So I did it. I cloned a domain-joined virtual machine, I did not sysprep it, and I left the domain, so when I went back to the original machine no domain logins would work. Even worse, I lost the local admin password. So how do you reset it? In Linux it’s always a reboot away; Windows is a reboot and a few steps:
- Boot from the Microsoft Windows Server 2008 DVD.
- From the Install Windows menu, click “Next”.
- Select “Repair your computer”.
- In System Recovery Options, select the operating system instance that you wish to repair and click “Next”.
- Select “Command Prompt”.
- At the command prompt, switch to the drive that holds the Windows installation (c: here; the letter can be different inside the recovery environment), change into \Windows\System32 and swap the Ease of Access helper for a copy of cmd.exe:
c:
cd \Windows\System32
ren Utilman.exe Utilman.exe.old
copy cmd.exe Utilman.exe
- Reboot the server, allowing Windows to load as normal.
- At the logon screen, press Windows Key + U. This normally starts Utilman.exe (the Ease of Access dialog); it now opens a command prompt, and it runs as SYSTEM because nobody is logged on yet.
- At that command prompt, enter the following command:
net user administrator New_PASSWORD
- Log in to the server as administrator with New_PASSWORD.
- Reboot into the repair command prompt again and put the real Utilman.exe back (from \Windows\System32 on the same drive as before; answer Yes when asked to overwrite):
copy Utilman.exe.old Utilman.exe
- Reboot and enjoy.
Keep in mind what this demonstrates: anyone who can boot the box from their own media can do the same thing unless the disk is encrypted, and this exact Utilman swap is a well-known backdoor, so never skip the last step and check that Utilman.exe is the original again afterwards.
PHP is great and I love it, but a few simple changes to php.ini can noticeably improve its security. Locate your php.ini (find / -name php.ini, or php --ini to see which file is actually loaded) and then modify the following items (php.ini comments start with ; rather than #; PHP 7 no longer accepts # comments in ini files):
; Stop PHP scripts from spawning shell commands. This does not prevent buffer
; overflows; it removes the functions a web shell or injected code would call.
; popen and proc_open spawn processes too, so they belong on the list.
disable_functions = exec,system,shell_exec,passthru,popen,proc_open
; Stop request parameters from being turned into global variables
register_globals = Off
; Do not advertise the PHP version in the X-Powered-By header
expose_php = Off
; Escape incoming quotes (old PHP only; see the note below)
magic_quotes_gpc = On
These settings go a long way toward protecting your system, with two caveats. register_globals and magic_quotes_gpc were removed in PHP 5.4 (where setting them is reported as an error), so those two lines only belong on a PHP 5.3 or older install. And magic quotes were never a reliable injection defence: backslash-escaping every input does nothing for numeric contexts or non-SQL sinks, so the real fix is prepared statements (PDO or mysqli) in the application code.
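To check a server against these settings without reading php.ini by hand, here is a small audit script. It is an added example, not a script from the original post. Beyond the four functions listed above it also looks for popen and proc_open, which spawn processes the same way, and it flags register_globals or magic_quotes_gpc when they are turned on, since both were removed in PHP 5.4. It assumes a POSIX sh with grep, sed, tail and tr; the php.ini it runs on in the demo at the bottom is constructed inline.

```shell
#!/bin/sh
# Audit a php.ini for the hardening settings discussed above. Added example,
# not a script from the original post. Assumes POSIX sh with grep, sed, tail
# and tr; the demo php.ini at the bottom is constructed here.

# Effective value of DIRECTIVE in FILE: the last uncommented assignment wins,
# which is how PHP reads the file. Prints nothing if the directive is not set.
php_ini_value() { # php_ini_value FILE DIRECTIVE
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" \
        | tail -n 1 \
        | sed -E 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*(;.*)?$//; s/^"(.*)"$/\1/'
}

# Print one line per weakness and return the number of findings
# (exit status 0 means every checked setting is in the hardened state).
audit_php_ini() { # audit_php_ini FILE
    f=$1
    n=0

    # expose_php defaults to On, so "not set" is a finding too
    v=$(php_ini_value "$f" expose_php | tr '[:upper:]' '[:lower:]')
    case "$v" in
        off|0|false|no) ;;
        *) echo "expose_php=${v:-<unset, defaults to On>}: advertises the PHP version"
           n=$((n + 1)) ;;
    esac

    # the four functions from the post, plus popen/proc_open which also spawn processes
    v=$(php_ini_value "$f" disable_functions | tr -d '[:space:]')
    for fn in exec system shell_exec passthru popen proc_open; do
        case ",$v," in
            *",$fn,"*) ;;
            *) echo "disable_functions: $fn is still callable"
               n=$((n + 1)) ;;
        esac
    done

    # both were removed in PHP 5.4, and magic quotes never were a real injection defence
    for d in register_globals magic_quotes_gpc; do
        v=$(php_ini_value "$f" "$d" | tr '[:upper:]' '[:lower:]')
        case "$v" in
            on|1|true|yes)
                echo "$d=$v: removed in PHP 5.4; rely on prepared statements, not this"
                n=$((n + 1)) ;;
        esac
    done

    return "$n"
}

# Usage: audit_php_ini /etc/php.ini   ("php --ini" shows which file is loaded).
# With no argument, run the audit on a constructed sample so the output can be seen.
if [ "$#" -eq 0 ]; then
    sample=$(mktemp)
    printf 'expose_php = On\ndisable_functions = exec,system\nmagic_quotes_gpc = On\n' > "$sample"
    audit_php_ini "$sample" || echo "$? finding(s) in sample php.ini"
    rm -f "$sample"
else
    audit_php_ini "$1"
fi
```

The exit status is the number of findings, so the script drops straight into a cron job or a configuration check that fails when the count is non-zero.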
As most of you are aware, on a Linux system root is the administrative account. It is also the one account that exists on nearly every Linux system, which makes it the obvious target for password guessing. It is critical that you protect root’s password and logins: once someone has root they can do anything on your system. One of the most common protections is to not allow anyone to log in directly as root by anything but the console. This stops brute-force attacks over SSH from ever getting in as root directly. This is done by setting PermitRootLogin to no in sshd_config (/etc/ssh/sshd_config) and then restarting sshd to pick up the change.
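The change above as a script, added here as an example rather than taken from the original post. The point it makes beyond the one-line edit is that sshd honours the first occurrence of a keyword, so simply appending PermitRootLogin no to the end of the file does nothing if an earlier PermitRootLogin yes exists; the script rewrites the first occurrence and drops later duplicates, validates the file with sshd -t before restarting, and shows the effective value with sshd -T. It assumes POSIX sh with awk, an OpenSSH sshd_config, and root for the --apply path; the files used in the demo are constructed inline.

```shell
#!/bin/sh
# Turn off direct root logins over SSH the way the paragraph above describes.
# Added example, not the post's own script. Assumes POSIX sh with awk, an
# OpenSSH sshd_config, and root for the --apply path. The files in the demo are
# constructed here.
set -u

# sshd_set FILE KEYWORD VALUE
# sshd uses the FIRST occurrence of a keyword, so a second "PermitRootLogin yes"
# further down would silently win over one appended at the end. This rewrites
# the first occurrence (active or commented out, e.g. "#PermitRootLogin yes") to
# "KEYWORD VALUE", drops later duplicates and appends the line if none existed.
# A setting inside a "Match" block is not handled; keep the global one above it.
sshd_set() {
    file=$1 key=$2 val=$3
    tmp=$(mktemp)
    awk -v k="$key" -v v="$val" '
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)       # strip indentation and a leading "#"
            split(line, tok, /[ \t=]+/)            # "Keyword value" or "Keyword=value"
            if (tolower(tok[1]) == tolower(k)) {
                if (!seen) { print k " " v; seen = 1 }
                next
            }
            print
        }
        END { if (!seen) print k " " v }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"     # cat keeps the file's owner and mode
    rm -f "$tmp"
}

# sshd_effective KEYWORD: the value sshd itself will use, after Include'd files
# and defaults are applied (sshd -T needs root to read the host keys).
sshd_effective() {
    sshd -T 2>/dev/null | awk -v k="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '$1 == k { print $2 }'
}

# Usage (as root): harden-sshd.sh --apply
if [ "${1:-}" = "--apply" ]; then
    cfg=/etc/ssh/sshd_config
    cp -p "$cfg" "$cfg.bak"
    sshd_set "$cfg" PermitRootLogin no
    sshd -t -f "$cfg" || { echo "config rejected, restoring backup" >&2; cp -p "$cfg.bak" "$cfg"; exit 1; }
    service sshd restart    # the service is called "ssh" on Debian/Ubuntu
    echo "PermitRootLogin is now: $(sshd_effective PermitRootLogin)"
fi
```

Always check the result with sshd -T rather than by reading the file: on newer OpenSSH an Include line near the top can pull in a drop-in that sets PermitRootLogin before anything in the main file.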
This alone goes a long way toward protecting your Linux system: people then have to log in with a normal user account and switch to root afterwards. That switch is done in two ways, sudo and su, and both can be protected. Sudo stands for “super user do” and is a great way to give people some root access without handing over the whole account. For example, you can use sudo to let a user run /etc/init.d/httpd as root but nothing more. It can also be used to become root without knowing root’s password, which is ideal for temporary root needs, and every command run through it is logged. Edit sudo access (stored in /etc/sudoers) with visudo rather than a plain editor: it checks the syntax before saving, which matters because a broken sudoers file locks everyone out of sudo. visudo itself has to be run as root.
To give a user access to root and all commands, add this line (this is equivalent to handing out the root password, so use it sparingly):
username ALL=(ALL) ALL
You can also use it to provide access to another shared user account (for example, if I want a user to be able to become mysql without knowing the password):
username ALL = (root) /bin/su - mysql
Of course, if they know the password for mysql they can just type:
su - mysql
If you want them to be able to execute only a single command as the mysql user, use a line like the following (the user then runs it as sudo -u mysql /etc/scripts/command_to_run_as_mysql; make sure the script is not writable by that user, or the rule is worth as much as a full shell as mysql):
username ALL = (mysql) /etc/scripts/command_to_run_as_mysql
Every command has to be invoked as sudo followed by the command (with -u for a target user other than root). sudo also supports groups of commands (Cmnd_Alias) and user groups (%groupname) to grant access, giving the full flexibility of users and groups.
Once users have been moved onto sudo we can also remove their ability to switch to root with su - (this is a step most people skip, and depending on your environment you may want to skip it too, because some setups depend on su). You can control who can execute su with ordinary file permissions. First make sure you are already root 🙂 so you cannot lock yourself out. Then find the location of the su command using which.
Now change the permissions on su so that only the owner (root) and the group can execute it. su must keep its setuid bit, because it cannot switch users without it, so the mode to set is 4750 rather than a plain 750.
Now create a group that is allowed to use su (wheel is the group name commonly used for this purpose) and make it the group owner of su.
Now add users to wheel with the following command (useradd creates a new account; usermod -aG adds an existing user to the group without dropping its other groups):
usermod -aG wheel username
Now only root and members of the wheel group can execute su, further protecting it. One caveat: a package upgrade that reinstalls su will put its default permissions back, so check them after updates, or enforce the same rule with pam_wheel.so in /etc/pam.d/su, which survives upgrades because it does not touch the binary.
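Here is the two-step lockdown from the sudo and su sections above as one script: a sudoers drop-in that is installed only after visudo accepts it, followed by the group and permission changes on su. It is an added example, not the post’s own script. It assumes a Linux system where /etc/sudoers includes /etc/sudoers.d, GNU stat and usermod; the user alice and the path /etc/scripts/command_to_run_as_mysql are placeholders taken from the examples above.

```shell
#!/bin/sh
# Lock down privilege escalation as the two sections above describe: grant sudo
# rights through a validated drop-in file, then restrict the su binary to the
# wheel group. Added example, not the post's own script. Assumes a Linux box
# whose /etc/sudoers includes /etc/sudoers.d, plus visudo, GNU stat and usermod;
# the user "alice" and the script path are placeholders.
set -eu

# sudoers_install NAME  (rules on stdin)
# Install a sudoers fragment only if visudo accepts its syntax: a typo in
# /etc/sudoers.d locks every admin out of sudo.
sudoers_install() {
    tmp=$(mktemp)
    cat > "$tmp"
    chmod 0440 "$tmp"
    if visudo -cf "$tmp" >/dev/null; then
        mv "$tmp" "/etc/sudoers.d/$1"
    else
        rm -f "$tmp"
        echo "sudoers fragment rejected, nothing installed" >&2
        return 1
    fi
}

# su_restrict PATH GROUP
# Only root and members of GROUP may run PATH. 4750 keeps the setuid bit (su is
# useless without it) and removes execute for "other". A package upgrade that
# reinstalls su resets this, so re-run it afterwards or use pam_wheel.so instead.
su_restrict() {
    chgrp "$2" "$1"
    chmod 4750 "$1"
}

# su_status PATH: "owner group mode", e.g. "root wheel 4750", for verification.
su_status() {
    stat -c '%U %G %a' "$1"
}

# su_allow USER GROUP: add an existing user to the group without dropping the
# groups it is already in (useradd would try to create a new account instead).
su_allow() {
    usermod -aG "$2" "$1"
}

# Usage (as root): lockdown-su.sh --apply
if [ "$(id -u)" -eq 0 ] && [ "${1:-}" = "--apply" ]; then
    sudoers_install 10-alice <<'EOF'
# alice may run one script as mysql, and become mysql without its password
alice ALL = (mysql) /etc/scripts/command_to_run_as_mysql
alice ALL = (root) /bin/su - mysql
EOF
    getent group wheel >/dev/null || groupadd wheel
    su_bin=$(command -v su)
    su_restrict "$su_bin" wheel
    su_allow alice wheel
    su_status "$su_bin"     # expected: root wheel 4750
fi
```

Keep a root shell open while applying this and confirm from a second session that an account outside wheel now gets “permission denied” from su and that alice can still run her two rules, before trusting the result.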
It’s a pain to enforce password length and complexity, because it causes you to reset passwords over and over again, but it does provide better security. So here is how you enforce it in Linux. Inside the /etc/pam.d/system-auth file (Red Hat-style systems; Debian-based systems use /etc/pam.d/common-password) modify the pam_cracklib.so line in the password section:
password    requisite     pam_cracklib.so retry=3 minlen=10 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1
These settings mean: retry=3 gives the user three attempts to pick an acceptable new password before passwd gives up (it has nothing to do with login attempts); minlen=10 is the minimum password length; lcredit=-1 requires at least 1 lower-case letter; ucredit=-1 at least 1 upper-case letter; dcredit=-1 at least 1 digit; ocredit=-1 at least 1 other (punctuation) character. The credits are negative on purpose: a positive credit lets a character class count as extra length toward minlen, while a negative value turns it into a hard minimum, so with these values a password really has to be 10 characters long. Note that root is only warned, not blocked, when it sets a weak password for another user.
To stop old passwords from being reused, add remember=10 to the pam_unix.so line in the same password section: the last 10 password hashes are kept in /etc/security/opasswd and none of them can be chosen again. Combined with a minimum password age (PASS_MIN_DAYS in /etc/login.defs), this means a password cannot come back for at least 10 times that minimum interval; without a minimum age a user can simply change their password 11 times in a row to get the old one back.
If you also want to require that a new password differs from the old one by a minimum number of characters, add difok=2 to the pam_cracklib.so line (at least 2 characters must be new). On newer distributions pam_cracklib.so has been replaced by pam_pwquality.so, which accepts the same options.
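The three edits above (length and credits on pam_cracklib.so, remember on pam_unix.so, difok on pam_cracklib.so) as a script that applies them idempotently, so running it twice does not leave duplicated or conflicting options on a line. It is an added example, not the post’s own script. It assumes a Red Hat-style /etc/pam.d/system-auth with a pam_cracklib.so line (or pam_pwquality.so; pass that name instead) and a pam_unix.so line in the password section, and POSIX sh with awk; the sample file in the demo is constructed inline.

```shell
#!/bin/sh
# Apply the password-policy options above to a PAM stack file without leaving
# duplicate or conflicting options behind. Added example, not the post's own.
# Assumes POSIX sh with awk and a Red Hat-style /etc/pam.d/system-auth; the
# sample file in the demo is constructed here.
set -eu

# pam_set FILE MODULE KEY=VALUE...
# On every "password" line that loads MODULE, remove any existing KEY=... for
# the given keys and append the new KEY=VALUE. Auth/account/session lines for
# the same module and every other line are left exactly as they are.
pam_set() {
    file=$1 module=$2
    shift 2
    tmp=$(mktemp)
    awk -v module="$module" -v opts="$*" '
        BEGIN {
            n = split(opts, kv, " ")
            for (i = 1; i <= n; i++) { split(kv[i], p, "="); want[p[1]] = kv[i] }
        }
        $1 == "password" && index($0, module) {
            out = ""
            for (i = 1; i <= NF; i++) {
                split($i, p, "=")
                if ((p[1] in want) && index($i, "=")) continue   # old value, replaced below
                out = out (out == "" ? "" : " ") $i
            }
            for (k in want) out = out " " want[k]
            print out
            next
        }
        { print }
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"      # keeps the original file's owner and mode
    rm -f "$tmp"
}

# pam_get FILE MODULE KEY: print the value KEY has on MODULE's password line.
pam_get() {
    awk -v module="$2" -v key="$3" '
        $1 == "password" && index($0, module) {
            for (i = 1; i <= NF; i++)
                if (split($i, p, "=") == 2 && p[1] == key) print p[2]
        }' "$1"
}

# Usage (as root): harden-passwords.sh --apply
# The rules take effect at the next password change. Keep a root shell open and
# test with a normal user before logging out: a broken PAM file locks everyone out.
if [ "${1:-}" = "--apply" ]; then
    f=/etc/pam.d/system-auth
    cp -p "$f" "$f.bak"
    pam_set "$f" pam_cracklib.so retry=3 minlen=10 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 difok=2
    pam_set "$f" pam_unix.so remember=10
else
    demo=$(mktemp)
    cat > "$demo" <<'EOF'
# constructed sample of /etc/pam.d/system-auth (password section only)
auth        required      pam_unix.so try_first_pass nullok
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
EOF
    pam_set "$demo" pam_cracklib.so retry=3 minlen=10 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 difok=2
    pam_set "$demo" pam_unix.so remember=10
    cat "$demo"
    rm -f "$demo"
fi
```

Because pam_set only touches password-type lines, the auth line for pam_unix.so keeps its own options; putting remember=10 on that line would be ignored anyway, since it is a password-change option.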