SteveOH

Now, there are plenty of places to find resources on this issue, because it’s quite common to have to do so.  My issue, was a little different, in that there were multiple layers of security (authentication and authorization) for me to access the files that were needed.  Here’s what the setup looked like:

Web Server -> WorkGroup -> Firewall -> Domain -> File Server -> Network Share -> SAN

As you can see, there are several issues are hand.  Not only do the accounts have to exist to allow for this communication (and an Administrator account is the only way to go), all sorts of permissions have to be valid for this to function (ie. Local Permissions within each OS on each Server, NTFS (file permissions) on each local server, Access permissions through the Firewall, Access permissions of Domain Resources, Local process level permissions, etc).  It was a nightmare, but I believe I figured it out.

There are a few things that needed to be done in this situation.  First, the permissions on the SAN needed to allow Administrators full control.  Additionally, the local user on the file server needed to have administrative privileges, to both the system and the SAN, thus allowing the network share.   Next, the firewall rules needed to allow file traffic (I can’t remember the SMB ports right now – and Windows needs netBios and something else to let file transfers go through, as well as authentication).  Finally, the Web Server local user needs admin rights.

To get this to work, I needed everything involved to run with elevated privileges, from IIS, to each thread in the application.  Since there was going to be a large amount of file movement, as well as resource and memory manipulation, it’s required.

Therefore, the admin credentials were inputted into IIS to map the network share from the Web Server to the File Server.  Next, I had to impersonate the admin user in each thread within the application, a pain, but the guide can be found via Google (if I have time, I’ll track them down again). Next, the machine.config needed to be modified to allow the ASP.NET process to run with the elevated permissions.  The web.config needs to be altered to allow impersonation with the credentials as well.

Now here’s the kicker, and something that’s not quite known but buried within Microsoft’s documentation.  For this to work (Work Group computer to authenticate to another computer) is to mirror the accounts (same username and password) on both servers (these are local accounts, not domain accounts – since the share was local on the server, the domain can be bypassed. If it were a domain resource, we would have to authenticate via NTLM to an Active Directory server, which would have been a bit more complicated).  This allows the hash sent from one system to another to be identical, and thus, you will authenticate (if you know the username and password on one workgroup computer, and it’s the same on another, chances are you’re who you say you are).

This took me a week to figure out, which was not enjoyable.  I hope this saves you some time.

So I recently got bombarded with 2 infections of this pesky beast. Some variants are easy to remove (SpyBot can simply pull them out) but the variant I came across was resilient. It loaded a DLL into the Winlogon.exe (injection) executable file (the Windows process responsible for authentication to the Operating System – Windows cannot run without it) and ran from there. So you can’t kill the process, because the OS will reboot. You can’t delete the DLL file, because the OS has it locked. Basically, it’s like a tumor in the center of your brain… there’s really no winning.

There are a few solutions out there (very few) such as Bayles’ solution and this one from a poster on TechRepublic , but unfortunately, neither was any good for me. Bayles’ solution works for variants that inject into Explorer.exe, which is loaded once the OS is loaded and you log in. However, winlogon is loaded as one of the first steps in loading the registry, so it’s loaded even before you press control-alt-delete (it’s actually the process that shows you the login screen). The other solution could have worked had I had administrative privileges on my machine, but I did not (this is my work machine). Therefore, I had to find another solution to bypass the OS from reinfecting itself, but still have access to the underlying file system.

I could have removed the hard drive, but I did not have another laptop to install the HDD into. I couldn’t boot to the Recovery Console using an XP CD, because I did not know the Administrative password. So my solution? I booted the laptop using an Ubuntu Linux CD I had in my laptop bag. Here’s what I did.

1. Boot normally in Windows XP and get the names of the infected DLLs using Bayles’ method (again, pendmove won’t work because winlogon is placed in memory (with the infected DLL) before pendmove is loaded).
2. Reboot using Ubuntu CD – hit enter at the first screen (Run or Install Ubuntu)
3. Unmount the NTFS file system (on a typical installation, it will be the entire drive) – We do this because the standard driver file is a read-only NTFS driver.
4. Open a terminal and install the ntfs-3g packages
   1. sudo apt-get install ntfs-3g
5. Create mount point
   1. sudo mkdir /mnt/test
6. Mount the hard drive
   1. sudo mount -t ntfs-3g /dev/sda1 /mnt/test
      1. /dev/sda1 – is the partition we want to mount, yours may be different
      1. /mnt/test – is the directory in which to mount the partition
7. You can then browse to the windows/system32 directory and delete the infected DLLs (in my case the path was /mnt/test/windows/system32/sbbqikklll.dll)
8. Reboot and then you must run some scanners. I suggest running SpyBot to clean up the rest of the garbage, and then maybe an anti-virus scanner (I used Symantec Corporate). Finally, run the Windows Malware Removal Tool.
   1. This step is extremely important. This trojan downloads other infections to your systems (ads, other programs, etc). Who knows if these other files contain other viruses, trojans, keyloggers, etc.

