IPSec with Windows

IPSec with Windows XP/2003 can be very useful and is underutilised; here are just some examples of what you can do:

  1. Block specific protocols and ports
  2. Create secure internal connections between specific Windows hosts
  3. Implement Server and Domain Isolation
  4. Proxy IPSec traffic to non-Windows boxes with ISA server

Blocking specific protocols or ports.
Why would you want to do this when you can use Windows firewall or a 3rd party firewall?

  1. If you have a Windows 2000 machine you can use IPSec rules to block protocols and ports just like a firewall.
  2. You can create outbound rules, which cannot be done with the Windows firewall.
  3. You cannot control 3rd party firewalls with Group Policy.

Creating rules:
Block inbound access to TCP port 80 but allow outbound TCP 80.
IPSeccmd.exe -w REG -p "Block TCP 80 Filter" -r "Block Inbound TCP 80 Rule" -f *=0:80:TCP -n BLOCK -x
See Microsoft KB 813878 for more specific examples.
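The same "block inbound TCP 80, leave outbound TCP 80 alone" policy built step by step with the netsh ipsec static context instead of ipseccmd, as an added example that is not from the original post. It assumes Windows XP SP2 / Server 2003 (where that netsh context exists) and an administrator command prompt; the policy, filter list, action and rule names are made up for the example.

```batch
@echo off
REM Added example: inbound TCP 80 block as an IPSec policy via netsh ipsec static.
REM Assumed platform: Windows XP SP2 / Server 2003, run as an administrator.
REM The names below are arbitrary labels chosen for this example.

set POLICY=Block TCP 80 Policy
set FLIST=Inbound TCP 80 Filter List

REM 1. The policy is the container that gets assigned to the machine.
netsh ipsec static add policy name="%POLICY%" description="Blocks inbound TCP 80 only"

REM 2. One-way filter: any source address -> this host (me), destination port 80/TCP.
REM    mirrored=no keeps it one-way (the "=" in ipseccmd's *=0:80:TCP), so nothing
REM    this host sends out, including its own web browsing to port 80, is matched.
netsh ipsec static add filterlist name="%FLIST%"
netsh ipsec static add filter filterlist="%FLIST%" srcaddr=any dstaddr=me dstport=80 protocol=tcp mirrored=no description="Any to me TCP 80"

REM 3. A block action, and a rule tying the filter list and the action into the policy.
netsh ipsec static add filteraction name="Block Action" action=block
netsh ipsec static add rule name="Block Inbound TCP 80 Rule" policy="%POLICY%" filterlist="%FLIST%" filteraction="Block Action"

REM 4. Assign (activate) the policy; this is what the -x switch of ipseccmd does.
netsh ipsec static set policy name="%POLICY%" assign=y

REM 5. Verify: the static store shows the policy as defined, the dynamic
REM    context shows what is actually in force on the host right now.
netsh ipsec static show policy name="%POLICY%" level=verbose
netsh ipsec dynamic show all

REM Rollback, when needed (unassign first, then remove the objects):
REM   netsh ipsec static set policy name="%POLICY%" assign=n
REM   netsh ipsec static delete policy name="%POLICY%"
```

Because IPSec policy is applied below the application layer, a quick telnet to port 80 from another host is the simplest end-to-end check that the block is in force.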

Further reading and reference:

Juniper/Netscreen Snoop function

Juniper/Netscreen devices have a built in packet sniffer named Snoop.
Snoop dumps the contents of packets into the debug memory buffer (dbuf), the same as debug.

Snoop Commands to use:
snoop ; Starts snoop
snoop detail ; Full packet logging
get dbuf stream ; Displays output to screen

More details from the Juniper website and these two articles:
What options are available when configuring snoop
How do you use Snoop for troubleshooting

Windows Command Line Tools

Windows XP/2003/Vista/Longhorn (2008) command line utilities are (IMHO) neglected by most IT professionals, mostly because everyone is used to the GUI. *nix/BSD people live in the command shell. Listed below are some old trusty commands from the DOS days which still work today in Vista, together with some new and updated tools.

Useful commands (see each command's syntax help for full details):
FC – compares files
fc file1 file2 ; Compares file1 to file2
GETMAC – gets the MAC address of the computer's NIC or adapter
getmac /v ; Provides the MAC address in verbose mode
getmac /S computer1 /FO list /v ; Provides the MAC address of a remote computer named computer1 and formats the output as a verbose list
SFC – system file checker, scans all system files and replaces incorrect versions
sfc /scannow ; Scans all protected system files immediately
SUBST – Associates a path with a drive letter.
subst u: c:\myfolder\mysubfolder\data ; Drive letter U: will now list the contents of c:\myfolder\mysubfolder\data
SYSTEMINFO – Displays operating system configuration information.
systeminfo /FO list ; Displays the information in list format
systeminfo /FO list > c:\temp\mysys.txt ; Redirects the information to a text file named mysys.txt
TASKLIST – Displays a list of currently running processes on either a local or remote machine.
tasklist /FO table /V ; Lists all running tasks and formats the output as a table
TASKKILL – Terminates tasks by PID or image name.
taskkill /IM notepad.exe ; Will terminate notepad.exe
taskkill /PID 3493 ; Will terminate process ID 3493 (which could be calc.exe; use tasklist to find the PID)
TREE – Displays the folder structure of a drive or path.
tree d:\myfolders /F ; Displays the folder structure and the files within

NETSH commands: (deserves its own section)
NETSH is one of the most powerful command line utilities! The only thing with greater power and flexibility is the new PowerShell. NETSH as far as I know started with Windows XP and Server 2003, however I've noticed that in Vista/Longhorn some commands have been removed and others added. Here are just a few examples of what I use it for:
netsh firewall show state ; Displays the current state of the Windows firewall
netsh interface ip show config ; The same as IPCONFIG; in Vista it's ipv4 instead of ip
netsh -c interface dump > c:\lanconfig.txt ; Dumps the LAN config including IP, GW, DNS
netsh -f c:\lanconfig.txt ; Imports the configuration from above. Handy if you need to change IP settings on a static network without DHCP etc.
Create a script with netsh commands to change your IP and firewall settings:
This script will change the IP, Gateway and DNS settings and turn off the firewall for testing.
ECHO Setting IP Address Please Wait...
netsh int ip set address "Local Area Connection" static 1
ECHO Setting DNS Please Wait...
netsh int ip set dns "Local Area Connection" static
ECHO All addresses Set...
ECHO Now I'm going to turn off the Firewall for testing...
netsh firewall set opmode disable
ECHO Firewall is off... BE CAREFUL!!!
This script will change the NIC settings back to DHCP and turn the firewall back on.
ECHO Resetting IP Address to DHCP Please Wait...
netsh int ip set address "Local Area Connection" dhcp
ECHO Resetting WINS to DHCP Please Wait...
netsh int ip set wins "Local Area Connection" dhcp
ECHO Resetting DNS to DHCP Please Wait...
netsh int ip set dns "Local Area Connection" dhcp
ECHO All addresses reset to DHCP
ECHO Turning on Firewall...
netsh firewall set opmode mode = enable exceptions = disable
ECHO Firewall ON, we are ready for normal operation.. Bye!

Bitlocker Drive Encryption with Vista

Windows Vista Enterprise and Ultimate editions ship with a complete hard drive encryption utility named "Bitlocker" which is ideal for laptops! In addition you could use it for other computers that have a higher risk rating, e.g. computers that are more susceptible to theft due to their geographical location within an office (reception). Then again, there should be no data on a computer in the reception area 🙂

My Laptop has been configured with Bitlocker and I really don’t see any apparent performance hit. However it does take a long time to setup and/or to decrypt if you want to turn it off.

BitLocker Drive Encryption Technical Overview
FAQ Page
Step-by-step guide

Techrepublic step-by-step article

Takeown utility

Takeown is a utility that has been around for a while and is now standard in Windows Server 2003 and Vista. Takeown allows you to take ownership of files and folders from the command line, so you can script it!

Basic examples:
To take ownership of a file
takeown /f c:\myfile

To take ownership of a folder
takeown /f c:\myfolder /r

Syntax switches:

TAKEOWN [/S system [/U username [/P [password]]]] /F filename [/A] [/R [/D prompt]]

This tool allows an administrator to recover access to a file that was denied by re-assigning file ownership.

Parameter List:
/S system Specifies the remote system to connect to.

/U [domain\]user Specifies the user context under which the command should execute.

/P [password] Specifies the password for the given user context. Prompts for input if omitted.

/F filename Specifies the filename or directory name pattern. Wildcard "*" can be used to specify the pattern. Allows sharename\filename.

/A Gives ownership to the administrators group instead of the current user.

/R Recurse: instructs tool to operate on files in specified directory and all subdirectories.

/D prompt Default answer used when the current user does not have the "list folder" permission on a directory. This occurs while operating recursively (/R) on sub-directories. Valid values: "Y" to take ownership or "N" to skip.

/? Displays this help message.

NOTE: 1) If /A is not specified, file ownership will be given to the current logged on user.

2) Mixed patterns using "?" and "*" are not supported.

3) /D is used to suppress the confirmation prompt.

TAKEOWN /F lostfile
TAKEOWN /F \\system\share\lostfile /A
TAKEOWN /F directory /R /D N
TAKEOWN /F directory /R /A
TAKEOWN /F C:\Windows\System32\acme.exe
TAKEOWN /F %windir%\*.txt
TAKEOWN /S system /F MyShare\Acme*.doc
TAKEOWN /S system /U user /F MyShare\foo.dll
TAKEOWN /S system /U domain\user /P password /F share\filename
TAKEOWN /S system /U user /P password /F Doc\Report.doc /A
TAKEOWN /S system /U user /P password /F Myshare\*
TAKEOWN /S system /U user /P password /F Home\Logon /R
TAKEOWN /S system /U user /P password /F Myshare\directory /R /A

Reference Sites:
Microsoft Technet
Windows IT Pro