Monitor .Net Activity like Regmon or Filemon

TheMSsForum.com: The Microsoft Software Forum

The MSS Forum ‹ Security
- Archive
  - Biz
  - MCSE
  - CRM
  - Drivers
  - Framework
  - ADO
  - ASP
  - Compact
  - Forms
  - Dotnet
  - C#
  - VB
  - FontpageGen
  - Excel
  - WorkSheet
  - Exchange
  - Setup
  - Fox
  - Fontpage
  - ASP
  - IIS
  - Entourage
  - Money
  - Messanger
  - PocketPC
  - Powerpoint
  - Project
  - Publisher
  - Excel
  - VB
  - Security
  - Portal
  - Services
  - SQLServerDev
  - SVCS
  - SQLServer
  - VB
  - VC
  - MFC
  - ExcelGen

- Previous
  - 1
    - Event ID: 675 Can anyone tell me how to begin troubleshooting this issue? The IP address in question is a DC running DHCP and DNS. I am getting continual Pre-authentication failures although the network seems to be running fine. This account is not the only one giving me the failures. Pre-authentication failed: User Name: Administrator User ID: Domain\Administrator Service Name: krbtgt/Domain.LOCAL Pre-Authentication Type: 0x2 Failure Code: 0x18 Client Address: 172.16.60.9 Thanks, Steve Tag: Monitor .Net Activity like Regmon or Filemon Tag: 94711
  - 2
    - How can my CSP DLL enter the Win2000 CSP list? HI,ALL I have wrote my CSP DLL(25 functions CPXXXXX) and register it(HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider). But while I use Win2000 "certificate server" ,Ican't find my CSP name. If my DLL function wrong or other? How can i enter the Win2000 server CSP list? Thanks! Tag: Monitor .Net Activity like Regmon or Filemon Tag: 94709
  - 3
    - How can my CSP DLL enter the Win2000 CSP list? HI,ALL I have wrote my CSP DLL(25 functions CPXXXXX) and register it(HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider). But while I use Win2000 "certificate server" ,Ican't find my CSP name. If my DLL function wrong or other? How can i enter the Win2000 server CSP list? Thanks! Tag: Monitor .Net Activity like Regmon or Filemon Tag: 94708
  - 4
    - Safest Way to Invoke Remote Script Synchronously What is the safest way to invoke a script remotely on a Windows host synchronously, and retrieving a return code to the caller at program termination? Because the target system is in a no man's land, I do not want to open up RPC port, and God forbid with have to involve the abomination that is DCOM. I want something extremely simple and special purpose, with good authentication features on the program server. What are my options? Commercial software is okay. -- Will Tag: Monitor .Net Activity like Regmon or Filemon Tag: 94702
  - 5
    - Microsoft Security Bulletin(s) for 9/11/2007 Note: There may be latency issues due to replication, if the page does not display keep refreshing September 11, 2007 Today Microsoft released the following Security Bulletin(s). Note: www.microsoft.com/technet/security and www.microsoft.com/security are authoritative in all matters concerning Microsoft Security Bulletins! ANY e-mail, web board or newsgroup posting (including this one) should be verified by visiting these sites for official information. Microsoft never sends security or other updates as attachments. These updates must be downloaded from the microsoft.com download center or Windows Update. See the individual bulletins for details. Because some malicious messages attempt to masquerade as official Microsoft security notices, it is recommended that you physically type the URLs into your web browser and not click on the hyperlinks provided. Bulletin Summary: http://www.microsoft.com/technet/security/Bulletin/ms07-Sep.mspx Critical Bulletins: Vulnerability in Microsoft Agent Could Allow Remote Code Execution (938827) http://www.microsoft.com/technet/security/Bulletin/ms07-051.mspx Important Bulletins: Vulnerability in Crystal Reports for Visual Studio Could Allow Remote Code Execution (941522) http://www.microsoft.com/technet/security/Bulletin/ms07-052.mspx Vulnerability in Windows Services for UNIX Could Allow Elevation of Privilege (939778) http://www.microsoft.com/technet/security/Bulletin/ms07-053.mspx Vulnerability in MSN Messenger and Windows Live Messenger Could Allow Remote Code Execution (942099) http://www.microsoft.com/technet/security/Bulletin/ms07-054.mspx This represents our regularly scheduled monthly bulletin release (second Tuesday of each month). Please note that Microsoft may release bulletins out side of this schedule if we determine the need to do so. If you have any questions regarding the patch or its implementation after reading the above listed bulletin you should contact Product Support Services in the United States at 1-866-PCSafety (1-866-727-2338). International customers should contact their local subsidiary -- -- Melissa Travers, MCSE MVP Lead - Exchange Server, Windows Security, ISA Server, Virtual Machine & Microsoft Dynamics Please do not send email directly to this alias. This alias is for newsgroup purposes only. This posting is provided "AS IS" with no warranties, and confers no rights. Tag: Monitor .Net Activity like Regmon or Filemon Tag: 94691
  - 6
    - VPN Client and Machine Certificates for Unattanded VPN access Hi There, I am looking for information on if it is possbile to get the MS VPN Client to use digital authentication certificates issued into the machine certificate store for establishing an IPsec VPN? I have a number of XP workstations acting as information kiosks that will require secure access to a network with no user intervention. I want to know if it is also posible to get XP to establish this VPN at boot time rather than have a user start this manually?? Any help would be great. Mike Tag: Monitor .Net Activity like Regmon or Filemon Tag: 94689
  - 7
    - Port 3137 On one of my clients I am seeing alot of incoming and outgoing connections on this port (3137). I cannot seem to pin it on one program! Has anyone been seeing traffic like this! System fully patched etc.... Thanks -- http://www.goldwatches.com/ http://www.jewelerslounge.com/ Tag: Monitor .Net Activity like Regmon or Filemon Tag: 94679
