Analysis of the Security of Windows NT, 1 March 1999, page 89

D.2.5  NT File System Monitor (NTFilemon)

NTFilemon can be used to monitor file system activity for NT 3.51 and NT 4.0. This utility consists of a device driver and a GUI, like NTRegmon. The device driver is a type of driver known as a filter driver, which means that it layers itself above the file system drivers. After installation, NTFilemon can see I/O requests pass to, and from, the file systems. All types of file system drivers that have an associated drive letter may be monitored, e.g. FAT and NTFS partitions. The GUI application will automatically load the driver.

D.2.6  NT Process Monitor (NTPmon)

With NTPmon, information about all process activity on an NT 4.0 system can be gathered and displayed in a window. The utility program consists of a device driver and a GUI, like NTRegmon and NTFilemon. The driver uses a number of undocumented hooking functions, which collect information about activity such as process creation, process deletion, thread creation, thread deletion, and optionally context switches. The latter is only present in multiprocessor builds of NT, and is disabled by default.

D.2.7  Object Manager Name Space Viewer (WinObj)

WinObj is an NT application that displays information on the NT object manager's name space. This means that the program shows information about various operating system components. WinObj uses the native NT API, which, for example, provides routines that allow user programs to browse the name space. It is also possible to query the status of objects located there.

D.2.8  Microsoft Network Monitor

The Microsoft Network Monitor is Microsoft's own program for monitoring network activities. It comes in two variants. One of the variants is on the server installation CD. This program has severe limitations. It can only read broadcast messages and traffic directed to the machine that runs the program. Microsoft claims that this is for security reasons. It also has limitations in how it interprets the messages it receives. The copy we tried did, for example, not translate the RPC messages.

The other variant is part of Microsoft SMS. This program is a proper monitor that monitors all traffic on the net as long as the network interface card can handle promiscuous mode. It also, as far as we could see, parses the messages fully except for password fields. The network monitor also has the ability to fetch information from network agents across the network. This could come in handy, e.g. in a switched network environment where an agent could pick up traffic on a switched segment. The program can also detect other instances of Microsoft Network Monitor that are active on the network.
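The difference between the two Network Monitor variants comes down to what the network interface hands to the capture program. The following Python script is an added illustration, not code from the report or from Microsoft: it parses constructed Ethernet II frames and applies the two capture scopes described above, the host-only scope (frames addressed to the monitor's own MAC or to the broadcast address) and the promiscuous scope (every frame on the segment). The MAC addresses and payloads are made up, and treating multicast frames as accepted in host-only mode is an assumption about typical NIC filtering that the report itself does not state.

```python
"""Added example: which frames a non-promiscuous monitor sees versus a
promiscuous one. All frames and addresses below are constructed."""
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_str(raw: bytes) -> str:
    """Render six raw bytes as a colon-separated MAC string."""
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(mac: str) -> bytes:
    """Inverse of mac_str."""
    return bytes(int(x, 16) for x in mac.split(":"))


def parse_ethernet(frame: bytes) -> dict:
    """Parse the 14-byte Ethernet II header; the payload is returned as-is."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": mac_str(dst), "src": mac_str(src),
            "ethertype": ethertype, "payload": frame[14:]}


def nic_accepts(frame_dst: str, own_mac: str, promiscuous: bool) -> bool:
    """Model of the interface filter.

    Host-only mode passes unicast frames to the monitor's own address,
    broadcast frames and (assumption) group/multicast frames; promiscuous
    mode passes everything on the segment.
    """
    if promiscuous:
        return True
    if frame_dst in (own_mac, BROADCAST):
        return True
    first_octet = int(frame_dst.split(":")[0], 16)
    return bool(first_octet & 0x01)  # group bit set -> multicast


def build_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Assemble a raw Ethernet II frame from its parts."""
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload


MONITOR_MAC = "00:11:22:33:44:55"  # constructed address of the capturing host

# Constructed traffic on one shared segment.
SEGMENT = [
    build_frame(MONITOR_MAC, "aa:bb:cc:dd:ee:01", 0x0800, b"to monitor"),
    build_frame(BROADCAST, "aa:bb:cc:dd:ee:02", 0x0806, b"arp who-has"),
    build_frame("aa:bb:cc:dd:ee:03", "aa:bb:cc:dd:ee:04", 0x0800, b"third party"),
    build_frame("01:00:5e:00:00:01", "aa:bb:cc:dd:ee:05", 0x0800, b"multicast"),
]


def capture(frames, own_mac: str, promiscuous: bool) -> list:
    """Return the parsed frames a monitor in the given mode would see."""
    seen = []
    for raw in frames:
        parsed = parse_ethernet(raw)
        if nic_accepts(parsed["dst"], own_mac, promiscuous):
            seen.append(parsed)
    return seen


if __name__ == "__main__":
    for mode in (False, True):
        payloads = [p["payload"] for p in capture(SEGMENT, MONITOR_MAC, mode)]
        print(f"promiscuous={mode}: {payloads}")
```

Run as-is, the host-only pass drops the third-party unicast frame, which is exactly the traffic the CD variant cannot show and the SMS variant can; a switched segment removes even that frame from the wire, which is why the report points to remote agents for that case.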