The Security Skeptic

You can use the Date and Time control panels on Windows XP and Vista PCs to synchronize time with public NTP servers, which will give you a more accurate time than you'll get off your PC's local clock. It's simple. Open the Date and Time Properties control panel, choose the Internet Time tab, check "Automatically synchronize with an Internet Time server, and choose a server from the Server pulldown menu. By default, Windows will update your time on a weekly basis thereafter.

On some PCs you want to be fastidious about time. It's particularly important, for example, to have time synchonized among systems where you are centrally collecting and analyzing event logs. In such cases, a week long interval between NTP updates may be too long. Unfortunately, the Date and Time control panel doesn't allow you to change the poll interval. You'll have to edit the Registry (I have to think that somewhere in Microsoft there are developers who are under a Registry compulsion spell that compels them to obfuscate OS configuration).

Open your favorite Registry Editor. If you've never done this before, read MSKB 322756. Navigate to

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\

and change value of the DWORD SpecialPollInterval to the number of seconds (another indication of a compulsion spell at work) you wish to set your interval. Simple math: an hour is 3600 seconds, a day 86,400 seconds, and a week is 604,800 seconds. If you want to synchronize on a monthly or longer basis, do the multiplication yourself. On second thought, don't do the math. If you really care that little about time, set it manually.

Archived at http://www.securityskeptic.com/arc20070801.htm#BlogID641 by Dave Piscitello  

James Gaskin has written a fine article about the rising and questionable cost of putting Microsoft Office on every employee's desktop, when OpenOffice may more than suffice. Commenting on the F.U.D. that is often written to scare companies from open source - questionable origin, incompatibilities, no customer service and technical support, phantom product enhancement time lines - Jim bluntly states, "any company that automatically puts Microsoft Office on every computer wastes bags and bags of money" and then does the math to prove his point.

Rather than attempt to summarize an article I really encourage you to read, I'll provide this pointer - OpenOffice vs. Microsoft Office - and add my $.02.

OpenOffice is very powerful. The UI is familiar enough that most Office users should have no problem adapting to OpenOffice's menus, pulldowns and commands. I do this whenever Redmond blesses us with a new version of Office, don't you? I've encountered a few incompatibilities with Office documents, but nothing that dissuades me from using or recommending it. If you are worried about the origin of the code and support, you can buy StarOffice from Sun Microsystems for the small price of $75 per user. (If you're worried about product enhancements, then you need to find a life outside document preparation.)

If you think you'll have trouble weaning employees off Office, then try candy instead of a stick. By Jim's estimate, you will save $300-350 per user by substituting OpenOffice for Office. Offer your employees a choice: a standard Windows XP/Vista OS with MS Office installed *or* a standard Windows XP/Vista OS with OpenOffice installed and a $100 bonus for using Open Source.

Archived at http://www.securityskeptic.com/arc20070601.htm#BlogID623 by Dave Piscitello  

The netstat program is available on every OS I own. Several options are unique to operating systems. A post to a recent thread on the firewall-wizards mailing list reminded me of several options that can be useful in isolating spyware components.

netstat -o displays the process that "owns" a network connection. For example:

c:\netstat -on
Active Connections
  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:1025         127.0.0.1:1026         ESTABLISHED     1992
  TCP    127.0.0.1:1026         127.0.0.1:1025         ESTABLISHED     1992
  TCP    127.0.0.1:1340         127.0.0.1:1341         ESTABLISHED     5000
  TCP    127.0.0.1:1341         127.0.0.1:1340         ESTABLISHED     5000
  TCP    127.0.0.1:3522         127.0.0.1:43958        ESTABLISHED     4864
  TCP    127.0.0.1:4940         127.0.0.1:4941         ESTABLISHED     5136
  TCP    127.0.0.1:4941         127.0.0.1:4940         ESTABLISHED     5136
  TCP    127.0.0.1:43958        127.0.0.1:3522         ESTABLISHED     3708
  TCP    172.17.1.50:3501       66.93.106.226:7446     ESTABLISHED     3372
  TCP    172.17.1.50:4061       172.17.0.7:3389        ESTABLISHED     2732
  TCP    172.17.1.50:4224       4.79.142.202:80        ESTABLISHED     232

The first column identifies the protocol: TCP, UDP, ...

The next columns identify the host names and ports of the connection endpoints. Microsoft chooses to label these Local Address and Foreign Address, respectlvey. The next column displays the (TCP) connection state (LISTEN, ESTABLISHED, etc., see MSKB 137984 for complete details). The final column, PID, is the process identifier for the executable. Process are the programs executing in your PC's RAM and consuming CPU. All applications and Windows services and many forms of spyware run as processes. Spyware programs are basically processes you didn't choose to install.

netstat -b goes a step further than -o and identifies the executable program (and program components) that created a connection; for example,