  - 8
    - PC shutdown safer than sleep? With hi-speed internet conn'n, is your pc vulnerable to attack if not shut down overnight? Most discussions re shut down versus sleep only discuss power usage. I think this question relates to xp or Vista. I have both. -- thanx in advance, Tag: Monitor .Net Activity like Regmon or Filemon Tag: 94678
  - 9
    - Access to CRM from outside the domain Is is possible to get to a windows 2000 CRM from a system outside the domain? When I get to the domain controller CRM url with IE, iaam asked for the user and password. I introduce domain\username and password or username@domain and password of an administrative user in the domain with no luck. what is the problem? Thanks. Tag: Monitor .Net Activity like Regmon or Filemon Tag: 94674
  - 10
    - Hacked I'm running exchange 2003 on server 2003 with all the latest patches and fixes applied. I have the latest version of norton corperate antivirus with all the updates. I've done a full scan and the server is clean. Yet every 2 or 3 days I see that a new user has been added "hello5" and programs have been installed. I can delete the programs and the user I've disabled remote desktop and changed the admin password, but still this person still gets to the server. does anyone have any idea how to find out where he comes in from and how to block it Tag: Monitor .Net Activity like Regmon or Filemon Tag: 94670
  - 11
    - services.exe process is running eating away 50% of Processor time Hi I have an Windows XP sp2 Recently i formatted my system but after it got formatted my system has become slow I check the task manager and there was a Process services.exe which is taking lot of processor time(more than 50% of the processor time) Can any one give suggestions on this Tag: Monitor .Net Activity like Regmon or Filemon Tag: 94668
  - 12
    - Windows Security Alert I have been getting two pop ups constantly and I don't know if they are Windows generated or from a spyware. One of the messages is as follows: Windows Security Alert Warning! Potential Spyware Operation! Your computer is making unauthorized copies of your system & Internet files. Run full scan now to pervent any unathorised access to your files. Click YES to download spywear. (Notice the misspelled words pervent & unathorised) Another message wants to direct me to another web site. How do I find and delete this stuff? I have run Norton and Windows Defender. They both have found a Trojin and I instructed them to remove but, it still pops up. -- WRA Tag: Monitor .Net Activity like Regmon or Filemon Tag: 94663
  - 13
    - Encryption of USB stick question Hi, Please advise if this is the incorrect newsgroup for my question. Can you please suggest a suitable method / software / freeware to encrypt a USB stick? There are a number of documents on the USB stick that I would like to make secure if the stick was lost, it would not be possible to read the documents. I do not want to encrypt each file but rather the whole USB stick. Thanks, and look forward to your reply. Kind regards. Tag: Monitor .Net Activity like Regmon or Filemon Tag: 94660
  - 14
    - CISA Certification Practice Exam CD for sale Hello I have taken and passed CISA exam in December of 2006. Now I am trying to sell this CD on Ebay. If you are preparing for the CISA Certification exam then this is a worthy investement. http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=150157407464 Thank you and Good luck with your exam preparation. Regards, NJ Tag: Monitor .Net Activity like Regmon or Filemon Tag: 94658
  - 15
    - SSL Query Hi, SSL can be used in the following 2 situations: 1. Where Server and Client know each other 2. Where Server and Client does not know each other e.g. secure public sites like e-bay In the first scenario above, Server will have Server Certificate and Client will have Client Certificate. Server will encrypt a message using Client's public key and Client will encrypt a message using Server's public key. Each will use their own Private key to decrypt the same. Now, in the second scenario above, Server will have Server Certificate but Client will not have Client Certificate. Client can encrypt a message using Server's public key. But how the Server will send the encrypted message in absence of no Client Certificate? or is it that a temporary public-private key is provided to the client? Thanks, Tim Tag: Monitor .Net Activity like Regmon or Filemon Tag: 94654
  - 16
    - Access encrypted files Hello guys my question is: I recently had to re-format/ire-install my xp os .When i did that i lost access to the encrypted files in the additional hd,I used a data recovery software to retrieve the old os,how can i find the keys manually so i can import them to the current os? Thank You David Costa Tag: Monitor .Net Activity like Regmon or Filemon Tag: 94652
  - 17
    - Track transfer of files from desktop system Good day. I have a situation that I would appreciate some feedback. We recently had a Manager who moved to a direct competitor and are trying to ascertain if he would have transferred files. No keystroke logging problems were installed and I do not think that there is any way to recall this type of data. I would appreciate your thoughts on this. The system in place in XP Service pack 2. -- Trinidad Tag: Monitor .Net Activity like Regmon or Filemon Tag: 94647
  - 18
    - How to detect keylogging / screen captuer software I believe one or more of our computers in our corporate network have keylogger/screen capture software installed. What software can detect these? I contacted http://www.spectorsoft.com and they claim there is nothing that can detect their software. This is very troubling if not? Does anyone know if the hard drive is re-formatted will that remove these applications or are they put someplace harder to get rid of? Thanks! Tag: Monitor .Net Activity like Regmon or Filemon Tag: 94636
  - 19
