ate by monsters

This little monster contains some of my thoughts. So please be careful as he tends to bite . . . he’s teething. I do apologize.

Tuesday
02Mar2010

Security Update: Microsoft warns of another zero-day vulnerability

Microsoft released a new Security Advisory yesterday in response to reports of a vulnerability that could let attackers take control of older versions of Windows, primarily 2000, XP, and Server 2003.  The vulnerability is in VBScript (Visual Basic Scripting) as used through Internet Explorer.

An attacker can lure users to a suspicious site that prompts them to hit their F1 key ... in some cases, if the dialog is ignored, the site will continue to prompt until they either kill their IE session or log off completely.

Microsoft urges users not to hit F1 if prompted to do so by any website.  They also provide further workarounds in their security advisory article:

http://www.microsoft.com/technet/security/advisory/981169.mspx

Keep in mind this exploit does not affect Windows Vista, 7, or Server 2008.

Always practice safe web browsing.

Wednesday
10Feb2010

How-to: Make Facebook less public

This has been an annoyance for some time … maybe it’s just my generation, but I have a problem with the default Facebook setting being to share almost everything publicly.  I keep hearing it’s the public era, where all your social data should be public – for all to see – by default.

No thank you Facebook!  In this post I’ll walk through making your profile a bit more private and even a little more secure from new people you friend.  I mean, you don’t give a random person you just met at school, work, or on the street your phone number, address, birthday, favorite whatever!  Why should new friends on Facebook be any different?

First things first, let’s make sure your Facebook profile isn’t searchable publicly … for example, if someone Googles your name, your Facebook profile would come up as a search result.

Monday
08Feb2010

PowerShell: Script to make batch DNS changes

Typically when you host websites that require 99.999% uptime you create a basic webfarm that sits behind an F5 BigIP ... not every company has a budget to do high availability or DR correctly.  So I wasn't shocked when I was tasked to write a script that replaces the target host FQDN of DNS CNAME records with a new FQDN.

Welcome to my situation :)  If we lose an IIS server we would have to move all the sites that box was hosting to another and then update the CNAME's target fully qualified domain name field.

Found a bunch of great stuff online on how to modify a single record ... that's great for updating maybe a handful, not if it's 100+ records, and I'm not about to do that manually via the MMC console!  So I needed to get a little creative, and here's what I came up with.

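$CNAMES = import-csv "Path to CSV file"
$Query = "Select * from MicrosoftDNS_CNAMEType"
Foreach($CNAME in $CNAMES)
{
    # Echo the CSV row being processed
    $CNAME
    # -match does a regex match, so escape the alias to keep "." literal
    $Pattern = [regex]::Escape($CNAME.Aliases)
    # Loop over the matches: an alias can match no record or several
    Foreach($Record in (Get-WmiObject -Namespace "root\microsoftdns" -Query $Query -ComputerName dnsserver | Where-Object{$_.Ownername -match $Pattern}))
    {
        $Record.RecordData = "FQDN of new IIS server"
        $Record.put()
    }
}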

The script can be modified to update any kind of DNS record, so it's not locked into just updating CNAMEs.

I pretty much have a bunch of CSV files that contain a single column called Aliases; these CSV files hold all the CNAME aliases for all our sites.  As you can see in the first line of the script, I declare $CNAMES to import all the data from the CSV file to be used later in the script.  I then declare what kind of DNS record I'm looking for as $Query.

In order to apply the change to each row in the CSV file I needed to place the PowerShell command that will be making the change in a Foreach statement, hence the Foreach($CNAME in $CNAMES).  The next few lines are pretty much the meat and potatoes of the script and are pretty self-explanatory and in line with what you might find searching the web.

Now, the line $Record.RecordData = "FQDN of new IIS server" can easily be changed to let the person running the script enter the new FQDN manually.  Simply change that line to $Record.RecordData = Read-Host "Enter the new Target Host FQDN"; the Read-Host cmdlet asks for user input on the console, allowing the user to type whatever he/she wants ... whatever is typed in the console is what the script will use to modify the CNAME.

Of course this script is available for you to use in any way, shape, or form ... but I do not take responsibility if something goes wrong.  As any administrator will tell you, test first and test again.  Any script examples I post are 'use at your own risk'.  Look at what the script is doing rather than copy, paste, and execute.  Don't know what a certain parameter or cmdlet does - Google search :)  Thanks.
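
A dry-run preview for the batch change described in this post, as an added example rather than the original script: it validates the FQDN typed at the Read-Host prompt and lists what each alias would change from and to before anything is written.  Test-Fqdn and Get-CnameChangePlan are hypothetical helper names, and the records are constructed sample data standing in for the CSV rows and the WMI query result.

```powershell
# Added example: preview bulk CNAME changes before committing them.
# Test-Fqdn and Get-CnameChangePlan are hypothetical helper names.
function Test-Fqdn([string]$Name) {
    # Labels of 1-63 letters, digits or hyphens, no leading/trailing hyphen,
    # at least two labels, optional trailing dot, 253 characters at most.
    $label = '[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?'
    return ($Name.TrimEnd('.').Length -le 253) -and ($Name -match "^($label\.)+$label\.?$")
}

function Get-CnameChangePlan($Aliases, $Records, [string]$NewTarget) {
    if (-not (Test-Fqdn $NewTarget)) { throw "Not a valid FQDN: '$NewTarget'" }
    foreach ($alias in $Aliases) {
        # Escape the alias and anchor it so "www.example.com" cannot match
        # "wwwXexample.com" or "dev.www.example.com".
        $pattern = '^' + [regex]::Escape($alias.TrimEnd('.')) + '\.?$'
        $hits = @($Records | Where-Object { $_.OwnerName -match $pattern })
        if ($hits.Count -eq 0) {
            New-Object PSObject -Property @{ Alias = $alias; Old = $null; New = $null; Action = 'SKIP: no record' }
        }
        foreach ($r in $hits) {
            $action = if ($r.RecordData.TrimEnd('.') -eq $NewTarget.TrimEnd('.')) { 'NOOP: already set' } else { 'CHANGE' }
            New-Object PSObject -Property @{ Alias = $alias; Old = $r.RecordData; New = $NewTarget; Action = $action }
        }
    }
}

# Constructed sample data standing in for the CSV rows and the WMI query result.
$aliases = 'www.example.com', 'shop.example.com', 'missing.example.com'
$records = @(
    New-Object PSObject -Property @{ OwnerName = 'www.example.com';     RecordData = 'iis01.example.com.' }
    New-Object PSObject -Property @{ OwnerName = 'dev.www.example.com'; RecordData = 'iis01.example.com.' }
    New-Object PSObject -Property @{ OwnerName = 'shop.example.com';    RecordData = 'iis02.example.com.' }
)

Get-CnameChangePlan $aliases $records 'iis02.example.com' |
    Select-Object Alias, Old, New, Action | Format-Table -AutoSize
```

Against a live server, pass the objects returned by the Get-WmiObject query as $Records and review the CHANGE rows before running the update loop.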

Wednesday
03Feb2010

Download pick: Quest Software's ActiveRoles Management Shell for Active Directory

Ever since I started getting into PowerShell a co-worker pointed me in the direction of Quest Software, which I spoke about in past posts ... they not only have, probably, the best PowerShell script editor, PowerGUI; they also have the best PowerShell commands for Active Directory management/automation.

Help make your job a little easier with PowerShell and ActiveRoles Management Shell for Active Directory!

http://www.quest.com/powershell/activeroles-server.aspx

Many of the Active Directory related scripts I post on this site use Quest Software's cmdlets ... it's truly miles ahead of having to do tasks within ADUC or through the clunky command prompt tools of the past :)

They just recently updated to version 1.3, which added a bunch of cmdlets like:

  • new-qadcomputer
  • set-qadcomputer
  • disable-qadcomputer
  • enable-qadcomputer
  • reset-qadcomputer

These new cmdlets greatly helped reduce my workload; I'll be sharing scripts that use them with my visitors in the near future!

Give it a look!

Thursday
21Jan2010

Security Update: Vulnerability in Internet Explorer

It's been in the news the last couple of days: Microsoft has reported a new vulnerability in its web browser, Internet Explorer.  IE 6/7/8 on Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are all vulnerable.

You can find the details of this vulnerability from the following Microsoft Security Advisory:
http://www.microsoft.com/technet/security/advisory/979352.mspx 

Microsoft announced they will release an out-of-cycle update for this vulnerability, which should be released today.

There is a workaround that you can apply to your system to help protect yourself.  The advisory linked above says that setting the Internet zone security setting to High will protect users from this attack.  You can find this setting in Internet Options, on the Security tab.

This one is pretty serious ... reports link this vulnerability to the China-based attack on Google's Gmail service last week.

Wednesday
13Jan2010

Windows Updates Available - Time to Update!

Today Microsoft along with the US-CERT announced two important updates that fix some vulnerabilities found in the Microsoft operating system.

http://www.us-cert.gov/cas/alerts/SA10-012B.html

One of the vulnerabilities addressed in the US-CERT security alert is in the Embedded OpenType font engine.  The other is a set of multiple vulnerabilities in Adobe Flash Player 6, which is included in Windows XP by default.

US-CERT recommends all users install the latest Windows Updates available from Microsoft and upgrade (or remove) Flash Player.

So please go do your Windows Updates and keep your computer safe!

Thursday
31Dec2009

Download Pick: Microsoft's Active Directory Topology Diagrammer

As an IT professional starting a new job, you always find yourself needing to learn the new environment around you.  Most companies don’t have much documentation or design diagrams of how their infrastructure is currently set up or how it looks.  This is pretty common with Active Directory and Exchange environments.  Sure you can always fire up Active Directory Users and Computers, Sites and Services, or Domains and Trusts … but depending on the size of the environment getting all that information can take time.  Microsoft’s Active Directory Topology Diagrammer (ADTD) can help!  Running this tool you can read your entire Active Directory structure and automatically output that information into a Visio 2003 or 2007 diagram.

All you need to do is provide a domain controller, check the information you would like the tool to look for and then just hit the Discover button.  The tool will query your AD/DNS environment and provide you with a status, after which you can click Draw! and all the information will be drawn to a Visio document.

I’ve used this tool against Windows 2000, 2003, and 2008 Active Directory installations; it also seemed to work well discovering Exchange 2003 and 2007 organizations.

Every Windows administrator/engineer should have ADTD in their little bag of tools; give it a download:
http://www.microsoft.com/downloads/details.aspx?familyid=cb42fc06-50c7-47ed-a65c-862661742764&displaylang=en