A few people have emailed asking why Windows Server 2008 does not reply to pings (and how to enable it).

It doesn’t by default. There is no official reason why, but it probably has something to do with the Ping of Death (POD) and ping flooding, both commonly used in Denial of Service attacks. In a POD attack the target server is sent an unusually large ICMP packet. In a ping flood, a server that is set to respond to pings may become bogged down answering them and unable to effectively respond to other requests such as HTTP and FTP. Denial of Service attacks usually require a coordinated effort among multiple computers to halt a server - but it happens, and often!

To enable pings on the public profile (i.e. over the Internet), go to Administrative Tools -> Firewall with Advanced Security -> Inbound Rules, find “File and Printer Sharing (Echo Request – ICMPv4-In)”, right-click it and select “Enable.”

[Image: Enable Ping Requests Windows 2008]

You can also open up the command prompt and type:

netsh firewall set icmpsetting 8

or type the following to disable the setting:

netsh firewall set icmpsetting 8 disable

For Windows Server 2008 R2, type:

netsh advfirewall firewall add rule name="ICMP Allow incoming V4 echo request" protocol=icmpv4:8,any dir=in action=allow
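The same `netsh advfirewall` rule wrapped in PowerShell for Windows Server 2008 R2, as an added example that is not part of the original post. Unlike the one-liner above it scopes the rule to a management subnet with `remoteip=` and to the public profile only, which answers the ping-flood concern without making the server reply to the whole Internet, and it checks that the rule actually landed. The rule name, the `192.0.2.0/24` subnet (a documentation range used as a placeholder) and the `Test-`/`Enable-`/`Disable-IcmpEchoRule` function names are assumptions for the example.

```powershell
# Added example, not from the original post. Requires an elevated PowerShell
# prompt on Windows Server 2008 R2 (or later), where netsh advfirewall exists.
# Assumptions: the rule name below and the management subnet (192.0.2.0/24 is
# a documentation range used here as a placeholder; replace it with yours).
$RuleName  = 'ICMP Allow incoming V4 echo request mgmt only'
$RemoteNet = '192.0.2.0/24'

function Test-IcmpEchoRule {
    # Returns $true when a firewall rule with the given name already exists.
    param([string]$Name = $RuleName)
    $out = & netsh advfirewall firewall show rule name="$Name" 2>&1
    return [bool]($out -match 'Rule Name:')
}

function Enable-IcmpEchoRule {
    # Adds an inbound allow rule for ICMPv4 type 8 (echo request), limited to
    # $Remote and to the public profile. Idempotent: skips if the rule exists.
    param([string]$Name = $RuleName, [string]$Remote = $RemoteNet)
    if (Test-IcmpEchoRule -Name $Name) {
        Write-Host "Rule '$Name' already present; nothing to do."
        return $true
    }
    & netsh advfirewall firewall add rule name="$Name" dir=in action=allow `
        protocol=icmpv4:8,any remoteip=$Remote profile=public | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "netsh failed with exit code $LASTEXITCODE"
        return $false
    }
    # Re-read the rule table rather than trusting the exit code alone.
    return (Test-IcmpEchoRule -Name $Name)
}

function Disable-IcmpEchoRule {
    # Removes the rule again, e.g. once the maintenance window is over.
    param([string]$Name = $RuleName)
    & netsh advfirewall firewall delete rule name="$Name" | Out-Null
    return ($LASTEXITCODE -eq 0)
}

# Usage: enable, print the resulting rule, then test from a host inside
# $RemoteNet with "ping <server>". Hosts outside that subnet still get no reply.
if (Enable-IcmpEchoRule) {
    & netsh advfirewall firewall show rule name="$RuleName"
}
```

If you need the rule on more than one profile, repeat the `add rule` call with `profile=domain` or `profile=private`; keeping the Internet-facing profile scoped to known addresses is the point of the example.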


Another one of Microsoft’s descriptive errors is 0x8ffe2740, shown when trying to start an FTP or web server from the IIS administration module. The error itself means that there is a port conflict with another service. This is a relatively easy diagnosis, as you should already know what ports your FTP or web servers use.

[Image: Error 0x8ffe2740 when starting FTP or IIS]

Use the netstat command in the command console to find out what program is using a particular TCP port. Replace the ## with the port you wish to test. This works on Windows Server 2003 and 2008.

netstat -anop TCP|find ":##"

The above command will return a PID (process ID). You will need to match that to a running program or service. Type the following command:

tasklist /SVC /FI "PID eq ####"

Here is an example using port 21. In this example you can see the “ftpsvc” service using port 21 through svchost.exe – which is normal. On a client’s machine it was MSUpdate2.exe that was using port 21 – a piece of malware running an FTP server to serve pirated movies!
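The netstat/tasklist lookup above, as an added PowerShell example that is not part of the original post. It parses `netstat -ano` output, resolves the owning process and the services hosted inside it (the same information `tasklist /SVC` shows) and flags a listener whose image name is not one you expect on that port, which is the check that would have caught MSUpdate2.exe. The `$ExpectedImages` allow-list, the function names and the sample netstat lines are constructed for the example.

```powershell
# Added example, not from the original post. PowerShell 2.0-compatible so it
# runs on Windows Server 2003 R2 / 2008 / 2008 R2. Run as Administrator so
# that netstat -o and the process/service lookups can see every PID.

# Assumed allow-list of image names that legitimately listen on a port
# (svchost.exe hosts ftpsvc on IIS 7; inetinfo.exe is the IIS 6 FTP service;
# http.sys listeners show up as PID 4 "System").
$ExpectedImages = @{
    21  = @('svchost.exe', 'inetinfo.exe')
    80  = @('System', 'svchost.exe', 'inetinfo.exe')
    443 = @('System', 'svchost.exe', 'inetinfo.exe')
}

function ConvertFrom-NetstatLine {
    # Turns one "netstat -ano" line into an object; returns $null for headers.
    param([string]$Line)
    $f = $Line.Trim() -split '\s+'
    if ($f.Count -lt 4 -or $f[0] -notmatch '^(TCP|UDP)$') { return $null }
    $local = $f[1]
    # Port is whatever follows the last colon, which also copes with [::]:21.
    $port = [int]$local.Substring($local.LastIndexOf(':') + 1)
    # TCP lines carry a State column, UDP lines do not.
    if ($f[0] -eq 'TCP') { $state = $f[3]; $owner = $f[4] } else { $state = ''; $owner = $f[3] }
    New-Object PSObject -Property @{
        Proto = $f[0]; LocalAddress = $local; Port = $port; State = $state; OwnerPid = [int]$owner
    }
}

function Select-PortListeners {
    # Filters parsed netstat lines down to listening sockets on $Port.
    param([string[]]$Lines, [int]$Port)
    $Lines | ForEach-Object { ConvertFrom-NetstatLine $_ } |
        Where-Object { $_ -and $_.Port -eq $Port -and ($_.Proto -eq 'UDP' -or $_.State -eq 'LISTENING') }
}

function Test-ExpectedListener {
    # $true when $ImageName is on the allow-list for $Port; unknown ports are always flagged.
    param([int]$Port, [string]$ImageName)
    if (-not $ExpectedImages.ContainsKey($Port)) { return $false }
    return [bool]($ExpectedImages[$Port] -contains $ImageName)
}

function Get-PortOwner {
    # Live check: which process owns the listener on $Port, which services run
    # inside it, and does that image belong there? Replaces the netstat/tasklist pair.
    param([int]$Port)
    $lines = & netstat -ano 2>$null
    foreach ($sock in (Select-PortListeners -Lines $lines -Port $Port)) {
        $proc  = Get-Process -Id $sock.OwnerPid -ErrorAction SilentlyContinue
        $image = if ($proc) { $proc.ProcessName + '.exe' } else { '<gone>' }
        if ($sock.OwnerPid -eq 4) { $image = 'System' }
        $svcs = Get-WmiObject Win32_Service -Filter "ProcessId=$($sock.OwnerPid)" |
                ForEach-Object { $_.Name }
        New-Object PSObject -Property @{
            Port = $Port; Proto = $sock.Proto; Local = $sock.LocalAddress
            OwnerPid = $sock.OwnerPid; Image = $image; Services = ($svcs -join ',')
            Expected = Test-ExpectedListener -Port $Port -ImageName $image
        }
    }
}

# Constructed sample of netstat -ano output (not captured from a real host).
$SampleNetstat = @(
    '  Proto  Local Address          Foreign Address        State           PID',
    '  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       1476',
    '  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4',
    '  TCP    192.0.2.10:21          198.51.100.7:51223     ESTABLISHED     1476',
    '  TCP    [::]:21                [::]:0                 LISTENING       1476',
    '  UDP    0.0.0.0:123            *:*                                    1020'
)
# Offline parse: only the two LISTENING sockets on port 21 survive, both PID 1476.
Select-PortListeners -Lines $SampleNetstat -Port 21 | Format-Table Proto, LocalAddress, State, OwnerPid -AutoSize
# An FTP listener owned by an image such as the post's MSUpdate2.exe is not on the allow-list.
Test-ExpectedListener -Port 21 -ImageName 'MSUpdate2.exe'
# Live check on this host:
Get-PortOwner -Port 21 | Format-List
```

In the live output an `Expected` of `False` is the cue to look at the `Image` and `Services` columns before stopping anything: a legitimate but unlisted image (for example a third-party FTP daemon you forgot about) just needs adding to `$ExpectedImages`, while an unfamiliar executable in a user-writable path is what the post's client ran into.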

[Image: Unexpected Error 0x8ffe2740]


The PC-OFF.BAT virus loads a shutdown script when logging onto Windows XP. A few seconds after logging in, Windows shuts down. This also affects safe mode. The countdown timer is set to only a few seconds, not allowing the user to enter “shutdown -a” in the Run box. You may not even see the emergency shutdown dialog before you are automatically shut down.

[Image: Windows XP Emergency Shutdown]

In order to remove the files, you’ll need the Windows XP CD. Other options include putting the hard drive into another computer, or using a LiveCD (BartPE or Linux) to remove the files.

Remove the files from your hard drive using the Windows XP CD

  1. Insert the Windows XP disc into the CDROM. You may need to adjust your BIOS settings to boot the CDROM first.
  2. When the “Welcome to Setup” screen appears, press “R.”
  3. Select the installation you wish to access (there should be only one option for most systems).
  4. Enter the administrator password when asked.
  5. Once at the Recovery Prompt, press ENTER after typing the following command: chdir c:\windows
  6. Press ENTER after typing the following command: del bar311.exe
  7. Press ENTER after typing the following command: del password_viewer.exe
  8. Press ENTER after typing the following command: del photo.zip.exe
  9. Press ENTER after typing the following command: del pc-off.bat
  10. Press ENTER after typing the following command: exit
  11. Remove the Windows XP disc and restart your computer.

Once pc-off.bat is removed from the Windows directory, you’ll be able to log on to Windows without it shutting down immediately. There are still remnants left over in the registry though – best to clean those up.

  1. Go to Start -> Run and type “regedit” and press ENTER.
  2. Go to HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon and find the key: “Userinit=C:\WINDOWS\system32\userinit.exe,xxxxxx.exe” where xxxxxx.exe is bar311.exe, photo.zip.exe or password_viewer.exe.
  3. Delete bar311.exe, photo.zip.exe or password_viewer.exe from the key, but be sure to leave userinit.exe! If you delete that, you will be unable to log on to Windows.
  4. Go to HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced and set the following key values: “Hidden=dword:00000001 (1)”, “HideFileExt=dword:00000000 (0)”, “ShowSuperHidden=dword:00000001 (1)”.
  5. Go to HKEY_CURRENT_USER\software\microsoft\Command Processor, find the key “autorun=c:\windows\pc-off.bat” and remove “c:\windows\pc-off.bat”.
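A read-only audit of the registry locations the cleanup above touches, as an added PowerShell example that is not part of the original post. It reports anything appended to the Winlogon `Userinit` value beyond `userinit.exe`, any `AutoRun` set under Command Processor (which is how pc-off.bat was launched) in either hive, and Explorer view settings that hide files or extensions. The function names are assumptions; the sample `Userinit` string is constructed from the file names in the post.

```powershell
# Added example, not from the original post. Read-only: it reports and does
# not change anything. Run in an elevated PowerShell prompt on the cleaned box.

function Get-UnexpectedUserinitEntries {
    # Splits a Winlogon Userinit value on commas and returns every entry that
    # is not the legitimate %SystemRoot%\system32\userinit.exe.
    param([string]$Value, [string]$SystemRoot = $env:SystemRoot)
    $legit   = Join-Path $SystemRoot 'system32\userinit.exe'
    $entries = $Value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    return @($entries | Where-Object { $_ -ne $legit })
}

function Get-CommandProcessorAutoRun {
    # AutoRun under Command Processor runs a command on every cmd.exe start and
    # should normally be absent. Checks both the user and the machine hive.
    foreach ($hive in 'HKCU', 'HKLM') {
        $key = "${hive}:\Software\Microsoft\Command Processor"
        $p = Get-ItemProperty -Path $key -Name AutoRun -ErrorAction SilentlyContinue
        if ($p -and $p.AutoRun) {
            New-Object PSObject -Property @{ Hive = $hive; AutoRun = $p.AutoRun }
        }
    }
}

function Get-ExplorerViewIssues {
    # The values the post sets: Hidden=1, HideFileExt=0, ShowSuperHidden=1.
    # Returns the ones that differ (a dropper named photo.zip.exe relies on
    # hidden extensions to pass as an archive).
    $key  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $want = @{ Hidden = 1; HideFileExt = 0; ShowSuperHidden = 1 }
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($name in $want.Keys) {
        $have = if ($p -and $p.PSObject.Properties[$name]) { $p.$name } else { '<unset>' }
        if ("$have" -ne "$($want[$name])") {
            New-Object PSObject -Property @{ Value = $name; Have = $have; Want = $want[$name] }
        }
    }
}

function Invoke-LogonPersistenceAudit {
    # Runs the three checks against this machine and prints the findings.
    $wl    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $extra = Get-UnexpectedUserinitEntries -Value $wl.Userinit
    if ($extra.Count) { Write-Warning "Userinit has extra entries: $($extra -join ', ')" }
    else              { Write-Host "Userinit OK: $($wl.Userinit)" }
    $ar = @(Get-CommandProcessorAutoRun)
    if ($ar.Count) { $ar | ForEach-Object { Write-Warning "$($_.Hive) Command Processor AutoRun = $($_.AutoRun)" } }
    else           { Write-Host 'No Command Processor AutoRun set' }
    Get-ExplorerViewIssues | Format-Table Value, Have, Want -AutoSize
}

# Constructed sample (not read from a live registry): the Userinit string the
# post describes, with bar311.exe appended by the malware. Only the extra
# entry comes back; the legitimate userinit.exe is filtered out.
Get-UnexpectedUserinitEntries -Value 'C:\WINDOWS\system32\userinit.exe,bar311.exe' -SystemRoot 'C:\WINDOWS'
# Live audit of this machine:
Invoke-LogonPersistenceAudit
```

Anything the audit reports is worth checking by hand before deleting: the `Shell` value next to `Userinit` is another common place for the same trick, and a trailing comma after `userinit.exe` is normal and is ignored by the split.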


February’s Patch Tuesday was eventful to say the least. Many have noticed that Patch #977165 (Security Bulletin MS10-015) causes a blue screen on some systems (Stop Error: PAGE_FAULT_IN_NONPAGED_AREA). While the initial outrage was directed at Microsoft for a shoddy patch, eventually it was found that the Alureon Rootkit was the cause of the blue screen after KB977165 was installed.

But don’t worry! The makers of the Alureon Rootkit have actually updated it and patched the flaw! Hurray!

For everyone else there are two options:

  1. Use a LiveCD to scan your hard drive for the rootkit and remove it. This will resolve the issue. Try Knoppix STD (http://www.knoppix-std.org/) or BartPE (http://www.nu2.nu/pebuilder/).
  2. Remove MS10-015 (977165) from your system.

How to remove Security Bulletin MS10-015 (977165) from your system

  1. Insert the Windows XP disc into the CDROM. You may need to adjust your BIOS settings to boot the CDROM first.
  2. When the “Welcome to Setup” screen appears, press “R.”
  3. Select the installation you wish to access (there should be only one option for most systems).
  4. Enter the administrator password when asked.
  5. Once at the Recovery Prompt, press ENTER after typing the following command: CHDIR $NtUninstallKB977165$\spuninst
  6. Press ENTER after typing the following: BATCH spuninst.txt
  7. Press ENTER after typing the following: systemroot
  8. Press ENTER after typing the following: exit
  9. Remove the Windows XP CD and restart.


Some time ago a co-worker had mentioned someone had been rummaging through her files on her computer. She had expressed some concern over the situation as the files in question were pertaining to a terminated employee. I nodded in sympathy and asked her the following questions:

  • When did this happen?
    Her response: After she had left work for the evening, but before she came in the next day.
  • Did you log-off of your computer in the evening?
    Her response: No.
  • Did you lock your office in the evening?
    Her response: No.
  • Is there anyone currently employed that would have an interest in those files?
    Her response: Yes.
  • Did you tell the Boss?
    Her response: No.

Because the office didn’t have any form of employee tracking, we could not find out who was in the building, let alone who accessed the files. While management was trying to find out who did it, I was focusing more on the measures that could have been taken to prevent it. The worker had not logged off her machine or locked her office in the evening. As with all things in IT, the typical response is always reactive instead of proactive. If the managers had taken my concerns about physical and virtual security seriously months before, the situation would not have happened. This example was the catalyst I needed to effect a change in policy regarding passwords, automatic log-off, and certain aspects of physical security.

[Image: Balancing IT security Venn diagram]

People, Process, Technology

Everyone has seen the People, Process, Technology Venn diagrams prevalent in business literature. I believe the most effective security practices involve a balance of all three categories to succeed – the process has to be sound, the technology relevant, and the people informed. Relying on any one of these categories too much will surely result in failure. No matter how locked-down a server is, if someone writes their password on a post-it note on the monitor, it is no longer secure. If there is no process in place to direct the people or the technology on the correct actions to take to be secure, it will fail.

Social Engineering

It seems the most vulnerable aspect of security lies in people’s tendency to succumb to social engineering tricks. Medium-sized companies are especially vulnerable as they may not have the means to implement physical security and also lack the close-knit employee base to detect outsiders easily. How easy do you think it would be to walk into a medium-sized company with a Canon shirt and convince them you are there to fix the copier?

I’d like to hear your own experiences with security, including what you think are the most important factors in creating a successful security policy.

