<?xml version='1.0' encoding='UTF-8'?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/'><id>tag:blogger.com,1999:blog-5702491182567675357</id><updated>2008-11-12T20:59:09.676-05:00</updated><title type='text'>Mark M Manning</title><subtitle type='html'></subtitle><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5702491182567675357/posts/default'/><link rel='alternate' type='text/html' href='http://www.markmmanning.com/blog/'/><link rel='next' type='application/atom+xml' href='http://www.blogger.com/feeds/5702491182567675357/posts/default?start-index=26&amp;max-results=25'/><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://www.markmmanning.com/blog/atom.xml'/><author><name>Mark M Manning</name><uri>http://www.blogger.com/profile/12712393285540348766</uri><email>noreply@blogger.com</email></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>31</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-5702491182567675357.post-8136223213742800439</id><published>2008-11-12T20:54:00.001-05:00</published><updated>2008-11-12T20:59:09.704-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='symantec'/><category scheme='http://www.blogger.com/atom/ns#' term='antivirus'/><category scheme='http://www.blogger.com/atom/ns#' term='hack'/><title type='text'>Overriding Symantec Endpoint Protection's Uninstall Password</title><content type='html'>&lt;p&gt;Standard story: I had a user today with Symantec Endpoint Protection, and it was causing her CPU to redline.  SEP said everything was fine, so I thought I'd save some time and uninstall and reinstall it like a good sysadmin would.
Most people know that Symantec's more corporate products require a password in order to uninstall the application.  This is a simple protection against an attacker manually removing the antivirus.  I didn't realize until today just how simple that protection was.&lt;/p&gt;

&lt;p&gt;I did some looking for the password, asked a few people, and tried to look up the default password because, knowing this client, that's what it would be.  No luck.  Then I discovered something: I was watching the processes in Task Manager and saw that when I went to uninstall SEP, msiexec ran as I expected, but right as the password prompt came up, another instance of msiexec appeared.  What are the odds that I could just end that process and be allowed through? Very good.&lt;/p&gt;

&lt;p&gt;So then I looked online about this and, of course, I'm not the first person to find this out.  If you can end the msiexec.exe process that is running as the current user (not SYSTEM), the password prompt will disappear and the uninstallation will continue.  There is a protection built into SEP and other Symantec products that blocks access to Task Manager while the password prompt is showing.  That's why my favorite Windows tool, Process Explorer, comes in handy.  So here are the steps:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Download Process Explorer from Microsoft or Sysinternals&lt;/li&gt;
&lt;li&gt;Uninstall the Symantec product of your choice&lt;/li&gt;
&lt;li&gt;Wait for the password prompt to appear&lt;/li&gt;
&lt;li&gt;Run Process Explorer and find the msiexec.exe that is running as the current user (not SYSTEM)&lt;/li&gt;
&lt;li&gt;End that process and continue with the uninstallation&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;I know this really isn't a revelation to most people, but I had never done it before, and it goes right along with some of the anti-anti-virus research I'm doing.&lt;/p&gt;

&lt;h3&gt;External Links&lt;/h3&gt;
&lt;a href="http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx"&gt;http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx&lt;/a&gt; - Process Explorer download&lt;br/&gt;
&lt;a href="https://forums.symantec.com/syment/board/message?board.id=endpoint_protection11&amp;message.id=4852"&gt;https://forums.symantec.com/syment/board/message?board.id=endpoint_protection11&amp;message.id=4852&lt;/a&gt; – link to a forum that has other suggestion to resetting the password like “calling support”</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5702491182567675357/posts/default/8136223213742800439'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5702491182567675357/posts/default/8136223213742800439'/><link rel='alternate' type='text/html' href='http://www.markmmanning.com/blog/2008/11/overriding-symantec-endpoint.html' title='Overriding Symantec Endpoint Protection&apos;s Unininstall Password'/><author><name>Mark M Manning</name><uri>http://www.blogger.com/profile/12712393285540348766</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-5702491182567675357.post-9155601818751172616</id><published>2008-10-30T19:23:00.001-04:00</published><updated>2008-10-30T19:25:56.147-04:00</updated><title type='text'>Hide Your Private IP in Mozilla Thunderbird</title><content type='html'>&lt;p&gt;A friend of mine brought up an issue that I never noticed before: In Mozilla Thunderbird, when you send an email, the private IP address of your computer is also transmitted.  So the header will look something like this:&lt;/p&gt;

&lt;blockquote&gt;Received: from ?&lt;strong&gt;192.168.1.108&lt;/strong&gt;? (cpe-66-666-666-666.res.rr.com [66.666.666.666])&lt;/blockquote&gt;

&lt;p&gt;That 192.168.1.108 is the private IP address of whichever computer you sent the email from.&lt;/p&gt;

&lt;h3&gt;Who Cares?&lt;/h3&gt;
&lt;p&gt;Now, I get that my public IP must be known to properly route the connection from my gateway to the SMTP server I'm trying to connect to, but there's no reason to give out my private IP.  Knowing it makes it easier for an attacker to find my computer on the network for specific attacks against me or, even worse, to know which range of computers to attack to evade some intrusion detection systems.&lt;/p&gt;
&lt;p&gt;That being said, it was put there for a reason. Some anti-spam solutions - specifically SpamAssassin - request that you provide the private IP address of the computer you're sending from even if the system is behind a NAT.  It doesn't care what IP address you fill in, just that you put something there.  If you're going to override it like I show below, you should probably spoof it with a number that could plausibly be a private IP address, or something in the form of a fully qualified domain name, or else you risk your messages being flagged as spam more often.&lt;/p&gt;

&lt;h3&gt;How to Fix This&lt;/h3&gt;
&lt;p&gt;There is an easy workaround:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Open Thunderbird&lt;/li&gt;
&lt;li&gt;Open Preferences &gt; Advanced &gt; General&lt;/li&gt;
&lt;li&gt;Click on Config Editor&lt;/li&gt;
&lt;li&gt;Type in "smtp" and find the number of the SMTP server you want to adjust (usually it will say smtp1)&lt;/li&gt;
&lt;li&gt;Right-click on the table and create a new string&lt;/li&gt;
&lt;li&gt;Name it mail.smtpserver.smtp*.hello_argument, where * is the number of the SMTP server settings that you're changing (usually 1)&lt;/li&gt;
&lt;li&gt;Assign it whatever value you'd like&lt;br/&gt;
NOTE: Changing this setting will make your messages more likely to be marked as spam by SpamAssassin.  Choosing a private IP would be better than just putting something like im.not.telling&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;Now when you go to send messages your header will look like this:&lt;/p&gt;

&lt;blockquote&gt;Received: from &lt;strong&gt;172.25.66.6&lt;/strong&gt; (cpe-66-666-666-666.res.rr.com [66.666.666.666])&lt;/blockquote&gt;

&lt;h3&gt;External Links&lt;/h3&gt;
&lt;a href="https://bugzilla.mozilla.org/show_bug.cgi?id=279525"&gt;https://bugzilla.mozilla.org/show_bug.cgi?id=279525&lt;/a&gt; - link to the mozilla bug discussing this issue in length&lt;br/&gt;
&lt;a href="http://forums.mozillazine.org/viewtopic.php?f=39&amp;t=574630&amp;start=0&amp;st=0&amp;sk=t&amp;sd=a"&gt;http://forums.mozillazine.org/viewtopic.php?f=39&amp;t=574630&amp;start=0&amp;st=0&amp;sk=t&amp;sd=http://forums.mozillazine.org/viewtopic.php?f=39&amp;t=574630&amp;start=0&amp;st=0&amp;sk=t&amp;sd=a&lt;/a&gt; - Mozillazine website where I first found discussion about this issue&lt;br/&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5702491182567675357/posts/default/9155601818751172616'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5702491182567675357/posts/default/9155601818751172616'/><link rel='alternate' type='text/html' href='http://www.markmmanning.com/blog/2008/10/hide-your-private-ip-in-mozilla.html' title='Hide Your Private IP in Mozilla Thunderbird'/><author><name>Mark M Manning</name><uri>http://www.blogger.com/profile/12712393285540348766</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-5702491182567675357.post-1082087645870583628</id><published>2008-09-03T21:18:00.004-04:00</published><updated>2008-09-03T21:28:20.404-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Defcon XVI'/><category scheme='http://www.blogger.com/atom/ns#' term='Nate Evans'/><category scheme='http://www.blogger.com/atom/ns#' term='anonymity'/><category scheme='http://www.blogger.com/atom/ns#' term='Defcon 16'/><category scheme='http://www.blogger.com/atom/ns#' term='Tor'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='ethical hackers'/><category scheme='http://www.blogger.com/atom/ns#' term='Nathan Evans'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><category scheme='http://www.blogger.com/atom/ns#' term='Defcon'/><title type='text'>Defcon XVI - Tor Part II</title><content type='html'>&lt;p&gt;&lt;a 
href="http://web.cs.du.edu/~natevans/"&gt;Nathan Evans&lt;/a&gt; did the last talk on the first night of Defcon called &lt;a href="https://www.defcon.org/html/links/defcon-media-archives.html"&gt;De-TOR-iorate Anonymity&lt;/a&gt;. It had a lot of people sweating on the Tor mailing list and even generated a huge debate about whether Tor should even be attempted to be used on a multi-purpose system versus a dedicated machine or virtual machine like JanusVM or AnonymOS.  The information was pretty thick to process at the time, but a few minutes later, it finally sunk in.  Here's how it works. 
&lt;/p&gt;
&lt;h3&gt;Overview of Tor&lt;/h3&gt;
&lt;img src="http://www.markmmanning.com/blog/images/tor_evans_fig0.png" border="0" align="right" alt="Tor Overview Figure"&gt;&lt;p&gt;A quick review of how Tor works.  Tor is a anonymity tool that creates a circuit of proxy servers to relay connections through.  For instance, in the figure below we see Alice trying to connect to Bob.  Alice sends traffic to node 1, node 1 relays that traffic to node 5, node 5 relays that traffic to node 8 and node 8 finally sends the request to Bob.  If Bob replies, the data travels back the direction that it came.  Simple enough?
&lt;/p&gt;
&lt;h3&gt;Overview of Attack&lt;/h3&gt;
&lt;p&gt;Nathan's attack falls under the "partitioning" label, as its goal is to partition the Tor network into smaller and smaller sets of candidate relays until it finds the entry node the user is coming from.  Because this attack assumes the attacker controls the exit node, identifying the entry node confirms the second node used as a relay, thus revealing every node in the user's circuit.  This makes Tor as anonymous as a single proxy.
&lt;/p&gt;
&lt;h3&gt;Circular Circuits&lt;/h3&gt;

&lt;p&gt;&lt;img src="http://www.markmmanning.com/blog/images/tor_evans_circuit.png" border="0" align="right" alt="Circular Circuit figure"&gt;Nathan found that an attacker can create looped circuits.  That is Node 1 relays to Node 2 and then relays to Node 3 but at Node 3 an EXTEND command is issued so the circuit length is increased infinitely.  This causes the queue of traffic waiting to be relayed to fill up and the latency to increase by a large amount.  &lt;/p&gt;


&lt;h3&gt;Why it works&lt;/h3&gt;
&lt;p&gt;Doing a DoS attack and measuring the latency is not new; it was actually talked about at last year's Defcon.  The difference with this attack is that the attacker creates circular circuits, so nodes are looping traffic back to the beginning instead of relaying it properly.&lt;/p&gt;
&lt;p&gt;This is why the attack worked:&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;Tor is hard-coded to use only 3 nodes in a circuit (debatable whether or not to change)&lt;/li&gt;
&lt;li&gt;Tor does not provide padding to keep latency at the same rate (and never will)&lt;/li&gt;
&lt;li&gt;Tor allows for infinite circuit lengths (to be fixed in &lt;a href="https://www.torproject.org/svn/trunk/doc/spec/proposals/110-avoid-infinite-circuits.txt"&gt;proposal 110&lt;/a&gt;)&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;The Attack&lt;/h3&gt;
&lt;p&gt;To attack the network, he used the following environment:&lt;/p&gt;
&lt;ol&gt;&lt;li&gt;A "Bad Exit Node" owned by the attacker&lt;/li&gt;
&lt;li&gt;A Tor client used to generate circular circuits (defined as the "DoS Client")&lt;/li&gt;
&lt;li&gt;A web server to act as the destination and to keep track of latency (defined as the "DoS Server")&lt;/li&gt;
&lt;li&gt;A normal user who is using the Bad Exit Node ("Alice")&lt;/li&gt;&lt;/ol&gt;

&lt;p&gt;The attack is a denial-of-service attack on many nodes using the circular circuits discussed above.  If the user's latency stays low while a set of circular circuits is being created, the attacker knows that the entry node is NOT one of the DoS'd relays and tries different nodes. In this case, latency is measured by injecting a JavaScript command that pings a web server collecting stats.  The process of generating circular circuits and recording the results is repeated until the user's latency increases substantially, at which time the attacker knows that the entry node is one of the three nodes used in the last DoS attack. &lt;/p&gt;

&lt;h3&gt;Example&lt;/h3&gt;
&lt;img src="http://www.markmmanning.com/blog/images/tor_evans_fig1.png" align="right" border="0" alt="Nate Evans Attack"&gt;
&lt;p&gt;In this figure, you can see that Alice is trying to connect to Bob via nodes 1, 5, and the Bad Exit Node owned by the attacker. During this time the attacker is creating circular circuits between 1, 2, and 3, which generate large amounts of traffic and cause a slowdown. &lt;/p&gt;

&lt;h3&gt;The Fix&lt;/h3&gt;
&lt;p&gt;Tor has been updated at least 3 times since writing this blog.  Among many other bug fixes and feature additions are the changes related to &lt;a href="https://www.torproject.org/svn/trunk/doc/spec/proposals/110-avoid-infinite-circuits.txt"&gt;Proposal 110&lt;/a&gt;.  This is the proposal to change Tor to handle circular circuits.  The proposal splits relay requests into "Relay" and "Relay_Early."  Relay requests cannot issue the EXTEND command that is used to generate the circular circuits, while Relay_Early requests can, as these would be the beginning of the circuits.&lt;/p&gt;
&lt;p&gt;The &lt;a href="https://www.torproject.org/svn/trunk/ChangeLog"&gt;0.2.0.30&lt;/a&gt; version also makes an addition to block "risky" extend cells:&lt;/p&gt;
&lt;blockquote&gt;Relays now reject risky extend cells: if the extend cell includes
a digest of all zeroes, or asks to extend back to the relay that
sent the extend cell, tear down the circuit. Ideas suggested
by rovv.
&lt;/blockquote&gt;
&lt;p&gt;The fix is not complete.  They are still implementing parts of proposal 110, and they have to maintain backwards compatibility in case a version 1 circuit is created.  &lt;/p&gt;

&lt;h3&gt;External Links&lt;/h3&gt;
&lt;a href="https://www.torproject.org"&gt;http://www.torproject.org&lt;/a&gt; - Tor Project Website&lt;br/&gt;
&lt;a href="https://www.torproject.org/svn/trunk/doc/spec/proposals/110-avoid-infinite-circuits.txt:"&gt;https://www.torproject.org/svn/trunk/doc/spec/proposals/110-avoid-infinite-circuits.txt&lt;/a&gt; - Details of the proposal for the fix&lt;br/&gt;
&lt;a href="http://archives.seul.org/or/talk/Aug-2008/msg00148.html"&gt;http://archives.seul.org/or/talk/Aug-2008/msg00148.html&lt;/a&gt; - just for accuracy's sake, Roger Dingledine's follow up to my explanation on the or-talk list&lt;br/&gt;
&lt;a href="http://web.cs.du.edu/~natevans/"&gt;http://web.cs.du.edu/~natevans/&lt;/a&gt; - Nathan Evan's website.  Nothing there really&lt;br/&gt;
&lt;a href="https://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-evans-grothoff.pdf"&gt;https://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-evans-grothoff.pdf&lt;/a&gt; - Original powerpoint presentation called De-Tor-iorate Anonymity&lt;br/&gt;
&lt;a href="https://www.torproject.org/svn/trunk/ChangeLog"&gt;https://www.torproject.org/svn/trunk/ChangeLog&lt;/a&gt; - the always updating changelog of Tor</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5702491182567675357/posts/default/1082087645870583628'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5702491182567675357/posts/default/1082087645870583628'/><link rel='alternate' type='text/html' href='http://www.markmmanning.com/blog/2008/09/defcon-xvi-tor-part-ii.html' title='Defcon XVI - Tor Part II'/><author><name>Mark M Manning</name><uri>http://www.blogger.com/profile/12712393285540348766</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-5702491182567675357.post-8446984628868469350</id><published>2008-08-31T21:13:00.005-04:00</published><updated>2008-09-01T21:05:00.389-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='system administration'/><category scheme='http://www.blogger.com/atom/ns#' term='windows vista'/><category scheme='http://www.blogger.com/atom/ns#' term='vista'/><category scheme='http://www.blogger.com/atom/ns#' term='windows server 2003'/><title type='text'>Using Windows Server 2003 Admin Pack on Vista</title><content type='html'>&lt;p&gt;If you haven't found out, the Windows Server 2003 Admin Pack does not work on Vista.  This can be annoying for sys admins that aren't lucky enough to have Server 2008 installed everywhere.  Luckily, there's a quick fix&lt;/p&gt;
&lt;ol&gt;&lt;li&gt; Download and install the &lt;a href="http://www.microsoft.com/downloads/details.aspx?familyid=e487f885-f0c7-436a-a392-25793a25bad7&amp;displaylang=en"&gt;Server 2003 Admin Pack&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;Copy and paste the following code into Notepad and save it as "Adminpackfix.cmd" or something like that&lt;br/&gt;

&lt;textarea cols="75" rows="30"&gt;
@echo off

REM RegisterAdminPak.cmd
REM (c) 2006 Microsoft Corporation.  All rights reserved.
REM Re-registers each Admin Pack snap-in DLL listed below with regsvr32 (run from an elevated prompt).

set filelist=adprop.dll azroles.dll azroleui.dll ccfg95.dll
set filelist=%filelist% certadm.dll certmmc.dll certpdef.dll certtmpl.dll
set filelist=%filelist% certxds.dll cladmwiz.dll clcfgsrv.dll clnetrex.dll
set filelist=%filelist% cluadmex.dll cluadmmc.dll cmproxy.dll cmroute.dll
set filelist=%filelist% cmutoa.dll cnet16.dll debugex.dll dfscore.dll
set filelist=%filelist% dfsgui.dll dhcpsnap.dll dnsmgr.dll domadmin.dll
set filelist=%filelist% dsadmin.dll dsuiwiz.dll imadmui.dll lrwizdll.dll
set filelist=%filelist% mprsnap.dll msclus.dll mstsmhst.dll mstsmmc.dll
set filelist=%filelist% nntpadm.dll nntpapi.dll nntpsnap.dll ntdsbsrv.dll
set filelist=%filelist% ntfrsapi.dll rasuser.dll rigpsnap.dll rsadmin.dll
set filelist=%filelist% rscommon.dll rsconn.dll rsengps.dll rsjob.dll
set filelist=%filelist% rsservps.dll rsshell.dll rssubps.dll rtrfiltr.dll
set filelist=%filelist% schmmgmt.dll tapisnap.dll tsuserex.dll vsstskex.dll
set filelist=%filelist% w95inf16.dll w95inf32.dll winsevnt.dll winsmon.dll
set filelist=%filelist% winsrpc.dll winssnap.dll ws03res.dll

for %%i in (%filelist%) do (
 echo Registering %%i ...
 regsvr32 /s %%i 
)

echo.
echo Command Completed
&lt;/textarea&gt;&lt;/li&gt;
&lt;li&gt;Run the script as administrator and you're set&lt;/li&gt;
&lt;/ol&gt;

&lt;h3&gt;External Links&lt;/h3&gt;
&lt;a href="http://support.microsoft.com/kb/930056"&gt;http://support.microsoft.com/kb/930056&lt;/a&gt; - KB article about this subject.  Gives you more specifics than I go into.  &lt;br/&gt;
&lt;a href="http://www.microsoft.com/downloads/details.aspx?familyid=e487f885-f0c7-436a-a392-25793a25bad7&amp;displaylang=en"&gt;http://www.microsoft.com/downloads/details.aspx?familyid=e487f885-f0c7-436a-a392-25793a25bad7&amp;displaylang=en&lt;/a&gt; - Server 2003 SP1 Admin Pack</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5702491182567675357/posts/default/8446984628868469350'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5702491182567675357/posts/default/8446984628868469350'/><link rel='alternate' type='text/html' href='http://www.markmmanning.com/blog/2008/08/using-windows-server-2003-admin-pack-on.html' title='Using Windows Server 2003 Admin Pack on Vista'/><author><name>Mark M Manning</name><uri>http://www.blogger.com/profile/12712393285540348766</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-5702491182567675357.post-1471897158968843074</id><published>2008-08-20T03:00:00.002-04:00</published><updated>2008-08-20T15:13:25.450-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Tor'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='Roger Dingledine'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>Defcon XVI - Tor Part 1</title><content type='html'>&lt;p &gt;I was kind of excited about this years Tor talks because it was almost skipping over the details of what is Tor and going strait to some more advanced subjects.  Roger Dingledine made a great presentation about the vulnerabilities of Tor where he went through each major security bug that was ever discovered.  
He is very honest about some of the future attacks like Latency Tables, SSL Website Fingerprinting, automatic control port authentication problems, attackers buying old certificate authorities so that SSL MITM attacks would be available anytime, and even how governments are starting to make laws forcing Tor admins to have an real time access to current Tor nodes. 
&lt;/p&gt;
  &lt;h3&gt;Latency Tables&lt;/h3&gt;
  &lt;p&gt;This was actually pretty interesting to me.  Roger made a comment about how an attack would be easier if the attacker had access to a latency table that kept track of the latency between any two points on a global scale.
This is a theoretical attack, as no one has been able to do this effectively.  &lt;/p&gt;
  &lt;h3&gt;SSL Website Fingerprinting&lt;/h3&gt;
  &lt;p&gt;This is the theory that it would be possible to document the size of an SSL-encrypted web site request so that, although an attacker cannot see the data going over the connection, it is possible to see what website the user is visiting.  It could even be taken one step further, where the table holds not only the initial website size but the first page, and then the redirected page after login.  For instance, if someone visits their bank, they first get an initial login, then a secondary authentication screen, and finally their actual online banking information.  Each of those pages has a size that, when put together, makes a pretty unusual fingerprint.
If you tie this together with Mike Perry's SSL cookie exploit, one can imagine a situation where an attacker finds the website the user is visiting, injects an &amp;lt;img src="http://www.visitedwebsite.com"&amp;gt; so that the cookie is sent in clear text, and then a session hijack occurs. &lt;/p&gt;
  &lt;h3&gt;Automatic Control Port Authentication&lt;/h3&gt;
  &lt;p&gt;An issue has been addressed that showed how an attacker could gain control of a Tor client's control port (which is what's used to generate tunnels), thereby granting the ability to redirect the tunnel or do something even more malicious.  The workaround for this was to require authentication, done either by a password or by a session cookie.  Clients like Vidalia now support the authentication mechanism, but the open problem is how authentication is done at boot time when a user installs Tor as a Windows service.  Roger didn't have an answer to this issue yet, besides that it was currently being worked on.
&lt;/p&gt;
  &lt;h3&gt;Purchasing Old CAs&lt;/h3&gt;
  &lt;p&gt;If you look in Firefox or IE or Opera or whatever, you'll see a pretty long list of pre-trusted certificate authorities that come when you install the browser.  These are some of the most popular ones that have been trusted for years and ship with the browser itself.  It just so happens that a lot of these CAs are not even in business anymore, but they're still in the browsers in case someone has purchased a certificate that extends through 2020.  So what?  Well, the issue is what happens if an attacker purchased one of those old CAs: if they wanted to do a MITM attack on SSL, they could, and the browser would have no problem with it.  There was even a comment about how China is interested in purchasing one to help out with deep packet inspection, even on SSL connections.  &lt;/p&gt;
  &lt;h3&gt;Governments and Law Enforcement&lt;/h3&gt;
  &lt;p&gt;The last big issue that I thought was interesting to bring up was how some governments (see &lt;a href="http://www.kreativrauschen.com/blog/2007/11/09/german-bundestag-decides-to-implement-data-retention/"&gt;Germany&lt;/a&gt; and &lt;a href="http://en.wikipedia.org/wiki/Data_retention"&gt;others&lt;/a&gt;) are pressuring Tor to provide "real time access to law enforcement," whatever real time and law enforcement really end up meaning. Roger makes the point that if it becomes this hard and this illegal, it may not be possible to run a Tor server in that country, and it may be difficult to do so in the future. &lt;/p&gt;
&lt;h3&gt;External Links&lt;/h3&gt;
&lt;a href="http://www.torproject.org"&gt;http://www.torproject.org&lt;/a&gt; - Tor Project Website &lt;br/&gt;
&lt;a href="http://www.kreativrauschen.com/blog/2007/11/09/german-bundestag-decides-to-implement-data-retention/"&gt;http://www.kreativrauschen.com/blog/2007/11/09/german-bundestag-decides-to-implement-data-retention/&lt;/a&gt; - Blog about the new German data retention logs&lt;br/&gt;
&lt;a href="http://en.wikipedia.org/wiki/Data_retention"&gt;http://en.wikipedia.org /wiki/Data_retention&lt;/a&gt; - Wikipedia entry about data retention laws in other countries &lt;br/&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5702491182567675357/posts/default/1471897158968843074'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5702491182567675357/posts/default/1471897158968843074'/><link rel='alternate' type='text/html' href='http://www.markmmanning.com/blog/2008/08/i-was-kind-of-excited-about-this-years.html' title='Defcon XVI - Tor Part 1'/><author><name>Mark M Manning</name><uri>http://www.blogger.com/profile/12712393285540348766</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-5702491182567675357.post-3198943368041349128</id><published>2008-08-16T19:50:00.004-04:00</published><updated>2008-08-16T19:55:19.003-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='side jacking'/><category scheme='http://www.blogger.com/atom/ns#' term='Ashley Schwartau'/><category scheme='http://www.blogger.com/atom/ns#' term='Defcon XVI'/><category scheme='http://www.blogger.com/atom/ns#' term='Defcon 16'/><category scheme='http://www.blogger.com/atom/ns#' term='Intel Guardians'/><category scheme='http://www.blogger.com/atom/ns#' term='Mike Perry'/><category scheme='http://www.blogger.com/atom/ns#' term='GMail'/><category scheme='http://www.blogger.com/atom/ns#' term='war driving'/><category scheme='http://www.blogger.com/atom/ns#' term='session hijacking'/><category scheme='http://www.blogger.com/atom/ns#' term='Tor'/><category scheme='http://www.blogger.com/atom/ns#' term='Hackers Are People Too'/><category scheme='http://www.blogger.com/atom/ns#' term='Defcon'/><category scheme='http://www.blogger.com/atom/ns#' term='hackers'/><category scheme='http://www.blogger.com/atom/ns#' term='Roger Dingledine'/><title type='text'>Defcon XVI 
Overview</title><content type='html'>&lt;p  &gt;&lt;a href="2007/08/defcon-day-1-church-of-wifi.html"&gt;Last year&lt;/a&gt; was my first year at Defcon so I was sucking up as much information as possible but generally I just went to the talks and then back to the room to play with the things that I had learned.  I didn't get into the social scene very much.&lt;/p&gt;
    
    &lt;p&gt;This year I still attended a ton of the talks, but instead of taking time to go back to the room and play, my friends and I made more of an effort to get into the Defcon social scene.&lt;/p&gt;
  
  &lt;h3&gt;Overall Experience&lt;/h3&gt;
  &lt;p&gt;Just like last year I had a blast, but I think even more so this year because of some of the people we met. I've seen some posts complaining about the situation at Defcon, about how it was too crowded and they missed some talks because of this. It sounds to me like a lot of people have gone to things like Microsoft events, where you stand around some muffins and coffee and then sit through 2 hours of talks. Defcon hacks the conservative convention idea and takes into account the number of hackers that have ADD. They offer 5 tracks of talks at the same time, lock-picking training, a wireless village, general hangouts, and more. Then when the talks are all done, there are parties all over the city. It's not a cup-of-coffee, stand-in-line, polite-conversation kind of gathering but rather a Red Bull and vodka, bum-rush, punch-in-the-face cluster of people from all over the world meeting to show solidarity in the hacker community. At least that's my ideal perspective of what Defcon should be; it may be growing in a different direction.&lt;/p&gt;
  
  &lt;p &gt;List of talks I attended:&lt;/p&gt;
&lt;ul&gt; &lt;li&gt; Welcome by DT &amp;amp; Making the DEFCON 16 Badge with Joe "Kingpin" Grand&lt;/li&gt;
  &lt;li&gt;Clinton Wong - Web Privacy &amp;amp; Flash Local Shared Objects.&lt;/li&gt;
  &lt;li&gt;Roger Dingledine -Security and anonymity vulnerabilities in Tor: past, present, and future&lt;/li&gt;
  &lt;li&gt;Robert Ricks -New Tool for SQL Injection with DNS Exfiltration.&lt;/li&gt;
  &lt;li&gt;Magnus Bråding -Generic, Decentralized, Unstoppable Anonymity: The Phantom Protocol.&lt;/li&gt;
  &lt;li&gt;Eric Schmiedl -Advanced Physical Attacks: Going Beyond Social Engineering and Dumpster Diving Or, Techniques of Industrial Espionage&lt;/li&gt;
  &lt;li&gt;Fyodor -NMAP-Scanning the Internet.&lt;/li&gt;
  &lt;li&gt;Matt Yoder-Death Envelope: Medieval Solution to a 21st Century Problem.&lt;/li&gt;
  &lt;li&gt;John Fitzpatrick -Virtually Hacking.&lt;/li&gt;
  &lt;li&gt;Nathan Evans -De-TOR-iorate Anonymity&lt;/li&gt;
  &lt;li&gt;Movie Night With DT: Premiere of "Hackers Are People Too&lt;/li&gt;
  &lt;li&gt;Cameron Hotchkies-Under the iHood.&lt;/li&gt;
  &lt;li&gt;Jay Beale-Owning the Users with Agent in the Middle. &lt;/li&gt;
  &lt;li&gt;Luciano Bello &amp;amp; Maximiliano Bertacchini-Predictable RNG in the Vulnerable Debian OpenSSL Package, the What and the How. &lt;/li&gt;
  &lt;li&gt;Panel: All your Sploits (and Servers) are belong to us. &lt;/li&gt;
  &lt;li&gt;Mike Perry-365-Day:Active https cookie hijacking. &lt;/li&gt;
  &lt;li&gt;Tony Howlett-The death of Cash: The Loss of anonymity &amp;amp; other danger of the cash free society. &lt;/li&gt;
  &lt;li&gt;Ryan Trost-Evade IDS/IPS Systems using Geospatial Threat Detection. &lt;/li&gt;
  &lt;li&gt;Rick Hill-War Ballooning-Kismet Wireless "Eye in the Sky" &lt;/li&gt;
  &lt;li&gt;Jay Beale-They're Hacking Our Clients! Introducing Free Client-side Intrusion Prevention. &lt;/li&gt;
  &lt;li&gt;DAVIX Visualization Workshop&lt;/li&gt;
  &lt;li&gt;Stealing the Internet&lt;/li&gt;&lt;/ul&gt;
  
&lt;h3&gt;Tor&lt;/h3&gt;
  &lt;p &gt;I've been following Tor for a while now so it was interesting to go to the two Tor specific talks – both about vulnerabilities in Tor. Roger Dingledine presented a general overview of past, present, and future vulnerabilities in the Tor network and Nathan Evans went over a specific vulnerability which allowed an attacker to find out all nodes in a circuit. Both talks were interesting and I'm going to go into much more detail in future blog entries. &lt;/p&gt;
  
  &lt;h3&gt;Sidejacking Redux&lt;/h3&gt;
  &lt;p&gt;Last year, the concept of sidejacking was in its infancy. Sidejacking, or session hijacking, is when an attacker who can see or intercept a user's traffic steals the session cookie of something the user is logged into. For instance, with this attack an attacker could steal the cookies used to authenticate a person's Gmail account, which would grant the attacker access to Gmail and all other Google services for as long as that session was valid. This year Jay Beale of the company Intel Guardians released a tool called &lt;a href="http://www.intelguardians.com/themiddler.html"&gt;“The Middler”&lt;/a&gt; which automates this process, and &lt;a href="http://fscked.org"&gt;Mike Perry&lt;/a&gt; of Riverbed and the Tor Project pointed out a flaw in the way that some companies have tried to protect users from this exploit. &lt;/p&gt;
  
  &lt;p&gt;Since last year, services like Gmail have offered SSL encryption to protect from this attack, but they didn't force users to use SSL, which led to Mike Perry's talk. He pointed out an attack on Gmail where, even though the user was using an SSL connection, the session cookie could still be transmitted in clear text, allowing a session hijack. The attacker sits in the middle of the user's traffic, &lt;a href="http://fscked.org/projects/cookiemonster"&gt;uses a tool&lt;/a&gt; to check which online services the user is logged into, injects into any plaintext page a piece of HTML that points at the non-SSL version of that service, and the browser obligingly sends the session cookie over plain HTTP when it fetches it. Once the cookie is captured, the session is hijacked. He even pointed out a simple fix, which he has told Gmail and Yahoo about: set the Secure flag on the cookie so the browser will only ever send it over SSL. &lt;/p&gt;
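  &lt;p&gt;The downgrade Mike Perry described comes down to one cookie attribute, so here is an added example of the mechanics; it is not code from his talk or from the CookieMonster tool. It uses Python's http.cookiejar as a stand-in for a browser's cookie store: the host name, cookie name and value are constructed for the demonstration, and the "weak" Set-Cookie header stands for what a provider that offered SSL without the Secure flag was sending.&lt;/p&gt;

```python
"""Why a session cookie set over HTTPS still leaks when a page is downgraded.

Added example for the CookieMonster-style attack described above.  It is not
code from the talk or the tool; it uses Python's http.cookiejar as a stand-in
for a browser's cookie store, and the host name, cookie name and value are
constructed for the demonstration.
"""
import email.message
import http.cookiejar
import urllib.request

LOGIN_URL = "https://mail.example.com/"   # constructed: where the cookie was set
PLAIN_URL = "http://mail.example.com/"    # constructed: the non-SSL reference the
                                          # attacker injects into any plaintext page
                                          # (an img tag with this src is enough)


class _FakeResponse:
    """Just enough of an HTTP response for CookieJar.extract_cookies(): the
    jar only calls response.info().get_all("Set-Cookie", [])."""

    def __init__(self, set_cookie_values):
        self._headers = email.message.Message()
        for value in set_cookie_values:
            self._headers["Set-Cookie"] = value

    def info(self):
        return self._headers


def cookie_header_sent(set_cookie_values, set_at_url, request_url):
    """Return the Cookie header the browser would attach to request_url after
    the server at set_at_url answered with the given Set-Cookie headers.
    An empty string means the cookie stays home."""
    jar = http.cookiejar.CookieJar()
    jar.extract_cookies(_FakeResponse(set_cookie_values),
                        urllib.request.Request(set_at_url))
    request = urllib.request.Request(request_url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie", "")


# Weak: set over TLS, HttpOnly even, but nothing forbids plaintext delivery.
WEAK_SET_COOKIE = ["SID=s3ss10n-t0k3n; Path=/; HttpOnly"]
# Fixed: the Secure attribute is the "bit" the talk asked providers to set.
FIXED_SET_COOKIE = ["SID=s3ss10n-t0k3n; Path=/; Secure; HttpOnly"]


def leaks_to_plaintext(set_cookie_values):
    """True if the injected http:// reference would carry the session cookie."""
    return cookie_header_sent(set_cookie_values, LOGIN_URL, PLAIN_URL) != ""


if __name__ == "__main__":
    for label, headers in (("weak ", WEAK_SET_COOKIE), ("fixed", FIXED_SET_COOKIE)):
        print(label, "-> http://  sends:",
              repr(cookie_header_sent(headers, LOGIN_URL, PLAIN_URL)))
        print(label, "-> https:// sends:",
              repr(cookie_header_sent(headers, LOGIN_URL, LOGIN_URL)))
```

  &lt;p&gt;Run it and the weak cookie shows up on the http:// request while the fixed one is only attached to the https:// request. HttpOnly is on both headers on purpose: it stops script from reading the cookie but has nothing to do with which connections carry it, which is why it did not help here.&lt;/p&gt;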
  
  &lt;h3&gt;War-Ballooning&lt;/h3&gt;
  &lt;p&gt;One of the most fun talks that I attended was Rick Hill's War-Ballooning demonstration. They were planning on doing a live demo from the roof of the Riviera but at the last minute some authorities decided to stop them. War-Ballooning was a development of last year's idea of War-Rocketing, which shot a rocket into the air and then searched for wireless signals while it parachuted to the ground. This year they took a professional balloon of the kind photographers use for aerial shots, attached a cooler filled with various wireless gear, and configured an orbital webcam that controlled which direction the yagi antenna was pointing. Instead of the live demo, they showed a video of the demonstration recorded the day before in a park five miles out of town. For added drama, they used Kismet's feature to read wireless networks out loud as it found them. They had the balloon up for ten minutes and found over 300 wireless signals within a 7 mile radius. 30% of those were unsecured. &lt;/p&gt;

&lt;h3&gt;Hackers Are People Too - Ashley Schwartau&lt;/h3&gt;
And how could I forget to add something about my acting debut in the documentary Hackers Are People Too, which premiered at Defcon XVI. Well ok, maybe I was on the screen for less than 2 seconds and I wasn't quoted as saying anything, but hey, to be in a hacker documentary was really cool. Ashley even recognized me when I came up to her vendor booth. But enough of my vanity; the documentary was so cool and people really should pick it up to show to their friends and family and get the scary idea of what hackers are out of their heads. 

&lt;h3&gt;External Links&lt;/h3&gt;
&lt;a href="http://www.hackersarepeopletoo.com"&gt;http://www.hackersarepeopletoo.com&lt;/a&gt; - link to the Hackers Are People Too official website (BUY BUY BUY!!!)&lt;br/&gt;
&lt;a href="http://fscked.org/"&gt;http://fscked.org/&lt;/a&gt; - Mike Perry's website &lt;br/&gt;
&lt;a href="http://www.defcon.org"&gt;http://www.defcon.org&lt;/a&gt;-Defcon&lt;br/&gt;
&lt;a href="http://www.intelguardians.com/"&gt;http://www.intelguardians.com/&lt;/a&gt; - Intel Guardians will soon be releasing "The Middler"&lt;br/&gt;s</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5702491182567675357/posts/default/3198943368041349128'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5702491182567675357/posts/default/3198943368041349128'/><link rel='alternate' type='text/html' href='http://www.markmmanning.com/blog/2008/08/defcon-xvi-overview.html' title='Defcon XVI Overview'/><author><name>Mark M Manning</name><uri>http://www.blogger.com/profile/12712393285540348766</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-5702491182567675357.post-7761940882449972286</id><published>2008-08-08T10:42:00.003-04:00</published><updated>2008-08-08T11:07:43.898-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Defcon XVI'/><category scheme='http://www.blogger.com/atom/ns#' term='Defcon 16'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='EFF'/><category scheme='http://www.blogger.com/atom/ns#' term='ethical hackers'/><category scheme='http://www.blogger.com/atom/ns#' term='hackers'/><category scheme='http://www.blogger.com/atom/ns#' term='Defcon'/><title type='text'>Defcon XVI - Day 0</title><content type='html'>&lt;p&gt;I arrived Thursday morning to Las Vegas in an attempt to do some of the pre-Defcon social events this year.  We posted our room availability on the Defcon forums and picked up two roomates to help with the costs; Riot and Matt. &lt;/p&gt;

&lt;p&gt;I reserved the "deluxe" room at the Riviera which, although nicer, doesn't have any more space than the non-deluxe. It does look much more romantic, but filling it with 4 guys takes care of that feeling pretty quickly.  &lt;/p&gt;

&lt;p&gt;Badges this year include an IR port, an SD slot, and supposedly a way to shut off all TV's in a certain radius, and a transmit mode that may allow you to talk to other badges as you walk around the floor. &lt;/p&gt;

&lt;h3&gt;Ethical Hackers&lt;/h3&gt;
&lt;a href="http://www.ethicalhackers.net"&gt;Ethical Hackers&lt;/a&gt; was doing a get together at Hofbrauhaus, a German brew house at 8:00pm.  Dan who runs the site was putting it all together and had a $500 tab for us to use.  The whole event was a lot of fun and had a lot of interesting people.  Timmy of &lt;a href="http://www.redrocksec.com"&gt;Red Rock Security&lt;/a&gt;, Brian of Cisco, Ed of &lt;a href="http://www.intelguardians.com"&gt;Intel Guardians&lt;/a&gt;, David an extreme baby sitter, Collin of &lt;a href="http://www.trainingcamp.com"&gt;Training Camp&lt;/a&gt;, Mike the Military Vet, Naps, and a bunch of others of whom I may have forgotten their names.  Check out &lt;a href="http://www.chicagocon.com/"&gt;ChicagoCon&lt;/a&gt; for anyone that will be in the area.  Sounds like a very worthwhile event. I think the whole get together was a success.  

&lt;h3&gt;EFF Summit&lt;/h3&gt;
We also grabbed a few of the guys to make it back to the EFF Summit at the top of the Monaco tower back at the Riviera.  Donations were $40 to get in and included a one year membership.  Once the sound system was working at around 10:30 or 11:00, some of the EFF guys went up to talk about some of the cases that were won and some of the good things that the EFF does.  I think it was kind of preaching to the choir but the event went pretty well.

&lt;h3&gt;External Links&lt;/h3&gt;
&lt;a href="http://www.ethicalhackers.net"&gt;http://www.ethicalhackers.net&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://www.redrocksec.com"&gt;Red Rock Security&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://www.chicagocon.com/"&gt;ChicagoCon&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://www.intelguardians.com"&gt;Intel Guardians&lt;/a&gt;&lt;/br&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5702491182567675357/posts/default/7761940882449972286'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5702491182567675357/posts/default/7761940882449972286'/><link rel='alternate' type='text/html' href='http://www.markmmanning.com/blog/2008/08/defcon-xvi-day-0.html' title='Defcon XVI - Day 0'/><author><name>Mark M Manning</name><uri>http://www.blogger.com/profile/12712393285540348766</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-5702491182567675357.post-5985309261234878862</id><published>2008-08-06T17:22:00.003-04:00</published><updated>2008-08-12T15:54:02.447-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='remote desktop'/><category scheme='http://www.blogger.com/atom/ns#' term='rdesktop'/><category scheme='http://www.blogger.com/atom/ns#' term='terminal services'/><category scheme='http://www.blogger.com/atom/ns#' term='windows server 2003'/><category scheme='http://www.blogger.com/atom/ns#' term='SeamlessRDP'/><category scheme='http://www.blogger.com/atom/ns#' term='Ubuntu'/><title type='text'>Running Windows Programs in Ubuntu with SeamlessRDP</title><content type='html'>&lt;p&gt;While looking for what's happening at this years Defcon that I'll be attending, I stumbled across a blog entry from &lt;a href="http://blog.ncircle.com/"&gt;360 Security&lt;/a&gt; talking about SeamlessRDP.  After seeing how easy it is to setup and use, I don't know why I haven't heard more about it.  But that's probably because I've never really looked into running Windows apps in Ubuntu.&lt;/P&gt;

&lt;h3&gt;What is SeamlessRDP&lt;/h3&gt;
&lt;p&gt;SeamlessRDP is an extension for remote desktop/terminal servers that allows a single application to be remoted into instead of the entire computer.  In my scenario, I have an Ubuntu system and I run a virtual Windows XP in the background.  I install SeamlessRDP onto the Windows VM and I can now run individual applications without messing around with the VM itself.  &lt;/p&gt;

&lt;p&gt;The company Cendio created SeamlessRDP when they were trying to get their own products to work with rdesktop.  They realized that it could be of use to others in the community and released it under the GPL.&lt;/p&gt;

&lt;h3&gt;How to&lt;/h3&gt;
&lt;p&gt;It's extremely easy to set up:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;On the remote desktop server, download &lt;a href="http://www.cendio.com/files/thinlinc/seamlessrdp/seamlessrdp.zip"&gt;SeamlessRDP binary file&lt;/a&gt;.&lt;/li&gt;
&lt;li&gt;Extract it to an easy to use location like C:\seamlessrdp&lt;/li&gt;
&lt;li&gt;On the client, make sure you have at least version 1.5 of rdesktop installed (Hardy is all set).  Download it from &lt;a href="http://www.rdesktop.org/"&gt;here&lt;/a&gt; if you need&lt;/li&gt;
&lt;li&gt;Now you're ready to use it. Here's an example of running Word 2007 (-A turns on SeamlessRDP mode, -s names the program the seamless shell should launch):
&lt;textarea cols="100" rows="2"&gt;
rdesktop -A -s "c:\seamlessrdp\seamlessrdpshell.exe c:\program files\microsoft office\office12\winword.exe" 192.168.1.5:3389 -u administrator -p -
&lt;/textarea&gt;&lt;br/&gt;
Running Internet Explorer:
&lt;textarea cols="100" rows="2"&gt;
rdesktop -A -s "c:\seamlessrdp\seamlessrdpshell.exe c:\program files\internet explorer\iexplore.exe" 192.168.1.5:3389 -u administrator -p -
&lt;/textarea&gt;&lt;br/&gt;
Note that seamlessrdpshell.exe is referenced from the folder you extracted it to in step 2. The "-p -" makes rdesktop prompt for the password; you can put the password itself after -p, but then it sits in your shell history and in the process list for anyone on the client to read.
&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;I admit, I haven't done any research into other products or alternatives that may work better, so let me know if you find anything&lt;/p&gt;

&lt;h3&gt;External Links&lt;/h3&gt;
&lt;a href="http://www.cendio.com/seamlessrdp/"&gt;http://www.cendio.com/seamlessrdp/&lt;/a&gt; - Cendio's page about seamless RDP&lt;br/&gt;
&lt;a href="http://www.rdesktop.org/"&gt;http://www.rdesktop.org/&lt;/a&gt; - rdesktop.org for the client &lt;br/&gt;
&lt;a href="http://blog.ncircle.com/"&gt;http://blog.ncircle.com/&lt;/a&gt; - where I originally found the post&lt;/br&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5702491182567675357/posts/default/5985309261234878862'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5702491182567675357/posts/default/5985309261234878862'/><link rel='alternate' type='text/html' href='http://www.markmmanning.com/blog/2008/08/running-windows-programs-in-ubuntu-with.html' title='Running Windows Programs in Ubuntu with SeamlessRDP'/><author><name>Mark M Manning</name><uri>http://www.blogger.com/profile/12712393285540348766</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-5702491182567675357.post-5941705682137314862</id><published>2008-08-04T17:00:00.001-04:00</published><updated>2008-08-04T17:00:01.555-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='active directory'/><category scheme='http://www.blogger.com/atom/ns#' term='system administration'/><category scheme='http://www.blogger.com/atom/ns#' term='group policy'/><category scheme='http://www.blogger.com/atom/ns#' term='windows server 2003'/><title type='text'>Precreating Computers In Active Directory</title><content type='html'>&lt;p&gt;This is a simple one that goes back to a conversation I had with a consultant.  We were talking about adding a computer to a domain and then moving the computer to the designated OU that was dedicated to that site.  I made the comment that it might be even better to precreate the computer account in the appropriate OU and then you don't need to bug a domain administrator to do the moving around.  His reply was something like "Yea I haven't had good luck with that." That's one of my favorite reasons for technical problems.  It's kind of like saying, I tried it once, it didn't work, so it must be broken.  &lt;p&gt;

&lt;h3&gt;Why Do This?&lt;/h3&gt;
&lt;p&gt;Anyway, the real reason you would want to do this is if you have a team of IT staff where a few have domain administrator rights but most of them are just local admins on the workstations to provide support and install software.  Adding a computer to the domain would be a normal task for this kind of support staff.&lt;/p&gt;

&lt;h3&gt;Problem&lt;/h3&gt;
&lt;p&gt;So you have a brand new computer that you want to add to your network.  You assign one of the non domain admins to install the necessary software and join it to the domain.  When he adds it to the domain, the computer is dumped into the default "Computers" container in AD, where the appropriate group policies and delegated access are NOT applied (that container is not an OU, so you can't even link a GPO to it). You want the new computer to go into a separate OU, but you don't want to grant the user access to move or manipulate Active Directory AND you want to delegate the entire process to the admins so that you don't need to be involved in the specifics.  So what do you do?&lt;/p&gt;

&lt;h3&gt;Solution&lt;/h3&gt;
&lt;p&gt;If you precreate the computer account in the appropriate OU in Active Directory, then when that computer is joined to the domain it will pick up the group policies and permissions that it needs.  As a domain admin you can precreate the computer account yourself, but you'd rather delegate that to the IT support team.  Here's how you do it:&lt;/p&gt;

&lt;h3&gt;Delegate Control To Non-Domain Admins&lt;/h3&gt;
&lt;ol&gt;
&lt;li&gt;Open Active Directory Users and Computers&lt;/li&gt;
&lt;li&gt;Right click on the OU and then click All Tasks&gt;Delegate Control&lt;/li&gt;
&lt;li&gt;Click Add and put in the appropriate user or group (IT Admins)&lt;/li&gt;
&lt;li&gt;Click "create a custom task to delegate"&lt;/li&gt;
&lt;li&gt;Click "only the following objects in this folder"&lt;/li&gt;
&lt;li&gt;Check Computer Objects&lt;/li&gt;
&lt;li&gt;Check "Create selected objects in this folder"&lt;/li&gt;
&lt;li&gt;Under "Show these permissions" uncheck everything and click "Next"&lt;/li&gt;
&lt;/ol&gt;
You've now granted non-admins access to create computers inside of that OU. 

&lt;h3&gt;Pre-Create New Computer &lt;/h3&gt;
These are the tasks for the non-admin to perform using the Server 2003 Admin Pack
&lt;ol&gt;&lt;li&gt;In Active Directory Users and Computers, right click the target OU the computer should go to and choose New&gt;Computer&lt;/li&gt;
&lt;li&gt;Name the computer&lt;/li&gt;
&lt;li&gt;&lt;b&gt;Under "The following user or group can join this computer to the domain" choose a group that has appropriate access, like "IT Admins", or "Domain Users" to allow anyone to do it.  &lt;/b&gt;&lt;br/&gt; This is the step that is usually missed.  If you don't do this, then by default Domain Admins are the only ones that can join a machine to this precreated account. &lt;/li&gt;
&lt;li&gt;Click Next&lt;/li&gt;
&lt;/ol&gt;
Now on the client you go through the normal process of adding the computer to the domain.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5702491182567675357/posts/default/5941705682137314862'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5702491182567675357/posts/default/5941705682137314862'/><link rel='alternate' type='text/html' href='http://www.markmmanning.com/blog/2008/08/precreating-computers-in-active.html' title='Precreating Computers In Active Directory'/><author><name>Mark M Manning</name><uri>http://www.blogger.com/profile/12712393285540348766</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-5702491182567675357.post-4790098453476385256</id><published>2008-07-25T11:12:00.006-04:00</published><updated>2008-07-25T11:54:55.669-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='active directory'/><category scheme='http://www.blogger.com/atom/ns#' term='migration'/><category scheme='http://www.blogger.com/atom/ns#' term='SID filtering'/><category scheme='http://www.blogger.com/atom/ns#' term='ADMT'/><category scheme='http://www.blogger.com/atom/ns#' term='SID history'/><title type='text'>Enable SID History / Disable SID Filtering</title><content type='html'>&lt;p&gt;I've been getting a lot of experience with the Active Directory Migration Tools [ADMT] but it seems like I always have a problem with using SID history between domains.  This is more of a reminder for myself how to get SID History to work. &lt;/p&gt;

&lt;h3&gt;What is SID History&lt;/h3&gt;
&lt;p&gt;SID History is an attribute of an Active Directory object that stores an old Security IDentifier (SID), most commonly used during a migration.  So you have an old domain, you move to a new domain, and the user's new account maintains access to all of their old files and folders.  This saves the hassle of having to re-permission network shares, folder access, applications, etc.  In order to use SID History across domains you must disable SID Filtering (or enable SID History, depending on the trust type) on the trust between the domains. &lt;/p&gt;

&lt;p&gt;Which switch you need depends on the trust type.  On a forest trust, SID History is enabled with the /enablesidhistory switch:&lt;/p&gt;
&lt;textarea cols="75" rows="2"&gt;
Netdom trust TrustingDomainName /domain:TrustedDomainName /enablesidhistory:Yes /userD:domainadministratorAcct /passwordD:domainadminpwd
&lt;/textarea&gt;

&lt;h3&gt;What is SID Filtering&lt;/h3&gt;
&lt;p&gt;The nemesis of SID History is SID Filtering.  This is a security measure, on by default, that protects your new environment from attackers who may have broken into the old domain.  Without it, anyone with control of the old domain can put any SID from your new domain, Domain Admins included, into a SID History attribute and have it honored across the trust.  You may think no one is going to get into the old domain, but in just about every migration I've done the original domain is left up and running and then everything in it gets a low priority: patches, access control management and event log review all become secondary because no one is on it any more, and it turns into a fairly large new attack vector.  While it makes sense to leave the old environment up and running, it still needs the same care it has always needed. &lt;/p&gt;

&lt;p&gt;So that's why SID Filtering is good, but unfortunately it completely blocks the use of SID History, which is very important during a migration.  The command below disables SID Filtering (quarantine) on an external trust.  Once the migration is finished, turn it back on with /quarantine:Yes.&lt;/p&gt;
&lt;textarea cols="75" rows="2"&gt;
Netdom trust TrustingDomainName /domain:TrustedDomainName /quarantine:No /userD:domainadministratorAcct /passwordD:domainadminpwd
&lt;/textarea&gt;


&lt;h3&gt;External Links&lt;/h3&gt;
&lt;a href="http://technet2.microsoft.com/windowsserver/en/library/52b395b4-0313-47d8-87d4-fb1dd4d5c4701033.mspx?mfr=true"&gt;http://technet2.microsoft.com/windowsserver/en/library/52b395b4-0313-47d8-87d4-fb1dd4d5c4701033.mspx?mfr=true&lt;/a&gt; - Technet article about disabling SID filtering &lt;br/&gt;
&lt;a href="http://technet2.microsoft.com/windowsserver/en/library/31915de7-ff58-4f26-a8ec-450ffca759121033.mspx?mfr=true"&gt;http://technet2.microsoft.com/windowsserver/en/library/31915de7-ff58-4f26-a8ec-450ffca759121033.mspx?mfr=true&lt;/a&gt; - Technet article about external trusts</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5702491182567675357/posts/default/4790098453476385256'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5702491182567675357/posts/default/4790098453476385256'/><link rel='alternate' type='text/html' href='http://www.markmmanning.com/blog/2008/07/enable-sid-history-disable-sid.html' title='Enable SID History / Disable SID Filtering'/><author><name>Mark M Manning</name><uri>http://www.blogger.com/profile/12712393285540348766</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-5702491182567675357.post-6935924034558274222</id><published>2008-07-21T20:22:00.003-04:00</published><updated>2008-07-31T21:11:50.538-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='lol'/><category scheme='http://www.blogger.com/atom/ns#' term='grub'/><category scheme='http://www.blogger.com/atom/ns#' term='Linux'/><category scheme='http://www.blogger.com/atom/ns#' term='encryption'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='Ubuntu'/><title type='text'>Password Protect Grub</title><content type='html'>&lt;p&gt;This weekend, my company threw their annual trip to the mountains which 
included a team building scavenger hunt through the small town community, 
a boat trip to the lake, and some after hour pranks.  One such prank involved 
a picture being taken of my friend in an unfortunate position while he was sleeping downstairs.  He had 
left his laptop on the table and we agreed that it would be perfect to 
surprise him by changing the desktop background of his computer to the photo we took that night.  
At 4am I wasn't interested in live CD's or slaving hard drives but luckily I was 
able to boot into his Ubuntu partition in minutes with root access.&lt;/p&gt;  

&lt;p&gt;And why am I telling you this? Because the reason I was able to access 
it so easily was that Grub was not password protected, and I booted it into 
recovery mode, which gave me root access to his entire hard drive.  Although I 
thought it was hilarious, it was a good reminder to always lock it down.  So this is how to password 
protect some or all of the entries in Grub.&lt;/p&gt;

&lt;h3&gt;Password Protect Grub Entries&lt;/h3&gt;
&lt;p&gt;This shows you how to password protect individual Grub entries&lt;/p&gt;
&lt;ol&gt;&lt;li&gt;Generate your Grub password with the following command&lt;/li&gt;
&lt;textarea rows="4" cols="75"&gt;
&gt; grub-md5-crypt 
Password: 
Retype password: 
$1$Yozqb$OIKAYGPKQJfi2U9y/yDG30
&lt;/textarea&gt;
&lt;li&gt;Copy the last string because this is what you'll use inside the Grub configuration file&lt;/li&gt;
&lt;li&gt;Using your editor of choice, edit /boot/grub/menu.lst&lt;/li&gt;

&lt;li&gt;Find the part that shows the different boot options at the bottom of the 
page where you'll see something like this:&lt;/li&gt;
&lt;textarea rows="11" cols="75"&gt;
title           Ubuntu 8.04.1, kernel 2.6.22-14-generic
root            (hd0,0)
kernel          /boot/vmlinuz-2.6.22-14-generic root=UUID=43ad544e-1e1a-4511-99de-fc1c8a9fea7c ro quiet splash
initrd          /boot/initrd.img-2.6.22-14-generic
quiet

title           Ubuntu 8.04.1, kernel 2.6.22-14-generic (recovery mode)
root            (hd0,0)
kernel          /boot/vmlinuz-2.6.22-14-generic root=UUID=43ad544e-1e1a-4511-99de-fc1c8a9fea7c ro single
initrd          /boot/initrd.img-2.6.22-14-generic

&lt;/textarea&gt;&lt;br/&gt;
Booting the normal entries is not a concern, but the recovery mode entry (the one with "single" on the kernel line) hands over a root shell without asking for anything, so that is the one to protect.
&lt;li&gt;Edit the section for the recovery mode so that it looks like this&lt;/li&gt;
&lt;textarea rows="11" cols="75"&gt;
title           Ubuntu 8.04.1, kernel 2.6.22-14-generic
root            (hd0,0)
kernel          /boot/vmlinuz-2.6.22-14-generic root=UUID=43ad544e-1e1a-4511-99de-fc1c8a9fea7c ro quiet splash
initrd          /boot/initrd.img-2.6.22-14-generic
quiet

title           Ubuntu 8.04.1, kernel 2.6.22-14-generic (recovery mode)
root            (hd0,0)
kernel          /boot/vmlinuz-2.6.22-14-generic root=UUID=43ad544e-1e1a-4511-99de-fc1c8a9fea7c ro single
initrd          /boot/initrd.img-2.6.22-14-generic
password --md5 $1$Yozqb$OIKAYGPKQJfi2U9y/yDG30
&lt;/textarea&gt;&lt;br/&gt;
This will force a password if a user attempts to boot into recovery mode but
automatically boot into the default installation without one.  
&lt;li&gt;Save the menu.lst file and reboot to see if you were successful&lt;/li&gt;
&lt;/ol&gt;
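&lt;p&gt;The hash grub-md5-crypt prints is the standard Unix MD5-crypt ($1$) format, so you can generate the password line for menu.lst without the Grub tools at all. The Python below is an added example, not from the original post: it implements MD5-crypt with hashlib, checks a candidate the way Grub does at the prompt, and builds the "password --md5" line, including Grub's optional new-config-file argument. The function names and the sample password are this example's own.&lt;/p&gt;

```python
"""Generate and check GRUB legacy password hashes without grub-md5-crypt.

Added example, not from the original post.  GRUB legacy's `password --md5`
accepts the standard Unix MD5-crypt ($1$) format, which is what
grub-md5-crypt prints, so the hash can be produced with any MD5-crypt
implementation; this one follows the FreeBSD/glibc algorithm with hashlib.
The function names and the sample password are this example's own.
"""
import hashlib
import hmac
import secrets

_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
_MAGIC = b"$1$"


def _to64(value, count):
    """MD5-crypt's own base64 variant: least significant 6 bits first."""
    out = []
    for _ in range(count):
        out.append(_ITOA64[value % 64])
        value >>= 6
    return "".join(out)


def md5crypt(password, salt):
    """Return the $1$SALT$HASH string for password and salt (at most 8 chars)."""
    pw = password.encode("utf-8")
    salt = salt.split("$")[0][:8]          # stops at '$', at most 8 characters
    sb = salt.encode("ascii")

    ctx = hashlib.md5(pw + _MAGIC + sb)
    alternate = hashlib.md5(pw + sb + pw).digest()
    remaining = len(pw)
    while remaining > 0:                   # as many bytes of MD5(pw,salt,pw) as pw is long
        ctx.update(alternate[:min(16, remaining)])
        remaining -= 16
    bit = len(pw)
    while bit:                             # one byte per bit of len(pw): NUL or pw[0]
        ctx.update(b"\x00" if bit % 2 else pw[:1])
        bit >>= 1
    final = ctx.digest()

    for i in range(1000):                  # the deliberately slow stretching loop
        ctx1 = hashlib.md5()
        ctx1.update(pw if i % 2 else final)
        if i % 3:
            ctx1.update(sb)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i % 2 else pw)
        final = ctx1.digest()

    encoded = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        encoded += _to64(final[a] * 65536 + final[b] * 256 + final[c], 4)
    encoded += _to64(final[11], 2)
    return "$1$" + salt + "$" + encoded


def check_grub_password(candidate, stored_hash):
    """What GRUB does at the prompt: re-hash with the stored salt and compare."""
    salt = stored_hash.split("$")[2]
    return hmac.compare_digest(md5crypt(candidate, salt), stored_hash)


def grub_password_line(password, salt=None, menu_file=None):
    """Build the menu.lst line, global or per-entry.  menu_file is GRUB's
    optional new-config-file: the menu it loads once the password is entered."""
    if salt is None:
        salt = "".join(secrets.choice(_ITOA64) for _ in range(8))
    line = "password --md5 " + md5crypt(password, salt)
    if menu_file:
        line += " " + menu_file
    return line


if __name__ == "__main__":
    print(grub_password_line("topsecret"))
    print(grub_password_line("topsecret", menu_file="/boot/grub/menu-admin.lst"))
```

&lt;p&gt;Any other MD5-crypt implementation produces the same string for the same salt, which is a handy cross-check before you lock yourself out of the recovery entry: "openssl passwd -1 -salt Yozqb topsecret" or crypt(3) with the salt "$1$Yozqb$" must agree with md5crypt("topsecret", "Yozqb").&lt;/p&gt;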

&lt;h3&gt;Password Protect Editing Grub Entries&lt;/h3&gt;
&lt;p&gt;This is how to password protect all of Grub so that nobody can edit entries or run their own commands from the menu. 
This is the big one: without it an attacker doesn't even need the recovery entry, because they can press 'e' on any entry and
add init=/bin/sh to the kernel line, or drop to Grub's command line and print out your /etc/passwd and /etc/shadow.&lt;/p&gt;

&lt;ol&gt;&lt;li&gt;Edit the menu.lst file&lt;/li&gt;
&lt;li&gt;Find the section below, remove the '#', and replace the example hash with the Grub hash you created earlier.  Keep the --md5 switch: without it Grub treats whatever follows as a plaintext password, so the hash string itself would become the password.&lt;/li&gt; 
&lt;textarea rows="3" cols="75"&gt;
# e.g. password topsecret
      password --md5 $1$Yozqb$OIKAYGPKQJfi2U9y/yDG30 
# password topsecret
&lt;/textarea&gt;&lt;br/&gt;
&lt;li&gt;Go through each entry that you want to keep from being booted or edited without the password and add a line containing just the 
word "lock" directly after its title line&lt;/li&gt;

&lt;/ol&gt;

&lt;h3&gt;Load Alternative Menu On Password&lt;/h3&gt;
&lt;p&gt;This is a way of loading a separate boot menu when the user presses 'p'
and enters a password. &lt;/p&gt;
&lt;ol&gt; 
&lt;li&gt;Make a duplicate of menu.lst named menu-admin.lst.  This will
be the alternative menu&lt;/li&gt;

&lt;li&gt;In menu.lst, give the global password line the alternative menu as its last argument, for example
"password --md5 $1$Yozqb$OIKAYGPKQJfi2U9y/yDG30 /boot/grub/menu-admin.lst".  Grub loads that file as the
menu once the password is accepted.&lt;/li&gt;

&lt;li&gt;Edit the menu-admin.lst file so that you only have the entries you want.  This is the
only menu that will show after the password, so you may want to duplicate some of the original ones too.
&lt;/li&gt;
&lt;textarea cols="75" rows="15"&gt;
title  Ubuntu 8.04.1, kernel 2.6.24-19-generic (recovery mode)
root  (hd0,0)
kernel  /boot/vmlinuz-2.6.24-19-generic root=UUID=43ad544e-1e1a-4511-99de-fc1c8a9fea7c ro single
initrd  /boot/initrd.img-2.6.24-19-generic

title  Ubuntu 8.04.1, kernel 2.6.24-18-generic (recovery mode)
root  (hd0,0)
kernel  /boot/vmlinuz-2.6.24-18-generic root=UUID=43ad544e-1e1a-4511-99de-fc1c8a9fea7c ro single
initrd  /boot/initrd.img-2.6.24-18-generic

&lt;/textarea&gt;&lt;br/&gt;
&lt;/ol&gt;

&lt;h3&gt;Disclaimer&lt;/h3&gt;
This is NOT by any means a very good security measure.  It's just a way to stop a 
lazy attacker or your little brother.  The rule still applies that if you have physical access to the box, you can do 
whatever you want: boot a live CD, pull the drive, or reset the Grub password from a rescue system.  A BIOS password 
and a locked boot order close the first of those; if you want to be serious about protecting a system from physical 
attacks, you'll need to look at encrypting the entire hard drive.  
 
&lt;h3&gt;External Links&lt;/h3&gt;
&lt;a href="http://www.gnu.org/software/grub/manual/grub.html#Security"&gt;http://www.gnu.org/software/grub/manual/grub.html#Security&lt;/a&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5702491182567675357/posts/default/6935924034558274222'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5702491182567675357/posts/default/6935924034558274222'/><link rel='alternate' type='text/html' href='http://www.markmmanning.com/blog/2008/07/password-protect-grub.html' title='Password Protect Grub'/><author><name>Mark M Manning</name><uri>http://www.blogger.com/profile/12712393285540348766</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-5702491182567675357.post-1423472206769307982</id><published>2008-07-03T20:33:00.008-04:00</published><updated>2008-07-14T21:31:19.713-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='firefox'/><category scheme='http://www.blogger.com/atom/ns#' term='gpg'/><category scheme='http://www.blogger.com/atom/ns#' term='FireGPG'/><category scheme='http://www.blogger.com/atom/ns#' term='alternative to ssl'/><category scheme='http://www.blogger.com/atom/ns#' term='encryption'/><title type='text'>Encrypting Webpages and Posts with GPG and FireGPG</title><content type='html'>&lt;p&gt;Just recently FireGPG released their &lt;a href="http://getfiregpg.org/news.html"&gt;0.5 version &lt;/a&gt; which along with other bug fixes and feature additions, includes the ability to automatically reading inline GPG/PGP key blocks from websites.  This perfectly fits into an idea I was thinking about a few weeks ago.&lt;/p&gt;  

&lt;p&gt;UPDATE 7/14/08: FireGPG's &lt;a href="http://getfiregpg.org/index.php?page=nv&amp;v=0.5.1"&gt;newest version&lt;/a&gt; supports symmetric encryption and line breaks, making it even easier to do what I'm talking about.&lt;/p&gt;

&lt;p&gt;The idea is that using FireGPG you can encrypt your posts to public web pages, forums, wikis, and even MySpace (if you still use that) so that only you, or whomever possesses the private key can decrypt.&lt;/p&gt; 

&lt;p&gt;For example, say you have a very private message that you and your friend would like to share, but you want to make sure no one can read it while you are writing it and that no one can read it after you've posted it.  You generate a key for your posts and then you send your friend the private key, and she decrypts it but no one else can.  Not even the owner of the website.&lt;/p&gt;

&lt;h3&gt;Why would you want to do this?&lt;/h3&gt;
&lt;ol&gt;
&lt;li&gt;It's an alternative to SSL if you don't have the ability to set it up (forums, blog comments) [There are other alternatives I've seen done with Javascript but most of them have security flaws]&lt;/li&gt;
&lt;li&gt;Way of keeping private posts private even from server owners&lt;/li&gt;
&lt;li&gt;Encryption is fun!&lt;/li&gt;
&lt;/ol&gt;
&lt;h3&gt;Why would you not do this&lt;/h3&gt;
&lt;p&gt;This is a last-ditch effort and by no means a perfect solution.  In fact, public key encryption just does not fit this use (the same private key gets handed to every reader), but I haven't found many general encryption plug-ins that encrypt a message with great confidence. Plus it doesn't give you control of revoking the key if it gets stolen.  Do not use this as a serious solution but as an example of what someone COULD do.&lt;/p&gt;     

&lt;p&gt;One of the requests at FireGPG is that they can support symmetric encryption which would work much better in this situation.  Until then, this still works pretty well.  &lt;/p&gt;
&lt;h3&gt;Install GPG&lt;/h3&gt;
&lt;p&gt;&lt;a href="http://www.gnupg.org/download/index.en.html"&gt;http://www.gnupg.org/download/index.en.html&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;I'm not going to go through the process of installing it on your system because it's very easy.  Use the site's documentation.&lt;/p&gt;

&lt;h3&gt;Generate a GPG Key For Your Usage&lt;/h3&gt;
You can always use your GUI of choice to do this, but from the command line here's the easiest way:

&lt;textarea rows="2" cols="50"&gt;
gpg --gen-key
&lt;/textarea&gt; 

&lt;p&gt;Follow through the steps to create your key.&lt;/p&gt; 

&lt;h3&gt;Install FireGPG&lt;/h3&gt;
Install FireGPG from here - &lt;a href="http://getfiregpg.org/install.html"&gt;http://getfiregpg.org/install.html&lt;/a&gt;

&lt;h3&gt;Encrypt Your Posts:&lt;/h3&gt;
After FireGPG is installed, you now have a FireGPG menu option when you select a block of text and right-click. So the process is this:
&lt;ol&gt;
&lt;li&gt;Write the post or whatever you're sending to a site&lt;/li&gt;
&lt;li&gt;Select the entire text before submitting&lt;/li&gt;
&lt;li&gt;Right click and select the FireGPG menu option&lt;/li&gt;
&lt;li&gt;Click Encrypt &lt;/li&gt;
&lt;li&gt;Select the key that you created above and click OK&lt;/li&gt;
&lt;/ol&gt;
This will create an encrypted version of your post ready for you to submit.  

&lt;h3&gt;Decrypting Websites&lt;/h3&gt;
&lt;p&gt;When you want to view an encrypted post, FireGPG automatically detects it and prompts you to decrypt it. If you have tons and tons of posts, it's going to be very annoying to decrypt every message, but it would work.&lt;/p&gt;

&lt;h3&gt;Granting Access&lt;/h3&gt;
&lt;p&gt;The last part is just giving the private key to those who should be able to see your posts.  One obvious way would be this:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;export the private key&lt;/li&gt;
&lt;li&gt;encrypt it with your friend's public key&lt;/li&gt;
&lt;li&gt;email it to him or her&lt;/li&gt;
&lt;/ol&gt;

&lt;h3&gt;External Links:&lt;/h3&gt;
&lt;a href="http://getfiregpg.org/"&gt;http://getfiregpg.org/&lt;/a&gt; - FireGPG Firefox plugin&lt;br/&gt;
&lt;a href="http://www.gnupg.org/"&gt;http://www.gnupg.org/&lt;/a&gt; - GPG website&lt;br/&gt;
&lt;a href="http://www.dewinter.com/gnupg_howto/english/GPGMiniHowto.html"&gt;http://www.dewinter.com/gnupg_howto/english/GPGMiniHowto.html&lt;/a&gt; - GPG HOWTO manuals&lt;br/&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5702491182567675357/posts/default/1423472206769307982'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5702491182567675357/posts/default/1423472206769307982'/><link rel='alternate' type='text/html' href='http://www.markmmanning.com/blog/2008/07/encrypting-webpages-and-posts-with-gpg.html' title='Encrypting Webpages and Posts with GPG and FireGPG'/><author><name>Mark M Manning</name><uri>http://www.blogger.com/profile/12712393285540348766</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-5702491182567675357.post-3239818587890360467</id><published>2008-05-20T12:16:00.005-04:00</published><updated>2008-05-20T12:29:46.625-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='VPN'/><category scheme='http://www.blogger.com/atom/ns#' term='firewall'/><category scheme='http://www.blogger.com/atom/ns#' term='Sonicwall'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><title type='text'>Setup Site-to-Site VPN With Sonicwall</title><content type='html'>&lt;p&gt;I've been using the SonicWall devices
for a little while now.  I started getting into them after a
recommendation from a friend, and the TZ series has proven to be a good solution for small
 to medium-sized businesses.&lt;/p&gt;

&lt;p&gt;You can find more information about
SonicWalls and the TZ series here, but I'm going to go over how to
set up an IPsec VPN between two TZ180s using the Standard SonicOS
firmware. If you have the Enhanced SonicOS, the steps are almost the same.&lt;/p&gt;

&lt;h3&gt;Overview:&lt;/h3&gt;
&lt;ul&gt;
 &lt;li&gt;set the unique name of each device&lt;/li&gt;
 &lt;li&gt;configure subnet, DHCP, etc.&lt;/li&gt;
 &lt;li&gt;create a VPN policy on each device to connect to the other&lt;/li&gt;
&lt;/ul&gt;
 NOTE: I'm not talking about setting passwords or security here -
it's assumed that you've already set up the environment.&lt;br/&gt;
 
&lt;h3&gt;Set the Unique Name on Each Device:&lt;/h3&gt;
&lt;ol&gt;
 &lt;li&gt;log into the first device's web interface&lt;/li&gt;
 &lt;li&gt;click on VPN on the left side&lt;/li&gt;
 &lt;li&gt;under &amp;quot;Unique Firewall Identifier&amp;quot; create a logical name like &amp;quot;USNY1&amp;quot;&lt;/li&gt;
 &lt;li&gt;log into the second device's web interface&lt;/li&gt;
 &lt;li&gt;click on VPN&lt;/li&gt;
 &lt;li&gt;under &amp;quot;Unique Firewall Identifier&amp;quot; create another name like &amp;quot;USNY2&amp;quot;&lt;/li&gt;
&lt;/ol&gt;
&lt;h3&gt;Configure Subnets for DHCP:&lt;/h3&gt;
&lt;ol&gt;
 &lt;li&gt;log into the first device's web interface&lt;/li&gt;
 &lt;li&gt;click Network &amp;gt; LAN&lt;/li&gt;
 &lt;li&gt;set the SonicWall LAN IP to something like 10.0.1.1&lt;/li&gt;
 &lt;li&gt;set the subnet mask to whatever is appropriate for your network, like 255.255.255.0&lt;/li&gt;
 &lt;li&gt;repeat the same steps for device 2, except make the IP and subnet different, like 10.0.2.1 and 10.0.2.0/255.255.255.0&lt;/li&gt;
&lt;/ol&gt;
&lt;h3&gt;Setup VPN Policy:&lt;/h3&gt;
 Assuming you have the following configuration, we can create the VPN policy:&lt;br/&gt;

&lt;blockquote&gt;
Site 1&lt;br/&gt;
Device Name: USNY1&lt;br/&gt;
Subnet: 10.0.1.0/24&lt;br/&gt;
&lt;br/&gt;
Site 2&lt;br/&gt;
Device Name: USNY2&lt;br/&gt;
Subnet: 10.0.2.0/24&lt;/blockquote&gt;

&lt;b&gt;Setup Device 1&lt;/b&gt;
&lt;ol&gt;
 &lt;li&gt;On device 1 click on VPN &amp;gt; Settings&lt;/li&gt;
 &lt;li&gt;click Add under VPN Policies&lt;/li&gt;
 &lt;li&gt;Fill out the information as shown below:&lt;br/&gt;
IPSec Keying Mode: IKE using Shared Secret&lt;br/&gt;
Name: USNY2 [name of your device 2]&lt;br/&gt;
IPSec Primary Gateway Name or Address: the public IP address of device 2&lt;br/&gt;
IPSec Secondary Gateway Name or Address: left blank in most cases&lt;br/&gt;
Shared Secret: since you will only be typing it in twice and this is the basis of the tunnel's security, you should make it very strong [&lt;a href="https://www.grc.com/passwords.htm"&gt;https://www.grc.com/passwords.htm&lt;/a&gt;]. Write it down!&lt;/li&gt;
 &lt;li&gt;select &amp;quot;Specify destination networks below&amp;quot; and click Add&lt;/li&gt;
 &lt;li&gt;type in the subnet that device 2 is controlling - in this example 10.0.2.0/24&lt;/li&gt;
 &lt;li&gt;click OK&lt;/li&gt;
&lt;/ol&gt;
&lt;b&gt;Setup Device 2&lt;/b&gt;
[Almost the same as above]
&lt;ol&gt;
 &lt;li&gt;On device 2 click on VPN &amp;gt; Settings&lt;/li&gt;
 &lt;li&gt;click Add under VPN Policies&lt;/li&gt;
 &lt;li&gt;Fill out the information as shown below:&lt;br/&gt;
IPSec Keying Mode: IKE using Shared Secret&lt;br/&gt;
Name: USNY1 [name of your device 1]&lt;br/&gt;
IPSec Primary Gateway Name or Address: the public IP address of device 1&lt;br/&gt;
IPSec Secondary Gateway Name or Address: left blank in most cases&lt;br/&gt;
Shared Secret: same as the secret you generated above&lt;/li&gt;
 &lt;li&gt;select &amp;quot;Specify destination networks below&amp;quot; and click Add&lt;/li&gt;
 &lt;li&gt;type in the subnet that device 1 is controlling - in this example 10.0.1.0/24&lt;/li&gt;
 &lt;li&gt;click OK&lt;/li&gt;
&lt;/ol&gt;
&lt;h3&gt;Check the Logs:&lt;/h3&gt;
If you've configured everything correctly, you should be able to watch the VPN tunnel negotiation process in the event logs.
&lt;ol&gt;
 &lt;li&gt;click on Log &amp;gt; Categories&lt;/li&gt;
 &lt;li&gt;check &amp;quot;Log all categories&amp;quot; - this will record VPN functions&lt;/li&gt;
 &lt;li&gt;under Log click &amp;quot;View&amp;quot;&lt;/li&gt;
 &lt;li&gt;review the logs for the following events:
&lt;br/&gt;SENDING&amp;gt;&amp;gt;&amp;gt;&amp;gt; ISAKMP OAK INFO (InitCookie 0x69c45089cc845af4, MsgID: 0x26D85F88) *(HASH, NOTIFY:DPD_ACK)&lt;br/&gt;RECEIVED&amp;lt;&amp;lt;&amp;lt; ISAKMP OAK INFO (InitCookie 0x69c45089cc845af4, MsgID: 0x3AAF690F) *(HASH, NOTIFY:DPD_REQUEST)&lt;br/&gt;&lt;br/&gt;
 &lt;/li&gt;
&lt;/ol&gt;

&lt;h3&gt;Troubleshooting:&lt;/h3&gt;
&lt;b&gt;Phase 2 or Algorithms Don't Match&lt;/b&gt;&lt;br/&gt;If you see a log message like this, it is most likely caused by different encryption settings under Phase 2.  Go back and make sure they match exactly on both devices.

&lt;br/&gt;&lt;br/&gt;&lt;b&gt;IKE Initiator: Proposed IKE ID mismatch&lt;/b&gt;&lt;br/&gt;This message is most likely caused by the firewall names being mismatched.&amp;nbsp; Make sure that under VPN settings the name is set to something unique and that the VPN policy on each device uses the other device's name.
&lt;br/&gt;&lt;br/&gt;&lt;b&gt;Dynamic IPs&lt;/b&gt;&lt;br/&gt;If you're connecting two sites with dynamic IP addresses, I've read that you need to select the &amp;quot;Aggressive Mode&amp;quot; type of VPN, but maybe someone can confirm that.
 
&lt;ol&gt;
 &lt;li value="1"&gt;click VPN and click Configure on the tunnel you created&lt;/li&gt;
 &lt;li&gt;under Proposals change &amp;quot;Exchange&amp;quot; to Aggressive Mode&lt;/li&gt;
 &lt;li&gt;click the Advanced tab&lt;/li&gt;
 &lt;li&gt;click &amp;quot;Enable Keep Alive&amp;quot; and &amp;quot;Try to bring up all possible Tunnels&amp;quot;&lt;/li&gt;
 &lt;li&gt;click OK&lt;/li&gt;
&lt;/ol&gt;

&lt;b&gt;Other&lt;/b&gt;&lt;br/&gt;
If you're getting anything else, check out the log event reference guide here -&lt;br/&gt;
&lt;a href="http://www.sonicwall.com/downloads/Log_Event_Reference_Guide.pdf"&gt;http://www.sonicwall.com/downloads/Log_Event_Reference_Guide.pdf&lt;/a&gt;.&lt;br/&gt;

&lt;h3&gt;External Links:&lt;/h3&gt;
&lt;a href="http://www.sonicwall.com"&gt;Sonicwall.com&lt;/a&gt; - Had to put a link to this&lt;br/&gt;
&lt;A HREF="http://www.sonicwall.com/downloads/Log_Event_Reference_Guide.pdf"&gt;http://www.sonicwall.com/downloads/Log_Event_Reference_Guide.pdf&lt;/A&gt; - great guide for easy event log decoding&lt;br/&gt;
&lt;A HREF="https://www.grc.com/passwords.htm"&gt;https://www.grc.com/passwords.htm&lt;/A&gt; - a good strong online password generator for one-time passwords&lt;br/&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5702491182567675357/posts/default/3239818587890360467'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5702491182567675357/posts/default/3239818587890360467'/><link rel='alternate' type='text/html' href='http://www.markmmanning.com/blog/2008/05/setup-site-to-site-vpn-with-sonicwall.html' title='Setup Site-to-Site VPN With Sonicwall'/><author><name>Mark M Manning</name><uri>http://www.blogger.com/profile/12712393285540348766</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-5702491182567675357.post-6036894474368994734</id><published>2008-05-12T20:06:00.003-04:00</published><updated>2008-05-12T20:46:10.489-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='group policy'/><category scheme='http://www.blogger.com/atom/ns#' term='users'/><category scheme='http://www.blogger.com/atom/ns#' term='windows vista'/><category scheme='http://www.blogger.com/atom/ns#' term='vista'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='windows server 2003'/><title type='text'>Clear Out The Last Login From Being Displayed</title><content type='html'>&lt;p&gt;Clearing out the last logged-on user from the login screen is a very simple task that I like to set on my domains and as the local policy for workgroup computers.  It helps out in two different ways: first, as a matter of security, because an attacker walking up to the computer doesn't necessarily know a user name to log in with; and second, it helps to teach the user what their user name is, because we all know that if we don't type it in every day, we forget it.  [see saved passwords]&lt;/p&gt;

&lt;h3&gt;Overview&lt;/h3&gt;
&lt;p&gt;For those of you who mostly know what you're doing and just need a reminder, here it is.  The policy setting you need to change is located under:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Computer Configuration &gt; Windows Settings &gt; Security Settings &gt; Local Policies &gt; Security Options&lt;/li&gt;
&lt;li&gt;Edit the "Interactive Logon: Do not display last user name in logon screen" entry and check "define this setting" and "enabled."&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;On a Windows Domain Controller&lt;/h3&gt;
&lt;ol&gt;&lt;li&gt;Under Administrative Tools open Group Policy Management&lt;/li&gt;
&lt;li&gt;Find the group policy you want to change, select it, right-click, and choose "Edit".&lt;/li&gt;
&lt;li&gt;Expand Computer Configuration, Windows Settings, and Security Settings&lt;/li&gt;
&lt;li&gt;Expand the Local Policies node, and then click Security Options.&lt;/li&gt;
&lt;li&gt;Edit the "Interactive Logon: Do not display last user name in logon screen" entry and check "define this setting" and "enabled."&lt;/li&gt;
&lt;li&gt;The setting will take effect the next time the client reboots.  As a reminder, it can take varying amounts of time for group policies to be applied. &lt;/li&gt;
&lt;/ol&gt;


&lt;h3&gt;On a Local Vista Machine&lt;/h3&gt;
&lt;ol&gt;&lt;li&gt;In the Control Panel, click System and Maintenance and open Administrative Tools&lt;/li&gt;
&lt;li&gt;Open Local Security Policy.&lt;/li&gt;
&lt;li&gt;Expand Computer Configuration, Windows Settings, and Security Settings&lt;/li&gt;
&lt;li&gt;Expand the Local Policies node, and then click Security Options.&lt;/li&gt;
&lt;li&gt;Edit the "Interactive Logon: Do not display last user name in logon screen" entry and check "define this setting" and "enabled."&lt;/li&gt;
&lt;/ol&gt;


&lt;h3&gt;External Links:&lt;/h3&gt;

&lt;p&gt;&lt;a href="http://support.microsoft.com/kb/310125"&gt;http://support.microsoft.com/kb/310125&lt;/a&gt; - Link to the MS KB article&lt;br&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5702491182567675357/posts/default/6036894474368994734'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5702491182567675357/posts/default/6036894474368994734'/><link rel='alternate' type='text/html' href='http://www.markmmanning.com/blog/2008/05/clear-out-last-login-from-being.html' title='Clear Out The Last Login From Being Displayed'/><author><name>Mark M Manning</name><uri>http://www.blogger.com/profile/12712393285540348766</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-5702491182567675357.post-4568713519544937651</id><published>2008-04-27T15:32:00.009-04:00</published><updated>2008-04-27T15:53:42.149-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='LogMeIn'/><category scheme='http://www.blogger.com/atom/ns#' term='Linux'/><category scheme='http://www.blogger.com/atom/ns#' term='Ubuntu'/><title type='text'>How To Use LogMeIn with Linux</title><content type='html'>&lt;p&gt;My company uses LogMeIn [&lt;a href="http://www.logmein.com"&gt;www.logmein.com&lt;/a&gt;] for remote support for some of their clients.  One of the problems for me was that the company doesn't support Linux, officially.  I've talked to support twice, one saying that they are working on Linux support and the other saying they don't and there are no plans to.&lt;/p&gt;  

&lt;p&gt;&lt;b&gt;The problem:&lt;/b&gt; If you have the wrong version of Java installed and you go to remote control a remote system using LogMeIn, every time you click on an area of the screen it refreshes the entire page.  Every mouse movement reloads the page to update what it thinks you just did.  Also, keyboard input is not visible until you actually click.  &lt;/p&gt;

&lt;p&gt;&lt;b&gt;The solution:&lt;/b&gt; I don't have a perfect solution, but this will "almost always" work, at least for Ubuntu systems; I've tested it on Gutsy and Hardy.  The key is installing the specific version of Java that LogMeIn supports along with the appropriate Firefox plugins. It took a lot of trial and error, but I finally found the right combination of Java versions and plugins. &lt;/p&gt;

&lt;p&gt;The following is the output of dpkg --get-selections | grep "java" on my system: &lt;/p&gt;
&lt;textarea rows="14" cols="66"&gt;
java-common     install
libhsqldb-java     install
libjaxp1.3-java     install
libjline-java     install
libservlet2.3-java    install
libservlet2.4-java    install
libxalan2-java     install
libxerces2-java     install
openoffice.org-java-common   install
sun-java5-bin     install
sun-java5-fonts     install
sun-java5-jre     install
sun-java5-plugin    install
&lt;/textarea&gt;
&lt;a href="/download/java.cfg"&gt;Download file java.cfg&lt;/a&gt;

&lt;p&gt;So, looking at my &lt;a href="2007/09/reinstall-everything-in-ubuntu.html"&gt;other entry&lt;/a&gt; about re-installing software from a dpkg output, all you need to do is copy the above information and run the following command:&lt;/p&gt;
&lt;textarea rows="4" cols="66"&gt;
sudo dpkg --set-selections &lt; java.cfg
sudo dselect
&lt;/textarea&gt;

&lt;p&gt;This will install all of the above packages and hopefully get LogMeIn to work for you. Note: I haven't tested to see whether some of these library packages are extra so use at your own risk.&lt;/p&gt;

&lt;p&gt;Let me know if you have any input on other versions of Linux. &lt;a href="/?page=contact"&gt;Email&lt;/a&gt;&lt;/p&gt;

&lt;h3&gt;External Links&lt;/h3&gt;
&lt;p&gt;&lt;a href="http://www.logmein.com"&gt;www.logmein.com&lt;/a&gt; - A good tool oriented at providing remote support with a concentration on security  &lt;/p&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5702491182567675357/posts/default/4568713519544937651'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5702491182567675357/posts/default/4568713519544937651'/><link rel='alternate' type='text/html' href='http://www.markmmanning.com/blog/2008/04/how-to-use-logmein-with-linux.html' title='How To Use LogMeIn with Linux'/><author><name>Mark M Manning</name><uri>http://www.blogger.com/profile/12712393285540348766</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-5702491182567675357.post-3831844033792249837</id><published>2008-03-23T20:29:00.005-04:00</published><updated>2008-03-23T20:40:40.427-04:00</updated><title type='text'>Cheat Sheets</title><content type='html'>&lt;p&gt;Just a quick one today - I love cheat sheets especially when I'm debugging someone else's code.  The following are a list from &lt;a href="http://www.ILoveJackDaniels.com"&gt;ILoveJackDaniels.com&lt;/a&gt; and one other from &lt;a href="http://www.johnbokma.com"&gt;johnbokma.com&lt;/a&gt; that have been very useful to me lately.&lt;/p&gt;

&lt;ul&gt;&lt;li&gt;&lt;a href="http://www.ilovejackdaniels.com/cheat-sheets/sql-server-cheat-sheet/"&gt;SQL Server Cheat Sheet&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.ilovejackdaniels.com/cheat-sheets/regular-expressions-cheat-sheet/"&gt;Regular Expressions Cheat Sheet&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.ilovejackdaniels.com/cheat-sheets/php-cheat-sheet/"&gt;PHP Cheat Sheet&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://johnbokma.com/perl/perl-quick-reference-card.html"&gt;Perl Cheat Sheet &lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5702491182567675357/posts/default/3831844033792249837'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5702491182567675357/posts/default/3831844033792249837'/><link rel='alternate' type='text/html' href='http://www.markmmanning.com/blog/2008/03/regular-expression-cheat-sheet.html' title='Cheat Sheets'/><author><name>Mark M Manning</name><uri>http://www.blogger.com/profile/12712393285540348766</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-5702491182567675357.post-6341295498919344328</id><published>2008-02-29T19:39:00.003-05:00</published><updated>2008-03-04T10:42:36.848-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='system administration'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='windows server 2003'/><category scheme='http://www.blogger.com/atom/ns#' term='dhcp'/><title type='text'>DHCP MAC Filtering on Windows</title><content type='html'>&lt;p&gt;I was having dinner with some of the IT guys from a client I work for and I brought up the suggestion that they do MAC filtering for all of their network devices as an added security measure.  The only problem was they were using Windows Server 2003 for the DHCP server which, natively, does not support MAC filtering. That's where the DHCP Server Callout DLL comes in.&lt;/p&gt;
&lt;p&gt;This is a DLL that was created by the Microsoft DHCP team to expose parts of DHCP that were not accessible before; in this case, MAC filtering. &lt;/p&gt;
&lt;h3&gt;Why filter MAC addresses&lt;/h3&gt;
&lt;p&gt;The idea of DHCP MAC filtering is that when a foreign system tries to connect to your network, it is not given an IP address unless its network card is on the list of allowed systems.  In order to get on the network, its owner has to see a member of the IT department. &lt;/p&gt;
&lt;p&gt;This protects against a guest accidentally spreading spyware, viruses, or trojans, not to mention that it helps the IT department keep track of who and what goes on the network.  [Please notice how I say accidentally, because MAC spoofing would easily circumvent this security measure]&lt;/p&gt;
&lt;h3&gt;Install The Callout DLL&lt;/h3&gt;
&lt;p&gt;  Overview:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt; Install the DLL&lt;/li&gt;
  &lt;li&gt; Create the necessary registry keys&lt;/li&gt;
  &lt;li&gt; Populate the list of allowed or denied MAC addresses&lt;/li&gt;
  &lt;li&gt;Restart the DHCP&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Download and Install&lt;/h3&gt;
&lt;ol&gt;
  &lt;li&gt; Download the files: &lt;a href="/download/CalloutMacFilter.zip"&gt;Download&lt;/a&gt;&lt;br /&gt;
    The installer puts MacFilterCallout.dll in %SystemRoot%\system32 along with a file named SetupDHCPMacFilter.rtf, which contains very basic instructions.&lt;/li&gt;
  &lt;li&gt; Run MacFilterCallout.msi and go through the steps to install it.  All this does is extract the two files to your %SystemRoot%\system32\ folder. &lt;/li&gt;
&lt;/ol&gt;
&lt;h3&gt;Create the registry keys:&lt;/h3&gt;
&lt;p&gt;Choose one of two ways:&lt;br /&gt;
&lt;strong&gt;Option 1:&lt;/strong&gt; Manually create the following registry keys:&lt;/p&gt;
&lt;table border="1" cellspacing="0" cellpadding="0"&gt;
  &lt;tr&gt;
    &lt;td width="175"&gt;&lt;p&gt;Key Name&lt;/p&gt;&lt;/td&gt;
    &lt;td width="120"&gt;&lt;p&gt;Key Type&lt;/p&gt;&lt;/td&gt;
    &lt;td width="324"&gt;&lt;p&gt;Description&lt;/p&gt;&lt;/td&gt;
  &lt;/tr&gt;
  &lt;tr&gt;
    &lt;td width="175"&gt;&lt;p&gt;CalloutDlls&lt;/p&gt;&lt;/td&gt;
    &lt;td width="120"&gt;&lt;p&gt;REG_MULTI_SZ&lt;/p&gt;&lt;/td&gt;
    &lt;td width="324"&gt;&lt;p&gt;The location of the MacFilterCallout.dll&lt;/p&gt;&lt;/td&gt;
  &lt;/tr&gt;
  &lt;tr&gt;
    &lt;td width="175"&gt;&lt;p&gt;CalloutEnabled&lt;/p&gt;&lt;/td&gt;
    &lt;td width="120"&gt;&lt;p&gt;DWORD&lt;/p&gt;&lt;/td&gt;
    &lt;td width="324"&gt;&lt;p&gt;0 = Disable MacFilterCallout&lt;br /&gt;
      1 = Enable MacFilterCallout&lt;/p&gt;&lt;/td&gt;
  &lt;/tr&gt;
  &lt;tr&gt;
    &lt;td width="175"&gt;&lt;p&gt;CalloutErrorLogFile&lt;/p&gt;&lt;/td&gt;
    &lt;td width="120"&gt;&lt;p&gt;REG_MULTI_SZ &lt;/p&gt;&lt;/td&gt;
    &lt;td width="324"&gt;&lt;p&gt;Log path. If this registry key is not specified, the callout DLL will write errors to %WINDIR%\System32\Log.txt &lt;/p&gt;&lt;/td&gt;
  &lt;/tr&gt;
  &lt;tr&gt;
    &lt;td width="175"&gt;&lt;p&gt;CalloutInfoLogFile&lt;/p&gt;&lt;/td&gt;
    &lt;td width="120"&gt;&lt;p&gt;REG_MULTI_SZ &lt;/p&gt;&lt;/td&gt;
    &lt;td width="324"&gt;&lt;p&gt;Info log path. If this key is not present, no information messages will be logged. &lt;/p&gt;&lt;/td&gt;
  &lt;/tr&gt;
  &lt;tr&gt;
    &lt;td width="175"&gt;&lt;p&gt;CalloutMACAddressListFile&lt;/p&gt;&lt;/td&gt;
    &lt;td width="120"&gt;&lt;p&gt;REG_MULTI_SZ &lt;/p&gt;&lt;/td&gt;
    &lt;td width="324"&gt;&lt;p&gt;This is the name and location of the MAC filtering list you're going to be creating next. &lt;/p&gt;&lt;/td&gt;
  &lt;/tr&gt;
&lt;/table&gt;
&lt;p&gt;&lt;strong&gt;Option 2&lt;/strong&gt;: Merge the keys that I've made for you: &lt;a href="/download/CalloutMacFilterReg.zip"&gt;Download&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;Download the file above, extract the contents, and merge the registry file that I created for you.&lt;/p&gt;
&lt;p&gt;Here are the values the .REG file contains. Make sure they match up to your environment. &lt;/p&gt;
&lt;table border="1" cellspacing="0" cellpadding="0"&gt;
  &lt;tr&gt;
    &lt;td width="175"&gt;&lt;p&gt;Key Name&lt;/p&gt;&lt;/td&gt;
    &lt;td width="239"&gt;&lt;p&gt;Value&lt;/p&gt;&lt;/td&gt;
  &lt;/tr&gt;
  &lt;tr&gt;
    &lt;td width="175"&gt;&lt;p&gt;CalloutDlls&lt;/p&gt;&lt;/td&gt;
    &lt;td width="239"&gt;&lt;p&gt;C:\windows\system32\MacFilterCallout.dll&lt;br /&gt;
    &lt;/p&gt;&lt;/td&gt;
  &lt;/tr&gt;
  &lt;tr&gt;
    &lt;td width="175"&gt;&lt;p&gt;CalloutEnabled&lt;/p&gt;&lt;/td&gt;
    &lt;td width="239"&gt;&lt;p&gt;1&lt;/p&gt;&lt;/td&gt;
  &lt;/tr&gt;
  &lt;tr&gt;
    &lt;td width="175"&gt;&lt;p&gt;CalloutErrorLogFile&lt;/p&gt;&lt;/td&gt;
    &lt;td width="239"&gt;&lt;p&gt;C:\windows\system32\MacFilterCallout.log&lt;br /&gt;
    &lt;/p&gt;&lt;/td&gt;
  &lt;/tr&gt;
  &lt;tr&gt;
    &lt;td width="175"&gt;&lt;p&gt;CalloutInfoLogFile&lt;/p&gt;&lt;/td&gt;
    &lt;td width="239"&gt;&lt;p&gt;C:\windows\system32\MacFilterCalloutInfo.log&lt;br /&gt;
    &lt;/p&gt;&lt;/td&gt;
  &lt;/tr&gt;
  &lt;tr&gt;
    &lt;td width="175"&gt;&lt;p&gt;CalloutMACAddressListFile&lt;/p&gt;&lt;/td&gt;
    &lt;td width="239"&gt;&lt;p&gt;C:\windows\system32\MAClist.txt&lt;br /&gt;
    &lt;/p&gt;&lt;/td&gt;
  &lt;/tr&gt;
&lt;/table&gt;
NOTE: If you are not using C:\windows as your Windows directory, you will have to edit the registry file to fit your system.

&lt;h3&gt;Create the MAC list&lt;/h3&gt;
&lt;p&gt;As I showed above, the key CalloutMACAddressListFile points to the location where you need to create a specially formatted text file that contains the MAC addresses to filter. You can only choose to ALLOW a certain set of MACs or to DENY them.  Here is the format of that file:&lt;/p&gt;
&lt;p&gt;
  &lt;label&gt;
  &lt;textarea name="textarea2" id="textarea2" cols="45" rows="5"&gt;MAC_ACTION = {ALLOW / DENY}
0cdc1c6d1266
05dc2de01023
...&lt;/textarea&gt;
  &lt;/label&gt;
&lt;/p&gt;
&lt;p&gt;Note: You must include the braces { } around either the ALLOW or the DENY action&lt;/p&gt;
&lt;h3&gt;Help Populating the MAC list&lt;/h3&gt;
&lt;p&gt;  If you are going to use the ALLOW action you're most likely going to want to find all of the valid MAC addresses on the network. Here are some suggestions for ways you can do this:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;&lt;strong&gt;Nmap + ARP&lt;/strong&gt; - with the command nmap -PR 192.168.0.0/24 (or whatever your network is), it will do an ARP scan of the network. Then running &amp;quot;arp -a &amp;gt; arptable.txt&amp;quot; gives you a tab-delimited file that is perfect for opening as a spreadsheet and extracting the list of MAC addresses you need&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;DHCP logs&lt;/strong&gt; - use your existing DHCP server logs [usually under c:\windows\system32\dhcp\] to find all the MAC addresses in the last week. &lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;Switch logs&lt;/strong&gt; - if you have a good enough switch, it will keep track of which MAC addresses are using the devices.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Note: Obviously be careful how you create this list. If the CEO of the company has a laptop that you happened to forget to put onto the allow list, he may not be happy with your new security measure. &lt;/p&gt;
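As an added example (not from the original article and not part of the callout DLL), here is a Python script that turns the "arp -a > arptable.txt" output suggested above into a MAClist.txt in the format shown earlier, drops broadcast/multicast entries, and re-parses the result before it is deployed so a malformed file does not lock everyone out. The arp output is constructed sample data, and the exact "MAC_ACTION = {ALLOW}" spelling is assumed from the template above.

```python
"""Build and validate a MacFilterCallout MAC list from Windows 'arp -a' output.

Added example for this post; it is not part of the callout DLL or the
original article. The file format (first line 'MAC_ACTION = {ALLOW}' or
'MAC_ACTION = {DENY}', then one 12-hex-digit MAC per line) follows the
template shown above; the braces are required by the DLL.
"""
import re
from typing import List, Tuple

# Constructed sample of Windows "arp -a" output (not a real capture).
SAMPLE_ARP_OUTPUT = """
Interface: 192.168.0.10 --- 0x2
  Internet Address      Physical Address      Type
  192.168.0.1           00-1a-2b-3c-4d-5e     dynamic
  192.168.0.15          00-1A-2B-3C-4D-5F     dynamic
  192.168.0.15          00-1a-2b-3c-4d-5f     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  239.255.255.250       01-00-5e-7f-ff-fa     static
"""

# Matches 00-1a-2b-3c-4d-5e (Windows arp) or 00:1a:2b:3c:4d:5e (Unix arp/nmap).
MAC_RE = re.compile(r"\b([0-9a-f]{2}(?:[-:][0-9a-f]{2}){5})\b", re.IGNORECASE)
ACTION_RE = re.compile(r"^MAC_ACTION\s*=\s*\{(ALLOW|DENY)\}$")
MAC12_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """'00-1A-2B-3C-4D-5E' -> '001a2b3c4d5e', the form used in the list file."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def is_unicast(mac12: str) -> bool:
    """True unless the I/G bit of the first octet is set (broadcast/multicast).

    Those entries never belong to a host that would request a DHCP lease,
    so they should not end up in an ALLOW or DENY list.
    """
    return int(mac12[:2], 16) & 1 == 0


def parse_arp_table(text: str) -> List[str]:
    """Extract unique unicast MACs from arp output, in first-seen order."""
    macs: List[str] = []
    for line in text.splitlines():
        match = MAC_RE.search(line)
        if not match:
            continue  # blank, header or "Interface:" line
        mac = normalize_mac(match.group(1))
        if is_unicast(mac) and mac not in macs:
            macs.append(mac)
    return macs


def build_mac_list(macs: List[str], action: str = "ALLOW") -> str:
    """Render the list file; CRLF line endings since the DLL runs on Windows."""
    if action not in ("ALLOW", "DENY"):
        raise ValueError("action must be ALLOW or DENY")
    lines = [f"MAC_ACTION = {{{action}}}"] + sorted(set(macs))
    return "\r\n".join(lines) + "\r\n"


def check_mac_list(text: str) -> Tuple[str, List[str]]:
    """Re-parse a list file before deploying it (a typo here locks people out).

    Returns (action, macs) or raises ValueError naming the bad line.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty MAC list file")
    action = ACTION_RE.match(lines[0])
    if not action:
        raise ValueError(f"bad action line (braces required): {lines[0]!r}")
    macs = []
    for ln in lines[1:]:
        if not MAC12_RE.match(ln.lower()):
            raise ValueError(f"bad MAC entry: {ln!r}")
        macs.append(ln.lower())
    return action.group(1), macs


if __name__ == "__main__":
    allowed = parse_arp_table(SAMPLE_ARP_OUTPUT)
    content = build_mac_list(allowed, "ALLOW")
    check_mac_list(content)  # raises if the file would be malformed
    with open("MAClist.txt", "w", newline="") as fh:
        fh.write(content)
    print(content)
```

On a real network, replace SAMPLE_ARP_OUTPUT with the contents of arptable.txt and review the result against your inventory before pointing CalloutMACAddressListFile at it.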
&lt;h3&gt;Want to know what the MSI Installer REALLY does?&lt;/h3&gt;
&lt;p&gt;  One major pet peeve of mine is when you download a program and it installs without telling you what it did. That's how this MSI works.  Here's  what it does:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt; copies the DLL to %system%/system32/&lt;/li&gt;
  &lt;li&gt; copies the RTF to %system%/system32/&lt;/li&gt;
  &lt;li&gt; registers BOTH the DLL and the RTF as shared DLLs&lt;/li&gt;
  &lt;li&gt; adds some interesting registry keys, like one named &amp;quot;CompleteMacLevel&amp;quot;, whose purpose I don't know. &lt;br /&gt;
  &lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;I know that may not help anything but it makes me feel a little better. &lt;/p&gt;
&lt;h3&gt;External Links&lt;/h3&gt;
&lt;p&gt;&lt;a href="http://blogs.technet.com/teamdhcp/archive/2007/10/03/dhcp-server-callout-dll-for-mac-address-based-filtering.aspx"&gt;http://blogs.technet.com/teamdhcp/archive/2007/10/03/dhcp-server-callout-dll-for-mac-address-based-filtering.aspx&lt;/a&gt; - DHCP server team's blog with the original article&lt;/p&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5702491182567675357/posts/default/6341295498919344328'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5702491182567675357/posts/default/6341295498919344328'/><link rel='alternate' type='text/html' href='http://www.markmmanning.com/blog/2008/02/dhcp-mac-filtering-on-windows.html' title='DHCP MAC Filtering on Windows'/><author><name>Mark M Manning</name><uri>http://www.blogger.com/profile/12712393285540348766</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-5702491182567675357.post-1460490436512672753</id><published>2007-12-17T18:24:00.000-05:00</published><updated>2007-12-17T12:33:59.525-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='active directory'/><category scheme='http://www.blogger.com/atom/ns#' term='system administration'/><category scheme='http://www.blogger.com/atom/ns#' term='firefox'/><category scheme='http://www.blogger.com/atom/ns#' term='update'/><category scheme='http://www.blogger.com/atom/ns#' term='psexec'/><title type='text'>Allow Non-Admins To Update Firefox</title><content type='html'>&lt;p&gt;One of my clients had the problem of users being excessively prompted to update Firefox&lt;/p&gt;
&lt;blockquote&gt;
  &lt;p&gt;A new version of Firefox is available:&lt;br&gt;
    It is strongly recommended that you upgrade Firefox as soon as possible&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt; It then shows the &amp;quot;Download and Install Now&amp;quot; button, but the update eventually fails when a normal user runs it because they are not a local admin. This prompt repeats over and over until IT gets a phone call about how they hate Firefox and are going to go back to using IE. &lt;/p&gt;
&lt;p&gt;It's actually as simple as you may think. If you change &amp;quot;C:\Program Files\Mozilla Firefox&amp;quot; to allow &amp;quot;YOURDOMAIN\Domain Users&amp;quot; write access, a normal user can update Firefox. &lt;/p&gt;
&lt;p&gt;You can go around to each workstation, but where is the fun in that? The built-in program &amp;quot;cacls&amp;quot;, with the help of PsExec, will let you update all of the computers on a site. This idea was put together by my friend with a little tweaking on my part. Basically you just create a list of computers and then run the command remotely on each one. &lt;/p&gt;
&lt;h3&gt;Create a List of Computers&lt;/h3&gt;
&lt;p&gt;You can do this however you'd like, but I like to export a list of computers from ADUC. This will only help if your computers are in the same folder or OU. You could always just write down the names of the computers, but that's boring. &lt;/p&gt;
&lt;ol&gt;
  &lt;li&gt;Open Active Directory Users and Computers&lt;/li&gt;
  &lt;li&gt;From the menu bar choose View &amp;gt; Add / Remove Columns&lt;/li&gt;
  &lt;li&gt;Remove every column except Name [i.e. remove Type and Description] and click OK&lt;/li&gt;
  &lt;li&gt;Open the folder or OU that contains the computers you would like to update&lt;/li&gt;
  &lt;li&gt;Right-click on the folder or OU and choose &amp;quot;Export List...&amp;quot;&lt;/li&gt;
  &lt;li&gt;Save the file as "computer_list.txt" somewhere logical to you&lt;/li&gt;
&lt;/ol&gt;
&lt;h3&gt;Create the Script&lt;/h3&gt;
&lt;p&gt;Here is the entire command all together. Replace YOURDOMAIN\ADMIN_ACCOUNT with an account that is a local administrator on every target [a member of Domain Admins will do] and YOURDOMAIN\Domain Users with your own domain. No password is given with -p, so PsExec prompts for it instead of leaving it in the batch file or the command history. Note that %SYSTEMDRIVE% is expanded by your local shell before PsExec sends the command, so it assumes every target uses the same system drive letter.&lt;/p&gt;
&lt;p&gt;
  &lt;textarea name="textarea" id="textarea" cols="75" rows="2"&gt;psexec @computer_list.txt -u YOURDOMAIN\ADMIN_ACCOUNT cacls “%SYSTEMDRIVE%\Program Files\Mozilla Firefox” /E /G “YOURDOMAIN\Domain Users”:W&lt;/textarea&gt;
&lt;/p&gt;
&lt;p&gt;You will want to put this into a batch file because you'll have to run it again or on a regular basis if some of your computers are turned off or not on the network when you're running the script. &lt;/p&gt;
&lt;h3&gt;External Links&lt;/h3&gt;
&lt;p&gt;&lt;a href="http://woodruffrc.com/allow-non-admin-users-to-update-firefox.html/trackback"&gt;http://woodruffrc.com/allow-non-admin-users-to-update-firefox.html/trackback&lt;/a&gt; - link to my friend's website who actually did the testing and put everything together&lt;/p&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5702491182567675357/posts/default/1460490436512672753'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5702491182567675357/posts/default/1460490436512672753'/><link rel='alternate' type='text/html' href='http://www.markmmanning.com/blog/2007/12/allow-non-admins-to-update-firefox.html' title='Allow Non-Admins To Update Firefox'/><author><name>Mark M Manning</name><uri>http://www.blogger.com/profile/12712393285540348766</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-5702491182567675357.post-897386076053618520</id><published>2007-12-16T14:11:00.000-05:00</published><updated>2007-12-17T14:49:16.133-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='SSL'/><category scheme='http://www.blogger.com/atom/ns#' term='mobile'/><category scheme='http://www.blogger.com/atom/ns#' term='IIS'/><category scheme='http://www.blogger.com/atom/ns#' term='OMA'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='Exchange'/><category scheme='http://www.blogger.com/atom/ns#' term='OWA'/><title type='text'>Can't Force SSL With Outlook Mobile Access</title><content type='html'>I just learned today that you cannot force the user of SSL on any part of an Exchange enabled website in IIS.  You can still use SSL but apparently turning on the "Require Secure Channel(SSL)" option makes OMA not work. Here was the error I was getting:

&lt;blockquote&gt;If you have recently changed your password, the system may not yet have completed the change. Please wait a short time and try again. If this is not the case, your Exchange server mailbox has not been created. Please access your account via Microsoft Outlook or Microsoft Outlook Web Access to create your user mailbox. Please contact your system administrator for additional assistance.
&lt;/blockquote&gt;

I have to admit I've only set up the OMA site a half dozen times, so there may be something out there that explains this issue better than I can, but I've found a bunch of websites that support this claim.  One site makes a reference to a KB article that no longer exists. The behaviour is consistent with OMA (and ActiveSync) reaching the mailbox through the Exchange virtual directories on the back-end server over plain HTTP, which is why a second virtual directory that does not require SSL is the usual workaround.

&lt;h3&gt;The Steps&lt;/h3&gt;&lt;ol&gt;&lt;li&gt;Open the IIS Management Console on the back-end Exchange 2003 server.&lt;/li&gt;&lt;li&gt;Right click the Exchweb virtual directory under the default Web site, and then click Properties.&lt;/li&gt;&lt;li&gt;Click the Directory Security tab.&lt;/li&gt;&lt;li&gt;Click Edit in the Secure Communications area.&lt;/li&gt;&lt;li&gt;Click to clear the "Require secure channel (SSL)" check box, and then click OK for all windows.
&lt;/li&gt;&lt;/ol&gt;
&lt;h3&gt;But I Want To Force SSL&lt;/h3&gt;
The problem remains "What if you actually want to force SSL?" I had a hard enough time trying to have 50 users understand what the "S" in HTTPS meant.



What I did was create a second site that was Exchange enabled.  On this site I forced SSL, while on the first site I left it optional.  I sent an update to the end users explaining that there was a new mail website, "https://www.website.com/mail", and made a few minor modifications [adding the company logo] so that they could tell the difference, in the hope that they would think new = upgrade.  This way, if they used http instead of https, I could redirect them automatically.
&lt;h3&gt;External Links&lt;/h3&gt;&lt;a href="http://www.petri.co.il/forums/showthread.php?t=10208"&gt;http://www.petri.co.il/forums/showthread.php?t=10208&lt;/a&gt; - Daniel Petri's website forum

&lt;a href="http://www.webservertalk.com/archive128-2004-3-166297.html"&gt;http://www.webservertalk.com/archive128-2004-3-166297.html&lt;/a&gt; - Forum article that makes a reference to the problem.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5702491182567675357/posts/default/897386076053618520'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5702491182567675357/posts/default/897386076053618520'/><link rel='alternate' type='text/html' href='http://www.markmmanning.com/blog/2007/12/cant-force-ssl-with-outlook-mobile.html' title='Can&apos;t Force SSL With Outlook Mobile Access'/><author><name>Mark M Manning</name><uri>http://www.blogger.com/profile/12712393285540348766</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-5702491182567675357.post-2721554146385905809</id><published>2007-12-10T17:57:00.000-05:00</published><updated>2007-12-10T14:14:15.668-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='active directory'/><category scheme='http://www.blogger.com/atom/ns#' term='system administration'/><category scheme='http://www.blogger.com/atom/ns#' term='vbscript'/><title type='text'>Find Last Logon in Active Directory [VBScript]</title><content type='html'>&lt;p&gt;I found this script from the site www.rlmueller.net which has a ton of other handy scripts that are free anyone to hack as long as you don't blame him for screwing something up. &lt;/P&gt;

&lt;p&gt;The script runs a single paged LDAP query against the domain and prints the lastLogonTimeStamp attribute of every user, which is very useful for finding old accounts that nobody uses. Two caveats before you act on the output. First, lastLogonTimeStamp is the replicated attribute (it needs the Windows Server 2003 domain functional level), and it is only rewritten when the stored value is older than msDS-LogonTimeSyncInterval, 14 days by default, so it can trail the real last logon by up to two weeks: it tells you an account has been unused for months, not exactly when it was last used. The per-DC lastLogon attribute is exact but is not replicated, so getting it means querying every domain controller and keeping the newest value. Second, be careful with service accounts: an account that never authenticates, or whose logons all predate the raise to the 2003 functional level, will show no logon at all and will look just like an abandoned one.&lt;/p&gt;
&lt;textarea cols="75" rows="50"&gt;
' LastLogonTimeStamp.vbs
' VBScript program to determine when each user in the domain last logged
' on. Domain must be at Windows Server 2003 Functional Level.
'
' ----------------------------------------------------------------------
' Copyright (c) 2007 Richard L. Mueller
' Hilltop Lab web site - http://www.rlmueller.net
' Version 1.0 - March 24, 2007
' Version 1.1 - July 6, 2007 - Modify how IADsLargeInteger interface
'                              is invoked.
'
' The lastLogonTimeStamp attribute is Integer8, a 64-bit number
' representing the date as the number of 100 nanosecond intervals since
' 12:00 am January 1, 1601. This value is converted to a date. The last
' logon date is in UTC (Coordinated Universal Time). It must be adjusted
' by the Time Zone bias in the machine registry to convert to local
' time.
'
' You have a royalty-free right to use, modify, reproduce, and
' distribute this script file in any way you find useful, provided that
' you agree that the copyright owner above has no warranty, obligations,
' or liability for such use.

Option Explicit

Dim objRootDSE, adoConnection, adoCommand, strQuery
Dim adoRecordset, strDNSDomain, objShell, lngBiasKey
Dim lngBias, k, strDN, dtmDate, objDate
Dim strBase, strFilter, strAttributes, lngHigh, lngLow

' Obtain local Time Zone bias from machine registry.
Set objShell = CreateObject("Wscript.Shell")
lngBiasKey = objShell.RegRead("HKLM\System\CurrentControlSet\Control\" _
    &amp; "TimeZoneInformation\ActiveTimeBias")
If (UCase(TypeName(lngBiasKey)) = "LONG") Then
    lngBias = lngBiasKey
ElseIf (UCase(TypeName(lngBiasKey)) = "VARIANT()") Then
    lngBias = 0
    For k = 0 To UBound(lngBiasKey)
        lngBias = lngBias + (lngBiasKey(k) * 256^k)
    Next
End If
Set objShell = Nothing

' Determine DNS domain from RootDSE object.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")
Set objRootDSE = Nothing

' Use ADO to search Active Directory.
Set adoCommand = CreateObject("ADODB.Command")
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
adoCommand.ActiveConnection = adoConnection

' Search entire domain.
strBase = "&lt;LDAP://" &amp; strDNSDomain &amp; "&gt;"

' Filter on all user objects.
strFilter = "(&amp;(objectCategory=person)(objectClass=user))"

' Comma delimited list of attribute values to retrieve.
strAttributes = "distinguishedName,lastLogonTimeStamp"

' Construct the LDAP syntax query.
strQuery = strBase &amp; ";" &amp; strFilter &amp; ";" &amp; strAttributes &amp; ";subtree"

' Run the query.
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 100
adoCommand.Properties("Timeout") = 60
adoCommand.Properties("Cache Results") = False
Set adoRecordset = adoCommand.Execute

' Enumerate resulting recordset.
Do Until adoRecordset.EOF
   ' Retrieve attribute values for the user.
    strDN = adoRecordset.Fields("distinguishedName").Value
    ' Convert Integer8 value to date/time in current time zone.
    On Error Resume Next
    Set objDate = adoRecordset.Fields("lastLogonTimeStamp").Value
    If (Err.Number &lt;&gt; 0) Then
        On Error GoTo 0
        dtmDate = #1/1/1601#
    Else
        On Error GoTo 0
        lngHigh = objDate.HighPart
        lngLow = objDate.LowPart
        If (lngLow &lt; 0) Then
            lngHigh = lngHigh + 1
        End If
        If (lngHigh = 0) And (lngLow = 0 ) Then
            dtmDate = #1/1/1601#
        Else
            dtmDate = #1/1/1601# + (((lngHigh * (2 ^ 32)) _
                + lngLow)/600000000 - lngBias)/1440
        End If
    End If
    ' Display values for the user.
    If (dtmDate = #1/1/1601#) Then
        Wscript.Echo strDN &amp; ";Never"
    Else
        Wscript.Echo strDN &amp; ";" &amp; dtmDate
    End If
    adoRecordset.MoveNext
Loop

' Clean up.
adoRecordset.Close
adoConnection.Close
Set adoConnection = Nothing
Set adoCommand = Nothing
Set adoRecordset = Nothing
Set objDate = Nothing
&lt;/textarea&gt;

&lt;p&gt;Save this text as LastLogonTimeStamp.vbs and run it with cscript, so the output goes to the console (or a file) instead of one dialog box per user:&lt;br/&gt;
&lt;textarea cols="75" rows="2"&gt;
cscript //nologo LastLogonTimeStamp.vbs &gt; LogonTimes.txt
&lt;/textarea&gt;&lt;/p&gt;
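&lt;p&gt;As an added example that is not part of the original post or of Mr. Mueller's script: the same Integer8 conversion and staleness check in PowerShell, where .NET's [DateTime]::FromFileTimeUtc does the 1601-epoch arithmetic that the VBScript does by hand, and the 14-day replication lag described above is built into the verdict. The function names and the sample accounts are made up for the example; a live run would feed it Get-ADUser output instead.&lt;/p&gt;

```powershell
# Added example, not from the original post. Integer8 attributes such as
# lastLogonTimeStamp and lastLogon hold 100-nanosecond ticks since
# 1601-01-01 UTC, the same layout as a Win32 FILETIME.

function ConvertFrom-Integer8 {
    param([Parameter(Mandatory)][Int64]$Value)
    if ($Value -eq 0) { return $null }          # 0 means the account has never logged on
    return [DateTime]::FromFileTimeUtc($Value)  # .NET converts from the 1601 epoch
}

function Get-StaleAccountReport {
    param(
        [Parameter(Mandatory)][object[]]$Accounts,  # objects with SamAccountName and lastLogonTimeStamp
        [int]$MaxIdleDays = 90,                      # your "unused" threshold
        [int]$SyncIntervalDays = 14,                 # msDS-LogonTimeSyncInterval default
        [DateTime]$Now = [DateTime]::UtcNow
    )
    foreach ($account in $Accounts) {
        $seen = ConvertFrom-Integer8 -Value ([Int64]$account.lastLogonTimeStamp)
        if ($null -eq $seen) {
            $state = 'Never'
        } else {
            $idleDays = ($Now - $seen).TotalDays
            # The replicated stamp may trail the real logon by up to SyncIntervalDays,
            # so only call an account stale when even the most generous reading is over the limit.
            if ($idleDays -gt ($MaxIdleDays + $SyncIntervalDays)) { $state = 'Stale' }
            elseif ($idleDays -gt $MaxIdleDays) { $state = 'Borderline: read lastLogon on every DC' }
            else { $state = 'Active' }
        }
        [pscustomobject]@{ Account = $account.SamAccountName; LastSeenUtc = $seen; State = $state }
    }
}

# Constructed sample rows (not real directory data). In production replace them with:
#   Get-ADUser -Filter * -Properties lastLogonTimeStamp
$now = [DateTime]::UtcNow
$sample = @(
    [pscustomobject]@{ SamAccountName = 'alice';      lastLogonTimeStamp = $now.AddDays(-5).ToFileTimeUtc() }
    [pscustomobject]@{ SamAccountName = 'bob';        lastLogonTimeStamp = $now.AddDays(-95).ToFileTimeUtc() }
    [pscustomobject]@{ SamAccountName = 'carol';      lastLogonTimeStamp = $now.AddDays(-200).ToFileTimeUtc() }
    [pscustomobject]@{ SamAccountName = 'svc_backup'; lastLogonTimeStamp = 0 }
)
# alice is Active, bob is Borderline (95 days, inside the 90+14 window), carol is Stale, svc_backup is Never
Get-StaleAccountReport -Accounts $sample -Now $now | Format-Table -AutoSize

# To settle a borderline account, lastLogon (exact but not replicated) has to be read
# from every domain controller and the newest value kept, for example:
#   $newest = (Get-ADDomainController -Filter * | ForEach-Object {
#       (Get-ADUser bob -Server $_.HostName -Properties lastLogon).lastLogon
#   } | Measure-Object -Maximum).Maximum
#   ConvertFrom-Integer8 -Value $newest
```

&lt;p&gt;The three-way verdict is the point: an account whose stamp is between the threshold and threshold-plus-sync-interval may well have logged on within the threshold, so disabling it on the strength of lastLogonTimeStamp alone produces false positives; only the per-DC lastLogon values settle it.&lt;/p&gt;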
&lt;p&gt;
External Link:&lt;br/&gt;
&lt;a href="http://www.rlmueller.net/Last%20Logon.htm"&gt;http://www.rlmueller.net/Last Logon.htm&lt;/a&gt; - the site which I found this script and where you should go if you like it.
&lt;/p&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5702491182567675357/posts/default/2721554146385905809'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5702491182567675357/posts/default/2721554146385905809'/><link rel='alternate' type='text/html' href='http://www.markmmanning.com/blog/2007/12/find-last-logon-in-active-directory.html' title='Find Last Logon in Active Directory [VBScript]'/><author><name>Mark M Manning</name><uri>http://www.blogger.com/profile/12712393285540348766</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-5702491182567675357.post-6610147211332638785</id><published>2007-11-15T13:15:00.000-05:00</published><updated>2007-11-15T13:30:25.443-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='PVX'/><category scheme='http://www.blogger.com/atom/ns#' term='support'/><category scheme='http://www.blogger.com/atom/ns#' term='Polycom'/><category scheme='http://www.blogger.com/atom/ns#' term='Polycom PVX 804'/><category scheme='http://www.blogger.com/atom/ns#' term='windows vista'/><category scheme='http://www.blogger.com/atom/ns#' term='vista'/><category scheme='http://www.blogger.com/atom/ns#' term='8.0.4'/><title type='text'>Polycom PVX Full Vista Support 8.0.4</title><content type='html'>&lt;p&gt;After attempting to install the most recent version of Polycom PVX software on a brand new Windows Vista machine, I found that there were horizontal lines all over the picture and some major lag. I looked through all the support documents and tested with two other cameras.&lt;/p&gt;

&lt;p&gt;Finally I gave up and called Polycom Support [1-888-4143]. They explained that there was a new version that wasn't yet public. Great! So here is the currently super secret link.&lt;/p&gt;

&lt;p&gt;
&lt;a href="http://www.polycom.com/support/pvx804"&gt;www.polycom.com/support/pvx804&lt;/a&gt;
&lt;/p&gt;

&lt;p&gt;From the &lt;a href="http://downloads.polycom.com/video/pvx/804/pvx_8_0_4_release_notes.pdf"&gt;release notes&lt;/a&gt;:
&lt;blockquote&gt;PVX 8.0.4 delivers the following upgrades and modifications for PVX users: &lt;ul&gt;&lt;li&gt;Support for Microsoft Vista Business and Enterprise editions&lt;/li&gt;
&lt;li&gt;Enhanced support for dual core Intel and AMD processors&lt;/li&gt;
&lt;li&gt;Fixes for priority field issues (see release notes for details)&lt;/li&gt;
&lt;li&gt;Upgrade support is provided in English only &lt;/li&gt;&lt;/ul&gt;&lt;/blockquote&gt;
&lt;/p&gt;
&lt;h3&gt;External Links:&lt;/h3&gt;&lt;a href="http://www.polycom.com/support/pvx804"&gt;www.polycom.com/support/pvx804&lt;/a&gt; - the site that I'm talking about
&lt;a href="http://downloads.polycom.com/video/pvx/804/PVX_8_0_4_4035.zip"&gt;http://downloads.polycom.com/video/pvx/804/PVX_8_0_4_4035.zip&lt;/a&gt; - the direct link to the newest software</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5702491182567675357/posts/default/6610147211332638785'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5702491182567675357/posts/default/6610147211332638785'/><link rel='alternate' type='text/html' href='http://www.markmmanning.com/blog/2007/11/polycom-pvx-full-vista-support-804.html' title='Polycom PVX Full Vista Support 8.0.4'/><author><name>Mark M Manning</name><uri>http://www.blogger.com/profile/12712393285540348766</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-5702491182567675357.post-6455130309293299797</id><published>2007-11-12T16:11:00.000-05:00</published><updated>2007-11-12T16:16:23.831-05:00</updated><title type='text'>How To Easily Migrate Public Folders Using Outlook</title><content type='html'>&lt;p&gt;This is a really simple way of moving public folders from one Exchange server to another that doesn't involving using Microsoft's &lt;a href="http://support.microsoft.com/kb/822895"&gt;PFMigrate Tool&lt;/a&gt;. That doesn't mean that this is the best way but when you have a small site or even a big complicated site that you don't want to go through the hassle configuring each site to talk to one another, this comes in handy. The way that I outline below does not take into account any permission structure so it will need to be recreated after the migration. Here is an over view:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;Copy the source public folders to an individual mailbox folder&lt;/li&gt;
  &lt;li&gt;Export the folder to a PST&lt;/li&gt;
  &lt;li&gt;Import the PST into a target mailbox&lt;/li&gt;
  &lt;li&gt;Copy the folder to the existing public folders of the target environment&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Setup:&lt;/h3&gt;
&lt;ol&gt;&lt;li&gt;Find the size of the public folders you are moving so that you know how much data will pass through the migration mailbox.  
    &lt;ol&gt;
      &lt;li&gt;Open Outlook connected to the source Exchange server, &lt;/li&gt;
      &lt;li&gt;right-click on the public folder you want to migrate and choose Properties,  &lt;/li&gt;
      &lt;li&gt;then click the &amp;quot;Folder Size&amp;quot; button in the lower right corner.  Make note of the &amp;quot;Total Size:&amp;quot;&lt;/li&gt;
    &lt;/ol&gt;
  &lt;/li&gt;
  &lt;li&gt;    Choose a migration mailbox that you will use on the source and target [this can be your personal one if you want]&lt;br /&gt;
  &lt;/li&gt;
  &lt;li&gt;Log onto the source Exchange server and make sure that the migration mailbox's size limit is large enough for the public folders &lt;br /&gt;
  &lt;/li&gt;
  &lt;li&gt;Do the same on the target Exchange server&lt;br /&gt;
  &lt;/li&gt;
  &lt;li&gt;While you're logged in, also make sure that you've been granted rights to create items in the target public folders&lt;/li&gt;
&lt;/ol&gt;
&lt;h3&gt;Export From The Source:&lt;/h3&gt;
&lt;ol&gt;
  &lt;li&gt;  Connect to the source Exchange server from Outlook&lt;br /&gt;
  &lt;/li&gt;
  &lt;li&gt;Create a folder in your personal mailbox that will store a copy of the public folders&lt;br /&gt;
  &lt;/li&gt;
  &lt;li&gt;Open the public folders you want to migrate&lt;br /&gt;
  &lt;/li&gt;
  &lt;li&gt;Right-click the folder you want to copy and choose &amp;quot;Copy FolderName&amp;quot;&lt;br /&gt;
  &lt;/li&gt;
  &lt;li&gt;Choose the folder in the personal mailbox that you created previously&lt;br /&gt;
  &lt;/li&gt;
  &lt;li&gt;After the copy is complete, go to File&amp;gt;Import and Export&lt;br /&gt;
  &lt;/li&gt;
  &lt;li&gt;Choose Export to a file and then Personal Folder File&lt;br /&gt;
  &lt;/li&gt;
  &lt;li&gt;Select the personal folder that now contains all of the public folders and click Next&lt;br /&gt;
  &lt;/li&gt;
  &lt;li&gt;Choose a location to export it to and click finish&lt;br /&gt;
  &lt;/li&gt;&lt;/ol&gt;
&lt;h3&gt;Import To The Target:&lt;/h3&gt;
&lt;ol&gt;&lt;li&gt;Create a new profile in Outlook and connect to the target Exchange server&lt;br /&gt;
  &lt;/li&gt;
  &lt;li&gt;Go to File&amp;gt;Import and Export &lt;br /&gt;
  &lt;/li&gt;
  &lt;li&gt;Choose &amp;quot;Import from another program or file&amp;quot;&lt;br /&gt;
  &lt;/li&gt;
  &lt;li&gt;Select Personal Folder File and click next&lt;br /&gt;
  &lt;/li&gt;
  &lt;li&gt;Choose the PST that you just created and import it into your mailbox under a subfolder somewhere&lt;br /&gt;
    &lt;/li&gt;
  &lt;li&gt;Drag the folder that you just imported into the public folders of the target Exchange server, then recreate the client permissions on the new folders before announcing them&lt;/li&gt;
&lt;/ol&gt;
&lt;h3&gt;External Links:&lt;/h3&gt;
&lt;p&gt;&lt;a href="http://support.microsoft.com/kb/822895"&gt;http://support.microsoft.com/kb/822895&lt;/a&gt; - PFMigrate - the Microsoft supported way of migrating public folders. This is great tool that pays more attention to detail than the way that I did it&lt;/p&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5702491182567675357/posts/default/6455130309293299797'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5702491182567675357/posts/default/6455130309293299797'/><link rel='alternate' type='text/html' href='http://www.markmmanning.com/blog/2007/11/how-to-easily-migrate-public-folders.html' title='How To Easily Migrate Public Folders Using Outlook'/><author><name>Mark M Manning</name><uri>http://www.blogger.com/profile/12712393285540348766</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-5702491182567675357.post-30027349086271950</id><published>2007-11-09T11:06:00.002-05:00</published><updated>2008-07-31T10:54:28.265-04:00</updated><title type='text'>Automatically Create an Outlook Profile on Logon</title><content type='html'>&lt;p&gt;I put together this process during a string of Exchange migration projects and it's really come in handy.  There are hundreds of scenarios why you would want to automatically create the outlook profiles on logon. 
&lt;/p&gt;
&lt;p&gt;One would be that you administer hundreds of users and are adding a new Exchange server. Rather than explaining to everyone which server name to type in, or sending someone around to 1000 workstations, you can script it as below. &lt;/p&gt;
&lt;p&gt;Another would be as a sys admin, you have users that are switching workstations often and you're tired of all the calls complaining &amp;quot;My email doesn't work on so-and-so's machine&amp;quot; because they don't know how to set up their Outlook profiles. &lt;/p&gt;
&lt;p&gt;Here's an overview of the process:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;Create a PRF that has all of the settings you want for the end users &lt;/li&gt;
  &lt;li&gt;Create a logon script and apply it through a group policy to the end users&lt;/li&gt;
  &lt;li&gt;The script runs at user logon and reads a registry entry to see if it has ever run before [if it has then it quits]&lt;/li&gt;
  &lt;li&gt;If this is the first time, it imports the PRF with all of the settings for the company automatically&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Creating the PRF:&lt;/h3&gt;
&lt;p&gt;A PRF is a file that stores all the information Outlook needs to create a profile for a user. There is no way to set the Exchange server or which mailboxes to open through group policy, so you have to rely on PRF files for administration and installation. &lt;/p&gt;
&lt;p&gt;In this example, all I'm doing is pointing out where the exchange server is and that cached mode should be enabled. When you look at the Office Resource Kit [ORK] you will see that there are a lot more settings that you can play with than just the few here. &lt;/p&gt;
 &lt;p&gt;Here's what you need to do:&lt;/p&gt;
&lt;ol&gt;
  &lt;li&gt;&lt;a href="http://www.microsoft.com/downloads/details.aspx?FamilyID=4bb7cb10-a6e5-4334-8925-3bcf308cfbaf&amp;amp;displaylang=en"&gt;Download Microsoft Office Resource Kit&lt;/a&gt; [ORK] and install it on any  workstation &lt;/li&gt;
  &lt;li&gt;Open the “Custom Installation Wizard” from the Start menu&lt;/li&gt;
  &lt;li&gt;When prompted, point to an Office 2003 installation source.  Either an administrative installation point on the network or a CD will do. &lt;br /&gt;
  &lt;/li&gt;
  &lt;li&gt;Then when prompted choose &amp;quot;Create a new MST&amp;quot; and click &amp;quot;Next.&amp;quot;&lt;/li&gt;
  &lt;li&gt;At the top right of the window, click the drop down and skip to step 17 “Outlook:  Customize Default Profile”&lt;br /&gt;
  &lt;/li&gt;
  &lt;li&gt;&lt;a name="step6" id="step6"&gt;&lt;/a&gt;Create a new profile and name it appropriately. Remember what you named it, you will need it to edit the script later&lt;br /&gt;
  &lt;/li&gt;
&lt;li&gt;Configure the settings appropriately with the  Exchange server, whether or not you want “Cached Mode” and whatever other site  specific settings you need&lt;br /&gt;
&lt;/li&gt;
  &lt;li&gt;Click Next and Next again to go to the “Export  Profiles Settings” screen&lt;/li&gt;
  &lt;li&gt;Click the “Export Profile Settings” button and  save the PRF to a place on the network [\\server\share\ORK_profile.prf]&lt;/li&gt;
  &lt;li&gt;Make sure that you test it on a  workstation by running this command:&lt;br /&gt;
    OUTLOOK  /importprf \\server\share\ORK_profile.prf&lt;/li&gt;
&lt;/ol&gt;
EDIT: Thanks to &lt;a href="http://www.oliverhansen.com/"&gt;Oliver&lt;/a&gt; for catching a colon that shouldn't be there.  

&lt;h3&gt;Creating a Logon Script To Install The Outlook Profile&lt;/h3&gt;
&lt;p&gt;So there is a PRF file created that has all of the necessary settings and it has been tested  to make sure that it works. Instead of running that command individually for each of the hundreds of users on the network, it's scripted. &lt;/p&gt;
&lt;p&gt; This script [compared to a batch file] not only runs the command, it checks to see if the command has ever been run before and if the profile has already been created. If it has, then it exits and that's it. If it has not, it imports the PRF file and then adds a registry setting so that it never runs again. &lt;/p&gt;
&lt;p&gt;Disclaimer: There are a ton of ways you can do this but the end result should be that the script below runs on each machine. You could just instruct the users to run the script manually but this way, when a new user is added to the network, they will automatically have their profile set up. &lt;/p&gt;
&lt;p&gt;Here's an overview of one way to set it up:&lt;/p&gt;
&lt;ol&gt;
  &lt;li&gt;Copy this script to a text file and then save it  as a .VBS to make it a vbs script:
    &lt;textarea name="textarea" cols="75" rows="25" wrap="off" id="textarea"&gt;'***************************************************
' File:    auto_outlook.vbs
' Author:  Mark M Manning
' Date:    10/10/2007
' Version: 1
' Based on the work of Peder Pedersen - pep@deif.com
'***************************************************

Option Explicit

Dim Company, PRFLocation, ProfileName



' =========================================
' ====== EDIT THIS INFORMATION=============
Company = "CompanyName"          ' SET THE NAME OF YOUR COMPANY
PRFLocation = "c:\test.prf"         ' SET THE LOCATION ON THE NETWORK OR LOCAL DRIVE 
'PRFLocation = "\\SERVER\share\test.prf" ' OF THE PRF THAT HAS BEEN CREATE
ProfileName = "Site_Profile"   ' This is the name that you have already
      ' created when you made the PRF.  
      ' make sure they are the same
' =========================================






' =================DO NOT EDIT ANYTHING BELOW THIS SECTION================
' ========================================================================

Set WshShell = CreateObject("WScript.Shell")
Set WshNetwork = Wscript.CreateObject("Wscript.Network")
Set fso = CreateObject("Scripting.FileSystemObject")
Set ObjEnv = WshShell.Environment("Process")
Set objShell = CreateObject("Shell.Application")
Set objSysInfo = CreateObject("ADSystemInfo")
Set objUser = GetObject("LDAP://" &amp; objSysInfo.UserName) 

Const HKEY_CURRENT_USER = &amp;H80000001
Dim HKCUfirstRunflag 
HKCUfirstRunflag = "HKCU\Software\" &amp; Company &amp; "\FirstRunFlag"
Dim HKCUprofile 
HKCUprofile = "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\" &amp; ProfileName 

Dim WshShell, WshNetwork, objEnv, fso, objShell, username, key, FirstRunCurrentUser, MSOKey, NoProfile, OfficeInstalled, strUserName, strInitials
Dim strOfficePath, strMachineName, objSysInfo, objUser
Dim objWord, LogonSrv, PRFPath, result, OSnummer, objWMIService, colOperatingSystems, objOperatingSystem

strOfficePath = "Software\Microsoft\Office\11.0\Common\UserInfo" 'Path for office user info
strMachineName = "."

' ============== START OF MAIN SCRIPT ==============
 'Check OS
' =========================================
Set objWMIService = GetObject("winmgmts:" _
    &amp; "{impersonationLevel=impersonate}!\\" &amp; strMachineName &amp; "\root\cimv2")
Set colOperatingSystems = objWMIService.ExecQuery _
    ("Select * from Win32_OperatingSystem")
For Each objOperatingSystem in colOperatingSystems
 result =  objOperatingSystem.Version
OSnummer = Left(result,3)

if OSnummer &lt;&gt; "5.1" then
 'Wscript.Echo "This is not XP"  'Debug
 Wscript.Quit   
else
 'Wscript.Echo OSnummer     'Debug
end if
Next
' =========================================
'Test to see if the script has run before
' ========================================= 
TestfirstRunUser  ' Has script been run before?
If FirstRunCurrentUser then 'If not then continue
 TestProfile 
 If NoProfile then 'Set up profile if none exists
  OutlookSetup 'Setup Outlook profile
 End if
end if
' =========================================

' Add a registry key if the script runs successfully
WshShell.RegWrite HKCUfirstrunflag, "1", "REG_DWORD" 

cleanup

' ================================================
' ============== END OF MAIN SCRIPT ==============
' ================================================

' -------- Test if first run for this user?
Sub TestFirstRunUser
  on error resume next 'cannot be read first time
  key = WshShell.RegRead(HKCUfirstRunflag)
  If Err &lt;&gt; 0 Then
    FirstRunCurrentUser = True
  Else
    FirstRunCurrentUser = False
  End If
  On Error Goto 0
End Sub


'------------ Test if profile exists?
Sub TestProfile
 on error resume next 'cannot be read first time
 MSOKey = WshShell.RegRead(HKCUprofile)
' determine if a profile has already been setup 
  If MSOKey = "" Then
   'wscript.echo "No Profile" 'Testing
   NoProfile = True
  else
   'wscript.echo "Profile exists" 'Testing
   NoProfile = False
  end if
  On Error Goto 0
End sub

Sub OutlookSetup
    WshShell.Run "outlook.exe /importprf " &amp; PRFLocation, 1, False
End Sub

Sub Cleanup
 Set WshNetwork = Nothing
 Set objSysInfo = Nothing
 Set WshShell = Nothing
 Set fso = Nothing
 Set ObjEnv = Nothing
 Set objShell = Nothing
 Set objUser = Nothing
 Set objWord = Nothing
 Set objWMIService = Nothing
 Set colOperatingSystems = Nothing
 Set objWord = Nothing 
End Sub
&lt;/textarea&gt;
    &lt;label&gt;&lt;/label&gt;
  &lt;/li&gt;
  &lt;li&gt;Edit the script under where it says &amp;quot;EDIT THIS INFORMATION&amp;quot; [&lt;a href="#step6"&gt;see Step #6&lt;/a&gt; above]&lt;br /&gt;
    For instance: &lt;br /&gt;
    &lt;textarea name="textarea3" cols="75" rows="3" wrap="off" id="textarea3"&gt;Company = "CompanyName"      '  SET THE NAME OF YOUR COMPANY
PRFLocation = "\\server\share\ORK_profile.prf"      ' SET THE LOCATION ON THE NETWORK OR LOCAL DRIVE 
ProfileName = "YOURSITEPROFILENAME" &lt;/textarea&gt;
    &lt;br /&gt;
    &lt;em&gt;&lt;/em&gt;&lt;/li&gt;
  &lt;li&gt;Save the vbscript to the netlogon folder or  somewhere appropriate on the network [\\domain.local\netlogon\auto_outlook.vbs]&lt;/li&gt;
  &lt;li&gt;If necessary, create  a group policy to apply the new logon script [or edit an existing one to add this script.] &lt;br /&gt;
    &lt;br /&gt;
    4a. [OPTIONAL] If you have some kind of software on the clients that protects against using vbscript at logon, already have an existing batch script that runs at logon, or like some admins I know are just against using vbscripts at logon completely, you can call the script from a batch file by running the &amp;quot;CScript&amp;quot; command. Include the command as something like this:&lt;br /&gt;
      &lt;br /&gt;
      &lt;label&gt;
      &lt;textarea name="textarea2" cols="75" rows="1" id="textarea2"&gt;cscript \\domain.local\netlogon\auto_outlook.vbs&lt;/textarea&gt;
          &lt;/label&gt;
    &lt;br /&gt;
  &lt;/li&gt;


  &lt;li&gt;Test by running your logon script from a workstation. Check the following:
  &lt;ol&gt;
    &lt;li&gt;The registry value was created [HKCU\Software\%COMPANY%\FirstRunFlag]&lt;/li&gt;
    &lt;li&gt;The profile with the appropriate name was created [even if a profile already exists]&lt;br /&gt;
    Control Panel &amp;gt; Mail &amp;gt; Show Profiles&lt;br /&gt;
    &lt;/li&gt;
    &lt;li&gt;The Exchange server and information is configured correctly&lt;/li&gt;
  &lt;/ol&gt;
  &lt;/li&gt;
&lt;/ol&gt;
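&lt;p&gt;The Firefox post above hands &amp;quot;Domain Users&amp;quot; write access to a program directory, and this post has every user's Outlook settings come from a PRF on a share and a script in NETLOGON. In both cases whoever can write to that path decides what runs, or what gets configured, for everyone else, so the check worth keeping is a report of who can write there. As an added example that is not part of either post, the PowerShell below lists the ACEs on a path that give broad, non-administrative principals write, modify or full control. The function name, the list of &amp;quot;broad&amp;quot; principals and the share paths are assumptions for the example; adjust them to your domain.&lt;/p&gt;

```powershell
# Added example, not from the original posts: report ACEs that let "everyone-ish"
# principals write to a path. Run it against the Firefox directory after the cacls
# change, and against the share that holds the PRF and the logon script.

function Get-BroadWriteAccess {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Principals that effectively mean "any user"; add your own wide groups here.
        [string[]]$BroadPrincipals = @('Everyone', 'Authenticated Users', 'Users', 'Domain Users')
    )
    $writeBits = [int][System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'
    $genericWriteOrAll = 0x40000000 -bor 0x10000000   # GENERIC_WRITE and GENERIC_ALL, seen on inherit-only ACEs

    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $name = $ace.IdentityReference.Value.Split('\')[-1]      # drop the DOMAIN\ or BUILTIN\ prefix
        if ($BroadPrincipals -notcontains $name) { continue }
        $rights = [int]$ace.FileSystemRights
        $canWrite = (($rights -band $writeBits) -ne 0) -or (($rights -band $genericWriteOrAll) -ne 0)
        if (-not $canWrite) { continue }
        [pscustomobject]@{
            Path      = $Path
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

# Paths the two posts touch. The share names are the posts' own placeholders.
$paths = @("$env:ProgramFiles\Mozilla Firefox", '\\server\share', '\\domain.local\netlogon')
$findings = $paths | Where-Object { Test-Path -Path $_ } | ForEach-Object { Get-BroadWriteAccess -Path $_ }
if ($findings) { $findings | Format-Table -AutoSize } else { 'No broad write access found on the paths that exist.' }
```

&lt;p&gt;On a workstation that has had the cacls change applied, the Firefox directory will show up with Domain Users and a Write right, which is exactly the exposure the Firefox post accepts; the PRF share and NETLOGON should produce no rows at all. Anything else in the report means a user, not an administrator, can change what every other user ends up running.&lt;/p&gt;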
&lt;h3&gt;External Links:&lt;/h3&gt;
&lt;p&gt;&lt;a href="http://office.microsoft.com/en-us/ork2003/HA011402581033.aspx"&gt;http://office.microsoft.com/en-us/ork2003/HA011402581033.aspx&lt;/a&gt; - Link about using PRF files&lt;br /&gt;
  &lt;br /&gt;
    &lt;a href="http://www.microsoft.com/downloads/details.aspx?FamilyID=4bb7cb10-a6e5-4334-8925-3bcf308cfbaf&amp;amp;displaylang=en"&gt;http://www.microsoft.com/downloads/details.aspx?FamilyID=4bb7cb10-a6e5-4334-8925-3bcf308cfbaf&amp;amp;displaylang=en&lt;/a&gt; – download the Microsoft Office 2003 Resource kit&lt;/p&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5702491182567675357/posts/default/30027349086271950'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5702491182567675357/posts/default/30027349086271950'/><link rel='alternate' type='text/html' href='http://www.markmmanning.com/blog/2007/11/automatically-create-outlook-profile-on.html' title='Automatically Create an Outlook Profile on Logon'/><author><name>Mark M Manning</name><uri>http://www.blogger.com/profile/12712393285540348766</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-5702491182567675357.post-1071144115719454872</id><published>2007-10-30T15:46:00.000-04:00</published><updated>2007-10-30T15:55:14.494-04:00</updated><title type='text'>Creating A Domain Controller From The Backup Of Another Server</title><content type='html'>&lt;p&gt;Last week I worked on a site that lacked the speed to promote a domain controller.  Connectivity was consistent but there was a cable modem in place with speeds of 128k.  Some of the IT team suggested that I drive down to Chicago that has better speed, promote the server and replicate active directory, and then run it back to the original site.  As driving down the street seemed like a fun way burn time and get out of the office, it really wasn't the most technologically correct [TC] way to solve the problem.  Racking my brain to answer one of those MCSE questions that I thought I'd never get in real life, I came up with this solution.&lt;/p&gt;
&lt;p&gt;It involves backing up the system state (which includes Active Directory) on another domain controller, copying the backup file to the server you're trying to promote, and running the "dcpromo /adv" command so that the restored files are used as the starting point for replication instead of pulling the whole directory over the wire.  This won't work if you have no connectivity at all, but if the first replication during dcpromo keeps timing out, this is for you. Handle the backup file like the domain's crown jewels: it carries the whole directory database, password hashes included, so move it over an encrypted channel or on media you control and delete every copy once the promotion has finished. &lt;/p&gt;      
      &lt;h3&gt;Backup and Restore the System State of a Global Catalog&lt;/h3&gt;
      &lt;ol&gt;
