heidelbergit

RegistryProfileCleanup - cleartext

2011-10-14T08:45:00.003+02:00

Several people have asked me for the VBS code to my "Efficient Registry Cleanup" script, since the link went down. I'm not using any time on this blog these days, so this is just a quick & dirty fix:

http://dl.dropbox.com/u/11617172/RegistryProfileCleanup.txt

Also the "Get User Profile Dirs From Registry" script is here:

http://dl.dropbox.com/u/11617172/GetUserProfileDirsFromRegistry.txt

Cya!
Jakob

P.S. The article is still here: http://www.windowsecurity.com/articles/efficient-registry-cleanup.html

InstallGPPCSE - cleartext

2011-10-14T08:41:00.000+02:00

Several people have asked me for the VBS code to my GPP CSE Install script since the link went down. I'm not using any time on this blog these days, so this is just a quick & dirty fix:

http://dl.dropbox.com/u/11617172/InstallGPPCSE.txt

Cya!
Jakob

FlexCommand - cleartext

2011-06-24T20:38:00.001+02:00

Several people have asked me for the HTA code to my FlexCommand tool since the link went down. I'm not using any time on this blog these days, so this is just a quick & dirty fix:

http://dl.dropbox.com/u/11617172/FLEXCOMMAND.txt

Cya!

Jakob

Unique passwords on local user accounts using VBS and Group Policy

2009-05-24T10:25:00.022+02:00

The purpose of the script (SetLocalPassword.v2.txt - just rename to "SetLocalPassword.vbs") is, to ensure assignment of unique and complex password to a specific local user account (typically the local administrator account) on a Windows client in an Active Directory (AD) domain environment.

The script can be used, if you (for one reason or another) want a specified local user account (e.g. administrator) to be active, but you still want to ensure, that the password used is unique for each computer, that the password is changed regularly (a given period of time) and that you are able to logon using the password at any time. Usually I would recommend customers to just deactivate the local administrator account, or set the password using Group Policy Preferences (preferably different passwords on different security areas), but if these solutions aren’t usable in the environment, “ChangeLocalPassword.vbs” could be the right solution.

The intention is to execute the script as a "Startup Script” within a Group Policy Object (GPO), which is aimed at the relevant computer accounts in AD (as you probably know GPO’s can be filtered by AD security groups, WMI filters, Organizational Units (OU), domain and/or site). This way we ensure that the script is executed in ”SYSTEM" context, in which we can pretty much do anything on the local computer(s). Furthermore, SYSTEM can access network resources on behalf of the computer, as long as the resource in question (a file share in this case) allows “Domain Computers”, the specific AD computer account og “Authenticated Users” to gain access.

It is crucial that the group ”Authenticated Users” is NOT given access to the network share – in that case all users within the domain will be able to read which passwords are used on all computers hit by the GPO. Share permissions (could be a hidden share$) can of course be set to Everyone Full Control, but NTFS must be set to allow only members of the group "Domain Computers" to read and write - domain administrators, and other relevant groups (e.g. helpdesk, supporters, backup account etc.) should also have read access. If you have a Distributed File System (DFS) up and running it could be used as the network share.

This illustrates the scripts cycle:

1. The SYSTEM account is used by the computer during the boot process
2. DNS and AD is contacted, and Group Policies are processed (machine policies)
3. The GPO with the Startup Script is loaded
4. The VBS script is executed (also in SYSTEM context)
5. All activity is logged to a local log file (strLocalLog)
6. Some preliminary checks are performed, this includes last modification of strLocalStamp and network access (strNetShare)
7. A password (strNewPassword) is generated from 4 different criteras (intPasswordLength, intWantNumber, intWantLcase and intWantUcase)
8. The username and password (clear text) is logged in a central log file (strnetFile)
9. The chosen local user account (strLocalUser) is assigned the newly generated password (only if 8 was completed without any errors)
10. A local timestamp file is created or modified if 9 was successfully completed

Some important notes...

First and foremost one must ensure, that the script file the GPO is pointing to cannot be modified by others than the relevant administrators. If a user gets write access to that file, he or she can do anything (locally) on all machines executing the code. This is of course true for any GPO Startup Script used.

Another important thing to note is, that if your users have local admin rights (I hope not), they will be able to “hack” the solution in a couple of ways. First of all they will of course be able to reset passwords for all local user accounts, but if they are a bit clever, they will also be able to take over the SYSTEM account (hint: AT command or PSEXEC) and access the network share we are using – and thus read or modify the log files with all the clear text passwords. But who in the world would allow users to be local administrators in the fist place, right?

A Startup Script will time out if the script takes too long to execute, but we should not have such a problem with this script (normally executed in less than a second). Startup Scripts react differently depending on whether the “Always wait for the network at computer startup and logo” setting is set or not - the script should work in both cases though.

Let’s take a look at the customizable variables.

intDays = 60
- default: 60 days between password change

strNetShare = "\\SERVER\SHARE\"
- define as a share with the correct NTFS permissions set
- is could be a hidden share, perhaps on a DFS
- remember a trailing backslash (\) or the script will fail!

strLocalLog = "C:\admpwd.log"
- placement of the local log file of all activity (except for the password itself)

strLocalStamp = "C:\admpwd.stp"
- placement of the file used as a timestamp

strLocalUser = "test-user"
- name the user account to control (e.g. "administrator")

intPasswordLength = 12
- the number of characters the password should have (exactly)
- must be at least the same as the domains minimum password length

intWantNumbers = 1
- set whether or not the password should contain numbers (complexity requirement)

intWantLcase = 1
- set whether or not the password should contain lowercase letters (complexity requirement)

intWantUcase = 1
- set whether or not the password should contain UPPERCASE letters (complexity requirement)

An example of the strLocalLog (default "c:\admpwd.log") local log file:

2009-05-22 13:20:26 [STARTED]
2009-05-22 13:20:26 [VARIABLES - A]
2009-05-22 13:20:26 - intDays : 1
2009-05-22 13:20:26 - strNetShare : '\\SERVER\SHARE\'
2009-05-22 13:20:26 - strLocalLog : 'C:\admpwd.log'
2009-05-22 13:20:26 - strLocalStamp : 'C:\admpwd.stp'
2009-05-22 13:20:26 - strLocalUser : 'test-user'
2009-05-22 13:20:26 - strComputer : 'COMPUTER1'
2009-05-22 13:20:26 - strNetFile : '\\SERVER\SHARE\COMPUTER1.log'
2009-05-22 13:20:26 STATUS - No local stamp file, probably first run
2009-05-22 13:20:26 SUCCESS - ALIVE:\\SERVER\SHARE\
2009-05-22 13:20:26 [VARIABLES - B]
2009-05-22 13:20:26 - intPasswordLength: 12
2009-05-22 13:20:26 - intWantNumbers : 1
2009-05-22 13:20:26 - intWantLcase : 1
2009-05-22 13:20:26 - intWantUcase : 1
2009-05-22 13:20:26 SUCCESS - PWD SET for: 'test-user'
2009-05-22 13:20:26 SUCCESS - PWD written to: '\\SERVER\SHARE\COMPUTER1.log'
2009-05-22 13:20:26 SUCCESS - TIME written to: 'C:\admpwd.stp'
2009-05-22 13:20:26 [COMPLETED]

2009-05-22 13:27:45 [STARTED]
2009-05-22 13:27:45 [VARIABLES - A]
2009-05-22 13:27:45 - intDays : 1
2009-05-22 13:27:45 - strNetShare : '\\SERVER\SHARE\'
2009-05-22 13:27:45 - strLocalLog : 'C:\admpwd.log'
2009-05-22 13:27:45 - strLocalStamp : 'C:\admpwd.stp'
2009-05-22 13:27:45 - strLocalUser : 'test-user'
2009-05-22 13:27:45 - strComputer : 'COMPUTER1'
2009-05-22 13:27:45 - strNetFile : '\\SERVER\SHARE\COMPUTER1.log'
2009-05-22 13:27:45 STATUS - STAMP last modified: 22-05-2009 13:20:26
2009-05-22 13:27:45 STATUS - STAMP younger than: 1 days!
2009-05-22 13:27:45 [COMPLETED]

An example of the strNetFile (named [computername].log) network log file:

2009-05-20 13:20:26 test-user : 'W57Ja6c5Xcus'
2009-05-22 08:10:39 test-user : 'sdEc7s9Gbba8'

Final note:

The code could most definitely be more optimized (and prettier), but it works like a charm (and pretty fast too) on Windows 2000, Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008 and Windows 7.

I hope it will turn out to be useful to someone out there - enjoy!

.

Get email address of all users from all mails in an Outlook Folder

2009-01-09T10:52:00.005+01:00

Hi,
Ever had the need to extract all email adresses from a folder in Outlook?

Let's say you want to make a reply to a lot of people who are not in your addressbook (contacts), but who have sent you an email which you have archived in a specific folder (or from your Sent items).

I archive my emails all the time using one folder pr. "case", "customer" etc. - and sometimes it's ery useful to be able to write to everyone who had to do with the specific case. This is when it get's a bit frustrating - you have to find a way to get all the email-adresses, and only once!

This is how to do it the easy way:
1. In Outlook press ALT+F11 (opens Microsoft Visual Basic console)
2. Open "ThisOutlookSession" from the Project tree (left menubar)
3. Paste the code below into the project (right window)
4. Press F5 to Run the code (execute)
5. Select the folder you want to use and hit OK (might take some time to complete)
6. Press ALT+G and then copy the email-addresses from the "immediate" window (debug window)

Oh, and remember to use the BCC field if they shouldn't see eachothers email addresses (in the case you want to send an email to all of them).

CODE:
Sub GetEmailAddressesInFolder()
Dim objFolder As MAPIFolder
Dim strEmail As String
Dim strEmails As String
Dim objItem As Object

Set objFolder = Application.GetNamespace("Mapi").PickFolder

For Each objItem In objFolder.Items
If objItem.Class = olMail Then
strEmail = objItem.SenderEmailAddress
If InStr(strEmails, strEmail) = 0 Then strEmails = strEmails + strEmail + ";"
End If
Next
Debug.Print strEmails
End Sub

The above code is tested on Microsoft Outlook 2007, but should work on older Office systems too.

Original source here - I just had to modify the code a bit.

Bye for now!
.

Software Restriction in Windows 7

2008-11-05T12:21:00.001+01:00

These are some quick notes from a session on AppLocker by Paul A. Cooke, Tech-Ed EMEA 2008:

As you may have seen, I’ve written a few articles on Software Restriction Policy (SRP) under Windows XP and Windows Vista for www.windowsecurity.com (see below). I’m very happy to tell you, that Microsoft now improved this functionality and renamed it into: AppLocker!

Unfortunately I cannot bring you any screenshots (because of NDA), but I can tell you a few things about the basic functionality. With AppLocker you can more easily eliminate unwanted and unknown applications in your Windows (7) environment. You can enforce application standardization – both from a security (malware), and from a management point of view (licensing & user control).

What most organizations try to do these days, it to limit users to be standard users (non-administrators) on their local machines – however this is actually not enough to feel secure as an IT administrator. Running as standard user is not the solution to all of our problems. Many applications can do bad stuff, even within user context – like stealing data, deleting data, manipulating data, encrypting data, creating bot-nets, send spam, social engineering etc. etc. This is true for applications that install in user context (like Google Chrome), or regular executables that don’t actually install – they just run!

If you want to control applications like that, what can run and what cannot – then you need another approach. AppLocker comes to the rescue!

AppLocker has been build around digital signatures – signing of software executables and DLLs. This was also an option in SRP under Windows XP, were we had path, filename, HASH & certificate rule, but it was pretty hard to manage and enforce back then. With Windows 7, a new GUI has been added to the group policy editor to support easy creation of software rules. We have 3 types of rules:
- Allow rules: same as Whitelisting (‘known good’ software)
- Deny rules: same as Blacklisting (‘known bad’ software)
- Exceptions: exclusion from allow or deny rules

Allow rules are of course the recommended approach – the “default deny all applications” rule (Whitelisting), but with specific applications the network administrators wants to allow users to run. As an administrator, you get granular control of specific applications, enforcing who can run and/or install them (if they have the appropriate rights and permissions).

The administration is done by group policy under Computer Configuration > Application Control Policies, but strangely enough you have to put in affected users and groups (still unclear whether or not the SYSTEM account is still excluded from SRP checks). So this is actually Computer policies that are able to hit users, like loopback or group policy preferences.

You can create multiple rule sets and take advantage of specific attributes, like app version (equal/above/below X.0.0.0), filename (executable name), product publisher (the valid root certificate used to sign), product suite (like “Microsoft Office 2007”) – and wildcards seems to be supported still.

You can control executables, installers (MSI), scripts, and DLLs, using certificates (publisher), HASH or path rules. The disadvantage of using HASH rules is, that the HASH will change if the application is updated, certificate/publisher rules are much more flexible because the signature is still going to be there (unless the developers totally mess up). So always try to go for publisher rules, certificates are here to stay :)

Can be run in 3 modes: Enforce policy, Enforce Policy using Group Policy Inheritance and Audit Only mode! The latter is pretty cool, as you can configure a Software Restriction Policy, and test it out before you go “live”.

AppLocker supports import and export of rules, which can be very useful, but one of the best new features is, that there’s no need to create all the rules manually – you have the option to “automatically generate rule”, this feature will analyze a “reference machine” (not sure if this has to be the local machine yet) and files in a given folder on that machine (not sure if this can be a share yet). You can compare this to a “snapshot” feature, take all files in this folder (and subfolders), and make an allow rule from that (certificate based preferably).

The new rule creation tools and wizards seem pretty straight forward – but you really need to think about the SRP design before you go for it, and test intensively, or else you’ll end up in serious trouble ;-)

I just can’t wait to test this deeply and bring you more information!

Previous article series on SRP:
Default Deny All Applications (Part 1)
Default Deny All Applications (Part 2)

Microsoft AppLocker description:
http://www.microsoft.com

User Account Control in Windows 7

2008-11-05T11:07:00.001+01:00

These are some quick notes from a session on UAC by Paul A. Cooke, Tech-Ed EMEA 2008:

Microsoft Windows 7 will reduce the number of OS applications and tasks, that require elevation – this has been done by re-factoring apps and tasks into elevated and non-elevated pieces.

UAC v2 will provide a more flexible prompt behavior for administrators, also administrators will see less UAC elevation prompts.

Users can do even more as standard user (eg. parts of Bitlocker, Windows Update etc.), they will also be able to ‘read’ system settings without needing to elevate.

Windows 7 will be better spotting human vs. application changes, this way “human administrator” changes will be allowed without too many prompts.

UAC can now easily be graduated into 4 levels (from the strict Vista default to totally off) - everything can of course be handled using group policy.

To me this is all pretty cool – but to be honest, I’m one of those weird guys, who don’t care about Vista UAC prompts… I just press ALT+C… How hard can it be? ;-)

I just love sharing!

2008-10-20T10:01:00.002+02:00

Just found this - using Google Alerts of course :)

I made little modifications on this script created by Jakob Heidelberg to search for printers manually created on user profiles. This is very usefull when you wanna ensure that eveybody has only auto created printers, from Citrix or ThinPrint.

This script load ntuser.dat on each profile, check some registry keys, write a log and unload ntuser.dat. Some users can have problems to load their profiles if you use this script on the same time that they try logon.

http://www.robertoalves.com/?p=58

I just love sharing!

