Sebastian del Rio

Abrir .evt de Windows 2003 en Windows Vista

Fri, 15 Feb 2008 15:12:07 GMT

Por si en algun momento lo intentan se encontraran con algun que otro 
incoveniente para visualizar un .evt exportado de Windows 2003 en un Windows Vista.
En el siguiente link se muestran varias soluciones aunque creo la mejor es utilizar
el Script abajo mencionado , ya que nos generara una opcion en el menu Contextual.

Aqui esta el Link

'==========================================================================
'
' NAME: ConvertEVTtoEVTX.vbs
'
' AUTHOR: Steve Paruszkiewicz, Microsoft
' DATE  : 10/04/2007
'
' COMMENT:  Adds "Convert to .EVTX" to the shell context menu for .evt files
'            calls wevtutil to convert evt file for use on Vista/Longhorn
'             then opens the converted .evtx file in event viewer
'
'            If you would later like to remove the Convert to .EVTX context
'            menu option you can delete the following registry key
'            "HKEY_CLASSES_ROOT\evtfile\shell\Convert to .EVTX\"
'==========================================================================
Option Explicit
Const LAST_MODIFIED = "10/11/2007"
Const AUTO_OPEN_EVTX = True            
'Set this to False if you want to be prompted to open the converted file instead of 
'opening autmatically


'On Error Resume Next
CheckReg()                                                
'Check to see if script is already registered - NEEDS ADMIN TOKEN ON VISTA


If WScript.Arguments.Count < 1 Then ExitScript("** No File Argument Specified **" & VbCrLf & _ 
 "Script Exiting..." & VbCrLf & VbCrLf & "Convert to .EVTX has been added to the context menu")

Dim strInputFile : strInputFile = WScript.Arguments(0)

ConvertEvtToEVTx(strInputFile)



'************************   Subs and Functions ****************************
Sub ConvertEvtToEVTx(strFileName)
    Dim Shell : Set Shell = CreateObject("Wscript.Shell")
    Dim FSO : Set FSO = CreateObject("Scripting.FileSystemObject")
    Dim strCommand, ret, shortname
    
    If Not(FSO.FileExists(strFileName & "x")) Then
        
        strCommand = "wevtutil export-log """ & strFileName & """ """ & strFileName & "x"" /lf"
    
        WScript.Echo "Converting " & strFileName & "  to .EVTX file"
    
        Shell.Run strCommand,0,True
    
    Else
        shortname = Right(strFileName,Len(strFileName)-InStrRev(strFilename,"\"))
        ret = MsgBox ("The file: " & shortname & "x" & VbCrLf & VbCrLf & "Already Exists." & VbCrLf & _ 
                       "Would you like to overwrite it?",vbYesNo+vbInformation,"File exists")

        If ret = vbYes Then
            strCommand = "wevtutil export-log """ & strFileName & """ """ & strFileName & "x"" /lf /ow:true"
            WScript.Echo "Converting " & strFileName & "  to .EVTX file"
    
            Shell.Run strCommand,0,True
    
        Else
            WScript.Echo "File already exists:  Skipping conversion."
        End If
    
    End If    
    
    WScript.Echo "WEvtUtil Command Done."
    
    If AUTO_OPEN_EVTX Then
    
        If fso.FileExists(strFileName & "x") Then 
            Shell.Run "eventvwr.exe /l:""" & strFileName & "x"""
        Else
            MsgBox "The EVTX file: " & strFileName & VbCrLf & VbCrLf & "Could not be created. " & VbCrLf & _ 
            " Please check drive space and permissions on the target folder." & VbCrLf & VbCrLf & "Script Exiting..." _ 
            ,vbOKOnly+vbExclamation,"Error"
            WScript.Quit
        End If     
        
    Else
        ret = MsgBox ("Would you like to open the .EVTX file now?",vbYesNo+vbInformation,"Conversion complete.")
        If ret = vbYes then
            
            If fso.FileExists(strFileName & "x") Then 
                Shell.Run "eventvwr.exe /l:""" & strFileName & "x"""
            Else
                MsgBox "The EVTX file: " & strFileName & VbCrLf & VbCrLf & "Could not be created. " & VbCrLf & _ 
                " Please check drive space and permissions on the target folder." & VbCrLf & VbCrLf & "Script Exiting..." _ 
                ,vbOKOnly+vbExclamation,"Error"
                WScript.Quit
            End If     
            
            Shell.Run "eventvwr.exe /l:""" & strFileName & "x"""
            
        Else
        
            WScript.Quit
            
        End If
    End If
            
End Sub 



'*** Checks to see if script has already registered right-click menu entries
Function CheckReg()
    On Error Resume next
    Dim retval, Shell : Set Shell = CreateObject("WScript.Shell")
    retval = Shell.RegRead("HKEY_CLASSES_ROOT\evtfile\shell\Convert to .EVTX\command\")
    
    If Err.Number <> 0 Then
        'WScript.Echo Err.Description & "  " & Err.Number
        Err.Clear
        AddSelfToReg()                                                    
'adds ability to run from context menu

    End If
End Function

Sub AddSelfToReg()
    ElevateThisScript()
    On Error Resume Next
    Dim strCommand, Shell
    
    Set Shell = CreateObject("WScript.Shell")
    If IsWin64bit() Then
        'Use 32-bit wscript.exe to overcome problems creating excel.application object when passing in a file on x64
        strCommand = Shell.ExpandEnvironmentStrings("%systemroot%") & "\SysWOW64\cscript.exe """ & _
        WScript.ScriptFullName & """ ""%1"""
    Else
        strCommand = Shell.ExpandEnvironmentStrings("%systemroot%") & "\System32\cscript.exe """ & _
        WScript.ScriptFullName & """ ""%1"""
    End If
    
    Shell.RegWrite "HKEY_CLASSES_ROOT\evtfile\shell\Convert to .EVTX\command\",strCommand,"REG_SZ"
        
