04/18/11

Permalink 08:56:31 am, by Fred Parks, 184 words
Categories: General Security, Systems Security Management

User account not shown in Active Directory unless Advanced Mode enabled - Cisco Unity is the Culprit

I recently ran into a situation where certain users in Active Directory were just not showing up for some administrators while other admins could see them just fine. Upon further investigation it became evident that if the Advanced Mode of Active Directory Users and Computers was not enabled, the user accounts were hidden. Using the Attribute Editor tab of the user's account I took a look at the attribute "showinAdvancedViewOnly" and sure enough the setting was enabled.

Cisco Unity was installed in this environment and the users that were not showing up in AD also happened to have the setting "Show subscriber in email server address book" unchecked in Unity. Unity was not only making the change that was intended for removing the user from the address book but was also setting the attribute "showinAdvancedViewOnly" as well.

If you experience the same issue the workaround is simple. Edit the attribute "showinAdvancedViewOnly" on the user's account with either the built-in Attribute Editor tab of the user account page (if you have AD 2008) or use a tool like ADSIedit or LDP.exe to perform the change.

Permalink 08:55:05 am, by Derrick Taylor, 122 words
Categories: Systems Security Management

Powershell scripting with ESX 4.x

 

VMWare now includes Powershell integration into their VI Toolkit releases. This allows us the ability to run cmdlets and scripts from Powershell to control your VMWare environment, making manual and time-consuming tasks much quicker and easier.

You can get the latest VI Toolkit here: http://communities.vmware.com/community/vmtn/vsphere/automationtools/powercli

The toolkit itself is regularly updated with new commands, so you'll want to make sure you keep it up to date. Once the toolkit is installed, it creates a shortcut to a new Powershell. This will launch Powershell with the VMWare cmdlets loaded. If you attempt to launch the old Powershell link and run any VMWare supported commands, they would fail because PowerShell would not be aware of them.

 

02/12/11

Permalink 10:17:35 am, by Derrick Taylor, 520 words
Categories: Systems Security Management

Disabling the Status Notification Pop-up in HP's Universal Print Driver.

HP's universal Print driver can help ease managing drivers for printers in a big way. It can help keep the server's driver repository cleaner, it helps to make setting a Print server up much easier, and it gives more management options.

 

That being said, there is one option, the "Status Notification Pop-up" which some IT professionals would prefer their users not be bothered with. This is a pop-up that shows up on any client's PC which uses the printer when they print, or if the printer has an issue like low toner, out of paper, etc.

 

In the printer's settings itself there is an option to disable the notifications. However once you change the setting, apply it, and close the properties page, the setting is not saved. There is a way to not only disable this option (on all existing and future printers,) but also grey it out so it cannot be changed.

 

This will work whether you have already installed and configured all of your printers or not. If you have already set them up, don't worry, any settings inside the printer's driver that you've changed will not be reverted back to defaults.

 

First you need the UPD (Universal Print Drivers',) Install.exe file. Open command prompt and get to the directory you have the install.exe file in. We'll just go with "folder" as our example for now:

 

C:\Folder

 

Now you can type install.exe /gdssnp /ni

The /gdssnp will make a registry change to disable the SNP, while the /ni will make it so the actual printer install doesn't happen but the other steps along the way will.

 

Running this command will also make it so any new printers created will not use it.

 

The whole process can take upwards of 45 minutes. There is a point to where you will think it's locked up, but just give it time. It should finish.

 

If you run the installer with the /gdssnp switch like we've discussed, it will make the following registry change to every existing printer using the driver:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers\<PrinterName>\PrinterDriverData

SSNPDeviceUpdateInterval         REG_DWORD         0x00000000 (0)
0 = Normal
1 = Minimize
SSNPNotifyEventSetting                 REG_DWORD         0x00000001 (1)
0 = Disabled,
1 = When Printing,
2 = On Warnings or Errors
3 = On Errors only
SSNPShowAlertLink                 REG_DWORD         0x00000001 (1)
0 = Hide
1 = Show
SSNPShowShopLink                 REG_DWORD         0x00000000 (0)
0 = Hide
1 = Show
SSNPShowSSNSettings                 REG_DWORD         0x00000000 (0)
0 = Hide
1 = Show
SSNPShowSupportLink                 REG_DWORD         0x00000000 (0)
0 = Hide
1 = Show

 

If you prefer, you can go through and manually change the registry entry for every printer. But that could be a tedius and long process if you have a lot of printers.

