Windows Patch Level
List installed patches (hotfixes), optionally filtering for the KB number you are after:
wmic qfe list
wmic qfe list | find "KBxxxxxxx you are after"
List open file shares:
net share
wmic share get name,path
The default Windows shares are: C$, IPC$, ADMIN$
If only these are present that is fine. If there are any more, investigate what they are and try to determine whether they are sharing sensitive information. A shared CD-ROM drive might look odd, but it can be an indication that the server is a VMware virtual machine, as this is how VMware Tools gets installed.
File System Configuration
List available drives:
fsutil fsinfo drives
Find drive type (replace C: with appropriate drive):
fsutil fsinfo drivetype C:
List file system of a drive (replace C: with appropriate drive):
fsutil fsinfo volumeinfo C:
List installed software and versions:
You probably only need to know the product, version and vendor, so restrict the output to those columns with "get":
wmic product get name,version,vendor
To save the output to a file:
Review the list produced, looking for:
- Anything that may be unnecessary for the role of the device (e.g. you don't need Windows Media Player on a server).
- Things that are "internet facing", such as web browsers and FTP clients, and browser plugins such as Silverlight, Flash Player and Java. Determine whether these are outdated. The quickest way to do this is to supply local administrator credentials to Nessus, as it will do most of the work for you; otherwise Google is your friend. A list of CVEs can be obtained for most products by going to www.cvedetails.com and looking up the version.
- Things that are susceptible to file-type exploits, such as Windows Media Player, the Microsoft Office suite, Adobe Acrobat Reader and Java. The same methodology applies here, but the risk requires a user to open a file in the vulnerable piece of software.
You can usually find the installed anti-virus by checking for icons in the system tray. Follow the steps below for analysis:
- Right-click on the icon and see if you can find the "about" screen to observe the version. Verify that this is the latest version and, if not, advise upgrading.
- Check the revision/version of the virus definition database. Also check that this is updated regularly; anything more than a few weeks old is likely to be dangerous. Ask how machines receive updates. Is this straight from the vendor or via an internal update server? Google to see if you can find the most recent definition database from the vendor. If the update server itself is not being supplied with updates then the workstations could be at risk while the GUI happily tells you that it is bang up to date.
- Determine what the solution is configured to scan. You want it to be configured for "active" (on-access) scanning, and ideally a full hard disk scan should be scheduled regularly.
- For extra points, upload an EICAR anti-malware test file to trigger an anti-virus alert. This is a non-malicious file that all AV vendors should recognise, and it can be used to prove that no AV solution is configured when you are in doubt. In a secure environment this check should cause an alert to someone within the organisation. If you don't get a phone call, ask whether they have logging and response procedures for AV alerts. If not, recommend that they do!
Exploit Mitigation Technologies
System DEP Policy
Check System Data Execution Prevention Policy:
wmic os get /format:value
The key properties to look at to work out whether DEP is available and how it is set are:
Active Local Processes
To list running processes, PIDs and owners:
For a more detailed look at processes, push Process Explorer to the host.
For bonus points, do View > Select Columns and enable the following:
- DEP Status
- Integrity Level
- ASLR Enabled
Check status of the personal firewall:
netsh firewall show opmode
netsh firewall show state
netsh firewall show config
For Windows Vista, Windows 7 and Server 2008, Microsoft recommends the netsh advfirewall firewall context instead. In particular, the following shows all firewall rules:
netsh advfirewall firewall show rule name=all verbose
Check that the firewall logs both accepted and blocked packets to a log file of a reasonable size. By default, the firewall logs nothing and the default log file is only 4MB.
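The share, DEP and firewall-logging checks above can be run together from one script. The following is an added example written for this review, not a script from the original page; it assumes Windows 8 / Server 2012 or later (for Get-NetFirewallProfile) and an elevated prompt.

```powershell
# Added build-review helper (not from the original page). Assumes Windows 8 /
# Server 2012 or later for Get-NetFirewallProfile; run from an elevated prompt.

# 1. File shares: only the default administrative shares are expected.
$defaultShares = @('C$', 'IPC$', 'ADMIN$')
foreach ($s in Get-CimInstance -ClassName Win32_Share) {
    if ($defaultShares -notcontains $s.Name) {
        Write-Output ("REVIEW share {0} -> {1}" -f $s.Name, $s.Path)
    }
}

# 2. DEP policy: Win32_OperatingSystem exposes the DEP properties directly.
#    SupportPolicy values: 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn, 3 = OptOut.
$depNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$policy = [int]$os.DataExecutionPrevention_SupportPolicy
Write-Output ("DEP available: {0}; policy: {1} ({2})" -f
    $os.DataExecutionPrevention_Available, $policy, $depNames[$policy])
if (-not $os.DataExecutionPrevention_Available -or $policy -eq 0) {
    Write-Output 'REVIEW DEP is not protecting this host'
} elseif ($policy -eq 2) {
    Write-Output 'REVIEW DEP is OptIn: only Windows binaries are covered by default'
}

# 3. Firewall logging per profile: both allowed and blocked traffic should be
#    logged, and the 4 MB (4096 KB) default log file is usually too small.
foreach ($p in Get-NetFirewallProfile) {
    $issues = @()
    if ("$($p.Enabled)" -ne 'True')    { $issues += 'profile disabled' }
    if ("$($p.LogAllowed)" -ne 'True') { $issues += 'allowed traffic not logged' }
    if ("$($p.LogBlocked)" -ne 'True') { $issues += 'blocked traffic not logged' }
    if ($p.LogMaxSizeKilobytes -le 4096) { $issues += 'log size at default 4 MB or less' }
    if ($issues.Count -eq 0) {
        Write-Output ("Firewall profile {0}: OK, logging to {1}" -f $p.Name, $p.LogFileName)
    } else {
        Write-Output ("REVIEW firewall profile {0}: {1}" -f $p.Name, ($issues -join '; '))
    }
}
```

Lines prefixed with REVIEW are the findings to follow up; everything else is context for the report.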
Binary Permissions – PowerShell Script
Use the .ps1 script found here: INSERT GitLab URL
Save as bin_perms.ps1 and execute as follows:
powershell -ExecutionPolicy ByPass .\bin_perms.ps1 > service_bin_perms.txt