After you lock down your Web server, how do you make sure it stays locked down? Inadvertently misconfiguring or disabling a security feature while administering a server is, unfortunately, easy to do. And installing updates and software can reenable services or features that you've disabled for security reasons. Therefore, recognizing changes to your Web server as soon as possible is important.
To detect changes, you can use System Scanner 1.1, a Microsoft Windows 2000 Server Resource Kit utility. This host-based security scanner performs several vulnerability checks, including baseline comparisons in which Microsoft IIS detects changes to processes, services, shares, files, users, and groups. After you secure your Web server, you can use System Scanner to take a snapshot of the server configurations, then compare new scans against the baseline snapshot to identify changes. Unlike running a security template in analyze mode, System Scanner sees changes to files' contents and attributes.
Microsoft developers wrote System Scanner 1.1 for Windows NT, but its baseline comparison feature works great on Win2K. To make baseline comparisons, System Scanner uses policies. A policy defines which checks System Scanner should perform and the correct value for each check. After you create a policy, System Scanner uses that policy to scan the computer and create a baseline with which to compare future scans. System Scanner saves scan results to an internal database and provides several reports, including the Vulnerabilities, Service, Trend, and Differential reports. The Vulnerabilities report is the simplest way to receive notification of important system changes. You can even use a script to check this report for you and send you an email-message notification about the results. Let's take a closer look at how to use System Scanner, including how to install it, create a policy, run scans, and use a script.
Installing System Scanner
To install System Scanner, load the resource kit CD-ROM and run sysscansetup.exe, which is in the \apps\systemscanner directory. The System Scanner Installation Wizard will appear. Follow the wizard's instructions, accepting all the defaults. When the wizard asks whether it should install System Scanner as an agent, click Yes.
System Scanner doesn't typically create a shortcut on the Start menu. To launch the program, go to the \%systemdrive%\programfiles\iss\sysscan\bin folder and double-click syscan.exe.
Creating a Policy
After you install System Scanner, you need to create a policy. To do so, select Policy, New to launch the New Policy Wizard. In the opening dialog box, the wizard prompts you for the name of the policy. Enter DetectChanges in the text box, then select the Let me choose all settings for myself option and click Next.
In the next dialog box, expand the Baselines folder in the left pane. As Figure 1 shows, the folder contains seven types of scans for which System Scanner can create a baseline. Selecting a check box in the left pane brings up scan options in the right pane. The following briefly describes the seven types of scans and the configuration options they offer.
Registry Scan. Registry Scan tracks changes to registry keys and values. I had trouble with System Scanner reporting false positives on this type of scan. Therefore, I recommend that you leave the Registry Scan check box cleared until you have time to experiment with this feature and make sure it works in your environment.
File Scan. File Scan tracks changes to files. After you select the File Scan check box, you need to specify what to track on the General, Directories, and Extensions tabs in the right pane. On the General tab, you specify the data to track. For example, you can track changes to a file's attributes, contents, ownership, and permissions. On the Directories tab, you control which folders to track, and on the Extensions tab, you specify the types of files to track in those directories. By default, System Scanner scans .bas, .class, .cpl, .dll, .drv, .exe, .ocx, .pl, .scr, and .vxd files.
Which folders, file types, and data types should you track on your Web server? One obvious folder to track is the folder in which you store your Web site's static and dynamic content files, including .html, .gif, and .asp files. By default, this folder is inetpub. You'll want to know whenever someone changes the files' attributes, contents, ownership, or permissions. A change to any of this data might indicate that someone is tampering with your site. You might also want to monitor .exe and .dll files in %systemroot% and any important .ini or other configuration file types that aren't updated by the system's day-to-day activities.
You can be pretty liberal with which directories you track because within those folders, System Scanner tracks only those files selected on the Extensions tab. However, don't track databases, logs, or other file types that constantly change; otherwise, System Scanner will report a vulnerability every time you run a scan.
Services. By selecting the Services check box, you can configure System Scanner to track application (e.g., FTP, RRAS, Schedule) and driver services. Tracking application services is useful because intruders can use these services as doorways into the server. Because drivers run as a SYSTEM account, intruders can use them to compromise computers by loading a rogue driver. Therefore, you should select both the Application Services and Driver Services check boxes.
Processes. If you select the Processes check box, System Scanner detects changes to programs that have been configured to automatically start. Catching changes to startup processes is important because intruders who install back doors and Trojan horses often configure the system to automatically start the malicious attack every time a user logs on or the system restarts. To detect changes to startup programs, System Scanner checks the
- Common Startup folder
- Startup folder for the current user
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry subkey
- HKEY_CURRENT_USER\Software\ Microsoft\Windows\CurrentVersion\Run registry subkey
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows registry subkey's load value
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows registry subkey's run value
These locations aren't all the places you can configure a startup process in Win2K, but selecting them can't hurt.
User Scan. User Scan checks new, deleted, and changed user accounts; changes to the groups to which a user belongs; logon information (e.g., logon script, home directory); RAS dial-in access; and call-back number and user rights. User Scan also catches other changes, such as disabled user accounts that have been reenabled. I recommend that you select all the User Scan check boxes. These checks are valuable because intruders often create user accounts for future access. You definitely want to know when someone grants a user account the Act as part of the operating system or Take ownership of files and folders right. These checks are also valuable if you create a user account to give someone temporary access but forget to delete it later as you had intended.
Group Scan. Group Scan detects any user-right assignment changes to groups and any group-membership changes. Both of these checks are important. A change in group membership—for example, if you mistakenly add a user to the Administrators group—can greatly affect security.
Share Scan. By selecting the Share Scan check box, you can configure System Scanner to track changes to hidden shares (i.e., those shares in which the name ends with $), share permissions, and the NTFS permissions on shared folders and shared printers. Tracking changes to shares is valuable because shared folders provide a doorway into your file system.
