Tuesday, July 28, 2015

Sysadmin Link Seventh-Inning Stretch

Here are some tips and tricks for the sysadmin crowd.

While doing a project on a Win 7 laptop cleanup, I was looking for an automated way to clean off all the inactive/unused Windows user profiles. Sure I could have gone into the advanced settings and removed the account profiles manually. But a command-line tool would have been helpful.

I re-found the Delprof2 - User Profile Deletion Tool provided by Helge Klein. It worked as advertised. The first pass I used it it could not delete one local profile for some reason. Turns out that some software that had been installed was still running as service under that account. After I had deleted the software and rebooted, the tool then worked to remove that remaining account. Free for private, non-profit org, or educational org use. Otherwise requires a commercial license purchase.

More Tips and Tricks

Smartphone-Friendly Conference Bridge URL Formatting

One of my biggest frustrations with conference call invites is receiving one when I am in the field and having to join via smart-phone. The meeting reminder comes up with the main dial-in number, but then I have to try to switch back-and-forth to find, note, and enter the actual bridge #.

So I found a standard formatting that can be included/used for one-click use in both calling the main # and then auto-entering the bridge number.  Please folks! start adding this to your meeting invites!

The basic format is thus:

join 100200 conference code on the conference line 12345678 on most of the newer devices

Malware Anti-Exploit Update

Malwarebytes Anti-Exploit - Version was released. From the setup installer’s change notes:

Malwarebytes Anti-Exploit

New Features:
• Added new Layer0 exploit mitigations for IE VB scripting
• Added new Layer1 exploit mitigations for ROP detection
• Added new Layer3 exploit mitigations for Powershell abuse
• Added telemetry from Firefox
• Added ability to edit custom shields
• Added ability to log protection events to UI
• Added ability to auto-upgrade corporate builds
• Added support for Windows 10
• Added blacklisting of pirated and fraudulent license keys

• Improved Java shield in corporate environments
• Improved exploit telemetry
• Removed duplicate default shields for portable browsers
• Removed "shielded applications" counter from UI

• Fixed issue when printing to Adobe PDF
• Fixed issue with Speedbit Download Accelerator
• Fixed issue with plugins from PowerDVD and GAS Tecnologia
• Fixed issue with nProtect GameGuard Anti-Cheat
• Fixed issue with certain exclusions not respected
• Fixed issue with Knowledge Coach Office Add-In
• Fixed issue with false positive from IE
• Fixed issue with Foxit Reader startup
• Fixed issue with Excel PowerQuery
• Fixed issue with Excel DEP Enforcement
• Fixed issue with IE VB scripting block
• Fixed issue with Chrome crashes

Techniques for adding “Open Command Prompt Here” &/or “Elevated” to the Windows Explorer Shell Menu

Windows 8/8.1/10 have an option to allow you to open both a Command Prompt or Elevated Command Prompt window from the start menu.

You can also right-click a folder or white-space and open a command window. However you likely won’t be able to open an elevated one easily.

There are a number of ways you can modify the registry to create some optional Explorer shell menu items. And you can do some clever keyboard/copy/paste tricks as well in the default Windows GUI.

In the end I found and went with this utility on my personal systems.

Here are a few more options:

On my own system I don’t mind using a utility to make the changes needed, but if you really need the feature and are authorized to make the changes, “manually” setting the feature via RegEdit works well. The benefit of that method is that you “know” what changes are being made and how to remove/regress them if required.

Windows Critical Out of Band Security Patch Released

Yes…late again…but better late than…well, you know.


Claus Valca

Windows 10 and Wi-Fi Sense: Here be Dragons

I’ve read about.

I “get” it from the “helpfulness” and convenience side of things.

I absolutely don’t get it from a security standpoint.

So basically in Windows 10 it’s a feature that allows you to share your Wi-Fi network settings (and credentials) with other contacts via Facebook, or Outlook.com, or Skype. It seems to be a feature for Windows Phone 8.1/10 and Windows 10 in general.

