My company is switching from using Symantec Antivirus over to F-Secure, and we needed a way to silently uninstall the existing Symantec installation before rolling out the new solution to avoid a sneakernet installation procedure.
Our initial thought was to add the uninstall procedure to the existing logon script, but that would cause a fair bit of problems as the uninstall required a reboot. I know my users would get very cranky if they logged on and the computer immediately rebooted. Another issue would be that the same logon script is executed when the users login to our Citrix servers, but I could work around that by checking the computername that the script ran on.
We ended up with the following solution:
1. Create a share on the fileserver for uninstall logs
2. Create a batch file that silently uninstalls Symantec Antivirus and reboots the computer
3. Schedule the batch file to run, on the client computer, after hours
The command to uninstall our version of Symantec Antivirus would be: %windir%\system32\msiexec.exe /q/x {848AC794-8B81-440A-81AE-6474337DB527} /Lv+ \\fileserver\share\%computername%-savuninstall.log
This performs a silent uninstall of the application identified by the GUID, and logs the process to a logfile named after the computer it was ran on.
The second part of this was scheduling this batch file to be run on our XP clients remotely. A small utility called schtasks, included in Windows XP, enables you to add scheduled tasks remotely and fit the bill perfectly. The command we ended up running was:
schtasks /create /tn "Symantec Uninstall" /ru domain\administrator /rp password /tr \\fileserver\share\uninstall.bat /s computername /sc once /sd 29/01/2007 /st 22:00
This adds the batch file created earlier as a once-off scheduled task, on the client, that runs as the domain administrator.
The log files enables us to track the progress of client uninstall, and provides us with a list of computers ready for F-Secure deployment.
All in all a no-fuzz silent removal of Symantec Antivirus, without sneakernet intervention.
another “how to change the administrator password in Windows” hoax is in the wild.
A recent posting on internetbusinessdaily.net shows a way to get cmd.exe to run instead of the default screen saver, and if you then issue the net user command to change the administrator password.
This approach is just as flawed as the previous bogus security claims. This only works if you already have administrative privileges, so there is no need to actually do the whole copy routine outlined in the post. Just issue the net user command directly, and you’re done.
Of course, you are only protected if your system uses the NTFS filesystem, as FAT32 doesn’t give you any file level security at all.
Can we now stop with the bogus claims? If you have administrator access, you can change the administrators password. Gee, there’s a surprise…
Another incredibly stupid "Windows XP security bug" hoax has emerged, this time on YouTube.
Can you believe it? If you have local administrator access, you can change a local users password! Truly incredible news!
This is another example of a "security issue" that isn't even close to being one. The other one is a bit more clever though, this one is just plain stupid.
The recently surfaced "Windows XP Privilege Escalation Exploit" is really no such thing. In fact, it's not even close. At first glance, it does look valid enough, but the fact remains that it's not even close to being a real exploit.
Let me explain why. In the original article, you can read:
Using simple command line tools on a machine running Windows XP we will obtain system level privileges, and run the entire explorer process (Desktop), and all processes that run from it have system privileges. The system run level is higher than administrator, and has full control of the operating system and it’s kernel. On many machines this can be exploited even with the guest account. At the time I’m publishing this, I have been unable to find any other mention of people running an entire desktop as system, although I have seen some articles regarding the SYSTEM command prompt.
While this is true, one rather important thing is left out. You need to have local administrator access to be able to do this. This whole "exploit" is based on scheduling a task and having it run as local system.
By default, the only account(s) that can schedule tasks on Windows XP and Windows Server 2003 (and I imagine Vista too) are members of the local administrators group. Imagine that? For this so-called exploit to be possible, you have to have local administrator privileges!
The original author claims that you can even reset the administrator password this way. Well, so can any user that has local administrator access to begin with. Where is the problem? The only scenario were this might be a problem if some system administrators lets their users schedule commands on domain controllers, or other servers, but that would be very bad system administration to begin with. And we all know what problems bad sysadmins can get themselves into.
What annoys me with this whole thing, is that everyone and their mother seems to be jumping on the bandwagon and screaming exploit. It's not! Being able, as administrator, to run a command prompt or even a whole desktop as local system poses no significant risk what-so-ever.
Move on, there is nothing to see here. I claim FUD.
, a Wordpress Support Maven and frequent flyer in #wordpress has posted his reasoning behind going back to Windows XP after a short affair with Ubuntu. I have to say that I agree wholeheartedly with his experience. Linux simpy isn't ready for desktop usage, at least for people who want to use their OS and not fiddle around with their OS.
I love Linux, don't get me wrong. My own webserver runs Linux (of the Debian flavor), but my desktop remains XP. Why? Well, simply put; I like it. It's as easy as that, and it's not due to lack of experience with Linux either. I find using Linux on a desktop cumbersome, even obtrusive in ways and it "just doesn't feel right".
I also happen to manage roughly 25 servers, and about 110 clients on a daily basis, spread over 2 continents and 5 countries (Thats not counting our ships). If it wasn't for using Windows 2003 Servers, Active Directory, Citrix and Windows XP clients that would pretty much be an unsurmountable task. I want to enable my users to do their job, not battle with their computers. Of course, Microsoft being a market leader helps in a way, since everyone knows how use a computer with Windows on it. Thats just the way it is. I'm not saying that this is necessarily a good thing, but it does help me in my day to day job.
If I were to give my users a Linux box, I seriously doubt that it would increase their efficiency at all. As far as I'm concerned, running Linux on the desktop is still something reserved for those with a special interest in it, it's not for people who actually want to spend time using their computers for their day-to-day tasks.
: I think VMWare has struck gold with the newly released VMWare Player. It really opens up an alley of virtualization for everyone that I'm sure will find loads of good uses in the time to come.