Event Log Blog

Curiosity Kills the Cat

2010-07-21T00:02:17Z

25 years ago, on July 24th, the Amiga 1000 was introduced in New York City (check out the ad). Coincidentally, the Amiga 500 was my first computer and I loved playing games on the Rock Lobster - despite the 7.15909 MHz processor. Well, those were the good old days, the days before mainstream email, the days before spam. Or were they? Believe it or not, in 1985 it had already been 7 years since the first spam email was sent by Gary Thuerk over the ARPAnet.

Source: Wikimedia Commons, Amiga 1000

I don't know about you, but 32 years later I still get spam delivered to my inbox on a daily basis, and that's despite having 2-3 spam filters in place. What's more, I still get legitimate email caught by the spam filter, mostly to the dismay of the sender.

Now, of course WE all know not to open spam - or to even look at it - as it will potentially confirm receipt (if you display images from non-trusted sources) and could also trigger malware (again depending on your email reader's configuration).

But, we've all seen spam emails and I can't help but wonder who actually reads these emails (for purposes other than to get a chuckle), much less opens them! Let's not even think about who opens attachments or clicks (yikes!) from spam emails.

Source: Wikimedia Commons, Spam.jpg

The Facts

So WHO are those people opening, clicking spam? Well, turns out that the MAWWG, the Messaging Anti-Abuse Working Group determines exactly that (and presumably other things too) - every year. Better yet, they publish that information for our enjoyment.

It's been a few months since the latest findings were published, but I'd consider them relevant today nevertheless (and a year from now for that matter).

In a nutshell, the group surveyed the behavior of consumers both in North America and Europe, and published key findings in regards to awareness, consumer confidence and so forth.

Before I give the link to the full PDF (see the Resources section below); here are what I think are some of the most interesting facts:

Half of all users in North America and Europe have "confessed" to opening or accessing spam. 46% of those who opened spam, did so intentionally to unsubscribe or out of some untameable sense of curiosity. Some were even interested in the products "advertised" to them!

Bottom Line: 1 out of 4 people open spam emails because they want to know more, or want to unsubscribe.
In more detail, 19% of all users surveyed either clicked on a link from an email (11%) or opened an attachment from an email (8%) that they themselves suspected to be spam. I found that to be one of the most revealing numbers in the report.
Young users (under 35) consider themselves more experienced, yet at the same time engage in more risky behavior than other age groups. In Germany, 33% of all users consider themselves to be experts. Compare that to France, where only 8% of all users think they are pros.
Less than half of users think that stopping spam or viruses is their responsibility. Instead, they feel that the responsibility lies mainly with the ISP and A/V companies. 48% of all respondents do realize that it is their responsibility. The report doesn't state whether this particular question, which lists 10 choices, was a multiple choice question.
When asked about bots, 84% of users were familiar with the possibility that software, say a virus, can control their computer. At the same time, only 47% were familiar with the terms "bot" or "botnet".
On the upside, 94% of all users are running A/V software that is up-to-date, which is a comforting fact. I can only imagine that the remaining 6%, given Apple's market share, account for most of the rest.

My opinion: OS X users are probably still oblivious and don't see the need to install A/V or any other type of security software on their computers. Still, some PC users apparently still don't install AntiVirus/AntiMalware on their computers, despite many free options being available today.

Wow, that's a lot of bad news to digest. So if I may summarize - the reason why we keep getting spam in our inboxes, is because every 5th person with a computer clicks on links or opens attachments (ah!) from spam emails, and because 6% of all users with a computer don't run security software. Given the amount of people that dwell in the western hemisphere, that amounts to a lot of people.

Well, at least I know now why I keep getting those nuisance emails in my inbox. But somehow I don't feel any better about them.

Training Day

I think what this report shows us the importance of user education. While people are apparently aware of spam, it doesn't look like the average Joe is aware of the implications that a simple click in an email can have.

If you are reading this email, then you are probably a network professional working in an organization. With that, you have a unique opportunity to organize a simple workshop with your employees to educate them about the potential threats, and remind them that it's not a good idea to do anything with suspect emails.

Source: Wikimedia Commons, Botnet for Beginners

There is a wealth of information available on the web about educating users on spam and general computer security. We all know that software can only do so much - it's a constant cat & mouse game between the researchers and the bad guys. It's simply not possible, at least not today, to make the computers we use on a daily basis 100% secure.

While securing computers in a corporation is possible to some extent using whitelisting, content filters and such, doing the same thing for home computers is much more difficult. And it's those computers that are most likely to be part of a botnet.

I can only imagine that the average user does not know that botnets can span thousands, if not millions, of computers. The Conficker botnet alone infected around 10 million computers and has the capacity to send 10 billion emails per day.

Let's face it, the situation will not improve as long as people will click links in emails and open attachments from suspicious senders.

I encourage you to organize a training session with your users on a regular basis. If your organization is large, then you might want to start with the key employees first, and maybe create a tiered training structure.

Our Network is Safe

You might think that your network is safe. You have AntiVirus, white listing, AntiMalware, firewalls in every corner, web content filters and more. Scheduling a training sessions to tell your users on not to do the obvious, is probably the last thing on your mind.

But read on.

Risky behavior by your end users will not only affect global spam rates, but your organization as well. Corporate espionage is growing, and spies (whether they are from a foreign government or corporation) often use email to initially get access to an individuals computers. See SANS Corporate Espionage 201 (PDF) for some techniques being employed.

For example, pretty much every organization has people working from home. If a malicious attacker can compromise a home computer that is used to access a corporate network (even if it's just used to access emails) and install a key logger, then they will most likely have gotten access to your corporate network. Once they have their foot in the door, it's only a matter of time.

There are plenty of resources available on the net on how to educate users on security, spam and so forth. A short training session of 20 minutes is probably enough. The message to convey is simple, and if you keep a few points in mind the session can even be fun. Consider the following for the training session:

Be sure to interact with your users. Start off by asking them if they use A/V software or AntiMalware software at home.
Tell them about botnets, and if they would be happy knowing that their computer is part of a 10 million botnet controlled by people in the Ukraine.
Be sure to explain that a single users actions can compromise their corporate network.
Explain that technology cannot provide 100% security against intruders.

Of course, user education alone is not the answer to solving security problems like viruses, phishing and the like. Encryption, digital signatures (especially for corporate emails), white-listing all should be employed regardless of user education.

Resources

2010 MAAWG Consumer Survey Key Findings Report (6 pages)
2010 MAAWG Consumer Survey Full Report (87 pages)

Using Cartoons to Teach Internet Security
Get IT Done: IT pros offer tips for teaching users

UNICODE - ONE code to rule them all

2010-04-20T22:10:19Z

If you live in an English-speaking country like the United States, United Kingdom or Australia, then you are in the lucky position where every character in your language can be represented by the ASCII table. Many other languages aren't as lucky unfortunately, and it is no surprise given the fact that over 1000 written languages exist. Most of these languages cannot be interpreted by ASCII, most notably Asian and Arabic languages.

Take the text below for example, ASCII would be struggling with this a bit (to say the least):

النمسا

Understanding UNICODE is no easy feat however - just the mere abbreviations out there can be mind-boggling: UTF-7, 8, 16, 32, UCS-2, BOM, BMP, code points, Big-Endian, Little-Endian and so forth. UNICODE support is particularly interesting when dealing with different platforms, such as Windows, Unix and OS X.

It's not all that bad though, and once the dust settles it can all make sense. No, really. As such, the purpose of this article is to give you a basic understanding of UNICODE, enough so that the mention of the word UNICODE doesn't give you cold shivers down your back.

Unicode is essentially one large character set that includes all characters of written languages, including special characters like symbols and so forth. The goal - and this goal is reality today - is to have one character set for all languages.

Back in 1963, when the first draft of ASCII was published, Internationalization was probably not on the top of the committee member's minds. Understandable, considering that not too many people were using computers back then. Things have changed since then, as computers are turning up in pretty much every electrical device (maybe with the exception of stoves and blenders).

The easiest way to start is, of course, with ASCII (American Standard Code for Information Interchange). Gosh were things simple back in the 60s. If you want to represent a character digitally, you would simply map it to a number between 1 and 127. Voila, all set. Time to drive home in your Chevrolet, and listen to a Bob Dylan, Beach Boys or Beatles record. I won't go in to the details now, but for the sake of completeness I will include the ASCII representation of the word "Bob Dylan":

String:      B    o    b         D    y    l    a    n
Decimal:     66   111 98   32   68   121 108 111 110
Hexadecimal: 0x42 0x6F 0x62 0x20 0x44 0x79 0x6C 0x6F 0x6E
Binary:      01000010 01101111 01100010 00010100
             01000100 01111001 01101100 01101111 01101110

Computers, plain and simple as they are, store everything as numbers of course, and as such we need a way to map numbers to letters, and vice versa. This is of course the purpose of the ASCII table, which tells our computers to display a "B" instead of 66.

Since the 7-bit ASCII table has a maximum of 127 characters, any ASCII character can be represented using 7 bits (though they usually consume 8 bits now). This makes calculating, how long a string is for example, quite easy. In C programs for example, ASCII characters are represented using chars, which use 1 byte (=8 bits) of storage. Here is an example in C:

char author[] = "The Beatles";
int authorLen = strlen(author);        // authorLen = 11
size_t authorSize = sizeof(author);    // authorSize = 12

The only reason the two variables are different, is because C automatically appends a 0x0 character at the end of a string (to indicate where it terminates), and as such the size will always one char(acter) longer than the length.

So, this is all fine and well if we only deal with "simple" languages like English. Once we try to represent a more complex language, Japanese for example, things start to get more challenging. The biggest problem is the sheer number of characters - there are simply more than 127 characters in the world's written languages. ASCII was extended to 8-bit (primarily to accommodate European languages), but this still only scratches the surface when you consider Asian and Arabic languages.

Hence, a big problem with ASCII is that is essentially a fixed-length, 8-bit encoding, which makes it impossible to represent complex languages. This is where the Unicode standard comes in: It gives each character a unique code point (number), and includes variable-length encodings as well as 2-byte (or more) encodings.

But before we go to deep into Unicode, we'll just blatantly pretend that Unicode doesn't exist and think of a different way to store Japanese text. Yes! Let us enter a world where every language uses a different encoding! No matter what they want to make you believe - having countless encodings around is fun and exciting. Well, actually it's not, but let's take a look here why.

The ASCII characters end at 127, leaving another 127 characters for other languages. Even though I'm not a linguist, I know that there are more than 127 characters in the rest of the world. Additionally, many Asian languages have significantly more characters than 255 characters, making a multi-byte encoding (since you cannot represent every character with one byte) necessary.

This is where encodings come in (or better, "came" in before Unicode was established), which are basically like stencils. Let's use Japanese for our code page example. I don't speak Japanese unfortunately, but let's take a look at this word, which means "Farewell" in Japanese (you are probably familiar with pronunciation - "sayōnara"):

さようなら

The ASCII table obviously has no representation for these characters, so we would need a new table. As it turns out, there are two main encodings for Japanese: Shift-JIS and EUC-JP. Yes, as if it's not bad enough to have one encoding per language!

