Admin’s Arsenal: PSTools

The PSTools suite is one of those things that you’ll find new uses for every time you play with it. The PSTools suite was developed by Mark Russinovich who worked on the original NTFS file system, and hence has a rather unique insight into the inner workings of Windows systems.

The PSTools suite is comprised of the following utilities:

* PsExec – execute processes remotely
* PsFile – shows files opened remotely
* PsGetSid – display the SID of a computer or a user
* PsInfo – list information about a system
* PsKill – kill processes by name or process ID
* PsList – list detailed information about processes
* PsLoggedOn – see who’s logged on locally and via resource sharing (full source is included)
* PsLogList – dump event log records
* PsPasswd – changes account passwords
* PsService – view and control services
* PsShutdown – shuts down and optionally reboots a computer
* PsSuspend – suspends processes
* PsUptime – shows you how long a system has been running since its last reboot (PsUptime’s functionality has been incorporated into PsInfo)

While these tools work locally (and in most cases work better than the native Windows utilities, or provide functionality that is not available natively), they really shine when it comes to working with remote machines. If I had nothing else but a fresh (default) Windows install, I could probably continue to administer my network using the PSTools.

Notice I said nothing but a default Windows install. Microsoft has done something rather unique with the PSTools suite (in fact with the entire Sysinternals utilities collection), and made them usable from a “live” website (to get an overview of what is available, just type \\live.sysinternals.com\tools into your browser’s address bar).

Now all these tools are stand-alone executables (no need to install), so they can be run from a USB drive (SWEET!!!), however being able to run them without even having the executables on the machine is just awesome!


Admin’s Arsenal: KeePass v1.x

Someone asked me today what tool I would say helps me most in my day to day job duties. Man was that a tough question to answer! I have about 30-40 tools that I use on a daily (or at least every other day) basis, so to pick one is like having to choose what finger you like best (no snickering back there).

I guess what it all comes down to is what tool I use most. Hands down that tool is KeePass Password Safe.

It’s hard to cover everything that KeePass does, but this quote from the official site does a better job than I can:

KeePass is a free/open-source password manager or safe which helps you to manage your passwords in a secure way. You can put all your passwords in one database, which is locked with one master key or a key file. So you only have to remember one single master password or select the key file to unlock the whole database. The databases are encrypted using the best and most secure encryption algorithms currently known (AES and Twofish).

I use KeePass more than any other tool in my Arsenal simply because I have so many passwords to remember.

One of the features that makes KeePass better than other password managers is that you can attach files to entries, which are then encrypted with the KeePass Database. I personally use this to keep all of our VPN keys handy so that when a user complains that they are having problems with their VPN, I can log in as them and see if it is in fact an issue with their VPN tunnel or just user error.

My absolute favorite feature though is its portability. Here is a short list of all the different platforms that KeePass works on:

* Windows
* Linux
* Mac OSX
* BlackBerry (huge score here as I love being able to access all my passwords from my phone)
* PocketPC and Smart Devices (including Windows Mobile 6.0)
* Symbian
* PalmOS
* USB drives (specifically portableapps.com)
* USB drives (U3 platform)
* PE environments (WinPE and BARTPE)

Pretty much anywhere you are likely to need it from. I specifically call out the 1.x versions as the 2.x ALPHA versions require the .NET Framework, and are not as portable as a side effect. No need to worry though, 1.x is still in active development, and is open source, so even if the current devs stop work on it, development will continue.

KeePass also has quite an extensive plugin library, which further enhances its functionality. If you’re looking for a password manager that you can use anywhere, you would be hard pressed to find one better at it than KeePass.


Of Licensing Agreements and such

Have you ever looked at a software EULA? It’s almost enough to make me want to puke, and I’m quite certain that most of the “clauses” in most of the software EULAs out there are completely unenforceable (it’s like the people that write these things have never heard of the First Sale Doctrine).

Recently I’ve been forced to deal with Microsoft licensing, as well as licensing for several other major software packages, and I feel like I need to hire a lawyer to ensure that I am not violating the license agreements by looking at the software funny (don’t laugh – it is entirely possible that there is a clause in there somewhere that voids the license if I were to glare at the software).

I’ve had enough. While researching some of this stuff I came across a website that was apparently created by people who also are not too fond of the ridiculous direction that software licensing has taken of late. I give you Reasonable Agreement.

From this I’ve created a new email signature (I absolutely loathe the fact that I have to put a disclaimer on my work email – trust me they are totally and completely unenforceable anyway), for my personal email which reads like this:

Best regards,

Joe Glessner
__________________
READ CAREFULLY. By receiving this email you agree, on behalf of your employer, to release me from all obligations and waivers arising from any and all NON-NEGOTIATED agreements, licenses, terms-of-service, shrinkwrap, clickwrap, browsewrap, confidentiality, non-disclosure, non-compete and acceptable use policies (“BOGUS AGREEMENTS”) that I have entered into with your employer, its partners, licensors, agents and assigns, in perpetuity, without prejudice to my ongoing rights and privileges. You further represent that you have the authority to release me from any BOGUS AGREEMENTS on behalf of your employer.

This site is more than just the anti-EULA, it is a collection of experiences of people dealing with these terrible license agreements in the real world. If you’re looking to waste some time and get a good laugh, there is some pretty funny stuff there.


Admin’s Arsenal: Notepad++

Ok, so anyone that knows me (or has dealt with me for anything technical that involves a text file of any kind) knows that I loathe Windows Notepad. If you are just going to write a quick couple lines of notes it’s ok, but anything beyond that, it’s just the wrong tool for the job. That’s where Notepad++ comes in.

Notepad++ is an open source text editor extraordinaire, making short work of even the most convoluted of text files with the greatest of ease. Here is just a partial list of the features of Notepad++:

  • Syntax Highlighting and Syntax Folding
  • WYSIWYG editor (if you have color source code, print it in color)
  • Auto Completion
  • Multi-Document (tabbed view)
  • Multi-View (view multiple documents at the same time)
  • Regular Expression Search/Replace supported
  • Full Drag & Drop support
  • Zoom in and Zoom out
  • Bookmark
  • Line numbering
  • Macro recording and playback
  • FTP support

And that’s not even all of the features!

However for me the best features are the syntax highlighting and the line numbering. Do you have any idea how easy it is to explain a (printed out) script to someone when you can just tell them, “and starting on line 324…”? It’s GREAT!!!

For this feature alone it’s worth the download, but it gets even better. There is a portable version! You don’t even have to install it, you can run it right from your USB drive (as I’ve mentioned before I am a big fan of having all the software I use on a daily basis on a USB drive)!

Anyone that has to regularly deal with text files will greatly benefit from the robust features of Notepad++.

Notepad++ can be downloaded from here.

Notepad++ Portable can be downloaded from here.


Be the ball (or the Local System Account)

So I got a call this morning about a file on our main file server being “open” by “no one”, and of course one of my users was in dire need of access to said file.

No problem I thought to myself, I’ll just log in as the Domain Admin, find out who has the file open, and close it. Turns out it wasn’t quite so easy. Apparently the file in question was opened by the NT AUTHORITY\SYSTEM account, or in layman’s terms, the LOCAL SYSTEM account. Odd, nothing that should have been running as the LOCAL SYSTEM account should have that file locked.

This presented an interesting challenge, as the LOCAL SYSTEM account trumps the authority of the Local Administrators group (which is the group that the Domain Administrators group has membership in). Think of the LOCAL SYSTEM account as the machine itself rather than a user account, and you’ll have a pretty good grasp of why this is an issue (without an account that trumps the LOCAL SYSTEM account a reboot is pretty much the only way to release a locked file – and rebooting a production file server in the middle of business hours is a big no no here).

Finding things like this always makes me a bit nervous, so it was time to investigate. As it turns out, I had inadvertently found a way to become the LOCAL SYSTEM account. On Sunday I was testing a script in our live environment (already tested in our test environment, but I always run a test on live too, as funny things happen when you make that move to live), and had at random picked this particular file as a test file (doesn’t contain any important information, and it was the first file I happened to lay eyes on).

This particular script scheduled another script that would then read a specific file and act depending on the information contained in it. Well it seems that the scheduled script had hung (I forgot to change a variable, and what worked in our test environment could not find a folder it needed in our live environment), and locked this particular file because it had run as (you guessed it) the LOCAL SYSTEM account.

So how did all this happen, and how did I get the script running as the LOCAL SYSTEM account? The answer lies in the magic of the AT command.

Apparently when you schedule something using the AT command, it will execute in the NT AUTHORITY\LOCAL SYSTEM account context. This is actually pretty useful, as there are times when it would be extremely beneficial to be able to operate as the LOCAL SYSTEM account (like when the LOCAL SYSTEM account is locking a file). More importantly I figured out a way to gain LOCAL SYSTEM account context interactively.

Ok, so to become the LOCAL SYSTEM account, here is what we do:

  1. Start > Run > type: cmd {ENTER}
  2. Type: at 14:05 /interactive "cmd.exe" {ENTER} (replace 14:05 with a time 5 minutes from now – using the 24 hour time format).
  3. Close the command prompt.
  4. When the time you specified in the above command occurs, a command prompt will launch.

This command prompt is running in the LOCAL SYSTEM context (you can confirm this by running Process Explorer from Sysinternals)! So, now you can use this command prompt to say, relaunch Windows Explorer in the LOCAL SYSTEM account context:

  1. In the command prompt type: taskkill /F /IM explorer.exe {ENTER} (the /IM switch tells taskkill you are naming an image rather than a process ID).
  2. Type: explorer.exe {ENTER}.

This will kill Windows Explorer, and relaunch it in the LOCAL SYSTEM account context. Now anything you do will be executed in the context of the LOCAL SYSTEM account (so be careful, you can easily permanently delete files or damage your system).

To get back to the context of your regular user simply log off, and log back in.

Now, I immediately started having thoughts about the security implications of this, but then realized that Microsoft had already thought of this. To run the AT command, you must be a member of the local Administrators group. So not to worry, your users are not going to start wreaking havoc on your systems if they should happen across this post (at least probably no more so than if they already have membership in the local Administrators group).
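As an added example that is not part of the original post, here is a PowerShell audit script (assumed to be run from an elevated prompt on a Windows host where schtasks.exe and net.exe are available) that lists every scheduled task set to run as SYSTEM, which on older systems includes legacy AT jobs that show up with names like At1, and then lists the local Administrators members who are the only accounts allowed to create such jobs:

```powershell
# Added example, not from the original post: audit tasks that run as LOCAL SYSTEM
# and the local Administrators members who are allowed to schedule them.
# Assumes schtasks.exe and net.exe are on the PATH and the prompt is elevated.

# Verbose CSV output from schtasks carries the column "Run As User" (and "Logon Mode",
# which reveals interactive jobs). Older Windows versions repeat the header row once
# per task, so keep a single header and drop the repeats before parsing.
$csv    = schtasks /query /fo CSV /v
$header = $csv | Select-Object -First 1
$rows   = $csv | Where-Object { $_ -and $_ -ne $header }
$tasks  = ($header, $rows) | ConvertFrom-Csv

# Tasks that run with the SYSTEM account, including legacy AT jobs (named At1, At2, ...)
$systemTasks = $tasks |
    Where-Object { $_.'Run As User' -match 'SYSTEM' } |
    Select-Object TaskName, 'Logon Mode', 'Task To Run', 'Next Run Time', Status

Write-Host "Scheduled tasks running as LOCAL SYSTEM:"
$systemTasks | Format-Table -AutoSize

# Flag the ones that would hand an interactive desktop to SYSTEM, as the AT
# /interactive example in the post does.
$interactive = $systemTasks | Where-Object { $_.'Logon Mode' -match 'Interactive' }
if ($interactive) {
    Write-Host "Interactive SYSTEM tasks (review these):"
    $interactive | Format-Table -AutoSize
}

# Only local Administrators can create AT jobs, so review that group as well.
Write-Host "Members of the local Administrators group:"
net localgroup Administrators
```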


Admin’s Arsenal: lsgrab.exe

Several months ago I found myself with a unique need; I needed to take screenshots of a remote machine at specified times during the day (don’t ask, it’s a long story filled with management douchebaggery). I did quite a bit of searching, and eventually settled on lsgrab.exe by Geert Moernaut.

This little gem is a console application designed to do one thing: take screenshots of remote computers.

There are a few caveats (but it filled the need I had):

  • It is NOT free. It is donation ware, the author requests a €5 donation (about $9 USD), however this is not stated anywhere before you download it (it’s in the readme file in the .zip download).
  • You must have administrative permissions on the target computer.
  • Someone must be logged on to the target computer.
  • Works on Windows 2000, Windows 2003, XP (I haven’t tested it on Vista or 2008 yet).

Since it’s a console app I just copied it into the C:\Windows directory on my workstation, and then wrote a script to use it to take timestamped screenshots (you can view the script I used here). Worked great. I’m not sure what other uses I might find for it, but for the $9 buy in, it is definitely something I will drop into my bag of tricks.

You can download lsgrab.exe here.


A rant on the importance of properly securing sensitive data

This morning started off as a typical workday for me, sitting in my office banging away on the keyboard, reading system logs, and chatting with three different colleagues via IM, while on hold with tech support (I multi task very well sometimes).

Without warning I suddenly had this feeling that something VERY bad was happening. I can’t really explain it, but a chill ran down my spine and I just knew something freaking dire was transpiring at that very moment.

I stopped everything I was doing and closed my eyes trying to figure out what had set me on edge, and then I heard it. Wafting from down the hall (I work in the accounting building) I heard the following “… can you email me that text file with all the credit card numbers in it again? I think I accidentally deleted it from my email.”

WHAT!?!?!?!? GAH!!!!!!

And so I went charging out into the hall to put an immediate halt to this nonsense.

Now I have explained multiple times that no one (I mean that literally – myself included) is to ever store any passwords or access codes (including credit card numbers) in an unencrypted format, for any reason (this is quite clearly laid out in our IT policy manual, which every employee has read and signed). Apparently some of the office staff thought I didn’t really mean that, it was just filler in the policy manual.

GRRRRRRRRRRRRRRRRRR

So 45 minutes later I sat in an emergency all hands meeting yet again explaining (in detail) why this is a no no, with the usual push back (it’s too hard to lock a spreadsheet, etc.).

I just don’t understand what is so difficult about this, after all I have provided them with the necessary tools to secure this… kind… of… informa… DOH!

Every now and then I have one of those moments when I realize that I have done everything I can think of to prevent some problem (in this case potential data loss, and/or financial abuse), except one simple thing to ensure that everyone plays along; in this case I forgot to give them the tools!

Hey you’re not perfect either, so back off!

As I realized my mistake, I smoothly (seriously I don’t think anyone even realized this was not part of my planned topic) plugged my laptop into the projector and continued on to explain the answer to all of these issues; KeePass Password Safe.

For anyone that has not used KeePass, this little tool is a little piece of file/password encrypting goodness. It’s free (as in open source free), and the files created with it can be viewed on Windows and Linux/Mac OSX machines. You can download KeePass here.

Personally I use version 1.11, as it is also available in a portable version from PortableApps.com, and I always try to keep all of the utilities I use on a daily basis on my USB drive.

The Linux version is called KeePassX, and can be found here.

I love this program because it only requires the user to remember two passwords; their logon password, and the Master password for KeePass. Everything else can be kept in the KeePass database.

I seriously cannot say enough about how awesome this tool is, I use it to secure every piece of sensitive information that I have. If you’ve been looking for something to protect your sensitive information, I would highly suggest you give KeePass a spin, I think you’ll find it’s really unobtrusive, and definitely safer than using a text file to store credit card numbers.
