I provide managed EPO services to multiple businesses and I also have dealt with large EPO installs. For me one big data point that I would find useful in EPO is to know the public IP of NAT’d devices, whether users are hiding behind a router on a large network or at a remote site, this information would help locate to some degree a device for sorting or investigation. One feature McAfee has provided within the agent is the ability to add custom properties (up to 4, why would you need more?) which can be set on the client and then periodically sent to the EPO server.

To update these custom properties you have a few options:

FrmInst.exe – Agent installer

Intiates the agent installer to reconfigure the agent, causes the agent to stop and would be noticeable by the user, however this is the recommended method by McAfee for  Windows.

Example: FrmInst.exe /CustomProps1=”Property 1″

msaconfig.exe – McAfee agent configuration

Accomplishes the same as the agent installer without disrupting the agent and is transparent to the user, my choice the setting custom properties.

Example: msaconfig -CustomProps1 “Property 1″

Registry modification

You can also create the registry keys necessary using your script and directly add the data required.

Varies based on OS/Agent version:

Create HKLM\SOFTWARE\Network Associates\ePolicy Orchestrator\Agent\CustomProps\

Add a string value with name CustomProps1 and set the value to whatever is needed

Regardless of method, once the value is set and the agent communicates back to the EPO server, you should see the value your script provided,

So, we now have the ability to use a script to update these custom property values but what next? Well if you have no easy way to deploy your script to update this value then this is all really pointless, luckily EPO has a couple easy ways to run your script remote on any system with an agent. Both ways require an executable, in my case I wrote some quick code and built it with visual studio as an executable. To get the public IP I called out to an external service such as whatismyIP or checkip.dyndns.com, converted the value they returned to a string and then used msaconfig to set one of the custom properties to this value.

Once you have the executable you can either register it with the EPO server and use a server task to deploy, or you can actually use agent policy to run an executable after updates occur on the client system. I prefer the later as I find this policy method easier to manage, I just reference a UNC path where the executable is located. The executable runs, updates the value and now I got the IP of the device a computer is hiding behind.

This is a very primitive method of finding this data however using the agent custom properties was the least painful method for the environments I deal with. Based on this example you can easily go and create other custom property values.

]]> http://www.jaredperry.ca/2011/10/mcafee-agent-custom-properties/feed/ 0 http://www.jaredperry.ca/2011/07/iptables-simplified/ http://www.jaredperry.ca/2011/07/iptables-simplified/#comments Mon, 11 Jul 2011 19:03:04 +0000 admin http://www.jaredperry.ca/?p=164 One common problem I come across when conducting vulnerability assessments is the lack of a host firewall or understanding on its configuration. IPTables is the standard firewall on most linux based OSes and once understood is a simple to configure and powerful packet filtering firewall. Often I see unnecessarily complex IPTables rules and the use of automated tools without fully understanding what they are doing. So, lets walk through IPTables and develop a simple set of base rules that could be used on pretty much any server.

IPTables is a packet filtering firewall based on ipfw and IPChains of the past. Pretty much every linux flavour has IPTables available, usually installed with a default ACCEPT everything and no particular ruleset. The simplest way to see what is being applied to a box is by using the command iptables -L, you should see something like this on most vanilla installs,

root@tank:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

If you do see some preexisting rules you can clear these out and start fresh by flushing these rules with iptables -F. (Don’t do this on production boxes or they maybe left exposed) Now we have a blank slate of IPTables default chains INPUT, FORWARD and OUTPUT all with a default policy of ACCEPT. This basically means that if a packet is processed either coming to, from or through (forwarded) the server and does not match any of our rules it will be allowed to proceed.

