We have a security appliance that manages user passwords.  One feature of this appliance is it can initiate a RDP session to a Windows box and pass the user’s credentials for authentication, which allows the users to access the remote system without knowing their password. 

Related Posts

• Microsoft releases load simulation tools for desktops
• Fix: rdpclip.exe won’t run on Windows Server 2003
• A Portable Remote Desktop Connection (mstsc.exe)
• Howto: Install rdesktop on SLES 10 SP2 Linux
• Howto: Log Connections to Specific Ports and Processes on Windows Machines

The  Internet Explorer nag  This page contains both secure and non-secure items. Do you want to display the nonsecure items is sooo annoying.

To disable this popup in IE6:

Tools > Internet Options > Security 

Related Posts

• Howto: Disable the clicking sound in Internet Explorer and Windows Explorer
• New Internet Explorer 7 0-day exploit
• Howto: Import Organizational Root CA certificates into Internet Explorer to get rid of Security Alert pop-ups
• Cannot Uninstall IE7 from Windows Server 2003
• Howto: download a web browser from Windows when your web browser doesn’t work

SANS has reported a Microsoft IE7 0-day expoit that is now in the wild. This vulnerability is not adderssed by the forthcoming December 2008 patch Tuesday releases, or by the MS08-073 patch that was released on 12-09-2008.

Analysis shows the current exploit checks for the following conditions:

The user has to be running Internet Explorer
The version of Internet Explorer has to be 7
The operating system has to be Windows XP or Windows 2003

SANS has not yet confirmed if other versions are affected (Internet Explorer 6 or Internet Explorer 7 on Microsoft Windows Vista).

ThreatExpert has a very nice overview of the modifications the exploit makes to compromised computers.

Additional Resources:

ZDNet Security Blog
Secunia Advisory

Related Posts

• Direct patch download links for MS10-002 KB978207
• Howto disable the Internet Explorer popup: This page contains both secure and non-secure items. Do you want to display the nonsecure items?
• MS08-067 vulnerability, exploit, and reverse engineering in detail
• Out of the Box, the ASUS Eee PC is Incredibly Insecure
• Cannot Uninstall IE7 from Windows Server 2003

IE7′s Phishing filter, which is supposed to be a layer of defense against Internet bad guys, drives me crazy.  The performance impact is noticeable, since every DNS request made by the browser has to be redirected to Microsoft to be checked against a database of known malicious sites.  I typically disable the Phishing filter the first time I start a fresh IE7 installation because of this problem. 

Unfortunately, one of the nice things that was present in IE7 that disappears once the Phishing filter is disabled is the green bar that shows you are on a web site that uses Extended Validation (EV) certificates.  EV certs are harder to obtain because the end user must pass a more rigorous identity verification screening process in order to purchase the certificate.  According to Verisign:

“Extended Validation SSL Certificates were created in direct response to the rise in Internet fraud, eroding consumer confidence in online transactions. In 2005, 84% of respondents to a Forrester Research study said they don’t think retailers are doing enough to protect their customers online and 24% did not make purchases online due to security concerns.* Before customers share their confidential data online, they want proof of identification from a trusted source. The Extended Validation SSL Standard raises the bar on verification of SSL Certificates and enables visual displays in high security browsers.”

You can see IE7 is not displaying the EV Certificate green bar for Paypal.com when the Phishing filter is disabled.

I’m not sure what the rationale was behind the decision to make the EV certificate display go away when the Phishing filter is not in use, but here’s how to re-enable it in IE7:

In Internet Explorer select Tools – Internet Options - Advanced.  Down at the bottom of the list check the Check for Server Certificate Revocation box.  Restart Internet Explorer for the change to take effect.

Now you can see the green bar associated with Paypal’s EV certificate is visible.

Please see Microsoft KB 928089 for a Phishing filter patch that may increase performance.

Related Posts

• IE7 RDP web client fix
• Howto disable the Internet Explorer popup: This page contains both secure and non-secure items. Do you want to display the nonsecure items?
• New Internet Explorer 7 0-day exploit
• Cannot Uninstall IE7 from Windows Server 2003
• Howto: Thwart Internet Browser Third Party Cookies

When trying to uninstall Internet Explorer 7 on a Windows Server 2003 SP2 machine, the Remove button may not be visible in Add/Remove programs. Sometimes the button is visible, but clicking it displays the following:

“An error occurred while trying to remove Windows Internet Explorer 7. It may have already been uninstalled.
Would you like to remove Windows Internet Explorer 7 from the Add or Remove programs list?”

KB 948093 explains “This behavior occurs if Internet Explorer 7 was installed on Windows Server 2003 Service Pack 1. Service pack 2 was installed later than that.”

Microsoft’s resolution is to

1. Uninstall SP2 and reboot
2. Uninstall IE7 and reboot
3. Reinstall SP2 and reboot

Personally, if I was Microsoft I would have included step 4, go directly to Microsoft Update and apply all applicable patches and updates, then reboot again.

