Print Friendly
Comments

Check a Console Command

Executes a program and captures its console output which may then be evaluated for a possible alert condition. No attempt is made to end the launched process so it's important that it is self-terminating (or can reconfigure an already running instance of itself).

Task Parameters

Execute: The file name (if it can be located in the system PATH) or a fully specified path to the .com or .exe program to be launched. May be entered from the keyboard or clipboard or, if connected to a local service instance, click the Execute caption to select from the file system on that machine.

Arguments: Any command line parameters to be passed to the program on launch. Optional.

Returns a text buffer of up to 32KB comprising everything written to STDOUT or STDERR before either the program exits or 30 seconds have elapsed (whichever comes soonest). This may then be evaluated for a Literal Fragment, with a Regular Expression or in a Numeric Comparison.

Task Security

As this task will launch the nominated binary with a high privilege level the creation or modification of tasks of this type is subject to the following restrictions by default;

1. The Winserver Wingman user-interface instance must be running on the same system as the service instance to which it is connected.

2. The Winserver Wingman user-interface instance must itself be running with elevated privilege including specifically the ability to write to the HKEY_LOCAL_MACHINE registry tree.

On submitting changes for this type of task the client will include a cryptographically random key which it has also written to HKLM. The service will only action an amendment if it arrives with a key that matches the entry it then reads from HKLM (which it will immediately delete). If the key does not match it will log the error and refuse any further interface connections until the service is restarted.

This mechanism depends on the integrity of Windows' User Account Control (UAC). On systems that pre-date UAC or where its protections have been disabled or diminished other precautions should be considered necessary;

1. The Winserver Wingman service should only accept interface connections from the local machine (i.e. Interface Binding: 127.0.0.1). This is the default configuration.

2. Logon to the machine should be restricted to trusted users only.

Finally it's important to remember that the utilities that this task might launch, and any scripts or other modules they might in turn load, should reside in protected locations where they may not be tampered with (i.e. C:\Windows, C:\Program Files).

Secure Paths

As an added precaution it is possible to specify (via a registry edit) a limited set of folders from which binaries may be executed. If the setting is configured only programs that can be found within one of the nominated locations will be launched (the task will otherwise signal an alert);

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Ionwerks\Wingman]
"SecurePaths"="C:\\Windows|C:\\Program Files"

Multiple paths should be separated by a vertical bar character.

A service restart is required before alterations to this setting will take effect.

14 August 2016