Creating a systemd service to run a self-hosted DevOps agent.

I have the need to run an Azure DevOps Agent as a systemd service. Typically I would just run it inside a container. But due to requirements on this system and pipeline, I am unable to simply run it inside a container. The below assumes you have an agent already set up. Let's get started.

Creating the service file

First, let's go over the structure of a systemd service file.

There are three important sections: [Unit], [Service], and [Install]. The file extension is .service, and we can add comments with the hash symbol (#).

Let's create a file

[Unit]
Description=Devops Service
After=multi-user.target

[Service]
ExecStart=/home/[username]/myagent/run.sh
WorkingDirectory=/home/[username]/myagent/
User=opc
Group=opc
Restart=always
Type=simple

[Install]
WantedBy=default.target

What does each section do?

The [Unit] section helps describe the service and when to start it. In this case we want to ensure the network is up before starting the[...]

CScan.exe

Recently ran into an opportunity that prevented a user from connecting into the network via VPN.

They would click login after entering their username and password and it would take up to 12 minutes before it would attempt to connect. This caused the login attempt to fail due to the secondary password changing several times since it was entered.

After researching the process with tools from SysInternals, it ended up being CScan.exe. The CScan utility was kicking off a scan after entering the credentials and was reading every key in Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages. Cleaning up the Windows Update files with cleanmgr.exe resolved this.

[...]

Windows Password Filters

Do you have password requirements that your Windows accounts must follow? What if the requirements do not fall within Microsoft's password requirement policies? You can create your own filter to require custom rules.

Uses for Password Filters

One example of why you would want to use a password filter would be to match the password against a database of known bad passwords and deny your customer the use of that password.
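The known-bad-password check described above, as an added example that is not part of the original post and is not OpenPasswordFilter's code. The list contents and the function name password_allowed are hypothetical; on Windows, a filter DLL would return this decision from its PasswordFilter export.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample lists standing in for a real known-bad-password database. */
static const char *const BAD_EXACT[]    = { "password", "letmein", "qwerty123" };
static const char *const BAD_CONTAINS[] = { "contoso", "winter" };
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Case-insensitive comparison of the first n bytes of a and b. */
static int ieq_n(const char *a, const char *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Case-insensitive substring search; an empty needle never matches. */
static int icontains(const char *hay, const char *needle) {
    size_t h = strlen(hay), n = strlen(needle);
    if (n == 0 || n > h) return 0;
    for (size_t i = 0; i + n <= h; i++)
        if (ieq_n(hay + i, needle, n)) return 1;
    return 0;
}

/* Returns 1 if the candidate may be used, 0 if it must be denied.
   Missing or empty input is denied, so the check fails closed. */
int password_allowed(const char *candidate) {
    if (candidate == NULL || *candidate == '\0') return 0;
    size_t len = strlen(candidate);
    for (size_t i = 0; i < COUNT(BAD_EXACT); i++)      /* whole-password match */
        if (strlen(BAD_EXACT[i]) == len && ieq_n(candidate, BAD_EXACT[i], len))
            return 0;
    for (size_t i = 0; i < COUNT(BAD_CONTAINS); i++)   /* banned word anywhere */
        if (icontains(candidate, BAD_CONTAINS[i]))
            return 0;
    return 1;
}

int main(void) {
    /* Constructed candidates; a production filter must never log real ones. */
    const char *samples[] = { "PassWord", "Winter2024!", "letmein1", "v7#Lr9-quartz-Mb" };
    for (size_t i = 0; i < COUNT(samples); i++)
        printf("%-18s %s\n", samples[i], password_allowed(samples[i]) ? "allow" : "deny");
    return 0;
}
```

Note that "letmein1" is allowed here because "letmein" is only on the exact-match list; banned words that should be caught inside longer passwords belong on the contains list.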

Obtaining a Password Filter

You are able to create your own filter or find a precompiled filter that matches your requirements. We will be using OpenPasswordFilter from https://github.com/brockrob/OpenPasswordFilter.

Installing the Password Filter

There is an installer, but we will be installing just the service and DLL. First, launch and compile OpenPasswordFilter. Copy the DLL into C:\Windows\System32.

Register Password Filter

Launch Registry Edito[...]

Connecting to the console of a customer without their password!

Have you ever needed to provide assistance to a customer and view what was on their console while they were not at their desk?

For example, one of your customers receives an exception when they launch an application under their profile. You are unable to replicate the exception under your profile. The customer is away at lunch and you have permission to correct this problem. What could you do?

Note: I typically do not recommend this method as it could break the integrity of trust. Someone in the organization could say that you could access their account and perform actions that could violate a company policy. I am documenting this as it does exist and could be used as a last resort. If you do use this method, I would recommend that you communicate clearly and document your actions.

You do not know the password to their account and you do not want to change the password. What[...]