Tuesday, January 19, 2010

Enable DEP using GPO and Powershell

As a response to recent security threats, it is highly advised to enable Data Execution Prevention (DEP). However, how to succeed in such a goal using group policy?

Why is there no administrative template for enabling DEP?

The DEP setting is defined inside the boot.ini file.
Thus it is not as simple as setting a registry value.
In addition, we have to be aware of the following issues:
- on windows XP, there is no command such as bcdedit, thus you will have to write an additional appropriate script to the one described here. This is really risky, since if the boot.ini is badly formatted, the system just will not boot anymore!
- on windows Vista, enabling it will break Bitlocker.
- on Windows 7, no problem. First of all, DEP is enabled as default, but you since you are reading this post, you probably want to enforce it.

How to enable DEP on a single computer?

A lot of websites already cover this topic.
They do not explain it is possible to define the DEP enhancement using command line: (as an administrator)
%windir%\system32\bcdedit /set nx [MODE]
where [MODE] is either: {AlwaysOff; AlwaysOn; OptOut;OptIn}

- AlwaysOff : This does not provide any DEP coverage for any part of the system, regardless of hardware DEP support. The processor will run in PAE mode with 32-bit versions of Windows unless the /NOPAE option is also present in the boot entry.

- AlwaysOn : This provides full DEP coverage for the entire system. All processes always run with DEP applied. The exceptions list for exempting specific applications from DEP protection is not available. System Compatibility Fixes (“shims”) for DEP do not take effect. Applications which have been opted-out using the Application Compatibility Toolkit run with DEP applied.

- OptOut : DEP is enabled by default for all processes. Users can manually create a list of specific applications which do not have DEP applied using System in Control Panel. IT Pros and Independent Software Vendors (ISVs) can use the Application Compatibility Toolkit to opt-out one or more applications from DEP protection. System Compatibility Fixes (“shims”) for DEP do take effect

- OptIn : On systems with processors capable of hardware-enforced DEP, DEP is enabled by default for limited system binaries and applications that “opt-in"

How to enable DEP on a domain?

Please note:this is one possible solution for Windows Vista and Windows 7 computers.
1/ install the powershell feature on windows vista versions (it cannot be removed on windows 7)

2/ use startup scripts to enable Unrestricted execution policy for powershell scripts:
- Create a GPO
- navigate to Computer configuration > Policies > Windows settings > Scripts (startup / shutdown)
- add a command startup script: "powershell set-execution policy unrestricted"

3/ add this powershell script inside the Machine>scripts>startup folder of the GPO:
$winver = (Get-WmiObject Win32_OperatingSystem).version
$MODE = "AlwaysOn" #of whatever DEP option you want to set
if($win -lt $WIN_VISTA) { #code for windows XP
# write your own script editing the bcdedit

} else if ($win -eq $WIN_VISTA) { #code for windows vista
# check if bitlocker is enabled. see the bitlocker manipulation using powershell link below
# if bitlocker is disabled, then enable DEP

} else { # win 7 and greater
%windir%\system32\bcdedit /set nx $MODE


- my colleague Pascal Sauliere for his advises regarding DEP related issues on Windows XP and Vista.

Sunday, January 10, 2010

Administrative template for Microsoft Security Essentials

Microsoft security essentials market

Small and very small home businesses usually do not need powerfull features such as protection analysis, but also NAP and SCCM integration provided by Microsoft Forefront Protection Suite 2010

In that case, it is economically more interesting to use Microsoft Security Essentials. This antispyware, antimalware, antirootkit Microsoft software is available for free since the 29th September of 2009.

Microsoft Security Essentials administrative template

However, if you are an IT administrator of your home-based business, manually configuring MSE settings for each desktop could be a pain in the head, because MSE does not support Group Policy settings. A workaround to this problem is to use the administrative template for Microsoft Security Essentials I created.

How is it achieved?

Well, keep in mind this solution is not as powerfull as a classic group policy administrative template, first because Security Essentials does not support group policy settings. It means we can not enforce settings in the same way we can with Forefront EndPoint protection. This administrative template actually applies registry values under HKLM\Software\Microsoft\... instead of HKLM\Software\Policies\Microsoft

What are the limitations?

