Blog

I created a virtual machine with an “independent persistent” disk.  This prevents VMware from being able to take snapshots.  Since the method for backing up an entire virtual machine on a stand-alone ESXi server is to take a snapshot and then copy the snapshot to a network location, this prevented me from being able to back up the server.  (I could only back up the virtual machine if I shut it down.)

I was able to correct the configuration by powering off the virtual machine and editing the virtual machine settings.


 

I was attempting to add a PAT (port address translation) rule for https (TCP 443) on a customer's Cisco ASA. The rule kept getting rejected with the error that it could not be created.  After trying a few times, I figured out the ASA was rejecting the rule because ASDM (Adaptive Security Device Manager) access, which uses https, had been enabled on the outside interface.  I changed the port number for ASDM and I was then able to create the PAT rule.


 

Working on an ISA server the other day, I had to change the LAN IP addresses.  I was RDP’d into the server from the internal network when I made the change and applied it.  I waited a few seconds and tried to reconnect to the server (by name).  DNS had updated properly with the correct IP address, and I could ping the address, but I couldn’t RDP back to the server.  The server was virtual, so I used VI to connect to the server console.  I didn’t see any issues, but rebooted the server to be sure.  When the server came up, I still couldn’t RDP.  I checked the Terminal Services service and it was not running.  I tried to start it, but it failed.  I checked the event log and it mentioned something about the service binding.  I ran the Terminal Services Configuration console and checked the Properties of the RDP-Tcp object.  On the Network Adapter tab, the “All network adapters configured with this protocol” option was selected (which is the default, but wasn’t working).  I manually selected the LAN NIC and hit Apply, and RDP started working again.


 

I was experiencing long delays when attempting to delete files from my laptop or external USB drives.  For example, deleting a 1.5 GB file would start a continually rotating flood bar of deleting.  It would run for 30 minutes or more before I would give up and click the cancel bar in the dialog window.

The canceling would also present a never-ending flood bar lasting 15 minutes or more.  After doing some research regarding an early Vista problem with file moves and deletions, I looked at several configurations but could not find the problem.

I finally realized that during the installation of PGP Desktop I had enabled a secure delete (shred) feature.  When I disabled the shred feature, my never-ending delete processes went away.


 

I had a situation come up this week where a user was able to change the security on a file that they had created. This type of action was not desirable and I was having a hard time tracking down how this was happening. It turned out to be the following: the user had modify permissions for the folder and subfolders, so they were free to create and delete files. However, the CREATOR OWNER permission was also on the folder and was set to FULL CONTROL. Thus, when the user created a new file, they were the owner. As such, they were then given the ability to change the permissions. So, the gotcha is: be careful how the CREATOR OWNER permission is used…and keep a watchful eye on curious users.
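An audit check for the situation described above, added here as an example and not part of the original post: it scans folder ACLs in SDDL form and reports allow ACEs that let CREATOR OWNER change permissions. The share paths and SDDL strings are constructed sample input; on a real server the SDDL could come from `(Get-Acl <path>).Sddl`.

```python
import re

WRITE_DAC = 0x00040000                  # access-mask bit for "change permissions"
GRANTS_WRITE_DAC = {"FA", "GA", "WD"}   # SDDL codes: file all, generic all, write DAC
CREATOR_OWNER = {"CO", "S-1-3-0"}       # SDDL alias and SID of CREATOR OWNER

def dacl_aces(sddl):
    """Yield (type, flags, rights, sid) for each ACE in the DACL of an SDDL string."""
    m = re.search(r"D:([^()]*)((?:\([^()]*\))*)", sddl)
    if not m:
        return
    for body in re.findall(r"\(([^()]*)\)", m.group(2)):
        fields = body.split(";")
        if len(fields) >= 6:
            yield fields[0], fields[1], fields[2], fields[5]

def grants_write_dac(rights):
    """Rights are either a hex access mask or a run of two-letter SDDL codes."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & WRITE_DAC)
    codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}
    return bool(codes & GRANTS_WRITE_DAC)

def risky_creator_owner(acls):
    """acls maps path -> SDDL. Return (path, rights, flags) for every allow ACE
    that gives CREATOR OWNER the right to rewrite permissions."""
    findings = []
    for path, sddl in acls.items():
        for ace_type, flags, rights, sid in dacl_aces(sddl):
            if ace_type == "A" and sid in CREATOR_OWNER and grants_write_dac(rights):
                findings.append((path, rights, flags))
    return findings

# Constructed sample: Projects carries a CREATOR OWNER full-control ACE,
# Finance only grants Domain Users modify (0x1301bf, no WRITE_DAC bit).
SAMPLE_ACLS = {
    r"D:\Shares\Projects": "O:BAG:DUD:PAI(A;OICI;FA;;;BA)(A;OICIIO;GA;;;CO)(A;OICI;0x1301bf;;;DU)",
    r"D:\Shares\Finance": "O:BAG:DUD:PAI(A;OICI;FA;;;BA)(A;OICI;0x1301bf;;;DU)",
}

if __name__ == "__main__":
    for path, rights, flags in risky_creator_owner(SAMPLE_ACLS):
        print(f"{path}: CREATOR OWNER allow ACE rights={rights} flags={flags}")
```

Windows also lets an object's owner change its permissions implicitly unless an OWNER RIGHTS ACE (available from Vista/Server 2008) restricts that, so removing the CREATOR OWNER grant is best paired with that ACE where creators must not alter ACLs.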


 

I’ve been using the Microsoft RDP client for the Mac to log in to one of our terminal servers.  Unfortunately this client has an annoying bug where the time zone is not set correctly if time zone redirection is set through group policy.  After manually changing the time zone a few days in a row, I decided to look for a more automated solution.  I found that you can invoke the Date and Time control panel applet from a command line and pass the desired time zone.  The command is:

control.exe timedate.cpl,,/Z Central Standard Time

The time zone has to match one of the key values saved in the registry at HKLM\Software\Microsoft\Windows NT\CurrentVersion\Time Zones.  I put this in a command file and added it to my startup group on the server.


 

Thousands of Windows Live accounts have been compromised with their passwords posted online.  This information was posted on the Windows Live blog at http://windowslivewire.spaces.live.com/blog/cns!2F7EB29B42641D59!41528.entry.  This is unfortunate, but is another example of why one should not use the same password in more than one place.

The blog post states that these were compromised by phishing attempts.  Microsoft has taken measures to block access to all of the accounts that were exposed. However, if you have an account, I would suggest you change the password and secret answer right away just to be safe.


 

Recently a customer had opened a phishing e-mail making rounds starting around the first of September.  This was an e-mail that is reported as an IRS version of Zeus Bot (some additional info: http://garwarner.blogspot.com/2009/09/irs-version-of-zeus-bot-continues.html).

After the virus definitions caught up with this, it was quarantined off and seemed to only affect the user profile on the terminal server where it was opened.  However, users started reporting also that Internet Explorer was crashing randomly.

Looking through the event logs, I could see that IE was crashing from a faulting module named RASADHLP.dll.   This file is a remote access dialup helper and shouldn’t even be in use.  After comparing the files in Windows\system32 directory with another terminal server at the location, the files appeared identical.  However, the problematic server had another copy of RASADHLP.dll under C:\Program Files\Internet Explorer.

Further investigation of this file showed the creation date as the same day that the user received and opened the phishing e-mail.  Also it showed the user as the Owner of that file.  It is likely that IE was trying to use this file in its program directory first before the one in system32.

After renaming the file, IE was working without any problems.  The file was removed from the system.  Users running as non-admins likely helped to isolate the malware, but it still had written a bogus file to IE’s program directory.
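The manual comparison described in this post can be repeated across servers with a small check, added here as an example and not part of the original post: it flags DLLs in an application directory that share a name with a system32 file, and notes the owner and creation-date signals mentioned above. The inventory records, the account name `CORP\jdoe`, the incident date and the trusted-owner list are constructed assumptions.

```python
import ntpath
from datetime import date

# Assumption: accounts expected to own files in program directories.
TRUSTED_OWNERS = {"nt service\\trustedinstaller", "builtin\\administrators",
                  "nt authority\\system"}

def _norm(path):
    return ntpath.normcase(ntpath.normpath(path))

def find_shadowing_dlls(inventory, system_dir, app_dirs, incident_day=None):
    """Return (path, owner, reasons) for each DLL that sits directly in one of
    app_dirs and has the same name as a file in system_dir."""
    system_dir = _norm(system_dir)
    app_dirs = {_norm(d) for d in app_dirs}
    system_names = {ntpath.basename(_norm(f["path"])) for f in inventory
                    if ntpath.dirname(_norm(f["path"])) == system_dir}
    findings = []
    for f in inventory:
        path = _norm(f["path"])
        name = ntpath.basename(path)
        if ntpath.dirname(path) not in app_dirs or not name.endswith(".dll"):
            continue
        if name not in system_names:
            continue
        reasons = ["same name as a system32 file"]
        if f["owner"].lower() not in TRUSTED_OWNERS:
            reasons.append("owner is not an installer or admin account")
        if incident_day is not None and f["created"] == incident_day:
            reasons.append("created on the incident day")
        findings.append((f["path"], f["owner"], reasons))
    return findings

# Constructed sample inventory (path, owner, creation date).
INCIDENT_DAY = date(2009, 9, 1)
SAMPLE_INVENTORY = [
    {"path": r"C:\Windows\System32\rasadhlp.dll", "owner": r"NT SERVICE\TrustedInstaller", "created": date(2008, 1, 19)},
    {"path": r"C:\Windows\System32\kernel32.dll", "owner": r"NT SERVICE\TrustedInstaller", "created": date(2008, 1, 19)},
    {"path": r"C:\Program Files\Internet Explorer\ieproxy.dll", "owner": r"NT SERVICE\TrustedInstaller", "created": date(2008, 1, 19)},
    {"path": r"C:\Program Files\Internet Explorer\RASADHLP.dll", "owner": r"CORP\jdoe", "created": INCIDENT_DAY},
]

if __name__ == "__main__":
    for hit in find_shadowing_dlls(SAMPLE_INVENTORY, r"C:\Windows\System32",
                                   [r"C:\Program Files\Internet Explorer"], INCIDENT_DAY):
        print(hit)
```

A name collision alone is not proof of malware, since some applications ship private copies of shared DLLs; the owner and creation-date reasons are what separate the case in this post from those.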


 

On October 1, 2009, President Obama proclaimed October 2009 as National Cyber Security Awareness Month.  This marks the sixth annual National Cyber Security Awareness Month.  The theme for 2009 is "Our Shared Responsibility".  To read the proclamation, visit http://www.whitehouse.gov/the_press_office/Presidential-Proclamation-National-Cybersecurity-Awareness-Month/

The following sites have been created to focus on safe computing practices by the Department of Homeland Security (DHS) and the Federal Trade Commission (FTC):

 


 

Be mindful about what filtering software you use.  Some web filtering software gathers data on chats.  Software produced by EchoMetrix and sold under the Sentry and FamilySafe brands reads private chats, and then the company sells information to third parties. The company reportedly collects data on what kids are saying about movies, music or video games in chats carried out through services such as Yahoo, MSN, AOL, and other services.  Supposedly, no identifiable information is disclosed because the program does not record children's names or addresses.  This is definitely an example of why it's good to read through the user agreements of the software you use.