Disabling a network adapter with NetSH

To disable a network adapter from the command line, you can use the "netsh" tool.

This can be useful on Windows 2008 in Core mode.

The steps:

1) List the adapters to find the name of the interface to disable

To list the adapters, use:

netsh int sh int

Check the IP addressing of each adapter:

netsh int ip sh ip

2) Disable the network adapter

netsh int set int name="<nom_de_la_carte>" admin=disabled

Replace <nom_de_la_carte> with the name found above in the "Interface Name" column.

This last command returns no output. To check that the adapter really is disabled, run "netsh int sh int" again: the "Admin State" column should now show Disabled.

All the commands used above are abbreviated; to find the full names of the netsh contexts, just browse through the contexts with:

netsh /?

There is an interesting article on netsh on the TechNet site.
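The same procedure automated as a PowerShell script, added here as an example and not part of the original post: it parses "netsh int sh int", refuses to disable the only connected adapter (the one a remote session on a Core server depends on), and re-reads the table afterwards because the set command prints nothing on success. It assumes English netsh output ("Enabled"/"Disabled", "Connected"); on a localized system the strings must be adapted, and the script is run as a .ps1 with -InterfaceName.

```powershell
# Added example (not from the original post): wrap the netsh procedure with a safety check.
# Assumes English netsh output; adjust the matched strings on a localized Windows.
param(
    [Parameter(Mandatory = $true)]
    [string]$InterfaceName   # value from the "Interface Name" column of "netsh int sh int"
)

# Parse the table printed by "netsh int sh int"; data rows start with Enabled/Disabled.
function Get-NetshInterface {
    netsh interface show interface |
        ForEach-Object {
            if ($_ -match '^(?<Admin>Enabled|Disabled)\s+(?<State>\S+)\s+(?<Type>\S+)\s+(?<Name>.+?)\s*$') {
                New-Object PSObject -Property @{
                    AdminState = $Matches.Admin
                    State      = $Matches.State
                    Type       = $Matches.Type
                    Name       = $Matches.Name
                }
            }
        }
}

$adapters = @(Get-NetshInterface)
$target = $adapters | Where-Object { $_.Name -eq $InterfaceName }
if (-not $target) { throw "No interface named '$InterfaceName'; run: netsh int sh int" }

# Safety check for a Core server administered remotely: never disable the only connected
# adapter, since the management session itself rides on it.
$connected = @($adapters | Where-Object { $_.AdminState -eq 'Enabled' -and $_.State -eq 'Connected' })
if ($target.State -eq 'Connected' -and $connected.Count -le 1) {
    throw "'$InterfaceName' is the only connected adapter; refusing to disable it."
}

netsh interface set interface "name=$InterfaceName" admin=disabled | Out-Null
if ($LASTEXITCODE -ne 0) { throw "netsh failed (exit code $LASTEXITCODE)" }

# The set command is silent on success, so re-read the table and check Admin State.
$after = Get-NetshInterface | Where-Object { $_.Name -eq $InterfaceName }
if ($after.AdminState -ne 'Disabled') { throw "'$InterfaceName' is still $($after.AdminState)" }
"'$InterfaceName' Admin State: $($after.AdminState)"
```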

ISA Server 2006 log IP address conversion

Here is a function that converts the BigINT value stored in the 'ClientIP' field of the 'WebProxyLog' table into an IP address of the form A.B.C.D.

USE [master]
GO
SET ANSI_NULLS ON
GO
SET QUOTED_IDENTIFIER ON
GO
-- Converts the bigint stored in WebProxyLog.ClientIP into dotted-quad form,
-- most significant octet first.
CREATE FUNCTION [dbo].[IntegerToIPAddress] (@IP AS bigint)
RETURNS varchar(15)
AS
BEGIN
    DECLARE @Octet1 bigint
    DECLARE @Octet2 bigint
    DECLARE @Octet3 bigint
    DECLARE @Octet4 bigint
    DECLARE @RestOfIP bigint
    SET @Octet1 = @IP / 16777216                   -- 256^3: first octet (integer division)
    SET @RestOfIP = @IP - (@Octet1 * 16777216)
    SET @Octet2 = @RestOfIP / 65536                -- 256^2: second octet
    SET @RestOfIP = @RestOfIP - (@Octet2 * 65536)
    SET @Octet3 = @RestOfIP / 256                  -- third octet
    SET @Octet4 = @RestOfIP - (@Octet3 * 256)      -- remainder: fourth octet
    RETURN(CONVERT(varchar, @Octet1) + '.' +
           CONVERT(varchar, @Octet2) + '.' +
           CONVERT(varchar, @Octet3) + '.' +
           CONVERT(varchar, @Octet4))
END

Once the function has been created, it can be run like this:

use master
go
SELECT  dbo.IntegerToIPAddress(167772161)
go

Result:


For the reverse conversion, IP address to BigINT, use the query provided by Microsoft in KB891223:

SELECT
    CAST(SourceIP / 256 / 256 / 256 % 256 AS VARCHAR) + '.' +
    CAST(SourceIP / 256 / 256 % 256 AS VARCHAR) + '.' +
    CAST(SourceIP / 256 % 256 AS VARCHAR) + '.' +
    CAST(SourceIP % 256 AS VARCHAR)
    AS [Nice Source Ip], FirewallLog.*
FROM FirewallLog
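The same mapping in PowerShell, added here as an example and not part of the original post: both SQL snippets above go from the integer to the dotted form, so this example also carries the dotted-to-integer direction, which is what you need to turn an address into the integer bounds of a WHERE clause on WebProxyLog. The 167772161 used on the page is 10.0.0.1; the query string at the end is only built, not executed.

```powershell
# Added example (not from the original post): BigINT <-> A.B.C.D as used in the ISA log tables.

function ConvertTo-DottedIP {
    param([Parameter(Mandatory = $true)][long]$Value)
    # The T-SQL function does not range-check its input; do it here.
    if ($Value -lt 0 -or $Value -gt 4294967295) { throw "Not an IPv4 value: $Value" }
    $rest = $Value
    # Same arithmetic as IntegerToIPAddress: peel off 256^3, 256^2, 256^1, 256^0.
    $octets = foreach ($div in 16777216, 65536, 256, 1) {
        $o = [math]::Floor($rest / $div)
        $rest -= $o * $div
        [int]$o
    }
    $octets -join '.'
}

function ConvertTo-IPInteger {
    param([Parameter(Mandatory = $true)][string]$Address)
    # Require a full dotted quad; IPAddress.TryParse would otherwise accept shorthand like "10".
    if ($Address -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { throw "Not a dotted IPv4 address: $Address" }
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip) -or
        $ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
        throw "Not an IPv4 address: $Address"
    }
    [long]$n = 0
    foreach ($b in $ip.GetAddressBytes()) { $n = $n * 256 + $b }   # bytes come in network order
    $n
}

# Round trip on the value used on the page: 167772161 is 10.0.0.1.
$dotted = ConvertTo-DottedIP 167772161
$back   = ConvertTo-IPInteger $dotted
"167772161 -> $dotted -> $back"

# Integer bounds for a subnet filter on the ISA table (query text only, constructed here).
$lo = ConvertTo-IPInteger '10.0.0.0'
$hi = ConvertTo-IPInteger '10.0.0.255'
"SELECT * FROM WebProxyLog WHERE ClientIP BETWEEN $lo AND $hi"
```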

PowerShell: log rotation script

Hello,

I use the free version of Kiwi Syslog server, which does not offer log rotation. To work around this limitation I use the following PS script:

# Function to Check Log Size and Rotate as Needed
function RotateLog($log)
{
    $enc  = New-Object System.Text.UTF8Encoding
    $file = Get-Item "$log"  # Get Log File
    $filedir = "D:\Program Files (x86)\Syslogd\Logs\" # Get Log Directory
    $server = HostName
    $datetime = Get-Date -uformat "%Y%m%d-%H%M" # Get Current Date and Time
    $fdatetime = Get-Date -uformat "%B %e, %Y - %H%M hours" # Get Formatted Current Date and Time
    $arcdir = "$filedir\archive" # Specify Log Archive Directory
    # Mail variables
    $date = Get-Date -uformat "%d-%m-%Y"
    $smtp = "smtp.domaine.net"        # SMTP server
    $mail_from = "Syslog@domaine.net"
    $mail_to = "supervision@domaine.net"
    $subject = "Syslog du jour"
    $bd = "Ci-Joint le syslog du $date"
    # Check for, and if needed create, the Archive folder
    if ((Test-Path -Path $arcdir -PathType container) -ne $True) # Verify that the Archive Directory Exists - If not, Create it
    {
        New-Item $arcdir -Type directory # Create Directory if it does not Exist
    }
    #$filename = $file.BaseName -replace $file.extension,"" # Remove File Extension from Name
    $filename = $file.BaseName
    $newname = "${filename}_${datetime}.log" # Specify New Name for Archived Log (base name + timestamp)
    Rename-Item -Path $file.fullname -NewName $newname  # Rotate Current Log to Archive
    Move-Item  -Path "${filedir}${newname}" -Destination "$arcdir"  -Force # Move Archived Log to Archive Directory
    $pj="${arcdir}\${newname}"
    Send-MailMessage -From $mail_from -To $mail_to -SmtpServer $smtp -Subject $subject -Encoding $enc -Attachments $pj -Body $bd
}

# Call Function
$log = "D:\Program Files (x86)\Syslogd\Logs\SyslogCatchAll.txt" # Specify Log File
RotateLog($log) # Call Log Rotation Function

List of ports used by Microsoft

Microsoft ports

When you look at an installation of Windows (especially server versions of Windows), you will find a number of ports open. Several of these are well-known ports, while others are dynamically assigned. The dynamically assigned ports start at port 1024 and usually range up through roughly port 1100. The exact meaning of these can be obtained through the "endpoint mapper" at port 135.

Basic Windows ports

135 The "end-point mapper". RPC services are assigned other ports dynamically. When trying to connect to a service, you go through this mapper to discover where it is located. The process works the same as on the UNIX RPC portmapper. A big difference is that a lot of services run on top of named pipes, which don't have a specific port.
137 NetBIOS name service. This is how NetBIOS-based services find each other. On a NetBIOS network, these names uniquely identify the machine and services running on the machine (and the IP address doesn’t matter). Machines find each other either using broadcasts or looking them up in a centralized NetBIOS naming server (called a WINS server).
138 NetBIOS datagram service. This is primarily used for broadcasting information. It is primarily used by the SMB browser service that fills the information within the « Network Neighborhood » icon.

Basic Services

This section describes the ports that you would encounter when installing the basic services on WinNT Server. Note that virtually all Microsoft services require port 135 for remote administration.

42 For WINS replication. Remember that normal access to the WINS service is through port 137; this port is used for database replication.
1723 PPTP (Microsoft’s VPN solution). Note that this will also use IP protocol 47.
138 NetBIOS datagram service. This is primarily used for broadcasting information. It is primarily used by the SMB browser service that fills the information within the « Network Neighborhood » icon.

Exchange Server

This section describes the type of ports you might see in Microsoft's Exchange server. This is a huge e-mail server package.

Again note the heavy reliance upon port 135 for remote administration and RPC communication between server components.

102 X.400 MTA
110 POP3
119 NNTP
143 IMAP4
389 LDAP
563 POP3 over SSL.
636 LDAP over SSL.
993 IMAP4 over SSL.
995 POP3 over SSL.

NetMeeting

Microsoft’s NetMeeting is video-conferencing style software.

389 Internet Locator Server (ILS) using LDAP.
522 ULP (User Location Server), obsoleted by LDAP. ULP is only used by older versions of NetMeeting.
636 Secure LDAP over SSL
1503 T.120 teleconferencing protocol
1720 H.323 call setup
1731 Audio call control protocol
Dynamically assigned ports for call control and RTP transport of the data.

Windows Media

The Windows Media Server streams content over the web. This was formerly known as « NetShow » and uses the .asf file extension.

80 Can stream content over HTTP.
1755 Uses a TCP control connection on this port, as well as some UDP traffic.
7007 Encoder-to-server traffic. This allows an encoder (such as a system encoding live radio) to stream content to the server, which then streams it out to clients.

Note that the UDP traffic may be carried over IP multicast.

Terminal Server

Microsoft's Terminal Server is a special version of WinNT Server that allows remote GUI access. It is essentially Microsoft's version of X Windows, but since the Win32 API isn't geared toward remote viewing, its bandwidth requirements are higher. Clients are available for WinCE devices, allowing NC-style access.

3389 RDP client
1494 Citrix (ICA) client
636 Secure LDAP over SSL
1503 T.120 teleconferencing protocol
1720 H.323 call setup
1731 Audio call control
Dynamically assigned ports for call control and RTP transport of the data.

Cluster Server

Clustering is where multiple servers coordinate themselves into providing the same service so that if any server goes down, clients get uninterrupted operation.

1717 Convoy
2504 WLBS

Other


593 Encapsulates the RPC ‘end-point mapping’ services within HTTP.
1477 MS SNA server
1478 MS SNA server

Source : http://www.iss.net/security_center/advice/Exploits/Ports/groups/Microsoft/default.htm


See also -> http://support.microsoft.com/kb/832017