Jan 30, 2012

Configure Windows via a batch script

While I primarily use *nix based systems at home and work, I am sometimes called upon to administer Windows boxes. I have finally done some basic research into automating those tasks; behold, my Windows configuration batch script!

Note: This script must be run from an elevated (Administrator) command prompt. It also disables Remote Desktop (TermService), WinRM and Remote Registry and blocks all inbound traffic, so do not run it over a remote session you still need.

@ECHO OFF
REM Create a local account called Guard (this alone sets no password)
net user Guard /add
REM Set the start type of unneeded services to Disabled. This only affects
REM the next boot; a service that is already running keeps running until
REM it is stopped or the machine restarts.
sc config "CertPropSvc" start= disabled
sc config "Browser" start= disabled
sc config "UxSms" start= disabled
sc config "DPS" start= disabled
sc config "TrkWks" start= disabled
sc config "IKEEXT" start= disabled
sc config "PcaSvc" start= disabled
sc config "EMDMgmt" start= disabled
sc config "RasAuto" start= disabled
sc config "RasMan" start= disabled
sc config "RemoteRegistry" start= disabled
sc config "SCardSvr" start= disabled
sc config "SCPolicySvc" start= disabled
sc config "LanmanServer" start= disabled
sc config "TabletInputService" start= disabled
sc config "TermService" start= disabled
sc config "WebClient" start= disabled
sc config "idsvc" start= disabled
sc config "wcncsvc" start= disabled
sc config "WMPNetworkSvc" start= disabled
sc config "WinRM" start= disabled
sc config "WinHttpAutoProxySvc" start= disabled
sc config "AppMgmt" start= disabled
sc config "WdiServiceHost" start= disabled
sc config "WdiSystemHost" start= disabled
REM Outbound allow rules: web ports to one host, mail ports to anywhere, and
REM anything on the local subnet. Added before the default policy is flipped to block.
netsh advfirewall firewall add rule name="Rule1" dir=out action=allow protocol=tcp remoteport=80,8080,8443,443 remoteip=10.0.0.60 profile=any
netsh advfirewall firewall add rule name="MAIL" dir=out action=allow protocol=tcp remoteport=110,143,993,995,25,587,465 remoteip=any profile=any
netsh advfirewall firewall add rule name="LOCAL" dir=out action=allow protocol=tcp remoteport=any remoteip=localsubnet profile=any
REM Default-deny in both directions on all three profiles, then make sure the firewall is on.
netsh advfirewall set domainprofile firewallpolicy blockinbound,blockoutbound
netsh advfirewall set privateprofile firewallpolicy blockinbound,blockoutbound
netsh advfirewall set publicprofile firewallpolicy blockinbound,blockoutbound
netsh advfirewall set domainprofile state on
netsh advfirewall set privateprofile state on
netsh advfirewall set publicprofile state on


A quick rundown of what this script actually does:
  • sc is the Service Control tool for talking to the Windows service manager. config ... start= disabled sets each listed service's start type to Disabled so it will not start at the next boot; it does not stop a service that is already running (use sc stop "Name" or net stop "Name" for that). The list removes remote management and sharing surface (Remote Desktop via TermService, WinRM, RemoteRegistry, the LanmanServer file and print server, the WebClient WebDAV client) along with things a locked-down box rarely needs (smart card, RAS, tablet input, media sharing).
  • netsh advfirewall configures the Windows Firewall. The script first adds three outbound allow rules (web ports to the single host 10.0.0.60, mail ports to anywhere, and everything on the local subnet), then sets the default policy for all three profiles (domain, private and public, not just the domain) to block inbound and outbound, and finally makes sure the firewall is on in every profile. After that only traffic matched by an enabled allow rule gets out: these three plus whatever built-in rules are still enabled, which you can list with netsh advfirewall firewall show rule name=all dir=out.
  • net user Guard /add creates a new local user called Guard. As written it sets no password, so follow it with net user Guard * to set one, or the account is usable with a blank password.

Jan 11, 2012

Tomcat Configuration

For those keeping track, I have been playing with Tomcat. And I have mentioned the lack of useful tutorials out there. So here is one I made to (hopefully) fill in the gap! If you have any questions just ask away in the comments!

What you need:

  • Apache Tomcat
  • This guide was done with CentOS, but should be applicable to other Linux distributions

Summary:

This guide will take you through some steps to ensure Tomcat just works. I am trying to be as thorough as possible so some of these steps may not be applicable to you.

Here we go....

  1. First, install Tomcat5. I just use the CentOS repository since that is the easy way to pick up security patches and fixes; purists will prefer to build from source. Each to their own; if you choose to do it my way, enter the following at the command prompt:

    sudo yum install tomcat5

  2. Find out which Java you are running, so we can set the variables correctly:

    /usr/sbin/alternatives --display java

    Our system is configured to use /usr/lib/jvm/jre-1.6.0-openjdk/bin/java, so the Java home directory is /usr/lib/jvm/jre-1.6.0-openjdk/ (the reported path without the trailing bin/java).

  3. Now edit the Tomcat5 configuration file so it uses that Java installation. Edit /etc/tomcat5/tomcat5.conf with your own values:

    # you could also override JAVA_HOME here
    # Where your java installation lives
    JAVA_HOME="/usr/lib/jvm/jre-1.6.0-openjdk/"
    # Time to wait in seconds before killing the process on shutdown
    # Lower this value for testing so you are not left waiting
    SHUTDOWN_WAIT=10
    # Connector port is 8080 for this tomcat5 instance
    # It must match the Connector port in server.xml as well
    CONNECTOR_PORT=8080

  4. Edit /etc/tomcat5/server.xml with your desired configuration (at minimum, make sure the HTTP Connector's port matches CONNECTOR_PORT above).

  5. Start Tomcat5 and, if you want it back after a reboot, enable it for the multi-user runlevels:

    sudo /etc/init.d/tomcat5 start
    # To start tomcat on reboot run the following
    sudo chkconfig --level 235 tomcat5 on
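
The steps above boil down to two things that have to agree: the JAVA_HOME you put in tomcat5.conf must be a real Java installation, and CONNECTOR_PORT must match the Connector in server.xml. The following is an added example, not code from the original post, that derives JAVA_HOME from the output of alternatives --display java and runs those two checks before you start Tomcat. The sample alternatives output and the fixture directory layout are constructed for illustration; on a real box the files live under /etc/tomcat5.

```shell
# Added example, not code from the original post: derive JAVA_HOME from the
# output of `alternatives --display java` and sanity-check tomcat5.conf against
# server.xml before starting Tomcat. The sample output and the fixture layout
# below are constructed for illustration; real paths live under /etc/tomcat5.

# The line of `alternatives --display java` that matters looks like
#   link currently points to /usr/lib/jvm/jre-1.6.0-openjdk/bin/java
# and JAVA_HOME is that path without the trailing /bin/java.
java_home_from_alternatives() {   # reads the alternatives output on stdin
    sed -n 's|^[[:space:]]*link currently points to \(.*\)/bin/java[[:space:]]*$|\1|p' | head -n 1
}

# Read NAME=value from a tomcat5.conf-style file without sourcing it (the file
# is shell syntax, so sourcing would execute whatever is in it). Surrounding
# quotes and any trailing slash are stripped so values compare cleanly.
conf_value() {   # conf_value FILE NAME
    sed -n "s|^[[:space:]]*$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*\$|\1|p" "$1" | tail -n 1 | sed 's|/*$||'
}

# Port of the first <Connector ...> in server.xml; assumes its attributes are
# on one line and that the first connector is the plain HTTP one that
# CONNECTOR_PORT in tomcat5.conf refers to.
server_xml_port() {   # server_xml_port FILE
    sed -n 's|.*<Connector[^>]*[[:space:]]port="\([0-9]*\)"[^>]*>.*|\1|p' "$1" | head -n 1
}

# Report each problem on its own line, print "ok" when there are none, and
# return the number of problems found.
check_tomcat_config() {   # check_tomcat_config TOMCAT5_CONF SERVER_XML
    problems=0
    jh=$(conf_value "$1" JAVA_HOME)
    if [ -z "$jh" ]; then
        echo "JAVA_HOME is not set in $1"; problems=$((problems + 1))
    elif [ ! -x "$jh/bin/java" ]; then
        echo "JAVA_HOME=$jh has no executable bin/java"; problems=$((problems + 1))
    fi
    cp=$(conf_value "$1" CONNECTOR_PORT)
    xp=$(server_xml_port "$2")
    if [ "$cp" != "$xp" ]; then
        echo "CONNECTOR_PORT=$cp in $1 but the server.xml connector listens on ${xp:-<none>}"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ] && echo ok
    return "$problems"
}

# Constructed sample of what `alternatives --display java` prints on the CentOS box.
SAMPLE_ALTERNATIVES='java - status is auto.
 link currently points to /usr/lib/jvm/jre-1.6.0-openjdk/bin/java
/usr/lib/jvm/jre-1.6.0-openjdk/bin/java - priority 16000
 slave keytool: /usr/lib/jvm/jre-1.6.0-openjdk/bin/keytool'

# Build a constructed Tomcat layout under DIR (fake JVM with an executable
# bin/java, a tomcat5.conf and a server.xml) so the checks run without a real install.
make_fixture() {   # make_fixture DIR
    mkdir -p "$1/jvm/jre-1.6.0-openjdk/bin" "$1/etc/tomcat5"
    : > "$1/jvm/jre-1.6.0-openjdk/bin/java" && chmod 755 "$1/jvm/jre-1.6.0-openjdk/bin/java"
    cat > "$1/etc/tomcat5/tomcat5.conf" <<EOF
# Where your java installation lives
JAVA_HOME="$1/jvm/jre-1.6.0-openjdk/"
SHUTDOWN_WAIT=10
CONNECTOR_PORT=8080
EOF
    cat > "$1/etc/tomcat5/server.xml" <<'EOF'
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" maxHttpHeaderSize="8192" redirectPort="8443" />
  </Service>
</Server>
EOF
}

# Demo run against the constructed fixture.
printf '%s\n' "$SAMPLE_ALTERNATIVES" | java_home_from_alternatives
demo=$(mktemp -d)
make_fixture "$demo"
check_tomcat_config "$demo/etc/tomcat5/tomcat5.conf" "$demo/etc/tomcat5/server.xml"
rm -rf "$demo"
```

On a real system, point check_tomcat_config at /etc/tomcat5/tomcat5.conf and /etc/tomcat5/server.xml and fix anything it reports before running the init script; a non-zero return value is the count of problems, which makes it easy to gate a deployment on it.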

References:

  • OpenBD guide to running Tomcat (geared to their app)
  • David Ghedini's blog offers a great overview of this topic

Jan 9, 2012

Tomcat with SSL

I have been tackling some server issues lately, trying to get Tomcat to play nicely with SSL and get everything locked down. And since there seems to be a lack of useful tutorials out there (at least nothing I could find) I made my own little how-to. If you have any questions just ask away in the comments!

What you need:

  • Apache Tomcat
  • The OpenSSL toolset, which ships with most Linux distributions (this guide was done with CentOS, but should be applicable to other distributions)
  • An account with startssl.com (or other certificate signing authority)

Summary:

This post will go through the various steps required to set up Tomcat with SSL. At the time of writing StartSSL were still offering free signed certificates.

1. Getting your certificate

I am going to assume that you have already got yourself an account with a certificate signing authority. Most of these services provide documentation on how you can get your very own certificate, but for the sake of thoroughness I will outline the steps I followed to get my certificate:

  1. Generate a private key and a certificate signing request on your server (replace [server] with something unique to you, such as the hostname):

    openssl req -new -newkey rsa:2048 -nodes -keyout [server].key -out [server].csr

  2. The command will ask a series of questions (country, organisation, the server's Common Name, email address, an optional challenge password). Answer appropriately for your system; the Common Name must be the DNS name clients will use. The key is written unencrypted (-nodes) so Tomcat can start without a passphrase prompt, which is also why its file permissions matter (see step 6).

  3. Log in to http://www.startssl.com/ (or whatever certificate authority you have chosen).

  4. Select the option to upload your own certificate signing request (you do not need them to generate a key for you; step 1 already did that, and the private key should never leave your server).

  5. Once you have uploaded the contents of the *.csr file, you should receive your signed public certificate (*.crt). The CA should also give you the root and intermediate certificates it used to sign it.

  6. Save all files somewhere safe, with file permissions that stop them being read or tampered with (the private key in particular should be readable only by root and the tomcat user). For the rest of this guide we are going to assume /etc/pki/tls/certs/.

2. Configuring Tomcat

  1. If your certificate authority has not already done so, create a chain file of the signing CA's intermediate and root certificates:

    cat [cert1].pem [cert2].pem > chain.pem

  2. We need to put all our certificates into a keystore file, so that Tomcat only has to load one object (not multiple files). PKCS12 lets us do that with OpenSSL alone, no keytool needed:

    openssl pkcs12 -export -in [server].crt -inkey [server].key -out [server].p12 -name tomcat -CAfile chain.pem -chain

    You will be prompted for an export password; it becomes keystorePass below, so pick a real one rather than the placeholder used here. The -chain option only works if chain.pem really does contain every issuer up to the root; otherwise OpenSSL stops with an error about getting the chain.

  3. The final step is to let Tomcat know where the keystore is. Edit server.xml (in CentOS it is /etc/tomcat5/server.xml) as follows:

    <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
    <Connector port="8443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               algorithm="SunX509" keystoreType="PKCS12"
               keystoreFile="/etc/pki/tls/certs/server.p12"
               keystorePass="abc123" />

    NOTE: The algorithm="..." and keystoreType="..." attributes are crucial! This is where most of my headaches lay; without them Tomcat could not work out how to read the keystore (it assumes the JKS format by default), so HTTPS just didn't work. Also note that keystorePass sits in server.xml in clear text, so that file and the .p12 should not be world-readable.
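
Before handing the keystore to Tomcat it is worth checking that the pieces actually fit: that the certificate the CA returned was issued for the key you generated, that it chains to the root through the intermediate, and that the PKCS12 really carries the whole chain. The following is an added example, not code from the original post, that does this end to end. Since it has to run offline, a throwaway root and intermediate CA stand in for StartSSL and sign a CSR produced with the same openssl req command as above; the CA names, the host name example.internal, the scratch paths and the export password abc123 (the placeholder from the post) are all assumptions for the demo, not real infrastructure. It needs only the openssl binary.

```shell
# Added example, not code from the original post: stand up a throwaway root and
# intermediate CA to play the part of StartSSL, sign a CSR made with the post's
# openssl req command, build the PKCS12 keystore the post's pkcs12 command
# produces, and then check the pieces fit before Tomcat ever sees them. The
# names (example.internal), paths and the export password "abc123" are
# placeholders, not anything from a real deployment.

set -e

# Build a scratch PKI under DIR: root CA -> intermediate CA -> server cert for
# NAME. The CA certificates need basicConstraints/keyUsage extensions or
# OpenSSL will refuse to treat them as issuers when building the chain.
build_test_pki() {   # build_test_pki DIR NAME
    d="$1"; name="$2"; mkdir -p "$d"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$name" > "$d/server.ext"
    # Root: key + CSR, self-signed with the CA extensions
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Root CA" \
        -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
    # Intermediate: signed by the root
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate CA" \
        -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 30 -extfile "$d/ca.ext" -out "$d/inter.pem" 2>/dev/null
    # Server key and CSR: the post's command, with -subj so it runs unattended
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
        -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null
    # "Upload the CSR": the intermediate signs it and returns server.crt
    openssl x509 -req -in "$d/$name.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
        -CAcreateserial -days 30 -extfile "$d/server.ext" -out "$d/$name.crt" 2>/dev/null
    # The CA also hands back its intermediate and root; that is the post's chain.pem
    cat "$d/inter.pem" "$d/root.pem" > "$d/chain.pem"
}

# A certificate is only useful with the key it was issued for: compare the
# SHA-256 of the DER public key held in each. Prints "match" or "MISMATCH".
key_matches_cert() {   # key_matches_cert KEY CRT
    k=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    if [ "$k" = "$c" ]; then echo match; else echo MISMATCH; fi
}

# Check that CRT chains up to a trusted ROOT through the certificates in CHAIN,
# the same path a browser has to find. Prints "ok" or "FAIL".
verify_chain() {   # verify_chain ROOT CHAIN CRT
    if openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1; then echo ok; else echo FAIL; fi
}

# The post's keystore step. The export password is what goes into
# keystorePass in server.xml; since it is stored there in clear text, the .p12
# itself is locked down to its owner.
build_keystore() {   # build_keystore KEY CRT CHAIN OUT PASSWORD
    openssl pkcs12 -export -in "$2" -inkey "$1" -CAfile "$3" -chain -name tomcat \
        -out "$4" -passout "pass:$5"
    chmod 0600 "$4"
}

# Number of certificates inside the keystore. With server + intermediate + root
# this is 3; if it prints 1, -chain did not take and Tomcat will serve an
# incomplete chain that clients without the intermediate cannot validate.
keystore_cert_count() {   # keystore_cert_count P12 PASSWORD
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Demo run in a scratch directory.
work=$(mktemp -d)
build_test_pki "$work" example.internal
key_matches_cert "$work/example.internal.key" "$work/example.internal.crt"
verify_chain "$work/root.pem" "$work/chain.pem" "$work/example.internal.crt"
build_keystore "$work/example.internal.key" "$work/example.internal.crt" "$work/chain.pem" \
    "$work/example.internal.p12" abc123
keystore_cert_count "$work/example.internal.p12" abc123
rm -rf "$work"
```

With a real CA you skip build_test_pki and run the three checks against the .key you generated, the .crt the CA returned and the chain it gave you, using the CA's root certificate as the trusted anchor for verify_chain. Passing -passout on the command line is a convenience for the demo; interactively you would let openssl pkcs12 prompt, exactly as the step above does.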

References:

  • Ars Technica guide to getting a free SSL certificate
  • GoDaddy help article for generating certificates
  • Mulesoft guide to configuring Tomcat with SSL
  • Digicert guide to configuring Tomcat with SSL
  • Ashraf Hossain's guide to redirecting all HTTP requests to HTTPS