Monday, April 20, 2015

Blocking Cyber Attacks on Windows Servers using CyberArms software and PowerShell scripts

Recently the number of audit failures on our Remote Desktop and IIS servers has increased drastically in the last month.
List of IP addresses found here.
Found this program for our 2012 servers (or any RDP using TLS)

CyberArms Intrusion Detection and Defence System

Default config...
After 3 failed login attempts, it would temporarily block the IP for 20 minutes. (Soft Lock)
After 10 login attempts, it would block the IP for 24 hours. (Hard lock)
-There is the option to hard lock the IP address forever.

1) No option to customized notification emails. -wanted to include
2) Cannot white-list a service provider only IP addresses.
3) No Response to inquiry about their products and licensing.

Since the program creates an event log for when it blocks the IP address, a PowerShell script was created to add firewall rules (permanent rules) and send email notifications out with detailed information.

The original PowerShell script just sent out emails with the server name when an event log with 4001 or 9001 is created in the "CyberArms" event log.

It worked great on our 2012 servers, however 2008 stored the Event log data with extra returns and spaces in the IP addresses.  In testing it caused the local network to be blocked via firewall.  Good thing it was a virtual machine and could still be access through Virtual Center.

Updated the PowerShell script to distinguish between 2008 and 2012 servers.

Another VBscript was created to manually delete any firewalls from 'trusted' IP addresses using netsh from another computer.

After the first weekend having to check each IP address and manually delete the rules got old and time consuming.

The next revision of the script added NSlookup to a ProviderLookup function in the script.

The ProviderLookup function was created to allow certain IP addresses or provider names (provided by NSLookup) to be unblocked automatically.

Example if NSlookup returned a provider name with "" in it, then we trusted it and the firewall was deleted.

Emails now include the IP address, the provider information and if the rule was deleted.

Install CyberArms software
Enable any security agents in CyberArms
Download PowerShell Script "CyberArms Eventlog Script.txt"
- Rename to .PS1 and change "DOMAIN.CA" and email settings.
Create Task Sequence to run the script when event 4001 or 9001 is logged.

Update - April 21, 2015

The ProviderLookup function will now include Country and ISP information extracted from if it cannot find a DNS name for the IP address.

Future options
1) Create the same firewall rule on more that one server via PowerShell Array variable.
2) Create a pause between rule creation and rule deletion, just in case there was malicious intentions.
- probably use a ping command to for 10 minutes then have it delete the rule.
3) Working on cleaning up the ProviderLookup function so that certain ISP names will be allowed.

Thursday, April 2, 2015

Removing a Lync Contact using Powershell and XML

Back in February I posted about adding contacts to Lync Groups.
However, what happens when you spell the contact address wrong and you just imported that into your 1000+ clients contact list...

Well, you need to find a way to remove the contact from the XML file.
I could have restored the backup files to the user accounts... but didn't think of that until I got this solution working. *

After trying to create an XML script tath use the same script in the previous post, but this time we will replace the offending string with blanks.

Add this to the Configurable Variables section
#Delete this line from XML
$Variable = @'
<Contact Buddy="" SubscribePresence="1" Groups="1 20" />
$CommonContact = "" # The one that is spelled wrong.

In the Process-Contacts Function,

Change If ($ContactsToAdd) to If ($ContactsToAdd) 

Remove the $ContactsToAdd section and replace it with.

$DeleteRecord = (Get-Content "$WorkingFolder\DocItemSet.xml") |
    ForEach-Object {$_ -replace $Variable, ""} |
    Set-Content "$WorkingFolder\DocItemSet.xml"

* This does remove the contact from the user's visual list of contacts.  However, when the user's contact info is exported, the old contact is still there just not listed in any groups which is why it doesn't appear in the client.

In short, double check spelling and try it on a test account.

To change the script from all users to 1 users change...
$AllSipAddresses = Get-CsUser -Identity -Filter {Enabled -eq $True} | Select SipAddress | %{$_.SipAddress.Replace('sip:','')}

Original Post about adding groups found here on Roland Paix's IT Blog

More on the custom Lync rooms found here.