Windows server 2003 and Windows XP – How to get remote system information

Posted by aidas | Posted in Tools, Windows 2003, Windows XP | Posted on 19-05-2009

If you are looking for a quick way to get information about a remote system, this how-to is for you. I present a network scanning tool – Winfingerprint. This tool is designed to gather information about Microsoft systems and applications. It can use RPC, ICMP, SMB, SNMP, TCP and UDP to obtain various information. You can quickly get information about the remote OS version, users, groups, SID, password policies, services, shares, disks and much more.

You can read more about this tool here.

The tool can be downloaded from this location.

Windows server 2003 and Windows XP – How to reset IP stack

Posted by aidas | Posted in Command line, Networking, Windows 2003, Windows XP | Posted on 18-05-2009

This post will show you how to reset the IP stack on your Windows Server 2003 or Windows XP machine. Let's say we want to reset the IP stack and write the log to the file C:\resetlog.txt. Note that the log file is not an optional parameter. To perform the reset, open a command line and type:

netsh int ip reset C:\resetlog.txt

Windows XP – How to run Network Diagnostics scan

Posted by aidas | Posted in Networking, Tools, Windows XP | Posted on 18-05-2009

This post will show you how to run a Network Diagnostics scan to test your network connectivity and troubleshoot related issues. I personally run this tool first thing every time I troubleshoot network-related issues on a client system. To run the scan, open a command line on your Windows XP machine and type:

netsh diag gui

In the “Network Diagnostics” window, select “Set scanning options” to set or unset the items that will be tested during the scan.

To start the scan, press the “Scan your system” button.

Windows server 2003 and Windows XP – How to reset Windows user password

Posted by aidas | Posted in Command line, Windows 2003, Windows XP | Posted on 18-05-2009

This post will show you how to change a Windows user password. Let's say we have a local user account “testuser” and want to change its password to Passw0rd.

1. COMMON WAY

Right-click “My Computer” and select “Manage” to open the Computer Management window. Expand “Local Users and Groups” and select “Users”. In the right pane, right-click the “testuser” user and select “Set Password…”

Click “Proceed” and type the new password twice as requested.

2. ADVANCED WAY

To change the password, open a command line and type:

net user testuser Passw0rd

To change the password without showing it on screen (you will be prompted to type it):

net user testuser *

Windows server 2003 and Windows XP – How to enable or disable Windows user

Posted by aidas | Posted in Command line, Windows 2003, Windows XP | Posted on 17-05-2009

This post will show you how to enable or disable a Windows user. Let's say we have a local user account “testuser” and we want to disable it.

1. COMMON WAY

Right-click “My Computer” and select “Manage” to open the Computer Management window. Expand “Local Users and Groups” and select “Users”. In the right pane, right-click the “testuser” user and select “Properties”. In the “testuser Properties” window, select the “General” tab.

To disable “testuser”, check “Account is disabled”, hit “OK” and you are done.

If you want to enable the “testuser” account, remove the check mark from “Account is disabled” and hit “OK”.

2. ADVANCED WAY

To disable the “testuser” account, open a command line on your Windows machine and type:

net user testuser /active:no

To enable the “testuser” account, type:

net user testuser /active:yes

Windows server 2003 and Windows XP – How to add windows user to group

Posted by aidas | Posted in Command line, Windows 2003, Windows XP | Posted on 17-05-2009

This post will show you how to add a local user to a group on your Windows machine. Let's say we want to add the local user account “testuser” to the group “Administrators”.

1. COMMON WAY

Right-click “My Computer” and select “Manage” to open the Computer Management window. Expand “Local Users and Groups” and select “Groups”. In the right pane, right-click “Administrators” and select “Properties”.

In the “Administrators Properties” window, click “Add…”. Type testuser and hit “Check Names” to verify that the user exists on the local system. Press “OK” and you are done!

2. ADVANCED WAY

To add “testuser” to the “Administrators” group, open a command line on your Windows machine and type:

net localgroup Administrators testuser /add

Windows server 2003 and Windows XP – How to create windows user

Posted by aidas | Posted in Command line, Windows 2003, Windows XP | Posted on 17-05-2009

This post will show you how to create a local user on your Windows machine. Let's say we want to create a local user account named “testuser” with the password “Passw0rd”.

1. SIMPLE WAY

Right-click “My Computer” and select “Manage” to open the Computer Management window. Expand “Local Users and Groups”, right-click “Users” and select “New User…”

In the “New User” window, enter this information:

User name: testuser
Password: Passw0rd
Confirm password: Passw0rd
Disable the “User must change password at next logon” option.

Click the “Create” button and you are done.

2. ADVANCED WAY

To create the local user account “testuser”, open a command line on your Windows computer and type:

net user testuser Passw0rd /ADD

Windows server 2003 and Windows XP/Vista – How to create invisible folder

Posted by aidas | Posted in Windows 2003, Windows Vista, Windows XP | Posted on 16-05-2009

We all know how to create a hidden folder by going into the folder properties and applying the “hidden” attribute. This post shows another way to create an invisible folder on your Windows system. To do it, right-click in the desired location (the desktop, for example) and choose New > Folder. Hold ALT and type 255 as the name. Release the ALT key. OK, now we have an unnamed folder.

To make it invisible, right-click it and choose Properties. Open the “Customize” tab and select “Change Icon…”. Select the blank icon from the list.

Click OK and then click “Apply”. Hm… where is it?

Windows server 2003 and Windows XP – How to control remote command line

Posted by aidas | Posted in Command line, Tools, Windows 2003, Windows XP | Posted on 16-05-2009

This post will show you how to get control of a remote command line using psexec. Psexec is part of “pstools”, written by Mark Russinovich, and can be downloaded here. Let's say we want to connect to a server named “testserver” and get control of its command line. To do it, open a command line on your Windows Server 2003 machine and type:

psexec \\testserver cmd


Windows server 2003 – How to build IPsec policy rule via command line

Posted by aidas | Posted in Command line, Networking, Windows 2003 | Posted on 15-05-2009

This post will show you how to build an IPsec policy rule using the command line on your Windows Server 2003.

Let's say we want to block TCP port 80 to make internal web sites inaccessible. First of all we need to create an IPsec policy. To do it, open a command line and type:

netsh ipsec static add policy name="Block TCP port 80" description="Block any internal web sites"

The next step is to create a filter for the newly created policy. To create it, type:

netsh ipsec static add filter filterlist="80 TCP" srcaddr=any srcport=0 dstaddr=me dstport=80 protocol=tcp mirrored=yes

srcaddr – source address
srcport – source port
dstaddr – destination address
dstport – destination port

Next, let's create a filter action to block traffic. To do it, type:

netsh ipsec static add filteraction name=block action=block

Now we have all the components needed to build the IPsec policy rule: policy, filter and filter action. To build the policy rule, type:

netsh ipsec static add rule name="Block TCP 80" policy="Block TCP port 80" filterlist="80 TCP" filteraction="block"

The last step is to activate the newly created rule. To do it, type:

netsh ipsec static set policy name="Block TCP port 80" assign=y

Windows server 2003 and Windows XP – How to clean infected computer

Posted by aidas | Posted in Windows 2003, Windows XP | Posted on 15-05-2009

Have you noticed that your Windows server or Windows XP machine is acting strange recently? Laggy system? Strange warnings? Services gone wild? It is possible that an infection is ruining your day. This post will guide you through the basic steps to prevent an infection, or to deal with one if it is too late.

PREVENTION

* Keep up to date *

The first thing you must do to guard your Windows server is keep it updated! Make sure you have the latest service pack and security updates for your server. Updates can be downloaded directly from Windows Update (manually or on a schedule) or through your WSUS (Windows Server Update Services) server. You can get more information about WSUS here. Keep it up to date and the chance of getting infected or hacked will decrease significantly.

* Access control *

Do you know who can access your server, when, and with what permissions? Make that kind of list and set up logging for these users. Keep your server in a secured room with access limited to authorized personnel only.

* Install Antivirus software *

To guard your server against possible threats you need decent antivirus software. There are many antivirus products on the market and it can be hard to choose the best one. Let's talk straight… There is no really good free antivirus that can handle most infections and has a great background auto-scanning engine and all the other features needed for normal server protection. I can suggest Symantec and AVG products. But you must do research on your own and choose the product that suits you.

* Firewall is a must *

I guess there is no need to keep all 65535 ports open on your server. Make a list of the ports you'll need to access and block the unneeded ones with your firewall. It can be a hardware firewall or a software product. Personally I am using IPsec to block unwanted traffic to and from my servers. Note that the built-in Windows Server 2003 firewall can control only incoming traffic. Also keep your firewall logging to see what possible threats you are dealing with.

* Monitoring *

Monitor your server. If you are equipped with an intelligent monitoring solution you can see changes in server behavior very quickly. Personally I use Nagios and Microsoft Operations Manager to monitor my servers: Nagios for the front line and MOM for more comprehensive monitoring.

*******************************************************************************************************************************

CLEAN INFECTION

If your server is infected follow these steps to clear it:

* Access to antivirus and update websites *

First of all, check whether you can access antivirus vendor (Symantec, Panda, etc.) and Windows Update websites. One symptom of infection is blocked antivirus vendor websites and an inaccessible Windows Update site.

* Try to update your system *

If the update website or WSUS is accessible, try to update your system to install the latest service packs and security updates.

* Disable network connection *

The source of infection may be another infected computer on the network. In any case it is highly recommended to stay offline until the infection is purged from your server.

* Run Full Antivirus/Antispyware scan *

If you have antivirus software installed on the infected server, it seems that it was a bad choice. Anyway, start a full scan on the infected system.

I would also recommend getting another antivirus product with up-to-date databases, if possible, and running it on the infected system.

If your server is in really bad shape, new antivirus installations are impossible and the old antivirus can't be started, create a bootable antivirus CD with the latest updates and boot your server from it to clear the infection.

* Check Start Up programs *

You must check the locations where programs are set to start automatically after a server reboot for infected executables, and delete them if the antivirus software can't manage it.

Open the registry editor and check these locations:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Check whether the right pane shows any unknown executables that must be prevented from starting. You can look an executable up by typing its name into Google from another computer.

To check another popular place, open Start > Run, type msconfig and press OK. Select the “Startup” tab and review the executables once more.

To simplify this hunt for infected startup entries you can use a nice tool named “Autoruns”. It will help you to see all startup locations at once. The tool can be downloaded from here.
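
The review of Run and RunOnce entries described above can also be done away from the infected server, by saving the output of reg query for those keys and checking it on a clean machine. The following Python script is an added example, not part of the original post; the sample output, the baseline of known-good entries and the list of risky directories are constructed assumptions.

```python
import re
# Constructed sample: `reg query` output for the Run key, saved on the suspect server.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ccApp    REG_SZ    "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    IMJPMIG8.1    REG_SZ    C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef
    svch0st    REG_SZ    C:\Documents and Settings\testuser\Local Settings\Temp\svch0st.exe -q
    updater    REG_SZ    C:\WINDOWS\system32\updater32.exe
"""
# Assumption: baseline (value name -> command) recorded while the server was clean.
BASELINE = {
    "ccapp": r'"c:\program files\common files\symantec shared\ccapp.exe"',
    "imjpmig8.1": r"c:\windows\ime\imjp8_1\imjpmig.exe /spoil /remadvdef",
}
RISKY_DIRS = ("\\temp\\", "\\local settings\\", "\\application data\\")  # assumed list
ENTRY = re.compile(r"^\s+(?P<name>.+?)\s+REG_\w+\s*(?P<data>.*)$")
EXE = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|com|bat|cmd|scr|pif))(?=\s|$)', re.I)

def parse_reg_query(text):
    """Yield (value name, data) for every value line in `reg query` output."""
    for m in map(ENTRY.match, text.splitlines()):
        if m:
            yield m["name"], m["data"].strip()

def image_path(data):
    """Return the executable part of a Run command line, lower-cased."""
    m = EXE.match(data)
    path = (m.group(1) or m.group(2)) if m else (data.split() or [""])[0]
    return path.lower()

def triage(text, baseline=BASELINE):
    """List (name, path, reasons) for entries that need a closer look."""
    findings = []
    for name, data in parse_reg_query(text):
        reasons = []
        known = baseline.get(name.lower())
        if known is None:
            reasons.append("not in baseline")
        elif known != data.lower():
            reasons.append("command changed")
        path = image_path(data)
        if any(d in path for d in RISKY_DIRS):
            reasons.append("runs from user-writable directory")
        if reasons:
            findings.append((name, path, reasons))
    return findings

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

Entries that match the baseline are left out of the result, so only new, changed or oddly located startup commands remain to be looked up by name.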

* Run virus removal tool *

If you managed to identify the infection's name, download a removal tool using another computer (we are offline, remember?) and run it to make sure that the infection was completely removed. The tool's download location can be found by googling “<infection name> removal tool”.

* Update your system! *

If you are still missing any security updates, hurry and update your system before the infection strikes back. Get the missing updates and install them on the infected server.

* Install new antivirus software *

* Review access permissions *

* Configure firewall rules *

* Back online! *

And… KEEP IT CLEAN !

Windows server 2003 and Windows XP – How to set service account password via command line

Posted by aidas | Posted in Command line, Windows 2003, Windows XP | Posted on 15-05-2009

This post will show you how to notify Windows about a service account password change using the command line.

Let's say we have a service named “Symantec Antivirus” and it runs as a local user account named “testuser” (Log On As). For security purposes we changed the password for this user to “NewPassword”. To notify “Symantec Antivirus” that the password for its service account was changed, open a command line and type:

sc config "Symantec Antivirus" password= NewPassword

Note that there is a space between the equals sign and the password value.