[110] in Best-of-Security


BoS: Alert: PWAudit now available

daemon@ATHENA.MIT.EDU (Russ)
Wed Apr 9 03:03:35 1997

Date:         Tue, 8 Apr 1997 20:46:27 -0400
Reply-To: Windows NT BugTraq Mailing List <NTBUGTRAQ@RC.ON.CA>,
        Russ <Russ.Cooper@RC.ON.CA>
From: Russ <Russ.Cooper@RC.ON.CA>
Errors-To: best-of-security-request@suburbia.net
To: best-of-security@suburbia.net
Resent-From: best-of-security@suburbia.net

Jeremy Allison has created an extremely useful utility called PWAudit.
PWAudit will programmatically place auditing on the keys that PWDump
accesses to enable security event monitoring of those keys by the
Administrator. This means that should some attempt be made to alter
the permissions on those keys (i.e. enable read access to
Administrator), an event log entry will be generated.

The code, as it stands, could use a bit of additional programming and
Jeremy would love to see someone, anyone, augment its functionality.
Some additional enhancements could be made in what users it indicates
should be audited, whether WRITE_DAC auditing is sufficient or if it
should be stronger, and maybe something to ensure it could only be run
locally by making it check for the Interactive SID for example.

For those of you with a few spare programming cycles, your contributions
would be greatly appreciated.

The source code is now available via email at PWAudit@rc.on.ca. Don't
bother to put anything in your messages as this account is simply
sending the source out to any message it receives.

I'll offer to relay any source suggestions to Jeremy so we don't flood
the list with tons of talk of how to change it programmatically, but
discussion about what else it could or should do is encouraged (just
keep the technical validity of your suggestions high please so it
doesn't degrade into an NT wish list discussion). We won't bother with
an upgrade daily or anything like that, but new releases can be planned
depending on the contributors. If enough people indicate they are
interested in contributing and discussing this, I can set up a separate
list for it for the short-term so those discussions can take place
without bothering everyone else.

Please understand that Jeremy has other work to do, and has done this
program to offer a starting point. It's up to you if you want to turn it
into something more or not.

Cheers,
Russ
R.C. Consulting, Inc. - NT/Internet Security

owner of the NTBugTraq mailing list:
Send SUBSCRIBE NTBUGTRAQ Yourname to Listserv@rc.on.ca
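
Added example, not part of the original post and not PWAudit's source: a Python check an administrator could run to confirm that a key's audit list (SACL) really covers WRITE_DAC, and for which users and outcomes, which are the two points the post raises for improvement. It assumes the key's security descriptor has been exported as an SDDL string (a text format from later Windows releases); the sample descriptor and the function names are constructed for illustration.

```python
import re

WRITE_DAC = 0x00040000  # access right needed to change a key's permissions (DACL)

# Two-letter SDDL rights codes and their access masks for registry keys.
RIGHT_BITS = {
    "WD": 0x00040000,  # WRITE_DAC
    "WO": 0x00080000,  # WRITE_OWNER
    "RC": 0x00020000,  # READ_CONTROL
    "SD": 0x00010000,  # DELETE
    "KR": 0x00020019,  # KEY_READ
    "KW": 0x00020006,  # KEY_WRITE
    "KA": 0x000F003F,  # KEY_ALL_ACCESS
    "GA": 0x000F003F,  # GENERIC_ALL, mapped to KEY_ALL_ACCESS on a registry key
}
AUDIT_FLAGS = {"SA": "success", "FA": "failure"}

# Constructed sample: Everyone (trustee "WD") audited for WRITE_DAC (right "WD").
SAMPLE = "O:BAG:SYD:(A;;KA;;;BA)S:(AU;SAFA;WD;;;WD)"


def pairs(text):
    """Split a run of two-letter SDDL codes ("CISAFA") into its codes."""
    return [text[i:i + 2] for i in range(0, len(text), 2)]


def rights_mask(rights):
    """Turn the rights field of an ACE (codes or a hex mask) into an integer."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for code in pairs(rights):
        mask |= RIGHT_BITS[code]  # KeyError: a code this example does not cover
    return mask


def write_dac_audit(sddl):
    """Map each trustee to the outcomes ("success"/"failure") for which the
    SACL in `sddl` audits use of WRITE_DAC. Empty dict: no such auditing."""
    found = {}
    sacl = re.search(r"S:[A-Z]*((?:\([^)]*\))+)", sddl)
    for ace in re.findall(r"\(([^)]*)\)", sacl.group(1) if sacl else ""):
        ace_type, flags, rights, _guid, _inherit_guid, trustee = ace.split(";")[:6]
        if ace_type != "AU" or not rights_mask(rights) & WRITE_DAC:
            continue
        outcomes = {AUDIT_FLAGS[f] for f in pairs(flags) if f in AUDIT_FLAGS}
        if outcomes:
            found.setdefault(trustee, set()).update(outcomes)
    return found
```

An empty result for a key means that a permission change on it would leave no security event log entry.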

