Browsing windows's Archives »»

Windows XP SP3 and winpcap

Posted By: Bryan Murphy  Permalink in it, windows

15

May

I installed Windows XP service pack 3 yesterday and found today that wireshark would not detect any of my network interfaces.

Reinstalling winpcap fixed it.

FYI

no comment

Vista makes CNET’s “Top Ten Terrible Tech Products”

Posted By: Bryan Murphy  Permalink in it, rants, windows Tags: , ,

28

Nov

For those of you wondering why I havent beaten up Vista yet… I have. I ran it from mid-beta to early-release and had a very well written and thought out evaluation of its security and usability features. It was quite negative. I wrote the entire article in notepad on my Vista machine.

One day I went to open the file to add finishing touches and proof it and the file disappeared. I know how silly and impossible this sounds. But its true. I have never seen anything like it under any operating system.

That pretty much cinched it for me. I downgraded back to XP and impatiently awaited the arrival of my new mac.

That being said, I laughed aloud as I read the CNET article. It contained many lines that I couldnt help but agree with such as…

Any operating system that provokes a campaign for its predecessor’s reintroduction deserves to be classed as terrible technology. Any operating system that quietly has a downgrade-to- previous-edition option introduced for PC makers deserves to be classed as terrible technology. Any operating system that takes six years of development but is instantly hated by hordes of PC professionals and enthusiasts deserves to be classed as terrible technology.

It’s suffering from painfully slow adoption by users and corporations alike for good reason. I often hear the argument “All operating new operating systems have slow corporate adoption rates” however compared to 2000 and XP as well as planned adoption surveys… its dismal.

Conversely adoption rates of Linux and OS X on the desktop are way up. Microsoft may finally be loosing its foothold of absolute dominance and as any industry can prove this… real competition makes for better products all around.

no comment

More Fun with Stealth Updates

Posted By: Bryan Murphy  Permalink in it, security, windows

28

Sep

As it turns out, the secret and forced windows update is causing problems.  I have heard of this issue cropping up on non-restored systems too.

Yet another reason why I am a Linux/Mac guy.

no comment

Microsofts ‘Stealth’ Update

Posted By: Bryan Murphy  Permalink in it, security, windows

15

Sep

Microsoft has done it again.

We receive reports from our WSUS server telling what updates are rolling out to what servers. So when I started receiving TripWire reports indicating files being altered on a bunch of windows boxes I got concerned.

I started opening the files with hex editors looking for strange junk and ran sigverif to see if files are properly signed. After doing that I detected nothing fishy.

So why did these files change?!

After doing a couple quick searches the answer became clear… Microsoft pushed some updates that it told no one about. These updates come even if you choose not to have updates downloaded automatically.

In this world of heightened security awareness, file integrity verification and patch pre-validation I can’t think of why they would do this.

I guess its just Microsoft’s way.

1 comment

Microsoft’s .ANI Fix Timeline

Posted By: Bryan Murphy  Permalink in it, security, windows

3

Apr

Microsoft announced today that it will issue an urgent, out of cycle patch for the ‘recent’ animated cursor vulnerability (CVE-2007-0038)… a whole week ahead of its precious and ill-conceived patch tuesday.

Some would claim that this an example of Microsoft doing the right thing, getting urgent issues resolved quickly and cutting through their own patching release cycle. Upon closer examination you will find this to be false.

This vulnerability affects all version of MS Internet Explorer and Windows. All an attacker would have to do is embed a malicious animated cursor into a web page and anyone who visits the page is ‘auto-attacked’. Its important to keep in mind that sites like myspace allow anyone to modify their own pages and embed anything they like. Its also important to remember that hackers take over legitimate, commercial sites and embed their nastys. They get more bang for their buck that way.

To support my belief that MS is still only talking big and not following through, I present to you the time-line.

