Categories
blog Microsoft

My take on AntiVirus / AntiSpyware applications

Virii suck, I just though I’d throw that out there.  They cost the world billions of dollars a year and keep people like you and me up at night.  I wish I had the final solution for you but I don’t, however, I do have a list of applications/tools/services that I use to keep my computers running virus and spyware free.

Desktop Antivirus / AntiSpyware

At work my company has standardized on NOD32 from ESET.  I had never herd of the company until I started at my current position about a year and a half ago and now, I rarely use anything but NOD32.  They have a couple of editions but I’m only familiar with ESET NOD32 AV v2.6 and v3.0.  So far I have not had a single problem with virii or spyware (except for a few hacking/cracking tools that I use on occasion).

If I’m not using or recommending NOD32 for home / client computers I go with AVG.  AVG AntiVirus 8.0, the newest version from AVG covers pretty much everything you would need from an AntiVirus / AntiSpyware software suite.  They even have a free edition that can be found here for home computers that only need basic protection.  If your on a budget, AVG Free Edition is for you.  Again, so far, with my use of AVG Antivirus, I have not had a single problem.

Safe Internet Browsing

This is a huge deal when it comes to keeping your computer safe.  Sometimes it doesn’t involve any software at all.  Just some intelligence and PG13 level surfing (no porn or online gambling allowed!!).  However, because of my ADHD and endless appetite for information, even I run across some potentially bad websites.

To combat this I use OpenDNS.  I’ve done a blog post on them a while back.  Search at the right if you are interested but I’ll cover a few points to OpenDNS here.  First of all, OpenDNS is cool.  Second, OpenDNS is free.  Now that I got those two things out of the way, I’ll explain it a bit.  OpenDNS is a free DNS service that you point your network DNS servers, clients, etc towards and you instantly get a bit better service.  If you go to the website and create an account and then register your IP address there, you can have settings specified that would prevent people from surfing websites that fall within a specific category.  Below is what I have mine set to.

The moderate setting includes blocking of Adaware, Alochol, Dating, Drugs, Gambling, Hate/Discrimination, Weapons, Tasteless, Lingerie/Bikini, Proxy/Anonymizer, Sexuality, Nudity, Pornography, and Phishing.  The last one is especially cool because it uses the phishing database PhishTank, which is THE defacto standard in phishing databases…well at least I believe so.

Desktop and Network Firewalls

As much as I should use a desktop firewall, I don’t.  It hinders my ability to do network scans, attach to different networks, open up shares on my computer remotely, test software, etc.  But, do what I say and not what I do.  If you have no reason not to use one…then do so.  The built in Windows Firewall is fine but if you need to feel a little safer at night, I recommend ZoneAlarm.  It has both high reviewes in the major computer magazines and is recommended by the security research group Gibson Research Corp.

My home network firewall is pfSense, a free open source, fully featured firewall that I have installed on an old workstation with two network interfaces.  Visit the website for a full list of features.  Other firewall’s that I would recommend would be the Cisco PIX or ASA, m0n0wall, and any Linux distribution running iptables.  It’s not that these are the only secure options out there but rather I only have extensive experience in this small list.

SPAM Protection

This cannot be stressed enough…  Never use an email address without a **GREAT** SPAM filter.  For personal use, grab a free GMail account.  For corporate use get a Barracuda SPAM firewall, use Postini or build your own SPAM filter based on SpamAssassin.  For the DIY I recommend Maia Mailguard.  The reason for this is quite simple, spyware and virii can be transmitted quite easily through email.  If you are not protected, you are asking for trouble.

Defense in Depth

Although all of my recomendations, in my option, are good ones..not a single one of them guarantees that you will not get infected.  Things like zero day attacks, trojans, virii, spyware, adaware, malware, etc are not always easily detected and therefore may hit a large number of computers over a short period of time without the security companies knowledge.  However, with the use of all of them together, you now have the tools for a fighting chance and with any luck, you’ll be virus free.

Hopefully you’ll take my advice on one or more of the above topics and have a safer more enjoyable time on the internet.

Extras!!

Here are a few extra tools that I did not fit in.

ESET Online Scanner | TrendMicro House Call | TrendMicro HijackThis | Symantec Removal Tools

Categories
blog Microsoft Windows

Dell Laptop offline file syncronization issues

Recently I had a client who purchase a new laptop from Dell.  It was a failry straight forward setup, nothing out of the ordinary.  After we got the computer joined to the domain and the user’s profile setup, we started the file syncronization process for a number of directories that they needed to take offsite on a daily basis to be able to read/modify while out of the office and without internet connectivty.  They had been using Microsoft’s offline file feature.  Again, nothint out of the ordinary.

