My boss had created an excel spreadsheet to aid us in our network configurations. Unfortunately he’s not a very good speller. There were quite a few spelling errors that were driving me nuts, so I was going to update the template with the correct words. Unfortunately, again, he locked the spreadsheet to prevent changes to the code. And he was on vacation.

So a brief google search found this gem (JSBI), which I’ll repost here just in case it disappears.

Open the spreadsheet with the locked cells or sheets.
Open the Macros area (2007/2010 it’s View tab, then Macros)
Select Record Macro
Just click OK (keep the name Macro1)
Then click Stop Recording
View Macros
Edit Macro1
Copy the below in place of what is there:

Sub Macro1()
'
' Breaks worksheet and workbook structure passwords. Jason S
' probably originator of base code algorithm modified for coverage
' of workbook structure / windows passwords and for multiple passwords
' Jason S http://jsbi.blogspot.com
' Reveals hashed passwords NOT original passwords
Const DBLSPACE As String = vbNewLine & vbNewLine
Const AUTHORS As String = DBLSPACE & vbNewLine & "Adapted from Bob McCormick base code by" & "Jason S http://jsbi.blogspot.com"
Const HEADER As String = "AllInternalPasswords User Message"
Const VERSION As String = DBLSPACE & "Version 1.0 8 Sep 2008"
Const REPBACK As String = DBLSPACE & "Please report failure to jasonblr@gmail.com "
Const ALLCLEAR As String = DBLSPACE & "The workbook should be cleared"
Const MSGNOPWORDS1 As String = "There were no passwords on " & AUTHORS & VERSION
Const MSGNOPWORDS2 As String = "There was no protection to " & "workbook structure or windows." & DBLSPACE
Const MSGTAKETIME As String = "After pressing OK button this " & "will take some time." & DBLSPACE & "Amount of time " & "depends on how many different passwords, the "
Const MSGPWORDFOUND1 As String = "You had a Worksheet " & "Structure or Windows Password set." & DBLSPACE & "The password found was: " & DBLSPACE & "$$" & DBLSPACE & "Note it down for potential future use in other workbooks by " & "the same person who set this password." & DBLSPACE & "Now to check and clear other passwords." & AUTHORS & VERSION
Const MSGPWORDFOUND2 As String = "You had a Worksheet " & "password set." & DBLSPACE & "The password found was: " & DBLSPACE & "$$" & DBLSPACE & "Note it down for potential " & "future use in other workbooks by same person who " & "set this password." & DBLSPACE & "Now to check and clear " & "other passwords." & AUTHORS & VERSION
Const MSGONLYONE As String = "Only structure / windows " & "protected with the password that was just found." & ALLCLEAR & AUTHORS & VERSION & REPBACK
Dim w1 As Worksheet, w2 As Worksheet
Dim i As Integer, j As Integer, k As Integer, l As Integer
Dim m As Integer, n As Integer, i1 As Integer, i2 As Integer
Dim i3 As Integer, i4 As Integer, i5 As Integer, i6 As Integer
Dim PWord1 As String
Dim ShTag As Boolean, WinTag As Boolean
Application.ScreenUpdating = False
With ActiveWorkbook
WinTag = .ProtectStructure Or .ProtectWindows
End With
ShTag = False
For Each w1 In Worksheets
ShTag = ShTag Or w1.ProtectContents
Next w1
If Not ShTag And Not WinTag Then
MsgBox MSGNOPWORDS1, vbInformation, HEADER
Exit Sub
End If
MsgBox MSGTAKETIME, vbInformation, HEADER
If Not WinTag Then
MsgBox MSGNOPWORDS2, vbInformation, HEADER
Else
On Error Resume Next
Do 'dummy do loop
For i = 65 To 66: For j = 65 To 66: For k = 65 To 66
For l = 65 To 66: For m = 65 To 66: For i1 = 65 To 66
For i2 = 65 To 66: For i3 = 65 To 66: For i4 = 65 To 66
For i5 = 65 To 66: For i6 = 65 To 66: For n = 32 To 126
With ActiveWorkbook
.Unprotect Chr(i) & Chr(j) & Chr(k) & Chr(l) & Chr(m) & Chr(i1) & Chr(i2) & Chr(i3) & Chr(i4) & Chr(i5) & Chr(i6) & Chr(n)
If .ProtectStructure = False And .ProtectWindows = False Then
PWord1 = Chr(i) & Chr(j) & Chr(k) & Chr(l) & Chr(m) & Chr(i1) & Chr(i2) & Chr(i3) & Chr(i4) & Chr(i5) & Chr(i6) & Chr(n)
MsgBox Application.Substitute(MSGPWORDFOUND1, "$$", PWord1), vbInformation, HEADER
Exit Do 'Bypass all for...nexts
End If
End With
Next: Next: Next: Next: Next: Next
Next: Next: Next: Next: Next: Next
Loop Until True
On Error GoTo 0
End If
If WinTag And Not ShTag Then
MsgBox MSGONLYONE, vbInformation, HEADER
Exit Sub
End If
On Error Resume Next
For Each w1 In Worksheets
'Attempt clearance with PWord1
w1.Unprotect PWord1
Next w1
On Error GoTo 0
ShTag = False
For Each w1 In Worksheets
'Checks for all clear ShTag triggered to 1 if not.
ShTag = ShTag Or w1.ProtectContents
Next w1
If ShTag Then
For Each w1 In Worksheets
With w1
If .ProtectContents Then
On Error Resume Next
Do 'Dummy do loop
For i = 65 To 66: For j = 65 To 66: For k = 65 To 66
For l = 65 To 66: For m = 65 To 66: For i1 = 65 To 66
For i2 = 65 To 66: For i3 = 65 To 66: For i4 = 65 To 66
For i5 = 65 To 66: For i6 = 65 To 66: For n = 32 To 126
.Unprotect Chr(i) & Chr(j) & Chr(k) & Chr(l) & Chr(m) & Chr(i1) & Chr(i2) & Chr(i3) & Chr(i4) & Chr(i5) & Chr(i6) & Chr(n)
If Not .ProtectContents Then
PWord1 = Chr(i) & Chr(j) & Chr(k) & Chr(l) & Chr(m) & Chr(i1) & Chr(i2) & Chr(i3) & Chr(i4) & Chr(i5) & Chr(i6) & Chr(n)
MsgBox Application.Substitute(MSGPWORDFOUND2, "$$", PWord1), vbInformation, HEADER
'leverage finding Pword by trying on other sheets
For Each w2 In Worksheets
w2.Unprotect PWord1
Next w2
Exit Do 'Bypass all for...nexts
End If
Next: Next: Next: Next: Next: Next
Next: Next: Next: Next: Next: Next
Loop Until True
On Error GoTo 0
End If
End With
Next w1
End If
MsgBox ALLCLEAR & AUTHORS & VERSION & REPBACK, vbInformation, HEADER
'
End Sub

