Archive for March 2007

Requiem for a Screensaver

When I arrived at work this morning, I was forwarded an urgent demand from the corporate communications office. The presentation computer by the elevator lobby near the executives was showing an old screen-saver using the old company logo. I had seen something similar on the displays in the south lobby a week or so back, so I knew what they were talking about.
The machines by the elevator lobby were using a restricted domain account. Since the computer was purposed to display information, the screen-saver was disabled in group policy. If the screen-saver wasn’t even enabled, how could the user have seen a screen-saver, I asked.
So I set out to google for a solution. I found that if no one is logged in, the screen-saver settings in hkey_users\.default\control panel\desktop will be used. I thought that had to be the solution. No one was logged in, and that caused a screen-saver to run. It was a good theory, but it turned out the .default registry settings use logon.scr for the screen-saver. That isn’t the screen-saver that was observed.
I searched some more and found out I’d forgotten a key piece of information. The Default User account, which is used as the template when new accounts are made, does not store its default registry information in hkey_users\.default. That is for the service account. Instead, the template’s registry settings are stored in the Default User profile’s ntuser.dat.
When the computer was ghosted, the last act prior to sysprep was to copy the profile used to configure everything into the default profile. Because these systems are exceedingly old, that ntuser.dat is set to run the old, old screen-saver. Any new account will be created expecting to use it. With domain accounts, the screen-saver is changed by group policy. But there is an issue with local accounts, and I suspect also an issue when the user profile does not load correctly and a default profile is used instead.
I updated the ntuser.dat on the systems for which I have responsibility. I also edited the registry to remove the existing configuration pointing to the old, old screen-saver.
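As an added example (not part of the original post), here is a PowerShell script that checks both places this post describes: the screen-saver values under HKEY_USERS\.DEFAULT, which apply when nobody is logged on, and the ones inside the Default User profile’s ntuser.dat, which every newly created profile inherits. The profile path (the XP layout is the default), the retired screen-saver file name oldlogo.scr and the -Fix switch are assumptions for the illustration; it has to run as an administrator because it loads the hive with reg.exe.

```powershell
# Added example (not from the original post): inspect the two places a
# pre-logon or template screen-saver can come from, and optionally clear the
# retired one out of the Default User template.
# Assumptions: run as an administrator; the Default User profile path is a
# parameter (XP: "C:\Documents and Settings\Default User\ntuser.dat",
# Vista and later: "C:\Users\Default\ntuser.dat"); oldlogo.scr is a
# hypothetical name for the old screen-saver; reg.exe is on the PATH.

param(
    [string]$DefaultProfileHive = "$env:SystemDrive\Documents and Settings\Default User\ntuser.dat",
    [string]$OldScreenSaver     = 'oldlogo.scr',
    [switch]$Fix
)

$desktopValues = 'SCRNSAVE.EXE', 'ScreenSaveActive', 'ScreenSaveTimeOut'

function Get-DesktopSettings([string]$KeyPath) {
    # Returns a hashtable of the screen-saver values under a "Control Panel\Desktop" key
    $result = @{}
    if (Test-Path $KeyPath) {
        $key = Get-ItemProperty -Path $KeyPath
        foreach ($name in $desktopValues) {
            $result[$name] = $key.$name
        }
    }
    $result
}

# 1. What runs when nobody is logged on (the logon desktop uses HKU\.DEFAULT).
if (-not (Test-Path 'HKU:\')) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
Write-Host '--- HKEY_USERS\.DEFAULT (logon desktop) ---'
Get-DesktopSettings 'HKU:\.DEFAULT\Control Panel\Desktop' | Format-Table -AutoSize

# 2. What every *new* profile inherits: the Default User template hive.
#    It is not mounted, so load it under a temporary name, read it, then unload it.
if (-not (Test-Path $DefaultProfileHive)) {
    throw "Default profile hive not found: $DefaultProfileHive"
}
& reg.exe load 'HKU\DefaultTemplate' $DefaultProfileHive | Out-Null
try {
    $templateKey = 'HKU:\DefaultTemplate\Control Panel\Desktop'
    Write-Host '--- Default User ntuser.dat (template for new profiles) ---'
    $settings = Get-DesktopSettings $templateKey
    $settings | Format-Table -AutoSize

    $scr = $settings['SCRNSAVE.EXE']
    if ($scr -and ([System.IO.Path]::GetFileName($scr) -ieq $OldScreenSaver)) {
        Write-Warning "Template still points at the retired screen-saver: $scr"
        if ($Fix) {
            # Remove the pointer so new accounts start with no screen-saver configured;
            # domain accounts still get whatever Group Policy sets afterwards.
            Remove-ItemProperty -Path $templateKey -Name 'SCRNSAVE.EXE' -ErrorAction SilentlyContinue
            Set-ItemProperty    -Path $templateKey -Name 'ScreenSaveActive' -Value '0'
            Write-Host 'Template cleaned.'
        }
    }
}
finally {
    # Always unload; otherwise the hive file stays locked and the next
    # profile copy or sysprep run fails. GC first so PowerShell drops its handles.
    [GC]::Collect()
    & reg.exe unload 'HKU\DefaultTemplate' | Out-Null
}
```

Run it read-only first on one of the affected machines; the two tables make it obvious whether the logon desktop or the template is the source. The post’s observation that logon.scr showed up under .DEFAULT while the template carried the old file is exactly the mismatch the output exposes.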

Patched for DST Yet?

I just saw an email from the I.T. department at a government agency. They ask all users to leave their Windows and Mac systems online this weekend and make sure automatic updates are enabled in preparation for the DST change. Wow, sounds like they are leaving things to the last minute there. It also sounds like they have a rather chaotic patch distribution system.
I’m not so sure we’ve been as methodical as we could have been about this. I also feel our user communication was kind of late. We have a good excuse. We changed our company name in February. We’ve been working for months preparing for that changeover, so DST was a secondary item until that was finished.
I’m not going to be at work the week of the 12th. Traditionally when I’m not in the office, something hits the fan. Usually it’s a major virus incident. So if I were my co-workers, I’d buckle up for a bumpy ride.

Today’s SANS Diary Entries

Rather than creating separate entries, I thought I’d comment on today’s SANS Diary entries in one post.
Comparing Anti-Virus Solutions
That’s just weird timing, since I posted about that this weekend. I agree that VirusTotal is an interesting snapshot. I would be more interested in a site that collects when a virus def is available and what is in that def (assuming everyone lists what virus detections are added in each definition update). Another interesting graph is the virus release chart for each major virus. Here’s a graph Message Labs put out about Nyxem response time. Symantec didn’t do so well.
Security update for QuickTime (7.1.5)
About freaking time Apple. I had already given up on a fully patched install ever being released. We just pushed 7.1.3 last week to a couple hundred computers that had been running 6.5.
phpMyFAQ being exploited
I almost installed this for one FAQ I maintain. I decided to stick with static HTML since I wouldn’t be able to maintain it.

I need to talk about your flair

I was running the good old password cracker this weekend, and I noticed that there are still 10-15% of the accounts using passwords like Aaaaaaa1 (A = capital letter, a = lowercase). These passwords are fairly easy to brute-force since there is a low level of complexity. These are passwords where the user is attempting to do the bare minimum to fit the password requirements.
It kind of reminded me of that scene from Office Space.

STAN
I need to talk about your flair.
JOANNA
Really? I have 15 buttons on. I, uh, (shows him
STAN
Well, ok, 15 is minimum, ok?
JOANNA
Ok.
STAN
Now, it’s up to you whether or not you want to just do the bare
minimum. Well, like Brian, for example, has 37 pieces of flair. And a
terrific smile.
JOANNA
Ok. Ok, you want me to wear more?
STAN
Look. Joanna.
JOANNA
Yeah.
STAN
People can get a cheeseburger anywhere, ok? They come to Chotchkie’s
for the atmosphere and the attitude. That’s what the flair’s about.
It’s about fun.
JOANNA
Ok. So, more then?
STAN
Look, we want you to express yourself, ok? If you think the bare
minimum is enough, then ok. But some people choose to wear more and we
encourage that, ok? You do want to express yourself, don’t you?
JOANNA
Yeah. Yeah.
STAN
Great. Great. That’s all I ask.
JOANNA
Ok.

We should have a policy that any password I can crack must be expired immediately.
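An added example, not from the original post, that makes the "bare minimum" observation measurable: it classifies a list of cracked passwords by character-class mask and compares the keyspace of the capital-first, digits-last shape with the nominal keyspace the policy implies. The password list is constructed for the demonstration, the symbol-class size of 32 is an assumption, and it needs PowerShell 2.0 or later.

```powershell
# Added example (not from the original post). Classify cracked passwords by
# character-class mask (u = upper, l = lower, d = digit, s = symbol) and
# compare the keyspace of the "bare minimum" shapes with the nominal keyspace
# an 8-character, three-class policy implies. The list below is constructed
# for the demo, not real audit output. Needs PowerShell 2.0 or later.

$cracked = @(
    'Summer07', 'Password1', 'Welcome1', 'Jimmy123', 'x7$Kq!pL',
    'Monkey99', 'Tr0ub4dor', 'Bb3nHqv2', 'Chicago1', 'Letmein1'
)

function ConvertTo-Mask([string]$Password) {
    # One class letter per character, e.g. Aaaaaaa1 -> ulllllld
    -join ($Password.ToCharArray() | ForEach-Object {
        if     ($_ -cmatch '[A-Z]') { 'u' }
        elseif ($_ -cmatch '[a-z]') { 'l' }
        elseif ($_ -cmatch '[0-9]') { 'd' }
        else                        { 's' }
    })
}

function Get-MaskKeyspace([string]$Mask) {
    # Candidates needed to exhaust exactly this mask (32 printable ASCII symbols assumed)
    $classSize = @{ u = 26; l = 26; d = 10; s = 32 }
    $total = [double]1
    foreach ($c in $Mask.ToCharArray()) { $total *= $classSize["$c"] }
    $total
}

function Test-BareMinimum([string]$Mask) {
    # "Capital first, lowercase middle, digits last": the shape users pick to
    # satisfy a three-class rule with the least effort.
    $Mask -cmatch '^ul+d+$'
}

$report = foreach ($pw in $cracked) {
    $mask = ConvertTo-Mask $pw
    New-Object PSObject -Property @{
        Password    = $pw
        Mask        = $mask
        BareMinimum = Test-BareMinimum $mask
        Keyspace    = Get-MaskKeyspace $mask
    }
}

$report | Sort-Object Keyspace | Format-Table Password, Mask, BareMinimum, Keyspace -AutoSize

$bare = @($report | Where-Object { $_.BareMinimum })
$pct  = $bare.Count / $cracked.Count
'{0} of {1} cracked passwords ({2:P0}) follow the capital-first, digits-last shape' -f $bare.Count, $cracked.Count, $pct

# Why that matters: an 8-character upper+lower+digit password nominally has 62^8
# candidates, but an attacker runs the ulllllld mask first and is done far sooner.
$nominal = [math]::Pow(62, 8)
$shape   = Get-MaskKeyspace 'ulllllld'
'Nominal 8-char keyspace : {0:E2}' -f $nominal
'ulllllld mask keyspace  : {0:E2}  ({1:N0}x smaller)' -f $shape, ($nominal / $shape)
```

The mask notation is the same one cracking tools use for mask attacks, so the masks this prints are directly the ones an attacker would feed to the cracker first; a password whose mask matches ^ul+d+$ sits in a keyspace roughly three orders of magnitude smaller than the policy suggests, which is why the cracker keeps finding them.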

What is your selection criteria for corporate antivirus?

I was really impressed by the RFP George Washington University put together for their encryption project. It was made available at the SANS Desktop and Storage Encryption Summit that I attended a few months back.
I decided to sit down and try to hammer out a list of requirements for some upcoming projects. I would like to replace the corporate antivirus that we currently use on our desktops and servers. I’ve been kind of impressed with what McAfee has done. Many companies left them for Symantec at the turn of the millennium. McAfee was too difficult to update, and had a reputation for bogging systems down. Now McAfee has a reputation for being easy to manage through ePolicy Orchestrator, and many companies have tired of Symantec’s lack of support, virus definition corruption problems and confusing update structure.
Certainly reputation is important. Experiences from someone you trust can go a lot further than a 30-day eval in a lab. The problem is that the people I know using McAfee have really drunk the Kool-Aid. They’re like Mac users. They can only bash the competition; they apparently have nothing but positive experiences to report. It makes me question whether they can be trusted to provide a true evaluation of McAfee.
Actually detecting and cleaning is important. But how to select which vendor is good at it? I read an interesting NIST article on that from 1996. Rather than evaluating vendors on the basis of some virus zoo, I think a better evaluation is to 1) measure their response time when a new variant comes out, and 2) measure how they perform when signatures aren’t available and all that is left is heuristics and behavior profiling.
The ability to control which PUPs (potentially unwanted programs) are detected, and what happens when they are, also matters. I am sick of getting alerts about Netcat. I don’t have a problem with it being in my environment. But because Symantec made an error in the version I’m running, I can’t completely exclude it from detection.
It is just so easy to make the evaluation points all of the things you hate about the current product, rather than brainstorming a full list of requirements.
Currently we have a lot of systems having issues with corrupt virus definitions. Gartner reports that McAfee has the same problems. How do I know if that’s a real issue? Is it better or worse than my Symantec problems?

Restricted Groups

Sadly, at work we operate with pretty much all users as local administrators. Their local administrator rights allow a user to remove Domain Admins from the local Administrators group, breaking our ability to manage the systems. Years ago we set up a login script to add Domain Admins to the local Administrators group if the user was a local administrator. We looked for a way to do this in group policy, but we were always told that it is not possible to append members to a group.
Based on something I had read a while back about this actually being possible, I decided to look into it further. What I found is that the Restricted Groups portion of group policy has a “Member Of” setting. I can set Domain Admins as a restricted group and leave the Members portion blank. This does not erase the current members as it did in earlier versions of Windows. Then in the “Member Of” box, I add Administrators. This adds the Domain Admins group to the local Administrators group on all domain computers.
No muss no fuss.
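As an added example (not part of the original post), a PowerShell script that verifies the policy actually landed, i.e. that Domain Admins is a member of the local Administrators group on each computer, and can repair it the same way the old login script did. The computer names are hypothetical, the domain defaults to the one you are logged into, and it assumes the account running it is already an administrator on the targets and that RPC to them is open; it uses the WinNT ADSI provider so it works against XP and 2003 without PowerShell remoting.

```powershell
# Added example (not from the original post): verify that "Domain Admins" is a
# member of the local Administrators group on each computer, and optionally put
# it back the way the old login script did. Assumptions: run as an account that
# is an administrator on the targets; RPC reachable; computer names are
# hypothetical; the domain defaults to the caller's logon domain.

param(
    [string[]]$ComputerName = @('WKS-LOBBY-01', 'WKS-LOBBY-02'),
    [string]$Domain      = $env:USERDOMAIN,
    [string]$DomainGroup = 'Domain Admins',
    [string]$LocalGroup  = 'Administrators',
    [switch]$Repair
)

function Get-LocalGroupMemberPaths([string]$Computer, [string]$Group) {
    # WinNT ADSI provider: works against XP/2003 with no remoting required.
    $grp = [ADSI]"WinNT://$Computer/$Group,group"
    @($grp.psbase.Invoke('Members')) | ForEach-Object {
        # Each member is a COM object; pull its ADsPath, e.g. WinNT://CONTOSO/Domain Admins
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
}

function Test-DomainGroupIsLocalMember([string]$Computer) {
    $wanted  = "WinNT://$Domain/$DomainGroup"
    $members = Get-LocalGroupMemberPaths -Computer $Computer -Group $LocalGroup
    [bool]($members | Where-Object { $_ -ieq $wanted })
}

foreach ($computer in $ComputerName) {
    try {
        $ok = Test-DomainGroupIsLocalMember $computer
        if (-not $ok -and $Repair) {
            # Same operation the old login script did with "net localgroup ... /add"
            $grp = [ADSI]"WinNT://$computer/$LocalGroup,group"
            $grp.psbase.Invoke('Add', "WinNT://$Domain/$DomainGroup,group") | Out-Null
            $ok = Test-DomainGroupIsLocalMember $computer
        }
        New-Object PSObject -Property @{
            Computer = $computer; DomainAdminsPresent = $ok; Error = $null
        }
    }
    catch {
        # Unreachable host or access denied: report it rather than silently skipping
        New-Object PSObject -Property @{
            Computer = $computer; DomainAdminsPresent = $false; Error = $_.Exception.Message
        }
    }
}
```

Run it once after gpupdate /force on a pilot machine to confirm the Member Of setting took, then periodically as a check: Restricted Groups is re-applied at every background policy refresh, so a local admin who removes the group gets it back within the refresh interval, but in that window the machine is unmanageable and -Repair closes it immediately.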

Remote Desktop Connection 6

Ever since installing the Remote Desktop Connection version 6 client on my XP computer, it seems like every system I connect to has problems with accessibility shortcuts suddenly becoming active. The “k” brings up Narrator, the “l” locks the computer, “d” seems to minimize. It’s driving me crazy. If I am logged into the system, I can often hit the Windows key a couple of times to get the normal keys back. When the computer is locked I often have to disconnect the session and then reconnect to be able to log in.