Monthly Archives: February 2012

Uninstall programs with wmic

This week I want to take a look at “Windows Management Instrumentation Command-Line” (aka WMIC).
I came across this tool (which even has some sort of subshell) by accident when I was looking for a convenient way to uninstall certain programs from the command line.
WMIC provides a way to interact with the powerful WMI (Windows Management Instrumentation) from the command prompt.
It offers a lot of features and commands to configure the computer and you can change almost all possible system parameters with it.

As I mentioned before, I wanted to uninstall programs without having to trigger an “uninstall.exe” or look up those strange MSI codes in the registry.

Let's get hands-on and start uninstalling programs.
Fire up your command line interface and type

wmic product get name

(by only typing wmic you enter the subshell) and you should get a list of all programs installed on the computer.

Uninstalling a program is very easy and can be done by typing the following:

wmic product where name="XYZ" call uninstall

This command would query WMI and start the uninstall process for the program called XYZ.
Just make sure you use the exact name of the program (double check with the command “wmic product get name”).

If you want to use wildcards you can do this by running the following:

wmic product where "name like 'XYZ%%'" call uninstall

This command would trigger the uninstall process for all versions of the program XYZ installed on the computer.
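As an added example (not from the original post), the same "list first, then uninstall" workflow in PowerShell against Win32_Product, the WMI class behind wmic's product alias. The script name and the XYZ% pattern are placeholders; without -Uninstall it only lists what would be removed.

```powershell
# Added example, not part of the original post: dry-run listing of products that
# match a WQL pattern, and uninstall only when -Uninstall is given.
param(
    [Parameter(Mandatory=$true)][string]$NamePattern,  # WQL pattern, e.g. "XYZ%"
    [switch]$Uninstall                                  # omit it for a dry run
)

# Caveat: any query against Win32_Product makes Windows Installer verify every
# installed MSI package, so expect it to be slow on a machine with many packages.
# A single quote inside the pattern would break (or alter) the WQL filter, so double it.
$pattern  = $NamePattern -replace "'", "''"
$products = @(Get-WmiObject -Class Win32_Product -Filter "Name LIKE '$pattern'")

if ($products.Count -eq 0) {
    Write-Output "No installed product matches '$NamePattern'"
    return
}

foreach ($p in $products) {
    Write-Output ("{0} {1} ({2})" -f $p.Name, $p.Version, $p.IdentifyingNumber)
    if ($Uninstall) {
        # Equivalent of: wmic product where "name like 'XYZ%'" call uninstall
        $r = $p.Uninstall()
        if ($r.ReturnValue -eq 0) {
            Write-Output "  uninstalled"
        } else {
            Write-Warning ("  uninstall of '{0}' failed with Windows Installer code {1}" -f $p.Name, $r.ReturnValue)
        }
    }
}
```

Run it once without -Uninstall to confirm the pattern matches only the products you expect, then again with the switch from an elevated prompt.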
As said before WMIC offers a lot more than just uninstalling programs – just have a look :)

How to secure your SSH server

Using SSH (Secure Shell) is a common and widely used way to access and manage a server remotely. Unlike telnet and rlogin before it, your communication with the server is encrypted.

Although all up-to-date Linux distributions ship a secure configuration of the SSH server by default, it does not hurt to check for yourself and get familiar with the options the SSH server has to offer.
I will just cover the very basics and the most important directives of the configuration. You can do a lot more with it, like tunneling ports, forwarding X11 sessions and much more.

The daemon behind SSH listens (by default) on TCP port 22 but can easily be reconfigured to listen on a different port. You can connect to the server by typing

ssh -p port username@hostname

in a shell (hostname can also be an IP address; -p can be left out if the server listens on port 22) or, if you are on Windows, you might want to try the tool PuTTY.

The location of the main configuration file differs from one distribution to another but it can usually be found at

/etc/ssh/sshd_config

Open it up with your favorite text editor (like vi)

vi /etc/ssh/sshd_config

The following snippet is the default configuration which comes with Ubuntu.

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile	%h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

  • First we can configure the listening port of the SSH server with the Port directive. Some people change that to a different value than “22” for security reasons.
  • Next up you can specify which IP addresses you want the server to listen on (if you have more than one). Use 0.0.0.0 to listen on every available interface/address (you can use IPv6 too).
  • For historical reasons you can specify a different version of SSH by changing the Protocol directive. I strongly recommend leaving it at the value “2” to ensure up-to-date security and encryption of the communication.
  • If you have a user account for your everyday work on the server (which I do recommend – please don’t use the root account for this) you can change PermitRootLogin to “no”, log in with your username and change to the root account later (if required).
  • For additional security you can generate a key file which can be used for login instead of a username/password combination.
  • Further down you find the X11Forwarding directive. If you don’t have X11 (aka GUI) on your server you can safely disable this (X11Forwarding no).
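As an added example (not from the post and not Ubuntu's default file), the directives from the list above set to their hardened values, each with the shipped default noted; the port, address and LoginGraceTime values are placeholders for your own. sshd_config does not allow comments after a value on the same line, so every comment sits on its own line.

```text
# Added example, not the author's configuration. Check it with "sshd -t" and
# keep your current session open until a fresh login with the new settings works.

# default: Port 22 (a different port hides nothing from a scanner, it only cuts log noise)
Port 2222
# default: every address; bind to the management address only
ListenAddress 192.0.2.10
# keep protocol 2, version 1 is obsolete
Protocol 2
# shipped default above: yes; log in as a normal user and switch to root afterwards
PermitRootLogin no
# log in with a key file ...
PubkeyAuthentication yes
# ... and turn passwords off once the key login has been tested
PasswordAuthentication no
PermitEmptyPasswords no
# shipped default above: yes; not needed on a server without X11
X11Forwarding no
# default: 120; less time for unauthenticated connections to sit open
LoginGraceTime 30
```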

This is it for now – I will cover special aspects of SSH in a later post.

EDIT (16022012): As I received valuable input from aj (thanks for that :)), I recommend reading his comment and considering his additions for your server configuration.

Options for Windows DHCP Server to work with Opsi

It is part of my profession to take care of several PCs and laptops in our company. Every once in a while one of these computers has to be (re)installed and (re)configured.
As it is a pain to do this manually and click your way through the Windows setup wizard, I automated this process with the help of OPSI.
With this tool it is easy to set up a fresh instance of Windows in no time.

Basically, in the boot menu you select “boot from network” and watch OPSI do its job.
For this to work you need a DHCP server in your environment (which isn’t that much of a problem) that hands out IP addresses, the next-server address and the path to the boot image. OPSI uses and (automatically) configures the dhcp3 server that is included in many Linux installations. See the next listing for an example configuration:

# testhost
host testhost.domain.com {
    filename "linux/pxelinux.0";
    hardware ethernet 00:00:00:00:00:01;
    next-server 10.20.30.40;
    fixed-address 1.2.3.4;
}

The problem here is that you have to maintain two different DHCP servers (your main company Windows DHCP server and the one that OPSI brings along). Furthermore you have to make sure you don’t assign the same IP to two different hosts at the same time, and so on…

So I thought about eliminating the “OPSI DHCP” server and using only the Windows one.
There are only a few steps you have to follow to get this working.

Fire up the management console of your Windows DHCP server and select “Bereichsoptionen” (scope options – yeah I know it is German, sorry for that).

Now add the following options:
No. 66: specify your next server (the server you want to boot your image from)
No. 67: specify the path to the boot image

After that you can safely deactivate your dhcp3 server on the OPSI server.
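The same two scope options set from PowerShell instead of the management console, as an added example that is not part of the original post. It assumes the DhcpServer module (Windows Server 2012 or later); the scope, DHCP server name, next-server address and boot file are placeholders taken from the dhcpd.conf listing above.

```powershell
# Added example, not from the original post: set PXE options 66/67 on a scope
# and read them back, so the Windows DHCP server can replace OPSI's dhcp3.
param(
    [string]$ScopeId    = "10.20.30.0",        # placeholder: scope that holds the clients to install
    [string]$NextServer = "10.20.30.40",       # OPSI server, as "next-server" in the dhcpd.conf example
    [string]$BootFile   = "linux/pxelinux.0",  # handed out as "filename" in the dhcpd.conf example
    [string]$DhcpServer = "dhcp01.domain.com"  # placeholder DHCP server name
)

Import-Module DhcpServer

# Option 66 = boot server host name (next-server), option 67 = boot file name
Set-DhcpServerv4OptionValue -ComputerName $DhcpServer -ScopeId $ScopeId -OptionId 66 -Value $NextServer
Set-DhcpServerv4OptionValue -ComputerName $DhcpServer -ScopeId $ScopeId -OptionId 67 -Value $BootFile

# Read both options back to verify what PXE clients in this scope will receive
Get-DhcpServerv4OptionValue -ComputerName $DhcpServer -ScopeId $ScopeId -OptionId 66,67 |
    Format-Table OptionId, Name, Value -AutoSize
```

Setting the options at scope level keeps them away from scopes whose clients should never network-boot.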

Note: This guide and these options also apply to other network-boot tools you might come across and are not limited to OPSI.

Exchange Messagetracking stats

Having a Microsoft Exchange Server in your company or even at home can be a great thing.
Like every modern Microsoft product it brings a lot of plugins/extensions for the Microsoft Management Console and for PowerShell.
Nearly everything Exchange (and of course Microsoft) related can be configured from the command line.

I am not that much into PowerShell scripting, but as I wanted to monitor how many mails certain accounts (group accounts and non-personal ones) receive I wrote the following script.

param([Parameter(Mandatory=$true)][string]$username)
# Today, from midnight to 23:59:59
$Start = (Get-Date).Date
$End = $Start.AddDays(1).AddSeconds(-1)
# Quote the address so "$username@domain.com" is expanded as one string
$result = Get-MessageTrackingLog -Start $Start -End $End -EventID "DELIVER" -ResultSize Unlimited -Recipients "$username@domain.com" -Server servername
# @() so .Count also works when zero or one entry is returned
$number = @($result).Count
Write-Output $number

Save the above script as mailstats.ps1 and pass the mailbox name as the parameter to get the number of mails this address has received today.