Responses in-line...

On Fri, Mar 20, 2015 at 5:37 AM, Kelley, Matthew <[email protected]> wrote:
> Is this a one-time data capture, or something you need to do on a recurring
> basis?

Recurring, minimum once a week.

> Do you have any systems management software, like SCCM, in your
> environment?

We have no systems management software, though we have an EA agreement
(my manager doesn't like SCCM - I have no experience with it, though
I'd love to get my hands dirty with it, and with SCOM, but we do have
PRTG, which would get very expensive if we tried to monitor
workstations with it.)

> If not, do your machines run a startup script through Group
> Policies? The best solution would be SCCM or something similar, where you
> can easily inventory registry keys and WMI data. Second best would be a
> logon or shutdown script that mines this data and writes it to a network
> share that your computer accounts (domain computers in AD) have write
> permissions on.

We have lots of people who never log off or shut down their machines,
except when we patch (me included!). It will be better (IMHO) to have
all of this gathered and processed in a more controlled fashion.

> Then you would just need a script to compile all these
> results into whatever format you want for viewing, like an Excel
> spreadsheet. Having one machine open connections to all other machines in
> your environment is cumbersome, but it will work if some of the other
> options are unavailable, or if this is just a one-time event.

I'm intent on building a management station, as a counterpart to our
SecurityOnion installation. It'll be performing some other tasks as
well - this is just the first step.

BTW - if you're interested, the SANS webcast (which requires free
registration) is here:
https://www.sans.org/webcasts/seamless-continuous-monitoring-defend-organization-cyber-attacks-99472

Kurt