As we will be mainly dealing with filtering packets coming to the server, lets begin with the INPUT chain and a few basic rules. First of all we should put in some anti-spoofing rules so local loopback traffic can’t be spoofed by traffic coming in on external interfaces.

iptables -A INPUT -i lo -j ACCEPT

iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

We will also need to add a rule so that IPTables accepts traffic related to or part of an already established connection, this is one of the powerful features of IPTables in that it can track connections and associated packets.

iptables -A INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT

Now we can get into what we want to allow and this can vary based on the purpose of the server, for a web server you will probably want to allow ping ICMP traffic, web traffic on 80 and 443 and ssh (preferably on a different port then 22).

iptables -A INPUT -p icmp -m icmp –icmp-type 8 -j ACCEPT

iptables -A INPUT -p tcp -m state –state NEW –dport 22 -j ACCEPT

iptables -A INPUT -p tcp –dport 80 -j ACCEPT

iptables -A INPUT -p tcp –dport 443 -j ACCEPT

Now lets block everything else, set a rule to reject any packet that doesn’t match our other input rules and also change the default policy of the input chain to drop as a precaution.

iptables -A INPUT -j REJECT

iptables -P INPUT DROP

The FORWARD and OUTPUT chains may need some attention too however if your not forwarding packets through your server it should be set to drop, OUTPUT on the other hand is usually unrestricted.

iptables -A FORWARD -j DROP

iptables -P FORWARD DROP

iptables -A OUTPUT -j ACCEPT

This is our basic ruleset, now lets run iptables -L again,

root@tank:~# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  –  anywhere             anywhere
REJECT     all  –  anywhere             loopback/8          reject-with icmp-port-unreachable
ACCEPT     all  –  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp –  anywhere             anywhere            icmp echo-request
ACCEPT     tcp  –  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  –  anywhere             anywhere            tcp dpt:www
ACCEPT     tcp  –  anywhere             anywhere            tcp dpt:https
REJECT     all  –  anywhere             anywhere            reject-with icmp-port-unreachable

Chain FORWARD (policy DROP)
target     prot opt source               destination
DROP       all  –  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  –  anywhere             anywhere

Now that we have our rules we will need to make sure they are loaded at startup each time, this varies between OSes however for Debian,

Output the rules to a file using iptables-save > /etc/iptables.rules

Now edit /etc/networking/interfaces to load this file when bringing up the network interface, add pre-up iptables-restore < /etc/iptables.rules after iface lo inet loopback.

In my next post I will talk about logging and some more complex rules to protect your servers. Also, becareful when flushing your rules with iptables -F because this will now drop all your connections with a default policy of drop for INPUT.

If you use a corporate AV product, send samples to your vendor for malware that is not being detected. They will often come back with a custom update for your organization which can be pushed out to all installs on your network. Analyze firewall and system logs to see where the malware came from and what it is connecting to. This data can be fed into your firewall to block future connections and also can turn up other computers that may be infected.

A number of tools are now available to quickly analyze malware samples and give you the most information for little effort. Below are a few tools which I have found useful in analyzing different malware samples,

• Basic AV Data – VirusTotal
  • Super fast way to scan a file or URL against 40+ different AV engines, can help indicate if your AV vendor has detection for a file and to assist in finding further details based on what an AV detects a file as. Also provides lots of extended details and metadata that can be useful in determining the source of a file without having to setup a test environment to get this information.
  • Sample report of a EICAR test file http://bit.ly/h4zl0f
  • Can forward samples from email to scan@virustotal.com with subject SCAN.
• In-depth Analysis – Xandora & Anubis
  • More advanced tools, Panda offers Xandora as a free service to upload binaries for analysis. It generates a lot of useful data by running the malware in a VM. Outputs file/registry changes and network connections which can be extremely valuable in blocking emerging malware threats.
  • Sample report from Xandora of Palevo http://bit.ly/h1WRdy
  • Anubis is another free tool similar to Xandora, this tool not only shows network connections but provides you a pcap file.
  • Example report from Anubis http://bit.ly/g6aOsz
• Network Data Analysis – Cloudshark
  • Now you may have some network captures collected while analyzing your samples, Cloudshark offers a quick service to view these captures without having to fire up wireshark (not a replacement but is quick.)
  • Sample report from Cloudshark, http://bit.ly/ksLsaU
• Javascript/PDF/Flash – Wepawet
  • A lot of malware makes use of one of these vectors, Wepawet allows you to upload or provide a URL where all these vectors can be analyzed.
  • Really valuable in picking code out of PDFs and making sense of obfuscated Javascript code
  • Sample Report http://bit.ly/lsrn2N
• Malware Trackers - Zeus Tracker, SANS, MalwareGroup, Clean MX
  • Lots of great blacklists run by security professionals that can tell you if a computer is connecting out a known malware server, Zeus Tracker provides multiple malware lists and the creator actively works with service providers to blackhole or disconnect C&C networks. SANS also provides a list with multiple levels of sensitivity combining multiple sources such as Zeus Tracker.
  • MalwareGroup and CleanMX are correlation sites that analyze servers with automation and using a number of services listed in this post to analyze a servers contents and decide its reputation. Can be really useful in determining if a site is the source of a malware infection, both offer reports on downloadable files and run them through services such as VirusTotal.