Then run Macro1. This may take a while depending on the speed of the machine. It looked like excel locked up on my test system. After a minute or two the alerts pop up with the password. In my case it was “password123”. Secure? Sure.

The last few weeks of the year are usually the best to start testing systems at my current job. We currently have the following security measures in place:

Cisco Firewalls
Juniper Firewalls
Cisco IPS
Cisco Switches with ACLs on each VLAN
Secured Syslog Server
Secured Snort (IDS) Server
McAfee Antivirus
Windows Updates*

*Windows Updates are not forced on the Dev Team or Server Farms – Those updates are installed manually usually once a quarter (after testing).

Seeing as it’s Tuesday December 28th, I had some free time to test out the Antivirus installed on each system. Most exploits today are not actually against the OS (Microsoft has done a pretty decent job lately with security issues, even with that huge DLL issue) and are instead targeting 3rd party applications.

What do you consider a 3rd party application? The biggest two are:

Adobe (PDF Reader, Flash Player)
Sun (Java)

So I decided to test in my VMWare environment using the latest and greatest updates for Windows XP. Why did I choose XP over 7? Looking over my log files I see that most visitors to my site include XP users. XP has also been around long enough to get all the kinks worked out. And finally, I chose to use PDF/Java exploits, so the OS doesn’t really matter as much.

Please don’t visit these websites unless you know what you’re doing. And I used smartscan/quickscan whenever possible.

Test 1 (Nod32/Threatfire):

Windows XP Pro SP3
Fully Updated 12.28.2010
Internet Explorer 8.0.6001.18702
Nod32 Antivirus 4.2.67.10 5739
Threatfire 4.7.0.17
Secunia PSI 2.0.0.1002 100%
Adobe Flash Player 10 ActiveX 10.1.102.64
Java 6 Update 23 6.0.230
Malwarebytes Anti-Malware 1.50.1.1100 5408

cryyahoo.info/tre/boba.exe
Blocked by Nod – Downloaded Java (c:\doc and set\Administratorupdate665744669.exe) **PDF/Java/Trojan**

expa82.co.cc/bl2/
Blocked by Nod **Trojan**

1.oresmir.co.cc/1/load.php?spl=mdac
IE labeled download as unsafe, Cleaned by Nod **Trojan**

marinada3.com/77/throatnut.php
Blocked by IE – Java exploit blocked by Nod (Freezes IE) **Java/Trojan**

Malwarebytes:
Objects infected: 3 (3 are non-infection related)

Verdict:
Clean system, difficult to infect on accident.
Performed scan by Nod32/Threatfire – nothing found.

