Sunday, January 30, 2011

Steamlining the manual Windows checklist process with regards to the findings checks

I just came off an auditing engagement (and have to go right back out again.)  On this past trip, we ran into a Windows 7 machine; and I did not have Oval (in order to use the xml file.)  So, it was off to the checklist to perform a manual audit.  I don't mind performing a manual audit, however.....

I wish the checklist was broken out by the relevant area of the machine being audited.  For example, when looking at the Local Security policy, let's look at ALL of the policies at one time.  Or, when looking at the registry, stay in one hive and look at all of the pertinent keys at once; instead of jumping all over the place.  I found it extremely frustrating to be in HKLM\Software\Policies\Microsoft..... and then have to switch to HKLM\Software\Microsoft\CurrentVersion....only to have to switch back to the Policies subkey.  It seems it would be easier to cover all of the keys in one shot before moving out of the particular hive or key set.  The same goes with the DumpSec checks.

Certainly, performing the manual checks is not too difficult.  I believe, though, it would be easier to group all like-checks together so as not to jump around so much and introduce potential errors or omissions.  Just my $0.02.

If anyone knows why the checklists are grouped in the order that they are grouped, I would love to know.

Tuesday, January 25, 2011

Finding MS SQL servers that are listening

I learned a new trick today to find potentially listening MS SQL servers in a networked environment.  Currently, I have a process where I go through netstat results, gathered from the audited servers, looking for servers that have a MS SQL server listening.  However, a co-worker taught me a neat trick.  From a sql server, issue the following command from a command prompt:
osql -l

This will return a list of servers that are listening.  I know that you still have to check out the servers, but it is a good quick and dirty method of finding other SQL servers.  This has already proven helpful when the client is not the most forthcoming about how many SQL servers they have, or does not know all of the SQL servers on their network.

DISA first quarter 2011 STIGs release has been delayed

A note on DISA's STIG page indicates that the quarterly STIG release has been pushed to the first week of February, 2011.  I did not see a reason for the delay and if I hear of the reason for the delay,; I will update this post.

Auditing IIS 7 web servers - I'm looking for suggestions

DISA has said, via their FAQ, that the TIM for the IIS 7 STIG is not scheduled until March 1, 2011.  My question is, how do you audit IIS 7 installations?  I have seen that there are differences between IIS 6 and IIS 7 that preclude using the IIS 6 STIG on an IIS 7 server.  Any suggestions?

Saturday, January 22, 2011

The circle is complete

"Army...Navy...Air Force...Marines.  What a great place, it's a greaaaat place, To Start!"

A funny scene from Stripes.

My first auditing trip was to a Marine installation.  After that, I worked on two large Army assignments.  When those projects finished I moved to a very long Air Force project encompassing many accreditations.  This week I travel to perform my first Navy audit.

I do not really have a favorite, or a branch that I do not like to work for.  Each branch has their own unique nuance and idiosyncrasies that make it a little different.

Wednesday, January 19, 2011

IAVM Analysis

I have worked on a couple of tasks just recently where I have had to perform one form of IAVM analysis or another. Typically in the past, I perform the application development interview for the GOTS application. In the past, I have used the JTF-GNO site (linked off of DISA's site) in order to find detailed information on the particular IAVM.  However, I've noticed recently that not only does one need a CAC, but now you have to come from a .mil domain.  So, my question is:  besides the actual STIGs, where else can you get good information on particular IAVMs?  CAC-enabled sites are ok.

Saturday, January 15, 2011

Badass LEGO Guns

I was reading the latest edition of Linux Journal today, and came across a review of this book.  This is immediately entering my book wish list to aid in the defense of my office.  I've mentioned some other books along the same topic.

Tuesday, January 11, 2011

Fiscal Year 2011 STIG release schedule

I went looking for a STIG the today, and happened to see the notice regarding when the Gold Disk and checklists are being updated.  I seem to recall updates six to times a year, but this year it appears to be four times.  This page has the dates.  The page was updated in early December, so must have missed it when it was released.
The dates are:
  • 28 January 2011
  • 29 April 2011
  • 29 July 2011
  • 28 October 2011

Also, I noticed that the TIM and DSAWG schedule was released, and included IIS 7 and Sharepoint 2010.  Those are two applications that I have seen more and more of on recent testing trips.  Sharepoint has always been tricky to test, sort of a blend between database and web checks.  And with more and more Windows 2008 servers in data centers, I'm seeing more IIS 7 than 6.  The schedule is listed here.

Monday, January 10, 2011

Tidying Up

I've been pruning here and there just to tidy the place up a bit in preparation for a more productive 2011.  Sometimes, I feel like I'm at a crossroads, never sure what direction I want to move.  As my travel schedule starts to fill up, I try to stay as focused on the task at hand as possible, and do the best job I can.

Sunday, January 2, 2011

Kudos to my bank

Brian Krebs has detailed many many occurrences of small business losing money to bank fraud; typically due to accounts being hacked from a trojan or other malware.  If you read through the articles, you'll find many mitigations to help ensure you do not lose money.

So, I was a little surprised when I received a flyer tucked into my bank account.  It contained the following bullet points:
  • Maintain current anti-virus software, firewalls and malware removal tools on computers that access the internet.
  • Update and "patch" your software regularly to make certain you are protected from the latest threats.
  • Use unique, difficult passwords that contain a mix of letters and numbers with upper and lower-case letters.
  • Never open suspicious emails or click on links within emails from unknown senders.
  • Watch the URL in browser's address bar as you go to websites.  Criminals can redirect you to a counterfeit website that looks like the real thing.
  • Frequently reconcile your bank accounts in order to detect suspicious account activity.
  • Consider dedicating a computer specifically for online banking; one that is never used for email or web browsing.

That's a pretty good list.  I'm sure you could add to it.  I wonder if they've read Brian's site?