All posts by admin

Typos in phishing e-mails

Finally got an answer to a question that has been bugging me for years – why do phishing e-mails contain typos and grammatical errors?

For me, a typo clearly signals that the phishing e-mail isn’t genuine. If my real bank sent me an e-mail, surely they’d be able to spell? Given that internet fraud is such big business, surely scammers can employ people who can write proper English?

Well, it turns out the typos may be deliberate. To successfully scam someone, the victim needs to be massively gullible. Identifying such a victim is difficult. By making the phishing e-mails less than realistic, only really gullible people will be taken in. So typos are a deliberate attempt to get gullible people to self-select. If they were more realistic, more normal people would click on the links, and further down the line the normal people would realise it’s a scam and pull out. It’s basically a way of saying “If you believe this e-mail, full of typos and other hints that it’s a scam, is really from your bank, well, you’re exactly the kind of person we want to hear from, so click here!”


HP tools on ESXi (switching from hpacucli to hpssacli)

I’ve blogged in the past about using HP’s hpacucli tool to view the status of my ProLiant hardware. One of my new Gen9 servers failed yesterday, and I was distressed to discover hpacucli wasn’t installed on the server. I believe this is because it is no longer supported on Gen9 ProLiants and you should now use hpssacli.

So to use this on ESXi, use PuTTY to connect to the server, then use one or more of the following useful commands to get any info you might want:

esxcli hpssacli cmd -q "ctrl all show detail"
esxcli hpssacli cmd -q "ctrl all show status"
esxcli hpssacli cmd -q "ctrl all show config"

Quote of the day

“A decision was wise, even though it led to disastrous consequences, if the evidence at hand indicated it was the best one to make, and a decision was foolish, even though it led to the happiest possible consequences, if it was unreasonable to expect those consequences.” –Herodotus

Find Microsoft Serial Numbers

Occasionally, you may want to find out the serial number you have used to install Microsoft Office. There is no easy way to find this, other than using 3rd party tools. You can, however, view the last five digits. This is often all you need to tie the installation to a particular licence or product card. Microsoft include a handy script that does just this. Just run:

cscript "C:\Program Files\Microsoft Office\Office15\OSPP.VBS" /dstatus

This is for Office 2013. For Office 2010 replace the Office15 with Office14. You can also run it from the 32-bit install path (Program Files (x86)).

Remotely turning on remote PowerShell commands

In my last post I gave a PowerShell command that accesses the registry. Doing this for a remote PC requires that the PowerShell command be run on the remote PC. This requires remote PowerShell to be enabled, which it is on Windows 7.

To turn it on, you use the PowerShell command Enable-PsRemoting -Force

However, you can’t run this in a remote PowerShell session until you enable remote PowerShell sessions. Catch-22.

To turn it on, I used the code here.

The script basically uses Task Scheduler to create a task on the remote PC that runs the Enable-PsRemoting command and then deletes the task.

Once this is done, you can run a remote PowerShell session with this command:

Enter-PSSession -ComputerName remotepc

Getting a list of installed applications using Get-WmiObject

I use this all the time for finding out what is installed on a remote PC, and, importantly, what version is installed:

Get-WmiObject -Class Win32_Product -comp REMOTEPC -filter "Vendor like '%Adobe%'" | Select-Object -Property Name,Version

However, the fatal flaw with this command is that it doesn’t always include every bit of software that is listed in Add/Remove programs.

Here we see the result of running this command for all installed Adobe products.


Now compare this with Add/Remove programs and we see that InDesign and Photoshop are NOT listed.


This is because the Win32_Product class can only display applications installed using Windows Installer, and Adobe products are provisioned through the Creative Cloud application suite, which isn’t based on the Windows Installer framework.
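An added example (not from the original post) that reads the Uninstall registry keys behind Add/Remove Programs on the remote PC, so non-MSI installs are listed too. REMOTEPC and the Adobe filter are carried over from the command above; the function name Get-InstalledApp is made up for this example, and PowerShell remoting is assumed to be enabled on the target.

```powershell
# Added example: not the blog author's code. Get-InstalledApp is a hypothetical name.
function Get-InstalledApp {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [string] $Publisher = '*'          # wildcard match on the Publisher value
    )

    Invoke-Command -ComputerName $ComputerName -ArgumentList $Publisher -ScriptBlock {
        param($Publisher)

        # Machine-wide entries shown in Add/Remove Programs: 64-bit and 32-bit views.
        # Per-user installs (HKCU) are not covered here.
        $keys = @(
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
        )

        Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
            Where-Object {
                $_.DisplayName -and              # skip entries with no visible name
                -not $_.SystemComponent -and     # these are hidden from the list
                $_.Publisher -like $Publisher
            } |
            Select-Object DisplayName, DisplayVersion, Publisher,
                @{ Name = 'Source'; Expression = {
                    # WindowsInstaller = 1 marks MSI installs, the only kind Win32_Product returns
                    if ($_.WindowsInstaller -eq 1) { 'MSI' } else { 'Non-MSI' }
                } }
    } |
        Sort-Object -Property DisplayName -Unique |
        Select-Object DisplayName, DisplayVersion, Publisher, Source   # drop remoting metadata
}

Get-InstalledApp -ComputerName REMOTEPC -Publisher '*Adobe*' | Format-Table -AutoSize
```

Rows marked Non-MSI are the ones the Win32_Product query leaves out.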


Monitoring external vendors connecting to our domain

I have a number of vendors and consultants who work for us and as a result require access to our servers. Oftentimes, they require remote access. Generally I prefer to give them a LogMeIn user account under our main account, so that I can view and control access. They can then log in to LMI and select from a list of servers that I have provided access to. Sometimes they prefer to use their own LMI or TeamViewer account, which I may be OK with.

I’m not comfortable about providing so many external people with administrator access to our servers, but it’s often necessary. One thing that helps is being notified when they have logged on.

The first thing I did was to change the audit settings in LMI to e-mail every time a user logs on (or fails to log on) to LMI.

The second thing I did was create a logon script that e-mails me every time these external users log on to any server. To do this I created an AD group called ‘External Users’ and added all the vendors and consultants to this group (each vendor has his own AD account).

Then, I created a new group policy to apply my logon script (which I saved in the netlogon folder) to this group. You specify the script under User Configuration > Policies > Windows Settings > Scripts > Logon. I also added a separate script for Logoff, although this should really be the same script but with a different parameter (you can specify parameters within Group Policy). I applied this group policy to the ‘External Users’ AD group.

Now, whenever they log on, I get an e-mail. This works great. It took me a while to realise that, by default, Windows 2012 server (and Windows 8 clients) have a five minute delay before running scripts. To overcome this limitation, I created an AD group called ‘Windows 2012 Servers’ and added all my 2012 servers to it. I then created a new group policy called ‘Windows 2012 Servers’ and changed the setting for Computer > Policies > Administrative Templates > System > Group Policy > Configure Logon Script Delay from ‘Not Configured’ to 1 minute. Now the logon script will e-mail after a minute when the external user logs on to a Windows 2012 server.

One problem I have is that external users don’t always bother to log off. So I am not notified the next time they use the server, which might be a few days later, because they are still logged on to their original session. A quick and dirty way to overcome this is to force them to log off. Run the command line qwinsta /server:MyServer. This will display any logged on users. Make a note of the ID of that session and type rwinsta <ID> /server:MyServer to log them off. This will work regardless of whether they are using RDP or are logged on to the console (it will tell you which).
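An added example (not the script from the original post) of a single notification script that serves both the Logon and Logoff policy entries described above, with the event chosen by a parameter set in Group Policy (for example -Action Logoff). The SMTP server and the e-mail addresses are placeholders, and it assumes an internal relay that accepts unauthenticated mail from the servers.

```powershell
# Added example: not the blog author's script. Server name and addresses are placeholders.
param(
    [ValidateSet('Logon', 'Logoff')]
    [string] $Action = 'Logon'           # supplied as the script parameter in Group Policy
)

$smtpServer = 'smtp.example.internal'    # placeholder relay
$from       = 'logon-alerts@example.internal'
$to         = 'admin@example.internal'

# SESSIONNAME is 'Console' at the physical console and 'RDP-Tcp#n' over Remote Desktop.
$session = if ($env:SESSIONNAME) { $env:SESSIONNAME } else { 'unknown' }
# CLIENTNAME is only set for Remote Desktop sessions.
$client  = if ($env:CLIENTNAME)  { $env:CLIENTNAME }  else { 'n/a' }

$account = "$env:USERDOMAIN\$env:USERNAME"
$subject = "External user ${Action}: $account on $env:COMPUTERNAME"
$body    = @(
    "Event:    $Action"
    "Account:  $account"
    "Server:   $env:COMPUTERNAME"
    "Session:  $session"
    "Client:   $client"
    "Time:     $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')"
) -join "`r`n"

try {
    Send-MailMessage -SmtpServer $smtpServer -From $from -To $to `
        -Subject $subject -Body $body -ErrorAction Stop
}
catch {
    # A mail failure must not block the logon; keep a local trace instead.
    $line = "$(Get-Date -Format s) $Action alert for $account failed: $($_.Exception.Message)"
    Add-Content -Path (Join-Path $env:TEMP 'logon-alert-errors.log') -Value $line
}
```

Because the script runs as the logging-on user, that user can read and interfere with it, so treat the e-mail as a convenience alert alongside the server's own logon audit events.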


Power usage of hard drives

I’ve been trying to decide between putting 16 300GB disks into a server, or 8 600GB disks. The cost of the former is a little more, but those extra spindles result in double the IOPS. I was wondering if the cost of powering them would influence me.

A quick Google indicates that SFF SAS disks consume about 39kWh per year when idle, and a little more when busy. So let’s call it 45kWh. Electricity is currently around 12 pence per kWh. So that works out at £5.40 per year per disk. So an extra eight disks in my bigger array would cost an extra £43.20 per year, or around £250 over the six year life-cycle of the server. This is not enough to influence me either way.

The other issue with lots of spindles is that it increases the probability that your RAID 10 array will fail as a result of two mirrored disks failing at the same time.

Using Group Policy to set the logon picture

My previous post described how to set a default background picture for the Windows logon screen. It turns out this didn’t look so good – the picture interfered with the logon field and text.

So it was decided to set the background to a plain colour, and have a custom logon picture, and use what was the background picture as the logon picture instead.

To do this, we need to create a 128×128 pixel bitmap, and use group policy to copy this to location %ProgramData%\Microsoft\Default Account Pictures. Within this directory there are actually two bitmaps – one for guest and one for standard. I replaced both with my custom bitmap.

Finally, you need to force users to use this one, and not change it with their own custom one.

This is set in Computer Configuration > Administrative Templates > Control Panel > User Accounts by enabling ‘Apply the default user logon picture to all users’.