Why does standby overrule shutdown?

2008-10-12T17:48:00.001+02:00

Well, I’m a Microsoft kinda guy – but I do have a problem with one “feature” which has been part of the Windows OS for some time…

Normally I change the default behavior under Power Setting, so that Windows does NOT start a STANDBY process when I close the lid of my laptops – but I haven’t done it on all of my machines, and under every user profile I have (and customers have the same issue).

So, what happens is, that you are done for the day, and then you start a SHUTDOWN process like normally, and then you close the laptops lid – a STANDBY process then starts – Doh!

That means, the SHUTDOWN process is put into STANDBY mode, and the next time you boot your laptop, the machine state resumes, just to finalize the SHUTDOWN process… And then you have to boot you machine to get started – hmmm, I definitely don’t like it!

So what should happen? Well, when a SHUTDOWN process had started, a STANDBY process should NOT be able to “take over” – just let me close the laptop lid and continue the already started SHUTDOWN process, thanx :)

OK, I admit that it’s only a problem when I haven’t changed the default Power Settings, but I can’t be the only human being in this world with that particular problem!?!? Why would you EVER want a SHUTDOWN process to be put into STANDBY mode?

BTW – I have seen, that Mac and Ubuntu people have the same issue on some version – don’t know if it has been fixed on those OS – I have the problem on all the different Windows systems I run on laptops.

Microsoft: IT-experts.dk online forum er nu opdateret

2008-10-02T13:05:00.000+02:00

Citat:

Microsoft Danmark tror meget på lokale danske it netværk. Vi vil gerne hjælpe danske it professionelle med at knytte professionelle forbindelser og have et forum for tekniske spørgsmål og svar, hvor ikke-Microsoft ansatte bidrager med deres perspektiver.

IT-experts.dk er et gratis online forum for danske IT professionelle. Sitet har haft stor succes med en åben stil, hvor alle medlemmer kan stille tekniske spørgsmål og dele sin viden med andre. Efter en nylig opdatering af sitet er der kommet rigtig mange nye features til, såsom RSS feeds i utallige afskygninger, blogs, OpenID og meget andet. Hvis du ikke allerede er oprettet som bruger på den nye platform, så gør det nu og her: http://it-experts.dk/medlem.

De typiske brugere er professionelle IT konsulenter, specialister, administratorer, supportere og arkitekter indenfor messaging, sikkerhed, infrastruktur, virtualisering, terminal services og lignende. Der er en overvejende hovedvægt på Microsoft platformen, men der er bestemt også plads til fokus på andre områder indenfor IT verdenen.

Bag IT-experts.dk står en række dygtige danske IT konsulenter, MVP’ere og Microsoft Technet Influenters, som yder en stor indsats for at holde sitet kørende, besvare spørgsmål, blogge, skrive artikler og lignende, alt på frivillig basis.

Vi ønsker IT-experts.dk tillykke med den nye platform og vil hermed opfordre til at deltage i det største danske Microsoft community for IT professionelle: www.it-experts.dk.

Kilde: http://blogs.technet.com/dkitpro

Windows SteadyState 2.5 is out there!

2008-07-06T16:45:00.001+02:00

This is great news - I've been writing a few articles on this baby, but now we have a brand new version available for download!!!

Go ahead and read some more:

Protect Public Computers with Windows SteadyState, Part 1

Protect Public Computers with Windows SteadyState, Part 2

Windows SteadyState 2.5 Technical FAQ

Windows SteadyState 2.5 Handbook

Download Windows SteadyState 2.5 right here!

Enjoy!

Great Vista hack... Somebody call Mr. Bitlocker!

2008-05-27T07:02:00.007+02:00

We've seen hacks like this before, no doubt about it - but it's a really nice trick which you gotta love (and hate) - check it out here!

So, basically this hack requires PHYSICAL ACCESS to the harddrive, using BackTrack (or some other boot utility capable of reading/writing NTFS) the file Utilman.Exe in \Windows\System32 is replaced with Cmd.exe - after a reboot, at the logon screen, if Utilman is called (by hitting Win-key + U) you'll get a nice command prompt running under SYSTEM credentials - pretty powerfull... From there the only limit is your imagination!

Yes, Bitlocker protects us from attacks like these - so somebody please call Mr. Bitlocker!

.

Group Policy Survival Guide

2008-04-29T09:13:00.001+02:00

Yes, it's true - there's a new GP guide out there from Microsoft...

Check it out here - it's pretty cool!

No place like 127.0.0.1

2008-04-22T14:47:00.001+02:00

So, I'm back home from a great trip to Seattle, Washington, US. The MVP Summit 2008 was a cool experience with lots of info and room for dialog with the product teams at the Microsoft Campus in Redmond.

We had some awesome talks on the future of Group Policy and I would really like to share it with you, but because of Non-Disclosure Agreements 'n' stuff I can't really say anything - yet.

Seattle is a very interesting city with a lot of great restaurants, nice architecture and friendly people. I had 2½ day to spend after the summit and even though I was missing my family Seattle took great care of me :)

Anyway, I hope to go back there next year - better prepared for jetlag (which basically means I'll travel a few days before the event next time) - but, that all depends on how much time I get to share information with you guys/girls out there... No sharing, no MVP award - that's the rule ya' know ;-)

Thanx to the GP team and the other MVPs for a great experience!

Protect Public Computers with Windows SteadyState (Part 2)

2008-04-10T23:43:00.001+02:00

This is my 2nd article that deals with the Windows SteadyState product and how use it to protect public computers!

If you haven't read part 1, please read it here...

Enjoy!

StarterGPOs available for download

2008-04-09T09:02:00.001+02:00

Microsoft introduced the concept of StarterGPOs with GPMC version 2.0 in Vista SP1 + RSAT and Windows Server 2008. The idea is that it should be easy to share Group Policy settings, read more here!

The GREAT thing is that Microsoft has now released some StarterGPO samples - go download the first shipment here!

Security White Papers & Guides for download

2008-04-05T09:34:00.001+02:00

This post gives you some links to online available White Papers and Guides from the Microsoft download site - I hope you can use some of it to analyze and protect your own network(s)!

New Security White Paper of April 2008:

"The Microsoft US National Security Team is composed of strategic security advisors who work with Microsoft customers, partners, MS internal constituencies and the information security industry to promote the adoption of security processes and technologies. The NST also focuses on driving vertical security solutions for a wide range of industries. To this end, the NST has produced a number of white papers that address the specific security needs of particular industries, such as the professional services and financial services industries."

You will find these papers:

- Electronic Signature Assurance and the Digital Chain-of-Evidence
- Enabling Secure Collaboration for Professional Services Firms
- Establishing the Foundation of Authenticity for Electronically Stored Information
- Information Protection Strategies For Financial Services
- Optimizing Branch Office Security and Productivity in the Financial Services Sector
- Secure Software Development for the Financial Services Industry
- Securing the Retail Store-Securing the Data

Go get them here!

Also, go check out the "Fundamental Computer Investigation Guide for Windows":

"The Fundamental Computer Investigation Guide for Windows Solution Accelerator is intended for IT professionals who need to effectively conduct investigations of Microsoft® Windows®–based computers in their organizations. It provides a computer investigation model as well as process and best practice information. The guide also provides a fictitious example of an investigation that involves unauthorized access to confidential information. This investigation uses the provided guidance and demonstrates the use of numerous tools. Information is also included about how to configure a lab to create the example scenario. An appendix provides information about how to prepare for computer investigations, sample worksheets, contact information for reporting different types of computer-related crimes to appropriate law enforcement agencies, and lists of useful tools."

Go get that document right here!

And finally, what about checking out the "The Security Risk Management Guide"?:

"The Security Risk Management Guide explains how to conduct each phase of a security risk management project and create an ongoing process that drives the organization towards the most useful and cost-effective controls to mitigate security risks. It incorporates real-world experiences from Microsoft IT and also includes input from Microsoft customers and partners.
This guide references many industry accepted standards for managing security risks. It is an important example of Microsoft's commitment to delivering quality guidance to help customers secure their IT infrastructures."

That document is available right here!

Enjoy...

MVP:Enterprise Security

2008-04-01T19:25:00.001+02:00

Yup, a wish came through - I'm now an MVP!

Receiving the Microsoft Most Valuable Professional Award is a great honor and much appreciated - thank you.

Sharing Rocks - Information wants to be free!

Time to get a beer :-)

Core with a GUI

2008-04-01T00:03:00.000+02:00

If you have messed around in Windows Server 2008 Core installation you've probably had some challenges along the way - like: how do I join a computer to the domain using a command prompt, how can I add Features, tweak the firewall etc. Well, a nice and very useful solution to many of the basic configuration tasks is out there - and it's free of course!

Go check out CoreConfigurator (Server Core Configurator) written by Guy Teverovsky - look how easy it is and stop acting like a geek sent back to the early 90s :-)

Download here and enjoy!

Remote Server Administration Tools Available!

2008-03-25T22:51:00.001+01:00

You can now download the RSAT toolkit for Windows Vista - go get the package right HERE (32-bit) or HERE (64-bit)...

Time to get Group Policy Preferences and all those other goodies up and running - cool stuff!

What's inside Vista Service Pack 1

2008-03-20T08:49:00.001+01:00

Well - in regards to Hotfixes and Security Updates, check out this TechNet article. To get the complete overview, read this one. The "notable changes" can be found here.

That should be enough info to get safely through Eastern :-)

Configuring Granular Password Settings in Windows Server 2008 – The Easy Way!

2008-03-19T22:48:00.001+01:00

This article will demonstrate “The Easy Way” of how to handle Granular Password Policies – also known as Fine-Grained Password Policies - in a Windows Server 2008 domain environment.

In the article series “Configuring Granular Password Settings” (part 1 & part 2) I demonstrated how to configure Granular Password Settings for individual users or global security groups in a Windows Server 2008 Active Directory environment, using built-in methods. This article will demonstrate “The Easy Way” of how to handle these additional password policies in your Windows Server 2008 domain environment... Using Specops Password Policy Basic!

Enjoy!

Easily leave users with the Least Privilege possible

2008-03-18T08:34:00.001+01:00

A new and shiny - free! - tool from BeyondTrust makes it possible for admins around the world to figure out exactly what rights different applications in the environment need to run. This kind of info is essential for removing administrative rights from users and running a "principle of least privilege" environment!

BeyondTrust® Application Rights Auditor is a totally FREE tool which profiles applications and seamlessly identifies the required permissions - very easy to implement, use and manage.

We all know, that administrative rights allow users to circumvent security policies, install unauthorized applications and make unauthorized modifications to a standard desktop configuration - let's move away from those risks... Just register, download and test out this free application - this is "low hanging fruit" giving your environment a needed security-vitamin injection!

Download the Product Sheet (PDF) right here!

A desktop component can be installed on multiple computers to transparently examine applications during execution. The reporting console gives a nice overview of applications the environment from a central point.

Reporting Console Prerequisites:
Microsoft .NET Framework 3.0 SP 1 and
Microsoft Management Console 3.0

Go for it !

Windows Server 2008 Security Guide and the new GPOAccelerator tool is out there!

2008-03-01T09:21:00.001+01:00

I participated in creation of this great guide around security on Windows Server 2008 - really, you gotta see this... Also check out the new and shiny Solution Accelerator called "GPOAccelerator" - it really rocks!

Info from Microsoft:
The primary purposes of this guide are to enable you to do the following:

Use the solution guidance to efficiently create and apply tested security baseline configurations using Group Policy.
Understand the reasoning for the security setting recommendations in the baseline configurations that the guide prescribes, and their implications.
Identify and consider common security scenarios, and then use specific security features in Windows Server 2008 to help you manage them in your environment.
Understand role based security for different workloads in Windows Server 2008.

Hardening:
The WS2008 Security Guide also includes information on how to harden the following server roles and the role services that they provide:

Active Directory Domain Services (AD DS)
Dynamic Host Configuration Protocol (DHCP) Server
Domain Name System (DNS) Server
Web Server (IIS)
File Services
Print Services
Active Directory Certificate Services (AD CS)
Network Policy and Access Services
Terminal Services

The "complete solution" from Microsoft:
The Solution Accelerator for the Windows Server 2008 Security Guide includes the following components:

Executive Overview. A summary for business and technical managers that briefly explains how you can use the guidance and the tool for this Solution Accelerator.
Security Guide. Recommended guidelines and best practices in a series of chapters that offer detailed guidance on how to harden servers running Windows Server 2008 that handle different workloads (see above).
Security Settings Recommendation Appendix. A comprehensive technical reference that explains every prescribed security setting in the security guide.
Security Settings Workbook. A resource that lists all prescribed settings for each of the preconfigured security baselines provided by the guide.
Attack Surface Reference Workbook. A resource that lists the changes that installed server roles introduce in Windows Server 2008.
GPOAccelerator. A tool that you can use to automatically create Group Policy objects (GPOs) recommended by the guide, which is available as a separate download. To learn more about the GPOAccelerator and download the tool, click here.

Where can I get this?
Windows Server 2008 Security Guide (online version)
Get the Windows Server 2008 Security Guide
Get the GPOAccelerator

Enjoy!

How to install GPP CSEs using a Startup Script

2008-03-01T01:34:00.001+01:00

When you have the Group Policy Preference (GPP) Client Side Extensions (CSE) downloaded you'll notice that they are not (yet) in the .MSI format - so using Group Policy Software Installation (GPSI) is not possible. Bummer, right!?
We have .EXE files for Windows XP/2003 and .MSU files for Windows Vista... But that's not the only thing we need to think about. Before "deploying" these things to the clients on the network we need to know the OS version (XP/2003/Vista), the OS architecture (32 or 64 bit), the Service Pack Level, and whether or not the Group Policy Preference Pre-requisites (WmlLite - http://support.microsoft.com/kb/914783/en-us) are installed.
To make all this pretty easy I've created a "demo" script for deploying the GPP CSEs using Startup Script - or a manual launch (in admin context). My good friend Jeremy Moskowitz asked me to do this - so, a couple of hours later the "demo" - or "beta" - script is public (download below)...
Note: I haven't been able to test in all scenarios yet, but I *think* they are all covered pretty well by now. Please report back if you find any problems - any feedback is welcome!
Download the VBS script right here!
NB! You might need other language version for the XmlLite GPP CSE Pre-requisites, so watch out!
Running the script in your production network is on your own risk. The code is delivered "As Is" - totally free of any charge. No strings attached.

I hope this works out nicely for you!
.

Group Policy Preference Client Side Extensions are now available for download!

2008-02-26T18:58:00.001+01:00

Here we are - Group Policy Preference Client Side Extensions are now available for download. This is a cool thing bringing lot's of Group Policy Power to admins around the world!

The GPP CSEs are included in Windows Server 2008 RTM, but can now be downloaded for:
Windows XP SP2+ (32/64 bit)
Windows Server 2003 SP1+ (32/64 bit)
Windows Vista RTM+ (32/64 bit)

These are the links:
GPP CSEs for Windows Vista (KB943729)
GPP CSEs for Windows Vista x64 Edition (KB943729)
GPP CSEs for Windows Server 2003 (KB943729)
GPP CSEs for Windows Server 2003 x64 Edition (KB943729)
GPP CSEs for Windows XP (KB943729)
GPP CSEs for Windows XP x64 Edition (KB943729)

To get Group Policy Preferences on your network all you need is a single Windows Server 2008 as a management station in you existing Windows Server 2003 AD (or 2008 AD of course). When RSAT (Remote Server Administration Tools) is out there - very soon! - a Windows Vista SP1 will be enough to get this cool functionality in your domain!