Since MSE does not support group policy settings, it basically means an administrator / end-user would be able to change some settings inside the MSE User Interface. Of course, the settings defined inside the group policy containing this administrative template would be applied again each time a group policy update would be run, but this solution does not permit a precise control over settings such as Forefront Protection Suite 2010 does.

To conclude

Still it is pretty efficient to define Microsoft Security Essentials settings for several computers.

Going further

If you are interested in writing your own administrative templates for Active Directory, I advise you to check the Introduction to Windows 2000 group policy whitepaper. It really is a good start in order to create custom classic administrative templates.

RSync for Windows: cwrsync

RSync is a very popular backup software in the Unix world. Unfortunately, there is no native port of it. An alternate answer would be cwrsync. It comes as a single installer containing a minimal cygwin x86 set, and the latest x86 compiled Rsync.

Integration with Windows server
The installer setups a new classic windows service:
Since its a service, we have to choose a user account for running it. This permits controlling very precisely the permissions the rsync user will be granted.

Permissions, privileges
In my example, I wanted to perform an incremental backup solution using dirvish (which relies on rsync) on the linux server. That is why I only needed READ permissions for the account backupsvc (and since it is also a service account, the right Logon as a service also has to be granted):

RSync shares configuration
You then have to define "shares" (similarily to smb). In our example, the share is named "test", and it points to the folder C:\Shares
We assigned read-only = true, for the rsync server not to try to write anything to the share. Note: if we would have set it to false, we however could adjust this thanks to NTFS permissions.
Transfer logging is especially important when your rsync synchronization fails.
hosts allow is not really usefull, since we will control this later using the Windows Firewall.

Network security
From the RSync Wikipedia article it binds by default on TCP 873, but also UDP 873.
The Windows Firewall with Advanced security lets us control precisely the remote IP initiating a connection to the rsync server.

Running processes
Once the Rsyncserver service is started, there are 3 processes running under the account previsouly defined:
- conhost: for the service to be controlled as a classic windows service.
- cygrunsrv.exe*32 : Cygwin environnment
- rsync.exe*32: rsync service

Please note that these processes are only x86 processes at the time I am writing these lines.

You have to be carefull on:
- permissions on files/folders to be backed up
- permissions/rights granted to the service running the rsync server service
- firewall rule
- rsync config file

From a debian server:

Going further
If you are interested in setting up an incremental backup on a debian server, I advise you to check the dirvish and rsync websites.

Wednesday, January 6, 2010

Disabling Adobe Javascript using GPO

Since the recent highlighted Adobe Acrobat PDF security issues, especially
- APSA09-07 in which Adobe advised to disable Javascript (until a patch would be released on the 12th of January 2010!)

A lot of domain administrators / security administrators are searching for a way to mass disable the Adobe Javascript.
This is one easy solution to mitigate most of the heap spray attacks using Adobe Javascript. But recently, a PDF exploit not using Javascript was successfull.

As far as I know, here are several answers to mitigate that problem, including:
- Using a third party PDF reader such as FoxIt Reader
- Using Adobe Customization Wizard to customize Adobe applications before deploying them
- Using GPO to set registry values disabling Adobe Javascript

I will present the third one:

Using GPO to disable Adobe Javascript

1/ Create an administrative template file.
On a DC, navigate to %windir%\inf

2/ create a new Text file "adobe.adm"

3/ Fill it with the following content: (don't forget to add a return line after the END CATEGORY item)


CATEGORY "Adobe Acrobat/Reader 9.x"

POLICY "JavaScript Reader 9.x"
KEYNAME "Software\Adobe\Acrobat Reader\9.0\JSPrefs"
EXPLAIN "Enable or Disable JavaScript in Acrobat Reader 9.x"


4. Create a new GPO,
- Navigate to User Configuration > Policies > Administrative Template
- Then add the adobe.adm template file we previsouly created.
- and select "Disabled" for the Javascript Reader 9.x settings:

5. Close the GPM editor

6. As a user member of the security group / OU on which you choosed to apply the GPO:
- close Acrobat Reader 9.0
- gpupdate /force
- open Acrobat Reader 9.0, Edition > Preferences > Javascript

And as you can see, Javascript is now disabled!

Et voila!