[There's a reason that Yoda is the unofficial mascot of SBS.  Size indeed matters not.] November 2007 - Posts - THE OFFICIAL BLOG OF THE SBS DIVA

November 2007 - Posts

So one of the points that Amy Babinchak made in AU at the SMB security summit was that each time there was a rule in ISA that said "let the world in" you needed to stop and ask yourself why.  RDP from THE WORLD may not be a wise move.  You can easily ...even without a static IP, limit the access to a range of IPs that represent your ISP.  So even if you have a Dynamic IP address, all you need to do is to place the ISP's range as the "from" access and you will be allowed to RDP to that server.

 Concerned that you'll be on the road and need to connect?  Connect first to your server and then to the clients.

But bottom line, review the globe.. WHY do you need it?

Posted Fri, Nov 30 2007 19:12 by bradley | with no comments

So let's say you want to be alerted when someone does a password attempt on your system.  Go into the health monitor, copy the Account Lockout alert service and edit it to look for event 529 in the event logs.  Adjust the Actions to not only log to the system but to email you when someone does a bad password attempt and voila... you now have an early warning system when someone from remote is banging on things.

I personally limit the access to port 25 to only those ports that need access to the servers at ExchangeDefender.com and don't get drive bys... but if you are concerned.....
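
To go with the event 529 alert described above, here is an added example that is not part of the original post: a PowerShell summary of 529 records per source address, so a burst of bad passwords from one address stands out from an occasional typo. The function name Get-FailedLogonSummary, the threshold of 5 and the sample records are assumptions made for this example.

```powershell
# Added example (not from the original post). Event 529 is the Server 2003 / XP
# "logon failure: unknown user name or bad password" record; Vista and later log
# the same condition as event 4625 with a different message layout.

function Get-FailedLogonSummary {
    param(
        [object[]] $Events = @(),    # each item needs TimeGenerated and Message
        [int] $Threshold = 5         # assumed alerting threshold, tune per site
    )
    if (@($Events).Count -eq 0) { return }

    $parsed = foreach ($e in $Events) {
        # Anchor on line start so "Caller User Name:" is not picked up by mistake.
        $user = if ($e.Message -match '(?m)^\s*User Name:\s*(\S+)') { $Matches[1] } else { '(unknown)' }
        $src  = if ($e.Message -match '(?m)^\s*Source Network Address:\s*(\S+)') { $Matches[1] } else { '(none)' }
        [pscustomobject]@{ Time = $e.TimeGenerated; User = $user; Source = $src }
    }

    $parsed | Group-Object -Property Source | ForEach-Object {
        $byTime = @($_.Group | Sort-Object -Property Time)
        [pscustomobject]@{
            Source   = $_.Name
            Attempts = $_.Count
            Users    = ($_.Group.User | Sort-Object -Unique) -join ', '
            First    = $byTime[0].Time
            Last     = $byTime[-1].Time
            Alert    = $_.Count -ge $Threshold
        }
    } | Sort-Object -Property Attempts -Descending
}

# Constructed sample records, modelled on the field labels of a 529 message.
# Addresses are documentation ranges; user and domain names are made up.
$template = @'
Logon Failure:
    Reason:                  Unknown user name or bad password
    User Name:               {0}
    Domain:                  EXAMPLE
    Logon Type:              10
    Caller User Name:        SERVER$
    Source Network Address:  {1}
'@

$start  = [datetime]'2007-11-30T19:00:00'
$sample = @(
    0..5 | ForEach-Object {
        [pscustomobject]@{
            TimeGenerated = $start.AddSeconds(20 * $_)
            Message       = $template -f 'administrator', '203.0.113.10'
        }
    }
    [pscustomobject]@{
        TimeGenerated = $start.AddMinutes(30)
        Message       = $template -f 'susan', '198.51.100.7'
    }
)

Get-FailedLogonSummary -Events $sample | Format-Table -AutoSize

# Against a live Security log (Windows PowerShell on the server):
# Get-FailedLogonSummary -Events (Get-EventLog -LogName Security -InstanceId 529 -After (Get-Date).AddDays(-1))
```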

The Official SBS Blog : Network Behind a Network:
http://blogs.technet.com/sbs/archive/2007/11/29/network-behind-a-network.aspx

Today's sbs blog post brought to you by Wayne McIntyre

Posted Thu, Nov 29 2007 19:03 by bradley | with no comments

http://www.pcworld.com/article/id,139492-c,internetexplorer/article.html  $521 million

http://seattlepi.nwsource.com/business/329766_msfteolas31.html $60 to $70 a share for the shareholders in dividends

http://www.theinquirer.net/en/inquirer/news/2006/08/23/microsoft-and-autodesk-lose-product-activation-patent-suit $158 million

How many billions of dollars have been spent that provided no benefit, protected no clients, gave no needed features?

http://www.usdoj.gov/atr/cases/f227500/227585.htm 
First, the California Movants argue that extension of the Final Judgment is necessary to "pry open" the OEM channel to non-Microsoft web browsers.(7) They make no showing, however, that any conduct by Microsoft (either in violation of the decree or otherwise) has foreclosed the OEM channel to third-party browsers. Rather, they simply state that to date, no OEM has shipped a non-Microsoft web browser as the default web browser. This is a non sequitur. The Final Judgments do not mandate that OEMs, who are not parties in this case, install non-Microsoft web browsers as a default. The Final Judgments only seek to ensure that Microsoft does not block the OEM distribution channel.

Funny, I don't see any non Apple browser shipped in the Macintosh.  Nor do I see any other OEM channel other than Apple.  Okay so one could argue that they aren't in a "monopoly" position, but why not ensure that from the get go that monopolistic practices aren't followed by manufacturers?  Why is it that in the supposed "name of ensuring competition", that all I see is companies being forced to pay patent settlements in millions of dollars. 

In reading some of the stuff on http://www.usdoj.gov/atr/cases/f227500/227585.htm is there anyone else besides me wondering how much money has been spent in "compliance" that gives no value, provides no real competition, provides nothing other than making a bunch of attorneys rich?  I thought this country was founded on capitalism and building a better mousetrap theory? 

I mean given the unofficial survey I did of college students on the train home where I saw two MacBooks, two Vista laptops and one XP, hasn't mere "mousetrap" provided more leveling of the playing field than any judicial ruling that required the removal of a media player, a browser and what not?

How much money has been spent on this stuff?  Has it added security?  Has it provided more competition?  Has it really?

http://www.usdoj.gov/atr/cases/f225600/225691.htm 
Changes to Internet Explorer were delivered to consumers on August 14, 2007, and changes for Windows Media Player were delivered on August 28, 2007. Microsoft plans to incorporate the changes to Windows XP into Service Pack 3 and will make its proposed changes to the code available for review by the TC in the near future.

Somewhere in http://www.microsoft.com/technet/security/bulletin/ms07-045.mspx is something that the DOJ demanded as part of its settlement.  What it is, I don't know.  How it has security impact is debatable.  Questionable, even.  But because some Judge or Attorney who probably still runs Windows 98 and Word Perfect deemed it appropriate, something they deemed as increasing competition is probably in that patch.

I think my favorite read is this section:  http://www.usdoj.gov/atr/cases/f225600/225658.htm  .... titled "The Final Judgments Have Protected the Development of Competing Middleware Products" where they argue that, due to the Judgments, applications and browsers like Firefox, iTunes, Google, and software as a service have been impacted, enhanced and protected by the Final Judgments.

Since the entry of the Final Judgments, there have been a number of developments in the competitive landscape relating to middleware and to PC operating systems generally that suggest that the Final Judgments are accomplishing their stated goal of fostering competitive conditions among middleware products, unimpeded by anticompetitive exclusionary obstacles erected by Microsoft.

To argue that the settlements by the DOJ have in any way impacted the rise of iTunes is laughable.  To argue that the DOJ had a hand in increasing Firefox penetration is hilarious.  THEY BUILT A BETTER PRODUCT THAT SOLVED A NEED.  Basic business 101.  It had nothing to do with the millions of dollars ...potentially billions of dollars that have been spent on these lawsuits.

Is the marketplace changing? 

Do posts like the links at the bottom indicate a mood shift, a reevaluation of the marketplace?  And were a SINGLE one of these posts....  influenced at all by what the Department of Justice did ....or is it all the result of businesses building something for a customer base?   I'd argue that the DOJ/EU judgments did nothing to impact or foster competition.  Sure, the marketplace is moving.  Changing.  It did before and will again.  Technology should evolve.  But it has nothing at all to do with judgments that were made.

So... how much money has really and truly been wasted... in the name of competition and anti-trust... and patent enforcement....and ...well all of that..... and as consumers of software we haven't seen an impact?

Are any of these posts a result of the DOJ settlements/judgments?  Or are they just an acknowledgement that times change and so do businesses?

Posted Thu, Nov 29 2007 17:59 by bradley | 2 comment(s)

So your client bought a Vista Home premium and now you are wanting to tweak it for that setting that allows the Administrator to silently elevate rather than to get the (supposedly) annoying UAC prompt and you are looking for secpol.msc on Vista Home Premium?

And you find out ...it's not there.. so now what?

Regedit and find the section of the Vista registry
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]

Change the value of ConsentPromptBehaviorAdmin to a "0" from the listed "2"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"
"ConsentPromptBehaviorUser"
"EnableInstallerDetection"
"EnableLUA"
"EnableSecureUIAPaths"
"EnableVirtualization"
"PromptOnSecureDesktop"
"ValidateAdminCodeSignatures"
"FilterAdministratorToken"


http://www.computerperformance.co.uk/vista/ConsentPromptBehavior.htm

The AT&T edge sync'd and then it didn't... and I was getting a 0x80072efd error...

Googled.. and it was due to this:  http://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=994379&SiteID=17 

What I realized is that for one reason or another my PDA picked up the office Proxy Server settings.  Once I removed the proxy setting it was able to sync over the air with no problems.

Proxy can be found by going to:

Start
Settings
Connections Tab
Connections Icon
Task
Manage existing connections (Your mobile providers network should appear)
Proxy Settings Tab
Uncheck "This network uses a proxy server to connect to the internet."

Ok

It was picking up the proxy server settings..

Posted Thu, Nov 29 2007 12:40 by bradley | with no comments

http://tech.yahoo.com/blogs/patterson/5383

I was setting up a phone tonight and remembered that I couldn't call the time lady at 767-8900 (also dial-able as pop-corn) any more to check the phone.

California's time lady got deprecated back in September.  Word is they said that the equipment was aging and that time is available in so many other ways.  But the Time lady was one constant for ensuring that time was correct.

At the tone the time will be.... 11:28 p.m. Pacific Standard Time...

<beep>

 

Posted Wed, Nov 28 2007 23:23 by bradley | 3 comment(s)

 

Welcome! We are going to be in your area demoing Microsoft Office Accounting 2008 and answering your questions! Here's a great chance to learn about using this great financial management software and to network with fellow users in your area!

Here's your opportunity to discover the NEW Office Accounting 2008 features and be a part of a fast growing, local community of fellow product users. Please join us for this free event. Refreshments will be provided.

The following topics and opportunities will be included at each session:

> Learn about new Office Accounting 2008 and how it can help better manage your business finances

> Create a networking and support community with your fellow users

> Share stories and best practices about improvements from your previous process

> Help direct Microsoft's future product development by providing feedback on the product or ideas on new feature enhancements

Be a part in establishing a local Office Accounting user group that will meet regularly in each region.

All meetings will be held at regional Microsoft offices; addresses and driving directions can be found on the individual pages at http://www.microsoft.com/about/companyinformation/usaoffices/default.mspx

A Microsoft Office Accounting team member will host the meeting. Please join us and learn how Office Accounting can help save time with everyday financial tasks and grow your business!

City                  Date           Time
Redmond Campus, WA    November 29    6-8pm
Los Angeles, CA       December 4     5-7pm
Denver                December 6     5-7pm
Mountain View, CA     December 6     6-8pm
Las Colinas, TX       December 11    6:30-8:30pm
Downers Grove, IL     December 11    6-8pm
Boston, MA            December 12    5-7pm
Bloomington, MN       December 12    5-7pm
New York City         January 8      3-5pm
Washington DC         January 10     5-7pm

 

Sign up today by emailing Kathy Yakal at oausergroups@msn.com with your name, company, address, date and location desired. If you can't make the meetings but would like to share feedback, please send it to Kathy Yakal at oausergroups@msn.com.

We look forward to seeing you there!

Microsoft Office Accounting Team

Posted Wed, Nov 28 2007 19:38 by bradley | with no comments

There I said it.  I don't normally give up on technology but I've given up on trying to get an AT&T Tilt connected via bluetooth to act like a modem for a laptop.  Instead I will just loan out my wireless card that ALWAYS works.

All of the websites/and boards talked about ... well it works.. but don't forget to reset your phone after using it as it messes up the networking.  Huh?  Why is it with phones these days that the geeks consider what they do to get it to work normal?

It seems to me the cell phones have turned into the new arena of bad customer service lately.  Reminds me of the time that Lily Tomlin did the Ernestine skit where she said "We're the phone company... we don't care!  We don't have to!"

As a customer of AT&T STILL waiting for the promised Windows Mobile 6 upgrade to the Treo 750, I am amazed that once again the Microsoft Mobile platform is being totally slammed by OEMs.  The folks on the forums are googling for bootleg versions of Windows Mobile 6 because they have had it with the vendor saying "soon...soon".

http://forums.cingular.com/cng/board/message?board.id=palm&thread.id=11286&view=by_date_ascending&page=20

Meanwhile we are teaching people how to go download software from untrusted locations.  Way to go vendors. Let's train customers to go to bootleg sites just because they are so darn frustrated with the manner in which you are promising upgrades.

Just yesterday in fact, a fellow MVP who had a cab file that gave a Windows Mobile 6 phone the ability to do RDP was asked to remove it from the file download location. The argument was that it was piracy.

Well excuse me but who is more of the pirate here?  If I'm a large corporate AT&T customer, word is that the upgrade is available.  If so, that makes AT&T more the pirate than their customers.

Sometimes I just don't get business.  Yeah if the goal is to make the customer so frustrated that they will give up and buy the new phones, I guess that's a win for the company, but it's not a good long term win in my book.  Verizon opening up the door to non Verizon phones is a start... a good start.. http://www.eweek.com/article2/0,1895,2222771,00.asp but it's one that should be sooner versus later.

It's funny isn't it that the item called "mobility" is offered by some of the least flexible vendors out there?

“Here at the Phone Company we handle eighty-four billion calls a year. Serving everyone from presidents and kings to scum of the earth. (snort) We realize that every so often you can’t get an operator, for no apparent reason your phone goes out of order [snatches plug out of switchboard], or perhaps you get charged for a call you didn’t make. We don’t care. Watch this [bangs on a switch panel like a cheap piano] just lost Peoria. (snort) You see, this phone system consists of a multibillion-dollar matrix of space-age technology that is so sophisticated, even we can’t handle it. But that’s your problem, isn’t it ? Next time you complain about your phone service, why don’t you try using two Dixie cups with a string. We don’t care. We don’t have to. (snort) We’re the Phone Company!”
– Lily Tomlin, as Ernestine

 

Still needing to get back to those old files after you installed Office 2003 SP3?

http://support.microsoft.com/kb/938810/

Take the contents of this and put it in a text file and save it as officefix.reg, or download the zip file and unzip it.

Or you can use this http://msmvps.com/blogs/bradley/attachment/1367599.ashx downloadable file there.

Click on the file to have it insert the info into your registry.

-----------
REGEDIT4


[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Excel\Security\FileOpenBlock]
"LotusandQuattroFiles"=dword:00000000
"DifandSylkFiles"=dword:00000000


[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\PowerPoint\Security\FileOpenBlock]
"FilesBeforePowerPoint97"=dword:00000000


[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\PowerPoint\Security\FileSaveBlock]
"Converters"=dword:00000000


[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Security\FileOpenBlock]
"FilesBeforeVersion"=dword:00000000


[HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Graphics Filters\Import\CDR]
"Enabled"=dword:00000001

Posted Wed, Nov 28 2007 17:38 by bradley | 7 comment(s)

NEW RELEASES: QuickBooks 2008, 2007 and 2006

We're working hard to get several updates to current versions of QuickBooks ready for you and your clients by the dates shown below. These releases are also for QuickBooks Enterprise Solutions 8, 7, and 6, although for brevity we are listing them by the QuickBooks desktop year only.

QuickBooks 2008, Release 3*

This is a major release. See below for details.

  • Manual Update Planned to Go Live Thursday, Nov. 29.
  • Automatic Update Planned to Go Live Thursday, Dec. 13.
*There is no Release 2 or R2; R3 is the first release to update QuickBooks 2008. The numbering scheme will skip a release if superseded in development. Note: For clients looking to purchase and download QuickBooks 2008 from QuickBooks.com, Release 3 is expected to be available Monday, Dec. 3.

QuickBooks 2007, Release 10**

This is a minor release; detailed release notes will be posted when live.

  • Web and Automatic Update Planned to Go Live Monday, Dec. 10. Minor release; release notes posted when live.
**There is no R9. The prior update was R8. The numbering scheme will skip a release if superseded in development.

QuickBooks 2006, Release 11

  • Web and Automatic Update Planned to Go Live Monday, Dec. 10. Minor release; release notes posted when live.

For all of these releases, check the QuickBooks Support site for Product Updates.

TIP: Use the "Select a Different Product" button to check on a different version of QuickBooks from the version that is your current default.


Improved Reconciliations in QuickBooks 2008 Accountant's Copy

Another Reason to Use Accountant's Copy. When you and your clients update to R3, you will have improved reconciliation functionality in the Accountant's Copy.

With R3, either you or the client or both can reconcile their bank and credit card accounts while the Accountant's Copy is with you. The client's reconciliation of a particular account is saved and will be retained as long as you did not also reconcile the account during the period you worked on the Accountant's Copy. (If you have reconciled the same account as the client, your reconciliation will be retained when the client accepts the Accountant's Copy.)

More Changes in R3. More information on QuickBooks 2008 R3 will be posted with the Web update, which we expect on Nov. 29, 2007. Enhancements and resolutions of known issues are expected for a variety of QuickBooks functions.

Notes:

  1. In its initial release, QuickBooks 2008 allowed a situation where clients could send an Accountant's Copy, then do a reconciliation, and discover the reconciliation was undone when the updated Accountant's Copy was imported. Individually and through various advisor groups, you told us we had to fix this so clients would not see their reconciliations disappear.
  2. In R3, if a ProAdvisor and client should both reconcile the same account while the Accountant's Copy is out with the ProAdvisor, the ProAdvisor's reconciliation will override the client's reconciliation.
  3. With your QuickBooks Premier Accountant Edition 2008, you are able to share an Accountant's Copy with clients in either QuickBooks 2007 or QuickBooks 2008. However, to take advantage of the revamped reconciliation ability identified in this newsletter, the ProAdvisor must have Accountant Edition 2008 R3 and the client QuickBooks 2008 R3.

I wanted to comment on this comment:

Seems like we need some type of grand SBS Unifying Theory. On the one hand, we have this fabulous all-in-one box that is perfectly priced for the small business and brings a plethora of enterprise-worthy capabilities that you could previously only find in a Fortune 500 company.  Easily one of the most transformational of these is remote access, giving workers access to their info and workspaces no matter where they are.

On the other hand, the cadre of talented and intelligent consultants who have built respectable consulting practices on this product are telling us that most of the things that make SBS so compelling are too dangerous to actually be employed.  No RDP!  No VPN! No business data on the SBS box - which would include files as well as databases!  No public web sites!  No FTP!

If the only bang for the buck I can get out of SBS is Exchange, why bother?  I can find a whole truck load of free SMTP and POP mail servers if I want to host my own mail.  

So what's the SBS Grand Unifying Theory?  Because right now it seems that the immoveable object (SBS as a first class all-in-one solution) and the irresistible force (most SBS capabilities are too vulnerable to be exposed on the external network) are in violent conflict with one another.

I didn't say "no RDP"... what I said was no RDP from any ol' external access.  What I mean by this is that generally speaking ONLY the consultant should be doing a direct RDP to the server itself.  Everyone else (and I do mean EVERYONE ELSE) should be using the access that was built for remote access...and that is Remote Web Workplace.

Who said anything about no business data on a SBS box?  I do, as do most of us...and BECAUSE we have business data we make the choice to limit who does unfettered VPN access to the box.  Unless you take the time (and most of us do not) to limit the kind/type/means of VPN access, the person making the connection with their home PC that is probably bot-netted and owned, will make a layer 3 full connection to your network.  Unless you are like Dana Epp of www.scorpionsoft.com and have Windows 2008/RC and Network Access Protection running, what we're doing here is making risk choices.

Yes we can have remote access... but it's limited to who needs it and from what locations and types.

Yes to Remote Web Workplace as that's the safest connection.

Yes to RDP but ONLY to server administrators and limited to their locations.  The entire world does not need to have the ability to try to connect to your server's port 3389.

Why Exchange?  Shared calendars.  Active Sync.  I'm sorry but hosted email is not the same when you have a full on rich Exchange in your own backyard.. pop3 does not cut the mustard.

When hosting websites externally is cheap .. do so.  When hosting ftp externally (as there's not much protecting that password) is cheap, do so.

But you cannot ...and no one is saying to shut off/down/limit Remote Web Workplace to those users that need it (...well.. I do say don't use kiosk computers).

But this isn't about saying "No" all the time.. it's determining what the right balance of risk versus implementation is.  Most SBS capabilities are indeed too vulnerable to expose to everyone in the entire universe...nor would you want to in the Enterprise space as well.....and that's exactly why the consultant doesn't do exactly that.  He or she finds the right balance of exposing some services to full access (RWW) and some to limited access (RDP and VPN).

The balance is different for each client as well.

Does everyone in the entire Internet need access to your server's RDP port?  Nope.  And that's the point that Eriq and Amy were trying to get across.  THEY need access.  The entire world doesn't.

The wonderful thing about SBS is that it's flexible enough to be able to build the right solution for many clients.

Nick MacKechnie's Weblog : MSTSC /console switch in Windows Server 2008 and Windows Vista SP1:
http://blogs.msdn.com/nickmac/archive/2007/11/28/mstsc-console-switch-in-windows-server-2008-and-windows-vista-sp1.aspx

Okay Nick ... I'll buy that but why not make it consistent?

Frank posted ....

XP SP2 and Vista Current version  mstsc /console connects to console, /admin gives Syntax error and lists proper switches.
XP SP3  /console and /admin will both connect you to the console session without error
Vista SP1  /admin connects to Console /console connects to separate session NOT console with no error or warning that you are NOT at console.
 
So why not make it consistent in all the versions so we don't have to remember what works in what version?


 

Posted Tue, Nov 27 2007 20:33 by bradley | 3 comment(s)

Okay so we're going to reuse this blog post:  http://msinfluentials.com/blogs/jesper/archive/2006/09/29/Set-KillBit-on-Arbitrary-ActiveX-Controls-with-Group-Policy.aspx

And we're then going to add this blog post:  http://msmvps.com/blogs/bradley/archive/2007/11/27/apple-quicktime-rtsp-update.aspx

And let's see what we come up with shall we?

Remember our killbits we want to substitute in that blog post per CERT are

{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}
{4063BE15-3B08-470D-A0D5-B37161CFFD69}

And we first begin by downloading the script http://msinfluentials.com/blogs/jesper/attachment/153.ashx

And stealing the steps from the blog post....

  1. Copy the script above (everything between the begin and end tags) and paste it into a new text document. Save the document as "SlayOCX.vbs". Alternatively, just download and expand the SlayOCX_vx.zip file attached to this post.
  2. Copy the SlayOCX.vbs file to \\<your domain>\sysvol\<your domain>\scripts, where you replace "<your domain>" with the full DNS name of your domain.
  3. Open the GPMC (if you do not have the Group Policy Management Console, you need to get it. Strictly speaking you can manage GPOs without it, but you really don't want to)
  4. Right-click the domain or OU where you want to link the GPO - you may as well do it at the domain level - and select "Create and Link a GPO Here..." Name your new GPO "name of GPO"
  5. Right-click the GPO "name of GPO" and select "Edit..."
  6. Expand "Computer Configuration:Windows Settings" and click on "Scripts (Startup/Shutdown)".
  7. Double-click "Startup" in the right-hand pane
  8. Click "Add..."
  9. Browse to \\<your domain>\sysvol\<your domain>\scripts and select "SlayOCX.vbs". Click "Open"
  10. In the "Script Parameters:" box type "-k 02BF25D5-8C17-4B23-BC80-D3488ABDDC6B -l" without the quotes. Click "OK."
  11. Repeat steps 8-10, but this time, type "-k 4063BE15-3B08-470D-A0D5-B37161CFFD69 -l" in the parameters box.
  12. Click "OK" again.
  13. Close the GPO editor and go back to the GPMC
  14. In the "Security Filtering" pane remove "Authenticated Users" and click Add...
  15. In the text box called "Enter the object name..." type "Domain Computers" or some other relevant group that you want to apply the policy to. Click OK.

The script should be run as a startup script, not as a logon script. Unregistering an ActiveX control is an administrative action, and as users should not be administrators, the script will not work properly as a logon script. Needless to say, this also means you have to restart the computer for the script to take effect if you run it from a GPO.

.......

Okay let's see if this works...

I unzipped the zip file and named it SlayOCX.vbs

I copied the file to \\nameofserver\sysvol\domainname\scripts

I opened the GPMC, and at the domain level I right mouse clicked and clicked on "Create and Link a GPO Here"

I named it EnableKillbitQT1 so I'd know it's the first Quicktime Killbit

I then clicked on Edit, and drilled to "Computer configuration:  Windows Settings" and then on "Scripts" (Startup/Shutdown)

I clicked add

I browsed to the \scripts folder and added the SlayOCX.vbs

In the script parameters box I typed in  -k 02BF25D5-8C17-4B23-BC80-D3488ABDDC6B -l

I changed the authenticated users to domain computers..you'll need to click on the objects and add computers in order to get domain computers in the list

I did it all over again, this time typing in -k 4063BE15-3B08-470D-A0D5-B37161CFFD69 -l in the script parameters box

While I'm in the neighborhood.. let's build two more group policy settings to reregister the ActiveX once Apple gets their act together for a patch.

-r 02BF25D5-8C17-4B23-BC80-D3488ABDDC6B -l

-r 4063BE15-3B08-470D-A0D5-B37161CFFD69 -l

This time putting "r"s in front of the Script parameters.

Ensure that the group policy's "Link enabled" is not checked so that they don't kick in. (you'll enable and disable the other ones when you need to put them back)

Type in gpupdate /force to kick in the policy... and now let me reboot and see if it worked (if you don't hear back from me in a few minutes I probably just blew up the network)

P.S.  survived.... and the Apple Leopard demo small movie won't run now so I guess it's working as expected ;-)

Posted Tue, Nov 27 2007 17:51 by bradley | with no comments

Are you evaluating the risk of the recent Apple Quicktime Zero day?  Taking any action? 

Errata Security: Apple Quicktime RTSP update:
http://erratasec.blogspot.com/2007/11/apple-quicktime-rtsp-update.html 

"We are also receiving some scattered reports that it is showing up in the wild but have not been able to validate them. Because malicious code can be embedded so many different ways it is advisable to follow the US Cert suggestions here or remove QuickTime completely. "
 
Options for action are as follows:

Block the rtsp:// protocol

Blocking the RTSP protocol with proxy or firewall rules may help mitigate this vulnerability. Note that RTSP (default 554/tcp and 6970-6999/udp) may use a variety of port numbers, so blocking the protocol based on a particular port may not be sufficient.

Disable the QuickTime ActiveX controls in Internet Explorer

The QuickTime ActiveX controls can be disabled in Internet Explorer by setting the kill bit for the following CLSIDs:

    {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}
    {4063BE15-3B08-470D-A0D5-B37161CFFD69}

More information about how to set the kill bit is available in Microsoft Support Document 240797. Alternatively, the following text can be saved as a .REG file and imported to set the kill bit for these controls:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}]
    "Compatibility Flags"=dword:00000400

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{4063BE15-3B08-470D-A0D5-B37161CFFD69}]
    "Compatibility Flags"=dword:00000400

Disable the QuickTime plug-in for Mozilla-based browsers

Users of Mozilla-based browsers, such as Firefox can disable the QuickTime plugin, as specified in the PluginDoc article Uninstalling Plugins.

Disable file association for QuickTime files

Disable the file association for QuickTime file types to help prevent windows applications from using Apple QuickTime to open QuickTime files. This can be accomplished by deleting the following registry keys:

    HKEY_CLASSES_ROOT\QuickTime.*

This will remove the association for approximately 32 file types that are configured to open with the QuickTime Player software.

Disable JavaScript

For instructions on how to disable JavaScript, please refer to the Securing Your Web Browser document. This can help prevent some attack techniques that use the QuickTime plug-in or ActiveX control.

Do not access QuickTime files from untrusted sources

Attackers may host malicious QuickTime files on web sites. In order to convince users to visit their sites, those attackers often use a variety of techniques to create misleading links including URL encoding, IP address variations, long URLs, and intentional misspellings. Do not click on unsolicited links received in email, instant messages, web forums, or internet relay chat (IRC) channels. Type URLs directly into the browser to avoid these misleading links. While these are generally good security practices, following these behaviors will not prevent exploitation of this vulnerability in all cases, particularly if a trusted site has been compromised or allows cross-site scripting.
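
To confirm on a workstation that the kill bits are actually in place, whether they came from the .REG text above or from the GPO startup script in the post further up this page, the following added example reads the Compatibility Flags value for the two CLSIDs. It is not part of the CERT text or of SlayOCX.vbs; for the GPO route it assumes the script sets the same Compatibility Flags value, which this page does not show, and the function name Test-KillBit is made up for the example.

```powershell
# Added example: reports whether the IE kill bit is set for the two QuickTime
# CLSIDs listed above. Read-only; run it on the workstation being checked.

$KillBit = 0x400    # the "Compatibility Flags" value from the .REG text above
$Clsids  = '{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}',
           '{4063BE15-3B08-470D-A0D5-B37161CFFD69}'

# 64-bit Windows keeps a separate 32-bit view of this key, and 32-bit Internet
# Explorer reads that one, so both views are checked when present. Run from a
# 64-bit PowerShell session on 64-bit Windows to see both.
$Roots = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
         'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'

function Test-KillBit {
    param([string] $Root, [string] $Clsid)

    $key   = Join-Path -Path $Root -ChildPath $Clsid
    $flags = $null
    if (Test-Path -LiteralPath $key) {
        $flags = (Get-ItemProperty -LiteralPath $key).'Compatibility Flags'
    }
    [pscustomobject]@{
        Clsid  = $Clsid
        View   = if ($Root -like '*WOW6432Node*') { '32-bit' } else { 'native' }
        Flags  = if ($null -eq $flags) { '(not set)' } else { '0x{0:X8}' -f $flags }
        # A key that has other flags but lacks 0x400 does not block the control.
        Killed = ($null -ne $flags) -and (($flags -band $KillBit) -eq $KillBit)
    }
}

$report = foreach ($root in @($Roots | Where-Object { Test-Path -LiteralPath $_ })) {
    foreach ($clsid in $Clsids) { Test-KillBit -Root $root -Clsid $clsid }
}
$report | Format-Table -AutoSize

$open = @($report | Where-Object { -not $_.Killed })
if ($open.Count -gt 0) {
    Write-Warning ('{0} CLSID/view combination(s) have no kill bit set.' -f $open.Count)
}
```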

Posted Tue, Nov 27 2007 12:12 by bradley | with no comments

Mark blogs about the Sharepoint toolkit that's finally been released!

For those that went to the World Wide Partner conference, this is the download version of the Sharepoint CDrom that was handed out.

SBSC & MSP Buzz » Blog Archive » Windows Sharepoint Services 3.0 Starter Kit:
http://sbsc.techcareteam.com/archives/125

Posted Mon, Nov 26 2007 12:13 by bradley | with no comments

Chris reminded me while we were in AU of the adjustment he made to the backup program in SBS.... 

Here’s my blog article on modifying bkprunner.exe to use /FU to restore SBS performance when backing up to file: http://chrisara.blogspot.com/2007/09/modifying-sbs-2003-sp1s-bkprunnerexe.html

The reason for /FU is documented here:

http://support.microsoft.com/kb/839272

One disappointment was that I was unable to meet up with Sandi as she's just as passionate about security as I am.  But like many of us, sometimes community has to definitely take a back seat to one's job and a career.

Wayne's recent post is a reminder that sometimes hard choices have to be made... http://blog.sbsfaq.com/Lists/Posts/Post.aspx?ID=63

Posted Sun, Nov 25 2007 23:38 by bradley | 1 comment(s)

http://chrisara.blogspot.com/2007/11/dangers-of-public-display-terminal.html

That is just so wrong in so many ways.

No least privilege.  No caring about security... it astounds me how many times I see computers in states that are just not acceptable in business while traveling.

Like Chris said, it reminded him of what Amy and Eriq said about how domain admins ESPECIALLY need to be aware of least privilege.

Posted Sun, Nov 25 2007 23:32 by bradley | with no comments

Maybelline's Great Lash Mascara is only Great for about 9.5 hours of a 13 hour flight.  After that it starts sliding down your face in a not so great way.

When asked "Did you bring any food into the Country?" and you answer to the customs gentlemen, "well, yes if you count Vegemite food" and he just smiled.

Sydney's airport you leave your shoes on.   USA you have to take them off before going through security.  Seems to me that this should be uniform?  Wouldn't shoe risk be universal?

I really would pay big time right now...not for a shower..but for a manicure.  I'm starting to get stuck in the keys with my long nails.

 

Posted Sun, Nov 25 2007 14:41 by bradley | with no comments