Use of SPQuery and STAT at FNAL
HEPNT/HEPIX, Sept 1999
SPQuery
• SPQuery is a useful tool for:
  • Reporting service pack and hotfix information for an entire domain or a select group of machines.
  • Downloading hotfixes from the Internet for NT, IIS, Exchange, SQL and Site Server to a central repository.
  • Applying Workstation/Server hotfixes to remote machines.
Query Systems
• Ability to check a single machine, entire domains, or use machine list files.
• Information on the date the service pack and hotfixes were applied.
• Information on available hotfixes for the applied service pack.
Hotfix Info
• Get information on files replaced or added by the hotfix.
• Query the Internet for the newest hotfix information.
• View the Knowledge Base article.
Applying Fixes
Three Basic Steps
• Download hotfixes to a local repository
  • Multiple downloads possible.
• Install
  • Must have admin rights to install to remote system.
  • Schedules hotfix to be applied at next login. User must have local admin.
  • Hotfix files and an ‘agent’ are copied to the remote system and run on next login.
  • Pop-up box during login gives the user the choice to apply the patch or not.
    • Only visible for 20 seconds.
  • Only supports singular patch application.
• Reboot
NOTE: User has the ability to decide if patch is applied!
Profile Creation
• Offers the ability to create service pack/hotfix profiles.
• Test your NT machine(s) against these profiles to determine if they pass or fail.
• We have profiles for SP4 and SP5 with appropriate security hotfixes.
Reporting
• Print reports (very detailed).
• Save reports for future reference in SPQuery, or save them to a CSV file and import into Excel.
SPQuery Stuff I’d like to see
• Notify if user selects ‘Never’ apply patch.
• Ability to load patches in correct order.
• Ability to apply more than one patch at a time.
• More details when downloading from Internet.
• Customization of report printing.
Inexpensive: $595 for a site license!
http://www.mtesoft.com
STAT (Security Test and Analysis Tool)
• Detects 600+ vulnerabilities from NT 3.51 to NT4 SP5.
• Can examine a specific machine, multiple machines or an entire domain.
• Automatic vulnerability fix.
• Configuration templates available.
• Password strength testing.
Account requirements
• To analyze systems on the network, you must be a Domain Admin.
• To analyze workgroups, you must be in the local admin group on the machines you wish to access.
Analysis Overview
• Analyze a single machine, multiple machines or domains.
• Machine analysis can be saved and compared to a new analysis.
• Systems must appear in Network Neighborhood.
• Domain examination is time-consuming.
  • Checking all vulnerabilities takes an average of one gigabyte per minute.
• 4 levels of vulnerability:
  • High: May grant unauthorized administrative access.
  • Medium: May provide access to sensitive data leading to further exploitation.
  • Low: May be used for information gathering or preventative security measures that could lead to higher risk levels.
  • Warning: Recommended good security practices.
4 Warnings
• There are 4 warnings in the STAT database that will always be displayed:
  • ID# 87 boot enabled (anyone can boot system from floppy)
  • ID# 403 clipboard (clear clipboard before logging off or locking computer)
  • ID# 409 emergency repair disk (ERD has compressed version of SAM. Make sure to lock it up!)
  • ID# 421 administrators group (check administrators group for unknown account names)
Configuration Files
• Ability to define ‘templates’ to check for only specific vulnerabilities.
• Description field helps identify vulnerability.
• Eight ‘templates’ provided:
  • All: ~600 vulnerabilities.
  • Autofix: Check only what can be fixed.
  • Filechecks: Check only file-related vulnerabilities.
  • High: Check only vulnerabilities defined as high.
  • Low: Check only vulnerabilities defined as low.
  • Medium: Check only vulnerabilities defined as medium.
  • Nofilechecks: Check only vulnerabilities not related to files.
  • Warning: Check only vulnerabilities not related to files.
Password Cracking
• Uses a simple text file to check passwords.
• Cracked passwords are not displayed. Just the username.
• File can be modified to your requirements.
• Note: Software upgrade could overwrite the file.
Report Print Options
• Executive
  • Pie chart representing the percentage of vulnerabilities by level of risk found in a selected network or machine.
• Network
  • Bar chart representing percentages of discovered vulnerabilities with respect to total possible vulnerabilities tested per machine.
• Vulnerability
  • Bar chart representing each vulnerability detected and how many machines contain that specific vulnerability.
• Detailed
  • Report shows all vulnerabilities found per machine. The report provides a brief description of each vulnerability, along with the applicable risk each represents.
STAT Wish List
• Ability to import machine lists.
• Better documentation.
• Improve speed of analysis.
• Problems analyzing domain with 95/98 systems.
• Canceling a vulnerability assessment takes too long.
Cost: $1797 per Admin License, does not include yearly maintenance
http://www.statonline.com