My Notes to Myself and Others... : General Computing

Mandatory Integrity Control (What,how and why do we care?)

Erik Rozman — Sat, 19 Jan 2008 15:10:03 GMT

The theory

Mandatory Integrity Control (MIC) is an additional layer of security built into Vista and
Windows 2008. This particular layer helps Windows protect itself from harmful intentional and unintentional
changes to important objects. Among the objects protected we can find files, directories, registry
key, printers, and actually any object that has a security descriptor.

The beauty of MIC is that it has been there in the background all along protecting you, yet you never knew
it existed. You might have actually encountered it by trying to change a file that is protected by it, and even
though you had the permission you couldn't...

The MIC layer is a barrier placed before your permissions are checked. Essentially this new road block checks
your privilege level against the object that you are trying to change. If your privilege level is equal or higher you are
allowed to make the change. On the other hand if your privilege is lower you cannot change the object even
though you may have the permission to.

Vista defines four integrity levels in order of precedence from low to high (the Untrusted and Trusted Installer are out
of scope here):

Low - Used by Internet Explorer 7 to enforce Protected Mode:
Medium - Used for standard users (assumed if no other level is set):
High - Used for administrative actions (CMD with Run as administrator):
System - Used by the system

Note that what happens is that each privilege level is represented by a different group SID.

Privilege levels are inherited, meaning that the privilege level of the creator is inherited by the object
that is created. If a user opens Notepad the users privilege level is attached to the process and the
file created by the process and so on...

A quick example

Ok, lets try something practical.
In the following example I will create a new file using an elevated CMD.exe ,view the integrity level by using ICACLS and then
I will try to delete the same file using a standard CMD.EXE...lets see what happens:

Note that CMD was started as an administrator and the file has been created with a privilege level of high (last line
of ICACLS output. The users privilege level is also high (see the WOAMI output and he belong to the Administrators
group).

Note that the second instance of CMD is not run as and administrator. The file is still there, still with a high level of privilege,
the user has permissions (ICACLS and WHOAMI output) yet he can not delete the file.
The reason is that the current privilege of the user is medium (note the output of WHOAMI).

Now to top it off-something odd(or actually normal,depends on how you look at it...). If you attempt to delete the file
from an Explorer window you will receive the following message:

Once acknowledged (by pressing Continue) the file will be deleted-what happened here?

Well by choosing to continue you elevated the Explorer processes level to High- thus you can delete the file...

Conclusion

Based on the above example you can see that MIC is an additional layer of security implanted into Vista. Vista
assigns the level of integrity a specific object belongs too, it's not configurable and the only way that a user
can elevate his own level of integrity is by interacting with the system an explicitly acknowledging an action(such as
the deletion of the file in our example). A very important point to understand about MIC is that it protects files
from being tampered with,not their privacy. In other words only ACLS will protect the file from being read.

Now I really love to contradict myself (at least I do it in different paragraphs...),there is a way to manipulate
files and even protect it's contents by using MIC but it's not a way I would recommend. On the other hand it's
still good to know and as Mark Minasi mentions what happens if a malware actually creates a file with the privilege
level of System -no one will be able to delete it?!?

Mark has created a tool called CHML.EXE that is a bit more versatile then ICACLS and it allows you to set privilege
levels.
For additional information on CHML look at:
http://www.minasi.com/vista/chml.htm

Citrix to acquire XenSource

Erik Rozman — Sun, 19 Aug 2007 07:42:28 GMT

Somewhat surprising but understandable. The question is how will Citrix size up against Microsoft
if Microsoft will see them as a competition and not a partner.

