One of the things that annoys me with Forefront is the inability to scan multiple selected machines from the console.
One way around that is to use the command line and mpcmdrun.exe.
mpcmdrun.exe is the Forefront command-line tool for pulling information from the client, but it can also be used to start Forefront scans.
"C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\mpcmdrun.exe" -Scan -scantype 1
Forces an immediate quick scan.
"C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\mpcmdrun.exe" -Scan -scantype 2
Forces an immediate full scan.
Nifty, eh?
When I get in to work and have a number of Forefront-generated alerts, I drop the machine names from the alerts into a text file.
Using PsExec I can then kick off scans of all these machines, just to make sure they are clean.
Psexec @alerted.txt "C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\mpcmdrun.exe" -Scan -scantype 1
PsExec works through the list machine by machine, but it only moves on to the next machine once the scan on the current one has completed.
For the more serious alerts I prefer to run a full scan.
Psexec @majoralert.txt "C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\mpcmdrun.exe" -Scan -scantype 2
Running a full scan this way with PsExec on 20 normal machines could take hours!
NOTE: Running a full scan on a PC won't make any friends. It will most likely generate help desk calls about why their PC is suddenly running slowly. You may want to send an email to the user in question beforehand, or not, you BOFH, you.
On the full scans, I occasionally dump out some of the logs, just to have a history file as ammo against the angry user. Forefront does include a link in the alert email, which points to a pretty SQL Reporting page, but I still like the raw data.
Psexec @majoralert.txt "C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\mpcmdrun.exe" -getfiles
This, annoyingly, drops the files on the remote machine, so I then have to bring them over to my local machine:
Robocopy "\\machinename\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Support" c:\dumps\machinename *.*
There's a much nicer guide, with pictures, on retrieving and working with the Forefront client log files here.
Should you want to run this as a scheduled task to kick off a full scan, create the task with this undocumented command:
"C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\mpcmdrun.exe" -Scan -RestrictPrivileges -scantype 2
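To tie these steps together, here is an added PowerShell wrapper (my own example, not from the original post or from Microsoft) that loops over the machine list, runs the scan through PsExec and copies the Support folder back with Robocopy. It assumes psexec.exe and robocopy.exe are on the PATH, that the targets' C$ admin share is reachable, and the Forefront paths quoted above; the -NoWait switch uses PsExec's -d so the scans start in parallel instead of running back to back.

```powershell
# Added example, not from the original post: wrap the PsExec / mpcmdrun / Robocopy
# steps in one loop so a list of alerted machines is scanned and its logs collected.
# Assumptions: psexec.exe and robocopy.exe are on the PATH, you are an admin on the
# targets, the C$ admin share is reachable, and Forefront lives at the paths below.
param(
    [string]$MachineList = 'alerted.txt',      # one machine name per line
    [ValidateSet(1, 2)][int]$ScanType = 1,     # 1 = quick scan, 2 = full scan
    [string]$DumpRoot = 'C:\dumps',
    [switch]$NoWait                            # fire and forget with psexec -d
)

$MpCmdRun = 'C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\mpcmdrun.exe'
$Support  = 'Documents and Settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Support'

$machines = Get-Content $MachineList | ForEach-Object { $_.Trim() } | Where-Object { $_ }

foreach ($m in $machines) {
    if ($NoWait) {
        # -d tells PsExec not to wait, so 20 full scans start within seconds instead of
        # running back to back for hours. Logs then have to be collected later by hand.
        Write-Host "[$m] launching scantype $ScanType (not waiting)"
        & psexec "\\$m" -d $MpCmdRun -Scan -scantype $ScanType
        continue
    }

    Write-Host "[$m] running scantype $ScanType"
    & psexec "\\$m" $MpCmdRun -Scan -scantype $ScanType
    if ($LASTEXITCODE -ne 0) {
        # PsExec returns the remote process exit code, so anything non-zero means
        # the scan did not finish cleanly; skip log collection and move on.
        Write-Warning "[$m] scan returned $LASTEXITCODE, skipping log collection"
        continue
    }

    # -getfiles dumps the client logs into the Support folder on the remote machine...
    & psexec "\\$m" $MpCmdRun -getfiles

    # ...so pull them back over the admin share into one folder per machine.
    # Robocopy exit codes below 8 mean the copy succeeded (possibly with nothing new).
    $dest = Join-Path $DumpRoot $m
    & robocopy "\\$m\C`$\$Support" $dest *.* /R:1 /W:5
    if ($LASTEXITCODE -ge 8) {
        Write-Warning "[$m] robocopy failed with exit code $LASTEXITCODE"
    } else {
        Write-Host "[$m] logs copied to $dest"
    }
}
```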
Tags: ForeFront
(or MCSE 2008 as the rest of us call it)
For reasons known only to myself, I've stupidly decided to kick off the final two MCITP: Enterprise exams, starting with 70-649.
Ah, nothing like making bets, attempting to get a bit of competition going, that you can get certified before the rest of the team.
In front of the Boss. (He's a hockey playing, beer drinking, Northern ninja for randomly appearing like that!)
Pure Muppet magic on my part! Meep.
Hum ho.
Why the Enterprise rather than the long-winded 70-647 update exam first? After skimming the objectives, it looks like less work, and studying for 749 will help out with 647, at a guess.
Check List:
Study guide: MS Press Self-Paced 70-647 Training Kit
Hands on: Build a virtual lab on Windows 2008 and use the MS Virtual Labs
Pick a date to get this done by: Monday 23rd of March 2009
Better get on with it then.
So, kick off by designing and building a small, self-contained Windows 2008 domain. This is all built on a physical machine running Windows 2008 Server x64 with 8GB of RAM, lots of hard disk space and a couple of NICs. Hyper-V is installed.
I've added three additional networks in the Virtual Network Manager: Domain_Internal, DMZ and Hyper-V_External. Hyper-V_External is connected to the router for direct Internet access.
I've built, installed the Integration tools on and patched (32 updates and 159 MB later) one VM, then cloned it (done by copying it to a new location, starting it up and running newsid) to speed things up and save download bandwidth. I should have used Windows Deployment Services (WDS), but I'll get around to that later.
The master network plan is below.

This isn’t information leakage and I haven’t forgotten to add IPv6 addresses in, just a basic network diagram!
So once everything has finished installing, on with setting it up.
Now to start going through the notes and playing!
Notes Part 1
Tags: Exams · ISA/TMG · Labs · Study · Vista · Windows 2008
Hiding from the rain this weekend, I was perusing my local book shop's new releases section when I came across a book called Daemon by Daniel Suarez. From the book's cover artwork it was obviously technology based rather than supernatural, so I picked it up and had a quick glance at it. The back cover alluded to bots getting up to mischief on a massive scale and bumping people off.
Techno-based stories can be hit or miss, but I hadn't picked one up in a while, so I grabbed a copy. With the rain pouring outside and terrible TV re-runs, I settled in with the book.
I flew through the book and finished it the next day.
Daniel is an independent systems consultant working heavily with databases and has obviously done a huge amount of research. What struck me is how realistic the technical segments were and how the themes echoed a number of conversations I've been involved in, had or listened in on. Reading the back pages, I noted that he'd been working with the guys that did the Hacking Exposed series, so I guess that's why I recognized a bunch of the attacks.
At the recent SANS conference in Sydney, over a few beers after one session, James Shewmaker was talking about similar, but more advanced, exploits he'd witnessed and was teaching his class, 504: Hacker Techniques, Exploits and Incident Handling, how to defend against. I've only had to deal with this sort of attack at a local level. It's almost scary to see these sorts of attacks put into a feasible story line with global consequences. At the same conference I was bugging Mike Poor about a course he authored on bots and worms; his passion and fascination is always infectious, so he can talk for days on the topic. Pretty much everything he talked about surfaced in the book. I wonder how much of Mike's suggestions on dealing with, subverting and defeating bots will appear in the sequel, Freedom.
One bit that did make me smile was the thought of the use of NetStumbler - surely they should have been using Kismet.
If you're looking for a good solid piece of entertainment with some scary IT implications, it's well worth a read.
Tags: Books · Real world · SANS · Security
February 14th, 2009 · 3 Comments
Had a problem user, who decided AV wasn't needed and promptly removed it from his system.
I got the call, called up the customer and politely pointed out that the Internet is full of Bad Stuff™ and it's a good idea NOT to uninstall it, especially as doing so broke IT policy.
The conversation went a bit "odd".
He knew better than any of us and bluntly informed me he never goes to bad sites or opens unknown attachments, thus he was safe. He didn't need it at home and he sure didn't need it at work. Especially as "we" used it to spy on him.
Er. Right. Okay then.
Moving along quickly. As he had local admin rights on the box, I started looking at changing registry keys to block any further uninstalling of Forefront. Yaniv Feldman came to my rescue with a new blog post on exactly how to do this, saving me quite a bit of time.
http://blogs.microsoft.co.il/blogs/yanivf/archive/2009/01/09/temper-protection-in-forefront-client-security.aspx
Sadly, Yaniv offers no suggestions on managing paranoia.
Tags: ForeFront
The folks over at TechNet Magazine have published this little gem on OCS and ISA deployment.
Worth a read if you have OCS and need the outside world to connect up to it.
http://technet.microsoft.com/en-us/magazine/dd440949.aspx
Tags: ISA/TMG
Ran into this little problem after rebuilding a Cisco ASA.
Got everything working except for RSA authentication.
DNS forward and reverse entries were in place (if you don't have a PTR record, the ACE server won't automatically resolve the FQDN), the agent on the RSA Windows ACE server was set up and set to allow all local users to authenticate, and everything seemed correct.
You need a successful authentication for the shared key to be passed to the ASA, so I tried to authenticate to the ASA with a token and it failed.
On the RSA Windows ACE server:
SecurID Helpdesk Administrator - Report - Log Monitor - Activity Monitor, set to monitor the ASA.
A "node verification failed" message was displayed at each authentication attempt.
We figured that the shared key wasn't getting to the ASA, but couldn't find any obvious place to look for it.
Then we dug out this gem:
(This is taken directly from the Cisco wiki)
I read about the .sdi file on the flash of an ASA. So what happens is, on the first authentication, the RSA hands down an sdi file to the ASA and this becomes the shared key between the 2 devices. Since the ASA had an existing key (.sdi file), the way to fix it was to simply delete the file(s).
ASA(config)# dir
Directory of disk0:/
6 drwx 8192 09:18:46 May 31 2008 crypto_archive
91 -rwx 14635008 03:08:24 Aug 12 2008 asa803-k8.bin
92 -rwx 6851212 03:10:56 Aug 12 2008 asdm-603.bin
2 drwx 8192 03:14:44 Aug 12 2008 log
93 -rwx 2153344 11:33:12 Aug 12 2008 anyconnect-win-2.2.0136-k9.pkg
99 -rwx 512 19:01:08 Aug 13 2008 10-100-1-20.sdi
ASA(config)# delete disk0:10-100-1-20.sdi
-Chop-
Removed the .sdi file, and on the first authentication everything worked as expected.
Thanks anonymous Cisco-guy and THE Bundy!
Tags: Security
We were splitting two web sites off the existing server onto two new servers. The sites all worked and resolved internally, so I created new web publishing rules on the ISA for the relocated sites and their host header names.
When attempting to access web site number two, the page displayed:
Bad Request (Invalid Hostname) - 400 Error
The web sites still worked internally, and the ISA could resolve the server host headers and browse the sites. The rule looked good, pointed to the right location and had the right ports open.
Turned on logging and watched for access to the site. No hits. Mucked around checking event logs, restarting the firewall services and tweaking the rule. No joy.
Got a pencil and paper out and went through my deployment notes, ticking off each step. Got to the web listener for site two and immediately found the problem. I had done a copy and paste of the rule and web listener and hadn't changed the IP address of the second web listener to its new address. It was still using the first listener's IP.
Added the correct IP address and everything worked as expected.
Meep
Tags: ISA/TMG

SANS Canberra 2009
The folks from SANS are back in the capital city again. Four tracks are being run this time:
504: Hacker Techniques, Exploits and Incident Handling - John Strand
508: Computer Forensics, Investigation, and Response - Rob Lee
401: Security Essentials Boot Camp - Mark Hofman
560: Network Penetration Testing and Ethical Hacking - Bryce Galbraith
Having dropped Mark with a large bar tab, forced John to talk for two hours despite jet lag and sleep deprivation, attempted to point out the Southern Cross to Bryce in a cloud-covered night sky and been randomly lasered in the back of the head by Rob, I can honestly say this should be a great and highly entertaining group of instructors to have in Canberra.
Shearwater are managing the conference again, so expect a smooth, well-oiled event.
My biggest hope is to drop one more round of shots on Mark's unsuspecting bar tab, er, be able to take the 560 or 508 tracks this time round.
All joking aside, SANS training and instructors blow away any of the competition when it comes to relevant, skills-based security training. These guys' day jobs keep them in contact with the real world, and they pass on that knowledge and those skills over the six days of training.
With a less than cheery outlook on the job market, having real skills and the confidence to use them, rather than page-filling training, is going to make the difference in front of an interviewer or at the next review with your boss.
Yes, the training isn't cheap and the SANS brand isn't as well known as the CISSP, but the skills and knowledge gained from the training are undeniable.
The certification may not be as widely recognized, but when it is, the other person knows you've earned it on your own merits. No braindumps, crash courses or parrot learning to get you over the SANS line, only hard work and UNDERSTANDING the material.
That makes the difference to me.
Tags: SANS
SANS goes to Melbourne.
A small, intimate gathering for those who want to master the security foundations.
With Mark Hofman as your guide, it’ll be a week well spent getting your mind wrapped around the multitude of security risks, tools and avenues that exist today. Mark will get you through it while keeping it relevant and fun. Save some energy for the evening boot camp to get hands on practice on the day’s material!
Security 401: SANS Security Essentials Bootcamp Style
Tags: SANS
Like any normal day in the office, at some point I'll get blamed for something not working.
More specifically, one of the security systems I manage gets blamed, but I cop the flak for it. Moaning at an inanimate firewall doesn't elicit the sheer pleasure of ranting at a human being, or me, it appears.
Anyway, over the weekend a financial web site had stopped working and they wanted it to work. It was throwing up authentication errors in a Java applet screen they'd never seen before. The web company's helpdesk said nothing had changed, so it had to be our problem, or my problem, as normal. Since nothing had changed on the network, client machines or firewall rule sets (gotta love change management) and I had a screenshot of the error with the times of the problems, I called up the ISA logs and filtered on the URL of the site.
The screenshots filled me with apprehension, as the web site had a big ugly Java error, the pages were .jhtml and it was all running over SSL. After a chat with the staff member, he said the site looked like it had had an update.
I've had problems before with Java programmers doing dubious things over HTTP and the ISA correctly dropping the traffic, so I wasn't looking forward to getting into a fight with a big financial web company over coding.
The ISA filter displayed a whole heap of these errors when connecting to the site:
Status: 995 The I/O operation has been aborted because of either a thread exit or an application request
Now this doesn't tell you much, so after a quick bit of browsing the web I found a reply from Jim Harrison to someone with similar issues:
“This is expected even for normal termination of SSL Tunnel traffic.
ISA can’t follow the HTTP conversation within the SSL session and so the session closure is always a surprise.
It does not indicate an error in ISA.”
I trust Jim's advice implicitly, and was sure it was the lovely web company's fault, but his reply didn't help nail down what was wrong, and SSL won't let me analyse the traffic.
Help came from an unexpected source when the staffer mentioned he could access the web site at home, after it took a very long time to load the first time. "Did anything else happen while you accessed the site, like some piece of software updating?" I enquired. It appears that his machine downloaded the latest version of Java first. Hmm, to the test lab machines!
I fired up a test machine, broke company standard build policy, ripped out the current packaged version of Java and installed the latest and greatest straight from the web site. This promptly broke the machine. I grabbed the next test machine and attempted to update Java. That broke it too. The third machine, a totally non-standard machine, installed Java without issues and could "magically" access the site. No need to touch the ISA rules.
Grinning like a Cheshire cat, I promptly handed over the mess of updating everyone's Java client to the packaging team, with a couple of notes on how it had destroyed two perfectly good machines for no apparent reason.
Take away: if you see status message 995 being logged on the ISA, a web app stops working and the site is Java based, then check the Java client and ask what version you should be using to access the site first.
Put money on it the helpdesk will say install the latest version.
Tags: ISA/TMG