Mr. Script
Clean up Those Dirty Connections
A script that uses Devcon.exe to disable dirty connections when the computer is connected to the corporate (private) network, compliments of a Mr. Script reader.
- By Chris Brooke
- 08/01/2005
It's a funny thing about security: As soon as you think you've got your computer (or network, or enterprise, for that matter) locked down, another vulnerability pops up. Indeed, there's no such thing as a completely secure computer. Rather, security is an ongoing process. We must be ever vigilant in keeping up with security hotfixes, virus definitions and the like. And we are. I don't know a single administrator who isn't constantly striving to stay ahead of potential security breaches.
Still, despite our best efforts, sometimes a security hole appears—and often in the most obvious place, a place that was just somehow overlooked. This month, we're going to look at one possible vulnerability and use the Devcon.exe tool we learned about last month to tighten it up. The problem: Computers with "dirty" network connections.
Virtually all modern computers—especially notebooks—have more than one network-capable connection. Some have built-in wireless networking devices. They almost certainly have onboard modems. That means if your office is anywhere near an external wireless network or has (gasp!) analog phone lines, much of your network security could be compromised by the presence of a "dirty" connection. Of course, if your users always follow security guidelines and never, ever open potentially unsafe attachments, feel free to move on to the next column. If, on the other hand, you have ever been left scratching your head wondering "What the heck was that user thinking?" read on.
Baard Schøyen, a Mr. Script reader from Norway, sent me this script that uses Devcon.exe to disable dirty connections when the computer is connected to the corporate (private) network.
'nicsec.vbs
'Find and disable a "dirty" LAN connection
'(C) 2005 Schoyen Business Services (Norway)
'Used by permission
'Declare variables:
Dim REA 'reactivate disabled nic (login)
Dim WIP 'wins ip
Dim NIC 'nic collection
Dim PPID 'pnp dev id, nic wrong wins
Dim PNPID 'pnp dev id, formatted
Dim LOC 'dc ping results
Dim SRV 'dc
Dim PC 'computer name
Dim WD 'windir\system32 directory
Dim LNG 'os language
Dim arr1 'ping collection
Dim objD 'dictionary object
Dim SOURCE 'source for this file and devcon.exe
'Create a variable for the current source:
Set objShell = WScript.CreateObject("WScript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFolder = objFSO.GetFolder(".")
SOURCE = objFSO.GetFolder(".")
'Activate possible deactivated nic:
On Error Resume Next
Set WSHShell = WScript.CreateObject("WScript.Shell")
REA = WSHShell.RegRead("HKLM\SOFTWARE\DC_CLIENT\DirtyNic")
Wscript.Sleep 500
Set objShell = Wscript.CreateObject("Wscript.Shell")
objShell.Run "cmd /c devcon enable @" & REA, 0, True
On Error Goto 0
'Get the DC dns name:
On Error Resume Next
Set objDomain = GetObject("LDAP://RootDSE")
SRV = objDomain.Get("dnsHostName")
On Error Goto 0
'Find computername:
Set objNetwork = WScript.CreateObject("WScript.Network")
PC = "\\" & objNetwork.ComputerName
Set objShell = WScript.CreateObject("WScript.Shell")
Set objExecObject = objShell.Exec("cmd /c ping -n 4 -w 1000 " & SRV)
Do While Not objExecObject.StdOut.AtEndOfStream
strText = objExecObject.StdOut.ReadLine()
If Instr(strText, "Reply") > 0 Then
LOC = "1"
Exit Do
End If
Loop
'If offsite, quit now:
If LOC = 0 Then Wscript.Quit
'Start a while after login:
Wscript.Sleep 30000
'Assign the path to windir\system32:
Set objShell = CreateObject("Shell.Application")
Set objFolder = objShell.Namespace(&H24&)
Set objFolderItem = objFolder.Self
WD = objFolderItem.Path & "\System32\"
'Copy devcon.exe to System32, if not there:
Set objFSO = CreateObject("Scripting.FileSystemObject")
Const OverwriteExisting = True
If objFSO.FileExists(WD & "devcon.exe")=False Then