December 2006 - Determina discovers .ANI 0-day vulnerability and reports its findings to Microsoft
March 23 2007 - Microsoft releases MSIE patch MS05-020 to fix vulnerabilities related to this. This patch was shoddy and still allowed exploitation of this specific vulnerability
March 26 2007 - Security researchers start to see exploits for this vulnerability in the wild
March 27 2007 - Determina releases their own ‘3rd party’ patch to mitigate this vulnerability
March 30 2007 - eEye follows suite and releases their own patch
April 3 2007 - Microsoft releases MS07-017 ‘out of cycle’ to patch this bug

Exposure Times
System exposure since discovery: 93 days*
System exposure since active exploits discovered: 8 days

*This is a conservative estimate. The article states “In December 2006″. For fairness sake this figure assumes 12/31/06 but the figure could in fact be as large as 123 days, if it was discovered 12/01/06

sources:
http://www.determina.com/security_center/security_advisories/securityadvisory_0day_032907.asp
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0038

no comment

A Crash Course in Active Directory

Posted By: Bryan Murphy  Permalink in it, windows

5

Aug

Contents

[edit]

Basics

Uses DNS for name resolution

WINS and NetBios aren’t needed unless a legacy app requires it

AD’s Tree is called the ‘Directory Information Tree’ (DIT)

It is based on the ‘Extensible Storage Engine’ (ESE)

AD Consists of two types of objects. Containers and non-containers (or leaf nodes)

All objects have a ‘Globally Unique Identifier’ (GUID)

Hierarchical paths in AD are known as ‘ADsPaths’

ADsPaths are normally referred to using LDAP standards

 Starts with a 'programmatic identifier' (progID)  followed by ://  separate each part with a comma  prefix each part with dc= (dc stands for domain name component)    prl.pbb.local becomes  LDAP://dc=pbb,dc=pbb,dc=local

A distinguished name (DN) is used to reference an object in a DIT

A relative distinguished name (RDN) is used to reference an object within its parent container

 To reference Alice's object in prl_biz ou within the prl ou it would look like this.  LDAP://cn=albin,ou=prl_biz,ou=prl,dc=pbb,dc=pbb,dc=local

The available DN’s are as follows

 CN = Common Name  L  = Locality  ST = Street of Province Name  O  = Organization Name  OU = Organization Unit  C  = County  STREET = Street address  DC = Domain Component  UID = User ID

domains and domain trees

A domain controller (DC) can be authoritative for one and only one domain.

Containers (the object type) may contain other container objects as well as leaf nodes.

An OU is the other type of container and can have group policies applied to it, and a container (the object) can not.

Each forest has a child container called ‘Configuration’ which has a child container called ‘Schema’

Global Catalog (GC)

Used to perform forest wide searches

Accessed via LDAP on port 3268

Uses progID of GC://

The GC is read-only and can not be directly updated

Objects available in the GC are members of the PAS (Partial Attributes Set)

To add/remove attributes use the AD Schema snap-in for mmc

Flexible Single Master of Operations (FSMO - pronounced fizmo)

Certain actions in the forest/domain will only be done by the FSMO regardless of how many other DC’s you have.

 Schema Master (forest-wide)    Only machine allowed to make schema changes.  Changes made on other DCs will be refered to the FSMO    Domain Naming Master (forest-wide)    PDC Emulator (domain-wide)    PW synching and PDC legacy compatibility.  Browser Master    RID Master (domain-wide)    Relative ID Master, All security principals have a Security Identifier (SID).    Infrastructure Master (domain-wide)    Maintains cross-domain object references (phantom references).  User is in domainA but a member of a group in domain B

 NTDSUTIL:   howto: [1]  download: support pack [2]  Allows transfer of FSMO roles to other DCs.  If the FSMO server dies you can ungracefully force the role to another dc -- known as 'seizing' the role. [3]

Groups

3 scopes…

 Domain Local: membership available only within domain.  May contain other groups (admin group)

 Domain Global: membership available only within domain.  Used to define roles (enterprise admin, backup admin, exchange admins, sql admins, ect.)

 Universal: Forest Wide

2 types…

 distribution: generally used as messaging lists for email and im (exchange distro lists)

 security: sid is passed to as auth token

The type of a group may be converted at any time.

Naming Contexts (NC) and Application Partitions

Breaks up replication of DCs. can be based on political, geographic or bw related things.

Consists of 3 predefined naming contexts, each represents a different aspect of AD data.

 Configuration NC: (forest) holds data pertaining to LDAP, Exchange, subnets

 Schema NC: (forest) defines types of data AD can store

 Domain NC: (domain) domain specific, users, groups, computers, ect.

 Application Partitions: User defined NCs.  Can not contain security principals

To retrieve a list of NCs you query the RootDSE entry.

