Category Archives: Security

Logon Type Codes in the Security Logs

With the prevalence of brute force security attempts, it is not uncommon to see EventID 529 appear often in the security logs. When a failed logon attempt is made on the network, the security logs note down the Logon Type among other information. I use this resource quite often – http://www.windowsecurity.com/articles/Logon-Types.html – to work out what the codes actually mean.

The above resource lists the various logon codes with explanations of what they are.

The most common codes I have seen are:

  • Logon Type 2 – Interactive – when someone attempts to log on to the server console.
  • Logon Type 3 – Network – when failed attempts are made inside the network to shared resources on the server. These errors coupled with IIS attempts could also mean attempts are being made on the SMTP service or HTTPS service. Unfortunately, no IP data is logged on these types of attempts. This has to be manually found from the SMTP or Web logs.
  • Logon Type 10 – RemoteInteractive – Attempted logins to Remote Desktop or Terminal Services. This is often accompanied by useful IP information, which can be used to isolate the offending attacker.

The other codes are described in the article.
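
An added example (not code from the original post): a Python script that tallies failed-logon events by Logon Type and source address, using the three types listed above. The event text is constructed sample data, and the field names assume the Windows Server 2003 EventID 529 description layout.

```python
import re
from collections import Counter

# The three logon types the post describes; other codes are in the linked article.
LOGON_TYPES = {2: "Interactive", 3: "Network", 10: "RemoteInteractive"}

# Constructed sample data: EventID 529 descriptions in the Windows Server 2003
# "Logon Failure" layout (field names assumed; addresses are documentation ranges).
def _event(user, logon_type, source):
    return ("Logon Failure:\n"
            "\tReason:\t\tUnknown user name or bad password\n"
            f"\tUser Name:\t{user}\n"
            f"\tLogon Type:\t{logon_type}\n"
            f"\tSource Network Address:\t{source}\n")

SAMPLE_EVENTS = [
    _event("administrator", 10, "203.0.113.45"),
    _event("admin", 10, "203.0.113.45"),
    _event("sales", 3, "-"),
    _event("backup", 2, "127.0.0.1"),
]

FIELD = re.compile(r"^[ \t]*([A-Za-z ]+):[ \t]*(.*?)[ \t]*$", re.MULTILINE)

def parse_event(text):
    """Return the 'Name: value' lines of one event description as a dict."""
    return dict(FIELD.findall(text))

def summarize(events):
    """Count failures per (logon type code, source address)."""
    counts = Counter()
    for text in events:
        fields = parse_event(text)
        source = fields.get("Source Network Address") or "-"
        counts[(int(fields["Logon Type"]), source)] += 1
    return counts

def report(counts):
    """One line per group; groups without an address need the SMTP/web logs."""
    lines = []
    for (code, source), n in counts.most_common():
        name = LOGON_TYPES.get(code, "see article")
        where = source if source != "-" else "no address: check SMTP/web logs"
        lines.append(f"{n} x Logon Type {code} ({name}) from {where}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(summarize(SAMPLE_EVENTS))))
```

Repeated Type 10 failures from one address stand out at the top of the report, while Type 3 groups without an address are marked for correlation with the SMTP or web logs.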

Move or transfer certificates to another server

In a migration scenario, one of the key steps is to ensure that you keep your trusted SSL certificate. Self-issued certificates which were common in SBS2003 cannot be moved. However, you might need to retain the existing SBS2008 certificate when migrating to a new server.

To export a trusted certificate:

  1. On the Source Server, click Start, click Run, type mmc.exe, and then press ENTER.
  2. On the console, click File, and then click Add/Remove Snap-in.
  3. Click Add, choose Certificates from the list, click Add again, and then click OK.
  4. On the pop-up window, click Computer Account, click Finish, and then click OK.
  5. Expand Certificates, expand Personal, and then click Certificates.
  6. Right-click the certificate that is issued to your Web site (for example: remote.contoso.com), and then click All Tasks, and then click Export.
  7. In the Certificate Export Wizard, click Next.
  8. Ensure Yes, export the private key is selected, and then click Next.
  9. Ensure Include all certificates in the certificate path if possible and Export all extended properties are selected, and then click Next. Do not select Delete the private key if the export is successful.
  10. Type a password to protect the certificate file, and then click Next.
  11. Choose a location to save the .pfx file (for example, C:\trustedcert.pfx), and then click Next.
  12. Finish the wizard.

Transfer this .pfx file to the new server. To import the trusted certificate:

  1. On the Destination Server, click Start, type mmc.exe, and then press ENTER.
  2. On the console, click File, and then click Add/Remove Snap-in.
  3. Choose Certificates from the list, and then click Add.
  4. On the pop-up, select Computer Account, click Finish, and then click OK.
  5. Expand Certificates, expand Personal, and then click Certificates.
  6. Right-click Certificates, click All Tasks, and then click Import.
  7. On the Certificate Import Wizard Welcome page, click Next.
  8. Browse to the location of the saved .pfx file, and then click Next.
  9. Type the password that you typed in the Export procedure, ensure that Mark this key as exportable and Include all extended properties are selected, and then click Next.
  10. Ensure that the certificate will be imported to the Personal folder, and then click Next.
  11. Finish the wizard.

Once the trusted certificate has been imported to the new server, you can run the Add a Trusted Certificate wizard, and select the installed certificate.

For more information, refer to the following Technet article – http://technet.microsoft.com/en-us/library/cc527486(WS.10).aspx

IT Security revisited

I was just reminded of the 10 Immutable Laws of Security (http://technet.microsoft.com/en-us/library/cc722487.aspx)

Law #1: If a bad guy can persuade you to run his program on your computer, it’s not your computer anymore

Identifying Fake Antivirus Programs

TrendMicro has released an informative whitepaper on how to identify Fake Antivirus programs, often referred to as FakeAV. These programs generally pop up on your computer screen, inform you that your computer has been infected, and then offer to clean it out for you. Clicking on the program will inadvertently install it, which in turn installs a whole bunch of nasties.
 
…and hopefully educate yourself on how not to get infected by these apps.
 

Worry-Free Business Security (WFBS) Disk Cleaner Tool

Another cause for disk space shortage on the C: drive of the SBS 2008 servers is the size of AntiVirus data files. With Trend Micro Worry Free Business Security, there is a tool to help clean out the older files and temporary files.
 
 
According to the site, disk usage of up to 9GB could occur.
 
Problem:
Normal WFBS operations will entail disk usage that may range from as low as 1.2GB, and may reach up to 6.0 GB depending on usage.
 
Under some occasions, however, a disk usage of up to 9GB may occur. 
 

Trend Micro Worry Free message “To complete the installation, restart the computer” does not go away

After installing Trend Micro’s Worry Free Business Security version 5.0 or later, the following message comes up on the workstations. After clicking on the “Install drive and restart the computer” button, the system restarts, and this message keeps reappearing.
 
 
The solution is on Trend Micro’s knowledge base, but it is a bit difficult to find. http://esupport.trendmicro.com/Pages/To-complete-the-installation-restart-the-computer-always-appears-when.aspx
 
   1. Stop Cryptographic Services.
   2. Go to the C:\Windows\system32\catroot2 subfolder and rename it as “oldcatroot2”.
   3. Start Cryptographic Services.
   4. Open a command prompt and run the following commands:
      a. regsvr32 wintrust.dll – This registers Microsoft Trust Verification.
      b. regsvr32 netcfgx.dll – This registers Network Configuration Objects.
   5. Restart your computer.
 
There is a bit more information there, detailing the problem.

Microsoft Office Outlook cannot provide form scripting support

I installed Trend Micro Worry Free Business Security Advanced on a server and implemented the antispam features. Trend drops detected spam messages into a folder called Spam Folder in each user’s Outlook mailbox on the Exchange server.
 
When accessing this folder on a Terminal Server, the following error message appears.
 
“Microsoft Office Outlook cannot provide form scripting support. This feature is not available. For more information, contact your support administrator.”
 
The fix to this problem is detailed in KB302003 – http://support.microsoft.com/kb/302003
 
1. Copy Outlvbs.dll from a normal client PC (not a Terminal Server). The file needs to be placed in the Program Files\Microsoft Office\Office12 folder. For Outlook 2003, put this file in the Office11 folder.
 
2. Enable VB Script support by running the following command on the Terminal Server – msiexec /i {Product GUID} ADDLOCAL=OutlookVBScript /qb
The Product GUID can be found in the HKLM\SOFTWARE\Microsoft\Office\12.0\Common\InstalledPackages. Look for the Microsoft Office package key that is installed.