Category: Tips & Tricks

Your favorite tools and utilities always available everywhere (almost)

ingmar.koecher 0 Comment Tips & Tricks, Tools & Utilities

If you are managing more than a handful of servers
and workstations in an Active Directory domain then you have probably come to
rely on a small set of utilities to help you with your daily tasks of managing
your servers and workstations. You probably carry those apps with you on a USB
stick (check out PortableApps.com) or have them sitting on some network drive for access when you need them,
and most of these tools are probably from different
developers and vendors.

 

I personally like a lot of the Windows Sysinternals tools such as
psexec, process monitor, Microsoft Network Monitor and of course the NTToolkit tools that we develop – but
everybody has his or her own preference as to what they need to get the job
done. And that’s exactly my point.

 

Wouldn’t it be great that every computer you manage –
workstation or server – always had
the tools you need automatically pre-installed? That way, they could be used in scheduled tasks, batch scripts etc. without you having to worry whether the tool is installed or not.

 

Well, it is possible – and you can do it without spending a
dime – thanks to
Active Directory and the folks at Caphyon in Romania
that provide a freeware edition of their Advanced Installer.

 

You probably see where I am getting at. Combine a MSI
created by Advanced Installer with your favorite tools and Active Directory’s
“Software Distribution” feature, and you get all your tools at your fingertips
– whenever you need them. In this post I’ll show you how to create a MSI with
your favorite tools and automatically publish that to some or all computers in
your AD domain. This approach also supports updates, so that you can publish
revised MSI packages with new tools and/or updates.

 

The nice thing about this solution is that the only
prerequisite is Active Directory, and even if you don’t have AD you still end
up with a MSI that you can easily install on any computer.

 

  1. Download
    & Install Advanced Installer Freeware. You can also go with one of
    their commercial products of course, but the freeware version is enough
    for our purposes here.

 

  1. Organize
    all of your tools into one location so that they can easily be added to
    the installer. This is not absolutely necessary but will make working on the installer a bit easier.

 

  1. Open Advanced Installer. It should open a dialog to create a new project. If not, go to File -> New.
  2. Select a project type of Simple and make sure “Use wizard to create the project” is checked.

    advanced_installer_create_project.png

  3. The New Simple Project Wizard comes up. Click next to continue, and give your project a descriptive name.
  4. Browse to the folder containing all your tools.
  5. The next box allows you to create shortcuts to specific programs. If you have any GUI programs in there then you may want to check them and then hit Next.

    advanced_installer_select_source_files.png

  6. Now you can hit Finish on the final screen to build the project. It will save it as a .aip file in the location of your choice.
  7. At this point we can just call it a day and compile the MSI file. I like having my command-line tools in the PATH environment variable however, so that I can access them conveniently from any folder. Keep reading for more info on this, otherwise just skip to step 12.
  8. Click on the “Environment” link in the left panel. Now right click anywhere in the blank space on the left side and choose “New Variable”.
  9. In the screen shot below you can see what settings to use to add it to the Path system variable.

    advanced_installer_environment_variables.png

  10. Now just click the “Build” button to create your MSI file.

Now that you have the MSI file, you can roll it out using Active Directory. If you need a refresher on how to do this, then please see the earlier blog post Applying Patches and Updates with Active Directory that shows how to distribute MSI-based patches with Active Directory – essentially the same concept.

Drawbacks & Considerations

Now, I have to admit that there are some drawbacks to using Active Directory to publish your MSI. Currently, group policy can only apply software installations in the foreground, which means that you will have to reboot a computer in order to have your new MSI installed. If you know a way around that – other than using a 3rd party software deployment suite – then please let me know.

Also keep in mind that any tool you install on your servers and/or workstations will, by default, be available to any user on that machine unless you adjust the permissions of the target folder manually. As such, I would refrain from including utilities in your MSI that make gaining unauthorized access easier, and also ensure that you always have the latest version of your tools in your MSI.

I hope this tip helps managing your servers and workstations a bit easier. Until next time,

Ingmar.