Active Connections
  Proto  Local Address          Foreign Address        State           PID
  TCP    spike:1025             localhost:1026         ESTABLISHED     1992
  [controld.exe]
  TCP    spike:1026             localhost:1025         ESTABLISHED     1992
  [controld.exe]
  TCP    spike:1340             localhost:1341         ESTABLISHED     5000
  [thunderbird.exe]
  TCP    spike:1341             localhost:1340         ESTABLISHED     5000
  [thunderbird.exe]
  TCP    spike:3522             localhost:43958        ESTABLISHED     4864
  [ServUAdmin.exe]
  TCP    spike:4940             localhost:4941         ESTABLISHED     5136
  [firefox.exe]
  TCP    spike:4941             localhost:4940         ESTABLISHED     5136
  [firefox.exe]
  TCP    spike:43958            localhost:3522         ESTABLISHED     3708
  [ServUDaemon.exe]
  TCP    spike:3501             dsl093-106-226.wdc2.dsl.speakeasy.net:7446  ESTABLISHED     3372
  [Shinkuro.exe]
  TCP    spike:4061             hhi.corecom.com:3389   ESTABLISHED     2732
  [mstsc.exe]
  TCP    spike:4170             bf-in-f99.google.com:http  ESTABLISHED     5136
  [firefox.exe]
  TCP    spike:4196             209.221.47.167:http    ESTABLISHED     5136
  [firefox.exe]
  TCP    spike:4198             209.221.47.167:http    ESTABLISHED     5136
  [firefox.exe]
  TCP    spike:4199             209.221.47.167:http    ESTABLISHED     5136
  [firefox.exe]
  TCP    spike:4200             209.221.47.167:http    ESTABLISHED     5136
  [firefox.exe]
  TCP    spike:4201             209.221.47.167:http    ESTABLISHED     5136
  [firefox.exe]
  TCP    spike:4207             209.221.47.167:http    ESTABLISHED     5136
  [firefox.exe]
  TCP    spike:4208             209.221.47.167:http    ESTABLISHED     5136
  [firefox.exe]
  TCP    spike:4226             209.221.47.167:http    ESTABLISHED     5136
  [firefox.exe]
  TCP    spike:4227             209.221.47.167:http    ESTABLISHED     5136
  [firefox.exe]
  TCP    spike:4228             209.221.47.168:http    ESTABLISHED     5136
  [firefox.exe]
  TCP    spike:4232             c17-b2b-itp-tags-lb.cnet.com:http  ESTABLISHED     232
  [GoogleDesktopIndex.exe]
  TCP    spike:10110            localhost:4241         TIME_WAIT       0
  TCP    spike:4234             c17-b2b-xw-lb.cnet.com:http  TIME_WAIT       0
  TCP    spike:4235             c18-btg-xw-lb.cnet.com:http  TIME_WAIT       0
  TCP    spike:4236             c18-news-xw-lb.cnet.com:http  TIME_WAIT       0
  TCP    spike:4237             c18-btg-xw-lb.cnet.com:http  TIME_WAIT       0
  TCP    spike:4238             c18-dw-xw-lb.cnet.com:http  TIME_WAIT       0
  TCP    spike:4240             c18-dw-xw-lb.cnet.com:http  TIME_WAIT       0
  TCP    spike:4242             mail.hargray.com:pop3  TIME_WAIT       0

Note that in this example, I did not use the -n option, so netstat attempted to resolve the domain names for local and foreign addresses. All the information available via the -o option is present, but an additional output line identifies the name of the executable or executable component. Many of the processes in my example output are familiar applications. How do you distinguish a useful process from spyware? As I mention in my article, Identifying Spyware Processes on a Windows PC, many web sites provide lists and descriptions of legitimate and undesirable Windows processes.

I should have mentioned these uses of netstat in my article. They are not as information rich as some of the process hunting software I mention in my article, but they "come with" MS-DOS and should be available on any machine you may be asked to inspect.

Archived at http://www.securityskeptic.com/arc20070401.htm#BlogID604 by Dave Piscitello  

I recently installed Parallels Desktop for Mac on my MacBook. Parallels offers a VM (Virtual Machine) alternative to installing Apple's Boot Camp and running Windows XP natively. Both are in beta, but I read enough positive comments about the Parallels product that I decided I'd try this for two reasons. First, Parallels desktop promised to run Windows XP in a window while I was running MacOS and OSX so I would have access to three operating systems when I boot up. The second was more pragmatic: it looked to be a simpler "uninstall" if I did not like it.

Parallels Desktop is downloadable, and you must get a beta license to use it. When you first launch Parallels Desktop, you set up the VM working environment (RAM, CPU, disk startup sequence, etc.) for your Windows OS (you can also install other Linux-based OSs as well). Then you install your fully licensed copy of XP. The installation sequence is identical to installing XP on an Intel PC. Add five minutes to the time it customarily takes for you to install XP. It took me a few minutes to grow accustomed to the keyboard switch that controls whether you are mousing in the XP window or on the Mac desktop (maybe that's just me...)

If you are a longtime XP user, and have licensed copies of XP and Office, you can save hundreds of dollars by installing these on your Intel-powered Mac (providing you are removing the copies off an Intel PC that will presumably become another boat anchor and environmental hazard). I also have several security applications that are Win32 that are not available for other OSs and routinely use these. My son is contemplating a MacBook for college in the fall, and like most teens, he has a number of games that only run on Windows.

So far, the experience is a positive one. When the beta concludes I'll purchase the licensed software. I'll keep you posted as I try new applications.

Archived at http://www.securityskeptic.com/arc20060601.htm#BlogID533 by Dave Piscitello  

I recently ran into a situation where I needed to use the passive form of FTP to test a security appliance. Passive (PASV) allows the client to initiate the FTP DATA connections rather than the FTP server. PASV It has been described as a more secure way of for client PCs behind firewalls to transfer files because all the data connections are initiated from the trusted network (we know this is not a sufficient trust model but we also know that security is 10% clue and 90% denial...).

I am still a command line kinda guy, and the FTP client available from the MS DOS command line doesn't support PASV. I really didn't want to download a FTP client I'd only use once, so I decided I'd use a browser. Googling, I read that Internet Explorer was enhanced to support both PASV and standard FTP. I proceeded to configure my rarely used IE browser as per KBA 323446 :

How to change the Internet Explorer FTP Client mode
1. Start Internet Explorer.
2. On the Tools menu, click Internet Options.
3. Click the Advanced tab.
4. Under Browsing, click to clear the Enable folder view for FTP sites check box.
5. Click to select the Use Passive FTP (for firewall and DSL modem compatibility) check box.
6. Click OK.

Internet Explorer behaves as a Standard mode FTP client if you select the Enable folder view for FTP sites check box, even if you also select the Use Passive FTP check box. If you clear the Enable folder view for FTP sites check box and then select the Use Passive FTP check box, Internet Explorer behaves as a Passive mode FTP client.

