Confessions of a Microsoft Consultant : Security

Anti-Virus Software, That's Free!

Daniel Oxley — Tue, 20 Oct 2009 10:27:00 GMT

I am probably the last Microsoft blogger to actually get round to writing something about this… but hey, I have been busy!

Microsoft recently released to the public their free anti-virus solution, Microsoft Security Essentials (MSE). I had been trialling the beta versions for a few months on a Windows 7 computer and I was really pleased with it, so the fact that it has now been released as a final product is great! Bizarrely, it even got the stamp of approval from my Anti-MS brother who told me that it consumes much less CPU and memory on his computer, and he has now gotten rid of his McAfee software completely (even though his paid for subscription has not expired). Of course, then he finished the sentence with the usual “but it is from Microsoft so is bound to be full of security holes” nonsense he actually believes.

The virus signature updates are automatically downloaded via the Windows Update service, so it is important that you have this feature enabled. MSE is available in 32 or 64 bit and will run on Windows XP, Windows Vista and Windows 7, so go get it now! There really is no excuse not to run an antivirus product on all your computers, especially because it is completely free – you just need to have a genuine license of Windows in order to be able to install it… :-)

The download and more information is available here: http://www.microsoft.com/security_essentials/

Safely setting autologon for Windows

Daniel Oxley — Wed, 22 Apr 2009 19:16:57 GMT

When configuring Microsoft Windows to auto-logon, most people just modify the following keys in the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultPassword
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultDomain

However, the problem with doing it that way is that the password for the user account is stored in the registry as unencrypted text, which means that anyone with enough rights to view the registry, be it locally or remotely, can view the password easily and potentially compromise the system. This also applies if the computer was infected with a virus or malware, which could also potentially read the configured auto-logon user credentials and then send them over the internet for future malicious use.

However, if you use the Sysinternals tool AutoLogons to configure the auto-logon then the password string value is stored encrypted in the registry as an LSA secret. Which means that, once the autologon is configured, the unencrypted version of the password used cannot be viewed by anyone/anything at all.

The tool couldn’t be simpler to use, and most importantly, it helps to maintain the security of your systems.

Windows Server 2008 doesn’t have to ignore the MBSA if you don’t want it to

Daniel Oxley — Mon, 20 Apr 2009 10:28:52 GMT

The Microsoft Baseline Security Analyser (MBSA) is an excellent free tool by Microsoft that provides a simple and easy-to-use method of identifying common security misconfigurations for your Microsoft Windows computers. The current version (MBSA 2.1) runs on Windows Server 2008, Windows Vista, Windows Server 2003, Windows XP and Windows 2000 and will scan all systems, most installed Windows components, and applications such as Internet Information Server (IIS) 5.0, 6.0 and 7.0, SQL Server 7.0, 2000 and 2005, Internet Explorer (IE) 5.01 and later, and Office 2000, 2002 and 2003.

A problem you might come up against however is that Windows Server 2008 computers by default have all the security settings turned on. Consequently, when you try to scan them, you see the below error appear in the MBSA console “Could not resolve the computer name: Please specify computername.”:

This is nothing to worry about and can be quickly remedied by enabling (only temporarily if necessary) the file sharing feature. To do this, just open the Network and Sharing Centre and select the radio button as displayed in the image below.

Once enabled, you can restart the scan and all should work correctly. So start checking your security right now by downloading the tool here: http://www.microsoft.com/downloads/details.aspx?familyid=F32921AF-9DBE-4DCE-889E-ECF997EB18E9&displaylang=en

I recommend that you read the Frequently Asked Questions page as there is some important information there, particularly if you wish to scan computers that don’t have internet connections (or connections that are perhaps restricted by a proxy server). The MBSA needs to download the latest security catalogue from Microsoft over the internet, but if the computer does not have internet access then the process will fail. In the FAQ are the instructions required in order to manually download the files from a different machine that does have internet access in order to manually update the catalogue on the computer running the MBSA.

Job/Life/Reputation protector 2.0

Daniel Oxley — Mon, 10 Nov 2008 14:58:00 GMT

Back in January I posted some simple VBA code for adding an “are you sure?” type question to the Reply To All button in Outlook. Since then I have received a few suggestions for improving the code, one of the most common of which was to add to the question box the list of names that the mail will be sent to. So, as requested, you can find below the updated code!

