Friday, April 29, 2011

About EnableSuToRoot registry key for SUA

User Account Control is enabled by default. When User Account Control is enabled, any application or task that impersonates another user who is a member of the Administrators group (by using the su, cron, or login utilities, setuid, any of the setuid or exec_asuser family of calls, as examples) always runs in the security context of a standard user account.
Note
When an application impersonates a standard user, it will have the complete security context of a standard user. For more information about standard users, see the Microsoft Web site topic "Developer Best Practices and Guidelines for Applications in a Least Privileged Environment," Introduction section (http://go.microsoft.com/fwlink/?LinkId=70243).
With default settings, an application cannot impersonate the root user. You can control this behavior by modifying the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SUA\EnableSuToRoot.



How to modify the EnableSuToRoot registry key



Important
The Administrator account is disabled by default in Windows 7 and Windows Server 2008 R2 to help protect computers and data from access by unauthorized or malicious users, and it must be enabled for users to impersonate the root user or Administrator. Because the Administrator account must first be enabled to change the setting of the EnableSuToRoot registry key, the procedure to complete this task immediately follows. You must be a member of the Administrators group on the local computer to complete the following procedure.

To enable the Administrator account

  1. Click Start, right-click Computer, and then click Manage.
  2. In the hierarchy pane of the Computer Management snap-in, open Local Users and Groups.
  3. Select Users.
  4. In the results pane, right-click Administrator, and then click Properties.
  5. Clear the check box for the Account is disabled option.
  6. Click OK.
  7. Close the Properties window, and then close the Computer Management snap-in.
Perform the following steps to change the setting of the EnableSuToRoot registry key after you install Subsystem for UNIX-based Applications.

To change the setting of the EnableSuToRoot registry key

  1. Click Start, click in the Start Search text box, and type regedit to open Registry Editor.
  2. In the hierarchy pane, open HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SUA.
  3. In the results pane, double-click EnableSuToRoot.
  4. In the Value data box, enter 0 to disallow impersonation of the root user, or 1 to allow it.
    The default setting is 0.
  5. Click OK.
  6. Close Registry Editor; if prompted, save your changes.

When the value of this key is set to 0 (the default setting), impersonation of the root user is disallowed. When the value is set to 1, impersonation of the root user is allowed. When an application impersonates the root user or Administrator account, the application has the administrative security context of the root (Administrator) user.

Setuid and Administrative Privilege


If users who are members of the Administrators group attempt to mark applications with the setuid attribute, they would succeed only if they are allowed to run applications and perform tasks in an administrative security context.
The following is an example of how to mark the binary file /bin/regpwd, which is typically marked with the setuid attribute:
  1. Open a Korn shell (ksh) with elevated privilege as described in this topic.

  2. Type chmod +s /bin/regpwd and then press ENTER.

  3. Type exit to close the ksh session.

Modify the number of connections

Better to modify in order to allow other connection and virtualization of other machines as:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\Connections\MaxNumFilters

Tuesday, April 26, 2011

About Text Editors

Graphical Vim

Download and install from their site.

Notepad++

Download and install from their site.
set NOTEPADPP_PATH=D:\Program Files (x86)\Notepad++\notepad++.exe
set %PATH%=%NOTEPADPP_PATH%;%PATH%

7Edit (HL7 editor)

Download and install it from their site.

UltraEdit

Download and install from their site.

HexEdit

Download and install from their site.

DanSharp-XmlViewer

Download and install from their site.

DanSharp-XmlViewer

Download and install from their site.

XmlCopyEditor

Download and install from their site.

XmlNotepad

Download and install from their site.

YAML for .NET

Download and install from their site.

About Code Comparison

Code Compare 2

Download and install it from the site.

P4 Merge

Please refer to http://www.perforce.com/perforce/products/merge.html

KDiff 3

Download and install from their site.

About Time Tracker

Grindstone 2

You may try to download and install it from their site.

Wednesday, April 20, 2011

About Windows Services for UNIX SFU or Subsystem for UNIX-based Applications SUA

Windows Subsystem for UNIX-based Applications

It runs on Windows 2000, 2000 Service Pack 3, 2000 Service Pack 4, Server 2003 & Windows XP.
Download from its site.
When installed on C:\ it creates automatically the following environment variables:
set INTERIX_ROOT_WIN=C:\SFU\
set SFUDIR=C:\SFU\
set INTERIX_ROOT=/dev/fs/C/SFU/
set OPENNT_ROOT=/dev/fs/C/SFU/
set SFUDIR_INTERIX=/dev/fs/C/SFU/
set LD_LIBRARY_PATH=/usr/lib:/usr/X11R6/lib
set XAPPLRESDIR=/usr/X11R6/lib/X11/app-defaults
set XCMSDB=/usr/X11R6/lib/X11/Xcms.txt
set XKEYSYMDB=/usr/X11R6/lib/X11/XKeysymDB
set XNLSPATH=/usr/X11R6/lib/X11/locale

