Parallèlement, le BSI et le CERTA ont demandé à Microsoft de corriger ces faillent de sécurité qui pourraient avoir de grands impacts sur le grand plublique; les risques d’impacts sur les achats en ligne riques d’être gros, et d’apporter plus à la “crise” qu’aux comptes des commerçants.

Microsoft ont fourni une première réponse et contournement qui limiterait les risques mais ne les annule pas : mettre le niveau de sécurité sur le niveau “élevé” pourrait réduire les risques dûs à l’utilisation des contrôles ActiveX et Javascript. Il va sans dire qu’en désactivant ces deux fonctionnalités il devient difficile voire même impossible de parcourir quelques sites Internet.

Ces deux utilitaires, quoique n’ayant pas un lien directe d’utilisation, ont été développés par Hs2n et fournis gratuitement sur le site dans la partie outils. Ci-dessous un passage en revu de leur utilisation.

WuInstall

WuInstall est un outil en ligne de commande pour Windows, qui vous permet d’installer les mises à jour Windows sur un ou plusieurs postes de travail d’une manière contrôlée en utilisant un script batch ou VBS au lieu d’utiliser la fonctionnalité de mise à jour automatique intégrée de Windows.

En effet, il est quelques fois difficile de passer automatiquement les mises à jour quand un applicatif risque de ne plus fonctionner correctement, surtout ceux basés sur une version spéciale d’un environnement donné (exemple : la CLR .Net)

Ceci dit, WuInstall utilise l’API standard de Windows Update pour chercher les mises à jour disponibles, que ce soit sur le site publique Microsoft Update, ou bien un serveur WSUS interne à l’entreprise. Si des mises à jour sont dispobiles, l’utilitaire peut bien les installer.

Export

Comme il est décrit dans l’introduction, l’outil export permet d’affecter le résultat de n’importe quelle commande en ligne de commande à une variable qu’elle soit d’environnement ou de script. Cette fonctionnalité est malheureusement absente en standard sous Windows. Petit exemple : vous voulez créer un fichier avec la date d’aujourd’hui dans un fichier batch: j’ai beau chercher mais il n’y a pas de méthode directe de le faire; cet outil vient à la rescousse comme le montre la figure ci-dessous prise directement sur le site de l’éditeur.

Exemple d'utilisation de l'outil Export

A noter que cet outil vient en deux versions : pour les versions 32 et 64 bits de Windows.

Voilà, j’espère que vous avez trouvé ces outils pratiques, Bonne lecture sur Ntsysv.com!

Copyright Ntsysv.com ]]> http://www.ntsysv.com/index.php/windows-scripting-deux-utilitaires-wuinstall-et-export/feed 1 http://www.ntsysv.com/index.php/securing-your-windows-system http://www.ntsysv.com/index.php/securing-your-windows-system#comments Thu, 05 Feb 2009 17:25:57 +0000 ElMehdi http://www.ntsysv.com/?p=325 Today, increasingly people are using their computers for everything from communication to online banking and investing to shopping.  As we do these things on a more regular basis, we open ourselves up to potential attackers and crackers. 

While some may be looking to phish your personal information and identity for resale, others simply just want to use your computer as a platform from which to attack other unknowing targets.  Below are a few easy, cost-effective steps you will be able to take to make your computer more protected.

