April 2007 - Posts

Take a break and relax

in one of these shirts...

Susan Bradley gave me a great idea the other day, so today I went to the Cafe Press and designed a couple of t-shirts, featuring one of my underwater photos on the back. It was mostly just for fun, but it came out pretty well I think.

Oh, and if you have ever trekked down the beach toward 7-degree water, wearing a 400-weight undergarment under your dry suit, a 30 kg tank, and 15 kg of lead, you know exactly what the saying on the front means.

Turn off RPC management of DNS on all DCs
By now you have probably seen:

http://www.microsoft.com/technet/security/advisory/935964.mspx

Microsoft recommends you mitigate the problem by disabling RPC management of the DNS service. The advisory gives the registry value to set, but no script to set it on a large number of DCs or DNS servers.

Here is how you do it at scale:

  1. Generate a list of all your DCs or DNS servers, one server name per line with no header, and put it in a file called DCList.txt. You can generate the list by right-clicking the Domain Controllers OU and selecting "Export List...", but note that the exported file has a header row and tab-separated columns, so it needs the slightly modified loop shown further down. If you need a more complicated list, write a query to get them; below I show how to do that.
  2. Log on as an Enterprise Admin (or a Domain Admin if you only have one domain). The account needs administrative rights and Remote Registry access on every server in the list, because reg.exe writes to the remote registry.
  3. Run this command in the directory where you put the DCList.txt file. (If you put it in a batch file instead of typing it at the prompt, double the percent signs: %%i.) The /f switch makes reg add overwrite an existing value without prompting; without it the loop stalls on the first server where the value already exists.
    for /f %i in (DCList.txt) do reg add \\%i\HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters /v RpcProtocol /t REG_DWORD /d 4 /f

That will change the setting on every server in the list. To set it back to the original you would run this command instead:

for /f %i in (DCList.txt) do reg delete \\%i\HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters /v RpcProtocol /f

Both changes take effect only after the DNS service is stopped and restarted. You can use these commands for that:

for /f %i in (DCList.txt) do sc \\%i stop DNS
for /f %i in (DCList.txt) do sc \\%i start DNS

Note that sc stop returns as soon as the stop request has been accepted, not when the service has actually stopped. Give the first loop a moment to finish (or confirm with sc query that each server reports STOPPED) before you run the second one; otherwise some of the starts will fail because the service is still in STOP_PENDING.

To generate a list of DCs, you can use the Saved Queries feature of Active Directory Users and Computers. Here is how:

  1. Open Active Directory Users and Computers
  2. Right-click Saved Queries and select "New Query"
  3. Name the query "Domain Controllers" and click "Define Query"
  4. In the "Find" dropdown select "Computers"
  5. In the "Role:" dropdown select "Domain Controller"
  6. Click OK Twice
  7. Select the query. You should now see all your DCs in the right-hand pane.
  8. Right-click the query and select "Export list..."
  9. Save it somewhere as DCs.txt.
  10. Alternatively, run "netdom query dc > DCs.txt" at a command prompt. In that case you need to delete the last line of the file ("The command completed successfully.") before you run the rest of the commands; otherwise the loop will try to set this value on a computer called "The".
  11. Navigate to that directory. Because the exported file starts with a header row and is tab-delimited, you need to modify the for loop slightly: skip=1 drops the header line and tokens=1 takes only the first column, the computer name. The following command will parse the file properly and disable RPC management of DNS on all DCs.
    for /f "skip=1 tokens=1" %i in (DCs.txt) do reg add \\%i\HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters /v RpcProtocol /t REG_DWORD /d 4 /f

Using this file, the commands to stop and restart the DNS service need the same modification (and the same pause between stopping and starting):

for /f "skip=1 tokens=1" %i in (DCs.txt) do sc \\%i stop DNS
for /f "skip=1 tokens=1" %i in (DCs.txt) do sc \\%i start DNS
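The same procedure as a single script, added here as an example; it is not part of the original post or of the Microsoft advisory. It reads the server list from a file in either of the two shapes described above (the "Export List..." file with its header row, or the output of netdom query dc with its trailing "The command completed successfully." line), records the current RpcProtocol value, sets it to 4 (or deletes it with -Revert), then restarts the DNS service and waits for the stop to finish before starting it again. It talks to the Remote Registry service and the service control manager, the same channels reg.exe and sc.exe use, so it needs no WinRM on the DCs. The file name DCs.txt, the -Revert switch name and the sample run below are my assumptions; you need to run it as an account that is an administrator on every listed server.

```powershell
# Added example, not from the original post or the advisory.
# Apply (or revert) the RpcProtocol workaround on every server listed in a
# text file, restart DNS on each, and report the before/after values.
param(
    [string]$ListFile = '.\DCs.txt',   # assumed file name; ADUC export or netdom output
    [switch]$Revert                    # delete the value instead of setting it to 4
)

$KeyPath   = 'SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName = 'RpcProtocol'
$LpcOnly   = 4   # per the advisory: restrict DNS RPC management to local (LPC) calls

function Get-ServerList {
    param([string]$Path)
    # First tab- or space-delimited token of each line; skip the header line,
    # blank lines, and the "The command completed successfully." netdom trailer.
    Get-Content -Path $Path | Select-Object -Skip 1 | ForEach-Object {
        $token = ($_ -split '[\t ]+')[0]
        if ($token -and $token -ne 'The') { $token }
    }
}

function Set-DnsRpcProtocol {
    param([string]$Server, [switch]$Revert)
    # Same mechanism as "reg add \\server\HKLM\...": the Remote Registry service.
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $Server)
    try {
        $key = $hklm.OpenSubKey($KeyPath, $true)
        if (-not $key) { throw "DNS Parameters key not found; is the DNS service installed?" }
        $before = $key.GetValue($ValueName)   # keep the old value so you can roll back
        if ($Revert) {
            if ($null -ne $before) { $key.DeleteValue($ValueName) }
        } else {
            $key.SetValue($ValueName, $LpcOnly, [Microsoft.Win32.RegistryValueKind]::DWord)
        }
        $after = $key.GetValue($ValueName)
        $key.Close()
    } finally {
        $hklm.Close()
    }
    New-Object -TypeName PSObject -Property @{ Server = $Server; Before = $before; After = $after }
}

function Restart-RemoteDns {
    param([string]$Server, [int]$TimeoutSec = 120)
    # Unlike "sc stop", wait until the service really reports Stopped before starting it.
    $svc = New-Object System.ServiceProcess.ServiceController('DNS', $Server)
    if ($svc.Status -ne 'Stopped') {
        $svc.Stop()
        $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds($TimeoutSec))
    }
    $svc.Start()
    $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds($TimeoutSec))
    $svc.Status
}

foreach ($dc in Get-ServerList -Path $ListFile) {
    try {
        $r     = Set-DnsRpcProtocol -Server $dc -Revert:$Revert
        $state = Restart-RemoteDns -Server $dc
        "{0}: {1} {2} -> {3}, DNS service {4}" -f $r.Server, $ValueName, $r.Before, $r.After, $state
    } catch {
        # One unreachable or non-DNS server should not abort the whole run.
        Write-Warning "$dc`: $_"
    }
}
```

Run it as .\Set-DnsRpc.ps1 -ListFile .\DCs.txt to apply the workaround and with -Revert to remove the value again once you have patched. Because every server is wrapped in its own try/catch, a DC that is offline or does not run DNS is reported as a warning and the loop continues; the printed before/after values give you the record of what was changed where.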

Hopefully this will help people mitigate this problem a bit faster than having to do manual registry changes everywhere.

You gotta wonder

This is just great! The day after I won a million Euros in the U.K. National Lottery I won the same amount in the East-West Australian Lottery! Just look at this e-mail I just got:

I can't figure out why these people keep giving me such vast sums of money just because I have an e-mail address! That's awesome. I should get another e-mail address. Maybe I never have to work again?

You really have to wonder though, do people actually fall for this crap? Does the weird batch number really mean people think it's real? Let's see how many clues there are in this e-mail:

  1. Australia does not use Euros. It would make relatively little sense for them to have a lottery that gives away prizes in Euros. But, then again, this is probably destined for Americans; who think Australia is a small town in Idaho.
  2. The return e-mail address is incomplete, but then again, do people notice such small details?
  3. I'm not sure what the deal is with "Bank's Name:Bank Name: laagste Bank B.V." but that doesn't look like any Australian bank, or any other bank I know for that matter.
  4. "0031 616 293 431" is not a valid international calling convention in most countries (although I think it would work in Australia, ironically, if the area code were not fake). The normal way to write it would be "+31". Besides, if you call +31..., you would end up in the Netherlands, not in Australia.
  5. The e-mail address I am supposed to contact has a .pl extension. That's Poland, not Australia, nor the Netherlands.
  6. And, finally, if you don't play the lottery, it is quite unlikely you are going to win!

All in all, not the perfect crime; and yet, I get several of these a week. As a friend of mine once said at a conference "clearly, someone is buying ***** enlargement pills!" It's gotta work sufficiently well to make it worthwhile for the criminals. Clearly, there must be enough people out there who have enough of a clue to be able to receive e-mail, but not enough to understand that nobody is going to give them a million Euros for that feat.

I've said many times (cf. http://www.microsoft.com/technet/technetmag/issues/2006/07/SecurityWatch/default.aspx) that those of us in the InfoSec field need to take it upon ourselves to help others become more paranoid and better able to fend for themselves in security. Typically I am met by blank stares and hostile claims that "users are too stoopid to be taught and need to be prevented from doing stoopid things instead." Then we recommend that they buy some "360" security suite that provides "total peace of mind for your activities online". Tell me, someone, what software will protect me from willingly sending an e-mail to some "bank" in Poland and giving them my personal information?

I'd also like to question the purported stupidity of end-users. Who are these people we deal with? Who is it that is smart enough to learn a written language, has enough job skills to earn money to purchase a computer, or at least time on one, is capable of signing up for an e-mail account and even good enough to write e-mail; but is too stupid to be taught, inside the span of about 10 minutes, that any e-mail message that claims they won one million anything, just by having an e-mail address, is FAKE?!? I mean, do we really have such poor people skills that we can't explain that fundamental concept to someone so smart they can write and send e-mail messages? I'd say that the failure lies not with the end user, but with the technologist who is unable to explain even the most basic concepts to the end user. It's really not that high a bar, folks! Let's do our share to spread the word. If nothing else, if people stop falling for this nonsense, our mail boxes would be much cleaner.