So code pages serve the same purpose as the ASCII table, they map numbers to letters. The problem with code pages - opposed to Unicode - is that both the author and the reader need to view the text in the same code page. Otherwise, the text will just be garbled. This is what "sayōunara" looks like in the aforementioned encodings:

EUC-JP
0xA4 B5 A4 E8 A4 A6 A4 CA A4 E9

Shift_JIS
0x82 B3 82 E6 82 A4 82 C8 82 E7

Their numerical representation between EUC-JP and Shift_JIS is, as is to be expected, completely different - so knowing the encoding is vital. If the encodings don't match, then the text will be meaningless. And meaningless text is useless.

You can imagine that things can get out of hand when one party (party can be an Operating System, Email client, etc.) uses EUC-JP, and the other Shift_JIS for example. They both represent Japanese characters, but in a completely different way.

Encodings can either (to a certain degree) be auto-detected, or specified as some sort of meta information. Below is a HTML page with the same Japanese word, Shift_JIS encoded:

    Shift_JIS Encoded Page



            さようなら


You can paste this into an editor, save it has a .html file, and then view it in your favorite browser. Try changing "Shift_JIS" to "EUC-JP", fun things await you.

But I am getting carried away, after all this post is about Unicode, not encodings. So, Unicode solves these problems by giving every character from every language a unique code point. No more "Shift_JIS", no more "EUC-JP" (not even to mention all the other encodings out there), just UNICODE.

Once a document is encoded in Unicode, specifying a code page is no longer necessary - as long as the client (reader) supports the particular Unicode encoding (e.g. UTF-8) the text is encoded with.

The five major Unicode encodings are:

UTF-8
UCS-2
UTF-16 (an extension of UCS-2)
UTF-32
UTF-7

All of these encodings are Unicode, and represent Unicode characters. That is, UTF-8 is just as capable as UTF-16 or UTF-32. The number in the encoding name represents the minimum number of bits that are required to store a single Unicode code point. As such, UTF-32 can potentially require 4 x as much storage as UTF-8 - depending on the text that is being encoded. I will be ignoring UTF-7 going forward, as its use is not recommended and it's not widely used anymore.

The biggest difference between UTF-8 and UCS-2/UTF-16/UTF-32 is that UTF-8 is a variable length encoding, opposed to the others being fixed-length encodings. OK, that was a lie. UCS-2, the predecessor of UTF-16, is indeed a fixed length encoding, whereas UTF-16 is a variable length encoding. In most use cases however, UTF-16 uses 2 bytes and is essentially a fixed length encoding. UTF-32 on the other hand, and that is not a lie, is a fixed-length encoding that always uses 4 bytes to store a character.

Let's look at this table which lists the 4 major encodings and some of their properties:

Encoding	Variable/Fixed	Min Bytes	Max Bytes
UTF-8	variable	1	4
UCS-2	fixed	2	2
UTF-16	variable	2	4
UTF-32	fixed	4	4

What this means, is that in order to represent a Unicode character (e.g. さ), a variable length encoding might require more than 1 byte, and in UTF-8's case up to 4 bytes. UTF-8 needs potentially more bytes, since it maintains backward-compatibility with ASCII, and as such loses 7 bits.

Windows uses UTF-16 to store strings internally, as do most Unicode frameworks such as ICU and Qt's QString. Most Unixes on the other hand use UTF-8, and it's also the most commonly found encoding on the web. Mac OSX is a bit of a different beast; due to it using a BSD kernel, all BSD system functions use UTF-8, whereas Apple's Cocoa framework uses UTF-16.

UCS-2 or UTF-16
I had already mentioned that UTF-16 is an extension of UCS-2, so how does it extend it and why does it extend it?

You see, Unicode is so comprehensive now that it encompasses more than what you can store in 2 bytes. All characters (code points) from 0x0000 to 0xFFFF are in the "BMP", the "Basic Multilingual Plane". This is the plane that uses most of the character assignments, but additional planes exist, and here is a list of all planes:

•    The "BMP", "Basic Multilingual Plane", 0x0000 -> 0xFFFF
•    The "SMP", "Supplementary Multilingual Plane", 0x10000 -> 0x1FFFF
•    The "SIP", "Supplementary Ideographic Plane", 0x20000 -> 0x2FFFF
•    The "SSP", "Supplementary Special-purpose Plane", 0xE0000 -> 0xEFFFF

So technically, having 2 bytes available is not even enough anymore to cover all the available code points, you can only cover the BMP. And this is the main difference between UCS-2 and UTF-16, UCS-2 only supports code points in the BMP, whereas UTF-16 supports code points in the supplementary planes as well, through something called "surrogate pairs".

Representation in Unicode
So let's look at the above sample text in Unicode, shall we? Sayonara Shift_JIS & EUC-JP! The site http://rishida.net/tools/conversion/ has some great online tools for Unicode, one of which is called "Uniview". It shows us the actual Unicode code points, the symbol itself and the official description:

The official Unicode notation (U+hex) for the above characters uses the U+ syntax, so for the above letters we would write:

U+3055 U+3088 U+3046 U+306A U+3089

With this information, we can now apply one of the UTF encodings to see the difference:

UTF-8
E3 81 95 E3 82 88 E3 81 86 E3 81 AA E3 82 89

UTF-16
30 55 30 88 30 46 30 6A 30 89

UTF-32
00 00 30 55 00 00 30 88 00 00 30 46 00 00 30 6A 00 00 30 89

So UTF-8 uses 5 more bytes than UCS-2/UTF-16 to represent the same exact characters. Remember that UCS-2 and UTF-16 would be identical for this text since all characters are in the BMP. UTF-32 uses yet 5 more bytes then UTF-8 and would be require the most storage space, as to be expected.

What you can also see here, is that UTF-16 essentially mirrors the U+ notation.

Fixed Length or Variable Length?
Both encoding types have their advantages and disadvantages, and I will be comparing the most popular UTF encodings, UTF-8 and UCS-2, here:

Variable Length UTF-8:
•   ASCII-compatible
•   Uses potentially less space, especially when storing ASCII
•   String analysis/manipulation (e.g. length calculation) is more CPU-intensive

Fixed Length UCS-2:
•   Potentially wastes space, since it always uses fixed amount of storage
•   String analysis/manipulation is usually less CPU intensive

Which encoding to use will depend on the application. If you are creating a web site, then you should probably choose UTF-8. If you are storing data in a database however, then it will depend on the type of strings that will be stored. For example, if you are only storing languages that cannot be represented through ASCII, then it is probably better to use UCS-2. If you are storing both ASCII and languages that require Unicode, then UTF-8 is probably a better choice. An extreme example would be storing English-Only text in a UCS-2 database - it would essentially use twice as much storage as an ASCII version, without any tangible benefits.

One of the strongest suits of UTF-8, at least in my opinion, is its backward compatibility with ASCII. UTF-8 doesn't use any numbers below 127 (0x7F), which are - well - reserved for ASCII characters. This means that all ASCII text is automatically UTF-8 compatible, since any UTF-8 parser will automatically recognized those characters as being ASCII and render them appropriately.

The BOM
And this brings us to the next topic - the BOM (header). BOM stands for "Byte Order Mark", and is usually a 2-4 byte long header in the beginning of a Unicode text stream, e.g. a text file. If a text editor does not recognize a BOM header, then it will usually display the BOM header as either the þÿ or ÿþ characters.

The purpose of the BOM header is to describe the Unicode encoding, including the endianess, of the document. Note that a BOM is usually not used for UTF-8.

Let's revisit the example from earlier, the UTF-16 encoding looked like this:

30 55 30 88 30 46 30 6A 30 89

If we wanted to store this text in a file, including a BOM header, then it could look also look like this:

FF FE 55 30 88 30 46 30 6A 30 89 30

"FF FE" is the BOM header, and in this case indicates that a UTF-16 Little Endian encoding is used. The same text in UTF-16 Big Endian would look like this:

FE FF 30 55 30 88 30 46 30 6A 30 89

The BOM header is generally only useful when Unicode encoded documents are being exchanged between systems that use different Unicode encodings, but given the extremely little overhead it certainly doesn't hurt to add it to any UTF-16 encoded document. As such, Windows always adds a 2-byte BOM header to all Unicode text documents. It is the responsibility of the text reader (e.g. an editor) to interpret the BOM header correctly. Linux on the other hand, being a UTF-8 fan and all, does not need to (and does not) use a BOM header - at least not by default.

Tools & Resources
There are a variety of resources and tools available to help with Unicode authoring, conversions, and so forth.

I personally like Ultraedit, which lets me convert documents to and from UTF-8 and UTF-16, and also supports the BOM headers. GEdit on Linux is also very capable, and supports different code pages (if you ever need to use those) as well. Babelpad is an editor designed specifically for Unicode, and seems to support every possible encoding. I have not actually used this editor though.

A nifty online converter that I already mentioned earlier can be found at http://rishida.net/tools/conversion/, and also check out UniView: http://rishida.net/scripts/uniview/.

The official Unicode website is of course a great resource too, though potentially overwhelming to mere mortals that only have to deal with Unicode occasionally. The best place to start is probably their basic FAQ: http://www.unicode.org/faq/basic_q.html.

I hope this provides some clarification for those who know that Unicode exists, but are not entirely comfortable with the details.

さようなら!

How to REALLY monitor SMTP, POP3 and IMAP on Exchange 2003

2010-02-01T13:15:46Z

Even though Microsoft Exchange Server 2010 has already been released, many organizations still use Exchange 2003. In this article I'll explain how to thoroughly monitor the various Internet protocols that Exchange 2003 offers, including SMTP, POP3, IMAP (and NNTP for that matter). The reason why I'll only be looking at Exchange 2003 is because there is a significant difference in architecture between Exchange 2003 and later versions.

It is a common misconception that you can effectively monitor the W3SVC service (commonly referred to as IIS, though IIS encompasses a lot more than just a web server) and other services provided through IIS, such as SMTP and POP3, by simply monitoring their associated service. It's a misconception, because a given IIS-based service may contain multiple instances - most commonly the case with the World Wide Web Service which often hosts multiple independent web sites. The status of these instances can be controlled independently of the hosting service, though that service needs to be running of course.

Don't despair though, most server-based windows applications, fortunately, can be monitored by ensuring that their respective service is - well - running. For example, to ensure that the Apache service is up, you "simply" make sure that the Apache service is running. The same goes for countless other services such as MySQL - even SQL Server (of course you can still detach individual databases in SQL Server).

Exchange 2003, due its partnership with the Internet Information Services 6.0, is different though. Yes, IIS and Exchange 2003 are tightly coupled, and if you intend to have your Exchange Server 2003 communicate with any other server using a standard Internet protocol such as SMTP, then you will need IIS.

The screenshot above shows that the inetinfo.exe process hosts all the major services (bold name), and that each service can host one or more instance. For more details please see http://technet.microsoft.com/en-us/library/bb124674(EXCHG.65).aspx.

The three most common Internet services your Exchange 2003 server is running are probably SMTP, POP3 and IMAP4. While a lot of attention is being paid to the core Exchange services such as

• Microsoft Exchange Information Store (MSExchangeIS)
• Microsoft Exchange System Attendant (MSExchangeSA)

The services providing SMTP, POP3 and IMAP4 connectivity are usually similarly important, especially the SMTP service. Looking at the EventSentry service status page immediately reveals that the SMTP, POP3 and IMAP4 services are managed by IIS:

As you can see, IMAP4Svc, POP3Svc and SMTPSvc all use inetinfo.exe (Executable column) for their host process. So why is this important again?