    - DirectX Keylogger I wanted to test antikeylogger programs so I wrote my own key logger.. But instead of hooking the keyboard input API (which everyone does) I had it use direct to take the user keys.... None of these programs caught it! What do you guys say in reference to this? -- http://www.goldwatches.com/ http://www.jewelerslounge.com/ Tag: Monitor .Net Activity like Regmon or Filemon Tag: 94633
  - 20
    - OneCare safety scanner: Error 0x04500816 occurred. Today I tried to scan my computer using OneCare safety scanner. Previous scans where successful. But today the error 0x04500816 occurred. I tried Error lookup utility to find out what 0x04500816 stands for but this seems to be no common HRESULT... Tag: Monitor .Net Activity like Regmon or Filemon Tag: 94620
  - 21
    - Event Viewer - Security Log Folks, We are seeing this entry in the Security log of our event viewer on one of our servers. It is usually followed by a failed attempt to login with a standard user account. The account usually gets "locked out" This is what we see prior to the "lock out" Logon Failure: Reason: Unknown user name or bad password User Name: isdiua Domain: CCI-USA Logon Type: 3 Logon Process: NtLmSsp Authentication Package: NTLM Has anyone see this before? Is someone piggybacking on someone's login the network from a remote computer? Please advise. CCI Helpdesk. Tag: Monitor .Net Activity like Regmon or Filemon Tag: 94617
  - 22
    - MS security patch adding restricted sites to Internet Options? Does anybody knows... if a recent MS security patch adds a long list of restricted sites to the network zones in Internet Options? Having those sites listed seem to obstruct HTML emails from functioning properly from within Outlook 2003. The other, more dominating opinion is that the restricted sites were added by a adware program like spybot or ad-aware. Can someone please identify the MS security patch, so we can take steps to address this issue? Please Tag: Monitor .Net Activity like Regmon or Filemon Tag: 94616
  - 23
    - Reporte de BUGs. When an API failure is found, where should the "advisorie" be sent to? We have a POC. Regards. Tag: Monitor .Net Activity like Regmon or Filemon Tag: 94609
  - 24
    - Internet Explorer options changed Hi I logged in to Windows XP this morning, and then installed a security update (a hotfix for windows media player 11). I then opened IE7 but noticed my homepage was set to a different homepage. I went on to ebay.co.uk and the login said "Hello Andrew2000eagle. Not you? Sign In", which is not me. So I'm wondering how this has happened, has someone hacked in to my computer and changed some settings? How can I tell if someone is accessing my computer without my knowing? Is there any way of knowing? Cheers Heywogr Tag: Monitor .Net Activity like Regmon or Filemon Tag: 94606
  - 25
    - Domain Isolation and non-windows IPSec capable systems Did anyone make a study, created a whitepaper or simply written some documentation about the topic in Microsoft? I find myself most of the time suggesting Ipsec as a good way to protect lan traffic for my customers but since we don't live in a simple world there are always non-microsoft systems around the network that could take advantage of ipsec but i've never got into trying to make them talk ipsec with the rest of the domain. Nowdays almost any OS can talk IPSec but we miss guidelines on how to implement it with IPSec and Domain Isolation on Linux, UNIX-Based systems, ecc..; in many scenarios i have to deal with legacy IBM systems running OS400 or linux systems and it's a shame to make exceptions to these systems. I'd like to know if any of you digged into this matter and what your consideration are on the subject. Tag: Monitor .Net Activity like Regmon or Filemon Tag: 94604
- Next
  - 1
    - remove certificate authority server I find I have a root enterprise cert server that was created by a previous admin. The server was taken offline and removed from the domain a year ago. At that time, no one knew it was a cert server. I now need to create another server as the root cert server. Nothing is using the original server, so how can I safely remove it as a cert server? Again, it does not exist in the domain at all, but when I run certutil, it returns this server as the certificate server. Thanks! Tag: Monitor .Net Activity like Regmon or Filemon Tag: 94601
  - 2
    - folder access I have a Windows XP Pro sp2 desktop (desktop A) that logs into a domain network. This user does not have access to private folders on the server but is able to access them. I check on permission on the server and this user has no permissions at all. I login as this user on a different Windows XP desktop (desktop B) and that user is not able to connect to those private folders. I login as a different user on (desktop A) and could not access those private folders. I also ran virus scan and spy ware on the desktop and found nothing. Any type of help would be helpful. Tag: Monitor .Net Activity like Regmon or Filemon Tag: 94599
  - 3
    - How does MBSA collect it's data? Hi! I got the task of resolving why some patches aren't visible as installed by MBSA. In my organisation patching is done eother on the client OR at the installaion point, (read Office 2003). Now when the installation point is patched there are, of course, no record of this patch being installed in either ARP or the registry. MBSA doesn't report the patch being installed and as a result the machine is deemed unsafe. My suspicion is that MBSA reads the registry to determine what patches are installed. Can anyone confirm if this is the case or if not, what does MBSA collect it's data? If it would read the actual file versions of the computer everything would be OK but that seems not to be the case. -- /Hasse Tag: Monitor .Net Activity like Regmon or Filemon Tag: 94593
  - 4
