
Category Archives: Security

Enable Windows PIN Sign-In

If a Windows 8.x/10 computer is joined to an Active Directory domain, the User Accounts “PIN sign-in” option is disabled (Not Configured) by default. You can enable it in either a domain or a local Group Policy Object (GPO). It can also be enabled on a single computer via a registry setting.

For Local Group Policy run [Win+R] gpedit.msc and under Local Computer Policy expand the tree to:
Computer Configuration\Administrative Templates\System\Logon
Change the Turn on convenience PIN sign-in setting to Enabled.
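The post does not name the registry value behind the GPO setting; the following added example (not part of the original post) uses the documented policy location that “Turn on convenience PIN sign-in” writes, AllowDomainPINLogon under HKLM\SOFTWARE\Policies\Microsoft\Windows\System, and reports the state the way the GPO editor does. Run it from an elevated prompt.

```powershell
# Added example: read and set the policy value that the
# "Turn on convenience PIN sign-in" setting writes. Key and value name are the
# documented policy location; the post itself does not name them.
$PinPolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$PinPolicyValue = 'AllowDomainPINLogon'

function Get-ConveniencePinState {
    # Returns NotConfigured / Enabled / Disabled, mirroring the GPO editor states.
    $item = Get-ItemProperty -Path $PinPolicyKey -Name $PinPolicyValue -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ($item.$PinPolicyValue -eq 1) { return 'Enabled' } else { return 'Disabled' }
}

function Set-ConveniencePinState {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Enabled', 'Disabled', 'NotConfigured')]
        [string]$State
    )
    if ($PSCmdlet.ShouldProcess("$PinPolicyKey\$PinPolicyValue", "set to $State")) {
        if ($State -eq 'NotConfigured') {
            # Removing the value returns the setting to "Not Configured".
            Remove-ItemProperty -Path $PinPolicyKey -Name $PinPolicyValue -ErrorAction SilentlyContinue
        } else {
            if (-not (Test-Path $PinPolicyKey)) { New-Item -Path $PinPolicyKey -Force | Out-Null }
            $data = if ($State -eq 'Enabled') { 1 } else { 0 }
            New-ItemProperty -Path $PinPolicyKey -Name $PinPolicyValue -PropertyType DWord -Value $data -Force | Out-Null
        }
    }
    Get-ConveniencePinState
}

# Usage: preview with -WhatIf, then apply. A domain GPO that configures the same
# setting will overwrite a local change at the next policy refresh.
Set-ConveniencePinState -State Enabled -WhatIf
Get-ConveniencePinState
```

Check the effective result afterwards with gpupdate and gpresult /r, since a domain GPO wins over the local setting.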

Create the Key Distribution Services KDS Root Key

Create the “KDS Root Key” for use with Managed Service Accounts (MSA) and Group Managed Service Accounts (gMSA). Use the Add-KdsRootKey PowerShell cmdlet to set up and initialize the KDS root key.

  1. On the Windows Server 2012 domain controller, run the Windows PowerShell from the Taskbar. (I normally run it as Administrator.)
  2. At the Windows PowerShell, type the following command, and then press ENTER:
    Add-KdsRootKey -EffectiveImmediately

The domain controllers will wait up to 10 hours from the time of creation to allow all domain controllers to converge their AD replication before allowing the creation of a gMSA. The 10 hours is a safety measure to prevent password generation from occurring before all DCs in the environment are capable of answering gMSA requests. If you try to use a gMSA too soon, the key might not have been replicated to all Windows Server 2012 DCs, and therefore password retrieval might fail when the gMSA host attempts to retrieve the password. gMSA password retrieval failures can also occur when using DCs with limited replication schedules or if there is a replication issue.

Even if there is only one DC you still have to wait the 10 hours. If you don’t want to wait, refer to the Microsoft TechNet article this information was taken from: https://technet.microsoft.com/en-us/library/jj128430.aspx
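The following added example (not from the post or the TechNet article) wraps the steps above: it creates the root key only if none exists, and then reports when each key becomes usable for gMSA creation, using the EffectiveTime the cmdlets return. The optional switch backdates the effective time by 10 hours, which is the lab-only shortcut the wait exists to prevent; it is only safe when every DC already holds the key, i.e. a single-DC test domain.

```powershell
# Added example: create the KDS root key if missing and show when gMSA creation
# becomes possible. Requires the ActiveDirectory module (DC or RSAT host).
Import-Module ActiveDirectory

function Initialize-KdsRootKey {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Lab/test-only: backdates EffectiveTime so the 10-hour replication wait is
        # skipped. Do not use in a multi-DC production forest.
        [switch]$SkipReplicationWait
    )
    $existing = Get-KdsRootKey
    if ($existing) {
        Write-Verbose "KDS root key(s) already present: $($existing.KeyId -join ', ')"
        return $existing
    }
    if ($PSCmdlet.ShouldProcess('KDS root key', 'create')) {
        if ($SkipReplicationWait) {
            Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10)) | Out-Null
        } else {
            Add-KdsRootKey -EffectiveImmediately | Out-Null
        }
        return Get-KdsRootKey
    }
}

function Get-GmsaReadyTime {
    # A key is usable 10 hours after its EffectiveTime; before that New-ADServiceAccount fails.
    foreach ($key in Get-KdsRootKey) {
        $usableFrom = $key.EffectiveTime.AddHours(10)
        [pscustomobject]@{
            KeyId         = $key.KeyId
            EffectiveTime = $key.EffectiveTime
            UsableFrom    = $usableFrom
            UsableNow     = (Get-Date) -ge $usableFrom
            KeyValid      = Test-KdsRootKey -KeyId $key.KeyId
        }
    }
}

Initialize-KdsRootKey -Verbose
Get-GmsaReadyTime | Format-Table -AutoSize
```

Test-KdsRootKey confirms the key can actually be read back on the DC you run it from; run Get-GmsaReadyTime on more than one DC to see that replication has delivered the key everywhere before creating the first gMSA.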

Firefox and weak ephemeral Diffie-Hellman key

You can work around the Firefox browser security warning “SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)” by referring to this Mozilla Q&A post:

https://support.mozilla.org/en-US/questions/1066238

The short version:

Workaround for Firefox 39 and above:

  1. In Firefox, enter “about:config” in the URL field and press Enter
  2. Accept the “This might void your warranty!” warning
  3. In the search field at the top, enter “security.ssl3.dhe_rsa_aes”
  4. Double-click each result (128 and 256) to toggle the Value to “false”

Now retry your site – it should work now. Remember to change these settings back when you’re done.
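Setting the two prefs to false removes the DHE_RSA cipher suites from the ones Firefox offers, so the server has to pick a suite without ephemeral DH and the weak parameter is never used; the real fix is on the server side (DH parameters of at least 2048 bits), and the workaround should be reverted once that is done. As an added example, not from the Mozilla post, the helper below writes the same two prefs as user.js overrides in a given profile directory, which makes the change and its reversal scriptable; the profile path is the only assumption.

```powershell
# Added example: manage the two DHE_RSA cipher-suite prefs via user.js instead of
# about:config. Firefox must be closed while the file is edited.
function Set-FirefoxDheCiphers {
    [CmdletBinding()]
    param(
        # Profile directory, e.g. "$env:APPDATA\Mozilla\Firefox\Profiles\xxxxxxxx.default"
        [Parameter(Mandatory)][string]$ProfilePath,
        # $false applies the workaround, $true restores the default (suites enabled)
        [Parameter(Mandatory)][bool]$Enabled
    )
    # Full names of the two results the about:config search returns
    $prefs   = 'security.ssl3.dhe_rsa_aes_128_sha', 'security.ssl3.dhe_rsa_aes_256_sha'
    $userJs  = Join-Path $ProfilePath 'user.js'
    $pattern = ($prefs | ForEach-Object { [regex]::Escape($_) }) -join '|'

    # Keep every existing user.js line except earlier copies of these two prefs
    $kept = @()
    if (Test-Path -LiteralPath $userJs) {
        $kept = @(Get-Content -LiteralPath $userJs | Where-Object { $_ -notmatch $pattern })
    }
    $new = $prefs | ForEach-Object { 'user_pref("{0}", {1});' -f $_, $Enabled.ToString().ToLower() }
    Set-Content -LiteralPath $userJs -Value ($kept + $new) -Encoding ASCII
    $new    # echo the lines written
}

# Apply the workaround, and later restore the defaults:
# Set-FirefoxDheCiphers -ProfilePath $profile -Enabled $false
# Set-FirefoxDheCiphers -ProfilePath $profile -Enabled $true
```

Because user.js is re-applied on every start, the restore call (or deleting the two lines) is required to get the DHE suites back; about:config alone will not override it.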

Microsoft NPS with Cisco Equipment Using RADIUS

See this article: Integrating Cisco devices CLI access with Microsoft NPS/RADIUS

Should be cheaper than Cisco’s ACS or ISE systems for small to medium organizations of 50-1000 users/computers.

Think about PCI DSS (3.0) when analyzing cost, risk, liability, and brand reputation.

CertMgr.exe Tool

The Microsoft CertMgr.exe tool is included in a few SDKs, such as the Windows SDK and the Driver SDK, and with Visual Studio. As of this writing it is a standalone executable and can simply be copied to other computers without requiring installation or other support files.

Cisco VPN on Windows 8

I have run across this issue when installing both the Cisco AnyConnect VPN client and the traditional Cisco VPN client. Once the client is installed and you attempt to establish the VPN connection you might get one of the following messages: “Unable to establish VPN” or “The VPN client driver encountered an error.”


The fix is to change the “DisplayName” value in the registry. Open the relevant registry key and remove the extra INF-reference text at the front of the “DisplayName” data, leaving only the plain adapter name. The different VPN clients use different registry keys:

HKLM\SYSTEM\CurrentControlSet\Services\vpnva\DisplayName

HKLM\SYSTEM\CurrentControlSet\Services\CVirtA\DisplayName

HKLM\SYSTEM\CurrentControlSet\Services\CVPND\DisplayName
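As an added example (not from the post), the helper below applies that edit to the three service keys listed above. It assumes the broken DisplayName has the form seen on affected systems, an INF reference such as “@oem8.inf,%vpnva_Desc%;” in front of the real name, and strips everything up to and including the first semicolon; keys for clients that are not installed are skipped, and -WhatIf previews the change.

```powershell
# Added example: strip the INF-reference prefix from the Cisco VPN services'
# DisplayName values. Run elevated; -WhatIf shows what would change.
$VpnServices = 'vpnva', 'CVirtA', 'CVPND'

function Repair-VpnServiceDisplayName {
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$ServiceName = $VpnServices)

    foreach ($name in $ServiceName) {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        if (-not (Test-Path $key)) { continue }   # that client is not installed

        $current = (Get-ItemProperty -Path $key -Name DisplayName -ErrorAction SilentlyContinue).DisplayName
        if (-not $current) { continue }

        # Assumed prefix form: "@<file>.inf,%<token>%;<real display name>"
        $fixed = $current -replace '^@[^;]*;', ''
        if ($fixed -eq $current) {
            [pscustomobject]@{ Service = $name; Changed = $false; DisplayName = $current }
            continue
        }
        if ($PSCmdlet.ShouldProcess("$key\DisplayName", "'$current' -> '$fixed'")) {
            Set-ItemProperty -Path $key -Name DisplayName -Value $fixed
        }
        [pscustomobject]@{ Service = $name; Changed = $true; DisplayName = $fixed }
    }
}

Repair-VpnServiceDisplayName -WhatIf
```

Reboot (or at least restart the client service) after the change so the driver picks up the corrected name.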

Cisco ASA pre-shared Key Recovery

Use this at the ASA’s Enable prompt to show the pre-shared VPN keys:

hostname(config)# more system:running-config
...
tunnel-group mytunnel type ipsec-ra
tunnel-group mytunnel general-attributes
 default-group-policy myGROUP
tunnel-group mytunnel ipsec-attributes
 pre-shared-key PASSWORD
...
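The security-relevant point of the command above is that, unlike show running-config, which masks pre-shared keys with asterisks, more system:running-config prints them in clear text, so any saved copy of that output is as sensitive as the keys themselves. The following added example (not from the post) redacts the usual secret-bearing lines from a saved ASA configuration before it is stored or shared; the sample lines are constructed for the example.

```powershell
# Added example: redact cleartext secrets from a saved ASA configuration dump.
function Get-RedactedAsaConfig {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string[]]$Line)
    begin {
        # Group 1 captures everything up to the secret; the secret token is replaced.
        $patterns = @(
            '^(\s*(?:ikev1 |ikev2 (?:local|remote)-authentication )?pre-shared-key\s+)\S+',
            '^(\s*enable password\s+)\S+',
            '^(\s*username\s+\S+\s+password\s+)\S+',
            '^(\s*key\s+)\S+'      # RADIUS/TACACS+ shared secret under "aaa-server ... host"
        )
    }
    process {
        foreach ($l in $Line) {
            foreach ($pat in $patterns) { $l = $l -replace $pat, '${1}<REDACTED>' }
            $l
        }
    }
}

# Constructed sample (not a real device configuration)
$sample = @'
tunnel-group mytunnel ipsec-attributes
 pre-shared-key PASSWORD
aaa-server RADIUS (inside) host 192.0.2.10
 key s3cret
username admin password notarealhash encrypted privilege 15
'@ -split "`r?`n"

$sample | Get-RedactedAsaConfig
```

Typical use is Get-Content backup.cfg | Get-RedactedAsaConfig | Set-Content backup-redacted.cfg; the unredacted copy belongs in the same protected store as the keys.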

Force user logoff after a period of inactivity – Windows XP/Server 2003

To log off the user after a certain period of inactivity, you can use the Winexit screensaver that comes with the Windows Server 2003 Resource Kit Tools (free). Download the Windows 2003 Resource Kit Tools from here. It contains the file Winexit.scr [Windows Exit Screen Saver]. Once installed, reboot the system.

  • Open C:\Program Files\Windows Resource Kits\Tools
  • Right-click winexit.scr and choose Install
  • The Display Properties dialog box appears with the Screen Saver tab active
  • The Logoff Screen Saver entry is automatically selected
  • Click Settings
  • Select the Force application termination check box to force programs to quit
  • In the Countdown for n seconds box, type the number of seconds to count down before the logoff
  • In the Logoff Message box, type the message that appears during the logoff countdown. Click OK.
  • In the Display Properties dialog box, click Preview.
  • You see the Auto Logoff dialog box. It displays the logoff message and the countdown timer.
  • Click Cancel. Click OK.

The Force application termination option forces programs to quit even if the programs contain unsaved data. If you do not use this option, programs that contain unsaved data do not quit and the user is not logged off.


VMware Networking Issues with Windows 7

If you need a Firewall between the physical host and its guest virtual machines, this workaround is not for you.

The problem is that on Windows 7 (x86/x64) the VMware virtual adapters and subnets are detected and reported as “Unidentified Network”. This means that the built-in Windows Firewall can only treat the VMware networks, and thus the guest VMs, as type Public.

When the network type is set to Public, the Windows Firewall by default blocks Microsoft File and Printer Sharing and most other network traffic, which effectively prevents useful direct communication between the physical host and its VM guests. You might, if allowed, disable the Firewall or configure exception rules for the VMware virtual subnets and/or hosts. Disabling the Firewall for all public networks is a bad security practice, and managing the Windows Firewall is a tedious task that still leaves potential security holes.

Below are the instructions from VMware Knowledge Base Article 1004813 that I used to change the VMware virtual network adapters into endpoints. Endpoints do not show up in the “Network and Sharing Center” and are also excluded from control of the Windows Firewall. This makes it easier to manage the Firewall rules and the Home, Work, and Public network types for the real, physical adapters.

This workaround can be used until VMware updates their networking technology to meet current operating system standards.

# VMware KB Article: 1004813
# Updated: Apr 29, 2010

Redefine the VMware virtual NICs as endpoint devices

This procedure is permanent and allows for the continued use of Bridged, NAT, and Host Only networking. However, doing this causes the VMware virtual NICs to disappear from the Network and Sharing Center, even though they remain visible under Network Connections. This also causes the VMware virtual NICs to be exempt from all Windows Firewall access rules. When implemented, the control of virtual machine network access must be done from the guest operating system of each virtual machine. This bypasses the default security model of Windows Vista with respect to the VMware virtual NICs, and the implications of using this procedure must be carefully considered.

To redefine the VMware virtual NICs as endpoint devices:

  1. Click Start > Run.
  2. Type regedit and click OK.
  3. Double-click HKEY_LOCAL_MACHINE>System>CurrentControlSet>Control>Class>{4D36E972-E325-11CE-BFC1-08002BE10318}.
    Caution: VMware recommends that you back up this registry key before proceeding:
    1. If {4D36E972-E325-11CE-BFC1-08002BE10318} is not still highlighted, click it.
    2. Click File > Export.
    3. Pick a location and name for the Registration File (*.reg).
    4. Click Save.
  4. Click 0000.
  5. Look at the content of the Data field associated with the DriverDesc entry.
  6. If you see VMware Virtual Ethernet Adapter for VMnetx , where x is replaced by a number, then:
    1. Right-click an empty space in the right content pane.
    2. Click New > Dword.
    3. Type *NdisDeviceType and press Enter.
      Note: Be sure to include the asterisk (*) at the beginning of the entry.
    4. Double-click *NdisDeviceType.
    5. Type 1 and press Enter.
  7. Repeat steps 4-6, replacing 0000 in step 4 with the next entry in numerical order, until you have reached the end of all numerical entries.
  8. Follow the Disable the VMware virtual NICs section of this article above.
  9. Repeat step 8 but click Enable this network device instead.
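The following added example (my script, not VMware’s) performs steps 3 through 7 of the procedure: it exports the network-class key as the backup the article asks for, walks the numbered subkeys, and sets *NdisDeviceType to 1 only where DriverDesc identifies a VMware virtual adapter. Disabling and re-enabling the adapters (steps 8 and 9) remains a separate step in Network Connections.

```powershell
# Added example: back up the network adapter class key, then mark each
# "VMware Virtual Ethernet Adapter for VMnetx" entry as an endpoint device.
# Run elevated; -WhatIf previews the registry writes.
$NetClassKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}'

function Backup-NetClassKey {
    param([string]$Path = "$env:TEMP\netclass-$(Get-Date -Format yyyyMMdd-HHmmss).reg")
    # reg.exe expects the HKLM\... form rather than the PowerShell HKLM:\ drive form
    reg.exe export ($NetClassKey -replace '^HKLM:\\', 'HKLM\') $Path /y | Out-Null
    return $Path
}

function Set-VmwareNicAsEndpoint {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($sub in Get-ChildItem -LiteralPath $NetClassKey -ErrorAction SilentlyContinue) {
        if ($sub.PSChildName -notmatch '^\d{4}$') { continue }   # only 0000, 0001, ...
        $props = Get-ItemProperty -LiteralPath $sub.PSPath -ErrorAction SilentlyContinue
        $desc  = $props.DriverDesc
        if ($desc -notlike 'VMware Virtual Ethernet Adapter for VMnet*') { continue }

        if ($props.'*NdisDeviceType' -eq 1) {
            [pscustomobject]@{ Entry = $sub.PSChildName; Adapter = $desc; Changed = $false }
            continue
        }
        if ($PSCmdlet.ShouldProcess("$($sub.PSChildName) ($desc)", 'set *NdisDeviceType = 1')) {
            New-ItemProperty -LiteralPath $sub.PSPath -Name '*NdisDeviceType' -PropertyType DWord -Value 1 -Force | Out-Null
        }
        [pscustomobject]@{ Entry = $sub.PSChildName; Adapter = $desc; Changed = $true }
    }
}

$backup = Backup-NetClassKey
Write-Host "Registry backup written to $backup"
Set-VmwareNicAsEndpoint -WhatIf
```

The backup file can be re-imported with reg.exe import if the adapters need to go back under Windows Firewall control.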

Find EFS Files and Folders

You can use the command-line program “cipher.exe” to find all the encrypted files and folders on a drive, or under a directory path. This will search and display all the encrypted files in the current folder and all subfolders:

F:\>cipher /u /n

Encrypted File(s) on your system:

F:\Users\blah\Documents\XYZ Review form - confidential.xlsx

F:\>
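Note that /u on its own would also try to update the file encryption key and recovery agent on every encrypted file it finds; /n suppresses that and only lists. As an added example (not from the post), the same search can be done from PowerShell by testing the Encrypted file attribute, which returns objects (path, owner, folder flag) instead of text and so can be filtered or exported; the path is the only input.

```powershell
# Added example: list EFS-encrypted files and folders under a path, equivalent to
# "cipher /u /n" but returning objects.
function Find-EfsItem {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted } |
        ForEach-Object {
            [pscustomobject]@{
                FullName  = $_.FullName
                IsFolder  = $_.PSIsContainer      # encrypted folders encrypt new files placed in them
                Owner     = (Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue).Owner
                LastWrite = $_.LastWriteTime
            }
        }
}

# Usage, e.g. before decommissioning a drive or auditing who still has EFS data:
Find-EfsItem -Path 'F:\Users' | Format-Table -AutoSize
```

Pipe the result to Export-Csv to keep an inventory; files whose owner no longer has a usable EFS certificate are the ones that need a recovery agent.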

Unlocking Windows NT/2000/2003 Domain Controllers

Petter Nordahl-Hagen has written a Windows NT/2000 offline password editor. I have been using various versions of this disk for several years and have had very good results with it. Thank you, Petter!

However, the program only resets the password for the MACHINE Administrator account, not the DOMAIN Administrator account. And wouldn’t you know it, on a Windows 2000 server which is an Active Directory controller, you CANNOT log into any machine-level account. Which means that resetting the MACHINE Administrator password is pretty much useless.

Or so it would seem. It turns out that “Directory Service Recovery Mode” uses the MACHINE-level accounts, since the whole point of this mode is that the AD control databases may be corrupted and you need a way to manually edit them (presumably using some high-priced third-party software package…)

I was able to reset the password on the DOMAIN Administrator account using the following procedure:

Again: If you are trying to fix a server, please READ THIS ENTIRE PAGE and MAKE SURE YOU UNDERSTAND IT before touching the server.

NOTE: If you are following these directions to try and “break into” a corporate domain which has one or more working Active Directory controllers, but YOU don’t have Administrator access to the domain, you’re wasting your time. The procedure detailed below will only work if you have physical access to a domain controller. It will also forcibly reset the AD Administrator password, which means that if you are somehow able to do this to a domain controller, the existing Administrator password will no longer work and the rightful administrators will know something is going on… and if they trace it back to you and fire you, or even better put you in jail, then you have gotten what you deserve.

  • Use Petter’s disk to reset the MACHINE Administrator password to “no password”.

NOTE: If you are following these directions to work on a machine which is not a domain controller, STOP RIGHT HERE. You now have access to the machine by rebooting and logging in as the machine’s Administrator account (with no password.) Everything below this message is specific to domain controllers.

NOTE: If you are following these directions to work on a machine which is running Windows XP, STOP RIGHT HERE. The machine IS NOT A DOMAIN CONTROLLER. Go back and re-read the note right above this one.

NOTE: If you are following these directions to work on a machine which is running Windows 2003, STOP RIGHT HERE and follow these directions instead.

  • Reboot, hit F8, and enter “Directory Service Recovery Mode”. The machine will boot up as a standalone server without any Active Directory support.
  • When the login screen appears, hit CTRL-ALT-DEL and log in as “Administrator” with no password. This is the MACHINE Administrator account, and does not have the ability to modify anything specific involving the Active Directory information, although it can backup and restore the physical files which contain the AD databases.
  • Run “regedit”. Navigate to HKEY_USERS\.Default\Control Panel\Desktop and change the following values:
    Value              Original        Change to
    SCRNSAVE.EXE       logon.scr       cmd.exe
    ScreenSaveTimeout  900             15
    ScreenSaveActive   May be 0 or 1   1

  • Reboot normally. When the box appears asking you to hit CTRL-ALT-DEL to log in, just wait. After 15-30 seconds you will see a command prompt appear (since that is the screensaver.)
  • I have received an email from somebody which simplifies the process… I can’t verify this myself (because I don’t use Windows) but the method makes sense. Apparently, once you get the command prompt you can type this one command to reset the password:

    C:\WINNT\system32> NET USER ADMINISTRATOR newpassword

    Once you enter this command, you should be able to exit from the command prompt, hit CTRL-ALT-DELETE, and log into the domain Administrator account using the new password. Again, without a Windows server I have no way to verify that this does or does not work, so I would appreciate any feedback from people who have tried this and can tell me that it does or does not work with their particular version of Windows.

  • In the command prompt, type the following command:

    C:\WINNT\system32> MMC DSA.MSC

    This should bring up the management console where you can edit users’ passwords, including the password for the Administrator account. If you type this command and it doesn’t work, wait 30 seconds and try it again. This happened to me, it sounded like it was still in the process of loading drivers into memory in the background…

    If this doesn’t work after waiting the 30 seconds… realize that THIS IS A COMMAND PROMPT WITH FULL DOMAIN ADMINISTRATOR RIGHTS, and you’re running a command (“MMC.EXE”) with another filename (“DSA.MSC”) as an argument. If it “just plain doesn’t work”, maybe you need to locate these two files and type them in as full path names. Maybe something like “C:\WINNT\SYSTEM32\MMC.EXE C:\WINNT\SYSTEM32\DSA.MSC”.

    If you know absolutely nothing about how to use a command line, then reboot into DSR Mode, log in as Administrator, and use the graphical “Find Files” thingy to find the files, and write down their locations. Then try it again (reboot and wait for the command line, etc.)
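The procedure works because whatever SCRNSAVE.EXE names under HKEY_USERS\.DEFAULT runs on the logon desktop with SYSTEM rights before anyone signs in, which makes those three values worth monitoring on any domain controller. The following added example (mine, not from the quoted article) is the defender’s check: it flags a logon screensaver that is not a .scr file, that cannot be found, that fails Authenticode verification, or that has an unusually short timeout. It is written for current PowerShell-capable systems; the System32 lookup for unqualified names is an assumption.

```powershell
# Added example (defensive check): audit the logon desktop's screensaver settings.
function Test-LogonScreenSaver {
    $key     = 'Registry::HKEY_USERS\.DEFAULT\Control Panel\Desktop'
    $p       = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $exe     = $p.'SCRNSAVE.EXE'
    $timeout = [int]$p.ScreenSaveTimeout
    $reasons = @()

    if ($exe) {
        # Assumption: an unqualified name is looked up in System32
        $resolved = if ([IO.Path]::IsPathRooted($exe)) { $exe } else { Join-Path $env:SystemRoot "System32\$exe" }
        if ([IO.Path]::GetExtension($exe) -ne '.scr') {
            $reasons += "screensaver is not a .scr file: $exe"
        } elseif (-not (Test-Path -LiteralPath $resolved)) {
            $reasons += "screensaver file not found: $resolved"
        } elseif ((Get-AuthenticodeSignature -FilePath $resolved).Status -ne 'Valid') {
            $reasons += "screensaver is unsigned or modified: $resolved"
        }
    }
    if ($timeout -gt 0 -and $timeout -lt 60) { $reasons += "unusually short timeout: ${timeout}s" }

    [pscustomobject]@{
        ScreenSaver      = $exe
        ScreenSaveActive = $p.ScreenSaveActive
        TimeoutSeconds   = $timeout
        Suspicious       = ($reasons.Count -gt 0)
        Reasons          = ($reasons -join '; ')
    }
}

Test-LogonScreenSaver
```

Run it as a scheduled task on domain controllers and alert on Suspicious = True; pair it with registry auditing on that key so the change itself is logged, not only the result.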

Disable Driver Signing in Windows 7

I have not tried this in Win7x64, but in Win7 32-bit (x86) it works to disable the signed driver requirements in Windows 7.

bcdedit.exe -set loadoptions DDISABLE_INTEGRITY_CHECKS
bcdedit.exe -set TESTSIGNING ON

Please note that changing Driver Sign may be a security risk. I in no way endorse or recommend that this should be used by anyone who does not understand the risks involved.
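A machine left in this state accepts any kernel driver, so it is worth being able to tell quickly whether the two settings above are in effect. The following added example (not from the post) parses bcdedit’s output for the current boot entry and reports whether test signing or integrity checks are off; bcdedit needs an elevated prompt, and the option names are the ones bcdedit prints in its English output.

```powershell
# Added example (defensive check): report the driver-signing state of the
# current boot entry from bcdedit output.
function Get-BootIntegrityState {
    $text = (bcdedit.exe /enum '{current}' 2>$null) -join "`n"
    if (-not $text) { throw 'bcdedit returned nothing; run from an elevated prompt' }

    $testSigning = $text -match '(?m)^testsigning\s+Yes'
    $noIntegrity = $text -match '(?m)^nointegritychecks\s+Yes'
    $loadOptions = if ($text -match '(?m)^loadoptions\s+(.+)$') { $Matches[1].Trim() } else { '' }
    # DDISABLE_INTEGRITY_CHECKS in loadoptions has the same effect as nointegritychecks
    $integrityOff = $noIntegrity -or ($loadOptions -match 'DISABLE_INTEGRITY_CHECKS')

    [pscustomobject]@{
        TestSigning           = $testSigning
        IntegrityChecksOff    = $integrityOff
        LoadOptions           = $loadOptions
        DriverSigningEnforced = -not ($testSigning -or $integrityOff)
    }
}

Get-BootIntegrityState
```

To put enforcement back, the two changes are reversed with bcdedit.exe -set TESTSIGNING OFF and bcdedit.exe -deletevalue loadoptions, followed by a reboot; the “Test Mode” watermark on the desktop is the visible sign that test signing is still on.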

Cisco ASA 5505 blocking Internet Radio

regueiro writes:
I have blocked Internet radio that uses port 80.
You should inspect the port, and you can add these commands:

regex audio-mpeg "audio/.*"

policy-map type inspect http test_radio
 parameters
  protocol-violation action drop-connection log
 match response header content-type regex audio-mpeg
  drop-connection log
 match request header user-agent regex _default_windows-media-player-tunnel
  drop-connection log

class global-class-test
 inspect http test_radio

To help you, use a sniffer, capture radio traffic and look at the HTTP headers.
It is easy to block streaming from Media Player, but for the others I check the response header, and when I see audio/* (where * can be mpeg, x-mpeg, mpeg3, and/or x-mpeg3 …) I close the connection.

Sorry for my bad English.

VBScript to Verify Digitally Signed File

MSDN article

The following sample VBScript code will verify a signed file:

' Verify the Authenticode signature on a file using the Windows Script Host
' Scripting.Signer object. VerifyFile returns True only when the signature is
' valid and chains to a trusted publisher. ShowUI = True lets Windows display
' its security dialog where needed; use False for unattended checks.
Dim Signer, File, ShowUI, FileOK
Set Signer = CreateObject("Scripting.Signer")
File = "c:\newfile.wsf"
ShowUI = True
FileOK = Signer.VerifyFile(File, ShowUI)
If FileOK Then
    WScript.Echo File & " is trusted."
Else
    WScript.Echo File & " is NOT trusted."
End If
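As an added example (not from the MSDN article), the PowerShell counterpart uses Get-AuthenticodeSignature, which also distinguishes why a file is not trusted (NotSigned, HashMismatch, an untrusted chain) and exposes the signer certificate; the optional thumbprint pins the expected signer, so a file signed by some other valid certificate is still rejected. The file path and thumbprint are inputs you supply.

```powershell
# Added example: verify a file's Authenticode signature and optionally pin the signer.
function Test-SignedFile {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$ExpectedThumbprint      # optional: SHA-1 thumbprint of the expected signing cert
    )
    $sig     = Get-AuthenticodeSignature -FilePath $Path
    $trusted = $sig.Status -eq 'Valid'   # valid signature AND chain to a trusted root
    if ($trusted -and $ExpectedThumbprint) {
        $trusted = $sig.SignerCertificate.Thumbprint -eq $ExpectedThumbprint
    }
    [pscustomobject]@{
        File       = $Path
        Status     = $sig.Status         # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer     = $sig.SignerCertificate.Subject
        Thumbprint = $sig.SignerCertificate.Thumbprint
        Trusted    = $trusted
    }
}

# Same file as the VBScript sample above
Test-SignedFile -Path 'c:\newfile.wsf'
```

HashMismatch is the status to watch for: it means the file was signed and later altered, which is a different finding from a file that was simply never signed.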