George Chetcuti WS Blog

George Chetcuti is a promoter of effective IT governance and IT security best practices. With a personal experience of many years managing complex setups, his contribution to this community is to provide security related info and tips. This blog is aimed at increasing security awareness among IT professionals.

Windows Server 2008 R2 Service Pack 1

Service Pack 1 for Windows Server 2008 R2 and Windows 7 provides further improvements and hardens these operating systems. Although SP1 bundles previous updates that many organizations and users have already deployed through Windows Update, Windows Server Update Services (WSUS) or third-party patch management systems, it is common practice to use a service pack as a baseline. That is, successfully deploying a service pack throughout the organization creates a reference point or standard which puts your mind at rest. Some machines, or even servers, might have missed some updates, or an administrator might have intentionally skipped some problematic updates. Over time, patch management standards are likely to end up in a mess!
However, before going for a full deployment of SP1 I suggest that you test your environment. If a patch management inventory is available, look for machines that lack updates compared with others and find out why. Test the most critical machines in a test or staging environment before updating production ones. Where possible, follow Microsoft's recommendations before applying SP1 and run the System Update Readiness Tool to resolve update inconsistencies. There have been issues with some device drivers, hence it is recommended to update these to the latest versions; some users are also reporting SP1 installation failures with an unknown error.
As most organizations run their servers in virtualized environments, you might encounter similar problems while SP1 tries to access some virtual devices. In fact, I had to disable guest add-ons on my virtualized setup in order to be able to install SP1 successfully. For more details about this error and the troubleshooting steps I performed to find the problem go here.

Cmdkey command-line tool

The Windows Cmdkey command creates, lists and deletes stored user names and passwords from a computer. It helps administrators and security staff list the credentials a user has stored, which aids in finding evidence or troubleshooting remote access issues! This tool may come in handy when administrators want to give users access to a shared resource for temporary use without exposing any login details. For example, a user wishes to access a shared folder /data on server \\win2k8web on a temporary basis. An administrator would use a username that has access to the shared resource and, either through a remote script or manually from the user's workstation, type:

Cmdkey /add:win2k8web /user:usernamewithrights /pass:userpassword

Where the syntax is as follows:

Cmdkey /add:<Shared resource> /user:<UserName> /pass:<Password>

Doing so, a new set of credentials is added on the user's workstation without making the user aware of the username and password details! Although a curious and slightly technical user could find the username, I suggest that the administrator delete these credentials once the user has finished the temporary work by typing the following:

Cmdkey /delete:win2k8web

The delete operation denies the user access to that shared resource within the same session, whereas after adding the new credentials the user may need to log off and log on again before the shared resource becomes accessible. Other examples of the cmdkey command are the following:

cmdkey /add:Servername /user:Username

Will add a Username to the current logged on user to access
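Since the post recommends cmdkey for listing stored credentials and for removing a temporary entry once the work is done, here is an added PowerShell example (not part of the original post) that parses the text printed by cmdkey /list into objects and reports whether the temporary win2k8web entry is still present. The sample output lines are constructed; replace them with the real command output where indicated.

```powershell
# Parse "cmdkey /list" output into objects so stored credentials on a
# workstation can be audited. Added example, not from the original post.
function ConvertFrom-CmdkeyList {
    param([string[]]$Lines)
    $entries = @()
    $current = $null
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -match '^Target:\s*(.+)$') {
            if ($current) { $entries += $current }
            $current = [pscustomobject]@{
                Target = $Matches[1]; Type = ''; User = ''; Persistence = ''
            }
        }
        elseif ($current -and $line -match '^Type:\s*(.+)$') { $current.Type = $Matches[1] }
        elseif ($current -and $line -match '^User:\s*(.+)$') { $current.User = $Matches[1] }
        # cmdkey prints an extra line such as "Local machine persistence" or
        # "Saved for this logon only" for non-default persistence
        elseif ($current -and $line -match 'persistence|logon only') { $current.Persistence = $line }
    }
    if ($current) { $entries += $current }
    return $entries
}

# Constructed sample of cmdkey /list output so the parser can be tried offline.
# On a real workstation use:  $lines = cmdkey /list
$lines = @(
    'Currently stored credentials:',
    '',
    '    Target: Domain:target=win2k8web',
    '    Type: Domain Password',
    '    User: CONTOSO\usernamewithrights',
    '',
    '    Target: LegacyGeneric:target=buildserver.example.invalid',
    '    Type: Generic',
    '    User: builduser',
    '    Local machine persistence'
)

$creds = ConvertFrom-CmdkeyList -Lines $lines
$creds | Format-Table Target, Type, User, Persistence -AutoSize

# Flag the temporary credential if the administrator forgot to remove it
$leftover = $creds | Where-Object { $_.Target -like '*win2k8web*' }
if ($leftover) {
    Write-Warning 'Temporary credential for win2k8web is still stored; run: cmdkey /delete:win2k8web'
}
```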

Privacy by Design – Part 1

The safeguards that the Federal Trade Commission (FTC) is proposing are quite reasonable, and it is hard to understand why some were not implemented by the vendors in the first place. Building applications and services led by security best practices would help create a safer environment. The safety measures are not just technical ones but include physical and administrative safeguards. The level of security required depends on the sensitivity of the data, the size and nature of the business operations and the type of risks the business faces. So, what are we talking about?
For example, why is Google's email service not encrypted by default, with encryption just an option that the end user has to set? Google recently announced that it will make HTTPS the default protocol for its email service. The FTC framework suggests that security controls are defined during the planning stages of an application and are revised during the deployment and maintenance stages. Some may argue that Google's Gmail took off when cyber criminality was in its infancy, but was it? Is it not the same scenario we have with cloud service providers? How many vendors are building their infrastructure on security best practices? I am pretty sure that there are quite a number of secure cloud setups, but we still lack common standards that regulate cloud computing services!
The FTC framework asserts that businesses should collect only the information needed to fulfill a specific legitimate need and nothing more! A typical example is where a local service provider collects information about unsecured wir

Google’s search algorithm changes

Another update by Google to its search ranking algorithm has caused anger amongst several businesses which, according to CNNMoney, saw a negative impact on their websites' traffic! Many businesses rely on search engines to drive traffic to their sites, mainly on Google's search engine as it is by far the most used. According to Google, the goal of the new algorithm changes is to move high-quality sites to the top of the search rankings. Google had been criticized by many users that low-quality sites were ranking high. It is quite normal that minor changes to the algorithm are performed on a regular basis, but this change was big and had immediate drastic effects, hopefully for improved search results! The IP address would allow you to compare the old algorithm against the new one, where results from the search would appear as they would have appeared before the latest changes. Check your website or blog; mine has lost some places, but to more relevant content. It's kind of a dirty game: some gain, some lose. You find some businesses that focus entirely on SEO techniques to get their sites ranked higher and tend to forget about unique content, about the services or products they provide and about ethical issues! While Google tries to crack down on sites that try to fool the system, so often the new countermeasures manage to penalize legitimate websites as well. For more details read Google's blog post: Finding more high-quality sites in search

Protecting Consumer Privacy

The FTC (Federal Trade Commission) has proposed a framework for businesses and policymakers that would protect consumer privacy while encouraging the development of innovative new products and services. The draft focuses on three main elements: adherence to better privacy mechanisms by businesses throughout the whole process, simpler and more meaningful privacy options for consumers, and transparency of all data practices. These are categorized as Privacy by Design, Simplified Choice and Greater Transparency. I will be providing you with some of the drafted best practices in future posts, but let's start by explaining further the three main elements that make up the framework.

Privacy by Design: 'Companies should promote consumer privacy throughout their organization and at every stage of the development of their products and services.'

The framework suggests that companies should deal with data security from the beginning and not as an afterthought! Security best practices should lead the development of services and products, covering data accuracy, reliability, retention and other protective features. The draft insists on proper data management procedures that must be maintained throughout the whole life cycle of a product or service.

Simplified Choice: 'Companies should simplify consumer choice.'

The draft suggests that private data collected by businesses during routine operations, such as product fulfillment, can do without the privacy options and the additional related steps otherwise presented to consumers. The draft refers to these as common acc

Adobe Flash Player vulnerability

Adobe Flash Player and earlier, which is present in a variety of Adobe products such as Adobe Reader and Acrobat, contains a memory corruption vulnerability which can allow a remote attacker to execute arbitrary code. These versions of Flash Player are present on all mainstream operating systems, and users running them need to upgrade to the latest version of Flash Player. For more details about this vulnerability visit Adobe's Security Bulletin APSB11-02.

In critical environments or where the latest version cannot be deployed immediately, the following steps may be required:

Disabling Flash content in Web Browsers and Adobe Reader 9 or later
Disabling JavaScript in Adobe Reader
Preventing PDF documents from automatically opening in web browsers
Uninstall Flash Player

You may encounter some problems when uninstalling Flash Player; Adobe has released an uninstaller and the steps required to overcome this problem. See Uninstall ActiveX. Note that this will not remove the instances of Flash Player that are installed with Adobe Reader or other Adobe products.

Takeown command-line tool

In Linux/Unix operating systems we find the chown command to change the owner of a file, and what about Windows? Since Windows 2000, as far as I can recall, we can use the Takeown command. It's not my intention to compare both commands, but give and take, they are pretty much similar. Takeown enables an administrator to recover access to a file or a complete folder to which access was previously denied. By making the administrator the owner of the file or folder, access permissions can then be modified according to the administrator's or IT requirements. There are two typical scenarios: one is when a file or folder has an unknown owner due to a deleted user account or some form of corruption in AD, and another is when the administrator is asked by security staff to take ownership of files and folders that belong to a specific user. The takeown command allows you to take ownership of files on remote computers as well, for example:

takeown /s <destination> /u <domain\user> /p <password> /f <file> /a /r

Where /a – gives ownership to the administrators group instead of the current logged on user

and /r – performs a recursive call on all files and subdirectories of the target directory

For a full explanation of the takeown command and its parameters, from the command prompt type, takeown /?

Bear in mind that taking ownership of a file in Windows does not give you access rights, therefore, you need to set file permissions afterwards in order to be able to manage the data. From the command line you can use the Icacls command to modify the acce
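The post's point that ownership alone grants no access, and that Icacls must follow, is shown in this added PowerShell example (not the post's own code). It backs up the existing ACLs first, takes ownership of a local folder for the Administrators group, then grants access; it assumes an elevated prompt, and the folder path is a placeholder.

```powershell
# Recover an unmanageable folder: save current ACLs, take ownership for
# Administrators, then grant access with icacls. Added example, not from the post.
function Restore-FolderAccess {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$AclBackup = "$env:TEMP\acl-backup.txt"
    )
    # 1. Save existing ACLs so the original permissions can be put back with:
    #    icacls <parent-directory> /restore <backup file>
    icacls $Path /save $AclBackup /t /c | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "ACL backup incomplete; some entries were unreadable before takeown"
    }

    # 2. Take ownership recursively (/r) for the Administrators group (/a);
    #    /d y answers the prompt for folders the current user cannot list
    takeown /f $Path /a /r /d y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "takeown failed for $Path" }

    # 3. Ownership grants no access rights by itself: add Full control for
    #    Administrators, inherited by subfolders (CI) and files (OI), whole tree (/t)
    icacls $Path /grant 'Administrators:(OI)(CI)F' /t /c | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls grant failed for $Path" }

    # 4. Show the resulting owner and DACL of the top-level folder
    Get-Acl -Path $Path | Select-Object Owner, AccessToString
}

# Placeholder path; point this at the folder whose owner is unknown or orphaned
Restore-FolderAccess -Path 'C:\Data\OrphanedFolder'
```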

Choosing your Cloud provider

There’s much we can do to secure our assets in the Cloud and I am quite sure that most of you, IT Security Pros are on the go! However, I would like to share with you a couple of points worth noting before choosing your Cloud provider.
During the search for Cloud providers take a note of certifications such as, ISO, PCI, etc. they have achieved as these will help you differentiate between providers that commit themselves to operational and security best practices and others that operate for the sake of making money. Remember that certifications and regular audits make vendors follow some rules! That’s a plus, isn’t it?
Search for online docs or FAQs on the provider’s site that state responsibilities and liabilities in clear English. Quite often customers come to know about liabilities after an incident which may have legal implications on the business. Therefore, I suggest that you understand the division of liabilities and responsibilities before signing any agreements.
Other aspects of the Cloud that imply direct or indirect security concerns are the account interface, data backup and management of resources. How secure is the account interface? What kind of backup mechanism do they have, if any? How is backup media handled? Is data wiped completely from terminated resources? Are the provider's internal staff with higher privileges monitored?
These are the kinds of questions we need to ask, and if some providers fail to answer them, I would place them on my blacklist. After all, cloud providers should treat security as a business enabler!

Windows Task Scheduler vulnerability

An attacker could exploit the Task Scheduler vulnerability by running a specially crafted application that grants elevated privileges to the logged-on user. Therefore, an attacker needs a valid logon account in order to exploit this weakness. This vulnerability affects Windows Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2. Microsoft has released a security update that addresses the weakness in Task Scheduler; users who have enabled automatic updating need not worry, as the fix was included in the December 2010 release of updates.

For more information visit Microsoft’s security bulletin MS10-092

The whoami command-line tool

Most of you, one day or another, may have come across an end-user permission issue and wanted to quickly verify the user's permissions in the domain. Let's say you are at an end user's workstation and have limited or no access to remote admin tools. Then I suggest going for the command-line tool whoami, a quick and easy tool that displays user, group and privilege information for the user who is currently logged on to the local computer. This security command-line tool can be used on Windows Server 2008, Windows Vista and Windows 7.

If used without parameters, whoami displays the current domain and user name while the /all option would reveal information about the current access token, including the current user name, security identifiers (SID), privileges, and groups that the current user belongs to.

A typical example is when users report that they have no access to a specific shared resource in the domain. The following example lists the groups the logged on user is member of in a list format:

whoami /groups /fo list

In order to get just the info you need and remove the extra bits you can pipe the output to the find command as shown below:

whoami /groups /fo list | find "Group Name"
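Instead of filtering the list format with find, whoami's CSV output can be parsed into objects, which also exposes the Attributes column the list filter drops. This added PowerShell example (not from the original post) checks whether a given group is present in the logged-on user's token and whether it is effective; the group name in the second call is a placeholder.

```powershell
# Check whether the current user's access token carries a group and whether
# that membership is effective. Added example, not from the original post.
function Test-TokenGroup {
    param([Parameter(Mandatory)][string]$GroupName)

    # whoami /groups /fo csv columns: "Group Name","Type","SID","Attributes"
    $groups = whoami /groups /fo csv | ConvertFrom-Csv

    # Match either a bare name or DOMAIN\name
    $hit = $groups | Where-Object {
        $_.'Group Name' -eq $GroupName -or $_.'Group Name' -like "*\$GroupName"
    } | Select-Object -First 1

    if (-not $hit) {
        return [pscustomobject]@{
            Group = $GroupName; Present = $false; Effective = $false; Attributes = ''
        }
    }

    # A group marked "Group used for deny only" (for example Administrators in a
    # non-elevated UAC token) is listed but can never grant access, which is a
    # common reason a user "is in the group" yet still cannot open the share.
    $effective = $hit.Attributes -notmatch 'deny only'
    [pscustomobject]@{
        Group = $GroupName; Present = $true; Effective = $effective; Attributes = $hit.Attributes
    }
}

Test-TokenGroup -GroupName 'Administrators'
Test-TokenGroup -GroupName 'FileShare-Users'   # placeholder group name
```

Run it in the same (non-elevated) session in which the user reproduces the access problem, since an elevated session has a different token.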
