W32/autorun.worm.aaeb-h Outbreak

I don’t typically post on virus or malware outbreaks because it would consume too much of my time and they are simply too frequently created. For the most part, if you run your network and systems with the concepts of defense in depth and principle of least access, you should be fine. And as long as you are not running as the local administrator of your workstation you should also be fine… But every once in a while a piece of malware becomes noteworthy…

In this case, W32/autorun.worm.aaeb-h infects both removable media and network shares by copying itself to those locations. Once copied, it modifies the permissions so the executable is hidden. On removable media (think USB flash drives, or even MP3 players), it modifies autorun.inf to auto-run the executable. It will also infect files of common types such as audio and video (mp3, wmv, avi) and documents (doc, xls, pdf).

The presence of any of the following file names indicates you may have this worm:

  • Secret.exe
  • Sexy.exe
  • Pron.exe
  • Password.exe
  • x.mpeg

Defense:

  • Disable the autorun feature
  • Prevent the use of USB media on mission-critical servers
  • Ensure antivirus scanning is enabled for removable media

Mitigation:

For more information on McAfee product coverage and mitigation for this threat, see PD24169 – Threat Advisory: W32/Autorun.worm.aaeb
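As an added example (not McAfee's code and not from the advisory), a small Python scan that looks for the indicator file names listed above on a removable drive or share root and parses autorun.inf for a launch entry pointing at one of them; the autorun.inf keys checked (open, shellexecute, shell\open\command) are the standard ones, and the sample drive contents are constructed:

```python
import configparser
import os
import shlex
import tempfile
from pathlib import Path

INDICATOR_NAMES = {"secret.exe", "sexy.exe", "pron.exe", "password.exe", "x.mpeg"}  # from the post
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")  # standard autorun.inf launch keys
# Constructed sample of the autorun.inf such a worm drops (not a real capture).
SAMPLE_AUTORUN = "[AutoRun]\nicon=%SystemRoot%\\system32\\shell32.dll,4\nopen=Secret.exe\n"

def parse_autorun(text):
    """Return the launch-related keys of an autorun.inf body (keys lower-cased)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    for sec in cp.sections():
        if sec.lower() == "autorun":
            return {k: v for k, v in cp[sec].items() if k in LAUNCH_KEYS}
    return {}

def autorun_findings(entries):
    """Flag launch entries whose target file name is one of the known droppers."""
    hits = []
    for key, value in entries.items():
        # First token of the command, honouring a quoted path; an odd quote count is malformed.
        tokens = shlex.split(value, posix=False) if value.count('"') % 2 == 0 else [value]
        target = tokens[0].strip('"') if tokens else ""
        name = os.path.basename(target.replace("\\", "/")).lower()
        if name in INDICATOR_NAMES:
            hits.append(f"autorun.inf {key}= launches {target}")
    return hits

def scan_root(root):
    """Walk a drive or share root; report indicator files and a suspicious autorun.inf."""
    root, findings = Path(root), []
    inf = root / "autorun.inf"
    if inf.is_file():
        findings += autorun_findings(parse_autorun(inf.read_text(errors="ignore")))
    for dirpath, _dirs, files in os.walk(root):
        findings += [f"indicator file: {Path(dirpath) / f}" for f in files if f.lower() in INDICATOR_NAMES]
    return findings

def demo():
    """Build a throwaway 'USB root' with the sample files, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "autorun.inf").write_text(SAMPLE_AUTORUN)
        (Path(d) / "Secret.exe").write_bytes(b"placeholder, not a real binary")
        return [f.replace(d, "<root>") for f in scan_root(d)]
```

Point `scan_root()` at the drive letter or UNC path of the share to check; a hit on either list is reason to quarantine the media and run a full scan.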

DHCP Best Practices

Here are several DHCP best practices collected from various resources, including CompTIA and Microsoft:

  • Always include the entire subnet in the scope (192.168.1.1 – 192.168.1.254, or 172.29.0.1 – 172.29.255.254)
  • Add exclusions for ranges which are using static IP addresses, and for future growth, such as setting aside 10 addresses for printers so they stay within the same general IP address range
  • For networks where DHCP services are critical, or for larger networks, consider two DHCP servers configured in an 80/20 split (note that Windows Server 2012 adds a new provision for redundant DHCP servers)
  • Configure Active Directory credentials so the DHCP server can update the DNS server with IP address information using secure updates.
  • Use “server side conflict detection” only when needed – this feature delays DHCP from handing out an address until it has first issued an ICMP ping to check whether the address might already be in use but not known to DHCP (i.e., statically assigned within the lease range without an exclusion or active lease).
  • The typical DHCP lease time is 8 days; if you have a separate scope for guest or wireless clients, consider a shorter lease time such as 8 hours, and conversely, for fixed devices (printers, etc.) consider 16-24 days.
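An added example (not from CompTIA or Microsoft) that turns the scope, exclusion and 80/20 split rules above into a plan: both servers are configured with the whole scope, and the function returns the exclusion ranges each one needs so they never offer the same address. The 192.168.1.x scope and its static and printer exclusions are constructed to match the post's figures:

```python
import ipaddress

def addr_range(first, last):
    """All addresses from first to last inclusive, as a range of integers."""
    a, b = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    if a > b:
        raise ValueError(f"range {first}-{last} ends before it starts")
    return range(a, b + 1)

def to_ranges(ints):
    """Collapse sorted address integers into contiguous (first, last) dotted-quad pairs."""
    runs, start, prev = [], None, None
    for a in ints:
        if start is None or a != prev + 1:
            if start is not None:
                runs.append((start, prev))
            start = a
        prev = a
    if start is not None:
        runs.append((start, prev))
    return [(str(ipaddress.ip_address(x)), str(ipaddress.ip_address(y))) for x, y in runs]

def plan_split(scope_first, scope_last, exclusions, primary_share=0.8):
    """Exclusion lists for two servers sharing one scope in an 80/20 split.

    Both servers carry the whole scope; each excludes the static/reserved ranges
    plus the other server's portion, so no lease can be offered by both.
    """
    scope = addr_range(scope_first, scope_last)
    reserved = set()
    for lo, hi in exclusions:
        rng = addr_range(lo, hi)
        if rng.start < scope.start or rng[-1] > scope[-1]:
            raise ValueError(f"exclusion {lo}-{hi} lies outside the scope")
        reserved.update(rng)
    free = [a for a in scope if a not in reserved]   # addresses actually leasable
    cut = round(len(free) * primary_share)
    return {
        "free_addresses": len(free),
        "server_a": list(exclusions) + to_ranges(free[cut:]),  # A leases the first 80 %
        "server_b": list(exclusions) + to_ranges(free[:cut]),  # B leases the last 20 %
    }

# Constructed example: a /24 scope with a static block and ten printer addresses reserved.
EXAMPLE = plan_split("192.168.1.1", "192.168.1.254",
                     [("192.168.1.1", "192.168.1.20"), ("192.168.1.21", "192.168.1.30")])
```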

Exchange 2010 Checklist

When upgrading your Exchange server to 2010, here is a list of things you should review before moving forward:

1. Clean up old mailboxes: back up and remove old/stale mailboxes from the Exchange 2003 system
2. Clean up mailboxes: remove deleted items, purge junk mail folders
3. Identify any archive PST files that users may have on their local systems, and move them, labeled, to a central location on the server if they wish for them to be imported into the existing system
4. Identify all domains to be accepted by the mail server
5. Identify the need for ActiveSync. ActiveSync policies need to be identified and new policies need to be distributed to end users.
6. Mailbox quotas need to be identified
7. Identify retention policies
8. Identify any devices that need to relay email through the mail server
9. Spam rules need to be identified
10. Verify all clients are using Outlook 2003 or greater
11. The best practices analyzer needs to be run against the server, and any issues identified and resolved.
12. Identify certificate information. A Unified Communications certificate needs to be purchased based on the machine name and the public name of the server; a normal certificate will hold 5 FQDNs unless the internal domain is the same as the external domain.
13. A new Server 2008 x64 server needs to be spun up in the virtual environment, partitioned off so that the information store and log files can be stored separately.
14. Exchange needs to be installed and configured on the server
15. Smart hosts need to be configured if used
16. Configure retention policy
17. Configure email policy
18. Configure any relays needed on the network
19. Database and log files need to be moved to the appropriate locations on the server
20. Firewall rules need to be implemented to allow port 25 traffic to the server, or another port if so indicated in the requirements.
21. A connector needs to be built to communicate between the 2003 and 2010 Exchange servers
22. Test migration of one mailbox and verify mail flow between the servers and the outside
23. Schedule the move of mailboxes to the new server
24. Import PSTs as needed
25. Configure relays for devices
26. Public folder replication needs to be set up and moved to the new server
27. Complete testing
28. Set up external URL information: in 2003, web access is via https://FQDN/exchange, and in 2010 it is https://FQDN/owa; if the client would like to keep /exchange, a redirect needs to be configured.
29. Antivirus needs to be set up on the Exchange server
30. Backups of the server need to be configured, tested and verified
31. Test ActiveSync and ActiveSync rules
32. Test all secure certificates
33. Verify all clients connect smoothly to the new server using Autodiscover.

Blackberry Recap

Back in 2010 I posted an article titled Droid Doesn’t, comparing Droid phones with the longstanding enterprise market leader, Blackberry. But if you have been following tech news lately, you will see that the RIM platform is slipping terribly compared to Apple’s iPhone and Google’s Android platform.

I have long been an advocate for Blackberry because the product was built from the ground up to be both a solid mobile phone and an enterprise-class messaging device. In many ways it is still a far superior product with regard to phone performance and enterprise-class messaging, which includes excellent and consistent manageability and secure messaging abilities.

However, in the consumer-driven markets, and on the ever-slippery slope of Bring Your Own Device to work policies, we have seen an influx of competing products.

Products from Apple and Google are not built by a phone company with light computing power, but rather by full-on computer companies making mini-computers with phone functionality. Due to their experience as computer companies, they have brought to market excellent devices which serve a significantly larger dual purpose of phone and mobile computer. And the platform on which Blackberry was built wasn’t computer-friendly enough.

In the early years of 2009-2010, when the iPhone and Android were introduced into the marketplace, it was easy for large enterprises to turn their noses up at those products for their lack of enterprise features and manageability. However, in the years since, Microsoft Exchange with ActiveSync, along with better ActiveSync support from Google and Android, has brought these devices much closer to the standards we expect from an enterprise mobile device, offering security and policy-based control – and perhaps best of all, remote wiping.

So today, with many of the reasons to reject the iPhone and Android products gone, these competing phones are now on a more level playing field. However, that only applies to the enterprise and IT end of the equation. From the end-user perspective, the Blackberry is still a clunky, aged-style device, whereas the new devices are more appealing, with thousands more applications, and are more social.

Unfortunately, it appears that unless Research In Motion, the maker of Blackberry, adapts quickly, they will disappear very soon. Their latest attempt to change from their proprietary OS to an Android-derived OS doesn’t appear to be working well enough to make them a market leader.

Having “Good Time”

No, that’s not bad grammar… It is just a reminder that it is important for all Windows systems to have “good time” and all be pulling from an accurate time source. In Active Directory based networks it is critical that all of your systems be no more than 5 minutes apart from each other. Otherwise you can see sporadic issues with users being unable to connect to resources on the network.

The best way to configure this for our clients is for the domain controllers to pull time from a reliable time source (such as pool.ntp.org) and for domain servers and workstations to pull time from the domain controllers.
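An added example, not from any Microsoft documentation, of the check behind this: an SNTP query in Python that computes the local clock's offset from a reference server such as pool.ntp.org (the RFC 4330 arithmetic) and flags it against the 5-minute tolerance above, which is the Kerberos clock-skew limit Active Directory authentication relies on. The sample reply bytes are constructed so the check runs offline; `query()` is the live version.

```python
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 (NTP era 0) to 1970-01-01 (Unix)
MAX_SKEW_SECONDS = 300          # the 5-minute Active Directory (Kerberos) tolerance
PACKET = "!BBBb11I"             # 48-byte SNTP header layout, RFC 4330

def to_ntp(unix_seconds):
    """Unix seconds (float) -> (NTP seconds, 32-bit fraction)."""
    whole = int(unix_seconds)
    return whole + NTP_EPOCH_OFFSET, int((unix_seconds - whole) * 2**32)

def from_ntp(seconds, fraction):
    """NTP timestamp -> Unix seconds as a float."""
    return seconds - NTP_EPOCH_OFFSET + fraction / 2**32

def build_request(send_unix):
    """Client packet: LI=0, VN=4, mode=3 (0x23); only the transmit timestamp is set."""
    s, f = to_ntp(send_unix)
    return struct.pack(PACKET, 0x23, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, s, f)

def clock_offset(response, t1, t4):
    """Local clock offset in seconds (positive = we are behind), RFC 4330 section 5:
    offset = ((t2 - t1) + (t3 - t4)) / 2, with t1/t4 our send/receive times and
    t2/t3 the server's receive/transmit timestamps taken from the reply."""
    fields = struct.unpack(PACKET, response[:48])
    t2 = from_ntp(fields[11], fields[12])
    t3 = from_ntp(fields[13], fields[14])
    return ((t2 - t1) + (t3 - t4)) / 2

def within_tolerance(offset):
    """True when the offset would not break Kerberos authentication."""
    return abs(offset) <= MAX_SKEW_SECONDS

def query(server="pool.ntp.org", timeout=3.0):
    """Live check against a reference server; needs network, so the tests use fake_response."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sk:
        sk.settimeout(timeout)
        t1 = time.time()
        sk.sendto(build_request(t1), (server, 123))
        data, _ = sk.recvfrom(1024)
        t4 = time.time()
    offset = clock_offset(data, t1, t4)
    return offset, within_tolerance(offset)

def fake_response(server_unix):
    """Constructed stratum-2 reply whose receive and transmit stamps both equal server_unix."""
    s, f = to_ntp(server_unix)
    return struct.pack(PACKET, 0x24, 2, 0, -20, 0, 0, 0, s, f, 0, 0, s, f, s, f)
```

Run `query()` on a domain controller and on a workstation; an offset over 300 s on either side is the condition that produces the sporadic connection failures described above.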

Offline NT Password & Registry Editor

What is it?

  • This is a utility to reset the password of any user that has a valid (local) account on your Windows NT/2k/XP/Vista/Win7 etc. system.
  • You do not need to know the old password to set a new one.
  • It works offline, that is, you have to shut down your computer and boot off a floppy disk, a CD or another system.
  • It will detect and offer to unlock locked or disabled user accounts!
  • There is also a registry editor and other registry utilities that work under Linux/Unix and can be used for things other than password editing.

VoIP System Design Considerations

When installing and configuring a VoIP system, it is necessary to analyze and meet several design considerations to ensure the best quality and user experience. These considerations cover available bandwidth and quality of service.

Bandwidth Requirements and Call Capacity

The available connection bandwidth determines the maximum number of simultaneous calls that the system can support with the appropriate audio quality. Before installing and configuring the LVS components, use this information to determine the maximum number of simultaneous VoIP connections that the system can support. For asymmetric connections, such as ADSL, the maximum number of calls is determined by the upstream bandwidth.

For more information about bandwidth calculation, refer to the following web sites:

Wide Area Network (WAN) Quality of Service (QoS)

You can choose from several types of broadband access technologies to provide symmetric or asymmetric connectivity to a small business. These technologies vary in available bandwidth and in quality of service. It is generally recommended that you use broadband access with a Service Level Agreement that provides quality of service. If there is no Service Level Agreement covering the broadband connection's quality of service, the downstream audio quality may be affected negatively under heavy load conditions (bandwidth utilization beyond 80%). To eliminate or minimize this effect, Linksys recommends one of the following actions:

  • For broadband connections with a bandwidth lower than 2 Mbps, perform the call capacity calculations by assuming a bandwidth value of 50% of the existing broadband bandwidth. For example, in the case of a 2 Mbps broadband connection, assume 1 Mbps. Limit the uplink bandwidth in the Integrated Access Device to this value. This setting helps to maintain the utilization levels below 60%, thus reducing jitter and packet loss.
  • Use an additional broadband connection for voice services only. A separate connection is required when the broadband connection services do not offer quality of service and when it is not possible to apply the above mentioned utilization mechanism.
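An added example (not Linksys documentation) applying the call-capacity rules above: the smaller direction (upstream on ADSL) limits an asymmetric link, and without a QoS SLA a link of 2 Mbps or less is planned at 50% of its rate (the post's own 2 Mbps example is treated as included). The per-call figures for G.711 and G.729 are the common 20 ms RTP-over-Ethernet planning estimates and are assumptions to check against the codec your gateway actually uses:

```python
# Per-call bandwidth in kbps, one direction, including RTP/UDP/IP/Ethernet overhead at
# 20 ms packetisation. Assumed planning figures; confirm them for your codec settings.
PER_CALL_KBPS = {"G.711": 87.2, "G.729": 31.2}
NO_SLA_THRESHOLD_KBPS = 2000   # the post's rule applies at 2 Mbps and below
NO_SLA_FACTOR = 0.5            # plan against 50 % of the raw rate when there is no QoS SLA

def planning_bandwidth(link_kbps, has_qos_sla):
    """Bandwidth to plan calls against for one direction of the link."""
    if not has_qos_sla and link_kbps <= NO_SLA_THRESHOLD_KBPS:
        return link_kbps * NO_SLA_FACTOR
    return link_kbps

def max_calls(up_kbps, down_kbps, codec="G.711", has_qos_sla=False):
    """Simultaneous calls the link supports; the smaller direction governs."""
    if codec not in PER_CALL_KBPS:
        raise ValueError(f"no planning figure for codec {codec!r}")
    limiting = min(planning_bandwidth(up_kbps, has_qos_sla),
                   planning_bandwidth(down_kbps, has_qos_sla))
    return int(limiting // PER_CALL_KBPS[codec])

def utilisation(calls, link_kbps, codec="G.711"):
    """Share of the raw link that `calls` concurrent calls consume in one direction."""
    return calls * PER_CALL_KBPS[codec] / link_kbps

def capacity_report(up_kbps, down_kbps, has_qos_sla=False):
    """Per-codec call capacity and the resulting upstream utilisation, for sizing a site."""
    report = {}
    for codec in PER_CALL_KBPS:
        calls = max_calls(up_kbps, down_kbps, codec, has_qos_sla)
        report[codec] = {"calls": calls,
                         "upstream_utilisation": round(utilisation(calls, up_kbps, codec), 3)}
    return report
```

For a typical 2 Mbps/512 kbps ADSL line with no SLA this yields 2 G.711 or 8 G.729 calls, and the upstream utilisation figure shows how far below the 60%/80% thresholds the planned load sits.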

Wave Embassy Security : Remove all users / enrolled fingerprints

This recipe explains how to remove and delete all enrolled users and fingerprints in Wave’s Embassy Security Suite. This is very handy if you, like me, had enrolled fingerprints/users and then did a clean install of an OS without first deleting them. Usually you will get an error saying that the fingerprint is already enrolled, but none show in the security center.

I had upgraded my XP Professional installation to Vista by doing a clean install. However, after reinstalling the Embassy Security Suite I was unable to re-enroll my fingerprints. It appeared that the TPM/biometric scanner thought my prints were already enrolled. This recipe will show how to reset all the users and prints.

1. Open Windows Explorer and go to the C: drive

2. Then go to Program Files > Wave Systems Corp > Dell Preboot Manager

3. Double-click on the deleteusers.exe

4. This will bring up a command window and a prompt asking if you want to delete all enrolled users. Choose Yes.

5. The command box window will run and then show “users deleted”

6. You should now be able to re-enroll your fingerprint.

This was tested on Dell D620 and D430 laptops with Wave Embassy Security.

Echo Elimination & DTMF Problems

The easiest echoes to fix are:

  1. Echo that you or the person at the other end of the call always hears on a VoIP phone system when you’re talking on an analog line or trunk
  2. Echo that you or the person at the other end of the call always hears on a regular phone system connected to a VoIP phone line (adapter), and where you don’t hear the echo when you connect your butt-set directly to the line (with the phone system disconnected).
