12 April 2011

TMG - Using the Enterprise Management Server (EMS) to standardise System Firewall rules across multiple arrays

There are 59 system policy rules in every TMG environment. These rules are mostly centred on the Local Host network, i.e. traffic to and from the TMG servers themselves. By default each array carries its own copy of the system policy, so a global change means connecting to every array and changing the setting there. Enterprise objects can be used inside a local system policy, but there is no global control mechanism for the policy itself.

The system policies are applied before any other rules. The sequence is as follows
  1. System Policy Rules
  2. Enterprise Policy Rules Applied Before Array Firewall Policy
  3. (Array) Firewall Policy Rules
  4. Enterprise Policy Rules Applied After Array Firewall Policy
This is significant because traffic is evaluated down the policy sequence until it matches a rule. If nothing matches, it is dropped by the absolute last "Default Rule", which denies all traffic.

If we want to centrally manage a system policy rule we need to configure an identical rule under "Enterprise Policy Rules Applied Before Array Firewall Policy". To see the finer details of the system policy rule, select Show System Policy Rules from the Firewall Policy view. You can now browse or search for the relevant rule, open it and record its settings (action, protocol, source and destination).


You cannot actually change the rule from here. Right-click the rule and click Edit System Policy. This opens the System Policy Editor with the relevant configuration group selected. Because an enterprise rule will now manage this traffic, ensure that "Enable this configuration group" is unchecked; otherwise the array-level system policy rule is still evaluated first (step 1 above) and the enterprise rule never becomes the one in control.


As an example, say I want to be able to turn ICMP (ping replies) on for all the array members in the enterprise. This is something you would normally keep turned off, except for certain temporary testing scenarios.

First, I connect to each array and make sure "Enable this configuration group" is unchecked for the relevant group.
Second, I create an enterprise rule that is identical to the system policy rule. In this case:

Action:  Allow 
Protocol:  PING 
From:  Enterprise Remote Management Servers  
To:  Local Host

This rule is now applied through the enterprise policy, so if I enable, disable or change it, the change affects all the arrays managed by that enterprise policy. In short, you now have a global control mechanism for system policies. Keep the enterprise rule as narrow as the system policy rule it replaces (here only from Enterprise Remote Management Servers to Local Host): because it sits before the array firewall policy, a broader allow rule would permit that traffic on every array regardless of what the array rules say.


08 April 2011

Using Robocopy for enhanced file transfer and management

Robocopy, or Robust File Copy, has been around since 1997, but for a long time it was only available in the Windows Resource Kit. It ships as a standard component of Windows Vista and Windows Server 2008 onwards, and it can be seen as a big enhancement over xcopy.

The highlight features of robocopy are the following:

  • Enhanced copy setting options
  • Attribute based file selection
  • Rich logging options
  • The ability to save and call predefined jobs

Far from being "just a file server migration tool", there are many things you can do with robocopy. For me the best feature is that you can very quickly copy files WITH their NTFS permissions from one location to another (/SEC, or /COPYALL to take the owner and auditing information along as well). You can also set robocopy to keep the files in sync based on the number of file changes (/MON), at a time interval (/MOT), or restricted to certain run hours (/RH).

The other really handy feature of robocopy is that you can use it to copy over slow and unreliable WAN links. The following options make it very suitable: enhanced retry options (/R and /W) and restartable mode (/Z) to resume broken copy operations; run hours (/RH) so that copies only run during predefined times; and the inter-packet gap (/IPG) that reduces the bandwidth demand.

Did I mention that you can copy with up to 128 active threads (/MT)? Note that /MT cannot be combined with /IPG or /EFSRAW, so the WAN-friendly and multi-threaded modes are mutually exclusive.

A typical robocopy command that one would use is something similar to this. It copies everything including empty directories, in restartable mode with a fall-back to backup mode, takes EFS-encrypted files in raw form, keeps all security information and directory timestamps, and writes verbose output to robo.txt as well as the console:


C:\>robocopy v:\audit u:\audit /E /ZB /EFSRAW /COPYALL /DCOPY:T /V /LOG:robo.txt /TEE

Two caveats for that command. /B (and therefore /ZB) and the owner and auditing parts of /COPYALL rely on the Backup, Restore and Manage auditing privileges, so run it from an elevated prompt; without those privileges backup mode cannot bypass the ACLs and you get access-denied errors on files you are not explicitly granted access to. /EFSRAW copies encrypted files as ciphertext, so they are only readable at the destination if the user's EFS key or a recovery agent key is available there.

Here is the complete list of available command switches, so you can see what each one does.

I have also highlighted some of the more useful features in my opinion.


-------------------------------------------------------------------------------
   ROBOCOPY     ::     Robust File Copy for Windows                              
-------------------------------------------------------------------------------

Usage :: ROBOCOPY source destination [file [file]...] [options]
source :: Source Directory (drive:\path or \\server\share\path).
destination :: Destination Dir  (drive:\path or \\server\share\path).
file :: File(s) to copy  (names/wildcards: default is "*.*").

::
:: Copy options :
::
/S :: copy Subdirectories, but not empty ones.
/E :: copy subdirectories, including Empty ones.
/LEV:n :: only copy the top n LEVels of the source directory tree.

/Z :: copy files in restartable mode.
/B :: copy files in Backup mode.
/ZB :: use restartable mode; if access denied use Backup mode.
/EFSRAW :: copy all encrypted files in EFS RAW mode.

/COPY:copyflag[s] :: what to COPY for files (default is /COPY:DAT).
                       (copyflags : D=Data, A=Attributes, T=Timestamps).
                       (S=Security=NTFS ACLs, O=Owner info, U=aUditing info).

/DCOPY:T :: COPY Directory Timestamps.
/SEC :: copy files with SECurity (equivalent to /COPY:DATS).
/COPYALL :: COPY ALL file info (equivalent to /COPY:DATSOU).
/NOCOPY :: COPY NO file info (useful with /PURGE).

/SECFIX :: FIX file SECurity on all files, even skipped files.
/TIMFIX :: FIX file TIMes on all files, even skipped files.

/PURGE :: delete dest files/dirs that no longer exist in source.
/MIR :: MIRror a directory tree (equivalent to /E plus /PURGE).

/MOV :: MOVe files (delete from source after copying).
/MOVE :: MOVE files AND dirs (delete from source after copying).

/A+:[RASHCNET] :: add the given Attributes to copied files.
/A-:[RASHCNET] :: remove the given Attributes from copied files.
/CREATE :: CREATE directory tree and zero-length files only.
/FAT :: create destination files using 8.3 FAT file names only.
/256 :: turn off very long path (> 256 characters) support.

/MON:n :: MONitor source; run again when more than n changes seen.
/MOT:m :: MOnitor source; run again in m minutes Time, if changed.

/RH:hhmm-hhmm :: Run Hours - times when new copies may be started.
/PF :: check run hours on a Per File (not per pass) basis.

/IPG:n :: Inter-Packet Gap (ms), to free bandwidth on slow lines.
/SL :: copy symbolic links versus the target.
/MT[:n] :: Do multi-threaded copies with n threads (default 8).
                n must be at least 1 and not greater than 128.
                This option is incompatible with the /IPG and /EFSRAW options.
                Redirect output using /LOG option for better performance.

::
:: File Selection Options :
::
/A :: copy only files with the Archive attribute set.
/M :: copy only files with the Archive attribute and reset it.
/IA:[RASHCNETO] :: Include only files with any of the given Attributes set.
/XA:[RASHCNETO] :: eXclude files with any of the given Attributes set.
/XF file [file]... :: eXclude Files matching given names/paths/wildcards.
/XD dirs [dirs]... :: eXclude Directories matching given names/paths.
/XC :: eXclude Changed files.
/XN :: eXclude Newer files.
/XO :: eXclude Older files.
/XX :: eXclude eXtra files and directories.
/XL :: eXclude Lonely files and directories.
/IS :: Include Same files.
/IT :: Include Tweaked files.

/MAX:n :: MAXimum file size - exclude files bigger than n bytes.
/MIN:n :: MINimum file size - exclude files smaller than n bytes.

/MAXAGE:n :: MAXimum file AGE - exclude files older than n days/date.
/MINAGE:n :: MINimum file AGE - exclude files newer than n days/date.
/MAXLAD:n :: MAXimum Last Access Date - exclude files unused since n.
/MINLAD:n :: MINimum Last Access Date - exclude files used since n.
                      (If n < 1900 then n = n days, else n = YYYYMMDD date).

/XJ :: eXclude Junction points. (normally included by default).

/FFT :: assume FAT File Times (2-second granularity).
/DST :: compensate for one-hour DST time differences.

/XJD :: eXclude Junction points for Directories.
/XJF :: eXclude Junction points for Files.

::
:: Retry Options :
::
/R:n :: number of Retries on failed copies: default 1 million.
/W:n :: Wait time between retries: default is 30 seconds.

/REG :: Save /R:n and /W:n in the Registry as default settings.

/TBD :: wait for sharenames To Be Defined (retry error 67).

::
:: Logging Options :
::
/L :: List only - don't copy, timestamp or delete any files.
/X :: report all eXtra files, not just those selected.
/V :: produce Verbose output, showing skipped files.
/TS :: include source file Time Stamps in the output.
/FP :: include Full Pathname of files in the output.
/BYTES :: Print sizes as bytes.

/NS :: No Size - don't log file sizes.
/NC :: No Class - don't log file classes.
/NFL :: No File List - don't log file names.
/NDL :: No Directory List - don't log directory names.

/NP :: No Progress - don't display percentage copied.
/ETA :: show Estimated Time of Arrival of copied files.

/LOG:file :: output status to LOG file (overwrite existing log).
/LOG+:file :: output status to LOG file (append to existing log).

/UNILOG:file :: output status to LOG file as UNICODE (overwrite existing log).
/UNILOG+:file :: output status to LOG file as UNICODE (append to existing log).

/TEE :: output to console window, as well as the log file.

/NJH :: No Job Header.
/NJS :: No Job Summary.

/UNICODE :: output status as UNICODE.

::
:: Job Options 
::
/JOB:jobname :: take parameters from the named JOB file.
/SAVE:jobname :: SAVE parameters to the named job file
/QUIT :: QUIT after processing command line (to view parameters).
/NOSD :: NO Source Directory is specified.
/NODD :: NO Destination Directory is specified.
/IF :: Include the following Files.


To make things even easier there is also a GUI for robocopy http://technet.microsoft.com/en-us/magazine/2009.04.utilityspotlight.aspx



Conclusion
By using this underappreciated yet extremely powerful command line tool you can achieve a great deal if it is used in the correct manner for suitable applications. As an example, robocopy can be used to automatically move files that have not been used for a long time to an archive location while preserving the file names, security and attributes. It makes you think that you might not need that archiving tool after all...
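The archive scenario above, written out as an added PowerShell example (this is not code from the original post). It selects files that have not been accessed for a number of days with /MINLAD, keeps ACLs, owner and auditing with /COPYALL, dry-runs with /L unless -Commit is given, and decodes robocopy's exit code, which is a bit field rather than a plain success/failure value. The source, destination and log paths are assumptions. One check before trusting /MINLAD: Windows Vista and Server 2008 disable NTFS last-access timestamp updates by default, so run fsutil behavior query DisableLastAccess on the source volume first, or the "unused" selection will be based on stale dates.

```powershell
# Added example, not from the original post: move files that have not been accessed
# for a given number of days to an archive share with robocopy, keeping NTFS
# permissions, owner and auditing information. Dry-runs by default (/L) and
# decodes robocopy's bit-flag exit code instead of treating non-zero as failure.
# Source, destination and log paths are assumptions; change them to suit.

function ConvertFrom-RobocopyExitCode {
    param([int]$Code)
    # The exit code is a bit field. Values 0-7 are informational; 8 and 16 are real failures.
    $flags = @{
        1  = 'files copied'
        2  = 'extra files or directories in destination'
        4  = 'mismatched files or directories'
        8  = 'some files or directories could not be copied'
        16 = 'fatal error (bad source/destination or out of disk space)'
    }
    $messages = foreach ($bit in 1, 2, 4, 8, 16) { if ($Code -band $bit) { $flags[$bit] } }
    if (-not $messages) { $messages = @('no change') }
    New-Object PSObject -Property @{
        Code     = $Code
        Success  = ($Code -lt 8)
        Messages = $messages
    }
}

function Invoke-ArchiveMove {
    param(
        [string]$Source      = 'D:\Shares\Projects',          # assumed path
        [string]$Destination = '\\archive01\cold$\Projects',   # assumed path
        [int]$DaysUnused     = 365,
        [string]$LogFile     = "$env:TEMP\robo-archive.log",
        [switch]$Commit
    )
    # /E         include empty subdirectories
    # /ZB        restartable; fall back to backup mode (needs the Backup privilege, i.e. an elevated prompt)
    # /COPYALL   data, attributes, timestamps, ACLs, owner, auditing (auditing needs the Manage auditing privilege)
    # /DCOPY:T   keep directory timestamps
    # /MINLAD:n  exclude files *used* in the last n days, so only cold files are selected
    # /XJ        do not follow junction points (avoids loops and copying outside the tree)
    # /R /W      bounded retries instead of the default one million retries every 30 s
    $roboArgs = @($Source, $Destination, '/E', '/ZB', '/COPYALL', '/DCOPY:T',
                  "/MINLAD:$DaysUnused", '/XJ', '/R:3', '/W:5', '/NP', "/LOG+:$LogFile")
    if ($Commit) { $roboArgs += '/MOV' }   # /MOV deletes each file from the source after it is copied
    else         { $roboArgs += '/L'   }   # /L only lists what would be moved; nothing is copied or deleted

    & robocopy.exe @roboArgs | Out-Null
    $result = ConvertFrom-RobocopyExitCode $LASTEXITCODE
    if (-not $result.Success) {
        throw "robocopy failed (exit $($result.Code)): $($result.Messages -join '; '). See $LogFile"
    }
    return $result
}

# Dry run first, read the log, then re-run with -Commit.
Invoke-ArchiveMove
# Invoke-ArchiveMove -Commit
```

The dry run matters because /MOV deletes from the source as it goes: an exit code of 8 on a committed run means some files were moved and some were not, and the log is the only record of which.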

06 April 2011

Sophos Endpoint Protection create new SID script for virtual machine templates and cloned machines

If you are duplicating or cloning a machine, or deploying from a template image with Sophos preinstalled, you will need to clear the existing SID and generate a new one. If this is not done the machine will not be manageable from the Sophos central administration console.

The steps required to do this are outlined in:
http://www.sophos.com/support/knowledgebase/article/12561.html

I have put these into a VBScript just to speed things up a little. To run it, open a command prompt with "Run as Administrator", then run cscript yourscriptname.vbs

I have included the registry and file paths to cover both x86 and x64 OS deployments.


'################################################################################
'# Sophos EndPoint Security 9.5                                                 #
'# This script will create a new SID for this machine as per the steps listed   #
'#  at http://www.sophos.com/support/knowledgebase/article/12561.html           #
'# This will remove the current SID and create a new unique SID on restart      #
'#                                                                              #
'#                                                Etienne Liebetrau - April 2011#
'################################################################################

'Registry values and files that are already absent (e.g. the x64 paths on an
'x86 OS) raise errors; carry on past them rather than aborting the cleanup.
On Error Resume Next

WScript.Echo "Post Clone Cleanup Starting"
WScript.Echo "Initiating Script Objects"

'Create Script Shell and FileSystem objects
Set WshShell = WScript.CreateObject("WScript.Shell")
Set FSO = CreateObject("Scripting.FileSystemObject")

'Sophos service names, quoted because they contain spaces when passed to net stop
SMR  = """Sophos Message Router"""
SA   = """Sophos Agent"""
SAUS = """Sophos AutoUpdate Service"""

WScript.Echo "Stopping Services"

'Stop Sophos Services (window style 2 = minimised, True = wait for completion)
WshShell.Run "net stop " & SMR, 2, True
WshShell.Run "net stop " & SA, 2, True
WshShell.Run "net stop " & SAUS, 2, True

WScript.Echo "Removing Registry Entries"

'Registry values to be removed (x86 OS)
RegKey1 = "HKEY_LOCAL_MACHINE\Software\Sophos\Messaging System\Router\Private\pkc"
RegKey2 = "HKEY_LOCAL_MACHINE\Software\Sophos\Messaging System\Router\Private\pkp"
RegKey3 = "HKEY_LOCAL_MACHINE\Software\Sophos\Remote Management System\ManagementAgent\Private\pkc"
RegKey4 = "HKEY_LOCAL_MACHINE\Software\Sophos\Remote Management System\ManagementAgent\Private\pkp"

'Registry values to be removed (x64 OS: the 32-bit Sophos components live under Wow6432Node)
X64RegKey1 = "HKEY_LOCAL_MACHINE\Software\Wow6432Node\Sophos\Messaging System\Router\Private\pkc"
X64RegKey2 = "HKEY_LOCAL_MACHINE\Software\Wow6432Node\Sophos\Messaging System\Router\Private\pkp"
X64RegKey3 = "HKEY_LOCAL_MACHINE\Software\Wow6432Node\Sophos\Remote Management System\ManagementAgent\Private\pkc"
X64RegKey4 = "HKEY_LOCAL_MACHINE\Software\Wow6432Node\Sophos\Remote Management System\ManagementAgent\Private\pkp"

'Delete Registry values (no trailing backslash = delete the value, not the whole key)
WshShell.RegDelete RegKey1
WshShell.RegDelete RegKey2
WshShell.RegDelete RegKey3
WshShell.RegDelete RegKey4
WshShell.RegDelete X64RegKey1
WshShell.RegDelete X64RegKey2
WshShell.RegDelete X64RegKey3
WshShell.RegDelete X64RegKey4

WScript.Echo "Removing Files"

'Remove machine_ID.txt files. The paths are passed to the FileSystemObject WITHOUT
'surrounding quote characters: a quoted path is not a valid file name and would
'never match, so the files would silently be left behind.
File1 = "c:\Program Files\AutoUpdate\machine_ID.txt"
File2 = "c:\Program Files\AutoUpdate\data\machine_ID.txt"
File3 = "c:\Program Files (x86)\AutoUpdate\machine_ID.txt"
File4 = "c:\Program Files (x86)\AutoUpdate\data\machine_ID.txt"
File5 = "C:\ProgramData\Sophos\AutoUpdate\data\machine_ID.txt"

For Each F In Array(File1, File2, File3, File4, File5)
    If FSO.FileExists(F) Then
        FSO.DeleteFile F, True    'True = delete even if the file is read-only
        WScript.Echo "Deleted " & F
    End If
Next

WScript.Echo "Post Clone Cleanup Completed"
WScript.Sleep 10000

WScript.Quit


After the script has been run and the machine is rebooted it should show up in the Sophos management console under its current computer name.

#### Update 1 ###

Normally you would run this script before making the machine a template or running sysprep.
After sysprep has run, the SID of the machine is different, and the local Sophos security groups no longer match the SIDs recorded for them in the machine.xml file. This prevents you from opening the Sophos console on the machine; when you attempt to open it you get the following error.

You do not have sufficient privileges to run the Sophos Endpoint Security and Control main application.
You are not a member of any of the Sophos groups. To launch this application, you must be a member of SophosAdministrator, SophosPowerUser or SophosUser group. Please contact your administrator.


One more step is required for everything to work properly: execute the following


MsiExec.exe /i "c:\ProgramData\Sophos\AutoUpdate\cache\savxp\Sophos Anti-Virus.msi" REINSTALL=ALL REINSTALLMODE=voums UPDATEDRIVERS=0 /l*v c:\msi.log /qb

This repairs the MSI installation, recreating the machine.xml file.

Sophos gives a fix here http://www.sophos.com/support/knowledgebase/article/113207.html but it is not something I could automate easily.

Thanks to the anonymous commenter for raising this question.

#### Update2 ###

Per request I have also added the steps to fix the SID issue in a new script. This should be run after the machine has finished being cloned; it does what is highlighted in update 1 above. Please note: for Windows XP and 2003 installations change


C:\ProgramData to C:\Documents and Settings\All Users\Application Data 







'################################################################################
'# Sophos EndPoint Security 9.5                                                 #
'# This script will update machine.xml with the NEW SIDs as per the steps listed#
'# at http://www.sophos.com/support/knowledgebase/article/113207.html           #
'# It replaces the original SIDs with the SIDs the cloned machine now has       #
'#                                                                              #
'#                                                Etienne Liebetrau - April 2011#
'################################################################################

'For Windows XP and 2003 change C:\ProgramData to
'C:\Documents and Settings\All Users\Application Data
MachineXml = "C:\ProgramData\Sophos\Sophos Anti-Virus\Config\machine.xml"
SAV = "SAVService"

WScript.Echo "Post Clone Security Fix Starting"
WScript.Echo "Retrieving new group SID values"

'Return the SID of a LOCAL group, or "" if it does not exist. LocalAccount = True
'stops a same-named domain group from being picked up by mistake.
Function GetLocalGroupSid(objWMIService, GroupName)
    GetLocalGroupSid = ""
    Set colItems = objWMIService.ExecQuery("Select * from Win32_Group where LocalAccount = True and Name = '" & GroupName & "'",,48)
    For Each objItem In colItems
        GetLocalGroupSid = objItem.SID
    Next
End Function

'Return the <SID> node under the named role, or Nothing if machine.xml lacks it
Function GetRoleSidNode(oDoc, RoleName)
    Set GetRoleSidNode = oDoc.SelectSingleNode("//role[@name='" & RoleName & "']/SID")
End Function

strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")

SU   = GetLocalGroupSid(objWMIService, "SophosUser")
SPU  = GetLocalGroupSid(objWMIService, "SophosPowerUser")
SADM = GetLocalGroupSid(objWMIService, "SophosAdministrator")

'Never write an empty SID into machine.xml: that locks every user out of the console
If SU = "" Or SPU = "" Or SADM = "" Then
    WScript.Echo "One or more Sophos local groups were not found. Aborting."
    WScript.Quit 1
End If

'Load and validate machine.xml before touching the service
Set FSO = CreateObject("Scripting.FileSystemObject")
If Not FSO.FileExists(MachineXml) Then
    WScript.Echo "machine.xml not found at " & MachineXml
    WScript.Quit 1
End If

Dim oXml
Set oXml = CreateObject("MSXML2.DOMDocument")
oXml.async = False
oXml.Load MachineXml
If oXml.parseError.errorCode <> 0 Then
    WScript.Echo "Could not parse machine.xml: " & oXml.parseError.reason
    WScript.Quit 1
End If

Set nAdm = GetRoleSidNode(oXml, "SophosAdministrator")
Set nPU  = GetRoleSidNode(oXml, "SophosPowerUser")
Set nU   = GetRoleSidNode(oXml, "SophosUser")
If nAdm Is Nothing Or nPU Is Nothing Or nU Is Nothing Then
    WScript.Echo "machine.xml does not contain the expected role/SID entries. Aborting."
    WScript.Quit 1
End If

'Keep a copy of the original so the change can be rolled back
FSO.CopyFile MachineXml, MachineXml & ".bak", True

'Create Script Shell object and stop the Sophos service while the file is edited
Set WshShell = WScript.CreateObject("WScript.Shell")
WScript.Echo "Stopping Service"
WshShell.Run "net stop " & SAV, 2, True

'Write new SID values to machine.xml file
WScript.Echo "Writing new group SID values to machine.xml file"
nAdm.Text = SADM
nPU.Text  = SPU
nU.Text   = SU
oXml.Save MachineXml

WScript.Echo "Updated file."
WScript.Echo "Starting Service"

'Start Sophos Service
WshShell.Run "net start " & SAV, 2, True

WScript.Echo "SID Security Fix Applied"


To summarise:

Step 1: Run the first script before cloning the machine (or before running sysprep).
Step 2: After the clone is completed, run the second script. No reboot is required after this script.
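A quick way to confirm that the post-clone fix (either the second script or the MSI repair from update 1) actually took, as an added PowerShell example rather than code from the original post: it reads the SID recorded for each role in machine.xml and compares it with the SID of the matching local group. A mismatch on any role is exactly the state that produces the "You are not a member of any of the Sophos groups" error. The machine.xml path is the Vista/2008 one used above; pass -Path for XP/2003.

```powershell
# Added example, not from the original post: verify that the SIDs stored in
# Sophos' machine.xml match the SIDs of the local Sophos* groups after cloning.
# Runs on PowerShell 2.0 (Get-WmiObject rather than the newer CIM cmdlets).

function Get-LocalGroupSid {
    param([string]$GroupName)
    # LocalAccount = True so a same-named domain group is never matched by mistake
    $g = Get-WmiObject -Class Win32_Group -Filter "LocalAccount = True AND Name = '$GroupName'"
    if (-not $g) { return $null }
    return $g.SID
}

function Test-SophosMachineXml {
    param(
        [string]$Path = 'C:\ProgramData\Sophos\Sophos Anti-Virus\Config\machine.xml'
    )
    if (-not (Test-Path $Path)) { throw "machine.xml not found at $Path" }
    [xml]$doc = Get-Content -Path $Path

    $report = @()
    foreach ($role in 'SophosAdministrator', 'SophosPowerUser', 'SophosUser') {
        # Same XPath the fix script writes to: //role[@name='...']/SID
        $node    = $doc.SelectSingleNode("//role[@name='$role']/SID")
        $fileSid = if ($node) { $node.InnerText.Trim() } else { $null }
        $liveSid = Get-LocalGroupSid $role
        $report += New-Object PSObject -Property @{
            Role    = $role
            FileSid = $fileSid
            LiveSid = $liveSid
            # Both must exist and be equal; a missing node or group is a failure, not a pass
            Match   = [bool]($fileSid -and $liveSid -and ($fileSid -eq $liveSid))
        }
    }
    return $report
}

$result = Test-SophosMachineXml
$result | Format-Table Role, Match, FileSid, LiveSid -AutoSize
if ($result | Where-Object { -not $_.Match }) {
    Write-Warning 'machine.xml SIDs do not match the local groups; rerun the post-clone fix.'
}
```

Run it elevated on the clone after step 2; every row should show Match = True before you hand the machine over.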

05 April 2011

Scripts to see where your account is getting locked out from

In a previous article I covered the basics of account lockout.
http://fixmyitsystem.com/2011/02/how-to-find-out-why-your-account-keeps.html

Essentially this is a way to automate, or at least reduce, the effort it takes to go through the logs looking for event ID 644 on Windows 2003 or 4740 on Windows 2008. Replace ADSERVERNAME and USERNAME below with the relevant domain controller name and account name.

Windows 2003 VB Script
Using the script below you can extract the security event log and only show the events that you are interested in.

Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\ADSERVERNAME\root\cimv2")
'EventCode 644 = "User Account Locked Out" on Windows 2000/2003; the message text
'contains the account name and the caller machine name the bad passwords came from
Set colLoggedEvents = objWMIService.ExecQuery("Select * from Win32_NTLogEvent Where Logfile = 'Security' and EventCode = 644 and Message like '%USERNAME%'")
For Each objEvent in colLoggedEvents
    Wscript.Echo "Time: " & objEvent.TimeGenerated
    Wscript.Echo "Message: " & objEvent.Message & VBNewLine
Next


Windows 2008 PowerShell
In PowerShell we don't have to use VBScript; we can call the objects we want directly.


Get-EventLog -ComputerName ADSERVERNAME -LogName Security -InstanceId 4740 -Message "*USERNAME*" | Format-List TimeGenerated, Message

You can also output the result to a file by adding Tee-Object:

Get-EventLog -ComputerName ADSERVERNAME -LogName Security -InstanceId 4740 -Message "*USERNAME*" | Format-List TimeGenerated, Message | Tee-Object -FilePath output.txt

In both cases you get the matching lockout events with their timestamps and full message text, including the caller machine name (2003) or caller computer name (2008) that the lockout originated from.


By running the scripts you can save yourself the effort of trawling through logs on multiple servers.

Since it is already very filtered by the time you get the results it should be pretty much just what you are looking for.

These scripts can of course be built on to make them more user-friendly for support staff, but this should give you the gist of it.
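Taking the 2008 version one step further, as an added PowerShell example that is not part of the original post: instead of eyeballing the message text, it reads the 4740 event as XML and pulls the caller computer name out of the event data, giving a table of where each lockout came from. It queries the PDC emulator by default, since every domain controller forwards lockouts there, and -AllDCs makes it walk every DC instead. The account name 'jdoe' in the usage line is a placeholder.

```powershell
# Added example, not from the original post: list where an account is being locked
# out from by parsing event 4740's XML event data rather than its message text.
# Needs the Event Log Readers right (or admin) on the DCs being queried.

function Get-AccountLockoutSource {
    param(
        [Parameter(Mandatory=$true)][string]$UserName,
        [int]$Hours = 24,
        [switch]$AllDCs
    )
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    if ($AllDCs) { $servers = $domain.DomainControllers | ForEach-Object { $_.Name } }
    else         { $servers = @($domain.PdcRoleOwner.Name) }   # lockouts are processed on the PDC emulator

    foreach ($dc in $servers) {
        $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours) }
        # Get-WinEvent throws when nothing matches; treat that as "no lockouts here"
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            [xml]$x = $e.ToXml()
            $data = @{}
            foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            # Exact (case-insensitive) match on the locked account, not a substring of the message
            if ($data['TargetUserName'] -ne $UserName) { continue }
            New-Object PSObject -Property @{
                Time           = $e.TimeCreated
                DC             = $dc
                Account        = $data['TargetUserName']
                CallerComputer = $data['TargetDomainName']   # 4740 stores "Caller Computer Name" in this field
            }
        }
    }
}

Get-AccountLockoutSource -UserName 'jdoe' -Hours 48 |
    Sort-Object Time |
    Format-Table Time, DC, Account, CallerComputer -AutoSize
```

The caller computer name is the machine that sent the bad passwords, which is usually a workstation with a stale cached credential, a scheduled task or a mapped drive; if it is blank, the lockout came from a source the DC could not name, such as a non-Windows client.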