Monday, December 12, 2005

Post with VBScript Using NTLM, HTTPS

There are many ways to post data to a web site using VBScript. It becomes harder when you must use HTTPS. It gets downright silly when the script must use integrated authentication to the web server as the user running it.

Here are all my attempts to do just that, listing the last one that finally succeeded:

Function post(sText)
  dim http

  'This line sets the client XML object.
  'This method appears to require hard-coded credentials, or it will revert to anonymous.
  'It also needs the host and certificate names to match when using HTTPS.
  ' set http = Createobject("MSXML2.XMLHTTP")

  'This line sets the server XML object.
  'This method appears to require hard-coded credentials, or it will revert to anonymous.
  'It will do HTTPS if the host and certificate names don't match.
  ' set http = Createobject("MSXML2.ServerXMLHTTP")

  'These lines set the server XML object, version 4.
  'This method will pass NTLM credentials when the proxy configuration is set.
  'It also will do HTTPS if the host and certificate names don't match.
  'But most clients don't have MSXML4.
  ' set http = Createobject("MSXML2.ServerXMLHTTP.4.0")
  ' http.setProxy 2, "gkproxy", "gkweb"

  'These lines set the WinHTTPRequest object.
  'This method will pass NTLM credentials when the proxy configuration is set.
  'It also will do HTTPS if the host and certificate names don't match.
  'And most clients support it!
  set http = CreateObject("WinHttp.WinHttpRequest.5.1")
  http.SetAutoLogonPolicy 0

  http.Open "POST", "https://host/default.spx", false
  http.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
  http.send sText
  post = http.responseText
  Set http = nothing
End Function

Sunday, December 04, 2005

Remove Add/Modify FTP Locations

I've been locking down a new Terminal Server for Microsoft Office. It's fun playing God. You shall not save files here!

Anyway, I found a feature that could not be disabled with your typical policies. I did not want users trying to save to an FTP site. So I created an ADM file:

CLASS USER

CATEGORY "Microsoft Office 2003"
  KEYNAME "Software\Microsoft\Office\11.0\Common"
  POLICY "Remove 'Add/Modify FTP Locations' when you open or save a file"
    PART "Check to enforce setting on; uncheck to enforce setting off" CHECKBOX
     VALUENAME RemoveFTPLocationsFromLookIn
     VALUEON NUMERIC 1
     VALUEOFF NUMERIC 0
    END PART
  END POLICY
END CATEGORY


Save the text as an .ADM file and import it into your group policy. Be sure to set the filter to view templates that can't be fully managed. This means that the setting controlled by this ADM file is "tattooed" and remains when the policy is removed.

Saturday, November 19, 2005

It's in the Mail

You know, it's not so hard to send e-mail from VBScript. I guess I just figured it would be given my experience with Perl and batch files.

All that is needed is Outlook Express. I finally found a good reason to have OE installed by default.

Function SendEMail(sSender, sTo, sSubject, sTextBody, sFrom, sFile, sSMTPServer)
  Dim objEmail
  Set objEmail = CreateObject("CDO.Message")
  objEmail.Sender = sSender
  objEmail.To = sTo
  objEmail.Subject = sSubject
  objEmail.TextBody = sTextBody
  objEmail.From = sFrom
  objEmail.AddAttachment(sFile)
  objEmail.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpserver") = sSMTPServer
  objEmail.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
  objEmail.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25
  objEmail.Configuration.Fields.Update
  objEmail.Send
End Function

Monday, November 14, 2005

Why Don't You Just Tell Me What File?

I wrote a script and tried to make it easy. You could pick your input file and name your log file using common dialog boxes.

Now I have to re-write the script as a service, but I don't want to forget how to do this:

Option Explicit

'Confirm execution
Dim strScriptName, i
strScriptName = "My Script"
i = MsgBox ("Select an input file.", 1, strScriptName)
If i <> 1 Then
  i = MsgBox ("Script aborted.", 0, strScriptName)
  Wscript.Quit
End If

'Select the input file
Dim objCD, IntCD, strCD
Set ObjCD = CreateObject("UserAccounts.CommonDialog")
ObjCD.Filter = "Text Documents|*.txt|All Files|*.*"
ObjCD.FilterIndex = 1
IntCD = ObjCD.ShowOpen
If IntCD = False Then
  i = MsgBox ("No input file selected. Script aborted.", 0, strScriptName)
  Wscript.Quit
End If
strCD = objCD.FileName

