PowerShell under the security context of another user (RunAs)

Recently I needed to run some PowerShell scripts under multiple security contexts; the main reason for this was my client's strict delegation model.

We ended up with multiple service accounts with rights only to the needed systems (it's not such a bad thing!)

The result was this PowerShell script to change the security context:

# Service account to run as; the password is kept in clear text here, exactly as in the original script
$SPAccountName = "<username>"
$AccountPassword = "<password>"
$AccountPasswordAsSecureString = $AccountPassword | ConvertTo-SecureString -Force -AsPlainText
# Build the credential as DOMAIN\user, taking the domain from the current logon
$credential = New-Object System.Management.Automation.PSCredential("$env:userdomain\$SPAccountName", $AccountPasswordAsSecureString)
# Open a remoting session that runs under the service account (targets the local machine unless -ComputerName is given)
$SvcAccSession = New-PSSession -Credential $credential
Invoke-Command -Session $SvcAccSession -ScriptBlock { Import-Module ActiveDirectory }
Invoke-Command -Session $SvcAccSession -ScriptBlock { Get-ADGroupMember "Some-group" }

In the above example we just get the members of some application group – but really, you can do whatever you like.

If you need it to query a specific server you can use -ComputerName <servername> right after New-PSSession.

This method also came in rather handy when running server-side PowerShell execution invoked by a web service... but more on that later.
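The same RunAs idea, written as an added example rather than the post's own script, but without a clear-text password in the file: the credential is loaded from a DPAPI-protected Clixml export (readable only by the same user on the same machine) or prompted for, the target server is made explicit with -ComputerName, and the session is always removed afterwards. The server name, group name and credential file path are placeholders.

```powershell
# Added example (not the original post's script): run an AD query under a service
# account without storing its password in clear text.
# Assumed/placeholder values: the server name, the group name and the credential file path.

param(
    [string]$ComputerName = 'dc01.corp.example',                       # placeholder target server
    [string]$GroupName    = 'Some-group',                               # group name from the post
    [string]$CredFile     = "$env:LOCALAPPDATA\svc-ad-reader.cred.xml"  # assumed path
)

# One-time setup, run interactively as the user who will later run this script:
#   Get-Credential | Export-Clixml -Path $CredFile
# Export-Clixml protects the SecureString with DPAPI, so the file is only usable by
# the same Windows user on the same machine; it is not a clear-text password.
if (Test-Path -Path $CredFile) {
    $credential = Import-Clixml -Path $CredFile
} else {
    # Fall back to an interactive prompt; nothing is written to disk.
    $credential = Get-Credential -Message "Service account for the AD query"
}

$session = $null
try {
    # Name the remote endpoint explicitly instead of implicitly connecting to localhost.
    $session = New-PSSession -ComputerName $ComputerName -Credential $credential -ErrorAction Stop

    # Pass the group name into the remote scope with $using: rather than building a command string.
    $members = Invoke-Command -Session $session -ScriptBlock {
        Import-Module ActiveDirectory
        Get-ADGroupMember -Identity $using:GroupName |
            Select-Object Name, SamAccountName, objectClass
    }

    $members | Format-Table -AutoSize
}
finally {
    # Always tear the session down, even when the query fails, so no runspace
    # keeps running under the service account.
    if ($session) { Remove-PSSession -Session $session }
}
```

Because the Clixml file is bound to the exporting user and machine, a scheduled task or service that runs this script must export the credential under that same account; a file exported by an administrator at the console will not decrypt for it.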


Access Director 2.4.0.2 released!

It's been some time since our last update, but here we go again.

Access Director has been updated and released.

This is a major upgrade; all previous versions should be uninstalled prior to installing the new version.

Short list of changes

  • It's now possible to use localized balloon notifications (or your own)
  • The default language is en-us
    • Valid values are auto, or a specific language file, e.g. de-de.lng (must reside in the existing languages folder)
  • Localized menu options (remember to save lng files as Unicode)
  • Registry settings now reside in HKLM\Software\NoLightPeople\Access Director
  • As per request, the MSI and the application itself are now signed
  • Removed the need for any registry keys for the service to start (it will run with default values if none are present)
  • Updated Group Policy Preferences template included in the zip file

Direct Download Link: http://tinyurl.com/mtc4pzo

Let me know of bugs and feature requests 🙂 @MarcussenThomas


Advanced Installer

For many years I've been working with Wise Package Studio, the best tool ever for application repackaging projects. Since Wise Package Studio is end of life (announced in December 2011), now seemed like a good time to find a new tool. Flexera AdminStudio seemed like the obvious choice, but it is rather expensive (still a great tool).

In some cases Orca (http://www.technipages.com/download-orca-msi-editor) would get the job done, but it would still take a long time.

I remembered coming across Advanced Installer at TechEd NA, so I decided to have a look at the tool.

There is a free trial from the website and also a free version: http://www.advancedinstaller.com/download.html

Advanced Installer comes in multiple versions; I chose to test the Architect version, mainly because it had the following features highlighted:

  • Repacker
  • App-V
  • SCCM
  • MSI Quick-Edit

My test of the product was a great success!

Today I will recommend this product to my customers looking to repackage or edit MSIs; it has a nice and intuitive interface, much like Wise Package Studio had 😉

Have a look at some of the videos from Advanced Installer on YouTube: https://www.youtube.com/channel/UCIPx2SPC1K7_DoPdVeFHoNg


Admin Rights: The Root Of Many Vulnerabilities

A recent survey conducted by BeyondTrust (www.beyondtrust.com), a developer and marketer of least privilege management software, reveals that 92% of critical vulnerabilities reported by Microsoft could have been prevented simply by removing administrator rights from Windows users. Also, the survey points out, removing administrator rights helps companies protect themselves and their computers against 94% of Microsoft Office, 89% of Microsoft Internet Explorer, and 53% of Windows vulnerabilities. Given the prevalence of Microsoft software in today’s corporate environment, these numbers should give any administrator pause.

Get a head start removing Admin Rights – by using Access Director from Basic Bytes

Application repackaging – Active Setup & Windows Installer Repair

If you repackage or deploy applications, you need to know about Active Setup and Windows Installer repair.

The best methods are documented first, followed by the alternative ways.

Method I

Active Setup Method:

This is one of the best practices in MSI packaging: it combines the native Active Setup behavior of Windows with the Windows Installer repair technique for populating HKCU keys.

One should follow these specific steps while using this method:

  1. Make sure all HKCU keys in the MSI package you are creating are under structured component names like CurrentUser, CurrentUser1, etc.
  2. The package author should be able to judge and set the key path for that component properly.
  3. As per Microsoft component guidelines, keep the components containing HKCU keys as few as possible; the best practice is a single component (CurrentUser) holding all HKCU keys, with the best key path set.
  4. Create the following registry key under the main hive, with these values:
     1. HKLM\Software\Microsoft\Active Setup\Installed Components\{GUID of the MSI}
     2. ComponentID=PackageName_ComponentName
     3. StubPath=[SystemFolder]msiexec.exe /fu {Product Code of the MSI} /q
     4. Version=ProductVersion

The principle of Active Setup is that when a new user logs on for the first time, Active Setup performs a checksum (comparison) between HKLM\Software\Microsoft\Active Setup\Installed Components\{GUID of the MSI} and HKCU\Software\Microsoft\Active Setup\Installed Components\{GUID of the MSI}; if the GUID is not present under HKCU, it performs the actions defined under that main hive key (StubPath, Version) and populates the GUID under HKCU. The main advantage of Active Setup is that it performs the action only once per user, thanks to this checksum behavior matching the entries under HKLM and HKCU.

Method II

Active Setup Method:

This method can be used for both MSIs and non-MSIs.

Create a silent SMS script or WiseScript (e.g. Script.exe) which creates the needed HKCU registry entries for the application. Then place that EXE in the application's [INSTALLDIR] in your MSI package, or inside your executable's binary.

Then create the following additional registry entries in the MSI Package or within the Script whichever is applicable:

HKLM\Software\Microsoft\Active Setup\Installed Components\{GUID or AppName}

ComponentID=PackageName_ComponentName

StubPath="[INSTALLDIR]Script.exe"

Version=ProductVersion


Active Setup performs its regular checksum (comparison of the entries under HKLM and HKCU), and if the unique GUID or AppName is not present under the HKCU hive, it performs all the actions (StubPath, Version) and populates the GUID or AppName under HKCU too. This happens only once per user, the first time, to populate the HKCU hive.

Method I and method II both use the Active Setup feature, and one should understand the advantages of one over the other. Method I requires source resiliency to populate the HKCU keys (the msiexec repair must be able to reach the installation source), whereas method II does not, since Script.exe does everything itself.

Method I and method II can be used in any scenario, whether advertised entry points are present or not.
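To make the Active Setup keys of methods I and II concrete, here is an added PowerShell example (not code from the article) that writes the Installed Components entry for either variant from an elevated session, and a check that mirrors what Active Setup evaluates at logon. The GUID, product code, install path, component ID and version are constructed placeholders; the helper also covers a detail the article does not spell out, namely that the stub runs again when the HKLM Version is higher than the one recorded under HKCU.

```powershell
# Added example, not from the original article. Requires an elevated session (writes HKLM).
# All identifiers below (product code, app name, paths, versions) are constructed placeholders.

$ActiveSetupRoot = 'HKLM:\Software\Microsoft\Active Setup\Installed Components'

function New-ActiveSetupEntry {
    param(
        [Parameter(Mandatory)] [string]$Id,          # {GUID} for Method I, AppName for Method II
        [Parameter(Mandatory)] [string]$ComponentId, # PackageName_ComponentName
        [Parameter(Mandatory)] [string]$StubPath,    # command Active Setup runs once per user
        [Parameter(Mandatory)] [string]$Version      # Active Setup expects comma-separated numbers, e.g. 1,0,0,0
    )
    $key = Join-Path $ActiveSetupRoot $Id
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'ComponentID' -Value $ComponentId -PropertyType String -Force | Out-Null
    New-ItemProperty -Path $key -Name 'StubPath'    -Value $StubPath    -PropertyType String -Force | Out-Null
    New-ItemProperty -Path $key -Name 'Version'     -Value $Version     -PropertyType String -Force | Out-Null
    Get-ItemProperty -Path $key
}

function Test-ActiveSetupPending {
    # Mirrors the logon-time comparison for the current user: the stub runs if the Id is
    # missing under HKCU, or if the HKLM Version is higher than the HKCU Version.
    param([Parameter(Mandatory)] [string]$Id)
    $hklm = Get-ItemProperty -Path (Join-Path $ActiveSetupRoot $Id) -ErrorAction SilentlyContinue
    if (-not $hklm) { return $false }   # no machine-wide entry, nothing to run
    $hkcu = Get-ItemProperty -Path "HKCU:\Software\Microsoft\Active Setup\Installed Components\$Id" -ErrorAction SilentlyContinue
    if (-not $hkcu) { return $true }    # first logon for this user
    # Active Setup stores versions as "1,0,0,0"; [version] wants dots.
    return ([version]($hklm.Version -replace ',', '.')) -gt ([version]($hkcu.Version -replace ',', '.'))
}

# Method I: let Windows Installer repair the per-user keys (the MSI source must be reachable).
$productCode = '{00000000-0000-0000-0000-000000000000}'   # placeholder product code
New-ActiveSetupEntry -Id $productCode -ComponentId 'MyApp_CurrentUser' `
    -StubPath "$env:SystemRoot\System32\msiexec.exe /fu $productCode /q" -Version '1,0,0,0'

# Method II: a self-contained script writes the HKCU keys itself (no source resiliency needed).
New-ActiveSetupEntry -Id 'MyApp' -ComponentId 'MyApp_CurrentUser' `
    -StubPath '"C:\Program Files\MyApp\Script.exe"' -Version '1,0,0,0'

# $true for any user who has not logged on since the entry was created (or since Version was raised)
Test-ActiveSetupPending -Id $productCode
```

Raising the Version value is therefore the supported way to re-run a stub for every user after an upgrade; deleting and recreating the HKLM key alone does nothing for users who already have the Id under HKCU.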

Method III

Windows Installer repair method

Typically the body of the script will be:

Check for the existence of a flag key under
HKCU\Software\Company Name\Applications\[ProductName]\[ProductVersion]
Installed=True

If the key exists then quit; else initiate the Windows Installer repair to populate the HKCU keys:

msiexec /fu {Product Code of the MSI} /q


Then create the registry key (basically a flag key, which can be any key your firm adopts):
HKCU\Software\XYZ*\Applications\[ProductName]\[ProductVersion]
Installed=True
End
* XYZ = name of the organization/company
And register this script EXE in HKLM\Software\Microsoft\Windows\CurrentVersion\Run so that it runs at every logon.

One should keep in mind that the p option can also be combined with u to repair (reinstall) files along with the user-specific profile data, with the following syntax:

msiexec /fup {Product Code of the MSI} /q
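The Method III script body, written out as an added PowerShell example (the article describes it in prose and does not ship a script). It checks the flag key, runs the Windows Installer repair for the logged-on user, and only writes the flag when msiexec reports success, so a failed repair is retried at the next logon instead of being silently marked done. Company name, product name, version and product code are constructed placeholders; the Run-key registration in the comment is assumed.

```powershell
# Added example, not from the article: Method III as a PowerShell script.
# Assumed registration under HKLM\Software\Microsoft\Windows\CurrentVersion\Run, e.g.
#   powershell.exe -NoProfile -ExecutionPolicy Bypass -File "C:\ProgramData\MyApp\Repair-UserKeys.ps1"
# All values below are constructed placeholders.

param(
    [string]$Company        = 'XYZ',                                    # placeholder organisation name
    [string]$ProductName    = 'MyApp',                                  # placeholder [ProductName]
    [string]$ProductVersion = '1.0.0',                                  # placeholder [ProductVersion]
    [string]$ProductCode    = '{00000000-0000-0000-0000-000000000000}', # placeholder MSI product code
    [switch]$RepairFiles                                                # use /fup instead of /fu
)

$flagKey = "HKCU:\Software\$Company\Applications\$ProductName\$ProductVersion"

function Test-UserKeysPopulated {
    # The flag key is the once-per-user marker; any key name the firm adopts works.
    $flag = Get-ItemProperty -Path $flagKey -Name 'Installed' -ErrorAction SilentlyContinue
    return ($null -ne $flag -and $flag.Installed -eq 'True')
}

function Invoke-UserKeyRepair {
    # /fu rewrites all required user-specific registry entries; /fup additionally
    # reinstalls missing files. It runs as the logged-on user, so it populates that user's HKCU.
    $mode = if ($RepairFiles) { '/fup' } else { '/fu' }
    $proc = Start-Process -FilePath "$env:SystemRoot\System32\msiexec.exe" `
        -ArgumentList @($mode, $ProductCode, '/q') -Wait -PassThru -WindowStyle Hidden
    return $proc.ExitCode
}

if (Test-UserKeysPopulated) {
    exit 0   # already done for this user: quit, as in the article's flow
}

$rc = Invoke-UserKeyRepair
# 0 = success, 3010 = success but a reboot was requested. On any other code the flag is
# deliberately NOT written, so the repair is attempted again at the next logon.
if ($rc -eq 0 -or $rc -eq 3010) {
    New-Item -Path $flagKey -Force | Out-Null
    New-ItemProperty -Path $flagKey -Name 'Installed' -Value 'True' -PropertyType String -Force | Out-Null
}
exit $rc
```

Because the flag lives under the product version, a new version of the package gets a fresh flag key automatically and the repair runs once more per user after an upgrade.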


Method IV

Silent empty EXE with a valid shortcut:

Create a silent empty EXE and an advertised shortcut to it, and place both in the application's [INSTALLDIR]. Use them as entry points to trigger healing that populates the HKCU keys.

Essentials – Access Director

Allowing a known user to elevate specific applications or tasks on demand

http://www.youtube.com/watch?v=-ZrL_rbqYlI

In the video we are logged on to a workstation as TestUser.
TestUser is not a member of the local Administrators group.
TestUser is a member of the custom-created local group Access Director.

When requesting local administrator access using the tray icon, it verifies that we are a known user that is a member of the local group Access Director. If we are a member of the local group, we are elevated for a predefined number of minutes (2 minutes in the example).

When elevated, we can click on any application and choose Run as Administrator; we will, as always, be prompted for our logged-on credentials, but this time the application runs with local administrator privileges.

When the timer hits 2 minutes, our administrator privileges expire.

This makes it possible to elevate ONLY when needed, without having to load the full profile with administrative privileges.

The tray icon does not require additional rights to run.
A local system service handles all requests.
All options are configurable through GPO and/or the registry.

Read more about latest additions at https://basic-bytes.com

Supported AV clients for SCEP to automatically uninstall

Endpoint Protection uninstalls the following antimalware software only:

  • Symantec AntiVirus Corporate Edition version 10
  • Symantec Endpoint Protection version 11
  • Symantec Endpoint Protection Small Business Edition version 12
  • McAfee VirusScan Enterprise version 8
  • Trend Micro OfficeScan
  • Microsoft Forefront Codename Stirling Beta 2
  • Microsoft Forefront Codename Stirling Beta 3
  • Microsoft Forefront Client Security v1
  • Microsoft Security Essentials v1
  • Microsoft Security Essentials 2010
  • Microsoft Forefront Endpoint Protection 2010
  • Microsoft Security Center Online v1

Download Windows Driver Kit for Windows 8.1

The Windows Driver Kit (WDK) includes the tools and documentation you need to develop drivers. Windows Driver Kit (WDK) 8.1 is integrated into Microsoft Visual Studio 2012 (Professional, Premium, and Ultimate) to provide you with a complete set of tools to develop, build, package, test, and debug drivers.

Direct Download Link: http://go.microsoft.com/fwlink/?LinkID=317353

Windows 8.1 RTM app samples

This sample pack includes all the app code examples developed and updated for Windows 8.1 RTM. These samples should only be used with the released version of Windows 8.1 and Visual Studio 2013 RC. The sample pack provides a convenient way to download all the samples at once. The samples in this sample pack are available in C#, C++, and JavaScript.

Direct download link: http://go.microsoft.com/fwlink/?LinkId=322042