Posts Tagged ‘Security’
March 26th, 2010
Depending on how you use Active Directory in your organization, you may be setting a lot of security policies on workstations, and some of these settings can be problematic during the automated build of computers.
A few workarounds exist to avoid applying those to the workstations being imaged:
* Create a temporary OU for the computer account, and move it to the proper location once the build is done
* Change the order of the steps in your build to avoid issues caused by security settings
* Configure a GPO to override the settings that need to be set only during deployment, and filter it so that it applies only to the machines being imaged.
For multiple different reasons, I had to use the last option. It is a rather clean option, as it doesn’t involve moving computer accounts after the build or any changes on the domain during the imaging process, other than joining the machine, which is great.
One word of caution: make sure whatever you are overriding is not a must for security and is simply an “annoyance”, because eventually (within a few minutes probably), a user WILL figure out how you’re doing the filtering and WILL apply it to his own machine, in order to bypass some security settings.
Only a few steps are involved:
1) Create a GPO that will set the values to what they need to be during the build (don’t link it yet)
2) Create a WMI filter called “BoxBeingBuilt” or something similar. Have it do a query on something you know is true only during imaging. If you can’t find anything reliable, do something like this:
Select * from Win32_Environment Where Name = "BuildinDaBox"
3) Ensure your build process sets a system variable with that name at the beginning, and removes it at the end.
Tada!
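Steps 2 and 3 in PowerShell, as an added example that is not the author's own build script: it sets and removes the machine-level marker and evaluates the WQL query the way the WMI filter would. The function names and the stricter `UserName` variant of the query are assumptions that do not appear in the original post.

```powershell
# Added example, not the author's build script. The marker name and the basic
# WQL query come from the post; the function names are hypothetical.
$MarkerName = 'BuildinDaBox'

# The post's query, usable as-is in the GPO WMI filter (namespace root\CIMv2).
$FilterQuery = "SELECT * FROM Win32_Environment WHERE Name = '$MarkerName'"

# Stricter variant (assumption, not in the post): Win32_Environment also lists
# per-user variables, which any user can create. Machine-level variables report
# UserName '<SYSTEM>' and need administrative rights to set.
$StrictQuery = "$FilterQuery AND UserName = '<SYSTEM>'"

function Set-BuildMarker {
    # First step of the build: create the machine-level variable (needs elevation).
    [Environment]::SetEnvironmentVariable($MarkerName, '1', 'Machine')
}

function Clear-BuildMarker {
    # Last step of the build: a null value deletes the variable.
    [Environment]::SetEnvironmentVariable($MarkerName, [NullString]::Value, 'Machine')
}

function Test-BuildFilter {
    param([string]$Query = $StrictQuery)
    # A WMI filter evaluates to true when the query returns at least one instance.
    $hits = @(Get-CimInstance -Namespace 'root\CIMv2' -Query $Query)
    return ($hits.Count -gt 0)
}

function Get-MarkerOwners {
    # Audit helper: lists every account that has the marker set, so a leftover
    # or user-created copy shows up on a deployed workstation.
    Get-CimInstance -Namespace 'root\CIMv2' -Query $FilterQuery |
        Select-Object Name, UserName, VariableValue
}

Set-BuildMarker
"During build: filter matches = $(Test-BuildFilter)"
Clear-BuildMarker
"After build:  filter matches = $(Test-BuildFilter)"
Get-MarkerOwners
```

Running `Get-MarkerOwners` across deployed workstations is a quick way to spot machines where the marker was left behind or re-created after the build.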
July 6th, 2009
For security reasons, it might be advisable to clear your swap file at shutdown.
It doesn’t provide great security, and you really should be using full drive encryption anyway.
But in case anyone is wondering, for a 1.5 GB swap file, this option (ClearPageFileAtShutdown) seems to add about 30 to 40 seconds of time to the shutdown procedure as it overwrites the file with zeroes.
Now turn it back off and install TrueCrypt!
March 10th, 2009
** Update ** Official word from Symantec
My favorite quote from that paragraph is: “Releasing a patch unsigned is an extremely rare occurrence that does not pose any security issues to our users”.
Wow, I guess Norton’s too good, they don’t even need to sign patches. Then why do they ever sign them, if they can push unsigned ones?
Why was that patch hidden, and why did they delete true messages concerning PIFTS before the “spam” appeared?
PIFTS.exe is generating quite a buzz as nobody seems to really know what it does, and Symantec seems to be putting more effort into moderating posts than explaining what it does.
SANS page about PIFTS
Blog post by a guy who thinks that Slashdot is a web 2.0 social networking site for techies:
Digg discussion about that page
Anubis report (who knows if that was done using the real file though):
Slashdot Discussion
Washington Post "Voices"
Great screenshot from the Symantec boards, the thread should be gone in a few minutes..
And another one..
Possibly a great 4chan prank? Who knows, you’d think Symantec would release an official statement if that was the case..
October 31st, 2008
PdaNet 1.40 has been released. I’ve been able to connect to various IPSec tunnels using the client on my laptop with this version, which makes connecting easier. You have to make sure you’re using UDP or that transparent tunneling has been disabled. I haven’t got it working with IPSec over TCP. It still fails on one of my VPNs and I can’t really figure out why, but I think it might not be related to PdaNet itself... time to apt-get update it!
From the changelog:
Version 1.40
- Implement VPN and UDP support.
- Display a numeric battery meter (you know you want it).
- Resolve a CPU usage issue that drains the battery faster.
- Add a DNS cache for instant lookup, improve initial connection speed.
- Pause UI update when device is sleeping to save power.
- This version is a significant improvement over previous versions.
October 26th, 2008
Here is a quick how-to on how to connect to your work’s VPN on the iPhone and use it on your laptop. Special thanks to Nutbar on HowardForums who helped me with the last trick about the connection order.
- Jailbreak your iPhone ( http://www.quickpwn.com/2008/09/jailbreak-iphone-2… )
- Install PdaNet from Cydia
- Get PdaNet working by setting up an AdHoc Wifi network on your laptop. Then connect your iPhone to it, start PdaNet.
- Test the connection on your laptop by browsing a few websites through the iPhone.
- Disable PdaNet and Wifi for now.
- Try connecting to your IPSec VPN from your laptop. It *MIGHT* work but will probably not. If it does work, you’re done here!
- If it didn’t work, set up the VPN connection on your iPhone. Most types of VPNs are supported; I tried with IPSec, but others such as L2TP and PPTP should work (some providers apparently do not support PPTP/GRE unless you pay an extra fee.. *cough* Rogers *cough*).
- Test the VPN connection on the iPhone by connecting to it and then loading an Intranet page from Safari to confirm that it is indeed working. If your VPN uses a second authentication page, like some Checkpoint setups do, open that page on the iPhone and authenticate again.
- Enable Wifi, connect to your AdHoc network. Start PdaNet.
- Enjoy your tethered VPN from your laptop. It might be a bit slow but you don’t have to get a card for your laptop, and if you’re on Rogers/Fido, the 6 GB data plan allows for that. It can be a hell of a life saver when there’s that big problem at 2am and you’re in the middle of nowhere!*
- For very simple tasks that don’t require a lot of work and can be done over RDP, WinAdmin is a remote desktop program for iPhone that will work well over the VPN. Get it from iTunes! (Not available in the Canadian store yet, find it somewhere else!)

WinAdmin screenshot
*note that Rogers doesn’t have coverage decent enough for that yet
*not tested on Edge but should work the same, just even slower.
*intensive data transfer actually drains the battery faster than it can charge over USB – don’t expect to be able to work 8 hours in a row.