Why can't I read the status of NTDS (Active Directory Domain Services) without elevation

I don’t like anything running with more privileges than needed. So, as I am too cheap to buy a real monitoring solution, I went for Nagios Core. Nagios can't really do checks on Windows by itself (out of the box). Most people seem to be running nsclient++ to do the real check over NRPE. Of course we can do more magic with RPC etc. if we want.

So back to the story. I let nsclient++ run as LocalService instead. Much rejoicing later: why had some simple checks become broken?

One thing that broke was the possibility of checking services on our domain controllers.

So I logged on to the domain controller and started a cmd.exe window without escalating my permissions.

So why didn’t I just run PowerShell? Sometimes older things work better; PowerShell gave me this:

So instead of getting an Access denied, I got "there is no spoon". Sorry, I meant service. So what is happening? Let's dig in, shall we? By running cmd.exe as Administrator we can run more helpful commands:

So what does this mean? CCDCLCSWRPWPDTLOCRSDRCWDWO = what? Well, to be honest it is just every value that can exist. So just look at the table of SDDL permissions for services.

String  Hex      Name                           Name in GUI
CC      0x0001   SERVICE_QUERY_CONFIG           Query template
DC      0x0002   SERVICE_CHANGE_CONFIG          Change template
LC      0x0004   SERVICE_QUERY_STATUS           Query status
SW      0x0008   SERVICE_ENUMERATE_DEPENDENTS   Enumerate dependents
RP      0x0010   SERVICE_START                  Start
WP      0x0020   SERVICE_STOP                   Stop
DT      0x0040   SERVICE_PAUSE_CONTINUE         Pause and continue
LO      0x0080   SERVICE_INTERROGATE            Interrogate
CR      0x0100   SERVICE_USER_DEFINED_CONTROL   User-defined control
SD      0x10000  DELETE                         Delete
RC      0x20000  READ_CONTROL                   Read permissions
WD      0x40000  WRITE_DAC                      Change permissions
WO      0x80000  WRITE_OWNER                    Take ownership

So all of those permissions are granted to “BUILTIN\Administrators” and “LocalSystem”. Backup Operators have a bit fewer permissions, but still a lot compared to the rest of us; they have:

  • SERVICE_QUERY_CONFIG
  • SERVICE_QUERY_STATUS
  • SERVICE_ENUMERATE_DEPENDENTS
  • SERVICE_INTERROGATE
  • READ_CONTROL

But don’t make your monitoring software a member of Backup Operators, because that grants a whole lot more permissions.
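As an added example (not code from the post), here is a small Python decoder for the service SDDL strings discussed above: it names each two-letter right from the table, lists the ACEs in a service's DACL and checks whether a given trustee alias is granted a right. The SDDL it ships with is constructed to match the description (everything for BA and SY, the five read-only rights for BO), not copied from a real NTDS dump; LS is the SDDL alias for LocalService.

```python
import re

# SDDL service-right tokens -> (access-mask bit, Windows constant), taken from the table above.
SERVICE_RIGHTS = {
    "CC": (0x0001, "SERVICE_QUERY_CONFIG"),
    "DC": (0x0002, "SERVICE_CHANGE_CONFIG"),
    "LC": (0x0004, "SERVICE_QUERY_STATUS"),
    "SW": (0x0008, "SERVICE_ENUMERATE_DEPENDENTS"),
    "RP": (0x0010, "SERVICE_START"),
    "WP": (0x0020, "SERVICE_STOP"),
    "DT": (0x0040, "SERVICE_PAUSE_CONTINUE"),
    "LO": (0x0080, "SERVICE_INTERROGATE"),
    "CR": (0x0100, "SERVICE_USER_DEFINED_CONTROL"),
    "SD": (0x10000, "DELETE"),
    "RC": (0x20000, "READ_CONTROL"),
    "WD": (0x40000, "WRITE_DAC"),
    "WO": (0x80000, "WRITE_OWNER"),
}

# One ACE: (type;flags;rights;object_guid;inherit_guid;trustee). Only allow (A) and deny (D) ACEs are handled.
ACE_RE = re.compile(r"\((A|D);([^;]*);([A-Z]*);([^;]*);([^;]*);([^)]*)\)")

# Constructed sample matching the post's description, NOT a real NTDS dump: all rights for
# BUILTIN\Administrators (BA) and LocalSystem (SY), the five read-only rights for Backup Operators (BO).
SAMPLE_SDDL = ("D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)"
               "(A;;CCLCSWLORC;;;BO)")

def decode_rights(rights):
    """Split a rights string such as CCLCSWLORC into two-letter tokens and name each one."""
    tokens = [rights[i:i + 2] for i in range(0, len(rights), 2)]
    if len(rights) % 2 or any(t not in SERVICE_RIGHTS for t in tokens):
        raise ValueError(f"not a valid service-rights string: {rights}")
    return [SERVICE_RIGHTS[t][1] for t in tokens]

def parse_dacl(sddl):
    """Return (ace_type, trustee, [right names]) for every ACE in the D: part of an SDDL string."""
    dacl = sddl.partition("D:")[2].partition("S:")[0]  # empty if there is no D: part
    return [(m.group(1), m.group(6), decode_rights(m.group(3))) for m in ACE_RE.finditer(dacl)]

def has_right(sddl, trustee, right):
    """Is `right` granted to `trustee`? A deny ACE wins over an allow ACE, as in a Windows access check.
    Simplification: the trustee must appear literally; the account's group memberships are not expanded."""
    allowed = False
    for ace_type, who, rights in parse_dacl(sddl):
        if who == trustee and right in rights:
            if ace_type == "D":
                return False
            allowed = True
    return allowed
```

Feeding the output of `sc sdshow <service>` into `parse_dacl` shows directly which trustee is missing LC (SERVICE_QUERY_STATUS), which is the one right a status check needs.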

Cross sign certificates with Windows PKI

Last year I wrote a blog article about how to trust somebody else’s root certificate with name restrictions. This allows you to trust a vendor/partner/etc. root certificate without giving them the possibility of spoofing Google or any other company they shouldn’t sign for.

The same notice applies to this post: not all operating systems honor name restrictions. So if you are running mostly macOS machines this won’t help that much.

So let’s get going.

The simple solution:

  1. Get root certificate from vendor/partner
  2. Create CSR from certificate
  3. Verify CSR
  4. Sign CSR
  5. Push the intermediate certificate to clients; this is automatic with Windows when the correct template is used.


Convenience rollup KB3125574 with bonus PowerShell [W7 & W2K8R2]

So Microsoft has released a convenience rollup that contains loads of updates.

There are a few issues, especially one connected to vNICs. So they also released a small VBScript to help remove the offending parts from the registry.
But I hate VBScript and love PowerShell, so I rewrote it. It went from 30 lines to 8. I know I can squeeze it into 2 without losing too much readability, but I like it like that.

You can find information about the update at KB3125574. The download is available through the Microsoft Update Catalog (requires IE).

Nothing lasts forever

For the last 3 years I have been employed by Knowledge Factory Consulting AB based here in Stockholm, Sweden. But nothing lasts forever; last year KF was purchased by Advania AB. Working in a small company means that you know everyone, but working at a large company gives you entirely different possibilities. This is change; one of my first consultant companies had an internal motto, “the only constant is change”. You cannot expect things not to change.

Two months ago I turned in my letter of resignation to my boss. At the end of business today I will no longer be affiliated with Knowledge Factory or Advania. I will really miss all the people that made up the company, what it was and what it is. There is no way I can say this without missing everyone. From some of the best technical guys in the business to the management and sales team and Lotta for making sure we got paid. I know I will run into some of you again, I’m not sure where yet though. My best guesses are Microsoft Ignite, at customers or perhaps over an after-work beer.

I will continue to deliver what I do best. For inquiries please contact Toriv AB, just call me or mail [email protected]

During the coming weekend I will try to re-brand everything that I have related to the company on my blog, LinkedIn, Twitter etc.

Using certreq to create self-signed certificates

So sometimes you need to create self-signed certificates in Windows. Sometimes I have done it using OpenSSL; Windows 2012 and later include PowerShell support using New-SelfSignedCertificate. But all versions of Windows include the binaries required to do it natively. It is a two-part thing: first create the INF file and then run certreq using that file.

It will create and sign the certificate. I'm not really sure why it also asks where to store the CSR (Certificate Signing Request), so I just close that dialog.

A super simple self-signed certificate

It does not get any simpler than this. It does not limit the intended purposes of the certificate and does not use a really good key size. Sure, we can make it better by adding some intended purposes and better cryptography.

A better self-signed certificate

But now and then we need the certificate to answer for multiple names, a so-called SAN certificate.

A SAN certificate

Sources

Technet – Certreq

Replace characters in Exchange [Nordic]

I have seen in a few smaller companies that they turn off “Automatically update e-mail addresses based on e-mail address policy”. Most reasons are really bad reasons. I have heard that they want all email addresses in lowercase, or that they think Microsoft shouldn’t translate the Swedish character Ö to OE. There is a perfectly good solution to do this using the email address policy too.

Enter replacements

At the beginning of the row you can write which characters you want replaced: that all uppercase A should become lowercase, or that an Ö should become a regular O. So how do we do this? Using the magic of %r<In><Out>. I have a default one I use, but I needed to update it since I got a customer request that I thought was good for the future too. My default is now as follows:

Avoid setting up a domain trust for a single user's needs

I found a question on the Microsoft TechNet Forums: how can I allow a user to use ERP software in another domain without using his credentials?

This solution does not actually grant the local user account any rights, but stores the remote domain username/password for the user so the user doesn’t get prompted for them all the time.

Using CMDKEY to add a username/password for an alternative domain


Recover deleted files/folders on a Workstation

So you have managed to delete some files/folders. Or perhaps even the wrong profile by scripting.

  • First rule of recovery: Don’t write to the hard drive you want to recover data from. If possible, shut off the computer until you have a plan.
  • Second rule of recovery: Don’t forget to take backups.
  • Third rule of recovery: Backups are only as good as the last restore test.

There are a couple of ways to recover data that has been deleted but not yet overwritten, but this blog post is about one method. This method requires the System Restore to be enabled. A little list of options:

  • Restore using your backup. There is no replacement for a good backup.
  • Restore using this method (Shadow Copy).
  • Restore using data recovery software.
  • Restore using a data recovery company, for example IBAS.

So how do we restore deleted files from a workstation using the Windows Shadow Copy Service?

Trust my site

A colleague of mine, Ola Johansson, wrote a blog entry about getting free SSL certificates from StartSSL. So I thought this was a good time to make sure my site was TLS enabled. Let's stop calling it SSL, since all SSL versions are considered insecure due to different vulnerabilities.

So I have implemented TLS both on my main host and my CDN. Now you can browse my site and trust that you have received an unmodified copy. Also, that Google said it considers HTTPS availability a ranking signal might have helped too.

virot.eu via HTTPS showing certificate information


Removing features from a Specops Deploy/OS Reference image

In an article I just wrote, I showed how to add features while installing. Now we are doing it the other way around: removing features.

This one is even simpler than adding features: one new custom property and one new task sequence entry.