Official announcement by Citrix

Brian Maddens comments

Windows 2008 Technical Library

Erik Rozman — Fri, 10 Aug 2007 08:27:03 GMT

With the advent of Windows 2008 (Beta),and basically everyone getting their hands on a copy and
trying to learn how to use it, the Windows 2008 Technical Library can be a great resource.
The library describes what's new and provides step by step guides to explore the features:

http://technet2.microsoft.com/windowsserver2008/en/library/bab0f1a1-54aa-4cef-9164-139e8bcc44751033.mspx?mfr=true

Windows Live OneCare 2.0 to feature Online Photo Backup

Erik Rozman — Sat, 04 Aug 2007 13:21:01 GMT

A post on the Windows Vista team blog promises that the new OneCare will come with 10GB of
online storage to be used as a backup location for digital photographs(at a cost). The post provides
a short demonstration of the feature.

Wow,10GB. Online backup,kind of blows you away and makes you think about how everything
is going online. If network connections speed keeps growing you will no longer need local storage
and your data will follow you...Ok,I can't be that positive, think of the ramifications though,your
personal files will be stored on a location that you do not control...

A look at User Account Control (UAC)

Erik Rozman — Thu, 02 Aug 2007 23:00:31 GMT

Overview

UAC (also called Admin Approval Mode) is a new feature introduced with Windows Vista. The main goal of this
feature is to protect the operating system from malicious or accidental damage. This goal is achieved by
requesting consent from the user when an administrative action is attempted (installing an application, opening
computer management,etc.)

UAC has been introduced as the eternal battle between security and functionality rages on. While on one hand we
would like to allow our users to have full access to their systems (which essentially are their tools of trade), on the
other hand we are well aware that allowing unlimited access will without any doubt lead to unintentional/intentional
damage to the local system and far worse to the whole network(virus/worm/adaware infection).

On the same note, an additional issue we must deal with are administrative users. The majority of system admins will use
their privileged accounts for daily tasks. If such an account is compromised by malicious software it is literally unstoppable.
Several options were introduced to limit the access of administrative accounts without hampering their ability to manage a
system. One such example is 'Run as'. A system administrator can use a standard account for standard tasks, and use a
privileged account to invoke administrative tools (by using 'Run as'). Note that when using this feature a different account
is used to invoke a process and a different token (more about these later) is attached to that process (until the process
is stopped).

In my opinion, unless enforced by company policy, most system administrators kept on using privileged accounts as
they saw the need of using 'Run as' as a nuisance(invoking a different account,entering the user name again and then
the password, too much finger travel). Most system administrators, found the benefit in using 'Run as' when
standard users had to be awarded elevated permissions to perform a task (in other words when it didn't affect them...).

Enter UAC. UAC steps in and attempts to provide a type of a compromise between functionality and security by providing an
environment in which using an "elevated account" is less of a nuisance and not much of a choice...
Every time a standard user or an administrative user attempts to execute a command that requires elevated
privileges(not to be confused with permissions) he or she are queried if they are sure that they want to proceed (the exact
form of the query will be discussed later in this article).

So, how does(did) it work?

Privileges and permissions are different things:

Privileges/User rights -can be defined as broad abilities that apply to a system as a whole. Changing
the time on a system is a privilege/user right,backing up a system is a privilege/user right.
Permissions -what a user(process by proxy) can do to a specific object (be it a file or a printer, or an object in
Active Directory).

When a user logs on to the system he is authenticated(user/password), then a token is built for him by the system. The token,
will include the users privileges and Security Identifiers (SIDs). A token is very similar to a security pass.
[A SID is a unique string that uniquely (obviously) identifies security principals (user accounts,groups)]
A users token is attached to every process that the user initiates. The first process the user initiates in Vista is explorer.exe
which in turn initiates all process, which inherit the token from it.
When a user attempts to perform an administrative task,such as change the time, his token is examined-if he "owns" the privilege,
he will succeed- otherwise he will fail.
A similar process is undertaken when trying to access an object-each object has an Access Control List(ACL) that has Access Control
Entries (ACE). Each ACE defines a specific SID and wether this SID is allowed or denied a specific action. When the user attempts
to take a specific action on an object his token is examined and his SIDs are compared to the ones on the ACL,if there is a match
then the action defined is examined and according to it the user will either succeed or fail. If no match is found,the user will fail.
[the process is very similar to a private club,each member has a card(token) and the bouncer has the list(ACL) of who is allowed to enter]
A users token is created during the log-on process,thus if he is added to a new group for it to be reflected in his token, he has
to logoff and on again so a new token can be created for him.

