Sysinternals: Ctrl2cap

I am beginning a new series on the Sysinternals tools, which are now part of the Microsoft TechNet tools. This series of posts will highlight both interesting and useful tools available as part of the Sysinternals suite. The most common tool, and perhaps the most important, is ProcMon, but we’ll get to that later. Today we’ll review the first tool posted, Ctrl2cap.

Ctrl2cap was designed to help transition users from old Unix style keyboards, where the control key sits where the caps-lock key is on a standard Windows keyboard. Installing this tool will capture keyboard input and swap the control and caps-lock keys to make the transition to a Windows environment easier for Unix administrators. I encounter the inverse situation when I am at a Unix style workstation or an AS400 that uses a Unix style keyboard, since I am accustomed to a standard Windows keyboard layout.

Additional information directly from Microsoft on this tool:

On Win2K Ctrl2cap is a WDM filter driver that layers in the keyboard class device’s stack above the keyboard class device. This is in contrast to the Win2K DDK’s kbfiltr example that layers itself between the i8042 port device and the keyboard class device. I chose to layer on top of the keyboard class device for several reasons:

  • It means that the Ctrl2cap IRP_MJ_READ interception and manipulation code is shared between the NT 4 and Win2K versions.

  • I don’t need to supply an INF file and have the user go through the Device Manager to install Ctrl2cap – I simply modify the appropriate Registry value (the keyboard class device’s HKLM\System\CurrentControlSet\Control\Class UpperFilters value).

More information and the download of this tool can be found at: http://technet.microsoft.com/en-us/sysinternals/bb897578.aspx
Some mail server networking best practices

I was reminded this week about the importance of some best practices when handling the networking portion of a mail server. While a server or Exchange administrator will do a great job handling all of the best practices for configuring the software itself, it is not uncommon for the networking portion to be overlooked. Here is a summary of a couple of networking and firewall related best practices:

  • Your mail server should be NAT’ed to a public IP address different from the one used by your general internet traffic. This ensures that malicious activity on your general internet traffic, an infected PC, or even a guest system does not impact your ability to send email. If a guest laptop on your wireless network has a virus and is sending out spam, it might result in your IP address being blacklisted, and that will cascade onto your mail server. With a public IP address dedicated to your mail server, you can be assured that if you’re blacklisted, it is because of traffic through your mail server and not from another source.
  • Block outbound port 25 from everything except your mail server. In general, the only device that should be sending mail outside of your network is your mail server; if another device needs to send email, such as an MFP or other appliance, it should relay through your mail server rather than sending out directly.
  • If you are using some form of hosted inbound spam or mail filtering, such as MXLogic or Reflexion, you should restrict your inbound port 25 traffic to the filtering service’s source IP addresses, or better yet, consider using an alternate port. If you don’t lock this down, it permits people to bypass your hosted filtering and send spam directly to your mail server.
  • Ensure that your firewall has application-aware protection in place for SMTP traffic. However, if you have an older Cisco PIX firewall and an Exchange mail server, consider turning FIXUP off for SMTP, since there is a long history of documented problems with that combination.
  • Be on the lookout for a mail administrator who assigns a public IP address directly on the mail server, thereby bypassing the firewall or other edge protection. If they really want to dual-home the mail server, have them place it on a DMZ instead.
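As an added example (not from the original post), here is a small Python check that applies the two firewall rules above to constructed firewall connection-log lines: it flags internal hosts other than the mail server opening outbound port 25, and external senders other than the hosted filtering service reaching the mail server directly. The addresses, the log line format and the FILTER_SERVICE range are assumptions made for illustration.

```python
from ipaddress import ip_address, ip_network

# All addresses below are constructed for this example, not taken from the post.
INTERNAL = [ip_network("192.168.0.0/16")]          # your LAN ranges
MAIL_SERVER = ip_address("192.168.10.25")          # the only host that should send SMTP
FILTER_SERVICE = [ip_network("203.0.113.0/24")]    # placeholder: hosted filter's ranges

# Constructed firewall connection log: timestamp, source, destination, dest port.
SAMPLE_LOG = """\
2013-05-01T08:12:44 192.168.10.25 198.51.100.9 25
2013-05-01T08:13:02 192.168.20.77 198.51.100.9 25
2013-05-01T08:13:05 192.168.20.77 198.51.100.10 25
2013-05-01T08:14:10 203.0.113.14 192.168.10.25 25
2013-05-01T08:14:30 198.51.100.200 192.168.10.25 25
2013-05-01T08:15:00 192.168.30.5 198.51.100.9 443
"""

def _in_any(addr, nets):
    return any(addr in net for net in nets)

def find_smtp_violations(log_text, mail_server=MAIL_SERVER,
                         internal=INTERNAL, filter_service=FILTER_SERVICE):
    """Flag port 25 connections the post's firewall rules should have blocked.

    Returns (outbound, inbound): outbound lists (time, src) for internal hosts other
    than the mail server talking SMTP to the outside (a spamming guest or an MFP that
    should relay instead); inbound lists (time, src) for external senders other than
    the filtering service reaching the mail server directly (filter bypass).
    """
    outbound, inbound = [], []
    for line in log_text.splitlines():
        ts, src, dst, dport = line.split()
        if dport != "25":
            continue
        src, dst = ip_address(src), ip_address(dst)
        if _in_any(src, internal) and not _in_any(dst, internal):
            if src != mail_server:
                outbound.append((ts, str(src)))
        elif dst == mail_server and not _in_any(src, internal):
            if not _in_any(src, filter_service):
                inbound.append((ts, str(src)))
    return outbound, inbound

if __name__ == "__main__":
    out, inb = find_smtp_violations(SAMPLE_LOG)
    print("outbound SMTP from non-mail hosts:", sorted({s for _, s in out}))
    print("inbound SMTP bypassing the filter:", sorted({s for _, s in inb}))
```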

Enjoy
Disabled Mailbox is not showing in Disconnected Mailbox Area

In Exchange, when you delete an Active Directory user account, it does not delete their mailbox automatically. Instead it considers the mailbox to be in a “disconnected” state: the mailbox exists but it is no longer associated with an Active Directory user account. There are several reasons why you might want to keep the mailbox around and perhaps eventually reconnect it. Today I was working on a very corrupt user account in AD, but the mailbox itself was fine. I simply deleted the user account from AD (after ensuring proper backups were taken), and then recreated a new user account. Even though the username is the same as the one I just deleted, the two accounts have different GUIDs, so they are, in fact, different users. After creating the AD user account, I went over to the Exchange Management Console and the user’s mailbox was missing from both the Mailbox list and the Disconnected list. The reason is that mailboxes are only moved to the Disconnected list during the mailbox maintenance process. However, you can speed this up.
Launch the Exchange PowerShell and run the following:

Clean-MailboxDatabase

After that is complete, go back to the Disconnected Mailbox list and refresh, and you will find your mailbox.
Enjoy!

DHCP Server Logs

There have been several instances where I have been troubleshooting DHCP issues live, or other cases when I needed to know what computer had a specific IP address in the past. A useful way to find this information is to view the DHCP server logs. The log keeps only the past 7 days, but through backups you can actually go back to any point in time.

The logs are located at C:\Windows\System32\dhcp

The logs are named dhcpsrvlog-mon, dhcpsrvlog-tues, etc. You get the idea. There is also a separate log for DHCPv6 (IPv6) addresses.
Also, along those lines, don’t rely on the DHCP lease active/inactive status shown in the DHCP console. Sometimes a reservation is used for a device that is configured statically, so DHCP will show the lease as inactive while the address is actually in use. Conversely, it might show active even though the device isn’t properly receiving an IP address.
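As an added example (not part of the original post), here is a Python helper that answers the question above, which computer had a given IP address at a given time, by replaying the lease events recorded in a Windows DHCP server audit log. The sample log is constructed, and the MM/DD/YY date layout is assumed from a US-locale server.

```python
import csv
from datetime import datetime
# Event IDs from the legend printed at the top of every Windows DHCP server
# audit log (DhcpSrvLog-<Day>.log): 10/11/20 hand an address to a client,
# 12/16/17/18 take it away again.
LEASE_START = {"10", "11", "20"}
LEASE_END = {"12", "16", "17", "18"}
# Dates as written by a US-locale server (MM/DD/YY); adjust for other locales.
DATE_FORMAT = "%m/%d/%y %H:%M:%S"

# Constructed sample log for this example, not a real capture.
SAMPLE_LOG = """\
Microsoft DHCP Service Activity Log

ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name
00,05/01/13,00:00:03,Started,,,,
10,05/01/13,08:12:44,Assign,192.168.1.50,WS01.corp.local,001122334455,
11,05/01/13,12:30:10,Renew,192.168.1.50,WS01.corp.local,001122334455,
12,05/01/13,17:05:00,Release,192.168.1.50,WS01.corp.local,001122334455,
10,05/01/13,17:20:31,Assign,192.168.1.50,GUEST-LAPTOP.corp.local,AABBCCDDEEFF,
"""

def parse_events(text):
    """Yield (timestamp, event_id, ip, host, mac) for each lease-related row,
    skipping the banner/legend above the 'ID,' header and non-lease events."""
    lines = text.splitlines()
    header = next((i for i, l in enumerate(lines) if l.startswith("ID,")), None)
    if header is None:
        return
    for row in csv.reader(lines[header + 1:]):
        if len(row) < 7 or row[0] not in LEASE_START | LEASE_END:
            continue
        when = datetime.strptime(f"{row[1]} {row[2]}", DATE_FORMAT)
        yield when, row[0], row[4], row[5], row[6]

def who_had_ip(text, ip, when):
    """Return (host, mac) holding `ip` at `when` (datetime or DATE_FORMAT string), or
    None if unleased: the latest lease start at or before `when` wins unless released."""
    if isinstance(when, str):
        when = datetime.strptime(when, DATE_FORMAT)
    holder = None
    for ts, event_id, row_ip, host, mac in sorted(parse_events(text)):
        if row_ip != ip or ts > when:
            continue
        holder = (host, mac) if event_id in LEASE_START else None
    return holder

if __name__ == "__main__":
    print(who_had_ip(SAMPLE_LOG, "192.168.1.50", "05/01/13 13:00:00"))
```

To go back further than the 7 days the server keeps, point the same function at a log file restored from backup.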

Enjoy!

Cisco terminal length 0 and –more–

From time to time I just need to perform a simple dump of a configuration file from a Cisco IOS device, such as a router or switch, for backup or review purposes. However, for switch stacks or complex configurations the configuration file can be long, and when using something like PuTTY to log the terminal/SSH session to a file, you don’t want to have to press a key at every –more– prompt. To avoid this, you can simply enter:
terminal length 0
at the enable (#) prompt. From there you will no longer see page breaks; instead, the entire configuration file scrolls out without pausing. This also avoids the need to go back and find/replace the –more– markers in the dump.

Enjoy!

ca.gov email servers under spam attack
For the past couple of days many ca.gov domains have been under attack with a huge volume of spam. The result is effectively a denial of service against the mail servers, as they are saturated with connection attempts. This has caused many emails to bounce sporadically, because the sending SMTP mail servers are unable to connect to the ca.gov mail servers.

Using an inbound hosted mail filtering service such as Postini or MxLogic can help your organization avoid this problem, because these services host multiple inbound SMTP servers and focus on the stability and reliability of that service, so you don’t have to worry about it.

W32/autorun.worm.aaeb-h Outbreak

I don’t typically post on virus or malware outbreaks because it would consume too much of my time and they are simply created too frequently. For the most part, if you run your network and systems with the concepts of defense in depth and the principle of least access, you should be fine. And as long as you are not running as the local administrator of your workstation you should also be fine… But every once in a while a piece of malware becomes noteworthy…

In this case, W32/autorun.worm.aaeb-h infects both removable media and network shares by copying itself to those locations. Once copied, it modifies the permissions so the executable is hidden. On removable media (think USB flash drives, or even MP3 players), it will modify autorun.inf to auto-run the executable. It will also infect files with common file types such as audio (mp3, wmv, avi) and documents (doc, xls, pdf).

The presence of the following file names may indicate that you have this worm:

  • Secret.exe
  • Sexy.exe
  • Pron.exe
  • Password.exe
  • x.mpeg

Defense:

  • Disable autorun feature
  • Prevent the use of USB media for mission-critical servers
  • Ensure scanning is enabled for removable media

Mitigation:

For more information on McAfee product coverage and mitigation for this threat, see PD24169 – Threat Advisory: W32/Autorun.worm.aaeb

How to Remove a XenServer Slave when it No Longer Exists in the Pool

Citrix article CTX126382 describes how to remove a XenServer slave from a pool; however, it does not completely clean up after the process is complete. While the host will be removed, any storage repositories attached to it, such as DVD and local storage, will be left behind.

To clean these up perform the following:

1) Click on the disconnected storage repository on the console

2) On the general tab, right-click on the UUID and select copy

3) On the pool master console, type: xe sr-forget uuid= and then right-click to paste, which inserts the UUID of the disconnected storage repository

Repeat this process for all disconnected storage repositories, which are typically local storage, DVD, and removable storage.