Since all of these services support multiple instances INSIDE the service (inetinfo.exe), the host process will continue to run even when one or more instances inside the service are stopped. Since most installations only have one instance, stopping that one instance inside the service will still leave the service up and running. The effect of course is the same; the service is not available to the end users while the Windows service will happily continue to run.

A screen shot from the System Manager application shows instances listed inside:

As you can see with the IMAP4 protocol, we have two virtual servers setup that are both hosted inside the "Microsoft Exchange IMAP4" service. To stubbornly illustrate my point further I took a screenshot that shows both IMAP4 instances stopped while the service itself is running:

So I think we're all in agreement now that monitoring the POP3, SMTP etc. services in Exchange 2003 is not enough if you want to ensure that these services are actually available. So how do we monitor all of these instances?
The easiest way is actually with a VBScript, which is included below. VBScript works well since the cscript.exe interpreter is readily installed on Windows 2003, so no additional installation of tools is required. The script enumerates all instances of a given protocol, and checks whether they are running or not. If at least one instance is not running, the tool will return 1, thus setting the ERRORLEVEL to 1.

This VBScript can then be embedded into EventSentry, which will then run the script at set intervals using the application scheduler, notifying you via email (with the proper filter setup) when an instance is stopped. There's a screencast for that, you can view it at http://www.eventsentry.com/screencasts/eventsentry-application-scheduler/eventsentry-application-scheduler.htm. It shows you how to create an embedded script and setup EventSentry to notify you when the scripts returns an error. Note that the screencast uses an older version of the script which only monitored web sites (not SMTP, IMAP4, ...), but the process of setting up the script with EventSentry is exactly the same.

You should be able to use the script as-is, just configure which protocols are monitored by adjusting the values in the "Define which protocols to monitor here" section. The script always prints all installed instances and their status, and any stopped instance is prefixed with an asterisk. Below is what an email from EventSentry looks like:

The line with the stopped instance won't be yellow in the actual email, I just added this for readability. The script can also easily be modified to automatically start any stopped instances - simply add the line

Instance.Start

after line 102. This will still trigger an email (or error) to notify you that it was stopped, but a subsequent run of the script at the next monitoring interval should not trigger an error again if the start was successful.

A note of caution here though - I have seen the script hang indefinitely with this line added when an instance that is currently stopped can't be started because it's not configured correctly. Hence, it's not included by default.

' Lists the state of all IIS protocols configured on the local machine
' and returns an %ERRORLEVEL% of 1, if at least one instance is not in
' the "Started" state.
'
' When scheduling this script with EventSentry's application scheduler,
' make sure that the interpreter is set to "cscript.exe"

Option Explicit

Dim allInstancesAreRunning

Dim monitorSMTP, monitorPOP3, monitorIMAP4, monitorNNTP, monitorFTP, monitorWWW

' Define which protocols to monitor here

monitorSMTP = 1
monitorPOP3 = 1
monitorIMAP4 = 1
monitorNNTP = 1
monitorFTP   = 1
monitorWWW   = 1

' Define which protocols to monitor here

' ==================== EXECUTION STARTS HERE ====================
allInstancesAreRunning = EnumerateAllInstances

If allInstancesAreRunning = 0 Then
    WScript.Echo vbCRLF & "WARNING: One or more IIS components are not running" & vbCRLF
End If

If allInstancesAreRunning = 0 Then
    WScript.Quit 1
End If

' ==================== FUNCTIONS ====================
Function EnumerateAllInstances

EnumerateAllInstances = 1

If monitorSMTP = 1 Then
    EnumerateAllInstances = EnumerateAllInstances And EnumerateInstances("localhost", "SMTPSVC")
End If

If monitorPOP3 = 1 Then
    EnumerateAllInstances = EnumerateAllInstances And EnumerateInstances("localhost", "POP3SVC")
End If

If monitorIMAP4 = 1 Then
    EnumerateAllInstances = EnumerateAllInstances And EnumerateInstances("localhost", "IMAP4SVC")
End If

If monitorNNTP = 1 Then
    EnumerateAllInstances = EnumerateAllInstances And EnumerateInstances("localhost", "NNTPSVC")
End If

If monitorFTP = 1 Then
    EnumerateAllInstances = EnumerateAllInstances And EnumerateInstances("localhost", "FTPSVC")
End If

If monitorWWW = 1 Then
    EnumerateAllInstances = EnumerateAllInstances And EnumerateInstances("localhost", "W3SVC")
End If

End Function

Function MapServiceToInstance( Service )

    If Service = "SMTPSVC" Then
        MapServiceToInstance = "IIsSmtpServer"
    ElseIf Service = "POP3SVC" Then
        MapServiceToInstance = "IIsPop3Server"
    ElseIf Service = "IMAP4SVC" Then
        MapServiceToInstance = "IIsImapServer"
    ElseIf Service = "W3SVC" Then
        MapServiceToInstance = "IIsWebServer"
    ElseIf Service = "NNTPSVC" Then
        MapServiceToInstance = "IIsNntpServer"
    ElseIf Service = "FTPSVC" Then
        MapServiceToInstance = "IIsFtpServer"
    End If

End Function

Function EnumerateInstances( Server, Service )
    On Error Resume Next

    Dim VirtualServerService
    Dim Instance, InstanceID

    EnumerateInstances = 1

    Set VirtualServerService = GetObject("IIS://" & Server & "/" & Service)

    If Err.Number = 0 Then
        InstanceID = MapServiceToInstance(Service)

        For Each Instance in VirtualServerService

        If Instance.KeyType = InstanceID Then

                If SiteIsNotRunning(Instance.ServerState) Then
                    WScript.StdOut.Write "*"
                    EnumerateInstances = 0
                End If

                WScript.StdOut.Write Instance.ServerComment & " (" & Service & "): " & State2Desc(Instance.ServerState) & vbCRLF
        End If
        Next
    End If

End Function

Function SiteIsNotRunning( nState )

    If nState <> 2 Then
        SiteIsNotRunning = 1
    Else
        SiteIsNotRunning = 0
    End If

End Function

Function State2Desc( nState )

    Select Case nState
    Case 1
        'MD_SERVER_STATE_STARTING
        State2Desc = "Starting"
    Case 2
        'MD_SERVER_STATE_STARTED
        State2Desc = "Running"
    Case 3
        'MD_SERVER_STATE_STOPPING
        State2Desc = "Stopping"
    Case 4
        'MD_SERVER_STATE_STOPPED
        State2Desc = "Stopped"
    Case 5
        'MD_SERVER_STATE_PAUSING
        State2Desc = "Pausing"
    Case 6
        'MD_SERVER_STATE_PAUSED
        State2Desc = "Paused"
    Case 7
        'MD_SERVER_STATE_CONTINUING
        State2Desc = "Continuing"
    Case Else
        State2Desc = "Unknown state"
    End Select

End Function

You can also download the script from here.

Until next time,
Ingmar.

Announcing EventSentry v2.91

2009-11-30T23:09:05Z

Now that EventSentry v2.91 has been released, I'm happy to have the opportunity to blog about our monitoring solution again.

The most significant new feature in EventSentry is the Health Matrix, a new way to see your network status in a space-efficient way. In fact, you can see the overall health status of your entire network on a single screen, even if it consists of hundreds of hosts.

We also made numerous other changes throughout the web reports, and added some exciting new filtering capabilities with our event log filters, as well as improved speed with the event log engine and file checksum generations.

EventSentry v2.91 also includes many minor improvements throughout the application, including service monitoring, process tracking and more. We have also updated EventSentry Light, and a new version will be released in the coming days after we have completed testing.

But now to the new features in version 2.91:

Health Matrix
In the health matrix, each host is displayed as a colored square, circle or rectangle, with the color indicating the overall health of the monitored computer. When all of the monitored components of a host are in an OK status, the color of the square is green. The color will change to orange or red when a problem is detected, depending on the number or severity of the issue.

The health matrix is highly customizable, for example both the size and shape of the icons can be adjusted depending on the size of the network (and your monitor).

Event Log Monitoring
In 2.91, the event log filtering engine was improved, resulting in reduced CPU usage of the event log monitoring component. Since the CPU usage of the EventSentry agent is already quite low, you will most likely only notice this improvement on hosts that generate an extremely large number of events, such as domain controllers.

Also new is the ability to filter events based on insertion strings in addition to just filtering based on the event message text. This means that one can now match individual strings inside event messages against strings, numbers, file checksums and group memberships. If you are not familiar with the term "insertion string", then I highly recommend my previous post about event message files before you read on.

Consider the following hypothetical example: The environment-monitoring component of EventSentry logs event id 10908:

The temperature (78.21 degrees F) has fallen outside the configured range (60F to 76F).

which is defined as:

The temperature (%3 degrees %4) has fallen outside the configured range (%1%4 to %2%4).

This event obviously informs us, that the current temperature has exceeded a set limit. Now let's say that we wanted to get an email when the temperature exceeds the limit, but also send a page when the temperature exceeds 90 degrees.

The new filtering feature allows you to do just that, by using the numerical comparison functionality with insertion strings (of course you would also need to set the hour/day properties). Assuming that you already have a filter in place for regular email notifications, you would simply setup an additional include filter that would evaluate insertion string 3 (%3) and only match if the number is above 90. See the screen shot below for the example. The result is a filter that only matches when then the temperature exceeds 90 degrees.

2.91 also includes two more comparison options, file checksums and group membership. So, if an insertion string represents a filename (e.g. from a security event), then EventSentry can create a SHA checksum from the specified file and compare it with the value that you specified. Another example would be a security event that includes a username in an insertion string, in which case you could setup a filter that would only match if that user is a member of particular group you specify. Both examples are mostly applicable for security events, since those are most likely to contain either filenames or usernames.
Using file checksums, you can be notified whenever a user plays solitaire, even when the user renames the executable.

Simply create a checksum of the file first using shachecksum.exe (included in the free NTToolkit, make sure you account for different OS versions and platforms) and intercept the corresponding 4688 event.

Service Monitoring
Service Monitoring now collects the username as well as the executable of a service. These additional properties are available in the web reports and in events generated, for example when the username of a service changes.

Software Monitoring
Software monitoring has been overhauled in 2.91, and some limitations and bugs have been removed. On Vista, Win2k8 and later, Windows patches are now monitored and included in the software inventory. 64-bit software is now classified as such and searchable, and searching for installed Windows Updated patches has also been simplified.

SNMP Traps
EventSentry can now send version 2c and version 3 traps, previously only version 1 traps were sent by the agent. The SNMP trap daemon was originally set to be released as part of 2.91, but this feature has been pushed back to v2.92.

