Locked out of the administrator account

Some time ago I wrote about Liunx tools and how they can save my day as an Windows administrator. Today I had to download Trinity again. This time the quest was to reover a Windows 2000 server where the administrator password was lost and the account disabled.

The server was a HP server with an integrated Smart Array 5i. I had to load the cciss module manually to get the volume up and go. Then I ran a script called winpass to try change the passord and unlock the account.

Winpass is a script written by the Trinity folks and it seems to work fine. However, it only work with NTFS and fat partitions. And I could not write to the NTFS partitions. NTFS-3g is included, so for me these lines solved the day:

modprobe cciss
ntfs-3g /dev/cciss/c0d0p1 /mnt0
chntpw /mnt0/WINNT/system32/config/SAM

Microsoft Surface

Cool tool! Check it out!

ActiveSync and 0x80072efd

ActiveSync fails to sync with error Code:80072efd. This happened on my cell phone when using ActiveSync 4.2.

The solution lies within the registry.

ActiveSync version 4.2 made a change to how it interacts with the Windows networking stack to use Layered Service Providers (LSPs) on outgoing Desktop-Pass-Through connections. This allows for improved compatibility & policy compliance in environments where connections to the internet must be passed through these LSPs (ISA Proxy is one such example).

source

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows CE Services]
"AllowLSP"=dword:0

WAN optimization with Riverbed

Today I had a chance to work with a product for WAN optimization for the first time. I ran a live demo at a customers site.

	It works. At least if your network traffic is predictable and repetitive. Most networks are, as clients tend to do much of the same.
	It is too expensive for most customers. It is really hard to justify the cost and more importantly the return of investment.

Acceleration of SSL traffic

Rivedbed promised to support SSL in version 4 of their software. I can't wait to try this one out. It only requires you to install your private key on the box inside your datacenter.

Steelhead appliances now accelerate encrypted (SSL) traffic, using all of Riverbed's algorithms to deliver LAN-like performance for those key business applications.

Of course this won't work for external web sites as you don't have access to private keys. But for intranet applications this is cool!

Exchange 2007

Exchange 2007 supports encrypted MAPI connections. Much details on this issue is not known at this point.

Based on our testing, we've found that the encrypted connections that appear by default in an Exchange 2007 environment with Outlook 2007 clients are a proprietary "MAPI encryption", not SSL.

Impression

Riverbed Steelhead appliances are easy to set up and work without the need to do much. Just make sure the traffic is unencrypted and leave the rest to Riverbed.

RiOS 4.0

I will do a new lab with RiOS 4.0 when it is released and do tests on Exchange, Sharepoint and web traffic. All SSL encrypted. If you are curious about this, please leave me a note.

Microsoft virtualization license rules for Windows 2003

I recently came across some new licensing rules for Windows 2003 Server in regards to virtual images.

The virtualization use rights vary by edition of Windows Server. Standard Edition grants the use rights to run a single virtualized instance of Windows Server Standard Edition. Enterprise Edition grants the use rights to run four instances of Windows Server that may be a mix of Standard Edition and Enterprise Edition. Datacenter Edition is licensed per processor and grants use rights to run an unlimited number of virtualized instances of a mix of Standard Edition, Enterprise Edition and Datacenter Edition.

You can try out Microsoft's own licensing calculator and learn more.

IE7 and pishing filter works

It is good to see that that technology works for you. I got this warning today when I opened an email that I knew was spam.

Unfortunately I did not get this warning before I tried to log in with my username "fuck" and password "you". But better late than never I say. At least you know if you screwed up...

Tags: pishing, IE7

A Cost Analysis of Windows Vista Content Protection

I found this article talking about the new features in Microsoft Vista. At this point I am still reading this document.

Say you've just bought Pink Floyd's "The Dark Side of the Moon", released as a Super Audio CD (SACD) in its 30th anniversary edition in 2003, and you want to play it under Vista. Since the S/PDIF link to your amplifier/speakers is regarded as insecure for playing the SA content, Vista disables it, and you end up hearing a performance by Marcel Marceau instead of Pink Floyd.

Copy of article is found here

.

Tags: DRM, Vista

Update: Read answers here

Extended Validation Certificates

EV SSL: An introduction

Extended Validation certificate is a new type of expensive SSL certificate coming to a browser 7 near you before the end of January 2007 if you are using Internet Explorer. When, if or how other browsers are going to support EV certificates are not known at this time. Microsoft, Opera, Mozilla and KDE(not a browser, but...) are all members of CA/Browser forum and will - eventually - provide web browsers that can highlight websites with EV certificates.

What is the difference between today's certificate and EV certificates?

