Andrew Healey's Blog » windows

vbScript: Quickly determine architecture

Andrew — Tue, 20 Jul 2010 18:10:11 +0000

I’ve been using a routine to determine 64-bit v 32-bit workstations for some time checking the registry for the PROCESSOR_ARCHITECTURE in the HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment path. However, this was proving to be error prone. So, I just gave up that method altogether since all Windows x64 editions have a “%SystemDrive%\Program Files (x86)” directory. This makes it just a quick and easy call the folderexists method of the filesystemobject.

The only downside is that can’t be used remotely but since most of my scripts are used in local policies, this shouldn’t be an issue.

Cheers!

Private Function is64bit()
	Dim filesys : Set filesys = CreateObject("Scripting.FileSystemObject")
	Dim bln64bit : bln64bit = False
	If filesys.FolderExists("C:\Program Files (x86)") then bln64bit = True
	is64bit = bln64bit
End Function

Part 1: Blocking Bad Hosts – Finding Them, Easily

Andrew — Tue, 22 Dec 2009 07:19:13 +0000

Download Script: get-bad-hosts.zip

While troubleshooting some issues on an OWA Front-End server, I went over to the security log to see if the authentication attempts were getting past this box. The problem I found was the log was so full of failed logon attempts it was difficult to filter out what I was looking for. In a twelve hour period, there were thousands of 529 events in the security log. Now, I know this is nothing new, but I found a few patterns. I manually exported the log to a CSV, parsed out all the source ip addresses and opened it up in Excel. What I found was that 98.7% of failed logon attempts were made by just four different ip addresses. (I recommend using MaxMind’s GeoIP Address Locator for help in determining where the source addresses are located.)

The easy fix is to setup an IPSec policy to block all traffic coming from those addresses. And I did just that. There are many different methods to blocking bad hosts. And, anybody who has dealt with this knows, they will come back. Just from different addresses.

One other piece I was able to get from this is that there are several of our users whom have fat fingered their passwords within ActiveSync (or they just have it setup wrong). And then there are those users who have forgotten their domain, e-mail address, username, etc.

This is step one in my project to automate the blocking of bad hosts. My goal is to build an automated method for blocking hosts with a high percentage of bad logon attempts within n hours. And, even if I can’t get it 100% automated, this first whack at it took my bad logon attempts from 800 per hour to 25 per hour; nearly a 97% improvement! And, a lot less crap to sift through when troubleshooting real issues.

So, my first goal is to automate a method of extracting the data I want from the event log. (The script can be found below.) The most important piece of data is the source ip address. However, the other pieces of data I decided to extract could be helpful in determining the legitimacy of the logon failure.

To get the data, simply download the script and run “cscript /nologo get-bad-hosts.vbs > bad-hosts.csv” (w/o the quotes). You can then open the file in Excel, do a quick pivot-table and identify the source addresses with the most hits. At that point, you can add the host (or address block) to an ipsec policy to block all traffic from that address.

In my next post, I’ll explain the details in setting up a quick ipsec policy to block the bad guys. Cheers!

'==========================================================================
' VBScript Source File
' NAME: get-bad-hosts.vbs
' AUTHOR: Andrew J Healey
' WEB: http://halfloaded.com/
' DATE  : Dec 21 2009
' COMMENT: This script will return data in csv format for use in determining
'	hack, lockout or bad logon attempts
' PROCESS: 1) query event log for event id 529; 2) parse data to return
'	useful data; 3) output to screen
' USAGE: cscript /nologo get-bad-hosts.vbs c:\bad-hosts.csv
'==========================================================================
 
Option Explicit
On Error Resume Next
 
Dim strComputer, objWMIService, colLoggedEvents
Dim objEvent, objRegEx, colMatches, strMatch
Dim strUserName, strWorkstation, strIPAddress, strDomain
 
'Change to name of computer to query remote machine
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    &amp; "{impersonationLevel=impersonate}!\\" &amp; strComputer &amp; "\root\cimv2")
 
'Event 529 in the security log are "Failure Audit" for a "Logon/Logoff"
Set colLoggedEvents = objWMIService.ExecQuery _
        ("Select * from Win32_NTLogEvent Where Logfile = 'Security' and " _
            &amp; "EventCode = '529'")
 
'Write header to screen
wscript.echo chr(34) &amp; "User Name" &amp; chr(34) &amp; "," &amp; _
			 chr(34) &amp; "Workstation" &amp; chr(34) &amp; "," &amp; _
			 chr(34) &amp; "Source IP" &amp; chr(34) &amp; "," &amp; _
			 chr(34) &amp; "Windows Domain" &amp; chr(34) &amp; "," &amp; _
			 chr(34) &amp; "Date/Time" &amp; chr(34)
 