But remember, no GP Preferences (GPP) without the CSEs - so go ahead and download them now ;-)

BitUnlocker - exploiting RAM after poweroff?

2008-02-22T09:48:00.001+01:00

This is shocking - if it's true (haven't tested yet)...

Check it out here and see the video below!

get the Full research paper here.

Hope this is not true - BitLocker (and other disk encryption tools) is still a good thing, but it has kinda lost some of its advantages...

Where can I buy RAM that drops its content ASAP after power off? ;-)

Group Policy Changes in WS2008 article - part 4

2008-02-20T17:04:00.001+01:00

Hi,

Just want to let you know that my latest article about "Group Policy related changes in Windows Server 2008" has been released today on www.windowsecurity.com.

This 4th article in the series deals with Group Policy Preference actions, processing options, SYSVOL, Item Level targeting (ILT), Export/Import functionality, "well hidden stuff", variables, logging, future additions etc. - read more here...

I hope you like it - feel free to drop a comment or vote on the site!!!

/Jakob

CEH | Certified Ethical Hacker

2008-02-15T16:39:00.001+01:00

Today I went for the CEH v5 exam, EC-Council certification# 312-50, I'd been studying for it for a while. It had no less than 150 questions - and pretty tough ones too - but I managed to pass it (85% which is OK considering US law was part of the Qs).

I can really recommend you to go for this exam - it's somethin' else dude! The questions are short and exact (still multiple choice), but just the process of going there is VERY cool and interesting. Personally I downloaded a lot of spooky tools and guides, created an isolated network with virtual machines and tested, tested, tested. It was fun I can tell you - I can't seem to stop studying this stuff!

I also read 2 books on the journey:
- Michael Gregg: Certified Ethical Hacker Exam Prep (very good)
- Kimberly Graves: Official Certified Ethical Hacker Review Guide (very brief)

If you're a totally cool (and white) hacker dude already, you could probably go for the latter only (it will give you the overall idea of what this exam is all about, the CEH terminology etc). BUT the first one mentioned, by Michael Gregg, is a VERY good introduction (broad and deep) into the world of haxin' actually.

The whole idea with this exam is, that to be a professional penetration tester or security consultant, you need the skills and tools of the hackers. Put yourself in their place and start looking for your (or your customers) weakest link! A security system is only as strong as its weakest link - that also means, that security is a process (maintenance).

Security is, and always will be, a mixture of: Prevention + Detection + Response!

The WMI Filter Contest - are you the knight in shining armor?

2008-02-13T13:27:00.001+01:00

Welcome to "The Quest for the Holy Desktop WMI Filter”, this is a global search for what you could call "The Perfect Desktop WMI Filter". A WMI filter which, by using WMI Query Language (WQL), should be able to spot DESKTOP computers only. It should be a general query - meaning it should be possible to use the filter in most Active Directory environments around the globe for Group Policy filtering.

So, what is a desktop really? Well, actually in this case we'll say it's the opposite of a laptop. Hmm, then what is a laptop? Easy enough: a computer with a battery! We've got the WMI filter for finding laptops already:

Select * from Win32_Battery - don't you just love the simplicity in this query?

This filter will make a computer with a battery respond back with "TRUE" (because the WMI class instance is present), meaning a GPO with this filter will apply to computers with batteries. Simple right? And you might think it's easy to just "turn it around" to find desktops, like:

Select * From Win32_Battery Where Availability != 2
or
Select * From Win32_Battery Where Availability IS NOT NULL
or
“Where Not X Like Y” or whatever

Maybe it is, maybe it's not... I think it's pretty damn hard! For spotting laptops we could have tested the classes Win32_PortableBattery, Win32_PCMCIAController, Win32_POTSModem as well - but somehow I think most people will agree, that the "essential ting", which makes a laptop a laptop, is in fact the battery presence!

But, our tests for spotting DESKTOPS only (machines without a battery - yes, I know this will include servers as they a "stationary" too) have not been a success yet! We probably just need the correct syntax? And this is where you get into the picture!

Are you able to crack open this nut? There's a cool price!

This all started on a mailing list for Group Policy guys and girls - called GPTalk - created and maintained by Group Policy guru and MVP Darren Mar-Elia - the guy behind GPOguy.com and SDM Software. You can join the list RIGHT HERE and participate in this contest to WIN a free copy of the:

GPExpert™ Troubleshooting Pak

BUT you have to be the first person to crack this thing, there'll be only ONE WINNER - that could be you!

I'll be evaluating incoming answers - FIFO: "First In First Out" method is used. Hopefully we'll see the most simple solution first - simplicity works, right? Actually I wouldn't know in this case would I...

One important thing! We will ask you kindly to TEST any WMI query submissions before sending them to everybody on the list. During your testing, you should use a tool to verify the WMI filter against a minimum of 2 desktops and 2 laptops. You can use the free WMI Filter Validation Tool to test you WMI filters in your environment. Personally I’m also using Scriptomatic version 2 and WBEMTEST for finding the available classes, items, queries etc.

Please have a look at the "rules" further down!

Why do this? Well, because it's fun - and useful at the same time... When looking at it generally, the purpose of this filter is to say: "I want these user settings to apply, but only when the user logs on to stationary machines". This can be used for a lot of security related setting, eg. in the case where Automatically cached Offline Files/Folders are unwanted on stationary machines for certain users etc. The job of most WMI filters placed on User policies is to limit which machines the policy setting(s) should apply to (even though WMI filters could check for user specific things too). Besides from that it's a nice challenge, we can pretty easily "spot" laptops, as they have batteries – and desktops don’t, but that’s not good enough for Mr. WQL, is it?!

Stuff we have tried - and the rules

We’ve been around solutions looking for Win32_SystemEnclosure > ChassisType before - which basically doesn’t work in a WMI filter because that’s an Array (and yes, I've also seen lots of posts on forums out there claiming that particular class is the solution – but for WMI/WQL queries it’s not). If would work in a script (because you can add additional logic to scripts), but we are searching for a WMI Filter - not workarounds of any kind!

As mentioned we tried with the Win32_Battery WMI class. However, as desktops don’t know this class at all, they'll return FALSE no matter what. Basically a desktop computer is gonna say “Heck, I don’t know anything about that class *Panic* I’m out!” – or just “False”... Bummer!

We have also tried PowerSupplyState, Win32_DesktopMonitor, Win32_DisplayConfiguration, Win32_SystemSlot, Win32_Fan and other classes – just haven’t found the perfect “this is definitely a desktop WMI item value or class”…

We're basically looking for something like:

A) Select * from Win32_SomeClassOnlyDesktopsHave

B )Select * from Win32_SomeClass.SomeItem = “SomeValueOnlyDesktopsHave”

C) Some way of saying “if you don’t know the class (eg. Win32_Battery), then apply the GPO anyway”

Again, the “quest” is to find the perfect, *universal*, way of spotting “Non-laptops” or Desktops – it can of course be done by looking for some special computer Manufacturer/Model, BIOS version, specific hardware driver or whatever – but that stuff it most likely gonna be different from environment to environment. Also, if we all just used computer names like “DESKxxx” for desktops and “LAPTxxx” for laptops, we could have used WMI filters for computer name – but unfortunately that’s not the case - or at least I won't consider that a valid solution :)

The thing is, that normally it’s the LAPTOPS that have special hardware – like Batteries and built-in Modems, PCMCIA slots etc. – so they are pretty easy to find. With desktop computers it’s another story – hope you can help us out here!

Please, again, we know lot’s of “workarounds”, but what we need is a *WMI filter* and it has to return *TRUE* for *DESKTOPS* (or let’s call the NON-LAPTOPS or NON-PORTABLES, it doesn’t really matter).

Remember, simplicity works - maybe the answer/solution is pretty straight forward? Feel free to post any additional questions to the mailing list!

Another example of what has been tried

We could maybe try to go for presence of PCI (and not Mini-PCI) or AGP slots, as we expect most desktops to have PCI slots (and laptops to have Mini-PCI, but that would depend on the form factor) – or maybe AGP (but does onboard VGA count as AGP? Any PCI VGA cards left out there? Yeah, probably...). If not we could maybe go for something like this:

A) Select * From Win32_SystemSlot Where SlotDesignation = “PCI%”
Or
B) Select * From Win32_SystemSlot Where SlotDesignation = “AGP”

However, this is not accepted as a solution as we cannot say that all desktop computers have AGP slots. But - maybe you can convince us otherwise?

Other cool Group Policy information:

You'll find additional Group Policy information at these sites:

www.gpanswers.com - The home of Group Policy guru and MVP Jeremy Moskowitz, check out the community there too!
TechNet Group Policy Forum - A brand new Group Policy forum on Microsoft TechNet
The Group Policy Team - The home of the Microsoft Group Policy Team
Jakob H. Heidelberg blog - My own blog, mostly about Group Policy and Security
www.heidelbergit.dk - My website with blog RSS, certifications, LinkedIn info etc.

Hope to hear from you soon - O' Yee Knight of the Microsoft Group Policy Table!

A strange KB I would say - 240 days of Windows Server 2008 for nothing?

2008-02-12T10:46:00.001+01:00

Sometimes you come upon a strange KB article - which makes you wonder why that information is public or what's the general purpose of the article is... I found this one today:

How to extend the Windows Server 2008 evaluation period
http://support.microsoft.com/kb/948472

This is quoted from the article:

SUMMARY

This article describes how to extend, or re-arm, the Windows Server 2008 evaluation period. The evaluation period is also known as the "activation grace" period. These instructions apply to any edition of Windows Server 2008. This includes evaluation copies.

INTRODUCTION

Evaluating Windows Server 2008 software does not require product activation. Any edition of Windows Server 2008 may be installed without activation, and it may be evaluated for 60 days. Additionally, the 60-day evaluation period may be reset (re-armed) three times. This action extends the original 60-day evaluation period by up to 180 days for a total possible evaluation time of 240 days.
Note Although you can reset the 60-day evaluation period, you cannot extend it beyond 60 days at any time. When you reset the current 60-day evaluation period, you lose whatever time is left on the previous 60-day evaluation period. Therefore, to maximize the total evaluation time, wait until close to the end of the current 60-day evaluation period before you reset the evaluation period.

MORE INFORMATION

How to install Windows Server 2008 without activating it

1. Run the Windows Server 2008 Setup program.
2. When you are prompted to enter a product key for activation, do not enter a key. Click No when Setup asks you to confirm your selection.
3. You may be prompted to select the edition of Windows Server 2008 that you want to evaluate. Select the edition that you want to install.
Note After Windows Server 2008 is installed, the edition cannot be changed without reinstalling it.

4. When you are prompted, read the evaluation terms in the Microsoft Software License Terms, and then accept the terms.
5. When the Windows Server 2008 Setup program is finished, your initial 60-day evaluation period starts. To check the time that is left on your current evaluation period, run the Slmgr.vbs script that is in the System32 folder. Use the -dli switch to run this script. The slmgr.vbs -dli command displays the number of days that are left in the current 60-day evaluation period.

How to manually extend the evaluation period

When the initial 60-day evaluation period nears its end, you can run the Slmgr.vbs script to reset the evaluation period. To do this, follow these steps:

1. Click Start, and then click Command Prompt.
2. Type slmgr.vbs -dli, and then press ENTER to check the current status of your evaluation period.
3. To reset the evaluation period, type slmgr.vbs –rearm, and then press ENTER.
4. Restart the computer.

This resets the evaluation period to 60 days.

How to automate the extension of the evaluation period

You may want to set up a process that automatically resets the evaluation period every 60 days. One way to automate this process is by using the Task Scheduler. You can configure the Task Scheduler to run the Slmgr.vbs script and to restart the server at a particular time. To do this, follow these steps:

1. Click Start, point to Administrative Tools, and then click Task Scheduler.
2. Copy the following sample task to the server, and then save it as an .xml file. For example, you can save the file as Extend.xml.

<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2007-09-17T14:26:04.433</Date>
    <Author>Microsoft Corporation</Author>
  </RegistrationInfo>
  <Triggers>
    <TimeTrigger id="18c4a453-d7aa-4647-916b-af0c3ea16a6b">
      <Repetition>
        <Interval>P59D</Interval>
        <StopAtDurationEnd>false</StopAtDurationEnd>
      </Repetition>
      <StartBoundary>2007-10-05T02:23:24</StartBoundary>
      <EndBoundary>2008-09-17T14:23:24.777</EndBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>domain\alias</UserId>
      <LogonType>Password</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <IdleSettings>
      <Duration>PT10M</Duration>
      <WaitTimeout>PT1H</WaitTimeout>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>false</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>true</WakeToRun>
    <ExecutionTimeLimit>P3D</ExecutionTimeLimit>
    <DeleteExpiredTaskAfter>PT0S</DeleteExpiredTaskAfter>
    <Priority>7</Priority>
    <RestartOnFailure>
      <Interval>PT1M</Interval>
      <Count>3</Count>
    </RestartOnFailure>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\slmgr.vbs</Command>
      <Arguments>-rearm</Arguments>
    </Exec>
    <Exec>
      <Command>C:\Windows\System32\shutdown.exe</Command>
      <Arguments>/r</Arguments>
    </Exec>
  </Actions>
</Task>

3. In the sample task, change the value of the following “UserID” tag to contain your domain and your alias:

<UserId>domain\alias</UserId>

4. In the Task Scheduler, click Import Task on the Action menu.

5. Click the sample task .xml file. For example, click Extend.xml.

6. Click Import.

7. Click the Triggers tab.

8. Click the One Time trigger, and then click Edit.

9. Change the start date of the task to a date just before the end of your current evaluation period.

10. Click OK, and then exit the Task Scheduler.

The Task Scheduler will now run the evaluation reset operation on the date that you specified.

Windows Vista vs. Windows XP patching

2008-02-10T11:22:00.001+01:00

On January 24 MVP:Security Jesper Johansson posted a very good blog entry, "Do Vista Users Need Fewer Security Patches Than XP Users?", about Windows XP vs. Windows Vista security. This was in reply to the "One Year Vulnerability Report" by Jeff Jones (who is the Director of Security at Microsoft).

It's VERY interesting reading showing how strong Vista is - oh, and Jesper takes that even further comparing IE7 and Firefox patching. Cool stuff.

Enjoy!

WSUS 3.0 SP1 is out there!

2008-02-09T00:48:00.001+01:00

The final version has been released:

Windows Server Update Services 3.0 SP1 - download here.

Quote:

Overview
Windows Server Update Services 3.0 Service Pack 1 (WSUS 3.0 SP1) delivers important customer-requested management, stability, and performance improvements, while incorporating further enhancements to local publishing of drivers and the Client Servicing API addition.
WSUS 3.0 SP1 delivers new features that enable administrators to more easily manage and deploy updates across the organization. This package installs both the WSUS 3.0 Server and WSUS 3.0 Administration Console components, for all Windows Server 2003 SP1 supported languages. Additionally, the WSUS 3.0 SP1 client is included in all supported client platform languages. You must install the server components on a computer running Windows Server 2008 or Windows Server 2003 SP1 or later. You may install the Administration Console on a remote computer running Windows Server 2008, Windows Vista, Windows Server 2003 SP1, or Windows XP SP2.

Supported Operating Systems:
Windows Server 2003 Service Pack 1; Windows Server 2008
- Note: there's a special guide for SBS 2003 environments...

