SSL Version 2 (v2) Protocol Detection
 
Synopsis :
 
The remote service encrypts traffic using a protocol with known
weaknesses.
 
Description :
 
The remote service accepts connections encrypted using SSL 2.0, which
reportedly suffers from several cryptographic flaws and has been
deprecated for several years. An attacker may be able to exploit
these issues to conduct man-in-the-middle attacks or decrypt
communications between the affected service and clients.
 
See also :
 
http://www.schneier.com/paper-ssl.pdf
http://support.microsoft.com/kb/187498
http://www.linux4beginners.info/node/disable-sslv2
 
Solution :
 
Consult the application's documentation to disable SSL 2.0 and use SSL
3.0 or TLS 1.0 instead.
 
Risk factor :
 
Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
 
Nessus ID : 20007
----------------------------------------------------------
SSL Medium Strength Cipher Suites Supported
 
Synopsis :
 
The remote service supports the use of medium strength SSL ciphers.
 
Description :
 
The remote host supports the use of SSL ciphers that offer medium
strength encryption, which we currently regard as those with key
lengths at least 56 bits and less than 112 bits.
 
Note: This is considerably easier to exploit if the attacker is on the
same physical network.
 
Solution :
 
Reconfigure the affected application if possible to avoid use of
medium strength ciphers.
 
Risk factor :
 
Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
 
Plugin output :
 
Here are the medium strength SSL ciphers supported by the remote server :
 
Medium Strength Ciphers (>= 56-bit and < 112-bit key)
SSLv2
DES-CBC-MD5 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5
SSLv3
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
TLSv1
EXP1024-DES-CBC-SHA Kx=RSA(1024) Au=RSA Enc=DES(56) Mac=SHA1 export
EXP1024-RC4-SHA Kx=RSA(1024) Au=RSA Enc=RC4(56) Mac=SHA1 export
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
 
The fields above are :
 
{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}
 
Nessus ID : 42873
--------------------------------------------------------------------
SSL Weak Cipher Suites Supported
 
Synopsis :
 
The remote service supports the use of weak SSL ciphers.
 
Description :
 
The remote host supports the use of SSL ciphers that offer either weak
encryption or no encryption at all.
 
Note: This is considerably easier to exploit if the attacker is on the
same physical network.
 
See also :
 
http://www.openssl.org/docs/apps/ciphers.html
 
Solution :
 
Reconfigure the affected application if possible to avoid use of weak
ciphers.
 
Risk factor :
 
Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
 
Plugin output :
 
Here is the list of weak SSL ciphers supported by the remote server :
 
Low Strength Ciphers (< 56-bit key)
SSLv2
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
SSLv3
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
TLSv1
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
 
The fields above are :
 
{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}
 
Other references : CWE:327, CWE:326, CWE:753, CWE:803, CWE:720
 
Nessus ID : 26928
-----------------------------------------------------------------

These three error messages pretty much mean that you need to turn off SSL 2.0 due to exploits that were found after the standard was created. You need to turn off any encryption suites lower than 128bits. The third error message says we need to turn off anything for less than 56bits, but this will be accomplished by turning of anything less than 128bits. Basically your are modifying the settings that restrict the use of specific protocols and ciphers that are used by the schannel.dll. More detailed information can be found at Micorsoft’s KB187498 or KB245030

How do we do this?

Disabling SSL 2.0 on IIS 6

1. Open up “regedit” from the command line
2. Browse to the following key:
   HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server
3. Create a new REG_DWORD called “Enabled” and set the value to 0
4. You will need to restart the computer for this change to take effect. (you can wait on this if you also need to disable the ciphers)

Disable unsecure encryption ciphers less than 128bit

1. Open up “regedit” from the command line
2. Browse to the following key:
   HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56
3. Create a new REG_DWORD called “Enabled” and set the value to 0
4. Browse to the following key:
   HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128
5. Create a new REG_DWORD called “Enabled” and set the value to 0
6. Browse to the following key:
   HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128
7. Create a new REG_DWORD called “Enabled” and set the value to 0
8. Browse to the following key:
   HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128
9. Create a new REG_DWORD called “Enabled” and set the value to 0
10. You will need to restart the computer for this change to take effect.

How to verify the changes?

