Windows Auditing Basics

There are some key things that you need to know about auditing Windows that will make you more accurate and efficient. Remember that Windows is just a platform, and you have to consider the overlying applications that make use of the platform before you can bless off a machine as passing an audit. Take a look at Figure 6-1, which we like to use when teaching classes to hammer home this concept. Notice the applications across the top. The more applications you add to the platform, the more potential trouble areas you have as an auditor. Consider the other chapters in this book as a supplement to get you started in considering the challenges the other applications bring to the table. This concept is true for any platform, including Unix, Solaris, Mac, and others. If you understand this concept, then you understand why an external security scanner cannot see everything you need to check for without logging onto the host.

Figure 6-1: Auditing hosts model.

Most Windows hosts in a company are part of a domain. This automatically suggests there are other attack vectors that can be exploited, intentionally or not, to access or violate the integrity of your host. For example, if an employee doesn't have access to the payroll server but he or she has domain administrator rights for the domain that the payroll server belongs to, and he or she has a bad day: oops!

There are mitigating controls for situations like this. This is part of your responsibility as an auditor to ensure that mitigating controls are in place. In this situation, removing the Domain Administrators group from the local Administrators group and adding an application-specific group will mitigate these types of implicit/inherited security permissions.

The point is to carefully consider the trust relationships, implicit and explicit (indirect and direct), that affect your host. The scope of your audit may be just one host, but you may miss vulnerable avenues of attack if you narrow your view too much.
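The following script is an added example (it is not from the book) of checking the mitigating control just described: it lists the local Administrators group and flags Domain Admins membership as a failure, an application-specific group as expected, and anything else for review. It assumes Windows 10 / Server 2016 or later, where Get-LocalGroupMember is available, and uses "PAYROLL-App-Admins" as a hypothetical application-specific group name; substitute your own.

```powershell
# Added example, not from the book: audit the local Administrators group for
# inherited domain-level rights. Assumes Windows 10 / Server 2016 or later
# (Get-LocalGroupMember ships in Microsoft.PowerShell.LocalAccounts).
# "PAYROLL-App-Admins" is a hypothetical application-specific group that
# stands in for the mitigating control the chapter describes.

param(
    [string[]]$ExpectedGroups = @("PAYROLL-App-Admins")
)

function Get-AdminMembershipFindings {
    param(
        [Parameter(Mandatory)][object[]]$Members,
        [string[]]$Expected
    )

    foreach ($m in $Members) {
        # Get-LocalGroupMember reports Name as "DOMAIN\Principal" or "HOST\Principal";
        # keep only the principal part for the comparisons below.
        $short = ($m.Name -split '\\')[-1]

        $finding =
            if ($m.ObjectClass -eq 'Group' -and $short -eq 'Domain Admins') {
                'FAIL: Domain Admins inherits local admin; replace with an application-specific group'
            } elseif ($m.ObjectClass -eq 'Group' -and $Expected -contains $short) {
                'OK: expected application-specific group'
            } elseif ($m.ObjectClass -eq 'Group' -and $m.PrincipalSource -eq 'ActiveDirectory') {
                'REVIEW: other domain group nested in local Administrators'
            } elseif ($m.ObjectClass -eq 'User') {
                'REVIEW: individual account holds local admin directly'
            } else {
                'INFO: local group or unresolved principal'
            }

        [pscustomobject]@{
            Member  = $m.Name
            Class   = $m.ObjectClass
            Source  = $m.PrincipalSource
            Finding = $finding
        }
    }
}

$members = Get-LocalGroupMember -Group 'Administrators'
$report  = Get-AdminMembershipFindings -Members $members -Expected $ExpectedGroups
$report | Format-Table -AutoSize

if ($report.Finding -match '^FAIL') {
    Write-Warning "Host $env:COMPUTERNAME fails the implicit-trust check for the local Administrators group."
}
```

Run it on the audited host as an administrator; the warning at the end gives a single pass/fail signal while the table supplies the evidence for the working papers.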

Consider scheduling some time on your calendar to finally learn what the tools listed below actually do. There are many more than what we present here. You might be surprised at how easy most of them are to use and how much more efficient you become because you know the shortcuts to getting just the information you want. As auditors, it's easy to get tied down into "knowing what you gotta know" to get the job done. Most administrators of any caliber actually enjoy showing others the ropes. You can be assured that if you show up to an administrator's office asking about an obscure tool, you'll get his or her attention, and one of you will walk away a little wiser for the visit.

Command-Line Tips

For those of you who are comfortable with the command line on a Unix-flavored host, you will appreciate installing Unix functionality with the GnuWin32 utilities (available from the GnuWin32 project website). The benefit is that several utilities you miss, such as ls, sed, grep, more, and cat, now will work from your command line in Windows. You could also install Cygwin or other toolkits that provide similar functionality. It's also possible to create scripts based on these binaries to manipulate the text output from standard Windows utilities.


If you like the command line and enjoy scripting, make sure to take advantage of the resources located in Microsoft's scripting center website. It is located at

Essential Command-Line Tools

There are several tools that should be in every administrator's back pocket, even beyond the scope of the extensive adminpak (Administrator's Pack) and reskit (Resource Kit) tools that Microsoft makes available. Some of these are listed below. Keep in mind that with today's complex networks and firewalls, not all these will work the way they did a few years ago. Test every tool in a lab environment prior to running them on a production network.

Microsoft has an outstanding built-in command-line help file available by typing HH "ntcmds.chm" at the command line (with the quotes exactly as shown). Type help cmd for general information about using the command line in Windows. The company has more information on its website. Search for "Command-Line Reference" using Google, and visit the first Microsoft website that comes up: resources/documentation/windows/xp/all/proddocs/en-us/ntcmds.mspx?mfr=true.


The various tools discussed below can be powerful. More than likely you are going to be just fine installing and running the tools on your own personal machine. However, follow best practices. You should learn how these tools work on another computer off the network in a test environment prior to using them on your production network and systems. Often you can use VMware or Virtual PC to do this.

Resource Kit Tools

The Resource Kit contains more than 120 different tools for administering systems, troubleshooting systems, managing Active Directory, configuring security features, and much more. You can download the Resource Kit tools from Microsoft's website. The quickest way to find these is to go to Google and type in "Microsoft Resource Kit Tools." Select and download the Windows Server 2003 version of the tools. Given time, you may find useful some of the tools from the old NT or 2000 reskits that are no longer carried in the Windows 2003 reskit. These are beyond this chapter's scope and will not be discussed here.

SysInternals Tools

The SysInternals tools quickly dissect the inner workings of the operating system and produce meaningful results. These are essential to help administrators manage servers. Download SysInternals tools from the website

Several organizations make the decision to include some of the PsTools as part of the standard build for servers and clients. You should think out this decision carefully because it's not appropriate for all situations. For example, your DMZ servers and other bastion hosts should be stripped of everything that isn't necessary.

For auditing purposes, you can always load the tools you need into a folder on the server, open a command prompt, and go to that folder to run the tools from the command line.

Other Tools

There are many, many other tools available. Some of these are listed below and discussed in the different audit steps. A free tool at the time of this writing is the Windows Forensic Toolchest (WFT), written by Monty McDougal. This tool serves as a wrapper for command-line tools listed below or others you may want to add. It is currently part of the SANS forensic track. Download and learn more about it at

Common Commands

Table 6-1 presents a list of command-line tools used throughout this chapter.

Table 6-1: List of Common Commands Used in This Chapter

Tool | Description | Where to Get It
(not captured) | List system information, including installed service packs, patches, applications, and drive information | (not captured)
(not captured) | List system information | Native command
(not captured) | List running processes | (not captured)
(not captured) | List all installed services | (not captured)
(not captured) | Brings up the Windows Security Center | Native command
(not captured) | Display or modify network configuration | Native command
(not captured) | Provides network information | Native command
psservice | List service information | (not captured)
(not captured) | Tool for talking with the service controller | Native command
(not captured) | GUI and command-line "Swiss army knife" of the security settings | (not captured)
(not captured) | GUI view of processes mapped to ports | (not captured)
(not captured) | Very powerful GUI process explorer | (not captured)
(not captured) | Command-line view of processes mapped to ports | proddesc/fport.html (URL truncated)
(not captured) | Lists scheduled tasks at the command line | Native command
(not captured) | Lists boot partition information | Native command
(not captured) | Lists file move operations scheduled for the next reboot | (not captured)
(not captured) | Lists everything scheduled to start when your computer starts up (GUI version) | (not captured)
(not captured) | Lists everything scheduled to start when your computer starts up (command-line version) | (not captured)
(not captured) | Opens the resulting set of security policies on your host when run from the Start/Run box or command line | Native command
(not captured) | Opens just the local computer policy | Native command
(not captured) | Dumps Windows password hashes into a format usable by nearly all free and commercial password crackers | (not captured)
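The chapter's advice to load the tools you need into a folder and run them from there, its note that scripts can post-process the output of standard Windows utilities, and the wrapper idea behind WFT all come together in the following added example. It is not the book's code and not WFT: it runs the native commands from Table 6-1 that exist on every supported Windows build, writes each output to a timestamped folder, joins listening TCP ports to their owning processes (the view fport and TCPView give), and records SHA-256 hashes so the evidence can later be shown to be unaltered. It assumes Windows 8 / Server 2012 or later with PowerShell 4 or newer (Get-NetTCPConnection and Get-FileHash), and C:\AuditEvidence is an assumed output path.

```powershell
# Added example, not from the book or from WFT: collect host-level audit
# evidence from native commands into a timestamped folder with a hash manifest.
# Assumes Windows 8 / Server 2012 or later and PowerShell 4+ (Get-NetTCPConnection,
# Get-FileHash). $OutRoot is an assumed path; adjust it for your environment.

param(
    [string]$OutRoot = "C:\AuditEvidence"
)

$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$outDir = Join-Path $OutRoot "$env:COMPUTERNAME-$stamp"
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Native commands from Table 6-1 (and the ntcmds.chm help file), one output file each.
# sc.exe is spelled out because "sc" is a PowerShell alias for Set-Content.
$commands = [ordered]@{
    'systeminfo.txt'  = { systeminfo }
    'tasklist.txt'    = { tasklist /v }
    'services.txt'    = { sc.exe query state= all }
    'netstat.txt'     = { netstat -ano }
    'ipconfig.txt'    = { ipconfig /all }
    'schtasks.txt'    = { schtasks /query /fo LIST /v }
    'localadmins.txt' = { net localgroup Administrators }
}

foreach ($name in $commands.Keys) {
    $file = Join-Path $outDir $name
    # Capture stderr too, so a failed or missing command is visible in the evidence.
    & $commands[$name] 2>&1 | Out-File -FilePath $file -Encoding UTF8
}

# Listening TCP ports joined to the owning process: the fport / TCPView view,
# built from two native sources instead of a third-party binary.
Get-NetTCPConnection -State Listen |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            PID          = $_.OwningProcess
            Process      = if ($proc) { $proc.ProcessName } else { '(exited)' }
            Path         = if ($proc) { $proc.Path } else { '' }
        }
    } |
    Sort-Object LocalPort |
    Export-Csv -Path (Join-Path $outDir 'listening-ports.csv') -NoTypeInformation

# Hash manifest: re-run Get-FileHash later and compare to prove the files are unchanged.
Get-ChildItem -Path $outDir -File |
    Where-Object Name -ne 'SHA256SUMS.txt' |
    Get-FileHash -Algorithm SHA256 |
    ForEach-Object { "$($_.Hash)  $(Split-Path $_.Path -Leaf)" } |
    Out-File -FilePath (Join-Path $outDir 'SHA256SUMS.txt') -Encoding ASCII

Write-Host "Evidence written to $outDir"
```

Run it from an elevated prompt on the host under review; the Path column in listening-ports.csv is empty for processes the current account cannot open, which is itself worth noting in the findings rather than silently ignoring.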

Server Administrative Tools

The Windows Server 2003 administrative tools (adminpak.exe) install on Windows XP and Windows Server 2003. Most of the tools in the Adminpak are used for AD domain-specific administration. If the subject of the audit is part of the AD infrastructure, then these tools may be of use. The Adminpak allows administrators to perform remote server management functions and includes several great tools whose functionality is otherwise difficult to duplicate.


You can easily add the Microsoft Windows Server 2003 administrative tools to your desktop or laptop computer. Just visit Google, type "Microsoft adminpak," and follow the link to Microsoft's downloads page for the Windows Server 2003 Administration Tools Pack. After downloading the .msi package onto your computer, you need to run the file to install the tools onto your system.

IT Auditing: Using Controls to Protect Information Assets
Year: 2004