Permission Madness

January 22nd, 2010

We are in the process of migrating to a new domain. We are migrating our field staff first. Each field staff member needs their own “home” folder to store documents. To keep this secure, we need to give everyone read permission on the root folder and then allow each user to view only their own folder. I had to accomplish the following:

  • Create the folders by username
  • Remove inheritance from the parent folder
  • Remove “Domain Users” permission from each folder
  • Add the user with change permissions on the folder

I had to do this for about 190 users; doing it manually would have been a pain.

To create the folders, I had a list of all the usernames by login.  I put the names into a text file and used the following commands in a batch file to create the folders:

@echo off
rem file.txt holds one login name per line; a folder named after each login is created
for /f %%i in (file.txt) do mkdir %%i

Once the folders were created, the next step was to work with the permissions.  I found a utility called SetACL.  I replaced the “mkdir %%i” in the batch file with the following commands to complete the rest of the tasks:

  • SetACL -on %%i -ot file -actn setprot -op "dacl:p_c"    (Remove inheritance, keeping a copy of the inherited entries)
  • SetACL -on %%i -ot file -actn trustee -trst "n1:Domain Users;s1:n;ta:remtrst;w:dacl"    (Remove Domain Users)
  • SetACL -on %%i -ot file -actn ace -ace "n:%%i;p:change"    (Add the user with change permissions to their folder)
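As an added example (my own, not from the original post or from SetACL), here are the same four steps done with PowerShell's Get-Acl/Set-Acl, ending with a check that every folder came out as intended; the list file path, the share root D:\Home and the domain name CONTOSO are placeholders.

```powershell
# Added example, not from the original post: the four steps done with
# PowerShell's Get-Acl/Set-Acl instead of SetACL, plus a check at the end.
# Placeholders: the list file path, the share root D:\Home and the domain CONTOSO.
$ListFile = 'C:\scripts\users.txt'   # one login name per line
$Root     = 'D:\Home'
$Domain   = 'CONTOSO'

foreach ($user in Get-Content -Path $ListFile) {
    $user = $user.Trim()
    if (-not $user) { continue }                      # skip blank lines
    $folder = Join-Path -Path $Root -ChildPath $user

    # Step 1: create the folder named after the login
    if (-not (Test-Path -Path $folder)) { New-Item -Path $folder -ItemType Directory | Out-Null }

    # Step 2: break inheritance but keep copies of the inherited ACEs (SetACL's dacl:p_c)
    $acl = Get-Acl -Path $folder
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $folder -AclObject $acl

    # Step 3: remove every (now explicit) ACE held by Domain Users
    $acl = Get-Acl -Path $folder
    $domainUsers = @($acl.Access | Where-Object { $_.IdentityReference.Value -eq "$Domain\Domain Users" })
    foreach ($ace in $domainUsers) { $acl.RemoveAccessRule($ace) | Out-Null }

    # Step 4: give the owner Modify (the "change" level) on the folder and everything below it
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        "$Domain\$user",
        [System.Security.AccessControl.FileSystemRights]::Modify,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $folder -AclObject $acl
}

# Check: report any home folder that still lists Domain Users or is missing its owner
Get-ChildItem -Path $Root -Directory | ForEach-Object {
    $ids = @((Get-Acl -Path $_.FullName).Access | ForEach-Object { $_.IdentityReference.Value })
    if ($ids -contains "$Domain\Domain Users" -or $ids -notcontains "$Domain\$($_.Name)") {
        Write-Warning "$($_.Name): permissions are not as expected"
    }
}
```

The final loop is the check worth keeping after any bulk ACL change: it flags folders where the Domain Users entry survived or the owner's entry never landed.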

G13 Windows

Rogue AV

January 14th, 2010

I am increasingly seeing cases of infection from Rogue AV software. My company is currently working on phasing out our old Symantec 10 and replacing it with Kaspersky, but in the meantime we keep getting these infections.

Luckily the infections have not been very destructive.  They are only in one user profile and are usually just an EXE in either Application Data or Local Settings/Application data.

Kaspersky’s viruslist.com has a good article talking about why these are so prevalent and how they are getting past some AV products.  The article can be found here.

G13 Malware, Security, Windows

PGP

January 14th, 2010

The company I work for now is in the Healthcare Industry.  We have a number of users with field devices and due to the new HIPAA regulations, all of the hard drives must be encrypted.

After years of toiling with encryption as a hobby, I finally have a chance to deploy and manage enterprise-level encryption!

We have decided on using PGP Whole Disk Encryption. After reading through the manual and setting up the server and a few clients, I find this a relatively easy platform to work on. So far I have been very happy with it.

One more new skill under my belt.

G13 Cryptography, Security

Unknown Malware 1 (update)

January 13th, 2010

I was correct in that the malware was previously unknown. Here is the response from Kaspersky Lab:

From:    <newvirus@kaspersky.com>
To:    <xxx@xxx.com>
Date:    01/13/2010 02:32 PM
Subject:    RE: Malware sample [KLAN-57074893]

Hello,

pkdpsysguard.exe – not-a-virus:FraudTool.Win32.WinSpywareProtect.caf

New potentially risky software was found in this file. Its detection will be included in the next update. Thank you for your help.

——————————————-
Best wishes, Pavel Firsov.
Virus analyst, Kaspersky Lab.
_____________________________

newvirus@kaspersky.com
http://www.kaspersky.com  http://www.viruslist.com

Score a win!

-G13

G13 Malware, Security, Windows

Unknown Malware 1

January 13th, 2010

We recently came across a piece of Fraudware on one of our client PCs.  This one is your typical faux anti-virus application which makes repeated attempts to get you to purchase itself.

The good news is that this was not a case of Vundo; it appears that the malware was only specific to one user profile.

Only one EXE was found; once it was deleted the issue went away.  We quarantined a sample and I submitted a copy to Anubis as well as Offensive Computing.  Neither of these sites could identify what kind of malware it was.

The report from Anubis can be found here.  The sample can also be found on Offensive Computing by searching for the md5sum: 6b833d23ddfae069883a3b562e0435ba

The malware seems to have created its own proxy server and modified the settings in Internet Explorer. This prevented us from visiting any sites besides the one it had created.

I submitted a sample to Kaspersky’s Virus Labs for further analysis.

-G13

G13 Malware, Security, Windows

Kaspersky

January 13th, 2010

I have been tasked with choosing a new anti-virus program for my company. After reviewing documents on http://www.av-comparatives.org/ and demoing the software, we decided to go with Kaspersky Open Space Security.

We chose the Business Space Security suite since we were only interested in anti-virus protection on our workstations and servers. The price could not be beat; we were quoted at about half the cost of Symantec Endpoint Security.

The one thing we really like about Kaspersky is that after it scans our domain for workstations, it shows us which machines are not protected by Kaspersky. The desktop engine is also very lightweight and the administrative interface is not overly complex.

So far it has been a great product!

-G13

G13 Security, Windows

New year, new job

January 13th, 2010

Busy year.  I am with a new company in a new role.  I will be focused more on security and network now than before.  I will have new topics to post soon!

-G

G13 Uncategorized

DD-WRT

March 26th, 2009

So I have a new client and they needed a site-to-site VPN.  I opted for a DD-WRT solution to save them money.  I get the two Linksys WRT54GL routers and load DD-WRT on them.

In my test environment I was able to establish an OpenVPN connection.  As SOON as I get them on the customer’s site and change the IPs, everything breaks.  I had to temporarily set them up with a PPTP VPN solution until I can get OpenVPN working.

The solution I tried was using just one static key as shown in the DD-WRT wiki docs for establishing a VPN.  I’m going to try a CA/Cert next; that may do the trick.

G13 Linux, Security

Further down the Rabbit hole…

March 15th, 2009

Following two different leads from the hacked websites, I found two very different types of malware going on. The first one I discovered was a sort of fake anti-virus program. The site is hosted on bestantimalwarelivescanner.com and there is a click hijack running on securedradiostation.cn. A copy of the malware can be found here. Soon I will be testing this inside a VM and will post those results.

The other piece of malware I found was an exploited PDF file. The PDF file contains some JavaScript which I have not been able to extract yet. An example of the PDF can be found here.

I am still working on figuring out what is going on with this malware. When the preceding page, http://www.se-jewelry.net/111, called the file, it passed three variables. The entire string is this:

http://www.se-jewelry.net/111/include/spl.php?stats=Unknown|Unknown|67.240.120.204

I have also pulled down the HTML on these sites.  So far it has not shown anything interesting except the examples of malware above.

G13 Security

Response from a host

March 12th, 2009

I received a response from the host of one of the IPs that was accessing my site via FTP. Below is the message:

Hello,

Thank you for your information, I have forwarded these log entries to our tier2 department, which is presently looking into the issue. If you have any further information regarding this issue, or any new logs you can provide, please provide them to this ticket, or email to xxx@xxx.com

Hopefully they find more information.

G13 Security