How does(now) it work

In Windows Vista there are two types of users, standard users and administrator accounts. Every user that is created and logs on
to a Vista system is classified as one or the other. The distinction is important due to the fact that the token creation process has
changed. Each user still gets a token,yet:

Standard user -Receives one token that identifies the user to the system
Administrator accounts -Receives two tokens,one that represents the user as a standard user and one that holds all of the elevated
privileges that the user has.

To facilitate the usage of two tokens a new service called 'Application Information' has been added to Vista. This service is responsible
to identify the attempted usage of an administrative privilege and to act upon it based on the policies configured.

Implementation and Experience

UAC is enabled by default.
When Vista is installed, the first user that is created is defined as an administrator account (with UAC enabled). The built-in Administrator
account is disabled (by default). If the Vista installation is an upgrade from XP, and the installation determines that the only administrative
account is the built-in administrator it will leave it enabled with UAC enabled.
You should also note, that the local built-in administrator account can not be used to log on to the system in Safe Mode. Only exception
is in the case of a non-domain joined system that has no other administrative accounts configured on it. If the system is joined to a domain
there are no exceptions(local built-in administrator can not be used to log-on),if there is no other administrative account to be used, and
no cached credentials, Safe Mode with Networking has to be used to enable logon.

When an administrator account attempts an administrative task the system will ask for consent. It does so by taking a "dark screenshot"
and imposing above it a window that asks for consent. Now this "dark screenshot",except being very dramatic is actually a safe environment
that only Windows processes can access. It is possible for malware to imitate the visual appearance of this environment, yet it has to be
already installed on the system(in other words you are already in a bad place).

fig.1 Consent Window

By the way, the visual structure of the prompt will vary:
Red background and red shield icon: The application is from a blocked publisher or is blocked by Group Policy.

Blue/green background: The application is a Windows Vista administrative application, such as a control panel.

Gray background and gold shield icon: The application is Authenticode signed and trusted by the local computer.

Yellow background and red shield icon: The application is unsigned or signed but not yet trusted by the local computer.
In addition to that the details button will provide the exact name of the executable trying to run. Personally,I would also
like to see the name of the process that invoked the command.

When a standard user attempts to run a task that is of administrative nature he will be prompted to enter the credentials
of an administrator account.

fig.2 Credentials Window

The third visual cue is a small shield being placed next to menu options that warrant for administrative privileges.

Configuring UAC

UAC can be configured by using the Local Security Policy or by using GPO(Group Policy Object). There are nine settings:

fig.3 UAC settings (local Security Policy)

In my opinion the two major settings that control the behavior of this feature are:

Behavior of the elevation prompt for administrators in Admin Approval Mode:
- Elevate without prompting
- Prompt for credentials
- Prompt for consent (Default)
Behavior of the elevation prompt for standard users:
- Automatically deny elevation request for users
- Prompt for credentials (Default)

An additional location that can be used to turn off UAC can be found on the 'User Accounts' applet in 'Control Panel'. As you can see
in figure 4 the option is "prefixed" by a shield meaning that is a protected action.

Fig. 4 Turn UAC off

Conclusion

Considering UAC and past attempts to do something similar, leads me to the conclusion that UAC is a an upgraded 'Run as'. What
I mean to say is that when analyzing how this works we can see that UAC saves the hassle of having to enter credentials for system
administrators by allowing them to use one account with two tokens.
UAC provides safety,it might prevent mistakes done by system administrators and it might prevent the installation/execution
of unwanted software by providing the user with a "second chance".

