Monday, August 29, 2011

New worm (Morto.A) targeting weak passwords on Remote Desktop connections (port 3389)

There is a new worm out there that spreads by targeting weak passwords on Remote Desktop connections.

Win32/Morto.A is a worm that allows unauthorized access to an affected computer. It spreads by trying to compromise administrator passwords for Remote Desktop connections on a network.


Aliases
Trojan horse Generic24.OJQ (AVG)
Trojan.DownLoader4.48720 (Dr.Web)
Win-Trojan/Helpagent.7184 (AhnLab)
Troj/Agent-TEE (Sophos)

Details:

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aWin32%2fMorto.A
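The worm only gets in by guessing; that leaves a distinctive trail in the Security log of any host it touches. The script below is an added example (not code from the original post or from Microsoft): it pulls failed RDP logons, flags source addresses that exceed a guess threshold, and reports the two settings that blunt this kind of attack. It assumes logon auditing is enabled (event 4625 is written), PowerShell 2.0 or later on the RDP host, and English output from net accounts; the addresses, accounts and timestamps in the sample data are constructed.

```powershell
# Added example (not code from the original post): find sources that hammer
# RDP with failed logons, the trace a password-guessing worm such as Morto.A
# leaves in the Security log, and check two settings that blunt it.
# Assumptions: logon auditing is on (event 4625 is logged), PowerShell 2.0 or
# later on the RDP host, and English "net accounts" output.

function New-LogonRecord([datetime]$Time, [string]$User, [int]$LogonType, [string]$Source) {
    New-Object PSObject -Property @{ Time = $Time; User = $User; LogonType = $LogonType; Source = $Source }
}

function Get-FailedRdpLogon {
    param([datetime]$Since = (Get-Date).AddHours(-24))
    # 4625 = logon failure. LogonType 10 = RemoteInteractive (classic RDP logon);
    # with Network Level Authentication a rejected guess is logged as type 3, so keep both.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            New-LogonRecord $_.TimeCreated $d['TargetUserName'] ([int]$d['LogonType']) $d['IpAddress']
        } |
        Where-Object { @(3, 10) -contains $_.LogonType }
}

function Find-RdpBruteForce {
    param([object[]]$Records, [int]$Threshold = 20)
    # One source address with many failures across a few accounts is the worm's
    # signature; a single user mistyping a password does not cross the threshold.
    $Records | Group-Object Source | Where-Object { $_.Count -ge $Threshold } | ForEach-Object {
        $sorted = @($_.Group | Sort-Object Time)
        New-Object PSObject -Property @{
            Source   = $_.Name
            Failures = $_.Count
            Accounts = (($_.Group | ForEach-Object { $_.User }) | Sort-Object -Unique) -join ','
            First    = $sorted[0].Time
            Last     = $sorted[-1].Time
        }
    } | Sort-Object Failures -Descending
}

function Test-RdpHardening {
    # NLA makes a guess fail before a session is created; a lockout threshold
    # caps how many guesses an account absorbs before it is locked.
    $tcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $nla = (Get-ItemProperty -Path $tcp -Name UserAuthentication).UserAuthentication
    $lockoutLine = (net accounts | Select-String 'Lockout threshold') | ForEach-Object { $_.Line }
    New-Object PSObject -Property @{
        NlaRequired      = ($nla -eq 1)
        LockoutThreshold = ($lockoutLine -split ':\s*')[-1].Trim()   # "Never" means no lockout
    }
}

# Constructed sample: 25 guesses from one address against admin-style accounts,
# two ordinary failures from another address.
$t0 = Get-Date '2011-08-29 03:00:00'
$sample = @()
foreach ($i in 0..24) {
    $sample += New-LogonRecord $t0.AddSeconds($i * 5) (@('administrator', 'admin', 'test')[$i % 3]) 10 '203.0.113.7'
}
$sample += New-LogonRecord $t0.AddMinutes(9) 'jdoe' 10 '192.0.2.10'
$sample += New-LogonRecord $t0.AddMinutes(10) 'jdoe' 10 '192.0.2.10'
Find-RdpBruteForce -Records $sample -Threshold 20 | Format-Table Source, Failures, Accounts, First, Last -AutoSize

# Live run on the RDP host:
Find-RdpBruteForce -Records (Get-FailedRdpLogon) -Threshold 20 | Format-Table -AutoSize
Test-RdpHardening
```

Only the 203.0.113.7 group crosses the threshold in the sample; the two jdoe failures are ignored. On a real host, a hit from an internal address is worth as much attention as one from the Internet, because the worm spreads laterally once it has one foothold.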

Friday, August 19, 2011

Provisioning mailboxes to Exchange 2010 using FIM 2010 (and the proxyAddresses issue)


When you are using FIM (Forefront Identity Manager) to provision mailboxes to Exchange (in my case Exchange 2010) and would like FIM to generate the e-mail addresses and additional proxyAddresses (aliases), you will run into an issue.

FIM 2010 is perfectly capable of generating unique e-mail addresses and filling the multi-valued attribute proxyAddresses with any additional aliases you want. When you look at the contents of the proxyAddresses attribute in Active Directory you could see something like this:

SMTP:firstname.lastname@domain.com
smtp:<first letter of firstname>.lastname@domain.com
smtp:lastname@domain.com

The fact that the first entry has SMTP in capitals means that this is the default reply (primary) address; the lower-case smtp entries are secondary addresses.

As you might know, Exchange 2010 has a default e-mail address policy called "Default Policy". It contains something like %m@domain.com (%m being the Exchange alias). This policy cannot be removed or disabled.

Question: What happens when we provision a mailbox to Exchange 2010 using FIM 2010 and flow the attribute with the content provided earlier (the three smtp addresses)?

Answer: The mailbox will be created, however because the default e-mail address policy runs, the primary e-mail address (SMTP) will be reset to %m@domain.com! In addition, FIM will return the error "exported-change-not-reimported": the proxyAddresses value FIM exported is not the value it reads back on the next import, because Exchange rewrote it in the meantime.

The solution would be to clear the "Automatically update e-mail addresses based on e-mail address policy" option on the mailbox. You could do this with PowerShell, for instance. However, you can only do this after the mailbox is created. Within FIM, this would mean customization to be able to set the option on the mailbox, and you would have to perform the export again to set the correct proxyAddresses.

There is a way to solve this within one single flow. The Active Directory attribute msExchPoliciesExcluded on the user object records whether or not the "Automatically update e-mail addresses based on e-mail address policy" option is selected on the mailbox. If the option is selected, this attribute is empty; when it is not selected, it contains the value {26491cfc-9e50-4857-861b-0cb8df22b5d7}.

You might have guessed the solution by now: I simply flow the string "{26491cfc-9e50-4857-861b-0cb8df22b5d7}" to the attribute msExchPoliciesExcluded during the creation of the mailbox. By doing so the option is not selected, the e-mail address policy is not applied to this user, and the proxyAddresses I configured (within the same flow) are correctly set. This is done with code-less provisioning within the existing synchronization rule. See screenshot below.
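To check what the synchronization rule produces, or to apply the same two-attribute write outside FIM, the following is an added example (not the post's own configuration and not FIM code) using the Active Directory cmdlets. It assumes the ActiveDirectory module, an account with write access to the user, a user that already has a mailbox (the mailbox-creation attributes themselves are not covered here), and the hypothetical user jdoe in the hypothetical domain domain.com.

```powershell
# Added example (not from the original post): write proxyAddresses and
# msExchPoliciesExcluded in one operation, the way the synchronization rule
# flows them, and verify the result. Assumes the ActiveDirectory module and
# a user ('jdoe', hypothetical) that already has an Exchange 2010 mailbox.

Import-Module ActiveDirectory

# The well-known GUID Exchange stores in msExchPoliciesExcluded when
# "Automatically update e-mail addresses based on e-mail address policy" is cleared.
$EapExcluded = '{26491cfc-9e50-4857-861b-0cb8df22b5d7}'

function New-ProxyAddressList {
    param(
        [Parameter(Mandatory=$true)][string]$FirstName,
        [Parameter(Mandatory=$true)][string]$LastName,
        [Parameter(Mandatory=$true)][string]$Domain
    )
    # Primary reply address uses upper-case 'SMTP:'; aliases use lower-case 'smtp:'.
    $f = $FirstName.ToLower(); $l = $LastName.ToLower()
    $list = @(
        "SMTP:$f.$l@$Domain",
        "smtp:$($f.Substring(0,1)).$l@$Domain",
        "smtp:$l@$Domain"
    )
    # Exchange rejects a proxyAddresses set with zero or more than one primary,
    # so check the case-sensitive prefix before writing anything.
    $primaries = @($list | Where-Object { $_ -cmatch '^SMTP:' })
    if ($primaries.Count -ne 1) { throw "expected exactly one SMTP: entry, got $($primaries.Count)" }
    return $list
}

function Set-MailboxAddressesWithoutPolicy {
    param(
        [Parameter(Mandatory=$true)][string]$SamAccountName,
        [Parameter(Mandatory=$true)][string[]]$ProxyAddresses
    )
    $primary = [string](($ProxyAddresses | Where-Object { $_ -cmatch '^SMTP:' }) -replace '^SMTP:', '')
    # Writing msExchPoliciesExcluded together with proxyAddresses is what keeps the
    # Default Policy from overwriting the primary address afterwards. Note that
    # -Replace drops any existing X400/X500 entries, so this is for a fresh user.
    Set-ADUser -Identity $SamAccountName -Replace @{
        proxyAddresses         = $ProxyAddresses
        msExchPoliciesExcluded = $EapExcluded
        mail                   = $primary    # Exchange keeps mail equal to the primary SMTP address
    }
}

function Test-MailboxAddressesWithoutPolicy {
    param([Parameter(Mandatory=$true)][string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Properties proxyAddresses, msExchPoliciesExcluded, mail
    $primary = @($u.proxyAddresses | Where-Object { $_ -cmatch '^SMTP:' })
    New-Object PSObject -Property @{
        PolicyExcluded = ($u.msExchPoliciesExcluded -contains $EapExcluded)
        PrimaryCount   = $primary.Count
        Primary        = (($primary -replace '^SMTP:', '') -join ',')
        MailMatches    = (($primary -replace '^SMTP:', '') -contains $u.mail)
    }
}

$addresses = New-ProxyAddressList -FirstName 'John' -LastName 'Doe' -Domain 'domain.com'
Set-MailboxAddressesWithoutPolicy -SamAccountName 'jdoe' -ProxyAddresses $addresses
Test-MailboxAddressesWithoutPolicy -SamAccountName 'jdoe'

# The same flag, seen from the Exchange side (run in the Exchange Management Shell):
#   Get-Mailbox jdoe | Select-Object EmailAddressPolicyEnabled, PrimarySmtpAddress
# EmailAddressPolicyEnabled is $false exactly when the GUID above is present.
```

If PolicyExcluded comes back $false or the primary address has turned into the %m@domain.com form, the policy ran before the exclusion was in place; re-running the two-attribute write fixes the user, but the proper fix is to make sure both attributes go out in the same export.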

Thursday, August 11, 2011

You experience a long domain logon time in Windows Server 2008 R2 after you deploy Group Policy preferences.

Article ID: 2561285 - Last Review: August 10, 2011 - Revision: 1.0
You experience a long domain logon time in Windows 7 or in Windows Server 2008 R2 after you deploy Group Policy preferences to the computer

Assume that you have a client computer that is running Windows 7 or Windows Server 2008 R2 in a domain environment. You deploy Group Policy preferences (GPP) to the client computer by using item-level targeting on security groups. In this situation, a user of the client computer experiences a long domain logon time. This issue becomes more noticeable if the domain controller is only reachable over a slow link.

This issue occurs because item-level targeting uses recursive group membership queries to determine which groups the computer is a member of, and every extra round trip to the domain controller adds to the logon time. The expected behavior of item-level targeting is a non-recursive query for the groups that the computer is a member of.

The Remote Desktop Gateway service incorrectly blocks a user account whose name contains localized characters in Windows Server 2008 R2

Article ID: 2578133 - Last Review: August 10, 2011 - Revision: 1.0
The Remote Desktop Gateway service incorrectly blocks a user account whose name contains localized characters in Windows Server 2008 R2

Consider the following scenario:
  • You configure a Remote Desktop Web Access (RD Web Access) server on a computer that is running Windows Server 2008 R2.
  • You use a user account to try to connect to a remote desktop server through the RD Web Access server.
  • The user account name contains localized characters.
In this scenario, you cannot connect to the remote desktop server. Additionally, you receive the following error message:

Remote Desktop can't connect to the remote computer "<name>" for one of these reasons:

1) Your user account is not authorized to access the RD Gateway "<name>"
2) Your computer is not authorized to access the RD Gateway "<name>"
3) You are using an incompatible authentication method (for example, the RD Gateway might be expecting a smart card but you provided a password)

Contact your network administrator for assistance.
 

Remote Desktop session does not respond to keyboard input or mouse input after it loses the focus

Article ID: 2579381 - Last Review: August 10, 2011 - Revision: 1.0
A remote desktop session does not respond to keyboard input or mouse input after it loses the focus in Windows 7 or in Windows Server 2008 R2

A fix has been released for the scenario in which a remote desktop session stops responding to any keyboard or mouse input after it loses and regains the focus.

The issue occurs because the remote desktop ActiveX object does not deactivate the focus of the remote desktop session when the focus is lost. Because the focus is still activated, the remote desktop ActiveX object cannot set the focus of the remote desktop session again when you change the focus back to the session.

Wednesday, August 10, 2011

No access to allowed applications managed by AppLocker

This new update fixes the issue where you manage software restriction policies by applying AppLocker rules from a Group Policy Object (GPO). In this scenario, you cannot access allowed applications because the synchronization mechanism between Group Policy and AppLocker is broken.


Article ID: 2568041 - Last Review: August 10, 2011 - Revision: 1.0
You cannot access allowed applications that are managed by AppLocker in Windows 7 or in Windows Server 2008 R2


Vulnerability in Remote Desktop Web Access Could Allow Elevation of Privilege (2546250)

A new important security update has been released for Remote Desktop Web Access, for details see below.

Article ID: 2546250 - Last Review: August 9, 2011 - Revision: 1.0
MS11-061: Vulnerability in Remote Desktop Web Access could allow elevation of privilege: August 9, 2011

Executive Summary

This security update resolves a privately reported vulnerability in Remote Desktop Web Access. The vulnerability is a cross-site scripting (XSS) vulnerability that could allow elevation of privilege, enabling an attacker to execute arbitrary commands on the site in the context of the target user. The XSS Filter in Internet Explorer 8 and Internet Explorer 9 prevents this attack for its users when browsing to a Remote Desktop Web Access server in the Internet Zone. The XSS Filter in Internet Explorer 8 and Internet Explorer 9 is not enabled by default in the Intranet Zone.

This security update is rated Important for all supported editions of Windows Server 2008 R2. For more information, see the subsection, Affected and Non-Affected Software, in this section.

The security update addresses the vulnerability by correcting the manner in which the logon page for Remote Desktop Web Access validates input parameters. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.

Recommendation. The majority of customers have automatic updating enabled and will not need to take any action because this security update will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates and install this update manually. For information about specific configuration options in automatic updating, see Microsoft Knowledge Base Article 294871.

More info:
http://www.microsoft.com/technet/security/bulletin/MS11-061.mspx
http://support.microsoft.com/kb/2546250/en-us?sd=rss&spid=14134

Friday, August 5, 2011

Recommended Updates for Group Policy in Windows Client and Server Products

Microsoft has released a list of recommended hotfixes and updates for issues that occur in an Active Directory environment using Windows Group Policies or Windows Group Policy Preferences. Although it’s not a comprehensive list (and not intended to be) it is a good aggregate of common issues seen with Group Policy and Group Policy Preferences.

Group Policy and Group Policy Management Console Updates:

2261826 You cannot find a network drive in the "Browse For Folder" dialog box in the GPMC MMC snap-in on a computer that is running Windows Server 2008, Windows Vista, Windows Server 2008 R2, or Windows 7.
http://support.microsoft.com/default.aspx?scid=kb;EN-US;2261826

927908 Some security policies are displayed as "Not Defined" in the RSoP snap-in on a Windows Server 2003-based domain controller.
http://support.microsoft.com/default.aspx?scid=kb;EN-US;927908

981750 Error message occurs when you use GPMC to view a software restriction Group Policy setting in Windows 7 and in Windows Server 2008 R2: "An error has occurred while collecting data for Software Restriction Policies"
http://support.microsoft.com/default.aspx?scid=kb;EN-US;981750

2258620 You cannot find the "Find Now," "Stop," and "Clear All" buttons in the GPMC snap-in on a computer that is running Windows 7 or Windows Server 2008 R2.
http://support.microsoft.com/default.aspx?scid=kb;EN-US;2258620

976922 The "Run only allowed Windows applications" Group Policy setting displays no entries on a computer that is running Windows Vista, Windows Server 2008, or Windows 7.
http://support.microsoft.com/default.aspx?scid=kb;EN-US;976922

2409336 "Unable to cast object of type 'System.String' to type 'Microsoft.Group.Policy.Reporting.Extensions.Registry.RegistryValue'." error message when you try to generate a report for a GPO.
http://support.microsoft.com/default.aspx?scid=kb;EN-US;2409336

Group Policy Preferences Updates:

951430 A non-administrator user cannot log on to a domain from a computer that is running Windows Server 2008 if you set the locale information for the user by using a Group Policy preference setting.
http://support.microsoft.com/default.aspx?scid=kb;EN-US;951430

982606 The value of the "State" registry item is changed after a Group Policy preferences setting is applied in Windows Server 2008, in Windows Vista or in Windows Server 2008 R2.
http://support.microsoft.com/default.aspx?scid=kb;EN-US;982606

974266 Group Policy Preferences Client-Side Extension Hotfix Rollup.
http://support.microsoft.com/default.aspx?scid=kb;EN-US;974266

2385775 Group Policy Modeling Wizard fails when you have registry updates in the Group Policy preference on a computer that is running Windows Server 2008 R2.
http://support.microsoft.com/default.aspx?scid=kb;EN-US;2385775

979731 Some Group Policy preferences are not applied successfully on computers that are running Windows 7 or Windows Server 2008 R2.
http://support.microsoft.com/default.aspx?scid=kb;EN-US;979731

Source: http://support.microsoft.com/kb/2590914/en-us?sd=rss&spid=14134

Monday, August 1, 2011

Post SP1 KB articles related to Remote Desktop Services


This blog post contains a list of post-SP1 KB articles related to Remote Desktop Services, covering updates released up to 31 July 2011. Some of them supersede earlier KB articles. For the latest KB articles always check http://support.microsoft.com/.


2548538 Smart card authentication does not work when you use VDI and RD Gateway for RDC client in Windows 7 or in Windows Server 2008 R2
http://support.microsoft.com/?id=2548538

2545735 "The home folder could not be created" error when an administrator tries to set Remote Desktop Services Home Folder for a user account in Windows 7 or in Windows Server 2008 R2
http://support.microsoft.com/?id=2545735

2538047 Audio capture redirection feature does not work after a second remote desktop connection is created in Windows Server 2008 R2
http://support.microsoft.com/?id=2538047

2536989 Single Sign-On (SSO) feature does not work after you enable the RemoteFX feature in Windows Server 2008 R2
http://support.microsoft.com/?id=2536989

2536840 IP addresses that are used for reconnection are not listed completely in the RD Connection Broker setting in Windows Server 2008 R2 or in Windows 7
http://support.microsoft.com/?id=2536840

2525608 The "RemoteApp and Desktop Connection Management" service cannot start on a computer that is in a disjointed namespace and that is running Windows Server 2008 R2
http://support.microsoft.com/?id=2525608
Supersedes:
2415644 "Could not find destination computer" error when you connect to an assigned VDI desktop that is deployed through Remote Desktop Connection Broker in Windows Server 2008 R2
http://support.microsoft.com/?id=2415644

2525246 "0x0000003B" Stop error when you remotely control a Remote Desktop session in Windows Server 2008 R2
http://support.microsoft.com/?id=2525246

2522762 RemoteApp application does not work correctly from RD Web Access in Windows 7 or in Windows Server 2008 R2
http://support.microsoft.com/?id=2522762
Supersedes:
2524668 The single sign-on feature does not work in Windows 7 or in Windows Server 2008 R2 when you try to start a full remote desktop connection through RD Web Access
http://support.microsoft.com/?id=2524668
2522743 You cannot use a calendar control in a RemoteApp application when you use the RDC 7.0 client to connect to the RemoteApp application from a computer that is running Windows 7 or Windows Server 2008 R2
2446026 An application that uses the Remote Desktop Connection ActiveX control to provide virtualized sessions crashes in Windows Server 2008 R2 or in Windows 7
http://support.microsoft.com/?id=2446026

2519550 An incorrect program icon appears on the task bar in a remote desktop session that is running in Windows 7 or in Windows Server 2008 R2
http://support.microsoft.com/?id=2519550

2497787 The Remote Desktop Gateway service crashes under a heavy workload in Windows Server 2008 R2
http://support.microsoft.com/?id=2497787

2479710 Remote Desktop service crashes when Group Policy settings are refreshed in Windows Server 2008 R2 after you enable the "Required secure RPC communication" and "Set client connection encryption level" Group Policy settings
http://support.microsoft.com/?id=2479710

2465772 An application or service that uses Winsock API or Winsock Kernel API may randomly stop responding in Windows Server 2008 R2 or in Windows 7
http://support.microsoft.com/?id=2465772

2431799 Stop error 0x0000007E occurs when multiple users establish Remote Desktop Services sessions to a Windows Server 2008 R2-based computer
http://support.microsoft.com/?id=2431799

2424375 A remote desktop session may be incorrectly disconnected when a smart card is removed in another remote desktop session in Windows Server 2008 R2
http://support.microsoft.com/?id=2424375
Supersedes:
2301288 A Remote Desktop Services session is disconnected automatically if you apply the "Interactive logon: smart card removal behavior" Group Policy setting in Windows Server 2008 R2 or in Windows 7
http://support.microsoft.com/?id=2301288

Source http://blogs.technet.com/b/yongrhee/archive/2011/07/31/list-of-remote-desktop-terminal-services-related-hotfixes-post-sp1-for-windows-server-2008-r2.aspx
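Because several entries above supersede earlier ones, a plain "is KB x installed" check reports false gaps. The following is an added example (not from the original post or from the TechNet source) that compares the list above against Get-HotFix on the local server and treats a superseded KB as covered when its successor is installed. It assumes the updates are visible to Get-HotFix (which reads Win32_QuickFixEngineering) and that the "Supersedes" relations are exactly as laid out in the list above.

```powershell
# Added example (not from the original post): check which of the RDS hotfixes
# listed above are installed, honouring the "Supersedes" relations from the list.
# Assumes Get-HotFix can see the updates (Win32_QuickFixEngineering).

# KB -> KB(s) it supersedes, taken from the list above ($null = supersedes nothing).
$RdsKbs = @{
    '2548538' = $null; '2545735' = $null; '2538047' = $null; '2536989' = $null
    '2536840' = $null; '2525608' = '2415644'; '2525246' = $null
    '2522762' = @('2524668', '2522743', '2446026'); '2519550' = $null
    '2497787' = $null; '2479710' = $null; '2465772' = $null; '2431799' = $null
    '2424375' = '2301288'
}

function Get-InstalledKb {
    # Normalise 'KB2548538' -> '2548538'
    Get-HotFix | ForEach-Object { $_.HotFixID -replace '^KB', '' }
}

function Test-KbCoverage {
    param(
        [Parameter(Mandatory=$true)][hashtable]$Catalog,
        [Parameter(Mandatory=$true)][string[]]$Installed
    )
    # Reverse map: superseded KB -> the KB that replaces it.
    $successor = @{}
    foreach ($kb in $Catalog.Keys) {
        foreach ($old in @($Catalog[$kb])) { if ($old) { $successor[$old] = $kb } }
    }
    $all = (@($Catalog.Keys) + @($successor.Keys)) | Sort-Object -Unique
    foreach ($kb in $all) {
        $direct       = $Installed -contains $kb
        $viaSuccessor = $successor.ContainsKey($kb) -and ($Installed -contains $successor[$kb])
        $status = if ($direct) { 'Installed' }
                  elseif ($viaSuccessor) { "Superseded by KB$($successor[$kb])" }
                  else { 'Missing' }
        New-Object PSObject -Property @{ KB = "KB$kb"; Status = $status }
    }
}

Test-KbCoverage -Catalog $RdsKbs -Installed (Get-InstalledKb) | Sort-Object KB | Format-Table KB, Status -AutoSize
```

A "Missing" row for a KB that is itself superseded in the list is expected whenever the newer KB is also missing; install the newer one rather than the old one, since the list says the older fix is contained in it.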