email based command prompt process


Dave H

Does anyone know a way that an email could be received by
a system that would spawn a command prompt process
automatically for something such as unlocking a network
account with security?

For instance joe's account is locked. You send an email
to a system with the subject line unlock joe 5555 (5555
being some type of changeable password to prevent
unauthorized use).

Once the email is received it spawns the "net user
username /active:yes /DOMAIN" command on the system.
 
I have pondered this in my head many times but have never done anything
about it. But, when I get around to doing it, this is what I'll try. This
would be for me to be able to e-mail my computer at home and have it send me
files and what not.

1. Trap new mail event in Outlook and check for new mail items that are
from me. All mail items would be moved to a secondary folder after being
checked, since the new mail event does not have a reference to the new items
that have arrived. So, on each new mail event, you'd have to loop through
all the items in the inbox.

2. When an e-mail that appears to be from me is found, I would have some
sort of basic security routine that would verify the originating mail server
was my mail server from work or something along those lines. Or maybe I'd
have a "catch phrase" that has to be in the e-mail that changes every hour
or day or something.

3. Allow for custom commands in the e-mail like:
SHELL: cmd.exe /c {some command}
FILE: SENDFILE "C:\Path\To\File" (e-mail address removed);
(e-mail address removed)
COMMAND: reboot|start FTP service|etc.

This would all have to be custom programming mostly within Outlook (my mail
client of choice). So, if you consider something along these lines, I
suggest the .outlook.program_vba group for the Outlook programming help.

Ray at work
 
You could pretty easily do this in perl with a POP3 module to read a mailbox... However who would be requesting the
unlock? The User? They are currently locked out.

I would recommend actually setting up a web page that they can surf to for this functionality. In fact if you want to
buy something, this is part of the functionality of the tool called PSYNCH from MTEC. You can set up actual question and
answer profiles or use securids for the authentication if you would like as well.
 
Dave H said:
Does anyone know a way that an email could be received by
a system that would spawn a command prompt process
automatically for something such as unlocking a network
account with security?

For instance joe's account is locked. You send an email
to a system with the subject line unlock joe 5555 (5555
being some type of changeable password to prevent
unauthorized use).

Once the email is received it spawns the "net user
username /active:yes /DOMAIN" command on the system.

Interesting concept, but I see a few pitfalls...

First, you would need some process to be always running (or scheduled to run
periodically) under credentials that would allow access to the mailbox being
used for the purpose. I would recommend WSH over a batch file approach,
because that would give you more control over the process, as well as more
options for processing the mail.

Next, you would need some authentication process that is a bit more subtle
than passing a (changeable?) password in plain text. If you are running in a
closed, homogeneous system with, say, exchange server for email, one way to
do this would be to allow the mailbox to receive messages only from a
distribution list that would be populated with those accounts authorized to
manage accounts.

Suppose that, once you send the e-mail to unlock Joe's account, he calls an
hour later to say he still cannot get in. How do you figure out what (if
anything) went wrong? Perhaps the process should e-mail you back a log
indicating success or giving a reason for the failure.

Depending on your environment (i.e. how "closed" it is), I would be most
concerned about security issues. If the e-mail was going to traverse the
internet at all, for example, I would pay particular attention to ensuring
that:

- no actual security tokens (i.e. account names or passwords) were passed in
plain text.

- the types of administrative tasks that could be performed be limited to
the more benign ones. Unlocking would be OK, but it should not enable a
disabled account, set a password, create or delete accounts, or modify any
security settings.

If you are in a more "closed" system, it might be reasonable to do a bit
more. I think, however, that, while it might work in most cases, you might
spend more time coding the parts that allow you to determine what went wrong
in those cases where it did not work.


/Al
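One way to build the mail-command gate that Ray's steps 2-3 and Al's pitfalls describe (a sender allowlist, an hour-scoped catch phrase instead of a plaintext password, an allowlist of benign actions only, and a result that can be mailed back as the log), as an added example that is not code from anyone in this thread. The shared secret, sender addresses and the argv template are constructed placeholders; the function returns the argv it would run rather than executing anything.

```python
import hmac
import hashlib
import re
import time

# Added example, not from the thread. Secret and sender list are constructed placeholders.
SHARED_SECRET = b"replace-with-a-long-random-secret"
AUTHORIZED_SENDERS = {"dave.h@example.com", "al@example.com"}
# Only benign actions are allowed; each maps to an argv list, never a shell string.
# "unlock" uses the command quoted in the thread; {user} is filled in after validation.
ALLOWED_ACTIONS = {
    "unlock": ["net", "user", "{user}", "/active:yes", "/DOMAIN"],
}
SUBJECT_RE = re.compile(r"^(?P<action>[a-z]+)\s+(?P<user>[A-Za-z0-9._-]{1,20})\s+(?P<token>[0-9a-f]{16})$")


def hourly_token(user: str, action: str, now: float, secret: bytes = SHARED_SECRET) -> str:
    """Hour-scoped token replacing the static '5555': HMAC over hour, action and user."""
    hour = int(now // 3600)
    msg = f"{hour}:{action}:{user}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]


def authorize(sender: str, subject: str, now: float, seen_tokens: set,
              secret: bytes = SHARED_SECRET) -> dict:
    """Validate one mail item; the returned dict doubles as the log line mailed back."""
    if sender.lower() not in AUTHORIZED_SENDERS:
        return {"ok": False, "reason": f"sender {sender} not authorized", "argv": None}
    m = SUBJECT_RE.match(subject.strip())
    if not m:
        return {"ok": False, "reason": "subject does not match '<action> <user> <token>'", "argv": None}
    action, user, token = m.group("action"), m.group("user"), m.group("token")
    if action not in ALLOWED_ACTIONS:
        return {"ok": False, "reason": f"action {action!r} is not permitted", "argv": None}
    # compare_digest avoids timing leaks; the token is bound to this hour, action and user
    if not hmac.compare_digest(token, hourly_token(user, action, now, secret)):
        return {"ok": False, "reason": "token invalid or expired", "argv": None}
    if token in seen_tokens:  # a captured mail replayed within the same hour is refused
        return {"ok": False, "reason": "token already used", "argv": None}
    seen_tokens.add(token)
    argv = [a.format(user=user) for a in ALLOWED_ACTIONS[action]]
    return {"ok": True, "reason": f"{action} {user} accepted", "argv": argv}


if __name__ == "__main__":
    now = time.time()
    seen = set()
    subject = f"unlock joe {hourly_token('joe', 'unlock', now)}"
    print(authorize("dave.h@example.com", subject, now, seen))
    # A second copy of the same mail is rejected as a replay
    print(authorize("dave.h@example.com", subject, now, seen))
```

The accepted argv would be handed to a subprocess call without a shell, and the "reason" string mailed back to the sender so a failed unlock can be diagnosed, as Al suggests.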
 
Joe Richards said:
You could pretty easily do this in perl with a POP3 module to read a
mailbox... However who would be requesting the
unlock? The User? They are currently locked out.

LOL. Like I say to any third party who asks me to reset a password "for a
colleague": "Sure, I will set a new password and then e-mail it to them!".
Similarly, I am sure that, at some point, someone has asked why we do not
have a page on our intranet where people could issue password reset and
account creation requests! If so, it must have been the guy who prepared a
powerpoint that each user should see on first logon showing, among other
things, how to actually logon.

/Al
I would recommend actually setting up a web page that they can surf to for
this functionality. In fact if you want to
buy something, this is part of the functionality of the tool called PSYNCH
from MTEC. You can set up actual question and
 
Mostly this would be for the domain admins. They
frequently get calls at night to unlock an account,
restart a problem service, reboot a server, etc. If they
don't have immediate access to a computer then they have a
problem. They have remote access to the network, so if a
computer is available there is no problem.

We wanted to use cell phones to handle the most frequent
issues as mentioned above, but not complete administration
as would be available with some pda type solutions.

Do you know of any software able to read pop3 mailboxes
without the need to find a perl programmer?
-----Original Message-----
You could pretty easily do this in perl with a POP3
module to read a mailbox... However who would be
requesting the
unlock? The User? They are currently locked out.

I would recommend actually setting up a web page that
they can surf to for this functionality. In fact if you
want to
buy something, this is part of the functionality of the
tool called PSYNCH from MTEC. You can set up actual
question and
answer profiles or use securids for the authentication if you would like as well.
 
If anyone is interested, I found an application called
VAMP (Virdi Advanced Mail Processor) at
http://www.downloadsarea.com/ApplicationsDesc.asp?id=4606 .
It reads pop3 email accounts and can perform
multiple processes such as run external based applications
or batch files based on filters you design. I was able to
successfully unlock accounts as I had hoped, and will see
what I can do for security and variables.
 
Yeah I would love to see the following future for coming up on the LAN.

1. New User's manager submits a request for a new user a day or an hour in advance. When request is made some pass
phrase is submitted (or sent back) to gain access to the account (not the password - just an identifier). This is the
phrase that the manager gives to the new user or puts it at their desk.
2. New User's account is established. Back end systems get proper updates.
3. User sits down at new PC and starts it. PC comes up on a closed network like the cable modem folks use when the MAC
hasn't been OK'd for use yet.
4. PC asks for authentication or has a NEW USER button or has "I NEED A PASSWORD RESET" button.

5. If user has ID and password (or biometric or smartcard or securid), they logon and get connected to the real network.
When they log off they get disconnected from the real network.

6. If user hits NEW USER the following occurs.
7. It asks for your name and the pass phrase.
8. System figures out your userid (DB lookup) and asks you to set a secure password and gives you a little walkthrough
of what a secure password is. It then checks outside of the main system to see if it is secure and if it isn't gives
hints as to WHY it isn't secure. It tells the user what their ID is so they can logon successfully. It also asks
questions to be used in the event of a password reset/unlock.
9. Finally once your password is set, you get presented with an application that walks you through the process of logon
and how to access this that or the other thing and answers various questions that apply to everyone in the company (like
this is a family, be nice, be PC, don't pinch that cute girl's butt no matter how much it calls out to you, etc) and
maybe some special stuff for the division (like you aren't allowed to share info with the marketing branch since your
dev or whatever) or branch or site (like bathrooms are here and here) or whatever (all based on the info the manager
used during the create submit). It then TESTS you on some of the items to make sure you read it and didn't just click
through it going I KNOW I KNOW I KNOW PISS OFF I KNOW. Also if there are any special non-disclosure things or other
items that need an OK, you do it now.
10. Once all of that is done, user is sent back to main logon screen where they get to test that they remember their
userid and logon and can follow directions.


11. If the user hits the "I NEED A PASSWORD RESET" button it asks for current password and ID. If unknown it asks for
securid, if unknown, it asks the questions that were previously selected and answered by the user. This can actually be
done via mod to the gina and web page and I believe our client people are working on it. It will log a local unknown
user onto the machine with no local access other than to run IE which will connect to our PSYNCH web site to allow the
user to set a password.


The middle section is the fun section.

Also note that ANY time a user needs a password reset or an account unlock, their manager gets an email about it. At the
end of the month or every quarter the manager gets an email of every user who needed an unlock or reset. This way anyone
having troubles with the system gets flagged and the manager is aware of it so they can help out with the proper
training as required.

Oh yeah, if the machine doesn't have the proper software to do the LAN switching business (i.e. corporate loaded
machines), they never see anything but the private network which they can't see any peers on and can only get to the one
web server that is there for them for the above work.


These are called big corporate system dreams...

joe

--
Joe Richards
www.joeware.net
 
Lots to comment on down below...

Joe Richards said:
Yeah I would love to see the following future for coming up on the LAN.

1. New User's manager submits a request for a new user a day or an hour
in advance. When request is made some pass
phrase is submitted (or sent back) to gain access to the account (not the
password - just an identifier). This is the
phrase that the manager gives to the new user or puts it at their desk.

E-mail processing logic would need to understand PHB-speak, or be able to
explain in a reply to the manager exactly what was wrong with the syntax of
the request in a way that the manager would be able to easily understand and
fix the problem. Obviously, this type of functionality would be better
presented through a web interface.
2. New User's account is established. Back end systems get proper updates.

Identity of the manager as someone with the ability to authorize a new
access would have to be guaranteed - perhaps easier by e-mail than a web
interface.
3. User sits down at new PC and starts it. PC comes up on a closed network
like the cable modem folks use when the MAC
hasn't been OK'd for use yet.

Eek, yet more infrastructure to build and maintain...
4. PC asks for authentication or has a NEW USER button or has "I NEED A
PASSWORD RESET" button.

Eeks, yet more security code to write and make bullet-proof and auditable.
5. If user has ID and password (or biometric or smartcard or securid),
they logon and get connected to the real network.
When they log off they get disconnected from the real network.

Hopefully this will become part of the o/s, as that is where this type of
coding belongs.
6. If user hits NEW USER the following occurs.
7. It asks for your name and the pass phrase.

Name? We are an organization of moderate size (under 20,000 users), but I
personally know of at least four pairs of users with duplicate names.

passphrase? Was this specified by the manager and then communicated to the
new user? How would this be protected from misuse/abuse by others (including
the manager himself)?

How many retries would the person get?
8. System figures out your userid (DB lookup) and asks you to set a secure
password

Meaning that the account was created without a password? Or that the
password was the passphrase?
and gives you a little walkthrough
of what a secure password is. It then checks outside of the main system to
see if it is secure and if it isn't gives
hints as to WHY it isn't secure. It tells the user what their ID is so
they can logon successfully. It also asks
questions to be used in the event of a password reset/unlock.

Necessary in the internet environment where the user could be anywhere, and
so could the help desk. But those questions and answers need to be kept very
secure, even to the extent that the help desk people never become aware of
what they are.
9. Finally once your password is set, you get presented with an
application that walks you through the process of logon
and how to access this that or the other thing and answers various
questions that apply to everyone in the company (like
this is a family, be nice, be PC, don't pinch that cute girl's butt no
matter how much it calls out to you, etc) and
maybe some special stuff for the division (like you aren't allowed to
share info with the marketing branch since your
dev or whatever) or branch or site (like bathrooms are here and here) or
whatever (all based on the info the manager
used during the create submit). It then TESTS you on some of the items to
make sure you read it and didn't just click
through it going I KNOW I KNOW I KNOW PISS OFF I KNOW. Also if there are
any special non-disclosure things or other
items that need an OK, you do it now.

All useful and important things, no doubt, but the new user is in a hurry to
get to work, and will often do whatever it takes to get past this stuff
without remembering what has been displayed on the screen.
10. Once all of that is done, user is sent back to main logon screen where
they get to test that they remember their
userid and logon and can follow directions.

Whew! I find that our users get more out of the above process when they drop
in to get their passwords in person, and have the opportunity to logon and
ask questions of a human.
11. If the user hits the "I NEED A PASSWORD RESET" button it asks for
current password and ID. If unknown it asks for
securid, if unknown, it asks the questions that were previously selected
and answered by the user.

securid? where did that come from? And if rarely used, how can we expect the
user to reasonably remember it?

questions? I have a friend who makes it a habit to NEVER give the correct
answer to these questions. His mother's maiden name is noted as different on
all twenty of the services he subscribes to, because he does not trust them
not to use that personal information to access his bank account (for
example). Of course, he now needs to remember twenty passwords PLUS twenty
phony maiden names. But real security is often not simple.
This can actually be
done via mod to the gina and web page and I believe our client people are
working on it. It will log a local unknown
user onto the machine with no local access other than to run IE which will
connect to our PSYNCH web site to allow the
user to set a password.


Eek, yet more infrastructure to build and maintain...
The middle section is the fun section.

Also note that ANY time a user needs a password reset or an account
unlock, their manager gets an email about it.

So then, company org chart changes must be reflected in the account
database...
At the
end of the month or every quarter the manager gets an email of every user
who needed an unlock or reset. This way anyone
having troubles with the system gets flagged and the manager is aware of
it so they can help out with the proper
training as required.

My manager wouldn't want to be bothered with micromanaging to that level. I
also consider that a person's transactions with the network and the admins
are confidential. I find I get really good cooperation from users when they
finally realize that we are there to help them get back online, not to
tattletale to their supervisor about their troubles with the technology.

To those that do have trouble with passwords I say: "I don't care how often
you have password problems - call us so that you can avoid getting behind in
your work". We are also the best source they have of suggestions for ways to
manage passwords.
Oh yeah, if the machine doesn't have the proper software to do the LAN
switching business (i.e. corporate loaded
machines), they never see anything but the private network which they
can't see any peers on and can only get to the one
web server that is there for them for the above work.

That is easy for us - it is just illegal for anyone to put anything other
than a properly configured system on the network.
These are called big corporate system dreams...

.... of someone who wants to downsize the network admin department,
perhaps???

/Al ;-)
 