Archive for August, 2008
Using Shadow Copy to save the day from the beach. (reRun)
Aug 18th
Check out my side of this panicked phone call from the early morning junior admin.
“What do you mean the backup did not run last night?”
“Why exactly wouldn’t the tape drive be plugged into the same UPS as the library?”
“His WHAT was plugged into the ups? His cell phone? Why wouldn’t you move it?”
“Yeah, yeah yeah, Of course I can get your files back I have plan 1-di0-t in place.”
I checked the file server and someone definitely deleted moved or otherwise did something to our main executive share. The deleted files were already mirrored to the raid mirror and via my xcop
y script this morning at 6am.
In about 10 minutes it will be 8am est and shit WILL hit the fan.
Did I mention I am not in the office and in Costa Rica? (business not pleasure kids! I’m building wireless infrastructure. Don’t be jealous.)
So from the beach (OK, you can be a little jealous.) I was able to remote desktop into my file server via my favorite HP 2710p Tablet. (It works in the bright sunny light!) Yup everything was gone and there is no network recycle bin.
So what did I do? How did I fix it quickly?
I restored the whole thing from Shadow Copy in 10 minutes flat.
Check out the steps I used:
I restored the whole thing from Shadow Copy in 10 minutes flat.
Check out the steps I used:
First the server needs to be running 2003 or better.
Next the box needs to have shadow copy enabled on the volume with your files. Capacity is so cheap, that I have it enabled on all my servers volumes backing up 5 times a day.
Now that gives me access to 5 revisions a day going back as long as space permits. You can modify how much space Shadow Copy uses. Remember it is WAY better to be proactive and over prepared
for these times than not at all. It is the difference between easy work and pulling your hair out of your head.
In this instance I opened the share right clicked choose properties and then previous versions.
I saw this:
Each of those dates and times are full folders from the specific time. Apparently my shadow copy attributes have been modified and I only have 2 copies per day… But onward and upward…
I clicked on this mornings earliest backup but the files were not there. Onto yesterdays last backup around 12pm and bingo bango I had my files I dragged the folder back to its place on the volume and was about to call it a day when I decided to find out what happened. Or at least know who did it when and if it happens again in the future.
I enabled auditing and I will show you how when I get back!
Should the junior admin be fired for not correcting the tape drive issue? How about the night admin who’s cell phone was plugged in instead of my tape drive?
Now let me get back to tanning…working! Today’s challenge of the day:
Getting the damn monkeys to stop eating my wires and flucking with the repeaters.
Yes Admins rule the world and can do it from the beach!
_TheEnjoyYourJobAdmiN_
Antivirus software on a voting machine? Diebold you have done it again!
Aug 17th
Damn I love XKCD!
I hope you enjoy this as much as I did. Obviously I am getting a lot of my news from the comics nowadays… I knew DieBold Voting machines have been suspect for a while with all there ease of hacking methods…
But now it looks as if Diebold is blaming issues with their voting machines on poor old Mcafee… If the device was created properly it would not need antivirus software running on it. Hello?
Is this thing on? Maybe I can help you make a more secure OS for your device… It’s called Linux. Look into it.
Did You Know You Can Unlock YOUR User’s XP Workstation?
Aug 16th
So…I’ve always wondered if there was a way to remotely unlock a users workstation. I mean c’mon, who wouldn’t want to sneak up and see what your employees are typing about you in an email, or things they have open and are doing!
Naw really, this really shouldn’t be used in malicious ways. It can be a very useful tool, and for me it was, being in IT it meant I could quickly check up on an employees machine if I needed to find an IP address or if they had something open from the network that someone else needed to get in.
There are a ton of legitimate reasons that this would be useful.
So after hours and hours of scouring the Internet many months ago, I managed to find a tool somehow by a man named Dan Farino. Props go to this guy! He users a process to create a service on the remote machine and inject a DLL into the Winlogon process. Of course you need the administrator password to the machine or the domain. You could use that password to log into the machine directly – but it will log off the current user killing any documents they have opened and in a un-saved state.
I won’t go too much into detail, because most of the overview can be found here. I highly encourage you to read the little that there is behind how this thing works. It’s basically a shell command you run in a command prompt.
