Archive for the ‘Uncategorized’ Category

SCCM 2007 and Operating System Deployment

A great high level overview from the Deployment Guys @ Microsoft

Deployment Guys Link

Video

21 06 2010

The wonder that is LastPass

All it takes is being compromised once to realize the importance of strong passwords. If your enterprise is anything like mine, you will know that password complexity is the ultimate conundrum for IT administrators. If you make the password policy too complex, people will simply write the password down and attach it to their computer on a Post-it note. If the password policy is too simple, it leaves your organization vulnerable to attack.

I myself have struggled with making my passwords complex enough, yet simple enough that I can remember them. I have numerous systems and sites that I must log into on a daily basis, and creating an individual complex password for each one seemed impossible until I discovered password managers.

Password managers have been around for quite a while, but most have lacked user friendliness and most have lived on the desktop. That means if your hard drive dies or you forget the master password, you are hooped. I’ve tried several over the years, from iKeePass to 1Password on the OS X platform and finally eWallet. None of these solutions really did it for me. I wanted a solution that worked cross-platform and would sync with my mobile devices. This hasn’t existed until now.

A company out of Virginia called LastPass has created a hosted solution for your desktop, notebook and mobile devices that works with your choice of web browser. That’s right friends, you are not limited to using strictly Internet Explorer. LastPass allows you to use passwords up to 20 characters with any degree of complexity, including special characters. It stores your passwords using 256-bit AES encryption on their host-proof servers. What this means is that the passwords are encrypted locally before being transported across the network, which is especially important if you are worried about things like man-in-the-middle attacks. One of the things I like most about LastPass is that it is only $1/month. Even on a lowly Systems Admin salary I can afford a dollar a month.

I highly recommend this product. It can be ordered directly from the vendor at http://www.lastpass.com


-chris


25 01 2010

Investigating Local Workstations

In any organization, one of its greatest assets is its employees. However, in the information age, one of its greatest liabilities is also its employees. I cannot tell you the horror stories of compromised information and systems that I have come across in my days as a System Engineer. In my current role, I frequently get escalations and automated notifications about compromised workstations. The initial part of investigating these workstations often needs to be done without the end user’s knowledge and interaction. This means I need to leverage three different interfaces (WMI, RPC and FS). The first thing that I want to know is…

What has the end user installed?

If your users are anything like my end users, they violate the Acceptable Use Policy (AUP) with great vigour. They install all kinds of garbage on their notebooks that A) has no business purpose, B) comes with hidden bonus items such as trojans and backdoors, and C) violates various licensing laws and rules.


My primary method of investigating installed software is the SCCM Resource Explorer tool. This leverages the WMI interface and gives me a nice list of installed products. If I start seeing items such as BitTorrent clients, I automatically know that this is not going to end well.

Sometimes though, for some strange reason, the workstation I’m trying to investigate does not have the SCCM client on it. This is when I use a great free tool from the folks at ManageEngine. They come out with some free tools that allow you to leverage the RPC interface. One of the tools included in the package is called Software Inventory. This tool connects to the remote machine and uses your admin credentials to create a list of the software installed.


Once you know what is installed, you often have a good idea what you are dealing with. Often it’s simply time to reimage the workstation. If, however, you don’t have any evidence to support the reimage, you need to proceed further: the next step is investigating the applications in the ‘Startup’ category.

MSCONFIG

MSConfig is a great place to look for viruses/trojans that start with the workstation. In the last year though, I’ve noticed that the trojans are getting a lot more tricky and do not show up in MSConfig.

Trend Micro – HijackThis

HijackThis used to be an open-source tool until it was bought by Trend Micro. This tool allows you to see what starts when the operating system is powered up, and which Browser Helper Objects are integrated into the browser. If you start to see items and DLLs registered that should not be there, you definitely want to investigate further. Trend still offers HijackThis for free on their website or at download.com

Run Once

The next place you want to look is the “Run Once” portion of the Windows Registry. This is often where trojans and viruses hide themselves. The registry keys that you want to look at are:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Services

The Services MMC console (services.msc) is another great place to look for viruses and trojans. A quick perusal of the running services might indicate an infection, and the type of infection determines the remediation.
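The three checks above (installed software, the Run keys for the machine and the logged-on user, and running services) can be gathered remotely in one pass without touching the user’s session. The script below is an added example and not part of the original post; it assumes you hold local administrator rights on the target, that the Remote Registry service is running there, and it uses a hypothetical host name, WS-PLACEHOLDER, that you replace with the real one. It goes slightly beyond the post by also reading the RunOnce key next to Run, and by flagging any entry launched from a user-writable path.

```powershell
# Added example (not from the original post): remote triage of a workstation
# using the same interfaces the post names: WMI (services), the registry
# (installed software, Run/RunOnce keys) and the admin share (FS).
# Assumes local admin rights on the target and that Remote Registry is running.
param(
    [string]$ComputerName = 'WS-PLACEHOLDER'   # hypothetical host name, replace it
)

$report = New-Object System.Collections.ArrayList

# 1. Installed software. Read the Uninstall keys rather than Win32_Product:
#    querying Win32_Product makes MSI re-validate every package on the box,
#    which is slow and noisy on a machine you are trying to inspect quietly.
$hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
$uninstallPaths = @(
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)
foreach ($path in $uninstallPaths) {
    $key = $hklm.OpenSubKey($path)
    if ($key -eq $null) { continue }
    foreach ($name in $key.GetSubKeyNames()) {
        $sub = $key.OpenSubKey($name)
        $display = $sub.GetValue('DisplayName')
        if ($display) {
            [void]$report.Add((New-Object PSObject -Property @{
                Area = 'Installed'; Name = $display; Detail = $sub.GetValue('Publisher')
            }))
        }
    }
}

# 2. Autostart entries. The post looks at the Run keys; RunOnce is read as well
#    because it is the other autostart location under the same parent key.
$runPaths = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($path in $runPaths) {
    $key = $hklm.OpenSubKey($path)
    if ($key -eq $null) { continue }
    foreach ($valueName in $key.GetValueNames()) {
        [void]$report.Add((New-Object PSObject -Property @{
            Area = "HKLM\$path"; Name = $valueName; Detail = $key.GetValue($valueName)
        }))
    }
}
# HKCU of whoever is logged on lives under HKEY_USERS\<SID> on the remote box.
$hku = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('Users', $ComputerName)
foreach ($sid in ($hku.GetSubKeyNames() | Where-Object { $_ -like 'S-1-5-21-*' -and $_ -notlike '*_Classes' })) {
    foreach ($path in $runPaths) {
        $key = $hku.OpenSubKey("$sid\$path")
        if ($key -eq $null) { continue }
        foreach ($valueName in $key.GetValueNames()) {
            [void]$report.Add((New-Object PSObject -Property @{
                Area = "HKU\$sid\$path"; Name = $valueName; Detail = $key.GetValue($valueName)
            }))
        }
    }
}

# 3. Running services via WMI, with the binary each one launches.
Get-WmiObject -Class Win32_Service -ComputerName $ComputerName |
    Where-Object { $_.State -eq 'Running' } |
    ForEach-Object {
        [void]$report.Add((New-Object PSObject -Property @{
            Area = 'Service'; Name = $_.Name; Detail = $_.PathName
        }))
    }

# 4. Flag the obvious: autostarts and services launched from user-writable paths.
$suspicious = $report | Where-Object {
    $_.Detail -match '\\Users\\|\\Documents and Settings\\|\\Temp\\|\\AppData\\'
}

$report | Sort-Object Area, Name | Format-Table Area, Name, Detail -AutoSize
"`n--- Entries launched from user-writable locations ---"
$suspicious | Format-Table Area, Name, Detail -AutoSize

# Optional FS interface: park the triage output on the admin share for the
# ticket, without touching the user's desktop.
# $report | Export-Csv "\\$ComputerName\C$\Windows\Temp\triage.csv" -NoTypeInformation
```

The "user-writable path" filter is a heuristic, not a verdict: plenty of legitimate per-user software starts from AppData, so treat a hit as a prompt to look at the binary, not as proof of infection.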

If after investigating these areas you still suspect an infection there are numerous types of free tools that you can use.

1. Sysinternals RootKit Revealer

2. Gmer

3. F-Secure BlackLight

In the organization I currently work for, we had a scenario where a certain group of users did not get patched and ended up infected with the Conficker worm. Sophos has created a great tool to remove Conficker; it can be found here.

The information security world is definitely a scary one, and there is definitely a lot at stake. You don’t necessarily need to know everything about every virus that comes out. It is simply a matter of knowing the key parts of the system to investigate, and learning to use Google to research the methodology your infection uses as well as its impact on the system.

If you have any questions or need a little extra help, I’d be glad to lend a hand: chris (at) chrismadge.com

27 11 2009

Windows 7 for Students – $39.99

Microsoft has made Windows 7 Home Premium and Professional available to students at certain Canadian universities for as little as $39.99 CAD. This deal only lasts until January 3rd, so get on it.


http://www.microsoft.com/canada/windows/discoverytour/student.aspx?wt.mc_id=can_co-win7launch-en_vanity_student

09 11 2009

Signs you might be infected with a virus or trojan

  1. Getting new popups every 5 seconds
  2. Your Internet homepage is now something like http://www.nigerianscampharmacia.co.za
  3. After typing google.ca into your web browser you end up somewhere other than Google
  4. The workstation is REALLY slow, and attempts to kill the processes that are using up all the memory and processing power fail
  5. New programs like “Antivirus 2010” are installed on your workstation that you did not install
  6. Your antivirus software is disabled
  7. Applications lock up or crash for no apparent reason
  8. You cannot access certain drives
  9. You cannot print

10 09 2009

Securing RDP on a Windows XP Machine

//taken from mobydisk.com

Remote Desktop, Unsafely

Many people use the Windows XP Professional remote desktop feature to gain easy access to their home PCs. But opening up a connection to an administrator account on your system is very dangerous. Just by opening the port on my firewall I received several logon attempts, from various countries, within a week. Free tools exist that assist hackers with breaking into Windows Remote Desktop connections. Fortunately there are a few simple steps you can take to protect yourself:

Remote Desktop, Safely

Limit users who can log on remotely

First, only allow certain users remote desktop access. Go to the Control Panel, then system, then the Remote tab.

Screen shot showing remote desktop control panel tab

From there, enable “Allow users to connect remotely to this computer.” Then, click “Select Remote Users.”

Screen shot showing remote desktop screen

Here, add only the users who you want to be able to log in remotely. If you are super-secure, you can set this to a standard user account, and force yourself to run as a normal user. This is a very difficult way to run Windows since many applications assume the user has Administrator rights, so I leave that decision up to you.

Unfortunately for you, that setting didn’t do a thing! You will find that you can still log on as any administrator account. To make things complicated, Microsoft defaults to the least secure setting possible while hiding this fact from the user. You will need to go to another location to change the real list. Click Start – Programs – Administrative Tools – Local Security Policy. If you can’t find it, you can also do Start – Run – enter “%SystemRoot%\system32\secpol.msc /s” – Ok.

Screen shot showing local security settings

Under Local Policies – User Rights Assignment, there is a line that says “Allow logon through Terminal Services.” And just next to it is “Administrators, Remote Desktop Users.” Aha! Too bad it didn’t show “Administrators” in the other screen. Double-click this setting and remove “Administrators.” If you want an administrator to have access, just add them explicitly through the other screen.

Screen shot showing Terminal Services users

Set an account lockout policy

There are already tools that will use brute force to guess passwords and log on remotely. You cannot stop this, but it can be minimized by setting an account lockout policy. If someone tries to guess the password, then after a few guesses they will be locked out for a period of time. This can make hours or days of guessing become centuries, which makes it infeasible to brute-force into your system.

From the same Local Security Policy screen from before, go to Account Policies – Account Lockout Policy.

Screen shot showing a minimal account lockout policy

Account lockout threshold: This is the number of failed logon attempts before the user is locked out. Three is usually sufficient to indicate someone is trying to break in.

Reset account lockout counter after: For a typical home system, set this setting to be the same as the Account Lockout Duration below.

Account lockout duration: This is how long the user will be unable to logon after several failed attempts. Even a few minutes will significantly reduce the possibility of a remote brute-force attack. For a home system, any more than a few minutes can be frustrating. You may come home to find your account is locked-out because of some joker guessing passwords. Adjust the setting to your own tolerance. Setting this value to zero means to lock the account until it is manually unlocked.

To manually unlock an account you must logon as another administrator user (preferably one without remote desktop access). Then go to Start – Programs – Administrative Tools – Computer Management – Local Users and Groups. Click on the individual user and uncheck the “account is disabled” check box. You may then log on as that user.

Screen shot showing the 'Account is disabled' checkbox on the user property page

Require Passwords and 128-Bit Encryption

For compatibility with older, weaker, less-secure clients, Windows XP defaults to allowing minimal or no encryption on remote desktop connections. If you are connecting with older software, upgrade it. If you are connecting with the PocketPC Terminal Services Client, then this setting won’t work for you since that client does not support high encryption. :-(

Click Start – Run – “%SystemRoot%\system32\gpedit.msc /s” to get to the Group Policy Editor. I don’t know how to get there any easier than that, so you might want to add an icon for it to your Administrative Tools.

From here, go to Computer Configuration – Administrative Templates – Windows Components – Terminal Services – Encryption and Security.

Screen shot showing Terminal Services Security settings in the Group Policy

You can change the “Set client connection encryption level” from “Not Configured” to “Enabled” and “High Level” to force the client to use 128-bit security. This protects your passwords as well as anything transmitted during your terminal service session.

Enabling “Always prompt client for password upon connection” prevents the remote user from saving the password on the client computer and avoiding the password prompt. Saving passwords is generally a dangerous setting since the password is now on another computer, and because it allows the user to forget it.

Change the TCP Port

You can move the terminal services port from 3389 to another port by changing the registry key at

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber

You will then need to specify the port when you connect to your system. Connect with something like “my.computerathome.com:1234” instead of “my.computerathome.com”

IP Address White List

Windows Firewall allows you to limit which IP addresses have access to remote desktop. To do this, open the Control Panel and run Windows Firewall. Select the Exceptions tab and make sure “Remote Desktop” is checked.

Windows Firewall control panel screen shot

Click the “Edit” button and you will see a list of TCP ports. Windows Firewall assumes that Remote Desktop lies on port 3389. If you changed the port number, you will need to cancel this screen and instead click “Add Port” and create an entry with the port number you used.

Windows Firewall TCP port screen shot

Click the “Change Scope” button. From this screen, you can limit to the local network, or to a specific set of IP addresses.

Thanks to Nick for this tip!

Windows Firewall IP address edit screen
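The steps from “Limit users who can log on remotely” through “IP Address White List” are all settings you can read back to confirm they actually took effect (the post itself shows that the first one silently does nothing). The script below is an added example, not part of the original article; it is read-only, must run from an administrator PowerShell on the XP/2003-era machine being checked, and uses the same registry key the article gives for the port. Assumptions: `MinEncryptionLevel` under the RDP-Tcp key mirrors the “Set client connection encryption level” policy (3 = High), `secedit /export` exposes the “Allow logon through Terminal Services” right as `SeRemoteInteractiveLogonRight`, and the XP SP2 firewall stores its exception scope in the `GloballyOpenPorts\List` registry value in the form `port:protocol:scope:Enabled:name`. `Add-Finding` is a helper defined here, not a built-in cmdlet.

```powershell
# Added example (not from the original article): audit the Remote Desktop
# settings the article walks through and report which are still at the
# insecure default. Read-only. Run as an administrator on the machine itself.
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$fwBase = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
$findings = @()

# Helper defined for this example; it just accumulates one row per check.
function Add-Finding($Check, $Value, $Ok, $Advice) {
    $script:findings += New-Object PSObject -Property @{
        Check = $Check; Value = $Value
        Status = $(if ($Ok) { 'OK' } else { 'REVIEW' }); Advice = $Advice
    }
}

# 1. Is Remote Desktop enabled at all? fDenyTSConnections = 1 means disabled.
$deny = (Get-ItemProperty $tsKey).fDenyTSConnections
Add-Finding 'Remote Desktop enabled' ($deny -eq 0) ($deny -ne 0) 'If you do not need it, leave it off.'

# 2. Who holds "Allow logon through Terminal Services"? secedit exports the
#    policy as an INI file; the right is named SeRemoteInteractiveLogonRight.
$cfg = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Select-String -Path $cfg -Pattern '^SeRemoteInteractiveLogonRight' | Select-Object -First 1
$holders = if ($line) { $line.Line.Split('=')[1].Trim() } else { '' }
# S-1-5-32-544 is the well-known SID of the local Administrators group.
Add-Finding 'Allow logon through Terminal Services' $holders `
    ($holders -notmatch 'S-1-5-32-544|Administrators') 'Remove Administrators; add named users instead.'

# 3. Account lockout policy, as reported by "net accounts".
$acct = net accounts
$threshold = ($acct | Select-String 'Lockout threshold' | Select-Object -First 1).Line.Split(':')[1].Trim()
$duration  = ($acct | Select-String 'Lockout duration'  | Select-Object -First 1).Line.Split(':')[1].Trim()
Add-Finding 'Lockout threshold' $threshold ($threshold -ne 'Never') 'Set a small number such as 3.'
Add-Finding 'Lockout duration (minutes)' $duration ($threshold -ne 'Never') 'Even a few minutes defeats online guessing.'

# 4. Encryption level: MinEncryptionLevel 3 = High (128-bit), 4 = FIPS.
$enc = (Get-ItemProperty $rdpKey).MinEncryptionLevel
Add-Finding 'Client connection encryption level' $enc ($enc -ge 3) 'Set "High Level" in gpedit.msc.'

# 5. Listening port.
$port = (Get-ItemProperty $rdpKey).PortNumber
Add-Finding 'RDP TCP port' $port ($port -ne 3389) 'Moving off 3389 cuts scanner noise; it is not authentication.'

# 6. Firewall exception scope for that port. The XP SP2 firewall keeps each
#    exception as "port:protocol:scope:Enabled:name"; a scope of * means any address.
foreach ($profile in 'StandardProfile', 'DomainProfile') {
    $listKey = "$fwBase\$profile\GloballyOpenPorts\List"
    if (-not (Test-Path $listKey)) { continue }
    $entry = (Get-ItemProperty $listKey).PSObject.Properties |
        Where-Object { $_.Name -like "${port}:TCP*" } | Select-Object -First 1
    if ($entry) {
        $scope = $entry.Value.Split(':')[2]
        Add-Finding "Firewall scope ($profile)" $scope ($scope -ne '*') 'Restrict the exception with Change Scope.'
    } else {
        Add-Finding "Firewall scope ($profile)" "port $port not opened" $true 'No exception for this port in this profile.'
    }
}

Remove-Item $cfg -ErrorAction SilentlyContinue
$findings | Format-Table Check, Value, Status, Advice -AutoSize
```

Anything marked REVIEW maps back to the matching section of the article; the port check is deliberately worded as noise reduction rather than security, since a different port only hides the service from the laziest scanners.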

Prevent a MITM Attack

Remote desktop is encrypted, which makes it more secure than many simplistic VNC implementations. However, without additional security Remote Desktop is vulnerable to a man-in-the-middle attack because it does not use a certificate to authenticate the server like SSL/SSH does. That means that if you connect to your system via remote desktop, there is no guarantee that the conversation is not recorded, and your passwords are not guaranteed to be safe, even though the session is encrypted.

On Windows XP, there is no built-in support for secure certificates in remote desktop. Therefore, to close this security hole you must use SSH tunneling over a VNC connection. However, Windows Server 2003 provides an enhanced version of terminal services that supports security authentication via TLS. For this to work, you must be using an updated version of the Remote Desktop Client software. You must also configure Windows Server 2003 to use a certificate as described in the Microsoft Knowledge Base article.

Monitor Log Files

The Event Viewer logs failed login attempts and account lockouts. You can periodically check this to see if anyone is trying to get in. If your firewall keeps logs (Windows Firewall does) then you can use these to see when someone tries to connect.
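The Security log check above is easier to act on when the failed logons are grouped by where they came from, so a single source hammering the RDP port stands out from an honest typo. The script below is an added example and not part of the original article; it is read-only and must run as an administrator. It assumes the Security log is being populated (on XP that requires “Audit logon events” with Failure selected under Local Security Policy – Local Policies – Audit Policy) and it queries both the XP/2003 event IDs (529 bad password, 539 and 644 lockout) and the Vista-and-later equivalents (4625, 4740) so it works on either generation. `Get-LogonSource` is a helper defined in the example, not a built-in cmdlet.

```powershell
# Added example (not from the original article): summarize failed logons and
# lockouts from the Security event log, grouped by source, so brute-force
# attempts against Remote Desktop stand out. Read-only; run as an administrator.
param(
    [int]$Hours = 24,
    [int]$AlertThreshold = 10   # failures from one source that warrant a look
)
$since = (Get-Date).AddHours(-$Hours)
$failureIds = 529, 4625        # XP/2003: 529 ; Vista+: 4625
$lockoutIds = 539, 644, 4740   # XP/2003: 539/644 ; Vista+: 4740

$events = Get-EventLog -LogName Security -After $since -ErrorAction SilentlyContinue |
    Where-Object { $failureIds -contains $_.InstanceId -or $lockoutIds -contains $_.InstanceId }

# Helper defined for this example: pull the source machine out of the message
# text. Both generations of events label the fields the same way.
function Get-LogonSource($Event) {
    $m = [regex]::Match($Event.Message, 'Source Network Address:\s*(\S+)')
    if ($m.Success -and $m.Groups[1].Value -ne '-') { return $m.Groups[1].Value }
    $m = [regex]::Match($Event.Message, 'Workstation Name:\s*(\S+)')
    if ($m.Success) { return $m.Groups[1].Value }
    return 'unknown'
}

$failures = @($events | Where-Object { $failureIds -contains $_.InstanceId })
$lockouts = @($events | Where-Object { $lockoutIds -contains $_.InstanceId })

"Failed logons since $since : $($failures.Count)"
$failures |
    Group-Object -Property { Get-LogonSource $_ } |
    Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'Flag'; e = { if ($_.Count -ge $AlertThreshold) { '<< possible brute force' } else { '' } } } |
    Format-Table -AutoSize

"Account lockouts since $since : $($lockouts.Count)"
$lockouts |
    Select-Object TimeGenerated, InstanceId, @{ n = 'Source'; e = { Get-LogonSource $_ } } |
    Format-Table -AutoSize
```

If every row comes back as `unknown`, the source address is not being recorded for that logon type on your build; the Workstation Name fallback still lets you tell a lockout you caused yourself from one caused by someone else.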

04 05 2009

What are you worth?

An ITWorld Canada site gives the average income of similar positions in your geographical area.

http://www.itworldcanada.com/salarycalculator/calculator.aspx

20 04 2009

Blackberry App World not an April Fools Joke

After months and months of waiting, the BlackBerry App World finally opened. I will admit I had low expectations of the BlackBerry version of the Apple App Store. However, when the store opened last night at 9pm PST, I admit I was quite impressed. There are lots of new applications, including several free offerings such as the Poynt application and the Shazam application, which was the focus of an Apple commercial for the iPhone. I’m excited to see what new applications come to the store in the next few months, and today I’m really glad I own a BlackBerry…

Blackberry App World


01 04 2009

Hiatus

So I realize I have spent the last 6 months without an update. This is not to say that I haven’t learned anything or that nothing new has happened in the technological world. It’s, well, I just got busy… Look forward to more regular updates from now on. :)

01 04 2009

Brute Force Removing a Mailbox from Exchange 2007

So there comes a time in every organization when an employee who was involved in everything leaves. He/she was an integral part of many different projects, and it comes time to remove them from the Exchange organization.

You have done all the standard stuff that you are required to do by various laws and regulations. You have archived the user’s mail. You have made sure that all of their files are backed up and stored safely. Before you hit Remove Mailbox in the Exchange Management Console, let me tell you a little story about disconnected mailboxes.

Disconnected Mailbox Storage is the Recycle Bin for Exchange organizations. It allows the Exchange system administrator to go “Oh crap, we still needed that”. When you click Remove Mailbox it doesn’t actually remove the mailbox; it just moves the mailbox to the ‘Disconnected Mailboxes’ grouping. The time that Exchange holds the mailbox before permanently deleting it is 30 days. For most users this works out perfectly.

There is, however, a time and a place where you will want to remove all instances of that user from your Exchange organization. This scenario would be like the one I described above, where the user being removed was receiving meeting requests for the Project Manager and answering vacation emails for the Vice President but never removed the delegation. If you simply remove the mailbox, the delegations will remain and cause bounced email for every meeting request. To solve this problem there is a very simple Exchange PowerShell command that goes like this:

Remove-Mailbox -Identity contoso\john -Permanent $true

The Exchange Shell will then ask if you want to remove associations. The answer to that question is Yes to all.

The PowerShell command will complete, and it will be as if the mailbox was never in the Exchange organization.
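Because `-Permanent $true` is irreversible, it is worth seeing what still points at the departing user before answering “Yes to all”. The script below is an added example and not part of the original post; it runs in the Exchange 2007 Management Shell, reuses the post’s placeholder identity `contoso\john`, and lists the mailbox rights, Send On Behalf grants, distribution group memberships and any already-disconnected copies for that user before the removal line, which is left commented out so nothing is deleted by running it as-is.

```powershell
# Added example (not from the original post): review everything in the
# Exchange 2007 organization that still references a departing user before
# removing the mailbox permanently. Run in the Exchange Management Shell.
$user    = 'contoso\john'          # same placeholder identity the post uses
$mailbox = Get-Mailbox -Identity $user
$userDn  = $mailbox.DistinguishedName

# 1. Mailboxes on which the user holds explicit (non-inherited) rights,
#    e.g. Full Access to a manager's mailbox.
"== Mailbox permissions held by $user =="
Get-Mailbox -ResultSize Unlimited |
    Get-MailboxPermission -User $user |
    Where-Object { -not $_.IsInherited } |
    Select-Object Identity, AccessRights | Format-Table -AutoSize

# 2. Mailboxes that grant this user Send On Behalf: the "answering the VP's
#    vacation mail" delegation described in the post.
"== Send On Behalf grants naming $user =="
Get-Mailbox -ResultSize Unlimited |
    Where-Object { ($_.GrantSendOnBehalfTo | ForEach-Object { $_.DistinguishedName }) -contains $userDn } |
    Select-Object Name, Alias | Format-Table -AutoSize

# 3. Distribution groups the user is still a member of.
"== Distribution group memberships =="
Get-DistributionGroup -ResultSize Unlimited |
    Where-Object {
        (Get-DistributionGroupMember -Identity $_.Identity | ForEach-Object { $_.DistinguishedName }) -contains $userDn
    } |
    Select-Object Name | Format-Table -AutoSize

# 4. Copies already sitting in the disconnected-mailbox "recycle bin" for this
#    display name, across every mailbox server.
"== Disconnected copies =="
Get-MailboxServer |
    ForEach-Object { Get-MailboxStatistics -Server $_.Name } |
    Where-Object { $_.DisconnectDate -ne $null -and $_.DisplayName -eq $mailbox.DisplayName } |
    Select-Object DisplayName, DisconnectDate, Database | Format-Table -AutoSize

# 5. Only after reviewing the output above: remove the mailbox and the AD user
#    for good. -Confirm:$false suppresses the "remove associations" prompt the
#    post mentions; leave it off to answer "Yes to all" interactively.
# Remove-Mailbox -Identity $user -Permanent $true -Confirm:$false
```

Clearing the delegations listed in steps 1 and 2 yourself (with `Remove-MailboxPermission` and by editing `GrantSendOnBehalfTo` on the granting mailbox) is the tidier route when the user has to stay in the organization for a while; the permanent removal is for the case the post describes, where the account is leaving entirely.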

01 09 2008