Archive for the 'Hardening' Category

This should be pretty obvious, but a lot of people don’t seem to be aware of this old trick. Normally, if you try to guess another user’s password and it fails, the attempt will show up in the event viewer of the domain controller. However, there is a way you can try to guess an account’s password without the attempts ever being logged.

It’s actually pretty simple: just unplug your network cable. Continue Reading »

by mb
on Mar 1st, 2007

Two New Vista Papers by Symantec

Today Symantec released two new whitepapers about security protections in Vista: Analysis of GS Protection in Windows Vista and Analysis of Address Space Layout Randomization on Windows Vista.

Although my last blog post criticized Symantec for its hyped FUD, these two papers, by the same author, definitely provide some good information and demonstrate the thorough research that Ollie Whitehouse has done on this matter. Furthermore, the author clearly states the true issues here and provides detailed research notes. Continue Reading »

by mb
on Feb 25th, 2007

Really, Vista Security Isn’t Lame

Recently a friend was complaining to me about the “screen flickering” that occurs whenever a User Account Control (UAC) prompt comes up in Vista and he wanted to know how to turn it off—not UAC, just the dimming and flickering effects. He said he already looked in the display settings and didn’t see anything there. Continue Reading »

by mb
on Feb 19th, 2007

Is UAC a Fence That Falls Short?

When I was a teenager in California there was private oil pier near Rincon that we liked to jump off. It was great—you’d throw your surf board off first so there was no backing out, because it was scary looking down at the dark green ocean so far below you. Once your board was in the water you had no choice but to follow it out into the emptiness below. Continue Reading »

by mb
on Feb 17th, 2007

More on Program.exe

I thought I would add a bit more to my original post to clarify the problem. Half of the problem is the way Windows searches paths, and the other half is software developers who don’t quote their paths in the Registry or when calling CreateProcess. There are no built-in Windows services that have this problem and this issue has been documented for over a decade. Continue Reading »

by mb
on Feb 17th, 2007

The Program.exe Problem

A couple of years ago I mentioned in a SecurityFocus column that Windows has a problem when you put a file named “program.exe” in the system root directory. The problem is basically in how it deals with spaces in paths that don’t have quotes around them. Anyone with the permissions to create a file in the root directory could create a malicious program that could escalate their privileges. Here’s an excerpt from that article: Continue Reading »

by mb
on Feb 12th, 2007

Time for a Windows Cleanup

I have always been annoyed with the huge number of files under the Windows directory, but I was very surprised when I looked at my Windows directory under Vista: 39,609 files and 7,411 folders! Continue Reading »

If you have ever locked down a Windows 2003 or Vista machine you have probably run across the Application Experience Lookup Service, also known as Application Experience or AeLookupSvc. The documentation on this service is pretty vague and sometimes contradictory, so people often ask me whether they should keep this service enabled or disable it. I thought I would clarify exactly what this service does. Continue Reading »

I recently got a chance to play around with the file screens feature in Windows Server 2003 R2 and found it to be very interesting. Although it appears to be designed to provide general content control on a file server, it has some features that allow you to tightly control content in any directory. Continue Reading »

Many people tell me they are surprised with how much effort I put into hardening Windows Server 2003–the last hardening document I wrote for a client was 112 pages long. That’s not 112 pages of writing, policy, and how-to’s, that’s 112 pages of nothing but settings. The process itself involves the modification, removal, or locking down of over 5,000 Registry keys and system files. Continue Reading »

by mb
on Jan 8th, 2007

Windows Vista Security Guide

Microsoft has released v1.2 of the Windows Vista Security Guide:

http://go.microsoft.com/?linkid=5639874

by mb
on Jan 4th, 2007

Pointless Permissions

One thing I have always liked about NTFS security is the fine-grained control you have over file permissions. But this power comes at a price—you must understand a whole new world of acronyms, confusing metaphors, and expanded definitions of words such as principal, trustee, and inheritance. To fully take advantage of file permissions you need to understand how the whole thing works and delve into the lower levels where there is no pretty user interface and no cushion between you and the inner workings of Windows. You know you are close to understanding NTFS file permissions when you stop talking about files and folders and instead refer to objects and containers. Continue Reading »

by mb
on Dec 14th, 2006

Don’t forget the KB’s

With Microsoft’s ongoing improvements to the patch management process, you may find yourself letting automation take over on patch Tuesday. I sat down at my PC this morning and saw that it had rebooted because it automatically installed new updates. Although I spent half the day yesterday writing patch reports for several clients, I forgot to apply the patches on my own system. The fact is that nowadays you can get away with doing that.

Continue Reading »

by mb
on Oct 5th, 2006

Audit the Start Menu

Have you ever needed to audit which icons users click on the Start Menu? It makes quite an impressive forensics report when you can say exactly who clicked what and when. Well, you can do it in Windows pretty easily. First, enable auditing on all files under C:\Documents and Settings\All Users\Start Menu as well as individual user start menus. Make sure your local security policy is set to audit object access, and every time someone clicks on a Start Menu icon, it will generate an Event Log entry.

Here’s a Log Parser query you can use to build a list of clicked icons:

logparser "SELECT TimeGenerated, RESOLVE_SID(SID), EXTRACT_PREFIX(EXTRACT_FILENAME(Path), 0, '.lnk') AS Item USING EXTRACT_TOKEN(Strings, 2, '|') AS Path FROM Security WHERE Path LIKE '%Start Menu%.lnk' ORDER BY TimeGenerated" -i:evt

You could also extend this to include icons on the desktop and on quick launch toolbars.

Hint: do you need to re-create Start Menu clicks on a system that didn’t have auditing enabled? Try looking at the last accessed date of each .lnk file. It’s not as accurate as the Event Log, but you’d be surprised what you can discover.
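As an added example (not code from the original post), the same extraction logic as the Log Parser query above, written in Python over constructed object-access records so the filtering and ordering can be checked offline. The SID-to-account map and the sample events are constructed stand-ins for RESOLVE_SID() and a real Security log.

```python
import ntpath
from datetime import datetime

# Constructed SID-to-account map standing in for RESOLVE_SID(); not real SIDs.
SID_MAP = {
    "S-1-5-21-1111-2222-3333-1001": "CORP\\alice",
    "S-1-5-21-1111-2222-3333-1002": "CORP\\bob",
}

# Constructed Security events. "Strings" mimics the pipe-delimited insertion
# strings of an object-access event, with the object path at token index 2,
# which is what EXTRACT_TOKEN(Strings, 2, '|') pulls out in the query.
SAMPLE_EVENTS = [
    {"TimeGenerated": "2006-10-05 09:14:02", "SID": "S-1-5-21-1111-2222-3333-1002",
     "Strings": "Security|File|C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Accessories\\Calculator.lnk|0x1234"},
    {"TimeGenerated": "2006-10-05 08:59:40", "SID": "S-1-5-21-1111-2222-3333-1001",
     "Strings": "Security|File|C:\\Documents and Settings\\alice\\Start Menu\\Programs\\Notepad.lnk|0x5678"},
    {"TimeGenerated": "2006-10-05 09:02:11", "SID": "S-1-5-21-1111-2222-3333-1001",
     "Strings": "Security|File|C:\\Documents and Settings\\alice\\Desktop\\Outlook.lnk|0x9abc"},
    {"TimeGenerated": "2006-10-05 09:20:00", "SID": "S-1-5-18",
     "Strings": "Security|File|C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\desktop.ini|0x0"},
    {"TimeGenerated": "2006-10-05 09:31:55", "SID": "S-1-5-21-1111-2222-3333-1002",
     "Strings": "Security|File|C:\\Documents and Settings\\bob\\Start Menu\\Programs\\Administrative Tools\\Event Viewer.lnk|0xdef0"},
]

def event_to_row(event):
    """Return (time, account, item) for a Start Menu .lnk access, else None."""
    tokens = event["Strings"].split("|")
    if len(tokens) <= 2:
        return None
    path = tokens[2]
    # WHERE Path LIKE '%Start Menu%.lnk' (Desktop shortcuts and desktop.ini drop out)
    if "start menu" not in path.lower() or not path.lower().endswith(".lnk"):
        return None
    # EXTRACT_PREFIX(EXTRACT_FILENAME(Path), 0, '.lnk'): filename up to ".lnk"
    item = ntpath.basename(path).split(".lnk", 1)[0]
    # RESOLVE_SID(SID): fall back to the raw SID when no account is known
    account = SID_MAP.get(event["SID"], event["SID"])
    when = datetime.strptime(event["TimeGenerated"], "%Y-%m-%d %H:%M:%S")
    return (when, account, item)

def clicked_items(events):
    """ORDER BY TimeGenerated: the who/what/when list the post describes."""
    rows = [r for r in map(event_to_row, events) if r is not None]
    return sorted(rows, key=lambda r: r[0])

if __name__ == "__main__":
    for when, account, item in clicked_items(SAMPLE_EVENTS):
        print(f"{when}  {account:<12}  {item}")
```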

Using Log Parser, virtualization, and a little psychology. The article is available here to subscribers of Windows IT Security.
