Monday, November 29, 2010

Use Windows 7 as a PPTP VPN Server

Today I was browsing TechNet and I found a link to a YouTube video on how to set up Windows 7 to act as a PPTP VPN server for a home solution. This will allow computer-savvy home users to access any PC on their home network through a Windows 7 machine. I didn't even know this functionality was possible in Windows 7!

Check it out, here is the link:

http://www.youtube.com/watch?v=1s5JxMG06L4

Forefront Client Security Server Components Supported Operating Systems

Forefront Client Security (FCS) Server Components are not supported on all operating systems.

The Management Server must be set up on one of the following Windows operating systems:

- Windows Server 2003 SP2 or later, Standard or Enterprise

- Windows Server 2008 Standard or Windows Server 2008 Enterprise

- Windows Server 2008 Standard SP1 or later, or Windows Server 2008 Enterprise SP1 or later

The following operating systems are not supported:

- Windows Server 2008 Server Core installation

- Windows Server 2008 R2

- x64 and Itanium server editions

- Microsoft Windows Small Business Server 2003

- Windows Small Business Server 2003 R2

- Windows Small Business Server 2008

For more information please see:

http://technet.microsoft.com/en-us/library/bb404245.aspx

Thursday, November 25, 2010

New Password Stealer Found MD5: 6deb0bdb5fb07bcdb1205d6ddd6a4ec2

Today I stumbled across a new trojan/password stealer that installs itself through Sun Microsystems Java.

Users receive an email such as:

Amy Fibro commented on your photo.
To see the comment thread, follow the link below:
http://www.facebook.com/n/?photo.php&fbid=155175754523620&set=a.145049682202894.23363.100000935890817&mid=33283faG5af34842cf81G37f9cbG9
Thanks,
The Facebook Team

This email is not from Facebook. If you look at the link in the email, it points to a different URL that contains the Java application which installs the virus.



With a default install of Internet Explorer 8, with all the latest security updates and patches up to 26/11/2010 and default security settings, the worm was able to install itself automatically.

The worm adds itself to HKCU\Software\Microsoft\Windows\CurrentVersion\Run so it can automatically execute upon startup.

The worm also changes the Internet Explorer security settings by modifying a series of registry keys.

The following Registry Values were modified:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
1609 =
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
1406 =
1609 =
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
1609 =
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
1406 =
1609 =
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
1406 =
1609 =


The worm is also capable of infecting executables.

The malware injects code into the address space of the following processes to mask its presence:
taskhost.exe
taskeng.exe
wscntfy.exe
ctfmon.exe
rdpclip.exe
explorer.exe


If you do not run your PC as administrator the worm will not have permissions to infect beyond your user profile.

The worm collects FTP credentials (IP, port, username, and passwords) from the following FTP software:
- FlashFXP
- Total Commander
- ws_ftp
- FileZilla
- FAR/FAR2
- winscp
- FTP Commander
- CoreFTP
- SmartFTP

The worm also has a keylogger for logging all other password related activity such as bank accounts etc.

When installed the worm copied itself to:

%APPDATA%\<random letters>\<random letters>.exe

For example for me it called itself niba.exe.



While the virus is running, the description it gives itself in Task Manager is Windows Defender.

Running the virus through one of my favorite sites, virscan.org, we see that only some antivirus companies detect it, and the ones that do only come back with a generic detection.



I will be submitting the virus sample to the other anti-virus companies to get this worm indexed ASAP.
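The indicators described in this post (a Run-key entry launching an executable from a subfolder of %APPDATA%, a file description of "Windows Defender", the MD5 in the title, and the changed zone values 1406 and 1609) can be checked with a short triage script. This is an added example, not part of the original post; it assumes PowerShell 4.0 or later and must run in the affected user's session, and the function names are made up for illustration.

```powershell
# Added example: triage one user profile for the indicators described in this post.
# Run it in the affected user's session, because every key involved is under HKCU.
$PostMd5  = '6deb0bdb5fb07bcdb1205d6ddd6a4ec2'   # MD5 from the post title
$RunKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$ZoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Policy   = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }   # URL action policy values

function Get-ExePath([string]$Command) {
    # A Run value can be quoted and carry arguments; keep only the executable path.
    $c = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($c -match '^"([^"]+)"')          { return $Matches[1] }
    if ($c -match '^(.+?\.exe)(?:\s|$)') { return $Matches[1] }
    return $c
}

function Get-RunKeyFinding {
    # Report Run entries that launch an .exe from a subfolder of %APPDATA%.
    # Legitimate software can match too, so treat the output as a review list.
    $pattern = [System.Management.Automation.WildcardPattern]::Escape($env:APPDATA) + '\*\*.exe'
    $key = Get-Item -Path $RunKey -ErrorAction SilentlyContinue
    if (-not $key) { return }
    foreach ($name in $key.GetValueNames()) {
        $exe = Get-ExePath ([string]$key.GetValue($name))
        if ($exe -notlike $pattern) { continue }
        $onDisk = Test-Path -LiteralPath $exe -PathType Leaf
        $desc = $null; $md5 = $null
        if ($onDisk) {
            $desc = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($exe).FileDescription
            $md5  = (Get-FileHash -LiteralPath $exe -Algorithm MD5).Hash.ToLower()
        }
        [pscustomobject]@{
            RunValue       = $name
            Path           = $exe
            OnDisk         = $onDisk
            Description    = $desc
            ClaimsDefender = ($desc -eq 'Windows Defender')   # description seen in Task Manager
            MD5            = $md5
            MatchesPostMd5 = ($md5 -eq $PostMd5)
        }
    }
}

function Get-ZoneSetting {
    # 1406 = access data sources across domains, 1609 = display mixed content.
    foreach ($zone in 0..4) {
        $key = Get-Item -Path "$ZoneRoot\$zone" -ErrorAction SilentlyContinue
        foreach ($action in '1406', '1609') {
            $value = if ($key) { $key.GetValue($action) } else { $null }
            [pscustomobject]@{
                Zone    = $zone
                Action  = $action
                Value   = $value
                Meaning = if ($null -ne $value) { $Policy[[int]$value] } else { 'not set for this user' }
            }
        }
    }
}

Get-RunKeyFinding | Format-List
Get-ZoneSetting   | Format-Table -AutoSize
```

An MD5 match identifies only the exact sample from this post, so an entry that matches the path pattern or the "Windows Defender" description without matching the hash still deserves a look.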

How to Grab MD5 or SHA1 hash of files in Windows

To simply grab the MD5 or SHA1 hash of a file in Windows, use the Microsoft File Checksum Integrity Verifier (FCIV) utility. Download this tool from here:

http://download.microsoft.com/download/c/f/4/cf454ae0-a4bb-4123-8333-a1b6737712f7/windows-kb841290-x86-enu.exe

Below are examples on how to use this tool:

Tuesday, November 23, 2010

How to Deploy Microsoft .NET Framework 4 with Group Policy with Startup Script

To deploy .NET Framework 4 to your network you must use a startup script. No longer can you push .NET Framework out via an MSI file as with earlier versions such as .NET Framework 1.1.

I wrote a script that you're welcome to copy to push the .NET Framework to all x86 and x64 Windows-based PCs on your network.

Save the following as a ".bat" file.

setlocal

REM *********************************************************************
REM Environment customization begins here. Modify variables below.
REM *********************************************************************

REM Enter the Product Name.
set ProductName=Microsoft .NET Framework 4 Client Profile

REM Set DeployServer to a network-accessible location containing the .NET Framework 4 installer.
set DeployServer=\\kbomb.local\netlogon\software

REM Set LogLocation to a central directory to collect log files.
set LogLocation=C:\Windows\Logs

REM *********************************************************************
REM Deployment code begins here. Do not modify anything below this line.
REM *********************************************************************

IF NOT "%ProgramFiles(x86)%"=="" (goto ARP64) else (goto ARP86)

REM Operating system is x64. Check for the product in the emulated Wow6432Node uninstall key.
:ARP64
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\Microsoft\Windows\CurrentVersion\Uninstall\%ProductName%"
if NOT %errorlevel%==1 (goto End)

REM Check the regular uninstall key (a native 64-bit install also appears here on a 64-bit OS).
:ARP86
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\%ProductName%"
if %errorlevel%==1 (goto DeployOffice) else (goto End)

REM If 1 returned, the product was not found. Run setup here.
REM The empty "" is the window title that start expects before a quoted path.
:DeployOffice
start /wait "" "%DeployServer%\dotNetFx40_Full_x86_x64.exe" /passive
echo %date% %time% Setup ended with error code %errorlevel%. >> "%LogLocation%\%computername%.txt"

REM If 0 or other was returned, the product was found or another error occurred. Do nothing.
:End

Endlocal


Please modify the DeployServer path to fit your environment.

Copy the script into the startup script folder inside the group policy object. Make sure you use a startup script and not a logon script! Refer to the following screenshot:



My script is called frameworkinstall.bat

Link this group policy object to your computer accounts. When the workstations refresh their group policy they will automatically install .NET Framework v4 on next reboot.

Taken with my iPhone 4:



Note: If you do not want the user to see the progress of the installation, please change /passive to /q. This will result in the PC hanging at the "Running Startup Scripts" for a few minutes. I personally prefer to present the users with a progress bar!

Monday, November 22, 2010

Can a RODC be a GC?

Answer: Yes

One of the gotchas before an RODC will advertise as a GC in your domain is that domainprep needs to be run in each domain, regardless if there are Win2k8 DCs in the domain or not:

If the RODC will be a global catalog server, you must also run adprep /domainprep in all domains in the forest, regardless of whether the domain runs a Windows Server 2008 domain controller. When you run adprep /domainprep in all domains, the RODC can replicate global catalog data from all domains in the forest and then advertise as a global catalog server.

If you haven't looked at RODCs for your branch office deployments for the future now is a good time to do so. I think one of the best things coming for Win2k8 is the ability to run RODCs on Server Core, reducing the attack surface and patching requirements and only caching the passwords for the users needed in the branch site instead of all passwords for the domain.

What are inetOrgPerson objects?

Windows Server 2003 Active Directory includes a new object type (that is, object class), inetOrgPerson, which is identical to the user object type in practically every way. InetOrgPerson was defined in RFC 2798 to represent a standard network user, and many other directory services use it for this purpose. Therefore, inetOrgPerson was brought along to Active Directory so that it would be easier to interoperate with these other products or to migrate them to Active Directory.

Although inetOrgPerson should be identical to user, Microsoft recommends that you test it with your applications that would use Active Directory as an authentication method, and your other projected usage scenarios, before you actually start using inetOrgPerson objects.

If inetOrgPerson objects are not needed in your forest, you can modify the forest schema so that InetOrgPerson doesn't appear in the New context menu of the Users and Computers snap-in. You would need to change the defaultHidingValue property of the inetOrgPerson schema class definition to TRUE. This setting affects all administrators of the forest, unless they use some other tool to create objects.

Sunday, November 21, 2010

What is the Central Store with 2008 Group Policy?

The ADMX Central Store is a centralized location for keeping the new XML-based administrative template (ADMX) files. In a Windows Server 2008 network environment, the Group Policy Object Editor does not copy ADMX files to each edited group policy object (GPO). Instead, it uses the ADMX Central Store on a domain controller. The ADMX Central Store is not created automatically.

When you use GPMC on Windows Vista, Windows Server 2008 or a later operating system, it automatically queries the following location to see if a central store exists:

\\domain.local\sysvol\domain\policies\PolicyDefinitions

If you have not created this folder in your SYSVOL, GPMC will look at its local hard drive for:

%systemroot%\PolicyDefinitions

If you have custom ADMX templates in your domain, you want to use the new Central Store so that all PCs and domain controllers use the central store when editing group policy objects.

When you create the central store make sure you copy all existing custom ADMX policies from your local computer (%systemroot%\PolicyDefinitions) to the central store!

I encourage you to watch the following video by John Baker, it explains the Central Store and group policy changes in more detail!

http://technet.microsoft.com/en-us/edge/screencast-how-to-configure-the-central-admx-store.aspx

You cannot change the location of the central store; it is hardcoded!
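To see which local templates still have to be copied before you rely on the central store, the two folders can be compared file by file. This is an added example, not part of the original post; it assumes PowerShell 4.0 or later, the central store path is the placeholder path shown above, and the function names are made up for illustration.

```powershell
# Added example: list ADMX/ADML files that exist locally but are missing from,
# or differ from, the domain central store.
$LocalStore   = Join-Path $env:SystemRoot 'PolicyDefinitions'
$CentralStore = '\\domain.local\sysvol\domain\policies\PolicyDefinitions'   # placeholder path from the post

function Get-TemplateIndex([string]$Root) {
    # Map "relative\path.admx" -> SHA-256 for every ADMX/ADML file under $Root.
    $index = @{}
    $base  = (Resolve-Path -LiteralPath $Root).ProviderPath.TrimEnd('\')
    Get-ChildItem -LiteralPath $base -Recurse -File |
        Where-Object { $_.Extension -in '.admx', '.adml' } |
        ForEach-Object {
            $rel = $_.FullName.Substring($base.Length + 1).ToLower()
            $index[$rel] = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    return $index
}

function Compare-PolicyDefinitions {
    if (-not (Test-Path -LiteralPath $CentralStore)) {
        Write-Warning "No central store at $CentralStore; GPMC falls back to $LocalStore."
        return
    }
    $local   = Get-TemplateIndex $LocalStore
    $central = Get-TemplateIndex $CentralStore
    foreach ($file in ($local.Keys | Sort-Object)) {
        if (-not $central.ContainsKey($file))      { $status = 'MissingFromCentralStore' }
        elseif ($central[$file] -ne $local[$file]) { $status = 'DiffersFromCentralStore' }
        else                                       { continue }
        [pscustomobject]@{ File = $file; Status = $status }
    }
}

Compare-PolicyDefinitions | Format-Table -AutoSize
```

A file reported as different is often just a newer or older version of the same template, so check which copy is current before overwriting either side.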

Saturday, November 20, 2010

Moving to DFS-R for SYSVOL

Windows Server 2008 and Windows Server 2008 R2 support DFS-R for replicating the SYSVOL partition between domain controllers.

For this to work, all domain controllers in an Active Directory domain need to be Windows Server 2008 or Windows Server 2008 R2 and the Domain Functional Level must be Windows Server 2008.

Every domain within a forest has its own SYSVOL directory structure that is replicated. As a result your Forest Functional Level does not need to be 2008... other domains in your forest can continue to use the legacy FRS.

If you create a new Active Directory domain at the Windows Server 2008 domain functional level, it will automatically use DFS-R for SYSVOL. However, if you are migrating towards the Windows Server 2008 DFL, you will need to migrate SYSVOL replication over to DFS-R. This migration needs to be performed once you have raised the DFL to Windows Server 2008.

To understand the process of migrating to DFS-R for your SYSVOL directory please read the following blog posts by Mahesh Unnikrishnan, a Senior Program Manager at Microsoft. There are 5 parts to this how-to:

http://blogs.technet.com/b/filecab/archive/2008/02/08/sysvol-migration-series-part-1-introduction-to-the-sysvol-migration-process.aspx

http://blogs.technet.com/filecab/archive/2008/02/14/sysvol-migration-series-part-2-dfsrmig-exe-the-sysvol-migration-tool.aspx

http://blogs.technet.com/filecab/archive/2008/03/05/sysvol-migration-series-part-3-migrating-to-the-prepared-state.aspx

http://blogs.technet.com/filecab/archive/2008/03/17/sysvol-migration-series-part-4-migrating-to-the-redirected-state.aspx

http://blogs.technet.com/filecab/archive/2008/03/19/sysvol-migration-series-part-5-migrating-to-the-eliminated-state.aspx

Monday, November 1, 2010

Exchange 2003 - Services wouldn't start due to AD Issues

Today I had an issue escalated to me where the following Exchange 2003 services would not start due to problems speaking with Active Directory:
- Microsoft Exchange Information Store
- Microsoft Exchange MTA Stacks
- Microsoft Exchange System Attendant

While diagnosing this issue I had the following diagnostic logging turned to medium for all sub components of the following:
- MSExchangeDSAccess
- MSExchangeSRS
- MSExchangeSA

Diagnostic logging is turned on in the Exchange 2003 server properties under the diagnostic logging tab.



There were two problems causing this issue - I will go through how I fixed both of them.

Problem 1 - The Local DC was not listening on TCP 3268

After looking at the issue initially I found out that the domain controller in the same Active Directory site as the Exchange 2003 server was not listening on TCP 3268 (Global Catalog). The server was marked as being a global catalog server. During this time the following errors were being generated:

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7024
Date: 01/11/2010
Time: 4:03:31 PM
User: N/A
Computer: MELB-EXCH-31
Description:
The Microsoft Exchange Information Store service terminated with service-specific error 2147500037 (0x80004005).




Event Type: Error
Event Source: MSExchangeMTA
Event Category: Operating System
Event ID: 2248
Date: 01/11/2010
Time: 5:18:22 PM
User: N/A
Computer: MELB-EXCH-31
Description:
A fatal error occurred. Directory operation (ds_initialize) failed with problem RD Server. [MAIN BASE 1 1 %5] (16)




Event Type: Error
Event Source: MSExchangeIS
Event Category: General
Event ID: 1121
Date: 01/11/2010
Time: 6:14:38 PM
User: N/A
Computer: MELB-EXCH-31
Description:
Error 0xfaf connecting to the Microsoft Active Directory.




This last error led me down the right track, "0xfaf". I found a handy forum post that lets you understand all the different codes in relation to the information store connecting to Active Directory:

- Error: 0x96e, Service: Microsoft Active Directory - This problem occurs because the domain controller and other Exchange-Server-dependent services do not start completely when Exchange 2007 tries to start. See 940845 for details.
- Error: 0x8004010f, Service: Microsoft Active Directory - This behavior may occur if the organization name that you select during setup contains the forward slash mark (/) character. See 329599 for more information on this problem.
- Error: 4015, Service: Microsoft Exchange Information Server Directory - The Directory service will not start if the system date is later than January 17, 2038. See 154595 for details about this problem.
- Error: 0x80004005, Service: Microsoft Exchange Server Directory - This behavior may occur because the information store database is not initializing properly. See 322315 to solve this problem.
- Error: 0x80004005, Service: Microsoft Active Directory - You may not be able to mount Exchange 2000 information store databases and this event is logged. See 314294 and 822579 for details.
- Error: 0xfb5, Service: Microsoft Exchange Server Directory - This issue can occur if the Information Store service has been configured to log on as a system account or to use the Local System account. See 288952 to solve this problem.
- Error: 0xfaf, Service: Microsoft Active Directory - This behavior can occur because you do not have a global catalog in the forest or the connection to the global catalog is lost. See 303186 and 823163 to find out how to fix this problem.
- Error: 0xfaf, Service: Microsoft Exchange Server Directory - This issue can occur if the server is renamed after Exchange Server installation; some values in the MSExchangeIS key contain the name of the test server. See 248124 to solve this problem.


As per the post above - I went to Microsoft Knowledgebase article 823163:

http://support.microsoft.com/kb/823163

This article stated:

This issue may occur if one or both of the following conditions are true:
- There is no global catalog in the forest.
- There is a problem with the connection to the global catalog.


There was only a single domain controller in the same Active Directory site as the Exchange 2003 server. This domain controller was marked as being a global catalog server; however, performing a "netstat -ant" revealed that it was not listening on the global catalog port TCP 3268.

Initially I tried removing the global catalog role of the server, rebooting, re-adding the global catalog role, then rebooting again. This did not resolve the problem.

To resolve this problem I demoted the server from being a domain controller and re-promoted it. After re-promoting the DC it then came up as a global catalog server again. There were no errors in the event logs about not being a global catalog server.

Problem 2 - The Exchange 2003 Server could not find the Active Directory Site

After re-promoting the domain controller I ran into another problem, the Exchange 2003 server could not find which Active Directory Site it was in.

Exchange was producing the following error:

c007077f no site available

The following errors were experienced in the event logs:

Event Type: Error
Event Source: MSExchangeDSAccess
Event Category: Topology
Event ID: 2114
Date: 01/11/2010
Time: 9:55:46 PM
User: N/A
Computer: MELB-EXCH-31
Description:
Process MAD.EXE (PID=1936). Topology Discovery failed, error 0x80040952.




I ran NLTEST /DSGETSITE to see if Windows Server itself could find its Active Directory site. This command threw out the following error:

1919 0x77f ERROR_NO_SITENAME



The Exchange server was speaking to random domain controllers in other Active Directory sites. I determined this by following this article:

http://clintboessen.blogspot.com/2010/05/how-to-find-out-which-domain-controller.html

All other workstations and servers in the same Active Directory site could determine their site location. The problem was isolated to the Exchange 2003 server. To resolve this problem I found a workaround with a registry key where I hard coded the Exchange 2003 server's Active Directory site.

HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

"SiteName" as a String Value

Enter the Active Directory site name as it appears in AD Sites and Services.



Then restart the Netlogon service. After this the Exchange Server 2003 was behaving properly and the services were able to be started.
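The two checks from this post (is the domain controller accepting connections on TCP 3268, and which site does the server think it is in) can be scripted for repeat use. This is an added example, not part of the original post; the domain controller name is a hypothetical placeholder, the function names are made up for illustration, and the script is written to run on PowerShell 2.0 so it can be used on older servers.

```powershell
# Added example: repeatable versions of the two checks described in this post.
$DomainControllers = @('dc01.example.local')   # hypothetical name, replace with your DCs
$NetlogonParams    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Test-TcpPort([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000) {
    # Plain TCP connect with a timeout; True only if the port accepts the connection.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-GcPortStatus {
    # Problem 1: a DC marked as a global catalog should accept connections on TCP 3268.
    foreach ($dc in $DomainControllers) {
        New-Object PSObject -Property @{
            DomainController  = $dc
            Ldap389           = (Test-TcpPort $dc 389)
            GlobalCatalog3268 = (Test-TcpPort $dc 3268)
        }
    }
}

function Get-SiteStatus {
    # Problem 2: compare the site Netlogon discovered with any hard-coded override.
    $p      = Get-ItemProperty -Path $NetlogonParams -ErrorAction SilentlyContinue
    $nltest = (& nltest.exe /dsgetsite 2>&1 | Out-String).Trim()
    New-Object PSObject -Property @{
        DynamicSiteName  = $p.DynamicSiteName   # site found by Netlogon, empty if discovery failed
        SiteNameOverride = $p.SiteName          # the manual value described in this post
        NltestExitCode   = $LASTEXITCODE
        NltestOutput     = $nltest
    }
}

Get-GcPortStatus | Format-Table -AutoSize
Get-SiteStatus   | Format-List
```

A populated SiteNameOverride takes precedence over the discovered site, so record the workaround and revisit it if the server is ever moved to another subnet or site.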