Shelling out to a command prompt from within an Office application

Earlier today I needed to shell out to a command prompt from a locked-down desktop PC. With only a limited set of icons and no access to the Run dialog from the Start Menu, I asked a colleague if he knew any back doors in the client build. He showed me this neat method for shelling out to pretty much anything you like from within an Office application:

  1. Open Microsoft Word, Excel, Outlook or another application that supports Microsoft Visual Basic for Applications (VBA).
  2. Select Macro, then Visual Basic Editor from the Tools menu (or type Alt-F11).
  3. Select Module from the Insert menu and enter the following code in the Module window:
    Sub Main()
        Dim x
        ' Shell() starts the named program and returns its task ID
        x = Shell("cmd.exe")
    End Sub
  4. Select Run Sub/UserForm from the Run menu (or type F5) and a new instance of cmd.exe will be launched.

The security implications of this could be severe, but as an administrator it’s a useful trick to know.
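From the administrator's side, the trick above leaves a recognisable trace: an Office process becomes the parent of cmd.exe. The following added example (not code from the original post) flags that parent/child pairing in process-creation events; the key=value event format, the field names and the sample events are all constructed for the illustration, and the set of flagged child images is widened beyond cmd.exe to the other common script hosts a macro can launch the same way.

```python
from __future__ import annotations
import ntpath

# Office applications that host VBA, and the shells/script hosts to flag when
# they appear as a child of one of those applications (assumed lists).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe", "msaccess.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}

def parse_event(line: str) -> dict[str, str]:
    """Parse a constructed 'Key=Value|Key=Value' process-creation line into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields

def basename(path: str) -> str:
    """Lower-cased file name of a Windows path; ntpath handles backslashes on any OS."""
    return ntpath.basename(path).lower()

def classify(event: dict[str, str]) -> str | None:
    """Return an alert string if an Office application spawned a shell, else None."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if parent in OFFICE_PARENTS and child in SHELLS:
        return f"office-shell-spawn: {parent} -> {child} ({event.get('CommandLine', '')})"
    return None

def scan(lines: list[str]) -> list[str]:
    """Run classify() over every non-empty event line and collect the alerts."""
    return [a for a in (classify(parse_event(l)) for l in lines if l.strip()) if a]

# Constructed sample events (not real telemetry): one Word-spawned cmd.exe,
# one ordinary cmd.exe from Explorer, one Excel launch, one Outlook-spawned wscript.
SAMPLE_EVENTS = [
    r"Image=C:\Windows\System32\cmd.exe|ParentImage=C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE|CommandLine=cmd.exe",
    r"Image=C:\Windows\System32\cmd.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=cmd.exe",
    r"Image=C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE|ParentImage=C:\Windows\explorer.exe|CommandLine=excel.exe",
    r"Image=C:\Windows\System32\WScript.exe|ParentImage=C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE|CommandLine=wscript.exe macro.vbs",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

On a real estate the same check would run over process-creation audit events rather than the constructed lines, and a legitimate-use allowlist would be needed for add-ins that do spawn helpers.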

Priority order for the application of GPOs

The group policy management console (GPMC) integrates group policy functionality from a variety of Active Directory administrative tools into a single, unified console dedicated to group policy management tasks. One of the many useful features of GPMC is the ability to carry out group policy modelling, for example when diagnosing issues with GPO application.

Policies are applied in the following order:

  1. Local
  2. Site
  3. Domain
  4. Organizational unit (OU)
  5. Child OU
  6. [Child OU etc.]

When a container (site, domain or OU) has links to multiple GPOs, these can be assigned a link order to designate an order of precedence. Sounds straightforward enough, except that to me, the term “link order” suggests the order in which links to GPOs are applied – i.e. 1, then 2, then 3, etc. In that way, if GPO a (with link order 1) is overridden by a setting in GPO b (with link order 2), then GPO b (second to be applied) would be the winning GPO. Except that it doesn’t work that way!

Microsoft’s Group Policy Management Console Technical Reference provides a full description of how GPMC can be used, and provided me with a gem of information that seems to me totally illogical, but solved a problem I’ve been struggling with this afternoon:

“When a container has multiple GPO links, administrators can use GPMC to manipulate the link order for every container. GPMC assigns each link a link order number; the GPO link with link order of 1 has highest precedence on that container.”

The GPO with link order 1 has the highest priority – i.e. it is applied last! I switched the policy link order and now the resultant set of policies is exactly the way I need it to be.
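The two rules above (containers are applied Local, Site, Domain, OU, Child OU; within a container link order 1 is applied last and so wins) are easy to get backwards, so here is an added example, not code from the original post, that resolves the winning value of one setting from a constructed set of GPO links. It reproduces the GPO a / GPO b scenario from the text and adds a child OU link to show that container order still takes precedence over link-order numbers; Enforced links, Block Inheritance and WMI or security filtering are assumed absent and are not modelled.

```python
from __future__ import annotations

# Containers in the order their linked GPOs are applied; later containers win.
CONTAINER_ORDER = ["Local", "Site", "Domain", "OU", "Child OU"]

def resolve(setting: str, links: list[dict]) -> tuple[str | None, list[str]]:
    """Apply every link in processing order and return (winning value, trace).

    Each link is a dict with keys container, link_order, gpo and settings.
    Within one container the highest link-order number is applied first and
    link order 1 last, so the link-order-1 GPO overwrites the others.
    """
    value = None
    trace = []
    for container in CONTAINER_ORDER:
        in_container = [l for l in links if l["container"] == container]
        for link in sorted(in_container, key=lambda l: l["link_order"], reverse=True):
            if setting in link["settings"]:
                value = link["settings"][setting]
            trace.append(f'{container}:{link["gpo"]}(link {link["link_order"]})')
    return value, trace

# Constructed links (illustrative setting name): in the Domain container GPO a
# has link order 1 and GPO b link order 2; a child OU also configures the setting.
SETTING = "Remove Run menu from Start Menu"
LINKS = [
    {"container": "Domain", "link_order": 1, "gpo": "GPO a",
     "settings": {SETTING: "Enabled"}},
    {"container": "Domain", "link_order": 2, "gpo": "GPO b",
     "settings": {SETTING: "Disabled"}},
    {"container": "Child OU", "link_order": 3, "gpo": "GPO c",
     "settings": {SETTING: "Disabled"}},
]

if __name__ == "__main__":
    winner, applied = resolve(SETTING, LINKS[:2])
    print("Domain only:", winner, "via", " -> ".join(applied))
    winner, applied = resolve(SETTING, LINKS)
    print("With child OU:", winner, "via", " -> ".join(applied))
```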

SP1 for Windows SharePoint Services and SharePoint Portal Server 2003

Microsoft has two information sharing and collaboration platforms for Windows Server 2003:

  1. Windows SharePoint Services (WSS)
  2. SharePoint Portal Server 2003 (SPS)

Service pack 1 has been released for each of these platforms and is available from the Microsoft website (WSS, SPS). SPS SP1 requires WSS SP1 to have been installed. Once installed, neither of these updates can be removed.

Full details of WSS SP1 are available in Microsoft knowledge base article 841876. Similarly, full details of SPS SP1 are available in Microsoft knowledge base article 841883.

Note that if multiple WSS servers are being used in a web farm, these should all be updated to SP1 at the same time as described in Microsoft knowledge base article 875358. For SPS, see Microsoft knowledge base article 875371.

The Windows SharePoint Services Administrator’s Guide has been updated for SP1 and there is also a SharePoint Portal Server Administrator’s Guide.

Migration tool for IIS web applications

Microsoft have released the Internet Information Services (IIS) 6.0 Migration Tool – a command line tool that automates several of the steps involved in migrating a web application (configuration data, site content and application settings) from IIS 4.0, IIS 5.0 or IIS 6.0 to a clean installation of IIS 6.0.

Should you run the Windows Firewall, a third party firewall, or both?

“Which firewall should I use?” – it’s an interesting question. Microsoft are positioning the Windows Firewall (part of Windows XP service pack 2) as a major leap forward in terms of network protection, and it is; but there are many good third-party firewall products out there. Should you use the Windows Firewall? Should you use your third-party product? Should you use both?

According to the Windows IT Pro magazine network (formerly the Windows and .NET magazine network) Windows Tips and Tricks Update, Microsoft issued the following statement in response to such questions from their customer base:

“We strongly recommend that users run only one host firewall on their system. Yes, the XP SP2 Windows Firewall can coexist with third-party firewalls, but multiple firewalls don’t make you safer. Running multiple firewalls just means you have to configure the settings in multiple places (e.g., opening ports for each firewall you run). For anyone who wants to keep using a third-party firewall after installing XP SP2 – for example, because they like some of the extra features – we suggest they turn off the Windows Firewall. We have already advised third-party firewall vendors to programmatically turn off the Windows Firewall in their future releases, so this will eventually be automatic.

We don’t have any specific guidance as to whether people should use the built-in XP SP2 Windows Firewall or use a third-party product. We absolutely believe that people who don’t already have host firewalls should run the Windows Firewall in XP SP2. Almost all firewalls on the market (including the Windows Firewall) provide good security; it then boils down to what features and capabilities people want. The Windows Firewall, for example, doesn’t do any alerting or intrusion detection. Neither does it offer outbound filtering capabilities. The Windows Firewall focuses on preventing attacks from successfully penetrating a system, but it doesn’t do anything to protect systems once bad software is locally installed. Some other products also have better diagnostics and centralized reporting than the Windows Firewall (which has no reporting whatsoever). I don’t believe people are “safer” running third-party firewalls, but there may be some features in these products that they would like to have.”

Whatever the answer, in today’s climate, and in line with the security principle of defence in depth, we should all seriously consider the use of a firewall on all PCs, and the Windows Firewall is a good starting point.