Turns out that this KBA was correct if I only wanted to GET files in PASV mode. I wanted to PUT files, and after fussing, fuming and discussion with my partner Lisa, we concluded that you must skip step 4, Enable folder view for FTP sites.

Gee, and I was so convinced everything I read on the Web was true.

Archived at http://www.securityskeptic.com/arc20060501.htm#BlogID528 by Dave Piscitello  

One of the statistics my web log reporting software provides is a list of operating systems that access my web pages. The report shows about 7500 requests have been made over the past 6 months from Windows Server 2003 hosts.

I appreciate the traffic, but I've got to ask, "Why on earth are you visiting blog sites from your server!" True, browsing with IE on Windows 2003 Server is more secure than before. True, my site is entirely benign (you should of course verify this yourself. Have you listed my site in your trusted sites zone? What a compliment!). But the potential for encountering spyware as you "drive by" blogs and other public web sites is just too high to justify the risk. I found a lovely quote by Deb Shinder in an article on web browser vulnerabilities: "If there is sensitive data on your computer, don’t browse the Web." (I only wish Deb would correct the grammar: data requires a plural verb...)

Chances are that if you have a server, you have some clients. Please continue to visit my blog, but do so from a client.

Archived at http://www.securityskeptic.com/arc20060201.htm#BlogID505 by Dave Piscitello  

Dan DiNicolo's "step-by-step methods for evicting invaders and keeping them out", published by PC Magazine, offers a neat and complete presentation of built-in and 3^rd party security solutions that can be implemented to make XP PCs more secure. DiNicolo does a nice job of explaining how to use XP's local security policy, how to secure IE, how to protect XP with a software firewall, and how to combat malware and spam. Dan also explains why patch management is important and even covers the advanced topics of file security using encryption and secure wireless networking.

If you are a regular visitor to my blog and read my SecurityPipeline and Live Security Service columns, these topics will undoubtedly seem familiar to you. In fact, if you've regularly visited my Windows XP Security Resources and read a good number of the columns posted or hyperlinked there, you probably know more about XP Security than you'll learn from Dan's book. This is less a criticism of the book than a conclusion about the appropriate audience for Windows XP Security Solutions.

Dan's 400+ page guide is true to it's sub-title. Every step required to configure each XP security solution is carefully documented. This is clearly useful for consumers and relatively non-technical users for several reasons. Each configuration is exacting enough and written in sufficiently simple terms to assure a high probability of success for even the least sophisticated user. Moreover, just about all the measures I'd recommend, and all the measures large organizations seek to implement, are discussed in a single location. Security-minded professionals are more than willing to search knowledge base after knowledge base to learn not only XP security basics but the nuances of many security features as well. Like many security professionals, I'll read everything I can find about a security measure, try alternative implementations, and whack at the result to see if I can break it. This is *much* more than we can expect from average consumer and non-technical user.

If you have followed the evolution of XP security over the past 9-18 months, you won't find much in DiNicolo's book that hasn't been written elsewhere, with more technical insight, or with an eye on enterprise implementation. But if you know friends and business colleagues who are earnestly interested in learning enough about XP to make informed decisions about security and who will take the time to read *one* chapter a day and follow the advice therein, you should consider recommending this resource.

Archived at http://www.securityskeptic.com/arc20051201.htm#BlogID485 by Dave Piscitello  

I use the CIS Security Benchmarking tool to harden all the PCs in my home office. One of the benchmarks is effective password management. I impose password complexity requirements, age passwords, and impose an account lockout policy. So it's not surprising that every so often, one of my family forgets an account password, is locked out, and needs administrative assistance.

Last night, my son locked himself out of his PC. His account had local administrator permissions so he could install games, music software, etc. To my embarrassment, I could not recall the administrator password, and I hadn't saved this password in my PasswordSafe database.

The only password recovery utility I had ran on a floppy, and my son's PC doesn't have one. I visited a few sites that described password cracking and recovery tools. The first tool I considered was XP Password Recovery. With this tool, you create a bootable image (floppy or CD) that contains utilities to copy the SAM from the troubled PC onto the floppy. You then take the floppy to an Internet-connected PC, and upload the SAM for cracking at a server, which then returns all the accounts and passwords it's cracked from the SAM. Try as I might, I could not feel comfortable with this process, especially given that the offline processing of the SAM is estimated to take several hours.

I next tried NTPassword, by Petter Nordahl-Hagen. NTPassword boots off floppy or CD. This is a sort of Swiss Army Knife of password utilities. NTPassword can reset the passwords of local user accounts (it modifies the encrypted password in the SAM). It detects and unlocks locked or disabled accounts. It is not thwarted if you've used SysKey encryption to (ahem) strengthen the SAM hash against attack. Best of all, it is unbelievably fast - as in less than 5 minutes! - to reset the admin password to blank, unlock the troubled account, and reboot the PC to XP SP2.

Password cracking is not a recreational activity. This is an easy tool to abuse. But if you impose password and account policies on PCs you administer, you'll probably need a recovery tool, and NTPassword one is pretty impressive.

Archived at http://www.securityskeptic.com/arc20050301.htm#BlogID375 by Dave Piscitello  

I've been helping my daughter's school network. Like many not-for-profit and privately funded schools, my daughter's school is a hodge-podge of PCs. While upgrading all the worthy PCs to Windows XP SP2, I've had to learn the magic incantations each vendor uses to enter SETUP for BIOS from a system boot start so that I could re-order the boot drive sequence.

A handy page to learn all these is the How to get into your computer BIOS at cyberwalker.net

Save a copy to disk. You may need it when you can't get online:-)

Archived at http://www.securityskeptic.com/arc20041001.htm#BlogID320 by Dave Piscitello  

I recall are public commitments from Redmond to make Windows more secure. Does Windows XP Service Pack 2, which Microsoft claims is "the most important update ever for Windows XP", deliver the promised goods? More...

