Windows 2008

GPO Search Tool


My colleague Alex Verboon posted a link the other day to a great tool for GPO. Take a look:

http://gps.cloudapp.net/

How do I: Rejoin a computer to the same account?


A pet hate of mine is the creation of new computer accounts (ahhh) for machines that have been reimaged; rejoining the same account is actually really simple!

  1. Open up AD Users & Computers
  2. Find your computer account
  3. Right click and hit “Reset”
  4. Join the computer to the domain with the old account.

Bam, the computer's back on the domain with the same name and groups! Simple.
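The same reset-and-rejoin as a script, added here as an example and not code from the original post; the computer name and domain are assumptions, and `dsmod computer -reset` is the command-line equivalent of the ADUC “Reset” click:

```powershell
# Added example, not code from the original post: scripted equivalent of the
# ADUC "Reset" right-click followed by the rejoin. Names are assumptions.
Import-Module ActiveDirectory

$computerName = 'WS-0042'            # assumed: name of the reimaged machine
$domainFqdn   = 'corp.example.com'   # assumed: domain it belongs to

# Step 1, on an admin workstation: reset the existing account. This puts the
# machine password back to its initial default, so do it right before the
# join rather than days ahead; until the join completes, any host using
# that name could authenticate as the reset account.
$before = Get-ADComputer -Identity $computerName -Properties MemberOf
dsmod computer $before.DistinguishedName -reset

# Step 2, on the reimaged machine: the join reuses the account because the
# name matches an existing object, so the SID and group memberships are kept.
Add-Computer -DomainName $domainFqdn -Credential (Get-Credential) -Restart

# Step 3, back on the admin workstation after the reboot: confirm it is the
# same object (same SID, old creation date) and that the groups survived.
$after = Get-ADComputer -Identity $computerName -Properties MemberOf, whenCreated
'{0}: SID={1} created={2}' -f $after.Name, $after.SID, $after.whenCreated
'Same object as before the reimage: {0}' -f ($after.SID -eq $before.SID)
$after.MemberOf | ForEach-Object { "  member of $_" }
```

Step 2 runs on the reimaged machine itself; steps 1 and 3 run from wherever the ActiveDirectory module is installed.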

Hydraq IE 0 Day Exploit (Symantec)

What does Hydraq do?

Hydraq is a targeted attack that installs itself on a user’s computer or an organization’s server. It then can be used to search an organization for private information. Hydraq can capture and forward all information from an infected computer, including a live feed of windows on a screen and all information typed on the keyboard. Hydraq can also be remotely updated to perform additional tasks, including attempting to compromise other machines.

How does Hydraq infect a computer?

Typically an email is sent to an individual or small group of individuals within an organization. All efforts are made to make the email look legitimate, that is, it will appear as though it was sent by somebody the recipient trusts. The subject matter will often be related to the recipient’s area of business. In order to install the malware, the user must be tricked into either clicking a malicious link or opening an attachment. Both methods then exploit a vulnerability to install the Trojan onto the machine.

What is the current state of Hydraq?

At this time, the command and control servers are no longer active so any of the Hydraq trojans still remaining in the field are effectively non-functional. Symantec has released definitions to detect and remove infections of the Hydraq trojan.

Customers are encouraged to follow best practices in general and specifically to update to the latest patches available for Adobe Acrobat, Adobe Reader, and Adobe Flash Player. See: Adobe APSB09-10. At this time a patch is not available for Internet Explorer, but IPS signatures have been released by Symantec which block exploitation of both vulnerabilities.

Information on Hydraq
Symantec customers are protected

Our product and services teams discuss how Symantec customers are effectively protected from this threat.

Symantec Protection Suite

The Hydraq attacks were targeted at the core security infrastructure of organizations. Multiple layers of defense bolster an organization’s ability to defend against such attacks. Symantec Protection Suite users have a robust defense at the gateway with Brightmail Gateway for SMTP email security, along with Web Gateway for Web traffic and usage, ensuring that an organization is able to monitor all incoming and outgoing mail and Web traffic – constantly monitoring for and stopping threats. The Protection Suite ensures endpoints are clean with its market-leading Endpoint Security product. Finally, by having access to Symantec’s Backup Exec for desktops and laptops, in the event an endpoint is infected, doing a complete re-image is quick and easy, ensuring up-time and employee productivity. Symantec’s security products are backed by our Global Intelligence Network, ensuring customers are protected and up-to-date on rules and signatures.

Symantec Security Information Manager

A number of these attacks were achieved using a combination of attack vectors, resulting in back door Trojans being installed. Security Information Manager can effectively collect and prioritize these events as they occur across the layered security solutions that need to be deployed to protect against a broad variety of these attack vectors. Security Information Manager can further contribute global intelligence to the correlation process to include malicious IP, Worm IP and Botnet IP lists that can be manually updated to automatically conclude incidents around this particular attack. Early detection of single exploited attack vectors may provide preemptive visibility to attacks before they can fully execute.

DeepSight Early Warning Services

Symantec DeepSight Early Warning Services provides actionable intelligence covering the complete threat lifecycle, from initial vulnerability to active attack. On January 15 we published a journal about a new unpatched Microsoft Internet Explorer vulnerability, which is leveraged by malware identified by Symantec as Trojan.Hydraq. DeepSight Analysts continue to provide updates to this evolving threat as new information becomes available. DeepSight subscribers benefit from personalized notifications and expert analysis (including patches, countermeasures and workarounds) to better protect critical information assets against a potential attack.

Symantec Managed Security Services

Symantec Managed Security Services monitors over 800 customers (including 92 of the Fortune 500). In response to this threat, Symantec MSS updated our detection capabilities for both the targeted Trojan.Hydraq as well as exploits against the recent IE vulnerability. This monitoring includes customers’ firewalls, intrusion detection sensors (IDS), web proxies and system logs. As this threat is primarily client side, any clients with our Managed Endpoint Security service also received updates to protect their endpoints from this attack. Our SOC Analysts are available to work with customers to take proactive steps to mitigate the IE vulnerability within their enterprise as needed.

Symantec Critical Systems Protection

The focus of these attacks was to steal intellectual property. Symantec Critical Systems Protection plays a significant role in defending this data by placing constraints around which users and applications have access to sensitive data. Any unauthorized users or applications would have been denied access to the data and an alert would have been generated by making the attempt. Additionally, Symantec Critical Systems Protection provides out-of-the-box protection against both known and unknown remote code execution attempts.

Altiris Total Management Suite

With this attack, Total Management Suite customers benefit from the ability to gain complete visibility into their IT environment. Users run accurate asset inventory reports to react quickly to threats and vulnerabilities and take the necessary steps to remediate. Total Management Suite will have quickly found the necessary software updates and/or patches then run automatic processes for all assets – like upgrading to IE 8 in this case. Total Management Suite also generates reports to ensure successful updates or migrations, and update asset inventory reports to prepare for ongoing management.

Symantec Hosted Services

Trojan.Hydraq spans multiple communication protocols and can evade signature-based detection. Symantec Hosted Services help protect against converged threats that span email, Web, and instant messaging. Our proprietary heuristic technology for malware and spam filtering captures and shares threat intelligence across these protocols and provides identification of previously unseen threats. All of this is managed via a single, integrated security management console that simplifies administration while increasing visibility and control.

Finding when a user last logged on


In this case ADSIEdit.msc is our friend (it is found in the Windows 2003 support pack, under Administrative Tools on your 2008 DC, or in the RSAT pack on Windows Vista / 7). So open up adsiedit.msc, connect to your Domain naming context, navigate to the user's account, right click and go to Properties.
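The attributes the ADSIEdit properties page shows can also be pulled by script, and doing so from every DC matters: `lastLogon` is stored per DC and never replicated, while the replicated `lastLogonTimestamp` lags by up to 9 to 14 days by design. The following is an added example, not code from the original post; the user name is an assumption.

```powershell
# Added example, not code from the original post: read lastLogon from every
# DC (it is never replicated, so one DC gives only a lower bound) and the
# replicated lastLogonTimestamp (coarse by design). User name is assumed.
Import-Module ActiveDirectory

function Get-LastLogonAcrossDCs {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $latest = [datetime]::MinValue
    $source = $null
    foreach ($dc in (Get-ADDomainController -Filter *)) {
        try {
            $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                            -Properties lastLogon -ErrorAction Stop
        } catch {
            Write-Warning "Skipping $($dc.HostName): $_"
            continue
        }
        if ($u.lastLogon -and $u.lastLogon -gt 0) {
            $t = [datetime]::FromFileTime($u.lastLogon)
            if ($t -gt $latest) { $latest = $t; $source = $dc.HostName }
        }
    }
    $lastLogon = $null
    if ($source) { $lastLogon = $latest }

    # Replicated, so any DC will do; fine for stale-account sweeps, while the
    # per-DC lastLogon above is the value you want during an investigation.
    $r = Get-ADUser -Identity $SamAccountName -Properties lastLogonTimestamp
    $replicated = $null
    if ($r.lastLogonTimestamp) {
        $replicated = [datetime]::FromFileTime($r.lastLogonTimestamp)
    }

    [pscustomobject]@{
        User               = $SamAccountName
        LastLogon          = $lastLogon      # newest value seen on any DC
        ReportedByDC       = $source
        LastLogonTimestamp = $replicated
    }
}

Get-LastLogonAcrossDCs -SamAccountName 'jdoe'   # assumed user
```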


Windows 2008 Active Directory (New forest)

Hi, I am going to start a series of blog entries on setting up a Windows 2008 based infrastructure. This may be helpful as a reference for system administrators with limited experience of Active Directory and other Windows 2008 features who need a guide to setting up 2008 related infrastructure.

In this entry I will start off by showing how to set up a Windows 2008 based Active Directory domain; this will be based on a NEW domain.

So let's start!!

Pre-Start Checklist

  • Install the latest Windows updates (Click Start > All Programs > Windows Update)
  • Uninstall the IPv6 interface on your network card
  • Set your network card's address statically, and set its DNS server to the IP you have given the machine

Installing Active Directory

Unlike previous versions of Windows, the start-up page you see when you log in no longer lets you add Active Directory via the GUI. It's not really a big deal to be honest: if you're going to be installing Active Directory you should know what the commands are. Click Start > Run > type “dcpromo”.

[Screenshot 1: Active Directory binary checks]

From here you can see that Windows 2008 is doing some checks to make sure the Active Directory Domain Services binaries are installed; I have done this on purpose to show that Windows 2008 is now smart enough to install the basics first. After this screen you will be shown the Active Directory Setup Wizard.

It is important to note at this stage that certain base services need to be installed to provide certain functionality in Windows 2008; in this case it's AD DS.
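The same new-forest promotion can be driven from a dcpromo answer file instead of clicking through the wizard (the wizard's “Export settings” button produces this format). This is an added example, not code from the original post; domain names, paths and functional levels are assumptions, and the DSRM password is prompted for rather than written into the script:

```powershell
# Added example, not code from the original post: unattended new-forest
# dcpromo. Domain names, paths and functional levels are assumptions.
$answerFile = Join-Path $env:TEMP 'dcpromo-newforest.txt'

# Prompt for the Directory Services Restore Mode password instead of
# hard-coding it in the script.
$secure = Read-Host -Prompt 'Directory Services Restore Mode password' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$dsrm   = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# ForestLevel/DomainLevel 3 = Windows Server 2008 functional level.
@"
[DCInstall]
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=corp.example.com
DomainNetbiosName=CORP
ForestLevel=3
DomainLevel=3
InstallDNS=Yes
CreateDNSDelegation=No
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=$dsrm
RebootOnCompletion=Yes
"@ | Set-Content -Path $answerFile -Encoding ASCII

# The answer file now holds the DSRM password in clear text, so run dcpromo
# and delete the file whether or not the promotion succeeds.
try {
    dcpromo.exe "/unattend:$answerFile"
} finally {
    Remove-Item -Path $answerFile -Force -ErrorAction SilentlyContinue
}
```

Run this from an elevated prompt on the freshly built server after working through the checklist above; dcpromo still performs the same binary checks and then promotes without further prompts.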

