I use Ultr@VNC to remotely manage a large number of machines. The other day, after putting one of the machines on the domain, Ultr@VNC would no longer accept my password (no, caps lock was not the issue). This was unfortunate since the machine is over 1000 miles away, was lacking the needed configuration changes to be operational, and there was no way the employees on site would be able to help me.
The solution? Remote registry editing. Since the machine was now on the domain, I opened regedit on my domain controller. From there, I connected to the problem machine's registry and navigated to: HKEY_LOCAL_MACHINE\software\ORL\WINVNC3\default. There is a REG_BINARY value named "Password". I opened the same value on a properly configured machine and typed that machine's bytes into the problem machine's Password value. I restarted the WinVNC service using the "Computer Management" console and was able to connect using my correct password.
Another hint is that you can export this key to easily set up multiple installations of Ultr@VNC, or to quickly make changes to already deployed installs. Here's the link to the Registry values for Ultr@VNC server.
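The same fix done from a script instead of regedit, as an added example that is not part of the original post and not code from the UltraVNC project. It assumes the host names GOODHOST and BROKENHOST, that the service is registered as WinVNC (check with Get-Service on the target), and that the Remote Registry service is running on both machines; you need local admin rights on both, which is what the remote registry ACL enforces. It also shows why copying the blob works at all: the value is the password DES-encrypted under one fixed key that ships in every VNC build, so anyone who can read that key can read the password, and the ACL on it deserves the same care as the password itself.

```powershell
# Added example, not from the post: copy the WinVNC3 "Password" value from a machine
# that still accepts your password to one that does not, over the Remote Registry
# service, then restart the VNC service. Host names and the service name are assumptions.
[CmdletBinding()]
param(
    [string]$GoodHost   = 'GOODHOST',
    [string]$BrokenHost = 'BROKENHOST',
    [string]$VncService = 'WinVNC'      # assumption: confirm with Get-Service on the target
)
$subKey = 'SOFTWARE\ORL\WinVNC3\Default'

function Read-VncPasswordBlob([string]$Computer) {
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
    try {
        $key = $hklm.OpenSubKey($subKey, $false)
        if (-not $key) { throw "$subKey not found on $Computer" }
        if ($key.GetValueKind('Password') -ne [Microsoft.Win32.RegistryValueKind]::Binary) {
            throw "Password on $Computer is not REG_BINARY"
        }
        return ,[byte[]]$key.GetValue('Password')
    } finally { $hklm.Close() }
}

function Write-VncPasswordBlob([string]$Computer, [byte[]]$Blob) {
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
    try {
        $key = $hklm.OpenSubKey($subKey, $true)
        if (-not $key) { throw "$subKey not found on $Computer" }
        $key.SetValue('Password', $Blob, [Microsoft.Win32.RegistryValueKind]::Binary)
    } finally { $hklm.Close() }
}

function ConvertFrom-VncPasswordBlob([byte[]]$Blob) {
    # Why copying the blob works, and why the key's ACL matters: the value is the
    # password DES-encrypted (ECB, no padding) under one fixed key present in every
    # VNC build, so anyone who can read the value can recover the clear text.
    $des = [Security.Cryptography.DES]::Create()
    $des.Mode    = [Security.Cryptography.CipherMode]::ECB
    $des.Padding = [Security.Cryptography.PaddingMode]::None
    $fixedKey = [byte[]](0x17,0x52,0x6B,0x06,0x23,0x4E,0x58,0x07)
    $dec = $des.CreateDecryptor($fixedKey, (New-Object byte[] 8))
    $clear = $dec.TransformFinalBlock($Blob, 0, 8)      # classic servers store 8 bytes
    return ([Text.Encoding]::ASCII.GetString($clear)).TrimEnd([char]0)
}

[byte[]]$blob = Read-VncPasswordBlob $GoodHost
Write-Verbose ("Blob from {0} decrypts to a {1}-character password" -f $GoodHost,
               (ConvertFrom-VncPasswordBlob $blob).Length)
Write-VncPasswordBlob $BrokenHost $blob

# Restart the service on the remote host so the new value is read.
$svc = New-Object System.ServiceProcess.ServiceController($VncService, $BrokenHost)
$svc.Stop();  $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(30))
$svc.Start(); $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
```

The decrypt function is there to make the point, not for daily use: because the key is fixed and public, exporting this registry key to clone installs (the hint above) is the same as writing the VNC password down in clear text, so keep the exported .reg file where you would keep a password list.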
December 15, 2004
December 14, 2004
Microsoft Security Bulletin MS04-045 - Vulnerability in WINS Could Allow Remote Code Execution (870763) - Important - Remote Code Execution
Microsoft Security Bulletin MS04-044 - Vulnerabilities in Windows Kernel and LSASS Could Allow Elevation of Privilege (885835) - Important
Microsoft Security Bulletin MS04-043 - Vulnerability in HyperTerminal Could Allow Code Execution (873339) - Important
Microsoft Security Bulletin MS04-042 - Vulnerability in DHCP Could Allow Remote Code Execution and Denial of Service (885249) - Important
Microsoft Security Bulletin MS04-041 - Vulnerability in WordPad Could Allow Code Execution (885836) - Important
December 04, 2004
Sooner or later in your IT career, you'll be called upon to perform in some sort of 'management' position, whether it be as a Manager, Supervisor, or project/team lead. Here are some helpful resources to help with your transition:
The Two Most Important Management Secrets: The Pygmalion and Galatea Effects - The Pygmalion effect (expectations) and the Galatea effect (self-expectations) are useful concepts for leaders to understand.
Top 7 Leadership Guidelines For New Supervisors
Navigator newsletter - a free bi-monthly management newsletter.
December 01, 2004
Microsoft Security Bulletin MS04-040 - Cumulative Security Update for Internet Explorer (889293) - Critical
Straying away from its Black Tuesday policy, Microsoft has decided that this remote code execution vulnerability in Internet Explorer was serious enough to release a patch immediately. Windows XP SP 2 and versions previous to IE 6.x are not affected. Also not affected: Firefox, which I still fully endorse as the alternative to IE.
November 30, 2004
New Netscape browser supports Internet Explorer - Computerworld: "While current Firefox users can switch to IE when they have a problem with a Web site, AOL's Netscape unit found a different solution. If a Web site doesn't display well in the standard Firefox-based configuration in Netscape, it takes two clicks to display the page using the IE engine. The browser stores engine preferences for each Web site."
WOW!! It supports IE?!?! This is really a major improvement! In case you don't know me that well, the two previous statements are my form of sarcasm. This is nothing more than an extension that has been previously available for Firefox users called IE View that I reported about in a blog posting on October 10, 2004: "FireFox Extensions worth installing". Always beware the market-hype machine!!
PC World | Windows SP2 security compromised: "The October exploit required a user to drag an image from one part of a Web page to another, and then to click a button. At the time, Microsoft said the bug required too much user interaction to be considered serious. The new version, discovered by the Greyhats Security Group, eliminates the step of clicking a button, the group said. Like the earlier exploit, the new attack could lead to the execution of HTML and script code in the context of a trusted site, Greyhats said."
Normally I would respond to a release like this as "too much interaction on the part of the user; show me a remote exploit blaster-style and I'll be worried". But then I started thinking about it. People really ARE that stupid and will do pretty much anything that some website or email will tell them. Tip: Do not underestimate the stupidity of your users. If you give them too much credit, it will come back to bite you in the ass.
November 09, 2004
Microsoft Security Bulletin MS04-039: Vulnerability in ISA Server 2000 and Proxy Server 2.0 Could Allow Internet Content Spoofing (888258) - Important
Just glad this month wasn't as bad as the last.
November 01, 2004
SANS Institute - Security Policy Project: "Welcome to the SANS Security Policy Resource page, a consensus research project of the SANS community. The ultimate goal of the project is to offer everything you need for rapid development and implementation of information security policies. You'll find a great set of resources posted here already including policy templates for twenty-four important security requirements."
GREAT RESOURCE. There are a ton of example policies to help you get on your way, all including a downloadable Word template.
October 28, 2004
Using Domain Controller Virtual Machines: "Virtual Server is a Microsoft Windows-based server application that is optimized to provide virtualization of Windows Server operating systems concurrently on a single physical server. In combination with the Windows Server 2003 operating system, Virtual Server provides a platform for implementing domain controllers in virtual machines. With this platform, you can install multiple Windows Server 2003 or Windows 2000 Server domain controllers in separate virtual machines on a single physical server. In this way, you can host multiple domains, multiple domain controllers for the same domain, or even multiple forests on one physical server that is running a single operating system. "
October 22, 2004
Secunia - Advisories - Microsoft Internet Explorer Two Vulnerabilities - "http-equiv has discovered two vulnerabilities in Internet Explorer, which can be exploited by malicious people to compromise a user's system, link to local resources, and bypass a security feature in Microsoft Windows XP SP2."
It's funny to me that some media are making this a really big deal. Don't get me wrong, security IS a big deal, but what I'm referring to is the "It even affects SP2!!!!" spiel. SP2 isn't the end-all complete total security solution everyone dreams about; it helps (a lot), but nothing is perfect.
Another thing: this only allows the attacker to plant HTML code into the Local Computer zone, not run scripts (on SP2). I'm sure someone can get creative, but this is nowhere near the severity that most people hype it up to be. It's just like the "exploit" a week after SP2 came out where the attacker had to persuade the user to save a file, then open it...
Understanding Windows Logging - "This article will focus on the importance of monitoring your windows event logs and will highlight the information that is able to be extracted from typical windows logs that help to secure your critical servers. The importance of monitoring the logs will be stressed and creative ways to do this centrally will also be covered. Logging is a very important factor when attempting to decipher what has taken place on a server."
Actually, this entire website is a great resource. Check out WindowsSecurity.com.
October 14, 2004
O'Reilly Network: Google Your Desktop: "The Google Desktop is your own private little Google server. It sits in the background, slogging through your files and folders; indexing your incoming and outgoing email messages, listening in on your instant messenger chats, and browsing the Web right along with you. Just about anything you see and summarily forget, the Google Desktop sees and memorizes for you."
This is a great little article detailing the ins and outs of the new Google Desktop. I'm seriously considering using this. Here's an overview of features:
Real-time operation (in the background)
Indexes files, AIM chats, Outlook (and Express), Text files, MS Office files, and web cache
Indexes any other files by filename
Uses the Google syntax
Can also search the web (without giving up privacy)
The current Microsoft-supplied search is a joke. It's slow, only searches files, and doesn't find anything. Mac users have plenty of ammo against Windows in this arena, especially with the new Spotlight technology in the works. Google is quickly expanding its reach; rumors of a Google browser are all over the Internet. Next: the Google OS.
October 13, 2004
ophcrack - This is a version of RainbowCrack. Input a hash on the web page and receive the corresponding password!
Read Robert Hensing's Incident Response WebLog on "Why you shouldn't be using passwords of any kind on your Windows networks . . ." Robert makes a great point about not using passwords, but pass-PHRASES. Or, in my opinion, use an incredibly long password like I do. Ophcrack cracked only 7 characters of my 15 character password, AND got the case wrong. Also, disable LM hashes on your servers. The only reason you need the LM hash is to provide backward compatibility with Windows 95 and 98 clients. Most (sane) folks don't support those clients on their domains, so it's safe to disable.
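To see why a rainbow table gets exactly 7 characters and the wrong case, here is an added example (not from the post, not ophcrack's code) that builds an LM hash the way Windows does and then checks the NoLMHash setting that stops the hash being stored. The only assumptions are the sample passwords; the algorithm (upper-case, pad to 14 bytes, DES-encrypt the constant "KGS!@#$%" with each 7-byte half as the key) is the published one.

```powershell
# Added example, not from the post or from ophcrack: compute an LM hash as Windows does,
# to show the two weaknesses a rainbow table exploits (case is discarded, and the two
# 7-character halves are hashed independently), then check the NoLMHash setting.

function ConvertTo-DesKey {
    # Spread 7 key bytes (56 bits) over 8 bytes; DES ignores the low (parity) bit of each.
    param([byte[]]$Seven)
    $k = New-Object byte[] 8
    $k[0] =   $Seven[0]
    $k[1] = (([int]$Seven[0] -shl 7) -bor ([int]$Seven[1] -shr 1)) -band 0xFF
    $k[2] = (([int]$Seven[1] -shl 6) -bor ([int]$Seven[2] -shr 2)) -band 0xFF
    $k[3] = (([int]$Seven[2] -shl 5) -bor ([int]$Seven[3] -shr 3)) -band 0xFF
    $k[4] = (([int]$Seven[3] -shl 4) -bor ([int]$Seven[4] -shr 4)) -band 0xFF
    $k[5] = (([int]$Seven[4] -shl 3) -bor ([int]$Seven[5] -shr 5)) -band 0xFF
    $k[6] = (([int]$Seven[5] -shl 2) -bor ([int]$Seven[6] -shr 6)) -band 0xFF
    $k[7] =  ([int]$Seven[6] -shl 1) -band 0xFF
    return ,$k
}

function Get-LMHash {
    param([Parameter(Mandatory)][string]$Password)
    if ($Password.Length -gt 14) { return $null }   # Windows stores no LM hash above 14 chars
    # Upper-case, pad with NULs to 14 bytes, split into two independent 7-byte halves.
    $buf = New-Object byte[] 14
    [Text.Encoding]::ASCII.GetBytes($Password.ToUpperInvariant()).CopyTo($buf, 0)
    $magic  = [Text.Encoding]::ASCII.GetBytes('KGS!@#$%')   # the constant DES plaintext
    $zeroIv = New-Object byte[] 8
    $hash   = New-Object System.Collections.Generic.List[byte]
    foreach ($start in 0, 7) {
        [byte[]]$half = $buf[$start..($start + 6)]
        if (($half | Measure-Object -Sum).Sum -eq 0) {
            # Empty half: .NET refuses the all-zero DES key as weak, but the result is the
            # constant every cracker recognises as "nothing in the second half".
            $hash.AddRange([byte[]](0xAA,0xD3,0xB4,0x35,0xB5,0x14,0x04,0xEE))
            continue
        }
        $des = [Security.Cryptography.DES]::Create()
        $des.Mode    = [Security.Cryptography.CipherMode]::ECB
        $des.Padding = [Security.Cryptography.PaddingMode]::None
        $enc = $des.CreateEncryptor([byte[]](ConvertTo-DesKey $half), $zeroIv)
        $hash.AddRange($enc.TransformFinalBlock($magic, 0, 8))
    }
    return -join ($hash | ForEach-Object { $_.ToString('X2') })
}

function Test-NoLMHash {
    # Same setting as the GPO "Network security: Do not store LAN Manager hash value on
    # next password change". XP/2003 and later use this DWORD; Windows 2000 used a
    # NoLMHash subkey instead. Existing hashes stay until each password is changed.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                            -Name NoLMHash -ErrorAction SilentlyContinue
    return [bool]($lsa -and $lsa.NoLMHash -eq 1)
}

# Sample passwords (constructed for the example):
Get-LMHash 'Password'        # identical to the next line: case is discarded before hashing
Get-LMHash 'PASSWORD'
Get-LMHash 'Passw0rd!2004'   # 13 chars: 'PASSW0R' and 'D!2004' are attacked separately
Get-LMHash 'Passw0rd!2004xx' # 15 chars: $null, no LM hash is stored at all
Test-NoLMHash
```

Each half is a 56-bit DES key over an upper-case alphabet, so a table covering all 7-character upper-case/digit/symbol strings covers every LM hash, which is exactly what ophcrack's tables do. A 15-character password sidesteps it only because Windows does not compute the hash at all, so the NoLMHash setting is the fix that works for every account, including those with short passwords.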
October 12, 2004
Just when I thought Halloween was over 2 weeks away, Microsoft scares me with 10 new bulletins and one rerelease (8 critical). Thank you Microsoft for the job security!
Microsoft Security Bulletin MS04-028:Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution (833987) - Critical (RERELEASE)
Microsoft Security Bulletin MS04-029: Vulnerability in RPC Runtime Library Could Allow Information Disclosure and Denial of Service (873350) - Important
Microsoft Security Bulletin MS04-030: Vulnerability in WebDAV XML Message Handler Could Lead to a Denial of Service (824151) - Important
Microsoft Security Bulletin MS04-031: Vulnerability in NetDDE Could Allow Remote Code Execution (841533) - Important
Microsoft Security Bulletin MS04-032: Security Update for Microsoft Windows (840987) - Critical
Microsoft Security Bulletin MS04-033: Vulnerability in Microsoft Excel Could Allow Remote Code Execution (886836) - Critical
Microsoft Security Bulletin MS04-034: Vulnerability in Compressed (zipped) Folders Could Allow Remote Code Execution (873376) - Critical
Microsoft Security Bulletin MS04-035: Vulnerability in SMTP Could Allow Remote Code Execution (885881) - Critical
Microsoft Security Bulletin MS04-036: Vulnerability in NNTP Could Allow Remote Code Execution (883935) - Critical
Microsoft Security Bulletin MS04-037: Vulnerability in Windows Shell Could Allow Remote Code Execution (841356) - Critical
Microsoft Security Bulletin MS04-038: Cumulative Security Update for Internet Explorer (834707) - Critical
October 11, 2004
Geek Cruises--computer education for geeks & consumers - ok I SERIOUSLY need this. Check out the "Convincing the Boss" link for helpful hints on getting your company to tote the note.
October 10, 2004
For me, the jury's still out regarding Firefox replacing IE. Here are some add-ons that are sure to help the transition:
IE View 0.82
Adds "View page in Internet Explorer" links to the content and link context menu. Handy for previewing pages in IE, loading up IE-only pages when you run across them in Mozilla, etc. - This saves you from the hassle of having to open IE and navigating to the page that's giving Firefox issues.
Googlebar 0.9.0.29
An unofficial Google toolbar for Firefox. - Way more (useful) features than the official IE-only version.. the only complaint is that it takes up its own toolbar. I like to keep my toolbars small, and in IE I combine the navigation buttons, Google Toolbar, and the File menu all on one line with the address bar and links right below, on their own bar. Small and sleek. But with all of the features (university search, computer search, and many more searching options) I am willing to put up with this drawback.
Image Zoom 0.1.7
Adds zoom functionality for images - Can you live without this?
Autofill 0.2
Autofill is a semi-faithful recreation of Google's IE Autofill function in Mozilla Firefox (with some additional features). - This is nice. Multiple profiles, more fields, etc. make this worthwhile (and better than the official Autofill).
BlogThis 0.2.1
Adds right-click access to Blogger's BlogThis popup. - For those not using the Googlebar, this is a necessary extension. Even if you are using Googlebar, this is a worthy feature that allows you to Blog a link without needing to visit the site.
Copy Plain Text 0.2
Copies text without formatting - see the Image Zoom response.
LastTab 1.0.4
Modifies CTRL-TAB to switch to recently selected tabs; CTRL-SHIFT-TAB moves in the opposite direction. - A great time saver. Just like Alt-Tab in Windows, except for your Firefox tabs. I can't tell you how many times I hit Alt-Tab without thinking, just to get annoyed that I have to use the mouse to change tabs.
October 08, 2004
Well, I decided to make a jump to Mozilla Firefox from trusty ol' Internet Explorer. So far, I'm not 100% sure of what I think about the new browser. First looking at it, it seems really nice. I love the tabbed browsing, the XPSP2-like security features (block installs, block pop-ups, block ActiveX installs), the way I can customize the toolbars, and the speed. My favorites (bookmarks) imported over without hassle, as well as my cookies, history, and settings.
One of my main complaints is the lack of Google Toolbar support. Yes, there is a version of the toolbar built in, but it is limited to search (although you can search a lot more than Google). I want my Blog-This button, my highlighter, etc. Phil Ringnalda created a BlogThis extension for Firefox, but I haven't installed/tested it yet.
Most of my issues with this new browser are based around my familiarity with IE. I remember the early days, when Netscape was king and was the only browser I'd use. After Netscape died (well, died enough), I made the switch to IE and never went back. Looking at the browser world now, IE has fallen (way) behind. It is time for a change.
Here's a quick list of links to help with the Mozilla Firefox browser:
List of Keyboard Shortcuts.
List of Mozilla Extensions.
List of Mozilla Themes.
Also, I switched from Outlook Express to Mozilla Thunderbird last night as well. I've tested several email clients over the past few months, and Thunderbird looks like it can hold its own with OE. My main complaint, right off, is the lack of decent filter setup (which OE is victim to also). I've played with several other products that kill both of these clients when it comes to filter setup, but those other products usually suck at everything else. I would REALLY test Thunderbird and install it at work, but nothing beats Outlook 2003. Nothing. But, give me a few days/weeks and we'll see if I stay with the 'bird or run back to OE at home.
October 05, 2004
PictView for Windows: "Read images in over 150 variations of approximately 50 file formats, including all famous and widely-used formats"
Nice little utility.. most people wouldn't care about a picture viewer, but check out the command-line converter. I can't tell you how many times someone sent me an email asking me to convert a file from some obscure format to something readable.. this is a quick and easy program to do it with.
September 22, 2004
Microsoft Windows XP - Command-line reference A-Z
A handy reference of all of the command-line commands and what they do, options, etc.
September 20, 2004
Hack In The Box - Sasser Netsky virus coder lands job with security firm - "A German teenager accused of creating the Sasser worm that infected millions of computers around the world is being taught to become a security software programmer, the company that hired him said on Friday. Eighteen-year-old Sven Jaschan has been taken on by the Securepoint computer firm based in Lueneburg, northern Germany and is being trained to make firewalls, which stop suspect files from entering computer systems."
This sets a horrible precedent.. Write a virus, get rewarded with a job. What was this firm thinking? We'll see more and more people writing viruses in hopes of employment. I can see hiring ex-hackers, who have a large understanding of security and ways around security, but at least a hacker chooses his target and only affects his target. A virus writer creates a little program and then lets it free to infect whatever it can, causing enormous losses for those companies and individuals involved. {True} hackers also follow a certain code of ethics; although their actions may not be legal, at least they attempt to show some respect for the victim by not violating certain rules. To me, virus writers have no respect for the (internet) community that they are a part of.
Symantec to acquire security firm @stake | CNET News.com: "Symantec has signed an agreement to acquire @stake, a security consulting and software company, Symantec said Thursday.
@stake will improve Symantec's consulting contacts--six of the top 10 financial institutions are customers, Symantec said. Symantec also will get products to help check and recover lost passwords and to test and improve Web site security. "
Meant to report on this last week, but you know how that goes. Really, I think this blows. I remember l0pht back when they were a bunch of guys in Boston playing around w/ technology in their spare time. Oh well.. I'd sell out too if the price was right.
DNS Stuff: DNS tools, WHOIS, tracert, ping, and other network tools. - This is a must bookmark site. Tons of tools such as: DNS reports, dns timing, whois, reverse dns lookup, routing lookup, spam database, etc.
September 17, 2004
The GUI Gallery: "On these pages you will find many screen shots of various desktop computer Graphical User Interfaces and operating systems. Many different people have had different ideas of how a GUI should work and these screen shots show many of the more popular ones. "
This site is pretty awesome. I spent quite some time reminiscing over pictures of old operating systems I've played with over the years: GEOS, Windows 3.0, OS/2 Warp (which I still have a copy of), etc. The screenshots of Microsoft BOB were amusing. I found a copy of BOB at a thrift store the other day, but I couldn't justify the $2 asking price for it (and it was half-off everything day).
arstechnica: Will Microsoft sue OpenOffice users?: "According to a provision in the landmark Sun-Microsoft settlement, Microsoft can sue OpenOffice.org (as the application suite is now known) users and developers over copies of OpenOffice.org installed after April 1, 2004. The agreement between Sun and Microsoft was made public as part of Sun's SEC filings earlier this week. While OpenOffice.org users would be fair game, users of Sun's StarOffice suite upon which OpenOffice.org is based are specifically protected from legal action by Microsoft."
Let's ruin everything that is free. The article talks about how hard it will be for them to sue users (since they are considered monopolists) but this can sure stifle the future growth of the product. Poor home users and small companies will just have to find (yet) another alternative to the {great} Microsoft Office.
September 16, 2004
Heysoft - EventSave - "There is no utility delivered with Windows NT to move the events from the current logs into backup files.
I wrote a little tool which can be used to schedule a job to automatically save all events to another file and clear each log afterwards. Independently of how often you run it, there will be one file created every month for each log, called year_month_computer_xxx.evt, where xxx is the name of the log (like, for instance, Security or System)."
Nice freeware.
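The same monthly archive-and-clear job, as an added example (not the EventSave tool the post links, and not part of the original post), written against the wevtutil.exe that ships with every current Windows. The archive share and the list of logs are assumptions. The one property worth copying from EventSave is kept: the log is cleared only after the backup has been written, which wevtutil's /bu: switch does in a single operation.

```powershell
# Added example, not from the post: save each log to a monthly-named .evtx and clear it,
# the way EventSave does, using the built-in wevtutil.exe. Share and log list are assumptions.
# Run under an account holding SeSecurityPrivilege ("Manage auditing and security log"),
# otherwise the Security log cannot be read or cleared.
[CmdletBinding()]
param(
    [string]$ArchiveRoot = '\\logserver\archive$',           # assumption: off-host, write-only for clients
    [string[]]$Logs      = @('Security', 'System', 'Application')
)
$stamp = Get-Date -Format 'yyyy_MM'

foreach ($log in $Logs) {
    # year_month_computer_log.evtx, the naming scheme EventSave uses
    $dest = Join-Path $ArchiveRoot ('{0}_{1}_{2}.evtx' -f $stamp, $env:COMPUTERNAME, $log)
    if (Test-Path $dest) {
        # Second run in the same month: never overwrite an archive, add a time suffix instead.
        $dest = $dest -replace '\.evtx$', ('_{0:HHmmss}.evtx' -f (Get-Date))
    }
    # "cl" with /bu: writes the backup first and clears the log only if that succeeded.
    # Clearing the Security log itself leaves event 1102 as the first entry in the new log,
    # so the archive chain stays auditable.
    & wevtutil.exe cl $log "/bu:$dest"
    if ($LASTEXITCODE -ne 0) {
        Write-Error ("wevtutil failed for {0} (exit code {1}); log was NOT cleared" -f $log, $LASTEXITCODE)
        continue
    }
    Write-Verbose "Archived and cleared $log -> $dest"
}
```

Schedule it with Task Scheduler for the first of the month, and make the archive share append-only for the machines writing to it: a log that an attacker who owns the box can delete is not an archive.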
SecurityFocus HOME News: Feds say Lamo inspired other hackers: "The final act in the saga of Adrian Lamo's hacking adventures ended with a contrite message from the once brash cyber outlaw, and a grim denunciation from his prosecutor, who blamed the hacker for inspiring other computer intruders. "
September 15, 2004
Troubleshooting Group Policy in Windows 2000: "This white paper explains how IT administrators can troubleshoot Group Policy. It includes sections on using command line tools, accessing and using logs, common troubleshooting scenarios, solving software installation issues, checklists for troubleshooting, and best practices. This advanced level paper assumes readers are familiar with the fundamentals of Group Policy. It includes the following sections:"
September 14, 2004
Microsoft Security Bulletin MS04-028: Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution (833987) - Critical
This looks pretty bad.. there are a ton of applications that are affected. The attack vector is limited (somewhat); this can't be exploited remotely (like blaster), but the exploitation potential via email or webpage is great.
(edit: 9/22) There is proof of concept and exploit code circulating already, so be on the lookout for the next major virus.
Download details: Deploying Windows Firewall Settings for Microsoft Windows XP with Service Pack 2: "Windows XP Service Pack 2 (SP2) includes the Windows Firewall, a replacement for the Internet Connection Firewall (ICF) in previous versions of Windows XP. Windows Firewall is a stateful host-based firewall that discards unsolicited incoming traffic, providing a level of protection for computers against malicious users or programs. To provide better protection for computers connected to any kind of network (such as the Internet, a home network, or an organization network), Windows XP SP2 enables Windows Firewall on all network connections by default. This new behavior can impair some types of communications. This article describes how to deploy the appropriate configuration settings for Windows Firewall on an organization network so that it is enabled and providing protection, and so that communications are not impaired."
Good white paper on how to set up Windows Firewall using GPOs.
September 11, 2004
So, SysAdminHell has been around for 1 year, 231 posts, 18,966 words, and 408 links. Here's to another year of surviving this hell!
Here's a little treat that I'm sure most of us can relate to:
The Chronicles of George: "George is, quite simply, the worst helpdesk technician ever.
His grasp on the written word is shakier than a canoe full of epileptics. His knowledge of computers is thinner than a Vegas dancer's chiffon underpants. He is, by all standards of intelligence, a rock."
By the way, anyone wanting a gmail account send me an email at netmancer@gmail.com and I'll hook it up (if I have them).
Here's some more goodies:
my favorite webcomics:
Dilbert
General Protection Fault
User Friendly
Penny Arcade
(some of) my favorite mailing lists:
Def-Con Stuff
NTSysAdmin
WinSecurityIssues
W2Knews
WXPnews
September 10, 2004
312354 - OL: An "Operation Failed" Error Message Appears After You Click "Send and Receive"
I was getting this error: the operation failed. an object could not be found. I installed the latest updates/service packs, uninstalled office/reinstalled office, nothing. Apparently, Windows keeps your Outlook profiles and settings even if the software is removed from your computer.
September 09, 2004
Optimizing Domain Name System (DNS), Windows 2000
JSI Tip 3412. How do I setup the Domain Name System for Active Directory?:
SSRN-War, Peace, or Stalemate: Wargames, Wardialing, Wardriving, and the Emerging Market for Hacker Ethics by Patrick Ryan: "This article will explain the roots of the term 'wardriving,' and the cultural phenomenon of the 1983 Hollywood movie WarGames that gave birth to the concept more than 20 years ago. Moreover, this article will show that the press has often confused wardriving with computer crimes involving trespass and illegal access. There are inconspicuous ethical shades to wardriving that are poorly understood, and to date, no academic literature has analyzed the legality of the activity. This article will argue that the act of wardriving itself is quite innocuous, legal, and can even be quite beneficial to society."
September 08, 2004
UNIX on the Game Boy Advance: "In this document, we discuss 'gbaunix', a rather contrived experiment in which we run an ancient version of the UNIX operating system on a popular hand-held video game system using a simulator. "
Not sure how practical this is, but it's pretty cool. Might as well have something to do w/ my GBA; either the games suck or are too expensive for my broke ass.
ATK - Attack Tool Kit - The acronym ATK stands for Attack Tool Kit. It was first developed to provide a very small and handy tool for Windows to realize fast checks for dedicated vulnerabilities.
SecurityFocus HOME Infocus: Metasploit Framework, Part 2: "This article will start off with a brief introduction to the console interface and explain how to select and use an exploit module. We will then cover the environment system, how it works, and what features can be enabled through it. "
September 04, 2004
Click here to help me and to start your way to your own free iPod.
Ok, here's the deal. FreeiPods.com is giving away iPods, including the new Apple 20 GB iPod for free, sort of. The way it works is simple. You sign up. You are now presented with a list of "trial offers". Currently, all of these trials require a credit card number. Pick a trial, give them your CC#, go through the trial for a short amount of time, then cancel (or keep the service if you want). Nothing shows up on your credit card. Next, you have to get 5 friends to sign up and participate in a trial. If they sign up with your referral code, you get a credit once it is verified that they did a trial. After you have completed this, you get a free iPod shipped to your house.
I did my research on this. I have not found a single complaint on any newsgroup, mailing list, website, forum, etc that had any merit. Sure, it's easy to blow this off as paranoia, but the economics of this make sense. Check out Jay Bees' analysis of the economics driving this offer. It makes perfect business sense. The parent company, Gratis Internet, has been registered with the BBB over the past several years with no pending complaints. I've only heard positive experiences with this program.
Here's my deal: Everyone knows that I will NEVER be able to afford an iPod. Everyone also knows that I WANT an iPod. If you're interested in getting a free iPod, what does it hurt to help me out? Click here to help me and to get started on your free iPod.
Here's a few more links:
The Original Free iPod Guide
Guide to freeiPods.com
Yet Another Guide to FreeiPods.com
Gratis Internet Better Business Bureau Report
Analysis of the economics driving FreeiPods.com.
September 03, 2004
Windows 2000/XP Command Prompt - Cheat Sheet [[PRINTABLE]] - nice handy reference for when you draw a blank.
RIAA forced technology weed to choke it - "See the problem? The network providers will tell you in very colourful language exactly where to shove it, no doubt there. Even if they didn't, what would they implement it on again? They hold none of the databases, you and I do. If they manage to coerce Kazaa into forcing the filters onto your machine somehow, there are a dozen other networks out there. If they get them all, a lot of the code is open source, I'd give it 30 minutes before a dozen new networks spring up.
In the old days, there was one provider, and one repository, one throat to strangle. It was manageable technically if it came down to a technical solution. Instead of allowing that technical solution to blossom, they went the legal route, and lost. In the intervening years, the tech went around them, and they sat still, and possibly regressed.
The problem with forced evolution is that it tends to work. The RIAA made the networks evolve technically, from a relatively innocuous MP3 network to the file sharing network from hell. There is nothing you can't get anymore, and there is no one to stop it. If they came up with a tool, unlikely as that may be, there is no place to implement it."
- Well written article outlining how the RIAA and MPAA have shot themselves in the foot and why. BTW, I shit on the RIAA. I may not share files, but I'm not purchasing any more music from those assholes. I'll purchase used from stores, garage sales, or pawn shops rather than let my money see RIAA's pockets. They've lost a customer for life.
September 01, 2004
BOFH takes the Piss | The Register: "And I'm left wondering what Lassie would do... would she dial the suspiciously short US 24hr freecall number? Would she ring the local 'Value Added' (pfft) Reseller and ask what the hell's going on? Or would she just relieve herself on the cabinet and wander off?
So I'm relieving myself on the cabinet (with the Power OFF, of course) when the user returns to the office. .."
This is one of the funniest BOFH's I've read in a long while.. take a look.
August 31, 2004
Gmail and GTray - here's a neat little program that sits in your system tray and notifies you of new messages in your Gmail account. It uses https for authentication (which Google's own program doesn't).
On another note, I have several invites laying around. If you want an invite shoot me an email systemgod[at]gmail[dot]com.
August 20, 2004
Gmail Notifier: "The Gmail Notifier is a downloadable Windows application that alerts you when you have new Gmail messages. It displays an icon in your system tray to let you know if you have unread Gmail messages, and shows you their subjects, senders and snippets, all without your having to open a web browser. "
August 19, 2004
Group Policy Settings Reference for .adm files included with Windows XP Professional Service Pack 2: "This spreadsheet lists the full set of Group Policy settings described in Administrative Template (.adm) files shipped with Windows Professional Service Pack 2. This includes all policy settings supported on Windows 2000 (to Service Pack 4), Windows XP Professional (to Service Pack 2) and Windows Server 2003. The spreadsheet includes separate worksheets for each of the .adm files shipped, as well as a consolidated worksheet for easy searching. Additionally, an "Update History" worksheet has been added to list those policy settings added since Windows Server 2003 was released. Using column filters, the spreadsheet allows simple filtering by operating system, component and machine/user configuration, as well as regular text search of keywords through Excel."
Researchers find holes in XP SP2: "Security researchers inspecting an update to Microsoft%27s Windows XP found two software flaws that could allow virus writers and malicious hackers to sidestep new security features in the operating system."
Ok this is just plain stupid. The actual advisory (posted here: http://www.heise.de/security/artikel/50051) states that some user interaction is required to exploit this vulnerability, such as having the user type cmd exploitname.exe (or whatever file extension). They also say that this method bypasses some antivirus software. HOW IS THIS AN EXPLOIT!!?!? If I talked someone into opening Windows Firewall and opening up port 145 to the outside world, is that a vulnerability in the Operating System? What if I tricked someone into giving me their password, is that a vulnerability of that system's authentication mechanisms? NO. At the most this is an exploit of the user's intelligence, if that.
August 17, 2004
239803 - How to Change the Recovery Console Administrator Password on a Domain Controller
322672 - How To Reset the Directory Services Restore Mode Administrator Account Password in Windows Server 2003
August 16, 2004
842242 - Some programs seem to stop working after you install Windows XP Service Pack 2 - informative article on how to set up the windows firewall to get your programs to work.
August 13, 2004
307900 - Upgrading Windows 2000 Group Policy for Windows XP
322176 - HOW TO: Administer GPO Properties in Windows 2000
Applying Windows XP Group Policy in a Windows 2000 Domain (Part 1)
August 12, 2004
283037 - Large memory support is available in Windows 2000 and Windows Server 2003
Google Groups: View Thread "W2k3 32-bit - more than 4GB RAM useful?" - "1. (modified) Physical Address Extensions (PAE) mode is automatically set on if a) you are running WS2003 Enterprise or Datacenter Edition and b) your machine has more than 4Gb of physical RAM and c) your BIOS indicates that your machine supports hot pluggable memory. If your machine meets a) and b), but not c), you can add the /PAE switch in boot.ini to enable access to more than 4Gb of physical RAM. In all other cases the OS will not use more than 4Gb of physical RAM."
August 09, 2004
Download details: Windows XP Service Pack 2 for IT Professionals and Developers - "Microsoft Windows XP Service Pack 2 (SP2) provides new proactive security technologies for Windows XP to better defend against viruses, worms, and hackers. In addition to a more robust security infrastructure, SP2 improves the security configuration options of Windows XP and provides better security information to help users faced with security decisions."
It's finally here!!
August 06, 2004
A White Hat's Penetration Test - by Mati Aharoni, Contributing Writer, article date 2003-12-15: "This tutorial is more of a 'case study', in which I describe a recent penetration test I performed. Due to the success of the penetration test (in a relatively very short time) I decided to share this experience with you."
This is a great walk-through of the chain of events that led a guy armed only with a domain name to gain admin control over a company's mail server and network. Great read. {note: If anyone has any more "hack stories" like this, please send me an email (systemgod@gmail.com). I love reading this type of thing.}
Symantec Enterprise Support: "This page provides you with links to the most relevant knowledge base documents for SP2 and your Symantec antivirus and desktop firewall products."
August 05, 2004
Tom's Hardware Guide Business Reports: Defcon 12's Fear and Hacking in Vegas - Introduction: Another sweet article about the last Defcon that ended at the beginning of this month. As you can tell, I really miss going. The last Defcon I attended was Defcon 6, and I've been trying to go back ever since. Hopefully, there's always next year.
PDAs under attack: "Kaspersky Labs has detected Backdoor.WinCE.Brador.a, the first backdoor for PDAs running under PocketPC (based on Windows CE).
Brador is a classic Trojan backdoor program: it opens the infected machine for remote administration. Brador is 5632 bytes in size and it infects handhelds running Pocket PC."
August 03, 2004
NewsForge | Blackhat/Defcon: The final report: "The week-long Defcon 12 and Blackhat Briefings ended Sunday. Taking center stage in our final report are Google, a video history of bulletin board systems, a healthy dose of 'lessons not learned' by our federal bureaucracy, anarchy, and the threat of physical violence." - This is a great article by someone who was actually in attendance at both events. Unfortunately, I was unable to attend Defcon due to a family situation (kid) and financial restraints. There's always next year!
Wired News: Wi-Fi Shootout in the Desert: "The teens from Cincinnati got an ovation at the DefCon hacker conference here Sunday when organizers announced at the Alexis Park Resort that the winners of this year's Wi-Fi shootout might have broken a world record for ground distance in establishing a 55.1-mile Wi-Fi connection. "
This is a great article..
July 30, 2004
Microsoft Security Bulletin MS04-025 - Cumulative Security Update for Internet Explorer (867801) - Critical - Remote Code Execution
Download details: SQL Server Health and History Tool (SQLH2): "SQLH2 collects four main types of information:
1. Feature Usage - What services/features are installed, running and level of workload on the service.
2. Configuration Settings - Machine, OS and SQL configuration settings, SQL instance and database metadata.
3. Uptime of the SQL Server service
4. Performance Counters (optional) - Used to determine performance trends"
July 26, 2004
System Administrator Appreciation Day: 5th Annual - Friday - July 30th, 2004 - A special day, once a year, to acknowledge the worthiness and appreciation of the person occupying the role, especially as it is often this person who really keeps the wheels of your company turning.
HOOK ME UP. EMAIL ME WITH YOUR PRAISE AND GRATITUDE AND GIFTS!!
July 23, 2004
Moving office? - IT Manager - CNETAsia
docs.sun.com: StarOffice 6.0 Software Responsefile Installation Guide
837932 - Event ID 2108 and Event ID 1084 occur during inbound replication of Active Directory in Windows 2000 Server and in Windows Server 2003
232122 - Performing Offline Defragmentation of the Active Directory Database
253644 - Inbound Replication to Global Catalog Servers Does Not Work Because of a Database Error
321046 - How To Use DNSLint to Troubleshoot Active Directory Replication Issues
JSI Tip 4837. Low disk space on a drive may prevent Active Directory replication?
269417 - Event 1586 Message: The Checkpoint with the PDC Was Unsuccessful
July 21, 2004
TechNet Virtual Lab - Ever wanted to test Microsoft's newest software in a sandbox environment? Wouldn't it be great to be able to test new servers immediately, without formatting hard drives or dedicating one or more computers to the project? Now you can, with the TechNet Virtual Lab.
As part of the TechNet Virtual Lab, you will have full access to Windows Server 2003 through seven modules:
• System Administration Scripting
• Active Directory - New User Interface
• Active Directory - New Functionality
• Group Policy Management Console
• Remote Desktop for Administration and Remote Assistance
• File, Storage, and Print
• IIS 6.0
• Security
July 20, 2004
Download details: SBS Customer Presentation: "This is a presentation that covers the following. Introducing Windows SBS 2003, Overview of business benefits and custom designed solutions"
This PowerPoint presentation from Microsoft helps consultants sell Small Business Server to their clients. Very handy.
July 16, 2004
Bart's Preinstalled Environment (BartPE) bootable live windows CD/DVD: "Bart's PE Builder helps you build a 'BartPE' (Bart Preinstalled Environment) bootable Windows CD-Rom or DVD from the original Windows XP or Windows Server 2003 installation/setup CD, very suitable for PC maintenance tasks.
It will give you a complete Win32 environment with network support, a graphical user interface (800x600) and FAT/NTFS/CDFS filesystem support. Very handy for burn-in testing systems with no OS, rescuing files to a network share, virus scan and so on.
This will replace any Dos bootdisk in no time!"
Download details: Microsoft Product Support's Reporting Tools: "The Microsoft Product Support Reporting Tool facilitates the gathering of critical system and logging information used in troubleshooting support issues. The reporting tool DOES NOT make any registry changes or modifications to the operating system. There are 8 specialty versions, one for each of the following support scenario categories: Alliance, Directory Services (not for Windows NT 4.0), Networking, Clustering, SQL, Software Update Services, MDAC and Base/Setup/Storage/Print/Performance."
July 13, 2004
Microsoft Delays By a Year Delivery of Two New Patching Systems: "Microsoft's Windows Update Services (WUS), the product formerly known as Software Update Services (SUS) 2.0, is now due to ship by mid-2005, rather than mid-2004. And the new Microsoft Update (MU) Service, a new patching system designed to provide fixes to not only Windows, but also Office, SQL Server, Exchange Server and other core Microsoft products, also is now due out by mid-2005, a year later than anticipated."
Microsoft Security Bulletin MS04-018: Cumulative Security Update for Outlook Express (823353) - Moderate (Cumulative Update) - Denial of Service
Microsoft Security Bulletin MS04-019: Vulnerability in Utility Manager Could Allow Code Execution (842526) - Important (replaced MS03-025) - Local Elevation of Privilege
Microsoft Security Bulletin MS04-020: Vulnerability in POSIX Could Allow Code Execution (841872) - Important - Local Elevation of Privilege
Microsoft Security Bulletin MS04-021: Security Update for IIS 4.0 (841373) - Important - Remote Code Execution
Microsoft Security Bulletin MS04-022: Vulnerability in Task Scheduler Could Allow Code Execution (841873) - Critical - Remote Code Execution
Microsoft Security Bulletin MS04-023: Vulnerability in HTML Help Could Allow Code Execution (840315) - Critical - Remote Code Execution
Microsoft Security Bulletin MS04-024: Vulnerability in Windows Shell Could Allow Remote Code Execution (839645) - Important - Remote Code Execution
July 10, 2004
839109 - You receive a ".pst is not compatible" error message when you open an Outlook 2003 .pst file: "Start Outlook 2003.
On the File menu, click Data File Management, and then click Add.
Click Outlook 97-2002 Personal Folders File (PST).
Click OK.
Click OK to accept the default name, and then click OK again.
Outlook 2003 now creates a new .pst file that is based on the earlier .pst file and maintains the ANSI formatting for that .pst file.
Click Close.
At the bottom of the navigation pane, click Folder List.
In the navigation pane, you now see the new .pst file.
Drag the information from your existing Outlook 2003 folders to the new .pst file. You may also use the Import and Export Wizard on the File menu to move the information from your existing Outlook 2003 folders to the new .pst file.
In the navigation pane, right-click the new .pst file, and then click Close 'file_name'."
Computing.Net - Outlook 2003->Outlook 2000 Contacts: "I had the problem of importing a .pst file to Outlook 2000 that had been exported using Outlook 2003. I installed the Office Resource Kit. In Resource Kit Programs, run 'Custom Maintenance Wizard'. In the next step put the 2003 CD in the drive and specify the location of the files. Following this you can create a new CMW file. Click Next till you get the dialogue 'Change Office User Settings'. Click on Microsoft Office Outlook 2003. Click on Miscellaneous and then PST Settings. Change the preferred PST mode to 'Enforce ANSI PST'. Finally copy the MaintWiz.exe to c:\ and in the command prompt change the drive letter to c:\>.
Run the command
MaintWiz.exe /c 'Documents and Settings\Administrator\My Documents\New Maintenance Data File.CMW' /qb-"
List of Current Papers and Brief Summaries: "'Learning by Doing' CCNA Textbook Version 1 (Pearson Education Press)" - and other resources.
July 07, 2004
Another Internet Explorer flaw found | CNET News.com: "Microsoft on Friday released a fix that's designed to protect computers from one of three flaws that, together, could be used to digitally slip past a PC's security through the browser. This weekend, however, a security researcher identified another flaw that could serve the same purpose and which isn't fixed by Microsoft's patch.
'They chose to address only one part of the problem,' said Jelmer Kuperus, a computer science student in the Netherlands who posted the code for the work-around. 'They should have seen this one coming.' "
July 06, 2004
JAYBE.org: "Pop Goes the Gmail is a program that sits between the http://gmail.com web server and your email client, converting messages from web format into POP3 format that a program such as Outlook Express or Thunderbird can understand."
July 02, 2004
Download details: Critical Update for Microsoft Data Access Components - Disable ADODB.Stream object from Internet Explorer (KB870669): "Adodb.stream provides a method for reading and writing files on a hard drive. This by-design functionality is sometimes used by web applications. However, when combined with known security vulnerabilities in Microsoft Internet Explorer, it could allow an internet web site to execute script from the Local Machine Zone (LMZ). This occurs because the ADODB.Stream object allows access to the hard drive when hosted within Internet Explorer."
870669 - How to disable the ADODB.Stream object from Internet Explorer
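The 870669 fix works by setting the ActiveX "kill bit" on the ADODB.Stream control: bit 0x400 of the "Compatibility Flags" value under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}, the same mechanism KB 240797 documents for any control. When you have a pile of machines to check, the easy route is to `reg export` that key from each one (remote registry or a login script) and audit the exports in one place. The script below is an added example, not something from the KB article or from Microsoft: it parses a constructed export, says which CLSIDs are killed, and prints the reg.exe command for any that are not. The ADODB.Stream CLSID in it is the one I believe 870669 lists; verify it against the article before pushing it out, and treat the sample export as made-up data.

```python
import re

KILL_BIT = 0x400  # "Compatibility Flags" bit that tells IE never to instantiate the control
COMPAT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"

# Assumption: this is the CLSID of ADODB.Stream. Check it against KB 870669 before relying on it.
ADODB_STREAM_CLSID = "{00000566-0000-0010-8000-00AA006D2EA4}"

# Constructed sample of `reg export` output for the ActiveX Compatibility key (not real machine data).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000566-0000-0010-8000-00AA006D2EA4}]
"Compatibility Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-2222-3333-4444-555555555555}]
"Compatibility Flags"=dword:00000400
"""

_KEY_RE = re.compile(r"^\[" + re.escape(COMPAT_KEY) + r"\\(\{[0-9A-Fa-f-]{36}\})\]$")
_FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{8})$')

def parse_compat_flags(export_text):
    """Map CLSID -> Compatibility Flags value for every subkey present in the export.
    A subkey with no flags value is recorded as 0 (present but not killed)."""
    flags = {}
    current = None
    for line in export_text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).upper()
            flags.setdefault(current, 0)
            continue
        if line.startswith("["):
            current = None           # some unrelated key; ignore its values
            continue
        m = _FLAGS_RE.match(line)
        if m and current is not None:
            flags[current] = int(m.group(1), 16)
    return flags

def is_killed(export_text, clsid):
    """True only if the CLSID has a subkey AND bit 0x400 is set. A missing subkey means not killed."""
    value = parse_compat_flags(export_text).get(clsid.upper())
    return value is not None and bool(value & KILL_BIT)

def kill_bit_command(clsid):
    """reg.exe one-liner that sets the kill bit (what the 870669 fix does), for psexec or a login script."""
    return ('reg add "%s\\%s" /v "Compatibility Flags" /t REG_DWORD /d 0x%X /f'
            % (COMPAT_KEY, clsid, KILL_BIT))

if __name__ == "__main__":
    for clsid in parse_compat_flags(SAMPLE_EXPORT):
        print(clsid, "killed" if is_killed(SAMPLE_EXPORT, clsid) else "NOT killed")
    if not is_killed(SAMPLE_EXPORT, ADODB_STREAM_CLSID):
        print(kill_bit_command(ADODB_STREAM_CLSID))
```

Note that a host with no ActiveX Compatibility subkey for the CLSID at all is reported as not killed, which is the right answer: the control instantiates fine until the value exists with the bit set.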
Yahoo! News - U.S. Steers Consumers Away From IE: "The Department of Homeland Security's U.S. Computer Emergency Readiness Team touched off a storm this week when it recommended for security reasons using browsers other than Microsoft Corp.'s Internet Explorer.
The Microsoft browser, the government warned, cannot protect against vulnerabilities in its Internet Information Services (IIS) 5 server programs, which a team of hackers allegedly based in Russia has exploited with a Java script that is appended to Web sites. "
Note: Microsoft has claimed that those folks using XP SP2 are not affected by this issue. I really do recommend installing the service pack, even if it's still in beta. I've been using it both at home and at work since it came out, and RC1 before that, without any issues. I have noticed no slowdowns, broken apps, etc. It's as if Microsoft did something right!
July 01, 2004
BHODemon 2.0: "Think of BHODemon as a guardian for your Internet browser: it protects you from unknown Browser Helper Objects (BHOs), by letting you enable/disable them individually. BHODemon is free, runs in the 'tray' area, and works on Windows 95 or later operating systems (in other words, Windows 95, Windows 98, Windows 98SE, Windows ME, Windows NT4, Windows 2000, and Windows XP)."
I know this is old news, since this is still being exploited...
eEye Digital Security - Vulnerability Management Solutions: "It has been discovered that an adware purveyor has leveraged two security flaws (one of which was previously undetected, a 'zero day') in Microsoft's Internet Explorer browser to surreptitiously install a toolbar on victims' computers that triggers pop-up ads.
One of the flaws lets an attacker run a program on a victim's machine, while the other enables malicious code to run with privileges higher than normally allowed. When combined, the two issues allow for the creation of a Web site that, when visited by victims can upload and install programs to the victim's computer."
June 30, 2004
G-Mailto: "G-Mailto is a utility that automatically associates 'mailto' email links on the web with GMail. So clicking a link like this: Email me! will open up the GMail compose window instead of opening up something like Outlook Express that doesn't work with GMail (yet)."
Windows XP update could cause support chaos - Computerworld: "The major changes to Windows XP included in the upcoming Service Pack 2 are expected to cause support headaches, and analysts, users, PC makers and Microsoft Corp. are all expecting a spike in help desk calls. "
- I've been running XP SP2 RC2 since its release at home and for the past week at work. I've seen no issues whatsoever. Actually, I like the additional security, the firewall, the pop-up blocker, and the fact that it asks permission to run programs/scripts it doesn't know about.
June 27, 2004
Techworld.com - Mac OS X security myth exposed: "Windows is more secure than you think, and Mac OS X is worse than you ever imagined. That is according to statistics published for the first time this week by Danish security firm Secunia. "
June 25, 2004
How To Test Exchange SMTP operations using Telnet
How To retrieve Exchange mail via POP3 using Telnet
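The two telnet how-tos above walk through the dialogue by hand. Here is the SMTP half of it scripted, as an added example that is not from either linked article or from Microsoft, so it can be pointed at a list of servers instead of typed one box at a time. To keep it runnable offline it talks to a constructed stub that only answers enough SMTP to exercise the handshake (it is not Exchange); the host names and addresses are made up.

```python
import socket
import threading

def _stub_smtp_server(listener):
    """Constructed stand-in for an Exchange SMTP listener: answers one session and exits.
    It is NOT Exchange; it speaks just enough SMTP to exercise the telnet-style dialogue."""
    conn, _ = listener.accept()
    with conn, conn.makefile("rb") as rfile:
        conn.sendall(b"220 mail.example.local Microsoft ESMTP MAIL Service ready\r\n")
        in_data = False
        while True:
            line = rfile.readline()
            if not line:
                break
            if in_data:                              # swallow the message until the lone "."
                if line.rstrip(b"\r\n") == b".":
                    in_data = False
                    conn.sendall(b"250 2.6.0 Queued mail for delivery\r\n")
                continue
            verb = line.split(b" ", 1)[0].rstrip(b"\r\n").upper()
            if verb == b"EHLO":
                conn.sendall(b"250-mail.example.local Hello\r\n250 SIZE 10240000\r\n")
            elif verb in (b"MAIL", b"RCPT"):
                conn.sendall(b"250 2.1.0 OK\r\n")
            elif verb == b"DATA":
                in_data = True
                conn.sendall(b"354 Start mail input; end with <CRLF>.<CRLF>\r\n")
            elif verb == b"QUIT":
                conn.sendall(b"221 2.0.0 Service closing transmission channel\r\n")
                break
            else:
                conn.sendall(b"500 5.3.3 Unrecognized command\r\n")

def _read_reply(rfile):
    """Read one SMTP reply, including multi-line "250-..." continuations; return (code, lines)."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection mid-reply")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":         # "250-" continues, "250 " ends the reply
            break
    return int(lines[-1][:3]), lines

def smtp_probe(host, port, helo_name, sender, recipient, send_test_message=False):
    """The dialogue you would type into telnet: banner, EHLO, MAIL FROM, RCPT TO, [DATA], QUIT.
    Returns [(command, reply_code), ...] so every step can be checked afterwards."""
    transcript = []
    with socket.create_connection((host, port), timeout=10) as s, s.makefile("rb") as rfile:
        code, _ = _read_reply(rfile)
        transcript.append(("<banner>", code))

        def cmd(text):
            s.sendall(text.encode("ascii") + b"\r\n")
            c, _ = _read_reply(rfile)
            transcript.append((text, c))
            return c

        if cmd("EHLO " + helo_name) != 250:
            cmd("QUIT")
            return transcript
        cmd("MAIL FROM:<%s>" % sender)
        rcpt = cmd("RCPT TO:<%s>" % recipient)      # 550/554 here = relay denied or unknown user
        if send_test_message and rcpt == 250 and cmd("DATA") == 354:
            s.sendall(b"Subject: SMTP probe\r\n\r\nconnectivity test\r\n.\r\n")
            c, _ = _read_reply(rfile)
            transcript.append(("<message body>", c))
        cmd("QUIT")
    return transcript

def run_against_stub(send_test_message=True):
    """Start the constructed stub on an ephemeral localhost port and probe it."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    server = threading.Thread(target=_stub_smtp_server, args=(listener,), daemon=True)
    server.start()
    try:
        return smtp_probe("127.0.0.1", port, "admin-ws.example.local",
                          "postmaster@example.local", "user@example.local", send_test_message)
    finally:
        server.join(timeout=5)
        listener.close()

if __name__ == "__main__":
    for command, code in run_against_stub():
        print("%-40s -> %d" % (command, code))
```

Against a real Exchange server, call `smtp_probe` with port 25 and watch the RCPT TO reply: on a box that is not supposed to relay, an external recipient should get a 550/554, and a 250 there means you have an open relay. Leave `send_test_message` off unless you actually want a message in somebody's mailbox.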
June 17, 2004
Xnews - Xnews, a free Usenet newsreader for Windows 9x/NT/2000/XP
Xnews - Reviews and free downloads at Download.com
From my tests, it seems to be a great little program.. no installation, easy to configure, small..
June 16, 2004
Windows XP Service Pack 2 Release Candidate 2 Technical Preview Download: "Windows XP Service Pack 2 (SP2) provides an enhanced security infrastructure that defends against viruses, worms and hackers, along with increased manageability and control for IT professionals and an improved experience for users.
To aid IT professionals in planning and testing for the deployment of Windows XP SP2, Microsoft is making available this preview, based on Release Candidate 2 (RC2) of the SP2. Additionally, we have established 11 newsgroups for sharing information."
June 15, 2004
Download details: Windows Server 2003 Administration Tools Pack: "The Windows Server 2003 Administration Tools Pack (adminpak.msi) provides server management tools that allow administrators to remotely manage Windows 2000 Servers & Windows Server 2003 family servers. This is the final version (build 3790) of the adminpak.msi file."
June 10, 2004
Microsoft TechNet: Microsoft Exchange Server 2003 Technical Documentation Library - This is your source for Exchange Server 2003 technical documentation that has been reviewed and approved by the Exchange Server product team. The library is a catalog of technical content about Exchange Server
June 09, 2004
GNUWin II online Version :: GNUWin -- Open your Windows !: "GNUWin II is a free software compilation for Windows. GNUWin II includes numerous programs, completely free, which cover a wide spectrum of uses. The software included in GNUWin is not shareware nor freeware, but original free software and Open Source software, for which the source code is available, and that is and will always be free (free both as in "free speech", and as in "free beer"). "
Hack In The Box - Symantec: New Virus Deletes All Files: "The malware targets Windows computers, and arrives in an email bearing the subject 'Re' and an attachment that will have an .asp, .hta, .htm, .htt, .html, .vbe or .vbs extension. Upon infection, the virus uses Microsoft Outlook to send itself to everyone in the Microsoft Outlook Address Book. 'If the day is the 6th, 13th, 21st, or 28th, the worm will delete all the files from the computer,' Symantec reports."
Computerworld | Internet Explorer carved up by zero-day hole: "Two new vulnerabilities have been discovered in Internet Explorer which allow a complete bypass of security and provide system access to a computer, including the installation of files on someone's hard disk without their knowledge, through a single click.
In simple terms, the link uses an unknown vulnerability to open up a local Explorer help file -- ms-its:C:\WINDOWS\Help\iexplore.chm::/iegetsrt.htm. It delays executing anything immediately but instead uses another unknown vulnerability to run another file which in turn runs some script. This script is then used to run more script. And finally that script is used to run an exploit that Microsoft Corp. has been aware of since August 2003 but hasn't patched.
That exploit -- Adodb.stream -- has not been viewed as particularly dangerous, since it only works when the file containing the code is present on the user's hard disk. The problem comes in the fact that the Help file initially opened is assumed to be safe since it is a local file and so has minimal security restrictions. "
June 08, 2004
TinyResMeter - TinyResMeter is a small tool that displays useful realtime system resource information, but it also gives much more detail through a context menu when you right-click over the displayed fields! TinyResMeter is only ~100KB, no EXE-compression cheating, no install needed, just download and launch.
Check out some of his other stuff.
Microsoft Security Bulletin MS04-016: Vulnerability in DirectPlay Could Allow Denial of Service (839643) - Moderate
Microsoft Security Bulletin MS04-017: Vulnerability in Crystal Reports Web Viewer Could Allow Information Disclosure and Denial of Service (842689) - Moderate
No big ones this month.
The 46 Best-ever Freeware Utilities - Very nice list of tools.. pay attention to the Best Notepad Replacement section.. very recommended.
Ultr@VNC - Remote Control Software - If I'm not mistaken, I've blogged about this before, but check out this tip:
If you want to get maximum refresh rate, responsiveness and performance, you can try to completely disable "Hardware Acceleration" on the machines that run WinVNC. It can be done in "Display Properties" Panel - "Settings" Tab - "Advanced..." Button - "Troubleshooting" Tab - "Hardware Acceleration" set to "None". This makes a BIG difference, especially over LAN connections and even with other VNC distributions. WARNING: Turning off hardware acceleration with some ATI cards will result in BSODs under Windows 2000. When you can turn it off however, the results are impressive. WARNING: This trick is pointless if the Video Hook Driver (W2000/XP) is used on the server.
Seriously, this tip works great. I am dead-heading a test machine and I was finding the refresh to be extremely sluggish. Now it seems quicker than if I was sitting at the machine itself!
Also, today's Black Tuesday (MS patch day). They don't have the patches up on Technet yet, but expect some Direct X issues.. (rss is good).
June 07, 2004
Somix - Support - This MIB Archive is freely available to help users find the SNMP information they need.
MIBs for 3com, alcatel, checkpoint, cisco, citrix, compaq, dell, foundry, hp, ibm, linksys, lucent, microsoft, motorola, netscreen, nokia, nortel, novell, oracle, sun, etc (just to name a few).
June 03, 2004
How do I install applications for use with Terminal Server?: "There are two modes in terminal server, Execute and Install. By default all users are logged on in Execute mode and this means they can run programs etc. When you want to install an Application for use by everyone the Administrator should change to Install mode.
The best way to install software is to use the Add/Remove programs control panel applet as this will automatically set the mode to Install during the installation and then back to Execute at the end. Alternatively you can manually change your mode to install by typing
C:\> change user /install
To change back to execute use
C:\> change user /execute
And to check you current mode use
C:\> change user /query"
May 26, 2004
OpenOffice.org - OpenOffice.org is both an open-source application and project. It is free. The product is a multi-platform office productivity suite compatible with all major file formats.
This is a sweet MS Office replacement (but without an email app or Access app). Tons of customization, can save as a MS Office file (can set to default save)... Free. I'm running it at home and loving it. Take a look.
May 25, 2004
Download details: Exchange 2003: All-In-One Tools Download: "This package contains all the Exchange tools bundled together in a single download. "
Download details: Microsoft SQL Server Best Practices Analyzer - Microsoft SQL Server Best Practices Analyzer is a database management tool that lets you verify the implementation of common Best Practices on your servers.
May 18, 2004
Download details: Windows 2000 Default Policy Restore Tool: "RecreateDefPol.exe is a tool developed for the restoration of the Default Domain and Default Domain Controllers policy files, in case of accidental deletion. This tool is for use exclusively on Windows 2000 Server, Advanced Server, and DataCenter Server. Do not use this tool on Windows Server 2003; use Dcgpofix.exe instead (included in Windows Server 2003)."
299475 - Windows 2000 Security Event Descriptions (Part 1 of 2)
301677 - Windows 2000 Security Event Descriptions (Part 2 of 2)
May 15, 2004
Keyboard Shortcuts with Windows XP: "When speed counts, the keyboard is still king. Almost all the actions and commands you can perform with a mouse you can perform faster using combinations of keys on your keyboard. These simple keyboard shortcuts can get you where you want to go faster than several clicks of a mouse. You'll work faster on spreadsheets and similar documents, too, because you won't lose your place switching back and forth between mouse and keys.
Here are some of the most useful keyboard shortcuts:"
May 12, 2004
xBill for Windows: "Yet again, the fate of the world rests on your hands! An evil computer hacker, known only by his handle 'Bill', has created the ultimate computer virus. A virus so powerful that it has the power to transmute an ordinary computer into a toaster oven. (oooh!) 'Bill' has cloned himself into a billion-jillion micro-Bills. Their sole purpose is to deliver the nefarious virus, which has been cleverly disguised as a popular operating system.
As System Administrator / Exterminator, your job is to keep Bill from succeeding at his task."
May 11, 2004
Microsoft Security Bulletin MS04-015: Vulnerability in Help and Support Center Could Allow Remote Code Execution (840374) - Important - Remote Code Execution
The only update this month!! Only affects XP and 2003..
TheNetworkAdministrator.com - More entertainment for the Network Admin. - Need to have something entertaining on Black Tuesday (Microsoft Security Bulletin release day).
May 05, 2004
TheOpenCD: "TheOpenCD is a collection of high quality Free and Open Source Software. The programs run in Windows and cover the most common tasks such as word processing, presentations, e-mail, web browsing, web design, and image manipulation. We include only the highest quality programs, which have been carefully tested for stability and which we consider appropriate for a wide audience."
Microsoft Hardening Systems and Servers: Checklists and Guides: "These guides and checklists help you improve the security of your systems whether they are new or already in operation."
Technet Briefings - link to slides and info from various MS events.. including the Microsoft Security Summit I attended last Friday.
May 03, 2004
Symantec Security Response - W32.Sasser.B.Worm
PSS Security Response Team Alert - New Worm Sasser
The worm exploits the Local Security Authority Subsystem Service (LSASS) vulnerability fixed in Microsoft Security Update MS04-011 (835732) on April 13, 2004. As of right now, there are 2 other variants of this worm.
A friend of mine called me from his job Sunday evening for help clearing it off of most of the computers in his department. It's pretty nasty, seems to totally screw up the LSASS service. (Local Security Authority Subsystem Service provides an interface for managing local security, domain authentication, and Active Directory processes. It handles authentication for the client and for the server.) He had issues opening programs (event viewer, msconfig, etc) because of authentication issues, the computer would reboot, safe mode would have issues, the cpu would max out..
Here are details from Symantec:
1. Attempts to create a mutex called Jobaka3 and exits if the attempt fails. This ensures that no more than one instance of the worm can run on the computer at any time.
2. Copies itself as %Windir%\avserve2.exe.
3. Adds the value: "avserve2.exe"="%Windir%\avserve2.exe" to the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run so that the worm runs when you start Windows.
4. Uses the AbortSystemShutdown API to hinder attempts to shut down or restart the computer.
5. Starts an FTP server on TCP port 5554. This server is used to spread the worm to other hosts.
6. Attempts to connect to randomly-generated IP addresses on TCP port 445. If a connection is made to a computer, the worm sends shellcode to that computer which may cause it to run a remote shell on TCP port 9996. The worm then uses the shell to cause the computer to connect back to the FTP server on port 5554 and retrieve a copy of the worm. This copy will have a name consisting of 4 or 5 digits followed by _up.exe (eg 74354_up.exe).
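Those six behaviours are also a usable checklist when a friend calls you about a room full of rebooting machines. The script below is an added example, not part of the Symantec write-up, that turns them into a sweep over three things you can collect from a suspect box without the worm getting in your way: the HKLM\...\CurrentVersion\Run values, a file listing of %Windir% and system32, and `netstat -an` output. The sample evidence is constructed to look like an infected host; on a real one, feed it the actual exports. The mutex (step 1) and the AbortSystemShutdown trick (step 4) need live process inspection and are not covered here.

```python
import re

# Indicators lifted from the Symantec description quoted above (Sasser.B).
SASSER_B = {
    "binary": "avserve2.exe",
    "run_value": "avserve2.exe",
    "listen_ports": {5554: "worm's FTP server", 9996: "remote shell opened by the LSASS exploit"},
    "scan_port": 445,
    "dropped_name": re.compile(r"^\d{4,5}_up\.exe$", re.IGNORECASE),
}

# Constructed sample evidence, shaped like what you would pull off an infected XP box
# (Run key export, dir listing, `netstat -an`). Not from a real host.
SAMPLE_RUN_KEY = {
    "SynTPEnh": r"C:\Program Files\Synaptics\SynTP\SynTPEnh.exe",
    "avserve2.exe": r"C:\WINDOWS\avserve2.exe",
}
SAMPLE_FILES = [
    r"C:\WINDOWS\avserve2.exe",
    r"C:\WINDOWS\system32\74354_up.exe",
    r"C:\WINDOWS\notepad.exe",
]
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5554           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:9996           0.0.0.0:0              LISTENING
  TCP    10.1.2.3:1128          203.0.113.7:445        SYN_SENT
  TCP    10.1.2.3:1129          198.51.100.42:445      SYN_SENT
  TCP    10.1.2.3:1130          192.0.2.9:445          SYN_SENT
  TCP    10.1.2.3:1031          10.1.2.10:445          ESTABLISHED
"""

_NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)")

def parse_netstat(text):
    """(local_addr, local_port, remote_addr, remote_port, state) for each TCP row of netstat -an."""
    rows = []
    for line in text.splitlines():
        m = _NETSTAT_RE.match(line)
        if m:
            rows.append((m.group(1), int(m.group(2)), m.group(3), int(m.group(4)), m.group(5)))
    return rows

def sasser_indicators(run_key, files, netstat_text, syn_sent_threshold=3):
    """Return human-readable findings; an empty list means none of the Sasser.B indicators were seen."""
    findings = []
    # step 3: persistence via the Run key
    for name, path in run_key.items():
        if name.lower() == SASSER_B["run_value"] or path.lower().endswith("\\" + SASSER_B["binary"]):
            findings.append("Run key persistence: %s = %s" % (name, path))
    # steps 2 and 6: the worm body and the NNNNN_up.exe copies it fetches over FTP
    for path in files:
        base = path.rsplit("\\", 1)[-1]
        if base.lower() == SASSER_B["binary"]:
            findings.append("worm binary on disk: " + path)
        elif SASSER_B["dropped_name"].match(base):
            findings.append("FTP-retrieved copy on disk: " + path)
    # steps 5 and 6: listeners on 5554/9996 plus a spray of half-open connections to random hosts on 445
    syn_sent_445 = 0
    for _local, lport, _remote, rport, state in parse_netstat(netstat_text):
        if state == "LISTENING" and lport in SASSER_B["listen_ports"]:
            findings.append("listener on TCP %d (%s)" % (lport, SASSER_B["listen_ports"][lport]))
        elif state == "SYN_SENT" and rport == SASSER_B["scan_port"]:
            syn_sent_445 += 1
    if syn_sent_445 >= syn_sent_threshold:
        findings.append("%d half-open outbound connections to TCP 445: scanning behaviour" % syn_sent_445)
    return findings

if __name__ == "__main__":
    for finding in sasser_indicators(SAMPLE_RUN_KEY, SAMPLE_FILES, SAMPLE_NETSTAT):
        print("[!]", finding)
```

The SYN_SENT count is the indicator that still works when the file names change in the next variant: a workstation with a pile of half-open connections to random addresses on 445 is scanning, whatever the binary is called. An ESTABLISHED session to your own file server on 445 is normal and is deliberately not counted.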
April 28, 2004
TweakXP.com - Remove Windows Messenger: Start - Run - then type: RunDll32 advpack.dll,LaunchINFSection %windir%\INF\msmsgs.inf,BLC.Remove
Yeah you're supposed to be able to remove Messenger via Add/Remove Windows Components, but it never worked for me. THE DAMN THING WOULDN'T GO AWAY!!
Download details: SQL Server 2000 Books Online (Updated) - Download the updated documentation for Microsoft SQL Server 2000. SQL Server Books Online January 2004 Update includes the complete documentation that shipped with SQL Server 2000 plus revisions.
SQL Server Administration Articles
Microsoft SQL Server: 10 Steps to Help Secure SQL Server 2000
Microsoft SQL Server: Setup and Administration - Tek-Tips Forums: "Microsoft SQL Server: Setup and Administration Forum"
SQL Server Administration FAQ
JSI Tip 3079. SQL Server 2000 Database Recovery: Backup and Restore - Webcast. - "In this session, we will discuss the new SQL Server recovery models, as well as the enhancements made to backup and restore on the newly redesigned SQL Server 2000. We will also talk about the enhancements and challenges you may encounter while deploying log shipping on SQL Server Enterprise Edition. We will also talk about the directions you can use to deal with, and be prepared for, disaster recovery and compare those with previous versions."
JSI Tip 6662. Support WebCast: Microsoft SQL Server 2000 Service Pack 3. - Microsoft SQL Server 2000 Service Pack 3 is the latest and most comprehensive update to SQL Server 2000. This WebCast will feature the changes throughout the product that you must know about, including the addition of Watson to SQL Server.
April 27, 2004
More attack code surfaces for recent MS security holes - Computerworld: "Just days after Microsoft Corp. warned its customers about the release of code that can exploit a hole in its Secure Sockets Layer (SSL) library, new code that claims to exploit another recently disclosed hole surfaced on a French-language Web site.
The computer code can be used by a remote attacker to trigger a buffer overrun vulnerability in the Local Security Authority Subsystem (LSASS), according to a message posted to www.k-otik.com. Microsoft released a patch for the LSASS vulnerability, MS04-011, on April 13, along with fixes for the SSL problem and a number of other vulnerabilities (see story). "
April 26, 2004
Geek News Central - Microsoft has RSS feed for Security Bulletins - here's the rss link: http://www.microsoft.com/technet/security/bulletin/secrss.aspx
Office 2003 Editions Resource Kit Administrative Updates - The Office Resource Kit offers the latest information about deploying administrative updates for Microsoft Office 2003 in your organization. Included here is a comprehensive list of updates released for Office 2003 Editions.
Download details: Microsoft Office 2000 to Microsoft Office 2003 Migration Issues: "This paper explains the basic differences between Microsoft Office 2000 and Microsoft Office 2003 at a cursory level. It describes the obvious changes a user might see in the menu bar user interface and what a user might perceive as a bug, depending on his or her advanced usage of the various Office applications. This paper also provides a summary of the most likely issues an administrator might encounter during and after a migration of Office 2000 to Office 2003. Included is information about several design changes that affect programmatic access to Office application objects, which may also affect custom applications."
April 23, 2004
SecurityFocus HOME Mailing List: BugTraq: "Potential Microsoft PCT worm (MS04-011) - A revised exploit has been released for the PCT flaw in the last 24-hrs by THC (THCIISSLame.c). For the last few hours we have also been receiving uncorroborated anecdotal evidence from reliable sources that a working worm is being trialled on the Internet, in preparation for imminent release. The primary concern is that this flaw affects unpatched SSL enabled IIS servers, which could potentially be thousands of hosts."
April 20, 2004
Active Directory Operations Guide: Appendix B - Procedures Reference - Awesome reference for various Active Directory procedures.
April 19, 2004
Intel(R) IT Manager Game - A flash game by Intel. You're an IT Manager with a bunch of whiny end-users who all want upgrades. Gain extra budget points by answering trick questions thrown at you by the CEO. It looks fun, but only if it would let me log in (just sits there trying to save my details). I wanna manage the Mickey Mouse Club!!
April 16, 2004
Exploits Available For MS04-11 Vulns - **PATCH NOW** :: Internet Security Information & Tools :: All Security, all the time - latest news, tips, and tools and Ask an expert your security question.: "Dave Aitel of Immunity Security has stated publicly that they have released working exploits of two vulnerabilities patched by MS04-011 to their CANVAS customers:"
[Dailydave] worms: "So Immunity released our lsass exploit to CANVAS today, as well as a working ASN.1 exploit (with much credit to Solar Eclipse). One of the great things about the lsass exploit is that not only is it perfectly reliable on all service packs, but it can also not kill the service if it doesn't want to!"
Hack In The Box - Keeping Knowledge Free - www.hackinthebox.org: "No need to double-click to be infected by Netsky-V the new Netsky-V worm (W32/Netsky-V) spreads without using email attachments to infect. Other widespread versions of the Netsky worm have infected users by tempting them to double-click on an email attachment, but Netsky-V exploits security loopholes in Microsoft's software that mean users can be hit just by reading an email. "
April 15, 2004
Exchange FAQs - Just as the title says, Exchange FAQs for versions 5.5, 2000, and 2003.
April 13, 2004
Microsoft Security Bulletin MS04-011: Security Update for Microsoft Windows (835732) - Security Update for Microsoft Windows (835732) - Critical - Remote Code Execution (a list of vulnerabilities).
Microsoft Security Bulletin MS04-012: Cumulative Update for Microsoft RPC/DCOM (828741) - Cumulative Update for Microsoft RPC/DCOM (828741) - Critical - Remote Code Execution
Microsoft Security Bulletin MS04-013: Cumulative Security Update for Outlook Express (837009) - Cumulative Security Update for Outlook Express (837009) - Critical - Remote Code Execution
Microsoft Security Bulletin MS04-014: Vulnerability in the Microsoft Jet Database Engine Could Allow Code Execution (837001) - Vulnerability in the Microsoft Jet Database Engine Could Allow Code Execution (837001) - Important - Remote Code Execution
Cooperative Linux - Cooperative Linux is the first working free and open source method for optimally running Linux on Microsoft Windows natively. More generally, Cooperative Linux (short-named coLinux) is a port of the Linux kernel that allows it to run cooperatively alongside another operating system on a single machine. For instance, it allows one to freely run Linux on Windows 2000/XP, without using commercial PC virtualization software such as VMware, in a way which is much more optimal than using any general purpose PC virtualization software.
April 09, 2004
I've run into issues with this in the past: a user thinks they're cute and sets up a background, but for some reason it always shows up as the default. Here are the registry entries to remove it:
Here's how to change which bitmap displays on the desktop before Windows NT log in: "With a simple registry change, you can change the default bitmap that displays behind the logon prompt in Windows NT 4.0. You will need to have the bitmap you want to use in the Winnt directory, with an 8.3 naming convention name.
Hive: HKEY_USERS
Key: Default\Control Panel\Desktop
Name: Wallpaper
Data Type: REG_SZ
Value: Full path to the bitmap
There are also other Values that apply:
Name: TileWallpaper
Data Type: REG_SZ
Value: 0 for tiling, 1 for no tiling
Name: WallpaperStyle
Data Type: REG_SZ
Value: 0 for normal, 2 for full-screen"
Local Area Security: "Local Area Security Linux is a 'Live CD' distribution with a small footprint. Containing over 200 information security and administration related tools. As well as a full desktop environment and office productivity applications."
The Metasploit Project: "The Metasploit Framework is an advanced open-source platform for developing, testing, and using exploit code. This release includes 18 exploits and 27 payloads; many of these exploits are either the only ones publicly available or just much more reliable than anything else out there. The Framework will run on any modern system that has a working Perl interpreter, the Windows installer includes a slimmed-down version of the Cygwin environment."
asleap home page - [The author] wrote asleap while researching weaknesses in the Cisco proprietary LEAP protocol, after discovering that LEAP uses a modified MS-CHAPv2 exchange to authenticate users. MS-CHAPv2 is very bad.
April 08, 2004
Take a look at "addusers.exe" and "usrtogrp.exe" in the W2K Admin Kit.
Batchfile setusers.bat:
addusers /c c:\apps\addusers.txt /p:ce
usrtogrp c:\apps\usrtogrp.txt
regedit /s autologon.reg
exit
addusers.txt:
[Users]
(username),(full name),(password),
usrtogrp.txt:
DOMAIN:localmachine
LOCALGROUP:Administrators
(username)
autologon.reg:
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DefaultUserName"="(username)"
"DefaultPassword"=""
"AutoAdminLogon"="1"
Resources:
autologon
Batch files - Use REGEDIT to add, read, or delete registry values
Windows 2000 Resource Kit - MS website
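Added example, not part of the original post or of the Resource Kit tools: a PowerShell script that reads back the two registry areas covered above, the logon-desktop wallpaper values under HKEY_USERS (the subkey is spelled .DEFAULT in the registry) and the Winlogon values that autologon.reg writes, and flags the case where AutoAdminLogon is on with a DefaultPassword sitting in clear text under HKLM, which any local user can read. It assumes the Remote Registry service is reachable on the target (the same requirement as regedit's "Connect Network Registry"), and it only reports; it never prints the password value itself.

```powershell
# Added example (not from the original post). Audits the registry values
# discussed above over the Remote Registry service. Nothing is modified.

function Get-RemoteKeyValues {
    # Returns a hashtable of ValueName -> value for one key, or $null if the key is absent.
    param(
        [Parameter(Mandatory)][Microsoft.Win32.RegistryHive]$Hive,
        [Parameter(Mandatory)][string]$SubKey,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($Hive, $ComputerName)
    try {
        $key = $base.OpenSubKey($SubKey)
        if (-not $key) { return $null }
        $result = @{}
        foreach ($name in $key.GetValueNames()) { $result[$name] = $key.GetValue($name) }
        $key.Close()
        return $result
    } finally {
        $base.Close()
    }
}

function Get-LogonWallpaper {
    # The Wallpaper / TileWallpaper / WallpaperStyle values quoted above live
    # under HKEY_USERS\.DEFAULT, the profile the logon desktop is drawn from.
    param([string]$ComputerName = $env:COMPUTERNAME)
    $v = Get-RemoteKeyValues -Hive Users -SubKey '.DEFAULT\Control Panel\Desktop' -ComputerName $ComputerName
    if (-not $v) { return $null }
    [pscustomobject]@{
        ComputerName   = $ComputerName
        Wallpaper      = [string]$v['Wallpaper']
        TileWallpaper  = [string]$v['TileWallpaper']
        WallpaperStyle = [string]$v['WallpaperStyle']
    }
}

function Get-AutoLogonStatus {
    # Winlogon values set by autologon.reg. A non-empty DefaultPassword here is
    # plain text under HKLM, readable by every local user; the safer way to keep
    # autologon is a tool that stores the password as an LSA secret instead.
    param([string]$ComputerName = $env:COMPUTERNAME)
    $v = Get-RemoteKeyValues -Hive LocalMachine `
        -SubKey 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -ComputerName $ComputerName
    if (-not $v) { return $null }
    $enabled  = ([string]$v['AutoAdminLogon']) -eq '1'
    $hasClear = ([string]$v['DefaultPassword']).Length -gt 0
    $finding = if ($enabled -and $hasClear) {
        'AutoAdminLogon on, DefaultPassword stored in clear text under HKLM'
    } elseif ($enabled) {
        'AutoAdminLogon on, no cleartext DefaultPassword (password likely held as an LSA secret)'
    } else {
        'AutoAdminLogon off'
    }
    [pscustomobject]@{
        ComputerName      = $ComputerName
        AutoAdminLogon    = $enabled
        DefaultUserName   = [string]$v['DefaultUserName']
        ClearTextPassword = $hasClear   # only the fact that one exists, never the value
        Finding           = $finding
    }
}

# Usage: walk the same machine list the batch file was rolled out to. The list
# below is a constructed placeholder; the local machine is used so it runs anywhere.
foreach ($pc in @($env:COMPUTERNAME)) {
    Get-LogonWallpaper -ComputerName $pc
    Get-AutoLogonStatus -ComputerName $pc
}
```

Run it from an account that is a local administrator on each target; the Remote Registry service must be started there, as it would be for regedit's remote connection. The DefaultPassword line in autologon.reg and the password column in addusers.txt are the two places this rollout leaves a credential in clear text, so clearing both files off the share once the machines are built is worth doing alongside the check.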
April 05, 2004
Personal Message Store Export Utility: "PMSEU was designed to export Internet messages out of Outlook while preserving the Internet headers during export"
At startup PMSEU attempts to locate all message stores. These are displayed in the first list box. Selecting one of the message stores listed in the 1st list box will fill the 2nd list box with all the root level folders in the message store. Selecting a folder in the 2nd list box fills the 3rd list box with any subfolders found in the folder you selected. The utility does not support folders beyond that level but the source code is included if you need to drill farther down. You can export messages out of items listed in either list box #2 or list box #3. Just select a folder to export from, type a filename to export to into the edit box and press the Export button.
March 31, 2004
Ultrasound - Monitoring and Troubleshooting Tool for File Replication service (FRS): "Ultrasound is a powerful tool to measure the health of FRS replica sets by providing health ratings and historical information about replica sets. Ultrasound also allows administrators to monitor the progress of replication and detect problems that can cause replication to become backlogged or stopped. "
March 30, 2004
Freeware at nohack.de - nohack scanner - Free portscanner that is insanely fast compared to other portscanners I've tried before. (My test system took only 52 seconds to do a complete tcp/udp scan). Small, no install, free.
March 29, 2004
287497 - How to Use the Inbox Repair Tools to Recover Messages
From Lockergnome: The Inbox Repair Tool can be used to fix corrupt PST files and even OST files. Although the tool can be useful, it isn't always able to repair every PST file. It works by repairing the PST file's header and then deleting anything in the file that it doesn't understand. So if a PST file's header is damaged, as may be the case for corruption that occurs during a version upgrade of Office, the tool should have no trouble making the repair. But if the data within the file is corrupt, the Inbox Repair Tool will likely destroy what's left of the file. That's why it's always good to make a backup of the PST file before running the Inbox Repair Tool.
272279 - How to Troubleshoot the File Replication Service and the Distributed File System
285923 - Error Messages Every 5 Minutes Report Events 1000, 1001, and 13508, Citing Replication Trouble
281271 - Windows 2000 Certification Authority Configuration to Publish Certificates in Active Directory of Trusted Domain
Certification Authority Does Not Publish Certificate Revocation List to Active Directory
March 24, 2004
TechReviewer.com :: Tweak Windows XP :: - The purpose of this guide is to tweak Windows XP for optimal performance, get rid of all the useless extras that Windows XP comes with, and to decrease the startup time of Windows XP.
March 22, 2004
Hack In The Box - 'Witty' Worm Wrecks Computers: "The 'Witty' worm writes random data onto the hard drives of computers equipped with the Black Ice and Real Secure Internet firewall products, causing the drives to fail and making it impossible to restart the PCs. Unlike many recent worms that arrive as e-mail attachments, it spreads automatically to vulnerable computers without any action on the part of the user. At least 50,000 computers have been infected so far..."
Looks as if M$ isn't the only one whose products are affected by these types of worms.
New Bagle worms crawl through old Microsoft hole - Computerworld: "Antivirus companies issued software updates and alerts about Bagle.Q, R, S and T. The new versions of the worm, which first appeared in January, don't carry file attachments containing the virus. Instead, they use a months-old Windows security hole to break into vulnerable machines.
'It's really nasty. Just previewing a message in an e-mail client could download the virus to your computer,' said Graham Cluley, senior technology consultant at Sophos PLC in Abingdon, U.K. "
Windows Update Services - Read about the new and improved SUS.
Windows Update Services (WUS) is the new name for the next version of the update management solution currently known as Software Update Services (SUS). Windows Update Services will support updating Windows®, Office, SQL Server™, and other Microsoft products and will provide significantly expanded capabilities over SUS.
After reading the WUS data sheet I've found quite a few additions to the original SUS that I've been looking for in 3rd-party patch management tools:
1. Updates all MS products, as well as critical driver updates, non-critical updates, etc.
2. Ability to scan systems for missing patches.
3. Ability to uninstall updates, including group uninstall.
4. Target systems for update deployment.
5. Network optimization - BITS, MSI, download resumption, optimization for branch offices.
6. Status reports allow admins to easily determine update deployment status (success, failure, error, etc)
7. Allows extensive logging to SQL database.
8. Client software will auto-update itself if necessary.
9. Can be deployed in a hierarchical topology (parent/child servers).
10. Encrypts communications between WUS and the Microsoft Update download servers as well as server-server and server-client communications.
11. Uses digital signatures to verify updates are from Microsoft.
12. Easier Admin interface - new design.
13. Group policy client configuration.
14. Ability to specify which updates get deployed on specifically targeted machines.
15. Allows for command-line and script-based control.
I'm hoping to get to play with this sometime soon (hurry and release a beta Microsoft!!). WUS looks like it could kill the 3rd party solutions I was testing and all this for FREE!! It looks like it has the best features from several 3rd party products I've seen - just hope it works as well as it looks. Fuck SUS, go WUS!
March 15, 2004
317249 - How to Troubleshoot Event ID 2021 and Event ID 2022
228766 - How to Change the Server Service Properties
Miranda Instant Messenger - Miranda IM is a nice little multi-protocol instant messaging client that supports AIM, Yahoo, MSN, ICQ, Jabber, netsend, IRC, etc, etc. The client is extremely customizable and uses plug-ins for most of its functionality. If you use more than one IM client or need to be able to customize your apps, take a look at Miranda.
There are many reasons to use Miranda IM.
Here are a few:
~ It's smaller, starts and runs faster, uses less memory
~ It contains no advertising or spyware
~ It takes up less space on your screen
~ It has support for plugins to extend the functionality
~ It supports more IM protocols than other clients
~ It requires no installation, so it can be easily moved from computer to computer
~ It is highly customisable
~ It is open source (GPL). Only open source software can be truly free and completely trustworthy with your privacy.
March 09, 2004
Microsoft Security Bulletin MS04-008: Vulnerability in Windows Media Services Could Allow a Denial of Service (832359) - Moderate
Microsoft Security Bulletin MS04-009: Vulnerability in Microsoft Outlook Could Allow Code Execution (828040) - Important
Microsoft Security Bulletin MS04-010: Vulnerability in MSN Messenger Could Allow Information Disclosure (838512) - Moderate
March 05, 2004
Restore Files - Restore files which are deleted from the recycle bin or deleted while holding down the Shift key by mistake.
Conversely, this program also has a function that makes it almost impossible to restore any deleted files.
You can use it after deletion of confidential documents, embarrassing files and so on.
You don't have to install it, so it doesn't leave any garbage in the PC.
(You can also run it from a floppy disk.)
March 04, 2004
Download details: Windows 2000 Registry Repair Utility - Registry corruption in Windows 2000 can prevent your system from booting. The Windows 2000 Registry Repair Utility is a tool that can help to recover a Windows 2000 system from registry corruption. This utility can be downloaded onto floppy disks and then run on the system with the corrupted registry. Six floppy disks are required for downloading this utility. The utility will attempt to repair the corrupted registry and allow your machine to boot again.