The Win32_CDROMDrive class allows you to query CD-ROM information through WMI. To collect CD-ROM information on a system using WMI, proceed as follows:

1. Create a new directory to store all files included in this example.
2. Download and install the latest version of Windows Script Host, from www.microsoft.com, to the new directory.
3. Select Start|Run and enter “cscript scriptfile.vbs”. Here, scriptfile is the full path and file name of a script file that contains the following:

    ' List every CD-ROM drive WMI reports on the local machine
    Set CDSet = GetObject("winmgmts:").InstancesOf ("Win32_CDROMDrive")
    For each CD in CDSet
      WScript.Echo "Name: " & CD.Name & VBlf & _
        "Drive: " & CD.Drive & VBlf & _
        "Status: " & CD.Status
    Next

Note: The Set statement above must be entered on one line.

Collecting Drive Information

The Win32_LogicalDisk class allows you to query disk information through WMI. To inventory disks on a system using WMI, proceed as follows:

1. Create a new directory to store all files included in this example.
2. Download and install the latest version of Windows Script Host, from www.microsoft.com, to the new directory.
3. Select Start|Run and enter “cscript scriptfile.vbs”. Here, scriptfile is the full path and file name of a script file that contains the following:

    ' List logical disks and translate the numeric DriveType code to text
    Set DiskSet = GetObject("winmgmts:").InstancesOf ("Win32_LogicalDisk")
    For each Disk in DiskSet
      Select Case Disk.DriveType
        Case 0
          DType = "Unknown"
        Case 1
          DType = "No Root Directory"
        Case 2
          DType = "Removable Disk"
        Case 3
          DType = "Local Disk"
        Case 4
          DType = "Network Drive"
        Case 5
          DType = "Compact Disc"
        Case 6
          DType = "RAM Disk"
        Case Else
          DType = "Unknown"   ' do not carry over the previous disk's value
      End Select
      WScript.Echo "Drive: " & Disk.DeviceID & VBlf & _
        "Name: " & Disk.Description & VBlf & _
        "Type: " & DType & VBlf & _
        "File System: " & Disk.FileSystem & VBlf & _
        "Size: " & Disk.Size & VBlf & _
        "Free Space: " & Disk.FreeSpace & VBlf & _
        "Compressed: " & Disk.Compressed
    Next

Note: The Set statement above must be entered on one line.
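A consolidated version of the one-class-per-script inventory this chapter builds up, added here as an example and not the book's own code: a single PowerShell pass over the operating system, processor, logical disk and network adapter classes, using the same DriveType mapping as the script above, saved as JSON so a later run can be compared against the baseline. It assumes PowerShell 3.0 or later (Get-CimInstance, ConvertTo-Json) and an account permitted to query WMI.

```powershell
# Added example (not from the book): one inventory pass over the WMI classes
# the chapter queries one script at a time. Assumes PowerShell 3.0+.

# The same DriveType codes the chapter's Select Case translates.
$DriveTypeNames = @{
    0 = 'Unknown'; 1 = 'No Root Directory'; 2 = 'Removable Disk'
    3 = 'Local Disk'; 4 = 'Network Drive'; 5 = 'Compact Disc'; 6 = 'RAM Disk'
}

function Get-HostInventory {
    [CmdletBinding()]
    param([string]$ComputerName = $env:COMPUTERNAME)

    # Local queries go through COM; a remote name uses WinRM via -ComputerName.
    $cimArgs = @{ ErrorAction = 'Stop' }
    if ($ComputerName -ne $env:COMPUTERNAME) { $cimArgs['ComputerName'] = $ComputerName }

    $os  = Get-CimInstance Win32_OperatingSystem @cimArgs
    $cpu = Get-CimInstance Win32_Processor @cimArgs | Select-Object -First 1

    $disks = Get-CimInstance Win32_LogicalDisk @cimArgs | ForEach-Object {
        [pscustomobject]@{
            Drive      = $_.DeviceID
            Type       = $DriveTypeNames[[int]$_.DriveType]
            FileSystem = $_.FileSystem
            # Size/FreeSpace are null for network or empty removable drives.
            SizeGB     = if ($_.Size) { [math]::Round($_.Size / 1GB, 1) } else { $null }
            FreeGB     = if ($_.FreeSpace) { [math]::Round($_.FreeSpace / 1GB, 1) } else { $null }
        }
    }

    # Skip adapters without a MAC address (miniport and tunnel entries).
    $nics = Get-CimInstance Win32_NetworkAdapter @cimArgs |
        Where-Object { $_.MACAddress } |
        ForEach-Object { [pscustomobject]@{ Name = $_.Name; MAC = $_.MACAddress; Speed = $_.Speed } }

    [pscustomobject]@{
        Computer    = $ComputerName
        OS          = $os.Caption
        Build       = $os.BuildNumber
        ServicePack = $os.CSDVersion
        InstallDate = $os.InstallDate      # Get-CimInstance returns DateTime, not the CIM string
        LastBoot    = $os.LastBootUpTime
        Processor   = $cpu.Name
        Disks       = $disks
        Adapters    = $nics
        Collected   = Get-Date
    }
}

# Record the inventory so later runs can be diffed against it (new drives,
# changed MACs or an unexpected reboot show up as differences).
$inventory = Get-HostInventory
$inventory | ConvertTo-Json -Depth 4 | Set-Content -Path "$env:COMPUTERNAME-inventory.json"
$inventory | Format-List
```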
Collecting Memory Information

The Win32_LogicalMemoryConfiguration class allows you to query memory information through WMI. To collect memory information on a system using WMI, proceed as follows:

1. Create a new directory to store all files included in this example.
2. Download and install the latest version of Windows Script Host, from www.microsoft.com, to the new directory.
3. Select Start|Run and enter “cscript scriptfile.vbs”. Here, scriptfile is the full path and file name of a script file that contains the following:

    ' Report memory totals; WMI returns kilobytes, so divide by 1024 for megabytes
    Set MemorySet = GetObject("winmgmts:").InstancesOf ("Win32_LogicalMemoryConfiguration")
    For each Memory in MemorySet
      WScript.Echo "Total: " & _
        Memory.TotalPhysicalMemory/1024 & VBlf & _
        "Virtual: " & Memory.TotalVirtualMemory/1024 & VBlf & _
        "Page: " & Memory.TotalPageFileSpace/1024
    Next

Note: The Set statement above must be entered on one line.

Collecting Modem Information

The Win32_POTSModem class allows you to query modem information through WMI. To collect modem information on a system using WMI, proceed as follows:

1. Create a new directory to store all files included in this example.
2. Download and install the latest version of Windows Script Host, from www.microsoft.com, to the new directory.
3. Select Start|Run and enter “cscript scriptfile.vbs”. Here, scriptfile is the full path and file name of a script file that contains the following:

    ' List installed modems and the port each one is attached to
    Set ModemSet = GetObject("winmgmts:").InstancesOf ("Win32_POTSModem")
    For each Modem in ModemSet
      WScript.Echo "Name: " & Modem.Name & VBlf & _
        "Port: " & Modem.AttachedTo & VBlf & _
        "Type: " & Modem.DeviceType & VBlf & _
        "Status: " & Modem.Status
    Next

Note: The Set statement above must be entered on one line.

Collecting Monitor Information

The Win32_DesktopMonitor class allows you to query information on computer monitors through WMI. To collect monitor information on a system using WMI, proceed as follows:

1. Create a new directory to store all files included in this example.
2. Download and install the latest version of Windows Script Host, from www.microsoft.com, to the new directory.
3. Select Start|Run and enter “cscript scriptfile.vbs”. Here, scriptfile is the full path and file name of a script file that contains the following:

    ' List monitors and the resolution each one reports
    Set MonitorSet = GetObject("winmgmts:").InstancesOf ("Win32_DesktopMonitor")
    For each Monitor in MonitorSet
      WScript.Echo "Name: " & Monitor.Name & VBlf & _
        "Height: " & Monitor.ScreenHeight & VBlf & _
        "Width: " & Monitor.ScreenWidth & VBlf & _
        "Status: " & Monitor.Status
    Next

Note: The Set statement above must be entered on one line.

Collecting Mouse Information

The Win32_PointingDevice class allows you to query mouse, trackball, touch screen, touch pad, and other pointing device information through WMI. To collect pointing device information on a system using WMI, proceed as follows:

1. Create a new directory to store all files included in this example.
2. Download and install the latest version of Windows Script Host, from www.microsoft.com, to the new directory.
3. Select Start|Run and enter “cscript scriptfile.vbs”. Here, scriptfile is the full path and file name of a script file that contains the following:

    ' List pointing devices (mice, trackballs, touch pads, touch screens)
    Set MouseSet = GetObject("winmgmts:").InstancesOf ("Win32_PointingDevice")
    For each Mouse in MouseSet
      WScript.Echo "Name: " & Mouse.Name & VBlf & _
        "Manufacturer: " & Mouse.Manufacturer & VBlf & _
        "Type: " & Mouse.HardwareType & VBlf & _
        "Buttons: " & Mouse.NumberofButtons & VBlf & _
        "Status: " & Mouse.Status
    Next

Note: The Set statement above must be entered on one line.

Collecting Network Adapter Information

The Win32_NetworkAdapter class allows you to query information on network adapters through WMI. To collect Network Interface Card (NIC) information on a system using WMI, proceed as follows:

1. Create a new directory to store all files included in this example.
2. Download and install the latest version of Windows Script Host, from www.microsoft.com, to the new directory.
3. Select Start|Run and enter “cscript scriptfile.vbs”. Here, scriptfile is the full path and file name of a script file that contains the following:

    ' List network adapters with their type, speed, MAC and configured addresses
    Set NICSet = GetObject("winmgmts:").InstancesOf ("Win32_NetworkAdapter")
    For each NIC in NICSet
      ' NetworkAddresses is a string array (often empty), so it cannot be
      ' concatenated directly; join it into one string first
      If IsArray(NIC.NetworkAddresses) Then
        Addrs = Join(NIC.NetworkAddresses, ", ")
      Else
        Addrs = ""
      End If
      WScript.Echo "Name: " & NIC.Name & VBlf & _
        "Type: " & NIC.AdapterType & VBlf & _
        "Speed: " & NIC.Speed & VBlf & _
        "MAC: " & NIC.MACAddress & VBlf & _
        "Addresses: " & Addrs
    Next

Note: The Set statement above must be entered on one line.

Collecting Operating System Information

The Win32_OperatingSystem class allows you to query various operating system information through WMI. To collect operating system information on a system using WMI, proceed as follows:

1. Create a new directory to store all files included in this example.
2. Download and install the latest version of Windows Script Host, from www.microsoft.com, to the new directory.
3. Select Start|Run and enter “cscript scriptfile.vbs”. Here, scriptfile is the full path and file name of a script file that contains the following:

    ' Report OS identity, patch level and boot time (dates are CIM datetime strings)
    Set OSSet = GetObject("winmgmts:").InstancesOf ("Win32_OperatingSystem")
    For each OS in OSSet
      WScript.Echo "OS: " & OS.Caption & VBlf & _
        "Build: " & OS.BuildNumber & VBlf & _
        "Version: " & OS.Version & VBlf & _
        "Service Pack: " & OS.CSDVersion & VBlf & _
        "ProdID: " & OS.SerialNumber & VBlf & _
        "Install Date: " & OS.InstallDate & VBlf & _
        "Last Bootup: " & OS.LastBootUpTime
    Next

Note: The Set statement above must be entered on one line.

Collecting Printer Information

The Win32_Printer class allows you to query printer information through WMI. To collect printer information on a system using WMI, proceed as follows:

1. Create a new directory to store all files included in this example.
2. Download and install the latest version of Windows Script Host, from www.microsoft.com, to the new directory.
3. Select Start|Run and enter “cscript scriptfile.vbs”. Here, scriptfile is the full path and file name of a script file that contains the following:

    ' List printers, where they are, and whether they are shared
    Set PrinterSet = GetObject("winmgmts:").InstancesOf ("Win32_Printer")
    For each Printer in PrinterSet
      WScript.Echo "Name: " & Printer.Name & VBlf & _
        "Location: " & Printer.Location & VBlf & _
        "Share: " & Printer.ShareName & VBlf & _
        "Status: " & Printer.Status
    Next

Note: The Set statement above must be entered on one line.

Collecting Processor Information

The Win32_Processor class allows you to query processor information through WMI. To collect processor information on a system using WMI, proceed as follows:

1. Create a new directory to store all files included in this example.
2. Download and install the latest version of Windows Script Host, from www.microsoft.com, to the new directory.
3. Select Start|Run and enter “cscript scriptfile.vbs”. Here, scriptfile is the full path and file name of a script file that contains the following:

    ' List processors; MaxClockSpeed is in MHz and L2CacheSize in KB
    Set ProSet = GetObject("winmgmts:").InstancesOf ("Win32_Processor")
    For each Pro in ProSet
      WScript.Echo "Name: " & Pro.Name & VBlf & _
        "Speed: " & Pro.MaxClockSpeed & VBlf & _
        "Cache: " & Pro.L2CacheSize & " KB" & VBlf & _
        "Processor ID: " & Pro.ProcessorId
    Next

Note: The Set statement above must be entered on one line.

Collecting Sound Card Information

The Win32_SoundDevice class allows you to query sound card information through WMI. To collect sound card information on a system using WMI, proceed as follows:

1. Create a new directory to store all files included in this example.
2. Download and install the latest version of Windows Script Host, from www.microsoft.com, to the new directory.
3. Select Start|Run and enter “cscript scriptfile.vbs”.
Here, scriptfile is the full path and file name of a script file that contains the following:

    ' List sound devices and their manufacturers
    Set SoundSet = GetObject("winmgmts:").InstancesOf ("Win32_SoundDevice")
    For each Sound in SoundSet
      WScript.Echo "Card: " & Sound.ProductName & VBlf & _
        "Manufacturer: " & Sound.Manufacturer
    Next

Note: The Set statement above must be entered on one line.

Collecting Tape Drive Information

The Win32_TapeDrive class allows you to query tape drive information through WMI. To collect tape drive information on a system using WMI, proceed as follows:

1. Create a new directory to store all files included in this example.
2. Download and install the latest version of Windows Script Host, from www.microsoft.com, to the new directory.
3. Select Start|Run and enter “cscript scriptfile.vbs”. Here, scriptfile is the full path and file name of a script file that contains the following:

    ' List tape drives with their compression and cleaning state
    Set TapeSet = GetObject("winmgmts:").InstancesOf ("Win32_TapeDrive")
    For each Tape in TapeSet
      WScript.Echo "Name: " & Tape.Name & VBlf & _
        "Hardware Compression: " & Tape.Compression & VBlf & _
        "Needs Cleaning: " & Tape.NeedsCleaning & VBlf & _
        "Status: " & Tape.Status
    Next

Note: The Set statement above must be entered on one line.

Collecting Video Card Information

The Win32_VideoController class allows you to query video card information through WMI. To collect video card information on a system using WMI, proceed as follows:

1. Create a new directory to store all files included in this example.
2. Download and install the latest version of Windows Script Host, from www.microsoft.com, to the new directory.
3. Select Start|Run and enter “cscript scriptfile.vbs”. Here, scriptfile is the full path and file name of a script file that contains the following:

    ' List video controllers and the display mode each is currently using
    Set VideoSet = GetObject("winmgmts:").InstancesOf ("Win32_VideoController")
    For each Video in VideoSet
      WScript.Echo "Card: " & Video.Description & VBlf & _
        "Current: " & Video.VideoModeDescription
    Next

Note: The Set statement above must be entered on one line.

Chapter 10: Security

In Brief

As sad as I am to admit this, the attitude of most administrators is “security through obscurity.” This expression means that the best way of dealing with security holes is ignoring them, hoping no one will find them, and praying they will go away. Unfortunately, this attitude never works. It seems nowadays there is a new virus or security hole being publicized daily. The days of merely running FDISK /MBR or deleting PWL files are over. Viruses and intruders are more sophisticated than ever. In this chapter, you will learn about the Windows security architecture and how to decrease the chances of unauthorized entry.

Hackers and Crackers

If you can think of system security as a war, then hackers and crackers are your opponents. Before you go into battle, it’s always good to know a little about your opponents. Here is the truth about a common myth: hackers never intentionally damage data. Hackers are knowledgeable computer users whose pure goal is to solve problems and continually learn about the inner workings of operating systems, applications, and transmission methods. Although their methods of obtaining information may be questionable, they tend to create tools to identify or improve upon system weaknesses. Hackers like to document and publicly share their information with all who are willing to learn. Hackers usually receive bad press because people don’t understand the difference between the terms “hackers” and “crackers.” Crackers are knowledgeable computer users whose goal is to break into systems and damage or steal data.
They tend to reverse-engineer programs and illegally use them for even more illicit purposes. Cracking techniques usually do not involve skillful or complicated methods, but rather crude ones such as stealing files from trash bins or tricking other users into handing over information. Examples of crackers are users who sniff the network for passwords, pirate software, write Trojan horse programs or viruses, or crash the network with broadcasts or email bombs.

Tip: For more information about hackers and crackers, visit www.hackers.com.

The Infamous Rainbow Series

In order to protect the nation’s interest against the attacks of crackers, the National Computer Security Center (NCSC) was born. The NCSC was created by the National Security Agency (NSA) to aggressively evaluate computer system security. NCSC works with various cooperating computer and telecommunication companies to ensure that their services meet the country’s security requirements.

Note: The NSA is part of the Department of Defense (DOD).

The “Rainbow Series” is a collection of publications created by the NCSC to evaluate various aspects of computer security. The cover of each report varies in color, hence the name “Rainbow Series.” Over 30 security reports are available from www.radium.ncsc.mil. Here is a brief overview of the three key Rainbow books that were used in Windows NT C2 compliance testing.

The Orange Book

The Orange Book is an NCSC publication called Department of Defense Trusted Computer System Evaluation Criteria. This is the publication that sets the standards for C2 security.

The Red Book

The Red Book is an extension of the Orange Book. Its title is Trusted Network Interpretation of the Trusted Computer System Evaluation Criteria, and it covers the security of networks (LANs/WANs).

The Light Blue Book

The Light Blue Book is an extension of the Orange Book. Its title is A Guide to Understanding Identification and Authentication in Trusted Systems, and it discusses the security of user identification and authentication.

Tip: You can visit www.radium.ncsc.mil/tpep/library/rainbow/index.html to download or view all of the Rainbow books.

C2 Security

C2 is a collection of security policies defined by the NCSC publication Trusted Computer System Evaluation Criteria (TCSEC), known as the Orange Book. The basic guidelines of the C2 standard are:

- All users must have a unique logon easily identifiable in audits.
- Deleted files must not be readable.
- Security auditing must be included.
- The contents of memory must not be readable after a process has terminated.
- The system must be able to control resource access by granting or denying individual users or groups.
- The system must be protected from external tampering.

Using C2CONFIG

C2CONFIG (C2 Configuration) is an NT Resource Kit utility designed to analyze and modify system security to comply with the C2 security standards. C2CONFIG is a graphical utility that analyzes your system and allows you to easily modify system settings through a file menu. Figure 10.1 shows the C2CONFIG screen.

Figure 10.1: The Windows NT Resource Kit utility C2CONFIG.

Note: C2CONFIG is an NT Resource Kit utility and is not meant to be run on Windows 2000.

Windows Authentication Protocols

Authentication is the process of validating a known user account and password, and it is the most important aspect of system security. Authentication happens every time you log on or access a network resource. Depending on your flavor of Windows, an authentication protocol specifies how account and password validation and resource access are to be handled.

Challenge Handshake Authentication Protocol

Windows NT uses a challenge/response scheme called Challenge Handshake Authentication Protocol (CHAP) to ensure that only authenticated users can access resources.
These exchanges are encrypted based on the account password to prevent unauthorized users from intercepting them. When a user logs on, the password is stored as an encrypted registry entry called the hash. The process of translating a password into a hash is called a one-way hash because you supposedly cannot extract the password from the hash (more on this later in the section “Using the SYSKEY Utility”). A hash encrypts its information using a predefined mathematical algorithm.

LAN Manager Authentication

Windows NT also includes the less secure LAN Manager authentication protocol that Windows 3.x and 9x use. Passwords are not case sensitive, so before the password is encrypted and stored in the hash, it is first transformed to all uppercase. This password scheme is less secure than that of Windows NT. The security risk increases when these systems are allowed to communicate over unregulated media, such as the Internet.

A security downfall of both the Challenge/Response and LAN Manager protocols is the lack of a random salt value when a password is encrypted and stored in the hash. A random salt value is a random number that is incorporated into the encrypted version of the password stored in the hash. Several other operating systems already use salt values in their encryption schemes (I’ll give you a hint; one of them rhymes with Unix). Because neither NT password scheme uses a random salt, an intruder who hashes a list of simple passwords can compare the results directly against every hash stored on a system to recover other passwords (more on this later).

Kerberos v5

Windows 2000 uses the more secure Kerberos v5 authentication protocol, while still supporting the LAN Manager authentication protocol. Kerberos was originally created at the Massachusetts Institute of Technology (MIT) and provides faster authentication access times and a more secure authentication process.
As opposed to LAN Manager, which uses shared passwords, Kerberos uses a shared cryptographic key to encrypt and decrypt transmitted data. This is more secure than the earlier Windows authentication protocols because the password is never transmitted over the network.

Security Configuration and Analysis Tool

Windows NT uses many utilities, such as User Manager, Server Manager, and Policy Editor, to control system security. With the birth of NT Service Pack 4, the Microsoft Security Configuration and Analysis tool (MSSCE) provides a centralized method to analyze or modify a system’s security settings. Figure 10.2 shows this tool. MSSCE is a Microsoft Management Console (MMC) snap-in that allows you to create or use security templates to apply to your environment. These security settings are stored in configuration files and can be applied to all the machines in your environment.

Figure 10.2: The Security Configuration and Analysis tool.

Predefined Security Templates

The MSSCE includes several predefined templates in the %WINDIR%\Security\Templates directory. The security templates included with the MSSCE are:

- Basicdc.inf—Default domain controller
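To make the salt point from the LAN Manager Authentication section concrete, here is an added PowerShell example (not the book's code): a stand-in for the unsalted, case-folded password store the chapter describes, beside a salted one, using SHA-256 in place of the real NT hash functions because the property being shown is the salt, not the algorithm. It assumes PowerShell 3.0 or later on .NET 4.x.

```powershell
# Added example (not from the book): why the chapter calls an unsalted
# password store weak. SHA-256 stands in for the NT one-way hash; the salt
# is the point, not the algorithm. Assumes PowerShell 3.0+.

function Get-HexHash([byte[]]$Bytes) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try { ($sha.ComputeHash($Bytes) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $sha.Dispose() }
}

# Unsalted and uppercased first, the way the chapter describes LAN Manager:
# every account with the same password gets the same stored value, and
# "Summer2001" and "SUMMER2001" collapse into one candidate.
function Get-UnsaltedHash([string]$Password) {
    Get-HexHash ([Text.Encoding]::UTF8.GetBytes($Password.ToUpperInvariant()))
}

# Salted: a random per-account value is hashed together with the password
# and stored beside it, so equal passwords give different stored values and
# a hash computed for one account tells you nothing about another.
function New-SaltedRecord([string]$Password) {
    $salt = New-Object byte[] 16
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($salt)
    $hash = Get-HexHash ($salt + [Text.Encoding]::UTF8.GetBytes($Password))
    [pscustomobject]@{ Salt = [Convert]::ToBase64String($salt); Hash = $hash }
}

# Verification recomputes the hash with the stored salt; no table of
# precomputed hashes can be reused across accounts.
function Test-SaltedRecord($Record, [string]$Password) {
    $salt = [Convert]::FromBase64String($Record.Salt)
    (Get-HexHash ($salt + [Text.Encoding]::UTF8.GetBytes($Password))) -eq $Record.Hash
}

# Constructed sample: two accounts that chose the same password in different case.
$alice = 'Summer2001'; $bob = 'SUMMER2001'

$unsalted = @{ alice = Get-UnsaltedHash $alice; bob = Get-UnsaltedHash $bob }
"Unsalted stored values identical: $($unsalted.alice -eq $unsalted.bob)"

$salted = @{ alice = New-SaltedRecord $alice; bob = New-SaltedRecord $bob }
"Salted stored values identical:   $($salted.alice.Hash -eq $salted.bob.Hash)"
"Alice still verifies:             $(Test-SaltedRecord $salted.alice $alice)"
"Bob with the wrong case:          $(Test-SaltedRecord $salted.bob 'summer2001')"
```

The first line reports True and the second False, which is the whole difference the chapter is pointing at: without a salt, one cracked hash is every account that shares the password.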