This is not an exhaustive list by any means, however these are tools I found useful and have saved me a lot of time and pain.

Recently however I had noticed the community and project had started to become slightly neglected, and as well was catering mainly to a German audience. So I went out in search of alternatives, I discovered several solutions that seemed promising including Smoothwall and M0N0wall, but they were still lacking many of the features of IPCop. I then took a closer look at the IPCop community and discovered a branch off IPCop that was being updated, offering both commercial versions but as well keeping an open source version. The software was called Endian and I am now using the community version that took much of the IPCop base, updated it and included a new, slicker web interface.

Sample of features:

• Multiple Uplinks (Bonus if you have a backup ISP connection)
• Updated and slick web interface
• Same graphs as IPcop, showing system/network load, current connections, services, etc
• Easy DHCP management features
• Dynamic DNS integration
• ClamAV scanning of downloads
• Traffic Shaping
• Snort Integration
• NTop Integration
• Port forwarding and network partitioning
• SIP, HTTP, DNS Proxy with content filter
• OpenVPN integration, IPSec VPN support
• Lots of Logging options

Having SNORT/NTOP integrated makes troubleshooting issues simple, analyze the traffic and easily block problem traffic. Outbound firewall configuration is super easy as well for keeping certain users from using unsupported services such as bittorrent, just allow http/s with content filtering and you got a simple net nanny type setup.

Checkout Endian at http://www.endian.com/en/community/overview/

Powershell gives you an object oriented scripting language that allows for easy manipulation of data, for example where we are talking about getting device info, we can create a new WMI object that contains all the data about a computers BIOs very easily.

PS C:\Documents and Settings\sysjared> $objBIOS = get-wmiobject -class Win32_BIOS
PS C:\Documents and Settings\sysjared> $objBIOS

$strFilter = "(&(objectCategory=Computer))"
$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = $objDomain
$objSearcher.PageSize = 1000
$objSearcher.Filter = $strFilter
$objSearcher.SearchScope = "Subtree"
$computerObjects = $objSearcher.FindAll() | foreach {
    $name = [String]$_.Properties.cn
}
$name

After googling the error, I discovered a lot of people were having this issue and I also soon found the problem, Windows Media Player. I really can’t understand why Microsoft is infesting its media playing software into a fresh install of the OS. If you remember in the past WMP in a early leak of Windows 7 caused music files to be scanned and to have a small amount of data added to the beginning of these files, corrupting them. Now they have processes from this software, running and scanning your files even from a clean install without ever opening the program. Further they missed that it would cause difficulties with sysprep, and now I have to kill these processes or disable them from services, in order to get sysprep to function correctly.