    - Re: Account Lockout Policies {...reposting...I think I might have triggered a word filter on the Microsoft servers, never saw it arrive there...} Account lockout is a poor substitute for good passwords -- and is one of the most expensive security features you can use. Let's think about this by considering the threat. What threat does account lockout (attempt to) mitigate? Password guessing. How can you make password guessing attacks become useless for an attacker? Two ways: implement lockouts or use good (meaning long) passwords. Consider the first choice, account lockouts. The typical cost to an organization to reset locked accounts is US$75 per help desk call. In a medium or large organization, this can become a very high monthly maintenance cost. In nearly all instances, the call results from users locking themselves out, not users encountering locked out accounts because some bad guy was trying to guess passwords. Account lockouts have one more -- very bad -- problem: they *create* opportunities for bad guys to conduct denial-of-service attacks against accounts or entire domains! Even if you use a timed unlock of, say, 15 minutes, then the attacker can write his script to churn through thousands of bogus logon attempts every 15 minutes 2 seconds. So, contrary to your claim, enabling this setting actually can have significant impact on usability. Account lockout is there for people who absolutely need it. But I can't think of any instance where this is true. Instead, have a policy that requires simple passwords at least 15 characters long. Forget about complexity rules that force people to write down passwords. A simple 15-character passphrase (think short sentence) is easy to remember, quick to type, and far stronger than any short complex password. A passphrase like this will withstand any kind of automated password attack, including those based on rainbow tables. And you can even use a method that helps you remember unique phrases for each site, if you wish: * web mail: "my dog and i got the mail" * shopping: "my dog and i bought some stuff" * office: "my dog and i went to work" * photo site: "my dog and i admired some art" This is why we disable account lockout by default. There are much better -- and much less expensive -- ways to mitigate the threat. You're right, there's no built-in method to automatically disable unused accounts. A variety of third-party products can provide you with this functionality. I suspect some of them might be free, perhaps simple scripts even. I tried searching on "automatically disable unused accounts" and saw a few hits that looked promising. This particular function, however, rightly belongs in the HR process. A number of customers I've spoken with have automated the account creation/disablement/deletion process, incorporating it into HR systems. When a new user is hired, the account is created; when the user departs, the account is disabled; some time later, it's deleted. The HR systems take care of this, not domain or enterprise administrators. I wrote more about this subject here: http://blogs.technet.com/steriley/archive/2007/05/31/when-you-say-goodbye-to-an-employee.aspx Password expiration is an important setting for everyone. It mitigates two threats: employees sharing passwords and bad guys discovering passwords. Because we can eliminate the second threat using long simple passphrases as I described above, then we have only one remaining threat: password sharing. Your estimation of how prevalent this threat is in your environment will guide you toward choosing an expiration time that works for you. 42 days is a reasonable default; our own corpnet uses 70 days. My experience with most customers shows that password sharing isn't a problem. So for those who do enforce long simple passphrases, I suggest that a reasonable default for expiration is 120 days. Windows begins notifying you 14 days before your password expires. You can change this time period through group policy. I was in a similar situation recently. Last month my domain password expired while I was in Australia for TechEd there. I could continue to log on to my laptop with cached credentials (so I'm not sure why you say your laptops become bricked?), but couldn't use Outlook Web Access or RPC+HTTP of course. So I connected to a Terminal Server computer we have on the Internet, logged on there, and changed my password. -- Steve Riley steve.riley@microsoft.com http://blogs.technet.com/steriley http://www.protectyourwindowsnetwork.com > > > "Anteaus" <Anteaus@discussions.microsoft.com> wrote in message > news:8303A854-B8AC-4AA9-9B4C-CA68C2374739@microsoft.com... >> Not a solution, but I 've always thought Windows' default security >> policies >> were daft, what with having faddist password-change requirements, yet NO >> protection against dictionary attack, and NO way of identifying or >> closing >> disused accounts. >> >> It stands to reason that any system which permits remote access MUST have >> a >> limit to the number of password-entry attempts in a given period, >> otherwise a >> correct guess is inevitable given enough time. Yet, while windows has >> this >> capability it's (inexplicably) turned off by default. Even though >> turning it >> on has no significant impact on system useability. Why not, for heavens >> sake? >> >> Disused accounts represent a serious security problem, especially with >> many >> sites now granting remote access, thus there may be any number of >> remotely-accessible accounts lying open for which the user has long-since >> left the company, but for which the personnel dept just plumb forgot to >> tell >> I.T. about. Yet, Windows provides NO way of closing accounts which have >> not >> been used for a substantial time, which would seem to be one of the most >> sensible and basic precautions to take against this occurrence. >> >> The other side of this is that despite its laxness in other respects, >> Windows sets a 42-day password-expiry policy, and worse, does so >> 'silently' >> without telling anyone it's done so. This is extremely bad. >> >> I've had cases where laptops in overseas locations have unexpectedly >> demanded a password-change in situations where there was no way to rejoin >> the >> domain within the time limit. This effectively 'bricks' the laptop until >> it >> can be shipped back to base. Highly embarrassing for me, and could have >> cost >> the company an international deal. >> >> It's time someone persuaded MS to see sense over these poorly thought-out >> security policies. >> >> 1. Ditch password-expiry, or at least WARN the user that it exists, right >> from first logon. (timebomb icon in sytem tray?) >> >> 2. Set password-lockout (dictionary-attack protection) ON by default. >> >> 3. Provide a means to identify/close disused accoutns. >> >> >> Just my two cents worth. >> Tag: Monitor .Net Activity like Regmon or Filemon Tag: 94591