'Loop through all events matching criteria above: 529 in sec log
For Each objEvent in colLoggedEvents
	'Use regex to parse any ip addresses from event
	' if no address found, goto next record
	Set objRegEx = CreateObject("VBScript.RegExp")
	objRegEx.Global = True
	objRegEx.IgnoreCase = True
 
	'Will return the line of the user name that was used
	objRegEx.Pattern = "(\tUser Name:.*\n)"
	Set colMatches = objRegEx.Execute(objEvent.Message)
	For Each strMatch in colMatches
	   strUserName = strMatch.Value
	Next
 
	'Will return the line of the workstation name that was used
	objRegEx.Pattern = "(\tWorkstation Name:.*\n)"
	Set colMatches = objRegEx.Execute(objEvent.Message)
	For Each strMatch in colMatches
	   strWorkstation = strMatch.Value
	Next
 
	'Will return the line of the source ip address
	objRegEx.Pattern = "(\tSource Network Address:.*\n)"
	Set colMatches = objRegEx.Execute(objEvent.Message)
	For Each strMatch in colMatches
	   strIPAddress = strMatch.Value
	Next
 
	'Will return the line of the domain that was used
	objRegEx.Pattern = "\tDomain:(.*\n)"
	Set colMatches = objRegEx.Execute(objEvent.Message)
	For Each strMatch in colMatches
	   strDomain = strMatch.Value
	Next
 
	'Output clean csv line for easy reading in spreadsheet program
	wscript.echo chr(34) &amp; GetCleanText(strUserName) &amp; chr(34) &amp; "," &amp; _
				 chr(34) &amp; GetCleanText(strWorkstation) &amp; chr(34) &amp; "," &amp; _
				 chr(34) &amp; GetCleanText(strIpAddress) &amp; chr(34) &amp; "," &amp; _
				 chr(34) &amp; GetCleanText(strDomain) &amp; chr(34) &amp; "," &amp; _
				 chr(34) &amp; WMIDateStringToDate(objEvent.TimeWritten) &amp; chr(34)
Next
 
Private Function GetCleanText(byVal strText)
	'This will cleanup the text and return only necessary data
	' I'm sure there is a better way to do this :)
	dim tmp,txt
	tmp = Split(strText,":")
	txt = tmp(1)
	txt = Replace(txt,vbTab,"")
	txt = Replace(txt,vbCrLf,"")
	txt = Trim(txt)
	GetCleanText = txt
End Function
 
Private Function WMIDateStringToDate(byVal dtmEventDate)
	'Borrowed from the "Hey, Scripting Guy! BLOG"
	' --> Search: WMIDateStringToDate
    WMIDateStringToDate = CDate(Mid(dtmEventDate, 5, 2) &amp; "/" &amp; _
        Mid(dtmEventDate, 7, 2) &amp; "/" &amp; Left(dtmEventDate, 4) _
            &amp; " " &amp; Mid (dtmEventDate, 9, 2) &amp; ":" &amp; _
                Mid(dtmEventDate, 11, 2) &amp; ":" &amp; Mid(dtmEventDate, _
                    13, 2))
End Function

vbScript – List All Members Of Sensitive Groups: Schema, Enterprise and Domain Admins

Andrew — Fri, 13 Mar 2009 19:24:46 +0000

Update 2009.04.16: At the request of a commenter, I added a couple lines to the script that will dump the output to a text file in the root of the C: drive. I also corrected a couple errors in the script.

I was tasked to get a dump of all the users in our Schema Admins, Enterprise Admins and Domain Admins for our Forest. I started thinking about it and realized a couple things. Two of the three groups reside at the forest root while the Domain Admins group exists for every domain in the forest. This meant I would need to enumerate every domain and depending on the domain, enumerate either all three groups or just one.

My thinking was overly complex and I realized this halfway through writing a new script. Using the power of LDAP, I can use a logical “or” (|) statement. When run against a domain, it would always return “Domain Admins” since it will always exist in an AD domain. When it is run against the forest root domain, it would also return the “Enterprise Admins” group and “Schema Admins” group. Here is the LDAP query:

(&(objectCategory=group)(|((name=Enterprise Admins*)(name=Domain Admins*)(name=Schema Admins*))))

At this point, all I need to do is this:

Enumerate all domains in the forest
Loop through each domain
Execute LDAP query against each domain
Loop through LDAP query results
Dump membership of each group

The script below does just that. I hope some find it useful. There is no configuration necessary. You should be able to just run it from your environment as no domain references (or really anything) is hard coded. The only thing you may want to add to or remove from is the LDAP filter. Cheers!

