月度归档:2017年02月

Modify an SMTP Service Property

ADSI:
strComputer = "LocalHost"

Set objIIS = GetObject("IIS://" & strComputer & "/SMTPSVC/1")
objIIS.FullyQualifiedDomainName = "stmp.517sou.net"
objIIS.SetInfo

#Wscript.Echo "OK!"

cscript.exe c:\inetpub\AdminScripts\adsutil.vbs set /Smtpsvc/1/FullyQualifiedDomainName "stmp.517sou.net"

PowerShell & WMI

Set-ExecutionPolicy RemoteSigned
function Configure-SMTPService ([string]$incomingEMailDomainName, [int]$incomingEMailMaxMessageSize)
{
       Write-Host -Foregroundcolor White ” -> Changing the start-up type of SMTP service to ‘Automatic’…”
       Set-Service “SMTPSVC” -StartupType Automatic -ErrorAction SilentlyContinue
       if ($?)
       {
             Write-Host -Foregroundcolor Green ” [OK] Successfully changed startup type.”
       }
       else
       {
             Write-Host -Foregroundcolor Red ” [Error] Unable to change startup type.”
             Exit
       }
       
       Write-Host -Foregroundcolor White ” -> Starting SMTP service…”
       Start-Service “SMTPSVC” -ErrorAction SilentlyContinue
       
       if ($?)
       {
             Write-Host -Foregroundcolor Green ” [OK] Service successfully started.”
       }
       else
       {
             Write-Host -Foregroundcolor Red ” [Error] Unable to start service.”
             Exit
       }
      
       # Ascriptomatic is a great tool to explorefor exploring WMI namespace is scriptomatic: 
       # http://www.microsoft.com/en-us/download/details.aspx?id=12028
       Write-Host -Foregroundcolor White ” -> CreatingCreate incoming SMTP domain…”
       
       # First create a new smtp domain. The path ‘SmtpSvc/1’ is the first virtual SMTP server. If you need to modify another virtual SMTP server
       # change the path accordingly.
       try
       {
             $smtpDomains = [wmiclass]‘root\MicrosoftIISv2:IIsSmtpDomain’
             $newSMTPDomain = $smtpDomains.CreateInstance()
             $newSMTPDomain.Name = “SmtpSvc/1/Domain/$incomingEMailDomainName“
             $newSMTPDomain.Put()  | Out-Null
             Write-Host -Foregroundcolor Green ” [OK] Successfully created incoming email domain.”
       }
       catch
       {
             Write-Host -Foregroundcolor Red ” [Error] Unable to create incoming email domain.”
             Exit
       }
      
       Write-Host -Foregroundcolor White ” -> Configuring incoming SMTP domain…”
   
       try
       {
             # Configure the new smtp domain as alias domain
             $smtpDomainSettings = [wmiclass]‘root\MicrosoftIISv2:IIsSmtpDomainSetting’
             $newSMTPDomainSetting = $smtpDomainSettings.CreateInstance()
 
             # Set the type of the domain to “Alias”
             $newSMTPDomainSetting.RouteAction = 16
 
             # Map the settings to the domain we created in the first step
             $newSMTPDomainSetting.Name = “SmtpSvc/1/Domain/$incomingEMailDomainName“
             $newSMTPDomainSetting.Put() | Out-Null
             Write-Host -Foregroundcolor Green ” [OK] Successfully configured incoming email domain.”
       }
       catch
       {
             Write-Host -Foregroundcolor Red ” [Error] Unable to configure incoming e-mail domain.”
             Exit
       }
       Write-Host -Foregroundcolor White ” -> Configuring virtual SMTP server…”

       try
       {
             $virtualSMTPServer = Get-WmiObject IISSmtpServerSetting -namespace “ROOT\MicrosoftIISv2” | Where-Object { $_.name -like “SmtpSVC/1” }
             
             # Set maximum message size (in bytes)
             $virtualSMTPServer.MaxMessageSize = ($incomingEMailMaxMessageSize * 1024)

             # Disable session size limit
             $virtualSMTPServer.MaxSessionSize = 0

             # Set maximum number of recipients
             $virtualSMTPServer.MaxRecipients = 0

             
             # Set maximum messages per connection
             $virtualSMTPServer.MaxBatchedMessages = 0
             $virtualSMTPServer.Put() | Out-Null
             Write-Host -Foregroundcolor Green ” [OK] Successfully configured virtual SMTP server.”
       }
       catch
       {
             Write-Host -Foregroundcolor Red ” [Error] Unable to configure virtual SMTP server.”
             Exit
       }
}
Configure-SMTPService “sp.mydomain.local” 10240

Puppet部署:
configWinSMTPSVC.vbs

strComputer = "LocalHost"
 
