The Crayon Community!


Ragnar Harper`s blog on Microsoft technology and security

April 2009 - Posts

  • Exporting security events to csv files using Powershell

    One question I see repeatedly is how to read event logs (especially security logs) from multiple computers and save them in another format, mostly csv. This is something that can easily be done with Powershell, and the following script shows how:

    # ==============================================================================================
    # 
    # NAME: Export-SecurityEventAsCsv.ps1
    # 
    # AUTHOR: Ragnar Harper , Harper Labs
    # DATE  : 28.04.2009
    # 
    # COMMENT: Gets the security events and saves them to file as csv
    #
    # Filename should be a simple file containing one computer name on each line
    # 
    # ============================================================================================== 
     
    param( 
        [string] $Filename = $(throw "File with computernames to query needs to be supplied.") 
        )

    # Query the Security log of one computer over WMI and write every event to <computer>.csv
    function SaveComputerSecurityLog($computer)
    {
        $CsvFile="$computer.csv"
        Write-Host $CsvFile
        Get-WmiObject -Query "Select * from Win32_NTLogEvent Where Logfile = 'Security'" -ComputerName $computer | Export-Csv -Path $CsvFile -NoTypeInformation
    } 
     
    # One computer name per line in the input file
    $computers=Get-Content $Filename
    foreach($computer in $computers)
    {
        SaveComputerSecurityLog $computer
    } 

    The input file with computernames should be as simple as this:

    ComputerName1
    ComputerName2
    ComputerName3
    ComputerNameN

    Have fun :)

    You can download the script here: http://blog.crayon.no/files/folders/scripts/entry12984.aspx
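    As an added example (not part of the original post), here is a filtered variant of the same approach: rather than pulling the whole Security log from each host, it restricts the WQL query to a time window and a set of event IDs, and carries on when a host cannot be reached. The default event IDs 529 and 4625 (failed logons on pre-Vista and Vista/2008-era systems) are an assumption made for the example, and the function name Export-FilteredSecurityLog is made up here.

```powershell
# Added example, not the original script: export only selected Security events
# from the last N hours, one csv per computer, and keep going if a host fails.
param(
    [string] $Filename  = $(throw "File with computer names to query needs to be supplied."),
    [int[]]  $EventIds  = @(529, 4625),   # assumed default: failed-logon events
    [int]    $Hours     = 24,
    [string] $OutputDir = "."
)

# WQL compares CIM datetimes as DMTF strings, so convert the cutoff first.
$since  = (Get-Date).AddHours(-$Hours)
$dmtf   = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime($since)
$idList = ($EventIds | ForEach-Object { "EventCode = $_" }) -join " Or "
$query  = "Select * From Win32_NTLogEvent Where Logfile = 'Security' " +
          "And TimeWritten >= '$dmtf' And ($idList)"

function Export-FilteredSecurityLog($computer)
{
    $csvFile = Join-Path $OutputDir "$computer.csv"
    try
    {
        # -ErrorAction Stop turns RPC/DCOM failures into a catchable exception
        Get-WmiObject -Query $query -ComputerName $computer -ErrorAction Stop |
            Select-Object @{n='Computer';    e={ $_.ComputerName }},
                          @{n='TimeWritten'; e={ $_.ConvertToDateTime($_.TimeWritten) }},
                          EventCode, SourceName, Type, User, Message |
            Export-Csv -Path $csvFile -NoTypeInformation
        Write-Host "Exported $computer -> $csvFile"
    }
    catch
    {
        # Host down, firewall, or missing admin rights: report and move on
        Write-Warning "Failed to query ${computer}: $($_.Exception.Message)"
    }
}

# Same input file format as above: one computer name per line, blanks ignored
Get-Content $Filename | Where-Object { $_.Trim() -ne "" } | ForEach-Object {
    Export-FilteredSecurityLog $_.Trim()
}
```

    Narrowing the query server-side matters in practice: Win32_NTLogEvent over a full Security log is slow and generates a lot of RPC traffic, and a per-host try/catch keeps one unreachable machine from aborting the whole collection.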

  • Powershell script to read AD RMS information from documents

    I thought that I should post my Powershell script to read information about an RMS-protected document.

    The script checks for the XrML tags inside the document and reads them into an XmlDocument. Then I use the simple XmlDocument functionality inside Powershell to write out some of the interesting information.

       1: # ==============================================================================================
       2: # 
       3: # NAME: Get-ADRMSDocumentInfo.ps1
       4: # 
       5: # AUTHOR: Ragnar Harper
       6: # DATE  : 18.04.2009
       7: # 
       8: # COMMENT: A simple script to read some of the RMS attributes in the document.
       9: # 
      10: # ==============================================================================================
      11:  
      12: function WriteRMSInfo($xmlDoc) # Print selected fields from the parsed XrML license(s)
      13: {
      14:     Write-Host "Issuer:"  $xmlDoc.xml.XrML[0].Body.Issuer.Object.Name
      15:     Write-Host "Issued Time:" $xmlDoc.xml.XrML[0].Body.issuedtime
      16:     
      17:     $xmlDoc.xml.XrML[0].Body.Descriptor.Object.Name -match "DESCRIPTION.*" | Out-Null # The descriptor name carries a DESCRIPTION: prefix
      18:     $description = $matches[0].SubString(12,$matches[0].Length-14) # Strip the prefix and the trailing characters
      19:     Write-Host "Description:"  $description
      20:     Write-Host "License Acquisition URL:" $xmlDoc.xml.XrML[0].Body.Distributionpoint[0].Object.Address."#text"
      21:     Write-Host "Distribution contact person:" $xmlDoc.xml.XrML[0].Body.Distributionpoint[1].Object.Address."#text"
      22:     Write-Host "Owner:"  $xmlDoc.xml.XrML[0].Body.work.metadata.owner.object.name
      23:     Write-Host "Object Type:" $xmlDoc.xml.XrML[0].Body.work.object.name
      24:     Write-Host "Issued Principals:" $xmlDoc.xml.XrML[1].Body.IssuedPrincipals.Principal.Object.name
      25: }
      26: trap # Any error (typically a missing file) ends the script with a hint
      27: {
      28:     Write-Host "Please Check that file exists."
      29:     exit
      30: }
      31: if ($args.count -ne 1) 
      32: {
      33:     Write-Host "USAGE: Get-ADRMSDocumentInfo.ps1 <file>"
      34:     Write-Host "<file> is the file to test."    
      35:     exit
      36: }
      37:  
      38: $file = $args[0]
      39: $content=Get-Content $file
      40: $line=[string]::join(" ",$content) # Build all lines as a simple string. 
      41:  
      42: if($line -match "<XrML version=.*</XrML>") #Find XrML tags
      43: {
      44:     $xrml="<xml>"+$matches[0]+"</xml>" #add outer Xml tags (multiple xrml tags could be found)
      45:     #$xrml | Out-File test.xml
      46:     $xmlDoc=[xml]$xrml
      47:     WriteRMSInfo($xmlDoc)
      48:     #$xmlDoc
      49: }
      50: else
      51: {
      52:     Write-Host "Not RMS protected. (No XrML tags found.)"
      53: }

    If you remove the comment on line 45, the XrML document for the file is saved for further investigation. You could easily change this functionality so that it is parameter based; maybe I will post an updated version of the script if someone is interested. Also, if you remove the comment on line 48, the script outputs the XmlDocument itself. This can also be useful if you want to play further with the XmlDocument containing the XrML information.

    The reason I add <xml> tags at line 44 is that the match can return multiple XrML sets (and a valid XML document may have only one root).

    You can download it here : http://blog.crayon.no/files/folders/scripts/entry12981.aspx

    Have fun!

  • A short note on Vbootkit 2.0

    Today I was asked for my opinion on Windows 7 security. Quote: “What do you think about Windows 7 security, now that it is already hacked (Vbootkit 2.0)?”

    Truth is, I strongly believe you should go for Windows 7 anyway. And why is that?

    If you read about the hack you will see that it requires physical access to your computer during boot (CD, USB etc.). It will not survive a reboot, and in any case it will not work if you are using a TPM chip to guarantee the integrity of the boot files.

    “There’s no fix for this. It cannot be fixed. It’s a design problem,” Vipin Kumar said, explaining the software exploits the Windows 7 assumption that the boot process is safe from attack.

    It's my belief that TPM is a fix for exactly this. Even though what Vipin and Nitin show is interesting, I would not rate it as serious, as I think you can mitigate it.

    Also remember the good old “Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore” from the Ten Immutable Laws of Security.

    So, feel comfortable and enjoy Windows 7!

    What's your take on this?

  • Steve Riley talk about Windows 7 Security

    Listen to Steve Riley talk about his favorite Windows 7 security features

    http://windowsteamblog.com/blogs/windowssecurity/archive/2009/04/22/steve-riley-on-windows-7-security.aspx

  • Overview of AD RMS

    Overview

    AD RMS helps protect information through persistent usage policies by establishing the following essential elements:

    • Trusted entities
      Organizations can specify the entities, including individuals, groups of users, computers, and applications that are trusted participants in an AD RMS system. By establishing trusted entities, AD RMS can help protect information by enabling access only to properly trusted participants.
    • Usage rights and conditions
      Organizations and individuals can assign usage rights and conditions that define how a specific trusted entity can use rights-protected content. Examples of usage rights are permission to read, copy, print, save, forward, and edit. Usage rights can be accompanied by conditions, such as when those rights expire. Organizations can exclude applications and entities from accessing the rights-protected content.
    • Encryption
      Encryption is the process by which data is locked by using electronic keys. AD RMS encrypts information, making access conditional on the successful validation of the trusted entities. Once information is locked, only trusted entities that were granted usage rights under the specified conditions (if any) can unlock or decrypt the information in an AD RMS-enabled application or browser. The defined usage rights and conditions will then be enforced by the application.

    Workflow of Active Directory Rights Management Services

    The actors involved in an AD RMS workflow are shown in figure 1. The RMS server is the licensing server, the author is the one producing content, and the recipient is the one consuming the content.

    Figure 1

    The AD RMS server is the licensing server. This server role provides licensing and certification services. It stores RMS user IDs, account certificates and activity log entries in SQL Server. The RMS server does not store identifiers or records of files that have been encrypted.

    Figure 2

    The author receives a client licensor certificate from the RMS server the first time they rights-protect information. This is a one-time step that enables offline publishing of rights-protected information in the future.

    Figure 3

    Using an RMS-enabled application, an author creates a file and defines a set of usage rights and conditions for that file. A publishing license is then generated that contains the usage policies. The application encrypts the file with a symmetric key which is then encrypted to the public key of the author’s Windows RMS server. The key is inserted into the publishing license and the publishing license is bound to the file. Only the author’s Windows RMS server can issue use licenses to decrypt this file.

    Figure 4

    The author then distributes the file. The file can be distributed in any manner: a file that is emailed, placed on FTP, or copied to removable media retains its RMS policies. When the recipient receives the file and opens it using an RMS-enabled application, and does not yet have an account certificate on the current computer, the RMS server issues one. The RMS document itself tells the application the RMS server URL.

    Figure 5

    The application then sends a request for a use license to the RMS server that issued the publishing license for the protected information. The request includes the recipient's account certificate, including their public key, and the publishing license bound to the file.
    A publishing license issued with a client licensor certificate includes the URL of the server that issued that certificate. In this case, the request for a use license goes to the Windows RMS server that issued the client licensor certificate and not to the actual computer that issued the publishing license.

    Figure 6

    The Windows RMS licensing server validates that the recipient is authorized, checks that the recipient is a named user, and creates a use license.

    During this process, the server decrypts the symmetric key using the private key of the server, re-encrypts the symmetric key using the public key of the recipient, and adds the encrypted session key to the use license. This step ensures that only the intended recipient can decrypt the symmetric key and thus decrypt the protected file. The server also adds any relevant conditions to the use license, such as the expiration, or an application or operating system exclusion that the creator imposed.

    When the validation is complete, the licensing server returns the use license to the recipient's client computer.

    After receiving the use license, the application examines both the license and the recipient's account certificate to determine whether any certificate in either chain of trust requires a revocation list.

    Figure 7

    The recipient can now perform whatever actions the creator specified.
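    To make the key handling in Figures 3, 6 and 7 concrete, here is an added illustration in PowerShell using the .NET crypto classes. It is not AD RMS code: the XrML publishing and use licenses are stood in for by a hashtable and a byte array, and the function names (New-KeyPair, Protect-Content, New-UseLicense, Unprotect-Content) are made up for the example.

```powershell
# Added illustration of the RMS key flow (not Microsoft's code): the author
# wraps the content key to the server, the server re-wraps it to the recipient,
# and only the recipient can unwrap it. Function names are made up here.
Add-Type -AssemblyName System.Core   # AesCryptoServiceProvider lives in System.Core

function New-KeyPair {
    # 2048-bit RSA key pair; ToXmlString($false) later exports only the public half
    return New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList 2048
}

# Author side (Figure 3): encrypt the content with a fresh symmetric key and wrap
# that key to the RMS server's public key. The wrapped key travels with the document
# (in the publishing license); the server never needs the content itself.
function Protect-Content([byte[]]$plain, [string]$serverPublicKeyXml) {
    # The CSP-based AES class is the FIPS 140-2 validated implementation
    $aes = New-Object System.Security.Cryptography.AesCryptoServiceProvider
    $aes.GenerateKey(); $aes.GenerateIV()
    $cipher = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)
    $serverPub = New-Object System.Security.Cryptography.RSACryptoServiceProvider
    $serverPub.FromXmlString($serverPublicKeyXml)
    $wrappedKey = $serverPub.Encrypt($aes.Key, $true)   # $true = OAEP padding
    return @{ Cipher = $cipher; IV = $aes.IV; WrappedKey = $wrappedKey }
}

# Server side (Figure 6): unwrap with the server's private key, then re-wrap to the
# recipient's public key. This re-wrapped key is what goes into the use license.
function New-UseLicense([byte[]]$wrappedKey, $serverRsa, [string]$recipientPublicKeyXml) {
    $symKey = $serverRsa.Decrypt($wrappedKey, $true)
    $recipientPub = New-Object System.Security.Cryptography.RSACryptoServiceProvider
    $recipientPub.FromXmlString($recipientPublicKeyXml)
    return $recipientPub.Encrypt($symKey, $true)
}

# Recipient side (Figure 7): unwrap with its own private key and decrypt the content.
function Unprotect-Content($doc, [byte[]]$useLicenseKey, $recipientRsa) {
    $aes = New-Object System.Security.Cryptography.AesCryptoServiceProvider
    $aes.Key = $recipientRsa.Decrypt($useLicenseKey, $true)
    $aes.IV  = $doc.IV
    return $aes.CreateDecryptor().TransformFinalBlock($doc.Cipher, 0, $doc.Cipher.Length)
}

# Walk-through with a constructed sample document
$serverRsa    = New-KeyPair   # held by the RMS server
$recipientRsa = New-KeyPair   # held by the recipient (account certificate)
$plain = [System.Text.Encoding]::UTF8.GetBytes("Q3 forecast - constructed sample text")

$doc    = Protect-Content $plain ($serverRsa.ToXmlString($false))
$useKey = New-UseLicense $doc.WrappedKey $serverRsa ($recipientRsa.ToXmlString($false))
$out    = Unprotect-Content $doc $useKey $recipientRsa
[System.Text.Encoding]::UTF8.GetString($out)   # the decrypted content
```

    The point the walk-through makes is the one in the text: the content key is never stored in the clear with the file, and a recipient whose private key was not used in New-UseLicense cannot recover it, whatever copy of the file they hold.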

    Posted Apr 27 2009, 10:39 PM by ragnar with no comments
  • A bit more on why to use Active Directory Rights Management Services

    These days, organizations and individuals store a great deal of private data in digital documents. They want to be able to share it with those who need it, but also to control who can access it. On a network, we can use ACLs, NTFS, and Active Directory to control access. Unfortunately, digital data, such as Microsoft Word documents and e-mail messages, is easy to duplicate and pass on. There are numerous examples of business, personal, and government files being read by the wrong people, due to accidental distribution or malicious espionage. Microsoft offers a solution to this challenge of information rights management, often referred to as IRM.

    Microsoft Windows Rights Management Services, or RMS, is information-protection technology that works with RMS-enabled applications to help safeguard digital information from unauthorized use, both online and offline, inside and outside of the firewall.

    RMS augments an organization's security strategy by protecting information through persistent usage policies, which remain with the information no matter where it goes. Organizations can use RMS to help prevent sensitive information, such as financial reports, product specifications, customer data, and confidential e-mail messages, from misuse.

    The great advantage of RMS over simply encrypting a document is the persistent nature of RMS. Because it is integrated into the document, the application, and the operating system, RMS rights remain with a document for that document's entire life. This is a more extensive protection than simply encrypting a file. When decrypted, a file is accessible in all the ways that an unprotected file would be.

    RMS has features such as the capability to operate without Internet access, federal FIPS 140-2 certification, and the ability to use multi-factor authentication like smart cards.

    Posted Apr 27 2009, 10:37 PM by ragnar with no comments
  • A simple script to see which folders are consuming space

    I created this simple script to see which of the folders underneath my Windows folder structure were growing. The script takes a path as input and calculates the size of the given folder and of all its child folders. The result is displayed in MB, with the largest folders at the bottom. You can easily pipe the output to a csv file for further processing in, for example, Excel:

    .\Get-DirectorySize.ps1 c:\scripts | Select name,value | ConvertTo-Csv -NoTypeInformation | out-file test.csv


    # ==============================================================================================
    #
    # NAME: Get-DirectorySize.ps1
    #
    # AUTHOR: Ragnar Harper , Crayon as
    # DATE  : 08.04.2009
    #
    #        http://blog.crayon.no/blogs/ragnar
    # COMMENT: Takes a directory as input, walks recursively through all directories,
    #           calculates and displays the size for each folder.
    #             Size displayed in Megabytes.
    # ==============================================================================================

    # Record the size of the files directly in $path (subfolders not included), then recurse
    function Get-DirectoryInfo($path)
    {
        $size=dir $path | where {$_.PsIsContainer -ne $true} | Measure-Object -Sum Length
        $sizeinmb=$size.sum / 1mb
        # $d.PsPath carries a provider prefix; strip it so the keys are plain folder paths
        $DirectorySize.Add($path.Replace("Microsoft.PowerShell.Core\FileSystem::",""),$sizeinmb)
        foreach($d in (dir $path | where {$_.PsIsContainer -eq $true}))
        {
            Get-DirectoryInfo $d.PsPath
        }   
    }
    $StartDir = $args[0]
    $DirectorySize=@{}   # folder path -> size in MB, filled in by Get-DirectoryInfo
    Get-DirectoryInfo $StartDir
    $DirectorySize.GetEnumerator() | sort -property Value

    You can also download the script from http://blog.crayon.no/files/folders/scripts/entry12956.aspx

  • Pin applications to Windows 7 Taskbar


    Lately I have seen some posts on the net about how to pin applications to the taskbar in Windows 7. As there is no direct API to do this, you can use the Shell Objects, well known from VBScript. As for me, I like to use Powershell (no surprise), so I created a Powershell script that pins applications to the Windows 7 taskbar using the Shell Objects.

    # ==============================================================================================
    #
    #
    # NAME: Add-ToTaskbar.ps1
    #
    # AUTHOR: Ragnar Harper , Crayon
    # DATE  : 17.04.2009
    #
    # COMMENT: This version only supports English locale. You need to change $PinVerb to support
    #           other locales.
    #
    #    http://blog.crayon.no/blogs/ragnar
    # ==============================================================================================

    $PinVerb="Pin to Taskbar"
    if($args.count -ne 1)
    {
        Write-Host "Wrong number of arguments."
        Write-Host "usage: Add-ToTaskbar.ps1 [program to pin]"
        Write-Host "example: Add-ToTaskBar.ps1 c:\windows\system32\calc.exe"
        Write-Host "You must include the folder path to the program"
    }
    else
    {
        $file=$args[0]
        $path=Split-Path -Parent $file   # folder part, e.g. c:\windows\system32
        $name=Split-Path -Leaf $file     # file part, e.g. calc.exe
        # Shell.Application gives access to the context-menu verbs of a shell item
        $shell=new-object -com "Shell.Application"
        $folder=$shell.Namespace($path)
        $item=$folder.ParseName($name)
        $verbs=$item.Verbs()
        # Verb names contain an accelerator ampersand; strip it before matching, then invoke the verb
        foreach($v in $verbs){if($v.Name.Replace("&","") -match $PinVerb){$v.DoIt()}}
    }


    You could also download the script from http://blog.crayon.no/files/folders/scripts/entry12955.aspx

  • Free e-book on virtualization

    Microsoft has made available a free download of “Understanding Microsoft Virtualization Solutions” at http://csna01.libredigital.com/?urmvs17u33

    Something to read for the weekend :)

  • Why AD Rights Management Services?

    These days I'm working on an AD RMS deployment, and I thought I would write something about it. This starts with a short introduction, and if it is popular (enough people ask for it), I will go more deeply.

    There is no doubt that how we approach security needs to change. For too long now we have been thinking about building a castle to protect us, with DMZs, network firewalls and so on. Then we are challenged to meet the needs of our mobile users, and we need to be able to talk with “the cloud”. There used to be a time when access control at the folder level was enough. Today, you might have no clue where your information is. So, how is your folder structure going to protect you? The truth is, it won't. You need to protect your information, but you don't know where it goes, or how it gets there.

    Using AD RMS the document is secured the same way, inside or outside, on your SAN, or on someone's USB dongle. Even when sent through email, your information policy is still travelling with the document.

    The document is encrypted, so people who want to open the document need to talk with your AD RMS service to get the necessary approval (or use license, if you will). Based on the settings in the document, AD RMS gives the user rights, for example to read but nothing more, or to read and print but not forward. You can also place expiration dates on the content, so you know that the user is not using old information.

    The functionality is integrated with Microsoft Office, SharePoint and Exchange Server. It also works together with Windows Mobile, and through third parties there is support for a broad number of document formats. There is also an SDK to build your own support.

    Following is a list of typical rights you can set with AD RMS:

    • View
    • View permissions
    • Print
    • Save
    • Save as
    • Cut & Paste
    • Edit
    • Run macro
    • Forward (email)
    • Reply (email)
    • Reply all (email)
    • Expiration date
    • Expire after N days

    Using AD RMS you can get reporting on who is accessing what documents, and you can also revoke permissions already given.

    If you compare AD RMS with traditional encryption, you will find AD RMS more dynamic, and it also gives you more granular control over the information – not only encryption.

    Does it protect against everything? Heck no! If you have granted the user access, he might go around your protection – for example using “the analogue hole” or virtualization.

    Posted Apr 07 2009, 02:20 PM by ragnar with 3 comment(s)
  • Remote Administration from Windows 7

    As you might know, Remote Server Administration Tools (RSAT) will let you administer your Windows Servers from a Windows client.
    RSAT gives you all the GUI tools – also the ServerManager. But it also gives you the providers for Powershell to work with Active Directory, Group Policy, Failover Clusters and NLB.


    After you have downloaded RSAT from Microsoft Downloads, you have to go to Add/Remove Windows Features to choose which components you want.

    For the Windows Server 2008 R2 servers you want to manage, you also need to activate remote management:

    1. On the remote computer that you want to manage, open Server Manager. Click Start, point to Administrative Tools, and then click Server Manager.
    2. In the Server Summary area, click Configure Server Manager Remote Management.
    3. Select Allow remote management of this server from other computers by using Server Manager and Windows PowerShell. Click OK.


    You probably also need to activate WS-Management on your client computer:
    Open a Powershell session with elevated user rights (right-click the Powershell icon and choose Run Windows Powershell As Administrator). Then start the Windows Remote Management (WinRM) service by typing: Start-Service winrm (then Enter). You can check that the service is running by typing: Get-Service winrm.

    You can choose to Import All Modules by right-clicking the Powershell icon, or you can just start Powershell and use the command Get-Module -ListAvailable to see what you have available. Then you can easily import these modules with the command Import-Module, for example:

      Import-Module ActiveDirectory

      Import-Module GroupPolicy

     Then, to see what commands are available in the module, you could run the following command:

     Get-Command -Module GroupPolicy

    By now you have figured out how to get started with Powershell Remote Administration with the RSAT tools.

    Download link to RSAT for Windows 7:
    http://www.microsoft.com/downloads/details.aspx?FamilyID=82516c35-c7dc-4652-b2ea-2df99ea83dbb&displaylang=en