Additional information:

Release Notes for Windows Server Update Services 3.0 SP1

Microsoft Windows Server Update Services 3.0 SP1 Overview

Deploying Microsoft Windows Server Update Services 3.0 SP1

Step-by-Step Guide to Getting Started with Microsoft Windows Server Update Services 3.0 SP1

Microsoft Windows Server Update Services 3.0 SP1 Operations Guide

Installing Windows Server Update Services 3.0 on Windows Small Business Server 2003

Enjoy!

Why a single AV engine is not enough!

2008-02-08T16:00:00.001+01:00

This is just to prove my point - a single AV engine is not enough if you want to be secure.

I had this problem today at a customer - a user had received a link in her Messenger... And she clicked it and probably accepted to execute the thing => Pooof (all her MSN Messenger contacts were spammed with links to the worm)!

We tried to use some different online scanners - as the local AV engines (no names mentioned) didn't find anything - even after updating the signatures. The online scanners I tried first didn't show anything. So, this particular online scanner turned out to be VERY cool and effective:

I can recommend this scanning link whenever you have a suspicious file you want to scan: http://virusscan.jotti.org/

As you can see it uses several engines to determine if the file is infected or not - so nice, thanx!

Free online scanners

2008-02-08T11:17:00.001+01:00

Just a quick list of online scanners - will try to update regularly - please post or send me an email if you have other great links!

General scanner (very cool):
http://virusscan.jotti.org/

File/Machine scanning:
http://housecall65.trendmicro.com
http://www.pandasecurity.com/homeusers/solutions/activescan
http://www.bitdefender.com/scan8/ie.html
http://security.symantec.com/sscv6/default.asp?langid=ie&venid=sym
http://support.f-secure.com/enu/home/ols.shtml
http://onlinescan.avast.com
http://www.kaspersky.com/scanforvirus
http://www.eset.com/onlinescan
http://www.virustotal.com

Microsoft Malicious Software Removal Tool
http://www.microsoft.com/security/malwareremove/default.mspx

GFI EndPointScan
http://www.endpointscan.com/

Acunetix WVS (is your website hackable?)
http://www.acunetix.com/cross-site-scripting/scanner.htm

Test email system
http://www.windowsecurity.com/emailsecuritytest

Windows Server 2008 RTM Administrative Template and Security settings reference spreadsheet available

2008-02-06T16:38:00.001+01:00

The Microsoft Group Policy Team has released the very useful Excel spreadsheet describing Administrative Template and Security policy settings.

Check out the GP team blog here or download the XLS/XLSX spreadsheet right here!

Enjoy... ;-)

Using Group Policy to Secure and Manage UNIX, Linux and Mac Systems

2008-02-06T00:45:00.001+01:00

This new webinar from www.centrify.com has been announced lately - featuring my good pal Jeremy Moskowitz - it's gonna be awesome!

Check out the content and sign up for a great show - 100% guarantee:

Five Top Benefits of Using Windows Group Policy to Secure and Manage UNIX, Linux and Mac Systems

    Date:           February 21, 2008
    Time:          2 p.m. Eastern US (11 a.m. Pacific)
    Duration:     1 hour

In this live webinar, Linux, UNIX and Mac admins will get a concise overview of how Group Policy works from Jeremy Moskowitz, author of authoritative works on both Windows Group Policy and Windows/Linux integration. Centrify's David McNeely will then explain the workings of the Group Policy engine that is seamlessly built into DirectControl and the unique benefits of using it for non-Windows policy enforcement. He'll also demonstrate using Windows Group Policy to lock down user and security settings on a Mac desktop system.

Register now (*CLICK HERE*) and we'll send you a free copy of our complementary white paper on extending Windows Group Policy to Linux, UNIX and Mac.

Powershell Group Policy Remote Refresh

2008-01-30T16:10:00.001+01:00

Check out this new Powershell Cmdlet from Darren Mar-Elia:

We have had the capability with other tools/script - but using PS is new, great stuff!

Limiting Tor access with ISA 2004/2006

2008-01-30T13:40:00.001+01:00

If you have looked into "The onion ring", or just "Tor", you have probably wondered if it would be wise to block access from these anonymous servers (or maybe just the exit nodes). I am not gonna talk about how the encrypted Tor network works, as a great deal of info can be found "out there". Main source should be: www.torproject.org - and perhaps WikiPedia.

As a security guy (or ISA administrator maybe), you ask yourself "why do these people want to be anonymous"? In this case "anonymous" means that "they" don't want targets on the Internet to see the originating IP address (the source). A "target" is typically a web site or some other web service.

The answer? Well, first you gotta ask yourself: "who are they"? And there's really no good answer to that question I guess - who really knows? All we can do is guess, so let me turn these questions around: if I were to try out a hack, or some new exploit, would I do it directly over my personal WAN IP? Or would I try to "hide" my originating IP? If you look at it in that perspective Tor networks are GREAT for hiding out - the whole idea is that it shouldn't be possible to track the communication. What you don't know can hurt you, right? I'm not saying all Tor users are hackers or anything, because they are not, but you have to look at the odds... What do you think? I cant help thinking, that if you hide from someone you have something (bad) to hide - but hey, it could be a Christmas present, right?

Anyway - you have to decide - do I want these people to be able to access my web sites and services or not? I'm not going to decide on your behalf - that's politics!

So, what can we do about it if we want them out? Well, after reading Thomas Shinders Blog entry "HammerOfGod Computer Sets — Block and Log by Country" I got an idea. How about downloading a list of Tor servers, import it into a Computer Set (CS) and make sure that CS is an Exception on all of you Published services? This way hackers out there, behind Tor servers, won't be able to poke around your IIS servers or whatever you have.

So, I started a search for Tor lists - the best thing would probably be to create it yourself dynamically - but that would take programming skills that I unfortunately haven't got. I'm just a scripting kinda guy... The thing is, you would need to have a Tor client installed and from that extract the list once in a while - not possible for me (maybe you can do it easily - please post a "how to" then).

But, then I found a list on Proxy.org - this list it updated regularly - the only thing is, that this list is formatted for easy import on Apache servers, definitely not ISA. But hey, we can change the formatting in a script and then call the "AddComputersToComputerSet.vbs" script from Microsoft... Simple, all we have to do then, is to configure the CS exceptions on our ISA rules, schedule the script and never touch it again!

So, I created a simple script for:

a) Downloading the latest Tor server list from Proxy.org
b) After the download it creates a new file with the correct format (machine_name<tab>IP_address)
c) And then it calls the AddComputersToComputerSet.vbs with the correct parameters

You can download the script here - also download the script from MS (link above) and place them in the same directory. You will need a bit of VBS knowledge to "tweak" the script(s), but I've tried to make the code "easy understandable". Now, make sure you can run it from your ISA box (it downloads over HTTP), and then schedule the thing (oh, and remember to remove the Msgbox "Done!" line if you want this as a scheduled task).

If you want it to run from another machine, take a look at the link to the AddComputersToComputerSet I provided above (some changes are needed).

Please report back if you have any bug reports or ideas! It provided "As Is" - after downloading you're on your own :)

The dynamically created/updated ISA Computer Set:

The ISA Rule/Publishing Exceptions:

What's missing?
I can think of a lot of things I'd like to add in there - but the idea with this blog entry is to "spread the word" and a Proof of Concept.

Personally I want to add logging of script actions, email alerts if the list is unavailable or some other errors occur. Also, there's a weakness in case the downloadable list is compromised somehow. Say someone adds Internal/Private/"not-Tor" IPs etc. to the list, it just might give some strange results for your users. So, we have to trust the list is OK secure - but it would be a good idea to put in some sort of validation on what IP addresses are put into this particular CS.

Hope you can use this :)

Is your company prepared for 2008?

2008-01-29T09:59:00.001+01:00

Read an interesting piece of information about the most likely security threats in 2008 - read it here!

Top Ten Cyber Security Menaces for 2008:

Increasingly Sophisticated Web Site Attacks That Exploit Browser Vulnerabilities - Especially On Trusted Web Sites
Increasing Sophistication And Effectiveness In Botnets
Cyber Espionage Efforts By Well Resourced Organizations Looking To Extract Large Amounts Of Data - Particularly Using Targeted Phishing
Mobile Phone Threats, Especially Against iPhones And Android-Based Phones; Plus VOIP
Insider Attacks
Advanced Identity Theft from Persistent Bots
Increasingly Malicious Spyware
Web Application Security Exploits
Increasingly Sophisticated Social Engineering Including Blending Phishing with VOIP and Event Phishing
Supply Chain Attacks Infecting Consumer Devices (USB Thumb Drives, GPS Systems, Photo Frames, etc.) Distributed by Trusted Organizations

The ranked list is created by Stephen Northcutt, Ed Skoudis, Marc Sachs, Johannes Ullrich, Tom Liston, Eric Cole, Eugene Schultz, Rohit Dhamankar, Amit Yoran, Howard Schmidt, Will Pelgrin, and Alan Paller.

SQL attacks - the lethal injection

2008-01-25T12:42:00.001+01:00

Hi there,

Let everybody know the two very simple golden rules when it comes to web-applications that are communicating with SQL servers:

1. Never send user input text strings directly to the (backend) SQL server(s). Make sure to "clean it up" first (eg. no special chars etc.). Only accept thing you KNOW you want.

2. Always use Stored Procedures and call them with arguments instead of letting text strings (SQL injections) take control of your (backend) SQL server(s).

Sticking to those rules will make life a lot easier for admins, consultant and security guys like me. Tell you company developers, thirds party software vendors etc. to stick to the rules (even though they should know them by heart already) - spread the word and life will be a lot easier for all of us good people around the globe :)

Yes of course you can assign Group Policies to Security Groups!

2008-01-25T00:48:00.001+01:00

I have to blog this right away - it will be part of a larger "GP Processing" article at some point though... But this is IMHO important stuff which needs to get out there quick :)

I've heard the following sentence too many times (in one way or the other): "You can only assign Group Policy Objects to Site, Domain Level or OU's"...

- but that's only partly true! Normally in newsgroups, forums etc. this leaves the readers (eg. someone who asked a GP question or whatever) with the impression that you cannot "hit" members of a certain Security Group only (which leaves you with "Site/Domain/OU Filtering" and/or "WMI Filtering" as the only possible a choices available). But that's simply not fair to the amazing Group Policy processing engine!

Even though "WMI Filtering" is pretty well-known these days (after WS2003 arrived), many people tend to forget the little - but extremely effective and flexible - thing called "Security Filtering" (even though it's somewhat more "Basic" compared to WMI)...

Let's talk about it for a minute or two if you are interested...

You can set this kind of filtering within the Group Policy Management Console (GPMC) on either the Scope tab:

- or the Delegation tab (a bit more Advanced):

As you can see, by DEFAULT all Group Policy Objects (GPO) include "Authenticated Users" with both Allow:"Read" and Allow:"Apply Group Policy" permissions set. Both of these permissions are needed for users and computers to take on (or process) a given GPO:

The thing about the very important "Authenticated Users" group is that it includes ALL User AND Computer accounts/objects within the AD domain (Domain Controllers too, right). So, by default a GPO applies to both computers and users (we are not going to talk about disabling GPO parts etc. now).

That's the "technical" explanation why policies placed on
a) the Site applies to ALL users and computers within the Site (users site follows computer site, site follows IP address)
b) the Domain Level applies to ALL users and computers within the Domain
c) any given OU applies to ALL users and computers within that particular OU (and sub-OUs for that matter)
=> because the "Authenticated Users" security group is there by default. These default permissions on new GPOs are handled by something called "Security Descriptors", but more on that in some other blog or article.

So, we have Security permission on all of our GPOs (unfortunately not the GPO links, but that's another talk) - leaving us with GREAT power to control to whom he particular GPO should be assigned (or 'applied'). All we need to do is to change the default permissions and <Zaboooka!> we are in complete control.

First step is generally to remove the "Authenticated Users" group from the GPO in question. Click Remove (below Security Filtering section) on the Scope tab and click OK:

Click Add... and select the domain security group you want to "hit" - click OK when done:

And <poof>, this GPO will only apply to members of "The Sales Group" - or whatever group (or user, or computer object...) you selected:

Now all you need to do is to link the GPO to the Domain Level (or Site or OU if that's better in your case) - but the Domain Level should be fine for most environments.

Now, you could turn this around and Exclude certain groups, users or computers - by setting Deny:"Apply Group Policy" instead. In some cases that might be the best choice - but as always with "deny" you have to watch out (manly because deny overwrites allow)!

Also note, that Security groups can include both user and computer accounts - we are maybe used to thinking that groups are for users only (in my experience most admins know the "Domain Users" group - but the "Domain Computers" group is not that well known)... But, with this in mind, you could make a group of computers instead of applying a WMI filter for instance (which is generally slower).

You could use other methods for setting permissions than the GPMC (like scripts) - but the GPMC is a wonderful tool for doing this easily - no sweat!

One way of automatically creating Security Groups from members of an OU is described in my article "Configuring Granular Password Settings in Windows Server 2008, Part 2" - these groups are referred to as Shadow Groups (cool, right). In some "filtering situations" that is nice to know...

Wow - that was nice getting it off my shoulders, and now I can refer to this blog entry whenever I get the question again - and so can you of course :-)

VM Ware with Multiple Physical NICs

2008-01-17T21:47:00.001+01:00

Got a question about whether it's possible to attach physical network adapters to VM Wares virtual network adapters - like eg. 1-to-1. An 'yes' it's possible... Just like it's possible in Virtual PC and Virtual Server from Microsoft.

It's basically the same story for VM Ware Workstation and Server (almost the same dialog boxes) - go to Virtual Network Settings:

Select what "Virtual Networks" you want - in here you can assign specific NICs to VMnet0-9 (you BRIDGE your adapters to the virtual "switch" you could say).

Pretty nice - now you're almost done...

On the Virtual Machine Settings - select the Network Adapter - choose Custom - and select the Virtual Network your Physical Network Adapter is bound to:

That should do it. Simple, right?

Time to contribute to the Group Policy Explain texts!

2008-01-12T12:58:00.000+01:00

The Microsoft Group Policy Team invites everyone to send in suggestions for Explain text changes of any kind (check the link).

Just send your suggestions to "gptext(@)microsoft(.)com".

*

Do you want GGPI? Great Group Policy Information?

2008-01-09T20:57:00.000+01:00

So, you are in the mood for studying Group Policy? In the lack of GGPI, I know the feeling.

And you got tired of reading my GP stuff here:
http://www.windowsecurity.com/Jakob_H_Heidelberg :-)

I'll recommend you to go for these sites then:
http://blogs.technet.com/grouppolicy
http://www.gpanswers.com
http://www.gpoguy.com

That's where everything starts...

Enjoy!

.

You just have to check out this Oracle install!

2008-01-04T17:04:00.000+01:00

Some say Danes are strange - this is the proof :-)

A guy installs an Oracle database with his nose only - go check out "The Nose Job":

http://www.youtube.com/watch?v=CHzV4LZnvHc

Windows Vista SP1 Release Candidate is out there!

2007-12-06T00:39:00.001+01:00

From the Vista Team blog:
Today we're making available the release candidate (RC) of Windows Vista SP1 via Microsoft Connect, and tomorrow subscribers to TechNet and MDSN will have access to those RC bits too. In addition, the RC will be available to the public next week via Microsoft's Download Center.