 LDAP util  how to: [4]  download: support tools [5]   LDAP util can be used to view the RootDSE entry.  Connection -> Connection -> enter name of DC

… incomplete

Schema

The schema is located under the configuration container. It is the blueprint for datastorage in ad. each object has a corresponding class. IE user class, user object type.

 Active Directory Service Interfaces (ADSIEdit)  how to: [6]  download: support tools [7]   Can be viewed using and AD viewer such as ADSIEdit (MMC snap-in) or LDP

Schema is made of two types of ad objects…

classes:
attributes:

… Very Incomplete

Replication

Note: details regarding cross-domain replication omitted.

Connection Objects define what DCs replicate with each other and how often. Generally managed by the DC

Knowledge Consistency Checker (KCC) is what generates the connection objects.

 RepAdmin  how to: [8]   Command line tool for admining replication
ReplMon  how to: [9]  Graphical util for managing and monitoring replication

Each DC maintains its own separate ‘Update Sequence Number’ (USN). It is a 64bit value assigned to each update transication. Each update increments the USN value. Like the serial number in DNS.

Each DC maintains its highest combined USN for all NCs in the highestCommittedUSN value of the RootDSE. The values are always different from DC to DC for a given replication.

If time is off by 5minutes or more on a DC it will not be able to replicate.

Originating Update (write)  The point of origin for an update (on which DC was this update made)
Replicated Update (write)  A change that did not originate on the DC in question.

Each DC has a GUID called the DSA GUID. It is used to uniquely identify a DC and is the objectGUID of the NTDS settings object for the DC in the configuration container.

The High-WaterMark Vector (HWMV) is a table maintained independently by each DC. Keeps info on where a DC last left off when replicating the NC with a specific partner.

The up-to-dateness vector (UTDV) is a table maintained independently by each DC. It is used for replication dampening to reduce traffic and endless replication.

An example of how an object is modified during replication…

1.  A user is created on serverA.  2.  The object (user) is replicated to serverB.  3.  The object is subsequently modified on serverB.  4.  The new changes are replicated back to serverA.
1.  Creation of the object on ServerA    1. values are set to defaults defined for user creation    2. users USN is set to 1000 (the USN of this transaction)    3. version number is set to 1.    4. timestamp is set to the time of creation    5. originating-server GUID is set to the GUID of the server    6. originating-server USN is set to 1000 (USN of this transaction)
2.  Replication of the object to serverB    serverB adds a copy of the object as a replicated write.  USN 2500 is assigned to the object.  This value is written to the USNCreated and USNChanged attributes of the object.
3.  Password changed for user on serverB.    1. Password value is set    2. passwords USN is set to 3777 (USN for this transaction)    3. users version number is set to 2.    4. timestamp is updated    5. originating-server GUID is set to the GUID of serverB    6. originating-server USN is set to 3777 (USN of this transaction)
4.  Password change replication to serverA    serverA generates a transaction USN of 1333.  USNChanged is set to 1333.  Originating-server GUID is set to that of serverB

… Incomplete (missing conflict resolution section)

AD and DNS

DC Locator

Resource Records used to AD

Delegation Options

… incomplete (duh)

Profiles

A profile is created on each computer a user logs into. It is %systemDrive%\Documents and Settings\%userName%

It creates various data files including NTUSER.DAT. This file contains the user portion of the registry. This includes the screen saver, wallpaper, myDocuments location, etc.

Settings specific to the computer in question are also applied to the user via the AllUsers\NTUSER.DAT on the given machine.

You use the ADUC (Active Directory Users and Computers) tool to set the roaming profile info for a given user.

To have the profile deleted from the local machine upon logout set the following key on the computer (computer and teaching labs!)…

 HKLMSOFTWAREMicrosoftWindowsNTCurrentVersionWinlogonDeleteRoamingCache

With a server based default user profile you can add icons to desktop, bookmarks, ect. It should exist under the NETLOGON share.

Group Policy

Group Policies are referred to GPOs or group policy objects. they contain a large amount of configuration info that is applied to all users automatically.

 Group Policy Management Console (GPMC)  howto: [10]  Allows for editing, viewing resultant set of policies (RSOP) and runing reports.

Three states a policy item can exist in are enabled, disabled or un-configured. unconfigured is the default for everything.

The structure of the templates in the editor looks like…

User Configuration    Software Settings    Windows Settings    Administrative Templates    Computer Configuration    Software Settings    Windows Settings    Administrative Templates

These are generated from the Administrative Template (ADM) files in the system volume.

