DOWNLOAD THE CODE:
Download the Code 37799.zip

Share Scan. By selecting the Share Scan check box, you can configure System Scanner to track changes to hidden shares (i.e., those shares in which the name ends with $), share permissions, and the NTFS permissions on shared folders and shared printers. Tracking changes to shares is valuable because shared folders provide a doorway into your file system.

After you've finished configuring the scan types and options, click Finish. The New Policy Wizard creates your policy, then exits.

Running Scans
With the policy in hand, you're ready to generate the baseline scan against which System Scanner will compare subsequent scans. System Scanner automatically generates a policy's baselines the first time you use that policy to run a scan. To manually run the baseline scan, select File, Scan Now. Choose DetectChanges and enter Initial Baseline Generation. Click OK to start the scan.

After the scan finishes, your baselines are set and you can schedule the daily scan. Under the Start menu, select Programs, Accessories, System Tools, Scheduled Tasks. Double-click Add Scheduled Task to open the Scheduled Task Wizard. Click Next, then click Browse. Maneuver to \program files\iss\sysscan\bin and double-click sscli.exe, which is the command-line interface program for System Scanner. Enter System Scanner Baseline Scan as the task's name, and select Daily in the Perform this task option. (You can also schedule the task to run weekly.) Click Next, specify your desired start day and time, then click Next again. Enter an administrative username and password under which System Scanner will run. Click Next, select the Open advanced properties for this task when I click Finish check box, and click Finish.

In the Properties dialog box that appears, you need to specify several parameters so that sscli.exe knows which policy and report to run. Select the Run option and enter -p DetectChanges -r v -f C:\NewBaselineScan.htm -o hmldf after the task's path. The -p DetectChanges parameter tells System Scanner to use the DetectChanges policy for the scan, and the -r v parameter tells the program to produce a Vulnerabilities report. The -f C:\NewBaselineScan.htm parameter specifies the report's filename and location. The -o hmldf parameter specifies that you want the report to include high, medium, and low vulnerabilities; full descriptions for the vulnerabilities; and information about how to fix them. Click OK. Depending on your system, you might need to enter the administrative username and password again.

Your scan is now configured to run each day. It will produce an HTML-formatted report called NewBaselineScan on your C drive.

To verify that System Scanner will successfully detect changes to your Web server, create a new user account and disable it. If you want, you can also make other changes, such as changing a file's contents—just remember not to weaken your Web server. Run a scan on demand by returning to the Scheduled Tasks folder, right-clicking System Scanner Baseline Scan, and selecting Run. When the task finishes, open NewBaselineScan. You should see the System Scanner Vulnerabilities report.

After a few iterations of the System Scanner Vulnerabilities report, you might find that your policy is tracking areas in which legitimate changes constantly occur. You'll want to weed out these dynamic areas by editing your policy, then resetting your baseline. To reset a baseline, select Policy, Reset Baselines. Select your policy, click Reset, then click Close.

Using the Script
If you run scans daily, you might consider using a script to check the reports for you. Listing 1, page 4, contains such a script called CheckSysScanReport.vbs. This script checks the NewBaselineScan report for vulnerabilities each night and sends an email message that tells you whether no vulnerabilities were found, vulnerabilities were found, or the report was missing.

When CheckSysScanReport.vbs starts, it sets the reportFileName variable to the pathname for the NewBaselineScan report. Currently, the script sets this variable to C:\CheckSysScan\NewBaselineScan.htm, as the code at callout A shows. If you've configured System Scanner to create the report elsewhere or under a different name, you must change C:\CheckSysScan\NewBaselineScan.htm to the appropriate pathname.

Next, the script tries to open the NewBaselineScan report. If the script can't find the report because the System Scanner Baseline Scan task failed to run or didn't finish, the script sets the subject variable (which is later used for the email message's subject line) to System Scanner Report Missing. Scheduled task may have failed. If the script finds the report, the script scans it line by line for the word vulnerability. If that word is present, the script sets the subject variable to ALERT! Vulnerabilities found in System Scanner report. Otherwise, the script sets the variable to Good News! No vulnerabilities found in System Scanner report. The script then uses the Blat utility to create and send the email message. Blat retrieves the body of the email message from the body.txt file in C:\CheckSysScan.

The script then copies the NewBaselineScan report's contents into a file named BaselineScan.htm and deletes NewBaselineScan.htm. That way, if the System Scanner Baseline Scan task fails to run or doesn't complete, the next time CheckSysScanReport.vbs runs, it will notice the report is missing and alert you to that fact.
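The checking logic described above (missing report, "vulnerability" scan, Blat subject line, report rotation) carried through in Python, as an added example that is not the article's CheckSysScanReport.vbs and not ISS code. The C:\CheckSysScan paths and address are the article's defaults; the sample report text, the `demo_run` helper and the exact Blat argument form are assumptions made for this example:

```python
import shutil
import subprocess
import tempfile
from pathlib import Path

# Defaults from the article; adjust if your report lands elsewhere (assumption).
REPORT_PATH = Path(r"C:\CheckSysScan\NewBaselineScan.htm")
ARCHIVE_PATH = Path(r"C:\CheckSysScan\BaselineScan.htm")
BODY_PATH = Path(r"C:\CheckSysScan\body.txt")
MAIL_TO = "youraddress@yourcompany.com"

SUBJECT_MISSING = "System Scanner Report Missing. Scheduled task may have failed."
SUBJECT_ALERT = "ALERT! Vulnerabilities found in System Scanner report"
SUBJECT_CLEAN = "Good News! No vulnerabilities found in System Scanner report"

# Constructed sample reports; the real HTML layout is not shown on the page.
SAMPLE_ALERT_REPORT = "<html><body>\n<p>High: vulnerability in share permissions</p>\n</body></html>\n"
SAMPLE_CLEAN_REPORT = "<html><body>\n<p>No findings.</p>\n</body></html>\n"


def classify_report(report_path: Path) -> str:
    """Pick the e-mail subject: missing report, word 'vulnerability' seen, or clean."""
    if not report_path.is_file():
        return SUBJECT_MISSING
    with report_path.open(encoding="utf-8", errors="replace") as fh:
        for line in fh:
            # Case-insensitive so a capitalised heading still triggers the alert.
            if "vulnerability" in line.lower():
                return SUBJECT_ALERT
    return SUBJECT_CLEAN


def rotate_report(report_path: Path, archive_path: Path) -> bool:
    """Keep yesterday's report as the archive copy and delete the fresh one, so a
    scan task that silently fails shows up as a missing report on the next run."""
    if not report_path.is_file():
        return False
    shutil.copyfile(report_path, archive_path)
    report_path.unlink()
    return True


def blat_command(subject: str, to_addr: str, body_path: Path) -> list:
    """Blat invocation: body from a file, recipient and subject as switches (assumed form)."""
    return ["blat", str(body_path), "-to", to_addr, "-subject", subject]


def run_check(report_path: Path, archive_path: Path, body_path: Path,
              to_addr: str, send: bool = False):
    """One nightly pass: classify, (optionally) mail, rotate. Returns (subject, command)."""
    subject = classify_report(report_path)
    cmd = blat_command(subject, to_addr, body_path)
    if send:  # only actually shell out when asked; Blat must be on PATH
        subprocess.run(cmd, check=True)
    rotate_report(report_path, archive_path)
    return subject, cmd


def demo_run() -> dict:
    """Exercise all three outcomes in a temporary folder (hypothetical helper)."""
    work = Path(tempfile.mkdtemp())
    report, archive, body = work / "NewBaselineScan.htm", work / "BaselineScan.htm", work / "body.txt"
    body.write_text("See the archived BaselineScan.htm for details.\n")
    out = {"missing": run_check(report, archive, body, MAIL_TO)[0]}
    report.write_text(SAMPLE_ALERT_REPORT)
    out["alert"], out["cmd"] = run_check(report, archive, body, MAIL_TO)
    out["rotated"] = (not report.exists()) and archive.read_text() == SAMPLE_ALERT_REPORT
    report.write_text(SAMPLE_CLEAN_REPORT)
    out["clean"] = run_check(report, archive, body, MAIL_TO)[0]
    return out


if __name__ == "__main__":
    print(demo_run())
```

The one check worth making before trusting the clean-report subject: confirm that the word "vulnerability" does not appear in the report's fixed headings or footer, or the script will alert every night regardless of findings.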

Before you can use CheckSysScanReport.vbs, you need to make several preparations. Follow these steps:

  1. Create a folder on your C drive called CheckSysScan. Copy the code in Listing 1 into an editor, and save the file as CheckSysScanReport.vbs. Place the script in the CheckSysScan folder.

  2. Edit the script. In the line at callout B, replace youraddress@yourcompany.com with your email address. If you've configured System Scanner to create the NewBaselineScan report elsewhere or under a different name, replace C:\CheckSysScan\NewBaselineScan.htm in the line at callout A with the appropriate pathname.

  3. Create a file named body.txt in C:\CheckSysScan. Enter whatever information you'd like to appear in the body of the email message when the script sends a message. For example, you might include a link to the BaselineScan file.

  4. Download blat.exe and its associated files to C:\CheckSysScan. Blat is a freeware utility that sends email messages from scripts. You can find Blat at http://www.interlog.com/~tcharron/blat.html. Set up Blat to use your SMTP server. If you're unfamiliar with how to use Blat, I explain how to set it up in "Use WMI to Monitor Your Web Site for Changes," July 2002, http://www.windowswebsolutions.com, InstantDoc ID 25235.

  5. Set up a scheduled task to run CheckSysScanReport.vbs every day an hour or two after the System Scanner Baseline Scan task runs.

Effective Yet Inexpensive
Because you likely already have the resource kit, the only cost of setting up this security monitoring system is your time—and it's time well spent. You'll know sooner rather than later when someone is tampering with your Web server's processes, services, shares, files, users, and groups.