The format is: RemoteUnlock.exe computername
Please Note: This only works on XP workstations as far as my testing goes. It’s a no go on Windows 2000, specially anything earlier. Vista I’m unsure about as well.
Also, a fundamental step you must not forget in this process is to relock the workstation after your through with it. You type in that command, do what you need to do on the computer, then you need to hit ENTER. Good Luck!!
A tool to evaluate SQL injection vulnerabilities
Aug 15th
The other night at school we got on the discussion of SQL injection website attacks. I happen to know someone who has a website that has been the victim of multiple SQL injection attacks. This person was getting really fed up with it, and they were finding them selves restoring backups about three times a day due to some script kiddie trying to make name for themselves, and trying to be a 1337 H4x0r.
SQL injection has been around for a while, and isn’t anything new. If you are just climbing out from under your rock, and have never heard of SQL injection here is a good definition of what SQL injection is from Wikipedia:
SQL injection is a technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is in fact an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another.
Well my instructor pointed out a pretty cool free application one can use to test their web page for basic, simple SQL injection attacks to see if they are vulnerable. If they are vulnerable, this application will give them a nice little report telling them how many vulnerabilities a website might have, which pages vulnerabilities have been found on, and what database information is found on the back end.
This application is from HP, and is called Scrawlr. Since it is free, the scans it does, and the attack methods it uses is fairly basic. For a more robust scan, HP has another enterprise product you can pay for. However if you use Scrawlr, and you do find vulnerabilities, that means your site is open to even the most novice of script kiddies, and you will be able to patch up your site to protect against basic attacks.
Do you know of any other SQL injection scanning/evaluating programs? If you do, I would love to play with some so please let me know in the comments.
What happens if I apply Vista-specific Group Policy settings to my XP machines?
Aug 14th
I get this question all the time:
“What happens if I apply Vista-specific settings to my XP machines?”
So, here’s the answer: If you have a “newer” policy setting, and it affects an “older” machine… (in general) NOTHING BAD HAPPENS.
Let’s figure out why.
Let’s take the case of a “newer” policy setting, say, “Remove Games link from Start Menu” which is a Vista-only function. XP doesn’t have a Games link to remove off the Start Menu.
So when you affect an XP machine with a Vista-specific policy setting, the interesting part is … something DOES happen.
But it happens under the hood, and we don’t really see it.
That “something” is that a registry entry gets punched in place which gives the edict to “Remove Games link from Start Menu” to Windows Explorer.
Except XP’s Windows Explorer doesn’t know what to do with this information. So it promptly ignores it.
What about the other direction? Can you take an “older” policy (say, for XP) setting and affect a newer” (Vista) machine?
Usually. Like “Prevent access to the control panel.” Works great since Windows 2000,and then XP and now Vista.
Not all XP policy settings are valid for Vista, however.
Why? Well, Vista shook some items up a bit, and some got lost in the shuffle.
How do you know if a policy setting is valid for a particular operating system? Use the GP Editor Filtering capabilities to determine if a setting is valid for a particular operating system. And also check the Explaintext and what’s known as the “Requirements” settings. You can see the “Requirements” indicator when you click on a policy setting and you’re using the “Extended” view (the default.)
Most policy settings will say something like: “At least Microsoft Windows XP” or “Windows Server 2003 family.”
So it’s not really true that “NOTHING” happens when you create a GPO which contains policy settings for “older” machines. Something does, indeed happen.
Except it’s basically ignored, because that operating system wouldn’t know what to do with the directions it just got.
Stay tuned to more group policy goondess from Jeremey over at GPAnswers.com!
Enable multiple Remote Desktop Connections to your XP or MCE Machine.
Aug 14th
Have you ever remote desktoped (that’s a word isn’t it?) into your home machine and kicked off your significant other? You wind up with her Bloomingdales order form and she winds up mad. She logs back in and kicks you off – fun, fun, fun.
We found a nifty little trick from Golod.com dating back a few years… He found out that by using a XP RC2 termserver.dll file and a little registry know-how you can enable up to 3 concurrent remote desktop sessions to the one machine. This makes it like Windows Server 2000 or 2003.
If you use a Windows Media Center this is gold. As the author goes on to describe when he remoted into his MCE machine the TV output would stop – weak. So this was his work-a-round…
More >