Check out the Vista Team blog here!

Go get it!

/Jakob

Windows Server 2008 RC1 in Public Beta!

2007-12-06T00:25:00.001+01:00

Today Microsoft made available for download the Release Candidate 1 (RC1) version of Windows Server 2008!

This build includes Group Policy Preferences - you HAVE TO try it out!

Download you evaluation copy here!

/Jakob

Group Policy Changes in WS2008 article - part 3

2007-12-05T23:53:00.001+01:00

Hi,

Just want to let you know that my latest article about "Group Policy related changes in Windows Server 2008" is released on www.windowsecurity.com.

This 3rd article in the series deals with the new and shiny Group Policy Preferences - read more here...

I hope you like it!!!

/Jakob

Formatting "Message text for users attempting to log on"

2007-12-01T04:59:00.001+01:00

If you have ever tried defining the Security Options policy setting called: "Interactive logon: Message text for users attempting to log on", you may have had some difficulties formatting the message the way you wanted it. This blog is about "how to" workaround a minor bug in the GPEDIT tool...

The issue:

First things first - the Group Policy setting is located here:

"Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\"

The value is a Multi-String registry value that allows you to make multiple lines in the message. The message pops up right after a users hits Ctrl+Alt+Del as a general warning to the user before actually logging on. But, unfortunately the formatting isn't as perfect as it could be.

What happens is, that carriage returns are lost after formatting this "pre-logon message" with GPEDIT, imagine you would want a message like this (see Figure 3):

--->

I don't know why this should be so hard? Jump next line please...

Let's do a comma, and continue the line...
Line number 4 is ready, but let's jump line 5 & 6 now...

Line 7 finishes up this story!

<---

Such a message would end up as (see Figure 5):

--->

I don't know why this should be so hard? Jump next line please...
Let's do a comma, and continue the line...
Line number 4 is ready, but let's jump line 5 & 6 now...
Line 7 finishes up this story!

<---

So, basically the problem is: line feeds/carriage returns/empty lines disappear completely!

You can actually see this within the GPEDIT GUI, but only if you hit "Apply" before "OK" - if you just hit "OK" after typing in your message you cannot see that it's actually changed by GPEDIT (so you think the formatting is working as it should). I tested this behavior with GPEDIT on Windows XP SP2 (local policy), Windows Server 2003 SP1 (domain policy), Windows Vista SP Pre-RC (local policy) and Windows Server 2008 RC1 (domain policy).

Figure 1 - I typed in my message with the format I wanted:

Figure 2 - I clicked Apply, and the formatting was changed:

If I had just click OK I wouldn't have noticed the change - anyway it's a bit annoying, right?

Solution/Workaround:

The solution I came up with is to modify the policy file directly/manually using Notepad. The file is located here:

"\\DOMAIN.local\SYSVOL\DOMAIN.local\Policies\{GPO-GUID}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"

Within that file we have the relevant registry value, called "LegalNoticeText":

MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText=7,I don't know why this should be so hard? Jump next line please...," ",Let's do a comma"," and continue the line...,Line number 4 is ready"," but let's jump line 5 & 6 now...," "," ",Line 7 finishes up this story!

Notice the " " (<quote><space><quote>) sequences, which are the same as empty lines.

This is the relevant line from a working GptTempl.inf file (the correct syntax written manually), and it actually works great:

Figure 3 - Pre-logon message on a Windows Server 2003 SP1 Domain Controller:

Figure 4 - The above inserted GptTmpl.inf line also works for Windows XP SP2 in the same domain:

So, this proves that the INI file can actually be correctly formatted so clients (tested w/WS2003 SP1 and XP SP2 in a domain) can show the message perfectly. Please notice that the behavior is similar with local policies, but my testing has been focused on domain environments so far.

If you try to modify the working policy setting using GPEDIT again - after changing just a tiny bit (or just hitting OK to an existing setting) within the GPO the formatting/syntax is ruined again unfortunately (when GPO is saved by GPEDIT)! Look here what came out of it when I tested it:

MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText=7,I don't know why this should be so hard? Jump next line please...,Let's do a comma"," and continue the line...,Line number 4 is ready"," but let's jump line 5 & 6 now...,Line 7 finishes up this story!

Notice the " " (<quote><space><quote>) sequences are gone! This gives a wrong result (no empty lines) when clients get the pre-logon message.

Figure 5 - The formatting is lost (or wrong) when GPEDIT does the job:

Please notice, if you're testing this you will have to define an additional policy setting for it to work, namely the "Interactive logon: Message title for users attempting to log on" setting.

Figure 6 - The title must be set for pre-logon message to appear

Conclusion

So, my conclusion is that (existing version of) GPEDIT doesn't modify the GptTmpl.inf file properly (or the registry for local policies for that matter) - for this particular value at least... My best guess is that it doesn't handle the quotes (") correctly, but I can't be 100% sure. A bug report has been made for Microsoft - so hopefully it will be fixed before the final release of Windows Server 2008 and the Remote Server Administration Tools (RSAT).

However, as mentioned you can make it work with a workaround like this: Just perform the GptTmpl.inf (below SYSVOL) editing manually, make a backup of the file when it's perfect - and never touch that GPO with GPEDIT again... Until Microsoft releases an updated version of GPEDIT anyway.

Related KB articles out there:
KB 330618
KB 238149
Technet article

Remote Server Administration Tools (RSAT) in beta

2007-11-28T21:49:00.000+01:00

Microsoft Remote Server Administration Tools (RSAT) are now in Beta, available on https://connect.microsoft.com/ - I just got hold on them!

The download contains:
Remote Server Administration Tools Beta Fact Sheet.docx
Windows6.0-KB941314-x64.msu
Windows6.0-KB941314-x86.msu

Still waiting to install on my Vista SP1 Beta...

[UPDATE]
Install went just fine - but some admin tools are still not included (se readme for more info).

This is the exact download location:
http://connect.microsoft.com/windows/Downloads/DownloadDetails.aspx?DownloadID=9561

More info:
http://blogs.technet.com/windowsserver/archive/2007/11/28/remote-server-administration-tools-rsat-beta-is-now-available.aspx

Group Policy Changes in WS2008 article - part 2

2007-11-25T23:06:00.000+01:00

Hi,
Just want to let you know that my latest article about "Group Policy related changes in Windows Server 2008" is released on www.windowsecurity.com.

This 2nd article in the series deals with the Group Policy Management Console (GPMC) version 2 - read more here...

Part 3 about Group Policy Preferences is soon to be published too.... Enjoy!

.

Windows SteadyState v2.5 Beta

2007-11-20T15:19:00.000+01:00

If you have ever tried out the Shared Computer Toolkit - or the newer Windows SteadyState toolkit, you probably know that Windows Vista has not been supported so far... But now it's here - go get it:

Windows SteadyState 2.5 Beta
http://www.microsoft.com/downloads/details.aspx?FamilyId=4DE91D3A-69F4-4D7B-94B1-C69B8BE029F4&displaylang=en

Windows SteadyState 2.5 Beta Handbook
http://www.microsoft.com/downloads/details.aspx?familyid=D173452A-CE26-4F26-9C30-982F705F84D2&displaylang=en

Windows SteadyState 2.5 Beta Readme File
http://download.microsoft.com/download/E/2/F/E2F23589-E8E1-404F-9DAB-77F1CAE24153/ReadmeBeta.txt

Supported Operating Systems:
Windows Vista: Business/Home Basic/Starter/Ultimate/Enterprise/Home PremiumWindows XP: Home/Professional with Service Pack 2

Jeremy Moskowitz in RunAs Radio

2007-11-20T10:57:00.001+01:00

Richard Campbell & Greg Hughes from RunAs Radio talks to my good friend Jeremy Moskowitz about Group Policy - who would have guessed, right :-)

Check it out here: http://www.runasradio.com/default.aspx?showNum=32

My WindowSecurity.com articles...

2007-11-20T10:47:00.000+01:00

Hi,
This is a list of my articles on www.windowsecurity.com for reference - if you haven't read them yet, please do so!

Group Policy related changes in Windows Server 2008 (Part 1: What are Starter GPOs?)
This article series deals with the new Group Policy features W2008 will bring, including GPMC v2 features and Group Policy Preferences.
http://windowsecurity.com/articles/Group-Policy-related-changes-Windows-Server-2008-Part1.html

Protect Public Computers with Windows SteadyState (Part 1)
This is an article series deals with the Windows SteadyState product and how to protect public computers using this toolkit.
http://windowsecurity.com/articles/Protect-Public-Computers-Windows-SteadyState-Part1.html

Configuring Granular Password Settings in Windows Server 2008 (Part 1 & 2)
This article series deals with how to set Granular Password Policies for WS2008 domains.
http://windowsecurity.com/articles/Configuring-Granular-Password-Settings-Windows-Server-2008-Part-1.html
http://windowsecurity.com/articles/Configuring-Granular-Password-Settings-Windows-Server-2008-Part2.html

Efficient Registry Cleanup
This article deals with Group Policy Startup scripts and why they are so powerful.
http://windowsecurity.com/articles/Efficient-Registry-Cleanup.html

Default Deny All Applications (Part 1 & 2)
This article series deals with Software Restriction Policies and how to implement SRP in a corporate environment.
http://windowsecurity.com/articles/Default-Deny-All-Applications-Part1.html
http://windowsecurity.com/articles/Default-Deny-All-Applications-Part2.html

How to Force Remote Group Policy Processing
This article shows how to update Group Policy settings on remote computers using different approaches.
http://windowsecurity.com/articles/How-Force-Remote-Group-Policy-Processing.html

Managing Windows Vista Group Policy (Part 1, 2 & 3)
This article series deals with the new things in Group Policy land after Windows Vista joined the world.
http://windowsecurity.com/articles/Managing-Windows-Vista-Group-Policy-Part1.html
http://windowsecurity.com/articles/Managing-Windows-Vista-Group-Policy-Part2.html
http://windowsecurity.com/articles/Managing-Windows-Vista-Group-Policy-Part3.html

All feedback is very welcome - just send me an email!

Free PowerShell Cmdlets for Group Policy

2007-11-18T11:29:00.000+01:00

Group Policy MVP Darren Mar-Elia has released some new PS cmdlets for handling Group Policy Objects using PowerShell.

Check them out here:
http://www.gpoguy.com/powershell.htm

I hope you'll like it!
/Jakob

AGPM whitepaper out there

2007-11-13T22:06:00.000+01:00

Just a "quick note" this time!

A nice looking whitepaper is available from the Microsoft Group Policy Team... This time it's an AGPM overview: Advanced Group Policy Management Overview

Group Policy Revolution Coming Up!

2007-11-13T18:03:00.001+01:00

It's exciting, fantastic, amazing, wonderful and totally cool - Microsoft has FINALLY announced what is going to happen with the PolicyMaker stuff they got when taking over DesktopStandards... It's going to be released with Windows Server 2008 as many of us had hoped for!

This is just GREAT I can tell you - and it will available to the public with the RC1 release of Windows Server 2008, maybe even before as a separate Beta program I'm told...

Microsoft decided to call it "Group Policy Preferences" or just "GP Preferences". So, what can we do with this you ask? Well, here's some of it:

Map network drives
Set Environment variables
Copy Files to clients
Create and update INI files
Modify registry settings on the clients (REG_SZ, REG_DWORD, REG_BINARY, REG_MULTI_SZ, and REG_EXPAND_SZ )
Create Shortcuts (URL/File/Shell)
Open Database Connectivity (ODBC)
Control Devices
Set Folder Options
Define File Associations
Tweak Internet Settings
Handle Local Users and Groups (change passwords, add/remove from groups, disable users etc.)
Set Network Options (like VPN or Dial-Up connections)
Configure Power Options (Windows XP)
Map Printers (even TCP/IP printers)
Set Regional Options
Create Scheduled Tasks
Set properties on Services
Tweak the Start Menu
and so on....

As you can see, it's quite impressive and something that will make companies around the world turn to Windows Server 2008 ASAP... I think and hope anyway!

The client part, a necessary extension which must be installed on the client, will be ready for Windows XP/2003/Vista - and in both x86 and x64 editions. Windows Server 2008 already includes the CSE (Client Side Extension).

There's SO much to tell, and SO little time... But, a Whitepaper is ready (a REALLY nice of the kind) thank you Microsoft!

Download the whitepaper here:
An Overview of Group Policy Preferences

Microsoft IT Forum 2007 Barcelona

2007-11-13T14:31:00.001+01:00

Hi there,

I've been pretty busy the last days - so I haven't have time to create this "hello from Barcelona" post, now it's here :)

This year is a little special for me as it's the first time participating as a HOL (Hands-On-Lab) Proctor and an ATE (Ask The Expert - or "Ask The so called Expert")... So I'm working for Microsoft some hours during the day, which means I cannot attend all the sessions I might want - but so far I've been very lucky.

I'm assigned to the MDOP (Microsoft Desktop Optimization Pack) labs - so for me it's SoftGrid, AGPM (Advanced Group Policy Management), Desktop Error Monitoring, DART (Diagnostics and Recovery Toolset - which is actually the good old "Administrators Pak" from the former Winternals, including the Locksmith utility to reset passwords...) - most attendees seems to focus on SoftGrid and AGPM though (as expected).

I've met a lot of Danes down here - we are around 250 this year - that is really great I think (compared to the size of the country). Many companies can see the value of TechEd apparently - I can understand why. For me it's not only the technical news, info and sessions, but also meeting people from around the world, from my own country, from Microsoft and vendors - and doing some good old "social networking" - which is very valuable, both shot and long term.

Hope to see you soon (or maybe next year).

SoftGrid is now Microsoft Application Virtualization

2007-11-13T14:12:00.001+01:00

I hope you have tried out SoftGrid (part of the cool MDOP package) - but, now we gotta start using a new name: "Microsoft Application Virtualization" - or actually "System Center Application Virtualization Management System "...

We all know the Microsoft way of doing this by now: buy the technology/product, start selling with the good old (well known) name, change the name - and some would add: then, as the very last part of the process, change the naming within the code, like "Softricity" folder names, service names etc. (as they often "forget" about this).

Nevertheless a Public Beta version is available for the NEW version 4.5 (most have 4.2 out there I guess). The Beta is available from Microsoft Connect - just sign up and as to participate in the "Application Virtualization 4.5 Public Beta".

You then ask: what's the new stuff? First of all we of course have a lot of bugfixes, but you also have new and cool functionality worth a lot of nice words - but I'm afraid it's gonna be another time, sorry.

However, check these links:
Microsoft Application Virtualization 4.5 Beta – What’s New
Microsoft SoftGrid Application Virtualization

Hope you will like it!

ADMX Migrator version 1.2

2007-11-12T15:57:00.001+01:00

Good news from IT Forum Barcelona:

ADMX Migrator has been upgrade and now includes:

(1) Enhancements and bug fixes to support a wider range of ADM templates for conversion to ADMX.
(2) Enhancements to code and documentation for conversion error reporting and warnings.
(3) Improved handling of internationalized ADMX templates.

Get it here:

http://go.microsoft.com/fwlink/?LinkId=77409

Great stuff!

Sysprep - Generalize - SID

2007-10-16T08:33:00.000+02:00

I create millions and billions of Virtual Machines - ok, maybe not that many but it feels like it. Everytime I have copied the physical files (VHD/VMC) a number of things must be done if I want to join those virtual machines to my domain(s) - most importantly: the machines SID (Security ID) must be re-generated to be unique and the computer must be renamed of course.