    If Err.Number <> 0 Then
            ExitScript("Unable to write to HKEY_CLASSES_ROOT " & VbCrLf & _
            "This Script may need to be run with a full administrative token once to register context menu entries.")
    End If
End Sub

Function IsWin64bit()
    On Error Resume Next
    Dim fso : Set fso = CreateObject("Scripting.FileSystemObject")
    Dim shell : Set shell = CreateObject("wscript.shell")
    Dim Windir : Windir = shell.ExpandEnvironmentStrings("%SYSTEMROOT%")
    If fso.FolderExists(Windir & "\SysWOW64") Then
        IsWin64bit = True
    Else
        IsWin64bit = False
    End If
End Function

Sub ExitScript(ByVal MSG)
  Msg = Msg & VbCrLf
  Msg = Msg & "_______________________________________________________" & vbCrLf 
  Msg = Msg & "VBS script created by Steve Paruszkiewicz. Last modified on: " & LAST_MODIFIED & vbCrLf & VbCrLf
  DisplayMsg(Msg)
  wscript.quit   
End Sub

Sub DisplayMsg(Msg)
      On error resume Next
    Msgbox Msg
End Sub

'*********************************************************************************
'    Subroutine: ElevateThisScript()    
'
'    Author: Steve Paruszkiewicz, Microsoft
'    Last Modified:  August 2, 2007
'    
'    Purpose: (Intended for Vista and Windows Server 2008)
'    Forces the currently running script to prompt for UAC elevation if it detects
'    that the current user credentials do not have administrative priviliges
'
'    If run on Windows XP this script will cause the RunAs dialog to appear if the user
'    does not have administrative rights, giving the opportunity to run as an administrator  
'
'    This Sub Attempts to call the script with its original arguments.  Arguments that contain a space
'    will be wrapped in double quotes when the script calls itself again.
'
'    Usage:  Add a call to this sub (ElevateThisScript) to the beginning of your script to ensure
'            that the script gets an administrative token
'**********************************************************************************        
Sub ElevateThisScript()
    
    Const HKEY_CLASSES_ROOT  = &H80000000
    Const HKEY_CURRENT_USER  = &H80000001
    Const HKEY_LOCAL_MACHINE = &H80000002
    Const HKEY_USERS         = &H80000003
    const KEY_QUERY_VALUE      = 1
    Const KEY_SET_VALUE          = 2

    Dim scriptEngine, engineFolder, argString, arg, Args, scriptCommand, HasRequiredRegAccess
    Dim objShellApp : Set objShellApp = CreateObject("Shell.Application")
        
    
    scriptEngine = Ucase(Mid(Wscript.FullName,InstrRev(Wscript.FullName,"\")+1))
    engineFolder = Left(Wscript.FullName,InstrRev(Wscript.FullName,"\"))
    argString = ""
    
    Set Args = Wscript.Arguments
    
    For each arg in Args                        'loop though argument array as a collection to rebuild argument string
        If instr(arg," ") > 0 Then arg = """" & arg & """"    'if the argument contains a space wrap it in double quotes
        argString = argString & " " & Arg
    Next

    scriptCommand = engineFolder & scriptEngine
        
    Dim strComputer : strComputer = "."
        
    Dim objReg, bHasAccessRight
    Set objReg=GetObject("winmgmts:"_
        & "{impersonationLevel=impersonate}!\\" &_ 
        strComputer & "\root\default:StdRegProv")
    

    'Check for administrative registry access rights
    objReg.CheckAccess HKEY_LOCAL_MACHINE, "System\CurrentControlSet\Control\CrashControl", _
        KEY_SET_VALUE, bHasAccessRight
    
    If bHasAccessRight = True Then
    
        HasRequiredRegAccess = True
        Exit Sub
        
    Else
        
        HasRequiredRegAccess = False
        objShellApp.ShellExecute scriptCommand, " """ & Wscript.ScriptFullName & """" & argString, "", "runas"
        WScript.Quit
    End If
        
    
End Sub

Once you have the script installed, right click on a .EVT file and you should have the option to convert the file to .EVTX format as shown below:

Windows Vista Service Pack 1 Release Candidate

Thu, 24 Jan 2008 15:52:43 GMT

La verdad no me habia enterado de esto , :) pero bueno ya hay disponible una RC del Service Pack 1 de Windows Vista.

Aqui les dejo el link

http://www.microsoft.com/downloads/details.aspx?FamilyID=9de6260e-4275-482d-9524-de850c4dd91c&DisplayLang=en.

Microsoft Active Directory Topology Diagrammer (ADTD) - Topologia Active directory

Mon, 21 Jan 2008 15:51:21 GMT

Microsoft Active Directory Topology Diagrammer (ADTD)

Les dejo una utilidad sumamente util a la hora de diagramar nuestro AD, para analizar la estructura , o cuando entramos a un nuevo trabajo , o caso de consultoria y no sabemos como estan armadas las cosas , en fin ...

ADTD nos permite generar desde nuestro equipo y mediante el software Microsoft Visio un grafico de nuestra infraestructura de Active Directory de forma automática. La instalación y uso es realmente sencilla. Una vez la tengamos instalada y ejecutada nos permite seleccionar el grado de detalle, pudiendo llegar a mostrar entre otras cosas OU´s, servidores Exchange, conectores de correo, controladores de dominio y los roles que están realizando actualmente.

Una utilidad altamente recomendable que nos permite analizar gráficamente nuestra arquitectura de Active Directory e incluso poder llegar a detectar posibles problemas de diseño de nuestra infraestructura.

Para su ejecucción necesitamos tener instalado .Net Framework 2.0 y Microsoft Visio para dejar al ADTD dibujar a sus anchas.

Puedes descargar esta utilidad desde el siguiente enlace:

http://www.microsoft.com/downloads/details.aspx?familyid=cb42fc06-50c7-47ed-a65c-862661742764&displaylang=en

Ocultar Maquina en Mis sitios de Red.

Mon, 19 Nov 2007 19:17:30 GMT

:: ¿Cómo ocultar un equipo en el entorno red?

