Good afternoon all my
I normally do not combine both sets of questions and answers into the same blog entry. However, when I was going through the list of questions from the events, the questions were surprisingly the same, with some subtle variations. So I made a decision to combine both entries into one blog post, to hopefully save everyone some time and give them some more knowledge about the topics we discussed. So without further ado, here goes… BTW GO BROWNS!
Please comment if you have any further questions or if I missed any.
Q: One of the attendees mentioned another great detection tool called TCPView; where can I find more information on it?
A: The tool can be found here: http://www.sysinternals.com/utilities/tcpview.html . It is another tool that shows you detailed listings of all TCP and UDP endpoints on your system. Overall, sysinternals.com has a lot of great tools that you should check out.
Q: What are the command lines for the Microsoft Baseline Security Analyzer?
A: The Microsoft Baseline Security Analyzer is a great free tool that you can download here: Download MBSA. The tool will help you evaluate your systems from a security viewpoint as well as help you “plug the holes”. The tool also offers some great command line functionality. There are tons of command switches; you can find more information in the release notes for the MBSA tool.
Q: Where can I watch the TV show, that I saw a preview of during break?
Q: Where is the command line tools reference for the tools I used to help with detection?
A: This has been a common question I have gotten in all the shows that I delivered this quarter. I blogged all the information here: Tools Reference. Since that entry was back in April, I have copied the particular information here as well:
- One of the important tools to learn how to use is a packet sniffer. I used Ethereal during my session: http://ethereal.planetmirror.com/ . It is a good utility for pulling useful information out of captured packets.
- Event viewer holds a wealth of information, but sometimes it is hard to find the information you want. I recommend using EventCombMT. EventCombMT is a free download here: http://www.microsoft.com/downloads/details.aspx?familyid=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en .
- Finding new files created under the system root. I used good old DIR with a few switches from the system root to see what’s been added anywhere in that root. The command that I used during the show was: Dir /q /-c /o:d /t:a /s >recentfile.txt
/q – display owner
/-c – disable the “thousands” separator in file sizes
/o:d – sort by date/time (oldest first)
/t:a – last access
/s – displays files in directory and all sub-directories
I piped the results out to a recentfile.TXT file.
For the complete list of DIR switches: http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/dir.mspx?mfr=true
- I also used Netstat -an to find active connections to the server. For more details on Netstat, take a look here: http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/ntcmds.mspx?mfr=true
- Lastly, a couple of free tools for you.
First please download and use the MBSA tool. It is a fantastic tool for helping you make sure your servers are “buttoned up”. It is on the event DVD here: Security Tools\Downloads\MBSA2.0 or you can download it here: http://www.microsoft.com/technet/security/tools/mbsahome.mspx
Also if you have Windows 2003 SP1, take a look at the Security Configuration Wizard (SCW). Learn more about the SCW here: http://www.microsoft.com/windowsserver2003/technologies/security/configwiz/default.mspx
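As an added example (not from the original post or any Microsoft tool), here is a small Python script that parses the recentfile.txt produced by the Dir /q /-c /o:d /t:a /s command above and flags entries timestamped after a known-good baseline date or owned by an account outside an allow-list. It assumes the US date format shown in the sample and that the account part of an owner (after the backslash) contains no spaces; the listing in SAMPLE is constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample of "dir /q /-c /o:d /t:a /s" output (made up for this example, not real server data).
SAMPLE = r"""
 Directory of C:\

04/12/2005  09:15 AM    <DIR>          BUILTIN\Administrators Inetpub
04/12/2005  09:15 AM              1024 NT AUTHORITY\SYSTEM    boot.ini
               1 File(s)           1024 bytes

 Directory of C:\Inetpub\wwwroot

04/12/2005  09:20 AM              2048 NT AUTHORITY\SYSTEM    default.htm
05/01/2005  11:30 PM              7680 WEB01\IUSR_WEB01       cmd shell.asp
               2 File(s)           9728 bytes
"""

# date, time, <DIR> or byte size (no thousands separator because of /-c), owner as DOMAIN\account
# (the domain may contain a space, the account is assumed not to), then a name that may contain spaces.
ENTRY = re.compile(r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2} [AP]M)\s+(<DIR>|\d+)\s+(.*\\\S+)\s+(.+)$")


def parse_dir_listing(text):
    """Yield one dict per file or directory entry, tracking the current 'Directory of' header."""
    cwd = None
    for line in text.splitlines():
        if line.startswith(" Directory of "):
            cwd = line[len(" Directory of "):].strip()
            continue
        m = ENTRY.match(line)
        if not m or cwd is None or m.group(5) in (".", ".."):
            continue  # summary lines, blank lines and the . / .. entries are skipped
        date, clock, size, owner, name = m.groups()
        yield {"path": cwd.rstrip("\\") + "\\" + name, "owner": owner,
               "size": None if size == "<DIR>" else int(size),
               "stamp": datetime.strptime(f"{date} {clock}", "%m/%d/%Y %I:%M %p")}


def flag_entries(entries, since, expected_owners):
    """Return (path, reasons) for entries timestamped at or after `since` or owned by an unexpected account."""
    hits = []
    for e in entries:
        reasons = []
        if e["stamp"] >= since:
            reasons.append("timestamp after baseline")
        if e["owner"] not in expected_owners:
            reasons.append("unexpected owner " + e["owner"])
        if reasons:
            hits.append((e["path"], reasons))
    return hits
```

Keep in mind that /t:a reports last-access time, which any read (an antivirus scan, a backup) updates, so compare the hits against a listing taken with /t:c (creation) or /t:w (last write) before drawing conclusions.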
Q: In Small Business Accounting Server how do I work with the SQL Server 2005 password?
A: You treat the SA and similar account passwords the same way you treat any other SQL IDs. In other words, enforce password length and complexity. With SQL 2005 you have some added security with the SA account. For more information click here: SQL 2005 SA Info