Web Reporting
We have made a number of improvements in the web reporting to make using our web-based interface easier:

•    Reports are now easily accessible from every page, in addition to the reports page.
•    The database usage page now shows the actual page name in addition to the table name.
•    The dashboard page has been overhauled
•    The network status page can be customized (performance counters & disks)

Miscellaneous Improvements

There have of course been other improvements across the board, such as:

•    Notes can now be applied to computers
•    AD-linked groups can be sorted, and authentication properties can be set globally
•    Hardware monitoring now includes the IP address of an interface
•    Process tracking can capture the command line of a process
•    Logon tracking includes group information
•    File checksum generation has been optimized and will now use fewer CPU resources (affects file monitoring and file access tracking)
•    The minimum database interval for environment monitoring has been reduced to 5 minutes from 15 minutes
•    Software uninstallation events now include the same information as software installation events

If you have an active maintenance agreement, then this 2.91 release will of course be free of charge. If you are not already using EventSentry, then you can download a free 30-day evaluation version from http://www.eventsentry.com/downloads_downloadtrial.php.

Happy Holidays,
Ingmar.

Group Policy Software Deployment: Targeting the right computers with WMI filters

2009-10-20T03:04:03Z

Group policy was introduced with Windows 2000, and is an easy way of centralizing many Windows settings. In addition to centralizing event log and firewall settings, I personally like the ability to deploy MSI-based software applications with Group Policy, since it makes it extremely easy to deploy new software packages.

Even though Software Installation only works only with MSI-based packages, it does make deploying MSI-based software packages extremely easy. Here is a short list of software (mostly tools for sysadmins) that you can deploy using Active Directory:

7-Zip
Firefox (from FrontMotion)
Foxit Reader (a PDF reader)
TortoiseSVN
ActivePerl
Python
SourceGear Vault Client
OpenOffice (I have not tried this)
Adobe Flash (requires custom download)

There are of course many more, and you can distribute most Microsoft client applications, such as Microsoft Office, through Group Policy as well.

We generally deploy software through Group Policy when three or more computers use it, since it's very easy to create a new package (if you already have a network share etc. setup, then you can literally do it in 2 minutes).

Before I list some of the useful WMI queries we use to target certain operating systems or computer types, there are a couple of things to note for those who are new to software deployment via group policy:

Software packages are always installed right after a reboot, so they're mostly suitable for workstations.
The network share which hosts the MSI files needs to give the computer accounts (e.g. DESKTOP1$) at least read access. Generally, giving EveryOne Read access works well unless you have a reason to restrict access to the software packages that you distribute.

Since the mechanism to distribute software is based on group policies, any sort of software package you create inside a group policy, will need to be assigned to an organizational unit (OU).

Since OUs can contain a large amount of computers that might not all need that particular software package, you can use two techniques to narrow down which computers receive the software:

Security Filtering
WMI Filtering

Security Filtering
With this method, you create a security group in ActiveDirectory, place the computers that should get a particular software package into the group, and then specify this group in the Security Filtering list.

The screen shot below shows a group policy that will only be applied to members of the "Source Control Computers" group:

WMI Filtering
With this method, you can filter the computers which are affected by your policy, based on common properties of the Operating System. For example, some packages might distinguish between 32-bit and 64-bit, some packages might only work on Vista or later, whereas other packages apply only to servers. With WMI, you can target the right computers without having to mess with group memberships (though you will probably still need to do that). For example:

32-bit vs. 64-bit computers
only workstations
only computers running a certain OS
only computers with a certain amount of RAM
only computers of a certain brand

With WMI filtering, you just create the software group policy, for example:

7-Zip 32-bit
7-Zip 64-bit

and then apply the respective WMI filter to them. But lets cut to the chase, here are a few WMI queries that you can cut & paste:

Operating System 32-bit
Select * from Win32_Processor where AddressWidth = '32'
Operating System 64-bit
Select * from Win32_Processor where AddressWidth = '64'

Workstation
Select * from WIN32_OperatingSystem where ProductType=1
Domain Controller
Select * from WIN32_OperatingSystem where ProductType=2
Server
Select * from WIN32_OperatingSystem where ProductType=3

Some filters require multiple WMI queries, which are just chained together.

Workstation 32-bit
Select * from WIN32_OperatingSystem where ProductType=1
Select * from Win32_Processor where AddressWidth = '32'
Workstation 64-bit
Select * from WIN32_OperatingSystem where ProductType=1
Select * from Win32_Processor where AddressWidth = '64'

Windows XP
Select * from WIN32_OperatingSystem where Version='5.1.2600' and ProductType=1
Windows Vista
Select * from WIN32_OperatingSystem where Version='6.0.6002' and ProductType=1
Windows 7
Select * from WIN32_OperatingSystem where Version='6.1.7600' and ProductType=1

Windows 2003
Select * from WIN32_OperatingSystem where Version='5.2.3790' and ProductType>1
Windows 2008
Select * from WIN32_OperatingSystem where Version='6.0.6002' and ProductType>1
Windows 2008 R2
Select * from WIN32_OperatingSystem where Version='6.1.7600' and ProductType>1

WIN32_OperatingSystem of course includes more information that can be useful for WMI queries, such as a descriptive name of the installed OS ("Name") as well as the service pack installed ("ServicePackMajorVersion").

Manufacturer (e.g. DELL)
Select * from WIN32_ComputerSystem where Manufacturer = 'DELL'

Installed Memory (e.g. more than 1Gb)
Select * from WIN32_ComputerSystem where TotalPhysicalMemory >= 1073741824

Like I mentioned earlier, this is merely a small sample of the possible WMI queries one can use to filter group policies, but they should cover most relevant scenarios. Feel free to suggest other useful WMI queries and I will include them here.

For more information, check out these resources on WMI:

WMI
Secrets of Windows Management Instrumentation
Scriptomatic (Vista/Win2k8/Win7: run as administrator!)

Happy querying,
Ingmar.

Get your KIX on route 66 - Powerful (login) scripts made easy with KiXtart

2009-09-17T21:07:39Z

Route 66 was a US highway that connected Chicago with Los Angeles (or vice versa), with a total length of almost 2500 miles (for the rest of world using the metric system: almost 4000 km). It was established in 1926 and Nat King Cole first recorded the song "(Get Your Kicks On) Route 66" in 1946.

Completely unrelated to Route 66 of course is KiXtart, a free, free-format scripting language for Windows.

I first ran across KiXtart back in '99, when I was looking for a scripting language that I could use to write login scripts in a NT4 network. My goals back then were simple, and included the ability to map printers and shares depending on the user and/or group membership.

I was already familiar with Perl back then, and would have preferred to use that, if it wouldn't have been for the requirement to install Perl on every workstation. Things have changed since then of course, and installing Perl today on every workstation in your domain would be rather simple with GroupPolicy (ActivePerl provides a MSI).

Still, KiXtart is a surprisingly simple and flexible scripting language that will allow you to accomplish most anything (not only in regards to login scripts) with extremely little effort. KiXtart also supports Windows 9x clients, if you are in the unfortunate position to take advantage of that functionality.

So what can you do with KiXtart? Here is an overview:

Read and/or write to the registry
Manage the event log
Add printer or network share connections
Create shortcuts, program groups etc.
Read and/or write from/to files
Retrieve system information (memory, hostname, IP address, ...)
Get group information
And much more ...

There really is little you cannot do, and most tasks can be accomplished with as little as one or two lines of code. How about some practical examples of what you can do with KiXtart:

Map the color laser printer to all members of the "Marketing" group at logon.

Map a network share depending on the network location (e.g. IP address) of a user.

Query registry values or log information to the event log.

Add a shortcut or program group

Change the wallpaper :-)

The KiXtart web site has the complete documentation for all commands and functions that are at your disposal, and you can download them in a variety of formats (I recommend the CHM format) from http://www.kixtart.org/?p=manual.

But that's all nothing but dry theory, so I will show you how to create a KiXtart script that accomplishes the following:

Creates a printer connection depending on the group membership of the user
Maps network shares depending on the group membership
Displays a warning message if the latest service pack is not installed
Maps another network share only if the user is in a certain IP network
Display a warning if the password is older than 180 days

1. Creating a printer connection

IF INGROUP("MARKETING")
        ? "Connecting to color laser ..."
        ADDPRINTERCONNECTION("\\PRINTSERVER\COLOR_LASER_1")
ENDIF

In this example we are taking advantage of two functions, INGROUP and ADDPRINTERCONNECTION. I think they are fairly self-explanatory. If the currently logged on user is in the MARKETING group, then a printer connection to \\PRINTSERVER\COLOR_LASER_1 will be established.

2. Mapping network shares

The same INGROUP feature can be used to add network connections as well, so here is how you can control connections to network shares based on group membership

;Map Home Directory
USE G: "\\FILESERVER\@USERID"

IF INGROUP("Marketing")
        USE I: "\\FILESERVER\Marketing"
ENDIF

IF INGROUP("SALES")
        USE J: "\\FILESERVER\Sales"
ENDIF

In this example I introduced macros (@USERID), another powerful feature of KiXtart. By default, pretty much any system property is available as a macro (macros always start with the @ symbol). @USERID contains the user name of the currently logged on user, but there are others, such as:

@ProductType (OS type, e.g. "Windows Vista Ultimate"
@Wksta (computer name)
@LDomain (logon domain)
@CSD (service pack information)
@CPU (CPU information)
@Address (MAC address of network adapter)
@IPaddress0, @IPaddress1, ... @IPaddress3 (IP address of xth network adapter)
@PWAge (password age)

Lines that contain comments in KiXtart start with a semi-colon.

3. Display a warning based on the service pack number

KiXtart also includes a variety of functions for handling strings. We can use the @CSD variable to get the service pack information:

? "Service Pack: " + @CSD

which will yield something similar to

Service Pack: Service Pack 1

In order to display a dynamic message, we can get the last character and evaluate it. So let's display a warning message if a user is running Vista with a service pack smaller than SP 2:

IF INSTR(@ProductType, "Vista") > 0
IF RIGHT(@CSD, 1) < 2
    MESSAGEBOX("Important Message from your IT Department" + @CRLF + @CRLF + "Your computer is not running the latest service pack, and will be upgraded tomorrow automatically at 10am. The upgrade will take approximately 30 minutes, and you will not be able to use your computer at that time." + @CRLF + @CRLF + "Thank you for your understanding.", "Service Pack Installation", 48)
ENDIF
ENDIF

The INSTR() function checks whether a string appears inside another string, and the LEFT() function retrieves the specified number of characters from the beginning of a string.

4. Map a network share depending on the IP address

Let's imagine that we have a network share with lots of really large files (e.g. corporate training videos and more) and that we only want to map this share if a user is in the headquarter, opposed to a satellite location which has a slow access speed.

IF LEFT(@IPADDRESS0, 11) = " 10. 10. 0"
         USE Z: "\\FILESERVER\TrainingVideos"
ENDIF

Now the network share is only mapped if the user is in the 10.10.0.0/24 subnet. You can also use the EnumIPInfo() if you need to get more information from the network adapter.

5. Display a warning if a password is old

Most networks require users to change their passwords on a regular basis, but wouldn't it be nice if we could give our users a one-time warning before they are faced with the inevitable prompt that requires them to change their password?