Test 2 (McAfee):

Windows XP Pro SP3
Fully Updated 12.28.2010
Internet Explorer 8.0.6001.18702
McAfee VirusScan Enterprise 8.7i 6210.0000
Adobe Flash Player 10 ActiveX 10.1.102.64
Java 6 Update 23 6.0.230
Malwarebytes Anti-Malware 1.50.1.1100 5408

cryyahoo.info/tre/boba.exe
Allowed to download – no extra processes

expa82.co.cc/bl2/
Allowed to load page – no extra processes

1.oresmir.co.cc/1/load.php?spl=mdac
IE labeled download as unsafe, allowed to install (load.exe, csrss in temp folder)

marinada3.com/77/throatnut.php
Blocked by IE – no extra processes

Malwarebytes:
Objects infected: 14 (3 are non-infection related)

Verdict:
CSRSS.EXE running as SYSTEM and Administrator. Infected system.
Performed scan by McAfee – nothing found.

Test 3 (McAfee/Threatfire):

Windows XP Pro SP3
Fully Updated 12.28.2010
Internet Explorer 8.0.6001.18702
McAfee VirusScan Enterprise 8.7i 6210.0000
Threatfire 4.7.0.17
Adobe Flash Player 10 ActiveX 10.1.102.64
Java 6 Update 23 6.0.230
Malwarebytes Anti-Malware 1.50.1.1100 5408

cryyahoo.info/tre/boba.exe
Allowed to load page – file would not download

expa82.co.cc/bl2/
Allowed to load page – no extra processes

1.oresmir.co.cc/1/load.php?spl=mdac
IE labeled download as unsafe, Threatfire detected and blocked the installation, then found and blocked load.exe

marinada3.com/77/throatnut.php
Blocked by IE – no extra processes

Malwarebytes:
Objects infected: 4 (3 are non-infection related)

Verdict:
Only infection file was located as a temporary internet file download and was not referenced in the registry. “Clean” system.
Performed scan by McAfee and Threatfire – nothing found.

Test 4 (Nod32):

Windows XP Pro SP3
Fully Updated 12.28.2010
Internet Explorer 8.0.6001.18702
Nod32 Antivirus 4.2.67.10 5739
Adobe Flash Player 10 ActiveX 10.1.102.64
Java 6 Update 23 6.0.230
Malwarebytes Anti-Malware 1.50.1.1100 5408

cryyahoo.info/tre/boba.exe
Blocked by Nod

expa82.co.cc/bl2/
Blocked by Nod

1.oresmir.co.cc/1/load.php?spl=mdac
IE labeled download as unsafe – Not found by Nod32

marinada3.com/77/throatnut.php
Blocked by IE – Java exploit blocked by Nod32

Malwarebytes:
Objects infected: 13 (3 are non-infection related)

Verdict:
Infected system, somewhat hard to infect on accident, but a definite possibility. CSRSS.exe is loading.
Performed scan by Nod32 – nothing found.

Test 5 (No AV):

Windows XP Pro SP3
Fully Updated 12.28.2010
Internet Explorer 8.0.6001.18702
Adobe Flash Player 10 ActiveX 10.1.102.64
Java 6 Update 23 6.0.230
Malwarebytes Anti-Malware 1.50.1.1100 5408

cryyahoo.info/tre/boba.exe
IE reported this site as BAD – File not found to download

expa82.co.cc/bl2/
Site loaded fine – no extra processes

1.oresmir.co.cc/1/load.php?spl=mdac
IE labeled download as unsafe – Saved and run successfully

marinada3.com/77/throatnut.php
Blocked by IE – Java exploit allowed to load – no additional processes

Malwarebytes: (google searches redirected to other websites, had to kill load.exe)
Objects infected: 14 (3 are non-infection related)

Verdict:
It’s always better to have some sort of antivirus software installed. So I can’t recommend this at all.

