Recently, a new law in my state forced us to get a top-to-bottom analysis of all
of our contract client's networks. While we have documentation, it was spotty at best for some - and in any event it needed to be checked against reality.
That was my job.
Being a lazy sort, there was no way I was going to walk around to each individual workstation for fifty-plus client sites and run utilities.
There's a hack for that.
1. Gather the tools
You'll need some software to be able to complete all the tasks in this guide:
* Visio 2007
* Microsoft Active Directory Topology Diagrammer (ADTD)
* Microsoft Baseline Security Analyzer (MBSA)
* Lansurveyor Express (registration required for trial version)
* The USERS+GROUPS.BAT file, listed below:
REM Gets all users by sam
dsquery user -o samid -limit 0 >users.txt
REM Gets all users with 90+day passwords by sam
dsquery user -stalepwd 90 -o samid -limit 0 >staleUserPasswords.txt
REM saves all groups and members of that group
if exist membership.txt del membership.txt
dsquery group -limit 0 >groups.txt
:: The FOR command is one single line
for /f "tokens=*" %%g in (groups.txt) do @echo %%g >>membership.txt && echo Members: >>membership.txt && dsget group %%g -members >>membership.txt && echo **************************************** >>membership.txt
REM If Dumpsec is installed, this dumps most of what you'll need
"C:\Program Files\SystemTools\dumpsec.exe" /rpt=Policy /outfile=Policy.txt /computer=%logonserver% /saveas=tsv
"C:\Program Files\SystemTools\dumpsec.exe" /rpt=users /outfile=allUsers.txt /computer=%logonserver% /saveas=tsv
"C:\Program Files\SystemTools\dumpsec.exe" /rpt=Groups /outfile=allGroups.txt /computer=%logonserver% /saveas=tsv
You'll need to install all but USERS+GROUPS.BAT, MBSA and DumpSEC on your laptop. These three get used on the client's server directly.
2. Get the client to buy in
In order to do the total analysis, you need the client to allow some things.
Get them to sign off on the analysis!
While I haven't had complaints from clients, the analysis process is
intrusive and has the potential to slow down their network or crash dodgy equipment. Additionally, you'll be essentially attacking their network, and without this sign-off you really don't have authorization to test anything.
You'll need an enterprise admin logon.
Active Directory Topology Diagrammer and MBSA require it, and DumpSEC runs better with it.
All systems need to be powered on.
You can't analyze a system that's off.
3. On-site analysis
From your laptop, jack into their network and get an IP address from their DHCP server. If you don't get one, you'll need to determine their IP addressing and set yourself up with a static address.
Run Lansurveyor Express with these options:
15 router hops
Check all boxes except
Click on Start Network Discovery
Save the drawing.
Run ADTD with these options:
1. In the server field, enter the name of any DC on the network. Unfortunately, Active Directory Topology Diagrammer does not auto-detect this.
2. On all tabs, make sure the Update existing Visio Drawing tab is unchecked.
3. On the Domains tab, check all boxes. For Domain Details, select the Use DNS… option.
4. On the OU tab, ensure the Draw Organizational Units checkbox is checked and select Draw OU Structure for every Domain is chosen.
5. On the site tab, leave Suppress Empty Sites unchecked. Check all other boxes.
6. On the Exchange tab, leave only the Draw Active Directory Sites… box unchecked.
7. On the Applications tab, make sure the drop-down has Draw Entire Application Partition Structure.
8. On the Servers tab, check everything.
9. When all that’s done, Click the Discover! button and wait for it to allow you to click Draw!
This drops all the Visio docs into your My Documents folder by default.
On any domain controller:
Install DumpSEC, omitting Hyena installation.
Copy USERS+GROUPS.BAT to the server.
Run MBSA with the default options, choosing their domain name as the criteria.
For each server detected with MBSA:
a. Click on Report and enter the server name.
b. Click on Report and select Dump Permissions for All Shared Directories.
c. Click on the file menu and select Save reports as….
d. For the file name, enter the server’s name.
e. For the file type, choose tab separated columns.
f. Save the report. I use SERVERNAME.txt.
Point MSIE to http://www.ipchicken.com
and record the external IP address.
Make sure you copy the results of all of these to your laptop or a USB drive. You'll be wanting them later. MBSA stores the security scans in %userprofile%\securityscans.
DumpSEC's dump permissions report takes the longest time on the on-site analysis - sometimes eight hours or more against a server with large numbers of shares or nested folders, so be prepared to make a return trip if necessary. I usually run concurrent instances of DumpSEC against multiple servers to speed things along.
4. Off-site analysis
With the IP address you've gotten from ipchicken, head to http://who.is and enter it there. This can pull additional IP addresses for the client and give you further insight into their public IP addressing and possibly other points of interest. Usually, there's only the one routable IP address, but I've seen small clients with a class-C public range for reasons no one could explain.
Fire up the GUI Zenmap.
In the command field, type nmap -PN --top-ports 2000
In the target field, enter all public IP addresses you've found; note that NMAP understands CIDR addressing.
Click on Scan and wait.
5. Now what?
Now you've got all this data. What do you do with it?
USERS+GROUPS.BAT produces seven text files.
* Users - the RDNs of all user accounts
* staleUserPasswords - all user accounts with passwords older than ninety days
* groups - the DNs of all groups
* membership - a human-readable list of all groups and their members
* policy - the domain password policy
* allUsers - all users with their attributes in tab-delimited format
* allGroups - all groups and their members in tab-delimited format
With Microsoft Excel (or Openoffice Calc, if you prefer) you can filter allUsers.txt to find which users are disabled, have old passwords, haven't logged on in a while, and other useful pieces of information.
MBSA produces a stack of information as well, such as the patch levels of all systems.
DumpSEC made a log of all shares on each server and their security. This is inherently useful for analyzing who has access to what data. You'll need to go over the shares with the client to determine if they really want all users having read access to their Quickbooks files.
The NMAP analysis should point out any obvious weaknesses in their firewall. Typical open ports are 25, 80 and 443 (for their Exchange server) and 3389 (for terminal services).
That pretty well sums up the process I use to map a network, gather all relevant information, and have all the information I need to produce a report that outlines the deficincies of a client's network.