Archived at http://www.securityskeptic.com/arc20041001.htm#BlogID316 by Dave Piscitello  

Reality is as integral a part of many people's lives as surfing the 'net. Morning radio talk shows have devolved into recaps of the prior evening's island competition, bug buffet, or struggle to be the last apprentice groveling. I confess: I don't get it. But in the spirit of ratings, here's Loop's contribution to Reality Web. Episode One finds Don at work, desperately trying to benchmark a new web service. The phone rings... More...

Archived at http://www.securityskeptic.com/arc20041001.htm#BlogID312 by Dave Piscitello  

Another resources page? Didn't I just post two others? OK, so I live in my office on weekends and have no life other than to provide helpful insight to others. I've installed Windows XP SP2 and am evaluating it as I type this blog entry (honest, I'm running SuperScan to see what Windows Firewall blocks by default as I type!).

The good news thus far is that the XP SP2 install finished clean but the process was tedious and the download long, even over Etherloop. Consider ordering a CD. The bad news is that so much has been written in anticipation of Windows XP SP2 that it's nearly impossible to get a read on how good or bad it really is without simply installing it - just don't install it on your one and only PC yet...

If you have a small or medium business, I really recommend you take a PC out of production, install XP SP2, and play with it. If you don't know exactly what to play with, cheer up! I've put a resources page together on Windows XP SP2 at Windows XP SP2 resources. I've tried to include the resources I read to prepare myself before installing SP2, and other resources I found while attempting to get a sense of how the Windows as well as Microsoft-bashing communities were faring with their SP2 deployment and testing.

To its credit, Microsoft's put together a lot of useful information. Of course, it's really hard to navigate Microsoft's web site using "XP SP2" as your only search argument, so I've tried to include the "best of" here. If you find other good resources, let me know.

Archived at http://www.securityskeptic.com/arc20040801.htm#BlogID301 by Dave Piscitello  

Like so many technical professionals, I pay my debt to society by helping friends, not-for-profits, and private schools solve computer and networking problems. The most common problems are (1) virus and spyware infections; (2) badly fragmented C:\ drives; and (3) no appreciation for file organization.

Problem (1) usually requires that I make a house call with a bootable Windows XP CD (See BartPE, my blog entry 223) and try to remove the virus or otherwise repair a Windows OS.

For problem (2), I again make house calls, this time with a USB hard drive so I can copy off whatever the PC owner deems valuable, create enough space to defrag the drive and point the owner to my blog entry 286 on Defragmentation 101.

Problem (3) drives me crazy. My experience is that 8 out of 10 home PCs treat the My Documents folder like a 20x20 public storage unit. *Everything* goes there. Of course, My Documents is always on drive C:\ and few PCs come with partitions, so the mechanical saves to this location eventually lead to problem (2), and often leaves PC owners in the lurch: if a virus has rendered their C:\ drive completely useless, it is often the case they will lose some "valuable" files when they perform an OEM recovery.

I'm no doubt identifying the operating environment of your PC, or of someone you know. My remedial actions for this behavior is a three-stage therapy.

1. Remove as many "valuable" files as the owner chooses and defrag the hard drive.

2. Reboot the machine into MS-DOS, run a disk partition program. I generally create an extended partition, and within this partition, I create a partition for applications, and a partition for data (and music).

3. I explain that they should not mechanically install programs to drive C:\ but to the partition called "APPS", and show them how to modify MS Office and music applications to save to folders other than My Documents, on a separate partition I name whatever the PC owner wishes (FAMILY, DATA, STUFF..). In some cases, I create a partition exclusively for MUSIC.

For the unavoidable encounter with a PC owner who insists on having My Documents, I ask for a glass of water, and while he or she is away, I create a new My Documents folder in a partition other than C:\ - sneaky, but it saves a house call.

It's sad that PC manufacturers so rarely partition drives. It would save so many headaches.

Archived at http://www.securityskeptic.com/arc20040801.htm#BlogID298 by Dave Piscitello  

If you are hesitant to even open the Windows Registry, but are having trouble removing programs, try PUI. This utility displays registry entries and uninstall strings for installed programs and Windows updates. You can also remove programs from the builtin user interface (instead of Add/Remove Programs).

PUI also identifies programs that cannot be uninstalled. Sometimes, programs leave uninstall data in temp folders, and these are deleted. Other programs are installed by the manufacturer or Microsoft and cannot be removed. Badly written software sometimes can't be removed using conventional Add/Remove Program: as the author notes, PUI saves you the trouble of searching all over the net only to learn, "you can't remove it".

PUI claims to detect certain spyware and adware, and these, too, can be deleted from the user interface. This isn't the primary feature and purpose of PUI, but a good complement to an already nice piece of software.

PUI (freeware) is written by Ur I.T. Mate Group and can be found at http://www.it-mate.co.uk.This is also a credible download site for 100% true freeware: no baits, no lures, no registration, no popups, and the software available for download is completely free of charge, fully functional, free of advertising, spyware and malware.

Archived at http://www.securityskeptic.com/arc20040801.htm#BlogID293 by Dave Piscitello  

A SearchWin2000.com indicates 39% of the respondees plan to dump Internet Explorer, 35% said they would keep using it and 24% favored using IE and some other browser. Do these figures reflect a kneejerk reaction to Scob or a vote of no confidence in Microsoft's browser specifically, and Microsoft wares in general?

However you choose to interpret the results, I'm pretty certain that if your desktop environment consists of IE, Outlook, Messenger, Office, and the Windows operating systems, and you care even a whit about security, you are investing considerable time, brain cycles, and bandwidth patching software, and securing configurations.

It's perfectly reasonable for you to be asking, "Is this as good as it gets?" More...

Archived at http://www.securityskeptic.com/arc20040801.htm#BlogID294 by Dave Piscitello  

If defragmenting a disk is something foreign to you, then you may find Disk Defragging 101 helpful. The article, obviously for beginners, only talks about disk defragmentation in a limited context (using the built-in defragger for Win2K/XP/2003). The author really doesn't talk much about the problems defragmentation causes: for some simple explanations, read Why defrag?. Both articles are easy to read and informative enough to give you suitable background for more advanced reading.

