
Meeting Notes - 3/22/99

daemon@ATHENA.MIT.EDU (Leonard Kimble Jr)
Thu Mar 25 10:58:16 1999

Date: Thu, 25 Mar 1999 10:58:02 -0500
To: ntpartners@mit.edu
From: Leonard Kimble Jr <lkimble@MIT.EDU>

Hello Partners.

Here are notes on the topics we discussed at the last NT Partners Meeting...

March 22, 1999
------

1.  NT BugTraq Mailing list
2.  Updating Dat files with Network Associates VirusScan (and NetShield)
3.  NT utilities, netwatch and netstat
4.  ADSM backup and schedule errors
5.  NT Auditing

------

1.  NT BugTraq is a mailing list created to invite the free and open
discussion of Windows NT Security Exploits/Bugs. (As taken from the
description given me when I subscribed.)  This list is one of a few sources
we use to maintain a high level of knowledge about security concerns.
    Information on joining can be found at
<http://tile.net/lists/ntbugtraq.html>
    (To subscribe to this list send the text:
        subscribe NTBUGTRAQ your name
    in the body of the message to:
        listserv@LISTSERV.NTBUGTRAQ.COM)

2.  Updating Dat files with Network Associates VirusScan (and NetShield).
    A few of you are probably familiar with VirusScan's (and NetShield's)
ability to do auto-updates of the virus dat file.  If you've looked into it
you may have noticed that the default ftp site to check for and download
new dat files is <ftp://ftp.mcafee.com/pub/antivirus/datfiles/4.x>.  I
now know that this is the place for the release of supported dat files.
    Beta releases of dat files can be found at
<http://www.avertlabs.com/public/datafiles/4xupdates.asp>.  In the words of
Network Associates, "Please remember these DAT files are BETA, and may
cause unexpected results."  The currently supported dat file is 4014.  I am
currently using 4016 with no problems.  The most recent beta is version
4018 (posted 3/23/99).
    I also would recommend administrators keep apprised of current Network
Associates virus alerts at
<http://www.avertlabs.com/public/datafiles/valerts/>, which is off the main
beta page, <http://beta.nai.com>.

3.  NetWatch and NetStat.
    We discussed ways to monitor current connections to your system and others
on the network, including servers.

    Netwatch.exe comes with the NT Resource Kit.  As taken from the Resource
Kit documentation:
NETWATCH.EXE: Net Watch shows which users are connected to shared folders.
It also enables you to disconnect users and un-share folders. It can now
simultaneously monitor multiple computers.

Note: To use Net Watch, the Server service must be started and you must be
logged on as a member of the Administrators group for any computer you are
trying to watch.

    Netstat.exe (comes with NT, located in C:\winnt\system32) is a diagnostic
command that displays protocol statistics and current TCP/IP network
connections.  Information on the tool can be found at
<http://msdn.microsoft.com/library/winresource/dnwinnt/html/s77ab.htm>.
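To make netstat's output useful for routine monitoring rather than one-off reading, the listing can be parsed and compared against the services a server is supposed to offer. The script below is an added example written for these notes, not a tool from the Resource Kit; the `netstat -an` listing it parses is constructed (192.0.2.0/24 documentation addresses), and the expected-listener set is an assumption for the illustration.

```python
import re
from collections import Counter

# Constructed sample in the layout "netstat -an" prints on Windows NT
# (addresses from the 192.0.2.0/24 documentation range, not a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:139         192.0.2.25:1034        ESTABLISHED
  TCP    192.0.2.10:139         192.0.2.77:1201        ESTABLISHED
  TCP    0.0.0.0:3000           0.0.0.0:0              LISTENING
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:138            *:*
"""

# One connection line: proto, local addr:port, foreign addr:port, optional state.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s*(\S*)\s*$")

def parse_netstat(text):
    """Return one dict per connection line; the header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, laddr, lport, faddr, fport, state = m.groups()
        rows.append({"proto": proto, "local": laddr, "lport": lport,
                     "foreign": faddr, "fport": fport, "state": state})
    return rows

def count_by_state(rows):
    """How many sockets are in each state (UDP has no state and counts as "")."""
    return Counter(r["state"] for r in rows)

def established_peers(rows):
    """Remote hosts currently holding an ESTABLISHED TCP connection to us."""
    return sorted({r["foreign"] for r in rows if r["state"] == "ESTABLISHED"})

def unexpected_listeners(rows, expected):
    """Listening sockets whose (proto, port) is not in the expected set: a
    quick check that a server is only offering the services it should."""
    found = set()
    for r in rows:
        listening = r["state"] == "LISTENING" or r["proto"] == "UDP"
        if listening and (r["proto"], int(r["lport"])) not in expected:
            found.add((r["proto"], int(r["lport"])))
    return sorted(found)
```

Run periodically against a saved `netstat -an` listing, the third function reports any listener that was not in the baseline, which is the case worth a closer look.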

4.  ADSM backup and schedule errors.
There are two files installed with ADSM that log activities dealing with
the ADSM scheduler server and backup errors.  DSMERROR.log and DSMSCHED.log
are both located at C:\win32app\ibm\adsm\baclient (default locations).
Along with your NT system's application log (viewed with Event Viewer),
these files contain useful information that can help to diagnose ADSM
backup and scheduling problems.  If you see errors in either of these files
and see that your system is either not getting its schedule or failing
backups, please contact the help desk (computing-help@mit.edu) for assistance.

5.  Auditing.
We also discussed how NT auditing can be another (heavy-handed) way to
monitor access to systems.  The scenario we worked on in the meeting was
monitoring access to a particular folder on an NTFS drive.  In User Manager
(for Domains), go to Policies, Audit.  Here you can specify what kinds of
activities to monitor.  (Note that doing this using User Manager for
Domains on a Domain Controller affects the auditing policy on all of your
domain controllers.)  In our test, we enabled auditing on "Success of File
and Object Access".  After closing this dialog box, using Explorer we went
to a directory to audit.  Bringing up the Security tab of the Properties
dialog for a file or folder, we clicked on Auditing.  Here you add users and/or
user groups on which to perform auditing.  Then, for each user or user group
added, you select specifically what to audit.  I'd suggest trying not to be
too heavy-handed here, because your Security event log will quickly get
packed with data as users touch files.  Experiment with settings here and
see what best suits your needs.
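One way to decide how heavy-handed the per-folder audit entries should be is to summarize what the Security log actually collects for a while. The script below is an added example for these notes, not part of NT or the meeting; the records are constructed, and the four-column layout (time, user, object, access) is an assumption, since a real Event Viewer export carries more columns.

```python
import csv
import io
from collections import Counter

# Constructed sample: records in the shape of a Security event log export
# (time, user, object, access). The real Event Viewer export has more
# columns; this layout is an assumption made for the illustration.
SAMPLE_AUDIT = """\
time,user,object,access
1999-03-22 09:01:03,MITDOMAIN\\alice,D:\\Shared\\budget.xls,READ
1999-03-22 09:01:04,MITDOMAIN\\alice,D:\\Shared\\budget.xls,READ
1999-03-22 09:02:10,MITDOMAIN\\bob,D:\\Shared\\budget.xls,WRITE
1999-03-22 09:05:44,MITDOMAIN\\alice,D:\\Shared\\notes.doc,READ
1999-03-22 09:06:00,MITDOMAIN\\carol,D:\\Shared\\notes.doc,DELETE
1999-03-22 09:07:15,MITDOMAIN\\bob,D:\\Shared\\budget.xls,READ
"""

# Access types that change data; READ is what fills the log on a busy share.
CHANGE_ACCESSES = {"WRITE", "DELETE"}

def load_events(text):
    """Parse the export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))

def events_by(events, field):
    """Record count per distinct value of a column (e.g. "user" or "object")."""
    return Counter(e[field] for e in events)

def read_only_share(events):
    """Fraction of records that are plain READs: with success auditing of every
    access on a busy folder, this is most of the Security log's volume."""
    if not events:
        return 0.0
    return sum(1 for e in events if e["access"] == "READ") / len(events)

def changes_only(events):
    """The records an audit entry limited to write/delete access would keep."""
    return [e for e in events if e["access"] in CHANGE_ACCESSES]

def noisiest(events, field, n=1):
    """The n values of a column producing the most records, for tuning which
    users or folders the audit entries should cover."""
    return events_by(events, field).most_common(n)
```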

------------------------


Please send any questions or comments to the list...

Thanks,

Leonard


---------------------------------------------------------------------------
Leonard Kimble Jr               MIT - Information Systems
lkimble@mit.edu                 Departmental Computing Support
E40-329, 258-7932               Consultant

 http://web.mit.edu/lkimble/www/
---------------------------------------------------------------------------
