<b>Beyond Cyber & CyberSecurity - Cyber Security Forensic Services</b><br />
<b>2014-09-13 | Robert Cazares</b><br />
<span style="font-size: x-small;"><span style="font-family: Verdana,sans-serif;">What am I doing up?</span></span><br />
<span style="font-size: x-small;"><span style="font-family: Verdana,sans-serif;">It's Friday night / early Saturday morning.</span></span><br />
<span style="font-size: x-small;"><span style="font-family: Verdana,sans-serif;">I should be in bed, sleeping.</span></span><br />
<span style="font-size: x-small;"><span style="font-family: Verdana,sans-serif;">I was, but awoke full-on. Sometimes that happens.</span></span><br />
<br />
<span style="font-size: x-small;"><span style="font-family: Verdana,sans-serif;">I stumbled upon a new tool this morning.</span></span><br />
<span style="font-size: x-small;"><span style="font-family: Verdana,sans-serif;">This is what happens when your mind wanders into the Information Security sector of the Internet.</span></span><br />
<span style="font-size: x-small;"><span style="font-family: Verdana,sans-serif;"> </span></span><br />
<span style="font-size: x-small;"><span style="font-family: Verdana,sans-serif;">I was perusing my gmail email account and a LinkedIn group that I subscribe to pushed an email that looked interesting. One thing, actually one link, led to another and I found myself at a reverse engineering page that described a dissection of some malware.</span></span><br />
<span style="font-size: x-small;"><span style="font-family: Verdana,sans-serif;">Then, a reference to a reverse engineering tool I am not familiar with was mentioned.</span></span><br />
<span style="font-size: x-small;"><span style="font-family: Verdana,sans-serif;">That tool is PEStudio.</span></span><br />
<span style="font-size: x-small;"><span style="font-family: Verdana,sans-serif;">You can find it here. </span></span><br />
<span style="font-size: x-small;"><span style="font-family: Verdana,sans-serif;">http://www.winitor.com/</span></span><br />
<span style="font-size: x-small;"><span style="font-family: Verdana,sans-serif;"><br /></span></span>
<span style="font-size: x-small;"><span style="font-family: Verdana,sans-serif;">As a security tool it looks promising. I love good code. I love code that does what the author says it does. Have downloaded and will be investigating more in the AM over some coffee and breakfast.</span></span><br />
<br />
- Ciao<br />
<br />
<b>Windows XP - Local Policies, Audit Policy - Setting SecEvent.evt Logs</b><br />
<b>2014-05-03 | Robert Cazares</b><br />
<b><span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">Windows XP SP3</span></b><br />
<b><span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"><br /></span></b>
<b><span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">Local Policies, Audit Policy</span></b><br />
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"><br /></span>
<span style="font-size: small;"><span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">Personal notes:</span></span><br />
<span style="font-size: small;"><span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">- Increase the log size to 4096 KB</span></span><br />
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"><span style="font-size: small;">- "Overwrite events as needed" - Radio Button</span></span><br />
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"><br /></span>
<b><span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">---------------------------------------------</span></b><b><span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">---------------------------------------------</span></b><br />
<br />
<b><span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">Audit account logon events</span></b><br />
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"><br /></span>
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">This security setting determines whether to audit each instance of a user logging on to or logging off from another computer in which this computer is used to validate the account. Account logon events are generated when a domain user account is authenticated on a domain controller. The event is logged in the domain controller's security log. Logon events are generated when a local user is authenticated on a local computer. The event is logged in the local security log. Account logoff events are not generated.</span><br />
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"><br /></span>
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when an account logon attempt succeeds. Failure audits generate an audit entry when an account logon attempt fails.</span><br />
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"><br /></span>
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">To set this value to No auditing, in the Properties dialog box for this policy setting, select the Define these policy settings check box and clear the Success and Failure check boxes.</span><br />
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"><br /></span>
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">If success auditing for account logon events is enabled on a domain controller, an entry is logged for each user who is validated against that domain controller, even though the user is actually logging on to a workstation that is joined to the domain.</span><br />
<i><span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"><br /></span></i>
<i><span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">Default: Success.</span></i><br />
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"><br /></span>
<b><span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">---------------------------------------------</span></b><b><span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">---------------------------------------------</span></b><br />
<br />
<b><span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">Audit account management</span></b><br />
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"><br /></span>
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">This security setting determines whether to audit each event of account management on a computer. Examples of account management events include:</span><br />
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"><br /></span>
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">A user account or group is created, changed, or deleted.</span><br />
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">A user account is renamed, disabled, or enabled.</span><br />
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">A password is set or changed.</span><br />
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"><br /></span>
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when any account management event succeeds. Failure audits generate an audit entry when any account management event fails.</span><br />
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"><br /></span>
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">To set this value to No auditing, in the Properties dialog box for this policy setting, select the Define these policy settings check box and clear the Success and Failure check boxes.</span><br />
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"><br /></span>
<i><span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">Default:</span></i><br />
<i><span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"> Success on domain controllers.</span></i><br />
<i><span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"> No auditing on member servers.</span></i><br />
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"><br /></span>
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"></span><br />
<b><span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">---------------------------------------------</span></b><b><span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">---------------------------------------------</span></b><br />
<br />
<b><span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">Audit directory service access</span></b><br />
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"><br /></span>
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">This security setting determines whether to audit the event of a user accessing an Active Directory object that has its own system access control list (SACL) specified.</span><br />
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"><br /></span>
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">By default, this value is set to no auditing in the Default Domain Controller Group Policy object (GPO), and it remains undefined for workstations and servers where it has no meaning.</span><br />
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"><br /></span>
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when a user successfully accesses an Active Directory object that has a SACL specified. Failure audits generate an audit entry when a user unsuccessfully attempts to access an Active Directory object that has a SACL specified. To set this value to No auditing, in the Properties dialog box for this policy setting, select the Define these policy settings check box and clear the Success and Failure check boxes.</span><br />
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"><br /></span>
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">Note that you can set a SACL on an Active Directory object by using the Security tab in that object's Properties dialog box. This is the same as Audit object access, except that it applies only to Active Directory objects and not to file system and registry objects.</span><br />
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"><br /></span>
<i><span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">Default:</span></i><br />
<i><span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"> Success on domain controllers.</span></i><br />
<i><span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"> Undefined for a member computer.</span></i><br />
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"><br /></span>
<b><span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">---------------------------------------------</span></b><b><span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">---------------------------------------------</span></b><br />
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"><br /></span>
<b><span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">Audit logon events</span></b><br />
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"><br /></span>
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">This security setting determines whether to audit each instance of a user logging on to or logging off from a computer.</span><br />
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"><br /></span>
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">Account logon events are generated on domain controllers for domain account activity and on local computers for local account activity. If both account logon and logon audit policy categories are enabled, logons that use a domain account generate a logon or logoff event on the workstation or server, and they generate an account logon event on the domain controller. Additionally, interactive logons to a member server or workstation that use a domain account generate a logon event on the domain controller as the logon scripts and policies are retrieved when a user logs on. For more information about account logon events, see Audit account logon events.</span><br />
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"><br /></span>
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when a logon attempt succeeds. Failure audits generate an audit entry when a logon attempt fails.</span><br />
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"><br /></span>
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">To set this value to No auditing, in the Properties dialog box for this policy setting, select the Define these policy settings check box and clear the Success and Failure check boxes.</span><br />
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"><br /></span>
<i><span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">Default: Success.</span></i><br />
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"><br /></span>
<b><span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">---------------------------------------------</span></b><b><span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">---------------------------------------------</span></b><br />
<br />
<b><span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">Audit object access</span></b><br />
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"><br /></span>
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">This security setting determines whether to audit the event of a user accessing an object—for example, a file, folder, registry key, printer, and so forth—that has its own system access control list (SACL) specified.</span><br />
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"><br /></span>
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when a user successfully accesses an object that has an appropriate SACL specified. Failure audits generate an audit entry when a user unsuccessfully attempts to access an object that has a SACL specified.</span><br />
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"><br /></span>
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">To set this value to No auditing, in the Properties dialog box for this policy setting, select the Define these policy settings check box and clear the Success and Failure check boxes.</span><br />
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"><br /></span>
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">Note that you can set a SACL on a file system object using the Security tab in that object's Properties dialog box.</span><br />
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"><br /></span>
<i><span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">Default: No auditing.</span></i><br />
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"><br /></span>
<b><span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">---------------------------------------------</span></b><b><span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">---------------------------------------------</span></b><br />
<br />
<b><span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">Audit policy change</span></b><br />
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"><br /></span>
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">This security setting determines whether to audit every incident of a change to user rights assignment policies, audit policies, or trust policies.</span><br />
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"><br /></span>
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when a change to user rights assignment policies, audit policies, or trust policies is successful. Failure audits generate an audit entry when a change to user rights assignment policies, audit policies, or trust policies fails.</span><br />
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"><br /></span>
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">To set this value to No auditing, in the Properties dialog box for this policy setting, select the Define these policy settings check box and clear the Success and Failure check boxes.</span><br />
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"><br /></span>
<i><span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">Default:</span></i><br />
<i><span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"> Success on domain controllers.</span></i><br />
<i><span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"> No auditing on member servers.</span></i><br />
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"><br /></span>
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"></span><br />
<b><span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">---------------------------------------------</span></b><b><span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">---------------------------------------------</span></b><br />
<br />
<b><span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">Audit privilege use</span></b><br />
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"><br /></span>
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">This security setting determines whether to audit each instance of a user exercising a user right.</span><br />
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"><br /></span>
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit this type of event at all. </span><br />
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"><br /></span>
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">Success audits generate an audit entry when the exercise of a user right succeeds. Failure audits generate an audit entry when the exercise of a user right fails.</span><br />
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"><br /></span>
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">To set this value to No auditing, in the Properties dialog box for this policy setting, select the Define these policy settings check box and clear the Success and Failure check boxes.</span><br />
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"><br /></span>
<i><span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">Default: No auditing.</span></i><br />
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"><br /></span>
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">Audits are not generated for use of the following user rights, even if success audits or failure audits are specified for Audit privilege use. Enabling auditing of these user rights tends to generate many events in the security log, which may impede your computer's performance. To audit the following user rights, enable the FullPrivilegeAuditing registry key.</span><br />
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"><br /></span>
<span style="font-size: x-small;"><span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">Bypass traverse checking</span></span><br />
<span style="font-size: x-small;"><span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">Debug programs</span></span><br />
<span style="font-size: x-small;"><span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">Create a token object</span></span><br />
<span style="font-size: x-small;"><span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">Replace process level token</span></span><br />
<span style="font-size: x-small;"><span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">Generate security audits</span></span><br />
<span style="font-size: x-small;"><span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">Back up files and directories</span></span><br />
<span style="font-size: x-small;"><span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">Restore files and directories</span></span><br />
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"><br /></span>
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">Caution:</span><br />
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.</span><br />
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"><br /></span>
<b><span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">---------------------------------------------</span></b><b><span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">---------------------------------------------</span></b><br />
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"><br /></span>
<b><span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">Audit process tracking</span></b><br />
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"><br /></span>
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">This security setting determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access.</span><br />
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"><br /></span>
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when the process being tracked succeeds. Failure audits generate an audit entry when the process being tracked fails.</span><br />
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"><br /></span>
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">To set this value to No auditing, in the Properties dialog box for this policy setting, select the Define these policy settings check box and clear the Success and Failure check boxes.</span><br />
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"><br /></span>
<i><span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">Default: No auditing</span></i><br />
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"><br /></span>
<b><span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">---------------------------------------------</span></b><b><span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">---------------------------------------------</span></b><br />
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"><br /></span>
<b><span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">Audit system events</span></b><br />
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"><br /></span>
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">This security setting determines whether to audit when a user restarts or shuts down the computer or when an event occurs that affects either the system security or the security log.</span><br />
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"><br /></span>
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when a system event is executed successfully. Failure audits generate an audit entry when a system event is attempted unsuccessfully.</span><br />
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"><br /></span>
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">To set this value to No auditing, in the Properties dialog box for this policy setting, select the Define these policy settings check box and clear the Success and Failure check boxes.</span><br />
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"><br /></span>
<i><span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">Default:</span></i><br />
<i><span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"> Success on domain controllers.</span></i><br />
<i><span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"> No auditing on member servers.</span></i><br />
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"><br /></span>
<b><span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">---------------------------------------------</span></b><b><span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">---------------------------------------------</span></b><br />
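<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">A way to check a machine against the notes above without clicking through every category: export the local policy with secedit and read the export back. The script below is an added example, not part of the original post and not Microsoft's code. It assumes the INF layout that "secedit /export /cfg &lt;file&gt;" writes (an [Event Audit] section keyed AuditAccountLogon, AuditLogonEvents and so on, and a [Security Log] section with MaximumLogSize and AuditLogRetentionPeriod), and it assumes the numeric value meanings of Microsoft's security-template format; the two exports embedded in it are constructed, not captured. It reports every category left at "No auditing" (skipping directory service access on a workstation, where the page says it has no meaning) and any security-log setting that differs from the 4096 KB / "Overwrite events as needed" notes.</span><br />

```python
"""Check a Windows XP audit-policy export against the notes above.

Added example, not from the original post or from Microsoft. It parses the INF
text that ``secedit /export /cfg <file>`` writes (decode it as UTF-16 first),
reads [Event Audit] and [Security Log], and reports categories left at
"No auditing" plus log settings that differ from the notes (4096 KB, overwrite
as needed). Sample exports are constructed; the numeric value meanings are
assumed to follow Microsoft's security-template format.
"""

# [Event Audit] keys as written by secedit, mapped to the policy names above.
CATEGORY_NAMES = {
    "AuditAccountLogon": "Audit account logon events",
    "AuditAccountManage": "Audit account management",
    "AuditDSAccess": "Audit directory service access",
    "AuditLogonEvents": "Audit logon events",
    "AuditObjectAccess": "Audit object access",
    "AuditPolicyChange": "Audit policy change",
    "AuditPrivilegeUse": "Audit privilege use",
    "AuditProcessTracking": "Audit process tracking",
    "AuditSystemEvents": "Audit system events",
}

# Assumed template encoding: bit 1 = success, bit 2 = failure.
AUDIT_VALUES = {0: "No auditing", 1: "Success", 2: "Failure", 3: "Success, Failure"}

# Assumed [Security Log] retention codes (the "Overwrite events" radio buttons).
RETENTION = {0: "Overwrite events as needed", 1: "Overwrite events older than RetentionDays",
             2: "Do not overwrite events (clear log manually)"}


def parse_inf(text):
    """Parse INF/INI-style text into {section: {key: value}}, keeping key case."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def effective_settings(text):
    """Map each audit category name to its human-readable setting."""
    audit = parse_inf(text).get("Event Audit", {})
    out = {}
    for key, name in CATEGORY_NAMES.items():
        value = int(audit.get(key, "0"))  # a missing key behaves like no auditing
        out[name] = AUDIT_VALUES.get(value, "Unknown (%d)" % value)
    return out


def check_audit_policy(text, min_log_kb=4096, want_retention=0, domain_controller=False):
    """Return findings where the export deviates from the notes; empty list = compliant."""
    findings = []
    for name, setting in effective_settings(text).items():
        # Directory service access has no meaning on a workstation, so skip it there.
        if name == "Audit directory service access" and not domain_controller:
            continue
        if setting == "No auditing":
            findings.append("%s: %s" % (name, setting))
    log = parse_inf(text).get("Security Log", {})
    size_kb = int(log.get("MaximumLogSize", "0"))
    if size_kb < min_log_kb:
        findings.append("Security log MaximumLogSize is %d KB, notes call for %d KB"
                        % (size_kb, min_log_kb))
    retention = int(log.get("AuditLogRetentionPeriod", "0"))
    if retention != want_retention:
        findings.append("Security log retention is '%s', notes call for '%s'"
                        % (RETENTION.get(retention, str(retention)), RETENTION[want_retention]))
    return findings


# Constructed export of a workstation left near the XP defaults (not a real capture).
SAMPLE_EXPORT = """[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 1
AuditObjectAccess = 0
AuditPrivilegeUse = 0
AuditPolicyChange = 0
AuditAccountManage = 0
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 1
[Security Log]
MaximumLogSize = 512
AuditLogRetentionPeriod = 1
"""

# The same machine after the notes are applied: every category on, 4096 KB, overwrite as needed.
HARDENED_EXPORT = ("[Event Audit]\n" + "".join("%s = 3\n" % k for k in CATEGORY_NAMES)
                   + "[Security Log]\nMaximumLogSize = 4096\nAuditLogRetentionPeriod = 0\n")

if __name__ == "__main__":
    for label, export in (("as found", SAMPLE_EXPORT), ("hardened", HARDENED_EXPORT)):
        print(label + ":", check_audit_policy(export) or ["compliant with the notes"])
```

<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">To run it against a real export, read the file with a UTF-16 decoder (secedit writes UTF-16 text) and pass the decoded string to check_audit_policy; pass domain_controller=True on a DC so the directory service access category is included in the findings.</span><br />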
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"><br /></span>
<b><span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">Additional resources:</span></b><br />
<span style="font-family: Verdana,sans-serif;"><span style="font-size: x-small;">http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=%2Fcom.ibm.itcim.doc%2Ftcim85_install140.html</span></span><br />
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"><br /></span>
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">Configuring Windows XP auditing manually</span><br />
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"><br /></span>
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">Manual audit configuration should be performed on the audited system. In most cases, you must log in as Administrator to be able to adjust the audit settings.</span><br />
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">Windows Security Log</span><br />
<br />
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">---------------------------------------------</span><span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">---------------------------------------------</span><br />
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"><br /></span>
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">In Microsoft® Windows®, auditing can be switched on and off for a number of event categories. Within each category, the auditing of successful and failed attempts can be controlled independently.</span><br />
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"><br /></span>
<br />
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">---------------------------------------------</span><span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">---------------------------------------------</span><br />
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"><br /></span>
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">To turn on auditing of Windows XP events:</span><br />
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"><br /></span>
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"> Run Local Security Policy snap-in from Start → All Programs → Administrative Tools or Control Panel → Administrative Tools.</span><br />
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"> In the snap-in tree select the Audit policy node (see Figure 17): </span><br />
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"><br /></span>
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">---------------------------------------------</span><span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;">---------------------------------------------</span><br />
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"><br /></span>
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"><br /></span>
<span style="font-family: "Helvetica Neue",Arial,Helvetica,sans-serif;"><br /></span><br />
<b>HoNe - Running Process Cyber Attack Sensor</b><br />
<div style="font-family: Arial,Helvetica,sans-serif;">
<span style="font-size: small;"><b>June 3, 2012 | Robert Cazares</b></span></div>
<div style="font-family: Arial,Helvetica,sans-serif;">
<span style="font-size: small;"><br /></span></div>
<div style="font-family: Arial,Helvetica,sans-serif;">
<span style="font-size: small;">I found this noteworthy and worth coming back to, for further investigation into using this tool.</span></div>
<div style="font-family: Arial,Helvetica,sans-serif;">
<span style="font-size: small;"><br /></span></div>
<div style="font-family: Arial,Helvetica,sans-serif;">
<span style="font-size: small;">Hone is a unique open source tool developed by Pacific Northwest National Laboratory for correlating packets to processes, bridging the HOst-NEtwork divide. It is designed to determine which applications are communicating with the external network, correlate packets to the responsible processes on Linux systems, and diagnose connections by adding process information to them.</span></div>
<div style="font-family: Arial,Helvetica,sans-serif;">
<span style="font-size: small;"><br /></span></div>
<div style="font-family: Arial,Helvetica,sans-serif;">
<span style="font-size: small;">Available for Linux kernels 2.6.32 and later.</span></div>
<div style="font-family: Arial,Helvetica,sans-serif;">
<span style="font-size: small;">Windows 7, Windows XP and Mac OS X versions are planned.</span><br />
<span style="font-size: small;"><br /></span><br />
<hr />
</div>
<div style="font-family: Arial,Helvetica,sans-serif;">
<span style="font-size: small;"><span id="read_more"><br /></span></span></div>
<span style="font-size: small;"><b><span style="font-family: Arial,Helvetica,sans-serif;">Pacific Northwest National Laboratory Creates New Sensor To Stop Attackers In Their Tracks </span></b></span><br />
<div style="font-family: Arial,Helvetica,sans-serif;">
<span style="font-size: small;"><br /></span></div>
<div style="font-family: Arial,Helvetica,sans-serif;">
<span style="font-size: small;">Apr 11, 2012 | 05:06 PM</span><br />
<span style="font-size: small;"><br />RICHLAND, Wash. - The good guys have a new, innovative tool to help them identify and understand cyber attacks.<br /><br />Developed by a researcher at the Department of Energy’s Pacific Northwest National Laboratory, the new Hone cyber sensor determines how network activity on a computer is related to an application such as Internet Explorer or any running process. Finding these relationships enables cyber security experts to more quickly identify a potential problem and dissect how it works.</span></div>
<div style="font-family: Arial,Helvetica,sans-serif;">
<span style="font-size: small;"><br /></span></div>
<div style="font-family: Arial,Helvetica,sans-serif;">
<span style="font-size: small;">Full story is here: </span></div>
<div style="font-family: Arial,Helvetica,sans-serif;">
<span style="font-size: small;">http://www.darkreading.com/advanced-threats/167901091/security/news/232900169/pacific-northwest-national-laboratory-creates-new-sensor-to-stop-attackers-in-their-tracks.html</span></div>
<div style="font-family: Arial,Helvetica,sans-serif;">
<span style="font-size: small;"><br /></span></div>
<div style="font-family: Arial,Helvetica,sans-serif;">
<span style="font-size: small;">HoNe project at github can be found here:</span></div>
<div style="font-family: Arial,Helvetica,sans-serif;">
<span style="font-size: small;">https://github.com/HoneProject/Linux-Sensor#readme</span></div>
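Hone does its packet-to-process correlation inside the kernel. As an added example, and not HoNe's code or anything from this blog, here is the user-space approximation of the same host-network bridging: parse the kernel's /proc/net/tcp table and map each socket's inode back to the process holding it through the /proc/PID/fd symlinks. The /proc/net/tcp snapshot and the fd table below are constructed for the example; read_live_fd_table walks a real /proc on Linux when run with enough privilege. The TIME_WAIT row with inode 0 shows the gap this approach leaves and a packet-time sensor like Hone closes: once the process has closed the socket, /proc no longer says who owned it.

```python
import os
import re
import socket
import struct

# Kernel TCP state codes as printed in the "st" column of /proc/net/tcp.
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}

# Constructed /proc/net/tcp snapshot (not captured from a real host).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 28933 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:B8B2 22D8B85D:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 31077 1 0000000000000000 20 4 30 10 -1
   2: 0F02000A:C3A4 22D8B85D:0050 06 00000000:00000000 03:00000F5C 00000000     0        0 0 3 0000000000000000
"""

# Constructed stand-in for the /proc/PID/fd symlink targets of two processes.
SAMPLE_FD_TABLE = {
    1234: {"comm": "cupsd", "fds": ["/dev/null", "socket:[28933]"]},
    4321: {"comm": "curl", "fds": ["pipe:[555]", "socket:[31077]"]},
}


def hex_endpoint(token):
    """'0100007F:0277' -> ('127.0.0.1', 631). The kernel prints the address as a
    host-order u32, so on little-endian x86 the byte order must be reversed."""
    addr_hex, port_hex = token.split(":")
    packed = struct.pack("<I", int(addr_hex, 16))  # undo the host-order print
    return socket.inet_ntoa(packed), int(port_hex, 16)


def parse_proc_net_tcp(text):
    """One dict per socket row: endpoints, state, owning uid and socket inode."""
    sockets = []
    for line in text.splitlines()[1:]:  # first line is the column header
        f = line.split()
        if len(f) >= 10:
            sockets.append({
                "local": hex_endpoint(f[1]),
                "remote": hex_endpoint(f[2]),
                "state": TCP_STATES.get(f[3], f[3]),
                "uid": int(f[7]),
                "inode": int(f[9]),
            })
    return sockets


def build_inode_index(fd_table):
    """Map socket inode -> (pid, comm) from each process's open fd targets."""
    index = {}
    for pid, info in fd_table.items():
        for target in info["fds"]:
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if m:
                index[int(m.group(1))] = (pid, info["comm"])
    return index


def correlate(sockets, inode_index):
    """Attach the owning process to each socket. A socket whose inode is 0
    (e.g. TIME_WAIT, already closed by its process) or whose inode no
    process holds stays unattributed: pid and comm are None."""
    rows = []
    for s in sockets:
        pid, comm = inode_index.get(s["inode"], (None, None))
        rows.append(dict(s, pid=pid, comm=comm))
    return rows


def read_live_fd_table(proc="/proc"):
    """Walk a real /proc on Linux (other users' fds need root)."""
    table = {}
    for name in os.listdir(proc):
        if not name.isdigit():
            continue
        fd_dir = os.path.join(proc, name, "fd")
        try:
            with open(os.path.join(proc, name, "comm")) as fh:
                comm = fh.read().strip()
            fds = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
        except OSError:
            continue  # process exited or access denied
        table[int(name)] = {"comm": comm, "fds": fds}
    return table


if __name__ == "__main__":
    rows = correlate(parse_proc_net_tcp(SAMPLE_PROC_NET_TCP),
                     build_inode_index(SAMPLE_FD_TABLE))
    for r in rows:
        owner = f"{r['comm']}[{r['pid']}]" if r["pid"] else "unattributed"
        print(f"{r['local'][0]}:{r['local'][1]} -> {r['remote'][0]}:{r['remote'][1]} "
              f"{r['state']:<11} {owner}")
```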
<span style="font-size: small;"><br /></span>Robert Cazareshttp://www.blogger.com/profile/02234840491442279369noreply@blogger.com1tag:blogger.com,1999:blog-844116512107078117.post-28948441030358699532011-04-13T13:49:00.000-07:002011-04-13T15:21:02.993-07:00Blindly restoring Windows XP screen resolution<span style="font-family:arial;">Applies to Windows XP (any version)</span><br /><br /><span style="font-family:arial;">Have you ever changed the screen resolution of your computer to where you have saved settings that your monitor cannot display? I have, several times. It's annoying at best to have accidentally made a change and then not be able to see what you're doing.</span><br /><br /><span style="font-family:arial;">Here are the steps to restore your display.</span><br /><span style="font-family:arial;">Please note that you have to be logged in.</span><br /><span style="font-family:arial;">If you need to blindly log in to your account, I'll save those steps for a different post.</span><br /><br />---------------------------------------------------<br /><span style="font-family:arial;">Take an educated guess and place the mouse cursor someplace on the desktop where you are not hovering over any icons or the toolbar.</span><br /><ol style="font-family: arial;"><li>Click the right mouse button.</li><li>On your keyboard, press the UP ARROW key once, then press the ENTER key.</li><li>On your keyboard, press the TAB key four times.</li><li>On your keyboard, press the RIGHT ARROW key four times.</li><li>On your keyboard, press the TAB key once.</li><li>Then press the LEFT ARROW key four or five times.</li><li>Then press the ENTER key.</li></ol><span style="font-family:arial;">At this point you should have a viewable display.</span><br /><span style="font-family: arial;">The Monitor Settings dialog box will begin a countdown, "Reverting in n seconds".</span><br /><span style="font-family: arial;">Save your display settings.</span><br /><br /><span style="font-family: arial;">And that should do it!</span><br /><span style="font-family:arial;"><br /></span>Robert Cazareshttp://www.blogger.com/profile/02234840491442279369noreply@blogger.com0tag:blogger.com,1999:blog-844116512107078117.post-86534834183716734372010-03-09T00:05:00.000-08:002010-03-09T00:31:57.909-08:00There's something amiss in China - Increased daily spam<span style="font-family:arial;">OK, so for the past few weeks I have noticed a marked increase in spam in my primary email Spam folder. I have been deleting messages willy-nilly from the folder, as I usually do, when I walk through my daily email reading and composition routine.</span><br /><span style="font-family:arial;"><br />Yesterday, I decided to let the spam pile up for a 24 hour period and take note of how many spam messages I have received. I don't like to pick on or lean in one direction or the other without having at least some metrics to go on, but out of 98 spam messages, 24 of those messages DID NOT have Chinese characters in the subject line.</span><br /><span style="font-family:arial;"><br />Whup, OK, as I was typing this the message count JUST jumped to 102. By way of supposition, that means approximately 80% of the spam I have received in the past 24 hour period is coming from China.</span><br /><span style="font-family:arial;"><br />Delving a little deeper I took a random check of the email headers, and yes, unless they're totally forged headers, I have to say, they do originate someplace in China. Where in China? Not important at this time. It's notable that they come from over the China border to here, at my gmail account in the United States.</span><br /><span style="font-family:arial;"><br />So, what's happening here? Why the sudden spike in spam to my gmail account originating in China? Is there a mechanism I can implement to block ALL email from China from reaching my email account? I don't know anyone in China. I'm not expecting any email from China. Why can't I simply block all these messages? It's annoying at the very least and it is spam. I am going to keep my eye on this for a while, compile some data, see how it goes and maybe publish my results after 30 days or so. Is it worth it? I'll keep you posted.</span><br /><br /><span style="font-family:arial;">- Robert Cazares</span>Robert Cazareshttp://www.blogger.com/profile/02234840491442279369noreply@blogger.com0tag:blogger.com,1999:blog-844116512107078117.post-76048885656258805942010-02-27T06:45:00.000-08:002010-02-27T06:46:28.115-08:00FTK 1.8 notes<span style="font-family: arial;">FTK 1.8 notes - placeholder</span>Robert Cazareshttp://www.blogger.com/profile/02234840491442279369noreply@blogger.com0tag:blogger.com,1999:blog-844116512107078117.post-36482290131260398422010-02-10T12:51:00.000-08:002010-02-10T12:53:50.412-08:00cnbc.com - San Antonio: New Cyber City<p style="font-family: arial;" class="date"><span style="font-size:100%;"><span>Airtime: </span><span>Wed. Feb. 10 2010 | 12:17 PM ET</span></span></p><p style="font-family: arial;"><span style="font-size:100%;">Discussing why San Antonio is key to cyber security, with NBC's Janet Shamlian and Dr. Greg White, colonel for the U.S. 
Air Force and Fred Ramirez, CNF Technologies.</span></p><p><a href="http://www.cnbc.com/id/15840232?video=1410041474&play=1"><span style="font-size:100%;"><span style="font-family: arial;">http://www.cnbc.com/id/15840232?video=1410041474&play=1</span></span></a><br /></p><p><br /></p>Robert Cazareshttp://www.blogger.com/profile/02234840491442279369noreply@blogger.com0tag:blogger.com,1999:blog-844116512107078117.post-69353169470609596502010-02-05T00:20:00.001-08:002010-02-05T13:34:03.507-08:00Windows 7 64-bit and 32-bit, Swiff Player, Flash 10 installation<span style="font-size:100%;"><span style="font-family:arial;">OK, so here's a work-around for those of you who have not been able to play .swf files on your Windows 7 64-bit and 32-bit systems.</span><br /><br /><span style="font-family:arial;">I have tested this on both 32-bit and 64-bit systems with instant success. However, I make no guarantees or warranties and YMMV. What I can tell you is that after a few hours of research and banging, it works for me.</span><br /><br /><span style="font-family:arial;">This "fix" is simple. Really, it is.</span><br /><br /><span style="font-weight: bold;">- 64-bit systems</span><br /><span style="font-family:arial;">1) Install Adobe Flash 10 (Adobe Flash Player Standalone Installer, version 10.0.42.34) from<br /><a href="http://fpdownload.macromedia.com/get/flashplayer/current/licensing/win/install_flash_player_10_active_x.exe">http://fpdownload.macromedia.com/get/flashplayer/current/licensing/win/install_flash_player_10_active_x.exe</a>.<br />2) When installation is completed, navigate to C:\Windows\SysWOW64\Macromed\Flash and make a copy of Flash10d.ocx in the same directory.<br />3) Rename the copy of Flash10d.ocx to Flash.ocx (you will still have a copy of Flash10d.ocx).<br />4) Install Swiff Player 1.5 (http://www.globfx.com/downloads/swfplayer/).<br />5) Run Swiff Player and load your .swf files.<br />6) Enjoy!</span><br /><br /><span style="font-weight: bold;">- 32-bit systems</span><br /><span style="font-family:arial;">1) Install Adobe Flash 10 (Adobe Flash Player Standalone Installer, version 10.0.42.34) from<br /><a href="http://fpdownload.macromedia.com/get/flashplayer/current/licensing/win/install_flash_player_10_active_x.exe">http://fpdownload.macromedia.com/get/flashplayer/current/licensing/win/install_flash_player_10_active_x.exe</a>.<br />2) When installation is completed, navigate to C:\Windows\System32\Macromed\Flash and make a copy of Flash10d.ocx in the same directory.<br />3) Rename the copy of Flash10d.ocx to Flash.ocx (you will still have a copy of Flash10d.ocx).<br />4) Install Swiff Player 1.5 (http://www.globfx.com/downloads/swfplayer/).<br />5) Run Swiff Player and load your .swf files.<br />6) Enjoy!</span><br /><br /><span style="font-family:arial;">Note 1: There is also a different link to Adobe Flash 10 here:</span><br /><a style="font-family: arial;" href="http://get.adobe.com/flashplayer/otherversions/">http://get.adobe.com/flashplayer/otherversions/</a><br /><br /><span style="font-family:arial;">Here's another link that I leaned on that helped me through this nagging issue:<br />Adobe Flash Player Standalone Installer?</span><br /><a href="http://social.answers.microsoft.com/Forums/en-US/InternetExplorer/thread/c8fe6d6f-ca63-4f2d-aa39-0365ca9c8b2d"><span style="font-family:arial;">http://social.answers.microsoft.com/Forums/en-US/InternetExplorer/thread/c8fe6d6f-ca63-4f2d-aa39-0365ca9c8b2d</span></a><br /><br /><span style="font-family:arial;">- Robert</span><br /><span style="font-family:arial;"><br />Updated Feb 5, 2010 - 1:32PM</span><br /></span>Robert Cazareshttp://www.blogger.com/profile/02234840491442279369noreply@blogger.com0tag:blogger.com,1999:blog-844116512107078117.post-55448429263972531622010-02-04T17:12:00.000-08:002010-02-04T17:54:11.081-08:00Control Sets and the Windows XP startup process<span style="font-weight: bold;font-family:arial;">For our reference, we need to know which ControlSet is used for system startup.</span><br /><br /><span style="font-family:arial;">Typically, if the system\Select\Current value is set to 0x1 (Data: 0x00000001 (1)), then CurrentControlSet is pointing to ControlSet001.</span><br /><br /><br /><span style="font-family:arial;">For more detailed information see the snippets and links below.</span><br /><span style="font-family:arial;">--------------------------------------------------------------</span><br /><span style="font-weight: bold;font-family:arial;">Control Sets and the Windows XP startup process</span><br /><span style="font-family:arial;">Published: November 03, 2005</span><br /><a href="http://technet.microsoft.com/en-us/library/bb457123.aspx"><span style="font-family:arial;">http://technet.microsoft.com/en-us/library/bb457123.aspx</span></a><br /><br /><h4 style="font-family: arial;">Startup Phases</h4><p style="font-family: arial;">The Windows XP Professional startup process closely resembles that of Microsoft Windows NT version 4.0, Microsoft Windows 2000, and Microsoft Windows Server™ 2003, but it significantly differs from Microsoft MS-DOS, Microsoft Windows 95, Microsoft Windows 98, and Microsoft Windows Millennium Edition (Windows Me).</p><span style="font-family:arial;">--------------------------------------------------------------</span><br /><span style="font-family:arial;">Article ID: 100010 - Last Review: November 1, 2006 - Revision: 3.1</span><br /><span style="font-family:arial;">What are Control Sets? What is CurrentControlSet?</span><br /><a href="http://support.microsoft.com/kb/100010"><span style="font-family:arial;">http://support.microsoft.com/kb/100010</span></a><br /><br /><span style="font-weight: bold;font-family:arial;">Of importance:</span><br /><span style="font-family:arial;">ControlSet001 may be the last control set you booted with, while ControlSet002 could be what is known as the last known good control set, or the control set that last successfully booted Windows NT. The CurrentControlSet subkey is really a pointer to one of the ControlSetXXX keys. Clone is a clone of CurrentControlSet, and is created each time you boot your computer by the kernel initialization process. In order to better understand how these control sets are used, you need to be aware of another subkey, Select.</span><br /><br /><span style="font-family:arial;">Select is also under the SYSTEM key. Select contains the following values:</span><div style="font-family: arial;" class="indent">Current<br />Default<br />Failed<br />LastKnownGood</div><span style="font-family:arial;">"Each of these values contains a REG_DWORD data type and refers specifically to a control set. For example, if the Current value is set to 0x1, then CurrentControlSet is pointing to ControlSet001. Similarly, if LastKnownGood is set to 0x2, then the last known good control set is ControlSet002. The Default value usually agrees with Current, and Failed refers to a control set that was unable to boot Windows NT successfully."</span>Robert Cazareshttp://www.blogger.com/profile/02234840491442279369noreply@blogger.com0tag:blogger.com,1999:blog-844116512107078117.post-88553402462929426012010-02-03T20:45:00.000-08:002010-02-03T20:53:37.866-08:00Relative Identifier Allocation<div class="title" style="font-family:arial;"><span style="font-size:85%;">Relative Identifier Allocation</span></div><!--Content type: DocStudio. 
Transform: psdk2mtps.xslt.--><p style="font-family:arial;"><span style="font-size:85%;">It is fairly easy for the system to generate a unique relative identifier for each account and group created on a stand-alone computer, where accounts and groups are stored in an account database managed by a local Security Accounts Manager (SAM). The SAM on a stand-alone computer can simply keep track of relative identifier values it has used before, making sure that it never uses them again.</span></p><p style="font-family:arial;"><span style="font-size:85%;">Generating unique relative identifiers is a more complex process in a network domain. Windows 2000 network domains can have several domain controllers, each of them a host for Active Directory, where account information is stored. This means that in a network domain there are as many copies of the account database as there are domain controllers. What is more, every copy of the account database is a master copy. New accounts and groups can be created on any domain controller. Changes made to Active Directory on one domain controller are replicated to all other domain controllers in the domain. The process of replicating changes in one master copy of the account database to all other master copies is called a <i>multimaster operation</i>.</span></p><p style="font-family:arial;"><span style="font-size:85%;">The process of generating unique relative identifiers is a <i>single-master operation</i>. One domain controller is assigned the role of <i>relative identifier (RID) master</i>, and it allocates a sequence of relative identifiers to each domain controller in the domain. When a new domain account or group is created in one domain controller's replica of Active Directory, it is assigned a SID, and the relative identifier for the new SID is taken from the domain controller's allocation of relative identifiers. When its supply of relative identifiers begins to run low, the domain controller asks the RID master for another block.</span></p><p style="font-family:arial;"><span style="font-size:85%;">Each domain controller makes sure that when it has used one value in a block of relative identifiers, it never uses that value again. The RID master makes sure that when it has allocated a block of relative identifiers, it never allocates those values again. The result of this teamwork is that every account and group created in the domain has a unique relative identifier.</span></p><p style="font-family:arial;"><span style="font-size:85%;">Several other tasks performed by domain controllers are single-master operations. For example, one domain controller in an enterprise is assigned responsibility for ensuring that each domain has a unique name and a unique domain identifier. The domain controller assigned that role is called the <i>domain naming master</i>. For more information about single-master operations, see <a href="http://technet.microsoft.com/en-us/library/cc961936.aspx">"Managing Flexible Single Master Operations"</a> in this book.</span></p><p style="font-family:arial;"><span style="font-size:85%;">Source: <a href="http://technet.microsoft.com/en-us/library/cc961984.aspx">http://technet.microsoft.com/en-us/library/cc961984.aspx</a><br /></span></p>Robert Cazareshttp://www.blogger.com/profile/02234840491442279369noreply@blogger.com0tag:blogger.com,1999:blog-844116512107078117.post-65109196473437392732010-02-03T20:15:00.000-08:002010-02-03T20:18:26.957-08:00Windows - Well-known SIDs - RIDs<p style="font-family:arial;"><span style="font-size:85%;">Well-known <a href="http://msdn.microsoft.com/en-us/library/ms721625%28VS.85%29.aspx"><em>security identifiers</em></a> (SIDs) identify generic groups and generic users. For example, there are well-known SIDs to identify the following groups and users:</span></p><ul style="font-family:arial;"><li><span style="font-size:85%;">Everyone or World, which is a group that includes all users.</span></li><li><span style="font-size:85%;">CREATOR_OWNER, which is used as a placeholder in an inheritable ACE. When the ACE is inherited, the system replaces the CREATOR_OWNER SID with the SID of the object's creator.</span></li><li><span style="font-size:85%;">The Administrators group for the built-in domain on the local computer.</span></li></ul><p style="font-family:arial;"><span style="font-size:85%;">There are <a href="http://msdn.microsoft.com/en-us/library/ms721629%28VS.85%29.aspx"><em>universal well-known SIDs</em></a>, which are meaningful on all secure systems using this security model, including operating systems other than Windows. In addition, there are well-known SIDs that are meaningful only on Windows systems.</span></p><p style="font-family:arial;"><span style="font-size:85%;">Source:<br /></span></p><p style="font-family:arial;"><span style="font-size:85%;"><a href="http://msdn.microsoft.com/en-us/library/aa379649%28VS.85%29.aspx">http://msdn.microsoft.com/en-us/library/aa379649%28VS.85%29.aspx</a><br /></span></p>Robert Cazareshttp://www.blogger.com/profile/02234840491442279369noreply@blogger.com0tag:blogger.com,1999:blog-844116512107078117.post-2574330432797456482010-02-03T13:52:00.000-08:002010-02-03T16:11:49.964-08:00Four Run keys that are in the Microsoft Windows XP registry<span style="font-family:arial;">This article lists and defines four Run keys that are in the Microsoft Windows XP registry.</span><br /><span style="font-family:arial;">Source: </span><br /><span style="font-family:arial;">http://support.microsoft.com/kb/314866/EN-US/</span><br /><br /><span style="font-size:85%;"><span style="font-family: arial;">Run keys cause programs to automatically run each time that a user logs on. The Windows XP registry includes the following four Run keys:</span><br /><span style="font-family: arial;">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</span><br /><span style="font-family: arial;">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run</span><br /><span style="font-family: arial;">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</span><br /><span style="font-family: arial;">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce</span><br /><span style="font-family: arial;">Each of these keys has a series of values. The values allow multiple entries to exist without overwriting one another. 
The data value for a value is a command line.</span><br /><br /><span style="font-family: arial;">There are some special considerations for the third and fourth keys in the list, the RunOnce keys:</span><br /><br /><span style="font-family: arial;"> * Beginning with Windows XP, the values in the RunOnce keys are run only if the user has permission to delete entries from the respective key.</span><br /><span style="font-family: arial;"> * The programs in the RunOnce key are run sequentially. Explorer waits until each one has exited before continuing with normal startup.</span><br /><span style="font-family: arial;"> * By default, Run keys are ignored when the computer starts in Safe mode. Under the RunOnce keys, you can prefix a value name with an asterisk (*) to force the associated program to run even in Safe mode.</span><br /><span style="font-family: arial;"> * You can prefix a RunOnce value name with an exclamation point (!) to defer deletion of the value until after the command runs.</span><br /><span style="font-family: arial;"> * Without the exclamation point prefix, a RunOnce value is deleted before the command runs. As a result, if a RunOnce operation does not run properly, the associated program is not asked to run the next time you start the computer.</span><br /><br /><span style="font-family: arial;">If more than one program is registered under any particular key, the order in which those programs are run is indeterminate. A program run from any of these keys should not write to the key during its execution. Doing so will interfere with the execution of other programs registered under the key. Furthermore, applications should use the RunOnce keys only for transient conditions (such as to complete application setup); an application must not continually re-create entries under RunOnce. 
Doing so will interfere with Windows Setup.</span><br /></span><br /><br /><div style="font-family: arial;" class="appliesTo"><hr /><h5>APPLIES TO</h5><ul><li>Microsoft Windows XP Home Edition</li><li>Microsoft Windows XP Professional</li><li>Microsoft Windows XP Professional x64 Edition</li><li>Microsoft Windows XP Driver Development Kit</li><li>Windows XP Embedded</li><li>Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)</li><li>Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems</li><li>Microsoft Windows Server 2003, Datacenter x64 Edition</li><li>Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)</li><li>Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems</li><li>Microsoft Windows Server 2003, Enterprise x64 Edition</li><li>Microsoft Windows Server 2003, Standard Edition (32-bit x86)</li><li>Microsoft Windows Server 2003, Standard x64 Edition</li><li>Microsoft Windows Server 2003, Web Edition</li></ul></div><br /><span style="font-family:arial;">Windows 95, Windows 98, Windows ME, Windows 2000, Windows NT</span><br /><span style="font-family:arial;">http://support.microsoft.com/kb/137367</span>Robert Cazareshttp://www.blogger.com/profile/02234840491442279369noreply@blogger.com0tag:blogger.com,1999:blog-844116512107078117.post-11290079490279518162010-01-28T13:34:00.000-08:002010-01-28T18:34:46.227-08:00When standards bodies are the cyber threat<div id="article_author" style="font-family:arial;"><span style="font-size:100%;"> <span style="font-size:85%;"><span style="font-size:85%;"><span style="font-family:arial;">By A. M. 
Rutkowski, Yaana Technologies, Network World</span><br /><span style="font-family:arial;">January 28, 2010 12:59 PM ET</span></span><br /><a href="http://www.networkworld.com/news/2010/012810-standards-cyber-threat.html?source=NWWNLE_nlt_daily_pm_2010-01-28"><span style="font-size:78%;"><br /><span style="font-family:arial;">http://www.networkworld.com/news/2010/012810-standards-cyber-threat.html?source=NWWNLE_nlt_daily_pm_2010-01-28</span></span></a><br /></span></span></div>Robert Cazareshttp://www.blogger.com/profile/02234840491442279369noreply@blogger.com0tag:blogger.com,1999:blog-844116512107078117.post-813094455279675492010-01-28T13:08:00.000-08:002010-01-28T18:35:34.403-08:00CNBC Video - Maryland's Bet on Cyber Security<span style="font-family:arial;">CNBC Video - Maryland's Bet on Cyber Security<br /><br /><span style="font-size:85%;"><a href="http://www.cnbc.com/id/15840232?video=1398428905&play=1">http://www.cnbc.com/id/15840232?video=1398428905&play=1</a><br />Airtime: Thurs. Jan. 28 2010 | 12:42 PM ET<br />The state is betting on its growing technology sector to capitalize on increased cyber security spending in the U.S., with Gov. 
Martin O'Malley (D-MD).</span><br /></span>Robert Cazareshttp://www.blogger.com/profile/02234840491442279369noreply@blogger.com0tag:blogger.com,1999:blog-844116512107078117.post-5657105842152035502010-01-28T11:37:00.000-08:002010-01-28T11:39:24.726-08:00Windows 7 - FTK 1.8 KFF database location<span style="font-size:85%;"><span style="font-family: arial;">Windows 7</span><br /><span style="font-family: arial;">FTK 1.8 KFF default database location -</span><br /><br /><span style="font-family: arial;">c:\programdata\accessdata\kff_databases\15.sep.2008</span></span>Robert Cazareshttp://www.blogger.com/profile/02234840491442279369noreply@blogger.comtag:blogger.com,1999:blog-844116512107078117.post-51347620167972386682010-01-28T11:22:00.000-08:002010-01-28T18:36:15.329-08:00Stellent INSO Viewer - supported file type list<span style="font-size:85%;"><span style="font-family:arial;">Oracle Outside In Technology 8.3.2 Supported Formats<br /><br /><a href="www.oracle.com/technology/products/content-management/oit/ds_oitFiles.pdf">www.oracle.com/technology/products/content-management/oit/ds_oitFiles.pdf</a><br /><br /><br /><br /></span></span>Robert Cazareshttp://www.blogger.com/profile/02234840491442279369noreply@blogger.com0
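Going back to the four Run keys post above: as an added example, not code from the KB article or from this blog, here is a small reviewer for a regedit export of those four keys. It applies the RunOnce prefix rules quoted there (an asterisk forces the value to run even in Safe mode, an exclamation point defers deletion until after the command runs) and, for a forensic first pass, flags any autostart command whose executable lives in a user-writable location. The .reg text is constructed for the example and the user-writable-path heuristic is this example's own, not part of the article.

```python
import re

# The four keys from the KB article above. True marks a RunOnce key, where the
# '*' and '!' value-name prefixes described there are meaningful.
RUN_KEYS = {
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run": False,
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run": False,
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce": True,
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce": True,
}

# Locations an ordinary user can write to; an autostart command launched from
# one of them deserves a closer look. Heuristic chosen for this example only.
USER_WRITABLE_HINTS = ("\\temp\\", "\\documents and settings\\", "\\users\\",
                       "%temp%", "%appdata%", "%userprofile%")

# Constructed regedit (.reg) export of the four keys; not from a real machine.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"svchost"="\"C:\\Documents and Settings\\user\\Local Settings\\Temp\\svchost.exe\" -s"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"*Cleanup"="cmd.exe /c del C:\\setup.tmp"
"!Installer"="C:\\Temp\\install.exe /finish"
"Broken"=hex:00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
'''

_SECTION = re.compile(r"^\[(.+)\]$")
_STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    # .reg string escaping: a doubled backslash is one backslash, \" is a quote.
    return re.sub(r'\\(["\\])', r"\1", s)


def executable_path(command):
    """First token of a command line, honouring a quoted executable path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def classify(key, raw_name, command):
    """Apply the RunOnce prefix rules quoted in the KB text to one value."""
    run_once = RUN_KEYS[key]
    safe_mode = run_once and raw_name.startswith("*")     # runs even in Safe mode
    delete_after = run_once and raw_name.startswith("!")  # deleted after the command runs
    name = raw_name[1:] if (safe_mode or delete_after) else raw_name
    exe = executable_path(command).lower()
    return {
        "key": key,
        "name": name,
        "command": command,
        "run_once": run_once,
        "safe_mode": safe_mode,
        "delete_after_run": delete_after,
        "suspicious": any(hint in exe for hint in USER_WRITABLE_HINTS),
    }


def review_run_keys(reg_text):
    """Parse a .reg export and return one record per string value under any of
    the four Run/RunOnce keys; other keys and non-string data (hex:, dword:)
    are skipped."""
    entries, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = _SECTION.match(line)
        if m:
            key = m.group(1) if m.group(1) in RUN_KEYS else None
            continue
        v = _STRING_VALUE.match(line) if key else None
        if v:
            entries.append(classify(key, _unescape(v.group(1)), _unescape(v.group(2))))
    return entries


if __name__ == "__main__":
    for e in review_run_keys(SAMPLE_REG_EXPORT):
        hive = e["key"].split("\\")[0]
        flags = [f for f in ("run_once", "safe_mode", "delete_after_run", "suspicious") if e[f]]
        print(f"{hive:<19} {e['name']:<12} {e['command']:<58} {' '.join(flags)}")
```

On a live system the same export comes from regedit's File, Export (or reg.exe export) against each of the four keys; the script never touches the registry itself.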