Se explica como hacer que nuestro nombre y pc no aparezca en la red, y solo se podrá acceder al pc desde la red conociendo el nombre o su dirección IP.

(DT, AGENCIAS) Para ello es necesario usar el registro de Windows, pinchamos en Inicio después ejecutar, escribimos "regedit" y pulsamos aceptar.

En el editor de registro nos vamos al siguiente registro, lo hacemos navegando por el árbol de directorios que tenemos en la parte de la izquierda hasta llegar a:

HKEY_LOCAL_MACHINESYSTEMCURRENTCONTROLSETSET SERVICESLANMANSERVERPARAMETERS

A partir de ahí creamos una nueva clave de registro, con la opción valor DWORD, poniendo como nombre de la nueva clave la palabra hidden.

Como valor del nuevo registro asignaremos un 1, el valor le podremos insertar con tan solo hacer doble clic sobre la nueva clave que acabamos de crear (hidden) o seleccionándola y dando al botón derecho y se elige modificar.

Solo resta cerrar el editor de registro y posteriormente reiniciar el sistema, los efectos de este cambio serán percibido después de minutos o incluso horas, todo esto depende del tiempo de actualización de la red local.

Cambiar Pasword Administrador Local Remotamente

Tue, 04 Sep 2007 12:23:01 GMT

Changing local admin password?

I just find a good method to change the local admin password of client PC remotely from MCPMAG. By using this method, you don't need to put the new password in script in order to make it work. You may reference this:

SysInternals offers a free too called PsPasswd
http://www.sysinternals.com/Utilities/PsPasswd.html , which
allows you to remotely reset passwords on a range of computers
on your network. The tool will also report successes and
failures of changed passwords, and allows you to run a single
command against a list of computers. Since the password is just
included within the syntax of a command that you run, it will
never be stored as plain text in a batch or script file.

To use PsPasswd, you'll first need a list of all computers in
your domain. To enumerate all computer objects in a domain,
you could run this script:

LogFile = "C:\computers.txt"
Const ForWriting = 2
Const ADS_SCOPE_SUBTREE = 2

Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"

Set objCOmmand.ActiveConnection = objConnection
objCommand.CommandText = _
"Select Name, Location from 'LDAP://DC=mcpmag,DC=com' " _
& "Where objectClass='computer'"
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
Set objRecordSet = objCommand.Execute
objRecordSet.MoveFirst

Set objFSO =
CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.CreateTextFile(LogFile, ForWriting)

Do Until objRecordSet.EOF
objFile.WriteLine objRecordSet.Fields("Name").Value
objRecordSet.MoveNext
Loop

Note that the script will output to a file named "computers.txt"
on the C drive. This could be changed by editing the LogFile
variable assignment in the first line of the script. Note that
in your environment, you will also need to change the domain
referenced in line 12. In my example, I use mcpmag.com
(DC=mcpmag,DC=com).

Once you have a list of all computers, you can then run
pspasswd.exe to change the local administrator password on
all systems in the list. Here's the syntax that I used on my
test network:

pspasswd.exe @c:\computers.txt administrator P@ssword!

Following the @ symbol in the command syntax is the path to
the file containing all computer names. The next part of the
syntax is the name of the account whose password will be
changed, followed by the new password (P@ssword!).

Now here is the output that was generated from the command:

PsPasswd v1.21 - Local and remote password changer
Copyright (C) 2003-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

\\PC1:
Error changing password:
The network path was not found.

\\BSODME:
Password for BSODME\administrator successfully changed.

Since the output will list both success and failures, you will
be able to note the systems in which the password was not
successfully changed. In my case, the system named PC1 was not
located. So I would have to ensure that PC1 was online and then
run the command a second time. (Note that PsPasswd can also be
run against a single computer.) Since the command relies on UNC
paths to connect to systems, you will need to ensure that the
target systems have File and Print Sharing enabled and that File
and Print Sharing is not being blocked by the system's firewall.
By default, the Windows XP Pro SP2 firewall does not allow File
and Print sharing. However, this can be quickly changed via
Group Policy.

As you can see, with a simple list of computers on your network,
remotely changing the local administrator password using PsPasswd
is a relatively painless process.

Activar Ip route - Windows XP

Wed, 15 Aug 2007 01:41:22 GMT

http://www.windowsnetworking.com/articles_tutorials/w2kprout.html

No se puede Abrir Agregar o Quitar Programas

Tue, 14 Aug 2007 16:11:35 GMT

If the Add/Remove Programs applet does NOT open, or flashes briefly, you may have some missing registry entries.

To fix the problem:

1. Open a CMD.EXE prompt.

2. Type regsvr32 mshtml.dll and press Enter and OK.

3. Type regsvr32 shdocvw.dll -i and press Enter and OK.

4. Type regsvr32 shell32.dll -i and press Enter and OK.

Caso de Consultoria - Implementacion de RRAS + Terminal Services

Mon, 13 Aug 2007 22:35:52 GMT

En el dia de hoy me encontre con un incoveniente de un cliente , el cual me contacto para implementar un servidor VPN, y Terminal Services para ejecutar una aplicacion remota desde una Branch Office mediante la VPN.

Escenario :
1 DC Windows 2000 Server.

Oficina Remota en Rio Negro
1 Windows 2003 Server.

Analisis de la situacion , lo primero que se chequeo es el hecho de tener licencias de Terminal Service , por el tema de VPN se verifico la existencia de un servidor DHCP, el mismo utilizaba el DHCP de un router del cual disponian. Se verifico componentes instalados , se actualizo el servidor con los ultimos parches disponibles , y manos a la Obra

El primer incoveniente que me encontre fue que no se podia abrir el SNAP IN , de Agregar o Quitar Programas, al querer abrirlo se veia un destello , pero sin dar un error ni nada no se abria la pantalla correspondiente , por lo cual no se podia agregar RRAS , ni Terminal Service , buscando un poco de informacion en internet di con un foro en el cual indicaba un Articulo con un problema similar y la solucion era registrar ciertas DLL nuevamente. Asi que agarre una maquina virtual desregistre esas DLLs , reproduci el problema , y luego las volvi a registrar volviendo todo a funcionar.