Related Posts

• Howto disable the Internet Explorer popup: This page contains both secure and non-secure items. Do you want to display the nonsecure items?
• New Internet Explorer 7 0-day exploit
• Howto: Thwart Internet Browser Third Party Cookies
• IE7 RDP web client fix
• Howto: Delegate the enable/disable accounts permission in Active Directory

According to Wikipedia,

“HTTP cookies, sometimes known as web cookies or just cookies, are parcels of text sent by a server to a web browser and then sent back unchanged by the browser each time it accesses that server. HTTP cookies are used for authenticating, tracking, and maintaining specific information about users, such as site preferences or the contents of their electronic shopping carts.”

and

“Images or other objects contained in a Web page may reside in servers different from the one holding the page. In order to show such a page, the browser downloads all these objects, possibly receiving cookies. These cookies are called third-party cookies if the server sending them is located outside the domain of the Web page. Third-party cookies are used to create an anonymous profile of the user. This allows the advertising company to select the banner to show to a user based on the user’s profile. The advertising industry has denied any other use of these profiles.”

The problem with third party cookies is they are set on your computer by web servers you likely had no intention of visiting, and are used to track your web surfing habits. Steve Gibson’s Security Now! podcast episode #119 has a very detailed discussion about why third party cookies are bad. He also describes how PayPal and DoubleClick have a relationship that allows DoubleClick to place third party cookies when you are logged into PayPal’s secure web site, and why that’s probably not a good thing for privacy.

When I setup a new computer or image I generally block all third party cookies. It’s easy to do in Internet Explorer 7:

Tools – Internet Options – Privacy – Advanced – Override Automatic Cookie Handling – Block Third Party Cookies

It’s not quite as easy to block third party cookies with Firefox 2.x. You’ll have to follow these steps:

1) In the Firefox address bar (where you type the web site address), type about:config

2) In the filter box type network.cookie.cookieBehavior

3) Right click network.cookie.cookieBehavior and select Modify

4) Change the value from 0 to 1

Some web sites may not work properly without the ability to accept third party cookies, so instead of totally disabling third party cookies you can use a hosts file to specify which web sites you never want your browser to access. According to mvps.org,

“The Hosts file contains the mappings of IP addresses to host names. This file is loaded into memory (cache) at startup, then Windows checks the Hosts file before it queries any DNS servers, which enables it to override addresses in the DNS. This prevents access to the listed sites by redirecting any connection attempts back to the local machine. Another feature of the HOSTS file is its ability to block other applications from connecting to the Internet, providing the entry exists.

You can use a Hosts file to block ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and even most hijackers. This is accomplished by blocking the connection(s) that supplies these little gems.”

You can manually edit your hosts file to add entries for web sites you don’t want to ever visit. Or, you can use a freeware hosts file mangement application such as HostsMan or HostsXpert.

To manually edit your hosts file in Windows XP,

1) Click start – run – notepad c:\windows\system32\drivers\etc\hosts

2) add the IP address and name of the offensive web site

3) Click file – save – exit

If you have Windows Vista’s UAC enabled you’ll have to follow these directions in order to edit your hosts file.

If you don’t want to update your own hosts file and would rather use one pre-populated with offensive web sites, you can download one from MVPS. You’ll probably need to restart your computer to ensure the hosts file is reloaded.

If you experience poor performance when using a large hosts file, try disabling the DNS Client service. To do this:

1) Click start – run - and type services.msc

2) Right click DNS Client and select stop

3) Once the service stops, right click on DNS Client again and select Properties

4) Change the startup type from Automatic to Manual and click OK

Related Posts

• Howto: download a web browser from Windows when your web browser doesn’t work
• Howto disable the Internet Explorer popup: This page contains both secure and non-secure items. Do you want to display the nonsecure items?
• New Internet Explorer 7 0-day exploit
• Recommendations for securing Internet Explorer, Firefox and Safari web browsers
• Viewing Firefox’s Super Cookies

Every time I launch IE7 the Internet Explorer customization screen, http://runonce.msn.com/runonce2.aspx, has been displayed instead of the three home pages I specified in Tools – Internet Options. I had completed the whole customization processs many times, but Internet Explorer never seemed to remember the settings.

I found this thread that pointed me in the right direction for fixing this problem. To fix the problem, edit the following registry keys, or create them if they do not exist:

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
“RunOnceComplete”=dword:00000001
“RunOnceHasShown”=dword:00000001

Once I made the registry changes and restarted IE, all was good. My home page opened up as expected.

This site also has five different ways of deploying this change, from scripts to a small executable file.

[updated 02-06-2008]

Updated broken link to five different ways of deploying this change

Related Posts

• Howto: Configure the Windows 2008 Server Core Screensaver Activation Period
• Howto: Deploy F-Prot Antivirus 6.x with subscription key
• Howto: Disable Windows Simple File Sharing via the Registry and Local Security Policy
• IE7 RDP web client fix
• Howto: Reset a lost VMware guest password