Test 6 (Microsoft Security Essentials MSE):

Windows XP Pro SP3
Fully Updated 12.28.2010
Internet Explorer 8.0.6001.18702
Adobe Flash Player 10 ActiveX 10.1.102.64
Java 6 Update 23 6.0.230
Malwarebytes Anti-Malware 1.50.1.1100 5408

cryyahoo.info/tre/boba.exe
IE reported this site as BAD – File not found to download

expa82.co.cc/bl2/
Site loaded fine – no extra processes

1.oresmir.co.cc/1/load.php?spl=mdac
IE labeled download as unsafe – Saved and run successfully

marinada3.com/77/throatnut.php
Blocked by IE – Java exploit allowed to load – no additional processes

MSE found a few files it needed to send in for verification, but did not block anything.

Malwarebytes:
Objects infected: 12 (3 are non-infection related)

Verdict:
MSE didn’t actively block anything – it only found the files when I scanned the computer using MSE. I prefer a more active participant.

Test 7 (Microsoft Security Essentials MSE with TF):

Windows XP Pro SP3
Fully Updated 12.28.2010
Internet Explorer 8.0.6001.18702
Adobe Flash Player 10 ActiveX 10.1.102.64
Java 6 Update 23 6.0.230
Malwarebytes Anti-Malware 1.50.1.1100 5408
Threatfire 4.7.0.17

cryyahoo.info/tre/boba.exe
IE reported this site as BAD – File not found to download

expa82.co.cc/bl2/
Site loaded fine – no extra processes

1.oresmir.co.cc/1/load.php?spl=mdac
IE labeled download as unsafe – Threatfire blocked the installation

marinada3.com/77/throatnut.php
Blocked by IE – Threatfire blocked the java exploit from running

MSE, like in the previous test, did not block anything.

Malwarebytes:
Objects infected: 3 (3 are non-infection related)

Verdict:
MSE didn’t actively block anything – it only worked well with TF in finding new problem programs. I still prefer a more active participant, but MSE and TF worked well.

Final Results:
So it appears as though Threatfire really does help out. It also appears that Nod32 is only slightly better than McAfee and MSE edged them both out. McAfee did not find the infections on access or during a scan. Nod32 blocked only one file on access, but found nothing during a scan. MSE blocked nothing during on access, but found a couple files with issues during a scan.
I also realize that I didn’t include Adobe Reader as part of the package. Since I’ve already disposed of the virtual machines I don’t think I’ll go back and correct this error.

No AV – 11 infections
McAfee – 11 infections
Nod32 – 10 infections
MSE – 9 infections
McAfee with Threatfire – 1 infection
Nod32 with Threatfire – 0 infections
MSE with Threatfire – 0 infections

Final recommendation:
While I will continue to use Nod32 alongside Threatfire (I pay for the Nod32 subscription), and will continue to recommend it to my peers/clients, I must say that for the average home user MSE has come through with flying colors. However, when utilizing MSE you MUST scan your system after each download or on regular scanning intervals. Their lack of on-access scanning is my major gripe at this time.

I had a developer trying to connect to the admin panel of IIS7. They could open the MMC just fine, but when they clicked on the server (local server) it would give a failure:

There was an error connecting. Do you want to specify different credentials?

And then it would fail again.

Open a command prompt on the server:
%windir%\system32\inetsrv\appcmd list sites

So I edited the redirection.config file given, and found that one of the developers had put
Changed it to false, and yay it works! Oh, I had to close IIS Admin and reopen.

I was trying to get back into the Remote Installation Server (RIS) setup and wanted to run sysprep on my newly formatted laptop. I then wanted to take the image and be able to install it on different hardware but maintain the basic software suite I have grown accustomed to.

All of my stuff is running on 7 at this point save for a few virtual XP testing machines.

You MUST have the AIK (automated installation kit) installed! http://www.microsoft.com/downloads/en/details.aspx?FamilyId=94BB6E34-D890-4932-81A5-5B50C657DE08&displaylang=en
http://www.microsoft.com/downloads/en/confirmation.aspx?familyid=696DD665-9F76-4177-A811-39C26D3B3B34&displaylang=en

