I need a tool that can check the integrity of crucial files (e.g., registry files) on my Windows NT 4.0 file servers so that I can detect unauthorized changes to these files. I also want the tool to detect any malicious mobile code (e.g., a Trojan horse) that intruders might have loaded onto my file servers. Which integrity-checking tools might I use?
Checking the integrity of crucial files can help you determine whether certain files have been altered and detect intruder attacks. Intruders might try to alter audit logs or install their own versions of crucial system files to erase their tracks. Table 1 lists three integrity-checking tools for NT 4.0, all of which use a hashing algorithm to detect changes. The tools compare file hashes after an incident with previously recorded file hashes to determine whether someone has tampered with the file.
Of the products that Table 1 lists, Tripwire's Tripwire for Servers is the only commercial product. (The other two are freeware tools that you can download from the Internet.) Tripwire is the most widely deployed integrity-checking tool for the NT platform. Among Tripwire's key strengths is its ability to check NTFS file streams and to administer the integrity-checking settings on multiple machines from a central console. Tripwire also uses a secure database to store the integrity-checking data. Simtel.Net's CHK-SAFE is a command-line integrity-checking tool. Vacuum's Versioner uses a GUI to set the scope of the integrity check and stores the results in a Microsoft Excel spreadsheet. Figure 2 shows Versioner's GUI.