Monday, October 30, 2006
I have many application servers and there are many application administrators. I'm the responsible of the Operating system and the Hardware but there have been several problems because the application administrators wants to be able to stop and start some services like SQL Server Service or MSSQL Agent Service. Well, Of course that I wont give them administrators rights, either Server Operators rights because they don't need them.
My way to resolve this issue its to give permissions only to specified services and to specified people. An excelent tool called SetACL its able to set this kind of permissions. Another plus, its that you can do it remotely or in a batch file... After I download this tool and save it to temporary location, I typed setacl -help to display the help.
Well, I do the following to set permissions to a server named server1 to the service MSSQLSERVER.
c:\tmp>setacl -on "\\server1\SQLSERVERAGENT" -ot srv -act ace -ace "n:domain\group1;p:start_stop"
-on ObectName: its to specify in wich server it'll be the change.
-ot ObjectTYpe: The type of object.(Files, Registery keys, Network Shares, Printers, Services, Active DIrectory object ans processes.)
-actn Action: Type of Action.(ace, trustee, domain, list, restore, setwoner, setgroup, clear.....may more).
-ace Acces contro entry: On services are read, start_stop or full.
Many excellent examples are available on the Examples page.
Dont forget to test firts this tool (all tools really) on a test server...
REGARDS
Wednesday, October 25, 2006
Because the hotmail account its so important for me and I use thunderbird to read all my other personal e-mail accounts (yahoo, gmail), I want to have all my accounts in my computer and read and compose e-mails even when Im offline. Well because hotmail doesnt provides a POP service, there is an extension for Thunderbird for read web page based e-mails. Its name is Web mail extension (http://webmail.mozdev.org) and currently suport the folowing web mail based web sites:
- Yahoo
- Hotmail
- Lycos
- mail.com
- Gmail
- Libero
- AOL
Then I open thunderbirs, went to Tools menu and select Extensions.Then hit the Install button and select the webmail-x-x.xpi file. From the warning window thar says that the software in unsigned, well I need it so I dont care if its not signed, so I hit Install Now!.
I repeate the previous procedure for the hotmail-x-x.xpi file. Well, lest see if it works
After, I setup the hotmail account like a new POP account. The difference is that in POP server I type localhost, and in SMTP sever again type localhost.
Then I restarted Thunderbird. But after a little time fo searchig the window to configure the extension, I open the Tools menu and select Extensions, the select the webmail extension and click the Preferences button. Hoooo my surprice when I find a red alert!!!
The SMTP button is red. OK, no problem.. I open a terminal window and type
# sockstat -4
I found that thunderbird is working like a POP server. And because sendmail its using port 25, thunderbird cant start in that port.
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
user thunderbir 12637 27 tcp4 127.0.0.1:110 *:*
user sendmail 588 3 tcp4 127.0.0.1:25 *:*
.
.
I have two options:
1) Disable sendmail or change the port it works.
2) Change the thunderbird port to other than 25.
Because I use send mail for testing and other stuff, Ill use the option two. In the WebMail options, I type 2525 in the SMTP field and restart Thunderbird.
I go back to the WebMail options and viola!!! its green.
OK, now we need to tell the new account that we create that the SMTP server on localhost use por 2525. I went to the account settings, and in the localhost server hit Edit and type 2525 in the port.
Now I see this in the terminal.
# sockstat -4
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
user thunderbir 68241 10 tcp4 127.0.0.1:2525 *:*
user thunderbir 68241 12 tcp4 127.0.0.1:110 *:*
I close and open again Thunderbird, I hit the GET MAIL button and AMAZING!!! Thunderbird starts downloading all my hotmail messages..
After I minutes, I can read the e-mails..
REGARDS
Tuesday, October 24, 2006
The best way to maintain all your computers and devices time synchronized its that one server handle the task of Time Server. In a windows domain environment, the PDC Emulator its the responsible of that task, but only to windows computers members of that domain.
To allow that server to the role of Time Server to other computers or devices I do the following.
In the PDC emulator of the forest root domain (the first domain controller you installed in the forest), open registry editor (regedit.exe) and configure the following:
HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type
This registry entry determines which peers W32Time will accept synchronization from. I change this REG_SZ value from NT5DS to NTP so the PDC Emulator synchronizes from the list of reliable time servers specified in the NtpServer registry entry described below.
HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags
This registry entry controls whether the local computer is marked as a reliable time server (which is only possible if the previous registry entry is set to NTP as described above). Change this REG_DWORD value from 10 to 5 here.
HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\NtpServer
This registry entry specifies a space-delimited list of stratum 1 time servers from which the local computer can obtain reliable time stamps. The list may consist of one or more DNS names or IP addresses (if DNS names are used then you must append ,0x1 to the end of each DNS name). For example, to synchronize the PDC Emulator in your forest root domain with tock.usno.navy.mil, an open-access SNTP time server run by the United States Naval Observatory, change the value of the NtpServer registry entry from time.windows.com,0x1 to 1.north-america.pool.ntp.org,0x1 here. Alternatively, you can specify the IP address of this time server, which is 200.9.74.4 (this DNS record has many values) instead.
