initial commit of SVN release repo

2018-05-07 10:51:08 -04:00
parent 2c25d5e577
commit 8c38a6cdb9
4369 changed files with 728576 additions and 0 deletions
--- a/Tools/Unix/OSE-Unix-MD5.tar.gz
+++ b/Tools/Unix/OSE-Unix-MD5.tar.gz
--- a/Tools/Unix/linux-data-collection.sh
+++ b/Tools/Unix/linux-data-collection.sh
@ -0,0 +1,182 @@
+#!/bin/bash
+# Script to collect the major security configuration files on a Linux system
+# RUN AS ROOT!
+# tested on RHEL 5.2, SUSE 11
+
+# Jeff A. Odegard, CISSP, CPT, CEH
+# AFSPC SMC/GPEVA
+# 20 Aug 13
+# Rewritten 16 Sep 14
+# Update 31 Mar 15:  Use find -xdev to limit the ffile-permissions.txt to local filesystems only.
+	# Erik Wohlgemuth (Raytheon) and Jeff Odegard
+
+# Add to this list as necessary (get copies of these files)
+FILELIST="/.cshrc
+/.profile
+/etc/aide.conf
+/etc/apache
+/etc/apache2
+/etc/audit/audit.rules
+/etc/audit/auditd.conf
+/etc/cron.allow
+/etc/cron.d
+/etc/cron.deny
+/etc/crontab
+/etc/default
+/etc/ftpusers
+/etc/gshadow
+/etc/hosts
+/etc/hosts.allow
+/etc/hosts.deny
+/etc/hosts.equiv
+/etc/httpd
+/etc/inetd.conf
+/etc/inittab
+/etc/motd
+/etc/newsyslog.conf
+/etc/nsswitch.conf
+/etc/ntp.conf
+/etc/ntp.conf
+/etc/pam.conf
+/etc/pam.d
+/etc/passwd
+/etc/profile
+/etc/redhat-release
+/etc/resolv.conf
+/etc/securetty
+/etc/security
+/etc/shells
+/etc/ssh_config
+/etc/sshd_config
+/etc/ssh/ssh_config
+/etc/ssh/sshd_config
+/etc/SuSE-brand
+/etc/SuSE-release
+/etc/syslog-ng
+/etc/sysconfig/apache2
+/etc/sysconfig/selinux
+/etc/sysctl.conf
+/etc/syslog.conf
+/etc/syslog-ng
+/etc/xinetd.conf
+/etc/xinetd.d
+/proc/cmdline
+/root/.cshrc
+/root/.profile"
+
+
+#HOSTNAME=`uname -a | cut -d" " -f2`
+HOSTNAME=`hostname`
+DIR="$HOSTNAME-baseline"
+echo ""
+echo "Results will be in ./$DIR"
+mkdir -p $DIR
+cd $DIR
+FILEDIR="system-files"
+echo "System files will be in ./$DIR/system-files"
+mkdir -p system-files
+rm -f $HOSTNAME-errors.txt
+echo "Linux Data collection started on `date`" >> $HOSTNAME-errors.txt
+echo ""
+echo "Collecting some system information..."
+echo "	uname -a"
+uname -a > uname.txt
+echo "	ifconfig -a"
+ifconfig -a > ifconfig.txt
+echo "	netstat -nr"
+netstat -nr > netstat-nr.txt
+echo "	netstat -nap"
+netstat -nap > netstat-nap.txt
+echo "	ps aux"
+ps aux > ps-aux.txt
+echo "	last -a"
+last -a -i > last-a-i.txt
+echo "	who -a"
+who -a > who-a.txt
+echo "	df -ak"
+df -ak > df-ak.txt
+echo "	mount"
+mount > mount.txt
+echo "	rpcinfo -p"
+rpcinfo -p > rpcinfo-p.txt
+if [ `grep "nfs" rpcinfo-p.txt` ] ; then
+	echo "	showmount"
+	showmount 2>showmount.txt > showmount.txt
+	echo "	showmount -e"
+	showmount -e 2>showmount.txt > showmount-e.txt
+else
+	echo "	Skipping showmount. NFS does not appear in rpcinfo."
+	echo "	NFS does not appear in rpcinfo.  Skipping showmount." >> $HOSTNAME-errors.txt
+fi
+
+echo "	rpm -qa -last"
+rpm -qa -last > rpm-qa-last.txt
+echo "	crontab -l"
+crontab -l 2>crontab-l.txt > crontab-l.txt
+echo "	pwck -r"
+pwck -r > pwck-r.txt
+
+echo ""
+echo "Gathering file listing/permissions for STIG checks"
+echo "   NOTE: find errors are normal"
+rm -f file-permissions.txt
+FSTYPE=`mount | egrep "on \/ type" | awk '{print $5}'`
+for MOUNTPT in `mount | grep $FSTYPE | awk '{print $3}'`; do
+	find $MOUNTPT -xdev -fstype $FSTYPE -ls >> file-permissions.txt
+done
+FILESIZE=`ls -sh file-permissions.txt | cut -d" " -f1`
+if [ $FILESIZE -eq "0" ]; then # SuSE Linux 
+	echo "  Hmmm, might be a SuSE Linux system"
+	find / -fstype rootfs -ls > file-permissions.txt
+fi
+ls -sh file-permissions.txt
+
+echo ""
+echo "Collecting some security configuration files and folders."
+echo "   NOTE: Inability to find some files is normal":
+for FILE in $FILELIST ; do
+   if [ -f  $FILE -o -d $FILE ] ; then
+	DEST=`echo $FILE | sed "s/\//\-/g" | sed "s/^\-//"`
+      echo " cp -af $FILE ./$FILEDIR/$DEST"
+      cp -af $FILE ./$FILEDIR/$DEST
+   else
+	#egrep "\/passwd$" ehud-baseline/file-permissions.txt | awk '{print $11}'
+     echo "	  Could not find $FILE" >> $HOSTNAME-errors.txt
+     echo "	  Could not find $FILE"
+   fi
+done
+
+# We don't want to collect password hashes, but need to know if the accounts are locked.
