Windows 7 – My Take

October 15th, 2011 by Sjan Evardsson

Having just completed a Microsoft certification (MCTS 073-680) I have learned more about Windows 7 (and some about Server 2008 R2) than I have in over a year of using it. To be fair, I do not use Windows 7 as my primary platform, but I do use it in a VM on a fairly regular basis. For the most part I pretty well like Windows 7, at least as far as Windows goes. But that is not the primary point of this post. I would like to point out what I feel are some security-related pros and cons of some new (and some not-so-new) features in Windows 7 and Server 2008.

BranchCache: In a typical main office / branch office setup with a file server in the main office, every time a user in the branch office opens a file from the file server (in the main office) it travels across the WAN link. This is not only a waste of limited bandwidth, but it is slow, leading to things like users copying files to their local machine, grabbing copies of several files onto a thumb drive while in the main office and even (I have seen this) emailing the file to their private (non-work) account. BranchCache helps out here, with only one copy of any file accessed going across the WAN to be cached in the branch office (thus the name). Every time the file is opened after that in the branch office it is opened from the local copy. The only time files are transferred across the WAN again is when they are modified on either end.

  • Pros:
    • Removes the need for users to come up with “creative” ways to get copies of files from the main office to work on.
    • Files are encrypted in transport.
    • Only one copy of any file is ever cached at the branch office, and it is kept up-to-date with the version at the main office.
  • Cons:
    • Requires Server 2008 R2 at the main office, with Active Directory and Certificate Services.
    • Using “Hosted” BranchCache (where the cache is held on a server in the branch office) requires Server 2008 R2 with Active Directory and Certificate Services at the branch location as well.
    • Using “Distributed” BranchCache (where the cache is held on the peer user machines in the branch office) can lead to more trips across the WAN for the files, since whenever a machine is powered down or unplugged from the network part of the cache goes down with it.

BitLocker: Full-drive encryption. Sweet! But … ?

  • Pros:
    • With a TPM the entire drive can be encrypted.
    • With a TPM, removing the drive and placing it in another machine means it will not boot without the presence of a recovery key.
    • Can require a USB key and password to boot.
  • Cons:
    • Without a TPM the drive cannot be locked to a particular boot environment.
    • With a TPM BitLocker can be configured to boot with nothing more required than the TPM itself. If you set it up this way, why bother? The machine will boot and the drive’s contents will be available regardless.
    • Only available for Windows 7 Enterprise or Ultimate editions.

Network Access Protection: This is a really good idea, and not limited to Server 2008 R2, but around since Server 2008. NAP allows a server to check connecting clients (either through VPN or DirectAccess) to make sure they are up-to-date with OS patches, have the proper version and patch level for software and anti-virus and are not running anything blocked through Group Policy Application Security settings.

  • Pros:
    • Computers that do not pass the NAP requirements can be shunted off to a quarantine network where the needed updates can be pushed to the computer before they are allowed to connect to the internal network.
    • NAP can enforce Application Security policies, and can keep remote users up-to-date with the patches and application versions used in the internal networks.
  • Cons:
    • NAP requires that connecting computers have the proper settings in their local Group Policy Object to allow DHCP or IPSec NAP Enforcement, which can make implementation difficult if they are not connected internally first, to get those Group Policy settings pushed to them.
    • NAP is likely to make some users unhappy when they cannot simply log on to the VPN and start to work, but instead are forced to wait for updates. This could cause the sort of push-back that makes admins likely to scrap these sorts of setups.

DirectAccess: I am so unsure about this one. The definition from TechNet:

DirectAccess allows remote users to securely access internal network file shares, Web sites, and applications without connecting to a virtual private network (VPN). ... DirectAccess establishes bi-directional connectivity with an internal network every time a DirectAccess-enabled computer connects to the Internet, even before the user logs on. Users never have to think about connecting to the internal network and IT administrators can manage remote computers outside the office, even when the computers are not connected to the VPN.

  • Pros:
    • DirectAccess connects via ports 80 and 443, meaning that it works from within most firewalls (in hotels, coffee shops, airports, etc).
    • Even when connecting via port 80 all DirectAccess communications are encrypted.
    • Bi-directional access means that admins in the internal network can access the connected machine as if it were in the internal network to push out Group Policy changes, provide remote assistance, etc.
  • Cons:
    • DirectAccess connects before the user even logs on. This means that if the machine is on and has internet connectivity it is connected to the internal network.
    • Since it does not require the user to take any action to connect (like connecting to a VPN) the user is less likely to be aware that anything they download (like this “really cool Java game”) also has access to the internal network.

A scenario: Company A and Company B both have Windows networks with Server 2008 R2 and traveling users with Windows 7 Enterprise laptops with a TPM. Both companies have set the laptops up with BitLocker full drive encryption and boot protection. Both companies have set the laptops up with DirectAccess. Company A is quite a bit stricter than Company B, however. Company B’s laptops are set to boot automatically without a USB key or password, while Company A requires both. Further, the local Group Policy security settings on Company A’s laptops will log the user off and shut down the computer if the USB key is removed. Company A has gone a step further in implementing NAP to ensure that all their traveling computers are always up-to-date.

While User A (from Company A) and User B (from Company B) are having drinks in an airport lounge their laptops are stolen. Both User A and User B think p@ssw0rd is a good enough password. The thief opens the laptop from Company A and cannot boot it without the USB key which is in User A’s pocket. The Company A laptop is only as useful to the thief as the hardware. The Company B laptop, however, will boot (automatically decrypting the drive) and will also connect to Company B’s internal network. A couple guesses later the thief is logged on as the laptop’s user and connected to Company B’s internal network with all the access that the user would have were they plugged in locally.

There is room to implement a great deal of security in Windows 7, but there is also a lot of room to totally mess it up. As I said earlier, I am not sure that DirectAccess is such a good idea, but I guess it depends on how the rest of the system is configured and how well users are educated.

Using the COM class for PHP backgrounding in Windows

July 2nd, 2008 by Sjan Evardsson

I was having a difficult time finding a reliable way to run a background PHP process in Windows when it is called from an active PHP page. In the *nix world it is relatively simple: by using shell_exec() (or the backtick operator) you can redirect the output to another stream or file and the process will run in the background with no blocking. In Windows, however, this doesn’t seem to work well (or at all, depending on what you are calling via shell_exec()). I did find the answer, though, by piecing together info from the PHP documentation for shell_exec() and the COM class.

That, plus a little trial and error, let me get a PHP page to fire off a command-line PHP process to run an import of several years’ data into a new reporting schema. Since this import relies on some serious data manipulation it has a tendency to time out for large data sets. So, I set up the command line script to run six months’ worth of data and, before it exits, start a new background process for the next six months of data. In this way I was able to complete a many-hour process without worrying about timeouts. I did notice that when running in the background (actually in an “invisible” command shell) the process ran slower than when running in the foreground. This was acceptable, however, since the page returns immediately while the processing begins and the application is still usable while the process is running.

Here is how I call it from the page:

if(isset($_SERVER['PWD'])) { // *nix
    $basepath = dirname(__FILE__).'/';
    $php = 'php';
} else {
    $basepath = dirname(__FILE__).'\\';
    // edit to match your installed target environment
    $php = "C:\\php516\\php.exe";
}
ignore_user_abort(true);
set_time_limit(0);
$arg1 = 'foo';
$arg2 = 'bar';
$runCommand = "$php -q {$basepath}my_background_running.php $arg1 $arg2";
if(isset($_SERVER['PWD'])) { // *nix
    // *nix: Use the backtick operator or shell_exec()
    $nullResult = `$runCommand > /dev/null &`;
} else { // Windows: use the php COM class
    // WScript.Shell gives you the command line
    $WshShell = new COM("WScript.Shell");
    $oExec = $WshShell->Run($runCommand, 7, false);
}

I do the same from the background script to call itself recursively right before it exits.
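The self-chaining background script the post describes, as an added example that is not from the original post: it imports one six-month window and relaunches itself for the next one until a stop date is reached. The import_range() routine is a hypothetical stand-in for the real import, and the dates are assumed to arrive as YYYY-MM-DD command-line arguments.

```php
<?php
// Added example (not from the original post): the self-chaining background
// script the post describes. It imports one six-month window, then launches
// itself for the next window until the overall stop date is reached.
// Assumed: import_range() below stands in for the real import routine.
function is_windows() {
    return strtoupper(substr(PHP_OS, 0, 3)) === 'WIN';
}

// Both dates arrive as command-line arguments (from the launching page or from
// the previous run). They end up on a command line, so accept only YYYY-MM-DD
// and refuse anything else rather than trying to sanitize it.
function parse_date($s) {
    if (!preg_match('/^\d{4}-\d{2}-\d{2}$/', $s)) {
        fwrite(STDERR, "bad date argument: $s\n");
        exit(1);
    }
    return new DateTime($s);
}

// Placeholder for the heavy data manipulation over [$start, $end).
function import_range(DateTime $start, DateTime $end) {
    error_log('importing ' . $start->format('Y-m-d') . ' to ' . $end->format('Y-m-d'));
}

function launch_background($cmd) {
    if (is_windows()) {
        // 7 = minimized without focus, false = return without waiting
        $shell = new COM('WScript.Shell');
        $shell->Run($cmd, 7, false);
    } else {
        shell_exec($cmd . ' > /dev/null 2>&1 &');
    }
}

ignore_user_abort(true);
set_time_limit(0);
$start = parse_date(isset($argv[1]) ? $argv[1] : '');
$stop  = parse_date(isset($argv[2]) ? $argv[2] : '');  // end of the whole import
$end   = clone $start;
$end->add(new DateInterval('P6M'));
if ($end > $stop) {
    $end = $stop;
}
import_range($start, $end);

// Stop condition: no relaunch once the last window is done, otherwise the
// chain would run forever.
if ($end >= $stop) {
    exit(0);
}

// Same interpreter path as in the post on Windows; plain "php" on *nix.
$php = is_windows() ? 'C:\\php516\\php.exe' : 'php';
// escapeshellarg() quotes every argument so the command line is never built
// from raw strings, even though the dates were already validated above.
$cmd = escapeshellarg($php) . ' -q ' . escapeshellarg(__FILE__) . ' '
     . escapeshellarg($end->format('Y-m-d')) . ' ' . escapeshellarg($stop->format('Y-m-d'));
launch_background($cmd);
```

The launching page would start the chain with the overall start and stop dates as the two arguments, and each run hands the next window start plus the unchanged stop date to its successor.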

I didn’t find the Microsoft documentation for the Windows Script Host Shell until today during lunch. I found the location in the Practical PHP Programming Online Book where he says to use the Google search “wshell object” msdn which will result in the first link pointing at the MSDN documentation. (I have a feeling it moves around quite a bit, since every link I have run across up to now that points directly at the documentation results in a nice 404 error page at Microsoft.)

Boot Camp + Parallels + XP = Validation Nightmare

April 11th, 2007 by Sjan Evardsson

I have been running XP (WinXP Pro, SP2, retail version) under Parallels for a bit, and decided I wanted to give the Boot Camp with Parallels option a try. After finding some rather lengthy and questionable instructions on moving a Parallels image to a Boot Camp partition I decided to go the clean install route.

I deleted my Parallels XP image (and subsequently ended up wishing I hadn’t) and used the Boot Camp assistant to set up my hard drive and install XP. I got XP set up and running, but had to call Microsoft to get it ‘activated’ since it saw it as a new install. Once that was taken care of I installed Office, and got the same kind of headache there – where the key wouldn’t work, because it said it had been installed on too many machines. I decided to leave that be for the time until I felt like waiting on the MS phone queue again.

I rebooted into OS X and loaded my now ‘active’ and ‘valid’ Windows XP under Parallels. As soon as it booted it gave me the message that I had 3 days to activate it as the hardware had changed significantly and it was no longer valid. I didn’t feel like fighting it so I closed down Parallels and rebooted into XP where, surprise, I got the 3 day warning again!

So not only does loading the same image in a VM result in XP thinking it isn’t a valid copy, but it changes something in the registry somewhere, so that booting back in natively results in the same thing. I thought the concept of hardware profiles would help with this sort of thing, but apparently not. This is something that MS needs to address sooner rather than later as multicore machines make virtualization more common and loading a native image in a VM becomes a more common way of doing that.

An interesting side note: I got fed up with the whole validation issue and removed the XP partition and re-installed XP under Parallels the same way I did originally. I expected the phone calls for the XP key and the Office key etc, etc – but, it just accepted the keys and validated no questions asked.


Vista Speech Command exploitable

January 31st, 2007 by Sjan Evardsson

Talk about fast! George Ou at zdnet posted an article about this particular gem.

Essentially, a user with the Speech Command feature enabled can browse to a web page which starts a sound file (like just about every mySpace page) containing clearly recorded commands, and the Speech Command feature will execute those commands without any other user interaction. While not every command is enabled through Speech Command, George explains why you should disable Speech Command until there is a fix:

The fact that a website can play a moderate level sound file to interact in a way with the desktop by activating an idle speech command system and be able to delete user documents with zero user interaction is serious by any stretch of the imagination.

Update: Microsoft has confirmed this exploit.


Cure for the External Drive Blues

January 26th, 2007 by Sjan Evardsson

I have been looking all over for a way to format an external drive so that I can use it under Linux, Windows and OS X. The reason for this is simple, I currently use Windows and Linux all the time, and I am planning on upgrading my rig to a MacBook Pro just as soon as I can. Since I expect to be running OS X, Windows and Linux I needed to find a format for my 300GB external drive that would work with all of them.

While FAT32 is an option, it has some serious limitations. Like a maximum file size of 1 byte less than 4 GB. That and the way that FAT32 partitions over 32 GB (while supported under Windows) tend to get a little, shall we say, flaky.

Before today what I had found was as follows:

OS          File System    Read         Write
Windows XP  Ext2 / Ext3    application  no
            HFS+           application  no
            NTFS           native       native
Linux       Ext2 / Ext3    native       native
            HFS+           in kernel    in kernel
            NTFS           in kernel    no
OS X        Ext2 / Ext3    no           no
            HFS+           native       native
            NTFS           in kernel    no

Note: native = default or standard in a “vanilla” install | in kernel = modules available for kernel insertion, although not default.

Well, that was before I found these today: kernel modules for both OS X and Windows for full read and write support of Ext2 / Ext3 file systems. I have installed Ext2 IFS for Windows and pounded on it already. It works (so far) like a charm. I don’t yet have a Mac to test the Mac OS X Ext2 Filesystem but I will do so as soon as I can. Assuming they are building this as a loadable module for the Darwin kernel (does the OS X Darwin kernel allow insmodding?) then it should be a snap. What surprised me is that the Ext2 IFS for Windows is an actual NT Kernel module, not an app or service. It’s actually kind of cool to see my Linux partitions show up under XP as lettered drives!

MS Word 0-day: Round 3

December 15th, 2006 by Sjan Evardsson

Yesterday eWeek reported another 0-day exploit for Microsoft Word. While Microsoft has not publicly acknowledged the threat, CERT has issued a bulletin warning of it and a POC has been released publicly.

From the CERT bulletin:

Data used by Microsoft Word to construct a destination address for a memory copy routine is embedded within a Word document itself. If an attacker constructs a Word document with a specially crafted value used to build this destination address, then that attacker may be able to overwrite arbitrary memory.

According to the eWeek article, currently only BitDefender recognizes the threat. Testing on a fully patched and up-to-date WinXP SP2 I can at least vouch that AVG doesn’t recognize it as a threat yet. Opening the POC in Microsoft Word results in successful execution of the exploit (which in the POC merely crashes Word.) Attempting to open the POC in OpenOffice results in OO reporting an error.

My recommendation: use .

Zero-Day Exploit Alert: WebViewFolderIcon setSlice Vulnerability

October 4th, 2006 by Sjan Evardsson

This is a Critical exploit, capable of executing code as the user running Internet Explorer. Reports of this in the wild as well as a temporary patch can be found at the Internet Storm Center.
From the eEye Digital Security Alert:

The PoC is an integer overflow-based heap overflow, in the DSA_SetItem function in COMCTL32.DLL. An arithmetic overflow can occur during multiplication to calculate the desired size for a call to ReAlloc, that isn’t reproduced during a subsequent call to memmove, so the allocated size can be smaller than the copy size and result in a heap buffer overflow. …

This vulnerability can result in remote code execution in the context of the logged in user. In order to exploit this an attacker must create a malicious website or leverage a site that allows for custom user content.

While the vulnerability was posted on the Browser Fun Blog on July 18th, the exploit first appeared over the weekend. The Microsoft Security Advisory has details on how to patch manually and how to apply the manual change to group policy.

Affects:

  • Windows 2000 Service Pack 4
  • Windows XP Service Pack 1
  • Windows XP Service Pack 2
  • Windows Server 2003
  • Windows Server 2003 Service Pack 1
  • Windows XP Professional x64 Edition
  • Windows Server 2003 for Itanium-based Systems
  • Windows Server 2003 with SP1 for Itanium-based Systems
  • Windows Server 2003 x64 Edition

Code for IE exploit posted

September 17th, 2006 by Sjan Evardsson

Hackers Post Code for New IE Attack

Although the hackers are calling it a 0day exploit, it seems that it isn’t really. It is one of many that can be easily found using the AxMan ActiveX fuzzing engine. It seems that the guys over at xsec.org are trying to take more than reasonable credit for writing code to exploit a known vulnerability.

HD Moore, head of the Metasploit project was quoted in the article as saying:

“This is one of the many exploitable bugs that can be discovered using AxMan and one of the few that I didn’t include in Month of Browser bugs due to the ease of exploitation. I still have three or four left in IE that have similar impact.”

There is also a Secunia Advisory related to this exploit.

Here they come . . .

August 14th, 2006 by Sjan Evardsson

In the eEye security bulletin for today comes the news of not just one, but two worms in the wild based on the Server Service vulnerability. If you still haven’t patched, do it now, unless you’ve been infected, in which case eEye recommends “to wipe the system clean and rebuild it from the last uninfected backup.”

Patch! Patch! Patch!

August 11th, 2006 by Sjan Evardsson

As much as this should be ingrained in our computing habits, this still needs to be said: Apply patches when they come out!

The Microsoft Security Bulletin MS06-040 came out on the 8th, and a module to exploit the flaw came shortly after. Tech e-zine eWeek reported that Immunity and Core Security Technologies had both released what they deemed “reliable exploits” for the flaw and declared it wormable on all Windows versions.

Dave Aitel, CEO of Immunity said in an interview with eWeek “A worm is coming. This bug is just too easy to exploit.”

This is a vulnerability that would allow for remote takeover of an unpatched Windows machine. It will be interesting to see how widespread the damage is when (not if) a worm is released.

Patches are available from the bulletin (follow the links) or from Windows Update.