CERT® Coordination Center
Windows NT Intruder Detection Checklist
This document is being published jointly by the CERT Coordination
Center and AusCERT (Australian Computer Emergency Response Team).
Introduction
- Look for Signs That Your System May Have Been Compromised
- Examine log files
- Check for odd user accounts and groups
- Look for incorrect group memberships
- Look for incorrect user rights
- Check for unauthorized applications from starting
- Check system binaries
- Check network configuration and activity
- Check for unauthorized shares
- Examine jobs run by the scheduler service
- Check for unauthorized processes
- Look everywhere for unusual or hidden files
- Check for altered permissions on files or registry keys
- Check for changes in user or computer policies
- Make sure the system has not been moved to a different Workgroup or Domain
- Examine all machines on the local network
- Review Other AusCERT and CERT Documents
- CERT Summaries
- "Steps for Recovering from a Windows NT Compromise"
- Contacting AusCERT
- Contacting CERT®/CC
- Consider running intrusion detection systems if possible
Document revision history
This document outlines suggested steps for
determining whether or not your system has been compromised. System
administrators can use this information to look for several types of
break-ins. We encourage you to review all sections of this document
and modify your systems to address potential weaknesses.
In addition to the information in this document, we provide three companion
documents that may help you:
We also encourage you to check regularly with your vendor(s) for any
updates or new patches that relate to your systems.
Note: All action taken during the course of an investigation
should be in accordance with your organization's policies and
procedures.
- Look For Signs That Your System May Have Been Compromised
- Examine log files for connections
from unusual locations or for other unusual
activity. You can use the Event Viewer to check for
odd logon entries, failures of services, or odd system
restarts. If your firewall, web server, or router
writes logs to a different location than the
compromised system, remember to check these logs as
well. But remember that this is not foolproof
unless you log to append-only media; many intruders
edit log files in an attempt to hide their activity.
- Check for odd user accounts and
groups. You can use the User Manager tool or the "net
user", "net group" and "net localgroup" commands at
the command line. Ensure that the built-in GUEST
account is disabled if the system does not require
guest access.
- Check all groups for invalid user
membership. Some of the default NT groups give
special privileges to the members of those groups.
Members of the Administrators group can do anything to
the local system. Backup operators can read any file
on the system. Power Users can create shares.
- Look for invalid user rights. To
examine user rights use the User Manager tool under
Policies, User Rights. There are 27 different rights
that can be assigned to users or groups. Generally
the default configuration for these rights is secure.
- Check to see if unauthorized
applications are starting. There are a number of
different methods an intruder could use to start a
back door program, so be sure to:
- Check the Startup folders. Check all items in
c:\winnt\profiles\*\start menu\programs\startup
folders. You can also examine all the shortcuts by
selecting Start, Programs, Startup. Note that there
are two startup folders, one for the local user and
one for all users. When a user logs on, all of the
applications in both the "All Users" and in the
user's startup folder are started. Because of this, it
is important to check all of the startup folders for
suspicious applications.
- Check the
registry. The most common locations for
applications to start through the registry are
LISTING 1
- Check for invalid services. Some backdoor
programs will install themselves as a service that
is started when the system boots up. Services can
then run as any user with the "Logon as Service"
user right. Check services that are started
automatically and be sure that they are necessary.
Also check that the service's executable file is not
a Trojan horse or backdoor program.
The following batch file will help gather
information about NT Services running on a system
from the registry. The output will list the service
key, startup value, and the executed file. This
batch file uses the REG.EXE command, which is part of
the NT Resource Kit. Files and the registry are not
modified with this batch file.
LISTING 2
- Check your system binaries for
alterations. Compare the versions on your systems
with copies you know that have not been altered, such
as those from your initial installation media. Be
cautious of trusting backups; they could also contain
Trojan horses.
Trojan horse programs may produce the same file size
and timestamp as the legitimate version. Because of
this, just checking file properties and timestamps
associated with the programs is not sufficient for
determining whether or not the programs have been
replaced. Instead, use MD5, Tripwire, and other
cryptographic checksum tools to detect these Trojan
horse programs (provided that the checksum tools
themselves are kept secure and are not available for
modification by the intruder). You may want to
consider using a tool (PGP, for example) to "sign" the
output generated by MD5 or Tripwire, for future
reference.
Using anti-virus software will also help you check for
computer viruses, backdoors, and Trojan horse
programs. But remember that malicious programs are
continuously created, so it is important to keep your
anti-virus software up to date constantly.
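An added example, not part of the CERT/AusCERT document: a Python script (written for an analysis workstation rather than as an NT-era batch file) that hashes a tree of binaries, compares it with a saved baseline, and separates replacements that kept the original size and timestamp from ordinary changes. The file names and contents used in demo() are constructed.

```python
import hashlib
import os
import tempfile

def file_record(path):
    """Return (size, mtime, md5hex). MD5 matches the checklist's tooling;
    substitute hashlib.sha256 for a baseline built today."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.stat(path)
    return (st.st_size, int(st.st_mtime), h.hexdigest())

def hash_tree(root):
    """Return {relative path: record} for every file under root."""
    return {os.path.relpath(os.path.join(d, n), root): file_record(os.path.join(d, n))
            for d, _, names in os.walk(root) for n in names}

def compare(baseline, current):
    """Classify differences. 'stealthy' holds files whose size and timestamp
    still match the baseline but whose checksum does not: the case a
    properties-only check would miss."""
    out = {"stealthy": [], "changed": [], "missing": [], "added": []}
    for path, (size, mtime, digest) in baseline.items():
        if path not in current:
            out["missing"].append(path)
        elif current[path][2] != digest:
            same_props = current[path][:2] == (size, mtime)
            out["stealthy" if same_props else "changed"].append(path)
    out["added"] = sorted(set(current) - set(baseline))
    return out

def demo():
    """Constructed scenario (not real system files): one binary is replaced
    by a same-size file and its original timestamp is put back."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("cmd.exe", b"GOOD-CMD"), ("net.exe", b"GOOD-NET")):
            with open(os.path.join(root, name), "wb") as f:
                f.write(body)
        baseline = hash_tree(root)
        victim = os.path.join(root, "cmd.exe")
        st = os.stat(victim)
        with open(victim, "wb") as f:
            f.write(b"EVIL-CMD")  # same length as the original content
        os.utime(victim, (st.st_atime, st.st_mtime))  # restore timestamp
        return compare(baseline, hash_tree(root))

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9} {paths}")
```

In a real investigation the baseline must come from media the intruder could not reach (installation media or a signed, offline copy), exactly as the text above warns.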
- Check your system and network
configurations for unauthorized entries. Look for
invalid entries for settings like WINS, DNS, IP
forwarding, etc. These settings can be checked
using the Network Properties tool or using the
"ipconfig /all" command at the command prompt.
Make sure that only the Network Services you want to
have running on your system are listed in the Network
Services configuration.
Check for odd ports listening for connections from
other hosts by using the "netstat -an" command. The
following batch file parses out ports that are in a
listen state and then tries to show what service may
be running on that port. This batch file uses the
well-known port numbers file which can be retrieved
from the following location:
- http://www.isi.edu/in-notes/iana/assignments/port-numbers
Additional ports used by Microsoft products can be
found in the following Microsoft Knowledgebase
articles. You may want to build a file in the format
of the previous port numbers file that lists various
services that are running on your NT systems.
- Windows NT, Terminal Server, and Microsoft Exchange Services Use TCP/IP Ports
http://support.microsoft.com/support/kb/articles/q150/5/43.asp
- SMS: Network Ports Used by Remote Helpdesk Functions
http://support.microsoft.com/support/kb/articles/q167/1/28.asp
- XGEN: TCP Ports and Microsoft Exchange: In-depth Discussion
http://support.microsoft.com/support/kb/articles/q176/4/66.asp
- How to Configure a Firewall for Windows NT and Trusts
http://support.microsoft.com/support/kb/articles/q179/4/42.asp
In the batch file make sure you replace the word "TAB"
with an actual tab. This file does not modify or
write to any files. It does require a file named
"port-number.txt." This file lists port numbers as
well as possible services listening on that port.
LISTING 3
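As an added example that is not the batch file the document refers to: the same check in Python, parsing captured "netstat -an" output and an IANA-format port-numbers file and flagging listening ports that have no known assignment. Both samples are constructed; the port-numbers excerpt follows that file's layout only.

```python
# Constructed "netstat -an" output as Windows NT prints it (not from a real
# host): one listening TCP port has no known assignment.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:19876          0.0.0.0:0              LISTENING
  TCP    192.168.1.5:139        192.168.1.9:1045       ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Constructed excerpt in the IANA port-numbers layout: keyword, port/proto,
# description; "#" starts a comment.
PORT_NUMBERS_SAMPLE = """\
# Well-known ports (excerpt)
epmap           135/tcp    DCE endpoint resolution
netbios-ns      137/udp    NETBIOS Name Service
netbios-ssn     139/tcp    NETBIOS Session Service
"""

def load_port_names(text):
    """Return {(proto, port): keyword} parsed from port-numbers file text."""
    names = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        port, proto = fields[1].split("/", 1)
        if port.isdigit():
            names[(proto.lower(), int(port))] = fields[0]
    return names

def listening_sockets(netstat_text):
    """Return sorted (proto, port) pairs: TCP sockets in LISTENING state plus
    every bound UDP socket (netstat prints no state column for UDP)."""
    found = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue
        proto = fields[0].lower()
        port = int(fields[1].rsplit(":", 1)[1])
        if proto == "udp" or (len(fields) > 3 and fields[3] == "LISTENING"):
            found.add((proto, port))
    return sorted(found)

def report(netstat_text, port_numbers_text):
    """Return [(proto, port, name)]; "UNKNOWN" marks ports worth a closer look."""
    names = load_port_names(port_numbers_text)
    return [(p, n, names.get((p, n), "UNKNOWN"))
            for p, n in listening_sockets(netstat_text)]
```

Calling report(NETSTAT_SAMPLE, PORT_NUMBERS_SAMPLE) lists the three TCP listeners and the bound UDP port, with 19876 marked UNKNOWN; a port with a known name still deserves a check that the process behind it is the expected one.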
- Check for unauthorized shares. You
can use the "net share" command at the command prompt
or use the Server Manager tool to list all the shares
on a system. NT provides a way to show hidden shares
by adding a '$' to the end of a share name. There are
a few default share names that NT uses (such as
PRINT$), but if you are not sharing a printer with
other users, check to see why that share was created.
If you notice an odd share name the tools will show
you the actual location on the system that is being
shared. A drive or directory can have multiple share
names. Each of these shares can have different
permissions associated with them.
- Check for any jobs scheduled to run.
Intruders can leave back doors in files that are
scheduled to run at a future time. This technique can
let an intruder back on the system (even after you
believe you had addressed the original
compromise). Also, verify that all files/programs
referenced (directly or indirectly) by the scheduler
and the job files themselves, are not world-writable.
To check for jobs currently pending use the "at"
command or the WINAT tool from the NT resource
kit.
- Check for odd processes. You can
use the Task Manager tool or the pulist.exe and
tlist.exe commands from the NT resource kit at the
command prompt to gather information about the
processes running on your system. A
number of shareware/freeware applications also exist
to show what files are in use.
With the pulist command, you can see who started each
process. Services are usually associated with the
SYSTEM account. The tlist command with the -t flag
will show you what processes started child processes.
- Look throughout the system for
unusual or hidden files. These can be used to hide
tools and information (password cracking programs,
password files from other systems, etc.). Hidden
files can be seen with the NT Explorer. Select View,
Options, Show all Files. To view hidden files at the
command prompt type "dir /ah".
- Check for altered permissions on
files or registry keys. Part of properly securing an
NT system is to set the proper permissions on files
and registry keys so that unauthorized users cannot
start unauthorized programs (e.g. backdoors or
keyloggers) or change system files.
In order to check many files throughout your directory
tree you can use the XCACLS.EXE program that is part
of the NT Resource Kit. The NT Security Configuration
Manager can also be used to analyze your system
against a configuration you have defined previously.
This would help to determine what may have been
modified.
- Check for changes in user or
computer policies. Policies are used on NT systems to
define a wide variety of configurations and can be
used to control what users can and cannot do. Since a
number of items are configured in the policy editor
(poledit.exe) it is recommended to keep a current copy
of the policies you create in case they are altered and
you need to determine what was changed.
- Make sure the system has not been
redefined to a different Domain. An intruder may
attempt to gain Domain Administrator access to a
workstation by changing the current domain to a domain
that the intruder has control over.
- When searching for signs of
intrusion, examine all machines on the local network.
Most of the time, if one host has been compromised, others
on the network have also been compromised.
- Review Other AusCERT and CERT Documents
- For further information about the
types of attack that have recently been reported to the
CERT Coordination Center and for a list of new or updated
files available for anonymous FTP, see our past CERT
Summaries at
http://www.cert.org/summaries/
- If you suspect that your system has
been compromised, please review "Steps for Recovering
from a System Compromise" at
http://www.cert.org/tech_tips/win-UNIX-system_compromise.html
You can also review other appropriate files in our tech_tips
directory.
- Incidents involving Australian and New
Zealand sites should be reported to AusCERT (Australian
Computer Emergency Response Team). To report a computer
security incident to AusCERT use the following contact
information.
- Internet: auscert@auscert.org.au (monitored during business hours, GMT+10:00)
- Telephone: +61 7 3365 4417 (monitored during business hours, GMT+10:00)
- Hotline: +61 7 3365 4417 (monitored 24 hours, 7 days, for emergencies, GMT+10:00)
- Facsimile: +61 7 3365 7031
- Postal address:
Australian Computer Emergency Response Team
The University of Queensland
Brisbane Qld 4072
AUSTRALIA
- To report a computer security incident to the
CERT Coordination Center, please complete and return a copy of
our Incident Reporting Form, available from
http://www.cert.org/ftp/incident_reporting_form
The information on the form helps us provide the best
assistance. It enables us to understand the scope of the
incident, to determine if your incident may be related to
any other incidents that have been reported to us, and to
identify trends in intruder activities.
- Consider running intrusion detection systems if possible
- Freeware/shareware intrusion detection systems:
The COAST Intrusion Detection System Resources web page has a list
of some freeware/shareware intrusion detection systems. It is
available at:
http://www.cerias.purdue.edu/coast/ids/
- Commercial intrusion detection systems:
There are a number of commercial intrusion detection tools
available; we list only some of them here:
- Kane Security Monitor (KSM)
http://centauri.ods.com/security/products/ksm.shtml
- OmniGuard/ITA (OmniGuard/Intruder Alert)
http://www.axent.com/Axent/Products/IntruderAlert
- Real Secure
http://solutions.iss.net/products/rsecure/rs.php
- CyberCop Monitor
http://solutions.sun.com/catalogs/all/Internet_and_Intranet/Security/42189.html
- Intact
http://pedestalsoftware.com/intact/
This document is available from:
http://www.cert.org/tech_tips/win_intruder_detection_checklist.html
CERT/CC Contact Information
Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT® Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
Monday through Friday; they are on call for emergencies during other
hours, on U.S. holidays, and on weekends.
Using encryption
We strongly urge you to encrypt sensitive information sent by
email. Our public PGP key is available from
If you prefer to use DES, please call the CERT hotline for more
information.
Getting security information
CERT publications and other security information are available from
our web site
To subscribe to the CERT mailing list for advisories and bulletins, send email to
majordomo@cert.org. Please include
subscribe cert-advisory
in the body of your message.
Copyright 2000 Carnegie Mellon University.
Conditions for use, disclaimers, and sponsorship information can be found in
* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
NO WARRANTY
Any material furnished by Carnegie Mellon University and the
Software Engineering Institute is furnished on an "as is"
basis. Carnegie Mellon University makes no warranties of any kind,
either expressed or implied as to any matter including, but not
limited to, warranty of fitness for a particular purpose or
merchantability, exclusivity or results obtained from use of the
material. Carnegie Mellon University does not make any warranty of any
kind with respect to freedom from patent, trademark, or copyright
infringement.