If the Add/Remove Programs applet does NOT open, or flashes briefly, you may have some missing registry entries.

To fix the problem:

1. Open a CMD.EXE prompt.

2. Type regsvr32 mshtml.dll and press Enter and OK.

3. Type regsvr32 shdocvw.dll -i and press Enter and OK.

4. Type regsvr32 shell32.dll -i and press Enter and OK.

Una vez hecho esto ya pude abrir el SNAP IN por lo cual todo fue mas rapido

Instalacion de RRAS,
Se configuro el mismo como servidor de acceso remoto. El primer problema que me encontre una vez hechoo el fowarding del puerto 1723 hacia la ip interna del RRAS server. Fue que al conectar la VPN recibia un error 733
El mismo se daba por que no habia ninguna direccion IP disponible para el cliente ( De hecho no habia DHCP) asi que se asigno un pool de direcciones desde el RRAS para los clientes VPN. Luego de eso la conexion fue normal.

Instalacion de Terminal Service en Modo Aplicacion ( Era un Windows 2000 server )
Se instalo el servicio de Terminal Services , el servidor de licencias de terminal services. Todo quedo funcionando correctamente.

La unica complicacion fue el tema del panel de Control , lo cual queria dejar en este BLOG , por si a alguien le sucede !

Problema ISA SERVER 2006 - "Setup was unable to update array storage data"

Tue, 10 Jul 2007 13:05:17 GMT

El dia Sabado estuve tratando un incoveniente con un cliente, el cual para ponerlos en escenario tenia instalado un ISA SERVER 2006 EE, funcionando correctamente , tenia la necesidad de agregar un segundo Nodo de ISA SERVER 2006.

Escenario:
Maquina instalada y funcionando
ISASRV01

1 Windows 2003 SP2 - ISA SERVER 2006 EE - Configuration Storage Server + Array Member

Maquina a Instalar
ISASRV02

1 Windows 2003 SP2 - ISA SERVER 2006 EE - Configuration Storage Server + Array Member
3 Placas de Red.

LAN , Conectada a la Red Interna

DMZ , Conectada a la DMZ

Intra Array , Cable cruzado conectado de maquina a maquina para comunicacion entre servidores.

Al querer agregar la segunda maquina como una replica del Configuration storage server ISASRV01 , obtenia el siguiente error mientras se efectuaba la instalacion y luego daba un rolling Back, y se paraba la instalacion. El error que recibia era el siguiente.

"Setup was unable to update array storage data. To update storage data,
there must be connectivity between this computer and at least one ISA
server array member and between that array member and the configuration
storage."

Pruebas efectuadas.
En primer punto se chequeo que el ISASRV01 estuvieran todos los servicios Arriba.
Se probo conectividad, utilizando ping desde ambas maquinas tenian conectividad una con la otra.

Despues de chequear y chequear , el cliente me comento que habian estado haciendo pruebas con NLB y luego sacaron un servidor antiguo, asi que me fui al ISASRV01 y empece a chequearlo.
El problema era el siguiente , cuando se tiene mas de un servidor ISA SERVER 2006 interconectados uno debe configurar mediante que placa de red se comunican los mismos,

Esto se hace desde,
Array - MyArray - Configuration - Servers
Ahi en mi server Boton derecho y Propiedades. En la solapa Communication la primer opcion es "Use This IP Addres for communication with array members"
Este campo tenia ingresado 0.0.0.0 solo se cambio esa opcion por la IP de la placa Intra Array Local.

Luego el Wizard siguio correctamente y se pudo efectuar la instalacion de manera correcta.

Bueno espero le sirva de ayuda a alguien :)

IsaBPA Version 5 - ISA Best Practices Analyzer

Thu, 05 Jul 2007 14:11:06 GMT

Una nueva version del Best Practices Analyzer , aqui les dejo algunas de las nuevas mejoras. ( No tenia ganas de traducir todo :) )

The ISA Server Team is excited to announce the version 5.0 release of the Microsoft© ISA Server Best Practices Analyzer Tool (IsaBPA V5).

New in Version 5 of IsaBPA:

ü ISA Data Packager (IDP) GUI – The IDP collects all information needed for troubleshooting with a single click. For this version, we added a GUI for our data collection tool. This GUI will allow easier configuration and better use of the IDP.

ü BPA2Visio – we added a super cool application that takes the IsaBPA report and converts this report into a Visio network diagram, so that the ISA administrator or the support engineer can see how the ISA Server views its environment (networks, published web/non-web servers/server farms, CSS, VPN sites and clients). You need to have Visio 2003 or Visio 2007 installed on one of your machines (not necessary the ISA Server machine). Check out this screenshot!

ü We added new checks to Version 5. There are now 218 rules, and more than 900 settings are displayed. The focus of this release was to target Windows Server SP2 issues. This new suite joins the Hardware, Authentication, OWA, SSL Certificates, Site-to-site VPN with IPsec, WPLB, Branch Office, and logging suites that were introduced in previous IsaBPA versions.

ü More documentation. The documentation (UE) team enhanced the Help file. It now contains more than 100 pages. You can now find which checks are being performed, how to operate the IsaBPA, and of course how to fix the found issues.

ü Bug fixes. We fixed a few bugs that were discovered in the previous version.

You can get the IsaBPAv5 using the integrated live update mechanism or by simply going to http://www.microsoft.com/downloads/details.aspx?FamilyId=D22EC2B9-4CD3-4BB6-91EC-0829E5F84063&displaylang=en and downloading the new version. The tool requires .NET 1.1 framework and above.