Tuesday, April 19, 2011

About Case sensitivity & security for SUA Programs

When installing Utilities and SDK for Subsystem for UNIX-based Applications, you might want to choose whether to change the default behavior of object names such as file names to being case sensitive. The choice you make will affect system security as well as how Subsystem for UNIX-based Applications functions.
In Windows, the names of most objects (such as files and directories) are case preserving, but case insensitive. That means you can use uppercase and lowercase characters when naming such objects, but Windows does not distinguish between names based on case alone. For example, you cannot have two files in the same directory named sample.txt and Sample.txt because Windows regards the names to be identical for the purposes of identifying files. The UNIX operating system, on the other hand, is fully case sensitive, and so UNIX computers distinguish between object names when the only difference between those names is the case of characters used in the object names. On most UNIX computers, therefore, sample.txt and Sample.txt could appear in the same directory, and the UNIX computer would distinguish between them when performing operations on the files. For example, the command rm S*.txt would delete Sample.txt but not sample.txt.
In order to implement typical UNIX behavior, the SUA subsystem is normally case sensitive when working with file names. This can present security issues, particularly for Windows users who are accustomed to the case-insensitive conventions of Windows. For example, a Trojan horse version of edit.exe named EDIT.EXE could be stored in the same directory as edit.exe. If a user were to type edit at a Windows command prompt, the Trojan horse version (EDIT.EXE) could be executed instead of the standard version. If case sensitivity is enabled, Windows users should be made aware of this possibility.
In Windows Server 2003, the default behavior of subsystems other than the Win32 subsystem is to be case preserving but case insensitive; in previous versions of Windows, such subsystems were fully case sensitive by default. In order to support standard UNIX behavior, you have to do the following to enable Case sensitivity.
Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
To enable Case-Sensitivity:
    click Start -> Run. type regedit.
    traverse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel
    Double Click on obcaseinsensitive -> Set the value to 0.
To disable Case-Sensitivity:
    click Start -> Run. type regedit.
    traverse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel
    Double Click on obcaseinsensitive -> Set the value to 1.
 Notes:
  •     you need administrator privileges to do this.
  •     You will have to restart the machine for this setting to take effect.

About setuid behavior for (chown & chmod) SUA programs

According to the POSIX standard, a file has permissions that include bits to set a UID (setuid) and set a GID (setgid) when the file is executed. If either or both bits are set on a file, and a process executes that file, the process gains the UID or GID of the file. When used carefully, this mechanism allows a nonprivileged user to execute programs that run with the higher privileges of the file's owner or group. When used incorrectly, however, this can present security risks by allowing nonprivileged users to perform actions that should only be performed by an administrator. For this reason, Utilities and SDK for Subsystem for UNIX-based Applications Setup does not enable support for this mechanism by default.
You should enable support for setuid behavior only if you are sure you will be running programs that require support for this behavior. Even if you do not enable support for setuid behavior when installing Utilities and SDK for Subsystem for UNIX-based Applications, you can enable it later.
Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
To enable Setuid:
    click Start -> Run. type regedit.
    traverse to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SUA
    Double Click on EnableSetuidBinaries -> Set the value to 1.
To disable Setuid:
    click Start -> Run. type regedit.
    traverse to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SUA
    Double Click on EnableSetuidBinaries -> Set the value to 0.
Notes:
  •     you need administrator privileges to do this.
  •     You will have to restart the machine for this setting to take effect.
  •     This is deprecated for the current release, since this has a security impact.

About Console2

Installation

Refer to their web site.

Environment Variables

You can add to PATH the installation path using CONSOLE_PATH:
set CONSOLE_PATH=D:\Console2\

About EverNote

Installation

Refer to their web site.

iOS

Just install from AppStore.

Sunday, April 10, 2011

About DropBox

Installation

Read, download and install from their site.

Environment Variables

Under non Windows:
export DROPBOXDRIVE=$HOME/Dropbox


Under Windows and Cygwin:
set DROPBOXDRIVE=%HOME%\Dropbox

iOS

Just install from AppStore.

Linux

Under Fedora, optimize Dropbox you need gtk, glib, nautilus & libnotify:
&] rpm -qa | grep gtk ; yum list | grep gtk #install if is not present
&] rpm -qa | grep glib ; yum list | grep glib #install if is not present
&] rpm -qa | grep nautilus ; yum list | grep nautilus #install if is not present
&] rpm -qa | grep libnotify ; yum list | grep libnotify #install if is not present
&] wget  https://www.dropbox.com/download?dl=packages/nautilus-dropbox-0.6.2-1.fedora.i386.rpm
&] sudo rpm -i nautilus-dropbox-0.6.2-1.fedora.i386.rpm



Under Ubuntu/Kubuntu/Debian, optimize with Dropbox you need gtk, glib, nautilus & libnotify.

Windows and Cygwin

Just install the auto-installer.

Friday, April 8, 2011

About Security

Anti-theft security

I found a good solution for laptops called PreyProject.

Hard Drive Security

I have found a good solution for Hard Drives called BitLocker.

Sunday, April 3, 2011

About Python

On Windows

Always read the open source project site.
Use the following environment variables:
PYTHONHASHSEED=random
PYTHONHOME=C:\Python27
PYTHONIOENCODING=utf-8
PYTHONPATH=C:\Python27\Lib;C:\Python27\DLLs;C:\Python27\Lib\lib-tk
PYTHONWARNINGS=default
PYTHONY2K=True

HTMLCode

HTMLCode Content