THE OFFICIAL BLOG OF THE SBS DIVA

There's a vendor out there that is drinking the Security Koolaid.  To the point where that I can even see the telltale sign of a red tongue and a Koolaid mustache on their mouth.  Now this isn't a vendor that you would normally think would be drinking the Security Koolaid... and it's certainly not the vendor you are probably thinking that I'm talking about.....
 

This is a vendor that... indeed may be setting the path for my Accounting Industry by being one of the first to step up to the bar and do the right thing.  Dr. Jesper Johannson in his "Is that Application Really Safe"  presentation talks about how accounting applications are some of the worst offenders for being a security minded application.  And it's true.  Here when we should be the bellweather of the industry..the shining light of best practices... the standard setter.... so many times I hear from folks that it's the "beancounter program" that makes them make compromises in their networks.  Even my fellow CPAs... sorry guys, I have to beat up on ourselves... we really don't take the time sometimes to think about security.  We want to get the job done for our clients and sometimes, like in any business, security has to take a back seat.  We blindly email files containing sensitive data and never even think of what we're doing.

So when the other day I had a conversation with some folks from this Company... it was refreshing to hear in the phone call that they were drinking that Security Koolaid.   And lots of it.  To the point that they will be pushing us in the future....not us pushing them. 
 

But you know something else.... don't just lay this in the lap of our vendors... as fellow Security MVP Harry Waldron pointed out ... Security is spelled sec-U-R-IT-y.  Security isn't just about "them" ... it's about "You".  "You are it."  You are part of it.  Part of Security.  You are in fact the biggest part of the security piece... and without "You", this vendor can drink enough Security Koolaid to make them a sugar diabetic but it's not going to help secure your network, your data, your clients data.  You have to help this process by being an aware end user and not blindly do stuff like we're doing these days.  By setting up your network properly, configuring it properly.  By having security policies, and set forth to your employees an acceptable use policy of what they can and cannot do on your network.  "You" first have to help this process...it can't just be on the backs of vendors.
 

....so ...guess which vendor I talked to the other day that is on their way to getting Security? 

....wanna guess?

....give up?

....and no this isn't an early April Fool's day joke either... I'm serious here.

... I really and truly feel that this Vendor "gets" security and will be pushing us to "get" it too in the near future ...

....the vendor is....believe it or not.... this one!

I can hardly wait.. it's right around the corner... RFC day...

I think this is a fav... http://klubkev.org/~ksulliva/rfc-april1/rfc1925.txt 

   (3)  With sufficient thrust, pigs fly just fine. However, this is
        not necessarily a good idea. It is hard to be sure where they
        are going to land, and it could be dangerous sitting under them
        as they fly overhead.

I think we need to send this one to Eric Ligman

http://klubkev.org/~ksulliva/rfc-april1/rfc2324.txt

Subtitled... okay MBSA 2.0 is closer...but I STILL cannot consistently scan my domain worth a darn.....

Okay so we already heard from a poster that he used a dll exclusion in the firewall...

So we went back into our Small business server firewall settings... and clicked on "define program exceptions"

And then on "Show" and added an exclusion exactly like this:  %WINDIR%\SYSTEM32\dllhost.exe:10.0.0.2:Enabled:WSUS Port so that it ended up looking like that:

(Remember I'm still on that old fashioned SBS IP addressing that we used to use in the 4.0 days)  And now... on those workstations that are checking into the MBSA console..they are properly scanning the patch status... but I still do not have a consistent scan-ability of the network.  Even when I added the extra RPC connectivity allowance like Level Platforms needs.

I'm still getting way too much of this error on some of the workstations...an  then I'll scan again and won't get it for those same workstations.... I am scanning by netbios domain name... so why isn't this still working?  Or I should say...consistently working?

But I'm not.. I DID put in the netbios based domain name.... and I kid you not.. many of the people I talk to say that they tried MBSA 2.0... couldn't get consistent scanning results... got frustrated and dropped using it.... because they too couldn't get it to scan through the firewall.

