This webcast is the *best* memory troubleshooting presentation I have ever seen.This should be standard advanced training for everyone in the Windows industry. It’s a 97 minute presentation

http://www.microsoft.com/emea/spotlight/sessionh.aspx?videoid=64

* Requires a Live ID login.

Did you know that you do not gain performance by having or not having a page file?

Did you know that sizing of the page file(s) has nothing  to do with the amount of physical memory on the computer?

Did you know the more RAM you have the smaller page file you need?

Did you know that the page file(s) never contain data that can be found elsewhere on the disk?

Did you know that the x64 virtual address space is really 17 *billion* gigabytes in size, but limited to 16 terabytes for now?

Did you know that a high number of hard page faults does not directly mean low on memory?

Did you know that so-called “memory optimizer” third-party applications make memory optimization worse?

Did you know that if you minimized all of your running applications and let the computer run idle that all of your running applications would be paged out to the page file eventually?

Thanks for reading & let’s continue to be good network citizens!

• Network connectivity between servers
• Active Directory health – sites, subnets, replication
• File replication – sysvol issues
• DNS health
• Network adapter configuration
• Domain controller health
• Network Time Protocol (NTP)
• Exchange server configuration
• Event log entries

The tool can be found on the Microsoft Downloads website. It is a very simple tool to install and run. The process goes something like this.

Download and install the Microsoft IT Environment Health Scanner. The .NET Framework v2.0 is required for installation and operation. Once the installation is completed, click on the icon created on the desktop or in the Start Menu.

Icon for Microsoft IT Environment Health Scanner

The application will begin collecting user provided network information prior to beginning the scan. The application welcome screen appears.

Welcome screen

The application then will want to apply any necessary and recent updates.

Update processing

The next step in the wizard asks for the local firewall IP address information.

Firewall IP address information

The application then asks for the subnet that you want scanned. In this case, it found the local subnet on my computer and automatically entered the appropriate information.

Subnet to scan

Start the scan and let it run.

Begin the scan

Domain administrator credentials will need to be entered to gain access to secured areas of the domain.

Enter Domain Administrator credentials

The scan will go through several areas to check the health of the environment.

Running the scan

I am unable to show you a completed scan. I do not have access to the forest root of my domain and was unable to run the tool in the child domain. However, if you have a small environment and can run this tool, it looks like an excellent resource to gain some insight into the environment and spot potential problem issues. Let me and and other ITKE readers know if you use this application. What results did you get? Did anything surprise you? What steps did you take based on the scan results? What did the follow-up scan show?

Thanks for reading & let’s continue to be good network citizens!

The Startup Control panel tool window looks like the window below:

Startup Control Panel window

Using the application:

I have successfully run this utility on both XP and Vista. The dialog contains six to seven tabs, depending on your system configuration. Each tab represents one place where a program can be registered to run at system startup. These include:

• Startup (user) – the current user’s Startup folder in the Start Menu.
• Startup (common) – the common (all users) Startup folder in the Start Menu.
• HKLM / Run – the Run registry key located in HKEY_LOCAL_MACHINE. These apply for all users.
• HKCU / Run – the Run registry key located in HKEY_CURRENT_USER. These apply for the current user only.
• Services – system services that are started before the user logs in. This appears only in Win9x; on NT/2000/XP, use the Services control panel, or the Services item in Computer Management.
• Run Once – started once and once only at the next system startup.
• Deleted – programs go to the Deleted tab when you remove them from another location. They will not run at system startup, but will merely be stored should you ever want to use them again. If you delete an item from the Deleted tab, it is removed permanently.

Each page contains a list of the programs registered at that location. Use the checkbox to enable or disable individual items. Additional operations are available by right-clicking an item. You can select multiple items using the Shift and Control keys. Options include:

• New… – create a new entry. You can also drag & drop files from My Computer or Explorer.
• Edit… – edit an existing entry.
• Delete – delete the currently selected entry.
• Disable / Enable – disable or enable the selected entry. A disabled program will appear in the list with a special icon, and will not run at system startup. You can also use the checkbox next to an item to enable or disable it.
• Run Now – executes the program now.
• Send To – moves the entry from the current location to another.
• Press F5 to refresh the list at any time.

