Tuesday, February 26, 2008

Group Policy Preference Client Side Extensions are now available for download!

Here we are - Group Policy Preference Client Side Extensions are now available for download. This is a cool thing, bringing lots of Group Policy power to admins around the world!

The GPP CSEs are included in Windows Server 2008 RTM, but can now be downloaded for:
Windows XP SP2+ (32/64 bit)
Windows Server 2003 SP1+ (32/64 bit)
Windows Vista RTM+ (32/64 bit)

These are the links:
GPP CSEs for Windows Vista (KB943729)
GPP CSEs for Windows Vista x64 Edition (KB943729)
GPP CSEs for Windows Server 2003 (KB943729)
GPP CSEs for Windows Server 2003 x64 Edition (KB943729)
GPP CSEs for Windows XP (KB943729)
GPP CSEs for Windows XP x64 Edition (KB943729)

To get Group Policy Preferences on your network all you need is a single Windows Server 2008 as a management station in your existing Windows Server 2003 AD (or 2008 AD of course). When RSAT (Remote Server Administration Tools) is out there - very soon! - a Windows Vista SP1 machine will be enough to get this cool functionality in your domain!

But remember, no GP Preferences (GPP) without the CSEs - so go ahead and download them now ;-)



Friday, February 22, 2008

BitUnlocker - exploiting RAM after poweroff?

This is shocking - if it's true (haven't tested yet)...

Check it out here and see the video below!

Get the full research paper here.


Hope this is not true - BitLocker (and other disk encryption tools) is still a good thing, but it has kinda lost some of its advantages...

Where can I buy RAM that drops its content ASAP after power off? ;-)



Wednesday, February 20, 2008

Group Policy Changes in WS2008 article - part 4


Just want to let you know that my latest article about "Group Policy related changes in Windows Server 2008" has been released today on www.windowsecurity.com.

This 4th article in the series deals with Group Policy Preference actions, processing options, SYSVOL, Item Level targeting (ILT), Export/Import functionality, "well hidden stuff", variables, logging, future additions etc. - read more here...


I hope you like it - feel free to drop a comment or vote on the site!!!




Friday, February 15, 2008

CEH | Certified Ethical Hacker

Today I went for the CEH v5 exam, EC-Council certification# 312-50, which I'd been studying for for a while. It had no fewer than 150 questions - and pretty tough ones too - but I managed to pass it (85%, which is OK considering US law was part of the Qs).

I can really recommend going for this exam - it's somethin' else, dude! The questions are short and exact (still multiple choice), but just the process of getting there is VERY cool and interesting. Personally I downloaded a lot of spooky tools and guides, created an isolated network with virtual machines and tested, tested, tested. It was fun, I can tell you - I can't seem to stop studying this stuff!

I also read 2 books on the journey:
- Michael Gregg: Certified Ethical Hacker Exam Prep (very good)
- Kimberly Graves: Official Certified Ethical Hacker Review Guide (very brief)

If you're a totally cool (and white) hacker dude already, you could probably go for the latter only (it will give you the overall idea of what this exam is all about, the CEH terminology etc). BUT the first one mentioned, by Michael Gregg, is a VERY good introduction (broad and deep) into the world of haxin' actually.

The whole idea with this exam is that to be a professional penetration tester or security consultant, you need the skills and tools of the hackers. Put yourself in their place and start looking for your (or your customers') weakest link! A security system is only as strong as its weakest link - which also means that security is a process (maintenance).


Security is, and always will be, a mixture of: Prevention + Detection + Response!



Wednesday, February 13, 2008

The WMI Filter Contest - are you the knight in shining armor?

Welcome to "The Quest for the Holy Desktop WMI Filter", a global search for what you could call "The Perfect Desktop WMI Filter": a WMI filter which, using the WMI Query Language (WQL), is able to spot DESKTOP computers only. It should be a general query - meaning it should be possible to use the filter in most Active Directory environments around the globe for Group Policy filtering.

So, what is a desktop really? Well, actually in this case we'll say it's the opposite of a laptop. Hmm, then what is a laptop? Easy enough: a computer with a battery! We've got the WMI filter for finding laptops already:

Select * from Win32_Battery - don't you just love the simplicity in this query?

This filter makes a computer with a battery respond back with "TRUE" (because the query returns at least one instance of the class), meaning a GPO with this filter will apply to computers with batteries. Simple, right? And you might think it's easy to just "turn it around" to find desktops, like:

Select * From Win32_Battery Where Availability != 2
Select * From Win32_Battery Where Availability IS NOT NULL
“Where Not X Like Y” or whatever

Maybe it is, maybe it's not... I think it's pretty damn hard! For spotting laptops we could have tested the classes Win32_PortableBattery, Win32_PCMCIAController and Win32_POTSModem as well - but somehow I think most people will agree that the "essential thing" which makes a laptop a laptop is in fact the presence of a battery!

But our tests for spotting DESKTOPS only (machines without a battery - yes, I know this will include servers, as they are "stationary" too) have not been a success yet! We probably just need the correct syntax? And this is where you come into the picture!


Are you able to crack this nut? There's a cool prize!

This all started on a mailing list for Group Policy guys and girls - called GPTalk - created and maintained by Group Policy guru and MVP Darren Mar-Elia - the guy behind GPOguy.com and SDM Software. You can join the list RIGHT HERE and participate in this contest to WIN a free copy of the:

GPExpert™ Troubleshooting Pak 

BUT you have to be the first person to crack this thing, there'll be only ONE WINNER - that could be you!

I'll be evaluating incoming answers - FIFO: "First In First Out" method is used. Hopefully we'll see the most simple solution first - simplicity works, right? Actually I wouldn't know in this case would I...

One important thing! We kindly ask you to TEST any WMI query submissions before sending them to everybody on the list. During your testing, you should use a tool to verify the WMI filter against a minimum of 2 desktops and 2 laptops. You can use the free WMI Filter Validation Tool to test your WMI filters in your environment. Personally I'm also using Scriptomatic version 2 and WBEMTEST for finding the available classes, properties, queries etc.

Please have a look at the "rules" further down!

Why do this? Well, because it's fun - and useful at the same time... Generally speaking, the purpose of this filter is to say: "I want these user settings to apply, but only when the user logs on to stationary machines". This can be used for a lot of security-related settings, e.g. in the case where automatically cached Offline Files/Folders are unwanted on stationary machines for certain users. The job of most WMI filters placed on User policies is to limit which machines the policy setting(s) should apply to (even though WMI filters could check for user-specific things too). Besides that it's a nice challenge: we can pretty easily "spot" laptops, as they have batteries and desktops don't, but that's not good enough for Mr. WQL, is it?!


Stuff we have tried - and the rules

We've been around solutions looking at Win32_SystemEnclosure > ChassisTypes before - which basically doesn't work in a WMI filter because that property is an array, and WQL cannot compare the elements of an array property in a WHERE clause (and yes, I've also seen lots of posts on forums out there claiming that particular class is the solution - but for WMI/WQL queries it's not). It would work in a script (because you can add additional logic to scripts), but we are searching for a WMI filter - not workarounds of any kind!

As mentioned, we tried the Win32_Battery WMI class. However, a desktop does know the class (it is defined in the CIM repository on every Windows box), it just has no instances of it, so any query against it - WHERE clause or not - returns an empty result set, and an empty result set means FALSE to the Group Policy engine. Basically a desktop computer is gonna say "Win32_Battery? Sure, I know it - it's empty" - or just "False"... Bummer!

We have also tried PowerSupplyState, Win32_DesktopMonitor, Win32_DisplayConfiguration, Win32_SystemSlot, Win32_Fan and other classes – just haven’t found the perfect “this is definitely a desktop WMI item value or class”…

We're basically looking for something like:

A) Select * from Win32_SomeClassOnlyDesktopsHave


B) Select * from Win32_SomeClass Where SomeItem = "SomeValueOnlyDesktopsHave"


C) Some way of saying “if you don’t know the class (eg. Win32_Battery), then apply the GPO anyway”

Again, the "quest" is to find the perfect, *universal* way of spotting "non-laptops" or desktops - it can of course be done by looking for some special computer Manufacturer/Model, BIOS version, specific hardware driver or whatever - but that stuff is most likely gonna be different from environment to environment. Also, if we all just used computer names like "DESKxxx" for desktops and "LAPTxxx" for laptops, we could have used WMI filters on the computer name - but unfortunately that's not the case - or at least I won't consider that a valid solution :)

The thing is, that normally it’s the LAPTOPS that have special hardware – like Batteries and built-in Modems, PCMCIA slots etc. – so they are pretty easy to find. With desktop computers it’s another story – hope you can help us out here!

Please, again, we know lots of "workarounds", but what we need is a *WMI filter*, and it has to return *TRUE* for *DESKTOPS* (or let's call them NON-LAPTOPS or NON-PORTABLES, it doesn't really matter).

Remember, simplicity works - maybe the answer/solution is pretty straight forward? Feel free to post any additional questions to the mailing list!


Another example of what has been tried

We could maybe try to go for presence of PCI (and not Mini-PCI) or AGP slots, as we expect most desktops to have PCI slots (and laptops to have Mini-PCI, but that would depend on the form factor) – or maybe AGP (but does onboard VGA count as AGP? Any PCI VGA cards left out there? Yeah, probably...). If not we could maybe go for something like this:

A) Select * From Win32_SystemSlot Where SlotDesignation Like "PCI%"
B) Select * From Win32_SystemSlot Where SlotDesignation = "AGP"

However, this is not accepted as a solution as we cannot say that all desktop computers have AGP slots. But - maybe you can convince us otherwise?
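To take the guesswork out of "TEST it on 2 desktops and 2 laptops", here is a small PowerShell harness (an added example, not part of the original post or of any of the tools mentioned above). It evaluates WQL queries the way the Group Policy engine evaluates a WMI filter - every query is run against the local box, default namespace root\CIMv2, and the filter is TRUE only when each query returns at least one instance - and runs the Win32_Battery and Win32_SystemSlot candidates from this post through it. It also shows the one thing a script can do that a filter cannot: look inside the ChassisTypes array of Win32_SystemEnclosure. The function name Test-GpoWmiFilter and the candidate labels are my own.

```powershell
# Added example (not from the original post): mimic how the Group Policy engine
# evaluates a WMI filter. Each query runs against the local machine; the filter
# is TRUE only if every query returns at least one instance. An empty result set
# is FALSE, which is why "Select * from Win32_Battery Where ..." can never be
# TRUE on a desktop: there are no Win32_Battery instances for the WHERE to see.
function Test-GpoWmiFilter {
    param(
        [Parameter(Mandatory = $true)][string[]]$Query,
        [string]$Namespace = 'root\CIMv2'   # default namespace of a GPMC WMI filter
    )
    foreach ($q in $Query) {
        try {
            $instances = @(Get-WmiObject -Namespace $Namespace -Query $q -ErrorAction Stop)
        } catch {
            # An invalid query (unknown class or property) yields no instances,
            # so the filter cannot come out TRUE either.
            Write-Warning "Query failed: $q -- $($_.Exception.Message)"
            return $false
        }
        if ($instances.Count -eq 0) { return $false }
    }
    return $true
}

# Candidate queries taken from the post. Run this on at least two desktops and
# two laptops: the first is TRUE on laptops only, the second is FALSE on every
# machine without a battery (nothing to filter), the third depends on how the
# BIOS names its slots.
$candidates = @(
    @{ Name = 'Battery present (laptop)';      Query = 'Select * from Win32_Battery' },
    @{ Name = 'Battery Availability != 2';      Query = 'Select * from Win32_Battery Where Availability != 2' },
    @{ Name = 'PCI slot designation';           Query = 'Select * from Win32_SystemSlot Where SlotDesignation Like "PCI%"' }
)
foreach ($c in $candidates) {
    '{0,-34} {1}' -f $c.Name, (Test-GpoWmiFilter -Query $c.Query)
}

# What a script can do that a WMI filter cannot: ChassisTypes is an array, and
# WQL cannot compare its elements, but PowerShell can. SMBIOS chassis values
# 8 (Portable), 9 (Laptop), 10 (Notebook) and 14 (Sub Notebook) mark portables;
# 3 (Desktop), 4 (Low Profile Desktop), 6 (Mini Tower), 7 (Tower) etc. are boxes.
$portableTypes = @(8, 9, 10, 14)
$chassis = @(Get-WmiObject -Class Win32_SystemEnclosure | ForEach-Object { $_.ChassisTypes })
$isPortable = @($chassis | Where-Object { $portableTypes -contains $_ }).Count -gt 0
'{0,-34} {1}' -f 'Portable by ChassisTypes (script only)', $isPortable
```

Two caveats when you read the output: a query that comes back FALSE on a desktop because it returned nothing is indistinguishable, to the GP engine, from one that failed outright, so "no error" in the harness does not mean the filter is universal. And Win32_ComputerSystem.PCSystemType (1 = Desktop, 2 = Mobile), which will tempt anyone running this on Vista, only exists on Windows Vista and later, so it does not satisfy the "works on XP and 2003 too" requirement of the quest.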


Other cool Group Policy information:

You'll find additional Group Policy information at these sites:

www.gpanswers.com - The home of Group Policy guru and MVP Jeremy Moskowitz, check out the community there too!
TechNet Group Policy Forum - A brand new Group Policy forum on Microsoft TechNet
The Group Policy Team - The home of the Microsoft Group Policy Team
Jakob H. Heidelberg blog - My own blog, mostly about Group Policy and Security
www.heidelbergit.dk - My website with blog RSS, certifications, LinkedIn info etc.


Hope to hear from you soon - O' Yee Knight of the Microsoft Group Policy Table!

Tuesday, February 12, 2008

A strange KB I would say - 240 days of Windows Server 2008 for nothing?

Sometimes you come upon a strange KB article - which makes you wonder why that information is public, or what the general purpose of the article is... I found this one today:

How to extend the Windows Server 2008 evaluation period


This is quoted from the article:


This article describes how to extend, or re-arm, the Windows Server 2008 evaluation period. The evaluation period is also known as the "activation grace" period. These instructions apply to any edition of Windows Server 2008. This includes evaluation copies.


Evaluating Windows Server 2008 software does not require product activation. Any edition of Windows Server 2008 may be installed without activation, and it may be evaluated for 60 days. Additionally, the 60-day evaluation period may be reset (re-armed) three times. This action extends the original 60-day evaluation period by up to 180 days for a total possible evaluation time of 240 days.
Note Although you can reset the 60-day evaluation period, you cannot extend it beyond 60 days at any time. When you reset the current 60-day evaluation period, you lose whatever time is left on the previous 60-day evaluation period. Therefore, to maximize the total evaluation time, wait until close to the end of the current 60-day evaluation period before you reset the evaluation period.


How to install Windows Server 2008 without activating it

1. Run the Windows Server 2008 Setup program.
2. When you are prompted to enter a product key for activation, do not enter a key. Click No when Setup asks you to confirm your selection.
3. You may be prompted to select the edition of Windows Server 2008 that you want to evaluate. Select the edition that you want to install.
Note After Windows Server 2008 is installed, the edition cannot be changed without reinstalling it.

4. When you are prompted, read the evaluation terms in the Microsoft Software License Terms, and then accept the terms.
5. When the Windows Server 2008 Setup program is finished, your initial 60-day evaluation period starts. To check the time that is left on your current evaluation period, run the Slmgr.vbs script that is in the System32 folder. Use the -dli switch to run this script. The slmgr.vbs -dli command displays the number of days that are left in the current 60-day evaluation period.

How to manually extend the evaluation period
When the initial 60-day evaluation period nears its end, you can run the Slmgr.vbs script to reset the evaluation period. To do this, follow these steps:

1. Click Start, and then click Command Prompt.
2. Type slmgr.vbs -dli, and then press ENTER to check the current status of your evaluation period.
3. To reset the evaluation period, type slmgr.vbs -rearm, and then press ENTER.
4. Restart the computer.

This resets the evaluation period to 60 days.

How to automate the extension of the evaluation period

You may want to set up a process that automatically resets the evaluation period every 60 days. One way to automate this process is by using the Task Scheduler. You can configure the Task Scheduler to run the Slmgr.vbs script and to restart the server at a particular time. To do this, follow these steps:

1. Click Start, point to Administrative Tools, and then click Task Scheduler.
2. Copy the following sample task to the server, and then save it as an .xml file. For example, you can save the file as Extend.xml.

<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<Author>Microsoft Corporation</Author>
<TimeTrigger id="18c4a453-d7aa-4647-916b-af0c3ea16a6b">
<Principal id="Author">
<Actions Context="Author">

3. In the sample task, change the value of the following “UserID” tag to contain your domain and your alias:


4. In the Task Scheduler, click Import Task on the Action menu.

5. Click the sample task .xml file. For example, click Extend.xml.

6. Click Import.

7. Click the Triggers tab.

8. Click the One Time trigger, and then click Edit.

9. Change the start date of the task to a date just before the end of your current evaluation period.

10. Click OK, and then exit the Task Scheduler.

The Task Scheduler will now run the evaluation reset operation on the date that you specified.



Sunday, February 10, 2008

Windows Vista vs. Windows XP patching

On January 24 MVP:Security Jesper Johansson posted a very good blog entry, "Do Vista Users Need Fewer Security Patches Than XP Users?", about Windows XP vs. Windows Vista security. This was in reply to the "One Year Vulnerability Report" by Jeff Jones (who is the Director of Security at Microsoft).

It's VERY interesting reading, showing how strong Vista is - oh, and Jesper takes that even further, comparing IE7 and Firefox patching. Cool stuff.





Saturday, February 09, 2008

WSUS 3.0 SP1 is out there!

The final version has been released:

Windows Server Update Services 3.0 SP1 - download here.


Windows Server Update Services 3.0 Service Pack 1 (WSUS 3.0 SP1) delivers important customer-requested management, stability, and performance improvements, while incorporating further enhancements to local publishing of drivers and the Client Servicing API addition.
WSUS 3.0 SP1 delivers new features that enable administrators to more easily manage and deploy updates across the organization. This package installs both the WSUS 3.0 Server and WSUS 3.0 Administration Console components, for all Windows Server 2003 SP1 supported languages. Additionally, the WSUS 3.0 SP1 client is included in all supported client platform languages. You must install the server components on a computer running Windows Server 2008 or Windows Server 2003 SP1 or later. You may install the Administration Console on a remote computer running Windows Server 2008, Windows Vista, Windows Server 2003 SP1, or Windows XP SP2.

Supported Operating Systems:
Windows Server 2003 Service Pack 1; Windows Server 2008
- Note: there's a special guide for SBS 2003 environments...

Additional information:

Release Notes for Windows Server Update Services 3.0 SP1

Microsoft Windows Server Update Services 3.0 SP1 Overview

Deploying Microsoft Windows Server Update Services 3.0 SP1

Step-by-Step Guide to Getting Started with Microsoft Windows Server Update Services 3.0 SP1

Microsoft Windows Server Update Services 3.0 SP1 Operations Guide

Installing Windows Server Update Services 3.0 on Windows Small Business Server 2003





Friday, February 08, 2008

Why a single AV engine is not enough!

This is just to prove my point - a single AV engine is not enough if you want to be secure.

I had this problem today at a customer - a user had received a link in her Messenger... And she clicked it and probably accepted to execute the thing => Pooof (all her MSN Messenger contacts were spammed with links to the worm)!

We tried to use some different online scanners - as the local AV engines (no names mentioned) didn't find anything - even after updating the signatures. The online scanners I tried first didn't show anything. So, this particular online scanner turned out to be VERY cool and effective:


I can recommend this scanning link whenever you have a suspicious file you want to scan: http://virusscan.jotti.org/

As you can see it uses several engines to determine if the file is infected or not - so nice, thanx!




Free online scanners

Just a quick list of online scanners - will try to update regularly - please post or send me an email if you have other great links!

General scanner (very cool):

File/Machine scanning:

Microsoft Malicious Software Removal Tool

GFI EndPointScan

Acunetix WVS (is your website hackable?)

Test email system



Wednesday, February 06, 2008

Windows Server 2008 RTM Administrative Template and Security settings reference spreadsheet available

The Microsoft Group Policy Team has released the very useful Excel spreadsheet describing Administrative Template and Security policy settings.

Check out the GP team blog here or download the XLS/XLSX spreadsheet right here!


Enjoy... ;-)




Using Group Policy to Secure and Manage UNIX, Linux and Mac Systems

This new webinar from www.centrify.com has just been announced - featuring my good pal Jeremy Moskowitz - it's gonna be awesome!

Check out the content and sign up for a great show - 100% guarantee:


Five Top Benefits of Using Windows Group Policy to Secure and Manage UNIX, Linux and Mac Systems

    Date:           February 21, 2008    
    Time:          2 p.m. Eastern US (11 a.m. Pacific)    
    Duration:     1 hour  

In this live webinar, Linux, UNIX and Mac admins will get a concise overview of how Group Policy works from Jeremy Moskowitz, author of authoritative works on both Windows Group Policy and Windows/Linux integration. Centrify's David McNeely will then explain the workings of the Group Policy engine that is seamlessly built into DirectControl and the unique benefits of using it for non-Windows policy enforcement. He'll also demonstrate using Windows Group Policy to lock down user and security settings on a Mac desktop system.

Register now (*CLICK HERE*) and we'll send you a free copy of our complimentary white paper on extending Windows Group Policy to Linux, UNIX and Mac.