A subject I have not mentioned here is the issue of application compatibility this is an important subject
since it enable us to use applications that have not been built with UAC in mind.
For that and more on UAC you can visit:

http://technet.microsoft.com/en-us/windowsvista/aa905113.aspx

Phishing Sites and IE7

Erik Rozman — Wed, 01 Aug 2007 20:05:44 GMT

Technorati Tags: IE7, rants, general computing

I am an Ebay user. As an Ebay user I am a target for phishng attacks. About a week ago I have made a purchase
and I forogt to leave feedback for the seller. A few minutes ago,I received an e-mail saying that I have received
a message from a seller(nothing special for someone who uses Ebay). I was a bit distracted so I pressed the
hyperlink found in the e-mail.

In a second I was transported to a message from IE7 saying that I am trying to reach a site that is reported as
a known site that is used for phishing:

Moral of the story,watch what you click on and good work IE7!

A memory leak occurs if the DNS dynamic update protocol is enabled on a DHCP server that is running Windows Server 2003

Erik Rozman — Fri, 27 Jul 2007 06:18:00 GMT

http://support.microsoft.com/kb/939928

Windows Server 2008 Component Posters

Erik Rozman — Tue, 24 Jul 2007 20:21:00 GMT

These two posters, originally published in the July 2007 issue of TechNet Magazine, provide a
strong visual tool to aide in the understanding of various features and components of Windows
Server 2008. One poster focuses exclusively on powerful new Active Directory technologies,
while the other provides a technical look at a variety of new features available in Windows Server
2008 (such as Server Core, Network Access Protection, and more).

http://www.microsoft.com/downloads/details.aspx?FamilyID=c2b9e44e-0bbd-47cb-bc09-b3d48be7f867&displaylang=en

Events and Errors Message Center

Erik Rozman — Tue, 24 Jul 2007 19:25:00 GMT

When one of the systems that you manage fails one the best ideas for troubleshooting is
looking at the logs. If the OS you are using is from Microsoft the main location for logs is
the event viewer.

The only problem with logs is that at times they provide very cryptic messages. In order to figure
out what the entry in the log means or what remedies can be used I personally use the following
website:
http://www.eventid.net

A couple of day ago I have noticed a KB article announcing that an "Events and Errors Message Center"
has been opened. This center will enable you to search for specific events (using the filters provided)
and once you do find the event you can also browse potential solutions/explanations.
The URL is:
http://www.microsoft.com/technet/support/ee/ee_advanced.aspx

Windows 2008 Impressions: Attended Installation

Erik Rozman — Sat, 14 Jul 2007 18:36:00 GMT

The attended installation process of Windows 2008 has been simplified.

Until Windows 2008, the process of installing a Windows system included the basic configuration of the system.
In other words the installer was asked a bunch of question he had to answer and once he was done he had a running
system. The system still needed to be configured but a basic system was up and running.

Windows 2008 changes this, (the installation no longer provides a running system) in order to simplify the installation
process almost all configurative questions have been removed and we are left with the bare necessities. The installation
process (very similar to Vista’s installation process) is comprised of the following questions:

1. Location (locale and time zone)

2. Disk partitioning-note that you do not have to create a partition, you can simply choose empty space and the
installation procedure will configure it for you

3. Product Key-by entering the correct key the correct version of the OS is chosen, if no key is entered the installer is
warned yet he is allowed to choose the version of the installation and he has to provide the key later on.

That’s it.

To Windows veterans this may seem a bit strange, you may be asking yourself, where is the part in which we configure
networking, you may also be asking yourself where do I chose the components I want installed…the answer is that they
have been removed from the installation process for the sake of simplicity.

When you are done with the installation all you get is a system with a very basic installation of Windows 2008 Server. System
configuration has been moved from the installation further down the line. Do not fear though, it has not been moved too far down
the line, you actually configure your server just after you have installed it with two new tools provided by the system (I will write
about them in my next post on the subject).

