At work, I’m working on a registry key permission error.  Something which worked on Windows 2000, now doesn’t work on Windows XP.  It’s security related, hope to solve it today.

One of the questions I had was: “What are the default registry security permissions for Windows 2000 and Windows XP?”  Couldn’t find anything.

So I created my own, using the Microsoft Sysinternals AccessEnum tool.  The above graph just shows how much Microsoft has tighten registry security, from operating system to operating system.

You can find the attached spreadsheet summary here.

And I only just realised it now. *
Now I’m not going to complain about Microsoft.  If you have a valid license key, you should activate it. 

But I don’t want to activate Windows as I’m just doing some tests, part of the Undelete series of posts.  And before someone says “Dude, you should activate it.”.  Well, in future,  I don’t want to go though the re-activation hell process, with some worker based offshore.

But Microsoft does offer a work-around, Automatic Updates, but I just don’t care for it.

Perhaps the fact that AU has rebooted my PC in a middle of a 4GB download has soured my experience.

So what to do instead?  Not patch?  No, you have to patch, it’s the prudent thing to do.

No, instead, I grabbed a copy of AutoPatcher.  I wrote about AutoPatcher here.  To recap, I like it because it works, and it’s free.  And 66 updates later, Windows XP will be a little bit more secure.

* most of the Windows XP installs I work with have a Corporate license which is already activated. (a VLK.  In Microsoft Vista/Windows 7 licensing speak, it’s a MAK type key)

Had this error while trying to update a Windows 2000 SP4 test box.  As it’s a test box, it has the bare minimum installed.

Microsoft’s solution?

• clean the Internet Explorer cache
• Delete some files in the WindowsUpdate directory
• Delete some DLL’s.

None of those worked.

The actual solution which worked for me? Install Internet Explorer 6.

Other things I could have tried?  Autopatcher, which I wrote about here. Except that Autopatcher no longer supports Windows 2000. 
Or apply the patches one by one, after running an MBSA scan? Maybe.

IE6?  Well I did say it was a test box.

on a Windows XP PC.  As I wrote in Windows Update: Network policy settings prevent you from using this website …, you’d often see a Windows Update error when your Corporate IT types block access on purpose.

But wait!  I’m my Corporate IT type!  What did I do to break it for myself???

Well somewhere along the line, I configured a system group policy to block access to Windows Update, and I ended up tripping over my own trap.

The solution/work-around was to delete the
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate - "DisableWindowsUpdate" key.

Once I did that, the Windows Update site worked with no errors.

You can download a .reg file which does that, and the other two registry keys I mentioned in the earlier article, right here.

You might have seen this cartoon here before, but it’s worth repeating, as it’s that time of month.

In some cases, passwords need to longer than the 12 digit codes needed to arm a nuclear weapon.

I’m not the first to notice this. Jesper M. Johansson wrote about in-actionable security advice in an Microsoft Technet magazine article series called Passwords and Credit Cards.

So how do people remember passwords?

1. Write them down and stick them under a keyboard (aka Koolpin$Gorge*)
2. Store them in a password spreadsheet/document?
3. Use a password manager?

It’s option 3 for me.  I use the LastPass password manager. But here are some others to consider:

* a server, for a sensitive organisation, had the server password stored under the server keyboard.
Koolpin Gorge was where the server guy took his last annual leave.

edited 21 September: let’s make it 8 password managers, thanks for the comments folks.
edited 12 October: added Passgen tool description and link.
edited 27 May: added Password Minder.
edited 31st October: added Microsoft Credential Manager & Sticky Password

This is a small script I wrote many years ago to uninstall security patches.  I customise it when I need it.

In this example, I’ve customised it for MS09-032, but the principles apply to most patches.

Note that I don’t check for admin rights, I’m assuming that I’ll be using a desktop software deployment tool to run it on the user’s desktop.

' VBscript to roll back a security patch, in this case MS09-032.
‘ Dale Robinson – 2006 –> 2009

Option Explicit
On Error Resume Next

Dim bUninstallFileExists, OSSystemRoot, objWSHShell, objEnv, sMS09032Installed, sPatchCmd,sUninstallExe

Set objWSHShell = WScript.CreateObject("WScript.Shell")
Set objEnv = objWSHShell.Environment("Process")

' MS09-032 sets this registry key if it's installed.


(more…)

It was a Microsoft Word (VBA) application written back in 2001.

Essentially what it does is:

1. user selects a letter type.
2. the user then enters some customer reference numbers.
3. the VBA application does an Oracle database lookup to convert those customer reference numbers into names and postal addresses.
4. which the VBA then uses to “mail merge” into whatever number of letters need to be sent out.

And it was broken.

I had a feeling that writing about patch management policy would come back to bite me (and it did).

(more…)

… from using this website to get updates for your computer.
If you believe you have received this message in error, please contact your system administrator.”

This often happens on Corporate networks because your Corporate IT guys don’t want you to apply updates which they have not been approved.
As updates can break things.  (see tomorrow’s post for an example of a patch which breaks things).

But what if you’re the Corporate IT guy and you want to apply patches for testing?

You need to change two registry keys:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate
set DisableWindowsUpdateAccess to 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
set NoWindowsUpdate to 0

You can download a .reg file which does that here.

This post brought you by my frustration in having to find these registry keys every month, and my co-worker Ant, who recently asked “how do I disable the policy?”

Update: and if it still doesn’t work, have a read of Windows Update website – Error 0×80240025.

A good patch management policy is needed to protect you from risk, and to encourage the attacker to find easier/unpatched victims.  Selfish but true.

1. Know your risk.
   Security is risk management, it’s as simple as that.
   Know your environment, and the vulnerabilities which apply.
   Determine what is more critical to patch first.
   Rule of thumb: servers should be patched first
2. Have some sort of patch management system.
   You need to somehow to get the patches out to your computers, and that “somehow” is a deployment tools (Microsoft SMS/SCCM/WSUS, Shavlik)
   A good patch management product will also allow third-party patch rollout (ie. Adobe Flash, Adobe Reader, Firefox etc.)
3. Deploy your patches to pilot groups first.
   There is no sense in deploying a patch everywhere, if it breaks something.  If you do that, it’s just like deploying a virus.
4. Make sure your Pilot Group:
   * pilot group deployment list is up to date (people change their job positions, computers are replaced).
   * that your Pilot Group Testers are aware that they need to report any problems they’re found.
5. Have a back-out process.
   If the patch does break something, you should know how to uninstall it.
6. Use a mailing list like BugTraq
   Know what threats have been created.  And migrate against them as soon as possible.

Ever take one of those Facebook quizzes to find out which superhero most resembles your dog, or have a friend who seems to spend most of their life doing so? Then you might be in for a surprise when you take this quiz and learn just how much of your personal information these quizzes can access.

Even if your Facebook profile is “private,” when you take a quiz, an unknown quiz developer could be accessing almost everything in your profile: your religion, sexual orientation, political affiliation, pictures, and groups. Facebook quizzes also have access to most of the info on your friends’ profiles. This means that if your friend takes a quiz, they could be giving away your personal information too.

But don’t take our word for it – take this quiz and see for yourself!

(And, yes, we know it’s a little weird to warn you about Facebook quizzes by asking you to take a Facebook quiz – but at least you know who we are and that we have a real privacy policy that we’re committed to upholding. Can you say the same for every unknown author of every quiz you or your friends take?)

It’s amazing what information a quiz/application can collect from your profile.

You can change what information is available by going in Privacy –> Applications.