Commands
One great benefit of command line tools is that the output can be captured to text logs for auditing. They often can be scripted as well, which automates the audit process.- netstat - lists current TCP and UDP connections
- -ano flags list all connections and listening ports, win numerical form, with the process id
- wmic - Windows Management Instrumentation Command-line
- Once in the cli, you can execute various commands
- 'process X list' - lists process from the object ID X (from netstat -ano)
- 'product list' - lists installed software with version
- netsh - network shell
- quick scripting interface to network interfaces
- gives quick information on firewall configuration
- can save information to a text file for auditing
- scwcmd - server command line configuration tooll
- gives text output for auditing
- read reports with "scwcmd /view c:/temp/report.xml"
Software restriction
Starting in Windows XP, there are software restriction policies (SRP). It can be used to deny all executables unless there is an approved MD5 hash. In Windows 7 and later, moved to AppLocker instead of SRP. Uses SHA-256 hashes instead of MD5 for fewer collisions. AppLocker has an audit mode.Conclusion
This was a good webinar with a good overview of various tools. I did not know about some of them, so it was very useful.When auditing, get a list of authorized services and software. Check to see if IPv6 enabled and supported officiall. FInd out how is patching managed.
Reporting CPEs
- Go to isc.org
- Log in
- Click "Submit CPEs"
- On the CPE Report page, click "Add CPEs"
- Fill out the questionnaire
- Apply CPE to Credential/Concentration: CISSP
- Domain for CPE Credit: Usually "Multiple Domains (Group A)" unless webinar is specific to one domain
- Activity Start Date: the data that the webinar was watched
- CPE Type: Self Study, Computer-Based Training [CBT] or Web Cast
- Course Name: Name of Webinar. I put (SANS) at the end so I know where I watched it
- Number of hours: length of webinar
No comments:
Post a Comment