Now that you have made these changes how can you be sure that they have taken place without having to go to your boss or higher authority just to find that you did them wrong. Well I found a nice tool called SSL-SCAN which you can download at http://code.google.com/p/sslscan-win/ for the Windows port or you can download an compile for your favorite operating system at the original project SSL-SCAN site http://sourceforge.net/projects/sslscan/. This tool provides some great detail about what is allows and not allows plus some analysis of the SSL certificate itself.

Below the screen shot shows that we have disabled any ciphers that attempt to use the SSL 2.0 protocol and we’ve disabled all ciphers that less than 128bit.

phpMyAdmin Export Config

• Change the export type to SQL
• Under Options – Uncheck Comments, Change the SQL compatibility mode to MSSQL
• Under Structure – Uncheck Add IF NOT EXISTS, ADD AUTO_INCREMENT value, Enclose table and field names with backquotes
• Under Data – Uncheck Extended inserts

These options will ensure that the INSERT lines will be valid when importing.

Data Structure / Table Definitions
phpMyAdmin does not intemperate data definitions to be compatible. So you have to options here, use Microsoft Management Studio to create your tables or modify the SQL script to be compatible. Here are is an example of a definition that I fixed and what I did.

• ID Field is AUTO_INCREMENT in MySQL, for MSSQL use “IDENTITY(1,1)PRIMARY KEY”
• INT does not allow specificaton of lenght, remove these entries “(11)” after each INT
• DATE is not a valid datatype for MSSQL, replace with DATETIME
• Any Data Field name that is also a Keyword for MSSQL needs to be Double Quoted
• Remove ANY comments from the phpMyAdmin export, even if you didn’t check this there still maybe some in there. Be sure to check the end of the file for them.

For other datatype issues you may need to consult – http://webcoder.info/reference/MSSQLDataTypes.html and check to see if it is even a valid data type. Most datatype errors are easily resolved by Googling the error that is returned.

Data Insertion
If you have used phpMyAdmin export specifications from earlier in this article your data should mostly script in just fine. However, you may need to encase any of your Data Field names with double quote if the word is also a keyword. For example I have used the word Procedure which requires double quote or MSSQL thinks you are calling a stored procedure. To do this I would suggest a program called TextPad that not only does really fast replacements and can do it across multiple files but also is able to handle a few hundred megabyte text file with ease.

If you are using an AUTO_INCREMENT field you will need to add “SET IDENTITY_INSERT field_name ON;” line in before inserting any entry that tries to set that field to a specific value. This happens when your AUTO_INCREMENT ID field has already been created from MySQL. If you don’t do this you will receive an error of “Cannot insert explicit value for identity column in table ‘field_name’ when IDENTITY_INSERT is set to OFF.”

When doing bulk inserts you will be required to keep your single SQL file < 25 megabytes. Microsoft SQL Management Studio will prompt you with "The operation could not be complete. Not enough storage is available to complete this operation" or "System.OutOfMemoryException". To divide up these files I used a free program appropriately called TextWedge which was able to handle up to 100MB SQL files and easily divided them up. You may have to open SQL Studio, execute one 25MB SQL script then close and repeat depending on how much data you have to move.

I’m not sure how I got this little bug but it was one of the most stubborn apps that I had seen in quite a while. The hardest part about this is that it won’t let you download or execute applications that are used to remove it or identify what malware I had on my system. When I come across malware I typically go download MalwareBytes Anti-malware (MBAM) and run it and problem solved, however this time it wouldn’t download the application until I renamed it to just a generic “Setup.exe” and saved it. After it was installed I then was unable to execute it as “mbam.exe” I had to rename it to “notepad.exe” which then allowed me to execute it. Once I got it to run it removed some of the fake AV items, but after a few reboots and even safe mode the H8SRT Trojan was still on my computer. I did a bit of internet research and found out that Kaspersky has created a removal tool for TDSS.Rootkit which the H8SRT Rootkit is based. Once I downloaded and ran the Kaspersky tool: TDSSKiller, I follow up with another round of MBAM and now my system is clean.

Download TDSS Killer: http://support.kaspersky.com/downloads/utils/tdsskiller.zip
Kaspersky Documentation on TDSS Killer: http://support.kaspersky.com/viruses/solutions?qid=208280684
Kaspersky Free Virus Removal Tools: http://www.kaspersky.com/removaltools
Download MBAM: http://www.malwarebytes.org/mbam-download.php

So now the question becomes, how do you add permissions to a service?