But this reminds me of an email thread I had today with a guy about keeping "some" network goo... as a balance between security and that managability that I need to have ....as while Dr. Jesper Johansson is talking about Server and Domain Isolation techniques... I'm sitting here poking holes in the firewall and knocking off the Strict RPC compliance in ISA server because I want.... no... I NEED to have managability of the network.  I NEED to have a foundational bit of 'goo' that runs throughout my entire network so that I can scan them and get assurances that they have protections in place... I mean yeah... scan my SBS box and it says I have "Severe risks" ...but right now.. the fact that I can't scan my entire network... I think ..means I have a bigger risk.  I mean I know I can't do the Server and Domain isolation stuff the big server guys have to do... but it sure would be nice if I could scan the network with MBSA....

Stay tuned.... we're getting closer.....

So what's your IMF settings?

Some here are 6, archive, 2.... 5 would be better but gives a few false positives...

Some are reject =6, move to junk =4

Some use the IMF archive manager....some use the one from Hello

Delta airlines seems to get knocked out at 7... but putting it at 8 lets in too much gunk

...so what do you use?

Just a nice friendly reminder... that when us non big server land people start mucking around in group policy..your first step should be to do these steps....

Go down in the group policy management console.. in that bottom section....

Right mouse click on Group Policy Objects... 

Ensure you've clicked on "backup all" ...or at least the one you are mucking with...

And make sure it says this:

Because while you are attempting to put in the registry keys for MBSA..and you've obviously screwed something up.... so it looks like this....and when you go to edit it and it looks like this....

Which in turn gives you that error.... you can at least restore the policy from the backup you just made... granted you will go "Oh #%@#$ for a split second as you momentarily think you've horked yourself good as you can't get back into the very template you've screwed up...

As with everything in life.. make sure you have a backup.....

(stay tuned... MBSA still not working...)

Okay big server land people.....why isn't there an 'edit' key in the Group Policy Object Editor?

In the group policy...you type these GUID thingys in by hand?

I mean ...really... you never make mistakes when setting up group policy settings or something?  So why no edit button? You guys think typing this stuff in by hand builds character or something?  I mean look at the gunk I need to type in there... and for the record... when giving us SBSers instructions on group policy..don't assume that all of us have been in there enough to know that when typing in a new key we will truncate the "HKEY_LOCAL part and just need "MACHINE" up there.....


HKEY_LOCAL_MACHINE\Software\Classes\AppID\
{B366DEBE-645B-43A5-B865-DDD82 C345492}
\Endpoints REG_MULTI_SZ "ncacn_ip_tcp,0,n"

Yuck .. I have to manually type in MACHINE..wack... Software.. wack... yadda yadda

2. Configure Windows Update Agent to use this static custom port by setting a registry key as follows: HKEY_LOCAL_MACHINE\Software\Classes\AppID\
{B366DEBE-645B-43A5-B865-DDD82 C345492}\
Endpoints REG_MULTI_SZ "ncacn_ip_tcp,0,n"
(where n is the port number you have decided to use.) You may also configure the endpoint using the Component Services application in Control Panel. The Windows Update Agent - Remote Access endpoint is located under the path Component Services\Computers\My Computer\DCOM Config. Right-click and select Properties, then use the Endpoints tab on the Properties page to configure the static port.

And why do instructions like this assume that once we get to Component Services section.... in the control panel...that we'll even have a clue of what to do when we get there? I mean like look at this:

Okay.. I see the static endpoint in the Dcom protocol ...but.. now what.. do I need a protocol sequence of connection-oriented TCP/IP?  I guess so but the instructions don't say to mess with that....but gang....don't assume that we've been under the hood before and when giving instructions.. be specific...because if there's anything else in there... we're going to ask and wonder if we need to select anything....

P.S... skip the GUI?  Edit the text file?  Import them from the command line?  Are you insane?  ...excuse me... what do you think I am.... a big server person?

Brian Kruse has made a new post: re: MBSA 2.0...so what am I missing?.

