Subject: Integrity checking of Registry keys
From: H Carvey (keydet89YAHOO.COM)
Date: Tue Nov 14 2000 - 15:51:55 CST


Integrity checking can be performed on critical system
files, in order to determine if these files have been
altered or "trojaned". This is a technique that is
used in the Un*x world...and it's implemented by
generating a checksum for a "known good" copy of the
file in question (on Un*x platforms, this includes
executables such as ls, ps, etc). When a change to
the file is suspected, the admin regenerates the
checksum using the same algorithm and compares it to
the baseline scan.

On NT, this can be done w/ DLLs, etc. It can also be
done with Registry keys. For example, an NT admin can
specify specific keys that she'd like to 'watch' for
changes. Maybe she's been able to set ACLs on the
keys so that users can modify them, but she wants
multiple layers of protection. So what she does is
use an automated means to perform regular scans of the
Registry keys, generating a baseline checksum first and
then generating fresh checksums on each scan. In this way,
she can determine if a change has been made to the key.

If she does detect a change, then she can look for
other evidence to indicate whether the user performed
a privilege-escalation attack, or it's the result of
some other actions.

My question to the group at large is then this...are
NT admins interested in a utility that will allow them
to perform integrity checking of Registry keys? Would
you, as an NT admin, find such a thing useful?

./Carv
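The baseline-then-rescan procedure the post describes, as an added example in PowerShell (not code from the original post or its author). It assumes a modern Windows PowerShell; the watched key list and the baseline file location are constructed for illustration, and the hash covers each key's value names, value types, data and subkey names so that a change to any of them is reported.

```powershell
# Added example: baseline-and-compare integrity check for Registry keys.
# Watched keys and baseline path are constructed placeholders; adjust to taste.
$WatchedKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
)
$BaselinePath = "$env:ProgramData\RegBaseline.json"   # assumed location

# Canonical text for one key: every value (name, kind, data) plus every subkey
# name, sorted so identical content always yields identical bytes (and hash).
function Get-KeyCanonicalText([string]$Path) {
    $key = Get-Item -LiteralPath $Path -ErrorAction Stop
    $lines = @(foreach ($name in ($key.GetValueNames() | Sort-Object)) {
        $kind = $key.GetValueKind($name)
        # Do not expand REG_EXPAND_SZ, or the hash would vary with the environment.
        $data = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
        if ($data -is [byte[]]) { $data = [BitConverter]::ToString($data) }
        "V|$name|$kind|$($data -join ',')"
    })
    $lines += @(foreach ($sub in ($key.GetSubKeyNames() | Sort-Object)) { "K|$sub" })
    return ($lines -join "`n")
}

function Get-KeyHash([string]$Path) {
    $bytes  = [Text.Encoding]::UTF8.GetBytes((Get-KeyCanonicalText $Path))
    $sha256 = [Security.Cryptography.SHA256]::Create()
    return ([BitConverter]::ToString($sha256.ComputeHash($bytes))) -replace '-', ''
}

# Step 1: record the "known good" baseline once, while the keys are trusted.
function New-RegBaseline {
    $baseline = @{}
    foreach ($k in $WatchedKeys) { $baseline[$k] = Get-KeyHash $k }
    $baseline | ConvertTo-Json | Set-Content -LiteralPath $BaselinePath
}

# Step 2: rescan (e.g. from a scheduled task) and report every key whose hash
# no longer matches; a deleted key is reported as MISSING rather than skipped.
function Compare-RegBaseline {
    $baseline = Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json
    foreach ($k in $WatchedKeys) {
        try { $now = Get-KeyHash $k } catch { $now = 'MISSING' }
        $was = $baseline.$k
        if ($now -ne $was) {
            [PSCustomObject]@{ Key = $k; Baseline = $was; Current = $now }
        }
    }
}
```

Store the baseline file somewhere the users being watched cannot write, otherwise the same change that alters the key can also alter the record it is compared against.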
