Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Compliance Auditing with Microsoft PowerShell

Compliance Auditing with PowerShell

Microsoft's PowerShell framework has been part of their product line for quite some time. In recent years, it has played a major role in new operating system versions (such as Window 7 and Windows Server 2008) thanks to its inclusion in common engineering criteria. All future Microsoft server products will have PowerShell support integrated in them by default. This means Microsoft products will benefit from a single management interface, rather than a mixed usage of the registry, WMI, or other system files/utilities.

For those unfamiliar with PowerShell, it's a command-line shell meant to perform administrative tasks using cmdlets. Cmdlets are purpose-built commands designed to accomplish specific tasks for reading registry keys, files, wmi-objects, starting and stopping Windows services and a host of other tasks. A wide range of cmdlets and their usage are documented on Microsoft's website.

The ability to run PowerShell cmdlets remotely opens up interesting possibilities from a compliance perspective. For example, it's now possible to read a file, apply several different filters and determine compliance. You can also run a cmdlet and let the user review the output, then tailor the output as needed. Tenable recently added an AUDIT_POWERSHELL check to Windows compliance checks which allows users to do just that, right from an .audit file. Below is the basic syntax:

<custom_item>
type: AUDIT_POWERSHELL
description: "Powershell check"
value_type: [value_type]
value_data: [value]
powershell_args: ["arguments for powershell.exe"]
(optional) only_show_cmd_output : YES or NO
(optional) check_type : [CHECK_TYPE]
(optional) severity : ["HIGH" or "MEDIUM" or "LOW"]
(optional) powershell_option : CAN_BE_NULL
(optional) powershell_console_file : ["Location of PowerShell console file"]
</item>

Users can opt to audit a specific value or have the check report the entire output of the cmdlet being run. When reporting the output of the cmdlet, users have the option to set the severity of the result using the 'severity' tag.

Powershell Auditing Examples

1. Review security patches

<custom_item>
type: AUDIT_POWERSHELL
description: "Show Installed Hotfix"
value_type: POLICY_TEXT
value_data: ""
powershell_args  : "get-hotfix | Where-Object {$_.Description -ne ''} | select Description,HotFixID,InstalledBy | format-list"
only_show_cmd_output : YES
severity : LOW
</item>

2. Audit a specific value

<custom_item>
type: AUDIT_POWERSHELL
description: "Audit Service Status"
value_type: POLICY_TEXT
value_data: "Running"
powershell_args  : "Get-Service | Where-Object {$_.name -eq 'browser'} | select status"
check_type : CHECK_REGEX
</item>

3. Review system log

<custom_item>
type: AUDIT_POWERSHELL
description: "Review System Log files "
value_type: POLICY_TEXT
value_data: ""
powershell_args  : 'get-eventlog -newest 5 -logname system | format-list'
only_show_cmd_output : YES
</item>

4. Show power settings

<custom_item>
type: AUDIT_POWERSHELL
description: "Show Power settings"
value_type: POLICY_TEXT
value_data: ""
powershell_args  : 'get-wmiobject -namespace root\\cimv2\\power -class Win32_powerplan | select Description,IsActive | format-list'
only_show_cmd_output : YES
</item>

5. Run a WMI method

<custom_item>
type: AUDIT_POWERSHELL
description: "Run WMI method ListWebServiceExtensions() on IIsWebService object"
value_type: POLICY_TEXT
value_data: ""
powershell_args  : '(get-WmiObject -namespace root\\MicrosoftIISv2 -Class IIsWebService).ListWebServiceExtensions().Extensions'
only_show_cmd_output : YES
</item>

6. Get a list of files in a directory

<custom_item>
type: AUDIT_POWERSHELL
description: "Get list of all files within a directory"
value_type: POLICY_TEXT
value_data: ""
powershell_args  : 'Get-ChildItem "C:\\Program Files\\Common Files'
only_show_cmd_output : YES
</item>

7. Review contents of a file

<custom_item>
type : AUDIT_POWERSHELL
description : "Review contents of a file"
value_type : POLICY_TEXT
value_data : ""
powershell_option : CAN_BE_NULL
powershell_args  : "get-content 'D:\Apache2.2\conf\httpd.conf' | \ select-string -pattern '^ *<Directory' -context 0,10"
severity : MEDIUM
only_show_cmd_output: YES
</item>

The listed examples leverage cmdlets typically found in Windows operating systems which supports PowerShell. But, what if we need to audit a product which has its own set of PowerShell cmdlets (e.g., Exchange 2007 or SharePoint 2010)? For such products we need to specify Windows PowerShell Console Files located on the target system. A PowerShell Console File contains properties and registered snap-ins that extend PowerShell’s ability or features. Many of these files also add cmdlets for administering software installed on the system.

An example PowerShell snap-in is Microsoft.Exchange.Management.PowerShell.Admin provided by Microsoft Exchange 2007, which provides useful commands for administering Exchange via PowerShell. By adding support for Powershell Console Files to AUDIT_POWERSHELL, the Windows Compliance Checks plugin can now audit software products like Exchange 2007, SharePoint and others. The “powershell_console_file” keyword can now be used with the AUDIT_POWERSHELL to call a specific PowerShell Console File located on the target system to run various get-* cmdlets, which allows a user to audit the target for compliance.

Exchange Configuration Audit Example #1 – Report Exchange 2007 Server Role:

[root@test]# cat powershell_test.audit
<check_type: "Windows" version : "2">
<group_policy: "Example Powershell Console File Audit">
<custom_item>
type       : AUDIT_POWERSHELL
description: "Disable Unnecessary Exchange Services and Roles"
value_type : POLICY_TEXT
value_data : ""
powershell_args: "get-exchangeserver | select identity,serverrole| format-list"
only_show_cmd_output: YES
powershell_console_file: "C:\Microsoft\Exchange Server\Bin\ExShell.psc1"
info: "Review the server's roles and ensure only necessary services are listed."
</custom_item>
</group_policy>
</check_type>
[root@test bin]# ./nasl -aXt 192.168.1.2 compliance_check.nbin
Windows Compliance Checks, version 2.0.28
Which file contains your security policy : powershell_test.audit
SMB login : administrator
SMB password : ********
SMB domain (optional) : testdomain
"Disable Unnecessary Exchange Services and Roles": [INFO]
Review the server's roles and ensure only necessary services are listed.
Output :
Identity   : EdgeExchange
ServerRole : Edge

Requirements

  • PowerShell must be installed on the target (older OSes do not have it installed by default).
  • WMI must be enabled on the target.
  • Firewall setting "Windows Firewall: Allow inbound remote administration exception" must be enabled.
  • Note: At this time, only get-* cmdlets can be run. Cmdlet aliases (e.g., gwmi) are not supported.

Conclusion

Several compliance audit policies distributed by Tenable are already using the PowerShell functionality described above. For more information, and to download the policies themselves, log in to the Tenable Support Portal and go to the downloads area.