I hope this helps. Contact me if you need any special assistance.

Imports System.Security.Cryptography

    Function MD5_me(ByVal txt As String) As String
Dim strPlainText As String = txtPassword.Text
Dim hashedDataBytes As Byte()
Dim encoder As New UTF8Encoding()
Dim x As Integer
Dim hashedStr As String = “”

Dim md5Hasher As New MD5CryptoServiceProvider()

hashedDataBytes = md5Hasher.ComputeHash(encoder.GetBytes(strPlainText))

For x = 0 To hashedDataBytes.Length – 1
hashedStr += hashedDataBytes(x).ToString()
Next

MD5_me = hashedStr
End Function

Windws XP SP2 introduces a few new twists to TCP/IP in order to babysit users and “reduce the threat” of worms spreading fast without control. In one such attempt, the devs seem to have limited the number of possible TCP connection attempts per second to 10 (from unlimited in SP1). This argumentative feature can possibly affect server and P2P programs that need to open many outbound connections at the same time.Rant: The forward thinking of Microsoft developers here is that you can only infect 10 new systems per second via TCP/IP ?!?… If you also consider that each of those infected computers will infect 10 others at the same rate:
second 1:  1+10 computers
second 2: 10+10*10 computers (110 new ones)
second 3: 10+100*10 computers ( 1110 new ones)
second 4: 10+1000*10 computers (11110 new ones)
….
all the way to 10*60 + 10^60 computers in a single minute (that’s a number with 60 digits, or it would far exceed Earth’s population). Even if we consider that 90% of those computers are unreachable/protected, one would still reach ALL of them within a minute.

In other words, even though it is not going to stop worm spreading, it’s going to delay it a few seconds, limit possible network congestion a bit, and limit the use of your PC to 10 connection attempts per second in the process ! I have no problem with the new default setting limiting outbound connection attempts. Still, users should have the option to easily disable or change this setting. I might be going out on a limb here, but ever since the introduction of Windows XP I can’t help thinking that I dislike all the bult-in Windows “wisardry” in a sense that the system also limits user access. That irritating trend to ease the mental load on end users is somewhat insulting, considering that Windows is to make the more “intelligent” choice instead of the end user, as well as limit their access to tuning such settings…
End of rant.

With the new implementation, if a P2P or some other network program attempts to connect to 100 sites at once, it would only be able to connect to 10 per second, so it would take it 10 seconds to reach all 100. In addition, even though the setting was registry editable in XP SP1, it is now only possible to edit by changing it directly in the system file tcpip.sys. To make matters worse, that file is in use, so you also need to be in Safe mode in order to edit it.

You only need to worry about the number of connection attempts per second if you have noticed a slowdown in network programs requiring a number of connections opened at once. You can check if you’re hitting this limit from the Event Viewer, under System – look for TCP/IP Warnings saying: “TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts”. Keep in mind this is a cap only on incomplete outbound connect attempts per second, not total connections. Still, running servers and P2P programs can definitely be affected by this new limitation. Use the fix as you see fit.

To change or remove the limit, you can use the following program:

Event ID 4226 Patcher – Windows XP SP2 – A patching program for removing or changing the limit imposed on connection attempts in SP2. The patcher has the ability to restore tcpip.sys back to the original… Still, you might want to back up tcpip.sys, use it at your own risk. The author of this patch can be reached @ http://www.lvllord.de/

Background Information (MS Knowledge Base Article 223316) : The Microsoft Windows operating systems (2000/2003 and XP) include the ability to encrypt data directly on volumes that use the NTFS file system so that no other user can access your data. You can encrypt your files and folders if you set an attribute in the object’s Properties dialog box .

 

**Warning** The use of Encrypting File System (EFS) will prevent a person who does not have administrative rights from gaining access to your data. Theft of encrypted files is still possible but the files/folders will be formatted in such a way that they can’t be viewed by any casual user. These files CAN be deleted and erased from your system so backups are necessary. If you don’t back up the certificate keys to the EFS then the data will be useless to you if you ever have to recover your system from scratch.

