Tokenized Runnas - Source Path Delima - KiXtart.org - official site

You are not logged in. [Log In] KiXtart.org website » Forums » KiXtart » Lounge » Tokenized Runnas - Source Path Delima

Page 1 of 1

1

Topic Options

#155533 - 2006-01-18 03:43 AM Tokenized Runnas - Source Path Delima
Deano Deano Lurker Registered: 2006-01-17 Posts: 3	I thought I posted this early.. but I do not see it. Pardon if this is redundant. We recently moved to Windows XP SP2 and learned that su no longer functions. The runnas utility is a great. However, I am looking for suggestions to resolve a problem. ENVIRONMENT We try to insure redundancy in our systems, and stive for simplistic solutions that we can maintain balanced with performance and security To this end we distribute our login scripts across the doamin using the netlogon share. The Kix32.exe, Runnas utilities are copied to C:\Windows for performance. Scripts are kept on the server for maintenance. We also have software download points distributed through out our sites. In our scripts we use three server variables. LogonServer, HomeServer, and DownLoadServer. The logon server is the first responding server. However, this is not always the closest server nor located on a high speed link. The DownLoadServer is the server located at the site accessible via a high speed link. The HomeServer houses thier default user directory and shared file location. For roaming users the HomeServer may not be local. By default the main body of our script runs as user level. Configuration checks can typically be performed as user, and a script with elevated rights called when required. Some components are simple and mearly update a registry pointer for a network license manager for a roaming client. Others begin the installation of service packs. When we need to call another script we typically reference the LogonServer. This LogonServer is reference because a) it is up and running (fault tolerance), b) first responder (least busy) and c) the next script is a small file and does not burden the link. If we need to reference a script may perform a software update, we reference the DownLoadServer location for the script. As you can see the source of execution is dynamic. The problem we encounter is with the tokenized files. Though we can successfully pass parameters to this script, example $DownLoadServer=\\ServerName, this only influences what this script will act on. It does not change the path used to run the tokenized script. Example \\SeverName\Netlogon\ScriptName. The immediate problem is that this entry is static and not dynamic. It will not allow for fault tolerance nor dynamically allocating a download point. I have a few solutions that I can think of but each has it's draw backs. a) Build a seperate tokenized script for each server. Use LogonServer to call the appropriate script with the desired path recorded. PRO - Will work, CON, Maintenance intensive and does not allow for dynamically adding and removing servers. b) Use DNS alias records to provide primary and secondary names, or use a round robin approach. PRO Will reduce to a single script and provide redundancy CON Will not select based on performance, nor best path. If link is down, it may need to timeout on dozens of servers before hitting the correct one causing excessive delays c) Copy all tokenzid scripts to a local directory on the workstation with a common reference point. PRO - Will work and eliminates tracking servers. CON - Increased difficulty to maintain scripts. Problems can cause users to reference outdated scripts. d) Map a drive to the logon shared and use the drive letter to referenece scripts on the server. PRO - Will work and eliminates maintenanc and redundancy issues, CON - NET USE can take 10-15 seconds to execute over a slow link. (When you are already mapping 3 drives the delays mount) e) Enhancement request??? Modify runnas to allow passing of the executable path for a tokenized script! Example... runnas /user cmd /password ... /Exepath:LServer\Netlogon I know security... security. The utility has a built in /crc checker so it can perform validation of the executable that is distributed across the logon shares. The utility would need to reference this location as the default path in the event the cmd is "SourcePath\KIX32.exe SourcePath\Script.KIX" Is this a reasonable request to submit for the Runnas command or am I just overlooking the obvious? These are a few methods I can think. I would appreciate any recommendations or suggestions you have on the subject. Thanks in advance! Edited by Deano (2006-01-18 03:56 AM)
Top

#155534 - 2006-01-18 02:31 PM Re: Tokenized Runnas - Source Path Delima
Shawn Shawn Administrator Registered: 1999-08-13 Posts: 8611	Hey Deano. Such a well thought-out and articulate request deserves immediate attention. I like your idea. Want to propose two thoughts ... 1) Would it "help" in your situation if environment variables used in the command line were "saved" unresolved (unexpanded) to the token file. Then - when the token file is executed, the environment variable is resolved "at runtime" ? The user may be able to "spoof" the late-bound environment variable though. 2) I love your idea of breaking-out the command line into separate arguments, then allow one to over-ride SOME aspects of it ... like you suggested, how about something like: runnas /user:joe /pass:xxx /exe:notepad.exe /path:c:\windows\system32 /args:file.txt then, you tokenize it, and then can override the following: runnas notepad.tok /path:%logonserver% /args:file2.txt Plus - I would like to get the opinions of the "security experts" on the board here - to give their thoughts. But other than that - I think its a go.
Top

