krypted.com

Tiny Deathstars of Foulness

Tomcat logs events into the system log. You can use the Get-WmiObject cmdlet to see events. Here, we’ll look at a JSS and view only system events:

    Get-WmiObject Win32_NTLogEvent -ComputerName $jss -Filter "LogFile='system'"

We can then use AND to further constrain to specific messages, in this case those containing Tomcat:

    Get-WmiObject Win32_NTLogEvent -ComputerName $jss -Filter "LogFile='system' AND (Message like '%Tomcat%')"

We can then further constrain output to those with a specific EventCode with another compound statement:

    Get-WmiObject Win32_NTLogEvent -ComputerName $jss -Filter "LogFile='system' AND (Message like '%Tomcat%') AND (EventCode=1024)"

For a comprehensive list of Windows event codes, see https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx.

You could instead use Get-EventLog to see system logs. For example, the following will list the latest 1000 entries in the system log:

    Get-Eventlog -LogName system -Newest 1000

And the following lists the number of unique entries in descending order using Sort-Object, along with the -Property option set to count:

    Get-Eventlog -LogName system -Newest 1000 | Sort-Object -Property count -Descending

And the following would additionally constrain the output to entries with the word Tomcat using the -Message option:

    Get-Eventlog -LogName system -Newest 1000 -Message "*Tomcat*" | Sort-Object -Property count -Descending

And to focus on a specific server, use the -ComputerName option (shown here with localhost; substitute the server name, such as jss):

    Get-Eventlog -LogName system -Newest 1000 -Message "*Tomcat*" -ComputerName "localhost" | Sort-Object -Property count -Descending
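To turn those entries into an actual per-event tally, the following added example (not from the original post) groups the Tomcat matches by source, event ID and entry type and shows when each was first and last seen. The $Server variable is an assumed name for the host being queried.

```powershell
# Added example, not from the original post.
# Get-EventLog ships with Windows PowerShell 5.1.
# $Server is an assumed name for the host to query.
$Server = 'localhost'

# Get-EventLog raises an error when nothing matches, so suppress it
# and test for an empty result instead.
$events = Get-EventLog -LogName System -Newest 1000 -Message '*Tomcat*' `
    -ComputerName $Server -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output "No matching Tomcat entries found on $Server"
}
else {
    $events |
        Group-Object -Property Source, EventID, EntryType |
        Sort-Object -Property Count -Descending |
        ForEach-Object {
            # Order each group by time so first and last occurrence can be reported.
            $times = $_.Group | Sort-Object -Property TimeGenerated
            [pscustomobject]@{
                Count     = $_.Count
                Source    = $_.Group[0].Source
                EventID   = $_.Group[0].EventID
                EntryType = $_.Group[0].EntryType
                FirstSeen = ($times | Select-Object -First 1).TimeGenerated
                LastSeen  = ($times | Select-Object -Last 1).TimeGenerated
            }
        } |
        Format-Table -AutoSize
}
```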

July 11th, 2017

Posted In: JAMF, Windows Server


I covered managing devices based on policy in http://krypted.com/microsoft-exchange-server/manage-activesync-policies-on-ios-using-powershell-in-exchange-2016/. One of those policies is “modern authentication”, Azure Passthrough Authentication, or OAuth if you will. To enable it, log into Exchange Online via PowerShell and run Set-OrganizationConfig to set -OAuth2ClientProfileEnabled to True:

    Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

If you’re using Skype, do an override:

    Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed

Now check that OAuth was enabled properly:

    Get-CsOAuthConfiguration

And voilà, you’ve caught up to where WordPress was at with OAuth 8 years ago! Next, check the global ADFS authentication rule:

    Get-AdfsAdditionalAuthenticationRule

And you can use Set-AdfsAdditionalAuthenticationRule to change it. Now, you should be able to check the ADFS rules required for a given MFA requirement:

    Get-AdfsRelyingPartyTrust -Name "Krypted"

And then if necessary, set them (-TargetName selects the trust by name; -TargetRelyingParty expects the object returned by Get-AdfsRelyingPartyTrust):

    Set-AdfsRelyingPartyTrust -TargetName "Krypted" -AdditionalAuthenticationRules 'c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-Insert your Group SID here"] && [Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"] => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");'

You can then check groups:

    Get-ADGroup -Identity "Krypted Users"
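To see at a glance which relying party trusts actually carry an MFA rule like the one above, this added example (not from the original post) lists every trust and whether its additional authentication rules issue the multipleauthn claim. It assumes it is run on an AD FS server with the ADFS module loaded.

```powershell
# Added example, not from the original post.
# Assumes an AD FS server with the ADFS PowerShell module available.
# The claim value below is the one issued by the rule shown in the post.
$mfaClaim = 'http://schemas.microsoft.com/claims/multipleauthn'

Get-AdfsRelyingPartyTrust |
    ForEach-Object {
        $rules = $_.AdditionalAuthenticationRules
        [pscustomobject]@{
            Name       = $_.Name
            Enabled    = $_.Enabled
            # True only when a per-trust rule is present and issues the MFA claim.
            HasMfaRule = [bool]($rules -and $rules.Contains($mfaClaim))
        }
    } |
    Sort-Object -Property HasMfaRule, Name |
    Format-Table -AutoSize
```

Trusts listed with HasMfaRule set to False may still be covered by the global rule returned by Get-AdfsAdditionalAuthenticationRule, so review both.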

May 9th, 2017

Posted In: Microsoft Exchange Server, Network Infrastructure, Windows Server


IIS Express is a simple web server that can run on Windows with a couple of easy features for developers of Windows applications. This includes things like webhooks, a modern way of accepting POST requests and responding to them. Each IIS Express site is managed on a per-user basis, as it’s written as a tool to assist with development. Many web applications will attempt to communicate with one another via a specific port. And when you’re using IIS Express, you’ll need to create a socket binding to that port and allow external users to connect (again, by default, IIS Express is configured for developers to test code on their own machines). To do so, open the IIS Express config file at %userprofile%\documents\iisexpress\config\applicationhost.config (note that the userprofile is here as it’s, again, per user). By default, bindings will restrict to localhost, as you can see below:

    <binding protocol="http" bindingInformation="*:8443:localhost" />

Copy this line and paste it below the first instance, replacing the localhost with * (make sure to leave the first line or your dev tools can’t connect to the server):

    <binding protocol="http" bindingInformation="*:8443:*" />

Again, make sure to leave the first binding in place. Then restart the server and you’re good.
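Because a wildcard binding stays in the per-user config long after the test that needed it, it is worth listing which bindings are no longer restricted to localhost. This added example (not from the original post) parses the applicationhost.config path given above and reports them.

```powershell
# Added example, not from the original post: list IIS Express HTTP(S) bindings
# whose host part is not "localhost".
$config = Join-Path $env:USERPROFILE 'Documents\IISExpress\config\applicationhost.config'
[xml]$xml = Get-Content -Path $config -Raw

foreach ($site in $xml.configuration.'system.applicationHost'.sites.site) {
    foreach ($binding in $site.bindings.binding) {
        # Other protocols (for example net.tcp) use a different bindingInformation layout.
        if ($binding.protocol -notin 'http', 'https') { continue }

        # bindingInformation is IP:port:host; anchor on the last two colons
        # so an IPv6 literal in the IP part does not break the parse.
        if ($binding.bindingInformation -match '^(?<ip>.*):(?<port>\d+):(?<host>[^:]*)$') {
            $hostName = $Matches['host']
            if ($hostName -ne 'localhost') {
                [pscustomobject]@{
                    Site     = $site.name
                    Protocol = $binding.protocol
                    Port     = $Matches['port']
                    # An empty host part also means "any host name".
                    Host     = if ($hostName) { $hostName } else { '(any)' }
                }
            }
        }
    }
}
```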

January 28th, 2017

Posted In: Windows Server


Here ya’ go!

    netsh advfirewall firewall add rule name="KryptedWebhook" dir=in protocol=tcp localport=8443 profile=private remoteip=any action=allow

Wait, what’s that?!?! Let’s break down the options I used here:
  • advfirewall: Yup, it’s the new firewall.
  • firewall: Yup, it’s a firewall.
  • add: I’m adding a new rule. I also could have used delete along with the rule name and removed one. Or show to see one. Or set to augment one.
  • rule: It’s all about rules. Each rule allows for a port and/or an action.
  • name: Every rule needs a unique name. Namespace conflicts will result in errors. If programmatically creating rules, I’ve found it undesirable to use a counter and instead moved to using GUIDs and a hash table.
  • dir: The direction traffic is flowing. In is for incoming traffic and out is for outgoing traffic.
  • protocol: The protocol to use, typically tcp or udp, but for pings it might be one of the icmps.
  • localport: The port that is being used (there’s also a remoteport operator for reflections).
  • profile: I mostly use profile of private.
  • remoteip: Set to any but could be set to a given IP for increased security (yes, I know people can spoof these – so your version of the word might be different).
  • action: I used allow, but could have been block (which denies traffic) or bypass.
For further security, I might add a security operator, to allow for an authentication string. You might also need to allow traffic for a given app. To do so, let’s add a rule that does so; the only option not mentioned above is program, which is the path to the binary we’re allowing:

    netsh advfirewall firewall add rule name="My Application" dir=in action=allow program="C:\kryptedscripts\kryptedcompiledwebapp.exe" enable=yes

To then see the rules and validate that your rules were indeed installed, use:

    netsh advfirewall firewall show rule name=all

The reason I call this quick and dirty is that I’m really only covering a small subset of options. Additionally, it would be a bit more modern to do this via PowerShell using New-NetFirewallRule or one of the many, many other cmdlets, such as Copy-NetFirewallRule, Enable-NetFirewallRule, Disable-NetFirewallRule, Get-NetFirewallAddressFilter, Get-NetFirewallApplicationFilter, Get-NetFirewallInterfaceFilter, Get-NetFirewallInterfaceTypeFilter, Get-NetFirewallPortFilter, Get-NetFirewallRule, Get-NetFirewallSecurityFilter, New-NetFirewallRule, Open-NetGPO (cause you can configure the firewall through a GPO), Remove-NetFirewallRule, Rename-NetFirewallRule, Save-NetGPO, Set-NetFirewallRule, Set-NetFirewallSetting, and Show-NetFirewallRule.
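The PowerShell route mentioned above, as an added example that is not from the original post: it creates the KryptedWebhook rule scoped to a single remote address instead of any, then lists every enabled inbound allow rule that still accepts traffic from any address. The address 192.0.2.10 is a constructed documentation value.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell session.
# 192.0.2.10 is a constructed documentation address; substitute the real webhook sender.
$name = 'KryptedWebhook'

# Create the rule only if it does not already exist, to avoid duplicate names.
if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
        -LocalPort 8443 -Profile Private -RemoteAddress '192.0.2.10' -Action Allow |
        Out-Null
}

# Audit: enabled inbound allow rules that accept traffic from any remote address.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $address = $_ | Get-NetFirewallAddressFilter
        if ($address.RemoteAddress -contains 'Any') {
            $port = $_ | Get-NetFirewallPortFilter
            $app  = $_ | Get-NetFirewallApplicationFilter
            [pscustomobject]@{
                DisplayName = $_.DisplayName
                Profile     = $_.Profile
                Protocol    = $port.Protocol
                LocalPort   = $port.LocalPort -join ','
                Program     = $app.Program
            }
        }
    } |
    Sort-Object -Property DisplayName |
    Format-Table -AutoSize
```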

January 27th, 2017

Posted In: Windows Server, Windows XP


A number of environments need to disable the Notification Center and Action Center features in Windows 10. This can be done using the registry editor or using a Group Policy Object (GPO). First let’s look at doing so with the registry. As with any mucking around with the registry, when editing, I strongly recommend backing up the registry and/or creating a restore point first. Once done, click Run, enter regedit and hit Enter to open the Registry Editor. Next, right-click on the HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer registry key and create a new DWORD (32-bit) key. Call the key DisableNotificationCenter and provide the number 1 as the value. Then quit the Registry Editor and restart. Notification Center and Action Center should then be disabled. Simply delete that key and reboot in order to go back. If the Group Policy Editor is available, click Run and enter gpedit.msc. Then open the User Configuration, navigate to Administrative Templates, click on Start Menu and then choose Taskbar. Open Remove Notifications and Action Center, and move the Enabled option to Disable (if disabling of course). You can then run gpupdate or reboot to see the change.

January 2nd, 2017

Posted In: Windows Server, Windows XP


I’ve now installed Windows Server 2012 without a GUI a number of times. And I always seem to end up needing that GUI eventually. So, to get Windows as a feature in Windows Server, use the following command to fire up a PowerShell environment, entering the admin password when prompted:

    runas /user:administrator powershell.exe

Then let’s install all the Windows Features with the word GUI in them:

    Get-WindowsFeature -Name *gui* | Install-WindowsFeature -Restart

The server will then reboot and you’ll be looking at a login window. To remove, you can just enter the following:

    Get-WindowsFeature -Name *gui* | Remove-WindowsFeature -Restart

May 8th, 2016

Posted In: Windows Server


May 4th, 2016

Posted In: Active Directory, Windows Server


One of the easiest things to do in OS X is to remotely run an installation package using the installer command. You can do some similar tasks in Windows, although the commands aren’t quite as cut and dry. The Start-Process command can be used to kick off an executable. Here, we will kick off msiexec.exe and feed it an argument, which is the msi file to install silently. We’ll then wait for it to complete:

    Start-Process -FilePath "msiexec.exe" -ArgumentList "/i TEST.msi /qb" -Wait -Passthru
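Since -Passthru returns the process object, the install result can be checked rather than assumed. This added example (not from the original post) writes a verbose msiexec log and interprets the exit code; the log path is an assumption.

```powershell
# Added example, not from the original post.
$msi = 'TEST.msi'                                 # package name used in the post
$log = Join-Path $env:TEMP 'TEST-install.log'     # assumed log location

# /norestart stops msiexec from rebooting on its own; /l*v writes a verbose log.
$arguments = "/i `"$msi`" /qb /norestart /l*v `"$log`""
$process = Start-Process -FilePath 'msiexec.exe' -ArgumentList $arguments -Wait -PassThru

switch ($process.ExitCode) {
    0       { Write-Output "Installed $msi successfully" }
    3010    { Write-Output "Installed $msi; a reboot is required to finish" }
    1641    { Write-Output "Installed $msi; the installer initiated a reboot" }
    default { Write-Error "msiexec failed with exit code $($process.ExitCode); see $log" }
}
```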

August 19th, 2015

Posted In: Windows Server, Windows XP