$PasswordWarningThreshold = 170

IF @PWAge = $PasswordWarningThreshold
   MESSAGEBOX("Your password is " + $PasswordWarningThreshold + " days old and will have to be changed in 10 days. Please think of a really good password in the meantime.", "Password Expiration", 64)
ENDIF

In this example I also introduced variables, which are specified with the dollar sign. These are simplified examples, and there is a lot more you can do. For example, using the registry functions, you can save user responses and previous alerts in the registry, and later read them again.

So, forget multiple logon scripts or batch scripts using "NET USE" commands. With KiXtart, you can have one central login script that can adjust dynamically to the user, location, operating system or even the computer itself.

To get started, simply follow these steps:

Create a batch file (e.g. login.cmd) with the following line:

%0\..\WKix32.exe %0\..\login.kix
Create the actual login script for KiXtart, e.g. "login.kix"
Assign the login script login.cmd to all user accounts that require them

That's it. You don't have to install anything on the client computers, and you now have a single login script for your entire network.

Until next time,
Ingmar.

Wish Sandwich - 5 (free) tools we wish Windows had

2009-08-13T11:53:20Z

"Have you ever heard of a wish sandwich? A wish sandwich is the kind of a sandwich where you have two slices of bread and you, hee hee hee, wish you had some meat..."

These are part of the lyrics from the "Rubber Biscuit" song by "The Chips", covered by the Blues Brothers in 1978. At the time, UNIX was almost 10 years old, the first version of BSD had been released, and Microsoft had their office in Albuquerque with Bill Gates being 23 years old.

It would take almost another 20 years before Windows NT 4 would be released. But back to the future now.

Well, after working with Windows for about 15 years now, I also wish that the base set of utilities that ship as part of Windows would have been updated and improved. It might seem odd, but one of the first things I do when I install a new release of Windows, is to open notepad, the calculator and paint - to see if they have improved.

Somewhat surprisingly, Windows 7 brings a lot of improvements to the core utilities that ship with Windows. Microsoft not only spiced up Paint and Wordpad by giving them the "Ribbon", but also improved the calculator in ways never imagined before. Yeah!

But these improvements do not satisfy a long-time Windows user! Having worked with Linux, OS X and Windows since the 3.0 days, I have my own list of apps that I use to substitute or extend some of the archaic tools that ship with Windows.

And here they are:

1. Notepad
What we know today as "Notepad", was first seen in Windows NT 4.0. When Windows 2000 came out, notepad hadn't changed. Well, fair enough - it had only been 4 years after all. A short while later Windows XP was released with a bang, but notepad was still the same. Windows 2003 showed that an upgrade to notepad obviously had low priority, and the release of Vista confirmed to me that notepad was clearly no longer under development. The recent release of Windows 7 crushed my hopes of Microsoft ever releasing an updated version of Notepad. Sigh.

So, why was Notepad left behind? Well, I have a few theories:

a)    The developer who originally developed Notepad has left the company, and nobody at Microsoft understands the existing code enough to make modifications.
b)    Companies developing third-party editors formed a powerful, mafia-like lobby, threatening Microsoft (presumably kidnappings) to never ever release an update to notepad, to ensure that third-party editors will continue to sell well.
c)    Microsoft deems Notepad complete, and cannot imagine how this robust application could be improved.
d)    Windows applications do not use text files, since all configuration is stored in the registry or databases. Even though unneeded, Notepad is provided as a courtesy and might be excluded from future version (like, telnet.exe!).

Whatever the reason (I may never find out), fact is that Notepad hasn't been updated in 13 years, and since Windows 8 won't be out until 2012, probably won't change in 16 years. That's a lot of years for a software program.

Line Numbers?
Basic syntax highlighting?
Anyone?

So what could replace Notepad? Why, Notepad2 of course! To be fair, there are more powerful editors out there than Notepad2, but it's free, light-weight and fast. Florian's Notepad2 supports line numbers, syntax highlighting, line highlighting, encodings, Unix/Windows line endings, transparency and much more. An extended version from Kai Liu is also available here, most notably including code folding abilities. Tabs are not supported in either version, unfortunately.

My other favorite editor is Ultraedit, as it includes pretty much any feature you could ever want from an editor. A nice feature, for sysadmins in particular, is the ability to switch environments. The "System Administrator" view for example, allows you to show SSH/telnet/FTP windows along with the editor windows.

2. Command Prompt
Yeah, this hasn't changed much since the early days either, though the introduction of the PowerShell deserves some credit. Using Linux regularly though, I miss some of the features like tabs, transparency and so forth.

The good news is, there is an excellent substitution out there called Console. The latest beta of version 2 features transparency, multiple tabs, appearance options and is free. It's so free, that they even give you the source code if you want it! It works on all the machines I use (mostly Vista, soon to be Win7) and I'm very happy with it overall - though it is a beta still and you might run into a glitch every now and then. I sit around in the command line a lot, and having multiple tabs open is nice.

One option I really like is the ability to show the currently executing command as the tab title, which is useful because you can see when a long-running process finishes (see screenshot above where fping is running in the 2nd tab).

When downloading, get the latest beta and simply extract all files from the

Console2\bin\release

folder to a directory of your choice.

3. Desktops / Spaces
Linux, and Unix, had multiple desktops since the industrial revolution. Well, at least it seems that way. I'm not sure why this hasn't been added to Windows yet, given that:

•   Every major Operating System OTHER than Windows includes it
•   Microsoft provides a tool (part of Sysinternals) that offers this functionality

Yes, in the age of affordable large monitors, multiple desktops aren't really that necessary anymore. But, many of us still work on laptops and having multiple virtual desktops can help group different work into different workspaces.

I recommend Sysinternals' Desktops, but there are more tools out there that do the same thing - though they are not all free.

4. Launchy
It indexes all of your applications in the start menu, and you can simply launch them by typing their name - or part of their name. No longer do you have to wade through dozens and dozens of menu items just to find a shortcut. Simply launch Launchy with ALT+SPACE and type a couple of letters. Voila!

5. PuTTY
If you work with Windows and UNIX/Linux machines, then it's pretty much impossible that you haven't heard of PuTTY. It's a free SSH client that no only provides SSH/Telnet functionality, but also comes with other SSH-related utilities like PSCP, PSFTP and PLINK (see previous post on this).

I'd love it if Windows would ship with a command-line SSH client, just like all UNIX and Linux distributions do.

Of course there is more, but these are the tools "desktop" that we really use on a daily basis.

If your computers are in an Active Directory domain and you want to roll out some of these tools with your computers by default, then I recommend reading our previous post: Your favorite tools and utilities always available everywhere.

What do you want for nothing?

Rubber Biscuit?

Firefox .NET Framework Assistant Paranoia

2009-06-05T15:09:58Z

There has been a lot of concern and uproar recently about the .NET Framework Assistant Firefox Add-On (plug-in), that Microsoft silently installs with the Microsoft .NET Framework 3.5 Service Pack 1 (which was pushed in early 2009 with Windows Update). As such, if you are using Firefox, then there this is a very high probability that you have this Firefox Add-On installed, maybe even without knowing it.

To quote Microsoft: "In the .NET Framework 3.5 SP1, the .NET Framework Assistant enables Firefox to use the ClickOnce technology that is included in the .NET Framework."

There are dozens of blogs that complain about the security implications, how the Add-On cannot be uninstalled and eventually post instructions on how to remove the Add-On from your computer, essentially implying that the AddOn harbors major security risks. Contrary to most Firefox Add-Ons, this one can't be uninstalled through the browser since it was installed at the "computer level". As such, you have to remove files from the file system and modify the Firefox configuration to disable it.

I'd have to admit that I haven't heard much about the ClickOnce technology before this sneaky little AddOn was set free, and the buzz words one reads in all the blogs, newspapers etc. certainly have the potential to make one uneasy and follow the surgical removal procedure without much hesitation:

Microsoft installs .NET AddOn without user approval!
AddOn can't be uninstalled
AddOn silently runs .NET applications without user knowledge!
ActiveX security hell is back!

So is the AddOn a security risk and do you have scramble to rip it out? Not in my opinion, and I will explain why.

In this post I will clear up some misconceptions about the ClickOnce technology, but also show you how to remove the AddOn from any number of computers with a few clicks - using our new AutoAdministrator 2.0 - just in case you do want to rip it out :-).

What most people don't know, is that the ClickOnce "technology" is already present in Internet Explorer, and is not even close to what was/is possible with ActiveX applets.

ClickOnce applications run in a sandbox, similar to Java, and - by default - do not have any permission outside the sandbox. As such, a web site can't just install a trojan horse or spam client on your computer - at least not using ClickOnce. The users permission is asked before elevated permissions are assigned to the application, and software that's being installed can be signed - just like Windows applications are. Please see the Microsoft article below for more information on ClickOnce deployment and security:

ClickOnce Deployment and Security

So the AddOn is really just a gateway into something that is already on your system in the first place - .NET. Java does the same thing, and the AddOn Microsoft provides is likely much leaner than the Java plugins - and doesn't register a new plugin with every new Java update that is released.

Don't get me wrong - Microsoft could have handled this much better, and the inability to uninstall the AddOn really doesn't help their case.

Oh, and by the way, to see a sample ClickOnce application then you can click here. It's hosted by the author of the FFClickOnce Firefox AddOn, a predecessor of the .NET Framework Assistant if you will.

However, Microsoft has recently provided information on their site that outlines the required steps to remove the Add-In from Firefox, and has also released an update that will allow you to uninstall it on a per-user basis. Keep in mind that even with this update, every user would have to uninstall the Add-On manually:

Update to .NET Framework 3.5 SP1 for the .NET Framework Assistant 1.0 for Firefox

Having said all that, you might still want or have to remove the AddOn from multiple computers if you need to remove the ability for your users to run ClickOnce applications from Firefox. The good news is that you can remove all files as well as all registry entries that are associated with this Add-On from any number of computers within a matter of minutes -- using AutoAdministrator.

AutoAdministrator integrates with ActiveDirectory, and lets you query/modify files, services, registry entries and more on any number of computers with the click of a few buttons. Read on to find out more.

Microsoft states that you need to perform three steps to remove the Add-On (official removal instructions - KB963707):

1. Delete the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions\{20a82645-c095-46ed-80e3-08825760534b}

2. In the Firefox preferences (about:config), right-click the general.useragent.extra.microsoftdotnet property and select "reset".

3. Delete the folder %SYSTEMDRIVE%\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\DotNetAssistantExtension.

We can accomplish (1) and (3) with AutoAdministrator, which does remove the Add-On. It doesn't reset the setting inside Firefox (2), but that should be merely a formality without the actual plug in. Our tests have shown that the plug in is gone after deleting the registry key and the directory on the file system.

There are two prerequisites for this to work: Your remote machines need to have the remote registry service running (you can temporary toggle that too with AutoAdministrator if it's not running!) and the ADMIN$ share needs to exist.

As with all things you can do with AutoAdministrator, you should be very careful. We cannot take any responsibilities if you end up corrupting your Firefox installations, or worse, the Windows OS.

So, fire up AutoAdministrator and select the computers you want to uninstall the pesky Add-On from in the right pane. Then, select "Registry" from the toolbar and paste the key from step one in there and select "Delete key".

The screen shot above shows the result list, using the "Read Value" option. To actually delete the key, you would need to select "Delete key". Machines that are turned off are displayed as "Ping Failure: ...", and machines that don't have the Add-On installed show a Windows API error message.

