Why can’t I read the status of NTDS (Active Directory Domain Services) without elevation?

I don’t like anything running with more privileges than needed. So, as I am too cheap to buy a real monitoring solution, I went for Nagios Core. Nagios can’t really do checks on Windows by itself (out of the box). Most people seem to be running NSClient++ to do the real check over NRPE. Of course we can do more magic with RPC etc. if we want.

So back to the story. I let NSClient++ run as LocalService instead. Much rejoicing later... why have some simple checks broken?

One thing that broke was the possibility of checking services on our domain controllers.

So I logged on to the domain controller and started a cmd.exe window without escalating my permissions.

So why didn’t I just run PowerShell? Sometimes older things work better; PowerShell gave me this:

So instead of getting an Access denied, I got “there is no spoon”... sorry, I meant “there is no service”. So what is happening? Let’s dig in, shall we? By running cmd.exe as Administrator we can run more helpful commands:

So what does this mean? CCDCLCSWRPWPDTLOCRSDRCWDWO = what... Well, to be honest, it is simply every right that exists for a service, written out two letters at a time. Just look at the table of SDDL permissions for services:

String  Hex      Name                           Name in GUI
CC      0x0001   SERVICE_QUERY_CONFIG           Query template
DC      0x0002   SERVICE_CHANGE_CONFIG          Change template
LC      0x0004   SERVICE_QUERY_STATUS           Query status
SW      0x0008   SERVICE_ENUMERATE_DEPENDENTS   Enumerate dependents
RP      0x0010   SERVICE_START                  Start
WP      0x0020   SERVICE_STOP                   Stop
DT      0x0040   SERVICE_PAUSE_CONTINUE         Pause and continue
LO      0x0080   SERVICE_INTERROGATE            Interrogate
CR      0x0100   SERVICE_USER_DEFINED_CONTROL   User-defined control
SD      0x10000  DELETE                         Delete
RC      0x20000  READ_CONTROL                   Read permissions
WD      0x40000  WRITE_DAC                      Change permissions
WO      0x80000  WRITE_OWNER                    Take ownership

So all of those permissions go to “BUILTIN\Administrators” and “LocalSystem”. Backup Operators have a bit fewer permissions, but still a lot compared to the rest of us; they have:

  • SERVICE_QUERY_CONFIG
  • SERVICE_QUERY_STATUS
  • SERVICE_ENUMERATE_DEPENDENTS
  • SERVICE_INTERROGATE
  • READ_CONTROL

But don’t make your monitoring software a member of Backup Operators just for this, because that group grants a whole lot more than read access to services.
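The table above is enough to decode the string by hand, but it is also enough to let PowerShell do it, and to build the one ACE that gives a monitoring account the five read-type rights without putting it in Backup Operators. The following is an added example, not code from the original post: it assumes sc.exe (present on every Windows host), an elevated prompt (reading a service descriptor needs READ_CONTROL on the service, which is exactly what LocalService lacks here), and the sample descriptor at the bottom is constructed to mirror the post’s description rather than copied from a real NTDS.

```powershell
# Added example, not from the original post. Decodes a service's SDDL with the
# rights table above and builds the SDDL that grants a monitoring account
# read-only access. Assumes sc.exe and an elevated prompt; the sample
# descriptor below is constructed, your own NTDS output will differ.

# SDDL token, access bit and name, straight from the table above.
$ServiceRights = @(
    @{ Sddl = 'CC'; Bit = 0x0001;  Name = 'SERVICE_QUERY_CONFIG' }
    @{ Sddl = 'DC'; Bit = 0x0002;  Name = 'SERVICE_CHANGE_CONFIG' }
    @{ Sddl = 'LC'; Bit = 0x0004;  Name = 'SERVICE_QUERY_STATUS' }
    @{ Sddl = 'SW'; Bit = 0x0008;  Name = 'SERVICE_ENUMERATE_DEPENDENTS' }
    @{ Sddl = 'RP'; Bit = 0x0010;  Name = 'SERVICE_START' }
    @{ Sddl = 'WP'; Bit = 0x0020;  Name = 'SERVICE_STOP' }
    @{ Sddl = 'DT'; Bit = 0x0040;  Name = 'SERVICE_PAUSE_CONTINUE' }
    @{ Sddl = 'LO'; Bit = 0x0080;  Name = 'SERVICE_INTERROGATE' }
    @{ Sddl = 'CR'; Bit = 0x0100;  Name = 'SERVICE_USER_DEFINED_CONTROL' }
    @{ Sddl = 'SD'; Bit = 0x10000; Name = 'DELETE' }
    @{ Sddl = 'RC'; Bit = 0x20000; Name = 'READ_CONTROL' }
    @{ Sddl = 'WD'; Bit = 0x40000; Name = 'WRITE_DAC' }
    @{ Sddl = 'WO'; Bit = 0x80000; Name = 'WRITE_OWNER' }
)

function Get-ServiceSddl([string]$ServiceName) {
    # 'sc' alone is an alias for Set-Content in PowerShell, hence sc.exe.
    # sdshow prints an empty line first, so keep only the non-blank output.
    $out = & sc.exe sdshow $ServiceName | Where-Object { $_.Trim() }
    if ($LASTEXITCODE -ne 0) { throw "sc.exe sdshow $ServiceName failed: $out" }
    ($out -join '').Trim()
}

function ConvertFrom-ServiceSddl([string]$Sddl) {
    # Let .NET parse the string; each DACL entry comes back as a CommonAce
    # carrying the trustee SID and the raw access mask.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        $granted = $ServiceRights | Where-Object { $ace.AccessMask -band $_.Bit }
        try   { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $ace.SecurityIdentifier.Value }
        [pscustomobject]@{
            Principal = $who
            Type      = $ace.AceType
            Mask      = '0x{0:X}' -f $ace.AccessMask
            Tokens    = -join $granted.Sddl
            Rights    = $granted.Name -join ', '
        }
    }
}

function Add-ServiceReadAce {
    # Returns the SDDL with one extra allow ACE for $Sid carrying exactly the
    # five rights the post lists for Backup Operators (CC LC SW LO RC): enough
    # to query config and status, nothing that starts, stops or reconfigures.
    # Nothing is written unless -Apply is given.
    param(
        [Parameter(Mandatory)][string]$ServiceName,
        [string]$Sid = 'S-1-5-19',   # NT AUTHORITY\LOCAL SERVICE, what the post runs NSClient++ as
        [switch]$Apply
    )
    $current = Get-ServiceSddl $ServiceName
    if ($current -notmatch '^D:[A-Z]*') { throw "Unexpected SDDL for ${ServiceName}: $current" }
    $new = $current -replace '^(D:[A-Z]*)', ('$1' + "(A;;CCLCSWLORC;;;$Sid)")
    $null = New-Object System.Security.AccessControl.RawSecurityDescriptor($new)  # throws if malformed
    if ($Apply) {
        & sc.exe sdset $ServiceName $new | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "sc.exe sdset $ServiceName failed" }
    }
    $new
}

# Constructed sample mirroring the post: Administrators and LocalSystem get
# everything, Backup Operators (BO) the five read-type rights.
$sample = 'D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLORC;;;BO)'
ConvertFrom-ServiceSddl $sample | Format-Table -AutoSize

# On a domain controller, from an elevated prompt:
#   ConvertFrom-ServiceSddl (Get-ServiceSddl NTDS)
#   Add-ServiceReadAce NTDS          # shows the proposed descriptor
#   Add-ServiceReadAce NTDS -Apply   # writes it with sc.exe sdset
```

The new ACE is inserted at the front of the DACL, so it sits ahead of any deny entries only if none exist; on a stock service descriptor there are none. Back up the original string from sdshow before applying, since sdset replaces the whole DACL and there is no undo other than setting the old value again.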

Cross sign certificates with Windows PKI

Last year I wrote a blog article about how to trust somebody else’s root certificate with name restrictions. This allows you to trust a vendor/partner/etc. root certificate without giving them the possibility to spoof Google or any other company they shouldn’t sign for.

The same notice applies to this post: not all operating systems honor name constraints, so if you are running mostly macOS machines this won’t help that much.

So let’s get going.

The simple solution:

  1. Get the root certificate from the vendor/partner
  2. Create a CSR from that certificate
  3. Verify the CSR
  4. Sign the CSR with name constraints
  5. Push the cross-signed (intermediate) certificate to the clients; automatic on Windows when the correct template is used.

[Read more…]

Guessing the locale of a logfile

I got a question about my DNS Debug script, which parses the DNS log file so it is easier to find out what is happening in DNS. A nice guy was having issues with a log file, so he sent over a few rows.

Okay, let’s be honest, it took me a while to get around to it. There is a thing called Corona making all the headlines right now 🙁

Anyway, since he sent it in on 6 March 2020, I had a good guess that the date format was day first (dd.MM.yyyy). But that alone didn’t tell me which culture. So I sent Marc a message, but then I thought: I know that Windows knows about 428 locales. I’m in quarantine anyway, I can do this. Then I thought again: I have a computer with PowerShell.

And these are the 52 entries I got:

Name        DisplayName                              ShortDatePattern
az          Azerbaijani                              dd.MM.yyyy
az-Cyrl     Azerbaijani (Cyrillic)                   dd.MM.yyyy
az-Cyrl-AZ  Azerbaijani (Cyrillic, Azerbaijan)       dd.MM.yyyy
az-Latn     Azerbaijani (Latin)                      dd.MM.yyyy
az-Latn-AZ  Azerbaijani (Latin, Azerbaijan)          dd.MM.yyyy
cs          Czech                                    dd.MM.yyyy
cs-CZ       Czech (Czech Republic)                   dd.MM.yyyy
de          German                                   dd.MM.yyyy
de-AT       German (Austria)                         dd.MM.yyyy
de-CH       German (Switzerland)                     dd.MM.yyyy
de-DE       German (Germany)                         dd.MM.yyyy
de-LI       German (Liechtenstein)                   dd.MM.yyyy
de-LU       German (Luxembourg)                      dd.MM.yyyy
et          Estonian                                 dd.MM.yyyy
et-EE       Estonian (Estonia)                       dd.MM.yyyy
fo          Faroese                                  dd.MM.yyyy
fo-FO       Faroese (Faroe Islands)                  dd.MM.yyyy
fr-CH       French (Switzerland)                     dd.MM.yyyy
gsw         Alsatian                                 dd.MM.yyyy
hy          Armenian                                 dd.MM.yyyy
hy-AM       Armenian (Armenia)                       dd.MM.yyyy
it-CH       Italian (Switzerland)                    dd.MM.yyyy
ka          Georgian                                 dd.MM.yyyy
ka-GE       Georgian (Georgia)                       dd.MM.yyyy
kk          Kazakh                                   dd.MM.yyyy
kk-KZ       Kazakh (Kazakhstan)                      dd.MM.yyyy
lv          Latvian                                  dd.MM.yyyy
lv-LV       Latvian (Latvia)                         dd.MM.yyyy
nb          Norwegian (Bokmål)                       dd.MM.yyyy
nb-NO       Norwegian, Bokmål (Norway)               dd.MM.yyyy
nn          Norwegian (Nynorsk)                      dd.MM.yyyy
nn-NO       Norwegian, Nynorsk (Norway)              dd.MM.yyyy
no          Norwegian                                dd.MM.yyyy
pl          Polish                                   dd.MM.yyyy
pl-PL       Polish (Poland)                          dd.MM.yyyy
ro          Romanian                                 dd.MM.yyyy
ro-MD       Romanian (Moldova)                       dd.MM.yyyy
ro-RO       Romanian (Romania)                       dd.MM.yyyy
ru          Russian                                  dd.MM.yyyy
ru-MD       Russian (Moldova)                        dd.MM.yyyy
ru-RU       Russian (Russia)                         dd.MM.yyyy
sah         Sakha                                    dd.MM.yyyy
sah-RU      Sakha (Russia)                           dd.MM.yyyy
sma-NO      Sami, Southern (Norway)                  dd.MM.yyyy
smj-NO      Sami, Lule (Norway)                      dd.MM.yyyy
tg          Tajik                                    dd.MM.yyyy
tg-Cyrl     Tajik (Cyrillic)                         dd.MM.yyyy
tg-Cyrl-TJ  Tajik (Cyrillic, Tajikistan)             dd.MM.yyyy
tt          Tatar                                    dd.MM.yyyy
tt-RU       Tatar (Russia)                           dd.MM.yyyy
uk          Ukrainian                                dd.MM.yyyy
uk-UA       Ukrainian (Ukraine)                      dd.MM.yyyy

So once I had the list I could just try a locale from it, and it worked. I later learned that the server was a German one with the locale de-DE.

But now I know how to easily see which locale it might be 🙂

Overheads getting a member

A while ago I wrote a blog entry about different ways of obtaining the hostname. When I wrote that one I wondered how much the different ways of accessing a member value differ in cost. So this is a blog entry about that. There are different overheads depending on how you get at an object’s member. To illustrate this I have made a single WMI query and saved it in a variable, from which we will now get the name of the computer.

First, let’s get the WMI object:

So now we have the WMI object in the variable $wmics. So how do we get the name? Well, there are a few ways, all giving the same answer.
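To make the overhead visible rather than argued about, the following added example (not the post’s own code) fetches the object once, reads Name from it five different ways and times each over many iterations. It assumes Windows PowerShell 5.1, where Get-WmiObject still exists as in the post; on PowerShell 7 the equivalent is Get-CimInstance, and the WMI-specific GetPropertyValue() variant becomes $cs.CimInstanceProperties['Name'].Value.

```powershell
# Added example, not the post's code: one WMI object, the same member read
# several ways, each timed. Windows PowerShell 5.1 (Get-WmiObject).
$wmics = Get-WmiObject -Class Win32_ComputerSystem

# Each entry is a script block that returns the computer name.
$ways = [ordered]@{
    'dot property'                  = { $wmics.Name }
    'PSObject.Properties[..].Value' = { $wmics.PSObject.Properties['Name'].Value }
    'GetPropertyValue() (WMI)'      = { $wmics.GetPropertyValue('Name') }
    'Select-Object -ExpandProperty' = { $wmics | Select-Object -ExpandProperty Name }
    'ForEach-Object Name'           = { $wmics | ForEach-Object Name }
}

function Measure-MemberAccess([int]$Iterations = 5000) {
    foreach ($label in $ways.Keys) {
        $sb = $ways[$label]
        $null = & $sb                       # warm-up: pay the first-call cost outside the timer
        $elapsed = Measure-Command { for ($i = 0; $i -lt $Iterations; $i++) { $null = & $sb } }
        [pscustomobject]@{
            Method        = $label
            Value         = & $sb
            MicrosPerCall = [math]::Round($elapsed.TotalMilliseconds * 1000 / $Iterations, 2)
        }
    }
}

Measure-MemberAccess | Sort-Object MicrosPerCall | Format-Table -AutoSize
```

The Value column is there to confirm all five really return the same string; the ordering of MicrosPerCall is what the post is about. Pipeline variants pay for cmdlet invocation on every call, which is why they end up at the bottom no matter how cheap the property itself is.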

[Read more…]

Converting from Two’s complement using powershell

So first, what is two’s complement? Super-simple simplification: it is how the MSB (most significant bit) is used to mark whether the number is positive or negative. For the complete and technical version, please read the Wikipedia article.

So why do I need this? Well, in most cases you don’t. But sometimes you get an int that should have been unsigned but was mangled, so you need a way to convert it back to its true form. This cmdlet does that. Of course you could also just use the class System.BitConverter the same way the cmdlet does.

Using the BitConverter to convert [int16] -1 to [uint16]:

For those who want to include a simple way of doing that in their profiles etc., I wrote a script.

What it does: it takes the input named Integer (also the first positional argument) and does its magic. I will show it with an int16 with the value -32000 that should have been an unsigned int.
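The following is an added example along the same lines, not the post’s script: a pair of functions that reinterpret the bytes of a signed integer as the unsigned type of the same width and back. A plain cast such as [uint16]-32000 throws, because PowerShell converts the value; BitConverter copies the bit pattern, and the sixteen bits 0x8300 read as -32000 signed and 33536 unsigned. The function and parameter names are mine.

```powershell
# Added example, not the post's script. Undo two's-complement mangling by
# keeping the bytes and changing the type, in both directions.

function ConvertTo-Unsigned {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline, Position = 0)]$Integer)
    process {
        switch ($Integer.GetType().Name) {
            'SByte' { [byte]($Integer -band 0xFF) }   # GetBytes has no SByte overload, so mask instead
            'Int16' { [System.BitConverter]::ToUInt16([System.BitConverter]::GetBytes([int16]$Integer), 0) }
            'Int32' { [System.BitConverter]::ToUInt32([System.BitConverter]::GetBytes([int32]$Integer), 0) }
            'Int64' { [System.BitConverter]::ToUInt64([System.BitConverter]::GetBytes([int64]$Integer), 0) }
            default { throw "Expected a signed integer, got $($Integer.GetType().Name)" }
        }
    }
}

function ConvertTo-Signed {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline, Position = 0)]$Integer)
    process {
        switch ($Integer.GetType().Name) {
            'Byte'   { if ($Integer -gt 127) { [sbyte]([int]$Integer - 256) } else { [sbyte]$Integer } }
            'UInt16' { [System.BitConverter]::ToInt16([System.BitConverter]::GetBytes([uint16]$Integer), 0) }
            'UInt32' { [System.BitConverter]::ToInt32([System.BitConverter]::GetBytes([uint32]$Integer), 0) }
            'UInt64' { [System.BitConverter]::ToInt64([System.BitConverter]::GetBytes([uint64]$Integer), 0) }
            default  { throw "Expected an unsigned integer, got $($Integer.GetType().Name)" }
        }
    }
}

# The parentheses matter: without them PowerShell would pass the literal
# string "[int16]-1" instead of a typed value.
ConvertTo-Unsigned ([int16]-1)
ConvertTo-Unsigned ([int16]-32000)
[int32]-536805376 | ConvertTo-Unsigned
ConvertTo-Signed ([uint16]33536)
```

For negative inputs the unsigned result is always the input plus 2 to the power of the bit width, so -1 comes back as 65535 and -32000 as 33536; the BitConverter route just avoids having to know the width yourself.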


Debuggex saved my sanity

When fiddling around with the regexes in my DNS Debug module I almost went mad before finding this tool: https://www.debuggex.com/.

I just want to give them the credit they deserve. They make understanding and following a regex doable.


[screenshot of Debuggex in action]

You enter your regex and some sample data and it visualizes what is happening.

Partially trusting somebody else’s Certificate Root (Cross sign)

So when I go to a customer it isn’t that unusual that they have a certificate authority they use for internal systems. But I don’t want to install their CA as a trusted CA on my laptop. Who knows what they have been up to.

There are some kinks. Not all SSL implementations support, or care about, the nameConstraints extension I am using. But luckily for me Windows does. So I have my own CA that I use to sign all my customers’ CAs and limit them to the domains I see fit.

So first of all, let’s get OpenSSL installed on your machine. Go to Shining Light Productions; now you might ask why not take it from the source, OpenSSL. The reason is that the OpenSSL project does not distribute compiled versions, so you can either get the source and compile it, or get it from Shining Light and be happy.

Now let’s start with creating our own private CA and key. We will install this one on our machine as a root CA. The key we need to keep if we want to sign other CAs down the road. Also, if anyone gets your key they can create fake certificates to trick you, so putting it on your homepage is a bad idea.
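The whole procedure, covering both this post and the five steps listed in “Cross sign certificates with Windows PKI” above, as an added example that is not the post’s own commands: a throw-away lab that creates our private root, a stand-in vendor root, a cross-signed copy of the vendor root restricted to example.com, and a verify run showing a vendor-issued certificate for another domain being rejected through that chain. The vendor’s private key is generated here only so the last step can issue test leaves; from a real vendor you get just the certificate, and step 3 does not need their key. It assumes openssl.exe (the Shining Light build will do) on PATH; the file names and example.com are assumptions.

```powershell
# Added example, not the post's own commands: cross-sign lab with a name
# constraint, then prove the constraint holds. Assumes openssl.exe on PATH.
$lab = Join-Path $env:TEMP 'crosssign-lab'
New-Item -ItemType Directory -Force -Path $lab | Out-Null
Push-Location $lab

@'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder, overridden by -subj

[ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[cross]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
nameConstraints = critical, permitted;DNS:.example.com, permitted;DNS:example.com
'@ | Set-Content -Path lab.cnf -Encoding ascii

function Invoke-OpenSsl {
    # Run openssl.exe and stop on a non-zero exit code (it chats on stderr
    # even when all is well, so only the exit code is checked).
    & openssl @args
    if ($LASTEXITCODE -ne 0) { throw "openssl $($args -join ' ') failed with exit code $LASTEXITCODE" }
}

# 1. Our own root. Keep my-root.key private; whoever holds it can mint
#    certificates your laptop will trust.
Invoke-OpenSsl req -x509 -config lab.cnf -extensions ca -newkey rsa:2048 -nodes -days 3650 `
    -subj '/CN=My Private Root' -keyout my-root.key -out my-root.pem

# 2. Stand-in for the vendor/partner root you were handed (constructed).
Invoke-OpenSsl req -x509 -config lab.cnf -extensions ca -newkey rsa:2048 -nodes -days 3650 `
    -subj '/CN=Vendor Internal CA' -keyout vendor-root.key -out vendor-root.pem

# 3. Cross-sign. "x509 -CA" re-issues the input certificate (same subject,
#    same public key) with our root as issuer; -clrext drops the vendor's own
#    extensions so only the [cross] set, with the name constraint, remains.
#    The vendor's private key is not needed for this step.
Invoke-OpenSsl x509 -in vendor-root.pem -clrext -CA my-root.pem -CAkey my-root.key -CAcreateserial `
    -days 3650 -extfile lab.cnf -extensions cross -out vendor-cross.pem

function New-VendorLeaf([string]$Name) {
    # What the vendor's CA would hand out for a host; only possible here
    # because the lab has vendor-root.key.
    "subjectAltName = DNS:$Name" | Set-Content -Path "$Name.cnf" -Encoding ascii
    Invoke-OpenSsl req -new -config lab.cnf -newkey rsa:2048 -nodes -subj "/CN=$Name" `
        -keyout "$Name.key" -out "$Name.csr"
    Invoke-OpenSsl x509 -req -in "$Name.csr" -CA vendor-root.pem -CAkey vendor-root.key `
        -CAcreateserial -days 30 -extfile "$Name.cnf" -out "$Name.pem"
    "$Name.pem"
}

function Test-ChainThroughCross([string]$LeafFile) {
    # Chain: leaf -> vendor-cross.pem (untrusted intermediate) -> my-root.pem.
    # The vendor's self-signed root is deliberately absent, so the only path
    # runs through the constrained cross-certificate.
    & openssl verify -CAfile my-root.pem -untrusted vendor-cross.pem $LeafFile
    $LASTEXITCODE -eq 0
}

$inScope    = New-VendorLeaf 'www.example.com'
$outOfScope = New-VendorLeaf 'www.google.com'
"www.example.com accepted: $(Test-ChainThroughCross $inScope)"
"www.google.com accepted:  $(Test-ChainThroughCross $outOfScope)"
Pop-Location
```

On the laptop, my-root.pem goes into the Trusted Root store and vendor-cross.pem into Intermediate Certification Authorities (Import-Certificate with Cert:\LocalMachine\Root and Cert:\LocalMachine\CA, from an elevated prompt); Windows then chains vendor-issued certificates through the constrained cross-certificate. The restriction only holds as long as the vendor’s own self-signed root is not also in a trusted root store on that machine, since a chain ending there carries no constraint at all.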

[Read more…]

Maximum number of allowed sessions reached. Juniper SRX

So I was working from a locked-down Windows server at a remote site, and then I had issues with Edge and Internet Explorer. In the end I had used up all the sessions in the firewall. I didn’t want to wait until my sessions got disconnected. So what to do?

maximum number of allowed sessions reached

So let’s fix this. First log into the firewall using SSH, then start the CLI using the command ‘cli’.

First let’s list which users are currently connected, just to make sure we know who we are kicking out.

So now we know when I managed to screw this up and from where, but does that really help? Then we can go ahead and kick the sessions one by one, or all at once. The following options exist and can use the data from above.


Sometimes I don’t like you, System.Security.AccessControl.FileSystemAccessRule

I’m writing my own little module to help remove SID histories on mainly file servers. But I’m thinking about throwing in stuff about SharePoint and local groups too. Many people forget to change the ACLs after using SID history, which means they are stuck with the SID history entries.

So what has that to do with FileSystemAccessRule? In my first incarnation I was manually modifying the SDDL. This worked, but I felt that PowerShell must be able to do this better.

So I gave it some thought. Then I tried to re-implement it using Get-Acl, which returns a System.Security.AccessControl.FileSystemSecurity. Perfect, but there are some issues.

I have a perfect example here:

This went without a hitch.

So lets see how .NET interprets the only ACE in the ACL above:

Well, that didn’t really look like what I wanted. We gave it SDGXGWGR and got -536805376.
SDGXGWGR should have given us: Delete, Generic Execute, Generic Write, Generic Read. The number is exactly those four bits read as a signed 32-bit integer: SD is 0x10000, GX 0x20000000, GW 0x40000000 and GR 0x80000000, together 0xE0010000, which is -536805376 once the top bit counts as the sign. FileSystemRights has no members for the three generic bits, so .NET has nothing better to print than the raw value.

Okay, but perhaps it is just a display glitch. Let’s try to create an ACE using the data in the $ACL variable.

So now let’s create a grant rule with the same permissions for the BUILTIN\Administrators group.

So for now I will continue to parse my SDDL as strings in my Remove Sid History module.
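There is a middle road between string-parsing SDDL and fighting FileSystemAccessRule: translate the generic bits into the file-specific rights the kernel maps them to, after which FileSystemRights has a name for every bit. The following is an added example, not code from the post’s module. The SDDL is a constructed stand-in for the post’s $ACL (one allow ACE for BUILTIN\Administrators); the trustee, the inheritance flags and the function names are assumptions.

```powershell
# Added example, not the post's module code: why SDGXGWGR shows up as
# -536805376, what it means on a file-system object, and how to turn it into
# a FileSystemAccessRule.

# GENERIC_* -> FILE_* mapping the kernel applies to file-system objects.
# Decimal on the left because hex literals above 0x7FFFFFFF are not parsed
# the same way in every PowerShell version.
$GenericToFile = @(
    @{ Token = 'GR'; Generic = 2147483648; File = 0x120089 }   # GENERIC_READ    -> FILE_GENERIC_READ
    @{ Token = 'GW'; Generic = 1073741824; File = 0x120116 }   # GENERIC_WRITE   -> FILE_GENERIC_WRITE
    @{ Token = 'GX'; Generic = 536870912;  File = 0x1200A0 }   # GENERIC_EXECUTE -> FILE_GENERIC_EXECUTE
    @{ Token = 'GA'; Generic = 268435456;  File = 0x1F01FF }   # GENERIC_ALL     -> FILE_ALL_ACCESS
)

function ConvertTo-FileSystemRights([int]$AccessMask) {
    # .NET keeps the mask as a signed Int32, so a set GR bit (0x80000000)
    # makes the whole value negative. Undo the two's complement, then swap
    # each generic bit for its file-specific equivalent.
    [int64]$mask = $AccessMask
    if ($mask -lt 0) { $mask += 4294967296 }
    foreach ($g in $GenericToFile) {
        if ($mask -band $g.Generic) { $mask = ($mask -bxor $g.Generic) -bor $g.File }
    }
    [System.Security.AccessControl.FileSystemRights][int]$mask
}

function Get-DaclEntries([string]$Sddl) {
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        [pscustomobject]@{
            Sid          = $ace.SecurityIdentifier.Value
            RawMask      = $ace.AccessMask
            AsDotNetSees = [System.Enum]::ToObject([System.Security.AccessControl.FileSystemRights], $ace.AccessMask)
            Mapped       = ConvertTo-FileSystemRights $ace.AccessMask
            Inheritance  = $ace.InheritanceFlags
        }
    }
}

# Constructed: what an SDDL carrying the post's ACE could look like on a folder.
$sddl = 'D:(A;OICI;SDGXGWGR;;;BA)'
$entries = Get-DaclEntries $sddl
$entries | Format-List

# Build the rule .NET is happy with: specific rights instead of generic ones.
$rights = ConvertTo-FileSystemRights $entries[0].RawMask
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new('BUILTIN\Administrators', $rights,
    'ContainerInherit, ObjectInherit', 'None', 'Allow')
$rule | Format-List IdentityReference, FileSystemRights, InheritanceFlags, AccessControlType
```

The mapped mask is 0x1301BF, which FileSystemRights prints as Modify, Synchronize, so that is what Set-Acl will write back. It grants the same access on a file or folder, but the stored ACE now carries the specific bits rather than SD GX GW GR, so a module that compares SDDL strings before and after will see a difference where Windows sees none.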

A short story about date formats

So I was updating my script to read DNS debug logs. I had gotten some comments on it in the TechNet Gallery, so I wanted to include all of them in the script for easier usage.

This is when I realized how many variations there are of the ShortDatePattern used in the local cultures. Microsoft uses the local culture in the DNS debug log, big sadness. So how many cultures are there?

Okay, with 428 different possible cultures I don’t think I will go through them one by one. So let’s just list all cultures and their ShortDatePattern and see if we see anything [Read more…]
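The listing this post starts, and the search for matching cultures in “Guessing the locale of a logfile” above, are the same enumeration, so one added example (not the post’s script) serves both: it lists every culture Windows knows with its ShortDatePattern, counts the distinct patterns, and then feeds the date from a DNS debug log line through all of them to see which cultures could have written it. The log line is a constructed sample in the dns.log layout, and the culture count you get depends on the Windows version.

```powershell
# Added example, not the post's script: enumerate cultures and their short
# date patterns, then find the cultures that can parse a given log date.

function Get-CultureShortDate {
    [System.Globalization.CultureInfo]::GetCultures('AllCultures') | ForEach-Object {
        [pscustomobject]@{
            Name             = $_.Name
            DisplayName      = $_.DisplayName
            ShortDatePattern = $_.DateTimeFormat.ShortDatePattern
        }
    }
}

function Get-ShortDatePatternSummary {
    # How many cultures there are and how many distinct ways they write a short date.
    $all = Get-CultureShortDate
    $byPattern = $all | Group-Object ShortDatePattern
    [pscustomobject]@{
        Cultures = $all.Count
        Patterns = $byPattern.Count
        Top      = $byPattern | Sort-Object Count -Descending | Select-Object -First 10 Count, Name
    }
}

function Find-CultureForDate {
    # Every culture whose own ShortDatePattern parses $DateText. This is
    # looser than comparing pattern strings: cultures with d.M.yyyy accept
    # 06.03.2020 as well, so the result is a superset of the 52 dd.MM.yyyy
    # entries in the table of the earlier post.
    param([Parameter(Mandatory)][string]$DateText)
    foreach ($c in Get-CultureShortDate) {
        $culture = [System.Globalization.CultureInfo]::GetCultureInfo($c.Name)
        $parsed  = [datetime]::MinValue
        $ok = [datetime]::TryParseExact($DateText, $c.ShortDatePattern, $culture,
                                        [System.Globalization.DateTimeStyles]::None, [ref]$parsed)
        if ($ok) { $c | Add-Member -NotePropertyName Parsed -NotePropertyValue $parsed -PassThru }
    }
}

Get-ShortDatePatternSummary

# Constructed DNS debug log line, in the layout dns.log uses, as a de-DE
# server would write it. The first whitespace-separated token is the date.
$logLine  = '06.03.2020 14:02:11 0A1C PACKET  000001D5C2B2A7A0 UDP Rcv 10.0.0.5       0002   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)'
$dateText = ($logLine -split '\s+')[0]
Find-CultureForDate $dateText | Format-Table Name, DisplayName, ShortDatePattern, Parsed -AutoSize
```

Parsing rather than string-matching matters when the log only gives you a handful of lines: a single date like 06.03.2020 is compatible with more patterns than the one you first guess, and only a line with a day above 12 or a month above 12 pins the order down. Once a culture is chosen, the same TryParseExact call with that culture is what the log parser should use for every line, instead of relying on whatever culture the machine running the script happens to have.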