By default workstations and member servers refresh GPOs every 90 minutes and DCs every 5.

On non DCs 1 to 30 minutes (randomly generated) will be added to the refresh time to avoid everyone checking in at once.

GPOs allow admin to remote deploy applications to users OR computers. MSI is the only way this works.

MSIs can be modified for the environment. This process is known as creating a ‘transform’.

You can set an MSI to auto-install when someone attempts to open a file with an extension that an MSI app can read.

If an install is assigned to the user portion of the GPO it will install when the user logs into a machine and uninstall upon log off. If its installed to the computer it is available to any user who logs into it.

MS Windows Installer  howto: [11]   Used to generate MSI files
Install Shield  site: [12]  The best tools in the installer maker.  3rd party
Installer Design Studio (scriptlogic)  site: [13]  The one scriptlogic makes.  Looks very easy to use and is fairly inexpensive.
Group Policy Settings Reference (document) : [14]
Group Policy Homepage : [15]
MSN docs for Group Policy : [16]

Backup, Recovery and Maintenance

Backup up AD

Restoring a DC

Restoring AD

FSMO recovery

DIT Maintenance

… Incomplete (duh)

Exchange Integration

… incomplete (duh)

Links

Common admin tasks: [17]

Remote Administration: [18]

All information gleaned from…

Active Directory 3d Edition, O’Reilly Publishing By: Joe Richards, Robbie Allen & Alistair G. Lowe-Norris

no comment

Microsoft offers Apple security advice?

Posted By: Bryan Murphy  Permalink in apple, it, rants, security, windows

7

Jul

Fresh after the article from security firm Sophos entitled “Sophos recommends Macs for security“, A member of Microsoft’s security team blasts Apple for not having a “security czar” and not communicating with users about security vulnerabilities.

By contrast, he points to Microsoft as a prime example of how to respond to threats, providing well-documented communications and prescriptive “how-to” guidance with alerts that are delivered through email, RSS and deployment tools.

This whole paragraph is absolutely laughable. Lets flash back for a second to Microsoft security bulletin 912840 and my rant regarding it. And now lets re-read that happy little Microsoft fud. Something doesn’t add up, does it?

If that isn’t enough to convince you, lets look at yet another reason why no software vendor should ever adopt Microsoft’s security practices. Two words; Patch Tuesday. Holy god is that a bad model. No matter how bad a vulnerability is, they will sit on the patch (leaving everyone exposed) till the next patch Tuesday. Just because its more convenient for admins.

I, as an admin, would much rather patch frequently, than sit on hands while blatantly exposed to a threat.

Once they work these things out, then (maybe) they can blast other software vendors. Until that time though, they should sit back, shut up and stop making themselves look foolish.

no comment

6 Ways to make your Windows machine fast like the day you got it

Posted By: Bryan Murphy  Permalink in it, windows

16

Feb

One of the more common questions my support team at work receives is in regards to Windows based computers starting to run slowly. This will eventually happen to all windows machines and is simply in the nature of windows.

The long-term problem is that the windows registry (the database that underlies windows and controls everything from passwords to last window locations) simply gets clogged from installing and uninstalling software.

Most Windows professionals recommend that if you want a machine to remain ’speedy’ that you should reformat it every 6-12 months (new Windows install). Obviously not all of us have the time to do this so I will outline a few things that can be done short of formatting that will still significantly increase system performance.