Leer Direccion Ip en MDF de ISA SERVER 2006

Tue, 26 Jun 2007 14:39:27 GMT

Muchas veces los administradores de redes, precisamos hacer auditoria por ejemplo de la Navegacion en Internet que pasa por nuestro ISA SERVER. En principio y como regla basica para poder hacer una auditoria de este tipo , todos nuestros clientes deben salir a internet por el ISA ya sea como clientes Web Proxy o Secure Nat. Isa server 2006 trae de por si algunas opciones de reporte las mismas se encuentran en Monitoring - Reports el problema es que no son muy completos y muy poco flexibles estos reportes , por lo cual podemos utilizar programas de terceros como GFI Web monitor.

Si asi y todo necesitamos hacer una auditoria utilizando la base de datos del ISA SERVER , veremos que la direccion IP aparece cifrada , aqui les dejo una respuesta de un post de Technet , donde se explica como descifrar este numero y pasarla a la lengua de Cervantes.

1. Primera abris la calculadora de Windows y la pones en la vista Cientifica.

2. Asegurate que este seleccionado el modo DEC y pegas tu número 3232236068 .

3. Ahora moves la selección de DEC a HEX eso como resultado te va a dar C0A802224 que son los 4 octetos juntos en HEXA, cada octeto son 2 números hexa.

4. Ahora tomas de a pares del número en HEXA y haces el procedimiento inverso por cada par en la calculadora y te queda conformada tu IP:

CA = 192

A8 = 168

02 = 2

24 = 18

La IP que te muestra es 192.168.2.18 ==> C0.A8.02.24 ==> C0A80224 ==> 3232236068

Certificacion Windows 2008 - MCSE ha muerto

Tue, 26 Jun 2007 14:03:18 GMT

I watched the Microsoft webinar on the new Server 2008 (formerly Longhorn) certifications last week and came away feeling a little underwhelmed. In case you didn’t know already the MCSE is “dead” for Server 2008 and they are moving on to a “job based” approach to their certifications. Read on for more details.

Windows Server 2008 MCTS Certifications
To begin with, there will be several Microsoft Certified Technology Specialist (MCTS) exams that you can take to certify specific skills on the Server 2008 platform. These are roughly equivalent to becoming a MCP in Windows 2000/2003. You will earn MCTS certification for each different exam that you pass. Here are the initial MCTS exams that will be released:

70-640 MCTS: Configuring Windows Server 2008 Active Directory
70-642 MCTS: Configuring Windows Server 2008 Network Infrastructure
70-643 MCTS: Configuring Windows Server 2008 Application Platforms

70-640 and 70-642 are no surprise but 70-643 is interesting. It will cover Internet Information Services (IIS 7) and Microsoft Virtual Server among other things. Pretty cool. These exams are scheduled to be available 30 days after Server 2008 goes RTM.

Windows Server 2008 MCITP Certifications
There are two different Server 2008 tracks, the Server Administrator and the Enterprise Server Administrator. Both of these are MCITP level certifications, requiring multiple exams. These are the highest level of certification (outside of the MCA program) that you can attain. Here are the requirements for each.

Windows Server 2008 Administrator:
70-640 Active Directory
70-642 Network Infrastructure
70-646 Windows 2008 Server Administrator Exam
***Only 3 exams required; the MCTS exams 70-640 and 70-642 and the main MCITP exam for this track, 70-646

Windows Server 2008 Enterprise Administrator:
70-640 Active Directory
70-642 Network Infrastructure
70-643 Applications Platform
70-620 OR 70-624 Windows Vista Client
70-647 Windows Server 2008 Enterprise Administrator Exam
***5 exams required; the MCTS exams 70-640, 70-642, 70-643, 70-620 (or 70-624) and the main MCITP exam for this track, 70-647

The two MCITP exams are schedlued to be available 60 days after Server 2008 goes RTM.

Do I lose my MCSE/MCSA?
No. You get to keep your MCSE or any credential earned under the Windows 2000/2003 certification track. You essentially have a “MCSE in Windows 2003″ (for example). However, you do not become a “MCSE in Windows 2008″, because the MCSE no longer exists. You will have to upgrade to one of the MCITP certifications referenced above. Your Windows 2000/2003 certifications will not expire and will continue to be valuable as long as Windows 2000/2003 is used on company networks. If you are currently working on your MCSE/MCSA keep working on it…it is still valuable and will provide you with excellent base knowledge that will also apply to Windows 2008.

Can you upgrade your MCSE/MCSA to Windows Server 2008 Certifications?
Yes, there is an upgrade path but only for WINDOWS 2003 MCSEs and MCSAs. If you are certified in Windows 2000, you must upgrade to Windows 2003 first or just take the Windows 2008 exams individually. Here are the upgrade details:

Windows 2003 MCSE - Pass the 70-649 (upgrade) exam and you do not have to take 70-640, 70-642, 70-643. You DO have to take the MCITP: Enterprise Server Administrator exam and the Vista client exam.

Windows 2003 MCSA - Pass the 70-648 (upgrade) exam and you do not have to take 70-640, 70-642. You DO have to take the MCITP: Server Administrator exam.

My Thoughts on the Windows 2008 Certifications
Like I said in the opening, I came away a little underwhelmed. It just seems like the main MCITP certifications do not have enough substance. I am all for simplicity (only 2 or 3 different professional tracks) but I would like to see a few more exams attached to the higher level certs to make them a little tougher to attain. I also think it will be a bit clunky to say (or put on a resume), “I am a MCITIP: Enterprise Administrator, MCTS: ISA Server, MCTS: Exchange Server”, etc. There should be one certification (probably the Enterprise Administator certification) that requires Exchange Server, ISA Server and perhaps SQL Server knowledge, in addition to all of the core Windows Server 2008 requirements. This would be of value to companies and IT professionals alike.

What do you think?

Looking for more information on Windows Server 2008 Certifications? Check out Trika’s Microsoft site; it is loaded with Microsoft certification information and she is very helpful.

Digg Us! If you like this post, please help us out and vote for us at Digg!

