Friday, January 15, 2010

Selective Domain/Forest Trusts – episode I

 

Max, a buddy of mine, recently shared a concern he had in his organization (say Piglet Inc.). They just acquired another company (say Ducklings Inc.) and now have a trust relationship between the two ADs. He is paranoid about this level of trust, because the other domain/forest is not directly managed by his IT department. A very useful feature in such a scenario is "Selective Trusts". The feature is built into Windows 2003 and can be used as long as the forest functional level of the trusting domain is set to Windows 2003. Of course, if the trust is a two-way transitive trust, then both forests should be at the Windows 2003 functional level.

A simple netdom command will put his concerns to rest and let him sleep better.

On the trusting domain, enter the netdom command below:

Netdom trust <trustingDomainName> /domain:<trustedDomainName> /SelectiveAuth:Yes
/usero:<domainadministratoraccount> /passwordo:<domainadministratoraccountpassword>

e.g.:

Netdom trust piglet.com /domain:duckling.com /SelectiveAuth:Yes
/usero:pigletadmin /passwordo:oinkoink

To disable selective authentication, issue the same command with /SelectiveAuth:No.

By doing this, you can pick and choose which users or groups get access to which resources or computers in your domain.

Let's say, for example, that Scrooge from the HR team at Ducklings Inc. needs to access a share on Piglet's HR file server named "Porkie". Under normal circumstances Scrooge would open it using the UNC path \\Porkie\sharename, and as long as he had been granted access to the share, he could get in. If "Authenticated Users" had access to the share, he would not even need any further privileges; he would just get in.

But with selective authentication on, this no longer works. There is a special object access right, "Allowed to Authenticate", that must be granted to Scrooge on the computer object "Porkie" before he can get to any resource on it.
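As an added example (not from the original post), the "Allowed to Authenticate" right can be audited and granted on the computer object from PowerShell with the System.DirectoryServices classes that PowerShell 2.0 already has, instead of clicking through the ACL editor. The rights GUID is the schema's Allowed-To-Authenticate value; the DN and account names are placeholders for the Piglet/Duckling scenario, and the caller needs permission to read (and, for the grant, modify) the computer object's ACL.

```powershell
# Added example, not from the original post. Audits and grants the
# "Allowed to Authenticate" extended right on a computer object using
# System.DirectoryServices (PowerShell 2.0, no AD module required).
# Assumed: placeholder DN/account names; an account that can read and,
# for the grant, modify the computer object's ACL.

# Rights-GUID of the Allowed-To-Authenticate extended right in the AD schema
$AllowedToAuthenticate = [Guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'

function Get-AllowedToAuthenticate {
    # Lists every principal with an Allow ACE for the right, explicit or inherited,
    # so you can verify that only the intended trusted-domain principals hold it
    param([Parameter(Mandatory=$true)][string]$ComputerDn)
    $computer = [ADSI]"LDAP://$ComputerDn"
    $computer.psbase.ObjectSecurity.Access |
        Where-Object { $_.ObjectType -eq $AllowedToAuthenticate -and
                       $_.AccessControlType -eq 'Allow' } |
        Select-Object IdentityReference, IsInherited
}

function Grant-AllowedToAuthenticate {
    # Adds the Allow ACE; prefer a trusted-domain group over individual users
    param([Parameter(Mandatory=$true)][string]$ComputerDn,
          [Parameter(Mandatory=$true)][string]$Account)   # e.g. 'DUCKLING\Scrooge'
    $sid = (New-Object Security.Principal.NTAccount($Account)).Translate(
               [Security.Principal.SecurityIdentifier])
    $ace = New-Object DirectoryServices.ActiveDirectoryAccessRule(
               $sid,
               [DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
               [Security.AccessControl.AccessControlType]::Allow,
               $AllowedToAuthenticate)
    $computer = [ADSI]"LDAP://$ComputerDn"
    $computer.psbase.ObjectSecurity.AddAccessRule($ace)
    $computer.psbase.CommitChanges()
}

# Placeholder DN for the HR file server "Porkie" in the trusting domain
$porkie = 'CN=Porkie,OU=Servers,DC=piglet,DC=com'
Get-AllowedToAuthenticate -ComputerDn $porkie
# Grant-AllowedToAuthenticate -ComputerDn $porkie -Account 'DUCKLING\Scrooge'
```

Run the audit again after the grant: the new ACE shows with IsInherited set to False, while anything inherited from the OU or domain shows True.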

How does this actually work in the background? Well, that's for episode II.

Friday, September 18, 2009

Empathy the new IM for Gnome

Historically, Pidgin has been the IM client shipped with Gnome or Linux. Pidgin has been the multi-protocol client of choice for a huge crowd, including Windows enthusiasts. It enjoys a loyal following of developers and supporters from across the globe, who have volunteered a lot of plug-ins for Pidgin. This has made Pidgin quite a heavy app. I have been waiting to test Empathy from the time I heard it was in the works by the Gnome development team.

A little bit about Empathy. Empathy is a messaging client that supports text messaging, voice and, most importantly, video calls. It also supports file transfer over XMPP or local networks, which I am not too keen on, but the support for video chat in a multi-protocol IM is awesome. It supports voice and video using the open protocols SIP and XMPP (think Jabber and Jingle). Empathy also supports location information.

Installing Empathy could be as easy as running

# yum install empathy

Loaded plugins: refresh-packagekit
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package empathy.x86_64 0:2.26.2-1.fc11 set to be updated
--> Processing Dependency: telepathy-salut for package: empathy-2.26.2-1.fc11.x86_64
--> Processing Dependency: telepathy-haze for package: empathy-2.26.2-1.fc11.x86_64
--> Processing Dependency: telepathy-gabble for package: empathy-2.26.2-1.fc11.x86_64
--> Processing Dependency: telepathy-filesystem for package: empathy-2.26.2-1.fc11.x86_64
--> Running transaction check
---> Package telepathy-filesystem.noarch 0:0.0.1-3.fc11 set to be updated
---> Package telepathy-gabble.x86_64 0:0.7.26-2.fc11 set to be updated
--> Processing Dependency: libloudmouth-1.so.0()(64bit) for package: telepathy-gabble-0.7.26-2.fc11.x86_64
---> Package telepathy-haze.x86_64 0:0.3.1-1.fc11 set to be updated
---> Package telepathy-salut.x86_64 0:0.3.9-1.fc11 set to be updated
--> Processing Dependency: libavahi-gobject.so.0()(64bit) for package: telepathy-salut-0.3.9-1.fc11.x86_64
--> Running transaction check
---> Package avahi-gobject.x86_64 0:0.6.25-3.fc11 set to be updated
---> Package loudmouth.x86_64 0:1.4.3-5.fc11 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
Package                   Arch        Version               Repository    Size
================================================================================
Installing:
empathy                   x86_64      2.26.2-1.fc11         updates      1.4 M
Installing for dependencies:
avahi-gobject             x86_64      0.6.25-3.fc11         updates       30 k
loudmouth                 x86_64      1.4.3-5.fc11          updates       79 k
telepathy-filesystem      noarch      0.0.1-3.fc11          fedora       3.5 k
telepathy-gabble          x86_64      0.7.26-2.fc11         updates      330 k
telepathy-haze            x86_64      0.3.1-1.fc11          updates       57 k
telepathy-salut           x86_64      0.3.9-1.fc11          fedora       248 k

Transaction Summary
================================================================================
Install      7 Package(s)        
Update       0 Package(s)        
Remove       0 Package(s)        

Total download size: 2.1 M
Is this ok [y/N]: y
Downloading Packages:
(1/7): avahi-gobject-0.6.25-3.fc11.x86_64.rpm            |  30 kB     00:01    
(2/7): empathy-2.26.2-1.fc11.x86_64.rpm                  | 1.4 MB     00:20    
(3/7): loudmouth-1.4.3-5.fc11.x86_64.rpm                 |  79 kB     00:02    
(4/7): telepathy-filesystem-0.0.1-3.fc11.noarch.rpm      | 3.5 kB     00:00    
(5/7): telepathy-gabble-0.7.26-2.fc11.x86_64.rpm         | 330 kB     00:07    
(6/7): telepathy-haze-0.3.1-1.fc11.x86_64.rpm            |  57 kB     00:03    
(7/7): telepathy-salut-0.3.9-1.fc11.x86_64.rpm           | 248 kB     00:01    
--------------------------------------------------------------------------------
Total                                            53 kB/s | 2.1 MB     00:40    
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing     : telepathy-filesystem-0.0.1-3.fc11.noarch                 1/7
  Installing     : telepathy-haze-0.3.1-1.fc11.x86_64                       2/7
  Installing     : avahi-gobject-0.6.25-3.fc11.x86_64                       3/7
  Installing     : telepathy-salut-0.3.9-1.fc11.x86_64                      4/7
  Installing     : loudmouth-1.4.3-5.fc11.x86_64                            5/7
  Installing     : telepathy-gabble-0.7.26-2.fc11.x86_64                    6/7
  Installing     : empathy-2.26.2-1.fc11.x86_64                             7/7

Installed:
  empathy.x86_64 0:2.26.2-1.fc11                                               

Dependency Installed:
  avahi-gobject.x86_64 0:0.6.25-3.fc11                                         
  loudmouth.x86_64 0:1.4.3-5.fc11                                              
  telepathy-filesystem.noarch 0:0.0.1-3.fc11                                   
  telepathy-gabble.x86_64 0:0.7.26-2.fc11                                      
  telepathy-haze.x86_64 0:0.3.1-1.fc11                                         
  telepathy-salut.x86_64 0:0.3.9-1.fc11                                        

Complete!

or

# apt-get install empathy

depending on your distribution. You can also build it from the sources. I use Fedora 11, and I had to have farsight2 and gstreamer-plugins installed to get video and voice calls working. Once Empathy starts, you can add your Yahoo and GTalk accounts, even MSN accounts, without any problems. Just remember to change the default ports to 80 instead.

Video and Voice using gtalk work flawlessly.

I like the smoother interface of Empathy and the clean look. Thanks to the team, they did a wonderful job.

Thursday, September 10, 2009

Learning PowerShell with Kiran …… day two

Getting help

PowerShell is an excellent tool in that all the required documentation is built into the shell itself. You do not have to dig through reference and developer documentation, as you so often do with VBScript.

help <cmdlet or alias>

will give you the help you need, including the syntax. If you need more detailed help explaining all the options, or examples, then just use the switch -Detailed or -Full:

help <cmdlet or alias> -Full

help <cmdlet or alias> -Detailed

e.g.: help Get-ChildItem -Full

The help feature also supports wildcards, i.e., if you are looking for a cmdlet to stop a process, then you could simply run "help *process*" as shown below:

image

From the above, it is relatively easy to figure out that "Stop-Process" is the cmdlet you can use to stop a process. Quite powerful, isn't it?

Working with Aliases

Using aliases instead of cmdlets is convenient, because typing long cmdlet names is not only cumbersome, it's also prone to mistakes, and you easily get frustrated if you use them regularly. So, to keep your sanity, PowerShell provides the alias feature. If you are from the *nix world, then you already know what an alias is. Aliases let you call cmdlets by shorter names for convenience instead of using their full cmdlet names.

dir, ls, copy and cd are system-assigned aliases for Get-ChildItem (dir and ls), Copy-Item and Set-Location. PS has many more aliases, and to list them you can use the command... wait, how can we find out what command to use? Let's try using help here.

image

Looking at the output, I am tempted to try "Get-Alias".

image

That's it. That's how we explore the power of PS.

If I want to know the available aliases for Get-ChildItem, then I have to look at help to see all the options and switches provided by the cmdlet.

PS> help Get-Alias -Full

shows this interesting example:

image 

Exactly what we need. Now let’s try that.

image

Understanding the above command in its simplest form (don't get hung up on the functions, neither will I): it's piping the output of the Get-Alias command and filtering out only the rows where "Get-ChildItem" appears in the "Definition" column. Awesome. This means that PS also supports piping.

You can create your own aliases using the "New-Alias" cmdlet. We have seen this in the second screenshot (help *alias*). The command syntax can be obtained by looking up help on New-Alias.

image

In its simplest form, you can use the command as below:

PS> New-Alias -Name d -Value Get-ChildItem

or

You could also specify it as below:

PS> New-Alias d Get-ChildItem

because PS does not require you to specify a positional parameter's name if the value is given in the right position, i.e., in this case the first parameter that New-Alias takes is "-Name" and the second parameter is "-Value". As long as we have the right values in the right order, PS will interpret them properly.

To check if the command worked, let's retry the Get-Alias command using Where-Object filtering:

image

Yes, "d" does show up as an alias. Let's run the command:

image

Delete an Alias

I'm not sure if you remember the screenshot from Day One, which reveals that Alias: is also loaded as a PSDrive. This means I can also get a list of aliases by issuing a "Get-ChildItem" or "dir" against it, as shown below:

image

This should also allow me to use "Remove-Item" to remove any alias that I do not need. Let's try it.

image

Yup. That worked.
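The alias workflow from this section, as an added example that is not part of the original post, wrapped in two functions for PowerShell 2.0 or later. It adds a check that the post's screenshots skip: New-Alias happily creates an alias that shadows an existing command or points at a cmdlet that does not exist, so the helper refuses both.

```powershell
# Added example, not from the original post: finding, creating and deleting aliases.

function Get-AliasFor {
    # Return the alias names that resolve to the given cmdlet (Get-ChildItem -> dir, ls, gci)
    param([Parameter(Mandatory=$true)][string]$Cmdlet)
    Get-Alias | Where-Object { $_.Definition -eq $Cmdlet } | ForEach-Object { $_.Name }
}

function New-CheckedAlias {
    # Create an alias positionally (-Name then -Value, as explained above), but first
    # refuse to shadow anything Get-Command already resolves: an alias that silently
    # overrides an existing cmdlet or function is a classic source of surprises.
    param([Parameter(Mandatory=$true)][string]$Name,
          [Parameter(Mandatory=$true)][string]$Cmdlet)
    if (Get-Command $Name -ErrorAction SilentlyContinue) {
        throw "'$Name' already resolves to a command; choose another alias name"
    }
    if (-not (Get-Command $Cmdlet -CommandType Cmdlet,Function -ErrorAction SilentlyContinue)) {
        throw "'$Cmdlet' is not a known cmdlet or function (New-Alias itself would not check)"
    }
    # -Scope Global: an alias created inside a function would otherwise vanish on return
    New-Alias $Name $Cmdlet -Scope Global
    Get-Item "Alias:\$Name"        # Alias: is a PSDrive, so the item cmdlets work on it
}

New-CheckedAlias -Name d -Cmdlet Get-ChildItem
Get-AliasFor Get-ChildItem         # "d" is now in the list
Remove-Item Alias:\d               # delete it again, as in the "Delete an Alias" step
```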

Finding the required cmdlet

In the beginning of this post, we used the "help" command to search for the required cmdlets. That only looks at the documented help topics to get you the information. If there are cmdlets that are not documented, then you would not find them. To find any cmdlet, you should ideally use "Get-Command".

Just issuing “Get-Command” by itself will list all the available cmdlets in the shell.

To understand the syntax of Get-Command let’s run “help Get-Command”

image

Notice the "-Verb" and "-Noun" parameters. This is what makes Get-Command powerful and useful in searching for cmdlets. Remember, on Day One we talked about how PS uses the Verb-SingularNoun convention to name all its cmdlets. The power of doing so is revealed now.

e.g.: you want to look for a process on your machine and kill it, and we obviously do not know the cmdlet to do that. So let's use Get-Command to achieve this. Since we want to look at processes, let's ask for all cmdlets that match the noun "process".

image

So, we have two choices with processes: "Get-Process" and "Stop-Process". See how powerful and easy it makes finding cmdlets. In addition to this, the parameters support wildcards too, as shown below:

image

PS Snap-ins

Cmdlets themselves are packaged in snap-ins. Each snap-in adds additional functionality and cmdlets to the shell, very much like MMC snap-ins. The cmdlets used to manage snap-ins can be found by using the Get-Command described above.

image 

We can make an educated guess, that Add-PSSnapin is to add new Snap-ins and Remove-PSSnapin is to remove Snap-ins from the shell. Get-PSSnapin is probably used to get details about a Snap-in. Let’s check.

image

As is evident, Get-PSSnapin, when run by itself, lists all the available snap-ins on this computer. We also notice that it can be used to search for a particular snap-in using the -Name parameter, which also accepts wildcards. In this case, we tried to look for any snap-in that has the word "Utility" in it.

To see available cmdlets in a snap-in, we may have to look at Get-Command cmdlet’s syntax more closely.

image

Oh, wait, yes, Get-Command takes -PSSnapIn as an argument. Wonderful. Let's try that:

image

This is nice if you want to find the cmdlets in a particular Snap-in.
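Cmdlet discovery with Get-Command and Get-PSSnapin, as an added example that is not part of the original post (PowerShell 2.0 or later). Besides the Verb/Noun search used above, it summarises what each loaded snap-in contributed, which is a quick way to see what a third-party snap-in actually brought into the shell.

```powershell
# Added example, not from the original post: searching cmdlets by verb/noun
# and summarising the cmdlets each snap-in adds.

function Find-Cmdlet {
    # Search by the Verb-Noun convention; both parameters accept wildcards
    param([string]$Verb = '*', [string]$Noun = '*')
    Get-Command -CommandType Cmdlet -Verb $Verb -Noun $Noun |
        Select-Object Name, @{Name='Snapin'; Expression={ $_.PSSnapIn.Name }}
}

function Get-SnapinSummary {
    # One row per loaded snap-in: how many cmdlets it adds and its three most common verbs
    foreach ($snapin in Get-PSSnapin) {
        $cmdlets  = @(Get-Command -PSSnapin $snapin.Name -CommandType Cmdlet)
        $topVerbs = $cmdlets | Group-Object Verb | Sort-Object Count -Descending |
                    Select-Object -First 3 | ForEach-Object { $_.Name }
        New-Object PSObject -Property @{
            Snapin   = $snapin.Name
            Cmdlets  = $cmdlets.Count
            TopVerbs = ($topVerbs -join ', ')
        }
    }
}

Find-Cmdlet -Noun Process                  # Get-Process, Stop-Process, ...
Find-Cmdlet -Verb Stop                     # every "Stop-*" cmdlet, like "help stop*"
Get-SnapinSummary | Format-Table Snapin, Cmdlets, TopVerbs -AutoSize
```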

PipeLine

When a cmdlet runs, it is actually working with objects and outputs objects. By default these objects are piped to a default cmdlet, Out-Default. Out-Default is the cmdlet that actually converts a cmdlet's output to text and displays it on the console. To prove this, try the below:

image

image

The output of both commands is the same. This shows you that all cmdlets run in a pipeline, as shown below:

pipeline

Sometimes there are cmdlets that only process the input but produce no output, like Stop-Process. Stop-Process can take its input and stop the process as shown below, but will not produce any output.

image

These kinds of cmdlets often have a "-PassThru" parameter, which passes the input back to the output for further processing, as shown in the example below:

image

Notice how the -PassThru parameter passed the object back into the pipe after it was done processing, in this case to the default Out-Default, resulting in the process that's being stopped being displayed. This is awesome.

You could also create HTML files with the ConvertTo-Html cmdlet, e.g. if you wanted to write the 10 newest Application log events into an HTML file, you would do that as below:

image 

image

In this case the pipe would look like below:

pipeline-multi

 

This pipelining feature puts awesome power in the admin’s hands.
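The two pipeline behaviours from this section as runnable functions, added here as an example that is not part of the original post (PowerShell 2.0 or later). It uses notepad.exe as a harmless process to start and stop, and writes the event-log report to a file under %TEMP%.

```powershell
# Added example, not from the original post: -PassThru as a receipt for a
# no-output cmdlet, and the Get-EventLog | ConvertTo-Html report.

function Stop-ProcessWithReceipt {
    # Stop-Process emits nothing; with -PassThru the stopped Process object comes back
    # through the pipe, so we can record what was actually stopped instead of assuming
    param([Parameter(Mandatory=$true)][int]$Id)
    Get-Process -Id $Id | Stop-Process -PassThru |
        Select-Object Id, ProcessName, @{Name='StoppedAt'; Expression={ Get-Date }}
}

function Export-NewestAppEvents {
    # The post's ConvertTo-Html example: the N newest Application log events as an HTML report
    param([string]$Path = (Join-Path $env:TEMP 'app-events.html'),
          [int]$Count = 10)
    Get-EventLog -LogName Application -Newest $Count |
        Select-Object TimeGenerated, EntryType, Source, EventID, Message |
        ConvertTo-Html -Title "Newest $Count Application events" |
        Out-File -FilePath $Path -Encoding UTF8
    Get-Item $Path                       # hand the file object down the pipe, not just a path string
}

$proc = Start-Process notepad.exe -PassThru      # Start-Process supports -PassThru too
Stop-ProcessWithReceipt -Id $proc.Id
Export-NewestAppEvents
```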

Wednesday, September 9, 2009

Free Anti-SPAM Gateway (MailCleaner)

 

There are one too many options when it comes to choosing a Unix email gateway. Some are complicated to install and manage, and some do not provide all the needed features. Hands down, MailScanner is one of the best anti-spam engines out there. But it does not have a built-in web GUI. There is one web GUI available for people who want to check out MailScanner in its true form, MailWatch. But even MailWatch leaves a lot to be desired as a spam and end-user interface. Before you MailWatch fans flame me, I will admit that MailWatch has been the leading UI for working with MailScanner, and I personally used it for a long time, i.e., before I laid my hands on MAILCLEANER.

MAILCLEANER is simply one of the best open-source spam gateways available out there. It is offered as a complete solution: an out-of-the-box solution that can be used as a virtual image or installed on a server. The author of MailCleaner does a good job of answering questions on the forums, though the updates are not as frequent as you would like them to be.

You can download the install set from the product’s main open-source site MailCleaner. If you can afford it, the author also has a commercial offering here.

As is universally known, it's never a good idea to expose your organization's primary email server to the Internet directly. Yes, even if it's just port 25. Because if you ever become the victim of a compromise which results in a denial of service of the server, or the server crashes, then:

a) incoming email capability is lost (no incoming emails/communication, from clients, vendors, customers and prospects)

b) outgoing email capability is lost (no outgoing emails/communication to clients, vendors, customers and prospects)

c) all internal email communication is also lost.

A typical deployment scenario for this would be like below:

[diagram: typicaldeployment]

OR

[diagram: Typical]

Yes, MailCleaner can only be used as an incoming email/SPAM gateway, which is adequate and suffices most of the small/medium size business requirements.

Installation is pretty straightforward: pop the CD in and boot.

bootcd

Selecting the highlighted option will erase all disks on your system and install Mailcleaner. The installation itself is completely automated, and requires no user interaction. Once the distribution is installed, you can login using the default credentials below:

user: root

passwd: def

As always it is highly advisable to change the default password immediately on login. You can change that using the command below:

# passwd

After you change the password, the first thing you want to do is change the keymap, because the default keymap for MailCleaner is French. This can get tricky because the "/" key is located above "7". So if you want to type a forward slash "/", you would type "Shift+7". Also, the keys for "y" and "z" are swapped in the French layout.

To change the keymap you have to issue the command below (for US keymap):

# loadkeys /usr/share/keymaps/i386/qwerty/us.kmap.gz

Remember to use "Shift+7" for "/", "z" for "y" and "y" for "z" while typing it.

To make this change permanent, copy the US keymap over /etc/console/boottime.kmap.gz as below:

# cp /usr/share/keymaps/i386/qwerty/us.kmap.gz /etc/console/boottime.kmap.gz

The default IP address of MailCleaner is as below:

defaultIP

To change the default IP and assign your own static IP (yes, you should assign it a static address; using DHCP for a mail gateway is a bad, bad idea), you have two options:

i) run the ip_configurator script on the system as below:

# /root/bin/ip_configurator

ii) edit the /etc/network/interfaces file and change the entries. To do that, type in the command below:

# nano /etc/network/interfaces

editIP

 

Now you are ready to run the MailCleaner install set. To start the installation, type in the command below and follow through the various prompts. The defaults will suffice for the most part; you may customize them if you choose:

# /root/mailcleaner_install.sh

installmailcleaner

Host ID has to be "1" if this is the first MailCleaner server in the network. For the final option,

"process with an interactive installation (y/N):"

the answer should be "N" for first-time installers; otherwise you will get errors and the installation will fail. After answering "N", the MailCleaner install script will go ahead and build a bunch of modules and dependencies. This will take a while depending on your system. Once done, go ahead and visit the MailCleaner web page at

http://<hostname>/admin

or

http://<IPaddressOfYourMailcleanerServer>/admin and log in using the admin account and the password you configured in the previous install step.

image


Configuration aspects of MailCleaner coming up soon…….

 

Using Windows XP safely – Defend against spyware and virus

Keeping Windows Safe and Protect against Spyware and Malware

 

How can I stay virus-free and malware/spyware-free without disconnecting myself from the world? This is a question I get a lot from friends and family. Windows XP puts a lot of power in the hands of the user, and we quite often forget the capabilities and the powerful credentials we use, until we get infected by spyware or a virus. My personal experience has been that most anti-virus and anti-spyware tools fall short to some extent, some more than others. The most commercial anti-virus programs are, in most cases, the worst protectors. Also, as users we often find that we do not update the signatures as often as required, and we do not even update the operating system and the tens and hundreds of programs and drivers we use on our systems.

An average computer user has at least 30-40 different drivers on his machine. Almost all of these drivers run as the SYSTEM user, the highest possible privilege that any process can run as. The SYSTEM account has unchallenged power on the machine. An unpatched machine may have known vulnerabilities, viz. buffer overflows, which can be targeted and exploited. A process that has been compromised through such an exploit can alter the user experience dramatically without the active user's knowledge. In most cases, a spyware process running as the SYSTEM account can spawn new threads or even new processes, can attach itself to any other process it needs to, and can most definitely hide itself from the process list, thereby totally evading detection by the trained eye. Most importantly, it can prevent any anti-virus or anti-spyware program from starting, or alter its behaviour so that it never updates itself or reports any problems.

There are umpteen attack vectors that an average computer user or casual Internet user may not know of, or even understand. Technology has advanced so much that it has made computing and computer interaction totally seamless for the end user, be it for business applications, social networking or casual browsing. The complexity of the software architecture and networking technologies behind keeping everything running has to stay invisible for the adoption of computers, the Internet and related technologies.

But luckily, it's relatively easy to stay safe in this big bad world of the Internet. And best of all, it doesn't have to cost you anything.

I'll list the safety measures that I recommend and follow. Based on my experience, this has helped a lot of computers stay safe and relatively unaffected by most epidemics.

a) Never use your computer as an administrator or as any user with administrative privileges. This includes Power User privileges. The default account most people use on their Windows XP home computers is an administrator. This leaves the user open to spyware/malware and virus attacks. I have a whole blog post about running as a non-admin user here.

b) In spite of the weaknesses I mentioned above, you should always use an anti-virus and an anti-malware tool. For anti-virus, I recommend Avira. It's not memory- or processor-intensive, and has one of the best protections around for the price (free). I recommend it over anti-virus programs such as Symantec, McAfee or AVG. Spyware Doctor, which also comes as part of Google Pack, offers the best free protection from spyware available in the market today. The basic/free version does not protect you in real time, but if you follow all the steps in this post, then you can still be safe without real-time protection.

c) Ditch IE as your browser. I agree that IE is one of the easiest and most user-friendly browsers to use. But it's also one of the most targeted browsers for attacks. Try Firefox. Firefox has some nifty add-ons that make it one of the most versatile browsers in the market today. Using Firefox with the Adblock and NoScript add-ons protects you from dangerous pop-ups and scripts that can get you infected. The NoScript publishers update their software very often to protect against new spyware and malware infection techniques. A how-to on adding these add-ons and using them in the real world is detailed here.

d) Update often. Configure Windows to update as soon as possible. Windows Update is one of the best update tools available out there. Configure it to automatically download updates in the background and install security updates immediately. Since this runs as a service and does all the work for you in the background, you don't have to log in as an admin to update your system.

e) Check for the latest updates on any 3rd-party software and update it too.

f) Due diligence is also one of the most important factors in keeping your system safe. The weakest link in system security is the end user.

  1. Always use a complex, non-dictionary password to protect your computer.
  2. Don't create or use any user account without a password assigned to it.
  3. Keep changing your passwords often, at least once every 90 days.
  4. Don't visit sites you have no business going to, and this includes clicking on funny video links in your emails, or any "celebrity naked pictures" links sent by unknown people or even friends and family. Internet porn and online videos are the leading sources of spyware/malware and viruses.
  5. Don't fall for fraudulent emails, a.k.a. phishing attacks. Never click on any link received in an email. There is hardly any easy way for the end user to know that he is being directed to the correct website. If you need to go to PayPal, bank sites or any other site, type the website URL into the browser yourself. Your financial or social institutions will never email you asking you to check back into the site using a link to verify your username or anything else.
  6. Be vigilant. I have known one too many users who just clicked on some pop-up window or message, thereby allowing themselves to be willingly infected. It's one of the easiest mistakes to make, and the most fatal too. So be vigilant and careful about what you are clicking on. A moment of patience will save you hours of frustration and a couple of hundred dollars in trying to get your computer fixed.

Running Windows XP as non-admin

 

Running Windows XP as a non-admin is one of the primary safeguards you can take to protect yourself. Remove your everyday user account from the Administrators group and from the Power Users group (on XP, Power Users is close to an administrator and is not a safe middle ground), or create a normal user account and start using that instead. Also make the regular account a member of the Network Configuration Operators group; that lets it change network settings such as the IP address and default gateway without administrator rights.
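The account change described above, as an added example that is not from the original post: a batch script that demotes an everyday account to a limited user and adds it to Network Configuration Operators (the group the paragraph refers to). The user name alice is an assumption; run it from a command prompt started as an administrator. Group membership is evaluated at logon, so the change applies the next time that account logs on.

```batch
@echo off
rem Added example, not code from the original post.
rem Demote an everyday account to a limited user and give it just enough
rem rights to change its own network settings. "alice" is an assumption.
set "U=alice"

rem Create the account if it does not exist yet. "*" makes net.exe prompt for
rem the password, so it never appears on the command line or in the history.
net user "%U%" >nul 2>&1 || net user "%U%" * /add

rem Remove the privileged memberships. Power Users is almost an administrator
rem on XP, so it goes too. An error here only means it was not a member.
net localgroup Administrators "%U%" /delete >nul 2>&1
net localgroup "Power Users"  "%U%" /delete >nul 2>&1

rem Plain Users, plus the one group that allows changing IP address, gateway,
rem DNS and other TCP/IP settings without administrator rights.
net localgroup Users "%U%" /add >nul 2>&1
net localgroup "Network Configuration Operators" "%U%" /add
if errorlevel 1 echo Could not add %U% to Network Configuration Operators.& goto :eof

rem Verify: "Local Group Memberships" should now list only Users and
rem Network Configuration Operators. The change applies at the next logon.
net user "%U%"
```

Keep at least one other account in Administrators before demoting the one you normally use; otherwise the runas trick below has nothing to run as.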

When you need to install software or do other administrative work, it is easy to run just that task with administrator privileges. runas does not elevate your logon session; it starts a new process under the administrator's credentials, so only what you launch from that process runs as admin. The simplest form is to start a command prompt as the administrator and run all administrative tasks from that window. Two caveats: never use the /savecred switch, because it caches the administrator password and then lets anything running as your limited account start programs as administrator without being asked for it; and the admin window shares the desktop with everything else you run, so this is a convenience boundary that keeps mistakes and drive-by installs out of the admin context, not a hard security boundary.

c:\> runas /user:administrator cmd.exe

image

This opens a command prompt and asks for the password of the local account "administrator" (use /user:<computername>\administrator or /user:<domain>\<account> when you need to be explicit about which account you mean). Provide it and, if it is accepted, a plain old command prompt console appears. From there you can launch or perform most administrative tasks, including installing new software, IE plug-ins and so on. The commands that launch the most common applets are listed below:

Task                          Command
----------------------------  --------------------
Add/Remove Programs           appwiz.cpl
Administrative Tools          control admintools
Computer Management           compmgmt.msc
Date & Time                   timedate.cpl
Device Manager                devmgmt.msc
Display Properties            desk.cpl
Event Viewer                  eventvwr.msc
Internet Properties           inetcpl.cpl
Local Users and Groups        lusrmgr.msc
Mouse Properties              main.cpl
Network Connections           ncpa.cpl
Power Options                 powercfg.cpl
Printers and Faxes            control printers
Registry Editor               regedit
Scheduled Tasks               control schedtasks
Services                      services.msc
Sounds and Audio Devices      mmsys.cpl
System Properties             sysdm.cpl
Windows Task Manager          taskmgr
Windows Firewall              firewall.cpl

Some commands useful on XP Professional or in a Windows domain environment:

Task                          Command
----------------------------  --------------------
Group Policy Editor           gpedit.msc
Computer Management           compmgmt.msc
Security Center               wscui.cpl
Group Policy update           gpupdate
Disk Management               diskmgmt.msc

 

But before you launch any of these applets, make one registry edit: set the value SeparateProcess under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced to 1, in the administrator's profile. To do so, launch the command prompt as the administrator with the runas command shown above:

image

Now type regedit in that command prompt. Registry Editor opens, and because the process runs under the administrator's token, HKEY_CURRENT_USER here is the administrator's hive rather than your everyday account's. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced and set the DWORD value SeparateProcess to 1, as shown below:

Without this entry, many of the commands listed above fail or show no window at all: anything that opens a shell folder (Administrative Tools, Printers and Faxes, Scheduled Tasks, Explorer itself) is handed to the explorer.exe already running as your limited user, where it has no administrator rights. SeparateProcess=1 (the "Launch folder windows in a separate process" option) makes them run in their own process under the administrator's token instead.
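Putting the runas launch, the SeparateProcess registry edit and the cosmetic changes from the shortcut later in this post into one script, as an added example that is not code from the original post. Save it as, say, c:\tools\adminconsole.cmd (the path and the account name administrator are assumptions) and launch it with runas /user:administrator "cmd.exe /k c:\tools\adminconsole.cmd". It refuses to continue if the window is not actually running as a member of Administrators, and writes the registry value to the hive of the account it runs under, which is the point of doing the edit from the runas window rather than from your own session.

```batch
@echo off
rem adminconsole.cmd - added example, not code from the original post.
rem Launch with:  runas /user:administrator "cmd.exe /k c:\tools\adminconsole.cmd"
rem (the path c:\tools and the account name "administrator" are assumptions)

set "ADV=HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

rem 1. Refuse to go on unless this window really runs as a local administrator.
rem    %USERNAME% is the runas target here, because runas loaded that user's profile.
net localgroup Administrators | find /i "%USERNAME%" >nul
if errorlevel 1 (
    echo %USERNAME% is not a member of Administrators - start this with runas.
    goto :eof
)

rem 2. HKCU now resolves to the administrator's hive, not the limited user's.
rem    SeparateProcess=1 ("Launch folder windows in a separate process") makes
rem    Explorer and Control Panel folder windows opened from this console run in
rem    their own process under this token instead of being handed to the
rem    limited user's already-running explorer.exe.
reg query "%ADV%" /v SeparateProcess 2>nul | find "0x1" >nul
if errorlevel 1 (
    reg add "%ADV%" /v SeparateProcess /t REG_DWORD /d 1 /f >nul
    echo SeparateProcess set to 1 for %USERNAME%. Close any explorer.exe started as %USERNAME% before reopening it.
)

rem 3. Make the window unmistakable so admin work is never done in the wrong one.
title ***** Local Admin console (%USERNAME%) *****
color f5
cd /d c:\
set "ADV="
```

The membership check is a substring match on the output of net localgroup, which is good enough to catch the common mistake of double-clicking the script from your limited account. The desktop shortcut shown at the end of this post can point at this script instead of carrying the cd, color and title chain inline.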

image

 

You can also right-click any executable and choose "Run as..." as shown below, to launch an installer or any other executable:

image

That does not work for MSI installer packages, whose context menu has no "Run as..." entry. Launch a command prompt as administrator, change to the folder that holds the .msi file and run it from there:

image

And yes, your observation is correct: I customized my administrator command window to look different. It is fairly easy to do so with cmd.exe extensions. I have a shortcut on my desktop to launch the command prompt as administrator. The shortcut target is as below:

%windir%\system32\runas.exe /user:administrator "cmd.exe /k  cd c:\ && color f5 && title *****Local Admin console *****"

I also have a shortcut key assigned, so I can launch the administrator command window from the keyboard. In my case it is Ctrl + Alt + L.

image

There are a couple of limitations on what you can and cannot do from this administrator command prompt. One major drawback is that you cannot launch Windows Update from it. That is easily overcome by setting Automatic Updates in Control Panel to download and install updates automatically, as in point d) above.

You can launch Windows Explorer as administrator by typing explorer in the command window (this is the case that needs the SeparateProcess setting above):

image

You can launch Internet Explorer as administrator (useful when you have to update the Adobe Flash plug-in, for example) by typing the complete path to iexplore.exe, normally %ProgramFiles%\Internet Explorer\iexplore.exe, as shown below:

image

There is a lot you can do from a command prompt launched as administrator. Running as a limited user helps you stay safe, and the "Run as" options described above ensure that you do not lose any functionality either.