After you've finished configuring the scan types and options, click Finish. The New Policy Wizard creates your policy, then exits.
With the policy in hand, you're ready to generate the baseline scan against which System Scanner will compare subsequent scans. System Scanner automatically generates a policy's baselines the first time you use that policy to run a scan. To manually run the baseline scan, select File, Scan Now. Choose DetectChanges and enter Initial Baseline Generation. Click OK to start the scan.
After the scan finishes, your baselines are set and you can schedule the daily scan. Under the Start menu, select Programs, Accessories, System Tools, Scheduled Tasks. Double-click Add Scheduled Task to open the Scheduled Task Wizard. Click Next, then click Browse. Maneuver to \program files\iss\sysscan\bin and double-click sscli.exe, which is the command-line interface program for System Scanner. Enter System Scanner Baseline Scan as the task's name, and select Daily in the Perform this task option. (You can also schedule the task to run weekly.) Click Next, specify your desired start day and time, then click Next again. Enter an administrative username and password under which System Scanner will run. Click Next, select the Open advanced properties for this task when I click Finish check box, and click Finish.
In the Properties dialog box that appears, you need to specify several parameters so that sscli.exe knows which policy and report to run. Select the Run option and enter -p DetectChanges -r v -f C:\NewBaselineScan.htm -o hmldf after the task's path. The -p DetectChanges parameter tells System Scanner to use the DetectChanges policy for the scan, and the -r v parameter tells the program to produce a Vulnerabilities report. The -f C:\NewBaselineScan.htm parameter specifies the report's filename and location. The -o hmldf parameter specifies that you want the report to include high, medium, and low vulnerabilities; full descriptions for the vulnerabilities; and information about how to fix them. Click OK. Depending on your system, you might need to enter the administrative username and password again.
Your scan is now configured to run each day. It will produce an HTML-formatted report called NewBaselineScan on your C drive.
To verify that System Scanner will successfully detect changes to your Web server, create a new user account and disable it. If you want, you can also make other changes, such as changing a file's contents—just remember not to weaken your Web server. Run a scan on demand by returning to the Scheduled Tasks folder, right-clicking System Scanner Baseline Scan, and selecting Run. When the task finishes, open NewBaselineScan. You should see the System Scanner Vulnerabilities report.
After a few iterations of the System Scanner Vulnerabilities report, you might find that your policy is tracking areas in which legitimate changes constantly occur. You'll want to weed out these dynamic areas by editing your policy, then resetting your baseline. To reset a baseline, select Policy, Reset Baselines. Select your policy, click Reset, then click Close.
Using the Script
If you run scans daily, you might consider using a script to check the reports for you. Listing 1, page 4, contains such a script called CheckSysScanReport.vbs. This script checks the NewBaselineScan report for vulnerabilities each night and sends an email message that tells you whether no vulnerabilities were found, vulnerabilities were found, or the report was missing.
When CheckSysScanReport.vbs starts, it sets the reportFileName variable to the pathname for the NewBaselineScan report. Currently, the script sets this variable to C:\CheckSysScan\NewBaselineScan.htm, as the code at callout A shows. If you've configured System Scanner to create the report elsewhere or under a different name, you must change C:\CheckSysScan\NewBaselineScan.htm to the appropriate pathname.
Next, the script tries to open the NewBaselineScan report. If the script can't find the report because the System Scanner Baseline Scan task failed to run or didn't finish, the script sets the subject variable (which is later used for the email message's subject line) to System Scanner Report Missing. Scheduled task may have failed. If the script finds the report, the script scans it line by line for the word vulnerability. If that word is present, the script sets the subject variable to ALERT! Vulnerabilities found in System Scanner report. Otherwise, the script sets the variable to Good News! No vulnerabilities found in System Scanner report. The script then uses the Blat utility to create and send the email message. Blat retrieves the body of the email message from the body.txt file in C:\CheckSysScan.
The script then copies the NewBaselineScan report's contents into a file named BaselineScan.htm and deletes NewBaselineScan.htm. That way, if the System Scanner Baseline Scan task fails to run or doesn't complete, the next time CheckSysScanReport.vbs runs, it will notice the report is missing and alert you to that fact.
Before you can use CheckSysScanReport.vbs, you need to make several preparations. Follow these steps:
- Create a folder on your C drive called CheckSysScan. Copy the code in Listing 1 into an editor, and save the file as CheckSysScanReport.vbs. Place the script in the CheckSysScan folder.
- Edit the script. In the line at callout B, replace firstname.lastname@example.org with your email address. If you've configured System Scanner to create the NewBaselineScan report elsewhere or under a different name, replace C:\CheckSysScan\NewBaselineScan.htm in the line at callout A with the appropriate pathname.
- Create a file named body.txt in C:\CheckSysScan. Enter whatever information you'd like to appear in the body of the email message when the script sends a message. For example, you might include a link to the BaselineScan file.
- Download blat.exe and its associated files to C:\CheckSysScan. Blat is a freeware utility that sends email messages from scripts. You can find Blat at http://www.interlog.com/~tcharron/blat.html. Set up Blat to use your SMTP server. If you're unfamiliar with how to use Blat, I explain how to set it up in "Use WMI to Monitor Your Web Site for Changes," July 2002, http://www.windowswebsolutions.com, InstantDoc ID 25235.
- Set up a scheduled task to run CheckSysScanReport.vbs every day an hour or two after the System Scanner Baseline Scan task runs.
Effective Yet Inexpensive
Because you likely already have the resource kit, the only cost of setting up this security monitoring system is your time—and it's time well spent. You'll know sooner rather than later when someone is tampering with your Web server's processes, services, shares, files, users, and groups.