July 19, 2008: Poor Man’s Tripwire for Windows

I’ve been thinking lately: one of the more frustrating experiences in sysadmin work is finding that some configuration item on a server has changed, and wishing you’d known about it when it happened.

Imagine, for instance, you log on to SERVER17 and by happenstance you check the members of the local Administrators group, finding 27 accounts listed there. But you remember setting the server up a year ago with only 2 people in that group. So when did it change, and who did it, and why did they do that? But alas, your audit logs don’t go back that far, so you’ll never know. All you can do is clean it up and keep a closer watch on the server in the future.

We have monitoring solutions for uptime and performance. We have audit logs, but few people proactively monitor these (they are very verbose!). We have security auditing tools like MBSA. But these aren’t what I am thinking of. There is Tripwire for Windows, which is what I am thinking of, but it’s not inexpensive (a 2005 price quote has it at $4000 to get started, and more per monitored device).

So I set out to roll my own. And here is a first beta, which will monitor the items listed below. The idea here is that you run it via a scheduled task at regular intervals (perhaps daily or hourly), and it checks the current configuration of the server against the configuration as it was during the prior check. So when someone adds a local Administrator, or changes a service from Auto-start to Disabled, it can notify, say, a lead administrator of those changes.

  •  OSVersionServicePack 'OS Name, major service pack version, minor service pack version
  •  GetLocalAdmins 'list members of local Administrators group
  •  AdministratorLastPasswordChange 'finds date when Administrator account last changed password TODO: is account disabled?
  •  ListServices 'list all installed services and their start mode
  •  ListSoftware 'list software installed (via Windows Installer)
  •  ListHardware 'list installed hardware that has a PCI vendor code
  •  ListDisks 'list disks (except network drives)
  •  ListRAM 'list each RAM stick, size, and status (if available)
  •  ListNetwork 'list each IP-enabled NIC and the first IP/Gateway bound to it
  •  ListScheduledTasks 'TODO list Scheduled tasks with status and minimal schedule
  •  EventLogCriticalErrors 'TODO return critical errors since last run (maybe this is out of scope)
  •  WinsatPerfTests 'TODO if Vista/2008, run winsat perf (maybe this is out of scope)
  •  OpenPorts 'TODO ports listening on the server
  •  NTRights 'TODO NT Rights assignments
  •  GPOs 'TODO domain and local policies
  •  BootIni 'TODO Boot.ini
  •  LocalUsers 'TODO all local users (on non-DCs!)
  •  Reboot 'TODO notify if system was rebooted. Can we notify *before* system gets rebooted?
  •  EnvironmentVariables 'TODO track system-level env vars
  •  Routes 'TODO route print info
  •  FirewallConfig 'TODO firewall configuration
  •  TimeService 'TODO time service config
  •  HostsFile 'TODO check Hosts file
  •  LmHostsFile 'TODO check LmHosts file
  •  AuditConfig 'TODO check auditing configuration
  •  BackupOccurred 'TODO see if backups are happening
  •  EventLogConfig 'TODO check Event Logging configuration
  •  DomainRoles 'Determines domain membership, whether the system is a domain controller, and if so, some DC properties
  •  FSMOroles 'if DC, list FSMO roles
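The snapshot-and-diff loop described above (collect the current state, compare it with the state stored by the previous scheduled run, report what changed), as an added example in Python rather than the post's own VBScript: it parses constructed output of `net localgroup Administrators` and `wmic service get Name,StartMode /format:csv` (those commands, their output layout, the SERVER17 host, the CORP accounts and the PRIOR snapshot are all assumptions of this example), diffs it against the stored snapshot and returns the changes a notifier would send.

```python
import json
from pathlib import Path
def parse_net_localgroup(text):
    """`net localgroup <group>` output: members sit between the dashed line and the trailer."""
    members, in_body = {}, False
    for line in text.splitlines():
        if line.startswith("---"):
            in_body = True
        elif in_body and line.strip() and not line.startswith("The command"):
            members[line.strip()] = "member"
    return members

def parse_wmic_csv(text, key="Name", value="StartMode"):
    """`wmic ... /format:csv` output (Node column first); map the key column to the value column."""
    rows = [l.strip().split(",") for l in text.splitlines() if l.strip()]
    ki, vi = rows[0].index(key), rows[0].index(value)
    return {r[ki]: r[vi] for r in rows[1:]}

def diff_snapshots(prior, current):
    """(section, item, old, new) for each item added, removed or changed; snapshots are {section: {item: value}}."""
    changes = []
    for section in sorted(set(prior) | set(current)):
        old, new = prior.get(section, {}), current.get(section, {})
        for item in sorted(set(old) | set(new)):
            if old.get(item) != new.get(item):
                changes.append((section, item, old.get(item), new.get(item)))
    return changes

def check_server(state_file, admins_text, services_text):
    """One scheduled run: snapshot, diff against the stored snapshot, store it, return changes (none on first run)."""
    path = Path(state_file)
    current = {"LocalAdmins": parse_net_localgroup(admins_text), "Services": parse_wmic_csv(services_text)}
    changes = diff_snapshots(json.loads(path.read_text()), current) if path.exists() else []
    path.write_text(json.dumps(current, indent=1))
    return changes

# Constructed sample output, as the two commands would print it on SERVER17.
ADMINS_NOW = """Members
-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
CORP\\jdoe
The command completed successfully.
"""
SERVICES_NOW = """Node,Name,StartMode
SERVER17,Spooler,Auto
SERVER17,wuauserv,Disabled
"""
# Constructed prior snapshot: two admins, and Windows Update (wuauserv) still on Auto.
PRIOR = {"LocalAdmins": {"Administrator": "member", "CORP\\Domain Admins": "member"},
         "Services": {"Spooler": "Auto", "wuauserv": "Auto"}}
```

Running `diff_snapshots(PRIOR, ...)` over the sample output reports the added admin CORP\jdoe and the wuauserv start-mode change from Auto to Disabled; the JSON state file is what the scheduled task carries from one run to the next.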

Right now the script has no way to send mail or SMS or whatever; I’ll be adding that later. I’d love to get your feedback on this thing. Again, you can download it here.