One of the more serious problems associated with fragmentation is its impact on virtual memory. When VM has to scan your drive to collect tiny chunks of RAM in order to operate, your performance will tank badly. I describe how to avoid this in my Watchguard LSS column, Take the Sting out of XP performance issues.

Archived at http://www.securityskeptic.com/arc20040701.htm#BlogID286 by Dave Piscitello  

Windows FAT file system offers no encryption and file access controls (user and group level permissions on files). Why is anyone still using it?

Windows experts say the only reasons to use FAT are to provide dual boot capabilities, and to boot from a diskette. But precious few folks actually dual boot - even if their are a million of you, you represent at most two percent - and diskettes are on the deprecation trail. So if you fall into either of these categories, don't read any further.

Still with me? I thought so. Eliminating FAT from your PC or laptop is easy, right? Choose NTFS during setup. But what if your PC or laptop manufacturer shipped your OEM version of Windows NT/2000/XP on a FAT volume? In this case, you can use convert.exe. This command line utility will reformat a FAT volume to NTFS, but if you want to format the volume or partition on which your OS resides, you'll have to schedule the conversion following a restart.

Why am I writing about this, still? It turns out that certain OEM recovery disks rebuild your C:\ drive to be FAT. My partner, Lisa Phifer, and I monkey with all sorts of applications and drivers, (some in beta), and our laptop file systems and registries turn to sludge much faster than the average user. Lisa takes the path of least resistance, builds a restorable drive image, and reinstalls this each time instead of the OEM recovery disk.

I am finally doing the same. Following my recent laptop purchase, I used Partition Magic to create a primary partition for a "clean" install of Windows 2000 operating system from the OEM disk. I created an Extended Partition with three logical partitions: one for virtual memory (swap); one for applications; and one for data files. I installed Win2k, MS Office and the CIS Security Scoring Tool. I hardened the laptop according to the Win2kProGold_R1.2.4.inf template, which included all the Windows 2000 updates and service packs. Finally (hours later) I created a drive image (we use PowerQuest Drive Image) and burned this to a CD. I didn't install drivers for the several network adapters I use because these change frequently as well, and driver bloat is one of the things Lisa's helped me appreciate I should avoid. I think this will save me a fair bit of time, over time.

Archived at http://www.securityskeptic.com/arc20040601.htm#BlogID260 by Dave Piscitello  

Call it kismet -BTW, did you know that kismet is Islam for "the will of Allah"? - but just days after I blog about BartPE, my wife asks me to help a friend who's computer isn't working. I take a BartPE Live CD along, and a USB microdrive.

I boot off BartPE and use the McAfee Sting Averter antivirus software to remove 3 viruses. Unfortunately, my wife's friend panicked and tried to use the OEM recovery disk to - obviously - recover from the problem. Her behavior is probably not unusual for a casual PC user. Moreover, her explanation for why she continued when the recovery disk warned it would erase her hard drive was probably common for a large part of the PC user population, "I was only worried about my files, aren't they in the memory?"

There is a happy ending to this story. For whatever reason, the OEM recovery encountered an error before it erased the hard drive. I was able to boot from BartPE, and copy about 200 Megabytes of family photos, office files, and (remember this!) configuration files from this woman's computer onto the USB microdrive. When I retried the OEM recovery process, it failed again. So I returned the next day with Partition Magic emergency disks, reformatted the hard drive, and was able to reinstall Windows ME on the PC.

I suggested that my wife's friend send Bart a PayPal donation, and she said she'd be more than happy to do so ;-)

They lived happily ever after... well, probably until the next PC problem.

Archived at http://www.securityskeptic.com/arc20040401.htm#BlogID227 by Dave Piscitello  

In March, the total number of pages requested by Windows XP users at my blog surpassed the total number requested by Windows 2000 users. Windows OS users account for nearly 75% of requests. Windows XP users account for 41% of this percentage, followed by 2000 (34%), 98 (11%), 95 (6%), NT (5%), ME (2%).

Archived at http://www.securityskeptic.com/arc20040401.htm#BlogID226 by Dave Piscitello  

You open Task Manager under Windows NT/2000/XP. Under the Processes Tab, in the Column labeled Image Name, you see a rather long list of executables (.exe). Those you aren't familiar with may unnerve you. Some are intuitive, like IEXPLORE.EXE; others, like msccn32.exe, are not so obvious. By the way, if you see msccn32.exe, you have the Win32.Sobig.B@mm virus!

Spyware, trojan, zombie, or just plain unnecessary service?

A great site to learn what all these cryptic Image names represent is the WinTasks Process Library at LIUtilities (Uniblue Systems LTD), manufacturer of WinTasks software products. Any time I've Googled an Image Name, this site is the first search result returned. The library entry for each process name provides a description of the file, the company, whether the file is a system process or security risk, and common errors associated with this file.

The Process Library won't tell you if the process is unnecessary. Read the "Pruning Services" section of my article, Take The "Sting" Out of XP Performance Issues to learn how to decide whether a service is a candidate for pruning.

Archived at http://www.securityskeptic.com/arc20040401.htm#BlogID225 by Dave Piscitello  

Your c:\ drive crashes. You don't know the cause. You are desperate to retrieve files from this machine, with a capital D. If you could only boot from another medium (if you only partitioned that 120 Gig drive!).

Trouble is, your new PC doesn't have a floppy drive.

Before you reach for that OEM Recovery CD or call the drive recovery folks, consider Bart's Preinstalled Environment (BartPE) bootable live Windows CD (BartPE). BartPE lets you create a CD with a scaled down Windows OS (2000 Server or XP Professional), including network connection support, GUI, and file system support for FAT and NTFS (a much-needed improvement over DOS boot disks). It has a clean, simple user interface, and custom explorer.

