Parallèlement, le BSI et le CERTA ont demandé à Microsoft de corriger ces faillent de sécurité qui pourraient avoir de grands impacts sur le grand plublique; les risques d’impacts sur les achats en ligne riques d’être gros, et d’apporter plus à la “crise” qu’aux comptes des commerçants.

Microsoft ont fourni une première réponse et contournement qui limiterait les risques mais ne les annule pas : mettre le niveau de sécurité sur le niveau “élevé” pourrait réduire les risques dûs à l’utilisation des contrôles ActiveX et Javascript. Il va sans dire qu’en désactivant ces deux fonctionnalités il devient difficile voire même impossible de parcourir quelques sites Internet.

Ces deux utilitaires, quoique n’ayant pas un lien directe d’utilisation, ont été développés par Hs2n et fournis gratuitement sur le site dans la partie outils. Ci-dessous un passage en revu de leur utilisation.

WuInstall

WuInstall est un outil en ligne de commande pour Windows, qui vous permet d’installer les mises à jour Windows sur un ou plusieurs postes de travail d’une manière contrôlée en utilisant un script batch ou VBS au lieu d’utiliser la fonctionnalité de mise à jour automatique intégrée de Windows.

En effet, il est quelques fois difficile de passer automatiquement les mises à jour quand un applicatif risque de ne plus fonctionner correctement, surtout ceux basés sur une version spéciale d’un environnement donné (exemple : la CLR .Net)

Ceci dit, WuInstall utilise l’API standard de Windows Update pour chercher les mises à jour disponibles, que ce soit sur le site publique Microsoft Update, ou bien un serveur WSUS interne à l’entreprise. Si des mises à jour sont dispobiles, l’utilitaire peut bien les installer.

Export

Comme il est décrit dans l’introduction, l’outil export permet d’affecter le résultat de n’importe quelle commande en ligne de commande à une variable qu’elle soit d’environnement ou de script. Cette fonctionnalité est malheureusement absente en standard sous Windows. Petit exemple : vous voulez créer un fichier avec la date d’aujourd’hui dans un fichier batch: j’ai beau chercher mais il n’y a pas de méthode directe de le faire; cet outil vient à la rescousse comme le montre la figure ci-dessous prise directement sur le site de l’éditeur.

Exemple d'utilisation de l'outil Export

A noter que cet outil vient en deux versions : pour les versions 32 et 64 bits de Windows.

Voilà, j’espère que vous avez trouvé ces outils pratiques, Bonne lecture sur Ntsysv.com!

Copyright Ntsysv.com ]]> http://www.ntsysv.com/index.php/windows-scripting-deux-utilitaires-wuinstall-et-export/feed 1 http://www.ntsysv.com/index.php/introduction-to-dnssec-dns-security-extensions http://www.ntsysv.com/index.php/introduction-to-dnssec-dns-security-extensions#comments Sun, 01 Mar 2009 00:38:40 +0000 Aicha http://www.ntsysv.com/?p=345 DNSSEC (short for DNS Security Extensions) adds security to the Domain Name System (DNS). In fact, DNSSEC was designed to protect the Internet from certain attacks, such as DNS cache poisoning. DNSSEC is a specification of an extension to the DNS through the definition of additional DNS Resource Records that can be used by DNS clients to validate the authenticity of a DNS response, the data integrity of the DNS response, and where the response indicates no such domain or resource type exists, this negative information can also be authenticated.

DNSSEC provides:

1. Origin authentication of DNS data,
2. Data integrity
3. Authenticated denial of existence.

These functions are based on asymmetric cryptography system

In other words, if an attacker attempts to create a DNS response that has been altered from the original authentic response in some fashion, and the attacker then attempts to pass the response off as an authentic response, then a DNSSEC-aware DNS client should be able to detect the fact that the response has been altered and that the response does not correspond to the authoritative DNS information for that zone. In other words, DNSSEC is intended to protect DNS clients from forged DNS data. This protection does not eliminate the potential to inject false data into a DNS resolution transaction, but it adds additional information to DNS responses to allow a client to check that the response is authentic and complete.

As I said before, dnssec is based on cryptography, especially Public key cryptography which relies on a public and private key pair

Two types of keys are identified for use in zone signing operations. The first type is called

A Zone Signing Key (ZSK) and the second type are called a Key Signing Key (KSK). The ZSK Is used to sign the RRsets within the zone, and this includes signing the ZSK itself, the KSK is used to sign root of the Zone, which includes the ZSK and the KSK and may also be used outside the zone either as the trusted anchor in a security-aware server or as part of the chain of trust by a parent Name Server.

DNSsec mechanisms require also changes to the DNS protocol. DNSSEC adds four new resource record types: Resource Record Signature (RRSIG), DNS Public Key (DNSKEY), Delegation Signer (DS), and Next Secure (NSEC). These new RRs are described in detail in RFC 4034

What are the uses of each resource record?

DNSSEC uses public key cryptography to sign and authenticate DNS Resource record sets (RRsets).

