Top 10 System Administrator Truths

December 05, 2005


Top 10 System Administrator Truths: "I figure with enough time and effort, anyone could be a System Administrator. Really, it’s not hard, it just takes practice, methodology, and trial and error. A lot of trial and error. These truths will certainly get you on your way. Let’s get started."

Great list; can't find one item I don't agree with him on. Also check out his "8 End-User Troubleshooting Tips" - I enjoyed #8.

Certificate Services

November 14, 2005


Certificate Services "Certificate Services provides customizable services for issuing and managing certificates that are used in software security systems that employ public key technology. Certificate Services is available on computers running Microsoft® Windows Server™ 2003, Standard Edition; Microsoft® Windows Server™ 2003, Enterprise Edition; and Microsoft® Windows Server™ 2003, Datacenter Edition."

Huge resource.. contains checklists, how-to's, etc.

The Administrator Accounts Security Planning Guide

November 11, 2005


The Administrator Accounts Security Planning Guide: "This guide will be an indispensable resource when you plan strategies to secure administrator-level accounts in Microsoft Windows NTbased operating systems such as Windows Server 2003 and Windows XP. It addresses the problem of intruders who acquire administrator account credentials and then use them to compromise the network. The main goal of this guide is to provide prescriptive guidance in terms of the steps you can take to secure your local and domain-based administrator-level accounts and groups. This guidance is based on Microsoft Security Center of Excellence (SCoE) experience in customer environments and represents Microsoft best practices."

Free TechNet Magazine Subscription


"TechNet Magazine provides the in-depth, hands-on information that IT professionals can use in their daily work. We'll bring you information on Windows administration, successful software deployment, pain-free migration, fortifying your network, patch management, and many more of the topics you need in order to succeed.

Subscribe to TechNet Magazine (Free* to qualified IT professionals)."

AIM worm plays nasty new trick

October 28, 2005


AIM worm plays nasty new trick | CNET "In addition to the 'lockx.exe' rootkit file, the new worm delivers a version of the Sdbot Trojan horse, said FaceTime, which sells products to protect instant-messaging traffic. Sdbot opens a backdoor on the infected PC. The worm also places several spyware and adware applications, including 180Solutions, Zango, the Freepod Toolbar, MaxSearch, Media Gateway and SearchMiracle, the company added.

Worms on IM networks can spread rapidly. They appear as a message from a buddy with a link that looks innocent, but in fact points to malicious code somewhere on the Internet. Once the user clicks on the link, malicious code is installed and runs on the computer. The worm then spreads itself by sending messages to all names on the victim's contact list."

More ammo for the "Do Not Install IM Apps at Work" argument. I've personally had to clean some crap off of some computers recently as a result of an IM worm. The biggest issue with most users is that stuff like this, whether it be from IM or Email, is confusing when it looks like it's coming from a trusted source. This has been an issue ever since email viruses started appearing, and without proper education, they'll only continue to spread.

If you must use IM at work, look into hosting your own solution. Right now I'm testing Jive Messenger (Jabber) Server (has both linux and windows versions, plugin support, and a great admin interface) along with the Exodus client. It's still in the testing phase, so if anyone has any other Jabber/XMPP solutions I'd love to hear about them (I'm also looking for free or cheap). I've also tested the Pandion client and the Psi Client. Pandion looked good for end users (almost no options for them to customize) but had some issues on the admin side (still worth a look though). Psi reminded me of the old ICQ interface (haven't used it in years, the interface may be the same), which would be difficult for users to navigate. If some users need outside IM access, a client like Gaim (my current fav) will allow access to multiple networks via one interface. Training only a handful of users how to properly use outside IM networks is many times better than training the entire office. Again, if anyone has any good suggestions for my project, please drop me an email or comment.

Suggested Firefox Extensions

October 22, 2005


Here's the Firefox extensions that I think are "MUST HAVES" for proper Firefox use:

Googlebar Lite - A light-weight Google search toolbar.
BlogThis - Adds right-click access to Blogger's BlogThis popup.
Image Zoom - Adds zoom functionality for images.
IE View - Open pages in IE via FireFox menus.
Gmail Notifier - A notifier for Gmail accounts.
PDF Download - Allows you to choose whether you want to view a PDF file in a new tab or download it.
TinyUrl Creator - Brings the functionality into Firefox.
Open link in... - Adds more tab/window opening options to the context menus.
Forecastfox - Get weather forecasts from Accuweather and display it in any toolbar or status bar.
ChatZilla - Clean, easy to use and highly extensible IRC client.
Edit Config Files - Edit Firefox's configuration files.
Adblock - Filters ads from web-pages (can import/export and use wildcards).
Tabbrowser Preferences - Enhances control over some aspects of tabbed browsing.
Fasterfox - Performance and network tweaks for Firefox.
SessionSaver - Magically restores your last browsing session and allows you to save sessions.
Download Statusbar - View and manage downloads from a tidy statusbar.
Download Manager Tweak - A modification of the Firefox download manager.
Tab X - Adds a close button to each of the browser tabs.
ShowIP - Show the IP address of the current page in the status bar and can pull whois info.
Copy Plain Text - Copies text without formatting.

I hope you find them as useful as I have. I suggest going to the Firefox Extensions page for installation. Don't have Firefox yet?? Get it here: Get Firefox.

IEHistoryView: Freeware Internet Explorer History Viewer

October 21, 2005


IEHistoryView: Freeware Internet Explorer History Viewer: "Each time that you type a URL in the address bar or click on a link in Internet Explorer browser, the URL address is automatically added to the history index file. When you type a sequence of characters in the address bar, Internet Explorer automatically suggests all URLs that begin with the character sequence that you typed (unless the AutoComplete feature for Web addresses is turned off). However, Internet Explorer doesn't allow you to view and edit the entire URL list that it stores inside the history file.

This utility reads all information from the history file on your computer, and displays the list of all URLs that you have visited in the last few days. It also allows you to select one or more URL addresses, and then remove them from the history file or save them into text, HTML or XML file. In addition, you are allowed to view the visited URL list of other user profiles on your computer, and even access the visited URL list on a remote computer, as long as you have permission to access the history folder."

More good stuff from the guys at Nirsoft.

Free (as in beer) VMware Player


VMware Player - VMware Player is free software that enables PC users to easily run any virtual machine on a Windows or Linux PC. VMware Player runs virtual machines created by VMware Workstation, GSX Server or ESX Server and also supports Microsoft virtual machines and Symantec LiveState Recovery disk formats.

Download details: SyncToy v1.0

October 17, 2005


Download details: SyncToy v1.0: "SyncToy is a free PowerToy for Microsoft Windows XP that provides an easy to use, highly customizable program that helps users to do the heavy lifting involved with the copying, moving, and synchronization of different directories. Most common operations can be performed with just a few clicks of the mouse, and additional customization is available without added complexity. SyncToy can manage multiple sets of folders at the same time; it can combine files from two folders in one case, and mimic renames and deletes in another. Unlike other applications, SyncToy actually keeps track of renames to files and will make sure those changes get carried over to the synchronized folder."

Critical Windows patch may wreak PC havoc


Critical Windows patch may wreak PC havoc | CNET "The patch was released Tuesday to fix four Windows flaws, including one that experts predict will be exploited by a worm in the coming days. The flaw, tagged 'critical' by Microsoft, lies in a Windows component for transaction processing called the Microsoft Distributed Transaction Coordinator, or MSDTC."

The Microsoft Advisory:

Systems that have changed the default Access Control List permissions on the %windir%\registration directory may experience various problems after you install the Microsoft Security Bulletin MS05-051 for COM+ and MS DTC

Exploit code raises Windows worm alarm

October 14, 2005


Exploit code raises Windows worm alarm | CNET "Exploit code exists for four of the 14 vulnerabilities for which Microsoft provided fixes this week, experts said Thursday. One of the exploits was written for a flaw which Microsoft tagged as 'critical.' The bug lies in a Windows component for transaction processing called the Microsoft Distributed Transaction Coordinator, or MSDTC.

'When we start to see exploits surfacing, we know there will shortly be malicious code,' said Alfred Huger, a senior director at Symantec Security Response. 'We expect at least the MSDTC vulnerability to be used in a worm in the short term.'"

It's sorta hard to decipher all the hype from reality.. Yes, in the past few years we've seen several examples of MS vulnerabilities turn into some nasty worms, but lately I've been seeing a news article like this after every major patch release, which just turns out to be all hype. I'm not willing to bet my networks and systems on whether or not this is hype, but unfortunately I fear many will.

Black Tuesday - 9 total, 3 critical

October 11, 2005


Microsoft Security Bulletin MS05-044: Vulnerability in the Windows FTP Client Could Allow File Transfer Location Tampering (905495) - Moderate

Microsoft Security Bulletin MS05-045: Vulnerability in Network Connection Manager Could Allow Denial of Service (905414) - Moderate

Microsoft Security Bulletin MS05-046: Vulnerability in the Client Service for NetWare Could Allow Remote Code Execution (899589) - Important

Microsoft Security Bulletin MS05-047: Vulnerability in Plug and Play Could Allow Remote Code Execution and Local Elevation of Privilege (905749) - Important

Microsoft Security Bulletin MS05-048: Vulnerability in the Microsoft Collaboration Data Objects Could Allow Remote Code Execution (907245) - Important

Microsoft Security Bulletin MS05-049: Vulnerabilities in Windows Shell Could Allow Remote Code Execution (900725) - Important

Microsoft Security Bulletin MS05-050: Vulnerability in DirectShow Could Allow Remote Code Execution (904706) - Critical

Microsoft Security Bulletin MS05-051: Vulnerabilities in MSDTC and COM+ Could Allow Remote Code Execution (902400) - Critical

Microsoft Security Bulletin MS05-052: Cumulative Security Update for Internet Explorer (896688) - Critical

Download details: Using Domain Controller Virtual Machines

October 10, 2005


Download details: Using Domain Controller Virtual Machines: "Running domain controllers in virtual machines is best suited for test and pre-production piloting environments. With strict adherence to the requirements described in this document, domain controllers running in virtual machines can also be used in a production environment."

For more information, see Virtual Server 2005 Administrator's Guide and Using the VMRC client to access virtual machines.

Nematodes: The Making of 'Beneficial' Network Worms

October 07, 2005


{EWeek} Nematodes: The Making of 'Beneficial' Network Worms: "Convinced that businesses will use nonmalicious worms to cut down on network security costs, a high-profile security researcher is pushing ahead with a new framework for creating a 'controlled worm' that can be used for beneficial purposes.

Dave Aitel, vulnerability researcher at New York-based Immunity Inc., unveiled a research-level demo of the "Nematode" framework at the Hack In The Box confab in Kuala Lumpur, Malaysia, insisting that good worms will become an important part of an organization's security strategy."

Something like this is nothing new, but it's still a great idea. Anyone remember the Welchia worm in 2003 that removed the Blaster virus and then installed the MS03-026 patch? I would like to follow Aitel's progress in this area; this kind of tech shows promise.

Slew of Windows patches coming | CNET


Slew of Windows patches coming | CNET "As part of its monthly patching cycle, Microsoft on Tuesday plans to release eight security alerts for flaws in the Windows operating system."

Engineer's Toolbox -

October 03, 2005


Engineer's Toolbox

Excellent resource - Must have RSS feed.

Black Tuesday Fun - No Patches But Some Concern

September 15, 2005


Security Bulletin Search: "Microsoft has no new security bulletins to release as part of the monthly release cycle for the month of September 2005."

Microsoft blames time constraints for pulled patch - "Microsoft has explained why it decided not to issue the latest instalment of monthly security updates, maintaining that it needed more time to test the patches.

'The update release process involves a significant testing focus if customers are to get high quality updates,' explained Tracey Pretorius, Microsoft's PR manager. 'It was a quality issue. We wanted to do some additional testing.'"

Microsoft's delay to patch fuels concerns: "The concerns come after Microsoft announced last Thursday that a critical fix for the Windows operating system would be distributed in the following week. The next day, the software giant pulled the planned patch due to quality issues, according to Mike Reavey, operations manager for the Microsoft Security Research Center."

Download details: Windows XP SP2 Support Tools for Advanced Users


Windows XP SP2 Support Tools for Advanced Users: "The Windows Support Tools for Microsoft Windows XP are intended for use by Microsoft support personnel and experienced users to assist in diagnosing and resolving computer problems. For individual tool descriptions, see the Windows Support Tools documentation (Suptools.chm). "

Windows 2000 Utilities - Network Monitoring Utilities

September 14, 2005


Windows 2000 Utilities (Freeware, Shareware, and affordable software for Windows 2000 Administration)

Nice little collection from the great resource List is a little old, but has some good tools.

Magical Jelly Bean

September 13, 2005


Magical Jelly Bean Software - Magical Jelly Bean Keyfinder v1.41: "The Magical Jelly Bean Keyfinder is a freeware utility that retrieves your Product Key (cd key) used to install windows from your registry. "

Windows Server 2003 Tools

August 27, 2005


Windows Server 2003 Tools: "On this page you'll find downloadable tools that will help you support Windows Server 2003 systems." - Really helpful little collection of tools. Sometimes we overlook the obvious source...

Windows Server 2003 Feature Packs: "On this page you'll find downloadable feature packs that provide all-new Windows Server 2003 solutions and functionality." - Several nice add-ons...

Download details: File Replication Service Diagnostics Tool (FRSDiag.exe): "FRSDiag provides a graphical interface to help troubleshoot and diagnose problems with the File Replication Service (FRS). FRS is used to replicate files and folders in the SYSVOL file share on domain controllers and files in Distributed File System (DFS) targets. FRSDiag helps to gather snap-shot information about the service, perform automated tests against that data, and compile an overview of possible problems that may exist in the environment."

Upgrading from Windows 2000 to Windows Server 2003

August 26, 2005


How to upgrade Windows 2000 domain controllers to Windows Server 2003

Common Mistakes When Upgrading a Windows 2000 Domain To a Windows 2003 Domain

Preparing Your Windows 2000 Network for an Upgrade to Windows 2003, from Global Knowledge Network - White Papers, Webcasts and Case Studies - TechRepublic

Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller

Windows Server 2003 - How to transfer the FSMO Operations Master roles

Transferring FSMO Roles: "How can I transfer some or all of the FSMO Roles from one DC to another?"

Microsoft exploit code hits the web

August 12, 2005


Microsoft exploit code hits the web - "Exploit code has started appearing on hacking websites for a critical Microsoft flaw less than three days after the patch was released.

Security testers at eEye claim to have found two separate examples of working exploit code in the past few hours that could give full control of a target PC. "

Here's some of said exploits, from FrSIRT:
Microsoft Windows 2000 Plug and Play Universal Remote Exploit (MS05-039)
Microsoft Internet Explorer COM Objects File Download Exploit (MS05-038)
Microsoft Windows Plug and Play Remote Buffer Overflow Exploit (MS05-039)

Black Tuesday: 6 Fun Things To Take Away Your Spare Time

August 09, 2005


Microsoft Security Bulletin MS05-038: "Cumulative Security Update for Internet Explorer (896727)" - Critical

Microsoft Security Bulletin MS05-039: "Vulnerability in Plug and Play Could Allow Remote Code Execution and Elevation of Privilege (899588)" - Critical

Microsoft Security Bulletin MS05-040: "Vulnerability in Telephony Service Could Allow Remote Code Execution (893756)" - Important

Microsoft Security Bulletin MS05-041: "Vulnerability in Remote Desktop Protocol Could Allow Denial of Service (899591)" - Moderate

Microsoft Security Bulletin MS05-042: "Vulnerabilities in Kerberos Could Allow Denial of Service, Information Disclosure, and Spoofing (899587)" - Moderate

Microsoft Security Bulletin MS05-043: "Vulnerability in Print Spooler Service Could Allow Remote Code Execution (896423)" - Critical

3 Criticals.. but beware nonetheless. Although labeled Moderate, MS05-041 (RDP) already has an exploit released over at FrSIRT.

Get Home Earlier With Windows Vista

August 04, 2005


Get Home Earlier With Windows Vista: "Windows Vista offers systems engineers, deployment engineers, and support center operators a possibility of life outside of work"

I'll have to admit that I haven't been very excited (at all) about the new Windows Vista (Longhorn). With the loss of WinFS and other features, plus the far away shipping date, I've just ignored all of the hype and looked at this as just MS selling another Service Pack as an OS. Well, this article helps get me a bit more excited by outlining what Vista will do for me, the SysAdmin. Features I'm looking forward to: registry and file virtualization, better Group Policy (configure just about everything), monad, imaging (better, easier to update), customized help functions, better error reporting, more in-depth error messages, hardware monitoring, and hopefully much more as I learn more about this new OS. Of course, I'm taking a wait and see approach to whether or not this stuff lives up to the promises, but if it does, I'll be happy with it.

Here's Microsoft's Resources for IT Professionals website.

NirSoft - freeware utilities: password recovery, system utilities, desktop utilities


NirSoft - freeware utilities: password recovery, system utilities, desktop utilities: "NirSoft web site provides a unique collection of small and useful freeware utilities, all of them developed by Nir Sofer. "

Take a look at his MessenPass, Mail PassView, and his Protected Storage PassView utilities... these will blow your mind! MessenPass pulled out my Gaim Yahoo! Messenger account password and Mail PassView was able to pull out several Outlook account passwords on my box in a matter of seconds (as long as it took for me to double-click). The Protected Storage PassView utility pulls passwords out of IE (saved logins) and just showed me why I NEVER save my passwords in IE or Firefox. This is some scary stuff.. that's one reason why losing physical access to a box results in the end of your security. Wow. If I were you, I'd get this stuff before he wises up and starts selling it.. Right now everything is FREEWARE.

Worm hole found in Windows 2000

August 03, 2005


Worm hole found in Windows 2000 | CNET "The vulnerability in Microsoft's operating system could enable remote intruders to enter a PC via its Internet Protocol address, Marc Maiffret, chief hacking officer at eEye Digital Security, said on Wednesday. As no action on the part of the computer user is required, the flaw could easily be exploited to create a worm attack, he noted.

What may be particularly problematic with this unpatched security hole is that a work-around is unlikely, he said."

This looks to be a little worrisome... We'll just have to take a wait and see approach to what happens with this. Sometimes you have to always remember that there are huge holes out there that just aren't found yet.. and hopefully, the people who do find them are responsible people who won't take advantage (like eEye, who won't release any details until a patch is available).

DefCon 13 Coverage

August 02, 2005

DefCon 13 Coverage: "We now conclude the MAKE Magazine DEFCON coverage. We have a special spot on MAKE with all the enhanced audio podcasts, images, posts and more."

InformationWeek > Security > Hackers Demonstrate Their Skills in Vegas > August 1, 2005: "Even allegedly foolproof biometrics aren't totally safe at Defcon, the conference where crackers, hackers, and feds come to share tips and tricks."

Great coverage of Defcon 13. Unfortunately, I was unable to attend this year, just like every year since Defcon 6. Well, there's always next year... Also, you may want to take a look at the Defcon Media Archives.. a good resource.

Happy System Administrator Appreciation Day !!

July 29, 2005


System Administrator Appreciation Day Friday July 29th 2005: "Friday, July 29th, 2005, is the 6th annual System Administrator Appreciation Day. On this special international day, give your System Administrator something that shows that you truly appreciate their hard work and dedication.

Let's face it, System Administrators get no respect 364 days a year. This is the day that all fellow System Administrators across the globe, will be showered with expensive sports cars and large piles of cash in appreciation of their diligent work. But seriously, we are asking for a nice token gift and some public acknowledgement. It's the least you could do. Consider all the daunting tasks and long hours (weekends too.) Let's be honest, sometimes we don't know our System Administrators as well as they know us. Remember this is one day to recognize your System Administrator for their workplace contributions and to promote professional excellence. Thank them for all the things they do for you and your business."

Happy SysAdmin Day everyone! Here's a little treat, nerdcore style:
Keith Schofield
Geek Rhymes
badd spellah

Upgrading from Windows 2000 Server to Windows Server 2003

July 25, 2005

Windows | How To Upgrade Windows 2000 Domain to Windows 2003 Server - very detailed step by step instruction list.

Microsoft File Server Migration Toolkit: "To make the file server migration and consolidation process easier, Microsoft has released the Microsoft File Server Migration Toolkit. In addition, Microsoft has released guidance for file server migration and consolidation as part of the Solution Accelerator for Consolidating and Migrating File and Print Servers."

Upgrading from Windows 2000 Server to Windows Server 2003: "This white paper provides an overview of the upgrade process and outlines some of the basic decisions to consider—whether you are upgrading an existing system, performing a new installation, or carrying out a migration. "

How to upgrade Windows 2000 domain controllers to Windows Server 2003: "This article discusses how to upgrade Microsoft Windows 2000 domain controllers to Microsoft Windows Server 2003 and how to add new Windows Server 2003 domain controllers to Windows 2000 domains."

Upgrading Windows NT/2000 to Windows 2003 (Part 1): "This article covers the upgrading caveats that need to be considered when upgrading from Windows NT and Windows 2000 Network environments to Windows 2003. Issues encountered during installation and understanding the importance of the minimum requirements prescribed for installing the software, understanding the fundamentals described below will resolve and reduce problems that are usually encountered."

TechNet Virtual Lab: Windows Server 2003 - Now that you upgraded, here's some help learning how to administer it.

80 Super Security Tips

July 22, 2005


80 Super Security Tips: "Whether your PC is 3 years or 3 days old, it faces the same, sometimes scary security issues. Viruses want to attack your system the moment it goes online, spyware is piggybacking with your mail and trying to slide in along with online ads, Trojans lay in wait at every turn and Phish—perhaps the sneakiest attack of all—smile at you while trying to steal your identity.

There are ways out of this mess. These tips can show you what to do, help you better understand the threats and be ready with a plan of counter attack. "

This is a great article.. while most tips are aimed at newbies (good resource for your users), there are some good tidbits for advanced users. Really worth a look.

Contact information does not appear in the address book in Outlook 2002 and Outlook 2003


Contact information does not appear in the address book in Outlook 2002 and Outlook 2003: "When you use your address book to select recipients for an e-mail message or a fax message, information from your Contacts folder does not appear in the list."

Ok, this issue was killing me so I had to post the fix...

Interview with Dan Kaminsky on Microsoft 's security

July 21, 2005


Interview with Dan Kaminsky on Microsoft 's security - Discusses his attendance to Blue Hat, and his thoughts on Microsoft's security situation.

Hacking Windows XP: Speed Up Your Network and Internet Connection


Hacking Windows XP: Speed Up Your Network and Internet Connection: "Depending on the type of network connection you have, you might be able to tweak your connection so that the speed of your Internet, as well as your local area network, will be faster. By hacking the System Registry and editing the TCP/IP parameters, you can fine-tune the values to take advantage of more reliable, faster Internet connections, such as DSL and cable."

Thanks ExtremeTech.


July 20, 2005


InventoryISX, Workstation, server, software and computer auditing and inventory tracking.: "The InventoryISX suite is intended to be a Freeware program for auditing the local or remote network(s) of a small to medium type of business, with mainly a Windows Architecture infrastructure. "

This looks very interesting.. I plan on trying this out (and using it if it turns out as good as it looks). Now only if I could get it to download...

Portable USB Programs List


Portable USB Programs List: "USB drives have become very popular lately you can do just about anything with them, this is a good list that covers most common computer functions. The applications will run off USB drives and require no installs."

Not a bad [simple] toolkit list.

Black Tuesday - Mid Summer Edition (July)

July 12, 2005


Microsoft Security Bulletin MS05-035: "Vulnerability in Microsoft Word Could Allow Remote Code Execution (903672)" - Critical

Microsoft Security Bulletin MS05-036: "Vulnerability in Microsoft Color Management Module Could Allow Remote Code Execution (901214)" - Critical

Microsoft Security Bulletin MS05-037: "Vulnerability in JView Profiler Could Allow Remote Code Execution (903235)"

Every time I look at releases like these I can't help but feel ripped off... but way better than what could have been released.

TechNet Virtual Labs

July 07, 2005


TechNet Virtual Labs: "Ever wanted to test Microsoft's newest software in a sandbox environment? Wouldn't it be great to be able to test new servers immediately, without formatting hard drives or dedicating one or more computers to the project? Now you can, with the TechNet Virtual Labs."

This is bloody awesome!! Not only is it a good training tool for the stuff you already use, but you can play with stuff you don't have. (Like I don't use Exchange up here, but I'm really interested in learning it.. now I can virtually).

Articles by Windows Security Expert Randy Franklin Smith


Articles by Windows Security Expert Randy Franklin Smith - very nice collection of articles, covering from recent (2005) back to 2000. Also, his Windows Security Log Encyclopedia is awesome.. a listing of security log events along with an explanation and his personal comments.

Anatomy Of A Hack—The Rise And Fall Of Your Network

July 06, 2005


Anatomy Of A Hack—The Rise And Fall Of Your Network: "One of the great mysteries in security management is the modus operandi of an attacker. What is it that attackers do, and how do they do it? As with all great mysteries, this one generates a lot of interest, accounting for the phenomenal success of books and classes on how to actually attack networks. Although attacking networks can be fun and informative—not to mention illegal if you do not have all the proper permissions—the fact remains that the vast majority of us do not need to know how to do so. "

Nice article on how a hack goes down. A good read, I suggest everyone to take a look. If you have any more of these type articles/stories/case studies/etc, please drop me a comment.

Also, check out this Fun Link.

Nuclear power plant secrets leaked by computer virus

July 05, 2005


Nuclear power plant secrets leaked by computer virus, Sophos reports: "According to the Japanese press, approximately 40MB of confidential reports, related to nuclear power plant inspections over several years, was leaked from a virus-infected computer belonging to an employee of the Mitsubishi Electric Plant Engineering (MPE). The data is said to have been distributed to users of the Winny peer-to-peer file-sharing system. Winny is the most popular file-sharing network in Japan, with over a quarter of a million users."

Prime example of why a great deal of care should be taken when remotely accessing company data.

Worm outbreak feared after port scanning spike -

June 24, 2005


Worm outbreak feared after port scanning spike - "A surge in scanning on a port associated with a Windows flaw patched last week suggests that a mass worm attack may be imminent, experts said.

A rise in activity on TCP Port 445 could be a sign that hackers are trying to exploit a flaw in Server Message Block, Gartner analyst John Pescatore said on Thursday.
Symantec saw a spike in scanning on TCP Port 445 last week but the probing of the port has since gone back to normal levels, Huger said. "I don't think we should be screaming the barn is burning by any means," he said."
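The TCP 445 spike the analysts describe above is something you can watch for in your own perimeter logs. The following is an added example, not code from the original post or the quoted article: it parses constructed firewall log lines (the "timestamp src dst dport action" format is an assumption; adapt the parser to your firewall's export), flags any source probing many distinct hosts on tcp/445 inside a short window, and compares the overall tcp/445 rate against a baseline you supply.

```python
"""Added example: detect a scanning spike on TCP port 445 (SMB) in firewall logs.

Not part of the original post. The log format below is constructed for
illustration; real firewalls export something different, so adjust parse_lines().
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines: one source (10.0.0.5) sweeps a /24 on tcp/445,
# one source (10.0.0.7) talks normally to a single file server, one is web traffic.
SAMPLE_LOG = """\
2005-06-16T10:00:01 10.0.0.5 192.168.1.10 445 DENY
2005-06-16T10:00:02 10.0.0.5 192.168.1.11 445 DENY
2005-06-16T10:00:02 10.0.0.5 192.168.1.12 445 DENY
2005-06-16T10:00:03 10.0.0.5 192.168.1.13 445 DENY
2005-06-16T10:00:03 10.0.0.5 192.168.1.14 445 DENY
2005-06-16T10:00:04 10.0.0.5 192.168.1.15 445 DENY
2005-06-16T10:00:05 10.0.0.7 192.168.1.20 445 ALLOW
2005-06-16T10:00:06 10.0.0.7 192.168.1.20 445 ALLOW
2005-06-16T10:00:07 10.0.0.9 192.168.1.30 80 ALLOW
2005-06-16T10:00:08 10.0.0.5 192.168.1.16 445 DENY
"""


def parse_lines(text):
    """Yield (timestamp, src, dst, dport, action) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts_s, src, dst, dport_s, action = parts
        try:
            ts = datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%S")
            dport = int(dport_s)
        except ValueError:
            continue
        yield ts, src, dst, dport, action


def port445_scanners(text, window_seconds=60, min_targets=5):
    """Return {src: max distinct tcp/445 targets seen in any window} for sources
    that touched at least min_targets distinct hosts within window_seconds.
    A legitimate client talks to a few file servers; a worm sweeps many hosts."""
    events = sorted((e for e in parse_lines(text) if e[3] == 445), key=lambda e: e[0])
    by_src = defaultdict(list)
    for ts, src, dst, _, _ in events:
        by_src[src].append((ts, dst))

    flagged = {}
    for src, hits in by_src.items():
        start = 0
        # Sliding window over this source's tcp/445 connections, in time order.
        for end in range(len(hits)):
            while (hits[end][0] - hits[start][0]).total_seconds() > window_seconds:
                start += 1
            targets = {dst for _, dst in hits[start:end + 1]}
            if len(targets) >= min_targets:
                flagged[src] = max(flagged.get(src, 0), len(targets))
    return flagged


def spike_ratio(text, baseline_per_minute):
    """Observed tcp/445 events per minute divided by a baseline rate you measured
    on a quiet day. Values well above 1.0 are the 'spike' the analysts mention."""
    events = [e for e in parse_lines(text) if e[3] == 445]
    if not events:
        return 0.0
    span = (max(e[0] for e in events) - min(e[0] for e in events)).total_seconds()
    minutes = max(span / 60.0, 1.0)  # count at least one minute of observation
    return (len(events) / minutes) / baseline_per_minute


if __name__ == "__main__":
    print("scanners:", port445_scanners(SAMPLE_LOG))
    print("spike ratio vs. baseline of 3/min:", spike_ratio(SAMPLE_LOG, 3.0))
```

The thresholds (five distinct hosts in sixty seconds, and whatever baseline you pass in) are starting points; tune them against a week of your own normal SMB traffic before alerting on them.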

You should always take what you hear in the news with a grain (sometimes a bag) of salt, but situations like this are an acceptable reason for alarm. Time to get those patches rolling!!

Scott Hanselman's Weblog - Scott Hanselman's 2005 Ultimate Developer and Power Users Tool List

June 21, 2005

Scott Hanselman's Weblog - Scott Hanselman's 2005 Ultimate Developer and Power Users Tool List: "Everyone collects utilities, and most folks have a list of a few that they feel are indispensable. Here's mine. Each has a distinct purpose, and I probably touch each at least a few times a week. For me, util means utilitarian and it means don't clutter my tray. If it saves me time, and seamlessly integrates with my life, it's the bomb.
Here are most of the contents of my C:/UTILS folder. These are all well loved and used. I wouldn't recommend them if I didn't use them constantly."

Holy Crap!! This Developer and Power User's Tool List is an awesome resource. Just scanning through the list I must have opened 10 links to tools. Really worth a look (and a place in your bookmarks).

IT Magazine Resources

June 18, 2005

"FREE one-year magazine subscriptions: computers, business and engineering trade publications" - Great resource of free technical/industry magazines. I get about 10 of these, all free and all to my home.

Here's a list of magazines of interest to the SysAdmin:
Free (to those who qualify)
Network World
Information Security
Information Week
Network Computing
Paid Subscriptions
Windows IT Pro - MUST HAVE
Linux Journal

I know there are others.. if you know of any that should be included, let me know.

Migrating to Symantec AntiVirus Corporate Edition 10.0

June 16, 2005


Migrating to Symantec AntiVirus Corporate Edition 10.0, part 1: "This document gives a detailed description of migrating to Symantec AntiVirus Corporate Edition 10.0 from previous versions of Symantec AntiVirus Corporate Edition or Norton AntiVirus Corporate Edition."

Ok for those with SAV < 10.. The new version 10 offering looks great on paper (according to the release notes at least), but please take note.. I've done a lot of watching newsgroups, mailing lists, forums, etc., and it seems that a ton of people are having issues with it. According to all those who've made it work properly, the above guide must be followed to the letter or you will fail. Here's the experience of Andy (a member of the NTSysAdmin mailing list):

"My experience with the SAVCE 10 migration was relatively painless b\c I did my homework. Symantec published a four part upgrade document and anyone needing to upgrade to 10 needs to read, re-read, take notes and sleep with this doc. Also, take the upgrade in phases. The new SSC will manage version 9 clients, which buys you time. My upgrade went like this:

1. Remove SSC and any other management tools from primary server
2. Reboot server
3. Install new SSC
4. Reboot server
5. Install other management apps
6. Reboot server
7. Deploy AV server to primary server
8. Reboot server
9. Test SSC as needed, ensuring updates are being retrieved, client groups are OK, etc.
10. Deploy SAVCE 10 client to a few clients
11. Reboot clients, if needed
12. Deploy to rest of clients and troubleshoot as needed
13. Clear SSC cache and test."

(IN)SECURE Magazine


(IN)SECURE Magazine: "(IN)SECURE Magazine is a freely available digital security magazine discussing some of the hottest information security topics."

Reading through issue 1.2, I'm finding this magazine to be full of good writing, great info, and professional layout. This isn't something that some kid threw together, but a professional resource. Thanks to HNS.

i.Ftp - No BS FTP client

June 14, 2005


MemeCode - i.Ftp: "i.Ftp is a little graphical FTP client, which does what I need in an FTP client without the size and fuss."

If you're looking for a small (688K d/l), quick, no-install, little footprint ftp client that just gets the job done, this is what you want. Thanks to Matthew Allen and Philipp Krieger for a great little program.

Black Tuesday - 10 from Uncle Bill - 3 Crit


Microsoft Security Bulletin MS05-025: Cumulative Security Update for Internet Explorer (883939) - Critical, Remote Code Execution

Microsoft Security Bulletin MS05-026: Vulnerability in HTML Help Could Allow Remote Code Execution (896358) - Critical

Microsoft Security Bulletin MS05-027: Vulnerability in Server Message Block Could Allow Remote Code Execution (896422) - Critical

Microsoft Security Bulletin MS05-028: Vulnerability in Web Client Service Could Allow Remote Code Execution (896426) - Important

Microsoft Security Bulletin MS05-029: Vulnerability in Outlook Web Access for Exchange Server 5.5 Could Allow Cross-Site Scripting Attacks (895179) - Important

Microsoft Security Bulletin MS05-030: Vulnerability in Outlook Express Could Allow Remote Code Execution (897715) - Important

Microsoft Security Bulletin MS05-031: Vulnerability in Step-by-Step Interactive Training Could Allow Remote Code Execution (898458) - Important

Microsoft Security Bulletin MS05-032: Vulnerability in Microsoft Agent Could Allow Spoofing (890046) - Moderate

Microsoft Security Bulletin MS05-033: Vulnerability in Telnet Client Could Allow Information Disclosure (896428) - Moderate

Microsoft Security Bulletin MS05-034: Cumulative Security Update for ISA Server 2000 (899753) - Moderate

A Quick and Dirty Intro to Nessus (Hacking Illustrated Series)

May 25, 2005


A Quick and Dirty Intro to Nessus (Hacking Illustrated Series) - Nice swf movie to walk you through using Nessus from the Auditor boot CD. There are also more great videos and a nice resource under their General Network Security section. Be sure to use their RSS Feed.

Trojan attack takes files hostage


SecurityFocus HOME News: Trojan attack takes files hostage: "The Trojan downloader (download-aag AKA Pgpcoder) exploits a well-known Internet Explorer vulnerability (MS04-023) to download hostile code onto vulnerable Windows boxes. It then searches for files with various extensions and encodes them. The original documents are deleted and the newly encoded files become unreadable. The malware also drops a message onto the system with instructions on how to buy the tool needed to decode the files, demanding payment of $200 from victims if they ever want to see their documents again. "

I'm in the wrong business. This seems to be the first of its kind in the fact that your files are held for ransom, and I expect in the upcoming years that this type of virus will become commonplace. Another reason why backups are a Good Thing. But for all of you who don't back up your files, have fun with this one.

Google Help : Cheat Sheet

May 23, 2005


Google Help : Cheat Sheet - Awesome..

Best Sites for Windows Powered Pocket PCs, Handheld PCs, and Smartphones

May 19, 2005


Best Sites for Windows Powered Pocket PCs, Handheld PCs, and Smartphones: Awesome resource for those who own or support handheld mobile devices.

Pa1mOne Treo 650

May 16, 2005


Although I don't own a Treo 650, I have been called upon to support these devices. Here are a few resources that I found helpful.

palmOne - Support - Treo 650 - The official support site.

palmOne - FREE Newsletters - keep up-to-date on updates.

Treo650Faq: The Treo 650 Knowledge Base. - tons upon tons of info.

palmOne - Community - Tips for Treo 650 Smartphone - A large list of tips.

Some notes I found interesting:

Access error log after crash:
Press the Phone button.
Using the on-screen dialpad or the number keys enter #*377 (#*ERR on the dialpad for error) and choose Dial.

Google It With Your Treo
A new service from Google enables you to ask questions, retrieve definitions, and much more. Using the Treo messaging program, enter a phrase, for example define pandering, and send it as a text message to 46645. Usually within a minute Google will respond with the definition. Other phrases you can use include pizza followed by a Zip Code to find the names and address of local pizza joints.

Black Tuesday - Not So Bad At All

May 10, 2005


Microsoft Security Bulletin MS05-024: Vulnerability in Web View Could Allow Remote Code Execution (894320) - Important

Almost as good as no updates. Great Birthday present from MS!

How a Bookmaker and a Whiz Kid Took On an Extortionist — and Won

May 04, 2005


How a Bookmaker and a Whiz Kid Took On an Extortionist — and Won - CSO Magazine - May 2005: "Facing an online extortion threat, Mickey Richardson bet his Web-based business on a networking whiz from Sacramento who first beat back the bad guys, then helped the cops nab them. If you collect revenue online, you'd better read this."

Huge article covering Online Extortion; worth the read.

The Java Telnet Application/Applet v2.0


The Java Telnet Application/Applet v2.0: "... is a fully featured telnet implementation coupled with a very sophisticated terminal emulation for VT and ANSI terminals."

Wired News: U.S. Military's Elite Hacker Crew

April 18, 2005


Wired News: U.S. Military's Elite Hacker Crew: "The U.S. military has assembled the world's most formidable hacker posse: a super-secret, multimillion-dollar weapons program that may be ready to launch bloodless cyberwar against enemy networks -- from electric grids to telephone nets."
"In simple terms and sans any military jargon, the unit could best be described as the world's most formidable hacker posse. Ever."

It is interesting to read reports like this. "Cyberwar", "hacker posse", etc. What is the media's fascination with this romanticized vision of the great computer war? This isn't Neuromancer where "Console Cowboys" "punch deck" and mesh with the "Ice" and ride on a digital shark to "cut the AI" (or in Johnny Mnemonic, but it was a digital dolphin that helped "Hack his Brain"). This isn't the final "Hack the Gibson" scene in the movie "Hackers" where you float around a "data city".

The reality of the situation is boring, nothing like the images the media conjures to describe the "Cyberwar". So the Military has some guys that call themselves hackers (who doesn't). They probably sit around in some cubes, a few computer screens in front of them, typing away at some command prompt, running scans on foreign IPs, looking for exploits, intercepting traffic. Probably very boring, nothing like what it is hyped up to be. Maybe it's just me, but I'd love to see the media portray the real, unhyped world of hackers (or just anything to do with computers), but that would be too boring for the masses.

eEye Digital Security - Free WiFi Scanning Tool

April 14, 2005


eEye Digital Security is offering a new free utility, the Retina WiFi Scanner for Windows and for Pocket PC. eEye always produces fine security tools; I suggest you check them out.

Here is an excerpt: "The Retina WiFi Scanner is a comprehensive wireless detection tool that incorporates Retina Network Security Scanner technology to discover all active wireless devices and connections on a company network. Installed on a Windows laptop or desktop PC, Retina WiFi enables security and IT professionals to detect wireless access devices, scan for service and generate detailed reports on their wireless security. Retina WiFi Scanner for Windows can push data to eEye's REM Security Management Console to integrate into a company’s overall vulnerability management system."

Black Tuesday - 5 Critical, 8 Overall

April 12, 2005


Microsoft Security Bulletin MS05-016: Vulnerability in Windows Shell that Could Allow Remote Code Execution (893086) - Important

Microsoft Security Bulletin MS05-017: Vulnerability in Message Queuing Could Allow Code Execution (892944) - Important

Microsoft Security Bulletin MS05-018: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege and Denial of Service (890859) - Important

Microsoft Security Bulletin MS05-019: Vulnerabilities in TCP/IP Could Allow Remote Code Execution and Denial of Service (893066) - Critical

Microsoft Security Bulletin MS05-020: Cumulative Security Update for Internet Explorer (890923) - Critical

Microsoft Security Bulletin MS05-021: Vulnerability in Exchange Server Could Allow Remote Code Execution (894549) - Critical

Microsoft Security Bulletin MS05-022: Vulnerability in MSN Messenger Could Lead to Remote Code Execution (896597) - Critical

Microsoft Security Bulletin MS05-023: Vulnerabilities in Microsoft Word May Lead to Remote Code Execution (890169) - Critical

MS05-019 looks like it can be a huge pain. Have fun!

Two Tools for Friday: CPAU and Powercfg

April 08, 2005


CPAU: "Command line tool for starting process in alternate security context. Basically this is a runas replacement. Also allows you to create job files and encode the id, password, and command line in a file so it can be used by normal users."

This is an awesome little tool. Worth adding to your toolkit. It also has its own forum for help from the user community.

Powercfg: Enables an administrator to control the power settings on a system.

This is a great command-line tool to control those bloody power options. In the past I posted about the GPO solution from EnergyStar, but it turned out to just be too much trouble. This .exe is built into Windows XP SP2, so no software installation is necessary. It allows you to list the power schemes, query their settings, create, delete, change, and more. You can configure via command line everything that you can configure via the GUI. This has really saved me a ton of headaches, since I have over 150 systems that require always on (no hibernation/standby) and the user is locked down to the point that it is impossible to change the power config without changing the GPO settings for all the machines. A little Powercfg and a logon script and the problem is solved!

Beware of WinXP SP2 and group policy issue

April 06, 2005


Beware of WinXP SP2 and group policy issue: "After you install Windows XP [SP2], you may notice an issue when you configure the Windows firewall group policy settings: Group policy-based software distribution does not always occur with the first or second reboot and other group policies are not always applied."

By default, Windows XP does not wait for the network to be initialized at startup and logon, thus some GPOs and GPO settings are missed until the next reboot. This can be changed (as the article states) at 'Computer Configuration\Administrative Templates\System\Logon'.

On another note, the Search/TechTarget site contains a wealth of great information/resources on a (large) variety of subjects. I personally subscribe to over 10 of their many, many mailing lists and receive great tips in my email daily. You may want to check them out.

How to Use Dumpchk.exe to Check a Memory Dump File


How to Use Dumpchk.exe to Check a Memory Dump File: "This article describes Dumpchk.exe, which is a command-line utility that you can use to verify that a memory dump file has been created correctly. Dumpchk does not require access to symbols."

Analyzing Windows 2000 Memory Dumps - From

Troubleshooting Windows STOP Errors (BSOD) and Freezes from the UltraTech Knowledgebase

Remote Exploit - Auditor (Live) CD

April 05, 2005


Rexploit - is a group of security folks that put together a great collection of security tools/information. Best of all, they coupled it with Knoppix (bootable Linux) and threw it all on a CD! It's a fairly slow download, but it looks like it'll be well worth the wait. This CD is even recommended by the FBI.

Another good Knoppix-based security CD I've used (and loved) in the past is Knoppix STD. "{It} is a collection of hundreds if not thousands of open source security tools. It's a Live Linux Distro, which means it runs from a bootable CD in memory without changing the native operating system of the host computer. Its sole purpose in life is to put as many security tools at your disposal with as slick an interface as it can."

Slashdot | Feds Hack Wireless Network in 3 Minutes


Slashdot | Feds Hack Wireless Network in 3 Minutes: "xs3 writes At a recent ISSA (Information Systems Security Association) meeting in Los Angeles, a team of FBI agents demonstrated current WEP-cracking techniques and broke a 128 bit WEP key in about three minutes. {...} This article will be a general overview of the procedures used by the FBI team.'"
The article is here.

It seems that they were breaking the pass phrases used to generate the keys (and not the keys themselves), which is good as long as you don't use passphrases (I use 128-bit hex that I made up - no generation for me!).

Themes/Customizations for Windows Devices

April 02, 2005


Ok so I got tired of the look and feel of my boxen. Since the only computers whose GUI I access are of the Microsoft variety (I only use the command line on my Linux servers), I did a little research and decided to post the results: - massive amount of customizations, great layouts, customizations for anything that can be customized.
Get Skinned - msstyles, wallpapers, bootscreens although not very organized.. - good collection for XP; cursors, boot screens, icons, logons, wallpapers, media player, etc. - a good number of supported programs with a decent number of skins, includes some yahoo! messenger 6 skins, - a few categories, but a good number of files.
Toebee -fairly in-depth guide to making Yahoo Messenger 6 skins, also has a nice little collection of skins he has made.
Neowin UXTheme Multi-Patcher - needed to apply msstyles. - The site I use to get all of my Pocket PC themes, has a TON of files.

If anyone has any more sites they'd like to mention (and there are a ton of them out there), please drop me a comment (or email). Please, no adult-oriented stuff.

Cooperative Linux

March 25, 2005


Cooperative Linux - "Cooperative Linux is the first working free and open source method for optimally running Linux on Microsoft Windows natively. More generally, Cooperative Linux (short-named coLinux) is a port of the Linux kernel that allows it to run cooperatively alongside another operating system on a single machine. For instance, it allows one to freely run Linux on Windows 2000/XP, without using a commercial PC virtualization software such as VMware, in a way which is much more optimal than using any general purpose PC virtualization software."

This looks very promising for those who want to use Linux functionality/programs but can't escape the Windows platform. I'm planning on playing with this on a test machine at some point in the near future. If anyone has any war stories with this product, let me know.

The BlogCast Repository

March 15, 2005


The BlogCast Repository - A Microsoft Community Resource: "THE CENTRAL VAULT FOR FREE TECHNICAL VIDEOS"

This is a great resource.. seems small right now, but it looks like it will grow (it's also really new). User-created videos that walk you through issues really help. I might even consider creating my own Blogcasts (even gives me the idea of doing some for custom in-house setups!).

They even have an RSS feed:

Also take a look at the "How to Create a Blogcast" link. It is extremely easy! You can create your own video to accompany your documentation or training materials. Really nice. I'm going to be focusing some time/energy on this in the near future.

Hash Functions Cracked


Internet security takes a hit with encryption technique flaw - Mar. 15, 2005: "The technique, called a 'hash function,' has been commonly used by Web site operators to scramble online transmissions containing credit-card information, Social Security numbers and other personal information.

Hash functions were thought to be impenetrable, but a team of researchers in China found that this encryption method was not as resistant to hackers as previously thought, according to the report."

SAV9 Functionality Hole - misses virus files


SecurityFocus HOME Mailing List: BugTraq: SAV9 Functionality Hole - misses virus files: "When SAV9 is protecting the file server, and an unprotected client saves files to a share on the server, the files are not scanned. When another unprotected client opens these files, they are not scanned by the server. The server will only find these files during a scheduled scan."

"The API that Symantec is using is not on file open from the file system, but rather file open by the local desktop - this allows files to be saved and opened without being scanned."

Black Tuesday - Skipped!!?!

March 09, 2005


MS skips patch Tuesday | The Register: "Microsoft passed on this month's instalment of its regular patch release cycle. Patch Tuesday brought no security updates in March, unlike February when the software giant issued 12 new advisories and a major revision of an earlier notice."

I'm not complaining...

Maxthon browser produces a better IE


Maxthon browser produces a better IE: "Today, I have a new entrant into the group that builds on the underlying code of Internet Explorer. The product is from MySoft Technology (see editorial links below) and is called Maxthon. "

"Maxthon uses very few resources, resulting in an average of 65% less RAM usage compared to IE when having the same large number of pages open."

"Maxthon uses a tabbed browsing interface and supports mouse gestures, super drag and drop (which allows any URL to be highlighted in a browser window and dragged to any tab) and privacy protection (automatic end of session flushing of history, cookies, and cache). It also includes AD Hunter (Maxthon's popup blocker), full support for the Google toolbar, a very useful "External Utility Bar" that can be used to launch selected application from the browser, and skinning. "

This looks very interesting.. I'll look into it at home.

February 28, 2005

The online resource for process information!: "In the recesses of your computer, 20-30 invisible processes run silently in the background. Some hog system resources, turning your PC into a sluggish computer. Worse yet, other useless processes harbour spyware and Trojans - violating your privacy and giving hackers free rein on your computer. is an invaluable resource for anyone who wants to know the exact purpose of every single process."

Awesome resource.. it had information for every process running on my system (with the exception of rare or custom stuff).


February 24, 2005


Sysinternals Freeware - PsExec: "PsExec is a light-weight telnet-replacement that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software. "

Here's Mark Russinovich's Windows IT Pro article on PsExec.

Free Books / Tutorial Resources

February 23, 2005

Free Online Programming Tutorials - You will find over 300 programming language tutorials, lessons, and how-to's.

Table of Contents - Practical PHP Programming: "Welcome to the home of the online book, 'Practical PHP Programming'. "

Free Programming and Computer Science Books - tons of free technical books. RSS feed:



Sysinternals Freeware - Utilities for Windows NT and Windows 2000 - RootkitRevealer: "RootkitRevealer is an advanced root kit detection utility. It runs on Windows NT 4 and higher and its output lists Registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit. RootkitRevealer successfully detects all persistent rootkits published at, including AFX, Vanquish and HackerDefender (note: RootkitRevealer is not intended to detect memory-based rootkits like Fu that don't survive reboots)."

Symantec Antivirus May Execute Virus Code

February 10, 2005


Slashdot | Symantec Antivirus May Execute Virus Code

Symantec flaw leaves opening for viruses: ZDNet Australia: News: Security - "Symantec has issued a patch for a flaw in its scanning software that could cause a virus to run, rather than catch it."

"Symantec is distributing patches to its customers through its LiveUpdate automatic update service and other mechanisms. It warned companies that do not use those services to download the patches from its Web site and apply them as soon as possible. "

This could have been a VERY bad situation. Luckily, Symantec was able to update their software via their subscription service, but just imagine the trouble and headache that would occur if their auto-update wasn't possible for this fix...

Black Tuesday - Flood 'o' Patches - 12 total, 8 critical

February 08, 2005


Microsoft Security Bulletin MS05-004: ASP.NET Path Validation Vulnerability (887219) - Important

Microsoft Security Bulletin MS05-005: Vulnerability in Microsoft Office XP could allow Remote Code Execution (873352) - Critical

Microsoft Security Bulletin MS05-006: Vulnerability in Windows SharePoint Services and SharePoint Team Services Could Allow Cross-Site Scripting and Spoofing Attacks (887981) - Moderate

Microsoft Security Bulletin MS05-007: Vulnerability in Windows Could Allow Information Disclosure (888302) - Important

Microsoft Security Bulletin MS05-008: Vulnerability in Windows Shell Could Allow Remote Code Execution (890047) - Important

Microsoft Security Bulletin MS05-009: Vulnerability in PNG Processing Could Allow Remote Code Execution (890261) - Critical

Microsoft Security Bulletin MS05-010: Vulnerability in the License Logging Service Could Allow Code Execution (885834) - Critical

Microsoft Security Bulletin MS05-011: Vulnerability in Server Message Block Could Allow Remote Code Execution (885250) - Critical

Microsoft Security Bulletin MS05-012: Vulnerability in OLE and COM Could Allow Remote Code Execution (873333) - Critical

Microsoft Security Bulletin MS05-013: Vulnerability in the DHTML Editing Component ActiveX Control Could Allow Remote Code Execution (891781) - Critical

Microsoft Security Bulletin MS05-014: Cumulative Security Update for Internet Explorer (867282) - Critical

Microsoft Security Bulletin MS05-015: Vulnerability in Hyperlink Object Library Could Allow Remote Code Execution (888113) - Critical

All I can say is: DAMN.

The Windows XP Layout

February 03, 2005


The Windows XP Layout: "This sample book chapter looks at the file and folder structure created by a Windows XP installation, provides a roadmap for important programs, and discusses other issues related to file structure and layout."

Nice little bit of reading material. It is important to note that the author, Stu Sjouwerman, is of NTSysAdmin list fame.

Analysis of the Texas Instruments DST RFID - "The Texas Instruments DST tag is a cryptographically enabled RFID transponder used in several wide-scale systems including vehicle immobilizers and the ExxonMobil SpeedPass system. This page serves as an overview of our successful attacks on DST enabled systems. A preliminary version of the full academic paper describing our attacks in detail is also available below. "

This is pretty sweet. They describe their attack and show you the practical applications of it in the field, complete with videos.



PromqryUI.exe - "PromqryUI can accurately determine if a modern (Windows 2000 and later) managed Windows system has network interfaces in promiscuous mode. If a system has network interfaces in promiscuous mode, it may indicate the presence of a network sniffer running on the system.

PromqryUI cannot detect standalone sniffers or sniffers running on non-Windows operating systems."

Here's the command line utility: Promqrycmd.exe
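Promqry answers one narrow question for Windows hosts: is any interface in promiscuous mode, which is the usual footprint of a sniffer running on that box. The same check exists on Linux, where the kernel exposes each interface's IFF_* flag bits in /sys/class/net/<iface>/flags. The following is an added example, not Promqry's code and not from the post: it decodes those flag values (bit constants as defined in Linux's if.h) and reports interfaces with IFF_PROMISC set. The SAMPLE_FLAGS table is constructed so the script also runs where sysfs is unavailable.

```python
"""Find network interfaces in promiscuous mode from Linux sysfs flags.

Added example; not part of the post or of Promqry. On Linux the kernel
publishes each interface's flags in /sys/class/net/<iface>/flags as a
hex string. The bit values below are the IFF_* constants from <linux/if.h>.
"""
import os

IFF_FLAGS = {
    0x1: "UP",
    0x2: "BROADCAST",
    0x8: "LOOPBACK",
    0x40: "RUNNING",
    0x100: "PROMISC",
    0x1000: "MULTICAST",
}
IFF_PROMISC = 0x100

# Constructed sample: eth1 has IFF_PROMISC set, lo and eth0 do not.
SAMPLE_FLAGS = {"lo": "0x9", "eth0": "0x1003", "eth1": "0x1103"}


def _as_int(value):
    """Accept an int or a sysfs-style hex string such as '0x1103\\n'."""
    return value if isinstance(value, int) else int(value.strip(), 16)


def decode_flags(value):
    """Return the names of the known IFF_* bits set in value, lowest bit first."""
    bits = _as_int(value)
    return [name for bit, name in sorted(IFF_FLAGS.items()) if bits & bit]


def promiscuous_interfaces(flags_by_iface):
    """Sorted names of interfaces whose flags include IFF_PROMISC."""
    return sorted(iface for iface, raw in flags_by_iface.items()
                  if _as_int(raw) & IFF_PROMISC)


def read_sysfs_flags(root="/sys/class/net"):
    """Read live flags for every interface under root; {} if sysfs is absent."""
    flags = {}
    try:
        names = os.listdir(root)
    except OSError:
        return flags
    for name in names:
        try:
            with open(os.path.join(root, name, "flags")) as fh:
                flags[name] = fh.read()
        except OSError:
            continue  # interface vanished or no permission; skip it
    return flags


if __name__ == "__main__":
    live = read_sysfs_flags() or SAMPLE_FLAGS
    for iface, raw in sorted(live.items()):
        print(f"{iface:10} {str(raw).strip():>8}  {' '.join(decode_flags(raw))}")
    hits = promiscuous_interfaces(live)
    print("promiscuous:", ", ".join(hits) if hits else "none")
```

The same caveat Promqry states for itself applies here: the flag is whatever the host kernel reports, so this is a quick inventory check, not proof that no capture is happening, and it tells you nothing about a sniffer on another machine or a span port.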

Directory Disk Usage

February 02, 2005


Diruse.exe: Directory Disk Usage: "This command-line tool displays directory size information, including compression information for NTFS volumes. You can use Diruse to determine the actual usage of space for compressed files and directories. You can also specify a maximum folder size. Diruse then marks any folders that exceed the specified limit and, if you choose, alerts you to the problem. Diruse is similar to du used in UNIX."

This tool, although small, is a great addition to any administrator's toolkit. I recently was able to use it in a way that solved a very large and time consuming monitoring issue that I had.
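The monitoring use the post hints at is the "mark folders over a limit" mode: walk a tree, total each directory including everything beneath it, and flag the ones past a threshold. As an added example (not Diruse itself, and not the author's script), here is a Python stand-in for that check, with a constructed temp-directory tree so it runs anywhere. Directory names, sizes and the 1024-byte limit are all made up for the demonstration.

```python
"""Report per-directory disk usage and mark directories over a size limit.

Added example for this post, not Diruse itself: a Python stand-in for a
'diruse /m'-style check with a threshold that flags oversized folders.
"""
import os
import tempfile


def directory_usage(root):
    """Return {dir_path: total_bytes} for root and every subdirectory,
    where a directory's total includes everything beneath it."""
    usage = {}
    # Walk bottom-up so every child's total is known before its parent's.
    for dirpath, dirnames, filenames in os.walk(root, topdown=False):
        total = 0
        for name in filenames:
            try:
                # lstat: count the link itself, never follow it out of the tree
                total += os.lstat(os.path.join(dirpath, name)).st_size
            except OSError:
                continue  # file removed while walking; skip it
        for name in dirnames:
            total += usage.get(os.path.join(dirpath, name), 0)
        usage[dirpath] = total
    return usage


def summary(root, limit_bytes):
    """Totals keyed by path relative to root ('.' for root itself) plus the
    list of over-limit directories, largest first."""
    usage = directory_usage(root)
    totals = {os.path.relpath(p, root): s for p, s in usage.items()}
    over = sorted((rel for rel, s in totals.items() if s > limit_bytes),
                  key=lambda rel: totals[rel], reverse=True)
    return {"totals": totals, "over": over}


def report(root, limit_bytes):
    """Text report: one line per directory, '*' marks those over the limit."""
    s = summary(root, limit_bytes)
    lines = []
    for rel in sorted(s["totals"]):
        mark = "*" if rel in s["over"] else " "
        lines.append(f"{mark} {s['totals'][rel]:>10}  {rel}")
    return "\n".join(lines)


def build_sample_tree():
    """Create a constructed tree in a fresh temp dir and return its path:
       keep/small.txt 100 B, logs/big.log 5000 B, logs/old/x.log 300 B."""
    root = tempfile.mkdtemp(prefix="diruse_demo_")
    layout = {"keep/small.txt": 100, "logs/big.log": 5000, "logs/old/x.log": 300}
    for rel, size in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"\0" * size)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    print(report(root, limit_bytes=1024))
```

On the sample tree the root (5400 bytes) and logs (5300 bytes) are marked, keep and logs/old are not; swap `build_sample_tree()` for a real share path and a sensible limit and the `over` list is what you would feed into an alert.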

Promising Software

January 31, 2005


Here's a trio of promising-looking software.. I haven't test-driven them yet, but they look like they have potential.

Open Computers and Softwares Inventory: "Open Computers and Softwares Inventory is an application designed to help a network administrator keep track of the computers configuration and the number of copies of software that are installed on the network."

WarLinux: "A new linux distribution for Wardrivers. It is available on disk and bootable CD. Its main intended use is for systems administrators that want to audit and evaluate their wireless network installations. Should be handy for wardriving also."

Project Info - SNARE - Auditing and EventLog Management: "SNARE (System iNtrusion Analysis and Reporting Environment) is a series of log collection agents that facilitate centralised analysis of audit log data. Agents are available for Linux, Windows, Solaris, IIS, Lotus Notes, Irix, AIX, ISA/IIS + more"

Wireless LAN Security Site

January 30, 2005


Wireless LAN Security Site: "Lots of people are interested in wireless LAN security nowadays. Given that level of interest, there's a need for accurate information on how the current standards work, what's wrong with them, and the current thinking on how to fix the problems. This page tries to gather relevant papers and standards in a single place. " - A TON of Wireless links and information

Wireless LAN Security & Wardriving (802.11): Wardriving Tools & Utilities (War Driving Software) -'s list of (numerous) wardriving tools. Also contains tons of information on antennas how-tos, wardriving books, etc...

If anyone has any more good wireless security resources, please feel free to share.

Configure Windows XP to Automatically Login

January 28, 2005


Configure Windows XP to Automatically Login: "Click Start, Run and type CONTROL USERPASSWORDS2, and click Ok.
Uncheck 'Users must enter a user name and password to use this computer' option, and click Ok."

Learn something new each day. With W2K, this was the users applet in the Control Panel, but they had to mess it all up to make XP look "pretty".

Keep your activation status intact when reinstalling XP


Keep your activation status intact when reinstalling XP - "Learn how you can reformat your hard disk and reinstall Windows XP on a system without messing around with Microsoft's Product Activation after the reinstall. "

Great little hint to keep you from having to call India (Microsoft's support) every time you have to reload a box. Please note that this may not work on machines w/ different hardware (especially different network cards).

Geeks in Management?

January 26, 2005


Slashdot | Geeks in Management? - An open question to the Slashdot crowd asking for tips and hints for geeks who are shoved into a management role (read: me).

I've only gotten part of the way down the forums and I've found some great pointers. Worth a look if you're in a management position or will pursue a management position in the future.

January 25, 2005

A guide to Oracle, Windows, Linux and OS X commands.

A handy little guide. Also contains guides to syntax for each system and has a special guide for WSH.

Log Parser 2.2 Released

January 20, 2005


Download details: Log Parser 2.2: "Log parser is a powerful, versatile tool that provides universal query access to text-based data such as log files, XML files and CSV files, as well as key data sources on the Windows operating system such as the Event Log, the Registry, the file system, and Active Directory. You tell Log Parser what information you need and how you want it processed. The results of your query can be custom-formatted in text based output, or they can be persisted to more specialty targets like SQL, SYSLOG, or a chart. "

Scriptomatic 2.0 Released

January 14, 2005


Download details: Scriptomatic 2.0: "A completely new version of the famous Scriptomatic, the utility that writes WMI scripts for you. (And, in the process, teaches you the fundamental concepts behind writing WMI scripts for yourself.) Unlike its predecessor, Scriptomatic 2.0 isn't limited to writing just VBScript scripts; instead, Scriptomatic 2.0 can write scripts in Perl, Python, or JScript as well. In addition, Scriptomatic 2.0 gives you a host of new output formats to use when running scripts, including saving data as plain-text, as a stand-alone Web page, or even as XML. Scriptomatic 2.0 handles arrays, it converts dates to a more readable format, and it works with all the WMI classes on your computer; on top of all that, it also writes scripts that can be run against multiple machines."

RSS Popper

January 12, 2005


RSS Popper - RSS aggregator for Outlook - "RSS Popper is an RSS/ATOM/RDF news aggregator that delivers news to Outlook. It allows the leveraging of Outlook powerful functionality for reading news feeds."

I've been using Beaver RSS reader for quite a while now, but it does have a few shortcomings (although it is still a great program). Some of those shortcomings include: lack of atom support (this blog uses atom as well as gmail), the inability to delete feeds (which, after a while, causes the program to slow down), occasional .net errors, and the lack of authenticated feeds.

What I do like about RSS Popper is the fact it is free, ties into Outlook, atom feeds, support for feed authentication, the ability to delete messages, and the ability to forward messages (like an email). So far I'm fairly pleased.

If anyone has any other FREE RSS readers that are worth a look, please let me know.

NOTE: Take a look at my Wednesday, October 22, 2003 and my Wednesday, January 21, 2004 postings for IT related feeds.

20 Year Archive on Google Groups


20 Year Archive on Google Groups: "Google has fully integrated the past 20 years of Usenet archives into Google Groups, which now offers access to more than 800 million messages dating back to 1981. This is by far the most complete collection of Usenet articles ever assembled and a fascinating first-hand historical account. "

This is awesome. I've always loved Google ever since I dropped Webcrawler (search engine back in the day) for them. This Usenet history timeline makes for some very interesting reading.

Black Tuesday

January 11, 2005


Microsoft Security Bulletin MS05-001 - Vulnerability in HTML Help Could Allow Code Execution (890175) - Critical
Microsoft Security Bulletin MS05-002 - Vulnerability in Cursor and Icon Format Handling Could Allow Remote Code Execution (891711) - Critical
Microsoft Security Bulletin MS05-003 - Vulnerability in the Indexing Service Could Allow Remote Code Execution (871250) - Important

It's sorta funny when an icon or cursor can get your system compromised. Not only that, but how many times does Microsoft have to patch HTML help? Nothing like MS03-026 (blaster) this month but still annoying nonetheless. I just hope that they learn how to code w/o all of the unchecked buffers before they release Longhorn.

True Stories of Knoppix Rescues

January 10, 2005

True Stories of Knoppix Rescues: "As a battle-hardened sysadmin, I've seen a lot of broken systems (some I broke, and some were broken for me). I've carried a number of rescue disks, including tomsrtbt and the LinuxCare Bootable Business Card, but over the past year or two, I've started to rely completely on Knoppix as an all-in-one rescue disk. Below are some real-life accounts of how I've saved some broken systems with just my Knoppix CD."

Great article promoting the greatness that is Knoppix. Also try Knoppix STD (Security Tools Distribution).

Microsoft releases antispyware, malware-removal tools


Microsoft releases antispyware, malware-removal tools - Computerworld: "JANUARY 06, 2005 (COMPUTERWORLD) - Microsoft Corp.'s introduction today of two free security tools designed to help users get rid of spyware and other malicious code is a long-overdue move from a company whose software is the biggest target of attacks on the Internet, users and analysts said."

Microsoft Windows AntiSpyware (Beta) Home - MS Official Beta page - Where unprofessional journalism looks better - Exclusive: Microsoft Anti-Spyware Beta Due 6th January - Comments and screenshots from Neowin.

I'm not sure what to think about MS entering yet another market. It's perfectly normal to feel a little unsure and worried about another product integrating itself into my OS, but they did a fairly decent job with Service Pack 2's (for XP) firewall. Also, who better to identify unwanted changes in the OS than the people who built the OS? We'll see. They would do really well to make sure that it can be easily managed in the corporate environment. Since I'm far too busy to play with this new addition right now, if anyone has any comments about MS AntiSpyware, please let me know.

IE flaw threat hits the roof

January 07, 2005


IE flaw threat hits the roof | CNET - "Secunia said Friday it has raised its rating of the vulnerabilities in Microsoft's browser to 'extremely critical,' its highest rating. The flaws, which affect IE 6, could enable attackers to place and execute programs such as spyware and pornography dialers on victims' computers without their knowledge, said Thomas Kristensen, Secunia's chief technology officer."

"In order for us to rate a vulnerability as extremely critical, there has to be a working exploit out there and one that doesn't require user interaction," Kristensen said. "This is our highest rating and is the last warning for users to fix their systems."


Network/System Administrator To-Do List

January 05, 2005


Santeria Systems - Network/System Administrator To-Do List - "As a network or system administrator, unless you are working on a specific project, your work is... well, let's face it... mundane. That is not to say it is not important. In fact, your mundane routine is vital to well running systems and equipment. This is in-turn vital to the company bottom line."

Not the most complete list, but he's refining it now. Good reference.