Stuff n Things

Yep I write about Stuff.. and Things

Stuff n Things

Posts
  • Restricted Admin mode for RDP in Windows 8.1 / 2012 R2

    So we released some information a couple of weeks ago on the upcoming OS releases that mentioned various security features that will be built into the new operating system. Specifically one that was mentioned at a briefing at Blackhat was a Restricted...
  • Automatically refreshing EMET GPO’s

    If' you’ve tried configuring EMET via GPO’s you’ve probably come to realize that while the GPO’s may process normally and change registry keys locally on the system it does not actually affect the running configuration of EMET.   From the...
  • Configuring EMET via GPO/GPP w/o using the ADMX files

    [UPDATE 7/23/2014] I've create a wiki page at http://social.technet.microsoft.com/wiki/contents/articles/25585.emet-gpo-gpp-using-task-scheduler-to-import-emet-settings.aspx that condenses these steps and adds a few new items and is open to collaborative...
  • Automating WSUS Cleanup

    By default WSUS does not clean up anything in an automated manner.  This is not normally too much of an issue for a system with plenty of drive space and a system that does not do definitions.  However with FCS thrown into the environment WSUS...
  • Setting EMET Local Configuration via GPP

    Our PG released EMET 5.0 yeah and it works pretty well and has some cool new functionality such as actually blocking on pin rules and the new ASR feature which I feel is very cool too. A big fix was the fact that there is a service now and that service...
  • Troubleshooting an EMET Mitigation Application Crash

      In the process of deploying and piloting EMET there is a definite possibility that a legitimate application will not function properly with EMET. Lets try to set some expectations here there are basically 2 things you can do when this occurs: Work...
  • Using Logparser + Eventcomb to find malware

    During the course of these Conficker / Downadup issues we typically see cases that started because accounts are getting locked out.  I pause briefly here to point out that account lockouts are the work of the devil and are a sorry excuse for most...
  • FCS Intervals

    So you've seen the following options with your FCS settings and are wondering how do these work??? Malware Scanning "Run a Quick Scan at set interval (hours):" Security state assessment "Scan at set interval (hours):" Malware Definition...
  • FCS Database Sizing

    One common issue we seem to be seeing in FCS support is that the DTS job that transfers data from the Onepoint database to the SystemCenterReporting database begins failing. While there could be many reasons for this job failing including permissions...
  • Xpath Event Log Filtering

    So I’ve been working on some stuff lately with Event Log Forwarding and Auditing in general and have come to realize the goodness of using Xpath filtering… you know that “XML” tab you never look at when filtering your event logs There are other great...
  • Dealing with malware that creates .exe’s on file shares

    So lately we keep seeing variants of malware that modifies content on file servers in an environment in hopes of spreading to other users.  My guess is that it is just using mapped drive letters thinking they are USB keys but the effects is the same...
  • Determining the cause of FCS client performance issues

    Realistically this process should work for other AV clients as well but I’m doing it in the context of the one I support.  Although it isn’t extremely common we do run into scenarios where customer has issues with the FCS client taking up large amounts...
  • Malware Win32/Conficker.B W32.Downadup.B

    So for the past 2 weeks now we are absolutely getting hammered with calls in CSS Security here at MS with organizations contracting this piece of malware. You can find write-ups from various AV companies at the following URL’s http://www.ca.com...
  • How to add extra scheduled scans or definition updates for FCS

    The default option for scheduled scans in FCS is kind of sparse currently and it's something we get requests about so I'm posting a possible workaround to get more scheduled scans. Below is the shot of the FCS policy setting.. you can either pick "every...
  • Managing IE Sites for EMET with ASR (Attack Surface Reduction)

      If you haven’t started testing EMET 5.0 please consider doing so especially if you are charged with piloting the product for your organization as this version is the latest and has more fixes and protections than are available in the 4.x platform...
  • Testing the ASR feature for Office documents in EMET 5.0

    Had a customer recently ask me how to test the ASR feature for EMET 5.0 so figured I would write this up to help others as well. Keep in mind there are 2 different sets of programs that utilize ASR one is IE and the other is Office programs or more specifically...
  • Managing Trusted Sites via Policy for EMET ASR

    Part of the new functionality of EMET allows you to block or allow plugins in IE based on the zone that a web site is located in. The default example is the java plugin is blocked on the “Internet” zone but allowed on the “Intranet”...
  • WSUS FCS Definitions

    This is a follow up post to my previous FCS definitions post.  The first one focused on the mpam-fe files and what is contained that you can find on the security portal at www.microsoft.com/security/portal .  This one instead focuses on what...
  • How-to: Removal of Conficker in your FCS environment

    Another Conficker post :) however this one is aimed at our FCS customers. It semi-applies to other customers however other AV vendors operated differently with regards to updates etc so this won’t necessarily be applicable to all. So today is Patch...
  • Understanding FCS Definitions

    A fairly frequent question we get is how do FCS definitions work. How do I find just the delta’s for the month etc. You can always manually download the latest definitions from http://www.microsoft.com/security/portal with the links on the right. This...
  • More on File Shares and Autorun.inf with regards to malware

    So in my last post I mentioned the fact that Conficker/Downad whatever can also have a component that will spread through file shares that allow everyone to write at the root level of the file share. So a typical autorun.inf looks something like this...
  • Some Interesting FCS SQL Queries

    With a recent case I have an issue where the client count of managed computers in MOM admin console was quite different then that in the FCS console so I was trying to find out exactly which computers were not in FCS so I could troubleshoot some of those...
  • FCS .adm settings

    I’m not really advocating using this and I can’t take credit for this as it was posted on the FCS forums by a “ lofty10 ”. However I do know that many people are looking for something like this to manage FCS clients that do not have an FCS server infrastructure...
  • Logparsing FCS to find files that were infected

    Working an interesting case at the moment where we have multiple files across servers that were infected and we are needing to generate a list of all the files that were infected on each server. So the first thing to realize is that the 1006 and 3004...
  • Another WSUS Cleanup Script

    Just noticed this as I was looking for a solution for a different WSUS problem and thought I would share this here as well.  http://gallery.technet.microsoft.com/ScriptCenter/en-us/90ca6976-d441-4a10-89b0-30a7103d55db Apparently a “Thomas Schlacter...