Source: http://social.technet.microsoft.com/Forums/en-US/w7itproinstall/thread/8f5002e1-95b4-47bf-b031-4b72b3eb388a/

1. Install MySQL.NET 5.0.9, there is newer versions, but I choose 5.0.9 because it works with all my scripts.
   • http://dev.mysql.com/downloads/connector/net/5.0.html
2. If you are running a Powershell script as a task, you will need to change the execution policy in Powershell
   • Set-ExecutionPolicy unrestricted
3. On servers if you want to run a Powershell script from a network share without prompt, you will need to add the share to Internet Explorers trusted sites list, apparently IE policy effects file share script execution
4. You will need to now load the connector into your powershell script, first is for 32-bit windows, the second is for 64-bit version of windows
   • [void][system.reflection.Assembly]::LoadFrom(“C:\Program Files\MySQL\MySQL Connector Net 5.0.9\Binaries\.NET 2.0\MySQL.Data.dll”)
   • [void][system.reflection.Assembly]::LoadFrom(“C:\Program Files (x86)\MySQL\MySQL Connector Net 5.0.9\Binaries\.NET 2.0\MySQL.Data.dll”)
5. Now we will want to connect to our database
   • $dbconnect = New-Object MySql.Data.MySqlClient.MySqlConnection
   • $dbconnect.ConnectionString = “server=servername;user id=dbusername;password=dbpassword;database=dbname;pooling=false”
   • $dbconnect.Open()
6. Once we have connected, we can now create a MySQL command object, below is an example SQL command
   • $sql = New-Object MySql.Data.MySqlClient.MySqlCommand
   • $sql.Connection = $dbconnect
   • $sql.CommandText = “INSERT INTO computer_details (computer_id, mac, dhcp, model, domain, manufacturer, type, memory, ip, servicetag, lastimagedate, servicepack, os, biosrev, scriptversion, lastrun, ou) VALUES (‘$resultID’, ‘$macAddress’, ‘$dhcp’, ‘$model’, ‘$domain’, ‘$manufacturer’, ‘$systemType’, ‘$memory’, ‘$ipAddress’, ‘$servicetag’, NOW(), ‘$servicePack’, ‘$operatingSystem’, ‘$biosrev’, ‘$version’, NOW(), ‘$ou’ )”
   • $sql.ExecuteNonQuery()
   • $dbconnect.Close()

Using this example you can now easily collect data from your servers and insert it into a database. You can as well use any SQL statement you wish, including querying a database, and using Powershell to output/manipulate this data as needed. In future posts I will get into some examples of what I have done with powershell and mysql.

• Software RAID configuration
• Single server
• Heavy, high bandwidth load (Upwards of 200 active clients, and hundreds of thousands of active files)
• No backup/rescue scenarios
• Outdated OS (Running windows server 2003 storage edition, Dell customized, this became an issue as it could not be updated and was severely lacking, feature and performance wise)
• Reliability to the clients
• Capacity limitations (1 Terabyte total, with over 600 gigs in use)

To deal with these weaknesses, the whole file server setup needed to be revamped, while the existing setup ran in parallel. It was apparent that a new server was needed, Dell no longer supplied 745N PowerVault file servers, and were instead pushing expensive SAN systems, we wanted a low cost solution that had a great deal of redundancy and performance. So we looked at our existing server, and decided we would get the same server again, but where would be find the same model? Well ebay.

Ebay had a large listing of Dell 745N PowerVaults, all for under $1000, the server we finally choose had the fastest P4 possible 3.2ghz, 2 GB of ram,  4 x 250GB hard drives, and a hardware raid card (PERC 5\i). This solved one major problem, taking the raid management away from the OS and putting it on a dedicated RAID controller, as well we upgraded the RAM to 4GB, and increased hard drive space to 4 x 750GB. After receiving the server, we did the hardware upgrades, then came the next problem, what do we do with the old server 2003 storage edition OS? Well its 2008, and Microsoft had updated their OS, we wanted to use server 2008. However, if you have ever worked with a Dell PowerVault they lack a CD-ROM drive, and do not support any OS besides a USB installed version of server 2003. In the months before working on the storage issue, I was working with Windows Deployment, and utilizing its PXE boot feature, we could boot into a Vista PE environment. Then I copied the contents of our server 2008 installation disc onto a large flash drive, and from a command prompt I loaded up the setup.exe from the installation files. This is a fairly easy way to install modern versions of windows, you could even make a bootable usb drive to do the installation. Once into the installation wizard, I got as far as the disk configuration, then a road block, the raid setup was not detected. It took a while but we finally found the adaptec driver from a german Dell ftp. So now we had server 2008 installed, a machine with larger capacity then before, now 2 terabytes in hardware RAID 5.