Now stop and restart the Windows Time service using the following commands:
net stop w32time
net start w32time
It may take an hour or so for the PDC Emulator to fully synchronize with the external time server because of the nature of the polling method W32Time uses. Depending on the latency of your Internet connection, the accuracy of the CMOS clock on your forest root PDC Emulator may be within a second or two of UTC. If you need more accurate time however, you can purchase a hardware time source like an atomic clock and connect it to your PDC emulator.
Alternatively, if you don’t want to wait for time convergence to occur between your stratum 2 time server (your forest root PDC Emulator) and the external stratum 1 time server, you can run the following command on your PDC Emulator:
Now you can also synchronize all other devices with your internal server.w32tm /resync /rediscover
This is the TCPDUMP output when my Time queries the pool.ntp.org server.
# tcpdump -i fxp0 port 123
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on fxp0, link-type EN10MB (Ethernet), capture size 96 bytes
15:31:54.405417 IP 192.168.0.1.ntp > 209.134.156.193.ntp: NTPv4, Client, length 48
15:31:54.583201 IP 209.134.156.193.ntp > 192.168.0.1.ntp: NTPv4, Server, length 48
15:31:54.583400 IP 192.168.0.1.ntp > 209.134.156.193.ntp: NTPv4, Client, length 48
15:31:54.718812 IP 209.134.156.193.ntp > 192.168.0.1.ntp: NTPv4, Server, length 48
15:31:54.718958 IP 192.168.0.1.ntp > 209.134.156.193.tp: NTPv4, Client, length 48
15:31:54.860833 IP 209.134.156.193.ntp > 192.168.0.1.ntp: NTPv4, Server, length 48
15:31:54.860965 IP 192.168.0.1.ntp > 209.134.156.193.ntp: NTPv4, Client, length 48
15:31:55.026748 IP 209.134.156.193.ntp > 192.168.0.1.ntp: NTPv4, Server, length 48
As you can see, it queries the pool server four times.
This are the first two packets(first query) decoded.
15:41:47.169673 IP (tos 0x0, ttl 64, id 28921, offset 0, flags [none], proto: UDP (17), length: 76) 192.168.0.1.12
3 > 24.79.79.83.123: [udp sum ok] NTPv4, length 48
Client, Leap indicator: clock unsynchronized (192), Stratum 0, poll 4s, precision -6
Root Delay: 1.000000, Root dispersion: 1.000000, Reference-ID: (unspec)
Reference Timestamp: 0.000000000
Originator Timestamp: 0.000000000
Receive Timestamp: 0.000000000
Transmit Timestamp: 3370711307.169597354 (2006/10/24 15:41:47)
Originator - Receive Timestamp: 0.000000000
Originator - Transmit Timestamp: 3370711307.169597354 (2006/10/24 15:41:47)
15:41:47.254032 IP (tos 0x0, ttl 115, id 5765, offset 0, flags [none], proto: UDP (17), length: 76) 24.79.79.83.123 >
192.168.0.1.123: [udp sum ok] NTPv3, length 48
Server, Leap indicator: (0), Stratum 3, poll 4s, precision -6
Root Delay: 0.075942, Root dispersion: 0.089370, Reference-ID: 209.167.68.100
Reference Timestamp: 3370711255.533787299 (2006/10/24 15:40:55)
Originator Timestamp: 3370711307.169597354 (2006/10/24 15:41:47)
Receive Timestamp: 3370711307.228787299 (2006/10/24 15:41:47)
Transmit Timestamp: 3370711307.228787299 (2006/10/24 15:41:47)
Originator - Receive Timestamp: +0.059189944
Originator - Transmit Timestamp: +0.059189944
REGARDS
Monday, October 23, 2006
I recently installed vmware in my freebsd 6.1-RELEASE laptop (the one from where Im writing this) and is so easey. I'll use VMWare to install windows, OPenBSD and other stuff in my Lap, so I can test applications, run windows programs(also can use wine.. I'll do it later), test tools and so on.
These are the steps I follow:
# cd /usr/ports/emulators/vmware3
#make install clean
Of course that I need X-Window already running. I only have a couple of problems with some dependency packages; all I do was download the package and pkg_add package.tbz. If the package was not available, I open another terminal and cd to the port directory and do make install clean.
Then when the installation finished, I make a script that mount the linprocfs partition and change the sysctl value. Here is the script:
#!/bin/sh
echo "Loading kernel sysctl flag"
sysctl kern.ipc.shm_allow_removed=1
echo "Starting VMWare Service"
/usr/X11R6/etc/rc.d/001.vmware.sh start
echo "Mounting procfs"
mount -t linprocfs /proc /compat/linux/proc
echo "Starting Client"
vmware &
To start vmware, just type:
# ./vmware-start.sh
I hope these can help you..
C. R.
Hi.-
This is my firts blog...
I'll like to publish some usefull information about the IT environment. English is not my native language so I'm sorry for the errors in the spelling.
I'm new in the Security Area, but I like it so much. So there be a lot of post in this subject.
See you soon..
C. R.