Just place this code in a module in Outlook (you can get to the VBA editor by pressing ALT+F11) and then assign it a button on the toolbar:

Sub ReplyToAllGuard()

    On Error GoTo ReplyAllErr
    Dim myOlApp As Outlook.Application
    Dim myFolder As Outlook.MAPIFolder
    Dim myItem As Outlook.MailItem
    Dim ReplyMail As Outlook.MailItem
    Dim i As Integer

    Set myOlApp = Application
    Set myFolder = myOlApp.ActiveExplorer.CurrentFolder

    iCount = myOlApp.ActiveExplorer.Selection.Count

    For i = 1 To iCount

        Set myItem = myOlApp.ActiveExplorer.Selection.Item(1)
        Set ReplyMail = myItem.ReplyAll

    Next i

    Dim mymsg As String
    Dim strRecipients As String
    Dim ReplyQ As Integer

    For Each strRec In ReplyMail.Recipients

        strRecipients = strRecipients & strRec & Chr(13)

    Next

    mymsg = "You just clicked Reply to All. Are you sure that this is what you want to do? The following recipients will receive this mail:" & _
            Chr(13) & Chr(13) & strRecipients

    ReplyQ = MsgBox(mymsg, vbYesNo, "Job/Life/Reputation protector")

    If ReplyQ = vbNo Then

        Set ReplyMail = Nothing
        Exit Sub

    Else

        myItem.UnRead = False
        ReplyMail.Display

    End If

ReplyAllErr:

    If Err.Number = -2147467259 Then

        MsgBox "The sender has prevented you from being able to reply to all recipients.", vbOKOnly, "Job/Life/Reputation protector"

    End If

    Exit Sub

End Sub

I also made one another change to the code in order to prevent receiving the error “A program is trying to access e-mail address information stored in Outlook”. This error is generated because Outlook has detected a possible security risk because some ‘unknown’ VBA code is trying to harvest the e-mail addresses from an e-mail; in this case though, we actually want it to!

Basically, instead of initiating a new Outlook session in memory, the code now reuses the existing instance of Outlook, thereby not generating a security problem as the message box is suggesting.

Edit: I amended the code to fix an oversight by me where the code did not clean up after itself! Also, the mail now marks itself as read after you reply - Thanks JP for pointing it out.

In the immortal words of Homer, "Doh!"

Daniel Oxley — Wed, 30 Jan 2008 17:41:00 GMT

I use Bitlocker on my work laptop to ensure that all my data is safe as I would not want any corporate or client documents to fall into the wrong hands. Also, as most people do, I store some personal data on my work laptop. Nothing exciting really, just things like payslips and the odd photo of my family; things like that. To keep these files doubly safe, and away from any prying eyes, I encrypt them again with EFS. I guess you could call this "belt and braces" because there really is no need to do it (although my father would be proud of me for being so well prepared! (Hi Dad)). EFS is nice and easy, and is invisible to me as far as the encrypting and decrypting process works because I do not have to do anything to read/edit the files; Windows Vista takes care of everything.

Well, the other day I decided to switch my desktop OS of Windows Vista Ultimate 32bit for the latest build of Windows Server 2008 64bit because I had a 64bit CPU that was being wasted and also I wanted to use the excellent Hyper-V of Windows Server 2008. I meticulously copied all of my files onto my USB hard drive in preparation for the install then I ran the script a couple of times just to make sure everything was copied over. Then I verified that everything was there by hand in case my script had done something dodgy. Great, all backed up, time to format the drive... (I am sure that some people will see where this post is going). Upon getting back into Windows, I started a copy of all my files back into the My Documents folder, only to see the following error appear towards the end of the copy:

Hmmm, must be something up with the NTFS permissions; I'll hit the Continue button to fix it. Then:

"Try Again". "Try Again". "Try Again". "Try Again". "Try Again". "Try Again". "Try Again". "TRY AGAIN". AAAARRRRRGGGGGGHHHHH!!!!! I DIDN'T BACK UP MY EFS KEYS, NOOOOOOOOOO!!!!!

There really is no point crossing fingers here hoping it will suddenly work. Nor will praying, or asking Bletchley Park for help, make it any better; if you don't back up your private key before wiping your hard drive then your encrypted files are lost forever. And, because I had used Bitlocker to previously encrypt the drive there was no point even bothering to try and recover deleted files from the partition, as there would not be any. Sigh, that's it then. I might as well delete those encrypted files on my drive as they just taunt me every time I see them there. Up to this point I had experienced various emotions, each one worse than the previous one. Rather than try to describe them here I think it is easier to use emoticons as visually it is much clearer:

Once I had calmed down a little and accepted the fact that it was all gone I did the following to make sure that this never happens to me again. So go do it yourself, NOW! Don't learn the hard way like me as it is not very friendly on the blood pressure.

Open Control Panel and choose User Accounts. Then click on the link circled in the image below:

Run through the wizard and back up your key(s) to a secure location.

That is all there is to it, nothing else. Then, if one day you need to recover an encrypted file, you can just import your backed up key files into the new computer and you'll have access again to the encrypted data. When my brother Steve reads this he'll probably send me a Nelson (from the Simpsons) "Ha-Ha" email. Steve, no need as I am already feeling gutted for doing it in the first place.