Windows IT Pro, December 2000

Top 10 Security Tools in the Win2K Server Resource Kit



Before you administer Win2K, install these essential security-related utilities

When you peruse the Microsoft Windows 2000 Server Resource Kit, you'll find the usual wealth of additional documentation and utilities that constitute a Microsoft resource kit. However, this resource kit is especially valuable to administrators who put a premium on security. In this article, I highlight just 10 of the many security-related reasons the resource kit is well worth its $300 price tag. Along the way, I point out several gotchas and drawbacks that you need to be aware of. (Be careful not to confuse the Win2K Server resource kit with the Microsoft Windows 2000 Professional Resource Kit, which is only a subset of the former.)

10. Analyze Security Logs with CLA
When I discovered that the valuable CyberSafe Log Analyst (CLA) is included in the Win2K Server resource kit, I did a double-take. CLA is a Microsoft Management Console (MMC) snap-in that lets you analyze the scattered Security logs of the systems in your domain as a whole. CLA has 11 prebuilt reports that provide useful views of your systems' security activity, but you can also design custom reports. To use CLA, you must first run setup.exe from the resource kit CD-ROM's \apps\loganalyst directory. Then, you can use the new shortcut in Administrative Tools to open CLA.

Using CLA is a three-step process. First, you need to tell CLA which event logs to analyze. To test CLA, you can copy the local system's current event log by right-clicking Logs to be Analyzed and selecting Cut Live Local Event Log. If you want to run reports on the merged activity of multiple systems, you'll first need to use Event Viewer to save each system's event log to an .evt file. (You can also use an event-log-dumping utility. For information about such utilities, see "Archiving and Analyzing the NT Security Log," August 2000.) After saving your logs, add them to CLA by selecting Add Event Log File from the Logs to be Analyzed context menu. Second, to tell CLA to analyze selected logs, select Analyze from the Logs to be Analyzed context menu. This action imports all the selected logs into CLA's native format, from which CLA can then run reports. Third, select and generate the desired report from the Report Templates folder. Figure 1 shows the prebuilt reports you can choose from.

CLA fills an important gap in Win2K's security-monitoring capabilities. Not only does CLA generate sophisticated reports (e.g., failed logon activity) but it gives you an enterprise view of your entire network's combined activity—not just one system at a time.

9. Control PKI with DSStore
Directory Services Store (DSStore) is a general-purpose command-line utility that helps you diagnose and maintain a Win2K public key infrastructure (PKI) integrated with Active Directory (AD). If you aren't using enterprise root Certificate Authorities (CAs) to run a PKI in Win2K, you won't need this tool. But if you are, this tool is a godsend. DSStore is part of the resource kit's Security Tools component.

Although you can handle most PKI tasks from within the MMC Active Directory Users and Computers snap-in and the MMC Certificate Services snap-in, some operations aren't available from these MMC locations. DSStore lets you list, add, and delete Enterprise Root CAs and maintain certificate revocation lists (CRLs) in AD. DSStore also lets you add Win2K CAs or offline CAs to your enterprise PKI published in AD.

Win2K automatically enrolls users and computers with certificates the first time they perform an operation that requires a certificate. However, you've probably discovered that this process can be time-consuming in large networks. To speed up the process, DSStore lets you pulse auto-enrollment events, which proactively enroll users with appropriate certificates. You can also check the status of domain controller (DC) certificates and verify the validity of smart cards. Look in the resource kit's Tools Help document for more information about DSStore.

8. Manage EFS with EFSinfo
Encrypting File System (EFS) is a new and valuable Win2K feature that lets you protect confidential files, even from intruders who gain physical access to the disk, while remaining transparent to the user. (For more information about EFS, see Mark Russinovich, NT Internals, "Inside Encrypting File System, Part 1," June 1999, and "Inside Encrypting File System, Part 2," July 1999.)

EFS currently lets one user per file designate a file or entire directory as encrypted. To encrypt a directory, you simply open the directory's Properties menu, click Advanced, then select the Encrypt contents to secure data check box, as Figure 2 shows. After you encrypt the directory, you can use the files as you usually do, without thinking about encryption. Win2K automatically encrypts and decrypts file data in memory as applications write to and read the file.

Win2K also supports data-recovery agents so that you can recover data that a user encrypted. You can use Group Policy to assign data-recovery agents to computers. If a user uses EFS to encrypt a file, only the data-recovery agents specified in Group Policy can access that file. Therefore, server administrators might feasibly encounter files they can't read on their own servers.

What if a server administrator needs to recover data but can't determine who originally encrypted it? EFSinfo, a command-line utility that installs with the resource kit's Security Tools component, solves this problem. EFSinfo displays encryption information for a specified directory or file. If you don't specify a pathname, EFSinfo displays encryption information for each file in the current directory.

If you type

efsinfo /u

you learn whether the file is encrypted and who can decrypt it (i.e., who originally encrypted the file). To display a file's authorized data-recovery agents, use the /r switch. In the following example, secret formula.txt was encrypted by Administrator, who is also the data-recovery agent for this system.

D:\confidential>efsinfo /r "secret formula.txt"

D:\confidential

secret formula.txt: Encrypted
  Recovery Agents:
    MTG\Administrator (OU=EFS File Encryption Certificate, L=EFS, CN=Administrator)
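As an added example (not code from the article or the resource kit), the following Python script parses efsinfo /u /r output for a whole directory and reports encrypted files that list no data-recovery agent, the case a server administrator cannot recover if the user's key is lost. The sample output is constructed; its "Recovery Agents:" block mirrors the listing above, while the "Users who can decrypt:" and "Not Encrypted" wording is an assumption about efsinfo's format.

```python
import re

# Constructed sample of efsinfo /u /r output, not captured from a real system.
# "Recovery Agents:" mirrors the article's listing; the "Users who can decrypt:"
# and "Not Encrypted" wording is an assumption about efsinfo's output format.
SAMPLE_OUTPUT = """D:\\confidential

secret formula.txt: Encrypted
  Users who can decrypt:
    MTG\\Administrator (CN=Administrator)
  Recovery Agents:
    MTG\\Administrator (OU=EFS File Encryption Certificate, L=EFS, CN=Administrator)
notes.txt: Not Encrypted
orphan.txt: Encrypted
  Users who can decrypt:
    MTG\\jdoe (CN=jdoe)
  Recovery Agents:
"""

# "<file>: Encrypted" or "<file>: Not Encrypted" opens each record; the indented
# principal lines below it look like DOMAIN\user (certificate subject).
FILE_RE = re.compile(r"^(?P<name>.+?): (?P<state>Encrypted|Not Encrypted)$")
PRINCIPAL_RE = re.compile(r"^\s+(?P<name>[^\s(]+) \((?P<subject>.*)\)$")


def parse_efsinfo(text: str) -> dict:
    """Return {filename: {"encrypted": bool, "users": [...], "agents": [...]}}."""
    files, current, section = {}, None, None
    for line in text.splitlines():
        if m := FILE_RE.match(line):
            current = files[m.group("name")] = {
                "encrypted": m.group("state") == "Encrypted", "users": [], "agents": []}
            section = None
        elif current is None:
            continue  # directory header / blank lines before the first file
        elif line.strip() == "Users who can decrypt:":
            section = "users"
        elif line.strip() == "Recovery Agents:":
            section = "agents"
        elif section and (p := PRINCIPAL_RE.match(line)):
            current[section].append(p.group("name"))
    return files


def files_without_recovery_agent(files: dict) -> list:
    """Encrypted files with no data-recovery agent: unrecoverable if the user's key is lost."""
    return sorted(n for n, i in files.items() if i["encrypted"] and not i["agents"])
```

Feed the captured output of efsinfo /u /r, run from the directory you are auditing, to parse_efsinfo and then to files_without_recovery_agent to list the files worth re-encrypting under a Group Policy that assigns a recovery agent.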