Microsoft has an answer with a little known command line application called subinacl. This application allows you to view and edit security information for files, registry keys, and services. This can be handy if you are writing a script to change permissions on registry keys or files but the real power lies within the ability to edit the security information on services.

The syntax for subinacl: SUBINACL /SERVICE \\MachineName\ServiceName /GRANT=[DomainName\]UserName[=Access]

The Access parameter is broken down like this:

F : Full Control
R : Generic Read
W : Generic Write
X : Generic eXecute
L : Read controL
Q : Query Service Configuration
S : Query Service Status
E : Enumerate Dependent Services
C : Service Change Configuration
T : Start Service
O : Stop Service
P : Pause/Continue Service
I : Interrogate Service
U : Service User-Defined Control Commands

For my example I just needed to allow the Domain Users group access to run the OpenVPN service.

subinacl /service OpenVPN /GRANT=DOMAIN\Domain Users=TO

You may need to execute this from the folder where subinacl.exe is located. Also if it is running the command on a local system you can just type the name of the service and not the UNC path to the service.

Download subinacl.exe from Microsoft
For more information about this command please visit: http://support.microsoft.com/kb/288129

Now Scroll though this list of products and makes sure that any of the products you support has a check by it. If you have moved everyone off of the older version of the product you can uncheck it as well. I probably wouldn’t adjust anything in Classifications as the defaults here are relatively acceptable. Once finished press OK at the bottom.

Next we need to cleanup the server and remove any old updates. To do this from Options select Server Cleanup Wizard. Ensure that the options are correct and just click Next.

This should remove old updates from the database as well as updates that have been updated and clean up any computers that haven’t contacted the WSUS server in 30 days. It may take a few minutes to process depending on how large your WSUS database and update archive has grown to. It saved me about 20% when I adjust off Office 200 and a few other products we didn’t support and got rid of all of those updates that had been updated or not approved.

Enjoy a nice clean WSUS server!

1. Download the correct AHCI driver from support.dell.com website. The driver should be called “Intel Matrix Storage Manager (OS Pre-Install Driver Only)” or something close to that
2. Restart the PC and press F8 repeatedly to boot the computer to Safe Mode
3. Open up the device manager and locate the current SATA controller (Intel(r) ICH10 Family 4 port Serial ATA Storage Controller) it will probably show 2 of them
4. Right click on the first one and select Update Driver
5. When the wizard pops up select No, not this time > Install from a list or specific location (Advanced) > Don’t Search. I will choose the driver > Have Disk button
6. Browse to the Drivers you downloaded and select the file named iaStor.inf, now uncheck the Show compatible hardware
7. You should now be presented with a list of drivers, this is where trial and error comes in. You will need to select the correct driver for your chipset. Here is a list of what I have for the AHCI driver for each model.
      Dell Optiplex 960 – Intel(r) ICH10D/D0 SATA AHCI Controller
      Dell Optiplex 760 – Intel(r)ICH10D/D0 SATA AHCI Controller
      Dell Optiplex 755 – Intel(r) ICH8R/DO/DH SATA RAID Controller [This is using RAID 1]
      Dell Optiplex 755 – Intel(r) ICH9 SATA Controller [Non RAID Install]
8. Now apply the driver to the second SATA controller
9. Restart the computer, now enter the BIOS and change the SATA controller to AHCI mode
10. Let it boot into Windows normally, If it crashes or fails to boot to Windows upon restart, boot back to BIOS change it back to ATA mode, then press F8 to get the windows boot menu and select Last Known Good Configuration. This should get you back in to Windows normally. Now restart the process at step 2, this time trying a different driver at step 6 and 7
11. Done
]]> http://www.waynezim.com/2009/07/install-windows-xp-on-dell-optiplex-755-760-960-without-ahci-sata-driver/feed/ 21 http://www.waynezim.com/2009/07/how-to-use-wmi-filtering-to-improve-group-policy-administration/ http://www.waynezim.com/2009/07/how-to-use-wmi-filtering-to-improve-group-policy-administration/#comments Mon, 13 Jul 2009 20:05:30 +0000 Wayne Zimmerman http://www.waynezim.com/?p=415 Group policy is one of the most versatile and powerful ways to manage your workstations in your domain. However, using just basic Group Policy to object relationship links you can limit the customization that is possible with group policy. Today I will show you how to add WMI (Windows Management Interface) Filtering to your group policy. This will allow you to build a kind of rule, and allow you to pick and choose which workstations get the policy and which don’t. My goal today is to apply my group policy to only workstations that start with the name of shs-exam. This is basically all the workstations that reside in our exam rooms and I would like them to have a special set of settings, however I want them to co-exist in my Active Directory structure in the proper ‘departmental’ organizational units that I already have.
Requirements
• Group Policy Management Console (gpmc.msc)
• Preexisting Group Policy needing WMI filtering
• Understanding about WMI Information

