Tripwire 2.1 for Windows NT

Catch the wily intruder

Imagine it's Friday night, and you're out having a great time. But one of your employees is working late, modifying Registry entries on various Windows NT machines to ensure continued access to the system in case you fire him. Meanwhile, an intruder discovers the security holes your employee is creating. By Monday morning, the intruder has turned all your sensitive corporate information into an illegible mess. On Friday, you're out of business.

Unlikely, you say? You're probably right—if you're using Tripwire Security Systems' Tripwire 2.1 for Windows NT. Tripwire is an intrusion-detection system that monitors NT file systems and Registry key integrity. The product sits stealthily on the network to detect even the slightest system change, ready to instantly alert an administrator of any suspicious activity.

Under the Hood
Tripwire runs as a command-line tool that you can automate using various scheduling tools, including the NT Scheduler service. To detect integrity violations, the product employs a user-definable policy database as a baseline to gauge a system's status. By comparing its policy database to files and Registry entries and values, Tripwire can determine whether the system policy deviates from the defined baseline. When the software detects a policy violation, it sends an email alert to a predetermined administrator. To guard against tampering with the baseline policy database, Tripwire cryptographically signs its configuration files using the MD5, SHA, or HAVAL one-way hash algorithms or a less secure CRC32 checksum.

Using Tripwire isn't a challenge for seasoned network administrators, but because the software doesn't sport a GUI, less-experienced users might find the command-line interface cumbersome. Tripwire produces reports of its activity and findings; however, sorting through all this information isn't easy. You can use a text editor and its Search command to locate items of interest—but you must know what you're looking for.

Set the Trap
Tripwire's initial installation is easy and straightforward. I chose an installation directory path, selected a mail transport for sending alerts (during my tests, I used SMTP instead of Messaging API—MAPI), defined a text editor for editing and updating reports, and chose a few basic options.

Basic options include Late Prompting, Loose Directory Checking, Reset Access Time, and Mail No Violations. With Late Prompting, a feature for the more paranoid administrator, Tripwire waits to prompt users until it needs passphrases, which the software uses to control access to files during some system operations. This way, the passphrase is in memory for less time, which guards against memory attacks. The Loose Directory Checking setting reduces redundant items in the reports. Reset Access Time maintains the original access time for objects that Tripwire touches to better maintain forensics. Mail No Violations instructs Tripwire not to send its regularly scheduled report if it finds no policy violations.

With the basic configuration defined, I was ready to set up my policy database. During my tests, I used Tripwire's preconfigured policy, as Screen 1 shows, which I found effective for standard NT installations. However, making changes to the policy to include monitoring for NT add-ons is simple. The Tripwire policy configuration looks rather cryptic at first glance, but learning the correct syntax isn't difficult. For example, I found it easy to make policy modifications that monitor particular files and Registry data for a Microsoft Site Server test installation, which includes Microsoft Internet Information Server (IIS) and Microsoft SQL Server.

Keep Wily Intruders at Bay
Tripwire is an effective tool for protecting your network. The product is a great security add-on, regardless of your primary intrusion-detection software. And at $495, you can't beat the value for the added level of security this software provides.