MTR 97B0000056
MITRE TECHNICAL REPORT

Evaluation of Security Assessment Tools for Windows NT
Dumpel.exe

August 1997

Raymond P. Galloni

Sponsor: Air Force - C2 Protect Lab MOIE
Contract No.: F19628-94-C-0001
Dept. No.: G021
Project No.: 039774520B

This document was prepared for authorized distribution only. It has not been approved for public release.

MITRE Center for Integrated Intelligence Systems
Bedford, Massachusetts

MITRE Department Approval: Marion C. Michaud, Department Head
MITRE Project Approval: Michelle J. Gosselin, Project Leader

Abstract

This report is an evaluation of the dumpel utility included in the Windows NT Resource Kit. It describes the usability of the utility and its features. Dumpel's merit is based on a wide range of criteria, including the documentation, user interface, and the depth of its features compared to a features checklist that was developed for event log analyzers. The document is divided into sections that correspond with each of the mentioned areas. The conclusion section supplies an overall feel for Dumpel and includes some recommendations for using the tool.
KEYWORDS: Dumpel, event logs, event log analyzers, auditing

Table of Contents

* 1 Introduction
  o 1.1 Background
  o 1.2 Purpose and Scope
  o 1.3 Approach
  o 1.4 Event Log Analyzers
    + 1.4.1 Relationship of Auditing and Event Logs
    + 1.4.2 Event Log Contents
    + 1.4.3 Description of Event Log Analyzers
    + 1.4.4 Event Viewer - Baseline Tool
  o 1.5 Description of DUMPEL.EXE
  o 1.6 System Requirements
    + 1.6.1 Software
    + 1.6.2 Hardware
  o 1.7 Description of Evaluation Testbed
    + 1.7.1 Hardware Configuration
    + 1.7.2 Operating System (OS) Version
    + 1.7.3 Network/Domain Configuration
* 2 Evaluation Results
  o 2.1 Software Acquisition
  o 2.2 Installation and Configuration
    + 2.2.1 Documentation
    + 2.2.2 Technical Support
    + 2.2.3 User Interface
  o 2.3 Description of Features
* 3 Conclusion
  o Appendix A Features Checklist
  o Appendix B Dumpel Text File
* Glossary
* Distribution List

Section 1 Introduction

1.1 Background

Windows NT is gaining popularity worldwide as an inexpensive and user-friendly operating system for servers and workstations. Windows NT is still relatively new and vulnerabilities are being discovered frequently. In response, many tools are being developed to assess the security of Windows NT networks and alert the administrators of any potential vulnerabilities. Other tools are being developed to assist the administrators in managing the security of their NT systems.

The objective of our research is to provide information about these tools to the sponsors so that they can establish a Windows NT security toolkit composed of commercial off-the-shelf (COTS) applications. Our focus is to keep our sponsors up to date on the latest COTS security products and to evaluate their value. We have combined the efforts of several projects on security tools to provide an effective and timely evaluation of these tools.
The funding sources for the projects are the National Security Agency (NSA), Space and Naval Warfare Systems Command (SPAWAR) Information Security (INFOSEC) Program Office (PMW-161), Defense Information Infrastructure Common Operating Environment (DII COE), and the MITRE C2 Protect Lab Mission-Oriented Investigation and Experimentation (MOIE).

The evaluation approach was to compile a list of tools, divide them into categories, and conduct tests of each tool. Thirteen categories were established, and five (Port Scanners, Event Log Analyzers, Access Control Analyzers, Registry Analyzers, and Security Assessment Tools) were chosen as priorities for evaluation. As time permits, the tools in the other categories will also be evaluated.

A series of checklists was developed to ensure consistent evaluation. The checklists define desired features for each tool category. Portions of the checklists are generic as they address features found across several tool categories, such as Installation/Configuration and Reporting features; other portions are specific to the tool category, such as Port-Scanning features. Completed versions of these checklists are provided in the appendix of each report. Each tool selected for evaluation is compared to the appropriate checklist and the results are documented in an individual report for each tool. Information provided in these reports will serve as a basis for the sponsors to select the tools they need to help secure their networks.

In-depth evaluation of selected tools may be conducted on an on-demand basis. The selection of specific tools to undergo this level of testing will be based on sponsor requests. This testing would focus on performance in simulated operating environments and against known attacks and vulnerabilities.

1.2 Purpose and Scope

The purpose of this document is to provide an evaluation of the dumpel utility, an Event Log Analyzer produced by Microsoft, for use with the Windows NT operating system.
This document is one in a series describing the evaluation of security tools that can be used with Windows NT, as identified in the section above.

1.3 Approach

The approach of this document is to describe each tool, identify relevant system requirements, describe the testbed environment, document each tool's use and functionality, and provide a features checklist.

1.4 Event Log Analyzers

1.4.1 Relationship of Auditing and Event Logs

Auditing is a method used by System Administrators to keep track of the events that occur on a host and allows an administrator to hold individuals accountable for their actions. Windows NT displays audit events in one of the three event logs: Application, Security, and System. The Application Log shows problems or issues concerning the applications on a host. The Security Log shows issues concerning the security policy of a host. The System Log shows problems or issues with the operating system or hardware for a host.

The System Administrator can customize security auditing through the User Manager for Domains (for Domain Controllers) application and the User Manager (for stand-alone servers and workstations) application. The choices the administrator has for auditing are in terms of success and failure on event categories. The Security Log categories are Logon and Logoff, File and Object Access, Use of User Rights, User and Group Management, Security Policy Changes, Restart and Shutdown, and Process Tracking. Choosing to audit the success or failure of these event types causes event information to be recorded in the Security Log. The information for the Application Log comes from settings that are selected from within compliant applications. System Log information comes from basic operating system services and configurations.

1.4.2 Event Log Contents

Event Logs contain records of audited information.
Windows NT does a good job of standardizing the type of information included in the three main event logs: Application, Security, and System. This information contains the type of event, the name of the event, the time and date of event occurrence, the event ID, the event source, the event category, the computer the event occurred on, and a brief description of the event. From this information an administrator is able to isolate the cause of the problem and initiate any possible corrective actions.

1.4.3 Description of Event Log Analyzers

Event Log Analyzers offer NT System Administrators a useful way to organize and correlate the excessive amounts of information that can be stored within the event logs. They allow the administrator to isolate critical problems with a host, whether they are related to security, an application, or operating system functionality. Once the problem has been identified, the administrator can take the necessary steps to correct the problem.

The ideal event log analyzer should be easy to install and configure. It should also be able to analyze different types of logs, such as the three main NT logs, in addition to special purpose logs like Internet Information Server (IIS) or Point-to-Point Protocol (PPP) Logs. The analyzer should also be able to get information from remote machines, in addition to the local host. The console for the tools should display the status of all the machines that are analyzed.

The ideal event log analyzer would come with some pre-defined alerts and allow the administrator to define certain event types for inclusion or exclusion in analysis. The administrator should be able to specify the severity level (high to low or critical to informational) of the included events. The analyzer would then take these definitions and automatically parse through the various logs and identify events accordingly. Upon identification of critical events, the analyzer should alert the appropriate user and relay the event information.
The administrator should be able to apply these alerts to all hosts or on an individual host basis. It should be able to generate comprehensive reports on its findings, include a variety of default reports to assist the administrator, and also allow for customizable reports. In addition, it would apply an intelligent assessment of the situation and suggest to the administrator a means of correcting the situation and ensuring that the host is in a secured, stable state. All of these properties would increase in significance if the events could be identified as they happen and allow the tool to be a proactive monitor.

1.4.4 Event Viewer - Baseline Tool

The Windows NT Native Event Viewer runs on all Windows NT machines. When run by a Domain Administrator, all of the Application, Security, and System Logs for all machines within a domain can be viewed. The logs display the date, time, source, category, event ID, user, and the computer the event occurred on. The events can also be viewed through a user-defined filter to limit the amount of information presented to the administrator. This information is displayed on the monitor but cannot be dumped into report format or into a database. The information can be saved into a different log name, in three different formats: .evt files, which only the Event Viewer can properly display; .txt text files; and .txt comma-delimited files, which only restructure part of the event data. There are some other applications that dump the information from the specific event logs into other useable formats, but the Event Viewer does not include this feature.

1.5 Description of DUMPEL.EXE

Dumpel is a command-line utility that extracts data from the Application, Security, and System Logs into a format that can be imported into a database. It allows the user to set some filtering options to either include or exclude specific events. It can also extract data from the event logs of remote machines.
1.6 System Requirements

1.6.1 Software

The hosts must have Windows NT Server or Workstation 4.0 installed.

1.6.2 Hardware

The host platform needs to be able to support Windows NT 4.0.

1.7 Description of Evaluation Testbed

1.7.1 Hardware Configuration

The two hosts used for testing were both Compaq Pentium 90s with 32 MB RAM.

1.7.2 Operating System (OS) Version

One host operated as the server and was running Windows NT Server Version 4.0 with Service Pack 3 (SP3) and the Out-of-Band (OOB) hotfix, Domain Name Service (DNS) hotfix, and the JAVA hotfix for SP3. The second machine operated as a client and was running Windows NT Workstation 4.0 with SP3 and the OOB hotfix, DNS hotfix, and the JAVA hotfix for SP3.

1.7.3 Network/Domain Configuration

These machines were the sole participants within the domain. One of the machines was acting as the Primary Domain Controller while the other was a stand-alone server within the domain.

Section 2 Evaluation Results

This section describes the results of the assessment of the dumpel utility. The assessment was done with the aid of a checklist that has been compiled for Event Log Analyzers. Included in the appendix is the completed checklist for dumpel.

2.1 Software Acquisition

The dumpel utility comes with the Windows NT 4.0 Resource Kit.

2.2 Installation and Configuration

Dumpel can be installed with the Resource Kit installation by selecting the "utilities" category, accessed directly from the CD-ROM, or copied from the CD-ROM to a local hard disk and run from the directory in which it resides.

2.2.1 Documentation

The dumpel utility has a limited amount of documentation. Basic syntax and use information is accessed through the command line. By simply typing dumpel, a list of the switches is displayed on the screen. The other documentation source is the dumpel.txt file. This contains the same description of the switches that the command-line help does, plus it includes a few examples.
The dumpel.txt file is included in Appendix B.

2.2.2 Technical Support

Additional information about dumpel can be found in the Windows NT Resource Kit on-line help utility, or within the Microsoft Knowledge Base at http://www.microsoft.com/kb.

2.2.3 User Interface

Dumpel is a simple command-line utility. A limited number of switches can be appended to the command, allowing for a variety of results in the output. These switches are explained in the Description of Features section and in the appendices.

2.3 Description of Features

The dumpel utility allows the data from the three main event logs, Application, Security, and System, to be extracted from their event log format and placed into a file in a tab-delimited form. The delimited form allows the newly created file to be imported into a database. In extracting the data, dumpel can perform some filtering to specify what to include or exclude based on some defining characteristics. These filters allow the administrator to specify which host the log is coming from, which of the event logs the data is dumped from, which source (e.g., Serial, Winlogon, etc.) the event came from, an event id, how the data is organized in the file, and the name of the new file. However, dumpel can only apply one filter to one log at a time.

After the utility is run, the file created can be imported into a database. Some practice with the created file structure may be needed to ensure smooth importation into the database. At that point, the data can be manipulated to the extent of the database. This means reports can be generated and the data can be used effectively and efficiently. Other sophisticated functions, such as alerting or user notification through E-mail, are also dependent upon the database. Dumpel just provides a means to manually extract the complex data from the event logs so it can be used by a database management system.
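The tab-delimited dump described above lends itself to a small import script. The following is an added example, not code from this report or from the Resource Kit: it parses dump lines, mirrors the -m, -e and -r switch semantics as dumpel.txt describes them, loads the records into SQLite and runs the kind of query that replaces paging through Event Viewer. The nine-field record layout and the numeric type codes are assumptions about "dumpel -t" output, and all sample lines are constructed.

```python
# Added example (not from the MITRE report or the Resource Kit): parse a dumpel-style
# tab-delimited dump, mirror its -m/-e/-r filters, load SQLite and query it. The
# nine-field layout and numeric type codes are ASSUMED; all sample lines are constructed.
import sqlite3

# Assumed mapping of the numeric type field to the Event Viewer type names.
EVENT_TYPES = {1: "Error", 2: "Warning", 4: "Information",
               8: "Audit Success", 16: "Audit Failure"}

FIELDS = ("date", "time", "type", "category", "event_id",
          "source", "user", "computer", "description")

# Constructed sample: a Security dump and a System dump concatenated for import.
SAMPLE_DUMP = "\n".join([
    "8/12/1997\t9:01:12 AM\t8\t2\t528\tSecurity\tAdministrator\tNTSRV1\tSuccessful Logon",
    "8/12/1997\t9:03:45 AM\t16\t2\t529\tSecurity\tSYSTEM\tNTSRV1\tLogon Failure: bad password",
    "8/12/1997\t9:03:51 AM\t16\t2\t529\tSecurity\tSYSTEM\tNTSRV1\tLogon Failure: bad password",
    "8/12/1997\t9:05:10 AM\t16\t2\t529\tSecurity\tSYSTEM\tNTWKS1\tLogon Failure: unknown user",
    "8/12/1997\t9:10:02 AM\t1\t0\t7023\tService Control Manager\tN/A\tNTSRV1\tService terminated",
    "8/12/1997\t9:15:30 AM\t4\t0\t6005\tEventLog\tN/A\tNTWKS1\tThe Event log service was started.",
    "8/12/1997\t9:20:00 AM\t8\t7\t592\tSecurity\tAdministrator\tNTSRV1\tA new process has been created",
    "",  # dump files usually end with a trailing newline
])


def parse_dump(text):
    """Turn tab-delimited dump lines into dicts. Blank lines are skipped and a
    record shorter than nine fields is padded, so one ragged line does not abort
    the whole import (the 'fine-tuning' of the file the report mentions)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t", len(FIELDS) - 1)  # tabs inside the description survive
        parts += [""] * (len(FIELDS) - len(parts))
        rec = dict(zip(FIELDS, parts))
        for key in ("type", "category", "event_id"):
            rec[key] = int(rec[key]) if rec[key].isdigit() else -1  # -1 marks a bad field
        records.append(rec)
    return records


def select_events(records, source=None, event_ids=(), exclude=False):
    """Mirror the -m (source), -e (event ids) and -r (filter out) switches as
    dumpel.txt describes them: -e needs -m; without -r only matching records
    are kept, with -r every record EXCEPT the matching ones is kept."""
    if event_ids and source is None:
        raise ValueError("an event id filter (-e) requires a source filter (-m)")
    wanted = set(event_ids)

    def matches(rec):
        same_source = source is None or rec["source"].lower() == source.lower()
        return same_source and (not wanted or rec["event_id"] in wanted)

    return [r for r in records if matches(r) != exclude]


def load_sqlite(records, path=":memory:"):
    """Import parsed records into SQLite; typed columns keep later queries simple."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE IF NOT EXISTS events (date TEXT, time TEXT, "
                 "type INTEGER, category INTEGER, event_id INTEGER, source TEXT, "
                 "user TEXT, computer TEXT, description TEXT)")
    conn.executemany("INSERT INTO events VALUES (?,?,?,?,?,?,?,?,?)",
                     [tuple(r[f] for f in FIELDS) for r in records])
    conn.commit()
    return conn


def audit_failures(conn):
    """Audit failures (type 16) per computer and event id, busiest first."""
    return conn.execute(
        "SELECT computer, event_id, COUNT(*) AS n FROM events WHERE type = 16 "
        "GROUP BY computer, event_id ORDER BY n DESC, computer").fetchall()


if __name__ == "__main__":
    db = load_sqlite(select_events(parse_dump(SAMPLE_DUMP), source="Security"))
    print(audit_failures(db))  # expected: [('NTSRV1', 529, 2), ('NTWKS1', 529, 1)]
```

Feeding a real dump instead of SAMPLE_DUMP is a matter of reading the -f output file into parse_dump; the field order should be checked against the actual file first, since it is assumed here.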
Section 3 Conclusion

Dumpel is a simple yet effective utility for taking the contents of the three main event logs and restructuring them into a format that can be used in a database. By transferring event log data to a database, the information can be made more valuable to the administrator. Critical events can be identified easily by using the database query and reporting mechanisms instead of manually parsing through the logs using the Event Viewer, thus freeing up the administrator's time.

The simplicity of its interface means that learning to use dumpel is not an issue. It can be put to effective use immediately. It also comes at no extra cost, provided the Windows NT Resource Kit has been purchased as an added staple to the NT system.

The simplicity can also be construed as a limitation. It does not provide the administrator with the capability to analyze special-purpose event logs, to filter on all the different event types, or to dump the logs from multiple machines at once. While dumpel is effective in its job, it can be very time consuming to use. That is, every time a new log needs to be dumped to a file, the command must be changed slightly to account for the new log name or new host from which it is being read. In addition, there is a slight learning curve involved in importing the created file into a database. The structure of the data in the created file may need to be fine-tuned to ensure that it is imported neatly into the database. This is dependent upon the way the database handles text file importation. As a result of the manual importation and extraction procedure, dumpel is not able to function as a real-time monitor of the event logs.

The recommended use of dumpel is restricted. If there is a need to extract event log information quickly and infrequently, then dumpel is useful. For day-to-day event log management, a simpler and less cumbersome extraction method will be required to get event log data into a database.
For a simple extraction method and more sophisticated analysis of event logs, other tools should be used.

Appendix A Features Checklist

This appendix is a checklist documenting the evaluation results of the dumpel utility, Version 5.00.1399.1. The checklist contains several components corresponding to the areas of focus during the evaluation. The checklist has been structured in a question-and-answer format.

Software Acquisition

* Is the software available for download?
* Is an evaluation copy of the software available for download?
* Where is the software available?
  The utility is available in the Windows NT Resource Kit.
* What is the length of trial period?
* Can the trial version be converted to permanent version?
* Are there differences between the evaluation copy and the commercial copy?
* Who is the vendor?
  Microsoft
* What is the price of the commercial version?
* Is the download in a compressed format?
  o Uses self-extracting utility or
  o Conventional .zip files
  o Can the software be extended through plug-ins?
  o Can a licensed version of the software be upgraded?
  o How is the software licensed?

Installation and Configuration

* Is an Installation Wizard used to install the software?

Documentation

* Was printed documentation available for the version you evaluated?

Technical Support

* Does the vendor provide telephonic support?
  o Is a toll-free number available?
  o Are download trial versions supported?
* Is on-line help available for the software?
  Just type dumpel from the command line to receive a list of switches, or read the dumpel.txt file, which also lists the switches and includes some examples.
* Is a URL provided for WWW based support?
  Refer to the Microsoft Knowledge Base at http://www.microsoft.com.

User Interface

* Is a graphical user interface available?
  o Is the interface intuitive (are the functions of the buttons, toolbars, and menu options easy to determine from the graphic or words)?
* Is there a command line capability?
  It can only be run from the command line.

Filtering

* Can you specify to include/exclude events?
  Use the "-r" switch to filter for specific records or sources, or to filter them out.
* Can you filter by event logs?
  o Can you filter by Application Log?
  o Can you filter by Security Log?
  o Can you filter by System Log?
  o Can you filter by Special Purpose Logs?
    + Can you filter by PPP Logs?
    + Can you filter by IIS Logs?
    + Can you filter by Communication Logs?
* Can you filter by event type?
* Can you filter by event number?
  Use the "-e nn" switch to specify an event number. This must be used with the "-m" switch.
* Can you filter by event source?
  Use the "-m" switch to specify an event source.
* Can you filter by user id?
* Can you filter by alert status?
* Can you filter by text?

Network Viewing

* Is there the ability to view event logs of remote machines?
  Use the "-s" switch to extract information from remote machines.
* Are filters and alerts applied globally?
* Are filters and alerts applied to specific machines?
  You can only dump one filter from one log for one machine at a time.
* Can you view events in hierarchical form?
* Is the alert status displayed alongside each machine/subnet?
* Is there a global alert status displayed as well?
* Is there an option to reset alert status?
* Is there an alert counter?
* Is there an option to reset the alert counter?

Event Viewing

* Is the alert status displayed alongside each event?
* Is the following information available for each event?
  o Event log name?
  o Event types?
  o Event numbers?
  o Event sources?
  o User ids?
  o Other?
    The short description is also included in the output.

Reporting

* Is there database support (ODBC)?
  The output is dumped into a delimited text file that can be imported into a database.
* Does the software generate reports?
  o Are there pre-defined reports?
  o Are there pre-defined graphs?
  o Can the user generate custom reports?
    + Describe the ease of the custom report design.
    + Are the reports output to the screen?
    + Are the reports printable?
    + Can you generate reports in other formats (e.g., HTML)?
* Does the software provide an alerting option?
  o Does the software support user notification methods?
    + Does the alarm initiate an E-mail message?
    + Does the alarm initiate a page?
    + Can the alarms notify different receivers at different times?
    + Does the alert sound an alarm?
    + List other methods here:
  o Are there pre-defined alerts?
  o Can the user define alert conditions?
    + Can alert conditions be specified by an event log condition?
    + Can alert conditions be specified by an event type condition?
    + Can alert conditions be specified by an event number condition?
    + Can alert conditions be specified by an event source condition?
    + Can alert conditions be specified by a user id condition?
    + Can alert conditions be specified by a text condition?
* Does the software store Activity in a log file?
  The output can be directed into a file using the "-f" switch; the standard is "stdout" if the switch is not used.
* Does the software suggest "fixes" for improved security?
* Does the software offer comparisons with previous assessments?

Appendix B Dumpel Text File

Event Log Dump Utility

This is a command line utility that can be used to dump an eventlog into a tab-separated text file. It can also be used to filter for certain event types, or to filter out certain event types. This utility can be used to dump the event log of both local and remote systems.

The options for this utility are:

-s    Specifies the server to dump the event log of. Leading backslashes on the servername are optional.

-f    Specifies the output file. The default is stdout.

-l    Specifies which log (system, application, security) to dump. If an invalid logname is specified, the application log will be dumped.

-m    Specifies which source (such as, Rdr, Serial, ...) to dump records of. Only one source can be supplied. If this switch is not used, all events are dumped.
      If a source that is not registered in the registry is used, the Application Log will be searched for records of this type.

-e n1 n2 n3 ...    Filters for event id nn (up to 10 may be specified). If the -r switch is not used, only records of these types are dumped; if -r is used, all records EXCEPT records of these types are dumped. If this switch is not used, all events from the specified sourcename are selected. You cannot use this switch without the -m switch.

-r    Specifies whether to filter for specified sources or records, or to filter them out.

-t    If this is specified, individual strings are separated by tabs. If not, they are separated by spaces.

So, to dump the system eventlog on server \\Eventsvr to a file event.out, use:

    dumpel -s eventsvr -l system -f event.out

To dump the local system eventlog, but only get rdr events 2013, use:

    dumpel -l system -m rdr -e 2013

To dump the local application log, and get all events EXCEPT ones from the garbase source, use:

    dumpel -l application -m garbase -r

Glossary

COTS      commercial off-the-shelf
DII COE   Defense Information Infrastructure Common Operating Environment
DNS       Domain Name Service
INFOSEC   Information Security
IIS       Internet Information Server
MOIE      Mission-Oriented Investigation and Experimentation
NSA       National Security Agency
OOB       Out-of-Band
OS        Operating System
PPP       Point-to-Point Protocol
SP3       Service Pack 3
SPAWAR    Space and Naval Warfare Systems Command

Distribution List

Internal (Electronic Notification)

D. M. Alders, K. L. Arndt, D. A. Baldauf, K. M. Bitting, C. L. Boeckman, C. H. Bonneau, L. J. Bretzfelder, K. L. Bricker, N. L. Broome, S. L. Chapin, M. S. Collins, R. A. Duncan, G. C. Everhart, S. L. Ficklin, J. S. Firey, G. J. Gagnon, R. A. Galloni, R. P. Galloni, W. R. Gerhart, M. J. Gosselin, T. A. Gregg, J. D. Guttman, H. L. Hannickel, W. H. Hill, D. M. Johnson, K. G. Jones, L. K. Jones, M. S. Kannel, C. D. McCollum, B. W. McKenney, M. C. Michaud, P. D. Miller, S. L. Miravelle, L. Montella, S. J. Moore, M. J. Morrison, H. W. Neugent, L. A. Noble, D. S. Nottingham, J-P. F. Otin, J. Picciotto, S. Polk, C. L. Pratt, R. C. Reopell, K. K. Rollison, R. S. Rudman, H. H. Rubinovitz, S. I. Schaen, L. M. Schlipper, J. R. Sebring, D. B. Smith, L. M. Sosnosky, D. W. Sparrow, J. L. Tavares, P. B. Taylor, S. A. Trioli, J. M. Vasak, D. F. Vukelich, R. J. Watro, M. M. Zuk

(Hardcopy)
K. King (without enclosure)
C. R. Oakes
G023 File (2)

External

Commander
Space and Warfare Systems Command
53560 Hull Street
San Diego, CA 92152-5002
CAPT M. Shupack, SPAWAR PMW 161A
Mr. S. Henderson, SPAWAR PMW 161E
Mr. M. Hunter, SPAWAR PMW 161
Mr. S. McCardle, SPAWAR PMW 161
Mr. P. Moylan, SPAWAR PMW 161
Mr. F. Ottaviano, SPAWAR PMW 161
Mr. J. Patterson, SPAWAR PMW 161
Mr. J. Stawiski, SPAWAR PMW 161
Mr. D. Terhune, SPAWAR PMW 161

Naval Research Laboratory
4555 Overlook Avenue SW
Washington, DC 20375-5000
LT G. Winter, SPAWAR PMW 161L
Mr. R. Hale, NRL 5544
Mr. D. Mihelcic, NRL

Defense Information Systems Agency
5600 Columbia Pike
Arlington, VA 22204
CDR C. Cameron, DISA JEXF
Mr. D. Cunningham, DISA JEXF
Ms. D. Hartley, DISA JEXF
LTC A. Froede, DISA JEXG
Mr. J. Humphery, DISA JEXG
Mr. R. Hutten, DISA D5 (without enclosure)

Defense Intelligence Agency
Bolling AFB
Building 6000
Washington, DC 20340
Mr. L. Lebahn, DIA/SYA-1
Mr. M. Zajdek, DIA/SYA-1

FCRC Management Division
Headquarters, US Army CECOM
AMSEL-PE-FC
Ft. Monmouth, NJ 07703-5000
Mr. G. Guattare (without enclosure)

ESC/IYW
50 Griffiss Street
Hanscom AFB, MA 01731
Maj W. Dotts
Maj R. Simpson
Lt M. Pruss

Rome Operating Location of the Air Force Research Lab
525 Brooks Road
Rome, NY 13441-4505
Mr. D. Allain, AFRL/IWT
Mr. J. Feldman, AFRL/IWT
Mr. J. Girodano, AFRL/IWT
Mr. J. Pirog, AFRL/IWT

National Security Agency
CH/C43
9800 Savage Road, STE 6704
Ft. Meade, MD 20755-6704
Curtis Dukes, C43