Monday, December 15, 2014

Extend System Partition on a Windows Server 2003 VM using Dell ExtPart

Windows Server 2003 has no native tool for extending the system partition (the C:\ drive) while the operating system is running: Disk Management cannot do it, and diskpart refuses to extend the boot volume. Of the various ways to perform this task, the only one that works online uses a Dell utility called ExtPart. It extends the system partition with no downtime, although sometimes you have to boot into Safe Mode first so that ExtPart can get an exclusive lock on the disk. As with any partition operation, take a VM snapshot or a backup before you start.
Note: This applies to Server 2003 only. Newer versions of Windows do not have this limitation; both Disk Management and diskpart can extend the system partition on the fly.

The first step is to download the ExtPart utility from Dell's support site. Click on the Download File link and save it to your desktop. The file is a self-extracting zip archive called ExtPart.exe.
Double-click it and accept the default path it offers to extract the utility to.
Click Unzip and the files are extracted.
To demonstrate how useful ExtPart is, our demo VM has a 15 GB C:\ drive that needs to be increased to 30 GB.
In the VM settings we can see that the virtual disk is indeed 15 GB in size.
We increase the virtual disk size to 30 GB and apply the change.
Within the VM, open Disk Management and select Action > Rescan Disks so that the system sees the newly added 15 GB of storage.
After the rescan completes, the extra 15 GB shows up as unallocated space. Note the exact figure in MB that Disk Management reports; entering that value in the next step avoids having to run the tool twice.
Now we run ExtPart to expand the C:\ drive into the 15 GB of unallocated space. Open a command prompt and change to the directory where you extracted the utility, in this case C:\dell\ExtPart:
C:\>cd C:\dell\ExtPart
Then run ExtPart.exe:
C:\dell\ExtPart>extpart.exe
Enter the volume to extend; for the C:\ drive enter just C: without the backslash:
Volume to extend (drive letter or mount point): C:
Then enter the amount in MB to increase the volume by; here 15343 was entered:
Size to expand the volume (MB): 15343
The output will confirm the new size of the volume (C:\ drive), which is 30678 MB:
New volume size          :30678 MB (32169069568 bytes)
Going back into Disk Management and rescanning the disks, we can see that 31 MB is still unallocated, because the value typed above did not match the full amount of new space exactly:
To add that remaining 31 MB to the C:\ drive, we go back to ExtPart and perform the same series of steps, but this time enter 31 MB:
Size to expand the volume (MB): 31
Back in Disk Management, the C:\ drive now uses all of the provisioned space on the disk.
If the utility returns an error such as "the disk is not accessible" or "unable to connect to C:", reboot the VM into Safe Mode and run the same ExtPart commands. The error is caused by services holding handles on the volume, which prevents ExtPart from extending it. Safe Mode starts the OS with only the minimal set of services and drivers, so ExtPart can expand the volume without interference.
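As an added example that is not part of the original post, here is the same procedure on Windows Server 2012 / Windows 8 and later, where the built-in Storage module can extend the boot volume online and ExtPart is not needed. It assumes the virtual disk has already been grown at the hypervisor and that it runs from an elevated PowerShell prompt; the drive letter is the only input. It grows the partition to the exact maximum it supports, which avoids the leftover-megabytes second run seen above.

```powershell
# Added example (not from the original post). Extends the boot volume online on Windows Server 2012 /
# Windows 8 and later with the built-in Storage module, i.e. the job ExtPart does for Server 2003.
# Assumes the virtual disk has already been grown at the hypervisor and an elevated prompt.
param([string]$DriveLetter = 'C')

# Equivalent of Action > Rescan Disks: make the OS notice the larger virtual disk
Update-HostStorageCache

$part  = Get-Partition -DriveLetter $DriveLetter
$sizes = Get-PartitionSupportedSize -DriveLetter $DriveLetter   # SizeMin / SizeMax for this partition

$currentMB = [math]::Round($part.Size / 1MB)
$maxMB     = [math]::Floor($sizes.SizeMax / 1MB)
$growMB    = $maxMB - $currentMB
Write-Host ("{0}: is {1} MB, can grow by {2} MB" -f $DriveLetter, $currentMB, $growMB)

if ($growMB -le 0) {
    Write-Host 'Nothing to do: no unallocated space directly after this volume.'
    return
}

# Grow to the exact supported maximum in one step; typing an MB figure by hand is what left
# 31 MB unallocated in the walkthrough above and forced a second run.
Resize-Partition -DriveLetter $DriveLetter -Size $sizes.SizeMax

$after = Get-Partition -DriveLetter $DriveLetter
Write-Host ("New volume size: {0} MB ({1} bytes)" -f [math]::Round($after.Size / 1MB), $after.Size)
```

Get-PartitionSupportedSize only counts unallocated space that sits directly after the partition, so if SizeMax equals the current size the new space is somewhere else on the disk (for example behind a recovery partition) and a plain resize will not reach it.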


Monday, December 8, 2014

Administrator Password Reset Laserjet M2727 MFP - Cold Reset

To do an NVRAM reset (HP calls this a cold reset) follow these steps:

1. Turn off the printer.
2. Hold down the Cancel button and the right arrow button, and while holding them turn on the power.
3. Wait for the message "Permanent storage init", then release the buttons.

Wait for about 2 minutes. When the printer is back at the Ready screen it has been reset.

Note that a cold reset clears all stored settings, not just the administrator password: network configuration and any other customisations go too, so record the printer's IP settings before you start, and set a new administrator password as soon as it is back online.


Friday, September 19, 2014

Mount an ISO image in Windows 7, Windows 8 or Vista

The freeware utility from Microsoft for mounting ISO images (Virtual CD-ROM Control Panel) doesn't work on Windows 7 or Vista. Thankfully there is another utility that does.

Mounting an ISO Image in Windows 7 or Vista

The utility we will use is called Virtual CloneDrive. It can mount .ISO, .CCD, .DVD, .IMG, .UDF and .BIN files. Download the utility and start the setup process.
Select Yes or OK at the hardware prompt and continue (the utility installs a virtual drive, which is why Windows asks). You might have to restart your computer. You should now be able to mount any ISO image just by double-clicking the file. You can also right-click the virtual CD-ROM drive to mount or unmount an image.

Notes: If you are going to reinstall this utility, make sure you uninstall it first, or you'll BSOD yourself repeatedly. Also, as of the latest version, this utility works on the 64-bit editions of Windows 7 and Vista.


Alternatives
  • Virtual CD-ROM (Microsoft) – This utility has recently been updated but it is still fairly old.
  • Alcohol 52% – Free version of Alcohol 120, but it bundles a browser toolbar that they claim isn’t spyware. It’s unacceptable.
  • Daemon Tools – Well known tool, but the latest version installs spyware on your computer, and the old version doesn’t work in Vista or 7.
At this point, Virtual CloneDrive is by far my favorite free utility.
Download Virtual CloneDrive from slysoft.com

Mounting an ISO Image in Windows 8 or 8.1

Now that Windows 8 is finally upon us, it's worth noting that ISO and VHD mounting is built right into the operating system. All you need to do is right-click, double-click, or select the file and use Mount on the Ribbon. It's just that simple.

Once you’ve done so, you’ll see the ISO mounted as a new drive in Computer. You can right-click there to unmount when you’re done.
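The same built-in mounting is available from PowerShell on Windows 8 / Server 2012 and later, which is handy on servers with no Explorer session. The script below is an added example, not part of the original post: it refuses to mount an image whose SHA-256 does not match the value published by the vendor, then mounts it and reports the drive letter. The ISO path and expected hash are caller-supplied placeholders; Get-FileHash needs PowerShell 4.0 (Windows 8.1 / Server 2012 R2) or later.

```powershell
# Added example (not from the original post): mount an ISO with the built-in Storage cmdlets after
# verifying its SHA-256 against a published value. Path and hash are placeholders supplied by the caller.
param(
    [Parameter(Mandatory)][string]$IsoPath,
    [Parameter(Mandatory)][string]$ExpectedSha256   # copy from the vendor's download page
)

# Get-FileHash returns upper-case hex; normalise the expected value before comparing
$actual = (Get-FileHash -Path $IsoPath -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256.ToUpperInvariant()) {
    throw "Hash mismatch for $IsoPath (got $actual, expected $ExpectedSha256). Not mounting."
}

# Mount and resolve the drive letter the image landed on
$image  = Mount-DiskImage -ImagePath $IsoPath -PassThru
$letter = ($image | Get-Volume).DriveLetter
Write-Host ("Mounted {0} as {1}:" -f $IsoPath, $letter)
Get-ChildItem "${letter}:\" | Select-Object -First 10 Name, Length

# When finished, unmount with:
# Dismount-DiskImage -ImagePath $IsoPath
```

Mounting does not run autorun content, but anything you then execute from the image runs with your rights, so the hash check before mounting is the step that actually protects you against a tampered download.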


Tuesday, September 2, 2014

Setting Up Your iPhone, iPad, & iPod With Microsoft Exchange 2010 E-Mail

The following steps set up your Microsoft Exchange 2010 mailbox on your iPhone:
Note: Your device must be an iPhone 3G or 3GS running iOS 4.0 or later.
Note: Before you start, make sure your administrator has purchased an ActiveSync licence and assigned it to your email address.
1. Tap the Settings icon on the iPhone.

2. Tap Mail, Contacts, Calendars.

3. Tap Add Account, then Microsoft Exchange.

4. The Exchange setup screen will open; you'll then enter the following information:
  • Email - Enter your entire email address (e.g., myname@mydomain.com), using all lowercase letters.
  • Domain - leave this field empty.
  • Username - Enter in your entire email address.
  • Password - Enter in the password for your email account.
  • Description - Enter a descriptive name for your account (e.g., My Work Account). This description will only be visible to you.

5. Tap the Next button and the device will attempt to verify the account. You may receive an "Unable to Verify Certificate" message. Accepting it means the phone cannot tell the real server from an impostor on the same network, so only tap Accept if your administrator has confirmed that the server uses a self-signed certificate; the better fix is to have the issuing CA certificate installed on the device so the warning does not appear.
6. The device will then continue verifying the account. Once complete, tap the Server field and enter connect.emailsrvr.com (without the quotes).

7. Tap the Next button and the device will then try to create a secure (SSL) connection to your Exchange server. When connected, you'll see check marks along your settings to confirm that your account has been verified.

8. Tap the ON/OFF buttons to select which information to synchronize with the Exchange server and then tap the Done button when finished.

Note: Your iPhone may take a moment to sync all your information, depending on how much you have on the Exchange server. To learn more about the mail settings on your device, tap Settings from the home screen, then Mail, Contacts, Calendars, and then select your account. You'll be able to customize how much data you would like to sync from the server.


Set Up Microsoft Exchange 2013 on Your iPhone



For Exchange 2013 packages

Follow the steps below to sync your Microsoft Exchange package to your iPhone, allowing you to access your Exchange account wherever you go.

The steps and images in this article reflect iOS 7.1.1.
Step 1
Select the Settings icon on the iPhone. The Settings icon is located on the home screen.
Step 2
Scroll down and select the Mail, Contacts, Calendars section of the Settings menu.
Step 3
At the top, under Accounts, select Add Account...
Step 4
Select Exchange as the type of mail account.
Step 5
Enter values for the required fields on the basic e-mail settings screen:

  Field        Input
  Email        The full e-mail address that is linked with your Exchange account
  Password     The password chosen when setting up your Exchange account
  Description  The full e-mail address that is linked with your Exchange account

Step 6
Enter values for the Server address and Username on the further settings screen:

  Field        Input
  Server       1.exchange.1and1.us
  Username     The full e-mail address that is linked with your Exchange account

Step 7
Once connected, the phone will prompt you to choose which services you would like to sync with your iPhone. Enable synchronization of the services you want by changing the selection to ON.
When you are finished, select the Save button at the top right.
Your Exchange account should now be set up on your iPhone, and the services you have chosen will begin to synchronize at this point. Allow time for your iPhone to sync with your 1&1 Exchange account; many Exchange profiles are large and may take a while depending on the connection type and speed of your phone.

Sunday, August 17, 2014

How to Protect Your Business from Phone Hackers

Phone Protection
Businesses need to manage their customers efficiently and effectively, which calls for continual improvement of their telephone systems. They also have to minimise problems such as unauthorised use of telephone services and toll fraud (phone hacking). One of the main challenges is monitoring improper use of corporate communication facilities for toll calls, and the abuse of authorisation codes is a significant concern for all kinds of business. Toll fraud can occur on both TDM and IP-based voice systems, and any phone system can be vulnerable, whether the culprit is an employee trying to make a few free calls or an outside attacker. Call logging software can address this problem by showing whether a phone system is being abused. Call logging involves capturing call records, storing them in a database, and then retrieving them through a reporting interface.
Call logging software can track toll fraud and produce alerts and reports of abnormal phone activity. It acts as a watchdog for the voice system, alerting administrators to suspicious calling activity: calls to international destinations, chat lines, entertainment services, adult services, and so on. There are also legal and law-enforcement reasons for calls to be traceable.
Reports produced by call logging software can be used to increase business efficiency with additional integrated software modules. Call data can be collected and analysed for various purposes, including cost management. By examining these records a business can detect toll fraud, monitor the cost of calls and take action to reduce it, and find out how many extensions are unused or misused.
Call logging also lets businesses improve employee performance by analysing how quickly inbound calls are answered, and the data can be used to train and organise staff. With security a real concern, it is important to choose a telephony system, such as Cisco or Mitel phones, that offers call logging features to help prevent threats such as toll fraud; Cisco IP phones, for example, are part of a unified communications platform that includes call detail recording.

Prevention is better than cure:

So what practical measures can telecom or IT administrators take to avoid becoming the next victim?
One of the best ways to improve the security of telephony systems is to conduct regular reviews of:
  • Station privileges and restrictions
  • Voice and data calling patterns
  • Public and private network routing access
  • Automatic route selection
  • Software-defined networks
  • Private switched and tie-line networks
Other measures include reviewing the configuration of your PBX in the light of known attacker techniques, and comparing configuration settings against best practice and any regulatory requirements that apply to your industry.
Make sure default voicemail and maintenance passwords are changed, and introduce a policy that prevents easily guessable passwords (voicemail boxes with PINs such as 1234 or the extension number are the classic way into a PBX's outbound dialling).
Verify that the policy requires regular password changes, and take steps to make sure it is enforced.
Installing a call logging solution that notifies you of suspicious activity on your PBX is a sensible measure and one that can often give valuable early warning of an attack. Also review existing PBX control functions that could be at risk or that could allow mistakes to happen.
Be aware that many voice systems now have an IP address and are therefore connected to your data network; assess what you need to do to segment the two networks. Security exposures can also arise from the way multiple PBX platforms are connected across a corporate network, or from interconnection with existing applications.
Research and analyse operating system weaknesses, including analysis findings, recommendations, prioritisation and mitigation or closure requirements, and set a regular schedule for reviewing server service packs, patches, hot-fixes and anti-virus software.
Call logging software is used by many businesses around the world to monitor and manage phone calls, cut costs, and increase sales and profit. Small and medium enterprises with significant calling activity should therefore consider investing in call logging software.
Good phone systems are very useful for doing business in any company. Managers, employees, owners, suppliers and customers all use the phone system to communicate, which makes producing and delivering goods and services easier. Customers ask questions and give feedback over the phone, so good telephony makes service delivery more professional; many customers prefer a company with a good phone system, and that feeds through to profits.
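The alerting described above is not magic: it is pattern matching over call detail records (CDRs). The script below is an added example, not part of the original article and not any vendor's product. It parses a small set of constructed CDR lines (timestamp, extension, dialled number, duration in seconds; a real PBX export has its own layout) and flags premium-rate numbers and after-hours international calls, then warns about any extension with a burst of flagged calls, which is the usual signature of a compromised voicemail box or DISA port being used to relay calls. The prefixes, business hours and thresholds are assumptions for the example.

```powershell
# Added example (not from the original article): toy toll-fraud detector over call detail records.
# The CDR format and these sample lines are constructed for illustration; real PBX exports differ.
# Fields: timestamp, extension, dialled number, duration in seconds
$cdr = @"
2014-08-15T09:12:04,2014,02079460000,120
2014-08-15T22:45:10,2031,00234803000000,1850
2014-08-15T23:02:55,2031,00234803000001,1790
2014-08-16T02:17:31,2031,00234803000002,2100
2014-08-16T10:30:00,2050,09091234567,60
2014-08-16T11:05:12,2014,01612345678,300
"@

$premiumPrefixes = @('0909', '0871')   # premium-rate / "entertainment" ranges (assumed, UK-style)
$intlPrefix      = '00'                # international trunk prefix (assumed)
$businessHours   = 8..18               # 08:00 to 18:59 local (assumed)
$burstThreshold  = 3                   # flagged calls per extension before we shout

function Get-SuspiciousCalls {
    param([string[]]$Records)
    foreach ($line in $Records) {
        $f = $line.Split(',')
        $call = [pscustomobject]@{
            Time      = [datetime]$f[0]
            Extension = $f[1]
            Number    = $f[2]
            Seconds   = [int]$f[3]
        }
        $reasons = @()
        if ($premiumPrefixes | Where-Object { $call.Number.StartsWith($_) }) {
            $reasons += 'premium-rate number'
        }
        if ($call.Number.StartsWith($intlPrefix) -and $businessHours -notcontains $call.Time.Hour) {
            $reasons += 'international call outside business hours'
        }
        if ($reasons) {
            $call | Add-Member -NotePropertyName Reason -NotePropertyValue ($reasons -join '; ') -PassThru
        }
    }
}

$records    = $cdr -split '\r?\n' | Where-Object { $_ }
$suspicious = @(Get-SuspiciousCalls -Records $records)
$suspicious | Format-Table Time, Extension, Number, Seconds, Reason -AutoSize

# Several flagged calls from one extension in a day is the pattern a call-logging alert should fire on
$suspicious | Group-Object Extension | Where-Object { $_.Count -ge $burstThreshold } | ForEach-Object {
    Write-Warning ("Extension {0}: {1} flagged calls; check its voicemail PIN, call forwarding and DISA access" -f $_.Name, $_.Count)
}
```

With the sample data, the three night-time calls to 00234... from extension 2031 and the 0909 call from 2050 are listed, and 2031 trips the burst warning. In production the same logic would run against the PBX's CDR export on a schedule, with the prefix lists tuned to where the business actually calls.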


Thursday, August 7, 2014

ESXi vSphere client error " You do not have permission to Login to server"

 
 
This post is for administrators who are used to managing ESX hosts and are new to ESXi. Many environments have a lot of ESX hosts, with ESXi hosts added after the move to vSphere 5; from vSphere 5 onwards only ESXi is available and ESX has been discontinued, so many administrators are new to ESXi management. When you try to connect to an ESXi host directly with the vSphere Client, as you would to an ESX server, you may see the error: "The vSphere Client could not connect to 'x.x.x.x'. You do not have permission to login to the server."
Don't panic, and don't restart the management services, as many administrators do when they cannot connect to a host with the vSphere Client. The error is caused by Lockdown Mode being enabled on the ESXi host.

When Lockdown Mode is enabled, no user other than vpxuser (the account vCenter Server uses) has authentication permission on the host, so nobody can perform operations against the host directly. Lockdown Mode forces all operations on the host to go through vCenter Server. That is the point of the feature, so the right response is to manage the host from vCenter rather than to switch the mode off. The root account can still log in to the DCUI (the console) while Lockdown Mode is enabled, and the mode can be disabled there temporarily if direct access is genuinely required; re-enable it afterwards. (In vSphere 6.0 and later, Strict Lockdown Mode disables even DCUI access.)
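To check the host's state from the supported side, vCenter, the following PowerCLI snippet is an added example and not part of the original post. It reports whether a host is in Lockdown Mode and only leaves the mode when explicitly asked with -ExitLockdown; the vCenter and host names are placeholders, and it assumes PowerCLI is installed and that the connecting account has host configuration rights.

```powershell
# Added example (not from the original post). Checks, and optionally exits, Lockdown Mode on an ESXi host
# via vCenter with VMware PowerCLI. Server names are placeholders; run Connect-VIServer with your own.
param(
    [string]$VCenter  = 'vcenter.example.local',
    [string]$EsxiHost = 'esxi01.example.local',
    [switch]$ExitLockdown
)

Connect-VIServer -Server $VCenter | Out-Null
$vmhost = Get-VMHost -Name $EsxiHost
$cfg    = $vmhost.ExtensionData.Config

# vSphere 5.0 exposes the state as Config.AdminDisabled; 5.1 and later add Config.LockdownMode
# (lockdownDisabled / lockdownNormal / lockdownStrict). Treat either indicator as "locked".
$locked = [bool]$cfg.AdminDisabled -or ($cfg.LockdownMode -and $cfg.LockdownMode -ne 'lockdownDisabled')

if ($locked) {
    Write-Host "$EsxiHost : Lockdown Mode is ENABLED; direct vSphere Client logins are refused by design, manage it through vCenter."
} else {
    Write-Host "$EsxiHost : Lockdown Mode is disabled; a permission error here is a real permissions problem, not lockdown."
}

if ($locked -and $ExitLockdown) {
    # Leaving lockdown re-opens direct root access to the host; this should be temporary.
    $vmhost.ExtensionData.ExitLockdownMode()
    Write-Warning "Lockdown Mode disabled on $EsxiHost. Re-enable it with `$vmhost.ExtensionData.EnterLockdownMode() when finished."
}

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Running it without -ExitLockdown is a read-only check, which is usually all that is needed to explain the error message in the title.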


Monday, August 4, 2014

10 steps to harden Windows Server 2008

Ever since its debut, Microsoft Windows Server 2008 has impressed security and systems administrators with its complex and innovative features. With threats becoming more imminent and more efficient every day, security administrators face the tedious task of protecting Microsoft's new giant. In this article we have compiled some of the industry's best practices, such as those from NIST, to show you some of the features and ways to reduce your Windows Server 2008 servers' exposure.

1. Configure a security policy

The first step in securing a 2008 server is to configure a security policy. To do so you use the Security Configuration Wizard (SCW), which in Windows Server 2008 is installed by default under Administrative Tools (in Windows Server 2003 it was an optional component added through Add/Remove Windows Components). The SCW detects ports and services, and configures registry and audit settings according to the server's role or installed applications. It stores its results as XML policy files that can easily be deployed and managed.

The version of SCW in Windows Server 2008 includes more than 200 server role configurations and security settings beyond those in the Windows Server 2003 version. Using the Windows Server 2008 version you can also:

  • Disable unneeded services based on the server role.
  • Remove unused firewall rules and constrain existing firewall rules.
  • Define restricted audit policies.

The server's configuration will be changed according to the profile or template selected. Administrators can create custom profiles and deploy them as a set of XML files, or convert a policy into a Group Policy object with scwcmd transform.
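The command-line side of the wizard is scwcmd.exe, which is what makes the XML policies deployable beyond a single host. The following is an added example, not from the original article: it analyzes a host against a saved policy, applies the policy, and converts it into a GPO. The policy path, host name and GPO name are placeholders; the commands are run from an elevated PowerShell prompt on Windows Server 2008.

```powershell
# Added example (not from the original article): driving the Security Configuration Wizard with scwcmd.exe.
# Policy file, host name and GPO name are placeholders. Run elevated on Windows Server 2008.
$policy = 'C:\Policies\web-frontend.xml'   # saved from the SCW GUI ("Save Security Policy")

# 1. Report how a host differs from the policy without changing it; results land in the /o: folder as <host>.xml
scwcmd analyze /p:$policy /m:WEB01 /o:C:\Policies\results

# 2. Render the analysis result in the browser for review
scwcmd view /x:C:\Policies\results\WEB01.xml

# 3. Apply the policy to the local machine (the GUI's "Apply Now")
scwcmd configure /p:$policy

# 4. If a service the role needed was disabled, undo the last applied policy on that host
# scwcmd rollback /m:WEB01

# 5. Turn the policy into a GPO so it can be linked to the servers' OU instead of applied host by host
scwcmd transform /p:$policy /g:"SCW - Web Front End"
```

Run the analyze step again after any application install: it is the quickest way to see which firewall rules, services or audit settings the installer changed behind your back.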




2. Disable or delete unnecessary accounts, ports and services

Attackers often gain access to servers through unused or unconfigured ports and services. To limit entry points, server hardening includes blocking unused ports and protocols as well as disabling services that are not required. Although the SCW can do this, as seen above, the administrator should double-check that all services are configured properly and that only the necessary ports are open.

During installation of a 2008 server, local user accounts are created automatically: Administrator and Guest (earlier versions such as Windows Server 2003 also created HelpAssistant). The Administrator account carries high privileges and requires special diligence. As a security best practice it should be disabled or renamed to make it harder for an attacker to target; note that renaming does not change its well-known SID (the one ending in -500), so the account still needs a strong password.

The Guest account (and HelpAssistant, where it exists) is an easy target for attackers and has been abused on earlier Windows Server versions. These accounts should be disabled at all times.
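The "double check" the text asks for is easy to script. The following is an added example, not from the original article: it ties each listening TCP port to its owning process, lists the services that start automatically for review, disables an example service the role does not need, and deals with the built-in accounts. It is written for the PowerShell 2.0 that ships with Server 2008 and must run elevated; the new administrator name is a placeholder.

```powershell
# Added example (not from the original article): post-SCW review of ports, services and built-in accounts.
# PowerShell 2.0 compatible (Server 2008). Run elevated. The new administrator name is a placeholder.

# Listening TCP sockets with the owning process, so every open port can be justified by a service
netstat -ano | Select-String 'LISTENING' | ForEach-Object {
    $f        = ($_.Line -replace '\s+', ' ').Trim().Split(' ')
    $ownerPid = [int]$f[-1]
    $proc     = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{ Local = $f[1]; OwnerPid = $ownerPid; Process = $proc.Name }
} | Sort-Object Local | Format-Table Local, OwnerPid, Process -AutoSize

# Services that start automatically; anything here the server's role does not need is a candidate for Disabled
Get-WmiObject Win32_Service -Filter "StartMode='Auto'" |
    Select-Object Name, State, StartName, PathName | Sort-Object Name | Format-Table -AutoSize

# Example: the Print Spooler has no business running on a web server
Stop-Service -Name Spooler -Force
Set-Service  -Name Spooler -StartupType Disabled

# Built-in accounts: Guest stays disabled; Administrator is renamed (found by its -500 RID, not by name)
net user Guest /active:no
$admin = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True AND SID LIKE '%-500'"
$admin.Rename('srv-breakglass') | Out-Null

Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" | Select-Object Name, SID, Disabled | Format-Table -AutoSize
```

Locating the built-in Administrator by its RID rather than its name is deliberate: the same trick is how an attacker finds it after a rename, which is why the rename is only a speed bump and the password policy does the real work.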



3. Uninstall unnecessary applications

Remember, your server is a vital part of your network and of the services you provide. The number of applications installed on these servers should be role-related and kept to a minimum. Test applications in a separate environment before deploying them on the production network. Some applications install services or management back channels that can compromise the overall security of the server. After installing each application, double-check whether it created any firewall exceptions or service user accounts.

  • Belarc Advisor: "builds a detailed profile of your installed software and hardware, missing Microsoft hot fixes, anti-virus status, and displays the results in your Web browser." This tool is free for personal use; commercial, government and non-profit organizations should look at Belarc's other products, which include many more features for managing security on multiple computers.
  • Microsoft Sysinternals tools: Microsoft provides a set of tools for monitoring the server's activity, including Regmon and Filemon (both since replaced by Process Monitor), Process Explorer and RootkitRevealer. These tools are great for understanding what an application actually does under the hood.


4. Configure the Windows Server 2008 firewall

Windows Server 2008 comes with a capable built-in firewall, Windows Firewall with Advanced Security. As a security best practice, every server should have its own host-based firewall, and its rule set should be reviewed for unnecessary rules or exceptions. Some of the new features in Windows Server 2008:

  • GUI: an MMC snap-in for the advanced firewall configuration.
  • Bi-directional filtering: the firewall now filters outbound as well as inbound traffic.
  • IPsec integration: firewall rules and IPsec connection security rules are configured in one interface.
  • Advanced rule configuration: rules can be scoped by Active Directory users and computers, source and destination IP addresses, and protocols.
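The snap-in drives the same engine as netsh advfirewall, which is the form that belongs in a build script. The following is an added example, not from the original article: it sets a block-inbound default on every profile, opens only the role's service port to everyone, scopes management to an admin subnet (the scoping feature listed above), disables a leftover built-in exception and exports the result as a baseline. Rule names, the admin subnet and the export path are placeholders; run elevated on Windows Server 2008.

```powershell
# Added example (not from the original article): baseline Windows Firewall with Advanced Security via netsh.
# Subnet, rule names and export path are placeholders for a web server managed over RDP. Run elevated.

# Firewall on for all profiles, default drop inbound / allow outbound, log dropped packets
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy "blockinbound,allowoutbound"
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging filename "$env:SystemRoot\system32\LogFiles\Firewall\pfirewall.log"

# Only the role's service port is reachable from anywhere...
netsh advfirewall firewall add rule name="Web - HTTPS inbound" dir=in action=allow protocol=TCP localport=443 profile=any

# ...management is limited to the admin network (source-address scoping)
netsh advfirewall firewall add rule name="Mgmt - RDP from admin net" dir=in action=allow protocol=TCP localport=3389 remoteip=10.10.50.0/24

# The built-in RDP rule would otherwise allow 3389 from everywhere; keep ours, disable theirs
netsh advfirewall firewall set rule group="Remote Desktop" new enable=no

# Review what is enabled inbound, then keep a copy of the policy so later drift can be diffed
netsh advfirewall firewall show rule name=all dir=in | Select-String '^Rule Name|^Enabled'
netsh advfirewall export "C:\Baselines\wfas-$(Get-Date -Format yyyyMMdd).wfw"
```

The comma-separated firewallpolicy value is quoted because PowerShell would otherwise split it into two arguments before netsh ever saw it.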






5. Configure auditing

One of the most significant auditing changes in Windows Server 2008 is that for Active Directory objects you can audit not only who changed which attribute but also the old and new values. This matters because you can now tell what was changed and, if something doesn't look right, easily find what it should be restored to.

Another significant change is that in earlier Server versions you could only turn audit policy on or off for a whole category. In Windows Server 2008 the audit policy is more granular: each category is split into subcategories that can be set individually with auditpol.exe.

As a security best practice, the following events should be logged and audited on Windows Server 2008:

  • Audit account logon events
  • Audit account management
  • Audit directory service access
  • Audit logon events
  • Audit object access
  • Audit policy change
  • Audit privilege use
  • Audit process tracking
  • Audit system events

Most entries in the Event Viewer carry an event ID; these numbers are the starting point for troubleshooting, and http://www.eventid.net/ is a good site for finding out what actually happened on a server. It is also best practice to forward audit logs to a centralized server, as required by PCI DSS 10.5.3 and other industry standards, so that an attacker who gains administrative rights on the host cannot simply clear the local log. Windows Server 2008 offers a native event subscription feature (Windows Event Forwarding) that forwards system and security logs to a collector.
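The nine categories above map directly onto auditpol's category names. The following is an added example, not from the original article: it enables success and failure auditing for all of them, shows the resulting policy, spot-checks failed logons (event ID 4625) from the last day, and prepares the host as a source for a collector-initiated event subscription. The collector's computer account is a placeholder; run elevated on Windows Server 2008 (PowerShell 2.0).

```powershell
# Added example (not from the original article): enable the audit categories, check them, and prepare
# the host for Windows Event Forwarding. Collector account name is a placeholder. Run elevated.

$categories = 'Account Logon', 'Account Management', 'DS Access', 'Logon/Logoff',
              'Object Access', 'Policy Change', 'Privilege Use', 'Detailed Tracking', 'System'
foreach ($c in $categories) {
    auditpol /set /category:"$c" /success:enable /failure:enable | Out-Null
}
# Object Access only produces events for objects that carry a SACL, so set those on the files/keys you care about
auditpol /get /category:*

# Spot-check: failed logons in the last 24 h, grouped by the account name that was tried
# (event 4625, property index 5 is TargetUserName)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    ForEach-Object { $_.Properties[5].Value } |
    Group-Object | Sort-Object Count -Descending | Select-Object -First 10 Count, Name

# Source side of a collector-initiated subscription: WinRM listener on, and the collector's machine
# account allowed to read the Security log. On the collector run 'wecutil qc' and create the subscription.
winrm quickconfig -q
net localgroup "Event Log Readers" "CORP\LOGCOLLECTOR01$" /add
```

A burst of 4625 events for many different account names from one source is password spraying; the same ten-line query is the first thing to run when the collector shows a spike.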







6. Disable unnecessary shares

Unnecessary shares pose a great threat to vital servers. After a server or application deployment, system and security administrators should check whether the server has any unnecessary shares. This can be done with the following command:

  net share

This lists all shares on the server. If a share is needed, configure it as a hidden share and harden both the NTFS and the share permissions.

C:\Documents and Settings>net share

Share name   Resource                        Remark
-------------------------------------------------------------------------------
ADMIN$       C:\WINDOWS                      Remote Admin
C$           C:\                             Default share
IPC$                                         Remote IPC

To create a hidden share, put a $ sign after the share name. The share is still accessible, but it is not listed when browsing the network. This only hides it from casual discovery and is no substitute for proper permissions. Example:

  Accounting$
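The following is an added example, not from the original article, that does the review and the hardening in one pass: it lists every disk share that is not one of the administrative defaults, then publishes a folder as a hidden share with a restrictive share ACL and an NTFS ACL that no longer inherits from the drive root. The folder, share name and group are placeholders; run elevated on Windows Server 2008.

```powershell
# Added example (not from the original article): audit shares, then create a hidden, locked-down share.
# Folder path, share name and group are placeholders. Run elevated.

# Win32_Share Type 0 = ordinary disk share; the ADMIN$/C$/IPC$ defaults carry the admin flag and are excluded
Get-WmiObject Win32_Share | Where-Object { $_.Type -eq 0 } |
    Select-Object Name, Path, Description | Format-Table -AutoSize

$folder = 'D:\Shares\Accounting'
New-Item -ItemType Directory -Path $folder -Force | Out-Null

# Hidden share (trailing $) with share-level permission for the one group only.
# The spec is built as a string so PowerShell does not expand '$=' or split on the comma.
$spec = "Accounting`$=$folder"
net share $spec '/GRANT:CORP\Accounting-Staff,CHANGE'

# NTFS underneath: stop inheriting from D:\, then grant only the group, admins and SYSTEM
icacls $folder /inheritance:r
icacls $folder /grant:r "CORP\Accounting-Staff:(OI)(CI)M" "BUILTIN\Administrators:(OI)(CI)F" "NT AUTHORITY\SYSTEM:(OI)(CI)F"

# Verify: listed here, absent from 'net view \\localhost'
net share 'Accounting$'
icacls $folder
```

Effective access is the intersection of the share ACL and the NTFS ACL, so both have to be tight; a hidden name with Everyone/Full at either layer is still an open share to anyone who can type the path.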



7. Configure encryption on a 2008 server

Regulations such as HIPAA and GLBA require that servers hosting sensitive information use encryption. Windows Server 2008 provides a built-in full-volume encryption feature, BitLocker Drive Encryption (BitLocker), which protects the operating system and the data stored on the disk against offline attacks such as a stolen drive or a boot from alternate media. In Windows Server 2008 BitLocker is an optional feature that must be installed before it can be used. To install it, select it in Server Manager or type the following at a command prompt:

  ServerManagerCmd -install BitLocker -restart
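Installing the feature does not encrypt anything; that is done with the manage-bde tool it brings along. The following is an added example, not from the original article: it checks the volume and TPM, turns BitLocker on for the OS volume with a TPM protector plus a recovery password, and verifies. On Windows Server 2008 the tool is a script (run it as cscript manage-bde.wsf with the same switches); from Server 2008 R2 onward it is manage-bde.exe as shown. It assumes a TPM that is enabled in firmware; the USB path for the recovery key is a placeholder.

```powershell
# Added example (not from the original article): enable BitLocker on the OS volume with manage-bde.
# On Server 2008 prefix each command with 'cscript manage-bde.wsf'; 2008 R2+ ships manage-bde.exe.
# Assumes a firmware-enabled TPM; E:\ is a placeholder for a removable drive that holds the recovery key.

# Current state of the volume and of the TPM
manage-bde -status C:
manage-bde -tpm -turnon            # initialises the TPM if it was left off (may need a reboot and physical presence)

# Encrypt: the TPM unseals the volume key at boot; the 48-digit recovery password is the break-glass path.
# Escrow that password off the server (AD DS or a vault) before the reboot, or a firmware change locks you out.
manage-bde -on C: -RecoveryPassword -RecoveryKey E:\ -SkipHardwareTest

# Confirm which protectors exist, then watch conversion progress
manage-bde -protectors -get C:
manage-bde -status C:
```

BitLocker is a control against offline disk access; it does nothing for an attacker who logs in to the running server, which is why it sits at step 7 and not in place of the access controls above it.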






8. Updates and hot fixes

Updates and hot fixes are key elements of hardening a server. System and security administrators should keep their servers patched promptly against known vulnerabilities; a patch cannot help against a genuine zero-day, but most real-world compromises exploit flaws for which a fix already existed. Patching is not limited to the operating system but also covers any application hosted on the server, so administrators should periodically check vendors' websites for updates. Windows Server 2008 offers a set of tools to help administrators update and patch their servers.

  • WSUS: Windows Server Update Services provides a software update service for Microsoft Windows operating systems and other Microsoft software. Using it, administrators can manage the distribution of Microsoft hot fixes and updates released through Automatic Updates to computers in a corporate environment, and track the "update health" of each individual server.
  • MBSA: Microsoft Baseline Security Analyzer is an easy-to-use tool for IT professionals that helps small and medium-sized businesses determine their security state against Microsoft security recommendations and offers specific remediation guidance. Use MBSA to detect common security misconfigurations and missing security updates on your systems.







9. Anti-virus and NAP

Anti-virus software is another crucial step in hardening a server. Windows Server 2008 also offers tools that help combat unauthorized network access and malicious code execution.

Windows Server 2008 includes Network Access Protection (NAP), which helps administrators stop infected or non-compliant machines from spreading malware across the network. NAP uses a set of health policies: non-compliant machines are remediated and, once healthy, are permitted access to the production network.

NAP is a client-server technology that checks whether machines have the latest virus signatures, service packs and security patches. Key functions of a Windows Server 2008 NAP deployment include:

  • Validating machines: the mission of NAP is to preserve the integrity of the network by granting full network access (for example, a routable DHCP lease) only to healthy machines.
  • Restricting network access: computers or servers that don't meet the established policy can be confined to a "quarantine" subnet where the security issues are remediated.
  • Fixing unhealthy machines: NAP can direct hosts to a remediation server where the latest anti-virus signatures and patches are deployed, for instance through SMS packages.




10. Least privilege

The concept of least privilege has been adopted by many of today's industry standards. A hardened server needs all of its access reduced to the bare operational minimum. Many known security breaches are caused by accounts holding more privilege than they need. In particular, server services should not be configured to run under enterprise-wide administrator accounts: a compromised service then hands the attacker those rights on every machine the account can reach. A couple of third-party tools for Windows Server 2008 can help administrators grant or revoke access to specific parts of the server:

  • ScriptLogic Cloak: a product that enhances NTFS by providing increased security, more accurate audits and a vastly streamlined experience for users of the network.
  • PolicyMaker Application Security: an add-on for the Group Policy Management Console (GPMC) that lets administrators adjust application privilege levels to the lowest possible point in order to limit damage from network attacks or user error. Controlling security at such a granular level also helps organizations comply with regulatory mandates such as the Sarbanes-Oxley, HIPAA and Gramm-Leach-Bliley acts.
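The service-account anti-pattern named above can be found without any third-party tool. The following is an added example, not from the original article: it lists the services that run under named accounts rather than the built-in low-privilege identities, then checks whether any of those accounts are members of Domain Admins. The domain name is a placeholder, and the script assumes a domain-joined Windows Server 2008 host (PowerShell 2.0).

```powershell
# Added example (not from the original article): find services running as named accounts and flag any
# whose account is a Domain Admin. Domain name is a placeholder; assumes a domain-joined host.

# Built-in identities that are fine: LocalSystem, NT AUTHORITY\* (LocalService/NetworkService), NT SERVICE\* virtual accounts
$custom = Get-WmiObject Win32_Service |
    Where-Object { $_.StartName -and $_.StartName -notmatch '^(LocalSystem$|NT AUTHORITY\\|NT SERVICE\\)' }
$custom | Select-Object Name, StartName, StartMode, State | Format-Table -AutoSize

# Enumerate Domain Admins through the WinNT ADSI provider (works without the AD module on 2008)
$group        = [ADSI]'WinNT://CORP/Domain Admins,group'
$domainAdmins = @($group.psbase.Invoke('Members')) |
    ForEach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) }

foreach ($svc in $custom) {
    # StartName is either DOMAIN\user or user@domain; reduce both to the bare account name
    $acct = if ($svc.StartName -like '*@*') { $svc.StartName.Split('@')[0] } else { $svc.StartName.Split('\')[-1] }
    if ($domainAdmins -contains $acct) {
        Write-Warning ("Service '{0}' runs as {1}, a Domain Admin. Move it to a dedicated service account with only the rights it needs." -f $svc.Name, $svc.StartName)
    }
}
```

Any service flagged here also has its account's password recoverable by a local administrator of that server (it is stored for the Service Control Manager), so one compromised box becomes a domain compromise.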




In the next post I will go over each feature described here, with a step-by-step guide on how to install and configure:

  • SCW
  • BitLocker
  • NAP
  • Windows Firewall with Advanced Security


Windows 2008R2 Server Hardening Checklist

The hardening checklists are based on the comprehensive checklists produced by CIS. The Information Security Office has distilled the CIS lists down to the most critical steps for your systems, with a particular focus on configuration issues that are unique to the computing environment at The University of Texas at Austin.

How to use the checklist

Print the checklist and check off each item you complete to ensure that you cover the critical steps for securing your server. The Information Security Office uses this checklist during risk assessments as part of the process to verify that servers are secure.

How to read the checklist

Step - The step number in the procedure. If there is a UT Note for this step, the note number corresponds to the step number.
Check (√) - This is for administrators to check off when he/she completes this portion.
To Do - Basic instructions on what to do to harden the respective system.
CIS - Reference number in the Center for Internet Security Windows Server 2008 Benchmark. The CIS document outlines in much greater detail how to complete each step.
UT Note - The UT Note at the bottom of the page provides additional detail about the step for the university computing environment.
Cat I - For systems that include Category-I data, required steps are denoted with the ! symbol. All steps are recommended.
Cat II/III - For systems that include Category-II or -III data, all steps are recommended, and some are required (denoted by the !).
Min Std - This column links to the specific requirement for the university in the Minimum Security Standards for Systems document.

Server Information

MAC Address
IP Address
Machine Name
Asset Tag
Administrator Name
Date
| Step | To Do | CIS | UT Note | Cat I | Cat II/III | Min Std |
|---|---|---|---|---|---|---|
| **Preparation and Installation** | | | | | | |
| 1 | If machine is a new install, protect it from hostile network traffic until the operating system is installed and hardened. | | § | ! | | 5.1 |
| 2 | Consider using the Security Configuration Wizard to assist in hardening the host. | | § | | | |
| **Service Packs and Hotfixes** | | | | | | |
| 3 | Install the latest service packs and hotfixes from Microsoft. | | § | ! | ! | 5.2 |
| 4 | Enable automatic notification of patch availability. | 1.6.1 | § | ! | ! | 5.3 |
| **Auditing and Account Policies** | | | | | | |
| 5 | Configure Audit policy as described. | 1.2 | | ! | | 6.1 |
| 6 | Set minimum password length. | 1.1.4 | § | ! | | |
| 7 | Enable Password Complexity. | 1.1.5 | § | ! | | |
| 8 | Configure event Log Settings. | 1.4 | § | ! | | 6.1 |
| **Security Settings** | | | | | | |
| 9 | Disable anonymous SID/Name translation. (Default) | 1.9.6 | | ! | | |
| 10 | Do not allow Anonymous Enumeration of SAM accounts. (Default) | 1.9.37 | | ! | | 5.5 |
| 11 | Do not allow Anonymous Enumeration of SAM accounts and shares. | 1.9.38 | | ! | | 5.5 |
| 12 | Disable the guest account. (Default) | 1.9.5 | | ! | | 5.12 |
| 13 | Digitally Encrypt or Sign Secure Channel Data (Always). (Default) | 1.9.12 | | | | 5.6 |
| 14 | Digitally Encrypt Secure Channel Data (When Possible). (Default) | 1.9.13 | | ! | | 5.6 |
| 15 | Digitally Sign Secure Channel Data (When Possible). (Default) | 1.9.14 | | ! | | 5.6 |
| 16 | Place the University warning banner in the Message Text for Users Attempting to log on. | 1.9.27-28 | § | ! | | 5.10 |
| 17 | Disable the sending of unencrypted password to connect to Third-Party SMB Servers. (Default) | 1.9.32 | | ! | | 5.6 |
| 18 | Do not allow Everyone permissions to apply to anonymous users. (Default) | 1.9.40 | | ! | | 5.12 |
| 19 | Do not allow any named pipes to be accessed anonymously. | 1.9.41 | | ! | | 5.12 |
| 20 | Restrict anonymous access to Named Pipes and Shares. | 1.9.43 | | ! | | 5.12 |
| 21 | Ensure that no shares can be accessed anonymously. | 1.9.44 | | ! | | 5.12 |
| 22 | Choose "Classic" as the sharing and security model for local accounts. (Default) | 1.9.45 | | ! | | 5.12 |
| 23 | Do not store LAN Manager hash values. | 1.9.46 | | ! | | 5.13 |
| 24 | Set LAN Manager Authentication level to NTLMv2 only. | 1.9.47 | | ! | | 5.13 |
| **Additional Security Protection** | | | | | | |
| 25 | Disable or uninstall unused services. | | | ! | | 5.4 |
| 26 | Disable or delete unused users. | | | ! | | 5.4 |
| 27 | Configure User Rights to be as secure as possible. | 1.81 | § | ! | | |
| 28 | Ensure all volumes are using the NTFS file system. | | § | ! | | |
| 29 | Use the Internet Connection Firewall or other methods to limit connections to the server. | 1.5 | § | ! | | 5.5 |
| 30 | Configure file system permissions. | | § | ! | | |
| 31 | Configure registry permissions. | | § | ! | | |
| **Additional Steps** | | | | | | |
| 32 | Set the system date/time and configure it to synchronize against campus time servers. | | § | ! | | |
| 33 | Install and enable anti-virus software. | | § | ! | ! | 3.1 |
| 34 | Install and enable anti-spyware software. | | § | ! | | 3.2 |
| 35 | Configure anti-virus software to update daily. | | § | ! | | 3.3 |
36Configure anti-spyware software to update daily.§ !3.3
37Configure a screen-saver to lock the console's screen automatically if the host is left unattended.§
38If the machine is not physically secured against unauthorized tampering, set a BIOS/firmware password to prevent alterations in system startup settings.!4.1
39Configure the device boot order to prevent unauthorized booting from alternate media.!4.1
40Systems will provide secure storage for Category-I data as required by confidentiality, integrity, and availability needs. Security can be provided by means such as, but not limited to, encryption, access controls, filesystem audits, physically securing the storage media, or any combination thereof as deemed appropriate.§ !5.7
41Install software to check the integrity of critical operating system files.§ !5.8
42If RDP is utilized, set RDP connection encryption level to high.
Original Post:
§ !5.6 

 

Sunday, August 3, 2014

How To Completely Clean Your Hacked WordPress Installation


WordPress hacker removal spray... use in a well ventilated area.
Getting hacked sucks, plain and simple. It can affect your rankings, cause your readership to be exposed to virus and trojan attacks, make you an unwilling promoter to subject material you may not actually endorse, and in many cases cause the loss of valuable content. However, once it happens it is usually best to not procrastinate on the clean up process, since a speedy restore will most times minimize the damage that was caused.
While almost all sources will recommend that you upgrade your WordPress to the latest version, what the majority neglect to tell you is that in most cases simply doing so will not prevent the attackers from getting back in, even if there are no known exploits with the latest version. The hackers may have left a back door file hidden in a directory where it wouldn’t get overwritten with an upgrade, or inserted code into your theme, or simply created an account that they then granted admin privileges to. Any one of those would allow them back in, even after you patched what was wrong the first time. Therefore I am providing this step by step process on how to completely clean out and restore a WordPress installation that has been hacked.

1. Backup the site and the database.

Even a hacked copy of your blog still probably contains valuable information and files. You don’t want to lose this data if something goes wrong with the cleanup process. Worst case scenario you can just restore things back to their hacked state and start over.

2. Make a copy of any uploaded files, such as images, that are referenced.

Images are generally exempt from posing a security risk, and ones that you uploaded yourself (as opposed to ones included with a theme, for instance) will be harder to track down and replace after things are fixed again. Therefore it is usually a good idea to grab a copy of all the images in your upload folder so as to avoid broken images in posts later. If you have any non-image files that could potentially have been compromised, such as zip files, plugins, or php scripts that you were offering people, then it is a good idea to grab fresh copies of those from the original source.

3. Download a fresh version of WP, all of the plugins you need, and a clean template.

Using the WordPress automatic upgrade plugin does make it easier to upgrade every time a new version comes out. However, it only replaces WordPress specific files, and does not delete obsolete ones. It also leaves your current themes and plugins in place, as is. This means that if used to upgrade a blog that has already been compromised, it can very well leave the attackers a way back in. It is best to start over from scratch as far as the files portion of your installation goes. Note that if you use the EasyWP WordPress Installer script that I wrote it saves you from having to download, unzip, and then upload all of the core WordPress files, although you will still need to grab fresh copies of the themes and plugins that you want to use.

4. Delete all of the files and folders in the WP directory, either through FTP (slower) or through cPanel’s File Manager (faster).

Now that you have fresh copies of all the files you need, and copied all of your uploaded images, completely delete the entire directory structure your blog is in. This is the only surefire way to completely remove all possibly infected files. You can do this through FTP, but due to the way that FTP handles folder deletion (i.e. it walks the directory structure, stores each and every file name that needs to be deleted, and then sends a delete command for each one), this can be slow and in some instances cause you to get disconnected due to flooding the server with FTP commands. If available, it is much faster to do this through either cPanel’s File Manager, or via command line if you happen to have shell access.

5. Re-upload the new fresh copies you just grabbed.

This step should be self-explanatory, but I would like to mention that if your FTP client supports it (I use FileZilla, which does) and your host allows it, then increasing the number of simultaneous connections you use to upload can greatly reduce your overall transfer time, especially on servers or ISPs where latency is more of an issue than bandwidth. In FileZilla this setting is found by going to “Edit -> Settings -> File transfer settings”:
FileZilla settings panel
Also, if not using the EasyWP WordPress Installer script, don’t forget to edit and rename your wp-config.php file (when freshly unzipped this is named wp-config-sample.php).

6. Run the database upgrade (point your browser at /wp-admin/upgrade.php).

This will make any necessary changes to your database structure to support the newest version of WordPress.

7. Immediately change your admin password.

If you have more than one admin (meaning any user with editing capabilities), and cannot get the others to change their passwords right then, I would change their user levels until they can change their passwords as well. If there is anyone in your user list that has editing capabilities, and you do not recognize them, it’s probably best to just delete them altogether. If changing passwords is something you hate doing, then maybe my new memorable password generator can make that a little less stressful for you. :D

8. Go through the posts and repair any damage in the posts themselves.

Delete any links or iframes that were inserted, and restore any lost content. Google and Yahoo’s caches are often a good source of what used to be there if anything got overwritten. The following query run against the database can help you isolate which posts you want to look at:
SELECT * FROM wp_posts WHERE post_content LIKE '%<iframe%'
UNION
SELECT * FROM wp_posts WHERE post_content LIKE '%<noscript%'
UNION
SELECT * FROM wp_posts WHERE post_content LIKE '%display:%'
If you did not change the default prefix for WordPress tables, then you can copy and paste that directly into a query window and run it, and it should pull up any posts that have been modified to hide content using any of the methods I have come across so far (iframes, noscript tags, and display:none style attributes). To get to a query window in cPanel, you would click on the MySQL® Databases icon, scroll to the bottom of the page, and then click on phpMyAdmin. Once the new window or tab opens, you would click on the database in the left hand side that your blog was in, and then in the right side at the top click on the SQL tab. Then just paste the query into the large text area and hit the Go button.
Note, however, that there may be other types of injected content that I haven’t seen yet, and that a manual inspection looking for the types of patterns that first alerted you to the fact that your blog was hacked is always a good idea.
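The checks from steps 7 and 8 (unrecognized privileged users, and posts carrying iframe, noscript or display: injections) as an added example that is not part of the original post; it works on rows exported from wp_users and wp_posts rather than querying the database, and it generalizes the query slightly by tolerating whitespace in "display :" and by returning the text around each hit. The sample rows, the role names and the known-login list are constructed here.

```python
import re

# Same three patterns as the SQL query in the post, matched case-insensitively
# (MySQL LIKE with the default collation is case-insensitive too).
INJECTION_PATTERNS = {
    "iframe": re.compile(r"<iframe", re.IGNORECASE),
    "noscript": re.compile(r"<noscript", re.IGNORECASE),
    "display_style": re.compile(r"display\s*:", re.IGNORECASE),
}


def find_injected_posts(posts, context=40):
    """Return {post_id: [(pattern_name, snippet), ...]} for posts matching any pattern.

    `posts` is a list of dicts with the wp_posts columns ID and post_content
    (for example, exported from phpMyAdmin). The snippet is the matched text
    plus `context` characters on either side so a reviewer can judge it quickly.
    """
    hits = {}
    for post in posts:
        content = post["post_content"]
        for name, pattern in INJECTION_PATTERNS.items():
            for m in pattern.finditer(content):
                start, end = max(0, m.start() - context), min(len(content), m.end() + context)
                hits.setdefault(post["ID"], []).append((name, content[start:end]))
    return hits


def find_unrecognized_privileged_users(users, known_logins, privileged_roles=("administrator", "editor")):
    """Step 7 check: logins holding an editing-capable role that are not on your known list."""
    return sorted(u["user_login"] for u in users
                  if u["role"] in privileged_roles and u["user_login"] not in known_logins)


# Constructed sample rows standing in for wp_posts and wp_users exports.
SAMPLE_POSTS = [
    {"ID": 1, "post_content": "<p>A normal post with nothing hidden.</p>"},
    {"ID": 2, "post_content": '<p>Hello</p><div style="display:none"><a href="http://example.invalid/">x</a></div>'},
    {"ID": 3, "post_content": '<p>Intro</p><IFRAME src="http://example.invalid/" width=1 height=1></IFRAME>'},
]
SAMPLE_USERS = [
    {"user_login": "alice", "role": "administrator"},
    {"user_login": "bob", "role": "subscriber"},
    {"user_login": "wp_backup", "role": "administrator"},  # constructed: not on the known list
]

if __name__ == "__main__":
    for post_id, findings in find_injected_posts(SAMPLE_POSTS).items():
        for name, snippet in findings:
            print(f"post {post_id}: {name}: {snippet!r}")
    print("unrecognized privileged users:", find_unrecognized_privileged_users(SAMPLE_USERS, {"alice"}))
```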

UPDATE: 9. (still valid in 2014) If you are having issues cleaning the installation yourself

When I wrote this post back in 2008 I intended it to be a do it yourself guide for the non-techie. However, I do realize that some people would still rather a professional programmer perform many of the steps I outlined here. If anyone has had their WordPress installation hacked, and either is uncomfortable attempting to clean it on their own, or has tried to do so with no success, I am available on a case by case basis. Most cleanings can be performed in about one hour, two at the most. The time can vary depending on the size of the blog, the amount of customization to the original theme, and the number of plugins installed. Feel free to contact me here if you feel like you could benefit from my help. Please include the site and any details that you think might be relevant (pro theme, anything you may have tried on your own, etc.) in the contact form.

UPDATE #2: 10. A note on hosting.

This past year (2010) has seen multiple waves of attacks on people’s websites that happened not due to insecurities within the WordPress platform itself, as has historically been the issue, but rather due to vulnerabilities with the actual hosts. Some of the bigger names that were hit include GoDaddy, Rackspace Cloud, MediaTemple, and Network Solutions, for instance. It is very important that you use a host that is not only well versed in security, but one that is stable and has knowledgeable tech support as well.
My personal recommendation for shared hosting is Hostgator. It is where this blog and many other sites of mine are currently hosted. Yes, that is an aff. link, but I would recommend them even if it wasn’t. For a dedicated solution that is both affordable and robust I use The Planet, which is where I host Bad Neighborhood. Both companies are ones that I have been using for years without issues, and that I do recommend to my own clients when they find themselves dissatisfied with their current hosts. If you were hacked, and your WordPress was up to date when it happened, then a change of hosts is something you should consider looking into.

Original Post: