Replies

In addition to what Paul says, remember that you need to be on Ethernet, not on a wireless connection to join the domain.

Just a guess here, but many windows 8 (.1) Pro machines are likely to be laptops or tablets and could be trying to connect over wfi.

Win8(.1) Pro does connect just the same as Win 7, Vista and XP etc. I joined a Win 8.1 Surface Pro2 just a week or two ago to our domain. We use an USB to Ethernet adapter to make sure they have a wired connection first then join.

Please keep us updated – I’m interested to find out what your solution might be.

Do you still run EAM? EAM provides protection against CryptoLocker, through it’s behavior detection feature, so you’d be safe just from using it, anyhow :).

Actually Rui, you have got me thinking now. Due the change of circumstances that I referred to in another place a few weeks ago, I no longer need to run Virtual Box at home. If I must have access to the platforms that my VM’s supported, I have plenty of other resources available to me elsewhere.

So….maybe, it’s time for me to revisit Online Armor + EAM while at home.

I think it’s a balancing act Rui.

As you may recall, some time ago, I ran Online Armor in conjunction with Emsisoft Antimalware and was very impressed with them. Unfortunately, I then started to suffer from BSOD’s triggered by the incompatibility of Online Armor and Virtual Box, which I needed to run for other purposes. It resulted in me having to remove Online Armor.

If I had Online Armor still installed on systems at home, I would be quite happy that the HIPS would give me measures needed to prevent CL, but for the reasons above I can’t run them, so I need extra layers. My children would not know how to react, so they also get additional layers of protection too.

At work, it’s a different story. The effort to configure an interactive HIPS in a commercial environment coupled with the inability of non technical staff, who are under pressure to get their work done, would result in simply clicking the accept button when whichever HIPS tool used requests permission. Yes, I agree people shouldn’t click, but it’s really hard to get the message across and people are human after all. I would like to lock down opportunities for people to make mistakes, but to a certain extent, I’m prevented from doing so.

So, at work, we do have HIPS in our Endpoint Security, but it’s silent. I’ve also deployed additional software restriction policies, by group policy, over and above those required to meet company operating policies and receive automated emails through task scheduler if somebody tries to do something they shouldn’t.

I do get occasional problems with restrictions being triggered and can sympathise when bobprimak asks why does Windows allow execution of apps from %appdata% with very little security requirements by default. It’s one of the biggest and most obvious differences between Windows and other families of Operating Systems. In fairness to Microsoft, it stems from historical configurations of their OS that wanted to be easy to use, but in so doing left gaping holes that have now for the most part been plugged. But the legacy continues: why does some software want to run from places that it shouldn’t? It would be nice to say “ban everything from running from there”, but the world turns to a different tune.

In my view HIPS is the go to solution for the home user if they are competent to use it proactively. Failing that something like the Crypto Prevent tool is a useful addition…..but at work, it’s not so quite so straightforward and, yes, I worry a little. :huh:

Do you mean this advice perchance

Read through that thread from start to finsih to refresh the memory.

What you need to do is identify the index number of the adapter you wish to enable and disable, then put that index number in to the wmi command inside the batch files previously created.

So, to fix the batch files for the new adapter:

[*]Click Start. Enter “CMD” (without the quotes) in the Search Program and Files box
[*]Right Click on the CMD prompt that appears at the top of the menu and select Run As Administrator
[*]In the command window that opens enter the following code: “wmic nic get name, index” Without the quotes

Take a note of the index number of the network port you want to enable and disable. Last time it was 7, but this time it maybe something different.

Now you need to edit the batch files to update them with that index number.

Copy the two batch files to somewhere else to act as a backup first.

Next, Right click on the Internet off.bat file and choose edit. This will open notepad and allow you to edit the file. Find the line that says “wmic path win32_networkadapter where index=XX call disable” Replace XX with the index number you just noted above

Close Notepad and choose save.

Then, Right click on the Internet on.bat file and choose edit. Find the line that says “wmic path win32_networkadapter where index=XX call enable” Replace XX with the index number you just noted above.

Close Notepad and choose save.

If you have correctly identified the adapter the updated batch files will enable and disable correctly again.

It’s not the desktop Outlook program, but the built in Android email app connects just fine to Exchange using active sync and integrates with Contacts & Calendar too.

I suspect the PC shop you took the problem to may be being a little short with the detail. Rather than needing a CGA monitor, my guess is that the CGA and EGCVGA drivers will not work with a modern motherboard equipped with an on-board gfx controller or a pci-e based card. Finding an old monitor is unlikely to fix the problem.

So, what to do? Well, although I don’t use this, I have heard good stories about DOSBox, which comes with it’s own graphics rendering engine and may display the graphs that you need.

I think there is more to your requirement than in your original request and it sounds a bit complicated the way you intend to do it. As Paut T suggested a VPN would not know how to route outgoing connections to hosts over the internet.

If your customer requires to track, monitor, or control his user’s internet access, then a VPN is not the way to do it. A VPN will provide secure point to point communications. This can be made anonymous at the far end and is sometimes used to transit national boundaries where restrictions would otherwise prohibit. But a VPN does not in itself control, log or otherwise monitor traffic. To do that you need a Proxy. In fact, reading between the lines, I think your dialer is in part a Proxy service, but not one that we might describe as normal.

I recommend that you deploy a full proxy server. Have your users authenticate against that Proxy Server using Active Directory – no additional authentication, just the single sign on in AD. The proxy server can be configured to log, monitor or control users actions in pretty much any way you wish. It can then also dial out the http requests over a VPN service if you need that secure point to point or anonymous connection.

The VPN forms part of the network connection operating at Layer 3 while the Proxy implements your control, monitoring and logging at the transport Layer 4.

