
STANFORD UNIVERSITY

INFORMATION TECHNOLOGY SERVICES

Health Check Tool Actions


Download Programs

Program Load

  • Save the Start time for later use (metrics).
  • PC: See if the computer is running 64-bit Windows. If it is, display an error message and end.
  • PC: If the computer is running Windows 2000 Service Pack 2 or below, display an error message (the Microsoft Baseline Security Analyzer, which the patch check depends on, requires Windows 2000 SP3 or later).
  • See if the user that is logged in has administrator rights (note that the OSX version will always be running as admin because the installer authenticates the user before program load).
    • If the user does not have administrator rights display an error message and end.
  • Log all program activity to the activity log file
    • PC: “C:\Program Files\Common Files\Stanford\Config\Logs\self-reg_activity_log.txt”
    • Mac: “/Library/Application Support/Stanford/Config/Logs/self-reg_activity_log.txt”
  • Get all of the Network hardware addresses
  • Download the latest configuration file from the web.
  • Contact the hostreg server and get the subnet options:
    • The final completion URL (optional)
    • Is BigFix required?
    • Is Symantec AntiVirus required?
  • PC: Download the latest Microsoft Malicious Software Removal tool
  • PC: See if it is safe to look for weak administrator passwords. If an account lockout threshold has been assigned, it is not safe (the repeated failed logons used to test each guess would lock the administrator accounts out), so disable the password checking functions.
  • Get the computer name
  • Get the user's SUNet ID (if they are logged in to PC-Leland or MacLeland)
  • Get the user's login name (short name)
  • Get the operating system version
  • Get the computer Make, Model and Type
  • Get the name and version of the user's virus protection program (if a known program exists). This is currently done by using the McAfee VirusScan uninst.inf file, which attempts to identify 90 virus protection programs (see the list at the end of this page).
  • See if the user is missing any important patches.
    • PC: Critical patches as defined by mbsacli
    • Mac: “required” updates as defined by Software Update
    If missing patches are found, and missing patches have not been previously recorded, save the names of the missing patches to the drive for later use (metrics).
    • PC: “C:\Program Files\Common Files\Stanford\Config\Self-Reg\patch.lst”
    • Mac: “/Library/Application Support/Stanford/Config/Self-Reg/patch.lst”
  • PC: If it is safe to do so, get the names and passwords of all administrator users that have been assigned weak passwords (the guesses tried are listed under Weak Password List below).
    If weak passwords are found, and weak passwords have not been previously recorded, save the names of the affected administrator accounts to the drive for later use (metrics).
    • PC: “C:\Program Files\Common Files\Stanford\Config\Self-Reg\admin.lst”
    • Mac: “/Library/Application Support/Stanford/Config/Self-Reg/admin.lst”
  • PC: See if BigFix has been installed
  • PC: Run the Microsoft Malicious Software Removal Tool in quiet mode (the “/q” switch shown in the example log below)
    • If a worm or virus was found and removed, record the event for inclusion in the metrics.
  • Alter the UI to reflect the status of:
    • PC, and Mac: Virus Protection
    • PC, and Mac: Security Patches
    • PC, and Mac: Administrator Passwords
    • PC: BigFix

Command Button Actions

Virus Protection Download Button

Open the default browser and navigate to the ESS virus protection page appropriate for the OS. The URL is read from the configuration file (sav_pc_url or sav_mac_url).

Software Update Button

PC: Launch Internet Explorer and go to http://update.microsoft.com/microsoftupdate (the windows_update_help entry in the configuration file)

Mac: Launch the “Software Update” System Preferences application

Change Passwords Button

Load a window that will allow the user to change the passwords:

[Screenshot: Change Passwords window]

Download BigFix Button

Open the default browser and navigate to the ESS BigFix information page. The URL is read from the configuration file (bigfix_pc_url; bigfix_mac_url is empty in the example configuration below).

Cancel Button

Ask the user if they really want to exit, because the computer will not be registered if they do.

If they confirm that they really want to exit, end the program.

Run Tests Again Button

If the user is required to patch the computer before registering, this button appears after they visit Windows Update. If a reboot is not required, they can click “Run Tests Again” to re-check for compliance. If all required patches are found, they will be able to continue with registration.

Continue Button

PC: Make the registry changes necessary to security-harden the computer (listed under Registry Changes below)

PC and Mac: Write the data that was collected to a comma separated file:

  • PC:  “C:\Program Files\Common Files\Stanford\Config\self-reg-results.csv”
  • Mac: “/Library/Application Support/Stanford/Config/self-reg-results.csv”

PC and Mac: Build an HTTP GET URL whose query string carries the computer's MAC addresses (“MAC”), OS version (“OS”), IP addresses (“IP”), make (“MAKE”), model (“MODEL”), type (“TYPE”) and system metrics (“CHK”), and send it to the hostreg server.


Weak Password List

The following words will be used as guesses when testing the administrator account passwords. Each word is tried in lowercase (“my password”), uppercase (“MY PASSWORD”) and mixed case (“My Password”).

  • “”
  • “guest”
  • “password”
  • “stanford”
  • “oper”
  • “administrator”
  • “admin”
  • “user”
  • “asdfghjkl;”
  • “lexis”
  • “test”
  • “nopassword”
  • “rescomp”
  • “123”
  • “abc”
  • “asdf”
  • “football”
  • “secret”
  • “a”
  • “1234”
  • The computer name
  • The user's SUNet ID
  • The user name (short name)
  • The user name (long name)
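
The lockout check under Program Load and the word list above are two halves of one procedure: build the candidate list, then try each candidate against every administrator account only if failed logons cannot lock anyone out. The following is an added example in Python (not the tool's own code) that shows the full candidate generation, including the case variants and the host/user-derived words, and the guard. The real tool attempts a Windows logon for each guess; here the logon is a pluggable callback and the account table is a constructed stand-in, so it runs offline. The sample inputs produce 65 distinct guesses per account, which is why the tool refuses to run when any lockout threshold is set.

```python
"""Weak administrator-password check modelled on the Health Check Tool's
Weak Password List and its lockout guard.  Added example, not the tool's own
code.  The real tool attempts a Windows logon for each guess; here the logon is
a pluggable callback so the logic can be exercised offline."""
from typing import Callable, Dict, Iterable, List

# Fixed dictionary from the Weak Password List ("" is the blank-password case).
BASE_WORDS = [
    "", "guest", "password", "stanford", "oper", "administrator", "admin",
    "user", "asdfghjkl;", "lexis", "test", "nopassword", "rescomp", "123",
    "abc", "asdf", "football", "secret", "a", "1234",
]


def mixed_case(word: str) -> str:
    """'my password' -> 'My Password': capitalise each space-separated word."""
    return " ".join(w[:1].upper() + w[1:].lower() for w in word.split(" "))


def candidate_passwords(computer_name: str, sunet_id: str,
                        short_name: str, long_name: str) -> List[str]:
    """Every dictionary word plus the four host/user-derived words, each in
    lower, upper and mixed case, de-duplicated ("123" has one form only)."""
    seen, out = set(), []
    for w in BASE_WORDS + [computer_name, sunet_id, short_name, long_name]:
        for variant in (w.lower(), w.upper(), mixed_case(w)):
            if variant not in seen:
                seen.add(variant)
                out.append(variant)
    return out


def safe_to_check(lockout_threshold: int) -> bool:
    """Windows 'Account lockout threshold' 0 means accounts never lock.  Any
    other value means the guesses below would lock every administrator account
    out, so the check must be skipped entirely (as the tool does)."""
    return lockout_threshold == 0


def find_weak_admins(admin_accounts: Iterable[str], candidates: List[str],
                     try_logon: Callable[[str, str], bool],
                     lockout_threshold: int) -> List[str]:
    """Return the names (never the passwords) of administrator accounts that
    accept one of the candidate passwords."""
    if not safe_to_check(lockout_threshold):
        return []
    return [acct for acct in admin_accounts
            if any(try_logon(acct, pw) for pw in candidates)]


# Constructed stand-in for the local administrator accounts; the real tool
# would call the Windows logon API instead of consulting this table.
SAMPLE_ACCOUNTS: Dict[str, str] = {
    "Administrator": "stanford",            # a dictionary word
    "Admin2": "Silveira-pbdsl2",            # mixed-case form of the computer name
    "itops": "correct horse battery staple",
}


def demo_logon(account: str, password: str) -> bool:
    """Stand-in for the logon attempt: succeeds only on the exact password."""
    return SAMPLE_ACCOUNTS.get(account) == password


if __name__ == "__main__":
    cands = candidate_passwords("SILVEIRA-PBDSL2", "tonysil@stanford.edu",
                                "tonysil", "Tony Silveira")
    print(len(cands), "guesses per account")
    print("weak:", find_weak_admins(SAMPLE_ACCOUNTS, cands, demo_logon, 0))
    print("with lockout:", find_weak_admins(SAMPLE_ACCOUNTS, cands, demo_logon, 5))
```

Only account names come back from `find_weak_admins`, matching what the tool writes to admin.lst and the “Bad Passwords” CSV field; the guessed passwords are never stored.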

 

Registry Changes

All values are REG_DWORD.

Registry Key: “HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters”
Registry Item: “EnableICMPRedirect”, 0 (ignore ICMP redirects)
Registry Item: “KeepAliveTime”, 30000 (milliseconds)
Registry Item: “PerformRouterDiscovery”, 0 (disable ICMP router discovery)
Registry Item: “DisableIPSourceRouting”, 2 (drop all incoming source-routed packets)
Registry Item: “EnableDeadGWDetect”, 0 (disable dead gateway detection)
Registry Item: “EnablePMTUDiscovery”, 1 (leave path MTU discovery on)
Registry Item: “SynAttackProtect”, 2 (SYN flood protection)
Registry Item: “TcpMaxHalfOpen”, 100 (half-open connections before SYN protection engages)
Registry Item: “TcpMaxHalfOpenRetired”, 80

Registry Key: “HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netbt\Parameters”
Registry Item: “NoNameReleaseOnDemand”, 1 (ignore NetBIOS name-release requests)

Registry Key: “HKEY_LOCAL_MACHINE\Software\Microsoft\DrWatson”
Registry Item: “CreateCrashDump”, 0 (no crash dumps written to disk)

Registry Key: “HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AEDebug”
Registry Item: “Auto”, 0 (do not launch the debugger automatically)

Registry Key: “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager”
Registry Item: “SafeDllSearchMode”, 1 (search the system directories before the current directory)

Registry Key: “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000566-0000-0010-8000-00AA006D2EA4}”
Registry Item: “Compatibility Flags”, 1024 (0x400, the ActiveX kill bit; this CLSID is the ADODB.Stream control that Microsoft KB870669 disables the same way)

Registry Key: “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa”
Registry Item: “limitblankpassworduse”, 1 (accounts with blank passwords may only log on at the console)

Enable SAV Live Update
Registry Key: “HKEY_LOCAL_MACHINE\Software\Intel\LANDesk\VirusProtect6\CurrentVersion\PatternManager\Schedule”
Registry Item: “Enabled”, 1

Set SAV Live Update to Check Daily
Registry Key: “HKEY_LOCAL_MACHINE\Software\Intel\LANDesk\VirusProtect6\CurrentVersion\PatternManager\Schedule”
Registry Item: “Type”, 1

Turn On Windows Update (automatic mode)
Registry Key: “HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update”
Registry Item: “AUOptions”, 4 (download automatically and install on the schedule)

Have Windows Update Check Daily
Registry Key: “HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update”
Registry Item: “ScheduledInstallDay”, 0 (every day)
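
The tool writes these values but nothing on the page re-checks them later. The following added example (Python; not the tool's code) audits a registry export against the list above, so a host that has drifted since registration can be found from a `reg export` of the keys involved. The `.reg` text it parses is constructed for the example; the parser only handles `dword:` values because the baseline contains nothing else, and it lower-cases key and value names because the registry compares them case-insensitively (the page itself mixes “System” and “SYSTEM”).

```python
"""Audit a Windows registry export (.reg) against the Registry Changes list
above.  Added example, not the tool's code: the tool writes these values
itself, this script only checks that a host still has them.  Produce the
input with `reg export <key> out.reg` (or regedit's File > Export) on the PC."""
import re
from typing import Dict, List, Optional, Tuple

HKLM = "HKEY_LOCAL_MACHINE"
TCPIP = HKLM + r"\System\CurrentControlSet\Services\Tcpip\Parameters"
SAV = HKLM + r"\Software\Intel\LANDesk\VirusProtect6\CurrentVersion\PatternManager\Schedule"
AU = HKLM + r"\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update"
ADODB = HKLM + r"\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000566-0000-0010-8000-00AA006D2EA4}"

BASELINE: Dict[Tuple[str, str], int] = {
    (TCPIP, "EnableICMPRedirect"): 0, (TCPIP, "KeepAliveTime"): 30000,
    (TCPIP, "PerformRouterDiscovery"): 0, (TCPIP, "DisableIPSourceRouting"): 2,
    (TCPIP, "EnableDeadGWDetect"): 0, (TCPIP, "EnablePMTUDiscovery"): 1,
    (TCPIP, "SynAttackProtect"): 2, (TCPIP, "TcpMaxHalfOpen"): 100,
    (TCPIP, "TcpMaxHalfOpenRetired"): 80,
    (HKLM + r"\System\CurrentControlSet\Services\Netbt\Parameters", "NoNameReleaseOnDemand"): 1,
    (HKLM + r"\Software\Microsoft\DrWatson", "CreateCrashDump"): 0,
    (HKLM + r"\Software\Microsoft\Windows NT\CurrentVersion\AEDebug", "Auto"): 0,
    (HKLM + r"\SYSTEM\CurrentControlSet\Control\Session Manager", "SafeDllSearchMode"): 1,
    (ADODB, "Compatibility Flags"): 0x400,          # 1024, the kill bit
    (HKLM + r"\SYSTEM\CurrentControlSet\Control\Lsa", "limitblankpassworduse"): 1,
    (SAV, "Enabled"): 1, (SAV, "Type"): 1,
    (AU, "AUOptions"): 4, (AU, "ScheduledInstallDay"): 0,
}

_KEY = re.compile(r"^\[(.+)\]$")
_DWORD = re.compile(r'^"(.+?)"=dword:([0-9A-Fa-f]{8})$')


def parse_reg_export(text: str) -> Dict[Tuple[str, str], int]:
    """{(key, name): value} for every REG_DWORD in a .reg file.  Key and value
    names are lower-cased because the registry compares them case-insensitively;
    string and binary values are ignored since the baseline has none."""
    values: Dict[Tuple[str, str], int] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = _KEY.match(line)
        if key_match:
            current = key_match.group(1).lower()
            continue
        val_match = _DWORD.match(line)
        if current and val_match:
            values[(current, val_match.group(1).lower())] = int(val_match.group(2), 16)
    return values


def audit(export: Dict[Tuple[str, str], int]) -> List[str]:
    """Baseline items that are absent from, or differ in, the export."""
    findings = []
    for (key, name), expected in BASELINE.items():
        actual = export.get((key.lower(), name.lower()))
        if actual is None:
            findings.append(f"MISSING {key}\\{name} (expected {expected})")
        elif actual != expected:
            findings.append(f"DRIFT   {key}\\{name} = {actual} (expected {expected})")
    return findings


# Constructed export: SynAttackProtect was reset and several keys were never
# exported, so the audit reports one drift and seven missing items.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"EnableICMPRedirect"=dword:00000000
"KeepAliveTime"=dword:00007530
"PerformRouterDiscovery"=dword:00000000
"DisableIPSourceRouting"=dword:00000002
"EnableDeadGWDetect"=dword:00000000
"EnablePMTUDiscovery"=dword:00000001
"SynAttackProtect"=dword:00000000
"TcpMaxHalfOpen"=dword:00000064
"TcpMaxHalfOpenRetired"=dword:00000050
"DhcpDomain"="stanford.edu"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt\Parameters]
"NoNameReleaseOnDemand"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000566-0000-0010-8000-00AA006D2EA4}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"LimitBlankPasswordUse"=dword:00000001
"""

if __name__ == "__main__":
    for line in audit(parse_reg_export(SAMPLE_EXPORT)):
        print(line)
```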
 

CSV File Contents

The CSV file will contain the following fields:

  • “Date”
  • “Time”
  • “Minutes” (the number of minutes that elapsed between the time the user started the desktop tool and the time the tool sent its data to the server)
  • “Computer Name”
  • “OS Version”
  • “MAC Address” (if there is more than one MAC address, the addresses are separated by the pipe character “|”)
  • “User Name”
  • “Virus Protection” (the name and version of the virus protection program, or blank if none was found)
  • “Missing Patches” (if the computer is missing more than one patch, the patch names are separated by the pipe character “|”)
  • “BigFix Installed” (1 if BigFix is installed, 0 if it is not)
  • “Bad Passwords” (the name of each administrator account with a weak password; if more than one account has a weak password, the names are separated by the pipe character “|”)
  • “Symantec AntiVirus Downloaded” (1 if the user downloaded the SAV installer, 0 if not)
  • “BigFixDownloaded” (1 if the user downloaded the BigFix installer, 0 if not)
  • “Windows Update OK” (PC: 1 if Windows Update was already set to the standard before the tool made any changes, 0 if it was not; Mac: always 0)
  • “Computer Make” (e.g. “Dell Computer Corporation”, “Apple”)
  • “Computer Model” (e.g. “OptiPlex GX270”, “PowerMac3,6”)
  • “Computer Type” (e.g. “Mini Tower”, “Desktop”)
  • “Virus Cleaned” (1 if the Malicious Software Removal Tool found and removed a virus, 0 if no virus was found)
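
The Continue button writes this CSV and then reports the same machine data in a GET query string, and the file exists for metrics. The following added example (Python; not the tool's code) serialises a result to one CSV line with the pipe-separated multi-valued fields, parses lines back, computes the kind of fleet metrics the data is collected for, and builds the GET URL with proper percent-encoding of the colons, pipes and spaces in the values. The sample records are constructed (one from the example log, one Mac). Two assumptions are labelled in the code: multi-valued MAC and IP lists in the URL use the same “|” separator the page defines for the CSV, and the base path is the self-reg-server entry from the configuration file; the page does not specify the encoding of “CHK”, so it is passed through as an opaque string.

```python
"""Serialise, parse and summarise self-reg-results.csv rows, and build the GET
report URL described under the Continue button.  Added example, not the tool's
code.  Column order follows the CSV File Contents list; the CHK encoding and
the report path are not specified on the page and are assumed here."""
import csv
import io
from collections import Counter
from typing import Dict, List
from urllib.parse import parse_qs, urlencode, urlsplit

SEP = "|"                                    # separator for multi-valued fields
COLUMNS = ["Date", "Time", "Minutes", "Computer Name", "OS Version", "MAC Address",
           "User Name", "Virus Protection", "Missing Patches", "BigFix Installed",
           "Bad Passwords", "Symantec AntiVirus Downloaded", "BigFixDownloaded",
           "Windows Update OK", "Computer Make", "Computer Model", "Computer Type",
           "Virus Cleaned"]
MULTI = {"MAC Address", "Missing Patches", "Bad Passwords"}   # SEP-joined lists
FLAGS = {"BigFix Installed", "Symantec AntiVirus Downloaded", "BigFixDownloaded",
         "Windows Update OK", "Virus Cleaned"}                # written as 1/0


def csv_line(rec: Dict[str, object]) -> str:
    """One CSV line: lists joined with SEP, booleans as 1/0; the csv module
    quotes any field that happens to contain a comma or a quote."""
    row = []
    for col in COLUMNS:
        v = rec.get(col, "")
        if col in MULTI:
            v = SEP.join(v)
        elif col in FLAGS:
            v = "1" if v else "0"
        row.append(str(v))
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerow(row)
    return buf.getvalue().rstrip("\n")


def parse_csv(text: str) -> List[Dict[str, object]]:
    """Inverse of csv_line: SEP fields back into lists, 1/0 into bools."""
    records = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != len(COLUMNS):
            continue                         # blank or truncated line
        rec: Dict[str, object] = dict(zip(COLUMNS, row))
        for col in MULTI:
            rec[col] = [x for x in str(rec[col]).split(SEP) if x]
        for col in FLAGS:
            rec[col] = rec[col] == "1"
        rec["Minutes"] = int(str(rec["Minutes"]))
        records.append(rec)
    return records


def summarize(records: List[Dict[str, object]]) -> Dict[str, object]:
    """The metrics the tool collects the data for."""
    patches = Counter(p for r in records for p in r["Missing Patches"])
    return {
        "hosts": len(records),
        "no_virus_protection": sum(1 for r in records if not r["Virus Protection"]),
        "weak_admin_password": sum(1 for r in records if r["Bad Passwords"]),
        "missing_patches": sum(1 for r in records if r["Missing Patches"]),
        "bigfix_installed": sum(1 for r in records if r["BigFix Installed"]),
        "top_missing": patches.most_common(2),
    }


def report_url(base: str, rec: Dict[str, object], ips: List[str], chk: str) -> str:
    """GET URL with the MAC, OS, IP, MAKE, MODEL, TYPE and CHK parameters.
    Assumptions: multi-valued MAC/IP use SEP (the page defines it only for the
    CSV) and base is the self-reg-server entry from the configuration file."""
    return base + "?" + urlencode({
        "MAC": SEP.join(rec["MAC Address"]), "OS": rec["OS Version"],
        "IP": SEP.join(ips), "MAKE": rec["Computer Make"],
        "MODEL": rec["Computer Model"], "TYPE": rec["Computer Type"], "CHK": chk})


def report_params(url: str) -> Dict[str, str]:
    """Decode a report URL back into its parameters (server-side view)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


# Constructed records: the first from the example log above, the second a Mac.
SAMPLE_RECORDS = [
    {"Date": "6/17/2005", "Time": "7:24 AM", "Minutes": 2,
     "Computer Name": "SILVEIRA-PBDSL2", "OS Version": "Windows XP",
     "MAC Address": ["00:b0:d0:e8:90:fc"], "User Name": "tonysil",
     "Virus Protection": "Symantec AntiVirus 9.0.2.1000",
     "Missing Patches": ["MS05-016 (Q893086)", "MS05-017 (Q893087)"],
     "BigFix Installed": False, "Bad Passwords": ["Administrator", "Admin2"],
     "Symantec AntiVirus Downloaded": False, "BigFixDownloaded": True,
     "Windows Update OK": False, "Computer Make": "Dell Computer Corporation",
     "Computer Model": "OptiPlex GX270", "Computer Type": "Mini Tower",
     "Virus Cleaned": False},
    {"Date": "6/17/2005", "Time": "9:02 AM", "Minutes": 5,
     "Computer Name": "g4-lab-07", "OS Version": "Mac OS X 10.3.9",
     "MAC Address": ["00:03:93:aa:bb:cc", "00:30:65:dd:ee:ff"], "User Name": "labadmin",
     "Virus Protection": "", "Missing Patches": ["Security Update 2005-005"],
     "BigFix Installed": False, "Bad Passwords": [],
     "Symantec AntiVirus Downloaded": True, "BigFixDownloaded": False,
     "Windows Update OK": False, "Computer Make": "Apple",
     "Computer Model": "PowerMac3,6", "Computer Type": "Desktop",
     "Virus Cleaned": False},
]
SAMPLE_CSV = "\n".join(csv_line(r) for r in SAMPLE_RECORDS) + "\n"
```

Because the report travels in the query string of a GET, every value ends up in the web server's access log; the encoding step above keeps it parseable, it does not keep it private.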

 

Example Log File

============================================================
Stanford University Host Self Registration Start Windows Version
------------------------------------------------------------
Program Version: 1.0.1
[6/17/2005 - 7:24 AM] Download configuration file...
[6/17/2005 - 7:24 AM] MAC Addresses: 00:b0:d0:e8:90:fc
[6/17/2005 - 7:24 AM] Get Machine Name
[6/17/2005 - 7:24 AM] Machine Name: SILVEIRA-PBDSL2
[6/17/2005 - 7:24 AM] Get SUNet ID
[6/17/2005 - 7:24 AM] SUNet ID: tonysil@stanford.edu
[6/17/2005 - 7:24 AM] Get User ID
[6/17/2005 - 7:24 AM] User ID: tonysil
[6/17/2005 - 7:24 AM] Get OS Version
[6/17/2005 - 7:24 AM] OS Version: Windows XP
[6/17/2005 - 7:24 AM] Check Virus Protection Status...
[6/17/2005 - 7:24 AM] Virus Protection: Symantec AntiVirus 9.0.2.1000
[6/17/2005 - 7:25 AM] Check Patch Level...
[6/17/2005 - 7:25 AM] Missing Patches:
MS05-016 (Q893086)
MS05-017 (Q893087)

[6/17/2005 - 7:25 AM] CheckAdmin Password Strength...
[6/17/2005 - 7:25 AM] Users with weak passwords: Administrator, Admin2
[6/17/2005 - 7:25 AM] Check BigFix Status...
[6/17/2005 - 7:25 AM] BigFix is NOT installed.
[6/17/2005 - 7:25 AM] (Do)Write collected data to the csv file: C:\Program Files\Common Files\Stanford\Config\Self-Reg\self-reg-results.csv
[6/17/2005 - 7:25 AM] (Do)Run the Microsoft Malicious Software Removal Tool: D:\Code\REMOTE~1\Windows-KB890830-V1.4-ENU.exe /q
[6/17/2005 - 7:26 AM] (Do)Microsoft Malicious Software Removal Tool Returned: 0
[6/17/2005 - 7:26 AM] (Do)No Malicious Software found
[6/17/2005 - 7:26 AM] (Do)Apply PC Hardening:
[6/17/2005 - 7:26 AM] (Do)Enable Symantec AntiVirus Auto Update and Check for virus def updates daily
[6/17/2005 - 7:26 AM] (Do)Enable Windows Update and set Windows Update to check daily
[6/17/2005 - 7:26 AM] (Do)Misc Registry Changes
[6/17/2005 - 7:26 AM] (Do)Send MAC Address, IP Address, OS version and results to Server
------------------------------------------------------------
Done, exit program. End Windows Version
============================================================
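
The activity log is the only per-run record that survives on the machine, so being able to turn it back into fields (including the elapsed minutes that the CSV “Minutes” column records) is useful when the CSV or the server upload is missing. The following added example (Python; not the tool's code) parses the format shown above: timestamped entries, the optional “(Do)” prefix, and the untimestamped patch names that follow “Missing Patches:” up to a blank line. The log text is constructed from the page's example; how the tool separates several MAC addresses on one log line is not shown, so the comma-space split is an assumption.

```python
"""Parse the Health Check Tool activity log (format as in the Example Log File
above) into structured fields, including the elapsed minutes that the CSV
"Minutes" column records.  Added example, not the tool's code; the log text
below is constructed from the page's example."""
import re
from datetime import datetime
from typing import Dict, Optional

SAMPLE_LOG = """\
============================================================
Stanford University Host Self Registration Start Windows Version
------------------------------------------------------------
Program Version: 1.0.1
[6/17/2005 - 7:24 AM] Download configuration file...
[6/17/2005 - 7:24 AM] MAC Addresses: 00:b0:d0:e8:90:fc
[6/17/2005 - 7:24 AM] Machine Name: SILVEIRA-PBDSL2
[6/17/2005 - 7:24 AM] OS Version: Windows XP
[6/17/2005 - 7:24 AM] Virus Protection: Symantec AntiVirus 9.0.2.1000
[6/17/2005 - 7:25 AM] Check Patch Level...
[6/17/2005 - 7:25 AM] Missing Patches:
MS05-016 (Q893086)
MS05-017 (Q893087)

[6/17/2005 - 7:25 AM] Users with weak passwords: Administrator, Admin2
[6/17/2005 - 7:25 AM] BigFix is NOT installed.
[6/17/2005 - 7:26 AM] (Do)Microsoft Malicious Software Removal Tool Returned: 0
[6/17/2005 - 7:26 AM] (Do)No Malicious Software found
[6/17/2005 - 7:26 AM] (Do)Send MAC Address, IP Address, OS version and results to Server
------------------------------------------------------------
Done, exit program. End Windows Version
"""

# "[6/17/2005 - 7:24 AM] (Do)message": date, time, optional (Do) prefix, message
_ENTRY = re.compile(r"^\[(\d{1,2}/\d{1,2}/\d{4}) - (\d{1,2}:\d{2} [AP]M)\] (?:\(Do\))?(.*)$")


def parse_log(text: str) -> Dict[str, object]:
    rec: Dict[str, object] = {
        "machine": None, "os": None, "mac_addresses": [], "virus_protection": "",
        "missing_patches": [], "weak_password_users": [], "bigfix_installed": None,
        "msrt_return": None, "start": None, "end": None,
    }
    in_patches = False
    for raw in text.splitlines():
        m = _ENTRY.match(raw)
        if not m:
            # Untimestamped lines after "Missing Patches:" are patch names,
            # terminated by a blank line.
            if in_patches:
                if raw.strip():
                    rec["missing_patches"].append(raw.strip())
                else:
                    in_patches = False
            continue
        in_patches = False
        stamp = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%m/%d/%Y %I:%M %p")
        rec["start"] = rec["start"] or stamp
        rec["end"] = stamp                       # last timestamped entry wins
        msg = m.group(3).strip()
        key, _, val = msg.partition(": ")
        if msg == "Missing Patches:":
            in_patches = True
        elif key == "Machine Name":
            rec["machine"] = val
        elif key == "OS Version":
            rec["os"] = val
        elif key == "MAC Addresses":
            rec["mac_addresses"] = val.split(", ")   # assumed separator
        elif key == "Virus Protection":
            rec["virus_protection"] = val
        elif key == "Users with weak passwords":
            rec["weak_password_users"] = [u.strip() for u in val.split(",")]
        elif key == "Microsoft Malicious Software Removal Tool Returned":
            rec["msrt_return"] = int(val)
        elif msg.startswith("BigFix is"):
            rec["bigfix_installed"] = "NOT" not in msg
    return rec


def elapsed_minutes(rec: Dict[str, object]) -> Optional[int]:
    """Whole minutes from the first timestamped entry to the last one."""
    if rec["start"] is None or rec["end"] is None:
        return None
    return int((rec["end"] - rec["start"]).total_seconds() // 60)


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print(parsed["machine"], parsed["missing_patches"], parsed["weak_password_users"])
    print("minutes:", elapsed_minutes(parsed))
```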
 

Computer Model Details

PC

PC model information is obtained by a WMI call that retrieves the manufacturer and model strings provided by the manufacturer's firmware (the Manufacturer and Model properties of the Win32_ComputerSystem class).

Mac

Mac model information is obtained by running “sysctl hw.model” from the command line and reading the model identifier from the sysctl output. sysctl gets this string from Open Firmware, and new identifiers appear as new models are released. The string is a model identifier rather than the marketing name: for example, “PowerMac3,6” is a Power Mac G4 and “PowerMac7,2” is a Power Mac G5. See Apple documentation for an up-to-date list of translations.


Computer Type Details

PC

PC type information is obtained by a WMI call (the ChassisTypes property of the Win32_SystemEnclosure class; the values below are the SMBIOS chassis type codes 1 through 24, in order) that will return one of the following:

  • “Other” (note: “Virtual” could be substituted here for virtual machines)
  • “Unknown”
  • “Desktop”
  • “Low Profile Desktop”
  • “Pizza Box”
  • “Mini Tower”
  • “Tower”
  • “Portable”
  • “Laptop”
  • “Notebook”
  • “Hand Held”
  • “Docking Station”
  • “All in One”
  • “Sub Notebook”
  • “Space-Saving”
  • “Lunch Box”
  • “Main System Chassis”
  • “Expansion Chassis”
  • “SubChassis”
  • “Bus Expansion Chassis”
  • “Peripheral Chassis”
  • “Storage Chassis”
  • “Rack Mount Chassis”
  • “Sealed-Case PC”
     

Mac

Mac type information is obtained by running “sysctl hw.model” from the command line and parsing the model identifier from the sysctl output: if the identifier contains the string “book” (as in “PowerBook” or “iBook”) it is assumed to be a laptop. The Mac type will therefore be either “Desktop” or “Laptop”.


Configuration INI File

The configuration INI file is included with the binary that is downloaded to the computer and is updated from the network at runtime (the master_config_file entry below is the copy that is fetched). It contains the server names and URLs that the program uses to reach its support files.

Example file contents:

<su-config-file>

[Network]
IsTestServer=1
HostServer=hostreg.stanford.edu
HostServerTest=hostreg-dev1.stanford.edu
HostServerProxyName=%HostServer%
HostServerProxyPort=80
HostServerProxyNameTest=%HostServer%
HostServerProxyPortTest=80

[SupportFiles]
master_config_file=http://%HostServer%/patches/supportfiles/selfreg-config.ini

self-reg-server=https://%HostServer%/cgi-bin/hostreg/hostreg-request
self-reg-server-chk=http://%HostServer%/cgi-bin/hc_post
template_var_request=https://%HostServer%/cgi-bin/hostreg/getvars

windows_update_help=http://update.microsoft.com/microsoftupdate

sav_pc_url=http://www.stanford.edu/dept/itss/ess/pc/sav.html
sav_mac_url=http://www.stanford.edu/dept/itss/ess/mac/nav10.html
bigfix_pc_url=http://www.stanford.edu/dept/itss/ess/pc/bigfix.html
bigfix_mac_url=

msrt_pc_file=http://%HostServer%/patches/supportfiles/Windows-MSRT.exe
msrt_pc_file_size=1483616

</su-config-file>
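
The following is an added example in Python (not the tool's code) that parses this file, resolves the %HostServer% references, applies the IsTestServer switch, and lists which support files are fetched over plain http. The page does not say how the tool expands %…% tokens or which server it selects when IsTestServer=1, so both rules below are assumptions; the INI text is the example above, embedded so the script runs offline. One point worth checking in any copy of this file: the master configuration and the MSRT binary are fetched over http, and the only reference the file carries for the binary is msrt_pc_file_size. A size match shows the download completed, not that the bytes are the ones expected; only the registration request and the template variable request use https.

```python
"""Parse the Health Check Tool configuration INI, resolve %HostServer%
references and the test/production switch, and report which endpoints are
fetched over plain HTTP.  Added example, not the tool's code; the %...%
expansion and the IsTestServer rule are assumptions."""
import configparser
import re
from typing import Dict, List
from urllib.parse import urlsplit

# The example configuration from the page, embedded so this runs offline.
SAMPLE_INI = """\
[Network]
IsTestServer=1
HostServer=hostreg.stanford.edu
HostServerTest=hostreg-dev1.stanford.edu
HostServerProxyName=%HostServer%
HostServerProxyPort=80
HostServerProxyNameTest=%HostServer%
HostServerProxyPortTest=80

[SupportFiles]
master_config_file=http://%HostServer%/patches/supportfiles/selfreg-config.ini
self-reg-server=https://%HostServer%/cgi-bin/hostreg/hostreg-request
self-reg-server-chk=http://%HostServer%/cgi-bin/hc_post
template_var_request=https://%HostServer%/cgi-bin/hostreg/getvars
windows_update_help=http://update.microsoft.com/microsoftupdate
sav_pc_url=http://www.stanford.edu/dept/itss/ess/pc/sav.html
sav_mac_url=http://www.stanford.edu/dept/itss/ess/mac/nav10.html
bigfix_pc_url=http://www.stanford.edu/dept/itss/ess/pc/bigfix.html
bigfix_mac_url=
msrt_pc_file=http://%HostServer%/patches/supportfiles/Windows-MSRT.exe
msrt_pc_file_size=1483616
"""

_REF = re.compile(r"%([A-Za-z0-9_]+)%")      # %Name% tokens (assumed syntax)


def load_config(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None)   # keep %...% literal
    cp.optionxform = str                                 # preserve key case
    cp.read_string(text)
    return cp


def effective_host(cp: configparser.ConfigParser) -> str:
    """Assumption: IsTestServer=1 selects HostServerTest, otherwise HostServer."""
    net = cp["Network"]
    return net["HostServerTest"] if net.get("IsTestServer", "0") == "1" else net["HostServer"]


def expand(value: str, cp: configparser.ConfigParser, host: str) -> str:
    """Replace %HostServer% with the effective host and any other %Name% with
    the matching [Network] entry; unknown tokens are left as-is."""
    def sub(m: "re.Match[str]") -> str:
        name = m.group(1)
        if name == "HostServer":
            return host
        return cp["Network"].get(name, m.group(0))
    return _REF.sub(sub, value)


def support_files(cp: configparser.ConfigParser) -> Dict[str, str]:
    """Non-empty [SupportFiles] entries with references resolved."""
    host = effective_host(cp)
    return {k: expand(v, cp, host) for k, v in cp["SupportFiles"].items() if v}


def plaintext_endpoints(files: Dict[str, str]) -> List[str]:
    """Keys whose URL is fetched over http://, i.e. without transport integrity."""
    return sorted(k for k, url in files.items() if urlsplit(url).scheme == "http")


def msrt_size_ok(cp: configparser.ConfigParser, actual_size: int) -> bool:
    """The only check the file provides for the MSRT download: an expected size."""
    return actual_size == int(cp["SupportFiles"]["msrt_pc_file_size"])


if __name__ == "__main__":
    cfg = load_config(SAMPLE_INI)
    files = support_files(cfg)
    print("host:", effective_host(cfg))
    print("http only:", plaintext_endpoints(files))
```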

 

Detected Virus Protection Programs

The program will attempt to detect the presence of the following virus protection software:

  • McAfee VirusScan Enterprise
  • McAfee VirusScan Enterprise
  • McAfee VirusScan Enterprise
  • McAfee VirusScan for NetApp
  • McAfee VirusScan TC
  • McAfee VirusScan ASAP
  • McAfee VirusScan Online
  • McAfee VirusScan v4.5.1
  • McAfee VirusScan v4.5.1 (German)
  • McAfee VirusScan v4.5.1 (French)
  • McAfee VirusScan v4.5.1 (Spanish)
  • McAfee VirusScan v4.5.1 (Italian)
  • McAfee VirusScan v4.5.1 (Dutch)
  • McAfee VirusScan v4.5.1 (Portuguese)
  • McAfee VirusScan v4.5.1 (Swedish)
  • McAfee VirusScan v4.5.1 (Polish)
  • McAfee VirusScan v4.5.1 (Traditional Chinese)
  • McAfee VirusScan v4.5.1 (Simplified Chinese)
  • McAfee VirusScan v4.5.1 (Korean)
  • McAfee VirusScan v4.5.0
  • McAfee VirusScan v4.0.3
  • McAfee VirusScan v4.0.2
  • McAfee VirusScan v4.0.1
  • McAfee VirusScan v5.0.0
  • McAfee VirusScan v5.1.X
  • McAfee VirusScan v5.2.X
  • McAfee Firewall 3.0
  • McAfee VirusScan v6.0.X
  • McAfee Firewall 4.0
  • McAfee VirusScan Home Edition 7.0
  • Dr Solomon's Anti-Virus
  • Dr Solomon's VirusScan v4.0.3
  • Dr Solomon's VirusScan v4.0.2
  • Dr Solomon's VirusScan v4.0.1
  • Dr Solomon's Anti-Virus Toolkit
  • McAfee VirusScan v4.0.3
  • McAfee VirusScan v4.0.2
  • Dr Solomon's Virusscan v4.0.3
  • McAfee NetShield v4.5.0
  • NetShield For NetApp__
  • McAfee NetShield v4.0.3
  • McAfee NetShield v4.0.2
  • Dr Solomon's NetShield 4.5.0
  • Dr Solomon's NetShield v4.0.3
  • Dr Solomon's Anti-Virus Toolkit
  • Alert Manager4.6.0
  • Norton/Symantec AntiVirus (All Versions)
  • PC-cillin 2002/VirusBuster
  • Trend PC-cillin 2000
  • PC-cillin 2000 for NT
  • Trend ServerProtect 4.8
  • Trend ServerProtect 5.X
  • Trend PC-cillin/VirusBuster 2003
  • Trend Office Scan
  • Trend Office Scan 3.51
  • Trend Office Scan95 3.51
  • Trend Micro OfficeScan Corporate Edition 5.x
  • Trend Micro Internet Security
  • Sophos Anti-Virus version 3.X
  • Sophos Remote Update
  • Panda Antivirus Titanium
  • Panda Antivirus Platinum
  • Panda AdminSecure
  • Panda Titanium AntiVirus 2004
  • Panda Platinum Internet Security
  • V3Pro 2002 Deluxe
  • V3Net for Windows Server
  • Smart Update Utility
  • V3Pro 2002 Deluxe
  • CA eTrust Antivirus
  • CA eTrust InoculateIT
Last modified Thursday, 13-Nov-2008 02:26:03 PM
