Using Sysinternals tools in security management scenarios


Kevin Beaver, CISSP
02.18.2009


By now most Windows shops understand how using Sysinternals tools can help streamline daily management tasks. To further demonstrate the power and benefits of these tools, let's explore three security management scenarios you're likely to come across when administering Windows systems, and show how Sysinternals can work for you.

  1. Scanning for open network shares that users have haphazardly enabled
  2. Monitoring system activity during a suspected intrusion or malware infection
  3. Analyzing TCP sessions to determine who's talking to what and vice versa

Be forewarned that you shouldn't jump in head first with Sysinternals tools. I suggest you read the documentation that comes with each tool and proceed with cautious enthusiasm. These tools are not for the faint of heart. They aren't difficult to use, but you may end up making Windows do more than you intended and crash your system or lose important data.

Scenario 1: Scanning for open network shares that users have haphazardly enabled

I've noticed that users often take advantage of the power of networked computers and file sharing. While this function can serve a legitimate purpose, a share left open to Everyone can be read, and often written to, by anyone on the network, including users with malicious intent. ShareEnum won't lock anything down for you, but it will show you every share in a Windows domain or IP address range together with who has been granted access to it, which is exactly the information you need to shut down unnecessary sharing. Proceed as follows:

  1. Load the program
  2. Enter an IP address range or Windows domain to scan
  3. Click "refresh"

ShareEnum lists each share it finds along with the accounts and groups granted access to it, so shares open to Everyone or to all Domain Users stand out, similar to my findings in Figure 1. Run it from a domain administrator account; otherwise it can only report the share permissions your account is allowed to read, and remote shares will show up with blank permission columns.

Sysinternals' ShareEnum
Figure 1 Using Sysinternals' ShareEnum to enumerate open and exposed network shares. (Click on image for enlarged view.)

Armed with this information, you can revoke unnecessary rights and lock down your sensitive files. If you would like to check access rights to directories, files or even registry keys on a specific system, then check out the similar AccessEnum tool.
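The same check as a scheduled script, so the results can be diffed from one run to the next. This is an added example, not code from the article or from Sysinternals. It assumes targets running Windows 8 / Server 2012 or later (the SmbShare cmdlets), WMI/WinRM reachability, and an account with local administrator rights on each target; the host names, share name and the list of "broad" principals are assumptions to replace with your own.

```powershell
# Added example (not from the article or Sysinternals): scripted equivalent of the
# ShareEnum pass. Host names below are made up; feed in Get-ADComputer output in practice.
$Targets = @('WS-FINANCE-01', 'WS-HR-07')

# Principals that make a share effectively open to the whole domain (assumed list).
$BroadPrincipals = @('Everyone', 'Authenticated Users', 'Domain Users', 'BUILTIN\Users')

function Find-OpenShares {
    param([string[]]$ComputerName)
    foreach ($computer in $ComputerName) {
        try {
            $cim = New-CimSession -ComputerName $computer -ErrorAction Stop
        } catch {
            Write-Warning "$computer unreachable: $($_.Exception.Message)"
            continue
        }
        # Special = $true marks the built-in ADMIN$, C$, IPC$ shares; user-created shares
        # are the concern here, so they are skipped.
        $shares = Get-SmbShare -CimSession $cim | Where-Object { -not $_.Special }
        foreach ($share in $shares) {
            $aces = Get-SmbShareAccess -CimSession $cim -Name $share.Name
            foreach ($ace in $aces) {
                $isBroad = $false
                foreach ($p in $BroadPrincipals) {
                    # AccountName comes back qualified, e.g. "NT AUTHORITY\Authenticated Users"
                    if ($ace.AccountName -like "*$p") { $isBroad = $true }
                }
                if ($ace.AccessControlType -eq 'Allow' -and $isBroad) {
                    [pscustomobject]@{
                        Computer  = $computer
                        Share     = $share.Name
                        Path      = $share.Path
                        Principal = $ace.AccountName
                        Right     = $ace.AccessRight   # Full, Change or Read
                    }
                }
            }
        }
        Remove-CimSession $cim
    }
}

# Remediation for a confirmed finding: remove the broad ACE from the share permissions.
# Destructive; run with -WhatIf first. NTFS ACLs on the share path still need a separate
# review (that is what AccessEnum covers).
function Revoke-BroadShareAccess {
    param(
        [Parameter(Mandatory)][string]$Computer,
        [Parameter(Mandatory)][string]$Share,
        [Parameter(Mandatory)][string]$Principal,
        [switch]$WhatIf
    )
    $cim = New-CimSession -ComputerName $Computer
    Revoke-SmbShareAccess -CimSession $cim -Name $Share -AccountName $Principal -Force -WhatIf:$WhatIf
    Remove-CimSession $cim
}

$findings = Find-OpenShares -ComputerName $Targets
$findings | Sort-Object Computer, Share | Format-Table -AutoSize

# Dry run of a fix once a finding has been confirmed (share name assumed):
# Revoke-BroadShareAccess -Computer 'WS-FINANCE-01' -Share 'Scans' -Principal 'Everyone' -WhatIf
```

Keep the output of each run; a share that appears between two runs is a user who just clicked "Share with Everyone," and that is the moment to talk to them rather than months later.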

Scenario 2: Monitoring system activity during a suspected intrusion or malware infection

Has someone or something compromised one of your Windows systems and you want to see the activity under the hood? Formal forensics methodologies aside, you can download and run Sysinternals Process Monitor, which shows you anything and everything taking place on Windows systems from registry access to file writes to process creation and network connections, as shown in Figure 2. Two cautions: run it from a known-good copy (for example, read-only media), since nothing already on a compromised host can be trusted, and remember that running any tool changes the system's state, so take your disk and memory images first if the evidence may matter later.

Sysinternals' Process Monitor
Figure 2 Using Sysinternals' Process Monitor shows exactly what's going on in Windows at any given time. (Click on image for enlarged view.)

With its filtering and logging capabilities, as well as process tree exploration (similar to that in Process Explorer), Process Monitor puts the kind of visibility that used to require a kernel debugger or an expensive commercial tracer into the hands of any administrator. The best part: Process Monitor is free. After running Process Monitor and experiencing first-hand the benefits this tool provides, you'll understand why Microsoft acquired Sysinternals.
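Clicking through a million-event trace by hand does not scale during an incident. The block below, an added example that is not from the article or the Sysinternals distribution, runs a headless Process Monitor capture with Procmon's documented command-line switches and then applies a first-pass triage to the exported CSV: child processes spawned by Office applications, executables written into user-writable directories, changes to the Run/RunOnce autostart keys, and outbound connections by a PID already flagged. The tool path and output directory are assumptions, and the sample CSV is constructed for the example so the triage runs without a live capture.

```powershell
# Added example (not from the article or Sysinternals): headless Procmon capture plus
# CSV triage. Assumes Procmon.exe at $ProcmonPath (copied from a known-good machine),
# run from an elevated PowerShell session.
$ProcmonPath = 'D:\Tools\Procmon.exe'   # assumed location, e.g. a read-only USB stick

function Invoke-ProcmonCapture {
    param([int]$Seconds = 60, [string]$OutDir = 'D:\Capture')
    New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
    $pml = Join-Path $OutDir 'capture.pml'
    $csv = Join-Path $OutDir 'capture.csv'
    # /Quiet suppresses the filter prompt, /BackingFile logs to disk instead of the page file
    Start-Process $ProcmonPath -ArgumentList "/AcceptEula /Quiet /Minimized /BackingFile `"$pml`""
    Start-Sleep -Seconds $Seconds
    Start-Process $ProcmonPath -ArgumentList '/Terminate' -Wait
    # Convert the binary log to CSV for scripted review
    Start-Process $ProcmonPath -ArgumentList "/OpenLog `"$pml`" /SaveAs `"$csv`"" -Wait
    return $csv
}

# Constructed sample in Procmon's default CSV column layout. None of these events come
# from a real incident; they exist only so the triage below can run stand-alone.
$SampleCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:02:11.1","WINWORD.EXE","4120","Process Create","C:\Users\jdoe\AppData\Local\Temp\update.exe","SUCCESS","PID: 5236, Command line: update.exe /s"
"10:02:11.3","update.exe","5236","CreateFile","C:\Users\jdoe\AppData\Roaming\svchost.exe","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf"
"10:02:11.4","update.exe","5236","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater","SUCCESS","Type: REG_SZ, Data: C:\Users\jdoe\AppData\Roaming\svchost.exe"
"10:02:12.0","update.exe","5236","TCP Connect","ws-finance-01:49812 -> 203.0.113.25:443","SUCCESS","Length: 0"
"10:02:12.2","explorer.exe","1804","RegQueryValue","HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
'@

$RunKeys        = '\\CurrentVersion\\Run(Once)?\\'
$UserWritableExe = '\\(AppData|Temp|Downloads|Public)\\.*\.(exe|dll|scr|ps1|vbs|js)$'
$OfficeApps     = 'WINWORD.EXE', 'EXCEL.EXE', 'POWERPNT.EXE', 'OUTLOOK.EXE'

function Get-SuspiciousEvents {
    param([Parameter(Mandatory)][object[]]$Events)
    # PIDs already implicated; later events by the same PID are reported too
    $flaggedPids = New-Object 'System.Collections.Generic.HashSet[string]'
    foreach ($e in $Events) {
        $reason = $null
        switch ($e.Operation) {
            'Process Create' {
                if ($OfficeApps -contains $e.'Process Name') { $reason = 'Office app spawned a process' }
            }
            'CreateFile' {
                if ($e.Path -match $UserWritableExe -and $e.Detail -match 'Generic Write|Generic All') {
                    $reason = 'executable written to user-writable location'
                }
            }
            'RegSetValue' {
                if ($e.Path -match $RunKeys) { $reason = 'autostart key modified' }
            }
            'TCP Connect' {
                if ($flaggedPids.Contains($e.PID)) { $reason = 'outbound connection by already-flagged PID' }
            }
        }
        if ($reason) {
            [void]$flaggedPids.Add($e.PID)
            # Follow the child of a flagged Process Create; its PID is in the Detail column
            if ($e.Operation -eq 'Process Create' -and $e.Detail -match 'PID: (\d+)') {
                [void]$flaggedPids.Add($Matches[1])
            }
            [pscustomobject]@{
                Time = $e.'Time of Day'; Process = $e.'Process Name'; PID = $e.PID
                Operation = $e.Operation; Path = $e.Path; Reason = $reason
            }
        }
    }
}

$events = $SampleCsv | ConvertFrom-Csv
# For a live system instead: $events = Import-Csv (Invoke-ProcmonCapture -Seconds 120)
Get-SuspiciousEvents -Events $events | Format-Table -AutoSize
```

Against the constructed sample this reports four events (the Word-spawned child, the dropped svchost.exe copy, the Run key, and the connection to 203.0.113.25) and leaves the Explorer registry read alone. The rules are deliberately simple; the point is to get from a raw trace to a handful of leads, then go back into the Process Monitor GUI with its process tree and filters to follow each one.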

Scenario 3: Analyzing TCP sessions to determine who's talking to what and vice versa

Let's say you have a system acting up, transmitting and receiving a lot of network packets but you don't know where they're headed or coming from. You may also be curious about what application or process is generating the traffic. This would be a perfect scenario in which the Sysinternals TCPView tool would be useful. As shown in Figure 3, TCPView can drill down to help you monitor and troubleshoot both TCP and UDP connections, with the owning process named on every line, in a happy-clicky-GUI fashion without having to do it the archaic way by using netstat -an from a command line (netstat -ano at least adds the owning PID, and netstat -b the executable name, but you still have to join that up by hand). One caveat: TCPView and netstat both ask Windows for its own connection table, so a kernel-mode rootkit can hide sessions from either; when that's on the table, compare against a capture taken from the network side.

Sysinternals' TCPView
Figure 3 Using Sysinternals' TCPView to analyze Windows-based network communications. (Click on image for enlarged view.)
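The TCPView table rebuilt in PowerShell, so it can be logged on a schedule or run over a remoting session to a box you can't sit at. This is an added example, not code from the article or from Sysinternals. It assumes Windows 8 / Server 2012 or later (the Get-NetTCPConnection and Get-NetUDPEndpoint cmdlets) and an elevated session, which is needed to read the image path of processes owned by other users; the private-address ranges treated as "internal" are my choice for the report.

```powershell
# Added example (not from the article or Sysinternals): connection table with owning
# process and image path, plus a "who talks to whom the most" summary.

function Test-PrivateAddress {
    param([string]$Address)
    # Loopback, link-local, RFC 1918, unspecified and IPv6 link-local count as internal here
    return ($Address -match '^(127\.|10\.|192\.168\.|169\.254\.|0\.0\.0\.0$|::1?$|fe80:)') -or
           ($Address -match '^172\.(1[6-9]|2\d|3[01])\.')
}

function Get-ConnectionOwners {
    # Build the PID -> process table once instead of calling Get-Process per connection.
    # OwningProcess is UInt32 and Process.Id is Int32; cast so the hashtable lookup matches.
    $procs = @{}
    Get-Process | ForEach-Object { $procs[$_.Id] = $_ }

    $tcp = Get-NetTCPConnection | ForEach-Object {
        $p = $procs[[int]$_.OwningProcess]
        $name = if ($p) { $p.ProcessName } else { '<exited>' }
        $path = if ($p) { $p.Path } else { $null }   # $null also when access is denied
        [pscustomobject]@{
            Proto    = 'TCP'
            Local    = "$($_.LocalAddress):$($_.LocalPort)"
            Remote   = "$($_.RemoteAddress):$($_.RemotePort)"
            State    = $_.State
            PID      = $_.OwningProcess
            Process  = $name
            Path     = $path
            External = -not (Test-PrivateAddress $_.RemoteAddress)
        }
    }
    $udp = Get-NetUDPEndpoint | ForEach-Object {
        $p = $procs[[int]$_.OwningProcess]
        $name = if ($p) { $p.ProcessName } else { '<exited>' }
        $path = if ($p) { $p.Path } else { $null }
        [pscustomobject]@{
            Proto    = 'UDP'
            Local    = "$($_.LocalAddress):$($_.LocalPort)"
            Remote   = '*'
            State    = 'Listening'
            PID      = $_.OwningProcess
            Process  = $name
            Path     = $path
            External = $false
        }
    }
    @($tcp) + @($udp)
}

function Get-TopTalkers {
    param([object[]]$Connections, [int]$Top = 10)
    # Established TCP sessions to non-private addresses, grouped by process and remote endpoint
    $Connections |
        Where-Object { $_.Proto -eq 'TCP' -and $_.State -eq 'Established' -and $_.External } |
        Group-Object Process, Remote |
        Sort-Object Count -Descending |
        Select-Object -First $Top Count, Name
}

$conns = Get-ConnectionOwners
# Everything talking off the local network, with the binary responsible
$conns | Where-Object External | Format-Table Proto, Local, Remote, State, PID, Process, Path -AutoSize
# The noisiest process/remote pairs
Get-TopTalkers -Connections $conns
```

A process whose Path column is empty despite an elevated session, or whose image lives under a user profile rather than Windows or Program Files, is where to start; that is the same judgement call you make reading TCPView, just made once per line of script instead of once per refresh.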

The possibilities for using the Sysinternals tools are unlimited, so check out what Microsoft has to offer in this gem of a toolset. The tools mentioned in this tip are, most often, my personal choice in security-related scenarios. However, you won't want to overlook the value of PsTools and the utility of BgInfo. (On a side note: The humor of BlueScreen -- what a clever prank for April Fools' Day. We've got to have fun to take the edge off, right?)

ABOUT THE AUTHOR:   
Kevin Beaver
Kevin Beaver is an information security consultant, keynote speaker, and expert witness with Atlanta-based Principle Logic, LLC. Kevin specializes in performing independent security assessments. Kevin has authored/co-authored seven books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at kbeaver /at/ principlelogic.com.

All Rights Reserved, Copyright 2008 - 2009, TechTarget | Read our Privacy Policy