Configuration

1. Open your Group Policy Management Console and browse to WMI Filters in your Domain.
2. Go ahead and Right Click on WMI Filters and select New
3. Give the WMI Filter a nice descriptive name and give more detailed text in the Description if needed.
4. To build your actual query for WMI you need to think of this as a question to ask the PC and if it returns any result then the Group Policy will be applied to it. The query I have built asks it to return name for the computer and if the name contains “SHS-EXAM” then it will return the name and get the group policy applied, if not then nothing happens and the group policy is skipped.



5. Add your WMI Query, mine is Select name from Win32_ComputerSystem WHERE NOT name LIKE “%SHS-EXAM%” This will basically select all computers that are not named “SHS-EXAM”
6. Now press Save
7. Now that we have successfully made the WMI Filter we need to apply it to the proper group policy, so go to your Group Policy Objects under your domain and select the one you wish to add the filter to.
8. The last section on the screen should be WMI Filtering, just drop down the list and select the WMI Filter you just made

Reference Material

• WQL (SQL for WMI) (Windows) – This is a great list of advanced operators and examples to get you close the the proper syntax
• HOWTO: Leverage Group Policies with WMI Filters – This article explains in detail how to create a WMI filter to determine the scope of a Group Policy based on computer attributes.
• Paessler WMI Tester – This tool can help you test your WMI queries before deploying them in Group Policy use. I use this tool all the time to help find information about a workstation.
• Microsoft Win32 Classes Reference – This is a Microsoft’s reference for all of the objects and events for WMI. You can use this to find that specific settings you need to filter on.
]]> http://www.waynezim.com/2009/07/how-to-use-wmi-filtering-to-improve-group-policy-administration/feed/ 1 http://www.waynezim.com/2009/07/how-to-slipstream-drivers-into-a-windows-installation-using-nlite/ http://www.waynezim.com/2009/07/how-to-slipstream-drivers-into-a-windows-installation-using-nlite/#comments Thu, 09 Jul 2009 18:11:47 +0000 Wayne Zimmerman http://www.waynezim.com/?p=366 Slipstreaming drivers in to your Windows installation can either make your Windows install super simple or just make it possible. Most modern SATA and RAID controllers need specific drivers for Windows to see and use the hard drive, and with most newer computers not having a floppy drive and most unable to use a USB attached one this leaves you to only option to add the correct driver to the CD using this slipstream technique. Besides adding hard drive controller drivers so you can install windows you can also add whatever other drivers you would typically install in Windows and put them in the install. Today I will be walking you though adding a RAID card driver to a Microsoft Windows 2003 Standard Edition installation.

Requirements
• Microsoft Windows OS CD (2000,XP,2003 / Any Flavor)
• nLite 1.4.9.1
• RAID or SATA Driver needing to be added to your Windows Installation
• Knowledge and Software to Burn an ISO image

Directions
Get the nLite software installed and fire it up, the software is pretty much a glorified wizard, but I will still take you step by step though it.

1. Select your language, I would suggest English in your case and press Next
      
2. Click Browse and use the Browse for Folders dialog box, now Select your CD-ROM drive that contains your Microsoft Windows CD, then click Next
         
3. Since you selected the CD in the first option, it should now Warn you and prompt you as to a Folder it can use to copy the files off the Windows CD and customize them in. I just made a folder in my Misc folder for this version of Windows
         
4. Now you should see a progress bar box, it is coping the files from the CD to the directory you selected so they can be customized. Once finished it should identify your OS, now press Next
         
5. This screen would allow you to import a previous set of nLite settings if you had used it before, however we haven’t so just Next though this window
      
6. Now you can see all the different areas that nLite can customize to make your installation go easier, however we are only interested in adding some drivers so we can actually install Windows so select Drivers and Bootable CD because we want to be able to boot to the CD and maybe burn it at a later date, then press Next
         
7. You will now be presented with the Drivers screen which will allow you to add drivers to your installation. To add a driver click on the Insert button. It should give you a small menu asking you to Select Single Driver or a Multiple Driver folder, for our use we just need to add the one Single Driver so select that.
         
