Windows

Intel CPU Identifier - Where to Find It

The actual name of this is Intel(R) Processor Identification Utility and can be found by searching at http://downloadfinder.intel.com. However, I have to poke around Intel’s site for a few minutes every time I want to download the utility. For convenience, here is the URL - http://www.intel.com/support/processors/tools/piu/

Windows

Windows has blocked access to these files to help protect your computer - Workaround!

This error is the result of either Windows restricting access to a file downloaded from the Internet or a zip file that contains unexpected path separators. In case number one, go to the properties of the file and select Unblock. Your group policies may need to be adjusted for you to see this button. In case number two, the path separators may start with a leading backslash. If this is the case, download WinRAR and use the Extract without confirmation option to unpack the contents of the zip file.
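As an added check that is not part of the original post: before fighting with an extractor, it helps to know whether the archive really contains the odd entry names described above. This Python script builds a constructed in-memory zip (one normal entry and one whose name starts with a backslash and uses backslash separators) and reports every entry name that contains a backslash or begins with a path separator, which is what a Windows extractor may refuse or mangle. The sample archive and the `inspect_zip` helper are my own, not from the post.

```python
import io
import zipfile


def build_sample_zip() -> bytes:
    """Construct a small zip in memory (sample data, not a real download).

    The second entry is given its name through a ZipInfo object so the
    backslashes survive on any host OS; ZipFile would otherwise rewrite
    os.sep to '/' when it is created on Windows.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "normal entry")
        odd = zipfile.ZipInfo("placeholder")
        odd.filename = "\\tools\\setup.exe"   # leading backslash, backslash separators
        zf.writestr(odd, "entry written with backslash separators")
    return buf.getvalue()


def inspect_zip(zip_bytes: bytes) -> dict:
    """Return {entry name: [problems]} for entries a Windows extractor may choke on.

    The zip format requires forward slashes in entry names; a leading
    separator means the name is not a plain relative path either.
    """
    report = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            problems = []
            if name.startswith(("/", "\\")):
                problems.append("leading separator")
            if "\\" in name:
                problems.append("backslash separator")
            if problems:
                report[name] = problems
    return report


if __name__ == "__main__":
    for name, problems in inspect_zip(build_sample_zip()).items():
        print(f"{name!r}: {', '.join(problems)}")
```

Point `inspect_zip` at the bytes of a downloaded archive (`open(path, "rb").read()`) to get the same report for a real file.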

Windows

Repairing the Windows Firewall

Today, I happened upon a customer’s Windows server that had a broken firewall. The firewall was not even enabled which explained why it was not working (duh). But when I went to enable it, the selection was grayed out! A check of the group policies revealed that a GPO was not controlling the setting. At this point it was clear that the server’s security had been compromised.

After a rootkit and antivirus scan came up clean I proceeded to get the firewall up and running until a replacement server could be brought online later that day. Here is the process I used to get it back online. Incidentally, I did these steps over a Remote Desktop connection and maintained connectivity (except for reboots) the entire time. I performed these steps on a Windows Server but I believe they will work for a Windows XP computer. Another error I have seen is “Due to an unidentified problem, Windows cannot display Windows Firewall settings.”

If you just want to re-enable the ability to turn on the firewall, delete the following registry keys.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile

However, to re-install the Windows firewall, copy the following text into a Notepad document and name the file Sharedaccess.reg.

Windows Registry Editor Version 5.00

; Remove the existing SharedAccess service key, then recreate it from scratch.
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]

; hex(7) values are REG_MULTI_SZ, hex(2) values are REG_EXPAND_SZ (UTF-16LE).
; DependOnService decodes to "Netman" and "WinMgmt".
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"DependOnGroup"=hex(7):00,00
"DependOnService"=hex(7):4e,00,65,00,74,00,6d,00,61,00,6e,00,00,00,57,00,69,00,\
  6e,00,4d,00,67,00,6d,00,74,00,00,00,00,00
"Description"="Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network."
"DisplayName"="Windows Firewall/Internet Connection Sharing (ICS)"
"ErrorControl"=dword:00000001
; ImagePath decodes to "%SystemRoot%\system32\svchost.exe -k netsvcs".
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"ObjectName"="LocalSystem"
"Start"=dword:00000002
"Type"=dword:00000020

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch]
"Epoch"=dword:00002cd0

; ServiceDll decodes to "%SystemRoot%\System32\ipnathlp.dll".
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  69,00,70,00,6e,00,61,00,74,00,68,00,6c,00,70,00,2e,00,64,00,6c,00,6c,00,00,\
  00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications]

; Only the Remote Desktop session manager is authorized through the firewall.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup]
"ServiceUpgrade"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate]
"All"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum]
"0"="Root\\LEGACY_SHAREDACCESS\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

Right-click Sharedaccess.reg and select merge.

Reboot the server.

Reset the firewall rules back to the default settings to get rid of any unwanted rules the attacker may have configured.

netsh firewall reset

Configure the firewall to allow approved network traffic such as Remote Desktop and Web connections.

Get rid of any unwanted Winsock Layered Service Providers (LSPs).

netsh winsock reset catalog

Double-check to make sure Remote Desktop connections are allowed by the firewall.

Reboot the server.

The server should still be considered “contaminated”, so get a fresh installation of Windows up and running as soon as possible to replace the current server.
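Merging a .reg file onto a machine you already suspect was tampered with deserves a look at what the file actually sets, and the hex(2)/hex(7) values above are not readable by eye. As an added check that is not part of the original post, this Python script parses a .reg file of the same shape, decodes the REG_EXPAND_SZ and REG_MULTI_SZ hex values to text, and compares the service's ImagePath and ServiceDll against the svchost.exe command line and ipnathlp.dll path that the post's own hex decodes to. `SAMPLE_REG` is an excerpt copied from the post's Sharedaccess.reg; `parse_reg`, `check_sharedaccess` and the `EXPECTED` table are my own.

```python
import re

# Excerpt of the Sharedaccess.reg from the post (the three hex values plus
# Start), used here as sample input; point parse_reg at the full file instead.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"DependOnService"=hex(7):4e,00,65,00,74,00,6d,00,61,00,6e,00,00,00,57,00,69,00,\
  6e,00,4d,00,67,00,6d,00,74,00,00,00,00,00
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  69,00,70,00,6e,00,61,00,74,00,68,00,6c,00,70,00,2e,00,64,00,6c,00,6c,00,00,\
  00
'''

SERVICE_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"

# What the post's hex decodes to; any other path merits a closer look.
EXPECTED = {
    "ImagePath": r"%SystemRoot%\system32\svchost.exe -k netsvcs",
    "ServiceDll": r"%SystemRoot%\System32\ipnathlp.dll",
}

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<body>.*)$')


def _join_continuations(text: str) -> list:
    """Merge lines ending in a backslash with the next one (regedit's long-value convention)."""
    out, buf = [], ""
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.endswith("\\"):
            buf += stripped[:-1]
            continue
        out.append(buf + stripped)
        buf = ""
    if buf:
        out.append(buf)
    return out


def _decode_hex(kind: int, hexdata: str):
    """Decode hex(2) (REG_EXPAND_SZ) or hex(7) (REG_MULTI_SZ) UTF-16LE data to text."""
    raw = bytes(int(b, 16) for b in hexdata.split(",") if b)
    text = raw.decode("utf-16-le")
    if kind == 7:
        return [s for s in text.split("\x00") if s]   # list of strings, double-null terminated
    return text.rstrip("\x00")


def parse_reg(text: str) -> dict:
    """Return {key path: {value name: decoded value}}; a '[-key]' deletion maps to None
    unless the same key is recreated later in the file."""
    keys, current = {}, None
    for line in _join_continuations(text):
        if not line:
            continue
        if line.startswith("[-") and line.endswith("]"):
            keys[line[2:-1]] = None
            current = None
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if not m or current is None:
            continue
        name, body = m.group("name"), m.group("body")
        if body.startswith("dword:"):
            value = int(body[6:], 16)
        elif body.startswith("hex:"):                      # REG_BINARY, kept as bytes
            value = bytes(int(b, 16) for b in body[4:].split(",") if b)
        elif body.startswith("hex("):
            kind = int(body[4:body.index(")")])
            value = _decode_hex(kind, body[body.index(":") + 1:])
        elif body.startswith('"') and body.endswith('"'):  # plain REG_SZ
            value = body[1:-1]
        else:
            value = body
        keys[current][name] = value
    return keys


def check_sharedaccess(keys: dict) -> list:
    """Return (value name, decoded value) pairs that differ from EXPECTED."""
    found = {
        "ImagePath": (keys.get(SERVICE_KEY) or {}).get("ImagePath"),
        "ServiceDll": (keys.get(SERVICE_KEY + r"\Parameters") or {}).get("ServiceDll"),
    }
    return [(n, v) for n, v in found.items() if v != EXPECTED[n]]


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    for key, values in parsed.items():
        print(key, values)
    print("mismatches:", check_sharedaccess(parsed))
```

Reading the file with `open("Sharedaccess.reg", encoding="utf-16")` covers the UTF-16 encoding regedit uses for its own exports; a file typed into Notepad as plain ASCII reads with the default encoding.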

Windows

Archiving Windows Event Logs - A Free Solution

I’ve been saving event log files for a long time. But doing this with Windows event logs has always been awkward. I have used third party solutions and self-written scripts, but neither has been ideal. So here’s the latest solution I’m trying out. It’s simple, elegant and uses group policy. Event logs archiving with GPO

Windows

Asynchronous UI in Windows Server 2003 Service Pack 2 (sp2)

So Windows Server Service Pack 2 is out now. One of the new features it includes is Asynchronous UI. It sounds intriguing but what is it?

If you are creating a Microsoft® Windows® Forms application, and have an object with methods that may take some time to execute, you may want to consider writing an asynchronous API. Say, for instance, you have an object that downloads large files from a remote location. Without an asynchronous API, a client’s UI would freeze for the duration of the call. With an asynchronous UI, the client’s UI would not freeze. You could even construct the asynchronous API in such a way as to give progress updates to the caller, and give the client the opportunity to cancel the call. Few situations are as frustrating as a frozen UI that can only be cancelled by resorting to Task Manager.

Programmers will have to write this into their applications but it sounds promising.

Windows

Windows Server Service Pack 2 Does not Include KB931836

A quick note on the Windows Server 2003 SP2. I did a fresh install of an x64 server and ran the Service Pack 2 update. After rebooting, I ran Windows Updates and it turns out that KB931836 is not included in the service pack. It’s not a big deal to me but I did find it interesting and thought I would share.

Windows

Running Logon Scripts Using Elevated Privileges

For Windows, this is way more difficult than it should be. Unix/Linux solved this problem many, many years ago. The fact that Microsoft still hasn’t solved it is amazing to me. Fortunately, there are some third party products to help out the everyday, hardworking Windows sysadmin.

RunAs Professional
RunAs Professional is a substitute for Microsoft’s command runas.
RunAs Professional solves the problem that normal runas does not support the commandline parameter password.

RUNADMINBAT
Create a batch file (for example a logon script) for users. The batch file contains commands that require administrative privileges. Five steps to use the “runas” function from Windows 2000 and Windows XP pro with “runadminbat” in your scripts. No additional installation on your clients is necessary.

Encrypted RunAs
Encrypted RunAs is a small utility that is designed to make the job of Administrators a little easier, it can be used to run applications or software installations with access rights a standard user does not have.

TqcRunas
The power of RUNAS made scriptable, easy and secure.

NetExec
NetExec is a multisession extension for Windows NT and Windows 2000. Using NetExec it is possible to log on to a system with multiple accounts at the same time. So you can work with more than one user account simultaneously and switch between them without logging off and on.

CPAU
Command line tool for starting process in alternate security context. Basically this is a runas replacement. Also allows you to create job files and encode the id, password, and command line in a file so it can be used by normal users.

Utilities
Windows

The Only Document You Need for Exchange DST Updates?

I’ve been following the Windows/Exchange DST issue for some time now and finally got around to doing the updates on my systems. Throughout February, I followed KB articles which were updated almost daily, Web seminars, blogs, chats and newsgroups.

Microsoft’s documentation has settled down and most of the conflicting or ambiguous sections have been resolved so I thought it was a good time to update everyone’s computers and calendars. Besides, March 11th is right around the corner. So after going through volumes of Microsoft’s information, I followed KB 930879, step-by-step and it was all I needed! Oh well. At least I was prepared.

Exchange Server
Windows

COM Port Not Working on Windows Terminal Server

Microsoft says, “TAPI is not terminal services aware.” Apparently, this applies to using HyperTerminal to connect a serial port to a SAN, router or any other device through an RDP session. It will redirect the local COM ports to the server without any issues though. I lost thirty minutes of quality time to this issue today. Uninstalling Terminal Services resolved the issue. Thank goodness it was just a lab server. Maybe this post will help some other hard-working IT professional get home on time. See TAPI is Not Terminal Services Aware for details.

Windows

Fun with GnuWin32

There are times that Windows makes it difficult to do tasks that are trivial to accomplish on Linux. Simple text processing is a perfect example. I recently had the need to find out all the unique host IP addresses that had used SMTP to connect to an Exchange server during a period of time. I use an advanced reporting package on my Exchange servers but it is geared toward business decisions and capacity planning. It works very well but does not analyze data at this level, which leaves me to find a solution to this problem on my own.

Fortunately, I have GnuWin32 installed on my workstation and it gives me the use of traditional Linux/Unix utilities such as cut, sort, uniq and grep. Looking at the SMTP logs I see that the fields are separated by a space and the IP address of each connection is listed in the third column. So I copy the log files for the period to my desktop computer where I have GnuWin32 installed. I cd to the directory where the log files are located and run the following command:

cut -f 3 -d " " *.log | sort | uniq > results.txt

I modify it slightly to find all of the unique internal hosts that have connected to the SMTP server.

cut -f 3 -d " " *.log | sort | uniq | grep "^172\.16\." > results.txt

GnuWin32 makes it a simple and fun task where Windows has no easy equivalent.
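The cut/sort/uniq pipeline is the right tool when GnuWin32 is at hand; as an added example that is not from the original post, here is the same extraction in Python, which goes slightly further than the pipeline: it skips the `#`-prefixed header lines that IIS/SMTP service logs carry, ignores lines whose third field is not an IP address, counts connections per host, and filters internal hosts by CIDR rather than by the string prefix `172.16.`, so that an address like 172.160.1.1 cannot match by accident and 172.17.x hosts are not missed. The log lines in `SAMPLE_LOG` are constructed, and the choice of 172.16.0.0/12 as the internal range is an assumption of mine standing in for the post's prefix.

```python
import ipaddress
from collections import Counter

# Constructed sample in the layout the post describes: space-separated
# fields with the client IP in the third column. The '#' lines mimic the
# W3C-style header lines of IIS/SMTP service logs and are skipped.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method s-sitename s-computername s-ip s-port
2007-03-01 08:00:01 172.16.0.25 HELO SMTPSVC1 MAIL01 192.0.2.10 25
2007-03-01 08:00:02 198.51.100.7 EHLO SMTPSVC1 MAIL01 192.0.2.10 25
2007-03-01 08:00:03 172.16.0.25 MAIL SMTPSVC1 MAIL01 192.0.2.10 25
2007-03-01 08:01:10 172.16.5.9 EHLO SMTPSVC1 MAIL01 192.0.2.10 25
2007-03-01 08:02:00 172.160.1.1 EHLO SMTPSVC1 MAIL01 192.0.2.10 25
2007-03-01 08:03:00 203.0.113.4 EHLO SMTPSVC1 MAIL01 192.0.2.10 25
a malformed line that has no address in column three
"""


def client_ips(lines, column: int = 3):
    """Yield the client address from each log line (1-based column).

    Header lines, short lines and lines whose column is not an IP address
    are skipped instead of polluting the result the way cut would.
    """
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < column:
            continue
        try:
            yield ipaddress.ip_address(fields[column - 1])
        except ValueError:
            continue


def unique_hosts(text: str) -> list:
    """Equivalent of `cut -f 3 -d " " *.log | sort | uniq`, as (ip, connections)
    pairs sorted numerically, with a per-host count that sort|uniq does not give."""
    counts = Counter(client_ips(text.splitlines()))
    ordered = sorted(counts, key=lambda ip: (ip.version, ip))
    return [(str(ip), counts[ip]) for ip in ordered]


def internal_hosts(text: str, network: str = "172.16.0.0/12") -> list:
    """The grep filter done as a CIDR membership test (network is an assumption)."""
    net = ipaddress.ip_network(network)
    return [(ip, n) for ip, n in unique_hosts(text) if ipaddress.ip_address(ip) in net]


if __name__ == "__main__":
    # Swap SAMPLE_LOG for the concatenated contents of the *.log files.
    for ip, n in unique_hosts(SAMPLE_LOG):
        print(f"{ip:16} {n}")
    print("internal:", internal_hosts(SAMPLE_LOG))
```

To run it over a directory of logs, read each `*.log` file with `pathlib.Path(".").glob("*.log")` and join their contents before passing them to `unique_hosts`.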

Utilities
Windows
