Query Azure SQL Database Table via Powershell

Real quick one… I have used similar code for ages to query local on-premise SQL databases. However Azure requires the use of encrypted connections.  Here is some fully working code:

#Set Defaults (Optional) which allows you to skip defining instance, user, and password each time
$AzureDefaultInstanceName = “myUniqueAzureSQLDBName”
$AzureDefaultUserID = “myUserIDToAzureSQL”
$AzureDefaultPassword = “myPasswordToAzureSQL”

#The actual function
Function get-azureSQL (
[string]$InstanceName = $AzureDefaultInstanceName
,[string]$UserID = $AzureDefaultUserID
,[string]$Password = $AzureDefaultPassword
,[string]$Query){

$connectionString = “Server=tcp:$($InstanceName).database.windows.net,1433;”
$connectionString = $connectionString + “Database=$($InstanceName);”
$connectionString = $connectionString + “User ID=$($UserID)@$($InstanceName);”
$connectionString = $connectionString + “Password=$($Password);”
$connectionString = $connectionString + “Encrypt=True;”
$connectionString = $connectionString + “TrustServerCertificate=False;”
$connectionString = $connectionString + “Connection Timeout=30;”

$SqlConnection = New-Object System.Data.SqlClient.SqlConnection
$SqlConnection.ConnectionString = $connectionString

$SqlCmd = New-Object System.Data.SqlClient.SqlCommand
$SqlCmd.CommandText = $Query
$SqlCmd.Connection = $SqlConnection

$SqlAdapter = New-Object System.Data.SqlClient.SqlDataAdapter
$SqlAdapter.SelectCommand = $SqlCmd

$DataSet = New-Object System.Data.DataSet
$SqlAdapter.Fill($DataSet) | Out-Null
$SqlConnection.Close()

return $DataSet.Tables[0]
}

#Querying Azure SQL using Defaults defined above
get-azureSQL -Query “select * from logs”

#Querying Azure SQL without Defaults
get-azureSQL -InstanceName “myUniqueAzureSQLDBName” -UserID “myUserIDToAzureSQL” -Password “myPasswordToAzureSQL” -Query “select * from logs”

Sure you can install the Azure Powershell module and then the SQL commands too but most of the time you need to get in quick and grab something, this code is super fast and works every time for me and best of all…. no installs.

If this helped you or you want to suggest an improvement, please just leave it in the commands.

Enjoy,

-Eric

Secure PowerShell Scripts running via Windows Task Scheduler using MD5 Hashes to safeguard against Tampering

Over the years the number of Task Scheduled based PowerShell scripts has increased. However, this poses serious potential security risks.

The Security Issue

Given that these tasks commonly run as a service account, with additional rights, it is a potential attack vector.

Simply changing the underlying script can allow a hacker access to anything the service account has access to.Even signing the scripts can be useless as the system can be configured to ignore signing.

The Solution

I have created this one-liner that Task Scheduler can use that will only run the script if the hash of the script matches the hash listed in the one-liner. If someone tries to change this in Task Scheduler they would be required to reenter the proper password.

powershell.exe -command if ([System.BitConverter]::ToString((New-Object -TypeName System.Security.Cryptography.MD5CryptoServiceProvider).ComputeHash([System.IO.File]::ReadAllBytes(‘C:\temp\test.ps1‘))) -eq ‘33-CD-2A-54-ED-F3-0F-94-5F-D2-97-D9-FE-4F-45-79‘) {. c:\temp\test.ps1} else {Send-MailMessage -SmtpServer smtp.server.domain.com -From whatever@domain.com -To you@domain.com -Subject ‘Failed to Run Script – Hash Not Correct’}

Notes about One Line Script Executor

  • You need to replace c:\temp\test.ps1 with the path to your script. (two places in this example)
  • You must supply the hash of the script. (use the following command to get it)

[System.BitConverter]::ToString((New-Object -TypeName System.Security.Cryptography.MD5CryptoServiceProvider).ComputeHash([System.IO.File]::ReadAllBytes(‘C:\temp\test.ps1‘)))

  • Script will email you if hash fails.
    • Change TO: and FROM: to match your needs.
  • Do NOT use double quotes in this script, do NOT forget that CMD will pass this to PowerShell, and will strip out double quotes.

If this helped you or perhaps you have suggestions to make it better, please do leave them in the comments.

Enjoy

-Eric

Unauthorized 401 when calling Coldfusion CFC Component WebService on IIS

If you just setup a fresh Coldfusion/IIS box and all of a sudden you check one of your CFC Component WebServices and get a 401 you are not alone!

I bet you went to the folder and triple checked IIS that Anonymous Authentication was enabled and everything else was disabled and yet still didnt work. Right about that time perhaps you start questioning everything you know in this world. I mean IIS is set to anonymous yet it’s telling you its not authenticating as if it were sent to Windows Authentication.

The Solution

Rest assured, you are not losing it. Simply you like me likely made the mistake of blanket turning on Windows Authentication at the root which in turned enabled it for the virtual folder:

/jakarta

CFC’s must pass back to this folder since they are processed server side. Anyways the easy solution is to set /jakarta folder to Anonymous Authentication.

Hey if this helped you or you know something I should add to make it better, please leave it in the comments!

-Eric

Connect to Azure SQL Database using ColdFusion 10/11/2016

My how the years fly and things change.

