George Chetcuti

Adobe Flash Player vulnerability

Adobe Flash Player 10.0.102.64 and earlier, which is present in a variety of Adobe products such as Adobe Reader and Acrobat, contains a memory corruption vulnerability that can allow a remote attacker to execute arbitrary code. These versions of Flash Player are present on all mainstream operating systems, and users running them need to upgrade to the latest version of Flash Player. For more details about this vulnerability visit Adobe's Security Bulletin APSB11-02.

In critical environments or where the latest version cannot be deployed immediately, the following steps may be required:

Disabling Flash content in Web Browsers and Adobe Reader 9 or later
Disabling JavaScript in Adobe Reader
Preventing PDF documents from automatically opening in web browsers
Uninstall Flash Player

You may encounter some problems when uninstalling Flash Player; Adobe has released an uninstaller together with the steps required to overcome this problem. See Uninstall ActiveX. Note that this will not remove the instances of Flash Player that are installed with Adobe Reader or other Adobe products.

Using HTTPS in Event Forwarding

As we have seen in Setting up an Event Collecting Computer, you can use either the HTTP or the HTTPS protocol to transfer data from the forwarding to the collecting computer. Although the standard HTTP transport already uses encryption for forwarded events, you can configure event forwarding to use the encrypted HTTPS protocol. However, using HTTPS requires the following additional tasks to be performed on the forwarding computers:

You need to install a certificate. You can do this automatically in Active Directory environments by using an enterprise CA.
You need to create a Windows Firewall exception for TCP port 443. If you opted to minimize bandwidth or latency in the collecting computer's Advanced setting – Event Delivery Optimization, then you must also add an HTTPS firewall exception rule and install a certificate on the collecting computer.
At an elevated command prompt type: winrm quickconfig -transport:https

Finally, from the Advanced Subscription Settings on the collecting computer you need to click the Protocol: drop-down arrow and select HTTPS as shown below:

Event Subscription delay

Events are collected or sent (when the subscription configuration is set to Normal) every 15 minutes, which is quite adequate for normal operations; however, there might be critical periods for some resources when we need to reduce this delay and get critical events faster. As already noted in Setting up an Event Collecting Computer, with the help of the wecutil command-line tool we can modify this parameter. The wecutil syntax is as follows:
wecutil ss "subscription_name" /cm:custom
wecutil ss "subscription_name" /hi:<milliseconds_delay>
where the only parameters you need to specify are the subscription name and the delay in milliseconds. For example:
wecutil ss "Test Subscription" /cm:custom
wecutil ss "Test Subscription" /hi:300000
would set our current subscription called "Test Subscription" to 5 minute intervals (5 minutes = 300000 milliseconds). The interval parameter is called HeartbeatInterval as shown below:

To display the current configuration, at an elevated command prompt type:
wecutil gs "Test Subscription"
For a full list of the wecutil command options type wecutil /? at the command prompt.

Takeown command-line tool

In Linux/Unix operating systems we find the chown command to change the owner of a file; what about Windows? Since Windows 2000, as far as I can recall, we can use the Takeown command. It's not my intention to compare both commands but, give and take, they are pretty much similar. Takeown enables an administrator to recover access to a file or a complete folder to which access was previously denied. By making the administrator the owner of the file or folder, access permissions can then be modified according to the administrator's/IT requirements. There are two scenarios: one is when a file or folder has an unknown owner due to a deleted user account or some form of corruption in AD, and the other is when the administrator is asked by security staff to take ownership of files and folders that belong to a specific user. The takeown command allows you to take ownership of files on remote computers as well, for example:

takeown /s <destination> /u <domain\user> /p <password> /f <file> /a /r

Where /a – gives ownership to the administrators group instead of the current logged on user

and /r – performs a recursive call on all files and subdirectories of the target directory

For a full explanation of the takeown command and its parameters, from the command prompt type takeown /?

Bear in mind that taking ownership of a file in Windows does not give you access rights, therefore, you need to set file permissions afterwards in order to be able to manage the data. From the command line you can use the Icacls command to modify the acce
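The takeown-then-icacls sequence described above, as an added PowerShell example that is not part of the original post; the folder path is an assumed sample value, and the DACLs are saved first so the change can be reviewed or reverted:

```powershell
# Added example, not from the original post: take ownership of an orphaned folder
# tree for the Administrators group and then grant the access that ownership
# alone does not provide. The folder path is an assumed sample value.
$Target = 'D:\Shares\OrphanedProject'
$Backup = Join-Path $env:TEMP 'OrphanedProject-before.acl'

# 1. Record the current DACLs first (best effort: /c keeps going past entries
#    we are not yet allowed to read) so the change can be reviewed or reverted
#    later with icacls /restore (see icacls /?).
icacls $Target /save $Backup /t /c

# 2. /a = owner becomes the Administrators group rather than the logged-on user,
#    /r = recurse, /d Y = answer "yes" when a subfolder cannot be listed yet.
takeown /f $Target /a /r /d Y
if ($LASTEXITCODE -ne 0) { throw "takeown failed on $Target" }

# 3. Ownership only lets us edit the DACL; now grant Administrators full control
#    on the folder and everything below it ((OI)(CI) = inherit to files and
#    subfolders, /t = apply to existing children as well).
icacls $Target /grant "BUILTIN\Administrators:(OI)(CI)F" /t
if ($LASTEXITCODE -ne 0) { throw "icacls failed on $Target" }

# 4. Verify the new owner and the resulting DACL.
(Get-Acl -Path $Target).Owner
icacls $Target
```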

Setting up an Event Collecting Computer

Having set up all the remote hosts that you will be retrieving events from, it is time to configure the collecting workstation. The collecting computer would normally be an admin computer running Windows Vista, Windows 7 or Windows Server 2008. Assuming our collecting computer is named env1client01, then from an elevated command prompt type:
wecutil qc
This command changes the Windows Event Collector service's startup type from Manual to Automatic (Delayed Start).
Next, we need to create an Event Subscription as follows:

Open Event Viewer on env1client01 (the collecting computer), right-click Subscriptions and select Create Subscription.

A Subscription Properties window should appear as shown below, type a name and a description:

There are two types of subscriptions; you can use the default type:

Collector initiated – where the collecting computer contacts the source computers to retrieve events. I suggest that you test the added computers by clicking the Test button from the Select Computers… option.
Source computer initiated – where all forwarding computers send events to the collecting computer. Non-domain computers need to have a certificate installed to be able to connect successfully; in fact, domain-related issues will prevent the proper flow of events!

Next, click the Select Events… button and define the criteria, such as levels, log, source, etc., that will be used to match and collect events.

The Advanced… button loads optional settings which are:

User Account – whether you want to use a specific user or the machine account. The account must be a member of the forwarding computer's Event Log Readers group.
Event Delivery Optimization – where you can save the bandwidth consumed (when monitoring over a WAN) or force a push delivery mode to get events faster (when monitoring critical services) or use the default normal behavior which ensures a reliabl
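The same "Test Subscription" created from an XML file with wecutil instead of the Event Viewer wizard, already in Custom delivery mode with the 5 minute (300000 ms) heartbeat from the Event Subscription delay section; this is an added example, not the post's own configuration, and the Win2k8Web source address and the System/Application error query are this example's assumptions:

```powershell
# Added example, not from the original post: create the post's "Test
# Subscription" from an XML file instead of the Event Viewer wizard, already in
# Custom mode with the 5-minute (300000 ms) interval. Host names are the post's
# lab values; the System/Application error query is this example's assumption.
$xml = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>Test Subscription</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Critical and error events from Win2k8Web</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Pull">
    <Batching><MaxItems>5</MaxItems><MaxLatencyTime>300000</MaxLatencyTime></Batching>
    <PushSettings><Heartbeat Interval="300000"/></PushSettings>
  </Delivery>
  <Query><![CDATA[
    <QueryList><Query Id="0" Path="System">
      <Select Path="System">*[System[(Level=1 or Level=2)]]</Select>
      <Select Path="Application">*[System[(Level=1 or Level=2)]]</Select>
    </Query></QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>http</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true"><Address>Win2k8Web.env1.testlab</Address></EventSource>
  </EventSources>
</Subscription>
'@
$path = Join-Path $env:TEMP 'TestSubscription.xml'
Set-Content -Path $path -Value $xml -Encoding UTF8
wecutil cs $path                   # create it (fails if the name already exists)
wecutil gs "Test Subscription"     # show the stored configuration, incl. HeartbeatInterval
wecutil gr "Test Subscription"     # runtime status per source (Active / Trying / Disabled)
```

Level 1 and 2 in the query are Critical and Error; widen or narrow the Select elements to match the criteria you would otherwise pick under Select Events….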

Choosing your Cloud provider

There’s much we can do to secure our assets in the Cloud, and I am quite sure that most of you IT Security Pros are on the go! However, I would like to share with you a couple of points worth noting before choosing your Cloud provider.
During the search for Cloud providers take note of the certifications, such as ISO, PCI, etc., they have achieved, as these will help you differentiate between providers that commit themselves to operational and security best practices and others that operate only for the sake of making money. Remember that certifications and regular audits make vendors follow some rules! That’s a plus, isn’t it?
Search for online docs or FAQs on the provider’s site that state responsibilities and liabilities in clear English. Quite often customers come to know about liabilities only after an incident, which may have legal implications for the business. Therefore, I suggest that you understand the division of liabilities and responsibilities before signing any agreements.
Other aspects of the Cloud that imply direct or indirect security concerns are the account interface, data backup and management of resources. How secure is the account interface? What kind of backup mechanism do they have, if any? How is backup media handled? Is data wiped completely from terminated resources? Are the provider’s internal staff with higher privileges monitored?
These are the kind of questions we need to ask, and if some providers fail to answer them then I would place them on my blacklist. After all, cloud providers should treat security as a business enabler!

Hyper-V test setups

You may be contemplating building a quick test environment using a free virtualization solution on a high-spec PC. This is quite a cheap but effective solution, even in large organizations, where an IT department or an individual entity can build a test platform isolated from the production environment. Say, a Core i7 CPU computer with 6/8 GB of RAM and 4 TB of storage space would make a perfect test lab! Check Deb's superb article about setting up a base test setup here. Whether you will be using Microsoft's Hyper-V, Citrix's Xen or VMware's ESX, make sure that you reduce the threats that a test lab may introduce to your network resources.
In the event you will be using Hyper-V as your test environment, I recommend that the virtualized host machine (PC) is NOT joined to the organization's domain; if your admin workstation (Hyper-V Manager) is part of the domain, then go for a setup that resembles Client-domain and Server-workgroup as denoted on the Hyper-V Remote Management Configuration Utility web page.
To assist you with the installation of Hyper-V from Windows 7, follow this great video by David Davis on VirtualizationAdmin.com – it is very important that with this scenario you might need to set the IP address of your Hyper-V host PC or server in your Windows 7 hosts file. Since the virtualized host PC or server is not in the domain, it may not register itself with the internal DNS! So watch out for DNS issues if you fail to connect remotely and start getting RPC error messages.

Windows Task Scheduler vulnerability

An attacker could exploit the Task Scheduler vulnerability by running a specially crafted application that grants elevated privileges to the logged-on user. Therefore, an attacker needs to have a valid logon user account in order to be able to exploit this weakness. This vulnerability affects Windows Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2. Microsoft has released a security update that addresses the weakness in Task Scheduler; users who have enabled automatic updating need not worry, as the fix was included in the December 2010 release of updates.

For more information visit Microsoft’s security bulletin MS10-092.

Setting up an Event Forwarding Computer

Windows Event Forwarding requires the setup of forwarding computers and a collecting computer, as we have seen in Managing Windows Events. In this post we start by setting up a typical forwarding computer and proceed to the collecting computer setup in another post. Let's assume that we are collecting events from a Windows Server 2008 machine named Win2k8Web; hence our first forwarding computer is Win2k8Web.
To set up the forwarding computer follow these steps:

We need to configure the Windows Remote Management service first. Log on to Win2k8Web, open an elevated command prompt and type: winrm quickconfig

Type Y to accept the requested changes. These depend on the current configuration, but WinRM would need:

To start the WinRM service and set it to auto-start.
To grant administrative rights when the computer is not part of a domain
To allow remote access
To create a WinRM listener on HTTP://* to accept WS-Man requests by creating a firewall exception – Note, this firewall exception does not apply to Public networks.

Next, we need to add the computer account of the collecting computer to the local Event Log Readers group. Assuming that the collecting computer (my admin workstation in the domain env1.testlab) is named env1client01, then at an elevated command prompt on Win2k8Web type: net localgroup "Event Log Readers" env1client01$@env1.testlab /add

In the above procedure we have configured the Win2k8Web host as a forwarding computer, allowing the collecting computer env1client01 to have remote access and collect events. In the post to follow, we will configure the collecting computer.
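The forwarding-computer steps above, plus the optional HTTPS transport from Using HTTPS in Event Forwarding, as one added PowerShell script that is not part of the original posts; it assumes the NetBIOS domain name env1 for env1.testlab, an elevated PowerShell 2.0 or later prompt on Win2k8Web, and that a server-authentication certificate is already enrolled when HTTPS is wanted:

```powershell
# Added example, not from the original post: configure Win2k8Web as a
# forwarding computer from an elevated PowerShell prompt, optionally with the
# HTTPS listener. Host and domain names are the post's lab values; the
# certificate lookup and the NetBIOS domain name are this example's assumptions.
$Collector = 'env1client01'   # collecting computer (its computer account ends in $)
$Domain    = 'env1'           # NetBIOS name assumed for the env1.testlab domain
$UseHttps  = $false           # $true needs a server-authentication certificate
$HttpsPort = 443              # WinRM 1.1 (Vista/2008) default; WinRM 2.0 uses 5986

# 1. Start WinRM, set it to auto-start and create the HTTP listener plus its
#    firewall exception (-q answers "Y" to the prompts the post describes).
winrm quickconfig -q
if ($LASTEXITCODE -ne 0) { throw 'winrm quickconfig failed' }

# 2. Let the collector's computer account read this host's event logs.
net localgroup "Event Log Readers" "$Domain\$Collector`$" /add

# 3. Optional HTTPS transport. quickconfig -transport:https only succeeds when
#    the machine store holds a certificate whose subject matches the host name,
#    so check for one first instead of failing halfway through.
if ($UseHttps) {
    $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    $cert = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.Subject -like "CN=$fqdn*" -and $_.HasPrivateKey } |
            Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No server certificate for $fqdn in LocalMachine\My; enrol one first" }
    winrm quickconfig -q -transport:https
    if ($LASTEXITCODE -ne 0) { throw 'HTTPS listener creation failed' }
    netsh advfirewall firewall add rule name="WinRM over HTTPS" dir=in action=allow `
          protocol=TCP localport=$HttpsPort profile=domain,private
}

# 4. Verify: which listeners exist, who may read the logs, and that WS-Man
#    answers locally before the collector is pointed at this host.
winrm enumerate winrm/config/listener
net localgroup "Event Log Readers"
Test-WSMan -ComputerName $env:COMPUTERNAME
```

The firewall rule deliberately omits the Public profile, matching the note above that the quickconfig exception does not apply to Public networks.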

Managing Windows Events

The wealth of information stored in Windows event logs is astonishing. But most often we miss what we are looking for, as the amount of information stored may be overwhelming at times. There are various third-party tools out there that manage and organize event logs in a useful manner; however, I would like to share with you some Event Forwarding concepts that allow administrators to collect and group specific events in one location. With Event Forwarding you can send specific events from individual computers to a target computer or your admin workstation. Then you would be able to view the most important events grouped into one event log/viewer from your workstation rather than connecting remotely to each and every target machine. One of the core advantages of Windows Event Forwarding is that it uses the HTTP (Hypertext Transfer Protocol) and HTTPS (Hypertext Transfer Protocol Secure) protocols to transfer data and, as such, the traffic can flow easily through firewalls within an organization, assuming that the organization's IT policies allow web browsing! All traffic generated by the forwarding mechanism is encrypted even if you use HTTP.
The implementation process requires a two-part exercise. That is, you need to configure both the target (forwarding) and the receiving (collecting) computers. Both computers need to have the Windows Remote Management and the Windows Event Collector services up and running. Note that only Windows Vista, Windows Server 2008 and Windows Server 2003 R2 can have the role of a collecting computer. In addition, you may need to add firewall rules that allow incoming/outgoing traffic to/from the services participating in the process.
