Recently in Microsoft Category
I'm sure some people will read this and think, "Gee, what a moron," but it may save some other people a few minutes.
After installing Symantec Endpoint Protection, I found that the Windows Firewall was still enabled on my computer. I had set up a WMI filtered Group Policy that disabled the Windows Firewall if SEP11 was installed. Eventually, I remembered that I created the firewall disable policy on Windows 2003, and that was not going to be able to manage the Vista policy. While I could disable the XP firewall, there were some Vista options not available in that policy.
I notice there are some things called Vista Extensions for Group Policy. Perhaps that would have added the missing pieces to my Windows 2003 GPMC, but I don't know.
I set out googling GPMC and Vista. I was beset by websites talking mostly about release candidate versions of Vista. There were a few pre-SP1 articles complaining that it was being removed. Even searching at Microsoft.com didn't help. I finally found a forum post that linked KB941314, the Remote Server Administration Tools for Vista SP1 and Windows 2008. I installed that, but apparently didn't read the instructions because I still couldn't find the Group Policy Management Console after the installation concluded. Eventually I found a post indicating the need to install the KB, then go into Control Panel -> Programs -> Programs and Features and add new Windows features.
I ultimately solved the problem I was trying to solve, after wasting a lot of time.
While reviewing the results of the latest windows domain password audit, I noted that there was an increase in the number of lanman hashes stored. We had two domain controllers blow up recently and they had to be rebuilt from scratch rather than restored from backup. I correctly figured that on one or both of those DCs the disable lan man setting had not been implemented correctly.
I knew that on a Windows 2000 domain controller this setting needed to be added manually. The Group Policy setting only affects XP and Windows 2003 computers. I didn't remember what the registry setting was, so I went to http://support.microsoft.com/kb/299656.
I read:
To add this key by using Registry Editor, follow these steps:
1. Start Registry Editor (Regedt32.exe).
2. Locate and then click the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
3. On the Edit menu, click Add Key, type NoLMHash, and then press ENTER.
4. Quit Registry Editor.
5. Restart the computer, and then change your password to make the setting active.
In my haste, I forgot about the difference between a Key and a Value. I saw that the domain controller had HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa with Nolanman hash set to dword value 1. I compared that to the other domain controllers and didn't see why that domain controller wasn't working.
It took a second to realize that was the Windows 2003 setting set by Group Policy. For Windows 2000, you need to go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa and create a key of nolmhash. That isn't the same thing at all. A quick check verified that this setting was missing on the new DCs and existed on the old DCs. We set the registry key and scheduled a reboot.
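The key-versus-value mix-up above can be checked offline. This is an added example, not code from the original post: it assumes each DC's Lsa branch has been exported to .reg text, and the host names, OS labels and function names are hypothetical.

```python
import re

# Registry path from the post, lower-cased for case-insensitive matching.
LSA = r"hkey_local_machine\system\currentcontrolset\control\lsa"

def parse_nolmhash(reg_text):
    """Return (has_subkey, dword_value) found in one exported Lsa branch."""
    has_subkey, dword, section = False, None, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            # Windows 2000 form: a *key* named NoLMHash beneath Lsa.
            if section == LSA + "\\nolmhash":
                has_subkey = True
        elif section == LSA:
            # XP / 2003 form: a DWORD *value* named NoLMHash inside Lsa.
            m = re.fullmatch(r'"nolmhash"=dword:([0-9a-f]{8})', line, re.I)
            if m:
                dword = int(m.group(1), 16)
    return has_subkey, dword

def lm_hash_disabled(os_family, reg_text):
    """Apply the rule from the post: 2000 needs the key, 2003 the value 1."""
    has_subkey, dword = parse_nolmhash(reg_text)
    return has_subkey if os_family == "win2000" else dword == 1

# Constructed sample exports (hypothetical hosts, not data from the post).
HDR = "Windows Registry Editor Version 5.00\n\n"
LSA_KEY = "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa]\n"
EXPORTS = {
    "dc-old": ("win2000", HDR + LSA_KEY + '"nolmhash"=dword:00000001\n\n'
               + LSA_KEY[:-2] + "\\NoLMHash]\n"),
    "dc-rebuilt": ("win2000", HDR + LSA_KEY + '"nolmhash"=dword:00000001\n'),
    "dc-2003": ("winxp_2003", HDR + LSA_KEY + '"NoLMHash"=dword:00000001\n'),
}

def audit(exports):
    """Return the hosts on which LM hash storage is still enabled."""
    return sorted(h for h, (fam, txt) in exports.items()
                  if not lm_hash_disabled(fam, txt))

if __name__ == "__main__":
    print(audit(EXPORTS))
```

The rebuilt Windows 2000 DC is flagged even though it carries the DWORD value, which is the situation that made the two domain controllers look identical at first glance.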
David LeBlanc takes the occasion of an Excel zero day to say, "See, I told you so." Excel 2003 SP3 is not vulnerable.
I'd like to know if SP3 is not vulnerable because of the disabling of support for old file formats, or if it's not vulnerable due to the other assorted fixes in the service pack. David implies it's the latter, saying, "We did a _lot_ of work fuzzing our apps and fixing bugs. While I'll never claim that SP3 is unbreakable, it's a lot more robust than Office 2003 was previously, and this probably won't be the last time we see an advisory over something that affects SP2 but not SP3."
I was just thinking, if it's not vulnerable because obsolete file formats are disabled (security over backwards compatibility), then people who follow information in this KB to enable those file types are still vulnerable. I guess we'll find out when the patch is released and more information is available. Until then I'm going to go put a bug in someone's ear at work about upgrading to SP3. We can't afford to wait until all of our other apps support Office 2007.
I just noticed that Microsoft released a new tool called the EFS Assistant back in May.
One of the big drawbacks to using EFS is enforcing what folders are encrypted. It seemed like unless you wrote some convoluted script using cipher, what was encrypted was in the hands of the user. I prefer to leave as little security as possible in the hands of the end user.
There are still many drawbacks to using EFS, but this tool helps with one of those issues.
According to Microsoft TechNet, MS07-016 is included in Windows 2003 Service Pack 2.
However, if you install IE7 after installing SP2 for Windows 2003, you end up with a wininet.dll that is version 7.0.5730.11. According to MS07-016, this is a vulnerable version of this dll.
So now, we're in a pickle. As of Monday, Windows Update did not recognize a need for MS07-016 on this computer. The Security Bulletin does not address this scenario.
I contacted our Microsoft Technical Account Manager. He contacted the security group at Microsoft, who verified that the system is vulnerable and we must reapply the patch. Fortunately the Cumulative Update for Internet Explorer 7 for Windows Server 2003 (KB928090) worked on this system even though the patch says it's for Windows 2003 SP1.