How to enable Encrypting File System file sharing

In Microsoft Windows XP, EFS supports file sharing of encrypted files among multiple users. With this support, you can give individual users permission to access an encrypted file. The ability to add additional users is restricted to individual files. Support for multiple users on folders is not provided in either Microsoft Windows 2000 or Windows XP. Also, support for the use of groups on encrypted files is not provided by EFS.

After a file has been encrypted, file sharing is enabled through a new button in the user interface. A file must be encrypted first and then saved before additional users can be added. Users can be added either from the local computer or from the Active Directory service if the user has a valid certificate for EFS. The ability to add additional users is restricted to individual files. Support for multiple users on EFS encrypted folders is not provided. Also, only individual users can be added to files. Support for the use of groups on encrypted files is not provided by EFS.

 

How to encrypt and decrypt using the Encrypting File System

The following steps encrypt and decrypt a file or folder using the Encrypting File System.

Note These guidelines apply to Windows 2000 and Windows XP.

Encrypting a folder

Although you can encrypt files individually, we strongly recommend that you designate a specific folder for storing encrypted data.

Encrypt a folder and its contents

Although you can encrypt files individually, generally it is a good idea to designate a specific folder where you will store your encrypted files, and to encrypt that folder. If you do this, all files that are created in or moved to this folder will automatically obtain the encrypted attribute.

To encrypt a folder and its current contents, follow these steps:

•  Right-click the folder that you want to encrypt, and then click Properties .

•  In the Properties dialog box, click Advanced .

•  The Advanced Attributes dialog box displays attribute options for compression and encryption. This dialog box also includes archive and indexing attributes.

Note Although the NTFS file system supports both compression and encryption, it does not support both at the same time. This means that you can only select one or the other. A file or folder cannot be both encrypted and compressed at the same time.

To encrypt the folder, click to select the Encrypt contents to secure data check box, and then click OK .

•  Click OK to close the Advanced Attributes dialog box.

•  If the folder you chose to encrypt in steps 1 to 3 already contains files, a Confirm Attribute Changes dialog box will appear.

You can choose to encrypt only the folder so that all files subsequently moved to the folder or created in this folder will be encrypted. If you want to also encrypt all the contents of this folder, click Apply changes to this folder, subfolders, and files , and then click OK .

Decrypting a folder

To decrypt a folder, use basically the same process but in reverse order:

•  Right-click the folder that you want to decrypt, and then click Properties .

•  Click Advanced .

•  Click to clear the Encrypt contents to secure data check box to decrypt the data.

•  Click OK to close the Advanced Attributes dialog box.

•  Click OK to close the Properties dialog box.

•  If the folder has files in it, the Confirm Attribute Changes dialog box appears. You can choose to decrypt only the folder. However, this will not decrypt any files currently contained in the folder.

If you want to decrypt all the contents of this folder, click Apply changes to this folder, subfolders, and files , and then click OK .

Additional information

How files are encrypted

Files are encrypted through the use of algorithms that essentially rearrange, scramble, and encode the data. A key pair is randomly generated when you encrypt your first file. This key pair is made up of a private and a public key. The key pair is used to encode and decode the encrypted files.

If the key pair is lost or damaged and you have not designated a recovery agent, and then there is no way to recover the data.

Why you must back up your certificates

Because there is no way to recover data that has been encrypted with a corrupted or missing certificate, it is critical that you back up the certificates and store them in a secure location. You can also specify a recovery agent. This agent can restore the data. The recovery agent’s certificate serves a different purpose than the user’s certificate.

How to back up your certificate

To back up your certificates, follow these steps:

•  Start Microsoft Internet Explorer.

•  On the Tools menu, click Internet Options .

•  On the Content tab, in the Certificates section, click Certificates .

•  Click the Personal tab.

Note There may be several certificates present, depending on whether you have installed certificates for other purpose.

•  Select one certificate at a time until the Certificate Intended Purposes field shows Encrypting File System . This is the certificate that was generated when you encrypted your first folder.

•  Click Export to start the Certificate Export Wizard , and then click Next .

•  Click Yes, export the private key to export the private key, and then click Next .

•  Click Enable Strong protection , and then click Next .

•  Type your password. (You must have a password to protect the private key.)

•  Specify the path where you want to save the key. You can save the key to a floppy disk, another location on the hard disk, or a CD. If the hard disk fails or is reformatted, the key and the backup will be lost. (If you back up the key to a floppy disk or CD, you must store that disk or CD in a secure location.)

•  Specify the destination, and then click Next .

