Shawn's MIIS/ILM Tricks, PKI Hints, and Résumé Writing Prevention Tips : Mistakes

RWPT - What not to do when you're coming home from an onsite visit

shawnrab — Wed, 14 Feb 2007 01:12:00 GMT

I have a great story about my travels I would like to share with you. So I travel for Microsoft, I spend an average of 3 business weeks a month on the road. When you travel a lot one thing I have found that is important is to have a good routine. Here is an example from a few weeks ago where I started a new routine of never using the trunk of a rental car.

So I am walking toward the parking lot of my hotel and I am getting ready to go to my rental car so I can make my flight in 2 hours to go home and see my family. I start using the keyless entry on the keychain to honk the horn of the car so I can find it. I start to hear honking so I pop my trunk open and I walk to my car and put my bags in the trunk and I walk to the door and try to use the key to open the car. The car wouldn't open. I try to push the button on the keys to open the car and it still doesn't open. I finally use the button on the keys to honk the horn and the car next to the one I had locked my bags in the trunk in started honking. Of course neither the hotel or the rental car company could/would/should help me break in to someone else's car. Luckily, I noticed that inside the car of the person who forgot to close the trunk of the identically colored Pontiac G6 that got my bags that the directions to the hotel were in German. I let my friends at the hotel know and they told me that there were frequently German people visiting the hotel as Siemens was across the street. They called Siemens and I guess a pretty loud e-mail was sent to the site. Two hours later a German man with an identical Pontiac G6 rental came out to help. Of course it was not the same Pontiac G6 that my bags were locked in. Luckily for me, he knew another German man who had rented said Pontiac G6. I missed my flight but I had my bags.

I am certainly glad I get to make these mistakes so you guys don't have to. Now, I argue that the whole ordeal is 96% my fault for locking my stuff in someone else's trunk and 4% the other man's fault for leaving his trunk open... Of course my wife was expecting me to be home at 2:00pm so I could be with the kids so she could be at a meeting at 7:00 and my flight didn't arrive until 8:00 so she'll argue that it was 100% my fault for not paying attention. She's probably right.

The best part was sending this in an e-mail to my colleagues and getting their stories back.

This posting is provided "AS IS" with no warranties, and confers no rights.

RWPT - My Day Ruining Maneuver

shawnrab — Thu, 14 Dec 2006 06:15:00 GMT

So here is a nice little tip that is a direct result of sleep deprivation and bad habit.

I was working on some C# code that grabs some log files and wraps them up into a cab file and moves them off to a different location. After that it clears the directory so new logs can be written. In writing the code I figured I would take the liberty of trying to get everything in the folder deleted except for the tool itself.

So in thinking I did this:

---snip---

Directory.Delete(Directory.GetCurrentDirectory(), true);

---end---

Where Directory refers to System.IO.Directory

So I am trucking along, writing some other functionality and I finally compiled the code... I fixed the compilation errors (usually missing semi-colons or curly brackets) and I went to test. I had a test directory C:\testdir\testdata where the tool was to be run in testdir and the data to be put in the cab file was in testdata.

Of course at 2:30am I am not thinking about the code I wrote an hour or two before, nor do I think about running this under the debugger. No I dragged the tool from the debug directory straight into a default command prompt. I was puzzled as the code did not return. So I went and looked at the code, thinking I might have done something wrong. I spent about 10 minutes looking. I figured it was hung somewhere so I looked for any potential hanging points - maybe a for loop where I put a greater than sign where I needed a less than sign or something like that. I went to control + C the running code and I caught a glimpse of my desktop...

Zero icons. Of course I had no browsing history anymore either. No PST's. No documents in the My Documents folder.

My default command prompt centers at %userprofile%... the "true" in the Directory.Delete means "go into all of the sub directories and torch everything."

Luckily I had a fairly recent backup. For the rest I used a third party file recovery tool.

This posting is provided "AS IS" with no warranties, and confers no rights.

BAD TROUBLESHOOTING 101 (part 4 of many): Give EVERYONE the opportunity for a short password!!

shawnrab — Tue, 22 Aug 2006 22:40:00 GMT

OK. Let me get this perfectly straight. I am not going to give you a new way to do your passwords like Robert Hensing (http://blogs.technet.com/robert_hensing/archive/2004/11/12/256648.aspx) or former Microsoftie Jesper Johansson (http://blogs.technet.com/jesper_johansson/archive/2005/10/13/410470.aspx or http://www.microsoft.com/technet/security/secnews/articles/itproviewpoint110104.mspx). I am griping about short password policies. I was asked a question last week, "How do I prove to a customer that a six-character password policy is too short?" It wasn't the question that irked me, it was the thought that people have to actually *ask* that question. Six character passwords are to hackers like opponents are to Tiger Woods with the lead on Sunday at a Major. The red shirt makes it like everyone else starts off with a 4 on their scorecard before they ever hit the course.

