Getting lots of Kerberos errors?

When you look at the SBS Monitoring logs every day, do you see lots and lots (I mean thousands) of errors coming from workstations? When you look at the workstation event logs you see Kerberos and DCOM errors.
 
We have found that these generally relate to printer status monitors that reside on the workstation (or server). We especially see this with the HP toolbox printer software that is loaded during the complete printer driver installation of HP Printers.
 
Do you need these printer monitor programs? No, we believe not, so if you don’t need them they should be removed to prevent all the Kerberos errors. You can uninstall and reinstall the printer drivers, but take a look in:
 
HKLM\Software\Microsoft\Windows\currentversion\run
 
and for HP printers remove the following startup entries:
 
StatusClient 2.6 REG_SZ
c:\program files\Hewlett-Packard\toolbox\statusclient\statusclient.exe /auto
 
TomcatStartup 2.5 REG_SZ
c:\program files\Hewlett-Packard\toolbox\hpbpsttp.exe
 
and then reboot the system. The printer toolbox will no longer be loaded and the security errors on the SBS system should now be gone. The actual monitor programs may be different for different printer suppliers.
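As an added example (not from the original post), this PowerShell script does the same registry clean-up from an elevated prompt: it exports the Run key as a backup, then removes any startup value that matches the two HP names above or whose command line points into the Hewlett-Packard\toolbox folder. Run it with -WhatIf first to see what it would remove.

```powershell
# Added example: remove the HP toolbox status-monitor startup entries from
# HKLM\...\Run after backing the key up. Run elevated; -WhatIf previews only.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
# Value names quoted in the post; other printer vendors' monitors will differ.
$knownMonitors = @('StatusClient 2.6', 'TomcatStartup 2.5')
$toolboxPath   = 'Hewlett-Packard\toolbox'

# 1. Back up the whole Run key before touching anything.
$backup = Join-Path $env:TEMP ('Run-backup-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
reg.exe export 'HKLM\Software\Microsoft\Windows\CurrentVersion\Run' $backup /y | Out-Null
Write-Host "Run key exported to $backup"

# 2. Walk every value in the key. PSObject.Properties also carries PowerShell's
#    own PSPath/PSChildName bookkeeping properties, so filter those out.
$props = (Get-ItemProperty -Path $runKey).PSObject.Properties |
    Where-Object { $_.Name -notlike 'PS*' }

foreach ($p in $props) {
    $name = $p.Name
    $data = [string]$p.Value
    $byName = $knownMonitors -contains $name
    $byPath = $data -like "*$toolboxPath*"
    if (-not ($byName -or $byPath)) { continue }

    Write-Host ("Found startup entry '{0}' -> {1}" -f $name, $data)
    if ($PSCmdlet.ShouldProcess("$runKey\$name", 'Remove startup value')) {
        Remove-ItemProperty -Path $runKey -Name $name
        Write-Host '  removed'
    }
}
Write-Host 'Done. Reboot, then check the SBS monitoring report for the Kerberos/DCOM errors.'
```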

Unable to uninstall Livestate Desktop V3.0

Recently we tried to update a customer from Livestate Desktop Recovery V3.0 to the latest Backup Exec Desktop System Recovery 7.0 and guess what? When you attempt to uninstall Livestate from Control Panel you get a message that you “must uninstall a previous version”. Say what? There was no prior version, so now what?

Well, you could go through the registry manually and remove all the entries to Livestate but let us tell you that there are heaps. A much better option is to call up Symantec Tech Support and tell them you are having issues. They will send you a batch file that uninstalls Livestate manually.

This was almost identical to the issue that we had with Livestate 6.0 Server recovery and the only solution was once again a batch file from Symantec. Hmm.. not impressed at all Symantec, not at all. We really hope that when it comes time to uninstall Backup Exec Desktop System Recovery 7.0 we don’t have the same issues.

Web site security threats

We recently attended a security seminar presented by Trend Micro where they said that most of the security threats faced by computers these days are being delivered by web sites. Note how we didn’t say malicious web sites. Why? Well, the example that Trend gave was that the web site for the Miami Dolphins football team in the US had been hacked and a small piece of code had been added to their front page that, when opened, would download a trojan to the viewer’s computer. Once the trojan was downloaded, it would then execute and download more malware, ultimately allowing the PC to be controlled by hackers for whatever purpose they deemed fit.

Now you might think that this is all a bit far-fetched and only happens in places like America. Well, think again! The following report in the Sydney Morning Herald highlights how the same thing happened to the web site of the Sydney Opera House. According to the story:

The code would infect web browsers that were not patched with the latest security updates with Trojan software, most likely designed to capture sensitive information such as internet banking details from victims’ computers.

and

Ms Swaffield says NSW police were informed of the security breach, the incident was documented but no action was taken. The Sydney Opera House site is visited by more than 300,000 internet users every month.

Hmmm.. interesting, eh? If you want a reason to ensure that your workstations are up to date, look no further than this story, because as it says the trojan would “infect unpatched machines” and up to 300,000 people use this legitimate web site every month.

So don’t just think that it is your emails that are your biggest security threat; it is all those network users surfing web sites on unpatched machines that can cause major problems.

For the full story see: http://www.smh.com.au/news/security/hackers-infected-opera-house-website/2007/06/11/1181414219766.html

Etrust antivirus slowdowns

We have now seen this a few times so …

If you have Etrust antivirus V7.0 installed on your machine you may experience a situation where the whole system runs extremely slowly after the change to daylight savings time (DST). A bug exists in the Etrust software that allows Inotask.exe to run at 100% CPU utilization. The resolution is to apply an update from CA which can be found here.

Basically you download the file, unzip it (using the CA unzip program) and then stop all the Etrust services. Next, replace the files on the affected machine. For a server there will normally be 2 files to replace and on workstations just one. Restart the Etrust services again. The CPU should now return to normal levels.

The strange thing that we have found is that only certain machines are affected. Sometimes servers (SBS2003 included) and sometimes workstations. No rhyme or reason. Go figure.

Good security demo

Here’s a great video that demonstrates how “insecure” even the most modern networks are. All you have to do is ignore one fundamental security principle (which end users do all the time) and then the floodgates are open.

http://www.microsoft.com/uk/technet/itsshowtime/sessionh.aspx?videoid=351

It’s only about 20 minutes in total time but we just wish we could download the file in total for later reference.

Book review – Spies Among us

Spies Among Us: How to stop spies, terrorists, hackers and criminals you don’t even know you encounter every day by Ira Winkler was a little disappointing, we thought. Well, probably the most likely reason is that we’ve heard it all before. Security isn’t a destination, it is a process, as all good security professionals know. Ira’s book covers a wide range of topics but the answers are always very simple and usually just require common sense. We suppose that in this day and age that is what is missing from most people. Why would someone from Nigeria ask you to allow them to transfer money through your account for a significant handling fee? C’mon, now really, but you’d be amazed at how many people that scam alone fools. From memory we think email scams are Nigeria’s largest-earning export.

This book is probably a good read for someone who really hasn’t had to think too much about security. It does provide plenty of real world examples of how professionals perform penetration tests of businesses and generally how they walk away with the information they require within a few days. It is probably a good book to get your boss to read to convince them to spend more on security, but as we all know this is highly unlikely. Why? Simply because security is all about maintaining the status quo in management’s eyes. They think that it doesn’t contribute to profits and it doesn’t reduce expenditure, so what good is it? In the face of this sort of attitude we like to ask: “What do you have to do to be 100% certain that a break-in will not re-occur once your computer systems have been compromised?” Answer: “The only way to be 100% certain is to wipe EVERYTHING (servers, workstations, the lot) and reload.” How expensive is that going to prove, boss?

The cost of proactive security is always far cheaper than reactive security, but not many businesses understand that until it is too late. If you don’t see the benefit of security then read Spies Among Us before your business becomes a victim.

Why isn’t this a critical update?

Got wireless? Have you got this “patch” from Microsoft? KB917021. If you don’t then I’d make sure that you do. You’ll also have to download it MANUALLY, yes manually, as it is not offered through Windows Update at all. Why is this “patch” important? Well …

Changes for nonbroadcast networks

In Windows XP with Service Pack 2, Wireless Auto Configuration tries to match preferred wireless networks to wireless networks that broadcast their network name. If no network matches a preferred wireless network, Wireless Auto Configuration sends probe requests to determine whether the preferred networks are nonbroadcast networks. In this manner, a Windows XP wireless client advertises its list of preferred wireless networks. An observer may monitor these probe requests and configure a wireless network by using a name that matches a preferred wireless network. If the wireless network is not secured, this network could enable unauthorized connections to the computer.

Yes, you read right. If you have Windows XP with Service Pack 2 and all the patches, and a wireless adapter that you leave on even when it is not connected to a wireless access point, then without this patch Wireless Auto Configuration sends probe requests to determine whether the networks you used to connect to are there. Bottom line: the Windows XP wireless client tells anyone who wants to listen its list of preferred wireless networks. This ain’t good.

Also, while you are fiddling with your wireless settings, turn off your wireless adapter’s ability to connect to ad hoc networks. This option is enabled by default on Windows XP and may allow someone to connect to your computer via an ad hoc wireless network if you leave your wireless card turned on.

Safest bet? When you aren’t using wireless on your laptop, turn the adapter off.

DNS Vulnerability

Possible DNS vulnerability on the SBS2003 server as per the Microsoft article:

http://www.microsoft.com/technet/security/advisory/935964.mspx

The simple fix for the time being is:

1. On the Start menu click ‘Run’, type ‘Regedit’ and then press Enter.

2. Navigate to the following registry location:
   “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters”

3. On the ‘Edit’ menu select ‘New’ and then click ‘DWORD Value’.

4. Where ‘New Value #1’ is highlighted, type ‘RpcProtocol’ for the name of the value and then press Enter.

5. Double click on the newly created value and change the value’s data to ‘4’ (without the quotes).

6. Restart the DNS service for the change to take effect.
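The same six steps as a PowerShell script, added here as an example (not from the original post or the Microsoft advisory): it checks the current RpcProtocol value, creates or sets it to 4, restarts the DNS Server service and verifies the value stuck. Run it elevated on the SBS2003 box.

```powershell
# Added example: apply the advisory 935964 workaround (RpcProtocol = 4) with
# PowerShell instead of regedit, restart the DNS service and verify.
[CmdletBinding()]
param()

$dnsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$valueName = 'RpcProtocol'
$wanted    = 4   # 4 = allow DNS RPC management over local procedure call only;
                 # the network-facing RPC management interface is no longer offered

if (-not (Test-Path $dnsParams)) {
    throw 'DNS Parameters key not found. Is the DNS Server service installed on this machine?'
}

# Show the current state first; the value does not exist on a default install.
$current = (Get-ItemProperty -Path $dnsParams -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($null -eq $current) { Write-Host "$valueName is not set (default behaviour)" }
else                    { Write-Host "$valueName is currently $current" }

if ($current -ne $wanted) {
    # New-ItemProperty creates the REG_DWORD; -Force overwrites an existing value.
    New-ItemProperty -Path $dnsParams -Name $valueName -PropertyType DWord `
        -Value $wanted -Force | Out-Null
    Write-Host "$valueName set to $wanted"
}

# The setting is read when the service starts, so restart DNS and confirm it came back.
Restart-Service -Name DNS -Force
$svc = Get-Service -Name DNS
if ($svc.Status -ne 'Running') { throw "DNS service did not restart: $($svc.Status)" }

# Verify the value really stuck.
$check = (Get-ItemProperty -Path $dnsParams -Name $valueName).$valueName
if ($check -eq $wanted) { Write-Host "Verified: $valueName = $check; DNS service running." }
else                    { throw "Unexpected $valueName value after change: $check" }
```

While this value is set, the DNS console on another machine can no longer manage this server over RPC, so manage DNS locally and remove or reset the value once the proper security update for this issue is installed.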