When you are doing ripping the registry settings out, you can delete the folder as well. This time, select "File Management" from the toolbar, and paste the directory in there. Note that the remote path should start with ADMIN$, as shown in the screen shot below:

You can also save these settings as a preset, so that you can retrieve these settings at any point in the future with the click of a button.

I hope this information helps you make an informed decision as to how to proceed with the AddOn if it's already installed in your network. You can

Leave it
Give your users instructions on how to disable it
Roll-out the Microsoft patch to give your users the ability to uninstall it ( arguably identical to (2) )
Remove it from all systems with AutoAdministrator or scripts

I think if this exercise reveals anything, then it's that Firefox's AddOn framework leaves some room for improvement. For example, why did Firefox not inform me that this AddOn had been installed? Skype also silently installs an AddOn, though that can be removed easily.

And if you're really serious about browser security, then you might want to check out the Flashblock AddOn. It disables all flash animations by default, leaving placeholders that you can click to load any flash animation. This improves page load times, can help suppress annoying flash-based ads and of course helps security. I haven't tested it on many sites yet, but it can quickly get annoying if you're accessing a lot of web sites that contain reporting widgets that are flash-based.

So long,
Ingmar.

Auditing Changes to Microsoft SQL Server Database Tables

2009-05-15T17:11:21Z

Database servers store massive amounts of data, often including sensitive information. It is not uncommon for there to be databases holding millions of rows of data, where a small subset of rows are considered critical or sensitive. This could be anything from a Social Security number to an EventSentry entry of a security event. Being notified when existing data in your database changes is crucial for log data, and can be accomplished by using triggers with Microsoft SQL Server.

For those of you not familiar with triggers, a database trigger executes code in response to events on a table or database. Triggers are essentially hooks into a table, and they usually execute SQL statements as a response to another SQL statement.

Since we love the windows event log, we'll take advantage of SQL Server's ability for triggers to log an event to the event log when a row in a table is modified. This allows us to not only log that activity, but also get notified immediately when suspicious or important activity occurs in the EventSentry database.

In EventSentry, we have a table named ESEventlogMain that stores Windows event information. This table constantly gets new data inserted into it, and it often gets purged as well to manage the size of the database. However, there is no reason this data should ever be modified. If it is, then we know that something is amiss and we want to trigger an event in the event log. It is also useful to know what account made that change.

The first step is to create the message in SQL. You can use this SQL statement to create it:

sp_addmessage 80000, 10, 'Data Integrity Alert: %s', @with_log = TRUE

The first argument is a unique SQL server message ID that should be 50001 or higher, you can delete it again using sp_dropmessage. The number 10 is the severity level, but you can read more about the different options for sp_addmessage here.

Now we create the trigger that will use this message:

CREATE TRIGGER Trigger_ESEventlogMain_Modified ON
ESEventlogMain
FOR UPDATE
AS

IF UPDATE(eventmessage) OR UPDATE(eventid) OR UPDATE(eventtime) OR UPDATE(eventcomputer)
BEGIN

     DECLARE @Msg VARCHAR(8000)
     DECLARE @EventNumber INT
     DECLARE @EventID INT
     DECLARE @Computer VARCHAR(255)
     DECLARE @EventMessageOld VARCHAR(8000)
     DECLARE @EventMessageNew VARCHAR(8000)

     SET @EventNumber = (SELECT eventnumber from deleted)
     SET @EventID = (SELECT eventid from deleted)
     SET @Computer = (SELECT A.eventcomputer from ESEventlogComputer as A, deleted as B WHERE A.id = B.eventcomputer)
     SET @EventMessageOld = (SELECT eventmessage from deleted)
     SET @EventMessageNew = (SELECT eventmessage from inserted)

     SET @Msg = 'ESEventlogMain modified by ' + CONVERT(VARCHAR(20), USER_NAME(USER_ID())) + ' at ' + CONVERT(VARCHAR(20), GETDATE()) + '. Computer: ' + @Computer + ', Event ID: ' + CONVERT(VARCHAR(8), @EventID) + ', Event Number: ' + CONVERT(VARCHAR(16), @EventNumber) + ', EventMessage (old) =' + @EventMessageOld + ', EventMessage (new) = ' + @EventMessageNew

     RAISERROR( 80000, 10, 1, @Msg)
END

This creates a trigger which will generate an event when the eventmessage column in the ESEventlogMain table is modified. You can remove the "IF UPDATE(eventmessage) ..." clause (as well as the BEGIN & END statements) if you want to be notified of any changes to that table, this might however create some noise since acknowledging events will also perform an UPDATE on this table.

FYI: "deleted" and "inserted" are keywords that refer to either the old record that was updated (=deleted) or the new data (=inserted).

As you can see from the screen shot above, the message text from a logoff event was renamed to "Trigger Test". So now that the event is in the event log, we can set up a filter in EventSentry to alert us:

Events generated from triggers always have the event id 17061, so it's a good idea to restrict the filter further using the "Content Filter" field. From now on, when the ESEventlogMain table is modified, we will get an entry in the event log as well as an email.

Just remember that any database administrator can delete or modify triggers, so it's crucial that you keep dba access to your database as restricted as possible.

Please see the Table Relationships topic in the EventSentry help file for more information on the database tables used by EventSentry.

Best,
Tames, Ingmar + Ryan.

]]>

Running Linux applications on Windows - over the network with Xming

2009-04-19T13:19:10Z

I always find it interesting to see clothes and accessories that were in fashion 30 years ago, make it back into the mainstream. It seems like the computer industry also goes in cycles every now and then.

Back in the early days of computing – before the dawn of the glorious PC era – there were few powerful servers that were accessed by dumb terminals. The emergence of the IBM PC changed all that and eventually led to the rich clients that most of us have under our desks today. The traditional PC desktop however causes quite a bit of management overhead – especially in large organizations – which appears to be leading to the re-emergence of “dumb” terminals that access a powerful – well – terminal server. Only this time we have a fancy user interface.

If you have worked with Unix-like operating systems before, then you’re probably familiar with the X windows system, though most people don’t know about the X Windows system’s (from now on referenced to as X11) network transparency. In essence, you can run an application on host A, but actually display and interact with the application on host B. Furthermore, you can actually utilize X11 to remotely log into a host running X11 without the need to install additional software on that host – provided that X11 is configured to support this. The screenshot below shows this a bit better.So what does this mean in practice? You can install a resource-hungry application on a dedicated and powerful Linux host, yet run and execute the application on a different, less powerful Linux machine – even if that machine is not even running Linux. What’s even better is that those remote applications appear just like any other application on your desktop. Citrix calls this “application publishing”, and Microsoft introduced “TS RemoteApp” with the Windows Server 2008 platform. Yet, X Windows has offered this functionality for decades - from the very start.

But what makes this feature really interesting for us windows admins (or Unix admins that, for whatever reason, have to use a Windows workstation), is the fact that you can install an X server on your windows machine and run Linux applications “natively” on it – thanks to the open-source project Xming).

Xming, according to the project web site, is the “leading free unlimited X Window Server for Microsoft Windows® (XP/2003/Vista)”. There have been security concerns in the past when using X11 remotely, but by tunneling X11 traffic through SSH, Xming is actually quite secure and doesn’t usually require any configuration changes on the host running X11 (phew!).

When tasked with either cross-platform system administration or development, the discovery of Xming opens up a door of possibilities. For example, you can edit remote configuration files conveniently by running your favorite Linux editor on your Windows desktop, or run a terminal like gnome-terminal. Why run a terminal through X-Windows when you can just use an SSH app like PuTTY? For one thing, you can launch GUI applications directly from the terminal (e.g. ‘gedit &’) on your Windows desktop. Of course, you can also play a Linux game on Windows that way.

If you’re a cross-platform developer, then you can execute a Linux/Unix development studio (e.g. eclipse) on your Windows box – and it appears just like any other Windows app. And since it’s technically running on the Linux box, compiling on your Windows app really compiles it on the remote platform (e.g. Linux). The responsiveness of applications is also quite good, at least over an Ethernet connection.

This technique also works for multiple end users, so it’s also possible to connect to one Linux machine from multiple Windows machines and run Linux apps. The Linux machine really acts like a terminal server in this case.

Let’s look at how to run a Linux app on a Windows desktop. I used Ubuntu 8.10 and installed Xming on a Vista laptop. So, download & install the following Xming packages from http://sourceforge.net/project/showfiles.php?group_id=156984:

Xming
Xming-fonts

Then, start XLaunch from the start menu and select the following options:

Multiple Windows
Start a program
Start program: Enter the application you want to launch there. E.g. gnome-terminal, gedit, mahjongg or whichever remote application you want to run “locally”
Run remote – using PuTTY: Select this option and specify the computer name, user name and password.
On the next step, simply leave the default options in place, click “Next” and “Finish”.

You should now have a little X icon on the tray, and the application you selected should be running on your desktop. The screenshot below shows gnome-terminal and gnome-text-editor running on my Vista machine.

Xming uses plink.exe (see also: http://www.eventlogblog.com/blog/2007/12/plink-or-issuing-ssh-command-o.html) internally to execute apps, whose display is then redirected to our local Windows client, on the remote host. You can also save these settings in a configuration file and create a shortcut on your desktop or start menu.

If the XDMCP protocol is enabled on the Linux/Unix host (disabled by default on most distributions for security reasons), then you can log into the remote host for a complete remote session similar to VNC or other remote desktop applications. But again, keep in mind that XDMCP transmits data in clear text over the wire (using both TCP and UDP), and as such is an insecure protocol that should only be enabled in trusted networks. To log in remotely with Xming, select the following options after starting XLaunch:

One Window
Open session via XDMCP
Specify the remote host name

One last tip regarding Xming: If, at some point down the line, you are unable to launch remote apps on your desktop, even though the X tray icon from Xming is present, then try to reset the X server by right-clicking the tray icon and choosing "Exit".

Well, I hope this gives you a starting point and helps ease the pain when maintaining heterogeneous network environments.

Until next time,
Ingmar.

Finding a crashing TAPI driver and re-organizing svchost.exe

2009-03-14T04:07:58Z

We recently had to troubleshoot an interesting problem on a Windows XP workstation that had just been recently installed. There was nothing unusual about that computer: It was a member of a domain, had all the latest patches, AntiVirus software and of course the EventSentry agent installed.

What happened daily was this: The computer would boot up ok without any problems, but at some point several windows-related error messages would be emailed to us by EventSentry, after which remote access (with the exception of a basic ping) to the computer was impossible. This made troubleshooting this problem particularly difficult since it was located in a remote location. The user of that workstation never actually reported any problems, but the wealth of error message we received from the event log confirmed that something was wrong on that computer. And, since we believe in preventative maintenance, we decided to take a look and get to the bottom of it.

Further investigation of the computer showed that a number of critical services (e.g. Server service) would be stopped a couple of hours after the computer had booted, explaining why we couldn't access the computer remotely anymore. Of course we didn't yet know why these services were stopping.

We briefly considered re-installing the computer in question, but since it had just recently (less than a month ago) been installed, the problem would probably just re-surface again later. Any search for malware also didn't yield anything.