Use BartPE to rescue files from a hard drive to a network share. Perhaps you need to perform a virus scan and can't find that Installation CD. Not a problem: you can add an antivirus plugin (McAfee Avert Stinger) to the ISO image of the CD you create with BarPE software. In fact, author Bart Lagerweij has amassed lots of plugins for his "donateware", from RAM disk to a remote desktop.

Remember I said, "Before...?" I really mean before: find 15-20 minutes out of your busy schedule to download PEbuilder.exe and create a rescue CD now. Then PayPal Bart some cash.

Archived at http://www.securityskeptic.com/arc20040301.htm#BlogID223 by Dave Piscitello  

I was asked recently if I would recommend someone to argue the side of proprietary software in a security debate. My response was that I honestly don't know anyone who is knowledgeable, credible, and willing to engage in this sort of debate any longer.

"Which is better?" is a tired tale that has nothing to do with security and everything to do with religion and bias and envy. No one with a modicum of professionalism wants to argue with folks from the open source community who delight in attention they garner when they disparage Windows. I suspect that Microsoft begs off invitations to such public debates because they have exhausted the pool of qualified people willing to participate. I'm actually quite happy that MSFT's engineers choose to stay in Redmond, to work at improving product, over participation in amateur theatrical performances with badly written scripts (pun intended).

Let's look at this issue from another perspective. In my blog #46, Web Server Market Leader: Apache or Microsoft IIS?, I mention a poll that shows more Fortune 1000 companies run web and other critical internet service on Windows than <choose-your-*nix>. Are all these administrators crazy, stupid, duped, or coerced? I don't think so. I imagine that they are very informed, experienced, disciplined professionals. I also suspect that the best among the Financial community's administrators would scoff at the lame arguments, snorting and snickering you invariably suffer through during "Which is Better?" sessions.

What too many open source folks refuse to admit is that securing operating systems and services all boils down to running the server you are best informed and prepared to secure, which reduces to experience and a whole lot of RTFM and GTFW (google the freakin' web!). Consider this: the reason a *nix guru (imagines) he can secure a *nix system better than a Windows system probably has much more to do with the vast experience accumulated over hundreds upon hundreds of hours of use and administration and far less to do with inherent flaws in Windows Security architecture. A corresponding investment by the same bright fellow in Windows administration would yield a system just as rigorously secured.

Archived at http://www.securityskeptic.com/arc20031101.htm#BlogID157 by Dave Piscitello  

I've been tinkering with the CIS (Center for Internet Security) Windows Security Scoring Tool for a while now, incrementally struggling my way to a perfect 10. The tool and accompanying templates help you attain the "baseline minimum level of prudent due care" when securing a Windows computer.

I set out with the goal of configuring my server to satisfy the configuration criteria in the Win2kSrvGold_R1.0.1.inf template. I chose this template because it seemed to be the more demanding of the two criteria among the templates CIS bundles with the tool (the other is an NSA template). I also chose to implement a security template using the Windows 2000 Security Configuration and Analysis Toolset.

From my modest initial score, I climbed my way to a 7.9. At this point, I had to customize the template in the following manner:

• I customized both the Legal Notice Text and Caption.

• I set RequireLogonToChangePassword=0 because I could find no way to do this using Windows 2000 (and the documented method for Windows NT did not apply).

• I modified the available services list to automatic start FTP, IIS, and W3SVC, since I'm securing a public access web server and an intranet-accessible FTP service.

Why am I doing this, you ask? Eating my own dog food. I carp constantly about implementing security measures close to assets. I believe these efforts pay off. I know much more now than I ever imagined I would about the server I run, and this is A Good Thing.

FWIW, CIS has done a really good job creating these baselines, and the documentation, while not perfect, is very effective. I'm looking forward to the completion of the XP security templates.

Archived at http://www.securityskeptic.com/arc20031001.htm#BlogID155 by Dave Piscitello  

John Hogan, Site Editor for SearchWin2000.com, wrote an editorial concerning Microsoft's announced intention to issue patches on a monthly basis, with exceptions for emergency cases. John asks how this policy is being received by the folks in Windows shops; specifically:

Does once-a-month patching work for you?

You should voice an opinion and take the poll.

I sent John the following in an e-mail:

John,

Ask yourself whether once a month works for you with other safety measures:

- gas leaks (it's a minor leak, you'll be fine until November 1st)

- carpenter ants (how much could they destroy in a few weeks' time?)

- plumbing (only a few drops are leaking onto the ceiling below, we

can probably wait until the end of the month).

- home security (the camera's off center, we only have a partial

view of the vault, let's

I can't help but conclude you are always better off (a) receiving

notification and forewarning of a problem as early as possible, and (b) investing the time to remedy a problem as early as practical.

It's also important to get patches as early as possible so that you can TEST them before installing them on production systems.

We don't have good criteria for judging whether vulnerabilities are critical or benign, and it may well be that individual organizations' criteria will draw different conclusions than "general consensus".

I think this is an effort to simplify both Microsoft's distribution, multiple patch confusion, and administrative overhead. But ultimately, as an administrator, I would want to be notified quickly, have the patch made available quickly, have TIME TO EVALUATE IMPACT and TEST the patch, and finally, decide for my organization whether the vulnerability merits immediate attention.

------------

I'm curious, too, so drop me an email as well.

Archived at http://www.securityskeptic.com/arc20031001.htm#BlogID152 by Dave Piscitello  

After reading Fred Avolio's NetSec Letter #29 and blog on A Linux Desktop, I sent the following in an email to Fred, and copied Marcus Ranum:

IMO, too much attention and emphasis are being placed on the terrible consequences of homogeneity and too little on improving (secure) coding practices. Last time I looked, which is *recently*, exploits continue to be disclosed for every *NIX operating system, at a pace arguably close to Windows exploit disclosures. The notion that we'll somehow insulate society from massive computing meltdown by diversifying across dozens of exploitable operating systems doesn't hold water. If I were an organization motivated enough to attack a cyber-infrastructure, and that infrastructure was heterogeneous, I'd simply through more cycles at developing an attack that would succeed on multiple platforms. The fact that this hasn't been done yet isn't enough to convince me it can't be done. Windows happens to be perceived to be the low-hanging fruit, the 90-lb. weakling, and the target of amateurs.

