Chapter 12 • Using Security-Related Tools
www.syngress.com   181_SerSec2e_12   9/6/01   9:09 AM   Page 558

Table 12.1 Continued

Option        Description
Start         Starts a service
Stop          Stops a service
ServiceName   Specifies the name of the service Registry key, which is not the same as the name shown in Services (Start | Programs | Administrative Tools | Services)
OptionName    The name of an optional command parameter
OptionValue   The value of the OptionName parameter

Using ScList

ScList shows all services on a computer. The services can be running or stopped. You can use ScList on the local machine or on remote machines. The requirements for using ScList are that the ScList.exe file is loaded from the Resource Kit and that the Server service is running on the computer that you want to query. ScList uses the following syntax:

sclist [-?] [-r] [-s] [MachineName]

Table 12.2 lists the ScList syntax options.

Table 12.2 Syntax Options for ScList

Option        Description
-?            Displays help
-r            Displays running services
-s            Displays stopped services
MachineName   The name of the remote computer whose services you want to list; not required for the local machine

Here is sample output from ScList:

running  Alerter            Alerter
stopped  AppMgmt            Application Management
stopped  Ati HotKey Poller  Ati HotKey Poller
running  Browser            Computer Browser
stopped  cisvc              Indexing Service
running  Client for NFS     Client for NFS
stopped  ClipSrv            ClipBook
running  CronService        Cron Service
running  Dfs                Distributed File System
running  Dhcp               DHCP Client
stopped  dmadmin            Logical Disk Manager Administrative Service
running  dmserver           Logical Disk Manager
running  DNS                DNS Server
running  Dnscache           DNS Client
running  Eventlog           Event Log
running  EventSystem        COM+ Event System
stopped  Fax                Fax Service
running  IISADMIN           IIS Admin Service
running  IsmServ            Intersite Messaging
running  kdc                Kerberos Key Distribution Center
running  lanmanserver       Server
running  lanmanworkstation  Workstation
running  LicenseService     License Logging Service
running  LmHosts            TCP/IP NetBIOS Helper Service
running  LPDSVC             TCP/IP Print Server
running  MacFile            File Server for Macintosh
running  MacPrint           Print Server for Macintosh
running  MapSvc             User Name Mapping
running  Messenger          Messenger
stopped  mnmsrvc            NetMeeting Remote Desktop Sharing
stopped  MSDSS              Directory Synchronization Service
running  MSDTC              Distributed Transaction Coordinator
running  MSFTPSVC           FTP Publishing Service
stopped  MSIServer          Windows Installer
stopped  NetDDE             Network DDE
stopped  NetDDEdsdm         Network DDE DSDM
running  Netlogon           Net Logon
running  Netman             Network Connections
running  NfsSvc             Server for NFS
running  ngdbserv           NGDatabase
running  NGServer           NGServer
running  NisSvc             Server for NIS
running  NntpSvc            Network News Transport Protocol (NNTP)
running  NtFrs              File Replication Service
running  NtLmSsp            NT LM Security Support Provider
running  NtmsSvc            Removable Storage
running  NWCWorkstation     Gateway Service for NetWare
running  Pcnfsd             Server for PCNFS
stopped  PerlSock           Perl Socket Service
running  PlugPlay           Plug and Play
running  PolicyAgent        IPSEC Policy Agent
running  ProtectedStorage   Protected Storage
running  Ptreesvc           Process Tree Service
stopped  RasAuto            Remote Access Auto Connection Manager
running  RasMan             Remote Access Connection Manager
stopped  RemoteAccess       Routing and Remote Access
running  RemoteRegistry     Remote Registry Service
running  RpcLocator         Remote Procedure Call (RPC) Locator
running  RpcSs              Remote Procedure Call (RPC)
stopped  RshSvc             Remote Shell Service
stopped  RSVP               QoS RSVP
running  SamSs              Security Accounts Manager
stopped  SCardDrv           Smart Card Helper
stopped  SCardSvr           Smart Card
running  Schedule           Task Scheduler
running  seclogon           RunAs Service
running  SENS               System Event Notification
stopped  SharedAccess       Internet Connection Sharing
running  SMTPSVC            Simple Mail Transport Protocol (SMTP)
running  Spooler            Print Spooler
stopped  SysmonLog          Performance Logs and Alerts
running  TapiSrv            Telephony
running  TermService        Terminal Services
running  TlntSvr            Microsoft Telnet Service
running  TrkSvr             Distributed Link Tracking Server
running  TrkWks             Distributed Link Tracking Client
stopped  UPS                Uninterruptible Power Supply
stopped  UtilMan            Utility Manager
running  W32Time            Windows Time
running  W3SVC              World Wide Web Publishing Service
running  WinMgmt            Windows Management Instrumentation
running  Wmi                Windows Management Instrumentation Driver Extensions

Using the Service Monitoring Tool

The Service Monitoring tool (svcmon) monitors when services are started or stopped. Svcmon works locally and remotely, and it sends you an e-mail when a service changes state. Svcmon polls the services every 10 minutes (this is the default and can be changed) to determine whether they are in the same state as they were in the previous poll.

Svcmon is not completely installed when you install the Resource Kit. You must copy the svcmon executable file from the Resource Kit installation location to %windir%\system32. The following files are required for svcmon:

■ Svcmon.exe   The Service Monitoring tool executable file.
■ Smconfig.exe The Service Monitor Configuration Wizard. Exercise 12.6 walks you through using smconfig.exe.

Exercise 12.6 Running the Service Monitor Configuration Wizard

1. After copying svcmon.exe into the system32 directory, you are ready to configure the Service Monitoring tool by using the Service Monitor Configuration Wizard.
2. Click Start and choose Run.
3. In the Open line, type smconfig.exe and click OK. This starts the Service Monitor Configuration Wizard, shown in Figure 12.31.
4. Click Next to start the wizard. This displays the Exchange Information window shown in Figure 12.32.
5. In the Exchange Information window, enter the following:
   ■ Domain Name
   ■ User Name
   ■ Password
   ■ Exchange Profile
   ■ The names of the Exchange recipients who will receive the svcmon e-mail messages
6. After entering this information, click Next to go to the window where you choose which services to monitor. This window is shown in Figure 12.33.
7. Enter the services to be monitored and the server on which to do the monitoring by typing in the Machine Name that you want to monitor and choosing the Service from the list.
8. After choosing the Service, you can configure the Polling Interval. The default is 600 seconds (10 minutes).
9. Select Restart it if stopped (optional) if you want the service restarted when it fails; select Reboot server if restart failed to have the server reboot if the service cannot be restarted.
10. After making your choices, click Add Service. This adds the service to the list of services to be monitored. You must repeat Steps 7 through 9 for each service that you want to monitor. If you add a service incorrectly, select it and click Remove to remove it from the list.
11. After adding all of the services that you want to monitor, click Finish. This saves your selections.

Figure 12.31 The Welcome to Service Monitor Configuration Wizard Window
Figure 12.32 The E-Mail Information Section of the Service Monitor Configuration Wizard
Figure 12.33 The Service Selection Section of the Service Monitor Configuration Wizard

Using Registry Tools

Properly maintaining the Registry is important not only for security, but for stability as well. If you make changes to the Registry incorrectly, you could bring down your computer completely. Certain authors have been known to make this mistake themselves. Editing the Registry is usually accomplished through the Registry editors, Regedit or Regedt32. When you have many servers to maintain, being able to make changes from the command prompt is convenient, because it speeds up modifying multiple remote registries. Before you make changes, you should always back up your Registry; that way, if you damage it past the point of repair, you can restore it and everything is fine. The Registry Console tool from the Support Tools allows you to change the Registry from the command prompt. Registry Backup and Registry Restore from the Windows 2000 Resource Kit allow you to back up and restore the Registry.

Using Registry Backup

The preferred method of backing up the Registry is through the System State data within NTBackup (Start | Programs | Accessories | System Tools | Backup, or Start | Run and then typing Ntbackup). Unfortunately, you can't back up just the Registry using NTBackup. Registry Backup (RegBack) allows you to back up only the Registry, and it saves this information to a folder without requiring a tape backup. RegBack backs up only open keys; you can copy any keys that aren't currently being used with xcopy. RegBack saves the entire Registry hive, including the access control lists. Using RegBack requires the Backup Files And Folders privilege. The only file required to use RegBack is regback.exe. RegBack uses the following syntax:

regback [destination_dir] [filename hivetype hivename]

Table 12.3 lists the syntax options for RegBack.

Table 12.3 Syntax Options for the Registry Backup Tool

Option            Description
destination_dir   The location of the backup files.
filename          The name of the backup file.
hivetype          The two possible hive types are machine and users.
hivename          The name of the hive to be backed up. You can back up only hive roots.

The Registry Backup tool has the following limitations:

■ Backs up only files that are in the CONFIG folder, by default
■ Cannot back up files to a folder that already contains files with the same names
■ Backs up only active hives
■ Fails if the hive files don't all fit on the target
■ Stops at the first error
■ Reports one of three return codes:
  ■ 0  Backup was successful.
  ■ 1  There is a hive that requires manual backup.
  ■ 2  Used for all other errors.

Using Registry Restoration

Registry Restoration (RegRest) restores Registry files backed up with RegBack. Just as with RegBack, you must have the Backup Files And Folders privilege to use RegRest. RegRest takes the backed-up file and uses it to replace the file on the local hard drive. You must restart your computer for these changes to take effect. The only file required to use Registry Restoration is the RegRest executable file. RegRest uses the following syntax:

regrest [newfile savefile] [hivetype hivename]

Table 12.4 shows the RegRest syntax options.

Table 12.4 The Registry Restore Tool Syntax Options

Option     Description
newfile    The backed-up hive file, which is renamed and used to replace the old hivename file.
savefile   The old hive file is renamed with a .sav extension and moved to the location specified here.
hivetype   The two possible hive types are machine and users.
hivename   The name of the hive to be restored. You can restore only hive roots.

Be aware of the following before you use RegRest:

■ RegRest restores only files that are in the CONFIG folder.
■ RegRest restores only active hives (hives that are loaded).
■ You must have enough free disk space to hold the SAV files.
■ RegRest stops at the first error.
■ RegRest reloads the entire hive, including access control lists (ACLs). You may restore a hive and find that you have different permissions than before.
■ RegRest reports one of three return codes:
  ■ 0  The backup was successful.
  ■ 1  There is a hive that requires manual backup.
  ■ 2  Used for all other errors.

Running the Registry Console Tool

The Registry Console tool (Reg) allows you to work with the Registry from the command prompt. You can use Reg to script changes to the Registry on local or remote computers. Reg is included with the Support Tools. You can use Reg to make changes to the following Registry locations:

■ HKEY_CLASSES_ROOT (HKCR)           Available only on local computers.
■ HKEY_CURRENT_CONFIGURATION (HKCC)  Available only on local computers.
■ HKEY_CURRENT_USER (HKCU)           Available on both local and remote computers.
■ HKEY_LOCAL_MACHINE (HKLM)          Available on both local and remote computers.

Reg supports the following Registry value types:

■ REG_BINARY
■ REG_DWORD
■ REG_DWORD_LITTLE_ENDIAN
■ REG_DWORD_BIG_ENDIAN
■ REG_EXPAND_SZ
■ REG_MULTI_SZ
■ REG_NONE
■ REG_SZ

Reg supports the following commands:

■ Add      Makes an addition to the Registry.
■ Compare  Compares two Registry entries with each other. The entries can both be on the same computer or on remote computers.
■ Copy     Copies an entry to a different location.
■ Delete   Deletes an entry, subkey, or keys.
■ Export   Exports an entry to a file. Can be used only on local computers.
■ Import   Imports an entry from a file. Can be used only on local computers.
■ Load     Temporarily loads a key or hive into the root of the Registry. Loads the information from a Reg Save file.
■ Query    Displays information about entries under a subkey, key, or hive.
■ Restore  Restores an entry, subkey, key, or hive from a Reg Save file.
■ Save     Copies an entry, subkey, key, or hive to a file. The HKLM\Security subkey is system protected, so you cannot save it.

[...]
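The polling loop that Exercise 12.6 configures, as an added example (written here, not part of the book or of svcmon): it snapshots the watched services, re-reads them at the svcmon default interval, logs every state change, and optionally restarts a service found stopped. It assumes Windows PowerShell 5.1 (Get-Service -ComputerName is not available in PowerShell 7), rights to query and start services on the target, and illustrative service names and log path.

```powershell
# Added example, not from the book: a svcmon-style poller in Windows PowerShell 5.1.
# Assumes the caller may query (and, with -RestartIfStopped, start) services on
# $ComputerName; the default watch list and log path are illustrative values.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [string[]]$Watch = @('Eventlog', 'Netlogon', 'RemoteRegistry', 'Schedule'),
    [int]$PollSeconds = 600,            # svcmon's default: 10 minutes
    [switch]$RestartIfStopped,          # svcmon's "Restart it if stopped" option
    [string]$LogPath = "$env:TEMP\svcmon-changes.log"
)

function Get-ServiceSnapshot {
    # Service name -> state, e.g. 'Eventlog' -> 'Running'.
    # -ErrorAction Stop makes an unknown service name in $Watch a hard failure.
    $snap = @{}
    Get-Service -ComputerName $ComputerName -Name $Watch -ErrorAction Stop |
        ForEach-Object { $snap[$_.Name] = $_.Status.ToString() }
    return $snap
}

function Compare-Snapshot([hashtable]$Old, [hashtable]$New) {
    # One record per watched service whose state differs from the previous poll.
    foreach ($name in $Old.Keys) {
        $now = if ($New.ContainsKey($name)) { $New[$name] } else { 'Missing' }
        if ($Old[$name] -ne $now) {
            [pscustomobject]@{ Service = $name; Was = $Old[$name]; Now = $now }
        }
    }
}

$previous = Get-ServiceSnapshot
$summary  = ($previous.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ' '
Add-Content -Path $LogPath -Value ("{0:s} baseline on {1}: {2}" -f (Get-Date), $ComputerName, $summary)

while ($true) {
    Start-Sleep -Seconds $PollSeconds
    try { $current = Get-ServiceSnapshot } catch { Write-Warning "poll failed: $_"; continue }
    foreach ($change in Compare-Snapshot $previous $current) {
        $msg = "{0:s} {1}: {2} went from {3} to {4}" -f (Get-Date), $ComputerName,
               $change.Service, $change.Was, $change.Now
        Write-Warning $msg
        Add-Content -Path $LogPath -Value $msg   # svcmon would mail this to the Exchange recipients
        if ($RestartIfStopped -and $change.Now -eq 'Stopped') {
            Get-Service -ComputerName $ComputerName -Name $change.Service | Start-Service
        }
    }
    $previous = $current
}
```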
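A scripted Registry change done the way this section recommends (back up first, change, verify, roll back on failure), as an added example that is not from the book: it uses the Reg Save, Add, Query and Restore commands. It assumes an elevated Windows PowerShell session (save and restore need the backup and restore privileges), the switches of current reg.exe (/v /t /d /f /y, which the Windows 2000 Support Tools version may not share), and placeholder key and value names.

```powershell
# Added example, not from the book: save a key, change it, read it back, and
# restore the saved hive file if the read-back does not match.
# Assumes an elevated session and current reg.exe switches; key/value names
# are placeholders, not settings the chapter recommends.
param(
    [string]$Key       = 'HKLM\SOFTWARE\ExampleCorp\Hardening',   # placeholder key
    [string]$Value     = 'AuditLogons',                            # placeholder value
    [int]$Data         = 1,
    [string]$BackupDir = "$env:TEMP\regbackup"
)

function Get-DwordValue([string]$K, [string]$V) {
    # Parses a "reg query" line such as "    AuditLogons    REG_DWORD    0x1"
    foreach ($line in @(reg query $K /v $V 2>$null)) {
        if ($line -match ('^\s*' + [regex]::Escape($V) + '\s+REG_DWORD\s+0x([0-9a-fA-F]+)')) {
            return [Convert]::ToInt32($Matches[1], 16)
        }
    }
    return $null    # key or value absent, or not a REG_DWORD
}

New-Item -ItemType Directory -Force -Path $BackupDir | Out-Null
$backup = Join-Path $BackupDir ('key-{0:yyyyMMdd-HHmmss}.hiv' -f (Get-Date))

# 1. Back up before touching anything (Reg "Save"). reg save refuses to overwrite
#    an existing file unless /y is given; a failed backup aborts the change.
$null = reg query $Key 2>&1
$keyExists = ($LASTEXITCODE -eq 0)
if ($keyExists) {
    reg save $Key $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg save of $Key failed; not changing it without a backup" }
}
$before = Get-DwordValue $Key $Value

# 2. Make the change (Reg "Add"); /f overwrites an existing value without prompting.
reg add $Key /v $Value /t REG_DWORD /d $Data /f | Out-Null

# 3. Verify by reading the value back (Reg "Query") rather than trusting the exit code.
$after = Get-DwordValue $Key $Value
if ($after -eq $Data) {
    $was = if ($null -eq $before) { 'unset' } else { $before }
    "OK: $Key\$Value is now $after (was $was); backup at $backup"
} elseif ($keyExists) {
    # 4. Roll back (Reg "Restore"): the saved hive file replaces the live key.
    Write-Warning "read back '$after' instead of $Data; restoring $Key from $backup"
    reg restore $Key $backup | Out-Null
} else {
    Write-Warning "read back '$after' instead of $Data, and there was no existing key to restore"
}
```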
[...] llssrv.exe 948 dbserv.exe 960 ntfrs.exe 968 rteng6.exe 988 ptreesvc.exe 1012 regsvc.exe 1024 locator.exe 1040 mstask.exe 1084 SSAgent.exe 1160 termsrv.exe 1184 winmgmt.exe 1236 dns.exe 1244 inetinfo.exe NetDDE Agent SYSTEM AGENT COM WINDOW 1320 ngserver.exe 1572 svchost.exe ModemDeviceChange 1904 explorer.exe [...]

[...] one server to another, you could copy off the data and use Permcopy to put back all of the permissions. The only file required is Permcopy.exe. Permcopy uses the following syntax:

permcopy \\SourceServer ShareName \\DestinationServer ShareName

Table 12.19 shows the syntax for Permcopy.

Table 12.19 Permcopy Syntax

Option                          Description
\\SourceServer ShareName        The source server [...]
\\DestinationServer ShareName   [...]

[...] (804)
rteng6.exe (2304)
dfssvc.exe (876)
dns.exe (1496)
inetinfo.exe (1504)
ismserv.exe (932)
llssrv.exe (944)
locator.exe (1232)
mapsvc.exe (1548)
msdtc.exe (524)
msiexec.exe (620)
mstask.exe (1320)
nfsclnt.exe (840)
nfssvc.exe (1148)
ngserver.exe (2332)
nissvc.exe (1568)
ntfrs.exe (1168)
pcnfsd.exe (1616) [...]

[...] with the following tools to help manage your processes:

■ Process Viewer
■ Task List Viewer
■ Task Killing utility

The Windows 2000 Server Resource Kit provides you with the following process management tools:

■ Process Tree
■ PuList

Running the Process Viewer

Process Viewer is a graphical tool that shows [...]

[...] 8. Figure 12.39 shows the Ready to Install window. As the name indicates, this window is making sure that you are ready to install Ptree. Click Back to make any necessary changes. When you are ready to perform the actual installation, click Install.

Figure 12.39 The Ready to Install Window

9. The progress bar shown [...]

[...] processes. It does, however, have one nice feature that Ptree does not have: PuList shows the name of the user running the process. The only file required to run PuList is pulist.exe. PuList has the following syntax:

pulist [\\servername] [\\servername] …

Table 12.11 explains the syntax for PuList.

Table 12.11 [...]

[...] going on just to be safe. The most common way to view Windows 2000 logging is with the Event Viewer (Start | Programs | Administrative Tools | Event Viewer, or Start | Run and then typing Eventvwr). The Windows 2000 Server Resource Kit provides you with many tools to do detailed logging. You can do logging [...]

[...] aren't working just right. The tools discussed in this section help you accomplish these goals. The following tools are provided with the Windows 2000 Server Resource Kit:

■ Service ACL Editor
■ Permcopy

The following tools are provided with Support Tools:

■ ACL Diagnostics
■ DsAcls

Using the Service ACL [...]

[...] always wins Service Grant Set Revoke Deny The permissions apply to the trustee. There are two types of permissions:

■ General
  ■ Execute
  ■ Full Control
  ■ Read
  ■ Write
■ Specific
  ■ Allow User-Defined Control Commands
  ■ Change Service Configuration
  ■ Continue or Pause Service
  ■ Enumerate Dependent Services [...]

[...] can kill running processes. There are many components to Process Tree:

■ Ptreedrv.sys                      The kernel driver
■ Ptreesvc.exe and Ptreesvcps.dll   A Windows 2000 service
■ Ptreesvr.dll                      The COM+ server
■ Ptree.exe                         The console client
■ Ptreeg.exe                        Allows managing multiple computers at the same time

Here is [...]