At this point I started to review the event log history of the computer in more detail through the EventSentry Web Reports. Since we were collecting event logs from that computer (which worked well, even when we couldn't access it remotely), viewing and searching for events was fast and easy (even though the computer was across a WAN and essentially unreachable).

I didn't expect to find much (critical events had already been emailed to us), but I browsed through the application and system event logs anyway and came across an interesting event:

Event Log:    Application
Event Type:   Error
Event Source: Application Error
Event ID:     1000
Message: Faulting application svchost.exe, version 5.1.2600.5512, faulting module xxTSP3x.tsp, version 1.0.0.1, fault address 0x000f1528.

Even though this was an error event, we didn't actually receive it via email since we had earlier decided to exclude all "Application Error" events - due to the overwhelming noise that various crashing executables on workstations usually generate.

Svchost.exe is a generic host process, and Windows XP (and later) run multiple services as part of a single svchost.exe process. On Vista for example, a single svchost.exe process might host as many as 18 services - all part of a single process. Windows usually runs multiple svchost.exe processes, all "hosting" one or more services. This makes troubleshooting problems with the svchost.exe process somewhat difficult, since a faulting svchost.exe process can potentially point to dozens of services. My Vista machine runs 67 services inside only 16 svchost.exe processes. Using the tasklist.exe command, you can list all running svchost processes as well as the services running inside each of them:

tasklist /SVC /FI "IMAGENAME eq svchost.exe"

Image Name                     PID Services
========================= ======== ============================================
svchost.exe                    912 DcomLaunch, PlugPlay
svchost.exe                   1008 RpcSs
svchost.exe                   1072 WinDefend
svchost.exe                   1148 Audiosrv, Dhcp, Eventlog, lmhosts, wscsvc
svchost.exe                   1180 AudioEndpointBuilder, CscService, hidserv,
                                   Netman, PcaSvc, SysMain,
                                   TabletInputService, TrkWks, UxSms,
                                   WdiSystemHost, Wlansvc, WPDBusEnum, wudfsvc
svchost.exe                   1216 AeLookupSvc, BITS, Browser, EapHost,
                                   IKEEXT, iphlpsvc, LanmanServer, MMCSS,
                                   ProfSvc, RasMan, Schedule, seclogon, SENS,
                                   SharedAccess, ShellHWDetection, Themes,
                                   Winmgmt, wuauserv
svchost.exe                   1364 gpsvc
svchost.exe                   1480 EventSystem, FDResPub, LanmanWorkstation,
                                   netprofm, nsi, SSDPSRV, SstpSvc, TBS,
                                   upnphost, W32Time, WebClient
svchost.exe                   1600 CryptSvc, Dnscache, KtmRm, NlaSvc, TapiSrv,
                                   TermService
svchost.exe                   1872 BFE, DPS, MpsSvc
svchost.exe                    856 BthServ
svchost.exe                   2228 Net Driver HPZ12
svchost.exe                   2280 Pml Driver HPZ12
svchost.exe                   2304 PolicyAgent
svchost.exe                   2364 stisvc
svchost.exe                   2788 WerSvc

Note that the grouping of services varies from OS to OS - Windows Server 2003 combines different services than Windows XP does for example.

Back to our problem, the error event fortunately contains additional information, such as the module where the process crashed: xxTSP3x.tsp. If you are a bit familiar with TAPI, the Microsoft Telephony API, then you might know that files with the .tsp extension are TAPI Service Providers, essentially drivers that communicate directly with the phone hardware. Bingo - it was a problem with that TSP driver that caused the svchost.exe process to fail, which in turn killed all other services that run inside that same process. On a Vista machine for example, a crashing Telephony (tapisrv) service would mean that the CryptSvc, Dnscache, KtmRm, NlaSvc, TapiSrv and TermService would all terminate. What solitarity.

Coincidentally, the computer(s) in question where running a VoIP application that was utilizing this TSP driver, and was in fact having problems. No kidding you might say, if the underlying driver crashes. Fortunately we were able to get an update from the developers which ultimately resolved this problem.

Now, I couldn't help but wonder whether I could change the grouping of services. Let's just pretend that we wouldn't have been able to get an update for the driver quickly and would need to isolate the Telephony service, so that a crash of a TSP driver wouldn't affect the LanmanServer service (on XP the Telephony service is in a group with most critical system services, something that was changed in Vista). All I would have to do was create a new group that would only include the telephony service, and finally change the telephony service itself to point to that group. Turns out that this is possible!

As always, you might want to backup any registry keys that you modify before you make such substantial changes like the ones listed below:

1. Create a new svchost group called Telephony

Open regedit and navigate to HKLM\Software\Microsoft\Windows NT\CurrentVersion\svchost.
Create a new Multi-string value (REG_MULTI_SZ) with a descriptive name, I will use telephony in our example.
Associate the Tapisrv service with that group, so add that as the only value.
Find the existing group that is hosting this service (netsvcs on Windows XP), and remove Tapisrv from that list.
Create a new subkey with the name of the group (telephony)
Add the same values to this new key as are present from the original group. In our case I added two REG_DWORD values:

AuthenticationCapabilities = 12320
CoInitializeSecurityParam = 1

2. Change the service to utilize the telephony group
Now that the group has been created, we can change the service itself to point to the new svchost group. In the registry editor, navigate to HKLM\System\CurrentControlSet\Services\TapiSrv and edit the ImagePath value. Change it from

%SystemRoot%\System32\svchost.exe -k netsvcs

to

%SystemRoot%\System32\svchost.exe -k telephony

Note that we are changing the value that is passed through the -k parameter to reflect the name of the svchost group that we created earlier.

I rebooted the computer after the change, though this is probably not even be necessary. Voila, the telephony service now runs in its own svchost.exe process.

Image Name                   PID Services
========================= ====== =============================================
svchost.exe                  916 DcomLaunch, TermService
svchost.exe                 1000 RpcSs
svchost.exe                 1092 AudioSrv, BITS, Browser, CryptSvc, Dhcp,
                                 dmserver, ERSvc, EventSystem, helpsvc,
                                 LanmanServer, lanmanworkstation, Netman,
                                 Nla, Schedule, seclogon, SENS, SharedAccess,
                                 ShellHWDetection, srservice, Themes, TrkWks,
                                 W32Time, winmgmt, wuauserv, WZCSVC
svchost.exe                 1180 Dnscache
svchost.exe                 1292 LmHosts, RemoteRegistry, SSDPSRV, WebClient
svchost.exe                 2412 TapiSrv

I wouldn't recommend making too many changes to these built-in groupings unless you have a particular problem to solve, or want to ensure that potentially unstable or vulnerable services are isolated.

Well, thanks to EventSentry we got critical errors emailed to us, and were able to review the event logs even when those computers where unreachable - speeding up the troubleshooting process significantly. And, with a little research, I learned a bit more about the svchost.exe process and how to tweak the default Windows setup in that regard.

Hope this was helpful,
Ingmar.

Cleaning up Disk Space and automatic fragmentation reports via email

2009-02-11T16:15:00Z

Even though disk storage is cheaper and faster than ever, for some reason I still run into disk space problems on occasion. The most common disk space problems I run into is a full C drive (why would you need more than 4Gb for the OS?) or a database that grows too large.

We have found and utilized several tools over the past years and I am going to share some of my approaches to quickly identify space hogs, free up disk space and deal with fragmentation.

Once a machine is low on disk space one will usually want to find out which files use up the most space and move them to a new volume or send them to data heaven for good. There are a lot of tools out there that visualize disk space consumption on a volume, but my favorite by far is Windirstat. Windirstat uses a treemap which displays every file in a colored rectangle and was inspired by KDirStat from Linux (the original author really wants to make sure you know what the original is). The size of the rectangle is proportional to the file size, so you will either want to look for clusters of many small files (e.g. to spot lots of unneeded temp files) or for large rectangles to identify any files you might not need anymore. I find it incredibly easy to spot files that can be safely deleted with Windirstat. The screenshot below shows what Windirstat looks like on my Vista laptop with a 64Gb HD.

Of course, just running Windirstat alone doesn't mean that you will be able to find files that can be safely deleted. But once you have identified files that do occupy significant amounts of disk space, you can engage in research to determine whether these files can be compressed, moved or deleted. Usual candidates are the temporary files, pagefile, IIS log files, NTBackup temp files and temporary installer MSI files (more on that below).

Windows will sometimes cache and leave installer files on your C drive, even when the application is no longer installed or has been upgraded. Depending on how long ago the OS was installed, this can be between a few hundred megabytes or nothing at all. You can delete those so-called "orphaned cached Windows Installer data files" with the msizap.exe utility, using the G command-line switch. Using msizap has been the last resort for me a few times, freeing up significant space on the C drive of servers when nothing else could be moved or deleted. Msizap is part of the Windows Installer 4.5 SDK which can be downloaded from http://www.microsoft.com/downloads/details.aspx?FamilyId=6A35AC14-2626-4846-BB51-DDCE49D6FFB6&displaylang=en. The screenshot below shows msizap in action.

Now, after cleaning up all the space we'd want to defragment our drive as well, right? Disk defragmentation software has been around since MS-DOS, but people are still debating whether defragmentation software, especially commercial one, is worth the effort. It is sort of like taking multivitamins - it most likely doesn't hurt but there is no clear indicator that it cures diseases or makes you feel better after taking them.

Some operating systems, most notably Linux and Mac OS X attempt to prevent fragmentation as much as possible and don't even include defragmentation software, but the Windows software market is awash with both free and commercial defrag software. If you are interested in learning more about fragmentation and its cause, then Wikipedia has an article about defragmentation.

So is it worth it to use or invest in commercial defragmentation software? I think it depends. I have used various defragmentation programs over the last 10 years or so, and have seen one case where a MSSQL database on an extremely badly fragmented partition had became so slow that it was essentially unusable (yes, the database was for EventSentry :-) ). Defragging this partition with PerfectDisk solved the problem and the database was performing well after defragmentation. So yes, fragmentation can be bad if it gets out of control, though this is the only time I remember a defragmentation having such a significant impact. If you have a partition with little disk space available and lot write activity, then it will probably make sense to continuously defrag the partition to ensure optimal performance. Otherwise I think it is a luxury and will not yield significant disk performance benefits.

You can also use the -a switch of the defrag.exe utility that ships with Windows to analyze a drive and get basic metrics as to whether the drive should be defragmented or not. However, if you have a lot of machines then running defrag.exe on all of them manually can be tedious, especially since you would need to do that on a regular basis (e.g. monthly). Fortunately, you can use EventSentry's application scheduler feature to automate this task in three simple steps (in this example we will focus only on the system drive). Since the application scheduler logs output from any command-line utility you run to the event log, we can actually get an email when Windows thinks that a drive is fragmented.

Create an embedded script (e.g. DefragCheck.cmd) that runs "defrag.exe %Systemdrive% -a -v"
Create a system health package and add a new application scheduler object to it - making sure that both check boxes in regards to error levels are checked. Pick the embedded script @DefragCheck.cmd and schedule it to run. Everytime defrag.exe is executed, EventSentry will log an event to the event log with the output of defrag.exe.
Create a new event log package and add a filter that matches the events generated (Log=Application, Source=EventSentry, EventID=10200) and additionally looks for the string *You should defragment this volume*.

