theHobbes

Goodness, its been two months since I last posted! Well, life sometimes does get in the way...

We (my ship) have just come into a program that scans the network for usb drivers and gives a report on when they were last used. Thinking I had nothing to worry about as I had written an ADM template and propagated it through group policy to disable the USBSTOR key, we ran the scan.

The results were different from what I had expected. We discovered a pattern of continual USB usage. Obviously, something was wrong. I pulled up one of the most recent USB uses and went to the computer. Here’s what happened-

When you plug a usb device into a computer for the first time, windows will install that device for you automatically. The system process does this in the background, changing that USBSTOR registry key from 4 (disabled) to 3 (enabled) in the process. This key will change back eventually as group policy trickles down, but the user will have a window to use that usb device and any other they plug in while the key is still at 3. Nefarious!

Fortunately, there is an easy way to fix this. You have to restrict permissions on the key, so that when windows attempts to install it, it is unable to do so. I went into my group policy management tool, and edited my group policy object in the following manner:

1) Computer configuration > windows settings > security settings >registry.
2) Right click the registry and select add key.
3) Add the key you need (in this case the USBSTOR key).
Set your permissions (in this case read only)
Set configure this key and replace existing permissions on all subkeys with inheritable permissions.
hit ok and do a gpupdate /force on the domain controllers.

This seems to have worked- when I try and install a brand new usb device on a domain computer, it get an access denied error (even as admin). Also, the scans haven’t showed any new activity in 5 days (since I implemented the registry permission restriction).

Everything appears to be working smoothly. Until the next crisis, of course.

I just finished “Daemon”, a technology thriller book written by a former database engineer named Daniel Suarez. Its about a computer program which kicks off after it reads a newsfeed of its creator's death, and proceeds to basically take over the world. Talk about fascinating. It is written in a way that does not dumb the technology discussed in it down at all, but I think would still engage a non-technical reader. There is a sequel coming out in 2010 as well. The author’s site can be found here.

(On a side note, check out some of the links he has, as well as his RSS feed. I found a really interesting site, a directory of live webcams across the internet and globe, among other things...)

I stumbled upon a really amazing networking tool over the weekend, while watching old episodes of Hak 5 (I still really need to build a Wifi Pineapple). They reviewed a program called Spiceworks, which is a free (ad supported, but not annoyingly so) network monitoring and management tool. I’ve only dipped into it a little so far, but it can inventory all the devices connected to your network, give you status alerts on them (eg. 25 % disk space on a specific host), show serial numbers, operating systems, software installed, and numerous other bits of information. Its very robust, and its free!

I am a bit worried about the security aspect- after all, they do pump adds in, and collect certain bits of data, but I suppose it all boils down to the risks and the benefits, and how they weigh in your mind. However, all of the data is stored locally on the computer you installed the program to, and port 80 is going to be open anyway...

Some users were complaining of profile problems- desktop icons not appearing, favorites not showing up, things just being generally messed up when they logged on. After looking at one such profile, I noticed that it was taking an extremely long time for the user to log off. I logged in with my account, and the same thing happened to me. I also got an error message, which stated “Delayed write failed”.

I went to the event viewer and had a look, and noticed a warning logged which had the error message text and an event ID of 50, with a source of MrxSMB. I googled this, and got back this Microsoft Article, stating the fix.

There are two ways to go about it- apply the hotfix, or perform the workaround. Being the lazy admin I am, I opted for the workaround:

“To work around this problem, turn off SMB signing on the server:

1. Start Registry Editor.
2. Locate, and then click the enablesecuritysignature value under the following key in the registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Lanmanserver\Parameters
3. On the Edit menu, click Modify.
4. In the Value data: box, type 0, and then click OK.
5. Quit Registry Editor.
6. Stop and then restart the server service, or restart the computer.”

As I said in the previous posts, we are receiving a lot of upgrades to our network on the ship. Among them, several group policy changes have been made, including making the target of the “My Documents” folder immutable. To get around this, I’ve had to make some registry changes, as we are not authorized to roll back or change the group policy.

Go to the registry and edit the HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \ Policies \ Explorer key. Find and delete the DisablePersonalDirChange value. This will bring back the ability to change the target.

