Wednesday, December 21, 2011

Signing off!

Since I'm no longer doing network admin work and am doing full time security work, I'll be migrating my infosec posts to my new blog http://www.pwnag3.com. However, networkadminsecrets.com will never die. The 3 to 4 people who read this blog will be happy to know that. Gabe, you don't count.

Hasta Luego!

Monday, October 10, 2011

SharePoint Report Viewer Edit Items Permission

If you run the SharePoint 2010 Report Viewer web part, you have probably already created a new permission level with limited rights to view the report. However, you may notice that the "Edit Items" permission is required to render the report. This is obviously a problem: if your users have this permission, they can change the layout of the page, which is bad. What the regular user will see is an "Edit Page" option in the Site Actions menu. This is the problem we're going to solve.

To get around this, go to the report library where your report is located. Open the drop-down menu next to your report and you should see "Publish Major Version." As soon as you do this, you can go back to your "Report Viewer" permission level (or whatever name you gave it) and remove the Edit Items permission. When you revisit your page you will see that the report still runs, and the user can no longer edit the web page.

Tuesday, September 13, 2011

CISSP Review, Strategy and Advice

Today I found out that I am one step closer to becoming a CISSP: I passed the exam. I realize there are quite a few reviews of this exam already, so I'll only add what I think is beneficial.

I put off this certification for years because it isn't that technical and I thought it was going to be boring. I also thought it was just about reading a book and taking an exam; I was wrong. The first mistake I made with this certification was underestimating the amount of information there is to know. Even if you have worked in the areas the Common Body of Knowledge covers, you still have to go through the CISSP's version and terminology or you won't be ready for the exam.

The biggest piece of advice I can give for the exam is to focus on CONCEPTS. You really need to understand why things are the way they are in the CBK. I went through about 4000 practice questions on cccure.com, but only about 5% of them were like the questions on the exam. I also used all the Shon Harris exam questions that came with the 4th edition of her book, but again, the questions on the exam were different. Still, these are great tools for practicing what you know. Instead of just memorizing answers, make sure you know WHY the answer is correct. I promise you, this is the best advice I can give.

Use multiple sources of information to study. I read this somewhere else but didn't really start using this strategy until about halfway through my studying. The reason it helps is that your brain processes the concepts in two different voices, which actually helped me remember things during the exam.

My Study Strategy and Lessons Learned

Here are the resources I used to study:
First bit of advice on strategy: make sure you have one. Don't just start haphazardly reading and studying. Have a plan and try to stick to it; the organization will pay off. If I had to do it over, here is what I would do: read the official guide first. It's kind of a rough read, but anything that doesn't really make sense or isn't clear you can reinforce with the Shon Harris book. Then, as you begin taking practice tests, review what you know with the Eric Conrad Study Guide. This strategy worked for me and I wish I had had it written down before I began studying. I didn't really have a solid study process, and as I got closer to my exam date I started to panic.

I hated this entire process and the exam was hard, but the worst part was probably waiting for the results. I got mine about 4 weeks after I took the exam. This was torture! I do think there is value in the content and I did learn a lot, more than I expected ;)

I hope this helps!

Wednesday, August 31, 2011

SharePoint 2010 Authentication Prompts in Document Library

SharePoint 2010 is an incredible product; however, it is a beast. There are so many moving parts and nothing is really "simple." One of the things I recently ran across was a lot of authentication prompts and security warnings when users opened a document in a document library or saved to a document library. This totally ruins the user experience. Users are already leery of the application, and if you make them authenticate all the time, they'll hate you. In addition, you don't want them to use the "Remember Password" box, because when their password changes they'll be stuck.

I had a hard time finding a concise solution to this problem, so here is what I used and had the best success with:
  1. Add your site to the Trusted Sites Internet zone.
  2. Go to Internet Options - Security - highlight Trusted Sites - click Custom level - scroll to the bottom and, in the User Authentication section, select "Automatic logon with current username and password."
  3. This can be done via group policy by going to: User Configuration - Policies - Administrative Templates - Windows Components - Internet Explorer - Internet Control Panel - Security Page - Trusted Sites Zone. From here find "Logon Options" and enable it. Pick the "Automatic logon with current username and password" option.
This will get rid of most of the prompts; however, there is one more change you need to make if users still get prompts when saving a new document up to a document library:
  1. The changes are described in this KB: http://support.microsoft.com/kb/943280
  2. You need to adjust the AuthForwardServerList to include your URL. You can use a wildcard (*) if you want, but make sure you use the full URL, like https://*.domain.com
  3. This can also be done via group policy by following this post: http://social.technet.microsoft.com/Forums/en-US/sharepoint2010setup/thread/b26d9599-9a70-4f44-b19d-08b3a42669f2/
  4. One thing that link does not tell you: you have to set the action of this GPO registry item to CREATE, since it is a NEW registry key:

Monday, August 29, 2011

SQL Server Maintenance Plan Execution Failed

Problem:
No matter what type of SQL Server Maintenance Plan you create, and no matter what credentials you use, the plan always fails with "Execution Failed." There is almost no information to go on either: event logs, SQL Agent logs... nothing reports a problem.

Are you using SQL aliases?

Solution:
Make sure you've set the alias for both the 32-bit and 64-bit drivers. We ran into this exact problem, and as soon as we added the alias to the second section, all the maintenance plans ran fine.

Wednesday, July 20, 2011

FreeFloat FTP Buffer Overflow

The other day on exploit-db.com there was a new exploit for FreeFloat FTP 1.0. I took a quick look and decided to see if there were other commands that were vulnerable. I started fuzzing and noticed quite a few commands were overflowing EIP with 41414141: ABOR, ACCT, ALLO, and so on. I basically stopped looking because every single command I tried would crash the application.

It seems any unimplemented command causes the same buffer overflow. I posted my exploit on PacketStorm. I also noticed that basically any four letters you send as a command will overflow the buffer. PWND even worked!

If you're interested in buffer overflows or fuzzing, I highly recommend grabbing a copy of this POS software. Whoever coded this did absolutely no checking of user input at all. It really should be used as a learning tool. Everything I found was a straightforward overflow. Good fun!

Friday, July 15, 2011

Lync Contact Card Regular Expressions

The contact cards in Lync are a nice feature, but they are a cause of confusion for some. You may notice that the phone number fields for some of your AD users do not populate, or are not populated the same way you entered them in Active Directory. The reason is that the Lync server uses a generic set of regular expressions to format them into E.164 format. Why does it do this? A lot of people integrate their phone systems with their Lync server so that you can dial people directly from your computer by clicking on their phone number. Phone systems need these phone numbers to be in a specific format so they can handle them accordingly.

A client of mine had a situation where multiple hands had been in Active Directory over the years, and therefore employees' phone numbers had been entered in multiple formats. For example:

(111) 222 - 3333
111-222-3333
111-222-3333 x44
111-222-3333 x4444
111-222-3333 ex 44
etc....

This client did not have an integrated phone system but wanted to utilize the contact card functionality for reference without having to go through their entire AD and re-enter them all. Seems reasonable and easy enough eh? Meh.

Lync Server looks in the share that you set up during installation for address book files. This is typically \\server\share\1-webservices-1\abfiles, and the rules go in the Company_Phone_Number_Normalization_rules.txt file there. This is the file where the regular expressions need to go.

I contacted Microsoft Support (greatest enterprise support known to man) for help coming up with a series of regular expressions to accommodate all of the different variations we could think of. Here is what they came up with, and they work perfectly:

##COPY FROM HERE
## Normalize 10-digit phone number patterns from Active Directory into +E.164
##
##(\d{10})
##+1$1
##^\D*(\d{3})\D*(\d{3})\D*(\d{4})?\D*(\d*)$
##(?:\+?1[-. ]?)?\(?([0-9]{3})\)?[-. ]?([0-9]{3})[-. ]?([0-9]{4})?\D*(\d*)
##+1($1) $2-$3 $4

#For normal phone numbers with 10 digits
\+?[\s()\-\./]*1?[\s()\-\./]*\(?\s*(\d\d\d)\s*\)?[\s()\-\./]*(\d\d\d)[\s()\-\./]*(\d\d\d\d)[\s]*
+1$1$2$3

#Various configurations of the 10 digits
\+?[\s()\-\./]*1?[\s()\-\./]*\(?\s*(\d\d\d)\s*\)?[\s()\-\./]*(\d\d\d)[\s()\-\./]*(\d\d\d\d)[\s]*[Xx]+[\s()\-\./]*(\d\d\d\d)[\s()\-\./]*
+1$1$2$3;ext=$4

\+?[\s()\-\./]*1?[\s()\-\./]*\(?\s*(\d\d\d)\s*\)?[\s()\-\./]*(\d\d\d)[\s()\-\./]*(\d\d\d\d)[\s]*[Xx]+[\s()\-\./]*(\d\d\d\d)[\s()\-\./]*
+1$1$2$3;ext=$4

\+?[\s()\-\./]*1?[\s()\-\./]*\(?\s*(\d\d\d)\s*\)?[\s()\-\./]*(\d\d\d)[\s()\-\./]*(\d\d\d\d)[\s]*[Xx]+[\s()\-\./]*(\d\d)[\s()\-\./]*
+1$1$2$3;ext=$4

\+?[\s()\-\./]*1?[\s()\-\./]*\(?\s*(\d\d\d)\s*\)?[\s()\-\./]*(\d\d\d)[\s()\-\./]*(\d\d\d\d)[\s]*[Ex]+[\s()\-\./]*(\d\d\d\d)[\s()\-\./]*
+1$1$2$3;ext=$4

\+?[\s()\-\./]*1?[\s()\-\./]*\(?\s*(\d\d\d)\s*\)?[\s()\-\./]*(\d\d\d)[\s()\-\./]*(\d\d\d\d)[\s]*[Ex]+[\s()\-\./]*(\d\d)[\s()\-\./]*
+1$1$2$3;ext=$4

#For 10 digit numbers using X as the extension notation (2 digit extensions)
\+?[\s()\-\./]*1?[\s()\-\./]*\(?\s*(\d\d\d)\s*\)?[\s()\-\./]*(\d\d\d)[\s()\-\./]*(\d\d\d\d)[\s]*[Ex.]+[\s()\-\./]*(\d\d)[\s()\-\./]*
+1$1$2$3;ext=$4

#For 10 digit numbers using X as the extension notation (4 digit extensions)
\+?[\s()\-\./]*1?[\s()\-\./]*\(?\s*(\d\d\d)\s*\)?[\s()\-\./]*(\d\d\d)[\s()\-\./]*(\d\d\d\d)[\s]*[Ex.]+[\s()\-\./]*(\d\d\d\d)[\s()\-\./]*
+1$1$2$3;ext=$4

#For 10 digit numbers using Ex as the extension notation (4 digit extensions)
\+?[\s()\-\./]*1?[\s()\-\./]*\(?\s*(\d\d\d)\s*\)?[\s()\-\./]*(\d\d\d)[\s()\-\./]*(\d\d\d\d)[\s]*Ex(\d{4})
+1$1$2$3 Ex $4

#For 10 digit numbers using ex as the extension notation (4 digit extensions and case sensitive)
\+?[\s()\-\./]*1?[\s()\-\./]*\(?\s*(\d\d\d)\s*\)?[\s()\-\./]*(\d\d\d)[\s()\-\./]*(\d\d\d\d)[\s]*ex(\d{4})
+1$1$2$3 Ex $4

##END OF COPY
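To see what these rules actually do to the numbers listed earlier, here is an added example (my code, not Microsoft's or the original post's) that loads a constructed four-rule excerpt of the file above and runs the sample numbers through it in Python. It assumes Lync treats '#' lines as comments, pairs each pattern line with the translation line after it, takes the first rule whose pattern matches the whole string, and uses .NET-style $n group references; whether Lync matches case-insensitively is not something this post settles, so the ignore_case switch lets you try both against your own data.

```python
import re
from typing import List, Optional, Tuple

# Constructed excerpt (four rules) in the assumed file layout: '#' lines are
# comments; each remaining line is a pattern, and the next line its translation.
RULES_TEXT = r"""
#For normal phone numbers with 10 digits
\+?[\s()\-\./]*1?[\s()\-\./]*\(?\s*(\d\d\d)\s*\)?[\s()\-\./]*(\d\d\d)[\s()\-\./]*(\d\d\d\d)[\s]*
+1$1$2$3

#10 digits, X, 4-digit extension
\+?[\s()\-\./]*1?[\s()\-\./]*\(?\s*(\d\d\d)\s*\)?[\s()\-\./]*(\d\d\d)[\s()\-\./]*(\d\d\d\d)[\s]*[Xx]+[\s()\-\./]*(\d\d\d\d)[\s()\-\./]*
+1$1$2$3;ext=$4

#10 digits, X, 2-digit extension
\+?[\s()\-\./]*1?[\s()\-\./]*\(?\s*(\d\d\d)\s*\)?[\s()\-\./]*(\d\d\d)[\s()\-\./]*(\d\d\d\d)[\s]*[Xx]+[\s()\-\./]*(\d\d)[\s()\-\./]*
+1$1$2$3;ext=$4

#10 digits, E or x, 2-digit extension
\+?[\s()\-\./]*1?[\s()\-\./]*\(?\s*(\d\d\d)\s*\)?[\s()\-\./]*(\d\d\d)[\s()\-\./]*(\d\d\d\d)[\s]*[Ex]+[\s()\-\./]*(\d\d)[\s()\-\./]*
+1$1$2$3;ext=$4
"""

SAMPLE_NUMBERS = [  # constructed: the mixed AD formats listed in the post
    "(111) 222 - 3333", "111-222-3333", "111-222-3333 x44",
    "111-222-3333 x4444", "111-222-3333 ex 44"]

def parse_rules(text: str) -> List[Tuple[str, str]]:
    """Return (pattern, translation) pairs, dropping comments and blank lines."""
    lines = [ln.strip() for ln in text.splitlines()
             if ln.strip() and not ln.lstrip().startswith("#")]
    if len(lines) % 2:
        raise ValueError("pattern line without a translation line")
    return list(zip(lines[0::2], lines[1::2]))

def normalize(number: str, rules: List[Tuple[str, str]],
              ignore_case: bool = False) -> Optional[str]:
    """First rule matching the WHOLE string wins (assumed Lync behaviour); '$n' -> '\\g<n>'."""
    flags = re.IGNORECASE if ignore_case else 0
    for pattern, translation in rules:
        m = re.fullmatch(pattern, number, flags)
        if m:
            return m.expand(re.sub(r"\$(\d+)", r"\\g<\1>", translation))
    return None  # no rule matched; the number would stay as entered in AD

if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    for n in SAMPLE_NUMBERS:
        print(f"{n!r:24} -> {normalize(n, rules)}")
```

Note that "111-222-3333 ex 44" only normalizes when matching is case-insensitive, because none of the extension patterns list a lowercase "e"; that is worth checking against your own server before trusting the rule set.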

Keep in mind, you'll have to regenerate your Address Book files manually or wait about 24 hours for the new database files to be updated. You also might need to delete the local galcontacts.db files, which are located in C:\Users\user\AppData\Local\Microsoft\Communicator\sip_user@domain.com

Hopefully this helps you if you're in the same situation!