+# Note: this "for LINE in" hack only works because there are no spaces in /etc/shadow... :o}
+
+rm -f shadow-trimmed
+echo ""
+echo "Trimming /etc/shadow for safety..."
+for LINE in `cat /etc/shadow` ; do
+   HASH=`echo $LINE | cut -d":" -f2`
+   # Typical password hash is 34 characters
+   if [ ${#HASH} -lt 13 ] ; then
+	echo $LINE >> shadow-trimmed.txt
+   elif [ ${#HASH} -lt 34 ] ; then
+	echo $LINE | awk -F':' 'BEGIN{ OFS=":"; } { print $1,"SHORT/WEAK HASH",$3,$4,$5,$6,$7,$8,$9 }' >> shadow-trimmed.txt
+   else
+        echo $LINE | awk -F':' 'BEGIN{ OFS=":"; } { print $1,"FILTERED",$3,$4,$5,$6,$7,$8,$9 }' >> shadow-trimmed.txt
+   fi
+done
+
+echo ""
+echo "Please review to ensure hashes are filtered"
+echo ""
+cat shadow-trimmed.txt
+echo ""
+echo "Linux Data collection ended on `date`" >> $HOSTNAME-errors.txt
+cd ..
+echo "Tarring and Gzipping the results"
+tar -zcvf $DIR.tgz ./$DIR
+
+echo ""
+echo "All packaged up and ready to go in $DIR.tgz"
+ls -sh $DIR.tgz
+echo "Have a nice day!"
+echo ""
+
--- a/Tools/Unix/solaris-data-collection.sh
+++ b/Tools/Unix/solaris-data-collection.sh
@ -0,0 +1,165 @@
+#!/bin/ksh
+# Script to collect the major security configuration files on a Solaris system
+# RUN AS ROOT!
+# tested on Solaris 10
+
+# Jeff A. Odegard, CISSP
+# AFSPC SMC/GPEA
+# 20 Aug 13
+# Updated 4 Sep 14
+
+# Add to this list as necessary (get copies of these files)
+FILELIST="/.cshrc
+/.profile
+/etc/access.conf
+/etc/apache
+/etc/apache2
+/etc/cron.allow
+/etc/cron.d
+/etc/cron.deny
+/etc/default
+/etc/dfs
+/etc/ftpd
+/etc/ftpusers
+/etc/hosts
+/etc/hosts.allow
+/etc/hosts.deny
+/etc/hosts.equiv
+/etc/httpd
+/etc/inet/inetd.conf
+/etc/inet/ntp.conf
+/etc/inetd.conf
+/etc/issue
+/etc/issue.net
+/etc/motd
+/etc/nsswitch.conf
+/etc/ntp.conf
+/etc/pam.conf
+/etc/passwd
+/etc/passwd
+/etc/profile
+/etc/resolv.conf
+/etc/securetty
+/etc/security
+/etc/shells
+/etc/snmp/conf/snmpd.conf
+/etc/snmpd.conf
+/etc/syslog.conf
+/etc/system
+/noshell"
+
+#HOSTNAME=`uname -a | cut -d" " -f2`
+HOSTNAME=`hostname`
+DIR="$HOSTNAME-baseline"
+echo ""
+echo "Results will be in ./$DIR"
+mkdir -p $DIR
+cd $DIR
+FILEDIR="system-files"
+echo "System files will be in ./$DIR/system-files"
+mkdir -p system-files
+rm -f $HOSTNAME-errors
+
+echo ""
+echo "Collecting some system information..."
+echo "	uname -a"
+uname -a > uname.txt
+echo "	ifconfig -a"
+ifconfig -a > ifconfig.txt
+echo "	netstat -nr"
+netstat -nr > netstat-nr.txt
+echo "	netstat -nap"
+netstat -nap > netstat-nap.txt
+echo "	ps -eaf"
+ps -eaf > ps-eaf.txt
+echo "	last -a"
+last -a > last-a.txt
+echo "	who -a"
+who -a > who-a.txt
+echo "	df -ak"
+df -ak > df-ak.txt
+echo "	mount -p"
+mount -p > mount-p.txt
+echo "	rpcinfo -p"
+rpcinfo -p >rpcinfo-p.txt
+if [ `grep "nfs" rpcinfo-p.txt` ] ; then
+	echo "	showmount"
+	showmount 2>&1 > showmount.txt
+	echo "	showmount -e"
+	showmount -e 2>&1 > showmount-e.txt
+else
+	echo "	Skipping showmount. NFS does not appear in rpcinfo."
+	echo "	NFS does not appear in rpcinfo.  Skipping showmount." >> $HOSTNAME-errors.log
+fi
+echo "	pkginfo -l"
+pkginfo -l > pkginfo-l.txt
+echo "	crontab -l"
+crontab -l > crontab-l.txt
+echo "	showrev -a"
+showrev -a > showrev-a.txt
+echo "	xhost"
+xhost 2>&1 1>xhost.txt
+echo "	eeprom security-mode"
+eeprom security-mode 2>&1 1>eeprom-security-mode.txt
+echo "	prtconf -D"
+prtconf -D 2>&1 1>prtconf-D.txt
+
+echo ""
+echo "Gathering file listing/permissions for STIG checks"
+echo "   NOTE: find errors are normal"
+rm -f file-permissions.txt
+# Get FStype for /
+#FSTYPE=`mount -p | egrep " \/ [a-z]+" | awk '{print $4}'`
+find / -local -ls > file-permissions.txt
+ls -sh file-permissions.txt
+
+echo ""
+echo "Collecting some security configuration files and folders."
+echo "   NOTE: Inability to find some files is normal":
+# use cp -R - cron.d has a named pipe
+for FILE in $FILELIST ; do
+   if [ -f  $FILE -o -d $FILE ] ; then
+	  DEST=`echo $FILE | sed "s/\//\-/g" | sed "s/^\-//"`
+      echo "cp -R $FILE ./$FILEDIR/$DEST"
+      cp -R $FILE ./$FILEDIR/$DEST
+   else
+     echo "   Could not find $FILE" >> $HOSTNAME-errors.log
+     echo "   Could not find $FILE"
+   fi
+done
+
+# We don't want to collect password hashes, but need to know if the accounts are locked.
