XSS and bypassing an Imperva WAF with JSFuck
One of the biggest problems I have is trying to convince people that adopting new methods and setting up the infrastructure to automate things makes life easier in the long run and is an all-round money saver. What would you rather do: spend hours deploying a server, or click a couple of buttons and poof, the server is cloned, configured and done? There are more important things to do, like reading the newspaper, Facebooking my friends or designing complex highly available single sign-on infrastructures!
I think it might be that they are just damn scared that automating the clicking of buttons, build processes etc. will do them out of a job! It really makes me grumpy that people don't move with the times; there are so many examples where I could save days and days of work by putting in a little bit of effort or modifying the infrastructure to support automation. Are we still in the year 2003, people!!!!
Since Grumpy Admin has been in the office, things are getting better: the whole office knows about PowerShell and my boss tends to use PowerShell every now and then! But there is only so much a solitary voice can do!
I had trouble explaining to my boss how important DSC is, that it's the tech we need to be experts in now, if not for our current roles then for our next roles, when we are replaced by someone who does know DSC! (My vain attempt to use his fears against him to make him change!)
Just yesterday I had to step in and stop my boss from doing crazy shit! He was trying to add a domain user account to a local group on each server we have, one box at a time.
He was getting bored of logging on to each box, so I did it in a few mouse clicks by configuring a Restricted Groups setting in an AD group policy! While not PowerShell or DSC, this example kind of shows the type of work method still used in my workplace.
So I thought I would create a blog series on DSC in between other blog posts, because you would get bored of just reading about DSC every time I post, right?
So let's start.
DSC: a simple overview!
I was introduced to DSC by Don Jones, an MVP who runs PowerShell.org. I had seen the notes on the release, but at that time it didn't really click how important DSC is and will be for the future of Windows. Nano Server wasn't announced and somehow I was blind to the roadmap of the Windows product line! (Talking 2014; lots has changed since then!!!)
If you're doing PowerShell and you've not come across any of Don Jones' work or webcasts, then you're doing something wrong. He runs the powershell.org website, wrote some great books and I have learned lots from him. He gives lots away for free, like eBooks. A true MVP!
Now DSC came in version 4 of PowerShell, and as with everything in PowerShell it gets better with time! You can even install Windows Management Framework 4 on Windows Server 2008 R2.
DSC does what it says on the tin! Desired State Configuration.
Simply put, it defines what you want the computer's state to be. If you want a server to always have IIS and various IIS configuration settings, then define a configuration and it will be applied. Once DSC is configured on that server it will just work: if there is configuration drift, the change will be reverted! You define your configuration once, apply it, and it ensures the node is always compliant. That is what we want, isn't it guys!
Something Don Jones said in a webcast once (I've seen so many I can't remember which) has stuck with me:
“PowerShell allows you to script your work friends out of a job”.
Sadly, my boss is still here and there's no sign of my promotion to his spot yet! I might have to invite the BOFH and install a lift shaft!
With PowerShell and DSC, you no longer really need a massive team to deploy and run an infrastructure.
How does DSC work under the hood? I hear you screaming.
Now the key to DSC is MOF!
MOF is a text-based definition format. It's an open industry standard: Microsoft doesn't own the MOF format, they are part of the working group that defines it, so you can use MOF, and hence DSC, to configure non-Windows machines as well. That's right, you can use DSC to configure Linux as well!
MOF stands for Managed Object Format.
While I'm pasting in links, here is an MSDN link with more information about MOF and how it works, i.e. using CIM etc.
So the bottom line is that PowerShell creates a MOF file which defines the actual configuration, and the MOF file is applied on the target computer, often referred to as the target node.
This reinforces the change in mentality in server operations over the last 8-10 years, which my company has yet to catch up with... I am actually going to get this motto printed on a t-shirt!
“Treat Your Servers As Cattle, Not Pets”
Here is another great image from Microsoft on DSC and MOF; as they say, a picture paints a thousand words.
Now, as I perhaps have mentioned before, there are push and pull methods of applying MOF files to a target node. You either send the MOF to the node, or the node is configured to look on a pull server for its configuration settings. From then on it's down to the Local Configuration Manager.
The Local Configuration Manager (LCM), once it has the information it needs, just does its thing! The LCM checks the MOF and then calls the appropriate DSC PowerShell resources to make it happen. If a DSC resource isn't in the base Windows Management Framework build, you have to make sure the node has access to that resource.
A DSC resource is a script module which you can author yourself, so you can customize. But Grumpy Admin is a lazy admin, and chances are someone somewhere has already done what you want to do! Let them do the heavy work.
Now, as hinted at, the LCM is packaged with the Windows Management Framework starting from version 4. So this tech has been out for ages and is going from strength to strength with each version. I think I also mentioned you can install Framework 4 on Windows Server 2008 R2. Framework 5 and higher might have higher requirements; check the readme notes, guys! RTFM.
The LCM is itself configurable with a few options: settings like whether you use the push or pull method, how often you check for updates, and other stuff! Useful!!!
When the LCM gets its marching orders and kicks off a DSC resource, the resource script first checks what state the node is in. I mean, why would it set a value if it's already set? DSC is lazy like me, I guess!
Take a registry setting or a role on the target node. It will check whether that node has the registry setting configured or the role installed, and if not, set it or install the role!
*(Picture shamelessly stolen off Google; thanks to whoever made it!)
WOW, simple, right? As you will see later in this blog series, DSC can be added to VMM as well: deploy a base server, throw a MOF at it and poof, it becomes what you want it to be! Need a new web server? A few clicks, done!
Naturally you need the supporting infrastructure in place for this type of deployment!
Now, as mentioned, there are two methods to get configuration settings to a target node. You can push a configuration right to the target node; you have to use the Start-DscConfiguration cmdlet for this! Here is the Get-Help on the Start-DscConfiguration cmdlet! (Wow, some PowerShell in this PowerShell-focused blog!)
Simple! This makes compliance and consistent deployment even easier really. Think of this scenario:
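Here is an added example of what that push looks like end to end (my code for this post, not from the original post or from Microsoft): a configuration declaring the IIS role and a registry value, compiled to MOF and pushed with Start-DscConfiguration. The node name WEB01 and the registry key under HKLM\SOFTWARE\GrumpyAdmin are hypothetical placeholders, and the node is assumed reachable over WinRM with WMF 4 or later.

```powershell
# Added example (not from the original post): author a configuration,
# compile it to MOF and push it to a node with Start-DscConfiguration.
# Assumes WMF 4.0+ on both ends; 'WEB01' and the registry key are
# hypothetical placeholders.

Configuration WebServerBaseline {
    param (
        [string[]]$NodeName = 'localhost'
    )
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node $NodeName {
        # Role check: the resource's Test step sees whether Web-Server is
        # already installed and only calls Set (installs it) when it is not.
        WindowsFeature IIS {
            Name   = 'Web-Server'
            Ensure = 'Present'
        }

        # Registry check: the value is only written when the current value
        # differs from the declared one (hypothetical key and value name).
        Registry BaselineMarker {
            Key       = 'HKEY_LOCAL_MACHINE\SOFTWARE\GrumpyAdmin'
            ValueName = 'Baseline'
            ValueData = '1'
            ValueType = 'Dword'
            Ensure    = 'Present'
        }
    }
}

# Compiling the configuration writes .\WebServerBaseline\WEB01.mof
WebServerBaseline -NodeName 'WEB01' -OutputPath .\WebServerBaseline

# Push the MOF to the node; -Wait -Verbose shows the LCM's Test/Set calls
Start-DscConfiguration -Path .\WebServerBaseline -ComputerName 'WEB01' -Wait -Verbose

# Ask the node's LCM to re-run every resource's Test; $true means compliant
Test-DscConfiguration -CimSession (New-CimSession -ComputerName 'WEB01')
```

Run the push a second time and the verbose output shows every resource returning from its Test step without calling Set, which is the "lazy" behaviour described above.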
- I have 10 IIS servers in a farm and I want to modify the configuration settings of them all.
- I can connect to all of them and do it manually.
- I could write a simple PowerShell script that remotes in and makes the configuration change.
- I can just push a new DSC configuration out with the changes.
- Or, even better, I could publish the DSC configuration to a pull server and let the nodes just grab the configuration and configure themselves.
That sounds so easy, and it's clear to see which option you really want to choose in a production environment... The pull server would house all the configurations and should be accessible to each of the target nodes. Typically an HTTPS web server is chosen to host it, but HTTP and SMB are also supported models! SERIOUSLY... security guys... THINK!!!! Let's go with HTTPS, shall we!
Going back to Don Jones, he says the following:
“push is for testing and setting up pull configurations.”
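That quote is exactly how a pull client gets set up: the LCM's own settings are a configuration that you push once. The added example below (mine, not from the post) writes an LCM meta-configuration that switches a node to pull mode, refuses a plain-HTTP pull server, and sets the check intervals mentioned above. It uses the WMF 4 syntax; WEB01, the pull server URL and the configuration GUID are hypothetical placeholders.

```powershell
# Added example (not from the original post): LCM meta-configuration for a
# pull client. WMF 4.0 syntax; 'WEB01', the URL and the GUID are placeholders.

Configuration PullClientLcm {
    param (
        [string]$NodeName,
        [string]$PullServerUrl,
        [string]$ConfigurationId
    )
    Node $NodeName {
        LocalConfigurationManager {
            ConfigurationID                = $ConfigurationId   # node fetches <GUID>.mof
            RefreshMode                    = 'Pull'
            # ApplyAndAutoCorrect is the mode that reverts drift;
            # ApplyAndMonitor would only report it in the event log.
            ConfigurationMode              = 'ApplyAndAutoCorrect'
            RefreshFrequencyMins           = 30   # how often to ask the pull server
            ConfigurationModeFrequencyMins = 30   # how often to re-check compliance
            RebootNodeIfNeeded             = $false
            DownloadManagerName            = 'WebDownloadManager'
            DownloadManagerCustomData      = @{
                ServerUrl               = $PullServerUrl
                AllowUnsecureConnection = 'false'   # HTTPS only; refuse plain HTTP
            }
        }
    }
}

$id = [guid]::NewGuid().ToString()
PullClientLcm -NodeName 'WEB01' `
              -PullServerUrl 'https://pull.example.test:8080/PSDSCPullServer.svc' `
              -ConfigurationId $id `
              -OutputPath .\PullClientLcm

# The "push is for setting up pull" step: compiling wrote WEB01.meta.mof,
# and this pushes it into the node's LCM.
Set-DscLocalConfigurationManager -Path .\PullClientLcm -ComputerName 'WEB01' -Verbose

# Read the settings back and confirm RefreshMode is now Pull
Get-DscLocalConfigurationManager -CimSession 'WEB01'
```

The $id value is the name the pull server expects for that node's MOF, so keep it with the configuration you publish there.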
Remember, DSC is all about automatically deploying stuff and configuration settings, and making things simpler. Simpler means less work, which means Grumpy Admin can do more while doing less, fitting right in with my Lazy Admin mentality!
Look forward to the next post in this series, where we will start to play and build a pull server by pushing a configuration to it!