So, heres the thing. Back in the good old days you had to find the Windows CD, find and extract the Deploy.CAB file to you hard drive and then execute the SYSPREP.EXE tool. But, with Windows Vista and Windows Server 2008 the SYSPREP file(s) can be found below:

%WINDIR%\System32\Sysprep - ready "out of the box", just waiting for you to go for it!

And this is the important thing (and the reason why I started this blog): If you want to create a new SID, remember to CHECK the "Generalize" checkbox - or else you have to go all over again...

During the following reboot a new SID is automatically generated - and you will have to type in your Product/License Key, provide a new Computer Name, select an Administrator Password etc.

You may have known this already - personally I didn't because I tend to use the wonderful Sysinternal NewSID tool for this purpose in most cases (it's much faster)... However, that tool is not officially supported for Windows Server 2008 (or even Vista) at this time - but hopefully it will be soon?

_

Starter GPO's - what are they?

2007-10-02T02:39:00.001+02:00

With Windows Server 2008 (Codename Longhorn) you will notice a new container called "Starter GPOs" inside the GPMC (version 2.0 - BTW this version will also be available as a separate download for Windows Vista with SP1).

This new container can hold what I would call "templates" for creating new GPO's - with the limitation that only Administrative Template settings are available. When creating new GPO's you can choose to use a Starter GPO as the source (read: template) - which makes it easy and fast to create multiple GPO's with the same baseline configuration.

But, the very cool thing is that you can now "export" those GPO templates (Starter GPO's) to a Cabinet file (.CAB) and then import into another environment - completely independent of the source domain/forest! So, you can create the PERFECT Starter GPO and then bring it around the world, share it on the Internet (if legal?), deploy it on all systems you can get a hold on etc. etc.

When you 'enable' Starter GPO's in the domain for the first time, a folder called "StarterGPOs" is created inside the SYSVOL folder (\\domain.com\SYSVOL\domain.com\StarterGPOs) - this is where all the "magic" is done... For each new Starter GPO you create, you will see a new folder below this StarterGPOs folder - each will have a unique GUID (just like normal group policies). So, when you create a new GPO with a Starter GPO as source a nice and simple COPY process is actually performed - the subfolders and files from the Starter GPO's GUID folder is just copied into the \\domain.com\SYSVOL\domain.com\Policies\[SomeNewGUID] folder - and wupti, you are ready to deploy...

Well, it may not be the same as the Templates we got with AGPM (Advanced Group Policy Management from Desktop Optimization Pack) - but, even if you don't have the required DOP license you still get a few cookies for "free"...

One last thing - remember to create a separate backup process for Starter GPO's, as they are not backed up though the GPMC "Backup All" method you have for the regular GPO's - the yhave a seperate backup procedure. So far there's no script for backing up the Starter GPO's, but I'm pretty sure it will show up (just like the "BackupAllGPOs.wsf script).

And don't worry - if you should get an error like this:

"The overall error was: The system cannot find the path specified. Additional details follow"
&
"[Error] The backup configuration file [C:\xxx\Backup.xml] cannot be saved. The following error occurred: The system cannot find the path specified."

when performing a backup of your Starter GPO's you are probably testing the RC0 release... That build has a known bug which has been corrected already (RC1)!

But besides from this minor detail I say: Thumbs up for Starter GPO's!

_

Moskowitz videos

2007-10-02T02:35:00.000+02:00

Hi,

Microsoft MVP, Jeremy Moskowitz, has 2 video interviews out there... Check them out:

Part 1 & Part 2

_

GPMC Script Samples

2007-09-29T01:16:00.000+02:00

Overview:
The Group Policy Management Console (GPMC) can be scripted by using a built-in COM object.

This package contains a great deal of script examples:
BackupAllGPOs.wsf
BackupGPO.wsf
CopyGPO.wsf
CreateEnvironmentFromXML.wsf
CreateGPO.wsf
CreateMigrationTable.wsf
CreateXMLFromEnvironment.wsf
DeleteGPO.wsf
DumpGPOInfo.wsf
DumpSOMInfo.wsf
FindDisabledGPOs.wsf
FindDuplicateNamedGPOs.wsf
FindGPOsByPolicyExtension.wsf
FindGPOsBySecurityGroup.wsf
FindGPOsWithNoSecurityFiltering.wsf
findorphanedGPOsInSYSVOL.wsf
FindSOMsWithExternalGPOLinks.wsf
FindUnlinkedGPOs.wsf
GetReportsForAllGPOs.wsf
GetReportsForGPO.wsf
GrantPermissionOnAllGPOs.wsf
ImportAllGPOs.wsf
ImportGPO.wsf
ListAllGPOs.wsf
ListSOMPolicyTree.wsf
QueryBackupLocation.wsf
RestoreAllGPOs.wsf
RestoreGPO.wsf
SetGPOCreationPermissions.wsf
SetGPOPermissions.wsf
SetGPOPermissionsBySOM.wsf
SetSOMPermissions.wsf
SampleEnvironment.xml
ScriptingReadme.rtf
SampleMigrationTable.migtable
Lib_CommonGPMCFunctions.js

System requirements:
Windows Server 2008 or Windows Vista

Download here:
http://www.microsoft.com/downloads/details.aspx?familyid=38c1a89b-a6d2-4f2a-a944-9236999aee65

Populate the Central Store?

2007-09-29T01:09:00.000+02:00

If you are in a large international organization you might want to upload Vista ADML files for the different languages used on management computers to the Central Store.

Now you can download both ADMX and ADML files for Vista in a single package:
http://go.microsoft.com/?linkid=7471439

You might wanna pick out the languages needed only (ADML files) - as this will take up around 80MB of SYSVOL space.

GP related changes - good MS article

2007-09-29T01:07:00.000+02:00

Check out this article, it's really good for a "quick" summary of the GP related changes in Windows Vista/Windows Server 2008 (Longhorn)

http://technet2.microsoft.com/WindowsVista/en/library/5ae8da2a-878e-48db-a3c1-4be6ac7cf7631033.mspx?mfr=true

Windows Server 2008 RC0 is out there!

2007-09-25T09:24:00.000+02:00

It's so exciting - Windows Server 2008 RC0 is out there and ready to be downloaded!

Read the team blog here:
http://blogs.technet.com/windowsserver/

Download CTP here:
http://www.microsoft.com/windowsserver2008/audsel.mspx

.. og go get it from Technet (if you are a subscriber).

_

Windows Script 5.7 released!

2007-09-02T09:35:00.000+02:00

Microsoft just gave us an updated version of the Windows Script engine that we all love so much... This version brings very few additions, but great many fixes.

From release notes:
This release of Windows Script brings the improvements in scripting made during the Vista development cycle to downlevel platforms. During any release cycle we test with increasingly effective analysis tools designed to expose stability problems, memory leaks, and potential security weaknesses in code. The results from this testing comprise the vast majority of changes. Of course, we also include all the current security updates. This is the fastest, most robust, and secure release of Windows Script available.

Why Version 5.7?
The primary reason for changing the version number from 5.6 to 5.7 is to simplify servicing and support by synchronizing the versioning to a consistent scheme based on Vista build number. The minor version increase does not indicate significant new features. The scripting feature set is substantially the same as 5.6, with only minor additions.

What’s New
In addition to the general improvements noted above, the following are some of the notable changes in this release.

JScript
• This package includes the improved garbage collector (GC) shipped with Internet Explorer 7 and Vista. The new GC can dramatically improve the performance of applications that create large numbers of objects, such as Ajax-style web applications. These performance improvements are now available to users of earlier browsers.This work replaces and improves upon KB919237. If you have implemented KB919237, we recommend removing the registry keys.
• New progid JScript.Compact implements the JScript Compact Profile (ECMA 327). This is a profile of the ECMAScript language standard with a subset of features. See the ECMA 327 standard for more information.
• Update for new Daylight Savings Time rules.

VBScript
• VBScript defines a new global function GetUILanguage that returns the current default user interface language. This is the same value returned by the Windows API GetUserDefaultUILanguage. Script authors can now write code that is aware of the current user’s language preference.
• Fix crash when calling VBScript class objects from JScript.
• Fix problems with comparisons to NaN in some versions (KB901104).VBScript and JScript
• Support for large address space on machines with > 2GB RAM (KB890048)
• Improved stack checking makes script more robust in the face of stack overflows.
• Fix miscellaneous TLS leaks and memory leaks, including using the RegEx object with more than 10 sub-matches.Windows Scripting Host
• Fixed rare deadlocks in remote scripting. Prevents occasional hangs in remote scripts.
• Fixed propagation of error return codes in remote scripting. Error codes produced by remote scripts are more reliably returned to the client.
• Fixed attempting to load nonexistent wshenu.dll which created performance problem in login scripts.

Included KB’s
This release also contains fixes described in the following knowledgebase articles.
KB831191
KB834742
KB836863
KB890048
KB892296
KB901104
KB903648
KB906092
KB917344
KB919237 (superceded by new GC)
KB925753
KB933811
KB933812
KB933873
KB940284

Download here:
Windows Script 5.7 for Windows 2000
Windows Script 5.7 for Windows XP
Windows Script 5.7 for Windows Server 2003
Windows Script 5.7 Release Notes

Group Policy Diagnostic Best Practice Analyzer

2007-09-02T09:27:00.000+02:00

Microsoft just released a free tool to search for errors in Group Policy configuration - totally new and cool tool in the Best Practice Analyzer (BPA) series.

Download here:
GPDBPA for Windows XP
GPDBPA for Windows XP x64 Edition
GPDBPA for Windows Server 2003
GPDBPA for Windows Server 2003 x64 Edition

Read more here:
Microsoft KB 940122 article: "How to use the Microsoft Group Policy Diagnostic Best Practice Analyzer (GPDBPA) tool to collect and to analyze data"

Quote from KB article:
You can use the Microsoft Group Policy Diagnostic Best Practice Analyzer (GPDBPA) tool to collect data about an environment's Group Policy configuration. For example, you can use this tool to analyze a Group Policy configuration for the following purposes:

• To search for common configuration errors
• To discover and to diagnose problems
• To collect data for archiving

The account that you use to run the tool must have the appropriate permissions to access both the Active Directory database on an environment's domain controllers and the SYSVOL file structure that is maintained on those domain controllers. Additionally, the account must have local Administrator permissions on the Group Policy client.

There are two additional prerequisites for using the GPDBPA tool:
•The Microsoft .NET Framework version 1.1 or a later version must be installed on the computer on which the GPDBPA tool is installed.
•The Windows Management Instrumentation (WMI) service must be running on the environment's domain controllers.

Something nice for the wall

2007-07-17T23:42:00.000+02:00

If you haven't got them already - those geeky posters from the July 2007 issue of TechNet Magazine visualizing the various features and components of Windows Server 2008 - go get them here, ready to print :-)

Windows SteadyState - the new and shiny Shared Computer Toolkit

2007-06-19T21:03:00.000+02:00

Windows SteadyState is ready for download from Microsoft now - you can get it right here! It's free - you just need to pass the WGA test... Only pirate Windows users cannot pass that test, so what are you waiting for? :)

This toolkit is extremely efficient when it comes to protecting public available Windows XP computers (no support for Windows Vista unfortunately).

In short Windows SteadyState is:
- Easier to set up
- Easier to use
- More Secure

Windows SteadyState website:
http://www.microsoft.com/windows/products/winfamily/sharedaccess/default.mspx

Microsoft Virtual Server 2005 R2 SP1 released

2007-06-12T08:14:00.000+02:00

Hi!

Microsoft released Service Pack 1 for Virtual Server 2005 R2 - Enterprise Edition!

It can be downloaded here! More info available here!

Now all we need is 64bit support for the Guest OS :-)

Booth #914

2007-06-05T21:28:00.000+02:00

I joined a session "Deep Dive into Microsoft Windows Vista Group Policy Changes and Troubleshooting" with Jeremy Moskowitz here in Orlando - and he was very good. He's a funny guy and it seemed like everybody in the room just loved him. Thanx for the inspiration Jeremy - you put on a nice show.

After the session I joined him at the SpecOps booth (#914) and spoke to some of the other Group Policy Gurus, like Darren Mar-Elia, J. Peter Bruzzese and the SpecOps employees. SpecOps were really focused on sharing info on their SpecOps Deploy product - so why not help them here ;-)

Tomorrow I hope to catch Derek Melber - a 'colleague' from www.windowsecurity.com - he was busy preparing for his upcoming Group Policy sessions so he didn't show today... I'll try to get back with a report from those sessions when possible.

I have to mention that it turned out Peter Bruzzese not only mentions me, but also quotes me, in his new book "Tricks of the Microsoft Windows Vista Master" * - as a "Vista Master" - thanx for the honor!

* Book is published by Que Publishing
ISBN-13: 978-0-7897-3689-5
ISBN-10: 0-7897-3689-6
Amazon link here!

Blogging from TechEd 2007 Orlando

2007-06-04T16:45:00.000+02:00

Hi there,

I'm blogging "Live" from Microsoft TechEd 2007 in Orlando, Florida. It's an amazing event - and hopefully we will learn something new :)

You should be able to follow the blogs on the Microsoft Technet Denmark website in danish:
http://www.microsoft.com/danmark/technet/default.mspx

Direct links:
http://blogs.technet.com/dkitpro/archive/2007/06/04/jakob-blogger-fra-teched-i-orlando.aspx
http://blogs.technet.com/dkitpro/archive/2007/05/23/f-lg-med-i-jakobs-blog-om-bl-a-microsoft-group-policies.aspx

Export a Local User Policy on Vista

2007-05-19T14:28:00.000+02:00

I received an interesting question by mail the other day regarding my article about MLGO on Windowsecurity.com. The question was, if it is possible to export a local policy assigned to a specific user to a user on another computer...?

After scratching my head and researching a bit it seemed like nobody had a good answer for this and no GUI tool is apparently available - so I had to come up with something myself... This is the result:

The following undocumented - and probably unsupported - method worked for me:

On "Source Computer":
1. Create/modify a local policy for the "Source User"
2. Go to "C:\Windows\System32\GroupPolicyUsers\" and locate the last modified policy folder
- the folder should be named with the SID (Security ID) of the "Source User", e.g. "S-1-5-21-452792215-1268730067-2626448776-1108"
3. Copy the folder and content to the "Target Computer" into the same directory structure

On "Target Computer":
1. Rename the newly copied folder to the SID of the "Target User" (the user who should receive the "exported" policy)
- how to find the SID of a local user?
2. Set NTFS permissions on the newly renamed folder to:
- SYSTEM = "Full Control"
- Administrators group = "Full Control"
- "Target User" = "Read & Execute"
3. Test a logon as the "Target User", the policies should be correctly applied.

Done! Well, the procedure is a bid "odd", but it could be scripted if required.

Blocking U3 USB devices

2007-05-10T09:19:00.000+02:00

Hey,

I get this question a lot: how can we block U3 devices on the network?

Well, one approach that some companies take is to simply block the physical USB ports by glue etc. - no USB devices are able to get in, so we have a "secure" system... Hmmm, this would mean that we are not able to use other USB devices either - maybe not the best solution for all of us then...

If you have Windows Vista deployed the new Device Control functionality, but most companies have Windows XP and Windows Server 2003 products in production (and probably waits for Vista Service Pack 1 before they go ahead with the Vista deployment)... So, what could they do then?