I am not sure how to treat this change or how I feel about it. On one hand there is no doubt that this change simplifies the installation
process of the OS which in turn allows quicker installations due to it’s “fire and forget” style, yet on the other hand it provides less
flexibility during the installation phase and it makes it seem a lot simpler to deploy a server. In addition to that it also makes it seem simpler
to deploy the OS. You may be asking why does that seem problematic?

Begin rant: The field of IT is being treated with less respect due to the fact that everyone feels that they can get involved with IT,
they understand IT and they can do IT since IT is simple. When all you need to deploy and OS is to click a mouse things
will get a lot worse…
Obviously this isn't the root of all evil yet deploying a server correctly isn't as simple as clicking on a button and in my opinion
the impression that it is as simple as clicking on a button shouldn't be created...after all perception is everything.

Disclaimer- The experiences and the ideas expressed in this post are my personal experiences. If you feel that they are inaccurate
or incorrect feel free to contact me about them.

TCP Header Checksums Displayed as Corrupted (using Network Monitor)

Erik Rozman — Wed, 11 Jul 2007 16:12:00 GMT

OK,so I was troubleshooting and odd issue with an FTP server and one of the things
that caught my attention while using Network Monitor (on a Windows 2000 server)
was that some(actually almost all) of the TCP checksums (originating from the server)
were found to be incorrect.

At first I thought I was having a networking problem,yet someone pointed out the fact
that since the calculation was being offloaded to the NIC Network Monitor may be
calculating the checksums incorrectly.

http://support.microsoft.com/kb/243294

TechNet Webcast: The New Server Core Installation Option in Windows Server 2008 (Level 300)

Erik Rozman — Sun, 08 Jul 2007 19:27:00 GMT

The description from the website:

Summary

In this session, we explore Server Core, a new minimal installation option included in Windows Server 2008. A Server Core installation provides a minimal environment for running a subset of the server roles, the Active Directory directory service, Active Directory Lightweight Directory Services, Domain Name System (DNS), Dynamic Host Configuration Protocol (DHCP), and file, print, and media services. Server Core also can reduce the servicing and management requirements and the attack surface for those server roles. In this webcast, we discuss the architecture of Server Core, in addition to installation, configuration, and administration of Server Core.

Presenter: Andrew Mason, Principal Program Manager Lead, Microsoft Corporation

Follow the link to view the webcast.

Funny article about iPhone...

Erik Rozman — Sat, 30 Jun 2007 18:56:00 GMT

I have no opinion or clue about the accuracy of the article titled "Ten Reasons Why You Shouldn't Buy an iPhone"by Jim Lynch
published at extremtech.com, yet it managed to make me laugh(read through it,until the end-and I hope you will understand
what I found amusing):

http://www.extremetech.com/article2/0,1697,2151961,00.asp

-- Erik Rozman

Exchange 2003 OWA and Vista

Erik Rozman — Sat, 07 Apr 2007 11:28:00 GMT

An oldie but I see it coming up in the newsgroups...my guess is that some sysadmins forgot to
fix the problem and the users (specifically home users) trying to access their mailboxes are
surprised and convinced that something is wrong with their own system(which to some extent is
true...):

http://support.microsoft.com/kb/911829

Vista Tip-Administrative CMD

Erik Rozman — Sat, 27 Jan 2007 13:47:00 GMT

Most administrators use the command prompt to run administrative tasks.
The problem is that if you are using Vista, opening the CMD will not allow you to run
commands as an administrator(unclear to me as to why couldn't they simply let the UAC
take care of it).

To solve this you could start the CMD using a shortcut with RUNAS, a better solution
though is creating a shortcut for CMD and setting the check box by the 'Run as administrator'
(Properties>Advanced).

Which process uses a specific port (TCP/UDP)

Erik Rozman — Fri, 05 Jan 2007 13:34:00 GMT

The most common reason for such a question to come up is security.
TCP/UDP ports are virtual windows on the walls that represent your computer.
If a perpetrator would like to gain access to your system he would do such using one
such window.

