September 14, 1999 09:37 AM

The Handy Security Toolkit Revisited

Windows IT Pro
InstantDoc ID #7192

Registry Analyzers
The Registry plays a crucial role in NT security because it holds almost all of NT's security configuration settings, in addition to other important information and settings. Therefore, you need to routinely check your Registry settings to reveal incorrectly set permissions and parameters before they lead to disaster.

Manually cruising the Registry is incredibly painful work. An analyzer automates this task and produces reports that are easy to read and understand. Also, such a tool lets you see Registry entries that new software makes during installation, and track changes. In most cases, I prefer Somarsoft's DumpReg tool. DumpReg lets you easily locate keys by finding the last modification date or by matching strings.

When I need to learn which Registry keys programs are reading, creating, or writing to, I use Regmon from Systems Internals. Regmon is a powerful desktop application that intercepts Registry access in real time. You can filter for specific Registry items or let the product operate in a catchall mode so that nothing slips past. Regmon runs on NT and Windows 9x. I highly recommend you add Regmon and DumpReg to your toolkit.

In addition to these two tools, consider getting a copy of Systems Internals' Filemon software. Filemon will watch all file system activity in the same way Regmon watches all Registry activity. With Filemon, you'll discover every file a program touches, including setup programs that install new software. (While you are collecting tools, you should also get Systems Internals' SDelete, which securely deletes files and is US Department of Defense (DOD)-compliant, and Undelete for Windows NT, which can sometimes recover deleted files.)

Access Control Analyzer
Checking ACLs on your shared resources is incredibly important. But similar to working with the Registry, working with the ACL can be tedious. To simplify this task, I use Somarsoft's DumpACL. This analyzer dumps the permissions (or ACLs) for the file system, Registry, shares, and printers into a concise and readable format. The report shows any apparent holes in system security, if you know what you're looking for. In addition to DumpACL, the NT resource kit includes the Cacls utility, which performs a similar function to DumpACL.
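The "apparent holes" a DumpACL report reveals are usually ACEs that give broad groups write-capable rights on sensitive file-system or Registry paths. The following PowerShell script is an added example, not DumpACL, Cacls, or any vendor code; it runs the same kind of check on a small set of paths. The paths, the list of broad principals, and the rights pattern are assumptions you should adjust for your own systems.

```powershell
# Added example: flag Allow ACEs that grant write-capable rights to broad principals.
# The paths and principal list below are assumptions, not values from the article.
$Paths = @(
    'C:\Windows\System32\drivers\etc',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)
# Rights names from FileSystemRights and RegistryRights that allow changing data or permissions.
$WritePattern = 'FullControl|Modify|Write|ChangePermissions|TakeOwnership|SetValue|CreateSubKey|Delete'

function Find-BroadWriteAccess {
    param([string[]]$Path, [string[]]$Principal, [string]$Pattern)
    foreach ($p in $Path) {
        # Get-Acl handles both the FileSystem and Registry providers.
        $acl = Get-Acl -Path $p -ErrorAction SilentlyContinue
        if (-not $acl) { Write-Warning "Cannot read ACL on $p"; continue }
        foreach ($ace in $acl.Access) {
            # File ACEs expose FileSystemRights; Registry ACEs expose RegistryRights.
            $rights = if ($ace.PSObject.Properties['FileSystemRights']) {
                $ace.FileSystemRights
            } else {
                $ace.RegistryRights
            }
            # Generic rights on some inherited ACEs render as a number and are not matched here.
            if ($ace.AccessControlType -eq 'Allow' -and
                $Principal -contains $ace.IdentityReference.Value -and
                "$rights" -match $Pattern) {
                [pscustomobject]@{
                    Path      = $p
                    Identity  = $ace.IdentityReference.Value
                    Rights    = "$rights"
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

Find-BroadWriteAccess -Path $Paths -Principal $BroadPrincipals -Pattern $WritePattern |
    Format-Table -AutoSize
```

Run it from an elevated prompt so every ACL is readable; an empty table means none of the listed principals holds write-capable rights on those paths.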

Packet Sniffer
A packet sniffer grabs packets off your network for further analysis. Packet capture is a great capability when your network is acting up or when you need to determine what data a particular program is transmitting over the network. Another good reason to use a packet sniffer is to head off intruders who attempt to penetrate your network without leaving traces in the NT event log—a packet sniffer will catch this activity. In addition, intrusion attempts can sometimes confuse your network or make it behave in strange ways. If you suspect something is amiss, a packet sniffer can quickly lead you directly to the source of the problem.

Cinco Networks developed my favorite sniffer: NetXRay. Network Associates bought Cinco Networks and renamed the product Sniffer Total Network Visibility (TNV). As with most packet sniffers, Sniffer TNV requires that your network card support promiscuous mode, so Sniffer TNV can collect packets destined for any address on your network. Most network cards support this mode of operation. Sniffer TNV runs on 10/100 Ethernets and asynchronous transfer mode (ATM) networks. Sniffer TNV also comes in several varieties that offer different feature sets, including Sniffer Basic, Sniffer Pro LAN, Sniffer Pro WAN, and Sniffer Pro High Speed.

Password Crackers
Testing password strength is another important task to perform when analyzing network security. When I started in NT security, no NT password cracker tools were available, but today several tools are available. The best password cracker tool that I've found is L0phtCrack from L0pht Heavy Industries. L0phtCrack is easy to use and fast. L0phtCrack can perform dictionary cracks or brute force cracks, making it a well-rounded tool to have in your toolkit. And at $100, L0phtCrack offers a heck of a value.

L0phtCrack lets you dump the SAM and perform password strength testing on the password hashes. In addition, L0phtCrack 2.5 uses SMB Packet Capture Output, an integrated packet sniffer that grabs Server Message Block (SMB) packets sent across the network. Network authentication uses the SMB protocol when authenticating connections to network resources. The sniffer grabs the packets sent during SMB sessions that contain the authentication information. After L0phtCrack's SMB Packet Capture Output obtains the packets, the software then attempts to crack the password hashes. (For information about how NT 4.0 with Service Pack 4—SP4—stands up to cracks on authentication by L0phtCrack, see R. Franklin Smith, "Inside SP4 NTLMv2 Security Enhancements," September 1999.)

In addition to testing your passwords' strength, you need the ability to recover passwords. And although L0phtCrack can crack almost any password, this intruder tool can't crack the password without access to hashes from the SAM (e.g., you must be able to log on to the system or have remote Registry access). So, if you lose your NT administrator password and don't have the password to any accounts in the administrator's group, you won't be able to log on. In these cases, I use Systems Internals' NTLocksmith.

NTLocksmith is an ingenious tool that uses two NT systems to recover a locked-out system. You can use Systems Internals' NTRecover to connect a working NT system and a locked-out NT system. With NTRecover, you can run NTLocksmith, which directly accesses the NT Registry and lets you reset the administrator account password. A slick feature of NTLocksmith is that it works on any system, even systems with NT 4.0 SP3's Syskey utility in place. If you don't own NTRecover and NTLocksmith, I highly recommend you obtain copies of each because these products will save you sooner or later. At $189 and $49, respectively, these tools are worth every cent.

Overall Security Scanners
What the above tools can't do, system security scanners will do. Security scanners ordinarily include more features than the tools I mentioned earlier, and in most cases, security scanners look for numerous problems with your network security. Most NT-based security scanners are aware of the security risks to NT, which makes them an ideal tool for discovering the state of your NT systems' security.

Of the system security scanners available, I recommend the SAFEsuite kit from ISS. ISS products are valuable because they do a fantastic job of surveying your systems' vulnerabilities. However, a couple of other products have also caught my attention.

Network Associates has a great tool called CyberCop, which, similar to Internet Scanner from ISS, performs vulnerability testing against NT systems. I found CyberCop to be easy to use and a great complement to the Sniffer TNV products. CyberCop also has good support from Network Associates.

An up-and-coming security product from WebTrends is called WebTrends Security Analyzer. WebTrends Security Analyzer performs vulnerability testing in a similar fashion to Internet Scanner and CyberCop. What I really like about WebTrends Security Analyzer is the reporting interface. WebTrends' experience in developing reporting interfaces shines with this product. The reports are well designed and easy to read. WebTrends Security Analyzer also sports a custom API that lets users develop customized vulnerability checks for in-house use, and other WebTrends Security Analyzer users can share the customized checks.

And if your network is rooted into BindView's network management platform, check out the company's new NOSadmin tool. NOSadmin adds security vulnerability testing to the BindView Enterprise Management Station (EMS) console.

While you're checking your NT systems for vulnerabilities, don't forget your Microsoft SQL Server machines. In this area, ISS's Database Scanner stands alone. At press time, I hadn't found any other database security scanners on the market. And although Database Scanner is the only product in this category, it's a great tool for the job. Database Scanner can examine your SQL Server configuration and make recommendations for changes to consider. Database Scanner performs checks that include security permissions and dangerous embedded procedures.

In addition to examining systems to find vulnerabilities, you'll also want to learn which service packs and hotfixes your NT-based systems have installed. One of the best tools for this task is MTE Software's SPQuery. (For a review of service-pack management products, see David Chernicoff, "Service Pack Management," August 1999.) SPQuery checks the Registry on NT systems to discover which service packs and hotfixes are loaded. When necessary, the product can also download missing service packs and hotfixes and help install them. The product is a genuine timesaver. If you don't have a copy of SPQuery, I suggest you get one because it will save you a ton of time and headaches.

An Ounce of Prevention
Now you know some of my security secrets, which often reside with the tools that I have in my toolbox. Keep in mind that the security industry is evolving at a blistering pace, with new tools and techniques surfacing every month. You can do yourself a big favor by obtaining the tools I mentioned, closely monitoring vendor updates, and watching the security industry for new developments. While you're mulling over security, remember that an ounce of prevention is worth a pound of cure, except in the case of security, when an ounce of prevention might be worth a few tons of cure.

Comments
  • Anonymous User
    Jul 01, 2005

    excellent summary for the basic necessities for a secure system!
