Tag Archives: security

How to Control Skype in a Corporate Setting.

As usual, these instructions and notes are written mainly for me as a cookbook to use at various clients.
There is no warranty or guarantee express or implied in these notes so be careful.

If you are a professional network administrator you know that you need to check, and often control, the software that runs in your environment.  Skype, while common for personal use, is seldom used in the corporate world, and for good reason.  There are several important things you need to know about Skype:

  1. Skype is a “distributed application”, so even when you are NOT in a call, Skype is using your CPU and, more importantly, your bandwidth to route OTHER people's calls.  On a single computer this is not often a problem, but on a corporate network the resulting bandwidth drain can cause serious problems.
  2. Skype has file and screen sharing, which will breach nearly every corporation's security policies.
  3. Skype “for home” has no call tracking, monitoring or control mechanisms, which will breach some security policies.
  4. Skype “for home” will have corporate users expensing $1.12 calls, which will make everyone nuts.
  5. Skype has removed their “Guide For Network Administrators” as of version 3 in about 2007 and stopped making their management templates available.  Fortunately, I have confirmed that the template I provide below functions on the 2010 version of Skype (v4.2) and I certainly hope it continues to function under v5, due out in the fall.

The solution to these problems is to:

  1. Register with Skype Business and then use Skype Manager.
    • Watch this Skype Manager Video to get the core ideas.
    • Skype Manager will let you create and control accounts in a consistent way.
    • Skype Manager will let you print a report of each user's calls.
    • Skype Manager will let you add core profile information for each user.
  2. Download the Administration Templates, add them to your Windows domain, and set your policies.  Note that I used an old “v1.7” Skype admin template from 2006 and enhanced it with a DISABLE SCREEN SHARING option, so you will not find “my” “v1.8” template anywhere else on the web but here.
    • If you have a Windows 2008 domain or newer, use THIS .ADMX template
      • Copy these files to your \\<domain>\sysvol\<domain>\Policies\PolicyDefinitions
        • If you do not have a PolicyDefinitions folder, just create one
        • If this freaks you out, read THIS about how to create a central store.
    • If you have a Windows 2003 domain or older, use THIS .ADM template
      • Use your Group Policy Management Console to IMPORT this template.
    • (Screenshot: Skype Group Policy in .ADMX and .ADM, Server 2008 and Server 2003)
    • After the template is added you should use your Group Policy Management Console to set your policies under COMPUTER CONFIGURATION, POLICIES, ADMINISTRATIVE TEMPLATES, SKYPE

      • I shut down the following Skype Features:
        • FILE SHARING
          • Skype offers no antivirus scanning on transfer and I will not intentionally leave malware detection to the desktop AV scanner alone.  It should go through several other scans and it does not, so I killed it.
          • I don’t want files to easily leave the company.  Data protection is king.
        • SCREEN SHARING
          • I don’t want information leaving the company or accidentally accessed via sharing.
          • Users can view other people's screens but not share theirs.
        • PREVENT SUPERNODE
          • This stops the Skype client from using network bandwidth for OTHER people.
        • DISABLE LISTENING TO TCP
          • This stops the Skype client from receiving uninvited connections.
        • DISABLE SKYPE PUBLIC API
          • This stops third-party plugins / extras from working.
        • DISABLE NEW VERSION CHECKING
          • I will update clients when I think they should be.
          • I don’t want users pestered with upgrade notices.
    • Apply that new Group Policy to the OUs you are concerned with and either wait a few hours for it to be automatically applied or just run gpupdate /force manually on the machine in question.
    • If you don’t want to use Group Policy you can simply create your own registry entries under HKEY_LOCAL_MACHINE\SOFTWARE\POLICIES\SKYPE\PHONE.  You can also download my reg file to get started.
    • Some of you may find this Skype forum thread (particularly the end) to be useful.
    • A thorough analysis of Skype and its security implications for organizations can be found on this University of Texas page.  Specifically, you may find the Group Policy / Registry detail there to be quite useful:

    DisableFileTransferPolicy—Disables file transfer to prevent the user from sending and receiving files using Skype.

    DisableContactImportPolicy—Disables import contacts.

    DisablePersonalisePolicy—Disables personalization to prevent the user from changing sounds.

    DisableLanguageEditPolicy—Disables language edit to prevent the user from editing language strings.

    WebStatusPolicy—When enabled, always publishes the user’s status on the Web as Skype buttons. When disabled, prevents the user from publishing status on the Web.

    DisableApiPolicy—Disables the Skype Public API to prevent third-party applications from accessing Skype functionality.

    DisableVersionCheckPolicy—Disables new version checking by preventing Skype from detecting new versions and updates.

    MemoryOnlyPolicy—Runs in memory-only mode so Skype does not store any data on the local disk.

    ListenPortPolicy—Sets the listening port where Skype listens for incoming connections.

    ListenPort—Listening port number.

    ListenHTTPPortsPolicy—When enabled, listens on HTTP (port 80) and HTTPS (port 443) ports. When disabled, does not listen on HTTP/HTTPS ports. When not configured, lets the user decide.

    DisableTCPListenPolicy—Disables listening for TCP connections to prevent the Skype client from receiving incoming TCP connections.

    DisableUDPPolicy—Disables UDP communications to prevent the Skype client from using UDP to communicate with the network.

    DisableSupernodePolicy—Prevents the Skype client from becoming a super node or relay host.

    ProxyPolicy—Establishes the proxy policy.

    ProxyType—Establishes the proxy type.

    ProxyUnset—Unset

    ProxyAutomatic—Automatic

    ProxyDisabled—Disabled

    ProxyHTTPS—HTTPS

    ProxySOCKS5—SOCKS5

    ProxyAddress—Proxy address (host:port)

    ProxyUsername—Username

    ProxyPassword—Password

    The following is a list of configurable registry entries that apply to the Windows Skype Client as taken from the Skype Guide for Network Administrators (HKLM is short for HKEY_LOCAL_MACHINE) (Skype, 2008):

    HKLM\Software\Policies\Skype\Phone, DisableApi, REG_DWORD = {0,1}

    HKLM\Software\Policies\Skype\Phone, DisableFileTransfer, REG_DWORD = {0,1}

    HKLM\Software\Policies\Skype\Phone, MemoryOnly, REG_DWORD = {0,1}

    HKLM\Software\Policies\Skype\Phone, DisableContactImport, REG_DWORD = {0,1}

    HKLM\Software\Policies\Skype\Phone, DisableVersionCheck, REG_DWORD = {0,1}

    HKLM\Software\Policies\Skype\Phone, DisablePersonalise, REG_DWORD = {0,1}

    HKLM\Software\Policies\Skype\Phone, DisableLanguageEdit, REG_DWORD = {0,1}

    HKLM\Software\Policies\Skype\Phone, ListenPort, REG_DWORD = {0,1}

    HKLM\Software\Policies\Skype\Phone, ListenHTTPPorts, REG_DWORD = {0,1}

    HKLM\Software\Policies\Skype\Phone, DisableTCPListen, REG_DWORD = {0,1}

    HKLM\Software\Policies\Skype\Phone, DisableUDP, REG_DWORD = {0,1}

    HKLM\Software\Policies\Skype\Phone, DisableSupernode, REG_DWORD = {0,1}

    HKLM\Software\Policies\Skype\Phone, ProxySettings, REG_SZ = {string}

    HKLM\Software\Policies\Skype\Phone, ProxyAddress, REG_SZ = {string}

    HKLM\Software\Policies\Skype\Phone, ProxyUsername, REG_SZ = {string}

    HKLM\Software\Policies\Skype\Phone, ProxyPassword, REG_SZ = {string}

    HKLM\Software\Policies\Skype\Phone, WebStatus, REG_DWORD = {0,1}

    These same registry settings are available for the current user at HKEY_CURRENT_USER\Software\Policies\Skype\Phone but the HKEY_LOCAL_MACHINE entries take precedence.
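The feature list I shut down above and the registry names in the quoted list map onto five REG_DWORD values under the machine policy key. The following PowerShell is an added example (not my .reg file or the .ADM/.ADMX template): it writes those five values and then audits them, reporting the value Skype will actually honour given that HKEY_LOCAL_MACHINE overrides HKEY_CURRENT_USER. Value names are taken from the list above; the screen-sharing switch that the v1.8 template adds is not in that list, so it is not set here. It must be run from an elevated prompt.

```powershell
# Added example, not the author's template or .reg file. Applies the Skype lockdown
# described in the post as machine policy values and audits the result.
# Key paths and value names come from the registry list in the post.

$MachineKey = 'HKLM:\SOFTWARE\Policies\Skype\Phone'
$UserKey    = 'HKCU:\SOFTWARE\Policies\Skype\Phone'

# REG_DWORD values: 1 = feature disabled / restriction enforced.
$Lockdown = @{
    DisableFileTransfer = 1   # no file transfer in either direction
    DisableApi          = 1   # no third-party plugins through the Public API
    DisableTCPListen    = 1   # no inbound TCP connections to the client
    DisableSupernode    = 1   # never relay other users' calls
    DisableVersionCheck = 1   # updates are pushed by the administrator, not the client
}

function Set-SkypePolicy {
    # Requires an elevated prompt; HKLM\SOFTWARE\Policies is writable only by administrators.
    param([hashtable]$Settings, [string]$Key = $MachineKey)

    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    foreach ($name in $Settings.Keys) {
        New-ItemProperty -Path $Key -Name $name -Value $Settings[$name] `
            -PropertyType DWord -Force | Out-Null
    }
}

function Get-PolicyValue {
    # Returns the named value from a policy key, or $null if the key or value is absent.
    param([string]$Key, [string]$Name)
    if (-not (Test-Path $Key)) { return $null }
    (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Test-SkypePolicy {
    # One row per setting: machine value, user value, the value Skype will honour
    # (HKLM wins when present), and whether that matches the intended lockdown.
    param([hashtable]$Expected)

    foreach ($name in $Expected.Keys) {
        $machine   = Get-PolicyValue -Key $MachineKey -Name $name
        $user      = Get-PolicyValue -Key $UserKey    -Name $name
        $effective = if ($null -ne $machine) { $machine } else { $user }
        [pscustomobject]@{
            Setting   = $name
            HKLM      = $machine
            HKCU      = $user
            Effective = $effective
            Enforced  = ($effective -eq $Expected[$name])
        }
    }
}

Set-SkypePolicy -Settings $Lockdown
Test-SkypePolicy -Expected $Lockdown | Format-Table -AutoSize
```

Any row with Enforced = False after a run means the value was rejected or overwritten; on a domain-joined machine, check that Group Policy is not setting a different value for the same name, since the policy key is rewritten at every refresh.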

 
Posted by on March 14, 2012 in Tips

Critical Windows bug could make worm meat of millions of high-value machines

Microsoft has plugged a critical hole in all supported versions of Windows that allows attackers to hit high-value computers with self-replicating attacks that install malicious code with no user interaction required. The vulnerability in the Remote Desktop Protocol is of particular concern to system administrators in government and corporate settings because they often use the feature to remotely trouble-shoot e-mail servers, point-of-sale terminals and other machines when they experience problems. RDP is also the default way to manage Windows machines that connect to Amazon’s EC2 and other cloud services.

That means potentially millions of endpoints are at risk of being hit by a powerful computer worm that spreads exponentially, similarly to the way exploits known as Nimda and Code Red did in 2001. “This type of vulnerability is where no user intervention or user action is required and an attacker can just send some specially crafted packets or requests, and because of which he or she can take complete control of the target machine,” Amol Sarwate, director of Qualys’ vulnerability research lab, said in an interview. While RDP is not enabled by default, he said the number of machines that have it turned on is a “big concern” because it is so widely used in large organizations and business settings.

The bug affects Windows XP and all versions of Windows released since, including the developer preview of Windows 8. It was privately reported by Luigi Auriemma, an Italian security researcher who frequently focuses on vulnerabilities in industrial control systems and SCADA, or supervisory control and data acquisition, systems used to control dams, gasoline refineries, and power plants. Microsoft said there’s no indication the vulnerability is being used in the public to attack Windows users at the moment, but the company predicts that could change. “Due to the attractiveness of this vulnerability to attackers, we anticipate that an exploit for code execution will be developed in the next 30 days,” Suha Can and Jonathan Ness, of Microsoft Security Response Center Engineering, wrote in an advisory published Tuesday.

They urged users to “promptly apply” an accompanying security update. Those who can’t update right away and are running Vista or a later version of Windows should enable Network Level Authentication, a feature that requires users logging in to RDP boxes to have security credentials before gaining access. The RDP fix is one of six security patches Microsoft shipped as part of its most recent Patch Tuesday. In all, they fix at least seven vulnerabilities. Only the RDP bug is rated critical. Four bulletins were classified as important and one was rated as moderate.
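For administrators who cannot patch immediately, the interim mitigation above is to require Network Level Authentication. The following PowerShell is an added example, not part of the article or of Microsoft's advisory: it audits whether a host accepts Remote Desktop connections and whether NLA is required, and can enforce NLA. It reads the standard Terminal Server registry locations (fDenyTSConnections and the RDP-Tcp UserAuthentication value), which are assumed here and are not values given in the article.

```powershell
# Added example, not from the article. Audits RDP exposure on the local host
# and optionally enforces Network Level Authentication (Vista and later).
# Registry locations are the standard Terminal Server settings (assumed, not from the article).

$TsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpTcp = Join-Path $TsKey 'WinStations\RDP-Tcp'

function Get-RdpExposure {
    # fDenyTSConnections = 0 means RDP accepts connections;
    # UserAuthentication = 1 means the client must authenticate before a session is set up.
    $deny = (Get-ItemProperty -Path $TsKey  -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $nla  = (Get-ItemProperty -Path $RdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        RdpEnabled   = ($deny -eq 0)
        NlaRequired  = ($nla -eq 1)
        Exposed      = ($deny -eq 0 -and $nla -ne 1)   # reachable pre-authentication
    }
}

function Enable-RdpNla {
    # Requires an elevated prompt; applies to new connections only.
    Set-ItemProperty -Path $RdpTcp -Name UserAuthentication -Value 1 -Type DWord
}

$state = Get-RdpExposure
$state | Format-List
if ($state.Exposed) {
    Write-Warning 'RDP is reachable without NLA; install the update, then run Enable-RdpNla from an elevated prompt.'
}
```

NLA only narrows the pre-authentication surface on Vista and later; it is not a substitute for the update, and clients older than the RDP 6.0 client cannot connect once it is required.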

 
Posted by on March 14, 2012 in Security, Tips

Android falls flat in front of malware coming from Facebook

Google’s Android operating system has had its fair share of concerns as of late, with people growing concerned over flaws that have been unearthed at different times, and malware for the OS appearing on the Android Market. While the scale is still small enough to avoid, more crafty people are looking into ways to get their questionable apps on the OS so that they can cause havoc and potentially harvest details.

Google have tried to prevent this happening in the form of ‘Bouncer’, an automated scanner of the Android Market which picks up on malware and removes it. Bouncer came into use early in February, but it does not protect individual phones, nor does it prevent other sites from holding malware infested files. TechCrunch confirms that Sophos anti-virus have picked up on the flaw. The newest example is an application entitled “any_name.apk”; and it’s spreading via the Facebook for Android application.

When downloaded, the application installs without any permissions granted by the user, and the identity of what is being downloaded is also not made clear. This may not be the case assuming a phone maintains its default settings, since Android comes with a toggle against downloads from alternative sources. Many users do disable this though, so that they can download applications from locations such as the XDA Developers forum.

It seems that this APK is intended to call premium rate phone numbers or send them text messages, incurring large charges which can then be picked up by the fraudsters and con-men who operate the numbers, as well as likely having created the app. The app is also evolving quickly: the researcher who found it downloaded it from a different site a few days later, where it was called “allnew.apk”. The newer version worked in the same manner though was coded differently, which would imply that it is being constantly updated.

The malware associates itself with the Opera web browser for Android, including an encrypted configuration file with the dialling numbers for premium rate lines. Google have responded to the news, claiming that an install could not have happened in the manner depicted. According to Google a user would have to permit that the phone installed the application even if it was downloaded without their consent or knowledge. Sophos have not yet commented on this claim. Regardless, it may be worth unchecking the ability to download from other sources when not downloading an app, to help better maintain security.

 
Posted by on February 27, 2012 in Tech-News