Archive for August, 2008

Administrative Templates Error

August 19, 2008

As of late I have been experiencing the following error message when opening GPO’s on the Domain Controller or from Server\XP workstations that have the Adminpak.msi installed.

******Picture to be uploaded shortly******

After doing a very quick Google search I came across the following article from the Microsoft Help and Support site regarding this specific error:

“The following entry in the [strings] section is too long and has been truncated”

The error is generated when trying to modify or view GPOs in Windows 2003 server, XP or Win2K.

CAUSE

This problem occurs because older versions of the Group Policy editor cannot interpret some string types that include more than 255 characters. These string types are included in parts of .adm files that are meant to be excluded by the “IF VERSION” construct.

Typically, the problem occurs when you try to view or modify a GPO that has been viewed by a different workstation, and that workstation contains .adm files that use the “IF VERSION >=5” construct. When an administrative workstation views a GPO, the workstation automatically updates that GPO with the latest version of the .adm files. If the workstation’s .adm files are newer than the files that are contained in the \Adm folder of the domain GPO, the template files are updated. If the template files contain the “IF VERSION >=5” construct, when an administrative workstation tries to modify or to view the GPO, and the workstation does not have this hotfix installed, the errors occur.

The resolution is to download and install a fix for the particular version of Windows you are running. I downloaded the version for 2003 and it worked in resolving the issue.
Categories: Uncategorized

Windows 2003 Security Guide

August 14, 2008

I’ve recently decided to lock down the MCSE classroom servers and workstations. Most of the exercises done by the students only managed to reveal a setting here and there within the GPO or local policy. I will be using a variety of methods and tools to accomplish this. The following are my currently defined objectives:

  • Define baseline security measures

  • Define and create role specific templates

  • Apply all security templates using GPO’s

  • Implement authentication & encryption at the Network layer using IPSec

  • Configure any manual changes as required to improve security

After doing some research I’ve decided to follow the “Windows 2003 Security Guide”. The guide is broken into 13 chapters and covers both baseline and server specific roles using GPO’s and the Security Configuration Wizard that is available with Server 2003 SP1. IPSec will also be configured to provide an additional layer of protection for IP packets. It not only acts as a packet filtering firewall but can be configured to require either Authentication and\or Encryption for all IP packets.

The primary server roles that are discussed in the guide include:

  • Domain controllers that include DNS services

  • File\Print Servers

  • Web Servers

  • Microsoft Internet Authentication Server (IAS) servers

  • Certificate Services (CA) servers

  • Bastion Hosts

I’ve also chosen to use the Enterprise Client Member Server Baseline.inf security policy provided by the guide. Also, in order to assist in determining which ports are required for server specific roles I will reference the “Network Ports Requirements for Server 2003”.

Categories: Uncategorized

IPTables Part 1

August 13, 2008

One of the very first questions I read was related to Iptables. I am familiar with Cisco’s ACL’s and IPSec filters so with that in hand I’m sure to get a grasp on Iptables.

The source of the packet determines which chain it traverses initially.  A chain defines the directional flow of the physical traffic.  There are three predefined chains (INPUT, OUTPUT, and FORWARD) in the “filter” table.   Predefined chains have a policy, for example DROP, which is applied to the packet if it reaches the end of the chain. The system administrator can create as many other chains as desired. The command “iptables -L” is executed by user root to display the firewall configuration.  I found the below info on LinuxHomeNetworking in an article called “Quick How To: Linux Firewalls, Using Ipchains”.

 

| Queue Type | Queue Function | Packet Transformation Chain in Queue | Chain Function |
|---|---|---|---|
| Filter | Packet filtering | FORWARD | Filters packets to servers accessible by another NIC on the firewall. |
| Filter | Packet filtering | INPUT | Filters packets destined to the firewall. |
| Filter | Packet filtering | OUTPUT | Filters packets originating from the firewall. |
| Nat | Network Address Translation | PREROUTING | Address translation occurs before routing. Facilitates the transformation of the destination IP address to be compatible with the firewall’s routing table. Used with NAT of the destination IP address, also known as destination NAT or DNAT. |
| Nat | Network Address Translation | POSTROUTING | Address translation occurs after routing. This implies that there was no need to modify the destination IP address of the packet as in pre-routing. Used with NAT of the source IP address using either one-to-one or many-to-one NAT. This is known as source NAT, or SNAT. |
| Nat | Network Address Translation | OUTPUT | Network address translation for packets generated by the firewall. (Rarely used in SOHO environments) |
| Mangle | TCP header modification | PREROUTING, POSTROUTING, OUTPUT, INPUT, FORWARD | Modification of the TCP packet quality of service bits before routing occurs. (Rarely used in SOHO environments) |

 

I will need to first define the traffic that I want and then create the rules.  The list below clearly defines the traffic required for communication:

  1. ICMP request\replies
  2. DNS queries for web sites

Now that I understand Ipchains a bit more it’s time to start building some tables, or chains…whatever. Anyway I’ll begin by allowing the box to ping and receive echo replies. This will assist in troubleshooting connectivity at the network layer.

iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT  -p icmp --icmp-type echo-reply   -j ACCEPT

The first line states we’re using the OUTPUT chain, which filters packets originating from the firewall. The -p option states which protocol is being matched: ICMP, TCP, UDP or ALL. In this case ICMP is being referenced, which is the protocol that is synonymous with ping. --icmp-type states the type of ICMP message being matched (echo-request on the first line, echo-reply on the second), and -j jumps to the specified target when the packet matches the current rule.

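If I decided to remain anonymous and deny all echo requests sent to the box, the following line would be used. Note that the type any matches every ICMP message, so the rule drops all inbound ICMP that an earlier rule in the chain has not already accepted, not only echo requests:

iptables -A INPUT -p icmp --icmp-type any -j DROP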

What about something else, like DNS queries for web sites? A few new switches need to be used, such as -o and -i, which state the output\input interface being used, here eth0. --dport 53 is for DNS and --sport is for a source port between 1024 and 65535. Once again the traffic is jumped (-j) to ACCEPT.

iptables -A OUTPUT -p udp -o eth0 --dport 53 --sport 1024:65535 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --sport 53 --dport 1024:65535 -j ACCEPT
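
The rules above, modelled in Python as an added example (not code from the original post): each chain is walked in order, the first matching rule decides, and the chain policy applies when nothing matches. The Packet and Rule classes, the DROP policy and the sample packets are assumptions made for illustration; this is a simplified model, not iptables itself.

```python
from dataclasses import dataclass

ANY_PORT, HIGH = (0, 65535), (1024, 65535)

@dataclass
class Packet:
    proto: str               # "icmp", "udp" or "tcp"
    iface: str = "eth0"
    icmp_type: str = ""      # e.g. "echo-request"; ICMP only
    sport: int = 0
    dport: int = 0

@dataclass
class Rule:
    target: str              # -j ACCEPT / DROP
    proto: str               # -p
    iface: str = ""          # -i / -o; "" means the rule names no interface
    icmp_type: str = "any"   # --icmp-type
    sport: tuple = ANY_PORT  # --sport lo:hi
    dport: tuple = ANY_PORT  # --dport lo:hi

    def matches(self, p: Packet) -> bool:
        if self.proto != p.proto or self.iface not in ("", p.iface):
            return False
        if p.proto == "icmp":
            return self.icmp_type in ("any", p.icmp_type)
        return (self.sport[0] <= p.sport <= self.sport[1]
                and self.dport[0] <= p.dport <= self.dport[1])

def verdict(chain, policy, packet):
    """The first matching rule decides; the chain policy applies if none match."""
    for rule in chain:
        if rule.matches(packet):
            return rule.target
    return policy

# Rules from the post, in append (-A) order, including the optional ICMP DROP.
INPUT = [
    Rule("ACCEPT", "icmp", icmp_type="echo-reply"),
    Rule("DROP", "icmp", icmp_type="any"),
    Rule("ACCEPT", "udp", iface="eth0", sport=(53, 53), dport=HIGH),
]
OUTPUT = [
    Rule("ACCEPT", "icmp", icmp_type="echo-request"),
    Rule("ACCEPT", "udp", iface="eth0", sport=HIGH, dport=(53, 53)),
]

if __name__ == "__main__":
    # Constructed sample packets; DROP as the chain policy is an assumption.
    for pkt in (Packet("icmp", icmp_type="echo-reply"),
                Packet("icmp", icmp_type="echo-request"),
                Packet("udp", sport=53, dport=40000),
                Packet("tcp", dport=22)):
        print(pkt, "->", verdict(INPUT, "DROP", pkt))
```

The DNS INPUT rule matches on interface and ports alone, so the model accepts any UDP datagram from source port 53 to a high port whether or not a query was sent; a connection-tracking match on established traffic ties replies to queries that actually left the box.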

I just found another great site called iptablesrocks.org with a how-to on configuring a whole table.

I have decided to also review the questions I’ve downloaded from TestKingCert for this exam.  As I cover a topic any relevant questions will be posted.

You need to add a line to your IPTables Firewall Input chain that will stop any attempts to use the default install of Back Orifice against hosts on your 10.10.10.0 network.  Which of the following would be the correct command to use?

Ans: ipchains -A INPUT -p TCP -s 0.0.0.0/0 -d 10.10.10.0/24 31337 -j DENY

When using IPTables and you need to specify all possible IP addresses, the syntax can be either 0/0, 0.0.0.0/0 or any.

You are reviewing the current configuration of an IPTables firewall and notice the following rule: ipchains -A output -p TCP -d ! 10.0.0.1 www. What does this mean?

Ans: This rule for the output chain states that all TCP packets are able to get to the www service on any IP address except for 10.0.0.1

What does the following rule imply: iptables -A output -p TCP -s 10.0.0.0/24 -d 0.0.0.0/0 80 -j ACCEPT

Ans: This rule for the output chain states that any TCP packets from the 10.0.0.0/24 network and destined to any IP address on port 80 is accepted

What does the following rule imply: iptables -A input -p TCP -s 0.0.0.0/24 -d 10.0.0.0/24 500:5000 -j DENY

Ans: This rule for input chain states that any TCP from any IP Address and destined to the 10.0.0.0/24 network on ports 500 through 5000 will be denied

Categories: Security

Brick Walls Are There For A Reason…

August 5, 2008

My sister Abby recently surprised both Kate (my other sister) and myself with a spontaneous gift while out for some drinks. She said she had to go to the bathroom and after some time arrived holding a bag from Borders and within it contained 2 copies of “The Last Lecture” by Randy Pausch, who recently died of pancreatic cancer. The book was his last attempt at reflecting upon the world his wisdom, with every intention of stimulating the drive within each of us to LIVE LIFE…..Carpe Diem…Seize the Day….Every culture has its own expression but the underlying principle transcends all being. Abby said that Randy reminded her of me in this way. His love for life. His true understanding of its brevity. His passion to make the most of his time here. She was never more right.

Although I’ve never lost someone truly close to heart, I have seen some of my fellow brethren pass on. My son is named after his uncle, Sevan Demirtas, who also passed away of pancreatic cancer, like Randy. He and I were never close but I had all the respect for him. He was also very loved and appreciated by his own family and close circle of friends. He had character and a passion for life, something I admire dearly. Perhaps he and I would have become good friends over time; I’d like to hope our passion for life would have forged a strong friendship over time. It was therefore almost instinctual for both my wife and I to decide that our first born son would carry on his name, and so on October 28th, 2007 Sevan Keohan was born into this world. My love for him is indescribable and I’ve never been more passionate about anything else in all my existence. Nothing has given me more fortitude and passion to continue my quest for a full life than to set a living example for my son.

Now, regarding “Brick Walls”, Randy said the following in his book:

“The brick walls are there for a reason. They’re not there to keep us out. The brick walls are there to give us a chance to show how badly we want something”

This also reminds me of my most favorite quote…

“He who has a why…will make do with almost any how”

I’ve always truly believed in both these ideals. The feeling of true accomplishment comes from overcoming adversity, persevering the impossible and not allowing obstacles of any kind to deter one from achieving their heartfelt goals. If it were easy then everyone would do it. The act of accomplishing something of both great desire and challenge empowers us. With each accomplishment it becomes more evident that all things are possible and every brick wall just another means to an end. For example, I once passed a Kempo Karate belt by throwing up during the 2 hour test only to stand back in line and declare my readiness to continue. I had made the decision to continue and that was enough. I overcame the immediate obstacle. I passed the test and earned the respect from my instructor, who happens to be a dear friend of mine for some time now, and he also had a similar experience of his own. I hope to pass on to Sevan this passion to overcome such obstacles that life may put in our way. I want him to learn from my example…not words. I will be action. I will be CARPE DIEM!!!!

Categories: Daily Insights

Complaints…

August 2, 2008

Every once in a while I browse through my small, yet life appropriate books for inspiration. I say life appropriate because they all revolve around self enlightenment. I am by no means a sage or aspiring Buddha, only a man who seeks to better understand the world around him. It’s amazing how much of the world and your environment you are truly unaware of. Possibly because you have not experienced a situation, whether by choice or circumstance, or perhaps your focus was so intense you became unaware of the immediate world around you; either way you were standing too close to the painting to truly admire the art. We have all been there. Moments of “Oh Right”…”That’s What You Mean” or …”Now I Finally Understand”. Much can be said of factual knowledge but nothing is more important in bringing clarity to a situation than to truly experience the moment.

That being said I would like to pass on some principles laid out by Dale Carnegie in “How To Make Friends And Influence People”.   The first chapter is called “Fundamental Techniques in Handling People”.  In it he lays out the 3 principles below:

  1. Don’t criticize, condemn or complain
  2. Give honest and sincere appreciation
  3. Arouse in the other person an eager want

Apparently simple steps to follow but how many of us take the time to truly analyze a situation and apply these principles? It takes practice and only through constant reflection and forward thinking will you ever be able to utilize these ideals and learn to benefit from your current situation. Nowhere does he profess using, abusing or taking advantage of others. His principles reflect an ideology that believes in treating others with respect and kindness with the ultimate goal of laying the groundwork to successfully obtain your objectives. Anger and criticism are the least useful tools in any situation and should be limited in their use….well…until the situation dictates otherwise. It could be said that some people only understand aggression but I disagree. Everyone wants to feel special and appreciated, and when made to feel so will almost always seek to reward others with small, yet kind gestures. In the end “anger instigates anger”. Once a person becomes defensive there is no more forward progress and any attempts at such will be met with disdain. I’ve learned that no one wins an argument and most of the time both parties walk away wounded.

Love is what makes the world go round…Ever chasing its sibling hate…

Healing wounds and spreading joy abound….Of such a thing I wish my fate…

Hardened resolve met with gentle hands….Making of the world a better place…

Earth and fire..Rock and sand…Moving forward eternally at its own pace…..

Categories: Daily Insights