The public keys are stored in DNSKEY Resource records, Digital signatures are stored in RRSIG resource records while, The NSEC resource record lists two separate things: the next owner name (in the canonical ordering of the zone) that contains Authoritative data or a delegation point NS RRset, and the set of RRTypes present at the NSEC RR’s owner name but for A DS RR it refers to a DNSKEY RR by Storing the key tag, algorithm number, and a digest of the DNSKEY RR, The DS RR appears only On the upper (parental) side of a delegation

Deploying Dnssec

1. Enable dnssec in authorative and recursive servers : Means that your dns will support dnssec functionality, so you have to add the following line in named.conf file (named configuration file):

Options {Dnssec-enable yes; };

2. Generate zsk and ksk for each zone :
   i/ Create zsk key:

   Dnssec-keygen -a rsasha1 -b 1024 -n zone ecole.com

   This command will generate 2 files with the following extensions:

   .key is public portion of the key

   .private is private portion of the key

   ii/ Create the ksk key:

   dnssec-keygen -a rsasha1 -b 1400 -f KSK -n zone ecole.com

3. Include keys in the zone file : we have to add the public portions to the zone file either but just including using this syntax :

$INCLUDE keys/Kecole.com.+005+12513.key; KSK

$INCLUDE keys/Kecole.com.+005+03977.key; ZSK

Or using command line mode :

Cat keys/Kecole.com.+005+12513.key >> ecole.db

cat keys/Kecole.com.+005+03977.key >> ecole.db

4. Sign the zone using the following command:

Dnssec-signzone -o ecole.com -t -k Kecole.com. +005+12513 ecole.db Kecole.com.+005+03977

5. Update named.conf file :

Replace :

zone “ecole.com ” {

file “ecole .db “;

};

With:

zone “ecole.com ” {

file “ecole.db.signed “;

};

6. Creating a secure delegation :

The process for signing a sub domain is essentially similar to that defined for signing a zone with one single difference; A Delegated Signer RR can be added to the ecole.com zone file to create secure delegation.

In fact we have to follow the same steps described before but while singing the zone we have to use the command:

dnssec-signzone -o etudiant.ecole.com -t -g -k Ketudiant.ecole.com.+005+64536

etudiant.db Ketudiant.ecole.com.+005+48560

The -g argument is used to generate two special files called dsset-etudiant.ecole.com. (Containing the DS RR for the parent) and keyset-etudiant.ecole.com. (Containing a copy of the public Key DNSKEY RR of the KSK).

When the parent administrator receives the dsset-etudiant.ecole.com. and, optionally, the keyset-etudiant.ecole.com. files, they are placed in the same directory where the ecole.com zone is signed. The dsset-etudiant.ecole.com. File is included in the original ecole.com zone. Re-sign the zone by executing the dnssec-signzone command exactly as before

The only thing that has changed is the additional Ds reecords in the new zone file, so that the sub domain zone gets its authentification through the delegation point in ecole.com in the parent zone

You may understand more the use of the Ds record in my next article which will be about DLV System and how to create a trusted anchor within a chain of trust

I hope it was useful and I want to thankyou for your time.

As discussed in the Forum ( in a post about Remote Access), there’s some actions we can take (I can not list all of them) and that help speeding up Windows.

Physical Disk Speed

When choosing a hard disk for your computer or laptop, think in a long term fashion: you may keep some money in your pocket but you will have to get them out sooner than you think when your slow cheap new disk start struggling under whatever software you use. So spend more money and get a good disk for once.

Disk And File Fragmentation

Every time you delete or move a huge number of files or big files (an old movie or game) think about Defragmentation. Windows Built-in Disk Defragmentation Tool is not there by chance, it is enough to use with normal files; I say normal files because the tool cannot defrag paging file for example or some system files. The tool is available under  :

All Programs/Accessories/System tools

and is called Disk Defragmenter.

A nice method exists to Defragment disks in Command Line mode, using a batch file for example. The command defrag is here to help scripting all drives defragmentation while sleeping or taking a coffee. The help section of this command is clear and command usage is straightforward as discribed bellow :

C:\>defrag /?
Usage:
defrag <volume> [-a] [-f] [-v] [-?]
volume  drive letter or mount point (d: or d:\vol\mountpoint)
-a      Analyze only
-f      Force defragmentation even if free space is low
-v      Verbose output
-?      Display this help text

all you have to do is to replace <volume> by drive name (eg. C:, D:…).

For System and special files, there is many tools available to buy on the net.

Paging File aka Pagefile.sys

Paging file (or swap file) helps the Operating System to run more programs than what would only physical RAM do. It is a partition of the Disk (generally for Unix Like systems), or a file constructed in a particular way (possible for both Windows and Linux). All known Operating System need a paging space; an exception are the “Live” Systems, that run in available RAM and may not need to swap.

