Prevent users from clearing history in IE 7

Posted by Steve Wiseman on December 18, 2008 with 7 Comments

This tip is only for Vista, so I apologize in advance to those of you still using XP. In Vista you can easily clear your browsing history from the Internet Explorer options. I have helped a few organizations that use this information after a spyware incident to determine where the problem came from.

Users may notice that something happened and call the IT department for help. Before they do that they clear their history so they don’t get in trouble. This vital information is now lost, and the bad site could cause the problem again.

So how can you prevent this? Easy: use group policy. You can do this locally, or on your domain controller if you want to apply the change across your network.

To change the policy on your Vista machine, click on the start button, and type gpedit.msc – then press enter.

GPEDIT.MSC

Then the local policy window will be displayed. You will need to drill down to:

Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer

Once you are in that section, scroll down and you will see three items:

“Turn off ‘Delete Browsing History’ functionality”
“Turn off ‘Delete Passwords’ functionality”
“Turn off ‘Delete forms’ functionality” 

Only the first one is necessary for what we are trying to accomplish, but the other two are related and you may want to use them.
Gpedit Disable Clear Cookies

I am not a big fan of how many policy items are worded. It forces you to enable them when you want something disabled. So if you want to disable them, use the Enabled option. Now, if you go into Internet Explorer and try to clear the history, you will notice that the button is disabled:
Disable Clear History

This same tip can be applied from a domain controller. If you have 2008 the setting will already be available. On some versions of 2003 you will need to get the updated administrative template for Internet Explorer. Keep in mind that the policy only removes the button: the history files still sit in the user’s profile, so a user who knows where to look (or a local administrator, who can also undo the policy) can still delete them. Treat it as a deterrent, and keep your proxy or web-filter logs as the authoritative record of where a machine has been.
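The same three settings applied from a script instead of gpedit.msc, with a read-back check. This is an added example, not code from the original post; it assumes that the registry values below (under HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel) are the ones the Internet Explorer administrative template writes for these policies, and it must be run from an elevated PowerShell prompt on the Vista machine.

```powershell
# Added example (not from the original post): apply the three IE "Delete ..." policies
# from a script instead of clicking through gpedit.msc, then read them back.
# Assumption: the key below is where the inetres.adm template stores these settings
# (machine-wide policy, so it wins over anything the user sets).

$policyKey = 'HKLM:\Software\Policies\Microsoft\Internet Explorer\Control Panel'

# 1 = the policy is "Enabled" in gpedit, which *removes* the matching Delete button.
$settings = @{
    'DisableDeleteBrowsingHistory' = 1   # "Turn off 'Delete Browsing History' functionality"
    'DisableDeletePasswords'       = 1   # "Turn off 'Delete Passwords' functionality"
    'DisableDeleteForms'           = 1   # "Turn off 'Delete forms' functionality"
}

if (-not (Test-Path $policyKey)) {
    New-Item -Path $policyKey -Force | Out-Null
}

foreach ($name in $settings.Keys) {
    Set-ItemProperty -Path $policyKey -Name $name -Value $settings[$name] -Type DWord
}

# Verification: every value must read back as 1; report anything that does not.
$actual = Get-ItemProperty -Path $policyKey
foreach ($name in $settings.Keys) {
    $value = $actual.$name
    if ($value -eq 1) {
        Write-Host "$name = 1 (Delete button will be greyed out)"
    } else {
        Write-Warning "$name is '$value', expected 1"
    }
}

# To undo on one machine (for example so an investigator can clear a test profile):
# Remove-ItemProperty -Path $policyKey -Name DisableDeleteBrowsingHistory
```

Only the first value is needed for the history button; the other two are included because the post suggests you may want them as well. Nothing here touches the history files themselves, so the caveat above still applies.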

Zero day flaw found in IE 5, IE 6, IE 7, and IE 8

Posted by Steve Wiseman on December 14, 2008 with 0 Comments

Microsoft is reporting that a serious zero day flaw (Microsoft Security Advisory 961051, CVE-2008-4844) has been discovered in almost every version of Internet Explorer.

IE 7 Logo

The vulnerability is an invalid pointer reference in Internet Explorer’s data binding code. When data binding is enabled (the default), it is possible under certain conditions for an object to be released without the array length being updated, so memory belonging to the freed object can still be accessed. This can crash Internet Explorer in a state that an attacker can exploit to run code with the rights of the logged-on user.

Even more serious, the flaw can still get you on Vista with User Account Control enabled: Protected Mode limits what the exploit can write to, but it does not stop the exploit from running. Microsoft is suggesting at this time to set the security level for the Internet zone to High, or to disable active scripting. These are nice measures, but they still do not guarantee that you are safe from this flaw.
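The "disable active scripting" workaround applied for the current user, with a before/after check and the line to revert it once the patch is installed. This is an added example, not from the original post or Microsoft’s advisory; it assumes that zone 3 under the Internet Settings\Zones key is the Internet zone and that value 1400 is the "Active scripting" setting (0 = enable, 1 = prompt, 3 = disable), as documented for the zone registry keys.

```powershell
# Added example (not from the original post): turn active scripting off in the
# Internet zone for the current user, which is one of the two workarounds suggested.
# Assumption: Zones\3 = Internet zone, value 1400 = Active scripting (0/1/3).

$internetZone    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$activeScripting = '1400'

function Get-ActiveScriptingState {
    $v = (Get-ItemProperty -Path $internetZone).$activeScripting
    switch ($v) {
        0       { 'enabled' }
        1       { 'prompt' }
        3       { 'disabled' }
        default { "unknown ($v)" }
    }
}

Write-Host "Before: active scripting in the Internet zone is $(Get-ActiveScriptingState)"
Set-ItemProperty -Path $internetZone -Name $activeScripting -Value 3 -Type DWord
Write-Host "After:  active scripting in the Internet zone is $(Get-ActiveScriptingState)"

# Trusted Sites (Zones\2) keeps its own 1400 value, so business sites you place there
# keep running script. Revert once the fix is installed:
# Set-ItemProperty -Path $internetZone -Name $activeScripting -Value 0 -Type DWord
```

This is a per-user setting (HKCU); every account on the machine needs it, and a user can switch it back in the Internet Options dialog, so for more than a couple of machines the group policy equivalent is the better tool.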

Microsoft has not yet said if they will do another out of band release, but it seems like it is serious enough that they will – once they engineer a fix that won’t break everything.

So my suggestion is (if you can) use Firefox or another third party browser. Once the bad guys know this flaw exists they will do everything they can to exploit it.

Here are a few more informative links on the issue:

Technet clarification to workaround

McAfee’s report on the issue

Original Security Advisory from Microsoft

Filed Under: Windows

Enabling File and Printer Sharing – FPEnabler.exe

Posted by Steve Wiseman on December 11, 2008 with 1 Comments

We started out this week thinking that we would update FPEnabler.exe. We released this free program about a year ago, but we had to pull it from our website because it was breaking every few months with new patches released by Microsoft. FPEnabler simplified the process of adding a file and printer sharing exception to the firewall. What do you need it for? Well, lots of tools use the file and printer sharing mechanism to install patches, run reports, remotely reboot, etc. And of course, many of our tools use this to do their magic.

Part of the problem is that we used an undocumented and unsupported method of updating the registry to add this exception. So I thought that if we used the public firewall APIs it would be simpler, but after some deeper research into the issue we have decided against continuing this command line program.

A few reasons for this:

1. Different versions of XP read these registry keys differently. For example XP Pro is different from XP Media Center, and if we set the wrong keys we could break file sharing altogether.

2. Vista has a completely different way of enabling this exception, so we would need to create custom code to detect between Vista and XP.

3. With the new UAC model in Vista, this way of changing the firewall settings does not work with UAC enabled, or for users without administrative rights over their PC. So the necessity and effectiveness of an enabler program are in question.

So what to do? Well, if you have lots of machines the answer is group policy. If you have a few machines, you can make these changes by hand.

I have written an article for each method for those of you that need to get this done:

Enabling File And Printer Sharing in XP

Enabling File And Printer Sharing in Vista

Enabling File And Printer Sharing using Group Policy

Enabling File and Printer Sharing In Vista

Posted by Steve Wiseman on December 11, 2008 with 1 Comments

File and printer sharing is used primarily for...you guessed it...sharing your files and printers. By default Vista is configured with it disabled. File and printer sharing is also needed by many remote administration tools that access the admin$ share.

The first step to getting this to work is enabling an exception in the firewall. Get into the control panel, and double click on the firewall icon:

Vista Firewall Icon

A configuration window will appear, click on the change settings link:

Change Firewall Settings

Once that opens, switch to the “Exceptions” tab, and make sure “File and Printer Sharing” is checked.

File and Printer Sharing Firewall Exceptions

If you are only interested in sharing files, then you are done. If you are interested in getting the admin$ share to work there is one more step…a registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System

Browse to the above key, and you will need to create a new DWORD value called:

LocalAccountTokenFilterPolicy

Admin Share Vista

Set it to 1 and reboot. Be aware of what this value does: it switches off the UAC remote restriction that strips the administrator token from local accounts connecting over the network. You only need it if you connect with a local administrator account; a domain account that is in the local Administrators group is never filtered. With it set, any local admin credential (or its password hash) is enough for full remote administration from anywhere the firewall lets SMB through, so prefer domain accounts and leave the value unset where you can.

Now your machine will have file and printer sharing accessible through the firewall, and programs like Remote Control 3.0 will be able to automatically install software from another machine.

This tip also works for Windows Server 2008.

Enable File and Printer Sharing using Group Policy

Posted by Steve Wiseman on December 11, 2008 with 3 Comments

Since Windows XP SP2 the Windows firewall has been on by default with the file and printer sharing exception turned off. This is true of all versions of Vista and of XP SP3. Heck, the same is true for the pre-release versions of Windows 7 that I have looked at.

This creates a problem for many of our tools and products. For example, our remote USB disabler cannot do its work without remotely writing the appropriate registry keys. Our Remote Control product cannot automatically install its agent without file and printer sharing. They all use this to do their magic. We are not the only ones: PsExec from Sysinternals needs file and printer sharing too.

There are hundreds if not thousands of tools used by IT administrators that require file and printer sharing enabled in the firewall.

If you have 10 computers it is an easy fix. You simply walk around to each of them and add an exception in the firewall. Simple. Done.

If you have hundreds of computers spread across 3 states, you now have a much more difficult problem. You could write a script that executes at login. The trouble with this idea is that every user would need full administrator access to their own machine. This type of access is getting pretty rare these days, so I don’t even consider it an option.

The best method is group policy. I am going to walk you through it. My example uses Windows 2003 Server. Those of you with 2008 will find that it is almost exactly the same. If you have 2000 Server…well…you have your hands full anyway and shouldn’t even have time to read this article.

Start out by getting on your domain controller. Open “Active Directory Users and Computers”. You need to determine what group of machines your policy is going to be applied to. Some organizations will have computers under many different OUs.

To keep things simple I am going to change the group policy for the entire domain.

Right click on the domain name and go to properties:

Enable File And Printer Sharing Firewall GPO

This will bring up a properties window. You will want to move to the Group Policy tab, select the policy you want to edit (In our case it is the Default Domain Policy) and press the edit button.

GPO File and Printer Sharing Firewall

This is a computer policy (It will apply to computers…not specific users), so drill down to:

Computer Configuration -> Administrative Templates -> Network -> Network Connections -> Windows Firewall

GPO Firewall policy

You will notice two sections under this area: a domain profile and a standard profile. A machine automatically picks the profile to use based on whether it can reach a domain controller for the domain it belongs to. Straight from Microsoft, they are defined this way:

* Domain profile The domain profile is the set of Windows Firewall settings that are needed when the computer is connected to the managed network. For example, the domain profile might contain settings for excepted traffic for the applications and services needed by a managed computer in an enterprise network.

* Standard profile The standard profile is the set of Windows Firewall settings that are needed when the computer is connected to another network. A good example is when an organization laptop computer is taken on the road and connects to the Internet using a public broadband or wireless Internet service provider. Because the organization laptop computer is directly connected to the Internet, the standard profile should contain more restrictive settings than the domain profile.

So generally speaking, I suggest only making these changes to the Domain Profile. You don’t want your sales guys hooking up to a hotel network with their file and printer sharing fully accessible.

Selecting the domain profile, and looking on the right we see what we need – “Windows Firewall: Allow file and printer sharing exception”

GPO Windows Firewall File and Printer Sharing

There are two items you need to set. First select the Enabled radio button, and then fill in the scope field below it. This is the list of IP addresses or subnets that are allowed to connect to the machine: * for any address, the keyword localsubnet, or a comma-separated list of addresses and subnets. For our example I will put *

GPO Firewall Settings

This value allows any computer to connect, which is convenient for a lab but wider than a production network needs; your management subnet plus localsubnet is the safer choice. Click OK, and allow some time to pass: by default clients refresh computer policy every 90 minutes plus a random offset of up to 30 minutes. If you are impatient, open a command prompt on the test machine and type: GPUPDATE /force

If I hop on one of my Vista machines we can see that it has accepted the policy:

Perfect. Now I can terrorize my programmers by rebooting all of their machines at the same time using Network Administrator :)
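A way to confirm on a client that the policy arrived and to flag the wide-open scope used above, in place of the screenshot. This is an added example, not code from the original post; it assumes that the "Allow file and printer sharing exception" policy is delivered as the Enabled and RemoteAddresses values under HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\FileAndPrint, which is where the firewall administrative template writes it, and it uses the built-in netsh commands for the live state.

```powershell
# Added example (not from the original post): verify on a client that the
# "Windows Firewall: Allow file and printer sharing exception" policy applied, and warn
# when the scope is "*". Assumption: the policy lands in the registry values below.

$key = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\FileAndPrint'

if (-not (Test-Path $key)) {
    Write-Warning "Policy not present yet. Run 'gpupdate /force' on this client and check again."
    return
}

$p       = Get-ItemProperty -Path $key
$enabled = [int]$p.Enabled
$scope   = [string]$p.RemoteAddresses

Write-Host "File and printer sharing exception (domain profile): Enabled=$enabled Scope='$scope'"

if ($enabled -ne 1) {
    Write-Warning 'The exception is not enabled by policy.'
}
elseif ($scope -eq '*') {
    Write-Warning 'Scope is "*": any host that can reach this machine may talk to SMB (TCP 445/139). Consider restricting it to your management subnet plus "localsubnet".'
}

# The live firewall state is what actually matters, so show it as well:
netsh firewall show state              # XP SP2/SP3, and Vista via the legacy context
netsh advfirewall show domainprofile   # Vista / Server 2008 only
```

The registry check tells you whether group policy delivered the setting; the netsh output tells you whether the firewall is honoring it in the profile the machine is currently using, which is the part a laptop on the standard profile will not show.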

Enabling File and Printer Sharing in Windows XP

Posted by Steve Wiseman on December 11, 2008 with 10 Comments

File and Printer sharing is used for sharing printers and files. In addition, a special share, called the admin$ share is used to remotely manage and install software on Windows XP systems. By default file sharing is blocked in the firewall. What do you need to do to get this working under Windows XP?

Here are the steps you need to take:

1. Open the control panel. You will find this by clicking on start, then settings, and then control panel. Click on the icon that says “Network and Internet Connections”

2. Once you are in there. Click on the icon that says “Network Connections”

3. Now you will find your network cards listed here. You will need to right click on the card you want to enable file sharing. Select the properties menu

4. Go to the advanced tab, and click on settings

5. Go to the exceptions menu and make sure file and printer sharing is checked.

6. Click OK. We still have one more step. Microsoft has a feature called “Simple File Sharing”. It should really be called “Broken File Sharing”. With it turned on, every network logon is mapped to the Guest account, so share and NTFS permissions cannot be applied per user and the admin$ share cannot be used. To turn it off, stay in the “Network Connections” folder, click on the Tools menu, and select “Folder Options…”

7. Go to the View tab. Scroll down and make sure “Use simple file sharing” is unchecked. (XP Home does not offer this checkbox; it always uses simple file sharing.)

8. Click OK. Sharing is now on

One other important note: make sure the account you connect with has a password. By default XP only lets accounts with blank passwords log on at the console, so with a blank password you will always get an access denied message when trying to connect to a remote machine.
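For the "few machines" case, the Vista and XP walkthroughs above done from a script instead of the control panel, branching on the OS version. This is an added example, not from the original posts; it assumes that LocalAccountTokenFilterPolicy and ForceGuest live at the registry locations noted in the comments, that netsh firewall (XP SP2 and later) and netsh advfirewall (Vista / Server 2008) are the built-in firewall command lines for those versions, and that PowerShell is installed on the XP box. Run it elevated on the machine being configured.

```powershell
# Added example (not from the original posts): enable the file and printer sharing
# exception for the domain profile only, then the extra step each OS needs.
# Assumptions: registry locations as commented; netsh syntax for XP SP2+ and Vista/2008.

$os = [Environment]::OSVersion.Version

if ($os.Major -ge 6) {
    # Vista / Server 2008: enable the built-in rule group for the domain profile only,
    # so a laptop on a hotel network does not expose SMB.
    netsh advfirewall firewall set rule group="File and Printer Sharing" profile=domain new enable=Yes

    # Only needed when you connect as a *local* administrator account. UAC's remote
    # restriction strips the admin token from local accounts coming over the network;
    # this value turns that off, which also makes any local admin's credentials (or
    # hash) usable for remote admin. A domain admin account is not filtered, so prefer
    # that and leave this value unset when you can.
    $sys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    Set-ItemProperty -Path $sys -Name LocalAccountTokenFilterPolicy -Value 1 -Type DWord
}
else {
    # Windows XP SP2/SP3: domain profile only, for the same reason.
    netsh firewall set service type=fileandprint mode=enable profile=domain

    # Turn Simple File Sharing off. The checkbox maps to ForceGuest: 1 = every network
    # logon becomes Guest (per-user ACLs and ADMIN$ unusable), 0 = classic logon.
    # XP Home cannot turn this off.
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    Set-ItemProperty -Path $lsa -Name forceguest -Value 0 -Type DWord
}

# Check from another machine (replace SERVER). Accounts with blank passwords are refused
# over the network by default, hence the "set a password" note in the XP article:
#   net use \\SERVER\admin$ /user:SERVER\Administrator
```

Both branches touch only the domain profile; if a machine is not domain-joined it will be using the standard (XP) or private/public (Vista) profile and the exception will not be active, which is the intended behavior for anything that leaves the building.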

Updates to SysInternals

Posted by Steve Wiseman on December 11, 2008 with 1 Comments

Sysinternals Logo

If you have not used their tools before, I highly recommend taking a stroll over to www.sysinternals.com

They have just released updates to Process Monitor, Autoruns, Disk Usage, and Process Explorer

Here are some of the highlights:

Process Monitor v2.03: This update to Process Monitor, a real-time file, registry, process and network monitor, adds the ability to import and export configuration settings, shows an icon in the operations column depicting the event class of the operation, and fixes a symbol configuration bug on Windows XP.

Autoruns v9.36: Autoruns changes the Hide Microsoft Entries to only hide Windows entries, fixes a bug in the Find behavior, allows enabling and disabling entries using the space bar, and fixes a number of minor bugs

Disk Usage v1.33: Du adds a new option, -u, that has it exclude duplicate hard-linked files from its summary.

Process Explorer v11.31: This update works around a bug in the latest Debugging Tools for Windows debug engine DLL and fixes a bug that could cause objects to show up as when Process Explorer was run without administrative rights.

My personal favorite is Process Monitor. It has so many uses I find myself running it at least once a week. Want to see what files a program has open? Process Monitor can do it. See what DLLs a program uses...again a job for Process Monitor. Like I said, check it out, you won’t be disappointed.

On a side note, I will soon be posting information about a beta for Remote Control 3.1. Keep an eye on the blog for details.

Filed Under: Sysinternals, Tools, Windows

Anti-Virus and Anti-Spyware

Posted by Steve Wiseman on December 8, 2008 with 19 Comments

I was making the rounds this weekend to visit family and friends. I was asked the usual…”um while you are here…do you think you could take a look at a little computer problem we are having?”

In each case, the system was loaded with spyware. The funny part is all of them were using Comcast, so they had the free Anti-Virus from McAfee. Not one of these systems showed any alerts that McAfee had found anything. Full system scan – nothing. It is true McAfee is Anti-Virus, and not Anti-Spyware – but I would argue that just because a program does not self-replicate does not mean McAfee should ignore it.

Same held true for Ad-Aware. I did a complete scan with Ad-Aware. Every time I would see there were 533 “Threats”. What were those threats? Cookies. Yep, those pesky cookies. All of them were used to keep state in a well known web application like Gmail. I think about 1% were from spamvertisers.

The first computer I looked at had this interesting piece of malware called “Internet AntiVirus Pro”. To the average user it looked like a real anti-virus product, and it would find all kinds of “viruses” on your system. It scared the heck out of my Uncle. He was considering paying the $91 fee they were suggesting to remove the “problems”

Take a look at one of the screens:

Internet AntiVirus Pro

You get a very professional payment form when you click on “Erase all threats”: $89.95 plus a $1.95 activation fee.

I tried removing it by hand with no luck. Finally I tried Spybot - Search & Destroy (don’t let that website scare you, it really works). On every single system I cleaned, Spybot did the job.

What about anti-virus? On Sunday I was at my Aunt’s house. I decided I would make a pre-emptive strike. “How is your computer?” I asked. “Fine,” she said. Hmm. They have two teenagers that are constantly downloading everything and anything. “Can I take a look?”

Sure enough, Spybot found nothing. Anti-virus? I forgot that I had installed the free version of AVG a few months ago. They use DSL and do not have Comcast, so no free McAfee.

Don’t get me wrong. I know this is just a single case – but I don’t think I will ever use McAfee again. If it misses that much how can I possibly trust it?

So this post is a question. What anti-virus are you using, and what has worked the best for you?

Email me at support@intelliadmin.com or post a comment in the article.

Filed Under: AntiSpyware, AntiVirus, Windows

Active Directory – Limits

Posted by Steve Wiseman on December 6, 2008 with 0 Comments

I came across an interesting bunch of statistics the other day when researching a problem I was having. These are the maximum limits for Active Directory:

Windows Active Directory Limits

-Maximum number of GPOs that can apply to a user/computer: 999

-Maximum number of DNS servers in an AD-integrated zone (without manually adding the details): 850 (Windows 2000), 1300 (Windows 2003)

-Maximum number of supported DCs in a given domain: 1200

-Maximum number of members of a group: 5000 (Windows 2000), unlimited in Windows 2003

-Maximum number of DHCP servers in a forest: 850 (Windows 2000 SP1 or RTM), unlimited (Windows 2000 SP2 or later and Windows 2003)

-Maximum number of UPN suffixes that can be set through the UI: 850 (you can set more if you need to via ADSI scripts)

-Maximum number of objects that can be created over the lifetime of a given DIT (i.e. the AD database on a given DC): 2 billion

The last one is interesting. It means that no matter what, a given DC’s database can only ever hold 2 billion objects over its lifetime. Even if you delete objects, their internal IDs are never reused.

I decided to calculate when this would be exhausted if you created and deleted an AD object every second: about 63 years.

Hopefully the server would have been upgraded by then :)

Filed Under: Windows

Microsoft expanding Vista SP2 test group

Posted by Steve Wiseman on December 3, 2008 with 0 Comments

Microsoft released the beta of Windows Vista Service Pack 2 to MSDN subscribers on Tuesday. In a few postings on Microsoft blogs they indicated that the service pack will not only update Vista, but will also apply to Server 2008.

I decided to take a peek at my MSDN account, and indeed it is available for download:

Windows Vista SP2

By tomorrow, anyone will be able to download and test the service pack by signing up at the Microsoft customer preview program (CPP).

In addition to fixing some bugs, a few additional features will be available:

-Windows Vista SP2 adds Windows Search 4.0 for faster and improved relevancy in searches.

-Windows Vista SP2 contains the Bluetooth 2.1 Feature Pack supporting the most recent specification for Bluetooth Technology

-Adds Windows Connect Now (WCN) to simplify Wi-Fi Configuration

-Windows Vista SP2 enables the exFAT file system to support UTC timestamps, which allows correct file synchronization across time zones

Notice how I put the last one in bold. This is an interesting improvement to this file system. exFAT is used for flash drives, and is only supported in Vista SP1. I wonder if they have any other features in mind.

I am downloading it right now, and I will tell you what I find.

Filed Under: Windows