After running our new server for a month, doing testing with the new OS, as well as load testing, we were ready for production. Then came the painful situation of moving all the data from the old file server to the new, without disruption. Using robocopy we copied each home directory, one by one, preserving the file attributes including time stamps, then updating each user AD object to the new server. Finally we moved the workgroups, and other miscellaneous files, leaving us with a fully operational file system, that was both up to date and redundant. Looking at our initial assessment we had crossed a lot off our list:

• Software RAID configuration
• Single server
• Heavy, high bandwidth load (Upwards of 200 active clients, and hundreds of thousands of active files)
• No backup/rescue scenarios
• Outdated OS (Running windows server 2003 storage edition, Dell customized, this became an issue as it could not be updated and was severely lacking, feature and performance wise)
• Reliability to the clients
• Capacity limitations (1 Terabyte total, with over 600 gigs in use)

Still, we had a few more items to accomplish, and with our offices being spread across a university, the idea of a multisite file system soon took root. To build this system, we needed to upgrade the old server, find a load balancing/file replication technology, and find an alternate location. In upgrading the old server, we added a hardware RAID card which was special ordered from Dell for a 745N, apparently they still have 5 year old RAID cards ready for order. As well we upgraded the RAM, hard drives, and fully cleaned the server to be  similar to the Ebay purchased 745N. Next we updated the OS to server 2008, using the same method, and placed it in our main IT support office building, in a storage room. At that point we had two servers with similar specs, configurations, and separate locations, so all we needed was a piece of software that works with Windows, and can handle file replication/load balancing.

The software we decided to go with, was something that I had worked with a year before, it was built into Windows, Distributed File System (DFS). DFS is the underlying technology that is already used to replicate data/files between domain controllers, and has been integrated into Windows server for quite sometime. In server 2003, DFS was not as feature full as I would have liked, but it did show promise, for that reason I was willing to give it another try in server 2008. After initial testing, I had concluded that DFS had made many steps forward since server 2003, it had an easier to understand setup, added namespace and replication group features. So using DFS, I configured a domain namespace for user directories, workgroups, and profiles, these namespaces mean that a client would connect to the following type of share and it would then take that user and connect them to the regionally closest file server, all transparently. Namespace links can be used the same as any share, and look like this:

• \\domainname\users$
• \\domainname\profiles$
• \\domainname\workgroupname

You can also use existing share names, which will act the same as a DFS namespace, pointing to one of the servers based on region, shares like:

• \\server1\users$
  • Points to which ever server is closest, or if no sites configured it will choose randomly:
    • Server1
    • Server2
• \\server2\users$

This made for a great setup, mainly if one server went offline, it would failover to the other server, and we can easily change or add new servers without changing the share name. With the shares taken care of, the next step before they could be enabled would be to replicate files so that they are the same on both servers, even if they are being constantly edited and opened. Using the file replication section of DFS, I separated each OU’s folders into replicating folders, and once completed we had a fully replicating group of servers. Of course there was issues, which are still being weeded out but they are minor, many include how some programs place locks on certain files. So far we have alleviated any issues quickly and they have not caused disruption.

In conclusion, if you are a small to medium sized organization, and are running an aging file system, you should consider looking at the options I have outlined. The older Dell Powervault line may seem out of date for modern operating systems, but in the correct setup they can work perfectly to quickly serve files, and can be stacked with cheap hard drives. When looking at storage systems, always have hardware RAID, and if possible have offsite backup or even multisite replication. Server 2008, is a necessary upgrade if you choose windows for your file systems, although it is based on Vista, it lacks the issues you encounter with that desktop OS. In future posts, I will get into further detail and provide greater instruction on configuring file systems.