Tuesday, May 16, 2006

Domain Account Policy Password Settings

If you ever have an organization with multiple password complexity requirements, definitely consider a third party tool to handle the job for you. I came across a domain setup recently where the password and lockout policy had been set, but there were a select group of restricted users with a no-password requirement.

*Note, do not set up a policy without password restrictions/requirements.

The problem with this is that only one password policy can be set for the entire domain. So, short of a third party utility or another domain, here is what I did as a workaround.

First, make sure you have documented the policy before making adjustments.

Temporarily disable the password policy (do this out of hours) by setting minimum lengths, durations and so on to zero. If you simply disable the policy, the previous settings remain in effect and you will be unable to adjust users' passwords in the interim. Once the policy is relaxed, you are able to set zero-length passwords for your select group of restricted users. When that is done, return the password policy settings to what they were.

As an alternative (yet equally insecure) approach for accessibility, the following works for users who only use one device that nobody else will (such as a communication aid/talker). Remember though, the password gets stored in plain text, which is a big no-no.

*Edit the registry solely at your own risk!

Go to the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

1) Add a Value called DefaultPassword
2) Make the data type REG_SZ
3) Type in the user password in the string editor
4) Add another Value called AutoAdminLogon
5) Data type as REG_SZ
6) Set the value to 1
7) Set the ForceAutoLogon value to 1

When you restart the machine, you should be automatically logged in to the default domain.
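As an added example, not part of the original post and not a Microsoft tool: a small Python audit that reads a text export of the Winlogon key and reports whether AutoAdminLogon is switched on with a DefaultPassword stored beside it. The .reg contents below are a constructed sample, and the account name and password in it are made up.

```python
import re

# Constructed sample of what `reg export` of the Winlogon key looks like once
# decoded to text. Account name and password are made up for this example.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DefaultDomainName"="EXAMPLE"
"DefaultUserName"="talker01"
"AutoAdminLogon"="1"
"DefaultPassword"="NotARealPassword"
"ForceAutoLogon"="1"
"""

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for a .reg file already decoded to text.

    A real export written by reg.exe is UTF-16LE with a BOM, so read it with
    open(path, encoding="utf-16") before passing it here.
    """
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.groups()
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = data[1:-1]  # REG_SZ data is quoted; dword:/hex: data is kept raw
            keys[current][name] = data
    return keys


def audit_winlogon(text):
    """Report the autologon settings the post describes and whether a password is exposed."""
    values = parse_reg_export(text).get(WINLOGON_KEY, {})
    # Registry value names are case-insensitive, so normalise before lookup
    lower = {name.lower(): data for name, data in values.items()}
    autologon = lower.get("autoadminlogon") == "1"
    password_present = bool(lower.get("defaultpassword"))
    return {
        "autologon_enabled": autologon,
        "force_autologon": lower.get("forceautologon") == "1",
        "plaintext_password_present": password_present,
        "account": lower.get("defaultusername"),
        # DefaultPassword is clear text: any account that can read this key can read it
        "exposed_credential": autologon and password_present,
    }


if __name__ == "__main__":
    for name, value in audit_winlogon(SAMPLE_REG_EXPORT).items():
        print("%-28s %s" % (name, value))
```

Run it against `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg` output from each machine you set up this way, so the list of devices carrying a clear-text password stays known and can be reviewed when the device or its user changes.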

Wednesday, April 05, 2006

Logging Software

If you are looking for a software auditing tool/alternative to MS SMS, have a look at LOGINventory.  It comes with a free 20 client license and gives nice reports.  If you intend to audit more than 20 devices however, you need to purchase additional licenses.  A great tool for a small business network!

unable to find network path remote registry

Earlier today I was unable to access a remote client to view the event viewer. I was, however, able to access it with remote desktop. My first check was to see if remote registry was enabled and indeed it was. Each time I tried to connect to another computer... I was faced with the long pause and eventual message "Network Path Not Found".

The solution was to ensure that File & Printer sharing is enabled on the network adapter.

Tuesday, January 31, 2006

UPS setup with secondary server remote shutdown

Recently one of the locations I support finally acquired some UPSs. As the result of a few surges the other week, they no longer wanted to pay me to rebuild a server (Or hear I told you so).

We have a Belkin SurgeMaster 500VA Battery Backup connected via usb to a windows 2000 server. The UPS is also providing power to our Linux (Karoshi http://www.karoshi.org.uk ) intranet and proxy/filtering server. I chose to set the UPS monitor up through the 2000 box because, in all likelihood, when I move on the next person may not know much about linux. Or even worse, a consultant comes in to charge extra $$ because their UPS is hooked up via linux. The drawback in working in a school is funds. A passing thought is I wonder where all the extra UK petrol tax is going since the price increases... Anyways, back to work.

After installing and setting up the 2000 server as the UPS monitor, I needed a way to safely shut down the linux box. This was achieved by setting up an ssh tunnel using plink (a command-line version of PuTTY) and executing:

shutdown -h now

Sounds easy enough, except our linux box authenticates everything through kerberos LDAP through a 2000 domain controller, so it wasn't a matter of setting up the batch file to login and shutdown, because groups aren't synched. In short, there was no easy/quick way to get either sudoers hooked in, or to enter a second password through a tty (which is good security).

What was needed:

  1. sshd installed on the linux box
  2. a folder with NTFS permissions on the 2000 server, for this example we'll call the folder powerdown
  3. plink on the server monitoring the UPS (http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html)
  4. A batch file called upsShutdown.bat
  5. A plink.exe option file called linuxHalt.txt

Once the ssh server is set up, try logging into the local machine as a client. If this isn't successful, you most likely have to start sshd by running the following as root:
/etc/init.d/sshd start
If you still cannot log in locally, it's time to go to Google and read the various man pages.

After downloading plink to the powerdown folder, open a command prompt on the 2000 server (Start, Run, cmd), change directory to the powerdown folder and attempt a login by typing:
C:\powerdown> plink linuxCompName -l username -pw ******
You should have a shell after accepting the prompt to cache the host key. Now we know we can securely log in to our linux box from windows, yay! Go celebrate with caffeine or have a play around with your shell.

In order to shell in as root, we have to make a change in our sshd configuration file, located at /etc/ssh/sshd_config. Change PermitRootLogin no to PermitRootLogin yes, then restart sshd so the new setting takes effect.

Because we want the shutdown to be fully automated, we need to produce a batch file that gets called by the UPS monitor. On the 2k server, open up Notepad and enter the following:

plink linuxBoxName -batch -l root -pw plaintextPassword!? -m linuxHalt.txt

Save the file as "upsShutdown.bat" and make sure to include the quotes. Otherwise the file will save as a text file.

The -batch option disables all interactive prompts (such as the host key confirmation), so the command either runs unattended or aborts. The -l option specifies the user to log in as. The -pw switch supplies the password.


Wait a minute! A plaintext file with our coveted root login details!?!? OBVIOUSLY, this is not best practice! The scenario here involves a need to login as root because the authentication scheme is only handling LDAP domain user accounts, not the local accounts on the linux box. If I had more time to spend on this I would come up with something better. With that said, if somebody has a simpler solution please let me know! Unfortunately, I don't have the time to implement the most secure solution. Whatever changes, screwups, or problems you have in your network or on your computers because of this information is ONLY your fault. Follow these instructions at your own risk/peril/busted/hacked network!

Of course, since the powerdown folder sits on an NTFS volume, tighten its permissions to allow only SYSTEM and whatever account your UPS monitor software runs as, with Read and Execute only.


Remember, we need to have a way to pass commands once the terminal is open. This is done through the -m option in the batch file. It will open linuxHalt.txt and execute the commands in that file on the remote linux server. Our text file simply has the one line in it:
shutdown -h now

Save your changes.

Now, make sure you have any files open on your linuxbox saved and execute the batch file. This will simulate the UPS calling the powerdown script. You should see your linuxbox go down immediately. You can replace the now parameter with +5, which would make it shut down in 5 minutes (on Linux, shutdown's -t switch sets the delay between the warning and kill signals, not the time of the shutdown).

Finally, we ensure that our UPS software (Belkin in this case) executes the batch file by entering the full path to the batch script (i.e. c:\powerdown\upsShutdown.bat). If you have a test environment, test it there. If not, wait until after hours (duh) and test it live.
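As an added example, not part of the original post: the post's own caveat is that the root password sits in clear text in upsShutdown.bat and that PermitRootLogin had to be opened up for it to work. The usual fix for an unattended job like this is a key pair whose public key is pinned to a single forced command in authorized_keys, with PermitRootLogin set to forced-commands-only, so the key can trigger the halt and nothing else. The Python below (mine, not the post's or PuTTY's) audits a constructed sshd_config excerpt against that policy and builds the matching authorized_keys line; the public key string is a placeholder, not a real key.

```python
import re

# Constructed sshd_config excerpt: the state the post leaves the box in
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed sample, not from a real host)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""

# Placeholder public key for the account the UPS monitor runs as (not a real key)
SAMPLE_PUBKEY = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC...placeholder... ups-monitor@2kserver"

# directive -> (values acceptable for an unattended shutdown host, value to recommend)
POLICY = {
    "permitrootlogin": ({"no", "forced-commands-only"}, "forced-commands-only"),
    "passwordauthentication": ({"no"}, "no"),
    "pubkeyauthentication": ({"yes"}, "yes"),
}

# authorized_keys options that stop the key being used for anything but the forced command
FORCED_KEY_OPTIONS = "no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty"


def parse_sshd_config(text):
    """Return {directive_lowercased: value}, ignoring comments and blank lines.

    sshd honours the FIRST occurrence of a directive, so later duplicates are ignored.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text):
    """List (directive, current_value, recommended_value) for weak or missing settings."""
    settings = parse_sshd_config(text)
    findings = []
    for directive, (acceptable, recommended) in POLICY.items():
        current = settings.get(directive, "<unset>")
        if current.lower() not in acceptable:
            findings.append((directive, current, recommended))
    return findings


def forced_command_entry(pubkey_line, command):
    """Build an authorized_keys line that lets this key run only `command`.

    Whatever the client asks to run, sshd executes `command` instead, and the
    no-* options remove pty, forwarding and agent access for that key.
    """
    if '"' in command or "\n" in command:
        raise ValueError("command must not contain quotes or newlines")
    return 'command="%s",%s %s' % (command, FORCED_KEY_OPTIONS, pubkey_line.strip())


if __name__ == "__main__":
    for directive, current, recommended in audit_sshd_config(SAMPLE_SSHD_CONFIG):
        print("%-24s is %-10s recommend %s" % (directive, current, recommended))
    print(forced_command_entry(SAMPLE_PUBKEY, "/sbin/shutdown -h now"))
```

With that line in /root/.ssh/authorized_keys, PermitRootLogin set to forced-commands-only and the private key converted to .ppk with PuTTYgen, the batch file becomes `plink linuxBoxName -batch -l root -i c:\powerdown\ups.ppk` with no -pw and no -m: the server runs shutdown -h now regardless of what the client requests, the key cannot open a shell or forward anything, and the only secret on the 2000 server is a key file covered by the same NTFS permissions described above. The earlier interactive login has already cached the host key, which -batch needs.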