Monday, 10 December 2007

Simple Active Directory

Active directory is a bit of an animal.

Many problems can reside inside Active Directory if it's not well maintained. Most of us will see errors in the event log, and that will be our first clue that something has gone wrong.

If you are lucky enough to have some reporting tools deployed on your server then you might notice them before that.

The most common error is site-to-site replication; these errors are not so hard to deal with. First check that the server you are trying to replicate with is up and running: you can ping it, you can net view to it, and if you have the support tools and resource kit installed you can RPC ping it as well.

So first you ping. In this case my domain controller is Aero-dc.domain.com with an IP of 10.0.10.2.

Ping aero-dc.domain.com

If you get a reply, this means that the network is running; it doesn’t mean the server is working. So next we do a net view to see if the shares such as sysvol are there.

Net view \\aero-dc.domain.com

If you can see them there then all is good, and you are most likely looking at DNS errors, where the DNS entry is wrong or a lookup to the DNS is not possible because the link is down.

Some useful commands you can use from the command prompt are:
This one is useful to check the server is correctly registered with the DNS
netdiag /test:DNS /v

This one is useful to see the replication history
repadmin /showreps

If you are still having Active Directory issues, I would suggest you contact someone that knows it well. Google newsgroups are always a good place if you are not in a hurry to fix little issues.

Simple QoS

Lots of people run networks with high-speed internet connections these days, and almost all of them complain that they are not getting the service they want out of the line. The basic answer is to get more speed; the second answer is to define what you want most.

A basic QoS (quality of service) config will give you much of that internet back. Also, and this is something to remember, unless your router is also your switch you will need a switch that can also deliver QoS, otherwise the traffic will just get stuck in the LAN traffic.

So here is a simple example for your WAN interface. This will make sure your outbound traffic to the net is controlled, and normally it is the outbound that is the slower speed for you. As an example, if your upstream (connection to the internet leaving your router) is 512kbs and your downstream (speed from the internet to you) is 2048kbs, then it is safe to say that the bottleneck will be on your upstream.

Now let's look at an example bit of code. We create a class map with a name, in this case HIGHPRIORITY, to show that these types of traffic are most important, and reserve a % of bandwidth for them.

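Router(config)#class-map match-any HIGHPRIORITY
! match-any: a packet only has to match one of the protocols below
match protocol http
match protocol pop3
match protocol smtp
! the policy map reserves bandwidth for the class defined above
policy-map HIGHPRIORITY_POLICY
class HIGHPRIORITY
bandwidth X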



X = the total % or the amount in kbs of the bandwidth you want to allow for your traffic, i.e. bandwidth 70 would mean 70% of the total, so if your line was 512kbs then it would mean 358kbs was now for use by traffic matching the HIGHPRIORITY class.

All this is fine, but we still need to apply this to your WAN interface, so just go under the WAN interface and do:

Router(config-if)#service-policy output HIGHPRIORITY_POLICY

That’s it, a simple QoS for your internet connection. The match set is upgraded with each IOS version, so check the router for options.

Sunday, 21 October 2007

Using Netsh with DHCP

You can use Netsh commands for Dynamic Host Configuration Protocol (DHCP) in batch files and other scripts to automate tasks. The following example batch file demonstrates how to use Netsh commands for DHCP to perform a variety of related tasks.

In the circumstance of this example procedure, DHCP-01 is a DHCP server with the IP address 192.168.0.2. The procedure adds a new scope to DHCP-01 with the name MyScope, IP address 192.168.10.0, subnet mask 255.255.255.0, and comment NewScope. It then configures the scope with an address range (192.168.10.1 through 192.168.10.254), an exclusion range (192.168.10.1 through 192.168.10.25), and router IP addresses (DHCP option 003). The scope is then set to an active state.

For more information, see Setting up scopes, Setting up options, and DHCP options

For more information and a complete list of Netsh commands for DHCP, see Netsh commands for DHCP

In the following example procedure, lines that contain comments are preceded by "rem," for remark. Netsh ignores comments. I've also highlighted the commands for you.

===========================================================

rem one DHCP server:
rem (DHCP-01) 192.168.0.2

rem 1. Connect to (DHCP-01), and add the scope MyScope with IP address 192.168.10.0,
rem 1.1 subnet mask 255.255.255.0, and the comment NewScope.
netsh dhcp server 192.168.0.2 add scope 192.168.10.0 255.255.255.0 MyScope NewScope

rem 2. Connect to (DHCP-01 MyScope), and add IP address range 192.168.10.1 to 192.168.10.254 for distribution
rem 2.1 and the default ClientType of DHCP.
netsh dhcp server 192.168.0.2 scope 192.168.10.0 add iprange 192.168.10.1 192.168.10.254

rem 3. Connect to (DHCP-01 MyScope), and add IP exclusion range 192.168.10.1 to 192.168.10.25
rem 3.1 and the default ClientType of DHCP.
netsh dhcp server 192.168.0.2 scope 192.168.10.0 add excluderange 192.168.10.1 192.168.10.25

rem 4. Connect to (DHCP-01 MyScope), and set the value of option code 003
rem 4.1 to list two router IP addresses (10.1.1.1, 10.1.1.2).
netsh dhcp server 192.168.0.2 scope 192.168.10.0 set optionvalue 003 IPADDRESS 10.1.1.1 10.1.1.2

rem 5. Connect to (DHCP-01 MyScope), and set the scope state to active.
netsh dhcp server 192.168.0.2 scope 192.168.10.0 set state 1

rem 6. End example batch file.
===========================================================


The following table lists the netsh dhcp commands that are used in this example procedure.

Command: Description
server: Shifts the current DHCP command-line context to the server that is specified by either its name or IP address.
add scope: Adds a new scope to the specified DHCP server.
scope: Switches the command context to the DHCP scope that is specified by its IP address.
add iprange: Adds a range of IP addresses to the current scope.
add excluderange: Adds a range of excluded addresses to the current scope.
set optionvalue: Sets an option value for the current scope.
set state: Sets or resets the state of the current scope to either an active or inactive state.
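A sanity check for a batch file like the one above, as an added example that is not part of the original post or of Microsoft's documentation: it parses the netsh dhcp lines, counts the addresses left to lease after exclusions, and reports ranges, exclusions or option 003 routers that fall outside the scope's subnet. The function names are hypothetical, and only the five commands used in the batch file are handled.

```python
import ipaddress

# The netsh commands from the post's batch file, reproduced as sample input.
BATCH = """\
rem one DHCP server: (DHCP-01) 192.168.0.2
netsh dhcp server 192.168.0.2 add scope 192.168.10.0 255.255.255.0 MyScope NewScope
netsh dhcp server 192.168.0.2 scope 192.168.10.0 add iprange 192.168.10.1 192.168.10.254
netsh dhcp server 192.168.0.2 scope 192.168.10.0 add excluderange 192.168.10.1 192.168.10.25
netsh dhcp server 192.168.0.2 scope 192.168.10.0 set optionvalue 003 IPADDRESS 10.1.1.1 10.1.1.2
netsh dhcp server 192.168.0.2 scope 192.168.10.0 set state 1
"""

ip = ipaddress.ip_address


def parse_batch(text):
    """Build {scope address: settings} from 'netsh dhcp server ...' lines.

    'rem' lines, blank lines and anything else are skipped.
    """
    scopes = {}
    for raw in text.splitlines():
        tok = raw.split()
        if [t.lower() for t in tok[:3]] != ["netsh", "dhcp", "server"] or len(tok) < 6:
            continue
        args = tok[4:]                      # tok[3] is the server name or address
        low = [a.lower() for a in args]
        if low[:2] == ["add", "scope"]:
            scopes[args[2]] = {
                "net": ipaddress.ip_network(f"{args[2]}/{args[3]}"),
                "name": args[4] if len(args) > 4 else "",
                "ranges": [], "excludes": [], "routers": [], "active": False,
            }
        elif low[0] == "scope" and args[1] in scopes:
            scope, action, rest = scopes[args[1]], low[2:4], args[4:]
            if action == ["add", "iprange"]:
                scope["ranges"].append((ip(rest[0]), ip(rest[1])))
            elif action == ["add", "excluderange"]:
                scope["excludes"].append((ip(rest[0]), ip(rest[1])))
            elif action == ["set", "optionvalue"] and int(rest[0]) == 3:
                scope["routers"] = [ip(v) for v in rest[2:]]
            elif action == ["set", "state"]:
                scope["active"] = rest[0] == "1"
    return scopes


def leasable(scope):
    """Addresses in the ranges minus those excluded.

    Assumes exclusion ranges do not overlap each other.
    """
    total = sum(int(e) - int(s) + 1 for s, e in scope["ranges"])
    for xs, xe in scope["excludes"]:
        for s, e in scope["ranges"]:
            total -= max(0, int(min(xe, e)) - int(max(xs, s)) + 1)
    return total


def check(scope):
    """Return a list of problems found in one scope (empty list = consistent)."""
    net, problems = scope["net"], []
    if not scope["ranges"]:
        problems.append("scope has no address range")
    for s, e in scope["ranges"]:
        if s > e or s not in net or e not in net:
            problems.append(f"range {s}-{e} is not inside {net}")
        elif s == net.network_address or e == net.broadcast_address:
            problems.append(f"range {s}-{e} includes the network or broadcast address")
    for xs, xe in scope["excludes"]:
        if not any(s <= xs <= xe <= e for s, e in scope["ranges"]):
            problems.append(f"exclusion {xs}-{xe} is not inside any range")
    for router in scope["routers"]:
        if router not in net:
            problems.append(f"router {router} (option 003) is outside {net}")
    if not scope["active"]:
        problems.append("scope is not active")
    return problems


if __name__ == "__main__":
    for address, scope in parse_batch(BATCH).items():
        print(f"{scope['name']} {scope['net']}: {leasable(scope)} leasable addresses")
        for problem in check(scope):
            print("  warning:", problem)
```

Run against the batch file as posted, it reports 229 leasable addresses and flags both option 003 routers, because 10.1.1.1 and 10.1.1.2 are not in 192.168.10.0/24.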

Here is a list of DHCP options. I've not had a chance to try them all, but I'm sure you will find them useful anyway.

1 Subnet Mask.
2 Time Offset (deprecated).
3 Router.
4 Time Server.
5 Name Server.
6 Domain Name Server.
7 Log Server.
8 Quote Server.
9 LPR Server.
10 Impress Server.
11 Resource Location Server.
12 Host Name.
13 Boot File Size.
14 Merit Dump File.
15 Domain Name.
16 Swap Server.
17 Root Path.
18 Extensions Path.
19 IP Forwarding enable/disable.
20 Non-local Source Routing enable/disable.
21 Policy Filter.
22 Maximum Datagram Reassembly Size.
23 Default IP Time-to-live.
24 Path MTU Aging Timeout.
25 Path MTU Plateau Table.
26 Interface MTU.
27 All Subnets are Local.
28 Broadcast Address.
29 Perform Mask Discovery.
30 Mask supplier.
31 Perform router discovery.
32 Router solicitation address.
33 Static routing table.
34 Trailer encapsulation.
35 ARP cache timeout.
36 Ethernet encapsulation.
37 Default TCP TTL
38 TCP keepalive interval.
39 TCP keepalive garbage.
40 Network Information Service domain.
41 Network Information Servers.
42 NTP servers.
43 Vendor specific information.
44 NetBIOS over TCP/IP name server.
45 NetBIOS over TCP/IP Datagram Distribution Server.
46 NetBIOS over TCP/IP Node Type.
47 NetBIOS over TCP/IP Scope.
48 X Window System Font Server.
49 X Window System Display Manager.
50 Requested IP Address.
51 IP address lease time.
52 Option overload.
53 DHCP message type.
54 Server identifier.
55 Parameter request list.
56 Message.
57 Maximum DHCP message size.
58 Renew time value.
59 Rebinding time value.
60 Class-identifier.
61 Client-identifier.
62 NetWare/IP Domain Name.
63 NetWare/IP information.
64 Network Information Service+ Domain.
65 Network Information Service+ Servers.
66 TFTP server name.
67 Bootfile name.
68 Mobile IP Home Agent.
69 Simple Mail Transport Protocol Server.
70 Post Office Protocol Server.
71 Network News Transport Protocol Server.
72 Default World Wide Web Server.
73 Default Finger Server.
74 Default Internet Relay Chat Server.
75 StreetTalk Server.
76 StreetTalk Directory Assistance Server.
77 User Class Information.
78 SLP Directory Agent.
79 SLP Service Scope.
80 Rapid Commit.
81 FQDN, Fully Qualified Domain Name.
82 Relay Agent Information.
83 Internet Storage Name Service.

85 NDS servers.
86 NDS tree name.
87 NDS context.
88 BCMCS Controller Domain Name list.
89 BCMCS Controller IPv4 address list.
90 Authentication.
91 client-last-transaction-time.
92 associated-ip.
93 Client System Architecture Type.
94 Client Network Interface Identifier.
95 LDAP, Lightweight Directory Access Protocol.

97 Client Machine Identifier.
98 Open Group's User Authentication.
99 GEOCONF_CIVIC.
100 IEEE 1003.1 TZ String.
101 Reference to the TZ Database.
102
111
112 NetInfo Parent Server Address.
113 NetInfo Parent Server Tag.
114 URL.

116 Auto-Configure
117 Name Service Search.
118 Subnet Selection.
119 DNS domain search list.
120 SIP Servers DHCP Option.
121 Classless Static Route Option.
122 CCC, CableLabs Client Configuration.
123 GeoConf.
124 Vendor-Identifying Vendor Class.
125 Vendor-Identifying Vendor-Specific.

128 TFTP Server IP address.
129 Call Server IP address.
130 Discrimination string.
131 Remote statistics server IP address.
132 802.1P VLAN ID.
133 802.1Q L2 Priority.
134 Diffserv Code Point.
135 HTTP Proxy for phone-specific applications.
136 OPTION_PANA_AGENT.

Saturday, 20 October 2007

To Promote or Demote a Server to a Domain controller

To Promote a Server to a Domain controller you will need to carry out the following:

Click Start, select Run, then type DCPROMO.EXE and press Enter.

You will then be presented with the Active Directory Installation Wizard Window:

Click Next. You will then be presented with the following window:

Select “Additional domain controller for an existing domain”
Click Next.


In the Network Credentials window enter the username and password for a Domain Admin in the domain you're trying to join. Also enter the full DNS domain name.
Click Next.


Note: This step might take some time because the computer is searching for the DNS server.
Although the wizard will let you get to the last window and begin to attempt to join the domain, if you enter the wrong username or password you'll get an error message because of the wrong credentials:

If you enter the domain name in a wrong way you'll get an error message:


In the Additional Domain Controller window type or browse to select the domain to which you want to add the additional DC.


The location of the files is by default %systemroot%\NTDS, and you shouldn't change it unless you have performance issues in mind. Click Next.

The default location of the files is %systemroot%\SYSVOL, and you shouldn't change it.
This folder must be on an NTFS v5.0 partition. This folder will hold all the GPO and scripts you'll create, and will be replicated to all other Domain Controllers.

Click Next.
Enter the Restore Mode administrator's password. You will need this password if you ever need to restore the AD.

Click Next.
You will now be presented with a Summary Screen where you can review your details. If all looks correct click next.


The server will now go through the process of configuring and setting up AD. This can take some time so be patient. You should never click cancel when the server is going through this process, as it can cause serious problems on the server.


If all went well you'll see the final confirmation window.

Click Finish.


You must reboot in order for the AD to function properly.

Click Restart now.


Demoting a Domain Controller
Click Start, select and click on Run, type dcpromo, and then click OK.


This starts the Active Directory Installation Wizard. Click Next.

There is a check box in the Remove Active Directory screen.

If this computer is the last domain controller in the domain, click to select the check box. Otherwise, click Next.

In the next screen, set the password for the administrator account on the server after Active Directory is removed. Type the appropriate password in the Password and Confirm Password boxes, make a note of this password, and then click Next.

In the Summary screen, review and confirm the options you selected, and then click Next.

The wizard begins the process of removing Active Directory from the server. After the process is finished, a message indicates that Active Directory was removed from the computer.

Click Finish to quit the wizard.
Restart the computer.

Wednesday, 3 October 2007

How am I going to manage this network?

When building a network there are some things you should take into account.
How many servers do you have, how many workstations, how many network devices? These can become quite hard to maintain in large numbers, and often you are fire fighting because you don’t know what is happening till it’s too late.

So let’s look at some options to avoid that. One, you could look at the event log in the hope of seeing it before there is a problem… effective, but bad for your eyes, and you will most likely fall asleep looking at it. The more common approach is to use a network monitoring service like SNMP. Most of us will use SNMP, but what you might not have thought of is that you should be using SNMP version 3, as earlier versions send the log in clear text, and this is not good if the log is about a hacker. Sadly only Vista and Windows Server 2008 have this natively, so you will have to get some 3rd party agents for now, but don’t worry, there are plenty of free ones. Also remember SNMP can increase network traffic by 20%, so swap those old hubs and switches for switches and make them 10/100/1000, for god’s sake, we are in the 21st century after all. Ideally go layer 3; if you have a really large network, 300 plus devices in one site, then you are best to look at layer 4.

Also avoid using well-known SNMP community names like public and private, as the hackers will try those names first. So now you have some system logs, and because SNMP is common to Unix, Linux, Windows and most network devices, you have some way of seeing all the events on your network. Now there are some free tools and some paid tools that will help you make sense of the logs, but it is really up to you what you use; just make sure it has an interface you can understand and is on a server so you can look at it remotely. After all, it’s good to work from home, isn’t it?

Also think about the domain structure of your network when picking a solution, as some are not designed to work in multi-domain environments. This may or may not be important to you, however it might be important at a later date; forward planning is always wise.

Next we need a patch management tool; after all, we don’t want to do all those updates by hand, do we… So in the Windows corner we have WSUS3 (Windows Server Update Services version 3), in the other corner we have SMS (Systems Management Server), and just to make it all fair we have ZENworks. Personally I like ZEN best, but that’s just my opinion.

Where you have multiple sites, it’s important not to eat up all your site-to-site links with sending and deploying patches, so try to have a local deployment server at each site, in the same way you do for local authentication to the domain. After all, you never know when you’ll need that bandwidth for playing a LAN game of Counter-Strike, hehehe.

So we now have a way of deploying patches to the servers and workstations. What else do we need… Well, this is the part where common tasks come in, you know, that thing we are supposed to do but never have time for, what do you call it again, “System Maintenance”.

Yes, this is where the real fun begins. Every good administrator should have a pocket full of scripts for backup, reboot and all manner of system jobs we don’t want to stay around for ourselves. Sadly I’m not going to help you here, as scripts will change from system to system, so try to make sure you are running the same OS version at least.

Oh what the hell, here, have a script just for fun. You can run this to copy all the m4a (aka iPod) files to your hidden share on the server and delete the files from the workstation. I have this running on logon. This is good fun when you have those iPod or iTunes users that just won’t take a hint that they should use the company network for storing their music. It takes a while to run in the background because it finds all drives, so if they have their iPod connected you will wipe it too “a little evil smile forms on my face as I type this”

=======================================================
' Run the WMI query on the local computer
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

' Find every .m4a file on every drive WMI can see
Set colFiles = objWMIService. _
ExecQuery("Select * from CIM_DataFile where Extension = 'm4a'")

For Each objFile in colFiles
strCopy = "\\fileserver\Media Archive$\" & objFile.FileName _
& "." & objFile.Extension
' Copy returns 0 on success; only delete the original once the copy exists
If objFile.Copy(strCopy) = 0 Then
objFile.Delete
End If
Next
=======================================================

Remember this is only as good as your desktop usage policy… Oh yes, IT isn’t all fun and games; it was once, but that’s all gone now… So put your law hat on and get ready for one more lesson. Users, the lovely people we are forced to answer the phone to, are just like any other network component: if not correctly configured they will cause network storms. So your patch to the faulty OS is the desktop usage policy. If applied correctly you will be able to stop even a manager dead in his tracks when he asks for something you don’t want to give him. There is far too much in it for me to detail here, so for now know that you don’t have to start from scratch; just do what all good administrators do: Google for one and mod it where needed.

Following up on the making things easier comment: get rid, if you can, of any hardware that is not standard, so you can create standard builds for workstations and deploy them from the network. After all, you wouldn’t want to get out of bed, go all the way to the office and spend 2 hours reinstalling the OS just because that dweeb in accounting messed up his PC again because he found some naked woman site with a virus on it. You can use Microsoft RIS (Remote Installation Services); there are other system imaging tools, so pick the one that is best for you, as some can’t work on newer hardware, so test them before committing.

And one last point: get a VoIP office phone. Welcome to not going to the office except for those dull office meetings.


Ok, I'm off to play Counter-Strike. Good luck with your networks, and remember it's them or us and there can be only one, so kick ass.

Saturday, 29 September 2007

Clustering DHCP

If you have your cluster built already and you plan to run DHCP on the cluster, you will need to perform these steps.

If the DHCP server was not on the cluster before, then you will need to move DHCP to the cluster. This is covered in Moving DHCP in the previous posting, for the export and import routine.

You will need to install DHCP on all the servers in the cluster that you want to run it on, so please follow these steps.
Click Start, click Control Panel, and then double-click Add or Remove Programs.
Click Add/Remove Windows Components.
In the Windows Component Wizard, click Networking Services in the Components box, and then click Details.
Click to select the Dynamic Host Configuration Protocol (DHCP) check box if it is not already selected, and then click OK.
In the Windows Components Wizard, click Next to install the selected components.
Insert the Windows Server 2003 CD into your computer CD drive or DVD drive if you are prompted to do this.
Setup copies the DHCP server and tool files to your computer.
When Setup is complete, click Finish.

Checking the configuration.
Click Start, then click Control Panel, then click Administrative Tools, and double-click Cluster Administrator.
Expand Groups and then Cluster Group. If DHCP_Resource is present then you are done.

If DHCP_Resource is not present you can create it: right-click, choose New, enter the name DHCP_Resource, the resource type DHCP Service and the Cluster Group name, then click Next. Now add the servers in the cluster you want this to run on and click Next. You will need to enter the path of the DHCP database files; this needs to be on the cluster disk so all servers can see it, in this example the E drive:
E:\winnt\system32\dhcp
Enter this path for the Database, Audit and Backup paths and click Finish.

Now right-click on your new resource and click Set resource online.
Now click Start, click Control Panel, click Administrative Tools, double-click DHCP Administrator and create your scope.

Moving DHCP from one server to another.

Export the DHCP database from a server that is running Microsoft Windows Server 2003
To move a DHCP database and configuration from a server that is running Windows Server 2003 to another server that is running Windows Server 2003:

Log on to the source DHCP server by using an account that is a member of the local Administrators group.

Click Start, click Run, type cmd in the Open box, and then click OK.
Type netsh dhcp server export C:\dhcp.txt all, and then press ENTER.
Note You must have local administrator permissions to export the data.


Install the DHCP server service on the server that is running Windows Server 2003
To install the DHCP Server service on an existing Windows Server 2003-based computer:

Click Start, click Control Panel, and then double-click Add or Remove Programs.
Click Add/Remove Windows Components.
In the Windows Component Wizard, click Networking Services in the Components box, and then click Details.
Click to select the Dynamic Host Configuration Protocol (DHCP) check box if it is not already selected, and then click OK.
In the Windows Components Wizard, click Next to install the selected components.
Insert the Windows Server 2003 CD into your computer CD drive or DVD drive if you are prompted to do this.
Setup copies the DHCP server and tool files to your computer.
When Setup is complete, click Finish.

Import the DHCP database
Note You may receive an "access denied" message during this procedure if you are not a member of the Backup Operators group. If you receive an "Unable to determine the DHCP server version for server" error message, make sure that the DHCP Server service is running on the server and that the user logged on is a member of the local Administrators group.
Important Do not use Dhcpexim.exe to import a DHCP database in Windows Server 2003. Additionally, if the target Windows 2003 server is a member server, and if you plan to promote it to a domain controller, we suggest that you perform the DHCP database migration before promoting it to a domain controller. Although you can migrate the DHCP database to a Windows 2003 domain controller, the migration to a member server will be easier because of the existence of the local administrator account.


Log on as a user who is an explicit member of the local Administrators group. A user account in a group that is a member of the local Administrators group will not work. If a local Administrators account does not exist for the domain controller, restart the computer in Directory Services Restore Mode, and use the administrator account to import the database as described later in this section.

Copy the exported DHCP database file to the local hard disk of the Windows Server 2003-based computer.

Verify that the DHCP service is started on the Windows Server 2003-based computer.

Click Start, click Run, type cmd in the Open box, and then click OK.

At the command prompt, type netsh dhcp server import c:\dhcpdatabase.txt all, and then press ENTER, where c:\dhcpdatabase.txt is the full path and file name of the database file that you copied to the server.
Note When you try to export a DHCP database from a Windows 2000 domain controller to a Windows Server 2003 member server of the domain, you may receive the following error message:
Error initializing and reading the service configuration - Access Denied
Note You must have local administrator permissions to import the data.

To resolve this issue, add the Windows Server 2003 DHCP server computer to the DHCP Admins group at the Enterprise level.

If the "access is denied" error message occurs after you add the Windows Server 2003 DHCP server computer to the DHCP Admins group at the Enterprise level that is mentioned in step 4, verify that the user account that is currently used to import belongs to the local Administrators group. If the account does not belong to this group, add the account to that group, or log on as a local administrator to complete the import.

Thursday, 21 June 2007

eMail

One of the most important things to do with email is MX records; I’m surprised how often these are overlooked. An MX record can be an IP address, but most commonly it is an A name record. An A name record, also known as a host record, simply maps a host, i.e. a computer name, to an IP address.

You can have many MX records; the email will always contact the one with the lowest number first and then work its way up. When a query is done, most MX records respond with something like this:

MX preference = 20, mail exchanger = secondary.mail.com
MX preference = 10, mail exchanger = primary.mail.com

And the A name query looks like this

Name: primary.mail.com Address: 205.158.62.116

Now, because there is traffic routing and many other factors that we cannot control, sometimes the mail will go to the second MX, or higher if you have one, because it can’t get to the first. So it’s as important to make sure these mail servers accept the messages as much as the primary one does, otherwise you end up with missing email or failed message deliveries.

You must create at least two independent mail servers on more than one site; using your ISP is often the easiest way.
Also make sure all of the servers listed in the MX records respond for the domains you have.

Tuesday, 5 June 2007

Windows 2003 R2 DHCP Error

There seems to be a bug in the setup where the Windows Firewall is still on after you have run the setup. This blocks DNS and DHCP, and File and Print Sharing is also not enabled as an exception. A quick fix is to create an exception for the BOOTP and DNS server.

Go to the Control Panel and open the Windows Firewall, and on the Exceptions tab click Add Port. You’ll need to do this for both UDP port 53 and UDP port 67, then make sure they are ticked, along with any others you might need like File and Print Sharing.

This bug also comes up on SBS 2003, I recommend rerunning the SBS wizard.

Tuesday, 29 May 2007

Upgrading your Windows SharePoint from SQL 2000 or MSDE to SQL Server 2005

Before we begin

There are eight steps. The three things you should know before you start are: one, the name of your SharePoint databases, and two, the SQL instance you are using.

Step one

First stop the SharePoint sites in IIS. If you’re not sure of them, you can get a list from the SharePoint administration site before you begin.

Step two

Next you’ll need to stop the SharePoint Timer Service. You can do this from the Services MMC (I would suggest you put it on manual till you complete the upgrade).

Step three

Stop the SQL instance that your SharePoint is installed to (for most of you it will be MSSQL$SHAREPOINT) and take the SQL databases from %SystemDrive%\Program Files\Microsoft\SQL Server\MSSQL$SHAREPOINT\data

If you are unsure of the system path you can get it by looking at the properties of the SQL service. Inside the data directory you will find your SQL data; copy these to a safe location. The first databases are normally STS_servername_1.mdf and STS_Config.mdf; you’ll also need the log files STS_servername_1_log.LDF and STS_Config_log.LDF. (Other databases will only exist if you created them, and hopefully you will not forget them when backing up.)

Step four

Now that you have your databases safely copied you can go to Add or Remove Programs and remove the SQL instance, normally labelled “Microsoft SQL Server (Sharepoint)”. Remember the name of the instance, whatever it is, as you will have to use it later when installing SQL 2005.

Step five

Install Microsoft SQL 2005, remembering that you need to do the following: one, install the “Management Tools”, as this option is not selected by default; two, remember to select the instance name that matches the one you removed earlier. (Use Windows Authentication Mode, and use the SQL cluster account or the local system account if you have only one SharePoint server.)

Step six

After the install, open SQL Server Management Studio and connect to your instance. On the right hand side you’ll have the Object Explorer, and under that Security. Create a new login and type the name NT Authority\Network Service; if this name is wrong it will not work.

You also need to give NT Authority\Network Service some roles: right-click on it, select the login properties, click Server Roles and select the dbcreator and securityadmin roles.

Create another login DomainName\SBS SP Admins

Step seven

You need to reattach the databases, so from Microsoft SQL Server Management Studio, under the Object Explorer, right-click on Databases, select Attach, then click Add. You are adding the same databases you made copies of in step three; remember to add STS_servername_1.mdf first, then the config database.

Step eight

Restart the SharePoint Timer Service you stopped in step two, and then lastly restart the sites in IIS. Your upgrade is now complete.

Monday, 28 May 2007

Cisco Privilege Access

Why Privilege access?
The basic username and password gives you access to the router, with maybe an enable password standing between you and doing anything with it. This is fine for a single-user device, but when you want to split the access into roles such as monitoring, administration and remote access, the access of each needs to be defined.

Let’s split this into roles
Administrator: this is level 15, the highest
Support: levels 5/6 are the most common
Monitoring: levels 3/4 are the most common
Remote Worker

The Cisco privilege mode works by allowing the level you set access to the commands you set, and if you don’t set any others they won’t have any others. For example:

Username admin privilege 15 secret password
Username support privilege 6 secret password
Username monitoring privilege 3 secret password
Username vpn privilege 0 secret password

privilege exec all level 3 show
privilege exec level 6 reload
privilege exec level 6 configure

This command means only people with privilege level 6 and higher can perform a reload, but level 3 can use the show command.

You can use lock and key as well. In this example the enable password sets the privilege level, not just the user account, so support or any other user can use the enable command and the password to get level 15 access.

enable secret level 15 password

Username admin privilege 15 secret password
Username support privilege 6 secret password

Here is an example. The admin user has all access to the router.
The monitoring user can issue show commands.
The support user can do the same as the monitoring user, issue change of IP commands on any interface, bring it in and out of shutdown, and lastly restart the router.

Username admin privilege 15 secret password
Username support privilege 6 secret password
Username monitoring privilege 3 secret password

privilege interface all level 6 shutdown
privilege interface all level 6 ip
privilege exec level 6 configure terminal
privilege exec level 6 reload
privilege exec level 3 show

The basic rule you should be thinking of when building your privilege list is to keep in mind what each level should be able to do:

Level 15 – all commands
Level 6 – limited commands
Level 3 – read only
Level 0 – no access

You should now have a basic understanding of privilege levels, and you can explore these commands from here.

Saturday, 12 May 2007

Windows XP Firewall from Domain Policy

BP (best practice) for computers in a domain is to set a domain policy for workstations and laptops by placing them into an OU (organisational unit) for each type.

From AD (Active Directory) create a new GP (group policy) and link it to the OU you want it to apply to, such as Laptops, Workstations or even Servers. Remember that computer components can only be applied to computers and user components to users, so if the computer or user does not sit in that OU the policy will not apply to them.

In the GP you created you will find lots of sub keys; the one we are looking for in this example is:
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall

Under this you have two sub keys, Standard Profile and Domain Profile.

The Domain Profile is the profile that applies to the computer when it is on the domain LAN; the Standard Profile applies to the computer when it is NOT on the domain LAN, i.e. off site or disconnected.

The recommended settings for these policies are as follows:
Enable Protect all network connections – Local and Domain
Enable Define program exceptions – Local and Domain
Enable Allow local program exceptions – Local and Domain
Enable Allow file and printer sharing exception – Domain only
Enable Allow Remote Desktop exception – Domain only
Enable Define port exceptions – Local and Domain
Enable Define local port exceptions – Local and Domain

In the local port and program exceptions you will need to define some rules; if you click on the Show button you will be shown a list of the ones that have already been defined.

Port syntax
6129:TCP:*:enabled:dameware
It breaks down into portnumber:tcp/udp:ip-range:enabled/disabled:portname

Program syntax
%Programfiles%\test.exe:172.16.0.1,172.16.1.1/24:enabled:test program
It breaks down into program-location:ip-range:enabled/disabled:programname
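A parser for the two exception formats above that also flags entries open to every address. This is an added example, not part of the original post; the function names are hypothetical and the scope field is assumed to hold `*`, `localsubnet`, or comma-separated IPv4 hosts and subnets.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class FirewallException:
    kind: str                 # "port" or "program"
    target: str               # port number or program path
    protocol: Optional[str]   # TCP/UDP for ports, None for programs
    scope: List[str]          # normalised scope entries
    enabled: bool
    name: str
    findings: List[str] = field(default_factory=list)


def parse_scope(text):
    """Normalise a scope field and note anything a reviewer should look at."""
    entries, findings = [], []
    for item in (part.strip() for part in text.split(",")):
        if item == "*":
            entries.append("*")
            findings.append("scope '*' accepts traffic from any address")
        elif item.lower() == "localsubnet":
            entries.append("localsubnet")
        else:
            # Raises ValueError when the entry is not an IPv4 host or subnet.
            net = ipaddress.IPv4Network(item, strict=False)
            if "/" in item and item.split("/")[0] != str(net.network_address):
                findings.append(f"{item} has host bits set; read here as {net}")
            entries.append(str(net))
    return entries, findings


def _status(text):
    if text.lower() not in ("enabled", "disabled"):
        raise ValueError(f"status must be enabled or disabled, got {text!r}")
    return text.lower() == "enabled"


def parse_port_exception(entry):
    """Parse portnumber:tcp/udp:ip-range:enabled/disabled:portname."""
    parts = entry.split(":", 4)
    if len(parts) != 5:
        raise ValueError(f"expected 5 fields in {entry!r}")
    port, proto, scope_text, status, name = parts
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"bad port number {port!r}")
    if proto.upper() not in ("TCP", "UDP"):
        raise ValueError(f"bad protocol {proto!r}")
    scope, findings = parse_scope(scope_text)
    return FirewallException("port", port, proto.upper(), scope,
                             _status(status), name, findings)


def parse_program_exception(entry):
    """Parse program-location:ip-range:enabled/disabled:programname."""
    # Split from the right: a path such as C:\Tools\x.exe contains ':' itself.
    parts = entry.rsplit(":", 3)
    if len(parts) != 4 or not parts[0]:
        raise ValueError(f"expected 4 fields in {entry!r}")
    path, scope_text, status, name = parts
    scope, findings = parse_scope(scope_text)
    return FirewallException("program", path, None, scope,
                             _status(status), name, findings)


def widely_exposed(rules):
    """Names of enabled exceptions whose scope admits any address."""
    return [r.name for r in rules if r.enabled and "*" in r.scope]


if __name__ == "__main__":
    # The two sample entries shown in the post.
    rules = [
        parse_port_exception("6129:TCP:*:enabled:dameware"),
        parse_program_exception(
            r"%Programfiles%\test.exe:172.16.0.1,172.16.1.1/24:enabled:test program"),
    ]
    for rule in rules:
        print(rule.kind, rule.name, rule.scope, rule.findings)
    print("open to any address:", widely_exposed(rules))
```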

Thursday, 3 May 2007

Exchange SMTP Problems

Checking your email server setup is very important, because it’s better than having users telling you they are not able to send email, and that's just one reason.

You can check your domain name record by doing a domain name lookup, also called an NSLOOKUP; here is an example lookup.

C:\Documents and Settings\Administrator>nslookup

Default Server: ns.isp.co.uk
Address: 195.186.44.13


> set query=any

> domain.net
Server: ns.isp.co.uk

Address: 195.186.44.13

domain.net
primary name server = server.domain.net
responsible mail addr = admin.domain.net
serial = 2007032026
refresh = 1800 (30 mins)
retry = 900 (15 mins)
expire = 604800 (7 days)
default TTL = 3600 (1 hour)

domain.net nameserver = ns2.isp.co.uk
domain.net nameserver = ns.isp.co.uk
domain.net MX preference = 10, mail exchanger = server.domain.net
domain.net MX preference = 20, mail exchanger = smtp.isp.net
domain.net text = "v=spf1 mx ~all"

ns.isp.co.uk internet address = 195.186.219.229
ns2.isp.co.uk internet address = 195.186.218.7
server.domain.net internet address = 195.186.174.123
smtp.isp.net internet address = 195.186.131.8
>

Now check that your mail server has a reverse domain name record set up; if it doesn’t, then some mail servers such as AOL, Yahoo and others will not accept email from you.

>set query=ptr
>195.186.174.123
Server: [195.186.44.13]
Address: 195.186.44.13
Non-authoritative answer:
123.174.186.195.in-addr.arpa name = server.domain.net

174.186.195.in-addr.arpa nameserver = ns.isp.co.uk
174.186.195.in-addr.arpa nameserver = ns2.isp.co.uk
ns.isp.co.uk internet address = 195.186.219.229
ns2.isp.co.uk internet address = 195.186.218.7
>

Make sure your FQDN (Fully Qualified Domain Name) on the server matches the MX record; you can do this by telnetting to your mail server.

telnet server.domain.net 25

You should see a response like.

220 server.domain.net Microsoft ESMTP MAIL Service, Version: 6.0.3790.3959

If you receive a response like the one below then you’ll need to make some changes as it is also a technical violation of RFC821 4.3 (and RFC2821 4.3.1)

220 domain.net Microsoft ESMTP MAIL Service, Version: 6.0.3790.3959

If you follow all these rules you should be able to email anyone and everyone.
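The three checks above (MX target, reverse record, 220 banner name) combined into one offline consistency check. This is an added example, not part of the original post: the record tables are constructed from the sample lookups shown above, the function names are hypothetical, and it goes one step further than the post by also confirming that the PTR name resolves back to the same address.

```python
import ipaddress

# Constructed records mirroring the sample lookups in the post.
MX = {"domain.net": [(10, "server.domain.net"), (20, "smtp.isp.net")]}
A = {"server.domain.net": "195.186.174.123", "smtp.isp.net": "195.186.131.8"}
PTR = {"123.174.186.195.in-addr.arpa": "server.domain.net"}
GOOD_BANNER = "220 server.domain.net Microsoft ESMTP MAIL Service, Version: 6.0.3790.3959"
BAD_BANNER = "220 domain.net Microsoft ESMTP MAIL Service, Version: 6.0.3790.3959"


def _norm(name):
    """Compare DNS names case-insensitively and without a trailing dot."""
    return name.rstrip(".").lower()


def banner_hostname(banner):
    """Host name announced on the first line of an SMTP 220 greeting."""
    first = banner.splitlines()[0] if banner else ""
    if not first.startswith("220") or len(first) < 5 or first[3] not in " -":
        raise ValueError(f"not a 220 greeting: {first!r}")
    tokens = first[4:].split()
    if not tokens:
        raise ValueError("220 greeting carries no host name")
    return _norm(tokens[0])


def check_mail_host(mx_host, a_records, ptr_records, banner):
    """Return a list of findings for one MX target; an empty list means consistent."""
    host = _norm(mx_host)
    ip = a_records.get(host)
    if ip is None:
        return [f"{host}: MX target has no A record"]

    findings = []
    # reverse_pointer builds the in-addr.arpa name used for the PTR lookup.
    ptr_name = ptr_records.get(ipaddress.ip_address(ip).reverse_pointer)
    if ptr_name is None:
        findings.append(f"{ip}: no PTR record")
    else:
        if _norm(ptr_name) != host:
            findings.append(f"{ip}: PTR names {_norm(ptr_name)}, not {host}")
        if a_records.get(_norm(ptr_name)) != ip:
            findings.append(f"{_norm(ptr_name)}: does not resolve back to {ip}")

    announced = banner_hostname(banner)
    if announced != host:
        findings.append(f"banner announces {announced}, MX record names {host}")
    return findings


def check_domain(domain, mx, a_records, ptr_records, banners):
    """Check every MX target for which a banner was captured: {host: findings}."""
    report = {}
    for _preference, host in sorted(mx.get(domain, [])):
        if host in banners:
            report[host] = check_mail_host(host, a_records, ptr_records,
                                           banners[host])
    return report


if __name__ == "__main__":
    for label, banner in (("good", GOOD_BANNER), ("bad", BAD_BANNER)):
        print(label, check_domain("domain.net", MX, A, PTR,
                                  {"server.domain.net": banner}))
```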

Sunday, 22 April 2007

Cisco PIX NAT

In this example we’ll deal with using a pool of addresses from 195.184.199.3-6.

Define a single outside global address to PAT into:

global (outside) 1 195.184.199.6 netmask 255.255.255.248

Statically translate the inside hosts to public IP addresses. This will convert the traffic from that NAT address to the public IP; you can check that this is working by visiting web sites that display your public IP, but you will not be able to accept inbound traffic to the address yet.

static (inside,outside) 195.184.199.3 "internal IP" netmask 255.255.255.255
static (inside,outside) 195.184.199.4 "internal IP" netmask 255.255.255.255
static (inside,outside) 195.184.199.5 "internal IP" netmask 255.255.255.255

Perform the translation on inside traffic going out (the statics will occur first and all other hosts will be affected by NAT).

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

Then you need to create an access-list that allows outside traffic to hit the public addresses 195.184.199.3 and 195.184.199.4. By default PIX boxes do not accept traffic hitting the public interface, so you have to create the exceptions you need, e.g. allowing HTTP, SMTP and FTP access.

access-list Outside_in permit tcp any host 195.184.199.3 eq 80
access-list Outside_in permit tcp any host 195.184.199.4 eq 25
access-list Outside_in permit tcp any host 195.184.199.3 eq 21

Now apply the access list to the outside interface for it to take effect:

access-group Outside_in in interface outside

Now you have access to the servers on those inbound ports and IPs.

Saturday, 14 April 2007

CRM, SharePoint and Dynamics

SYMPTOMS

One or more users cannot log on to your site.

You have an error in the event log with a source of DCOM. Please note this is just a sample error and the CLSID is unique to each server.

The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {61738644-F196-11D0-9953-00C04FD919C1} to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission can be modified using the Component Services administrative tool.

When you explore the DCOM configuration you find it matches the IIS WAMREG Admin Service and the permissions are correct to start, but still you have this error.

CAUSE

This can relate to NTLM permissions in IIS for that site, or even all sites, stopping the application pool from starting correctly. You can fix this by resetting the NTLM permissions on the IIS server and therefore on the application pool as well.

FIX

Start a command prompt.

Locate and then change to the directory that contains the Adsutil.vbs file. By default, this directory is C:\Inetpub\Adminscripts.

Type the following command, and then press ENTER:

cscript adsutil.vbs set w3svc/NTAuthenticationProviders "NTLM"

To verify that the NtAuthenticationProviders metabase property is set to NTLM, type the following command, and then press ENTER:

cscript adsutil.vbs get w3svc/NTAuthenticationProviders

The following text should be returned:

NTAuthenticationProviders : (STRING) "NTLM"

Now clear your event log and restart your server; when it starts up you should have a clean event log.

Friday, 13 April 2007

Externally accessing OWA (Outlook Web Access)

You may have checked that NTLM is correct and you can log on to other sites, but not to OWA.

Option One
The first thing you can try is to install fix 831464 - FIX: IIS 6.0 Compression Corruption Causes Access Violations however this might not work.


Option Two
Clear the IIS server files by going to your Windows\IIS Temporary Compressed Files directory.

Select all of the content in this directory and delete it, then either go to a command prompt and type "iisreset", or open the IIS MMC and restart it from there.

And lastly you must make sure you clear the browser history and cache, then retry logging on.

Thursday, 12 April 2007

Using SSH on Cisco Routers

In the days we live in you never know who is monitoring traffic on your LAN, your WAN or just the plain internet.

You still want to administer your routers and switches without someone logging your password. Since telnet sends the username and password in clear, unencrypted text, it’s not very secure; the answer is to use SSH (Secure Shell), and to do this you will need to set up SSH on your router or switch.

To start you will need to log in and get to enable mode.

We are going to give the router in our example the name gatekeeper.cisco.com

hostname gatekeeper

Now your router or switch is called gatekeeper; personally I would use something a bit more inventive. Next we need to set the domain; normally this would be your domain, but in this example it is cisco.com

ip domain-name cisco.com

Now you need an encryption level; the recommended key size is 1024 bit but you can use between 512 and 2048. For this example we’ll use 1024

crypto key generate rsa general-keys modulus 1024

Next we will set the SSH timeout to 60 seconds, the time allowed to log in with username and password before the session times out; the max setting for this is 120 seconds, or 2 minutes in English.

ip ssh timeout 60

And last of all we’ll set the number of password tries before it disconnects the user, in this example 3

ip ssh authentication-retries 3

And that’s how simple it is; the only thing that remains is to use an SSH client. You can find many of them around for all platforms; I personally quite like PuTTY.

You can also use the show ssh and show ip ssh commands

show ssh shows the active sessions

show ip ssh shows the status and version running on the router

Sunday, 8 April 2007

Cisco Access lists part 2

OK, last time we looked at access lists for blocking and permitting traffic. Now we’ll look at their uses with the route-map command; we are going to cover some NAT (Network Address Translation) and even some VPN, so let’s look at how access lists can help with NAT.

This is the basic network address translation command; note how it looks to list 1 for the IP range to translate.


ip nat inside source list 1 interface Dialer0 overload


access-list 1 remark The local LAN.
access-list 1 permit 192.168.1.0 0.0.0.255


Now let’s look at another kind of NAT, using a route-map to select the IP range to translate. The route map is named NONAT; in this case it defines a list of addresses not to be translated to the outside world. In this example traffic heading to the 192.168.55.0 subnet does not enter the public internet, but all other traffic does.

ip nat inside source route-map NONAT interface Dialer0 overload

route-map NONAT permit 10
match ip address 125

access-list 125 deny ip 172.16.0.0 0.0.0.255 192.168.55.0 0.0.0.255
access-list 125 permit ip 172.16.0.0 0.0.255.255 any


Now we’ll have a look at the role access lists play in a VPN. First of all you need encryption; in this case I’ve decided on 3DES, and on pre-shared keys so that the encryption password is not sent over the public internet.

crypto isakmp policy 2
encr 3des
authentication pre-share
group 2

crypto isakmp key ENA8LE address 195.168.235.17 no-xauth

crypto ipsec transform-set My-VPN esp-3des esp-md5-hmac


Now that you have picked an encryption type you need to use it. Below there is a statement to use the encryption type and the peer IP address; the only thing left to define is which addresses are public and which are private. This is defined by the match address command, which here matches list 110; since we’re still using NAT, we also have list 105 for all other translations.

crypto map cm-cryptomap 110 ipsec-isakmp
set peer 195.168.235.17
set transform-set My-VPN
match address 110

ip nat inside source list 105 interface Dialer0 overload

access-list 105 remark Traffic to NAT
access-list 105 deny ip 172.16.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 105 permit ip 172.16.1.0 0.0.0.255 any

access-list 110 remark Site to Site VPN
access-list 110 permit ip 172.16.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 110 deny ip 172.16.1.0 0.0.0.255 any


Now you see how an access list fits into a VPN and NAT. This still doesn’t explore their full range of abilities, as there are many other functions they can be used with as well, such as routing protocols and rate limiting.
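A small first-match evaluator for the wildcard-mask lists 125, 105 and 110 above, useful for checking which flows are translated, tunnelled or neither before the config goes on a router. This is an added example, not part of the original post; the function names are hypothetical, only `ip` entries are handled, and it assumes NAT is evaluated before the crypto map on outbound traffic.

```python
import ipaddress

# The extended lists exactly as they appear in the post.
CONFIG = """
access-list 125 deny ip 172.16.0.0 0.0.0.255 192.168.55.0 0.0.0.255
access-list 125 permit ip 172.16.0.0 0.0.255.255 any
access-list 105 remark Traffic to NAT
access-list 105 deny ip 172.16.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 105 permit ip 172.16.1.0 0.0.0.255 any
access-list 110 remark Site to Site VPN
access-list 110 permit ip 172.16.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 110 deny ip 172.16.1.0 0.0.0.255 any
"""


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _take(tokens):
    """Consume one address spec and return ((base, wildcard), remaining tokens)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0), tokens[2:]
    return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]


def parse_acls(text):
    """Return {acl_number: [(action, src_spec, dst_spec), ...]} in config order."""
    acls = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
            continue  # blank lines and remarks
        if tok[3] != "ip":
            raise ValueError(f"only 'ip' entries are handled: {line!r}")
        src, rest = _take(tok[4:])
        dst, _ = _take(rest)
        acls.setdefault(tok[1], []).append((tok[2], src, dst))
    return acls


def _matches(addr, spec):
    base, wildcard = spec
    # A wildcard bit of 1 means "don't care"; every other bit must equal the base.
    return ((addr ^ base) & ~wildcard & 0xFFFFFFFF) == 0


def evaluate(acl, src, dst):
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for action, src_spec, dst_spec in acl:
        if _matches(_ip(src), src_spec) and _matches(_ip(dst), dst_spec):
            return action
    return "deny"


def classify(acls, nat_acl, vpn_acl, src, dst):
    """'nat' if the NAT list permits, else 'tunnel' if the crypto list permits."""
    if evaluate(acls[nat_acl], src, dst) == "permit":
        return "nat"
    if evaluate(acls[vpn_acl], src, dst) == "permit":
        return "tunnel"
    return "neither"


if __name__ == "__main__":
    acls = parse_acls(CONFIG)
    # List 125: the deny covers 172.16.0.0/24 only, the permit covers 172.16.0.0/16.
    for src in ("172.16.0.10", "172.16.1.10"):
        print("list 125", src, "-> 192.168.55.20:",
              evaluate(acls["125"], src, "192.168.55.20"))
    for dst in ("192.168.0.9", "203.0.113.7"):
        print("172.16.1.5 ->", dst, classify(acls, "105", "110", "172.16.1.5", dst))
```

Run against list 125 as written, a host in 172.16.1.0/24 sending to 192.168.55.0/24 is still translated, because the deny entry uses a 0.0.0.255 wildcard while the permit entry uses 0.0.255.255.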

Saturday, 7 April 2007

Cisco Access-lists

An access list on a Cisco is a way of bunching together IPs and ports into a Do and Do Not list, and a Where To Go and Not Go list.

Note all of the commands used in this example are for IOS 12.4.
Let’s begin with the most basic of access lists, standard IP access lists. These are numbered between 1 and 99 and are most commonly used to permit and deny telnet access to the router, and in NAT (Network Address Translation) commands and route maps.

First we’ll show an example of putting an access list on the router to allow telnet to it only from permitted locations, in this case the local LAN (Local Area Network) and the Remote Admin Office.

Create the access list.

access-list 2 remark The local LAN.
access-list 2 permit 172.16.1.0 0.0.0.255

access-list 2 remark Remote Admin Office.
access-list 2 permit 195.184.235.17


Now tell it to use the access list for remote connections

line vty 0 4
access-class 2 in

Now only people on the LAN and at the remote IP can access the router. Next let’s look at building an access list for traffic from the internet to the router. For this we want to control the network using TCP/UDP ports and ICMP; you do this by using numbered access lists 100 to 199 and/or 2000 to 2699. Your interface may change depending on how you’re connected, for example if you’re using ATM (Asynchronous Transfer Mode) terminated on RJ11. There are other kinds of termination, but for this example I’m going to use PPPoA (Point-to-Point Protocol over ATM) because that’s what we use here in England for ADSL (Asymmetric Digital Subscriber Line).

access-list 101 remark permit domain lookups
access-list 101 permit udp any eq domain any

access-list 101 remark permit web browsing lookups
access-list 101 permit tcp any eq 80 any

access-list 101 remark permit SSH
access-list 101 permit tcp any any eq 22

access-list 101 remark permit telnet
access-list 101 permit tcp any any eq telnet

access-list 101 remark deny ping to your router but not from it
access-list 101 deny icmp any any echo

access-list 101 remark deny all other traffic and log it
access-list 101 deny ip any any log

Now you have to set the interface this applies to, in this case dialer0

interface dialer0
ip access-group 101 in

Now that you have a list you might need to debug it from time to time.

If you’re watching the console you can see traffic by using the terminal monitor command; from your deny log you can see things like this:

01:05:28: %SEC-6-IPACCESSLOGP: list 101 denied tcp 24.118.18.108(37845) -> 195.184.85.134(62227), 1 packet

To help you debug this I’ll translate for you.
The message reads: the time, then the IP log tag, then the number of the access list (in this case 101), then the status of the data (denied), the protocol (in this case TCP), the IP it came from and its port number, then the destination, i.e. your router, and the port number it was going to on your router.

So this reads: access-list 101 stopped TCP from 24.118.18.108 on port 37845 to 195.184.85.134 on port 62227.
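The same field-by-field reading done in code, with a summary of denied traffic per source so a host probing many ports stands out. This is an added example, not part of the original post; apart from the first line, which is the one shown above, the log lines are constructed samples and the function names are hypothetical.

```python
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"(?P<time>\S+): %SEC-6-IPACCESSLOGP: list (?P<acl>\S+) "
    r"(?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# First line is from the post; the rest are constructed for the example.
SAMPLE_LOG = """\
01:05:28: %SEC-6-IPACCESSLOGP: list 101 denied tcp 24.118.18.108(37845) -> 195.184.85.134(62227), 1 packet
01:05:31: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.9(40001) -> 195.184.85.134(3389), 1 packet
01:05:32: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.9(40002) -> 195.184.85.134(135), 2 packets
01:05:33: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.9(40003) -> 195.184.85.134(445), 1 packet
01:05:40: %SEC-6-IPACCESSLOGP: list 101 denied udp 198.51.100.7(5353) -> 195.184.85.134(161), 4 packets
01:06:02: %LINK-3-UPDOWN: Interface Dialer0, changed state to up
"""


def parse_line(line):
    """Return the fields of one IPACCESSLOGP message, or None for other lines."""
    match = LOG_RE.search(line)
    if match is None:
        return None
    record = match.groupdict()
    for key in ("sport", "dport", "count"):
        record[key] = int(record[key])
    return record


def summarise(lines, port_threshold=3):
    """Total denied packets and distinct destination ports per source address.

    Returns (per_source, flagged): flagged lists the sources that were denied
    on at least port_threshold different protocol/port pairs.
    """
    per_source = defaultdict(lambda: {"packets": 0, "ports": set()})
    for line in lines:
        record = parse_line(line)
        if record is None or record["action"] != "denied":
            continue
        entry = per_source[record["src"]]
        entry["packets"] += record["count"]
        entry["ports"].add((record["proto"], record["dport"]))
    flagged = sorted(src for src, entry in per_source.items()
                     if len(entry["ports"]) >= port_threshold)
    return dict(per_source), flagged


if __name__ == "__main__":
    sources, flagged = summarise(SAMPLE_LOG.splitlines())
    for src, entry in sorted(sources.items()):
        print(src, entry["packets"], "packets,", len(entry["ports"]), "ports")
    print("denied on many ports:", flagged)
```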

In the extended IP access lists (100-199, 2000-2699) you can use ports, hosts, IP ranges and times; in the standard IP group (1-99) you can only use hosts and IP ranges.

For those of you reading closely, you’ll have noticed I said time ranges without having given you an example; well, that’s because we’ve not got that far yet. I strongly recommend, if you’re not 100% sure what traffic you’re looking to allow and block, that you read up on the 7-layer ISO model right now.

OK, now that I’ve mentioned time lists I might as well continue. Yes, not only can you block ports and ranges, you can make exceptions based on times of day or even day of the week. Make sure your router time is set up right, or is using your network time server, or you may have some interesting cut-off times.

time-range no-http
periodic weekdays 8:00 to 18:00

time-range udp-yes
periodic weekend 12:00 to 20:00

access-list 102 deny tcp any any eq 80 time-range no-http
access-list 102 permit udp any any time-range udp-yes

interface ethernet0
ip access-group 102 in

Now you begin to see how you can use even times of day to permit traffic or access; you might deny FTP and Telnet sessions after work hours so you know someone is not trying to access your network while you’re at home.

And there is something else you can do with access lists: you can name them to make them more friendly. This is useful if you don’t like numbers much, so here are some more examples.


Example one

ip access-list standard prevention
deny 171.69.0.0 0.0.255.255

interface ethernet0/1
ip access-group prevention in


Example two

time-range no-http
periodic weekdays 8:00 to 18:00

time-range udp-yes
periodic weekend 12:00 to 20:00

ip access-list extended strict
deny tcp any any eq http time-range no-http
permit udp any any time-range udp-yes

interface ethernet0
ip access-group strict in

This covers most of the basic access lists. There is one last thing to think of: we have been looking at traffic entering an interface, but you can also control the traffic leaving the interface; in fact you can do both at the same time.

ip access-list extended internet
permit udp any any eq non500-isakmp
permit udp any any eq isakmp
permit esp any any
permit tcp any any eq 1723
permit gre any any
permit tcp any any eq 22
permit tcp any any eq telnet
deny icmp any any echo
deny ip any any log

ip access-list extended lan-network
permit tcp any any eq 80
permit udp any any eq 53
deny ip any any log

interface dialer0
ip access-group internet in
ip access-group lan-network out

This brings an end to our talk about access lists today; I hope to write more on access lists in the coming month.

If you have questions on this feel free to drop me a line; I’m also open to suggestions on how to make this more user friendly to understand.

Thursday, 5 April 2007

Securing your web server

OK, for anyone that hasn’t yet read or understood the basics of protecting your web server, here are some rules.
One: if anyone other than you can see the web server on non-public ports such as Microsoft SQL, MySQL, NetBIOS, Telnet, SSH and RDP, then there is a risk of being hacked or attacked by viruses, worms or denial of service attacks.
If your web server sits on your company LAN, your system administrator will most likely have taken steps to secure it from attacks, but when it is off site you must take some kind of protection. Most co-locations or hosted servers have some form of firewall, but not all; also, if you’re like me and trust no one, not even your ISP, then there are some more things you can consider.
First Way
Make sure only the ports you want the external public to see, i.e. HTTP and HTTPS, are open. You can do this in a few ways. With Windows you can configure the network adapter to allow only ports 80 and 443; this may cause some problems with logon and other services. The way around this is to add a virtual adapter, i.e. the Microsoft Loopback Adapter, so that other services that need to interact with the OS can use that adapter and not the physical adapter and IP. The only problem is that this also prevents access to the server from any other locations, making it very secure but hard to update or fix remotely.
Second Way
You can use a firewall device to limit the traffic to the web server and provide VPN access to the local LAN, allowing you to update and make changes without compromising the security of the server. I personally use either a Cisco PIX or a Cisco LAN router for this, but I know most of you will use what you know best.
These are not the only ways, and this is far from a complete list.

Monday, 2 April 2007

Network Control

Here is a good rule to remember: if it’s made it to the server, it’s got too far.

Let’s look at what that means. The easiest way is to imagine you are a dangerous data packet. If you come from the internet, we want to know you’re not going to get to the server where you might do some harm, so the first and last point you should reach is the firewall. But what if you make it past that? Is there anything else to stop you? 9 times out of 10 the answer is no. But let’s imagine for a second you don’t come from the internet; let’s imagine you come from the local LAN… Has this just filled you with a feeling of doom and dread? Well, if it has you’re not alone; this is often overlooked.

Here is a quick check list for you.

1. How many protocols are you running? IPX, AppleTalk, NetBIOS, TCP/IP: first see if you can reduce the number to one where possible, as it will make your life easier. Most hardware uses TCP/IP, so this isn’t a question that comes up much these days.

2. What are the ports you really need open for your services to run? Try to make a list, and then note what servers and services they relate to. ICMP, SMTP, TFTP, FTP, POP, HTTP, HTTPS, SMB, RPC, RDP, TELNET and SNMP are the most widespread.

3. Are you running two or more network adapters? Can you allow one type of permitted traffic on the LAN and another type for the internet?

4. Can you move the servers to a safe zone like a DMZ (demilitarized zone) so even LAN traffic is checked by the firewall? This might sound a bit extreme; nevertheless it’s a good way to protect them from all kinds of DoS (denial of service) attacks.

Now you’re thinking this is all very extreme and only for the big boys in the blue chip companies and PLCs. Well, believe it or not, I’m talking about a small 20-user company with ADSL and Windows 2003 on one, maybe two servers. Shock horror, I’m talking about your size of business! Well, if you’re reading this then yes, I most likely am talking about your business, and if you’re from a big blue chip or PLC don’t be shy; if you need help just drop me a line, I never tell anyone who I’ve worked for.

Monday, 26 March 2007

Malware

Malware is software designed to infiltrate or damage a computer system, without the owner's consent. The term is a portmanteau of "mal-" (or perhaps "malicious") and "software", and describes the intent of the creator, rather than any particular features. Malware is commonly taken to include computer viruses, worms, Trojan horses, spyware and adware. In law, malware is sometimes known as a computer contaminant, for instance in the legal codes of California, West Virginia, and several other U.S. states [1].
Malware should not be confused with defective software, that is, software which has a legitimate purpose but contains errors or bugs.

Purposes
Over the years, people have written malicious software for a number of different purposes.
Many early infectious programs, including the Internet Worm and a number of MS-DOS viruses, were written as experiments or pranks -- generally intended to be harmless or merely annoying, rather than to cause serious damage. Young programmers, learning about the possibility of viruses and the techniques used to write them, might write one just to prove that they can do it, or to see how far it could spread.
A slightly more hostile intent can be found in programs designed to vandalize or cause data loss. Many DOS viruses were designed to destroy files on a hard disk, or to corrupt the file system by writing junk data. Network-borne worms such as the Code Red worm or Ramen worm fall into the same category. Designed to vandalize Web pages, these worms may seem like an online equivalent of graffiti tagging, with the author's name or affinity group appearing everywhere the worm goes.
Revenge is sometimes a motive to write malicious software. A programmer or system administrator about to be fired from a job may leave behind backdoors or software "time bombs" that will allow them to damage the former employer's systems or destroy their own earlier work.
However, since the rise of widespread broadband Internet access, a greater portion of malicious software has been focused strictly on a profit motive. For instance, since 2003, the majority of widespread viruses and worms have been designed to take control of users' computers for black-market exploitation. Infected "zombie computers" are used to send email spam, to host contraband data such as child pornography, or to engage in distributed denial-of-service attacks as a form of extortion.
Another strictly for-profit category of malware has emerged in spyware -- programs designed to monitor users' Web browsing, display unsolicited advertisements, and redirect affiliate marketing revenues to the spyware creator. Spyware programs don't spread like viruses; usually they are installed by exploiting browser security holes, or are installed like a Trojan horse when the user installs other software.

Infectious malware: viruses and worms
The best-known types of malware, viruses and worms, are known for the manner in which they spread, rather than any other particular behavior. Originally, the term computer virus was used for a program which infected other executable software, while a worm transmitted itself over a network to infect computers. More recently, the words are often used interchangeably.
Today, some draw the distinction between viruses and worms by saying that a virus requires user intervention to spread, whereas a worm spreads automatically. This means that infections transmitted by email, which rely on the recipient opening an attachment to infect the system, are classified as viruses.

Trojan horse (computing)
In the context of computer software, a Trojan horse is a malicious program that is disguised as or embedded within legitimate software. The term is derived from the classical myth of the Trojan Horse. They may look useful or interesting (or at the very least harmless) to an unsuspecting user, but are actually harmful when executed.
Often the term is shortened to simply trojan, even though this turns the adjective into a noun, reversing the myth (Greeks were gaining malicious access, not Trojans).
There are two common types of Trojan horses. One is otherwise useful software that has been corrupted by a cracker inserting malicious code that executes while the program is used. Examples include various implementations of weather alerting programs, computer clock setting software, and peer to peer file sharing utilities. The other type is a standalone program that masquerades as something else, like a game or image file, in order to trick the user into some misdirected complicity that is needed to carry out the program's objectives.
Trojan horse programs cannot operate autonomously, in contrast to some other types of malware, like viruses or worms. Just as the Greeks needed the Trojans to bring the horse inside for their plan to work, Trojan horse programs depend on actions by the intended victims. As such, if trojans replicate and even distribute themselves, each new victim must run the program/trojan. Therefore their virulence is of a different nature, depending on successful implementation of social engineering concepts rather than flaws in a computer system's security design or configuration.





Zombie computer
A zombie computer, abbreviated zombie, is a computer attached to the Internet that has been compromised by a security cracker, a computer virus, or a trojan horse. Crackers almost always target the Windows operating system because of its vast user base, security problems and perceived lack of technical savvy of its users. Generally, a compromised machine is only one of many in a "botnet", and will be used to perform malicious tasks of one sort or another under remote direction. Most owners of zombie computers are unaware that their system is being used in this way. Because the vector tends to be unconscious, these computers are metaphorically compared to a zombie.


Infected zombie computers — predominantly Windows PCs — are now the major delivery method of spam.
Zombies have been used extensively to send e-mail spam; between 50% and 80% of all spam worldwide is now sent by zombie computers. This allows spammers to avoid detection and presumably reduces their bandwidth costs, since the owners of zombies pay for their own bandwidth.
For similar reasons zombies are also used to commit click fraud against sites displaying pay per click advertising.
Zombies have also conducted distributed denial of service attacks, such as the attack upon the SPEWS service in 2003.

Spam Prevention Early Warning System
The Spam Prevention Early Warning System (SPEWS) is an anonymous service which maintains a list of IP address ranges belonging to Internet service providers which host spammers and show little action to prevent their abuse of other networks' resources. It is used by numerous Internet sites as a source of information about the senders of unsolicited bulk email, better known as spam.

SPEWS itself publishes a large text file containing its listings, and operates a database where users may query the reasons for a listing. Users of SPEWS can reprocess these data into formats usable by software for stopping spam.

For instance, until recently many mail sites used a DNSBL based on SPEWS data, operated at spews.relays.osirusoft.com. This DNSBL was shut down on August 27, 2003 after several weeks of denial of service attack. A number of other DNSBLs exist based on the SPEWS data, which remain accessible to the public.

There is a certain degree of controversy regarding SPEWS' anonymity and its methods. SPEWS remains anonymous to avoid harassment and barratrous lawsuits of the sort which have hampered other anti-spam services such as the MAPS RBL and ORBS. Some regard this anonymity as irresponsible, while others find it sensible. In addition, many ISP clients whose providers are listed on SPEWS take umbrage that their own IP addresses are associated with spamming, and that their mail may be blocked by users of the SPEWS data.
The social issues of who do I allow to send me data remain unresolved for now but one thing that we are all sure of is that it can not continue in its current form, as software writers struggle to come to grips with business relationships to establish what is safe, a yet large problem remands with