Excellent Article on Security Settings after an AD Install

WindowSecurity.com has an excellent article on the top 10 settings to change after installing Active Directory.

See http://www.windowsecurity.com, or use the direct link to the article:
Top 10 AD Settings after Installing AD

Active Directory Export with LDIFDE

The LDIFDE export tool can be helpful to move the entire domain out and have it available for importing. I would not recommend this as a backup and restore mechanism. But to create an exact replica of the live domain as described above, the LDIFDE tool can be the vehicle to export your domain to the test environment and keep it up to date. My issue with test domains is that they stray from the live environment, and keeping them current is important. You can export your entire domain as is with this easy one-liner:

LDIFDE -f c:\domain-out.file

LDIFDE can interpret this file in an import, and it’s readable in a text editor. It’s easy to blur the differences between LDIFDE and CSVDE when you read their descriptions, but I like CSVDE because you can export by a particular organizational unit (OU). This is handy, as LDIFDE will take the entire directory, which includes user accounts as well as printers, computer accounts, domain controllers, and other Active Directory objects. LDIFDE will tend to have a larger export file because of its scope.

More Details on Microsoft’s KB 237677
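Because a plain `LDIFDE -f` export pulls in every object class in the directory, it helps to know what is actually in the file before you feed it to a test domain. The following is an added example (not code from the original post or from Microsoft) that parses the LDIF text LDIFDE writes and counts records by their most-specific objectClass; SAMPLE_LDIF is a constructed stand-in for a real export.

```python
"""Inventory the objects in an LDIFDE export by object class.

Added example (not code from the original post or from Microsoft): parses
the LDIF text that `LDIFDE -f <file>` writes and counts records per
most-specific objectClass, so you can see what a whole-directory export
contains (users, computers, printers, ...) before importing it into a
test domain. SAMPLE_LDIF is constructed for illustration; it is not a
real export.
"""
import base64
from collections import Counter

SAMPLE_LDIF = """\
dn: CN=Alice,OU=Staff,DC=example,DC=local
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Alice
sAMAccountName: alice

dn: CN=WS01,OU=Workstations,DC=example,DC=local
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: WS01
description: Domain workstation,
  joined 2008

dn: CN=Printer1,OU=Printers,DC=example,DC=local
changetype: add
objectClass: top
objectClass: printQueue
cn: Printer1
description:: UHJpbnRlciBvbiBmbG9vciAy
"""


def _unfold(text):
    """Join LDIF continuation lines (they start with one space) onto the
    line before them."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return one dict per record: attribute name -> list of values.
    Records are separated by blank lines; 'attr:: value' is base64."""
    records, current = [], {}
    for line in _unfold(text):
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        value = value.strip()
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(attr.strip(), []).append(value)
    if current:
        records.append(current)
    return records


def inventory(text):
    """Count records by their most-specific objectClass (AD lists the
    structural class last, e.g. top, person, ..., user)."""
    counts = Counter()
    for rec in parse_ldif(text):
        classes = rec.get("objectClass", ["<none>"])
        counts[classes[-1]] += 1
    return counts


if __name__ == "__main__":
    for cls, n in sorted(inventory(SAMPLE_LDIF).items()):
        print(f"{cls:20s} {n}")
```

Point `inventory()` at the text of a real export file to get the same breakdown; a computer account shows up as `computer` rather than `user` because AD lists the structural class last.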

IP Tools – Website like DNS Stuff

IP Tools is what DNS Stuff used to be!

Use the following tools for free:

  • Ping
  • Domain Info
  • IP to Country
  • CIDR
  • Traceroute
  • DNS Lookup
  • Spam DB Lookup
  • Whois Lookup(Domain)
  • Reverse DNS Lookup
  • Decimal to hex
  • Resolve Host
  • URL Obfuscator
  • Free Email Address
  • URL De-obfuscator
  • ISP Cached DNS
  • IP Routing Lookup
  • Whois Lookup(IP)
  • Abuse Contact Lookup
  • Hex to decimal
  • Tracepath


Knoppix NSM Security Distro

Knoppix-NSM is dedicated to providing a framework for individuals wanting to learn about Network Security Monitoring (NSM) or who want to quickly and reliably deploy an NSM capability in their network. Our goal is to provide an introduction to NSM and a distribution that can be used as a launch pad to bigger and better things. We have tried to do most of the hard work to help you get up and running as fast as possible so you can spend more time learning about NSM, leaving the details as a later exercise once familiar with the concepts.

Knoppix-NSM is based on KNOPPIX Technology, which means that you can test all the tools in a live session running on the CD without the need for a hard disk drive (HDD) installation. Knoppix-NSM has the added bonus of being able to install to an HDD so you can deploy an NSM framework into your production network and use it for real-time monitoring.


Debian openssh/openssl — predictable random number generator

Information and details regarding the Debian OpenSSH and OpenSSL Security Vulnerabilities:
DSA-1576-1 openssh — predictable random number generator.
DSA-1571-1 openssl — predictable random number generator.

A vulnerability in Debian's openssl package (DSA-1571-1, CVE-2008-0166) indirectly
affects OpenSSH. As a result, all user and host keys generated using broken versions
of the openssl package must be considered untrustworthy, even after the openssl
update has been applied.

Regenerate any affected user keys:

OpenSSH keys used for user authentication must be manually regenerated,
including those which may have since been transferred to a different system
after being generated.

New keys can be generated using ssh-keygen, e.g.:

$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is:
00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 [email protected]

HD Moore's webpage on the vulnerability.
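Regenerating keys is only half the job: the old public keys also have to come out of every authorized_keys file they were copied to. The following is an added example (not from the Debian advisory or the original post) that computes the colon-separated MD5 fingerprint shown in the ssh-keygen session above for each key in an authorized_keys file and flags those whose fingerprint is on a blacklist. The two public keys, the authorized_keys text and the blacklist are constructed here; in practice the fingerprints to match would come from a list of keys known to have been generated on affected systems (assumption).

```python
"""Fingerprint the keys in an authorized_keys file and flag any whose
fingerprint is on a list of keys known to have been generated on an
affected Debian host.

Added example (not from the Debian advisory or the original post). It
computes the colon-separated MD5 fingerprint that the ssh-keygen session
above prints and matches it against a blacklist set. Both public keys,
the authorized_keys text and the blacklist are constructed here; in
practice the fingerprints to match would come from a list of keys
generated on vulnerable systems (assumption).
"""
import base64
import hashlib
import struct


def _ssh_string(b):
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(n):
    # Minimal big-endian bytes with a leading 0x00 when the top bit is set,
    # as the SSH wire format requires for positive integers.
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def make_rsa_pubkey_line(e, n, comment):
    """Build an 'ssh-rsa <base64 blob> comment' line from toy numbers.
    Only the wire encoding matters for fingerprinting; these are not
    usable keys."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode('ascii')} {comment}"


def split_key_line(line):
    """Return (type, base64 blob, comment), skipping any options prefix
    such as from="..." that authorized_keys allows before the key type
    (assumes the options contain no spaces)."""
    tokens = line.split()
    for i, tok in enumerate(tokens):
        if tok.startswith(("ssh-", "ecdsa-")) and i + 1 < len(tokens):
            return tok, tokens[i + 1], " ".join(tokens[i + 2:])
    raise ValueError("not an OpenSSH public key line")


def fingerprint_md5(line):
    """MD5 fingerprint in the aa:bb:cc:... form older ssh-keygen shows."""
    _, blob_b64, _ = split_key_line(line)
    digest = hashlib.md5(base64.b64decode(blob_b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def find_blacklisted(authorized_keys_text, blacklist):
    """Return (line number, fingerprint, comment) for every key whose
    fingerprint is in the blacklist; blank and '#' lines are skipped."""
    hits = []
    for lineno, line in enumerate(authorized_keys_text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fp = fingerprint_md5(line)
        if fp in blacklist:
            hits.append((lineno, fp, split_key_line(line)[2]))
    return hits


# Constructed sample data (toy moduli, not real keys).
WEAK_KEY = make_rsa_pubkey_line(65537, 0xC0FFEE_1234_5678_9ABC_DEF0, "alice@debian-host")
GOOD_KEY = make_rsa_pubkey_line(65537, 0xDEADBEEF_0FED_CBA9_8765_4321, "bob@fresh-key")
AUTHORIZED_KEYS = "# constructed authorized_keys\n" + WEAK_KEY + "\n" + GOOD_KEY + "\n"
BLACKLIST = {fingerprint_md5(WEAK_KEY)}   # stands in for a real weak-key list

if __name__ == "__main__":
    for lineno, fp, comment in find_blacklisted(AUTHORIZED_KEYS, BLACKLIST):
        print(f"line {lineno}: {fp} ({comment}) must be replaced")
```

Read a real file into `find_blacklisted()` and populate the set with the fingerprints you need to hunt for; every hit is a line to delete and a key owner to contact for a freshly generated replacement.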

TCPDUMP and WinDump

TCPDUMP and WinDump are command-line tools for monitoring network traffic.
They can capture and display the packet headers or show what connections are currently active.

TCPDUMP is used on *NIX operating systems, e.g. Linux and the BSDs.
Here is a quick run down with examples of using both utilities:
TCPDUMP and WinDump

What’s Running Windows Utility

What’s Running is a product that gives you an inside look into your Windows 2000/XP/2003 and Vista system.

It’s like Sysinternals Process Explorer with a few more (slightly different) features:


  • Processes
  • IP-Connections
  • Services
  • Modules
  • Drivers
  • Startup
  • System information

More info and download: http://www.whatsrunning.net/whatsrunning/main.aspx

Microsoft Security Assessment Tool 3.5

Microsoft Security Assessment Tool 3.5 or MSAT version 3.5 is an update to this excellent tool that does not get the exposure it deserves.

MSAT Overview:
The Microsoft Security Assessment Tool 3.5 is the revised version of the original Microsoft Security Risk Self-Assessment Tool (MSRSAT), released in 2004, and the Microsoft Security Assessment Tool 2.0, released in 2006. Security issues have evolved since 2004, so additional questions and answers were needed to give you a comprehensive tool set for staying aware of the evolving threat landscape that could impact your organization.
The tool takes a holistic approach to measuring your security posture, covering people, process, and technology. Findings are paired with prescriptive guidance and recommended mitigation efforts, including links to further industry guidance. These resources can help keep you aware of specific tools and methods that can improve the security posture of your IT environment.

There are three assessments that define the Microsoft Security Assessment Tool:

  • Business Risk Profile Assessment
  • Defense in Depth Assessment (UPDATED)
  • Mid-Market Security Core Infrastructure Operations Assessment (NEW)

The questions identified in the survey portion of the tool and the associated answers are derived from commonly accepted best practices around security, both general and specific. The questions and the recommendations that the tool offers are based on standards such as ISO 17799 and NIST-800.x, as well as recommendations and prescriptive guidance from Microsoft’s Trustworthy Computing Group and additional security resources valued in the industry.


MSAT Download Page

Vista Network Stack Mods

Vista and Windows Server 2008 network stack mods allow for network tuning.
If you are running Vista and find that network speeds are way down, you can try the following netsh commands to turn off Vista’s auto-tuning features (no reboot required).

Disable Autotuning:

  • netsh interface tcp set global autotuning=disabled
  • netsh interface tcp set global chimney=disabled
  • netsh interface tcp set global rss=disabled

Enable Autotuning:

  • netsh int tcp set global autotuning=normal

Show the current setting:

  • netsh int tcp show global

I’ve found Vista SP1 to be fine with just the default settings enabled, for both WS2003 and WS2008 servers.
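To see whether a box has been left with these settings off, the output of `netsh int tcp show global` is the thing to read. The following is an added example (not from the original post or from Microsoft) that parses that output, reports the state of the three settings toggled above, and lists the commands that turn the disabled ones back on. SAMPLE_OUTPUT is constructed in the layout Vista/2008 print, and the label strings and the `chimney=enabled` / `rss=enabled` counterparts of the disable commands are assumptions to check against your own build; `live_tcp_global()` runs the real command on Windows.

```python
"""Read the TCP global settings that `netsh int tcp show global` prints and
report which of the three settings toggled above are off.

Added example (not from the original post or Microsoft): parses the
command's text output, reports the current auto-tuning, chimney offload
and RSS state, and lists the netsh commands that turn the disabled ones
back on. SAMPLE_OUTPUT is constructed in the layout Vista/2008 print;
the label strings are an assumption about your build, so compare them
with your own output. live_tcp_global() runs the real command on Windows.
"""
import subprocess

SAMPLE_OUTPUT = """\
Querying active state...

TCP Global Parameters
----------------------------------------------
Receive-Side Scaling State          : enabled
Chimney Offload State               : disabled
Receive Window Auto-Tuning Level    : disabled
Add-On Congestion Control Provider  : none
ECN Capability                      : disabled
RFC 1323 Timestamps                 : disabled
"""

# netsh output label -> keyword used with `netsh int tcp set global`.
SETTINGS = {
    "Receive Window Auto-Tuning Level": "autotuning",
    "Chimney Offload State": "chimney",
    "Receive-Side Scaling State": "rss",
}

# Value that turns each setting back on: 'normal' for autotuning is the
# command the post gives; 'enabled' is the counterpart of the post's
# chimney=disabled / rss=disabled (assumption).
ON_VALUE = {"autotuning": "normal", "chimney": "enabled", "rss": "enabled"}


def parse_tcp_global(text):
    """Return {label: value} for every 'Label : value' line."""
    params = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        label, _, value = line.partition(":")
        params[label.strip()] = value.strip().lower()
    return params


def tuning_report(params):
    """Return (current, disabled): the state of the three settings and the
    keywords of those currently disabled."""
    current = {kw: params.get(label, "unknown") for label, kw in SETTINGS.items()}
    disabled = [kw for kw, state in current.items() if state == "disabled"]
    return current, disabled


def restore_commands(disabled):
    """netsh commands that switch the given keywords back on."""
    return [f"netsh int tcp set global {kw}={ON_VALUE[kw]}" for kw in disabled]


def live_tcp_global():
    """Run netsh on a Windows box and return its output (Windows only)."""
    return subprocess.run(["netsh", "int", "tcp", "show", "global"],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    current, disabled = tuning_report(parse_tcp_global(SAMPLE_OUTPUT))
    print("current:", current)
    for cmd in restore_commands(disabled):
        print("to re-enable:", cmd)
```

On a live machine replace `SAMPLE_OUTPUT` with `live_tcp_global()`; an `unknown` in the report means the label in your netsh build differs from the one assumed in SETTINGS.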

More Information – links: