Sunday, January 16, 2005 - Posts

The right password in the right place

Many eons ago I thought I did a brilliant thing about passwords.  I made sure that all the local administrator passwords on my desktops matched the Administrator password of the domain.  But what I didn't realize was that I was in reality making my server less secure.  Dr. Jesper Johansson made me realize what a dumb blonde move I had made, because I was making my domain controller rely on the security of my desktops and laptops.  As he says, more secure systems shouldn't rely on the security of weaker ones.

Since then I have used a different password for the local admin account, one that does not match the server's admin account.

Today one, and only one, of our desktops was stolen from the office, and because it did not have the server's admin password on it, I didn't have to freak out and change the admin password of the network.

It's obvious that my most insecure systems are the ones that can be easily stolen.  I was at a local CPA tech meeting last week and they said that these “snatch and grabs” were happening all over town.  One firm even had 8 such burglaries over the last three years.  Wow.

In the 10 laws of security, law number 3 says that if a bad guy has physical access to your computer, it's not your computer.  Well, I can certainly attest to that.  It's definitely NOT my computer anymore.

The experience of buying a computer -- ugh never again

I had to buy a computer in a retail computer store today. 

I hope I don't have to repeat the experience.  You see, we had a bit of a problem at the office.  We had a break-in and lost one desktop.  Fortunately, because there is NOTHING on that desktop that has identity information on it, I had no SB1386 notifications, and because I had pulled an inventory script of the network prior to migration, guess who had a full itemized listing of what was stolen.  Came in handy!  Because all of my data is on my server, once I got word that it was fine I was much more relieved and just more in an “Oh bother” mood [as Pooh Bear would say].

But I needed to get a computer back on that person's desk as soon as possible.  I normally purchase systems from Dell, specifying what I want, but decided to order the Dell and then get an inexpensive desktop at a retail store for Monday morning.

I've come to the conclusion, even more than before, that the retail experience is overwhelming and confusing.  I went into Best Buy with a range of computers in mind, found what I wanted and then went in search of a salesman.  Now I can't blame Best Buy for being busy and for their salespeople needing to go over all the options in detail, but I can fault them on the ambiance.  Blaring stereo noise coming from the video section, and just an overall “cluttered” feel.  The Windows Media Player was getting a lot of attention, but it was on the far back wall and the one kid who had settled down in front of it had pulled out a chair and was sitting in the middle of the aisle working the remote.  The area where the laptops were, again, seemed a bit cluttered.  You can definitely tell that laptops are hot sellers because there was more floor space for them than for desktops.  I could tell that I was not in my normal “patience” mode today, because after waiting about 15 or twenty minutes for a salesman to free up I finally left Best Buy and went to CompUSA, where I bought a desktop.  Now, trying to find an XP Professional machine when you want to attach to a domain was just about impossible.  Fortunately I keep a copy of the XP Pro upgrade around at all times “just in case”, and I have Office 2003 MOLP media that I have licenses for, so I knew I didn't care what OS the machine came with, as I'd put on it what I wanted to.

After getting the retail box home I found it had the following installed:

  • Norton antivirus suite
  • McAfee security suite
  • XP sp2
  • BigFix Consumer
  • AOL

Ick... and I promptly removed all of those.... well obviously NOT the XP sp2  :-)

Then, because I couldn't find a desktop WITHOUT about four media card slots, I had to go into Computer Management and reassign the drive letters of all the media slots so they didn't collide with my network drive letters.

There was a guy there comparing prices to Costco.  You know, that makes me wonder: if there were more “small business network computers” with XP Pro at Costco, it might be better for small businesses.  I don't know how a small business would ever find an SBS-ized computer in a retail store these days.  No wonder all the VARs and VAPs complain about small businesses ending up with XP Home.  It's hard to find XP Pro in a retail store.

Did see an interesting thing at the checkout: a plastic bubble pack for a $99 per month subscription to XDrive, a 5-user version that advertised file sharing and collaboration.  Chad was saying on the listservs that he does whiteboxes because retail computers load up with Soooooo much gunk that he spends so much time uninstalling all the junk that it's just not worth it.  I definitely found that to be true today.

To all of those folks who believe that you can safely run TS in app mode on an SBS 2003 box:

To anyone who truly believes that running Terminal Server in Application mode on our SBS 2003 domain controller can be made secure, or could ever be secure, I am reminded of a joke that Dr. Jesper J told and that has been repeated in SBSland.... “what are you smokin' and why aren't you sharing?”

Today, in addition to screwing up the user-versus-device CAL licensing in Terminal Server, I loaded up more applications on it.  I loaded the Office applications on my Terminal Server [keeping in mind that normally we tell folks to NEVER install applications like Office on a server].  I flipped the “Themes” service to Automatic and started it so that the desktops could “look” like Windows XP.  I uninstalled [but only for the users] the Enhanced IE ActiveX blocking.  I basically lowered the security and introduced threat vectors all over the place.  All the hard work done by Michael Howard and his team to protect that server from the stupid user, I totally ripped out.  I still haven't even grabbed the Security Resource Kit to apply the recommended guidance.

How can anyone honestly and truly think that they can in turn ACL and permission themselves back to the lowered attack surface that the Microsoft server team built?

I enabled services, I installed software [which reminds me, I need to Shavlik that box again because that's “unpatched Office 2003, fresh off the CD-ROM”], and I'm letting a user “drive” that box instead of how my domain controller normally runs: left alone to do its job, with me remoting in from my desktop most of the time and not even walking over to the console.

Sorry, all you folks who think that you have the skill to lock down a domain controller enough that it can be run with TS in application mode: I just so totally disagree with you.

You want to introduce too much risk.  Way too much risk.  Remember, where I'm at, in California, I must take reasonable security precautions to protect my data.  If you think that running Terminal Server in application mode on our domain controller was ever reasonable.... “how about sharin' what you are smokin'?”

I will post once again what I've ranted about in the newsgroups before:

1. Apply the Notssid.inf security template to TS running permissions compatible with TS users.

2. Use the AppSec tool to limit which applications can be executed.

3. Do not enable remote control.

4. Do not enable application server mode on a domain controller. To connect to a terminal server from the network, users must have the Log On Locally user right assigned. If you implement application server mode on a domain controller, non-administrators must be assigned the Log On Locally user right at the domain controller. Because this user right is typically assigned in Group Policy, it enables users to log on at the console of any domain controller in the domain, greatly reducing security.

5. Implement the strongest available form of encryption between the TS client and server.

6. Choose the correct mode for your TS deployment [if you only need remote administration, then deploy only that].

7. Install the latest service pack and security updates.

Don't want to do #1, nor #2, on our SBS boxes, and we clearly are in violation of #4.

Pages 393-394, Security Resource Kit.

Read this doc and see how much is done to lock down a TS server..... we can't do this stuff in SBS land.

At least not on our domain controllers anyway.
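As an added example (not code from the original post or from the Security Resource Kit), here is a small Python audit for item #4 of the list above. It parses the INF-style file that `secedit /export /cfg <file> /areas USER_RIGHTS` writes and lists every principal holding the Log On Locally right (SeInteractiveLogonRight) beyond Administrators and the operator groups that hold it on a domain controller by default. The sample export embedded in the script and the S-1-5-21... domain group SID in it are constructed for illustration, not taken from any real domain.

```python
"""Audit a secedit-exported security template for the "Log On Locally"
grant described in item 4 of the Terminal Services checklist.

Added example, not code from the original post. Input is the INF-style
output of: secedit /export /cfg <file> /areas USER_RIGHTS
"""
import re
from typing import Dict, List

# Groups that hold "Allow log on locally" on a domain controller by default
# (Administrators plus the operator groups). Anything else is a finding.
EXPECTED_DC_SIDS = {
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-548": "BUILTIN\\Account Operators",
    "S-1-5-32-549": "BUILTIN\\Server Operators",
    "S-1-5-32-550": "BUILTIN\\Print Operators",
    "S-1-5-32-551": "BUILTIN\\Backup Operators",
}

# Well-known SIDs used only to make the report readable.
FRIENDLY_NAMES = {
    **EXPECTED_DC_SIDS,
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-555": "BUILTIN\\Remote Desktop Users",
}

# Constructed sample export: what a DC switched into application server mode,
# with TS users granted the right, might look like. The S-1-5-21-... SID is a
# made-up domain group (placeholder, not a real domain).
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-548,*S-1-5-32-549,*S-1-5-32-550,*S-1-5-32-551,*S-1-5-32-545,*S-1-5-32-555,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_template(text: str) -> Dict[str, Dict[str, str]]:
    """Parse an INF-style security template into {section: {key: value}}."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # blank line or comment
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def principals(value: str) -> List[str]:
    """Split a user-rights value into principals; secedit prefixes SIDs with '*'."""
    return [p.strip().lstrip("*") for p in value.split(",") if p.strip()]


def unexpected_local_logon(text: str) -> List[str]:
    """Principals granted SeInteractiveLogonRight that are not the expected
    administrator/operator groups, in the order they appear in the export."""
    rights = parse_template(text).get("Privilege Rights", {})
    granted = principals(rights.get("SeInteractiveLogonRight", ""))
    return [p for p in granted if p not in EXPECTED_DC_SIDS]


def report(text: str) -> List[str]:
    """One human-readable finding line per unexpected principal."""
    lines = []
    for p in unexpected_local_logon(text):
        label = FRIENDLY_NAMES.get(p, "unresolved principal")
        lines.append(f"Log On Locally granted to {label} ({p})")
    return lines


if __name__ == "__main__":
    import sys
    # secedit writes its export as Unicode (UTF-16); decode it that way for a real file.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-16") as fh:
            data = fh.read()
    else:
        data = SAMPLE_EXPORT
    findings = report(data)
    print("\n".join(findings) if findings else "No unexpected Log On Locally grants.")
```

Run it with no arguments to see the constructed sample flagged (Users, Remote Desktop Users and the domain group), or pass the path of a real export taken on the domain controller. Any non-admin principal it prints on a DC is exactly the situation item #4 warns about, and the answer in SBS land is to stay in remote administration mode rather than keep widening that grant.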