Third party software, like GFI EndPointSecurity is capable of blocking USB devices etc. - and it's does a very good job too, but there's also a free way to do it (if you ask me it's the best way to do it): implement Software Restriction Policies (SRP)!

I've been writing about the "Default Deny All Applications" approach and this is (of couse) also capable of blocking U3 devices - out of the box, built-in Windows functionality.

When the Default Security Level is set to Disallowed, nothing is able to launch except what the administrator defines as Unrestricted (and some default rules and limitations on top of this). When a user plugs in the U3 USB device NOTHING happens - no weird hacker tools, utilities, applications and whatever those 'wonderful' devices normally introduce.

Behind the scenes SRP restricts access to the U3 LaunchPad and leaves only an event in the Windows Event log:

Source: Software Restriction Policy
Event ID: 865
Type: Warning

"Access to C:\...\LaunchPad.exe has been restricted by your Administrator by the default software restriction policy level"

This limitation can be set on user and/or computer level.

After introducing SRP on your Windows computers (Windows XP and above) - you can consider your network "U3 free".

Remote Desktop issue on multihomed machines

2007-05-03T01:43:00.000+02:00

I have seen this issue too many times now, so I have to write this short blog about it!

Have you ever seen this error when trying to connect to a Remote Desktop enabled machine using MSTSC/Remote Desktop Client:

Remote Desktop Disconnected
The client could not connect to the remote computer. Remote connections might not be enabled or the computer might be too busy to accept new connections. It is also possible that network problems are preventing your connection. Please try connecting again later. If the problem continues to occur, contact your administrator.

Well, I've seen it so many times now, especially on ISA servers... Even after the RDP sessions have worked nicely, sometimes, for some reason, the RDP settings can be changed - or even "corrupted". In most cases the above error has something to do with NIC (Network Interface Card) adapter binding to RDP.

If you are experiencing this issue go read the Microsoft KB article: "You can not establish a Remote Desktop session to a computer running one of the affected products". You will find it here http://support.microsoft.com/kb/555382 - good luck!

WSUS 3.0 Released - nice stuff!

2007-05-01T07:46:00.000+02:00

I'm happy to tell you that WSUS version 3.0 has been released! The release day was April 30th 2007 - a day to remember...

This version bring lots of goodies compared to it's younger brother WSUS 2.0 (who did a great job in my opinion).

So, what's new? Well, let my try to wrap up some of the really good stuff:
- Inplace upgrade over WSUS 2.0 SP1
- New setup and configuration wizard
- New MMC (Microsoft Management Console) GUI
- New views and reports (and faster reports - up to 50%)
- Cleanup wizard for management of stale clients and content
- Built-in email notifications
- New approvement rules
- Enhanced target group concepts (eg. overlapping group membership)
- Support for language sub-setting for downstream replica servers
- Peer caching
- Syncronization with MS down to every 1 hour now
- Native support for x64 platform
- NLB (Network Load balancing) and SQL Cluster support
- MOM Management Pack (will be released very soon)
- Client 'Sync me now' quick check-in
- and all the other stuff...

Download:
x86/x64 package
WSUS 3.0 Release Notes
WSUS 3.0 on SBS 2003
Deployment Guide for WSUS 3.0
Step-by-step Guide: Getting Started with WSUS 3.0

Go to WSUS Technical Library for more information, guides etc.

I think we will all benefit from this release - well, maybe not the penguin guys :)

Windows Server Code Name Longhorn Beta 3 is PUBLIC!

2007-04-26T08:02:00.000+02:00

Hello there,

I know it has been a while, but something great happened today :)

Windows Server Code Name "Longhorn" is available for download here:
http://www.microsoft.com/technet/prodtechnol/beta/lhs/default.mspx

You can download Standard, Enterprise, Web and even Datacenter editions - x86 or x64!

Go get it ASAP!!!!

Virtual PC 2007 is out there!

2007-02-19T21:36:00.000+01:00

Go to this link and get the latest version of Virtual PC!

You must uninstall any previously installed beta versions of VPC 2007 before installing the latest edition.

You can download the release notes here!

This release of Virtual PC 2007 introduces support for the following:

Windows Vista™ operating system as a host operating system
Windows Vista as a guest operating system
64-bit host operating systems
Hardware-assisted virtualization
Network-based installation of a guest operating system
Running virtual machines on multiple monitors
Support has been removed for the use of linked disks in a virtual machine

Windows Vista Language Packs

2007-01-30T07:32:00.000+01:00

First of all - happy Vista Launch Day :)

I just want to write a real quick blog about Windows Vistas way of handling Display Language. With Windows 2000/XP we also had MUIs - Multilingual User Interface language packs - they were just a bit more complicated to setup (just getting the media was a seperate task). LIPs (Language Interface Pack) for Windows Vista Ultimate and Windows Vista Enterprise are now available on Windows Update!

Installing languages (we can have multiple packs installed):

The administrator installs the required language packs and users can user Regional and Language Options to set their Display Language - the language follows the user. In this case I'm, gonna select Danish...

Now all we have to do is to log off:

The GUI is not in Danish... Internet Explorer, Calculator, Control Panel, Help & Support - everything!

Other language packs are available on the Windows Update website - by the end of 2007 there should be 99 languages available according to Microsoft

Extremely cool and smooth if you ask me :)

FlexCommand

2007-01-15T00:33:00.000+01:00

Hi,

I was looking at Darren Mar-Elia's (MVP Group Policy) tool that makes it possible to update a REMOTE computers Group Policy settings using the command line (almost like the good "old" GPUPDATE, just on speed). You can get more info and download the tool here.
I thought it might be an idea to "wrap" the tool into a simple GUI application that should make it possible to select an Organizational Unit (OU) in a domain and run the RGPREFRESH for each computer object in the OU. I know you can use a FOR command, DSQUERY and other stuff, but "normal" admins etc. might not find this easy to do.
That made me start working on a "quick-and-dirty" HTA application which should let the user select an OU and the run the RGPREFRESH command with some checkboxes for the available switches... BUT, after a short time I decided to make the application more FLEXIBLE so the user can type ANY command that should be executed for a given number of computers (selected from an OU).
The tool can now be combined with most command line utilities, fx. the wonderful PSEXEC from Sysinternals.

The FlexCommand HTA application
So, let's take a look at the tool in its current state (version 1.0).

As you can see above the GUI is pretty simple. First we should select en Organizational Unit (must be done before the application can be executed):

After selecting a given OU (hopefully one with computer objects in it) there is 2 checkboxes that can be selected.
A. Also handle computers in sub-Organizational Units?
With this checkbox selected we use "SUBTREE" in the LDAP query behind the scenes, so all computer objects in the underlying OU's will be handled too!
B. Only run command if the computer is alive (WMI)?
With this checkbox selected we check to see if the remote computer is alive - by using a WMI PING (that unfortunately can be a bit slow when a remote computer is not responding - but still faster than commands that just wait to "timeout") - before actually executing a command against the remote computer.

Then we need to type in the command, the example below is a simple PING command. It's IMPORTANT to understand, that the computernames from the selected OU (or OU's) will be inserted instead of the "{C}" signature which MUST be entered before the application can be executed.

In some cases it will be necessary to specify a FULL PATH to the command line utility that must be run - remember to user the "quote signs" on each side of the file path.

Using the PING example above, the result is the following in my test domain, and this command is repeated for each computer (that is alive in the selected OU and Sub-OUs):

The tool can be downloaded here!

Future versions
Well, I haven't thought this through 100% yet (and I know the tool is not perfect yet) but I have thought about making the following changes whenever I have time:
1. Logging - write a logfile that shows the commands that where executed
2. Reporting - give a report at the end about number of successfully executed commands etc.
3. Testmode - checkbox where you can make a "what if" execution before running "the real thing"
4. Selection between a- or synchronous execution of commands
I hope you will enjoy this "as-is" tool - it's FREE for you to USE and MODIFY (one cool thing about HTA applications).
All comments and ideas are very welcome - just send me an email for info at heidelbergit dot dk!

Best regards
Jakob H. Heidelberg

Group Policy Update

2007-01-06T16:23:00.000+01:00

If you have read my article series on windowsecurity.com about "Managing Windows Vista Group Policy" theres a few extra comments I would like to add...

ADMX
The most important note I would like to make is that Microsoft published a tool to migrate ADM files to the ADMX file format some time ago (november 2006) - the tool was actually developed by FullAmor and licensed freely for Microsoft costumors. The tool is called "ADMX Migrator", but actually does more than just migrate templates...

The product requires "Microsoft Management Console 3.0" and "Microsoft .NET version 2.0" on Windows Vista, Windows XP SP2 or Windows Server 2003 SP1 to work - and provides the following functionality:

1. Converting/migrating ADM files to the new XML based Administrative Templates format: ADMX. You can even select multiple files to convert at one time - it's almost too easy!

2. Creating new ADMX files from scratch without the need to understand and master XML and the special syntax the templates requires. This is the "editor" part of the "ADMX Migrator" tool.
This is a very powerfull tool with lots of possibilities for admins around the world. I you haven't played with this already I will advice you to do so, you can use this link.

GPMC
At TechEd in Barcelona there was a "rumor" that Microsoft will remove the builtin GPMC from Windows Vista as part of the Vista Service Pack 1 installation. I don't know if this is true and a final decision, but it was actually stated so by the Group Policy Product Manager, Michael Dennis. The reason should be, that Microsoft received some "complaints" on the fact that every user could start this wonderfull admin tool (maybe those costumors haven't heard of Group Policy settings that disallow the use of MMC, Software Restriction policies etc.?). Well, I just think it's funny to think of a Service Pack that actually remove functionality (without replacing with anything else/better) instead of adding stuff - maybe it's just me :-)

TOOLBELT
The great guys at gpanswers.com have collected a Group policy Toolbelt that a GP admin just must have - it can be downloaded here: http://www.gpanswers.com/toolbelt. Within this "belt" you will find tools within an ISO file ready to be "mounted" or burned. The tools are anything from an ADM file that sets GPO logging level to third party utilities that makes tho job of a GP admin a bit more easy. Check it out the next time you have time to download about 70 MB - a lot better than finding the tools on diffenrent sites around the world.

THE VISTA SETTINGS
If you haven't looked on Windows Vista Group Policy news in detail yet, here is you chance to do so. Microsoft relased this Excel document (as they have done in the past) with Vista GP settings. Very interesting reading for GP nerds like myself. We now have SO many GP settings that no man can possibly contain all the great possibilities in his head so that's why we need this sheet. As mentioned in one of my articles for windowsecurity.com there will hopefully be a search option within the MMC when Microsoft released the first service pack to Windows Vista (and in Longhorn Server). It will be interesting to see how they manage to incorporate such a crucial functionality - we must have faith in those guys :)

And BTW - when you guys are changing the code anyway, why not put a "Save changes" dialog into the GPEDIT MMC like ANY other GUI that handles important system changes. I hope that we will also see some workflow handling soon, one admin that changes the GP settings and a manager that approves the changes, making them "live" in the environment. Also versioning is needed as GP's will probably "rule the world" in a few years - not just backups, but real versioning that makes it possible to spot changes made over time and to get back to a "safe" setting fast (rollback). Well, I actually know that MS is working on this too (DOPSA - Desktop Optimization Pack for Software Assurance) - but as with Christmas presents it can be hard to wait too long - I'll get back to this in a post very soon :)

If you think I haven't done anything for a while

2007-01-06T16:07:00.000+01:00

If you think I haven't done anything for a while, then please check out my articles on www.windowsecurity.com about Group Policy on Windows Vista and Longhorn Server:

http://windowsecurity.com/articles/Managing-Windows-Vista-Group-Policy-Part1.html
http://windowsecurity.com/articles/Managing-Windows-Vista-Group-Policy-Part2.html
http://windowsecurity.com/articles/Managing-Windows-Vista-Group-Policy-Part3.html

And this Danish website (in danish), http://www.tweakup.dk/, about new stuff in Windows Vista for non-IT professionals:
http://www.tweakup.dk/article/1022/dk/

I'm now an auther on the above sites, so there won't be much time to write in here - but I'll do my very, very best :-)

Hope you will enjoy - and Happy New Year BTW!

Windows Mobile Network Analyzer

2006-11-11T12:15:00.000+01:00

Troubleshooting network is not that easy on a Windows Mobile using built-in functionality. But with a new powertoy from Microsoft it's possible to perform two very basic network troubleshooting commands: PING and IPCONFIG!

Furthermore you can save a capture file (.cap) and use an external network analyzer tool so see what packets were received etc.

Check it out: Windows Mobile Network Analyzer PowerToy

Download your virtual machines!

2006-11-07T08:35:00.000+01:00

Microsoft really did a nice thing the other day, this is so kewl...

Microsoft released a few VHD files (Virtual Hard Discs) with some of their top products pre-installed! This means you can test the products and get some hands-on experience - no time wasted on installing etc.

All you need is the free Virtual Server 2005 software and then you can download the VHD files from here - fantastic!

These days VHD files are available for:
Exchange Server 2007
SQL Server 2005
Windows Server 2003 R2
ISA Server 2006

Taking a look at MS products was never this easy before... Enjoy!

Exchange 2003 in real trouble

2006-11-02T09:18:00.000+01:00

Hi,

Just wanted to share an experience I had the other day at a customer's network (a small company with around 15 guys in the sales department and a few more in administration etc.).

The local IT responsible called me and asked me if I had an idea why their Internet connection was extremely slow that Monday - it had been so since around 10:40 the same morning... Hmm, I had no idea to begin with, so we had to do some troubleshooting over the phone.

First we did some ICMP echo requests against some remote servers and I could only agree, things didn't look good - so the question was: Is this because of the ISP or some local problem?

Well, the ISP had no problems in the area they said (but it seems they never have any problems - officially). So I set up some monitoring in their Sonicwall firewall and we quickly spotted heavy action from their Exchange 2003 server. He tried to restart the server and after half an hour it actually restarted - it was under heavy load! After the reboot the network performance went bad again, so I asked him to go into Exchange System Manager (ESM) and take a look at the queues...

The queue situation turned out to be pretty ugly and it looked like the server was an open relay, hit by some SPAM/hacker attack or whatever - even though I was pretty sure everything was setup correctly and in a secure manner when I installed the server. So I grabbed my jacket and went to the customer's location.

When I arrived I could see almost 1000 queues left in retry state, each with a single message of around 1 MB. The server was responding extremely slowly and every mouse click was like an eternity. When I took a closer look at the emails it seemed as though they were all sent from an internal user, let's call him Mr. Spammer! I feared some malware had entered his computer - even though I knew he was not a local admin, they had antivirus & -spyware running, XP built-in firewall activated etc.

I went to the users seat an unplugged his computer, looked in his Event Log, running processes/services and Outlook sent items - and there it was... At 10.40 this guy actually produced an email for a high number of external receivers, probably above one thousand... That should be OK, but the thing is, he attached a 1 MB picture - this changed the story completely. Exchange simply couldn't handle that amount of traffic.

So now I was sure this was not an attack or anything - I was pretty relieved I can tell you - it was now "just" a local user who acted like a SPAMMER... An internal attack you could say. Well, I never saw that one coming!

Now I had one problem - the queues didn't go away. Restart of SMTP service didn't work, the "Default SMTP Virtual Server" queue (and pickup) directory was empty so I was left with the manual approach of deleting every item in each queue.... Or using the AQADMCLI tool.

