John's questions

I am looking at configuring our Windows DNS Servers for some type of DNS based blackhole operation. Ideally, we would be able to use feeds from MalwareDomains.com or the like. I was curious how one could go about setting up and implementing such a setup. The workflow would look something like the following:

1. Script to pull down and parse the feed list
2. Script to publish feed list into Windows DNS
3. Bad connections stopped due to new DNS entries

The challenge that I am having deals with step 2. I am not sure how to publish a large list of DNS entries into the Windows DNS server. Ideally this would work for Server 2008 or newer.

I am looking for a method that would allow us to forward the IIS Advanced Logging logs to a centralized log source via syslog or something similar. We are able to perform this currently for the regular IIS logs with Snare; however it does not work the same for IIS Advanced Logging.

The default file path is different for IIS Advanced Logging (%SystemDrive%\inetpub\logs\AdvancedLogs) and it appears that the file names are based upon the UTC time, see here, and not the local date and time that you can specify with regular logging. This also creates and issue for developing some type of wildcard rule if we wanted to test this with Snare. Any ideas are welcome.

I am working on a project where I would like to perform host documentation for a variety of items. Part of these items would be sourced from Powershell and the rest would be sourced from NMAP. For the Powershell part, I am working on trying to build something homegrown and similar to the SYDI-Server project. Instead of WMI it would use Powershell and allow for a much larger and easier method in which to obtain various results from remote machines. Also, the SYDI-Server project has not been updated in a while. The NMAP piece would be used to perform a scan or two on the remote host and return the results such that Powershell could use or consume those and add them to the final report being generated. The idea is similar for the reporting to be a MS Word document that is output from Powershell that contains all of the elements needed for the host documentation.

All of that said, is there a way to have data shared or sent back and forth from Powershell to NMAP? Is there a way to have the results from NMAP used or parsed in Powershell for further manipulation?

What are the security ramifications that one should be aware of when considering using WebDAV? How does one go about securing it? What else should I know about it?

I am working on a project where we need to be able to tell and report periodically on what software is installed on our various Linux/Unix servers. I have looked at this, How to inventory what software/roles a Linux server is "serving up" to clients?, posting and this, Open-source inventory agent, posting and was not able to locate information that would suggest an answer to my issue. I am not sure that the OCS Agent would report on Linux/Unix servers like it does in Windows. Are there any scripts, open source software, software agents, etc. that can be used to run against a large number of Linux/Unix servers to report on what software is installed and what versions are installed?

=========================

Updates for clarity:

I am looking for a reliable way in which to determine if particular software exists on a Linux/Unix machine. Ideally, this would be a remote solution where I can point it towards the servers in question and have it return the results indicating if the software in question exists on that box or not. Also, should I be concerned about the following issues relating to installed software on a Linux/Unix host?

1. Software installed from packages
2. Software installed from source
3. Software that is installed to an unknown or unexpected location

How would I go about handling these conditions along with finding out if the software exists?

I am working on trying to make sense of what is required for both PCI DSS compliance as well as FIPS compliance in relation to SSL/TLS cipher suites. I have been reading the guide here and here. However, I have not been able to find anything that states what order or priority I should list the ciphers in. I can see which ones I need to use and disable, but I assume that there is a priority that should be followed for them as well. This is primarily for Windows servers and then later I would look at performing the same to Linux servers running Apache.

I am working on building some new CentOs 6 servers and creating documentation for the installation of said servers. I would like to create a base CentOS 6 server install that would be light on the packages to reduce bloat by default. Additionally, I am looking for some common or industry practices in which to harden the server so that it can be used in production and online facing to the world. I am curious if there are any best practice guides, techniques, or steps that you use in performing such a task? Later, I would look at adding servers and sections to the documentation about using the server for web serving, database hosting, etc. For now, I am looking for a base server install.

I am working on a project where I need to be able to audit various users and user group permissions on a NTFS formatted Windows file server. I would like to use PowerShell and have it recursively search through the remote file share or it could be ran on the server itself and have it output all of the permissions it finds either for everything or for the specified user or user group. The goal is to be able to use this for periodic auditing of users and user groups to ensure that permission creep is not occurring and that all permissions are being setup in the same manner by different system administrators. Lastly, it would be used for identifying where we need to make changes when we change user groups in group policy. Are there any common ways of approaching this? Does PowerShell stand up to this task? Would it be possible to have PowerShell output the results into a readable format?

Similar to some of the topics touched on in this question, Is it important to reboot Linux after a kernel update?, I was curious if there was a way in which one could apply kernel updates to the system without rebooting. I know that there is a vendor called Ksplice that offer features like this. However, I was curious if there was a way to perform this same task without a commercial offering or perhaps an alternative to Ksplice since it looks like some of the feature sets may have changed since they were purchased by Oracle. Ideally, if there is a script or way that I can add some files to perform this on CentOS, Red Hat, and/or Ubuntu would be great.

