DumpSec's Shortcomings Mask the Full Security Picture
Don’t let DumpSec fool you into a security comfort zone
By Derek Melber
Every time I deliver a training class or conference session on auditing Windows, I talk about how wonderful DumpSec is as an auditing tool. However, I always talk about the shortcomings of DumpSec, too. You don't need to throw out DumpSec just because it has shortcomings. Instead, become aware of the limitations and work around them so that your audit reflects the full story and you can provide the most accurate and appropriate recommendations.
To understand why DumpSec misses the boat on many audit control points, you must remember that it was designed for Windows NT, not Windows 2000/2003. Also, the domain structure for Windows NT was much simpler than the Active Directory structure that most organizations now possess. Keep in mind that auditing Active Directory is a higher calling than auditing Windows NT domains: there is more interaction between domains, more administration that spans domains, and more security controlling the enterprise as a whole. Here are three of the top areas where DumpSec falls short of producing the full audit picture.
Shortcoming #1: Files and folders can only be audited relative to the computer running DumpSec
This is important as you attempt to use DumpSec from a client to audit a server or domain controller. When you try to view the available files and folders to audit, you might not have the full picture of what the folder structure is on the target computer. The reason is that DumpSec takes the local folder structure from the client as an option list of folders and files to audit.
For example, assume that you need to audit the directory that houses the Active Directory database, c:\windows\system32\ntds. This folder will not be available on the local client, no matter what operating system it is running, even Windows Server 2003. Only domain controllers have this folder by default.
You can trick DumpSec by recreating, on the local computer, the folder structure that the domain controller has. Then, when you try to view the ntds folder, it will be there locally, allowing the application to remotely access the permissions from the domain controllers.
Shortcoming #2: DumpSec reports only NT permissions
DumpSec can only report on the following permissions:
- Take Ownership
- Change Permission
However, Windows 2000, 2003, and XP have a much more granular set of permissions. The new permissions for files and folders on these newer operating systems include:
- Traverse Folder/Execute File
- List Folder/Read Data
- Read Attributes
- Read Extended Attributes
- Create Files/Write Data
- Create Folders/Append Data
- Write Attributes
- Write Extended Attributes
- Delete Subfolders and Files
- Read Permissions
- Change Permissions
- Take Ownership
If a permission is set that is outside the scope of the DumpSec library of permissions, DumpSec prints the raw numeric code for the newer permission, which is almost impossible to evaluate by eye. All you can really gather from that output is the fact that there is a special permission set on the resource.
To solve this, you will need to use a tool that can support the advanced permissions that come with the newer OSs, such as showacls.exe. You can obtain this tool from the Audit Tools section on http://www.auditingwindows.com.
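To see what that raw numeric output actually encodes, here is an added example (not code from the article, from DumpSec or from showacls) that decodes an NTFS access mask into the granular permission names listed above. The bit values are the standard winnt.h file-rights and standard-rights constants; the sample masks are constructed.

```python
# Added example: decode a raw NTFS access mask into the granular Windows
# 2000/2003/XP permission names, so a "special" entry can be evaluated.
# Bit values are the FILE_* and standard-rights constants from winnt.h.

GRANULAR = [
    (0x00000001, "List Folder/Read Data"),
    (0x00000002, "Create Files/Write Data"),
    (0x00000004, "Create Folders/Append Data"),
    (0x00000008, "Read Extended Attributes"),
    (0x00000010, "Write Extended Attributes"),
    (0x00000020, "Traverse Folder/Execute File"),
    (0x00000040, "Delete Subfolders and Files"),
    (0x00000080, "Read Attributes"),
    (0x00000100, "Write Attributes"),
    (0x00010000, "Delete"),
    (0x00020000, "Read Permissions"),
    (0x00040000, "Change Permissions"),
    (0x00080000, "Take Ownership"),
    (0x00100000, "Synchronize"),
]

# Masks that the Windows security editor displays as one basic permission.
BASIC = {
    0x001F01FF: "Full Control",
    0x001301BF: "Modify",
    0x001200A9: "Read & Execute",
    0x00120089: "Read",
}

def decode_mask(mask):
    """Return the granular permission names whose bits are set in mask."""
    names = [name for bit, name in GRANULAR if mask & bit]
    leftover = mask & ~sum(bit for bit, _ in GRANULAR)
    if leftover:  # e.g. generic rights that were never mapped to file rights
        names.append("Unknown bits 0x%08X" % leftover)
    return names

def classify_mask(mask):
    """Name the basic permission a mask corresponds to, or 'Special'."""
    return BASIC.get(mask, "Special")

def describe(mask):
    """One audit-report line: mask, basic name, and the granular breakdown."""
    return "0x%08X %s: %s" % (mask, classify_mask(mask), ", ".join(decode_mask(mask)))

if __name__ == "__main__":
    # Constructed sample masks, as an auditor might see them in a report.
    for m in (0x001200A9, 0x001F01FF, 0x00120029, 0x000D0000):
        print(describe(m))
```

A mask that is one bit short of a basic permission (0x00120029 above lacks Read Attributes) is reported as Special, and the breakdown shows exactly which right is missing or added.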
Shortcoming #3: DumpSec can’t report on Active Directory objects
DumpSec can report on files, folders, and registry keys. However, it can’t handle Active Directory objects (such as organizational units or user accounts). I find that many auditors feel that if they don’t have tools that can report on Active Directory objects, then it is not essential to audit them. However, with Active Directory, the delegation that occurs on these objects configures who can manage the objects in Active Directory. It is critical to audit Active Directory objects.
To solve the problem, you will need to get a tool like dsacls.exe, which is a Windows Resource Kit tool. You can find a link to this tool from http://www.auditingwindows.com under the Audit Tools section.
DumpSec is a wonderful tool for providing insight into some of the key control points for your enterprise. However, there are some shortcomings of the tool that can leave a false impression of the state of the security of some resources. Be sure to understand these limitations when you use DumpSec and replace those control points with another tool that can correctly report on the control points.
Derek Melber (MCSE, MVP, CISM) is president of BrainCore.Net AZ, Inc., an independent consultant and speaker, and the author of many IT books. Derek educates and evangelizes Microsoft technology, focusing on Active Directory, Group Policy, security and desktop management. As one of only 8 MVPs in the world on Group Policy, Derek's company is often called upon to develop end-to-end Group Policy solutions for companies. Derek is the author of The Group Policy Resource Kit from MSPress, which is the de facto book on the subject.