I can make the same or stronger argument for user-introduced consequences. Windows or *NIX, we are simply awful at securely configuring systems. We're lazy. We don't RTFM. And it's been my experience (which I'll claim is extensive, since I have evaluated dozens of appliances and software products) that often as not, when we do RTFM we discover features are documented incorrectly, or not documented at all. If everyone took 30 minutes and exerted the modest effort required to install and configure a PFW and AV software, exploit frequency would fall dramatically.

I'm also tired of hearing about *Nix superiority w/r/t security. I run a Win2k server and desktops. I invest a considerable effort to see it is secured, but no more so than anyone must to secure Linux. I've run a Linux server, and after running both, I will tell you that I feel more confident with Win2K than I did with Linux. I had better access to resources, documentation, assessment tools, security templates, etc. Your results will probably vary, but I believe this is so because you were weaned on Linux and I on Windows (well, Mac, then Windows). The largest financial firms run windows servers and they are tight as a drum. They could make Linux servers tight as a drum as well, because they have time, talent, approval, and motivation to develop and implement secure operations and practices.

The sad fact is that all commercial operating systems fail to meet secure computing criteria. Even if any *one* OS met the criteria, I believe it will be a long time before the general population would be able to maintain them securely *and* be productive. Being secure and productive takes time and thoughtful action. We don't want to invest either.

As expected, nay, anticipated, Marcus offered yet another example of why I love email threads of this sort:

It's a complex problem in many variables - worrying about any one of

them preferentially is going to just leave you open someplace else.

The problem is about:

bad code

bad defaults

bad policies

bad administration

bad documentation

bad users

bad marketing

... etc.

If we apply pressure to any one, two, or three of those, we won't

make any actual progress. But we'll have some limited and

transient success. (viz: M$ secure coding initiative. firewalls, etc)

The question I am now mulling over isn't whether limited and transient success puts us in a better place than we are now (strongly agree) but whether it's the best we can expect...

Archived at http://www.securityskeptic.com/arc20031001.htm#BlogID147 by Dave Piscitello  

Archived at http://www.securityskeptic.com/arc20031001.htm#BlogID141 by Dave Piscitello  

I recently purchased a Coolmax Gemini CD-309 Series External Enclosure for 3.5" IDE drives. This is one of those under $40 purchases I can't help but recommend.

If you have a spare hard drive - perhaps you've cannibalized a dead or time-to-retire PC, or found one for cheap on eBay - you can create an enormous and reliable removable/portable storage device.

Installation is so simple it's printed on the back of the packaging: remove back panel, slide out HDD tray, connect IDE cable to HDD, connect power cable, and close the case. Plug the USB into a computer and power up the drive. Windows 2000/XP PnP recognizes it as removable storage. Yes, there are screws involved, but you don't have to fret about Evil Static Electricity, and there's really nothing you can break.

I found myself wondering why I'm buying 128 and 256 MByte Compact Flash and Secure Digital cards when I can have 10 Gigabytes for under $100 (including case and hard drive).

Then I remember I have a digital camera and MP3 player... O.K., so I use many removable media.

But with the portable HDD, I can back up reams of information on spare hard drives, or create and store system partition images for all my systems, a bootable forensics partition, or just back up the hundreds of music files I've ripped (from my CDs, emusic.com, and other authorized music distributors, thank you...).

Archived at http://www.securityskeptic.com/arc20031001.htm#BlogID140 by Dave Piscitello  

Having the opportunity to use Windows XP Professional on my new work PC, I decided that my conclusion that, "XP was terrible" was overblown.

XP Professional is very good. It's XP Home Edition that IMO bites.

So just as I scrapped Windows ME in favor of Windows 2000 Professional two years ago, I decided to scrap XP HE for XP PRO.

Good intentions oft go awry. Microsoft claims that an upgrade saves your settings and installed programs.

Not exactly.

The PC I upgraded uses a USB connected WiFi adapter for wireless networking. Windows dutifully saved the TCP/IP information from my XP HE network connection settings, but it didn't save my WiFi settings: ESSID, Channel, Encryption, ...

Now this is not all that troublesome, except for the tiny matter of completing registration online during Windows XP installation. No WiFi, no Internet. No Internet, no registration.

With the increasing number of home WiFi networks, and given Microsoft's campaign to eliminate "casual copying", you'd think they would get this right.

Archived at http://www.securityskeptic.com/arc20030901.htm#BlogID120 by Dave Piscitello  

Everyone knows the drill. Your PC ages and gets slow, or you discover you have 37 Kilobytes left on your c:\ partition, after defragging the disk. Perhaps you've installed - or are preparing to install - a new version of Windows, which invariably accelerates the aging process, and then a new Office suite, which throws your PC into a coma.

Cheap fixes include adding RAM or an additional disk drive. A more ambitious fix is to replace the PC. Whichever you choose, it pays to audit your PC hardware, software, and file store.

Auditing PC hardware and software is helpful in both cases. A good PC audit tool will tell you how much memory you have, and how many memory slots the installed memory occupies. You'll need the latter to determine what you order; for example, if you have 128 MB RAM installed as two 64 MB DIMMs and only two slots, you'll have to remove one or both to upgrade (sell what you remove on eBay but don't expect a lot). Audit tools will also tell you how your disk(s) are partitioned, what space remains, etc.