Mr. Fix It: Reviving a relative’s computer

ingmar.koecher Tips & Tricks, Tools & Utilities

Let’s face it, whether you’re a DBA, IT Manager or sys admin – you are eventually asked the inevitable by your parents, mother-in-law (hint) or brother-in-law: The computer is soooo slow – is there something we can do?

What you will probably find is a computer running Windows XP, an out-of-date Anti Virus software that was pre-installed, missing patches, 17 toolbars for Internet Explorer, some AdWare and a boatload of other software that nobody needs. If it’s bad then you’ll also find some SpyWare and viruses.

It unfortunately requires multiple steps of corrective action to get garbled systems like that back up to normal, and so I created this list for myself so not forget steps along the way. You can change the order, but this order should be most effective. If most of the items listed are obvious to you, then you can still use the list as a simple check list.

1. Uninstall all unneeded software: This should speed up the computer right away and get rid of some of the resource hogs. Don’t forget to get rid of any outdated AntiVirus software as well at this point.

2. Autoruns: Use the Sysinternals Autoruns tool to remove any applications that have nested themselves into one of the many autorun locations. I found the “Logons” and the “Services” tab to be most effective, though I recommend you check all of them. I also recommend saving the current setup prior to disabling things. After a reboot the computer should already be faster.

3. Remove Spyware: It’s generally a good idea to make sure that no Spyware is present, and I recommend running Super Antispyware on the computer. They have a free home edition that works quite well – and don’t get suspicious because of their cheesy web site.

4. Apply Updates: Now it’s time to switch to Microsoft Update and install any available critical updates and hardware updates that are relevant. You can switch to Microsoft Update by navigating to Windows Update and clicking the “Microsoft Update” link on that page on the left or right hand side. I generally recommend including optional updates, such as IE 7 and Windows Media Player as well. They might not use them, but this ensures that they are only using software that is going to be patched.

5. Anti-Virus: If the computer does not have Anti-Virus software installed at this point, download either a free package (e.g. Avast, AVG, etc.) or purchase a commercial one if they don’t mind paying an annual fee. Avast has the option to do an offline virus scan of your hard drive before the system boots, which I found quite useful.

6. Drivers & BIOS: Depending on the age of the system, chances are that at least some drivers are out of date, though it’s much more likely on a new computer than it is on an old one. A first start is Windows Update, but checking the vendor’s web site (some of them come with update software as well) usually yields better results and offers more recent drivers.

7. Defrag: I have a sort of love-hate relationship with defragging tools, and think that the benefits are often overstated. I have however seen many cases over my career where defragging does indeed improve performance. I don’t think a daily defrag is necessary on a workstation, but a computer that has never been defragged in years can definitely benefit from it. I have used Raxco’s PerfectDisk successfully on servers and workstations, and they have a fully functional 30-day trial available.

8. Hardware: In some cases, especially with older systems, it might help to upgrade the hardware. Upgrading memory is usually most effective, since it’s both cheap and easy to install. I listed it as a last step, even though upgrading it right-away might make performing all the other steps more enjoyable (=faster). Don’t just throw memory at the problem though, cleaning the machine up is the most important!

Or, you can do a re-install :-). Depending on the state of the OS, the above steps can sometimes take a very long time, and a re-install might be a better option – especially when the computer is infected with viruses and Spyware. As a matter of fact, if you still have access to the recovery CD and the computer wasn’t overly customized (e.g. used only for email, web and pictures), then a re-install will almost certainly be a better option and take less of your time.

Hope this helps – and if all else fails then you can always install Linux 😉

NTFS Alternate Data Streams: Hiding data in plain sight since 1993

ingmar.koecher 0 Comment Event Log, EventSentry, Tips & Tricks, Tools & Utilities

I recently read an article in the Hackin9 magazine (worth taking a look if you haven’t heard about it) about alternate data streams (ADS) in NTFS. I had heard about this hidden feature in NTFS a long time ago actually, but over the years forgot about its existence again.