Hope you find this tool as useful as I do. Thanks for reading and let’s continue to be good network citizens.

One particular bulletin is creating some concerns for Microsoft Windows 2000 users. MS09-048 is a bulletin for a vulnerability to the TCP/IP stack in all current supported versions of Windows. The bulletin describes the vulnerability:

Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (967723)

This security update resolves several privately reported vulnerabilities in Transmission Control Protocol/Internet Protocol (TCP/IP) processing. The vulnerabilities could allow remote code execution if an attacker sent specially crafted TCP/IP packets over the network to a computer with a listening service. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.

Even though the bulletin here describes it as potential remote code execution, the webcast focused more on the denial of service threat due to this vulnerability. Unfortunately, Microsoft has chosen to not issue a patch for Windows 2000, even though Windows 2000 is a supported version of Windows with regards to patches and security fixes. ComputerWorld gives a good amount of detail in the article: Microsoft: Patching Windows 2000 ‘infeasible’ Dark Reading published Microsoft, Cisco Issue Defenses For TCP Denial-Of-Service Attack and The Register published Microsoft, Cisco issue patches for newfangled DoS exploit.

I know that there is a reasonable population of Windows 2000 machines in operation at my organization. So, this choice by Microsoft to not issue a patch for this vulnerability raises some concerns. Fortunately the vulnerable population is not publicly exposed and does not have mobile users. The layered defenses we have in place should help mitigate the risks to our environment. However, the risk is still there and the threat needs to be addressed. What other vulnerability will come out that Microsoft chooses not to address in a supported operating system? Are you facing the same situation in your environment? How large is the risk to your environment? What are you doing to address these threats? Why are you doing what you are doing? Share your thoughts with other ITKE readers.

Thanks for reading & let’s continue to be good network citizens.

We had a situation recently where malicious software got onto a couple of machines and attempted to use the Administrator account to login. We have account lockout on our Windows 2003 AD domain, so after the appropriate number of invalid tries the Administrator account was locked out in the domain. This is because the machines were members of the domain and the malware did not distinguish the local administrator account from the domain administrator when attempting to elevate authority. Note that we use least user authority in our environment so the malware was not able to spread beyond these two machines. We suspect the machines became infected due to out of date antivirus signatures.

Unfortunately, the antivirus we use did not alert us to the situation. The way we were alerted was by our Microsoft Systems Center Operations Manager (SCOM) implementation. It notified the SCOM admin that the domain Administrator account was locked. The operations team was then tasked with tracking down what or who was locking this account. This is where the Microsoft Account Lockout and Management Tools came in use and helped isolate the cause.

The first tool that we used was the LockoutStatus.exe. The screen looks like this after running and finding the Administrator account is NOT locked out. This is after I had already unlocked the account.

As you can see it checked a lot of domain controllers. I ran this directly on one of the AD domain controllers. When an account is locked out, there will be a lockout time and an Orig. Lock domain controller listed. You can set what account you wish to check lockout on as well as what domain you want to test. The options screen looks like this.

If the account is locked and a domain controller is listed, the next step is to run the EventCombMT tool. This tool can be used for much more than just account lockout analysis but that is the only focus of its use today. You need to specify several things in this tool to get it to find the event log records of interest.

The domain needs to be filled in. Then right-click in the Select To Search/Right Click to Add field and select what servers’ event logs you wish to scan for the event of interest. In this case, I’m choosing the domain controller that is shown in the Orig.Lock column in the LockoutStatus tool. Select the Security log and the Success Audit and Failure Audit Event Types. The Event ID of 675 is the specific event of interest where the client is attempting to use a locked account. The Text field would have the account of interest.

One additional thing you might consider doing is to narrow down the date range. As default, the eventcombmt tool looks through all of the active logs on the server(s). So, it could take a substantial amount of time to complete the scan. The eventcombmt Options menu item has the following selections that can help you narrow down the search or tweak how the tool runs.

In my case, since the LockoutStatus window would have the Lockout Time listed, I would take a time span on either side of this event. So, in this example, I used a 24 hour period from 11:37 AM yesterday, until 11:37 today.

This modifies the search criteria. Then, click Search and the application searches the event logs of the server(s) for the criteria selected.

