Windows Baseline Audit Script Lab

Class: CYB.6010

Name:

Date:

This lab provides a real-world hands-on example of performing a baseline audit of a Windows system. In this lab you will use wmic and batch commands to query a Windows system for installed software, NICs, startup items, boot list, disk drives, environment variables, jobs, logons, network protocols, mapped drives, type of OS, installed hotfixes, running servers, shares, installed hardware, running services, user accounts, security groups, running processes, TCP/UDP connections, NetBIOS connections, system information, and scheduled tasks. As you can see, this basic baseline script captures a great deal of information for an auditor.

There are two reasons this baseline script uses only basic wmic and batch file commands. The first is that any Windows system can run it: there are no dependencies to install. The second is that even the most sensitive Windows systems, such as those configured for a single purpose like controllers or instruments, will not lock up or crash when the script is run. Be aware, however, that the script may noticeably slow down a system that is already using most of its resources for other work, so execute it with caution.
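As an added illustration of the approach described above (this is not the lab's own baseline.bat, which is not reproduced here), the following batch script uses only wmic and built-in commands, appends each query to baseline.txt, and writes a separate HTML report; the file names follow the lab, the query list is a subset of the categories listed above, and the section helper is this example's own construction.

```batch
@echo off
REM Added example, not the lab's baseline.bat: dependency-free baseline audit
REM using wmic and built-in commands. Run from an elevated prompt; several
REM wmic classes return incomplete data without administrator rights.
setlocal
set "TXT=%~dp0baseline.txt"
set "HTML=%~dp0baseline.html"

echo ==== Baseline audit: %COMPUTERNAME% %DATE% %TIME% ==== > "%TXT%"

REM Each call appends a section header plus one query to the text report.
REM Note: "wmic product" is slow and triggers an MSI consistency check on
REM every installed package, which is where most of the CPU time goes.
call :section "Operating system"    "wmic os get Caption,Version,BuildNumber,LastBootUpTime"
call :section "Installed hotfixes"  "wmic qfe get HotFixID,InstalledOn"
call :section "Installed software"  "wmic product get Name,Version,Vendor"
call :section "Network adapters"    "wmic nicconfig where IPEnabled=TRUE get Description,IPAddress,MACAddress,DHCPEnabled"
call :section "Startup items"       "wmic startup get Caption,Command,User"
call :section "Running services"    "wmic service where State='Running' get Name,PathName,StartMode"
call :section "Running processes"   "wmic process get ProcessId,ParentProcessId,ExecutablePath,CommandLine"
call :section "User accounts"       "wmic useraccount get Name,Disabled,PasswordRequired,SID"
call :section "Local groups"        "wmic group get Name,SID"
call :section "Shares"              "wmic share get Name,Path,Type"
call :section "Mapped drives"       "wmic netuse get LocalName,RemoteName,Status"
call :section "TCP/UDP connections" "netstat -ano"
call :section "Scheduled tasks"     "schtasks /query /fo LIST /v"

REM wmic can render HTML itself through its bundled stylesheets (hform for a
REM single record, htable for lists); concatenating them gives one page that
REM browsers render even though it is not a single well-formed document.
(
  wmic os get Caption,Version,BuildNumber /format:hform
  wmic qfe get HotFixID,InstalledOn /format:htable
  wmic service where State='Running' get Name,PathName /format:htable
  wmic useraccount get Name,Disabled,SID /format:htable
) | more > "%HTML%"

echo Done. Reports: "%TXT%" and "%HTML%"
endlocal
goto :eof

:section
REM wmic emits UTF-16 when redirected; piping through "more" converts it to
REM the console code page so it mixes cleanly with the echo'd headers.
echo.>> "%TXT%"
echo ==== %~1 ==== >> "%TXT%"
%~2 2>&1 | more >> "%TXT%"
goto :eof
```

On current Windows 11 builds wmic is deprecated and may have to be enabled as an optional feature before this runs; the same queries can be issued from PowerShell with Get-CimInstance, at the cost of the "no dependencies" property the lab values.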

1. Right-click on the file titled “baseline.bat” and select “edit”. Notice the wmic commands and batch file commands being used to query the Windows system.

2. Right-click on the file titled “baseline.bat” and select “Run as administrator”.

3. A command prompt should have opened.

4. Press Ctrl+Alt+Del.

5. Select “Task Manager”.

6. Click on the tab labeled: “Performance”

7. Click on the button labeled: “Resource Monitor”

8. Observe the resources being consumed, specifically, observe the CPU usage. What is taking up the most average CPU time?

a. Answer:

9. Wait for the script to finish running. When the script is finished running you should have two documents. One titled “baseline.html” and another titled “baseline.txt”.

10. Open the document “baseline.html” and scroll through it. What do you see in terms of various key outputs evident in the baseline.html file?

a. Answer:

11. Open the document “baseline.txt” and scroll through it. What do you see in this file regarding a holistic view of the currently active environment that can be used to assess and analyze vulnerabilities and threats?

a. Answer:

You now have an audit script to take with you and use during audits.