Reestablishing Trust Between a Workstation and Domain When the Local Administrator account is Disabled

Disclaimer: Circumventing Windows security should NOT be taken lightly, and should only be done by an authorized person as a last resort in the course of recovery or repair. Mumbo jumbo aside, remember that YOU ALONE are responsible for your own actions, so be sure that you know what you’re doing before making any changes!

From time to time, a workstation (usually a laptop) becomes disjoined from your domain, and starts throwing the following error:

"The trust relationship between this workstation and the primary domain failed."

When this happens, any attempt to log in using a domain user account will fail. The traditional fix goes something like this:

  1. Log in using a local Administrator account
  2. Swap the domain membership to a workgroup (e.g. TEMP)
  3. Reboot and log back in (local Administrator account)
  4. Change the workgroup back to the domain (you’ll need a domain account with rights to join computers to it)
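The traditional fix above as a script, added here as an example and not part of the original post. It puts two cheaper checks in front of the workgroup round-trip: Test-ComputerSecureChannel confirms the channel is really broken, and Test-ComputerSecureChannel -Repair resets the machine account password in place, which usually fixes the error without a reboot. The domain name is a placeholder, $cred must be an account allowed to join computers to the domain, and the -WorkgroupName/-Restart parameters assume PowerShell 3.0 or later. Run it from an elevated prompt while logged on as the local Administrator.

```powershell
# Added example, not from the original post. Placeholder domain and credentials.
$domain = 'corp.example.com'
$cred   = Get-Credential -Message "Account with rights to join $domain"

# 1. Is the secure channel really broken? This asks a domain controller to
#    verify the machine account password.
if (Test-ComputerSecureChannel) {
    Write-Host 'Secure channel is healthy; no rejoin needed.'
    return
}

# 2. Cheapest repair: reset the machine account password in place.
#    No reboot and no workgroup round-trip.
if (Test-ComputerSecureChannel -Repair -Credential $cred) {
    Write-Host 'Secure channel repaired in place.'
    return
}

# 3. The workgroup-and-back method from the post. This reboots the machine,
#    so the rejoin (step 4) is a separate command run after logging back in.
Remove-Computer -UnjoinDomainCredential $cred -WorkgroupName 'TEMP' -Force -Restart

# 4. After the reboot, logged on as the local Administrator again:
# Add-Computer -DomainName $domain -Credential $cred -Restart

# 5. Once domain logons work, put the local Administrator account back the way
#    it was: a fresh password, then disabled again if it was disabled before.
# net user Administrator <new-password>
# net user Administrator /active:no
```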

But what if the local Administrator account is disabled, you’ve forgotten the password, or someone changed it? That’s where Hiren’s Boot CD comes in!

If you’re not familiar with Hiren’s Boot CD, you’re missing out on a wealth of tools that can help you recover data, clear viruses and even reset passwords! In this scenario, we’re going to use the Offline NT Password Changer (chntpw), which edits the SAM hive directly on the disk while Windows is not running.

  1. Insert Hiren’s Boot CD and boot from your optical drive
  2. Navigate to the Offline NT/2000/XP/Vista/7 Password Changer
  3. Next, select the partition where Windows is installed (usually C:\)
  4. Verify that you’re using the correct Registry Path (usually Windows/system32/config)
  5. At this point, you can elect to enable disabled accounts (if the local Administrator account is disabled) and/or change the password. In either case, you’ll need to enter the username you’d like to edit; I would recommend a built-in account (e.g. Administrator). Blanking the password is the safer choice (the tool itself says so), and you can set a proper one once you’re logged in.
  6. When done, quit the user editor (!), quit the main menu (q) and answer y when asked whether to write the changes back to the hive
  7. Remove Hiren’s Boot CD and reboot

Two things worth remembering once you’re back in: set a fresh password on whatever account you enabled, and disable it again if it was disabled before. And note why this worked at all: the disk was unencrypted, so anyone with physical access and a boot CD could have done the same. Full-disk encryption (BitLocker) and a firmware boot-order password are what stand between a lost laptop and this exact procedure.

I hope this helps someone! Feel free to post your comments or questions.

Further reading:

http://www.hirensbootcd.org
http://www.hiren.info

Adventures in Spam Land: Phishing Attempt Allegedly From “IRS.com”

Legal Disclaimer:
The article below describes my attempts to understand the origin of a fraud attempt made against my organization this morning. The article is not meant to defame any legitimate businesses whose domains may have been spoofed by a third party.

This article is for information/entertainment purposes only, and is provided “as is” without warranty of any kind! Any links or references to external sites are publicly available and provided solely for the convenience of the reader.

All third party content in this article is property of its respective copyright holders. I am not affiliated with any of the sites linked, and make no guarantees or warranties pertaining to these sites or their contents.

It’s tax season again, and for information security professionals, it means a whole slew of new phishing and identity theft attempts!

This morning, “webmaster@irs.com” sent 13 emails to my organization to advise the recipients that our tax appeal was rejected. Of those attempts, 3 got through before the Bayesian spam filter kicked in and blocked the rest.

Dear business tax payer, 

Hereby you are informed that your Tax Return Appeal id#0565677 has been DECLINED.  If you believe the IRS did not properly assess your case due to a misunderstanding of the situation, be ready to clarify and support your position. You can access the rejection report and re-submit your appeal by using the following link Online Tax Appeal [link omitted].

Internal Revenue Service

Telephone Assistance for Businesses:

Toll-Free, 1-800-XXX-XXXX
Hours of Operation: Monday – Friday, 7:00 a.m. – 7:00 p.m. your local time (Alaska & Hawaii follow Pacific Time).

Just for fun, I decided to see how far down the rabbit hole leads:

Source IP: 87.120.210.83 (Host in Bulgaria)
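How a source IP like the one above is normally pulled out of a message, as an added example that is not part of the original post: the script walks the Received chain from the earliest hop up to the first one stamped by our own mail server, takes the IP that hop received the message from (anything below it was written by the sender and can be forged), and then checks that IP against the sender domain’s SPF record. The header block, the example.org server names and the SPF record are all constructed for illustration; look up the real TXT record (Resolve-DnsName -Name <domain> -Type TXT on Windows 8 / Server 2012 and later) before drawing conclusions about a real message. [pscustomobject] needs PowerShell 3.0 or later.

```powershell
# Added example, not from the original post. All input data below is constructed.

function ConvertTo-UInt32 {
    param([string]$Ip)
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)   # network byte order -> little-endian for BitConverter
    [BitConverter]::ToUInt32($bytes, 0)
}

function Test-IPv4InCidr {
    param([string]$Ip, [string]$Cidr)
    $net, $bits = $Cidr -split '/'
    if (-not $bits) { $bits = '32' }
    # /24 -> 0xFFFFFF00 and so on, computed without shift operators
    $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$bits))
    ((ConvertTo-UInt32 $Ip) -band $mask) -eq ((ConvertTo-UInt32 $net) -band $mask)
}

function Get-OriginatingIp {
    param([string]$RawHeaders, [string]$OurDomain)
    # Unfold RFC 5322 continuation lines so each header is one string.
    $headers = New-Object System.Collections.Generic.List[string]
    foreach ($line in ($RawHeaders -split "`r?`n")) {
        if ($line -match '^\s' -and $headers.Count -gt 0) {
            $headers[$headers.Count - 1] += ' ' + $line.Trim()
        } else { $headers.Add($line) }
    }
    # Each hop prepends its Received header, so the last one is the earliest.
    # Walk upward from the earliest hop and stop at the first one written by
    # one of our own servers; the address it received from is the true origin.
    $received = @($headers | Where-Object { $_ -match '^Received:' })
    [Array]::Reverse($received)
    foreach ($hop in $received) {
        if ($hop -match '\bby\s+(\S+)' -and
            ($Matches[1] -eq $OurDomain -or $Matches[1] -like "*.$OurDomain")) {
            if ($hop -match '\[(\d{1,3}(?:\.\d{1,3}){3})\]') { return $Matches[1] }
        }
    }
    return $null
}

function Get-SpfResult {
    param([string]$Ip, [string]$Record)
    if ($Record -notmatch '^v=spf1(\s|$)') { return 'none' }
    foreach ($term in ($Record -split '\s+' | Select-Object -Skip 1)) {
        $qualifier = '+'
        if ($term -match '^[-+~?]') { $qualifier = $term.Substring(0, 1); $term = $term.Substring(1) }
        $verdict = switch ($qualifier) { '+' { 'pass' } '-' { 'fail' } '~' { 'softfail' } '?' { 'neutral' } }
        if ($term -eq 'all') { return $verdict }
        if ($term -like 'ip4:*' -and (Test-IPv4InCidr -Ip $Ip -Cidr $term.Substring(4))) { return $verdict }
        # a, mx, include:, exists: and ptr need DNS lookups and are skipped in this offline example.
    }
    return 'neutral'   # nothing matched and no "all" term
}

# Constructed headers: our MTA mx1.example.org received the message from 87.120.210.83.
$rawHeaders = @'
Received: from mx1.example.org (mx1.example.org [198.51.100.10])
    by mail.example.org with ESMTP id 1A2B3C; Tue, 12 Mar 2013 09:14:02 -0500
Received: from irs.com (unknown [87.120.210.83])
    by mx1.example.org with ESMTP id 4D5E6F; Tue, 12 Mar 2013 09:14:01 -0500
From: "Internal Revenue Service" <webmaster@irs.com>
Subject: Your Tax Return Appeal has been DECLINED
'@
$spfRecord = 'v=spf1 ip4:203.0.113.0/24 -all'   # CONSTRUCTED record, not the domain's real one

$origin     = Get-OriginatingIp -RawHeaders $rawHeaders -OurDomain 'example.org'
$fromDomain = if ($rawHeaders -match '(?m)^From:.*@([\w.-]+)>') { $Matches[1] } else { 'unknown' }
[pscustomobject]@{
    FromDomain = $fromDomain
    OriginIp   = $origin
    SpfResult  = Get-SpfResult -Ip $origin -Record $spfRecord   # fail: not inside 203.0.113.0/24
}
```

With the constructed data the result is OriginIp 87.120.210.83 and SpfResult fail, which is the verdict a receiving filter would have reached if the domain published a record ending in -all; the 3 messages that got through did so because Bayesian filtering learns from content, not from the sending host.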

Domain Registrar Information for irs.com:

Registration Service Provided By:
DOTTED VENTURES
Contact: +1.4159629700
Website: http://www.dottedventures.com
Domain Name: IRS.COM

Registrant:
Banks.com
222 Kearny Street, Suite 550
San Francisco, CA, 94108
Tel. +415.9629700
Creation Date: 28-Jan-1999
Expiration Date: 04-Dec-2014


Domain servers in listed order:
ns10.dnsmadeeasy.com
ns11.dnsmadeeasy.com
ns12.dnsmadeeasy.com
ns13.dnsmadeeasy.com
ns14.dnsmadeeasy.com
ns15.dnsmadeeasy.com

Administrative Contact:
Banks.com
222 Kearny Street, Suite 550
San Francisco, CA, 94108
Tel. +415.9629700
Creation Date: 28-Jan-1999
Expiration Date: 04-Dec-2014

Billing Contact:
Banks.com
222 Kearny Street, Suite 550
San Francisco, CA, 94108
Tel. +415.9629700
Creation Date: 28-Jan-1999
Expiration Date: 04-Dec-2014

As it turns out, irs.com is an HTTP redirect to banks.com/taxes.

At the very bottom of the page, they made it a point to put in the following disclaimer:

“This site is in no way associated with or endorsed by the United States Treasury Department or the Internal Revenue Service.”

Instead of putting it in plain text, it was actually an image with the ALT text description, “Disclaimer.” The only reason I can think of that someone would want to do that is to omit it from search engine spidering, but I would be hard pressed to think of a legitimate reason why a business would try to obfuscate the contents of a disclaimer like that!

There’s also a Better Business Bureau logo at the bottom. I went to bbb.org expecting to find a slew of fraud complaints. Instead, I found that they’ve actually got an A+ rating!

Questionable SEO choices notwithstanding, I won’t speculate further on the legitimacy of Banks.com, Inc, but I will contact the proper authorities (the IRS) and let them sort it out.

Next steps:

The best thing to do with an email claiming to be from the IRS is to forward it to phishing@irs.gov. The IRS’ information security team will review it and take further action from there. 

Disabling SSL v2 in Server 2008 x64 and Server 2008 R2

Disclaimer: Always back up your registry prior to making changes!

Incorrect entries can cause unexpected behavior, and may even render your operating system unusable! I disclaim any responsibility for damages, loss of data or any other issues resulting from registry changes.

While this worked for me, every environment is different, so use this at your own risk!

I recently assisted a client with getting a Windows Server 2008 R2 machine in compliance with Payment Card Industry (PCI) standards.

PCI compliance is very important for eCommerce sites and anyone handling credit card information.

We used a 3rd party testing tool that scanned for open ports, SSL version support, as well as allowed encryption/cipher combinations. The first few tests failed due to SSL 2.0 support in Server 2008 R2/IIS7.5.

I found an article on Microsoft’s support site which describes how to disable the SSL/TLS protocol versions that Schannel will negotiate by modifying the registry (this is a system-wide Schannel setting, which is why IIS Manager has no control for it):

http://support.microsoft.com/kb/187498

Here’s where it gets confusing. I followed the instructions and browsed to:

HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

As the article points out, the “SSL 1.0,” “SSL 2.0,” “SSL 3.0” subkeys are typically there. Note the use of the word Typically rather than Always, meaning that sometimes they’re bloody well NOT there, as was the case with my server!

The article goes on to say, “create a new DWORD value in the server subkey of the protocol.” I have a big problem with this phrasing given the ubiquity of the word “Server.” The instructions do not explicitly tell you to create a new subkey under “SSL 2.0” called “Server” and to place the DWORD in there, so naturally, I wrongly assumed that the DWORD went in “SSL 2.0” instead, which didn’t work.

After a little digging, I came across another post on the IIS.net forums by a user named Pawel Dolny who did a much better job of explaining things:

http://forums.iis.net/p/1151822/1879690.aspx

When you follow his article, be sure to create subkeys called “Server” and “Client” under each of the SSL protocol keys, then add a DWORD in each called “Enabled” with a value of 0 to disable the protocol (or 1 to enable it, which at the time was the case for SSL 3.0). The “Server” value controls what IIS offers to connecting clients; the “Client” value controls what the server itself will use for outbound connections. Note that the advice on SSL 3.0 has since changed: it was broken by the POODLE attack in 2014 and PCI DSS now prohibits it together with early TLS, so treat it exactly like SSL 2.0.

He also covers enabling/disabling ciphers. Once you’ve rebooted, you can test your site to verify the changes:

https://www.wormly.com/test_ssl
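The same registry change as a script, added as an example and not taken from the post, the KB article or the forum thread. Set-SchannelProtocol creates the Server and Client subkeys (they are often missing, as the post found), writes Enabled=0 and also DisabledByDefault=1, the second Schannel value that keeps a protocol off for callers that do not name one explicitly; Get-SchannelProtocolState reads the result back so the change can be verified before the reboot that is still required. Run from an elevated prompt; the TLS entries in the state table are listed for completeness and are not changed.

```powershell
# Added example, not from the original post. Requires an elevated prompt and a reboot afterwards.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory=$true)][string]$Protocol,   # e.g. 'SSL 2.0'
        [Parameter(Mandatory=$true)][bool]$Enabled
    )
    $enabledValue = if ($Enabled) { 1 } else { 0 }
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path $base "$Protocol\$side"
        # The protocol and side subkeys frequently do not exist; create them first.
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled=0 turns the protocol off; DisabledByDefault=1 keeps it off for
        # callers that do not request a specific protocol.
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord -Value $enabledValue -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Value (1 - $enabledValue) -Force | Out-Null
    }
}

function Get-SchannelProtocolState {
    # One row per protocol and side showing the values actually in the registry.
    foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($side in 'Server', 'Client') {
            $key   = Join-Path $base "$proto\$side"
            $props = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
            $enabled  = if ($props -and $props.PSObject.Properties['Enabled']) { $props.Enabled } else { '(not set)' }
            $disabled = if ($props -and $props.PSObject.Properties['DisabledByDefault']) { $props.DisabledByDefault } else { '(not set)' }
            [pscustomobject]@{ Protocol = $proto; Side = $side; Enabled = $enabled; DisabledByDefault = $disabled }
        }
    }
}

Set-SchannelProtocol -Protocol 'SSL 2.0' -Enabled $false
Set-SchannelProtocol -Protocol 'SSL 3.0' -Enabled $false
Get-SchannelProtocolState | Format-Table -AutoSize
```

After the reboot, an independent check from another machine is worth more than the registry readout: nmap -p 443 --script ssl-enum-ciphers <host> lists every protocol version and cipher the server still accepts.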

I hope this helps someone!

Chess is a Great Teacher: Life Lessons from Chess Grandmaster Henrik Danielsen

Note 10/30/2018: This post refers to a series of over 100 internet blitz games recorded and published by Henrik Danielsen. While his channel was lost due to his email account being hacked, I elected to republish the original post for posterity.

I discovered Mr. Danielsen’s work on his YouTube channel. His self-styled variant of the Bird’s Opening called the “Polar Bear System” is very interesting to watch, but perhaps more interesting for me was his live-game commentary.

So what does Chess have to do with IT Management? More than you might think! Understanding how components work together, making the most of strengths and weaknesses, planning ahead, perseverance in the face of adversity, execution and timing are all critical in the IT field, but also happen to be central themes in Chess!

In the process of watching his games, I collected little snippets of wisdom he imparts along the way. Amazingly, he does this while playing Live opponents in Blitz games (3 minute timer)!

Here are some of my favorites:

“Every young child is elastic, so keep your position elastic!”  (Live Blitz #106)

Are you keeping an open mind when it comes to evaluating new technologies? Is your production network capable of scaling to meet the demands of future growth, even if it grows quicker than what you’d originally anticipated? The most important thing to remember about change is that it’s going to happen, with or without you; either learn to adapt or be left behind!

“If you know where you’re going, you can get there very fast.” (Paraphrased in many of his Live Blitz games)

No matter what you do to prevent them, problems will occur. Knowing your way around your management tools and network is the key to solving issues quickly!

“Everything has its own Rhythm…try to use the Rhythms that are successful.” (Live Blitz #51)

To me, this speaks to the importance of forming good habits, whether that’s maintaining a healthy work/life balance, continual professional growth and learning, or proactively managing your infrastructure (checking backups, testing fail-over capability, keeping up with documentation, etc.).

“..It’s like you have to keep the pillow in front of his face and not let him breathe.” (Hunting with the Polar Bear #2)

This one’s a bit sadistic, but a touch humorous as well, so I just had to throw it in :). The point he’s trying to get across is that you can’t let up when you’ve got your objective on the run!

“…remember our thoughts and our feelings are creating our reality, so you better think big, and you better be positive about your life.” (Live Blitz #81-82)

Set realistic stretch goals, determine what steps you’ll need to take to achieve them, then set a timeline for completion. Most importantly, stay positive!

Retrieving a copy of all Emails Sent To or Received From a Specific Domain in Exchange 2007

I recently received a request to locate and copy every email sent to or received from a specific domain. Exchange 2010 has built-in litigation hold and compliance management tools that could do this for you, and I even found a VB script for Exchange 2003, but there was not much information out there for Exchange 2007.

Here’s what I did…

Step 1: Ensure that your account has FullAccess permission on every mailbox in the Exchange database by running this command in the Exchange Management Shell. Two caveats: Get-Mailbox returns at most 1000 results unless you add -ResultSize Unlimited, and this grant gives your account the contents of every mailbox, so remove it again with Remove-MailboxPermission once the export is done.

Get-Mailbox -Database "[Database Name]" -ResultSize Unlimited | Add-MailboxPermission -User [Your Admin Account] -AccessRights FullAccess -InheritanceType All

Step 2: This hefty cmdlet tells Exchange to search every mailbox in the database for messages received from the domain, excluding the target mailbox, since a mailbox can’t be exported into itself:

Get-Mailbox -Database "[Database Name]" -ResultSize Unlimited |?{$_.Name -ne '[Username of the Target Mailbox]'} | Export-Mailbox -TargetMailbox [Username of the Target Mailbox] -TargetFolder [Name of Folder] -SenderKeywords:'*[domain name]'

Step 3: The last command does the same as the above, but looks for any emails sent to the domain:

Get-Mailbox -Database "[Database Name]" -ResultSize Unlimited |?{$_.Name -ne '[Username of the Target Mailbox]'} | Export-Mailbox -TargetMailbox [Username of the Target Mailbox] -TargetFolder [Name of Folder] -RecipientKeywords:'*[domain name]'

Once done, you can open the target mailbox in Outlook and save it to a PST. So there you have it!
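The three steps above wrapped into one function, added as an example and not the original post’s commands. The point of the wrapper is that the FullAccess grant exists only for the duration of the search: it is added in a try block and revoked in the finally block, so the blanket permission does not outlive the request even if an export fails part-way, and the whole thing supports -WhatIf/-Confirm. The parameter values in the usage line are placeholders; an Exchange 2007 database is addressed as "Server\StorageGroup\Database", and the target mailbox is filtered on its alias rather than the display name the post uses. Run from the Exchange Management Shell.

```powershell
# Added example, not from the original post. Placeholder names throughout.
function Export-DomainMail {
    [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='High')]
    param(
        [Parameter(Mandatory=$true)][string]$Database,        # "Server\StorageGroup\Database"
        [Parameter(Mandatory=$true)][string]$Domain,          # e.g. example.com
        [Parameter(Mandatory=$true)][string]$TargetMailbox,   # alias of the collection mailbox
        [Parameter(Mandatory=$true)][string]$AdminAccount,    # account running the export
        [string]$TargetFolder = "Discovery-$Domain"
    )
    # -ResultSize Unlimited: Get-Mailbox silently stops at 1000 mailboxes otherwise.
    # The target mailbox is excluded because a mailbox cannot be exported into itself.
    $sources = @(Get-Mailbox -Database $Database -ResultSize Unlimited |
                 Where-Object { $_.Alias -ne $TargetMailbox })

    $action = "Export mail to/from $Domain into $TargetMailbox\$TargetFolder"
    if (-not $PSCmdlet.ShouldProcess("$($sources.Count) mailboxes in $Database", $action)) { return }

    $exportArgs = @{ TargetMailbox = $TargetMailbox; TargetFolder = $TargetFolder; Confirm = $false }
    try {
        # Temporary blanket grant, scoped to the mailboxes actually being searched.
        foreach ($mbx in $sources) {
            Add-MailboxPermission -Identity $mbx -User $AdminAccount -AccessRights FullAccess -InheritanceType All | Out-Null
        }
        # Received from the domain, then sent to the domain. Export-Mailbox creates
        # one subfolder per source mailbox under $TargetFolder.
        $sources | Export-Mailbox @exportArgs -SenderKeywords "*$Domain"
        $sources | Export-Mailbox @exportArgs -RecipientKeywords "*$Domain"
    }
    finally {
        # Always revoke the grant, even if an export threw part-way through.
        foreach ($mbx in $sources) {
            Remove-MailboxPermission -Identity $mbx -User $AdminAccount -AccessRights FullAccess -InheritanceType All -Confirm:$false | Out-Null
        }
    }
}

# Usage (placeholders):
# Export-DomainMail -Database 'EX01\First Storage Group\Mailbox Database' -Domain 'example.com' -TargetMailbox 'discovery' -AdminAccount 'CONTOSO\exadmin'
```

Running it with -WhatIf first shows how many mailboxes will be touched without granting anything, which is the number you want in the ticket before a search of this scope starts.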