Background
In a nutshell, the NTFS file system, which was introduced with Windows NT 3.1, supports ADS – sometimes also referred to as “hidden streams”. This means that you can attach or associate any number of files to an existing file, yet those files will not be visible to the vast majority of file management applications – including explorer and the “dir” command (Vista can show ADS with a parameter). One thing I find interesting about streams is that a lot of people in IT do not seem to
know about them, even people otherwise very familiar with the Windows
Operating System.

Now, streams are created and accessed by appending the “host” file name with a colon, followed by the name of the stream. Let’s say you want to create a text file called financials.txt and hide it with winhelp.exe, you would run notepad C:\Windows\winhelp.exe:financials.txt. This will bring up notepad which will prompt you to create the file since it doesn’t exist (since the alternate stream is basically a file). You can then save any text in the hidden file and save it. You will notice that the file you just created will not show up when you do a directory list (dir C:\Windows) and will also not show up in the Windows Explorer. Note that the timestamp of the host file will change however.

Now there are of course a variety of utilities that have been developed in the last 15 (!) years that will allow you to find hidden streams, but more on that later. Hidden streams still exist on Vista and later, though the feature seems to have become more restrictive.

There are apparently no limits as to how many streams one can associate with a file, or the type of file that can be associated. This means that you can associate an executable as much as you can an ASCII file. There are however some limitations as to how user mode applications (e.g. notepad) can access hidden streams. Let’s go back to the previous example where we created the file financials.txt in winhelp.exe. If you open a command prompt and execute type C:\Windows\winhelp.exe:financials.txt, then you will not be able to see the contents of the hidden file. If you use notepad instead however, you will be able to see the file (notepad C:\Windows\winhelp.exe:financials.txt). This is probably because cmd.exe and its built-in commands up until Windows XP are not aware of alternate streams. ON a Windows XP machine I also could not open that same file if I tried to open it from inside notepad with the File -> Open command.

Creating Streams
Things get more interesting when you attach executables to files – and execute them! Let’s say I wanted to hide popular windows game solitaire inside the file C:\Windows\wganotify.log and call the stream “calc.exe”. Here is what you do:

type system32\sol.exe > C:\Windows\WgaNotify.log:calc.exe
start C:\windows\WgaNotify.log:calc.exe

Auditing Alternate Data Streams
Those of you interested in auditing will probably wonder how Windows tracks access to hidden streams in the event log. Well, there is good and bad news. The bad news is that object tracking (the famous event 560) does not show hidden streams, and instead only shows the “host” file name being accessed. Process Tracking on the other hand shows hidden streams in the expected manner. For the above example, a 592 event will show that file C:\windows\WgaNotify.log:calc.exe was executed.

Exploiting Streams
Scary, huh? This opens up a can of worms when you think about malware hiding inside otherwise innocent files – such as a log file. At appears as if most AntiVirus products do not detect hidden streams, at the same time there doesn’t seems to be a significant number of mainstream malware applications out there are that rely on hidden streams. I’m not sure why that is, since this feature seems almost too good to be true for the writer of any malicious applications. One reason might be that malware writers mostly target home machines, and many of those computers are still formatted with the FAT(32) file system, which of course doesn’t support ADS. This might change over time though, as more (home) computers use NTFS as their file system.

So after reading up on ADS, playing around with it last week, scanning my computer for hidden streams, I arrived at the inevitable question: What is the higher purpose of Alternate Data Streams? I mean, many applications don’t support it, most people don’t know about it, and a scan didn’t reveal any hidden streams besides a couple inside some Microsoft installers that apparently use them as some sort of meta data.

As it turns out, ADS was created for compatibility with the Macintosh HFS file system, which uses a data fork and resource fork to store data in a file (OS X now uses the HFS+ file system). But over the years (it’s been 15 after all) some developers at Microsoft decided to utilize this feature. For example, when you specify summary information about a file (right-click -> properties -> summary), then this information will be stored in ADS.

As mentioned earlier, there have been some improvements in regards to ADS with Vista and later. Vista can now show alternate streams with the /R switch of the “dir” command. My preliminary research also shows that hidden streams can no longer be executed in Vista or later – so what we did in the above example will not work. I think that’s a good thing, since there really is no practical reason (unless you develop malware) to do this. The screen shot below shows the output of a regular dir command and the dir /R command on a Windows 2008 server (note the file setupact.log).

