How to Connect to the Console Session on Windows

The original title for this post was going to be “I Cannot Believe I Did Not Know This Until Now.” Now it’s a thinly veiled mock up of the source document’s title: How to Connect to and Shadow the Console Session with Windows Server 2003 Terminal Services (2008 features sourced from here). The following feature becomes priceless when two people are logged in remotely and you get that frustrating

"The terminal server has exceeded the maximum number of allowed connections."

Stupid machine, don’t give me an error, then kick off the person who can fix it! Well, until now, I was the stupid admin who didn’t know you could do this:

2003, XP SP1/SP2: mstsc /v:IPorHostname /console
2008, Vista, XP SP3: mstsc /v:IPorHostname /admin

to log into the physical console session. Sweet!

On a related note, if you want to view a session, you can use

shadow 0

to view that session (0 is the physical console in Windows 2003). You will have to be authorized by the user who is logged in, however, so no spying by default.

Note: Windows 2008 is better about managing additional login attempts. If the maximum number of sessions is reached, the new connection can pick which user it wants to log off, and the user about to be logged off has the option to allow, allow by ignoring, or deny the request.

Not that a hard reboot won’t do it either… kidding! But in all seriousness…

Active Versus Passive FTP on Windows 2003

For the first bit, please refer to Slacksite’s article for an excellent writeup on the difference between Active and Passive FTP.

Windows IIS’s FTP server is configured to use ports 1025-5000 for Passive FTP traffic by default. You can follow the steps at Microsoft’s support page to change the Passive FTP port range.

To enable Passive FTP, Windows Firewall must be configured to allow traffic from these ports. After verifying that the above port range is what you would like open to FTP traffic, each port number must be opened one by one. However, a simple script to automate this process is described here.

And here is a random link (ok, the link itself isn’t random, but the link behind the link is).

Conficker Update Part 3

According to http://forum.drweb.com/index.php?showtopic=277240, Win32.HLLW.Shadow.based is a variant of Conficker/Downadup.

Symptom: Every available port from 1024-5000 is used to connect to various servers on destination port 445. Basically, the worm opens these connections to download and wait for malicious binaries.
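The symptom above is easy to spot from `netstat -an` output, and checking for it is a cheap first triage step on a suspect host. The following is an added example, not from the original post: it parses constructed netstat rows and reports how many distinct ephemeral local ports (1024-5000) have outbound TCP connections to port 445, flagging the fan-out pattern; the threshold is an assumed value.

```python
# Triage check for the Conficker symptom: one outbound connection per ephemeral
# local port (1024-5000), all to destination port 445. Sample rows are
# constructed here, not a real capture.
import re
from collections import Counter

# Matches Windows "netstat -an" rows: proto, local addr:port, foreign addr:port, state.
NETSTAT_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+)\s*(\S*)\s*$")

EPHEMERAL = range(1024, 5001)   # XP/2003 default dynamic port range
SMB_PORT = 445

def parse_netstat(text):
    """Yield (proto, local_port, foreign_addr, foreign_port, state) per connection row."""
    for line in text.splitlines():
        m = NETSTAT_ROW.match(line)
        if not m:
            continue            # header, blank, or UDP "*:*" rows without a numeric port
        proto, _laddr, lport, faddr, fport, state = m.groups()
        yield proto, int(lport), faddr, int(fport), state

def smb_fanout(text, threshold=50):
    """Summarise outbound SMB (445) connections that originate from ephemeral ports.

    Normal file sharing uses a handful of ports to a few servers; the worm burns
    through the whole range against many hosts. The threshold is an assumed value.
    """
    local_ports, hosts, states = set(), set(), Counter()
    for proto, lport, faddr, fport, state in parse_netstat(text):
        if proto == "TCP" and fport == SMB_PORT and lport in EPHEMERAL:
            local_ports.add(lport)
            hosts.add(faddr)
            states[state] += 1
    return {
        "local_ports": len(local_ports),
        "remote_hosts": len(hosts),
        "states": dict(states),
        "suspicious": len(local_ports) >= threshold and len(hosts) > 1,
    }

# Constructed sample: one legitimate SMB session, one HTTP session, and 60
# half-open (SYN_SENT) connections to 445, each from a fresh ephemeral port.
SAMPLE = "\n".join(
    ["  Proto  Local Address          Foreign Address        State",
     "  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING",
     "  TCP    192.168.1.10:1030      192.168.1.5:445        ESTABLISHED",
     "  TCP    192.168.1.10:1031      203.0.113.8:80         ESTABLISHED"]
    + ["  TCP    192.168.1.10:%d      10.%d.%d.%d:445        SYN_SENT"
       % (1040 + i, i % 250, (i * 7) % 250, (i * 13) % 250 + 1) for i in range(60)]
    + ["  UDP    0.0.0.0:445            *:*"]
)

if __name__ == "__main__":
    print(smb_fanout(SAMPLE))
```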

The removal tools at http://www.bdtools.net/ do not detect this variant, and you have to use Dr.Web’s CureIt to detect and remove it. According to them, the recommended procedure is to install the following hotfixes:
* MS08-067 (http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx);
* MS08-068 (http://www.microsoft.com/technet/security/bulletin/ms08-068.mspx);
* MS09-001 (http://www.microsoft.com/technet/security/bulletin/ms09-001.mspx).

And then run CureIt, a fully functional shareware app.

In case you’re reading this from an infected server, I’ve downloaded and included some of these files here (because if you’re infected, you won’t be able to access certain sites, drweb.com being one).

Conficker Update Part Deuce

UPDATE 11 Jun 2009: Locally hosted bdtools removal tools (available at downadup.org for single computers and networks). Cheers =D

Our favorite worm got an update 8 April according to Network World. Read more here…
And of course, at downadup.org.

Conficker

If you haven’t heard about the growing population of Windows machines hosting this prolific worm, educate yourself, particularly if you run Windows networks. This worm has been spreading like the plague since at least November 2008, and is presently estimated as having infected about 10 million machines. That’s a big botnet. It’s an active one too, regularly “dialing home” to now over 50,000 domains to receive updates. Its variants spread through various mediums, and favor network shares and USB drives.

If you can stand the gripes from your users, disabling Autorun through a forced registry setting (scripts, custom-built ADM) is not a bad idea in general; so what if they have to open the folder and double-click the executable that’s likely in the top-level directory anyway? Read the CERT/CC blog for more about this workaround. Of key importance is that, for whatever reason, the setting in HKCU overrides the HKLM setting. It may go without saying, but your best bet is to cover both fronts.

If your network is infected presently, the following site hosted by BitDefender has a good list of symptoms to look for. In addition, the company has recently published both a single-workstation tool and a network tool to remove the worm from your computers. You can find these resources at http://downadup.org/.