  - 5
    - help understanding private/public certs Hi, we have to communicate with a customer who insist of using secure communication. The communication will be done by a SOAP application developed in .NET, to the customers werbservice. Now the customer has sent us a public key to connect to their service, and they have asked us to send them our public key. So, I went to verisign and ordered a standard SSL test certificate. I did this by generating a CSR from IIS6. After giving this on the VeriSign site I got a certificate with which I could fininsh the pending request in IIS6. Now how I see this cert on IIS is that connecting clients can validate our webserver with VeriSign to see if it is trusted. But how can I send a public key to our customer. How do I generate this public. Or is it the same key I have received from VeriSign? I have tested adding this cert to a webbrowser and connect to the webserver, but this doen't seem to work. Just can't grasp this certificate realm, if somone could shed some light on this matter, please... Thanks in advance. Tag: Monitor .Net Activity like Regmon or Filemon Tag: 94582
  - 6
    - Fore Front Updates hello, i have installed the client security on my computers in the office and started working with the software, however, after a week on some of my computers the definitions stopped updating automaticly and even after pressing the "check for updates..." button i get - "no new definitions available" while other copmuters are up to date and get the latest definitions. i have to download the mpam-fe.exe file and run it manually on each station. it happens both on vista and xp stations... what can be the cause and how do i fix it? Tag: Monitor .Net Activity like Regmon or Filemon Tag: 94578
  - 7
    - Update KB939683 - why now I just received this update through Auto Updates. Why isn't anything written about it in microsoft.com? Also why did I get this update just now (Aug. 3 2007)? Windows XP Update for Windows Media Player 11 for Windows XP (KB939683) Tag: Monitor .Net Activity like Regmon or Filemon Tag: 94566
  - 8
    - history My boyfriend checked the computer's history and found something private that I wrote, without looking through my files, I'm wondering how you can not only look at the computer's history, but delete it too? -- mznookie Tag: Monitor .Net Activity like Regmon or Filemon Tag: 94557
  - 9
    - Does Vista supports Intrusion Detection Hi again, an other question ... Does Vista support Intrusin detection with native tools e.g. Firewall? Thanks for your help! H. Small Tag: Monitor .Net Activity like Regmon or Filemon Tag: 94556
  - 10
    - preventing Vista Firewall from beeing disabled by users Hi, exists a way to prevent users from disabling the Firewall built in Vista? In the group policies I found only the options to define rules for in and out going traffic but no hint for aktivating the FW. IÂ´ll be happy for any help! Thanks H. Small Tag: Monitor .Net Activity like Regmon or Filemon Tag: 94555
  - 11
    - 10% Off All ChicagoCon 2007 Boot Camps for MCPs!! Hello Fellow MCPs and Security Professionals, I'm Don of the online magazine www.ethicalhacker.net. As many of you may know, we are putting on a security training event named ChicagoCon that combines a professional security conference, certification training and a hacker con into a single, unique event from Sept 17 - 23, 2007. Our ECC courses are provided by an ECC ATC of the Year, CISSP is endorsed by ISC2 with the exam on site, Linux+ is being taught by the author of "Linux for Dummies", Expert Pen Testing by Jack Koziol of the InfoSec Institute... and the list goes on!! I know it's last minute, but now that the early registration discount deadline has passed, we are now able to offer discounts to communities such as this one. So I am pleased to be able to offer a 10% off any course to portal members if they contact me directly at don@digitalconstructionco.com. Courses Include: - Breakfast, lunch and most dinners - All study materials, computers and your certification exam - All keynotes, presentations and events. Sorry... because of space restrictions, only paid attendees are allowed. In the tradition of the Ethical Hacker Network, we love free giveaways, so each attendee will receive a bag full of FREE STUFF including books, t-shirts, magazines, an EH-Net version of BackTrack2 (with Metasploit 3 and packaged as a VMware Virtual Appliance) and more. Course Offerings: Management PMP/CAPM - Project Management SOX/COBIT - Compliance CISSP -- Security Management (7-Day Course) Beginner Ethical Hacking Fundamentals (Network+/Security+) Linux+ - Open Source Operating System CCNA - Cisco Certified Network Associate Intermediate CEH (CNDA) - Certified Ethical Hacker CHFI - Certified Hacking Forensics Investigator SNPA -- Securing Networks with Cisco PIX / ASA Advanced CEPT - Certified Expert Penetration Tester Web Application Hacking Keynotes by: John C. Dvorak - PC Mag Steve Hunt - Industry Analyst Lance Spitzner - Founder of the Honeynet Project Doug Steelman - DoD GIG (Global Information Grid) Dean Turner - Symantec's Director, Global Intelligence Network Evening Presentations (similar to Black Hat) Include: Live demos of Metasploit Live demos of Cain & Abel Malware Analysis in Front of your Eyes eVoting Myths Debunked Blackjacking author Dan Hoffman For more detailed info, visit www.chicagocon.com. Remember, you MUST contact me directly to get your discount!! I'll see you in Chicago, Donald C. Donzal, CISSP, MCSE 2003, CEH, Security+ SME don@digitalconstructionco.com Tag: Monitor .Net Activity like Regmon or Filemon Tag: 94554
