Category Archives: Security

FSMO Roles and moving them

I wrote last week about my move from Exchange 2003 to Exchange 2007, and in that article I mentioned that I moved my Domain Controller over at the same time.

There have been questions about what and how, so I’ve knocked this together for anyone who needs to do likewise.

In this scenario we have our old server and our new server with a fresh install of Server 2003, referred to as OLD and NEW.

  • Install DNS on the NEW server, but do not configure it. To do this, add the DNS role through Add/Remove Programs. You may also need WINS if you have legacy operating systems.
  • Configure the NEW server’s network with a static IP; the primary DNS should point to the OLD server, with NEW itself as the secondary.
  • Join the domain on the NEW server (through Computer Properties) and reboot.
  • DCPromo the server up to a DC; join it as ‘Additional domain controller for an existing domain’. This will automatically configure DNS to replicate the domain’s DNS zones. Use the defaults for all the settings unless you have a good reason not to. Make sure you remember the recovery password that you enter.

Right, after a reboot at this point you will have two DCs on your LAN (NEW and OLD). The problem, however, is that OLD will still hold all the FSMO roles for the domain; since we are decommissioning this box we need to move all the roles.

  • First off we need to make the NEW server a Global Catalog server. To do this, launch ‘Active Directory Sites and Services’, expand your site, then expand Servers, select the NEW server, then right-click NTDS Settings (in the right pane) and choose Properties. Tick the ‘Global Catalog’ check box, then OK out of this screen.
  • Now change the NEW server’s network properties to point to itself for DNS as primary and the OLD server as secondary.

Now that the server is a GC server we can assign it the FSMO roles, so let’s do that.

  • Launch ‘Active Directory Users and Computers’ from Administrative Tools.
  • Right-click the domain, select ‘Connect to Domain Controller’, select NEW, then OK.
  • Right-click the domain and select ‘Operations Masters’.
  • You should now see a dialog with three tabs. Click the Change button on each tab to transfer that role to the connected server.
  • The Domain Naming Master must now be transferred. Launch the ‘Active Directory Domains and Trusts’ tool from Administrative Tools.
  • Right-click the root level, select ‘Connect to Domain Controller’ and select the NEW server.
  • Right-click the root level, select ‘Operations Master’, then Change. This should move that Operations Master role over to NEW.

The last couple of roles can be moved either by script (as can all of the above) or with an ‘unsupported but shipped’ tool. We will use the latter, as it is easiest to describe without going into how to use NTDSUTIL.EXE.

  • First register the Schema Management tool by typing regsvr32 schmmgmt.dll into the Run box on the server.
  • Now run MMC and add the Active Directory Schema snap-in to it.
  • Right-click the domain name, select ‘Change Domain Controller’ and select the NEW server.
  • Right-click the domain name, select ‘Operations Master’ (the Schema Master), then Change.
  • Now we need to change the Site Licensing Server. To do this open ‘Active Directory Sites and Services’, select Sites, then your site, then in the right pane right-click ‘Licensing Site Settings’ and click Change in the Licensing Computer area.

OK, nearly done now. Reboot the NEW server and wait: what we are looking for is event ID 1869 (or 1119, but we should get a 1869) in the NEW server’s Directory Service log. Whatever you do, don’t shut down the OLD server until you get this, otherwise nobody will be able to log on, as there will be no GC server on the LAN.

When that event appears, we can remove the Global Catalog role from the OLD server; this is done in the same way as we added it to NEW earlier.

Now we do some checks and force the PDC role over; for this we will use NTDSUTIL.

  • Launch a command prompt.
  • Type NTDSUTIL and press Enter.
  • You should see ntdsutil: at the prompt. Here type roles and press Enter.
  • At the fsmo maintenance: prompt, type connections and press Enter.
  • At the server connections: prompt, type connect to server NEW (substitute your server name) and press Enter.
  • You should see: Connected to NEW using credentials of locally logged on user. At the server connections: prompt, press CTRL-Z and Enter to return to fsmo maintenance.
  • At the fsmo maintenance: prompt, type seize PDC and press Enter.
  • This should result in the server first attempting a graceful transfer of the role (which should already be on the NEW server). The output will also tell you where the other roles are. If any of the roles are still on the OLD server, type the appropriate command from below to seize that role on the NEW server.

    Seize infrastructure master
    Seize domain naming master
    Seize RID master
    Seize schema master
    Select operation target

That should be it. You can now DCPromo out the OLD server, and use the new server as if the OLD one did not exist.
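The same checks and transfers, as an added example that is not part of the original post. It assumes the ActiveDirectory PowerShell module (RSAT, Windows Server 2008 R2 or later), which did not exist when this Server 2003 walkthrough was written; NEW and OLD are the hostnames used above, and the script is run on NEW by an account in Domain Admins, Enterprise Admins and Schema Admins (the Schema Master move needs the last of these).

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory
# module; $NewDc / $OldDc are the post's hostnames.
Import-Module ActiveDirectory

$NewDc = 'NEW'
$OldDc = 'OLD'

# Where are the five roles right now? Three are per-domain, two are per-forest.
function Get-FsmoHolders {
    $d = Get-ADDomain
    $f = Get-ADForest
    [pscustomobject]@{
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
    }
}

# The post's first step: NEW must be a Global Catalog before it takes the roles.
$dc = Get-ADDomainController -Identity $NewDc
if (-not $dc.IsGlobalCatalog) {
    throw "$NewDc is not yet a Global Catalog; enable it in Sites and Services first."
}

'Before transfer:'; Get-FsmoHolders | Format-List

# Graceful transfer of all five roles (the equivalent of the MMC 'Change' buttons).
# Adding -Force turns this into a seize, the same thing as ntdsutil's 'Seize ...'
# commands; only do that when OLD is gone for good, and never bring OLD back afterwards.
Move-ADDirectoryServerOperationMasterRole -Identity $NewDc `
    -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster, SchemaMaster, DomainNamingMaster `
    -Confirm:$false

$after = Get-FsmoHolders
'After transfer:'; $after | Format-List

# Anything still pointing at OLD? Role holders come back as FQDNs, hence the wildcard.
$stillOnOld = $after.PSObject.Properties |
    Where-Object { $_.Value -eq $OldDc -or $_.Value -like "$OldDc.*" } |
    ForEach-Object Name
if ($stillOnOld) { Write-Warning "Roles still on ${OldDc}: $($stillOnOld -join ', ')" }

# Don't shut OLD down until NEW has logged 1869 (or 1119) in its Directory Service log.
$gcReady = Get-WinEvent -ComputerName $NewDc `
    -FilterHashtable @{ LogName = 'Directory Service'; Id = 1869, 1119 } `
    -MaxEvents 1 -ErrorAction SilentlyContinue
if ($gcReady) {
    "GC advertised: event $($gcReady.Id) at $($gcReady.TimeCreated)"
} else {
    Write-Warning "No 1869/1119 event on $NewDc yet; keep $OldDc running."
}
```

Run it once without -Force and read the warnings: a role that is still on OLD after a graceful move usually means a replication or connectivity problem worth fixing before you resort to seizing, since a seized role can never be returned to the old holder.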

The only things left that may need doing are to set up the forwarder addresses in DNS so the server can look up Internet DNS names, and to set up your DHCP scope and options.

If there is anything that I have missed, then please let me know.

Snort 2.7 Beta out

Pop along to the Snort Site for the downloads.

I would not recommend installing this as your live version, but I would advise you to give it a go.

New additions in this version:

  • Target-based stream reassembly, including handling of TCP data overlaps and anomalous TCP header flags on a per-destination basis. 11 different target-based policies are supported. See README.stream5 for specific configuration options for operating system targets.
  • UDP session tracking
  • Option to emulate Stream4 flushing behaviour
  • Stream5 replaces BOTH Stream4 and Flow; you should disable both of these when Stream5 is enabled.

BlueRay Decrypter

muslix64 has done it again. There is now a BluRay decrypter available for anyone that wants to remove the DRM from their BR disk.

This is an early version and has the below limitations:

  • Don't support BD+
  • Don't support Volume unique key
  • Only support one CPS unit key per disc
  • I don't clear the HDMV_copy_control_descriptor in the stream
  • Don't have any FAQ or document so far…
  • You have to provide your own CPS unit key
  • The playback seems to work with VideoLan

However it works, so get yourself a copy. BackupBluRayV001

PDF’s are Bad!

 Or at the moment at least they are. A new security flaw has popped up (Here and Here).

Want an example? Try Clicking this, it's ok though that will not do anything nasty.

The good news? It seems that Foxit on Vista (in either IE or Firefox) does not exhibit the behaviour; however, at the moment (as Justin has said) it looks like pretty much all versions of Adobe’s Acrobat plugin do exhibit the issue.

So my advice? Pop over to Foxit Software for their PDF reader; not only does it not have the issue, it’s a good deal faster and smaller as well.

Kanguru Biometric USB Drive

USB memory sticks are a dime a dozen at the moment; they are cheap and easily available. So why, then, would you pay $99 for a 256MB device like the Kanguru Biometric USB drive?

The selling point of the drive is that it will keep your data secure by using a built in fingerprint reader, and uses the fingerprint to encrypt the data stored on the flash disk.

 First up let's look at the specs for the device:

  • 256MB – 4GB internal storage (device reviewed is the 256MB version).
  • Can store up to 5 fingerprints.
  • Write Protection Switch.
  • Can be used on any user level; You don’t have to be the Administrator on the PC to use it.
  • The security application runs entirely from the Bio Drive so you never have to install software on any computer.
  • Software is preloaded and ready to go out of the box.
  • Optional password recovery.
  • User friendly setup.
  • High Speed USB2.0 Interface.
  • Top grade fingerprint sensor, 508 DPI.
  • Windows 98/ME/2000/XP compatible.
  • Read Speed 8MB/s.
  • Write Speed 7MB/s.
  • Sensor type: capacitive area sensor (236×192 pixels).

But enough of the techie stuff, the question is "does it work"? To be honest, I was expecting the device to not work; I use Vista as my day-to-day OS. The good news is that Vista has the drivers included, so I shouldn't have worried.

Once the device is installed in Windows, two new drives present themselves to the operating system. One of these is, by default, inaccessible. The other contains the software that allows access, via your fingerprint, to the contents of the device.

On the first run of the software you're asked to go through the setup routine for the device. This is simple in itself. You are first asked for the device serial number, this is in the box for the device.

After you put the serial number in, the system will ask you to "Enroll". This is the process by which the device learns your fingerprints.

Simply select a finger to scan, then run your finger over the sensor a few times and the device will tell you that it has learned that print.

The device is capable of learning five different prints, and you can type in a recovery password, just in case. The only thing I should mention, as it's not obvious, is as soon as you have finished learning prints you can simply click the X; there is no continue or complete button, which is slightly odd, but not really a problem.

After that, instead of the configuration application launching when you insert the device, you get the device access menu.

From this you can click the "FD-Pass" option and scan your print, this will allow access to the encrypted drive area.

There are other options as well, "Setup" restarts the learning application, and "Practice" does just that. However there is one more application, "Screen Lock".

The "Screen Lock" application starts a screen-saver, and only allows you to unlock the PC if you use your fingerprint.

Even though it's a great idea, it perhaps does not go far enough. Restarting the PC will work around that lock.

Ideally, the drive needs a GINA (Windows login security screen) replacement that will allow you to use your fingerprint to login to Windows. Then, the normal screen lock (part of the Windows screen-saver menu) will also require the fingerprint unlock.

There are companies that already do this – IBM recently integrated it into some of their T series laptops. The T series also had another feature that I would like to see on this device: a password saver. If all your passwords could be safely encrypted to the device, using your fingerprint to unlock them, life would be so much easier!

That said, it could only be a software release away, and perhaps Kanguru will look into some of these features at a later date.

On to the performance of the device. After all, that's its prime use.

The picture to the right will show you the benchmark figures I obtained from the device in the real world, and though Kanguru claim 8MB/s it's actually a little below that on my device.

This is not actually very quick. Yes, it's probably quick enough to use for small everyday documents etc, but not for large file transfers.

I could not test to see if the 4kb block performance is good enough to run the drive with Vista's ReadyBoost, as that requires more than 256MB on the external storage, and the Kanguru device has 230MB free (it seems 26MB of the device is used for the fingerprint software).

For comparison reasons, I have overlaid the benchmark from a SanDisk Cruzer 2GB. This shows that USB 2 devices can perform better than the Kanguru device does.

You will notice from this chart that the Kanguru does have one performance trick up its sleeve: the random access time on the Kanguru is good, as is its CPU utilisation.

The CPU will probably be because the device is not taxing the USB Bus in any real way, however the quick random access times show that the device has used decent internal components, and may well be usable as a Vista ReadyBoost drive. However, there are complications here as well, as you will have to swipe for access every time you want to use it for the ReadyBoost function.

So in conclusion, the idea behind the device is a good one. Secure data has its place – especially inside big business – and a biometric form of protection is certainly one of the better solutions, as the device will probably be used by management and HR. These people are usually not classed as technical, and this device has a nice, simple, intuitive interface for access.

The device is let down slightly by its lack of throughput performance, and it could add value if Kanguru invested a little time in the software integration with Windows, and possibly OSX/Unix support. It is also odd that they have not shipped any U3-style software with the device (U3 and similar software allows you to take your documents, applications and settings with you).

If you need a flash drive for general use there are certainly better and cheaper alternatives on the market. However, if you need to secure the data that you store on the flash drive, then the Kanguru Biometric is certainly the one to go for.

Links

Kanguru Site

Email Virus Warning

There is a ‘new’ email virus doing the rounds; here is the lowdown. The email will contain a file called message.zip which contains an HTA file. This HTA will try to download ActiveX controls to the local PC from 1gb.ru, t35.com, hzs.nm.ru, users.cjb.net and h16.ru. The subject is usually “Secure Message from HotMail.com user”.
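A quick mail-gateway style check for the indicators just described, as an added example that is not part of the original post: it opens a zipped attachment, flags any HTA inside it, and reports whether the HTA text mentions any of the download hosts listed above. The function name, the temp folder and the sample archive it builds are all constructed for the demonstration; the host list is the one from the post and is an indicator set, not a complete block list.

```powershell
# Added example, not from the original post. Needs .NET 4.5+ (Windows PowerShell 5.1 is fine).
Add-Type -AssemblyName System.IO.Compression
Add-Type -AssemblyName System.IO.Compression.FileSystem

# Download hosts named in the post; treat them as indicators only.
$SuspectHosts = @('1gb.ru', 't35.com', 'hzs.nm.ru', 'users.cjb.net', 'h16.ru')

# Hypothetical helper: returns a list of findings for one zip attachment (empty = nothing seen).
function Test-SuspectAttachment {
    param([Parameter(Mandatory)][string]$ZipPath)
    $findings = @()
    if ([System.IO.Path]::GetFileName($ZipPath) -ieq 'message.zip') {
        $findings += 'attachment is named message.zip (matches the reported lure)'
    }
    $zip = [System.IO.Compression.ZipFile]::OpenRead($ZipPath)
    try {
        foreach ($entry in $zip.Entries) {
            if ([System.IO.Path]::GetExtension($entry.Name) -ieq '.hta') {
                $findings += "HTA inside archive: $($entry.FullName)"
                # Read the HTA as text only; nothing is executed.
                $reader = New-Object System.IO.StreamReader($entry.Open())
                try { $body = $reader.ReadToEnd() } finally { $reader.Dispose() }
                foreach ($h in $SuspectHosts) {
                    if ($body -match [regex]::Escape($h)) { $findings += "HTA references $h" }
                }
            }
        }
    } finally { $zip.Dispose() }
    return $findings
}

# Constructed sample: a message.zip holding an inert HTA whose only content is a comment
# mentioning one of the hosts, so the check can be exercised offline.
$tmp = Join-Path $env:TEMP 'feebs-check-demo'
New-Item -ItemType Directory -Force -Path $tmp | Out-Null
$sample = Join-Path $tmp 'message.zip'
if (Test-Path $sample) { Remove-Item $sample }
$zipOut = [System.IO.Compression.ZipFile]::Open($sample, 'Create')
try {
    $entry  = $zipOut.CreateEntry('message.hta')
    $writer = New-Object System.IO.StreamWriter($entry.Open())
    try { $writer.Write('<html><!-- constructed sample; mentions http://1gb.ru/ and nothing else --></html>') }
    finally { $writer.Dispose() }
} finally { $zipOut.Dispose() }

Test-SuspectAttachment -ZipPath $sample
# Expected findings: the message.zip name, the HTA entry, and a reference to 1gb.ru.
```

Any non-empty result is a reason to quarantine the message rather than deliver it; on a real gateway you would of course also rely on the AV signatures linked below, since the attachment name and host list will change long before the technique does.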

AV vendors are now scanning for the virus; here are the links through to the AV vendors’ write-ups.

Symantec (W32.Feebs.[D|E]@mm):
http://www.sarc.com/avcenter/venc/data/w32.feebs.d@mm.html

Trend Micro (JS_FEEBS.M):
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=JS%5FFEEBS%2EM

F-Secure (Feebs):
http://www.f-secure.com/v-descs/feebs.shtml