ADS_Win2k8.jpgIn my humble opinion, Microsoft should get rid of alternate streams in future versions of Windows, and instead come up with some sort of structured way of embedding meta data in files. Anything contained in meta data should be non-executable and limited in size, e.g. 256kb.

Discovering Streams
So what does all this mean for you, the person responsible for security in your network? How can you find hidden streams and detect if streams are being added to files?

There are many free third-party utilities out there that show and manipulate hidden streams, but the discovery of this feature led us to extend the functionality of the File Monitoring feature of EventSentry to include the automatic detection of hidden streams in real-time. This means that any stream added, modified or removed from a file in a monitored location will be detected by EventSentry.

We have also developed a new command-line tool, adslist.exe, that will list all alternate data streams on a directory and optionally its sub directories. The tool is part of the NTToolkit v1.96 and I recommend that you schedule to run this tool with the Application Scheduler feature of EventSentry on a regular basis, or schedule it with the Windows Task Scheduler and email the results (adslist.exe C:\ /s). The advantage of using EventSentry is that the results of adslist.exe can automatically be emailed to you only if alternate streams were found. You can do this because the %ERRORLEVEL% is set to 1 by adslist.exe when one or more streams are found. The screenshot below shows what this would look like in the email sent by EventSentry:

EventSentry_ApplicationScheduler_ADSList.pngManipulating Streams
While Microsoft doesn’t offer a tool to search for and discover alternate data streams, they do offer a good explorer-extension that allows you to view and delete alternate data streams. You can download it from https://docs.microsoft.com/en-us/sysinternals/downloads/streams, the zip file contains the source code as well as another utility to create hard links on NTFS volumes. After extracting the archive, navigate to the \StrmExt\ReleaseMinDependency folder and run regsvr32 StrmExt.dll. You will then have an additional tab when viewing file properties in explorer called “Streams”:

StrmExt.jpgAnother way to get rid of hidden streams is to copy a file to a FAT[32] volume and then back to the NTFS volume, or – if you don’t have a FAT[32] volume available – simply compress and uncompress the file again.

Well, I hope this gives you a better understanding of alternate data streams, even if you were already familiar with them. Like I mentioned earlier, it doesn’t appear as if ADS is used for evil in a large scale quite yet (so no reason to panic!), but I believe it is better to be safe than sorry.

Applying Patches and Updates with Group Policy

tames.mctigue 0 Comment Tips & Tricks

Recently, Adobe published security bulletin APSB08-15 that affects almost all versions of the Adobe Reader and could allow attackers take control of a machine. Since most corporate computers have Adobe Reader installed, patching a vulnerability like this quickly and efficiently is crucial. If the computers running Adobe Reader are part of a Windows 2000 (or later) domain, then you can easily utilize the Active Directory’s Software Installation feature to push this patch out. Deploying updates and patches through Group Policy is easier than you think and can save you hours of work.

Note: You can use Group Policy to deploy any application update, as long as the patch is available as a MSI file. We’re just using this particular patch as an example.

Since the Adobe Reader Updates comes in an executable instead of an MSI, we need to first extract the MSI file. Luckily, Adobe does give you the steps needed to do this here. After following those steps, you will have a folder which includes the MSI and some other needed files. Put these on a share that all computers can reach. It is generally a good idea to give everybody READ access to this share and the underlying NTFS permissions.

Next, we need to open Active Directory Users and Computers. Right click on an OU you want this to apply to, in our case it is called “Workstations”. Then choose properties and click on the “Group Policy” tab.

Now you should see a list of GP objects that apply to that group (if any). Click “New” to create a new policy. Give it a descriptive name such as “Security Update for Adobe Reader”. Click on it and choose “Edit”.