+# Note: this "for LINE in" hack only works because there are no spaces in /etc/shadow... :o}
+
+rm -f shadow-trimmed
+echo ""
+echo "Trimming /etc/shadow for safety..."
+for LINE in `cat /etc/shadow` ; do
+   HASH=`echo $LINE | cut -d":" -f2`
+   # Typical password hash is 34 characters
+   if [ ${#HASH} -lt 13 ] ; then
+	echo $LINE >> shadow-trimmed.txt
+   elif [ ${#HASH} -lt 34 ] ; then
+        echo $LINE | awk -F':' 'BEGIN{ OFS=":"; } { print $1,"SHORT/WEAK HASH",$3,$4,$5,$6,$7,$8,$9 }' >> shadow-trimmed.txt
+   else
+        echo $LINE | awk -F':' 'BEGIN{ OFS=":"; } { print $1,"FILTERED",$3,$4,$5,$6,$7,$8,$9 }' >> shadow-trimmed.txt
+   fi
+done
+
+echo ""
+echo "Please review to ensure hashes are filtered"
+echo ""
+cat shadow-trimmed.txt
+echo ""
+
+cd ..
+echo "Tarring and Gzipping the results"
+tar -cvf $DIR.tar ./$DIR
+gzip $DIR.tar
+
+echo ""
+echo "All packaged up and ready to go in $DIR.tar.gz"
+ls -sh $DIR.tar.gz
+echo "Have a nice day!"
+echo ""
+
--- a/Tools/Windows/Windows
+++ b/Tools/Windows/Windows
--- a/Tools/Windows/Windows
+++ b/Tools/Windows/Windows
--- a/Collection/DUMPSEC.exe
+++ b/Collection/DUMPSEC.exe
--- a/Tools/Windows/Windows
+++ b/Tools/Windows/Windows
--- a/Collection/files-to-version.txt
+++ b/Collection/files-to-version.txt
@ -0,0 +1,4 @@
+C:\Windows\system32\notepad.exe
+C:\Program Files (x86)\Notepad++\notepad++.exe
+c:\Windows\system32\EnPasFltV2x86.dll
+c:\Windows\system32\EnPasFltV2x64.dll
--- a/Collection/filever.vbs
+++ b/Collection/filever.vbs
@ -0,0 +1,10 @@
+Set fso = WScript.CreateObject("Scripting.FileSystemObject")
+Set objArgs = WScript.Arguments
+if objArgs.Count<>1 then WScript.Quit()
+if NOT fso.FileExists(objArgs(0)) then WScript.Echo("File " & objArgs(0) & " does not exist") & WScript.Quit()
+set f = fso.GetFile(objArgs(0))
+WScript.Echo objArgs(0) & "," & fso.GetFileVersion(objArgs(0)) & "," & f.DateLastModified
+
+rem to call the script just use
+rem cscript -nologo filever.vbs "c:\WINNT\system32\notepad.exe" 
+
--- a/Collection/reg-perms-to-check.txt
+++ b/Collection/reg-perms-to-check.txt
@ -0,0 +1,2 @@
+HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
+HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf
--- a/Collection/reg-values-to-check.txt
+++ b/Collection/reg-values-to-check.txt
@ -0,0 +1,175 @@
+HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa,RestrictAnonymous
+HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa,RestrictAnonymousSAM
+HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa,LmCompatibilityLevel
+HEKY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa,DisableDomainCreds
+HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa,ForceGuest
+HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa,SCENoApplyLegacyAuditPolicy
+hkey_local_machine\system\CurrentControlSet\control\lsa,usemachineid
+hkey_local_machine\system\CurrentControlSet\control\lsa\msv1_0,allownullsessionfallback
+HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0,NTLMMinClientSec
+hkey_local_machine\system\CurrentControlSet\Control\lsa\pku2u,AllowOnlineID
+HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths,Machine
+HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager,SafeDllSearchMode
+HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths,Machine
+HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Security,WarningLevel
+HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IPSEC,NoDefaultExempt
+HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters,DisablePasswordChange
+HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters,MaximumPasswordAge
+HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters,NullSessionShares
+HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters,NullSessionPipes
+HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters,RequireSecuritySignature
+HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Lanmanserver\Parameters,Hidden
+HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters,SmbServerNameHardeningLevel
+HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters,AutoDisconnect
+HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP,LDAPClientIntegrity
+HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netbt\Parameters,NoNameReleaseOnDemand
+HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters,DisableIPSourceRouting
+HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters,EnableICMPRedirect
+HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters,KeepAliveTime
+HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters,PerformRouterDiscovery
+HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters,TcpMaxDataRetransmissions
+HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip6\Parameters,DisableIpSourceRouting
+HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip6\Parameters,TcpMaxDataRetransmissions
+HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip6\Parameters,DisabledComponents
+HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon,AutoAdminLogon
+HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon,ScreenSaverGracePeriod
+HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole,SecurityLevel
+HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf,(Default)
+hkey_local_machine\Software\Policies\Microsoft\EMET\SysSettings,ASLR
+hkey_local_machine\Software\Policies\Microsoft\EMET\SysSettings,DEP
+hkey_local_machine\Software\Policies\Microsoft\EMET\SysSettings,SEHOP
+hkey_local_machine\Software\Policies\Microsoft\EMET\Defaults,IE
+hkey_local_machine\Software\Policies\Microsoft\EMET\Defaults
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Messenger\Client,CEIP
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SearchCompanion,DisableContentFileUpdates
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers,DisbleHTTPPrinting
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers,DisableWebPnPDownload
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc,RestrictRemoteClients
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc,EnableAuthEpResolution
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services,fAllowToGetHelp
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services,fAllowUnsolicited
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services,fPromptForPassword
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services,fDenyTSConnections
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services,fDisableCdm
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services,MinEncryptionLevel
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services,PerSessionTempDir
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services,DeleteTempDirsOnExit
