[SERVER] System File Integrity

eyeLikeCarrots · 24th July 2009, 9:12 AM

Looking for some ideas here:

Lets say your corp network was broken into. You know it was broken into because you identified the compromised account, you know the external host that the penetration was launch from, you've even identified and patched the vulnetability that the cheeky bugger used to get into your network.

You've checked various logs and things but you just cannot establish if any damage or change was done.

So now you have to recover from the situation.

Do you compare all system files against the trusted hashes that your sys admin guys generated when they installed and configured the servers, or do you go into the whole messy shebang and reinstall and reconfigure every single server OS and application?

The question is: What services or applications exists to ensure the integrity of Microsoft Server system files ?

Thanks is anyone can provide advice on this.

NSanity · 24th July 2009, 10:47 AM

If indoubt, rebuild it.

Incredibly serious about this - Rootkits are bad.

eyeLikeCarrots · 24th July 2009, 12:20 PM

Absolutley, the term 'reinstall from trusted media' is in the policy documentation I currently have, and there is a cost in rebuilding and reconfiguring.

However... sometimes you 'need' to know that a file's signature was changed.

24th July 2009, 9:12 AM	#1
eyeLikeCarrots Member Join Date: Jan 2002 Location: Canberra Is Shit Sex: Yes Posts: 3,791	System File Integrity Looking for some ideas here: Lets say your corp network was broken into. You know it was broken into because you identified the compromised account, you know the external host that the penetration was launch from, you've even identified and patched the vulnetability that the cheeky bugger used to get into your network. You've checked various logs and things but you just cannot establish if any damage or change was done. So now you have to recover from the situation. Do you compare all system files against the trusted hashes that your sys admin guys generated when they installed and configured the servers, or do you go into the whole messy shebang and reinstall and reconfigure every single server OS and application? The question is: What services or applications exists to ensure the integrity of Microsoft Server system files ? Thanks is anyone can provide advice on this. __________________ All your Carrotine are belong to me! \| Big O notation has nothing to do with Roy Orbison... Its not 'your' Internet! \| Follow me my children & FUM$ \| [Agg edit] count = 1 Internet Champion - fallen_dragon said so!

24th July 2009, 10:47 AM	#2
NSanity Member Join Date: Mar 2002 Location: Bathurst, NSW Posts: 6,850	If indoubt, rebuild it. Incredibly serious about this - Rootkits are bad. __________________ Intel i7-3770k @ stock \| Asus P8Z77 WS \| 32GB Corsair Vengeance 1866 10-11-10-30 \| 2x EVGA GTX670 SLI FTW @ stock \| 1x Dell U3011 \| OCZ Revodrive3 X2 MAXIOPS 480GB \| Western Digital 2TB Caviar Black \| Asus Essence STX \| Audio-Technica ATH-AD900 \| Antec HCP-1200 \| Enermax Fulmo GT Midtower \| Synology DS2411+ NAS \| 12x Seagate 2TB 7200.12 i'm in your noun, verbing your related noun.

24th July 2009, 12:20 PM	#3
eyeLikeCarrots Member Join Date: Jan 2002 Location: Canberra Is Shit Sex: Yes Posts: 3,791	Absolutley, the term 'reinstall from trusted media' is in the policy documentation I currently have, and there is a cost in rebuilding and reconfiguring. However... sometimes you 'need' to know that a file's signature was changed. __________________ All your Carrotine are belong to me! \| Big O notation has nothing to do with Roy Orbison... Its not 'your' Internet! \| Follow me my children & FUM$ \| [Agg edit] count = 1 Internet Champion - fallen_dragon said so!