Monitor your systems with XP's enhanced command-line utilities
Windows XP is the first release of a new generation of Microsoft OSs that combine the strength and security of Windows 2000 and Windows NT with the flexibility and ease of use of Windows Me and Windows 98. To further enhance XP's security and ease of use, Microsoft has beefed up several familiar GUI and command-line tools and added some new ones. Microsoft has chosen not to ship utilities with the Microsoft Windows XP Resource Kit. Instead, the company has moved the more useful utilities from the Microsoft Windows 2000 Resource Kit and the Microsoft Windows NT Resource Kit into the base XP OS and into the Support Tools folder on the installation CD-ROM. If you've rolled out XP in your organization or you plan to do so, these tools will help you monitor, manage, and secure your XP installations.
Gathering System Information
The first step in securing your organization's XP systems is to determine their configuration. In the past, administrators had to visit each system and run a battery of utilities to discover which OS, service packs, and hotfixes were installed and to determine the network configuration. XP simplifies this task with the introduction of the Systeminfo command-line tool (systeminfo.exe). Systeminfo enumerates system configuration information by using the Windows Management Instrumentation (WMI) API and formats the results into OS, hardware platform, installation configuration, and installed hotfix sections. You can use the tool's /s (system) switch to run Systeminfo against remote systems; you can also use the tool's /u (username) and /p (password) switches to specify the security context under which to run the command. If you supply a username but no password, the system prompts you to enter a password, a prompt that's especially useful when you need to run the command interactively with others watching. (The password isn't echoed as you type it.)
Another useful utility for determining a system's configuration is the Spcheck tool (spcheck.exe), which is included in XP's Support Tools. (Previously, this utility was available only from Microsoft Product Support Services, PSS.) Although Spcheck's output can be cryptic, it's helpful when you want to make sure that key XP networking components such as drivers, DLLs, and the command-line tools you use to monitor networking components are up-to-date. Spcheck uses a data file called spcheck.ini, which contains information about the individual files in each networking component. Spcheck.ini doesn't come with XP; you must obtain the latest version from Microsoft's Web site. The Microsoft article "How to Use the SPCheck Tool to Determine the Service Pack Level of Components" (http://support.microsoft.com/default.aspx?scid=kb;en-us;q279631) contains a link to the data file for XP, Win2K, NT 4.0, and Microsoft Exchange Server 5.5 as well as instructions for using Spcheck. The Microsoft article "How to Use the SPCheck Tool in Windows XP" (http://support.microsoft.com/default.aspx?scid=kb;en-us;q312646) contains more information about using this handy utility with XP.
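Because Systeminfo's hotfix section is plain text, you can collect its output from several systems (with the /s switch) and check each one against a required-hotfix baseline. The script below is an added example, not part of the original article; the Systeminfo samples and the hotfix IDs in them (other than Q147222) are constructed placeholders.

```python
import re

# Constructed, abridged Systeminfo output for two hosts. The KB numbers are
# placeholders, not real hotfix IDs; the layout follows XP's Systeminfo format.
SYSTEMINFO_SAMPLES = {
    "WS01": """\
Host Name:                 WS01
OS Name:                   Microsoft Windows XP Professional
OS Version:                5.1.2600 Service Pack 1 Build 2600
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: Q147222
                           [02]: KB000111 - Update
                           [03]: KB000222 - Update
""",
    "WS02": """\
Host Name:                 WS02
OS Name:                   Microsoft Windows XP Professional
OS Version:                5.1.2600 Service Pack 1 Build 2600
Hotfix(s):                 1 Hotfix(s) Installed.
                           [01]: Q147222
""",
}

# Hotfix entries are indented "[nn]: ID" lines; the ID may carry a trailing description.
HOTFIX_RE = re.compile(r"^\s*\[\d+\]:\s*(KB\d+|Q\d+)", re.MULTILINE)


def parse_systeminfo(text):
    """Return (fields, hotfixes): the 'Key: value' pairs and the set of hotfix IDs."""
    fields = {}
    for line in text.splitlines():
        # Top-level fields start in column 1; hotfix lines are indented and skipped here.
        m = re.match(r"^(\S[^:]*):\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields, set(HOTFIX_RE.findall(text))


def missing_hotfixes(samples, required):
    """Map each host name to the sorted list of required hotfixes it did not report."""
    report = {}
    for host, text in samples.items():
        fields, installed = parse_systeminfo(text)
        report[fields.get("Host Name", host)] = sorted(required - installed)
    return report


if __name__ == "__main__":
    for host, missing in missing_hotfixes(SYSTEMINFO_SAMPLES, {"KB000111", "KB000222"}).items():
        print(host, "missing:", ", ".join(missing) or "none")
```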
Monitoring Your Systems
I'm amazed by the number of people and organizations who don't proactively monitor their systems and networks, giving intruders free rein to attempt to circumvent security without anyone knowing. Routine monitoring is useful not only for thwarting intruders but also for discovering potential configuration problems that might cause difficulties for users.
When you monitor running processes on your system, you probably use Task Manager. If, however, you want to determine which processes have started subprocesses or which processes are hosting services, you probably use the tlist.exe command-line utility. Unfortunately, this useful tool isn't available in XP, so you need to use the Tasklist tool (tasklist.exe) instead. Tasklist, which developers created for XP's multiuser environment, reports session information about each running process. However, unlike tlist.exe, Tasklist doesn't list subprocesses under their parent process. (I hope Microsoft will reintroduce this useful feature in a future version.) You can use Tasklist to query remote systems and use the /v switch to get a verbose listing of useful information such as window titles and usernames. As Figure 1 shows, you can use the tool's /m switch to display processes that have loaded a particular DLL, a particularly useful ability when you suspect that a DLL is actually a Trojan horse.
I often see a lot of network activity on my firewall/router. On earlier versions of Windows, I use the Netstat utility (netstat.exe) to show me which TCP or UDP endpoints are in use on my system, then I work out in my head which process or processes are likely to be sending and receiving data. If I want to accurately correlate endpoints to processes, however, I need to use third-party tools. XP's updated Netstat tool has a new feature that lets me see which processes are using endpoints. When you use the /o switch, Netstat shows the process identifier (PID) next to the endpoint information, as Figure 2 shows. When you use the tool with the /a switch, you can see all endpoints, whether active or listening.
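The PID that Netstat's /o switch adds is what lets you join endpoint listings to Tasklist output and spot a listener owned by a process you don't expect. The script below is an added example, not code from the article; the Netstat and Tasklist samples are constructed, and the expected-listener list is an assumption you would replace with your own baseline.

```python
import csv
import io

# Constructed sample of Netstat output with the /a and /o switches (PID column added).
NETSTAT_OUTPUT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.10:1045      192.168.1.20:80        ESTABLISHED     1588
  TCP    0.0.0.0:8787           0.0.0.0:0              LISTENING       2044
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample of "tasklist /fo csv" output for the same host.
TASKLIST_CSV = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"svchost.exe","912","Console","0","4,892 K"
"iexplore.exe","1588","Console","0","21,340 K"
"update.exe","2044","Console","0","1,204 K"
"""


def parse_tasklist(text):
    """Map PID -> image name from Tasklist's CSV output."""
    return {int(r["PID"]): r["Image Name"] for r in csv.DictReader(io.StringIO(text))}


def parse_netstat(text):
    """Return (proto, local, foreign, state, pid) tuples from Netstat /a /o output."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        # UDP rows have no State column, so the PID is always the last field.
        proto, local, foreign = parts[0], parts[1], parts[2]
        state = parts[3] if proto == "TCP" else ""
        rows.append((proto, local, foreign, state, int(parts[-1])))
    return rows


def endpoints_by_process(netstat_text, tasklist_text):
    """Join each endpoint to its owning image name; PIDs absent from Tasklist are flagged."""
    names = parse_tasklist(tasklist_text)
    return [(names.get(pid, "<unknown pid>"), proto, local, state)
            for proto, local, _foreign, state, pid in parse_netstat(netstat_text)]


def unexpected_listeners(netstat_text, tasklist_text, expected_images):
    """Listening TCP endpoints whose owner is not in the expected-listener baseline."""
    return [(name, local) for name, _proto, local, state in endpoints_by_process(netstat_text, tasklist_text)
            if state == "LISTENING" and name.lower() not in {e.lower() for e in expected_images}]
```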
I also like to monitor the files that each process has open. In previous versions of Windows, you can install and use the resource kit's oh.exe utility. Although the XP Support Tools' Help file documents oh.exe, the Support Tools installation doesn't include the tool. You can, however, use the new Openfiles command-line tool (openfiles.exe), which lets you view files that processes have open. Like oh.exe, Openfiles requires you to turn on monitoring in the kernel, which will consume more memory and might degrade performance on systems such as file, print, email, and database servers. To turn on monitoring, go to a command prompt and type
openfiles /local on
This command creates the global flag "Maintain a list of objects for each type" in the registry. (You can view what flags are set in the registry or in a running kernel by using gflags.exe.) Reboot the system to activate the flag. Then, to view a list of processes and the files they have open, go to a command prompt and type
openfiles
To see which user is running the processes that have the open files, type
openfiles /query /v