1. Always make backups of important information and store in a safe place separate from your computer.
2. Update and patch your OS, browser and software frequently.  If you have a Windows OS, start by going to windowsupdate.microsoft.com and running the update wizard.  This program will help you find the latest patches for your Windows computer.  Also go to officeupdate.microsoft.com to locate possible patches for your Office programs.
3. Install a firewall.  Without a good firewall, viruses, worms, Trojans, malware and adware can all easily access your computer from the Internet.  Consideration should be given to the benefits and differences between hardware and software based firewall programs.
4. Review your browser and email settings for optimum security.  Why should you do this?  Active-X and JavaScript are often used by hackers to plant malicious programs into your computers.  While cookies are relatively harmless in terms of security concerns, they do still track your movements on the Internet to build a profile of you.  At a minimum set your security setting for the “internet zone” to High, and your “trusted sites zone” to Medium Low.
5. Install antivirus software and set for automatic updates so that you receive the most current versions.
6. Do not open unknown email attachments.  It is simply not enough that you may recognize the address from which it originates because many viruses can spread from a familiar address.
7. Do not run programs from unknown origins.  Also, do not send these types of programs to friends and coworkers because they contain funny or amusing stories or jokes.  They may contain a Trojans horse waiting to infect a computer.
8. Disable hidden filename extensions.  By default, the Windows operating system is set to “hide file extensions for known file types”.  Disable this option so that file extensions display in Windows.  Some file extensions will, by default, continue to remain hidden, but you are more likely to see any unusual file extensions that do not belong.
9. Turn off your computer and disconnect from the network when not using the computer.  A hacker cannot attack your computer when you are disconnected from the network or the computer is off.
10. Consider making a boot disk on a floppy disk in case your computer is damaged or compromised by a malicious program.  Obviously, you need to take this step before you experience a hostile breach of your system.

I hope these recommendations will help you.

Happy staying in Ntsysv Blog!

So, what’s the facts? The first one is that the application is not working, and thus, many people cannot work. The server (a Windows 2003 server) is a Dell server backed up with Symantec Backup Exec System Recovery (BESR), a tool that takes drives images so that recovery time is the least, and the last save is available in a network share. I have available too some free resources in an ESX enough to create a new virtual machine to host the server image.

As you noticed, the starting idea was to recover the image  of the physical server to a virtual machine. What I came up with is a new technique to virtualize a physical server, and transform it to a virtual machine. This is thanks to “Restore Anywhere” option available in BESR; in normal restore cases, we will restore to an identical hardware and this option is not needed, but in the scenario I described, the image is going to a virtual hardware. It is good to know that Windows License Product Key will be needed to be able to Activate Windows later on. No need for specific drivers as VMware ones are available by default.

So how we do it?

To be able to “remake” a blank server, BESR comes with a bootable CD that configures the basic information needed to work with the new server : we can configure network interfaces, map network drives,…etc. Once the IP stack is correctly configured (you can issue a “ping” command to the IP used to check if the server is responding) you can use the available wizard to map a drive to the network share hosting the images.

After this basic configuration, you can start recovering the server, or shall I say building the virtualized server. It will take up to 2 hours to restore 50Gb image if the ESX is “normally” used; of course, it may take less time in a test environment. After the first reboot, the server will start configuring the new hardware, this may take up to 15 minutes, so you can go and have a coffee! A question will be asked to you  is that if you need the server to be joined to a domain or you want to keep it in the “workgroup”. It is wise to let it in the workgroup till it becomes available to configure it at your ease.

The server is now up and running; the new virtual server will keep the initial name, applications and so on, but no hardware configuration will remain, neither network configuration. At this point, you can reconfigure your server as you wish.

For me, I was able to backup specific file using ntbackup tool in the new virtual machine and restore them to the original physical server. Please note that if you connect you new virtual machine to the network, and if you keep the same name, it may generate a “duplicate name” TCP/IP error. I bypassed this error by removing any DNS server IP, Wins server IP from network configuration. Also, you will have to disable Netbios naming utilization, so the server will only use IPs to communicate in the network.

I hope you liked this post and found it helpful, and I’d like to thank you for your time.

The file to update is :

%USERPROFILE%\Application Data\VMware\config.ini

for windows versions of VMware workstation, and :

~/.vmware/config

for Linux one.

The parameter you have to add is :

mks.noBeep = “TRUE”

Please note:

• The configuration file is “profile” dependent; so if you update it for your profile, other ones in the same computer won’t have it configured.
• You have to stop/close all Vmware Workstation running instances.
• You may need to restart the “VMware Autorization Service“
• You may not find the config or config.ini files, so just edit a new file.
• Under Linux, a file or folder for which the name starts with a Dot is hidden, to be able to see it you have to issue an “ls -a” to display it.

Hope this was helpful.

