Syncio Blog favicon.ico 2008-07-16T10:24:00.9375-05:00 Chris Misztur little tiny electrons http://sync-io.net:83/ DasBlog EventCollector: Intercepting the Forwarded Events log with System.Diagnostics.Eventlog class (Post 2) http://sync-io.net:83/PermaLink,guid,d5a63229-e712-42ec-a294-770972c12b7b.aspx 2008-07-16T10:21:58.343-05:00 2008-07-16T10:24:00.9375-05:00

Otto's recent post on event log triggers explains how to: start a program, send an email or show a message on the occurence of an event in the Event Log.  This is a great step forward, however, some might feel that it is not enough to deploy a large scale logging and notification environment with a focus on autonomy. 

The alternative is to develop a piece of code that will subscribe to the __InstanceCreationEvent of the Forwarded Events log.  The obstacle to using the existing System.Diagnostics.Eventlog class is that the class does not interface with the channeled structure of the new Event Log in Vista/2008.  (The Forwarded Event log is not visible to Eventlog.GetEventLogs() because it is a channel.

The following steps rectify this shortcoming:

1.   Create an overlapping ForwardedEvents classic log.
      EventLog.CreateEventSource("ForwardedEvents", "ForwardedEvents")
 
2.   Export and Remove ForwardedEvents channel from registry.
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\ForwardedEvents
 
3.   Recreate the Source Initiated subscription on the server.   
 
4.   Restart the Windows Event Collector service on the server.
 
5.   Restart the WINRM service on the client.
 

If everything worked, you should see incoming events in the ForwardedEvents log.  Notice that the log name does not contain a space anymore.  This was done to match the full name of our new event log to that of the removed channel.

ForwardedEvents log will now be part of the Eventlog.GetEventLogs() array.  You can deploy a ManagementEventWatcher to successfully intercept, parse and take action on incoming events.

ISA 2006 Cache and HTTP Kaspersky Antivirus http://sync-io.net:83/PermaLink,guid,ddb0e831-f195-42f0-8975-85851e39eb9f.aspx 2008-06-18T14:15:11.234-05:00 2008-06-18T14:31:26.890625-05:00

Using the FPCCacheContents Object I was able to force-cache any file I wanted for any duration I wanted. 

1.  I downloaded Cain&Abel executable from source #1 and Kaspersky blocked it.  I verified that traffic was coming from souce #1 with Wireshark.
2.  I force-cached Cain&Abel executable from source #2 to avoid IE caching or anything that might invalidate this test.  The item now exists in ISA cache.
3.  I downloaded Cain&Abel executable from source #2 again.  I verified that traffic was indeed coming from ISA Cache with Wireshark. 
I turned up KAV log files to Debug and verified that the Cain&Abel executable has not been flagged the first time it was downloaded.  Kaspersky blocked Cain&Abel from ISA Cache.
 
Conclusion:

  • HTTP Kaspersky engine interfaces with cache and routed requests. 
  • Anything can be forced into ISA cache.

See the ISA Monitor Utility for cache control.  http://sync-io.net/IsaTools.aspx

 EventCollector: Subscribing HTTP XP/2003 clients (Post 1) http://sync-io.net:83/PermaLink,guid,3a6627d1-946a-4c8a-b786-f3735703e32b.aspx 2008-06-18T11:08:50.734-05:00 2008-07-16T09:52:31.171875-05:00

Setting up a Collector Initiated Subscription:

1. Download and install WS-Management/WINRM on client and collector computers.  Configure WINRM using command "winrm quickconfig".  Event Viewer will be appended with a Microsoft-Windows-Forwarding/Operational log.

2. Configure WECUTIL on collector computer using command "WECutil QC".

3. Import subscription using command 'WECUTIL cs sub_CI_Pull0.xml' on the collector computer.

NOTE: Modify sub_CI_Pull0.xml before importing it.  I used a domain account with administrative privilages.  The Event Selection xpath syntax is sensitive.  I was unable to create a query for the Security log.  (Security Log Permissions)

4.  Run eventvwr.msc on the collector computer.  Right click on your subscription and view Runtime Status.  Specified clients have to display a green, Active status.  You will see events appearing in the Windows Logs\Forwarded Events log shortly.

Setting up a Source Initiated Subscription:

Source Initiated subscription is the preferred way of forwarding events as it is much easier deployed via Group Policy.

Repeat above steps 1 through 4, replacing sub_CI_Pull0.xml in step 3 with sub_SI0.xml.

The extra step to perform on XP/2003 clients is to tattoo the registry at:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager

Type: REG_SZ
Name: 1
Data: Server=collector.domain.com (FQDN of your collector, HTTP transport only.  A valid URI is required for HTTPS, e.g. "Server=https://<FQDN>/wsman/SubscriptionManager/WEC")

and then restart the WINRM service on the client.  These extra steps should produce event 104 in your client's Windows Logs\Forwarded Events log with the message: "The forwarder has successfully connected to the subscription manager at address <FQDN>.", followed by event 100 with the message: "The subscription <sub_name> is created successfully."

