The first step in evaluating application security is to baseline the system. The purpose is to evaluate what happens when you install the software. There are several interesting things you want to know:
You need to use various tools to do this. One very useful one is InCtrl5, which does most of the work automatically for you. You can get it at http://www.pcmag.com/article2/0,4149,9882,00.asp. However, we have had problems running certain installers under tools like this, not to mention how slow the installer gets, so we usually prefer to baseline the system first and then create a second snapshot afterward, letting the installer work the way it should. InCtrl5 also does not track some of the things we list above because it is primarily written as a troubleshooting tool for advanced end users. To that end, we usually use a series of other tools that can track all this information.
Few tools in the operating system will help you here, but a couple are worth pointing out. The secedit.exe tool in Windows Server 2003 contains a /generaterollback switch. It is used to snapshot the security state of a system. Run secedit.exe with that switch prior to installing anything. Save the log file as baseline.log and copy it to a different system. It will contain a list of privileges and security settings currently set on the system.
To determine the ACLs, use the showaccs.exe tool from the Windows Server 2003 or Windows 2000 Support Tools. The syntax is relatively self-explanatory:
Showaccs V1.0 Copyright 1998 Microsoft Corporation
Usage: Showaccs <access profile file> [/f [<path>] /r /s /p /g /m <map file> /nobuiltins]
  <access profile file>  path of the .csv file to be generated
  /f [<path>]            for all NTFS files
  /r                     for Registry
  /s                     for file shares
  /p                     for printer shares
  /g                     for local groups
  /m                     generate a map file
  <map file>             map file path for /m option
  /nobuiltins            for no built-in groups
Use the appropriate options to generate the right log files. For instance, to find out what happens to the ACLs in the Program Files directory, use this command:
showaccs c:\progfiles.csv /f "c:\program files"
A map file is very useful because it contains a mapping from SIDs to usernames that are used in the directory or Registry structure. Run this tool five times, once each for the file system, the Registry, the file shares, the printer shares, and, finally, once for a list of the local groups. Save each of the log files (which will usually be huge).
The last thing we need is the user list. A simple net user will give us that list, but keep in mind that it will not show any user that has a $ at the end of the name. You will only see those in the GUI users and groups management tools.
Now install the software. Then run the same tools again. At this point, you have a before and after snapshot. Use some file differencing tool to find out what the differences are. For instance, windiff.exe, also shipped with the support tools, will do this nicely. The Windows ports of the UNIX diff tools are more powerful, however, because they enable us to create a text file with just the differences. You can get those tools in several places, including the free Interix toolkit, part of Services for UNIX, from Microsoft. You can get those at http://www.microsoft.com/windows/sfu/productinfo/overview/default.asp.
After you have a list of the changes, you are ready to analyze what was done by the software installer. Make a list of all the changes, and look for anything that seems suspicious, such as full control ACLs, new privileges added to users, new administrators, new services, new databases, and so on. In the following section, we examine a number of things that should be red flags.
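As an added example (not from the book), here is a small Python script that performs the diff-and-analyze step over two constructed before/after snapshots and applies the red-flag rules just listed. The four-column CSV layout of the snapshots is an assumption for illustration, not the real output format of showaccs.exe or secedit.exe.

```python
import csv
import io

# Constructed sample snapshots (an assumption: a simplified four-column CSV,
# not the exact column layout that showaccs.exe or secedit.exe emit).
BEFORE = """kind,object,principal,right
acl,C:\\Program Files,BUILTIN\\Users,Read & Execute
acl,C:\\Program Files,BUILTIN\\Administrators,Full Control
group,Administrators,Administrator,member
priv,SeDebugPrivilege,BUILTIN\\Administrators,granted
"""
AFTER = """kind,object,principal,right
acl,C:\\Program Files,BUILTIN\\Users,Read & Execute
acl,C:\\Program Files,BUILTIN\\Administrators,Full Control
acl,C:\\Program Files\\Acme,Everyone,Full Control
group,Administrators,Administrator,member
group,Administrators,acmesvc,member
priv,SeDebugPrivilege,BUILTIN\\Administrators,granted
priv,SeTcbPrivilege,acmesvc,granted
service,AcmeAgent,LocalSystem,auto
"""

# Broad principals for which a new Full Control ACE is a red flag.
BROAD_PRINCIPALS = {"Everyone", "Users", "Authenticated Users"}

def parse(text):
    """Turn a snapshot into a set of (kind, object, principal, right) tuples."""
    return {(r["kind"], r["object"], r["principal"], r["right"])
            for r in csv.DictReader(io.StringIO(text))}

def snapshot_diff(before_text, after_text):
    """Return (added, removed) rows, the same job windiff or diff does."""
    before, after = parse(before_text), parse(after_text)
    return sorted(after - before), sorted(before - after)

def red_flags(added):
    """Apply the red-flag rules from the text to the rows the installer added."""
    flags = []
    for kind, obj, who, right in added:
        short = who.split("\\")[-1]          # drop the BUILTIN\ or domain prefix
        if kind == "acl" and right == "Full Control" and short in BROAD_PRINCIPALS:
            flags.append(f"full control ACL for {who} on {obj}")
        elif kind == "group" and obj == "Administrators":
            flags.append(f"new administrator: {who}")
        elif kind == "priv":
            flags.append(f"new privilege {obj} granted to {who}")
        elif kind == "service":
            flags.append(f"new service {obj} running as {who} ({right} start)")
    return flags

if __name__ == "__main__":
    added, removed = snapshot_diff(BEFORE, AFTER)
    for line in red_flags(added):
        print("RED FLAG:", line)
```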