What is the best way to force HTTP requests to HTTPS requests on IIS 6? For example, I have both a directory and a whole site that I need to force HTTPS on for two different servers. What is the best or preferred method of accomplishing this? This will need to redirect requests that come in on HTTP to HTTPS. I was thinking of something along the lines of mod_rewrite from the Linux world.

Note that I already have a certificate installed and working.

I have a Linux TAR file that I would like to convert directly into an ISO. Is there a way to do this, preferably, without having to extract the contents of the file first?

This would be similar to the following question; however, this is focused on plain or straight-up tar files and not related to bzip or a bzipped tar.

This is also something that I intended to use within a script and the reason that I do not want to extract it first.

In light of a growing number of security issues, such as the newly announced Browser Exploit Against SSL/TLS (BEAST), I was curious how we could go about enabling TLS 1.1 and 1.2 with OpenSSL and Apache to ensure that we will not be vulnerable to such threat vectors.

Issue: We have a number of bookmarks that we need to publish to our users computers that are bound to active directory. We can easily accomplish this with group policy for Internet Explorer. At the present time, I am not able to locate a way in which to publish these same set of bookmarks to our staff user's computers for FireFox. Each computer in our organization has FireFox installed on it and we need to keep the core set of bookmarks the same for both browsers. I was curious if there was a way to send these out to FireFox through group policy in case we needed to edit them again in the future.

UPDATE: We have many versions of FireFox that are greater than v3.6. We also are wanting to append these bookmarks to all users even for users with existing profiles.

Issue: Centralized user management and user permission mangement of user access needs for resources (access to services, home directories, joining to local user groups, file system permissions, etc.) on Linux servers by way of group membership within Active Directory.

Background: We have a number of Linux servers, some CentOS and others Ubuntu, that are used for development, web hosting, database hosting, PXE serving, etc. We also have a centralized Active Directory envrionment where all users are added into and provided with group memberships at the time of joining the organization.

Example: Bob and Alice join the organization, they get added into their appropriate groups within AD, and now they have access to SSH or MySQL on one or more of our Linux servers. Once Bob leaves, we remove him from the AD group(s) and he no longer has access to the Linux servers for SSH, MySQL, etc.

Notes: How does one approach such a task? Is there a set of utilities available within Linux already that will allow this type of operation? The access we need to grant to a user is going to be dependant upon the user group memberships that they are a member of from Active Directory. For example, everyone within the AD Group of Development will need to have SSH access, MySQL access, and a home directory on the Linux versioning server 1 and 2. Everyone that is within the AD group of systems administrator will need to have SSH access and SU permissions for all of the Linux servers, etc. I have looked through a number of the existing articles on serverfault and have not found anything that matches up to the needs listed here.

I would like to know if there is a way, preferably through Group Policy, that one can hide the total size listing and the free space listing on network drives. We have an active directory environment that we map network drives to a MS Windows File Server. We are afraid that users will become either unnecessarily concerned about the free space that is displayed or they will think that it is a free for all chewing up whatever space they want. I do know about the use of quotas and how that will change the visual display, but we are not able to implement quotas within our organization due to various reasons.

We are working on migrating from Novell to Active Directory. During the transition, We are going to evaluate our drive mappings in light of current standards to see if what we have been doing still fits, is in alignment with best practices, simplify administration of the resources, etc. At present, we have 11 different drive mappings that are mapped. This seems, to me, to be a few too many and rather confusing for end users. These drive mappings also appear to relate to some older convention that existed in the organization that ended being something like the following:

• K:\ - Mapping of physical CD-ROM drive of Novell server
• N:\ - IT administrative scripts and utilities
• S:\ - Another user's home folder, if needed
• T:\ - dBase III mapping (this should hopefully disappear after the migration)
• U:\ - Project or other group shares
• V:\ - Project or other group shares
• W:\ - Work (departmental or unit work share)
• X:\ - Applications share
• Y:\ - Home folder
• Z:\ - System volume

This is a very confusing structure for users, both end users and IT, within our organization. I would like to ask for industry best practices and how others design their drive mappings. What are some things that one should be aware of and how do you compensate or control those items? What are things that should be considered from a management and maintenance perspective?

Our clients are going to be Windows XP, Windows Server 2003, Windows 7 Pro, and Windows Server 2008. Later on we would like to incorporate Linux and Macintosh OS X (10.6 or newer) clients into our drive mappings as well.

Any help, ideas, resources, or links that you can provide would be greatly appreciated.

