Thursday, January 31, 2008

Windows IT Pro dec07 notes

It has been a while since I read the December 2007 Windows IT Pro issue, but here are some notes on things I found particularly useful, or otherwise hard to remember :-)

PDF utilities similar to PDFcreator (which does not work on Vista) that do work on Vista: CutePDF and PDFTools. I use PDFcreator all the time, and I don't use Vista just yet, but this is good to keep in mind! Some quotes from the PDFTools feature list:

• encrypt a PDF file by assigning it a password
• create a protection-free version of an encrypted PDF file
• create a PDF file by joining multiple PDF files
• split a PDF file in multiple ways, such as splitting each page to new PDF file and splitting a file after a given page number
• arrange pages in a PDF file
• overlay text or an image over a PDF file
• convert an XML file into a PDF file

Note that you need Java Runtime Environment/Java Development Kit (JRE/JDK) 1.4 or later to use PDFTools.

It was interesting to read "Are IT Pros Steering Their Children Away From IT" and "A Good Career For Your Kids", since I recently became a dad and have actually been thinking about this several times!

I am certainly not recommending the IT business to just anyone. I like to think of IT as being a "calling", a desire to help people, to deliver results and services to people, a calling to engineer stable and innovative IT systems. I will encourage my daughter to do whatever she likes, and if that is IT, that is OK. I think IT developer, administrator or project manager can be a happy job, but you have to be very aware of all the factors. This is a hard topic to just jot some notes on; I definitely have to give it some more thought and its own post. It is really interesting and worth discussing with wife, family and friends!

As you probably know, Windows 2008 will have the Server Core option, which has a very limited GUI. This will be exciting to use, and undoubtedly we will have to get used to many new command line utilities and new/better usage of existing ones. One of the new tools we will get used to is the script SCRegEdit (Server Core RegEdit). Although regedit is a GUI that will work in Server Core, SCRegEdit will help edit many registry keys, e.g.:
scregedit /ar 0 - enables Remote Desktop
scregedit /au 4 - downloads and installs updates automatically
scregedit /cs - allows pre-Vista clients to connect with Terminal Services
... check out Microsoft's Server Core guide, it has good tips:
Managing a Server Core installation: Overview
...
The script is located in the \Windows\System32 folder of a server running a Server Core installation. At a command prompt, open the folder, and then use the following command to display the usage instructions for the previous options:

cscript scregedit.wsf /?

Note:
You can use this command with the /cli option to display a list of common command-line tools and their usage.
Some VMware Server and VMware Workstation differences. So far I have managed fine with the Server version. ESX will be next; Workstation was never considered! But anyway, interesting:
  • Price: VMware Server is free :-)
  • Server is a service, Workstation is a desktop application.
  • Multi-user access for Server, not for Workstation. Server has a web interface too!
  • Workstation supports virtual machines (VMs) with up to 8 GB RAM, Server only 3.6 GB RAM.
  • Server can have only one snapshot, Workstation can have many.
  • You can clone a Workstation virtual machine. In Server copying a VM is a manual process, but works fine.
  • Workstation lets you manage several VMs in teams, e.g. to have certain VMs start up before others. Server does not have VM Teams.
  • Drag and drop objects from your desktop to Workstation VMs. Server cannot.
  • You can capture an .avi movie of all activity in a Workstation VM.
So it was another great Windows IT Pro issue :-)

UPDATE: It was brought to my attention that VMWare workstation can be set up as a service [http://blogs.techrepublic.com.com/datacenter/?p=429&tag=nl.e101]

Query MSSQL from batch

Sometimes you want to perform the same batch task on several servers. For that I need a list of the servers that need the job done, so I want to get the server list from the server database instead of hardcoding it in the scripts. The most obvious choice would probably be VBScript, but in this case I turned to osql.exe for a quick solution:

rem osql.exe from the SQL Server 2000 tools, run from an admin share on another server here
set sqlbinary="\\someserver\c$\Program Files\Microsoft SQL Server\80\Tools\Binn\osql.exe"
set sqlserverinstance=HOSTNAME\INSTANCE
rem tempfile prints a unique temporary file name (a Unix tool port, like egrep/sort/sed below)
FOR /F "usebackq" %%A IN (`tempfile`) DO set sqltmp=%%A
rem tempfile returns forward slashes; turn them into backslashes for cmd
set sqltmp=%sqltmp:/=\%
if exist %sqltmp% del %sqltmp%
echo Creating sql inputfile : %sqltmp%
rem "set nocount on" keeps the "(n rows affected)" line out of the output
echo set nocount on > %sqltmp%
echo select ServerName+^'::^'+ServerDesc >> %sqltmp%
echo from ServerTable where ServerType = 1 AND ServerGroup = 11 >> %sqltmp%
echo go >> %sqltmp%
rem -E = trusted (Windows) login, -n = no line numbering/prompt; keep only the result rows
rem (server names start with S and a digit), sort them and strip leading blanks
%sqlbinary% -d ServerDatabase -i %sqltmp% -n -E -S %sqlserverinstance% | egrep "^ [sS][0-9]" | sort | sed 's/^[ \t]*//'


Now I have a list of server names and descriptions, which I can redirect to a .txt file or loop over to perform something on each :)


By the way, I stumbled upon an awesome Batch FAQ, really old, but with some very good points and links to more info. Here are some quotes:

*** How do I perform if-then-else in batch?

if not .%1==.help goto else
rem then commands here
goto endif
:else
rem else conditions here
:endif

...

*** What do all those }{ and $ things mean?

They're uniquely named temp files or variable names. It is
desirable to make the filenames as weird as possible to avoid
overwriting files that happen to have the same name. Also,
confusion is found in spacing and where the redirection
characters are, these all write "hey!" to a temp file...

echo>[myfile] hey!
>$$$tmp$$.$ echo hey!
echo hey! > tempfile

...

*** Utility programs for batch files

Batch simply wasn't designed to do the kinds of things users
want to do, although us batch hackers ignore this and try to
do them anyway. Batch input routines are especially kludgy
and incompatible, often it's easier to just use a utility
designed for the purpose and avoid the hassle.

SENVAR by Ed Schwartz makes it very easy to set an environment
variable to standard-input...

senvar evar - input from keyboard
program senvar evar > nul - input from program
senvar evar <> nul - input from file

SENVAR is at http://www.infionline.net/~wtnewton/batch/senvar.txt

The shareware XSET program by Marc Stern has many extra options,
like reading a file from a specific column and line number...

xset /mid 6 2 /line 3 evar <> nul

XSET is at http://members.tripod.com/~marcstern/xset.htm

ASET by Richard Breuer, free, makes mathematical operations as
easy as ASET result=2+2, functions for math, string handling,
file/kb input and more. File aset10.zip at Simtel.

Strings by Douglas Boling, free, provides commands for string
handling, modifying memory and master environment, reading files,
math, keyboard input and more. File string25.zip at Simtel.

Many more useful batch utilities can be found at...
Garbo: http://garbo.uwasa.fi/pc/batchutil.html
SimTel: ftp://ftp.simtel.net/pub/simtelnet/msdos/batchutl/

Wednesday, January 30, 2008

Playing with cmd, start and exit commands and parameters

If you are playing with Windows batch files you are probably using cmd parameters such as /k to keep the cmd box open, or /c to close it after the command completes, e.g.:
psexec \\server -e cmd /c "reg import d:\registry_setting.reg"

Similarly, you are probably using "exit /b 1" to set the errorlevel (return code) of your script to 1 if it somehow failed.

I hadn't used "start" before, but I had a bunch of scheduled tasks, one of which runs every minute, so I figured I would use "start /MIN". This workaround came to mind because I have no idea how to make sure a task runs in session 0, for example, so the repeating task (every minute) can pop up with stuff it is doing.. very annoying!

So I added "start /MIN" before my .bat script, but that was not enough. Running the scheduled task would not really start the script. So I added "cmd /C start /MIN somescript.bat", ugly but it worked! Now the scheduled task is minimized on every run.

I noticed that the start command creates its own "cmd /K" process, so my solution results in a process command line like this: "cmd /K somescript.bat". This means that because I am starting somescript.bat with "start", I now have to add a trailing "exit" in somescript.bat. Also ugly, but it works.

Now the weird thing I have been puzzled about is a bunch of cmd.exe processes hanging! Using procexp (part of pstools) I can see they are all started from within a batch control system by running the command "start anotherscript.bat". But anotherscript.bat *does* actually have an exit at the end, so it seems strange that it is hanging. Perhaps it is a hiccup in the batch control system!

I cannot reproduce a hanging cmd.exe exit command, but I did somehow manage, with a bunch of start, cmd, exit, exit /b 1, etc., to create a hanging cmd.exe where the exit command would NOT complete! I don't know how, but in Process Explorer (procexp) I could see the cmd that was hanging. What could be happening is that exit hangs itself if a child process has disappeared. From procexp I cannot bring the window for the hanging cmd.exe pid 4696 to the front. And then the exit command inside cmd.exe pid 4448 is hanging forever! It did not help to kill 4696 manually; the exit of 4448 is still hanging! I had to kill 4448 manually, very annoying!

I suspect it is something weird with start and exit usage, but I am not sure. The exit /? output puzzles me, and I am always using exit /B 1 instead of just exit 1. Maybe that's wrong?
exit /?
Quits the CMD.EXE program (command
interpreter) or the current batch
script.

EXIT [/B] [exitCode]

/B specifies to exit the current batch script instead of
CMD.EXE. If executed from outside a batch script, it
will quit CMD.EXE

exitCode
specifies a numeric number. if /B is specified, sets
ERRORLEVEL that number.
If quitting CMD.EXE, sets the process
exit code with that number.

Tuesday, January 29, 2008

Windows users and groups information

Being part of a Windows administrator group responsible for a bunch of Windows servers, where there is more than one administrator, can be quite challenging!

We have a bunch of scripts that do some automatic documentation of:
Now I want to add a script for documentation of the server users and groups!

Here are my first thoughts of what I would like:

1) given a username, script should return:
show group membership
show username details

2) given a groupname, script must give:
show members
show username details for each member

3) given a servername, return list of:
local users and run 1) for each username
local groupnames and run 2) for each groupname

I did some Google searches:

enumerate group members
list of members in a local group, eg. who is member of "administrators"
backup and recovery of windows users and groups
list of users and groups on windows server
enumerate local users and their membership
enumerate windows users with wmi


I ended up with a simple VBScript that combines a good user information binary with some user and group info VBScript code. The output from the script is text, easily diffable, so changes can quickly be spotted.

Someone else surely should have cooked up something smart, as this task seems like something many administrators would appreciate. If you know of such script or application, please leave a comment :-)

A thing that puzzled me for a while was how to get output from the binary into the same STDOUT where I start my script with cscript.exe listusersandgroups.wsf. This was needed as I want to pipe the script output to a text file for version control commit and change management :-) It was easily worked around like this:
' run an external program from inside VBScript and print its output in the same command window
strCommand = "somebinary.exe" ' placeholder: the user information binary and its arguments go here
set objWshShell = CreateObject("WScript.Shell")
set objExec = objWshShell.Exec(strCommand)
Do While objExec.StdOut.AtEndOfStream <> True
    strLine = objExec.StdOut.ReadLine
    WScript.Echo strLine
Loop


The usual way I have started programs from inside VBScript would be to have them hidden, similar to this:
set objWshShell = CreateObject("WScript.Shell")
intRC = objWshShell.Run(strCommand, 0, TRUE)
' parm 1 = command line
' parm 2 = window style (1 = normal, 0 = hidden)
' parm 3 = if true, waits for the command to finish and returns its exit code
If intRC <> 0 Then WScript.Echo "Command failed with return code " & intRC
' and destroy it properly:
if isObject(objWshShell) then set objWshShell = nothing


Read more about the normal .Run method.
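As an added example, not the author's script or the user information binary it wraps, here is the same goal done in Python with a swapped-in technique: parse the output of the built-in net.exe (net localgroup <group>) into a normalized, sorted text report, and diff two reports so that a new member of, for example, Administrators stands out. SAMPLE_NET_OUTPUT is constructed to follow net.exe's layout; collect_live_report is the only function that needs a Windows host.

```python
"""Diffable local group membership report (added example, not the post's script)."""
import subprocess

# Constructed sample of "net localgroup Administrators" output, in net.exe's layout.
SAMPLE_NET_OUTPUT = """Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CONTOSO\\Domain Admins
CONTOSO\\svc_backup
The command completed successfully.

"""


def parse_net_localgroup(output):
    """Return (group name, sorted member list) from 'net localgroup <group>' output."""
    group, members, in_members = None, [], False
    for line in output.splitlines():
        line = line.rstrip()
        if line.startswith("Alias name"):
            group = line[len("Alias name"):].strip()
        elif line.startswith("-----"):
            in_members = True          # member names follow the dashed separator
        elif in_members:
            if not line or line.startswith("The command completed"):
                break
            members.append(line)
    if group is None:
        raise ValueError("no 'Alias name' line: not net localgroup output")
    return group, sorted(members, key=str.lower)


def render_report(groups):
    """Flatten {group: [members]} into sorted 'group: member' lines; the order is
    stable across runs, so the text diffs cleanly and can go into version control."""
    lines = [f"{g}: {m}" for g, ms in groups.items() for m in ms]
    return "\n".join(sorted(lines, key=str.lower)) + "\n"


def diff_reports(old, new):
    """Compare two rendered reports; returns (added lines, removed lines)."""
    old_set, new_set = set(old.splitlines()), set(new.splitlines())
    return sorted(new_set - old_set), sorted(old_set - new_set)


def collect_live_report(group_names):
    """Run net.exe for each group (Windows only) and render the report."""
    groups = {}
    for name in group_names:
        out = subprocess.run(["net", "localgroup", name], capture_output=True,
                             text=True, check=True).stdout
        group, members = parse_net_localgroup(out)
        groups[group] = members
    return render_report(groups)


if __name__ == "__main__":
    print(collect_live_report(["Administrators", "Remote Desktop Users"]), end="")
```

Redirect the script's output to a dated text file on each run and feed consecutive files to diff_reports (or plain diff) to catch membership changes.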

Thursday, January 24, 2008

Software Inspector for personal Windows package management

Windows package management is not an easy task, and is often left only to a WSUS server, WPKG, group policies or simply the individual applications' automatic updates.

Leaving updates only to the applications and the users themselves is obviously not good enough! Although this has gotten better in the last few years, some sort of action and verification is needed.

For example, the Java Runtime Environment does not uninstall old versions when new versions are installed. Probably as a service to you, so your old Java applications can decide which one they want to use, avoiding incompatibility problems. But this update strategy also leaves a hole for crackers to potentially abuse!

I did mention installing and updating Windows applications with win-get, but it is probably not an option for anyone other than the tech geek at home.

How much package management Microsoft's new NAP service can handle is unknown to me. What I have read so far sounds like it can do limited checks, such as whether Windows hotfixes are applied and the firewall is on. I need hands-on experience to know more, I guess.

Well, here is something worth trying: Software Inspector from Secunia:

Online version:
http://secunia.com/software_inspector/
Secunia Software Inspector
Feature Overview - The Secunia Software Inspector:
* Detects insecure versions of applications installed
* Verifies that all Microsoft patches are applied
* Assists you in updating your system and applications
* Runs through your browser. No installation or download is required.



Offline, for installation on your PC:
https://psi.secunia.com/
Version: 0.9.0.0 / Size: 444,892 bytes / Changelog
The Secunia PSI is only free for private individuals
The Secunia PSI is available free of charge.
Secure your PC. Patch your applications. Be proactive.
Scan for Insecure and End-of-Life applications.
Track your patch-performance week by week.
Direct and easy access to security patches.
Detect more than 300,000 unique application versions


For work, it would be perfect to have a central Software Inspector server (à la WSUS server) which has info about all computers where an agent was installed. Great for reporting and for verifying that your Windows package management tools actually do what you expect!

Wednesday, January 23, 2008

Blogger.com post editor

In my recent batch post I had to use the pipe symbol (|) in some example listings. It turned out that the blogger.com editor removes the pipe symbols when switching from HTML to WYSIWYG editing.

Worse is that if you are in WYSIWYG mode and looking at the pipe symbol in your text, it will disappear from your post if you publish from there!!

I tried to escape the pipe symbol with \ and other ways, but it simply disappeared!

I looked at the Wikipedia "vertical bar" article and found the ASCII value for the pipe symbol:

ASCII
decimal (base-10): 124, or hexadecimal (base-16): 7C


Then I looked for an HTML article on how to escape symbols, similar to the &. It was an XML guide that really put it simply:

XML has the same syntax as HTML for escape symbols like "&"="&amp;", "<"="&lt;", ">"="&gt;", ascii(nnn)="&#nnn;", etc.

The solution was to write all pipe symbols (|) as "&#124" in the HTML view of the editor, then not switch back to the GUI but simply publish from the HTML view at once:



For this article it looked like this when I pushed publish (notice how the text for < is written):

And the result on blogspot.com was as I wanted:

Batch script userinput checking

I have to run a script with the runas command, but since the script runs commands against several servers there is a danger of locking out the runas user if the password given is wrong. Simply because runas does not verify the password, it just executes the commands.

So to avoid problems I would like to ask the user for the password, verify the password, and only actually run the runas command if the password is as expected.

At first glance this sounded good: I just had to put the checksum of the expected user input in the script, then calculate the checksum of the user input, and compare the two inside the script.

On second thought this solution was not really acceptable, because if the user's password changes, you would have to update the script! Not very robust or elegant. So instead a colleague pointed out the obvious, which of course is to check the errorlevel of a single run of runas. That should not lock out the user:
rem one harmless command under runas; a wrong password fails here, before any server is touched
runas /user:domain\username net >nul 2>&1
rem "if errorlevel 1" is true for any non-zero return code ("if not errorlevel 0" never is)
if errorlevel 1 (set status=failure & goto exiting)


To make any of the above approaches work, we needed a method of getting the user's input, and a method of sending that input to runas.

Getting the user's input in a .bat file was solved by using a special .com file:
rem the echo line writes a tiny .com program that reads one line from the keyboard without echoing it;
rem %inputfile% is the name of the .com file to create, and the string must be reproduced exactly
echo hP1X500P[PZBBBfh#b##fXf-V@`$fPf]f3/f1/5++u5>%inputfile%
echo Enter a string (it will not echo here):
for /f "tokens=*" %%i in ('%inputfile%') do set userinput=%%i
if "%userinput%"=="" (set status=stringempty & goto exiting)
if "%userinput%"=="^C" (set status=stringcancel & goto exiting)


Sending the %userinput% content back to runas could not be done with a redirection like <, so a mini VBScript for pasting a string was made:
' wait a second for the runas password prompt, then type the first argument followed by Enter
Set oArgs=wscript.Arguments
WScript.sleep(1000)
Set WshShell = CreateObject("WScript.Shell")
WshShell.SendKeys oArgs(0)&VBCRLF


Others have been discussing how to pipe passwords into runas, but I don't want to use the approaches described.

So the problem was solved without using hardcoded md5 or sha256 checksums! But just to have the hardcoded approach for optional other use, here is how it was done:
rem pipe the string through md5deep and capture the first token of its output (the hash)
FOR /F "usebackq" %%A IN (`echo %userinput% ^| md5deep.exe`) DO set md5hash=%%A
echo debug: md5hash of userinput is: %md5hash%
if "%md5hash%" == "77e2d91aa21a4158d889fb9836f38288" (set status=ok_string_is_hej & goto dosomething)
if "%md5hash%" == "291013bf3a3c543625a2777073f91799" (set status=ok_string_is_password & goto dosomething)

In the above I used md5deep to calculate a checksum of the batch string; it could easily have been sha256deep.exe, which is part of the md5deep package.

I would have used Microsoft's own Windows checksum utility FCIV (File Checksum Integrity Verifier), but there are at least two problems with the current version 2.05:

First, fciv.exe does not take input from STDIN, which means you can not run like this:
echo foobar | fciv.exe

You have to echo into a file and then calculate the checksum:
echo foobar > foobar.txt
fciv.exe foobar.txt
//
// File Checksum Integrity Verifier version 2.05.
//
5e963b88334c3c4487572cce68496989 foobar.txt

So I used md5deep package, which actually does calculate checksum of input from stdin, useful for strings:
echo foobar | sha256deep.exe
791132eb55910a285d5bfeae94b49ead8d5184d7ecf70bccdeafd0e456c2916d
echo foobar | md5deep.exe
5e963b88334c3c4487572cce68496989


The second problem with fciv.exe is the output: it is too verbose! I need only the checksum so I can put it into a variable. So md5deep it is!

The trick to actually get the output from the external md5deep command into a batch variable is to use a for loop, and to escape the pipe (|) with a ^ instead of a \, which is what I tried first.

Apparently the hat (^) is the DOS character for escaping, e.g. used if you want to echo the following characters from a .bat file into another file: ^@, ^> and ^&. For example:
echo ^@echo off > c:\tempscript.bat
echo dir c:\ ^> c:\dirlist.txt >> c:\tempscript.bat
echo del c:\tempfile.log /F /Q >> c:\tempscript.bat
echo exit >> c:\tempscript.bat


Another md5 sum checker, built in java (source available), which can check a dir and subdirs, like md5deep.exe can be found here.

Monday, January 21, 2008

Secure data handling - the power to raid!

When I read that another laptop with personal data was missing, in Britain again, I remembered reading the TaoSecurity predictions for 2008; there was something about an initiative to give the power to raid Government departments. It looks like that initiative really needs to get going!

I really hope this power is extended to companies as well. If you handle personal data, you should be subject to unexpected tests! Much like internal audits and penetration testing.

But should the results from such a new "data protection department" be public, similar to the smiley for restaurants and cafes? If so, should it be public before or after problems are fixed? Like full disclosure, it has its pros and cons. But customers would know if a particular company took data security and handling seriously! Maybe if something is a bit more expensive, but has a better "data handling smiley", I as a customer could make the choice myself. As opposed to now, where I really don't know how well or badly companies handle my personal data!

The Information Commissioner’s Office (ICO), which polices the security of the nation’s data, is to be given the power to raid Government departments suspected of breaching protection laws.

The move, announced today by Gordon Brown, comes in response to the loss by HM Revenue & Customs (HMRC) of personal details of some 25 million Britons. The Prime Minister said the ICO would be given extra powers to carry out “spot checks” of government departments.

He added: "For some time I have been pressing the government to give my Office the power to audit and inspect organisations that process people’s personal information without first having to get their consent."

Friday, January 11, 2008

Defensible Network Architecture 2.0

TaoSecurity starts off 2008 with another great "tasks/topics to consider for IT administrators" post, similar to "IT security - determine your score of the game".

Once again, any administrator should read his blog :-)

This time it's version 2.0 of how to have a network architecture that gives you "the best chance to resist intrusion, since perfect intrusion prevention is impossible":
A Defensible Network Architecture is an information architecture that is:

  1. Monitored. The easiest and cheapest way to begin developing DNA on an existing enterprise is to deploy Network Security Monitoring sensors capturing session data (at an absolute minimum), full content data (if you can get it), and statistical data. If you can access other data sources, like firewall/router/IPS/DNS/proxy/whatever logs, begin working that angle too. Save the tougher data types (those that require reconfiguring assets and buying mammoth databases) until much later. This needs to be a quick win with the data in the hands of a small, centralized group. You should always start by monitoring first, as Bruce Schneier proclaimed so well in 2001.

  2. Inventoried. This means knowing what you host on your network. If you've started monitoring you can acquire a lot of this information passively. This is new to DNA 2.0 because I assumed it would be already done previously. Fat chance!

  3. Controlled. Now that you know how your network is operating and what is on it, you can start implementing network-based controls. Take this anyway you wish -- ingress filtering, egress filtering, network admission control, network access control, proxy connections, and so on. The idea is you transition from an "anything goes" network to one where the activity is authorized in advance, if possible. This step marks the first time where stakeholders might start complaining.

  4. Claimed. Now you are really going to reach out and touch a stakeholder. Claimed means identifying asset owners and developing policies, procedures, and plans for the operation of that asset. Feel free to swap this item with the previous. In my experience it is usually easier to start introducing control before making people take ownership of systems. This step is a prerequisite for performing incident response. We can detect intrusions in the first step. We can only work with an asset owner to respond when we know who owns the asset and how we can contain and recover it.

  5. Minimized. This step is the first to directly impact the configuration and posture of assets. Here we work with stakeholders to reduce the attack surface of their network devices. You can apply this idea to clients, servers, applications, network links, and so on. By reducing attack surface area you improve your ability to perform all of the other steps, but you can't really implement minimization until you know who owns what.

  6. Assessed. This is a vulnerability assessment process to identify weaknesses in assets. You could easily place this step before minimization. Some might argue that it pays to begin with an assessment, but the first question is going to be: "What do we assess?" I think it might be easier to start disabling unnecessary services first, but you may not know what's running on the machines without assessing them. Also consider performing an adversary simulation to test your overall security operations. Assessment is the step where you decide if what you've done so far is making any difference.

  7. Current. Current means keeping your assets configured and patched such that they can resist known attacks by addressing known vulnerabilities. It's easy to disable functionality no one needs. However, upgrades can sometimes break applications. That's why this step is last. It's the final piece in DNA 2.0.

Event log ID to description and vice versa

Where do you go for event log ID information? Google it, like anything else :-) Today I wanted to know the event ID for a Windows 2003 server rebooting; how do I find that?

Besides googling it, I could look in a server's event log around the time of a reboot.

I cannot search it on Microsoft's Events and Errors Message Center. It is useful if you have the event ID, but not really for free text search.

I came closer when looking at the Ultimate Windows Security website, but the lists are not complete and I didn't see an option for search:
512 - All Versions - Windows NT is starting up
513 - Win2003, XP - Windows NT is shutting down
I thought EventID.net would be the place, but there I can also only look up known ID numbers. They do require a registration fee for the more exotic search options, so perhaps I need to go there, I don't know. Besides that, looking up info about e.g. event ID 513 gives really useful information:
Source: Security
Type: Success Audit
Description: Windows NT is shutting down. All logon sessions will be terminated by this shutdown.
English please! Request a translation of the event description in plain English! An example of "English please" is available here.
Details: Comments and links for event id 513 from source Security

I will give the 3 scripts evtstats.pl/lsevt2.pl/lsevt.pl from Windows Security Analysis a try, as with those I can run a query against a Windows 2003 server and grep for the word reboot. Perhaps this is the best way :-)

Other than this, I am not sure how to find this information, besides googling of course :-)

Oh, while I am at it, I will leave a link to Stephen Bunting's guide to repairing event log files.

Book review: Windows Forensic Analysis

I finally had a chance to finish reading Windows Forensic Analysis. From the start I was happy with the way the book is written, and I give it 5 of 5 possible. I am not working with forensics in my daily administration work, but I learned a lot about security methods and tools in general, something that can be of great help for normal administration too.

The book is flooded with tools worth trying, and with example usage. The examples illustrate the topics really well, and the tools are perfect to get started on your own.

In addition to tool suggestions the author provides the reader with many Perl scripts, which further help in understanding the topic, and make you want to learn more! The scripts are also simply useful and save you a lot of time when you want to try the stuff discussed in the book. I just loved the scripts!

I consider myself a reasonably experienced Windows administrator (since 1999), and many of the topics were not new. But I liked another explanation of the topics, and I also learned a lot of totally new stuff.

I recommend that all Windows administrators read this book! And don't forget to read Richard Bejtlich's review (TaoSecurity); he knows how to write really useful reviews!

Monday, January 7, 2008

Apache, disable debugging functions

I want to disable the TRACE debugging method as recommended by Nessus rule 11213.

The Nessus rule has a very precise guide for disabling it:

Add the following lines for each virtual host in your configuration file :

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2
support disabling the TRACE method natively via the 'TraceEnable'
directive.


So in my Apache main config file I put TraceEnable off.

I will check the Nessus scan results after these changes.
If you cannot wait for that, you can use telnet to check if TRACE is actually off:
telnet your.server 80
TRACE / HTTP/1.1
Host: a.valid.hostname
sometext
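The same telnet check as a small script, added here as an example (not from the post or from Nessus): it sends the TRACE request above with a marker header and classifies the answer. Apache with TraceEnable off answers 405 Method Not Allowed, the RewriteRule [F] variant answers 403 Forbidden, and a server with TRACE still on answers 200 and echoes the request, marker included, back in the body. The sample responses are constructed; probe() is the only part that touches the network.

```python
"""Check whether a web server still honours TRACE (added example, not from the post)."""
import socket
import sys

MARKER = "X-Probe: sometext"   # header a TRACE-enabled server will echo back to us


def build_trace_request(host):
    """The request the telnet session types, plus the marker and Connection: close."""
    return (f"TRACE / HTTP/1.1\r\nHost: {host}\r\n{MARKER}\r\n"
            "Connection: close\r\n\r\n").encode("ascii")


def classify_trace_response(raw):
    """Return 'disabled', 'enabled' or 'unknown' for a raw HTTP response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    parts = status_line.split()
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        return "unknown"
    code = parts[1]
    # 405: Apache with TraceEnable off; 403: the Nessus RewriteRule [F] workaround
    if code in ("403", "405"):
        return "disabled"
    # An enabled TRACE answers 200 with Content-Type message/http and our request as body
    if code == "200" and MARKER.encode("ascii") in body:
        return "enabled"
    return "unknown"


def probe(host, port=80, timeout=5.0):
    """Send the TRACE request to a live server and classify its answer."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_trace_request(host))
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return classify_trace_response(b"".join(chunks))


# Constructed sample responses for offline testing.
SAMPLE_DISABLED = (b"HTTP/1.1 405 Method Not Allowed\r\n"
                   b"Allow: GET,HEAD,POST,OPTIONS\r\n"
                   b"Content-Type: text/html; charset=iso-8859-1\r\n\r\n"
                   b"<html><body><h1>Method Not Allowed</h1></body></html>")
SAMPLE_ENABLED = (b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n"
                  b"TRACE / HTTP/1.1\r\nHost: a.valid.hostname\r\n"
                  + MARKER.encode("ascii") + b"\r\nConnection: close\r\n\r\n")

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "your.server"
    print(target, "TRACE is", probe(target))
```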

Apache, restrict connections to SSL 3.0 and ensure strong encryption

For my Apache I wanted to disable SSL 2.0 as recommended by Nessus rule 20007, and to disable weak SSL ciphers as recommended by Nessus rule 26928.

When looking around I found a nice description at Novell:

• Use only High and Medium security cipher suites, such as RC4 and RSA.
• Remove from consideration any ciphers that do not authenticate, such as Anonymous Diffie-Hellman (ADH) ciphers.
• Use SSL 3.0, and disable SSL 2.0.
• Disable the Low, Export, and Null cipher suites.
So for Apache I did the following:
Open the /etc/httpd/conf/httpd.conf file in a text editor, then locate the SSLCipherSuite directive in the Virtual Hosts section:
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

Modify the plus (+) to a minus (-) in front of the ciphers you want to disable and make sure there is a ! (not) before ADH:
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:-eNULL

I will check the Nessus scan output after the changes.

    Friday, January 4, 2008

    Fetchlog alternatives for Windows and 2003/2000/NT resource kit tools

    I am looking for an alternative to the simple fetchlog util on unix, which tails a file and has a bookmark of how far it has checked in the file. When a string is found, i can do action, such as launch script, send mail or restart services. Works well for some simple purposes :-)

    I am not looking for full blown log analysis, such as OSSEC which I really like though.

    I havnt found anything that I really want to use, but here is my list of things to try:

    WinTail. $49.95, with basics such as send notify mails, but can it run a script, eg. a restart of a service? That is really often needed. 30 day trial, worth a try I guess.

    Some more simple tail tools:
    Tail4Win. Also 30 day trial, $45, looks similar to normal tail, there seems to be no notify option.
    MakeLogic Tail. Freeware, tails more than one file, requires JRE 5.0, has no notifications it seems.
    tail.exe. Windows 2003 resource kit (see below), does not tail more than one file!
    Tail Ace. Freeware, multiple logfiles, but no notifications, java based, requires JRE 6.0.
    Tail XP. Freeware. Tails more than one file, but you cannot see the difference, and it shows the output in a GUI which cannot be piped to a grep for example. Only takes one file from the command line -f argument, and still opens it in a GUI. No notifications.

    None of the above really meets what I at least need of a fetchlog tool. If I cannot find a fetchlog-like tool, I would at least need a grep tool that can tail -f more than one file, from the command line. And it must be possible to send the output to STDOUT for more processing and use in scripts, e.g. based on errorlevel. So far I haven't found anything that does this!
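
    What the fetchlog-style workflow above boils down to is a bookmarked scan with an exit code. The script below is an added example, not code from the original post or from the fetchlog project: it scans only the lines appended since the previous run, keeps the byte offset in a bookmark file, restarts from zero when the log has been truncated or rotated, and exits with errorlevel 1 when the pattern matched so a batch file can act on it. The file names in demo() are constructed.

```python
"""Fetchlog-style bookmarked log check: an added example, not code from the
original post or from the fetchlog project."""
import os
import re
import sys
import tempfile


def check_log(log_path, bookmark_path, pattern):
    """Return the new lines in log_path matching the regex pattern.

    The byte offset reached last time is kept in bookmark_path. A log that
    is now shorter than the bookmark was truncated or rotated, so the scan
    restarts from the beginning instead of silently skipping the new file.
    """
    regex = re.compile(pattern)
    offset = 0
    if os.path.exists(bookmark_path):
        with open(bookmark_path) as bm:
            text = bm.read().strip()
            offset = int(text) if text.isdigit() else 0
    if not os.path.exists(log_path):
        return []
    if os.path.getsize(log_path) < offset:
        offset = 0  # truncated or rotated: start over
    with open(log_path, "rb") as log:
        log.seek(offset)
        data = log.read()
    # Consume only complete lines; a partial last line waits for the next run.
    end = data.rfind(b"\n") + 1
    lines = [raw.decode("utf-8", "replace") for raw in data[:end].splitlines()]
    hits = [line for line in lines if regex.search(line)]
    with open(bookmark_path, "w") as bm:
        bm.write(str(offset + end))
    return hits


def demo():
    """Constructed scenario: four successive runs over a growing, then
    rotated, log file. Returns the list of hits from each run."""
    workdir = tempfile.mkdtemp()
    log = os.path.join(workdir, "app.log")
    bookmark = os.path.join(workdir, "app.log.bookmark")
    runs = []
    with open(log, "w") as f:
        f.write("INFO service started\nERROR disk full\n")
    runs.append(check_log(log, bookmark, r"ERROR"))   # first run: one hit
    runs.append(check_log(log, bookmark, r"ERROR"))   # nothing new since
    with open(log, "a") as f:
        f.write("ERROR service stopped\nERROR still being writ")
    runs.append(check_log(log, bookmark, r"ERROR"))   # partial line skipped
    with open(log, "w") as f:                          # log rotated/truncated
        f.write("ERROR after rotation\n")
    runs.append(check_log(log, bookmark, r"ERROR"))   # bookmark reset to 0
    return runs


if __name__ == "__main__":
    # fetchlog.py LOGFILE BOOKMARKFILE REGEX  -> prints hits, errorlevel 1 if any
    if len(sys.argv) != 4:
        sys.exit("usage: fetchlog.py LOGFILE BOOKMARKFILE REGEX")
    found = check_log(sys.argv[1], sys.argv[2], sys.argv[3])
    print("\n".join(found))
    sys.exit(1 if found else 0)
```

    Running the script from a scheduled task and testing errorlevel afterwards gives the "launch script, send mail or restart service" step without a GUI in the way.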

    Some of the more full blown tools I stumbled upon were:
    http://www.xpolog.com/home/products/xpologCenter.jsp

    A comprehensive loganalyzer tool overview is available at download32.com, but it covers all kinds of tools, not just what I am looking for, and this tail -f specific overview is not much better. Perhaps using unix tools on Windows would be better than using the simple tools above, because those tools can be piped into other commands, which I really need.

    Of course a normal tail without -f won't do, but since it comes with such nice batch example code, here it is (for more of the same, take a look here and here):
    @echo off
    if {%1}=={} @echo FileName parameter required.&goto :EOF
    if not exist %1 @echo %1 does NOT exist.&goto :EOF
    setlocal
    set file=%1
    set /a number=10
    if not {%2}=={} set /a number=%2
    for /f %%i in ('find /v /c "" ^< %file%') do set /a lines=%%i
    @echo %lines% lines in file %file%.
    if %number% GEQ %lines% set /a start=0&goto console
    set /a start=%lines% - %number%
    :console
    more /e +%start% %file%
    endlocal
    It was a surprise to me that the free Windows 2003 resource kit tools include a tail.exe; of course it is not enough for notifications and actions, and it cannot tail more than one file! For completeness, here is the Windows 2003 resource kit tool list:

    • Acctinfo.dll (documented in Readme.htm)
    • Adlb.exe: Active Directory Load Balancing Tool
    • Admx.msi: ADM File Parser
    • Atmarp.exe: Windows ATM ARP Server Information Tool
    • Atmlane.exe: Windows ATM LAN Emulation Client Information
    • Autoexnt.exe: AutoExNT Service
    • Cdburn.exe: ISO CD-ROM Burner Tool
    • Checkrepl.vbs: Check Replication
    • Chklnks.exe: Link Check Wizard
    • Chknic.exe: Network Interface Card Compliance Tool for Network Load Balancing
    • Cleanspl.exe: Spooler Cleaner
    • Clearmem.exe: Clear Memory
    • Clusdiag.msi: Cluster Diagnostics and Verification Tool
    • Clusfileport.dll: Cluster Print File Port
    • Clusterrecovery.exe: Server Cluster Recovery Utility
    • Cmdhere.inf: Command Here
    • Cmgetcer.dll: Connection Manager Certificate Deployment Tool
    • Compress.exe: Compress Files
    • Confdisk.exe: Disk Configuration Tool
    • Consume.exe: Memory Consumers Tool
    • Creatfil.exe: Create File
    • Csccmd.exe: Client-Side Caching Command-Line Options
    • Custreasonedit.exe: Custom Reason Editor (documented in Readme.htm)
    • Delprof.exe: User Profile Deletion Utility
    • Dh.exe: Display Heap
    • Diskraid.exe: RAID Configuration Tool
    • Diskuse.exe: User Disk Usage Tool
    • Dnsdiag.exe: SMTP DNS Diagnostic Tool (documented in Readme.htm)
    • Dumpfsmos.cmd: Dump FSMO Roles
    • Dvdburn.exe: ISO DVD Burner Tool
    • Empty.exe: Free Working Set Tool
    • Eventcombmt.exe: Check Replication
    • Fcopy.exe: File Copy Utility for Message Queuing
    • Frsflags.vbs
    • Getcm.exe: Connection Manager Profile Update
    • Gpmonitor.exe: Group Policy Monitor
    • Gpotool.exe: Group Policy Objects
    • Hlscan.exe: Hard Link Display Tool
    • Ifilttst.exe: IFilter Test Suite
    • Ifmember.exe: User Membership Tool
    • Inetesc.adm: Internet Explorer Enhanced Security Configuration
    • Iniman.exe: Initialization Files Manipulation Tool
    • Instcm.exe: Install Connection Manager Profile
    • Instsrv.exe: Service Installer
    • Intfiltr.exe: Interrupt Affinity Tool
    • Kerbtray.exe: Kerberos Tray
    • Kernrate.exe: Kernel Profiling Tool
    • Klist.exe: Kerberos List
    • Krt.exe: Certification Authority Key Recovery
    • Lbridge.cmd: L-Bridge
    • Linkd.exe
    • Linkspeed.exe: Link Speed
    • List.exe: List Text File Tool
    • Lockoutstatus.exe: Account Lockout Status (documented in Readme.htm)
    • Logtime.exe
    • Lsreport.exe: Terminal Services Licensing Reporter
    • Lsview.exe: Terminal Services License Server Viewer
    • Mcast.exe: Multicast Packet Tool
    • Memmonitor.exe: Memory Monitor
    • Memtriage.exe: Resource Leak Triage Tool
    • Mibcc.exe: SNMP MIB Compiler
    • Moveuser.exe: Move Users
    • Mscep.dll: Certificate Services Add-on for Simple Certificate Enrollment Protocol
    • Nlsinfo.exe: Locale Information Tool
    • Now.exe: STDOUT Current Date and Time
    • Ntimer.exe: Windows Program Timer
    • Ntrights.exe
    • Oh.exe: Open Handles
    • Oleview.exe: OLE/COM Object Viewer
    • Pathman.exe: Path Manager
    • Permcopy.exe: Share Permissions Copy
    • Perms.exe: User File Permissions Tool
    • Pfmon.exe: Page Fault Monitor
    • Pkiview.msc: PKI Health Tool
    • Pmon.exe: Process Resource Monitor
    • Printdriverinfo.exe: Drivers Source
    • Prnadmin.dll: Printer Administration Objects
    • Qgrep.exe
    • Qtcp.exe: QoS Time Stamp
    • Queryad.vbs: Query Active Directory
    • Rassrvmon.exe: RAS Server Monitor
    • Rcontrolad.exe: Active Directory Remote Control Add-On
    • Regini.exe: Registry Change by Script
    • Regview.exe (documented in Readme.htm)
    • Remapkey.exe: Remap Windows Keyboard Layout
    • Robocopy.exe: Robust File Copy Utility
    • Rpccfg.exe: RPC Configuration Tool
    • Rpcdump.exe
    • Rpcping.exe
    • RPing: RPC Connectivity Verification Tool
    • Rqc.exe: Remote Access Quarantine Client
    • Rqs.exe: Remote Access Quarantine Agent
    • Setprinter.exe: Spooler Configuration Tool
    • Showacls.exe
    • Showperf.exe: Performance Data Block Dump Utility
    • Showpriv.exe: Show Privilege
    • Sleep.exe: Batch File Wait
    • Sonar.exe: FRS Status Viewer
    • Splinfo.exe: Print Spooler Information
    • Srvany.exe: Applications as Services Utility
    • Srvcheck.exe: Server Share Check
    • Srvinfo.exe: Remote Server Information
    • Srvmgr.exe: Server Manager
    • Ssdformat.exe: System State Data Formatter
    • Subinacl.exe
    • Tail.exe
    • Tcmon.exe: Traffic Control Monitor
    • Timeit.exe (documented in Readme.htm)
    • Timezone.exe: Daylight Saving Time Update Utility
    • Tsctst.exe: Terminal Server Client License Dump Tool
    • Tsscalling.exe: Terminal Services Scalability Planning Tools
    • Uddicatschemeeditor.exe: UDDI Services Categorization Scheme Editor
    • Uddiconfig.exe: UDDI Services Command-line Configuration Utility
    • Uddidataexport.exe: UDDI Data Export Wizard
    • Usrmgr.exe: User Manager for Domains
    • Vadump.exe: Virtual Address Dump
    • Vfi.exe: Visual File Information
    • Volperf.exe: Shadow Copy Performance Counters
    • Volrest.exe: Shadow Copies for Shared Folders Restore Tool
    • Vrfydsk.exe: Verify Disk
    • Winexit.scr: Windows Exit Screen Saver
    • Winhttpcertcfg.exe: WinHTTP Certificate Configuration Tool
    • Winhttptracecfg.exe: WinHTTP Tracing Facility Configuration Tool
    • Winpolicies.exe: Policy Spy
    • Wins.dll: WINS Replication Network Monitor Parser
    • Wlbs_hb.dll & Wlbs_rc.dll: Windows Load Balancing Server Network Monitor Parsers
    Now that we are looking at Windows 2003, I am reminded that I have previously gotten help (RMTSHARE.EXE) from the Windows NT resource kit tools! So here is that list. Some of the Windows NT resource kit tools can be downloaded from Microsoft.


    ADDUSERS.EXE: AddUsers - Command-line utility, creates or writes user accounts to a comma delimited file.
    (Updated) ANIEDIT.EXE: Animated Cursor Creator - Windows-based tool for drawing and editing animated cursors.
    APIMON.EXE: API Monitor
    ASSOCIATE.EXE
    (Updated) ATANALYZR.EXE: AppleTalk network device ANaLYZeR
    AUDITCAT.HLP: Audit Categories Help
    (New) AUDITPOL.EXE: AuditPol
    AUTOEXNT.EXE: AutoExNT Service - Enables you to start a batch file, AUTOEXNT.BAT, at boot time without having to log on to the computer on which it will run.
    (Updated) AUTOLOG.EXE: Windows NT Auto Logon Setter

    BREAKFTM.EXE: Automated Mirror Break/Restore Utility
    BROWMON.EXE: Browser Monitor - Windows-based tool, shows browser status.
    BROWSTAT.EXE: Browser Status - Command-line utility, diagnoses browser problems and shows browser status.

    C2CONFIG.EXE: Windows NT C2 Configuration Manager
    CHOICE.EXE: Input from Batch Files - (MS-DOS 6.0 utility).
    (Updated) CLIP.EXE: Clip
    (New) CLIPSTOR.EXE
    CMDHERE.EXE: Command Prompt Here
    COMPREG.EXE - A Win32 character-based/command-line "Registry DIFF" that enables you to compare any two local and/or remote Registry keys in both Windows NT and Windows 95.
    COMPRESS.EXE: File Compress - Command-line utility, compresses files. Needed for Setup customization.
    (Updated) COUNTERS.HLP : Windows NT Performance Counters Help
    Crystal Reports Event Log Viewer - Provides an easy way to extract, view, save, and publish information from the Windows NT system, application, and security event logs in a variety of formats.

    dbWeb
    (New) DEFPTR.EXE: Default Printer
    DELPROF.EXE: User Profile Deletion Utility
    DELSRV.EXE
    (New) DEPENDS.EXE: Dependency Walker
    Desktop Themes for Windows NT 4.0
    DESKTOPS.EXE: DeskTops
    DFLYDIST.EXE: Compound File Layout User Tool
    (Updated) DH.EXE - Command-line utility, enables you to lock heaps, tags, stacks, and objects.
    DHCPCMD.EXE: DHCP Administrator's Tool - Command-line utility.
    (Updated) DHCPLOC.EXE: DHCP Server Locator Utility - Command-line utility, detects unauthorized DHCP servers on a subnet.
    (Updated) DIRUSE.EXE: Directory Disk Usage - Command-line utility, shows disk space used per directory.
    DISKMAP.EXE
    DISKSAVE.EXE - Enables you to save the Master Boot Record and Boot Sector as binary image files.
    DISKUSE.EXE - Command-line utility, scans directories on a hard disk and reports on space used by each user.
    (New) DNSCMD.EXE
    DOMMON.EXE: Domain Monitor - Windows-based tool, gives status on domains, domain controllers, trust relationships.
    DRIVERS.EXE: Device Driver Information - Command-line utility, shows what drivers have loaded.
    DSKPROBE.EXE: DiskProbe
    DUMPEL.EXE: Dump Event Log - Command-line utility, dumps the event log to a file.

    EM2MS.EXE
    EMWAC Server CGI Gateway Scripts
    ENUMPRN.EXE
    EXCTRLST.EXE: Extensible Performance Counter List
    EXETYPE.EXE: Finding the Executable Type - Command-line utility, identifies the hardware platform of a .EXE file.
    EXPNDW32.EXE: File Expansion Utility - File Expansion utility, expands the compressed files on Windows NT distribution media.

    FILEVER.EXE: FileVer - Command-line utility, examines the version resource structure of a file or a directory of files and displays information on the versions of executable files.
    (New) FILEWISE.EXE
    FINDGRP.EXE: Find Group - Command-line utility, finds all group memberships of a specified user.
    (Updated) FIXACLS.EXE: Reset System File Permissions
    FLOPLOCK.EXE: Lock Floppy Disk Drives - Command-line utility or service that restricts access to floppy drives.
    FORFILES.EXE
    FREEDISK.EXE
    FTEDIT.EXE: FT Registry Information Editor - Windows-based tool, enables you to create, edit, and delete fault tolerance sets for disk drives and partitions of local and remote computers.

    GETMAC.EXE
    GETSID.EXE
    GFLAGS.EXE
    (Updated) GLOBAL.EXE
    GRPCPY.EXE: Group Copy

    HCLNT4.HLP: Hardware Compatibility List - HCL in online Help format
    (Updated) HEAPMON.EXE

    IFMEMBER.EXE - Command-line utility, checks whether the current user is a member of a specified group.
    IMAGEDIT.EXE: Image Editor - Windows-based tool, enables the creation of icons and cursors, and also used by the Animated Cursor Creator.
    Index Server
    INSTALLD.CMD (NTDETECT.COM): Startup Hardware Detector
    INSTSRV.EXE: Service Installer - Installs any service.

    KERNPROF.EXE: Kernel Profiler
    KILL.EXE: Task Killing Utility - Command-line utility, use to end one or more tasks, or processes.
    KIX32.EXE: KiXtart 95
    (New) KIXGRP.EXE

    LAYOUT.DLL
    LEAKYAPP.EXE: LeakyApp
    LINKCK.EXE: Link Checker
    (Updated) LOCAL.EXE
    LOGEVENT.EXE: Event Logging Utility
    (New) LOGOFF.EXE
    LOGTIME.EXE

    MIBCC.EXE: SNMP MIB compiler
    MONITOR.EXE: Performance Data Logging Service and Configuration Tool
    (Updated) MUNGE.EXE

    NETCLIP.EXE: Remote Clipboard Viewer
    NETCONS.EXE: Net Connections
    (New) NETDOM.EXE
    NETSVC.EXE: Command-line Service Controller - Command-line utility, remotely starts, stops, and queries the status of services.
    (Updated) NetTime for Macintosh
    NETWATCH.EXE: Net Watcher - Windows-based tool, shows who is connected to shared directories.
    NLMON.EXE
    NLTEST.EXE
    NOW.EXE: Now - Displays the current date and time on STDOUT, followed by any command-line arguments you add.
    (Updated) NTCARD40.HLP: Adapter Help - Describes settings for hardware supported under Windows NT.
    NTDETECT.COM (INSTALLD.CMD): Startup Hardware Detector
    (Updated) NTEVNTLG.MDB
    (Updated) NTIMER.EXE
    (Updated) NTMSG.HLP
    (New) NTRIGHTS.EXE
    NTUUCODE.EXE: 32-Bit UUDecode and UUEncode Utility

    OH.EXE
    OLEVIEW.EXE: OLE/COM Object Viewer
    OS2API.TXT - List of compatible APIs in the OS/2 subsystem.

    PASSPROP.EXE
    (Updated) PATHMAN.EXE: Pathman
    (Updated) PERF2MIB.EXE: Performance Monitor MIB Builder Tool
    (Updated) PerfLog: Performance Data Log Service
    PERFMTR.EXE: Performance Meter - Text-mode utility, provides performance information.
    (Updated) Performance Tools
    Perl 5 Scripting Language
    PERMCOPY.EXE
    PERMS.EXE: File Access Permissions per User - Command-line utility.
    PFMON.EXE: Page Fault Monitor
    PMON.EXE: Process Resource Monitor - Command-line utility.
    POLEDIT.EXE: Windows NT System Policy Editor
    POSIX Utilities
    Power Toys
    PSTAT.EXE: Process and Thread Status - Command-line utility, shows process statistics. Useful for debugging problems.
    PULIST.EXE
    PVIEWER.EXE: Process Viewer - Windows-based tool, shows the processes running in the system and allows ending processes and boosting priority.

    QSLICE.EXE: CPU Usage by Processes - Windows-based tool.
    QUICKRES.EXE: Quick Resolution Changer

    RASLIST.EXE
    RASUSERS.EXE: Enumerating Remote Access Users - Command-line utility.
    RCMD.EXE: Remote Command Service - Remotely administers and runs command-line programs, client program. Used with RCMDSVC.EXE.
    (New) REG.EXE
    REGBACK.EXE: Registry Backup - Command-line utility, backs up Registry hives to files without the use of tape.
    REGDMP.EXE
    (Updated) REGENTRY.HLP: Windows NT Registry Entries - Online Help file
    REGFIND.EXE
    Regina REXX Scripting Language
    REGINI.EXE: Registry Change by Script - Command-line utility, good for Setup programs.
    REGKEY.EXE: Logon and FAT File System Settings - Windows-based tool, sets new Registry settings without actually editing the Registry. (Not on PPC RISC-based computers)
    REGREST.EXE: Registry Restoration - Command-line utility, restores Registry hives from files.
    Remote Access Manager
    (Updated) Remote Console
    (Updated) REMOTE.EXE: Remote Command Line - Command-line utility, runs command-line programs on remote computers.
    Remote Kill
    RIPROUTE.WRI: Routing with Windows NT Server
    RMTSHARE.EXE: Remote Share - Command-line utility, sets up or deletes shares remotely and can grant and remove ACLs on those shares.
    ROBOCOPY.EXE: Enhanced Network File-Copying Utility - Command-line utility.
    RSHSVC.EXE: TCP/IP Remote Shell Service
    RSHXMENU.EXE: Security Power Toy
    RUNEXT: Run Extension

    SC.EXE
    SCANREG.EXE - A Win32 character-based/command-line "Registry GREP" that enables you to search for any string in keynames, valuenames, and/or valuedata in local or remote Registries keys in both Windows NT and Windows 95.
    SCLIST.EXE
    SCOPY.EXE: File Copy with Security - Command-line utility.
    SECADD.EXE
    SECEDIT.EXE
    (Updated) SETEDIT.EXE
    SETUPMGR.EXE: Setup Manager - Windows-based tool, enables Windows NT to be installed or upgraded remotely.
    SETX.EXE
    ShareUI
    SHORTCUT.EXE
    (Updated) SHOWACLS.EXE
    SHOWDISK.EXE
    SHOWGRPS.EXE
    SHOWMBRS.EXE
    SHUTDOWN.EXE and SHUTGUI.EXE: Remote Shutdown - Command-line and GUI utilities, remotely shut down a server.
    (New) SIPANEL.EXE: Soft Input Panel
    SLEEP.EXE: Batch File Wait - Command-line utility, waits for a specified amount of time. Useful in batch files.
    SNMPMON.EXE: SNMP Monitor
    SNMPUTIL.EXE: SNMP Browser
    SOON.EXE: Near-Future Command Scheduler
    SRVANY.EXE: Applications as Services Utility
    SRVCHECK.EXE
    SRVINFO.EXE
    SRVINSTW.EXE: Service Installer Wizard
    (New) SRVMON.EXE: Service Monitor
    (Updated) SU.EXE - Enables you to start a process running as an arbitrary user.
    (Updated) SUBINACL.EXE: SubInAcl
    SYSDIFF.EXE

    TDISHOW.EXE: TDI Tracing Utility - Command-line utility, traces packets going across the TDI layer.
    TELNETD.EXE: Telnet Server Beta
    TEXTVIEW.EXE: TextViewer
    TIMEOUT.EXE
    (Updated) TIMESERV.EXE: Time Synchronizing Service - Command-line utility or service.
    TIMETHIS.EXE: TimeThis
    TIMEZONE.EXE
    TLIST.EXE: Task List Viewer
    TLOCMGR.EXE: Telephony Location Manager
    TOPDESK.EXE: Multiple Desktops - Windows-based tool.
    (Updated) TOTLPROC.EXE
    TweakUI
    TZEDIT.EXE: Time Zone Editor - Windows-based tool.

    UPTOMP.EXE: Uni to Multiprocessor Upgrade Utility
    USRSTAT.EXE
    USRTOGRP.EXE: Add Users to Groups - Command-line utility, adds users to local or global groups from a user-specified input text file.

    VDESK.EXE

    (New) WAITFOR.EXE
    WCAT: Web Capacity Analysis Tool
    Web Administration of Microsoft Windows NT Server
    WhoAmI
    (Updated) WINAT.EXE: Command Scheduler
    WINDIFF.EXE: File and Directory Comparison - Windows-based tool.
    WINEXIT.SCR: Windows Exit Screen Saver - Logs the current user off after a specified time has elapsed.
    (Updated) WINLOGO.DOC: "Designed for Windows NT and Windows 95" Logo Handbook
    (Updated) WinMsdP.EXE - Command-line utility, generates a text file of all the information in WINMSD.
    WINSCHK.EXE
    WINSCL.EXE
    WINSDMP.EXE: WinsDump
    WNTIPCFG.EXE: Graphical IPConfig Utility

    XCACLS.EXE
    The Windows 2000 resource kit tools are equally important (jt.exe); here is a (not complete) list. You can download some of the Windows 2000 resource kit tools from Microsoft.


    Active Directory Sizer (adsizer.exe)
    Application Programming Interface monitor (apimon.exe)
    Application Security (appsec.exe)
    Cluster Quorum Restore Utility (clusrest.exe)
    Counter List (ctrlist.exe)
    Cluster Verification Utility (clustsim.exe)
    Domain Controller Diagnostic Tool (dcdiag.exe)
    Delete File and Reparse Points (delrp.exe)
    Delete Server (delsrv.exe)
    Display Heap (dh.exe)
    DHCP Database Export Import Tool (dhcpexim.exe)
    Directory Disk Usage (diruse.exe)
    Disk Map (diskmap.exe)
    Disk Partition (diskpart.exe)
    Disk Manager Diagnostics (dmdiag.exe)
    List Loaded Drivers (drivers.exe)
    Drive Share (drmapsrv.exe)
    Dump Event Log (dumpel.exe)
    Dump FSMO Roles (dumpfsmos.cmd)
    Registry Size Estimator (dureg.exe)
    Encrypting File System Information (efsinfo.exe)
    Extensible Performance Counter List (exctrlst.exe)
    Extract Cabinet (extract.exe)
    FAZAM 2000
    GetMAC (getmac.exe)
    Get Security ID (getsid.exe)
    Group Policy Verification Tool (gpotool.exe)
    Group Policy Results (gpresult.exe)
    GUID to Object (guid2obj.exe)
    Heap Monitor (heapmon.exe)
    Hard link display tool (hlscan.exe)
    If Member (Ifmember.exe)
    IIS Migration Wizard (IISMIGrationWizard_Setup.exe)
    Installation Monitor (instaler_setup.exe)
    File-In-Use Replace Utility (inuse.exe)
    Internet Protocol Security Policies Tool (ipsecpol.exe)
    Kerberos Tray (kerbtray.exe)
    Kerberos List (klist.exe)
    Network Connectivity Tester (netdiag.exe)
    Now (now.exe)
    NT Detect (ntdetect.com)
    Open Handles (oh.exe)
    OLE/COM Object Viewer (oleview.exe)
    Path Manager (pathman.exe)
    File Access Permissions per User (perms.exe)
    Page Fault Monitor (pfmon.exe)
    Process and Thread Status (pstat.exe)
    PuList (pulist.exe)
    File Copy (rdpclip.exe)
    Relog (relog.exe)
    RPC Configuration Tool (rpccfg.exe)
    RPC Dump (rpcdump.exe)
    RPC Connectivity Verification Tool (rpings.exe)
    Manipulate Service Principal Names for Accounts (setspn.exe)
    SetX (setx.exe)
    Performance Data Block Dump Utility (showperf.exe)
    File Replication Service (FRS) Status Viewer (sonar.exe)
    Near-Future Command Scheduler (soon.exe)
    Automated Installation Tool (sysdiff.exe)
    Timethis (timethis.exe)
    Trace Dump (tracedmp.exe)
    Trace Enable (traceenable.exe)
    Trace Log (tracelog.exe)
    Terminal Server Capacity Planning Tools (tscpt.exe)
    User State Migration Tool (usmt.exe)
    Virtual Address Dump (vadump.exe)
    Who Am I (whoami.exe)
    WinStation Monitor (winsta.exe)
    Windows NT IPConfig Utility (wntipcfg.exe)
    XCacls (xcacls.exe)
    Maybe someone knows of a website that does "Windows alternatives for open source tools", similar to "Open source alternatives for Windows (commercial) tools"?