#155535 - 2006-01-18 02:41 PM Re: Tokenized Runnas - Source Path Delima
Shawn Shawn Administrator Registered: 1999-08-13 Posts: 8611	btw - a runtime check would be done on this: /path:\\server\folder to ensure that \\server\folder actually existed and that it IS INDEED A FOLDER - and not some file (executable or otherwise) ...
Top

#155536 - 2006-01-18 02:44 PM Re: Tokenized Runnas - Source Path Delima
Radimus Radimus Moderator Registered: 2000-01-06 Posts: 5187 Loc: Tampa, FL	This post need to be archived in the FAQ to show how to post a question. Imagine, someone with a question that supplies details of their problem and environment... amazing. _________________________ How to ask questions the smart way <-----------> Before you ask
Top

#155537 - 2006-01-18 03:38 PM Re: Tokenized Runnas - Source Path Delima
Shawn Shawn Administrator Registered: 1999-08-13 Posts: 8611	ok, i re-read your great post again - and realized that we may need more than just simple exe path substitution here .... like you said, if you have a commmand like like this: <server1>\kix32.exe <server2>\script.kix you would want to be able to override <server1> and <server2> (not just the executable path) ... can think of two options ... 1) Encode the command line using custom %environment% variables, then (kinda like SU used to do) you set the variables at runtime ... SET "path1=\\whatever" SET "path2=\\whatever" SHELL "runnas file.tok" 2) You encode the command line using (like you said) special "tokens", like this: runnas "<path1>\kix32.exe <path2>\myscript" then, at runtime, fill-in the tokens with command-line switches: runnas file.tok /path1:\\whatever /path2:\\whatever
Top

#155538 - 2006-01-18 04:25 PM Re: Tokenized Runnas - Source Path Delima
Shawn Shawn Administrator Registered: 1999-08-13 Posts: 8611	I just tried/tested option one (environment variables like SU) ... works a charm and I can provide an exe for you to try ... I still think I prefer the second option though ... even though the first is more basic and SU-like ... I never did like having to (remember) to set those environment variables. Plus - im not a huge security-freak myself, but my internal security alarm is slightly "buzzing" as i think about this stuff. Much would depend on the command line that you crafted - how "exposed" you would be. And in some case, the only thing that would "save your bacon" is the CRC check. Plus dont forget, the CRC check is only for the EXE - not for a script you may call. So in some cases, you might be exposed.
Top

#155539 - 2006-01-18 05:28 PM Re: Tokenized Runnas - Source Path Delima
Shawn Shawn Administrator Registered: 1999-08-13 Posts: 8611	This "environment variable" thing is kinda tricky ... the thing is ... in which "user context" should the variables get resolved ... the callers or the called ? For example if using %USERPROFILE% - should it use the caller's (users) %userprofile% or should it use the %userprofile% of the userid your running it under. Dynamic environments variables that have been SET up-front, can only be resolved in the CALLERS context.
Top

#155540 - 2006-01-18 06:09 PM Re: Tokenized Runnas - Source Path Delima
Shawn Shawn Administrator Registered: 1999-08-13 Posts: 8611	Sorry for my ramblings here ... just dawned on me - thats why Microsoft built-in the /ENV switch to runas ... so that the CALLERS environment block is substituted into the CALLEES environment block ...
Top

#155541 - 2006-01-19 03:48 PM Re: Tokenized Runnas - Source Path Delima
Shawn Shawn Administrator Registered: 1999-08-13 Posts: 8611	Deano ... I have a new release that will probably suit your needs. Find it here: RUNNAS - Tokenized Runas Utility Hey, are you still with us or am I just talking to myself ? ;0) (Thats ok if your not, I do alot of that anyways, just ask my wife).
Top

#155542 - 2006-01-20 01:39 AM Re: Tokenized Runnas - Source Path Delima
Deano Deano Lurker Registered: 2006-01-17 Posts: 3	Shawn - Thank you for looking into this! I am sorry I have not been responsive. I have been out of town for a couple of days. I apprecaite all of the time you have put into this. I will download the utility first thing tomorrow. Thanks again! Dean
Top