Of course, it could never be that easy... when I wanted to change a user’s target (one who is logged on and without admin rights), I had to engage in some more shenanigans. The “runas” option (right click, or shift right click a program and choose the runas option) is also now disabled, and regular users are not permitted to edit the registry. This meant I had to go into the command line and change my permissions.

To do this, type
runas /env /user:yourusername@yourdomainname cmd

(run as, current environment, your account with admin rights, and the program you want to run, which is cmd.exe).

Then you can run regedit from the command line and with your admin account.

My ship has some contractors aboard, performing some upgrades to the network. When they began the router phase of their work, I jumped on the chance to learn some new things about an area which I don’t have the fullest understanding. Setting the speeds on router interfaces is one of the things they were doing, and here is what they did, as I understand it. If I have anything wrong in my write up, as far as how and why they did things, please don’t hesitate to email me with corrections or explanations.

In a network, the all the router interfaces should generally be working at the same speed. They should also be operating at the highest speeds they are capable of. This is to facilitate traffic of course, but also to avoid packet collisions and CRCs. While setting up the interfaces to automatically detect and run at a speed may seem like a good idea, it can be harmful. This is due to the danger that when a node drops off for whatever reason, the device it was interfacing with will connect to the next available device, and may not renegotiate speeds, leading to mismatched data flow and those CRCs.

So here is how to hardcode those speeds, on our Cisco routers:

Get into the router, through telnet or ssh or terminal cable. Enable privileged mode (en command).
config t (configure terminal)
int f0/0 (choose your interface, in this case f0/0)
speed 100 (set the speed)
duplex full (set full duplex)
then use ctrl c or ctrl z to exit the terminal configuration.
type wr to write the changes.

Here is a very cool picture taken and modified by Carol at the Cummer Museum in Jacksonville:

Also, here is a shot of myself and a friend on deployment, letting our collective beards flourish.

So the other day one of my coworkers received an email for an offer about his car that just seemed too good to be true. The person wanted to fly down from Japan to buy it, and was offering his asking price. All he had to do was send some personal information to the guy... Understandably, he was a little suspicious. So I told him there was a definite way to find out if the email really was from Japan- the internet email headers. We popped them open and the email turned out to not be routed through any japanese servers at all.
You can look up the headers of an email in outlook by opening up the message, and going to view> options> and looking at the internet headers in the box. There are also many web based utilities for looking up IP addresses as well (for example, Who Is).

A nasty problem we've been having with newly imaged machines (the navy provides a prebuilt image for computers that need to be slicked/started from scratch). The print spooler will continually shut off, and HP4200 series printers will not install due to "missing or corrupted drivers". Even when the new driver is installed, it will still throw that error.

There are a couple fixes that I’ve tried. The first works less well than the second...

1) Put your XP CD in the CD Drive.

2) Start > Run > EXPAND /r "TheCDDriveLetter"\i386
\SPOOLSV.EX_ C:\Windows\System32

3) Start > Run SPOOLSV.EXE /install

Then go into services and started the Print Spooler manually. When rebooting, it now will start up again.

The second involves copying the contents of the system32\drivers folder from a known good computer to the same directory on the damaged one. This seems to replace whatever dll is messed up, and lets you install the drivers properly.

I've been put in charge of creating an intranet site for my command. As part of this, one of the CO's requirements was a Commanding Officer's Suggestion box. He wanted to have it set up so that people could either put in their email addresses, or leave them blank so they could be anonymous. To do this, I set up a little php script that would take form data and pop it to an email address, anonymous or otherwise. That was no problem- the hard part was setting up PHP on the IIS server (IIS 6). I went through hell and back trying to set it up (and crashed the intranet site a couple of times) before I was saved by the following guide.

Installing PHP on IIS 6

I got a little tired with the old site design, so I figured it was time for a change. I've tried to streamline everything, and make the things I want to get to more easily accessed. I've also cut out a lot of the chaff that was lurking around, and made the linking structure and all that much cleaner. I think I'm going to mostly use it as a technical reference site/online resume, so when I figure stuff out I'll post it so I don't forget. I'll still throw personal info up here though, but I'm not sure what form exactly all this will take. We will see...