My bae knows I’m coming over to crash at their pad, knows I love to do the Wi-Fi thing, sends me their Wi-Fi creds via Wi-Fi Sense and I’m golden for the hookup when I drop in. No awkward asking for Wi-Fi creds or trying to type in that 64-character strong password!

Thanks Microsoft.

You can optionally set it to automatically share your network settings/creds with your contacts, not just on a per-contact basis. Helpful isn’t it.

It seems that once they have the contact, they cannot then share the settings/creds with their friends/contacts as well, unless they already know the actual (clean-text) password and share it with others. Nor can you use Wi-Fi sense with enterprise networks using 802.1x. It also does not grant them access to other computers or devices on the shared network.

A workaround is to rename your network SSID to end with “_optout”.  Which kind of begs the question; if you are already OK with sharing this security why would you want to then go and “_optout”.

According to my understanding, while they can access your shared network, they don’t get to see your shared password. Small consolation because any malware or infection they have on their systems comes along for the ride and is granted permission to be on your network and in your “home”.

And that’s the core of the concern. While many non-technical users will be happy with the convenience of easily sharing network access to their family and friends, the deeper threat is what could happen once that “guest” system is connected on the network; exploit scans? pen-testing? downloading of questionable files?

To me it falls under that “it’s just network access to the Internet what’s the harm?” false security mentality that is so ubiquitous nowadays that drives security sysadmins to the point of madness. Just like the “why is it a problem that I borrowed my Ethernet cable at work to plug in my personal XP laptop during my lunch hour?…it’s not like I’m using my locked-down enterprise work system.”

Really? Just can’t see the problem there can you? Hmm.

Yes all those points are still risks under the “old-school” model of Wi-Fi access sharing; here’s my SSID, here’s the password, need some help? But at least there is a pause or opportunity to consider the device/user/access being granted--maybe go over some house rules and review/vet the system if you are a security geek.

Nor do I see a way to later selectively (retroactively) block or disable access granted to a contact…short of renaming your SSID and/or changing the access authentication password. Though I suppose if your Wi-Fi router supports it (and you know the former-bae’s MAC address) you might be able to block them via access point filtering.

Regardless, the current GSD recommendation is to run away from this “helpful” feature as fast as you can.

Now that I’m thinking about it, it’s probably time to consider setting up a “guest” Wi-Fi network with a different SSID that is isolated from the main “trusted” Wi-Fi network.

…or pick up a Wi-FI router that supports an isolated “guest” SSID zone as mine does.

More readings:

hat tip to TinyApps blog


Claus Valca

Portable Windows movie players

After I do a video file conversion I like to check how the conversion plays back.

I don’t really care for or use the stock Windows Media Player software.

For the longest time I have used VideoLAN VLC media player and found it adequate for the purpose. I prefer the VLC Media Player Portable package. However it seems to take a long time to load up and get started on all the systems I run it on. Maybe that’s me.

I was reading this TinyApps blog post Download Flash videos and I jumped and browsed around on the Grab Any media app/extension that was mentioned.

There I saw a recommendation for the MPC-HC open-source video player. It also comes in a Media Player Classic - Home Cinema (MPC-HC) Portable version over at PortableApps.com.

Me likey!  It is relatively small, launches much faster than VLC, and has so far been compatible with my favored video codecs.

So I’m keeping it around in my portable apps collection.

Another similar alternative to both VLC and MPC-HC is SMPlayer, another free media player for Windows systems also available in a SMPlayer Portable via PortableApps.com.

Always good to have alternatives!

Claus Valca

Rook Security - Milano tool

As usual…a week or more late…

Anyway, Rook Security spent some time analyzing the data-dump from Hacking Team and in the process have found some indicators of compromise (IOCs) of a Hacking Team presence on a system.

