CISSP FREE CPEs

Every year 20 Continuing Professional Education credits (CPEs) are required to maintain your CISSP credential (along with upholding the (ISC)2 Code of Ethics and paying the Annual Maintenance Fees). At the end of 3 years, 80 CPEs are required to be in good standing.

CPEs are broken into groups. Group A activities are direct information systems security activities and align with one of the 10 Body of Knowledge (BOK) domains. Group B activities are professional skills activities and cover areas a security professional would encounter.

But where can you get CPEs? According to their brochure you can get them by doing the following:

  • Attending educational courses or seminars
  • Attending security conferences
  • Being a member of an association chapter and attending meetings
  • Serving on the board for a professional security organization
  • Volunteering for a government, public sector and other charitable organizations, including (ISC)2 volunteer committees
  • Completing higher academic courses
  • Providing security training
  • Publishing security articles or books
  • Participating in self-study courses, computer-based training or Web casts
  • Reading an information security book or subscribing to an information security magazine

Here’s a good article that lists 10 Ways to Get Free CPEs for Your CISSP.

The list includes:

  • Get a Degree
  • Watch Videos at The Academy Pro
  • Watch SANS Webcast
  • Listen to webcasts and podcasts. Keep a record of the date of the podcast and the date you listened, and include the description as well.
  • If you work for the Federal Government, learn from the Virtual Training Environment.
  • Department of Homeland Security (DHS) / Federal Emergency Management Agency (FEMA)

Here are some of my favorite reads and podcasts.

You can check your CPE status on the (ISC)2 website: www.isc2.org/cpe

Amazon AWS S3 – Give User Access to Bucket

I was working on giving access to one of my Amazon S3 buckets to my cousin so we could share large files, but was having difficulty. I looked at using Dropbox to share files, but I didn’t want him to have to register on the site; I only wanted to provide him a private URL, username and password. The material was confidential, so I didn’t want to use Pastebin or some similar site.

So here’s what I did.

I created the S3 Bucket in the AWS Console.

I created a user for him in IAM and an auto-generated password; then put the user into a group.

I created an alias to my Amazon domain.

After several hours of Googling and setting user permissions, creating Bucket Policies and testing with the AWS Policy Generator, I found my answer here.

Can’t access bucket with user who has IAM policy applied

https://forums.aws.amazon.com/message.jspa?messageID=222596


I set a group policy: first I went to the IAM console, clicked on Groups, and added the following JSON policy:

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:Get*",
                 "s3:List*"],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": ["s3:ListBucket", "s3:GetBucket"],
      "NotResource": ["arn:aws:s3:::<BucketName allowed access>"]
    }
  ]
}


Now it works. Yay!
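To show how the two statements in that policy combine, here is an added Python evaluator (my illustration, not the post's code and not AWS's real engine: it ignores conditions, principals and bucket policies). It applies IAM's rule that an explicit Deny beats any Allow, with IAM-style wildcards; shared-bucket and other-bucket are placeholder names. The run also shows that the Deny covers only the two bucket-level actions, so s3:GetObject on an object in another bucket of the same account is still allowed when its key is known; the added SCOPED_POLICY scopes the grant to the one bucket instead.

```python
import fnmatch

# Constructed copy of the group policy from the post; "shared-bucket" stands in
# for the "<BucketName allowed access>" placeholder.
POST_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"},
        {"Effect": "Deny", "Action": ["s3:ListBucket", "s3:GetBucket"],
         "NotResource": ["arn:aws:s3:::shared-bucket"]},
    ]
}

# Added alternative (my suggestion, not from the post): grant only what the one
# bucket needs and let IAM's implicit deny cover everything else.
SCOPED_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::shared-bucket"},
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::shared-bucket/*"},
    ]
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _any_match(patterns, value):
    # IAM wildcards: '*' matches any run of characters, '?' a single character.
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def statement_applies(stmt, action, resource):
    """True when the statement's Action and Resource/NotResource cover the request."""
    # Action names are case-insensitive in IAM; compare them lower-cased.
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    if not _any_match(actions, action.lower()):
        return False
    if "Resource" in stmt:
        return _any_match(_as_list(stmt["Resource"]), resource)
    if "NotResource" in stmt:
        # NotResource: the statement applies to every resource EXCEPT those listed.
        return not _any_match(_as_list(stmt["NotResource"]), resource)
    return False


def evaluate(policy, action, resource):
    """Simplified IAM decision: explicit Deny wins, then Allow, else implicit Deny."""
    decision = "Deny"  # implicit deny until an Allow matches
    for stmt in policy["Statement"]:
        if not statement_applies(stmt, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny cannot be overridden by any Allow
        decision = "Allow"
    return decision


if __name__ == "__main__":
    requests = (
        ("s3:ListBucket", "arn:aws:s3:::shared-bucket"),
        ("s3:ListBucket", "arn:aws:s3:::other-bucket"),
        ("s3:GetObject", "arn:aws:s3:::other-bucket/report.pdf"),
    )
    for name, policy in (("post", POST_POLICY), ("scoped", SCOPED_POLICY)):
        for action, resource in requests:
            print(f"{name:6} {action:14} {resource:42} {evaluate(policy, action, resource)}")
```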

Outsourcing Active Directory

I came across a discussion recently about outsourcing Active Directory, and it got me thinking: why not?

In very large organizations the IT department is divided into specialist areas: Infrastructure, Desktop Support, Server, Application and Active Directory Services. Regional and local sites make requests to HQ for a new user to be added to Active Directory, which can take a few days to complete because they need to follow all of the controls for a safe AD. Why not simply have a third party administer AD, while the strategy and design of AD remain within the company?

There seem to be two parts to the puzzle here:

  1. Firstly, the math: does it make economic sense to outsource Active Directory?
  2. Secondly, risk: how much risk is the company willing to accept?
  3. The follow-up question organizations should ask if they are entertaining this idea is: what is the ROI versus the risk?

The Report to Executives should include sections about the following:

  1. How much money would be saved
  2. What the contractual obligations and SLAs would be for the third party administering the Active Directory (and their consequences for not meeting or breaking them)
  3. The contract should include permission to audit their IT, allow an annual penetration test (including social engineering) of their infrastructure, and set out their policy for notifying you of attempted breaches.
  4. Besides the economic value of outsourcing Active Directory, what are the psychological repercussions to staff and clients on a daily basis — staff cuts, morale, etc. — and if a breach occurred — marketplace reputation, liability.

Part of the key to undertaking this project would be to classify the importance of AD contents, beyond the name and the security and distribution groups the users belong to. Will the other fields be used as well? Department, telephone numbers, address, manager (reports to).

Side note: I don’t know why, and I’ve never seen any documentation on it beyond this, but there is a CarLicense attribute in AD that doesn’t appear in the GUI, but does when looking at the user properties.

Keep in mind that some breach scenarios may be the same if the administration of AD were internal, but some are exclusive to external parties. Some examples include: a rogue employee giving access to unauthorized users (intentionally or not), sending confidential information to another unauthorized party, and hacking.

Are Telephone enabled Devices safe?

An article on SecurityTube.net about war texting got me thinking about all the 3G and telephone-enabled devices we take for granted – security cameras, traffic control systems, home controls, SCADA sensors, and now cars that can be unlocked via SMS. We use these devices for convenience, obviously, but we must begin the conversation about how to protect them.

If hackers can gain access to the DoD and the NSA, and the current zeitgeist on APTs is that malware has gone undetected for YEARS in these systems, then the next logical progression is that hackers will get access to these telephone-enabled devices and use them for profit or terrorism. Imagine the gridlock!

These devices work on text messaging. It’s similar to botnets using Twitter: the malware follows a Twitter account, and when the hacker tweets a specific command that looks innocuous, the malware starts; except this time the hacker dials numbers to be able to upgrade software or download data. Think about the rise of text spam.

These telephone-enabled devices can’t be firewalled or restricted like an IP network. So understanding these threats should help manufacturers come up with creative and secure solutions.

Create a Service from an Application

Today I needed to create a service on a remote computer that will run when the user has logged out, and this is how I did it using the SC command (note the space after each "option=", which sc.exe requires, and the straight double quotes around the executable path):

sc \\<computername> create <ServiceName> binPath= "c:\Program Files\<full local path>.exe" type= own start= auto displayname= <DisplayName> error= normal

I used this article to help me:

Time Server

To query the time server from the command prompt:

Net time /querysntp

Here are the registry settings:

AllowNonstandardModeCombinations

Registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer
Version: Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2

This entry indicates that non-standard mode combinations are allowed in synchronization between peers. The default value for domain members is 1. The default value for stand-alone clients and servers is 1.

AllowNonstandardModeCombinations

Registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient
Version: Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2

This entry indicates that non-standard mode combinations are allowed in synchronization between clients and servers. The default value for domain members is 1. The default value for stand-alone clients and servers is 1.

AnnounceFlags

Registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
Version: Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2

This entry controls whether this computer is marked as a reliable time server. A computer is not marked as reliable unless it is also marked as a time server.

  • 0x00 Not a time server
  • 0x01 Always time server
  • 0x02 Automatic time server
  • 0x04 Always reliable time server
  • 0x08 Automatic reliable time server

The default value for domain members is 10. The default value for stand-alone clients and servers is 10.

CompatibilityFlags

Registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient
Version: Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2

This entry specifies the following compatibility flags and values:

  • DispersionInvalid: 0x00000001
  • IgnoreFutureRefTimeStamp: 0x00000002
  • AutodetectWin2K: 0x80000000
  • AutodetectWin2KStage2: 0x40000000

The default value for domain members is 0x80000000. The default value for stand-alone clients and servers is 0x80000000.

CrossSiteSyncFlags

Registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient
Version: Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2

This entry determines whether the service chooses synchronization partners outside the domain of the computer. The options and values are:

  • None: 0
  • PdcOnly: 1
  • All: 2

This value is ignored if the NT5DS value is not set. The default value for domain members is 2. The default value for stand-alone clients and servers is 2.

DllName

Registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient
Version: Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2

This entry specifies the location of the DLL for the time provider.

The default location for this DLL on both domain members and stand-alone clients and servers is %windir%\System32\W32Time.dll.

DllName

Registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer
Version: Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2

This entry specifies the location of the DLL for the time provider.

The default location for this DLL on both domain members and stand-alone clients and servers is %windir%\System32\W32Time.dll.

Enabled

Registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient
Version: Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2

This entry indicates if the NtpClient provider is enabled in the current Time Service.

  • Yes 1
  • No 0

The default value on domain members is 1. The default value on stand-alone clients and servers is 1.

Enabled

Registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer
Version: Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2

This entry indicates if the NtpServer provider is enabled in the current Time Service.

  • Yes 1
  • No 0

The default value on domain members is 1. The default value on stand-alone clients and servers is 1.

EventLogFlags

Registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
Version: Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2

This entry controls the events that the time service logs.

  • Time Jump: 0x1
  • Source Change: 0x2

The default value on domain members is 2. The default value on stand-alone clients and servers is 2.

EventLogFlags

Registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient
Version: Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2

This entry specifies the events logged by the Windows Time service.

  • 0x1 reachability changes
  • 0x2 large sample skew (This is applicable to Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2 only)

The default value on domain members is 0x1. The default value on stand-alone clients and servers is 0x1.

FrequencyCorrectRate

Registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
Version: Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2

This entry controls the rate at which the clock is corrected. If this value is too small, the clock is unstable and overcorrects. If the value is too large, the clock takes a long time to synchronize. The default value on domain members is 4. The default value on stand-alone clients and servers is 4.

Note: 0 is an invalid value for the FrequencyCorrectRate registry entry. On Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2 computers, if the value is set to 0 the Windows Time service will automatically change it to 1.

HoldPeriod

Registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
Version: Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2

This entry controls the period of time for which spike detection is disabled in order to bring the local clock into synchronization quickly. A spike is a time sample indicating that time is off a number of seconds, and is usually received after good time samples have been returned consistently. The default value on domain members is 5. The default value on stand-alone clients and servers is 5.

InputProvider

Registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient
Version: Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2

This entry indicates if the NtpClient provider is enabled.

  • Yes 1
  • No 0

The default value on domain members is 1. The default value on stand-alone clients and servers is 1.

InputProvider

Registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer
Version: Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2

This entry indicates if the NtpServer provider is enabled.

  • Yes 1
  • No 0

The default value on domain members is 1. The default value on stand-alone clients and servers is 1.

LargePhaseOffset

Registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
Version: Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2

This entry specifies that a time offset greater than or equal to this value, in 10^-7 seconds, is considered a spike. A network disruption such as a large amount of traffic might cause a spike. A spike will be ignored unless it persists for a long period of time. The default value on domain members is 50000000. The default value on stand-alone clients and servers is 50000000.

LargeSampleSkew

Registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient
Version: Windows Server 2003 and Windows Server 2008

This entry specifies the large sample skew for logging, in seconds. To comply with Securities and Exchange Commission (SEC) specifications, this should be set to three seconds. Events will be logged for this setting only when EventLogFlags is explicitly configured for 0x2 (large sample skew). The default value on domain members is 3. The default value on stand-alone clients and servers is 3.

LastClockRate

Registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
Version: Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2

This entry is maintained by W32Time. It contains reserved data that is used by the Windows operating system, and any changes to this setting can cause unpredictable results. The default value on domain members is 156250. The default value on stand-alone clients and servers is 156250.

LocalClockDispersion

Registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
Version: Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2

This entry controls the dispersion (in seconds) that you must assume when the only time source is the built-in CMOS clock. The default value on domain members is 10. The default value on stand-alone clients and servers is 10.

MaxAllowedPhaseOffset

Registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
Version: Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2

This entry specifies the maximum offset (in seconds) for which W32Time attempts to adjust the computer clock by using the clock rate. When the offset exceeds this value, W32Time sets the computer clock directly. The default value for domain members is 300. The default value for stand-alone clients and servers is 1.

In order for W32Time to set the computer clock gradually, the offset must be less than the MaxAllowedPhaseOffset value and satisfy the following equation at the same time:

|CurrentTimeOffset| / (PhaseCorrectRate*UpdateInterval) < SystemClockRate / 2
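As an added worked example (not from this page or from Microsoft), here is the inequality above evaluated with the default values quoted on this page: it reports whether a measured offset would be slewed, stepped, or only logged (per the MaxPosPhaseCorrection and MaxNegPhaseCorrection entries), and it also decodes the AnnounceFlags default of 10 listed earlier. The units are assumptions: offsets and SystemClockRate are taken to be in 10^-7-second ticks, and SystemClockRate is taken to equal the LastClockRate default of 156250.

```python
# Units (assumption, not stated on the page): CurrentTimeOffset and
# SystemClockRate are in 10^-7 s ticks (the unit the page gives for
# LargePhaseOffset), and SystemClockRate equals the LastClockRate default
# 156250 (15.625 ms).
TICKS_PER_SECOND = 10_000_000
SYSTEM_CLOCK_RATE = 156_250

# Defaults as listed on the page; None stands for 0xFFFFFFFF ("always correct").
DEFAULTS = {
    "domain member": dict(max_allowed_phase_offset=300, phase_correct_rate=1,
                          update_interval=30_000, max_phase_correction=None),
    "stand-alone": dict(max_allowed_phase_offset=1, phase_correct_rate=7,
                        update_interval=360_000, max_phase_correction=54_000),
}


def slew_threshold_seconds(phase_correct_rate, update_interval,
                           system_clock_rate=SYSTEM_CLOCK_RATE):
    """Largest |offset| in seconds that still satisfies
    |CurrentTimeOffset| / (PhaseCorrectRate*UpdateInterval) < SystemClockRate / 2."""
    return (system_clock_rate / 2) * phase_correct_rate * update_interval / TICKS_PER_SECOND


def correction_mode(offset_seconds, max_allowed_phase_offset, phase_correct_rate,
                    update_interval, max_phase_correction=None):
    """How W32Time would handle a measured offset:
    'slew'     - adjust the clock rate gradually (both conditions hold)
    'step'     - set the clock directly
    'log-only' - offset exceeds MaxPos/NegPhaseCorrection, so only an event is logged."""
    magnitude = abs(offset_seconds)
    if max_phase_correction is not None and magnitude > max_phase_correction:
        return "log-only"
    if (magnitude < max_allowed_phase_offset
            and magnitude < slew_threshold_seconds(phase_correct_rate, update_interval)):
        return "slew"
    return "step"


# Bit values from the AnnounceFlags entry on this page.
ANNOUNCE_FLAGS = {
    0x01: "Always time server",
    0x02: "Automatic time server",
    0x04: "Always reliable time server",
    0x08: "Automatic reliable time server",
}


def decode_announce_flags(value):
    """Expand an AnnounceFlags value (decimal, as the page quotes it) into bit names."""
    names = [name for bit, name in ANNOUNCE_FLAGS.items() if value & bit]
    return names or ["Not a time server"]


if __name__ == "__main__":
    for role, cfg in DEFAULTS.items():
        limit = slew_threshold_seconds(cfg["phase_correct_rate"], cfg["update_interval"])
        print(f"{role}: rate rule allows slewing up to {limit} s, "
              f"MaxAllowedPhaseOffset is {cfg['max_allowed_phase_offset']} s")
        for offset in (0.5, 200, 250, 60_000):
            print(f"  offset {offset:>8} s -> {correction_mode(offset, **cfg)}")
    print("AnnounceFlags default 10 =", decode_announce_flags(10))
```

With the domain-member defaults the rate rule (234.375 s) is the tighter limit, not MaxAllowedPhaseOffset (300 s); on a stand-alone machine MaxAllowedPhaseOffset (1 s) decides, and an offset beyond 54,000 s is only logged.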

MaxClockRate

Registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
Version: Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2

This entry is maintained by W32Time. It contains reserved data that is used by the Windows operating system, and any changes to this setting can cause unpredictable results. The default value for domain members is 155860. The default value for stand-alone clients and servers is 155860.

MaxNegPhaseCorrection

Registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
Version: Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2

This entry specifies the largest negative time correction in seconds that the service makes. If the service determines that a change larger than this is required, it logs an event instead. Special case: 0xFFFFFFFF means always make time correction. The default value for domain members is 0xFFFFFFFF. The default value for stand-alone clients and servers is 54,000 (15 hrs).

MaxPollInterval

Registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
Version: Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2

This entry specifies the largest interval, in log2 seconds, allowed for the system polling interval. Note that while a system must poll according to the scheduled interval, a provider can refuse to produce samples when requested to do so. The default value for domain controllers is 10. The default value for domain members is 15. The default value for stand-alone clients and servers is 15.

MaxPosPhaseCorrection

Registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
Version: Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2

This entry specifies the largest positive time correction in seconds that the service makes. If the service determines that a change larger than this is required, it logs an event instead. Special case: 0xFFFFFFFF means always make time correction. The default value for domain members is 0xFFFFFFFF. The default value for stand-alone clients and servers is 54,000 (15 hrs).

MinClockRate

Registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
Version: Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2

This entry is maintained by W32Time. It contains reserved data that is used by the Windows operating system, and any changes to this setting can cause unpredictable results. The default value for domain members is 155860. The default value for stand-alone clients and servers is 155860.

MinPollInterval

Registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
Version: Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2

This entry specifies the smallest interval, in log2 seconds, allowed for the system polling interval. Note that while a system does not request samples more frequently than this, a provider can produce samples at times other than the scheduled interval. The default value for domain controllers is 6. The default value for domain members is 10. The default value for stand-alone clients and servers is 10.

NtpServer

Registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
Version: Windows Server 2003 and Windows Server 2008

This entry specifies a space-delimited list of peers from which a computer obtains time stamps, consisting of one or more DNS names or IP addresses per line. Each DNS name or IP address listed must be unique. Computers connected to a domain must synchronize with a more reliable time source, such as the official U.S. time clock.

There is no default value for this registry entry on domain members. The default value on stand-alone clients and servers is time.windows.com,0x1.

Note: For more information on available NTP servers, see Microsoft Knowledge Base article 262680 (http://go.microsoft.com/fwlink/?LinkId=186067).

PhaseCorrectRate

Registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
Version: Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2

This entry controls the rate at which the phase error is corrected. Specifying a small value corrects the phase error quickly, but might cause the clock to become unstable. If the value is too large, it takes a longer time to correct the phase error.

The default value on domain members is 1. The default value on stand-alone clients and servers is 7.

Note: 0 is an invalid value for the PhaseCorrectRate registry entry. On Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2 computers, if the value is set to 0, the Windows Time service automatically changes it to 1.

PollAdjustFactor

Registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
Version: Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2

This entry controls the decision to increase or decrease the poll interval for the system. The larger the value, the smaller the amount of error that causes the poll interval to be decreased. The default value on domain members is 5. The default value on stand-alone clients and servers is 5.

ResolvePeerBackOffMaxTimes

Registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient
Version: Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2

This entry specifies the maximum number of times to double the wait interval when repeated attempts to locate a peer to synchronize with fail. A value of zero means that the wait interval is always the minimum. The default value on domain members is 7. The default value on stand-alone clients and servers is 7.

ResolvePeerBackOffMinutes

Registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient
Version: Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2

This entry specifies the initial interval to wait, in minutes, before attempting to locate a peer to synchronize with. The default value on domain members is 15. The default value on stand-alone clients and servers is 15.

ServiceDll

Registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
Version: Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2

This entry is maintained by W32Time. It contains reserved data that is used by the Windows operating system, and any changes to this setting can cause unpredictable results. The default location for this DLL on both domain members and stand-alone clients and servers is %windir%\System32\W32Time.dll.

ServiceMain

Registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
Version: Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2

This entry is maintained by W32Time. It contains reserved data that is used by the Windows operating system, and any changes to this setting can cause unpredictable results. The default value on domain members is SvchostEntry_W32Time. The default value on stand-alone clients and servers is SvchostEntry_W32Time.

SpecialPollInterval

Registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient
Version: Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2

This entry specifies the special poll interval in seconds for manual peers. When the SpecialInterval 0x1 flag is enabled, W32Time uses this poll interval instead of a poll interval determined by the operating system. The default value on domain members is 3,600. The default value on stand-alone clients and servers is 604,800.

SpecialPollTimeRemaining

Registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient
Version: Windows Server 2003 and Windows Server 2008

This entry is maintained by W32Time. It contains reserved data that is used by the Windows operating system. It specifies the time in seconds before W32Time will resynchronize after the computer has restarted. Any changes to this setting can cause unpredictable results. The default value on both domain members and on stand-alone clients and servers is left blank.

SpikeWatchPeriod

Registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
Version: Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2

This entry specifies the amount of time that a suspicious offset must persist before it is accepted as correct (in seconds). The default value on domain members is 900. The default value on stand-alone clients and workstations is 900.

Type

Registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
Version: Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2

This entry indicates which peers to accept synchronization from:

  • NoSync. The time service does not synchronize with other sources.
  • NTP. The time service synchronizes from the servers specified in the NtpServer registry entry.
  • NT5DS. The time service synchronizes from the domain hierarchy.
  • AllSync. The time service uses all the available synchronization mechanisms.

The default value on domain members is NT5DS. The default value on stand-alone clients and servers is NTP.

UpdateInterval

Registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
Version: Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2

This entry specifies the number of clock ticks between phase correction adjustments. The default value for domain controllers is 100. The default value for domain members is 30,000. The default value for stand-alone clients and servers is 360,000.

Note: 0 is an invalid value for the UpdateInterval registry entry. On computers running Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2, if the value is set to 0 the Windows Time service automatically changes it to 1.

The following three registry entries are not part of the W32Time default configuration but can be added to the registry to obtain increased logging. The information logged to the System event log can be modified by changing the value of the EventLogFlags setting in the Group Policy Object Editor. By default, the time service creates a log entry in Event Viewer every time it switches to a new time source.

Warning: Some of the preset values that are configured in the System Administrative template file (System.adm) for the Group Policy object (GPO) settings are different from the corresponding default registry entries. If you plan to use a GPO to configure any Windows Time setting, be sure that you review "Preset values for the Windows Time service Group Policy settings are different from the corresponding Windows Time service registry entries in Windows Server 2003" (http://go.microsoft.com/fwlink/?LinkId=186066). This issue applies to Windows Server 2008 R2, Windows Server 2008, Windows Server 2003 R2, and Windows Server 2003.

The following registry entries must be added in order to enable W32Time logging:

FileLogEntries

Registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
Version: Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2

This entry controls the number of entries created in the Windows Time log file. The default value is none, which does not log any Windows Time activity. Valid values are 0 to 300. This value does not affect the event log entries normally created by Windows Time.

FileLogName

Registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
Version: Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2

This entry controls the location and file name of the Windows Time log. The default value is blank, and should not be changed unless FileLogEntries is changed. A valid value is a full path and file name that Windows Time will use to create the log file. This value does not affect the event log entries normally created by Windows Time.

FileLogSize

Registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
Version: Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2

This entry controls the circular logging behavior of Windows Time log files. When FileLogEntries and FileLogName are defined, this entry defines the size, in bytes, to allow the log file to reach before overwriting the oldest log entries with new entries. Any positive number is valid, and 3000000 is recommended. This value does not affect the event log entries normally created by Windows Time.

Windows Time Service Group Policy Settings

You can configure most W32Time parameters by using the Group Policy Object Editor. This includes configuring a computer to be an NTPServer or NTPClient, configuring the time synchronization mechanism, and configuring a computer to be a reliable time source.

Note
Group Policy settings for the Windows Time service can be configured on Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2 domain controllers and can be applied only to computers running Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2.

You can find the Group Policy settings used to configure W32Time in the Group Policy Object Editor snap-in in the following locations:

  • Computer Configuration\Administrative Templates\System\Windows Time Service: configure Global Configuration Settings here.
  • Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers: configure Windows NTP Client settings, enable Windows NTP Client, and enable Windows NTP Server here.

Warning
Some of the preset values that are configured in the System Administrative template file (System.adm) for the Group Policy object (GPO) settings are different from the corresponding default registry entries. If you plan to use a GPO to configure any Windows Time setting, be sure that you review the article "Preset values for the Windows Time service Group Policy settings are different from the corresponding Windows Time service registry entries in Windows Server 2003" (http://go.microsoft.com/fwlink/?LinkId=186066). This issue applies to Windows Server 2008 R2, Windows Server 2008, Windows Server 2003 R2, and Windows Server 2003.

The following table lists the global Group Policy settings that are associated with the Windows Time service and the pre-set value associated with each setting. For more information about each setting, see the corresponding registry entries in “Windows Time Service Registry Entries” earlier in this subject. The following settings are contained in a single GPO called Global Configuration Settings.

Global Group Policy Settings Associated with Windows Time

| Group Policy Setting | Pre-Set Value |
| --- | --- |
| AnnounceFlags | 10 |
| EventLogFlags | 2 |
| FrequencyCorrectRate | 4 |
| HoldPeriod | 5 |
| LargePhaseOffset | 1280000 |
| LocalClockDispersion | 10 |
| MaxAllowedPhaseOffset | 300 |
| MaxNegPhaseCorrection | 54,000 (15 hours) |
| MaxPollInterval | 15 |
| MaxPosPhaseCorrection | 54,000 (15 hours) |
| MinPollInterval | 10 |
| PhaseCorrectRate | 7 |
| PollAdjustFactor | 5 |
| SpikeWatchPeriod | 90 |
| UpdateInterval | 100 |
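Because the GPO pre-set values differ from the registry defaults (the warning above), it helps to know which settings a GPO would change before you link it. This added PowerShell example (not from the original page) reads the live W32Time\Config values and compares each one against the pre-set values in the table; it is read-only.

```powershell
# Added example: compare the live W32Time\Config registry values with the
# Group Policy pre-set values from the Global Configuration Settings table.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'

# Pre-set values as listed in the table above (seconds/flags as documented).
$presets = [ordered]@{
    AnnounceFlags         = 10
    EventLogFlags         = 2
    FrequencyCorrectRate  = 4
    HoldPeriod            = 5
    LargePhaseOffset      = 1280000
    LocalClockDispersion  = 10
    MaxAllowedPhaseOffset = 300
    MaxNegPhaseCorrection = 54000
    MaxPollInterval       = 15
    MaxPosPhaseCorrection = 54000
    MinPollInterval       = 10
    PhaseCorrectRate      = 7
    PollAdjustFactor      = 5
    SpikeWatchPeriod      = 90
    UpdateInterval        = 100
}

# One read of the key; a value that is not present comes back as $null.
$live = Get-ItemProperty -Path $key

$presets.Keys | ForEach-Object {
    $name    = $_
    $current = $live.$name
    New-Object PSObject -Property @{
        Setting       = $name
        RegistryValue = $current
        GpoPreset     = $presets[$name]
        Matches       = ($current -eq $presets[$name])
    }
} | Format-Table Setting, RegistryValue, GpoPreset, Matches -AutoSize
```

If a Windows Time GPO is already applied, its values are written under HKLM\SOFTWARE\Policies\Microsoft\W32Time and take precedence over the service key checked here; on Windows Server 2008 and later, w32tm /query /configuration shows the effective values and their source.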

The following table lists the available settings for the Configure Windows NTP Client GPO and the pre-set values that are associated with the Windows Time service. For more information about each setting, see the corresponding registry entries in “Windows Time Service Registry Entries” earlier in this subject.

NTP Client Group Policy Settings Associated with Windows Time

| Group Policy Setting | Default Value |
| --- | --- |
| NtpServer | time.windows.com,0x1 |
| Type | NTP (use on computers that are not joined to a domain) or NT5DS (use on computers that are joined to a domain) |
| CrossSiteSyncFlags | 2 |
| ResolvePeerBackoffMinutes | 15 |
| ResolvePeerBackoffMaxTimes | 7 |
| SpecialPollInterval | 3600 |
| EventLogFlags | 0 |

Network Ports Used by the Windows Time Service

Windows Time follows the NTP specification, which requires the use of UDP port 123 for all time synchronization communication. This port is reserved by Windows Time and remains reserved at all times. Whenever the computer synchronizes its clock or provides time to another computer, that communication is performed on UDP port 123.

Cached Credentials

To open the Stored User Names and Passwords dialog, which lists the credentials cached in Windows, run the following command from the command prompt:

rundll32.exe keymgr.dll, KRShowKeyMgr

WMI Command

To check WMI connectivity to a remote computer, run:

wmic /user:domain\user /node:IPAddress systemenclosure get serialnumber

It will then prompt you for the password.

Outlook 2010 address history

Have you moved computers and lost your address history? You know, the list that drops down when you start typing an address and shows all the matching email addresses?

That history lives in a file, <profilename>.NK2, which needs to be copied over and loaded.

Copy it from the old location:

  1. XP: drive:\Documents and Settings\user name\Application Data\Microsoft\Outlook
  2. Vista and above: Drive:\Users\Username\AppData\Roaming\Microsoft\Outlook

Find the NK2 file and copy it to the corresponding location on the new computer.

Then, in a command prompt, type: outlook.exe /importnk2

This came from the article AutoCompleteNames and Import Nk2 Files into Outlook 2010
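The steps above as an added PowerShell script (not from the original post or the article it cites). It assumes the old profile folder is reachable at the path in $OldProfileRoot (for example a mounted old drive) and that the current Outlook profile is named "Outlook", the default; save it as a .ps1 and run it with Outlook closed.

```powershell
# Added example: copy an Outlook autocomplete (.NK2) file from an old profile
# location to the current one and launch Outlook's import.
param(
    [string]$OldProfileRoot = 'E:\Users\OldUser',   # assumed path; adjust for your old drive/user
    [string]$ProfileName    = 'Outlook'             # name of the current Outlook profile
)

# The two locations from the steps above, relative to the old profile root:
# XP (...\Documents and Settings\user name) and Vista and above (...\Users\Username).
$candidates = @(
    (Join-Path $OldProfileRoot 'Application Data\Microsoft\Outlook'),
    (Join-Path $OldProfileRoot 'AppData\Roaming\Microsoft\Outlook')
)

$nk2 = $candidates |
    Where-Object  { Test-Path $_ } |
    ForEach-Object { Get-ChildItem -Path $_ -Filter '*.NK2' } |
    Select-Object -First 1

if (-not $nk2) { throw "No .NK2 file found under $OldProfileRoot" }

$dest = Join-Path $env:APPDATA 'Microsoft\Outlook'
if (-not (Test-Path $dest)) { New-Item -ItemType Directory -Path $dest | Out-Null }

# Outlook 2010 only imports a file whose name matches the current profile name,
# so the copy is written as <ProfileName>.NK2; any existing file is kept as .bak.
$target = Join-Path $dest "$ProfileName.NK2"
if (Test-Path $target) { Copy-Item -Path $target -Destination "$target.bak" -Force }
Copy-Item -Path $nk2.FullName -Destination $target -Force

# The import only runs at startup, so Outlook must not already be open.
if (Get-Process -Name outlook -ErrorAction SilentlyContinue) {
    throw 'Close Outlook before importing the .NK2 file.'
}
Start-Process -FilePath 'outlook.exe' -ArgumentList '/importnk2'
```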

Data Breach Investigations Report 2011

DBIR 2011

Includes Data from US Secret Service and Dutch High Tech Crime Unit

This is an awesome read if you are interested in current, historical and future IT security trends. Here are some tidbits:

  • Who is behind data breaches?
    • 92% stemmed from external agents (+22%)
    • 17% implicated insiders (-31%)
    • <1% resulted from business partners (-10%)
    • 9% involved multiple parties (-18%)
  • How do Breaches occur?
    • 50% utilized some form of hacking (+10%)
    • 49% incorporated malware (+11%)
    • 29% involved physical attacks (+14%)
    • 17% resulted from privilege misuse (-31%)
    • 11% employed social tactics (-17%)

The report consolidates all types of breaches of servers and data, including hacking, malware, social, misuse, error, physical and environmental. Using the A4 elements (Agent, Action, Asset, Attribute) and the VERIS framework, the report presents a grid depicting 630 individual threat events.

Here's the report for you to read for yourself:

Data Breach Investigation Report 2011