Archive for category Security
Cause a Computer to Stop Booting via Script
Interesting simple script I wrote today to cause a computer to stop booting. When run, the operating system will not load; the issue is easily reversed with a boot CD of any kind. Why would I ever want to do this, you might ask. Simple: I used it at the request of an employer. The boss had requested a way to see exactly what a user was doing on his work computer without a chance to clean it up. I used Kaseya to push this script down and a few minutes later I got a call from the user saying his computer crashed. I told him to send it to IT and he did. I got the computer, renamed the file and turned it over to the boss so he could see what he wanted. He was let go a few hours later.
Scripted Enumeration of Accounts with Local Admin Rights
Beefing up security on networks keeps you from having issues in the long run. An hour today can save you three later. In an effort to improve network security and individual computer security I came up with this fancy little Kaseya script. It enumerates the local administrators on a computer and exports them to a text file named after the target computer. This can also be run through a batch login script. In the example below "g:" is an admin share on my local server; you can make this whatever you want, or use a Get File step in Kaseya to snatch the text file from the computer.
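The same audit as an added PowerShell example (not the post's Kaseya script): it collects the local Administrators group, writes it to a file named after the computer, and flags members that are not on an expected list. The share path and the expected member names are assumptions.

```powershell
# Added example (not the post's Kaseya script): enumerate the local Administrators
# group with "net localgroup", write the members to <share>\<COMPUTERNAME>.txt, and
# flag any member that is not on an expected list. The share path and the expected
# members are assumptions; change them for your environment.
$Share    = '\\server\admin-audit$'     # assumed admin share (the post uses "g:")
$Expected = @('Administrator', 'CORP\Domain Admins', 'CORP\Workstation Admins')

# "net localgroup" prints a header, a dashed separator, one member per line, then
# "The command completed successfully." Keep only the member lines.
$raw = @(net localgroup Administrators)
$sep = 0
for ($i = 0; $i -lt $raw.Count; $i++) { if ($raw[$i] -match '^-{5,}$') { $sep = $i; break } }
$members = @($raw[($sep + 1)..($raw.Count - 1)] |
             ForEach-Object { $_.Trim() } |
             Where-Object { $_ -and $_ -notmatch 'completed successfully' })

# -notcontains is case-insensitive, which matches how Windows compares account names.
$unexpected = @($members | Where-Object { $Expected -notcontains $_ })

$report  = @("Computer:  $env:COMPUTERNAME", "Collected: $(Get-Date -Format s)", '')
$report += 'Local Administrators:'
$report += $members
$report += @('', 'Not on the expected list:')
$report += $(if ($unexpected.Count -gt 0) { $unexpected } else { '(none)' })

$report | Out-File -FilePath (Join-Path $Share "$env:COMPUTERNAME.txt") -Encoding ASCII
```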
Removing Trend Micro Client/Server Security Silently Through Kaseya or a Login Script
As you might have noticed from my last post I have spent some time cleaning up Trend Micro issues on my networks this week. I have a few installs that are messed up and need a reinstall so I made this.
Script Description: Uninstall Trend Micro client
IF True
THEN
  Set Registry Value
    Parameter 1 : HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc.\Allow Uninstall
    Parameter 2 : 1
    Parameter 3 : REG_DWORD
    OS Type : 0
  Execute File
    Parameter 1 : c:\Program Files\Trend Micro\Client Server Security Agent\ntrmv.exe
    Parameter 2 : /silent /noreboot
    Parameter 3 : 0
    OS Type : 0
ELSE
Trend Micro Client/Server Agent Uninstall Without Password
I am posting this because I have had this issue a few times and it seems to be happening more and more often to me. The idea is that when you go to unload OfficeScan, or the Trend agent, it prompts you for a password; you enter it and away you go. The issue is when you have a client computer that is not communicating with the server as it should be: it cannot authenticate the password. Here is the fix; in the registry key below change the DWORD value to a '1' instead of a '0'. This change will allow for the uninstallation of the software without entering the password.
"Allow Uninstall"=dword:00000000
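For the login-script route mentioned in the title of the previous post, here is the same two-step uninstall (registry flag, then ntrmv.exe) as an added PowerShell example; it is not the post's Kaseya script. The registry key, value name and uninstaller path are the ones the two posts give; the log share is an assumption.

```powershell
# Added example (not the post's Kaseya script): the same uninstall done from a
# login or startup script in PowerShell. Registry key, value name and uninstaller
# path come from the posts above; the log share is an assumption.
$Key = 'HKLM:\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc.'
$Exe = 'C:\Program Files\Trend Micro\Client Server Security Agent\ntrmv.exe'
$Log = "\\server\logs$\trend-uninstall-$env:COMPUTERNAME.log"   # assumed share

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Out-File -FilePath $Log -Append -Encoding ASCII
}

# Only act on machines that still have the agent; otherwise a login script would
# try to run a missing uninstaller on every logon.
if (-not (Test-Path $Key) -or -not (Test-Path $Exe)) {
    Write-Log 'Agent registry key or ntrmv.exe not found; nothing to do.'
    return
}

# Flag the client as removable without the server-side password (the DWORD from
# the post above), then run the uninstaller silently without an automatic reboot.
Set-ItemProperty -Path $Key -Name 'Allow Uninstall' -Value 1 -Type DWord
Write-Log 'Set Allow Uninstall = 1'

$proc = Start-Process -FilePath $Exe -ArgumentList '/silent', '/noreboot' -Wait -PassThru
Write-Log "ntrmv.exe exited with code $($proc.ExitCode)"

# Record whether the uninstaller actually removed itself so the push can be
# audited from the share afterwards.
if (Test-Path $Exe) { Write-Log 'ntrmv.exe still present; check this agent manually.' }
else                { Write-Log 'Uninstall completed; reboot pending.' }
```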
The 333 Event ID In The Application Event Log
I am writing this because I had a server doing this for a very long time before I pinned down the cause. This will include a lot of what I found on the internet and my own personal fix that worked for me.
Example Event:
Event Source: Application Popup
Event Category: None
Event ID: 333
Date: 3/23/2009
Time: 2:44:53 PM
User: N/A
Computer: SERVER1
Description:
An I/O operation initiated by the Registry failed unrecoverably. The Registry could not read in, or write out, or flush, one of the files that contain the system’s image of the Registry.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 01 00 6c 00   ......l.
0008: 00 00 00 00 4d 01 00 c0   ....M..À
0010: 00 00 00 00 4d 01 00 c0   ....M..À
0018: 00 00 00 00 00 00 00 00   ........
0020: 00 00 00 00 00 00 00 00   ........
Symptoms: Every third of a second or so an Event ID 333 error was logged in the Application event log on the server. This would start after the server had been up for a few hours to days and would stop for a period after the server was rebooted. The error occurred so often that I was reaching 30,000 instances of the error in 24 hours. About 36 hours after the event started occurring no one was able to log in to Active Directory, and getting the server back up required a manual hard reboot.
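An added PowerShell check (not from the post) that measures how fast Event ID 333 is being logged, so the flood described above can be caught before the server stops answering logons. The window, the threshold and the use of Get-EventLog (available once PowerShell is installed on Windows 2003) are assumptions.

```powershell
# Added example (not from the post): count Event ID 333 entries in the Application
# log over a recent window and report the rate. Window and threshold are assumptions.
$WindowMinutes = 10
$Threshold     = 100   # assumed: a healthy server logs none; the flood above logs ~3/sec

$since  = (Get-Date).AddMinutes(-$WindowMinutes)
$events = @(Get-EventLog -LogName Application -Source 'Application Popup' -After $since |
            Where-Object { $_.EventID -eq 333 } | Sort-Object TimeGenerated)

if ($events.Count -eq 0) {
    "No Event ID 333 entries in the last $WindowMinutes minutes."
    return
}

$perSecond = [math]::Round($events.Count / ($WindowMinutes * 60), 2)
"Event ID 333: $($events.Count) entries in $WindowMinutes minutes ($perSecond/sec), first at $($events[0].TimeGenerated)"

if ($events.Count -ge $Threshold) {
    # The event data carries an NTSTATUS at bytes 12-15 (little endian). In the
    # record shown above that is 4d 01 00 c0 = 0xC000014D, STATUS_REGISTRY_IO_FAILED,
    # which is the status the event text describes.
    $data = $events[0].Data
    if ($data -and $data.Length -ge 16) {
        $status = [BitConverter]::ToUInt32($data, 12)
        "Flood threshold exceeded; NTSTATUS in event data: 0x{0:X8}" -f $status
    }
    # Note the uptime too, since the post saw the flood begin hours to days after boot.
    $os = Get-WmiObject Win32_OperatingSystem
    "Last boot: $($os.ConvertToDateTime($os.LastBootUpTime))"
}
```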
Adding ‘Lock My Computer’ Shortcut to The Desktop
In an effort to increase security at one of my healthcare providers, they requested a quick way their employees could lock their computers when they walk away from them. I found Mklnk, a very tiny free utility that lets you make shortcuts from the command line, and decided to use it to accomplish this task. I did some research and found that the following command will lock your computer.
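An added PowerShell example (not the post's Mklnk command) that creates the same desktop shortcut with the built-in WScript.Shell COM object, so no extra utility is needed; the shortcut name and description are my own choices.

```powershell
# Added example (not the post's Mklnk command): create a "Lock My Computer"
# shortcut on the All Users desktop through WScript.Shell. The shortcut runs
# rundll32 user32.dll,LockWorkStation, the standard command-line way to lock
# the workstation (same effect as Win+L).
$shell   = New-Object -ComObject WScript.Shell
$desktop = $shell.SpecialFolders.Item('AllUsersDesktop')
$lnkPath = Join-Path $desktop 'Lock My Computer.lnk'

$lnk = $shell.CreateShortcut($lnkPath)
$lnk.TargetPath       = Join-Path $env:SystemRoot 'System32\rundll32.exe'
$lnk.Arguments        = 'user32.dll,LockWorkStation'
$lnk.WorkingDirectory = Join-Path $env:SystemRoot 'System32'
$lnk.Description      = 'Lock this computer'
$lnk.Save()

# Re-read the .lnk and verify the target before handing it out to users.
$check = $shell.CreateShortcut($lnkPath)
if ($check.TargetPath -notlike '*\rundll32.exe' -or $check.Arguments -ne 'user32.dll,LockWorkStation') {
    throw "Shortcut at $lnkPath did not save as expected"
}
"Created $lnkPath"
```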
Conficker: What Is It? How to Prevent and Clean It.
What is it?: Conficker is a virus that has been spreading for about 2 months, infecting an estimated 15-20 million computers worldwide. Systems running Windows 2000, Server 2000, Windows XP (all variations), Vista (all variations), Server 2003, Server 2008 and even Windows 7 are susceptible. The details of what exactly the virus does are a bit sketchy because of the way the virus is built. At this time it appears that the virus is dormant on the computer, waiting to download the remainder of its payload code on April 1st. Right now it is presumed that the worm spreads itself through the RPC service and through HTTP, network shares, USB and removable media, and even FTP. The worm can modify open-port exceptions on Windows Firewall and can stop svchost.exe, services.exe, and explorer.exe. It has a built-in P2P component so that infected hosts can exchange code with each other and with web servers and coordinate. This is where the fear of fast-changing polymorphic code comes from, as well as the ability of the virus to use host computers in a zombie-like fashion to attack other computers or servers.
Symptoms of the virus are expected to include, and have been confirmed to include:
- Services disabling on their own, namely Windows Defender, BITS, Windows Firewall, and some third-party antivirus services such as LiveUpdate.
- Massive increase in network traffic. Up to a 10-15% increase in total network traffic is expected on infected networks. This is due to attacks on shares and accounts, as well as spreading of the virus and payload.
- Account lockouts reset. If the virus is on a DC it will dictionary-attack the admin account and admin shares; if the account locks out, it will automatically reset the lockout.
- Lastly, some or all AV websites, security websites, and Windows Update sites are inaccessible. They reply to ping and answer to telnet on port 80, but they are not accessible to any browser. This appears to be done through a virtual proxy system.
Autopatcher, a Better Way of Staying Updated
Today, another really nifty tool for update deployment. Whether you have a computer that missed a few patches, or a fresh install you are trying to catch up to the rest of your network, Autopatcher is an easy solution. All you have to do is download a little exe and it will connect to Microsoft.com and get the latest patches. When you run the application it will automatically determine what you are missing on the computer. These are automatically selected; then check any add-ons you want to install, and away you go. Now what makes this nifty is that once the patches are downloaded, it works offline. If you have a few computers to update it doesn't bottleneck your bandwidth. Even better than that, it will run off a thumb drive or a network share and does not require installing the patcher application on the client side. Just another solution when you need to process an update quickly, or update a few computers at an office that is running a low-bandwidth WAN. It is also another substitute for Windows Update that does not require you to go through the validation process. It supports Windows 2000 SP4, Vista, Server 2003, and XP SP3, in a few different languages and on both x86 and x64 architectures.
http://www.autopatcher.com/
Service Pack 3 Rollout Options Switches and Scripts
Okay, so Service Pack 3. Scary, I know; I am always wary of big service pack rollouts. However, if you don't update to SP3, you are open to contracting some nasty bugs. Here are some simple install possibilities if you don't have it on your network yet. I suggest that you take a look at some of the install articles on SP3 and some of the complications people have experienced before doing a mass rollout. Below are some options that might be helpful to you, but as always, test on a few computers before rolling out to a bunch. You might also want to check out this link for an explanation of the switches and arguments for installation. In my scripts below the switches I use will force all applications closed, back up the replaced files, and make a log. A progress window is displayed during the install and at the end the computer is rebooted. I found this to be the best option for rollouts as you can see the progress bar to estimate time remaining, and you do have a log and a backup if things go wrong. I suggest you find the right mix of switches that works for you though.
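An added PowerShell rollout wrapper (my example, not the post's scripts) that runs the SP3 installer with the behaviour described above and skips machines that are not XP or already have SP3. The share paths and installer file name are assumptions; the switches are the installer's own.

```powershell
# Added example (not the post's scripts): run the XP SP3 installer from a share
# with the behaviour described above: close running applications, keep the
# default backup of replaced files, write a log, show a progress bar, reboot at
# the end. Share paths and the installer file name are assumptions.
$Installer = '\\server\deploy$\WindowsXP-KB936929-SP3-x86-ENU.exe'   # assumed
$LogDir    = '\\server\deploy$\logs'                                  # assumed
$Log       = Join-Path $LogDir "sp3-$env:COMPUTERNAME.log"

# Guard against running the installer where it does not belong.
$os = Get-WmiObject Win32_OperatingSystem
if ($os.Version -notlike '5.1.*') {
    "Not Windows XP (version $($os.Version)); skipping."; return
}
if ($os.ServicePackMajorVersion -ge 3) {
    "SP$($os.ServicePackMajorVersion) already installed; skipping."; return
}
if (-not (Test-Path $Installer)) { "Installer not found at $Installer"; return }

# /passive        progress bar, no prompts       /forceappsclose  close running apps
# /forcerestart   reboot when the install ends   /log:<file>      write an install log
# Backups of replaced files are kept because /nobackup is deliberately not used.
$switches = @('/passive', '/forceappsclose', '/forcerestart', "/log:$Log")
$proc = Start-Process -FilePath $Installer -ArgumentList $switches -Wait -PassThru
"SP3 installer exited with code $($proc.ExitCode); log at $Log"
```

With /forcerestart the machine reboots as soon as the installer finishes, so the final line is only seen when the install fails before that point.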
Reset a Local Account Password With VBS
Posted by admin in Kaseya, Scripts, Security, Visual Basic Script (vbs) on March 11, 2010
Today I added a bunch of old computers with different local admin account passwords to our domain. So, since I am all for doing things the easy way I came up with a quick script. I added the computers that I needed the admin account reset on to an active directory OU and applied this script.