Tuesday, July 30, 2013

Ch 17 Lab #2: Secure a Customer's Wireless Network

In this lab we are asked to secure a customer's SOHO wireless network. The customer wants several security mechanisms but does not know the correct terminology for them; each item is listed in the procedure in the customer's own words. For each one we must name the security method being asked for and decide where it is implemented: on the router, on the WAP, or in the computer's operating system. We will use the strongest options currently available rather than legacy ones.

CH 17 Lab #1: Software Firewalls for Mac

In this lab post we discuss the built-in software firewall of Mac OS X 10.8 (Mountain Lion). Previous versions are similar.

OS X includes an application firewall that blocks unwanted incoming connections to your computer; it does not filter outgoing traffic. It is off by default and is turned on under System Preferences > Security & Privacy > Firewall. Services that were turned on in Sharing preferences already appear in the list of apps and services allowed to accept incoming connections, so to stop inbound access to one of those services you must turn the service off in Sharing preferences rather than in the firewall. Enabling stealth mode under Firewall Options additionally makes the machine ignore ping and similar probe traffic from the network.

Thursday, July 18, 2013

Setting Up an FTP Server

In this lab we look at setting up an FTP server. Keep in mind that plain FTP sends the user name, password and file contents in cleartext, so anyone on the network path can capture the credentials; for anything beyond a lab, use FTPS or SFTP, and never expose a plain FTP server to the Internet.

I used this guide to help me get set up.

Here is a screenshot of access to the ftp server I set up on my machine.

Setting up Windows as a Web Server

In this lab we use the built-in Windows web server, Internet Information Services (IIS), to serve a page.


  1. Open Control Panel > Programs > Turn Windows features on or off.
  2. Under Internet Information Services, tick only what the page needs: World Wide Web Services with Static Content (and the IIS Management Console if you want the GUI). Ticking every IIS box also installs the FTP server, CGI and the scripting handlers, each of which adds attack surface you then have to patch and manage. Windows takes a moment to install the features and start the web server.
  3. Open Notepad and create your HTML code. Here is the very simple code I used in this example


4. Save the file to C:\inetpub\wwwroot as a .html file.
5. Open a web browser and go to http://localhost/homepage.html, or http://<your IP>/homepage.html from another machine. Remote access also needs Windows Firewall to allow inbound TCP 80, which IIS setup normally handles by enabling its "World Wide Web Services (HTTP Traffic-In)" rule.
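The same setup scripted, as an added example that is not part of the original lab. It assumes Windows 8 / Server 2012 or later (the DISM PowerShell module and Invoke-WebRequest), an elevated prompt, and the lab's own file name homepage.html; the HTML content is a constructed placeholder.

```powershell
# Added example (not from the original lab): enable only the IIS features a static
# page needs, publish the page, and verify it. Assumes Windows 8 / Server 2012 or
# later (Enable-WindowsOptionalFeature, Invoke-WebRequest) and an elevated prompt.

# Minimal feature set for static content. Do NOT tick every IIS box: FTP Server,
# CGI, ASP and friends each add attack surface you then have to patch.
$features = 'IIS-WebServerRole', 'IIS-WebServer', 'IIS-CommonHttpFeatures', 'IIS-StaticContent'
foreach ($f in $features) {
    Enable-WindowsOptionalFeature -Online -FeatureName $f -NoRestart | Out-Null
}

# Publish a page under the default web root (file name taken from the lab).
$webroot = 'C:\inetpub\wwwroot'
$page    = Join-Path $webroot 'homepage.html'
@'
<!DOCTYPE html>
<html><head><title>Lab page</title></head>
<body><h1>IIS is serving static content</h1></body></html>
'@ | Set-Content -Path $page -Encoding UTF8

# Verify locally first: no firewall in the path, so a failure here is IIS itself.
$resp = Invoke-WebRequest -Uri 'http://localhost/homepage.html' -UseBasicParsing
'HTTP {0}, {1} bytes' -f $resp.StatusCode, $resp.RawContentLength

# What is listening on port 80 and which process owns it (http.sys runs as System, PID 4).
Get-NetTCPConnection -LocalPort 80 -State Listen |
    Select-Object LocalAddress, LocalPort, OwningProcess

# Remote clients (http://<your IP>/homepage.html) also need inbound TCP 80 allowed.
# IIS setup normally enables this rule; confirm rather than assume.
Get-NetFirewallRule -DisplayName 'World Wide Web Services (HTTP Traffic-In)' -ErrorAction SilentlyContinue |
    Select-Object DisplayName, Enabled, Direction, Action
```

If the local request succeeds but a neighbour cannot reach the page, the firewall rule (or the profile it applies to) is the first thing to check, not IIS.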


Troubleshooting a Network Issue

Q: Hypothetical: Your local network works but you are not able to connect to Google or any other outside website. Your administrator has manually configured your network connection, but it is incomplete, i.e. DHCP was not used. What is missing? Give me your theory and document it. Use the problem-solving model.

A: Using the Six-Step CompTIA A+ Troubleshooting Theory:

1. Identify the problem: Internet is inaccessible.
2. Establish a theory of probable cause:  DHCP was not used. The network protocol could not configure devices that are connected to the network. 
3. Test the theory to determine the cause: Turning on DHCP should configure the device and assign an IP address (hypothetical). 
4. Establish a plan of action to resolve the problem and implement the solution: Turn on DHCP so that the devices can be configured and IP address assigned. 
5. Verify full system functionality and, if applicable, implement preventative measures: Verified that DHCP was turned on and that machines on the network could connect to the internet. 
6. Document findings, actions, and outcomes: The work order was logged on my daily work log. 
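A way to test the theory above before changing anything, as an added example that is not part of the original post: a hand-typed static configuration is "incomplete" when it lacks one of the pieces DHCP would normally hand out (address, mask, default gateway, DNS servers), and each missing piece produces a different symptom. The function works on the objects Win32_NetworkAdapterConfiguration returns, so it runs on Windows 7; the adapter object and addresses below are constructed.

```powershell
# Added example (not from the original post): find what a manual (non-DHCP) network
# configuration is missing, then separate a routing problem from a name-resolution one.

function Find-MissingStaticSettings {
    param([Parameter(Mandatory=$true)] $Config)   # one Win32_NetworkAdapterConfiguration

    if ($Config.DHCPEnabled) { return @('(adapter uses DHCP; nothing to check)') }
    $missing = @()
    if (-not $Config.IPAddress)            { $missing += 'IP address' }
    if (-not $Config.IPSubnet)             { $missing += 'subnet mask' }
    if (-not $Config.DefaultIPGateway)     { $missing += 'default gateway (LAN works, anything off-LAN has nowhere to go)' }
    if (-not $Config.DNSServerSearchOrder) { $missing += 'DNS server (IP addresses work, names like google.com do not)' }
    return $missing
}

# Constructed sample matching the hypothetical: LAN reachable, Internet not.
$sample = [pscustomobject]@{
    Description          = 'Lab NIC (constructed sample)'
    DHCPEnabled          = $false
    IPAddress            = @('192.168.1.50')
    IPSubnet             = @('255.255.255.0')
    DefaultIPGateway     = $null
    DNSServerSearchOrder = $null
}
'Sample adapter is missing: ' + ((Find-MissingStaticSettings $sample) -join '; ')

# Live run against the real adapters on this machine.
$live = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
$live | ForEach-Object { '{0}: {1}' -f $_.Description, ((Find-MissingStaticSettings $_) -join '; ') }

# Three pings that tell the symptoms apart: gateway unreachable = local/link problem,
# 8.8.8.8 fails but gateway answers = routing/gateway problem, google.com fails but
# 8.8.8.8 answers = DNS problem. (8.8.8.8 is Google's public resolver, used as a target.)
$gwConfig = $live | Where-Object { $_.DefaultIPGateway } | Select-Object -First 1
if ($gwConfig) { 'gateway:  ' + (Test-Connection -ComputerName $gwConfig.DefaultIPGateway[0] -Count 1 -Quiet) }
'routing:  ' + (Test-Connection -ComputerName 8.8.8.8   -Count 1 -Quiet)
'dns:      ' + (Test-Connection -ComputerName google.com -Count 1 -Quiet)
```

Whichever piece turns out to be missing, the fix is either to complete the static configuration or to switch the adapter to DHCP; the check tells you which symptom you are chasing so the verification step in the model is meaningful.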

Chapter 16 Lab #3: Mapping a Network Drive

For this lab I set up a remote network shared drive on my laptop. I was then able to save files from my mac onto the shared drive on the laptop.

Sunday, July 14, 2013

Chapter 16 Lab #2: Using Remote Desktop and Remote Assistance

Remote Desktop Connection

For the first section of this lab, we are using Remote Desktop to connect to another machine. The host must have Remote Desktop enabled (System Properties > Remote), the connecting account must have a password, and of the two "allow connections" options Windows 7 offers, the one that only accepts computers running Remote Desktop with Network Level Authentication is the safer choice.

"Remote Desktop Connection is a technology that allows you to sit at a computer (sometimes called the client computer) and connect to a remote computer (sometimes called the host computer) in a different location. For example, you can connect to your work computer from your home computer and have access to all of your programs, files, and network resources as though you were in front of your computer at work. You can leave programs running at work and then, when you get home, you can see your work computer's desktop displayed on your home computer, with the same programs running."

Thursday, July 11, 2013

Chapter 16 Lab: Locate Neighboring Computer IP

In this lab we are pinging neighboring computers to ensure that we can establish a connection.

The image below shows the first tracert failing because Windows Firewall dropped the ICMP echo requests; the second tracert succeeds after the firewall was turned off. Turning the firewall off is a lab shortcut: the right fix on a real machine is an inbound firewall rule that allows ICMPv4 Echo Request only, leaving everything else blocked.
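As an added example (not part of the original lab): instead of switching Windows Firewall off so that ping and tracert work, add a single inbound rule for ICMPv4 Echo Request and leave the firewall on. netsh advfirewall is available on Windows 7 and later; the 192.168.1.20 address is a placeholder for the neighbouring machine.

```powershell
# Added example (not from the original lab): allow ping through Windows Firewall with a
# narrow rule instead of disabling the firewall. Run from an elevated prompt.

# Inbound ICMPv4 type 8 (Echo Request) only, on the private and domain profiles;
# everything else keeps its existing block/allow state.
netsh advfirewall firewall add rule name="Allow ICMPv4 Echo Request (lab)" `
    protocol=icmpv4:8,any dir=in action=allow profile=private,domain

# Confirm the rule exists and that the firewall itself is still ON for every profile.
netsh advfirewall firewall show rule name="Allow ICMPv4 Echo Request (lab)"
netsh advfirewall show allprofiles state

# Test from the neighbouring machine (placeholder address). -d skips reverse DNS so a
# slow tracert is not mistaken for a blocked one.
Test-Connection -ComputerName 192.168.1.20 -Count 2
tracert -d 192.168.1.20

# Remove the rule when the lab is over.
netsh advfirewall firewall delete rule name="Allow ICMPv4 Echo Request (lab)"
```

Scoping the rule to the private and domain profiles means a laptop that later joins a public network goes back to not answering pings at all.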


Command Line Analysis: "Netstat"

"Netstat" is a command line tool that displays network connections (both incoming and outgoing), routing tables, and a number of network interface and network protocol statistics. It is available on Unix-like operating systems including OS X, Linux, Solaris, and BSD, and is available on Windows XP, Vista, 7, and 8.

The Netstat command can show details about individual network connections, overall and protocol-specific networking statistics, and much more, all of which could help troubleshoot certain kinds of networking issues.
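The switches that matter most for troubleshooting are -a (all sockets, including listening ones), -n (numeric addresses, no DNS lookups) and -o (owning process ID). As an added example that is not part of the original post, the following turns netstat -ano output into objects and maps each listening port to its process, which is the question you actually want answered ("what is exposed, and by whom?"). The five output lines are constructed; replace them with (netstat -ano) for a live run.

```powershell
# Added example (not from the original post): parse "netstat -ano" output and map
# listening sockets to their owning processes. Sample lines below are constructed.

function ConvertFrom-Netstat {
    param([string[]] $Lines)
    foreach ($line in $Lines) {
        # TCP rows carry a state column (LISTENING, ESTABLISHED ...); UDP rows do not.
        if ($line -match '^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$') {
            $local = $Matches[2]
            $idx   = $local.LastIndexOf(':')       # handles [::]:445 as well as 0.0.0.0:80
            [pscustomobject]@{
                Proto   = $Matches[1]
                Address = $local.Substring(0, $idx)
                Port    = [int]$local.Substring($idx + 1)
                Remote  = $Matches[3]
                State   = if ($Matches[4]) { $Matches[4] } else { '-' }
                PID     = [int]$Matches[5]
            }
        }
    }
}

# Constructed sample of netstat -ano output (not captured from a real host).
$sample = @(
    '  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4'
    '  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1032'
    '  TCP    192.168.1.50:49712     74.125.227.46:443      ESTABLISHED     2488'
    '  TCP    [::]:445               [::]:0                 LISTENING       4'
    '  UDP    0.0.0.0:123            *:*                                    988'
)

# Exposure view: listening TCP sockets plus every UDP socket. Anything bound to
# 0.0.0.0 or [::] accepts traffic on every interface, not just the loopback.
ConvertFrom-Netstat $sample |
    Where-Object { $_.State -eq 'LISTENING' -or $_.Proto -eq 'UDP' } |
    ForEach-Object {
        $proc = Get-Process -Id $_.PID -ErrorAction SilentlyContinue   # null for sample PIDs
        $name = if ($proc) { $proc.ProcessName } else { '(no such PID on this host)' }
        '{0,-4} {1,-15} port {2,-5} PID {3,-5} {4}' -f $_.Proto, $_.Address, $_.Port, $_.PID, $name
    }
```

PID 4 is the System process, which owns ports served by kernel components such as http.sys (80) and the SMB server (445); a user-mode process listening on a port you do not recognise is the thing to investigate.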


Wednesday, June 26, 2013

Rescue Kit: Trinity Home

What is the Trinity Rescue Kit (TRK)?

www.trinityhome.org

Trinity Rescue Kit (TRK) is a free live Linux distribution aimed specifically at recovery and repair operations on Windows machines, but it is equally usable for Linux recovery issues.

- Easily reset Windows passwords with the improved winpass tool
- Simple and easy menu interface
- 5 different virus scan products integrated in a single uniform command line, with online update capability
- Full NTFS write support thanks to ntfs-3g
- Winclean, a utility that cleans up all sorts of unnecessary temporary files on your computer
- Clone computers over the network via multicast
- Wide range of hardware support (kernel 2.6.35)
- Contributed backup utility called "pi", to automate local machine backups
- Easy script to find and mount all local filesystems
- Self-update capability to include and update all virus scanners plus local changes you made to TRK
- Full proxy server support
- Run a Samba file server (Windows-like file sharing)
- Run an SSH server
- Recovery and undeletion of files with utilities and procedures
- Recovery of lost partitions
- Evacuation of dying disks
- Full read/write and RPM support
- UTF-8 international character support (select keyboard language from the scrollable text menu at startup)
- 2 rootkit detection utilities
- Most software updated to recent versions
- Literally thousands of changes and bug fixes since version 3.3
- Elaborate documentation, including man pages for all commands (also TRK's own)


Today we will look at Winpass and Winclean. Winpass deserves a security note: anyone who can boot the machine from a CD or USB stick can blank or reset any local Windows password in a minute, because the tool edits the account database offline. That is why physical access controls, a BIOS/UEFI password with a locked boot order, and full-disk encryption (BitLocker) matter far more than password complexity for a lost or stolen machine.


Monday, June 24, 2013

Boot Logging

Today we discuss the differences in the ntbtlog.txt boot log (written to %SystemRoot%\ntbtlog.txt) between a normal start and a Safe Mode start. We began by enabling boot logging with msconfig.exe. Once enabled, we restarted so the change took effect and generated our first "normal start" log. We then forced a manual crash and restarted into Safe Mode, and saved that boot log as well. Once back in normal mode, we used WinMerge to compare the two files.

The comparison tool showed a very long list of drivers that were not loaded in Safe Mode (the "Did not load driver" entries). The list can be found here. Safe Mode loads only the minimal set of drivers and services needed to start Windows, which is what makes it useful for isolating a crash caused by a third-party driver.

The following drivers were loaded in both instances:


Loaded driver \SystemRoot\system32\ntkrnlpa.exe
Loaded driver \SystemRoot\system32\halmacpi.dll
Loaded driver \SystemRoot\system32\kdcom.dll
Loaded driver \SystemRoot\system32\mcupdate_GenuineIntel.dll
Loaded driver \SystemRoot\system32\PSHED.dll
Loaded driver \SystemRoot\system32\BOOTVID.dll
Loaded driver \SystemRoot\system32\CLFS.SYS
Loaded driver \SystemRoot\system32\CI.dll
Loaded driver \SystemRoot\system32\drivers\Wdf01000.sys
Loaded driver \SystemRoot\system32\drivers\WDFLDR.SYS
Loaded driver \SystemRoot\system32\drivers\ACPI.sys
Loaded driver \SystemRoot\system32\drivers\WMILIB.SYS
Loaded driver \SystemRoot\system32\drivers\msisadrv.sys
Loaded driver \SystemRoot\system32\drivers\pci.sys
Loaded driver \SystemRoot\system32\drivers\vdrvroot.sys
Loaded driver \SystemRoot\system32\DRIVERS\prl_tg.sys
Loaded driver \SystemRoot\System32\drivers\partmgr.sys
Loaded driver \SystemRoot\system32\drivers\volmgr.sys
Loaded driver \SystemRoot\System32\drivers\volmgrx.sys
Loaded driver \SystemRoot\system32\drivers\intelide.sys
Loaded driver \SystemRoot\system32\drivers\PCIIDEX.SYS
Loaded driver \SystemRoot\System32\drivers\mountmgr.sys
Loaded driver \SystemRoot\system32\drivers\atapi.sys
Loaded driver \SystemRoot\system32\drivers\ataport.SYS
Loaded driver \SystemRoot\system32\drivers\msahci.sys
Loaded driver \SystemRoot\system32\drivers\amdxata.sys
Loaded driver \SystemRoot\system32\drivers\fltmgr.sys
Loaded driver \SystemRoot\system32\drivers\fileinfo.sys
Loaded driver \SystemRoot\System32\Drivers\Ntfs.sys
Loaded driver \SystemRoot\System32\Drivers\msrpc.sys
Loaded driver \SystemRoot\System32\Drivers\ksecdd.sys
Loaded driver \SystemRoot\System32\Drivers\cng.sys
Loaded driver \SystemRoot\System32\drivers\pcw.sys
Loaded driver \SystemRoot\System32\Drivers\Fs_Rec.sys
Loaded driver \SystemRoot\system32\drivers\ndis.sys
Loaded driver \SystemRoot\system32\drivers\NETIO.SYS
Loaded driver \SystemRoot\System32\Drivers\ksecpkg.sys
Loaded driver \SystemRoot\System32\drivers\tcpip.sys
Loaded driver \SystemRoot\System32\drivers\fwpkclnt.sys
Loaded driver \SystemRoot\system32\drivers\vmstorfl.sys
Loaded driver \SystemRoot\system32\drivers\volsnap.sys
Loaded driver \SystemRoot\System32\drivers\rdyboost.sys
Loaded driver \SystemRoot\system32\DRIVERS\prl_strg.sys
Loaded driver \SystemRoot\system32\DRIVERS\prl_pv32.sys
Loaded driver \SystemRoot\System32\Drivers\mup.sys
Loaded driver \SystemRoot\System32\drivers\hwpolicy.sys
Loaded driver \SystemRoot\System32\DRIVERS\fvevol.sys
Loaded driver \SystemRoot\system32\drivers\disk.sys
Loaded driver \SystemRoot\system32\drivers\CLASSPNP.SYS

Sunday, June 23, 2013

Blue Screen of Death Analysis

In this lab we initiate a manual BSOD and create a dump file. We also discuss ways to resolve BSOD issues in the real world environment.

To force a BSOD manually we created a new DWORD value in regedit named "CrashOnCtrlScroll" under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\i8042prt\Parameters, right-clicked it, chose Modify and set the Value data to 1. That key applies to PS/2 keyboards; for a USB keyboard the same value goes under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\kbdhid\Parameters. After a reboot, holding the right Ctrl key and pressing Scroll Lock twice triggers a manual blue screen (bugcheck MANUALLY_INITIATED_CRASH, 0xE2) and writes whatever memory dump is configured under Startup and Recovery.

Tuesday, June 18, 2013

Deleting Internet Explorer and Comparing Registries

For this lab we examine the difference in registries after deleting Internet Explorer.

First we began by saving the entire registry before deleting Internet Explorer, and then again after. I searched the registry for "Internet Explore" before and after the deletion. It appeared that no changes to the registry were made. The screenshot below shows the different file sizes proving that some changes were in fact made.



Renaming the "Recycle Bin" Using Regedit.exe

In this lab we use the regedit.exe utility to change the name of the Recycle Bin to "My Junk".

First I found a tutorial on changing the name of the Recycling Bin here: http://www.sevenforums.com/tutorials/104976-recycle-bin-rename-windows-7-a.html

I used the tutorial to locate the correct key. After finding the key, I then utilized Microsoft's instructions on how to back up the registry key found here: http://support.microsoft.com/kb/136393

"Back up by Exporting a Portion of the Registry

  1. Click the Start button, click Run, and type REGEDIT. Click OK.
  2. In the Registry Editor, select the key you want to back up.
  3. From the Registry menu, choose Export Registry File.
  4. In the Save In list, select the folder where you want to save the backup.
  5. In the File Name box, type a name for your backup file, such as "Options" or "Backup."
  6. In the Export Range box, be sure that "Selected branch" is selected.
  7. Click Save. The file is saved with a .reg extension."


After following all the steps of the tutorial, I was able to successfully change the name of the Recycle Bin to "My Junk." This did require a log off and on to show on the desktop.


I tested the Recycle Bin to ensure that it was still operating as expected. Once it was verified, I used the backup registry key to restore the Recycle Bin to its original name.
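The export-before-you-edit routine above, scripted, as an added example that is not part of the original posts. It applies the same backup, change, verify, restore cycle to the CrashOnCtrlScroll value from the BSOD lab (the Recycle Bin key itself is not named on this page, so it is not assumed here). It needs an elevated prompt because the key is under HKLM; the i8042prt path is the page's PS/2 keyboard path, and the backup file name is arbitrary.

```powershell
# Added example (not from the original posts): back up a registry branch, change a value,
# verify it, and restore exactly. Requires an elevated prompt (HKLM).

$regKey = 'HKLM\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters'   # reg.exe syntax
$psKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters'  # provider syntax
$backup = Join-Path $env:TEMP 'i8042prt_Parameters.reg'                  # arbitrary name
$name   = 'CrashOnCtrlScroll'

# 1. Export the branch first (regedit's "Selected branch" export == reg export <key>).
reg.exe export $regKey $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'export failed; leaving the registry untouched' }

# 2. Record whether the value already existed, so the restore can be exact.
$before  = Get-ItemProperty -Path $psKey -ErrorAction SilentlyContinue
$existed = [bool]($before -and ($before.PSObject.Properties.Name -contains $name))

# 3. Make the change: DWORD 1, effective after the next reboot.
New-ItemProperty -Path $psKey -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
(Get-ItemProperty -Path $psKey -Name $name).$name

# 4. Restore from the backup. reg import MERGES: values present in the .reg file are put
#    back, but values created after the export are not deleted, so a value that did not
#    exist before has to be removed by hand or the "restore" silently leaves it in place.
reg.exe import $backup | Out-Null
if (-not $existed) {
    Remove-ItemProperty -Path $psKey -Name $name -ErrorAction SilentlyContinue
}

# 5. Verify: list the branch's values (the PS* members are provider metadata, not data).
(Get-ItemProperty -Path $psKey).PSObject.Properties |
    Where-Object { $_.Name -notlike 'PS*' } | Select-Object Name, Value
```

The merge behaviour in step 4 is the part regedit's Import menu does not warn about: a .reg backup restores changed values, but undoing an added value or key is a separate, explicit step.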

Tuesday, June 11, 2013

Analysis of CMD Commands: "FC" and "FIND"

Analysis of "FC"

The FC command compares two files (or two sets of files) and displays the lines that differ, shown as a block from each file. If nothing differs it reports "FC: no differences encountered". Its exit code is 0 when the files match and 1 when they differ, which makes it usable from batch files and scripts.


Analysis of "FIND"

The "FIND" command searches for a text string in one or more files. It finds text within a file, not the file itself (use dir or where for that), and the search string must be enclosed in double quotes. The /N switch prefixes each matching line with its line number, /I ignores case, and /C prints only a count of the matching lines.
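FC and FIND applied to the boot-log comparison from the Boot Logging post, as an added example that is not part of either original post. The two ntbtlog.txt files are short constructed samples written to the temp folder (the driver names in them are illustrative); point the two variables at saved copies of %SystemRoot%\ntbtlog.txt for a real comparison. The same fc call works on two exported .reg files if you add /U, since reg exports are Unicode text.

```powershell
# Added example (not from the original posts): compare a normal-boot and a safe-mode
# boot log with fc, then extract lines with find. Sample logs are constructed.

$normal = Join-Path $env:TEMP 'ntbtlog_normal.txt'
$safe   = Join-Path $env:TEMP 'ntbtlog_safe.txt'

@'
Loaded driver \SystemRoot\system32\ntkrnlpa.exe
Loaded driver \SystemRoot\system32\drivers\ACPI.sys
Loaded driver \SystemRoot\system32\drivers\tcpip.sys
Loaded driver \SystemRoot\system32\DRIVERS\nvlddmkm.sys
Did not load driver \SystemRoot\system32\drivers\oldscanner.sys
'@ | Set-Content -Path $normal -Encoding Ascii

@'
Loaded driver \SystemRoot\system32\ntkrnlpa.exe
Loaded driver \SystemRoot\system32\drivers\ACPI.sys
Loaded driver \SystemRoot\system32\drivers\tcpip.sys
Did not load driver \SystemRoot\system32\DRIVERS\nvlddmkm.sys
Did not load driver \SystemRoot\system32\drivers\oldscanner.sys
'@ | Set-Content -Path $safe -Encoding Ascii

# fc /N: differing lines with line numbers. Exit code 0 = identical, 1 = differences,
# 2 = could not open a file, so a script can branch on $LASTEXITCODE.
fc.exe /N $normal $safe
"fc exit code: $LASTEXITCODE"

# find /N "string": matching lines with their line numbers (/I = ignore case).
# find /C "string": only a count of matching lines. The string must be quoted.
find.exe /N /I "did not load" $safe
find.exe /C "Loaded driver" $normal

# PowerShell-native equivalent, as objects instead of text: "<=" marks lines found
# only in the normal boot, "=>" lines found only in Safe Mode.
Compare-Object -ReferenceObject (Get-Content $normal) -DifferenceObject (Get-Content $safe)
```

For a real crash investigation the interesting rows are the drivers that load in a normal boot but not in Safe Mode: that set is where a faulty third-party driver will be.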


Thursday, June 6, 2013

Analysis of dwm.exe

This post encompasses an analysis of the dwm.exe process.

The dwm.exe process is the window manager that gives opened windows their translucent and other visual effects such as live taskbar thumbnails. The OS actually writes a picture of the window to memory and creates a composite view of all the windows on the screen before sending them to be viewed on the monitor. This allows the OS to use video card hardware acceleration to create very smooth animations for actions such as minimizing and restoring windows, and even transparency effects.

I was able to kill the process via Task Manager; I had to kill it twice to actually get it to stop. After killing the process, the windows I had open simply defaulted to the Basic Windows theme, as if I had made that selection in Control Panel. To keep it from coming back, stop and disable the service that restarts it: in services.msc, double-click "Desktop Window Manager Session Manager" (UxSms) and, on the General tab, set the Startup type to Disabled.

Analysis of CSRSS.EXE

This post encompasses a lab wherein I research and examine the functions of the CSRSS.exe process in Windows.

"This is the user-mode portion of the Win32 subsystem; win32k.sys is the kernel-mode portion. Csrss stands for Client/Server Run-Time Subsystem, and is an essential subsystem that must be running at all times. Csrss is responsible for console windows, creating and/or deleting threads, and implementing some portions of the 16-bit virtual MS-DOS environment." CSRSS is mainly responsible for Win32 console handling and GUI shutdown.

It is critical to system operation and terminating this process will result in system failure. CSRSS cannot be terminated with the taskkill command or with Windows Task Manager, although it is possible in Vista if the Task Manager is run in Administrator mode. On Windows 7 and Windows 8 Developer Preview, Task Manager will inform the user that terminating the process will result in system failure, and prompt if they want to continue. I was not able to kill the process in Windows XP, 7, or 8.

Some virus hoax emails claim that csrss.exe is a virus that has been confirmed by Microsoft, and that the user should terminate it immediately. This, obviously, would actually lead to system failure and a blue screen of death. CSRSS is called along with winlogon.exe at Windows start-up. If either of the files is corrupted or otherwise inaccessible, the NT kernel will shut down the start-up process with a Blue Screen of Death. This is caused by a failure to move out of kernel mode and into user mode, the "normal" operation of Windows. The error code for this fault is 0xc000021a.

Some viruses, spyware, and trojans are known to disguise themselves as the CSRSS.exe process. These types of threats may include, but are not limited to:

Nimda.E
W32/Netsky.ab
W32/VBMania

Sources:
http://en.wikipedia.org/wiki/Client/Server_Runtime_Subsystem
http://technet.microsoft.com/en-us/security/bulletin/ms13-033
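Because malware borrows the csrss.exe name, the practical check is not "is csrss.exe running?" but "is each csrss.exe the real one?". The following is an added example, not part of the original post: it verifies the image path, records version and signature information as tripwires, and checks the parent, using WMI so it also runs on Windows 7. Run it elevated, otherwise the image path of a protected process is not readable.

```powershell
# Added example (not from the original post): check that each running csrss.exe is the
# genuine one and not malware reusing the name.

function Test-CsrssInstance {
    param([Parameter(Mandatory=$true)] $Process)   # a Win32_Process object for csrss.exe

    $expected  = Join-Path $env:SystemRoot 'System32\csrss.exe'
    $path      = $Process.ExecutablePath
    $findings  = @()
    $sigStatus = $null

    if (-not $path) {
        $findings += 'image path not readable (run elevated)'
    } elseif ($path -ne $expected) {
        # The real binary lives only in System32; the same name anywhere else is a lookalike.
        $findings += "unexpected image path: $path"
    } else {
        # Tripwires, not proof: version info can be forged, and on Windows 7 many system
        # binaries are catalog-signed, so Get-AuthenticodeSignature may report NotSigned.
        $company = (Get-Item $path).VersionInfo.CompanyName
        if ($company -ne 'Microsoft Corporation') { $findings += "CompanyName is '$company'" }
        $sigStatus = (Get-AuthenticodeSignature -FilePath $path).Status
    }

    # The genuine csrss is started by a per-session smss.exe that exits right afterwards,
    # so its parent PID should point at nothing still running. A reused PID can produce a
    # false positive here; treat a hit as something to look at, not a verdict.
    $parent = Get-Process -Id $Process.ParentProcessId -ErrorAction SilentlyContinue
    if ($parent) { $findings += "parent still alive: $($parent.ProcessName) (PID $($parent.Id))" }

    [pscustomobject]@{
        PID       = $Process.ProcessId
        Path      = $path
        Signature = $sigStatus
        Suspect   = ($findings.Count -gt 0)
        Findings  = ($findings -join '; ')
    }
}

# Expect one csrss.exe for session 0 plus one per interactive logon session.
Get-WmiObject Win32_Process -Filter "Name = 'csrss.exe'" |
    ForEach-Object { Test-CsrssInstance $_ } | Format-Table -AutoSize

# Names that merely resemble csrss.exe (csrs.exe, csrss32.exe, cssrs.exe ...) are the
# other common trick; list anything close that is not the exact name.
Get-WmiObject Win32_Process |
    Where-Object { $_.Name -like '*csr*' -and $_.Name -ne 'csrss.exe' } |
    Select-Object Name, ProcessId, ExecutablePath
```

A csrss.exe in System32 with Microsoft version information, no live parent, and one instance per session is what normal looks like; any deviation is worth pulling the file hash and checking the process's network connections before deciding.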

Sunday, June 2, 2013

Windows 7 Unattended Installation

This tutorial will cover the basic steps to create an unattended installation for Windows 7 using the Windows System Image Manager.

What is an unattended installation?
A hands-free installation.
An installation that requires no interaction while it's happening.
An installation where all the answers have been provided ahead of time.
A time saving feature!

Resources of an Unattended Installation:
Windows Automated Installation Kit, a free download from Microsoft:
http://www.microsoft.com/en-us/download/details.aspx?id=5753

Windows System Image Manager (A part of Windows AIK)

A source copy of Windows 7 OS

Simplified Steps:

  1. After installing the Windows AIK open Windows System Image Manager.
  2. In the Windows Image box in the bottom left corner, right-click "Select a Windows Image", browse to your Windows 7 installation ISO (or DVD) and select the Sources\Install.wim file.


3. For this tutorial we will use the sample autounattend file provided with Windows System Image Manager and make adjustments as needed. In the Answer File box, right-click "Untitled" and select "Open Answer File." The file is located at C:\Program Files\Windows AIK\Samples\autounattended_sample. 


4. In the Answer File box, we will be primarily working with the "1 windowsPE" pass and the "4 specialize" pass. 
    • In the "1 windowsPE" pass we can set up our disk configuration and partitions. These settings will remain unchanged for this tutorial. 
    • Under "UserData" we will input our product key. 
    • In the "4 specialize" pass we can set up our computer name and OEM information.

5. Use the Tools drop down box at the top of Windows System Image Manager and select "Validate Answer File." This will check for errors and if found report them in the messages box.


6. Save the answer file by going to File > Save Answer File As > "autounattend.xml" (File must be named exactly!)

7. Use the Windows 7 USB/DVD tool to create a bootable USB or DVD. 


8. Copy the autounattend.xml file you just created to the root of the USB drive. Alternatively, use a third-party program to build a new ISO that combines the Windows 7 installation media with autounattend.xml. Either way, the answer file holds your product key, and any passwords you add to it, in readable form (the "PlainText=false" option only base64-encodes them), so delete it from the USB drive once the installation is done and do not leave copies lying around.



9. Use the Bootable USB drive to install Windows 7 as you normally would; except this time you can enjoy a glass of ice tea and a sandwich while windows installs without needing attention from you!
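Before the USB stick leaves your desk it is worth knowing exactly which secrets the answer file carries. The following is an added example, not part of the original tutorial: it walks an autounattend.xml and lists product keys and passwords, decoding the "PlainText=false" form to show that it is obfuscation rather than encryption. The answer file below is a constructed sample with a placeholder key and the password P@ssw0rd; pass your own file with Get-UnattendSecrets ([xml](Get-Content .\autounattend.xml)).

```powershell
# Added example (not from the original tutorial): list the secrets an autounattend.xml
# carries. The sample answer file is constructed.

function ConvertFrom-UnattendPassword {
    # PlainText=false means Setup expects base64 of UTF-16LE(password + element name).
    # That is obfuscation, not encryption: anyone holding the file gets the password back.
    param([string] $Base64, [string] $ElementName)
    $s = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Base64))
    if ($s.EndsWith($ElementName)) { $s.Substring(0, $s.Length - $ElementName.Length) } else { $s }
}

function Get-UnattendSecrets {
    param([xml] $Xml)
    $ns = New-Object System.Xml.XmlNamespaceManager($Xml.NameTable)
    $ns.AddNamespace('u', 'urn:schemas-microsoft-com:unattend')

    # Product key: <ProductKey><Key>..</Key></ProductKey> in the windowsPE pass,
    # a bare <ProductKey>..</ProductKey> in the specialize pass.
    foreach ($n in $Xml.SelectNodes('//u:ProductKey/u:Key | //u:ProductKey[not(*)]', $ns)) {
        if ($n.InnerText.Trim()) {
            [pscustomobject]@{ Pass  = $n.SelectSingleNode('ancestor::u:settings/@pass', $ns).Value
                               Kind  = 'product key'
                               Value = $n.InnerText.Trim() }
        }
    }
    # Passwords: AutoLogon/Password, UserAccounts/AdministratorPassword, LocalAccount/Password.
    foreach ($n in $Xml.SelectNodes('//u:Password | //u:AdministratorPassword', $ns)) {
        $value = $n.SelectSingleNode('u:Value', $ns).InnerText
        $plain = $n.SelectSingleNode('u:PlainText', $ns)
        if ($plain -and $plain.InnerText -eq 'false') {
            $kind  = 'password (base64 obfuscated)'
            $value = ConvertFrom-UnattendPassword $value $n.LocalName
        } else {
            $kind  = 'password (plain text)'
        }
        [pscustomobject]@{ Pass  = $n.SelectSingleNode('ancestor::u:settings/@pass', $ns).Value
                           Kind  = $kind
                           Value = $value }
    }
}

# Constructed sample answer file: placeholder key, administrator password 'P@ssw0rd'
# stored the way Windows System Image Manager writes it, plus a plain-text autologon.
$obfuscated = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes('P@ssw0rd' + 'AdministratorPassword'))
$sample = [xml](@'
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="windowsPE">
    <component name="Microsoft-Windows-Setup">
      <UserData>
        <ProductKey><Key>XXXXX-XXXXX-XXXXX-XXXXX-XXXXX</Key><WillShowUI>OnError</WillShowUI></ProductKey>
        <AcceptEula>true</AcceptEula>
      </UserData>
    </component>
  </settings>
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <UserAccounts>
        <AdministratorPassword><Value>OBFUSCATED</Value><PlainText>false</PlainText></AdministratorPassword>
      </UserAccounts>
      <AutoLogon>
        <Password><Value>P@ssw0rd</Value><PlainText>true</PlainText></Password>
        <Enabled>true</Enabled><Username>Administrator</Username>
      </AutoLogon>
    </component>
  </settings>
</unattend>
'@ -replace 'OBFUSCATED', $obfuscated)

Get-UnattendSecrets $sample | Format-Table -AutoSize
```

Run against the sample, the report shows the key and both passwords in the clear, which is the point: treat the answer file like a credentials file, remove it from the installation media afterwards, and check the copy Setup caches under %WINDIR%\Panther on the installed machine as well.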

Thursday, May 30, 2013

Diagnostic Program Review: Windows 8 Upgrade Assistant

For this assignment I reviewed Microsoft's Windows 8 Upgrade Assistant. This is a quick and simple tool for checking whether a system, and the programs and files on it, will be compatible with Windows 8. The utility can be found at: http://windows.microsoft.com/en-us/windows-8/upgrade-to-windows-8

The diagnostic program is very easy to use and straightforward. After installing and opening the program, you are greeted with this screen:



After a short moment the following screen pops up, showing how many apps are compatible and how many items need to be reviewed.


 Next I clicked on "See Compatibility Details" which brought up the screen below:


After reviewing the compatibility details, I closed the window and clicked next. The screen below shows that Windows 8 was compatible with the school computer that I ran this on. The screen also has a quick link to purchase the upgrade.


In summary, the program is quick and easy to use. Running the utility ensures that the system you are looking at upgrading is compatible with the new system.

Chapter 13 Utility Review: Windows 7 USB/DVD Tool

One of the utilities discussed in Chapter 13 (page 570) was a tool by Microsoft to create a bootable USB flash drive. This bootable USB comes in handy when you are installing on a system without an optical drive, such as a netbook or other portable computer. The tool is extremely simple to use and makes creating bootable USB drives or DVDs very easy.

Instruction on downloading and using the tool can be found at:
http://www.microsoftstore.com/store/msus/html/pbPage.Help_Win7_usbdvd_dwnTool/

Steps to use the tool:
  1. Click the Windows START button, and click WINDOWS 7 USB/DVD DOWNLOAD TOOL in the ALL PROGRAMS list to open the Windows 7 USB/DVD Download Tool.
  2. In the SOURCE FILE box, type the name and path of your Windows 7 ISO file, or click BROWSE and select the file from the OPEN dialog box. Click NEXT.
  3. Select USB DEVICE to create a copy on a USB flash drive, or select DVD to create a copy on a DVD.
  4. If you are copying the file to a USB flash drive, select your USB device in the drop-down list and click BEGIN COPYING. If you are copying the file up to a DVD, click BEGIN BURNING.
A screenshot of the utility is shown below:

Tuesday, May 28, 2013

CIST 1130 05/28/2013

Today I installed Windows 8 in the VMBox virtual environment. We began looking at the differences in Windows 8. We looked briefly at the different command prompts that could be brought up in Windows 8.

I looked further into the issue we saw last week where four of the machines were only showing 80GB of HD space. After seeing that the serial numbers of the HD's were different on these machines, I searched google for the serial number. I found that the drives were indeed only 80GB drives.

I had to reinstall Windows 7 on one machine because a previous student had installed on top of the current install without first wiping the drive. I installed Virtual PC, Virtual PC XP Mode, and VMBox on all the remaining eleven machines. One machine was not set up with the proper naming structure given by the instructor. I changed the computer name and password, and set up the guest account. I made sure all the remaining machines had the guest account set up and had the proper naming structure.

One machine was set aside as if it was not working. I hooked it up to diagnose it. It appeared to be missing a hard drive. I was unable to verify this because the computer cases were locked and we did not have a key.

Thursday, May 23, 2013

CIST 1130 05/23/2013

Today we continued to install Windows 7 on the rest of the machines as we did last Tuesday. Three of the machines appeared to have an issue with the hard drives. We began diagnosing the issue with cmd and the diskpart commands. We will explore these issues in more detail in the following class. 

We began installing Windows Virtual PC and Windows XP Mode on a few of the machines. I had downloaded Virtual PC and Windows SP1 to my USB drive from home to help speed up our process today. Downloaded and installed Windows XP Mode as well as VBox.

I also reviewed Mr. Garber's instruction to create a bootable USB drive that was posted on the online class portal, Angel.

Tuesday, May 21, 2013

CIST 1130 05/21/2013

Today we reinstalled Windows 7 on multiple machines. We booted from the DVD drive to get to the Windows Installation screen. Using the Custom (Advanced) option, we deleted two current partitions to create one new partition for our fresh install.  After two reboots Windows was up and running. We set up up new admin user names with passwords. Naming of the computers were as follows:

User-name: student-0X
Computer Name: computer-0X
Workgroup: A-245
Password: guest-0X

Once we had our admin profile set up, we set up a guest profile that did not require a password by going to Control Panel > Users > Guest and then clicking "Turn On." This profile will be used by other students in other classes without us having to worry about them changing any settings on our admin profiles. We rebooted to ensure both profiles were working as intended.

We spent the last few minutes of class updating windows and installing Windows 7 SP1.


About Me

Currently attending Lanier Tech to obtain a degree in computer science. Expected graduation: Fall 2014.

View Noah King's profile on LinkedIn