Ran into this myself...after going through the KB article I finally found someone's post that led me to try the following which worked on a non-ISA system so it may or may not work with ISA.  I added an exception to the GP firewall settings to allow C:\WINDOWS\SYSTEM32\dllhost.exe to accept requests from the server only.  You'll have to use %windir%\system32\dllhost.exe in the GP since the : won't work. Hope that helps!

It's pretty obvious from posts out here that none of us have gotten this to work natively on the SBS box... and there won't be a new release to get this to work... we need to adjust the firewalls to get it to work.... stay tuned as I'll get the definitive answer on this....

MBSA 1.2....just went...scanned bam...bing done.

MBSA 2.0 with the XP sp2 firewalls..even with my modfications for additional managment...either MBSA doesn't find the machines....or when it does find them... it can't scan the windows catalog due to firewall issues....and of course we really don't want to turn off the firewalls at the workstations.....

...and so the instructions are as follows to get MBSA to work are below ....

I got the COM hotfix .. I think (I mean right?  it's in 05-051.. I don't have to edit or flag with extra keys to get those extra COMy things installed right?

And it sounds like I need to deploy that registry key?... so like.. can I ask a stupid question... I mean I know us SBSers have our own policy and all that...but it seems to me that other than this issue with MBSA it's kinda of a decent group policy template for everyone to suck down and use in a network... so why isn't that reg key policy already to go inside of every Windows 2003 server that would be used to control any XP sp2 firewall?  I mean like why isn't there a blonde "install this to decently manage, patch and control your network" adm template that would just be there for a typical firm?

Does anyone have MBSA 2.0..not three mind you... scanning consistently on a SBS 2003 with ISA 2004 that didn't add this group policy registry key..and if so how did you do it?...Otherwise I'm about to add another setting to the default SBS group policy for XP sp2 firewalls.

------------------------------------- 

Please refer to:

MBSA 2.0 Frequently Asked Questions
http://www.microsoft.com/technet/security/tools/mbsa2/qa.mspx

Please search for the question:

How can I scan a computer that is protected by a firewall?

Generally, there're 3 steps to complete the task. Step 2 is optional in
case there's any unmanaged computers which does not belong to your
domain. For your convenience, I copied the steps here:

Step 1: Review system requirements

MBSA cannot scan a remote computer protected by a firewall unless the
firewall is configured to open the ports that MBSA uses to communicate
with the computer. The Windows Update Agent implements a remote scanning
interface based on DCOM. The account being used to scan must possess
local administrator rights. The computer must also be configured to meet
the following conditions:

- The Server service, Remote Registry service, and File and Print
Sharing service must be running on the remote computer. 
- The required ports must be open on the firewall.
- The Windows Update Agent must be installed and the Automatic Updates
service must not be disabled.

Remote computer scans are performed using TCP port 135, a dynamic or
static DCOM port, and ports 139 and 445. In a multi-domain environment
where a firewall or filtering router separates the two networks, TCP
ports 135, 139 and 445 and UDP ports 137 and 138 must be open in order
for MBSA to connect and authenticate to the remote computer being
scanned. You must allow these ports to be open on the remote firewall if
a personal firewall is being used.

Note: The use of DCOM for remote scanning through Windows Firewall on
all versions of Windows XP may require a post-SP2 hotfix as described in
Microsoft Knowledgebase article 895200, "Availability of the Windows XP
COM+ Hotfix Rollup Package 9". Customers may now obtain this fix by
installing the COM+ update (KB 902400) using these procedures:

1. Download the update from
http://www.microsoft.com/downloads/details.aspx?FamilyId=20F79CE7-D4DB-4
2D7-8E57-58656A3FB2F7 on the Microsoft Download Center.

2. Copy the update to the computer you are updating and open a command
prompt on that computer.

3. Run the update using the command line options described in KB article
824994 (specifically, the /B:SP2QFE command line option). Doing this
will install all of the Windows XP COM+ Hotfix Rollup Package 9 fixes,
in addition to the fixes released in the security bulletin MS05-051.

