Eliminating Domain Browsing Errors

December 31, 2003


Eliminating Domain Browsing Errors - UltraTech® Knowledgebase - See any errors like this on your W2K AD network?

The master browser has received a server announcement from the computer SMITH that believes that it is the master browser for the domain on transport NetBT_Tcpip_{00E6B950-C066-4E9E-9EA. The master browser is stopping or an election is being forced.

This is the result of the (unneeded) Computer Browser service. ASB has a great little article on the UltraTech KB about how to disable this and other unnecessary services, which can mean less network traffic, more CPU and memory free on the computers, and fewer headaches in the Event Logs when something goes wrong. One caveat before switching it off everywhere: the Computer Browser service is what builds the browse list behind Network Neighborhood / My Network Places, so anything that still finds machines by browsing rather than by name will stop seeing them.

More Disaster Recovery Planning

December 29, 2003


Tips for Preparing Your Disaster or Business Continuity Plan

- A GUIDE FOR DEVELOPING A DISASTER PLAN - nice quick DR Plan overview by the State of Missouri.

Designing A Disaster Recovery Strategy (PDF)

SunGard’s Crisis Management Checklists

Playstation 2 Parental Control Bypass

December 28, 2003


Ok, ok, so this has NOTHING to do with Sysadmin issues.. but this is cool anyways. I got this PS2 for my birthday last summer from a pawn shop. My dvd player crapped out this month so I've decided to use the ps2 instead of buying a new one. What's this? Parental lock code? Now I can't watch all of those R-rated movies I've invested so much in. If you ever run into this problem, put in the dvd, reboot the ps2, and at the parental lock password screen press the select button and type in the code 7444 (this is the master code). Now enter your own code. Once the dvd starts, press the select button and choose setup. Press right to go to the "region" menu and change "level" to off. Parental lock bypassed.

Linux for PS2 - for those of you who just need a little more to the sysadmin side, this site helps you run linux on the ps2.

Router Expert: Cool IOS commands

December 18, 2003


Tips & Newsletters-SearchNetworking.com: Router Expert: Cool IOS commands: "This article focuses on working with the IOS image and router configuration files, reviewing the router's default bootstrap behavior, and looks at implementing alternative IOS loading and configuration loading options. We also include an overview of Internetworking File System (IFS) file management tools. "

Create A Personalized Boot Logo Screen

December 11, 2003


Quick link: Create A Personalized Boot Logo Screen:

No Christmas patches from Microsoft


No Christmas patches from Microsoft - Computerworld: "Microsoft Corp. has an early holiday gift for systems administrators: no monthly security patch release this month. "

Security Experts Warn of New Way to Attack Windows

December 10, 2003


More proof that firewalls aren't always the only answer:

Security Experts Warn of New Way to Attack Windows - Microsoft Corp. issued a patch for the vulnerability in November, but the security bulletin also listed several workarounds for the flaw, including disabling the Workstation Service and using a firewall to block specific UDP and TCP ports. But penetration testers at Core Security Technologies, a Boston-based security company, discovered a new attack vector that uses a different UDP port. This attack still allows the malicious packets to reach the vulnerable Workstation Service.

The Second Coming of Slammer?


Techweb > News > Windows Messenger Service security woes > Big New Chink Found In Windows Messenger Service > December 9, 2003 - According to analysis done by Symantec's DeepSight Threat Analyst Team, the Windows Messenger Service vulnerability can be exploited by a single UDP broadcast, allowing a wholesale compromise of all vulnerable systems on the targeted network.

“If I can exploit one single box on your network, I can exploit all of them,” Huger added.

“An application doesn't care about UDP,” said Huger. “It takes the packet, period, with no authentication.”

A worm just 2.7K in size would be enough to simultaneously infect up to 254 machines. Although that's larger than the minute 376 bytes used by SQLSlammer, “the difference is really trivial,” Huger said.

Not only might such a worm spread faster than Slammer, its damage could significantly outweigh Slammer's damage, for it would have a much greater number of potential targets. The Windows Messenger Service vulnerability exists not just in enterprise machines -- as with Slammer -- but also countless home computers running Windows.

20 Great Google Secrets

December 09, 2003


20 Great Google Secrets

Secunia - Advisories - Yahoo! Messenger "yauto.dll" Buffer Overflow Vulnerability

December 03, 2003


Secunia - Advisories - Yahoo! Messenger "yauto.dll" Buffer Overflow Vulnerability: "A vulnerability has been reported in Yahoo! Messenger, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to a boundary error in the ActiveX component 'yauto.dll' in the 'Open()' function. This can be exploited to cause a buffer overflow by supplying an overly long argument to the vulnerable function via a malicious web page."

Script Center email list: Scripting Newswire


From the MSDN scripting.vbscript newsgroup:

"If you would like to keep informed of the latest additions to the Script Center, receive beta copies of scripting utilities, and otherwise keep up-to-date on what's going on in the world of scripting, subscribe to the Scripting Newswire. To subscribe to this free service (which is nothing more than periodic emails sent by the Scripting Guys), send mail to scripter@microsoft.com, with the subject line Subscribe."

Help Net Security - Scripting flaws pose severe risk for IE users

December 02, 2003


Help Net Security - Scripting flaws pose severe risk for IE users: "A set of five unpatched scripting vulnerabilities in Internet Explorer creates a mechanism for hackers to compromise targeted PCs."

Business Continuity Planning and Disaster Recovery

November 24, 2003


Disaster Recovery (Business Continuity Planning) is one of the most important but widely overlooked projects that a business can implement. Here are some great resources to get started on creating a DR (or BCP) Plan.

Business Continuity Planning - A Primer for Management and IT Personnel - Step by Step Tutorial for DR Planning.

Disaster-Resource.com - Tons of Articles/Information/Resources.

Labmice Disaster Recovery Resources - Great collection of links by LabMice!

House Passes Federal Anti-Spam Bill


House Passes Federal Anti-Spam Bill: "Tauzin said the bill makes it a criminal offense, subject to a maximum five-year prison sentence, to send fraudulent e-mail using such standard spam tactics as false headers and misleading subject lines. The bill calls for statutory damages of $2 million for violations, tripled to $6 million for intentional violations and unlimited damages for fraud and abuse.
Tauzin also said the legislation gives the Federal Trade Commission (FTC) the authority to establish a Do-Not-Spam registry based on the FTC's popular Do-Not-Call database for unwanted and unsolicited telemarketing telephone calls. "

Speed up & Browse Windows 2000 faster.

November 18, 2003


WinXPcentral - Speed up & Browse Windows 2000 faster: a fix to speed up browsing remote shares by not scanning for Scheduled Tasks. Explorer queries the remote machine's Scheduled Tasks folder each time you open it, and that query is what causes the delay.

Open up the Registry and go to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RemoteComputer\NameSpace
Under that branch, select the key:
{D6277990-4C6A-11CF-8D87-00AA0060F5BF} - and delete it.
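As an added example (not code from the WinXPcentral tip), here is the same change done from PowerShell with an export first, so it can be undone if something on the network turns out to need the Scheduled Tasks namespace. The key path and CLSID are the ones given above; the backup file location is my own choice.

```powershell
# Added example, not code from the original tip. Run from an elevated prompt.
$clsid  = '{D6277990-4C6A-11CF-8D87-00AA0060F5BF}'   # Scheduled Tasks namespace extension
$key    = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RemoteComputer\NameSpace\$clsid"
$backup = Join-Path $env:TEMP 'RemoteComputer-ScheduledTasks.reg'   # assumption: backup goes here

if (-not (Test-Path -LiteralPath $key)) {
    "$key is not present; nothing to do"
    return
}

# reg.exe wants the native hive name rather than the PowerShell drive name.
$native = $key -replace '^HKLM:', 'HKEY_LOCAL_MACHINE'
& reg.exe export $native $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "Export to $backup failed; leaving $key in place"
}

Remove-Item -LiteralPath $key -Recurse
"Removed $key"
"Undo with: reg.exe import `"$backup`""
```

The export happens before the delete on purpose: if the export fails for any reason, the key is left alone rather than removed without a way back.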

Gramm-Leach-Bliley and Sarbanes-Oxley


Gramm-Leach-Bliley and you: "The Safeguards Rule, which went into effect during 2003, requires that included institutions take proactive steps to ensure the security of customer information. At a minimum, institutions must:

- Appoint an individual or group to bear specific responsibility for GLB compliance.
- Identify risks to customer information and assess existing safeguards.
- Implement safeguards that are needed to fill any gaps.
- Monitor the effectiveness of all safeguards.
- Ensure service providers are capable of meeting GLB requirements.
- Adjust the organization's security program as necessary when circumstances change. "

Find more information about the act here. Or find out more on the FTC website here.

Five Things IT Needs To Know About Sarbanes-Oxley Compliance is another good link for yet another piece of legislation that has something to do with IT. Take a look. For more info on Sarbanes-Oxley, look here.

Force NumLock to Behave

November 17, 2003


I get tons of complaints about NumLock's behavior, such as it turning on during boot-up when the user doesn't want it to, or not turning on during boot-up when they do. Here's the solution:

Annoyances.org - Force NumLock to Behave

Solution #3 (Windows 2000/XP only):

Run the Registry Editor (REGEDIT.EXE).
Open HKEY_CURRENT_USER\Control Panel\Keyboard (If the Keyboard key isn't there, add it.)
Double-click the InitialKeyboardIndicators value on the right. (If it's not there, select New from the Edit menu, then String Value, and type InitialKeyboardIndicators for the name of the new value.)
Change the value to any of the following:
0 - all indicators off
1 - Caps Lock on
2 - Num Lock on
4 - Scroll Lock on
Or, combine them by adding the corresponding values:
3 - Caps Lock and Num Lock on
5 - Caps Lock and Scroll Lock on
6 - Num Lock and Scroll Lock on
7 - Caps Lock, Num Lock, and Scroll Lock on
Close the Registry Editor when you're done; the change should take effect the next time you start Windows.
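As an added example, not part of the Annoyances.org tip: the same registry change done from PowerShell, composing the value from indicator names instead of remembering the bit table. It writes the value the tip describes under HKEY_CURRENT_USER; the optional switch also writes it under HKEY_USERS\.DEFAULT, which is the profile the logon screen runs under, so the state does not flip between the logon screen and the desktop. The function names are mine.

```powershell
# Added example, not code from the original tip.
# Bit values from the table above: 1 = Caps Lock, 2 = Num Lock, 4 = Scroll Lock.
$Indicators = @{ CapsLock = 1; NumLock = 2; ScrollLock = 4 }

function Get-IndicatorValue {
    param([string[]]$On)            # e.g. 'NumLock' or 'NumLock','CapsLock'; empty = all off
    $value = 0
    foreach ($name in $On) {
        if (-not $Indicators.ContainsKey($name)) { throw "Unknown indicator: $name" }
        $value = $value -bor $Indicators[$name]
    }
    return $value
}

function Set-InitialKeyboardIndicators {
    param([string[]]$On, [switch]$IncludeLogonScreen)
    $value = Get-IndicatorValue -On $On
    $paths = @('HKCU:\Control Panel\Keyboard')
    if ($IncludeLogonScreen) {
        # HKEY_USERS\.DEFAULT is the hive the logon screen runs under.
        $paths += 'Registry::HKEY_USERS\.DEFAULT\Control Panel\Keyboard'
    }
    foreach ($path in $paths) {
        if (-not (Test-Path -LiteralPath $path)) { New-Item -Path $path -Force | Out-Null }
        # The tip's value is a REG_SZ holding the decimal number, so write a string, not a DWORD.
        Set-ItemProperty -LiteralPath $path -Name 'InitialKeyboardIndicators' -Value ([string]$value) -Type String
    }
    return $value
}

# Num Lock on, Caps Lock and Scroll Lock off (value 2); takes effect at the next logon.
Set-InitialKeyboardIndicators -On 'NumLock' -IncludeLogonScreen
```

Writing the HKEY_USERS\.DEFAULT copy needs an elevated prompt; the HKCU copy does not.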

Workstation Proof of Concept Released


New Windows Worm on the Way?

With the posting Wednesday of proof-of-concept exploit code for one of the newly discovered vulnerabilities in Windows, the familiar chain of events that often leads to the release of a worm has begun.

Less than 24 hours after Microsoft issued the fix, two members of the BugTraq security mailing list posted exploit code for the vulnerability. The author of one of the exploits said the code had been tested only on a Windows 2000 machine with Service Pack 4 installed and the FAT32 file system running. The other exploit is designed for machines running Windows XP. However, experts said it would take little effort to adapt the code for other Windows machines.

And, more importantly, the Workstation vulnerability appears to be a prime candidate for a worm.

Computer viruses now 20 years old


Happy Birthday Job Security!!

BBC NEWS | Technology | Computer viruses now 20 years old: "This week computer viruses celebrate 20 years of causing trouble and strife to all types of computer users. "

Admin Checklist


A good (although not complete) list of daily, nightly, weekly, monthly, etc Admin tasks... brought to you by W2Knews™, May 10, 2001


Check event log of every server, fix/try to fix as needed.
Creating new directories, shares, and security groups, new accounts, disabling/deleting old accounts, managing account policies.
Make sure backup runs and make sure the restore works as planned.
Plugging Security holes, in both the OS and apps like IIS.
Exchange Management including DL's, users, etc.
Train the training people, helpdesk people, and end users.
Answer all important emails from CFO/CEO/IT-MIS Director.
Glance over T1-hookups, switches, hubs, make sure everything is green.
Check router logs.
Check firewall logs.
Check if Disaster Recovery Systems are still functioning
Various calls to MS Support for things that really aren't your fault.
Check for free space on all servers, for file pollution and quotas.
Ensure that all server services are running.
Ensure that antivirus definitions are up-to-date.
Run defrag and chkdsk on all drives.
Monitor WINS replication.
Monitor directory replication.
Maintain performance baseline data.
Monitor RAM for runaway processes or memory leaks.
Monitor network traffic with sniffer or NETMON to keep performance up.
Keep Service Pack (and/or) hotfixes current as per company policy.
Monitor Web traffic for indications of attacks.
Install software for users
Monitor user email for corporate policy violations.
Check Print Queues.
Keep a log of everything you have fixed or performed maintenance on.
Make sure all apps are shared.
Permissions and filesystem management.
Check for bad system and .ini files on database server (Btrieve).
Make sure load on database server is acceptable and ghosted users are cleared as well as multiple logons.


(Next Applies to Terminal Server admins only)
Reboot each Citrix server.
Delete all autocreated printers stuck.
Clear out rogue local profiles.


Clean Servers, check for .tmp files, and other file pollution.
Implement any new policy, permission, logon script, or scheduled script modifications.
Research, Research, Research.
Change any active monitoring & alerting (third party tools) as needed.
Update Website, External and Intranet, process website log reports.
Check PerfMon, NetMon, (or 3rd party tools) for OK baselines.
Reboot Servers if needed.
Keep up-to-date on IT news regarding my networks.
Evaluate software for System Admin purposes.
Try to get some MCSE study time in.
Performance Monitoring/Capacity Planning- Budgeting for the future.
Uptime/Downtime reports.
Auditing network for unauthorized changes, ideally both from the inside but also outside-in.
Plan for W2K migration.


Rebuild Databases as needed.
Gather statistics on Webservers. Send to CEO/CIO/CTO/CFO (Whomever).
Clean exchange mailboxes.
Change Service Account Passwords (not doing this is Russian roulette).
Convincing your boss that most of this stuff _needs_ to be done.
Extended testing backups with restores.
Maintaining applicable Service Level Agreements.
Set System and Application priorities: If more than one thing is broken, what needs to be fixed first.
Managing off-site storage of backup tapes, whether you take them home or a service picks them up.
IT System vulnerability analysis, e.g. "This mail server uses this mail router; what's the impact if one or both are down?" (If the mail server is down, the mail router will store inbound mail and may run out of disk space.)
Periodically reviewing all of the above, is documentation up to date? Has the Disaster Recovery Plan been updated to reflect changes in the environment?
Periodically reviewing workload. Are some things no longer done?
Periodically review company technical environment. How can it be improved?

Initial or Occasionally:

Disaster Recovery to alternate site, in case of emergency.
Configure and maintain DNS - Internal and External, DHCP, WINS, TCP/IP, etc.
Document the full network.
Rebuild corrupt servers.
Test the Restore Procedure.
Reconfigure domain structure.. again.
Get a performance baseline for things like %Processor Time, PageFaults, Disk Queues.
Initial checklist should include status of administrative and service passwords, status of the backups, check out DHCP scope(s), WINS, DNS, remove unnecessary protocols.

W2Knews is a great weekly newsletter brought to you by Sunbelt Software - subscribe here.

Port Requirements for Microsoft Windows Server System

November 16, 2003


Download details: Port Requirements for Microsoft Windows Server System - This spreadsheet shows what network ports are used by the system services utilized by the Microsoft Windows Server System products.

This could be quite useful, so take a look.

2 Cows for IT

November 14, 2003


You have 2 cows.
You're paid to build, support, fix, maintain, and show users how to milk the
The users rarely listen to your instructions and they break the cows.
The manufacturer realizes there are critical flaws in the cows.
You upgrade your 2 cows for one new super cow.
The users rarely listen to your instructions and they break the cow.
The manufacturer realizes there are critical flaws in the cow.
You quit and become a sheep herder.

More on Scheduling Defrag in W2K

November 12, 2003


Everyone knows Windows 2000 defrag can't be run from the command line, nor can it be scheduled in the Task Scheduler. I've tested a free (everything I use is free or close to it) program that schedules defrags called AutoDeFrag, but I've had a few problems with it (at least in my test environment).

In my quest to find the (free) solution to my defrag needs, I've come across 3 scripts that can be scheduled to automate Win2000 defrag:

myITforum.com : Clean Temporary Files and Run Defrag

myITforum.com : Automating Defrag

myITforum.com : Defragment All Hard Drives



This should help with all of those patches:

JSI Tip 3709. QChain.exe is a safe way of installing multiple hotfixes with a single reboot.

296861 - How to Install Multiple Windows Updates or Hotfixes with Only One Reboot

Download details: Windows 2000 & NT4.0 Reskit Utility: QChain.exe

Make a batch file such as:

@echo off
rem Install each hotfix with /Z (do not reboot) and /M (unattended mode), then
rem run qchain.exe so that, where two hotfixes replace the same file, the newest
rem version is the one that survives the single reboot.
set PATHTOFIXES={some path}
%PATHTOFIXES%\{patch name}.exe /Z /M
%PATHTOFIXES%\{patch name}.exe /Z /M
%PATHTOFIXES%\{patch name}.exe /Z /M
%PATHTOFIXES%\qchain.exe c:\hotfix.log

and enjoy the fun!

November's Security Bulletins Released!

November 11, 2003


November's round of patches starts now, with 4 new Security Bulletins:

Microsoft Security Bulletin MS03-048 - Cumulative Security Update for Internet Explorer (824145) - Critical

Microsoft Security Bulletin MS03-049 - Buffer Overrun in the Workstation Service Could Allow Code Execution (828749) - Critical

Microsoft Security Bulletin MS03-050 - Vulnerability in Microsoft Word and Microsoft Excel Could Allow Arbitrary Code to Run (831527) - Important

Microsoft Security Bulletin MS03-051 - Buffer Overrun in Microsoft FrontPage Server Extensions Could Allow Code Execution (813360) - Critical

A little tip from me: Pay extra attention to MS03-049...

PC security audits for businesses? | CNET News.com


PC security audits for businesses? | CNET News.com: "Publicly traded U.S. corporations would have to certify that they have conducted an annual computer security audit, according to a draft of long-awaited legislation the U.S. House of Representatives is preparing. "

Currently, publicly traded companies must follow a detailed set of rules when filing annual reports with the Securities and Exchange Commission. Putnam's proposal, seen by CNET News.com, would extend that annual reporting requirement to include the audit that would follow standards to be set by the SEC.

It does say, however, that the certification in the annual report "shall not include specific proprietary information and shall not contain any information identifying, directly or indirectly, any specific vulnerability of the (company's) computer information."

Dealing with winmail.dat and unreadable email attachments

November 06, 2003


This is a rare Outlook problem, but a good thing to know when you do have to deal with it:

Dealing with winmail.dat and unreadable email attachments: "Email users sometimes find that they receive email messages with a strange file attached, called winmail.dat. When they attempt to open this file, either it can't be opened at all, or it contains 'garbage' data. "

Microsoft to Place Bounty on Virus Writers | Reuters


Microsoft to Place Bounty on Virus Writers: "LONDON (Reuters) - Microsoft Corp. and security organizations are set to offer cash bounties for information on the authors of the crippling MSBlast and Sobig computer bugs, industry sources said on Wednesday.

Technology news service CNET News.com reported late on Tuesday that the software giant would offer $500,000 for information leading to the arrest of the writers of two of the costliest computer bug outbreaks to hit the Internet. "

Red Hat recommends Windows for consumers


Red Hat recommends Windows for consumers - News & Technology - CNETAsia: "Red Hat's chief executive has said that Linux needs to mature further before home users will get a positive experience from the operating system, saying they should choose Windows instead. "

NewsForge | Red Hat tells customers, 'No more freebies!'

November 04, 2003


NewsForge | Red Hat tells customers, 'No more freebies!': "'Red Hat does not plan to release another product in the Red Hat Linux line.' In an email to Red Hat Network customers, the company has announced today that it '...will discontinue maintenance and errata support for Red Hat Linux 7.1, 7.2, 7.3 and 8.0 as of December 31, 2003,' and that 'Red Hat will discontinue maintenance and errata support for Red Hat Linux 9 as of April 30, 2004.'"

Center for Internet Security

October 30, 2003


Website of the day:

Center for Internet Security - Standards: "The Center for Internet Security (CIS) is a not-for-profit cooperative enterprise that helps organizations reduce the risk of business and e-commerce disruptions resulting from inadequate security configurations"

They maintain security configuration benchmarks for multiple types of systems, with free tools to help you configure your systems.

Win2k Services

October 26, 2003


Quick note:

Sometimes google turns up some really great resources. Take a look at this 4 page pdf file of Win2k Services. Damn I love google (even at 3:30 in the morning).

Security audit


Security audit: "To see how well-prepared a typical enterprise network is, we found a business willing to let us tag along while a professional auditing company poked and probed 28 of its servers, and then delivered its findings in a face-to-face meeting.
The results were frightening - and should sound the alarm for IT directors everywhere."

This is an awesome article.. please take a good look at it.

This article is from Network World Fusion - a great internet and print resource.

New law would require computer security audits, status reports - Computerworld

October 25, 2003


This would change some attitudes:

New law would require computer security audits, status reports - Computerworld: " WASHINGTON -- New legislation being drafted in the U.S. House of Representatives, which could be introduced as early as next week, would require all publicly traded companies to conduct independent computer security assessments and report the results yearly in their annual reports. "

From ComputerWorld

Son of MSBlast on the way? | CNET News.com

October 24, 2003


This one targets the Microsoft Security Bulletin MS03-043 hole. I suggest disabling the (useless) Messenger service on all of your Windows devices to ward off this vuln and any future holes that may be found. The easiest way to do this in an AD environment is to use Group Policy.
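As an added example (not code from the original post), here is the per-host version of that advice in PowerShell, covering both the Messenger service targeted by MS03-043 and the Computer Browser service from the "Eliminating Domain Browsing Errors" entry at the top of this page. Note that this Messenger service is the one behind "net send" pop-ups, not the Windows Messenger / MSN Messenger chat client. The short service names used are 'Messenger' and 'Browser'.

```powershell
# Added example, not code from the original post. Run from an elevated prompt.
# Short service names: 'Messenger' (the net send pop-up service hit by MS03-043)
# and 'Browser' (the Computer Browser service discussed at the top of this page).
$services = @('Messenger', 'Browser')

foreach ($name in $services) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) {
        "$name is not installed on this host; nothing to do"
        continue
    }
    # Disable the startup type first so the service cannot return at the next boot,
    # then stop the running instance.
    Set-Service -Name $name -StartupType Disabled
    if ($svc.Status -ne 'Stopped') {
        Stop-Service -Name $name -Force
    }
    # Verify against both the live state and the persisted Start value (4 = Disabled).
    $start  = (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$name" -Name Start).Start
    $status = (Get-Service -Name $name).Status
    if ($status -ne 'Stopped' -or $start -ne 4) {
        throw "${name} is still status=$status start=$start"
    }
    "${name}: status=$status start=$start"
}
```

For the Group Policy route, the equivalent setting lives under Computer Configuration > Windows Settings > Security Settings > System Services, where each service can be set to Disabled for every machine the GPO applies to. Windows XP SP2 ships with the Messenger service disabled by default, and Vista and later do not include it at all, which is why the script treats a missing service as nothing to do.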

Here's the article:

Son of MSBlast on the way? | CNET News.com: "Released on a security mailing list earlier this week, the program takes advantage of a flaw in Microsoft's Messenger Service to cause Windows-based computers to crash. The vulnerability affects almost every current Microsoft Windows system, leaving security experts concerned that independent hackers will quickly find a way to take control of a large number of computers by exploiting the flaw. "

"I think we are going to see a repeat of the (MSBlast worm)," said Vincent Weafer, senior director of Symantec's antivirus research center, referring to the program that spread across the Internet in August. The program used a similarly widespread Windows flaw to break through computers' security. "It took three weeks (for hackers) to figure out a working worm in that case."

From CNET News.com -- Technology news and business reports

RSS Feeds

October 22, 2003


I've posted before about the wonders of RSS.. well, here's some great RSS sources out there for you SysAdmins:

Take a look at NewsIsFree.com for a huge collection of RSS feeds.

http://www.net-security.org/dl/bck/news.rss - Help Net Security News
http://www.net-security.org/dl/bck/vuln.rss - Help Net Security Vulnerabilities
http://www.net-security.org/dl/bck/advi.rss - Help Net Security Advisories
http://www.net-security.org/dl/bck/sowi.rss - Help Net Security Windows Software
http://www.net-security.org/dl/bck/soli.rss - Help Net Security Linux Software

http://www.securityfocus.com/rss/news.xml - SecurityFocus News
http://www.securityfocus.com/rss/vulnerabilities.xml - SecurityFocus Vulnerabilities

http://www.inetsecurity.info/backend.php - Internet Security Information & Tools

http://de.trendmicro-europe.com/enterprise/security_info/rssinfo.php - Trend Micro Virus Alert

http://xml.newsisfree.com/feeds/95/95.xml - PacketStorm Security Files

http://www.computerworld.com/news/xml/0,5000,583,00.xml - Computerworld Hacking News
http://www.computerworld.com/news/xml/0,5000,73,00.xml - Computerworld Security News

http://www.cert.org/channels/certcc.rdf - CERT

http://www.theregister.co.uk/feeds/latest.rdf - TheRegister News

http://www.thundermain.com/rss/ - Microsoft Download Center

http://arstechnica.com/etc/rdf/ars.rdf - Ars Technica

http://www.netsys.com/news.rdf - Netsys News

http://www.pcworld.com/resource/browse/0,cat,1537,sortIdx,1,00.asp - PCWorld Viruses
http://rss.pcworld.com/rss/downloads.rss?period=week - PCWorld Popular Downloads of the Week

http://www.wired.com/news_drop/netcenter/netcenter.rdf - Wired

http://www.techdirt.com/techdirt_rss.xml - Techdirt

http://slashdot.org/slashdot.rdf - Slashdot

http://lockergnome.com/rss/techspecialist.php - Lockergnome Tech Specialist

MorphaSys AutoDeFrag

October 21, 2003


For those of you that need to schedule defrag on Windows2000, take a look at MorphaSys AutoDeFrag.

AutoDeFrag is a launcher for the standard defragmenter built into Windows 2000. The standard defragmenter does not support the ability to be scheduled, and therefore must be manually launched when required, once for each fixed disk in your system.

AutoDeFrag works around this limitation and allows the Windows 2000 Task Scheduler to be used to schedule the defragmenter.
AutoDeFrag is a tiny (~50k) Win32 console application that does not require any user input.

Just copy the .exe into a folder (like in \winnt) and schedule, or use the at command via command prompt.

SpamBayes Outlook Addin

October 16, 2003


This is awesome! SpamBayes is a free, open-source spam-killing plugin for Outlook and Outlook Express. Using the superior Bayesian mathematical method and a self-training method, this program can achieve 99% spam blocking functionality within a week of use. This is my spam solution, and it's worth a try.

A TechTV write-up on SpamBayes:
TechTV | SpamBayes: Spam Prevention With Smarts

Download the plugin here:

SpamBayes Outlook Addin

or here:

SpamBayes: Bayesian anti-spam classifier written in Python.

Quote from spambayes.sourceforge.net:

SpamBayes will attempt to classify incoming email messages as 'spam', 'ham' (good, non-spam email) or 'unsure'. This means you can have spam or unsure messages automatically filed away in a different mail folder, where it won't interrupt your email reading. First SpamBayes must be trained by each user to identify spam and ham. Essentially, you show SpamBayes a pile of email that you like (ham) and a pile you don't like (spam). SpamBayes will then analyze the piles for clues as to what makes the spam and ham different. For example; different words, differences in the mailer headers and content style. The system then uses these clues to examine new messages.

Two More Bulletins (for Exchange)

October 15, 2003


Microsoft Security Bulletin MS03-046 - Vulnerability in Exchange Server Could Allow Arbitrary Code Execution (829436)

Microsoft Security Bulletin MS03-047 - Vulnerability in Exchange Server 5.5 Outlook Web Access Could Allow Cross-Site Scripting Attack (828489)

--------------------------------------------------------------------
Title: Microsoft Exchange Server Security Bulletin Summary for October 2003
Issued: October 15, 2003
Version Number: 1.0
Bulletin: http://www.microsoft.com/technet/security/excoct03.asp
--------------------------------------------------------------------

Microsoft Releases MS03-041-MS03-045


I've grown to hate Wednesdays:

Microsoft Windows Security Bulletin Summary for October, 2003

Microsoft Security Bulletin MS03-041 - Vulnerability in Authenticode Verification Could Allow Remote Code Execution (823182)

Microsoft Security Bulletin MS03-042 - Buffer Overflow in Windows Troubleshooter ActiveX Control Could Allow Code Execution (826232)

Microsoft Security Bulletin MS03-043 - Buffer Overrun in Messenger Service Could Allow Code Execution (828035)

Microsoft Security Bulletin MS03-044 - Buffer Overrun in Windows Help and Support Center Could Lead to System Compromise (825119)

Microsoft Security Bulletin MS03-045 - Buffer Overrun in the ListBox and in the ComboBox Control Could Allow Code Execution (824141)

Exploit code targets recent RPC flaws

October 13, 2003


I know I went on and on about this exploit weeks ago, but this time it's a little different. Here's a post from the NTSysAdmin list:

rpc-dcom2 exploit: It doesn't matter if your system is patched. I tried this against a fully patched win2k and a fully patched XP system. Both systems crashed or crucial operating system services crashed but explorer remained

Microsoft admits that WinXP SP1, even though patched, got exploited (but says that they haven't tested it on other platforms). This is bad, really bad.

Here's a little help:

Snort signature (written on a single line, as Snort requires; the original was missing its closing parenthesis, and sid:1 falls in Snort's reserved range, so a local rule should use a sid of 1000000 or higher):
alert tcp any any -> any 135 (msg:"RPC Vulnerability - bind initiation"; content:"|05 00 0B 03 10 00 00 00 48 00 00 00 7F 00 00 00 D0 16 D0 16 00 00 00 00 01 00 00 00 01 00 01 00 A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46 00 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 02 00 00 00|"; sid:1000001; rev:1;)

One suggestion would be to turn off these services and to block ports TCP 135, 139, 445 and 593, and UDP 135, 137, 138 and 445. I urge caution before doing this; numerous programs/applications rely on RPC/DCOM and these ports (like ScanRouter, which I had some RPC issues with over the weekend, or Veritas NetBackup).

Here's a SearchSecurity article for further information: SearchSecurity.com | Exploit code targets recent RPC flaws

Link to the code: rpcdcom3.c

SearchSecurity.com | Flaws found in IE and Adobe browser utility

October 08, 2003


"Late last week, Microsoft released a fix that addressed a way the flaw could be exploited but didn't fix the ADODB.Stream object itself, iDefense said in its advisory. 'I would not be surprised to see another wave of quiet, yet dangerous, Trojan attacks in light of this new exploit code,' Ken Dunham, iDefense's director of malicious code, said in the advisory.
Reston, Va.-based iDefense recommends users set a kill bit in the Windows registry to prevent the attack. Here is the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000566-0000-0010-8000-00AA006D2EA4}
Then users would need to create a dword value called 'Compatibility Flags' with the value '400.' "

Read more about this in this Search Security Article.
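As an added example (not code from the article or from iDefense), here is the kill bit set from PowerShell for the CLSID quoted above. The "400" in the advisory is hexadecimal: the kill bit is 0x00000400 (decimal 1024), which is what you would type into regedit with "Hexadecimal" selected. The script ORs the bit into any flags already present rather than overwriting them, and reads the value back to confirm it stuck.

```powershell
# Added example, not code from the article. Run from an elevated prompt.
$clsid   = '{00000566-0000-0010-8000-00AA006D2EA4}'   # ADODB.Stream, from the advisory quoted above
$base    = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$key     = Join-Path $base $clsid
$KillBit = 0x400   # the advisory's "400" is hexadecimal: 0x00000400, decimal 1024

if (-not (Test-Path -LiteralPath $key)) {
    New-Item -Path $key -Force | Out-Null
}

# OR the bit into whatever flags are already there instead of overwriting them.
$existing = (Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
$new = [int]$existing -bor $KillBit
New-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -PropertyType DWord -Value $new -Force | Out-Null

# Verify by reading back what is actually stored.
$stored = (Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags').'Compatibility Flags'
if (($stored -band $KillBit) -ne $KillBit) {
    throw "Kill bit not set for $clsid"
}
'Kill bit set for {0} (Compatibility Flags = 0x{1:X})' -f $clsid, $stored
```

On 64-bit Windows, 32-bit Internet Explorer reads the same key under HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility, so set $base to that path and run it a second time there. The kill bit only stops IE from instantiating the control from a web page; the DLL itself stays on disk and is still usable by other applications.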

SecurityFocus HOME Infocus: Exploiting Cisco Routers (Part One)

October 07, 2003


SecurityFocus HOME Infocus: Exploiting Cisco Routers (Part One)

Another great SecurityFocus article, this time on Exploiting Cisco Routers, part 1. This is the first of a three-part series that will focus on identifying and then exploiting vulnerabilities and poor configurations in Cisco

Check out this article, which is brought to you by SecurityFocus. While there, subscribe to their newsletters, mailing lists, and RSS feeds.

Linux vs. Windows Viruses


SecurityFocus NEWSLETTERS Columnists: Linux vs. Windows Viruses

A GREAT article on why Linux is better than Windows when it comes to viruses. Here's a quote:

"There are about 60,000 viruses known for Windows, 40 or so for the Macintosh, about 5 for commercial Unix versions, and perhaps 40 for Linux. Most of the Windows viruses are not important, but many hundreds have caused widespread damage. Two or three of the Macintosh viruses were widespread enough to be of importance. None of the Unix or Linux viruses became widespread - most were confined to the laboratory."

Check out this article, which is brought to you by SecurityFocus. While there, subscribe to their newsletters, mailing lists, and RSS feeds.

U.S. SENATE: Coleman seeks lower file-sharing penalties

October 04, 2003


Pioneer Press | 10/03/2003 |: "Sen. Norm Coleman, two days after holding a high-profile hearing on the recording industry's anti-piracy campaign, said Thursday he will push legislation this year to reduce legal penalties for people who download copyrighted music off the Internet.
Coleman, R-Minn., said current penalties, $750 to $150,000 per song downloaded, are excessive and enough to scare innocent people into settling lawsuits filed by the recording industry."

Coleman said he will also press for changes in federal law to curb the recording industry's subpoena power.

Microsoft Security Bulletin MS03-040


Microsoft Security Bulletin MS03-040

----------------------------------------------------------------------
Title: Cumulative Patch for Internet Explorer (828750)
Date: October 3, 2003
Software: Internet Explorer 5.01
Internet Explorer 5.5
Internet Explorer 6.0
Internet Explorer 6.0 for Windows Server 2003
Impact: Run code of attacker's choice
Max Risk: Critical
Bulletin: MS03-040

Microsoft encourages customers to review the Security Bulletins at:
----------------------------------------------------------------------
Recommendation: Customers should apply the patch immediately.

Admin Links

October 03, 2003


Well, I decided to throw together a quick list of links that I find valuable in the world of SysAdminHell. (Note: They are in no particular order, so the links at the bottom of the list are just as important as the ones at the top).

EventID.Net - The resource for Event Log information. Just input the event id and source into the search feature for tons of valuable information.

TechNet Online - Microsoft's resource for all things IT. A very valuable resource.

JSI, INC. - A massive collection of FAQs/Tips/Solutions for almost any topic you may need information on.

DriverGuide.com - Search for drivers for any piece of hardware you may encounter. Membership is required, but it is quick and free (and everyone gets the same login user/pass). A must visit site anytime you are without a driver.

Windows NT/2000 FAQ - A large collection of Windows FAQs, all nice and searchable.

Windows 2000 Resource Center at LabMice.net - A beautiful resource, loads of how-tos, tutorials, articles, downloads - everything you might need to be a good admin.

NETSYS.COM - Find the latest news and articles as well as tons of archived info on the site that claims to be "The Intelligent Hacker's Choice!".

TechTutorials: Free Computer, Programming, Networking and Application Tutorials - A nice (FREE!) collection of IT tutorials ranging from Windows to Unix, Hardware to Programming, even sections on OS2 and DOS!

Ars Technica - Ars Technica is "The PC Enthusiast's Resource" (I visit this site at least 3-4 times a week just to read the news and commentary).

Top 75 Network Security Tools - A list of the best network security tools around - brought to you by the creator of nmap, Fyodor.

Help Net Security - A great resource of security news, advisories, downloads, and articles.

.:[packet storm]:. - An extremely large and current security resource.

SecurityFocus - This site is an excellent resource when it comes to vulnerability advisories, newsletters, mailing lists, news, tools, etc. Seriously. Excellent.

The UltraTech® Knowledgebase Viewer - A collection of KB's based off the NTSysAdmin Mailing List (the best NTSysAdmin list around) - Tons of information, resources, links, etc (it's hard to not get side-tracked by all of the interesting information on this site).

Pacs-Portal Startups List - Find anything that may be in your computer's startup list (msconfig) here - a great resource if the site is up.

Google - This is a given, the ONLY search engine around in my world.

Symantec - A great virus database, great virus removal tools = a great resource when you have a virus problem.


October 02, 2003


Sometimes you just need a quick break from the day. Here are a few links to help you out:

User Friendly the Comic Strip - The Daily Static - The best IT comic around.

Dilbert.com - The Official Dilbert Website - A [true] look into the life of the office worker.

The Bastard Operator From Hell Official Archive - The original Bastard.

The Register - Bastard Operator From Hell - A true IT hero.

Web of es.comp.os.linux.*: comic from es.comp.os.linux.* - Translated from Spanish, sometimes hard to follow but still entertaining.



A zero-day exploit targeting an Internet Explorer vulnerability (versions 5 and forward) is being used to install a Trojan. Experts warn that it's only a prelude to a series of attacks that are likely to wreak havoc given the number of unprotected systems.

"This zero-day exploit is huge. It will likely be a major, and highly successful, vector of attack upon thousands of computers for some time," says Ken Dunham, malicious code intelligence manager at iDEFENSE. "We have verified that attackers are installing backdoor Trojans and dialers on targeted computers at will."

"Multiple examples of the exploit code are available for attackers to analyze and use in crafting their own attack," adds Dunham. "This type of code availability and underground activity traditionally foreshadows a flurry of malicious attacks."

Microsoft first issued a patch for the 'object type' vulnerability on Aug. 20. The flaw allows an attacker to compromise a system by embedding malicious code in a Web page. If the Web page is viewed with a fully patched IE browser, the malicious code embedded in the Web page will execute. The 'object type' vulnerability patch doesn't prevent this variation of the flaw, but Microsoft plans to issue a fix shortly.

- From Security Wire Digest
to subscribe, go to http://infosecuritymag.bellevue.com

Disaster Recovery on Different Hardware - Only DC in Domain

September 29, 2003


We're testing different Disaster Recovery techniques in the event that one of our domain controllers (the only one in the domain at the time) is destroyed and we cannot find similar hardware to restore to. Here are some of the Microsoft KB articles that help in this process:

263532 - How to Perform a Disaster Recovery Restoration of Active Directory on Dissimilar Hardware

237556 - How to Troubleshoot Windows 2000 Hardware Abstraction Layer Issues

229716 - Description of the Windows 2000 Recovery Console

255504 - Using Ntdsutil.exe to Seize or Transfer FSMO Roles to a Domain Controller

249694 - How to Move a Windows 2000 Installation to Different Hardware

292175 - How to Perform an In-Place Upgrade of Windows 2000

306952 - What an In-Place Windows 2000 Upgrade Changes and What It Does Not Change

RSS newsfeeds

September 25, 2003


Attention Info Addicts: RSS is a great thing. It stands for many things, but in my world, RSS stands for only one: bringing information to my desktop. It's like having a program that continually hits news websites for new headlines, security sites for new advisories, blogs for new postings, etc., and places all of the new information into one simple program, ready for you to digest. Personally I get the latest advisories, news, tech news, tech blogs, and even info on hockey all in one place, reducing the need to hit 20 or 30 websites every 30 minutes to stay on top of the game. Here are a few links you'll need to get started:

Recommended Reader:

Wildgrape NewsDesk - this free program is fast and easy. The only gripe I have about it is that all of a sudden it seems to want to crash on my work pc (probably a .Net issue). Other than that, it runs great on my home box and lets me quickly stay informed.

Where to look for RSS feeds:

djeaux :: RSS newsfeeds - Has a short listing of Security-related newsfeeds.

NewsIsFree - an insane database full of news feeds for many different subjects.

Blogstreet - Lists blogs with RSS feeds.

A helpful article:

Blogs: Another Tool in the Security Pro's Toolkit

RIAA collects fines, doesn't pay artists

September 22, 2003


This is an interesting passage from theInquirer.net:

"The notion of copyright infringement as theft was clearly addressed in the 1985 Supreme Court decision of Dowling v. United States. While this case involved hard goods (phonograph records), Justice Harry Blackmun was most certainly speaking of abstract property (copyrights) when he wrote these words in his majority decision overturning Dowling's conviction of interstate transport of stolen property: '(copyright infringement) does not easily equate with theft, conversion, or fraud... The infringer invades a statutorily defined province guaranteed to the copyright holder alone. But he does not assume physical control over copyright; nor does he wholly deprive its owner of its use.'"

This is the article:
RIAA collects fines, doesn't pay artists

This is hilarious: User Friendly Amnesty Form

And also this: Accounting for 12-year old Brianna LaHara's Settlement by the RIAA.

Windows 2000 backup command-line switches

September 19, 2003


As an Admin, sometimes you find the need to use the built-in MS Backup utility. Here's a quick syntax summary:

JSI Tip 4113: More on Windows 2000 backup command-line switches.

ntbackup backup [systemstate] "bks file name" /j {"job name"} [/p {"pool name"}] [/g {"guid name"}] [/t { "tape name"}] [/n {"media name"}] [/f {"file name"}] [/d {"set description"}] [/ds {"server name"}] [/is {"server name"}] [/a] [/v:{yes|no}] [/r:{yes|no}] [/l:{f|s|n}] [/m {backup type}] [/rs:{yes|no}] [/hc:{on|off}] [/um]
systemstate Specifies that you want to back up the system state data. When you back up the system state data, all of the system state data is backed up, so the /s switch does not apply. Also, the backup type is forced to normal or copy.
bks file name Specifies the name of the backup selection file (.bks file) to be used for the backup operation. A backup selection file contains information on the files and folders that you have selected for backup. You have to create the file by using the graphical user interface (GUI) version of Backup.
/j {"job name"} Specifies the job name to be used in the log file. The job name usually describes the files and folders that you are backing up in the current backup job as well as the date and time at which you backed up the files.
/p {"pool name"} Specifies the media pool from which you want to use media. This is usually a subpool of the Backup media pool, such as 4mm DDS. If you select this, do not use the following switches: /a /g /f /t.
/g {"guid name"} Overwrites or appends to this tape. Do not use this switch in conjunction with /p.
/t {"tape name"} Overwrites or appends to this tape. Do not use this switch in conjunction with /p.
/n {"media name"} Specifies the new tape name. Do not use /a with this switch.
/f {"file name"} Logical disk path and file name. You cannot use the following switches with this switch: /p /g /t.
/d {"set description"} Specifies a label for each backup set.
/ds {"server name"} Backs up the directory service file for the specified Microsoft Exchange server.
The /DS command line switches for NTBackup (with Exchange 5.5) no longer work with NTBackup for Exchange 2000. The Directory Store (DS) switch is not relevant since Exchange 2000 uses the Windows 2000 Active Directory. The Information Store (IS) switch does not apply since the structure of the Information Store has changed from Exchange 5.5
/is {"server name"} Backs up the Information Store file for the specified Exchange server.
The /IS command line switches for NTBackup (with Exchange 5.5) no longer work with NTBackup for Exchange 2000. The Directory Store (DS) switch is not relevant since Exchange 2000 uses the Windows 2000 Active Directory. The Information Store (IS) switch does not apply since the structure of the Information Store has changed from Exchange 5.5
/a Performs an append operation. Either /g or /t must be used in conjunction with this switch. Do not use this switch in conjunction with /p.
/v:{yes|no} Verifies the data after the backup is complete.
/r:{yes|no} Restricts access to this tape for the owner or members of the Administrators group.
/l:{f|s|n} Specifies the type of log file: f=full, s=summary, n=none (with n, no log file is created).
/m {backup type} Specifies the backup type. It must be one of the following: normal, copy, differential, incremental, or daily.
/rs:{yes|no} Backs up the Removable Storage database.
/hc:{on|off} Uses hardware compression, if it is available, on the tape drive.
/um Finds the first available media, formats it, and uses it for the current backup operation. Use the /p switch to designate a device-type media pool when you use the /um switch so that Backup searches for the appropriate type of media, such as 4mm DDS. When you use the /um switch, Backup searches the following media pools for available media: Free pool, Import pool, Unrecognized pool, and Backup pool. When available media is found, the search stops and the media is formatted and then used without prompting you for input. This command is not applicable to tape loaders and you should only use it if you have a standalone tape device.
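A system state backup to a disk file, built from the switches summarized above, as an added example (not from the JSI tip or from Microsoft). The target folder, file name and job name are assumptions; the script runs ntbackup.exe from PowerShell so the date stamp and folder check can be scripted around it.

```powershell
# Added example: nightly system state backup to a .bkf file with ntbackup.exe.
# Paths, job name and target folder are assumptions; adjust for your server.
$stamp  = Get-Date -Format 'yyyyMMdd'
$folder = 'D:\Backups'                                   # assumption
$target = Join-Path $folder "dc1-systemstate-$stamp.bkf"
$job    = "DC1 system state $stamp"

if (-not (Test-Path $folder)) {
    New-Item -ItemType Directory -Path $folder | Out-Null
}

# /f writes to a file, so the tape-only switches /p, /g and /t must not be given.
# systemstate forces the backup type to normal (or copy); /v:yes verifies the set,
# /r:no leaves the media readable by more than the owner/Administrators,
# /l:s writes a summary log.
& ntbackup.exe backup systemstate /j $job /f $target /d "System state $stamp" `
    /v:yes /r:no /l:s /m normal

# ntbackup's exit code is not a reliable success signal; check the artifact instead.
if (Test-Path $target) {
    Get-Item $target | Select-Object FullName, Length, LastWriteTime
} else {
    Write-Warning "Backup file $target was not created; read the ntbackup log"
}
```

When a selection file is used as well, it is passed as `@name.bks`, and the .bks file itself has to come from the Backup GUI, as the summary notes. The summary log lands under the user's profile in the NTBackup\data folder; checking that log and the .bkf's timestamp is the minimum verification for an unattended job.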

Software Update Services Now Support Service Packs

September 18, 2003


Here's some interesting news:

Microsoft's SUS Website:
Software Update Services now provides Windows service packs (SPs), in addition to critical and security updates. SUS will deliver Windows XP SP1, Windows 2000 SP4, and all future service packs for Windows 2000, Windows XP, and the Windows Server™ 2003 family of products.

This will surely save some wear and tear on the shoes, but trying to use it to deploy to a large number of hosts will not be trouble-free. Some suggest setting up several SUS servers or using GPO to control deployments.

For those of you who do not know about SUS, go here: Software Update Services. It is a free and easy way to provide critical updates and (now) service packs to your client PCs/servers instead of manually doing them or having your users go to Windows Update to patch themselves. You also have the power to approve which updates are installed. This website, SUSserver.com, is a great resource for SUS.

Improve Performance by Disabling the Indexing Service

September 17, 2003


I've seen several tips on freeing up CPU cycles by enacting this minor tweak. Here's the how-to:

This excerpt from Windows-Help.NET:

"To disable the Indexing service, open Computer Management from Administrative Tools (on the Start menu if you enabled this, or from the Control Panel), select Services and Applications, double click Services, and find the Indexing Service. Double click to bring up the Properties window, and click Stop to let Windows stop the service. Then from the Status type drop down box select Disabled."

MSBlast copycat set to pounce, firm says | CNET News.com


MSBlast copycat set to pounce, firm says | CNET News.com

Here's even more warning to all of you out in SysAdminHell. I've heard multiple sources say that it's only a matter of days before said worm is released, and it won't be pretty.

For those of you who don't like to patch, get your resumes ready. I heard that the Real Estate industry is doing rather well.

MS03-039 Exploit How-To Released!!

September 14, 2003


Ok guys.. I just received this email on the NTSysAdmin mailing list:

The PSS Security team is issuing this alert to advise customers that on Saturday 9/13/03 a research company called XXXXXX published a paper providing guidance on how to exploit the vulnerabilities patched by Microsoft Security Bulletin MS03-039. To date we've had no reports of actual exploit code being publicly available or being used actively in a worm or virus.

The paper makes it very simple for your 11-year-old neighbor to write a worm with this exploit.

Patch your systems!! Mine are all patched (as of today) so get busy.

Find out more about the PSS Security Team.

Export Information from Active Directory

September 12, 2003


Here's a quick and easy way to gather information from Active Directory and import it into a spreadsheet:

Run Active Directory Users and Computers.

Select View -> Add/Remove Columns, and add the columns you want to display and export (e-mail address, last name, etc.).

Select the Users container or another organizational unit (OU) within your Active Directory hierarchy.

Right-click on this same container/OU, select Export List and provide a path/filename.

Open up the exported text file with Microsoft Excel or another spreadsheet application. You now have the information you need in spreadsheet format.
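The same export done from the command line, as an added example (not part of the original post). It uses the .NET DirectorySearcher, so it needs no extra modules on a domain-joined machine; the OU distinguished name, the attribute list and the output path are assumptions.

```powershell
# Added example: export users from an OU to CSV without the MMC GUI.
# OU path and output file are assumptions; adjust to your domain.
$ouDn = 'OU=Staff,DC=example,DC=local'                    # assumption
$out  = Join-Path $env:USERPROFILE 'Desktop\users.csv'     # assumption

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$ouDn"
# objectCategory=person + objectClass=user excludes computer accounts and contacts.
$searcher.Filter   = '(&(objectCategory=person)(objectClass=user))'
$searcher.PageSize = 1000          # paged results, so large OUs are not truncated
foreach ($attr in 'sAMAccountName','givenName','sn','mail','userAccountControl') {
    [void]$searcher.PropertiesToLoad.Add($attr)
}

$rows = $searcher.FindAll() | ForEach-Object {
    $p = $_.Properties
    [pscustomobject]@{
        Logon     = [string]$p['samaccountname'][0]
        FirstName = [string]$p['givenname'][0]
        LastName  = [string]$p['sn'][0]
        Email     = [string]$p['mail'][0]
        # bit 0x2 of userAccountControl is ACCOUNTDISABLE
        Disabled  = ([int]$p['useraccountcontrol'][0] -band 0x2) -ne 0
    }
}

$rows | Export-Csv -Path $out -NoTypeInformation -Encoding UTF8
"{0} accounts written to {1}" -f @($rows).Count, $out
```

The Disabled column is the reason to pull userAccountControl: a spreadsheet of accounts that nobody has cleaned up is a lot more useful when the disabled ones are flagged. Add attributes to the PropertiesToLoad list and the object literal together, because the searcher only returns what it was asked for.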

Enable Account Management Auditing

September 11, 2003


Here's a good hint:

Enable Account Management Auditing

Sometimes you want to know what is going on with your Active Directory at all times (who wouldn't, right?). User lockouts, creations, deletions, etc. To get these events into your event logs, you must enable the Audit account management policy for both success and failure. Here's how:

1. Log into your domain controller.
2. Select Domain Controller Security Policy under Administrative Tools in the start menu.
3. Navigate to Security Settings -> Local Policies -> Audit Policy.
4. Enable Audit Account Management for success and failure.
5. Done.

Look out for these events in your event logs (or use a filter program, such as EventSentry).

624 - user account creation
642 - user account changed
630 - user account deleted
628 - user account password set
627 - user account password change attempt
644 - user account locked out
642 - user account changed: account disabled
645 - computer account created
647 - computer account deleted
635 - local group created
639 - local group changed
638 - local group deleted
631 - global group created
641 - global group changed
634 - global group deleted

Many thanks to Windows & .Net Magazine for publishing such a great article on this. If you don't regularly read this magazine, then you're no SysAdmin (well, in the Windows world at least).
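A quick way to pull exactly these events out of a domain controller's Security log, as an added example (not from the magazine article or the original post). It assumes you run it with rights to read the Security log, and the 24-hour window is an assumption.

```powershell
# Added example: list the account-management events from the table above.
# Needs rights to read the Security log (Administrators on the DC).
$accountEvents = @{
    624 = 'user account created'
    627 = 'user account password change attempt'
    628 = 'user account password set'
    630 = 'user account deleted'
    631 = 'global group created'
    634 = 'global group deleted'
    635 = 'local group created'
    638 = 'local group deleted'
    639 = 'local group changed'
    641 = 'global group changed'
    642 = 'user account changed'
    644 = 'user account locked out'
    645 = 'computer account created'
    647 = 'computer account deleted'
}

$since = (Get-Date).AddHours(-24)      # assumption: look back one day

Get-EventLog -LogName Security -After $since |
    Where-Object { $accountEvents.ContainsKey([int]$_.EventID) } |
    Select-Object TimeGenerated, EventID,
        @{ n = 'What';  e = { $accountEvents[[int]$_.EventID] } },
        @{ n = 'Actor'; e = { $_.UserName } },
        # first line of the message names the account or group that was touched
        @{ n = 'Detail'; e = { ($_.Message -split "`n")[0].Trim() } } |
    Sort-Object TimeGenerated |
    Format-Table -AutoSize
```

A lockout (644) or a deletion (630) showing up under an Actor you do not expect is the thing to look at first. Run this on each DC, since the event is logged on the DC that processed the change. On Windows Vista and later the classic IDs were replaced by the 4xxx series (for example 4720 for account created and 4740 for lockout), so the table needs updating there.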



Hey kids. INSTALL THE MS03-039 PATCH NOW!!! This is no bloody joke. Yesterday afternoon Microsoft had the nerve to disrupt my already busy day by releasing Microsoft TechNet Security Bulletin MS03-039, which is yet ANOTHER hole in the RPC service. Every single Windows NT kernel-based computer is affected (2k, NT, 2k3, XP). Blaster 2 is only a matter of tweaking the original Blaster worm, so patch now. I've been watching the lists and newsgroups closely (as well as my own installations) and haven't seen any issues with this patch as of yet. It may also be of interest to grab the free eEye RPC scanner here to get a good look at what's vulnerable on your networks.

Remember: Now that you know, it's up to you whether you spend a few hours and some reboots to patch now or spend a ton of time cleaning viruses later.