 

For additional information about the Encrypting File System (EFS), visit the following Microsoft Web sites:

Encrypting File System in Windows 2000
http://www.microsoft.com/windows2000/techinfo/howitworks/security/encrypt.asp

Encrypting File System in Windows XP and Microsoft Windows Server 2003
http://www.microsoft.com/WINDOWSXP/pro/techinfo/administration/recovery/default.asp

Eraser is an advanced security tool (for Windows), which allows you to completely remove sensitive data from your hard drive by overwriting it several times with carefully selected patterns. Works with Windows 95, 98, ME, NT, 2000, XP and DOS. Eraser is Free software and its source code is released under GNU General Public License.

When a file is deleted off of a Windows system (I’m not sure about Linux) the file isn’t really deleted, but the pointer (File Table entry) is deleted so there’s no way the OS can get to it (in essence, the file no longer exists in the OS’s eyes).  So instead of using a large amount of disk I/O operations to delete a 2.78 GB file, a simple deletion of 8k (just a number, has no significanse other than showing the size difference) at a static point on the disk platters accomplishes the same thing (to the OS).  Eventually those sectors on the disk will be overwritten with new data that we actually want, and the OS (and the user) are none-the-wiser.  That’s not good enough for me.  From the documentation, Eraser overwrites those sectors repeatedly (the ensure all sectors in the clusters are overwritten) so that the data is lost, not just ‘deleted’.

An excellent tool for keeping your data really safe.  If you’ve deleted it, make sure it’s really gone.  These types of things have a tendency of biting you in the rear.

You can download Eraser here.

Specifications

Manufacturer:

Fujitsu

Part number:

FPCM10241

General

Platform Technology

Intel Centrino

System Type

Tablet PC

Built-in Devices

Wireless LAN antenna, SmartCard reader/writer

Width

11.5 in

Depth

9.3 in

Height

1.4 in

Weight

4.2 lbs

Processor

Processor

Intel Pentium M 1.4 GHz

Data bus speed

400 MHz

Processor features

Enhanced SpeedStep technology

Chipset type

Intel 855GM

Cache Memory

Type

L2 cache

Cache size

1 MB

RAM

Installed Size

256 MB / 2 GB(max)

Technology

DDR SDRAM – 266 MHz

Memory specification compliance

DDR266/PC2100

Storage Controller

Storage controller type

IDE

Storage

Floppy Drive

None

Hard Drive

40 GB

Storage Removable

None

Optical Storage (2nd)

2nd optical storage type

None

Display

Display Type

12.1 in TFT active matrix

Max Resolution

1024 x 768

Color support

24-bit (16.7 million colors)

Video

Graphics Processor / Vendor

Intel 855GM – AGP

Video Memory

Shared video memory (UMA)

Audio

Audio output type

Sound card

Audio output compliant standards

AC ’97

Input Device(s)

Input device type

Keyboard, Touchpad, Digitizer, Digital pen, Scroll button

Telecom

Modem

Fax / modem

Max transfer rate

56 Kbps

Protocols & Specifications

ITU V.90

Networking

Networking

Network adapter

Networking / Wireless LAN Supported

Yes

Data link protocol

Ethernet, IEEE 802.11b, Fast Ethernet

Networking standards

IEEE 802.11b

Expansion / Connectivity

Expansion Bays

None

Expansion Slots Total (Free)

2 ( 1 ) x Memory, 1 ( 1 ) x CardBus – Type III (2 x type I / II)

Interfaces

2 x Hi-Speed USB – 4 pin USB Type A, 1 x Modem – Phone line – RJ-11, 1 x Network – Ethernet 10Base-T/100Base-TX – RJ-45, 1 x Display / video – VGA – 15 pin HD D-Sub (HD-15), 1 x Infrared – IrDA, 1 x Headphones – Output – Mini-phone stereo 3.5 mm, 1 x Microphone – Input – Mini-phone 3.5 mm, 1 x Docking / port replicator

Miscellaneous

Features

Security lock slot (cable lock sold separately)

Compliant Standards

CUL, TUV, EN55022, EN55024, EN 60950, ICES-003, UL 60950, CISPR 22 Class B, FCC Class B certified, FCC Class C certified

Power

Power device form factor

External

Voltage Required

AC 120/230 V ( 50/60 Hz)

Battery

Technology

Lithium ion

Installed Qty

1

Mfr estimated battery life

4.5 hour(s)

Operating System / Software

OS Provided

Microsoft Windows XP Tablet PC Edition

Software type

Zinio Reader, Microsoft Reader, NewsStand Reader, Drivers & Utilities, Fujitsu HotKey Utility, Microsoft Internet Explorer, FranklinCovey TabletPlanner (Trial), PowerQuest Drive Image Special Edition

Manufacturer Warranty

Service & support type

1 year warranty

Service & Support Details

Limited warranty – 1 year

Windows

---

Error – Event ID 2011

Error – Event ID 2011 – “Not enough server storage” or “Not enough memory to complete transaction. Close some applications and retry”

After you install Norton AntiVirus (or IBM AntiVirus 3.01N, in particular Build 301.590), you receive one or both of the following error messages:

Not enough server storage is available to process this command.

or

Not enough memory to complete transaction. Close some applications and retry.