8. It should prompt you to select the INF needed for the install, browse to where your driver is and select it.
      
9. Now it should identify what the driver is actually for and it asks you to select a mode. Regular PNP Driver should be used with devices that will be installed during the installation (network, video, sound), Textmode Drivers are loaded before the Windows installation starts, it is the equivalent of pressing F6 during the install and pointing to a floppy disk for the driver. This is mostly used for hard drive controllers, because Windows needs to know how to use the hard drive before it can install anything to it. Once you have selected the correct mode press OK
      
10. If you need to add more drivers just repeat the last three steps of the process, we only need the one driver to see our new RAID controller so we will press Next and move on.
       
11. Since this was the only part of Installation we were customizing it now asks if we want to start the process of applying the changes, go ahead and press Yes. It will next present you with a quick little status screen about it integrating the drivers and provide you with a little summary. Once it has completed press Next
             
12. Now it will provide you with a screen to Burn to a CD or Create an image, for this example we will create an image, this way I don’t have to repeat this process next time I want this driver on this CD. Go ahead and customize the label, this can help you remember what you added to this customized Windows installation, just leave the rest to default and click Make ISO, it will then prompt you as to where to save the CD/ISO image, once you have found a good location (I typically have a CD Images folder on my C: drive) then press Save
             
13. You should now be presented a progress bar box of it saving the ISO file to your Hard Drive. Once finished it should show you that it was created successfully. now you can press Next and Finish to close the nLite program.
          
14. The last step is a bit more independent of your setup, but run your favorite CD burning program and select Burn Image and direct it to the ISO image you just saved. This will create a bootable customized Windows CD that you can use to install your system
]]> http://www.waynezim.com/2009/07/how-to-slipstream-drivers-into-a-windows-installation-using-nlite/feed/ 4 http://www.waynezim.com/2009/06/how-to-clone-disk-images-using-g4l-in-a-windows-environment/ http://www.waynezim.com/2009/06/how-to-clone-disk-images-using-g4l-in-a-windows-environment/#comments Tue, 30 Jun 2009 21:04:42 +0000 Wayne Zimmerman http://www.waynezim.com/?p=65 There are millions of workstations out in the world and I’m sure you have deployed your fair share of them. I recently received 25 brand new Dell Optiplex 760s to replace our GX270s that are getting close to the six year mark. I thought I would take this chance to document the process and share it.

Hardware Considerations
For the imaging process to work well you need PCs that have the same hardware, this makes it very simple to make an image for one PC and use it over and over again and get the same result every time. You can build an image on one model of PC then load it on a different one but it will most likely be missing drivers, but then if you load drivers and make a new image it will now support both types of computers. This won’t always work but it has with similar hardware like Dell Optiplex 740 / 745 / 755 / 760. I typically just have one type of image for each type of computer that I have, which just makes things simple.

Prerequisites
Before getting to far into this you will need to download and install an FTP server. You can put this on just about any workstation but keep in mind you will have to store disk images and it will be busy doing transfers when you are imaging PCs so you may want to make it a box that doesn’t do much. For an FTP server I would have to suggest Filezilla FTP Server, it runs on Windows fast, free and open source. For imaging software you will need to download the latest version of G4L or Ghost for Linux, you will need to burn the ISO image to a CD and use this a boot CD to backup or restore an image. Don’t let the Linux scare you, it has an easy to use menu that can allow anyone to image PCs.

Load PC to User Ready
Now that you have your batch of PCs, go ahead and load one up. Be sure to install software suites like Microsoft Office and any other utilities that may be necessary for you environment. You can join it to a domain however keep in mind it isn’t a good idea to join it to a domain then join it to a different domain depending on the settings you have, they may conflict.

