Saturday, April 27, 2013

Windows Server 2003: set wallpaper for all users through GPO

I have tested the procedure below on my side. To set a uniform wallpaper for users, follow these steps:
1. Create an OU in the domain and put all the users that should get the wallpaper into it.
2. Create a shared folder, grant Everyone Full Control permission on it, and put the wallpaper picture into this share.
3. Create a GPO and navigate to
User Configuration\Administrative Templates\Desktop\Active Desktop\Active Desktop Wallpaper
Set this item to Enabled and, in the wallpaper name field, enter the path to the share created in step 2, for example \\servername\share\picture.jpg
When finished, click OK to confirm.

4. On the client PC, log on with a user account from the OU defined in step 1 to test the result.

How to use Group Policy to disable USB drives on Windows XP

There is also a registry key in Windows XP that allows you to block the use of USB storage devices. There are two ways to block USB storage devices, and you may want to implement either or both in your organisation. The first method covers computers that have already had USB storage devices installed, and the second prevents any new USB storage devices from installing.

How to block existing USB Storage Devices


To implement this, edit a Group Policy Object that is applied to all the workstations in your organisation and navigate to Computer Configuration > Preferences > Windows Settings > Registry. Click Action > New > Registry Item, type SYSTEM\CurrentControlSet\Services\UsbStor into the Key Path field, type Start into the Value Name field and 4 into the Value Data field, then click OK.
If you want to prevent the installation of USB storage devices, use Group Policy to set the security on the driver files to prevent them from installing.
Key: HKLM\SYSTEM\CurrentControlSet\Services\UsbStor
Value: Start
Data: 4 (hex) = Disabled
Data: 3 (hex) = Enabled

How to block new USB Storage Devices


This time, edit a Group Policy Object that is applied to all the workstations in your organisation and navigate to Computer Configuration > Policies > Windows Settings > Security Settings > File System. Click the “Action” menu and then “Add File”. Navigate to C:\Windows\Inf, select “Usbstor.inf” and press “OK”. Now click “Users” in the Security tab, tick the “Deny” box for “Full Control”, then click OK.
Note: Alternatively you could just add the name of the user or group you want to prevent from using USB storage devices.
Click “Yes” to the security warning.
Then click OK.
Note: Remember that deny permissions take precedence, so inherited permissions will not have any effect, and because we are applying the permission directly to a file we don’t need to worry about inheritance from this object.
Now repeat the steps above, this time selecting “C:\Windows\Inf\Usbstor.pnf”.
You should see something like the images below in your group policy.
Either way, when a user plugs a USB storage device into a computer, the OS will not see the device, which prevents the user from reading from and writing to removable media.

See the Microsoft article about this option at http://support.microsoft.com/kb/823732
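
To confirm that both settings actually reached a workstation, the check below reads the Start value and the ACLs on the two driver files. It is an added example, not part of the original post; the function name Test-UsbStorageBlock and its output fields are assumptions.

```powershell
# Added example (not from the original post): check both USB storage blocks on
# the local workstation. Test-UsbStorageBlock and its output fields are illustrative.
function Test-UsbStorageBlock {
    param([string]$InfDir = (Join-Path $env:SystemRoot 'Inf'))

    function New-Result($Check, $Blocked, $Detail) {
        New-Object PSObject -Property @{ Check = $Check; Blocked = $Blocked; Detail = $Detail } |
            Select-Object Check, Blocked, Detail
    }

    # Method 1: Start = 4 disables the UsbStor driver. The key can be absent
    # when no USB storage device has been installed on this machine yet.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\UsbStor'
    $svc = Get-ItemProperty $key -ErrorAction SilentlyContinue
    if ($svc -eq $null) {
        New-Result 'UsbStor Start' $false 'Service key not present; Start has nothing to act on'
    } else {
        New-Result 'UsbStor Start' ($svc.Start -eq 4) "Start = $($svc.Start)"
    }

    # Method 2: a Deny / Full Control entry on the driver files stops new installs.
    $full = [int][System.Security.AccessControl.FileSystemRights]::FullControl
    foreach ($name in 'Usbstor.inf', 'Usbstor.pnf') {
        $path = Join-Path $InfDir $name
        if (-not (Test-Path $path)) {
            # Nothing to check: Blocked is left undetermined ($null).
            New-Result $name $null "File not found: $path"
            continue
        }
        $deny = @((Get-Acl $path).Access | Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            ([int]$_.FileSystemRights -band $full) -eq $full
        })
        if ($deny.Count -gt 0) {
            $who = ($deny | ForEach-Object { $_.IdentityReference.Value }) -join ', '
            New-Result $name $true "Deny Full Control for: $who"
        } else {
            New-Result $name $false 'No Deny Full Control entry'
        }
    }
}

Test-UsbStorageBlock | Format-Table -AutoSize
```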

Monday, April 22, 2013

Unexpected Error 0x8ffe2740 when starting FTP or IIS

Another one of Microsoft’s descriptive errors is 0x8ffe2740 when trying to start an FTP or Web Server from the IIS Administration module. The error itself means that there is a port conflict with another service. This is a relatively easy diagnosis, as you should already know what ports your ftp or web servers use.

Use the netstat command in the command console to find out what program is using a particular TCP port. Replace the ## with the port you wish to test. This works on Windows Server 2003 and 2008.
netstat -anop TCP | find ":##"
The above command will return a PID (process ID). You will need to match that to a running program or service. Type the following command:
tasklist /SVC /FI "PID eq ####"
Here is an example using port 21. In this example you can see the “ftpsvc” service is using port 21 through svchost.exe – which is normal. In a client’s machine, it was MSUpdate2.exe that was using port 21 – a piece of malware using an FTP server to serve pirated movies!
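
The two lookups above can be combined into one step that also flags an owner you did not expect. This PowerShell function is an added example, not part of the original post; the name Get-PortOwner, the -Expected list and the sample lines are assumptions, and it expects English netstat output.

```powershell
# Added example (not from the original post): find which process and services
# own a listening TCP port. Get-PortOwner and -Expected are illustrative names.
# Assumes English netstat output ("LISTENING").
function Get-PortOwner {
    param(
        [Parameter(Mandatory = $true)][int]$Port,
        [string[]]$NetstatLines  = (netstat -anop TCP),
        [string[]]$TasklistLines = (tasklist /SVC /FO CSV /NH),
        [string[]]$Expected      = @()    # image names allowed to own the port
    )

    # Index tasklist rows ("image","pid","services") by PID.
    $procs = @{}
    $TasklistLines | ConvertFrom-Csv -Header Image, ProcId, Services |
        ForEach-Object { $procs[$_.ProcId] = $_ }

    foreach ($line in $NetstatLines) {
        # Columns: Proto, Local Address, Foreign Address, State, PID
        if ($line -notmatch '^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$') { continue }
        if ([int]$Matches[1] -ne $Port) { continue }

        $procId = $Matches[2]
        $image = '<not in tasklist>'
        $services = ''
        if ($procs.ContainsKey($procId)) {
            $image = $procs[$procId].Image
            $services = $procs[$procId].Services
        }
        New-Object PSObject -Property @{
            Port = $Port; ProcId = $procId; Image = $image; Services = $services
            Unexpected = (($Expected.Count -gt 0) -and ($Expected -notcontains $image))
        } | Select-Object Port, ProcId, Image, Services, Unexpected
    }
}

# Constructed sample data: port 21 owned by the FTP service, then by an
# unknown executable as in the incident described above.
$netstat = @(
    '  TCP    0.0.0.0:21       0.0.0.0:0        LISTENING       1484',
    '  TCP    0.0.0.0:80       0.0.0.0:0        LISTENING       4',
    '  TCP    10.0.0.5:2121    10.0.0.9:51512   ESTABLISHED     1484'
)
Get-PortOwner -Port 21 -NetstatLines $netstat -Expected 'svchost.exe' `
    -TasklistLines '"System","4","N/A"', '"svchost.exe","1484","ftpsvc"'
Get-PortOwner -Port 21 -NetstatLines $netstat -Expected 'svchost.exe' `
    -TasklistLines '"System","4","N/A"', '"MSUpdate2.exe","1484","N/A"'
```

Called with only -Port, the function runs netstat and tasklist itself on the local server.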


Migrating websites from IIS6 to IIS7

Below are the steps required to move a website hosted on IIS6 to IIS7 (Internet Information Services 6 to 7). IIS7 replaces the aging metabase with a more convenient applicationHost.config which stores the configuration in XML.
There are two versions of MS Deploy, the program needed to migrate. Download the 32bit version here, and the x64 version here.
Installing MS Deploy on the Source IIS6 Server
1.       You must have .NET Framework 2.0 SP1 or 3.5 installed on the server.
2.       Download the file and open it. Choose Setup Type: Typical. Be sure to use the x64 version if you have Windows 2003 x64. There is no entry in the Start Menu; you need to start the program through the command prompt. C:\Program Files\Microsoft Web Deploy\msdeploy followed by the command.
Installing MS Deploy on the Destination IIS7 Server
1.       Same as above. Be sure to use the x64 version if you have Windows 2008 x64.
Create a Backup of the IIS7 configuration
It is important to create a backup of the IIS7 configuration before you start. You never know when you’ll make a mistake, and restoring IIS to the default configuration without a backup isn’t fun.
IIS7 comes with the appcmd.exe command line tool, which is new for IIS7, and simplifies configuration backups immensely. It is located in the %windir%\system32\inetsrv\ folder, which isn’t in the path variables, so you’ll need to navigate to that path with the command prompt first.
1.       Click Start -> Run -> type “cmd” and press OK.
2.       At the command prompt, navigate to the %windir%\system32\inetsrv\ folder. (type “cd \” and then “cd C:\Windows\system32\inetsrv” if windows is in the default path)
3.       Once in the target directory, type: appcmd add backup "BackupPreMigrate"
4.       Press Enter. All done.
5.       To display a list of previous backups type: appcmd list backup
6.       To restore a backup, type: appcmd restore backup "BackupPreMigrate"
Verify Dependencies on Source IIS6 Server
Below is a screenshot of all the variables supported by the migrate tool. All instructions below assume you are in the C:\Program Files\Microsoft Web Deploy\ directory at the command prompt.
1.     At the command prompt (in the C:\Program Files\Microsoft Web Deploy\ directory), type:
msdeploy -verb:getDependencies -source:metakey=lm/w3svc/#siteidentifier
The list that is returned is fairly comprehensive as to what components are installed and available for use on the particular website. It does not, however, distinguish which components are actually in use.
Installing Required Components on Destination IIS7 Server
From the dependency list you can determine which roles need to be installed on the destination IIS7 Server. Any dependencies listed in the XML file that is saved during the migration will need to be installed on the destination server or else the migration will not complete. You can remove dependencies beforehand or from within the XML file found in the backup directory after the sync command.
Migrate Website
  • On the source IIS6 Server type:
msdeploy -verb:sync -source:metakey=lm/w3svc/#siteidentifier -dest:archivedir=c:\backup_name
Move the backup folder (c:\backup_name) to the destination server, or if on a network simply back up to the final destination on the IIS7 server or SAN.
  • On the destination IIS7 Server type:
msdeploy -verb:migrate -source:archivedir=c:\backup_name -dest:metakey=lm/w3svc/#siteidentifier
After Migration

After the migration is complete, some elements will need to be re-configured. PHP, ASP.NET Ajax and others will need to be configured independently of the IIS migration to match the source server’s settings.

Hacking the Trend Micro Security Dashboard for SMB: Reset the Password

Trend Micro’s Client Server Security for SMB is a well-designed security solution for small businesses. One of its greatest features is the ability to be deployed, updated, and controlled via the local network. With the push of a button you can scan all networked computers, increase security, send messages or print reports.
I’ve recently taken over the role of administrator for a company and unfortunately the Trend Micro passwords were lost.
Fear not, there is a simple method for resetting the password (too easy?)
1.       Navigate to: \Program Files\Trend Micro\security server(officescan)\private
2.       Open ofcserver.ini in Notepad
3.       Press CTRL-F to search for: master_pwd
4.       Once found, the string should look similar to: master_pwd=!CRYPT!xxxxx
5.       xxxxx is representative of a long string of hex characters making up an encrypted password
6.       In place of !CRYPT!xxxxx put “70” so it will look like: master_pwd=70
7.       70 is the hexadecimal value for “1”
8.       Save the file
9.       Press Start -> Run -> Type: services.msc and press enter
10.    Find “Trend Micro Security Server Master Service” and restart the service
11.    Log in to the Trend Micro Security Dashboard with the password as “1” without the quotations

12.    The default URL for the dashboard is: https://IPADDRESS:4343/officescan/default_SMB.htm

Free way to block Facebook or other Websites?

Not all companies have programs or licences for content filtering on their networks. It is arguably worth the $10-$60 per employee/year to licence a content filtering package in terms of increased productivity. What is difficult is selling the idea of spending a large chunk of money to management, especially in this economy. I would imagine a large number of companies can pinpoint their bandwidth and productivity problems to 10 or fewer websites. Facebook, Myspace, Youtube, etc…
Below is a logon script for Windows that will analyze the user’s hosts file and modify it accordingly to block Facebook or any other website you wish. It simply redirects to 127.0.0.1 (home).
' Logon script: add a hosts-file entry that points a site at 127.0.0.1.
' The account running it needs write access to the hosts file.
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objShell = CreateObject("WScript.Shell")
Const ForReading = 1
Const ForWriting = 2
Const ForAppending = 8
hostsFile = objShell.ExpandEnvironmentStrings("%SystemRoot%") & "\system32\drivers\etc\hosts"
strIP = "127.0.0.1"
strValue = "facebook.com"

' No hosts file yet: create one with the localhost entry and the block entry.
If Not objFSO.FileExists(hostsFile) Then
 Set myFile = objFSO.CreateTextFile(hostsFile, True)
 myFile.WriteLine "127.0.0.1       localhost"
 myFile.WriteLine strIP & " " & strValue
 myFile.Close
 WScript.Quit
End If

' Look for an existing line that already maps strValue to strIP.
blnFound = False
Set objTextFile = objFSO.OpenTextFile(hostsFile, ForReading)
Do Until objTextFile.AtEndOfStream
 strLine = Trim(objTextFile.ReadLine)
 If InStr(strLine, strIP) > 0 And InStr(strLine, strValue) > 0 Then
  blnFound = True
 End If
Loop
objTextFile.Close

' Append the entry only if it is missing, so repeated logons do not duplicate it.
If Not blnFound Then
 Set objTextFile = objFSO.OpenTextFile(hostsFile, ForAppending)
 objTextFile.WriteLine vbCrLf & strIP & " " & strValue
 objTextFile.Close
End If
Another alternative is to block the IP address of the website using rules on your gateway firewall (Windows or router). The problem with this method is many of the larger sites have multiple IP addresses and adding block lines for each is tedious work. You can block entire ranges of IP addresses. Example: Adding 69.63.0.0/16 would block 69.63.0.0 – 69.63.255.255 (65,536 total addresses – 16bit block). Be careful though, some “good” websites may be in the ranges you block, but in a pinch, it does the job.

Finally, Untangle is an open source gateway that can be run on Windows or on its own dedicated server. It includes content filtering in addition to a multitude of other features. Try it out.

Block IP Addresses using IP Security Policy in Windows Server 2003

Most System Administrators use a hardware firewall to block IP addresses from accessing their network. Co-located servers do not always have the advantage of utilizing a hardware firewall. Software firewalls can often be expensive.
As you may already know, Windows 2003 lets administrators control IP access from the configuration panels in SMTP and IIS, among others. But what if you want to block an IP address from all services with only one motion? This is where the IP Security Policy Management snap-in comes in handy.
Configure the IP Security Policy to block your first IP address
1.       Click “Start” and “Run” – type “MMC” and press OK.
2.       In the MMC, click “File” and “Add/Remove Snap In.”
3.       In the “Standalone” tab, click “Add.”
4.       Select “IP Security Policy Management” and click “Add.”
5.       Select “Local Computer” and click “Finish.”
6.       Close the “Add standalone Snap-in” window and click “OK” on the “Add/Remove Snap-in” window.
7.       Now that you are back in the MMC console, right-click on “IP Security Policies on Local Computer” in the left-hand pane and select “Create IP Security Policy.”
8.       Click “Next.”
9.       Enter a name (ex. IP Block List) and description into the boxes and click “Next.”
10.    Leave “Activate the default response rule” checked. Click “Next.”
11.    Leave “Active Directory default (Kerberos)” checked. Click “Next.”
12.    Leave “Edit properties” checked. Click “Finish.”
13.    The Properties box should be open.
14.    To add your first IP address, click “Add.” Make sure “Use Add Wizard” is checked beside the button.
15.    Click “Next” when the “Create IP Security Rule” wizard opens.
16.    Leave “This rule does not specify a tunnel” checked. Click “Next.”
17.    Select “All network connections” under Network Type (unless you want to specify by adapter). Click “Next.”
18.    You are now at the “IP Filter List.” The “All ICMP Traffic” and “All IP Traffic” options will not meet our needs; we will need to add another. Click “Add.”
19.    Name the IP Filter List (ex. Blocked IP List) and enter a description. Click “Add” to enter the first IP address to block.
20.    The “IP Filter Wizard” will pop up. Click “Next.”
21.    This will be the first IP address or IP range we enter to block. Enter a description (I usually enter the IP itself) and make sure “Mirrored” is selected below. This will ensure packets to/from are blocked, allowing you to create one rule instead of two. Click “Next.”
22.    Keep “Source Address” as “My IP Address” and click “Next.”
23.    Under “Destination Address” select “A specific IP Address” or “A specific IP Subnet.” If you select “Any IP address” it will block all IPs!
24.    Enter in the IP address in the fields below and click “Next.”
25.    Under “select protocol type” choose “Any” (means “All”) unless you specifically want to block from RDP (Remote Desktop), TCP or UDP, etc. Click “Next.”
26.    Click “Finish.”
27.    Now that you are back to the “IP Filter List” click “OK.”
28.    You will be back in the “IP Filter List” list in the Security Rule Wizard – make sure you select your new “Blocked IP List” and not “All IP Traffic” or “All ICMP Traffic.” Click “Next.”
29.    You will be taken to “Filter Action.” The lists: Permit, Request Security (Optional), and Require Security will not meet our needs. Click “Add.”
30.    In the “IP Security Filter Action” wizard, click “Next.”
31.    Select a name (ex. Block all Packets) and click “Next.”
32.    Select “Block” for the filter action behavior. Click “Next.”
33.    Click “Finish.”
34.    You are back to the “Filter Action” list. Select your new list (Block All Packets) and click “Next.”
35.    Click “Finish.”
36.    You are back to your IP Security Policy list (Blocked IP List) Properties. Click “OK.”
37.    Back in the “IP Security Policies on Local Computer” snap-in, you’ll need to assign the new policy. In the right-hand pane, right-click on your new list (IP Block List) and select “assign.”
To make it easier the next time you wish to block an IP address, save the MMC Snap-in configuration as a shortcut. Go to “File” and “Save As” and save it on your Desktop or Start Menu.
To Block Additional IP Addresses
1.       Enter the IP Block List snap-in you saved.
2.       In the right-hand pane double-click your IP Block List.
3.       Under “IP Filter List” select the newly created “Blocked IP List” and click “Edit.” Make sure “Use Add Wizard” is checked.
4.       Under “IP Filter Lists” select your “Blocked IP List” (not All ICMP or IP Traffic) and click “Edit.”
5.       You are now in the “Add IP wizard” area. You will see the first IP address you blocked in a listing under “IP Filters.” Click “Add.”
6.       Follow all previous steps to add the IP address you wish to block. Once finished, exit all dialog boxes.

You may need to restart the server for the settings to take effect.
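
The same policy can be built from the command line with netsh ipsec static, which is easier to repeat for a list of addresses than the wizard. This is an added example, not part of the original post: the function name Add-IpsecBlock and the rule name are assumptions, the policy, filter list and filter action names reuse the examples from the steps above, and the addresses are constructed documentation addresses.

```powershell
# Added example (not from the original post): the wizard steps above expressed
# as netsh ipsec static commands. Add-IpsecBlock and 'Block rule' are illustrative names.
function Add-IpsecBlock {
    param(
        [Parameter(Mandatory = $true)][string[]]$Address,  # 'a.b.c.d' or 'a.b.c.d/prefix'
        [switch]$CreatePolicy,  # first run: also create and assign the policy
        [switch]$DryRun,        # return the command lines instead of running them
        [string]$Policy       = 'IP Block List',
        [string]$FilterList   = 'Blocked IP List',
        [string]$FilterAction = 'Block All Packets'
    )

    $cmds = @()
    if ($CreatePolicy) {
        $cmds += , @('add', 'policy', "name=$Policy")
        $cmds += , @('add', 'filteraction', "name=$FilterAction", 'action=block')
    }
    foreach ($a in $Address) {
        $ip, $prefix = $a -split '/', 2
        if ($prefix -eq $null) { $prefix = '32' }
        $parsed = $null
        if ($ip -notmatch '^\d{1,3}(\.\d{1,3}){3}$' -or
            -not [System.Net.IPAddress]::TryParse($ip, [ref]$parsed) -or
            $prefix -notmatch '^\d{1,2}$' -or [int]$prefix -lt 1 -or [int]$prefix -gt 32) {
            # Step 23's warning: never let a typo turn into "block all IPs".
            throw "Refusing '$a': expected an IPv4 address or subnet with prefix 1-32."
        }
        # The subnet is passed as a dotted mask, e.g. /16 -> 255.255.0.0
        $bits = ('1' * [int]$prefix).PadRight(32, '0')
        $mask = (0..3 | ForEach-Object { [Convert]::ToInt32($bits.Substring($_ * 8, 8), 2) }) -join '.'
        # Mirrored filter from "My IP Address" to the blocked address, any protocol.
        $cmds += , @('add', 'filter', "filterlist=$FilterList", 'srcaddr=Me', "dstaddr=$ip",
                     "dstmask=$mask", 'protocol=ANY', 'mirrored=yes', "description=$a")
    }
    if ($CreatePolicy) {
        # The rule ties the filter list to the block action, so it comes after the filters.
        $cmds += , @('add', 'rule', 'name=Block rule', "policy=$Policy",
                     "filterlist=$FilterList", "filteraction=$FilterAction")
        $cmds += , @('set', 'policy', "name=$Policy", 'assign=y')
    }

    foreach ($c in $cmds) {
        if ($DryRun) {
            # Quote values that contain spaces so the line can be pasted into cmd.
            $shown = $c | ForEach-Object {
                if ($_ -match ' ') { $_ -replace '=(.*)$', '="$1"' } else { $_ }
            }
            'netsh ipsec static ' + ($shown -join ' ')
        } else {
            & netsh.exe ipsec static $c
            if ($LASTEXITCODE -ne 0) { throw "netsh failed on: $($c -join ' ')" }
        }
    }
}

# Constructed documentation addresses; review the dry run before applying.
Add-IpsecBlock -Address '203.0.113.45', '198.51.100.0/24' -CreatePolicy -DryRun
```

To block additional addresses later, call it without -CreatePolicy so that only new filters are added to the existing list.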

Windows XP shuts down after login – PC-OFF.BAT

The PC-OFF.BAT virus loads a shutdown script when logging onto Windows XP. A few seconds after logging in, Windows will shut down. This also affects safe mode. The countdown timer is set to only a few seconds, not allowing the user to enter “shutdown -a” in the Run box. You may not even see the emergency shutdown dialog before you are automatically shut down.

In order to remove the files, you’ll need the Windows XP CD. Other options include putting the hard drive into another computer, or using a LiveCD (BartPE or Linux) to remove the files.
Remove the files from your hard drive using the Windows XP CD
1.       Insert the Windows XP disc into the CDROM. You may need to adjust your BIOS settings to boot the CDROM first.
2.       When the “Welcome to Setup” screen appears, press “R.”
3.       Select the installation you wish to access (there should be only one option for most systems).
4.       Enter the administrator password when asked.
5.       Once at the Recovery Prompt, press ENTER after typing the following command: chdir c:\windows
6.       Press ENTER after typing the following command: del bar311.exe
7.       Press ENTER after typing the following command: del password_viewer.exe
8.       Press ENTER after typing the following command: del photo.zip.exe
9.       Press ENTER after typing the following command: del pc-off.bat
10.    Press ENTER after typing the following command: exit
11.    Remove the Windows XP disc and restart your computer.
Once pc-off.bat is removed from the Windows directory, you’ll be able to logon to Windows without it shutting down immediately. There are still remnants left over in the registry though – best to clean those up.
1.       Go to Start -> Run and type “regedit” and press ENTER.
2.       Go to HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon and find the key: “Userinit=C:\WINDOWS\system32\userinit.exe,xxxxxx.exe” where xxxxxx.exe is bar311.exe, photo.zip.exe or password_viewer.exe.
3.       Delete bar311.exe, photo.zip.exe or password_viewer.exe from the key, but be sure to leave userinit.exe! If you delete that, you will be unable to logon to Windows.
4.       Go to HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced and set the following key values: “Hidden=dword:00000001 (1)” “HideFileExt=dword:00000000 (0)” “ShowSuperHidden=dword:00000001 (1)”
5.       Go to HKEY_CURRENT_USER\software\microsoft\Command Processor and find the key: “autorun=c:\windows\pc-off.bat” and remove “c:\windows\pc-off.bat”
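
The registry locations and file names cleaned up above are worth checking on other machines as well. The function below is an added example, not part of the original post; the name Test-LogonPersistence and its parameters are assumptions, and the sample call uses constructed values modelled on the infection described here.

```powershell
# Added example (not from the original post): report the logon persistence
# described above. Test-LogonPersistence and its parameters are illustrative.
function Test-LogonPersistence {
    param(
        # Defaults read the live registry; pass strings to check saved values.
        [string]$Userinit = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon').Userinit,
        [string]$AutoRun  = (Get-ItemProperty 'HKCU:\Software\Microsoft\Command Processor' -ErrorAction SilentlyContinue).AutoRun,
        [string]$Expected = (Join-Path $env:SystemRoot 'system32\userinit.exe'),
        [string]$WinDir   = $env:SystemRoot
    )

    $findings = @()

    # Userinit is a comma-separated list (a trailing comma is normal); every
    # entry besides userinit.exe is started at each logon.
    $entries = @($Userinit -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    foreach ($entry in $entries) {
        if ($entry -ne $Expected) {
            $findings += "Userinit runs an extra program: $entry"
        }
    }
    if ($entries -notcontains $Expected) {
        $findings += "Userinit does not start $Expected; logon will fail"
    }

    # AutoRun is executed by every cmd.exe the user starts.
    if ($AutoRun) {
        $findings += "Command Processor AutoRun is set: $AutoRun"
    }

    # File names taken from the removal steps above.
    foreach ($name in 'bar311.exe', 'password_viewer.exe', 'photo.zip.exe', 'pc-off.bat') {
        $path = Join-Path $WinDir $name
        if (Test-Path $path) {
            $findings += "File present: $path"
        }
    }

    $findings
}

# Constructed values modelled on the infection described above.
Test-LogonPersistence -Expected 'C:\WINDOWS\system32\userinit.exe' `
    -Userinit 'C:\WINDOWS\system32\userinit.exe,bar311.exe' `
    -AutoRun 'c:\windows\pc-off.bat'
```

Run without parameters, it checks the local machine and returns nothing when the Userinit value is clean, AutoRun is empty and none of the files exist.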

Install the Windows Recovery Console in the Boot list

The Windows Recovery Console is required to fix many startup issues caused by malware, viruses, and corrupt system files. The Recovery Console can be booted from the Windows Setup disc, but many machines (including Netbooks) do not have CD drives or easy access to the Windows Setup disc.
Below are the instructions to install the Recovery Console on any Windows XP machine as a boot list option. You will no longer need physical access to the Windows Setup disc (except to install initially) when things go wrong.

  • Insert the Windows XP setup disc.
  • Click Start -> Run and type: %windir%\i386\winnt32.exe /cmdcons
  • Click YES on the Windows Setup box to install the Recovery Console.
  • Setup will attempt to connect to the Internet to update any setup files from the disc. Press ESC to interrupt the setup and use the files on the disc only.
  • Once the Recovery Console is installed a confirmation box will pop up. Click OK.
Some Windows XP passwords will not be recognized by the Recovery Console. To remove the password requirement, modify the following registry key:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole
  • Set the DWORD SecurityLevel value to 1.

Removing the VMware Server SSL Certificate Trust Warning

When you first install VMware Server, you’ll find the administration area in Firefox or Internet Explorer has a security certificate error. This is because the certificate that ships with VMware is self-signed (untrusted). One solution is to use a trusted certificate from a third party (Verisign, GoDaddy, etc) but that has costs associated with it and is not actually necessary. If you want your computer to properly trust the certificate, add it to the Trusted Root list.
1.       Navigate to the SSL folder where VMware Server is installed (ex. C:\Program Files\VMware\VMware Server\SSL).
2.       Double-click on RUI.crt.
3.       Click “Install Certificate” on the Certificate Information window that pops up.
4.       Click “Next” to start the Certificate Import Wizard.
5.       Select “Place all certificates in the following store” and click “Browse”.
6.       Select “Trusted Root Certification Authorities” and click “OK”.
7.       Click “Next” and “Finished”.
8.       A Security Warning box will pop up, click “Yes” and then “OK”.
9.       Close the Certificate Information window.

10.    The SSL warning will no longer show on the VMware Server login screen.