惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

H
Heimdal Security Blog
P
Privacy International News Feed
S
Schneier on Security
P
Proofpoint News Feed
L
Lohrmann on Cybersecurity
Spread Privacy
Spread Privacy
P
Privacy & Cybersecurity Law Blog
D
Darknet – Hacking Tools, Hacker News & Cyber Security
Scott Helme
Scott Helme
K
Kaspersky official blog
大猫的无限游戏
大猫的无限游戏
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
aimingoo的专栏
aimingoo的专栏
Simon Willison's Weblog
Simon Willison's Weblog
S
Securelist
Help Net Security
Help Net Security
B
Blog
H
Hackread – Cybersecurity News, Data Breaches, AI and More
Security Archives - TechRepublic
Security Archives - TechRepublic
云风的 BLOG
云风的 BLOG
The GitHub Blog
The GitHub Blog
N
News and Events Feed by Topic
Hacker News: Ask HN
Hacker News: Ask HN
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
M
MIT News - Artificial intelligence
雷峰网
雷峰网
博客园 - 司徒正美
V
V2EX
AWS News Blog
AWS News Blog
Know Your Adversary
Know Your Adversary
N
News | PayPal Newsroom
T
Tor Project blog
Cisco Talos Blog
Cisco Talos Blog
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
PCI Perspectives
PCI Perspectives
Google DeepMind News
Google DeepMind News
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
U
Unit 42
C
Cybersecurity and Infrastructure Security Agency CISA
P
Palo Alto Networks Blog
G
Google Developers Blog
T
Threat Research - Cisco Blogs
博客园 - Franky
I
InfoQ
D
DataBreaches.Net
爱范儿
爱范儿
Y
Y Combinator Blog
博客园 - 叶小钗
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报

Posts on Noah Bailey

How to turn anything into a router Deploy to Cloudfront from GitHub using OpenID Connect Backup Postgres databases with Kubernetes CronJobs The spelling error made 200 billion times a day Restarting Kubernetes pods using a CronJob You've just bought a new domain. Now what? Who Sawed My Motherboard??? Linux on the P8 Aliexpress Mini Laptop Recovering Mysql/Mariadb after a nasty crash Using EXIF data to pick my next lens Converting and developing RAW photos on Linux automatically Thank you, 2016 iPhone Don't Make It Work Self-hosted Surveillance with ZoneMinder Backups, Monitoring, and Security for small Mastodon servers Block web scanners with ipset & iptables Executing commands over SSH with GitHub Actions Debian Sid on encrypted ZFS Protect your dangerously insecure redis server Debian: the luxurious boring lifestyle Monitor radiation with a Raspberry Pi Simple Linux server alerts: Know your performance, errors, security, syslog, and security NUC crashes on debian 11 - How I fixed it Basic Linux server security with fail2ban, ossec, and firewall Windows 11 will create heaps of needless trash Domesticated Kubernetes Networking The Cursed Certificate Our mostly disposable and entirely stupid world Trying out OpenBSD (as a Linux geek) Making VoIP Calls with Antique Rotary Phones Monitoring WAN speed with speedtest-cli and ElasticSearch Monitoring WAN latency with InfluxDB The Zeroshell botnet returns Installing Gentoo on a vintage Thinkpad T60 Malware emails 2: Russian boogaloo TP-Link Device Weirdness ElasticSearch broke all my nice things (a story of cascading failure) A New Botnet is Targeting Network Infrastructure Malware on the Wire: Monitoring Network Traffic with Suricata and ClamAV Cloud Threat Protection with OSSEC and Suricata Malware Emails From Jerks Surviving the Apocalypse with an Offline Wikipedia Server Being Attacked by Bots Linux Router, Firewall and IDS Appliance You Probably Don't Need a VPN Fix an Oversharded Elasticsearch Cluster Automating KVM Virtualization Update all your linux servers as fast as possible Cleanup Systemd Journald Storage Stop Putting Your SSH Keys on Github! Clustering KVM with Ceph Storage Stealing Windows Sessions FreeRadius Active Directory Integration Retrieving WPA2 Keys on Windows Deploy MDT Litetouch on Linux with TFTPD and Syslinux The Inflatable Dinghy Generating Cisco IOS config files with Python Homebrew SAN Getting Cloudy
Generating MSI transform files with Orca
2018-10-02 · via Posts on Noah Bailey

Deploying MSI installers with group policy is super neat and super handy…. Most of the time.

