Wednesday, January 17, 2018

Windows Firewall, determining required ports

Just a quick note on using the built-in Windows tools (plus one Sysinternals utility, PsExec, for remote execution) together with the Windows Firewall log to work out which ports a service actually needs.

For this worked example I am going to communicate with the target server (the server with the firewall) using PsExec for remote execution. You could just as easily work on the server console or use PowerShell remoting.

As usual, I like to explain by real-life example.

A colleague is setting up a Windows Print Server and Microsoft have provided the required protocols and ports to be opened; surprise, surprise, the information is incomplete.

Step One
Examine the Windows Firewall log. By default it resides at:

\\MyServerName\c$\Windows\System32\LogFiles\Firewall\pfirewall.log

Note that logging of dropped packets is off by default. If the file is missing or empty, enable it for the relevant profile first (for example 'Set-NetFirewallProfile -Profile Domain -LogBlocked True', or via the firewall properties GUI) and then reproduce the failure.

We can see that when the engineer tries to remotely install a driver, packets are dropped. In the log it looks like this (I have removed the date and time for brevity).

The field order is given by the '#Fields:' header line at the top of the log; with date and time removed, the fields are action, protocol, source IP, destination IP, source port and then the destination port, which is the one we care about (9001 in both lines below).

DROP TCP 10.150.85.240 10.20.68.183 12387 9001 48 S 4157967098 0 8192 - - RECEIVE
DROP TCP 10.150.85.240 10.20.68.183 12388 9001 48 S 3357802324 0 8192 - - RECEIVE

In this imaginary scenario, it looks like we are dropping TCP 9001 (if you already know what that is, pretend you don't for the sake of this tutorial). So the next step would be to track down what that port is being used for and whether we should be opening it. We need to get onto that server, either:


  • PowerShell
  • Console
  • RDP
  • PSEXEC

First we will run the built-in Windows tool 'netstat' using the syntax:

netstat -ano

Which displays all connections and listening ports. '-a' means show all sockets, including the ones in the LISTENING state; '-n' means show addresses and ports numerically rather than resolving names, which makes the command run much faster; '-o' means display the owning process ID, which is what we want. (From an elevated prompt, '-b' additionally prints the executable name; the PowerShell equivalent is 'Get-NetTCPConnection -LocalPort 9001 | Select-Object OwningProcess'.) The output will look something like this:


Active Connections

Proto Local Address         Foreign Address  State           PID
TCP   0.0.0.0:135           0.0.0.0:0        LISTENING       992
TCP   0.0.0.0:445           0.0.0.0:0        LISTENING       4
TCP   0.0.0.0:5357          0.0.0.0:0        LISTENING       4
TCP   0.0.0.0:5985          0.0.0.0:0        LISTENING       4
TCP   0.0.0.0:8081          0.0.0.0:0        LISTENING       3812
TCP   0.0.0.0:8092          0.0.0.0:0        LISTENING       4
TCP   0.0.0.0:8495          0.0.0.0:0        LISTENING       3812
TCP   0.0.0.0:47001         0.0.0.0:0        LISTENING       4
TCP   0.0.0.0:49664         0.0.0.0:0        LISTENING       680
TCP   0.0.0.0:49665         0.0.0.0:0        LISTENING       884
TCP   0.0.0.0:49666         0.0.0.0:0        LISTENING       1320
TCP   0.0.0.0:49669         0.0.0.0:0        LISTENING       2212
TCP   0.0.0.0:49670         0.0.0.0:0        LISTENING       760
TCP   0.0.0.0:49699         0.0.0.0:0        LISTENING       752
TCP   0.0.0.0:49710         0.0.0.0:0        LISTENING       3812
TCP   0.0.0.0:49713         0.0.0.0:0        LISTENING       760
TCP   10.150.210.201:9001   0.0.0.0:0        LISTENING       42
TCP   10.150.210.201:50495  10.20.104.6:443  ESTABLISHED     10744
TCP   10.150.210.201:50496  10.20.104.6:443  ESTABLISHED     10744
TCP   10.150.210.201:50497  10.20.104.6:443  ESTABLISHED     10744

We can see that port 9001 is being listened on by a process with PID (Process ID) 42. We now need to know what that process is. Use the built-in Windows tool 'tasklist' (it ships with Windows, it is not a Sysinternals tool). Running it bare lists every process; to go straight to the PID use tasklist /FI "PID eq 42", and add /SVC if the owner turns out to be svchost.exe so you can see which services that instance hosts. Bare output looks something like this (I have trimmed it for clarity):

Image Name             PID SessionName    Session# Mem Usage
====================  ==== =============  =======  ===========
System Idle Process      0 Services        0             4 K
System                   4 Services        0         2,764 K
svchost.exe            836 Services        0        23,516 K
svchost.exe            884 Services        0        16,544 K
svchost.exe           1104 Services        0        26,160 K
WUDFHost.exe          1184 Services        0         2,984 K
svchost.exe           1320 Services        0        65,344 K
dasHost.exe           1744 Services        0         6,912 K
svchost.exe           2020 Services        0         6,648 K
hpservice.exe         1256 Services        0         1,144 K
svchost.exe           1080 Services        0         4,808 K
svchost.exe           2156 Services        0         9,364 K
spoolsv.exe             42 Services        0        16,140 K
wrapper.exe           2408 Services        0         2,336 K
mDNSResponder.exe     2424 Services        0         2,832 K

If we examine this list we can see that PID 42 is 'spoolsv.exe', so this all provides us with a set of clues:


  1. When we investigate the source IP of the dropped traffic in the firewall log we discover that it belongs to the workstation we are testing our print server from.
  2. Researching port 9001 reveals it to be the printing port in this imaginary scenario (in real life HP JetDirect raw printing uses TCP 9100, so check the vendor's documentation for the actual number).
  3. spoolsv.exe is the Windows Print Spooler.
So it is a good bet this is something we need to open on the print server's firewall. Open it narrowly, though: inbound only, for spoolsv.exe only, and scoped to the client subnets you saw in the log rather than to any address. The spooler has a long history of remotely exploitable bugs, and the firewall rule is the cheapest place to limit who can reach it.
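The same investigation as a repeatable PowerShell check, added here as an example (it is not code from the original post). It parses the firewall log, groups inbound DROPs by destination port, maps each port to its listening PID, process and hosted services (netstat -ano plus tasklist /SVC in one step), and builds a scoped allow rule. It assumes Windows 8 / Server 2012 or later (the NetTCPIP and NetSecurity modules) and an elevated prompt for the process and service lookups; the log excerpt is constructed, and the client subnet and rule name are assumptions.

```powershell
# Added example, not part of the original post. Assumes Windows 8 / Server 2012+ and an elevated prompt.

# Field order from the '#Fields:' header line of pfirewall.log
$FwFields = 'date','time','action','protocol','srcip','dstip','srcport','dstport',
            'size','tcpflags','tcpsyn','tcpack','tcpwin','icmptype','icmpcode','info','path'

function ConvertFrom-FirewallLog {
    param([Parameter(Mandatory)][string[]]$Lines)
    foreach ($line in $Lines) {
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }   # header / comment lines
        $parts = $line.Trim() -split '\s+'
        $row = [ordered]@{}
        for ($i = 0; $i -lt $FwFields.Count; $i++) {
            $row[$FwFields[$i]] = if ($i -lt $parts.Count) { $parts[$i] } else { '-' }
        }
        [pscustomobject]$row
    }
}

function Get-DroppedInboundPorts {
    # One row per (protocol, destination port) that this host dropped on RECEIVE
    param([Parameter(Mandatory)][string[]]$Lines)
    ConvertFrom-FirewallLog -Lines $Lines |
        Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'RECEIVE' } |
        Group-Object protocol, dstport |
        ForEach-Object {
            [pscustomobject]@{
                Protocol = $_.Group[0].protocol
                DstPort  = [int]$_.Group[0].dstport
                Drops    = $_.Count
                Sources  = ($_.Group.srcip | Sort-Object -Unique) -join ','
            }
        } | Sort-Object Drops -Descending
}

function Resolve-ListeningProcess {
    # netstat -ano + tasklist /SVC in one step: who owns the listening socket on this port?
    param([Parameter(Mandatory)][int]$Port, [string]$Protocol = 'TCP')
    $endpoints = if ($Protocol -eq 'TCP') {
        Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
    } else {
        Get-NetUDPEndpoint -LocalPort $Port -ErrorAction SilentlyContinue
    }
    foreach ($ep in $endpoints) {
        $proc = Get-Process -Id $ep.OwningProcess -ErrorAction SilentlyContinue
        # Services hosted in that PID (tells svchost.exe instances apart)
        $svcs = Get-CimInstance Win32_Service -Filter "ProcessId = $($ep.OwningProcess)" |
                    Select-Object -ExpandProperty Name
        [pscustomobject]@{
            Protocol = $Protocol; Port = $Port; LocalAddress = $ep.LocalAddress
            PID = $ep.OwningProcess; Process = $proc.ProcessName; Path = $proc.Path
            Services = ($svcs -join ',')
        }
    }
}

function New-ScopedAllowRule {
    # Least privilege: inbound, one port, one program, only the source networks seen in the log.
    # Previews with -WhatIf unless -Apply is given.
    param(
        [Parameter(Mandatory)][int]$Port,
        [string]$Protocol = 'TCP',
        [Parameter(Mandatory)][string]$Program,
        [Parameter(Mandatory)][string[]]$RemoteAddress,
        [switch]$Apply
    )
    $params = @{
        DisplayName   = "Print Server - $Protocol $Port from $($RemoteAddress -join ',')"   # assumed naming
        Direction     = 'Inbound'; Action = 'Allow'; Profile = 'Domain'
        Protocol      = $Protocol; LocalPort = $Port
        Program       = $Program
        RemoteAddress = $RemoteAddress
    }
    New-NetFirewallRule @params -WhatIf:(-not $Apply)
}

# Constructed log excerpt (full field set; the sample in the post had date/time trimmed)
$sampleLog = @'
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2018-01-17 09:12:01 DROP TCP 10.150.85.240 10.20.68.183 12387 9001 48 S 4157967098 0 8192 - - - RECEIVE
2018-01-17 09:12:04 DROP TCP 10.150.85.240 10.20.68.183 12388 9001 48 S 3357802324 0 8192 - - - RECEIVE
2018-01-17 09:12:05 ALLOW TCP 10.150.85.240 10.20.68.183 12389 445 0 - 0 0 0 - - - RECEIVE
2018-01-17 09:12:09 DROP UDP 10.150.85.241 10.20.68.183 137 137 78 - - - - - - - RECEIVE
'@ -split "`r?`n"

$dropped = Get-DroppedInboundPorts -Lines $sampleLog
$dropped | Format-Table -AutoSize          # TCP 9001 dropped twice from 10.150.85.240, UDP 137 once

# On the real server, read the live log instead of the sample, then resolve each port to its owner:
# $dropped = Get-DroppedInboundPorts -Lines (Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log")
foreach ($d in $dropped) { Resolve-ListeningProcess -Port $d.DstPort -Protocol $d.Protocol }

# Once the owner is confirmed as spoolsv.exe, preview the scoped rule; add -Apply to create it.
New-ScopedAllowRule -Port 9001 -Program "$env:SystemRoot\System32\spoolsv.exe" -RemoteAddress '10.150.85.0/24'
```

The rule deliberately binds three things together (port, program and remote subnet) so that a later change to any one of them, such as the spooler moving ports or a new client network appearing, shows up as fresh DROP lines in the log rather than silently widening what the server exposes.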


Monday, October 30, 2017

Copy DACL from one folder to another

If you ever need to copy the access rights from one folder to another, this will help. This is also useful in cases where you need to duplicate the permissions from a folder to a recently re-created junction link.

Get-Acl -Path  SourceFolder | Set-Acl -Path  DestinationFolder

Here is an example:

Original State

  • There is a folder on the G: drive called 'Medicine'
  • There is a junction point on 'E:\Shared\Medicine' which points to the folder.
  • The permissions on the junction point are identical and complex

Some hero then deletes the junction point. This is then recreated thus:

mklink /j "E:\Shared\Medicine" "G:\Medicine"

We can then restore the junction link's missing DACL using PowerShell thus:

Get-Acl -Path "G:\Medicine" | Set-Acl -Path  "E:\Shared\Medicine"
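One caveat with the one-liner above: the object Get-Acl returns also carries the source folder's owner, and Set-Acl tries to write that too, which fails with 'The security identifier is not allowed to be the owner of this object' unless you are running elevated with SeRestorePrivilege. The PowerShell below is an added example (not code from the original post) that keeps the destination's own security descriptor and copies only the DACL, that is the inheritance-protection flag and the explicit ACEs, then verifies the result. The folder paths are the ones from the post.

```powershell
# Added example, not part of the original post. Copies only the DACL, leaving the destination's owner alone.

function Copy-Dacl {
    param(
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][string]$Destination,
        [switch]$Apply      # without -Apply the function only shows what it would write
    )
    $srcAcl = Get-Acl -Path $Source
    $dstAcl = Get-Acl -Path $Destination

    # Mirror the 'disable inheritance' state; $false = do not convert inherited ACEs into explicit ones
    $dstAcl.SetAccessRuleProtection($srcAcl.AreAccessRulesProtected, $false)

    # Drop the destination's explicit ACEs (its inherited ones still come from its own parent folder)
    foreach ($ace in @($dstAcl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$dstAcl.RemoveAccessRule($ace)
    }
    # Add the source's explicit ACEs
    foreach ($ace in @($srcAcl.Access | Where-Object { -not $_.IsInherited })) {
        $dstAcl.AddAccessRule($ace)
    }

    if ($Apply) {
        Set-Acl -Path $Destination -AclObject $dstAcl
    } else {
        "Would apply the following explicit ACEs to ${Destination}:"
        $dstAcl.Access | Where-Object { -not $_.IsInherited } |
            Format-Table IdentityReference, FileSystemRights, AccessControlType, InheritanceFlags -AutoSize
    }
}

function Get-ExplicitAces {
    # Explicit (non-inherited) ACEs as sortable strings, so two folders can be compared
    param([Parameter(Mandatory)][string]$Path)
    (Get-Acl -Path $Path).Access | Where-Object { -not $_.IsInherited } | ForEach-Object {
        "$($_.IdentityReference)|$($_.FileSystemRights)|$($_.AccessControlType)|$($_.InheritanceFlags)|$($_.PropagationFlags)"
    } | Sort-Object
}

function Test-DaclMatch {
    # $true when both folders carry the same explicit ACEs (inherited ACEs are expected to differ)
    param([Parameter(Mandatory)][string]$Source, [Parameter(Mandatory)][string]$Destination)
    ((Get-ExplicitAces $Source) -join "`n") -eq ((Get-ExplicitAces $Destination) -join "`n")
}

Copy-Dacl -Source 'G:\Medicine' -Destination 'E:\Shared\Medicine'            # preview
Copy-Dacl -Source 'G:\Medicine' -Destination 'E:\Shared\Medicine' -Apply
Test-DaclMatch -Source 'G:\Medicine' -Destination 'E:\Shared\Medicine'       # expect True
```

Run the preview first: if the source has inheritance disabled and the destination does not, the explicit ACE list you are about to write is the whole story of who can reach that folder, so it is worth reading before -Apply.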


Cheers!

Wednesday, August 2, 2017

Dump or Search for SPN records

Here you go:

#########################
$SearchCriteria = "CX"  # ----- What you search for (matched against the object's name)
#########################
$search = New-Object DirectoryServices.DirectorySearcher([ADSI]"")   # root of the current domain
$search.Filter = "(servicePrincipalName=*)"
$search.PageSize = 1000        # paged results; without this the server caps the result set at 1000 objects
$results = $search.FindAll()
foreach ($result in $results)
{
    $userEntry = $result.GetDirectoryEntry()
    if ($userEntry.name -like "*$SearchCriteria*")
    {
        Write-Host "Object Name = " $userEntry.name -BackgroundColor "yellow" -ForegroundColor "black"
        Write-Host "DN      =      " $userEntry.distinguishedName
        Write-Host "Object Cat. = " $userEntry.objectCategory
        Write-Host "servicePrincipalNames"
        $i = 1
        foreach ($SPN in $userEntry.servicePrincipalName)
        {
            Write-Host "SPN(" $i ")   =      " $SPN
            $i += 1    # on its own line: appended to the Write-Host line it is passed as an argument, not executed
        }
        Write-Host ""
    }
}
$results.Dispose()
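The same SPN search is worth running for a different reason: any authenticated domain user can request a service ticket for any SPN, and that ticket is encrypted under the service account's password-derived key, so user accounts (as opposed to computer accounts) with SPNs are the targets of Kerberoasting. The PowerShell below is an added example that goes beyond the post's dump (it is not code from the original post): it lists enabled user accounts that carry an SPN and scores each one on whether it would get an RC4 ticket, how old its password is and whether it sits in a privileged group. It assumes a domain-joined host for the live query; the sample accounts and the 365-day threshold are constructed.

```powershell
# Added example, not part of the original post. Assumes a domain-joined host for Get-SpnUserAccounts.

$ACCOUNTDISABLE = 0x2   # userAccountControl bit
$ENC_RC4        = 0x4   # msDS-SupportedEncryptionTypes bits
$ENC_AES128     = 0x8
$ENC_AES256     = 0x10

function Get-SpnUserAccounts {
    # Enabled user objects (not computer accounts) that carry at least one SPN
    $search = New-Object DirectoryServices.DirectorySearcher([ADSI]"")
    $search.Filter = "(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*)" +
                     "(!(userAccountControl:1.2.840.113556.1.4.803:=$ACCOUNTDISABLE)))"
    $search.PageSize = 1000
    foreach ($attr in 'sAMAccountName','servicePrincipalName','pwdLastSet','msDS-SupportedEncryptionTypes','memberOf') {
        [void]$search.PropertiesToLoad.Add($attr)
    }
    foreach ($r in $search.FindAll()) {
        $p = $r.Properties            # property names come back lower-cased
        [pscustomobject]@{
            SamAccountName = [string]$p['samaccountname'][0]
            SPNs           = @($p['serviceprincipalname'])
            PwdLastSet     = if ($p['pwdlastset'].Count -gt 0 -and [long]$p['pwdlastset'][0] -gt 0) {
                                 [DateTime]::FromFileTimeUtc([long]$p['pwdlastset'][0]) } else { $null }
            EncTypes       = if ($p['msds-supportedencryptiontypes'].Count -gt 0) { [int]$p['msds-supportedencryptiontypes'][0] } else { 0 }
            Groups         = @($p['memberof'])
        }
    }
}

function Test-KerberoastExposure {
    param([Parameter(Mandatory, ValueFromPipeline)]$Account, [int]$MaxPasswordAgeDays = 365)
    process {
        $ageDays = if ($Account.PwdLastSet) { [int]((Get-Date).ToUniversalTime() - $Account.PwdLastSet).TotalDays } else { -1 }
        # 0 / unset has historically meant the KDC issues an RC4-HMAC service ticket, keyed from the NT hash
        $aes     = ($Account.EncTypes -band ($ENC_AES128 -bor $ENC_AES256)) -ne 0
        $rc4Only = ($Account.EncTypes -eq 0) -or ((($Account.EncTypes -band $ENC_RC4) -ne 0) -and -not $aes)
        $privileged = @($Account.Groups | Where-Object { $_ -match '^CN=(Domain Admins|Enterprise Admins|Administrators|Schema Admins),' }).Count -gt 0
        $reasons = @()
        if ($rc4Only)        { $reasons += 'RC4 service ticket (no AES)' }
        if ($ageDays -lt 0)  { $reasons += 'pwdLastSet unset' }
        elseif ($ageDays -gt $MaxPasswordAgeDays) { $reasons += "password $ageDays days old" }
        if ($privileged)     { $reasons += 'member of a privileged group' }
        [pscustomobject]@{
            SamAccountName  = $Account.SamAccountName
            SPNCount        = @($Account.SPNs).Count
            PasswordAgeDays = $ageDays
            Risk            = if ($reasons.Count -ge 2) { 'High' } elseif ($reasons.Count -eq 1) { 'Medium' } else { 'Low' }
            Reasons         = $reasons -join '; '
        }
    }
}

# Constructed sample accounts, so the scoring can be tried without a domain
$sample = @(
    [pscustomobject]@{ SamAccountName = 'svc_sql'; SPNs = @('MSSQLSvc/sql01.corp.example:1433')
                       PwdLastSet = (Get-Date).ToUniversalTime().AddYears(-4); EncTypes = 0
                       Groups = @('CN=Domain Admins,CN=Users,DC=corp,DC=example') }   # -> High
    [pscustomobject]@{ SamAccountName = 'svc_web'; SPNs = @('HTTP/web01.corp.example')
                       PwdLastSet = (Get-Date).ToUniversalTime().AddDays(-30); EncTypes = 0x18
                       Groups = @() }                                                  # -> Low
)
$sample | Test-KerberoastExposure | Format-Table -AutoSize

# Against the live domain:
# Get-SpnUserAccounts | Test-KerberoastExposure | Sort-Object Risk, PasswordAgeDays -Descending | Format-Table -AutoSize
```

The fixes the report points at are the usual ones: a group-managed service account or a long random password for anything that must keep an SPN, AES enabled in msDS-SupportedEncryptionTypes, and no SPN-bearing user in Domain Admins.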

Saturday, July 22, 2017

Switch off ellipses in Scrivener


So you want Scrivener to stop converting three periods into an ellipsis? You might think you only need to switch off the bottom one of the two options in the picture below. No, you have to switch off BOTH of the options, because the two are linked within the Apple text API. This is not a Scrivener issue.

Cheers!




Wednesday, July 12, 2017

Event ID 7023 "The Data Sharing Service service terminated with the following error: %%3239247876"

You may see this on Server 2016, and when it happens it may shut down all file shares on the box.

It is caused by two services that run inside the same shared svchost.exe process coming into conflict: the User Access Logging Service (UALSVC), which records client access to server roles in its own ESE databases under %SystemRoot%\System32\LogFiles\Sum (not in the Security event log), and the Data Sharing Service (DsSvc), whose service description is "Provides data brokering between applications". Neither of them is the SMB file server itself (that is LanmanServer), but both fall over together when the host process they share goes down.

The solution is to reconfigure both services to run in their own svchost.exe process rather than a shared one. This can be achieved using the Service Control tool (sc.exe); note that sc.exe requires a space after 'type=':

sc config ualsvc type= own
sc config dssvc type= own

The change takes effect when each service next starts (restart the services or reboot). Verify with 'sc qc dssvc', which should now report TYPE as WIN32_OWN_PROCESS instead of WIN32_SHARE_PROCESS.
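Before and after the change it helps to see exactly which other services live in the same svchost.exe as each of the two, since 'type= own' moves them out of that group. The PowerShell below is an added example (not code from the original post) that lists the co-hosted services and reports the service type, so you can confirm the reconfiguration took. It assumes an elevated prompt on Server 2016.

```powershell
# Added example, not part of the original post. Assumes an elevated prompt on Server 2016.

function Get-CoHostedServices {
    # Other services running in the same process as $Name (empty when it already has its own process)
    param([Parameter(Mandatory)][string]$Name)
    $svc = Get-CimInstance Win32_Service -Filter "Name = '$Name'"
    if (-not $svc) { throw "service '$Name' not found" }
    if ($svc.ProcessId -eq 0) { Write-Warning "$Name is not running, nothing to inspect"; return }
    Get-CimInstance Win32_Service -Filter "ProcessId = $($svc.ProcessId)" |
        Where-Object Name -ne $Name |
        Select-Object Name, DisplayName, ProcessId, StartMode, State
}

function Get-ServiceProcessType {
    # Win32_Service.ServiceType reads 'Share Process' for a shared svchost, 'Own Process' after type= own
    param([Parameter(Mandatory)][string]$Name)
    (Get-CimInstance Win32_Service -Filter "Name = '$Name'").ServiceType
}

foreach ($name in 'ualsvc', 'dssvc') {
    "== $name ($(Get-ServiceProcessType $name)) shares its process with:"
    Get-CoHostedServices -Name $name | Format-Table -AutoSize | Out-String
}

# Apply the fix (note the space after 'type=', sc.exe insists on it), restart, and re-check:
# sc.exe config ualsvc type= own
# sc.exe config dssvc  type= own
# Restart-Service ualsvc; Restart-Service dssvc
# foreach ($name in 'ualsvc', 'dssvc') { "$name -> $(Get-ServiceProcessType $name)" }   # expect 'Own Process'
```

The first run of the listing is also your record of what else was in that shared process, which is the list of services to check on if anything else misbehaves after the split.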

Cheers!

Tuesday, July 11, 2017

Default Permissions Issues in Server 2016

* This article published in a hurry, will tidy later *

This error:

Log Name:      System
Source:        Microsoft-Windows-DistributedCOM
Date:          7/11/2017 9:04:32 AM
Event ID:      10016
Task Category: None
Level:         Error
Keywords:      Classic
User:          SYSTEM
Computer:      SL2TDC4.MyDomain.ORG
Description:
The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{8D8F4F83-3594-4F07-8369-FC3C3CAE4919}
 and APPID 
{F72671A9-012C-4725-9D2F-2A4D32D65169}
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

So this is a permissions issue related to the 'Connected Devices Platform' (the CLSID and APPID above) and it can cause the NIC to fail during Windows updates. Before following the steps, be aware of two things. Microsoft's own guidance ("DCOM event ID 10016 is logged in Windows") is that these events are by design and can be safely ignored, so only do this if the event is genuinely tied to a fault you are seeing. And the steps take ownership of registry keys that Windows protects through TrustedInstaller and grant Administrators Full Control over them, which weakens that protection and may be undone by a later update. With that said, here is how to fix it:



  • Open REGEDIT navigate to HKEY_CLASSES_ROOT\CLSID\{8D8F4F83-3594-4F07-8369-FC3C3CAE4919}
  • Right-Click, select permissions
  • Click Advanced
  • Change Ownership to Administrators
  • Check the "replace all child object permissions entries with inheritable permissions from this object' checkbox
  • Click OK
  • Click YES
  • Edit permissions to provide Administrators FULL CONTROL if it is not already set.
  • Now go to HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F72671A9-012C-4725-9D2F-2A4D32D65169}
  • Right-Click, select permissions
  • Click Advanced
  • Change Ownership to Administrators
  • Check the "replace owner on subcontainers and objects' checkbox
  • Click OK
  • Click YES
  • Edit permissions to provide Administrators FULL CONTROL if it is not already set.

  • Next, run COMEXP from an admin cmd prompt
  • Navigate down to Component Services\My Computer\DCOM Config\{F72671A9-012C-4725-9D2F-2A4D32D65169}
  • Right-Click select properties then the Security tab
  • Select Customize on the 'Launch and Activation Permissions'
  • Select Edit
  • Add the account named in the event (here NT AUTHORITY\SYSTEM) from the local machine
  • Check 'Local Activation'
  • OK, OK
  • Reboot
Repeat for all instances of EventID 10016 (System Event Log)
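Rather than reading each 10016 event by hand, it is worth inventorying them first: which APPID, which account, which permission, and how often. The PowerShell below is an added example (not code from the original post) that parses the event text, resolves the CLSID and APPID to their registered names in HKEY_CLASSES_ROOT, and groups the results, so you can decide per application whether the event is noise or the one behind a real fault. It assumes an elevated prompt; the sample message is constructed from the event shown in this post.

```powershell
# Added example, not part of the original post. Assumes an elevated prompt (System log read + HKCR lookups).

function ConvertFrom-Dcom10016Message {
    # Pull CLSID, APPID, account, SID, source address and the missing permission out of the event text
    param([Parameter(Mandatory)][string]$Message)
    $perm = if ($Message -match 'grant (Local Activation|Local Launch|Remote Activation|Remote Launch)') { $Matches[1] } else { 'unknown' }
    $pattern = '(?s)CLSID\s*(\{[0-9A-F-]{36}\})\s*and APPID\s*(\{[0-9A-F-]{36}\})\s*to the user (.+?) SID \((S-[\d-]+)\) from address (\S+)'
    if ($Message -match $pattern) {
        [pscustomobject]@{
            CLSID      = $Matches[1].ToUpper()
            APPID      = $Matches[2].ToUpper()
            User       = $Matches[3]
            SID        = $Matches[4]
            Address    = $Matches[5]
            Permission = $perm
        }
    }
}

function Resolve-ComName {
    # Friendly names from the registry; the COM class and AppID default values carry them
    param([Parameter(Mandatory)][string]$Clsid, [Parameter(Mandatory)][string]$Appid)
    $class = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid" -ErrorAction SilentlyContinue).'(default)'
    $app   = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\AppID\$Appid" -ErrorAction SilentlyContinue).'(default)'
    [pscustomobject]@{ ClassName = $class; AppName = $app }
}

function Get-Dcom10016Summary {
    # One row per (APPID, user, permission) with a count and the most recent occurrence
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-DistributedCOM'; Id = 10016 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $parsed = ConvertFrom-Dcom10016Message -Message $_.Message
            if ($parsed) { $parsed | Add-Member -NotePropertyName TimeCreated -NotePropertyValue $_.TimeCreated -PassThru }
        } |
        Group-Object APPID, User, Permission |
        ForEach-Object {
            $first = $_.Group[0]
            $names = Resolve-ComName -Clsid $first.CLSID -Appid $first.APPID
            [pscustomobject]@{
                Count      = $_.Count
                Last       = ($_.Group.TimeCreated | Sort-Object -Descending | Select-Object -First 1)
                AppName    = $names.AppName
                ClassName  = $names.ClassName
                APPID      = $first.APPID
                CLSID      = $first.CLSID
                User       = $first.User
                Permission = $first.Permission
            }
        } | Sort-Object Count -Descending
}

# Constructed sample, same shape as the event shown in this post
$sampleMessage = @"
The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{8D8F4F83-3594-4F07-8369-FC3C3CAE4919}
 and APPID
{F72671A9-012C-4725-9D2F-2A4D32D65169}
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable).
"@
ConvertFrom-Dcom10016Message -Message $sampleMessage | Format-List

# Live inventory of the System log:
# Get-Dcom10016Summary | Format-Table Count, Last, AppName, User, Permission, APPID -AutoSize
```

The User and Permission columns are what the last part of the procedure above depends on: the identity you add under Launch and Activation Permissions has to be the one in the event, and the box you tick has to be the permission the event says is missing.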

Connected Devices Platform (NIC Disconnects)
CLSID  {8D8F4F83-3594-4F07-8369-FC3C3CAE4919}

APPID  {F72671A9-012C-4725-9D2F-2A4D32D65169}

RuntimeBroker (Memory Leak)
CLSID  {D63B10C5-BB46-4990-A94F-E40B9D520160}

APPID  {9CA88EE3-ACB7-47C8-AFC4-AB702511C276}





Saturday, July 8, 2017

Icons wrong on Microsoft Office Documents (Mac OS)

Delete /Library/Caches/com.apple.iconservices.store.

You will need to enter your administrator password for this

Reboot

Cheers!

Friday, July 7, 2017

Redirect HOME folders on a Mac

I have always liked to separate my data from the system files on my Mac. That way I can use TimeMachine to restore an earlier version of my system drive without worrying about reverting my documents and vice-versa. Call it personal style, but this is how you do it:

I will take you through processing the DOCUMENTS folder, then you can rinse and repeat for MUSIC, PICTURES or whatever you want.

* DON'T BE A MORON, BACKUP YOUR DATA FIRST *

  • Create your target folder on your separated data drive. In my case a folder called 'Documents'
  • Now we need to preserve the folder's icon the easy way, before we lose it by deleting the original folder. Open a Get Info window for both the original and the new folder. At the very top of the Get Info window is a miniature version of the icon, and we are going to copy and paste it from the original to the new one. It is a little odd, because there is no right-click context menu for this. Click the miniature icon in the original's Get Info window so it shows a glow, press Cmd-C, then click the miniature icon in the new folder's Get Info window until it glows and press Cmd-V.
  • The next step is to replace the existing 'Documents' folder with a symbolic link (the macOS equivalent of a Windows junction). Since it will replace the existing 'Documents' folder we need to delete it. (Repeat) we will be deleting the Documents folder, so BACK IT UP!
  • Launch a terminal window and enter
chmod -R -N ~/Documents

  • That will change the permission on that folder to allow you to delete it, now we will delete it.
rm -rf ~/Documents
  • You should see your regular Documents folder vanish. It may come back after a few seconds as some Apple watchdog process corrects what it thinks is an error condition. Don't worry, just run it again and move on to the next command as quickly as you can, which creates the symbolic link that replaces the regular folder and points to your new folder:
ln -s /Volumes/Data/Documents ~/Documents
  • Replace the word 'Data' with the name of the drive that contains your new Documents folder. Give the link path (~/Documents) explicitly: without it, ln creates the link in whatever directory the terminal currently happens to be in.
  • Job done, you should now have a redirect in place. You can prove that by manually placing a file in the new folder, then navigating to your Documents folder using the 'Go' menu in the Finder menu bar.
Cheers!




Sunday, June 25, 2017

Saturday, May 27, 2017

Error 0x80070070

The shortest post ever...

Error: 0x80070070

Means whatever you were doing ran out of disk space. The low 16 bits (0x70 = 112) are the Win32 error ERROR_DISK_FULL, "There is not enough space on the disk", wrapped as an HRESULT.

Cheers!


Wednesday, February 15, 2017

Microsoft Azure VM Sizes

Here is a useful list of Azure VM sizes, the XML parameter is what you would use in the configuration files for your PaaS instance. Specifically the 'ServiceDefinition.csdef' file. For example:

<WorkerRole name="MyCacheWorkerRole" vmsize="Medium">


 VM Size in Azure

(note the use of descriptive words instead of codes in model A0 through A4)

Modern Title   Parameter in XML   Cores   Memory (GB)   Local Disk Size (GB)   NICs   Bandwidth
A0             ExtraSmall         1       0.768         20                     1      Low
A1             Small              1       1.75          225                    1      Medium
A2             Medium             2       3.5           490                    1      Medium
A3             Large              4       7             1000                   2      High
A4             ExtraLarge         8       14            2040                   4      High
A5             A5                 2       14            490                    1      Medium
A6             A6                 4       28            1000                   2      High
A7             A7                 8       56            2040                   4      High
A8             A8                 8       56            1817                   2      High
A9             A9                 16      112           1817                   4      Very High
A10            A10                8       56            1817                   2      High
A11            A11                16      112           1817                   4      Very High
A1 v2          Standard_A1_v2     1       2             10                     1      Medium
A2 v2          Standard_A2_v2     2       4             20                     2      Medium
A4 v2          Standard_A4_v2     4       8             40                     4      High
A8 v2          Standard_A8_v2     8       16            80                     8      High
A2m v2         Standard_A2m_v2    2       16            20                     2      Medium
A4m v2         Standard_A4m_v2    4       32            40                     4      High
A8m v2         Standard_A8m_v2    8       64            80                     8      High
D1             Standard_D1        1       3.5           50                     1      Medium
D2             Standard_D2        2       7             100                    2      High
D3             Standard_D3        4       14            200                    4      High
D4             Standard_D4        8       28            400                    8      High
D11            Standard_D11       2       14            100                    2      High
D12            Standard_D12       4       28            200                    4      High
D13            Standard_D13       8       56            400                    8      High
D14            Standard_D14       16      112           800                    8      Very High
D1 v2          Standard_D1_v2     1       3.5           50                     1      Medium
D2 v2          Standard_D2_v2     2       7             100                    2      High
D3 v2          Standard_D3_v2     4       14            200                    4      High
D4 v2          Standard_D4_v2     8       28            400                    8      High
D5 v2          Standard_D5_v2     16      56            800                    8      Extremely High
D11 v2         Standard_D11_v2    2       14            100                    2      High
D12 v2         Standard_D12_v2    4       28            200                    4      High
D13 v2         Standard_D13_v2    8       56            400                    8      High
D14 v2         Standard_D14_v2    16      112           800                    8      Extremely High
D15 v2         Standard_D15_v2    20      140           1000                   8      Extremely High
G1             Standard_G1        2       28            384                    1      High
G2             Standard_G2        4       56            768                    2      High
G3             Standard_G3        8       112           1536                   4      Very High
G4             Standard_G4        16      224           3072                   8      Extremely High
G5             Standard_G5        32      448           6144                   8      Extremely High
H8             Standard_H8        8       56            1000                   8      High
H16            Standard_H16       16      112           2000                   8      Very High
H8m            Standard_H8m       8       112           1000                   8      High
H16m           Standard_H16m      16      224           2000                   8      Very High
H16r           Standard_H16r      16      112           2000                   8      Very High
H16mr          Standard_H16mr     16      224           2000                   8      Very High