A few weeks ago I was asked to check every single workstation in the organisation for unwanted files. The types of files I was asked to look for were media files such as music and video, but also torrent files. The main objective was to identify breaches of policy and to allow removal of the unwanted files from the network. I will take you through what I did, which achieved the main objective relatively painlessly. Undoubtedly there are better methods than what I'm about to describe, and in fact I'm kind of counting on it, so feel free to share how you deal with the challenge. In the meantime, this is what I ended up doing.

Start with an nmap ping sweep, saving the results in greppable format:

    nmap -sP <ip-range>/<mask> -oG <filename>

The greppable output from nmap looks as follows:

    Host: aaa.bbb.ccc.20 (machine1.domain.com) Status: Up
    Host: aaa.bbb.ccc.45 (machine45.domain.com) Status: Up
    Host: aaa.bbb.ccc.62 (machine62.domain.com) Status: Up
    … snip ...
    Host: aaa.bbb.ccc.100 (print01.domain.com) Status: Up
    Host: aaa.bbb.ccc.101 (print02.domain.com) Status: Up
    Host: aaa.bbb.ccc.102 (machine102.domain.com) Status: Up
    Host: aaa.bbb.ccc.115 (machine115.domain.com) Status: Up
    Host: aaa.bbb.ccc.150 (switch01.domain.com) Status: Up
    … snip ...

From the list I culled those devices that I was not interested in, e.g. the printers and the switch, before building the commands and creating the batch file.
Each remaining host gets one line in the batch file, for example:

    PsExec.exe \\aaa.bbb.ccc.45 -w C:\ cmd.exe /c "dir *.mp3 *.avi *.mkv *.mov *torrent* /s /b" > audit-machine45.txt

Save the file with a .bat extension and make sure psexec is in the path of the user who will be running the batch file. The result file for each machine lists the matching paths, e.g. under C:\Documents and Settings\jdoe\:

    Desktop\MUSAK\The Police\Greatest Hits\11 - The Police - Spirits In The Material World - Greatest H.mp3
    Desktop\MUSAK\The Police\Greatest Hits\12 - The Police - Synchronicity II - Greatest Hits_120113005.mp3
    Desktop\MUSAK\The Police\Greatest Hits\13 - The Police - Every Breath You Take - Greatest Hits_1201.mp3
    Desktop\MUSAK\The Police\Greatest Hits\14 - The Police - King Of Pain - Greatest Hits_1201130115.mp3
    Local Settings\Temporary Internet Files\Content.IE5\HKNBKI0L\novotelrestc[1].mov
    My Documents\private\vids\SouthPark DVDiv\X 809-814\813 - Cartman's Incredible Gift-AERiAL_mrtwig.net.avi

Someone will need to inspect each of the result files and check whether the materials are permitted to remain on corporate machines or should be removed. Sometimes the owner will not be obvious and you might need to examine the machine a little more closely to determine who the files belong to. Once unwanted files have been identified I usually send the person a policy reminder and a request to have the materials removed. Second/third/nth offences, however, are passed on to the appropriate area to deal with.
All in all a reasonably straightforward process, and easily adapted to different file types or file names. PS: the diary editor seems to strip slashes, so if it looks like there should be a backslash, you are probably right.
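As an added example (not from the diary), the small Python script below automates the glue between the two steps above: it parses nmap's -oG output, culls hosts by name prefix (printers and switches, an assumed naming convention), and emits one PsExec line per remaining host in the diary's format. The sample nmap output is constructed; the optional IPC$ pre-connection follows the tip in the comments below.

```python
import re

# Constructed sample of "nmap -sP ... -oG" output, modelled on the diary's listing.
SAMPLE_GNMAP = """\
# Nmap scan initiated (constructed sample header line)
Host: 10.0.0.20 (machine1.domain.com)\tStatus: Up
Host: 10.0.0.45 (machine45.domain.com)\tStatus: Up
Host: 10.0.0.100 (print01.domain.com)\tStatus: Up
Host: 10.0.0.102 (machine102.domain.com)\tStatus: Up
Host: 10.0.0.150 (switch01.domain.com)\tStatus: Up
Host: 10.0.0.151 ()\tStatus: Down
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Status:\s+(\w+)")
# Hostname prefixes of devices to cull (printers, switches); assumed naming scheme.
EXCLUDE_PREFIXES = ("print", "switch")
# The file patterns from the diary's dir command.
PATTERNS = "*.mp3 *.avi *.mkv *.mov *torrent*"

def live_workstations(gnmap_text):
    """Return (ip, hostname) for hosts reported Up whose name is not culled."""
    hosts = []
    for line in gnmap_text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # header/comment lines and anything that is not a Host record
        ip, name, status = m.groups()
        if status != "Up" or name.lower().startswith(EXCLUDE_PREFIXES):
            continue
        hosts.append((ip, name))
    return hosts

def batch_lines(hosts, preconnect_ipc=False):
    """One PsExec line per host; with preconnect_ipc an IPC$ session is opened
    with 'net use' first and torn down afterwards (see the comments below)."""
    lines = ["@echo off"]
    for ip, name in hosts:
        tag = name.split(".")[0] or ip  # short hostname, or the IP if nmap had none
        if preconnect_ipc:
            lines.append(f"net use \\\\{ip}\\IPC$")
        lines.append(f'PsExec.exe \\\\{ip} -w C:\\ cmd.exe /c "dir {PATTERNS} /s /b"'
                     f" > audit-{tag}.txt")
        if preconnect_ipc:
            lines.append(f"net use \\\\{ip}\\IPC$ /delete")
    return lines

if __name__ == "__main__":
    print("\n".join(batch_lines(live_workstations(SAMPLE_GNMAP))))
```

Redirect the script's output to a .bat file and review the host list before running it, since a mis-culled printer or switch will simply produce a failed PsExec connection.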
Mark, 392 Posts, ISC Handler, Aug 15th 2011
Well, first off, I have not needed to do such a thing. Second, my network is considerably smaller. But... I do run complete system backups over the network every night to a disk array, so I can just search the array, essentially at my leisure, and get the answers. Furthermore, I can also answer the question whether a given file was present on a given machine on a particular night, and produce its contents -- even if it has since been deleted from that machine. Of course, there is a price: my method does all the work on a single machine, and a task such as this is mainly limited by disk throughput, so I will not get answers as quickly, but I do have more flexibility in the kinds of questions I can answer.
Moriah, 133 Posts, Aug 15th 2011
You back up all your workstations? Excellent, not many organisations do. A good reminder though, many backup products allow you to search for this kind of information. There are also a number of commercial products on the market that will go and collect the information for you.
M

Mark, 392 Posts, ISC Handler, Aug 15th 2011
We typically use something like SMS/SCCM to run reports.
A previous organisation that I worked for used a logon script with AIDA32 to keep an updated audit of all machines.

AshD, 2 Posts, Aug 15th 2011
I assume you didn't publish there the real commands used by the script because there are a few key issues with that dir command:
a) it only searches the current directory and any subdirectories below it (where "current" when used with psexec means user profile directory)
b) it will not look for removable media or other partitions.
Point (b) is especially important because often users will bring in removable media (e.g. DVDs with ripped movies or flash drives/portable media players if you don't have access controls enabled for usbstor devices). Also, (b) is important when users are told to never save important data on the c: partition and instead are told to use another location for user data. This is my case too; I configure the machines I manage to keep the "desktop" and "my documents" folders on a different partition. This way I can have a few systems with the c: partition frozen (Deep Freeze) while others can be re-imaged when needed without affecting user data.

JustAMouse, 12 Posts, Aug 15th 2011
Oops, didn't notice the -w c: psexec parameter; this means it searches the entire c:\ but still doesn't look at other drives.

JustAMouse, 12 Posts, Aug 15th 2011
@A. Looks like the diary editor strips the slash. You are right, it will only search the one drive in this case. In this instance I was only interested in the C drive, which is the configuration at this particular site. The SOE is fairly strict so users don't get the opportunity to move things to other partitions. My Documents and other directories are redirected to a network share. A separate process picks up the files on the network drives. This was purely to find those files people were attempting to "hide" on their workstation.

Mark, 392 Posts, ISC Handler, Aug 15th 2011
Ok, well if you are using nmap in ping mode, you may not detect any computer that has Windows Firewall enabled, which defaults to blocking ICMP echo. If you continuously utilize a monitoring tool such as ARPWatch on every LAN, you might want to use the IP address database from that tool as well as the nmap results.

Mysid, 146 Posts, Aug 15th 2011
I would use PsLoggedOn when running the psexec directory search command so I can see whose workstation it is.

Mysid, 2 Posts, Aug 15th 2011
Here's a sample command that I use to audit and delete:

    FOR /R "%USERPROFILE%\Desktop" %%i in (*.xls *.xlsx *.xlsm *.xltx *.xltm *.xlsb *.xlam *.doc *.docx *.docm *.dotx *.dotm *.ppt *.pptx *.pptm *.potx *.potm *.ppam *.ppsx *.ppsm *.pdf *.txt *.log *.rtf *.csv *.zip) do echo deleted %%~si >> \\cdm-dc-01\Share\SHARED\IT\PC_Logs\%_FNAME% && del %%~si >> \\cdm-dc-01\Share\SHARED\IT\PC_Logs\%_FNAME% 2>&1

Mysid, 3 Posts, Aug 15th 2011
It screwed up that command pretty bad when I posted it. Here's another try:

    FOR /R "%USERPROFILE%\Desktop" %%i in (*.xls *.xlsx *.xlsm *.xltx *.xltm *.xlsb *.xlam) do echo deleted %%~si >> \\cdm-dc-01\Share\SHARED\IT\PC_Logs\%_FNAME% && del %%~si

Mysid, 3 Posts, Aug 15th 2011
I give up

Mysid, 3 Posts, Aug 15th 2011
    # find /home \( -iname '*.mp3' -o -iname '*.avi' -o ... \)

I wish...

Steven C., 171 Posts, Aug 15th 2011
I imagine most here know this already, but it might be worth mentioning that psexec might transmit credentials in clear text. I am typically a bit more paranoid than the average bear, but this is especially troubling given that this use case will leverage a privileged domain account. Obviously, someone abusing this would need to be suitably positioned inside your network already...
A workaround is to first establish a connection to the remote system's IPC$ share in advance of psexec being launched. I will mention that I was not able to reproduce the clear text in my lab if launched from a Windows 7 box connecting to a remote WinXP box, so perhaps some change in Windows 7 has resolved this clear-text issue. However, using the latest psexec binary, from WinXP to WinXP still results in clear-text credentials.

Steven C., 1 Posts, Aug 15th 2011
Yes, I back up all workstations every night. I have consulted at organizations that said to keep important stuff on a designated server instead of your workstation so it would get backed up, but all too frequently, the sysadms do not give you nearly enough storage on that server. Also, you never really know what is important until it's not there anymore. Allowing users to use their workstations like the personal computers they were intended to be, and just backing up the world every night, seems so much safer to me. There are also obvious forensic advantages to such an approach.

Moriah, 133 Posts, Aug 16th 2011
I did this kind of search eons ago, using a similar fashion of batch files. In those days (surely it's still possible) there was a utility to list Active Directory content; one param was domain members, i.e. workstations. Using that command, I was getting a batch running with \\machinename\c$\...\*.mp3 etc.

Moriah, 17 Posts, Aug 16th 2011
For the UNIX folk forced to work this issue... (from Steven's comment above)
One option is to map a drive from the system with a privileged credential, then run the "find" command or a variant of it. The mount command to use:
----------------------------------------
    mount -t smbfs -o username=mywindows_username,password=xxxxxxx,uid=xx,gid=xx,rw //fileservername/share_name /mountpoint_for_audit

-Kevin

Kevin Shortt, 85 Posts, ISC Handler, Aug 17th 2011