Using GPMC (Group Policy Management Console) on Windows 2003 x64

If you have attempted to install the GPMC (Group Policy Management Console) on Windows 2003 x64 version, you have encountered this problem; and it is frustrating. The error you receive if you attempt to install GPMC on x64 states that you have to uninstall the "previous" incompatible version of .NET. Microsoft has indicated that Vista comes with both x86 and x64 versions of GPMC, so they have it available. But, the company has indicated that an x64 version will not be released for "older" versions of Windows – for some unknown reason (i.e. forcing people to upgrade to the less-than-popular Vista).

So, I went looking for a way to work around this problem because I don’t want to run XP 32-bit or Vista just to use GPMC on my 2003 x64 system. After some venting on forums with other like minds, I came across the way to run GPMC under 2003 x64. The trick is to prevent the GPMC msi from "checking" on what version of dotNet that Windows is running. The reason this works is because GPMC will work with the version of .NET that comes with 2003 x64.

To do this, make a copy of the GPMC msi installer (so that you are not modifying the original), then open it using an MSI editor (like Orca) and perform the following changes:

  • Delete the BlockOnNoNetFramework item from the InstallExecuteSequence section.

  • Delete the BlockOnNoNetFramework item from the InstallUISequence section.

Save this MSI, then install it by right-clicking it and choosing Install.
Then, to ensure proper operation after installation, perform the following steps:

  • Choose Start -> Administrative Tools -> and Right-click “Group Policy Management” and choose “Author”
  • Choose File -> Add Snap-in -> Choose “Active Directory Users and Computers”
  • Choose OK, Choose File->Save, then File->Exit
  • Lastly, go to %systemroot%\System32 and copy gpedit.msc and rsop.msc to the %systemroot%\SysWOW64 folder

Then, you are all set.

Now, why can’t Microsoft just do this? Seems silly in my opinion.
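
The Orca edit from this post can also be scripted through the Windows Installer automation object. This is an added example, not part of the original post; the two file paths are hypothetical, and the action and table names are the ones given above.

```powershell
# Added example: scripted equivalent of the Orca edit described in the post.
$Source  = 'C:\Temp\gpmc.msi'                  # hypothetical path to the original MSI
$Patched = 'C:\Temp\gpmc-nonetcheck.msi'       # hypothetical path for the edited copy
$Action  = 'BlockOnNoNetFramework'             # row named in the post
$Tables  = 'InstallExecuteSequence', 'InstallUISequence'   # tables named in the post

# The installer automation objects are late-bound, so call methods via reflection.
function Invoke-ComMethod($Object, [string]$Name, [object[]]$ArgList = @()) {
    $Object.GetType().InvokeMember($Name, 'InvokeMethod', $null, $Object, $ArgList)
}

# Work on a copy so the original installer stays untouched.
Copy-Item -Path $Source -Destination $Patched -Force

$installer = New-Object -ComObject WindowsInstaller.Installer
$db = Invoke-ComMethod $installer 'OpenDatabase' @($Patched, 1)   # 1 = transact mode
try {
    # Delete the launch-condition action from both sequence tables.
    foreach ($table in $Tables) {
        $sql  = 'DELETE FROM `{0}` WHERE `Action` = ''{1}''' -f $table, $Action
        $view = Invoke-ComMethod $db 'OpenView' @($sql)
        $null = Invoke-ComMethod $view 'Execute'
        $null = Invoke-ComMethod $view 'Close'
    }
    $null = Invoke-ComMethod $db 'Commit'

    # Verify that no row for the action remains in either table.
    foreach ($table in $Tables) {
        $sql  = 'SELECT `Action` FROM `{0}` WHERE `Action` = ''{1}''' -f $table, $Action
        $view = Invoke-ComMethod $db 'OpenView' @($sql)
        $null = Invoke-ComMethod $view 'Execute'
        $row  = Invoke-ComMethod $view 'Fetch'
        $null = Invoke-ComMethod $view 'Close'
        if ($row) { throw "$Action is still present in $table" }
        '{0}: {1} removed' -f $table, $Action
    }
}
finally {
    # Release the handles so the edited file can be opened by the installer.
    $null = [System.Runtime.InteropServices.Marshal]::ReleaseComObject($db)
    $null = [System.Runtime.InteropServices.Marshal]::ReleaseComObject($installer)
}
```

If the original MSI carries a digital signature, the edited copy will no longer validate against it, so keep the untouched original alongside the copy.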

Group Policy Blog

.     .    .   .  . .. .  .   .    .     .

"We learn from history that we do not learn from history."
Georg Wilhelm Friedrich Hegel

DST 2007 (Daylight Savings Time – 2007 Updates)

A little under the radar in 2005, the U.S. Congress extended the Daylight Savings Time (DST) rules for the United States (and some parts of our friends to the North adopted the same changes). The summarized version is that DST for areas that observe it is 4 weeks longer than before. It will start 3 weeks earlier (2nd Sunday of March – this year, March 11), and end 1 week later (first Sunday of November – this year, November 4). Here is the Wikipedia page explaining the specifics of the Energy Policy Act of 2005 and how it affects DST.

Personally, I would have preferred to have DST extended on the back end – up here in New England when we go off of DST in the late fall, it starts getting dark @ 16:00 and in the dead of winter it is pitch black by 16:15.
However, I won’t look this gift horse in the mouth – which leads me to the problem for computing.

IT folks like myself have a unique issue similar to dealing with Y2K – for as long as PCs have existed, DST rules have been the same. However, unlike Y2K, this one should be less of an issue and most applications and operating systems allow for customized DST settings (locales throughout the world often observe non-standard rules based on borders with countries, other states, etc.).

For users like the “rest of the world,” this also presents some usability concerns of which everyone should take note. Professionals, students, etc. are increasingly reliant on their electronic calendars for keeping appointments, ToDo lists, meetings, etc. Those that “live by PIM” will need to note that when making appointments in March and April, the new rules will apply – and many people are already planning (or have planned) their Spring calendars which means this is a problem now (not just in March).

However, many IT shops have not yet deployed all the necessary updates / changes required to accommodate the new rules. Some systems are harder than others to update and this will take some time, especially in medium to large organizations.

Advice to users: Check with your IT staff about the status of the DST2007 changes in your environment now.

Advice to IT types: Begin your updates now if you haven’t already – To those that have already done the job, good job.

Windows XP Service Pack 2 and higher has been updated by Microsoft through the standard Windows Update methods. If you have turned off Automatic Updates or haven’t applied everything, please apply the patches now. If you are unsure, simply go to the Microsoft Update site and run the scan.

Windows XP SP1 and lower – Update your machine to Service Pack 2 for gosh sake – you are vulnerable to all kinds of ugly things.

Windows 2000-based machines and lower are currently unsupported by Microsoft (some larger organizations might have purchased “extended” support for these older operating systems). There is a big ugly method detailed and supported by Microsoft (referenced below for the obligatory link), but it is certainly not for the average user. Thankfully, a company named IntelliAdmin (a company that makes professional Windows administration tools) has published a free tool that updates your “older” Windows operating system for you with quick clicks.

  • Click here for the link to the download page (the relevant download is about halfway down the page, first entry under the “Freeware” section).
  • Click here for more information about the tool itself.
  • Click here for Microsoft’s wonderfully painful workaround for older computers (ignore this if you wish to retain your sanity and just use the IntelliAdmin tool above ;-)
  • RedHat Linux users should update your OS accordingly
    • Red Hat Enterprise Linux 2.1 users must update glibc
    • Red Hat Enterprise Linux 3 and 4 must update the tzdata package.
  • Click here for information on updates for Novell SUSE Linux.
  • Click here for Cisco’s Daylight Savings Time 2007 document. — For most IOS-based systems, simply update the “summertime” command as follows:
    clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00

    – where EDT above abbreviates Eastern Daylight Time (adjust accordingly for your Time Zone).

  • For Lotus Notes / Domino shops, most versions now rely on the host operating system’s time source, but some platforms (e.g. AS/400 – iSeries) still must be manually adjusted. The easy workaround for Domino admins is to update the DSTLaw parameter (Notes.INI) using manual methods or a configuration document.
    • Manual method: Open a Server Console and type:
      SET CONFIG DSTLaw=3, 2, 1, 11, 1, 1
    • Configuration document: Open the Servers/Configuration view and open the Configuration document that applies to your server(s). Go to the NOTES.INI tab of that document and click the “Set/Modify Parameters” button at the bottom of that page. Choose (or add) the parameter in the Item field, and make the value:

      3, 2, 1, 11, 1, 1

      Press Add, then OK, then Save & Close that document.

  • Click here for Microsoft’s full page of information of all DST2007-related changes required. For you Exchange and Outlook types, pay specific attention since updating the underlying OS is not enough.
  • Click here for Sun’s Java updates and information affecting Java programmers, users of Java-based applications, etc.
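
To see which calendar entries and log timestamps fall in the weeks where a patched and an unpatched system disagree by an hour, the rule can be computed directly. This is an added example, not from the original post: the reading of the DSTLaw fields (start month, week, weekday, then end month, week, weekday, with weekday 1 = Sunday and week -1 = last), the old-rule value, and the sample appointments are assumptions constructed for illustration; the 02:00 switch time follows the Cisco command above.

```powershell
# Added example: find the periods where old and new US DST rules differ.
$NewLaw = '3, 2, 1, 11, 1, 1'     # DSTLaw value from the post
$OldLaw = '4, 1, 1, 10, -1, 1'    # assumed pre-2007 rule: 1st Sun Apr to last Sun Oct

# Date of the Nth given weekday in a month; Week -1 means the last one.
function Get-NthWeekday([int]$Year, [int]$Month, [int]$Week, [int]$LawDay) {
    $target = [DayOfWeek]($LawDay - 1)          # DSTLaw weekday 1 = Sunday (assumed)
    if ($Week -lt 0) {
        $d = (New-Object DateTime $Year, $Month, 1).AddMonths(1).AddDays(-1)
        while ($d.DayOfWeek -ne $target) { $d = $d.AddDays(-1) }
        return $d
    }
    $d = New-Object DateTime $Year, $Month, 1
    while ($d.DayOfWeek -ne $target) { $d = $d.AddDays(1) }
    return $d.AddDays(7 * ($Week - 1))
}

# Start and end of DST for a year under a given DSTLaw string (switch at 02:00).
function Get-DstWindow([int]$Year, [string]$Law) {
    $f = $Law -split ',' | ForEach-Object { [int]$_.Trim() }
    New-Object PSObject -Property @{
        Start = (Get-NthWeekday $Year $f[0] $f[1] $f[2]).AddHours(2)
        End   = (Get-NthWeekday $Year $f[3] $f[4] $f[5]).AddHours(2)
    }
}

# The two periods in which a patched system is on DST and an unpatched one is not.
function Get-DstGap([int]$Year) {
    $new = Get-DstWindow $Year $NewLaw
    $old = Get-DstWindow $Year $OldLaw
    @(
        New-Object PSObject -Property @{ From = $new.Start; To = $old.Start }
        New-Object PSObject -Property @{ From = $old.End;   To = $new.End }
    )
}

# Constructed sample appointments, for illustration only.
$appointments = @(
    @{ Subject = 'Budget review';  When = [datetime]'2007-03-20 09:00' },
    @{ Subject = 'Vendor call';    When = [datetime]'2007-06-05 14:00' },
    @{ Subject = 'Change window';  When = [datetime]'2007-10-30 22:00' }
)

foreach ($a in $appointments) {
    $hit = Get-DstGap $a.When.Year |
        Where-Object { $a.When -ge $_.From -and $a.When -lt $_.To }
    $status = if ($hit) { 'CHECK: inside old/new rule gap' } else { 'ok' }
    '{0:yyyy-MM-dd HH:mm}  {1,-14} {2}' -f $a.When, $a.Subject, $status
}
```

The same gap test applies to log timestamps collected from a mix of patched and unpatched hosts when correlating events across them.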

Have fun and enjoy the Daylight ;-)

.     .    .   .  . .. .  .   .    .     .

"I believe in God, only I spell it Nature."
Frank Lloyd Wright

Firefox flaw allows password compromise

Firefox has become the de facto browser for many Internet users due to its great feature set, extensibility, and generally higher security. A new phishing exploit against Firefox has generated a furious buzz on the Firefox bug page (bugzilla). The entry – found here – shows the details starting Nov. 12 of an "in the wild" attack against the Password Manager of Firefox. A user can be tricked into logging on to a page using the auto-populated credentials provided by Firefox and inadvertently disclose their ID and password to an attacker.
So far there is no patch for this flaw, which would basically entail tightening up the verification mechanism prior to providing credentials to a page. Best advice at this time is to only log onto sites that you visit directly (not sites you are redirected to). The nuances of this kind of attack make it difficult for the non-expert computer user to detect, so I sincerely hope we see a fix come from the Firefox community soon.

.     .    .   .  . .. .  .   .    .     .

"It has yet to be proven that intelligence has any survival value."
– Arthur C. Clarke

Falcown It! – Guide to the Working Actor

Ben Falcone made this useful video for all you struggling actors. This guy was one of the funniest guys in our high school, and has been successful in landing some memorable supporting roles in a variety of comedic movies and TV shows. His timing and visage are simply funny; you are ready to laugh just by the way his eyes prep you for the punchline.

Falcown it and book it!

.     .    .   .  . .. .  .   .    .     .

"I can’t eat, I can’t sleep, I can barely Bowflex!"
– Ben Falcone (as Howard on "Joey")

Spam Trends and Statistics – 2006-10 (October)

As everyone reading this message knows, spam (junk email) is an ongoing problem on the Internet. It has continued to increase on the Internet at-large, and the servers at my own organization receive more on average every week. This year (2006) in particular, a massive spike in spam volume was detected by Internet security companies monitoring the Internet’s email traffic volume.

In addition to being more voluminous, these spam messages are becoming more dangerous as well. Phishing, or the attempt to fraudulently obtain personal information from Internet users, is becoming more prevalent than ever before and attacks have become focused and targeted – often for obtaining IDs, passwords, credit card numbers, and other data used to impersonate or defraud victims. Additionally, spyware / adware continue to use email as a "vector of attack" or as a method to coax unsuspecting computer users to malicious websites…

Updated and Historical Statistics:

In Feb. 2005, my company was receiving approximately 40,000 email messages-per-day from the Internet.
In Oct. 2006, this number has increased to nearly 60,000 messages per day, close to a 40% increase in ~18 months. Our blocking performance in Feb. 2005 was 87% of all email, which allowed an average of 5,000 messages (spam and not spam) into the internal email system per day. Not a bad blocking rate, but still extremely disruptive on a per-user basis. Our latest blocking performance as of Oct. 2006 is over 98%, allowing only an average of 950 messages into our internal systems per day (detail below). To put that into perspective, our company has around 810 email users in the US at this time, so 950 emails equates to a little more than 1 message per user/per day allowed in – both legitimate and spam combined. In other words, as suspected the effectiveness of the anti-spam services employed internally has become better over time.

Massive up-tick in spam – 2006

In or around June 2006, a large and sustained spike in spam email distribution was detected by spam tracking and blocking companies. This event is likely due to the growing use of malicious networks called botnets to distribute spam email (see Sidebar at bottom of this post for botnet info). One of the most common uses of botnets is to distribute and relay spam using the ensnared computers as relays for bulk email. This creates detection problems for us, since spam suddenly (not gradually) originates from many thousands of different sources at once, which doesn’t allow the artificial intelligence models to react in time to detect and efficiently block new spam messages. Additionally, the malicious software used to create botnets is usually installed through known and previously unknown vulnerabilities in Microsoft’s Internet Explorer browser and Windows operating systems. Sometimes, no user interaction is even required to become victimized, which is why it is so important to keep up with Microsoft’s Windows and Office updates as they are released.

The charts and numbers

Below is a graph of the 2006-June event – notice that June and beyond experienced a doubling, tripling, and more of new spam messages and that rate has more-or-less been sustained through this week. Red represents total spam, blue represents known blocked hosts, and gold represents new spam events. The gradient y-axis is a scaled factor representation of volume and the x-axis represents dates (in weeks) – mm-dd-yy format.

Note: graph modified from original – Thanks to TQM3 for the continued research and service to the community

Anti-spam vendor Postini reports that nearly 80% of all email on the Internet is from known compromised systems hosting spam, while a more in-depth content analysis by multiple vendors has shown that less than 4% of all Internet email is legitimate email. This means that in practice, 96% of all email is junk mail of some kind which is staggering. While this may seem dubious at first, note the following per-day averages culled from my company’s own anti-spam server logs:
Average per-day incoming Internet mail stats: Note that we block outright 97.5% of all email received, and when combined with quarantined mail, this increases to 98.3%.

This percentage means the mail that reaches my users’ inboxes without any user action, on average, represents less than 2% of all the attempted delivered email. If we were to eliminate spam filtering, users could expect 50-70 more spam messages per-day / per-user on average, adding up to email being "lost in the shuffle" creating productivity loss, massive increase in resource utilization on email servers, and a lot of angry internal customers ;-)

Another interesting stat above – on average, we only receive 6 virus-infected email messages per day out of 55,000+… a rounding error in raw number terms. This indicates the larger and irrefutable trend that email is no longer used as a conduit for spreading viruses as was once the case; rather it is being used to make money from spamming, phishing, identity theft, and other forms of organized crime.
Note: The caveat to this statistic is that our anti-spam server drops traffic from known spammer IP addresses and subnets, prior to the virus scanner analyzing the message. It could be that there are many more virus-infected email messages being dropped before virus analysis if those virus-infected messages come from known spammer IPs.

The massive up-tick in spam generated and sustained since 2006-June has created a "law of big numbers" problem that is allowing a higher raw number volume of spam through that would have otherwise been blocked pre-June 2006. Botnets are the primary cause of this effect and are the single biggest threat on the Internet at-large today.

Sidebar: For those not familiar with the term, botnets are the result of a coordinated installation of a certain type of malicious software designed in such a way as to allow surreptitious and central control of many computers. After compiling the control of these computers (sometimes numbering in the tens or hundreds of thousands), hackers can use them to perform coordinated attacks against other systems, gather and amalgamate information on large numbers of people (for identity fraud, etc.), and are largely used in organized cybercrime today. The client computers that have this software installed are called "bots" or "zombies" since control of their operation has been seized by the hacker and they are no longer autonomous. The "net" part is the fact that they are operating as a distributed network of computing resources – thus, botnet.

. . . . . .. . . . . .

"24-hour banking; I don’t have time for that"
– Steven Wright

Windows Update – A serious bug – Windows 2000 users take note..

SecurityNow (a combo of the venerable Leo and renowned security researcher Steve Gibson) has done a good job explaining a bug in one of last month’s Windows updates. This bug, affecting Windows 2000 only, is in the original 920958 security patch and affects files that are compressed using NTFS compression. If you are running Windows 2000, use compressed files (that is, not ZIP files or RAR files, etc – but FILE or FOLDER compression from the Properties dialog of the file or folder on your drive), and have updated your computer in the past month either manually or via Automatic Updates, I strongly suggest that you download the hotfix for this bug to prevent your files from being lost.

Microsoft’s fix for the above bug can be found here
More details from Microsoft can be found here

Thanks to Leo and Steve for their great podcast and all-around goodness.

.     .    .   .  . .. .  .   .    .     .

"One is enough for too much."
– The Shark

0day – VML flaw in Internet Explorer

Another previously unknown or unreleased flaw is being exploited "in the wild" in Internet Explorer.

This new exploit, which takes advantage of a previously unknown flaw in IE, has been spotted actively installing malware in an effort to build a botnet on the Internet. It exploits a vulnerability that is unpatched (Microsoft didn’t know about the flaw until now), but there is a workaround that can mitigate the error (see below).

The timing of this exploit was done well. Just two weeks ago was Microsoft’s monthly "Patch Tuesday" so the company will need to quickly respond to this newfound issue. Hopefully MS will come out with a fix quickly which we will quickly deploy after testing.

Here is one of the articles that outlines the information succinctly.

The fun-loving folks @ Sunbelt are credited with this discovery and should be commended for their continued work to protect the Internet community at large.


Clarification information:

  • IE is Internet Explorer.
  • Malware is the general category of malicious software like viruses, spyware, trojan horse programs, keystroke loggers, etc.
  • Botnets are a fairly new construct – They are usually the result of a coordinated installation of a certain type of malware designed in such a way as to allow central control of many computers. After compiling the control of these computers, hackers can use them to perform coordinated attacks against other systems, gather and amalgamate information on large numbers of people (for identity fraud, etc.) – these systems are increasingly being used by organized crime. The client computers that have this software installed are called "bots" since control of their operation has been seized by the hacker. The "net" part is the fact that they are operating as a distributed network of computing resources – thus, botnet.
    Hackers that are creating botnets are often referred to as "bot herders" (as in herding sheep).
  • Vulnerabilities are bugs in software that are considered security exposures which can be used to compromise a computer’s integrity, confidentiality, or availability.
  • An Exploit is an attack software program that takes advantage of a software vulnerability. Exploits are usually used as a delivery mechanism for executing a malicious payload (often spyware, rootkits, keyloggers, etc.).
  • A 0day (pronounced Zero-Day) exploit is a type of exploit that is taking advantage of an unfixed and/or unknown software vulnerability.

Based on news as of last Thursday and Friday, an increasing number of sites are being logged as taking advantage of this flaw to install a variety of spyware. You need to protect your computer ASAP before Microsoft releases their patch for this VML flaw (likely to be released "out of cycle" or "out of band" based on customer demand).

The fix for your home PC system is to run a command on your computer to deactivate the affected component of Windows. Here is the command to run:

regsvr32 /u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"

If you are an admin that wishes to push this out to all the PCs on your network, I suggest using a startup script and run this command in "silent mode" from within a BAT or CMD file – E.g.

regsvr32 /u /s "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"

Please take this action to protect your machine (and the rest of the Internet community for that matter) between now and the time that the software fix is released from Microsoft (slated for Oct. 10th so far, although a fix might be expedited given the public pressure on this one).

  • The hack has been "packaged" and is now for sale for $20 in a specific hacker community – even offering technical support service for the exploit (ugly).
  • The latest discovery of this 0day is installing over 50 kinds of malware (based on Sunbelt’s report) onto victim machines.
  • The fix above basically disables the affected sub-component of IE and Microsoft Office (not JavaScript this time as I had previously feared) known as Vector Markup Language (VML for short). VML is used to generate geometric shapes (often 3D) inside of a web browser – a very popular example of a VML implementation is Google Maps, and sometimes banner ads.
  • By disabling this buggy component temporarily, you prevent the exploit from functioning. You should not experience much, if any, impact to your browsing experience unless all you do all day is surf Google Maps or 3D rendering sites.

After running the commands above, do a reboot to ensure it has taken effect.

I’ll update the post once MS has posted the fix.

.     .    .   .  . .. .  .   .    .     .

"One is enough for too much."
– The Shark

Patch Tuesday – September

Hi all – Microsoft, Apple, and Adobe have recently released many updates. Rather than "parroting" what has been written by others, I’ll simply leverage their work… Brian Krebs, as always, did a quick summary to describe the updates and what to do to install them for this month. Give a check over to his blog entry for all the details for this month’s software update cycle.

Brian Krebs – September Updates blog entry

.     .    .   .  . .. .  .   .    .     .

"One is enough for too much."
– The Shark

Firefox is out

Firefox has been updated to The release notes show that both stability and security issues have been resolved. Likely, Firefox will prompt you to update it automatically (and should have by now if you are just reading this), but if not choose the "Help-Check for Updates" menu option. The main thing is to update any extensions you have installed previously (e.g. NoScript, AdBlock, Fasterfox, VideoDownloader, etc.). These are routinely updated and usually a good time to check for updates is when Firefox itself is updated…

.     .    .   .  . .. .  .   .    .     .

 "It is the mark of an educated mind to be able to entertain a thought without accepting it."
– Aristotle