Step 2: Configure Unmanaged Computers

DCOM allocates a dynamic port by default, but a firewall blocks access
to these ports unless explicitly opened by using the following
procedure:

1. Open port 135 and a custom port in your firewall (some firewalls may
allow port 135 by default). The port you select should be checked to
ensure it is appropriate, or not associated with other applications.

2. Configure Windows Update Agent to use this static custom port by
setting a registry key as follows:
HKEY_LOCAL_MACHINE\Software\Classes\AppID\
{B366DEBE-645B-43A5-B865-DDD82
C345492}\Endpoints REG_MULTI_SZ "ncacn_ip_tcp,0,n" 
(where n is the port
number you have decided to use.) You may also configure the endpoint
using the Component Services application in Control Panel. The Windows
Update Agent - Remote Access endpoint is located under the path
Component Services\Computers\My Computer\DCOM Config. Right-click and
select Properties, then use the Endpoints tab on the Properties page to
configure the static port.

Step 3: Configure Managed Computers

Use Group Policy to deploy specific administrative firewall and COM+
settings to target computers. You may use the Group Policy editor to
create the needed configuration settings as documented in "Deploying
Windows Firewall Settings for Microsoft Windows XP with Service Pack 2",
in the section entitled "Deploying Windows Firewall Settings With Group
Policy".

Windows Firewall Settings: The following Windows Firewall settings
should be used:

- Windows Firewall: Allow remote administration exception. Used to
enable remote configuration using tools such as Microsoft Management
Console (MMC) and Windows Management Instrumentation (WMI).
- Windows Firewall: Allow file and print sharing exception. Used to
specify whether file and printer sharing traffic is allowed.
- Windows Firewall: Define port exceptions. Used to specify excepted
traffic in terms of TCP and UDP ports. In this step, define the same
ports as you selected for unmanaged computers and from the system
requirements step.

Additional details on the settings available within the administrative
template for Windows Firewall have been documented in "Using the Windows
Firewall INF File in Microsoft Windows XP Service Pack 2" the sections
labeled "Enabling Remote Administration" and "Adding Static Ports to
Windows Firewall's Default Exceptions List".

COM+ Settings: The COM+ endpoint registry settings for the Windows
Update Agent can be configured as a Group Policy registry policy object.
Guidance on how to create a policy for this is located in the Microsoft
Knowledgebase article 323639, and includes a generic sample that you can
modify. When doing this, you must base the policy registry key on the
following:

HKEY_LOCAL_MACHINE\Software\Classes\
AppID\{B366DEBE-645B-43A5-B865-DDD82
C345492}\Endpoints REG_MULTI_SZ "ncacn_ip_tcp,0,n" 
(where n is the port
number you have decided to use.)

Note: When using this method, be aware that additional administrative
template settings may be needed in order to remove this registry setting
when the functionality is no longer desired.

So I turned on a workstation...one that hadn't been on in a while... and kinda forgot about it... and tonight I was checking the ISA logs to see why the MBSA 2.0 wasn't scanning the network like it should (long story...still in investigation...stay tuned to the blog) and I realized that every minute or so there was this "heartbeat" in the ISA logs.

http://66.151.158.177:80/l?526=-1N8753

....what tha?  says I and I start looking at the computer it's coming from...

So visions of OH MY GAWD I HAVE A TROJAN I'M OWNED .... I'LL BE LICKING STAMPS UNTIL THE DAY I DIE INFORMING CLIENTS THAT MY NETWORK HAS BEEN OVERTAKEN BY ZOMBIES SENDING OUT PHONE HOME MESSAGES TO SOME FOREIGN COUNTRY LOCATED IN......hang on...let me check who's IP that is...... THE TERRORIST COUNTRY OF.....hang on lemme look this up on Arnis... THE TERRORIST COUNTRY OF...Atlanta, Georgia? 

Huh? 

OrgName:    Internap Network Services
OrgID:      PNAP
Address:    250 Williams Street
Address:    Suite E100
City:       Atlanta
StateProv:  GA
PostalCode: 30303
Country:    US

Okay so I calm down enough to realize that the 'heartbeat' I'm seeing is a leftover..old... left to expire from not being paid...but not yet uninstalled...the way we remoted into one pc a few years ago install of ...