This comparison chart shows the differences between the two types of certificates.

Feature	Today's cert	EV cert
Price	You can get certificates all in all price ranges.	Will cost more as this the new, hot and secure certificate.
Validity of certificate	From one to three years.	Max 27 months, but the specification recommends 12 months validity.
Verification of certificate owner	Not much. You just need to document that you own the domain you request a certificate for.	There is a common procedure all EV certificate authorities need to comply to before issuing a certificate. The procedure seems to be somewhat vague at this point so there is a chance that there will be different procedure for each issuer.
Browser compatibility	You can get 99%-99.99% compatibility from most issuers.	EV certificates will use existing root certificates. At this point no there is no way to tell what root certificate the various issuers will use and compatibility is therefore now known at this time. There are requirements to be met for the root certificate, and these requirements are defined in the guidelines from CA/Browser Forum.
Wildcard certificates	Supported by many issuers.	Not supported. This is a requirement from CA/Brower Forum.

Pictures of EV SSL sites

I found some pictures from Verisign with some pictures showing how IE will look on a site with a EV certificate. The pictures had to be sized down to display properly on this page, so you can click on the image to get it in full size.

And a site without EV certificate:

External links

• http://www.instantssl.com/ssl-certificate-products/addsupport/ssl-evssl-twoyearpromo.html

• CA/Browser Forum.
• InstantSSL - my favorite issuer.
• Offer on EV certificates from InstantSSL.
• Tags: SSL, encryption, IE7, security.

EDNS - DNS extension

EDNS - DNS extension

I recently became aware of an extension to DNS called EDNS. As I work a lot with DNS I not quite sure how I could have missed this extension until now.

EDNS is an extension of the DNS protocol which allows more flags, label types and return codes to be defined, and enhances the transport of DNS data in UDP packets. The version of EDNS specified by RFC 2671 is known as EDNS0.

Wikipedia

EDNS - why?

According to the specifications of DNS, UDP packets should be no longer than 512 bytes in length. There are not any space left for additional flags in the header. For normal use this is  no problem at all, but to implement new features in DNS, such as DNSSEC, changes were needed.

EDNS uses a pseudo resource record called OPT to identify this extension. More links are found in the links section below.

Our firewall, a Fortigate FG-500A from Fortinet, logs oversized packets as a potential vulnerability in the IPS module. At the same time, it only logs the packet as bad, but it does not drop the packet. So it can't be that bad :)

EDNS - what you should know!

This extension is almost invincible for system administrators. Windows 2003 supports this extension by default, but I have never seen any problems as a result of this until today.

• Legacy DNS servers that don't know anything about EDNS will just ignore the OPT resource sent from the other side.
• DNS clients (such as computers) usually never use this option as it do not need to send packets greater than 512 bytes. Most DNS packets are between 150 and 200 bytes.
• There is an hotfix available for Windows 2000 to solve issues related to EDNS queries.
• Window 2003 DNS server do not announce itself as an EDNS capable server to other servers. But it replies to other hosts as EDNS capable when asked to do so.
• Newer versions of BIND seems to advertise itself as EDNS capable.
• EDNS usually adds as little as 10-15 bytes extra data into an UDP packet. In most queries you are still way below the limit of 512 bytes. Some intrusion prevention systems, firewalls or DNS servers may drop packets because of invalid options in the packet. Except for old Windows 2000 implementations (see above) and some Cisco PIX I don't know of any issues related to this.
• Some Cisco PIX firewalls are reported to drop oversized packets. But I do not have any information about what versions do so or how to fix this.
• Before EDNS, DNS reverted to TCP based transactions if the query exceeded 512 bytes. The only consequence from this is some extra IP packets on the network, and somewhat slower DNS. If the client asks a question where the server needs to send more than a 512 bytes reply it answers back that the client need to revert to TCP.
• DNS tries to compress the packets. That is, everything between two dots are only sent one time in the packet. If you query for www.novell.no and get a reply back with lots of additional records, novell is only sent once in the packet. Additional records are records that you did not ask about, but  what the DNS server think that you probably want to ask about later.

EDNS - turn off in Windows 2003

You can't turn off EDNS in Windows 2003 - it will always reply as EDNS capable if the source includes EDNS in the original packet. To make sure you do not send out EDNS probes to all hosts on the Internet you can make the following change in registry. (By default this feature is disabled, and the registry key is not present.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
EnableEDNSProbes=0x0

External links:

• Report from Fortiguard center.
• RFC2671 - the original specification.
• Article from Microsoft that talks about how to install the tool dnscmd.exe.
• How to change EDNS settings in Windows 2003.

• Tags: EDNS, DNS, EDNS0