Tuesday, July 13, 2021

IIS 10 user account for writing to file system

Recently I was trying to identify which user account was writing a .json file from the web server so we could lock down permissions to just that account. Lots of articles reference accounts like IIS AppPool\{pool name} or the built-in IIS_IUSRS group. Neither of those worked in our scenario. After turning on file auditing and reviewing the Security log, I found a frustrating but simple answer: the account doing the write was just IUSR. I granted that account Modify permission on the one file that needed it and suddenly it worked as expected. This is the rough equivalent of "apache" ownership on Apache web servers.

Why it is IUSR: that is the default identity IIS uses for Anonymous Authentication, so a request that is not authenticated touches the file system as IUSR rather than as the application pool identity. If the site's anonymous authentication is switched to use the application pool identity instead, the same write shows up as IIS AppPool\{pool name}. Either way, file auditing (Security event 4663 on that file) is the reliable way to find out, and the grant should be Modify on that single file rather than write access on the whole site directory.
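Here is an added example (not the post's own code) of the audit-then-grant approach the post describes, in PowerShell. It assumes an elevated Windows PowerShell 5.1 session on the IIS host; the site name and the file path are placeholders for your own.

```powershell
# Added example: confirm which identity writes a file by auditing it, then grant only that
# identity Modify on that one file. Assumptions: elevated Windows PowerShell 5.1 on the IIS
# host; $Site and $Path are placeholders, not values from the post.
Import-Module WebAdministration

$Site = 'Default Web Site'
$Path = 'C:\inetpub\wwwroot\App_Data\settings.json'

# 0. Which identity does Anonymous Authentication run as? An empty userName means
#    "application pool identity"; the IIS default is IUSR.
$anon = Get-WebConfiguration -PSPath "IIS:\Sites\$Site" `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication'
"Anonymous auth enabled: $($anon.enabled); userName: '$($anon.userName)' (empty = app pool identity)"

# 1. Turn on the File System object-access audit subcategory so writes produce event 4663.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Put an audit (SACL) entry on the file for write/append by anyone, success and failure.
#    Get-Acl -Audit needs the SeSecurityPrivilege, hence the elevated session.
$acl  = Get-Acl -Path $Path -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    ([System.Security.AccessControl.FileSystemRights]::WriteData -bor
     [System.Security.AccessControl.FileSystemRights]::AppendData),
    ([System.Security.AccessControl.AuditFlags]::Success -bor
     [System.Security.AccessControl.AuditFlags]::Failure))
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# 3. Exercise the page that writes the file, then pull the matching 4663 events and show
#    who did the write and from which process (expect w3wp.exe for an IIS worker process).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 2000 |
    ForEach-Object {
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Account = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Object  = $d.ObjectName
            Access  = $d.AccessMask
            Process = $d.ProcessName
        }
    } |
    Where-Object { $_.Object -eq $Path } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize

# 4. Grant Modify on this file only, to the account the audit showed (IUSR in the post's case).
#    Scoping the grant to the file keeps IUSR from gaining write access to the rest of wwwroot.
icacls $Path /grant 'IUSR:(M)'
```

If step 0 shows an empty userName, the account in the 4663 events will be the application pool identity instead of IUSR, and the icacls grant in step 4 should name that account ("IIS AppPool\{pool name}") rather than IUSR.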




Saturday, July 3, 2021

PrintNightmare, aka CVE-2021-34527, disable print spooler script

Hopefully by the time I publish this you've already heard about the PrintNightmare exploit. Going off of Microsoft's post here: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527, there are a couple of ways to handle it: stop and disable the Print Spooler service, or disable inbound remote printing through Group Policy so the spooler keeps serving local print jobs but no longer accepts remote client connections.

Say you want to go with the "disable the Print Spooler on all applicable machines" route from Microsoft's workaround. Say you have a decent-sized environment that you have, or can get, a list of. Now say you can PowerShell your life into happiness. Here is the PowerShell for disabling the service across a list of provided servers (it relies on the -ComputerName parameter of Get-Service, which exists in Windows PowerShell 5.1 but was removed from PowerShell 7):


Make sure that if you have print servers you exclude them from your list! Disabling the spooler stops all printing on that host, not just the vulnerable remote path.


#This list can be rather long; I've tested it with over 50 servers in the list. Just make sure you quote each server name and separate them with commas

$list = "Server01", "Server02", "Server03"

#This is where we get the current status of the service, stop the service, disable the service, and finally display the status of the service again. The second status line proves that the service has been stopped and disabled.

foreach($server in $list){
#This next line just echoes what the script is doing; unnecessary if you don't care to keep an eye on the servers as it works through them. I highly recommend it though.
Write-Output "Starting on $server"
#Displays the current status of the print spooler
Get-Service -ComputerName $server -Name Spooler | Select-Object DisplayName, Status, StartType
#Stops the print spooler service
Get-Service -ComputerName $server -Name Spooler | Stop-Service
#Sets the print spooler service to disabled (note: no trailing backslash after Disabled, which would be passed as part of the value and fail)
Get-Service -ComputerName $server -Name Spooler | Set-Service -StartupType Disabled
#Displays the current status of the print spooler again
Get-Service -ComputerName $server -Name Spooler | Select-Object DisplayName, Status, StartType
#Again, echoes the name of the server so you can isolate the server reporting back. This is just a sanity check; you could drop either of these echoes if you wanted to.
Write-Output "Completed on $server"
}

Code without the comments:

$list = "Server01", "Server02", "Server03"
foreach($server in $list){
Write-Output "Starting on $server"
Get-Service -ComputerName $server -Name Spooler | Select-Object DisplayName, Status, StartType
Get-Service -ComputerName $server -Name Spooler | Stop-Service
Get-Service -ComputerName $server -Name Spooler | Set-Service -StartupType Disabled
Get-Service -ComputerName $server -Name Spooler | Select-Object DisplayName, Status, StartType
Write-Output "Completed on $server"
}


This is what that looks like when run in PowerShell:
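The following is an added example, not the post's script, that does the same job over PowerShell Remoting instead of the -ComputerName parameter of Get-Service, keeps a print-server exclusion list, reports before/after state as objects, and also reads the two Point and Print registry values that Microsoft's advisory for CVE-2021-34527 says should be 0 or undefined. It assumes WinRM is enabled on the targets and that you are an administrator on them; the server names and the exclusion list are placeholders.

```powershell
# Added example (not the post's code): apply the "disable Print Spooler" workaround over
# PowerShell Remoting and report the result. Assumptions: WinRM reachable on every target,
# you are a local admin on each, and the names below are placeholders.
$Targets      = 'Server01', 'Server02', 'Server03', 'PrintSrv01'
$PrintServers = 'PrintSrv01'   # hosts that must keep printing; these are skipped

$work = $Targets | Where-Object { $_ -notin $PrintServers }

$results = Invoke-Command -ComputerName $work -ErrorAction Continue -ScriptBlock {
    $svc    = Get-Service -Name Spooler
    $before = "$($svc.Status)/$($svc.StartType)"

    if ($svc.Status -ne 'Stopped') { Stop-Service -Name Spooler -Force }
    Set-Service -Name Spooler -StartupType Disabled
    $svc = Get-Service -Name Spooler

    # Point and Print values called out in Microsoft's advisory. A value of 1 lets
    # non-administrators install printer drivers without a prompt; the advisory says
    # both should be 0 or not defined.
    $pp     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $noWarn = (Get-ItemProperty -Path $pp -Name NoWarningNoElevationOnInstall -ErrorAction SilentlyContinue).NoWarningNoElevationOnInstall
    $upd    = (Get-ItemProperty -Path $pp -Name UpdatePromptSettings -ErrorAction SilentlyContinue).UpdatePromptSettings

    [pscustomobject]@{
        Before                       = $before
        After                        = "$($svc.Status)/$($svc.StartType)"
        NoWarningNoElevationOnInstall = $noWarn
        UpdatePromptSettings         = $upd
    }
}

$results |
    Select-Object PSComputerName, Before, After, NoWarningNoElevationOnInstall, UpdatePromptSettings |
    Format-Table -AutoSize

# Anything that did not answer (offline, WinRM blocked, access denied) still needs doing by hand.
$missing = $work | Where-Object { $_ -notin $results.PSComputerName }
if ($missing) { Write-Warning "No result from: $($missing -join ', ')" }
```

The After column should read Stopped/Disabled for every host; a host that is missing from the table is one you have not fixed yet, which is the case the original loop silently skips over when a single Get-Service call fails.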



Disclaimer: I am not a security expert of any sort. I do IT for a living and sometimes I just need to share cool/helpful things I've worked on that may be causing headaches for others. I hope this helps you. This information is provided as a guide and contains no guarantees. There may be better ways of doing this; this is just what worked for me. Please test this code in your environment on either test/dev boxes or on low-impact production before running it at full scale across everything. Feel free to discuss possible variances in the code in the comments below.