The answer is a pretty easy one... Or is it? Password crackers can see passwords with less than 8 characters immediately. OK, so you know immediately that you have a limited character set to work with. At that point you *hope* that you have end users that use longer passwords. Well, what about social engineering? How many end users encorporate one of the following in their password:

Spouse's name?

Spouse's maiden name?

Kids' names?

Parents' names?

Pets' names?

Favorite sports team?

College attended?

Favorite hobby?

Make of vehicle?

Favorite movie?

Most recent movie they liked?

Favorite TV show?

Favorite actor/actress?

Favorite pro/college athlete?

A study was once done (I can't disclose details about it because it names a lot of names) showing that those 14 items would get well over half of passwords if they were included in a dictionary with hybrid capability ("password" could also be interpreted as "P@$$w0rD")

So you could potentially have a middle school student go into the cafeteria and hand out a survey for a "science project" and populate your dictionary file and then use a popular password cracker to run attacks against the shorter passwords and get quick results. Personally, I would be guilty of a few of those, but I am smart about it. I use a larger character set. One of my old passwords was a tribute to one of my favorite athletes "J0hn3lw@yH@ll0fF@m32004".

I wonder how many administrators you would get with the social engineering? I wonder if a middle school student added a 15th question "What is your favorite password?" How many would you get? That is a question for another day. I'd be interested in seeing how many of those you would get.

So I really haven't done anything definitive to prove that 6 character passwords are *that* bad. I have said something about password crackers and social engineering, but what's really the hold up here?

In my days in Product Support Services, I took about a hundred calls from customers who liked blank passwords and their new "0wn3r" liked those blank passwords as well. Can you count on your end user knowing better? Here's what I would like to see. I would like to see a video similar to those you see in an alcohol or drug or smoking or bad driving course. Your lungs will look like "this" when you're 50 if you use short and bad passwords. Seriously though, there needs to be a level of accountability there. Put the fear into the end user. If your password is the one that exposes Colonel Sanders' secret formula, you're fired.

So what are you preventing? The sticky note on the monitor or under the keyboard? A helpdesk call from someone who forgot their 9 character password? How about this? Go and print out 50 flash cards with inanimate objects on them and give everyone a deck of those cards and a roll of tape. Educate them to use something they can easily remember and the flash card to construct their password. So for me, my daughter's name is Georgia and her birthday is 5/26 and if I had a flash card with an apple on it, I could have a password like "Georgia5@^Apple"

That's not too bad, right? You can argue that there is capability of inside attacks at that point, but you can take it a step further. I could have a green apple and a red apple. Or a golden delicious apple. Or have four pictures on the flash card and instruct the user to remember one of them and not use the card again. 50 cards would get about five years of use with a 42 day expiration

I guess the justification is that it may or may not cost more to educate the user than it would cost to have everything 0wn3d. I am certainly glad that in some organizations there are compliance police that enforce these things and even better who are doing away with passwords and moving to two-factor authentication. But for those who still need to use passwords, please - educate your user. If a person can remember a 9-digit phone number, you can find a way for them to remember a 9 character password.

This posting is provided "AS IS" with no warranties, and confers no rights.

RWPT - BAD TROUBLESHOOTING 101 (part 3 of many) Everyone's a local admin!!

shawnrab — Thu, 06 Jul 2006 14:06:00 GMT

OK. gripe time. One of my co-workers was asked by a customer, "Can you prevent a local admin from deselecting File and Printer Sharing?"

Come to find out, everyone in their domain was a local admin.

Here's the problem... I used to get similar questions to that one a lot in that exact scenario. They all have the same answer. You can use a GPO to hide junk, but the local admin can always circumvent those processes.

We're shoving LUA and Least Privilege down your throats and we're still getting these questions.

Here's how I would have responded to that customer today if I knew I wouldn't get fired...

You're an administrator. What are they paying you for? So you made all of your users local administrators so they could install printer drivers or so they could install their favorite cool toolbar which is really spyware. You're essentially delegating your responsibilities to the end user for what? So you don't have to hear them gripe. Nice work. So to prevent 20 phone calls, you increased your attack surface area 80 million percent. You don't have any control over your environment anymore. Sure, you can react now. No more cutting off the problems at the knees. Joe Enduser goes to a website, clicks on a link and gets a virus, block the website. Jill Enduser clicks on a link in an Instant Message and gets a virus, port out Instant Messaging.

