f HEPNT/HEPIX Sept, 1999 Use of SPQuery and STAT At FNAL

f SPQuery F SPQuery is a useful tool for: F Reporting Service pack and hotfix information for an entire domain or a select group of machines. F Downloading of hotfixes from Internet for NT, IIS, Exchange, SQL and Site Server to a central repository F Applying Workstation/Server hotfixes to remote machines

f Query Systems F Ability to check single machine, entire domains, or use machine list files. F Information on date Service Pack and hotfixes were applied F Information on available hotfixes for applied service pack

f Systems Information

f Importing Machine Lists

f Hotfix Info F Get information on files replaced or added by the hotfix F Query Internet for newest hotfix information F View Knowledge Base Article

f Affected Files

f Knowledge Base Information

f Applying Fixes Three Basic Steps FDownload hot fixes to a local repository u Multiple downloads possible. FInstall u Must have admin rights to install to remote system u Schedules hotfix to be applied at next login. User must have local admin u Hotfix files and an ‘agent’ copied to remote system and run on next login. u Pop up box during login gives user choice to apply patch or not. uOnly visible for 20 seconds u Only supports singular patch application FReboot NOTE: User has the ability to decide if patch is applied!

f Downloading Fix

f Fix Scheduled

f User Login

f Hotfix Applied

f Profile Creation F Offers the ability to create service pack/hotfix profiles. F Test your NT machine(s) against these profiles to determine if they pass or fail. F We have Profiles for SP4 and SP5 with appropriate security hotfixes.

f Profiles

f Reporting F Print reports (very detailed) F Save reports for future reference in SPQuery or save them to a csv file and import into Excel

f Options

f SPQuery Stuff I’d like to see FNotify if user selects ‘Never’ apply patch. FAbility to load patches in correct order. FAbility to apply more than one patch at a time. FMore details when downloading from Internet FCustomization of Report Printing Inexpensive- $595 for a site license!

f STAT (Security Test and Analysis Tool) F Detects Vulnerabilities from NT 3.51 to NT4 SP5 F Can Examine specific machine, multiple machines or Entire Domain F Automatic Vulnerability Fix F Configuration Templates available F Password Strength testing

f Account requirements F To analyze systems on the network must be Domain Admin. F To analyze workgroups must be in local admin for machines you wish to access

f Analysis Overview F Analyze single machine, multiple machines or domains F Machine analysis can be saved and compared to new analysis F Systems must appear in Network Neighborhood F Domain examination is time-consuming FChecking all vulnerabilities takes an average of one gigabyte per minute. F 4 Levels of Vulnerability FHigh- May grant unauthorized administrative access. FMedium- May provide access to sensitive data leading to further exploitation. FLow- May be used for information gathering or preventative security measures that could lead to higher risk levels. FWarning- Recommended good security practices.

f 4 Warnings F There are 4 warnings in the STAT database that will always be displayed: F ID# 87 boot enabled (anyone can boot system from floppy) F ID# 403 clipboard ( clear clipboard before logging off or locking computer F ID# 409 emergency repair disk (ERD has compressed version of SAM. Make sure to lock it up!) F ID# 421 administrators group (check administrators group for unknown account names)

f Analysis

f Vulnerability Info

f Fixing Vulnerability

f Vulnerability Fixed

f Configuration Files F Ability to define ‘templates’ to check for only specific vulnerabilities. F Description field helps identify vulnerability. F Eight ‘templates’ provided: FAll- ~600 vulnerabilities. FAutofix- Check only what can be fixed. FFilechecks- Check only file related vulnerabilities. FHigh- Check only vulnerabilities defined as high. FLow- Check only vulnerabilities defined as low. FMedium- Check only vulnerabilities defined as medium. FNofilechecks- Check only vulnerabilities not related to files. FWarning- Check only vulnerabilities not related to files.

f Configuration

f Password Cracking F Uses simple text file to check passwords F Cracked passwords not displayed. Just Username. F File can be modified to your requirements. FNote: Software upgrade could overwrite the file.

f Report Print Options Executive FPie-chart representing the percentage of vulnerabilities by level of risk found in a selected network or machine. Network FBar chart representing percentages of discovered vulnerabilities with respect to total possible vulnerabilities tested per machine. Vulnerability FBar chart representing each vulnerability detected and how many machines contain that specific vulnerability. F Detailed FReport shows all vulnerabilities found per machine. The report provides a brief description of each vulnerability, along with the applicable risk each represent.

f STAT Wish List F Ability to import machine lists F Better documentation F Improve speed of analysis F Problems analyzing domain with 95/98 systems F Canceling a vulnerability assessment takes too long Cost- $1797 per Admin License does not include yearly maintenance