Even in 2017 I still find value in making quick enterprise applications in Coldfusion. However the world is a changing, many of my endpoint are beyond the boundaries of my corporate firewalls.

I have ended up with a ton of nodeJS webservices endpoints  running as docker containers in Azure jamming away data in Azure SQL. I want Coldfusion to be able to utilize that data.

The Solution

The solution is stupid easy… you can use the native Microsoft SQL Driver, no need to mess with anything else.

Go ahead put in the basics

  • Database: Name as shown in Azure
  • Server: something.database.windows.net
  • Port: 1433
  • Username: <sqlaccountname>@<databasename>
  • Password: <password>

Then for the secret sauce

  • Hit Show Advanced Settings
  • In the connection string put the following:

EncryptionMethod=SSL;Encrypt=yes;TrustServerCertificate=no;

Note: Encrypt=yes may not be needed but since its working I am not touching it.

And that’s it!

If this was helpful or have a way to make it better? Let me know in the comments.

-Eric

 

 

 

 

Fix: Windows 10 Start Menu (and Modern Subsystem) Freezes and Stops Working

Nothing gets me more upset than seeing a common issue that never seems to get fixed. Since Windows 10 inception I have noticed a rather odd issue that occurs about weekly where my Start Menu, all Metro (Modern) Apps, and even Internet Explorer (which is odd given its a Win32 App) locks up, freezes, and just plan stops working.

The only obvious cure had been to reboot the PC.

However through alot of trial an error have figured out a workaround to get your PC back on its feet.

The Workaround

  • Simply open Task Manager (CTRL + SHIFT + ESC)
  • Click More Details (if needed)
  • Go to Details
  • Locate: siHost.exe
  • Right Click, End Process Tree

Note: This may need to be done twice in my testing but should always return the start menu after that second try. Many times it only takes once.

More Detail

You may notice when this happens that there are the following events in the event logs:

The program ShellExperienceHost.exe version 10.0.10586.218 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Security and Maintenance control panel.
Process ID: 2290
Start Time: 01d1a082cc447ca3
Termination Time: 4294967295
Application Path: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
Report Id: 524e2a97-0c76-11e6-8dae-64006a80564a
Faulting package full name: Microsoft.Windows.ShellExperienceHost_10.0.10586.0_neutral_neutral_cw5n1h2txyewy
Faulting package-relative application ID: App

Also you may see errors about SearchUI.exe

 

Workaround: Chrome will not PIN sites to Windows 10 Taskbar

I could rant for a long while about how Microsoft removed the verb “Pin to Taskbar” from the Shell.Application COM object but I won’t. I will simply say that I think they did that to keep OEM’s from putting crap on it when you buy a new PC. However as so often is the case, there was unintended side effects. Reasonable use cases like Chrome being able to PIN websites and Corporate IT being able to PIN corporate applications comes to mind. Lets not talk about how anti-competitive it looks when Internet Explorer (IE) is able to still pin items to the taskbar yet 3rd Party browsers like Chrome are left in the dust.

Ok I said I wouldn’t rant, here is the workaround.

  • Simply do the normal process in Chrome to PIN something to the start menu.
  • Then go here:
    • C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
      • Note: <username> will be your username you use to logon to Windows. If you dont know it simply go to c:\users and you should be able to figure it out
  • Find the shortcut Chrome created for your website, right click and you will see “PIN to Taskbar”

Also thanks to Reddit for figuring this out:

Chrome "Add To Taskbar" Issue
byu/Shinenite inWindows10

Leave a comment if it helped you!

-Eric

Get a list of all System Center Virtual Machine Manager (SCVMM 2012 R2) Users via SQL

Ever need to send a notice to your System Center Virtual Machine Manager (SCVMM) users like “Upgrade to UR7 coming” but realized you never took the time to collect all of their names?

Here is some quick SQL that will give you the names of anyone who has actually used the platform:

select
distinct replace(SessionOwner, ‘contoso\’,”) as Username
from [tbl_TR_TaskTrail]
order by 1

As a added bonus if you replace contoso with your domain name it will strip that out making it ready to past into outlook for name resolution.

Enjoy!

-Eric

Search Active Directory for Specific Word or Phrase (string) in a Group

Ever tried to search for a group by name but the part you know is in the middle? Did you think you would be smart and go to the advanced tab then do “blah” contains, hit search and find nothing?

Quickest way to find is actually via PowerShell

Get-ADGroup -Filter {Name -like “*blah*”} | select SAMAccountName

Works great!

Enjoy

-Eric

Offline Downloading of Windows 10 Patchs

Anyone looking at Microsoft KB’s may be surprised to see that there are no direct download links. However you can still download the patches manually by finding and downloding them here:

http://catalog.update.microsoft.com

This can also be used to import patches into WSUS if needed.

Hope it help

-Eric

Fix | Windows 10, “the connection cannot proceed because authentication is not enabled”

Ah security, the balance between not allowing access at all and allowing too much access.

In Windows 10 Microsoft changed RDP’s defaults. They modified the default for “SecurityLayer” from 0 to 2. Even if you go into the user interface and disable: “Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended)” Still doesn’t change that value to a 2.

Simple fix:

  1. Open RegEdit
  2. Navigate to this Key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
  3. Change “SecurityLayer” to a zero
  4. Reboot and done!