Well, this computer took up more than a few hours of my time as well as another associate of mine.  The computer no matter what we did would not syncronize files during the logon process even thought the little checkbox was checked to do so.  As it turns out, Dell has some sort of security suite that they are deploying with all the laptops now with the name of WavXDocMgr.  This was the culprit of the syncronization issue.  We took this out of MSCONFIG as a startup process and the problem was solved.  As this was not the answer but rather a workaround, we have started talking with Dell but as of yet have not found a fix for the issue so I thought I would share.

Categories
blog Microsoft Windows

Microsoft PowerShell – Searching for a command

I live in command line on Linux, Cisco, HP, and a number of other products but for some reason it feels UnAmerican to do it on Windows.  I’m coming around though.  With the implementation of the Microsoft Powershell on Windows you now have a great deal of power that you may or may not have had before.  For me, troubleshooting Exchange 2007 and AD, it is a blessing.  However, finding the command that you need to use to get the information you want is pretty hard.  I guess that’s why Microsoft created the “get-command” command for PowerShell.  It is basically a search function for Powershell and will return a list of commands that you can run to get the information you need (per your search).

So lets use the command to find more about our Exchange queues (Exchange 2007 Server).

Get-Command *queue*

Which will return a list of commands that you can run from PowerShell like Get-Queue, Retry-Queue, and Suspend-Queue.

Now lets try something to do with Active Directory.  Try this command.

Get-Command *User*

It’ll return a boatload of commands but you can see a few that might be useful like New-ADUser and New-ADGroup.

Hopefully this will shine some light on the still fairly new (feeling) command line power of Microsoft’s Operating Systems.

Categories
blog Microsoft Windows

Disable SSLv2 for Windows Server 2003

This is a followon from my last post about weak SSL ciphers but they kind of go hand in hand.  SSLv3 offers a few security improvements over SSLv2 and is supported by the majority of new browsers.  What we will do in this post is disable the ability for a client co choose to use SSLv2 if connected to your webserver that has SSLv2 disabled.  To accomplish this we will need to do the following.

Open regedit and find the key

HKLMSYSTEM|CurrentControlSetControlSecurityProvidersSCHANNELProtocols

Now for SSL 2.0 you will want to create a new DWORD value named Enabled with a data value of 0 in Hex in both the client and server subkeys.  This will disable the ability for the server to use or allow the use of SSLv2 during the use of SSL.  You can also create a registry import like the following.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsSSL 2.0]

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsSSL 2.0Client]
“Enabled”=dword:00000000

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsSSL 2.0Server]
“Enabled”=dword:00000000

Again with this one, Nessus will find the vulnerability fairly easy so their is almost no reason to have it running. Nessus’ vulnerability will be displayed as “Synopsis : The remote service encrypts traffic using a protocol with known weaknesses.”

NOTE: This change may break clients/servers/applications so I take no responsibility for YOUR actions.

Categories
blog Microsoft Windows

Windows / IIS SSL – Restrict Weak Ciphers

I have been on a little bit of a security kick lately with my time at work thwarting SQL injection attempts, securing web servers, firewall administration and so much more and have been doing some pretty repetitive tasks so I thought I’d put them up here to help me remember how to do these very important tasks.

This piece is on restricting weak ciphers within your SSL certificates.  Nessus and some other security auditing tools will detect this one with ease so there’s really no good excuse not to lock it down.  Basically what we are going to do is remove the ability for web clients (IE, Firefox, Safari, Opera, etc) connect to the web server with anything but 128 bit or greater SSL encryption.  This just sounds like a good deal anyway if you as me.

An example of a weak cipher is like I mentioned above, anything less that 128 bit encryption.  There are about a dozen methods of encryption from SSL_RSA_EXPORT1024_WITH_RC4_56_SHA to SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5.  Yes I know that sounds cryptic and it really is (pun intended).  So what we need to do is scan the host first.  You can use Tenable Nessus or your choice of scanning utility but we want to see what it comes up with.  Chances are if you were diligent during the setup of the server, you may not have to do this but if your the other 95% out there, then you will need to do the following.

Open "regedit" and find the key
HKLMSYSTEMCurrentControlSetControlSecurityProvidersSCHANNELCiphers.

This will have a number of other subkeys below it.  Next we will want to disable anything that has a number less than 128 in it.  I.E. RC2 40/128 we will disable but RC2 128/128 we will not.  Clear as mud?  To disable the cipher click on the subkey that you want to disable and create a new DWORD value named Enabled.  In the value data keep it 0 in Hex.  This will disable the cipher from being able to run.  You could also create a registry import like the following.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELCiphersRC2 40/128]
“Enabled”=dword:00000000

I would do this for RC2 40/128.  RC4 40/128 and RC4 56/128.  I feel better already.  Hopefully you will too after you get this done on your website.

NOTE: This may break some clients/servers/applications so I take no responsibility for YOUR actions. 🙂