March 2007

Repairing the Windows Firewall

Today, I happened upon a customer’s Windows server that had a broken firewall. The firewall was not even enabled which explained why it was not working (duh). But when I went to enable it, the selection was grayed out! A check of the group policies revealed that a GPO was not controlling the setting. At this point it was clear that the server’s security had been compromised.

After a rootkit and antivirus scan came up clean I proceeded to get the firewall up and running until a replacement server could be brought online later that day. Here is the process I used to get it back online. Incidentally, I did these steps over a Remote Desktop connection and maintained connectivity (except for reboots) the entire time. I performed these steps on a Windows Server but I believe they will work for a Windows XP computer. Another error I have seen is “Due to an unidentified problem, Windows cannot display Windows Firewall settings.”

If you just want to re-enable the ability to turn on the firewall, delete the following registry keys.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile

To re-install the Windows Firewall service itself, copy the following text into a Notepad document and save it as Sharedaccess.reg (the file must use plain straight quotes, which Notepad preserves).

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"DependOnGroup"=hex(7):00,00
"DependOnService"=hex(7):4e,00,65,00,74,00,6d,00,61,00,6e,00,00,00,57,00,69,00,\
6e,00,4d,00,67,00,6d,00,74,00,00,00,00,00
"Description"="Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network."
"DisplayName"="Windows Firewall/Internet Connection Sharing (ICS)"
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"ObjectName"="LocalSystem"
"Start"=dword:00000002
"Type"=dword:00000020

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch]
"Epoch"=dword:00002cd0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
69,00,70,00,6e,00,61,00,74,00,68,00,6c,00,70,00,2e,00,64,00,6c,00,6c,00,00,\
00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup]
"ServiceUpgrade"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate]
"All"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum]
"0"="Root\\LEGACY_SHAREDACCESS\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

Right-click Sharedaccess.reg and select merge.

Reboot the server.

Reset the firewall rules back to the default settings to get rid of any unwanted rules the attacker may have configured.

netsh firewall reset

Configure the firewall to allow approved network traffic such as Remote Desktop and Web connections.

Get rid of any unwanted Winsock Layered Service Providers (LSP).

netsh winsock reset catalog

Double-check to make sure Remote Desktop connections are allowed by the firewall.

Reboot

The server should still be considered “contaminated”, so get a fresh installation of Windows up and running as soon as possible to replace the current server.

Windows


Archiving Windows Event Logs - A Free Solution

I’ve been saving event log files for a long time. But doing this with Windows event logs has always been awkward. I have used third party solutions and self-written scripts but neither have been ideal. So here’s the latest solution I’m trying out. It’s simple, elegant and uses group policy. Event logs archiving with GPO

Windows


Robocopy Exit Codes

Every once in a while I go looking for these return codes and end up spending several minutes searching the Internet for them. Of course, this time I ended up finding them in the obvious place - the README for Robocopy. Here they are, for posterity.

The return code from Robocopy is a bit map, defined as follows:

Hex Bit Value   Decimal Value   Meaning If Set
0x10            16              Serious error. Robocopy did not copy any files. This is either a usage error or an error due to insufficient access privileges on the source or destination directories.
0x08            8               Some files or directories could not be copied (copy errors occurred and the retry limit was exceeded). Check these errors further.
0x04            4               Some Mismatched files or directories were detected. Examine the output log. Housekeeping is probably necessary.
0x02            2               Some Extra files or directories were detected. Examine the output log. Some housekeeping may be needed.
0x01            1               One or more files were copied successfully (that is, new files have arrived).
0x00            0               No errors occurred, and no copying was done. The source and destination directory trees are completely synchronized.

You can use this information in a batch file to report the most serious anomalies, as follows:

if errorlevel 16 echo ***FATAL ERROR*** & goto end
if errorlevel 8 echo **FAILED COPIES** & goto end
if errorlevel 4 echo *MISMATCHES* & goto end
if errorlevel 2 echo EXTRA FILES & goto end
if errorlevel 1 echo Copy successful & goto end
if errorlevel 0 echo --no change-- & goto end
:end

Alternatively, full details of the return code could be reported as follows:

if errorlevel 16 echo ***FATAL ERROR*** & goto end
if errorlevel 15 echo FAIL MISM XTRA COPY & goto end
if errorlevel 14 echo FAIL MISM XTRA & goto end
if errorlevel 13 echo FAIL MISM COPY & goto end
if errorlevel 12 echo FAIL MISM & goto end
if errorlevel 11 echo FAIL XTRA COPY & goto end
if errorlevel 10 echo FAIL XTRA & goto end
if errorlevel 9 echo FAIL COPY & goto end
if errorlevel 8 echo FAIL & goto end
if errorlevel 7 echo MISM XTRA COPY & goto end
if errorlevel 6 echo MISM XTRA & goto end
if errorlevel 5 echo MISM COPY & goto end
if errorlevel 4 echo MISM & goto end
if errorlevel 3 echo XTRA COPY & goto end
if errorlevel 2 echo XTRA & goto end
if errorlevel 1 echo COPY & goto end
if errorlevel 0 echo --no change-- & goto end
:end
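The batch files above rely on `if errorlevel N` matching any errorlevel greater than or equal to N, which is why they test from 16 downward. As an added example (not from the Robocopy README or the post), the same bit map decoded in Python, so a scheduled-task wrapper can tell "extra files" noise apart from copies that actually failed:

```python
# Robocopy's exit status as a bit map, per the table above; highest bit = most serious.
ROBOCOPY_BITS = (
    (0x10, "FATAL", "serious error, nothing copied (usage error or access denied)"),
    (0x08, "FAIL",  "some files/dirs not copied, retry limit exceeded"),
    (0x04, "MISM",  "mismatched files/dirs detected, housekeeping probably needed"),
    (0x02, "XTRA",  "extra files/dirs detected, some housekeeping may be needed"),
    (0x01, "COPY",  "one or more files copied successfully"),
)

def decode_robocopy_rc(rc):
    """Return the flag names set in a Robocopy return code, most serious first."""
    if not 0 <= rc <= 0x1F:
        raise ValueError("not a Robocopy bit map: %r" % rc)
    return [name for bit, name, _ in ROBOCOPY_BITS if rc & bit] or ["no change"]

def most_serious(rc):
    """The single label the first batch file above prints: 'if errorlevel N' is true
    for any errorlevel >= N, so the highest set bit wins."""
    return decode_robocopy_rc(rc)[0]

def robocopy_failed(rc):
    """True when a job should be reported as failed: bits 8 and 16 mean data did not
    arrive, while 1, 2 and 4 are informational."""
    return bool(rc & 0x18)

def explain(rc):
    """One-line summary for a job log or alert."""
    flags = decode_robocopy_rc(rc)
    details = [d for _, n, d in ROBOCOPY_BITS if n in flags] or ["no errors, nothing to do"]
    return "rc=%d [%s]: %s" % (rc, " ".join(flags), " | ".join(details))

if __name__ == "__main__":
    for rc in (0, 1, 3, 7, 9, 16):
        print(explain(rc), "-> FAILED" if robocopy_failed(rc) else "-> ok")
```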

Utilities


Asynchronous UI in Windows Server 2003 Service Pack 2 (sp2)

So Windows Server Service Pack 2 is out now. One of the new features it includes is Asynchronous UI. It sounds intriguing but what is it?

If you are creating a Microsoft® Windows® Forms application, and have an object with methods that may take some time to execute, you may want to consider writing an asynchronous API. Say, for instance, you have an object that downloads large files from a remote location. Without an asynchronous API, a client’s UI would freeze for the duration of the call. With an asynchronous UI, the client’s UI would not freeze. You could even construct the asynchronous API in such a way as to give progress updates to the caller, and give the client the opportunity to cancel the call. Few situations are as frustrating as a frozen UI that can only be cancelled by resorting to Task Manager.

Programmers will have to write this into their applications but it sounds promising.

Windows


Windows Server Service Pack 2 Does not Include KB931836

A quick note on the Windows Server 2003 SP2. I did a fresh install of an x64 server and ran the Service Pack 2 update. After rebooting, I ran Windows Updates and it turns out that KB931836 is not included in the service pack. It’s not a big deal to me but I did find it interesting and thought I would share.

Windows


Running Logon Scripts Using Elevated Privileges

For Windows, this is way more difficult than it should be. Unix/Linux solved this problem many, many years ago. The fact that Microsoft still hasn’t solved it is amazing to me. Fortunately, there are some third party products to help out the everyday, hardworking Windows sysadmin.

RunAs Professional
RunAs Professional is a substitute for Microsoft’s command runas.
RunAs Professional solves the problem that the normal runas does not support a command-line password parameter.

RUNADMINBAT
Create a batch file (for example a logon script) for users. The batch file contains commands that require administrative privileges. Five steps to use the “runas” function from Windows 2000 and Windows XP pro with “runadminbat” in your scripts. No additional installation on your clients is necessary.

Encrypted RunAs
Encrypted RunAs is a small utility that is designed to make the job of Administrators a little easier; it can be used to run applications or software installations with access rights a standard user does not have.

TqcRunas
The power of RUNAS made scriptable, easy and secure.

NetExec
NetExec is a multisession extension for Windows NT and Windows 2000. Using NetExec it is possible to log on to a system with multiple accounts at the same time. So you can work with more than one user account simultaneously and switch between them without logging off and on.

CPAU
Command-line tool for starting a process in an alternate security context. Basically this is a runas replacement. It also allows you to create job files and encode the ID, password, and command line in a file so it can be used by normal users.

Utilities
Windows


How to Determine if SpeedScreen is Enabled on a Citrix ICA Client Connection

Open the Citrix Management Console and go to the Servers container. Select the Users Tab and double-click on a user’s session. Go to the Client Modules tab. If vdzlcn.dll is present, the connection is using SpeedScreen. The ZL stands for “Zero Latency” features. Page 397 of the Citrix MetaFrame XP Advanced Technical Design Guide says that vdzlcn.dll is the SpeedScreen module.

Citrix


The Only Document You Need for Exchange DST Updates?

I’ve been following the Windows/Exchange DST issue for some time now and finally got around to doing the updates on my systems. Throughout February, I followed KB articles which were updated almost daily, Web seminars, blogs, chats and newsgroups.

Microsoft’s documentation has settled down and most of the conflicting or ambiguous sections have been resolved so I thought it was a good time to update everyone’s computers and calendars. Besides, March 11th is right around the corner. So after going through volumes of Microsoft’s information, I followed KB 930879, step-by-step and it was all I needed! Oh well. At least I was prepared.

Exchange Server
Windows
