Tag : vbs

Automate Renaming and Joining a domain using vbs

This script will do the following:

  1. Rename the computer
  2. Copy the script locally
  3. Set a task to execute the script in 2 mins
  4. Restart the computer
  5. When the script runs again (step 3), it will see that the computer name matches the "domain" plus service tag serial and join the computer to the domain
  6. Restart the computer
  7. Delete itself from the local host

This script works with Windows XP. It can be modified to work with other versions of Windows, like 2000 and 7.

{code lang:vb id:13}{/code}

Back Door Admin Discovery and Removal

Scenario:

You are working with a computer in your domain and you discover an unknown user account in the Documents and Settings or Users (Windows 7) folder of the computer. You search your Active Directory for that user and don't find them. You then check the local users on the computer and find that this is a backdoor administrator. Then you have to ask several questions (I added my answers below each question):

  1. How did this local user account come to be on this computer?
    •  A boot disk was used to bypass the local security and create a backdoor administrator account.
  2. How did they compromise your security?
    • They were able to use F12 to gain access through the boot menu.
  3. Who is the most likely to be responsible for compromising the security of the system?
    • This computer was a student computer and is most likely caused by students.
  4. How far spread is this problem?
    • Upon checking several computers in this computer cart, I discovered it was a school-wide problem. =(
  5. How can we fix this?
    • Remove the Local Admin users
    • Remove ability to boot to USB drive and CD/DVD drive
  6. What is the next step?
    • Create a script to do it for me to all computers on the server!

 

Students created backdoor admin accounts with Hiren's Boot CD (http://www.hiren.info/pages/bootcd). It allows them to boot from the CD drive and add a backdoor admin that can be used to bypass the security of the domain.

 

The Solution

BIOS Settings

In the BIOS you will need to ensure the following:

  • The BIOS is password protected
  • In the boot order, remove the
    • USB Drive
    • CD Drive
    • Diskette Drive

Discover how widespread the problem is

To discover how widespread this problem is, I need to create a script that does several things. I first need it to go through a list of computers (within my Active Directory) and test whether each computer is on; if it is, I want it to get a list of all the local accounts with local administrator access to the machine.

Script for Discovering local admins in your domain.

Run this script as a domain admin

{code lang:vb id:11}{/code}

Explained:

This script looks at a list of computers located on a server. It will use the name on each line, then go to the next line. Once it has the computer name, it will check that the computer is online. If it is online, it will write to a file a list of the accounts in the local Administrators group. When the script is finished it will prompt "completed".

I ran it against my entire directory; it took about 45 mins and returned about 275 computers that were on.
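One way to write the audit described above, as an added example (not the author's original script). The file names computers.txt and local_admins.csv are assumptions, and the group name Administrators assumes an English-language Windows install.

```vbscript
' Added example. Assumed files: computers.txt (one name per line), local_admins.csv.
Option Explicit
Const ForReading = 1
Dim objFSO, objIn, objOut, strComputer
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objIn = objFSO.OpenTextFile("computers.txt", ForReading)
Set objOut = objFSO.CreateTextFile("local_admins.csv", True)
objOut.WriteLine "Computer,Member,Class,ADsPath"
Do Until objIn.AtEndOfStream
    strComputer = Trim(objIn.ReadLine)
    If strComputer <> "" Then
        If IsOnline(strComputer) Then
            ListAdmins strComputer
        Else
            objOut.WriteLine strComputer & ",,OFFLINE,"
        End If
    End If
Loop
objIn.Close
objOut.Close
WScript.Echo "Completed"

' True when the host answers a ping (StatusCode 0 means success).
Function IsOnline(strHost)
    Dim colPing, objStatus
    IsOnline = False
    Set colPing = GetObject("winmgmts:\\.\root\cimv2").ExecQuery( _
        "Select StatusCode From Win32_PingStatus Where Address = '" & _
        Replace(strHost, "'", "") & "'")
    For Each objStatus In colPing
        If Not IsNull(objStatus.StatusCode) Then
            If objStatus.StatusCode = 0 Then IsOnline = True
        End If
    Next
End Function

' Writes one row per member of the local Administrators group.
Sub ListAdmins(strHost)
    Dim objGroup, objMember
    On Error Resume Next
    Set objGroup = GetObject("WinNT://" & strHost & "/Administrators,group")
    If Err.Number <> 0 Then
        objOut.WriteLine strHost & ",,ERROR 0x" & Hex(Err.Number) & ","
        Exit Sub
    End If
    For Each objMember In objGroup.Members
        objOut.WriteLine strHost & "," & objMember.Name & "," & objMember.Class & "," & objMember.ADsPath
    Next
End Sub
```

In the output, local accounts typically show the computer name in the ADsPath (WinNT://DOMAIN/COMPUTER/name), while domain accounts and groups appear as WinNT://DOMAIN/name, which makes unexpected local members easy to filter out.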

Delete the Local Admins

This code will delete the local admin accounts based on their names.

{code lang:vb id:12}{/code}
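A removal script along the lines described here, as an added example (not the author's original code). The computer and account names are constructed placeholders, and the protected list is an added safeguard that the page does not mention.

```vbscript
' Added example: remove named rogue local accounts from named computers.
Option Explicit
Dim arrComputers, arrRogue, arrProtected, strComputer, strUser

' Constructed placeholder values; replace with names from your own audit.
arrComputers = Array("CART1-PC01", "CART1-PC02")
arrRogue = Array("backdoor1", "backdoor2")
' Accounts this script must never delete, even if listed by mistake (lower case).
arrProtected = Array("administrator", "guest")

For Each strComputer In arrComputers
    For Each strUser In arrRogue
        WScript.Echo strComputer & "\" & strUser & ": " & _
            RemoveLocalUser(strComputer, strUser)
    Next
Next

Function IsProtected(strName)
    Dim strItem
    IsProtected = False
    For Each strItem In arrProtected
        If LCase(strName) = strItem Then IsProtected = True
    Next
End Function

' Deletes one local account and returns a short status string for the log.
Function RemoveLocalUser(strHost, strName)
    Dim objComputer, objUser
    If IsProtected(strName) Then
        RemoveLocalUser = "skipped (protected)"
        Exit Function
    End If
    On Error Resume Next
    Set objComputer = GetObject("WinNT://" & strHost & ",computer")
    If Err.Number <> 0 Then
        RemoveLocalUser = "bind failed (0x" & Hex(Err.Number) & ")"
        Exit Function
    End If
    Set objUser = objComputer.GetObject("user", strName)
    If Err.Number <> 0 Then
        RemoveLocalUser = "account not found (or host unreachable)"
        Exit Function
    End If
    objComputer.Delete "user", strName
    If Err.Number = 0 Then
        RemoveLocalUser = "deleted"
    Else
        RemoveLocalUser = "delete failed (0x" & Hex(Err.Number) & ")"
    End If
End Function
```

This example deletes the account only; the profile folder on disk is left in place.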

The End Results

  • I removed the ability to boot to any device other than the hard drive.
  • Was able to list all the local admin accounts to determine the usernames of backdoor administrators
  • Ran a script that deleted the local admin accounts on the machines

In the end I was able to locate the local admins on each computer in my domain. I could then look for users that didn't belong in the local administrator group, adding each user to the script. Then I took each computer that had a rogue admin account and added it to the script. Running the final script will delete the users from the computers, all from the comfort of your chair!

See attached sample files for examples of the files used with this script.

Learning Visual Basic Scripting Variable Scope

My experiences with VBS Scripting.

 

You can't be a system admin in the school systems for very long without using a VBS script to get something done. We use a wide variety of scripts to help maintain our control over the hundreds of computers that we are faced with. I have even used scripts to delete backdoor admins that were created by the previous techs.

{code lang:vb id:8}{/code}

This script is a very simple representation of what a VBS script can do. Running this as a computer startup script will remove any trace of the specified user.

 

I have found that VBS scripts can be very forgiving in their usage.  An example of this is in the script above.

strComputer = "."

In most languages, this variable would need to be declared before you assign anything to it. VBS allows you to use a variable (strComputer) without declaring it first.

Another example of this same script seen here is written with several differences. 

 

{code lang:vb id:9}{/code}

This code does the exact same thing, but it is more formal in that everything is declared.

The line:

Option Explicit

means that the script will only run if all the variables are declared. You see this on line 2

Dim strComputer, strUser

where Dim declares strComputer and strUser, and the comma separates the variables. You could also see them declared like this:

Dim strComputer
Dim strUser  

Variable Scope

Another reason to declare variables at the beginning of the script is to define scope. What? OK: if you have one variable like strComputer that you need to use in two functions, it will need to be declared outside the functions.

 

{code lang:vb id:10}{/code}

In this example there are three variables.  The first is varNew and the second and third have the same name called testVar.  Because testVar only exists within each function – they are different.

If you run the script you would get the output shown in this image:

[Image: VarScope]

Functions

The next section of code calls a function, runScript(), and then has WScript.Quit.

runScript() tells the computer to find the function runScript() and execute its code block.

WScript.Quit tells the program to exit the script.
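The scoping rules described above in a short script, as an added example (not the code from the original post). varNew, testVar, runScript and WScript.Quit follow the names in the text; firstFunction and secondFunction are hypothetical names.

```vbscript
' Added example: script-level vs. function-level scope under Option Explicit.
Option Explicit
Dim varNew                        ' script level: visible inside every function
varNew = "set at script level"

runScript()
WScript.Quit

Function firstFunction()
    Dim testVar                   ' exists only inside firstFunction
    testVar = "first"
    firstFunction = "firstFunction: testVar=" & testVar & ", varNew=" & varNew
End Function

Function secondFunction()
    Dim testVar                   ' a different variable with the same name
    testVar = "second"
    secondFunction = "secondFunction: testVar=" & testVar & ", varNew=" & varNew
End Function

Function runScript()
    WScript.Echo firstFunction()
    WScript.Echo secondFunction()
    ' testVar was never declared in this function or at script level, so with
    ' Option Explicit the next line raises run-time error 500 (Variable is undefined).
    On Error Resume Next
    WScript.Echo testVar
    If Err.Number = 500 Then
        WScript.Echo "runScript: testVar is not visible here (error 500)"
    End If
End Function
```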

 

 

I will post more tutorials later on how to start scripting with VBS scripts.