1. Install Ad-Aware SE
Ad-Aware SE is one of the better anti-spyware programs ont he market and is completely free. Spyware can be installed via legitimate software that you intended on installing or by simply browsing to a web site that will execute malicious code. Internet Explorer is notoriously susceptible to spy ware installing itself via routine web browsing and because of this (and a number of other reasons) US-CERT (the governmental agency in charge of issuing software security announcements) recommends that no one run Internet Explorer at all. FireFox is an excellent alternative and should import all of your IE favorites during the install.
2. Make sure your virus software is up to date and run and complete system scans.
Virii is a common performance thief on windows based computers. They hog resources either by design or wile executing a payload and harvesting address books, files on your hard drive or propagating itself.
3. Look at your sysTray.
The sysTray is the area next to the clock in the lower right hand corner of your screen. Each icon you see there is running in memory. I recommend right clicking on each icon that you do not need and seeing if there is way to permanently disable the item. Some items will have a ‘disable’ option, however it will only disable it for that session. Upon logging out and back in you will see the icon again. With items like this you will need to find a ‘preferences’ or ‘configuration’ option. If none seems to be available I would go into the application associated with it and check in its preferences.
4. Startup Items
Open windows explorer (windows hot key + e on your keyboard) and browse to ‘c:\documents and settings\YOURUSERNAME\startmenup\startp” and delete any icons that you do not running when you log in. You will also want to do this in the ‘c:\documents and settings\all users\startmenu\startup” directory after having logged in as administrator. If you realy want to get a handle on whats going on at startup you will want AutoRuns by sysinternals.
5. Run a scandisk.
By going to My Computer, and right clicking on your C drive you will be shown a dialog box with a number of tabs. Go to the ‘Tools’ tab and start a scan disk. This will check your drive for file system errors and correct them. In some cases windows will need exclusive rights to the hard drive and say that it will be run during the next reboot. Tell it ok and then reboot your machine.
6. Run a defrag.
After the machine returns from the scan disk in the same area run a defrag or ‘disk defragmentation’. This will physically align all of your files in the proper order on your hard drive. This will create less drive-seak time when running programs or loading files. This task is best performed monthly.
If you have performed all of these steps, rebooted your machine and are still unsatisfied with the performance, you may want to consider backing up your files, locating all of your programs install media and licenses and reformat your machine and reinstall windows.
Click here to view a microsoft article on the same subject.
2 comments

Microsoft’s serious commitment to security

Posted By: Bryan Murphy  Permalink in it, rants, security, windows

30

Dec

In many recent interviews Microsoft has vowed their firm commitment to security all the wile demonstrating the exact opposite.

Case in point: On December 28th US-CERT issued security advisory VU#181038 pertaining to all versions of Microsoft operating systems. This is a 0-day vulnerability.

We all know that US-CERT generally issues advisories (at least) a few days after the initial discovery. In this case the vulnerability and corresponding incidents where first discovered on December 27th according to McAfee.

Upon examining the Microsoft security bulletin 912840 associated with this vulnerability you will notice that it was Published December 28th. The same day as the US-CERT announcement and one day after its initial discovery. A serious vulnerability that effects ALL versions of the number one most used operating system in the world, and they wait a day to even post an advisory on their web site?

Even this isn’t what bothers me the most. What really got me was when I visited Microsoft.com trying t to find more information. At current they have a giant flash animation (it takes up about 75% of the page) that contains a sun flower set against the recognizable windows “blue sky, green grass” backdrop wearing sunglasses with the heading “start having fun”. So this vulnerability isn’t being displayed prominently. Lets look closer at the front page and see if we can find a link to information on this vulnerability. Look all you want, its not there. No mention on the home page at all.

So lets click on security. Its sure to be listed there. Once again, look all you like. You won’t find it.

No patch exists, it results in a remote code execution on a fully patched Windows XP, 2003 server, etc and Microsoft makes no mention of it on both their home page and their security page.

I think its time Microsoft stop jawing about this commitment to security and start demonstrating it.

1 comment

Common Criteria and windows

Posted By: Bryan Murphy  Permalink in it, rants, security, windows

16

Dec

It was just announced that MS Windows XP SP2 and 2k3 server have been accredited with the Common Criteria evaluation level 4+.

For those of you who don ‘t know, the common criteria is an ISO standard that was created to provide a common way of evaluating and rating security. It combines the USs old Orange Book evaluation with the DoD ’s redbook and the Canadian CTCPEC and the EUs ITSEC. It has 7 Evaluation Levels of Assurance (EALs) 1 being the lowest and 7 being the highest.

Now here is ware things start to get shaky. Windows has achieved 4+. Novell has had 4+ for Open Enterprise server for some time and it appears that Suse and RedHat are both going for evaluations and will likely achieve 4+.

The reason for this is that 4+ is the highest level of accreditation that a commercial product can hope to achieve. It is this fact that makes me believe the Common Criteria is doing a disservice to the security community.

I find it hard to believe that additional security can not be added to windows, that it can ‘t be more secure than it is now. But yet we have hit a wall with the CC. What motivation does Microsoft or others have to improve on their security if they are already accredited at the highest possible level?

no comment
Next Page »

Categories

Monthly Archives

Feeds

Blogroll

Meta