Category Archives: Security

%SystemRoot%system32 secrets: cipher

Next command in my list is the one you never remember about until a user comes in crying: “I’ve reset my password and now all my EFS-encrypted files are gone!!!”. Are you familiar with the situation? I am not, fortunately, but I have heard some related horror stories. Backing up the encryption keys is the key. And updating the keys on the files. And creating recovery keys. And backing up the encryption keys. All of that the utility in question can do for you.

There are plenty of articles about the actions described above. But when I looked at the utility’s description more closely, I found one function that was new to me: cipher with the “/W” argument and a folder path removes all data from the unused disk space on the volume where that folder is placed. What it does is:

1) Creating the folder EFSTMPWP on the volume.

2) Creating a temp file there (or several, according to some sources).

3) Writing zeros to it, then ones, and finishing with random values.

It does each step until the whole disk is filled up and then repeats with the next pattern.

Of course it is quite time consuming, especially on large volumes. But if I had been the person designing the command, I’d rather have made it not just write zeros and ones, but encrypt every free cluster with a random key. Luckily it wasn’t me, so the procedure isn’t even longer 😉

The command asks you to close all applications to make the effort as effective as possible, mostly to eliminate the temp files that still hold data.
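To make the three passes described above visible, here is a small PowerShell re-implementation of the mechanism. This is an added example, not code from the original post or from Microsoft; the folder name EFSTMPWP is the one cipher uses, while the MaxBytes cap is my addition (cipher itself writes until the volume is full).

```powershell
# Added example (not part of the original post): reproduces the zeros / ones / random
# passes of "cipher /W" on a bounded temp file. Volume and MaxBytes are assumptions.
function Clear-FreeSpaceDemo {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Volume,   # e.g. 'D:\' (assumed)
        [long]$MaxBytes = 64MB                   # safety cap; cipher /W has none and fills the disk
    )
    $dir = Join-Path $Volume 'EFSTMPWP'          # same folder name cipher creates
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    $block = New-Object byte[] 64KB
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()

    foreach ($pass in 0, 1, 2) {                 # pass 0: zeros, 1: ones (0xFF), 2: random
        switch ($pass) {
            0 { [Array]::Clear($block, 0, $block.Length) }
            1 { for ($i = 0; $i -lt $block.Length; $i++) { $block[$i] = 0xFF } }
        }
        $file = Join-Path $dir "pass$pass.tmp"
        $fs = [System.IO.File]::Open($file, 'Create', 'Write', 'None')
        $written = 0L
        try {
            while ($written -lt $MaxBytes) {
                if ($pass -eq 2) { $rng.GetBytes($block) }   # fresh random data per block
                $fs.Write($block, 0, $block.Length)
                $written += $block.Length
            }
            $fs.Flush($true)                     # push it to the disk, not just the cache
        } catch [System.IO.IOException] {
            # "disk full" is the normal end of a pass for the real tool
        } finally {
            $fs.Dispose()
        }
        Write-Verbose ("pass {0}: {1:N0} bytes written" -f $pass, $written)
        Remove-Item $file -Force                 # release the clusters for the next pass
    }
    Remove-Item $dir -Force
}

# Clear-FreeSpaceDemo -Volume 'D:\' -MaxBytes 256MB -Verbose
```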

Further reading:

cipher /?

http://technet.microsoft.com/en-us/library/cc771346(WS.10).aspx

http://support.microsoft.com/kb/295680

http://support.microsoft.com/kb/814599


Delegate permissions for creating GPO objects in other domain

The task is obviously necessary to complete on your way to implementing the Role-Based Administration concept. And, to be honest, being in euphoria after a quick acquaintance with AGPM, I thought it was no big deal: give an account or a group membership in some special groups including “Group Policy Creator Owners” and voilà, you’ve got it. Aha. Like hell it can succeed! =) This darn group is global and thus cannot be populated with objects from other domains. Moreover, you are unable to change that fact: everything is dimmed.

At least I don’t know a way to change the group’s scope (but I made a note to find out everything about it). So we won’t get this easy way. Will we retreat? No way. If we can’t add our object to the group, we can create another group and grant the permissions to that group directly. What permissions does the “Group Policy Creator Owners” group have? As far as I know, to create any GPO we need permissions in two places: the Policies container in AD and the Policies folder in sysvol. So let us delegate the permissions to the brand-new group “Role GP Creator Owners”:

1) in AD, on the Domain/System/Policies container:

I guess “Create All Child Objects” is a bit of an overkill and we could do better (just a guess), but the “Group Policy Creator Owners” group has exactly these permissions, so we aren’t making anything worse.

2) now on the Policies folder in sysvol:

That’ll do the job for us. At least it did for me, but still, I recommend checking it with support if you have it. I’ll definitely do that and fix the article if it needs fixing.

Wildcard certificates drawbacks

That’s one of the referrers from search engines which leads users to my blog. OK, there certainly are drawbacks, so why not? But first things first: what are those wildcard certificates?

In order to protect communications with web services or web sites (not only them, actually) we use SSL certificates. I have to say that this doesn’t actually mean that every site with an https prefix and a valid certificate is valid itself, or that communications with it are protected, but that’s not for today’s discussion. Anyway, SSL certificates are somewhat brilliant and somewhat ugly, but they are our reality for now, and once you have many web sites, or a medium to large infrastructure which uses a multitude of services protected by certificates… That’s because a certificate is issued for one particular domain name: microsoft.com, www.microsoft.com and technet.microsoft.com should all have different certificates for their protection. In such a situation you are usually bound to manage dozens or hundreds of certificates which expire, need to be renewed, need to be monitored… A hell of a job. But “security is security” and all that stuff, so you have to do it all.

But the world wouldn’t see many inventions if not for lazy people, you know. So those lazy people invented wildcard certificates. These are issued to names like *.microsoft.com and hence can be used on any of microsoft.com’s subdomains. That solves all the problems above. Or does it? Indeed it does. But nothing comes without cost, remember? This case is no exception to the rule. If you use a wildcard certificate in your organization, you have one private key on every box of yours which needs a certificate (there are services which allow you to create multiple wildcard certificates with one name but different private keys… but then why even bother?). Statistically that means you are increasing the risk of compromising this one particular certificate. Some don’t think this is a problem, well. Why bother with certificates at all, then? =) Suppose we are not those guys and we think that compromise of the certificate for several dozen services is a problem, but not a very big one: we’ll just need to get a new one and spread it over our sites. But since we had this certificate compromised, we have to consider any of our services compromised as well. So we also need to audit these systems to find out if they are OK. And, believe me, that is very expensive.

So security will definitely be harmed (at least statistically). But that’s not all: you may (or may not) get many other problems.

To sum up: I’m definitely not fond of the solution. At least for now. You may and should decide on your own. =)

%SystemRoot%System32 Secrets: AzMan

To be honest, I had been thinking of it as an unneeded tool for quite a long time before I had a close look at the console and its abilities. I was wrong. It is a really powerful instrument to manage or delegate permissions for an application. It is so powerful that I’m only teasing you in this article, before writing one or more big articles about it. Imagine you need a person to have full control over some Hyper-V virtual machine, including the right to delete it, but the one thing he or she must not do is create snapshots (because those are a pain in the neck, you know). Can you create such a set of permissions? Easy! Do you want to create quite the opposite policy? You are welcome. Do you want to check a user against some complex rules, not only group membership? Write your own scripts for that. What is even more pleasant: it is very role-oriented. Thinking in terms of roles is simple and nice with the tool.

OK, you’ll tell me, what’s the catch? Unfortunately there is more than one. First: your application should be written with AzMan in mind. That is true for many MS applications, like, say, Hyper-V or DPM. But if you use VMM, then it is almost impossible for you to use AzMan with Hyper-V. And VMM has fewer abilities in the field. And I don’t like the way it has them =) DPM’s AzMan is not yet broken by any “management” software, but, my gosh! It is soooo poor in its capabilities =(

Still, if you don’t use VMM, or use some other app which is compatible with AzMan, then I sincerely recommend you take a look at it.

The case of jammed permissions

Once I got a request ticket from one of our administrators, who are delegated some permissions in their parts of AD. The person told me that he didn’t have permissions for some accounts. Well, no problem: I investigated the issue, found that inheritance on that record was broken and fixed it: one checkbox and the “OK” button, big deal! The next day I received another request… for the same person. The inheritance was broken again! OK, I’m not a newbie, I even know something about adminCount, adminSDHolder and SDProp. So I went and checked if the account was a member of any protected group: no, it wasn’t, though it had been before. So I tried several more tricks, like moving the account to another OU and back. No luck. And at that point I received another request, from another administrator with the same problem but a different account. And this other person had been a domain admin before too.

Well, at this point I was almost sure that it was because SDProp overwrites the permissions. A quick check of the adminCount attribute showed that I was right: it was set to 1. After I had set it to 0 and restored inheritance on the object, everything became normal. And a bit of investigation showed that when an account leaves a protected group, the adminCount attribute doesn’t switch back to 0. A bit more investigation showed me that this is by design. For more detail read here and here. Next time I won’t be so lazy and will trust my inner admin 😉
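The same clean-up, scripted so it does not have to wait for the next ticket: find accounts that still carry adminCount=1 although they are no longer members (even nested) of a protected group, then set the attribute to 0 and restore inheritance, exactly as above. This is an added example, not the post’s or Microsoft’s code; the protected-group list is abbreviated and the function names are my own.

```powershell
# Added example (not part of the original post). Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-OrphanedAdminCount {
    # Abbreviated list of SDProp-protected groups (assumption: adjust for your forest).
    $protected = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                 'Account Operators', 'Backup Operators', 'Server Operators', 'Print Operators'
    # Enterprise/Schema Admins exist only in the forest root, so missing groups are skipped.
    $dns = foreach ($g in $protected) {
        (Get-ADGroup -Filter "name -eq '$g'").DistinguishedName
    }
    $dns = $dns | Where-Object { $_ }
    # LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) makes memberOf transitive,
    # which matches how SDProp evaluates membership.
    $inChain = ($dns | ForEach-Object { "(memberOf:1.2.840.113556.1.4.1941:=$_)" }) -join ''
    # Administrator and krbtgt are protected accounts in their own right: leave them alone.
    $filter = "(&(adminCount=1)(!(|$inChain))(!(samAccountName=krbtgt))(!(samAccountName=Administrator)))"
    Get-ADUser -LDAPFilter $filter -Properties adminCount
}

function Repair-OrphanedAdminCount {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)]$User)
    process {
        $dn = $User.DistinguishedName
        if ($PSCmdlet.ShouldProcess($dn, 'set adminCount=0 and re-enable inheritance')) {
            Set-ADUser -Identity $dn -Replace @{ adminCount = 0 }
            $path = "AD:\$dn"
            $acl = Get-Acl -Path $path
            $acl.SetAccessRuleProtection($false, $true)   # inherit again, keep existing ACEs
            Set-Acl -Path $path -AclObject $acl
        }
    }
}

# Dry run first, then drop -WhatIf:
Get-OrphanedAdminCount | Repair-OrphanedAdminCount -WhatIf
```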

%SystemRoot%System32 Secrets: Auditpol

This command is very useful in case you need to fine-tune auditing. For example, you cannot set “Audit directory service changes” without also setting “Audit directory service replication” using only the GUI, because “There is no Windows interface tool available in Windows Server 2008 to view or set audit policy subcategories”. Therefore you need auditpol badly in case you need to set those subcategories. You also need it in order to script changes to, or audit of, SACLs. You need it also to back up or restore those policies quickly (say you need to turn some auditing settings on for some time and off later). You can also fully reset the auditing policy.

Wow! While writing this text I have become filled with awe. I definitely should have used it more =)

The syntax is quite extensive, so I’ll just show you a very simple example:

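As an added example (not the post’s own screenshot or Microsoft’s code), here is the very case described above, scripted: enable success and failure auditing for “Directory Service Changes” alone, leaving “Directory Service Replication” untouched, with a backup taken first so the change can be rolled back. The backup path and the function name are assumptions; run it from an elevated prompt.

```powershell
# Added example (not part of the original post). Needs an elevated prompt.
function Enable-DsChangesAudit {
    [CmdletBinding()]
    param([string]$BackupFile = (Join-Path $env:TEMP 'auditpol-before.csv'))   # assumed path

    # 1) back up the current policy; undo later with:  auditpol /restore /file:<BackupFile>
    auditpol /backup /file:$BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol /backup failed with code $LASTEXITCODE" }

    # 2) set just the subcategory the GUI cannot set on its own
    auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed with code $LASTEXITCODE" }

    # 3) verify: /r prints CSV with "Subcategory" and "Inclusion Setting" columns
    $rows = auditpol /get /subcategory:"Directory Service Changes" /r |
            Where-Object { $_ -match ',' } | ConvertFrom-Csv
    $setting = ($rows | Select-Object -First 1).'Inclusion Setting'
    if ($setting -ne 'Success and Failure') {
        Write-Warning "unexpected setting after the change: '$setting'"
    }
    [pscustomobject]@{
        Subcategory = 'Directory Service Changes'
        Setting     = $setting
        Backup      = $BackupFile
    }
}

# "auditpol /clear /y" is the full reset mentioned above; keep the backup before using it.
Enable-DsChangesAudit
```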

Have fun! =)

Malware: how comes we are infected?

It was not the first time I have had the same argument: some of my peers and even colleagues still think that the major infection method for client computers is through some kind of vulnerabilities which don’t involve stupidity. I believe (and I have some brothers in arms in my belief) that the abovementioned “stupidity”, or let’s say lack of education and carelessness, is the major threat. What am I talking about? Well… Some of the sources tell us that most successful malware installs itself via USB sticks, shared drives or some other user-involving technologies.

For example, in the MS Security Intelligence Report #9 (1H2010) we see the following table:

1) Win32/Taterf

2) Win32/Frethog

3) Win32/Renos

4) Win32/Rimecud

5) Win32/Conficker

6) Win32/Autorun

7) Win32/Hotbar

8) Win32/FakeSpypro

9) Win32/Alureon

10) Win32/Zwangi

These are the top 10 malware families detected on client computers. The 1st is the most often detected; the 10th, correspondingly, the least (of these 10, of course). Now I will just repeat the table with the infection mechanisms added:

1) Win32/Taterf: “Win32/Taterf is a family of worms that spread via mapped drives in order to steal login and account details for popular online games.”

2) Win32/Frethog: spreads via mapped drives.

3) Win32/Renos: downloads of “video codecs” and other “goodies” from malicious sites.

4) Win32/Rimecud: “Win32/Rimecud is a family of worms with multiple components that spreads via removable drives, and instant messaging.”

5) Win32/Conficker: no arguing here, it spreads through a vulnerability. And still: “it may also spread via removable drives and by exploiting weak passwords.”

6) Win32/Autorun: no arguing here either: “spreads through fixed and removable drives by dropping copies of itself.”

7) Win32/Hotbar: an install-it-yourself kit. Seriously.

8) Win32/FakeSpypro: “Rogue:Win32/FakeSpypro may be installed from the program’s web site or by social engineering from third party web sites.”

9) Win32/Alureon: manual download (keygens, drive-by downloads, etc.)

10) Win32/Zwangi: manual download.

You know what? I don’t even want to discuss it. Read one more report. And that’s all: no need to “hack” into your computer if a criminal can hack into your head.

Be careful at least this year and the following ones =)