Resetting the local admin password on a more locked down server

A client recently had an issue where they had lost the administrator password on their offline root CA.

The well-known method of copying cmd.exe over utilman.exe was not working.

When trying to reset the administrator password, it appeared to work, but on reboot, the new password was not accepted.

To that end, i used “net” to add a temporary admin account via

net user <username> /add
net localgroup administrators <username> /add

In addition, the server had been configured to not allow any user but administrator to show up at the console….. this i hadn’t seen before.

After a bit of poking around, i found that the following registry setting was the culprit.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI] “LastLoggedOnProvider”=””

Once that was set, i could log on as my temporary admin account.
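The same procedure as a script, with the two steps the post doesn’t spell out: keep a copy of the LogonUI key before touching it, and remove the throwaway account and restore the key once the real administrator password works again. This is an added PowerShell example, not code from the original post; it assumes an elevated shell on the server itself (the scenario above), and the account name tmpadmin and the backup path are placeholders.

```powershell
# Added example, not from the original post. Assumes an elevated PowerShell session on the
# server itself. 'tmpadmin' and the backup file location are placeholders; change as needed.
$TempUser   = 'tmpadmin'
$LogonUIReg = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI'   # reg.exe form
$LogonUIPS  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI'  # provider form
$BackupFile = Join-Path $env:TEMP 'LogonUI-before.reg'

function New-TemporaryAdmin {
    # 1. Keep the console lockdown so it can be put back once the real admin account works again.
    reg export $LogonUIReg $BackupFile /y | Out-Null

    # 2. Create the throwaway account ('*' makes net.exe prompt for the password instead of
    #    leaving it in the command history) and put it in the local Administrators group.
    net user $TempUser * /add
    net localgroup administrators $TempUser /add

    # 3. Clear the value the post identifies, so the logon screen no longer pins a single provider.
    Set-ItemProperty -Path $LogonUIPS -Name 'LastLoggedOnProvider' -Value ''

    # 4. Show what actually changed on the box before rebooting.
    net localgroup administrators
    Get-ItemProperty -Path $LogonUIPS | Select-Object LastLoggedOnProvider
}

function Remove-TemporaryAdmin {
    # Run only after the real administrator password has been reset and verified:
    # drop the extra admin account and restore the LogonUI key from the backup.
    net user $TempUser /delete
    reg import $BackupFile
    net localgroup administrators
}

New-TemporaryAdmin
# Reboot, log on as $TempUser, reset the real administrator password, then run:
# Remove-TemporaryAdmin
```

Leaving the temporary account in place is the easy mistake here: an extra local admin on an offline root CA is exactly the kind of thing an audit should flag, so the cleanup function is not optional.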

SCEP 2012 vs others – making my blood boil

We’ve had a number of customers recently move to SCEP 2012 from other solutions, particularly McAfee, but also some Symantec, Sophos etc.

These have generally been customers on an EA, with Core CAL already purchased and, additionally, SCCM 2007 or 2012 already in place for deployment…. so for these environments, there is a cost saving with SCEP (as it’s part of the Core CAL) and since the SCCM infrastructure is already in place, the management overhead (compared to when other products were in use) is reduced.

The biggest thing i see – and continue to hear from customers about – is the massive performance difference on the workstations after moving from something like McAfee to SCEP…. McAfee is a machine crippler, plain and simple. For those of you that have it…. build up two SOE machines, one with McAfee, one with SCEP, and have a look at the performance difference for yourselves.

Anyhoo – a few days ago, a customer was telling me about independent reports which claim SCEP is quite bad (for various reasons) and how superior the administration of EPO is, the feature set etc etc…. so, i went looking for these independent reports.

This is the first one i found – – and, well, as per the title of this post, my blood boiled.

This is flat out, religious-style misinformation, bullshit and quarter-truths trying to look legitimate… some of the claims in the presentation are just ludicrous.

Now this slideshow is based on FEP 2010 – but quite frankly, the majority of points have not changed between FEP 2010 and SCEP 2012 (but a couple have)

such as

Administration costs (slide 6) – These figures are just insane… where are these coming from? 3 times as many new servers to deploy SCEP? How? 1 server is required to deploy SCEP – and, if the organisation is already using SCCM (which isn’t exactly uncommon!) – 0… none, nada, zilch new servers required to deploy. Even in geographically diverse orgs, if SCCM was only being used for SCEP – then still only 1 server is required, as BDPs (SCCM 2007) or DPs on a workstation (SCCM 2012) can be used for remote distribution (and this would depend on network speeds/topology etc)

The higher personnel costs… well, intentionally vague because of what a ludicrous statement it is….. you need 1 (one!) automatic deployment rule to deploy updates… and in the client policy you set “deploy SCEP” to true…. now clearly this guy doesn’t actually use the products he’s talking about, but think of the dumbest tech you possibly can – even they could roll out and keep SCEP up to date, with a total admin effort of a few hours (a few mins for an SCCM-experienced tech).

The comment about SCCM and Forefront being “more complex to administer” – you’ve got to be fucking joking. EPO is definitely one of the better anti-virus administration tools out there – but it, as all software, has its own quirks and complexities too…. trying to claim that SCCM is more complex than EPO…. well of course it is if you have used EPO for 5 years and never used SCCM! The same is true the other way around! That’s just a dodgy argument.

License fees – well that all depends on if you are already licensed via an EA (which is very common in our market) – in which case it’s bundled in with your other CALs….. that’s a very large and important point to miss!

Licensing for other OSes – This is a fair point for FEP 2010, but as of SCEP 2012 SP1 (due Jan 2013-ish), SCEP supports Mac and Linux

Admin and reporting (Slide 8)

EPO group membership is security orientated whereas SCCM collection membership is patch orientated…. just huh? If i understood what he is getting at here, i could shoot it down…. but it just doesn’t make any sense.

Distributing updates faster – so… you’re saying you don’t know how to configure SCCM?

Reporting – No question, McAfee reporting is richer than SCEP reporting…. SCEP reporting will continue to get better over time (2012 is better than 2010, obviously)

Consoles (Slide 9)

Requires expertise in 6 different consoles! That’s just a flat out lie. SCEP requires you to know how to use the SCCM console, set policy, deploy software updates, view reports….. i.e. the normal things an SCCM admin already does. If you don’t already use SCCM, then sure, you’ll have to learn SCCM, but again, the same is true for EPO!

Tampering and reboots (Slide 10)

“Barrage of windows updates, requiring many reboots” – so are we talking about general Windows patching or antivirus here – you can’t change topic when convenient. Sure Windows updates require reboots, but this is completely separate to antivirus – if you use McAfee, you still need to patch your machines, and those patches will still need reboots. What a disgusting twisting of the facts.

Tamper proof – “users can tamper with and disable Forefront”? Really? So you haven’t configured SCEP to lock down the settings (the same as you need to in EPO) and then you’re complaining that users can change the settings you haven’t locked down?


There is no question McAfee (and others) have been around longer, are more mature in some ways (reporting in particular) and have more “features”. I argue, and always will, that the additional features (such as firewalls, execution prevention etc) are a pain in the arse for most of our clients…. but sure there are some clients that have valid reasons for using them. The biggest downside to these additional features is the crippling performance impact of McAfee (and others) – an important point which seems to have been left out completely. A number of these features are also already available within the OS and can be configured via group policy… sure it’s a different tool…. but show me one enterprise IT admin that doesn’t know how to use group policy.

If you are a Microsoft-based IT environment already – chances are the licenses for SCEP are included in the licensing you already have – if you also already use SCCM for deployment, then you already have the infrastructure and skills to deploy SCEP very quickly and keep it easily updated. So it’s a very compelling case to look seriously at SCEP and save a big wad of cash….. if you’re not already licensed (which is unlikely if you’re an MS-based environment) and don’t have SCCM, by all means, evaluate the different antivirus solutions for your company to see which ones meet your needs, but do not ever use an “independent” report such as this one as a justification or to form part of your reasoning…. it is one of the most disgracefully, intentionally inaccurate pieces of “independent” advice I have ever seen.

Symantec infection report for 2011

found this over at anandtech –

which links to this PDF report –

I don’t necessarily have a lot of time for Symantec – as obviously, increasing fear drives their business, but if you take the figures in the report as accurate – it’s quite interesting.

The title of the Anandtech article is clearly made to be provocative – but in this case, it’s a sentiment that, according to the report, is not only technically accurate, but is represented in the rest of society as well.

Action against symantec for scareware…

saw this link over at my preferred hardware news site –

Made me smile….

All antivirus or security vendors are preying on fear to some extent… with firewalls – you don’t get a firewall because someone’s attacking you, you get a firewall because it helps to make it more difficult for people to attack you (and by “you”, i mean your IT infrastructure). It’s basically the concept of “let’s secure ourselves – because it’s just common sense… it’s quick/easy/cheap to do so and it will prevent us from being attacked in these <insert various attacks here> ways”. More to the point, there is simply no reason not to have a firewall… with even a 1/4 competent admin, it won’t break anything.

Antivirus has always been very much on the line between selling a valid service and selling fear… the “common sense” approach, particularly in the desktop antivirus market, seems to have given way to “let’s try and cover every possible scenario” – which is demonstrated by the major vendors’ products, which don’t just do antivirus anymore, they are also firewalls, software restriction enforcement points, network access control, anti-malware etc

Desktop antivirus in particular has the issue of performance impact…. but with the advent of firewalls etc…. we then also have the issues of other misconfigurations…. the amount of issues caused by companies doing stupid fucking things such as putting their desktop antivirus product on their Exchange servers for example…. stupid in the first place, but even worse when an update turns the firewall back on and port 25 incoming is blocked.

This happens so often now for our smaller clients (up to 500 seats) – that the first thing we do when a client rings and says “our server is busted” is disable or uninstall AV (if they have gone against our advice and put it on there) – and 90% of the time, problem solvered.
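A quick triage check for the Exchange case above, written here as an added PowerShell example (not something from the original post): it compares whether the server is actually listening on port 25 with whether another host can reach it, which separates a dead transport service from a host or AV firewall rule that has come back on. It assumes a Windows Server 2012-or-later box with the NetTCPIP and NetSecurity modules, that the local part runs on the mail server and the remote part from any other machine, and mail.example.internal is a placeholder host name.

```powershell
# Added example, not from the original post. $MailServer is a placeholder; the local checks
# run on the Exchange box itself, the remote check from any other machine on the network.
$MailServer = 'mail.example.internal'
$SmtpPort   = 25

function Test-SmtpLocalListener {
    # Is anything bound to 25 on this box at all? If not, the transport service is the
    # problem, not a firewall, and pulling the AV off won't help.
    $listen = Get-NetTCPConnection -LocalPort $SmtpPort -State Listen -ErrorAction SilentlyContinue
    return [bool]$listen
}

function Test-SmtpRemoteReach {
    param([string]$ComputerName)
    # Can another host complete a TCP handshake to 25? Listening locally but unreachable
    # remotely is the classic symptom of a host/AV firewall rule blocking inbound SMTP.
    $r = Test-NetConnection -ComputerName $ComputerName -Port $SmtpPort -WarningAction SilentlyContinue
    return $r.TcpTestSucceeded
}

function Get-SuspectFirewallState {
    # What could be doing the blocking: the Windows Firewall profiles, plus any running
    # third-party AV/firewall services from the vendors named in this post.
    Get-NetFirewallProfile | Select-Object Name, Enabled
    Get-Service |
        Where-Object { $_.Status -eq 'Running' -and $_.DisplayName -match 'McAfee|Symantec|Sophos|Norton' } |
        Select-Object Name, DisplayName
}

# On the mail server:
if (Test-SmtpLocalListener) {
    Write-Host "Port $SmtpPort is listening locally; if delivery still fails, look at the firewall layer:"
    Get-SuspectFirewallState
} else {
    Write-Host "Nothing is listening on $SmtpPort; check the Exchange transport service before touching AV."
}

# From another host on the network:
# Test-SmtpRemoteReach -ComputerName $MailServer   # $false while the local listener is up = something in between is blocking
```

Running the local and remote checks together turns “our server is busted” into one of two concrete states before anything gets uninstalled, and the firewall/service listing is what you would want in the ticket afterwards to show which update flipped the rule.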

Anyhoo – i’ve gone off on a bit of a tangent there (as usual) – i liked the term “scareware” – i hadn’t heard it before – and i believe it’s a fair term for most of the marketing done by AV vendors these days. They have a commoditised market in base antivirus, so they are looking for ways to make themselves stay relevant – fair enough from a business point of view – but some of the additions are, in my mind, scareware!