed of analysis
• Problems analyzing domain with 95/98 systems
• Canceling a vulnerability assessment takes too
  long
• Cost- 1797 per Admin License does not include
  yearly maintenance
• http//www.statonline.com