As a network auditor I am using WMI to query windows PC and get relevent information.
secpol.msc gives the account and local policies. Is there a way that I can read all the parameters in the policy to check that users have configured them as per company norms.
Thank You
You can use the RSoP WMI Classes to get the Group Policy settings and the Group Policy Settings Reference for Windows and Windows Server which basically is a set of excel files which contains the windows registry keys where is stored such info.
Related
I've got EC2 instance with IIS and mapped FSx file system on AWS. All in one VPC in one subnet.
IIS config works perfectly as long as it's configured with local drive. When I change config to use path from that mapped FSx I've got an error. Even for just a test static page.
All current users have full access to those files. Do I need to set up any special users for IIS on Domain Controller? Any special permissions? I would appreciate any ideas...
First of all, you need to figure out the substatus code of your IIS server and detailed error message. So please enable IIS detailed error message for your website.
I assume this issue happened just because your identity don't have permission to access configuration file.
1.Please Ensure your IIS site->basic settings->connect as..->set your domain account that have permission to accessyour FSX
2.Please set your application pool identity to your domain account that have access to the FSx.
3.Please grant permission for that application pool account.
4.Please set your authentication user to use application pool identity. For example, if you are using anonymous authentication. Then go to->anonymous authentication->edit..->Application pool identity.
If you don't know how to troubleshooting this issue. Prcoss monitor would help.
You only have to create a filter "RESULT=Access denied & Processname="w3wp.exe".
https://learn.microsoft.com/en-us/sysinternals/downloads/procmon
SOLTUION: you can not use the drive letter must be full DNS name for fsx console \DNS_NAME\share
I am having this exact issue. Drive is available on ec2 instance but authorization in IIS fails. Browse directory from IIS workd but can not get authorization to pass test. I have tried admin on EC2 and admin on active directory as users in IIS virtual drive.
It seems that you need to configure the IIS application pool identity to use a domain account that has access to the FSx file system. By default, the application pool identity is a local account that does not have any permissions on the network share.
To change the application pool identity, follow these steps:
Open IIS Manager and select the application pool that hosts your website.
Click on Advanced Settings in the Actions pane.
Under Process Model, click on Identity and then on the ellipsis (...) button.
Select Custom account and enter the domain user name and password that has access to the FSx file system. Click OK to save the changes.
Restart the application pool and the website.
Alternatively, you can use the command line tool appcmd.exe to set the application pool identity. For example, to set the identity to domain\user for the DefaultAppPool, you can run:
appcmd.exe set config /section:applicationPools /[name='DefaultAppPool'].processModel.identityType:SpecificUser /[name='DefaultAppPool'].processModel.userName:domain\user /[name='DefaultAppPool'].processModel.password:password
You can also use PowerShell to set the application pool identity. For example, to set the identity to domain\user for the DefaultAppPool, you can run:
Import-Module WebAdministration
Set-ItemProperty IIS:\AppPools\DefaultAppPool -Name processModel -Value #{identityType="SpecificUser";userName="domain\user";password="password"}
For more information, see this article on how to access FSx file shares from IIS.
Password complexity setting is disabled in default domain GPO. I need to enable it on one server, but I don't have the access to edit this GPO on the domain level. When I open local security settings on the server, option to enable (or disable) is grayed out. Is there a way to override default domain GPO for password complexity locally in the registry? And to keep it that way, to stop GPO from being propagated down from domain level to this particular server?
There are two moments in your case. First you can't use a local group policy for domain accounts because AD accounts store on only DCs. Only Domain Controller Polices. And ones apply only to user accounts. Not computer accounts. Second you can use a local group policy for edit settings for only local user accounts. Run the gpedit.msc command on local server for it.
But since Windows 2008 Domain you can separate password policy for different user groups. You can read about it here for example
https://technet.microsoft.com/en-us/library/cc770842(v=ws.10).aspx
Good luck.
IIS 7.0+ uses a concept of so-called virtual accounts to identify application pools (IIS AppPool\apppoolname). Do those accounts have profiles and can be local environment variables set for them? How?
The very bottom of this blog post says the virtual accounts cant be managed, they just don't appear in user searches within windows so it sounds like its possible:
http://weblogs.asp.net/owscott/managed-service-accounts-msa-and-virtual-accounts
*IIS and Virtual Accounts
For IIS and Virtual Accounts, the user is called “IIS AppPool{apppoolname}”. For example, “IIS AppPool\DefaultAppPool”. Note that Virtual Accounts can’t be found with the Windows Select Users or Groups tool, but if you type in the name specifically, it can be managed there.*
Alternatelively, You could create a local user account on the server and set the app pool to run as that account.
With regards to editing Environment variables for another user, this post says you can do it in the registry.
https://serverfault.com/questions/397966/windows-how-to-set-environment-variable-for-another-user
Yes, those accounts have their own profiles and you can set environment variables specifically for each account.
Just use a server-side page to set the variable and you can then use it.
I have a PowerShell script to demonstrate that this works in an answer over on ServerFault.
In the advanced settings for the application pool, make sure that Load User Profile is True but this is the default.
Here's what I want to do:
a program that listens in the network for a message, and when that message is received, if the user is not logged in (for example the computer just powered on and windows displays the classic login screen), it automatically logs in a certain user accordingly to the message. the username and password are known and stored safely inside the computer in a configuration for the program i'm talking about.