Basically you can download their free/open-source tool which does a quick or full scan of a system and compares the files against known IOC hashes.

Downloads - Rook Security.  Current look for the “Milano 1.0.1: Hacking Team Malware Detection Utility” link.  There is also an MSI version for enterprise deployment.

Then it’s up to your leet skills to figure out if these are false positives or not.

I’ve ran their tool against both my systems. The quick scan is very fast. The full scan took a nighttime to complete on my traditional HDD system but it ran very fast across my SSDD drive system.  In all cases my systems came back clean.

It’s a portable app so no excuse not to include in in your USB carry-stick toolkit.

You may want to keep an eye on their tool for updates. At least one update has been released. It is also unknown if other security vendors are adding the IOC/hashes to their own detection engines.

More info here

Constant Vigilance!

Claus Valca

GSD Windows Defense in Depth Strategy

I noticed more than a few times I have posted a listing of the security posture I take and it has been almost a year since the last topic-specific post here.

So here you go. Tested and approved on Windows 7/8.1 platforms. Not sure yet on Win 10.

  1. TrueCrypt full disk encryption. Yes. I know. Development stopped mysteriously…blah.blah.blah. There are a number of free alternative WDE options for users if you wish (or Bitlocker if your Windows OS supports it) such as DiskCryptor or VeraCrypt. My purpose in using TrueCrypt/WDE is to protect the contents of our system from data-loss in the event the device is stolen. Period. (Note to self…I’ll probably have to do a full TrueCrypt disk decryption before doing the Win 10 upgrade. Hmm… gotta think about the options for WDE on Windows 10 carefully as Bitlocker only valid on one of my systems. Thoughts or recommendations anyone?)
  2. I’m using the built-in Windows Firewall product with (generally) default settings.
  3. I keep the Windows OS fully patched (drivers too as best I can) to minimize OS vulnerabilities.
  4. I keep any (remaining) third party plug-in software (such as Flash, Java, Silverlight, etc.) fully patched and install updates as soon as a new build version is released. However..see item 4.
  5. I have continued my march on removing Flash, Java, etc. plug-ins from our systems…with little ill impact. You can’t exploit what isn’t installed.
  6. Microsoft Security Essentials - Microsoft Windows. Far from the most robust or highly ranked, what I loose there I gain in the additional security layers below. Also the interface is easy to work with and manage and it plays well (thank goodness) with the additional security layers. My alternative choice would be Bitdefender Antivirus Free for those who need a super-duty AV product.
  7. Malwarebytes Anti-Malware & Internet Security Software - I use the “Premium” version on our systems. The free version is good too, however it doesn’t include “real-time” monitoring features.
  8. Malwarebytes Anti-Exploit Free - I use the free version of this tool as it covers all my primary concerns. Works great (as far as I can tell!) for zero-day exploits against (primarily) web-browsers.
  9. Enhanced Mitigation Experience Toolkit - EMET - Use of this anti-exploit platform is left for the more tech-savvy folks…particularly when combining with Malwarebytes Anti-Exploit. They can co-exist but takes some tweaking to harmonize with Internet Explorer in particular.
  10. CryptoPrevent Malware Prevention - Foolish IT - I use the free version to help protect all our home systems against ransomware/cryptoware threats.
  11. GlassWire - I use the free version of this firewall product for it’s logging features.
  12. Zemana AntiLogger Free - I’ve only recently found this product. It seems to be working well in the background.
  13. Process Explorer - Microsoft Sysinternals - I have this set to run in my system-tray automatically at login. It lets me quickly monitor and check on running processes and sub-processes. I check often so I can remain familiar with the normal running processes. If something new appears it should stand out to me and I can explore further.
  14. Sysmon - Microsoft Sysinternals - This core service runs in the background doing logging of process creations. I had turned on the network connection logging as well but there was so many entries, even with an event log manager utility it was hard sorting out the noise. So I turned off that option for now. This is mostly good for post-incident review work but it’s good to have running now.

