Saturday, February 22, 2014

Following Locked Accounts to Find a Conficker Infection

I recently had several users reporting that they were unable to log in because their accounts had been locked out.  This perplexed me, because we have really lax account lockout policies.  There's no way one user, much less a bunch of users, could have tried enough wrong passwords to actually lock their accounts all on the same day.  Something fishy was going on and it was going to require some investigation.

I started with the Account Lockout Tools from Microsoft.  You can find those here, http://www.microsoft.com/en-us/download/details.aspx?id=18465

After you download and install them, you'll have to go find the files; they don't add icons to the Start Menu for you.  The default install location for the files is C:\Program Files\Windows Resource Kits\Tools.  The one you'll want to run is lockoutstatus.exe.

When you run the lockoutstatus utility you'll provide it with the username and domain of an account that has been locked out.  The utility will query all of your domain controllers and list which one the account was locked out on, along with the time of the lockout.

Once you know which DC it was locked out on, open the Event Viewer on that server and check the Security log.  If your server logs are like mine then there are a bunch of events listed.  To make things easier, filter the log to only show Event ID 4740.

If you've got a machine infected with Conficker like I did, you'll probably have a lot of these User Account Locked events.  Technically, it could be an individual or organization trying to hack your system too.  But in my experience and in this environment it's usually some kind of virus doing it.

Most of the events had time stamps really close together.  I looked through the logs around the time of the lock event reported by the lockoutstatus tool and found where that user account had been locked.  This event and the others were a red flag that something was going on, as this lock event and several of the others were happening in the middle of the night.  That wasn't all though; the lockout events were scattered all over the day.

Now, let's use this information to track down our Conficker-infected machine.  Open up one of these events, scroll down in the General tab, and look for the Additional Information section at the bottom.  What you want to find is the Caller Computer Name; this will be your infected machine.
Event ID 4740, look for the Caller Computer Name

You might also want to scroll through and look at several of the events to see if they're all coming from the same machine.  In my case I actually had 3 old machines that hadn't been patched correctly and were infected.
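A way to do those Event Viewer steps in bulk, as an added example that is not from the original post: it reads the 4740 events from the DC that lockoutstatus.exe reported and groups them by Caller Computer Name, so a machine locking out many different accounts stands out.  The -DomainController and -Hours parameters and the Get-EventField helper are my own names, not part of any Microsoft tool.

```powershell
# Added example (not from the original post): list Event ID 4740 lockouts on a DC and
# group them by Caller Computer Name. Assumes rights to read the DC's Security log.
param(
    [string]$DomainController = $env:COMPUTERNAME,   # DC named by lockoutstatus.exe
    [int]$Hours = 24                                 # how far back to look
)

# Pull one named field out of the event's EventData XML. In a 4740 event the locked
# account is TargetUserName and the "Caller Computer Name" shown in Event Viewer
# is carried in the TargetDomainName field.
function Get-EventField([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event, [string]$Name) {
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$events = Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

$lockouts = foreach ($e in $events) {
    [pscustomobject]@{
        Time   = $e.TimeCreated
        User   = Get-EventField $e 'TargetUserName'
        Caller = Get-EventField $e 'TargetDomainName'
    }
}

# One caller locking out many different accounts, spread across the day and night,
# is the pattern described in the post; those machines go to the top of the list.
$lockouts | Group-Object Caller | Sort-Object Count -Descending | ForEach-Object {
    $times = $_.Group.Time | Sort-Object
    [pscustomobject]@{
        CallerComputer = $_.Name
        Lockouts       = $_.Count
        DistinctUsers  = ($_.Group.User | Sort-Object -Unique).Count
        FirstSeen      = $times[0]
        LastSeen       = $times[-1]
    }
} | Format-Table -AutoSize
```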

One of the easiest and fastest ways to verify a Conficker infection is to use the Conficker Eye Chart.  Yes, it has a ridiculous name, but it's simple, fast, and it works.  If you haven't used it before, it just loads a web page that pulls images from the major security vendors.  Since Conficker blocks access to those domains, you can tell from which images load and which ones don't whether you're infected, and possibly by which variant.

Once I had confirmed that it was Conficker, I ran the Microsoft Malicious Software Removal Tool to remove the infection.

This sounds like a long process, but don't get discouraged; in reality it flows pretty quickly.

Friday, February 14, 2014

A New Chromebox from Dell?

I swear this blog isn't just about Chrome devices, there's just been so much news about them lately and they're such a good fit for education.

It looks like Dell may be preparing to release a Chromebox.  They may have gotten to the Chromebook party really late but it looks like they might show up at the Chromebox party pretty close to everyone else.  Well, I guess technically Samsung has had a Chromebox out for years, but one person doesn't make a party.  They were just really early, because it seems like the Chromebox party is just starting.

I haven't seen any direct press from Dell about a standalone Chromebox, but I've seen Dell mentioned several times as being one of the providers of the Chromebox for Meetings* hardware.  In fact, here is Dell's own press release where they mention that they are developing a Dell Chromebox for meetings.  Surely if they're developing one for meetings they'll develop one that's not just for meetings.... You know, one that's good for regular day to day use, too.

If you happen to be stuck in a Dell only shop, it looks like you will not be left high and dry when it comes to Chromeboxes.

It looks like the Chromebox vendors are starting to really line up.  It seems like Samsung has had one forever (they're on their 2nd generation) and now HP, Asus, and Dell are going to be releasing models.


*Just in case you missed the "Chromebox for Meetings" news, I'm not kidding, they really chose to call it Chromebox for Meetings, here's a link to the Google page to prove it:
http://www.google.com/intl/en/chrome/business/solutions/for-meetings.html

Wednesday, February 12, 2014

VDI and Chromebooks

VDI, Virtual Desktop Infrastructure, right? In the K-12 market it hasn't made a whole lot of sense.  There are some good use cases for it (customized lab environments anyone?), but the cost of maintaining it hasn't made sense.  The dollar cost and the manpower cost, too.  Traditionally, school technology departments have been understaffed.

VDI falls into the category of nice to have, but not very feasible to implement.  The obvious problem is cost.  You want me to deploy $300+ thin clients?  Wait, I'm getting fully functional refurbished computers for $300 or $500 (depends on the model).  Ok, so just deploy those desktops and then use them as clients.  That would work... Except now we're maintaining a bunch of desktops and a bunch of virtual machines.  Remember what I said about the manpower cost?  We're already under staffed as it is, who's going to keep all of those machines up and running?

That's where the Chromebooks come into play.   They can be had for less than $300, which makes them cheaper than thin clients.  And those are even portable in a laptop form factor too.  How about desktops?  That hasn't been as cheap until just recently (see my post here http://practicalschooltech.blogspot.com/2014/02/an-affordable-chromebox-finally.html).  Combine that $179 Chromebox with a monitor, keyboard, and mouse and now you've got a full thin client for around $300 too.

You might be wondering now, what's the big deal?  Now you've got to maintain all of those Chrome devices and the VDI.  Chrome devices don't have that much administrative overhead.  They patch themselves, there's no software to install, and a reboot fixes most problems.  Still got problems?  Swap one Chrome device for another; all the user's stuff follows their login so it's seamless to them, and work on the malfunctioning device on your own schedule.  The users are happy and the tech staff is happy too.

This sounds good in theory, but how feasible is it, and how well does it work in practice?  I agree with the theory, and in practice I don't know, because I haven't tried it yet.  But the feasibility has been a real question wandering around in my mind.  Sure, there were remote clients available for the Chrome devices, but nobody had a whole package put together to build VDI and use a Chrome device as a client.  Was I missing something?  Was it just so obvious nobody had done it?  Was it not possible?  Did it just not work very well?

Since I don't have any VDI infrastructure in place I couldn't really test how well it worked in practice.  I've remoted into hundreds of machines from my Chromebook, using both VNC and RDP.  I haven't had any problems there, but I'm not a typical end user.  I know the addresses of the machines that I'm connecting to, and I'm so used to minor hiccups that my mind just glosses right over them and I don't even notice them anymore.  Without actually having all the pieces to try it myself, I needed to see someone else doing it, or at least trying it.

That's when I stumbled upon Citrix's VDI-in-a-Box setup.  Specifically, their HTML5 Receiver (which, ironically, specifically targeted Chrome at first, but now they've switched to HTML5).  Here's a post from Citrix themselves talking about it, http://blogs.citrix.com/2013/12/05/new-in-vdi-in-a-box-5-4-built-in-html5-receiver/, so check it out.  The first use case they mention is "schools"; in fact that's the opening word of the post.  Exactly what I was looking for, somebody that was trying to put the pieces together.  Now I've just got to get my hands on a demo copy of VDI-in-a-Box so I can try it out and see how it works.

Anybody out there had any experience with this yet?

Tuesday, February 11, 2014

Linksys Router Demo pages

A little bit off topic for practical school tech, but if you're here you can probably appreciate the technical nature of this post.

Ever try walking a friend through a router setup remotely?  Usually if you're doing this they don't have working internet so screen sharing is out.  Find yourself saying often, "Do you see something that says status?"  Or my favorite, "What does it say on the screen now?"  Usually while I'm saying these things I've got Google image search pulled up looking for a "linksys e6900 configuration screen" (or whatever model they have) and hoping that someone has uploaded a picture of it.  A picture is worth a thousand words, right?  Even a simple shot of the E6900 configuration page like this one can save an hour of trying to describe over the phone what button they are looking for.


If that picture's worth a thousand words, how much would an accessible interface be worth?

I think I'm a little late to the party but I found an awesome site the other day that is even better than a picture. Full, interactive copies of the user interface of multiple models including multiple firmware versions.

http://ui.linksys.com/

It's by Linksys, so it's only their routers.  Take what you can get, right?  It's even fairly up to date.  I couldn't find one of their latest models, but I did see files from October or November of 2013.

Friday, February 7, 2014

Another day another Chromebox, or two.

HP announced today that they are going to be offering a Chromebox as well.  Here's their page if you're interested, http://h20435.www2.hp.com/t5/The-Next-Bench-Blog/HP-Chromebox-Chrome-simplicity-tiny-desktop/ba-p/87295.

Google announced their Chromebox for Meetings, too.  Technically it's not a new Chromebox, it's just a bundle that combines the new ASUS Chromebox, a camera, a speaker, a mic, and a remote.  Here's some of the details from Google on this one, http://googleblog.blogspot.com/2014/02/chromebox-now-for-simpler-and-better.html.

That's pretty amazing isn't it?  It seemed like the manufacturers were just going to let the Chromeboxes wither and die for so long and now they're popping up all over the place.  Check out the Chromebase that LG announced back in December, http://lgnewsroom.com/newsroom/contents/64056.  This one isn't really a Chromebox, but it's definitely not a Chromebook either.

Why is this even relevant to practical school tech?  ChromeOS devices are pretty easy to manage, fairly stable, designed to be reliable (mostly fanless and all solid state), and can be priced pretty cheap.  All important things for the education market.  Now let's see if we can get our hands on some so we can go kick the tires and see if they live up to all this hype.

Wednesday, February 5, 2014

An affordable Chromebox.... Finally

I really like the idea of ChromeOS devices for school use.  Think about it, automatic updating, very narrow attack vector, fast boot, plain and simple operation.  What's not to like about it? Ok ok I understand, everything has to be web-based.  But is that so bad?  Really, how often is your connection to the internet down?  I know lots of people talk about how good the cloud is and a lot of people preach about how bad the cloud is.  Wait a minute, I'm getting side tracked, I'll save this topic for another post, let's move on to what I was wanting to talk about.

Chromeboxes.  More importantly, affordable Chromeboxes.  Asus has announced a new Chromebox starting at $179 (really, read about it here http://www.asus.com/us/News/xjbJtLA1HEyUSUeo).  That's pretty cheap, right?  But you might be saying the Samsung Chromeboxes for $300 or $500 were affordable too.  Yes, they were affordable, until you consider that you can buy a refurbished computer for $500 (with a monitor.)  That's a full PC too, it runs Windows and everything.  Chrome versus Windows is going to be another post.

Back to the affordable Chromeboxes, in education every dollar counts, $179 is much more affordable than $300.  That's a lot more computers being made available for the students.  I'll call that a win.

Now for my rant.

Chromeboxes have been out for some time.  Just a small computer that runs ChromeOS, nothing particularly special.  The prices have been ridiculously high though.  Before today's announcement they were around $300 dollars.  That doesn't sound too bad for a computer.  But, Samsung has a whole Chromebook for $249.  Some might point out that that's obviously different because it's an ARM processor and the Chromeboxes all have Intel processors.  I could care less about that.  I need a computer that runs, the ARM based Chromebooks do that just fine.  Why not strip out the portable bits of a Chromebook and squeeze them into a super small package?  How much could you save if you cut off the screen, battery, keyboard and trackpad?