In a previous article I talked about disabling Autorun facility in Windows using a registry value suggested by US-CERT. To remind the reader, the key and value are :

Path : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf
Value : @=”@SYS:DoesNotExist”

To deploy this configuration using GPO, we need to create a new, or may be update an existing one, administration file. Administration files are normally located in folder :

%systemroot%\inf

and have .adm extension.

I will not go into details of ADM files syntax, version control and Operating System filtering, as it will need more than one article, but anyway : here is a prototype you can always use with Windows XP (and above?) and you can change the key and values but keep the same syntax. For interested readers, I recommend this document : “Using Administrative Template Files with Registry-Based Group Policy” from Microsoft site.

So, the ADM file I propose for this configuration:

CLASS MACHINE
CATEGORY !!category
KEYNAME “SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf”
POLICY !!policynameautorun
ACTIONLISTON
VALUENAME “@”        VALUE “@SYS:DoesNotExist”
END ACTIONLISTON
ACTIONLISTOFF
VALUENAME “@”        VALUE “”
END ACTIONLISTOFF
END POLICY
END CATEGORY
[strings]
category=”Custom Policy Settings”
policynameautorun=”Disable autorun”

save this lines as “customPolicies.adm” for example, and import it as an administrative template. To do so, develop “computer configuration“, then right click on “administrative templates” group,  and choose “Add/Remove templates”, click on “Add” and browse for your file. Once selected, validate and close; You’ll see your new group of policies (that is named “category” in the adm file) in the groups tree. You can see this steps in this video.

One done, you man not see the new policy as there’s a default filtering. To disable filtering, right click on “administrative templates”, select “Display” menu and then “Filtering”; uncheck all checkboxes. Have a look here :

Some explanations about parameters used in the above example :

• KEYNAME : Registry key to change/create.
• ACTIONLISTON : actions to perform when the policy is enabled
• ACTIONLISTOFF : actions to perform when policy is disabled
• strings section : values for substitution variables, noted with double exclamation mark (!!category for example). These varibales are used for portability between different language versions of Windows.

Having the adm file imported does not mean it is in use and applied. You need to create a new strategy (or update an existing one) to use the policy. Then you have to link this strategy to the Organisational Unit (OU) you want.

In the client side, you need to run gpupdate in the command prompt if you want the modifications to be applied right at the moment without waiting any longer. Gpupdate command replaces secedit command available in Windows 2000 and older versions. Please refer to the help of these commands for more details.

I hope you enjoyed reading and it was useful.

In a previous article we saw how to disable low dik space warnings in Windows systems, in this article we will talk about Autorun.

Microsoft Windows come with the AutoRun feature which make applications start automaticaly when inserting a CD/DVD, mapping a network drive or plugging a USB key. This is the worst case because everyone can plug a usb key to move data, to get pictures from a friend, to copy music …etc.

When a Removable Device is connected to computer, either the autorun launches the exe/.com file to witch a Autorun.inf file point to, or the user double click on the icon to browse the device content. In both cases, a hidden execution happens and make the computer infected. As an example, the Malicious software W32.Downadup uses this technique to spread.

In Microsoft, we can read many articles, such :

• How to correct “disable Autorun registry key” enforcement in Windows : which details also how to disable autorun useing Group Policy Objects (GPO)
• How to Enable or Disable Automatically Running CD-ROMs
• How to disable the use of USB storage devices (more radical solution!)

Today I received an US-CERT notification to say that those solutions are not effective when a media is first time connected to computer. In the Technical Cyber Security Alert TA09-020A we can read :

The Autorun and NoDriveTypeAutorun registry values are both ineffective for fully disabling AutoRun capabilities on Microsoft   Windows systems. Setting the Autorun registry value to 0 will not prevent newly connected devices from automatically running code specified in the Autorun.inf file. It will, however, disable Media Change Notification (MCN) messages, which may prevent Windows from detecting when a CD or DVD is changed. According to Microsoft, setting the NoDriveTypeAutorun registry value to 0xFF “disables Autoplay on all types of drives.” Even with this value set, Windows may execute arbitrary code when the user clicks the icon for the device in Windows Explorer.

