Open-AudIT

All times are UTC + 10 hours

Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 32 posts ]  Go to page 1, 2, 3  Next

PostPosted: Thu May 22, 2008 7:16 pm 
Moderator

Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
Currently the script will only return valid drive mappings if the script is run locally; I would like to return ALL drive mappings if the script is run for the domain.

I think I need something like ... set colDrives = objWMIService.ExecQuery("select * from Win32_MappedLogicalDisk") does anybody know if this will work?
If not how do I set about it?

The idea is to see not only what is shared on each machine, but also which users on each machine are using which shares.

I was thinking of a section

User Name1...
Drive Letter1.. Share name1... Size.. etc...
Drive Letter2.. Share name2... Size.. etc...
Drive Letter3.. Share name3... Size.. etc...
Drive Letter4.. Share name4... Size.. etc...

User Name2...
Drive Letter5.. Share name5... Size.. etc...
Drive Letter2.. Share name2... Size.. etc...
Drive Letter6.. Share name6... Size.. etc...
Drive Letter4.. Share name4... Size.. etc...

And so forth.. thus I can see who is affected by removing a particular server, and which resources need re-mapping.

_________________
Andrew

OA Server: Windows XP/ XAMPP, Mandriva/Apache, Ubuntu
Auditing: 300+ Wstns, 20+ Srvrs, Thin clients, Linux boxes, Routers, etc
OS's: Windows XP , W2K Srvr, W2K3 Srvr, W2K8, Vista, Windows 7, Linuxes (and a Mac at home)
LDAP: Active Directory


PostPosted: Fri May 23, 2008 12:04 am
Moderator
Well, I may be talking to myself here, but I have added All Windows Shares to the main Query menu. This gives us all of the Server details, i.e. which machines are offering which shares. All I need now is to be able to do the same for the users, in other words I need to see who is using which share.

Any thoughts?

_________________
Andrew

PostPosted: Fri May 23, 2008 4:09 am
Open-AudIT Fellow

Joined: Thu May 17, 2007 5:47 pm
Posts: 568
Location: Italy
The "all shares" list is very useful for security auditing purposes.
Glad to see that you revamped the old drive mappings topic (take a look at our discussion at viewtopic.php?f=9&t=2306&p=10040&hilit=mapped&sid=fd677db0a7a533cd3cda673ea1b5f364#p10040 )
We already have every local user's SID in the OA DB, so we could read from the "HKEY_USERS\SID\Network" registry key on each computer:
- every mapped drive letter (each subkey name), but only if persistent
- the UNC of the remote resource (the RemotePath value)
- the username used to connect (the UserName value)
Then we could create an "all drive mappings" list. What do you think?

_________________
Edoardo

PostPosted: Fri May 23, 2008 6:59 am
Moderator
Looks good to me. All we need now is some code..... :lol:

_________________
Andrew

PostPosted: Fri May 23, 2008 6:00 pm
Open-AudIT Fellow
...but we need also all SIDs from each domain user who logged on our workstations and created their "HKEY_USERS\SID\Network" registry keys, otherwise we can't associate those SIDs to "human-readable" usernames, like we could with local users...

_________________
Edoardo

PostPosted: Fri May 23, 2008 9:59 pm
Moderator
Why is life never simple... :? OK, let's think how we figure that out; presumably we can trawl that from the registry too, since the workstation must know how to associate the drive mappings with the correct user profile.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

Gives us the profile list, but we still need to work back to the user name (or cheat by looking at ProfileImagePath, since that contains a user name, but not necessarily the correct user name).

_________________
Andrew

PostPosted: Fri May 23, 2008 10:44 pm
Moderator
Having thought about it, we can work things out using the above information..

We can see the SIDs from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList and the drive mappings (using this sid) from

HKEY_USERS\{this SID}\Network

_________________
Andrew

PostPosted: Fri May 23, 2008 10:53 pm
Open-AudIT Fellow
A_Hull wrote:
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
>
> Gives us the profile list, but we still need to work back to the user name (or cheat by looking at ProfileImagePath, since that contains a user name, but not necessarily the correct user name).

Yes, for example when you rename a user, its profile path remains the same, so it's useless.
But what about the new table ad_users you added to the db? You could store all domain users' SIDs there (probably adding another field), if it's intended to help inventory domain objects.

_________________
Edoardo

PostPosted: Fri May 23, 2008 11:02 pm
Open-AudIT Fellow
A_Hull wrote:
> We can see the SIDs from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList and the drive mappings (using this sid) from
>
> HKEY_USERS\{this SID}\Network

The problem is we don't have a list of domain users' SIDs/usernames to compare with {this SID}; for now we can do that only for local users (that list is already in the users table).

_________________
Edoardo

PostPosted: Sat May 24, 2008 12:16 am
Moderator
We can also look at HKEY_USERS\{each sid}\Software\Microsoft\Windows\CurrentVersion\Explorer\Logon User Name

This should be the login name (without the domain name)

Also HKEY_USERS\{each sid}\VolatileEnvironment\USERDNSDOMAIN (and a few others) should give us any other info we need.

_________________
Andrew

PostPosted: Sat May 24, 2008 12:20 am
Moderator
ef wrote:
> A_Hull wrote:
> > We can see the SIDs from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList and the drive mappings (using this sid) from
> >
> > HKEY_USERS\{this SID}\Network
>
> The problem is we don't have a list of domain users' SIDs/usernames to compare with {this SID}, for now we can do that only for local users (that list is already in the users table).

The AD stuff will tell us the SID for AD users, and only if we have audited the AD (new feature, don't tell anybody :twisted: ).. It won't show info for local users, or for workgroup users... or Samba users.... or Netware.... As I said, why is life never simple...

_________________
Andrew

PostPosted: Sat May 24, 2008 1:32 am
Open-AudIT Fellow
OK, the "HKEY_USERS\{each sid}\Software\Microsoft\Windows\CurrentVersion\Explorer\Logon User Name" value could be interesting for what we want to do: I will take a look at it next week.

_________________
Edoardo

PostPosted: Sat May 24, 2008 1:48 am
Moderator
Have a good weekend, speak to you Monday (or Tuesday if you have the same Holidays as the UK).

_________________
Andrew

PostPosted: Sat May 24, 2008 6:34 am
Open-AudIT Fellow
Thanks, you too (unfortunately short weekend here...)

_________________
Edoardo

PostPosted: Mon May 26, 2008 7:44 pm
Open-AudIT Fellow
Hi Andrew, these are my mods to audit.vbs for now:
[code]
'''''''''''''''''''''''''''
' Mapped Drives '
'''''''''''''''''''''''''''
' This commented code lists only the current user's mapped drives

'if audit_location = "l" then
'    comment = "Mapped Drives Info"
'    Echo(comment)
'    On Error Resume Next
'    Set colItems = objWMIService.ExecQuery("Select * from Win32_LogicalDisk ",,48)
'    For Each objItem in colItems
'        if Left(objItem.ProviderName,2)="\\" then
'            form_input = "mapped^^^" & clean(objItem.DeviceID) & "^^^" _
'                & clean(objItem.FileSystem) & "^^^" _
'                & int(Round(objItem.FreeSpace /1024 /1024 /1024 ,1)) & "^^^" _
'                & clean(objItem.ProviderName) & "^^^" _
'                & int(Round(objItem.Size /1024 /1024 /1024 ,1)) & "^^^"
'            entry form_input,comment,objTextFile,oAdd,oComment
'            form_input = ""
'        end if
'    Next
'end if

comment = "Mapped Drives Info"
Echo(comment)
On Error Resume Next

' Searching the registry for loaded profiles (one subkey per SID under HKEY_USERS)
strKeyPath = ""
oReg.EnumKey HKEY_USERS, strKeyPath, arrSubKeys
For Each subkey In arrSubKeys
    ' Filtering out some well-known SIDs
    Select Case subkey
        Case ".DEFAULT"
        Case "S-1-5-18" 'Local System
        Case "S-1-5-19" 'Local Service
        Case "S-1-5-20" 'Network service
        Case Else
            If Instr(subkey, "_Classes") = 0 Then
                ' Searching for mapped drives
                'Echo("SID: " & subkey)
                strKeyPath2 = subkey & "\Network"
                arrSubKeys2 = Null
                oReg.EnumKey HKEY_USERS, strKeyPath2, arrSubKeys2
                ' EnumKey leaves arrSubKeys2 empty (not an array) when the profile has no Network key
                If IsArray(arrSubKeys2) Then
                    ' Searching for the username matching the SID (once per profile, not once per drive)
                    MapUserName = ""
                    MapUserDomain = ""
                    ' Note: on a domain member this query can be slow, as Win32_UserAccount also enumerates domain accounts
                    Set colItems = objWMIService.ExecQuery("Select Name, Domain from Win32_UserAccount where SID = '" & subkey & "'",,48)
                    If colItems.Count > 0 Then
                        ' Found user
                        For Each objItem in colItems
                            MapUserName = objItem.Domain & "\" & objItem.Name
                        Next
                    Else
                        ' Searching the registry for user info written by the shell at logon
                        strKeyPath3 = subkey & "\Software\Microsoft\Windows\CurrentVersion\Explorer"
                        oReg.GetStringValue HKEY_USERS, strKeyPath3, "Logon User Name", MapUserName
                        strKeyPath4 = subkey & "\Volatile Environment"
                        oReg.GetStringValue HKEY_USERS, strKeyPath4, "USERDNSDOMAIN", MapUserDomain
                        If MapUserDomain <> "" Then MapUserName = MapUserName & "@" & MapUserDomain
                    End If
                    Echo ("MapUserName: " & MapUserName)
                    For Each subkey2 in arrSubKeys2
                        If subkey2 <> "" Then
                            ' Found mapped drive: reading its details
                            DeviceId = subkey2
                            strKeyPath5 = strKeyPath2 & "\" & subkey2
                            oReg.GetStringValue HKEY_USERS, strKeyPath5, "RemotePath", ProviderName
                            oReg.GetStringValue HKEY_USERS, strKeyPath5, "UserName", ConnectAs
                            Echo("DeviceID: " & DeviceId)
                            Echo("ProviderName: " & ProviderName)
                            Echo("ConnectAs: " & ConnectAs)
                            ' The registry does not store these; left blank to keep the existing "mapped" table layout
                            FileSystem = ""
                            FreeSpace = ""
                            Size = ""
                            form_input = "mapped^^^" & DeviceID & "^^^" & FileSystem & "^^^" & FreeSpace & "^^^" _
                                & ProviderName & "^^^" & Size & "^^^"
                            entry form_input,comment,objTextFile,oAdd,oComment
                            form_input = ""
                        End If 'subkey2 <> ""
                    Next 'subkey2 in arrSubKeys2
                End If 'IsArray(arrSubKeys2)
            End If 'Instr(subkey, "_Classes") = 0
    End Select
Next ' subkey In arrSubKeys

[/code]
Take a look at what is displayed on screen during the "mapped drives info": we are retrieving:
- each user who has persistent mapped drives for his/her profile
- the drive letter assigned to the mapped resource
- the UNC remote path
- the user account name used to connect
If it's OK we could:
- delete the "audit_location" value from the audit.config file (it's no longer needed)
- drop "mapped_file_system", "mapped_free_space" and "mapped_size" columns from the "mapped" table (or leave them there, but we don't use them)
- add "mapped_username" and "mapped_connect_as" columns to the "mapped" table
- modify accordingly system_viewdef_os.php and include_menu_array.php

_________________
Edoardo
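The same registry walk discussed in this thread (ProfileList SIDs, HKEY_USERS\{SID}\Network subkeys, Explorer\Logon User Name and Volatile Environment\USERDNSDOMAIN as the fallback for unresolved SIDs), written as an added PowerShell example rather than as part of audit.vbs or the Open-AudIT project. It goes a step beyond the posts above: it uses the Windows SID translation API before falling back to the registry values, and groups the result by file server to answer the question from the first post, who is affected when a server is removed. The function names are this example's own, and reading other users' hives under HKEY_USERS is assumed to run with local administrator rights.

```powershell
# Added example, not the thread's audit.vbs: enumerate persistent drive mappings
# per user profile from the registry and resolve each profile SID to a name.
# Function names are this example's own; reading other users' hives under
# HKEY_USERS needs local administrator rights.

function Resolve-ProfileSid {
    param([Parameter(Mandatory)][string]$Sid)
    # First choice: let Windows translate the SID. Works for local accounts and,
    # when a domain controller is reachable, for domain accounts.
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        return $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        # Fallback from the thread: values the shell writes into the hive at logon.
        $explorer = "Registry::HKEY_USERS\$Sid\Software\Microsoft\Windows\CurrentVersion\Explorer"
        $volatile = "Registry::HKEY_USERS\$Sid\Volatile Environment"
        $name   = (Get-ItemProperty -Path $explorer -Name 'Logon User Name' -ErrorAction SilentlyContinue).'Logon User Name'
        $domain = (Get-ItemProperty -Path $volatile -Name 'USERDNSDOMAIN' -ErrorAction SilentlyContinue).USERDNSDOMAIN
        if ($name -and $domain) { return "$name@$domain" }
        if ($name) { return $name }
        return $Sid   # unresolved: report the raw SID rather than guessing from ProfileImagePath
    }
}

function Get-PersistentDriveMappings {
    $profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    $wellKnown   = @('S-1-5-18', 'S-1-5-19', 'S-1-5-20')   # SYSTEM, LOCAL SERVICE, NETWORK SERVICE
    $results = foreach ($entry in Get-ChildItem -Path $profileList) {
        $sid = $entry.PSChildName
        if ($wellKnown -contains $sid) { continue }
        $networkKey = "Registry::HKEY_USERS\$sid\Network"
        # HKEY_USERS only holds hives that are currently loaded. A profile listed in
        # ProfileList whose user is not logged on keeps its mappings in NTUSER.DAT on
        # disk, which this example does not load.
        if (-not (Test-Path -Path $networkKey)) { continue }
        $user = Resolve-ProfileSid -Sid $sid
        foreach ($drive in Get-ChildItem -Path $networkKey) {
            $props = Get-ItemProperty -Path $drive.PSPath
            [pscustomobject]@{
                User         = $user
                ProfileSid   = $sid
                DriveLetter  = $drive.PSChildName.ToUpper() + ':'
                RemotePath   = $props.RemotePath
                ConnectAs    = $props.UserName      # empty when mapped as the logged-on identity
                ProviderName = $props.ProviderName
            }
        }
    }
    return $results
}

function Get-MappingsByServer {
    # Answers "who is affected if this server goes away": group mappings by the
    # server part of the UNC path (\\server\share -> server).
    param([object[]]$Mappings = @())
    $Mappings |
        Where-Object { $_.RemotePath -match '^\\\\([^\\]+)\\' } |
        Group-Object { ($_.RemotePath -replace '^\\\\([^\\]+)\\.*$', '$1').ToLowerInvariant() } |
        ForEach-Object {
            [pscustomobject]@{
                Server   = $_.Name
                Mappings = $_.Count
                Users    = ($_.Group | ForEach-Object User | Sort-Object -Unique) -join ', '
            }
        }
}

$mappings = Get-PersistentDriveMappings
$mappings | Sort-Object User, DriveLetter | Format-Table -AutoSize
Get-MappingsByServer -Mappings $mappings | Format-Table -AutoSize
```

Run it elevated on a workstation; the first table is the per-user list sketched in the opening post (user, drive letter, UNC path, account used to connect), the second is the per-server view. Like the VBScript above, it only sees mappings of users whose hive is loaded at audit time, which is the reason the thread wants the audit to run in each user's context or to keep a SID-to-username table on the server side.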

