Chris Madge


Best Practices for updating your Lync 2010 Servers

This is what I will be doing tonight..

http://www.ultimate-communications.com/2011/12/best-practices-when-updating-lync-server-with-those-cumulative-updates-lync/

Clients won’t connect to replaced SCCM Site Server

If you deploy the SCCM 2007 client via GPO and end up having to replace the SCCM site server, the clients will not connect to the new server. According to the PSS team, the GPO client install hard-codes the site code into the registry.

You need to remove the registry entries below and the client will auto-discover its site… Hooray~!!!

Remove these entries
x86
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Mobile Client]
     "GPRequestedSiteAssignmentCode"="SITECODE"
     "GPSiteAssignmentRetryInterval(Min)"=dword:0000003c
     "GPSiteAssignmentRetryDuration(Hour)"=dword:0000000c
x64
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\SMS\Mobile Client]
     "GPRequestedSiteAssignmentCode"="SITECODE"
     "GPSiteAssignmentRetryInterval(Min)"=dword:0000003c
     "GPSiteAssignmentRetryDuration(Hour)"=dword:0000000c
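The same cleanup as a script, added here as an example (not from the original post or from Microsoft). It checks both the x86 and the Wow6432Node path, logs each value before deleting it, and then restarts the SMS Agent Host service (real service name CcmExec) so the client re-runs site assignment without the hard-coded site code. Run it in an elevated PowerShell prompt on the affected client.

```powershell
# Added example: clear the GPO-written site assignment values so the SCCM 2007
# client falls back to auto-discovery. Run elevated on the affected client.

$valueNames = @(
    'GPRequestedSiteAssignmentCode',
    'GPSiteAssignmentRetryInterval(Min)',
    'GPSiteAssignmentRetryDuration(Hour)'
)

# The 32-bit client writes under Wow6432Node on x64 Windows, so check both paths.
$keyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\SMS\Mobile Client',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\SMS\Mobile Client'
)

foreach ($key in $keyPaths) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($name in $valueNames) {
        if ($item.PSObject.Properties.Name -contains $name) {
            # Record what was there before deleting it, so the change is auditable.
            Write-Output ("Removing {0}\{1} (was: {2})" -f $key, $name, $item.$name)
            Remove-ItemProperty -Path $key -Name $name
        }
    }
}

# Restart the client agent (SMS Agent Host) so it re-runs site assignment
# without the old site code.
Restart-Service -Name CcmExec
```

After the restart, the client's LocationServices.log should show it querying AD or the SLP for a site rather than using the removed GPRequestedSiteAssignmentCode.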

Installing SCCM 2007 SP2 on Windows Server 2008 R2

I recently needed to install SCCM 2007 on a Windows Server 2008 R2 box, and after a little research I found two very helpful sites that make the job much easier.

The first website gave me a PowerShell script that installed all the Roles and Features I needed.

The script can be found here, and the one you need is “PrepSiteServer2”.

The second site gives you step-by-step instructions on how to install SCCM 2007 SP2 on Windows Server 2008 and even walks you through all the gotchas.

Here is the URL: http://blogs.southworks.net/aortega/2009/09/16/deploy-sccm-2007-sp2-rc-on-windows-server-2008-r2/

6 Ways to prevent viruses/trojans on your computer

As someone who used to make a pretty handsome living cleaning up virus-infected computers, I decided to put together six helpful tips that will help eliminate viruses and trojans on your computer. Hopefully it's worth the price of admission. Here we go.

1. Have and use an antivirus client (Microsoft Security Essentials, or Sophos AV for OS X, is free.. no excuses).

2. Uninstall Adobe Flash Player. Adobe Flash has more holes than Swiss cheese, and no matter how many updates they put out you can't really fix bad code. Yep, you'll lose out on some functionality, but honestly, for what you'll gain in time not spent rebuilding your machine weekly, it's worth it.

3. Create an admin account on your computer and change your day-to-day account to a “regular user” account. If the virus doesn't have admin rights, it can't install.. This is probably the most critical change.

4. Be smart about what you click on. Just because it's on Facebook does not mean that it is safe. No, some dad in the US did not find his daughter on a webcam, so stop clicking the link. It's called clickjacking and it can seriously mess up your PC. (btw.. there is no such thing as nude photos of Anna Kournikova either)

5. If it sounds too good to be true.. it probably is (e.g. watching cricket online for free). Do not install anything on your machine that is not from a reputable source. This includes ActiveX controls and “plugins”.

6. Update your computer and your web browser regularly. Windows, PC or Linux, it doesn't matter, just get it done. You can configure Windows Update to install at 3 in the morning while you're hopefully sleeping.

That's it.. While this advice is not bulletproof, it will help mitigate most of the threats out there.

Cheers,

C

Building an access point to “share” a restricted internet connection

The last ten years have seen the proliferation of wireless internet hotspots, from your local Starbucks to internet cafés in virtually every country. Unfortunately, despite the low cost of high-speed internet, some resorts and hotels feel the need to charge sky-high rates or limit access to one device. In the last six months I have travelled numerous times and found that even 4-star hotels in the midwestern US are especially restrictive in the number of devices one can connect.

My wife and I recently travelled to a 5-star resort in Puerto Vallarta, and despite an above-average price per night, they still felt the need to charge 11 USD per night for WiFi access per device. There was no way around this: the authentication mechanism used a 10-digit code to authenticate to the NAC and allow that MAC address access to the internet VLAN. Yes, we could spoof the MAC address on the other devices, but only one device could connect at a time, and if the NAC appliance discovered two devices presenting the same MAC it would shut down both ports.

The way to get around this is to:

1) Build a Bluetooth PAN network between two laptops.

a) Laptop 1 will use the WiFi code provided by the hotel or resort.

b) Once the connection is established, confirm internet access by browsing to www.google.com

c) Next, go into the Bluetooth settings. We used two MacBooks, so we went into System Preferences -> Bluetooth.

d) We paired the two MacBooks (which is easy with OS X), and once the devices were paired we went to Advanced and shared the internet connection (see screenshot).

The next step is to share the internet connection. We again went into System Preferences, this time into the “Sharing” control panel, and shared the AirPort connection with the Bluetooth PAN.

At this point Laptop 2 should be able to reach the internet without a WiFi connection.

2) The next step is to share the Bluetooth network from Laptop 2 over WiFi.

a) On Laptop 2 go into System Preferences -> Sharing

b) Choose Internet Sharing, select “Bluetooth PAN” and share via AirPort.

c) You will then have the option to create an SSID for your WiFi access point. I would also highly recommend enabling WEP and specifying a 128-bit, 10-digit WEP code, even if it's as simple as your phone number, although I would recommend a more complex code. You now have a WiFi access point that you can share with all your devices.

SCCM 2007 and Operating System Deployment

A great high-level overview from the Deployment Guys @ Microsoft

Deployment Guys Link

Video

The wonder that is LastPass

All it takes is being compromised once to realize the importance of strong passwords. If your enterprise is anything like mine, you will know that password complexity is the ultimate conundrum for IT administrators. If you make the password policy too complex, people will simply write it down and attach it to their computer via post-it note. If the password policy is too simple, it leaves your organization vulnerable to attack.

I myself have struggled with making my passwords complex enough, but simple enough that I can remember them. I have numerous systems and sites that I must log into on a daily basis, and creating an individual complex password for each one seemed impossible until I discovered password managers.

Password managers have been around for quite a while, but most have lacked user-friendliness and most have lived on the desktop, meaning that if your hard drive dies or you forget the master password then you are hooped. I've tried several over the years, from iKeePass to 1Password on the OS X platform and finally eWallet. None of these solutions really did it for me. I wanted a solution that worked cross-platform and would sync with my mobile devices. This hasn't existed until now.

A company out of Virginia called LastPass has created a hosted solution for your desktop, notebook and mobile devices that works with your choice of web browser. That's right, friends, you are not limited to using strictly Internet Explorer. LastPass allows you to use passwords up to 20 characters with any degree of complexity, including special characters. It stores your passwords using 256-bit AES encryption on their host-proof servers. What this means is that the passwords are encrypted locally before being transported across the network, which is especially important if you are worried about things like man-in-the-middle attacks. One of the things I like most about LastPass is that it is only $1/month. Even on a lowly Systems Admin salary I can afford a dollar a month.
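To make the “host-proof” idea concrete, here is an added PowerShell sketch of the principle using the .NET crypto classes. It is not LastPass's code and not their actual scheme: the iteration count, the AES-CBC plus HMAC-SHA256 construction and the sample vault are all my own choices. The point it demonstrates is that the key is derived from the master password on the client, so the hosted service only ever receives salt, IV, ciphertext and an integrity tag, and a wrong master password or a modified blob is rejected before anything is decrypted.

```powershell
# Added example (not LastPass code): client-side vault encryption.
# Key derivation and encryption happen locally; only the blob leaves the machine.

function Protect-Vault {
    param([string]$MasterPassword, [string]$VaultJson)

    $salt = New-Object byte[] 16
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($salt)

    # PBKDF2 stretches the master password; 100000 iterations is an assumed value.
    $kdf = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($MasterPassword, $salt, 100000)
    $encKey = $kdf.GetBytes(32)   # AES-256 key
    $macKey = $kdf.GetBytes(32)   # separate key for the integrity tag

    $aes = [System.Security.Cryptography.Aes]::Create()   # CBC with PKCS7 padding by default
    $aes.Key = $encKey
    $aes.GenerateIV()
    $plain = [System.Text.Encoding]::UTF8.GetBytes($VaultJson)
    $cipher = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)

    # Encrypt-then-MAC over IV and ciphertext so tampering is detected before decryption.
    $hmac = New-Object System.Security.Cryptography.HMACSHA256(, $macKey)
    $tag = $hmac.ComputeHash([byte[]]($aes.IV + $cipher))

    # This object is everything the hosted service would see: no plaintext, no key.
    return [pscustomobject]@{
        Salt       = [Convert]::ToBase64String($salt)
        IV         = [Convert]::ToBase64String($aes.IV)
        Ciphertext = [Convert]::ToBase64String($cipher)
        Tag        = [Convert]::ToBase64String($tag)
    }
}

function Unprotect-Vault {
    param([string]$MasterPassword, $Blob)

    $salt   = [Convert]::FromBase64String($Blob.Salt)
    $iv     = [Convert]::FromBase64String($Blob.IV)
    $cipher = [Convert]::FromBase64String($Blob.Ciphertext)
    $tag    = [Convert]::FromBase64String($Blob.Tag)

    $kdf = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($MasterPassword, $salt, 100000)
    $encKey = $kdf.GetBytes(32)
    $macKey = $kdf.GetBytes(32)

    # Wrong master password or modified blob: the tag will not match, so refuse to decrypt.
    $hmac = New-Object System.Security.Cryptography.HMACSHA256(, $macKey)
    $expected = $hmac.ComputeHash([byte[]]($iv + $cipher))
    if ([Convert]::ToBase64String($expected) -ne [Convert]::ToBase64String($tag)) {
        throw 'Integrity check failed: wrong master password or tampered vault'
    }

    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $encKey
    $aes.IV = $iv
    $plain = $aes.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length)
    return [System.Text.Encoding]::UTF8.GetString($plain)
}

# Constructed sample vault and master passphrase.
$vault = '{"example.com":{"user":"chris","pass":"correct horse battery staple"}}'
$blob = Protect-Vault -MasterPassword 'my-master-passphrase' -VaultJson $vault
$blob | Format-List                                           # what the server stores
Unprotect-Vault -MasterPassword 'my-master-passphrase' -Blob $blob   # round-trips the vault
```

Try `Unprotect-Vault` with a different passphrase, or flip one character of `$blob.Ciphertext`, and the HMAC check throws instead of returning garbage; that check is what stands between a stolen server-side blob and an offline decrypt with anything other than a brute-force guess at the master password.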

I highly recommend this product. It can be ordered directly from the vendor at http://www.lastpass.com

-chris

Investigating Local Workstations

In any organization, one of its greatest assets is its employees. However, in the information age one of its greatest liabilities is its employees. I cannot tell you the horror stories of compromised information and systems that I have come across in my days as a Systems Engineer. In my current role, I frequently get escalations and automated notifications about compromised workstations. The initial part of investigating these workstations often needs to be done without the end user's knowledge or interaction. This means I need to leverage three different interfaces (WMI, RPC and the file system). The first thing that I want to know is…

What has the end user installed?

If your users are anything like my end users, they violate the Acceptable Use Policy (AUP) with great vigour. They install all kinds of garbage on their notebooks that A) has no business purpose, B) comes with hidden bonus items such as trojans and backdoors, and C) violates various licensing laws and rules.

(screenshot: SCCM Resource Explorer)

My primary method of investigating installed software is with the SCCM Resource Explorer tool. This leverages the WMI interface and gives me a nice list of installed products. If I start seeing items such as BitTorrent clients, I automatically know that this is not going to end well.

Sometimes though, for some strange reason, the workstation I'm trying to investigate does not have the SCCM client on it. This is when I use a great free tool from the folks at ManageEngine. They come out with some free tools that allow you to leverage the RPC interface. One of the tools included in the package is called Software Inventory. This tool connects to the remote machine and uses your admin credentials to create a list of installed software.

(screenshot: ManageEngine Windows Tools, Software Inventory)

Once you know what is installed, you often have a good idea what you are dealing with. Often it's just time to reimage the workstation. However, if you don't have any evidence to support the reimage, you need to proceed further; the next step is investigating the applications in the ‘Startup’ category.

MSCONFIG

MSConfig is a great place to look for viruses/trojans that start with the workstation. In the last year though, I've noticed that the trojans are getting a lot trickier and do not show up in MSConfig.

(screenshot: msconfig)

Trend Micro – HiJack This

HijackThis used to be an open-source tool until it was bought by Trend Micro. This tool allows you to see what starts when the operating system is powered up and what Browser Helper Objects are integrated into the browser. If you start to see items and DLLs registered that should not be there, you definitely want to investigate further. Trend still offers HijackThis for free on their website or at download.com

Run Once

The next place you want to look is the “Run Once” portions of the Windows registry. This is often where trojans and viruses hide themselves. The registry keys that you want to look at are:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

(screenshot: RegEdit)

Services

The Services MMC console is another great place to look for viruses and trojans. A quick perusal of the running services might indicate an infection, and the type of infection will determine the remediation.

(screenshot: services.msc)
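The three checks above (installed software, Run/RunOnce keys, running services) as one read-only triage script, added here as an example; it is not from the original post and not SCCM or ManageEngine code. It uses the same interfaces the post names: the registry over RPC (the Remote Registry service must be running on the target) and WMI for services. `$ComputerName` defaults to the local machine, the keyword list is a constructed starting point, and the account running it needs local admin rights on the target.

```powershell
# Added example: read-only workstation triage over RPC (registry) and WMI (services).
param([string]$ComputerName = $env:COMPUTERNAME)

function Get-RemoteKeyValues {
    param([Microsoft.Win32.RegistryHive]$Hive, [string]$SubKey)
    $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($Hive, $ComputerName)
    $key = $base.OpenSubKey($SubKey)
    if ($null -eq $key) { return @() }
    foreach ($name in $key.GetValueNames()) {
        [pscustomobject]@{ Key = "$Hive\$SubKey"; Name = $name; Value = $key.GetValue($name) }
    }
}

# 1. Installed software from the Uninstall keys. This is much faster and safer than
#    Win32_Product, which triggers a consistency check of every MSI package when queried.
$uninstallKeys = @(
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)
$software = foreach ($path in $uninstallKeys) {
    $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    $parent = $base.OpenSubKey($path)
    if ($null -eq $parent) { continue }
    foreach ($sub in $parent.GetSubKeyNames()) {
        $k = $parent.OpenSubKey($sub)
        $display = $k.GetValue('DisplayName')
        if ($display) {
            [pscustomobject]@{
                Name        = [string]$display
                Publisher   = $k.GetValue('Publisher')
                InstallDate = $k.GetValue('InstallDate')
            }
        }
    }
}

# Keyword screen for the kind of software the post mentions (constructed list; extend it).
$suspectWords = 'torrent', 'crack', 'keygen', 'toolbar'
Write-Output "--- installed software matching suspect keywords on $ComputerName ---"
$software |
    Where-Object { $name = $_.Name; ($suspectWords | Where-Object { $name -match $_ }).Count -gt 0 } |
    Format-Table -AutoSize

# 2. Autostart entries from Run and RunOnce for the machine hive and the user hive.
#    Note: over RPC, HKCU is the hive of the account running this script, not the
#    logged-on user's; load that user's NTUSER.DAT or inspect HKEY_USERS for theirs.
$runKeys = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
Write-Output '--- Run / RunOnce entries ---'
$autostarts = foreach ($sub in $runKeys) {
    Get-RemoteKeyValues -Hive LocalMachine -SubKey $sub
    Get-RemoteKeyValues -Hive CurrentUser  -SubKey $sub
}
$autostarts | Format-Table -AutoSize

# 3. Running services whose binary lives outside the Windows directory. Not proof of
#    anything on its own, but it is the short list to look at first.
Write-Output '--- running services with binaries outside \Windows\ ---'
Get-WmiObject -Class Win32_Service -ComputerName $ComputerName |
    Where-Object { $_.State -eq 'Running' -and $_.PathName -notmatch '\\Windows\\' } |
    Select-Object Name, DisplayName, PathName, StartName |
    Format-Table -AutoSize
```

Run it as `.\Triage.ps1 -ComputerName WKS-NAME` (a placeholder name) from an admin workstation; nothing it does touches the end user's session, which is the constraint the post describes.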

If after investigating these areas you still suspect an infection, there are numerous free tools that you can use.

1. Sysinternals RootKit Revealer

2. Gmer

3. F-Secure BlackLight

In the organization I currently work for, we had a scenario where a certain group of users did not get patched and ended up getting infected with the Conficker virus. Sophos has created a great tool to remove the Conficker worm/virus; it can be found here.

(screenshot: Sophos Conficker scan)

The information security world is definitely a scary one and there is definitely a lot at stake. You don't necessarily need to know everything about every virus that comes out. It is simply a matter of knowing the key parts of the system to investigate and learning to use Google to investigate the methodology your infection uses as well as its impact on the system.

If you have any questions or need a little extra help, I'd be glad to lend a hand: chris (at) chrismadge.com

Windows 7 for Students – $39.99

Microsoft has made Windows 7 Home Premium and Professional available to students at certain Canadian universities for as cheap as $39.99 CAD.. This deal only lasts until January 3rd, so get on it..

(screenshot: Windows 7 student offer)

http://www.microsoft.com/canada/windows/discoverytour/student.aspx?wt.mc_id=can_co-win7launch-en_vanity_student

Signs you might be infected with a virus or trojan

  1. Getting new popups every 5 seconds
  2. Your internet homepage is now something like http://www.nigerianscampharmacia.co.za
  3. After typing google.ca into your web browser you go somewhere other than Google
  4. Workstation is REALLY slow, and attempts to kill the processes that are using up all the memory and processing power fail
  5. There are new programs installed on your workstation, like “Antivirus 2010”, that you did not install
  6. Your antivirus software is disabled
  7. Applications lock up or crash for no apparent reason
  8. You cannot access certain drives
  9. You cannot print
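Two of those signs can be checked rather than guessed at, so here is an added PowerShell example (not from the original post) covering sign 3 and sign 6. The hosts file check is exact: any name pinned to an address other than localhost is how “google.ca goes somewhere else” is usually done. The antivirus check reads the Windows Security Center WMI class (root\SecurityCenter2, present on Vista and later); the productState bit decoding it uses is a widely used heuristic rather than a documented contract, so treat that column as a hint and read the raw value alongside it.

```powershell
# Added example: check for hosts-file redirects and for disabled / stale antivirus.

function Get-HostsOverrides {
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content $hosts | ForEach-Object {
        $line = ($_ -replace '#.*$', '').Trim()      # strip comments and blank lines
        if ($line) {
            $parts = $line -split '\s+'
            $names = if ($parts.Count -gt 1) { $parts[1..($parts.Count - 1)] -join ' ' } else { '' }
            [pscustomobject]@{ Address = $parts[0]; Names = $names }
        }
    } |
    # localhost entries are normal; anything else (google.ca, your bank, AV update hosts) is not
    Where-Object { @('127.0.0.1', '::1') -notcontains $_.Address }
}

function Get-AntivirusState {
    Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct |
        ForEach-Object {
            $state = [int]$_.productState
            [pscustomobject]@{
                Product  = $_.displayName
                # heuristic decoding: bit 0x1000 set = real-time protection on,
                #                     bit 0x10 set   = definitions out of date
                Enabled  = (($state -band 0x1000) -ne 0)
                UpToDate = (($state -band 0x10) -eq 0)
                RawState = ('0x{0:X6}' -f $state)
            }
        }
}

Write-Output '--- hosts file entries that are not localhost ---'
Get-HostsOverrides | Format-Table -AutoSize
Write-Output '--- registered antivirus products ---'
Get-AntivirusState | Format-Table -AutoSize
```

An empty first table and an `Enabled = True` / `UpToDate = True` row in the second is the healthy result; a hosts entry for a search engine or for the AV vendor's update domain, or a product that reports disabled when the user did not turn it off, lines up with signs 3 and 6 and is worth the rest of the investigation described above.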