GroupPolicySoftwareInstallation.jpgThe Group Policy Editor will now come up and allow us to choose the options we want. Expand “Computer Configuration” -> “Software Settings”. Then, right-click “Software installation” and choose New -> Package.We need to browse to the network share (e.g. \\YOURFILESERVER\SoftwareUpdates) that contains the MSI file for Adobe Reader, then pick the MSI file and click Open. It will ask you which deployment method to use, you can choose Assigned for this. Remember that this file share needs to be accessible to all computers that need to install this update.

The newest version of Adobe Reader will now be deployed to that group. You can also assign that Group Policy to other groups of computers that you want it to apply to.

Using a mechanism like Group Policy to deploy application updates has several advantages of course:

  1. It’s included with Windows for “free”, so there is no additional cost.
  2. Updates are installed automatically, no reason to physically touch the workstation.
  3. The updates are always installed, you don’t have to rely on the users to patch their applications

Most updates that are assigned to computers are installed when the computer reboots, so it will take a day before this update will be installed. If you are running EventSentry, then you can use the Software Inventory feature to make sure that the update has been installed on all computers.

P.S.: You can also deploy Firefox this way using FrontMotion’s Firefox MSI.

Event 4964: Special Groups Feature for Vista + Windows 2008 Entrepreneurs

ingmar.koecher 0 Comment Event Log, EventSentry, Pure Knowledge, Tips & Tricks

There is certainly a lot of talk about the benefits of using Vista, but a lot of administrators and users seem to be avoiding it and instead hold on to Windows XP – which now appears to have a better reputation than ever! Well, here is a small reason to upgrade to Vista or Windows Server 2008.

Microsoft introduced a new event, 4964, called the Special Groups Feature. The purpose of this feature is to log event 4964 to the security event log when a member of a group you specify logs on to a computer.

So let’s say you want to know when a member of a local Administrator group logs on to a computer (and with EventSentry you could get an email when that happens for example), then you can accomplish that with the special groups feature.

In order to use this feature you need to do three things:

  • Determine the SID of the group(s) you want to monitor
  • Specify the SID(s) of the groups you want to monitor in a registry key
  • Ensure that you are auditing the Special Logon Feature (enabled by default)

One way to obtain the SID of a group is to use the getsid.exe tool which is part of the Windows XP SP2 Support Tools and other Microsoft Resource Kits. Note that the primary purpose of this tool is to compare the SID of two user accounts (so it requires you to specify two user/group accounts), but you can just enter the same group name twice to get around this. Here is an example output of the tool:

getsid \\mydc “Domain Admins” \\mydc “Domain Admins”

The SID for account BUILTIN\Domain Admins matches account BUILTIN\Domain Admins
The SID for account BUILTIN\Domain Admins is S-1-5-21-9817441204-4587651373-9817264971-512
The SID for account BUILTIN\Domain Admins is S-1-5-21-9817441204-4587651373-9817264971-512

As you can see you need to point to tool to computer where the group exists, in our case I used a domain controller since I want to monitor if somebody from the Domain Admins group logs on to the computer. If you monitor a built-in group (e.g. Administrators) then you will see that the SID is much shorter and the same across all your computers.

Now that we know the SID, we can specify it in the registry. Navigate to key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Audit and create a new String with the name SpecialGroups.

The value for this new string will be the SID of the group you want to monitor, and you can separate multiple SIDs with a semicolon. For example:

S-1-5-32-544;S-1-5-32-123-54-65

You do not have to reboot after making this change, it is effective immediately with the first subsequent login. The event that is being logged will look similar to this (screen shot from the EventSentry Web Reports):

Special Groups Logon 4964 ScreenshotThe relevant information is shown in the lower part of the event in the New Logon section. Security ID shows the user that logged on, and Special Groups Assigned shows the group the account is a member of (of course this group has to be specified in the registry).

Voila. This feature probably makes most sense on critical servers, though I would recommend enabling it on all workstations as well since you probably want to know if a member of the local Administrators group logs on. But of course this also means that you need to be running Vista on your network :-).

Since this feature needs to be activated using the registry, you can use AutoAdministrator to push this registry change to multiple computers. AutoAdministrator has actually been rewritten from scratch and we will be releasing a new version 2.0 very soon.