Log Inicio y Cierre de Sesion

Tue, 19 Jun 2007 18:44:45 GMT

Muy frecuentemente preguntan en los foros de Technet como auditar los eventos de Inicio - Cierre de Sesion a lo que normalmente se responde que se puede hacer mediante la politica de Auditoria , aca les dejo un metodo alternativo el cual nos dejara un log , el cual sera mas practico que mirar el Event Viewer :)

Crear los siguientes archivos con el notepad o su editor de texto favorito

------logon.cmd----
echo logon %username% %computername% %date% %time% >> \\dc1\carpeta\logon.log

-----logoff.cmd-----
echo logoff %username% %computername% %date% %time% >> \\dc1\carpeta\logoff.log

Ahora deberemos incluir estos dos archivos dentro de la Default Domain Policy por ejemplo para que se ejecuten al inicio y cierre de sesion
User Configuration-> Windows Settings-> Scripts (Logon/Logoff)-> Logon
User Configuration-> Windows Settings-> Scripts (Logon/Logoff)-> Logoff

Como resultado veremos nuestros dos archivos con los siguientes contenidos , los cuales seran bastante mas facil de consultar en el caso de tener que auditar Inicio - Cierre de Sesion

logon Richard WS01 Tue 22/02/2005 10:39:51.12
logon Peter WS02 Tue 22/02/2005 10:42:01.07

logoff Richard WS01 Tue 22/02/2005 10:41:08.45
logoff Peter WS02 Tue 22/02/2005 10:42:46.81

Espero les sirva

Denegar ejecucion de Software

Tue, 19 Jun 2007 16:13:06 GMT

If you missed the first part in this article series please go to Default Deny All Applications (Part 1).

Introduction

Since Windows XP, administrators around the world have had the option to define Software Restriction Policies (SRP) for their client computers to control what software is allowed, or not allowed, to run. So far too few organizations have implemented this functionality despite the fact that it could actually bring a very high level of security, depending on how it is enforced. In this second article about SRP we will look at how to implement what we could also refer to as “software filter policies”.

Danger zone

Before we get too far it is important to point out that, prior to introducing SRP on production computers, you should plan and test them thoroughly. This can be done in Active Directory (AD) by isolating a single test machine or user object in an Organizational Unit (OU) or by setting “Apply Group Policy” permission on the Group Policy Object (GPO) to only that single test-machine or -user account. SRP can even be used on Stand-alone computers if you don’t want to touch the production environment at all. I would recommend you use virtual machines for basic testing and ‘production-like’ machines for the final tests. After heavy testing, the SRP should be implemented on pilot users in groups – it’s better to take small steps than hurrying into disaster!

The overall process

Mistakes in the design or implementation of this can cause considerable user frustration, and even loss of money or productivity, so watch out as you go along. This takes a lot of planning work, testing and probably some maintenance from the day it is introduced in the production environment. From that point on you will be able to sleep tight at night…

The following list gives a quick view of what to have in mind when introducing SRP in a Windows environment.

When designing the SRP setup, different decisions must be made, for example:

Decide between user and computer GPOs: what AD objects should the SRP policies apply to?
Decide between a Blacklisting (BL) and a Whitelisting (WL) approach (WL is recommended if possible)
If using the BL approach, a list of everything that should not run must be made
If using the WL approach, a list of everything that should run must be made
Decide what SRP options to use (enforcement, designated file types, administrator exceptions etc.)
Decide what type of rules to use (path, HASH, certificate or Internet zone)

When testing the SRP setup, different steps must be taken, for example:

Test the basic functionality in a virtual lab (using Virtual PC/Server, VMware or similar)
Test the functionality in your environment by using ‘production-like’ machines (and user accounts)
Test with small groups of pilot users in steps of 5-10 users over a few weeks, then scale up
Continue to the next pilot group only after successful implementation for the previous pilot users
Be sure to test all the different user types and machine types you need to secure with SRP
Be sure to test upgrade scenarios, like patching of the operating system, upgrading third party applications, migrations etc.
Also focus on performance on the different hardware in your organization. Implementing SRP will in most cases affect system performance a bit, depending on how it is implemented (see the part about Trusted Publishers)
Sometimes applications launch other applications, make sure this is under full control
By default Desktop and Start Menu shortcuts (.LNK) are blocked, make sure to modify this as needed
Be sure that any admin scripts (e.g. login scripts in SYSVOL/NETLOGON shares etc.) are able to run

Before introducing SRP in production, some procedures should be in place:

Introduce a written workflow on how applications, updates etc. should be tested, approved and introduced on the network, so everybody is aware of the procedures required
Be sure that management knows SRP pros and cons and that they agree on the decision to introduce it
Have a fallback plan on how to get rid of the SRP GPOs fast, for certain users, groups, computers, sites etc.
User education: inform users why SRP is important and what the procedure is to acquire new software
A small tip: Put descriptions on SRP rules, over time a good naming convention will save you some time

Different paths to SRP

Configuring a Software Restriction Policy is basically only a few steps:

Creating a User or a Computer GPO and placing it on a Site, Domain or OU (or as a local policy) and enabling SRP within the Group Policy. The SRP settings are located here (see Figure 1):

Computer Configuration| Windows Settings | Security Settings | Software Restriction Policies
User Configuration | Windows Settings | Security Settings | Software Restriction Policies

The first time SRP is introduced in a GPO, the option “New Software Restriction Policies” will be available.

Figure 1

Setting the Default Security Level. Figure 2 shows how the level is set by right-clicking the wanted level and choosing “Set as default”.
- The default level is ‘Unrestricted’ which means that all software can run and that additional rules for disallowed software should be made – this is also known as Blacklisting.
- The most secure level is ‘Disallowed’ which means that no software can run and that additional rules for allowed software should be made – this is also known as Whitelisting.
- By default the system creates a few rules that allow the operating system to run without any inconvenient blocking
  NB! If those rules are removed or changed without any thought, the affected system(s) could become unusable.

Figure 2

With Windows Vista and Longhorn we have a new level called ‘Basic User’ which allows programs to execute as a user that does not have Administrator access rights, so the user can access resources accessible by normal users only. This level is not addressed any further in this article.

