IST346: Lab    Last Update: 9/24/2010 4:12 PM

Lab: Operating System Services

Overview

This lab will demonstrate how to manage and configure services on the Windows and Linux operating systems. You will use the file sharing services you configured in the previous lab, so it’s important that you complete the previous lab before starting this one.

Learning Objectives

Upon completion of this lab, you should be able to

  • Demonstrate and explain how to start, stop and check the status of a service on the Windows and Linux operating systems.
  • Understand how to monitor a service locally on the server as well as remotely.
  • Understand how a service logs its activity.

Lab Breakdown

This lab consists of 3 parts:

  1. In part one you will explore how the Linux operating system uses and manages services.
  2. In part two you will explore how the Windows operating system uses and manages services.
  3. In part three you will run the lab-checker script to hand in your work.

Requirements

Before you start this lab you will need:

  1. Complete the server lab before this lab. You must have Windows file sharing set up on both your Centos5 and Win2008 virtual machines prior to starting this lab.
  2. These virtual machines:
  3. Win2008 (Windows Server 2008) – acting as a server
  4. Centos5 (CentOS Linux 5) – acting as a server
  5. Win7 (Windows 7) – acting as a workstation
  6. Start up the Win2008, Centos5 and Win7 virtual machines:
  7. Logon to Win2008 as Administrator (the account with the most access on the Windows platform)
  8. Logon to Centos5 as root (the account with the most access on a *nix platform)
  9. Logon to Win7 as user (a non-privileged account)
  10. Remember, in all cases, the password is SU2orange!
  11. This lab uses the same setup as the previous lab. So it is important that you complete the previous lab before attempting this lab!

Part 1 – Linux Services

In this section, we will demonstrate service management on the Linux operating system

Checking, Starting and Stopping Services

From the Centos5 terminal window:

  1. Let’s check to see if the Samba service is running. To see if any service is running under Linux, we type service [name] status. For example, to see if the smb portion of the Samba service (smbd, the file server daemon) is running, type:
    [root@centos5]# service smb status
    If the service is running you should see:
    smbd (pid…) is running…
    Recall: a PID is the unique number that identifies a running process.
    If the service is NOT running, you will see:
    smbd is stopped
  2. The PID (process id) will vary on each system, so you and your neighbor in the lab probably won’t have the same PID. If your Samba service is not running you can start it by typing:
    [root@centos5]# service smb start
    As the service starts, you will see a status message; usually it will be [ OK ].
  3. Here are the remaining service commands. Try each of these:
  4. To stop the smb service, type: service smb stop
  5. To start the smb service, type: service smb start
  6. To restart (stop then start) the service, type: service smb restart
  7. Again, give each of these commands a try. Play around a bit, but when you’re done, make sure the service is started.
  8. If that weren’t enough, the Samba service actually consists of TWO network services:
  9. smb – implements the file and printer sharing service for Samba (smbd, listening on TCP ports 139 and 445)
  10. nmb – implements the NetBIOS name resolution service for Samba (nmbd, listening on UDP ports 137 and 138)
  11. Make sure to start the nmb service, too. Type:
    [root@centos5]# service nmb start

Configuring the service to run at startup (when the computer boots).

It can be a real bummer to have to boot the server, log on as root and then start the service manually. It would be nice to be able to configure the service to run at startup, no? Luckily we can configure our server to do this.

Unix and Linux operating systems automatically start services based on the pre-determined runlevel. There are 7 runlevels on a SysV-style Unix system, numbered 0 through 6. I strongly suggest reading this link to learn more about runlevels: the common runlevels for production servers are 3 (multi-user, text console) and 5 (multi-user with a graphical login). Let’s explore the startup services.

From the Centos5 terminal window:

  1. Let’s see what services are slated to run at startup. Type:
    [root@centos5]# chkconfig --list
    Whoa, that’s a big list. It scrolls by too fast. Try piping the results to more:
    [root@centos5]# chkconfig --list | more
    You can then check the list a page at a time by pressing the space bar.
  2. You can also check the runlevels of a specific service, such as smb, with this command:
    [root@centos5]# chkconfig --list smb
    You should see output like this, noting that the service will not start at any runlevel:
    smb 0:off 1:off 2:off 3:off 4:off 5:off 6:off
  3. To configure the Samba service to start when the computer boots, turn it on. Type:
    [root@centos5]# chkconfig smb on
    then type
    [root@centos5]# chkconfig --list smb
    to see that the service is now configured for the default runlevels 2 through 5:
    smb 0:off 1:off 2:on 3:on 4:on 5:on 6:off
    (If you only want it at runlevels 3 and 5, use chkconfig --level 35 smb on instead.)
  4. Note: you can disable services from running at startup with:
    chkconfig [service] off
    but I don’t recommend just shutting off services unless you fully understand the impact of doing so! It’s one thing to turn off a service you started; it’s another thing to stop one you know nothing about! Also note that chkconfig only changes what happens at the next boot. It does not start or stop the service right now; you still use the service command for that.
  5. At this point, let’s configure both the smb and nmb services to run at startup. To do this, enter:
    [root@centos5]# chkconfig smb on
    [root@centos5]# chkconfig nmb on
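The chkconfig --list review above, done as a script rather than a page at a time: which services come up at a given runlevel, and which of those are not on an allow-list of what the server is meant to provide. This is an added example and not code from the lab; the chkconfig output below is constructed in the format CentOS 5 prints (SysV services with seven runlevel columns, then an "xinetd based services:" section), and EXPECTED_AT_BOOT is an assumed allow-list you would replace with your own.

```python
"""Audit what will start at boot, from `chkconfig --list` output, instead
of eyeballing the list a page at a time.  Added example, not from the lab.
SAMPLE_CHKCONFIG_LIST is constructed in the format chkconfig prints on
CentOS 5 (SysV services with seven runlevel columns, then an
"xinetd based services:" section); EXPECTED_AT_BOOT is an assumed
allow-list standing in for what your server is actually meant to run.
"""
import re

SAMPLE_CHKCONFIG_LIST = """\
crond          \t0:off\t1:off\t2:on\t3:on\t4:on\t5:on\t6:off
cups           \t0:off\t1:off\t2:on\t3:on\t4:on\t5:on\t6:off
nmb            \t0:off\t1:off\t2:off\t3:off\t4:off\t5:off\t6:off
smb            \t0:off\t1:off\t2:on\t3:on\t4:on\t5:on\t6:off
sshd           \t0:off\t1:off\t2:on\t3:on\t4:on\t5:on\t6:off
xinetd         \t0:off\t1:off\t2:off\t3:on\t4:on\t5:on\t6:off
xinetd based services:
\trsync:\ton
\ttelnet:\toff
"""

# Assumed allow-list: what this file server is supposed to provide.
EXPECTED_AT_BOOT = {"crond", "sshd", "smb", "nmb"}

_SYSV_LINE = re.compile(r"^(\S+)\s+((?:\d:(?:on|off)\s*){7})$")
_XINETD_LINE = re.compile(r"^\s+(\S+):\s+(on|off)$")


def parse_chkconfig(text):
    """Return {service: set of runlevels it starts in}.  xinetd-managed services
    get the marker 'xinetd' because they start whenever xinetd itself does."""
    enabled = {}
    in_xinetd = False
    for line in text.splitlines():
        if line.startswith("xinetd based services"):
            in_xinetd = True
            continue
        m = _XINETD_LINE.match(line) if in_xinetd else _SYSV_LINE.match(line)
        if not m:
            continue
        if in_xinetd:
            enabled[m.group(1)] = {"xinetd"} if m.group(2) == "on" else set()
        else:
            enabled[m.group(1)] = {int(p.split(":")[0]) for p in m.group(2).split()
                                   if p.endswith(":on")}
    return enabled


def starts_at(enabled, runlevel):
    """Services that come up when the machine boots into RUNLEVEL."""
    xinetd_up = runlevel in enabled.get("xinetd", set())
    return sorted(name for name, levels in enabled.items()
                  if runlevel in levels or ("xinetd" in levels and xinetd_up))


def unexpected_at(enabled, runlevel, allowlist=EXPECTED_AT_BOOT):
    """Services that will start at RUNLEVEL but are not on the allow-list:
    the ones to investigate before deciding whether to chkconfig them off."""
    return [s for s in starts_at(enabled, runlevel) if s not in allowlist]


if __name__ == "__main__":
    table = parse_chkconfig(SAMPLE_CHKCONFIG_LIST)
    for level in (3, 5):
        print("runlevel %d starts: %s" % (level, ", ".join(starts_at(table, level))))
        print("  not on the allow-list: %s" % ", ".join(unexpected_at(table, level)))
```

On a real host, feed it the live output with parse_chkconfig(subprocess.check_output(["chkconfig", "--list"], text=True)). The xinetd handling is the part people miss when auditing by eye: an xinetd-based service shows as "on" even when xinetd itself is off at that runlevel, so the script only counts it when both are enabled.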

Linux Service Monitoring and Logging

One important aspect of providing a service is keeping tabs on it. This means viewing active connections and keeping a recorded history of service activity. Watching events in real time is called monitoring. As we learned in lecture, there are 3 levels of monitoring (Ping, Port and Service), also known as PPS.

You can monitor a service locally or remotely. For example, it doesn’t make sense to ping a host from that same host, but it does make sense to check the service from the host it’s running on.

For example, the win2008 server’s IP address is 192.168.80.10. So we could ping that host as a crude method of monitoring its uptime. The problem is that this doesn’t tell us anything about the service being up and running; it only gives us information about the server.

[root@centos5]# ping -c 4 192.168.80.10
PING 192.168.80.10 (192.168.80.10) 56(84) bytes of data.
64 bytes from 192.168.80.10: icmp_seq=1 ttl=128 time=2.83 ms
64 bytes from 192.168.80.10: icmp_seq=2 ttl=128 time=0.390 ms
64 bytes from 192.168.80.10: icmp_seq=3 ttl=128 time=0.374 ms
64 bytes from 192.168.80.10: icmp_seq=4 ttl=128 time=0.302 ms

Yeah! The server’s up, but that tells us nothing about the service. Of course the inverse is more useful: if the server is down, the service is definitely down. (With one caveat: a host firewall can be set to drop ICMP, in which case a failed ping doesn’t prove the server is down, either.)

Monitoring services from the outside

One method for remotely monitoring a service is to check for the open TCP and UDP ports used by that service. If the ports aren’t open, then the service can’t be used. For example, the Samba / Windows File Sharing service requires two open TCP ports: 139 and 445. (Samba’s nmb name service uses UDP ports 137 and 138; a default nmap scan is TCP-only and won’t show those. Use nmap -sU to scan UDP.)

BTW: How do I know this? Experience. And a little help from this link (it maps services to their port numbers). On Centos5 the file /etc/services holds the same mapping.

In Linux, there is a command, nmap, which can be used to scan a server for open ports. Nmap is a useful utility because it checks which ports are open on your servers. Open ports are the channels by which workstations connect to your server to use a service. You should only have ports open for the services you need to provide to your users and workstations. And from a remote standpoint, nmap can help you figure out what services should (and shouldn’t) be running. Only scan hosts you are responsible for, though: port scanning somebody else’s systems is generally treated as hostile. Let’s play around with this idea a bit.

  1. First, let’s port scan the win2008 server. Type:
    [root@centos5]# nmap 192.168.80.10
    It takes a while for the scan to complete, but when it’s done you should see a list of open ports. Included in that list should be ports 139 and 445:

    This tells us that Windows file sharing is available on win2008 (192.168.80.10).
  2. Next, for grins, let’s port scan our centos5 host. Type:
    [root@centos5]# nmap 192.168.80.11
    The scan should go much faster (after all, you are scanning the local computer), and when it’s done you should see ports 139 and 445 once more:
  3. Next, what I’d like you to do is turn off the smb service and then do another port scan. This should help reinforce what’s happening here: when you turn off smb, ports 139 and 445 will no longer be open. Type:
    [root@centos5]# service smb stop
    You should see:
    Shutting down SMB services: [ OK ]
    Next, type:
    [root@centos5]# nmap 192.168.80.11

Notice the smb ports are no longer open. Hopefully this makes more sense now!

  1. Please make sure to turn the smb service back on. Type:
    [root@centos5]# service smb start

And maybe if you’re feeling frisky, give it one more port-scan to verify the required ports are open.
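The three PPS levels from the two sections above (ping the host, check its TCP ports, check that whatever is listening actually speaks SMB), as a script that monitors the lab’s servers from Centos5 the way you just did by hand. This is an added example, not code from the lab. It assumes ping is installed on the monitoring host and that the servers answer an SMB1 NEGOTIATE on TCP 445 (Samba 3 and Windows Server 2008 both do); HOSTS uses the lab’s 192.168.80.10 and .11 addresses, and fake_listener is a constructed stand-in so the checks can be exercised offline.

```python
"""Ping / Port / Service (PPS) checks of the lab's file servers from the
outside, scripted instead of typed.  Added example, not from the lab.
Assumptions: `ping` exists on the monitoring host; the service-level probe
sends a minimal SMB1 NEGOTIATE over port 445 and only checks for the
"\\xffSMB" magic in the reply (Samba 3 and Windows Server 2008 both answer
it; it never logs in).  HOSTS are the lab's addresses; fake_listener is a
constructed stand-in so the checks can be exercised offline.
"""
import socket
import struct
import subprocess
import threading

HOSTS = {"win2008": "192.168.80.10", "centos5": "192.168.80.11"}
SMB_TCP_PORTS = (139, 445)
SMB_MAGIC = b"\xffSMB"


def ping(host, timeout=2):
    """Level 1: host reachable.  Proves the server is up, not the service
    (and a firewall that drops ICMP makes this fail while the service works)."""
    r = subprocess.run(["ping", "-c", "1", "-W", str(timeout), host],
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return r.returncode == 0


def port_open(host, port, timeout=2.0):
    """Level 2: a TCP connect succeeds, so something is listening on PORT."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def smb1_negotiate_request():
    """A 32-byte SMB1 header (command 0x72 NEGOTIATE, flags 0x18) followed by a
    single dialect, wrapped in the 4-byte NetBIOS length header used on 445."""
    header = (SMB_MAGIC + struct.pack("<BIBH", 0x72, 0, 0x18, 0x0001)
              + b"\x00" * 12                          # PIDHigh, SecurityFeatures, Reserved
              + struct.pack("<HHHH", 0, 1234, 0, 1))  # TID, PIDLow, UID, MID
    dialect = b"\x02NT LM 0.12\x00"
    body = struct.pack("<BH", 0, len(dialect)) + dialect  # WordCount 0, ByteCount
    return struct.pack(">I", len(header) + len(body)) + header + body


def smb_service_up(host, port=445, timeout=3.0):
    """Level 3: whatever is listening actually speaks SMB."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(smb1_negotiate_request())
            reply = b""
            while len(reply) < 8:            # NetBIOS header + SMB magic
                chunk = s.recv(8 - len(reply))
                if not chunk:
                    break
                reply += chunk
    except OSError:
        return False
    return reply[4:8] == SMB_MAGIC


def pps_report(host, ports=SMB_TCP_PORTS, service_port=445,
               ping_fn=ping, port_fn=port_open, service_fn=smb_service_up):
    """Run the three levels in order and stop at the first failure: a lower
    level failing makes the higher ones meaningless."""
    report = {"ping": ping_fn(host)}
    if not report["ping"]:
        return report
    report["ports"] = {p: port_fn(host, p) for p in ports}
    if not all(report["ports"].values()):
        return report
    report["service"] = service_fn(host, service_port)
    return report


def fake_listener(reply):
    """Constructed test double: serve one connection on a free loopback port,
    answer with REPLY, and return the port number."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(256)
            conn.sendall(reply)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    for name, ip in HOSTS.items():
        print(name, ip, pps_report(ip))
```

The service probe stops at the negotiate reply and never authenticates, so it is safe to point at production servers, but for the same reason it cannot tell you that a particular share is accessible; that needs an inside check such as smbstatus, or a real client. On port 139 a NetBIOS session request has to precede the negotiate, which is why the probe defaults to 445.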

Monitoring services from the inside

Depth in monitoring is important, and really knowing what’s going on with your services requires a diversified strategy. You should try to monitor your services from the outside (remotely) and from the inside (on the host itself).
You can use the smbstatus command to monitor active connections to your Samba file sharing service. This will tell you which workstations and users are connected to the service. For example, type:
[root@centos5]# smbstatus
but since nobody is using the service right now, the output is kind of boring:

So, let’s connect to the service from the win7 workstation and do some things.

From the Win7 virtual machine:

  1. Click on Start -> Computer
  2. Double click on the L: drive

    (NOTE: If you don’t see an L: drive, make sure you review the steps of the previous lab)
  3. You should see the message file inside the share. Double-click to open the message file.
  4. That should be enough workstation activity to see what’s happening back on the server.

Back in the terminal window of Centos5:

  1. Type:

[root@centos5]# smbstatus -S
Please note that’s a capital “S” (it lists only the connected shares). The output should be a little more interesting this time, showing you the workstation that is connected to the service:


Note: you can also try the smbstatus -v command, which gives you more detailed information.

  1. If monitoring is the Yin, logging is the Yang. Monitoring shows you activity in real time, while logging gives you a recorded history of that activity over time. By default the Samba service appends activity from your win7 workstation to a per-client log, /var/log/samba/log.win7 on this lab’s setup (the name comes from the log file line in /etc/samba/smb.conf, where %m expands to the client’s NetBIOS name; if you don’t find the file, check that line). The daemon’s own log is /var/log/samba/smbd.log. You can use the tail command to see the last few entries; for the daemon log, type:
    [root@centos5]# tail /var/log/samba/smbd.log
    Neato, eh?
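The logging half of the monitoring-versus-logging point above, as an added example that is not part of the lab: it digests a Samba log into per-client and per-share connection counts, which is what you need once a busy service’s log is too long to read by hand (see question 1.5 below). The log lines are constructed in the shape of smbd’s level-1 connect and close messages; the source file:line references, hostnames, users and addresses are made up, so check the wording against your own /var/log/samba files before relying on the patterns.

```python
"""Summarise a Samba log into who connected to what and how often, which is
what you need once a busy service's log is too long to read (question 1.5).
Added example, not from the lab.  SAMPLE_LOG is constructed in the shape of
smbd's log level 1 connect/close messages (two lines per entry: a
"[date, level] source" header, then the indented message); the source
file:line references, hosts and addresses are made up.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
[2010/09/24 15:58:01, 1] smbd/service.c:make_connection_snum(1033)
  win7 (192.168.80.12) connect to service share initially as user user (uid=500, gid=500) (pid 2801)
[2010/09/24 15:58:01, 1] smbd/service.c:make_connection_snum(1033)
  win7 (192.168.80.12) connect to service IPC$ initially as user user (uid=500, gid=500) (pid 2801)
[2010/09/24 16:02:44, 1] smbd/service.c:close_cnum(1230)
  win7 (192.168.80.12) closed connection to service share
[2010/09/24 16:05:10, 1] smbd/service.c:make_connection_snum(1033)
  lab-pc9 (192.168.80.99) connect to service share initially as user nobody (uid=99, gid=99) (pid 2850)
[2010/09/24 16:05:11, 1] smbd/service.c:close_cnum(1230)
  lab-pc9 (192.168.80.99) closed connection to service share
[2010/09/24 16:05:12, 1] smbd/service.c:make_connection_snum(1033)
  lab-pc9 (192.168.80.99) connect to service share initially as user nobody (uid=99, gid=99) (pid 2851)
[2010/09/24 16:05:13, 1] smbd/service.c:close_cnum(1230)
  lab-pc9 (192.168.80.99) closed connection to service share
[2010/09/24 16:05:14, 1] smbd/service.c:make_connection_snum(1033)
  lab-pc9 (192.168.80.99) connect to service share initially as user nobody (uid=99, gid=99) (pid 2852)
"""

_HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), (\d+)\]")
_CONNECT = re.compile(r"^\s+(\S+) \((\S+)\) connect to service (\S+) initially as user (\S+)")
_CLOSE = re.compile(r"^\s+(\S+) \((\S+)\) closed connection to service (\S+)")


def parse_samba_log(text):
    """Pair each header line with the message that follows it and keep the
    connect/close events as dicts; other messages are skipped."""
    events, stamp = [], None
    for line in text.splitlines():
        h = _HEADER.match(line)
        if h:
            stamp = h.group(1)
            continue
        m = _CONNECT.match(line)
        if m:
            events.append({"time": stamp, "kind": "connect", "client": m.group(1),
                           "ip": m.group(2), "share": m.group(3), "user": m.group(4)})
            continue
        m = _CLOSE.match(line)
        if m:
            events.append({"time": stamp, "kind": "close", "client": m.group(1),
                           "ip": m.group(2), "share": m.group(3), "user": None})
    return events


def connects_per_client(events):
    """How many times each workstation opened a share: the digest of a busy log."""
    return Counter(e["client"] for e in events if e["kind"] == "connect")


def connects_per_user_share(events):
    """The same count broken down by (user, share), e.g. to spot guest access."""
    return Counter((e["user"], e["share"]) for e in events if e["kind"] == "connect")


def noisy_clients(events, threshold):
    """Clients that reconnect more than THRESHOLD times: a workstation in a
    connect/disconnect loop, or something probing the share, looks like this."""
    return sorted(c for c, n in connects_per_client(events).items() if n > threshold)


if __name__ == "__main__":
    ev = parse_samba_log(SAMPLE_LOG)
    print("connects per client:", dict(connects_per_client(ev)))
    print("connects per (user, share):", dict(connects_per_user_share(ev)))
    print("noisy clients (>2):", noisy_clients(ev, 2))
```

Point it at a real file with parse_samba_log(open("/var/log/samba/smbd.log").read()). Note that the connect and close messages only appear at log level 1 or higher, so a server logging at level 0 records nothing for this script to count.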

Questions

1.1 What is the Linux command to start the smb service?

1.2 What is the Linux command to enable the Samba service at startup?

1.3 What is the difference between runlevel 3 and runlevel 5?

1.4 What is the difference between monitoring a service and logging it?

1.5 When you consider what logging does, do you foresee any issues with very busy services that get logged (lots of workstations connecting to the service)?

1.6 What is the relationship between a port (TCP / UDP) and a service?

1.7 What is the relationship between a server and a service?

Part 2 – Service Management on Windows

In this section, we will demonstrate service management on the Windows operating system

Starting and Stopping Services

From the Win2008 command prompt:

  1. Let’s check to see if the Windows File Sharing service is running. The name of this service in Windows is LanmanServer. To see if the service is running, type: sc query lanmanserver

    You should see STATE 4 (RUNNING), which means the service is running. (STATE 1 is STOPPED; 2 and 3 are START_PENDING and STOP_PENDING.)

Tangent Time!
You should be curious as to why it is called LanmanServer. Well, the original file sharing service was called LAN Manager (see: ) and it used a network protocol called Server Message Block, or SMB for short. Hmm. Where have you heard that name before? Yes, Samba! Samba is an open-source implementation of the Server Message Block protocol. LAN Manager uses SMB, and Samba uses SMB. This is why the Win7 workstation can connect to both of them in the same manner: they implement the same protocol.

  1. You can control services in Windows similar to the way you can in Linux. It should come as no surprise to you that the syntax is a little different:
  2. Start the service: sc start LanmanServer
  3. Stop the service: sc stop LanmanServer
  4. There is no restart verb in sc, like there is in Linux. In Windows you have to execute a stop and then a start. (sc stop returns as soon as the stop request is sent, so check with sc query that the STATE is 1 STOPPED before you start it again.)
  5. Let’s try out each of these three commands: start, stop, and query. Type in the following:
    C:\users\Administrator> sc stop LanmanServer
    C:\users\Administrator> sc query LanmanServer
    C:\users\Administrator> sc start LanmanServer
    C:\users\Administrator> sc query LanmanServer

  1. When you’re done playing around, make sure the service is started!
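The status, start, stop and restart commands from the Linux section (Part 1) and the sc commands just above, wrapped into one idempotent “make sure it’s running” helper so the same logic serves both servers. This is an added example and not code from the lab. It assumes the status output has the shape the lab shows (smbd (pid …) is running… / smbd is stopped, and sc’s STATE : 4 RUNNING line); SimulatedHost is a constructed stand-in so the logic can run offline, and passing run=_run_real executes the commands on the machine the script runs on.

```python
"""Make sure a service is running, the way the lab does it by hand, on
both platforms: `service NAME status|start|restart` on CentOS 5 and
`sc query|start|stop NAME` on Windows Server 2008.

Added example, not from the lab.  Assumptions: the status text has the
shape the lab shows ("smbd (pid 1234) is running..." / "smbd is stopped",
and the "STATE : 4  RUNNING" line from `sc query`).  SimulatedHost is a
constructed stand-in so the logic runs offline; pass run=_run_real to
execute against the machine this runs on.
"""
import re
import subprocess

# SysV init scripts on CentOS 5 print one of these two shapes.
_SYSV_RUNNING = re.compile(r"\(pid[^)]*\)\s+is running", re.I)
_SYSV_STOPPED = re.compile(r"\bis stopped\b", re.I)
# `sc query` prints "STATE : <n>  <NAME>": 1 STOPPED, 4 RUNNING, 2/3 pending.
_SC_STATE = re.compile(r"STATE\s*:\s*(\d+)\s+[A-Z_]+")


def parse_state(platform, output):
    """Normalise status output to 'running', 'stopped', 'pending' or 'unknown'."""
    if platform == "linux":
        if _SYSV_RUNNING.search(output):
            return "running"
        return "stopped" if _SYSV_STOPPED.search(output) else "unknown"
    if platform == "windows":
        m = _SC_STATE.search(output)
        if not m:
            return "unknown"
        return {1: "stopped", 4: "running"}.get(int(m.group(1)), "pending")
    raise ValueError("unsupported platform: %s" % platform)


def status_cmd(platform, name):
    return ["service", name, "status"] if platform == "linux" else ["sc", "query", name]


def start_cmds(platform, name):
    return [["service", name, "start"]] if platform == "linux" else [["sc", "start", name]]


def restart_cmds(platform, name):
    """`service` has a restart verb; `sc` does not, so Windows is stop then start."""
    if platform == "linux":
        return [["service", name, "restart"]]
    return [["sc", "stop", name], ["sc", "start", name]]


def _run_real(cmd):
    """Run CMD on this machine and return what it printed."""
    return subprocess.run(cmd, capture_output=True, text=True).stdout


def ensure_running(platform, name, run=_run_real):
    """Start NAME only if it is not running, then re-check.
    Returns (final_state, commands_issued) so a caller can log what was done."""
    issued = []
    if parse_state(platform, run(status_cmd(platform, name))) == "running":
        return "running", issued
    for cmd in start_cmds(platform, name):
        issued.append(cmd)
        run(cmd)
    return parse_state(platform, run(status_cmd(platform, name))), issued


class SimulatedHost:
    """Constructed stand-in for a real host: answers the commands above with
    canned output in the format of the real tools and remembers what was run."""

    def __init__(self, platform, running=False):
        self.platform, self.running, self.log = platform, running, []

    def run(self, cmd):
        self.log.append(cmd)
        verb = cmd[1] if self.platform == "windows" else cmd[2]
        if verb in ("start", "restart"):
            self.running = True
        elif verb == "stop":
            self.running = False
        if self.platform == "linux":
            return "smbd (pid 4242) is running..." if self.running else "smbd is stopped"
        return "        STATE              : %s" % ("4  RUNNING" if self.running else "1  STOPPED")


if __name__ == "__main__":
    for platform, name in (("linux", "smb"), ("windows", "lanmanserver")):
        host = SimulatedHost(platform, running=False)
        print(platform, name, ensure_running(platform, name, run=host.run))
```

The helper checks before acting, so running it from cron or a scheduled task is harmless when the service is already up; the list of commands it issued is what you would write to a log. Because sc stop is asynchronous, a real Windows restart built from restart_cmds should poll sc query for STATE 1 between the two commands.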

Configuring the service to run at startup (when the computer boots).

The same sc command can be used to view or edit the startup configuration for the Windows service. Windows services don’t use runlevels, so their implementation is a little more straightforward.

  1. To view the current startup status for the service, type: sc qc LanmanServer

You can see from the output that the START_TYPE is 2 AUTO_START.

  1. You can change whether the service will start at boot time, too, but I strongly discourage you from doing this. If you want to play around, fine, but make sure you leave it configured to start at boot time!
  2. To disable the service from starting up at boot time:
    sc config lanmanserver start= disabled
  3. To enable the service so that it starts at boot time:
    sc config lanmanserver start= auto
    (The space after start= is required; sc expects its options as “name= value”. And like chkconfig on Linux, this only changes what happens at boot; it does not start or stop the service right now.)

Service Monitoring and Logging

What about monitoring and Logging on Windows?

You can use the net session command to monitor active connections to your LAN Manager file sharing service. For example, type net session, but since nobody is using the service, the output is kind of boring:

So, let’s connect to the service and do some things!

Once again, from the Win7 virtual machine:

  1. Click on Start -> Computer
  2. Double click on the W: drive

    (NOTE: If you don’t see a W: drive, make sure you review the steps of the previous lab)
  3. You should see the message file inside the share. Double-click to open the message file.
  4. That should be enough workstation activity to see what’s happening back on the server.

Now back to the Win2008 server!

  1. Type in net session once more and you should see the following output:

Yes, there is our one connected session.

What about the logs, you say? Well, Windows had a shaky past when it came to LAN Manager logging. For the longest time logging was disabled by default, and decisions like this led to Microsoft getting a reputation for not being serious about security (even though anyone who knows what they’re doing can turn it on easily). Anyway, Microsoft changed that with Windows Server 2008: logon auditing is on by default, so the authentication behind each file sharing connection is recorded in the Security event log.

From the Win2008 virtual machine:

  1. Open the Event Viewer: Start -> Administrative Tools -> Event Viewer
  2. Expand the Windows Logs folder and then click the Security event log. You should see something similar to the following:
  3. Look through the most recent entries in the log for an event with Task Category of Credential Validation (event ID 4776, logged when the server checks the account’s NTLM credentials). If you double-click on it you should see the log entry for connecting to the share from the Win7 workstation. If the workstation authenticated with Kerberos instead, the entry to look for is under Kerberos Service Ticket Operations (event ID 4769). Note that these events record the logon behind the connection, not the share itself; the per-share “A network share object was accessed” events (ID 5140) come from the Object Access > File Share audit subcategory, which is off by default.

Questions

2.1 What is the command to restart the LAN Manager Server service?

2.2 What is the command to turn on the Windows LAN Manager Server service at startup?

2.3 How does the act of monitoring differ from the act of logging?

2.4 In your opinion, which activity is more useful: monitoring or logging?

2.5 What type of information does monitoring tell you which logging cannot?

2.6 Which activity, monitoring or logging, would assist you in tracking down a security breach? Why?

Part 3 – Getting the Lab Checker Script Working

This lab is handed in using the provided lab-checker script. The script can be found in the same location where you got this lab. Here are the instructions:

Onetime Pre-Script Setup for Win7

This script is designed to run from your Win7 virtual machine. You will need to configure PowerShell properly. This is a one-time deal.

  1. From the Win7 virtual machine:
  2. Click on the Start button and type powershell in the search box.
  3. Right-click on the Windows PowerShell icon and choose Run as Administrator from the menu. This will force a UAC dialog; click Yes to launch PowerShell using administrator rights.
  4. At the blue PowerShell prompt, type set-executionpolicy unrestricted and press the Enter key.
  5. At the confirmation prompt, type Y and press Enter. You have now enabled scripts to run without restrictions, which is what the lab-check script needs. (Unrestricted lets any script run, downloaded ones included, with at most a warning. Outside the lab, RemoteSigned is the usual choice: it still runs local scripts, and downloaded scripts you have explicitly unblocked as in step 5 of the next section.)
  6. At the blue PowerShell prompt, type get-executionpolicy and make sure it returns Unrestricted. If it does, you’re ready to rock and roll.

Executing the Script to “check your lab”

  1. Make sure all the virtual machines you used in the lab are powered on and working properly.
  2. Open up your web browser inside the win7 virtual machine.
  3. Download the script: visit the download link, right click on the script, choose “save target as” and save it to your Documents folder.
  4. Click on Start -> Documents to open the Documents folder.
  5. Right click on the L01.ps1 script in the Documents folder, select Properties and click Unblock. If you don’t do this you will see a “warning” each time you attempt to execute the script.
  6. Open the PowerShell command prompt. (Click Start, type powershell, press the Enter key.)
  7. Move into the Documents folder (where you stored the script): type cd documents at the PowerShell prompt and press Enter.
  8. Execute the script by typing .\L01.ps1 and pressing Enter.
  9. Follow along with the script output and answer any questions as they arise.
  10. When you think you’ve got it correct, email the lab to yourself and it will cc your instructor.

This concludes Our Lab
