security.crudtastic.com

Security Nerd Stuff

Browsing Posts published in July, 2009

This is more for me than anyone else .. but I’m sure someone will find this useful.

I’ve just had the requirement to create a collection in Microsoft SCCM that excludes the members of a pre-existing collection. Although it is a fairly straightforward task, trying to get the correct query to do it was a pain (lack of support in the office). Note that collection queries are written in SCCM’s WQL, not T-SQL against the site database, so SQL you find elsewhere does not paste straight in. So after a bit of googling and a bit of testing I created the following query that did the job.

First, the setup

  1. Check the properties of the existing collection that you want to EXCLUDE. There should be a collection ID that looks something like SMS000ES (where SMS is the site code and 000ES is the ID)
  2. Create a new collection and choose to “Edit Query Statement”
  3. Select the Criteria tab in the “Edit Query Statement” window and choose “Show Query Language”
  4. Paste the following into the Query Statement window (do not wrap the whole statement in quotes; the only quotes belong around the string literal)

select SMS_R_System.ResourceID, SMS_R_System.ResourceType, SMS_R_System.Name,
  SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup,
  SMS_R_System.Client
from SMS_R_System
where SMS_R_System.OperatingSystemNameandVersion = "Microsoft Windows NT Workstation 5.1"
  and SMS_R_System.Client = 1
  and SMS_R_System.ClientType = 1
  and SMS_R_System.ResourceId not in (select ResourceID from SMS_CM_RES_COLL_CP20001E)

!!Remember to change CP20001E to the collection ID you got in step 1, so the class name reads SMS_CM_RES_COLL_<your collection ID>. SMS_CM_RES_COLL_ followed by a collection ID is the membership class the SMS Provider exposes for every collection, and the `not in` subselect against it is the part that does the excluding. The first three conditions (Windows XP, client installed, client type 1) are just the criteria for my collection; change or drop them to suit yours.

Update the membership of the newly created collection and refresh the console view to ensure the machines you wanted to exclude have in fact been excluded. If a machine shows up in both collections, the subselect is pointing at the wrong collection ID.

That’s basically it. You can do a similar thing with Active Directory OUs by putting a subselect on SMS_R_System.SystemOUName in place of the collection class.
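As an added example (not code from the original post), the same exclusion query run from PowerShell against the SMS Provider, followed by a membership refresh and a check that nothing from the excluded collection leaked into the new one. The site server name, site code and the new collection’s ID are assumptions; the query text is the one from the steps above, with the membership class name built from the collection ID.

```powershell
# Added example, not from the original post: preview the "exclude a collection" WQL
# against the SMS Provider, refresh the new collection and verify the exclusion.
# Everything in this first block is an assumption to change for your site:
$SiteServer    = 'sccm01'     # assumed SMS Provider / site server name
$SiteCode      = 'SMS'        # assumed site code (first three characters of the collection ID)
$ExcludeCollID = 'SMS000ES'   # collection from step 1 whose members must be excluded
$NewCollID     = 'SMS000F1'   # assumed ID of the collection created in step 2
$Namespace     = "root\sms\site_$SiteCode"

# The query from the post. SMS_CM_RES_COLL_<CollectionID> is the per-collection
# membership class the provider exposes, so the class name is built from the ID.
# The SMS Provider (not plain WMI) evaluates the subselect, so this must be run
# against root\sms\site_<code>, exactly as the console does.
$Wql = @"
select SMS_R_System.ResourceID, SMS_R_System.Name
from SMS_R_System
where SMS_R_System.OperatingSystemNameandVersion = "Microsoft Windows NT Workstation 5.1"
  and SMS_R_System.Client = 1
  and SMS_R_System.ClientType = 1
  and SMS_R_System.ResourceId not in (select ResourceID from SMS_CM_RES_COLL_$ExcludeCollID)
"@
# To exclude an AD OU instead of a collection, swap the subselect for
#   (select ResourceID from SMS_R_System where SystemOUName = "CONTOSO.COM/SERVERS")
# (OU name is an assumption).

# 1. Preview what the query returns before trusting a collection to it.
$Preview = @(Get-WmiObject -ComputerName $SiteServer -Namespace $Namespace -Query $Wql)
"Query returns {0} resource(s)" -f $Preview.Count

# 2. Ask the site to re-evaluate the new collection's membership. This is
#    asynchronous: wait for the collection's LastRefreshTime to advance before
#    running the check in step 3.
$NewColl = Get-WmiObject -ComputerName $SiteServer -Namespace $Namespace `
    -Class SMS_Collection -Filter "CollectionID='$NewCollID'"
[void]$NewColl.RequestRefresh($false)

# 3. Cross-check: no ResourceID may appear in both collections.
function Get-CollectionMembers([string]$CollectionID) {
    Get-WmiObject -ComputerName $SiteServer -Namespace $Namespace `
        -Class SMS_FullCollectionMembership -Filter "CollectionID='$CollectionID'" |
        ForEach-Object { $_.ResourceID }
}
$Excluded   = @(Get-CollectionMembers $ExcludeCollID)
$NewMembers = @(Get-CollectionMembers $NewCollID)
$Leaked     = @($NewMembers | Where-Object { $Excluded -contains $_ })

if ($Leaked.Count -gt 0) {
    "FAIL: {0} resource(s) from {1} are still in {2}: {3}" -f $Leaked.Count, $ExcludeCollID, $NewCollID, ($Leaked -join ', ')
} else {
    "OK: {0} has {1} member(s), none of them in {2}" -f $NewCollID, $NewMembers.Count, $ExcludeCollID
}
```

Step 1 is worth running on its own whenever you edit the query: if the `not in` subselect names a collection ID that does not exist, the provider errors out rather than silently returning everything, which is exactly the failure you want to see in a console window instead of in a collection that has just been targeted by an advertisement.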

Hope that helps someone else as well.

SANS CIP CANBERRA 2009

SANS Institute is pleased to announce SANS Critical Infrastructure Protection at Oceania CACS 2009 from 10-11 September 2009.

Full details for the SANS event can be found at http://www.sans.org/canberra09_2/. An overview of the entire ISACA CACS 2009 event can be found at http://www.isaca-canberra.org.au/CACS2009

The critical infrastructure of a nation is the system of highly complex and interdependent physical and cyber-based assets essential to the minimum operations of a nation’s economy and government. It includes, but is not limited to, communications, energy, banking and finance, transportation, water supply, and emergency services. It could be owned and operated by the government or the private sector, or both. Much of our nation’s critical infrastructure has historically been physically and logically separated; they were systems that had little interdependence. But as a result of advances in information technology over the past several decades and the necessity of improved efficiency, these systems and assets have become increasingly automated and interlinked. Unfortunately these same advances have created new vulnerabilities to equipment failure, human error, weather and other natural causes, and physical and cyber attacks. Addressing these vulnerabilities requires flexible and evolutionary approaches that span both the public and private sectors and protect both domestic and international security.

Because of imbalances in military strengths, our future enemies – including nations, groups, or individuals – may seek to harm us in non-traditional ways, including attacks within our country against our critical infrastructure. Because our economy is increasingly reliant upon interdependent and cyber-supported infrastructures, non-traditional attacks on our infrastructure and information systems may be capable of significantly harming both our military power and our economy. This new threat is visible in the terrorist attacks on the World Trade Center in 1993 and 2001, Timothy McVeigh’s truck bomb attack on the Alfred P. Murrah Federal Building in Oklahoma City in 1995, natural events (such as category 5 hurricanes), and growing numbers of cyber espionage attacks against the military, civil government, and the private sector.

This course begins by examining in depth the events of the past 20 years, including the lessons learned about the interdependencies of the critical infrastructures following the Oklahoma City bombing and the terrorist attacks against the World Trade Center and what we learned in the aftermath of hurricanes Katrina and Rita in the summer of 2005. While there are many cross-sector interdependencies to consider, we will focus on the dependence of the various infrastructure sectors on the Internet and the impact of highly complex computer controlled systems. We will also discuss the creation of the Department of Homeland Security and its role in protecting the nation’s critical infrastructures from cyber intrusions.

Authored and presented by one of the nation’s leading experts on critical infrastructure protection and cyber warfare, you will receive detailed explanations of specific pervasive Internet technical problems and conduct in-depth examinations of the types of attacks that might do the most harm to your organization and your infrastructure sector. We will take a comprehensive look at the current Internet governance model, and you will learn how to develop business continuity and disaster recovery plans to counter current cyber threats and threat actors that take advantage of this model. You will also gain knowledge about the new directions being taken by criminals, terrorists, spies, and nation states and what our nation is planning to do for the defense of our critical infrastructure against these new threats. Finally, you will learn how to protect your networks from the dangers lurking in cyberspace while developing a full understanding of emerging techniques used to detect and contain outbreaks of malicious activity on the Internet.

This class is designed to give the student a full examination of the scope of critical infrastructure vulnerabilities, the dependence of critical infrastructures on the Internet, and Internet security problems. No laptop is required, but the subject material requires at least a working knowledge of computer networks and business decision making. The ideal student is a manager, supervisor, senior engineer, or other professional with a strong working knowledge of plant operations or a government official with responsibilities for CIP policy development wanting to learn more about the interdependence of critical infrastructures and the dangers posed by the global Internet.

Register now to ensure you don’t miss out on this event – http://www.sans.org/canberra09_2/register.php

Shearwater Solutions and SANS Institute are pleased to once again bring four outstanding courses to SANS Sydney 2009, 9-14 November. Enhance your skills by taking advantage of this hands-on training loaded with practical tools and cutting-edge information covering Security Essentials, Network Penetration Testing, and Web App Pen Testing.

Choose from the following 6-day, hands-on, immersion security and pen testing courses:

Reserve your seat by 30 September, 2009, and save $350 on tuition fees. You’ll see why SANS is the most trusted source in computer security training, certification, and research.

Well, another SANS event has come to an end. This one was personally my favourite SANS event to date. This year I got chosen to help facilitate the SEC504 – Hacker Techniques, Exploits & Incident Handling track with John Strand (see pauldotcom.com). As usual the weather was cold, the days were packed, and the courses were awesome. A bit of an unexpected highlight this year was the food .. definitely a step up from last year (wish I could say the same for the Crowne)!

The full line-up of courses was

* SEC401: SANS Security Essentials Bootcamp Style – Mark Hofman
* SEC504: Hacker Techniques, Exploits & Incident Handling – John Strand
* SEC560: Network Penetration Testing and Ethical Hacking – Bryce Galbraith
* SEC508: Computer Forensics, Investigation & Response – Chad Tilbury

I heard really good reports from all classes (both staff and students).

As for the SEC504 class .. well, John Strand is an absolutely great guy. I think he must have covered more distance than any other instructor at the Canberra event. He can’t stand still and loves to just walk amongst all the students while he’s teaching (I like that style .. it kind of keeps you concentrating while he’s moving about), or maybe he just has a mild case of A.D.D. Having done Security Essentials last year, this course was really the one I wanted. There is some seriously useful (if not scary) information that gets taught and demonstrated during the class. Knowing this information will make you look at your entire infrastructure in a totally different manner, which will hopefully help you detect and react better to intrusion attempts.

Of course, to defend against a hacker, you have to think like a hacker, and this course shows you how to do some basic “hacking”. This all culminates in the day 6 capture the flag hacking challenge. The goal of this challenge is to compromise 4 machines, grabbing 4 different files (or flags) and putting that information together to solve a final challenge. The class all did extremely well in this challenge with the bulk of students obtaining 3 of the 4 flags.

A full overview of the course is available here

I personally cannot recommend SANS courses highly enough. I have obtained many security certifications during my career, and the SANS/GIAC certs are by far the most useful and practical certs out there!

A quick heads up .. SANS are coming to Sydney on the 9-14th of November. If you can get along, I strongly recommend you do so. More info can be found at http://www.sans.org/sydney09/

You never know when this will come in handy .. so I’ll drop it here for future reference (quite possibly only mine). Here’s a list of Windows Server 2008 and Vista Event IDs (after the break).


It seems some people are having issues finding netcat for Windows (I seem to have found it pretty easily).

Anyway .. for those of you that are having issues you can get it from here http://security.crudtastic.com/nc111nt.zip

I won’t bother with a tutorial for it; there are plenty of them around. Enjoy!

Well, it’s day 4 of SANS Canberra .. I’m doing SEC504 – Hacker Techniques, Exploits, and Incident Handling. All I can say is WOW!

John Strand (check out www.pauldotcom.com) is taking the class .. he’s an awesome guy with some great stories (and he’s pretty smart too)!

I must say that the course is making me look at a lot of things differently .. and I’m pretty sure (from what I’ve seen) that most corporate networks would be compromised in one way or another (even mine), in fact, I’d be surprised if my computers at home aren’t shady in one way or another!

Anyway .. enough rambling. Once I get back home after the course, I’ll do a write-up on here. My one regret was missing the bootcamp tonight, where they made a malicious U3 USB stick that launched Metasploit as soon as it was inserted.