We might close all those windows (and it is advisable to do so when accessing the
Internet, by using a firewall that blocks direct access to the ports on your system),
yet due to their nature there may be times when you would like to allow access to your
system (hosting a website on your system or simply sharing files among systems).

Another important facet of the issue is that once a system is penetrated by a perpetrator
he might want to call his friends and have a party or in other words a malicious software
might open a port and allow access to others(publish your IP and port on an IRC channel).

Better yet,if you are infected by a virus, it might be using your system to scan for other
systems that might be vulnerable while striving to infect them.

How can we check who exactly is opening windows on our systems?

The best way to do this is to verify which process has opened a specific port.
If the process is familiar you are OK yet if you identify a process which you can not
account for you may be in trouble.

The following methods can be used to match open ports to processes:

Windows XP and higher- use the NETSTAT -O command
Pre XP- Download a neat tool called FPORT from Foundstone (McAffe)

Once you have the output you can simply Google the process names to determine their roles.
If you do this from time to time it possible to track behavioral changes and easily track down
unknown open ports on a system.

Still playing with RAM

Erik Rozman — Tue, 02 Jan 2007 09:38:00 GMT

I can't really say what happened since I don't understand it yet it works,so I guess that is important.

After losing one memory bank on my system(one of two 1GB sticks) and forgetting about it
I was awakened when my virtual machines would not start...Now looking for 133 memory sticks
is quite a challenge but I found a few that might be good.

So I tried to install it, two new sticks...system counts the memory and verifies it and then simply
freezes...I replace the old stick,it works...

I put the old one and then new one together-doesn't work(which is logical).

Switched between the slots and presto...two memory sticks from different manufacturers
with different speeds and it works...
Why ask questions...

Testing Memory (RAM)

Erik Rozman — Sun, 31 Dec 2006 19:39:00 GMT

OK,
So why I remembered this is a long and odd story which includes myself forgetting
that I have faulty memory installed on my laptop, wanting to install Fedora Core 6 inside
VMware on the same laptop and ending up recompiling the kernel in order to be able to
install VMware tools and failing...

Anyways Microsoft have a nifty tool that allows you to test your memory modules
by burning a CD:

http://oca.microsoft.com/en/windiag.asp

Yes I know,it has been there for long and might have even mentioned it in the past but
but it's still useful (and I am getting old...).

TombstoneLifetime 2003 SP1

Erik Rozman — Sat, 04 Mar 2006 18:53:00 GMT

A major yet not so known change. From 60 days we are going to 180 days
on new Active Directory(SP1) implementations and upgrades that have slipstreamed copy.

In other words your backups should be valid for 180 days and deleted objects
are saved for 180 days...

http://support.microsoft.com/kb/q216993/

Why sandboxes are important...or in other words don't shoot yourself in the leg

Erik Rozman — Mon, 19 Sep 2005 20:23:00 GMT

Why not you ask?
Well since it may be painfull...

Microsoft released a patch for Exchange 2003(888619). I read the documentation and it seemed to be relatively harmless...so I decided to apply it to my environment.

http://support.microsoft.com/?kbid=888619

[Yes,I know that it is extremely important to test patches before they are applied to production servers
but I guess I like living on the edge...yea,right!]

My environment has a front-end/back-end configuration-after the patch was applied to one of my servers OWA
stopped working for the users homed on it.

To make it even worse when I tried applying the patch(before understanding that I have an issue) to my other servers,
I got an error message stating that my server does not have SP1 for Exchange 2003 installed so I can't install the patch.
I have SP1 installed as far as I can tell.
[I start to get that sinking feeling...]

After removing the patch from the problematic server the service was resumed.

I don't really know what happened since I didn't have time to investigate it. I don't blame anyone for this(nor do I imply that there is a problem with the patch) but myself for not testing the patch and in addition to that it is possible that I have a problem in my environment that caused this.

Be sure to test the effects of a patch to your environment...