'Select the log file
i = MsgBox ("Now select a log file.", 0, strScriptName)
Dim strLogFile, objLogFile, intLogFile
strLogFile = ObjCD.FileName & ".log"
Set objLogFile = CreateObject("SAFRCFileDlg.FileSave")
objLogFile.FileName = strLogFile
objLogFile.FileType = "Text Document"
intLogFile = objLogFile.OpenFileSaveDlg
If intLogFile Then
  strLogFile = objLogFile.FileName
Else
  i = MsgBox ("No log file selected. Script aborted.", 0, strScriptName)
  Wscript.Quit
End If

i = MsgBox ("Input File: " & strCD, 0, strScriptName)
i = MsgBox ("Output File: " & strLogFile, 0, strScriptName)

It works only on Windows XP, by the way!

Saturday, November 12, 2005

Software Restrictions

I've never used Software Restriction Policies in Windows before. They were introduced with Windows XP and Windows Server 2003.

I have used the Group Policy "User Configuration/Administrative Templates/System/Run only allowed Windows applications" before. The problem with this policy is that it only works from Explorer. What if you don't want users to have access to Explorer? What if you need users to have access to Cmd or Task Manager, both of which can launch programs regardless of this policy?

Well, the answer is Software Restrictions. When set up with the option to apply to all users except local administrators, you can enable the policy default security level to disallowed. No program will run unless you have a rule for it.

Now, the default rules are OK for starters. They allowed most software in %ProgramFiles% and %SystemRoot% to run. But for my application, I did not want a program to run without a specific rule.

So I disallowed all the default rules and started logging on. I watched the Event Viewer for policy violations until I found all the programs that needed to be allowed:

Name,Type,Security Level
%Temp%\getpaths.cmd,Path,Unrestricted
C:\WINDOWS\Application Compatibility Scripts\acregl.exe,Path,Unrestricted
C:\WINDOWS\Application Compatibility Scripts\end.cmd,Path,Unrestricted
C:\WINDOWS\Application Compatibility Scripts\rootdrv.cmd,Path,Unrestricted
C:\WINDOWS\Application Compatibility Scripts\setpaths.cmd,Path,Unrestricted
C:\WINDOWS\system32\notepad.exe,Path,Unrestricted
C:\WINDOWS\system32\userinit.exe,Path,Unrestricted
C:\WINDOWS\system32\usrlogon.cmd,Path,Unrestricted

This policy let users run Notepad on the Terminal Server cluster as I outlined in my last blog - but nothing else.

For more information, check out this link:

Using Software Restriction Policies to Protect Against Unauthorized Software

Friday, November 11, 2005

Terminal Server

It's been a busy week building a Terminal Server cluster. Two servers, running Windows 2003 Server Standard.

I installed Terminal Services and IIS with the Remote Desktop Web option, then set up Network Load Balancing between the two servers as outlined here:

How to Configure Windows Network Load Balancing for pure Terminal Server environments

I copied the files from WINDOWS\Web\TSWeb to the root web and edited default.htm. That file is too big to post here, but the most important change was the addition of the following code right before MsRdpClient.Connect:

if MsRdpClient.SecuredSettingsEnabled then
  MsRdpClient.SecuredSettings.StartProgram = "notepad.exe"
else
  msgbox "Cannot access secured setting (startprogram) in the current browser zone"
end if

That code starts notepad, but can be changed to start any program as the shell. Of course, how do you prevent users from breaking out of that program, or accessing the desktop using another RDP client?

Well, first you want to remove the ability of the BUILTIN\Users group to write to all the drives. Then you'll want to look at this document:

Locking Down Windows Server 2003 Terminal Server Sessions

But the real answer is Software Restrictions. More on that next time.

Wednesday, November 09, 2005

Account Enabler

Here is a script that will enable the accounts created with CSVDE.

If you have a password policy, you will need to import accounts using CSVDE as disabled. Then you must set the password of each account so that it meets your policy requirements. Only then can you enable the account.

This script will set the password, force it to be changed on next logon, and enable the account all in one shot. You feed it the DN column from your CSVDE spreadsheet.