For Windows, the size of the Pagefile.sys file is automatically set and the default location is the system drive. Here, at Windows Setup time or after, it is recommended to create a dedicated drive to host the paging file, so that the heavy I/O load does not affect neither Windows itself nor any running application. For the size of the Pagefile.sys, it is linked to physical memory size and in general 1,5 to 2 times bigger. An easy way to decide is by checking the recommended size calculated by Windows as described in the following animation :

One done, you man not see the new policy as there’s a default filtering. To disable filtering, right click on “administrative templates”, select “Display” menu and then “Filtering”; uncheck all checkboxes. Have a look here :

Some explanations about parameters used in the above example :

• KEYNAME : Registry key to change/create.
• ACTIONLISTON : actions to perform when the policy is enabled
• ACTIONLISTOFF : actions to perform when policy is disabled
• strings section : values for substitution variables, noted with double exclamation mark (!!category for example). These varibales are used for portability between different language versions of Windows.

Having the adm file imported does not mean it is in use and applied. You need to create a new strategy (or update an existing one) to use the policy. Then you have to link this strategy to the Organisational Unit (OU) you want.

In the client side, you need to run gpupdate in the command prompt if you want the modifications to be applied right at the moment without waiting any longer. Gpupdate command replaces secedit command available in Windows 2000 and older versions. Please refer to the help of these commands for more details.

I hope you enjoyed reading and it was useful.

In a previous article we saw how to disable low dik space warnings in Windows systems, in this article we will talk about Autorun.

Microsoft Windows come with the AutoRun feature which make applications start automaticaly when inserting a CD/DVD, mapping a network drive or plugging a USB key. This is the worst case because everyone can plug a usb key to move data, to get pictures from a friend, to copy music …etc.

When a Removable Device is connected to computer, either the autorun launches the exe/.com file to witch a Autorun.inf file point to, or the user double click on the icon to browse the device content. In both cases, a hidden execution happens and make the computer infected. As an example, the Malicious software W32.Downadup uses this technique to spread.

In Microsoft, we can read many articles, such :

• How to correct “disable Autorun registry key” enforcement in Windows : which details also how to disable autorun useing Group Policy Objects (GPO)
• How to Enable or Disable Automatically Running CD-ROMs
• How to disable the use of USB storage devices (more radical solution!)

Today I received an US-CERT notification to say that those solutions are not effective when a media is first time connected to computer. In the Technical Cyber Security Alert TA09-020A we can read :

The Autorun and NoDriveTypeAutorun registry values are both ineffective for fully disabling AutoRun capabilities on Microsoft   Windows systems. Setting the Autorun registry value to 0 will not prevent newly connected devices from automatically running code specified in the Autorun.inf file. It will, however, disable Media Change Notification (MCN) messages, which may prevent Windows from detecting when a CD or DVD is changed. According to Microsoft, setting the NoDriveTypeAutorun registry value to 0xFF “disables Autoplay on all types of drives.” Even with this value set, Windows may execute arbitrary code when the user clicks the icon for the device in Windows Explorer.

The proposed solution is to set the following value to registry :

Path : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf

Value : @=”@SYS:DoesNotExist”

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@=”@SYS:DoesNotExist”

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

Hope you found this post useful, and I’d like to invite you to subscribe to my feed to keep in touch with future posts.

We saw in a previous article how to save and restore a Windows 2003 system by using ASR. This is a particular method available in Windows 2003 but not in Windows 2000 and older versions.

Based on a live linux 22Mb image, PING offers all needed commands to map a Windows share, mount an NFS partition, and maybe make an FTP image. The included automated dhcp client makes it easy for people not used to linux systems to use PING without any problem.

In the officiel Website we can read more details about its advantages; those I find interesting :

• Backup and Restore the BIOS data as well;
• Either burn a bootable CD / DVD, either integrate within a PXE / RIS environment;
• Possibility to Blank local admin’s password;
• Create your own restoration bootable DVD

and if we compare PING to DOS or Ghost tools :

• Most network cards automatically recognized by the Kernel;
• Most CD/DVD readers automatically recognized by the Kernel;
• You don’t have to run a Ghostcast server to receive images over the network;
• More supported filesystems;
• You can store an image on several CD/DVD (CD/DVD-spanning);
• You can backup and restore BIOS settings too;
• Much much smaller than WinPE / BartPE;

Basic linux commands are also available to run in the text mode. In fact, PING starts a text based assistant to guide the user step by step. It is always possible, if the assistant exits, to start it by using

/etc/init.d/rc.ping

script.

In the example I expose in this video, I start by making an image of a Windows 2003 server to a network share. Then I destroy the existant disk and create a new blank one. Then I restore the saved image to the new disk. Note that source and destination disks may be of different sizes, but necessary the source larger than the destination.

An evident remark is that the tool may be used for any kind of operating system, as it does not look at files level but in blocs one.

Enjoy seeing this video, and I hope it will help!

Obtain HD version by a simple Call or   Paypal

Entrez votre code d’accès -
Enter your access code

Pour connaître notre solution de micro paiement : Allopass

PING is available to download in the offcial Web Site.