objFSO.CopyFile SOURCE & "\devcon.exe", WD, OverwriteExisting
End If
'Copy nicsec.vbs to System32, if not there:
Set objFSO = CreateObject("Scripting.FileSystemObject")
If objFSO.FileExists(WD & "nicsec.vbs")=False Then
objFSO.CopyFile SOURCE & "\nicsec.vbs", WD, OverwriteExisting
End If
'Create registry startup value:
Set WSHShell = Wscript.CreateObject("Wscript.Shell")
WSHShell.RegWrite _
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NICstart", _
WD & "nicsec.vbs", "REG_SZ"
'DC IP: Create tmpfile and write ping results:
Set objShell = Wscript.CreateObject("Wscript.Shell")
objShell.Run "cmd /c ping -n 4 %userdnsdomain% > c:\ip.tmp", 0, True
Wscript.Sleep 500
'Open the file:
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.OpenTextFile("c:\ip.tmp",1)
objFile.SkipLine
objFile.SkipLine
objFile.SkipLine
objFile.SkipLine
objFile.SkipLine
objFile.Skip(11)
strLine = objFile.ReadLine
arr1 = Split(strLine,":")
For i = UBound(arr1) to LBound(arr1) Step -1
WIP = arr1(i)
Next
'Close and delete the file:
objFile.Close
Wscript.Sleep 1000
objFSO.DeleteFile("c:\ip.tmp")
'Find nic's and wins ip, store them in dictionary:
Const TextMode = 1
Set objD = CreateObject("Scripting.Dictionary")
objD.CompareMode = TextMode
'Query for parameters:
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_NetworkAdapterConfiguration " & " WHERE IPEnabled = True")
'Add objects to dictionary:
On Error Resume Next
Do Until Err <> 0
For Each objItem in colItems
objD.Add objItem.WINSPrimaryServer, objItem.Caption
If Err <> 0 Then Exit Do
Next
Loop
On Error Goto 0
'Remove the clean NICs from dictionary:
If objD.Exists(WIP) Then objD.Remove(WIP)
'Set variable for dirty nic:
GFI = objD.Items
For i = 0 To objD.Count -1
NIC = GFI(i)
Next
objD.RemoveAll
'Compare parameters to extract and format PNP device ID:
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set colItems = objWMIService.ExecQuery("Select * from Win32_NetworkAdapter",,48)
For Each objItem in colItems
If objItem.Caption = NIC Then PPID = objItem.PNPDeviceID
Next
'Disable 'dirty' interface:
If PPID <> "" Then
'Format pnp id and assign new variable:
Set RX = New RegExp
RX.Pattern = "&"
RX.Global = True
PNPID = RX.Replace(PPID, "^&")
'Write the new value to registry:
Set WSHShell = Wscript.CreateObject("Wscript.Shell")
WSHShell.RegWrite "HKLM\SOFTWARE\DC_CLIENT\DirtyNic", PNPID
'Run devcon.exe to disable dirty nic:
Set objShell = Wscript.CreateObject("Wscript.Shell")
objShell.Run "cmd /c devcon disable @" & PNPID, 0, True
'Provide message:
Set objShell = Wscript.CreateObject("Wscript.Shell")
objShell.Popup "A network card was disabled because " & _
"the computer could have connections to " & _
"two different IP-networks.", 20, _
"Network Security", vbExclamation+4096
End If
Room for Improvement
This script does quite a lot, especially considering that it must "shell out" the command prompt operation of devcon.exe. Still, there are some areas where enhancements could be made. First, it requires WINS. Since Active Directory relies primarily on DNS, this might be a problem for you. Also, it can only detect one "dirty" interface. If you happen to have two modems or a dirty wireless zone nearby, you may not be fully protected—even if you run the script twice.
Even with these limitations, the script adds another vital layer of security to help ensure that your corporate firewall isn't rendered moot. In order to be certain it's working, I recommend setting it up to run at every startup for any client machine that has a potentially dirty NIC, such as notebooks. If you're not connected to your corporate network, all interfaces will work fine and you can surf to your heart's content. Once you connect to your corporate network, it finds and disables the unsecured "dirty" NIC, forcing all of your network communication through your "clean" connection, making it subject to all firewall and network security rules.