Archive

Open file security warning on mapped drive

When opening files on the network over a mapped drive or a UNC path, you receive a “publisher” or “security” warning before the file runs. Very annoying.

In IE, you add the server or domain to your “Local intranet” security zone. In my case, my server was main.domain.local, mapped as the O: drive.

So in the zone I added:
\\main
O:\
domain.local
\\domain.local

That took care of all kinds of connections.

For a domain-wide setting: in Active Directory, I added a group policy for the file types of moderate risk.

Go to a domain policy (I used the Default Domain Policy on mine) > open User Configuration > Administrative Templates > Windows Components > Attachment Manager.

And edit the item: Inclusion List for Moderate Risk file types

Add: .doc;.xls;.exe;.pdf
(just the most common, you might want more)

Add the type you want to exclude from the security warning. Reboot the client computer, or run gpupdate on it to get the new policy. Problem went away for me!

Self-Signed IIS SSL Certificates using OpenSSL

Greg's uberfast version:

Linux:

openssl genrsa -des3 -out CA.key 1024
openssl req -new -key CA.key -x509 -days 3650 -out CA.crt
chmod 400 CA.key
chmod 400 CA.crt

(The above made a new CA; you want to install the CA.crt into IE’s trusted certificates.)

Win:

Make cert request in IIS – take to Lin.

Linux:

(All one line)
openssl x509 -req -days 3650 -in certreq.txt -CA CA.crt -CAkey CA.key -CAcreateserial -out mail.server.crt

Win:

Take that mail.server.crt and install it in IIS. People browsing your site will get a “not valid CA” type error, especially in IE7, and they’ll need to accept it. Otherwise, you need to buy a real cert. If only your own users use the site, just have them install the CA.crt into IE; they will then trust the authority that signed the web server’s certificate. Every user will need to do that.
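As an added, non-interactive version of the steps above (example script, not Greg's own): it creates the CA, generates a stand-in key and CSR in place of the IIS certificate request, signs the CSR, and then runs openssl verify both with and without CA.crt, which is the difference between a user who installed the CA and one who sees the “not valid CA” error. The file names, passphrase and subject names are assumptions, and 2048-bit keys are used instead of the 1024 above.

```shell
#!/bin/sh
# Added example: the private-CA + IIS signing workflow, scripted end to end.
# WORKDIR, the passphrase and the subject names are constructed for the demo.
set -e
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# 1. Make a new private CA: passphrase-protected key plus a 10-year self-signed cert.
#    $1 = CA key passphrase
make_ca() {
  openssl genrsa -aes256 -passout pass:"$1" -out "$WORKDIR/CA.key" 2048 2>/dev/null
  openssl req -new -x509 -days 3650 -key "$WORKDIR/CA.key" -passin pass:"$1" \
    -subj "/CN=Example Private CA" -out "$WORKDIR/CA.crt" 2>/dev/null
  chmod 400 "$WORKDIR/CA.key" "$WORKDIR/CA.crt"
}

# 2. Stand-in for "Make cert request in IIS": a server key and CSR for host $1.
#    On the real Windows box IIS produces certreq.txt for you.
make_server_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORKDIR/server.key" \
    -subj "/CN=$1" -out "$WORKDIR/certreq.txt" 2>/dev/null
}

# 3. Sign the request with the CA (the "all one line" command from the post).
#    $1 = CA key passphrase
sign_csr() {
  openssl x509 -req -days 3650 -in "$WORKDIR/certreq.txt" -CA "$WORKDIR/CA.crt" \
    -CAkey "$WORKDIR/CA.key" -passin pass:"$1" -CAcreateserial \
    -out "$WORKDIR/mail.server.crt" 2>/dev/null
}

# 4. What the browser checks: does mail.server.crt chain to a trusted CA?
#    $1 = CA file to trust; pass "" to mimic a client that never installed CA.crt
#    (only the default trust store is consulted, which does not contain our CA).
verify_chain() {
  if [ -n "$1" ]; then
    openssl verify -CAfile "$1" "$WORKDIR/mail.server.crt" >/dev/null 2>&1
  else
    openssl verify "$WORKDIR/mail.server.crt" >/dev/null 2>&1
  fi
}

# Subject line of the signed server cert, for a quick eyeball check.
cert_subject() {
  openssl x509 -in "$WORKDIR/mail.server.crt" -noout -subject
}
```

Run make_ca, make_server_csr and sign_csr in that order; the serial file CA.srl that -CAcreateserial writes should be kept next to CA.crt for later signings.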

Recovering/Restoring Exchange server to a new server

Greg Fischer
6/15/07

I used Exchange 2000 on Windows 2000 for this; 2003 might be a little different. Obviously, you need to have the backups in the first place; this assumes you have done that, and we will focus only on recovery. Also, this is intended for small businesses with only one Exchange server and some, just a little, tolerance for downtime. You may be able to apply some of this in a large organization, but probably not.

Using NTBackup (online data):

(work in progress)

OLD Server: Felix
NEW Server: Ruphus

  1. Set up a new server as Ruphus. This can be in the same domain and coexist with the old server, BUT you will not be able to reconnect the user mailboxes on the new server. That’s a different story and I have not tested procedures for it. We are going to assume the old server is gone, bye-bye, toast! Also, see the notes below on setting up a test domain controller and network for full recovery. At this point, you should have a new Windows server up and running, a DC or not.
  2. Install Exchange and install the service packs on Ruphus.
  3. Open System Manager and delete Felix from the Exchange site. (It will give warnings, but that’s ok.)
  4. At this point, we do not have all the configuration from the old server, and for the purposes of this guide, we are not going to bother and assume you can setup your SMTP and other items from memory. In a very large Exchange environment, this might not be possible though, but this guide is intended for those of us with only 1 Exchange server on a small network.
  5. On Ruphus rename the old mailbox and public store databases, and/or create new databases that have the same “exact” logical names as were on Felix. (in System Manager, browse to Servers, and find your public and mailbox stores. Right click and select Rename.)
  6. Run NTBackup, go to Restore, and find your Felix Information Store database, check the mailbox stores listed. (and log files, which will probably be an option)
    1. Click Start Restore.
    2. Select Ruphus as the server
    3. Select a temp directory, in my case I used the large D: drive. (d:\temp)
    4. Check the boxes (I think, Last set, and Mount db’s?)
    5. Start recovery.
  7. Reboot, and make sure your stores mount.
  8. Now, if you have setup a new server on a test network OR your old server is toast and you are trying to recover a new server, then you will need to reconnect the mailboxes to the user accounts. For this you will use a tool called, “mbconn.exe”. On your exchange cd, under: SUPPORT\UTILS\I386
    Find the mbconn.exe and run it. (a gui)
  9. In here, you connect to Ruphus and select the store whose mailboxes you want to reconnect. It should display all the orphaned mailboxes. Then go to Action, Preview All, select the AD container with your user accounts, and click OK. It should put green checkmarks next to the mailboxes it matches. Then go to Action and Apply.
    Re-apply this to any leftover mailboxes if they are in different OUs. For example, you might have users in Accounting or Marketing OUs. Preview and Apply each separately until you have reconnected all of them.
    NOTE: You probably won’t be able to reconnect a few items, like the System Attendant mailbox, as they are created new on Ruphus. Also, you will need to do this procedure for each mailbox store separately.
  10. Check Recipient Update Services in Exchange and set the properties accordingly, they will be set to the old server and domain controllers. Tell the objects in RUS to rebuild.
  11. Dare I say, “login as a user and see if Outlook works” … ?

Using Offline Database:

Coming later…

Notes on setting up a DC

In my case, I wanted to have a test network, and also a way to do fast recovery of the network on a new server that is offsite. Instead of recovering a DC and AD, I just installed a new server on my existing domain. I made sure it had BASIC disks, not DYNAMIC! Then I set the server up as a backup DC. Make sure you select it as a Global Catalog too! Also, make sure DNS is set up and configured on it!

So, at this point, I had a new DC, GC and DNS server acting as a backup on my domain. I went into AD Sites and Services and performed a manual replication in the NTDS Settings for each server. I also made a ghost image of this server, so I can step back and/or do this again for backup procedures. Keep in mind, once you move ahead, you’ll probably need to do all this again each time you want a current snapshot of AD for recovery. So what I would do is: set up a basic Win2k load NOT joined to the domain, with all the service packs and IE updates, even Office (I find it useful), and all the utilities you need (don’t forget the Adminpak!). Then make a ghost of this server before doing the join and dcpromo.

Now we’ve got our replicated server. Let’s shut it down and set it up on the new testing network. (MAKE SURE!!! It cannot communicate with the old one; make them physically separate!) Once removed and set up on the new network, you will need to manually delete this newly dcpromo’d server from your existing network. (See below.)

At this point, we need to seize all the roles and make this server the master of the domain. So, look it up online, run the ntdsutil command program and seize all 5 FSMO roles. Then go into DNS and remove anything regarding the old servers. (Don’t forget the server properties listing the old ones as name servers too.) Also, in the _msdcs SRV records, remove the old servers. After all that, you might need to go into ADSIEdit (in the Adminpak), find the old servers and delete them in the CN=Configuration container. If necessary, go into AD Users and Computers, under Domain Controllers, and delete the servers. And one more… go into AD Sites and delete the NTDS replication entries and servers. Whew! I think that’s it! You should have a single DC on a test network. This all takes only minutes once you do it a couple of times, so it’s not that bad. The hardest part is remembering the ntdsutil commands, which you need to look up online. Just verify that the new server actually holds all the FSMO roles.

We should have a new server all ready to go on the testing/recovery network! All user accounts and settings intact! And now we can begin Exchange!

Gregs reasons to NOT send images in the email body


Are you ready for my geeky-not-what-you-want-to-hear explanation?

  1. Email was never designed to have images. Email programs have “retrofitted” them.
  2. They increase the size of each message, sometimes 4-10x and more! When you are talking about a single signature that is 20k, that is 5-6x larger message size than what the message would be without it. And when you load your mail server with thousands and thousands of those, that can mean the difference between a slow and a fast server. The difference is in mailbox size, scanning time, transfer and processing time, database storage, backup time and space, and sending/receiving time. All being 5, 6, 10 times more than what they could be, just because you have a logo.
  3. More and more people have images blocked by their email client.
  4. More and more mail server scanners (for spam and viruses) strip out the images and HTML formatting for security reasons. (Spam and viruses link images and HTML code to outside sources, loading things you don’t want in your system, and also verifying that you exist and can receive more spam!) This completely removes the user’s ability to see the intended publication, which makes the message sometimes appear out of order or jumbled around, completely obscuring the message. (Which is only in text in the first place.)
  5. Email client programs can have any possible screen width for the message, making it impossible to correctly format a background and graphical body so that it looks correct for all users. This is way tougher than doing web pages, because at least on the web you design for an 800×600 screen size and larger. But email programs can be resized, and sometimes very small.
  6. Relating to the last item… When you design a template for sending messages in HTML (so you can have images) you are limited to the design capability of the email program. Not everyone has the same email program, and therefore the formatting will most likely be rendered incorrectly. (meaning, it’s not very portable, unlike PDF’s.)

OK, so those are all, as far as I know, the factual, technical reasons not to use images in email. With that knowledge, it is my *technical* advice not to use them in the message body. On the other hand, they do make the message more attractive (usually). And they can help to “brand” the message. I can surely understand that.

Email is all about the *message* you want to deliver. And what you say is in the typed text. I have all images blocked in my programs, so I can cut through the mumbo jumbo and read the actual message in my small preview pane. To me, it’s more professional to keep your message body as text and attach any images you want to share (including PDF invoices, with images on the invoice itself). And it’s more respectful to the client that they receive the properly formatted text message than to be cute. To me it’s a matter of function over form, not the other way around. But, of course, now we’re talking about *my opinion*.

Set duplex on linux network card

Statically/manually define/set duplex on linux network card
Use mii-tool or ethtool

//////////////////////////////

A Note About Duplex Settings

By default, Linux NICs negotiate their speed and duplex settings
with the switch. This is done by exchanging electronic signals
called Fast Link Pulses (FLP). When the speed and duplex are forced
to a particular setting the FLPs are not sent. When a NIC is in
auto-negotiation mode and detects a healthy, viable link but receives
no FLPs, it errs on the side of caution and sets its duplex to
half-duplex and sometimes it will also set its speed to the lowest
configurable value. It is therefore possible to force a switch port to
100 Mbps full duplex, but have the auto-negotiating server NIC set
itself to 100Mbps half-duplex which will result in errors. The same is
true for the switch if the switch port is set to auto-negotiate and
server NIC is set to 100 Mbps full duplex. It is best to set
both the switch port and the server NIC either to auto-negotiate or
to the same forced speed and duplex values.

//////////////////////////////

//////////////////////////////// mii-tool

/////////////////////////////////////////////////////////////

[root@bigboy tmp]# mii-tool
SIOCGMIIPHY on 'eth0' failed: Operation not supported
eth1: 100 Mbit, half duplex, link ok
[root@bigboy tmp]#

[root@bigboy tmp]# mii-tool -v
eth1: negotiated 100baseTx-FD, link ok
product info: vendor 00:10:18, model 33 rev 2
basic mode:   autonegotiation enabled
basic status: autonegotiation complete, link ok
capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
advertising:  100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
link partner: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control
[root@bigboy tmp]#

mii-tool -F 100baseTx-FD eth0

//////////////////////////////// Ethtool

/////////////////////////////////////////////////////////////

[root@bigboy tmp]# ethtool eth0
Settings for eth0:
Supported ports: [ TP MII ]
Supported link modes:   10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
Supports auto-negotiation: Yes
Advertised link modes:  10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
Advertised auto-negotiation: No
Speed: 100Mb/s
Duplex: Full
Port: MII
PHYAD: 1
Transceiver: internal
Auto-negotiation: off
Supports Wake-on: g
Wake-on: g
Current message level: 0x00000007 (7)
Link detected: yes
[root@bigboy tmp]#

#
# File: /etc/sysconfig/network-scripts/ifcfg-eth0
#
DEVICE=eth0
IPADDR=192.168.1.100
NETMASK=255.255.255.0
BOOTPROTO=static
ONBOOT=yes
ETHTOOL_OPTS="speed 100 duplex full autoneg off"

////////////////////// or
ethtool -s eth1 speed 100 duplex full autoneg off
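As an added example (not from the post): a small parser over the output of ethtool, as shown above, that reports speed, duplex and auto-negotiation state and flags the half-duplex fallback the note describes, which is what you see on the server when the switch port was forced but the NIC was left on auto. The two sample outputs are constructed for the demo; on a real box pipe `ethtool eth0` into the functions.

```shell
#!/bin/sh
# Added example: classify a NIC's link state from "ethtool <if>" output.
# Both samples below are constructed (trimmed to the lines the parser reads).

SAMPLE_FORCED='Settings for eth0:
        Supports auto-negotiation: Yes
        Advertised auto-negotiation: No
        Speed: 100Mb/s
        Duplex: Full
        Auto-negotiation: off
        Link detected: yes'

# The failure mode from the note: autoneg on, no FLPs from the far end,
# so the NIC fell back to half duplex.
SAMPLE_FALLBACK='Settings for eth1:
        Supports auto-negotiation: Yes
        Advertised auto-negotiation: Yes
        Speed: 100Mb/s
        Duplex: Half
        Auto-negotiation: on
        Link detected: yes'

# Reads ethtool output on stdin; prints "<speed> <duplex> <autoneg> <link>",
# e.g. "100Mb/s Full off yes". "Advertised auto-negotiation:" is skipped on
# purpose because the regex is anchored at the start of the line.
parse_ethtool() {
  awk -F': *' '
    /^[[:space:]]*Speed:/            { speed = $2 }
    /^[[:space:]]*Duplex:/           { duplex = $2 }
    /^[[:space:]]*Auto-negotiation:/ { autoneg = $2 }
    /^[[:space:]]*Link detected:/    { link = $2 }
    END { print speed, duplex, autoneg, link }'
}

# Reads ethtool output on stdin and prints one of:
#   "forced <speed> <duplex>"  - the switch port must be forced to the same values
#   "negotiated-full"          - autoneg worked on both ends
#   "half-duplex-fallback"     - autoneg on but half duplex: far end is probably forced
classify_link() {
  set -- $(parse_ethtool)
  case "$3 $2" in
    off*)      echo "forced $1 $2" ;;
    "on Half") echo "half-duplex-fallback" ;;
    "on Full") echo "negotiated-full" ;;
    *)         echo "unknown" ;;
  esac
}
```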

Things I do not like about EFS and a better solution called Truecrypt

I am not an expert on these things (encryption), but I have done some reading and found some issues with Encrypting File System that I don’t like. I may not describe the issues correctly, so this is just my opinion more than anything.

1. In Windows 2000, don’t even bother. It can be bypassed with their recovery agent or administrator. So if you lose your laptop, the data can be accessed.

2. In XP, it is better and more secure. I think there is no data recovery agent, but I think a local administrator account on a non-domain install of XP will still have the private keys.

3. The private keys are on that hard drive!

4. You still see all the files. The file names are all viewable, and that may be a security risk for some companies. It’s better than nothing, but I don’t like that too much.

5. You can’t encrypt the whole system. Or a whole partition for that matter. You must encrypt a folder, and at that, only the files in that folder are encrypted.

6. Here’s the one I like least… with EFS, when you open a file, it is decrypted to a temp file. This file is deleted once you finish with it, but as you know, files are not “wiped” from the drive when they are deleted; only the pointer to them is removed. So unless data is overwritten in that place on the drive, that data is accessible to anyone. If you had a spreadsheet with SSNs or credit card numbers, and you happen to lose your system to someone who knows what to do with it, you’ve got a big problem!!

7. There’s more, I just can’t think of them.

Anyway, after doing some reading… I found that BitLocker in Vista will be a very nice solution. But you have to buy the Enterprise or Ultimate version of Vista to get it. BitLocker can encrypt the entire OS partition. Now that is nice! That is exactly what we wanted! And if you set it up correctly, using a key or PIN at boot, it makes an extremely secure setup. One drawback: you can only encrypt the partition the OS is on, not other partitions. You’ll need to use normal EFS for them.

That’s nice, but I have Vista Business. And I don’t want to spend more money right now. Plus, on my main system and pretty much all my clients, they have 2000 and XP. Guess what I found to get me by? TrueCrypt. www.truecrypt.org. Nice product!! And it’s open-source and free!!!!

With TrueCrypt, you can password protect an entire partition with AES 256-bit encryption. You can use multiple ciphers and even key based access using a USB drive. (Bitlocker can do the USB drive thing too!) It’s a tiny program running in the systray. And in my case, I am just running a password authentication and 256bit AES on a separate partition, so my performance is pretty good too, though not as fast without encryption. Now, with XP I will be making redirections to My Documents to that private drive, and saving all my “work-in-progress” there. That, to me, operates reasonably, and pretty darn secure. I could do more to secure it, like use a key file on my usb key drive. Then you cannot get into any of my private data without the key drive inserted! But I need to test that first.

TrueCrypt can also create a virtual drive from a file. That might be handy, but performance is just a little slower that way. It cannot encrypt your OS partition though, which is a drag, but at least I can encrypt a separate partition and you cannot see the file system structure. It has a lot of neat features. Definitely worth trying if you want to lock things down.

CD or DVD drives in Windows XP give error code 39

All the logical fixes didn’t work. Reinstall, removed ide drivers, reinstalled again, no worky.

I was getting an Error code 39 (and 37 on another machine), and the DVD/CD drives would not show up in Windows.

“Windows cannot initialize the device driver for this hardware. (Code 37)”

The problem seems to be caused by CD burner software that is not loading or installed properly. It’s odd because I’ve found this on several machines lately. It occurred to me that there are a lot of programs now that can burn CDs or DVDs. iTunes or other music programs, for one; they are very common now. But there are other things, like some accounting software that can back up to CD. You have to watch for any of them that might install their own burning capability.

The solution was to remove the upperfilters and lowerfilters in the registry key below:

Find  "UpperFilters" and "LowerFilters" values in this key and delete them:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}

After that, I uninstalled the device in Device Manager, and scanned for new hardware.  The drive came right back up!

More details on this page:

http://support.microsoft.com/default.aspx/kb/314060

Vista help and support will not open but I found a fix.

In Windows Vista (mine is Business version) my Help and Support would not open. Said something about like:

“internet explorer cannot download from / help”

For some reason, the Dreamweaver 8 install messed this up. The fix was to tweak the file type association. I just did a simple registry update, but there might be other ways.

In the registry I had this:

[HKEY_CLASSES_ROOT\.xml]
@="xmlfile"
"Content Type"="application/x-xml"
"PerceivedType"="text"

Under the HKCR\.xml key, I had a Content Type of “application/x-xml” set. I updated that to “text/xml”.

So the final fix should look like this:

[HKEY_CLASSES_ROOT\.xml]
@="xmlfile"
"Content Type"="text/xml"
"PerceivedType"="text"

And my Help and Support started to work!

Master Browser checking with browstat

All these years and I’ve never known how to determine what the “master browser” was on my networks. How many times do you see those event log errors about “such and such is not the master browser” or “unable to get a browse list”. Not that I know how to fix all that, but at least I can find out WHAT THE MASTER IS in the first place!

There’s a cool utility called: browstat

Run from command line. There is one stupid thing though, you need to determine your Netbios transport first. To do that, run: net config rdr

C:\>net config rdr
Computer name                        \\MYSERVER
Full Computer name                   myserver.yourdomain.com
User name                            administrator
Workstation active on
        NetbiosSmb (000000000000)
        NetBT_Tcpip_{0FCE584B-9B98-4D26-A241-1A070D06767A} (00188B3A1EE6)
        NetBT_Tcpip_{F55EF45C-33E5-4842-A4AC-8DFF82D07B76} (00188B3A1EE8)
Software version                     Windows 2000
Workstation domain                   YOURDOMAIN
Workstation Domain DNS Name          YOURDOMAIN.com
Logon domain                         YOURDOMAIN
COM Open Timeout (sec)               0
COM Send Count (byte)                16
COM Send Timeout (msec)              250
The command completed successfully.

So you can see… what a mess! You need this:

NetBT_Tcpip_{0FCE584B-9B98-4D26-A241-1A070D06767A}

And to get your master browser run this:

browstat getmaster NetBT_Tcpip_{0FCE584B-9B98-4D26-A241-1A070D06767A} YOURDOMAIN

It should return something like: Master Browser: MYSERVER

You can also run: browstat status YOURDOMAIN
This will list all kinds of useful info, including your transports.  It shows your backup servers, as well as your master browser.

LSASRV Event ID 40960 Detected an Attempted downgrade attack

Event ID 40960 and 40961

“The Security System detected an attempted downgrade attack for server…”

In my case, when we logged the user in and opened Windows Explorer to a network share, we received an error. “The system detected a possible attempt to compromise security.” Then in the event logs, we saw the errors above. Turned out, a previous administrator saved a logon password under this user account. To remedy, you must open Control Panel, User Accounts, and then the Advanced tab. Then click the Manage Passwords button. In there, you can set and modify network passwords for specific servers. (a feature I never knew existed!) Sure enough, the server we were connecting to was in that list and set to the name of an ex-admin. Removed that item, and problem solved!