Best Way to Track Service Being Turned On?

Will

Guest
I have a strange situation on a firewall I need help with. The server is Windows 2000 running ISA Server 2004. For reasons I cannot determine yet, the Internet Connection Sharing (ICS) service keeps getting set to Automatic. I set it manually to disable, and I have verified that nothing in group policy should be turning it on. A few days go by, and then I login and see the service set to Automatic, and sometimes turned on. I don't believe the other operator of that particular server has enough knowledge to make this change, nor do I believe he would be malevolent enough to do it. So I have a problem.

What is the best method to get an email alert at the moment that:

1) A particular service has its service status changed to Automatic?

2) The service is started?

I assume there is a third party tool that would monitor services and do the notification for me. I would appreciate pointers to the best tools of this type.

--

Will

 
Michael Bednarek

Guest
On Sat, 26 Apr 2008 17:06:50 -0700, Will wrote in microsoft.public.security:

> I have a strange situation on a firewall I need help with. The server is
> Windows 2000 running ISA Server 2004. For reasons I cannot determine yet,
> the Internet Connection Sharing (ICS) service keeps getting set to
> Automatic. I set it manually to disable, and I have verified that
> nothing in group policy should be turning it on. A few days go by, and
> then I login and see the service set to Automatic, and sometimes turned on.
> I don't believe the other operator of that particular server has enough
> knowledge to make this change, nor do I believe he would be malevolent enough
> to do it. So I have a problem.
>
> What is the best method to get an email alert at the moment that:
>
> 1) A particular service has its service status changed to Automatic?
>
> 2) The service is started?
>
> I assume there is a third party tool that would monitor services and do the
> notification for me. I would appreciate pointers to the best tools of this
> type.

Write a batch script. Use SC.EXE to query the service, parse its output with FIND{STR}.EXE, wait/sleep with PING.EXE. Use BLAT.EXE to send the e-mail. Avoid sending e-mails endlessly, either by setting the service back to the desired state or by using logic to send the e-mail only when the state changes.

--

Michael Bednarek http://mbednarek.com/ "POST NO BILLS"

 
Will

Guest
"Michael Bednarek" <mbATmbednarek.com@BLACKHOLESPAM.NET> wrote in message news:rbj814h1f1qpti9d057lnufh26qom1qlqm@4ax.com...

> Write a batch script. Use SC.EXE to query the service, parse its output
> with FIND{STR}.EXE, wait/sleep with PING.EXE. Use BLAT.EXE to send the
> e-mail. Avoid sending e-mails endlessly, either by setting the service back to
> the desired state or by using logic to send the e-mail only when the state
> changes.

I would like other things, like the process id that started the service, the user name / security context, name of program running in that process etc.

We have programmers who could write this program, or we could go with a script, but I'm trying to find something off the shelf first.

--

Will

 
Roger Abell [MVP]

Guest
"Will" <westes-usc@noemail.nospam> wrote in message news:ybWdnclml_MCXonVnZ2dnUVZ_jydnZ2d@giganews.com...

> I would like other things, like the process id that started the service,
> the user name / security context, name of program running in that process etc.
>
> We have programmers who could write this program, or we could go with a
> script, but I'm trying to find something off the shelf first.

I sort of doubt you are going to find all of that off-the-shelf, Will. The reason is that you imply reading into the security log, as the history of who started / altered the service is not kept by the SCM, so querying the SCM state will not show the process that started it, etc. Also, just how much other than "service xyz entered started state" sort of event messages depends on OS version.

You might want to think about guaranteeing sufficient items are logged to event logs, and then have a little monitoring service that uses eventing to subscribe to event log messages of interest. When a service transitions it could at least snapshot what is running on the system.

Another question: Are you satisfied with the watcher software running on the same, watched machine? I mean, if something is changing services on you, can you trust info from software that is also on that machine and subject to similar changes?

--

Roger
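An added worked example (not code from the thread or from any of its posters) that combines Michael's recipe, poll the service with SC.EXE and mail only on a state change, with Roger's suggestion to snapshot the running processes when the service transitions. It assumes the ICS service short name is `SharedAccess` (an assumption, not stated in the thread), that `sc` and `tasklist` are on PATH when run on a live Windows host, and that `notify` is a stub the reader replaces with blat.exe or smtplib. The `SAMPLE_QUERY` and `SAMPLE_QC` strings are constructed in the shape of `sc query` / `sc qc` output so the parsing and change-detection logic can be exercised offline through `sample_run`:

```python
"""Poll-based service watcher (added example; assumptions noted in comments)."""
import re
import subprocess
import time

SERVICE = "SharedAccess"          # assumed short name of the ICS service
DESIRED = {"start_type": "DISABLED", "state": "STOPPED"}

# Constructed sample output in the shape `sc query` and `sc qc` print.
SAMPLE_QUERY = """
SERVICE_NAME: SharedAccess
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
"""
SAMPLE_QC = """
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: SharedAccess
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\\PLACEHOLDER\\svchost.exe -k netsvcs
        DISPLAY_NAME       : Internet Connection Sharing (ICS)
"""

STATE_RE = re.compile(r"^\s*STATE\s*:\s*\d+\s+(\w+)", re.MULTILINE)
START_RE = re.compile(r"^\s*START_TYPE\s*:\s*\d+\s+(\w+)", re.MULTILINE)


def parse_state(query_output):
    """Symbolic state (RUNNING, STOPPED, ...) from `sc query` text."""
    m = STATE_RE.search(query_output)
    return m.group(1) if m else "UNKNOWN"


def parse_start_type(qc_output):
    """Start type (AUTO_START, DISABLED, ...) from `sc qc` text."""
    m = START_RE.search(qc_output)
    return m.group(1) if m else "UNKNOWN"


def run_command(args):
    """Run a command on the live host and return its stdout."""
    return subprocess.run(args, capture_output=True, text=True).stdout


def sample_run(args):
    """Constructed stand-in for run_command, so the watcher runs offline."""
    if args[:2] == ["sc", "query"]:
        return SAMPLE_QUERY
    if args[:2] == ["sc", "qc"]:
        return SAMPLE_QC
    return "constructed process list"


def observe(run=run_command):
    """One poll: current state and configured start type of SERVICE."""
    return {
        "state": parse_state(run(["sc", "query", SERVICE])),
        "start_type": parse_start_type(run(["sc", "qc", SERVICE])),
    }


def detect_changes(previous, current, desired=DESIRED):
    """Describe what changed since the last poll; an empty list means stay quiet.

    First poll: report only if the service already deviates from DESIRED.
    Later polls: report transitions only, which is what stops the mail flood.
    """
    changes = []
    if previous is None:
        for key in ("start_type", "state"):
            if current[key] != desired[key]:
                changes.append(f"{key} is {current[key]} (expected {desired[key]})")
        return changes
    for key in ("start_type", "state"):
        if previous[key] != current[key]:
            changes.append(f"{key} changed {previous[key]} -> {current[key]}")
    return changes


def snapshot_processes(run=run_command):
    """Capture what is running at the moment of the transition.
    tasklist.exe ships with XP and later; Windows 2000 would need tlist.exe."""
    return run(["tasklist", "/v"])


def notify(subject, body):
    """Stub for the mail step (blat.exe, smtplib); printing keeps it offline."""
    print(subject)
    print(body)


def watch(interval=60, run=run_command, max_polls=None):
    """Poll until interrupted (or for max_polls rounds); return the last observation."""
    previous, polls = None, 0
    while max_polls is None or polls < max_polls:
        current = observe(run)
        changes = detect_changes(previous, current)
        if changes:
            notify(f"{SERVICE}: " + "; ".join(changes), snapshot_processes(run))
        previous, polls = current, polls + 1
        if max_polls is None or polls < max_polls:
            time.sleep(interval)
    return previous


if __name__ == "__main__":
    watch()
```

The baseline rule matters for Will's case: if the service is already Automatic when the watcher starts, the first poll raises one alert and then stays silent until something changes again, so a flapping service produces one mail per transition rather than one per poll.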

 
Will

Guest
"Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message news:u$1A6TKqIHA.5416@TK2MSFTNGP06.phx.gbl...

> I sort of doubt you are going to find all of that off-the-shelf, Will.
> The reason is that you imply reading into the security log, as the
> history of who started / altered the service is not kept by the SCM,
> so querying the SCM state will not show the process that started it, etc.
> Also, just how much other than "service xyz entered started state"
> sort of event messages depends on OS version.
> You might want to think about guaranteeing sufficient items are
> logged to event logs, and then have a little monitoring service
> that uses eventing to subscribe to event log messages of interest.
> When a service transitions it could at least snapshot what is
> running on the system.
> Another question: Are you satisfied with the watcher software
> running on the same, watched machine? I mean, if something is
> changing services on you, can you trust info from software that
> is also on that machine and subject to similar changes?

This is a very valid question, but in the big picture I don't think that the person or thing starting the ICS service is all that bright. I suspect server misconfiguration more than I do monster in the machine. It's a very well secured firewall with no access allowed from the network, so I'm hopeful a simple direct monitor running on the same computer will be enough.

In an ideal world the monitoring service would have some cryptographically secure means of recording its own termination and restart events in a way that could not be tampered with. I doubt I will get that.

--

Will
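An added example (not from the thread) of the tamper-evident record Will describes, addressing Roger's point that a watcher on the watched box can itself be altered: each of the monitor's own lifecycle events is HMAC'd together with the tag of the previous record, so an off-box verifier can detect modified, deleted or (given the last chain head) truncated entries. Assumptions: the key is issued by and verification runs on a separate host, the monitor only holds the key in memory, and the current chain head is shipped off-box with every alert mail. The sample events in `build_sample_log` are constructed.

```python
"""HMAC hash chain for the watcher's own start/stop events (added example)."""
import hashlib
import hmac
import json
import time

GENESIS = "0" * 64   # chain head before the first record


def _payload(body):
    """Canonical bytes for one record so signer and verifier hash the same thing."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class ChainedLog:
    """Append-only log; every record commits to the tag of its predecessor."""

    def __init__(self, key):
        self.key = key          # assumed: received from the off-box verifier, kept in memory only
        self.records = []
        self.head = GENESIS

    def append(self, event, ts=None):
        body = {"ts": time.time() if ts is None else ts, "event": event, "prev": self.head}
        tag = hmac.new(self.key, _payload(body), hashlib.sha256).hexdigest()
        rec = {"body": body, "tag": tag}
        self.records.append(rec)
        self.head = tag          # ship this with the next alert mail
        return rec


def verify(records, key, expected_head=None):
    """Return (True, None) if intact, else (False, index of the first bad record).

    Without expected_head the verifier cannot see records silently dropped
    from the end, which is why the head must leave the box with each alert.
    """
    prev = GENESIS
    for i, rec in enumerate(records):
        body = rec["body"]
        if body.get("prev") != prev:          # link to predecessor broken
            return False, i
        expected = hmac.new(key, _payload(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec["tag"]):   # content or key mismatch
            return False, i
        prev = rec["tag"]
    if expected_head is not None and prev != expected_head:  # tail truncated
        return False, len(records)
    return True, None


def build_sample_log(key):
    """Constructed monitor lifecycle: start, one observed transition, stop."""
    log = ChainedLog(key)
    log.append("monitor started", ts=1)
    log.append("SharedAccess start_type DISABLED -> AUTO_START", ts=2)
    log.append("monitor stopped", ts=3)
    return log


if __name__ == "__main__":
    demo_key = b"constructed-demo-key"   # a real key is generated off-box
    log = build_sample_log(demo_key)
    print(verify(log.records, demo_key, log.head))
```

This gives tamper evidence, not prevention: whoever can change services on the box can also kill the monitor, but they cannot then produce a chain the off-box verifier accepts, and the gap between the last reported head and the log on disk is itself the signal.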

 
Will

Guest
"Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message news:u$1A6TKqIHA.5416@TK2MSFTNGP06.phx.gbl...

> I sort of doubt you are going to find all of that off-the-shelf, Will.
> The reason is that you imply reading into the security log, as the
> history of who started / altered the service is not kept by the SCM,
> so querying the SCM state will not show the process that started it, etc.
> Also, just how much other than "service xyz entered started state"
> sort of event messages depends on OS version.
> You might want to think about guaranteeing sufficient items are
> logged to event logs, and then have a little monitoring service
> that uses eventing to subscribe to event log messages of interest.
> When a service transitions it could at least snapshot what is
> running on the system.

Roger, running with this idea, what level of Windows event auditing is required to capture start and stop information for a service?

Will any audit setting guarantee an eventviewer message showing change of the service start status from - for example - Disabled to Automatic?

--

Will

 
Will

Guest
Roger, you will love this one: I tracked down the problem with ICS going to Automatic start on a Windows 2000 firewall as being a GPO problem. It turns out that if you develop a GPO to turn on the Windows Firewall service, it also turns on Internet Connection Sharing on Windows 2000 computers!! So the GPO that turns on firewalls on Windows 2003 has the lovely side effect of turning your Windows 2000 servers (and in this case Windows 2000 firewall) into a proxy server. Now if that doesn't make your eyes, nostrils, and sides of your lips move in six different directions at once, nothing will.

I posted about this in the Microsoft group_policy newsgroup, and personally I think this really bad misfeature has a pretty serious security implication.

I know how to take care of this for now.

--

Will

"Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message news:u$1A6TKqIHA.5416@TK2MSFTNGP06.phx.gbl...

> I sort of doubt you are going to find all of that off-the-shelf, Will.
> The reason is that you imply reading into the security log, as the
> history of who started / altered the service is not kept by the SCM,
> so querying the SCM state will not show the process that started it, etc.
> Also, just how much other than "service xyz entered started state"
> sort of event messages depends on OS version.
> You might want to think about guaranteeing sufficient items are
> logged to event logs, and then have a little monitoring service
> that uses eventing to subscribe to event log messages of interest.
> When a service transitions it could at least snapshot what is
> running on the system.
> Another question: Are you satisfied with the watcher software
> running on the same, watched machine? I mean, if something is
> changing services on you, can you trust info from software that
> is also on that machine and subject to similar changes?
> --
> Roger

 