If you are interested here are some previous GSD posts on this subject.

Constant Vigilance!

Claus Valca

Random Thought…

I really get rumpled when I get a robo-call from our neighborhood conglomerate grocery store weeks (nay, sometimes months) after we had bought and consumed a recalled food product from the store shelves.

Thank goodness Lavie and I generally have iron clad guts and reasonably youthful health.

I file those calls under TL:DMN (Too Late:Doesn’t Matter Now)

--Claus V.

Windows 10 Linkpost - Almost Here Edition


“Number 10” CC by 2.0 attribution: by yoppy on flickr.

Confession. In my “to be blogged” pile I have two folders of shame. One is titled “Windows 8/8.1” and the other is titled “iOS7”. They are filled with applicable links I collected but didn’t post on the lead up-to and immediately after those OS releases.  I need to file them.

Likewise, it has been a while since my last significant Windows 10 post. I don’t want to make that same mistake so here you go. Full Win 10 post out of the primary hopper. I’ve still got some Windows 10 feature-specific items I want to get out on their own “standalone” posts, but for now, this should do.

Generally I have enjoyed the Windows 10 TP builds I have been using. The last release before you had to use a Microsoft account to continue to get the updates was very solid. I took a pass on extending the build updates as I still don’t much like the idea of tying Win 10 (consumer) usage to an online account -- a la Apple iCloud or Google Chromebook. The Valca ranch is keeping to local accounts only for our systems. Sorry Microsoft.

Lavie was generally impressed with her foray through the Win 10 VM I put on her laptop. It’s close enough to Windows 8 that while she noted the clear differences, it didn’t freak her out like Win 8 did. She also likes the native Win 10 Start menu and we may not need to load Start8 or Classic Shell.

The only “major” complaint I have is the silliness of having the Win 10 GUI design for features/settings/configs but also having the “classic” GUI elements scattered amongst them. The Win 10 GUI design is “modern” but there is just so much wasted space (white-space for you print layout geeks) that I feel like I’m reading out of the “Large Type” book section of the library (no offense Pop). I prefer the tight and compact views when we are addressing configuration and settings.

Which leads me to a critical thought. In the “"*Nix” world there are several different desktop environments one can pick from depending on your preference. Not all desktop environments are fully compatible with core build platforms, but many are. Wouldn’t it be CRAZY if MS released a core (non-GUI) OS base for desktops that one could then install your own preferred (alternative) desktop environment? Say something like Server Core for Windows Server 2012 R2 and Windows Server 2012 (Windows). Jerry Nixon had a brief talk about the “core” concept Windows Core is Windows 10 is Windows Core is Windows 10.  Then again, that might be too technical and challenging and the *Nix world already has that idea well matured. Still--it’s a thought. There are already a few “replacement” Window shells out there still: Five replacements for the Windows 7 desktop via TechRepublic.

I still plan on upgrading my Win 7 Professional laptop system “Alister” to Win 10. Probably in September or October. Then maybe in 2016 depending on how that went upgrade my primary laptop “Tatiana” to Win 10.

Lavie will probably get Win 10 placed on her laptop by the end of August.

I’ll let you know how things go…

Official Windows 10 Site - Microsoft

Now, on to the link dump…

Win 10 - First Considerations

Win 10 - Gut Checks & Getting Started Guides (Safe for All Audiences)

Win 10 Flavor Details

About that Win 10 Upgrade icon…

Win 10 How-To’s…

Win 10 Updates and Upgrades

Now what could go wrong with mandatory/forced updates?

Oh. Yeah. That could happen…so can you stop it? At least for now? Maybe…

So how long are we good for?

More for the Admins

Opinion and Analysis

Depreciated but maybe useful in reference

Note, these are mostly pre-release build update notices and feature pick-apart reviews. Or ponderings on things generally no longer being hotly discussed.

Good Luck!

--Claus Valca