File types can be removed and added to fit any environment, but the default file type list includes the most common executables: BAT, CMD, COM, EXE, HTA, LNK, MSI, OCX, PIF, REG & SCR and in addition these extensions: ADE, ADP, BAS, CHM, CPL, CRT, HLP, INF, INS, ISP, MDB, MDE, MSC, MSP, MST, PCD, SHS, URL, VB & WSC.
Note: As the Designated Files Type Properties dialog states, the list is “in addition to the standard program file types, such as EXE, DLL and VBS” – I haven’t been able to get a complete list of those, but I have confirmed that VBS, VBE, JS and JSE are blocked even though they are not in the list. I would have preferred a single list administrators around the world could change as needed, but that’s how it is.

Figure 3

Setting up exceptions to the Default Security Level. These are known as ‘Additional Rules’. Please see the subject “Additional Rules” in this article for further information.
Configuring ‘Enforcement Properties’. See Figure 4, this includes:
- “All software files”: We have the option to check DLL’s (Dynamic Link Libraries) when they are executed too. This is not a default setting and will have some impact on both performance and planning/implementation/maintenance tasks.
- “All users except local administrators”: Here we can choose whether or not SRP should apply for Local administrators. By default all users are hit by SRP. This policy option is only relevant for computer policies.
- “Enforce certificate rules”: Option to choose whether or not to use certificate rules should be applied. Note: As stated in the dialog in Figure 4 “Certificate rules will negatively impact the performance of your machine”.

Figure 4

Configuring ‘Trusted Publishers Properties’, also known as Authenticode policy options (see Figure 5). In this dialog we can choose who should be able to select Trusted Publishers for certificate rules. We also have an option to verify whether a certificate is revoked or not, and/or to check if the timestamp is valid when it is added.

Figure 5

Additional Rules

When configuring Additional Rules, a method - or a couple of methods - on how to indentify software should be decided. We have 4 different software identification methods available:

HASH rules

HASH’es are cryptographic fingerprints that remain regardless of the file name and location. These are especially good when using WL, but not that effective when BL (the reason for this is partly described by the ProduKey example in my first SRP article): An MD5 or SHA-1 HASH gives strong software identification of the ‘ProduKey.exe’ binary file, so allowing a specific HASH value to run makes sure that only that version of the executable can run. However, disallowing a specific HASH only affects one version (or compilation) of the application and a smart user can change the file pretty easily so it is identified as another (unknown) piece of software. The word ‘unknown’ is very important in this matter – it’s really the key to decide between BL or WL – do we want users to be able to execute software we don’t know, yes or no?

If users should not be able to run an old version of a specific application, let’s say it’s ‘buggy’ and causing system crashes, using a ‘deny this HASH value’-rule would be a good decision. Please keep in mind that a new version of a given application will always result in a new HASH value that must be allowed – or disallowed.
Certificate rules

Certificate rules uses signed hashes and provides very strong software identification, but as we trust a given certificate we actually trust all software signed with that specific certificate. This could be a good thing or a bad thing. It’s a good thing if we, for instance, get an application from a third party vendor who signed all the significant files in the application (maybe including DLLs), so instead of making a given number of HASH rules we can just create a single rule that trusts the certificate and we are up and running. But, let’s say I trust a digital certificate used to sign some tool from Microsoft (or any other software vendor) – now my users are able to run all applications signed by that specific certificate… Hmm, so the problem is to know exactly what applications were signed by that certificate? Without that knowledge we don’t know what we have allowed. Instead of allowing just the single application we needed for our users, we might have allowed hundreds of applications from the vendor to run on our systems.

Testing of Certificate rules can be done by using these tools: File Signing Tool (Signcode.exe) & Certificate Creation Tool (Makecert.exe).
Path rules

Path rules are the most common and “easy-to-use” rules we have. Path rules can deny or allow a file on a specified location (e.g. “C:\Scripts\Script.VBS”), a filename (e.g. “Script.VBS”), a folder (e.g. “C:\Scripts”), a UNC path (e.g.”\\SERVER\SHARE\File.VBS”) or a registry path (e.g. “%[Registry Hive]\[Registry Key Name]\[Value Name]%”). Path rules can use environment variables (e.g. “%WINDIR%”) and the wildcards ‘?’ = one char (e.g. “\\SERVER??\Share\Script.VBS”) and ‘*’ = any number of chars (e.g. “*.VBS”).

If you are using path rules a few things need to be addressed:
- If a given folder path is set, this also effects all executables in all subfolders
- If a user has write access to a folder that is set to Unrestricted, the user can copy any file to that directory and execute it from there. The design should take care of this issue, perhaps by introducing ACL (Access Control List) settings by the use of Group Policies
- If the user has write access to an executable that is specified as Unrestricted, the user could overwrite that executable with another one to circumvent the SRP
- If a folder path includes environment variables, like %TEMP%, even a limited user could change the user environment variables by using the SET command to another path (SET TEMP=C:\MyFolder) – and suddenly the user can control what software can be run by copying executables or scripts to that path.
As stated above, users may try to rename or move disallowed files – or overwrite unrestricted files to circumvent the SRP – this is why HASH or Certificate rules are normally considered ‘best choice’.
Internet Zone

Internet Explorer security zones can be used to control software installation and applies to only Windows Installer packages (.MSI) that are run from one of the default Internet zones. These rules are not that common to use.

When multiple rules are used they are evaluated in the order mentioned above, the default rule will be evaluated as the last rule – the most specific match will take precedence.

SRP Limitations

Some limitations of SRP must be taken into consideration. The scope of Software Restriction Policies is not the entire operating system as you might expect. SRP do not apply to the following code:

Drivers or other kernel mode software installed
Any program executed by the local SYSTEM account
Macros inside of Microsoft Office documents (we have other ways to block those by using group policies)
Programs written for the common language runtime (these programs use the Code Access Security Policy)

Conclusion

Software Restriction Policies demands a special, and time consuming, workflow when introducing new software and updates in the environment, but besides from that it brings a level of security so much higher than with the “default allow all” setup. Some environments might not be suited for SRP, but my guess is that most networks have computers and/or users for which the SRP technology is ‘spot on’.