How about this? When you were really building your fantasy team or playing World of Warcrack you could have been investigating Software Restriction Policies or actually packaging the drivers for the printer that 20 people who are all in the same OU and pushing that msi down using that SMS Deployment you bragged about in your last review. Now you are bracing yourself for the next virus introduced by those local admins and the 5 days of lost production due to cleanup. The wrong guy is going to get fired. The poor guy you made into a local admin who thought he was getting an IM from his mother who introduced the virus is going to get fired. Not the lazy admin who had three people nag at him because they couldn't download the MP3 software so he made everyone a local admin to "fix" the problem.

Worse than that we actually built a feature into the Windows Vista product that essentially stops everything and asks you if you are "really really sure" if you want to install that malware even if you are local admin. And you can turn THAT off. So please... please... for your sake. If you're going to give Pat Enduser local admin, please don't turn that off. At least that way Pat will have someone who is doing the right thing on his side (not you, dude - the person who wrote that code into Vista).

Do me a favor. Read into LUA.

400 level:

http://blogs.msdn.com/aaron_margosis/

200-300 level:

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/luawinxp.mspx

100 level:

http://www.microsoft.com/technet/security/secnews/articles/lpuseacc.mspx

P.S. Stop being lazy. And don't think Power Users is any better (http://blogs.technet.com/jesper_johansson/archive/2006/03/12/421870.aspx)

BTW, I am not perfect, either. I ran into one of the above Enduser problems once when I didn't know any better. Not going to tell you which one, but I too was lazy. Of course(and luckily), I was a one-machine administrator at the time.

This posting is provided "AS IS" with no warranties, and confers no rights.

RWPT + PKI Hints - BAD TROUBLESHOOTING 101 (part 2 of many) Certification Authorities on a Domain Controller

shawnrab — Tue, 16 May 2006 11:29:00 GMT

I blogged last week on User Profile troubleshooting and that was one of my biggest pet peeves. Now it is time for my BIGGEST pet peeve. I almost feel bad that I am on entry number 4 of this blog and I can't save this one for later, but I need to hopefully spread the word and stop the bleeding.

This really isn't much of a blog entry on troubleshooting, but often times I have seen people stand up a temporary CA to get things like Live Communications Server or Outlook Web Access to work, so I guess technically you could look at it that way. I don't know where it started or who first said it was OK, but I am going to say it now... DO NOT INSTALL AN ENTERPRISE ROOT CA ON A DOMAIN CONTROLLER. This is a bad idea. A really bad idea. First of all, if I was a hacker and I wanted to target a server, I would target a DC. If I was a mean hacker and I wanted to send e-mail that was digitally signed by the CEO saying that everyone is fired, I would be happy to know that the DC I just attacked also had the private key of the root CA on it. That only touches the surface of what you could do if you had the private key. And there would be no means of revocation. Second of all, the biggest dependency of the Certificate Service is the computer name. There are hooks in DCPromo.exe to check to see if the computer is a CA. You would have to backup the CA using the CA snap-in, demote the DC or decommission the DC and move the CA backup to a server with the same name (How to move a certification authority to another server - http://support.microsoft.com/default.aspx?scid=kb;en-us;298138). Now, what if the DC goes down? I hope you have a backup (http://blogs.technet.com/shawnrab/archive/2006/05/10/427905.aspx) because if we go into Directory Services Restore mode, we can't take a backup of the CA's private key. With no backup of the CA, if the computer is toast, so are the certificates you issued.

The Microsoft Best Practice of a three-tier CA with an offline root is the way to go. And with support for Certificate Services on Windows Server 2003 SP1 on Virtual Server 2005 R2, there's really no excuse. If you have an enterprise subordinate CA that issued 100,000 certificates that is compromised, all you have to do is revoke one single certificate to deem the CA and the certificates it issued inoperable. If you add a Hardware Storage Module (HSM) for the private keys, you're in better shape. You'll thank me. Your auditor will thank me. Your CEO will thank me. OK, maybe not - you've likely made any potential problem go away.

Certificate Services and PKI is 95% planning and 5% doing. If you stand up a temporary CA for one or two certificates as a short-term solution, I am *almost* OK with that as long as you come in behind that CA with a full-blown PKI and you don't install the CA on a DC. With the guidance of the Best Practices for Implementing Windows Server 2003 PKI (http://technet2.microsoft.com/WindowsServer/en/Library/091cda67-79ec-481d-8a96-03e0be7374ed1033.mspx?mfr=true) and my two three-tier webcasts (http://support.microsoft.com/default.aspx?kbid=896733 and http://support.microsoft.com/default.aspx?kbid=896737), you could set up a temporary three-tier PKI using Virtual Server 2005 R2 and Windows Server 2003 SP1 and have quick and cheap practice for a full-blown PKI.

You can install a parallel PKI to the temporary PKI and have it work almost independant to the existing PKI. The only thing they will share is the Certificate Templates, which are in the Configuration NC in Active Directory.

