
How to apply a temporary GPO to a machine being imaged

Depending on how you use Active Directory in your organization, you may be setting a lot of security policies on workstations, and some of these settings can be problematic during the automated build of computers.

A few workarounds exist to avoid applying those to the workstations being imaged:

* Create a temporary OU for the computer account, and move it to the proper location once the build is done
* Change the order of the steps in your build to avoid issues caused by security settings
* Configure a GPO to override the settings that need to be set only during deployment, and filter it so it applies only to machines being imaged.

For several reasons, I had to use the last option. It is a rather clean option, as it doesn’t involve moving computer accounts after the build or making any changes to the domain during the imaging process, other than joining the machine, which is great.

One word of warning: make sure whatever you are overriding is not a must for security and is simply an “annoyance”, because eventually (probably within a few minutes) a user WILL figure out how you’re doing the filtering and WILL apply it to his own machine in order to bypass some security settings.

Only a few steps are involved:

1) Create a GPO that will set the values to what they need to be during the build (don’t link it yet)

2) Create a WMI filter called “BoxBeingBuilt” or something similar. Have it do a query on something you know is true only during imaging. If you can’t find anything reliable, do something like this:

Select * from Win32_Environment Where Name = "BuildinDaBox"

3) Ensure your build process sets a system environment variable with that name at the beginning, and removes it at the end.

Tada!
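As an added example (not code from the original post), here is a PowerShell script that the first and last steps of the build can call to set and remove that variable and then confirm the WMI filter query above matches (or no longer matches). It assumes the filter query shown above, PowerShell 3.0 or later for Get-CimInstance, and that it runs as an administrator during the build.

```powershell
# Added example, not from the original post: call with -Phase Begin as the first
# build step and -Phase End as the last one, so the "BuildinDaBox" WMI filter
# matches only while the machine is being imaged.
param(
    [Parameter(Mandatory)][ValidateSet('Begin', 'End')][string]$Phase,
    [string]$Name = 'BuildinDaBox'   # must match the Name used in the WMI filter
)

# Win32_Environment reflects the machine-scope environment block stored under
# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment, which is
# exactly where SetEnvironmentVariable writes when the target is 'Machine'.
if ($Phase -eq 'Begin') {
    [Environment]::SetEnvironmentVariable($Name, '1', 'Machine')
} else {
    # A $null value deletes the variable, so the filter stops matching after the build.
    [Environment]::SetEnvironmentVariable($Name, $null, 'Machine')
}

# Evaluate the same WQL the filter uses, so the build fails loudly if the state is wrong
# instead of silently applying (or not applying) the temporary GPO.
$match    = Get-CimInstance -Query "SELECT * FROM Win32_Environment WHERE Name = '$Name'"
$expected = ($Phase -eq 'Begin')
if ([bool]$match -ne $expected) {
    throw "Environment variable '$Name' state does not match phase '$Phase'"
}

# Refresh computer policy now so the temporary GPO is applied (Begin) or dropped (End)
# without waiting for the next background Group Policy refresh.
gpupdate.exe /target:computer /force | Out-Null
```

Because any local administrator can set the same variable by hand, treat the report from the filter as a convenience for the build, not as a security boundary.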


Performance impact of clearing your swap file at shutdown

For security reasons, it might be advisable to clear your swap file at shutdown.

It doesn’t provide great security, and you really should be using full drive encryption anyway.

But in case anyone is wondering, for a 1.5 GB swap file, this option (ClearPageFileAtShutdown) seems to add about 30 to 40 seconds to the shutdown procedure, as it overwrites the file with zeroes.

Now turn it back off and install TrueCrypt!


Interesting discussions about PIFTS.EXE

** Update ** Official word from Symantec


My favorite quote from that paragraph is: “Releasing a patch unsigned is an extremely rare occurrence that does not pose any security issues to our users”.

Wow, I guess Norton’s too good, they don’t even need to sign patches. Then why do they ever sign them, if they can push unsigned ones?

Why was that patch hidden, and why did they delete true messages concerning PIFTS before the “spam” appeared?


PIFTS.exe is generating quite a buzz, as nobody seems to really know what it does, and Symantec seems to be putting more effort into moderating posts than into explaining what it does.


SANS page about PIFTS

Blog post by a guy who thinks that Slashdot is a web 2.0 social networking site for techies:

Digg discussion about that page

Anubis report (who knows if that was done using the real file though):

Slashdot Discussion

Washington Post "Voices"


Great screenshot from the Symantec boards; the thread should be gone in a few minutes...


And another one..


Possibly a great 4chan prank? Who knows, you’d think Symantec would release an official statement if that was the case..


Connect to your IPSec VPN using iPhone/tethering – update

PdaNet 1.40 has been released. I’ve been able to connect to various IPSec tunnels using the client on my laptop with this version, which makes connecting easier. You have to make sure you’re using UDP or that transparent tunneling has been disabled. I haven’t got it working with IPSec over TCP. It still fails on one of my VPNs and I can’t really figure out why, but I think it might not be related to PdaNet itself... time to apt-get update it!

From the changelog:

Version 1.40

  • Implement VPN and UDP support.
  • Display a numeric battery meter (you know you want it).
  • Resolve a CPU usage issue that drains the battery faster.
  • Add a DNS cache for instant lookup, improve initial connection speed.
  • Pause UI update when device is sleeping to save power.
  • This version is a significant improvement over previous versions.

Connect to your IPSec VPN using iPhone/tethering

Here is a quick how-to for connecting to your work’s VPN on the iPhone and using it from your laptop. Special thanks to Nutbar on HowardForums, who helped me with the last trick about the connection order.

  • Jailbreak your iPhone ( http://www.quickpwn.com/2008/09/jailbreak-iphone-2… )
  • Install PdaNet from Cydia
    • Get PdaNet working by setting up an ad hoc Wi-Fi network on your laptop, then connect your iPhone to it and start PdaNet.
      • Test the connection on your laptop by browsing a few websites through the iPhone.
      • Disable PdaNet and Wi-Fi for now.
  • Try connecting to your IPSec VPN from your laptop. It *MIGHT* work, but probably will not. If it does work, you’re done here!
  • If it didn’t work, set up the VPN connection on your iPhone. Most types of VPNs are supported; I tried with IPSec, but others such as L2TP and PPTP should work (some providers apparently do not support PPTP/GRE unless you pay an extra fee... *cough* Rogers *cough*)
    • Test the VPN connection on the iPhone by connecting to it and then loading an intranet page from Safari to confirm that it is indeed working. If your VPN uses a second authentication page, like some Checkpoint setups do, open that page on the iPhone and authenticate again.
  • Enable Wi-Fi and connect to your ad hoc network. Start PdaNet.
  • Enjoy your tethered VPN from your laptop. It might be a bit slow, but you don’t have to get a card for your laptop, and if you’re on Rogers/Fido, the 6 GB data plan allows for that. It can be a hell of a life saver when there’s that big problem at 2am and you’re in the middle of nowhere!*
  • For very simple tasks that don’t require a lot of work and can be done over RDP, WinAdmin is a remote desktop program for iPhone that will work well over the VPN. Get it from iTunes! (Not available in the Canadian store yet; find it somewhere else!)


*Note that Rogers doesn’t have coverage decent enough for that yet.

*Not tested on EDGE, but it should work the same, just even slower.

*Intensive data transfer actually drains the battery faster than it can charge over USB; don’t expect to be able to work 8 hours in a row.


Web authentication on Mobile devices


Common sense regarding web security is to never use the same password on multiple sites. That way, when one password gets compromised, not all of them are.

I usually generate passwords for every single web site that requires a login. For some of them, I even generate the username. There is no way I can remember all of them by heart; it is simply impossible. Instead, I use a combination of Firefox, TrueCrypt, and KeePass to store my passwords in a secure way. The whole hard drive is encrypted with TrueCrypt, low-security site passwords are stored in Firefox, and the important ones are stored in KeePass, which is also encrypted.

The reason for KeePass is that you can’t rely on Firefox to keep your passwords safe; it’s not meant to do that. It does fine for my Slashdot password though, as long as the hard drive is encrypted.

With the release of the latest round of smartphones, more and more people are using an iPhone, an Android phone, or a Windows Mobile phone. These phones often come with nice data plans and decent browsers that didn’t exist just a few years ago. Before Opera Mini and mobile Safari, going to Slashdot on a mobile phone to post a few comments did not feel like an interesting way to waste 10 minutes at all. Now, it is doable in a comfortable way.

Except typing passwords. That is definitely a pain. I don’t want to remember that 16-character password every time I post a retarded comment on Fark. Yet I don’t really want to save cookies and authenticated sessions either, because the iPhone is not very secure (understatement of the year). I am convinced that a lot of people who use mobile phones will set a lot of their online passwords to something short, simple, and sometimes maybe even numeric only.

What is the solution? Secure mobile devices and certificates? Possibly. Fingerprint protected certificates could be nice as well, leveraged by some kind of “OpenID” infrastructure maybe.

I guess with the latest iPhone firmware, it takes more than clicking emergency call or receiving a call to unlock it, at least.


Identify old Domain Administrators with oldcmp

Sometimes, it might be impossible to clean up all old domain accounts at the same time. Maybe you’re using Windows 2000 mixed mode and don’t have the LastLogonTimestamp field handy, maybe your users use some applications that don’t update it properly…there can be many reasons.

However, if it is a huge environment where there are a lot of administrators, and you know that the deprovisioning process is not always followed, you should at least disable the old accounts that are members of Domain Admins.

I use oldcmp by Joeware, maker of the greatest AD tools on Earth.

Oldcmp was originally designed to disable old computer accounts, but it’s also made to work with user accounts. It can use pwdLastSet and LastLogonTimestamp as attributes.

Check out the oldcmp usage first.

Then, it is a matter of running oldcmp with the proper switches, and filters. Always run it in reporting mode first.

oldcmp -users -report -af "memberof=CN=Domain Admins,CN=Users,DC=domain,DC=com" -llts -age 120 -format csv

oldcmp -users -report -af "memberof=CN=Administrators,CN=Builtin,DC=domain,DC=com" -llts -age 120 -format csv

This will output a CSV file with a list of Domain Admins that have not logged in for 120 days or more according to the LastLogonTimestamp attribute. Of course, this attribute is not precise, as it is replicated roughly every 2 weeks. However, this will give you a pretty good list of “old” admins.

Then, if you only want to remove them from the Domain Admins group, either do it manually or use admod to do it. If your domain is not totally insane, there should be few accounts to remove.

If you want to completely disable the accounts, you can use the same oldcmp command as above, with the safety and reporting switches removed. I’ll let you read the usage so you don’t blame me if you disable all your domain admins! If you are using pwdLastSet, watch out not to disable accounts whose password is set to never expire.

You should obviously do that on Enterprise Admins and other high-privilege groups as well, and also on the whole domain.
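As an added example (not from the original post, and not oldcmp itself), here is the same stale-admin report written against the ActiveDirectory PowerShell module, covering the three groups mentioned above and carrying the two caveats from the post: the roughly two-week lag of lastLogonTimestamp, and accounts whose password never expires. It assumes the module (RSAT) is installed and a domain controller is reachable; it only reports and never disables anything.

```powershell
# Added example, not from the original post: report members of high-privilege groups
# whose lastLogonTimestamp is older than the threshold. Reporting only; review the CSV
# before removing anyone from a group or disabling an account.
Import-Module ActiveDirectory

$AgeDays = 120
$Groups  = 'Domain Admins', 'Enterprise Admins', 'Administrators'
$Cutoff  = (Get-Date).AddDays(-$AgeDays)

$report = foreach ($g in $Groups) {
    # -Recursive expands nested groups, which is how many admins actually hold the right.
    Get-ADGroupMember -Identity $g -Recursive |
      Where-Object objectClass -eq 'user' |
      Get-ADUser -Properties lastLogonTimestamp, pwdLastSet, PasswordNeverExpires, Enabled |
      ForEach-Object {
        # Both attributes are FILETIME values; 0 or missing means "never set".
        $lastLogon = if ($_.lastLogonTimestamp) { [DateTime]::FromFileTime($_.lastLogonTimestamp) }
        $pwdSet    = if ($_.pwdLastSet)         { [DateTime]::FromFileTime($_.pwdLastSet) }
        # lastLogonTimestamp is only updated/replicated about every 14 days, so the
        # value can be up to two weeks behind; a 120-day threshold absorbs that lag.
        $stale = (-not $lastLogon) -or ($lastLogon -lt $Cutoff)
        [pscustomobject]@{
            Group                = $g
            SamAccountName       = $_.SamAccountName
            Enabled              = $_.Enabled
            LastLogonTimestamp   = $lastLogon
            PwdLastSet           = $pwdSet
            # A never-expiring password makes pwdLastSet useless as an age signal,
            # so flag these accounts rather than judging them on that attribute.
            PasswordNeverExpires = $_.PasswordNeverExpires
            Stale                = $stale
        }
      }
}

# Keep only the stale ones; drop the Where-Object to see every privileged account.
$report | Where-Object Stale | Sort-Object Group, SamAccountName |
    Export-Csv -Path .\old-admins.csv -NoTypeInformation
```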


Merging Group Policy Settings

When working a lot with Group Policy, one thing I would love to be able to do is merge user rights assignments. If you know how to do it, be sure to post a comment (workaround, 3rd-party tool, etc.).

Let’s say you have 500 servers. All servers run some agent service that must always be set to automatic, and for which you have customized ACLs. (You grant helpdesk the right to restart the service for example).

Well, this is pretty easy to handle as every service can be handled in different GPOs, so you just create a GPO with your settings, and you link it appropriately.

Now, what if you want to grant the service account that this service uses on every computer the right to “Log on as a service”? You could put that in the same GPO, but it would override any other policy that has “Log on as a service” defined and is applied before this one. Wouldn’t it be nice to be able to specify in a GPO that the service account must have “Log on as a service” while keeping the currently specified rights?


My favorite reason to upgrade to Active Directory 2008: PASSWORDS!

A limitation of Active Directory that I have always found to be extremely aggravating is the Password and Account lockout policy.

You could only set one for the domain; any other policy defined at the OU level would be applied to local accounts only.

How many times did I wish I could set a different password policy for service accounts! I had to decide between relying on people to use good service account passwords or forcing end users to use insane passwords. So we had to trust the people creating the service accounts...

Different departments requiring different policies for auditing purposes were also a reason to set up a separate domain. That means at least two new servers, more management time... ew!


In 2008, if your domain is at the Windows Server 2008 functional level, you can now create PSOs (Password Settings Objects) and therefore apply different password policies to different security groups!


This is absolutely awesome and is a very good argument to migrate to 2008.

See this TechNet article about Password Settings Objects/fine-grained password policies, and use this great tool (PSOMgr from Joeware) to play with the settings, instead of using ADSI Edit.

I wonder when Microsoft will have a nice interface to create these..


Oh yeah, and my other favorite reason is Read-Only DCs..let’s say they both rank as #1 reasons :)
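As an added example (not from the original post), here is the scenario described above done with the ActiveDirectory PowerShell module: a stricter PSO for service accounts and a separate one for everyone else, applied by security group, with a check of which policy wins for a given account. It assumes the module is installed, a domain at the Windows Server 2008 functional level, and that the group name SvcAccounts and the user svc_backup are placeholders for your own.

```powershell
# Added example, not from the original post. Group/user names are placeholders.
Import-Module ActiveDirectory

# Lower precedence wins when an account falls under several PSOs, so the service
# account policy (10) beats the general staff policy (20) for members of both groups.
New-ADFineGrainedPasswordPolicy -Name 'PSO-ServiceAccounts' -Precedence 10 `
    -MinPasswordLength 25 -PasswordHistoryCount 24 -ComplexityEnabled $true `
    -MaxPasswordAge (New-TimeSpan -Days 365) -MinPasswordAge (New-TimeSpan -Days 1) `
    -LockoutThreshold 10 -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30) -ReversibleEncryptionEnabled $false

New-ADFineGrainedPasswordPolicy -Name 'PSO-Staff' -Precedence 20 `
    -MinPasswordLength 12 -PasswordHistoryCount 24 -ComplexityEnabled $true `
    -MaxPasswordAge (New-TimeSpan -Days 90) -MinPasswordAge (New-TimeSpan -Days 1) `
    -LockoutThreshold 10 -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30) -ReversibleEncryptionEnabled $false

# PSOs are applied to users and global security groups, not to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-ServiceAccounts' -Subjects 'SvcAccounts'
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Staff' -Subjects 'Domain Users'

# Verify the resultant policy for a service account that is in both groups:
# it should report PSO-ServiceAccounts because of its lower precedence value.
Get-ADUserResultantPasswordPolicy -Identity 'svc_backup' |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge
```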


Windows Service permissions concerns when hardening servers

When hardening Windows servers through security templates or Group Policies, it is important to give the proper permissions to services. You might want to grant a helpdesk group the rights to stop, start and pause a service while not being able to change the parameters on the server, and most of all, without being a local admin of that server.

To do that, you create a new Group Policy, and under Computer configuration, you find the System Services section. Then you select your spooler service, you set its startup mode to automatic, and you specify the rights.

Now, the problem is that the default rights the GPMC console shows you are NOT aligned with the actual defaults of Windows!

Here you can see on the left, what GPMC is proposing. On the right, Default Windows 2003 settings.

(Left image: default rights proposed by the GPO editor for services. Right image: Windows 2003 default rights on the Print Spooler.)

Now, it is probably a very good thing to remove Power Users. The print spooler might be perfectly fine with what GPMC wants you to use plus your own customizations.

However, it is very important to make sure that any service that depends on this service is able to read it! For example, if only administrators can read the service, and you have a fax server that depends on the Print Spooler, it will not be able to start unless the service account it uses is part of Administrators!

Just a thing to keep in mind when hardening a lot of services, or when troubleshooting service startup problems..
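As an added example (not from the original post), here is a PowerShell script that decodes a service's security descriptor after a hardening GPO has been applied, so you can see which principals still hold the read rights (query config, query status, interrogate, read control) rather than guessing from what GPMC displays. It assumes the built-in sc.exe and .NET's RawSecurityDescriptor class; the service name defaults to Spooler.

```powershell
# Added example, not from the original post: list every ACE on a service and flag
# which principals can still read it after hardening.
param([string]$ServiceName = 'Spooler')

# Service-specific access rights from winsvc.h plus the standard rights that matter here.
$ServiceRights = [ordered]@{
    QueryConfig = 0x0001;  ChangeConfig = 0x0002;  QueryStatus = 0x0004
    EnumDepend  = 0x0008;  Start        = 0x0010;  Stop        = 0x0020
    PauseCont   = 0x0040;  Interrogate  = 0x0080;  UserDefined = 0x0100
    Delete      = 0x10000; ReadControl  = 0x20000; WriteDac    = 0x40000; WriteOwner = 0x80000
}
# The rights needed just to see a service's configuration and state.
$ReadMask = 0x0001 -bor 0x0004 -bor 0x0080 -bor 0x20000

# sc.exe sdshow prints the descriptor as an SDDL string starting with "D:".
$sddl = (sc.exe sdshow $ServiceName | Where-Object { $_ -match '^\s*D:' }) -join ''
if (-not $sddl) { throw "Could not read the security descriptor for '$ServiceName'" }

$sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl.Trim())
$sd.DiscretionaryAcl | ForEach-Object {
    $ace = $_
    # Translate the SID to a name where possible; fall back to the raw SID.
    try   { $name = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = $ace.SecurityIdentifier.Value }
    $granted = ($ServiceRights.GetEnumerator() | Where-Object { $ace.AccessMask -band $_.Value }).Key
    [pscustomobject]@{
        Principal = $name
        Type      = $ace.AceType
        # Only an allow ACE carrying all four read bits counts; deny ACEs are listed so you see them.
        CanRead   = ($ace.AceType -eq 'AccessAllowed') -and (($ace.AccessMask -band $ReadMask) -eq $ReadMask)
        Rights    = $granted -join ','
    }
} | Format-Table -AutoSize
```

Run it once before and once after linking the hardening GPO and compare the CanRead column for the account a dependent service runs as.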