Option Explicit

Dim strPW, intPW, intAccount
strPW = "password" 'Set your password here
intPW = 0 'Forces password change
intAccount = 512 'Enables account

'Script usage and confirmation
Dim strScriptName, i
strScriptName = "Account Enabler"
i = MsgBox ("Select a text file that has one user DN per line. The user will be enabled and their password will be set to " & strPW & ".", 1, strScriptName)
If i <> 1 Then
  i = MsgBox ("Script aborted.", 0, strScriptName)
  Wscript.Quit
End If

'Select the input file
Dim objCD, intCD, strCD
Set objCD = CreateObject("UserAccounts.CommonDialog")
objCD.Filter = "Text Documents|*.txt|All Files|*.*"
objCD.FilterIndex = 1
intCD = objCD.ShowOpen
If intCD = False Then
  i = MsgBox ("No input file selected. Script aborted.", 0, strScriptName)
  Wscript.Quit
End If
strCD = objCD.FileName

'Get user DNs from the input file
Dim arrDN
arrDN = GetLines(strCD)

'Perform action on each user
Dim strDN, objUser
For Each strDN in arrDN
  Set objUser = GetObject("LDAP://" & strDN)
  If objUser.class="user" then
    objUser.SetPassword strPW
    objUser.SetInfo
    objUser.Put "pwdLastSet", intPW
    objUser.SetInfo
    objUser.Put "userAccountControl", intAccount
    objUser.SetInfo
  End If
Next

'Exit script
i = MsgBox ("Script done.", 0, strScriptName)


Function GetLines(strFile)
  'Read file
  Dim objTextFile, strText, objFSO
  Set objFSO = CreateObject("Scripting.FileSystemObject")
  Set objTextFile = objFSO.OpenTextFile(strFile, 1)
  strText = objTextFile.ReadAll
  objTextFile.Close
  Set objTextFile = Nothing

  'Trim trailing CR/LF from ini file
  Dim intLength, strEnd
  intLength = Len(strText)
  strEnd = Right(strText, 2)
  If strEnd = vbCrLf Then strText = Left(strText, intLength - 2)

  'Write lines into array
  Dim arrLines
  arrLines = Split(strText, vbCrLf)

  GetLines = arrLines
End Function

Until I come up with a standard disclaimer, just be warned that I am no programmer. Use my scripts only if you dare. Cheers!

Tuesday, November 08, 2005

CSVDE

CSVDE is a great tool included with Windows 2003 Server that allows you to import accounts using a comma-separated values (CSV) file.

Exchange 2003 mailboxes can also be created with the import. Use the export function first to understand what fields and values to use. Here are the fields I need:

objectClass (always "user")
DN
givenName
initials
sn
displayName
sAMAccountName
userPrincipalName
userAccountControl (always 514)
msExchHomeServerName
homeMDB
mailNickname
mail
mDBUseDefaults (always "TRUE")

Here are some sites with more information:

How can I create a large number of users for testing purposes?
Brief but comprehensive guide to several bulk import options from Petri.co.il.

Introduction to CSVDE
Check out the Excel tips in the Advanced Import section from ComputerPerformance.co.uk.

These accounts will be disabled. CSVDE can't do passwords - they should be set and the accounts enabled with a script I'll post soon.

Monday, November 07, 2005

Best Way To Display Script?

When I blog script, I think this is the way to go. Here is a template for five lines of code:

<div NOWRAP style="height:300; width:500; overflow:auto; background-color:#EFEFEF"><code>Insert code line 1 here
Insert code line 2 here
&nbsp; Insert indented code line 3 here
&nbsp; &nbsp; Insert double indented code line 4 here
Insert code line 5 here
</code></div>

You can find/replace double-spaces with "&nbsp; " in your script using notepad. Who said it was going to be easy?

RRAS and IAS Default Domain

I helped myself the other day. I searched Google Groups for "IAS RAS Default Domain" and found an old post of mine.

It was a good thing I answered my own question, because I surely forgot it again when I needed it. That's why I'm writing this blog, which Google helps me publish and search. Thanks Google!

Anyway, here is the info:

If the remote access server is a member of domain and the user response does not contain a domain name, then the domain name of the remote access server is used.

Solution: To use a different domain name than that of the IAS server, on the computer running IAS, set the following registry value to the name of the domain that you want to use:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan
\PPP\ControlProtocols\BuiltIn

REG_SZ "DefaultDomain"

Start Here

Well, everything has to start somewhere.

Drill
Pronunciation: 'dril
Function: verb
1 a : to fix something in the mind or habit pattern of by repetitive instruction b : to impart or communicate by repetition c : to train or exercise in military drill

- Hey Sarge, you gotta give me a minute here on this thing we're doin'. I mean what we're doin'. What are we doin', Sarge?