CSED 431 Week 8

CSED 431 Week 8 -- March 22

Networking
State exam

Viruses

Spyware Protect 2009

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Win32%2fFakeSpypro

It appears to be quite effective at installing itself as an ordinary user. It is able to:

provide an endless stream of popup windows advising you that your computer is infected
provide an endless stream of firefox windows that appear to be virus-related
block the execution of other programs with the warning
Windows has determined that the file ***.exe is infected, and has blocked execution
I am not sure at what level this is done.
Survive logon/logoff and reboots, by making user-specific registry entries to restart itself

How can you tell when a virus is running as an ordinary user?

One big clue is that only some accounts are infected. If an administrative (power user) account is infected, the whole system is compromised.

What can you do about it?

One strategy is to delete the account, create a new account to replace it, and change the ownership on all the files. This has the effect zapping the registry entries for the afflicted account.

Julie Amero case

On October 19, 2004: Amero was a substitute teacher (7th grade) at Kelly Middle School, Connecticut. At some point early in the school day, the teachers' desk computer starts displaying an onstoppable stream of pornographic web pages. Clicking the close button on one simply brings up others. This is by now a well-known java-script vulnerability.

Amero had been told never to disturb anything in the classroom, and in particular not to turn the computer off. So she didn't. She had apparently no idea how to turn off just the monitor. She spent much of her day at her desk, trying to fix the problem by closing windows.

Someone apparently decided that she was actively surfing porn. Within two days, she was told she couldn't substitute at that school; she was arrested shortly thereafter.

Amero had complained to other teachers later that day. Why she didn't demand that something be done during the lunch hour is not clear. Why she didn't tape something over the screen is not clear. Amero claimed that two kids used the computer before the start of class, at a hairstyles site, but others claimed that could not have happened because it was not allowed.

It later turned out that the school's content-filter subscription had lapsed, and so the filter was out of date. Also, the computer had several viruses or "spyware" programs installed. In retrospect, some sort of javascript attack seems to have been the proximate cause.

In January 2007, she was convicted of impairing the morals of a child. This was despite computer-forensic evidence that a hairstyles site triggered a scripting attack that led to the Russian porn sites.

The prosecutor's closing arguments hinged on the idea that some of the links in question had "turned red", thus "proving" that they had been clicked on (ie deliberately by Amero) rather than having been activated via scripting. This is false at several levels: link colors for followed links can be any color at the discretion of the page, and if a page has been opened via a script, links to it are indistinguishable from links that were clicked on.

In June 2007 Amero was granted a new trial, and in November 2008 she pleaded guilty to a misdemeanor disorderly conduct charge and forfeited her teaching credentials.

Amero's failure to regard the computer problem as an emergency probably contributed to her situation.

Wireless

General view

iwlist wlan0 scan

A "station" (that is, a wireless computer) must associate with an access point before any traffic can flow! This is sort of a software equivalent of plugging in, except that you have to be in range (I guess you have to be in range to plug into a wire too).

What about using wireless networks for a classroom lab? There are a few problems:

Wireless networks tend to get "stuck" much more regularly than wired, necessitating administrative maintenance.
On many computers, connecting to the wireless network is an active step that must be taken after each reboot.
Wireless networks have problems when everyone accesses something at the same time (even more than wired).

Windows Server 2008

Previous configuration
How do we get DHCP working?
I have not figured out what the problem was. We were getting the status page, with no options for adding "scopes".

Disabling CNTL-ALT-DEL
    Control Panel => Admin Tools => Local Security Policy => Local Policies => Security Options
    => Interactive Logon: Do not require CNTL+ALT+DEL

Routing problem

Configuration:
    Choose configuration/enable
    Custom
    => LAN

After all this was done, DNS worked just fine. Nothing else did. I eventually figured out how to turn off Windows Firewall with Advanced Protection. But that wasn't the problem either! The problem was the linux firewall left over from our virus lab.

Note that Windows is really big on enforcing password rules. There are standard account rules, and there are also rules forbidding shared folders except by accounts with passwords. The latter rules have their place, but make it difficult to make some folders "public" to all.

Roles

Adding Roles
Managing Roles

Adding Active Directory Domain Services role

First add the role
Then do the ADDS Installation Wizard

new domain in new forest
domain name: csed.cs.luc.edu
Accept dynamic IP address (10.0.5.2) for link to outside. It's a "reserved" DHCP entry, so it's ok.
Accept other problem
Restore password: make one up. I used "snorri".
Try running wireshark while DNS is configuring itself, to watch for queries.
problem with credentials: the "owner" account isn't necessarily a member of the Domain Admins group.

Once you are a domain, you can run the tools
    Active Directory Computers & Users
    Active Directory Sites & ..
    Group Policy thingie

All these are in Administrative Tools.

Mandatory profiles:
http://support.microsoft.com/kb/307800

Lab

Log into winser08.

Verify that the following roles are working:

Network Policy and Access Services
DHCP

The network diagram you are heading for is as follows:

        +-----------------------------------------------------------+
        |                        laptop                             |
        |       +---------+                                         |
       10.0.5.1 |         | 10.11.12.1    10.11.12.0/24           |
        |-------| winser8 |--------------+-----------------+    |
        |       |         |        |                 |        |
        |       +---------+            |                 |        |
        |    10.0.5.5            win1              win2       |
        |                                                           |
        +-----------------------------------------------------------+

Verify that win1/win2 are able to get to the internet (using winser08 as a router).

1. Change the configuration on winser08 so that CNTL+ALT+DEL is not needed.

2. Make sure the "machine name" of winser08 is actually that; change it with the control panel if necessary. It was winser08-pld on some machines. Change it now before you're stuck.

3. Enable the role Active Directory Domain Services. You will also have to enable the DNS role. Ignore the DNS errors, or else use 147.126.68.1 as the referring DNS server.

4. Activate things to make your server a domain controller

5. You will now have to authorize DHCP. Do it.

6. Use the Group Policy thing to change the domain password policy to 4 chars, no complexity.

8. Have win1 or win2 join your newly formed domain.

9. Add some users using the domain controller, and use those accounts to log into win1/win2.