Yup... "Gotomypc".

While it may have been an expired account.. it had a red X in the corner... it was alive enough to do a heart beat out to the Gotomypc/Webex servers.

Just a FYI... clean up those kinds of programs on computers.....

A connected USB floppy disk drive does not work when you press F6 to install mass storage drivers during the Windows XP installation process:
http://support.microsoft.com/?kbid=916196

I have a server.. it has no floppy drive.  Now if I want to have SATA drives or something... I need to ensure that I can hit F6 during the install and get the drivers on the box...but ... hmmmmmm may need to warn someone about the fact that there might be times that you can't use a USB floppy... at least on a XP machine.  Wonder if the same is true for a 2003 box?

After you restart a Windows XP-based computer, the desktop is displayed upside down:
http://support.microsoft.com/?kbid=915164

Hello?

Yes my computer is upside down?

Excuse me?

It's upside down!

...and a 13 year old on the website solved the issue...

Someone asked me ... if a vendor shouldn't be able to have a compelling reason to get you to upgrade.  I mean let's face it.... vendors don't want you to be satisfied..they want you to want more.  To think you need more.  So they are going to want to stick a carrot out there to make you upgrade.

So here's where my geek view meets my beancounter view.....

Geek views....

Read both Wayne's blog and Nick's blog....they have the view (and rightly so) that line of business applications are deadly slow in updating.  That you don't rip out the working SQL database with a new one until the line of business vendor signs off...and they normally take like a service pack or two before they feel confortable updating.  Add on top of that that recoding and testing is like .... oh... slow as molasses..... like watching grass grow... or any other trite statements about how you don't do this easily.  They also have a view that SBSers should be able to compartmentalize SBS and allow not only for additional CAL rights for the SQL 2000, but downgrade just the SQL part back to the SQL 2000 from the SQL 2005 workgroup.

Beancounter views....

A vendor needs a carrot.  They need something to get you to upgrade.  Yeah it's a bit sucky on this...but hey...that's business.  SBS has always been from day one a "bundle" and Microsoft has never allowed a person to "just" upgrade a part of the software ..it's an all or nothing.  So if you want those additional Exchange cal rights or those additional SQL 2005 workgroup cal rights?  You'll need to eat the carrot and upgrade.  And you'll have to upgrade to SQL 2005 workgroup and not get downgrade rights to SQL 2000.  You need SQL 2000 because of your sucky line of business app  is waiting for service pack 3 before he or she even begins looking at SQL 2005 workgroup?  Sorry you'll have to stay back on SQL 2000. You'll have to order the SBS 2003 sp1 sku.

So what do you think?    ... yeah there will be a need for SBS 2003 SP1 in the channel for a long time as those line of business apps are slow....but if you want R2... as a business owner I think it's fair to ask you to eat the carrot.  As a geek... yeah I know that those applications won't be ready for SQL 2005 workgroup for a long...long time.

But the business side of me thinks that the vendor should be consistent in how it's bundled the software in the past... and allowed their carrots....

So what do you think?

I got pinged on IM with two questions from my nephew tonight ....

The Official SBS Blog : Meet the SBS Team!:
http://blogs.technet.com/sbs/archive/2006/03/27/423296.aspx

...and ... yes Bob, I've met him, and he seems like a reasonable guy for a Boss to me too...

In January there was an unpatched IE flaw..one that had folks scrambling for cover.  And someone came out with a "community fix".  Fast forward to March and deja vue again.

Unpatched IE flaws.. patch in the works... antivirus vendors having protections in place..... we have mitgations .... and we have a community patch.....

Okay gang let's take a lesson from last time again.....

I CANNOT SET YOUR RISK TOLERANCE LEVEL FOR YOU.

Only you can look at your firm and your desktops and your risk tolerance and you know how your clients surf and how you have your network setup to know if you should use anyone of these mitgations or do nothing at all.

Only you can do that.  So I'm not going to tell you or recommend that you take any other action other than to remind you that we're in this same position and we will again.  So if you are sitting there and you feel you are at extreme risk... then figure out if you truly and really are at risk...or if you are merely in a state of fear because you don't know the true risks of your network.

