Showing posts with label Operating Systems. Show all posts

Monday, July 6, 2009

Microsoft Technet Summer Scripting Games : Javelin Throw

I was invited to be a guest commentator for the Javelin Throw event during the recently concluded Microsoft Technet Summer Scripting Games. For this scenario, I had to write a time logger with time-stamped text entries that describe a particular activity. I created a VB script that accepts user inputs as arguments and stores these, together with the date and time of the activity, the amount of time spent on the activity, the status of the activity and some remarks, in a CSV file.



You can find my write-up and solution at this link:

Thursday, June 25, 2009

Checking for Remote Desktop Status of a Remote Server

Here's a script that checks for the Remote Desktop feature status of a remote server. The server hostnames are read off a servers.ini file. The server's registry is then queried for the DWORD value of fDenyTSConnections under the server's HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server registry key.
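The same check in PowerShell, as an added example that is not the post's own script: it reads the hostnames from servers.ini, queries fDenyTSConnections under the Terminal Server key through the StdRegProv WMI class on each server, and writes the result to a CSV. The servers.ini layout (one hostname per line, `;` comments allowed) and the output file name are assumptions; the script needs WMI/DCOM access and local administrator rights on the remote servers.

```powershell
# Added example, not the post's own script: read fDenyTSConnections from each server
# listed in servers.ini (one hostname per line; a constructed input file) over WMI.
# Assumes DCOM/WMI access and local admin rights on the remote servers.

$HKEY_LOCAL_MACHINE = [uint32]2147483650      # hive constant used by StdRegProv
$RdpKey = 'SYSTEM\CurrentControlSet\Control\Terminal Server'

function Get-RdpStatus {
    param([Parameter(Mandatory=$true)][string]$ComputerName)

    try {
        $reg = [wmiclass]"\\$ComputerName\root\default:StdRegProv"
        $res = $reg.GetDWORDValue($HKEY_LOCAL_MACHINE, $RdpKey, 'fDenyTSConnections')
        if ($res.ReturnValue -ne 0) {
            throw "StdRegProv returned error code $($res.ReturnValue)"
        }
        # fDenyTSConnections: 0 = connections allowed (Remote Desktop on), 1 = denied (off)
        $status = if ($res.uValue -eq 0) { 'Enabled' } else { 'Disabled' }
    }
    catch {
        # Unreachable host, access denied or missing value: record it instead of stopping
        $status = "Error: $($_.Exception.Message)"
    }

    New-Object PSObject -Property @{
        ComputerName  = $ComputerName
        RemoteDesktop = $status
        Checked       = Get-Date -Format 's'
    }
}

Get-Content -Path .\servers.ini |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -ne '' -and -not $_.StartsWith(';') } |
    ForEach-Object { Get-RdpStatus -ComputerName $_ } |
    Select-Object ComputerName, RemoteDesktop, Checked |
    Export-Csv -Path .\rdp-status.csv -NoTypeInformation
```

Errors are kept as rows rather than thrown, so one unreachable server does not stop the sweep and the CSV still shows which hosts could not be verified; a host that should not expose Remote Desktop but reports "Enabled" is the row to follow up on.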




Wednesday, June 24, 2009

List Local Users of Remote Systems (Powershell)

Here's a Powershell script that reads the hostnames off a text file (hosts.ini) and lists all the local users of the remote host:
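A fuller version of the same idea, as an added example rather than the post's own script: it reads hosts.ini and lists the local accounts on each host through the ADSI WinNT provider, adding the two account flags an auditor usually wants (disabled, password never expires). The input file format is an assumption, and the caller needs rights to read the remote SAM (normally local Administrators on the target).

```powershell
# Added example, not the post's own script: list local accounts on each host named in
# hosts.ini (one hostname per line; a constructed input file) via the ADSI WinNT provider.
# Assumes the caller can read the remote SAM (typically local Administrators).

function Get-RemoteLocalUser {
    param([Parameter(Mandatory=$true)][string]$ComputerName)

    $ADS_UF_ACCOUNTDISABLE     = 0x0002     # UserFlags bits documented for the WinNT provider
    $ADS_UF_DONT_EXPIRE_PASSWD = 0x10000

    try {
        $computer = [ADSI]"WinNT://$ComputerName,computer"
        $computer.psbase.Children |
            Where-Object { $_.psbase.SchemaClassName -eq 'user' } |
            ForEach-Object {
                $flags = [int]$_.UserFlags.Value
                New-Object PSObject -Property @{
                    ComputerName         = $ComputerName
                    UserName             = $_.psbase.Name
                    Disabled             = [bool]($flags -band $ADS_UF_ACCOUNTDISABLE)
                    PasswordNeverExpires = [bool]($flags -band $ADS_UF_DONT_EXPIRE_PASSWD)
                }
            }
    }
    catch {
        # Host down, RPC blocked or access denied: report and move on to the next host
        Write-Warning "$ComputerName : $($_.Exception.Message)"
    }
}

Get-Content -Path .\hosts.ini |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -ne '' } |
    ForEach-Object { Get-RemoteLocalUser -ComputerName $_ } |
    Format-Table ComputerName, UserName, Disabled, PasswordNeverExpires -AutoSize
```

Pipe the output to Export-Csv instead of Format-Table to keep a baseline; diffing two runs is a quick way to spot local accounts that appeared on a server without a change record.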

Tuesday, March 31, 2009

Rebooting a computer (VBS)

The script shown in this post pops up a message to the current logged-in user informing him that a reboot is required.




The user has the option to proceed with the reboot or he can choose to click the "No" button and abort the reboot. Clicking "Yes" will invoke the ShutMeDown procedure which uses the .Reboot method to reboot the computer. Clicking "No" will display the following pop-up:



Not clicking on either the "Yes" or "No" after 60 seconds will abort the script from continuing.



For what possible situations can this script be used? Follow the discussion in the following thread in The Official Scripting Guys Forum on Technet:

http://social.technet.microsoft.com/Forums/en-US/ITCG/thread/65e8699f-fca4-4e08-a181-8b621acbf963

Monday, March 30, 2009

Enumerating Members of a Group (including Nested Groups)

Here's another simple and straightforward script that queries and enumerates the members of an active directory group. If there are nested groups within the groups being queried, these will also be subsequently checked and their members listed.

This is the main body of the script. I have, for this example, three sites where two groups are being queried (one group, for example, is EU-ServerAdmins-G). There is a call in the main body to the EnumGroups function where three parameters are passed (strSite, strDN and strGroupName).



The EnumGroups function queries the strDN parameter and checks its members. In the Select Case block, the object class is further checked; if the object is itself a group, the function executes again with this group as part of the parameters passed (hence, nested groups will also be queried).



The output of this script is written onto a file (groups.csv). An example output file would look like this:
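The same recursive enumeration in PowerShell, as an added example that is not the post's own script: it walks a group's member attribute through ADSI, recurses into members whose schema class is group, and writes groups.csv with the site, group, member, object class and the nested group a member came through. It also handles one case the post does not mention: groups that contain each other would recurse forever, so expanded DNs are tracked in a hashtable. The site names and group DNs are constructed placeholders; the script assumes a domain-joined machine with LDAP access.

```powershell
# Added example, not the post's own script: enumerate a group's members via ADSI,
# descending into nested groups, and write the result to groups.csv.
# Assumes a domain-joined machine with LDAP access; the DNs below are constructed.

function Get-GroupMemberRecursive {
    param(
        [Parameter(Mandatory=$true)][string]$GroupDN,
        [string]$Site = '',
        [string]$ViaGroup = '',
        [hashtable]$Visited = @{}
    )

    # Groups can be nested circularly (A in B, B in A): only expand each group once
    if ($Visited.ContainsKey($GroupDN)) { return }
    $Visited[$GroupDN] = $true

    $group     = [ADSI]"LDAP://$GroupDN"
    $groupName = [string]$group.psbase.Properties['sAMAccountName'].Value

    foreach ($memberDN in @($group.psbase.Properties['member'])) {
        $member = [ADSI]"LDAP://$memberDN"
        $class  = $member.psbase.SchemaClassName      # 'user', 'group', 'computer', ...

        New-Object PSObject -Property @{
            Site      = $Site
            Group     = $groupName
            Member    = [string]$member.psbase.Properties['sAMAccountName'].Value
            Class     = $class
            NestedVia = $ViaGroup
        }

        if ($class -eq 'group') {
            Get-GroupMemberRecursive -GroupDN $memberDN -Site $Site -ViaGroup $groupName -Visited $Visited
        }
    }
}

# Constructed input mirroring the post's layout: sites, each with the groups to query
$groups = @(
    @{ Site = 'EU'; DN = 'CN=EU-ServerAdmins-G,OU=Groups,DC=example,DC=com' },
    @{ Site = 'EU'; DN = 'CN=EU-Helpdesk-G,OU=Groups,DC=example,DC=com' }
)

$groups |
    ForEach-Object { Get-GroupMemberRecursive -GroupDN $_.DN -Site $_.Site } |
    Select-Object Site, Group, Member, Class, NestedVia |
    Export-Csv -Path .\groups.csv -NoTypeInformation
```

The NestedVia column is the useful one when reviewing admin groups: a user who is in EU-ServerAdmins-G only through a nested group is easy to miss in the console, and that is exactly the membership that tends to outlive the reason it was granted.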


Monday, March 23, 2009

Stopping and Restarting Multiple Services using VBS

Here's a script that will stop and then restart multiple services using VB script. It stores the services under an array (in this example, I was working on the BITS, Browser, and wuauserv services). Do note that the Win32_Service.Name property should be used and not the Win32_Service.DisplayName; if you want to make use of the more user-friendly or readable .DisplayName property, you have to modify the query for the variable colListOfServices. This script can also be enhanced to accept arguments from the CLI or read off an input file for a list of services to stop.
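The PowerShell equivalent, as an added example and not the post's VB script: it takes the service names from the command line or from a file (the enhancement the post suggests), defaults to the same BITS, Browser and wuauserv set, and stops and restarts each one with a wait for the state change. It matches on the short service name, the same value as Win32_Service.Name; the file name and the 30-second timeout are assumptions.

```powershell
# Added example, not the post's own script: stop and restart a list of services.
# Save as Restart-Services.ps1; names come from -Name, from -ListFile (one service
# short name per line, a constructed format), or default to the post's three services.

param(
    [string[]]$Name = @('BITS', 'Browser', 'wuauserv'),
    [string]$ListFile
)

if ($ListFile) {
    $Name = Get-Content -Path $ListFile | ForEach-Object { $_.Trim() } | Where-Object { $_ }
}

foreach ($svcName in $Name) {
    # Get-Service -Name matches the short name (Win32_Service.Name); use -DisplayName
    # instead if the list holds the friendly names (Win32_Service.DisplayName).
    $svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Warning "Service '$svcName' not found; skipping"
        continue
    }

    if ($svc.Status -eq 'Running') {
        Write-Host "Stopping $($svc.DisplayName) ($svcName)..."
        # -Force also stops services that depend on this one; they are not restarted here
        Stop-Service -Name $svcName -Force
        $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(30))
    }

    Write-Host "Starting $($svc.DisplayName) ($svcName)..."
    Start-Service -Name $svcName
    $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
    $svc.Refresh()
    Write-Host "$svcName is now $($svc.Status)"
}
```

WaitForStatus throws if the service does not reach the expected state within the timeout, which is the behaviour you want in a scheduled job: a hung service should fail the run loudly rather than be reported as restarted.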



This script was created for the following thread from the Microsoft Technet's The Official Scripting Guys Forum:

http://social.technet.microsoft.com/Forums/en-US/ITCG/thread/3db5d54d-1d7f-46c5-9129-2130a7bdfaa8/

Friday, February 27, 2009

Moderating the "The Official Scripting Guys" Forum in Technet

Yep, I am now one of the moderators of "The Official Scripting Guys Forum" in Technet. I feel humbled to be in the company of the other moderators, the best of the best, whom I have looked up to in the past. This is my own little way of "paying it forward"...

Thursday, February 12, 2009

Checking for the Uptime of a Remote Computer

I've created this script to query for the uptime of a remote computer. It takes, for an argument, the hostname or IP address of the remote machine. Here's the main body of the script:



The main body checks for one argument passed when the script is run; if the number of arguments is not equal to 1, the script exits. It then calls the GetUptime procedure:



The GetUptime procedure queries WMI for the Win32_PerfRawData_PerfOS_System class, in particular the Timestamp_Object, Frequency_Object, and the SystemUpTime properties. To calculate for the system uptime in seconds (in my example, I used the iUptimeInSec variable), the following formula was used:

iUptimeInSec = (intPerfTimeStamp - intCounter)/intPerfTimeFreq

This value is then passed to the ConvertTime(seconds) function.



The iUptimeInSec variable was converted to an easier-to-read format, e.g. days, hours, minutes and seconds.
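The whole procedure in PowerShell, as an added example that is not the post's own script: the same argument check, the same three Win32_PerfRawData_PerfOS_System properties combined with the post's formula, and the conversion to days, hours, minutes and seconds. It assumes WMI access to the target host; the script file name in the usage line is an assumption.

```powershell
# Added example, not the post's own script: uptime of a remote computer from the raw
# performance counters, using the post's formula, then formatted for humans.
# Save as Get-Uptime.ps1 and run with one argument (hostname or IP).

function ConvertTo-UptimeString {
    param([double]$Seconds)
    $ts = [TimeSpan]::FromSeconds($Seconds)
    '{0} days, {1} hours, {2} minutes, {3} seconds' -f $ts.Days, $ts.Hours, $ts.Minutes, $ts.Seconds
}

function Get-Uptime {
    param([string]$ComputerName = '.')

    $perf = Get-WmiObject -Class Win32_PerfRawData_PerfOS_System -ComputerName $ComputerName

    # Post's formula: iUptimeInSec = (intPerfTimeStamp - intCounter) / intPerfTimeFreq
    # with intPerfTimeStamp = Timestamp_Object, intCounter = SystemUpTime and
    # intPerfTimeFreq = Frequency_Object (timer ticks per second). The counters are
    # 64-bit unsigned values, so do the arithmetic in double to avoid overflow.
    $uptimeInSec = ([double]$perf.Timestamp_Object - [double]$perf.SystemUpTime) / [double]$perf.Frequency_Object

    New-Object PSObject -Property @{
        ComputerName  = $ComputerName
        UptimeSeconds = [math]::Round($uptimeInSec)
        Uptime        = ConvertTo-UptimeString -Seconds $uptimeInSec
    }
}

# Same guard as the post's main body: exactly one argument, otherwise exit
if ($args.Count -ne 1) {
    Write-Host 'Usage: Get-Uptime.ps1 <hostname or IP>'
    exit 1
}
Get-Uptime -ComputerName $args[0] | Select-Object ComputerName, UptimeSeconds, Uptime
```

An uptime that is suspiciously short on a server with no reboot in the change log is worth a look at the System event log; an uptime far longer than the last patch cycle tells you the patch never took effect.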

Tuesday, November 25, 2008

Walkthrough: Boot WinPE on a USB Thumbdrive

I was in a bind. I had onhand, a which I was trying to install a Vista image on. But this unit had neither a built-in nor an external CD or DVD drive. And all I had my trusted {Insiders} USB thumbdrive:



The I was using to boot up is in an ISO format. I used MagicISO to mount the ISO file to access the image's folder structure and its files. Once I had the files and folders ready, I had to do the following steps to be able to boot from my USB thumbdrive:
  1. list disk - displays disk information including disk number, size, and status
  2. select disk x - focuses all subsequent commands on a particular disk
  3. clean - cleans and removes all configuration information from the disk
  4. create partition primary - create a partition (of type primary in our example)
  5. list partition - displays partition information of the disk in focus
  6. select partition y - moves the focus to the partition y
  7. active - marks the partition in focus as the active boot partition
  8. format fs=fat32 - formats the active partition with the FAT32 file system
  9. assign - assigns a drive letter (the next available one) to the disk




I then mounted my WinPE ISO and copied the files/folders to the USB thumbdrive. And off I go, booting up WinPE from my {Insiders} USB thumbdrive.
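The nine diskpart steps driven from a script file, as an added example that is not part of the original post: it runs `list disk` first so the operator can check the number, asks for confirmation, and only then feeds steps 2 to 9 to `diskpart /s`. Because `clean` wipes whatever disk is selected, the disk number is a mandatory parameter rather than a default. The temp file name is an assumption, and `quick` is added to the post's format command to avoid a full format of the stick.

```powershell
# Added example, not the post's own steps verbatim: run the post's diskpart commands
# unattended against one explicitly chosen disk. Requires an elevated prompt.
# Save as New-BootableUsb.ps1 and run as: .\New-BootableUsb.ps1 -DiskNumber 1

param([Parameter(Mandatory=$true)][int]$DiskNumber)

function Invoke-DiskPart {
    param([string[]]$Commands)
    # diskpart /s reads commands from a plain text file, one per line
    $scriptPath = Join-Path $env:TEMP 'diskpart-script.txt'    # assumed temp file name
    Set-Content -Path $scriptPath -Value $Commands -Encoding ASCII
    diskpart /s $scriptPath
    $code = $LASTEXITCODE
    Remove-Item -Path $scriptPath -ErrorAction SilentlyContinue
    if ($code -ne 0) { throw "diskpart failed with exit code $code" }
}

# Step 1: show the disk table so the number can be verified against size/status
Invoke-DiskPart -Commands @('list disk')

$answer = Read-Host "ALL data on disk $DiskNumber will be destroyed. Type YES to continue"
if ($answer -ne 'YES') {
    Write-Host 'Aborted.'
    exit 1
}

# Steps 2-9 from the post; 'create partition primary' leaves the new partition (1) in focus,
# and 'select partition 1' makes that explicit before marking it active
Invoke-DiskPart -Commands @(
    "select disk $DiskNumber",
    'clean',
    'create partition primary',
    'list partition',
    'select partition 1',
    'active',
    'format fs=fat32 quick',
    'assign',
    'exit'
)

Write-Host "Disk $DiskNumber is now a bootable FAT32 volume; copy the WinPE files onto the new drive letter."
```

The confirmation prompt is the important part: on a laptop with one internal disk and one stick, the stick is usually disk 1, but a docking station or card reader can shift the numbering, and `clean` does not ask twice.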

Wednesday, November 19, 2008

Microsoft To Phase-out Live OneCare

Two years after a very hyped launch of Windows Live OneCare, Microsoft announced today that the product will be phased out next year and a free security solution (codenamed "Morro") will be released to replace it. The yet-to-be-announced product will offer a real-time anti-malware protection solution. OneCare, on the other hand, offers this capability on top of backup and management features. This is to be expected, given that Morro, according to Microsoft, is designed to use minimal computing resources to make it suitable for low-bandwidth scenarios and less powerful PCs, hence the smaller footprint.

Microsoft also announced that sales of the Windows Live OneCare subscription service as well as Windows Live OneCare for Server on SBS 2008 will end on June 30, 2009. OneCare users will have the option to move to Morro (it will be available everywhere OneCare currently is). The fact that Morro is FOC may also entice end-user adoption. However, I doubt it is capable of dislodging the industry leaders off their roosts in the enterprise security field.

Microsoft's entry into the consumer/enterprise security market back in 2006 was met with mixed reactions. And with this setback, whatever is left of Microsoft's foothold in this arena has taken a major beating.

Tuesday, November 18, 2008

Deleting *.bak Files When the Computer Turns Idle (VBS)

A similar thread from the Technet Forums:
http://social.technet.microsoft.com/Forums/en-US/ITCG/thread/2991aa59-07c6-413e-8bf0-9ffa2bd8f0d3

Here is a script that deletes all *.bak files on a computer's D: drive when the computer becomes idle after 10 minutes.



There is actually a trick behind this script. Using a script to check whether a computer is idle is not straightforward but rather relatively complicated (read my lips, I don't know how to do it). I made use of the Screen Saver timeout property via a registry hack, setting it to trigger after 10 minutes (600 seconds) via the sub procedure SetScrSvrTime():



The script checks if the screen saver process is running (it is implied that in this example, the computer is configured with the "Mystify.scr" screen saver). A connection to the WMI service on the local computer is made, and an event notification query fetches, within 20 seconds, a list of running processes:



The Do-While loop processes the information gathered from this query and checks for the screen saver "Mystify.scr" process. If found, it goes to another loop where a call to the DelFiles(strDrv) sub procedure is launched (strDrv is the parameter passed to the sub procedure which is actually the drive where the *.bak files are going to be deleted). This sub procedure then recursively checks and deletes all *.bak files found:



This script can be further customized to accomplish other things when the computer goes idle. For example, you may want to send out a notification, defrag the hard disk, run a backup and so on. The possibilities are endless; let your imagination loose!
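The same trick in PowerShell, as an added example that is not the post's own script: it sets the screen saver timeout in the registry, blocks on a WMI __InstanceCreationEvent for the screen saver process (polled every 20 seconds, as in the post), and then deletes *.bak files under the chosen drive. The drive, timeout and screen saver name are parameters with the post's values as defaults; the machine is assumed to have Mystify.scr configured as the current user's screen saver.

```powershell
# Added example, not the post's own script: wait for the screen saver to start (the post's
# stand-in for "the computer is idle"), then delete *.bak files under the given drive.
# Defaults mirror the post: D:\, 600 seconds, Mystify.scr.

param(
    [string]$Drive = 'D:\',
    [int]$TimeoutSeconds = 600,
    [string]$ScreenSaver = 'Mystify.scr'
)

function Set-ScreenSaverTimeout {
    param([int]$Seconds)
    # HKCU\Control Panel\Desktop\ScreenSaveTimeOut is stored as a string of seconds.
    # Windows reads it at logon, so, like the post's registry hack, a new value may
    # only take effect after the user logs off and on again.
    Set-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name ScreenSaveTimeOut -Value "$Seconds"
    Set-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name ScreenSaveActive  -Value '1'
}

function Wait-ProcessStart {
    param([string]$ProcessName)
    # Same event query as the post's VBS: process creation events, polled every 20 s
    $query = "SELECT * FROM __InstanceCreationEvent WITHIN 20 " +
             "WHERE TargetInstance ISA 'Win32_Process' AND TargetInstance.Name = '$ProcessName'"
    $watcher = New-Object System.Management.ManagementEventWatcher $query
    $null = $watcher.WaitForNextEvent()      # blocks until the screen saver launches
    $watcher.Stop()
}

function Remove-BakFiles {
    param([string]$Root)
    # -Filter *.bak can also match names like file.bakup through short-name matching,
    # so check the real extension before deleting anything
    $files = Get-ChildItem -Path $Root -Filter *.bak -Recurse -Force -ErrorAction SilentlyContinue |
             Where-Object { -not $_.PSIsContainer -and $_.Extension -eq '.bak' }
    foreach ($f in $files) {
        Remove-Item -LiteralPath $f.FullName -Force
        Write-Host "Deleted $($f.FullName)"
    }
    return @($files).Count
}

Set-ScreenSaverTimeout -Seconds $TimeoutSeconds
Write-Host "Waiting for $ScreenSaver to start (idle for $TimeoutSeconds seconds)..."
Wait-ProcessStart -ProcessName $ScreenSaver
$count = Remove-BakFiles -Root $Drive
Write-Host "$count *.bak file(s) removed from $Drive"
```

Run it first with the Remove-Item line replaced by Write-Host to see what the filter would delete; a recursive delete driven by a wildcard is the kind of script that should be dry-run once before it goes into a scheduled task.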

For those interested to have a copy of this script, please drop this post a comment.

Wednesday, November 12, 2008

Microsoft Fixes 7-Year Old Flaw + MS08-068 Exploit

One of the two patches released by Microsoft for the month of November addresses a vulnerability first reported in 2001 by , better known as Sir Dystic from the Cult of the Dead Cow (cDc). He found a vulnerability in Microsoft operating systems which enables an attacker to gain complete access to a user's computer. He wrote a utility, (and its NETBIOS-bound brother, ), which demonstrates the flaw. Employing man-in-the-middle tactics, the program receives a connection on port 139, connects back to the connecting computer's port 139, and relays the packets between the client and server of the connecting Windows machine, modifying these packets when necessary. On top of that, collects the NTLM password hashes and saves them to a file readable by L0phtCrack for cracking.

Apparently, it took Microsoft 7 years to finally address this vulnerability, as mentioned here. According to this article, exploit code for this flaw is currently available on the internet. In fact, Metasploit has a PoC/working exploit which runs under the 'sploit framework.

The released patch, although given just a criticality rating of "Important" (whereas, MS08-069 was rated "Critical"), appears more interesting given the fact that this fixes a 7-year old flaw.

Going back to the tool, here are some switches and parameters that the tool uses:

Usage: smbrelay [options]
Options:

/D num - Set debug level, current valid levels: 0 (none), 1, 2 (Default is 0)
/E - Enumerates interfaces and their indexes
/IL num - Set the interface index to use when adding local IP addresses
/IR num - Set the interface index to use when adding relay IP addresses
Defaults to 1. Use /E to display the adapter indexes
/L[+] IP - Set the local IP to listen on for incoming NetBIOS connections
Use + to first add the IP address to the NIC
Defaults to primary host IP

/R[-] IP - Set the starting relay IP address to use
Use - to NOT first add each relay IP address to the NIC
Defaults to 192.1.1.1
/S name - Set the source machine name
Defaults to CDC4EVER

, on the other hand, has the following switches and parameters:

SMBRelay2 [Options]
Options:
/A LanaNum - Use LanaNum
Defaults to 0
/D DebugLevel - Level of debug messages, valid levels 0 - 3
Defaults to 0
/L LocalName - Listen for primary connection on LocalName
Defaults to SERVER
/R RelayName - Listen for relay connection on RelayName
Defaults to RELAY
/S SourceName - Use SourceName when connecting to target
Defaults to CDC4EVER
/T TargetName - Connect to TargetName for relay
Defaults to connecting back to client

Monday, November 10, 2008

Microsoft Security Bulletin Advance Notification for November 2008

The usual heads-up from Microsoft for this month mentions two vulnerabilities, one critical and one important. The patches which will address these vulnerabilities will be released on 11 November 2008 (12 November for those in Asia-Pac) during the routine "Patch Tuesday" cycle. Both the vulnerabilities affect the Windows OS from Windows 2000 Pro/Server up to Windows Server 2008 including Windows XP/Vista and Windows Server 2003. Furthermore, a Microsoft Office component is affected. For more information on the affected OS and application plus other relevant information pertaining to the release, please visit the following link:

http://www.microsoft.com/technet/security/Bulletin/MS08-nov.mspx

Expect another busy week ahead, what with all the regression testing, deployment tests, and more that the sys admins and application owners/testers will go through prior to the productive release of the patches in an enterprise. No rest. For the wicked admins.

Thursday, November 6, 2008

Offline Files Synchronization Errors (Sync Center)

This has got me stumped. My users' home folders are stored on a NetApp filer (CIFS). "My Documents" and "Favorites" are redirected and made available offline. On the filer, oplocks have been set to "on". When a user syncs his offline files from his Windows Vista Enterprise computer, the "view sync results" window displays a lot of errors (Details: "The process cannot access the file because it is being used by another process."). On a Windows XP computer, synchronization works like a charm.

KB296264 mentions modifying the registry of Windows Servers, so this doesn't apply in my case. I'm on a quest to find a solution for this. =)

Follow the ongoing thread in the Technet File Services and Storage forum:
http://social.technet.microsoft.com/Forums/en-US/winserverfiles/thread/26bc65ca-5663-4183-b15b-f49a4cb664d0

Wednesday, November 5, 2008

Script to Track Local Logins (VBS)

Event ID 528 is logged whenever an account logs on to the local computer, whereas Event ID 540 is generated for network logons. It is oftentimes tedious and a tad straining to the eyes to go through the tons of events stored in the event viewer, even if you filter out those events you are not interested in.

I would suggest saving the login/logoff events on a log file in a more user-friendly format for easier analysis. For example, one may want to keep track of login time for monitoring purposes while another may do this to ensure optimal usage, for example, on a shared PC where users are allocated certain hours of access.

Here's a script that saves the login information (event ID 528) to a CSV file; the user name, hostname, and the time of login are captured.

The script opens a file (or creates one if the file does not exist) for appending, wherein the captured data are stored. It then calls a sub procedure called Main to extract this information. Note that users must have modify rights on the C:\LogFile\Login.csv file.



The Main sub procedure captures the current logged-in user's name, domain and the hostname of the computer, and then writes this information, together with the type of action (Login) and time, to the log file:



Simple. Next, we will look at this script's partner, the logoff script, to capture the logoff time of the user (logoff time - login time = total usage time).
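An added example that takes the other route the post opens with, and is not the post's own script: instead of writing a record at each logon, it pulls the 528 and 540 events out of the Security log and exports the user, logon type and workstation columns to the same C:\LogFile\Login.csv. It assumes an XP/2003-era machine with logon auditing enabled and rights to read the Security log (Vista and later record logons as event 4624 instead), and the order of the event's insertion strings is stated as the documented layout for these two events.

```powershell
# Added example, not the post's own script: export local (528) and network (540) logon
# events from the Security log to a CSV for easier analysis.
# Assumes XP/2003-era event IDs and audit logon events enabled.

function Export-LogonEvents {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [string]$OutFile = 'C:\LogFile\Login.csv',
        [int]$Newest = 1000
    )

    $dir = Split-Path -Path $OutFile -Parent
    if (-not (Test-Path -Path $dir)) { $null = New-Item -ItemType Directory -Path $dir }

    Get-EventLog -LogName Security -ComputerName $ComputerName -Newest $Newest |
        Where-Object { $_.EventID -eq 528 -or $_.EventID -eq 540 } |
        ForEach-Object {
            # ReplacementStrings are the event's insertion strings; for 528/540 the order
            # is: user, domain, logon id, logon type, logon process, auth package, workstation
            $s = $_.ReplacementStrings
            $action = 'Login (network)'
            if ($_.EventID -eq 528) { $action = 'Login (local)' }

            New-Object PSObject -Property @{
                Time        = $_.TimeGenerated
                Host        = $ComputerName
                EventID     = $_.EventID
                Action      = $action
                User        = "$($s[1])\$($s[0])"
                LogonType   = $s[3]            # 2 = interactive, 3 = network, 10 = remote interactive
                Workstation = $s[6]
            }
        } |
        Select-Object Time, Host, EventID, Action, User, LogonType, Workstation |
        Export-Csv -Path $OutFile -NoTypeInformation -Append
}

Export-LogonEvents
```

Reading the log instead of writing a row from the logon script has one security advantage: the record comes from the Security log, which the logging-on user cannot edit, rather than from a CSV the post notes users need modify rights on.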

Friday, October 24, 2008

Out-of-Band Microsoft Patch (MS08-067) Released

I had to rush back from the TechFest HOLs earlier in the afternoon due to the Out-of-Band security update from Microsoft (MS08-067) which needed to be pushed to all of our machines in view of its criticality and the proliferation of exploits in the wild. Here are the contents of the email from CERT:

Original release date: October 23, 2008

Overview
Microsoft has released updates that address a vulnerability in Microsoft Windows 2000, Windows XP, and Windows Vista.  A vulnerability in the way the Microsoft Windows server service handles RPC requests could allow an unauthenticated, remote attacker to execute arbitrary code with SYSTEM privileges.

Description
A remote, unauthenticated attacker could execute arbitrary code or cause a vulnerable system to crash. Since the Server service runs with SYSTEM privileges, an attacker could take complete control of a vulnerable system. 

Microsoft has released Microsoft Security Bulletin MS08-067 to address a buffer overflow vulnerability in the Windows Server service.  The vulnerability is caused by a flaw in the way the Server service handles Remote Procedure Call (RPC) requests.  For systems running Windows 2000, XP, and Server 2003, a remote, unauthenticated attacker could exploit this vulnerability.  For systems running Windows Vista and Server 2008, a remote attacker would most likely need to authenticate. 

Microsoft Security Bulletin MS08-067 rates this vulnerability as "Critical" for Windows 2000, XP, and Server 2003. The bulletin also notes "…limited, targeted attacks attempting to exploit the vulnerability." 

This vulnerability has been assigned CVE-2008-4250. Further information is available in a Security Vulnerability & Research blog entry and US-CERT Vulnerability Note VU#827267.

Impact
A remote, unauthenticated attacker could execute arbitrary code or cause a vulnerable system to crash. Since the Server service runs with SYSTEM privileges, an attacker could take complete control of a vulnerable system.

References
US-CERT Vulnerability Note VU#827267
US-CERT Technical Cyber Security Alert TA08-297A
Microsoft Security Bulletin MS08-067
Microsoft Security Response Center (MSRC)

Tuesday, October 14, 2008

Windows 2008 Server Core Installation Guide

What is Server Core?

A Server Core installation, a new installation option available with Windows Server 2008, provides a scaled-down, minimal environment for running specific server roles. It reduces the maintenance and management requirements and, due to the smaller binary footprint, minimizes the relative OS attack surface. All configuration and maintenance of a Server Core installation is done entirely through the command-line interface, or by connecting to the machine remotely using Microsoft Management Console (via the Remote Server Administration Tools, or RSAT). Notepad and a few control panel applets, such as Regional Settings, are available, however.

A server running a Server Core installation supports the following server roles:

Active Directory Domain Services (AD DS), Active Directory Lightweight Directory Services (AD LDS), DHCP Server, DNS Server, File Services, Hyper-V, Print Services, Streaming Media Services, Web Server (IIS)

The Server Core installation option installs only the subset of the binary files that are required by the supported server roles. For example, the Explorer shell is not installed as part of a Server Core installation. Instead, the default user interface for a server running a Server Core installation is the command prompt.

What’s new in the Server Core installation option?

The Server Core installation option of Windows Server 2008 requires initial configuration at a command prompt. A Server Core installation does not include the traditional full graphical user interface. Once you have configured the server, you can manage it locally at a command prompt or remotely using a Terminal Server connection. You can also manage the server remotely using the Microsoft Management Console (MMC) or command-line tools that support remote use.

Benefits of a Server Core installation

The Server Core installation option of Windows Server 2008 provides the following benefits:

Reduced maintenance. Because the Server Core installation option installs only what is required to have a manageable server for the AD DS, AD LDS, DHCP Server, DNS Server, File Services, Print Services, and Streaming Media Services roles, less maintenance is required than on a full installation of Windows Server 2008.
Reduced attack surface. Because Server Core installations are minimal, there are fewer applications running on the server, which decreases the attack surface.
Reduced management. Because fewer applications and services are installed on a server running the Server Core installation, there is less to manage.
Less disk space required. A Server Core installation requires only about 1 gigabyte (GB) of disk space to install and approximately 2 GB for operations after the installation.

Steps for configuring a Server Core installation

The following procedures explain how to configure a computer running a Server Core installation. The steps include:
  1. Setting the administrative password
  2. Setting a static IP address
  3. Joining a domain
  4. Activating the server
  5. Configuring the firewall
1. Setting the administrative password

When your computer starts for the first time after the installation completes, press CTRL+ALT+DELETE. Type Administrator for the user name and leave the password blank.

The system will inform you that the password has expired and will prompt you to enter a new password. Type an appropriate password.

2. Setting a static IP address

At a command prompt, type the following:

netsh interface ipv4 show interfaces

Make a note of the number shown in the Idx column of the output for your network adapter. If your computer has more than one network adapter, make a note of the number corresponding to the network adapter for which you wish to set a static IP address.

3. Joining a domain

At a command prompt, type:

netdom join <ComputerName> /domain:<DomainName> /userd:<UserName> /passwordd:*

Where:

ComputerName is the name of the server that is running the Server Core installation.

DomainName is the name of the domain to join.

UserName is a domain user account with permission to join the domain.

When prompted to enter the password, type the password for the domain user account specified by UserName.

If you need to add a domain user account to the local Administrators group, type the following command:

net localgroup administrators /add <DomainName>\<UserName>

Restart the computer by typing the following at a command prompt:

shutdown /r /t 0

To rename the server
Determine the current name of the server with the hostname or ipconfig command.

At a command prompt, type:

netdom renamecomputer /NewName:

Restart the computer.

4. Activate the server

At a command prompt, type:

slmgr.vbs -ato

If activation is successful, no message will return in the command prompt.

5. Configure the firewall

To configure the firewall
Use the netsh advfirewall command. For example, to enable remote management from any MMC snap-in, type the following:

netsh advfirewall firewall set rule group="Remote Administration" new enable=yes
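Steps 2 to 5 chained into one script, as an added example that is not from the post or from Microsoft's guide. It goes slightly beyond the post in step 2: after `show interfaces` gives you the Idx, the address is applied with `netsh interface ipv4 set address` and the DNS server with `set dnsservers`, two commands the post does not list. The netsh, netdom, slmgr and shutdown invocations are exactly what you would type at cmd.exe; wrapping them assumes PowerShell is present on the box (Server Core 2008 R2 and later; on the original 2008 Server Core, run the commands directly). Every address, name and index is a constructed placeholder.

```powershell
# Added example, not from the post or Microsoft's guide: Server Core first-boot
# configuration (static IP, domain join, activation, firewall) as one script.
# All values below are constructed placeholders; replace them before use.

$InterfaceIdx = 10                      # Idx column from: netsh interface ipv4 show interfaces
$IpAddress    = '192.0.2.10'
$SubnetMask   = '255.255.255.0'
$Gateway      = '192.0.2.1'
$DnsServer    = '192.0.2.2'
$DomainName   = 'corp.example.com'
$JoinUser     = 'corp\joinaccount'      # account allowed to join computers to the domain
$ComputerName = $env:COMPUTERNAME

function Invoke-Step {
    param([string]$Description, [scriptblock]$Command)
    Write-Host "==> $Description"
    & $Command
    # Stop at the first failing command instead of joining a domain with a bad address
    if ($LASTEXITCODE -ne 0) { throw "$Description failed (exit code $LASTEXITCODE)" }
}

# 2. Static IP address on the interface found with 'show interfaces'
Invoke-Step 'Set static IP address' {
    netsh interface ipv4 set address name="$InterfaceIdx" source=static address=$IpAddress mask=$SubnetMask gateway=$Gateway
}
Invoke-Step 'Set DNS server' {
    netsh interface ipv4 set dnsservers name="$InterfaceIdx" source=static address=$DnsServer
}

# 3. Join the domain; /passwordd:* prompts for the password rather than storing it in the script
Invoke-Step 'Join domain' {
    netdom join $ComputerName /domain:$DomainName /userd:$JoinUser /passwordd:*
}

# 4. Activate; as the post notes, slmgr prints nothing on success
Invoke-Step 'Activate Windows' {
    cscript //nologo "$env:SystemRoot\System32\slmgr.vbs" -ato
}

# 5. Firewall: allow the Remote Administration rule group so MMC snap-ins can connect
Invoke-Step 'Enable remote administration firewall rules' {
    netsh advfirewall firewall set rule group="Remote Administration" new enable=yes
}

Write-Host 'Rebooting to complete the domain join...'
shutdown /r /t 0
```

The firewall step is the one to think about: enabling the "Remote Administration" group opens RPC/DCOM management ports on every profile, so on a server that faces more than the management network, scope the rules with `remoteip=` to the admin subnet rather than leaving them open to any source.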

Server Roles

After the Server Core installation is complete and the server is configured, you can install one or more server roles. The Server Core installation of Windows Server 2008 supports the following server roles:

Active Directory Domain Services (AD DS), Active Directory Lightweight Directory Services (AD LDS), DHCP Server, DNS Server, File Services, Hyper-V, Print Services, Streaming Media Services, Web Server (IIS)

I'll try to cover the topic of managing a Server Core installation and installing additional server roles on Server Core with another post.

Monday, September 29, 2008

Installing Virtual Machine Additions on Server Core

The intrinsic beauty of running a number of virtual machines on a single host lies in the ability to simulate, through a test lab, for example, how an IT infrastructure works without investing heavily in hardware and going through the multifarious tasks of OS installations as well as application setups. Get a fast multi-core processor, a motherboard that supports hardware virtualization, rev up on the RAM, get fast hard disks (as many as the computer's mobo can support), and one can already start building his test lab with, say, a domain controller, an application server and a couple of clients. In fact, one can even go as far as running multiple virtual machines on different physical computers to build as complex a test IT infrastructure as needed.






Sifting through a number of active virtual PCs/servers can be a drag if the Virtual Machine Additions is not installed on the virtual machine. This excerpt from the Technet details the importance of the VM Additions. To quote:

Virtual Machine Additions is a very important component to running a virtual machine. You must install Virtual Machine Additions on all virtual machines.

Virtual Machine Additions adds the following enhancements to a guest operating system:

• Improved mouse cursor tracking and control

• Greatly improved overall performance

• Virtual machine heartbeat generator

• Optional time synchronization with the clock of the physical computer

To install the VM Additions, navigate to the D:\Windows directory on the virtual machine's D: drive. Execute the Virtual Machine Additions MSI package using msiexec.exe as shown in the first screenshot. At the end of the installation, reboot the virtual machine. Do this for all the virtual machines.

Sunday, September 21, 2008

"Command-Prompt" Ninjitsu

Not since the olden DOS days have I been fascinated with the command line interface (CLI) as with the advent of the CLI-only Windows Server 2008 Server Core.

Back then, I used to dabble in scripting batch files to automate a lot of routine tasks. For example, I would run a script to format a floppy diskette, prompt the user to insert a source diskette to be copied, run diskcopy and label the diskette. It was considered l33t to be able to come up with complex scripts, passing parameters and arguments, catching errorlevels and other stuff. Even the prompt itself was not spared; intricate designs were the norm back then.

This interest in CLI carried on when I worked on Solaris stuff some years back. Around this period, I also ventured in the world of different Linux distros and *nix; working on bash, sh, ksh and the other sh were part and parcel of my weekend projects mostly on perl snippets.

When Powershell was introduced two years ago, I was one of the early adopters from my team. I thought integrating a full-fledged OOP platform through scripting was heaven-sent; running cmdlets from the shell and piping results to other cmdlets was rather nifty. And the script-debugging feature available in version 2.0 is, to the syntax-challenged me, a huge huge plus.

I had my fair share of ups and downs with the different CLIs I have had the chance to play around with. But still, the good-ol' cmd.exe is my main choice, hands down. It is THE CLI for me; the one CLI to rule 'em all. In fact, at any given time, I will have a minimum of two elevated cmd.exe windows on my desktop. Be it querying the registry of a remote machine, modifying the properties of an AD account, copying files to multiple target hosts, to name a few, this is the CLI for me.

And while I'm in a CLI-induced stupor, I would like to share this Windows Command Reference from Microsoft. Again, every administrator worth his skin should be adept at using command-line tools to perform routine administrative tasks; in fact, in my case, I have an elevated command prompt (where I run all admin-related checks, scripts, tools, etc.) on my desktop as part and parcel of my day-to-day work. There seems to be a command-line tool for every admin task, be it fiddling with DNS management (dnscmd), managing AD trusts (netdom), parsing event trace logs (tracerpt), directory copying on steroids (robocopy), backing up (wbadmin), and so on. Incorporating these tools in scripts is likewise key to automating a lot of tasks, thereby allowing an administrator to do more work more efficiently and in less time. Mastery of these tools is essential for an administrator; mastering the CLI is godly.