Lab: Operating System Services

Overview

This lab will demonstrate how to manage and configure services on the Windows and Linux operating systems. You will use the file sharing services you configured in the previous lab, so it's important that you complete the previous lab before starting this one.

Learning Objectives

Upon completion of this lab, you should be able to:
- Demonstrate and explain how to start, stop and check the status of a service on the Windows and Linux operating systems.
- Understand how to monitor a service locally on the server as well as remotely.
- Understand how a service logs its activity.

Lab Breakdown

This lab consists of 3 parts:
- In part one you will explore how the Linux operating system uses and manages services.
- In part two you will explore how the Windows operating system uses and manages services.

Requirements

Before you start this lab you will need to:
- Complete the server lab before this lab. You must have Windows file sharing set up on both your centos5 and win2008 virtual machines prior to starting this lab.
- Have these virtual machines:
  Win2008 (Windows Server 2008) – acting as a server
  Centos5 (CentOS Linux 5) – acting as a server
  Win7 (Windows 7) – acting as a workstation

Start up the Win2008, Centos5 and Win7 virtual machines:
- Logon to Win2008dc as Administrator (the account with the most access on the Windows platform)
- Logon to Centos5 as root (the account with the most access on a *nix platform)
- Logon to Win7 as user (a non-privileged account)

Remember, in all cases, the password is SU2orange!

This lab uses the same setup as the previous lab, so it is important that you complete the previous lab before attempting this one!

Part 1 – Linux Services

In this section, we will demonstrate service management on the Linux operating system.

Checking, Starting and Stopping Services

From the Centos5 terminal window:

Let's check to see if the samba service is running. To see if any service is running under Linux, we type service [name] status.
For example, to see if the smb portion of the Samba service is running, type:

[root@centos5]# service smb status

If the service is running you should see:

smbd (pid …) is running…

Recall: a pid corresponds to a unique number for the running process. If the service is NOT running, you will see:

smbd is stopped

The pid (program id) will vary on each system, so you and your neighbor in the lab probably won't have the same PID. If your Samba service is not running you can start it by typing:

[root@centos5]# service smb start

As the service starts, you will see a status message; usually it will be [ OK ].

Here are the remaining service commands. Try each of these:
- To stop the smb service, type: service smb stop
- To start the smb service, type: service smb start
- To restart (stop then start) the service, type: service smb restart

Again, give each of these commands a try. Play around a bit, but when you're done, make sure the service is started.

If that weren't enough, the Samba service consists of TWO network services. These are:
- smb – implements the file and printer sharing service for Samba
- nmb – implements the name resolution service for Samba

Make sure to start the nmb service, too. Type:

[root@centos5]# service nmb start

Configuring the service to run at startup (when the computer boots)

It can be a real bummer to have to boot the server, logon as root and then start the service manually. It would be nice to be able to configure the service to run at startup, no? Luckily we can configure our server to do this.

Unix and Linux operating systems automatically start services based on the pre-determined runlevel. There are 7 runlevels on a Unix system, numbered 0 through 6. I strongly suggest reading this link to learn more about runlevels: The common runlevels for production servers are 3 and 5. Let's explore the startup services.

From the Centos5 terminal window:

Let's see what services are slated to run at startup. Type:

[root@centos5]# chkconfig --list

Whoa, that's a big list.
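Reading a list that size by eye is error-prone, so here is an added example (not part of the lab, and not a CentOS tool) that answers the question "is this service enabled at that runlevel?" from chkconfig-style output. The three service lines are constructed to look like what chkconfig --list prints; the service names and their on/off values are made up for the example.

```shell
#!/bin/sh
# Added example (not from the lab): decide from "chkconfig --list" style
# output whether a service is enabled at a given runlevel.
# The sample below is constructed in the format of chkconfig's
# "name 0:off 1:off ... 6:off" lines; it is not captured from a real host.

SAMPLE_CHKCONFIG='smb             0:off   1:off   2:on    3:on    4:on    5:on    6:off
nmb             0:off   1:off   2:off   3:off   4:off   5:off   6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off'

# enabled_at_runlevel SERVICE RUNLEVEL
# Prints "on" or "off" for the service at that runlevel; returns 2 if the
# service does not appear in the list at all.
enabled_at_runlevel() {
    _svc=$1; _rl=$2
    _line=$(printf '%s\n' "$SAMPLE_CHKCONFIG" | awk -v s="$_svc" '$1 == s')
    [ -n "$_line" ] || return 2
    # pick the "N:state" field whose N matches the requested runlevel
    printf '%s\n' "$_line" | awk -v rl="$_rl" '{
        for (i = 2; i <= NF; i++) {
            split($i, kv, ":")
            if (kv[1] == rl) { print kv[2]; exit }
        }
    }'
}

# services_missing_at_runlevel RUNLEVEL SERVICE...
# Lists which of the named services are NOT enabled at that runlevel; this
# is the check you want after "chkconfig smb on" and "chkconfig nmb on".
services_missing_at_runlevel() {
    _rl=$1; shift
    for _s in "$@"; do
        [ "$(enabled_at_runlevel "$_s" "$_rl")" = "on" ] || printf '%s\n' "$_s"
    done
}

# Usage: which Samba daemons still need "chkconfig <name> on" for runlevel 3?
services_missing_at_runlevel 3 smb nmb
```

On a real CentOS 5 host you would replace the embedded sample with the output of chkconfig --list; the parsing is the same. The two-function split matters for scripting: the first answers one question, the second turns it into a boot-time checklist for the services your server is supposed to provide.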
It scrolls by too fast. Try piping the results to more:

[root@centos5]# chkconfig --list | more

You can then check the list a page at a time by pressing the space bar.

You can also check the runlevels of a specific Samba service, such as smb, with this command:

[root@centos5]# chkconfig smb --list

You should see output like this, noting the service will not start at any runlevel:

smb 0:off 1:off 2:off 3:off 4:off 5:off 6:off

To configure the Samba service to start when the computer boots, turn it on. Type:

[root@centos5]# chkconfig smb on

then type:

[root@centos5]# chkconfig smb --list

to see that the service is now configured for those runlevels:

smb 0:off 1:off 2:on 3:on 4:on 5:on 6:off

Note: you can disable services from running at startup with:

chkconfig [service] off

but I don't recommend just shutting off services unless you fully understand the impact of doing so! It's one thing to turn off a service you started; it's another thing to stop one you know nothing about!

At this point, let's configure both the smb and nmb services to run at startup. To do this, you would enter:

[root@centos5]# chkconfig smb on
[root@centos5]# chkconfig nmb on

Linux Service Monitoring and Logging

One important aspect of providing a service is keeping tabs on it. This means viewing active connections and keeping a recorded history of service activity. Watching events in real-time is called monitoring. As we learned in lecture there are 3 levels of monitoring (Ping, Port and Service), also known as PPS.

You can monitor a service locally or remotely. For example, it doesn't make sense to ping a service from the same host on which the service is running, but it does make sense to monitor the service from the host it's running on.

For example, the win2008 server IP address is 192.168.80.10. So we could ping that host as a crude method for monitoring its uptime. The problem is that doesn't tell us anything about the service being up and running – it only gives us information about the server.
[root@centos5]# ping -c 4 192.168.80.10
PING 192.168.80.10 (192.168.80.10) 56(84) bytes of data.
64 bytes from 192.168.80.10: icmp_seq=1 ttl=128 time=2.83 ms
64 bytes from 192.168.80.10: icmp_seq=2 ttl=128 time=0.390 ms
64 bytes from 192.168.80.10: icmp_seq=3 ttl=128 time=0.374 ms
64 bytes from 192.168.80.10: icmp_seq=4 ttl=128 time=0.302 ms

Yeah! The server's up – but that tells us nothing about the service. Of course the inverse is more useful: if the server is down, the service is definitely down!

Monitoring services from the outside

One method for remotely monitoring a service is to check for the open TCP and UDP ports used by that service. If the ports aren't open, then the service can't be used. For example, the Samba / Windows File Sharing service requires 2 open TCP ports: 139 and 445. BTW: How do I know this? Experience. And a little help from this (this maps services to their port numbers).

In Linux, there is a command nmap which can be used to scan a server for open ports. Nmap is a useful utility because it checks which ports are open on your servers. Open ports are the channels by which workstations connect to your server to use a service. You should only have ports open for the services you need to provide to your users and workstations. And from a remote standpoint, nmap can help you figure out what services should (and shouldn't) be running.
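The port level of PPS monitoring is easy to automate once you treat nmap's port table as data. The script below is an added example, not something from the lab or from nmap itself: it extracts the open TCP ports from nmap's human-readable output, decides whether file sharing is reachable (both 139 and 445 open), and flags any open port that is not on the list of services the server is supposed to provide. The two scan outputs are constructed to resemble scans of centos5 before and after stopping smb; the port 22 and 631 entries and the "Not shown" counts are made up for the example.

```shell
#!/bin/sh
# Added example (not from the lab): turn nmap's port table into a yes/no
# answer for "is Windows file sharing reachable?" and flag any open port
# that is not on the server's expected list.
# Both scan outputs below are CONSTRUCTED in the style of nmap's output for
# centos5 (192.168.80.11) before and after "service smb stop".

SCAN_SMB_UP='Starting Nmap ( http://nmap.org )
Interesting ports on 192.168.80.11:
Not shown: 1676 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
631/tcp open  ipp'

SCAN_SMB_DOWN='Starting Nmap ( http://nmap.org )
Interesting ports on 192.168.80.11:
Not shown: 1678 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
631/tcp open  ipp'

# open_tcp_ports SCAN_OUTPUT -> one open TCP port number per line
open_tcp_ports() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+\/tcp$/ && $2 == "open" {
        split($1, p, "/"); print p[1]
    }'
}

# file_sharing_reachable SCAN_OUTPUT -> exit 0 only if BOTH 139 and 445 are open
file_sharing_reachable() {
    _ports=$(open_tcp_ports "$1")
    for _need in 139 445; do
        printf '%s\n' "$_ports" | grep -qx "$_need" || return 1
    done
    return 0
}

# unexpected_ports SCAN_OUTPUT "22 139 445" -> open ports not on the allow list,
# i.e. services you may not have meant to expose
unexpected_ports() {
    _allowed=" $2 "
    for _p in $(open_tcp_ports "$1"); do
        case "$_allowed" in
            *" $_p "*) ;;
            *) printf '%s\n' "$_p" ;;
        esac
    done
}

# Usage with the two constructed scans
if file_sharing_reachable "$SCAN_SMB_UP"; then echo "smb: reachable"; fi
if ! file_sharing_reachable "$SCAN_SMB_DOWN"; then echo "smb: NOT reachable"; fi
unexpected_ports "$SCAN_SMB_UP" "22 139 445"   # prints 631, which is not on the list
```

To use it against a live scan you would feed the function the output of nmap 192.168.80.11 instead of the embedded sample. The allow list is the point: the lab says you should only have ports open for the services you provide, and this turns that sentence into a check that can run after every change.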
Let's play around with this idea a bit.

First, let's port scan the win2008 server. Type:

[root@centos5]# nmap 192.168.80.10

It takes a while for the scan to complete, but when it's done you should see a list of open ports; included in that list should be ports 139 and 445. This tells us that Windows file sharing is available on win2008 (192.168.80.10).

Next, for grins, let's port scan our centos5 host. Type:

[root@centos5]# nmap 192.168.80.11

The scan should go much faster (after all, you are scanning a local computer) and when it's done you should see ports 139 and 445 once more.

Next, what I'd like you to do is turn off the smb service, and then do another port scan. This should help reinforce what's happening here, for when you turn off smb, ports 139 and 445 will no longer be open. Type:

[root@centos5]# service smb stop

You should see:

Shutting down SMB services: [OK]

Next, type:

[root@centos5]# nmap 192.168.80.11

Notice the smb ports are no longer open. Hopefully this makes more sense now!

Please make sure to turn the smb service back on. Type:

[root@centos5]# service smb start

And maybe, if you're feeling frisky, give it one more port-scan to verify the required ports are open.

Monitoring services from the inside

Depth in monitoring is important, and to really know what's going on with your services requires a diversified strategy. You should try to monitor your services from the outside (remotely) and from the inside (on the host itself).

You can use the smbstatus command to monitor active connections to your Samba file sharing service. This will tell you which workstations and users are connecting to the service.
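As an added example (not from the lab or from Samba), here is the "inside" view done programmatically, answering the same question from the two sources the lab contrasts: smbstatus -S output for what is connected right now, and the per-machine Samba log for what has happened over time. Both samples are constructed in the style of Samba 3 on CentOS 5; the share name "share", the workstation address 192.168.80.20, the pids and the timestamps are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the lab): "who is using the Samba share?" answered
# from two sources:
#   - smbstatus -S output  = what is connected RIGHT NOW (monitoring)
#   - the per-machine log  = what has happened over time (logging)
# Both samples are CONSTRUCTED in the style of Samba 3 on CentOS 5; the share
# name, the win7 address 192.168.80.20, pids and times are assumed.

SMBSTATUS_SAMPLE='
Service      pid     machine       Connected at
-------------------------------------------------------
share        3412    win7          Mon Mar  5 10:14:02 2012
IPC$         3412    win7          Mon Mar  5 10:13:59 2012
'

LOG_SAMPLE='[2012/03/05 09:02:11, 1] smbd/service.c:make_connection_snum(1033)
  win7 (192.168.80.20) connect to service share initially as user user (uid=500, gid=500) (pid 3290)
[2012/03/05 09:10:40, 1] smbd/service.c:close_cnum(1230)
  win7 (192.168.80.20) closed connection to service share
[2012/03/05 10:14:02, 1] smbd/service.c:make_connection_snum(1033)
  win7 (192.168.80.20) connect to service share initially as user user (uid=500, gid=500) (pid 3412)'

# active_sessions SMBSTATUS_OUTPUT -> "machine service" per live connection,
# skipping the header, the dashed rule and the IPC$ housekeeping connection
active_sessions() {
    printf '%s\n' "$1" | awk 'NF >= 4 && $1 != "Service" && $1 !~ /^-/ && $1 != "IPC$" {
        print $3, $1
    }'
}

# open_now_count SMBSTATUS_OUTPUT -> number of live share connections
open_now_count() { active_sessions "$1" | wc -l | tr -d ' '; }

# connection_history LOG_TEXT -> "machine connects closes" per machine, counted
# from the "connect to service" / "closed connection" lines in the log
connection_history() {
    printf '%s\n' "$1" | awk '
        / connect to service /   { c[$1]++ }
        / closed connection to / { d[$1]++ }
        END { for (m in c) print m, c[m] + 0, d[m] + 0 }' | sort
}

# Usage: the snapshot shows one live connection, the log shows it is the
# second connection from win7 today; only the log can tell you that.
echo "now:";     active_sessions "$SMBSTATUS_SAMPLE"
echo "history:"; connection_history "$LOG_SAMPLE"
```

On the real server you would pipe smbstatus -S and the log file from /var/log/samba into these functions. The difference in what each returns is the monitoring versus logging distinction the lab draws: the snapshot cannot tell you about a connection that closed a minute ago, and the log cannot tell you whether a connection is still open.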
For example, type:

[root@centos5]# smbstatus

but since nobody is using the service right now the output is kind of boring. So, let's connect to the service from the win7 workstation and do some things.

From the Win7 virtual machine:
- Click on Start -> Computer
- Double click on the L: drive (NOTE: If you don't see an L: drive, make sure you review the steps of the previous lab)
- You should see the message file inside the share. Double-click to open the message file.

That should be enough workstation activity to see what's happening back on the server.

Back in the terminal window of Centos5, type:

[root@centos5]# smbstatus -S

Please note, that's a capital "S". The output should be a little more interesting this time, showing you the workstation that is connecting to the service.

Note: you can also try the smbstatus -v command, which gives you more detailed information.

If monitoring is the Yin, logging is the Yang. Monitoring shows you activity in real-time, while logging gives you a recorded history of that activity over time. By default the Samba service appends all activity from your win7 computer to the file /var/log/samba/log.win7. You can use the tail command to see the last few connections made to the service. Type:

[root@centos5]# tail /var/log/samba/log.win7

Neato, eh?

Questions

What is the Linux command to start the smb service?
What is the Linux command to enable the samba service at startup?
What is the difference between runlevel 3 and runlevel 5?
What is the difference between monitoring a service and logging it?
When you consider what logging does, do you foresee any issues with very busy services that get logged?
(lots of workstations connecting to the service)
What is the relationship between a port (TCP / UDP) and a service?
What is the relationship between a server and a service?

Part 2 – Service Management on Windows

In this section, we will demonstrate service management on the Windows operating system.

Starting and Stopping Services

From the Win2008 command prompt:

Let's check to see if the Windows File Sharing service is running. The name of this service in Windows is LanmanServer. To see if the service is running, type:

sc query lanmanserver

You should see state "4", which means the service is running.

Tangent Time! You should be curious as to why it is called LanmanServer. Well, the original file sharing service was called LAN Manager, see: and it used a network protocol called Server Message Block, or smb for short. Hmm. Where have you heard that name before? Yes, Samba! Samba is an open-source implementation of the Server Message Block protocol. LAN Manager uses smb, and Samba uses smb. This is why the WinXP1 workstation can connect to both of them in the same manner – they implement the same protocol.

You can control services in Windows similar to the way you can in Linux. It should come as no surprise to you that the syntax is a little different:
- Start the service: sc start LanmanServer
- Stop the service: sc stop LanmanServer

There is no way to restart the service like in Linux. In Windows you have to execute a stop and then a start. Let's try out each of these three commands: start, stop, and query. Type in the following:

C:\users\Administrator> sc stop LanmanServer
C:\users\Administrator> sc query LanmanServer
C:\users\Administrator> sc start LanmanServer
C:\users\Administrator> sc query LanmanServer

When you're done playing around, make sure the service is started!

Configuring the service to run at startup (when the computer boots)

The same sc command can be used to view or edit the startup configuration for the Windows service.
Windows services don't use runlevels, so their implementation is a little more straightforward.

To view the current startup status for the service, type:

sc qc LanmanServer

You can see from the output the service is set to AUTO_START.

You can change whether the service will start at boot time, too, but I strongly discourage you from doing this. If you want to play around, fine, but make sure you leave it configured to start at boot time!

To disable the service from starting up at boot time:

sc config lanmanserver start= disabled

To enable the service so that it starts at boot time:

sc config lanmanserver start= auto

Service Monitoring and Logging

What about monitoring and logging on Windows? You can use the net session command to monitor active connections to your LAN Manager file sharing service. For example, type:

net session

but since nobody is using the service the output is kind of boring. So, let's connect to the service and do some things!

Once again, from the Win7 virtual machine:
- Click on Start -> Computer
- Double click on the W: drive (NOTE: If you don't see a W: drive, make sure you review the steps of the previous lab)
- You should see the message file inside the share. Double-click to open the message file.

That should be enough workstation activity to see what's happening back on the server.

Now back to the Win2008 server! Type in net session once more and you should see the following output:

Yes, there is our one connected session.

What about the logs, you say? Well, Windows has a shaky past when it comes to LAN Manager logging. For the longest time logging was disabled by default, and decisions like this led to Microsoft getting a reputation for not being serious about security (even though anyone who knows what they're doing can turn it on easily).
Anyway, Microsoft changed that setting with Windows 2008, and file sharing access is logged.

From the Win2008 virtual machine:
- Open the Event Viewer: Start -> Administrative Tools -> Event Viewer
- Click the Windows Logs folder and then the Security event log. You should see something similar to the following:
- Look through the most recent entries in the log for an event with Task Category of Credential Validation. If you double-click on it you should see the log entry for connecting to the share from the Win7 workstation.

Questions

What is the command to restart the LAN Manager Server service?
What is the command to turn on the Windows LAN Manager Server service at startup?
How does the act of monitoring differ from the act of logging?
In your opinion, which activity is more useful, monitoring or logging?
What type of information does monitoring tell you which logging cannot?
Which activity, monitoring or logging, would assist you in tracking down a security breach? Why?

Part 3 – Getting the Lab Checker Script Working

This lab is handed in using the provided lab-checker script. The script can be found in the same location where you got this lab. Here are the instructions:

One-time Pre-Script Setup for Win7

This script is designed to run from your win7 virtual machine. You will need to configure PowerShell properly. This is a one-time deal.
- From win2008x open Server Manager
- Click on the start button, type powershell in the search box.
- Right-click on the Windows PowerShell icon and choose Run as Administrator from the menu. This will force a UAC dialog; click Yes to launch PowerShell using administrator rights.
- At the blue PowerShell prompt, type set-executionpolicy unrestricted and press the enter key. At the confirmation prompt, type Y and press enter. You have now enabled scripts to run without restrictions.
This is required to run the lab-check scripts.
- At the blue PowerShell prompt, type get-executionpolicy and make sure it returns Unrestricted. If it does, you're ready to rock and roll.

Executing the Script to "check your lab"
- Make sure all the virtual machines you used in the lab are powered on and working properly.
- Open up your web browser inside the win7 virtual machine. Download the script: visit and right click on the script and choose "save target as"; save to your documents folder.
- Click on Start -> Documents to open the documents folder. Right click on the L01.Ps1 script in the documents folder, select Properties and click Unblock. If you don't do this you will see a "warning" each time you attempt to execute the script.
- Open the PowerShell command prompt. (Click start, type powershell, press the enter key)
- Move into the documents folder (where you stored the script): type cd documents into the PowerShell command prompt and press enter.
- Execute the script by typing: .\L01.ps1 and pressing enter.
- Follow along with the script output and answer any questions as they arise.
- When you think you've got it correct, email the lab to yourself and it will cc your instructor.

This concludes our lab.