Blog

I recently needed to recover a long-forgotten WPA encryption key from a friend's Windows XP laptop. Unfortunately the wireless router password and the ISP credentials were MIA as well, so changing the key or resetting the router were not options. After some searching I found WirelessKeyView from Nirsoft (http://nirsoft.net/utils/wireless_key.html). This is a simple EXE download that displays the WEP or WPA key for all networks stored on the laptop. On Windows XP it can only retrieve the 64-digit hex key, because XP doesn't save the key in clear text; the hex key works fine when joining the network, though. On Windows Vista and Windows 7 it will retrieve the key in ASCII.



Recently, I was pushing out an upgrade to Symantec Endpoint Protection (SEP) when I came across an issue with a machine that caused the upgrade to fail, though I don’t believe it was caused by the upgrade itself. Basically, the older version of SEP didn’t quite uninstall completely and the new version of SEP didn’t quite install completely. There was just enough stuff broken in SEP so that it was effectively useless. Virus definitions were not downloading and active scan was simply not functioning. The easiest way to resolve this problem, naturally, is to uninstall both versions and reinstall.

Unfortunately, the uninstall failed with a "fatal error". At this point, I could have gone to CleanWipe and had it remove SEP completely for me, but I've had instances where CleanWipe doesn't get rid of all the registry keys and a new install then fails. Below are two links to the manual uninstall documents for SEP.

http://www.symantec.com/business/support/index?page=content&id=TECH102261 – How to manually uninstall Symantec Endpoint Protection client from Windows 2000, XP and 2003, 32-bit Editions

http://www.symantec.com/business/support/index?page=content&id=TECH102286 – How to manually uninstall Symantec Endpoint Protection client from Windows Vista, Windows 7, and Windows 2008 32-bit

It’s a long document, but it will effectively let you remove all traces of SEP from your PC.



I was working on updating servers when I came across a SQL Server 2005 SP4 patch that failed to install. I was able to locate the installation logs in the SQL Server folder. The reason for the failure was that setup could not add the user NT AUTHORITY\SYSTEM to a local group that happened to be a domain group. I wasn't sure whether this server used to be a domain controller, but that can affect SQL Server installations, as described in http://support.microsoft.com/kb/925976.

I started combing through the registry under the Microsoft SQL Server path listed in the above KB article to see if I could spot any of the keys. Inside HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.3\Setup, I saw a registry value named SQLGroup holding a SID that belonged to the domain group listed in the SQL install log. You can find out what account a SID maps to with the PsGetSid tool from Sysinternals.

I then decided to look up the SID for the local Administrators group using the PsGetSid utility, and then I changed the SQLGroup key data to the SID of the Builtin\Administrators group.  I restarted the SQL services to make sure they could restart after the change.

This time, the install worked and the log was clean.  I did see that NT Authority\System shows up in the local Administrators group on the server.
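As an added example (not part of the original post), the following PowerShell reads the SQLGroup value described above and resolves the SID it holds, so you can confirm it points at a stale domain group before editing it by hand. It assumes the MSSQL.3 instance path from the post; the well-known SID S-1-5-32-544 is BUILTIN\Administrators.

```powershell
# Added example, not the post's own code. Reads the SQLGroup value and resolves
# the SID so the admin can see whether it still maps to a (possibly vanished)
# domain group before changing it. Assumes the MSSQL.3 instance from the post.
$SetupKey        = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.3\Setup'
$BuiltinAdminsSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

function Resolve-Sid {
    param([string]$Sid)
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        return $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        # An unresolvable SID usually means the group no longer exists or this
        # server can no longer reach the domain that defined it.
        return $null
    }
}

$current = (Get-ItemProperty -Path $SetupKey -Name SQLGroup).SQLGroup
$account = Resolve-Sid $current
if ($account) {
    Write-Host "SQLGroup = $current ($account)"
} else {
    Write-Host "SQLGroup = $current (cannot be resolved on this machine)"
}

# The post changed the value to the BUILTIN\Administrators SID. Do this
# deliberately: it widens the set of accounts setup treats as the SQL group.
if ($current -ne $BuiltinAdminsSid) {
    Write-Host "SQLGroup is not BUILTIN\Administrators ($BuiltinAdminsSid)."
    Write-Host "To apply the change described in the post, run:"
    Write-Host "  Set-ItemProperty -Path '$SetupKey' -Name SQLGroup -Value '$BuiltinAdminsSid'"
}
```

Restart the SQL services after changing the value, as the post does, to confirm they still start.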



I had been working with a customer to move all their file shares to a new server and implement Distributed File System (DFS). All looked to be working as it should, except that one user's My Documents was still pointing to the old file share. It was also taking approximately 7-8 minutes for her to log in. I ran the Group Policy Results wizard against the terminal server she was accessing and her user account. I verified that group policy was applying to her account but that it was failing to apply folder redirection. I made sure no other users were having the same issue.

I started reviewing the Group Policy events and found the error that was preventing her user documents from being redirected. I opened the path shown in the error message and found a Word document named "A Hot Site is defined as a fully operational offsite data processing facility equipped with both hardware and system software to be used in the event of a disaster or for disaster rec.doc". I copied the file to another location and removed it from the path. I then attempted to connect as the user; the login process completed quickly and the My Documents redirection was working as it should. I renamed the file and placed it back in the user's My Documents.
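The post does not state the exact length that broke redirection, but a very long document name is the obvious suspect. As an added example (not the post's own code), this PowerShell function lists files under a redirected folder whose full path is at or near the classic 260-character Windows MAX_PATH limit; the limit, margin and share path are assumptions.

```powershell
# Added example, not from the original post. Reports files whose full path is
# close to or over MAX_PATH so they can be renamed before they break folder
# redirection. The 260-character limit and 30-character margin are assumptions.
function Find-LongPath {
    param(
        [Parameter(Mandatory)][string]$Root,   # the user's redirected folder
        [int]$Limit  = 260,                    # Windows MAX_PATH
        [int]$Margin = 30                      # also flag paths close to the limit
    )
    # -Force includes hidden files; errors (e.g. paths already too long for
    # the provider to enumerate on older Windows) are suppressed, not hidden
    # from the operator, because they show up as missing entries in the report.
    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $len = $_.FullName.Length
            if ($len -ge ($Limit - $Margin)) {
                [pscustomobject]@{
                    Length = $len
                    Over   = ($len -ge $Limit)
                    Name   = $_.Name
                    Path   = $_.FullName
                }
            }
        } | Sort-Object Length -Descending
}

# Hypothetical share and user name; substitute the real redirected path.
Find-LongPath -Root '\\fileserver\users$\jdoe\My Documents' | Format-Table Length, Over, Name -AutoSize
```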



I wanted to add a Favorite to Windows 7 Explorer. I didn't see an obvious way to do it. I expected to find an "Add to Favorites" or "Send to Favorites" menu option, but neither is available. Then, by accident, I found a simple drag-and-drop method.

  • Navigate to the folder you want to add to the Favorites and then click and drag the icon in the Address bar down to the Favorites heading. If you release the icon in the Favorites listing, a new shortcut will be created.
  • To delete a Favorite, right click on the shortcut and then select [Remove] from the popup menu.

Here is a screen shot demonstrating this:



Newer machines have a replacement for the traditional BIOS called UEFI. You can use GPT (GUID Partition Table, the replacement for the MBR, Master Boot Record) independently of UEFI, but both are part of the same technology advance intended to replace the MBR and BIOS. UEFI is required only if you have a disk larger than 2T. UEFI provides a power-on shell similar to the BIOS power-on shell but with more options.

An advantage of UEFI is boot time. The boot time on my laptop is consistently under 30 seconds from power on to logon. However, that's without whole disk encryption set up.

Additional information can be found at: http://en.wikipedia.org/wiki/UEFI



When enabling whole disk encryption, be sure to save the recovery key somewhere other than the laptop itself. I recently upgraded to Mac OS X 10.7 (aka "Lion") and enabled the new whole disk encryption feature, which is now part of FileVault. Before encryption begins it shows you the recovery key, but it's up to you to save it offline (there is no USB flash drive option). Thankfully I did this, because when I rebooted it prompted me for local admin credentials which of course I had changed and didn't remember. Without the recovery key saved on my home network I would have been in big trouble.



I recently had a task to help a user save their BitLocker recovery key to a flash drive, but the option to save to a flash drive was greyed out. I tried logging on as the local administrator and several other things, but nothing worked. Eventually, I used the "manage-bde -status" command to see what kind of protectors were on the drive. Then, I added my own protector with "manage-bde -protectors -add C: -recoverykey Z:", where C: is the BitLocker system drive and Z: is the drive letter of the USB stick. Don't forget: the recovery key will be saved to the USB stick as a hidden file.
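The procedure above as a PowerShell script, added here as an example (not the post's own code): it shows the existing protectors, adds the recovery-key protector to the USB drive, and then verifies the hidden .BEK file is actually there, which a plain directory listing would miss. The drive letters are assumptions taken from the post.

```powershell
# Added example, not from the original post. Mirrors the manual steps:
# inspect protectors, add a recovery key on the USB drive, verify the file.
# C: is assumed to be the BitLocker system drive and Z: the USB stick.
param(
    [string]$SystemDrive = 'C:',
    [string]$UsbDrive    = 'Z:'
)

# Step 1: current encryption state and protectors, as in the post.
manage-bde -status $SystemDrive
manage-bde -protectors -get $SystemDrive

# Step 2: add an external-key (recovery key) protector written to the USB drive.
manage-bde -protectors -add $SystemDrive -RecoveryKey $UsbDrive
if ($LASTEXITCODE -ne 0) {
    Write-Error "manage-bde failed with exit code $LASTEXITCODE"
    exit $LASTEXITCODE
}

# Step 3: confirm the key file exists. The .BEK is written as a hidden file,
# so -Force is required or Get-ChildItem will report nothing.
$bek = Get-ChildItem -Path "$UsbDrive\" -Filter '*.BEK' -Force
if (-not $bek) {
    Write-Error "No .BEK recovery key file found on $UsbDrive"
    exit 1
}
foreach ($f in $bek) {
    $hidden = $f.Attributes.HasFlag([IO.FileAttributes]::Hidden)
    Write-Host "Recovery key saved: $($f.FullName) (hidden: $hidden)"
}

# Step 4: show the protector list again so the new External Key entry is visible.
manage-bde -protectors -get $SystemDrive
```

Keep the USB stick somewhere separate from the laptop; a recovery key stored next to the encrypted drive protects nothing.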



Google Chrome OS is just the Chrome browser running on a thin OS, so extensions are like applications installed on other operating systems. They have much more power than Firefox plugins. Extensions are not reviewed, just removed when people complain. Many extensions have cross-site scripting vulnerabilities, enabling one extension to read and write information in other tabs. For example, an extension could inject JavaScript into the tab for your online banking and have it collect and send your credentials to the attacker. It could even show you the old figures so that you don't even know that all your money was transferred out of your account.

This information is from a session I attended at Black Hat called Hacking Google Chrome OS presented by Matt Johansen and Kyle Osborn of WhiteHat Security.