Now you might be wondering why I don’t just change the screensaver time-out or turn off the requirement for a password. Well even though I’m a local administrator, there is a domain-wide GPO that prevents me from doing so. (Yes I know I can edit the registry, but that setting doesn’t survive a GP refresh.) I understand the reason for the policy, but five minutes seems a bit too short.

I wanted to fix this problem AND keep my job at the same time. Alice’s “dipping duck” inspired me to write a simple program to simulate mouse movement.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43

#include <windows.h>
 
int WINAPI WinMain( HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpszCmdLine, int nCmdShow )
{
    HANDLE htmr = CreateWaitableTimer(NULL, TRUE, L"CheckIdle");
    LARGE_INTEGER lidt;
    LASTINPUTINFO lii;
 
    __int64 qwdt = -30 * 10000000; // 30 seconds
    lidt.LowPart = (DWORD) (qwdt & 0xFFFFFFFF);
    lidt.HighPart = (LONG) (qwdt >> 32);
 
    while( TRUE ) {
        SetWaitableTimer(htmr, &lidt, 0, NULL, NULL, FALSE);
        WaitForSingleObject(htmr, INFINITE);
 
        RtlZeroMemory(&lii, sizeof(LASTINPUTINFO));
        lii.cbSize = sizeof(LASTINPUTINFO);
        BOOL ret = GetLastInputInfo(&lii);
 
        int threshold = 3 * 60; // 3 minutes
        int idletime = ret ? (GetTickCount() - lii.dwTime) / 1000 : 0;
 
        BOOL scrnsvr = FALSE;
        SystemParametersInfo(SPI_GETSCREENSAVERRUNNING, 0, &scrnsvr, 0);
 
        if( idletime > threshold && !scrnsvr ) {
            MOUSEINPUT mi;
            RtlZeroMemory(&mi, sizeof(MOUSEINPUT));
            mi.dwFlags = MOUSEEVENTF_MOVE;
            mi.dx = 1;
            mi.dy = 1;
 
            INPUT in;
            in.type = INPUT_MOUSE;
            in.mi = mi;
 
            SendInput(1, &in, sizeof(in));
        }
    }
 
    return 0;
}

Every thirty seconds the program checks to see if the computer is idle. After three minutes of inactivity (and if the screensaver isn’t running), it moves the mouse cursor one pixel down and to the right. If I lock the workstation or manually activate the screensaver, the program won’t do anything. To compile this program, create a new empty C++ Win32 application project. Add a new cpp file, drop in the code above, and hit “Build Solution”.

Now the screensaver won’t be a nuisance when I’m trying to read. I just have to make sure to hit Win-L before I leave my desk!

My goal was to get CLAWS running the way RIT uses it, and then write patches to the main codebase. If certain people in high places liked the changes I made, they could take the patches and apply them upstream. Even if that doesn’t happen, I could always fork the project and continue development on my own. For political reasons, I’d have to wait to do this until after I graduate.

The PAWS Project is aimed at taking what is now a very RIT-centric software system and transforming it into something the general public can use. Much to the chagrin of some un-named information security officials, CLAWS is open source and so I can (at very least) develop from the r2977 snapshot.

In the coming few months I plan to have my documentation finished for building and installing CLAWS. I should have a lighter schedule this summer, so I’m hoping to get most of my development work done then.

The CLAWS central server manages communications between the various clients and back-end systems. A self-help tool allows students to activate an account and edit identity and mail preferences. The Help Desk client provides account management functions for staff that streamlines account creation and maintenance across the multiple systems.

Right now, CLAWS is used in production by both students and Help Desk staff. We are presently working to integrate IPEdit functionality into CLAWS. Visit the project homepage for more information.

My first chore was to install Windows Server 2003 and configure it to be a domain controller. This part was fairly easy, although a little time-consuming. Once that was working I was able to quickly join the Windows machines to the domain. Now to deal with Linux… for that I chose Windows Services for Unix. This software alters the AD schema to allow for Unix account attributes. On the Linux machines, I installed OpenLDAP, a Kerberos client, configured PAM… and voila! Now AD users can authenticate on the Linux machines.