I've found the free Belarc Advisor really useful. In addition to telling me about PC hardware, it also tells me about the Windows OS (build, service packs, and hotfixes) and software licenses and versions. These are extremely helpful to me when I buy a new PC and want to create the same "production environment" before I retire the old one.

The hardest task is backing up or copying your file store. I try to faithfully keep all business and personal files on a separate partition, and burn a CD of this partition. I also keep a partition of the dozens upon dozens of software tool downloads, and I glean the ones I no longer use before I burn a CD of these.

No matter how faithfully you organize files, there's bound to be critical bits and pieces of configuration information lying in your primary partition: anything from .ini and other program and user configuration and database files, etc/ hosts, IE favorites and cookies, address books, updated hardware drivers, software license keys, e-mail folders, PGP key rings, and more. If you've installed applications on drives other than your primary, this kind of information may be on other partitions as well. Belarc's audit tool helps you by providing a list of installed applications so you can at least ferret around the install folders and at worst, guess what you ought to backup or copy.

I hate upgrades and replacement. Both are tedious processes, both fraught with peril: I'm convinced that when people estimate of the annual cost of PC maintenance at 5-6 times the actual purchase cost, they are including 8-20 hours associated with some upgrade or replacement.

Archived at http://www.securityskeptic.com/arc20030901.htm#BlogID116 by Dave Piscitello  

Default installations of Windows XP Home and Professional Editions boot with a number of services that are not necessary for correct operation in home and many enterprise offices. Some of these pose security problems because they advertise services or solicit connections from anonymous (read: unauthenticated) hosts. Others simply waste RAM.

If you administer a firewall and have blocked all outbound services except those you authorize, you will "discover" PCs running XP on your trusted interface by the appearance of DENIED traffic to port 1900, the SSDP Discovery Service. If you aren't administering a firewall, run LAN analysis software like Ethereal on internal networks to see if SSDP is blathering on your LANs. If you are unwilling to do either, there is little point in reading further.

XP uses the Simple Service Discovery Protocol to gather information about Universal Plug and Play (UPnP) devices like a networked printer on a network. UPnP device responses provide lots of useful information but also provide a vector for DOS and DDOS attacks (Google "UPnP vulnerabilities"). If you are certain you don't have UPnP devices, you can safely disable this service, eliminate port 1900-directed traffic, and save some RAM. If you don't see traffic at Port 5000 (read on) you probably don't have UPnP devices on your network.

If you disable SSDP, you can also disable the companion UPnP Device Host service, which supports the UPnP peer-to-peer exchanges using Port 5000. This unfortunate port "assignment" collides with a remote administration tool (RAT, a form of trojan program) called Sockets de Troie, and lots of Internet Chess servers. If you do disable UPnP and still see traffic at port 5000, investigate further!

I've discussed SSDP/UPnP in the context of XP, but ME also has this service, and patches exist to add these to Windows 95/98.

One last point. UPnP is not the same OS function as Plug and Play, which manages device discovery on your PC.

This single act of pruning saves a bit of RAM, a fair amount of noise on your LAN, and improves your risk profile. If I've whetted your appetite and you want to learn how to prune-and-tune your PC, download Black Viper's excellent paper on XP services configurations.

Archived at http://www.securityskeptic.com/arc20030801.htm#BlogID112 by Dave Piscitello  

If you custom build a PC, you will probably choose to forego the floppy drive (and buy extra memory). But you may bump into programs that just can't grok the notion that a PC doesn't have a floppy drive! Fortunately,

One such program is Windows Terminal Services Client Creator for Windows 2000 Advanced Server. Here's my workaround for this problem.

• Create the floppies from the client creator software at your server.

• If you have USB ports on your server and client PC, copy the floppies onto a removable drive or compact flash card in two folders, DISK1 and DISK2 (no spaces).

• Open the folder DISK1, run SETUP.EXE, and the installer will automagically look for the folder DISK2 in the same drive/location.

Archived at http://www.securityskeptic.com/arc20030801.htm#BlogID108 by Dave Piscitello  

Windows Anonymous Login (also known as "null session") is Number 5 on the SANS Top 20 Vulnerability List. The recommended procedure for protecting against Anonymous Login is to change the value of the Registry Key

HKLM/System/CurrentControlSet/Control/LSA/RestrictAnonymous

to one (1) for NT, and two (2) for Windows 2000 and XP.

A much simpler and safer way to change this is to use the Security Policy Editor (accessible via Administrative Tools and the Control Panel) and change the value of the Local Security Setting "Additional Restrictions for Anonymous Connections" to "No Access Without Explicit Anonymous Permissions".

Why anyone recommends editing the Registry if you don't have to is beyond me...

Archived at http://www.securityskeptic.com/arc20030401.htm#BlogID26 by Dave Piscitello  

Don't look to DELL for *any* help whatever!

I'll confine the "rant" element of this posting by saying DELL is way off base by insisting you buy a Dimension series computer with a pre-installed OS. They compound the crime by providing no sympathy and very little support for anyone who wants to do otherwise.

I needed an inexpensive computer to use as a server. I bought a DELL Dimension 2350. I had a licensed copy of Windows 2000 Advanced Server. I installed the OS, and discovered that the licensed version of W2KAS has no drivers for the mostly on-motherboard devices including the display, USB, and Ethernet NIC.

Of course, at the time, I had no idea what this hardware was, and got no help from DELL or Windows Administrative Tools...

I thought to install the drivers off the supplied XP Home Edition drivers CD (ugh...), then thought better of this. However,...

you can browse and identify the Dimension series hardware from this disk! For the Dimension 2350, you'll need to go to Intel and Broadcom and retrieve the following drivers:

• Broadcom 440x 10/100 Ethernet Adapter
• Intel 82845G/GL/GE/GV graphics controller
• Intel 82801DB/DBM USB Universal Host Controller and
• USB 2.0 root hub controller

The paranoid in me whispers conspiracy...

Archived at http://www.securityskeptic.com/arc20030401.htm#BlogID13 by Dave Piscitello