  - 12
    - Which is more secure Outlook or Hotmail? Outlook which has certificates encryption and signing seems very private and secure. Are there any vulnerability points between me and recipient of my email when I use Outlook to encrypt and sign? How does Hotmail compare security and privacy-wise with Outlook? Tag: Monitor .Net Activity like Regmon or Filemon Tag: 94550
  - 13
    - mixed authentication and LogonUser token in forms ticket - safe? Hi I've implemented a mixed forms/windows authentication solution loosely based on the following example http://www.gotdotnet.com/Community/UserSamples/Details.aspx?SampleGuid=a12e9f53-695f-452f-87d0-abbe9f12351e - an overview of this is as follows: IIS has anonymous access enabled and also has windows integrated authentication enabled my web.config has forms authentication on and impersonation off In my global.asax.vb I handle FormsAuthentication_Authenticate and if the user is authenticated via windows auth on the browser's user, I construct a windows principal for the forms authentication to use based on the following windows identity: Dim ident as WindowsIdentity = New WindowsIdentity(request.GetUserToken(), authType, WindowsAccountType.Normal, True) If the windows authentication fails, the user is kicked to forms authentication and must sign in. I validate their password against the domain via a Win32 call to LogonUser(). The result of this is an IntPtr to a user handle if supplied credentials are valid. I call CloseHandle() on this and return the IntPtr, which I then stick in the forms cookie's user data: ' COM interop functions Private Declare Auto Function LogonUser Lib "advapi32.dll" (ByVal lpszUsername As [String], ByVal lpszDomain As [String], ByVal lpszPassword As [String], ByVal dwLogonType As Integer, ByVal dwLogonProvider As Integer, ByRef phToken As IntPtr) As Boolean Private Declare Auto Function CloseHandle Lib "kernel32.dll" (ByRef handle As IntPtr) As Boolean ' COM constants Private Const InteractiveLogon As Integer = 2 Private Const DefaultProvider As Integer = 0 Public Shared Function AuthenticateAgainstDomain(ByVal domain As String, ByVal username As String, ByVal password As String) As IntPtr ' Dim handle As IntPtr = IntPtr.Zero Dim logonSucceeded As Boolean = LogonUser(username, domain, password, InteractiveLogon, DefaultProvider, handle) If Not logonSucceeded Then Dim errorCode As Integer = Marshal.GetLastWin32Error() LogException(ExceptionType.AuthenticationError, String.Format("Unable to logon user. Error code {0}.", errorCode)) End If CloseHandle(handle) Return handle End Function When the forms ticket is presented by an authenticated user during Application_AuthenticateRequest event, I extract the IntPtr user token and construct a windows identity from it: Dim authcookie As HttpCookie = Request.Cookies(FormsAuthentication.FormsCookieName) Dim ticket As FormsAuthenticationTicket = FormsAuthentication.Decrypt(authcookie.Value) Dim token As IntPtr = New IntPtr(Integer.Parse(ticket.UserData)) Dim ident as WindowsIdentity = New WindowsIdentity(token, "NTLM", WindowsAccountType.Normal, True) My question is this: obviously, this works in my test environment but is this safe in production? Can the IntPtr handle be relied on or will it be released at some unspecified point in the future? Regards Iain Tag: Monitor .Net Activity like Regmon or Filemon Tag: 94548
  - 14
    - Account Lockout Policies My apologies if I'm not posting in the correct newsgroup. My question is if there's a way to set up a security policy on Windows 2003 DC which is lockout or disable a user that dosn't log into the domain for a specified amount of time. For example a user that hasn't logged into the domain for 30 days will be locked out??? Thanks Tag: Monitor .Net Activity like Regmon or Filemon Tag: 94539
  - 15
    - Yellow Shield system tray icon I've had a few times when the yellow shield icon will appear for just a moment upon startup. I have a feeling it means nothing. When it's time for auto updates, that shield icon works normally for me. Tag: Monitor .Net Activity like Regmon or Filemon Tag: 94537
  - 16
    - Access denied on Homeshare with FQDN, fine with Shortname I'm getting a strange error where I am getting an access denied on my homeshare. But only when using FQDN to define my server. If I change from \\servername.domain.local\homeshare$ to simply \\servername\homeshare$, everything works. This is only happening on some Vista machines that are in the same OU as the other Vista machines. This problem does not manifest itself on XP. Any ideas why Vista doesn't work with FQDN defined homeshares.... or at least on SOME of my machines? NOTE: I can also *fix* this problem by leaving it an FQDN, but changing from user-specific to Everyone or Authenticated Users on the Share ACL. Well, that's not really fixing it.... Tag: Monitor .Net Activity like Regmon or Filemon Tag: 94533
  - 17
    - PKI User Certificate on Smart Card auto renewal ? Hello I'm using a Enterprise issuing CA with an enrollment Station to issue smart card certificate on behalf of users. everything works fine. now i'm not sure how to enable and configure the environment to make an automatically renewal of the certificate on the smart card, without the user visiting the Enrollment Agent. Is it only necessary in the template, or do i have to configure a group policy to initiate the renewal proces`s ? Thanks, -- ~~~~~~~~~~~~~~~~~~~~ ..is an MCSE 2003 and MCDBA ~~~~~~~~~~~~~~~~~~~~ Tag: Monitor .Net Activity like Regmon or Filemon Tag: 94532
