Computer Protection Program Berkeley Lab
Computer Protection Program at Berkeley Lab Security
Ernest Orlando Lawrence Berkeley National Laboratory
 
 
  PROCEDURES FOR SECURING SYSTEMS  
The NT Security Tool Kit  



_____________

A default installation of Windows NT is poorly secured, so one of the most important things you can do for a Windows NT system is to configure it correctly. http://www.trustedsystems.com/tss_nsa_guide.htm carries a checklist of the configuration steps needed to secure Windows NT. Installing the latest Service Pack and hotfixes is equally essential: the latest Service Pack, SP6a, and a bundle of post-SP6a hotfixes are available from http://www.lbl.gov/download/.

Once your Windows NT systems are configured correctly and have the latest Service Pack and hotfixes installed, you may still have security-related needs that the operating system's own tools do not meet. The Windows NT Resource Kit includes a number of tools that are very useful for security administration. The most useful of them, each with a brief description of what it does, appear below. (Send questions to cppm@lbl.gov.)

addusers.exe

addusers.exe enables system administrators to easily create and remove user accounts without having to use the User Manager or User Manager for Domains.

delsrv.exe

This tool deletes services, obviating the need to go to the Control Panel to do so.

diskmap.exe

This tool reports information about disk configuration by reading the Registry. It precludes the need to go to the Disk Administrator.

diskuse.exe

This tool dumps information about how much disk space each user is using. This is particularly useful because setting user quotas is not a built-in capability in Windows NT.

dommon.exe

dommon.exe shows trust relationships between domains. It can help spot cases of “runaway trust” (in which too many domains trust too many other domains even though there is no real need for such pervasive trust).

dumpel.exe

By default Windows NT writes its event logs in a binary format (.evt files) that only the Event Viewer can read. Dumpel.exe dumps the contents of a log, on the local machine or a remote one, to a text file, so that you can read it in a text editor, archive it, and filter, sort and otherwise process it with ordinary text tools.
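Once the log is plain text, the kind of filtering the paragraph above refers to can be scripted. The following Python program is an added example, not code from the page or from the Resource Kit: it parses a dumpel.exe export of the Security log and reports bursts of failed logons per workstation (event 529, unknown user name or bad password) and account lockouts (event 539). The sample lines are constructed for the example in the column layout dumpel writes with its -t switch (date, time, type, category, event ID, source, user, computer, then the event's insertion strings); the three-failures-in-five-minutes threshold is an assumption to be tuned to your environment.

```python
"""Flag failed-logon bursts in a dumpel.exe Security-log export.

Added example, not code from the page or the Resource Kit.  On a real system
export the log with something like `dumpel -l security -f sec.txt -t` and pass
the file's text to parse_dumpel() instead of SAMPLE.
"""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# dumpel -t writes one event per line, tab separated:
#   date, time, type, category, event ID, source, user, computer, strings
# Type codes: 1 Error, 2 Warning, 4 Information, 8 Success Audit, 16 Failure Audit.
# For events 529 (bad user name/password) and 539 (account locked out) the
# strings are: user, domain, logon type, logon process, auth package, workstation.
# These lines are constructed for the example; they are not a real export.
SAMPLE = (
    "5/26/2000\t11:39:53 AM\t8\t2\t528\tSecurity\talice\tSRV1\t"
    "alice NTDOM (0x0,0x1A2B) 2 User32 Negotiate SRV1\n"
    "5/26/2000\t11:40:01 AM\t16\t2\t529\tSecurity\tSYSTEM\tSRV1\t"
    "administrator NTDOM 3 KSecDD MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 WS7\n"
    "5/26/2000\t11:40:04 AM\t16\t2\t529\tSecurity\tSYSTEM\tSRV1\t"
    "administrator NTDOM 3 KSecDD MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 WS7\n"
    "5/26/2000\t11:40:09 AM\t16\t2\t529\tSecurity\tSYSTEM\tSRV1\t"
    "backup NTDOM 3 KSecDD MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 WS7\n"
    "5/26/2000\t11:40:15 AM\t16\t2\t539\tSecurity\tSYSTEM\tSRV1\t"
    "administrator NTDOM 3 KSecDD MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 WS7\n"
    "5/26/2000\t11:52:30 AM\t16\t2\t529\tSecurity\tSYSTEM\tSRV1\t"
    "bob NTDOM 2 User32 Negotiate WS3\n"
)

FAILURE_AUDIT = 16
BAD_PASSWORD, LOCKED_OUT = 529, 539

Event = namedtuple("Event", "ts etype event_id source user computer strings")


def parse_dumpel(text):
    """Turn dumpel -t output into Event records, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        date, time_, etype, _category, eid, source, user, computer = fields[:8]
        strings = fields[8].split() if len(fields) > 8 else []
        ts = datetime.strptime(f"{date} {time_}", "%m/%d/%Y %I:%M:%S %p")
        events.append(Event(ts, int(etype), int(eid), source, user, computer, strings))
    return events


def failed_logon_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Report workstations with >= threshold 529 failures inside `window`.

    Returns (workstation, first_ts, last_ts, count, sorted user names) per
    workstation, using the first window in which the threshold is crossed.
    """
    per_workstation = defaultdict(list)
    for ev in events:
        if ev.etype == FAILURE_AUDIT and ev.event_id == BAD_PASSWORD and len(ev.strings) >= 6:
            per_workstation[ev.strings[5]].append(ev)
    alerts = []
    for workstation, evs in sorted(per_workstation.items()):
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):              # sliding window over time
            while evs[end].ts - evs[start].ts > window:
                start += 1
            if end - start + 1 >= threshold:
                users = sorted({e.strings[0] for e in evs[start:end + 1]})
                alerts.append((workstation, evs[start].ts, evs[end].ts, end - start + 1, users))
                break
    return alerts


def lockouts(events):
    """(timestamp, account, logging computer) for every 539 account-lockout event."""
    return [(ev.ts, ev.strings[0], ev.computer)
            for ev in events if ev.event_id == LOCKED_OUT and ev.strings]


if __name__ == "__main__":
    evs = parse_dumpel(SAMPLE)
    for ws, first, last, n, users in failed_logon_bursts(evs):
        print(f"{ws}: {n} failed logons between {first:%H:%M:%S} and {last:%H:%M:%S} for {users}")
    for ts, account, computer in lockouts(evs):
        print(f"{ts:%H:%M:%S} account {account} locked out (logged on {computer})")
```

Grouping by the workstation named in the event, rather than by the target account, is what separates a password-guessing run that walks through several account names (the WS7 lines above) from a single user mistyping a password (the WS3 line). The 539 lockout events are worth reporting on their own, since a lockout of the built-in Administrator is usually an attack rather than a typo.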

findgrp.exe

Groups are the major basis for assigning access in Windows NT. Keeping track of the groups to which any user belongs can be cumbersome in Windows NT, however. This tool reports all group memberships for each user within a domain.

floplock.exe

Anyone with access to the floppy drive of a Windows NT system can do undesirable things such as load unauthorized programs or boot from a Linux boot disk and read the contents of the hard drive. The floplock.exe service sets an Access Control List on the floppy drive so that only administrators can use it while Windows NT is running. Note that it cannot protect against someone who reboots the machine from a floppy, because Windows NT (and with it the service) is not running at that point. The best protection against that, apart from normal physical security measures (e.g., locked server rooms), is to set the boot order to hard disk first and assign a ROM BIOS password so that the order cannot be changed.

getsid.exe

getsid.exe reports and compares the security identifiers (SIDs) of accounts. This is useful for tasks such as finding the real built-in Administrator account: the built-in Administrator always has relative identifier (RID) 500, the last component of its SID, no matter what it has been renamed to, whereas an account created as a copy of it receives a new RID. Comparing SIDs also tells you whether two accounts belong to the same domain, since the components before the RID identify the domain.
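The check the paragraph above describes can be done on the SID strings getsid.exe reports. The Python below is an added example, not code from the page or from the Resource Kit: it splits a domain SID into its domain identifier and RID, and, given a constructed table of account names and SIDs, picks out the real built-in Administrator (RID 500), any ordinary account that merely carries the name "Administrator", and any account whose SID belongs to another domain. The domain SID and account SIDs are made up for the example.

```python
"""Find the real built-in Administrator account from account SIDs.

Added example, not code from the page or the Resource Kit.  The SIDs below are
constructed; on a real domain take them from getsid.exe for each account name.
"""

# RIDs (the last sub-authority of a domain SID) that Windows NT fixes in advance.
# The built-in Administrator keeps RID 500 no matter what it is renamed to.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest",
                   512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests"}

# Constructed sample: one domain SID and the SIDs getsid would report for its accounts.
DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"
ACCOUNTS = {
    "Administrator": DOMAIN_SID + "-1005",  # created by copying the real one: ordinary RID
    "jsmith": DOMAIN_SID + "-500",          # the renamed built-in Administrator
    "Guest": DOMAIN_SID + "-501",
    "svc_backup": "S-1-5-21-2000000000-300000000-400000000-500",  # another domain's Administrator
}


def parse_sid(sid):
    """Split 'S-1-5-21-a-b-c-RID' into (domain identifier, RID).

    Raises ValueError for anything that is not a domain-relative NT account SID
    (authority 5, first sub-authority 21, three 32-bit domain sub-authorities, RID).
    """
    parts = sid.strip().split("-")
    if len(parts) != 8 or parts[:4] != ["S", "1", "5", "21"]:
        raise ValueError(f"not a domain-relative SID: {sid}")
    numbers = [int(p) for p in parts[4:]]
    if any(not 0 <= n <= 0xFFFFFFFF for n in numbers):
        raise ValueError(f"sub-authority out of range: {sid}")
    return "-".join(parts[:7]), numbers[3]


def same_domain(sid_a, sid_b):
    """True when both SIDs carry the same domain identifier."""
    return parse_sid(sid_a)[0] == parse_sid(sid_b)[0]


def audit_admin_accounts(accounts, domain_sid):
    """accounts: {name: sid} as reported by getsid; domain_sid: this domain's SID.

    Returns (name of the real built-in Administrator or None,
             names that are called Administrator but have an ordinary RID,
             names whose SID belongs to some other domain).
    """
    real_admin, decoys, foreign = None, [], []
    for name, sid in accounts.items():
        domain, rid = parse_sid(sid)
        if domain != domain_sid:
            foreign.append(name)
            continue
        if rid == 500:
            real_admin = name
        elif name.lower() == "administrator":
            decoys.append(name)
    return real_admin, decoys, foreign


if __name__ == "__main__":
    real_admin, decoys, foreign = audit_admin_accounts(ACCOUNTS, DOMAIN_SID)
    print(f"built-in Administrator is really: {real_admin}")
    print(f"accounts named Administrator with ordinary RIDs: {decoys}")
    print(f"accounts from other domains: {foreign}")
    for name, sid in ACCOUNTS.items():
        rid = parse_sid(sid)[1]
        print(f"{name:14s} RID {rid:5d} {WELL_KNOWN_RIDS.get(rid, '')}")
```

Renaming the Administrator account hides it only from someone who reads account names; anyone who can enumerate SIDs finds RID 500 immediately, which is exactly what this script and getsid.exe do, so treat the rename as a minor obstacle and protect the account with a strong password and auditing instead.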

global.exe

This tool shows global group memberships on remote servers/domains.

local.exe

local.exe is similar to global.exe, but it shows local group members.

monitor.exe

monitor.exe records log and alert data on remote machines, allowing system administrators to set up a central monitoring console.

netdom.exe

This tool provides a command line for managing all kinds of domain properties, including trust relationships. It is extremely useful for checking and changing trust relationships.

netsvc.exe

netsvc.exe allows system administrators to remotely start and stop services as well as to determine their status.

nlmon.exe

nlmon shows trust relationships between domains.

ntrights.exe

This tool enables system administrators to manage user rights by adding or deleting them.

perms.exe

This tool displays the permissions a given user has on a file or set of files.

rasusers.exe

Unauthorized access via RAS is one of the greatest threats to network security. The rasusers.exe tool displays the names of all users who have RAS access within a server or domain, thus helping system administrators identify unauthorized dial-ins and other, related problems.

reg.exe

This tool allows you to edit the Registry from a command line.

regback.exe

regback.exe backs up the Registry hives to files while Windows NT is running, which an ordinary file copy cannot do because the hive files are held open by the system. This is particularly useful on domain controllers, whose SAM (account) hive can be large.

regdump.exe

regdump.exe enables system administrators to get a dump of the Registry contents on both local and remote machines.

regfind.exe

This tool allows system administrators to find and edit Registry keys using a command line. The alternative is to use a more cumbersome Registry editing tool.

regmon.exe

regmon.exe traces Registry activity as it happens, showing which process opened, read, wrote or deleted which key. This matters because Registry changes are otherwise hard to trace: Windows NT can audit access to a key only if an audit (system) ACL was set on that specific key beforehand. Attackers frequently change the Registry (for example to make a program start at boot), and regmon.exe helps system administrators find such changes quickly. The trace it produces is also extremely useful for troubleshooting, since it records each change together with the process that made it.

rkill.exe

rkill.exe enables system administrators to find and kill processes on remote hosts. This functionality is particularly useful in dealing with denial of service attacks caused by runaway processes on hosts.

scanreg.exe

This tool supports searching for specific keys and entries in Registries of remote hosts. This makes it possible to analyze and change Registry settings from a single host.

sclist.exe

sclist shows all services on both local and remote hosts.

secadd.exe

secadd.exe allows modifying permissions for Registry keys. This precludes the need for using regedt32.exe, the built-in (but cumbersome) Windows NT Registry editor.

setacl.exe

In Windows NT the "system ACL" (SACL) of an object is the part of its security descriptor that holds audit settings, as opposed to the discretionary ACL (DACL) that holds access permissions. This tool enables system administrators to configure audit settings from the command line without having to use User Manager for Domains or User Manager.

soon.exe

This tool enables system administrators to schedule commands and programs on both local and remote hosts.

su.exe

This tool allows system administrators to switch to other user accounts without having to actually log on to them. (Note: there are some bugs in this tool that restrict its usefulness. You may want to do a Google or other search to find better versions of this tool.)

subinacl.exe

subinacl.exe shows permissions, Registry settings, services, etc., and also allows system administrators to duplicate settings locally and remotely (even across domain boundaries).

xcacls.exe

xcacls.exe displays permissions and lets system administrators change them from the command line or a script. It is more useful than the built-in cacls.exe, which reliably displays permissions but is limited when changing them: cacls replaces the whole ACL unless /E is given, and it cannot say whether a new entry applies to the directory itself, to the files in it, or to both. xcacls.exe can express those distinctions and edits existing ACLs reliably, which makes it the tool to use when scripting permissions across many directories.