It takes dedication, understanding and hard work to implement a “Default Deny” policy – which might be why it is seldom done… One thing is certain, implementing such policies in the correct way will make sure the network administrators can sleep much better at night.

Over the next couple of years it will be interesting to see if Microsoft will continue to develop this part of the Group Policy environment - or if something even better arrives, who knows…

External links

KB 324036 How To Use Software Restriction Policies in Windows Server 2003

Technet: Using Software Restriction Policies to Protect Against Unauthorized Software (Vista/Longhorn)

Technet: Software Restriction Policy for Windows XP Clients

If you missed the first part in this article series please go to Default Deny All Applications (Part 1).

Algo parecido a QoS en ISA SERVER 2004/2006

Tue, 19 Jun 2007 14:39:13 GMT

One of the new features in ISA 2004 SP2 is Diffserv. Diffserv is a method of packet prioritization that applies to all web traffic passing through an ISA 2004 SP2 Server. Using the Diffserv Web filter, the ISA server can scan the Uniform Resource Locator (URL) or domain name and apply packet priority using DiffServ bits.

The Diffserv web filter has been given a high priority, and is near the top in the list of Web filters. The Diffserv web filter must be made aware of the size of the request/response being sent and has to inspect the data when it is being sent/recieved by the ISA server. It is crucial that you do not change the priority of the Diffserv web filter. Before we get started configuring this, you should be aware of the following: - Diffserv prioritization only applys to HTTP and HTTPS traffic - ISA may strip Diffserv bits for traffic using other protocols - First packet priority is not assigned to responses coming from the cache - By default, the size of the first chunk is not taken into account for first packet priority To begin, open the ISA Management MMC and expand the Configuration node and then click on General. Click on Specify Diffserv Preferences.

On the General tab, ensure the box next to "Allow the setting of Diffserv bits according to URLs and domain names" is checked.

On the Priorities tab, click Add to create a priority. Enter the name for the priority and the Diffserv Codepoint. The Codepoint is a 6-digit binary value which specifies the priority level. There is more information about the different Diffserv Codepoints at the end of this article. For this example we will use 100110 which is one of the high priority Codepoints.

Add another priority called Low and give it a value of 001010.

Next select the URLs tab and click Add. Enter the URL (wildcards are supported) and choose one of the priorities you created in the previous steps.

Here I have added two URLs, one with high priority and one with low.

URL Diffserv settings only apply to HTTP traffic. If you wish to set priorities to HTTPS traffic you must use the Domains setting.

Finally, under the Networks tab, you can choose which Network Sets to apply the Diffserv filter to.

Once you are done configuring the Diffserv preferences, apply the configuration to the ISA server and you are good to go!

For more information see:

SQL server Katmai. Nuestro sql 2005 ya es viejo ;)

Wed, 30 May 2007 10:22:41 GMT

Ya hay datos de la nueva version de SQL la cual promete un cambio radical en el producto , mas informacion en la url.

http://www.microsoft.com/latam/technet/articulos/tn/2007/may-01.mspx

Windows Longhorn tiene Nombre !

Wed, 16 May 2007 15:48:32 GMT

Finalmente Longhorn tiene nombre!

Windows Server 2008

Mas info:

http://www.microsoft.com/windowsserver2008/default.mspx

Crear archivos ejecutables , a partir de un script.

Thu, 05 Apr 2007 12:12:52 GMT

Les dejo una utilidad excelente en el caso de que necesitemos encapsular ciertos script, por ejemplo si tenemos codigo que no queremos que otro vea , como ser un password en texto plano.

Se trata de una utilidad de Windows vista / Windows XP iexpress.

En la siguiente URL encontraran informacion al respecto.
http://www.petri.co.il/create_executable_with_iexpress.htm

Agregar informacion al registro - Muy interesante.

Wed, 04 Apr 2007 14:35:22 GMT

RegPol

Description

This command line utility enables you to import .REG files even if the Group Policy is set to restrict the registry editing tools.

If you use this policy setting, just use regpol.zip to import .REG files instead of the traditional 'Regedit –s' and 'Reg import'.

Requirements: Windows 2000/XP/2003

Current version: 1.2.8

Version highlights: Minor fixes

"Windows Registry Editor Version 5.00" error
“Subscript out of range" error

Download

Download regpol.zip (11kb)

Windows Vista UAC - La operación solicitada requiere elevación

Wed, 04 Apr 2007 02:03:41 GMT

Esto tiene que ver con el UAC (User Acces control) y es una de las nuevas caracteristicas en cuanto a seguridad de Windows Vista. basicamente necesitas un privilegio superior al que tienes en ese momento. Afortunadamente esto se puede modificar desde las politicas de grupo Locales.

Configuración de seguridad local->Directivas locales->Opciones de seguridad

Para iniciar el administrador de directivas de seguridad, haga clic en el botón Inicio, seleccione Ejecutar, indique el nombre del programa secpol.msc en el cuadro de diálogo Ejecutar y, a continuación, haga clic en Aceptar.
Nombre de la directiva: Control de cuenta de usuario: comportamiento del indicador de elevación
Descripción determina cómo se notifica a un usuario antes de ejecutar un programa con permisos superiores.
• No preguntar: eleva los privilegios en modo silencioso.
• Pedir consentimiento: pregunta al usuario si desea continuar (Sí/No).
• Pedir credenciales: exige la contraseña de inicio de sesión del usuario antes de continuar (*).

Esta directiva sólo se aplica cuando UAC está habilitado.

Nota: en la mayoría de los casos, la selección de No preguntar NO es recomendable. Permitiría a las aplicaciones de UAC iniciar aplicaciones de administrador sin su conocimiento ni consentimiento.
Nota: el asterisco (*) indica la configuración predeterminada.