The problem goes further then error messages – Clients also can’t access network shares.  Also, Event Viewer on the server computer (the computer with the shares, not the computer trying to access the shares) may have entries for one or more of the following event messages in the system log:

Event ID : 2011
Source : Srv
Description: The Server’s configuration parameter “IRPStackSize” is too small for the server to use a local device. Please
increase the value of this parameter.

To solve the problem you have to reset the IRPStackSize parameter back to its default value of 15 on the server where the share is.  Using Regedit navigate to the following key:

HKEY_LOCAL_MACHINE
\SYSTEM
\CurrentControlSet
\Services
\lanmanserver
\parameters

Check for a value named IRPStackSize. If it doesn’t exist, create it as type DWORD.  With base set to decimal, enter the value 15.

Note:  Under Windows 2000, the default value of IRPStackSize is 15, and the range is from 11 to50.  Under Windows XP, the default value for IRPStackSize is 15, and the range is from 11 to 50.  Under Windows NT 4.0, the default value of IRPStackSize is 0×4, and the range is from 0×4 to 0xC (4 – 12). Windows NT 4.0 with Service Pack 5 or later ignores values less than 0×7.

Reboot the computer.

This bug is documented at:

Microsoft Knowledge base article 177078

Microsoft Knowledge base article 106167

Symantec Knowledge Base Article 2000021411512248

Symantec Knowledge Base Article 2003111315593848

This advice applies to the following operating systems:

• Microsoft Windows XP Professional
• Microsoft Windows XP Home Edition
• Microsoft Windows XP Professional 64-Bit Edition (Itanium)
• Microsoft Windows XP Media Center Edition 2002
• Microsoft Windows XP Tablet PC Edition
• Microsoft Windows 2000 Advanced Server
• Microsoft Windows 2000 Professional Edition
• Microsoft Windows 2000 Datacenter Server
• Microsoft Windows NT Workstation 4.0 Developer Edition
• Microsoft Windows NT Server 4.0 Standard Edition
• Microsoft Windows NT Server 4.0 Enterprise Edition

While I won’t declare my age or year of birth for the entire world to see (for obvious security reasons), I have recently celebrated a birthday. Birthdays, to me, are just another day in terms of events. But, each birthday signifies the end of an entire year of life, and the beginning of a new one. At this point in my life, being a full time employee and a full time student, as well as a full time volunteer and a part time business owner, I find it extremely difficult to find a balance. I guess it’s the way of the libra to yearn for balance, but man is it hard!

Anyway, I guess the reason for my writing this post is so that I can put my goals for the next year of life, which I believe to be more important than the calendar year.

Goals:

I will post my detailed goals in the days to come.More to come…

So I set up a Virtual Private Network (VPN) for remote access to my home.  It was a lot easier than I had anticipated as it only took about 35 minutes.  However, there are some things to note about my implementation.

1. PPTP was used (instead of L2TP/IPSec) due to the simplicity
2. ISA 2004 was used to create the VPN
3. Windows 2003 Server VPN services were installed before VPN creation
4. I am currently using Microsoft Vista Business Edition as the VPN client.  Windows XP has not been tested.

The directions downloaded here were quite long, so I can only assume (and reasonably so) that the VPN I have set up is very basic and is not the ultimate in security.  I actually only used some of Chapter 4 (about ~68% of it) to get it established and connected.  I verified connectivity and everything is working beautifully.  One thing, when I initially connected I was unable to hit the internet or anything else and I noticed that the default gateway for the VPN was set to 0.0.0.0  After a bit of research I had to set the VPN to not use the Default Gateway of the VPN, and then everything worked like a dream.

My next task is utilize the increased security of L2TP/IPSec and use the certificates.

Using ISA 2004 made it a lot easier than I anticipated.  Below is the list of the actual steps I took, generalized of course:

1. Install Remote Access / VPN role on Server 2003
2. Enable VPN connections through ISA 2004]
3. Create access rules allow VPN users to connect to the internal network
4. Enable Dial-in access to VPN user accounts
   1. I wasn’t sure this was going to work as I do not have an Active Directory environment, but it was of no concern.  Instead of accessing the user properties via the Active Directory Users and Computers MMC snap-in, you simply go to Computer Management and edit the same option on the local user’s properties.
5. Test it!