April 2009 - Posts
-
One question I see multiple times is how to read event logs (especially security logs) from multiple computers and save them in another format, mostly CSV. This is something that could easily be done with Powershell, and the following script shows how:

# ==============================================================================================
#
# NAME: Export-SecurityEventAsCsv.ps1
#
# AUTHOR: Ragnar Harper , Harper Labs
# DATE : 28.04.2009
#
# COMMENT: Get the securityevents and saves them to file as csv
#
# Filename should be a simple file containing one computername on each line
#
# ==============================================================================================

param(
    [string] $Filename = $(throw "File with computernames to query needs to be supplied.")
)

function SaveComputerSecurityLog($computer)
{
    # One CSV per computer, named after the computer.
    $CsvFile = "$computer.csv"
    Write-Host $CsvFile
    get-wmiobject -query "Select * from Win32_NTLogEvent Where Logfile = 'Security'" -computername $computer |
        Export-Csv -Path $CsvFile -NoTypeInformation
}

$computers = Get-Content $Filename
foreach ($computer in $computers)
{
    SaveComputerSecurityLog $computer
}
The input file with computernames should be as simple as this:
ComputerName1
ComputerName2
ComputerName3
ComputerNameN
Have fun :)
You can download the script here: http://blog.crayon.no/files/folders/scripts/entry12984.aspx
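The script above copies the whole Security log of each computer into its own file. For day-to-day review you usually want a narrower pull: a handful of event IDs, a time window, one combined file, and a run that does not stop at the first unreachable host. The following is an added example written for this page (not the post's script): it assumes Get-WinEvent can reach the hosts (Remote Event Log Management allowed through the firewall and the caller in the Event Log Readers group), and the file names, the 24-hour window and the event ID list are this example's own choices.

```powershell
# Added example (not the post's script): pulls selected Security events from every computer
# in a list into one CSV, keeps going when a host is unreachable, and filters on the remote
# side instead of copying the whole log.
param(
    [string]$ComputerList = 'computers.txt',            # one hostname per line, as in the post
    [string]$OutFile      = 'security-events.csv',
    [int]$Hours           = 24,
    [int[]]$EventId       = @(4625, 4720, 4740, 1102)   # failed logon, user created, lockout, audit log cleared
)

function Get-SecurityEvents {
    param([string]$Computer, [int[]]$Id, [datetime]$Since)
    try {
        Get-WinEvent -ComputerName $Computer -ErrorAction Stop -FilterHashtable @{
            LogName   = 'Security'
            Id        = $Id
            StartTime = $Since
        } | Select-Object MachineName, TimeCreated, Id, TaskDisplayName,
                @{ Name = 'Message'; Expression = { ($_.Message -split "`r?`n")[0] } }   # first line keeps the CSV readable
    }
    catch {
        # Get-WinEvent reports "no events" through the error stream; that is a normal result, not a failure.
        if ($_.Exception.Message -match 'No events were found') { return }
        Write-Warning "$Computer : $($_.Exception.Message)"
    }
}

$since = (Get-Date).AddHours(-$Hours)
Get-Content -Path $ComputerList |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ } |                                   # skip blank lines
    ForEach-Object { Get-SecurityEvents -Computer $_ -Id $EventId -Since $since } |
    Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
```

Run it as `.\Collect-SecurityEvents.ps1 -ComputerList computers.txt -Hours 48` (the file name is this example's). The MachineName column replaces the per-computer file names of the original, so one CSV can be sorted and filtered across all hosts.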
|
-
I thought that I should post my Powershell script to read information about an RMS protected document. The script looks for the XrML tags inside the document and reads them into an XmlDocument. Then I use the simple XmlDocument functionality inside Powershell to write out some of the interesting information.

1: # ==============================================================================================
2: #
3: # NAME: Get-ADRMSDocumentInfo.ps1
4: #
5: # AUTHOR: Ragnar Harper
6: # DATE : 18.04.2009
7: #
8: # COMMENT: A simple script to read some of the RMS attributes in the document.
9: #
10: # ==============================================================================================
11:
12: function WriteRMSInfo($xmlDoc)
13: {
14: Write-Host "Issuer:" $xmlDoc.xml.XrML[0].Body.Issuer.Object.Name
15: Write-Host "Issued Time:" $xmlDoc.xml.XrML[0].Body.issuedtime
16:
17: $xmlDoc.xml.XrML[0].Body.Descriptor.Object.Name -match "DESCRIPTION.*" | Out-Null
18: $description = $matches[0].SubString(12,$matches[0].Length-14)
19: Write-Host "Description:" $description
20: Write-Host "License Acquisition URL:" $xmlDoc.xml.XrML[0].Body.Distributionpoint[0].Object.Address."#text"
21: Write-Host "Distribution contact person:" $xmlDoc.xml.XrML[0].Body.Distributionpoint[1].Object.Address."#text"
22: Write-Host "Owner:" $xmlDoc.xml.XrML[0].Body.work.metadata.owner.object.name
23: Write-Host "Object Type:" $xmlDoc.xml.XrML[0].Body.work.object.name
24: Write-Host "Issued Principals:" $xmlDoc.xml.XrML[1].Body.IssuedPrincipals.Principal.Object.name
25: }
26: trap
27: {
28: Write-Host "Please Check that file exists."
29: exit
30: }
31: if ($args.count -ne 1)
32: {
33: Write-Host "USAGE: Get-ADRMSDocumentInfo.ps1 <file>"
34: Write-Host "<file> is the file to test."
35: exit
36: }
37:
38: $file = $args[0]
39: $content=Get-Content $file
40: $line=[string]::join(" ",$content) # Build all lines as a simple string.
41:
42: if($line -match "<XrML version=.*</XrML>") #Find XrML tags
43: {
44: $xrml="<xml>"+$matches[0]+"</xml>" #add outer Xml tags (multiple xrml tags could be found)
45: #$xrml | Out-File test.xml
46: $xmlDoc=[xml]$xrml
47: WriteRMSInfo($xmlDoc)
48: #$xmlDoc
49: }
50: else
51: {
52: Write-Host "Not RMS protected. (No XrML tags found.)"
53: }
If you remove the comment on line 45, the XrML document for the file is saved for further investigation. You could easily make this parameter based; maybe I will post an updated version of the script if someone is interested. Also, if you remove the comment from line 48, you will get the XmlDocument out from the script. This could also be nice if you want to play further with the XmlDocument containing the XrML information.
The reason I add <xml> tags at line 44 is that the match could return multiple XrML sets, and a valid XML document must have exactly one root.
You can download it here : http://blog.crayon.no/files/folders/scripts/entry12981.aspx
Have fun!
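The script above works on one file at a time and relies on the <xml> wrapper trick to cope with several XrML blocks. When you want to inventory a whole folder (which files are protected, and which licensing server they will call home to when opened) it is handier to match each XrML block separately and emit objects you can sort or export. The following is an added example written for this page, not the post's script: it reads the same XrML elements the post's script reads, while the regex, the per-block parsing and the folder sweep are this example's own.

```powershell
# Added example (not the post's script): sweeps a folder for files that carry an RMS
# publishing license and reports which licensing server each one points at.
param([string]$Path = '.', [switch]$Recurse)

function Get-XrmlBlocks {
    # Every <XrML ...>...</XrML> block in the file, each parsed as its own XML document.
    param([string]$File)
    $text = Get-Content -LiteralPath $File -Raw -ErrorAction SilentlyContinue
    if (-not $text) { return }
    # Singleline lets '.' cross line breaks; the lazy '.*?' stops adjacent blocks merging into one match.
    foreach ($m in [regex]::Matches($text, '<XrML[^>]*>.*?</XrML>', 'Singleline')) {
        try { [xml]$m.Value } catch { Write-Warning "$File : found an XrML block that is not well-formed XML" }
    }
}

function Get-RmsDocumentInfo {
    param([string]$File)
    $blocks = @(Get-XrmlBlocks -File $File)
    if ($blocks.Count -eq 0) { return }          # no XrML: not RMS protected
    $lic = $blocks[0]                            # first block carries the issuer and distribution points
    [pscustomobject]@{
        File       = $File
        Issuer     = $lic.XrML.Body.Issuer.Object.Name
        IssuedTime = $lic.XrML.Body.issuedtime
        Owner      = $lic.XrML.Body.work.metadata.owner.object.name
        LicenseUrl = @($lic.XrML.Body.Distributionpoint)[0].Object.Address.'#text'
        XrmlBlocks = $blocks.Count
    }
}

Get-ChildItem -LiteralPath $Path -File -Recurse:$Recurse |
    ForEach-Object { Get-RmsDocumentInfo -File $_.FullName }
```

Files without an XrML block produce no output, so the result is only the protected documents; pipe it to Export-Csv to keep the inventory. The LicenseUrl column is the useful one for an administrator: a document pointing at a licensing server you do not run cannot be opened by your users after that server goes away, and a URL you do not recognise is worth a second look.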
|
-
Today I was asked for my opinion about Windows 7 security. Quote: “What do you think about Windows 7 security, now that it is already hacked (Vbootkit 2.0)?”

Truth is, I strongly believe you should go for Windows 7 anyway. And why is that? If you read about the hack you will see that it requires physical access to your computer during boot (CD, USB etc.). It will not survive a reboot, and at least it will not work if you are using a TPM chip to guarantee the integrity of the boot files.

“There’s no fix for this. It cannot be fixed. It’s a design problem,” Vipin Kumar said, explaining the software exploits the Windows 7 assumption that the boot process is safe from attack.

It's my belief that TPM is a fix to just this. Even though what Vipin and Nitin show is interesting, I would not rate it as serious, as I think you could mitigate this. Also remember the good old “Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore” from the Ten Immutable Laws of Security.

So, feel comfortable and enjoy Windows 7! What's your take on this?
|
-
Listen to Steve Riley talk about his favorite Windows 7 security features http://windowsteamblog.com/blogs/windowssecurity/archive/2009/04/22/steve-riley-on-windows-7-security.aspx
|
-
AD RMS helps protect information through persistent usage policies by establishing the following essential elements:

- Trusted entities
Organizations can specify the entities, including individuals, groups of users, computers, and applications, that are trusted participants in an AD RMS system. By establishing trusted entities, AD RMS can help protect information by enabling access only to properly trusted participants.

- Usage rights and conditions
Organizations and individuals can assign usage rights and conditions that define how a specific trusted entity can use rights-protected content. Examples of usage rights are permission to read, copy, print, save, forward, and edit. Usage rights can be accompanied by conditions, such as when those rights expire. Organizations can exclude applications and entities from accessing the rights-protected content.

- Encryption
Encryption is the process by which data is locked by using electronic keys. AD RMS encrypts information, making access conditional on the successful validation of the trusted entities. Once information is locked, only trusted entities that were granted usage rights under the specified conditions (if any) can unlock or decrypt the information in an AD RMS-enabled application or browser. The defined usage rights and conditions will then be enforced by the application.

The actors involved in an AD RMS workflow are shown in Figure 1. The RMS Server is the licensing server, the author is the one producing content, and the recipient is the one consuming the content.

Figure 1

The AD RMS Server is the licensing server. This server role provides licensing and certification services. It stores RMS User IDs, account certificates and activity log entries in SQL Server. The RMS Server does not store identifiers or records of files that have been encrypted.

Figure 2

The author receives a client licensor certificate from the RMS server the first time they rights-protect information. This is a one-time step that enables offline publishing of rights-protected information in the future.

Figure 3

Using an RMS-enabled application, an author creates a file and defines a set of usage rights and conditions for that file. A publishing license is then generated that contains the usage policies. The application encrypts the file with a symmetric key, which is then encrypted to the public key of the author’s Windows RMS server. The key is inserted into the publishing license and the publishing license is bound to the file. Only the author’s Windows RMS server can issue use licenses to decrypt this file.

Figure 4

The author then distributes the file. The file can be distributed in any manner: a file that is emailed, placed on FTP, or copied to removable media retains RMS policies.

When the recipient receives the file and opens it using an RMS-enabled application, and he does not have an account certificate on the current computer, the RMS server will now issue one. The RMS document itself will notify the application of the RMS server URL.

Figure 5

The application then sends a request for a use license to the RMS server that issued the publishing license for the protected information. The request includes the recipient's account certificate, including their public key, and the publishing license which encrypted the file. A publishing license issued by a client licensor certificate includes the URL of the server that issued the certificate. In this case, the request for a use license goes to the Windows RMS server that issued the client licensor certificate and not to the actual computer that issued the publishing license.

Figure 6

The Windows RMS licensing server validates that the recipient is authorized, checks that the recipient is a named user, and creates a use license. During this process, the server decrypts the symmetric key using the private key of the server, re-encrypts the symmetric key using the public key of the recipient, and adds the encrypted session key to the use license. This step ensures that only the intended recipient can decrypt the symmetric key and thus decrypt the protected file. The server also adds any relevant conditions to the use license, such as the expiration, or an application or operating system exclusion that the creator imposed. When the validation is complete, the licensing server returns the use license to the recipient's client computer. After receiving the use license, the application examines both the license and the recipient's account certificate to determine whether any certificate in either chain of trust requires a revocation list.

Figure 7

The recipient can now perform whatever actions the creator specified.
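The key handling in the steps above (content encrypted under a symmetric key, that key wrapped to the server's public key inside the publishing license, then unwrapped by the server and re-wrapped to the recipient's public key inside the use license) is easier to follow in code than in prose. The following is an added illustration written for this page using .NET's RSA and AES classes; it is not AD RMS code, it models none of the XrML, certificate or revocation formats, and the party names, the rights list and the server URL are constructed for the example.

```powershell
# Added illustration (not AD RMS code): models the key flow of the publishing license and
# use license with .NET RSA/AES. All names and values below are constructed.

function New-KeyPair {
    # RSA key pair; Public holds only the public parameters, so it is safe to hand around.
    $private = [System.Security.Cryptography.RSA]::Create()
    $public  = [System.Security.Cryptography.RSA]::Create()
    $public.ImportParameters($private.ExportParameters($false))
    [pscustomobject]@{ Private = $private; Public = $public }
}

$Padding = [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA1

function New-PublishingLicense {
    # Author side: encrypt the content with a fresh symmetric key and wrap that key to the
    # licensing server's public key. Only the server can recover it; the author cannot issue use licenses.
    param([byte[]]$Content, $ServerPublicKey, [string[]]$Rights)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $ciphertext = $aes.CreateEncryptor().TransformFinalBlock($Content, 0, $Content.Length)
    [pscustomobject]@{
        Ciphertext = $ciphertext
        IV         = $aes.IV
        WrappedKey = $ServerPublicKey.Encrypt($aes.Key, $Padding)
        Rights     = $Rights
        ServerUrl  = 'https://rms.example.invalid/_wmcs/licensing'   # constructed placeholder
    }
}

function New-UseLicense {
    # Server side: unwrap the content key with the server's private key and re-wrap it to the
    # recipient's public key. The encrypted content itself never has to reach the server.
    param($PublishingLicense, $ServerPrivateKey, $RecipientPublicKey, [string]$Recipient)
    $contentKey = $ServerPrivateKey.Decrypt($PublishingLicense.WrappedKey, $Padding)
    [pscustomobject]@{
        Recipient  = $Recipient
        WrappedKey = $RecipientPublicKey.Encrypt($contentKey, $Padding)
        Rights     = $PublishingLicense.Rights
    }
}

function Unprotect-Content {
    # Recipient side: only the holder of the matching private key can unwrap the content key,
    # and the application is expected to honour the rights carried in the use license.
    param($PublishingLicense, $UseLicense, $RecipientPrivateKey)
    if ($UseLicense.Rights -notcontains 'View') { throw 'Use license does not grant View' }
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $RecipientPrivateKey.Decrypt($UseLicense.WrappedKey, $Padding)
    $aes.IV  = $PublishingLicense.IV
    $aes.CreateDecryptor().TransformFinalBlock($PublishingLicense.Ciphertext, 0, $PublishingLicense.Ciphertext.Length)
}

# Walk-through with constructed parties.
$server  = New-KeyPair
$alice   = New-KeyPair
$mallory = New-KeyPair
$content = [Text.Encoding]::UTF8.GetBytes('Q2 forecast: confidential')

$pl = New-PublishingLicense -Content $content -ServerPublicKey $server.Public -Rights @('View', 'Print')
$ul = New-UseLicense -PublishingLicense $pl -ServerPrivateKey $server.Private -RecipientPublicKey $alice.Public -Recipient 'alice@example.invalid'

'Alice reads: ' + [Text.Encoding]::UTF8.GetString([byte[]](Unprotect-Content -PublishingLicense $pl -UseLicense $ul -RecipientPrivateKey $alice.Private))
try {
    Unprotect-Content -PublishingLicense $pl -UseLicense $ul -RecipientPrivateKey $mallory.Private | Out-Null
    'Unexpected: Mallory decrypted the content'
} catch {
    'Mallory cannot unwrap the content key: ' + $_.Exception.GetType().Name
}
```

Two properties of the real design show up directly: the publishing license is useless without the server's private key, which is why the server, not the author, is the party that can grant access later, and a use license issued to one recipient's key fails for anyone else even though the ciphertext, IV and publishing license are identical. What the model leaves out is everything the page says happens around the keys: trusted-entity validation, conditions such as expiration, and revocation-list checks.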
|
-
These days, organizations and individuals store a great deal of private data in digital documents. They want to be able to share it with those that need it, but also to be able to control who can access it. On a network, we can use ACLs, NTFS, and Active Directory to control access. Unfortunately, digital data, such as Microsoft Word documents and e-mail messages, is easy to duplicate and pass on. There are numerous examples of business, personal, and government files being read by the wrong people, due to accidental distribution or malicious espionage. Microsoft offers a solution to this challenge of information rights management, often referred to as IRM. Microsoft Windows Rights Management Services, or RMS, is information-protection technology that works with RMS-enabled applications to help safeguard digital information from unauthorized use, both online and offline, inside and outside of the firewall. RMS augments an organization's security strategy by protecting information through persistent usage policies, which remain with the information, no matter where it goes. Organizations can use RMS to help prevent sensitive information, such as financial reports, product specifications, customer data, and confidential e-mail messages, from misuse. The great advantage of RMS over simply encrypting a document is the persistent nature of RMS. Because it is integrated into the document, the application, and the operating system, RMS rights remain with a document for that document's entire life. This is a more extensive protection than simply encrypting a file: once decrypted, a file is accessible in all the ways that an unprotected file would be. RMS has features such as the capability to operate without Internet access, federal FIPS 140-2 certification, and the ability to use multi-factor authentication like smart cards.
|
-
I created this simple script to see which of my folders were growing underneath my Windows folder structure. The script takes a path as input, and then calculates the size of all the child folders, as well as the given folder. The result is displayed in MB, largest folders at the bottom. You can easily pipe the output to a CSV file for further processing in, for example, Excel:

.\Get-DirectorySize.ps1 c:\scripts | Select name,value | ConvertTo-Csv -NoTypeInformation | out-file test.csv

# ==============================================================================================
#
# NAME: Get-DirectorySize.ps1
#
# AUTHOR: Ragnar Harper , Crayon as
# DATE : 08.04.2009
#
# http://blog.crayon.no/blogs/ragnar
# COMMENT: Takes a directory as input, walks recursive through all directories
# calculates and displays size for each folder.
# Size displayed in Megabytes.
# ==============================================================================================
function Get-DirectoryInfo($path)
{
    # Sum the files directly in this folder; sub-folders get their own entry through the recursion below.
    $size = dir $path | where { $_.PsIsContainer -ne $true } | Measure-Object -Sum Length
    $sizeinmb = $size.Sum / 1mb
    # PsPath carries a provider prefix; strip it so the key is a plain file system path.
    $DirectorySize.Add($path.Replace("Microsoft.PowerShell.Core\FileSystem::", ""), $sizeinmb)
    foreach ($d in (dir $path | where { $_.PsIsContainer -eq $true }))
    {
        Get-DirectoryInfo $d.PsPath
    }
}

$StartDir = $args[0]
$DirectorySize = @{}
Get-DirectoryInfo $StartDir
$DirectorySize.GetEnumerator() | sort -Property Value

You can also download the script from http://blog.crayon.no/files/folders/scripts/entry12956.aspx
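A single run tells you how big each folder is; growth only shows once two runs are compared. The following is an added example written for this page (not the post's script) that keeps the previous measurement in a CSV and, on the next run, lists the folders that changed the most. Sizes are stored in bytes so the CSV round-trips regardless of the decimal separator of the current locale. The baseline file name and the default of ten rows are this example's own choices.

```powershell
# Added example (not the post's script): snapshot folder sizes, compare with the previous
# snapshot, report the biggest movers, then save the new snapshot as the next baseline.
param(
    [Parameter(Mandatory)][string]$Path,
    [string]$Baseline = 'folder-sizes-baseline.csv',
    [int]$Top = 10
)

function Get-FolderSizes([string]$Root) {
    # One entry per folder that directly contains files: folder path -> total bytes of those files.
    # Sub-folders are separate entries, as in the post's script; folders with no files are omitted.
    $sizes = @{}
    Get-ChildItem -LiteralPath $Root -File -Recurse -ErrorAction SilentlyContinue |
        Group-Object DirectoryName |
        ForEach-Object { $sizes[$_.Name] = [long]($_.Group | Measure-Object Length -Sum).Sum }
    $sizes
}

function Compare-FolderSizes([hashtable]$Old, [hashtable]$New) {
    # One record per folder seen in either snapshot; a folder that disappeared shows as negative growth.
    $keys = @($Old.Keys) + @($New.Keys) | Sort-Object -Unique
    foreach ($k in $keys) {
        $before = if ($Old.ContainsKey($k)) { $Old[$k] } else { 0L }
        $after  = if ($New.ContainsKey($k)) { $New[$k] } else { 0L }
        [pscustomobject]@{
            Folder   = $k
            BeforeMB = [math]::Round($before / 1MB, 2)
            AfterMB  = [math]::Round($after / 1MB, 2)
            DeltaMB  = [math]::Round(($after - $before) / 1MB, 2)
        }
    }
}

$current = Get-FolderSizes -Root $Path
if (Test-Path -LiteralPath $Baseline) {
    $old = @{}
    Import-Csv -LiteralPath $Baseline | ForEach-Object { $old[$_.Folder] = [long]$_.Bytes }
    Compare-FolderSizes -Old $old -New $current |
        Where-Object { $_.DeltaMB -ne 0 } |
        Sort-Object DeltaMB -Descending |
        Select-Object -First $Top
} else {
    Write-Host "No baseline at $Baseline yet; this run only records one."
}

# Refresh the baseline so the next run compares against this snapshot.
$current.GetEnumerator() |
    ForEach-Object { [pscustomobject]@{ Folder = $_.Key; Bytes = $_.Value } } |
    Export-Csv -LiteralPath $Baseline -NoTypeInformation
```

Run it once to record the baseline and again later to see the deltas, for example `.\Compare-FolderGrowth.ps1 -Path C:\Windows -Top 20` (the script name is this example's). Folders that grow unexpectedly between runs, such as a temp or log directory filling up, are the ones the original script was written to spot.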
|
-
Lately I have seen some posts on the net about how to pin applications to the taskbar in Windows 7. As there is no direct API to do this, you could use the Shell Objects, well known from VBScript. As for me, I like to use Powershell (no surprise), and I created a Powershell script that can pin applications to the Windows 7 taskbar using the Shell Objects.

# ==============================================================================================
#
#
# NAME: Add-ToTaskbar.ps1
#
# AUTHOR: Ragnar Harper , Crayon
# DATE : 17.04.2009
#
# COMMENT: This version only supports English locale. You need to change $PinVerb to support
# other locale.
#
# http://blog.crayon.no/blogs/ragnar
# ==============================================================================================
$PinVerb = "Pin to Taskbar"

if ($args.count -ne 1)
{
    Write-Host "Wrong number of arguments."
    Write-Host "usage: Add-ToTaskbar.ps1 [program to pin]"
    Write-Host "example: Add-ToTaskBar.ps1 c:\windows\system32\calc.exe"
    Write-Host "You must include folderpath to program"
}
else
{
    $file = $args[0]
    # Split the full path into folder and file name (Split-Path replaces the original SubString arithmetic).
    $path = Split-Path -Path $file -Parent
    $name = Split-Path -Path $file -Leaf
    $shell = new-object -com "Shell.Application"
    $folder = $shell.Namespace($path)
    $item = $folder.ParseName($name)
    # Verb names carry the menu accelerator ampersand; strip it before matching.
    $verbs = $item.Verbs()
    foreach ($v in $verbs)
    {
        if ($v.Name.Replace("&", "") -match $PinVerb) { $v.DoIt() }
    }
}

You can also download the script from http://blog.crayon.no/files/folders/scripts/entry12955.aspx
|
-
These days I'm working on an AD RMS deployment, and I thought I would write something about it. This starts with a short introduction, and if it is popular (enough people ask for it), I will go more deeply.

There is no doubt that how we approach security needs to change. For too long now we have been thinking about building a castle to protect us with DMZ, network firewalls and so on. Then we are challenged to face the needs of our mobile users, and we need to be able to talk with “the cloud”. There used to be a time when access control at the folder level was enough. Today, you might have no clue where your information is. So, how is your folder structure going to protect you? The truth is, it won't. You need to protect your information, but you don't know where it goes, or how it gets there.

Using AD RMS the document is secured the same way, inside or outside, on your SAN, or on someone's USB dongle. Even when sent through email, your information policy is still travelling with the document. The document is encrypted, so people who want to open the document need to talk with your AD RMS service to get the necessary approval (or use license, if you will). Based on the settings in the document, AD RMS will give the user rights, for example to read, but nothing more. Or to read and print, but not forward. You can also place expiration dates on the content, so you know that the user is not using old information. The functionality is integrated with Microsoft Office, SharePoint and Exchange Server. It also works together with Windows Mobile, and through third parties there is support for a broad number of document formats. There is also an SDK to build your own support.

Following is a list of typical rights you can set with AD RMS:
• View
• View permissions
• Print
• Save
• Save as
• Cut & Paste
• Edit
• Run macro
• Forward (email)
• Reply (email)
• Reply all (email)
• Expiration date
• Expire after N days

Using AD RMS you can get reporting on who is accessing what documents, and you can also revoke permissions already given. If you compare AD RMS with traditional encryption, you will find AD RMS more dynamic, and it also gives you more granular control over the information, not only encryption. Does it protect against everything? Heck no! If you have granted the user access, he might go around your protection, for example using “the analogue hole” or virtualization.
|
-
As you might know, Remote Server Administration Tools (RSAT) will let you administer your Windows Servers from a Windows client. RSAT gives you all the GUI tools, including Server Manager. It also gives you the providers for Powershell to work with Active Directory, Group Policy, Failover Clusters and NLB. After you have downloaded RSAT from Microsoft Downloads you have to go to Add/Remove Windows Features to choose which components you want.

For the Windows Server 2008 R2 servers you want to manage you also need to activate remote management:
1. On the remote computer that you want to manage, open Server Manager. Click Start, point to Administrative Tools, and then click Server Manager.
2. In the Server Summary area, click Configure Server Manager Remote Management.
3. Select Allow remote management of this server from other computers by using Server Manager and Windows PowerShell. Click OK.

You probably also need to activate WS-Management on your client computer: open a Powershell session with elevated user rights (right-click the Powershell icon, and choose Run Windows Powershell As Administrator). Then start the Windows Remote Management (WinRM) service by typing:
Start-Service winrm
You can check if the service is running by typing:
Get-Service winrm

You can choose to Import All Modules by right-clicking the Powershell icon, or you could just start Powershell and use the command Get-Module -ListAvailable to see what you have available. Then you can easily import these modules with Import-Module, for example:
Import-Module ActiveDirectory
Import-Module GroupPolicy
Then, to see what commands are available in the module, you could run:
Get-Command -Module GroupPolicy

By now you have figured out how to get started with Powershell remote administration with the RSAT tools.
Download link to RSAT for Windows 7: http://www.microsoft.com/downloads/details.aspx?FamilyID=82516c35-c7dc-4652-b2ea-2df99ea83dbb&displaylang=en
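The client-side steps above are typed one at a time and assume each one worked. The following is an added example written for this page (not from the post) that runs the same steps as a script: it checks for an elevated session before touching the WinRM service, waits for the service to actually reach Running, and imports only the RSAT modules that are really available, reporting how many commands each one brings. It assumes RSAT is installed; the module names are the two the post uses.

```powershell
# Added example (not from the post): performs and verifies the client-side steps the post lists.
param([string[]]$Modules = @('ActiveDirectory', 'GroupPolicy'))

function Test-IsElevated {
    # Start-Service winrm needs an elevated session; say so up front rather than failing midway.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Start-WinRmService {
    # Returns the service object after making sure it is running.
    $svc = Get-Service -Name WinRM
    if ($svc.Status -ne 'Running') {
        if (-not (Test-IsElevated)) {
            throw 'WinRM is stopped; rerun this in an elevated Powershell (Run as Administrator) to start it.'
        }
        Start-Service -Name WinRM
        $svc.WaitForStatus('Running', [timespan]::FromSeconds(15))   # throws if it does not come up
    }
    Get-Service -Name WinRM
}

function Import-RsatModules([string[]]$Names) {
    # Import each requested module if RSAT made it available, and count the commands it exposes.
    $available = Get-Module -ListAvailable | Select-Object -ExpandProperty Name
    foreach ($n in $Names) {
        if ($available -contains $n) {
            Import-Module -Name $n -ErrorAction Stop
            [pscustomobject]@{ Module = $n; Loaded = $true;  Commands = (Get-Command -Module $n).Count }
        } else {
            [pscustomobject]@{ Module = $n; Loaded = $false; Commands = 0 }   # RSAT feature not enabled
        }
    }
}

Start-WinRmService | Format-Table Name, Status -AutoSize
Import-RsatModules -Names $Modules | Format-Table -AutoSize
```

A module that shows `Loaded = False` means the corresponding RSAT feature was not ticked under Add/Remove Windows Features, which is the step the post says to do after the download.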