
Daily Archives: March 14, 2012

How to Control Skype in a Corporate Setting.

As usual these instructions and notes are written mainly for me as a cook book to use at various clients.
There is no warranty or guarantee express or implied in these notes so be careful.

If you are a professional network administrator you know that you need to check, and often control, the software that is in your environment.  Skype, while common for personal use, is seldom used in the corporate world, and for good reason.  There are several important things you need to know about Skype:

  1. Skype is a “distributed application” (peer-to-peer), so even when you are NOT in a call your Skype client can be promoted to a supernode or relay and use your CPU and, more importantly, your bandwidth to route OTHER people’s calls.  On a single home computer this is seldom a problem, but on a corporate network the resulting bandwidth drain can cause serious problems.
  2. Skype has file and screen sharing, which will breach nearly every corporation’s security policy.
  3. Skype “for home” has no call tracking, monitoring or control mechanisms, which will breach some security policies.
  4. Skype “for home” will have corporate users expensing $1.12 calls, which will make everyone nuts.
  5. Skype removed its “Guide For Network Administrators” as of version 3 in about 2007 and stopped making its management templates available.  Fortunately, I have confirmed that the template I provide below functions on the 2010 version of Skype (v4.2) and I certainly hope it continues to function under v5 due out in the fall.

The solution to these problems is to:

  1. Register with Skype Business and then use Skype Manager.
    • Watch this Skype Manager Video to get the core ideas.
    • Skype Manager will let you create and control accounts in a consistent way.
    • Skype Manager will let you print a report of each user’s calls.
    • Skype Manager will let you add core profile information for each user.
  2. Download the Administrative Templates, add them to your Windows domain, and set your policies.  Note that I used an old “v1.7” Skype admin template from 2006 and enhanced it with a DISABLE SCREEN SHARING option, so you will not find “my” “v1.8” template anywhere else on the web but here.
    • If you have a Windows 2008 domain or newer, use THIS .ADMX template.
      • Copy these files to your \\<domain>\sysvol\<domain>\Policies\PolicyDefinitions (the .admx file goes in that folder; its matching .adml language file goes in the language subfolder, e.g. en-US, or the policy will not display).
        • If you do not have a PolicyDefinitions folder, just create one.
        • If this freaks you out, read THIS about how to create a central store.
    • If you have a Windows 2003 domain or older, use THIS .ADM template.
      • Open the GPO in the Group Policy Object Editor, right-click Administrative Templates and use Add/Remove Templates to import it.
    • [Screenshot: Skype Group Policy in .ADMX (Server 2008) and .ADM (Server 2003) form]
    • After the template is added you should use your Group Policy Management Console to set your policies under COMPUTER CONFIGURATION, POLICIES, ADMINISTRATIVE TEMPLATES, SKYPE.

      • I shut down the following Skype features:
        • FILE SHARING
          • Skype offers no antivirus scanning on transfer and I will not intentionally leave malware detection to the desktop AV scanner alone.  An incoming file should go through several other scans and a Skype transfer does not, so I killed it.
          • I don’t want files to easily leave the company.  Data protection is king.
        • SCREEN SHARING
          • I don’t want information leaving the company or accidentally accessed via sharing.
          • Users can view other people’s screens but not share theirs.
        • PREVENT SUPERNODE
          • This stops the Skype client from using network bandwidth to relay OTHER people’s traffic.
        • DISABLE LISTENING TO TCP
          • This stops the Skype client from accepting uninvited inbound TCP connections.
        • DISABLE SKYPE PUBLIC API
          • This stops third-party plugins / extras from working.
        • DISABLE NEW VERSION CHECKING
          • I will update clients when I think they should be.
          • I don’t want users pestered with upgrade notices.
    • Apply that new Group Policy to the OUs you are concerned with and either wait for the next refresh (computer policy refreshes at boot and roughly every 90 minutes thereafter) or just run gpupdate /force manually on the machine in question.
    • If you don’t want to use Group Policy you can simply create your own registry entries under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Skype\Phone.  You can also download my reg file to get started.
    • Some of you may find this Skype forum thread (particularly the end) to be useful.
    • A thorough analysis of Skype and its security implications for organizations can be found on this University of Texas page.  Specifically, you may find the Group Policy / registry detail there to be quite useful:

    DisableFileTransferPolicy—Disables file transfer to prevent the user from sending and receiving files using Skype.

    DisableContactImportPolicy—Disables import contacts.

    DisablePersonalisePolicy—Disables personalization to prevent the user from changing sounds.

    DisableLanguageEditPolicy—Disables language edit to prevent the user from editing language strings.

    WebStatusPolicy—When enabled, always publishes the user’s status on the Web as Skype buttons. When disabled, prevents the user from publishing status on the Web.

    DisableApiPolicy—Disables the Skype Public API to prevent third-party applications from accessing Skype functionality.

    DisableVersionCheckPolicy—Disables new version checking by preventing Skype from detecting new versions and updates.

    MemoryOnlyPolicy—Runs in memory-only mode so Skype does not store any data on the local disk.

    ListenPortPolicy—Sets the listening port where Skype listens for incoming connections.

    ListenPort—Listening port number.

    ListenHTTPPortsPolicy—When enabled, listens on HTTP (port 80) and HTTPS (port 443) ports. When disabled, does not listen on HTTP/HTTPS ports. When not configured, lets the user decide.

    DisableTCPListenPolicy—Disables listening for TCP connections to prevent the Skype client from receiving incoming TCP connections.

    DisableUDPPolicy—Disables UDP communications to prevent the Skype client from using UDP to communicate with the network.

    DisableSupernodePolicy—Prevents the Skype client from becoming a super node or relay host.

    ProxyPolicy—Establishes the proxy policy.

    ProxyType—Establishes the proxy type.

    ProxyUnset—Unset

    ProxyAutomatic—Automatic

    ProxyDisabled—Disabled

    ProxyHTTPS—HTTPS

    ProxySOCKS5—SOCKS5

    ProxyAddress—Proxy address (host:port)

    ProxyUsername—Username

    ProxyPassword—Password

    The following is a list of configurable registry entries that apply to the Windows Skype Client as taken from the Skype Guide for Network Administrators (HKLM is short for HKEY_LOCAL_MACHINE) (Skype, 2008):

    HKLM\Software\Policies\Skype\Phone, DisableApi, REG_DWORD = {0,1}

    HKLM\Software\Policies\Skype\Phone, DisableFileTransfer, REG_DWORD = {0,1}

    HKLM\Software\Policies\Skype\Phone, MemoryOnly, REG_DWORD = {0,1}

    HKLM\Software\Policies\Skype\Phone, DisableContactImport, REG_DWORD = {0,1}

    HKLM\Software\Policies\Skype\Phone, DisableVersionCheck, REG_DWORD = {0,1}

    HKLM\Software\Policies\Skype\Phone, DisablePersonalise, REG_DWORD = {0,1}

    HKLM\Software\Policies\Skype\Phone, DisableLanguageEdit, REG_DWORD = {0,1}

    HKLM\Software\Policies\Skype\Phone, ListenPort, REG_DWORD = {port number}

    HKLM\Software\Policies\Skype\Phone, ListenHTTPPorts, REG_DWORD = {0,1}

    HKLM\Software\Policies\Skype\Phone, DisableTCPListen, REG_DWORD = {0,1}

    HKLM\Software\Policies\Skype\Phone, DisableUDP, REG_DWORD = {0,1}

    HKLM\Software\Policies\Skype\Phone, DisableSupernode, REG_DWORD = {0,1}

    HKLM\Software\Policies\Skype\Phone, ProxySettings, REG_SZ = {string}

    HKLM\Software\Policies\Skype\Phone, ProxyAddress, REG_SZ = {string}

    HKLM\Software\Policies\Skype\Phone, ProxyUsername, REG_SZ = {string}

    HKLM\Software\Policies\Skype\Phone, ProxyPassword, REG_SZ = {string}

    HKLM\Software\Policies\Skype\Phone, WebStatus, REG_DWORD = {0,1}

    These same registry settings are available for the current user at HKEY_CURRENT_USER\Software\Policies\Skype\Phone but the HKEY_LOCAL_MACHINE entries take precedence.
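The registry route above can be scripted and, more usefully, audited. The following PowerShell (3.0 or later, run elevated) is an added example written for this page; it is not the author’s reg file, not the template, and not anything published by Skype. It assumes the value names and 0/1 meanings in the list above (1 = feature disabled) and applies the five switches the post turns off. The screen-sharing switch from the author’s custom template is deliberately left out because its registry value name is not documented on this page.

```powershell
# Added example (not code from the original post or from Skype): write the
# machine-level Skype policies the post turns off to the registry path the post
# names, then report which hive actually supplies each effective value.
# Assumptions: value names / 0-1 semantics from the Guide for Network
# Administrators list above; 1 = feature disabled. Requires PowerShell 3.0+
# (for [pscustomobject]) and an elevated session for the HKLM writes.

$MachinePath = 'HKLM:\SOFTWARE\Policies\Skype\Phone'
$UserPath    = 'HKCU:\SOFTWARE\Policies\Skype\Phone'

# Mirrors the post: file transfer, supernode, TCP listening, public API and
# version checking all disabled.
$Desired = @{
    DisableFileTransfer = 1
    DisableSupernode    = 1
    DisableTCPListen    = 1
    DisableApi          = 1
    DisableVersionCheck = 1
}

function Set-SkypePolicy {
    param([hashtable]$Settings, [string]$Path = $MachinePath)
    if (-not (Test-Path -Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    foreach ($name in $Settings.Keys) {
        # -Force overwrites an existing value and corrects a wrong type (e.g. REG_SZ).
        New-ItemProperty -Path $Path -Name $name -PropertyType DWord `
            -Value $Settings[$name] -Force | Out-Null
    }
}

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-EffectiveSkypePolicy {
    # HKLM wins over HKCU for these policy values (as the post notes), so say
    # which hive supplied the effective value. A value present only in HKCU means
    # the user could have set, or could clear, it themselves.
    param([string[]]$Names)
    foreach ($name in $Names) {
        $machine = Get-PolicyValue -Path $MachinePath -Name $name
        $user    = Get-PolicyValue -Path $UserPath    -Name $name
        if ($null -ne $machine)  { $effective = $machine; $source = 'HKLM' }
        elseif ($null -ne $user) { $effective = $user;    $source = 'HKCU' }
        else                     { $effective = $null;    $source = 'not set' }
        [pscustomobject]@{
            Name      = $name
            Effective = $effective
            Source    = $source
            HKLM      = $machine
            HKCU      = $user
        }
    }
}

Set-SkypePolicy -Settings $Desired
Get-EffectiveSkypePolicy -Names @($Desired.Keys) | Format-Table -AutoSize

# Anything not disabled at machine level is a gap worth a ticket.
$gaps = Get-EffectiveSkypePolicy -Names @($Desired.Keys) |
    Where-Object { $_.Source -ne 'HKLM' -or $_.Effective -ne 1 }
if ($gaps) {
    $names = ($gaps | Select-Object -ExpandProperty Name) -join ', '
    Write-Warning "Skype policy gaps on $($env:COMPUTERNAME): $names"
}
```

Two caveats. If the same values are delivered by a GPO, Group Policy refresh will rewrite them, so on domain members use the script as an audit (the second half) rather than as the source of truth. And Skype reads these values at start-up, so a running client keeps its old behaviour until it is restarted.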

Posted by on March 14, 2012 in Tips

 


Critical Windows bug could make worm meat of millions of high-value machines

Microsoft has plugged a critical hole in all supported versions of Windows that allows attackers to hit high-value computers with self-replicating attacks that install malicious code with no user interaction required. The vulnerability in the Remote Desktop Protocol is of particular concern to system administrators in government and corporate settings because they often use the feature to remotely trouble-shoot e-mail servers, point-of-sale terminals and other machines when they experience problems. RDP is also the default way to manage Windows machines that connect to Amazon’s EC2 and other cloud services.

That means potentially millions of endpoints are at risk of being hit by a powerful computer worm that spreads exponentially, similarly to the way exploits known as Nimda and Code Red did in 2001. “This type of vulnerability is where no user intervention or user action is required and an attacker can just send some specially crafted packets or requests, and because of which he or she can take complete control of the target machine,” Amol Sarwate, director of Qualys’ vulnerability research lab, said in an interview. While RDP is not enabled by default, he said the number of machines that have it turned on is a “big concern” because it is so widely used in large organizations and business settings.

The bug affects Windows XP and all versions of Windows released since, including the developer preview of Windows 8. It was privately reported by Luigi Auriemma, an Italian security researcher who frequently focuses on vulnerabilities in industrial control systems and SCADA, or supervisory control and data acquisition, systems used to control dams, gasoline refineries, and power plants. Microsoft said there’s no indication the vulnerability is being used in the public to attack Windows users at the moment, but the company predicts that could change. “Due to the attractiveness of this vulnerability to attackers, we anticipate that an exploit for code execution will be developed in the next 30 days,” Suha Can and Jonathan Ness, of Microsoft Security Response Center Engineering, wrote in an advisory published Tuesday.

They urged users to “promptly apply” an accompanying security update. Those who can’t update right away and are running Vista or a later version of Windows should enable Network Level Authentication, a feature that requires users logging in to RDP boxes to have security credentials before gaining access. The RDP fix is one of six security patches Microsoft shipped as part of its most recent Patch Tuesday. In all, they fix at least seven vulnerabilities. Only the RDP bug is rated critical. Four bulletins were classified as important and one was rated as moderate.
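The two facts an administrator needs per host are whether RDP is reachable at all and whether Network Level Authentication is required, since NLA is the stop-gap the advisory recommends until the update is installed. The PowerShell below is an added example for this page, not from the article or from Microsoft; it reads the standard Terminal Services registry settings and uses the documented Win32_TSGeneralSetting WMI method to require NLA. It assumes Vista / Server 2008 or later, an elevated session, and PowerShell 3.0 or later.

```powershell
# Added example (not from the original article): report a host's RDP exposure
# and require Network Level Authentication, the interim mitigation the article
# cites for machines that cannot be patched immediately.
# Assumptions: Vista / Server 2008 or later, elevated session, PowerShell 3.0+.
# NLA only affects new connections; existing sessions are untouched.

$TsRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpTcp = Join-Path -Path $TsRoot -ChildPath 'WinStations\RDP-Tcp'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-RdpExposure {
    # fDenyTSConnections = 0 means inbound RDP is allowed.
    # UserAuthentication = 1 means NLA (CredSSP) must succeed before a session
    # is created, so unauthenticated peers never reach the session-level code.
    $deny = Get-RegValue -Path $TsRoot -Name 'fDenyTSConnections'
    $nla  = Get-RegValue -Path $RdpTcp -Name 'UserAuthentication'
    $port = Get-RegValue -Path $RdpTcp -Name 'PortNumber'
    if ($null -eq $port) { $port = 3389 }   # default when the value is absent
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        RdpEnabled   = ($deny -eq 0)
        NlaRequired  = ($nla -eq 1)
        ListenPort   = $port
    }
}

function Enable-RdpNla {
    # Win32_TSGeneralSetting.SetUserAuthenticationRequired(1) is the supported
    # way to require NLA; it sets the UserAuthentication value read above.
    $setting = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
        -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    if ($null -eq $setting) { throw 'RDP-Tcp listener not found via WMI' }
    $result = $setting.SetUserAuthenticationRequired(1)
    if ($result.ReturnValue -ne 0) {
        throw "SetUserAuthenticationRequired failed with code $($result.ReturnValue)"
    }
}

$before = Get-RdpExposure
$before | Format-List

if ($before.RdpEnabled -and -not $before.NlaRequired) {
    Write-Warning "RDP is enabled without NLA on $($before.ComputerName); enabling NLA."
    Enable-RdpNla
    Get-RdpExposure | Format-List
}
elseif (-not $before.RdpEnabled) {
    Write-Host "RDP is disabled on $($before.ComputerName); nothing to do."
}
```

Run this from a management host against each server in scope and keep the "before" output as evidence. NLA needs clients that speak CredSSP (RDP 6.0 or later; XP SP3 needs it switched on), so check your jump hosts first. It is a mitigation, not a fix: machines that do not need RDP reachable from the network should keep fDenyTSConnections at 1 or restrict the inbound firewall rule to the administration subnet, and the update still has to be applied.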

 

Posted by on March 14, 2012 in Security, Tips

 


How to create a bootable Windows 7 USB flash drive

The USB flash drive has replaced the floppy disk drive as the best storage medium for transferring files, but it also has its uses as a replacement for CDs and DVDs. USB drives tend to be higher in capacity than disc media, but since they are more expensive, they cannot (yet) really be used as a replacement. There are reasons why you would, however, choose a USB device over a DVD disc, and bootable software is definitely one of them. Not only is it faster to copy data such as setup files from a USB drive, but during usage the access times are also significantly faster. Therefore, installing something like Windows 7 will work that much faster from a USB drive than from a DVD (and of course, is particularly useful for the PCs without an optical drive; this isn’t something we should just leave for the pirates to enjoy).

This guide will show you two different ways to create a USB flash drive that works just like a Windows 7 DVD. In order to follow this guide, you’ll need a USB flash drive with at least 4GB of free space and a copy of the Windows 7 installation disc.

Windows 7 USB DVD Download Tool

You are normally given this tool when you purchase from the online Microsoft Store.

The easiest way to turn a USB flash drive into a bootable Windows 7 installer is by using the tool Microsoft offers, cunningly named the Windows 7 USB/DVD Download Tool. To get started, download the installer [exe] from Microsoft.com and follow the basic steps to put it onto your computer; you can put it on the computer you plan to install Windows 7 on or another one, it doesn’t matter.


Once it is installed, it should create an icon on your desktop, so double-click that to open it. If you can’t find it, use the search function in the Start Menu with a keyword like “USB.” Launching it brings up the first of four steps, and step one is to find the Windows 7 .ISO file. The tool only accepts .ISO images, so we recommend that you convert yours if it’s in a different DVD image format.


Step two is straightforward: simply choose USB device.


In step three, all you have to do is make sure that you are choosing the correct USB device. If you have other data on the device, move it to your hard drive, another USB device, or somewhere else before proceeding.


The tool will prompt you if it detects data on the device. Once your data is backed up elsewhere, click Erase USB Device.


You will get another prompt warning you that all the data will be wiped. Click Yes to continue.


The format will be very quick, while the copying of the files will take a little bit more time (about 10 to 15 minutes).


Once the process is complete, you should get a confirmation message. At this point you can close the tool and use the USB drive to install Windows 7. Remember that you’ll have to choose to boot off the USB drive. Before doing so, you may want to open up the USB drive and double-click setup.exe to see if everything looks okay. If you want to be able to do this manually, see my other post on this.
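For reference, what the tool does is three things: partition and format the stick, write a Windows boot sector to it, and copy the DVD contents across. The PowerShell below is an added example for this page doing those same three steps by hand with diskpart, bootsect and xcopy; it is not the author’s other post and not Microsoft’s tool. It assumes the ISO contents are already available on a drive letter ($SourceRoot, e.g. a mounted or extracted ISO), that the stick is physical disk $DiskNumber, and that bootsect.exe is in the source’s boot\ folder as it is on the Windows 7 DVD. Run it elevated, and check the disk number first, because it wipes that disk.

```powershell
# Added example (not from the original post, not the author's other post): build a
# bootable Windows 7 installer stick by hand: diskpart (partition + format),
# bootsect (boot code), xcopy (files). DESTRUCTIVE to the selected disk.
# Assumptions: $SourceRoot holds the extracted/mounted ISO contents, $DiskNumber is
# the USB stick as shown by "diskpart> list disk", bootsect.exe is at boot\bootsect.exe.
param(
    [int]$DiskNumber  = 2,       # assumed: verify with diskpart "list disk" first
    [string]$SourceRoot = 'D:\', # assumed: drive letter of the ISO contents
    [string]$UsbLetter  = 'U'    # assumed: letter to assign to the formatted stick
)

# Sanity checks before anything destructive: the source must be a Windows 7
# install tree and the target must actually be a USB disk.
foreach ($rel in @('setup.exe', 'sources\install.wim', 'boot\bootsect.exe')) {
    if (-not (Test-Path -Path (Join-Path $SourceRoot $rel))) {
        throw "Missing $rel under $SourceRoot; is the ISO mounted/extracted there?"
    }
}
$disk = Get-WmiObject -Class Win32_DiskDrive | Where-Object { $_.Index -eq $DiskNumber }
if ($null -eq $disk) { throw "Disk $DiskNumber not found" }
if ($disk.InterfaceType -ne 'USB') {
    throw "Disk $DiskNumber ($($disk.Model)) is $($disk.InterfaceType), not USB; refusing to wipe it"
}
if ($disk.Size -lt 4GB) { throw "Disk $DiskNumber is smaller than 4 GB" }

# diskpart script: one primary active NTFS partition with a fixed drive letter.
$script = @"
select disk $DiskNumber
clean
create partition primary
select partition 1
active
format fs=ntfs quick label="WIN7"
assign letter=$UsbLetter
exit
"@
$scriptFile = Join-Path $env:TEMP 'win7usb.txt'
Set-Content -Path $scriptFile -Value $script -Encoding ASCII
diskpart /s $scriptFile
if ($LASTEXITCODE -ne 0) { throw "diskpart failed with exit code $LASTEXITCODE" }

# Write the Vista/7-style (BOOTMGR) boot sector so the BIOS can boot the partition.
& (Join-Path $SourceRoot 'boot\bootsect.exe') /nt60 "$($UsbLetter):" /force
if ($LASTEXITCODE -ne 0) { throw "bootsect failed with exit code $LASTEXITCODE" }

# Copy the whole install tree (/E includes empty subdirectories, /H hidden files).
xcopy "$SourceRoot*" "$($UsbLetter):\" /E /H /K /Y
if ($LASTEXITCODE -ne 0) { throw "xcopy failed with exit code $LASTEXITCODE" }

Write-Host "Done: $($UsbLetter):\setup.exe and \sources\install.wim are in place; boot from USB to install."
```

The InterfaceType check is the one worth keeping even if you type the diskpart commands yourself: "select disk 2" against the wrong number erases a data disk with no further prompt. One known snag: the 64-bit DVD’s bootsect.exe will not run on a 32-bit Windows, so build a 64-bit stick from a 64-bit machine (or use the 32-bit DVD’s bootsect, which writes the same boot sector).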

 

Posted by on March 14, 2012 in Tips

 


How to install / Dual boot Linux from Windows using UNetbootin

A few days ago a friend of mine was ready to enter the Linux world (sic!). He downloaded a Fedora ISO but he didn’t have a blank CD to burn it. So he asked me for a way to install Linux through his Windows system. So, in this guide I will describe how to install a Linux distribution from a Windows system so that you don’t have to burn a CD. I will use a freeware application called UNetbootin. UNetbootin is a tool that allows you to either create bootable Live USB drives for a variety of Linux distributions (Fedora, Ubuntu, Debian, Gentoo, openSUSE etc.) or make a “frugal install” directly on your local hard disk drive if you don’t have a USB drive. It can either download the ISO images automatically or use existing ISO files. Apart from a Windows 2000/XP/Vista version it also has Linux versions, with precompiled packages for Ubuntu, Debian, openSUSE and Gentoo. Therefore, you can use it to install Linux from another Linux!

In this tutorial I have installed Ubuntu Intrepid Ibex 8.10, for which I had previously downloaded an ISO image, through a Windows XP system. The procedure is the same to install any distribution through Windows or Linux. So download the latest stable version of UNetbootin and let’s get started.

This is the main window of UNetbootin. You can see the list of available distributions that UNetbootin can download for you. Various versions of each distro are supported. Apart from the Distribution and Diskimage options you can do a custom installation using a specific kernel and initrd as well as custom kernel options, but I believe this will confuse most people, and since it isn’t a common situation I won’t cover this option.

As I’ve said before, I will not use the automatic download but the Ubuntu 8.10 LiveCD ISO (1) I have on my disk. Moreover I won’t use a USB drive, just my hard disk (2). Of course, if your motherboard supports booting from USB drives and you own a large enough USB drive, select that in the Type drop-down box.

UNetbootin will download files (if you have chosen the download ISO option), extract files from the ISO image, copy them to a temporary image, install a bootloader and prompt you to reboot your system.


When you reboot select UNetbootin from the list.

Next click on the find /unetbtin/menu.lst option.

And select UNetbootin.

The installation process should begin.

Ubuntu 8.10 is a LiveCD, so just click the install icon to install it locally. I won’t post here details about the installation process of Ubuntu since this isn’t the subject of this UNetbootin guide. Just be very careful when you partition your system. You don’t want to install Linux on an existing Windows partition, do you? If you are interested you can read my Ubuntu Installation guide for more details.

Once the installation completes just reboot your system and select Windows from the GRUB boot menu. Another boot menu will appear, the Windows bootloader this time. Here choose again Windows. You will be prompted to Run UNetbootin.exe. This will automatically remove it from your system, along with the Windows bootloader.

Now you have a dual boot Windows-Linux. Enjoy!

Note: Apart from Ubuntu 8.10 I have tried the same using a Fedora 10 LiveCD ISO. However I had a few problems with it and I didn’t install it. The first problem was the following error message:

Warning could not find root filesystem
Create symlink dev/root and then exit the shell to continue install.
I solved this by typing:

ln -s / /dev/root
However I got another error next saying:

bug in initramfs /init detected. Dropping to a shell. Good luck!
There is an open bug in Red Hat’s Bugzilla for this so there is nothing I can do. I don’t know if there is the same problem with the normal Fedora DVD ISO. If anyone tries it just drop me a comment here.

Raffyememon.wordpress.com

 

Posted by on March 14, 2012 in Tips

 


 