There's a much under-hyped and overlooked set of Windows security tools that you should be taking advantage of as a Windows administrator. You've already paid for them but may not realize that you have them. I'm talking about a handful of
Security tools for Windows VistaLearn about Windows Vista's new security features, like BitLocker and the Security Center, with these tips by industry experts.
nifty command-line tools that are extremely powerful in practically any information security context. If your experience goes back to the good old DOS days, you'll feel right at home. And if the command line is a little outside your comfort zone, relax -- what you need to know is really straightforward.
The following Windows command-line tools can be a big help. Hardly a day passes that I'm not using several of them. To get rolling, simply click Start/Run, run cmd.exe, and you're ready to start entering these commands:
Command toolHow to use this command for securitydirdir /od to find the most recently modified files on the hard drivepingping -a and ping –t to determine hostnames and whether or not the host is alivetracerttracert –d for determining how your system is communicating with a remote hostfinddir c:\ /s /b | find "SSN" to search your local hard drive for sensitive text such as "SSN"findstrfindstr /s /i confidential *.* to search the current directory and all subdirectories for sensitive text such as "confidential"nslookupnslookup –type=ANY domain_name to display all DNS records for a specific domainnbtstatnbtstat –A remote_host_IP_address to display a remote system's NetBIOS name table, computer name, domain name, MAC address and possibly the currently logged on usernet
netsh interface ip set address "Local Area Connection" dhcp for quickly obtaining IP configuration information via DHCPnetstatnetstat –a –o to determine TCP and UDP connections currently in use along with the process ID that owns each connection. Use to find out which application is talking to whomscsc stop service_name to stop a Windows service
sc start service_name to start a Windows servicetaskkilltaskkill /pid and taskkill /im for killing hung processes, such as a security scanner that you've maxed out or potential malware loaded in memorytasklisttasklist /svc shows services associated with each Windows process
tasklist /n dll_name shows all processes using a specified DLL
tasklist /fi /m "imagename eq process" shows the DLLs loaded into the specified Windows processwmicWindows Management Interface Command-line (WMIC), literally an entire control system in and of itself, allows you to control both local and remote systems. Commands of interest for security include:
The following Windows command-line tools can be a big help. Hardly a day passes that I'm not using several of them. To get rolling, simply click Start/Run, run cmd.exe, and you're ready to start entering these commands:
Command toolHow to use this command for securitydirdir /od to find the most recently modified files on the hard drivepingping -a and ping –t to determine hostnames and whether or not the host is alivetracerttracert –d for determining how your system is communicating with a remote hostfinddir c:\ /s /b | find "SSN" to search your local hard drive for sensitive text such as "SSN"findstrfindstr /s /i confidential *.* to search the current directory and all subdirectories for sensitive text such as "confidential"nslookupnslookup –type=ANY domain_name to display all DNS records for a specific domainnbtstatnbtstat –A remote_host_IP_address to display a remote system's NetBIOS name table, computer name, domain name, MAC address and possibly the currently logged on usernet
- net view hostname to display shares on a remote system
- net accounts to display local user account policies for passwords, etc.
- net share to display local shares
- net user to display local user names.
netsh interface ip set address "Local Area Connection" dhcp for quickly obtaining IP configuration information via DHCPnetstatnetstat –a –o to determine TCP and UDP connections currently in use along with the process ID that owns each connection. Use to find out which application is talking to whomscsc stop service_name to stop a Windows service
sc start service_name to start a Windows servicetaskkilltaskkill /pid and taskkill /im for killing hung processes, such as a security scanner that you've maxed out or potential malware loaded in memorytasklisttasklist /svc shows services associated with each Windows process
tasklist /n dll_name shows all processes using a specified DLL
tasklist /fi /m "imagename eq process" shows the DLLs loaded into the specified Windows processwmicWindows Management Interface Command-line (WMIC), literally an entire control system in and of itself, allows you to control both local and remote systems. Commands of interest for security include:
- wmic /output:c:\temp\stuff.html process list /format:htable for displaying all currently running processes in an HTML table
- wmic /record:c:\temp\investigate.xml process list full for recording your commands. Write them to a file for an investigative trail that includes the date, time, user name, command entered and output of the command.
- wmic useraccount list full for displaying a list of users on the local machine
- wmic /user:userID /password:password /node:hostname share list full for displaying a list of shares on the remote machine (administrator access required)
- wmic qfe list full for displaying a list of patches and service packs installed on the local machine