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services,MaxDisconnectionTime
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services,MaxIdleTime
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services,DisablePasswordSaving
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PCHealth\ErrorReporting,DoReport
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Peernet,Disabled
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Settings,AllowRemoteRPC
+hkey_local_machine\Software\Policies\Microsoft\Windows\Explorer,NoDataExecutionPrevention
+hkey_local_machine\Software\Policies\Microsoft\Windows\EventLog\Application,MaxSize
+hkey_local_machine\Software\Policies\Microsoft\Windows\EventLog\Security,MaxSize
+hkey_local_machine\Software\Policies\Microsoft\Windows\EventLog\Setup,MaxSize
+hkey_local_machine\Software\Policies\Microsoft\Windows\EventLog\System,MaxSize
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LLTD,AllowLLTDIOONdomain
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LLTD,AllowLLTDIOOnPublicNet
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LLTD,EnableLLTDIO
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LLTD,ProhibitLLTDIOOnPrivateNet
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LLTD,AllowRspndrOndomain
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LLTD,AllowRspndrOnPublicNet
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LLTD,EnableRspndr
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LLTD,ProhibitRspndrOnPrivateNet
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Network Connections,NC_AllowNetBridge_NLA
+hkey_local_machine\Software\Policies\Microsoft\Windows\TCPIP\v6Transition,6to4_State
+hkey_local_machine\Software\Policies\Microsoft\Windows\TCPIP\v6Transition,ISATAP_State
+hkey_local_machine\Software\Policies\Microsoft\Windows\TCPIP\v6Transition,Teredo_State
+hkey_local_machine\Software\Policies\Microsoft\Windows\TCPIP\v6Transition\IPHTTPS\IPHTTPSInterface,IPHTTPS_ClientState
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\Registrars,DisableFlashConfigRegistrar
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\Registrars,DisableInBand802DOT11Registrar
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\Registrars,DisableUPnPRegistrar
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\Registrars,DisableWPDRegistrar
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\Registrars,EnableRegistrars
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\UI,DisableWcnUi
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2},NoGPOListChanges
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsMediaPlayer,DisableAutoupdate
+HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\CredUI,EnumerateAdministrators
+HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer,NoDriveTypeAutorun
+HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoPublishingWizard
+HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoWebServices
+HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoInternetOpenWith
+HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoOnlinePrintsWizard
+hkey_local_machine\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,PreXPSP2ShellProtocolBehavior
+hkey_local_machine\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoAutorun
+hkey_local_machine\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\WAU,Disabled
+HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System,FilterAdministratorToken
+HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System,ConsentPromptBehaviorAdmin
+HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System,EnableSecurityUIAPaths
+HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System,PromptOnSecureDesktop
+HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System,ValidateAdminCodeSignatures
+HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system,DisableBkGndGroupPolicy
+HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\system,LogonType
+hkey_local_machine\Software\Microsoft\Windows\CurrentVersion\Policies\System,ReportControllerMissing
+hkey_local_machine\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LocalAccountTokenFilterPolicy
+HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters,SupportedEncryptionTypes
+hkey_local_machine\Software\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar,TurnOffUnsignedGadgets
+hkey_local_machine\Software\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar,OverrideMoreGadgetsLink
+hkey_local_machine\Software\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar,TurnOffUserInstalledGadgets
+hkey_local_machine\Software\Microsoft\Windows NT\CurrentVersion\Winlogon,AllocateCDRoms
+HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components
+HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EventViewer,MicrosoftEventVwrDisableLinks
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Feeds,DisableEnclosureDownload
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51,DCSettingIndex
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51,ACSettingIndex
+hkey_local_machine\Software\Policies\Microsoft\SQMClient\Windows,CEIPEnable
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\AuthRoot,DisableRootAutoUpdate
+hkey_local_machine\Software\Policies\Microsoft\WMDRM,DisableOnline
+hkey_local_machine\Software\Policies\Microsoft\Windows\AppCompat,DisableInventory
+HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings,WarnOnBadCertRecving
+HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3,1E05
+HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4,1E05
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DriverSearching,DontSearchWindowsUpdate
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DriverSearching,DontPromptForWindowsUpdate
+hkey_local_machine\Software\Policies\Microsoft\Windows\DriverSearching,SearchOrderConfig
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Settings,DisableSystemRestore
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Settings,DisableSendGenericDriverNotFoundToWER
+hkey_local_machine\Software\Policies\Microsoft\Windows\Device Metadata,PreventDeviceMetadataFromNetwork
+hkey_local_machine\Software\Policies\Microsoft\Windows\Explorer,NoHeapTerminationOnCorruption
+hkey_local_machine\Software\Policies\Microsoft\Windows\Explorer,NoAutoplayfornonVolume
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\GameUX,DownloadGameInfo
+hkey_local_machine\Software\Policies\Microsoft\Windows\GameUX,GameUpdateOptions
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\HandwritingErrorReports,PreventHandwritingErrorReports
