Thursday, August 6, 2009

Secedit.sdb Locking out local changes.

Can't open the Secedit.sdb?

Run esentutl /g to check the integrity of the security database at
%windir%\Security\Database\Secedit.sdb.

Next try:

esentutl /redb in the c:\winnt\security directory.

Next try:

Run esentutl /p to repair the security database at
%windir%\Security\Database\Secedit.sdb.

Remember to kill all the edb files and the log files and move the ones in the Logs directory out of it.

Now the really crazy crap:

If you're getting an error to the tune of:

Denied access to database in the local policy, make sure that you have the "Everyone" group permissions on %systemroot% -- c:\winnt or c:\windows, whichever the case may be.

Check out your settings in the registry:

HKLM\SYSTEM\CurrentControlSet\Control\Lsa

Set lmcompatibilitylevel to a dword value of 2
Set restrictanonymous to a dword value of 1

Then kick down a key to the

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0

Make sure the following values are set to:

ntlmminclientsec to dword, hex 0x20080030
ntlmminserversec to dword, hex 0x20080030
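
A read-only check of the four values above, added here as an example (it is not part of the original post). It assumes PowerShell 3.0 or later is available on the box; the bit meanings in the table are the ones Microsoft documents for NtlmMinClientSec and NtlmMinServerSec, not something the post states.

```powershell
# Added example: compare the LSA / MSV1_0 values with the ones given in the post.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$baseline = @(
    @{ Path = $lsa;          Name = 'LmCompatibilityLevel'; Want = 2 }
    @{ Path = $lsa;          Name = 'RestrictAnonymous';    Want = 1 }
    @{ Path = "$lsa\MSV1_0"; Name = 'NtlmMinClientSec';     Want = 0x20080030 }
    @{ Path = "$lsa\MSV1_0"; Name = 'NtlmMinServerSec';     Want = 0x20080030 }
)

# Documented flag bits for the two NtlmMin*Sec values; 0x20080030 is all four.
$ntlmBits = @(
    @{ Bit = 0x00000010; Meaning = 'message integrity' }
    @{ Bit = 0x00000020; Meaning = 'message confidentiality' }
    @{ Bit = 0x00080000; Meaning = 'NTLMv2 session security' }
    @{ Bit = 0x20000000; Meaning = '128-bit encryption' }
)

function Get-RegDword([string]$Path, [string]$Name) {
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Format-NtlmMinSec([long]$Value) {
    # Lists the session-security requirements switched on in $Value.
    $on = foreach ($b in $ntlmBits) { if ($Value -band $b.Bit) { $b.Meaning } }
    if ($on) { $on -join ', ' } else { 'none required' }
}

$report = foreach ($s in $baseline) {
    $current = Get-RegDword $s.Path $s.Name
    $shown   = '(not set)'
    $detail  = ''
    if ($null -ne $current) {
        $shown = '0x{0:X}' -f $current
        if ($s.Name -like 'NtlmMin*') { $detail = Format-NtlmMinSec $current }
    }
    [pscustomobject]@{
        Value   = $s.Name
        Current = $shown
        Wanted  = '0x{0:X}' -f $s.Want
        Match   = ($current -eq $s.Want)
        Detail  = $detail
    }
}
$report | Format-Table -AutoSize
```

Running it again after the box is back in the domain shows whether anything has reverted a value.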

---------and for the love of everything that is holy, watch out for virus scanners and IDS killing your changes in the registry and on the file permissions.

Helps if you rip it out of the domain then stick it back in after you make the changes.


Scott.

Monday, July 27, 2009

Striking Red

We got some iris red the other day from Gaffer that does not strike until it is left in the annealer for about 4 hours at 915f.

It was really strange and interesting to have a color you have no idea about how it will look until you pull it out of the annealer.

Just strange. We will have a look at it this afternoon. It is completely clear going into the annealer....just fun.


Scott.

Thursday, July 23, 2009

Microsoft Jet Multiple Vulnerabilities (MS99-030)

Of course you can't download what they point you to in Retina. They never point you to the right file, do they?


Do a search on this one.

jet35sp3.exe

Download that one and it will fix your DLL, which nothing else seems to be able to do.


Scott.

How to fix the Visual Basic 6.0 ActiveX runtimes Code Execution

Download the .msi that you can't get installed.

Crack it open with some software off the net so you can get at the files and just drop them into the c:\windows\system32 directory on top of the others.

It will fix all four of the ones you're having issues with.

msflxgrd.ocx
mscomct2.ocx
ComCT232.ocx
MSDatGrd.ocx

If you don't know how to crack open an .msi, just look it up on Google.


Scott.

Disable SSLv2 Support

1. Load regedt32.exe from Start->Run
2. Expand System->CurrentControlSet->Control->SecurityProviders->SCHANNEL
3. Expand the Protocols branch
4. You will then need to expand SSL2->Server
5. Select the value Enabled in the Server folder; if it is not there, make a dword.
6. Set it to ZERO!

ZIPPITY DO DA!
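
The same steps as a script, added here as an example (not part of the original post). It assumes an elevated PowerShell 3.0+ session, and it uses "SSL 2.0", which is the name the registry gives the key the steps call SSL2. It lists every protocol key before and after so you can see what else is switched on.

```powershell
# Added example. Run elevated; Schannel picks up protocol changes after a reboot.
$protocols   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$sslv2Server = Join-Path $protocols 'SSL 2.0\Server'

function Get-SchannelState {
    # One row per <protocol>\<Client|Server> key that exists under Protocols.
    Get-ChildItem -Path $protocols -ErrorAction SilentlyContinue | ForEach-Object {
        $proto = $_.PSChildName
        Get-ChildItem -Path $_.PSPath | ForEach-Object {
            $enabled = (Get-ItemProperty -Path $_.PSPath).Enabled
            $shown   = '(not set: OS default applies)'
            if ($null -ne $enabled) { $shown = $enabled }
            [pscustomobject]@{
                Protocol = $proto
                Role     = $_.PSChildName
                Enabled  = $shown
            }
        }
    }
}

Write-Host 'Before:'
Get-SchannelState | Format-Table -AutoSize | Out-String | Write-Host

# Steps 4-6: create SSL 2.0\Server if it is missing, then set Enabled = DWORD 0.
if (-not (Test-Path $sslv2Server)) {
    New-Item -Path $sslv2Server -Force | Out-Null
}
New-ItemProperty -Path $sslv2Server -Name 'Enabled' -PropertyType DWord `
    -Value 0 -Force | Out-Null

Write-Host 'After:'
Get-SchannelState | Format-Table -AutoSize | Out-String | Write-Host
```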


Scott.

Sunday, July 19, 2009

Citrix and Stigs

Boys and girls this one gets sticky!


#1. If you're doing farms you need to make sure to skip the MinEncryption reg setting in LSA.

#2. If you do set it, make sure to hit every single server in the farm and every server that has a published application on it because they all need to have the same setting. No Basic vs. 40 bit vs 128 bit. You will have one huge headache.


Scott.

Thursday, July 16, 2009

Gpupdate for Windows 2000

Just putting it here so I don't have to find it again.

Windows 2003 server
gpupdate /force


Windows 2000 server
secedit /refreshpolicy machine_policy
secedit /refreshpolicy user_policy

Wednesday, June 24, 2009

Network Access: Shares that can be accessed anonymously

For 2003 servers go to Group Policy:


Windows settings>Security Settings>Local policies>Security Options>

Network access: Shares that can be accessed anonymously

Remove:

COMCFG
DFS$

Apply and move on to the next problem.

Scott.

SQL Service Pack will not install due to previous install attempt.

Pretty simple eh?


---------------


In Registry Editor, expand the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager

On the File menu, click Export.

NOTE: In Microsoft Windows 2000, click Export Registry File from the Registry menu.

In the File name text box, type: "Session Manager Key" (without the quotation marks)
Click Save.

In the right-pane of the Registry Editor window, right-click PendingFileRenameOperations. On the shortcut menu that appears, click Delete.

In the Confirm Value Delete message dialog box that appears, click Yes.

On the File menu, click Exit.


Reboot that sucker and come back and try again....Keep in mind you're dinking around with the registry...This gives you a backup of the key but you're still playing with fire if you don't know what you're doing. Pretty safe change to be real about it...


Bonus plan, if the reg setting continues to come back just smoke it and don't reboot and launch the sqlpatch. Should work just as well....my ideas always work some of the time.
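
The export-then-delete procedure above as a script, added here as an example (not part of the original post). It assumes an elevated PowerShell session; the backup location under %TEMP% is an assumption. Before deleting, it prints the queued operations, because removing the value throws away every rename or delete that was waiting for the next boot.

```powershell
# Added example. Run elevated. The backup path is an assumption.
$regKey = 'HKLM\SYSTEM\CurrentControlSet\Control\Session Manager'
$psKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$name   = 'PendingFileRenameOperations'
$backup = Join-Path $env:TEMP 'Session Manager Key.reg'

$item = Get-ItemProperty -Path $psKey -Name $name -ErrorAction SilentlyContinue
if ($null -eq $item) {
    Write-Host "$name is not present; nothing to clear."
}
else {
    # Export the key first, as the post does from the File menu.
    if (Test-Path $backup) { Remove-Item $backup }
    reg.exe export $regKey $backup | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $backup)) {
        throw 'Backup failed; value left untouched.'
    }

    # The value holds source/destination pairs; an empty destination means
    # "delete the source at next boot". Show what is about to be dropped.
    $ops = @($item.$name)
    for ($i = 0; $i -lt $ops.Count; $i += 2) {
        $dest = '(delete)'
        if ($i + 1 -lt $ops.Count -and $ops[$i + 1]) { $dest = $ops[$i + 1] }
        Write-Host ('{0}  ->  {1}' -f $ops[$i], $dest)
    }

    Remove-ItemProperty -Path $psKey -Name $name
    Write-Host "Removed $name. Backup saved to $backup"
}
```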


Scott.

Null Session Registry Settings

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa


Make this change in sceregvl.inf under:



MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM,4,%RestrictAnonymousSAM%,0


Or if you're pushing group policy:

Network access: Do not allow anonymous enumeration of SAM accounts and shares

Set it to disable for a value of 1 to get the Retina scan high off your machine.

Microsoft SQL sp_replwritetovarbin Memory Corruption (959420) - SQL Server

SQL2000-KB960083-v8.00.2282-x86x64-ENU

In my case the patch that Retina always wants you to use here is:

SQL2000-KB960082-v8.00.2055-x86x64-ENU.exe

Does not work if you already have SP3 installed. Bummer, just use the one above.

Scott.


Monday, June 22, 2009

Microsoft Internet Explorer Cumulative Security Update (958215) - 2003



Ok guys, this is a 2003 server and the Retina update is saying I need to apply a patch. Problem is that patch does not install because I have already patched this machine up to top end specs. Retina will not let go and remove the high. Here is the reg key you need to change to get past this one. Do both.



HKEY_CLASSES_ROOT\CLSID\{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B} = Shell.Explorer.1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}]
"Compatibility Flags"=dword:00000400

HKEY_CLASSES_ROOT\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2} = Shell.Explorer.2
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{8856F961-340A-11D0-A96B-00C04FD705A2}]
"Compatibility Flags"=dword:00000400


Scott.

Stig - Security Technical Implementation Guides

Greetings.


Let's just get to the chase here. I have to STIG a whole bunch of computers and I need a place to keep track of the things that I find that are a bit out of the norm. That way I don't go looking for them 50 times over the course of doing this.


You get a free ride.


Scott.