Friday, November 10, 2023

Simplify Third-Party Application Patching with Chocolatey

Managing third-party application updates can be a time-consuming task, especially in an IT environment where automation is crucial. In this blog post, we'll explore how Chocolatey, a package manager for Windows, can streamline the process of patching third-party applications. We'll also provide you with a handy PowerShell script to set up a scheduled task for automated updates.

Chocolatey for Third-Party Application Management:
Chocolatey is a powerful tool that simplifies the installation and management of software on Windows systems. It offers a vast repository of pre-packaged applications, making it an excellent choice for IT professionals. Here's how you can leverage Chocolatey for third-party application patch management:

1. Installation: Start by installing Chocolatey on your systems. You can find detailed installation instructions on the official Chocolatey website: https://chocolatey.org/install

2. Package Installation: Once Chocolatey is up and running, you can easily install third-party applications by running commands like `choco install <package-name>`. Chocolatey will fetch the latest version from its community repository and install it silently.

3. Automated Updates: To keep your third-party applications up-to-date automatically, you can create a scheduled task in Windows. Below is a PowerShell script that you can use to create such a task:

# Define the task action to run 'choco upgrade all -y'
$action = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument 'choco upgrade all -y'

# Set the daily trigger to run at 5 AM
$trigger = New-ScheduledTaskTrigger -Daily -At 5am

# Create the scheduled task
Register-ScheduledTask -Action $action -Trigger $trigger -TaskName "Chocolatey-Upgrade" -User "USERNAME" -Password "PASSWORD"
# Replace 'USERNAME' and 'PASSWORD' with the credentials of the account the task should run as (it needs rights to install software)
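An added example (not from the original post) of the same daily upgrade task registered to run as the built-in SYSTEM account, so no username or password has to be stored in the script, with Chocolatey's output appended to a log file. It assumes Chocolatey is installed in its default location (C:\ProgramData\chocolatey); the log path is a placeholder you can change.

```powershell
# Added example: scheduled "choco upgrade all" without stored credentials.
$log = 'C:\ProgramData\chocolatey\logs\scheduled-upgrade.log'   # placeholder path
$cmd = "& 'C:\ProgramData\chocolatey\bin\choco.exe' upgrade all -y *>> '$log'"

# Run PowerShell non-interactively so a stuck prompt cannot hang the task.
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                 -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -Command `"$cmd`""
$trigger   = New-ScheduledTaskTrigger -Daily -At 5am

# SYSTEM has the rights Chocolatey needs and holds no password that could leak from a script.
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

# Catch up if the machine was off at 5 AM, and kill a run that hangs for more than two hours.
$settings  = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Hours 2)

Register-ScheduledTask -TaskName 'Chocolatey-Upgrade' -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force

# Verify what was registered before trusting it to run unattended.
Get-ScheduledTask -TaskName 'Chocolatey-Upgrade' |
    Select-Object TaskName, State, @{ n = 'RunAs'; e = { $_.Principal.UserId } }
```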

Chocolatey simplifies third-party application patch management by providing an automated and efficient way to install and update software. By setting up a scheduled task using the provided PowerShell script, you can ensure that your systems stay up-to-date with the latest versions of your favorite applications.

Give it a try, and let Chocolatey take the hassle out of managing third-party software updates. Chocolatey is a widely used and trusted tool in the IT community, so you can adopt this solution with confidence.

Monday, July 5, 2021

Is someone infiltrating into your computer?

Sometimes you may have to open certain ports on your computer to allow you to remote into it at home or in the office. There is a very good chance that this port will be scanned by attackers who will try to get into your computer, sometimes just for fun and sometimes for malicious purposes.

Event Viewer is where you can keep an eye on this and see whether it is happening.

Step 1:
Right click the Start menu button and open Event Viewer on your computer. 


Step 2:
Browse to "Windows Logs" and then "Security" and look for Event ID 4624.

Step 3:
Look into the details of the event. You can see below that I tried to sign in from my computer called "Pluto" with an IP address 192.168.1.3 with the admin user. 

There are numerous logon types (2, 3, 4, 5, 8, 9, 10 and so on), but in this article we are only talking about type 3, which is for remote connections. If you want to know more about the logon types, see Microsoft's article on Administrative Tools and Logon Types.

This is what happens when you provide an incorrect username or password: it generates Event ID 4625. An attempt was made to sign in to the computer, but it was rejected because of a wrong password or username.

Attackers will keep trying to log in until they get in. Therefore you need to keep an eye on this event if your RDP port is open to the public.


Create a filter to quickly access these events.

In Event Viewer select the log named "Security" and then select "Filter Current Log". This brings up the Filter Properties dialog box.

1. This looks for logs from the last 24 hours. You can set any range.
2. Provide the event ID. In this case it's 4625.
3. Click OK.


This pulls up only two events on my computer.

Now save the filter to Custom Views.

1. Select "Save Filter to Custom Views".
2. Name the filter.
3. Provide the location. You can save it under "Custom Views" or create a subfolder.
4. Click OK to save the filter.

Once saved, you can always access it from under "Custom Views".

Examples of Logon Types and Failures:
  • A failed attempt to sign in using RDP will generate an event ID 4625 and logon type 3.
  • A failed attempt to sign in on the computer will generate an event ID 4625 and logon type 2.
  • A failed attempt to sign in on console view will generate an event ID 4625 and logon type 10. 

The logon types differ, but the event ID for all failed attempts remains the same. Unless you know that you tried to sign in yourself and entered the wrong password, these events are concerning and need to be investigated further.

For example, if you look into the "Network Information" section and find that the sign-in attempt came from an unknown computer and the IP address is a public IP address, then it definitely means that someone is attempting to sign in.
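The same check done with PowerShell instead of clicking through Event Viewer, as an added example that is not part of the original post: it pulls the 4625 events of the last 24 hours, keeps the network and remote-interactive logon types, flags sources outside private address ranges, and groups by source address so a brute-force run stands out as a high count. It has to run elevated to read the Security log; the private-range test is my own helper.

```powershell
# Added example: hunt failed logons (4625) from outside the LAN.
function Test-PrivateIPv4 {
    param([string]$Ip)
    # Loopback, link-local and RFC 1918 ranges count as internal; "-" means no network source.
    return (($Ip -match '^(10\.|127\.|169\.254\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)') -or
            ($Ip -in @('-', '::1')))
}

function Get-SuspiciousFailedLogon {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Event fields live in the XML EventData section; read them by their Name attribute.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time         = $_.TimeCreated
            Account      = "$($data.TargetDomainName)\$($data.TargetUserName)"
            LogonType    = [int]$data.LogonType
            Workstation  = $data.WorkstationName
            SourceIp     = $data.IpAddress
            PublicSource = -not (Test-PrivateIPv4 $data.IpAddress)
        }
    } | Where-Object { $_.LogonType -in @(3, 10) }   # 3 = network, 10 = remote interactive
}

# Many failures from one public address in a day is the pattern described above.
Get-SuspiciousFailedLogon -Hours 24 |
    Group-Object SourceIp, PublicSource |
    Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```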

Thursday, July 1, 2021

PrintNightmare - Solution Until Microsoft Releases a Patch

Microsoft recently released a patch for CVE-2021-1675 to address the vulnerability in the Windows Print Spooler service, but it turned out that the patch didn't work. Initially the bug was thought to be just a local privilege escalation, but it turns out to be full remote code execution. That means an attacker can gain full domain privileges by executing code as a standard user. There are many ways a malicious actor could exploit this. The vulnerability has been dubbed PrintNightmare.

Microsoft will probably release a new patch soon, but until then the only thing you can do is disable the Print Spooler on the domain controllers and on any server where you don't need it running. Here is what you can do.

Step 1:
Open PowerShell ISE as Administrator and type the below script:

# Stop the Print Spooler service right away
Stop-Service -Name Spooler
# Keep it from starting again at the next boot
Set-Service -StartupType Disabled -Name Spooler

Save the script as a .ps1 file.



Step 2:
Deploy the script using your remote monitoring and management (RMM) system. You will basically need to create a filter that pulls all the domain controllers and file servers, then create a scheduled task to run the script on all the machines matched by the filter.

Step 3:
The RMM should tell you whether the task executed successfully or not, but you can also sign in to a few randomly chosen machines to verify that the Spooler service has been stopped and disabled.
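Instead of spot-checking machines by hand, the verification in Step 3 can be run against every domain controller at once. This is an added example, not part of the original post; it assumes the ActiveDirectory RSAT module is available and that PowerShell remoting (WinRM) to the domain controllers is allowed. File servers from your RMM filter can be appended to the same list.

```powershell
# Added example: confirm the Spooler service is stopped and disabled on all DCs.
function Get-SpoolerStatus {
    param([string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ErrorAction SilentlyContinue -ScriptBlock {
        $svc = Get-Service -Name Spooler
        # Expected after the script above has run: Status Stopped, StartType Disabled.
        [pscustomobject]@{
            Status     = [string]$svc.Status
            StartType  = [string]$svc.StartType
            Remediated = ($svc.Status -eq 'Stopped' -and $svc.StartType -eq 'Disabled')
        }
    } | Select-Object PSComputerName, Status, StartType, Remediated
}

$dcs     = (Get-ADDomainController -Filter *).Name
$results = Get-SpoolerStatus -ComputerName $dcs
$results | Format-Table -AutoSize

# Anything still running, or that did not answer at all, needs a follow-up.
$results | Where-Object { -not $_.Remediated } |
    ForEach-Object { "Spooler still enabled or running on $($_.PSComputerName)" }
$dcs | Where-Object { $_ -notin $results.PSComputerName } |
    ForEach-Object { "No result from $_ (offline or WinRM blocked)" }
```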

Wednesday, June 30, 2021

Fix Computer Clock Drifts with W32tm

Under normal circumstances computer clocks do not drift on domain-joined machines. Windows triggers the Windows Time Service (W32Time) periodically and it syncs the time with the machine that holds the PDC emulator operations master role. But if a machine is not joined to the domain, or was previously configured with some other time source, the clock might start to drift occasionally.

There are a number of ways to resolve the issue.

With a batch script and Task Scheduler

Step 1
Open Notepad and type the below command. 
w32tm /config /manualpeerlist:"time.google.com" /syncfromflags:manual /update

The command sets the time server to time.google.com and then syncs the time with it.

Step 2
Save the Notepad file as a batch file (.bat).

Step 3
Open Task Scheduler, create a basic task and schedule it to run daily. Under Action add the batch file and save it. In the task's properties, under the General tab, make sure you check the box "Run with highest privileges".

If you want to know more about Windows Time Service and the command-line tool W32tm.exe to configure Windows Time Service, visit the website at https://docs.microsoft.com/en-us/windows-server/networking/windows-time-service/windows-time-service-tools-and-settings 
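To see whether the drift is actually fixed rather than just assuming the task ran, this added example (not part of the original post) measures the clock offset against time.google.com with w32tm /stripchart before and after applying the command from Step 1 and forcing a resync. It assumes an elevated PowerShell session, since /config and /resync need administrator rights; the parsing helper is my own.

```powershell
# Added example: measure clock offset before and after pointing W32Time at time.google.com.
function Get-ClockOffsetSeconds {
    param([string]$Peer = 'time.google.com', [int]$Samples = 3)
    # /stripchart /dataonly prints one "HH:mm:ss, +00.0012345s" line per sample.
    $lines = w32tm /stripchart "/computer:$Peer" "/samples:$Samples" /dataonly 2>$null
    $offsets = foreach ($line in $lines) {
        if ($line -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
    }
    if (-not $offsets) { throw "No time samples received from $Peer (UDP 123 blocked?)" }
    return ($offsets | Measure-Object -Average).Average
}

$before = Get-ClockOffsetSeconds

# Same configuration as the batch file in Step 1, followed by an immediate resync.
w32tm /config /manualpeerlist:"time.google.com" /syncfromflags:manual /update | Out-Null
w32tm /resync | Out-Null

$after = Get-ClockOffsetSeconds
"Offset before: {0:N3}s   after: {1:N3}s" -f $before, $after

# A large "before" value that stays large afterwards points at a blocked peer, not drift.
```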


Tuesday, June 29, 2021

SNMP - Simple Network Management Protocol

SNMP stands for Simple Network Management Protocol. It was initially developed to collect information from switches and routers, but it has since been extended to a wide array of devices such as Windows and Linux machines, printers, power supplies and even IoT devices. It is available on almost any device that can transmit packets.

While working with SNMP we need to know these key terms.

OID - Object Identifier
An OID is an object identifier for a value that can be monitored on a device. Anything that can be monitored on a device with SNMP has an OID. For example, if we want to monitor the temperature of a device, we look up the OID for temperature on that device.

An OID is a sequence of numbers separated by dots, such as 1.3.6.1.2.1.2.2.1.8. If you want to monitor something else on the same device, you look up the OID for that item.

MIB - Management Information Base
A MIB is a text file that lets us translate numerical OIDs into text-based names. For example, synology-system-MIB::temperature.0 could be the MIB name for the OID in the example above. Technically we can work with numerical OIDs only, but MIBs make life easier.

There are standard OIDs and MIBs that apply to a lot of devices, which makes life a lot easier. For example, sysUpTime.0 is the MIB name for system uptime on any device.
You don't really need to look up OIDs and MIBs for standard devices; they are almost the same everywhere. The only ones you need to look up are for non-standard devices.

You can find the OIDs and MIBs in the manufacturer's user guides. Many of these documents are available online.

How does SNMP work?

Polling - The network monitoring system connects to the device on port 161 and tells it which OID it needs information on. The device then responds to the network monitoring system from port 161 with that information.

Notifying - The devices themselves send OID information to the network monitoring system on port 162. These messages are called traps, notifications or informs.


Version
There are three versions of SNMP so far: SNMPv1, SNMPv2c and SNMPv3. The most prominent difference between them is the increasing level of security.

For versions 1 and 2c you don't need a username and password. You just need a community string for authentication, and this community string is sent in plain text across the network. These versions also don't offer encryption.

In version 3 the community string is replaced with a username and password. It also adds encryption.

Remember: SNMP can be used to change device settings. So if you are using version 1 or 2c and an attacker gets hold of the community string, they can compromise the network.

SNMPv3
SNMPv3 offers stronger authentication and encryption, but they are not required. If monitoring with SNMPv3 is not set up properly, there is no difference between SNMPv1 and SNMPv3, because the secure authentication and encryption are optional: available for you to configure, but not a requirement. Proper configuration is therefore necessary, and it all comes down to the security levels in SNMPv3.

What are security levels?
There is no default security level for SNMPv3. The security level must be configured on each device on a per-username basis. Remember that the security level on each device is set PER USERNAME: different users on the same device can be set to different security levels.

Once you have configured the users and security levels on the device, you configure the network monitoring system to match the security levels configured on the device.

The security levels are explained below:

noAuthNoPriv
  • The lowest security level
  • Username only (no password is required)
  • Messages are not encrypted.
  • No better than SNMPv1 and 2c

authNoPriv
  • Middle security level
  • Username and password are required.
  • Messages are not encrypted.
  • Anyone who can see the network traffic can see your username and also what the device sends back to you. The communication takes place in plaintext.
  • The password itself is not sent over the network; instead both sides derive keyed hash values from it, which lets each side verify that the other has the same password.
  • Authentication can use either the MD5 or the SHA-1 hashing algorithm, but it must be the same on both the device and the network monitoring system.
  • The reason this security level exists is that encryption is resource intensive; some people don't want to strain their devices, or the devices might not be able to cope with it.

authPriv
  • Highest security level
  • Username and password are used for authentication.
  • A separate privacy password is used for encryption.
  • The messages are authenticated and partially encrypted: the SNMP payload is encrypted, but the username and some metadata remain unencrypted.
  • The privacy password is used to both encrypt and decrypt the messages. You have the option of using DES or AES:
  • DES - More computationally expensive and less secure
  • AES - Less computationally expensive and more secure

Always create strong passwords, and don't use the same password for authentication and privacy. Whichever protocol version you use, if you don't use a strong password you are making the intruder's job easy.
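What the security levels above look like on the device side, as an added example that is not part of the original post: a net-snmp agent configuration (snmpd.conf) showing the weak v2c setting beside an SNMPv3 user pinned to authPriv. It assumes the net-snmp agent; the user name and passphrases are placeholders, and the matching poller command is shown in a comment so the monitoring system's settings line up with the device's.

```conf
# Added example: net-snmp snmpd.conf, weak setting beside the corrected one.

# Weak: SNMPv1/v2c community string, sent in cleartext on every request, and read-write
# on top of that, so anyone who captures it can change device settings. Remove this line.
rwcommunity private

# Preferred: one SNMPv3 user, read-only, SHA authentication and AES encryption, with
# two different passphrases. The trailing "priv" makes the agent refuse any request for
# this user that arrives below authPriv, so a misconfigured poller fails instead of
# silently falling back to noAuthNoPriv.
createUser monitorUser SHA "CHANGE-ME-auth-passphrase" AES "CHANGE-ME-priv-passphrase"
rouser monitorUser priv

# The network monitoring system must use the same level, algorithms and passphrases:
#   snmpwalk -v3 -l authPriv -u monitorUser -a SHA -A "CHANGE-ME-auth-passphrase" \
#            -x AES -X "CHANGE-ME-priv-passphrase" <device> sysUpTime.0
```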