+hkey_local_machine\Software\Policies\Microsoft\Windows\Homegroup,DisableHomeGroup
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Internet Connection Wizard,ExitOnMSICW
+HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer,AlwaysInstallElevated
+hkey_local_machine\Software\Policies\Microsoft\Windows\Installer,SafeForScripting
+hkey_local_machine\Software\Policies\Microsoft\Windows\Installer,EnableUserControl
+hkey_local_machine\Software\Policies\Microsoft\Windows\Installer,DisableLUAPatching
+hkey_local_machine\Software\Policies\Microsoft\Windows\Network Connections,NC_StdDomainUserSetInstaller
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Registration Wizard Control,NoRegistration
+hkey_local_machine\Software\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy,DisableQueryRemoteServer
+hkey_local_machine\Software\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy,EnableQueryRemoteServer
+hkey_local_machine\Software\Policies\Microsoft\Windows\TabletPC,PreventHandwritingDataSharing
+hkey_local_machine\Software\Policies\Microsoft\Windows\TCPIP\v6Transition,Force_Tunneling
+hkey_local_machine\Software\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d},ScenarioExecutionEnabled
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Windows Error Reporting,LoggingDisabled
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Windows Error Reporting,Disabled
+hkey_local_machine\Software\Policies\Microsoft\Windows\Windows Error Reporting,DontSendAdditionalData
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Windows Search,AllowIndexingEncryptedStoresOrItems
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Windows Search,PreventIndexingUncachedExchangeFolders
+HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU,NoAutoUpdate
+HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,WUServer
+hkey_local_machine\Software\Policies\Microsoft\WindowsMediaPlayer,GroupPrivacyAcceptance
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet,SpyNetReporting
+hkey_local_machine\Software\Policies\Microsoft\Windows NT\Printers,DoNotInstallCompatibleDriverFromWindowsUpdate
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services,LoggingEnabled
+HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\Parameters,Type
+HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\Parameters,NTPServer
+HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main,Use FormSuggest
+HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions,NoExternalBranding
+HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main,FormSuggest Passwords
+HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop,ScreenSaveActive
+HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop,ScreenSaverIsSecure
+HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop,ScreenSaveTimeOut
+HKEY_CURRENT_USER\Software\Policies\Microsoft\Assistance\Client\1.0,NoImplicitFeedback
+HKEY_CURRENT_USER\Software\Policies\Microsoft\Assistance\Client\1.0,NoExplicitFeedback
+HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
+HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments,SaveZoneInformation
+HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments,HideZoneInfoOnProperties
+HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments,ScanWithAntiVirus
+HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoInPlaceSharing
+HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings,SecureProtocols
--- a/Tools/Windows/Windows
+++ b/Tools/Windows/Windows
@ -0,0 +1,27 @@
+::tee.cmd, by Ken Henderson
+:: http://blogs.msdn.com/khen1234/archive/2005/10/27/486031.aspx
+:: modified to append the file rather than over-write
+@echo off
+
+IF (%1)==() GOTO help
+
+::Overwrite the file (W2K/XP require /Y)
+:: SET slash_y=
+:: ver <20> find "Windows NT" >nul
+:: if ERRORLEVEL 1 set slash_y=/Y
+
+:: ::Overwrite the file
+:: copy %slash_y% nul %1 >nul 2>&1
+
+for /f "tokens=1* delims=]" %%A in ('find /V /N ""') do (
+ >con echo.%%B
+ >>%1 echo.%%B
+)
+
+GOTO :eof
+
+:help
+ECHO.
+ECHO Pipe text to the console and redirect to a file simultaneously
+ECHO.
+ECHO Usage:  command | tee filename
--- a/Collection/windows-data-collection.bat
+++ b/Collection/windows-data-collection.bat
@ -0,0 +1,299 @@
+@echo off
+REM ########################################################################
+REM windows-data-collection.bat - collects ST&E relevant data
+REM Jeff A. Odegard, CISSP  15 May 13
+REM 
+REM ########################################################################
+
+HOSTNAME >HOSTNAME.txt
+for /F "eol=; tokens=1* delims= " %%i in (HOSTNAME.txt) do @set HOSTNAME=%%i
+set OUTDIR=C:\temp\%HOSTNAME%
+mkdir %OUTDIR% >nul 2>&1
+set originaldir=%cd%
+echo.
+echo Results will be in %OUTDIR%
+echo.
+echo  Admin privilege required.  Checking access
+net session >nul 2>&1
+if %errorlevel% NEQ 0 (
+	echo.
+	echo.     ERROR:  Script must run with administrative privileges!
+	goto end_of_script
+) 
+echo.   - Success
+echo.
+set VERSION="0.1, 15 May 13"
+echo. | date /t >C:\temp\%HOSTNAME%\date.txt
+echo. | time /t >C:\temp\%HOSTNAME%\time.txt
+set dt=
+set tm=
+for /F "eol=; tokens=* delims= " %%i in (C:\temp\%HOSTNAME%\date.txt) do @set dt=%%i
+for /F "eol=; tokens=5 delims= " %%i in (C:\temp\%HOSTNAME%\time.txt) do @set tm=%%i
+rem This is the way you do string substitution in Batch...
+set dt=%dt:/=-%
+set dt=%dt: =%
+REM set tm=%tm =%
+REM set tm=%tm: =%
+
+del /F C:\temp\%HOSTNAME%\date.txt C:\temp\%HOSTNAME%\time.txt HOSTNAME.txt
+set OUTBASE=%HOSTNAME%.txt
+set SUMMARYFILE=%OUTDIR%\%HOSTNAME%-data-collection-summary-%dt%.txt
+set CHECKSUMS=%OUTDIR%\%HOSTNAME%-checksums-%dt%.txt
+setlocal enableextensions enabledelayedexpansion
+REM ########################################################################
+REM Data Gathering Starts Here
+REM ########################################################################
+
+del /f /q c:\temp\%HOSTNAME%\*
+
+echo User List  | tee.cmd %SUMMARYFILE%
+wmic useraccount get name,sid 2>&1 > %OUTDIR%\user_list.txt
+
+echo Windows Registry Permissions
+REM This produces a 60Meg file.  Need to modify to only pull perms required for STIG
+echo   * DUMPSEC.exe /rpt=registry=HKEY_LOCAL_MACHINE /outfile=%OUTDIR%\HKLM-permissions.csv /saveas=csv >> %SUMMARYFILE%
+echo   * dumpsec.exe HKEY_LOCAL_MACHINE to HKLM-permissions.csv
+DUMPSEC.exe /rpt=registry=HKEY_LOCAL_MACHINE /outfile=%OUTDIR%\HKLM-permissions.csv /saveas=csv
+echo   * DUMPSEC.exe /rpt=registry=HKEY_USERS /outfile=%OUTDIR%\HKU-permissions.csv /saveas=csv >> %SUMMARYFILE%
+echo   * dumpsec.exe HKEY_USERS to HKU-permissions.csv
+DUMPSEC.exe /rpt=registry=HKEY_USERS /outfile=%OUTDIR%\HKU-permissions.csv /saveas=csv
+echo.
