And so it begins…

Posted by: Justin

Working hard to finish up my grad program @ Ferris State University…posting may be erratic for a while – bear with me.

.NET, C#, and COM will be my life for a bit – will work to post some information about useful tidbits…

For example, my first challenge of my project (creating an interface for managing multiple remote desktop sessions – similar to tsmmc.msc – back from Windows 2000/2003 days) was finding exactly what allowed me to “tap in” to the RDP library. Lo and behold – eventually I found it after some scrounging around…

Microsoft Terminal Services Active Client 1.0 Type Library – found when adding a reference to your VS project, under the COM tab – this will enable the magic VS IntelliSense feature to pick up the MSTSCLib namespace…more as it develops…

Props to this guy for tipping me off via open source – http://www.codeproject.com/KB/cs/Palantir.aspx

Also working on a Microsoft System Center Configuration Manager (SCCM) tool (.NET, C#) that will produce a basic report on package/program chains (i.e. prerequisites). This is being done via WMI. Again, more as it develops…

My good buddy is working on a new theme for the site – should be interesting – stay tuned.



IPv6 & company – sometimes cool…sometimes not

Posted by: Justin

I’ve been in an automating mood lately – old school, batch script style.

Here’s another one I cooked up to relieve you of the tedious steps needed to turn off all advanced networking features in Windows 2008/Vista/7.

As a bonus, I added before and after logging for fun.

As a side note, I was not able to cook up a way to dynamically enumerate network connections and uncheck the IPv6 protocol for you…this is still done manually. Perhaps with more time, I could fix this.

Regardless, this little batch file has saved me a bit of time already.

Again, use all but the asterisks for the batch file…

***

rem http://support.microsoft.com/kb/951037
rem Information about the TCP Chimney Offload, Receive Side Scaling, and Network Direct Memory Access features in Windows Server 2008
rem this batch file disables all three advanced settings...
echo ************************** >> c:\pre-disable.txt
echo %date% >> c:\pre-disable.txt
netsh int tcp show global >> c:\pre-disable.txt
netsh int tcp set global chimney=disabled
netsh int tcp set global rss=disabled
netsh int tcp set global autotuninglevel=disabled
netsh int tcp set global congestionprovider=none
netsh int tcp set global ecncapability=disabled
netsh int tcp set global timestamps=disabled
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v EnableTCPA /t REG_DWORD /d 0 /f
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters /v DisabledComponents /t REG_DWORD /d 0xffffffff /f
echo ************************* >> c:\post-disable.txt
echo %date% >> c:\post-disable.txt
netsh int tcp show global >> c:\post-disable.txt
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v EnableTCPA >> c:\post-disable.txt
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters /v DisabledComponents >> c:\post-disable.txt
echo ...RESTART REQUIRED... >> c:\post-disable.txt
echo ...verify ipv6 is unchecked in all interfaces... >> c:\post-disable.txt
start c:\pre-disable.txt
start c:\post-disable.txt
pause

***

Microsoft IT Environment Health Scanner

Posted by: Justin

This tool was mentioned to me by another consultant – it is a fantastic way to get a quick overview of an unfamiliar environment.

Scans for replication, NTP, site, subnet, DNS, and all kinds of other issues!

Find it here -

http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=dd7a00df-1a5b-4fb6-a8a6-657a7968bd11

Finally…a quick way to solve that pesky NTP issue on domain controllers…

Posted by: Justin

Ever muddle through Microsoft KB 816042?

Ever wish there was an easy way to make all those registry edits?

I have…so I did something about it - a simple batch file will do nicely.

Tested this just the other day…batch file dump below (minus the ***s)

***

@echo off
rem http://support.microsoft.com/kb/816042
rem How to configure an authoritative time server in Windows Server
rem Uses pool.ntp.org - feel free to replace with any you like (time.nist.gov is another big one)
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters /v Type /t REG_SZ /d NTP /f
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config /v AnnounceFlags /t REG_DWORD /d 5 /f
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer /v Enabled /t REG_DWORD /d 1 /f
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters /v NtpServer /t REG_SZ /d pool.ntp.org,0x1 /f
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient /v SpecialPollInterval /t REG_DWORD /d 900 /f
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config /v MaxPosPhaseCorrection /t REG_DWORD /d 3600 /f
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config /v MaxNegPhaseCorrection /t REG_DWORD /d 3600 /f
net stop w32time && net start w32time
pause

***

PS – your Windows domain members should automatically look to the PDC emulator for time sync by default.

You can also use the following command in a login script to force the issue (older hack, but still works)…

net time \\[server name] /set /yes

for more info see – http://support.microsoft.com/kb/120944

Exchange Edge Server Safe List Aggregation – Automated!

Posted by: Justin

While the Edge server role is a great idea for Exchange 2007, it seems to lack some basic functionality. I had one client that wished to have the Outlook client safe sender lists aggregated automatically every day…so I cooked this up. Seems to work fine!

Schedule this to run every 24 hours to update the users’ safe lists generated in Outlook (put the code below into a .bat file on the Edge server).

"%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe" -psconsolefile "e:\exchange\bin\exshell.psc1" -command "Get-Mailbox | where {$_.RecipientType -eq [Microsoft.Exchange.Data.Directory.Recipient.RecipientType]::MailboxUser } | Update-Safelist"

After you save your file, run this on the Edge server to create the scheduled task:

at 23:00 /every:M,T,W,Th,F,S,Su cmd /c "c:\[path to file]\[file name].bat"

When it doesn’t work as advertised…

Posted by: Justin

I recently had a challenging experience with Windows XP clients using single-sign-on (SSO) for terminal server (TS) 2008 RemoteApp.

After Windows XP Service Pack 3 is applied, you are able to “turn on” the feature by following an article such as “Description of the Credential Security Support Provider (CredSSP) in Windows XP Service Pack 3”. Note that while the article says you can’t control the client’s settings for SSO servers, you can…if you upgrade your group policy objects on your SYSVOL share and use Vista or Windows 2008 to manage group policy! You must follow the article to enable SSO, but you can control which server connections make use of it via a GPO.

This magic is already present in Vista and 7 when used as TS clients for RemoteApp.

My experience was different, as I applied the proper registry tweaks…but my RemoteApp window was still prompting users for login to the TS environment instead of merely passing the username/password on!

After banging my head on my desk for awhile, I finally “googled” the right combination of words to find a nifty hotfix for credssp and the exact issue I was experiencing!

Behold (it is properly named!) – “When you enable SSO for a terminal server from a Windows XP SP3-based client computer, you are still prompted for user credentials when you log on to the terminal server.”

I created a batch file to apply both hotfixes silently at start up…seems to do the trick…the magic now works as stated!


More fun with Exchange 2007 web services

Posted by: Justin

I have seen several broken instances of autodiscover and other Exchange 2007 web services.

Generally fixing these involves…

  • Verify that internal and external DNS match (for a single-server setup)
    • autodiscover.domain.com -> CNAME to mail.domain.com
    • mail.domain.com -> points to the actual Exchange server
    • Make sure this matches on the outside to make things smooth -> external DNS should point to the public IPs used for publishing HTTP/HTTPS to the CAS
    • I have seen people set up confusing and improper firewall and public DNS entries that cause havoc and are hard to track down initially! Pay attention when publishing your mail server and editing public DNS. A fix for a mistake can take hours to propagate in public DNS!
  • Verify certificate names
    • A UCC is needed (godaddy.com has cheap ones)…follow the installation instructions – or check my blog for an earlier article about this.
    • If you didn’t install it and question whether it was done right, just reinstall it – usually faster anyway.
  • Rebuilding virtual directories may do it…
    • Most can be done with remove-…virtualdirectory (like remove-oabvirtualdirectory)
    • Check this article for a great overview - http://www.exchange-genie.com/2007/07/exchange-2007-autodiscover-service-part-1/
    • I have seen that you should stop IIS before running the new-…virtualdirectory commands…restart IIS after the new VD is created successfully.
  • For a missing OAB web distribution point…
    • http://blogs.msdn.com/dgoldman/archive/2006/11/27/Error-0x80190194-when-using-an-outlook-2007-client-to-download-a-web-distribution-enabled-oab.aspx
  • When in doubt, test it out
    • GREAT testing site for Outlook web services and Exchange services – https://www.testexchangeconnectivity.com/
  • Test with the Outlook client
    • OAB – Tools -> Send/Receive -> Download Address Book -> hit OK.
    • OOF – Tools -> Out of Office Assistant (will bomb out if not working, otherwise will show up nicely!)
    • Free/busy – attempt to schedule a meeting and use the Scheduling Assistant
    • Change to folder view and check the Sync Issues container for any other problem hints
  • With Outlook open, hold Ctrl and right-click its tray icon. Try out Connection Status (should show directory & mail service connections via TCP (LAN/VPN) or HTTP(S) (Outlook Anywhere)) and Test AutoConfiguration.
  • test-outlookwebservices
    • I have seen 401 unauthorized errors before, but have had autodiscover working despite these.
    • Note that autodiscover.xml is a placeholder file (there isn’t actually anything in it!)
  • If you are running Exchange 2007 on Windows 2008…you may want to disable IPv6…but do it RIGHT – don’t just uncheck the box in the network control panel and call it good – RTFM
    • http://support.microsoft.com/kb/929852

My Symantec recommendation…

Posted by: Justin

Having trouble with Symantec Endpoint Protection (SEP) and Windows Server? You are not alone.

While reputable, Symantec anti-virus products seem to have become more troublesome lately (in my opinion).

I have recently seen a few strange examples related to file share problems when Windows Server 2008 has SEP installed. The example I have in mind was set up with a vanilla SEP install.

Windows XP clients would drop connections with the file server – any shares would be inaccessible. You could ping the server and hit the Internet, but no file shares, which means no group policy, no roaming profiles or redirected folders. Rebooting the server fixed the issue temporarily.

I found a solution by hitting the forums and Symantec’s site.

See Document ID 2008100113145148

They recommend that maintenance release 3 (MR3) and Windows Server 2008 SP2 be applied.

In my case, I couldn’t apply SP 2, so I used a work-around instead. I disabled auto-protect altogether and set a scheduled scan (daily) instead. This fixed the issue until I can put SP 2 on. Also don’t forget to disable all features but anti-virus on the SEP client (i.e. axe pro-active threat protection and the rest).

If you do some digging, you’ll find there are A LOT of issues with SEP breaking things in general. Security software issues like this are hard to track down and highly disruptive.

Not surprisingly, my recommendations for SEP are few and far between.

Cracking the SAM

Posted by: Justin

I have done this before, but it’s been a while, so I thought I would refresh my memory on password cracking.

My tools (used on Windows XP VM)

  • L0phtCrack (15 day trial for downloads, GUI, professional-grade)
  • Cain and Abel (freeware, GUI)
  • OphCrack (freeware, GUI)
  • pwdump (used for grabbing the SAM)

My victim

I have a Windows XP Professional SP3 virtual machine with a SAM that has several accounts with passwords of varying strength.

  • user1 / asdfjkl;
  • user2 / weak
  • user3 / asdfjkl;12345
  • user4 / 123ikm852
  • user5 / jasonlives
  • user6 / jasonalmostlives
  • user7 / jason1lives
  • user8 / biec?32z

The Process – Part 1

  1. First, I boot up the VM with my Linux ISO (use the “Try Ubuntu without making changes” option)
  2. I open the Places -> Computer area and open the 8.6 GB media drive (my local file system). Then I navigate to the SAM stored in c:\windows\system32\config. (Two screenshots of this step are not reproduced here.)
  3. Copy the SAM somewhere…in this case, I put it on my host machine as a temporary storage area. Then I rebooted my victim machine & installed L0phtCrack on it to start a brute force attack on the hashes in the SAM.
  4. I love drag-and-drop features in VMware Workstation!
  5. L0phtCrack can import the local machine’s SAM with its wizard interface, but you need admin access to do that. I just skipped the wizard and imported my SAM file.
  6. I modified the session options like so (to include characters)…you can also see the proc is maxed out (lc.exe)! This translates to 50% utilization on my host machine. (Screenshot not reproduced here.)
  7. Now it is time to wait…
  8. After a long wait, my somewhat under-powered VM came up with the following (screenshot not reproduced here)…
    1. Note that only the weakest were cracked. It seems the demo of this tool only allows 6 accounts and does not allow brute force cracking (although you can select it). Too bad I can’t actually try all of the features with this demo (on a budget for this experiment). So I will attempt another method…

The Process – Part 2

  1. I decided to try other password tools – like Cain, which is part of the Cain & Abel suite. I also needed to use Ophcrack.
    1. A word about the efficiency of Ophcrack – it uses rainbow tables, which are precomputed hashes for sets of passwords…so instead of trying every password in the dictionary (with a dictionary-only table), the program will just search for the matching hash.
    2. So if (for example) my password was “mice” and the hash was “x94lfrj94j48dk”, then Ophcrack would just search its large table to find that hash.
  2. I also used pwdump7. This dumps the live SAM to a text file that contains the hashes that various tools can import.
    1. For instance – I ran the following on my XP victim machine.
      1. c:\pwdump7\pwdump7.exe > c:\samdump.txt
      2. Here is the sample I got from it -> samdump.txt (linked in the original post).
    2. I can then import my dump file to Cain or Ophcrack
  3. First – Cain.
    1. Cracker tab -> Right-click to load my samdump.txt file.
    2. I tried a modified dictionary attack with all possible characters and numbers. I loaded the default word list included with Cain – c:\program files\cain\wordlists\wordlist.txt.
    3. My results are in a screenshot (not reproduced here).
    4. In summary, Cain was not as effective as I would have hoped, as a full dictionary and hybrid attack did not reveal many of the passwords. I also tried a brute force with all possible characters, but that would have taken years to complete (by Cain’s estimate). I still think Cain is an easy-to-use security tool and do not wish to discredit it – there are many other features I have not tested yet. For this exercise, I turned to rainbow tables. Note that the online rainbow crack with Cain is not free.
  4. Enter Ophcrack – the basic rainbow tables are free (lowercase, uppercase, numbers – about 750 MB). Tables with characters are quite large (8 GB) and cost a couple hundred bucks.
    1. I downloaded the fast free xp tables. This was a large download but was no challenge for my Internet pipe!
    2. I installed the table download in Ophcrack by unzipping it and using Ophcrack to point to its location.
    3. I loaded my samdump.txt file and began cracking. You can also load a local or remote live SAM.
    4. It did not take long for the program to compare against the table – only about 5 minutes on my VM.
    5. Here are the results (screenshot of the Ophcrack results, not reproduced here).
    6. Note that users 3, 6, and 8 were not cracked – they were either too long for the computed tables or the tables lacked the characters used in the password. Thus, there would be no match in the table. I believe that purchasing a commercial table set would be quite useful in cracking most passwords.
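
As an added example (not code from the original post, nor from pwdump7, Cain or Ophcrack), here is a small Python audit of a pwdump-style dump like the samdump.txt above. The `username:RID:LM hash:NT hash:::` line layout and the two well-known “empty” hash constants are the documented pwdump/SAM values; the account names and the hex hash values in the sample are constructed for this example and are not real hashes. It reports what a defender wants to know before anyone points tables at a dump: accounts with an empty password, accounts that still store an LM hash (the case-folded, 14-character-max hash that the free XP rainbow tables reverse so quickly), and accounts that share the same NT hash.

```python
"""Audit a pwdump-style hash dump for the weaknesses a rainbow-table run feeds on.

Added example, not code from the original post or from pwdump7/Cain/Ophcrack.
pwdump-style tools emit one line per account:

    username:RID:LM hash:NT hash:::

The field layout and the two "empty" hash constants are the documented
pwdump/SAM values; the sample accounts and hex values below are constructed
for this example and are not real hashes.
"""
from collections import defaultdict

# Value in the LM field when no LM hash is stored (also the LM hash of "").
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
# NT hash of the empty password.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
HEX_DIGITS = set("0123456789abcdef")

# Constructed sample dump (the hex values are made up, not real hashes).
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
user1:1003:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
user2:1004:11111111111111112222222222222222:33333333333333334444444444444444:::
user3:1005:aad3b435b51404eeaad3b435b51404ee:55555555555555556666666666666666:::
user5:1007:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
"""


def parse_pwdump(text):
    """Return (user, rid, lm, nt) tuples; banner or error lines that the
    dumper also prints are skipped rather than treated as accounts."""
    records = []
    for raw in text.splitlines():
        parts = raw.strip().split(":")
        if len(parts) < 4:
            continue
        user, rid, lm, nt = parts[0], parts[1], parts[2].lower(), parts[3].lower()
        if not rid.isdigit() or len(lm) != 32 or len(nt) != 32:
            continue
        if not set(lm) <= HEX_DIGITS or not set(nt) <= HEX_DIGITS:
            continue
        records.append((user, int(rid), lm, nt))
    return records


def audit(records):
    """Group accounts by risk indicator; only non-empty groups are returned."""
    findings = defaultdict(list)
    nt_owners = defaultdict(list)
    for user, rid, lm, nt in records:
        if nt == EMPTY_NT:
            findings["empty_password"].append(user)
        if lm != EMPTY_LM:
            # A stored LM hash means the password is at most 14 characters,
            # upper-cased and split into two independent 7-character halves:
            # the property the free XP tables are built around.
            findings["lm_hash_present"].append(user)
        nt_owners[nt].append(user)
    for nt, users in nt_owners.items():
        if nt != EMPTY_NT and len(users) > 1:
            findings["shared_password"].append(sorted(users))
    return dict(findings)


def audit_dump(text):
    """Convenience wrapper: parse, then audit, a whole dump."""
    return audit(parse_pwdump(text))


if __name__ == "__main__":
    for indicator, users in sorted(audit_dump(SAMPLE_DUMP).items()):
        print(f"{indicator}: {users}")
```

Accounts listed under lm_hash_present are the ones the free Ophcrack XP tables get to first; the fix on the Windows side is the “Network security: Do not store LAN Manager hash value on next password change” policy (NoLMHash), after which the LM field reads aad3b435… for every account whose password has been changed since.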

Conclusion

While cracking passwords is easier than it used to be, strong passwords will still keep you pretty safe. I recommend following best practices on this – upper-case and lower-case letters, numbers, and symbols for a password of 8 or more characters. Avoid words in a dictionary – I was able to crack the password “weak” in seconds with all three tools.

Also – if you think “3” for “e” or “@” for “a” is clever – think again. I could search for these variations on dictionary words in Cain by ticking a box. L0phtCrack had a similar option.
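
To make the advice above concrete, here is an added Python example (mine, not from the original post or from any of the tools named) that checks a candidate password against those rules: a length of 8 or more, all four character classes, and no dictionary word even after undoing the “3 for e, @ for a” substitutions that the hybrid options in Cain and L0phtCrack try. The small word list and the substitution map are constructed for the example; a real check would load a full dictionary file.

```python
"""Check a candidate password against the conclusion's rules: at least 8
characters, all four character classes, and no dictionary word, even after the
common "3 for e / @ for a" substitutions are undone.

Added example; WORDLIST and LEET_MAP are constructed for this example and are
not from the original post, Cain or L0phtCrack (which ship their own lists).
"""
import string

# Constructed mini word list; a real check loads a full dictionary file.
WORDLIST = {"weak", "password", "jason", "lives", "mice", "secret", "welcome"}

# Common substitutions, undone before the dictionary check. These are the
# variations a hybrid / "character substitution" attack tries first.
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t",
})


def normalize(pw):
    """Lower-case and undo leetspeak so 'P@ssw0rd' compares as 'password'."""
    return pw.lower().translate(LEET_MAP)


def dictionary_hits(pw, wordlist=WORDLIST):
    """Dictionary words (4+ letters) found inside the normalized password."""
    norm = normalize(pw)
    return sorted(w for w in wordlist if len(w) >= 4 and w in norm)


def character_classes(pw):
    """Which of the four character classes the password contains."""
    return {
        "lower": any(c.islower() for c in pw),
        "upper": any(c.isupper() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "symbol": any(c in string.punctuation for c in pw),
    }


def evaluate(pw, wordlist=WORDLIST):
    """Return the list of rule violations; an empty list means the password passes."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    missing = [name for name, ok in character_classes(pw).items() if not ok]
    if missing:
        problems.append("missing " + ", ".join(missing))
    hits = dictionary_hits(pw, wordlist)
    if hits:
        problems.append("contains dictionary word(s): " + ", ".join(hits))
    return problems


if __name__ == "__main__":
    # The first four are passwords from the experiment above; the last is a
    # constructed one that passes every rule.
    for candidate in ["weak", "P@ssw0rd!", "jason1lives", "biec?32z", "Xq7#mvRt2$Lp"]:
        print(f"{candidate!r}: {evaluate(candidate) or 'ok'}")
```

Note that “P@ssw0rd!” satisfies the length and all four character classes and still fails, because the normalization step turns it back into “password” before the dictionary lookup; that is the same reason the tick-box variations in Cain find it.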

I think rainbow tables are the best way to go for general cracking…they are much faster. However, you have to purchase the larger tables that have all possible combinations. Even these giant tables have limits (usually like 16 character passwords). Brute force is the ultimate, but you will be well aged by the time you brute force a password with letters, numbers, and symbols with a length of 8 or 10 characters.

Cain seems similar to L0phtCrack, but it is free. If I had a serious password audit need, I would definitely purchase rainbow table sets and probably L0phtCrack. However, there are plenty of free tools for password cracking – finding a gem among them is the hard part.

In addition, you can see from above that there are numerous ways to get a password hash dump from a system – whether you have admin-level access or not.

Note that this article represents an experiment with my own property and systems – I do not condone cracking other people’s systems without their consent. Use this information at your own risk.

GFI Home Backup 2009 – Quick Eval

Posted by: Justin

GFI recently released a few freeware editions for programs they use under the “We Care” initiative.

See it at www.gfi.com/frw

3 of the 4 products are light versions of commercial products, but there is a new one – a home backup software. I decided to install it on a Windows XP VM and test its feature set.

I acquired version 3.0 and installed it – painless. I had to give up my name and email address to get the download link…

Backup Features

The interface seems clean. Backup, restore, and sync are the main focus of this product (Figure 1).

Figure 1 (screenshot, not reproduced)

First, I tried a backup job. See Figure 2. This software, at first glance, offers more than other freebie backup software I have used in the past. The source, for example, allows us to select types of files with a few clicks, parts of the registry, program settings, etc. Impressive. See Figure 3, 4, and 5.

Figure 2 (screenshot, not reproduced)

Figure 3 (screenshot, not reproduced)

Figure 4 (screenshot, not reproduced)

Figure 5 (screenshot, not reproduced)

For this exercise, I selected My Documents. It is also worth noting that I can grab backups from network locations. Not bad.

Next is the destination selection. I can send it to network or local storage. There is an FTP function…but I hesitate to use it – especially for home backup…how many users using freebie backup software have a FTP server running? There’s a great risk using FTP and little benefit if you don’t have a FTP server offsite. If you are sending on the LAN, use a file share instead…

Noteworthy – the file share destination option allows you to authenticate.

I’m going to use the default local folder for this, as shown in Figure 6. This points to C:\Program Files\GFI\GFI Backup 2009 – Home Edition\Backup

Figure 6 (screenshot, not reproduced)

Why is “Floppy” even mentioned in the removable device option? Does anyone still use floppies? If you do, please put them down now and go buy a USB flash media immediately, if not sooner.

Ahh…options…this one includes encryption and compression. Better than NT Backup! See Figure 7. Versioning is supported! This is a great way to prune backups without thinking. I would choose the stack option and keep 3 versions. AES encryption is great for securing your backups if they are lost or stolen, while zip compression is ubiquitous. Good choice, GFI. Note that if you encrypt here, you must compress as well.

Figure 7 (screenshot, not reproduced)

I chose to encrypt with AES and a simple key.

Next up, the scheduling options seem powerful, even allowing you to run the job as a certain user. See Figure 8. I will just use the manual schedule for this.

Figure 8 (screenshot, not reproduced)

Finally, the events option tab – I will leave the defaults, as they seem fine, but I will add the verify option. I detest taking backups without verification.

Figure 9 (screenshot, not reproduced)

My backup of less than 1 MB took 5+ minutes to finish. Not the best performance.

I wanted to test to see if it backs up open files, so I added a WordPad document and left it open while the backup ran. It worked. The second backup was very fast. I’m unsure of why the first one took so long…

In summary, I ran a restore and could see my two versions of the archive. I was prompted for my password, as expected. Restores worked as expected.

Thoughts…

Overall, the software does offer a lot for free. I would say it is superior to NT Backup for file-level backup. I wouldn’t back up a domain controller or exchange server with it, but it would be adequate for a poor man’s backup solution for files.

I don’t think I’m going to throw my Acronis disk out the window, but I would carry this software package with me to clients and use it if they had nothing. I would also recommend it to people for basic home use (its target audience, which it would serve well).

With tools like Carbonite and MozyHome/Pro paired with a broadband connection, I don’t see a need for software like this. I personally rely on Carbonite and have not been disappointed in 8 months (I currently have 60 GB and counting in their cloud!). I also use Acronis (home edition) for PC images, if needed, which is overkill for average users.

If you have dial-up Internet and no budget for backup, I would use this software. If you have a decent pipe, I would spend 50 bucks per year for Carbonite or MozyHome – they are far less hassle to maintain (there are no backup “jobs” – it just works), and you don’t have to worry about offsite backup as a separate issue.

Thanks for caring GFI, but I will stick with Carbonite for now.