krypted.com

Tiny Deathstars of Foulness

Tomcat logs events into the system log. You can use the Get-WmiObject cmdlet to see those events. Here, we’ll look at a JSS and view only system events:

Get-WmiObject Win32_NTLogEvent -ComputerName $jss -Filter "LogFile='system'"

We can then use AND to further constrain the query to specific messages, in this case those containing Tomcat:

Get-WmiObject Win32_NTLogEvent -ComputerName $jss -Filter "LogFile='system' AND (Message like '%Tomcat%')"

We can then further constrain the output to entries with a specific EventCode with another compound statement:

Get-WmiObject Win32_NTLogEvent -ComputerName $jss -Filter "LogFile='system' AND (Message like '%Tomcat%') AND (EventCode=1024)"

For a comprehensive list of Windows event codes, see https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx.

You could instead use Get-EventLog to see system logs. For example, the following will list the latest 100 entries in the system log:

Get-EventLog -LogName system -Newest 1000

And the following groups those entries by EventID with Group-Object, which gives each group a Count, and lists the groups in descending order using Sort-Object with the -Property option set to Count:

Get-EventLog -LogName system -Newest 1000 | Group-Object -Property EventID | Sort-Object -Property Count -Descending

And the following would additionally constrain the output to entries containing the word Tomcat using the -Message option:

Get-EventLog -LogName system -Newest 1000 -Message "*Tomcat*" | Group-Object -Property EventID | Sort-Object -Property Count -Descending

And to focus on a server called jss, use the -ComputerName option:

Get-EventLog -LogName system -Newest 1000 -Message "*Tomcat*" -ComputerName jss | Group-Object -Property EventID | Sort-Object -Property Count -Descending
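As an added example (not code from the original post), the following wraps the Get-EventLog approach above into a reusable summary: Tomcat-related errors and warnings in the System log grouped by EventID, so recurring problems on the JSS stand out. The server name, the 1000-entry window and the alert threshold are assumptions to adjust.

```powershell
# Added example: summarise Tomcat-related System log entries by EventID.
function Get-TomcatEventSummary {
    param(
        [string]$ComputerName = 'localhost',
        [int]$Newest = 1000,
        [string]$Pattern = '*Tomcat*'
    )
    # -Message takes a wildcard pattern; -EntryType narrows the result to problems only.
    # Get-EventLog raises a non-terminating error when nothing matches, so silence it.
    $events = Get-EventLog -LogName System -Newest $Newest -ComputerName $ComputerName `
        -Message $Pattern -EntryType Error, Warning -ErrorAction SilentlyContinue

    # Group-Object supplies the Count that Sort-Object then orders by
    $events |
        Group-Object -Property EventID |
        Sort-Object -Property Count -Descending |
        ForEach-Object {
            $latest = $_.Group | Sort-Object TimeGenerated -Descending | Select-Object -First 1
            [pscustomobject]@{
                EventID  = $_.Name
                Count    = $_.Count
                LastSeen = $latest.TimeGenerated
                Sample   = ($latest.Message -split "`n")[0]   # first line of the newest message
            }
        }
}

$jss = 'jss'   # server name used in the post; replace with your JSS host
$summary = Get-TomcatEventSummary -ComputerName $jss -Newest 1000
$summary | Format-Table -AutoSize

# Non-zero exit when any single Tomcat event fires unusually often (threshold is an assumption)
if ($summary | Where-Object { $_.Count -ge 50 }) { exit 1 }
```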

July 11th, 2017

Posted In: JAMF, Windows Server


As an author of technical books, I’ve been very interested in the comings and goings of technical books for a long time. This new Instagram feed is an expedition into what once was and how quickly the times change. The feed is embedded into a page on krypted to make it easier to see. Curious how many of my books are now “Dead Tech Books”…

February 1st, 2015

Posted In: Articles and Books, public speaking


The default logs in Windows Server can be tweaked to provide a little better information. This is really helpful, for example, if you’re dumping your logs to a syslog server. Here’s a script that can make it happen with a few little tweaks to how we interpret data (to be run per host; just paste it into a PowerShell window as an administrator):

auditpol /set /subcategory:"Security State Change" /success:enable /failure:enable
auditpol /set /subcategory:"Security System Extension" /success:enable /failure:enable
auditpol /set /subcategory:"System Integrity" /success:enable /failure:enable
auditpol /set /subcategory:"IPsec Driver" /success:disable /failure:disable
auditpol /set /subcategory:"Other System Events" /success:disable /failure:enable
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Logoff" /success:enable /failure:enable
auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable
auditpol /set /subcategory:"IPsec Main Mode" /success:disable /failure:disable
auditpol /set /subcategory:"IPsec Quick Mode" /success:disable /failure:disable
auditpol /set /subcategory:"IPsec Extended Mode" /success:disable /failure:disable
auditpol /set /subcategory:"Special Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable
auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /set /subcategory:"Registry" /success:enable /failure:enable
auditpol /set /subcategory:"Kernel Object" /success:enable /failure:enable
auditpol /set /subcategory:"SAM" /success:disable /failure:disable
auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable
auditpol /set /subcategory:"Application Generated" /success:enable /failure:enable
auditpol /set /subcategory:"Handle Manipulation" /success:disable /failure:disable
auditpol /set /subcategory:"File Share" /success:enable /failure:enable
auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure:disable
auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:disable
auditpol /set /subcategory:"Other Object Access Events" /success:disable /failure:disable
auditpol /set /subcategory:"Sensitive Privilege Use" /success:disable /failure:disable
auditpol /set /subcategory:"Non Sensitive Privilege Use" /success:disable /failure:disable
auditpol /set /subcategory:"Other Privilege Use Events" /success:disable /failure:disable
auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable
auditpol /set /subcategory:"Process Termination" /success:enable /failure:enable
auditpol /set /subcategory:"DPAPI Activity" /success:disable /failure:disable
auditpol /set /subcategory:"RPC Events" /success:enable /failure:enable
auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable
auditpol /set /subcategory:"Authentication Policy Change" /success:enable /failure:enable
auditpol /set /subcategory:"Authorization Policy Change" /success:enable /failure:enable
auditpol /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:disable /failure:disable
auditpol /set /subcategory:"Filtering Platform Policy Change" /success:disable /failure:disable
auditpol /set /subcategory:"Other Policy Change Events" /success:disable /failure:enable
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
auditpol /set /subcategory:"Computer Account Management" /success:enable /failure:enable
auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
auditpol /set /subcategory:"Distribution Group Management" /success:enable /failure:enable
auditpol /set /subcategory:"Application Group Management" /success:enable /failure:enable
auditpol /set /subcategory:"Other Account Management Events" /success:enable /failure:enable
auditpol /set /subcategory:"Directory Service Access" /success:enable /failure:enable
auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable
auditpol /set /subcategory:"Directory Service Replication" /success:disable /failure:disable
auditpol /set /subcategory:"Detailed Directory Service Replication" /success:disable /failure:disable
auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable
auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable /failure:enable
auditpol /set /subcategory:"Other Account Logon Events" /success:enable /failure:enable
auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable /failure:enable
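Applying the script is only half the job; a host that was later touched by Group Policy will silently drift. The following is an added example (not part of the original post) that reads the effective policy back with auditpol’s CSV output and reports any subcategory that differs from the desired state. The hashtable covers a subset of the settings above as an illustration; extend it to the full list.

```powershell
# Added example: detect drift from the desired audit policy. Run elevated.
# Expected values use auditpol's own wording: 'Success and Failure', 'Success',
# 'Failure' or 'No Auditing'. Subset of the script above; extend as needed.
$Desired = @{
    'Logon'                 = 'Success and Failure'
    'Logoff'                = 'Success and Failure'
    'Account Lockout'       = 'Success and Failure'
    'Process Creation'      = 'Success and Failure'
    'Audit Policy Change'   = 'Success and Failure'
    'Credential Validation' = 'Success and Failure'
    'Other System Events'   = 'Failure'        # /success:disable /failure:enable
    'Handle Manipulation'   = 'No Auditing'    # /success:disable /failure:disable
}

function Get-AuditPolicyDrift {
    param([hashtable]$Expected)
    # /r makes auditpol emit CSV; the "Inclusion Setting" column holds the effective setting.
    # Blank lines are dropped before parsing so they cannot be mistaken for a header.
    $current = auditpol /get /category:* /r | Where-Object { $_ -match ',' } | ConvertFrom-Csv
    foreach ($name in $Expected.Keys) {
        $row = $current | Where-Object { $_.Subcategory -eq $name }
        $actual = if ($row) { $row.'Inclusion Setting' } else { 'MISSING' }
        if ($actual -ne $Expected[$name]) {
            [pscustomobject]@{ Subcategory = $name; Expected = $Expected[$name]; Actual = $actual }
        }
    }
}

$drift = @(Get-AuditPolicyDrift -Expected $Desired)
if ($drift.Count -gt 0) {
    $drift | Format-Table -AutoSize
    Write-Warning "$($drift.Count) subcategories differ from the desired audit policy"
    exit 1
}
Write-Host 'Audit policy matches the desired state'
```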

April 23rd, 2014

Posted In: Windows Server


You can use PowerShell to get pretty much anything you want out of Active Directory. Let’s say you want to see when the last time a user changed their password was. You can use the Get-ADUser cmdlet to obtain any attribute for a user in the Active Directory schema. To use Get-ADUser, you’ll need to define a scope. In this example, we’ll do so using the -Filter option and filter for everyone, using an *. That could be a lot of data, so we’re also going to ask for the property, or attribute, PasswordLastSet using the -Properties option:

Get-ADUser -Filter * -Properties PasswordLastSet

We can then add a little more logic and pipe the output to a conditional statement that just looks at who hasn’t ever changed their password:

Get-ADUser -Filter * -Properties PasswordLastSet | Where { $_.PasswordLastSet -eq $null }

A more common task: we could also look for the last 90 days, using (Get-Date).AddDays(-90) to compute the cutoff that our filter compares against. We don’t want to display disabled users, so we could do something like this (note the curly brackets allow us to compound the search):

$90days = (Get-Date).AddDays(-90)
Get-ADUser -Filter {(PasswordLastSet -le $90days) -and (Enabled -eq $True)} -Properties PasswordLastSet
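As an added example (not code from the original post), the two queries above can be combined into one report of enabled accounts whose password is older than the cutoff or has never been set, with the age in days for sorting. It assumes the ActiveDirectory module (RSAT) is installed; the 90-day threshold is a parameter.

```powershell
# Added example: enabled accounts with stale or never-set passwords.
Import-Module ActiveDirectory

function Get-StalePasswordUsers {
    param([int]$MaxAgeDays = 90)
    $cutoff = (Get-Date).AddDays(-$MaxAgeDays)

    # Enabled users whose password was last set before the cutoff; the comparison
    # runs server-side, so only matching accounts come back over the wire.
    $stale = Get-ADUser -Filter { (PasswordLastSet -le $cutoff) -and (Enabled -eq $true) } `
        -Properties PasswordLastSet, PasswordNeverExpires

    # Accounts that never had a password set report PasswordLastSet as $null. An AD
    # filter cannot compare against $null, so fetch enabled users and test client-side.
    $never = Get-ADUser -Filter { Enabled -eq $true } -Properties PasswordLastSet, PasswordNeverExpires |
        Where-Object { $null -eq $_.PasswordLastSet }

    @($stale) + @($never) | Select-Object SamAccountName, PasswordLastSet, PasswordNeverExpires,
        @{ Name = 'AgeDays'; Expression = {
            if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } else { $null } } }
}

# PasswordNeverExpires is included because such accounts never trip the domain policy
Get-StalePasswordUsers -MaxAgeDays 90 | Sort-Object AgeDays -Descending | Format-Table -AutoSize
```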

April 1st, 2014

Posted In: Active Directory, Windows Server


I recently needed to check and see whether a backup drive (which was just a 4TB USB drive) was plugged into a server. But the server had no GUI, so I had to use the command line. There was no drive letter mapped to this drive, so I needed to use something else, and I needed to make a script that could be used long-term. Luckily, PowerShell can be used to obtain WMI information on the hardware installed on a computer. This allows administrators to query WMI about the USB devices currently installed on a server.

In the following command, we’re going to use Get-WmiObject from PowerShell and we’re going to query for Win32_USBControllerDevice. We’re going to run the command against the computer name in question (the example here is host.krypted.com, although if we left the -ComputerName option off it would run against the host the command is run on):

Get-WmiObject Win32_USBControllerDevice -ComputerName host.krypted.com | fl Antecedent,Dependent

The pipe to fl (Format-List) keeps only the Antecedent and Dependent fields from the host.krypted.com computer, somewhat like filtering with grep in bash. You could also remove the pipe and pull a full export, but if I’m using this in a script the less data to parse the better. If you think of WMI as containing a big tree about the hardware installed, the Antecedent is what must be running in order for the drive to be present (the USB controller) and the Dependent is the device that depends on it.

You can also obtain a lot more information through WMI. For example, you can pull information from any of the WMI classes, such as win32_bios:

Get-WmiObject win32_bios -ComputerName host.krypted.com

Note that you can list the properties and methods for a given class by using the Get-Member cmdlet:

Get-WmiObject win32_bios | Get-Member

Once you know which property you need, you can then parse the information a little further to get a very specific answer (Win32_BIOS has no DisplayName property, so Name is selected here):

Get-WmiObject win32_bios -ComputerName host.krypted.com | Select-Object Name

Finally, you can shorten this by replacing the Get-WmiObject cmdlet with gwmi, which is an alias for that command. Test it out, if you like:

gwmi win32_bios | Get-Member
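The Dependent field is a WMI object path, so a long-term check script can follow it to the Win32_PnPEntity it names instead of parsing the raw string. The following is an added example (not code from the original post) that does that and returns a result suitable for a scheduled task; the device pattern and the host name are assumptions to replace with your drive’s DeviceID or name.

```powershell
# Added example: is a particular USB device present on the server?
function Test-UsbDevicePresent {
    param(
        [string]$ComputerName = 'localhost',
        # Placeholder pattern: replace with the drive's DeviceID (USB\VID_xxxx&PID_yyyy\...)
        # or a -like pattern on its friendly name, as seen in Device Manager.
        [string]$DeviceIdPattern = 'USB\VID_XXXX&PID_YYYY*'
    )
    $links = Get-WmiObject Win32_USBControllerDevice -ComputerName $ComputerName
    foreach ($link in $links) {
        # Dependent looks like \\HOST\root\cimv2:Win32_PnPEntity.DeviceID="USB\\VID_...";
        # casting it to [wmi] fetches the referenced PnP entity, locally or remotely.
        $entity = [wmi]$link.Dependent
        if ($entity.DeviceID -like $DeviceIdPattern -or $entity.Name -like $DeviceIdPattern) {
            return [pscustomobject]@{ Present = $true; Name = $entity.Name; DeviceID = $entity.DeviceID }
        }
    }
    [pscustomobject]@{ Present = $false; Name = $null; DeviceID = $null }
}

# Constructed usage: match on the friendly name; exit non-zero so a scheduler can alert
$result = Test-UsbDevicePresent -ComputerName host.krypted.com -DeviceIdPattern '*Backup*'
if (-not $result.Present) { Write-Warning 'Backup drive not detected'; exit 1 }
"Backup drive present: $($result.Name) ($($result.DeviceID))"
```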

March 28th, 2014

Posted In: Windows Server, Windows XP


Microsoft doesn’t want any old tool to execute PowerShell scripts. But sometimes when we’re running a tool, we need the tool to be run in a way that violates the default execution policy. In order to facilitate this, Microsoft has provided four levels of security for the PowerShell execution policy. These include:
  • Restricted: The default execution policy, which forces commands to be entered interactively; no script files run.
  • AllSigned: Only scripts signed by a trusted publisher can run.
  • RemoteSigned: Any script created locally can run; scripts downloaded from the internet must be signed by a trusted publisher.
  • Unrestricted: Any script can run.
To configure an execution policy interactively, simply use the Set-ExecutionPolicy command followed by the name of the execution policy you wish to use. So to run the policy as Unrestricted (e.g. while you’re in the midst of a deployment), you could run the following:

Set-ExecutionPolicy Unrestricted

Once run, use Get-ExecutionPolicy with no options to see that the execution policy is configured as desired:

Get-ExecutionPolicy
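Set-ExecutionPolicy with no -Scope changes the LocalMachine setting and persists after the deployment is over. The following added example (not from the original post) loosens the policy only for the current process, runs the deployment script, restores the previous process-scope value, and shows every scope so the effective policy can be confirmed. Deploy.ps1 is a placeholder path.

```powershell
# Added example: temporary, process-scoped execution policy around one script.
function Invoke-ScriptWithScopedPolicy {
    param([Parameter(Mandatory)][string]$Path)

    # Report the script's Authenticode status so an unsigned deploy script is visible
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        Write-Warning "$Path signature status: $($sig.Status); allowing it for this process only"
    }

    # Process scope needs no elevation and is discarded when the session ends
    $previous = Get-ExecutionPolicy -Scope Process
    try {
        Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process -Force
        & $Path
    } finally {
        # Put the process-scope value back (Undefined if nothing was set before)
        Set-ExecutionPolicy -ExecutionPolicy $previous -Scope Process -Force
    }
}

Invoke-ScriptWithScopedPolicy -Path 'C:\Deploy\Deploy.ps1'   # placeholder path

# All scopes, most specific first; the first non-Undefined entry is the effective policy
Get-ExecutionPolicy -List
```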

March 27th, 2014

Posted In: Windows Server


On a Mac, I frequently use the tail command to view files as they’re being written to or in use. On Windows, you can use the Get-EventLog cmdlet to view logs. The Get-EventLog cmdlet has two options I’ll point out in this article: -List and -Newest. The first is used to view a list of event logs, along with retention cycles for logs, log sizes, etc.:

Get-EventLog -List

You can then take any of the log types and view information about them. To see System information:

Get-EventLog System

There will be too much information in many of these cases, so use the -Newest option to see just the latest entries:

Get-EventLog System -Newest 5

The list will have an Index number and an EventID. The EventID can then be used to research information about each error code, for example at http://eventid.net.

February 8th, 2014

Posted In: Microsoft Exchange Server, Windows Server, Windows XP


If you use Symantec’s Enterprise Vault solution and you need to migrate the SQL tables for Enterprise Vault to another server, you might have noticed that it’s not as simple as dumping tables from one host, restoring tables to another and changing some information on the Enterprise Vault server. This process takes a lot of time and is a relatively painful endeavor. But now Symantec has made the process much simpler, releasing a migration tool just for the database, available here: http://www.symantec.com/business/support//index?page=content&id=TECH214373 I guess they were listening to customers who complained about the process. Good for them!

January 28th, 2014

Posted In: Microsoft Exchange Server


Windows Server tracks the sessions that have been authenticated into the system, those that have timed out, those that have errored, KB sent/received, response time, errors, permission problems, password problems, files opened, print job spooling and buffers, quickly and easily. Simply use the net command we’ve all been using for 20 years, followed by stats or statistics:

net statistics

When prompted, choose Server or Workstation. In this case, we’ll use Server:

net statistics Server

And if you’re trying to troubleshoot client/server communications, keep in mind that you can look at much of this on the workstation side as well, but from the client perspective:

net statistics Workstation

December 16th, 2013

Posted In: Windows Server, Windows XP


By default, when you require an SSL certificate in IIS on an Exchange server, users who hit the page without providing https:// in front will get an error. Rather than require certificates, it’s better in most cases to redirect unsecured traffic to a secured login page. In order to do so, first configure the redirect. To do so, open IIS Manager and click on the Default Web Site. At the bottom of the pane for the Default Web Site, click Features View if not already selected.

Then open HTTP Redirect. Here, check the box for “Redirect requests to this destination” and provide the path to the owa virtual directory (e.g. https://krypted.com/owa). In the Redirect Behavior section, select the “Only redirect requests to content in this directory (not subdirectories)” check box and set the Status code to “Found (302)”. In the Actions pane to the right of the screen, click Apply.

Then click on Default Web Site again and open the SSL Settings pane. Here, uncheck the box for Require SSL. Once done, restart IIS by right-clicking on the service and choosing Restart or by running iisreset:

iisreset /noforce

Next, edit the offline address book web.config file on the CAS, stored by default at (assuming Exchange is installed on the C drive) C:\Program Files\Microsoft\Exchange Server\\ClientAccess\oab. To edit, right-click web.config and click Properties. Then click Security and then Edit. Under Group, click on Authenticated Users. Then click Read & execute for Authenticated Users in Permissions. Then click OK to save your changes.

Finally, if you have any issues with any messages not working, start IIS Manager. Then browse to the virtual directories and open HTTP Redirect. Then uncheck “Redirect requests to this destination” and click Apply. When you’re done, restart IIS again and test the ability to send and receive emails to make sure that mail flow functions without error from within the web interface.

December 6th, 2013

Posted In: Microsoft Exchange Server, Windows Server

