CSED 431 Week 8 -- March 22
Networking
State exam
Viruses
Spyware Protect 2009
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Win32%2fFakeSpypro
It appears to be quite effective at installing itself as an ordinary user. It is able to:
- provide an endless stream of popup windows advising you that your computer is infected
- provide an endless stream of firefox windows that appear to be virus-related
- block the execution of other programs with the warning "Windows has determined that the file ***.exe is infected, and has blocked execution". I am not sure at what level this is done.
- Survive logon/logoff and reboots, by making user-specific registry entries to restart itself
How can you tell when a virus is running as an ordinary user?
One big clue is that only some accounts
are infected. If an administrative (power user) account is infected,
the whole system is compromised.
What can you do about it?
One strategy is to delete the account,
create a new account to replace it, and change the ownership on all the
files. This has the effect of zapping the registry entries for the afflicted account.
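As an added example (not from these notes), here is a PowerShell audit that puts the "only some accounts are infected" clue to work: it lists the per-user autostart (Run/RunOnce) entries of every user hive loaded under HKEY_USERS and flags entries that exist in only some accounts. The registry paths are the standard per-user Run keys; the assumption is that you run it as an administrator on the affected machine while the suspect user is logged on (only hives of logged-on users are loaded).

```powershell
# Added example, not from the course notes: list the per-user autostart
# (Run / RunOnce) entries of every user hive loaded under HKEY_USERS and
# flag entries that exist in only some accounts. Malware that installed
# itself as an ordinary user has no write access to HKLM, so it tends to
# persist only in that one user's hive. Run as an administrator.

$runKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Properties that Get-ItemProperty adds and that are not registry values.
$psProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

# Real accounts have S-1-5-21-... SIDs; this skips the service SIDs and
# the *_Classes hives. Only hives of users currently logged on are loaded.
$sids = @(Get-ChildItem 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
    ForEach-Object { $_.PSChildName })

$entries = @{}   # "valuename = command" -> array of SIDs that carry it
foreach ($sid in $sids) {
    foreach ($key in $runKeys) {
        $path = "Registry::HKEY_USERS\$sid\$key"
        if (-not (Test-Path $path)) { continue }
        $props = Get-ItemProperty -Path $path
        foreach ($p in $props.PSObject.Properties) {
            if ($psProps -contains $p.Name) { continue }
            $id = "$($p.Name) = $($p.Value)"
            if (-not $entries.ContainsKey($id)) { $entries[$id] = @() }
            $entries[$id] += $sid
        }
    }
}

function Resolve-Sid([string]$sid) {
    # Translate a SID to DOMAIN\user where possible, else return the SID.
    try {
        $acct = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate([System.Security.Principal.NTAccount])
        $acct.Value
    } catch { $sid }
}

# An entry carried by fewer hives than there are loaded accounts is the
# "only some accounts" pattern worth looking at first.
foreach ($id in ($entries.Keys | Sort-Object)) {
    $owners = @($entries[$id] | ForEach-Object { Resolve-Sid $_ })
    $flag = if (@($entries[$id]).Count -lt $sids.Count) { 'ONLY-SOME-USERS' } else { 'all-users' }
    '{0,-16} {1}  [{2}]' -f $flag, $id, ($owners -join ', ')
}
```

To compare against an account that is not logged on, load its hive first with `reg load HKU\tmp C:\Users\<name>\NTUSER.DAT` (and `reg unload` afterwards); the loaded hive then appears under HKEY_USERS and can be checked the same way. This also shows why the "delete the account, create a new one" strategy works: the Run entries live in the user's own NTUSER.DAT, which goes away with the profile.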
Julie Amero case
On October 19, 2004: Amero was a substitute teacher (7th grade) at Kelly Middle School,
Connecticut. At some point early in the school day, the teachers' desk
computer starts displaying an unstoppable stream of pornographic web
pages. Clicking the close button on one simply brings up others. This
is by now a well-known JavaScript vulnerability.
Amero had been told never to disturb anything in the classroom,
and in particular not to turn the computer off. So she didn't. She had
apparently no idea how to turn off just the monitor. She spent much of
her day at her desk, trying to fix the problem by closing windows.
Someone apparently decided that she was actively surfing porn. Within
two days, she was told she couldn't substitute at that school; she was
arrested shortly thereafter.
Amero had complained to other teachers later that day. Why she didn't
demand that something be done during the lunch hour is not clear. Why
she didn't tape something over the screen is not clear. Amero claimed
that two kids used the computer before the start of class, at a
hairstyles site, but others claimed that could not have happened
because it was not allowed.
It later turned out that the school's content-filter subscription had
lapsed, and so the filter was out of date. Also, the computer had
several viruses or "spyware" programs installed. In retrospect, some
sort of javascript attack seems to have been the proximate cause.
In January 2007, she was convicted of impairing the morals of a child.
This was despite computer-forensic evidence that a hairstyles site
triggered a scripting attack that led to the Russian porn sites.
The prosecutor's closing arguments hinged on the idea that some of the
links in question had "turned red", thus "proving" that they had been
clicked on (i.e., deliberately by Amero) rather than having been activated
via scripting. This is false at several levels: link colors for
followed links can be any color at the discretion of the page, and if a
page has been opened via a script, links to it are indistinguishable
from links that were clicked on.
In June 2007 Amero was granted a new trial, and in November 2008 she
pleaded guilty to a misdemeanor disorderly conduct charge and forfeited
her teaching credentials.
Amero's failure to regard the computer problem as an emergency probably contributed to her situation.
Wireless
General view
iwlist wlan0 scan
A "station" (that is, a wireless computer) must associate with an access point before any traffic can flow!
This is sort of a software equivalent of plugging in, except that you
have to be in range (I guess you have to be in range to plug into a
wire too).
What about using wireless networks for a classroom lab? There are a few problems:
- Wireless networks tend to get "stuck" much more regularly than wired, necessitating administrative maintenance.
- On many computers, connecting to the wireless network is an active step that must be taken after each reboot.
- Wireless networks have problems when everyone accesses something at the same time (even more than wired).
Windows Server 2008
Previous configuration
How do we get DHCP working?
I have not figured out what the problem was. We were getting the status page, with no options for adding "scopes".
Disabling CNTL-ALT-DEL
Control Panel => Admin Tools => Local Security Policy => Local Policies => Security Options
=> Interactive Logon: Do not require CNTL+ALT+DEL
Routing problem
Configuration:
Choose configuration/enable
Custom
=> LAN
After all this was done, DNS worked just fine. Nothing
else did. I eventually figured out how to turn off Windows Firewall
with Advanced Protection. But that wasn't the problem either! The
problem was the linux firewall left over from our virus lab.
Note that Windows is really big on enforcing password rules. There are
standard account rules, and there are also rules forbidding shared
folders except by accounts with passwords. The latter rules have their
place, but make it difficult to make some folders "public" to all.
Roles
Adding Roles
Managing Roles
Adding Active Directory Domain Services role
First add the role
Then do the ADDS Installation Wizard
- new domain in new forest
- domain name: csed.cs.luc.edu
- Accept dynamic IP address (10.0.5.2) for link to outside. It's a "reserved" DHCP entry, so it's ok.
- Accept other problem
- Restore password: make one up. I used "snorri".
- Try running wireshark while DNS is configuring itself, to watch for queries.
- problem with credentials: the "owner" account isn't necessarily a member of the Domain Admins group.
Once you are a domain, you can run the tools
Active Directory Computers & Users
Active Directory Sites & ..
Group Policy thingie
All these are in Administrative Tools.
Mandatory profiles:
http://support.microsoft.com/kb/307800
Lab
Log into winser08.
Verify that the following roles are working:
- Network Policy and Access Services
- DHCP
The network diagram you are heading for is as follows:
[Network diagram; the box drawing did not survive extraction. Labels that remain: laptop, 10.0.5.1, 10.11.12.1, 10.11.12.0/24, winser8, 10.0.5.5, win1, win2. Per the text below, winser08 routes between the 10.0.5.x side (laptop/outside) and the 10.11.12.0/24 side where win1 and win2 sit.]
Verify that win1/win2 are able to get to the internet (using winser08 as a router).
1. Change the configuration on winser08 so that CNTL+ALT+DEL is not needed.
2. Make sure the "machine name" of winser08 is actually that;
change it with the control panel if necessary. It was winser08-pld on
some machines. Change it now before you're stuck.
3. Enable the role Active Directory Domain Services. You will also have to enable the DNS role. Ignore the DNS errors, or else use 147.126.68.1 as the referring DNS server.
4. Activate things to make your server a domain controller
5. You will now have to authorize DHCP. Do it.
6. Use the Group Policy thing to change the domain password policy to 4 chars, no complexity.
8. Have win1 or win2 join your newly formed domain.
9. Add some users using the domain controller, and use those accounts to log into win1/win2.
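As an added example (not part of the lab handout), the following PowerShell script checks the end state the lab steps aim for, one PASS/FAIL line per step, instead of clicking through the GUI to confirm each one. It assumes an elevated PowerShell on winser08, that the ServerManager module (Server 2008 R2 and later) is available for Get-WindowsFeature, and that the DHCP server tools are installed so the `netsh dhcp` context exists; the registry value names (DisableCAD, IPEnableRouter) are the ones the corresponding Local Security Policy and routing settings write.

```powershell
# Added example, not from the course notes: verify the lab end state on
# winser08. Run in an elevated PowerShell on the server itself.
$expectedName = 'winser08'
$results      = @()

function Add-Check([string]$name, [bool]$ok, [string]$detail) {
    $script:results += New-Object PSObject -Property @{
        Check  = $name
        Result = $(if ($ok) { 'PASS' } else { 'FAIL' })
        Detail = $detail
    }
}

# Step 1: "Interactive logon: Do not require CTRL+ALT+DEL" sets DisableCAD = 1.
$sys = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
Add-Check 'CTRL+ALT+DEL not required' ($sys.DisableCAD -eq 1) "DisableCAD=$($sys.DisableCAD)"

# Step 2: machine name really is winser08, not winser08-pld or similar.
Add-Check 'Machine name' ($env:COMPUTERNAME -ieq $expectedName) $env:COMPUTERNAME

# Steps 3/4: AD DS and DNS roles installed, and this box is a domain controller
# (Win32_ComputerSystem.DomainRole 4 = backup DC, 5 = primary DC).
Import-Module ServerManager -ErrorAction SilentlyContinue
foreach ($feature in 'AD-Domain-Services', 'DNS') {
    $f = Get-WindowsFeature $feature -ErrorAction SilentlyContinue
    Add-Check "Role $feature installed" ($null -ne $f -and $f.Installed) ''
}
$cs = Get-WmiObject Win32_ComputerSystem
Add-Check 'Is domain controller' ($cs.DomainRole -ge 4) "DomainRole=$($cs.DomainRole) domain=$($cs.Domain)"

# Routing win1/win2 (10.11.12.0/24) to the outside needs IP forwarding on.
$tcp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
Add-Check 'IP forwarding enabled' ($tcp.IPEnableRouter -eq 1) "IPEnableRouter=$($tcp.IPEnableRouter)"

# Step 5: DHCP server authorized in Active Directory (it is listed by name).
$auth = netsh dhcp show server 2>$null | Out-String
Add-Check 'DHCP server authorized' ($auth -match $expectedName) ''

# Step 6: the lab asks for a 4-character minimum with complexity off.
$acct   = net accounts /domain | Out-String
$minLen = if ($acct -match 'Minimum password length:\s+(\d+)') { [int]$matches[1] } else { -1 }
Add-Check 'Min password length is 4 (lab setting)' ($minLen -eq 4) "MinLen=$minLen"

$inf = Join-Path $env:TEMP 'secpol.inf'
secedit /export /cfg $inf /quiet | Out-Null
$cplx = if ((Get-Content $inf | Out-String) -match 'PasswordComplexity\s*=\s*(\d)') { [int]$matches[1] } else { -1 }
Add-Check 'Password complexity off (lab setting)' ($cplx -eq 0) "PasswordComplexity=$cplx"
Remove-Item $inf -ErrorAction SilentlyContinue

$results | Format-Table Check, Result, Detail -AutoSize
```

The two password checks encode the lab's deliberately weak policy; for anything other than a throwaway lab domain you would invert them (minimum length at least the default 7, complexity on), since the 4-character/no-complexity setting is exactly what makes a domain's accounts cheap to guess. Steps 8 and 9 (joining win1/win2 and logging in with domain users) are verified from the clients, e.g. by checking that `$env:USERDOMAIN` on win1 is the new domain after a domain logon.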