Burn ISO to Bootable USB drive
I'm tired of always using CDs/DVDs, so why not unleash the power of USB?
http://www.pendrivelinux.com/boot-iso-from-usb-flash-drive
This tool lets you burn a standard ISO to a USB.
Lets you also have multiple ISOs on the key to choose for the boot sequence.
Delicious!
Sending vCard – “You can’t send a message on behalf of this user unless you have permission to do so … ” – Outlook 2010
If you run into this message while trying to forward a vCard using Outlook 2010 (likely 2007 as well), you are dealing with a hidden x400 "FROM" address inside the contact metadata. When a contact is created, Outlook will cache the "from" address and reference it instead of the actual account being used to send. You will see this when contacts are imported and exported between Exchange services, and apparently POP3 as well.
Sadly, there are only 2 resolutions and neither of them is global.
1) When you see the “FROM” field appear while forwarding a contact, manually click "From" -> "other e-mail address" -> and choose your name from the list.
This will change the “from” address to your correct address, hit send, and life is good.
2) You can manually create new contacts and copy the information from the old to the new.
DO NOT right click and copy a contact, you need to make a new contact and copy each field over individually.
If you copy a contact, it will transfer the x400 metadata.
I strongly feel this is a bug and Microsoft should look at removing the reference to the old address.
How to find all users in active directory with the “password expires” setting enabled or disabled
Just a quick tip for those who need to query users whose passwords are set to expire, or vice versa.
Open up the Windows PowerShell and use the two following commands:
1) To show your list of users and their settings
dsquery user "ou=someOU,dc=yourdomain,dc=ca" -limit 0 | dsget user -email -pwdneverexpires
2) To update all users to yes or no
dsquery user "ou=someOU,dc=yourdomain,dc=ca" -limit 0 | dsmod user -pwdneverexpires yes
This mailbox database contains one or more mailboxes, mailbox plans, archive mailboxes, or arbitration mailboxes.
I ran into a unique situation where removing an Exchange database was testing my sanity and I definitely want to post the solution for anyone else that runs into the same issue.
Here's the scenario: Exchange 2010. You are looking to move all mailboxes out of a particular database. After moving all the mailboxes, you ask Exchange to remove the database through the EMC or shell, when suddenly:
This mailbox database contains one or more mailboxes, mailbox plans, archive mailboxes, or arbitration mailboxes. To get a list of all mailboxes in this database, run the command Get-Mailbox -Database <Database ID>. To get a list of all mailbox plans in this database, run the command Get-MailboxPlan. To get a list of archive mailboxes in this database, run the command Get-Mailbox -Database <Database ID> -Archive. To get a list of all arbitration mailboxes in this database, run the command Get-Mailbox -Database <Database ID> -Arbitration. To disable a non-arbitration mailbox so that you can delete the mailbox database, run the command Disable-Mailbox <Mailbox ID>. To disable an archive mailbox so you can delete the mailbox database, run the command Disable-Mailbox <Mailbox ID> -Archive. Arbitration mailboxes should be moved to another server; to do this, run the command New-MoveRequest <parameters>. If this is the last server in the organization, run the command Disable-Mailbox <Mailbox ID> -Arbitration -DisableLastArbitrationMailboxAllowed to disable the arbitration mailbox. Mailbox plans should be moved to another server; to do this, run the command Set-MailboxPlan <MailboxPlan ID> -Database <Database ID>.
As you are a brilliant IT wizard, you immediately remember to check if you moved all the archive and arbitration mailboxes.
[PS] C:\Program Files\Microsoft\Exchange Server\V14\Scripts>Get-Mailbox -Database "Staff & Testing Mailboxes" -Archive
[PS] C:\Program Files\Microsoft\Exchange Server\V14\Scripts>Get-Mailbox -Database "Staff & Testing Mailboxes" -Arbitration
[PS] C:\Program Files\Microsoft\Exchange Server\V14\Scripts>Get-Mailbox -Database "Staff & Testing Mailboxes"
No results are returned ... why does Exchange think there are mailboxes left inside?
Good question!
When the database removal request begins, a validation process is completed to ensure no user mailbox attributes are linked to the database. In very rare instances, you may find a particular attribute has failed to update or be reset and thus ... it fails. In our particular case, an existing mailbox had the "online-archive" feature removed and during the process, the "msExchArchiveDatabaseLink" attribute was still referencing this old database. So how did we find it?
Easy!
1) Load the command prompt and run "dsquery * domainroot -attr * -limit 0 > results.txt"
This will dump the attributes for every object in AD to a text file you can search through.
2) Open the text file with notepad and search for a unique string from your database name. In our case, "Testing" worked out great from "Staff & Testing mailboxes"
3) We found the single attribute that was causing the removal process to think there were still active mailboxes in the database.
msExchArchiveDatabaseLink: CN=Staff & Testing Mailboxes,CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=XXXXXXX,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=XXXXXXX,DC=XXX
If you look directly above this row, you will find a few values that will help you identify the user account in question that has this attribute set.
In our case, we found these records a few lines above:
sAMAccountName: jon
userPrincipalName: jon@doe.com
mail: jon@doe.com
Now we know which user has a reference to the old database, and which attribute.
4) Load ADSIEDIT.MSC and browse to the user object under the default naming context. Right click the object, properties, scroll down until you find "msexcharchivedatabaselink" and clear it. After you save it should be "<not set>".
If you're not familiar with ADSIEDIT, open it, choose the default naming context and you will be provided with a list of objects similar to your active directory users/computers. When you find the user that had the bad link, right click their object and select properties. Within is a fantastic list of all sorts of attributes ... including the one you need to change (msexcharchivedatabaselink).
BE CAREFUL USING ADSIEDIT ... you can do SERIOUS damage. You've been warned!
After you reset this value, try removing the database again and you should find success. If not, run the dsquery again and look for other objects referencing the old database.
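The search in steps 1 to 3 can be scripted. The following Python is an added example, not part of the original post: it splits the dump into objects and lists every attribute that mentions the database name, together with the account that owns it. It assumes the "attribute: value" layout shown above with a blank line between objects; the sample dump and its DC=example,DC=com names are constructed.

```python
from collections import defaultdict

# Constructed sample in the "attribute: value" layout of results.txt.
# Assumption: objects are separated by a blank line.
SAMPLE_DUMP = """\
objectClass: user
cn: Jon Doe
sAMAccountName: jon
userPrincipalName: jon@doe.com
mail: jon@doe.com
msExchArchiveDatabaseLink: CN=Staff & Testing Mailboxes,CN=Databases,DC=example,DC=com

objectClass: user
cn: Jane Roe
sAMAccountName: jane
homeMDB: CN=Production Mailboxes,CN=Databases,DC=example,DC=com
"""

# Attributes used to name the object in the report.
ID_ATTRS = ("sAMAccountName", "userPrincipalName", "mail")


def parse_records(text):
    """Yield one dict per AD object: attribute name -> list of values."""
    record = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():              # blank line closes the current object
            if record:
                yield dict(record)
                record = defaultdict(list)
            continue
        name, sep, value = line.partition(":")
        if sep:
            record[name.strip()].append(value.strip())
    if record:                            # last object has no trailing blank line
        yield dict(record)


def find_references(text, needle):
    """Return (identity, attribute names) for objects that mention needle."""
    needle = needle.lower()
    hits = []
    for rec in parse_records(text):
        attrs = sorted(
            name for name, values in rec.items()
            if name not in ID_ATTRS and any(needle in v.lower() for v in values)
        )
        if attrs:
            identity = {a: rec[a][0] for a in ID_ATTRS if a in rec}
            hits.append((identity, attrs))
    return hits


if __name__ == "__main__":
    # For a real dump: text = open("results.txt", errors="replace").read()
    for identity, attrs in find_references(SAMPLE_DUMP, "Testing"):
        print(identity, "->", ", ".join(attrs))
```

The database object itself will also show up as a hit in a real dump, since its own name contains the search string.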
Some other things to mention ... although likely not necessary ... during the process, I also:
- Deleted the System Mailbox record for this database using the DSQUERY Results and ADSIEDIT ... not sure if this was another contributing factor to the success.
- With SP1, mailboxes are moved and the existing copy is left in the old database as a disconnected "SoftDeleted" status. I manually removed these as well, not sure if this was another contributing factor to the success.
If you want to remove all disconnected mailboxes from a database, run the following command:
Get-MailboxStatistics -Database "dbname" | Where-Object {$_.DisconnectReason -eq "Disabled"} | ForEach {Remove-StoreMailbox -Database $_.database -identity $_.mailboxguid -MailboxState Disabled }
If you want to remove all soft-deleted mailboxes from a database, run the following command:
Get-MailboxStatistics -Database "dbname" | Where-Object {$_.DisconnectReason -eq "Softdeleted"} | ForEach {Remove-StoreMailbox -Database $_.database -identity $_.mailboxguid -MailboxState Softdeleted }
Thanks to: http://www.howexchangeworks.com/2010/09/purge-disconnected-or-soft-deleted.html
For the softdelete info!
Social Engineering – Hacking – How to Protect Yourself
I feel it necessary to educate you on one of the more popular “hacking” methods currently used by a variety of groups all around the world. While normal hacking methods are still an on-going threat, hackers are intelligent and innovative and you should be prepared for “Social Engineering”.
-------------------
Social engineering is the art of manipulating people into performing actions or divulging confidential information, rather than by breaking in or using technical cracking techniques. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victim. In the United Kingdom, social engineering using impersonation (e.g. to gain information over the phone) is known informally as blagging. In addition to criminal purposes, social engineering has also been employed by debt collectors, private investigators, bounty hunters and tabloid journalists.
A study by Google researchers analyzing fake AV distribution found that up to 90% of all domains involved in distributing fake antivirus software used social engineering techniques.
Sourced from: Wikipedia.org.
-------------------
In our industry, the most dangerous and commonly used method of Social Engineering is the “Fake Helpdesk”, or more accurately described as “tricking employees into thinking the person on the phone is a legitimate helpdesk technician from the IT department.” It’s VERY common to find employees doing exactly what the fake support technician requests without any inquiry as to the reason for the support work, or a request for identification.
Even with all the right infrastructure in place including firewalls, intrusion prevention packages, real-time monitoring solutions, and strict password policies, a simple phone call from a patient and polite hacker can penetrate your entire network in minutes. We’ve seen it, and this should be taken very seriously.
How to protect yourself
1) Ask for identification (name, company, phone number and website).
2) If you receive a call or email from anyone requesting you complete a task or provide information and you do not recognize the caller, start asking questions.
3) If you receive a call or email, NEVER give out your information.
4) If you receive a call or email, NEVER accept technical support unless you are 100% confident the person is someone you’ve dealt with before. If you haven’t, see 3).
5) If you receive a call, the caller should have no objection letting you call them back at their head-office after you find the number yourself (use their website).
6) Verify the user calling is from a company you normally deal with.
7) If something doesn’t feel right, call your manager.
8) Call your IT Department to verify the legitimacy of the call.
Educate Your Team
Ensure your staff are aware of the threat and educate them. Make sure they possess the knowledge to ask the right questions and contact the right people if something doesn’t add up.
Test Your Staff
Be pro-active and attempt a “Social Engineering” hack at your locations. How difficult is it to acquire information from your staff? More training may be required. Take the time to educate your team; this threat is real and you need to take precautions.
Did you know?
1) Caller ID can be faked (or in fancy terms, SPOOFED)? Although it might say “Royal Bank” or “SIRKit Ltd”, this can easily be manipulated.
2) Banks and Government agencies will never call you and ask for your personal information. You will always have to call them.
3) Banks and Government agencies will never e-mail you a request for information. You will always have to call them, or use their website.
4) Legitimate organizations will never e-mail you with a link to change your password or provide login details.
5) E-mail is rarely encrypted. Never send sensitive information via email. EVER.
6) You will never be notified by e-mail that you’ve won anything of significance. It’s pretty much guaranteed to be fake.
7) E-mail addresses can be faked. Although your e-mail application says billgates@microsoft.com or kris@sirkit.ca, it’s not guaranteed that the e-mails originated from these addresses.
8) When you click on a link in an e-mail, verify the web address AFTER the page loads. Always look at the name right before the .com, .net, .org or .ca. This is the TRUE domain.
Hopefully this gives you a bit of insight into the threat.
If you have any questions at all, please do not hesitate to contact us.
Trend Micro – Worry Free Business Security – Firewall Port Ranges Failing/Not Working
We recently applied an upgrade from Worry Free Business Security 6.0 SP3 to 7.0. After the upgrade we noticed whitelisted Ephemeral and other port ranges in the firewall policies were not allowing traffic in. After numerous hours verifying everything was set up correctly, we got in touch with Trend Micro and they sent back a patch to resolve the issue. We haven't seen this online yet, so I figure this may help a few of you.
--------------------------------------------------------------------------------
Good Day.
Please apply the attached Hotfix to the WFBS Server. Unzip password: novirus
Let the agents update afterwards then observe if the issue persists.
We are looking forward to your reply.
Technical Support – Worry-Free Products and Services Trend Micro, Inc. “Securing Your Journey to the Cloud”
--------------------------------------------------------------------------------
Download: http://www.sirk.ca/downloads/WFBS_70_WIN_All_HFB1461.zip
After applying this patch and allowing the update to propagate down to the clients, the port ranges started allowing traffic through.
Windows 2008 R2 – cryptsvc – the service name is invalid – windows backup fails – sfc fails – windows updates fail

The title of this article sounds ... well just terrifying. If you run into a system with this many issues, it's likely easier to just rebuild it from scratch, right? WRONG! I'm stubborn and figure some things are worth the challenge. Ultimately, this was a fairly critical Exchange server that would take a lot of work to rebuild.
To approach a problem like this, we follow the trail of issues.
First noticed issues: Windows Backups are failing and Windows Updates will not install.
The system is Windows 2008 R2 64bit Enterprise Edition with Exchange 2010 SP1.
1) Verify the system filesystem integrity using SFC
C:\>sfc /scannow
Windows Resource Protection found corrupt files but was unable to fix some of them.
Details are included in the CBS.Log windir\Logs\CBS\CBS.log. For example
C:\Windows\Logs\CBS\CBS.log
From this you would normally interpret corruption and seek out the affected files by using the following command:
C:\Windows\system32>findstr /C:"[SR] Cannot repair member file" %windir%\Logs\CBS\CBS.log
The interesting thing in our case was the "findstr" command returned nothing. So we skipped this step and moved onto the next one for the time being. Who wants to dig through tens of thousands of lines? Not me!
2) Diagnose and attempt to repair the Windows Backup issues
The Windows Backup utility was failing with "The operation was stopped. Detailed Error: The System Writer is not found in the backup". System State Backup Failed.
First thing to check is THAT exactly.
c:\> vssadmin list writers
You're looking for this:
Writer name: 'System Writer'
Writer Id: {e8132975-6f93-4464-a53e-1050253ae220}
Writer Instance Id: {05407ce0-b537-4973-a731-e7ed614a9a9e}
State: [1] Stable
Last error: No error
If your list does not include the "System Writer", that's a problem. A fairly common one at that. The Windows Backup utility requires this tool.
If you dig around online you'll find an arsenal of articles outlining permission errors on a specific set of windows folders that cause the System Writer to fail. We've done the research for you. The following script will reset permissions on those folders back to default.
Create a batch file called "fixPermissions.bat" and copy/paste the following:
------------------------------------------------------------------------------------------------------------
Takeown /f %windir%\winsxs\filemaps /a
icacls %windir%\winsxs\filemaps /grant "NT AUTHORITY\SYSTEM:(RX)"
icacls %windir%\winsxs\filemaps /grant "NT Service\trustedinstaller:(F)"
icacls %windir%\winsxs\filemaps /grant "BUILTIN\Users:(RX)"
icacls %windir%\winsxs\filemaps /grant "Administrators:(RX)"
Takeown /f %windir%\winsxs\filemaps\* /a
icacls %windir%\winsxs\filemaps\*.* /grant "NT AUTHORITY\SYSTEM:(RX)"
icacls %windir%\winsxs\filemaps\*.* /grant "NT Service\trustedinstaller:(F)"
icacls %windir%\winsxs\filemaps\*.* /grant "BUILTIN\Users:(RX)"
icacls %windir%\winsxs\filemaps\*.* /grant "Administrators:(RX)"
Takeown /f %windir%\winsxs\temp\PendingRenames /a
icacls %windir%\winsxs\temp\PendingRenames /grant "Administrators:(RX)"
icacls %windir%\winsxs\temp\PendingRenames /grant "NT AUTHORITY\SYSTEM:(RX)"
icacls %windir%\winsxs\temp\PendingRenames /grant "NT Service\trustedinstaller:(F)"
icacls %windir%\winsxs\temp\PendingRenames /grant "BUILTIN\Users:(RX)"
Takeown /f %windir%\winsxs\temp\PendingRenames\*.* /a
icacls %windir%\winsxs\temp\PendingRenames\*.* /grant "Administrators:(RX)"
icacls %windir%\winsxs\temp\PendingRenames\*.* /grant "NT AUTHORITY\SYSTEM:(RX)"
icacls %windir%\winsxs\temp\PendingRenames\*.* /grant "NT Service\trustedinstaller:(F)"
icacls %windir%\winsxs\temp\PendingRenames\*.* /grant "BUILTIN\Users:(RX)"
net stop cryptsvc && net start cryptsvc
------------------------------------------------------------------------------------------------------------
Run it from an elevated command prompt to ensure you have adequate permissions. As the impressive Matrix-like text runs down your screen, take notice of the very last command when it all finishes.
"net stop cryptsvc && net start cryptsvc"
You should see this:
The Cryptographic service is stopping..
The Cryptographic service was stopped successfully.
The Cryptographic service is starting.
The Cryptographic service was started successfully.
At this point reboot your system and run "vssadmin list writers" to verify if the "System Writer" is now listed. If so, you can test your backup again and it's likely to be working. If the VSS Writer is NOT listed, but the "net stop cryptsvc && net start cryptsvc" was successful, you are experiencing a different issue and the following steps are not applicable (please contact our support team if you require assistance).
In our case, the "cryptsvc" doesn't appear to be registered correctly. Instead of returning the successful stop/start on the Cryptographic service, we received:
The service name is invalid.
More help is available by typing NET HELPMSG 2185.
3) Verify the Cryptographic service is enabled and operating correctly
Start -> services.msc
Wait! "The service name is invalid" actually means it's not registered and you'll likely realize that when you can't find the service in the services list.
At this point you'll likely start wondering how the? where did it go? We honestly couldn't tell you, but it's really easy to fix. Using another Windows 2008 R2 system, export the missing registry values.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CryptSvc
If you load regedit and browse to this location, you'll notice the CryptSvc is missing. On your secondary system, right click the CryptSvc and export it to a file. You can then double click this file on your problematic system to import the missing values.
If you do not have access to another system, copy the content below into a registry file and double click to load.
File Name: cryptsvc.reg (use whatever you want as long as it ends in .reg)
------------------------------------------------------------------------------------------------------------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CryptSvc]
"DisplayName"="@%SystemRoot%\\system32\\cryptsvc.dll,-1001"
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
6b,00,20,00,4e,00,65,00,74,00,77,00,6f,00,72,00,6b,00,53,00,65,00,72,00,76,\
00,69,00,63,00,65,00,00,00
"Description"="@%SystemRoot%\\system32\\cryptsvc.dll,-1002"
"ObjectName"="NT Authority\\NetworkService"
"ErrorControl"=dword:00000001
"Start"=dword:00000002
"Type"=dword:00000020
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,00,00
"ServiceSidType"=dword:00000001
"RequiredPrivileges"=hex(7):53,00,65,00,43,00,68,00,61,00,6e,00,67,00,65,00,4e,\
00,6f,00,74,00,69,00,66,00,79,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,\
67,00,65,00,00,00,53,00,65,00,43,00,72,00,65,00,61,00,74,00,65,00,47,00,6c,\
00,6f,00,62,00,61,00,6c,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,\
65,00,00,00,53,00,65,00,49,00,6d,00,70,00,65,00,72,00,73,00,6f,00,6e,00,61,\
00,74,00,65,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,\
00,00
"FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\
00,01,00,00,00,60,ea,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CryptSvc\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
63,00,72,00,79,00,70,00,74,00,73,00,76,00,63,00,2e,00,64,00,6c,00,6c,00,00,\
00
"ServiceMain"="CryptServiceMain"
"ServiceDllUnloadOnStop"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CryptSvc\Security]
"Security"=hex:00,00,0e,00,01
------------------------------------------------------------------------------------------------------------
Once you've loaded the registry file and repaired the missing data, reboot your system. You should now see the "Cryptographic Services" running in the "services.msc" list, "sfc /scannow" will return no errors, the "System Writer" will show up in the "vssadmin list writers" list, and your Windows Backup and Windows Updates will complete successfully.
Hopefully this helps you avoid a complete re-installation!
Samsung SyncThru Web Service default Username and Password
We had some fun getting in touch with someone at Samsung who actually knew what we were talking about.
As such, hopefully this saves you all some time.
Username/ID: admin
Password: sec00000 (that's 5 zeros)
The session setup from the computer %% failed to authenticate. The following error occurred: Access is denied.
Event ID: 5805
The session setup from the computer %computername% failed to authenticate. The following error occurred:
Access is denied.
We ran into a client with PCs that would not authenticate to his domain controllers.
After further investigations, the client had configured an RODC for a remote office and had not yet added the specific user or computer groups to the trusted list.
Just for those who are not aware, EVERY COMPUTER in a domain has an account (just like a user account, except it ends with $).
Add User & Computer Security Groups to the RODC Cache:
Active Directory Users & Computers -> Right Click -> Properties of the RODC -> Password Replication Policy -> Add
Choose the Computers individually or add the entire "Domain Computers" security group, or even better, create a new security group for the specific computers you would like this RODC to authenticate.
Once you've added them to the "allow" status in this window, reboot the PC and allow 15+ minutes for replication to the RODC to complete.
Voila!