+
+echo   * 1.006, net localgroup "Administrators" | tee.cmd %OUTDIR%\admin_group.txt
+echo     -- net localgroup "Administrators" | tee.cmd %SUMMARYFILE%
+net localgroup "Administrators" > %OUTDIR%\admin_group.txt
+echo.
+
+echo   * 1.007, Backup Operators Group | tee.cmd %OUTDIR%\backup_group.txt
+echo     -- net localgroup "Backup Operators" | tee.cmd %SUMMARYFILE%
+net localgroup "Backup Operators" > %OUTDIR%\backup_group.txt
+echo.
+
+echo   * 2.001, Log File Permissions | tee.cmd %OUTDIR%\log_permissions.txt
+echo     -- icacls C:\Windows\System32\winevt\Logs\Application.evtx | tee.cmd %SUMMARYFILE%
+icacls C:\Windows\System32\winevt\Logs\Application.evtx > %OUTDIR%\log_permissions.txt
+echo     -- icacls C:\Windows\System32\winevt\Logs\Security.evtx | tee.cmd %SUMMARYFILE%
+icacls C:\Windows\System32\winevt\Logs\Security.evtx >> %OUTDIR%\log_permissions.txt
+echo     -- icacls C:\Windows\System32\winevt\Logs\System.evtx | tee.cmd %SUMMARYFILE%
+icacls C:\Windows\System32\winevt\Logs\System.evtx >> %OUTDIR%\log_permissions.txt
+echo.
+
+echo   * 2.008 NTFS Requirement | tee.cmd %OUTDIR%\disk_partitions.txt
+echo list volume > listvol.scr
+echo     -- diskpart /s listvol.scr | tee.cmd %SUMMARYFILE%
+diskpart /s listvol.scr > %OUTDIR%\disk_partitions.txt
+del listvol.scr
+
+echo   * 2.015 File Share ACLs | tee.cmd %OUTDIR%\net_shares.txt
+echo     -- net share | tee.cmd %SUMMARYFILE%
+net share > %OUTDIR%\net_shares.txt
+for /F "eol=; tokens=1 delims= " %%i in (%OUTDIR%\net_shares.txt) do (
+	set mytest=foo
+	if %%i == "2.015" set mytest=bar 
+	if "%%i" == "Share" set mytest=bar
+	if "%%i" == "The" set mytest=bar
+	if "%%i" == "-------------------------------------------------------------------------------" set mytest=bar
+	if '%%i' == '*' set mytest =bar
+	if "!mytest!"=="foo" (
+		echo.    - Permissions for %%i
+		echo    - net share %%i >> %SUMMARYFILE%
+		net share %%i >> %OUTDIR%\net_shares.txt 2>&1
+	)
+)
+echo.
+
+echo   * 2.005, Unsupported Service Packs | tee.cmd %OUTDIR%\os_info.txt
+echo     -- systeminfo OS Name, Version, Type, Domain, Logon Server | tee.cmd %SUMMARYFILE%
+systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type" /C:"Domain" /C:"Logon Server" > %OUTDIR%\os_info.txt
+echo.
+
+echo   * 2.019 Security Related Software Patches | tee.cmd %OUTDIR%\hotfixes.txt
+echo     -- wmic /output:hotfixes.txt qfe list | tee.cmd %SUMMARYFILE%
+wmic qfe list > %OUTDIR%\hotfixes.txt
+echo.
+
+echo   * 2.021, Software Certificate Installation Files | tee.cmd %OUTDIR%\hotfixes.txt
+echo     -- dir /s /b *.p12 *.pfs (C:\) | tee.cmd %SUMMARYFILE%
+cd C:\
+dir /s /b *.p12 *.pfs > %OUTDIR%\hotfixes.txt
+cd %originaldir%
+echo.
+
+REM Miscellaneous info
+echo Miscellaneous Information | tee.cmd %SUMMARYFILE%
+echo   * tasklist.exe - process list | tee.cmd %SUMMARYFILE%
+set OUTFILE=%OUTDIR%\tasklist.txt
+echo     -- tasklist.exe | tee.cmd %SUMMARYFILE%
+tasklist.exe > %OUTFILE%
+fciv.exe -both "%OUTFILE%" >> %CHECKSUMS%
+
+echo   * net.exe start - Running Windows Services | tee.cmd %SUMMARYFILE%
+set OUTFILE=%OUTDIR%\net-start.txt
+echo     -- net.exe start | tee.cmd %SUMMARYFILE%
+net.exe start > %OUTFILE%
+fciv.exe -both "%OUTFILE%" >> %CHECKSUMS%
+
+echo   * tasklist /svc - Services Associated with Processes | tee.cmd %SUMMARYFILE%
+set OUTFILE=%OUTDIR%\tasklist-svc.txt
+echo     -- tasklist.exe /svc | tee.cmd %SUMMARYFILE%
+tasklist.exe /svc > %OUTFILE%
+fciv.exe -both "%OUTFILE%" >> %CHECKSUMS%
+
+echo   * wmic process list full - detailed process information  | tee.cmd %SUMMARYFILE%
+set OUTFILE=%OUTDIR%\wmic-process-list-full.txt
+echo     -- wmic.exe process list full | tee.cmd %SUMMARYFILE%
+wmic.exe process list full > %OUTFILE%
+fciv.exe -both "%OUTFILE%" >> %CHECKSUMS%
+
+echo   * wmic startup list full - List all startup tasks | tee.cmd %SUMMARYFILE%
+set OUTFILE=%OUTDIR%\wmic-startup-list-full.txt
+echo     -- wmic.exe startup list full | tee.cmd %SUMMARYFILE%
+wmic.exe startup list full > %OUTFILE%
+fciv.exe -both "%OUTFILE%" >> %CHECKSUMS%
+
+echo   * reg query  - list contents of startup registry keys | tee.cmd %SUMMARYFILE%
+echo      - reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
+echo      - reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run >> %SUMMARYFILE%
+set OUTFILE=%OUTDIR%\reg-query-Run.txt
+echo     -- reg.exe query HKLM\Software\Microsoft\Windows\CurrentVersion\Run | tee.cmd %SUMMARYFILE%
+reg.exe query HKLM\Software\Microsoft\Windows\CurrentVersion\Run  2>&1 > %OUTFILE%
+fciv.exe -both "%OUTFILE%" >> %CHECKSUMS%
+
+echo      - reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Runonce | tee.cmd %SUMMARYFILE% 