What I had in mind was a windows service that starts with the computer and also listens to those messages, and if one is received, then it does it's job
but I have no idea of where to start
(basically i'm trying to login a user without having to type the password, which I said is stored and known - need something mostly like the fingerprint software windows 7 comes with, and the ones that you had to install in vista/xp so that fingerprint login would work (fingerprint was only an example) )
There's two methods to pursue depending upon which operating system you're looking to run under.
For Windows XP, Windows 2000, and Windows Server 2003 you need to create a GINA.DLL. This is a replacement DLL which must follow specific rules which handles the authentication process. In your case your replacement DLL would be known by the service which was listening for your start signal, and it would make a call into the DLL with the username and password as appropriate.
MSDN Magazine article on customizing GINA.DLL
MSDN entry on GINA
For Windows Vista/7 and above you'll need to look into the Credential Provider API.
MSDN Magazine article on Credential Provider API in Vista.
MSDN entry on Credential Provider API
You can use windows auto logon feature to do this.
Create a service which waits for the required data on a network socket. Make sure this service is started after the network service (Tcpip). Modify winlogon service properties (manually) so that it depends on your service. By depends, I mean that winlogon service is started after your service.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon to 1
Once you receive the data on your network socket, set the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultPassword
Once the registry settings are in place, then the winlogon service can read those values and proceed with the login process.
For more details on setting the registry values refer: http://support.microsoft.com/kb/315231
I want clarify a little the suggestion of Vikram.exe.
Of cause the usage of AutoAdminLogon seems native for the problem, but saving of the password in registry as a clear text under HKLM\...\Winlogon\DefaultPassword is not good. Since Windows 2000 it is supported the usage of the secrets DefaultPassword which makes the same effect as the DefaultPassword registry value (see Protecting the Automatic Logon Password for the code example).
Another way to force user login or to do any other actions on the login screen is switching to the Winlogon desktop (full name WinSta0\Winlogon). You can use SwitchDesktop and SetProcessWindowStation to do this (see Window Stations and Desktops). If the service run under System account you will have all rights to do this. Depend on the configuration of your service it could be also needed to use SetTokenInformation with TokenSessionId to change the current session id. After the service process will run on the WinSta0\Winlogon desktop you can use functions like FindWindow and other GUI API to place any information in controls of the window (user name, password and so on) of other process. So you can implement more complex scenarios.
Firstly let me just say im not 100% sure how to fully complete such a application but I have a few tips.
you will need to create a Windows Service that starts during the Pre-Login, you can create a service in C#, An example of creating a C# Service is linked below:
http://msdn.microsoft.com/en-us/library/zt39148a(VS.80).aspx
Within your application you would set the property Startup Type to Automatic, This will automatically start your service on boot.
You should know that windows services run under a secure context by account so you will have to get your service to run with privs do do this.
In your Service Properties you can Click Log On and you can
To specify that the service uses the Local Service account, click This account, and then type the following NT AUTHORITY\LocalService.
To specify that the service uses the Network Service account, click This account, and then type the following NT AUTHORITY\NetworkService.
As your trying to do this remotly you will have to look at WMI (Windows Management Instrumentation) and you will be able to start/stop and send commands to your service.
Your service then would send a command to the Login Management (Not Sure of the name).
you may also wish to check this WOL class which will switch the computer on remotely as long as it supports Wake On LAN, If this is for a corporate environment then I advise you to check your network cards to make sure they are supported
http://www.codeproject.com/KB/IP/wolclass.aspx
I know of some education software that I use for schools that's called CC4 ( http://www.rm.com/shops/rmshop/story.aspx?cref=PS1026195 ) and we can do exactly what you need within this system, I'm not fully sure of how it works fully but i believe it takes the same principles described above.
I have just installed Windows Server 2003 Standard Edition and therefore IIS6 (comes as standard). I have also install the windows component that enable the administration of IIS from the browser (https://server:8098/). The problem I have is that I have to log-in to this tool but the Server Administrator u/name and p/word does not let me in.
The Windows documentation on this tool (http://support.microsoft.com/kb/324282) says "You are prompted for a user name and password that exist on the Web Server" but none of the standard user acounts on the server let me in.
Thanks,
Here are a couple ideas:
Take a look at the security log on the server for clues.
Look at the "Directory Security" tab on the properties of the admin site and ensure "Enable anonymous access" is unchecked. You will need to use "Integrated Windows authentication" or "Basic authentication". If you use Basic auth then the password is sent across then network base64 encoded - you will want to use SSL to encrypt it.
Is there a specific requirement to use the web tools? You can download Internet Information Services (IIS) 6.0 Manager for Windows XP from Microsoft and run it from a client.
I'm not so sure now, haven't set up a Win 2003 box in a while but as far as I remember you have to activate remote desktop first and then you can use a RDP client to access the server. I recommend that over the ActiveX RDP client.
Is the server part of a domain? It may be defaulting to a domain username/password combo rather than a local username/password.
Try "server.domain.local\administrator" or "administrator#server.domain.local".
I would check the permissions on that site in IIS - make sure you are using an account that is a member of a group specifically assigned permissions. I understand that the builtin admin account is not working but its possible the site permissions have changed removing that account or group. - hope that makes some sort of sense
This might be unlikely, but are you trying to use a username that has a blank password? Windows restricts remote access when using those accounts.
If that's the case, you can check the Group Policy (gpedit.msc for local computer, or the one for domains if it's in a domain.):
Computer Configuration
Windows Settings
Security Settings
Local Policies
Accounts: Limit local account use of blank passwords to console logon only