It’s almost impossible to do something wrong with CryptoPrevent; one click to apply.

CryptoPrevent includes an optional Whitelist Editor which makes it very easy.

CrytoPrevent includes a single-click “Undo”.

Post #11 mentioned that “Many legitimate programs use local and roaming appdata locations for executables, including lots of Google programs (such as chrome and numerous update files).”. I’ve found that many Sysinternals and Nirsoft utilities do the same (perhaps just the portable versions).

Bruce

Thanks Bruce,

I do not use Crypto Prevent, preferring to edit the Software Restriction policies myself and distribute via GPO. I’ve only come across two user applications in my deployment that have had an issue: Spotify (which the user shouldn’t have been using anyway) and Foxit Reader Updater, which was easily added to my whitelists. I’ve not had any problems with Sysinternals since my deployment (I use various tools from the suite every day); and haven’t had need to use any Nirsoft utilities since deployment, but will watch out for it.

I did encounter an issue installing MS Office on a new setup, but rather than set a whitelist entry on my DC and force a GPO update, I cheated and logged onto a local account on the machine, installed Office and then returned to the domain login.

However, bobrobert should not have had any issue removing or reversing the Software Restriction Policies. Based on your comments, if he was using Crypto Prevent, it should simple process. If manually setting Software Restriction Policies, just remove the policy setting and reboot.

[EDIT]

Curously enough, throughout October we had numerous (dozens and dozens, if not into the hundreds) of invoice-12345.pdf.exe attachments arrive by email. All were caught by our Antivirus (though I don’t want to rely on that in the future). Since the beginning of the first week in November, we have had none, and our background rate of spam has also reduced too. Anecdotal, perhaps, but I wonder if it has either gone to ground, or is being more actively being filtered by service providers / law enforcement.

Actually I have a VPN dialler that as soon as user log-ins into his/her machine dial a VPN connection for internet access.

You have a somewhat unusual configuration. No doubt there is a very valid reason for this configuration, but it is difficult in this circumstance to answer without understanding the reasons reasons why you need a VPN for internet access for all users.

You do not describe the VPN dialler, but often these tools will have settings to route internet traffic automatically.

Alternatively you could deploy an on-site proxy server which manages all internet traffic: it could even direct this traffic over a VPN if needed. This provides a single point for configuration as Paul T suggested.

Failing that, setting a per computer static route in the AD Computer logon script should meet the requirement, but that may have unwanted implications for the reasons why you need VPN access for internet traffic.

The incoming email will be queued by the originating servers. Between 48 to 72 hours is typical before expiry of the message. If the originating server is configured normally, the sender will receive a non-delivery notice if the message fails to be delivered to the recipient server due to it being offline.

Google, or other 3rd party systems (e.g. Exchange Online) can be used to provide high availability alternatives to an onsite Exchange server, or as a fall-back. There would be costs associated and you would also need to adjust the MX records in your DNS.

A word of warning. I followed the advice about local security policy & Software Restrictions Policies and everything was fine until I downloaded a program which wouldn’t launch. When I “tried” to reverse the restrictions Windows wouldn’t load and I was left with a blank desktop. Obviously I did something wrong. Eventually I restored my system. Not for the faint hearted.

At a guess, you used the CryptoPrevent tool from earlier links and have a “home” (i.e. not a -pro) version of Windows. That may make it much more difficult to add whitelisted programs to the software restriction policies because you do not have the gpmc console. I presume reversal of the software restriction policies on a “home” version involves editing the registry, which certainly can lead to serious problems if not performed correctly.

If you do have Pro or above it’s a fairly straightforward task to add a whitelisted application. The Software Restriction Policies are perhaps buried deep for those unfamiliar with gpmc, but not overly complex to add once the correct policy is located.

However, consider that software you are trying to run is attempting to execute from within the user profile. There should be very few reasons for an application to do so; and that should trigger questions about the software and its developers.

You can use your Logon scripts.

If you want specific users to have certain static routes configured, you could call a batch or powershell script from within the logon scripts. However, I think this would need local admin privileges for the user account.

If you want specific machines to have static routes, you could configure that on the computer account logon rather than the user account. This would use the System account and not require elevated user permissions.

I general, allowing users to add or modify static routes is a potentially dangerous thing to do for the security and health of your network: if you need static routes, I think it would be preferrable to configure it on the computer account rather than for the user.

DSL provider has a direct download file off their server. http://support.hickorytech.net/myspeed/

I’ve got Ubuntu installed as a dual boot option on the desktop; I’ll give it a shot.

That site appears to measure reasonably accurately on my system, though it might be better to use a speed testing service that does not require java to be enabled in the browser (but that’s a different story!).

If you have Ubuntu installed as dual boot, it’s even better: use the same hardware, but an independent OS and compare the throughput. If the same slow speeds, you have a hardware issue; if better on Ubuntu there is a problem with the configuration of Win7. Think about packet sizes and mtu settings on the NIC on the bad machine and compare to those on the good machines.

How are you measuring download speeds? Is this a valid measurement or an artefact of the measurement technique?

One way to test throughput speeds is as follows:

[*]Get rid of any 3rd party download tools.
[*]Transfer a large file via an http get request directly from a webserver.
[*]Time the download accurately and calculate true download speed.
[*]Do this on all three machines and compare.

I suggest using something like a Linux distro download to use as the seed for the large download file: Try this one, which should be 708 MB

I think it will be difficult to say with certainty why it is working now, but any tweaking of the registry to change or delete the NETBIOS name or other entries could have changed the MAC address and consequently, with the passage of time, updated the ARP cache in the router.

With a new MAC address and a flushed ARP cache it would work.

I’m quite willing to accept that this explanation could turn out be a complete red herring and that there may be another reason, but a cloned MAC address and ARP cache is where I would start.