These tips are from the book Windows Server Hacks by Mitch Tulloch (O'Reilly Media, ISBN: 0-596-00647-0, 2004). Hack 12 deals with getting event log information. Hack 77 presents answers to common security-related FAQs, and Hack 98 talks about the Automated System Recovery (ASR), a new feature of Windows Server 2003 that makes recovering from a disaster a whole lot easier.
Contributed by O'Reilly Media, June 14, 2004
Windows Server Hacks 12: Get Event Log Information
Need to check on the size and configuration settings of your event logs? Use this script instead of the GUI; it’s faster!
Monitoring event logs is an essential part of an administrator’s job. Unfortunately, viewing event log settings and log file sizes from the GUI is cumbersome, and it would be useful to have an easier way to obtain this information.
That’s exactly what this hack is all about. You can run the script on Windows NT/2000 and later to obtain the current file size, maximum file size, and number of records, and you can overwrite settings on the Application, System, and Security logs.
The Code
Type the following script into Notepad (make sure Word Wrap is disabled) and save it with a .vbs extension as loginfo.vbs. Or, if you like, you can download the script from the O’Reilly web site.
Option Explicit
On Error Resume Next

Dim strMoniker
Dim refWMI
Dim colEventLogs
Dim refEventLog
Dim strSource

'moniker string stub - security privilege needed to get
'numrecords for Security log
strMoniker = "winMgmts:{(Security)}!"

'append to moniker string if a machine name has been given
If WScript.Arguments.Count = 1 Then _
    strMoniker = strMoniker & "\\" & WScript.Arguments(0) & ":"

'attempt to connect to WMI
Set refWMI = GetObject(strMoniker)
If Err <> 0 Then
    WScript.Echo "Could not connect to the WMI service."
    WScript.Quit
End If

'get a collection of Win32_NTEventLogFile objects
Set colEventLogs = refWMI.InstancesOf("Win32_NTEventLogFile")
If Err <> 0 Then
    WScript.Echo "Could not retrieve Event Log objects"
    WScript.Quit
End If

'iterate through each log and output information
For Each refEventLog In colEventLogs
    WScript.Echo "Information for the " & _
        refEventLog.LogfileName & _
        " log:"
    WScript.Echo "  Current file size: " & refEventLog.FileSize
    WScript.Echo "  Maximum file size: " & refEventLog.MaxFileSize
    WScript.Echo "  The Log currently contains " & _
        refEventLog.NumberOfRecords & " records"

    'output policy info in a friendly format using OverwriteOutDated,
    'as OverWritePolicy is utterly pointless.
    'note "-1" is the signed interpretation of 4294967295
    Select Case refEventLog.OverwriteOutDated
        Case 0
            WScript.Echo _
                "  Log entries may be overwritten as required"
        Case -1
            WScript.Echo _
                "  Log entries may NEVER be overwritten"
        Case Else
            WScript.Echo _
                "  Log entries may be overwritten after " & _
                refEventLog.OverwriteOutDated & " days"
    End Select

    'blank line between the output for each log
    WScript.Echo
Next

Set refEventLog = Nothing
Set colEventLogs = Nothing
Set refWMI = Nothing
Running the Hack
To run the script, use Cscript.exe, the command-line version of the Windows Script Host (WSH). Simply type cscript loginfo.vbs at a command prompt from the directory in which the script resides. Here is a sample of typical output when the script runs on a Windows 2000 machine:
C:\> cscript loginfo.vbs
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

Information for the Security log:
  Current file size: 65536
  Maximum file size: 524288
  The Log currently contains 166 records
  Log entries may be overwritten after 7 days

Information for the Application log:
  Current file size: 524288
  Maximum file size: 524288
  The Log currently contains 2648 records
  Log entries may be overwritten as required

Information for the System log:
  Current file size: 524288
  Maximum file size: 524288
  The Log currently contains 2648 records
  Log entries may be overwritten after 7 days
Note that when you run this script on a domain controller, it displays information concerning the Directory Service, File Replication Service, and DNS logs as well.
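The same Win32_NTEventLogFile query in PowerShell, as an added example that is not the book's code: it reports what loginfo.vbs reports and additionally flags a Security log whose maximum size is below an assumed floor, or any log that is nearly full under a policy that cannot overwrite (such a log silently drops new events). It assumes PowerShell 3.0 or later for Get-CimInstance and an elevated session; the function name and both thresholds are assumptions.

```powershell
# Added example, not from the book: PowerShell equivalent of loginfo.vbs with a
# retention check. Thresholds are assumptions; adjust them to your own policy.
function Get-EventLogSettings {
    param(
        [string]$ComputerName = '',      # empty = local machine (remote goes over WinRM)
        [int]$MinSecurityLogMB = 64,     # assumed floor for the Security log's maximum size
        [int]$FullWarningPercent = 90    # warn when a non-overwriting log is this full
    )
    # Same WMI class the VBScript uses; run elevated so the Security log's
    # record count is readable (the script requests this via {(Security)}).
    $cim = @{ ClassName = 'Win32_NTEventLogFile' }
    if ($ComputerName) { $cim.ComputerName = $ComputerName }
    $logs = Get-CimInstance @cim

    foreach ($log in $logs) {
        # OverwriteOutDated: 0 = overwrite as required, 4294967295 (the -1 the VBScript
        # tests for) = never overwrite, anything else = overwrite entries older than N days.
        $policy = switch ($log.OverwriteOutDated) {
            0          { 'overwrite as required' }
            4294967295 { 'never overwrite' }
            default    { "overwrite after $($log.OverwriteOutDated) days" }
        }
        $pct = if ($log.MaxFileSize -gt 0) {
            [math]::Round(100 * $log.FileSize / $log.MaxFileSize, 1)
        } else { 0 }

        $warnings = @()
        if ($log.LogfileName -eq 'Security' -and $log.MaxFileSize -lt $MinSecurityLogMB * 1MB) {
            $warnings += "Security log maximum is $([int]($log.MaxFileSize / 1MB)) MB, below $MinSecurityLogMB MB"
        }
        if ($log.OverwriteOutDated -ne 0 -and $pct -ge $FullWarningPercent) {
            # A log that may not overwrite (never, or not for N days) drops new events once full.
            $warnings += "$pct% full with policy '$policy'; new events may be lost"
        }

        [pscustomobject]@{
            Computer    = $log.CSName
            Log         = $log.LogfileName
            FileSizeKB  = [int]($log.FileSize / 1KB)
            MaxSizeKB   = [int]($log.MaxFileSize / 1KB)
            Records     = $log.NumberOfRecords
            Policy      = $policy
            PercentFull = $pct
            Warnings    = ($warnings -join '; ')
        }
    }
}

Get-EventLogSettings | Format-Table -AutoSize
```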
—Rod Trent
If you've enjoyed what you've seen here, or to get more information, click on the "Buy the book!" graphic. Pick up a copy today!
Rod Trent, CEO of myITforum.com, shares his answers to common security questions.
"At myITforum.com (http://www.myitforum.com), we often get questions regarding general network-security issues, and I try to answer them in the form of a Security FAQ. Here’s a short selection of the most common questions we receive along with my responses. You can find more security tips at myITforum.com."
Steps to Computer Security
Q: What can I do to make sure my computer is secure?
A: It depends on whether you are a consumer or a business.
Consumers. Consumers should start by using an Internet firewall on all PCs and laptops. An Internet firewall can help prevent outsiders from getting to your computer through the Internet. If you use Windows XP, enable the built-in firewall feature on that platform. You should also update your computer regularly, either by using the Automatic Updates feature or by regularly visiting the Windows Update web site to download the latest Microsoft security updates. Also, make sure your antivirus software is up-to-date; installing, configuring and maintaining your antivirus software is absolutely essential.
Businesses. Businesses should follow a similar but more involved procedure. Start by verifying the configuration of your firewalls for both Internet and intranet. By auditing your firewall configurations, you ensure they comply with your company’s security policy. Firewalls are your first line of defense, and best practice requires blocking all ports that are not actually being used by applications on your network. Businesses should also protect their networks by requiring employees to follow the precautions outlined by Microsoft (http://www.microsoft.com/protect/) on both their home PCs and laptops, especially if they use these machines to connect to your enterprise. PCs and laptops that VPN or RAS into your network must be protected by a properly configured firewall.
Businesses must also keep their systems up-to-date with the latest security patches from Microsoft. To do so, subscribe to Microsoft’s free security notification service and use Microsoft update services to automatically obtain patches for your network; see “Microsoft Security Tools” [Hack #78] (in the book) for more information. Finally, businesses should invest in antivirus software, because such protection is absolutely essential for keeping sensitive business data safe from attackers.
Vulnerability Types
Q: What are the vulnerability types that I need to monitor against?
A: There are three basic types of vulnerability:
Administrative vulnerability: The failure to observe administrative best practices, such as using a weak password or logging onto an account that has more user rights than the user requires to perform a specific task.
Product vulnerability: A security-related bug in a product that is addressed by a security bulletin/hotfix or a service pack.
Physical vulnerability: The failure to provide physical security for a computer. Physical vulnerability can include leaving an unlocked workstation running in an area that is accessible to unauthorized users, leaving a server room unlocked or open, or losing a laptop or leaving it at a customer site.
Strong Password Policy
Q: What is the best practice to follow when creating policies for user passwords?
A: Each company’s security-level needs are different, but in general, strong passwords should be at least six characters long, should not contain all or part of the user’s account name, and should contain at least three of the four following categories of characters: uppercase letters, lowercase letters, Base 10 digits, and nonalphanumeric symbols found on the keyboard, such as !, @, and #.
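An added example, not from the book or the FAQ, that checks a candidate password against exactly the rule stated above. The function name, the three-character minimum for account-name fragments and the sample inputs are assumptions.

```powershell
# Added example, not from the book or the FAQ: checks a candidate password against the
# policy above (at least six characters, no part of the account name, and at least
# three of the four character classes). Function name and the fragment minimum are assumed.
function Test-PasswordPolicy {
    param(
        [Parameter(Mandatory)][string]$Password,
        [Parameter(Mandatory)][string]$AccountName,
        [int]$MinimumLength = 6,         # the FAQ's floor; raise it for your own policy
        [int]$MinimumFragmentLength = 3  # assumed: ignore shorter account-name fragments
    )
    $failures = @()

    if ($Password.Length -lt $MinimumLength) {
        $failures += "shorter than $MinimumLength characters"
    }

    # "all or part of the user's account name": compare case-insensitively against the
    # whole name and against each fragment split on common delimiters.
    $fragments = @($AccountName) + @($AccountName -split '[ ,.\-_]+' |
        Where-Object { $_.Length -ge $MinimumFragmentLength })
    foreach ($f in $fragments) {
        if ($Password.IndexOf($f, [System.StringComparison]::OrdinalIgnoreCase) -ge 0) {
            $failures += "contains account name fragment '$f'"
            break
        }
    }

    # Count character classes; -cmatch is case-sensitive, plain -match is not.
    $classes = 0
    if ($Password -cmatch '[A-Z]') { $classes++ }
    if ($Password -cmatch '[a-z]') { $classes++ }
    if ($Password -match '[0-9]') { $classes++ }
    if ($Password -match '[^A-Za-z0-9]') { $classes++ }
    if ($classes -lt 3) {
        $failures += "uses only $classes of the 4 character classes"
    }

    # Never echo the password itself; report its length only.
    [pscustomobject]@{
        Length    = $Password.Length
        Compliant = ($failures.Count -eq 0)
        Failures  = ($failures -join '; ')
    }
}

# Constructed sample inputs covering each rule.
Test-PasswordPolicy -Password 'Summer2004'  -AccountName 'jsmith'   # meets all three rules
Test-PasswordPolicy -Password 'jSmith!2004' -AccountName 'j.smith'  # reuses the name fragment after the dot
Test-PasswordPolicy -Password 'password'    -AccountName 'jsmith'   # lowercase letters only
```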
How Microsoft Handles Security
Q: Is there any documentation on how Microsoft handles security against worms and viruses?
A: Yes. Microsoft has released a “Security at Microsoft” white paper on how they handle security issues (http://www.microsoft.com/downloads/details.aspx?FamilyID=73f1ba8e-a15c-4c05-be87-8d21b1372485). This paper describes what Microsoft’s Corporate Security Group does to prevent malicious or unauthorized use of digital assets at Microsoft. This asset protection takes place through a formal risk-management framework, risk-management processes, and clear organizational roles and responsibilities. The basis of the approach is recognition that risk is an inherent part of any environment and that risk should be proactively managed. The principles and techniques described in Microsoft’s white paper can be employed to manage risk at any organization.
Reporting Security Incidents to Microsoft
Q: How can I report a security incident or vulnerability to Microsoft?
Reporting Security Incidents to Government Authorities
Q: We’ve just had a security incident. Who can I call to report it?
A: The FBI encourages the public to report any suspected violations of U.S. federal law. Never think that your security incident is insignificant. Your incident might be part of a larger attack or the beginning of a larger attack. You can find your local FBI Field Division information at http://www.fbi.gov/contact/fo/fo.htm.
Getting Government Security Clearance
Q: How can you apply for security clearance for a government job?
A: In our daily newsletter at myITforum.com (http://www.myitforum.com/newsletter.asp), we sometimes post open positions for jobs in the government sector that require special security clearance before applying. Several folks have wondered what it takes to get the security clearance, and a list of good tidbits of information was posted to the myITforum.com Off-Topic list (http://www.topica.com/lists/myOTforum/). Here are some additional places you can find information on government security clearance:
Automated System Recovery (ASR) is a new feature of Windows Server 2003 that makes recovering from a disaster a whole lot easier.
Rebuilding a server after a disaster is generally not a trivial task. The process usually involves reinstalling Windows from scratch, reconfiguring disk partitions to the exact configuration they had before the failure, and then restoring the system volumes, boot volumes, and all your data volumes. The process is not especially complicated, but it takes a considerable amount of time to do it right, usually with significant involvement of the administrator along the way.
With Windows Server 2003, however, things have suddenly gotten much easier. Automated System Recovery (ASR), a new feature included in the Backup utility, greatly simplifies the process of recovering a server that won’t boot because of severe problems with the system/boot volume, such as Registry corruption. By automating the process of restoring a failed server, ASR saves you time and reduces the chances for making mistakes. ASR is an essential part of the Recovery Roadmap [Hack #99] (in the book) for troubleshooting problems that might happen to Windows servers, and this hack leads you through the process step by step. I’ll also clarify how best to use this feature and how to resolve problems that can arise.
ASR Backup
The simplest way to back up your system with ASR is to use the Backup or Restore Wizard that starts by default when you select Accessories -> System Tools -> Backup. Simply start the wizard, select “Back up files and settings,” and choose the option to back up “All information on this computer.” Then, specify the remaining backup job parameters as usual. The result is that all information on your hard drives is backed up, including the boot, system, and data volumes. Later, should a disaster occur, you can restore your system by using the ASR restore process to the exact configuration it had earlier.
The backup is done by using shadow copies [Hack #95] to ensure that any open files on the system and boot volumes are properly backed up. Note, however, that this applies mainly to the system and boot volumes, which are critical for successful ASR backup. While shadow copies are also used to back up data volumes, these shadow copies are deleted afterward unless you’ve specifically enabled shadow copies on these volumes to help protect users’ work from accidental loss or damage.
An alternative method for performing ASR backup is to start Backup and switch to Advanced Mode. Then, under the Welcome tab (Figure 1), select the Automated System Recovery Wizard button. This wizard lets you back up only information on your system and boot volumes that is critical to restore your system; it does not back up any data volumes, which are usually best left for your regular backup program to handle anyway.
Figure 1. Starting the Automated System Recovery Wizard
During the ASR backup process, you’re asked to insert a blank, formatted floppy to create a system recovery disk (commonly called an ASR floppy). This floppy is critical to the ASR restore process, so it’s worth digging a little deeper into how it’s used. The ASR backup process saves two files onto your floppy: the ASR state file ( asr.sif), which contains information about the disk signatures and configuration of disk volumes on your machine, and asrpnp.sif, which contains information about different Plug and Play devices on your system. These two files are critical for the recovery of your system, because they connect the underlying hardware configuration with the operating system above it. As we’ll see in a moment, you need to insert this floppy at the beginning of the ASR restore, in order to rebuild the disk subsystem and hardware configuration of your system before restoring the contents of the system and boot volumes.
What if you have no floppy disk drive on your machine? Fortunately, you can still use ASR to back up your system, but it’s a bit of a workaround. During the ASR backup process, copies of these asr.sif and asrpnp.sif files are also saved in the %SystemRoot%\Repair folder on your server. So, when you receive a prompt at the end of the backup process to insert a floppy, simply ignore the prompt and instead copy asr.sif and asrpnp.sif from Repair to a network share on another server (one that has a floppy disk drive installed). Then, copy the files from the share on that server to a blank floppy you insert into its drive, and you now have a working ASR floppy for your backup. Then, go buy a USB external floppy drive, because you’ll need it if you ever have to rebuild your original server from the backup set you created. In other words, you can perform ASR backup without a floppy, but you cannot perform an ASR restore without one.
What if you lose your ASR floppy? Well, the procedure just described will work in this case too. Just insert a new blank, formatted floppy into your server and copy asr.sif and asrpnp.sif from the Repair directory to the floppy. Note that these files must be located in the root folder on the floppy for the restore process to work, so use a separate floppy for each ASR backup; don’t try to combine several ASR backups in different folders on one floppy.
However, since the Repair directory is located on the boot volume of the system itself, if your system volume is toast, then so is your Repair directory and the files within it. So, what if you’ve lost your ASR floppy and the Repair directory is gone with your hard drive? There’s still a workaround that can save your bacon: use the Backup utility on a different machine to open the backup catalog for the ASR backup set you want to restore, expand the %SystemRoot%\Repair directory on the boot volume, select asr.sif and asrpnp.sif as the files you want to restore, insert a blank floppy, and restore these two files to the root of the floppy. Presto! You now have a recovered ASR floppy you can use to initiate a restore.
The ASR restore process in a nutshell is as follows: first, the disk configurations are restored; then, your system and boot volumes are formatted; and, finally, a bare-bones version of Windows is installed that starts Backup and rebuilds your system and boot volumes from your ASR backup set stored on tape media.
Note that your system and boot volumes are formatted. Clearly, using the ASR restore process should be considered a last-ditch effort, to be used only when everything else fails. See “Recovery Roadmap” [Hack #99] for information on how to choose between the various recovery options for Windows servers.
Using ASR Restore
Let’s look at a restore in more detail. First, make sure you have your ASR floppy, tape backup media, and original installation files for Windows Server 2003 (i.e., the product CD). If you have any mass storage controllers on your server that require an updated driver to replace the one on the product CD, be sure to have this handy as well.
Also—and this might be important—be sure to back up any data files or folders located on your system or boot volumes. Since ASR reformats these volumes, anything other than the Windows operating system files that are located on these volumes might be lost. Mind you, best practice is to never store data files on these volumes—you should store them on separate volumes instead—so if you’ve been following this practice you have nothing to worry about, right? Note that I said might be lost, not will be lost. While Windows documentation says that non–operating system files stored on system/boot volumes won’t be restored by ASR, my own experience is that they are restored sometimes and other times not. So, just to be safe, back up these volumes separately using normal backup procedures so you can later restore any missing data files.
Now, insert your product CD and boot from your CD-ROM drive (press the appropriate key to do this if required). Press F6 when prompted if you have an updated device driver for your mass storage device. Then, press F2 when text-mode setup prompts you to perform ASR restore, and insert the ASR floppy when asked to do so. The recovery process will rebuild the disk signatures and partition table, reformat the system/boot volumes, copy installation files, and begin installing Windows. A short while into the installation of Windows, the Automated System Recovery Wizard screen will ask you to specify the location of the tape backup media where your ASR backup is located. Once you specify this, the recovery process continues and it’s considerably faster than the Windows installation process itself, which is nice. Be sure not to interrupt this process; otherwise, you’ll have an incomplete and nonfunctional server. Once the restore process is finished, the logon screen appears and you’re done.
That is, you’re done unless your system was totally fried and you have to rebuild it from scratch—in which case, you have to complete the procedure by restoring any data volumes on your server from your regular backup sets.
Here’s one more thing that’s helpful, but not documented. Running the ASR restore process also creates a setup.log file that identifies the system and boot volumes, checksums for kernel files, the directory where Windows is installed, and the device drivers loaded during setup. A copy of this file is placed in %SystemRoot%\Repair and also another one is placed on the ASR floppy itself, which is handy for verifying the details of the restore process. Print that log and keep a record of it for troubleshooting purposes later.
Hacking the Restore
If your original machine is really toast, you can use ASR to restore to a different machine. However, to do this, you must ensure that the hardware on your new system is identical to your original (toasted) system, with the exception of the video card, network card, and hard disks, which can be different brands or types. Concerning hard disks, however, make sure the number of hard drives in your new system is equal to or greater than the number of hard drives on the old system, and also make sure that the storage capacity of each drive is the same or larger than drives on your old system.
If you’re using ASR to restore a failed server to another system with hardware that does differ significantly from the old one, there’s a workaround: you can hack the asr.sif file to make the ASR restore process install additional device drivers (or any other kinds of files) that might be needed by the text-mode setup process to install Windows successfully and complete the recovery.
The asr.sif file is a text file with different sections, identified by brackets:
By adding an additional [InstallFiles] section, you can specify additional files that need to be copied to the machine during text-mode setup. For example, adding the following section will cause the driver file MyDriver.sys to be copied from the root of the floppy disk that has the volume label My Drivers to the %SystemRoot%\System32\Drivers folder on the machine:
[InstallFiles] 1=1,"My Drivers","Floppy","%SystemRoot%\System32\Drivers\MyDriver.sys","My Company Name",0x00000001
During text-mode setup, a prompt will ask you to insert the floppy disk that has the driver file for My Company Name, and the 0x00000001 flag indicates that this prompt will always appear. Other flags can also be used, including 0x00000006, which indicates that ASR recovery can’t proceed unless you load the specified driver file; 0x00000010, which indicates that any existing copy of MyDriver.sys should be overwritten by the new file; and 0x00000020, which prompts before overwriting an existing version of the file.
Using this hack, you can customize the ASR restore process to make it successful, even if there are some hardware differences between the original machine and the new one.
Using ASR
Finally, many administrators don’t understand when to use ASR to back up the system and when they should just use regular backups. You should back up your system anytime you change your hardware or operating system configuration. Examples of such changes might include upgrading to a new version of the operating system, installing service packs or hotfixes, adding new disk storage or changing the partition layout of your volumes, switching from basic to dynamic storage, installing a new Windows component or service, installing and configuring a third-party application, installing new hardware or upgrading device drivers, and so on.
Doesn’t this sound suspiciously like the instructions for creating the old Emergency Repair Disk (ERD) on Windows NT/2000? Yes, though ASR is a far more powerful feature than the ERD. Since it backs up the System State and Registry on your machine, it does include similar functionality to the ERD, including saving a copy of your Registry hives in the Repair folder. But while the ERD could be used only to replace corrupt or missing system files or Registry hives, ASR is a complete system-recovery feature that does everything the ERD did and more—automatically.
You don’t need to use ASR for backup when your system is tuned and running perfectly and only user data files are being created, modified, or deleted on your server. If you’ve properly partitioned your system so that all user data files are on data volumes separate from the boot and system volumes, then you can simply back up these data volumes on a daily basis to ensure nothing is lost in the case of a disaster. But if you change your basic operating system or underlying hardware in a significant way, use Backup to create a new ASR backup set so that you can recover your system to its current state, should massive failure occur.