My home-made DHCP/DNS configuration tool, however, was a little trickier. The data for this tool is stored in a MySQL database and accessed via a PHP script. If I wanted to grant someone access to the tool, I needed to first give them a MySQL account. Since Active Directory is basically an LDAP server, I rewrote the authentication mechanism to query AD.

With very little work, I was able to simplify authentication and account management. While this is not new technology, I still feel all warm and fuzzy with a sense of accomplishment.

Enter the “least privilege” security model. This approach to computing is very simple — only give yourself enough privileges to accomplish the task you need to perform. For example: do you need to be able to delete all of your system files while you write a letter in Microsoft Word? The answer would be “no, of course not!” But running with full privileges, you would be able to do so.

This is how malware spreads. Users visit websites that exploit known vulnerabilities in Internet Explorer. Since the default setup in Windows XP is to be an administrator, these programs can freely install themselves without your knowledge or consent. Working least-privileged solves this problem because without the privileges to tamper with system files, malware can’t invade your computer (easily).

Are you sold yet? Great! Now let’s set it up. Traditionally, working with with a non-privileged account has a real pain. But there are some tricks to help you.

1. Creating an Unprivileged Account

This step really depends on how you are setup right now. If you already have an account, then we need to adjust your privileges. Either way, you’ll need to logoff (Start > Logoff). Once you’re at the Welcome screen, press and hold the Control and Alt keys and the press the Delete key twice. You should now be presented with a login window. Type “administrator” for the user name and your password (or leave it empty).

Once logged in, pop yourself into the “User Accounts” control panel (Start > Control Panel > User Accounts). Select your own user account and choose “Change my account type”. Select “Limited User” and click OK. If you don’t have a password on your “administrator” account, you will want to set one now.

2. Turn-off Simple File Sharing (Optional)

This may fall more into the category of preference, but I think it makes life easier. Windows manages permission on securable objects (this includes files and folders) with Access Control Lists (ACL). When Simple File Sharing is turned-on, Windows will handle editing these lists for you. Doing this yourself gives you greater flexibility, but can cause you to lose data if you make a mistake.

To do this, open “My Computer”. From the “Tools” menu, choose “Folder Options”. Click on the “View” tab and you should see of list with checkboxes. Scroll to the bottom of this list, uncheck “Use Simple File Sharing (Recommended)”, and click OK.

3. Changing the Default Owner (XP Pro Only)

When a member of the Administrators group creates a file or folder, that user is the default owner. This can cause headaches when running least-privileged because you could end-up with write access to system files. By making the Administrators group the default owner, you eliminate that risk.

To accomplish this, you will need to open the Local Security Policy editor (Control Panel > Administrative Tools > Local Security Policy). In the left-hand pane, choose “Local Policies” and then “Security Options”. In the right-hand pane, find “System objects: Default owner for objects created by members of the administrators group”. Choose “Administrators Group” from the drop-down list and click OK.

4. Secondary Logon Service

What happens when you’re working and you need to make a change? Should you logoff and logon as an administrator? No!… there is an easier way. The Secondary Logon service allows you to run any application as another user by right-clicking on the file and choosing “Run As…”.

This should be enabled by default, but lets just make sure. Run the Computer Management applet (Control Panel > Administrative Tools > Computer Management). Choose “Services & Applications” and then “Services”. In the right-hand pane, find “Secondary Logon”, right-click, and choose “Properties”. Make sure startup type is “Automatic” and then click “Start” if the service is not already started.

5. Elevate Your Own Account (Optional)

Somtimes you need to make changes to your own account, but require administive privileges. You could change your account privileges (using Run As) and then logoff and logon again. But there is an easier way… Make Admin. This program will allow you to change your account privileges on-the-fly for specific applications.

Well, that was relatively painless (I hope). It will take some getting used to, but in the long-run, you’ll be glad you did. Oh, one more tip: you should do this on a clean install of Windows for best results.