WINRM notes:

  •    WINRM configuration has not been altered from the default.  It seems that setting TrustedHosts variable is not necessary (winrm set winrm/config/client @{TrustedHosts="wildcard_machine_name_here"})

EventCollector notes:

  •    The Create Subscription GUI did not work for me at creating a collector initiated subscription.
  •    For some reason I started getting an Access Denied error with this set up and I had to either: change the User Account in Advanced Subscription Settings from Machine Account to a Specific User account OR restart the WINRM service on the client.

Please post comments and ideas you have.  I am interested in how far we can go with this XP<-->2008 collector setup.

 

Reference Links:

http://blogs.technet.com/otto/default.aspx

http://support.microsoft.com/kb/936059

http://msdn.microsoft.com/en-us/library/aa384291%28VS.85%29.aspx

http://certcities.com/editorial/columns/story.asp?EditorialsID=292

http://technet2.microsoft.com/windowsserver/en/library/30757b93-7291-4254-b15e-f0aa5f45ac541033.mspx?mfr=true

http://technet.microsoft.com/en-us/magazine/cc137748.aspx

http://support.microsoft.com/kb/912309

http://openwsman.org/book/export/html/17

http://blogs.technet.com/otto/archive/2007/02/09/sample-vista-ws-man-winrm-commands.aspx

http://msdn.microsoft.com/en-us/library/bb870973%28VS.85%29.aspx

http://msdn.microsoft.com/en-us/library/bb736545%28VS.85%29.aspx

http://msdn.microsoft.com/en-us/library/bb427443%28VS.85%29.aspx

http://www.microsoft.com/downloads/details.aspx?familyid=845289ca-16cc-4c73-8934-dd46b5ed1d33&displaylang=en

http://support.microsoft.com/kb/912030

http://www.microsoft.com/technet/scriptcenter/newswire/winrm.mspx

http://download.microsoft.com/download/5/D/6/5D6EAF2B-7DDF-476B-93DC-7CF0072878E6/wsm.doc

http://en.wikipedia.org/wiki/WS-Management

http://technet2.microsoft.com/WindowsVista/en/library/8fd4aad5-50bc-4389-bdae-e09ee464e46d1033.mspx?mfr=true

http://msdn.microsoft.com/en-us/library/aa385231%28VS.85%29.aspx

Reference Posts:

http://forums.technet.microsoft.com/en-US/winserverManagement/thread/d6fd73ed-2e6d-43d1-943b-a45f9d81a461/

http://forums.technet.microsoft.com/en-US/winserverManagement/thread/a4e8122a-3dc1-4954-bee7-bafed1fdb08e/

http://www.microsoft.com/communities/newsgroups/en-us/default.aspx?dg=microsoft.public.windows.server.networking&tid=7dd38777-19d5-464d-aaeb-f31424b04ce1&cat=&lang=&cr=&sloc=&p=1

Attachments:

sub_CI_Pull0.xml (1.30 KB) 

sub_SI0.xml (1.46 KB)
Stopping Malware with ISA 2006 http://sync-io.net:83/PermaLink,guid,2e4ee447-abe3-4ba5-98c0-f8a8d1876179.aspx 2008-04-22T20:09:16.218-05:00 2008-06-18T14:07:27.828125-05:00

I recently came across MalwareDomains.com.  They provide a list of domain names that have been associated with malware.  The list contains over 21000 valid entries and I have decided to integrate it with ISA 2006 since it's rare to find such a free resource that is actually kept up to date.

The import tool is available here: http://sync-io.net/IsaTools.aspx

Basically, you're able to import the domain.txt file into ISA as a URL or DNS set.  Then you just set your deny access rule and away you go.  This utility can run as a scheduled task.

CreateProcessAsUser from System Service (VB.NET) http://sync-io.net:83/PermaLink,guid,d71d00da-05d7-4832-86fc-eeaf416cd7be.aspx 2008-03-27T16:00:07.546-05:00 2008-06-24T16:11:06.046875-05:00

The following code has been tested on Windows 2003 SP2.  The calling user account must have 'Assign Primary Token' and 'Increase Quota' permissions to properly execute CreateProcessAsUser; see MS KB285879.  

