Friday, November 30, 2007

Windows shares and NTFS file permissions, show/create/modify

Recently I had to make a share analysis of about 50 servers, a mix of Windows 2000 and 2003. The shares were to be recreated on a new set of servers, and some of them were to become Windows cluster server shares.

There turned out to be several possibilities:

I went down the VBS script path, and it worked out fine. The script produced a bunch of command one-liners I could use on the new servers or on the new clusters, e.g.:

cluster . res "share" /priv security="domain\group",grant,F:security
cluster . res "share" /priv security="domain\user",grant,R:security
net share share="d:\path\to\share" /GRANT:"domain\user1",READ /GRANT:"domain\user2",FULL

The net share command creates the share; on the cluster, though, the share was created with a wrapper script made from a Microsoft example, changing only ShareSubDirs=0. After that the cluster commands above work fine.

The problem with the script method was that if a share had no ACL, my script did not list it. And I didn't make the script query remote servers, so I used a little psexec workaround in the scripts:
copy listshares.vbs \\server\d$\
psexec \\server -e cmd /C "cscript d:\listshares.vbs"
psexec \\server -e cmd /C del d:\listshares.vbs

Anyway, in the future I recommend using RMTSHARE.EXE, which works fine on 2000/2003/XP, can query shares remotely, modify permissions, create shares, and everything else I need. Some examples:

List shares: RMTSHARE \\server
List permissions of a share: RMTSHARE \\server\share /users
Add a user to a share remotely: RMTSHARE \\server\share /grant "domain\user":F
Revoke a user's permissions: RMTSHARE \\server\share /grant "domain\user"

By the way, note that the "net share" command is different on Windows 2003 and on XP. There are permission options on the Windows 2003 version:
The syntax of this command is:

NET SHARE sharename
          sharename=drive:path [/GRANT:user,[READ | CHANGE | FULL]]
                               [/USERS:number | /UNLIMITED]
                               [/REMARK:"text"]
                               [/CACHE:Manual | Documents | Programs | None ]
          sharename [/USERS:number | /UNLIMITED]
                    [/REMARK:"text"]
                    [/CACHE:Manual | Documents | Programs | None]
          {sharename | devicename | drive:path} /DELETE


There is no permission option on the XP version:
net share /?
The syntax of this command is:

NET SHARE sharename
          sharename=drive:path [/USERS:number | /UNLIMITED]
                               [/REMARK:"text"]
                               [/CACHE:Manual | Automatic | No ]
          sharename [/USERS:number | /UNLIMITED]
                    [/REMARK:"text"]
                    [/CACHE:Manual | Automatic | No ]
          {sharename | devicename | drive:path} /DELETE

For setting, removing and modifying NTFS file permissions I use XCACLS.VBS, which can do everything we need. It also works on the clusters. Some examples:

Listing access (add /s /t if you want subdirectories too):
cscript c:\bin\XCACLS.vbs d:\dat\ /server server

Give access, with /e so the other users' entries are left as they were:
cscript c:\bin\XCACLS.vbs d:\dat\ /e /g "domain\user":F /server server

Revoke (/r) example, remote. !!! WARNING !!! remember the /e, or every other permission will be gone:
cscript c:\bin\XCACLS.vbs d:\dat\ /e /r "domain\user" /server server

My only problem with XCACLS.VBS so far is that it truncates the user names in its output, so it is hard to wrap into a script for recreation. E.g. it shows only "Domain\Some_domain_gruo" below and not the full group name:

"Allowed Domain\Some_domain_gruo Modify..."

Ideas for solving this are very welcome :-)
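One way to get the full names, as an added example that is not part of the original post: the PowerShell script below (assumed to run under PowerShell on a machine with WMI/RPC access and admin rights on the target server, like the psexec workaround above; the server name is a placeholder) lists every disk share on a server together with its share-level ACL and the NTFS ACL of the shared folder. It uses the Win32_Share and Win32_LogicalShareSecuritySetting WMI classes for the share side and Get-Acl for the NTFS side, so trustee names come out untruncated and a share that has no share-level ACL is still listed.

```powershell
# Added example, not from the original post: list every disk share on a server
# with its share-level ACL and the NTFS ACL of the shared folder, printing the
# full trustee names instead of the truncated ones XCACLS.vbs shows.
# Assumes WMI/RPC is reachable on the target and you hold admin rights there.
# $Server defaults to the local machine; any other value is a placeholder.
param([string]$Server = $env:COMPUTERNAME)

# Share permission masks as WMI reports them for the three net share levels
$ShareMask = @{ 2032127 = 'FULL'; 1245631 = 'CHANGE'; 1179817 = 'READ' }

function Get-ShareReport {
    param([string]$Computer)
    $report = @()
    # Type 0 = plain disk share; this skips IPC$, printers and the admin shares
    $shares = @(Get-WmiObject -Class Win32_Share -ComputerName $Computer -Filter 'Type = 0')
    foreach ($share in $shares) {
        $shareAces = @()
        # A share with no security setting is still reported (with no ACEs),
        # which is the case the listshares.vbs approach missed
        $setting = Get-WmiObject -Class Win32_LogicalShareSecuritySetting `
            -ComputerName $Computer -Filter "Name = '$($share.Name)'"
        if ($setting) {
            $dacl = $setting.GetSecurityDescriptor().Descriptor.DACL
            if ($dacl) {
                foreach ($ace in @($dacl)) {
                    $trustee = $ace.Trustee.Name
                    if ($ace.Trustee.Domain) { $trustee = "$($ace.Trustee.Domain)\$trustee" }
                    if (-not $trustee) { $trustee = $ace.Trustee.SIDString }   # orphaned SID
                    $perm = $ShareMask[[int]$ace.AccessMask]
                    if (-not $perm) { $perm = '0x{0:X}' -f $ace.AccessMask }
                    $kind = if ($ace.AceType -eq 0) { 'grant' } else { 'deny' }
                    $shareAces += "$trustee,$kind,$perm"
                }
            }
        }
        # NTFS ACL read through the admin share, e.g. D:\data -> \\server\D$\data
        $unc = '\\{0}\{1}' -f $Computer, ($share.Path -replace '^([A-Za-z]):', '$1$$')
        $ntfsAces = @()
        foreach ($rule in (Get-Acl -Path $unc).Access) {
            $inherited = if ($rule.IsInherited) { ' (inherited)' } else { '' }
            $ntfsAces += '{0},{1},{2}{3}' -f $rule.IdentityReference, $rule.AccessControlType,
                                             $rule.FileSystemRights, $inherited
        }
        $report += New-Object PSObject -Property @{
            Share = $share.Name; Path = $share.Path
            SharePerms = $shareAces; NtfsPerms = $ntfsAces
        }
    }
    return $report
}

foreach ($entry in Get-ShareReport -Computer $Server) {
    'Share {0} -> {1}' -f $entry.Share, $entry.Path
    foreach ($line in $entry.SharePerms) { "  share: $line" }
    foreach ($line in $entry.NtfsPerms)  { "  ntfs:  $line" }
}
```

Save it as, say, sharereport.ps1 and run .\sharereport.ps1 -Server fileserver01 (placeholder name); you get one block per share in a form that is easy to turn back into the net share, cluster and XCACLS one-liners above. Deny ACEs are printed as deny and inherited NTFS entries are marked, so neither gets mistaken for an explicit grant when the shares are recreated on the new servers.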

Thursday, November 29, 2007

More FreeBSD 7 goodies

As if the binary upgrade possibilities in FreeBSD 7 (and 6 to 7 if you like) were not enough (and actually working), there are plenty of goodies to look forward to:
SQL database performance ... MySQL 5.0.45 (thread-based)
New filesystems ... ZFS
Network stack changes ... Complete elimination of giant lock from network stack
Intel wireless drivers ... iwi (2200BG/2225BG/2915ABG) ... Works out of the box
Atheros protocol extensions ... 802.11n support (forthcoming standard) ... higher performance: up to 135 Mb/sec
Security subsystems ... Audit subsystem ... Fine-grained, configurable logging of security-relevant events ... System calls, application and user space activities
Performance ... If you find a workload that FreeBSD 7.0 performs poorly on, we want to hear about it!
IPMI (Intelligent Platform Management Interface) ... monitoring system hardware
Oh, and then some teasers of what to expect on the horizon:
FreeBSD 8.0-CURRENT, due some time in 2009 (maybe)

Some of the features that seem to be lurking on the horizon:
Continued performance optimization, also targeting 16-core systems (AMD/Intel)
Improved network performance on parallel workloads
Improved filesystem performance
Virtualization support: xen, network stack virtualization, ...
BLUFFS: BSD Logging Updated Fast File System. UFS with filesystem-level journalling.
Serial Attached SCSI, SATA integrated under CAM (storage layer also used for SCSI)
DTrace support from Sun; powerful and extensible debugging and system analysis framework
Stuff we haven't even thought of yet!

I wish I could use FreeBSD for more of my everyday work hehe... :-)

UPDATE: O'Reilly ONLamp had a really great article with lots of details on What's New in FreeBSD 7.0.

Sysadmin sites to include in your own searchengine crawl

During the everyday life of a sysadmin Google plays a large role, but the internal knowledge base is also important, as there are (or should be!) cases related to your specific systems. So hopefully you are providing search for that internal knowledge, or it could go unused!

I am thinking of collecting a set of external sites to include in our internal search engine crawl, as those sites seem to pop up again and again.

I will build a list of sites to include here; bear in mind this is a raw list, I will update it when they are actually put in the search crawler!

Windows administrator/script related so far:
http://www.jsifaq.com/
http://www.windowsitpro.com/topics/index.cfm?action=ArticleList&ChildTopicID=72
http://www.windowsitpro.com/Articles/ArticleID/14459/14459.html?Ad=1
http://www.windowsitpro.com/windowsnt20002003faq/
http://www.ss64.com/nt/
http://www.computerperformance.co.uk/vbscript/
http://www.robvanderwoude.com/
http://cwashington.netreach.net/
http://www.ericphelps.com/batch/index.htm
...
From the ss64.com links page there are many *very* good sites, a lot I didn't know before; here are some snips:

CommandLine.co.uk - Batch File examples and Utilities
FP Schultze - Batch files
OldNewThing - Raymond Chen's weblog

Heise-security.co.uk - Manage Win XP updates without an internet connection.
Timo Salmi - FAQ's - Useful NT/2000/XP script tricks and tips (tscmd)
Steve Hardy - NT/2K command line scripting
Rick Lively - Commands for every version of Windows and DOS
List of TCP and UDP port numbers

Joeware.net - Admin, AD and Exchange tools.
FP Westlake - Free Win32 console utilities.
Alexander Frink - NT Security Utils, Logoff, Change password.
Bill Stewart - Batch script and Windows admin tools.

Poor Mans SMS - scan a pre defined IP range and list all installed software.
Microsoft App Compatibility - command line tool to collect application info.

Agent Ransack - File Search for Win XP
AnalogX - Screen capture, Terminal Server copy, etc

Autohotkey - Automate keystrokes, mouse clicks.
AutoIT - GUI scripting
Bamboo Software - Scheduled Tasks and other command line utils.
DumpSec, DumpEvt - Dump Event Log, Registry or Security info.
OCS Inventory - Open Source System Management
Filezilla - FTP
Lost NT password
NTFS undelete - undelete files
nu2/Barts Bootable CDs - Admin/Recovery
Trinity Rescue Kit - for recovery and repair of Windows machines
Netikus - Password, Ping, FTP tools.
OptimumX - Utilities by Marty List
UnDelete - Diskeeper

And perhaps:

http://www.microsoft.com/technet/scriptcenter/default.mspx

FreeBSD sysadmin so far:
http://taosecurity.blogspot.com/
...

Windows 3GB limit and applications using > 2GB

Windows servers with more than 3 GB of RAM should have a special setting in their boot.ini. Here are examples where %systemroot% is c:\winnt\, even on Windows 2003:
[boot loader]
timeout=3
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Windows Server 2003, Enterprise" /noexecute=optout /fastdetect /3GB /PAE

[boot loader]
timeout=3
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows 2000 Advanced Server" /fastdetect /PAE /3GB
Also, after booting with this setting, check that your application is actually enabled to use more than 2 GB of memory, that is, if you want it to :-) You should be able to enable an application to use more than 2 GB. Microsoft has a nice description:
You can use the Imagecfg.exe file to provide selective use of application memory tuning in Microsoft Windows 2000. Executable files that can access the 3-GB address space must have the IMAGE_FILE_LARGE_ADDRESS_AWARE bit set in their image headers. You can set this bit by using the Imagecfg.exe utility; this utility is included on the Windows 2000 Server Supplement One Resource Kit CD-ROM. For example, to modify an executable file that is named Test.exe, use the following command syntax:
Imagecfg -l test.exe

You can check an exe file by running imagecfg test.exe and looking for this string:
Image can handle large (>2GB) addresses
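If imagecfg.exe is not at hand, the same check can be done by reading the flag out of the PE header itself. The PowerShell function below is an added example, not part of the original post or of Microsoft's tool; it assumes the file is an ordinary Win32 PE image, and the path in the usage line is a placeholder. It parses the DOS header, follows e_lfanew to the PE signature and tests bit 0x0020 (IMAGE_FILE_LARGE_ADDRESS_AWARE) of the COFF Characteristics field, which is exactly what the "Image can handle large (>2GB) addresses" line reports.

```powershell
# Added example, not from the original post: read the IMAGE_FILE_LARGE_ADDRESS_AWARE
# bit (0x0020 in the COFF Characteristics field) straight from the PE header, so an
# executable can be checked on a box that does not have imagecfg.exe. Read-only:
# it reports the bit and never sets it. The path in the usage line is a placeholder.
function Get-LargeAddressAwareInfo {
    param([Parameter(Mandatory = $true)][string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    # DOS header: "MZ" magic, and e_lfanew at offset 0x3C points to the PE signature
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) {
        throw "$Path is not a PE image (no MZ header)"
    }
    $peOffset = [System.BitConverter]::ToInt32($bytes, 0x3C)
    # 4-byte signature plus the 20-byte IMAGE_FILE_HEADER must fit inside the file
    if ($peOffset -lt 0 -or ($peOffset + 24) -gt $bytes.Length) {
        throw "$Path is not a PE image (e_lfanew out of range)"
    }
    if ([System.BitConverter]::ToUInt32($bytes, $peOffset) -ne 0x00004550) {   # "PE\0\0"
        throw "$Path is not a PE image (bad PE signature)"
    }
    # IMAGE_FILE_HEADER follows the signature; Characteristics is its last field,
    # 18 bytes in: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    # PointerToSymbolTable(4) NumberOfSymbols(4) SizeOfOptionalHeader(2)
    $machine         = [System.BitConverter]::ToUInt16($bytes, $peOffset + 4)
    $characteristics = [System.BitConverter]::ToUInt16($bytes, $peOffset + 4 + 18)
    New-Object PSObject -Property @{
        Path              = $Path
        Machine           = '0x{0:X4}' -f $machine   # 0x014C = x86, 0x8664 = x64
        LargeAddressAware = (($characteristics -band 0x0020) -ne 0)
    }
}

# Usage: one file, or every .exe under an application directory
Get-LargeAddressAwareInfo -Path 'C:\path\to\test.exe'
# Get-ChildItem 'D:\app' -Filter *.exe | ForEach-Object { Get-LargeAddressAwareInfo $_.FullName }
```

Machine is reported alongside the bit because the flag matters most for 32-bit images: with /3GB they can only take the extra address space when the bit is set, while 64-bit images are normally linked with it already set. The function only reads the file; setting the bit is still a job for imagecfg -l.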

For your reference my copy of imagecfg.exe has this info:
5.0.1556.1
835A3281EAC25F18B9A859F68776F167 imagecfg.exe


Of course this will not be a problem when everyone is running 64-bit, which will happen sooner or later. As you might know, Windows Server 2008 is the last version to support 32-bit.

Thursday, November 15, 2007

Getting 750 GB SATA drives working

When I got some new 750 GB drives, I attached them to my standard SATA controller, where I already had two 300 GB SATA drives, but then my computer would not start! It did not help to limit the disks by jumper setting:


Moving the drives to the Promise FastTrak controller got the PC booting, but Windows XP couldn't recognize the drives.

I knew I had to update some BIOS or drivers, but I did not know what motherboard I had. So I turned to a friend, who recommended the freeware CPU-Z tool:
http://www.cpuid.com/cpuz.php

CPU-Z produces all kinds of info; you can use the GUI, or export to a text file or HTML, so run it before you upgrade:
cpuz.exe -txt=%computername%-%date%-before_upgrade
I needed the motherboard model and the current BIOS version:
Mainboard Model MS-6702E (0x1E1 - 0xBE28EE)
DMI BIOS
--------
vendor American Megatrends Inc.
version 080011
date 06/08/2005

I entered the model number into the MSI CPU support form and got all kinds of nice info about drivers and BIOS. But I also saw LiveUpdate, which I used instead.

After installing the driver for the SATA controller and rebooting, the drives attached to the Promise controller were visible to XP :-) And it turned out that my BIOS was up to date.

I did not need more support from MSI.

So the bottom line is, I got the drives working from the non-standard SATA controller :-)

Printkey 2000

I got a copy of Printkey 2000 5.10 Full from a friend; he has these md5sums:

93C16AF42A3D508F90AED5CCA1DB5D5B PrintKey.exe
DB4BC1B5BF470886D7C495E2E45C8553 Printkey2000.exe

This way I don't have to rely on some download which I am not sure is safe:

http://www.zdnet.de/downloads/prg/6/y/de000H6Y-wc.html
3033b0d05c7e37999b4b9644f53785af *prntky.zip



Wednesday, November 14, 2007

SQL queries

Today I made a view with a simple join; it's very easy once you get the hang of it:

select b.column_name_1, a.column_name_2
from table1 a, table2 b
where b.somecolumn = a.somecolumn

Tuesday, November 13, 2007

Open source alternatives, for MS Project

I don't think I mentioned osalt.com (open source alternatives) here before, and today I used it again :-)

It is a great website for your business colleagues or management who might not be so familiar with open source and the alternatives available. Please check the osalt sections, and send suggestions to them!

Osalt.com gives you a great overview of commercial software and the alternatives, and even includes a list of supported operating systems.

Osalt.com does not have everything, as not all great software is open source. My favorite freeware editor PSPad is one example, and cannot be found on the osalt UltraEdit alternatives list.

Recently we needed alternatives to MS Project, or at least a .mpp viewer, as the license costs for MS Project are insane. The export-to-webpage wizard is just not my friend, so a viewer for my colleagues is needed!

I would have used OpenProj, as that works on Mac and Unix and I really just need a viewer, but it requires JRE > 1.5, which I don't have here at work. Besides, it was a beta, and if you really need to work with project management, go for GanttProject, which is also available for Mac.

OpenWorkbench only needs 1.3.1 or later of Sun's Java Runtime Engine, but beware that there has not been a release since December 2005.

If you can live with a shareware MS Project viewer, you might check out Projette. I don't know whether it will nag or stop working after some days; so far there have been no problems.

Datestring in batch regardless of regional date setting

A while back I mentioned a collection of advanced batch commands, and today I actually needed the good old env variable %TimeStamp%, so here it is:

@echo off
:: Works on any NT/2K/XP machine independent of regional date settings
:: "date /t" prints e.g. "Fri 11/30/2007" or "30-11-2007"; split it on / - . and space
FOR /f "tokens=1-4 delims=/-. " %%G IN ('date /t') DO (call :s_fixdate %%G %%H %%I %%J)
:: split "time /t" on colon and space, so a trailing AM/PM in 12-hour locales is dropped
for /F "tokens=1-2 delims=: " %%i in ('time /t') do (call :settimeenvvars %%i %%j)
goto :s_print_the_date

:s_fixdate
:: If the first token is a weekday name, drop it so %1-%3 are the date parts
if "%1:~0,1%" GTR "9" shift
:: Piping an empty line into "date" prints "(mm-dd-yy)" in the regional field order,
:: which tells us which token is which; note the pipe (^|) inside the quotes
FOR /f "skip=1 tokens=2-4 delims=(-)" %%G IN ('echo.^|date') DO (
set %%G=%1&set %%H=%2&set %%I=%3)
goto :eof

:settimeenvvars
set hour=%1
set minute=%2
:: pad single digits with a leading zero
IF 1%hour% LSS 20 SET hour=0%hour%
IF 1%minute% LSS 20 SET minute=0%minute%
goto :eof

:s_print_the_date
set timestamp=%yy%%mm%%dd%
if "%1" == "dateonly" goto :end
set timestamp=%timestamp%-%hour%%minute%

:end
echo %timestamp%


I have mentioned it before, but much inspiration for batch can be found at robvanderwoude.com.

One Windows program I have never had a use for before is c:\windows\system32\attrib.exe, which displays or changes file attributes:

ATTRIB [+R | -R] [+A | -A ] [+S | -S] [+H | -H] [drive:][path][filename] [/S [/D]]

  +   Sets an attribute.
  -   Clears an attribute.
  R   Read-only file attribute.
  A   Archive file attribute.
  S   System file attribute.
  H   Hidden file attribute.
  [drive:][path][filename]
      Specifies a file or files for attrib to process.
  /S  Processes matching files in the current folder and all subfolders.
  /D  Processes folders as well.

Example:
attrib \\servername\d$\%2 -r -s -h

Monday, November 12, 2007

FreeBSD binary upgrades

Finally it looks like there will be a binary upgrade possibility in FreeBSD, even for major versions, going from 6.x to 7.x. Very cool work, I will definitely test it!

An interesting side note is the recommended method for portupgrade of all ports; it deals with the ruby and ruby18-bdb problems we all know:
Using portupgrade to rebuild everything is a bit tricky since it can get a bit confused when upgrading the programs it uses (ruby and ruby18-bdb), but the following procedure should work:
# portsnap -I update
# portupgrade -f ruby
...
# rm /var/db/pkg/pkgdb.db
# portupgrade -f ruby18-bdb
...
# rm /var/db/pkg/pkgdb.db /usr/ports/INDEX-*.db
# portupgrade -af

Wuala and cryptographic Snake Oil

A very interesting post on the free, community-based online hard disk project Wuala, which also has a pointer to the very good post on 9 signs you might be dealing with cryptographic Snake Oil:
These snake-oil warning signs are neither necessary nor sufficient criteria for separating the good cryptography from the snake oil. Just as there could be insecure products that don't trigger any of these nine warning signs, there could be secure products that look very much like snake oil. But most people don't have the time, patience, or expertise to perform the kind of analysis necessary to make an educated determination. In the absence of a Food-and-Drug-Administration-like body to regulate cryptography, the only thing a reasonable person can do is to use warning signs like these as guides.
All is of course recommended reading :-)

As for Wuala, I wouldn't mind giving it a try, I just don't have a use for it right now.

Sitemeter statistics

When I started writing here I added Google Analytics to the blog, it works really well.

In the past I have been very happy with some simple web statistics like Webalizer and AWStats, so now I have added something similar to those: Sitemeter.

Sitemeter Basic is free and simple, plus it can send you a stat overview by e-mail. It can also act as a good old counter.

As for adding the script code to the HTML on your website, it is as simple as for Google Analytics.

Wednesday, November 7, 2007

Windows media on Mac

Just found something I need for my MacBook, to view Windows media in Firefox:

http://www.microsoft.com/windows/windowsmedia/player/wmcomponents.mspx
http://www.flip4mac.com/

There was no plugin for Firefox, so I installed it manually.

Sunday, November 4, 2007

NSM readup, for later use

I am still behind my own schedule for my NSM setup; I guess my wife and our newborn (2 months old) are taking up most of my time :-)

Anyway, I want to keep a few pointers to good articles and websites for later. Once again from Taosecurity :-)
Russ McRee followed his excellent discussion of NSM and Sguil in the October InfoSecMag with a new article called Argus – Auditing network activity (.pdf), published in the November 2007 ISSA Journal. It's another great read.

UPDATE 1:
Great NSM demo from Taosecurity, using session analysis and full content, basically perfect for education: http://taosecurity.blogspot.com/2007/11/analyzing-protocol-hopping-covert.html


UPDATE2:
Taosecurity again, of course: What is NSM? NSM vs. IDS, with a pointer to a slide show from 2002 :-) It still holds water! One of the good ones:
“IDS” is only a product; NSM is an operation incorporating products, people, and processes

Thursday, November 1, 2007

Get PCI compliance, and become a better administrator and a stronger team

In the spring and summer of 2006 I was part of completing a PCI compliance. This was a great experience. We achieved and learned so much from the process, and in a very short amount of time, because we had a deadline before we were going to be audited. I can only recommend the process to anyone!

Here is a quick rundown of what we used:
  • Osiris for HIM (host integrity monitoring), on both Windows and FreeBSD. At the time there was no OSSEC.
  • Central syslog.
  • Snort with syslog reporting, also to SMS. We played with Sguil as NSM, but it was too much network data for the server we had set up. If I were to improve and redo something, this would be it: a server with more CPU and disk space for it.
  • Improved the FreeBSD (ipfw) and Windows (IPsec) firewall administration by having the rules pulled from a central CVS server.
  • Nessus 2.x at the time, for penetration testing and remote scanning. Later fully automated, with reports sent to Subversion for diffing and to certain e-mail addresses for completeness.
  • Web servers, mail servers, DNS servers etc. got a security check; there was not much to improve.
  • ClamAV on Windows as antivirus, which does not seem necessary, but it was a demand.
  • All software/webpages, documentation and scripts (setup/upgrade/changes) go into CVS for ease of diff and review by the different people responsible for the entire setup.
All in all, it was a great experience for myself and for the team of people involved. It brought us together in a new way while working toward the goal :-)

I am not the only one who is happy about the learning from becoming PCI compliant. Here are some snips from his experience; it is very similar to my

I'm using OSSEC (http://www.ossec.net) to monitor the individual SysLog
files for perceived security issues. OSSEC understands Snort, Cisco PIX,
IPTables, and a host of others.
Additionally, I have OSSEC agents running on each of my servers
(including Windoze), which report back to a central OSSEC Server.

Network Intrusion Detection (Snort):
If you are going to use Snort, I highly recommend that you use the
latest version. You'll probably have to compile it from source, but it's
worth it. Snort is sending alerts to my central SysLog server, which
provides a nice and easy central logging repository for Snort alerts.
I'm then using OSSEC to monitor the SysLogs for Snort messages, and
generate alert emails.

Rootkit detection and scanning (RKHunter and CHKRootKit [and OSSEC]):
Never trust a single Rootkit scanner. Both RKHunter and CHKRootKit are
excellent tools, but one could have more/different signatures at
different times.

Network Penetration testing (Nessus 3.x):
I can't stress this enough. If you're going to use Nessus
(http://www.nessus.org), do yourself a favor and install the latest
version.

Layer-7 Firewall (ModSecurity / Apache Proxy):
If you're really serious about CISP, spend the $5000 to purchase a
1-year support contract for ModSecurity (Breach Security
http://www.breach.com). In addition to an immense amount of help with
writing custom rules, you also get a really fast ruleset that's
specifically geared towards PCI Compliance.
One caveat, however, is that you should know a good deal about Perl
Regular expressions if you're going to implement ModSecurity. If this is
an issue for you, you may need to look into other (closed-source,
bleck!) alternatives like F5.
Another Firewall solution that I've been playing around with lately is
Untangle (http://www.untangle.com). Unfortunately, I require ethernet
bonding and 802.1q support, so it's not yet a feasible solution for me
yet. That being said, their Snort front-end can't be beat. And I talked
with a couple of the guys at their Linux World booth recently, who said
that they were going to start bundling Untangle with Ubuntu and other
distros (most of which provide the tools and kernel modules for 802.1q
and bonding).

Per machine firewall (IPTables with Shorewall front-end):
Shorewall is extremely powerful, if not a bit difficult to use. I
wouldn't use it for a gateway machine (although I use it as a
router-firewall between networks on my Corporate network), but it makes
a very good Host-based firewall. The idea here is to only leave the
ports that need to be open, open, and only allow access from the
machines/networks that need access to them. You will need other separate
physical firewalls between you and the rest of the world, as well as
between your servers and your database servers, but you can limit who
and what has access to a specific machine.
Secure Central Backups and Archiving (Bacula):
I really love Bacula. It's a bit of a learning curve, but it's GPL'ed,
and it runs on multiple platforms. The features of Bacula rival
NetBackup and Legato, although the interface can be cumbersome to use.
The most important feature is Archival encryption. This indemnifies you
against having to report a lost or stolen tape to all of your customers
(which you shouldn't need to worry too much about if you have a good
backup policy).
Of course, you need to have a solid policy for handling tapes that your
employees must adhere to, that a PCI/CISP auditor must sign off on.
Don't be too wordy. All they need to know is: that machines are backed
up on a regular basis, that certain backup sets are retained for XXX
days/years, that you have a compliant offsite archival policy.

Also, if you've never gone through CISP/PCI before, be prepared for a
lot of long nights, headaches, etc. Try not to get discouraged. It will
be worth it in the end. I can honestly say that I am a much better
engineer for having gone through the process.