Monday, May 3, 2010

DHCP Reservations via PowerShell and Exported .CSV Leases File

Ran into an issue with having to transfer DHCP reservations from one stand-alone Windows 2008 server to a Windows 2008 R2 server. When I tried the export and import netsh commands they failed. Not wanting to manually create a whole class C's worth of reservations again, I came up with this more efficient method.

Basically, here are the steps: log onto the old DHCP server and export the current leases to a .csv file. Copy that file over to the new DHCP server. Place the PowerShell script (code listed below) into the same directory as the .csv file. Then run the script and watch the happiness.


Found the idea for the Add-Content part via another site. PowerShell is such an interesting creature.


#-------------Code from dhcpRes.ps1-----------------------------------------------------------

# IP Address of the Current DHCP Server Running the Script
$server = "192.168.2.1"

# The Scope IP Address
$scope = "192.168.2.0"

# Netsh Commands File (generated by this script)
$commands = "dhcp.txt"

# Exported .CSV File of DHCP Leases from Other DHCP Server
$leases = import-csv "dhcp.csv"

# Start from an empty commands file; add-content appends, so a second run would
# otherwise feed netsh every reservation twice
if (test-path $commands) { remove-item $commands }

# One "add reservedip <IP> <MAC> <name>" line per lease, using the MAC as the reservation name
$leases | % {
    add-content -path $commands -value "dhcp server $server scope $scope add reservedip $($_.'Client IP Address') $($_.'Unique ID') `"$($_.'Unique ID')`""
}

# Run the generated command file through netsh
netsh exec $commands


#End of Code
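The script above copies the CSV fields straight into the netsh command file. As an added example (my own code, not the post's script), here is the same CSV-to-netsh conversion written to validate each row first: the IP must parse and fall inside the scope, the Unique ID must reduce to exactly 12 hex digits, and duplicate IPs are dropped, so that a malformed or oddly quoted field can never end up as a stray line in the command file. The column names are the ones the script reads; the sample export, the scope and the /24 prefix are constructed, and the MAC is normalized to a dash-free 12-hex-digit form (an assumption; adjust if your netsh expects the exported form).

```python
import csv
import io
import ipaddress
import re

# Column names exactly as dhcpRes.ps1 reads them from the exported leases file.
IP_COLUMN = "Client IP Address"
MAC_COLUMN = "Unique ID"

# Constructed sample export (not a real server's data). Rows 3-6 each carry one defect:
# outside the scope, non-hex MAC, duplicate IP, and a quoted field with an embedded newline.
SAMPLE_CSV = (
    "Client IP Address,Name,Lease Expiration,Type,Unique ID\n"
    "192.168.2.10,host-a.example.test,5/10/2010 8:00:00 AM,DHCP,00-11-22-33-44-55\n"
    "192.168.2.11,host-b.example.test,5/10/2010 8:00:00 AM,DHCP,001122334456\n"
    "10.0.0.5,stray.example.test,5/10/2010 8:00:00 AM,DHCP,00-11-22-33-44-57\n"
    "192.168.2.12,bad-mac.example.test,5/10/2010 8:00:00 AM,DHCP,00-11-22-33-44-ZZ\n"
    "192.168.2.10,dup.example.test,5/10/2010 8:00:00 AM,DHCP,00-11-22-33-44-58\n"
    "192.168.2.13,odd.example.test,5/10/2010 8:00:00 AM,DHCP,\"00-11-22-33-44-59\nnot a mac\"\n"
)

HEX12 = re.compile(r"[0-9A-F]{12}")


def normalize_mac(raw):
    """Drop the usual separators and upper-case; accept only exactly 12 hex digits."""
    mac = re.sub(r"[-:.]", "", raw.strip()).upper()
    return mac if HEX12.fullmatch(mac) else None


def build_reservations(csv_text, server, scope, prefixlen=24):
    """Return (commands, rejected): netsh lines for valid rows, (record, reason) for the rest."""
    network = ipaddress.ip_network(f"{scope}/{prefixlen}", strict=False)
    commands, rejected, seen = [], [], set()
    for record, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=1):
        ip_text = (row.get(IP_COLUMN) or "").strip()
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            rejected.append((record, f"unparseable IP {ip_text!r}"))
            continue
        if ip not in network:
            rejected.append((record, f"{ip} is outside scope {network}"))
            continue
        mac = normalize_mac(row.get(MAC_COLUMN) or "")
        if mac is None:
            rejected.append((record, f"{ip}: Unique ID is not a 12-hex-digit MAC"))
            continue
        if ip in seen:
            rejected.append((record, f"{ip}: duplicate IP (first reservation kept)"))
            continue
        seen.add(ip)
        # Only the validated IP and the normalized MAC reach the command line, never raw fields.
        commands.append(
            f'dhcp server {server} scope {scope} add reservedip {ip} {mac} "{mac}"'
        )
    return commands, rejected


def write_commands(path, commands):
    """Write the command file fresh each run (the script's add-content appends instead)."""
    with open(path, "w", encoding="ascii", newline="\r\n") as fh:
        for line in commands:
            fh.write(line + "\n")
    return len(commands)


if __name__ == "__main__":
    cmds, bad = build_reservations(SAMPLE_CSV, "192.168.2.1", "192.168.2.0")
    for line in cmds:
        print(line)
    for record, reason in bad:
        print(f"# skipped record {record}: {reason}")
```

Run it in the directory holding the export, review the skipped records, then hand the written file to netsh exec as the post does; the rejected list is the part worth reading, since a reservation the old server had for an address outside the new scope is exactly the row you want to notice rather than silently create.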

Friday, February 12, 2010

Windows 2008 TS RemoteApp

Last month I pushed out a legacy application using Windows 2008 Terminal Services RemoteApp. I was very pleased with how easy it was and I won't go into setting up RemoteApp since there is more than enough documentation online for that; however, I will give a couple of points to consider.
  1. RemoteApp opens on the primary monitor and cannot be moved to another
  2. Disable the user screen saver on the terminal server. Otherwise, a user that leaves the RemoteApp up but idle will lock out their session on the server and they will need to restart the RemoteApp.
  3. Since closing the RemoteApp won't log the user off the terminal server, limit the user's sessions on the server. This can be done either through a group policy or RemoteApp settings on the server.
Numbers 2 and 3 can be done easily via group policy. Here are the settings I applied to the terminal server.

Computer Configuration / Policies / Administrative Templates / System / Group Policy
User Group Policy loopback processing mode = Enabled (Mode - Merge)

Computer Configuration / Policies / Administrative Templates / Windows Components / Terminal Services / Terminal Server / Session Time Limits
Set time limit for active but idle Terminal Services sessions = Enabled (Idle session limit - 16 hours)
Set time limit for active Terminal Services sessions = Enabled (Active Session limit - 16 hours)
Set time limit for disconnected sessions = Enabled (End a disconnected session - 1 hour)
Set time limit for logoff of RemoteApp sessions = Enabled (RemoteApp session logoff delay - 30 minutes)
Terminate session when time limits are reached = Enabled

User Configuration / Policies / Administrative Templates / Control Panel / Display
Screen Saver = Disabled

Wednesday, January 27, 2010

Fun C# ASP.NET Page for Lotto Numbers

To lighten the mood in my office, I came up with a fun C# ASP.NET page to randomly display lotto numbers. It's configured for the Cali lotto format but you can easily modify it for whatever state you're in. Enjoy.

using System;
using System.Collections;   // needed for ArrayList
using System.Web;
using System.Text;

public partial class numbers : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {

    }

    // Button click handler: five distinct numbers plus a separately drawn mega number
    protected void GetLottoNumbers(object sender, EventArgs e)
    {
        ArrayList arlNum = new ArrayList();
        Random RandomClass = new Random();

        // Random.Next's upper bound is exclusive, so 57 gives 1..56 (the Cali Mega Millions range)
        while (arlNum.Count < 5)
        {
            int g = RandomClass.Next(1, 57);
            if (!arlNum.Contains(g))
            {
                arlNum.Add(g);
            }
        }

        arlNum.Sort();

        pnlNum.Visible = true;
        lblN1.Text = arlNum[0].ToString();
        lblN2.Text = arlNum[1].ToString();
        lblN3.Text = arlNum[2].ToString();
        lblN4.Text = arlNum[3].ToString();
        lblN5.Text = arlNum[4].ToString();
        // Mega number comes from its own pool (1..46), so it may repeat one of the five
        lblN6.Text = RandomClass.Next(1, 47).ToString();
        btnNumbers.Text = "Get Another Set";
    }
}


-----------------------Portion of numbers.aspx------------------------------

<h2>IT Retirement Numbers</h2>
<hr />
<p><strong>Would you like to see some IT retirement numbers?</strong></p>

<asp:Button ID="btnNumbers" runat="server" Text="Get Numbers" OnClick="GetLottoNumbers" />

<asp:Panel ID="pnlNum" runat="server" Visible="false">

<br />
Here you go...

<asp:Label ID="lblN1" runat="server" Width="20" />

<asp:Label ID="lblN2" runat="server" Width="20" />

<asp:Label ID="lblN3" runat="server" Width="20" />

<asp:Label ID="lblN4" runat="server" Width="20" />

<asp:Label ID="lblN5" runat="server" Width="20" />

and mega number
<asp:Label ID="lblN6" runat="server" Width="20" />
</asp:Panel>

Friday, January 22, 2010

OpenBSD Transparent Firewall for Server Room Switch

Below is the rule set for an OpenBSD transparent firewall to protect servers on the same switch from unauthorized hosts on the local network. This ruleset assumes that there is a network firewall in place and only filters on MAC addresses of the local network clients and devices.

The firewall is set up with three network interfaces and sits between the server room network access port and the switch for the server room. The third interface is needed for remote ssh access and is plugged into a regular port on the switch.

Here is a link to my old post on MAC filtering using a Bridge and Packet Tagging



#############################################################
# Macros and Tables
#############################################################

# Interfaces
switch_if = "bge0"   # bridge member facing the server room switch
nap_if = "bge1"      # bridge member facing the network access port (rest of the LAN)
ssh_if = "em0"       # management interface on a regular switch port

############################################################
# Logging, Timeouts, Limits, Interface skips, Scrubs
############################################################

# Set logging interface
set loginterface $nap_if

# Revised - Adaptive timeouts and higher state limits
set timeout { adaptive.start 10000, adaptive.end 110000 }
set limit states 100000
set timeout interval 10

# Normalize all incoming/outgoing traffic to prevent malformed packets
match in all scrub (no-df)

# Don't filter on loopback interface or ssh_if
set skip on { lo0 $ssh_if }

###########################################################
# Rules
###########################################################

# Block Traffic from Unauthorized Hosts into Servers
# (default for inbound on $nap_if: anything not matched by a "pass ... quick" rule below is logged and dropped)
block in log on $nap_if all label "block in"

# Allow All Traffic on Switch Interface
pass in quick on $switch_if all
pass out quick on $switch_if all

# Allow All Traffic From Servers Behind Switch to Rest of Network
pass out quick on $nap_if all

# Allow Traffic from Known Good Mac Addresses into Servers
# (the goodmac tag is applied by the bridge MAC rules, see the MAC filtering post linked above)
pass in quick on $nap_if all tagged goodmac

# Allowing Broadcast UDP into Servers (DHCP 67/68, NetBIOS 137/138, SSDP 1900, WS-Discovery 3702)
pass in quick on $nap_if proto udp to any port { 67 68 137 138 1900 3702 }
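Reading a pf rule set correctly depends on two things that are easy to get wrong: the last matching rule wins unless a rule is marked quick, and interfaces under set skip are not filtered at all. As an added example (my own code, not part of the post or of OpenBSD), the following Python model replays the rule set above against constructed packets so the effect of each line can be checked: an untagged LAN host is caught by the non-quick block rule, a host whose frames the bridge tagged goodmac passes, the listed UDP broadcast ports pass, and replies from the servers go out unconditionally. The interface names and ports are the post's; the packets and the goodmac tag on them are constructed.

```python
from dataclasses import dataclass

# Interface macros from the pf.conf above
SWITCH_IF = "bge0"
NAP_IF = "bge1"
SSH_IF = "em0"
SKIPPED = {"lo0", SSH_IF}                 # "set skip on { lo0 $ssh_if }": never filtered
BROADCAST_UDP = {67, 68, 137, 138, 1900, 3702}


@dataclass
class Packet:
    iface: str                      # interface the packet is seen on
    direction: str                  # "in" or "out"
    proto: str = "tcp"
    dport: int = 0
    tags: frozenset = frozenset()   # "goodmac" would be set by the bridge MAC rules


# (direction, interface, quick, action, label, extra match condition), in pf.conf order
RULES = [
    ("in",  NAP_IF,    False, "block", "block in",        lambda p: True),
    ("in",  SWITCH_IF, True,  "pass",  "pass in switch",  lambda p: True),
    ("out", SWITCH_IF, True,  "pass",  "pass out switch", lambda p: True),
    ("out", NAP_IF,    True,  "pass",  "pass out nap",    lambda p: True),
    ("in",  NAP_IF,    True,  "pass",  "tagged goodmac",  lambda p: "goodmac" in p.tags),
    ("in",  NAP_IF,    True,  "pass",  "broadcast udp",
     lambda p: p.proto == "udp" and p.dport in BROADCAST_UDP),
]


def evaluate(pkt):
    """pf semantics: the last matching rule decides, unless a matching rule says quick."""
    if pkt.iface in SKIPPED:
        return ("pass", "set skip")
    decision = ("pass", "implicit default")   # pf passes when no rule matches at all
    for direction, iface, quick, action, label, cond in RULES:
        if direction != pkt.direction or iface != pkt.iface or not cond(pkt):
            continue
        decision = (action, label)
        if quick:
            break
    return decision


def audit(packets):
    """Return [(description, action, label)] for a batch of (description, Packet) pairs."""
    return [(desc, *evaluate(p)) for desc, p in packets]


SAMPLE_TRAFFIC = [  # constructed, not captured
    ("unknown LAN host -> server SMB", Packet(NAP_IF, "in", "tcp", 445)),
    ("approved admin box -> server SMB", Packet(NAP_IF, "in", "tcp", 445, frozenset({"goodmac"}))),
    ("LAN DHCP broadcast -> servers", Packet(NAP_IF, "in", "udp", 67)),
    ("unknown LAN host DNS query -> server", Packet(NAP_IF, "in", "udp", 53)),
    ("server reply -> LAN", Packet(NAP_IF, "out", "tcp", 445)),
    ("anything on the switch side", Packet(SWITCH_IF, "in", "tcp", 22)),
    ("ssh to the firewall itself", Packet(SSH_IF, "in", "tcp", 22)),
]

if __name__ == "__main__":
    for desc, action, label in audit(SAMPLE_TRAFFIC):
        print(f"{action:5} ({label:16}) {desc}")
```

The model only covers what this rule set uses (interface, direction, protocol, destination port, tag); the real check before loading a changed file is pfctl -nf /etc/pf.conf, which parses the rules without installing them, and pfctl -vsr afterwards shows the per-rule counters, so the "block in" label's count tells you how much unauthorized traffic the firewall is actually seeing.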

Tuesday, January 12, 2010

Manually Rotating OpenBSD PF Logs

While installing a new OpenBSD transparent bridge, the need came up to view with Wireshark a relatively new pf log file. Thanks to some colleagues at work I was able to accomplish this task with two quick commands.

$ su root

# newsyslog /var/log/pflog

Another way to do this is a simple tcpdump command.

$ sudo tcpdump -nettti pflog0 -w pfdumpfile

Wednesday, October 28, 2009

Squid on OpenBSD Gateway Firewall

Running Squid on an OpenBSD gateway firewall allows you a nice transparent client web proxy. Below are my notes for installation and configuration.

Installing


# pkg_add -v ftp://..../packages/i386/squid-2.7.STABLE6.tgz

Create the required swap directories

# squid -z

Start squid automatically upon boot. Add to /etc/rc.local

if [ -x /usr/local/sbin/squid ]; then
        echo -n ' squid'; /usr/local/sbin/squid
fi


Configuration and File Locations

Configuration file (squid.conf) is located in /etc/squid

Log files (access.log*) are located in /var/squid/logs

The editable HTML error page (ERR_ACCESS_DENIED) is located in
/usr/local/share/squid/errors/English

Rotate the Squid log files once a day by adding the cron job. (sudo crontab -e)

0 0 * * * /usr/local/sbin/squid -k rotate

Redirect Rule for PF
rdr on $int_if proto tcp from $mynet to any port { 80 8080 } -> 127.0.0.1 port 3128

squid.conf settings

Network Settings
Port used by squid and mode (around line 930)
http_port 127.0.0.1:3128 transparent

hostname for server (around line 3,000)
visible_hostname mywebproxy.mydomain.net

Defining Access Lists (around line 500 of the squid.conf)

Remote domains
acl support.microsoft.com dstdomain support.microsoft.com
or for a list of domains in a text file (use .domain.com to get all sites in domain)
acl bad_sites dstdomain "/etc/squid/blocked_domains.txt"


Client IPs
acl labstation src XXX.XXX.3.3
acl local_net src XXX.XXX.3.0/24
or for a list of IPs in a text file
acl labstations src "/etc/squid/labstations.txt"

Destination IPs
acl badguy dst 156.17.17.19
or for a list of IPs in a text file
acl badguys dst "/etc/squid/badguys.txt"

Requested File Extensions
acl badfiletypes url_regex -i \.wmf$ \.exe$ \.zip$ \.bat$ \.msi$ \.vb$ \.vbs$ \.mde$ \.reg$

Client Access Rules (around line 650)
Rules are evaluated in order: the first rule that matches wins and either allows or denies access.

Allowing the safe_sites acl
http_access allow safe_sites

Denying the badfiletypes acl
http_access deny badfiletypes

The last two rules should allow traffic for your clients acl and then block traffic from all others
http_access allow local_net
http_access deny all
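Because the first matching http_access line wins, the order of the allow and deny lines decides what gets through, and a specific allow placed early overrides every deny after it. As an added example (my own code, not the post's configuration or Squid's), here is a small Python model of Squid's acl and http_access evaluation, built from the acl types used above (dstdomain, src, dst, url_regex), run over constructed requests. The safe_sites acl, which the post uses but never defines, is assumed here to be a dstdomain list; the client network and the entries standing in for blocked_domains.txt are constructed, the 156.17.17.19 destination is the post's own example, and the trailing default follows Squid's documented rule that a request matching no line gets the opposite of the last line's action.

```python
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Request:
    src_ip: str      # client address
    url: str         # requested URL
    dst_ip: str      # address the destination host resolved to


# ACL definitions modelled on the squid.conf snippets above (values marked constructed
# stand in for the file-backed lists and the XXX.XXX.3.0/24 client network).
ACLS = {
    "safe_sites":   ("dstdomain", ["support.microsoft.com", ".windowsupdate.com"]),  # assumed
    "bad_sites":    ("dstdomain", [".bad-example.test"]),      # constructed blocked_domains.txt
    "local_net":    ("src",       ["192.0.2.0/24"]),           # constructed client network
    "badguys":      ("dst",       ["156.17.17.19"]),           # the post's example address
    "badfiletypes": ("url_regex", [r"\.wmf$", r"\.exe$", r"\.zip$", r"\.bat$", r"\.msi$",
                                   r"\.vb$", r"\.vbs$", r"\.mde$", r"\.reg$"]),
}

# http_access lines in the order the post recommends: specific allows, then denies,
# then the client network, then deny everything else. First match wins.
HTTP_ACCESS = [
    ("allow", "safe_sites"),
    ("deny",  "bad_sites"),
    ("deny",  "badguys"),
    ("deny",  "badfiletypes"),
    ("allow", "local_net"),
    ("deny",  "all"),
]


def in_any(ip_text, cidrs):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)


def acl_matches(name, req):
    """Evaluate one named acl against a request."""
    if name == "all":
        return True
    kind, values = ACLS[name]
    if kind == "dstdomain":
        host = (urlsplit(req.url).hostname or "").lower()
        # ".domain.com" covers domain.com itself and every name under it
        return any(host == v or (v.startswith(".") and (host == v[1:] or host.endswith(v)))
                   for v in values)
    if kind == "src":
        return in_any(req.src_ip, values)
    if kind == "dst":
        return in_any(req.dst_ip, values)
    if kind == "url_regex":   # the post uses -i, so match case-insensitively
        return any(re.search(v, req.url, re.IGNORECASE) for v in values)
    raise ValueError(f"unsupported acl type {kind}")


def decide(req, rules=HTTP_ACCESS):
    """Walk http_access top to bottom; return (action, acl) of the first matching line."""
    for action, acl in rules:
        if acl_matches(acl, req):
            return (action, acl)
    # Squid's default when nothing matches is the opposite of the last line's action
    return ("deny" if rules[-1][0] == "allow" else "allow", "implicit default")


if __name__ == "__main__":
    lan = "192.0.2.20"
    for r in [Request(lan, "http://www.example.test/index.html", "198.51.100.10"),
              Request(lan, "http://downloads.example.test/setup.EXE", "198.51.100.10"),
              Request(lan, "http://support.microsoft.com/kb/tool.exe", "198.51.100.11"),
              Request("203.0.113.9", "http://www.example.test/", "198.51.100.10")]:
        print(decide(r), r.src_ip, r.url)
```

Two things the model makes visible: the safe_sites allow comes before the badfiletypes deny, so an .exe from an allowed domain is permitted (intended or not, it is what the order says), and the $-anchored url_regex patterns only match when the extension ends the URL, so a query string after setup.exe slips past that deny and is allowed by local_net. Swapping allow local_net above deny badfiletypes, as the misordered list in the test shows, disables the file-type block entirely for local clients.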

Squid Commands

Reload the configuration file
# sudo squid -k reconfigure

Rotate the logs and cache
# sudo squid -k rotate

Wednesday, September 2, 2009

Powershell Script to Get All ActiveSync Devices

I wrote a quick Powershell script that will output an htm file of all the ActiveSync devices on an Exchange server. Just take off the .txt, and then, using the Exchange Management Shell, navigate to the directory where you have the script and type in the command ./getactivesyncdevices.ps1 . The script will output the results to a file called getactivesyncdevices.htm.

# Devices with no sync attempt in this many days are flagged in red
$daysago = 7

# Everything written inside the array is collected and sent to the .htm file at the end
@(

write-output '<html><head><title>Exchange 2007 ActiveSync Devices</title></head><body>'
write-output "<p><strong>Exchange 2007 ActiveSync Devices as of $(get-date)</strong></p>"
write-output "<p style='font-weight: bold; color: red;'>Red = No Sync Attempts in $daysago Days</p>"
write-output '<table border="1" cellpadding="5"><tr><th>User</th><th>ActiveSync Device(s)</th></tr>'

# Every mailbox, sorted by display name (-resultsize unlimited lifts the default 1000-mailbox cap)
$mailboxes = get-mailbox -resultsize unlimited | sort -property name | select-object name,alias

foreach ($mailbox in $mailboxes)
{
    # One statistics object per device partnered with the mailbox; nothing for users without ActiveSync
    $devices = get-activesyncdevicestatistics -mailbox $mailbox.alias

    # $null on the left so a single device is compared as a whole rather than unrolled
    if ($null -ne $devices)
    {
        write-output "<tr><td>$($mailbox.name)</td><td>"

        foreach ($device in $devices)
        {
            # Red paragraph for devices that have not even attempted a sync in the last $daysago days
            if ([datetime]$device.LastSyncAttemptTime -gt [datetime]::Now.AddDays(-$daysago))
            {
                write-output '<p>'
            }
            else
            {
                write-output "<p style='font-weight: bold; color: red;'>"
            }

            write-output "ID: $($device.DeviceId)<br />"
            write-output "First Sync: $($device.FirstSyncTime)<br />"
            write-output "Last Sync: $($device.LastSuccessSync)<br />"
            write-output "Last Sync Attempt: $($device.LastSyncAttemptTime)<br />"
            write-output "Type: $($device.DeviceType)<br />"
            write-output "Model: $($device.DeviceModel)<br />"
            write-output "OS: $($device.DeviceOS)<br />"
            write-output '</p>'
        }

        write-output '</td></tr>'
    }
}

write-output '</table></body></html>'

) | out-file GetActiveSyncDevices.htm