This tool is an admins friend in situations like mine. I downloaded the tool from another server, placed it on a floppy, copied to the (offline) Exchange server and executed the file. This gives you a Command Prompt, and all I had to do was to type:

setserver SERVERNAME
delmsg flags=all

This displayed a lot of entries about queues being flushed - or messages being deleted - and then all I had to do was to type in quit. Problem solved!

So todays blog is just a small tribute to AQADMCLI and it's authors - I hope this info will come in handy someday in your admin-life :)

You can read more about the tool here.

Alt+C Vista Trick

2006-10-21T22:07:00.000+02:00

This might be a very simple trick which is known to many people out there, but I'm gonna give it out for free no matter what you say :-)

I've read and heard people complaining about the new UAC popup we have in Windows Vista - personally I really don't mind at all - but this really seems to mess people up... Before this, the same people probably complained about the lack of security in Microsoft products, talking about how wonderful Mac and Linux is to use, hmm let me stop now before I get too angry.

Well, I just want to say, that whenever you see this:

All you have to do is press [Alt]+C !!! You DON'T have to click the "Continue" button with the mouse... Once you've learned this trick, maybe you won't get so annoyed with Vista UAC behavior anymore ;-)

Do you notice the difference?

2006-10-21T10:00:00.000+02:00

Hi,

Just wanted to share this nice detail within Windows Vista Disk Management GUI... Just saw it a few minutes ago and I like it alot!

Do you notice the difference from 2000/XP/2003?

Well, now it doesn't just say "System" anymore (on the System partition/volume), now we have some great detail on the functions each partition/volume has on the computer... This would be "System" (the boot files), "Boot" (the Windows files), "Page Files" (we have the Page File on this partition), "Active" (the partition is used by the BIOS), "Crash Dump" (on system failure we use this drive to store the Kernel memory dump) and "Primary Partition" (the partition type, could be "Extended" etc.)...

Well, maybe I'm crazy - but I really like this detailed info right there in Disk Manager :)

Am I command prompt admin?

2006-10-13T20:52:00.000+02:00

Have you ever been in a situation where you wanted to know whether you are logged into a Windows Vista command promt as an administrator or a limited user?

Well, this is a small tip to let you SEE the difference :)

We have a registry key that gives us an option to autorun a specific BAT file whenever a command prompt is executed:

HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\

All you need to do is to add a String value called "autorun" and point to the BAT file we will create in a few seconds... Use "quotes" in the path, like in my case: "C:\!MY AREA\admintest.bat"

The BAT file itself needs to include the following code:

@echo off
pushd %SystemRoot%\System32
set ADMINTEST=~_~_ThisGottaBeUnique_~_~
:START
MD %ADMINTEST% > NUL 2>&1
if exist %SystemRoot%\System32\%ADMINTEST% GOTO ADMIN
GOTO END
:ADMIN
color 5f
RD %ADMINTEST%
:END
set ADMINTEST=popd

Basically it tries to create a (hopefully) unique directory below "Systemroot\System32" and tests if it succeedes, as only admins can create directories at that location it is pretty simple to figure out.

The rest is just setting the COLOR of the CLI background.

This picture shows the elements needed to perform this little trick - two different CLI's, one as a limited user (black) and one as an admin (purple) - the last title bar still shows "Administrator: Command Prompt" which is the only 'hint' we have by default.

In the background you will see the registry setting as well as the BAT script... I hope you can use this IRL, if not... it's still pretty kewl :)

Windows Vista beta - build 5744.16384

2006-10-07T00:34:00.000+02:00

In case you didn't know, Microsoft just released Windows Vista build 5744.16384 - the release which is also called RC2 - on https://connect.microsoft.com, but this is only for beta testers right now.

According to different sources a more "public" release will arrive very soon - like MSDN, "second-wave beta testers" and perhaps others...

We still don't need new keys!

The ISO files you need are the following:
0x523B6D3A:
vista_5744.16384.061003-1945_x86fre_client-LRMCFRE_EN_DVD.iso

0x0F8131AB:
vista_5744.16384.061003-1945_x64fre_client-LRMCxFRE_EN_DVD.iso

Have a nice testing time - I'm downloading as I write, simply can't wait to check out this thing :)

EDIT:
The release is now available to the public - all you need is a key (or you will only have Vista in a trial period of 14 days I beleive), go here to download:
http://download.windowsvista.com/preview/rc2/en/download.htm

Windows Vista beta - build 5728.16387

2006-09-24T16:56:00.000+02:00

If you haven't already downloaded the latest Vista beta build (the first public version after build 5600 =RC1), then you have the option from these links:

x86 (approx. 2.6GB) - or - x64 (approx. 3.6GB)

Important information:
"This build (5728) has a number of improvements and updates from RC1, but has not been put through the same internal testing process as RC1 and therefore may be unstable in certain installations. We are making this release available for a limited time only (and only by download) in order to get broad distribution and testing in a variety of PC configurations. Please note: This build may not have the same level of support or servicing via Windows Update, and you may not be able to upgrade to the final version of Windows Vista."

Terminal Services Client v6 - RC1

2006-09-24T16:38:00.000+02:00

Microsoft released v6 of the RDP client just the other day.

It looks a bit different than the former versions:

But it's not just the icon and some colors that has changed - let's take look at some changes... First of all the RC1 version is called 6.0.5600.16384 - to some extend indicating that this is from Vista build 5600 (=Vista RC1).

The first cool thing I notices was, that this version is installed like any other update to the OS - not like a separate application as it used to. This provides us with a new MSTSC.EXE file - so when launching the executable (without a path) we get the latest version (earlier it didn't replace the builtin version of MSTSC (v. 5.1.2600.2180) - I'll get back to this in a moment) - also it doesn't force an installation into "Accessories" either, both "features" that made some of us kinda frustrated).

I usually start the RDP client from a command prompt with some switches "MSTSC /v 192.168.170.100 /console" for instance brings me to the active session (console) of 192.168.170.100. Now this finally works without mistakenly launching an old version of the client (namely the builtin version placed in the Windows folders with a system environment path to it) - earlier version "upgrades" of the RDP client (like version 5.2.3790.1830 from the Windows Server 2003 R2 CD I believe) placed itself in "%programfiles%\remote desktop" instead of replacing the MSTSC.EXE file in the "%windir%\system32" folder). Well, now this works - great job!

Lets take a quick look at some differences between the versions:

This is version 5.1.2600.2180 (notice that there is no Security or Advanced tab):

This is version 5.2.3790.1830 (notice we now got a Security tab):

This is version 6.0.5600.16384 RC1 (now the Security tab is gone and the Advanced tab is introduced):

So what is the difference then? Well, the first 5 tabs - General, Display, Local Resources, Programs and Experience haven't changed since the builtin release... The Security tab (which might have been there in versions in between, I'm not sure) in version 5.2.3790.1830 brings us authentication of the remote system - see more detailed info right here! The tab looked like this:

Well, in the RDP v6 RC1 version the tab was renamed to Advanced and it now looks like this:

The top part is like the Security tab - but now we also have the "Connect from anywhere" section where we can configure Terminal Services Gateway settings.

Where can I get it? It's currently available on http://connect.microsoft.com for Vista/Longhorn BETA testers.

Enjoy :)

Vista RC1 productkeys available!

2006-09-15T09:29:00.000+02:00

Vista productkeys should be available right here (you need to use your Passport):
http://www.microsoft.com/windowsvista/PCTrialResults1.aspx?s=37&refer=%2Fwindowsvista%2Fgetready%2Fpreview.mspx

If the above doesn’t work – try this link:
http://www.laboratoire-microsoft.org/n/22215/ (the site looks kinda funny, but it works!)…

Remember that you can activate your product key up to 10 times!

Download Windows Vista Pre RC1 build 5536

2006-08-29T19:38:00.000+02:00

Microsoft released Windows Vista Pre RC1 build 5536 to the public - but you need to act fast, only 100.000 downloads will be available...

http://download.windowsvista.com/preview/prerc1/en/download.html

NETSHELL - Tip #1

2006-08-26T18:06:00.000+02:00

The NETSH(ell) command is a very powerful tool included in the Windows 2K+ systems. The following article brings you a few tips on using this command - have a nice one!

A)
I have seen a problem a few times where Windows XP computers do not want to change their IP addresses after a move from one network to another. It's like some part of the computers IP stack is still attached to the old IP address - and this happens even though you use IPCONFIG /RELEASE & /RENEW!

Well, in this case the NETSH command is very useful, try this:

NETSH INT IP RESET C:\IPRESET.TXT

After executing the command you IP stack is rebuild in a few seconds.

B)
Some spyware and other awful software replaces parts of the Winsock Catalog for "sniffing" purposes - when this crap is removed (by anti-spyware apps for instance) you will sometimes find that your Internet connection is no longer up and running. In this case try the following command:

NETSH WINSOCK RESET

After executing the command you must restart your computer for the changes to take effect. When the system is back up and running you may have to reset the IP stack (tip 1A) - and you should be up and running again now.

C)
Within Help & Support you may have found the Network Diagnostics Tool which tests the computers network access in detail - it's actually pretty good, but seldom used I think. If you (like myself) are a command line junkie, you (or a user) can launch the tool by running the following command:

NETSH DIAG GUI

After executing the command a nice HTML interface (The Help & Support page) pops up and you can click "Scan your system" which will end up with a network report.

All for now - CYA!

Windows Live Writer (beta)

2006-08-14T23:36:00.000+02:00

This is a test Windows Live Writer beta!

Please check out this great tool here:

http://windowslivewriter.spaces.live.com/blog/

The Virtual Direct Push Setup (VDPS part 3)

2006-08-04T01:50:00.000+02:00

The Virtual Direct Push Setup (VDPS part 3)
Please be sure to checkout part 1 & part 2 of the VDPS article also :)

This VDPS article covers functionality of the "Virtual Machine Network Driver" (VMND) and links to really nice external information.

Testing SMS and other phone stuff
You can use the VMND to test different phone features too. You could try to send an SMS message by doing the following on the mobile device:
- "Start" > "Messaging"
- click "Menu" > "Switch Accounts..."
- select "Text Messages" > click New
Send an SMS to phone# 0010001 with some message and click "Send".
Within no time you receive a message from 0010001 with the same message as you sent before.

You can test emergency calls - like: 911
A phone line that is allways Busy: 7272024
A phone line which is never answered: 7272773

More info here: http://blogs.msdn.com/barrybo/archive/2005/09/17/469702.aspx

More information needed!
Download or view this cool video which inspired me to create the VDPS articles:
http://msexchangeteam.com/videos/9/train/entry426996.aspx

Microsofts "Step-by-Step Guide to Deploying Windows Mobile-based Devices with Microsoft Exchange Server 2003 SP2":
Look here

What is next?
Next time I have a hard time sleeping I'll expand the VDPS articles with:
- "Remote Wipe" and the "ActiveSync Web Administration Tool"
- "Device security" settings (in ESM) and how they apply to the device
- Direct Push and encryption using HTTPS (SSL)
- The mentioned features from an ISA 2004/2006 admins point of view

The Virtual Direct Push Setup (VDPS part 2)

2006-08-03T23:18:00.000+02:00

The Virtual Direct Push Setup (VDPS part 2)!

Be sure to check out VDPS part 1 http://heidelbergit.blogspot.com/2006/08/virtual-direct-push-setup-vdps-part-1.html first :)

Well, the virtual domain environment is up and running, now for the funny part.

On "DC" create a new user account called "mobile" and be sure to create a mailbox for the user also - make the password something relatively easy for testing purpose, like "Start123" (must be uppercase + lowercase + numbers by default). From now on just minimize the "DC" VM to save on performance - the rest of the time all we need it love... No, the Exchange server of course - Doh! If nothing else is stated, please use the "EXCH" VM from now on (maybe even in Full Screen mode for better performance.

On "EXCH": From the OWA (http://localhost/exchange - logged in as Administrator) send a test email to "mobile". Hopefully no error messages will return :)

Open Exchange System Manager (ESM) on "EXCH" - expand "Global Settings" > Right click "Mobile Services" and select Properties. On the "General" tab select "Enable user initiated synchronization" AND "Enable Direct Push over HTTP(s)". For now we will not set up any "Device Security" options - but we will test this out later on! For now just select "OK" and close down ESM. Exchange is now ready to handle Direct Push... See picture.

Now we get to the "Virtual Machine Network Driver for Microsoft Device Emulator". Copy the "netsvwrap.msi" file to "EXCH" (use the "drag and drop" feature in VPC) and execute the file (next, next, next etc.).

Now we need the "Standalone Device Emulator 1.0 with Windows Mobile OS Images"... First copy the downloaded Device Emulator files to "EXCH" - then extract the downloaded "V1Emulator.zip" file, and run: "standalone_emulator_V1.exe" (next, next, next etc.). Next execute the "efp.msi" file (next, next, next etc.). Now you are all set :)

Go to "Start" > "All programs" > "Microsoft Windows Mobile 5.0 MSFP Emulator Images" > click "PocketPC - Coldboot"... This is what you should see after some time (typically a few minutes).

- Note: MSFP (Messaging and Security Feature Pack) is required on the Windows Mobile 5.0 device - we are "lucky" that Microsoft provided a Mobile OS image with this Feature Pack on it. This image is a great part in making the VDPS possible...!

Now - within the "WM 5.0 MSFP" mobile device click "Start" > "Programs" > open "ActiveSync". In ActiveSync click "Menu" > "Add Server source", in the field "Server address" specify the (static) IP address of you virtual Exchange server and uncheck the "This server requires an encrypted (SSL) connection" checkbox. Say "OK" to the "Security Warning" that pops up - IRL you should of course use SSL, but this is just a first glance at Direct Push, so no need to get too complicated at this point. You should now see this.

Click "Next" - on the "Edit Server Settings" page specify "User name" (mobile), "Password" (Start123) and Domain (whatever you named your AD domain). Remember to enable/check the checkbox "Save password (required for automatic sync)". This is what you should see now. Let's just ignore the "Advanced" button for now and click "Next". Please also ignore the "Settings" button at the next screen and click "Finish". The mobile device will try to synchronize with our Exchange server - but fails...

It fails because no network connection have been established yet on the mobile device - so don't worry too much yet. The network driver we installed earlier sets up some functionality that I'm going to cover in detail later on (VDPS part 3)- but the most important thing to know right now is, that it creates the "Fake Network" which is used to communicate with the virtual Exchange server.

To establish the needed network connection, click the "antenna" icon at the top of the screen (still within the virtual mobile device). You will see a dialog like this. The dialog states "This network card connects me to: The Internet (or work via VPN)" (default choice) - let's just click "Connect"!

Next click "Sync" to manually initialize the first synchronization from the mobile device - hopefully your device will successfully contact the Exchange server and perform the sync nicely - like you see here - and when finished you should see something similar to this.

As you may claim, we haven't really performed a Direct Push of mail yet - but now it's time for the big test... On the mobile device close the "ActiveSync" application, the "Programs" folder and you should see the default startup view.

Now, on "EXCH" log on to OWA and send "mobile" another test email. A short moment after you click "Send" you should see the sync process starting on the mobile device. And after a few seconds a popup should be displayed (the "New E-mail Messages" popup). Click "Dismiss" and you should be "back where we started" - only now we have 2 unread e-mails!

Well - all for now - CYA!

Check out the VDPS part 3
http://heidelbergit.blogspot.com/2006/08/virtual-direct-push-setup-vdps-part-3.html