The wonder that is LastPass

All it takes is being compromised once to realize the importance of strong passwords. If your enterprise is anything like mine, you will know that password complexity is the ultimate conundrum for IT administrators. If you make the password policy too complex, people will simply write it down and attach it to their computer with a Post-it note. If the password policy is too simple, it leaves your organization vulnerable to attack.

I myself have struggled with making my passwords complex enough yet simple enough to remember. I have numerous systems and sites that I must log into on a daily basis, and creating an individual complex password for each one seemed impossible until I discovered password managers.

Password managers have been around for quite a while, but most have lacked user friendliness and most have lived on the desktop, meaning that if your hard drive dies or you forget the master password, you are hooped. I’ve tried several over the years, from iKeePass to 1Password on the OS X platform and finally eWallet. None of these solutions really did it for me. I wanted a solution that worked cross-platform and would sync with my mobile devices. This hasn’t existed until now.

A company out of Virginia called LastPass has created a hosted solution for your desktop, notebook and mobile devices that works with your choice of web browser. That’s right friends, you are not limited to using strictly Internet Explorer. LastPass allows you to use passwords up to 20 characters with any degree of complexity, including special characters. It stores your passwords using 256-bit AES encryption on their host-proof servers. What this means is that the passwords are encrypted locally before being transported across the network, which is especially important if you are worried about things like man-in-the-middle attacks. One of the things I like most about LastPass is that it is only $1/month. Even on a lowly Systems Admin salary I can afford a dollar a month.
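To make the “encrypted locally before it leaves the machine” idea concrete, here is an added PowerShell/.NET example of a minimal host-proof vault. It is not LastPass code and says nothing about how LastPass actually lays out its vault; the PBKDF2 iteration count, the key split and the sample vault contents are assumptions for illustration. The key is derived on the client from the master password, the vault is encrypted with AES-256 in CBC mode, and an HMAC-SHA256 tag over the IV and ciphertext lets the client reject a tampered or wrong-password blob before decrypting. The object returned by Protect-Vault is the only thing a hosting server would ever receive.

```powershell
# Added example, not LastPass code: client-side ("host-proof") vault encryption.
$script:Pbkdf2Iterations = 100000   # assumed value; tune to your hardware

function Get-VaultKeys {
    param([string]$MasterPassword, [byte[]]$Salt)
    $kdf = [System.Security.Cryptography.Rfc2898DeriveBytes]::new($MasterPassword, $Salt, $script:Pbkdf2Iterations)
    # Successive GetBytes calls continue the PBKDF2 output stream, so the
    # encryption key and the MAC key are distinct.
    @{ Enc = $kdf.GetBytes(32); Mac = $kdf.GetBytes(32) }
}

function Protect-Vault {
    param(
        [Parameter(Mandatory)] [string]$MasterPassword,
        [Parameter(Mandatory)] [string]$VaultJson
    )
    $salt = New-Object byte[] 16
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($salt)
    $keys = Get-VaultKeys -MasterPassword $MasterPassword -Salt $salt

    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $keys.Enc          # 32 bytes = AES-256
    $aes.GenerateIV()
    $plain  = [System.Text.Encoding]::UTF8.GetBytes($VaultJson)
    $cipher = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)

    # The tag covers IV and ciphertext so a modified blob fails before decryption.
    $hmac = [System.Security.Cryptography.HMACSHA256]::new($keys.Mac)
    $tag  = $hmac.ComputeHash([byte[]]($aes.IV + $cipher))

    # This is everything the host stores: no key, no plaintext.
    [PSCustomObject]@{
        Salt       = [Convert]::ToBase64String($salt)
        IV         = [Convert]::ToBase64String($aes.IV)
        Ciphertext = [Convert]::ToBase64String($cipher)
        Tag        = [Convert]::ToBase64String($tag)
    }
}

function Unprotect-Vault {
    param([Parameter(Mandatory)] [string]$MasterPassword, [Parameter(Mandatory)] $Blob)
    $salt   = [Convert]::FromBase64String($Blob.Salt)
    $iv     = [Convert]::FromBase64String($Blob.IV)
    $cipher = [Convert]::FromBase64String($Blob.Ciphertext)
    $keys   = Get-VaultKeys -MasterPassword $MasterPassword -Salt $salt

    $hmac     = [System.Security.Cryptography.HMACSHA256]::new($keys.Mac)
    $expected = $hmac.ComputeHash([byte[]]($iv + $cipher))
    $actual   = [Convert]::FromBase64String($Blob.Tag)
    # Constant-time comparison; a wrong master password also fails here.
    $diff = $expected.Length -bxor $actual.Length
    for ($i = 0; $i -lt [Math]::Min($expected.Length, $actual.Length); $i++) {
        $diff = $diff -bor ($expected[$i] -bxor $actual[$i])
    }
    if ($diff -ne 0) { throw 'Vault authentication failed: wrong master password or tampered data.' }

    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $keys.Enc
    $aes.IV  = $iv
    $plain = $aes.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length)
    [System.Text.Encoding]::UTF8.GetString($plain)
}

# Constructed sample vault (not real credentials).
$vault = '{"sites":[{"url":"https://example.com","user":"chris","pass":"Tr0ub4dor&3"}]}'
$blob  = Protect-Vault -MasterPassword 'correct horse battery staple' -VaultJson $vault
$blob | Format-List                     # what travels over the network
Unprotect-Vault -MasterPassword 'correct horse battery staple' -Blob $blob
```

Run it twice and the Salt, IV, Ciphertext and Tag all differ while the decrypted vault is identical; change one character of the Ciphertext and Unprotect-Vault throws instead of returning garbage. That authentication step is the part most home-grown “encrypt it with AES” scripts leave out.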

I highly recommend this product. It can be ordered directly from the vendor at http://www.lastpass.com


-chris


25 01 2010

Protecting your Organization – Acceptable Use Policy #1

As an IT professional, one of the first steps you need to take to protect your organization is to draft and implement an Acceptable Use Policy (AUP). An AUP is pretty standard in most organizations and should be in place whether you have 5 or 50,000 users. If you do not have an Acceptable Use Policy, you do not have to reinvent the wheel. You can find samples online that you can tailor to your uses. A few samples can be found here. Once you have drafted your policy you may need to contact your organization’s legal counsel before it is distributed. Next you will need to work with your HR department to ensure that this policy is communicated and that each employee signs a document saying that they have not only read the policy but also understand it. This is a key component of the employee sign-off. Many a wrongful termination case has been proved valid because the employee simply said “they just told me to sign it, I didn’t understand.”

Now that you have your AUP in place, you must ensure that it has bite. When you have an AUP that does not have consequences, it is like an alligator with no teeth. The alligator may intimidate some but in most cases will be ignored. When you investigate AUP violations, ensure that your HR team is involved and ensure that your evidence is bulletproof, e.g. make sure your policy states that the employee is responsible for all use of their assigned asset. This removes the “my son must have been using my company computer” etc. excuse.

Lastly, as an IT manager you need to start looking for violations. Too many managers and administrators turn a blind eye and think that this does not affect their organization. The truth of the matter is that if your organization is larger than 10 people it probably will affect your organization, and no industry is immune. One of the most recent cases that has made the news here in Vancouver has been the case of the Vancouver School Board employees at the maintenance shed. Several employees were caught viewing pornography on company systems and on company time.

No matter how you personally feel about pornography, it is certainly offensive to some and is a legal risk for your organization. Not only do organizations need to consider lost productivity, but a lot of adult websites are riddled with trojans and viruses just waiting to infect your corporate workstations. Remediating these infections is costing organizations billions of dollars.

While pornography is the predominant AUP violation, it is not the only one. More and more organizations are letting their end users have local administrative rights on the workstation. This has led to everything from pirated software to freeware and shareware being installed. Legal licensing risks aside, there are numerous corruption and infection risks associated with this.

Having a strong AUP is by no means a complete solution. It will not solve all of your user-related problems. However, it is the first step in ensuring that your organization is well protected and a mandatory part of ensuring that your organization is doing its “due diligence”.

30 12 2009

FakeAV makes a comeback

In 2008, across my clients I saw a lot of cases of Windows Antivirus Pro 2008 variants. Towards the end of that year and through most of 2009 I didn’t see a lot of infections. However, it looks like it has regrouped and come back in full force. I’m seeing an escalating number of FakeAV infections with my clients. I’m still investigating how the infections got there, because the users stretch across a lot of different roles: developers, merchandisers and accountants. Unfortunately, web history and installed applications haven’t been a help.

I do, however, have a remediation plan.

Step 1. Download Combofix from a reputable source on a clean, working workstation.

Step 2. Copy the Combofix executable to a USB drive.

Step 3. Reboot the workstation and load Windows in Safe Mode with Command Prompt.

Step 4. Run the Combofix executable off the USB drive.

Step 5. Let the computer reboot and Combofix complete.

Step 6. Use an antivirus client other than Trend Micro (as it won’t see the virus… it’s useless, I know) to complete a scan on the remediated workstation. It should come up with an all clear.

Step 7. Return the workstation to the end user.

On the variant that is out right now this remediation path has been very successful for me. I hope it is for you.

01 12 2009

Know your role(s)

I was asked the other day what the FSMO roles were. I remember them being a part of one of the Windows 2k3 MCSE exams but couldn’t remember for the life of me what they were. It was certainly embarrassing, and as soon as I was at a workstation I looked up what they were. I thought that I would share them all with you just in case you forgot as well.

When there is only one Domain Controller in an environment, that DC obviously holds all the roles. However, in larger environments it is best to distribute them amongst your other Domain Controllers in the forest.

Schema Master

In an AD forest the Schema Master is where all the Schema changes and updates happen. Once the changes to the Schema are made it is replicated to the other Domain controllers. Like most FSMO roles, there can only be one Schema Master in the whole forest.

Domain Naming Master

This server/role holds the rights to add and delete domains from the forest. It is also the server that controls federation and links to other directory environments. Like the Schema role, there can only be one Domain Naming Master.

Infrastructure Master

The Infrastructure Master role is a little more complicated. Within an AD structure all the different elements are referenced by the GUID, SID and the DN for the object. Within the forest and the federated relationships the Infrastructure Master is responsible for updating the GUID/SID and DN for the other Domain Controllers.

Relative ID (RID) Master

The GUIDs and SIDs we referenced earlier are created on the various domain controllers. So whenever someone creates a user account, an OU or a security group, it creates the GUID and SID as well as the Relative ID. A RID is created for each GUID and SID. Each DC is allotted a certain number of RIDs, and when it runs out of RIDs it must ask the RID Master for more. There can only be one RID Master.

PDC Emulator

In NT4 days (1997-2000) there were two types of domain controllers: Primary DCs and Backup DCs. A PDC emulator is only required in a mixed environment.

  • Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator.
  • Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator before a bad password failure message is reported to the user.
  • Account lockout is processed on the PDC emulator.
  • Editing or creation of Group Policy Objects (GPO) is always done from the GPO copy found in the PDC Emulator’s SYSVOL share, unless configured not to do so by the administrator.
  • The PDC emulator performs all of the functionality that a Microsoft Windows NT 4.0 Server-based PDC or earlier PDC performs for Windows NT 4.0-based or earlier clients.* (Borrowed from Daniel Petri)

There can be a PDC emulator in each domain in the forest, and it is the only role that can be held by multiple servers in a forest.

And that’s the FSMO roles. Next time I’m asked, hopefully I’ll remember!
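As an added PowerShell example (not part of the original post), here is how to find out which DC holds each of the five roles described above, using the ActiveDirectory module that ships with RSAT. Get-ADForest exposes the two forest-wide roles (Schema Master, Domain Naming Master) and Get-ADDomain the three domain-wide roles (RID Master, PDC Emulator, Infrastructure Master); the domain name defaults to the one the computer is joined to. The second function flags the two placement problems a practitioner checks for first: all five roles sitting on one DC, and an Infrastructure Master that is a global catalog while other DCs in the domain are not (in that configuration it never updates cross-domain references).

```powershell
# Added example, not from the original post: report and sanity-check FSMO role holders.
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    param(
        # Domain to report on; defaults to the computer's own domain.
        [string]$Domain = (Get-ADDomain).DNSRoot
    )
    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain

    $roles = @(
        [ordered]@{ Role = 'Schema Master';         Scope = 'Forest';      Holder = $forest.SchemaMaster }
        [ordered]@{ Role = 'Domain Naming Master';  Scope = 'Forest';      Holder = $forest.DomainNamingMaster }
        [ordered]@{ Role = 'RID Master';            Scope = $dom.DNSRoot;  Holder = $dom.RIDMaster }
        [ordered]@{ Role = 'PDC Emulator';          Scope = $dom.DNSRoot;  Holder = $dom.PDCEmulator }
        [ordered]@{ Role = 'Infrastructure Master'; Scope = $dom.DNSRoot;  Holder = $dom.InfrastructureMaster }
    )
    $roles | ForEach-Object { [PSCustomObject]$_ }
}

function Test-FsmoPlacement {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $roles   = Get-FsmoRoleHolders -Domain $Domain
    $holders = $roles.Holder | Sort-Object -Unique
    $dcs     = Get-ADDomainController -Filter * -Server $Domain

    # Every role on one DC is a single point of failure (fine for a one-DC shop,
    # a finding anywhere else).
    if (@($holders).Count -eq 1 -and @($dcs).Count -gt 1) {
        Write-Warning "All five FSMO roles are held by $($holders[0]); consider spreading them across DCs."
    }

    # Infrastructure Master on a global catalog only works if every DC is a GC.
    $im    = $roles | Where-Object Role -eq 'Infrastructure Master'
    $imDc  = $dcs   | Where-Object HostName -eq $im.Holder
    $allGc = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
    if ($imDc -and $imDc.IsGlobalCatalog -and -not $allGc) {
        Write-Warning "Infrastructure Master $($im.Holder) is a global catalog while other DCs in $Domain are not."
    }
    $roles
}

Test-FsmoPlacement | Format-Table -AutoSize
```

The classic `netdom query fsmo` gives the same five answers from a command prompt; the PowerShell version is easier to script across every domain in the forest by looping over `(Get-ADForest).Domains`.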


30 11 2009

Investigating Local Workstations

In any organization, one of its greatest assets is its employees. However, in the information age, one of its greatest liabilities is also its employees. I cannot tell you the horror stories of compromised information and systems that I have come across in my days as a Systems Engineer. In my current role, I frequently get escalations and automated notifications on compromised workstations. The initial part of investigating these workstations often needs to be done without the end user’s knowledge and interaction. This means I need to leverage three different interfaces (WMI, RPC and FS). The first thing that I want to know is…

What has the end user installed?

If your users are anything like my end users, they violate the Acceptable Use Policy (AUP) with great vigour. They install all kinds of garbage on their notebook that A) has no business purpose, B) comes with hidden bonus items such as trojans and backdoors, and C) violates various licensing laws and rules.

[Screenshot: SCCM Resource Explorer]

My primary method of investigating installed software is with the SCCM Resource Explorer tool. This leverages the WMI interface and gives me a nice list of installed products. If I start seeing items such as BitTorrent clients, I automatically know that this is not going to end well.

Sometimes though, for some strange reason, the workstation I’m trying to investigate does not have the SCCM client on it. This is when I use a great free tool from the folks at ManageEngine. They have come out with some free tools that allow you to leverage the RPC interface. One of the tools included in the package is called Software Inventory. This tool connects to the remote machine and uses your admin credentials to create a list of installed software.

[Screenshot: ManageEngine Windows Tools]

Once you know what is installed, you often have a good idea what you are dealing with. Often it’s just time to reimage the workstation. However, if you don’t have any evidence to support the reimage, you need to proceed further; the next step is investigating the applications in the ‘Startup’ category.

MSCONFIG

MSConfig is a great place to look for viruses/trojans that start with the workstation. In the last year though, I’ve noticed that the trojans are getting a lot more tricky and do not show up in MSConfig.

[Screenshot: msconfig]

Trend Micro – HiJack This

HijackThis used to be an open-source tool until it was bought by Trend Micro. This tool allows you to see what starts when the operating system is powered up and what Browser Helper Objects are integrated into the browser. If you start to see items and DLLs registered that should not be there, you definitely might want to investigate further. Trend still offers HijackThis for free on their website or at download.com


Run Once

The next place you want to look is the “Run Once” portion of the Windows Registry. This is often where trojans and viruses hide themselves. The registry keys that you want to look at are:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

[Screenshot: RegEdit]

Services

The Services MMC console is another great place to look for viruses and trojans. A quick perusal of the running services might indicate an infection, and the nature of the infection will determine the remediation.

[Screenshot: services.msc]
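The three checks above (installed software, Run/RunOnce keys, running services) can be pulled from a workstation in one pass without touching the user’s session. The following is an added PowerShell example, not the post’s own tooling or any of the products it mentions; it reads installed software and autostart entries through the Remote Registry service and lists services over WMI using DCOM (the RPC path older clients speak). It assumes you hold local admin rights on the target, that the Remote Registry service is running there, and the host name is a placeholder.

```powershell
# Added example, not the post's tooling: one-pass remote triage of a workstation.
function Get-WorkstationTriage {
    param([Parameter(Mandatory)] [string]$ComputerName)

    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
    $hku  = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::Users, $ComputerName)

    # Installed software from the Uninstall keys (64- and 32-bit views). Avoid
    # Win32_Product: merely enumerating it makes MSI re-verify every package.
    $software = foreach ($path in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
                                  'SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') {
        $key = $hklm.OpenSubKey($path)
        if (-not $key) { continue }
        foreach ($name in $key.GetSubKeyNames()) {
            $sub = $key.OpenSubKey($name)
            if ($sub.GetValue('DisplayName')) {
                [PSCustomObject]@{
                    Name      = $sub.GetValue('DisplayName')
                    Publisher = $sub.GetValue('Publisher')
                    Installed = $sub.GetValue('InstallDate')
                }
            }
        }
    }

    # Autostart entries: machine-wide Run/RunOnce plus every loaded user hive,
    # so entries planted under a user other than the one logged on are not missed.
    $runPaths = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    $hives = @{ 'HKLM' = $hklm }
    foreach ($sid in $hku.GetSubKeyNames()) {
        if ($sid -like 'S-1-5-21-*' -and $sid -notlike '*_Classes') { $hives["HKU\$sid"] = $hku.OpenSubKey($sid) }
    }
    $autostart = foreach ($hive in $hives.GetEnumerator()) {
        foreach ($path in $runPaths) {
            $key = $hive.Value.OpenSubKey($path)
            if (-not $key) { continue }
            foreach ($valueName in $key.GetValueNames()) {
                [PSCustomObject]@{ Hive = $hive.Key; Key = $path; Name = $valueName; Command = $key.GetValue($valueName) }
            }
        }
    }

    # Running services over WMI via DCOM (RPC) rather than WinRM.
    $opt = New-CimSessionOption -Protocol Dcom
    $cim = New-CimSession -ComputerName $ComputerName -SessionOption $opt
    try {
        $services = Get-CimInstance -CimSession $cim -ClassName Win32_Service |
            Where-Object State -eq 'Running' |
            Select-Object Name, DisplayName, PathName, StartMode, StartName
    } finally { Remove-CimSession $cim }

    # A service binary outside the Windows and Program Files trees deserves a
    # second look; the converse proves nothing, malware lands in System32 too.
    $sysPath = '^"?[A-Za-z]:\\(Windows|Program Files( \(x86\))?)\\'
    $oddServices = $services | Where-Object { $_.PathName -and $_.PathName -notmatch $sysPath }

    [PSCustomObject]@{
        ComputerName    = $ComputerName
        Software        = $software
        Autostart       = $autostart
        RunningServices = $services
        ServicesOffPath = $oddServices
    }
}

# Placeholder host name; replace with the workstation under investigation.
$t = Get-WorkstationTriage -ComputerName 'WKS-PLACEHOLDER'
$t.Software        | Sort-Object Name | Format-Table -AutoSize
$t.Autostart       | Format-Table -AutoSize
$t.ServicesOffPath | Format-Table -AutoSize
```

Save the three tables alongside the ticket before you reimage: a dated inventory and autostart list is exactly the evidence the AUP post above says you need, and it also gives you a baseline to diff against the next machine from the same department.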

If after investigating these areas you still suspect an infection there are numerous types of free tools that you can use.

1. Sysinternals RootKit Revealer

2. Gmer

3. F-Secure BlackLight

In the organization I currently work for, we had a scenario where a certain group of users did not get patched and ended up infected with the Conficker virus. Sophos has created a great tool to remove the Conficker worm/virus; it can be found here.

[Screenshot: Sophos Conficker scan]

The information security world is definitely a scary one and there is definitely a lot at stake. You don’t necessarily need to know everything about every virus that comes out. It is simply a matter of knowing the key parts of the system to investigate, and learning to use Google to investigate the methodology your infection uses as well as its impact on the system.

If you have any questions or need a little extra help, I’d be glad to lend a hand: chris (at) chrismadge.com

27 11 2009

Windows 7 for Students – $39.99

Microsoft has made Windows 7 Home Premium and Professional available to students at certain Canadian universities for as little as $39.99 CAD. This deal only lasts until January 3rd, so get on it.

[Image: Windows 7 student offer]


http://www.microsoft.com/canada/windows/discoverytour/student.aspx?wt.mc_id=can_co-win7launch-en_vanity_student

09 11 2009

Leading Family Safety Software is apparently selling your data

The makers of the Sentry and FamilySafe protection software have apparently been gathering data from IM chats and selling it to their “Trusted Partners” (EULA). Hmm… can this be considered a mild Trojan horse?!?

Hit the link for the full story.

01 10 2009

Ten Sure-Fire Ways to Derail Your Career in IT

Found this article on Kevin Beaver’s security blog… awesome stuff…

http://searchwinit.techtarget.com/tip/0,289483,sid1_gci1368125,00.html

01 10 2009

Clearing out the Temporary Internet Files

As a system administrator, there is nothing more annoying than end users who get yucky JavaScript files in their Temporary Internet Files. You may also find that the Temporary Internet Files take up too much space; for whatever reason, you need to clean up the Temporary Internet Files en masse. There is a tool to help you quickly get the job done. It is called “icsweep” and it is a freeware download from http://www.ctrl-alt-del.com.au. It is a simple command line tool that is easily scriptable and removes all the Temporary Internet Files from the user profiles on the current workstation. The only user profile it doesn’t clear is that of the active logged-in user.

Here is a video on its usage:

[Video: ICSWEEP Demo]
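If you would rather not ship a third-party binary to every workstation, the same sweep can be scripted in PowerShell. The following is an added example, not icsweep itself: it walks every local profile under the ProfilesDirectory recorded in the registry, skips the profile of the interactively logged-on user (whose cache index is held open by the running session, which is why icsweep skips it too), and removes the cache files from the Windows XP/2003, Vista/7 and 8+ cache locations. It is meant to be run elevated on the workstation; file locations are the standard ones, and the `-WhatIf` dry run is how you check it before letting it delete anything.

```powershell
# Added example, not icsweep: sweep Temporary Internet Files for all profiles
# except the interactively logged-on user. Run elevated.
function Clear-TemporaryInternetFiles {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $profileListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    $profileRoot = [Environment]::ExpandEnvironmentVariables((Get-ItemProperty $profileListKey).ProfilesDirectory)

    # Interactive user as WMI reports it (DOMAIN\user), or $null if nobody is logged on.
    # Resolve their profile folder via SID rather than assuming folder name = user name.
    $logged = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
    $loggedProfile = $null
    if ($logged) {
        try {
            $sid = ([System.Security.Principal.NTAccount]$logged).Translate([System.Security.Principal.SecurityIdentifier]).Value
            $loggedProfile = (Get-ItemProperty "$profileListKey\$sid").ProfileImagePath
        } catch {
            $loggedProfile = Join-Path $profileRoot $logged.Split('\')[-1]   # fallback: assume folder = user name
        }
    }

    # Cache locations: XP/2003 layout, Vista/7 layout, and 8+ (IE10 and later).
    # On newer systems the first two are junctions that may refuse listing; the
    # sweep simply moves on to the next path.
    $cacheSubPaths = 'Local Settings\Temporary Internet Files',
                     'AppData\Local\Microsoft\Windows\Temporary Internet Files',
                     'AppData\Local\Microsoft\Windows\INetCache'

    $freed = [int64]0; $locked = 0; $skipped = @()
    foreach ($profile in Get-ChildItem -LiteralPath $profileRoot -Directory) {
        if ($loggedProfile -and ($profile.FullName -ieq $loggedProfile.TrimEnd('\'))) {
            $skipped += $profile.Name
            continue
        }
        foreach ($sub in $cacheSubPaths) {
            $cache = Join-Path $profile.FullName $sub
            if (-not (Test-Path -LiteralPath $cache)) { continue }
            $files = @(Get-ChildItem -LiteralPath $cache -Recurse -Force -File -ErrorAction SilentlyContinue)
            if ($files.Count -eq 0) { continue }
            if (-not $PSCmdlet.ShouldProcess($cache, "Remove $($files.Count) cached files")) { continue }
            foreach ($f in $files) {
                try {
                    Remove-Item -LiteralPath $f.FullName -Force -ErrorAction Stop
                    $freed += $f.Length
                } catch {
                    $locked++   # in-use index.dat / WebCache files stay behind
                }
            }
        }
    }
    [PSCustomObject]@{
        SkippedProfiles = $skipped
        FilesLocked     = $locked
        MBFreed         = [Math]::Round($freed / 1MB, 1)
    }
}

Clear-TemporaryInternetFiles -WhatIf   # dry run: lists what would be removed
Clear-TemporaryInternetFiles           # the actual sweep
```

Because the function supports `-WhatIf`, it can go straight into a scheduled task or a startup script once the dry run looks right; the returned object gives you the per-machine numbers to log.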

22 09 2009

Signs you might be infected with a virus or trojan

  1. Getting new pop-ups every 5 seconds
  2. Internet homepage is now something like http://www.nigerianscampharmacia.co.za
  3. After typing google.ca into your web browser you go somewhere other than Google
  4. Workstation is REALLY slow, and attempts to kill the processes that are using up all the memory and processing power fail
  5. New programs, like “Antivirus 2010”, are installed on your workstation that you did not install
  6. Your antivirus software is disabled
  7. Applications lock up or crash for no apparent reason
  8. You cannot access certain drives
  9. You cannot print

10 09 2009