Set objIIS = GetObject("IIS://" & strComputer & "/SMTPSVC/1")
Wscript.Echo "FullyQualifiedDomainName(Before): " & objIIS.FullyQualifiedDomainName
strFQDN = Trim(objIIS.FullyQualifiedDomainName)
If Instr(strFQDN,"517sou.net") = 0 Then
	objIIS.FullyQualifiedDomainName = "smtp.517sou.net"
	objIIS.SetInfo
End If
Wscript.Echo "FullyQualifiedDomainName(After): " & objIIS.FullyQualifiedDomainName
class configWinSMTPSVC {
    file { 'C:/Windows/Temp/configWinSMTPSVC.vbs':
    ensure => 'file',
	alias  => "configWinSMTPSVCvbs",
    source_permissions  => ignore,
    group  => 'Administrators',
	source => "puppet://puppet.zzy.com/files/windows/smtpsvc/configWinSMTPSVC.vbs",
  }
  exec { 'exec-configWinSMTPSVC':
    path      => $::path,
    command   => 'cmd.exe /c cscript.exe //Nologo C:/Windows/Temp/configWinSMTPSVC.vbs',
	require   => File['configWinSMTPSVCvbs'],
  }
}

Kubernetes系统架构简介

1. 前言

Together we will ensure that Kubernetes is a strong and open container management framework for any application and in any environment, whether in a private, public or hybrid cloud.

Urs Hölzle, Google

Kubernetes作为Docker生态圈中重要一员,是Google多年大规模容器管理技术的开源版本,是产线实践经验的最佳表现[G1] 。如Urs Hölzle所说,无论是公有云还是私有云甚至混合云,Kubernetes将作为一个为任何应用,任何环境的容器管理框架无处不在。正因为如此, 目前受到各大巨头及初创公司的青睐,如Microsoft、VMWare、Red Hat、CoreOS、Mesos等,纷纷加入给Kubernetes贡献代码。随着Kubernetes社区及各大厂商的不断改进、发展,Kuberentes将成为容器管理领域的领导者。

接下来我们会用一系列文章逐一探索Kubernetes是什么、能做什么以及怎么做。 继续阅读

获取Windows管理员用户名及对应的SID

GetAdminName.vbs:

'''''Code Start '''''
Wscript.Echo GetAdminName

Function GetAdminName 
	Set objNetwork = CreateObject("Wscript.Network") 	'get the current computer name
	objComputerName = objNetwork.ComputerName

	Set objwmi = GetObject("winmgmts:{impersonationLevel=impersonate}!//" & objComputerName)
	qry = "SELECT * FROM Win32_Account where Domain = '" & cstr(objComputerName) & "'" 'set query, making sure to only look at local computer

	For Each Admin in objwmi.ExecQuery(qry)
		if (left(admin.sid, 6) = "S-1-5-" and right(admin.sid,4) = "-500") then 	'look for admin sid
			GetAdminName = admin.name
		end if
	next
End Function

'''''Code End'''''

在.bat中获取.vbs返回值
GetAdminName.bat

@echo off
for /f "delims=" %%x in ('cscript //nologo t.vbs') do (
    set sFileName=%%x
)
echo %sFileName%
REM pause.

命令行查询用户对应的SID

C:\Users\Administrator>wmic useraccount where "SID like 'S-1-5-%-500'" get sid
SID
S-1-5-21-2837057897-1460117072-2570820871-500

E:\temp>wmic useraccount where "SID like 'S-1-5-%-%'" get caption,sid
Caption SID
SHANE-WORKPLACE\Administrator S-1-5-21-4246277841-3966888941-2683127511-500
SHANE-WORKPLACE\DefaultAccount S-1-5-21-4246277841-3966888941-2683127511-503
SHANE-WORKPLACE\Guest S-1-5-21-4246277841-3966888941-2683127511-501
SHANE-WORKPLACE\Shane.Wan S-1-5-21-4246277841-3966888941-2683127511-1001

Generating password hashes with puppet

Puppet expects the user’s password to be encrypted in the format the local system expects, for most modern Unix-like systems (Linux, *BSD, Solaris, etc.) this format is a salted SHA1 password hash.

To generate a password hash to use with puppet manifest files you can use the mkpasswd utility (it’s available in the whois package):

1
2
3
$ mkpasswd -m sha-512
Password:
$6$qfPDlAej83p$cj2nc1NjbKjhL42Mo/3Uia4NqD4dIB3ouVeI/tSG92UqH5cMKOA/ihjmxAuRtKHzGED0EHmdM0iNxa/662NW//

You can then use the password hash in a puppet manifest file:

1
2
3
4
user { 'root':
    ensure   => 'present',
    password => '$6$qfPDlAej83p$cj2nc1NjbKjhL42Mo/3Uia4NqD4dIB3ouVeI/tSG92UqH5cMKOA/ihjmxAuRtKHzGED0EHmdM0iNxa/662NW//',
}

Don’t forget to put the password in quotes so that puppet does not interpret it as a variable if it contains the dollar sign ($).