Prepping a Windows Based Image for G4L
Once you have your PC happy with all the settings and software installed, start the clean up process. Go remove all Temporary Internet Files and History by going to Start > Control Panel > Internet Options, on the General Tab under Browsing history, click on the Delete… button, then Delete all.. at the bottom of the dialog box and confirm Yes. This will remove any browsing that you may have done while setting up the computer and loading drivers. Next, go to My Computer, right click on Local Disk (C:) go to Properties. Now on the General Tab, click on Disk Cleanup. Check all the items except Compress Old Files. Next go to the More Options tab and locate the System Restore Section and click on Clean Up and confirm the dialog box. This will remove any System Restore points that you don’t need and should free up some disk space. Press OK at the bottom and it should Clean Up the disk. Next do a defragmentation of the drive. You certainly don’t wanna be passing out new PCs with slow fragmented drives. You can just use the standard windows utility for that, since there shouldn’t be that much to fix. After that completes, you need to wipe the free space, the best tool that I have found for this is called Disk Redactor. Don’t let the cheezy website fool you, this is a good free tool that makes the free space empty. This is key because you don’t wanna backup an entire disk full of free space that has junk in it. It will make your disk image much larger than it needs to be. This part takes a while (depending on the size of your drive) so go find a nice cold beverage so you can be refreshed when it finishes. Once this finishes, Uninstall it, I can recall several times I have made images and accidentally left it installed. Trust me you don’t want your users calling you about it. Now it is Sysprep time, although sysprep is very powerful and can automate the windows setup, that is not the route we are going today. Simple always seems to be key for me. To install sysprep extract the sysprep version to C:\sysprep inside of there run sysprep.exe. I will warn you about SIDs and then give you some options. Click use mini-setup and click Reseal. Once the utility completes it will shutdown the PC.

Backing up an Image Using G4L
Power on the PC and insert the G4L CD and boot to it, either though a change in the bios or most Dell computers you can press F12 and get a boot menu. Once it has booted to CD you should receive a screen asking for which kernel just select the one that is highlighted by default. It should load two files then go in to awesome Linux boot script mode in which it detects the hardware just wait for this to finish. You should next receive some information about this project and the people behind it, just next on though it. A little more detection for network stuff and finally you should be presented with the G4L command line. Simply type G4L this will ask a few more things. Now, select Yes and accept the license agreement. Next, select RAW, this supports all file systems. Select Network Use because we want to copy the image to the FTP server. Lastly, fill out this screen based on your Network, you will need to specify the IP of the server for Config FTP as well as the username and password, Config useridpass, and a filename Config filename, change the compression to your preference I use Gzip but any one of these will do equally well. When naming the image you may want to consider putting parts of the computer model, OS, Service pack, or Hard Drive size, this will help in the future when you have 20 images and want to make sure you get the right one on the right workstation. When you have all your options in there select Backup and it will confirm your options with you one last time and then show you a progress bar. This part can take sometime to finish but once the image is uploaded you can start imaging it to other workstations. I have attached some screenshots of the G4L program so you can get a feel for where these items I talk about are located in the menu structure.

Restore an Image using G4L
To image a workstation boot to the G4L CD and go though the menus except select the Restore menu option instead of backup and it will transfer the image to the new workstation.


]]> http://www.waynezim.com/2009/06/how-to-clone-disk-images-using-g4l-in-a-windows-environment/feed/ 9 http://www.waynezim.com/2009/06/how-to-setup-a-legal-notice-before-login-in-group-policy/ http://www.waynezim.com/2009/06/how-to-setup-a-legal-notice-before-login-in-group-policy/#comments Fri, 19 Jun 2009 20:20:14 +0000 Wayne Zimmerman http://www.waynezim.com/?p=300 A few days ago I was tasked with setting up a notice to users before the actually log on to the computer to notify them that if they use this computer they agree to blah.. blah.. blah legal stuff. To solve this, I decided that this would be good to see on every computer we have in the organization so I added it to the Default Domain Policy, but this can be applied to users or computers at any level you see fit. This is a very easy setting that may also substitute for signing the computer usage agreements every year.

1. Open up your Group Policy Management Console (gpmc.msc)
2. Go to the Group Policy Object in your domain, right click on Default Domain Policy and select Edit…
3. Once the Group Policy Editor is up, using the treeview on on the left go to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
4. To edit the title of the windows change: Interactive logon:Message title for users attempting to log on
5. To edit the message text change: Interactive Logon:Message text for users attempting to log on
]]> http://www.waynezim.com/2009/06/how-to-setup-a-legal-notice-before-login-in-group-policy/feed/ 0