But whatever you do... test.  Because I can't do this for you.  Only you can decide what is the acceptable risk for your firm, your clients, your networks.

There's a new graphic in the side bar of the blog... it indicates that due to the fact that I'm a SA customer I'll be getting SBS 2003 R2.  The one with "just WSUS".  Yeah it's the one that no one in the Var/Vap world is seemingly excited about...but I am.

I got the graphic off the Official SBS blog.

It's times like these that I still say I represent the end user view... because I still think it's cool that SBS will have a patch engine under the hood in the future.

I'm outting myself tonight and saying that I still get goosebumps when thinking how far we've come in patching our SBS boxes that it can now be even be considered a marketing feature.  Back in the 4.5 days...heck even the 2000 days ...there's no way that the "patchability" of a network could even be considered an advantage.  Could even be touted as a feature. 

But hey.... I'm a patchaholic.

Want to know more about the SBS 2003 R2 stuff?  Check out two chances to talk to the SBS Podcast gang on Wednesday.

I'm not pulling your leg, honest:
http://www.microsoft.com/windows/IE/community/columns/pulling.mspx

Read Sandi's excellent article about the myths of the Internet...

The question came up on a listserve of how effective "System restore" was to go back "before" an infection by a trojan.

"Antivirus utilities can affect whether your system can be restored to a previous point. If a restore point contains an infected file because the utility is not set to clean the file within the restore point, or if an infected file has been removed from a restore point by an antivirus utility because it could not be cleaned, System Restore will not recover the computer to this partial or infected state. If System Restore could not restore your computer to a previous state, and you suspect that one or more restore points contain infected files or have had infected files removed by the antivirus utility, you can remove all restore points from the System Restore archive by turning off System Restore and then turning it back on. "

But the question is now..do you know when you had the "incident"?  Because truly.... malware, spyware and viruses are an "incident".  The best way to handle a security incident is to install from trusted media.. that's right you start over....

Help: I Got Hacked. Now What Do I Do? - Microsoft TechNet: Security Management Column:
http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx

Hi,

Since this seems to have been a popular topic, I thought I'd let you know that I've solved this problem for those that have SBS2003, MCEs, and MCXs (and aren't afraid to do some tweaking). I posted a "how-to" guide on TheGreenButton.com ).

For whatever it's worth,

David

Hey thanks David!  What's he's done is give the info on how to have a MCE retain the media center extenders and still have RWW access!

So you want to try this "non admin" thingy I keep harping about but you have this application that updates like every week... so how do you update it..but still run as LUA at the same time?

Well in Aaron's blog he has some ideas in part one... but one way you can consider running that "one" app is setting up a batch file that does a RunAs in front of the application.  Tristan has an old blog post on the topic.

If the application only needs updating by one person.. let that one person handle the updates.. if it depends on all workstations needing updates... well you'll need to decide the best way to handle this.. maybe not right now (and especially not during tax season...) but just keep in mind how your clients work and need to have their applications to run.  For those that need constant updating.. you might need to anticipate those needs.

A major thing I like about the Mssmallbiz.com site is the fact that it's a sharepoint site that sends me alerts.  Today Eric asks on the blog "what do you think it should be named?"... as naming does mean that folks immediately know what the 'thing' is about.  It helps people know immediately what they'll find at the site.

So you up for a little renaming to help clarify the site to newbies?

He offered up....

• Small Business Fellowship – A Lord or the Rings fan?  “Welcome to the Fellowship of Small Business”
• Small Business Channel – A place you “tune in to” to get information, ideas, resources, etc. while remaining true to the focus being around those who supply the technology solutions to Small Businesses
• Small Business Collective – A Star Trek fan?  Join the Collective today.  “Resistance is futile.”
• Small Business Society – An upscale place?

I think Small Business Jedi Council should be one up for a vote... but I'm probably the only one to think that ...not to mention George Lucas might want some royalties or something.... I think I like Small Business Channel.

What about you?