Once you are ready to decommission the temporary PKI, you can use a quick command to remove the remnants of the temporary PKI from Active Directory. For a CA with friendly name Temp-CA-1, you can run this command: certutil.exe -dsdel Temp-CA-1

So all in all, just say NO to a CA on a DC.

This posting is provided "AS IS" with no warranties, and confers no rights.

RWPT - BAD TROUBLESHOOTING 101 (part 1 of many) User profile troubleshooting - don't blow them away

shawnrab — Thu, 11 May 2006 05:34:00 GMT

One alarming trend I am seeing on customer sites and I saw when I was in PSS was the common troubleshooting step of blowing away a user profile. An end user calls in to the helpdesk because they are having trouble logging on, whether they receive an error stating that a temporary profile loaded or that it just takes too long. Most helpdesk techs or admins take a nice simple path. They blow away the user profile. STOP IT. This is like having a car that doesn't start, so instead of figuring out the problem you break the glass on the dashboard and move the arrow that is pointing to "E" and glue it to the "F."

There are a few common problems with user profile unloading. The most common is that the user logged off and an application left an open handle into the profile (file or registry) and that handle is not allowing the user to log on. I don't know the case numbers but I would say that this is the problem more than 50% of the time as a conservative estimate (my educated guess would be 99%).

Common event log messages are in the application log coming from UserEnv and have event IDs of 1524/1517 (Windows XP/2003) or 1000 (Windows 2000)

http://support.microsoft.com/?kbid=837115

One of the Escalation Engineers in PSS wrote a tool called User Profile Hive Cleanup or UPHClean to help troubleshoot and often resolve these issues.

http://www.microsoft.com/downloads/details.aspx?familyid=1B286E6D-8912-4E18-B570-42470E2F3582&displaylang=en

Now, let me get to the point. Blowing away the profile is BAD NEWS. The user's private keys are stored there. The user might have data stored in the profile. Renaming it and renaming it back is OK, but if your user is engaging in User Autoenrollment and the certificate template specifies to publish the certificate to the user's account then they get another certificate on their account. User certificates are BY FAR the largest contributor to user-account bloat in Active Directory. Now, you might say, "I checked the checkbox to have the user's certificate not publish to the directory if a duplicate exists." That doesn't do you any good for the new profile. So now you have a chicken-egg scenario. You wouldn't have gotten in the mess in the first place

Also, how many users like to lose their favorites, or IE cache or cookies? OK, that might seem minor, but now think about the CEO losing EFS encrypted data. So you try to rename the profile and you can't because something has it's filthy mitts on ntuser.dat. So you reboot into safe mode as local admin and blow that puppy away. Chances are the reboot may have temporarily mitigated the issue.

You can use UPHClean actively where the service does its best to resolve these issues on the fly OR you can use UPHClean in Reporting mode to have events show up in the event logs - likely the culprit of the issue.

Next time in BAD TROUBLESHOOTING 101 - I will talk about another bad practice I have seen in the field and in PSS... Which one? Whichever one is firing me up that day.

This posting is provided "AS IS" with no warranties, and confers no rights.

RWPT - Don't "Jack" it up, back it up!!!

shawnrab — Wed, 10 May 2006 21:28:00 GMT

I spent almost 4 years in Microsoft Product Support Services. I would take calls and fix problems. One nice thing about PSS is that if you worked the night shift, they would give you a salary differential. Being a younger employee and in need of some extra cash I would field night shift calls. The night shift calls were often really nasty issues and there was one common theme when it came to most customers.

So I am watching my favorite show on Monday night. Being a Premier Field Engineer, I travel a ton and there's one constant rule that I follow. Book your flights and make hotel arrangements around the show "24." Yeah, a DVR is a good idea, but I have too many friends who text message me their reactions as the show happens. I turn the phone off when I am on the West Coast... Watching "24" the night of the show is the only acceptable workaround. I can't go to work the next day without knowing the facts. Anyway, I am watching "24" and the main character Jack finally acquired the evidence that implicates the Fictional President of the United States in all of the days actions. It was a recording of the Fictional President talking to the bad guy. Jack had acquired the recording before in the season and then the bad guy got it back and during the last episode a different bad guy erased it. WHY DIDN'T JACK MAKE A BACKUP??

That bothers me that my fictional hero didn't make a backup. Jack is like the unfortunate many of the customers who would call me at night. There's really no excuse. We provide a tool (ntbackup.exe) to do backups. It's free, or at least it comes free with the purchase of Windows Server. So why aren't you using this shiny toy that comes in the bottom of the cereal box?

So what is the excuse for not having a backup? You didn't have time? You were busy dodging bullets and running from the MAN? Either way, don't get JACKED, make sure the data is BACKED!!

This posting is provided "AS IS" with no warranties, and confers no rights.