When eventcombmt finishes the log search, some summary statistics are displayed.

The application writes a text file to the C:\Temp folder by default. This text file contains a text file with a single line per event found matching the search criteria in the selected logs. A sample line for a search match is shown below with wrapping as needed.

675,AUDIT FAILURE,Security,Wed Feb 11 05:03:15 2009,NT AUTHORITY\SYSTEM,Pre-authentication failed: User Name: Administrator

User ID: %(sid removed for security purposes) Service Name: krbtgt/domain.COM Pre-Authentication Type: 0×2 Failure Code: 0×18

Client Address: 10.xx.xx.200

The Client Address may indicate another domain controller or a client machine. If it is another domain controller, then you will need to rerun the eventcombmt process against that server. If the server is across a WAN link, then consider running the eventcombmt tool directly on that server. It could take a while to search the event logs across a slow WAN link. If the Client Address is the actual suspected source, then go to the client and speak with the user about the situation. If the device or user is locking out a security principal account, then severe action may need to be taken to ensure your environment is not placed at further risk letting the device and/or user remain on the network.

Thanks for reading and let’s continue to be good network citizens!

In case you have not seen or heard the latest US-CERT Technical Cyber Security Alert reads as shown below. I don’t know about you but the information in this bulletin really concerns me. I know personally how autorun.inf can affect a computer. I recently received a digital picture frame (DPF) as a gift. It is a very nice one in that it can handle several different types of media and is even an MP3 player. When I connected it to my computer the first time, Windows went through the “new device found” routine. Windows found the device as a standard removable storage device. That was no big deal. However, the DPF has 128MB of internal storage and that storage held an autorun.inf file that referenced a trojan executable! Fortunately my anti-virus detected it and deleted the file before it could do damage. How many consumers do not have antivirus? How would the trojan affected their systems? That is a substantial risk in today’s technology environment!

I would highly recommend taking the steps outlined below to ensure that autorun.inf does not take down a critical system within your organization.

Thanks for reading & let’s continue to be good network citizens.

National Cyber Alert System

Technical Cyber Security Alert TA09-020A

Microsoft Windows Does Not Disable AutoRun Properly

Original release date: January 20, 2009

Last revised: –

Source: US-CERT

Systems Affected

* Microsoft Windows

Overview

Disabling AutoRun on Microsoft Windows systems can help prevent the spread of malicious code. However, Microsoft’s guidelines for disabling AutoRun are not fully effective, which could be considered a  vulnerability.

I. Description

Microsoft Windows includes an AutoRun feature, which can automatically run code when removable devices are connected to the computer. AutoRun (and the closely related AutoPlay) can unexpectedly cause arbitrary code execution in the following situations:

* A removable device is connected to a computer. This includes, but is not limited to, inserting a CD or DVD, connecting a USB or Firewire device, or mapping a network drive. This connection can result in code execution without any additional user interaction.

* A user clicks the drive icon for a removable device in Windows Explorer. Rather than exploring the drive’s contents, this action can cause code execution.

* The user selects an option from the AutoPlay dialog that is displayed when a removable device is connected. Malicious software, such as W32.Downadup, is using AutoRun to spread. Disabling AutoRun, as specified in the CERT/CC Vulnerability Analysis blog, is an effective way of helping to prevent the spread of malicious code.

The Autorun and NoDriveTypeAutorun registry values are both ineffective for fully disabling AutoRun capabilities on Microsoft Windows systems. Setting the Autorun registry value to 0 will not prevent newly connected devices from automatically running code specified in the Autorun.inf file. It will, however, disable Media Change Notification (MCN) messages, which may prevent Windows from detecting when a CD or DVD is changed. According to Microsoft, setting the NoDriveTypeAutorun registry value to 0xFF “disables

Autoplay on all types of drives.” Even with this value set, Windows may execute arbitrary code when the user clicks the icon for the device in Windows Explorer.

II. Impact

By placing an Autorun.inf file on a device, an attacker may be able to automatically execute arbitrary code when the device is connected to a Windows system. Code execution may also take place when the user attempts to browse to the software location with Windows Explorer.