If you want the passwords to be stored in plain text in the puppet manifest you can use puppet’s generate function to call mkpassword and return the generated the hash version of the password:

1
2
3
4
5
$password = 'your_plain_text_password'
user { 'root':
    ensure   => 'present',
    password => generate('/bin/sh', '-c', "mkpasswd -m sha-512 ${password} | tr -d '\n'"),
}
References:

Manage the Root User Password on Linux

# https://gist.github.com/jeffmccune/2360984
# = Class: site::root_user
#
# This is a simple class to manage the root user password.
# The shadow hash of an existing password can be easily obtained
# by running `puppet resource user root` on a Linux system
# that has the desired root password already set.
# Puppet will then manage this password everywhere.
#
# First, I set the password to “puppet” on one Linux node and then get back the
# shadow hash.
#
# root@pe-centos6:~# passwd root
# Changing password for user root.
# New password:
# BAD PASSWORD: it does not contain enough DIFFERENT characters
# BAD PASSWORD: is too simple
# Retype new password:
# passwd: all authentication tokens updated successfully.
# root@pe-centos6:~# puppet resource user root
# user { ‘root’:
# ensure => ‘present’,
# comment => ‘root’,
# gid => ‘0’,
# groups => [‘root’, ‘bin’, ‘daemon’, ‘sys’, ‘adm’, ‘disk’, ‘wheel’],
# home => ‘/root’,
# password => ‘$6$7pe0INu/$Uxsn.lb/mJjd9394DIJx5JS9a1NVhrpWDpXRtPGS78/BfyShhOf1G0ft7mRHspXDZo6.ezyqpqIXHQ8Tl8ZJt0’,
# password_max_age => ‘99999’,
# password_min_age => ‘0’,
# shell => ‘/bin/bash’,
# uid => ‘0’,
# }
#
# = Sample Usage
#
# include site::root_user
#
# (MARKUP: http://links.puppetlabs.com/puppet_manifest_documentation)
class site::root_user {
# This will enforce the root password of “puppet”
user { root:
ensure => present,
password => ‘$6$7pe0INu/$Uxsn.lb/mJjd9394DIJx5JS9a1NVhrpWDpXRtPGS78/BfyShhOf1G0ft7mRHspXDZo6.ezyqpqIXHQ8Tl8ZJt0’,
}
}

How to enforce password complexity on Linux

On most Linux systems, you can use PAM (the “pluggable authentication module”) to enforce password complexity. If you have a file named /etc/pam.d/system-auth on RedHat (/etc/pam.d/common-password on Debian systems), look for lines that look like those shown below.

$ grep password /etc/pam.d/system-auth
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

That’s what you should expect to see on a new system.

By default, passwords must have at least six characters (see /etc/login.defs for possible changes). This is hardly long enough by current standards to consider passwords to be secure. You will have a much stronger password complexity policy if you change the first line to something like this, requiring longer passwords and ensuring a degree of complexity as well.

password requisite pam_cracklib.so try_first_pass retry=3 minlength=12 lcredit=1
ucredit=1 dcredit=1 ocredit=1 difok=4

Here’s what each of the available parameters does:

try_first_pass = sets the number of times users can attempt setting a good
  password before the passwd command aborts
minlen = establishes a measure of complexity related to the password length
  (more in a moment on this)
lcredit = sets the minimum number of required lowercase letters
ucredit = sets the minimum number of required uppercase letters
dcredit = sets the minimum number of required digits
ocredit = sets the minimum number of required other characters
difok = sets the number of characters that must be different from those in the
   previous password

That said, minlen is actually a measure of complexity, not simply length. It specifies a complexity score that must be reached for a password to be deemed as acceptable. If each character in a password added one to the complexity count, then minlen would simply represent the password length but, if some characters count more than once, the calculation is more complex. So let’s see how this works.
继续阅读

Linux、Windows Server Password Security Policy Strengthen

catalog

1. windows Security and Protection(Logon and Authentication)
2. windows密码强制安全策略
3. PAM(Pluggable Authentication Modules)
4. linux密码强制安全策略配置

 

1. windows Security and Protection(Logon and Authentication)

This page lists resources for logon and authentication in Windows Server 2003, which includes passwords, Kerberos, NTLM, Transport Layer Security/Secure Sockets Layer (TLS/SSL), and Digest. In addition, some protocols are combined into authentication packages, such as Negotiate and Schannel, as part of an extensible authentication architecture.

0x1: Create an extensive defense model

1. Educate your users about how to best protect their accounts from unauthorized attacks 
https://technet.microsoft.com/en-us/library/cc784090#BKMK_UserBP

2. Use the system key utility (Syskey) on computers throughout your network. The system key utility uses strong encryption techniques to secure account password information that is stored in the Security Accounts Manager (SAM) database. 
    1) The system key utility: https://technet.microsoft.com/en-us/library/cc783856
    2) create or update a system key: 

3. Define password policy that ensures that every user is following the password guidelines that you decide are appropriate 
https://technet.microsoft.com/en-us/library/cc784090#BKMK_PasswordPolicy

4. Consider whether implementing account lockout policy is appropriate for your organization. 
https://technet.microsoft.com/en-us/library/cc784090#BKMK_AccountLockout
 

继续阅读

如何在 Linux 上设置密码策略

用户帐号管理是系统管理员最重要的工作之一。而密码安全是系统安全中最受关注的一块。在本教程中,我将为大家介绍如何在 Linux 上设置密码策略

假设你已经在你的 Linux 系统上使用了 PAM (Pluggable Authentication Modules,插入式验证模块),因为这些年所有的 Linux 发行版都在使用它。 继续阅读