Sometimes, though, you need a bit more than just the default options when pushing out packages, and for those of us that don’t have a wheelbarrow full of money to burn on System Center there are two ways to do this:

  1. Use a GP Preference Item to distribute a configuration file to managed systems
  2. Create a transform set to apply to the MSI installer file

While the first approach at first seems more straightforward, it does lead to the inevitable “GPO Spaghetti” once packages are added and removed. While MST installs are more technically involved, they’re a lot more manageable long term.

MSI packaging tools

To service MSI installers, we need a tool known as Orca.

Orca is part of the Windows SDK, and can be installed with the MSI tools bundle. We don’t need the whole SDK, so only install the parts we need. After we accept the end user license agreement, we can select only the ‘MSI Tools,’ weighing in at a mere eight and a half megabytes.

After we’re done installing the MSI tools, we gear up to install Orca. On my version, it’s buried in the C:\Program Files (x86)\Windows Kits\10\bin\10.0.17134.0\x86 directory, but you may need to hunt around the Windows Kits directory to find the installer.

Ironically, Orca uses an MSI installer to install itself.

C:\> msiexec /i "C:\Program Files (x86)\Windows Kits\10\bin\10.0.17134.0\x86\Orca-x86_en-us.msi" /qb

Once it’s installed, we can open the program and start poking at some installers.

Taking apart the installer file

In this case, we are interested in configuring the Splunk Universal Forwarder to send events from Windows Servers to a local indexer for a lab environment. We can do this by adding the install switches to the transform file. Here’s how:

  1. Open the MSI package in Orca.
  2. Find the Property table within the MSI
  3. Create a new transform
    • Transform > New Transform
  4. Edit the Property table to contain the parameters we want to add

Reading the Instructions

Of course, now is a great time to check the documentation for our specific product and needs. Most packages that use MSI silent install switches will have a similar procedure.

According to the Splunk Documentation, we need to configure the following parameters:

  • AGREETOLICENSE=Yes
  • RECEIVING_INDEXER="<host:port>"
  • DEPLOYMENT_SERVER="<host:port>"

To add these configurations to the transform, we need to head back to Orca.

First, locate the AGREETOLICENSE key in the Property table. The default value will be ‘No’ so we will change it to ‘Yes’

Next we will add the indexer and the deployment server. Some of these aren’t configured by default, so we will need to make sure the installer will parse these parameters. The list of parameters with default values is usually called AdminProperties and its value is a semicolon separated list of keys. All we need to do here is make sure that all the new keys we will be adding are somewhere in the string. In this case, we need to add RECEIVING_INDEXER to the list.

Now that the installer knows what to do with our parameters, we can actually add them. Right click the table and click ‘Add Row’ then enter the key and value that will be added to the transform.

After all the parameters have been added to the transform, it’s time to export the finished patch file and get it ready for deployment. The MST is generated by going to Transform > Generate Transform and saving the file.

Deploying the package

From here on out, we follow the usual methods for deploying software with GPO. In the group policy editor we create a new assigned application and select the MSI installer for Splunk Forwarder. Then, under Modifications the MST is selected. I recommend a replicated DFS network location for deploying software packages.

After satisfactory testing, we can roll this package out to our servers. After group policy has converged the next reboot will install the package on our servers. Within a couple minutes, the machines will start the local service and connect to the indexer.

And a quick ramble about security…

Now, let’s talk about why I did it this way. There is another way to set up Splunk, where a dedicated server will create event subscriptions to all the other servers and then it will send those to the indexer on their behalf. There are a number of security benefits to this:

  • No extra binaries and services on other servers
  • No need to restart mission critical servers to install the agent
  • Exposing our servers to the splunk API is a bad idea

This is all valid.

However, there’s what I believe to be a bigger risk to this configuration: the service account!!!! Yes, service accounts are evil and bad. Since the forwarder needs to authenticate against all the servers that it will be logging it will need wide network access and privileged access to the servers it touches… And I’m sure many administrators simply give it Domain Admin (shudders) access as a quick and sloppy workaround. Alternatively, some may go the extra mile and set up a gMSA with the right access in all the right places, and honestly kudos to those guys. 👍

For our purposes, I think simply using the Local Service and not giving it any special domain access is the way to go since the only thing on the network it’s touching is the Splunk API. Our time would much better be spent configuring a proper cert on the server. As always, if you have something to say please send me a message!