Original URL: http://www.theregister.co.uk/2011/02/11/contracting_internet/

Locking antlers with a network Nazi

Die! Symantec Endpoint Protection, Die!

By Trevor Pott

Posted in Servers, 11th February 2011 16:00 GMT

Some contracting jobs are fun. I love the sexy ones that task me with rolling my own data center or spending a week’s worth of off hours poking holes in someone else’s network.

Some contracting jobs are terrible; 14 consecutive hours of testing cables and ghosting workstations will leave me a gibbering mental wasteland. One recent job has left me feeling somewhat ambiguous.

It was simple enough; go to the site, rename and readdress up to five PCs to meet the newest conventions. Remove Office Pro and install Office Standard to ensure proper license compliance. Depending on the speed and number of the PCs, that’s maybe a couple hours’ worth of work. It could stretch to four hours in the absolute worst case.

The project started out with a misadventure. The location in question is on the other end of the city from my home; better than an hour away. I ran into a multi-vehicle accident and showed up onsite three minutes late. This was apparently too late; the individuals with the keys to let me into the building had left.

Round two saw me arrive early, only to discover that the required install media for Office was not present. Here, things got interesting. The office in question was a small two-PC affair that was part of a much larger network.

It is safe to say that this network was run by some of the darkest of network Nazis I have yet to encounter. I had in my grubby little mitts the domain administrator’s credentials – necessary for the work I had been asked to do – and yet could still accomplish nothing.

Internet access was locked down; Symantec Endpoint Security was set to <Nelson Muntz> Ha ha! </Nelson Muntz>. It was managed centrally and best of all there was nobody available with the rights to disable the thing.

USB ports and Optical drive access were locked down – even for the domain admin – and Symantec was configured in such a fashion that even if I physically added another node to the network with a share on it, it wouldn’t allow me to get the necessary files off.

Murder in Task Manager

Bonus points for originality were awarded to whomever it was on their network that kept punching in the wrong password for the domain admin account. I must have called my contact a half dozen times thanks to discovering that someone somewhere else had locked the account out. I pondered this for a while and then decided that for me to get anything done, Symantec Endpoint Security had to die.

Naturally it wasn’t very happy about this; it doesn’t allow you to easily terminate the process. In this situation, I can’t download any of the normal tools I would download to properly “kill -9” a windows process.

The process in question is preventing me from getting onto the internet to get those tools! Safe mode however changes the rules. By rebooting into Safe Mode with Networking, I could modify the service parameters. I was able to disable the service in the computer management console, and then murder it in Task Manager.

Thinking I was home free, I rebooted into regular Windows, only to find out that it refused to play with me unless the Symantec Endpoint Security service was running. Back into Safe Mode with Networking I went.

When I tried accessing the internet to get to Technet – and the Office ISO I needed to complete the job – I discovered that the network edge device was a Fortinet Security Appliance configured by some follower of Cthulhu.

Fortunately, I had a netbook and my HTC Desire. I set my Desire up as a Wi-Fi hotspot to share its internet connection with my netbook. I set the netbook up as a router and bridged its wired and wireless network connections. A quick change on the target computer to use the netbook as the internet gateway and suddenly I had access to Technet.

Had there been more than two computers to worry about, I would have set up a small HTTP server on my phone, downloaded the ISO to my phone and served it up from there. As it is, this solution cost me only about 500MB of my 5GB plan.

In the end, it took me three-and-a-half hours to work around all the security in place enough to do the simple job I was asked to do. I love a challenge; they are the fun part of this job. Still, the lack of organization and preparation on the client’s part cost them. I was there easily three times as long as should have been required.

The job had elements of fun – hey, I got an article out of it – but the inefficiency perturbs my inner nerd. What about you, dear readers? Share with us the best and worst of your “small jobs” in the comments section. ®