  - 18
    - Patches installed during shutdown I just received update 933360 through Autoupdates. The yellow shield near the clock as usual and I wasn't sure why I was getting updated. Nothing happened for 10-15 minutes and then it said it would install the patch during shutdown, which it did. I understand this is because I shut down after the loading and before the installing of the update. It's only installed updates this way one time before. My autoupdate time is set for 3AM. Why did it install that way? Tag: Monitor .Net Activity like Regmon or Filemon Tag: 94529
  - 19
    - Patches installed during shutdown I just received update 933360 through Autoupdates. The yellow shield near the clock as usual and I wasn't sure why I was getting updated. Nothing happened for 10-15 minutes and then it said it would install the patch during shutdown, which it did. I understand this is because I shut down after the loading and before the installing of the update. It's only installed updates this way one time before. My autoupdate time is set for 3AM. Why did it install that way? Tag: Monitor .Net Activity like Regmon or Filemon Tag: 94528
  - 20
    - IE bypasses Zonealarm I have Zonealarm Version 7 and use Opera and Firefox exclusively on XP. However recently I brought up the IE browser which is hidden in Wordpad. ( Click Help Topics in Wordpad, Click the Question Mark top left and click jump to URL) I was able to connect to www.aliceinvideoland.co.nz and use its search functions( even though there was a specific block on " Mobile code" Zonealarms name for a mix of Javascript, vbscript, Java and Active X) Opera and Firefox were unable to get through this block to operate the search function as one would expect. When this block was removed Firefox and Opera could then access the site to use the search function. This implies that this embedded IE is able to do an end run around firewalls even though the Firewall is specifically set to black code from a specific site. I must admit to be most unpleasantly surprised when IE broke security in this fashion. Tag: Monitor .Net Activity like Regmon or Filemon Tag: 94525
  - 21
    - MSRootkit revealer & trustworthy applications Hi, We developped a product that uses file filters to hide specific internal files. Our internal files are hidden for other applications. The (very good) tool MSRootkit revealer shows these files, and so displays warnings. This is normal. My question is : is there a way for this tool to consider specific applications or files to be trustworthy applications, and so that it displays no warnings ? For example our product could be signed by MS, or something like that. thanks J. Tag: Monitor .Net Activity like Regmon or Filemon Tag: 94521
  - 22
    - SSL not trusted Hello, I created 2 tier CA infrastructure - ofline root CA, and domain joined subordinate CA. I created certificate and installed it on web server. When someone visits our page, gets message that certificate is not trusted, if i try to install certificate on the client in IE, it finishes with success message. But next time when i visit same site, server certificate still not trusted, if i install root CA certificate on client, then it is ok. The Question - How i can create certificate that could be trusted simple by installing web servers certificate and will that certificate work with mobile devices (ActiveSync). -- Muson Tag: Monitor .Net Activity like Regmon or Filemon Tag: 94517
  - 23
    - programer problem windows defender said that FREDOME.EXE might be causing a problem on my computer. I know that this is some sort of security program. I have BellSouth internet security. But can not find any info on this program. Any suggestions? -- Maggie Tag: Monitor .Net Activity like Regmon or Filemon Tag: 94514
  - 24
    - zlob removal please help HI my computer appears to ahve been infected with zlob.................pc-cillin does not find it howerver, nor does housecall........ symptoms are popups that take us to a download site for virus removal software....these pop up all over the place and to close down your have to click a second pop up to release them....... I have a flashing security symbol in the right hand corner of the toolbar on desktop that keeps popping up infomfing me i have spyware and need to download programs to remove. I looked zlob up in the wikipedia and follows instructions there to down load spyhunter.................spyhunter finds at least 20 problems each time its run, supposedly removes them but the next scan shows almost as many..........i also followed the manual removal instructions but still have the security icon in the tray flashing at me............... spyhunter scan last night showed no infections, cookies etc...............started up this morning and checked the bank and now i hvae bloody zlob showing again........ Is it as dangerous as it sounds???? Can someone please help me remove it????? a program that is trustworthy or a mnaual way to delete???? I also used an online scan of avg as suggested but that showed nothing........................very confused................comp is definatley doing some strange stuff but half the virus scans i used have found nothing and spyhunter finds well over 20 each time usually.................even after manual removal. PLEASE help if you can??? THanks Zoe Tag: Monitor .Net Activity like Regmon or Filemon Tag: 94510
  - 25
    - CA's and Certificates for MOM or System Center OM I am having some difficulty understanding and configuring CA's for monitoring ofdomains outside the trust realm. I have loaded Microsoft's Certificate Services, and in reading the instructions have tried going to http://<computername>/certserv but page cannont be found. I am not opposed to using Verisign or Thwate, but not sure what I need. I am running Windows Server 2003 R2x64 Standard. Tag: Monitor .Net Activity like Regmon or Filemon Tag: 94509

