Government Security
Network Security Resources

Auditing Window's 2000

3 replies to this topic

#1 Guest_Jay_*

  • Guests

Posted 24 June 2003 - 12:58 PM

A friend of mine was running a Windows 2000 server with IIS enabled and was informed it was using too much bandwidth and was believed to be hacked. He has asked me to run an audit. It has been taken offline now. I don't know anything re IIS log files etc., so any tips would help, but here's what I came up with. Am I missing anything??

1 To map every open TCP and UDP port to a running executable.

2 Netstat -an to retrieve the connected IP addresses and opened port info. As it's offline, not going to gain anything??

3 Nbtstat -c Not much help as it's offline.

4 PSLIST Lists processes on the machine.

5 Dir /a /t:a /o:d /s c:\ The /a switch will list all files including hidden ones. The /t switch tells dir which time stamps you want to see. The /o:d switch tells the command you want it sorted by date.

6 NTLAST Checks the logon and logoff events and tells you when they were executed.

7 Retrieving the event logs

8 REGDMP, which comes with the NT/2000 resource kit, for dumping the registry into readable format.

This is going to be my first audit, so I will post later how I got on and the problems I faced. :blink:

#2 Jeremy


    Commander in Chief

  • Retired Admin
  • 2,459 posts

Posted 24 June 2003 - 01:18 PM

It is also recommended to audit user accounts and always audit both Success and Failures of Account Management. This enables you to see if someone has created an account for themselves, or tried to. Also audit logons. Looking for a success at an odd time, or a large amount of failures, will show if someone is trying to connect that shouldn't be. A hack through IIS doesn't let you do too much that would increase bandwidth that much, until you are able to logon to the server. These are more efficient if done prior to getting hacked though.
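The three checks Jeremy lists (logons at odd hours, a pile of logon failures, and account-management events) can be run over a Security log once it has been saved out of Event Viewer as CSV. The script below is an added example, not part of any post in this thread. The sample export is constructed for the example; its column layout and the users in it are made up, while the event IDs are the Windows 2000 Security log values (528 successful logon, 529 logon failure, 624 user account created).

```python
"""Scan an exported Windows 2000 Security log for the signs Jeremy describes:
logons at odd hours, bursts of failed logons, and account-management events."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample modelled on an Event Viewer "save as CSV" export.
# Every row below is made up for this example. Event IDs are the Windows 2000
# Security log values: 528 successful logon, 529 logon failure, 624 user account created.
SAMPLE_EXPORT = """\
Date,Time,Type,Event,User,Detail
06/21/2003,09:02:11,Success Audit,528,jsmith,Logon Type 2
06/21/2003,09:15:10,Failure Audit,529,kjones,Logon Type 2
06/21/2003,09:15:40,Success Audit,528,kjones,Logon Type 2
06/21/2003,17:48:03,Success Audit,528,jsmith,Logon Type 2
06/22/2003,03:10:05,Failure Audit,529,administrator,Logon Type 3
06/22/2003,03:10:30,Failure Audit,529,administrator,Logon Type 3
06/22/2003,03:11:02,Failure Audit,529,administrator,Logon Type 3
06/22/2003,03:11:45,Failure Audit,529,administrator,Logon Type 3
06/22/2003,03:12:10,Failure Audit,529,administrator,Logon Type 3
06/22/2003,03:13:33,Failure Audit,529,administrator,Logon Type 3
06/22/2003,03:14:20,Success Audit,528,administrator,Logon Type 3
06/22/2003,03:16:02,Success Audit,624,administrator,New Account Name: svc_update
"""

LOGON_SUCCESS, LOGON_FAILURE, ACCOUNT_CREATED = 528, 529, 624


def parse_export(text):
    """Return a list of records with a datetime and an integer event ID."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        when = datetime.strptime(row["Date"] + " " + row["Time"], "%m/%d/%Y %H:%M:%S")
        records.append({"when": when, "event": int(row["Event"]),
                        "user": row["User"], "detail": row["Detail"]})
    return records


def odd_hour_logons(records, start_hour=7, end_hour=19):
    """Successful logons outside the business-hours window [start_hour, end_hour)."""
    return [(r["user"], r["when"]) for r in records
            if r["event"] == LOGON_SUCCESS
            and not (start_hour <= r["when"].hour < end_hour)]


def failure_bursts(records, threshold=5, window=timedelta(minutes=10)):
    """Users with at least `threshold` failed logons inside any `window`-long span."""
    failures = defaultdict(list)
    for r in records:
        if r["event"] == LOGON_FAILURE:
            failures[r["user"]].append(r["when"])
    flagged = []
    for user, times in failures.items():
        times.sort()
        # Slide a window of `threshold` consecutive failures; one hit is enough.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.append((user, len(times)))
                break
    return flagged


def account_changes(records):
    """Account-management events, here account creation (624), in time order."""
    return sorted((r["when"], r["user"], r["detail"]) for r in records
                  if r["event"] == ACCOUNT_CREATED)


if __name__ == "__main__":
    recs = parse_export(SAMPLE_EXPORT)
    for user, when in odd_hour_logons(recs):
        print(f"odd-hour logon: {user} at {when}")
    for user, count in failure_bursts(recs):
        print(f"failure burst: {user} ({count} failures)")
    for when, user, detail in account_changes(recs):
        print(f"account change: {when} by {user}: {detail}")
```

On the constructed data the three checks line up in time: six failures against administrator in under four minutes, then a success at 03:14, then a new account two minutes later. A single mistyped password (kjones at 09:15) stays below the burst threshold and is not reported. As Jeremy says, none of this exists unless auditing of logon events and account management was switched on before the incident.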

#3 Travis



  • Sergeant Major
  • 2,101 posts

Posted 24 June 2003 - 04:54 PM

Netstat can be hacked...

#4 Blake


    Former Commander In Chief

  • Retired Admin
  • 7,334 posts

Posted 25 June 2003 - 09:28 AM

Good start.... But the actual first place I would start is with the HTTP logs. Default location: C:\winnt\LogFiles\W3SVC1

Now you could look through them manually, but that would take forever. So load them up into webalizer, which is free and does have a Windows distro (I believe).

After the report has run you can view which IP address requested the most by KB. Here you can determine if there was an abnormal spike. Which would be a dead giveaway.

I'll think of some more in a bit. Keep me posted on progress and I'll give you some tips.
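The "which IP requested the most by KB" report Blake describes can also be produced directly from the W3SVC1 files without webalizer, since IIS writes them in the W3C extended format with a #Fields directive naming each column. The script below is an added example, not code from any poster. The log it works on is constructed for the example (no real traffic), and it assumes the sc-bytes ("Bytes Sent") field was enabled in the site's extended logging properties; it is optional in IIS 5, and without it there is nothing to rank by.

```python
"""Rank client IPs in an IIS W3C extended log by bytes sent, the check Blake
describes doing with webalizer."""
from collections import defaultdict

# Constructed sample log in the W3C extended format IIS 5 writes. No real
# traffic. sc-bytes ("Bytes Sent") is an optional extended-logging field and
# only appears if it was enabled on the site before the incident.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2003-06-20 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem sc-status sc-bytes
2003-06-20 00:01:12 192.0.2.10 GET /default.htm 200 4096
2003-06-20 00:02:40 192.0.2.11 GET /images/logo.gif 200 2048
2003-06-20 03:15:01 198.51.100.7 GET /upload/movie1.avi 200 52428800
2003-06-20 03:16:30 198.51.100.7 GET /upload/movie2.avi 200 73400320
2003-06-20 03:18:02 198.51.100.7 GET /upload/movie3.avi 206 41943040
2003-06-20 08:00:09 192.0.2.12 GET /default.htm 304 -
2003-06-20 08:00:10 192.0.2.12 GET /style.css 200 1500
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("request line before any #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line: skip rather than mis-align columns
        yield dict(zip(fields, values))


def _bytes(rec):
    """sc-bytes as an int; IIS writes '-' when the value is unavailable."""
    try:
        return int(rec.get("sc-bytes", "-"))
    except ValueError:
        return 0


def bytes_by_client(text):
    """[(c-ip, total_bytes, request_count)] sorted by total bytes, descending."""
    totals = defaultdict(lambda: [0, 0])
    for rec in parse_w3c(text):
        totals[rec["c-ip"]][0] += _bytes(rec)
        totals[rec["c-ip"]][1] += 1
    return sorted(((ip, b, n) for ip, (b, n) in totals.items()),
                  key=lambda t: t[1], reverse=True)


def flag_spikes(text, share=0.5):
    """IPs responsible for more than `share` of all bytes sent."""
    ranked = bytes_by_client(text)
    total = sum(b for _, b, _ in ranked)
    return [ip for ip, b, _ in ranked if total and b / total > share]


def top_paths(text, ip, limit=5):
    """Paths served to `ip`, ranked by bytes sent, to see what drove the spike."""
    by_path = defaultdict(int)
    for rec in parse_w3c(text):
        if rec["c-ip"] == ip:
            by_path[rec["cs-uri-stem"]] += _bytes(rec)
    return sorted(by_path.items(), key=lambda kv: kv[1], reverse=True)[:limit]


if __name__ == "__main__":
    for ip, total, count in bytes_by_client(SAMPLE_LOG):
        print(f"{ip:16} {total:>12} bytes in {count} requests")
    for ip in flag_spikes(SAMPLE_LOG):
        print(f"spike: {ip}")
        for path, total in top_paths(SAMPLE_LOG, ip):
            print(f"   {total:>12}  {path}")
```

Point it at the real files by reading each W3SVC1 log into `text`; a new #Fields line mid-file is handled, since IIS repeats the directive whenever the field set changes. In the constructed sample one address accounts for almost all bytes sent, the "abnormal spike" Blake calls a dead giveaway, and `top_paths` shows which files under the site produced it, which is the next thing to check against what the server was supposed to be hosting.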
