Monday, February 28, 2011

Using SCP to copy files between hosts

To copy remote file to your filesystem use the following syntax:
scp your_username@remotehost.edu:foobar.txt /some/local/directory

To copy local file to remote filesystem use the following syntax:
scp foobar.txt your_username@remotehost.edu:/some/remote/directory

To copy folder to a remote filesystem use
scp -r foo your_username@remotehost.edu:/some/remote/directory/bar

Thursday, February 24, 2011

Procmon - little handy tool

Recently, I've faced a problem, when wrong GPO from old misconfigured Windows Server 2003 DC applied to newly installed Windows Server 2008. There was a lot of issues related to wrong registry and file system permissions (the only things that doesn't restore to a previous state after removing GPO), so different services, such as Terminal services, couldn't start and produced a lot of errors. The only tool that helped me was Procmon. It allows to see real-time operations of operating system, check all "Access denied" errors and much more. Now everything works just fine.

Assigning restrictions to logon locally, accessing computers from the network and other interesting user permissions on Windows

Today's task was to secure access to the Microsoft Windows 2008 server using GPO. That's an interesting topic to play with because there is a lot of different combinations exists to accomplish this. A combination of local and domain policies, NTFS permissions can be used. Here I will try to post a conclusions that arised after this work.
First of all I would like to talk about NTFS permission named "Traverse Folder". That's a very interesting permission because it allows us to tighten security to a highest level. Let's make an example. Let's say we want to access a folder under the following path: "C:\lala\dada\KEY". For user "Tony" to access folder "KEY" he has to have NTFS permissions for it, but not only for it. What about parent folders? In fact, he has to have a "Traverse Folder" permission on all the parent folders to access "KEY" folder. So we should modify all the parent folders permissions to give "Tony" access to "KEY"? Not at all. By default, GPO assign the following "User Right": "Bypass Traverse Checking" to "Administrators, Backup Operators, Users, Everyone, Local Service and Network Service" on workstations and servers and "Administrators, Authenticated Users, Everyone, Local Service, Network Service and Pre-Windows 2000 Compatible Access" on Domain Controllers.
This is the link to Microsoft support article that describes different incompatibilities that may appear after wrong modification of critical user rights like "Allow logon locally", "Access this computer from the network" etc.