Hello group,

Are there any utilities for monitoring .Net assemblies? For instance,
one could use Filemon for access being denied at the file system, or
Regmon for access being denied in the registry. Is there an equivalent
for access denied by .Net's security model?

Thanks in advance,

J Wolfgang Goerlich

Top

Re: Monitor .Net Activity like Regmon or Filemon by Dominick

Dominick
Wed Sep 12 16:57:56 PDT 2007

what do you mean with ".NET Security Model" ?

CAS or ACL based security?

CAS - i am not aware of that - besided running in a debugger and catching
SecurityExceptions.

-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

> Hello group,
>
> Are there any utilities for monitoring .Net assemblies? For instance,
> one could use Filemon for access being denied at the file system, or
> Regmon for access being denied in the registry. Is there an equivalent
> for access denied by .Net's security model?
>
> Thanks in advance,
>
> J Wolfgang Goerlich
>

Top

Re: Monitor .Net Activity like Regmon or Filemon by jwgoerlich

jwgoerlich
Thu Sep 13 04:33:10 PDT 2007

I was thinking CAS, but either would work. The debugger is a good
idea, I will give that a try.

Thanks,

J Wolfgang Goerlich

On Sep 12, 7:57 pm, Dominick Baier
<dbaier@pleasepleasenospam_leastprivilege.com> wrote:
> what do you mean with ".NET Security Model" ?
>
> CAS or ACL based security?
>
> CAS - i am not aware of that - besided running in a debugger and catching
> SecurityExceptions.
>
> -----
> Dominick Baier (http://www.leastprivilege.com)
>
> Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)
>
>
>
> > Hello group,
>
> > Are there any utilities for monitoring .Net assemblies? For instance,
> > one could use Filemon for access being denied at the file system, or
> > Regmon for access being denied in the registry. Is there an equivalent
> > for access denied by .Net's security model?
>
> > Thanks in advance,
>
> > J Wolfgang Goerlich- Hide quoted text -
>
> - Show quoted text -

Top