+set OUTFILE=%OUTDIR%\reg-query-Runonce.txt
+echo     -- reg.exe query HKLM\Software\Microsoft\Windows\CurrentVersion\Runonce | tee.cmd %SUMMARYFILE%
+reg.exe query HKLM\Software\Microsoft\Windows\CurrentVersion\Runonce 2>&1 > %OUTFILE%
+fciv.exe -both "%OUTFILE%" >> %CHECKSUMS%
+ 
+echo      - reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunonceEx | tee.cmd %SUMMARYFILE%
+set OUTFILE=%OUTDIR%\reg-query-Runonce-Ex.txt
+echo     -- reg.exe query HKLM\Software\Microsoft\Windows\CurrentVersion\RunonceEx | tee.cmd %SUMMARYFILE%
+reg.exe query HKLM\Software\Microsoft\Windows\CurrentVersion\RunonceEx 2>&1 > %OUTFILE%
+fciv.exe -both "%OUTFILE%" >> %CHECKSUMS%
+
+echo   * netstat -naob - list network services, connections and processes | tee.cmd %SUMMARYFILE%
+set OUTFILE=%OUTDIR%\netstat-naob.txt
+echo     -- netstat -naob | tee.cmd %SUMMARYFILE%
+netstat -naob > %OUTFILE%
+fciv.exe -both "%OUTFILE%" >> %CHECKSUMS%
+ 
+echo   * nbtstat -S - record active NetBIOS connections | tee.cmd %SUMMARYFILE%
+set OUTFILE=%OUTDIR%\nbtstat-S.txt
+echo     -- nbtstat -S | tee.cmd %SUMMARYFILE%
+nbtstat -S > %OUTFILE%
+fciv.exe -both "%OUTFILE%" >> %CHECKSUMS%
+
+echo   * nbtstat -c - record cached NetBIOS connections | tee.cmd %SUMMARYFILE%
+set OUTFILE=%OUTDIR%\nbtstat-c.txt
+echo     -- nbtstat -c | tee.cmd %SUMMARYFILE%
+nbtstat -c > %OUTFILE%
+fciv.exe -both "%OUTFILE%" >> %CHECKSUMS%
+
+echo   * arp -a - record Arp Table  | tee.cmd %SUMMARYFILE%
+set OUTFILE=%OUTDIR%\arp-a.txt
+echo     -- arp -a | tee.cmd %SUMMARYFILE%
+arp -a > %OUTFILE%
+fciv.exe -both "%OUTFILE%" >> %CHECKSUMS%
+
+echo   * ipconfig /all - List all network devices | tee.cmd %SUMMARYFILE%
+set OUTFILE=%OUTDIR%\ipconfig-all.txt
+echo     -- ipconfig /all | tee.cmd %SUMMARYFILE%
+ipconfig /all > %OUTFILE%
+fciv.exe -both "%OUTFILE%" >> %CHECKSUMS%
+
+echo   * net view \\127.0.0.1  - list file shares | tee.cmd %SUMMARYFILE%
+set OUTFILE=%OUTDIR%\file-shares.txt
+echo     -- net view \\127.0.0.1 | tee.cmd %SUMMARYFILE%
+net view \\127.0.0.1 > %OUTFILE%
+fciv.exe -both "%OUTFILE%" >> %CHECKSUMS%
+
+echo   * net sessions - list open NetBIOS sessions | tee.cmd %SUMMARYFILE%
+set OUTFILE=%OUTDIR%\net-sessions.txt
+echo     -- net sessions | tee.cmd %SUMMARYFILE%
+net sessions > %OUTFILE%
+fciv.exe -both "%OUTFILE%" >> %CHECKSUMS%
+
+echo   * netsh firewall show config - display firewall configuration | tee.cmd %SUMMARYFILE%
+set OUTFILE=%OUTDIR%\netsh-firewall-show-config.txt
+echo     -- netsh firewall show config | tee.cmd %SUMMARYFILE%
+netsh firewall show config > %OUTFILE%
+fciv.exe -both "%OUTFILE%" >> %CHECKSUMS%
+
+echo   * net user - list system users | tee.cmd %SUMMARYFILE%
+set OUTFILE=%OUTDIR%\system-users.txt
+echo     -- net user | tee.cmd %SUMMARYFILE%
+net user > %OUTFILE%
+fciv.exe -both "%OUTFILE%" >> %CHECKSUMS%
+
+echo   * net localgroup administrators - list local system administrator accounts | tee.cmd %SUMMARYFILE%
+set OUTFILE=%OUTDIR%\local-administrators.txt
+echo     -- net localgroup administrator | tee.cmd %SUMMARYFILE%
+net localgroup administrators > %OUTFILE%
+fciv.exe -both "%OUTFILE%" >> %CHECKSUMS%
+
+echo   * Installed Software | tee.cmd %SUMMARYFILE%
+set OUTFILE=%OUTDIR%\installed-software.csv
+echo     -- wmic product /format:csv get name,version | tee.cmd %SUMMARYFILE%
+wmic product get /format:csv name,version > %OUTFILE%
+
+echo   * Query the registry for values | tee.cmd  %SUMMARYFILE%
+for /F "eol=; tokens=1,2 delims=," %%i in (reg-values-to-check.txt) do (
+	echo     - reg query "%%i" | tee.cmd  %SUMMARYFILE%
+	if "%%j" NEQ "" (
+		if "%%j" EQU "(Default)" (reg query "%%i" /v 2>&1 >> %OUTDIR%\registry-values.txt
+		) else (reg query "%%i" /v "%%j" 2>&1 >> %OUTDIR%\registry-values.txt)
+	) else (reg query "%%i" 2>&1 >> %OUTDIR%\registry-values.txt)
+)
+
+echo   * Gather file version information | tee.cmd  %SUMMARYFILE%
+for /F "eol=; tokens=* delims= " %%i in (files-to-version.txt) do (
+	echo     -- filever.vbs %%i | tee.cmd  %SUMMARYFILE%
+	cscript -nologo "%originaldir%\filever.vbs" "%%i" >> %OUTDIR%\file-version-results.txt
+)
+
+echo   * Gather auditing information | tee.cmd  %SUMMARYFILE%
+set OUTFILE=%OUTDIR%\audit_information.csv
+echo     -- auditpol /get /category:* /r
+auditpol /get /category:* /r > %OUTFILE%
+
+echo   * Gather Security Policy Information | tee.cmd %SUMMARYFILE%
+echo     -- secedit /export /cfg security_policy.inf /areas SECURITYPOLICY
+secedit /export /cfg %OUTDIR%\security_policy.inf /areas SECURITYPOLICY /quiet
+
+REM Do this last, so they can save off the policy, zip everything up and finish the script.
