Default security permissions on Windows Registry keys.

Registry keys with permissions

At work, I’m working on a registry key permission error.  Something which worked on Windows 2000, now doesn’t work on Windows XP.  It’s security related, hope to solve it today.

One of the questions I had was: “What are the default registry security permissions for Windows 2000 and Windows XP?”  Couldn’t find anything.

So I created my own, using the Microsoft Sysinternals AccessEnum tool.  The above graph just shows how much Microsoft has tightened registry security, from operating system to operating system.

You can find the attached spreadsheet summary here.


What? WindowsUpdate doesn’t work with a non-activated Windows XP?

And I only just realised it now. *
Windows Activation Required

Now I’m not going to complain about Microsoft.  If you have a valid license key, you should activate it.

But I don’t want to activate Windows as I’m just doing some tests, part of the Undelete series of posts.  And before someone says “Dude, you should activate it.”  Well, in future, I don’t want to go through the re-activation hell process, with some worker based offshore.

Automatic updates

But Microsoft does offer a work-around, Automatic Updates, but I just don’t care for it.

Perhaps the fact that AU has rebooted my PC in the middle of a 4GB download has soured my experience.

So what to do instead?  Not patch?  No, you have to patch, it’s the prudent thing to do.

No, instead, I grabbed a copy of AutoPatcher.  I wrote about AutoPatcher here.  To recap, I like it because it works, and it’s free.  And 66 updates later, Windows XP will be a little bit more secure.
AutoPatcher - showing only 66 updates to apply.

* most of the Windows XP installs I work with have a Corporate license which is already activated. (a VLK.  In Microsoft Vista/Windows 7 licensing speak, it’s a MAK type key)


Windows Update website – Error 0x800C0002

Internet Explorer 5 About screen

Had this error while trying to update a Windows 2000 SP4 test box.  As it’s a test box, it has the bare minimum installed.

Microsoft’s solution?

  • Clean the Internet Explorer cache.
  • Delete some files in the WindowsUpdate directory.
  • Delete some DLLs.

None of those worked.

The actual solution which worked for me? Install Internet Explorer 6.

Other things I could have tried?  AutoPatcher, which I wrote about here. Except that AutoPatcher no longer supports Windows 2000.  :-(
Or apply the patches one by one, after running an MBSA scan? Maybe.

IE6?  Well I did say it was a test box.


Windows Update website – Error 0x80240025

on a Windows XP PC.  As I wrote in Windows Update: Network policy settings prevent you from using this website …, you’d often see a Windows Update error when your Corporate IT types block access on purpose.

But wait!  I’m my Corporate IT type!  What did I do to break it for myself???

Well somewhere along the line, I configured a system group policy to block access to Windows Update, and I ended up tripping over my own trap.

The solution/work-around was to delete the
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate - "DisableWindowsUpdate" key.

Once I did that, the Windows Update site worked with no errors.

You can download a .reg file which does that, and the other two registry keys I mentioned in the earlier article, right here.


Twelve Password Managers

Sorry - Your Password Isn't Not Long Enough

You might have seen this cartoon here before, but it’s worth repeating, as it’s that time of month.

In some cases, passwords need to be longer than the 12 digit codes needed to arm a nuclear weapon.

I’m not the first to notice this. Jesper M. Johansson wrote about in-actionable security advice in a Microsoft TechNet magazine article series called Passwords and Credit Cards.

So how do people remember passwords?

  1. Write them down and stick them under a keyboard (aka Koolpin$Gorge*)
  2. Store them in a password spreadsheet/document?
  3. Use a password manager?

It’s option 3 for me.  I use the LastPass password manager. But here are some others to consider:

Name and download link: Comments

  • 1Password: Macintosh only, as used by Leo Laporte.
  • LastPass: I use this.  There is a portable version called “LastPass Pocket”.  Does form-filling as well.
  • Keepass: Free.
  • Microsoft Credential Manager: Free with Windows 7.  Stores Windows and website logons.
  • Passgen: Written by the great Jesper M. Johansson.  Hosted by Steve Riley.  Not a password manager as such.
  • Passpack: They blog! (thanks Louise)
  • Password Manager XP: I know large companies which use this.
  • Password Minder: Written by Keith Brown.  Worth a look.
  • Password Safe: As mentioned by Jesper.  Free.
  • RoboForm: More of a "web form filling" application, but it stores passwords as well.  There is a Windows Mobile version.
  • Sticky Password: Evolved from the multi-Pass password manager.
  • UsableLogin: Generate unique secure passwords for each website you login to.

* a server, for a sensitive organisation, had the server password stored under the server keyboard.
Koolpin Gorge was where the server guy took his last annual leave.

edited 21 September: let’s make it 8 password managers, thanks for the comments folks.
edited 12 October: added Passgen tool description and link.
edited 27 May: added Password Minder.
edited 31st October: added Microsoft Credential Manager & Sticky Password


VBscript to uninstall a Microsoft security patch

This is a small script I wrote many years ago to uninstall security patches.  I customise it when I need it.

In this example, I’ve customised it for MS09-032, but the principles apply to most patches.

Note that I don’t check for admin rights, I’m assuming that I’ll be using a desktop software deployment tool to run it on the user’s desktop.

' VBscript to roll back a security patch, in this case MS09-032.
' Dale Robinson - 2006 -> 2009

Option Explicit
On Error Resume Next

Dim bUninstallFileExists, OSSystemRoot, objWSHShell, objEnv, sMS09032Installed, sPatchCmd, sUninstallExe

Set objWSHShell = WScript.CreateObject("WScript.Shell")
Set objEnv = objWSHShell.Environment("Process")

' MS09-032 sets this registry key if it's installed.

(more…)

The case of the broken Microsoft Word VBA application

It was a Microsoft Word (VBA) application written back in 2001.

Essentially what it does is:

  1. user selects a letter type.
  2. the user then enters some customer reference numbers.
  3. the VBA application does an Oracle database lookup to convert those customer reference numbers into names and postal addresses.
  4. which the VBA then uses to “mail merge” into whatever number of letters need to be sent out.

And it was broken.

I had a feeling that writing about patch management policy would come back to bite me (and it did).

(more…)

“Windows Update: Network policy settings prevent you

… from using this website to get updates for your computer.
If you believe you have received this message in error, please contact your system administrator.”

Network policy settings prevent you from using this website

This often happens on Corporate networks because your Corporate IT guys don’t want you to apply updates which they have not approved.
As updates can break things.  (see tomorrow’s post for an example of a patch which breaks things).

But what if you’re the Corporate IT guy and you want to apply patches for testing?

You need to change two registry keys:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate
set DisableWindowsUpdateAccess to 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
set NoWindowsUpdate to 0

You can download a .reg file which does that here.

This post brought you by my frustration in having to find these registry keys every month, and my co-worker Ant, who recently asked “how do I disable the policy?”

Update: and if it still doesn’t work, have a read of Windows Update website – Error 0x80240025.
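
The three policy values named in this post and in the Error 0x80240025 post can be checked from PowerShell before changing anything. This is an added example, not the author's .reg file: the `-Fix` switch and variable names are assumptions, and the registry paths and value names are copied from the posts as written.

```powershell
# Added example: report (and optionally clear) the Windows Update block policies.
# Without -Fix (a hypothetical switch name) the script only reports.
param([switch]$Fix)

$policies = @(
    @{ Path   = 'Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate'
       Name   = 'DisableWindowsUpdateAccess'
       Action = 'SetZero' },
    @{ Path   = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name   = 'NoWindowsUpdate'
       Action = 'SetZero' },
    # The SYSTEM account's hive (S-1-5-18), deleted rather than zeroed in the post.
    @{ Path   = 'Registry::HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate'
       Name   = 'DisableWindowsUpdate'
       Action = 'Remove' }
)

foreach ($p in $policies) {
    # A missing key or value returns nothing instead of raising an error.
    $item = Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        Write-Output ("{0}\{1}: not set" -f $p.Path, $p.Name)
        continue
    }

    $value = $item.($p.Name)
    Write-Output ("{0}\{1} = {2}" -f $p.Path, $p.Name, $value)

    if (-not $Fix) { continue }

    if ($p.Action -eq 'Remove') {
        Remove-ItemProperty -Path $p.Path -Name $p.Name
    } elseif ($value -ne 0) {
        Set-ItemProperty -Path $p.Path -Name $p.Name -Value 0
    }
}
```

Writing to HKEY_LOCAL_MACHINE and HKEY_USERS\S-1-5-18 needs an elevated session, and if a Group Policy object still configures these settings the next policy refresh will put the values back.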


A good patch management policy

A good patch management policy is needed to protect you from risk, and to encourage the attacker to find easier/unpatched victims.  Selfish but true.

  1. Know your risk.
    Security is risk management, it’s as simple as that.
    Know your environment, and the vulnerabilities which apply.
    Determine what is more critical to patch first.
    Rule of thumb: servers should be patched first.
  2. Have some sort of patch management system.
    You need to somehow get the patches out to your computers, and that “somehow” is a deployment tool (Microsoft SMS/SCCM/WSUS, Shavlik).
    A good patch management product will also allow third-party patch rollout (ie. Adobe Flash, Adobe Reader, Firefox etc.)
  3. Deploy your patches to pilot groups first.
    There is no sense in deploying a patch everywhere, if it breaks something.  If you do that, it’s just like deploying a virus.
  4. Make sure that your Pilot Group:
    * deployment list is up to date (people change their job positions, computers are replaced).
    * testers are aware that they need to report any problems they’ve found.
  5. Have a back-out process.
    If the patch does break something, you should know how to uninstall it.
  6. Use a mailing list like BugTraq.
    Know what threats have been created.  And mitigate against them as soon as possible.


Facebook Privacy Quiz

ACLU-NU

Ever take one of those Facebook quizzes to find out which superhero most resembles your dog, or have a friend who seems to spend most of their life doing so? Then you might be in for a surprise when you take this quiz and learn just how much of your personal information these quizzes can access.

Even if your Facebook profile is “private,” when you take a quiz, an unknown quiz developer could be accessing almost everything in your profile: your religion, sexual orientation, political affiliation, pictures, and groups. Facebook quizzes also have access to most of the info on your friends’ profiles. This means that if your friend takes a quiz, they could be giving away your personal information too.

But don’t take our word for it – take this quiz and see for yourself!

(And, yes, we know it’s a little weird to warn you about Facebook quizzes by asking you to take a Facebook quiz – but at least you know who we are and that we have a real privacy policy that we’re committed to upholding. Can you say the same for every unknown author of every quiz you or your friends take?)

It’s amazing what information a quiz/application can collect from your profile.

You can change what information is available by going to Privacy –> Applications.

Facebook applications & quizzes can see Profile picture/basic & personal info, current location, work/education history; and on it goes.

