Michael Starks responded with the Windows command to determine account availability.
    net user account_name | find "Account active Yes"

This could be placed in the full_command syntax on the agent machine's ossec.conf. This would need to be distributed to all agent machines by some means.

Scott

On Nov 29, 2012, at 2:56 AM, Michiel van Es <[email protected]> wrote:

> Hmm, the code is from 2010 and there are 2 beta versions... it doesn't look like there
> is a lot of progress on the development of this product.
> I might try OpenVAS, but it would be great if there was a check. Since we do
> check files for Linux with OSSEC, I would imagine you could do something
> similar with OSSEC; Windows accounts are stored (at least on older versions)
> in the SAM database.
>
> On Tuesday, 27 November 2012 18:20:47 UTC+1, sklauminzer wrote:
>>
>> Something like this might be a better tool for your needs:
>> SSA - Security System Analyzer 2.0
>> http://code.google.com/p/ssa/
>>
>> You could tie it into OSSEC with the full_command option.
>>
>> If all you need is to determine the Admin account status, then use a
>> PowerShell command in full_command.
>>
>> Scott
>>
>> On Nov 27, 2012, at 4:02 AM, Michiel van Es <[email protected]> wrote:
>>
>> > Hi,
>> >
>> > We want to check for hardening and one of our Windows hardening rules is
>> > to rename the Administrator account and create a decoy Administrator
>> > account, not part of any group and disabled.
>> > One of the things we want to check is to see if the Administrator account
>> > is enabled on Windows machines.
>> >
>> > Is there a check or simple script with which I can establish this on the Windows
>> > machines?
>> >
>> > Regards,
>> >
>> > Michiel
>>
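
One way to wire the check discussed in this thread into OSSEC, as an added example that is not part of the original messages: the agent runs net user through full_command and the manager alerts when the decoy account reports as active. The rule id, group name, alert level and one-hour frequency are assumptions, and the match is done in the manager rule rather than with a find pipe on the agent.

```xml
<!-- Agent side: ossec.conf on each Windows agent (added example). -->
<ossec_config>
  <localfile>
    <log_format>full_command</log_format>
    <!-- "Administrator" is the decoy account described in the thread. -->
    <command>net user Administrator</command>
    <!-- Assumed interval: run once an hour (value is in seconds). -->
    <frequency>3600</frequency>
  </localfile>
</ossec_config>

<!-- Manager side: local_rules.xml. Rule id, group name and level are assumed. -->
<group name="local,windows_hardening,">
  <rule id="100200" level="10">
    <!-- 530 is the stock parent rule for "ossec: output:" command events. -->
    <if_sid>530</if_sid>
    <match>ossec: output: 'net user Administrator'</match>
    <!-- net user pads this field with several spaces, hence \s+. -->
    <regex>Account active\s+Yes</regex>
    <description>Decoy Administrator account is enabled.</description>
  </rule>
</group>
```

The localfile block still has to reach every agent's ossec.conf, as noted in the reply above; the rule lives only on the manager.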