+REM echo Security Policy Checks | tee.cmd  %SUMMARYFILE%
+REM echo   gpedit.msc will open.
+REM echo      Expand: Computer Configuration 
+REM echo                       - Windows Settings 
+REM echo                                 -- Security Settings 
+REM echo                                             --- Local Policies
+REM echo.
+REM echo   * Audit Policy - single click, right click - export list, 
+REM echo      -- save as audit_policy.txt
+REM echo   * User Rights - single click, right click - export list, 
+REM echo      -- save as user_rights.txt
+REM echo   * Security Options - single click, right click - export list, 
+REM echo      -- save as security_options.txt
+REM echo   * Under Account Policies, save Password Policies and Account Lockout Policies
+REM echo      -- save as password_policy.txt
+REM echo      -- save as account_policy.txt
+REM echo.
+REM echo   Close the Policy editor when you're finished.
+REM echo   * gpedit.msc | tee.cmd %SUMMARYFILE%
+REM gpedit.msc 
+REM echo. 
+
+REM ########################################################################
+REM End Data Gathering
+REM ########################################################################
+
+echo Windows data collection complete.  Normality has been restored...
+REM echo Zip and copy %OUTDIR% to the PTL for further analysis.
+REM dir %OUTDIR%
+REM PAUSE
+
+7z u -y -tzip DataCollection.zip %OUTDIR%
+
+cd %originaldir%
+:end_of_script
+cd !originaldir!
--- a/Tools/Windows/Windows-Manual-Tools/Fport-readme.txt
+++ b/Tools/Windows/Windows-Manual-Tools/Fport-readme.txt
@ -0,0 +1,38 @@
+Readme for fport v2.0
+
+fport supports Windows NT4, Windows 2000 and Windows XP
+
+fport reports all open TCP/IP and UDP ports and maps them to the owning application.
+This is the same information you would see using the 'netstat -an' command, but it also
+maps those ports to running processes with the PID, process name and path.  Fport can be
+used to quickly identify unknown open ports and their associated applications.
+
+Usage:  
+C:\>fport
+FPort v2.0 - TCP/IP Process to Port Mapper
+Copyright 2000 by Foundstone, Inc.
+http://www.foundstone.com
+Pid   Process            Port  Proto Path
+392   svchost        ->  135   TCP   C:\WINNT\system32\svchost.exe
+8     System         ->  139   TCP
+8     System         ->  445   TCP
+508   MSTask         ->  1025  TCP   C:\WINNT\system32\MSTask.exe
+
+392   svchost        ->  135   UDP   C:\WINNT\system32\svchost.exe
+8     System         ->  137   UDP
+8     System         ->  138   UDP
+8     System         ->  445   UDP
+224   lsass          ->  500   UDP   C:\WINNT\system32\lsass.exe
+212   services       ->  1026  UDP   C:\WINNT\system32\services.exe
+
+The program contains five (5) switches.  The switches may be utilized using either a '/' 
+or a '-' preceding the switch.  The switches are;
+
+Usage:
+	/?	 usage help
+        /p       sort by port
+        /a       sort by application
+        /i       sort by pid
+        /ap      sort by application path
+
+For updates visit:  www.foundstone.com
--- a/Tools/Windows/Windows-Manual-Tools/Fport.exe
+++ b/Tools/Windows/Windows-Manual-Tools/Fport.exe
--- a/Tools/Windows/Windows-Manual-Tools/tee.cmd
+++ b/Tools/Windows/Windows-Manual-Tools/tee.cmd
@ -0,0 +1,28 @@
+::tee.cmd, by Ken Henderson
+:: http://blogs.msdn.com/khen1234/archive/2005/10/27/486031.aspx
+:: modified to append the file rather than over-write
+@echo off
+
+IF (%1)==() GOTO help
+IF (%1)==(-a) (SET FILE=%2) || (SET FILE=%1)
+
+::Overwrite the file (W2K/XP require /Y)
+:: SET slash_y=
+:: ver <20> find "Windows NT" >nul
+:: if ERRORLEVEL 1 set slash_y=/Y
+
+:: ::Overwrite the file
+:: copy %slash_y% nul %1 >nul 2>&1
+
+for /f "tokens=1* delims=]" %%A in ('find /V /N ""') do (
+ >con echo.%%B
+ >>%FILE% echo.%%B
+)
+
+GOTO :eof
+
+:help
+ECHO.
+ECHO Pipe text to the console and redirect to a file simultaneously
+ECHO.
+ECHO Usage:  command | tee filename
--- a/Tools/Windows/Windows-Manual-Tools/u_active-directory-utilities.zip
+++ b/Tools/Windows/Windows-Manual-Tools/u_active-directory-utilities.zip
--- a/Tools/Windows/Windows-Manual-Tools/u_dumpsec.zip
+++ b/Tools/Windows/Windows-Manual-Tools/u_dumpsec.zip
--- a/Tools/Windows/Windows-Manual-Tools/u_net-framework-tools.zip
+++ b/Tools/Windows/Windows-Manual-Tools/u_net-framework-tools.zip