Defense-in-Depth Security Tools/Guides

Date of Document: August 29, 2006

TOOLS: The following tools are free.

  • BGInfo - This fully-configurable program automatically generates desktop backgrounds that include important information about the system including IP addresses, computer name, network adapters, and more.
  • AccessEnum - This simple yet powerful security tool shows you who has what access to directories, files and Registry keys on your systems. Use it to find holes in your permissions, such as Everyone or Users groups with write access to locations that should be read-only.
  • RootkitRevealer - Scans your system for rootkit-based malware by comparing the file system and Registry as seen through the Windows API with the raw on-disk data; discrepancies between the two views point to hidden files or keys.
  • Sophos Anti-Rootkit - This software will detect and remove both known and unknown rootkits, and it will also warn system administrators if removing the software might harm operating system integrity.
  • Handle 3.2 - This handy command-line utility shows you which files are open by which processes, and much more.
  • PsInfo - A command-line tool that gathers key information about the local or remote Windows NT/2000 system, including the type of installation, kernel build, registered organization and owner, number of processors and their type, amount of physical memory, the install date of the system and, if it is a trial version, the expiration date.
  • System Profiler - Faronics System Profiler is a unique software utility that generates a detailed inventory of a workstation's configuration and properties.
  • Microsoft Malicious Software Removal Tool - The Microsoft Windows Malicious Software Removal Tool checks computers running Windows XP, Windows 2000, and Windows Server 2003 for infections by specific, prevalent malicious software (including Blaster, Sasser, and Mydoom) and helps remove any infection found. It covers only a fixed list of families and is not a substitute for a full antivirus product.
  • Password Safe - Password Safe is an Open Source (free) tool that allows you to have a different password for each of the programs and websites that you deal with, without actually having to remember all those usernames and passwords. The entries are stored in an encrypted database protected by a single master passphrase.
  • DropMyRights - DropMyRights is a very simple application to help users who must run as an administrator run applications in a much safer context, that of a non-administrator. It does this by taking the current user's token, removing various privileges and SIDs from the token, and then using that token to start another process, such as Internet Explorer or Outlook. This tool works just as well with Mozilla's Firefox, Eudora, or Lotus Notes e-mail.
  • MBSA 2.0 (Microsoft Baseline Security Analyzer) - An easy-to-use tool that helps you determine your security state in accordance with Microsoft security recommendations and offers specific remediation guidance. It can detect common security misconfigurations and missing security updates on your computer systems. The download is available to customers running genuine Windows, and you have to validate Windows on the Microsoft website before downloading.
  • File Watch - A small utility that can monitor a given file for changes. Monitoring can detect file size changes or simply file writes, both with minimal impact on system resources (no polling is performed).
  • Fport - Fport reports all open TCP and UDP ports and maps them to the owning application. This is the same information you would see using the 'netstat -an' command (on Windows XP and later, 'netstat -ano' also shows the owning PID), but Fport goes further and maps each port to the running process with its PID, process name and path. Fport can be used to quickly identify unknown open ports and their associated applications.
  • Attacker - A TCP/UDP port listener. You provide a list of ports to listen on and the program will notify you when a connection or data arrives at the port(s). Can minimize to the system tray and play an audible alert. This program is intended to act as a guard dog to notify you of attempted probes to your computer via the Internet.
  • WinMD5Sum - This is a utility to calculate the MD5 checksum of a file using L. Peter Deutsch's MD5 code. MD5 is adequate for detecting accidental corruption, but practical collision attacks against it are known, so do not rely on it to prove that a file has not been tampered with when a stronger hash such as SHA-256 is available.
  • PsKill - This is a kill utility that not only does what the Resource Kit's version does, but can also kill processes on remote systems. You don't even have to install a client on the target computer to use PsKill to terminate a remote process; you do need administrative credentials on the remote system.
  • Spider - This is an Open Source tool from Cornell University that will examine Windows or Linux systems for files containing any number of confidential data types. Follow the instructions carefully and be sure to remove and/or protect Spider log files, since they can contain pointers to some very sensitive information on your system.
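The kind of scan that Spider performs, as an added example (this is not Cornell's code and the tool's own patterns are not reproduced here). It assumes two hypothetical data types, US-formatted Social Security numbers and 13 to 19 digit payment card numbers, and applies the Luhn check to the latter so that an arbitrary run of digits does not count as a finding. In keeping with the warning above about Spider's log files, the report masks everything but the last four digits of each hit, so the scanner's own output does not become another copy of the sensitive data. The sample text is constructed.

```python
"""Scan text for confidential data patterns, reporting masked findings only.

Added example, not Cornell Spider's code. Assumed data types: US SSNs in
###-##-#### form and 13-19 digit payment card numbers validated with Luhn.
"""
from __future__ import annotations

import re
import sys
from pathlib import Path
from typing import List, Tuple

# Area 000, 666 and 9xx are never issued; group 00 and serial 0000 are invalid.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed sample: one valid SSN, one Luhn-valid card, one phone number and
# one 16-digit string that fails the Luhn check and must not be reported.
SAMPLE_TEXT = """Payroll export (constructed sample data)
employee: J. Doe ssn 078-05-1120
corp card 4111 1111 1111 1111 exp 12/09
phone 804-828-1177 order 1234567812345678
"""


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four characters so findings are safe to log."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_text(text: str) -> List[Tuple[str, int, str]]:
    """Return (data_type, line_number, masked_value) for each hit in text."""
    findings: List[Tuple[str, int, str]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in SSN_RE.finditer(line):
            findings.append(("ssn", lineno, mask(m.group())))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                findings.append(("card", lineno, mask(digits)))
    return findings


def scan_tree(root: Path) -> List[Tuple[str, str, int, str]]:
    """Scan every regular file under root; binary content is read as text."""
    results = []
    for path in root.rglob("*"):
        if path.is_file():
            text = path.read_text(encoding="utf-8", errors="ignore")
            results.extend((str(path), t, ln, v) for t, ln, v in scan_text(text))
    return results


def demo() -> List[Tuple[str, int, str]]:
    """Run the scanner over the constructed sample."""
    return scan_text(SAMPLE_TEXT)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, kind, lineno, value in scan_tree(Path(sys.argv[1])):
            print(f"{path}:{lineno}: {kind} {value}")
    else:
        for kind, lineno, value in demo():
            print(f"sample:{lineno}: {kind} {value}")
```

Run it with a directory argument to walk a tree, or with no argument to scan the embedded sample; the phone number and the non-Luhn digit string on the last sample line produce no findings.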

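A port-to-process mapping of the kind Fport produces, as an added example that is not Fport's code. It assumes the output formats of 'netstat -ano' and 'tasklist /fo csv /nh' on Windows XP and later, and the sample output below is constructed. One check worth having that Fport's display does not spell out: a listening port whose PID does not appear in the process list is flagged, since that mismatch (a socket owned by a process the task list cannot see) is exactly the kind of discrepancy a rootkit produces.

```python
"""Map open ports to owning processes from netstat -ano and tasklist output.

Added example, not Fport's code. Assumes Windows XP+ output formats for
`netstat -ano` and `tasklist /fo csv /nh`; the samples below are constructed.
"""
from __future__ import annotations

import csv
import io
import subprocess
from typing import Dict, List, Tuple

# Constructed `netstat -ano` output: TCP rows carry a State column, UDP rows
# do not. PID 2208 is deliberately absent from the task list below.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       2208
  TCP    192.168.1.10:1034      10.0.0.5:80            ESTABLISHED     1520
  UDP    0.0.0.0:500            *:*                                    1100
"""

# Constructed `tasklist /fo csv /nh` output.
TASKLIST_SAMPLE = """"System","4","Console","0","236 K"
"svchost.exe","884","Console","0","4,988 K"
"lsass.exe","1100","Console","0","1,300 K"
"iexplore.exe","1520","Console","0","22,460 K"
"""

MISSING = "<not in tasklist>"


def parse_tasklist(text: str) -> Dict[int, str]:
    """Return {pid: image name} from tasklist CSV output."""
    names: Dict[int, str] = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 2 and row[1].isdigit():
            names[int(row[1])] = row[0]
    return names


def parse_netstat(text: str) -> List[Tuple[str, int, str, int]]:
    """Return (proto, local_port, state, pid) for each socket row."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] == "TCP" and len(parts) == 5:
            proto, local, _foreign, state, pid = parts
        elif parts and parts[0] == "UDP" and len(parts) == 4:
            proto, local, _foreign, pid = parts
            state = ""                      # UDP has no connection state
        else:
            continue                        # header, blank or unexpected row
        port = int(local.rsplit(":", 1)[1])  # rsplit also handles [::]:port
        rows.append((proto, port, state, int(pid)))
    return rows


def open_ports(netstat_text: str, tasklist_text: str,
               listening_only: bool = True) -> List[Tuple[str, int, int, str]]:
    """Join sockets to process names; unknown PIDs are marked MISSING."""
    names = parse_tasklist(tasklist_text)
    result = []
    for proto, port, state, pid in parse_netstat(netstat_text):
        if listening_only and proto == "TCP" and state != "LISTENING":
            continue
        result.append((proto, port, pid, names.get(pid, MISSING)))
    return sorted(result)


def collect_live() -> List[Tuple[str, int, int, str]]:
    """Run the real commands on a Windows host and map the results."""
    ns = subprocess.run(["netstat", "-ano"], capture_output=True,
                        text=True, check=True).stdout
    tl = subprocess.run(["tasklist", "/fo", "csv", "/nh"], capture_output=True,
                        text=True, check=True).stdout
    return open_ports(ns, tl)


def demo() -> List[Tuple[str, int, int, str]]:
    """Map the constructed sample output."""
    return open_ports(NETSTAT_SAMPLE, TASKLIST_SAMPLE)


if __name__ == "__main__":
    for proto, port, pid, name in demo():
        flag = "  <-- investigate" if name == MISSING else ""
        print(f"{proto:<4}{port:>6}  pid {pid:<6} {name}{flag}")
```

Unlike Fport, this only reports the image name, not the full path; tasklist does not emit it, so a hidden process that simply reuses a common name would still need to be checked by path with a tool such as PsInfo or Handle.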
Cheat Sheets and Guides

 

VCU
701 W. Broad St., Box 843059
Richmond, VA 23284
(804) 828-1177