December 2008 - Posts

Microsoft Press is celebrating its 25th birthday and giving away a free ebook to everyone.

A great way to start the new year!

http://csna01.libredigital.com/?urws8un4p7


For those of you using Backup Exec it might be worth noting that when you try to re-catalog old tapes written by version 9 on a version 12 system, the catalog job runs fine, but when you then try to restore data from the tapes you get an error telling you that you must first catalog the tape.

The only way I have found so far to restore these older tapes is to install Veritas Backup Exec 9 on a spare system and catalog/restore from that machine. I'll be looking in more detail on the Symantec website to see if there is a fix or update, but there does not seem to be one.

Check out the three-part "NPS - Wireshark Quickstart" session series from Network Protocol Specialists:

http://new.networkprotocolspecialists.com/wsquickstart_1

http://new.networkprotocolspecialists.com/wsquickstart_2

http://new.networkprotocolspecialists.com/wsquickstart_3

This weekend we had a great IT-Talks event on domain controllers and security. During the event one of the attendees, Johan Goddyn, brought an interesting Windows feature to my attention: there has been an easy, half-hidden way to get a cmd prompt during Windows setup ever since the early NT days.

Press SHIFT + F10 during any part of setup and you instantly get a cmd prompt. As you are in a PE environment you could very well plug in a USB stick full of your favorite tools. That prompt runs as SYSTEM with the local disks mounted, which is one more reason to control the boot order and encrypt the disk on any machine whose physical access you cannot guarantee.


In a previous post I showed you the different profiles and the basic setup you do when starting to use the Windows Firewall with Advanced Security in Vista for the first time. However, when you use that configuration you will notice your system loses domain connectivity.

For the system to detect your domain and shift from the Public/Private profile to the Domain profile, Network Location Awareness (NLA) has to reach a domain controller over a number of protocols. If those are blocked, the client never sees its domain controllers and therefore never switches to the Domain profile. Keep in mind that the detection happens while the client is still in the Public or Private profile, so the rules that open these protocols must apply to those profiles as well, not only to Domain.

What you need for network detection:

NLA requires the default protocols of a DC to be reachable:

  • TCP 135 => RPC connectivity
  • TCP 445/139  | UDP 138/137 => file share connectivity
  • UDP 53 => DNS
  • TCP 389 | UDP 389 => LDAP

When configuring the rules, don't forget we are looking at destination (remote) ports, not source ports.

In my setup I limited connectivity to the domain controllers as the only allowed destination, to lock down the environment as much as possible.
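The same rules as a script, as an added example that is not part of the original post: it creates the outbound rules from the list above with netsh advfirewall (the only firewall CLI Vista/2008 ships), restricted to the domain controllers as destination, and applied to every profile because the client is still in Public or Private at the moment NLA tries to find a DC. The DC addresses and rule names are assumptions; replace them with your own.

```powershell
# Added example, not from the original post.
# Outbound rules that let NLA reach the domain controllers when the
# Private/Public profiles block outbound traffic by default.
# Assumptions: the DC addresses and the rule names below are placeholders.
# Run from an elevated prompt on the test client.

$dcs = "10.0.0.10,10.0.0.11"   # assumed domain controller addresses; replace with yours

# Destination ports NLA needs on a DC: RPC endpoint mapper, SMB/NetBIOS, DNS, LDAP
$rules = @(
    @{ Name = "NLA RPC endpoint mapper out"; Proto = "TCP"; Port = "135" },
    @{ Name = "NLA SMB out";                 Proto = "TCP"; Port = "445" },
    @{ Name = "NLA NetBIOS session out";     Proto = "TCP"; Port = "139" },
    @{ Name = "NLA NetBIOS name out";        Proto = "UDP"; Port = "137" },
    @{ Name = "NLA NetBIOS datagram out";    Proto = "UDP"; Port = "138" },
    @{ Name = "NLA DNS out";                 Proto = "UDP"; Port = "53"  },
    @{ Name = "NLA LDAP TCP out";            Proto = "TCP"; Port = "389" },
    @{ Name = "NLA LDAP UDP out";            Proto = "UDP"; Port = "389" }
)

foreach ($r in $rules) {
    # remoteport is the destination port on the DC, remoteip limits the rule to the DCs.
    # profile=any: the rule must already be active while the client still believes it is
    # on a public network, otherwise the switch to the Domain profile never happens.
    # Arguments containing commas or spaces are quoted so PowerShell passes them whole.
    netsh advfirewall firewall add rule "name=$($r.Name)" dir=out action=allow `
        "protocol=$($r.Proto)" "remoteport=$($r.Port)" "remoteip=$dcs" profile=any
}

# Check: after reconnecting, the active profile should be reported as the Domain profile.
netsh advfirewall show currentprofile
```

If the client stays in Public after a reconnect, enable logging of dropped connections (see the logging section below) and look for drops towards the DC addresses on exactly these ports; that tells you which rule is missing in the profile the client is actually using.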

With Windows Vista and Windows Server 2008 comes the new Windows Firewall with Advanced Security. This fully featured inbound/outbound firewall is a great security enhancement for any environment, but the real power comes when you start managing it through GPOs.

In this post I would like to show you how you can leverage the new firewall to secure your clients, and how to use Wireshark to figure out exactly what to enable. For this demo we'll allow incoming ICMP ping only, so you can fully see how precise the Windows firewall can be.

1. Default behaviour:

The first thing to do is define the default behaviour of the firewall; as with any firewall, that is where you start. The main thing to remember is that the Advanced firewall has three profiles, and these map back to the Vista network locations.

(*) In the network location dialog, pay special attention to the little shields. Only Public has no shield, meaning it is the only location non-admins can select.

Below you can see my default setup per profile:

Domain

Your system will work perfectly on the domain, but you will not be able to reach your client from management stations, etc.

Private

Your client is totally locked down and does nothing on the network. This is the most secure setup but might not meet your business requirements. I would typically enable a number of default applications I trust in this configuration.

Public

The same total lockdown as Private. I would typically only enable DHCP, HTTP(S) and DNS outbound in this configuration.

2. Customize settings

The main rule of thumb is that you never merge the local rules with your GPO rules unless you have a really good reason. My opinion is that you want to manage all firewall settings centrally. Don't try to mix central and decentralized management; it only makes things more difficult, and merged local rules let a local admin (or anything running as one) punch holes that your GPO never shows.

Domain

Note that we allow unicast responses to multicast and broadcast traffic here, to ensure maximum functionality.

In my opinion the domain profile is so well managed that there is no need to bother users with notifications.

Private

Note that even though unicast responses are blocked, the Windows Firewall with Advanced Security still allows DHCP replies.

As this is not a fully managed network, you might want to notify users when a program gets blocked.

Public

Note that even though unicast responses are blocked, the Windows Firewall with Advanced Security still allows DHCP replies.

As this is a complete lockdown the default behaviour is fine, and you don't want users calling you to say they got a block message; you know, you blocked everything.

3. Configure logging:

The third thing to do when configuring the firewall is to ensure good logging. Depending on how sensitive you consider the Windows firewall logs, you will want tighter or looser permissions on the directory you log to. You can use GPOs to set the permissions on the default logging directory and give support desk staff, users, etc. access to the log.

(*) Depending on how long you want to keep logs, consider raising the size limit, certainly if you do as I do and log both success and failure.

4. Opening up the lockdown:

With the settings above you have created an environment that is pretty well locked down. Of course you will now want to start opening up some apps, ports, etc. to enable functionality. As you can see in the wizard, MS has already helped you a great deal by providing a long list of predefined programs. We'll use Wireshark to do some investigation of our own and figure out exactly what to open. You can repeat these steps for other protocols and apps.

a) Start a default capture and apply an ICMP display filter.

b) Inspect the OSI layer 3 (IP header) info. What we can see here is:

Version 4 => we are using IPv4

Protocol ICMP (1) => we are not using UDP or TCP but the ICMP protocol

c) Inspect the packet data

For normal TCP/UDP traffic you would not use this field; you would use the layer 4 info (the ports), as the Windows firewall is still not as advanced as MS ISA and has no application-layer capabilities.

For ICMP, however, we can leverage this info to lock ICMP down to incoming ping requests only. For this you need to note down:

Type = 8

Code = 0 (echo request)

d) Create the rule

As ICMP is answered by the TCP/IP stack itself, there is no way to specify the program that may accept these connections. If there were, and you don't know which program is responding, you can always use MS Netmon, TCPView or Process Monitor to trace the application.

From our trace we know we were looking at ICMPv4 traffic.

There is a predefined entry for echo request, but because we cannot check exactly what MS configures when you select it, we create a new type by filling in the type and code values at the bottom and hitting Add.

Continue opening protocols, ports and programs in your setup until you have the secure setup you require.
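Steps 1 to 4 above as one script, added here as an example and not part of the original post: it sets the per-profile defaults, disables merging of local rules, turns on logging of both allowed and dropped connections, and adds the single inbound ICMPv4 echo request rule (type 8, code 0, the values read from the Wireshark trace; the display filter `icmp.type == 8 && icmp.code == 0` shows only those packets). It uses netsh advfirewall, so it runs on Vista/2008 from an elevated prompt or as a GPO startup script. The rule names, the 16 MB log size and the management subnet 10.0.10.0/24 are assumptions.

```powershell
# Added example, not from the original post: the four firewall steps as netsh commands.
# Assumptions: rule names, log size and the management subnet below are placeholders.

# 1. Default behaviour per profile (the profiles map to the Vista network locations)
netsh advfirewall set domainprofile  state on
netsh advfirewall set domainprofile  firewallpolicy "blockinbound,allowoutbound"
netsh advfirewall set privateprofile state on
netsh advfirewall set privateprofile firewallpolicy "blockinbound,blockoutbound"
netsh advfirewall set publicprofile  state on
netsh advfirewall set publicprofile  firewallpolicy "blockinbound,blockoutbound"

# 2. Customize: manage centrally, never merge local rules with the GPO rules
netsh advfirewall set allprofiles    settings localfirewallrules disable
netsh advfirewall set allprofiles    settings localconsecrules disable
# unicast response to multicast/broadcast: allowed on Domain only
netsh advfirewall set domainprofile  settings unicastresponsetomulticast enable
netsh advfirewall set privateprofile settings unicastresponsetomulticast disable
netsh advfirewall set publicprofile  settings unicastresponsetomulticast disable
# block notifications: off for the managed Domain and the fully locked Public profile
netsh advfirewall set domainprofile  settings inboundusernotification disable
netsh advfirewall set privateprofile settings inboundusernotification enable
netsh advfirewall set publicprofile  settings inboundusernotification disable

# 3. Logging: success and failure, with a larger file (maxfilesize is in KB)
$log = "$env:SystemRoot\system32\LogFiles\Firewall\pfirewall.log"
netsh advfirewall set allprofiles logging filename $log
netsh advfirewall set allprofiles logging maxfilesize 16384
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging allowedconnections enable

# 4. Open up: inbound ICMPv4 echo request only (type 8, code 0 from the trace),
#    and only from the assumed management subnet, in the Domain profile.
#    Arguments containing commas or spaces are quoted so PowerShell passes them whole.
$mgmt = "10.0.10.0/24"
netsh advfirewall firewall add rule "name=Allow ICMPv4 echo request from management" `
    dir=in action=allow "protocol=icmpv4:8,0" "remoteip=$mgmt" profile=domain

# Check the resulting rule and the active profile
netsh advfirewall firewall show rule "name=Allow ICMPv4 echo request from management"
netsh advfirewall show currentprofile
```

A ping from an address outside 10.0.10.0/24, or an ICMP type other than 8, should now show up as a DROP line in pfirewall.log, while a ping from the management subnet is answered; that is the same check you would make in Wireshark with the filter above, only now from the firewall's own log.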

---------------------

 

Here is a trace example of an RDP session in MS Netmon, showing how you can see which application is having the conversation.