
Excluding Windows 7 from Startup Scripts

Windows 7/Server 2008 comes with a host of new GPO settings that fill in the gaps that were left with Server 2003. Things like mapped drives, desktop shortcuts, and many of the other tasks that we used to handle with VBScripts are no longer necessary with Windows 7 and Server 2008.

You may find the need to exclude a specific version of Windows from startup scripts. Insert the following at the top of your VBScript to exclude Windows 7:


strComputer = "."
' Connect to WMI on the local machine ("." = this computer)
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")

Set colOperatingSystems = objWMIService.ExecQuery _
    ("Select * from Win32_OperatingSystem")

For Each objOperatingSystem in colOperatingSystems
    ' Caption holds the product name, Version the build number
    msg = objOperatingSystem.Caption & " " & _
        objOperatingSystem.Version
    If InStr(msg, "Microsoft Windows 7") > 0 Then
        ' Exit before the rest of the startup script runs
        WScript.Quit(0)
    End If
Next

This can also be used to quickly exclude any version of Windows from XP to 2000 if necessary.

Automated domain password expiration notifications through email

In an environment where every computer that you have is a PC and every computer is attached to your domain, password expiration is handled for you. If a user's password is about to expire, they are notified every time they log on and are forced to change it after it has expired.

Today, a network full of PCs isn’t always feasible and, in some cases, adding the machine to the domain isn’t acceptable. I have worked in environments where every user had a laptop which could not be added to the domain. I have also worked in an environment where there were just as many Macs as PCs. I had to answer a question that I feel many admins will have to face in the next few years:

How do you manage password expiration for users that cannot be added to the domain?

There are a few restrictions that I placed on myself for this:

1) The solution should have a minimal impact on security.

2) The solution should preserve the use of SSL IMAP and SSL SMTP for the users that require it.

3) The solution should require minimal maintenance.

4) The solution should be automated.

My answer to this was an automated password expiration email reminder and enabling password changing through OWA.

Scouring the web, I found a few paid solutions, but I truly felt like this should be a feature that was included within Windows.

Then I came across this:

http://bassplayerdoc.blogspot.com/2007/11/identify-password-expiration-in-active.html

It seemed perfect, if it worked.

After a bit of research I got the script to work and added a few things to it. The download link is below and the configuration options are as follows:


'====================================
'Script Configuration Options
Const EMAIL_SERVER = "exchange.domain.local"
Const EMAIL_FROM = "administrator@domain.com"
Const OWA_STRING = "at https://exchange.domain.com"

Const FIRST_REMINDER_DAY = 10
Const START_REMINDER_DAYS = 7

'Where log files will be stored
'Remember to end with \
Const LOG_PATH = "C:\EMAIL_REMINDER\"
'This setting allows you to append the date to the log file so that you get an Archive
Const APPEND_DATE = 0

'SET DEBUG MODE to 1 to send all emails to debug_email
DEBUG_MODE = 1
DEBUG_EMAIL = "jayt@domain.com"
'====================================

EMAIL_SERVER sets the SMTP server that the email should be sent through
EMAIL_FROM sets the from address
OWA_STRING sets the OWA address
FIRST_REMINDER_DAY sets the first day that the reminder should go out
START_REMINDER_DAYS sets the first day that the user should receive continuous reminders until the password has expired
In this case, the user would receive a reminder 10 days before the password expired and then on the 7th, 6th, 5th… until the password did expire.
LOG_PATH sets where the logs will be stored
APPEND_DATE allows you to append the run date to the end of the log so that you can have an archive
DEBUG_MODE sends all of the emails to the DEBUG_EMAIL if it is not set to 0
DEBUG_EMAIL is where you would get the password expiration emails if DEBUG_MODE is set

Set this VBScript to run as a scheduled task under a domain admin account every day and your users will now get password expiration emails.
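The reminder schedule that FIRST_REMINDER_DAY and START_REMINDER_DAYS describe, combined with the usual Active Directory expiry calculation from pwdLastSet and maxPwdAge, as an added PowerShell example (not the code of the downloadable script). The function names, the account list and the 90-day policy are constructed for illustration, and sending a reminder on the day of expiry itself is an assumption.

```powershell
# Added example. Values mirror the script's configuration options.
$FIRST_REMINDER_DAY  = 10
$START_REMINDER_DAYS = 7

function Get-DaysUntilExpiry {
    param([long]$PwdLastSet, [long]$MaxPwdAge, [int]$UserAccountControl, [datetime]$Now)
    # userAccountControl flag DONT_EXPIRE_PASSWORD: the password never expires
    if ($UserAccountControl -band 0x10000) { return $null }
    # maxPwdAge of 0 or Int64.MinValue: the domain sets no maximum password age
    if ($MaxPwdAge -eq 0 -or $MaxPwdAge -eq [long]::MinValue) { return $null }
    # pwdLastSet = 0: user must change password at next logon, treat as expired
    if ($PwdLastSet -eq 0) { return 0 }
    # pwdLastSet is a FILETIME; maxPwdAge is a negative 100-ns interval
    $expires = [datetime]::FromFileTimeUtc($PwdLastSet).AddTicks(-$MaxPwdAge)
    return [int][math]::Floor(($expires - $Now.ToUniversalTime()).TotalDays)
}

function Test-SendReminder {
    param($DaysLeft)
    if ($null -eq $DaysLeft) { return $false }
    # One early notice, then a daily notice from START_REMINDER_DAYS down to 0.
    # Assumption: the day of expiry (0) still gets a reminder.
    $early = $DaysLeft -eq $FIRST_REMINDER_DAY
    $daily = ($DaysLeft -ge 0) -and ($DaysLeft -le $START_REMINDER_DAYS)
    return ($early -or $daily)
}

# Constructed sample data: a 90-day policy and four made-up accounts
$now       = [datetime]::new(2024, 3, 1, 0, 0, 0, [DateTimeKind]::Utc)
$maxPwdAge = -([timespan]::FromDays(90).Ticks)
$accounts  = @(
    @{ Name = 'alice'; Age = 80; Uac = 0x200 }    # password set 80 days ago
    @{ Name = 'bob';   Age = 81; Uac = 0x200 }    # falls in the gap between 10 and 7
    @{ Name = 'carol'; Age = 85; Uac = 0x200 }    # inside the daily window
    @{ Name = 'svc';   Age = 85; Uac = 0x10200 }  # DONT_EXPIRE_PASSWORD set
)
foreach ($a in $accounts) {
    $set  = $now.AddDays(-$a.Age).ToFileTimeUtc()
    $days = Get-DaysUntilExpiry -PwdLastSet $set -MaxPwdAge $maxPwdAge `
                -UserAccountControl $a.Uac -Now $now
    [pscustomobject]@{ User = $a.Name; DaysLeft = $days; Send = (Test-SendReminder $days) }
}
```

Reading pwdLastSet and maxPwdAge needs only the read access that authenticated domain users have by default, so a lookup of this kind does not in itself depend on domain admin rights.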

DOWNLOAD: Email_Reminder

Where you at? – Privilege escalation in windows

Privilege escalation is usually a topic when discussing UNIX-based systems. Because the default setting in Windows is to run as a full administrator, escalating your privileges seems fairly pointless. Most exploits on Windows systems occur on service accounts, which generally have full control of a system; most services on UNIX-based systems, on the other hand, run under dedicated accounts with limited rights.

So the questions are:

1) What are the benefits of escalating your privileges in Windows?

2) How do you escalate your privileges?

What are the benefits of escalating your privileges?

When you are already running as a full administrator on your system, where can you go from there? Isn’t administrator the top echelon of the rights totem pole?

While the administrator account has the highest user privileges on a system, there is one account that has slightly higher privileges: the Windows SYSTEM account. When running as the Windows SYSTEM account you are essentially running as the system.

How do you escalate your privileges?

The process is actually quite simple: you need to get the SYSTEM account to run a program that you can interact with. This is where the “at” command comes into play. The “at” command schedules a task at a specific time. Unlike the “schtasks” command, which runs a job under the account that scheduled it, the “at” command runs it as “SYSTEM”.

Open a command prompt and type:


at 13:01 /interactive cmd

This schedules a task to open a command prompt window at 1:01 pm and sets it to run in interactive mode. You will notice that a standard command prompt has the title “C:\WINDOWS\system32\cmd.exe”, while the new command prompt window has the title “C:\WINDOWS\System32\svchost.exe”.

When you open Task Manager you will notice that the “cmd.exe” process is running under the “SYSTEM” account.

From here you can end your explorer.exe process and run explorer in the escalated command prompt. This will run explorer as the system. You can confirm this using Task Manager, or, if you have a theme that shows your username in the Start menu, you will notice that it says “SYSTEM” in place of your username.
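From the monitoring side, the command above leaves a recognisable command line. The following added PowerShell example (not part of the original post) flags “at” invocations that use /interactive in process-creation records; the records are constructed, and the property names Time, User and CommandLine are assumptions standing in for whatever your logging exports.

```powershell
# Added example. Records are constructed; property names are assumptions
# modelled on process-creation logging that captures the full command line.
$events = @(
    [pscustomobject]@{ Time = '2024-03-01 13:00:12'; User = 'CORP\jsmith'
                       CommandLine = 'at 13:01 /interactive cmd' }
    [pscustomobject]@{ Time = '2024-03-01 13:05:40'; User = 'CORP\backup'
                       CommandLine = 'C:\Windows\System32\at.exe \\FILESRV01 02:00 /every:M cmd /c backup.bat' }
    [pscustomobject]@{ Time = '2024-03-01 13:07:03'; User = 'CORP\jsmith'
                       CommandLine = 'schtasks /create /tn Backup /tr backup.bat /sc daily' }
    [pscustomobject]@{ Time = '2024-03-01 13:09:55'; User = 'CORP\mlee'
                       CommandLine = '"C:\Windows\system32\at.exe" 09:30 /INTERACTIVE notepad.exe' }
)

function Find-InteractiveAtJob {
    param([object[]]$Events)
    # "at" or "at.exe" (bare, quoted, or with a path) followed by /interactive.
    # The leading group stops words that merely end in "at" from matching.
    $pattern = '(^|[\\\s"])at(\.exe)?"?\s+.*?/interactive\b'
    foreach ($e in $Events) {
        if ($e.CommandLine -match $pattern) {   # -match ignores case by default
            # Everything after /interactive is the program the job would start
            $payload = ($e.CommandLine -split '/interactive', 2)[1].Trim()
            [pscustomobject]@{
                Time        = $e.Time
                User        = $e.User
                Payload     = $payload
                CommandLine = $e.CommandLine
            }
        }
    }
}

Find-InteractiveAtJob -Events $events | Format-Table -AutoSize
```

Jobs created with “at” appear in the scheduled task list as At1, At2 and so on, so an inventory of tasks with those names complements command-line matching.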

How-to: Disable the log-in background

One of the most annoying things about Dell servers is the log-in background. To get rid of it create a text document with the following and rename it to clearwp.reg.

Windows Registry Editor Version 5.00

[HKEY_USERS\.DEFAULT\Control Panel\Desktop]
"Wallpaper"="(None)"

You can now run this on individual machines or deploy it via Group Policy. Alternatively, you can manually change this setting using regedit.