From monthly archives: January 2018


Timothy

Forcing Windows Server to Use a Specific Outgoing IP Address

Normally this isn't much of an issue, but for some outgoing connections you want to use a specific IP address on a server that has many IP addresses assigned.  An example might be a VPN to a remote location where you want to whitelist one IP address, not every single IP address on that server.  Windows does not simply use the first IP address you set in the Network Properties.  Instead it chooses from that address and all the alternative IP addresses, guessing which one is best to use.  This is sometimes not the one you want.  And even if it picks the right one today, who's to say it will keep doing so after you add another IP address in the future?  If it picks a different one, the firewall rule described above would break.

Well, luckily, PowerShell to the rescue.  There is a property on all IP addresses called "Skip As Source" which is not exposed through the GUI.  It allows you to exclude an IP address from consideration as the primary / outgoing IP address.  You can use Set-NetIPAddress to assign this manually, but we can do better.  Using a couple of lines of PowerShell, you can create a ps1 script and then run it via a Scheduled Task, say, hourly, so that if at any time in the future you add a new IP address, the primary IP will consistently be correct, at least within an hour.

The script looks like this, assuming the IP address you want to be primary is 192.168.33.129.

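$primaryIP = "192.168.33.129"
# Stop here if the primary address is missing or mistyped; otherwise the loop
# below would mark every address as SkipAsSource.
Set-NetIPAddress -IPAddress $primaryIP -SkipAsSource $false -ErrorAction Stop
# Every other address (IPv4 and IPv6) on every adapter is excluded as a source.
Get-NetAdapter | Get-NetIPAddress | Where-Object { $_.IPAddress -ne $primaryIP } | ForEach-Object {
    Set-NetIPAddress -IPAddress $_.IPAddress -SkipAsSource $true
}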

Now all IP addresses, except the one you are designating as "primary," will be excluded from consideration as primary.  We can verify this using...

Get-NetAdapter | Get-NetIPAddress | Select-Object IPAddress,SkipAsSource

Now if you save that segment to a PS1 file, then schedule it to run hourly using the SYSTEM account, your primary IP address is now automated.
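One way to register the hourly SYSTEM task described above, as an added example that is not part of the original post.  The folder C:\Scripts\NetConfig, the file name Set-PrimaryIP.ps1 and the task name are assumptions; because the task runs as SYSTEM, the folder is locked down so that only SYSTEM and Administrators can change the script.

```powershell
#Requires -RunAsAdministrator
# Added example: the paths and task name below are assumptions, not from the post.
$scriptDir  = 'C:\Scripts\NetConfig'
$scriptPath = Join-Path $scriptDir 'Set-PrimaryIP.ps1'
$taskName   = 'Set-PrimaryIP-Hourly'

# The task runs as SYSTEM, so anyone who can edit the script can run code as SYSTEM.
# Create the folder, remove inherited permissions, and grant full control only to
# SYSTEM (S-1-5-18) and BUILTIN\Administrators (S-1-5-32-544).
New-Item -ItemType Directory -Path $scriptDir -Force | Out-Null
icacls $scriptDir /inheritance:r /grant:r '*S-1-5-18:(OI)(CI)F' '*S-1-5-32-544:(OI)(CI)F' | Out-Null

if (-not (Test-Path $scriptPath)) {
    throw "Save the script from the post to $scriptPath before registering the task."
}

$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -File `"$scriptPath`""

# Start now and repeat every hour; a long finite duration is accepted on
# Windows versions that reject an unbounded repetition.
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) `
    -RepetitionInterval (New-TimeSpan -Hours 1) `
    -RepetitionDuration (New-TimeSpan -Days 3650)

$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
    -LogonType ServiceAccount -RunLevel Highest
$settings  = New-ScheduledTaskSettingsSet -StartWhenAvailable `
    -ExecutionTimeLimit (New-TimeSpan -Minutes 5)

Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null

# Confirm the account the task runs as, then check the resulting flags.
Get-ScheduledTask -TaskName $taskName |
    Select-Object TaskName, State, @{ n = 'RunAs'; e = { $_.Principal.UserId } }
Get-NetAdapter | Get-NetIPAddress | Select-Object IPAddress, SkipAsSource
```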

Timothy

PowerShell Script to Detect Meltdown and Spectre Vulnerability on All Windows Computers in Your Domain

Today Microsoft released a PowerShell script that can be run on any Windows system to detect if the system is vulnerable to Meltdown and Spectre.  If you haven't heard about it yet, go here: https://support.microsoft.com/en-us/help/4073119.

Building on this, I created a PowerShell script (download below) that will find every Windows computer in your domain and run the Microsoft script and return the results.  This allows you to see the status of the patch deployment for your entire domain run from a single PC.

Prerequisites:

  • PowerShell 5 - This will basically work out of the box for Windows Server 2016 and Windows 10.  This may be a problem for some organizations that have not deployed PowerShell 5 yet for older operating systems.  The good news is that PowerShell 5 is available for Windows Server as old as 2008 R2 and Windows 7.  The script makes use of Install-PackageProvider and Install-Module which reach out to NuGet to retrieve the latest bits of the package Microsoft deployed.  There may be workarounds, hopefully if so somebody can build upon what I have here.
  • PowerShell Remoting - You must have set up PowerShell remoting so that Invoke-Command can run against other systems from wherever you execute this from.  It's not hard, but depending on your organization's security requirements, this might also be a blocking issue.
  • Run as a domain administrator or other account which has administrator access on all target computers.

How to use:

Just download it and run it (link is at the bottom of this post).  It's really that simple.  For systems that don't meet the prerequisites, you will see an entry in the output status showing "Error."  You can then go back to that machine and try running portions of the script manually if you want to troubleshoot, but at least in my environment, the most common issue is just not having PowerShell 5 installed.  If you want to export it to a CSV, which can then be opened in Excel, add the command line switch -csv followed by the path, like below.

  • .\Get-SpeculationControlSettingsOnAllComputersInDomain.ps1 -CSV C:\Users\YourName\Desktop\SpeculationControlOutput.csv

Examining the output:

The first two columns are the computer name and the script execution status.  The script execution status can be OK, Error, or Offline.  I think this is pretty self-explanatory.  It either worked, didn't, or the computer wasn't online so the script couldn't be run.

The next columns are as follows (note: they are abbreviated since there are so many and it needs to fit on the screen).

  • BTIHWPr - BTIHardwarePresent - Hardware support for branch target injection mitigation is present.
  • BTIWinPr - BTIWindowsSupportPresent - Windows OS support for branch target injection mitigation is present.
  • BTIWinEn - BTIWindowsSupportEnabled - Windows OS support for branch target injection mitigation is enabled.
  • BTIDisSP - BTIDisabledBySystemPolicy - Windows OS support for branch target injection mitigation is disabled by system policy.
  • BTINoHWSup - BTIDisabledByNoHardwareSupport - Windows OS support for branch target injection mitigation is disabled by absence of hardware support.
  • KVAShdwRq - KVAShadowRequired - Hardware requires kernel VA shadowing.
  • KVIWinPr - KVAShadowWindowsSupportPresent - Windows OS support for kernel VA shadow is present.
  • KVIWinEn - KVAShadowWindowsSupportEnabled - Windows OS support for kernel VA shadow is enabled.
  • KVIPcidEn - KVAShadowPcidEnabled - Windows OS support for PCID performance optimization is enabled.  (Not required for security.)

According to the guidance, the main thing to look for is that the following columns all show TRUE: BTIHWPr, BTIWinPr, BTIWinEn, KVAShdwRq, KVIWinPr, KVIWinEn.

This script is public domain.  Also, ABSOLUTELY NO WARRANTY.  I do not guarantee at all that the script works correctly in your scenario and I am not responsible for damage!

Here's example output of what it looks like when it's running.  I obfuscated my system names, but you can see how I have systems that are not yet patched below.  The patches are deploying tonight.  :-)  You will also notice that quite a few don't have PowerShell 5 installed.

Computer          Status  BTIHWPr BTIWinPr BTIWinEn BTIDisSP BTINoHWSup KVAShdwRq KVIWinPr KVIWinEn KVIPcidEn
--------          ------  ------- -------- -------- -------- ---------- --------- -------- -------- ---------
SRVDC1.nc.us.d... Error
SRVCA1.nc.us.d... Error
SRVSCOM1.nc.us... Error
SRVMAIL1.nc.us... OK      False   False    False    False    False      True      False    False    False
SRVCCS1.nc.us.... Error
SRVTFS2.nc.us.... Error
SRVWeb2.nc.us.... Error
SRVSQL3.nc.us.... Error
SRVMail2.nc.us... Offline
SRVSQL4.nc.us.... Error
SRVWEB1.nc.us.... Error
SRVWEB3.nc.us.... Error
SRVTFSBUILD2.n... OK      False   False    False    False    False      True      False    False    False
SRVTFSBUILD1.n... OK      False   False    False    False    False      True      False    False    False
SRVTFSBUILD3.n... OK      False   False    False    False    False      True      False    False    False
DESKTOP138.nc.... Offline
SRVWEB1A.nc.us... Error
SRVCACHE1.nc.u... Error
SRVCACHE2.nc.u... Error
DESKTOP923.nc.... Offline
DESKTOP251.nc.... OK      False   False    False    False    False      True      False    False    False
SRVDC2.nc.us.d... OK      False   False    False    False    False      True      False    False    False
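A way to triage the CSV export against the six columns the post says should all be TRUE, as an added example that is not part of the original script.  It assumes the CSV headers match the abbreviated column names shown above; the host names and rows are constructed sample data.

```powershell
# Added example: column names are assumed to match the abbreviated headers in the post.
$required = 'BTIHWPr', 'BTIWinPr', 'BTIWinEn', 'KVAShdwRq', 'KVIWinPr', 'KVIWinEn'

function Get-SpeculationControlGap {
    param([Parameter(ValueFromPipeline)] $Row)
    process {
        if ($Row.Status -ne 'OK') {
            # Error / Offline rows carry no data: treat them as unknown, not as compliant.
            [pscustomobject]@{ Computer = $Row.Computer; Result = 'Unknown'; Detail = $Row.Status }
            return
        }
        # Collect every required column that is not True for this computer.
        $missing = $required | Where-Object { $Row.$_ -ne 'True' }
        $result  = if ($missing) { 'NotMitigated' } else { 'Mitigated' }
        [pscustomobject]@{
            Computer = $Row.Computer
            Result   = $result
            Detail   = ($missing -join ',')
        }
    }
}

# Constructed sample rows in the same shape as the output shown in the post.
$sample = @'
Computer,Status,BTIHWPr,BTIWinPr,BTIWinEn,BTIDisSP,BTINoHWSup,KVAShdwRq,KVIWinPr,KVIWinEn,KVIPcidEn
HOST-A.example.test,OK,True,True,True,False,False,True,True,True,True
HOST-B.example.test,OK,False,False,False,False,False,True,False,False,False
HOST-C.example.test,Error,,,,,,,,,
HOST-D.example.test,Offline,,,,,,,,,
'@ | ConvertFrom-Csv

$report = $sample | Get-SpeculationControlGap

# Per-computer detail, then a count per result to track patch rollout.
$report | Sort-Object Result, Computer | Format-Table -AutoSize
$report | Group-Object Result | Sort-Object Name | Format-Table Name, Count -AutoSize
```

To run it against a real export, replace the sample with Import-Csv pointed at the file written by the -CSV switch.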

Click here to download the script.
