Providing admin tools to users without passwords.

Found a very useful way of providing users the ability to run administrative tasks without providing passwords to the users. By using the runas command you can launch programs with different credentials, however you need to enter a password. If you provide the user with the password then they could use it to do a lot of other things. Providing a user with a batch file helps, but it doesn’t take much brainpower to read the batch file and obtain the password. However, thanks to techtarget they suggest the use of Microsoft Script Encoder. This takes an existing vbs batch file and encodes the output. Although not pgp strength encryption it would be strong enough to deter the casual browser of your hard disk/batch files. (the only downside is providing a new file when the password to the account changes.)
Incidentally I’ve had to investigate this as one of our users can not admin our iis server settings despite being listed on the operators tab.

Top 75 Network security tools

Out of the Top 75 Network Security Tools listed on the page I have only NOT heard of 8 of the top 50. I’ve used probably half of the ones listed, the ones that I haven’t used are mainly the linux based ones but that will change over the next few months. (I’ve downloaded and played with Nmap recently – the front end to this makes light work of scanning a network although I still prefer GFI’s Scanner.

Another critical fix from Microsoft

Yet another Critical fix is available from Microsoft TechNet. I was tipped off to the existence of this one yesterday when attending the SANS security webcase which by the way was excellent. They showed you the tools to check/hack a web application complete with a walkthrough of how they had pentested a bank site and with no clever tricks managed to view users credit card numbers, bank information, log on AS the user and change the users passwords…..quite scary stuff! Needless to say the bank was anonymous!

Streaming music for Webconferences

I’m currently waiting for the SANS Web conference, “Is Your Web App Secure? How Do You Know?” , and they are playing “hold music” until it starts…and at a low quality stream it sounds awful. On a brighter note, the conference is advertised as featuring Ed Skoudis (whoever he is) with a “Exploiting Web Applications-Live Demo” featuring Caleb Sima so it should be interesting. Hope I don’t get a heartattack at all the weaknesses in my/our webpages!

Blaster Scanner

Its all very well Microsoft and other companies offering a MS03-026 scanning tool to check for vulnerable computers, but they’ve all identified one Windows98 pc on my network that is vulnerable, yet 98 is not affected according to their sites. This is a bit annoying when doing a double check scan of the local network.

Microsoft Security Readiness Kit CD

At first glance, the Security Readiness Kit sounds great, with a copy of the latest service packs and bug fixes all in one place. However, its not available until Early August 2003 (erm – its 3 days from September) – I guess this is Early August in Microsoft Terminology just like Copying files only ever takes two minutes to run – and the blurb says it will have patches up to June ’03. Not very helpful with all the patches that have been released since then and all the virus hassles we’ve had in the past couple of weeks!