          
            Public
            Function RunProc(ByVal CMD AsString, ByVal ARG AsString) AsStringDim er As Int16 Dim exitCode As System.UInt32 = Convert.ToUInt32(123) Dim saThreadAttributes As SECURITY_ATTRIBUTES =New SECURITY_ATTRIBUTES
saThreadAttributes.nLength = Marshal.SizeOf(saThreadAttributes) Dim impToken As System.IntPtr = IntPtr.Zero Dim priToken As System.IntPtr = IntPtr.Zero If LogonUser("DomainUser", "Domain", "Passwd",
LogonType.LOGON32_LOGON_INTERACTIVE, _ LogonProvider.LOGON32_PROVIDER_DEFAULT, impToken) ThenIf DuplicateTokenEx(impToken,
&H2000000, Nothing,
SecurityImpersonationLevel.SecurityDelegation, TOKEN_TYPE.TokenPrimary, priToken) ThenDim pi As PROCESS_INFORMATION =New PROCESS_INFORMATION Dim si As STARTUPINFO =New STARTUPINFO
si.cb = Marshal.SizeOf(si)
si.lpDesktop = IntPtr.Zero Dim saProcessAttributes As SECURITY_ATTRIBUTES =New SECURITY_ATTRIBUTES
saProcessAttributes.nLength = Marshal.SizeOf(saProcessAttributes) IfNot CreateProcessAsUser(priToken,
CMD, CMD & "
" & ARG, saProcessAttributes, _ saThreadAttributes, False,
0, IntPtr.Zero, "c:\",
si, pi) Then er = Marshal.GetLastWin32Error
RunProc = ("err
runas " & er) Else WaitForSingleObject(pi.hProcess,
Infinite) GetExitCodeProcess(pi.hProcess, exitCode) EndIf CloseHandle(priToken)
CloseHandle(impToken) CloseHandle(pi.hProcess) CloseHandle(pi.hThread) EndIfEndIfEndFunction
Protecting CIFS from unauthorized access with IPSEC http://sync-io.net:83/PermaLink,guid,edb235b1-c20b-41c7-b2b8-a9ad90893f37.aspx 2008-03-20T13:34:45.718-05:00 2008-03-20T13:34:45.71875-05:00

Let's pretend that Joe Smith working for company A just got an offer from company B to steal company A's products database for one million dollars.  However company A already has aleady secured their system pretty tightly.  All external storage such as USB has been blocked, there are no floppies and Joe does not even have outside email access.  Joe, however, does have CIFS access to the precious database.  So he decides to bring a laptop from home, plugs into the network and obtains an IP from the DHCP server.  He attempts to join Company A domain but is denied since he is not an administrator.  Joe decides to navigate to '\\FileServer\Databases'.  Windows prompts him for a username and password, so Joe types in 'CompanyA\JoeSmith' and his usual domain password.  Voila, he gained access to the Databases share and now is copying data from the file server onto his laptop; hands the data to company B and receives a million dollars.  Scary, isn't it?

Wouldn't it be much better if Joe brought his laptop, obtained and IP but when he tried to access the shared folder all he would receive was an Access Denied message?  Here is how:

First of all this setup works because the Windows machine itself is a security principal with an account name and password in Active Directory Services.

We need to create two IPSEC policies, one for the file server and the second one for all clients. 

File Server Setup:

IP Filter List will contain the following source ports:
TCP 137
TCP 139
TCP 445
UDP 137
UDP 139
The source IP address will be the file server's IP address and the destination subnet will be any client grouping you choose. 

The Filter Action will be a custom filter to negotiate security.  Inside the Custom Security Methods use MD5 to protect 'data and address integrity without encryption'.  Note: Enabling encryption will affect SMB/CIFS performance.

Client Setup:
The IP Filter List will contain the same source ports as the File Server setup did.  However the source address will be the File Server's IP address and the destination address will be My IP Address.
The Filter Action will be the same custom filter as in the setup above.

After applying the IPSEC policy through GPO, you can use the IPSEC Monitor MMC to view statistics and associations.  Sniffing the cable should produce ISAKMP protocol between the client and server.  Any existing CIFS connections will not survive IPSEC taking effect, so remember to do this overnight or force a client reboot.  Turning up event logging is also a good way to debug any failed key exchanges.

Another approach is individual share protection by using the 'NTLM Authenticator' user.

Anti-malware products are a scam! http://sync-io.net:83/PermaLink,guid,4b1b52ce-132a-4d5d-9e9b-70a2df823f6c.aspx 2008-03-20T12:58:14.453-05:00 2008-03-21T21:09:55.078125-05:00

Every software company seems to be coming out with the next best way to protect your computer from malware, including viruses.  What happened to educating users on the risks of downloaded content execution and strategies of malware distribution? 

I have included on Syncio's web site a guide to malware identification.  This article is aimed at the more knowledgable user who wishes to identify the infection prior to removing it. 

http://sync-io.net/Community/Rainbow/MalwareIdentity.mht

A great resource for computing and networking concepts can be found at about.com.

http://compnetworking.about.com/od/basicnetworkingconcepts/

http://www.about.com/compute/

NSA has developed guides to securing your operating system.

http://www.nsa.gov/snac/downloads_os.cfm?MenuID=scg10.3.1.

 

In an upcoming blog I will describe the practical ways of recognizing malware before it infects your computer...