The proposed solution is to set the following value to registry :

Path : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf

Value : @=”@SYS:DoesNotExist”

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@=”@SYS:DoesNotExist”

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

Hope you found this post useful, and I’d like to invite you to subscribe to my feed to keep in touch with future posts.

We saw in a previous article how to save and restore a Windows 2003 system by using ASR. This is a particular method available in Windows 2003 but not in Windows 2000 and older versions.

Based on a live linux 22Mb image, PING offers all needed commands to map a Windows share, mount an NFS partition, and maybe make an FTP image. The included automated dhcp client makes it easy for people not used to linux systems to use PING without any problem.

In the officiel Website we can read more details about its advantages; those I find interesting :

• Backup and Restore the BIOS data as well;
• Either burn a bootable CD / DVD, either integrate within a PXE / RIS environment;
• Possibility to Blank local admin’s password;
• Create your own restoration bootable DVD

and if we compare PING to DOS or Ghost tools :

• Most network cards automatically recognized by the Kernel;
• Most CD/DVD readers automatically recognized by the Kernel;
• You don’t have to run a Ghostcast server to receive images over the network;
• More supported filesystems;
• You can store an image on several CD/DVD (CD/DVD-spanning);
• You can backup and restore BIOS settings too;
• Much much smaller than WinPE / BartPE;

Basic linux commands are also available to run in the text mode. In fact, PING starts a text based assistant to guide the user step by step. It is always possible, if the assistant exits, to start it by using

/etc/init.d/rc.ping

script.

In the example I expose in this video, I start by making an image of a Windows 2003 server to a network share. Then I destroy the existant disk and create a new blank one. Then I restore the saved image to the new disk. Note that source and destination disks may be of different sizes, but necessary the source larger than the destination.

An evident remark is that the tool may be used for any kind of operating system, as it does not look at files level but in blocs one.

Enjoy seeing this video, and I hope it will help!

Obtain HD version by a simple Call or   Paypal

Entrez votre code d’accès -
Enter your access code

Pour connaître notre solution de micro paiement : Allopass

PING is available to download in the offcial Web Site.

so let’s start!

Creating the floppy image

To create a floppy image, simply go to hardware edit tab, double click on floppy icon and chose “using an image”; you’ll have the option to create a blank image, that’s what I highlight in the following video.

Now, let’s get into the action!

Performing the backup and restore.

So, now that we have a blank “floppy” to use, let’s start by making the ASR backup. Note that the ASR backup will save most of system configuration files, system state, boot info, registry and so on. Ensure that the .bkf file is saved together with the floppy. The .bkf file may be saved to a network share, or on a second disk attached to the server to restore.

So be able to apply this procedure, you’ll need:

• Windows 2003 CD (or what ever version you use)
• Created ASR floppy with its .bkf file

To perform the restore, we start by booting on Windows CD and hitting F2 when the ASR Restore choice is available. The Windows setup will start as any usual windows setup, but it will ask you soon for the backup file. Once the restore ends, the setup will reboot the server and you’ll be able to use the server as it was at backup time.

I hope you found it useful, and I’d like to thank you for your time.

La solution est plutôt simple à mettre en place mais il faut la connaitre! Il s’agit d’ajouter un paramètre de timeout ou de délai entre caractères saisis. Il faut définir ce paramètre pour toutes les machines virtuelles (Windows, Linux, ou autre) qui posent ce problème.

Il s’agit du paramètre:

typematicMinDelay

Il faut ouvrir le fichier de configuration de votre machine virtuelle (le fichier .vmx dans le dossier de la VM), et ajouter, à la dernière ligne, l’entrée suivante:

keyboard.typematicMinDelay = 2000000

Le chiffre 2000000 determine la durée entre deux saisies successives, on la force à 2 secondes dans notre cas (vu que l’unité par défaut est la µSec).

Voilà! il faut démarrer/redémarrer votre machine pour que la modification soit prise en compte.

Hope this helps!