I am working on compiling a list of reasons why in place upgrades of software and operating systems are a bad idea. There are many people that I work with that think that it is easier and better to just install the new version of a piece of software or an operating system on top of the old version. I, however, believe that this is generally a bad idea and that it is better to take the extra time to uninstall the previous version of a software item or perform a clean installation of the operating system. All of this is also contingent upon having a solid backup operation in place.

I would like to gather other thoughts that people have about in place versus clean installations.

• What are the advantages and disadvantages of each in relation to both software and operating systems?
• What types of problems have you run into and how did you resolve them for both software and operating systems?
• Is there anything else that I should know of that I can share with my coworkers in relation to this topic?

Thank you in advance for your help with this. I look forward to hearing what all you have to share.

We are looking for ways in which to further enhance our documentation and our ability to allow easy access to the information as well as editing the information. With these ideas in mind, we created an internal wiki based upon the MediaWiki platform for our Tier 1 (Help Desk). This has been a huge success for the Help Desk and they use this extensively for their daily operations. Now, we are looking at ways in which to document things for our Tier 2 (Systems Administrators). We need to have the information for Tier 2 separate from the information for Tier 1 due to the sensitivity of the information and the fact that it will contain steps for how we build our servers, etc.

I am looking for ideas and suggestions in relation to how we can accomplish the following aims:

• Centralized documentation based upon the MediaWiki platform
• Separated content between Tier 1 and Tier 2
• We like the look and feel that we have for Tier 1 and that could be used for Tier 2
• Can this be ran on the same server if we were to run two different installations of MediaWiki? Is this even a good idea to run multiple installations of MediaWiki on the same machine?
• Support for FQDN and SSL certificates for each documentation installation
• Is there a way to slice or keep separate part of the Tier 1 MediaWiki installation based upon user or group membership?

Thank you in advance and I look forward to your ideas and suggestions.

We are working on a web project where we need to be able to bind to an active directory domain and then pass the user's credentials to the domain to make sure the user has successfully authenticated before we allow them access to one of our web applications. We have HTTPS working fine for the front end to accept the credentials. The problem we are running into is for the connection between our server and the active directory server. The active directory server is maintained by a different section of our IT department and we do not have access to it. This active directory server is using a self-signed certificate and does not have a fully qualified domain name (i.e. people.local).

I have read many places that talk about setting the TLS_REQCERT variable to never; however, I am worried about man-in-the-middle attacks and do not feel comfortable leaving the setting set this way. I have also read some articles that talk about being able to query the active directory server from a Linux command line, view the self-signed certificate, save the self-signed certificate to the local Linux server, and then use this certificate for the trust so that you do not have to set TLS_REQCERT to never. I am not sure how I can go about viewing and saving the self-signed certificate from the Linux command line. I have some CentOS servers that we are running that we need to make this operational on.

Any help that you can provide would be greatly appreciated. Thanks in advance.

I am working on some iptables firewall rules and have seen many examples that suggest the importance of blocking potentially impossible traffic from non-routable IP address spaces. This would include items from RFC 1918, RFC 1700, RFC 5735, RFC 3927, RFC 3068, RFC 2544, RFC 5737, RFC 3171, and RFC 919. Some examples include the following:

• $CURRENT_IP
• 0.0.0.0/8
• 10.0.0.0/8
• 127.0.0.0/8
• 169.254.0.0/16
• 172.16.0.0/12
• 192.0.0.0/24
• 192.0.2.0/24
• 192.88.99.0/24
• 192.168.0.0/16
• 198.18.0.0/15
• 198.51.100.0/24
• 203.0.113.0/24
• 224.0.0.0/4
• 240.0.0.0/4
• 255.255.255.255

Some of the examples indicate that you only need to worry about checking for this traffic if it is the source of the traffic. Example of:

$IPT -A ANTISPOOF -s 0.0.0.0/8 -m limit --limit 5/min --limit-burst 5 -j LOG --log-prefix "Denied Spoofed Source IP Address: "
$IPT -A ANTISPOOF -s 0.0.0.0/8 -j DROP

In other examples, a more aggressive stance is taken where they check for the source and destination for both input and output. Examples include:

iptables -A INPUT -d 172.0.0.0/8 -j DROP
iptables -A INPUT -s 172.0.0.0/8 -j DROP
iptables -A OUTPUT -d 172.0.0.0/8 -j DROP
iptables -A OUTPUT -s 172.0.0.0/8 -j DROP

I remain with the following questions:

• Do I need to check for the source address of the IP ranges listed above in the bulleted list?
• Do I need to check for the destination address of the IP ranges listed above in the bulleted list?
• Is is important to create rules for the IP ranges listed above that would include both the INPUT and OUTPUT chains?
• Are there any IP ranges that I have forgotten to check from that are missing from the bulleted list above?

Thanks in advance for your help with this.