Voila - now you will get an email every time defrag.exe determines that a drive is fragmented - and only if it's fragmented.

Defrag.exe is of course only one of the many utilities out there that can determine fragmentation, and you will likely get different results from different utilities. For example, it's very likely that defrag.exe tells you that a drive is not fragmented, when a different software (e.g. PerfectDisk) will tell you otherwise.

One scenario where you definitely do NOT want to use defragmentation software is on SSD drives, as they usually don't suffer from the same random access delays and defragging will reduce the lifespan of the drive.

Best,
Ingmar.

Announcing AutoAdministrator v2.0

2009-01-06T16:46:44Z

After launching version 2.90 of EventSentry just a few months ago, we're excited to announce yet another major software release coming from NETIKUS.NET ltd - AutoAdministrator v2.0.

The last update of the 1.x series was released more than four years ago, so we decided to completely re-build it from scratch and add all the features that have been requested by our users since the last release. The result is a powerful tool that makes it unbelievably easy to apply changes to remote workstations and servers. Whether a change or query needs to be applied to one or 100 computers makes little difference with AutoAdministrator.

In a nutshell, AutoAdministrator lets you query or update a variety of Windows settings and services across any number of servers and/or workstations, without the need to create a script or perform the actions manually. Simply select the feature, computers (it integrates with Active Directory) and click start.

Let's say, for example, that you needed to obtain or set the value of a registry entry across 30 machines. By just using regedit, it would probably take you a total of 15 minutes to connect, retrieve the value, and paste it to an editor/spreadsheet and move on to the next machine. The same task, using AutoAdministrator, could be done in as little as 1 minute.

Querying the "Remote Registry" service status across multiple computers

This is just one example of course, as AutoAdministrator can control services, read/set registry values, query file information, copy/delete files, manage passwords, shutdown/reboot, query logged on users, ping hosts and manage ODBC connections.

As previously mentioned, AutoAdministrator integrates with ActiveDirectory, making it a breeze to manage computers that are part of a Windows domain. You can also pull computers from the Microsoft Windows Network or create custom groups to organize computers inside AutoAdministrator. If you need to connect to remote computers using alternate (administrative) credentials, then you can assign those credentials to any Active Directory OU, group or individual computer item.

The update process itself is fully threaded, making it possible to push updates in a very short time, even to a large amount of computers.

File Management dialog, mirror / copy the
C:\Batch directory to remote computers

Another new feature is the ability to create presets, making it a snap to repeat common tasks. Simply configure the feature (e.g. query service W3SVC), select the computers and save it as a preset. The next time you open AutoAdministrator, you can simply select the preset and click "Update".

We think that AutoAdministrator is an incredible time-saver for anybody who manages more than 10 computers, whether they are servers or workstations.

Here is a complete list of all features in the new AutoAdministrator:

Ping
Ping computers to retrieve ping statistics.

ODBC
Query, copy or delete System DSNs on remote hosts.

Passwords
Verify, update or reset passwords of user accounts on remote hosts.

Shutdown / Reboot

Shutdown, reboot or cancel a pending shutdown on remote hosts. You can optionally send a message as well.

Services

Control any service (Query, start, stop, continue, pause, restart)
Change startup type (manual, automatic, disabled)
Remove service
Change Logon (service can be automatically restarted as well)

Registry

Values: Read, add, delete and change
Keys: Add, delete
Copy entire keys to remote computers

File Management

Copy files and folders to remote computers
Delete files and folders from remote computers
Mirror local directories to remote computers

File Information

Query remote files to retrieve its hash, size, attributes, modification time, version, company or description
Remote files can be compared against a hash you provide

Logons

Show users that are currently logged on interactively to a computer
Count the number of users that are logged on (useful for terminal servers)

The scheduled release date for AutoAdministrator is January 12th 2009, and you can request a trial then at https://www.netikus.net/products_trial_request.html. If you can't wait and would like to download the beta, then simply contact our support team at https://www.netikus.net/about_contact.html.

Happy New Year,
Ingmar.

EventSentry v2.90: Compliance Tracking for SOX, PCI, GLBA, HIPAA, FISMA, COBIT, ...

2008-12-13T15:57:37Z

This is round two in the new features available in EventSentry v2.90, and this time I'll be covering the new compliance features.

Even though EventSentry was not originally designed to help with compliance, its event log consolidation capabilities made it an effective and economical solution to help our customers with their various compliance efforts throughout the years.

But while being able to filter and search through security events is helpful, it is not enough to quickly create reports that group information based on key elements, such as user creations, group modifications, policy changes and more.

In version 2.90 we addressed this by creating the new Compliance Tracking features which are based on the previous Tracking features.

This means that in addition to the "standard" event log consolidation that simply collects events and records them as is, compliance tracking intercepts specific events (e.g. account creation, logon/logoff, process creation), parses them, extracts the required information and records the relevant information in the EventSentry database.

Compliance Tracking covers the following auditing areas in Windows:

Process Activity
Console & Network Logons
File Access Activity
Account Management (User, Group & Computer accounts)
Policy Changes
Print Jobs

For example, finding out which group memberships changed over the last week is matter of two clicks in the web reports - and restricting a report to only reflect a particular group and/or action is just as easy.

But let me briefly outline the benefits of the individual tracking features:

Process Tracking
This feature records all process activity and lets you know which processes where started when, by whom, for how long and from which computer. This feature is not only useful for security purposes, but also helpful when troubleshooting or requiring statistical information (e.g. how often is PowerPoint being run).

Logon Tracking
This component tracks everything logon-related on your network, including console, successful as well as failed network logons. Using the console logon tracking for example, you can generate reports that show what time users logon and logoff, including from which computer, whether they are local admin and more details. Using the new network logon tracking, you can track successful as well as failed network logons. The included reports can reveal information such as which users logged on with a failed password, logon protocol distribution, most common reason for failed logons and more.

File Access Tracking
This feature is new in v2.90 and tracks all successful file access activity that has been enabled on files or directories. EventSentry does this by intercepting audit events that are generated when files or folders which are being audited. Since Windows Server 2003 and earlier don't actually audit when objects are changed, but instead only audit the requested file access (click here for a related post), EventSentry can perform additional checks and verifications to complement the native auditing capabilities of the OS - such as checksum creation. Of course EventSentry also gathers additional information - such as the source computer from where a change was made.

Account Management Tracking
Also new in v2.90 is account management tracking, which encompasses user, group and computer account management tracking. This feature really makes life easier when you deal with large quantities of user, group and / or computer account changes.

For example, tracking a users group membership changes - even across computers and domains - is only a few mouse clicks away. Do you need to know which computer accounts were created in the last week in your domain? This only takes three clicks in the web reports.

Policy Change Tracking
Another feature added in v2.90, policy change tracking records the following "policy" events:

Domain Policy Changes
Audit Policy Changes
Kerberos Policy Changes
User Right Changes
Logon Right Changes
Trust Relationship Changes

Again, getting information about any of the above scenarios is extremely easy - such as seeing which user/logon rights were assigned in the last week or on which server the password policy was changed in the last 2 weeks.

Since none of tracking features are limited to hard-coded reports but instead are easily adaptable, they not only make your auditors happy - they provide you with valuable information. This allows you to utilize EventSentry not only for compliance but many other tasks, whether is security-related, for troubleshooting or something else.

As always, please see the documentation for more information. You can take a look at version history as well for a complete list of changes and new features in the 2.90 release of EventSentry.

Enjoy,
Ingmar.

EventSentry v2.90: Event Log Monitoring Changes

2008-11-04T18:21:01Z

Since we have just released EventSentry v2.90, we'll be blogging about the improvements and new features in the coming weeks. Since event log monitoring is how it all started, my first post in this series will be about the improvements and new features in our event log monitoring engine.

Vista/Windows 2008
The biggest change in v2.90, in regards to event log monitoring, is of course the native support of the Windows Vista and Server 2008 event log API. As many of you know, Microsoft introduced a new API for event log monitoring while still keeping the legacy API in place for applications that don't support the new API yet.

EventSentry v2.81 uses this legacy API with some work-arounds to monitor the new event logs, but I highly recommend upgrading to v2.90 if you're monitoring Server 2008 and/or Vista event logs. Upgrading will result in less overhead and better formatting and presentation of events since the agents now access the event log with the native API. Naturally, the event log backup feature will backup event logs in the new evtx format on Vista/Server 2008 computers.

The new version also supports the new Operational event logs which are displayed under Application and Services Logs/Microsoft, for example the Microsoft-Windows-Backup/Operational log.

These operational logs need to be configured as custom event logs in EventSentry, by specifying the full path (e.g. Microsoft-Windows-Backup/Operational) as the name of the custom event log.

Please see one of my previous posts about the event log changes in Vista (which also applies to Server 2008) for more information.

Note that support for the new event log API is transparent, and there is still only one executable of the EventSentry agent for all versions of Windows.

64-Bit
EventSentry v2.81 did not format some events on 64-bit editions of Windows correctly, and we have resolved this problem in 2.90 which renders all events on 64-bit machines correctly. The EventSentry agent still runs as a 32-bit application in 2.90, but we have long-term plans to supply a 64-bit agent for x64 operating systems.

Filter Timers
Filter Timer filters allow you to ignore events that would otherwise trigger an alert, if they are followed by another event within a preset time period. For example, if an event indicating that a critical service is stopped is being immediately followed by another event indicating that the service is running again, then a filter would allow you to suppress both events.

Previously however, filter timers had to be setup exactly for each event pair. This meant that if you wanted to use a filter timer for 5 services, then you would have to create 10 events. Starting with 2.90 you only have to create 2 events now, as long as the first event and the clearing event share the same order of insertion strings - which is usually the case.

Please see the documentation for more information.

Action Trigger History
Selected actions (e.g. email, pager) now include the ability to log their trigger history - that is every time they are triggered by an event - to the database. This helps you confirm that a notification was in fact performed, and also gives you the ability to gather statistics about which actions are being triggered and how often.

The action trigger history includes the following information:

•    Date/Time
•    Computer
•    Action Name, Action Recipients
•    Event Log Package, Filter Name
•    Event Log, Event Source, Event ID, Event Number

Please see the documentation for more information.

Web Reports: Error Explanation
Many events from the security event log, for example audit failure event 675, contain error numbers and failure codes inside the event that require you to research them in order to find out what they mean. Here is an example:

You can see that the failure code of 0x25 in itself doesn't reveal too much, but if you view the same exact event through our web reporting, then the failure code is automatically explained for you:

As you can see in the screenshot above, the Kerberos failure code of 0x25 is automatically explained as "Clock skew too great".

Copying / Pasting event details from Emails
If you have been using EventSentry for a while, then you've probably setup event exclusions more than once, most likely after receiving an email from one of the agents. Starting with 2.90, you can now copy the event in your email client and paste it into a new filter. The management console will parse the event properties and automatically fill in the following fields for you:

•    Event Log
•    Event Severity
•    Event Source
•    Event Category
•    Event ID

Please see the documentation for more information.

You can take a look at version history as well for a complete list of changes and new features in the 2.90 release of EventSentry.

Enjoy,
Ingmar.