 

There are several other switches you can run the UPD installer with, making managing and setting up the print server much easier, including (but definitely not limited to,):

  • /q         Quite mode, no prompts
  • /nd        Does not set the printer as default
  • /dst        Disables the Services tab
  • /dos        Disables the Online Support option
  • /dssnp        Disables the Status Notification Pop-up for the printer you are currently installing.

The full list and other options can be found easily in HP's support documents. Just go to HP's website and search for Universal Print Driver.

02/05/11

Permalink 10:25:07 am, by Fred Parks, 155 words
Categories: Privacy

Multiple websites prompting to download xd_proxy.css file all related to Facebook code change

During the past several days and even continuing through today, there have been reports of many websites prompting users to download a file named “xd_proxy.css.” Some have raised some concerns as to whether this behavior is somehow related to malware but it appears to go back to a programming issue to do with Facebook and external sites that interface with Facebook.

According to Bug 14978 on the Facebook Developers Bug Tracker forum, there seems to be an issue with sites that have the “Like” button that interfaces with Facebook on their page. Based on the comments of many of the developers that have posted to the forum, this all started after Facebook made a change to the way it exchanges data with external websites (possibly this change).

Here’s an explanation of what a CSS file is used for normally.

http://en.wikipedia.org/wiki/Cascading_Style_Sheets

http://www.fileinfo.com/extension/css

 

Installing an SSL certificate on your Domain Controller

If you are in process of replacing your Domain Controllers from Server 2003 to Server 2008 R2, you will need to either move or replace your certificates as well. First you obviously have to add the 2008 servers to the Domain, Promote them, and assign their respective roles. Then you will need to Install an SSL certificate on each.

Microsoft has a technet article going over all the details of every environment and how to handle getting it configured here:

http://technet.microsoft.com/en-us/library/cc782583(WS.10).aspx

I'm just going to go through the quick process many people will use. That process should be followed if you are going to be using a Standalone CA to process certificates for a Domain Controller.

First off, on the Domain Controller we need to create an .inf file with the contents:

;;----------------- request.inf -----------------
[Version]
Signature="$Windows NT$
[NewRequest]
Subject = "CN=" ; replace with the FQDN of the DC
KeySpec = 1
KeyLength = 1024
; Can be 1024, 2048, 4096, 8192, or 16384.
; Larger key sizes are more secure, but have
; a greater impact on performance.
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
;-----------------------------------------------

Now in Command Prompt type:

certreq -new request.inf request.req

A new file is now created named request.req. Take that file and move it to the CA server.

Now run:

certreq -attrib "CertificateTemplate:DomainController" request.req

This will create an ID. Write that ID down as we will need it later.

Now we need to create an ASN file. There are a few ways you can do this, but the best way is to use the script MS put together for us here:

http://technet.microsoft.com/en-us/library/cc775547(WS.10).aspx

It will create an ASN file as well as several other files. Take the newly created ASN on the CA as well.

Now if you are running Server 2008 run the following command with elevated privlidges (If not, run it normally):

certutil -setextension <RequestID> 2.5.29.17 1 @<dcname>.asn

And from the CA run:

certutil -resubmit <requestID>
certreq -accept <dcname>.p7b

At this point you are finished. You should test to make sure it is functioning properly.

<< 1 2 3 4 5 6 7 8 9 10 11 ... 41 >>

Priveon, Inc.

Today's complex security and networking solutions require a great deal of knowledge to successfully support and operate. Priveon uses the field experience of its expert staff to develop and maintain a positive reinforcement loop between business practices and to provide the latest information to our customers. The information posted here is supported by Priveon subject-matter experts.

Search

XML Feeds

Archives