'==========================================================================
' VBScript Source File
' NAME: Active Directory Admin Audit
' AUTHOR: Andrew J Healey
' DATE  : 2009.04.16
' COMMENT: This script will check all the domains within a forest
'		and report all the members of the following groups: Schema
'		Admins, Enterprise Admins and Domain Admins. See notes to
'		expand on the groups.
'==========================================================================

'Define Constants
Const adUseClient = 3
Const ForWriting = 2
 
'Set the path and filename for the dump of sensitive users
'  Folder must exist!
fileTemp = "C:\AD Admin Audit.txt"
 
'Create tmp file and report file
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objTempFile = objFSO.OpenTextFile(fileTemp, ForWriting, True)
 
'Query RootDSE and return array with all AD domains in forest
Set adoComm = CreateObject("ADODB.Command")
Set adoConn = CreateObject("ADODB.Connection")
adoConn.Provider = "ADsDSOObject"
adoConn.cursorLocation = adUseClient
adoConn.Open "Active Directory Provider"
adoComm.ActiveConnection = adoConn
 
Set objRootDSE = GetObject("LDAP://RootDSE")
strBase   =  " & objRootDSE.Get("rootDomainNamingContext") & ">;"
strFilter = "(objectcategory=domainDNS);"
strAttrs  = "distinguishedName;"
strScope  = "subtree"
 
strQuery = strBase & strFilter & strAttrs & strScope
adoComm.CommandText = strQuery
adoComm.Properties("Page Size") = 50
adoComm.Properties("Timeout") = 30
adoComm.Properties("Cache Results") = False
 
Set adoRS = adoComm.Execute
 
'Start Loop
Do Until adoRS.EOF
	'Parse ad search results to create well formed DNS domain
	strDomain = Replace(adoRS.Fields(0).Value,"DC=","")
	strDomain = Replace(strDomain,",",".")
	Call GrpAll(strDomain)
	adoRS.MoveNext
Loop
adoRS.Close
adoConn.Close
wscript.quit
 
Function GrpAll(x)
	'To search for more groups, edit the "strFilter" line. It uses a simple
	' LDAP or (|) so multiple groups can be added. It uses ADO record sets
	' to loop so it doesn't have to find all of them, just one. Every domain
	' will contain at least the Domain Admins group.
	Set adoCommand = CreateObject("ADODB.Command")
	Set adoConnection = CreateObject("ADODB.Connection")
	adoConnection.Provider = "ADsDSOObject"
	adoConnection.cursorLocation = adUseClient
	adoConnection.Open "Active Directory Provider"
	adoCommand.ActiveConnection = adoConnection
 
	strBase   = ";"
	strFilter = "(&(objectCategory=group)(|((name=Enterprise Admins*)" & _
				"(name=Domain Admins*)(name=Schema Admins*))));"
	strAttrs  = "name,member;"
	strScope  = "subtree"
 
	strQuery = strBase & strFilter & strAttrs & strScope
	adoCommand.CommandText = strQuery
	adoCommand.Properties("Page Size") = 5000
	adoCommand.Properties("Timeout") = 30
	adoCommand.Properties("Cache Results") = False
 
	Set adoRecordset = adoCommand.Execute
 
	objTempFile.WriteLine "Group report for domain: " & x
 
	adoRecordset.MoveFirst
 
	Do Until adoRecordset.EOF
	    objTempFile.WriteLine vbTab & adoRecordset.Fields(0).Value
		For Each strMember in adoRecordset.Fields(1).Value
			objTempFile.WriteLine vbTab & vbTab & strMember
		Next
	    adoRecordset.MoveNext
	Loop
 
	adoRecordset.Close
	adoConnection.Close
End Function

SNMP In A Windows Environment

Andrew — Thu, 12 Mar 2009 19:57:55 +0000

The difficult part with managing SNMP via Group Policy is that SNMP is not installed by default. The first step is to install SNMP on all the machines you want to monitor via SNMP. This can be managed a couple ways. The simplest method that I have used is the one Zenoss recommends. If you only have a couple of machines to install SNMP on, it may be easier just to go into the Add/Remove Programs –> Add/Remove Windows Components –> Management and Monitoring Tools –> Simple Network Monitoring Protocol.

Once SNMP is setup, you need to create a custom ADM template to manage the SNMP settings via Group Policy. This sounds more difficult that it really is. The bonus is that once you see it done a time or two, you really start to understand the power in home made ADM templates. I would checkout the mailing list at ActiveDir.org and the information available on petri.co.il. Both of these resources are invaluable for getting things done in Windows and Active Directory.

If you just want to manually control the SNMP settings, just go: Start –> Run –> Services.msc. Select the SNMP service, right click and select Properties and click on the security tab. All your communities can be managed through that tab.

Unfortunately, MS didn’t make SNMP as easy to implement in Windows as *nix environments have. However, setting it up on Windows is a good experience and all the work will pay off in spades once it is complete.

As for monitoring packages, check out Zenoss and Zabbix. I’m all for the open source, service support model of software development and these two have proven it is a viable means of running a productive and profitable software development business.