#155543 - 2006-01-20 03:05 AM Re: Tokenized Runnas - Source Path Delima
Shawn Shawn Administrator Registered: 1999-08-13 Posts: 8611	Hey Dean, it was my pleasure. You had some fine suggestions there. Looking forward to hearing any results.
Top

#155544 - 2006-01-21 04:37 AM Re: Tokenized Runnas - Source Path Delima
Deano Deano Lurker Registered: 2006-01-17 Posts: 3	Shawn - I have run through a few tests today. I checked it first for backward compatability so as not to break the couple of scripts I had already converted. So far so good. I build a few additional ones today using the additional parameters and from what I can tell so far everything is working. I did not have a chance to disable the NetLogon shared and verify the scripts rolled over to the next available @LServer. I will continue on this Monday. However, one thing I did notice is that the title bar displayed the password stored in the tokenized script. Just thought you would want to know. Thanks again for all of your help. I will let you know how the rest of my tests go.
Top

#155545 - 2006-01-21 04:48 AM Re: Tokenized Runnas - Source Path Delima
NTDOC NTDOC Administrator Registered: 2000-07-28 Posts: 11631 Loc: CA	Quote: However, one thing I did notice is that the title bar displayed the password stored in the tokenized script There you go, now THAT'S SECURITY I guess you need some more regression testing there Shawn
Top

#155546 - 2006-01-21 05:14 AM Re: Tokenized Runnas - Source Path Delima
Shawn Shawn Administrator Registered: 1999-08-13 Posts: 8611	hmmmm, i have yet to see anything like that in my testing ... can i see an example of your command lines ?
Top

#155547 - 2006-01-21 05:25 AM Re: Tokenized Runnas - Source Path Delima
Allen Allen KiX Supporter Registered: 2003-04-19 Posts: 4567 Loc: USA	LOL! No one would ever think to look for the password there... Now I can safely remove my sticky note from the bottom of my keyboard. BTW Shawn...I've been reading these posts with great interest... I'm looking forward to the next time I need to do something with this. Looks good so far.
Top

#155548 - 2006-01-21 05:26 AM Re: Tokenized Runnas - Source Path Delima
Shawn Shawn Administrator Registered: 1999-08-13 Posts: 8611	I just put out a slightly modified version of runnas, that treats the title a little different ... but when you saw the password, were you running an older token file against the newer runnas - because if so, all bets are off on that.
Top

#155549 - 2006-01-21 05:39 AM Re: Tokenized Runnas - Source Path Delima
Shawn Shawn Administrator Registered: 1999-08-13 Posts: 8611	ok i just replicated it - you ran an old token file with the new runnas - let me see if i can fix that. laugh it up boys.
Top

#155550 - 2006-01-21 06:07 AM Re: Tokenized Runnas - Source Path Delima
NTDOC NTDOC Administrator Registered: 2000-07-28 Posts: 11631 Loc: CA	Nah! Not laughing it up Shawn. These are the normal aches and pains that one goes through to create really useful software. You've gone the extra mile where no one else has seemed to have gone with this and it's idea has been around for many years now.
Top

#155551 - 2006-01-21 06:24 AM Re: Tokenized Runnas - Source Path Delima
Shawn Shawn Administrator Registered: 1999-08-13 Posts: 8611	ok deano - i just posted (yet another) build (1.12 double check to make sure you got that version) that has a much improved tokenfile reader - in fact, this new version of runnas should probably be able to read and execute that old token file you had kicking around. give it a go and advise.
Top

#155552 - 2006-01-21 02:50 PM Re: Tokenized Runnas - Source Path Delima
Les Les KiX Master Registered: 2001-06-11 Posts: 12734 Loc: fortfrances.on.ca	Hate to say "I told you so" but did we not chat about version checking and backward compatability? _________________________ Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.
Top

Page 1 of 1

1

Previous Topic

Previous Topic View All Topics

View All Topics

Index Next Topic

Next Topic

Moderator: Arend_, Allen, Jochen, Radimus, Glenn Barnas, ShaneEP, Ruud van Velsen, Mart

Hop to:

Shout Box

Who's Online

0 registered and 302 anonymous users online.

Newest Members

Sir_Barrington, batdk82, StuTheCoder, M_Moore, BeeEm
17886 Registered Users

Generated in 0.075 seconds in which 0.023 seconds were spent on a total of 12 queries. Zlib compression enabled.

click tracking