III. Solution

Disable AutoRun in Microsoft Windows

To effectively disable AutoRun in Microsoft Windows, import the following registry value:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]

@=”@SYS:DoesNotExist”

To import this value, perform the following steps:

* Copy the text

* Paste the text into Windows Notepad

* Save the file as autorun.reg

* Navigate to the file location

* Double-click the file to import it into the Windows registry

Microsoft Windows can also cache the AutoRun information from mounted devices in the MountPoints2 registry key. We recommend restarting Windows after making the registry change so that any cached mount points are reinitialized in a way that ignores the Autorun.inf file. Alternatively, the following registry key may be deleted:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

Once these changes have been made, all of the AutoRun code execution scenarios described above will be mitigated because Windows will no longer parse Autorun.inf files to determine which actions to take. Further details are available in the CERT/CC Vulnerability Analysis blog. Thanks to Nick Brown and Emin Atac for providing the workaround.

IV. References

* The Dangers of Windows AutoRun -

<http://www.cert.org/blogs/vuls/2008/04/the_dangers_of_windows_autorun.html>

* US-CERT Vulnerability Note VU#889747 -

<http://www.kb.cert.org/vuls/id/889747>

* Nick Brown’s blog: Memory stick worms -

<http://nick.brown.free.fr/blog/2007/10/memory-stick-worms>

* TR08-004 Disabling Autorun -

<http://www.publicsafety.gc.ca/prg/em/ccirc/2008/tr08-004-eng.aspx>

* How to Enable or Disable Automatically Running CD-ROMs -

<http://support.microsoft.com/kb/155217>

* NoDriveTypeAutoRun -

<http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/91525.mspx>

* Autorun.inf Entries -

<http://msdn.microsoft.com/en-us/library/bb776823(VS.85).aspx>

* W32.Downadup -

<http://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99>

* MS08-067 Worm, Downadup/Conflicker -

<http://www.f-secure.com/weblog/archives/00001576.html>

* Social Engineering Autoplay and Windows 7 -

<http://www.f-secure.com/weblog/archives/00001586.html>

____________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA09-020A.html>

____________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with “TA09-020A Feedback VU#889747″ in the subject.

____________________________________________________________________

For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>.

____________________________________________________________________

Produced 2009 by US-CERT, a government organization.

Terms of use:

<http://www.us-cert.gov/legal.html>

____________________________________________________________________

Revision History

January 20, 2009: Initial release

================================================

Day 1

=====

http://thepiratebay.org/torrent/4654588/HITBSecConf2008_-_Malaysia_Videos___Day_1

Keynote Address 1: The Art of Click-Jacking – Jeremiah Grossman Keynote Address 2: Cyberwar is Bullshit – Marcus Ranum

Presentations:

- Delivering Identity Management 2.0 by Leveraging OPSS

- Bluepilling the Xen Hypervisor

- Pass the Hash Toolkit for Windows

- Internet Explorer 8 – Trustworthy Engineering and Browsing

- Full Process Reconsitution from Memory

- Hacking Internet Kiosks

- Analysis and Visualization of Common Packers

- A Fox in the Hen House – UPnP IGD

- MoocherHunting

- Browser Exploits: A New Model for Browser Security

- Time for a Free Hardware Foundation?

- Mac OS Xploitation

- Hacking a Bird in The Sky 2.0

- How the Leopard Hides His Spots – OS X Anti-Forensics Techniques

Day 2

=====

http://thepiratebay.org/torrent/4654974/HITBSecConf2008_-_Malaysia_Videos___Day_2

Keynote Address 3: Dissolving an Industry as a Hobby – THE PIRATE BAY

Presentations:

- Pushing the Camel Through the Eye of a Needle

- An Effective Methodology to Enable Security Evaluation at RTL Level

- Remote Code Execution Through Intel CPU Bugs

- Next Generation Reverse Shell

- Build Your Own Password Cracker with a Disassembler and VM Magic

- Decompilers and Beyond

- Cracking into Embedded Devices and Beyond!

- Client-side Security

- Top 10 Web 2.0 Attacks

===

On a related note, the registration for HITBSecConf2009 – Dubai (20th – 23rd April) is now open!

http://conference.hitb.org/hitbsecconf2009dubai/

The Call for Papers (CFP) for HITBSecConf2009 – Malaysia (October 5th -

8th) will open in March 2009.