


August 15, 2011
August 2011 Newsletter


TrueSec

News and Geek Stuff

August 2011


At the Microsoft partner conference in Los Angeles in July, a major portion of the sessions was about the cloud. No surprise. But quite some time was also spent on System Center and its components, and that’s when I got really excited, knowing that we at TrueSec are at the forefront of ConfigMgr training and consulting.
Kent with his “Mastering ConfigMgr 2012 Beta 2” and Johan with his classic “Deploying Windows 7 using MDT and ConfigMgr” (now updated to cover both the current and the coming versions) will both run in the US this fall.


As for the next version of Windows, very little was mentioned, so let’s stay focused on Windows 7 and the migration from Windows XP (or, as was mentioned in one session, “the best upgrade path to Windows 8 is from Windows 7”).

Directly after the partner meeting we ran the popular Deployment Geek Week in Redmond with Johan and Mikael at the helm: five jam-packed days on deploying Windows 7 using the tools from Microsoft that are available for free (as well as under license), together with server and infrastructure builds. Don’t miss our next session, to be scheduled for December. Stay tuned!

GeekWeekers, Class of July 2011

Besides the alphabet soup class (referring to all the acronyms for the deployment tools out there), Rhonda Layfield will be hitting the road throughout the US this winter, doing a one-day crash course in deployment. Again, stay tuned for cities and dates.


In our efforts to offer more than just the infrastructure and security trainings, we also run a SharePoint class with Niklas Goude. He is running his “PowerShell for SharePoint 2010 administrators” in Chicago in late September. We are following the trend and offering a Kindle to students, not with the course material loaded, but with Niklas’ book of the same name as the training. Check it out on our site. Niklas also has a longer post in this letter.


In this issue of News and Geek Stuff, Marcus asks a relevant question about your company’s readiness to withstand a hacker attack. Knowing the importance of security, I have chosen to post a bonus article from our own PKI & Certificate Services 2008 R2 expert Hasain.


Happy reading and stay safe.

Kent Agerlund:
Asset Intelligence Utility

Johan Arwidmark:
Remote Connection to WinPE during MDT/SCCM deployments

Marcus Murray:
Evolution of Military Cyber Warfare and how it affects us!

Mikael Nystrom:
Device drivers can make you feel "differently".......

Niklas Goude:
Reading Lsa Service Account Secrets using PowerShell

Michael Petersen:
Enable LENOVO Security Chip (and other stuff) from a TS

Asset Intelligence Utility

Configuration Manager 2007 and 2012 allow you to import license information from a CSV file. The data is shown in the License 15A – General License Reconciliation Report. The problem for many is that it’s often a bit too difficult to create the CSV file in the correct format. Inspired by the CM2007 AILW utility, we decided to create our own tool and make it work for both Configuration Manager 2007 and the upcoming 2012 version.

You can download the utility here.

Configuring the utility

Once you have downloaded our utility you have to:

1. Copy CT-AILW.exe to C:\Program Files\Coretech\AILW\CT-AILW.exe (you need to create the folder manually).

2. Copy e1db6caa-40cb-49f0-a744-21ca930b419f\e1db6caa-40cb-49f0-a744-21ca930b419f.xml to <D>:\Program Files\Microsoft Configuration Manager\AdminConsole\XmlStorage\Extensions\Actions\e1db6caa-40cb-49f0-a744-21ca930b419f\e1db6caa-40cb-49f0-a744-21ca930b419f.xml (notice, you need to create the Actions folder manually).

3. Restart the Configuration Manager Console.

How it works

Using the tool is pretty easy; all you need to know is the name, vendor and version of the application. That information can be found in the Resource Explorer.

1. Restart the Configuration Manager Administrator console and navigate to the Assets and Compliance workspace.

2. Click Edit 3rd Party Licenses on the Ribbon.

3. Click Run and Connect to Database.

4. Make sure you are on the Edit tab. Scroll down to the end and enter a new product (in this example Adobe Reader 9.30 with 99 licenses).

5. Select the Commit tab and click Commit to SCCM.

6. Run the report License 15A – General License Reconciliation Report against All Systems. You should have a new entry showing Adobe Reader 9.30 with 99 available licenses.

/Kent


Evolution of Military Cyber Warfare and how it affects us


Every country in the world has some kind of armed forces to protect their territorial domains, and for most countries those would be defined as Sea, Air and Land. It’s also pretty obvious that we use the Navy to protect the sea, the Air Force to protect the air, and the Infantry to protect the land.
On top of that we have special forces etc. that can operate in various environments.

So, how does all this fit into an IT newsletter like this one? Well, today country after country is realizing that they have a new domain that needs to be protected. That domain is cyberspace, and this presents a great challenge to governments, defense departments and armed forces all over the world.

Can you imagine being responsible for inventing a working strategy to defend a country’s entire IT infrastructure? How would you even define your country’s cyberspace domain? Would national data stored on a foreign server be in scope or out of scope? The World Wide Web is still changing every second, and cloud services, social networks, mobility etc. are making it even more difficult every day.

Another great challenge is shaping a cyber-army and equipping it with the necessary tools to make it efficient. In the physical world the human race has been fighting wars as long as we can remember, and we know exactly how to train soldiers and build tanks, bunkers, machine guns, tripwires, bombs etc.

Believe it or not, even if the whole cyber-war concept is still very immature, most countries are building these armies and tools as we speak. Today there are new military careers where you can become a cyber-soldier, and several old and new players in the defense industry are manufacturing and selling tools for both "defensive" and "offensive" warfare.

Another scary insight is that even though we haven’t seen the first fully fledged cyber war yet, there are small battles between countries being fought every day in cyberspace. An example of this is the theft that was announced in June this year: 24,000 sensitive documents were stolen from a large US contractor, and a foreign government is suspected to be behind the attack.


Small and sometimes even big battles are also being fought in the non-military parts of cyberspace, and I think it’s time that all of us who are responsible for networks and IT infrastructure at least have a defensive IT strategy.

I have seen so many cases where a company has been attacked by cybercriminals and you realize that they hardly had any working defense strategy or security controls at all.


So if your organization doesn’t have this in place, then please make it a priority to at least start taking some measures in this area.

What you will need in the long run is an IT infrastructure that can resist most expected attacks from your potential opponents. This includes both trained staff and the correct tools. You will also need alarm systems that can identify when an attack is initiated, and staff that understand incident response if there is ever a breach.


I realize that most companies don’t need military-grade defense, but most of them need better protection than they have in place today.

Imagine there is a scale from one to five, where 1 is totally reactive and lacks most security controls, while 5 is a dynamic and resilient infrastructure managed by highly trained security personnel. Pick a number that you think represents your current status, and pick a number that you think is suitable for where your organization needs to be to be secure. If the number for your current status is lower than where you need to be, then you know you have work to do.


And of course, if you need any help, don’t hesitate to contact TrueSec!


Best regards,

Marcus Murray


Remote Connection to WinPE during MDT/SCCM deployments

In the new DaRT 7 (Beta) release, Microsoft added a remote connection application to WinPE. It allows you to connect to a WinPE system using the new DaRT Remote Connection Viewer. This article explains how to add it to either MDT 2010 Lite Touch or ConfigMgr (SCCM) 2007 to monitor your deployments.

Credit goes to Michael Niehaus for letting me know it existed and explaining the inner workings, and thank you Process Monitor and Process Explorer for helping me figure out which files were actually needed :)

Download the Remote Monitoring sample files


Adding Remote Monitoring to MDT 2010 or ConfigMgr 2007 OS Deployments


Adding Remote Monitoring to your deployments is done in these three high-level steps. The sample for MDT 2010 Lite Touch is for an x64 boot image, and the sample for ConfigMgr 2007 is for an x86 boot image.

- Download DaRT 7 (Beta) and create the DaRT ISO

- Extract the files needed for Remote Connection

- Configure the boot image(s) for MDT 2010 Lite Touch or ConfigMgr 2007

Step 1 - Download DaRT 7 (Beta) and create the DaRT ISO

1. Download DaRT 7 (Beta) from http://blogs.technet.com/b/mdop/archive/2011/04/04/diagnostics-and-recovery-toolset-dart-7-beta-released.aspx

2. Install DaRT 7 using the default settings

3. Use the DaRT Recovery Image wizard to create the DaRT ISO, use the source files from Windows 7 x64, and on the Remote Connections page, select Allow Remote Connection and specify a port number like 3388.


Step 2 - Extract the files needed for Remote Connection

1. Using WinRAR (or any other extractor or mount utility), extract the DaRT ISO to a folder, for example C:\Dart

2. Use ImageX or DISM to mount the C:\Dart\Sources\boot.wim file

3. From the mounted image, copy the following files to a folder on your server, for example D:\ExtraFiles\x64\Windows\System32

DartConfig.dat
FirewallExceptionChange.dll
LockingHooks.dll
MSDartCmn.dll
RdpCore.dll
rdpencom.dll
RemoteRecovery.exe

Configure MDT 2010 Lite Touch to add the files to its boot image (SCCM instructions further down)

1. Download the sample files (link) and extract them to D:\Tmp

2. Copy the D:\Tmp\MDT2010LiteTouch\x64\Unattend.xml to the D:\ExtraFiles\x64 folder

3. Create the D:\ExtraFiles\x64\Deploy\Scripts folder and copy D:\Tmp\StartRemoteRecovery.wsf to D:\ExtraFiles\x64\Deploy\Scripts.

4. Configure your deployment share to use the D:\ExtraFiles\x64 folder for the x64 boot image.

5. Update the deployment share, done :)


MDT 2010 Lite Touch with the Remote Connection waiting...



Configure ConfigMgr 2007 (MDT 2010 Zero Touch) to add the files to its boot image

This sample is for an x86 boot image; for ConfigMgr 2007 deployments you always use (or should use) an x86 boot image, even when deploying x64 operating systems.

1. Download the sample files (link) and extract them to D:\Tmp

2. Copy the D:\Tmp\MDT2010ZeroTouch(SCCM2007)\x86\Unattend.xml to the D:\ExtraFiles\x86 folder

3. Create the D:\ExtraFiles\x86\Deploy\Scripts folder and copy the D:\Tmp\StartRemoteRecovery.wsf to D:\ExtraFiles\x86\Deploy\Scripts.

4. From the MDT 2010 Files Package in ConfigMgr 2007, copy the ZTIUtility.vbs script to D:\ExtraFiles\x86\Deploy\Scripts

5. When creating the boot image in ConfigMgr 2007 (using the Create Boot Image using Microsoft Deployment wizard), specify the D:\ExtraFiles\x86 folder in the Extra Directory to Add.

Note: The reason for using the Unattend.xml file rather than the Operating System Media Pre-Execution Hook (tsconfig.ini) is that I wanted the Remote Connection to work even if the ConfigMgr wizard was used when starting the deployment. TSconfig.ini is not processed until you click Next when using the wizard. The reason for not using WinPEShl.ini is that the network needs to be started, and it's the wpeinit.exe process that starts the network and then parses the unattend.xml file, so starting via Unattend.xml turned out to be the best :)



ConfigMgr 2007 (MDT Zero Touch) with the Remote Connection waiting...


How it works

In this sample, the StartRemoteRecovery.wsf script is started by unattend.xml, before the normal LiteTouch.wsf script or the ConfigMgr wizard is launched. To connect to WinPE you need to use the DaRT Remote Connection Viewer and type in the Ticket Number, IP Address and Port.

This information is visible on the WinPE client, and is also stored in inv32.xml in X:\Windows\System32 on the client. If you want to automate the connection to the client (for example provide a ready-made link), you can create a script that reads the info from inv32.xml and creates a shortcut on the deployment server. The DaRT Remote Connection Viewer supports command line parameters for Ticket Number, IP Address and Port.



The DaRT Remote Connection Viewer

The StartRemoteRecovery.wsf script

The StartRemoteRecovery.wsf script simply launches RemoteRecovery.exe and then continues without waiting for it to exit. If you add RemoteRecovery.exe directly to unattend.xml instead, the deployment will pause there forever. Also, I decided to start the RemoteRecovery.exe application minimized. If you don't like that, simply change line 22 in the script to iRetVal = oShell.Run(sCmd, 1, false)




The RemoteRecovery.exe application minimized




My MDT01 Server with an open connection to my WinPE client using DaRT Remote Connection Viewer


By Johan Arwidmark
Microsoft MVP – Setup and Deployment





Device drivers can make you feel "differently".......


Today’s story is about a driver, a driver that did not really want to be installed. I guess you have been in that situation before, and I will give a tip on how to make those drivers install like a charm. The driver of today’s topic is a smartcard driver, so first of all we need to force the driver into the deployment solution, which normally is not too advanced. You just download the driver, unpack it and import it into the Deployment Workbench in MDT or as a driver package into SCCM. In MDT we need to create a selection profile so we can ignore PnP and just inject the driver, and so I did. The first test shows that, yes, the driver does get into the driver store, but it does not work. You can always see what drivers you have in Windows 7 using DISM:

DISM /Online /Get-Drivers /Format:Table

Ok, so now I need to read about this driver, and after a while it turns out that the driver can only be installed using the “Right click on the INF file and select Install” method. Well, that tells me that the old Rundll32 trick should work, but no luck. Ok, ok, let us try the Devcon trick then. Nope, sorry. Now at this time the customer is asking me if I have any problems, and of course I don’t have any problems, it’s just a “bad” driver day…

So, it works when right clicking, ok. But nothing else seems to work, hmm. There is one thing I haven't tried yet, and that is the IExpress trick. Let us try that, and 25 minutes later (re-deploy the machine) it worked like a charm. Now you may ask yourself: What is the IExpress trick?

Package nasty drivers in a self-extracting and self-installing executable

Now, let us be very clear about one thing, all other methods are better than this (if they work) but sometimes I don’t have time to fly over to the developer with my baseball bat and explain how to do things…

1. Get the driver

In this case the driver is downloadable from the vendor and from http://catalog.update.microsoft.com. From the Vendor it’s a ZIP and from MS catalog it’s a CAB file. A nice thing about MS Catalog is that you can search for the PNP number, but in this case I know the name. A search on “HID C200” will give me “HID Global - Input - HID Crescendo C200”

2. Unpack the driver

ZIP files are, well, just ZIP files. CAB files can be opened easily using the Expand command:

Expand file.CAB -F:* C:\Driver

3. Pack the Driver using IExpress

What you might not know is that included in Windows 7 there is a packaging application called IExpress and in this case it is really useful.

So, here is the step by step:

Start IExpress by typing iexpress in a CMD prompt and select to create a new package.

Select to “Extract and run an installation command”.


Give it a name.


Select no confirmation prompt.


Don’t display any license agreement.

Browse to the folder where you have unpacked the drivers and select them all.

Use the dropdown list and select the inf file, if you want to run something else like a batch file, just type the name and it will work.

Nope, no windows please…

Nope, don’t need any kind of messages…

Be sure to select “long names” if the driver uses them.

Nope, no restart, we will fix that in the task sequences ourselves.

Save it.

Create the package.

Wait…

4. Deploy the package

Now you have an executable application that works in MDT (have not tested in SCCM, but it might work there too) that will deploy the “nasty” driver in a way that works…
/mike - aka the Deployment Bunny


Reading Lsa Service Account Secrets using PowerShell

Intro

The Local Security Authority (Lsa) in Windows is designed to manage a system’s security policy, auditing, logging users on to the system and storing private data such as service account passwords, cached password hashes, FTP and web user passwords, Remote Access Service (RAS) dial-up account names and passwords, and computer account passwords for domain access.

The LSA Secrets are stored under the HKLM:\Security\Policy\Secrets key. This key contains additional sub-keys that store the encrypted secrets. The HKLM:\Security\Policy\Secrets key is not accessible from regedit or other tools by default, but you can access it by running as SYSTEM.


Each Secret contains five values:

- CurrVal – Current Encrypted Value
- CupdTime – Last Update Time
- OldVal – Old Value
- OupdTime – Old Update Time
- SecDesc – Security Descriptor


P/Invoke

Windows PowerShell V2.0 includes a cmdlet, Add-Type, which is used to add a Microsoft .NET Framework type (a class) to a Windows PowerShell session. This also makes it possible to call native Windows APIs from Windows PowerShell.

If you want to learn how to call the native Windows APIs, check out PInvoke.net. PInvoke.net is a wiki that allows developers to share P/Invoke signatures, user-defined types, and any other info related to calling Win32 and other unmanaged APIs from managed code (C#, VB.NET and PowerShell, Yaay).

As for this particular little example we’ll check out advapi32 and the LsaRetrievePrivateData function. The function is described here.

PowerShell

As mentioned earlier, you can’t access the HKLM:\Security\Policy\Secrets key as a normal user; however, you can access it as SYSTEM. A simple way of running PowerShell as NT AUTHORITY\SYSTEM is by using psexec.exe.

PS > .\PsExec.exe -i -s powershell.exe
PS > whoami
nt authority\system

Step two is to use the sample code from P/Invoke in PowerShell. Thanks to the Add-Type cmdlet, we can simply place the C# sample code in a variable and pass it to the cmdlet using the MemberDefinition parameter.

$signature = @"
// LSA_UNICODE_STRING: counted UTF-16 string used by the LSA APIs (Length and MaximumLength are in bytes)
[StructLayout(LayoutKind.Sequential)]
public struct LSA_UNICODE_STRING
{
  public UInt16 Length;
  public UInt16 MaximumLength;
  public IntPtr Buffer;
}

// LSA_OBJECT_ATTRIBUTES: passed to LsaOpenPolicy; all members can be left zeroed
[StructLayout(LayoutKind.Sequential)]
public struct LSA_OBJECT_ATTRIBUTES
{
  public int Length;
  public IntPtr RootDirectory;
  public LSA_UNICODE_STRING ObjectName;
  public uint Attributes;
  public IntPtr SecurityDescriptor;
  public IntPtr SecurityQualityOfService;
}

// Access rights for the policy object; POLICY_GET_PRIVATE_INFORMATION is what LsaRetrievePrivateData needs
public enum LSA_AccessPolicy : long
{
  POLICY_VIEW_LOCAL_INFORMATION = 0x00000001L,
  POLICY_VIEW_AUDIT_INFORMATION = 0x00000002L,
  POLICY_GET_PRIVATE_INFORMATION = 0x00000004L,
  POLICY_TRUST_ADMIN = 0x00000008L,
  POLICY_CREATE_ACCOUNT = 0x00000010L,
  POLICY_CREATE_SECRET = 0x00000020L,
  POLICY_CREATE_PRIVILEGE = 0x00000040L,
  POLICY_SET_DEFAULT_QUOTA_LIMITS = 0x00000080L,
  POLICY_SET_AUDIT_REQUIREMENTS = 0x00000100L,
  POLICY_AUDIT_LOG_ADMIN = 0x00000200L,
  POLICY_SERVER_ADMIN = 0x00000400L,
  POLICY_LOOKUP_NAMES = 0x00000800L,
  POLICY_NOTIFICATION = 0x00001000L
}

// All Lsa* functions return an NTSTATUS (0 = STATUS_SUCCESS); LsaNtStatusToWinError converts it to a Win32 error code
[DllImport("advapi32.dll", SetLastError = true, PreserveSig = true)]
public static extern uint LsaRetrievePrivateData(
  IntPtr PolicyHandle,
  ref LSA_UNICODE_STRING KeyName,
  out IntPtr PrivateData
);

[DllImport("advapi32.dll", SetLastError = true, PreserveSig = true)]
public static extern uint LsaStorePrivateData(
  IntPtr policyHandle,
  ref LSA_UNICODE_STRING KeyName,
  ref LSA_UNICODE_STRING PrivateData
);

[DllImport("advapi32.dll", SetLastError = true, PreserveSig = true)]
public static extern uint LsaOpenPolicy(
  ref LSA_UNICODE_STRING SystemName,
  ref LSA_OBJECT_ATTRIBUTES ObjectAttributes,
  uint DesiredAccess,
  out IntPtr PolicyHandle
);

[DllImport("advapi32.dll", SetLastError = true, PreserveSig = true)]
public static extern uint LsaNtStatusToWinError(
  uint status
);

[DllImport("advapi32.dll", SetLastError = true, PreserveSig = true)]
public static extern uint LsaClose(
  IntPtr policyHandle
);

// Memory returned by LsaRetrievePrivateData must be released with LsaFreeMemory
[DllImport("advapi32.dll", SetLastError = true, PreserveSig = true)]
public static extern uint LsaFreeMemory(
  IntPtr buffer
);
"@

Add-Type -MemberDefinition $signature -Name LSAUtil -Namespace LSAUtil


In the example above we store the sample code from P/Invoke in a variable and then use the Add-Type cmdlet to add it to our PowerShell session.

Now for the tricky part. You can access the LSA secrets for service accounts using the NT AUTHORITY\SYSTEM account, but you can’t decrypt them. To decrypt the values you have to own them. How to solve this? The simplest way is to use the reg.exe command.

In this example I’ll use the _SC_OSearch14 key (SharePoint 2010 Timer) and create a temporary key where I’ll copy each of the values described above.

"CurrVal","OldVal","OupdTime","CupdTime","SecDesc" | ForEach-Object {
  $copyFrom = "HKLM\SECURITY\Policy\Secrets\_SC_OSearch14\" + $_
  $copyTo = "HKLM\SECURITY\Policy\Secrets\MySecret\" + $_
  $regCopy = reg COPY $copyFrom $copyTo /s /f
}


Next, I’ll create three objects holding the objectAttributes, localSystem and secretName.

# objectAttributes
$objectAttributes = New-Object LSAUtil.LSAUtil+LSA_OBJECT_ATTRIBUTES
$objectAttributes.Length = 0
$objectAttributes.RootDirectory = [IntPtr]::Zero
$objectAttributes.Attributes = 0
$objectAttributes.SecurityDescriptor = [IntPtr]::Zero
$objectAttributes.SecurityQualityOfService = [IntPtr]::Zero

# localSystem
$localsystem = New-Object LSAUtil.LSAUtil+LSA_UNICODE_STRING
$localsystem.Buffer = [IntPtr]::Zero
$localsystem.Length = 0
$localsystem.MaximumLength = 0

# Secret Name
$secretName = New-Object LSAUtil.LSAUtil+LSA_UNICODE_STRING
$secretName.Buffer = [System.Runtime.InteropServices.Marshal]::StringToHGlobalUni("MySecret")
$secretName.Length = [UInt16]("MySecret".Length * [System.Text.UnicodeEncoding]::CharSize)
$secretName.MaximumLength = [UInt16](("MySecret".Length + 1) * [System.Text.UnicodeEncoding]::CharSize)

With the objects at hand I can go ahead and retrieve the LSA policy handle.

$lsaPolicyHandle = [IntPtr]::Zero
[LSAUtil.LSAUtil+LSA_AccessPolicy]$access =
  [LSAUtil.LSAUtil+LSA_AccessPolicy]::POLICY_GET_PRIVATE_INFORMATION
# LsaOpenPolicy returns an NTSTATUS; 0 means the handle in $lsaPolicyHandle is valid
$lsaOpenPolicyStatus = [LSAUtil.LSAUtil]::LsaOpenPolicy(
  [ref]$localSystem,
  [ref]$objectAttributes,
  $access,
  [ref]$lsaPolicyHandle
)

If the LsaOpenPolicy function works out, it returns 0, otherwise you’ll have a nice error. A good tip is to check the output; LsaNtStatusToWinError turns the NTSTATUS into the more familiar Windows error code.

if($lsaOpenPolicyStatus -ne 0) {
  $winError = [LSAUtil.LSAUtil]::LsaNtStatusToWinError($lsaOpenPolicyStatus)
  Write-Warning "LsaOpenPolicy NTSTATUS: $lsaOpenPolicyStatus, Windows Error Code: $winError"
}

Next, we retrieve the private data using the LsaRetrievePrivateData function and close the policy handle.

$privateData = [IntPtr]::Zero
$ntsResult = [LSAUtil.LSAUtil]::LsaRetrievePrivateData(
  $lsaPolicyHandle,
  [ref]$secretName,
  [ref]$privateData
)
$lsaClose = [LSAUtil.LSAUtil]::LsaClose($lsaPolicyHandle)

Again, it’s a good idea to check the exit code from the LsaRetrievePrivateData function; the conversion to a Windows error code has to happen after the call, once $ntsResult has a value.

$lsaNtStatusToWinError = [LSAUtil.LSAUtil]::LsaNtStatusToWinError($ntsResult)
if($lsaNtStatusToWinError -ne 0) {
  Write-Warning "LsaRetrievePrivateData Windows Error Code: $lsaNtStatusToWinError"
}

The next step is to convert the output to a managed object and then to a string. The LSA_UNICODE_STRING buffer is not guaranteed to be null-terminated, so the string is cut to Length bytes (two bytes per character), and the buffer is then released with LsaFreeMemory.

[LSAUtil.LSAUtil+LSA_UNICODE_STRING]$secretData =
  [LSAUtil.LSAUtil+LSA_UNICODE_STRING][System.Runtime.InteropServices.Marshal]::PtrToStructure(
    $privateData,
    [LSAUtil.LSAUtil+LSA_UNICODE_STRING]
  )
[string]$value = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($secretData.Buffer)
$value = $value.SubString(0, ($secretData.Length / 2))
$freeMemory = [LSAUtil.LSAUtil]::LsaFreeMemory($privateData)

At this point, you should have a password in clear text. To find the account associated with the ‘_SC_OSearch14’ service account secret you can simply use WMI as demonstrated below.

$serviceName = "_SC_OSearch14" -Replace "^_SC_"
$service = Get-WmiObject -Query "SELECT StartName FROM Win32_Service WHERE Name = '$serviceName'"
$account = $service.StartName

The last step is to return the account and password as demonstrated below.

New-Object PSObject -Property @{
  Account = $account;
  SETEC_ASTRONOMY = $value
}

Account             SETEC_ASTRONOMY
-------             ---------------
POWERSHELL\spAdmin  Password1


Visit http://research.truesec.com/ to download the code demonstrated above.

/Niklas
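As an added defensive counterpart to the procedure above (not part of Niklas' article or the code on research.truesec.com): a PowerShell audit that lists only the names of the keys under HKLM:\SECURITY\Policy\Secrets, which needs the same SYSTEM context, and flags names that are neither well-known Windows secrets nor _SC_ entries matching an installed service, so that a copied key such as MySecret stands out. The function names and the sample lists are assumptions made for this example.

```powershell
# Added example, not from the original article. Lists LSA secret names (never their values)
# and classifies them. Reading the Secrets key requires running as SYSTEM, like the article.

function Get-LsaSecretName {
    # Subkey names under the Secrets key; run as NT AUTHORITY\SYSTEM (e.g. via psexec -s)
    Get-ChildItem -Path 'HKLM:\SECURITY\Policy\Secrets' -ErrorAction Stop |
        ForEach-Object { $_.PSChildName }
}

function Test-LsaSecretName {
    param(
        [Parameter(Mandatory=$true)][string[]]$SecretName,
        # Installed service names, normally (Get-WmiObject Win32_Service).Name
        [Parameter(Mandatory=$true)][string[]]$ServiceName
    )
    # Names Windows itself maintains (machine account, DPAPI master key, Netlogon key, autologon)
    $wellKnown = @('$MACHINE.ACC', 'DPAPI_SYSTEM', 'NL$KM', 'DefaultPassword')
    foreach ($name in $SecretName) {
        $verdict = 'unexpected'   # neither a system secret nor a service secret
        if ($wellKnown -contains $name) {
            $verdict = 'system secret'
        } elseif ($name -match '^[LGM]\$') {
            # L$/G$/M$ are the local/global/machine key-name conventions of LsaStorePrivateData
            $verdict = 'system secret (prefixed)'
        } elseif ($name -match '^_SC_(.+)$') {
            # _SC_<service>: service account password, as the article explains
            if ($ServiceName -contains $Matches[1]) { $verdict = 'service secret' }
            else { $verdict = 'service secret, service not installed' }
        }
        New-Object PSObject -Property @{ Name = $name; Verdict = $verdict }
    }
}

# Constructed sample input so the classification can be tried without SYSTEM rights.
# On a real host use: Test-LsaSecretName (Get-LsaSecretName) (Get-WmiObject Win32_Service).Name
$sampleSecrets  = @('$MACHINE.ACC', 'DPAPI_SYSTEM', 'NL$KM', 'L$ExampleLocal',
                    '_SC_OSearch14', '_SC_RemovedAgent', 'MySecret')
$sampleServices = @('OSearch14', 'SPTimerV4', 'Spooler')

# Show only what deserves a second look: orphaned service secrets and names nobody can explain
Test-LsaSecretName -SecretName $sampleSecrets -ServiceName $sampleServices |
    Where-Object { $_.Verdict -notlike 'system secret*' } |
    Format-Table Name, Verdict -AutoSize
```

A `_SC_` entry without a matching service usually just means the service was removed and its secret lingered, whereas a name like MySecret has no legitimate producer and should be explained or cleaned up.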


Enable LENOVO TPM Security Chip (and other stuff) from a TS

I have some customers who run strictly Lenovo computers (laptops and desktops). On a lot of these computers the security chip has been disabled or is in Inactive mode, thus not allowing the use of BitLocker. I just finished messing around with activating the TPM chip in the BIOS from a task sequence on those LENOVO computers, and once all the minor obstacles were figured out, it turned out to be quite easy.

The first thing I wanted to do was to check if the TPM chip was already Active, and if not, activate it. This is actually really simple on a LENOVO laptop, as this can all be done using WMI. LENOVO has been kind enough to supply the scripts needed to do this, along with some .pdf guides (get the scripts HERE).

Once you have the scripts, the ones you need are ListAll.vbs and SetConfig.vbs. The ListAll script will list the status of all WMI-configurable settings in the BIOS. Just open an elevated command prompt and run ListAll.vbs, and remember to use cscript.exe when you execute the script, or you will get like 50 message boxes…

cscript.exe ListAll.vbs

In the picture below (from a LENOVO W520), you can see that the security chip is Inactive and needs to be activated for BitLocker to work. (You will also notice that the computer is running in AHCI mode, and that virtualization is disabled along with a lot of other stuff; these settings can be changed as well if necessary.)

To change the settings we utilize the script SetConfig.vbs. Just place it in your scripts package (or create one), and then in your task sequence add a Run Command Line step like the one shown in the picture:



Command line: Cscript.exe SetConfig.vbs SecurityChip Active

It’s important that the settings you want to change are written exactly as they appear in the ListAll output, as they are case sensitive, or the script will fail. This means that Active is correct but active is NOT.

That’s basically it. The TPM chip will now be activated during the next reboot, which of course means that you must add a reboot before enabling BitLocker.

If you want it real neat and pretty, you could add a condition to the step so it does not run if the chip is already active. It’s not necessary to do so, but it will at least give you some info in the SMSTS.log on whether or not the chip was enabled.

Add an "If none" condition, and under that condition add a Query WMI condition (as shown above). In that query, change the Namespace from root\cimv2 to root\wmi and in the WQL Query write:

Select * FROM Lenovo_BiosSetting WHERE CurrentSetting = 'SecurityChip,Active'

Now the script will only run if the status of the security chip is different from Active.

One last thing I ran into was on the Lenovo T510 and T410, where this didn’t work. It turned out to be because of an error in the BIOS… Once I flashed the BIOS with the newest version, it worked like a charm… Should you need a guide on how to do an SCCM unattended BIOS update, I have written one on my blog http://blog.coretech.dk/mip/


/Michael
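The same check-then-activate logic done directly from PowerShell against Lenovo's WMI classes in root\wmi, as an added example that is not part of Michael's post or Lenovo's own scripts; it is meant for a Run PowerShell Script step. The function names and the supervisor password handling are assumptions; the value "Active" is case sensitive exactly as described above.

```powershell
# Added example, not from the original post or Lenovo's sample scripts.
# Uses the Lenovo_BiosSetting / Lenovo_SetBiosSetting / Lenovo_SaveBiosSettings classes
# in root\wmi, the same interface ListAll.vbs and SetConfig.vbs drive.

function Get-LenovoBiosSetting {
    param([Parameter(Mandatory=$true)][string]$Name)
    # CurrentSetting is a "Name,Value" string, e.g. "SecurityChip,Inactive"
    $entry = Get-WmiObject -Namespace root\wmi -Class Lenovo_BiosSetting |
        Where-Object { $_.CurrentSetting -like "$Name,*" } |
        Select-Object -First 1
    if (-not $entry) { return $null }
    return ($entry.CurrentSetting -split ',', 2)[1]
}

function Set-LenovoBiosSetting {
    param(
        [Parameter(Mandatory=$true)][string]$Name,
        [Parameter(Mandatory=$true)][string]$Value,
        [string]$SupervisorPassword   # leave empty when the BIOS has no supervisor password (assumed format)
    )
    # Setting names and values are case sensitive: "SecurityChip,Active" works, "SecurityChip,active" fails
    $request = "$Name,$Value"
    if ($SupervisorPassword) { $request += ",$SupervisorPassword,ascii,us" }
    $setter = Get-WmiObject -Namespace root\wmi -Class Lenovo_SetBiosSetting
    $result = $setter.SetBiosSetting($request).return
    if ($result -ne 'Success') { throw "SetBiosSetting '$request' failed: $result" }
    # Nothing is committed to the BIOS until SaveBiosSettings is called
    $saver = Get-WmiObject -Namespace root\wmi -Class Lenovo_SaveBiosSettings
    $saveArg = if ($SupervisorPassword) { "$SupervisorPassword,ascii,us" } else { '' }
    $result = $saver.SaveBiosSettings($saveArg).return
    if ($result -ne 'Success') { throw "SaveBiosSettings failed: $result" }
}

# Activates the TPM only when it is not already Active; returns $true when a reboot is required
function Enable-LenovoSecurityChip {
    param([string]$SupervisorPassword)
    $state = Get-LenovoBiosSetting -Name 'SecurityChip'
    if ($null -eq $state) { throw 'SecurityChip setting is not exposed by this BIOS' }
    if ($state -ceq 'Active') { return $false }
    Set-LenovoBiosSetting -Name 'SecurityChip' -Value 'Active' -SupervisorPassword $SupervisorPassword
    return $true
}

if (Enable-LenovoSecurityChip) {
    # As in the post: the change applies at the next reboot, which must happen before BitLocker is enabled
    Write-Output 'SecurityChip set to Active; reboot required before enabling BitLocker'
} else {
    Write-Output 'SecurityChip already Active'
}
```

On models where the BIOS itself is the problem (the T510/T410 case above), SetBiosSetting still reports success but the chip stays inactive after reboot, so a second Get-LenovoBiosSetting check after the restart is the only reliable confirmation.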


Bonus post from our PKI expert Hasain Alshakarti

It is not about having spare time and it is not about just testing, but it is all about what is supposed to work in the Windows platform but does not, or is not clear enough to understand and use. Let me give you one example: It all started with a question about how to manually perform a scripted certificate request using enrollment agents, at the Microsoft TechNet forums for Windows Server Security http://social.technet.microsoft.com/Forums/en-US/winserversecurity. My previous experience told me that certreq.exe can be used in such a situation and that was my answer, but it all ended in a non-working scenario with a one-of-a-kind error message that said "Certificate Request Processor: An attempt was made to perform an initialization operation when initialization has already been completed. 0x800704df (WIN32: 1247)". This type of error triggers my curiosity and gets me going until I manage to have a working solution, or I get knocked out temporarily until I find my way, sometimes with a custom written tool to share with the community :) Read more about this specific topic and other topics on my blog at http://secadmins.


Hasain


Where to find us......

Understand how hackers attack the Windows Platform with Marcus Murray
  Amsterdam: September 12-14
  New York City: November 14-16

Mastering PKI & Certificate Services 2008 R2 with Hasain Alshakarti
  London: October 31

Deployment Foundations Class with Rhonda Layfield
  DC: September 12-15

Mastering ConfigMgr2012 Beta2 with Kent Agerlund
  Minneapolis: October 24-27
  London, UK: October 31
  Chicago: November 28

Deploying Windows 7 using MDT and SCCM with Johan Arwidmark
  Minneapolis: October 10-12
  Boston: November 8-10

Full schedule at http://www.truesec.com


TrueSec Inc.
8201 164th Ave NE, Redmond, WA 98052

