Thursday, April 26, 2007

InfoSec

I had the pleasure of attending this year's Infosec event at Olympia and it was a thoroughly enjoyable afternoon, even with the hard sell by some vendors!

I wasn't aware of any particular focus to this year's event; certainly there were vendors who duplicated other vendors' products, with password management systems seemingly the 'in' thing. At least three vendors had the same password management product, just presented in a slightly different way.

One vendor has an interesting approach to the problem of single sign-on: Imprivata, whom I've had the pleasure of dealing with before, displayed their showpiece single sign-on tool. This appliance is a very impressive piece of technology that not only does single sign-on but can also integrate with the building management system to make decisions on access based on where your door card is used.
For example, no local logons allowed on the servers unless your swipe card has been detected being used to access the server room, and no VPN access for your account if your pass HAS been used to gain access to the building.
With Imprivata's single sign-on technology these types of rules can be used to build a very powerful and comprehensive access control layer.

The second vendor I was impressed by was Secerno. They have an appliance that is designed to sit in front of SQL servers and reject or accept SQL queries depending on where the query originated.
For example, if you have a payroll system that HR have access to but you don't want anyone else running (or trying to run) queries against it, you can just block ALL queries from other IP addresses, terminals, etc. This is very handy against the casual browser or the SQL admin who wants to poke around confidential databases. Obviously, if the SQL admin can take a backup of the database and take it offsite then the security is broken, but it's an interesting idea.

Another vendor, GFI, may well have something of a niche product with their endpoint security software. Many vendors have endpoint software for managing USB, CD burners and so on, but this is the first I have seen that claims to be able to cover the range of mobile phones as well. It should be an interesting application to play with.

The final stand I have to mention is Microsoft's, where I got to meet Claire Smyth of TechNet Magazine; she is an absolute delight to talk to, obviously very committed to TechNet and the TechNet community. Just a few minutes at the Microsoft stand really gives you an idea of the passion these people have for their products and the commitment they have to security.

Overall, the event was a lot of fun and I'd recommend it to anyone who has to deal with IT security.

Wednesday, April 25, 2007

Display FSMO role holders

Imagine the scene: you are a consultant and have been asked to fix an Active Directory issue. One of the first things you need to find out is where all the FSMO roles live. You could go digging around in Active Directory Users and Computers, Active Directory Domains and Trusts and the Active Directory Schema snap-in (remembering to register SCHMMGMT.DLL first), or you could just run the script below.

Copy the script in the box below, save it as 'fsmo-role-holders.vbs', then run it with cscript fsmo-role-holders.vbs



' List the five FSMO role holders by reading the fSMORoleOwner attribute from
' the object that owns each role. The attribute holds the DN of the holder's
' NTDS Settings object; its parent is the server object, whose name we print.
Set objRootDSE = GetObject("LDAP://rootDSE")

' Schema Master: the owner attribute lives on the schema naming context itself
Set objSchema = GetObject("LDAP://" & objRootDSE.Get("schemaNamingContext"))
strSchemaMaster = objSchema.Get("fSMORoleOwner")
Set objNtds = GetObject("LDAP://" & strSchemaMaster)
Set objComputer = GetObject(objNtds.Parent)
WScript.Echo "Forest-wide Schema Master FSMO: " & objComputer.Name

' Domain Naming Master: owned by the Partitions container in the configuration NC
Set objPartitions = GetObject("LDAP://CN=Partitions," & objRootDSE.Get("configurationNamingContext"))
strDomainNamingMaster = objPartitions.Get("fSMORoleOwner")
Set objNtds = GetObject("LDAP://" & strDomainNamingMaster)
Set objComputer = GetObject(objNtds.Parent)
WScript.Echo "Forest-wide Domain Naming Master FSMO: " & objComputer.Name

' PDC Emulator: owned by the domain naming context (the domain head object)
Set objDomain = GetObject("LDAP://" & objRootDSE.Get("defaultNamingContext"))
strPdcEmulator = objDomain.Get("fSMORoleOwner")
Set objNtds = GetObject("LDAP://" & strPdcEmulator)
Set objComputer = GetObject(objNtds.Parent)
WScript.Echo "Domain's PDC Emulator FSMO: " & objComputer.Name

' RID Master: owned by the RID Manager$ object under CN=System
Set objRidManager = GetObject("LDAP://CN=RID Manager$,CN=System," & objRootDSE.Get("defaultNamingContext"))
strRidMaster = objRidManager.Get("fSMORoleOwner")
Set objNtds = GetObject("LDAP://" & strRidMaster)
Set objComputer = GetObject(objNtds.Parent)
WScript.Echo "Domain's RID Master FSMO: " & objComputer.Name

' Infrastructure Master: owned by the Infrastructure container in the domain NC
Set objInfrastructure = GetObject("LDAP://CN=Infrastructure," & objRootDSE.Get("defaultNamingContext"))
strInfrastructureMaster = objInfrastructure.Get("fSMORoleOwner")
Set objNtds = GetObject("LDAP://" & strInfrastructureMaster)
Set objComputer = GetObject(objNtds.Parent)
WScript.Echo "Domain's Infrastructure Master FSMO: " & objComputer.Name
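The same five LDAP reads done from PowerShell, as an added example that is not part of the original post. It uses the built-in [ADSI] type accelerator rather than the Active Directory module, so it runs from any domain-joined machine that can reach a DC over LDAP (PowerShell 3.0 or later is assumed for the [pscustomobject] syntax). It adds two things the VBScript above does not give you: the role holder's FQDN from the server object's dNSHostName attribute instead of just its CN, and a flag for the case where fSMORoleOwner points at a tombstoned NTDS Settings object (a DC that was removed without the role being transferred), which is exactly the situation the consultant in the scenario is likely to find.

```powershell
# Added example (not from the original post): list the five FSMO role holders
# with [ADSI], resolving each holder to its FQDN and flagging orphaned roles.
# Assumes a domain-joined machine with LDAP access to a DC; no RSAT required.
function Get-FsmoRoleHolders {
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $schemaNc = [string]$rootDse.schemaNamingContext
    $configNc = [string]$rootDse.configurationNamingContext
    $domainNc = [string]$rootDse.defaultNamingContext

    # Role name -> DN of the object whose fSMORoleOwner attribute names the holder.
    $roleObjects = [ordered]@{
        'Schema Master'         = $schemaNc
        'Domain Naming Master'  = "CN=Partitions,$configNc"
        'PDC Emulator'          = $domainNc
        'RID Master'            = "CN=RID Manager`$,CN=System,$domainNc"
        'Infrastructure Master' = "CN=Infrastructure,$domainNc"
    }

    foreach ($role in $roleObjects.Keys) {
        $owner    = [ADSI]"LDAP://$($roleObjects[$role])"
        $holderDn = [string]$owner.fSMORoleOwner

        # fSMORoleOwner is the DN of the holder's NTDS Settings object. If that
        # object has been tombstoned (DC removed without transferring the role)
        # the DN carries a "\0ADEL:" marker and the role has to be seized.
        $isDeleted = $holderDn -match '\\0ADEL:'

        $server = $null
        if (-not $isDeleted) {
            $ntds   = [ADSI]"LDAP://$holderDn"
            $srvObj = $ntds.psbase.Parent           # the server object, one level up
            $server = [string]$srvObj.dNSHostName   # FQDN rather than just the CN
        }

        [pscustomobject]@{
            Role     = $role
            Holder   = $server
            HolderDn = $holderDn
            Orphaned = $isDeleted
        }
    }
}

Get-FsmoRoleHolders | Format-Table Role, Holder, Orphaned -AutoSize
```

If Orphaned shows True for any role, no amount of transferring will work because the holder no longer exists; the role has to be seized with ntdsutil, and that is worth knowing before you start troubleshooting anything else.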

Wednesday, April 18, 2007

Automated phone systems

Working in the IT field means I'm often on the phone to different companies, and the one thing I VERY quickly learned to hate is the automated call handling systems that it seems everyone has introduced.

There are several things that I truly hate about these menu systems, but one of the main ones is how every damn system has a variant of "In order to serve you better our menu has changed". Err, how does you messing around with your MENU serve me? It just means I have to sit here and listen to you twittering on when you could serve me better by fixing the product in the first place!
Actually, many people do the same as me: they listen to the menu options once and write them down for future use. Outlook's notes field is particularly handy for this.

The other big problem I have with these systems is how you have to negotiate a maze of options to finally get the department you want, only to be told "This department is closed". Frustrating doesn't even begin to describe it.

There has got to be something better than a digital Dorothy answering the phones for every company.

Tuesday, April 17, 2007

Further exploits for DNS Remote management vulnerability

Last Friday Microsoft announced a new security vulnerability in DNS remote management; today the advisory was updated to include reports of attacks in the wild that are trying to exploit this hole.

Whilst the security hole is an issue, I'm not overly concerned about it. Certainly I'm tracking it, and Microsoft have provided a couple of workarounds, but this is a typical security hole that a good security policy would at best prevent and at worst severely restrict.

To explain what I mean, let's have a look at the vulnerability in detail:

DNS is a server service that listens on port 53 (UDP and TCP). Every DNS server has to listen on port 53 because that is where clients and other servers send their queries, so changing the port is not an option. That already opens up possible attack vectors, and the usual answer is to lock it down by accepting traffic on port 53 only from a limited range of IP addresses.

However, this new security hole isn't in the DNS protocol that runs on port 53 at all; it's a hole in how the DNS Server service accepts remote management requests over RPC. This is a very important thing to understand: just because it's DNS doesn't mean it's port 53.

RPC is another protocol whose ports you cannot simply change: the endpoint mapper sits on TCP port 135 and the DNS service's own RPC interface is handed a dynamic port above 1024, and RPC has been a known attack vector for years. It also sits alongside the file sharing ports that expose things like the C: drive on most computers, and that is one of many reasons most ISPs block RPC and SMB port traffic.

I'm hoping this goes some way to explaining how the exploit works; if you understand that, you will understand what I'm about to say:

The biggest risk from this security vulnerability is from INSIDE the corporate network.

Got that? Good.

Any company that exposes RPC ports to any user on the Internet has already been attacked and has hopefully wised up.
The threat from this security hole relates more to remote management of DNS from internal networks. Most administrators install the adminpak.msi tools onto their own machines and then connect to the DNS servers and manage them remotely, which means the DNS RPC interface has to be reachable from the desktop LAN.

A good security policy that locks down remote management of the server to a limited subset of users and hosts would render this type of hole useless before it even gets off the ground.
The fact that a working exploit, not just a proof of concept, has been crafted is proof in itself of companies' inability to take proper responsibility for the security of their infrastructure.
Windows has shipped with security templates since before Windows 2000 was released; the templates in Windows 2000 were FAR superior to those you could get for NT, but even Windows NT had a lock-down tool.
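To make the "it's DNS but it's not port 53" point concrete, here is an added example that is not part of the original post: a PowerShell check (assumes PowerShell 3.0 or later, run in an elevated prompt on the DNS server itself) that reports whether the DNS Server service still accepts remote RPC management and which TCP ports dns.exe is listening on besides 53. The registry value it reads, RpcProtocol under the DNS service's Parameters key, is one of the workarounds Microsoft published for this issue: setting it to 4 limits the RPC interface to local calls. Any non-53 listener it prints is the dynamic RPC port that a firewall rule written only for port 53 does not touch.

```powershell
# Added example (not from the original post): report how the DNS Server service
# can be reached for remote management. Assumes PowerShell 3.0+ and an elevated
# prompt on the DNS server; netstat output parsing is local-only by design.
function Get-DnsRpcExposure {
    # RpcProtocol bit flags: 1 = RPC over TCP/IP, 2 = RPC over named pipes,
    # 4 = LPC (local only). Absent means the default, which allows the remote
    # transports. Microsoft's workaround for this issue was to set it to 4.
    $paramsPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
    $params      = Get-ItemProperty -Path $paramsPath -ErrorAction SilentlyContinue
    $rpcProtocol = if ($params -and $params.PSObject.Properties['RpcProtocol']) {
        [int]$params.RpcProtocol
    } else {
        $null
    }
    $remoteRpc = ($null -eq $rpcProtocol) -or (($rpcProtocol -band 3) -ne 0)

    # Every TCP port dns.exe has open that is not 53 is an RPC endpoint on a
    # dynamic port. It is reachable by anyone who can reach the server at all,
    # however tightly port 53 itself is filtered.
    $dnsProc   = Get-Process -Name dns -ErrorAction SilentlyContinue
    $listeners = @()
    if ($dnsProc) {
        $listeners = netstat -ano | ForEach-Object {
            if ($_ -match '^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$' -and
                [int]$matches[3] -eq $dnsProc.Id) {
                [pscustomobject]@{ Address = $matches[1]; Port = [int]$matches[2] }
            }
        }
    }

    [pscustomobject]@{
        DnsServiceRunning    = [bool]$dnsProc
        RpcProtocol          = $rpcProtocol
        RemoteRpcManagement  = $remoteRpc
        NonDns53TcpListeners = @($listeners | Where-Object { $_.Port -ne 53 })
    }
}

Get-DnsRpcExposure | Format-List
```

If RemoteRpcManagement is True and the NonDns53TcpListeners list is not empty, the server is exposed in exactly the way the post describes, and the fix is one of two things: restrict those ports (and 135) at the host firewall to the management subnet the admins actually use, or set RpcProtocol to 4 and manage the server over RDP or locally until the patch is in.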

Microsoft often gets blamed for poor security practices, but most administrators are guilty of exactly the same. A good sense of security and a good lock-down policy will mitigate most of the attacks we see these days.

Friday, April 13, 2007

Say goodbye to initiative

When I joined my first IT department a lot of things were new to me but I was expected to basically get on with it. Sure I could ask questions and I could see if there were any procedures but a lot of it was left up to me to learn and sort out.

Fast-forward thirteen years and we have the paper MCSE who doesn't seem to have the ability to think for themselves. Too often people in IT departments these days seem to expect to be spoon-fed and led by the neck; there doesn't seem to be that spark of "I want to figure out why this is broken".
Too many of today's IS staff seem content to just rattle through the same old checklist of items, and in the process quite often alienate customers.

In many ways this is not the fault of the new helpdesk person coming into the organisation; instead it's a problem endemic in the very way IT departments work these days.
The problem is this: many IT departments get the same types of calls, and these calls can be handled by someone with very little knowledge following a checklist. Not only does this make the call closure rate look good, but it also reduces costs, as the person on the helpdesk can be paid less.

This is all fine for the very basic calls and issues, but it starts to fall down for the more complex ones, because some of the more complex problems cannot be fixed by following a checklist. Certainly a checklist can be used as a guide, but real-world troubleshooting needs a more thorough approach than a checklist can provide.

Tuesday, April 10, 2007

Goodbye Easter, Hello Patch Tuesday

Many of us have just gotten back into the office after a nice Easter break eating too much chocolate and too many hot cross buns, but thanks to Microsoft you had better not get too complacent, as another round of security patches is about to be unleashed.

Not content with just the out-of-band security patch released to counter the animated cursor vulnerability, Microsoft are going to release an additional five security patches as part of the regular Patch Tuesday cycle. Four of these fixes are aimed at the Windows operating system and, as always, the cumulative rating from Microsoft is Critical.

Hope you had a good Easter break because it's back to business.

Tuesday, April 03, 2007

Animated Cursor Vulnerability? Not if you get your security updates from MS via RSS!

I'm sure that many of you are aware that later today Microsoft will be releasing a patch for a zero-day security hole in Windows-based operating systems that can be exploited by specially crafted .ANI files.

I subscribe to several security RSS feeds, including eEye's zero-day tracker and Microsoft's Security Response Center blog.

This morning when I checked the RSS feeds I was surprised to see that Microsoft's had not been updated. When I checked the website, three news updates had been posted, but the RSS feed itself had not been updated.

This vulnerability is easily the most critical zero-day since Microsoft moved to monthly patching. The fact that an out-of-band patch is due to be released today only reinforces that, and therefore it's insane that they haven't done any quality checking on something as simple as the RSS feed for the Security Response Center's blog! I hope this is not a sign of the surprise with which Microsoft has been caught out.

I've emailed the security response center and hope to see the RSS feed fixed before the patch is released.