Posted by: Ken Harthun
Hacking, Intrusion detection, security awareness, Security practice
One of the services I provide to clients is proactive server and network maintenance. Part of my monthly routine involves checking to make sure that the security measures remain effective and haven’t been compromised. For the longest time, I had a series of five things I checked. One day, while researching a security issue, I stumbled upon SANS’ excellent cheat sheet, Intrusion Discovery Cheat Sheet v1.4 for Windows. I noticed that they specified two additional things to check, so I added those to my list as well. (It’s gratifying when such a respected authority as SANS Institute publishes something that validates what you have been doing.) Here are the checks and the order I do them in:
- Event logs: Anything unusual or suspicious in any log gets my attention. I am particularly sensitive to entries in the security log.
- Running processes and services: I sort task manager processes by user name and look for anything unusual (SANS recommends checking the performance for anything unusual). Then I examine the services using both
- Network usage: I look for unusual shares, open sessions, listening ports and NetBIOS over TCP/IP activity. Anything that doesn’t look normal is suspect.
- Registry keys: Strange entries in HKLM\Software\Microsoft\Windows\CurrentVersion\Run, Runonce and RunonceEx are suspect.
- File system: Unusually large files and sudden disk space changes can indicate system compromise.
- User manager: The SANS cheat sheet says to look for new, unexpected accounts in the Administrators group.
- Scheduled tasks: SANS recommends using both the command line and the GUI to look for unusual scheduled tasks, especially those that run with Administrator privileges, as SYSTEM, or with a blank user name. The cheat sheet also recommends checking autostart items in msconfig.exe.
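A read-only PowerShell sweep that covers most of the checks above (security log, Run keys, Administrators group, scheduled tasks, listening ports, shares and sessions) is shown here as an added example; it is not from the original post or the SANS cheat sheet. It assumes an elevated prompt on Windows 10 / Server 2016 or later, where these cmdlets are built in, and only prints state for a human to review.

```powershell
# Added example: read-only intrusion-discovery sweep. Run elevated.
# 1. Security log: failed logons (4625) and new accounts (4720) in the last day.
$since = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625,4720; StartTime=$since} `
    -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap -AutoSize

# 2. Registry autostart keys: every value under Run, RunOnce, RunOnceEx (HKLM and HKCU).
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        Write-Host "== $key"
        Get-ItemProperty -Path $key | Select-Object * -ExcludeProperty PS* | Format-List
    }
}

# 3. Administrators group: any member you did not add yourself is suspect.
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, PrincipalSource, ObjectClass | Format-Table -AutoSize

# 4. Enabled scheduled tasks that run as SYSTEM, elevated, or with a blank user.
Get-ScheduledTask | Where-Object {
    $_.State -ne 'Disabled' -and (
        [string]::IsNullOrEmpty($_.Principal.UserId) -or
        $_.Principal.UserId -match 'SYSTEM$' -or
        $_.Principal.RunLevel -eq 'Highest'
    )
} | Select-Object TaskName, TaskPath,
        @{n='RunAs';    e={ $_.Principal.UserId }},
        @{n='RunLevel'; e={ $_.Principal.RunLevel }} | Format-Table -AutoSize

# 5. Listening TCP ports mapped to the owning process and its image path.
Get-NetTCPConnection -State Listen | ForEach-Object {
    $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    [pscustomobject]@{ LocalPort = $_.LocalPort; PID = $_.OwningProcess
                       Process = $p.ProcessName; Path = $p.Path }
} | Sort-Object LocalPort -Unique | Format-Table -AutoSize

# 6. SMB shares and currently open sessions.
Get-SmbShare | Select-Object Name, Path, Description | Format-Table -AutoSize
Get-SmbSession -ErrorAction SilentlyContinue |
    Select-Object ClientComputerName, ClientUserName, NumOpens | Format-Table -AutoSize
```

Run it once on a known-good system and keep that output; on later runs, anything that differs from the baseline is what deserves a closer look.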
This is by no means a comprehensive list of security checks, but if there has been a system intrusion, some indication is likely to be found in one or more of the above items. Sys Admins generally get a feel for how their systems operate and often simply “get the feeling” that something isn’t right. It certainly happens to me sometimes; that’s when I start looking for unusual behavior. Often it turns out to be nothing; sometimes I catch something before it becomes an issue.
These checks can be applied to any system including workstations. You can even do them on your personal computers. If you’re not already doing checks like these, I highly recommend you start. You’ll enjoy even greater peace of mind if you do.