Then follow along: (I grabbed all this from http://technet.microsoft.com/en-us/library/dd744537%28WS.10%29.aspx)
Start, All Programs, Microsoft Windows AIK, Right-click on Windows PE Tools Command Prompt and select Run As Administrator.
copype.cmd x86 c:\winpe_x86
copy c:\winpe_x86\winpe.wim c:\winpe_x86\ISO\sources\boot.wim
Dism /Mount-Wim /Wimfile:c:\winpe_x86\ISO\sources\boot.wim /index:1 /MountDir:C:\winpe_x86\mount
copy c:\winpe_x86\ISO\bootmgr c:\winpe_x86\mount
mkdir c:\winpe_x86\mount\boot
xcopy /cherky C:\winpe_x86\ISO\boot C:\winpe_x86\mount\boot\

copy "c:\program files\Windows AIK\Tools\x86\ImageX.exe" c:\winpe_x86\mount
Del c:\winpe_x86\mount\boot\BCD
Bcdedit /createstore c:\winpe_x86\mount\boot\BCD
Bcdedit /store c:\winpe_x86\mount\boot\BCD -create {bootmgr} /d "Boot Manager"
Bcdedit /store c:\winpe_x86\mount\boot\BCD -set {bootmgr} device boot
Bcdedit /store c:\winpe_x86\mount\boot\BCD -create /d "WINPE" -application osloader
The last command returns a GUID value. Substitute this value for in the following examples.
Bcdedit /store c:\winpe_x86\mount\boot\BCD -set GUID osdevice boot
Bcdedit /store c:\winpe_x86\mount\boot\BCD -set GUID device boot
Bcdedit /store c:\winpe_x86\mount\boot\BCD -set GUID path \windows\system32\winload.exe
Bcdedit /store c:\winpe_x86\mount\boot\BCD -set GUID systemroot \windows
Bcdedit /store c:\winpe_x86\mount\boot\BCD -set GUID winpe yes
Bcdedit /store c:\winpe_x86\mount\boot\BCD -displayorder GUID -addlast
oscdimg -n -m -o -bc:\winpe_x86\etfsboot.com c:\winpe_x86\mount c:\winpe_x86\winpe_x86.iso

Then burn the ISO (located in c:\winpe_x86\) to a CD. Now we’re done creating the PE environment.

I went on to run sysprep:
C:\windows\system32\sysprep\sysprep.exe

Enter System Out-of-Box Experience OOBE
Generalize
Quit

It took roughly 10 minutes to run the Sysprep cleanup.
And then booted off my CD (64bit in my case, so just change the appropriate x86 to amd64)

imagex /capture d: d:\data.wim "Drive D"

I was starting to notice that a few of the servers had different times on them. I only noticed because my desktop clock was different from my phone clock, and the phone system was pointing to my Ubuntu NTP server as it’s time server (which in turn is pointing to ntp.ubuntu.com I believe).

So, 2 domain controllers had the exact same time, 1 had a different time, and yet another still had another different time:
DC1 10:01:05
DC2 10:01:42
DC3 10:00:00 (PDC)
DC4 10:00:00

Not good. So the PDC was being read only by the newest of the domain controllers. So the other two were setup incorrectly. It’s never a good idea to have multiple domain controllers with different time on the clocks. That leads to a bunch of issues. Let’s find out how to fix and why it is wrong.

Check what NTP each DC is fetching information from:

Open a command prompt on any of the domain controllers.
w32tm /monitor /domain:DOMAIN_NAME_HERE

If on a workgroup, you can use the following:
net time /querysntp

If your PDC is not on the correct time, change the what NTP your server is fetching information from:

w32tm /config /manualpeerlist:IP_ADDRESS_OF_NTP_SERVER /syncfromflags:manual /reliable:yes /update

Update your other Servers/DCs to fetch NTP data from your PDC:

On your other servers, open a command prompt.
w32tm /config /manualpeerlist:IP_OF_PDC,0x8 /syncfromflags:MANUAL
net stop w32time
net start w32time
w32tm /resync

/update will allow you to not need to net stop/start the w32time service. I put both in here for my personal reference.

0x8 flag – send request as client mode
0x4 flag – send request as symmetricactive mode
0x2 flag – use as fallback only
0x1 flag – use a special polling interval

** EDIT 9/18/2015 **
Replaced my aging Ubuntu 12.04LTS (an upgrade from 8.04 to 10.04) with a CentOS7.x box for the primary NTP. Noticed that the managed phone clocks were about 2 minutes off from our desktop clocks. The phones were set incorrectly and I had our provider fix, but we were still about 60 seconds off from where we wanted to be.

The replacement server had the same IP, but did NOT have the proper restrict (restrict 10.0.0.0 mask 255.0.0.0) appropriate for our environment. Fixed and service ntpd restart.

Still no love. On the PDC I ran
w32tm /query /peers
And received a State: Pending
Ended up rewriting the manualpeerlist
w32tm /config /manualpeerlist:"10.0.0.254 0.us.pool.ntp.org" /reliable:yes /update
w32tm /resync
w32tm /query /peers
State: Active