THE OFFICIAL BLOG OF THE SBS "DIVA" : Security

I'm going naked

bradley — Thu, 03 Dec 2009 03:45:00 GMT

.... on my server when it comes to Antivirus. Yes you read that right. Why? Because at this point in time I really feel that my antivirus vendors are putting me more at risk with the software on than off.

Why do I say this? Because I don't trust antivirus anymore. At least not on my Servers these days. Sure the fix for the tdi.sys is now included in SP2, but I am really questioning why we knee jerk install antivirus on the servers these days. For sure not on hyperV boxes that should only be HyperV and nothing else in that role.

But even for SBS boxes... I'm going naked.

If we have mail hygiene in the front...

If we have antivirus on the workstations....

If we have a firewall that is a business class that is used to block sites appropriately....

If we use Opendns to additionally filter....

If we move our workstations to not have local administrator rights (I mean you have to go out of your way in SBS 2008 to get local admin)

I know you'll say ... but Susan it's belts and suspenders.

But I don't TRUST that belt and I sure don't TRUST that suspender. I don't want a firewall driver on my server that ALREADY has a firewall that works. I don't want software that doesn't stop the rogue antivirus. I'm using other defensive means

So when you build your SBS 2008 boxes, make sure SP2 is on there first and foremost. It will only MU/WU down when all other "Important" patches are hidden or installed. Manually download it if you must. Get it on the box... THEN... sit back and decide if the risk of that antivirus software is really and truly worth it. Don't knee jerk install it just because...because it quite frankly doesn't make as much sense anymore.

Okay so what KSOD?

bradley — Tue, 01 Dec 2009 02:56:00 GMT

I'm not saying that there isn't historical issues with the black screen of death (aka KSOD) that Mark Crall probably lost a few dents in his head to a few months back, but tonight as the Techmeme articles are parroting the "Latest Microsoft Patches cause black screen of death", I'm asking ...okay are all of the folks supposedly impacted by this not calling in, not posting in a newsgroup, not posting in a forum and only silently suffering?

I will be the first to eat crow (rather than leftover turkey) if something comes out of this, but right now I'm doubting Thomas for sure.

Microsoft investigates Windows 'black screen of death' triggered by recent security updates | Security - InfoWorld:
http://www.infoworld.com/t/security/microsoft-investigates-windows-black-screen-death-triggered-recent-security-updates-424

"Searches of Microsoft's support forums today, for example, turned up only one "black screen" thread with posts after the Nov. 10 security updates had been released. Four different users on that Windows 7-specific thread said that they faced a blank screen."

Microsoft investigating 'black screen of death' | Beyond Binary - CNET News:
http://news.cnet.com/8301-13860_3-10406369-56.html

"So this is a problem that ostensibly would have happened 20 days ago? Does it happen right away, or under certain circumstances.

Cause if its supposed to happen right away, I'm sure we would have heard about it before a press release from a software vendor. People love to jump on any problems that MS has, I'm surprised it would have stayed quiet for 3 weeks."

"I loved this line from the link "If you Google Black Screen then you will find a whopping 80Million plus results" except all but the computer world article and Cnet article are between 1 and 5 years old."

I felt naked....

bradley — Mon, 30 Nov 2009 07:12:00 GMT

And now I'm not .....

Now protecting the RWW access (especially for the administrator account)...

And the cool thing is that I can now use iPhones and Windows mobile phones to be portable softtokens

I've also added the protection to the RDP access to the server so that it's not open. Mind you I already limited the RDP access to certain IP addresses, but this tightens up security that much more.

And you can extend the password policy and let people change them LESS often to then ensure that they choose better passwords.

Your mailbox has been deactivated

bradley — Mon, 16 Nov 2009 20:29:00 GMT

The zip file attached has a low detection at this time...

Subject:    your mailbox has been deactivated
Date:    Mon, 16 Nov 2009 21:26:25 +0100
From:    support@msmvps.com <support@msmvps.com>
To:    <administrator@msmvps.com>

We are contacting you in regards to an unusual activity that was identified in your mailbox. As a result, your mailbox has been deactivated. To restore your mailbox, you are required to extract and run the attached mailbox utility.

Best regards, msmvps.com technical support.

Virustotal. MD5: 6d0898ff5ea2a6581f1ca3fdd55d840d Trojan.Dropper Win32:Trojan-gen Trojan.Agent-128597:
http://www.virustotal.com/analisis/6399729d05ff10775fa1e068369d1433e7173680d00ce00a6bb33e6fbed31970-1258403165

Yes today is Patch Tuesday

bradley — Tue, 10 Nov 2009 20:16:00 GMT

Seen on a Zdnet ad today... yes on Patch Tuesday.

Switch from Microsoft Exchange to Google Apps:
http://www.google.com/apps/intl/en/business/switch_exchange.html

Mind you the google love affair isn't with everyone...

http://www.crn.com/software/221600713;jsessionid=C5XJFRLZLPDQJQE1GHPSKHWATMY32JVN?pgno=1

For solution providers, however, Google has been a different type of 
disruptor. Back in January, Google unveiled a reseller program 
http://www.crn.com/software/212900623  for Google Apps Premier 
Edition and Google executives declared that would put them on equal 
footing with Microsoft in the channel. But VARs that have tried to work 
with Google say the company has offered little to back up this claim.

"They wasted weeks of our time, asked us to do their homework for them, 
paid us for none of our time and effort, and then awarded the business 
to someone else that hadn't put in any of this time and effort," said 
Daniel Duffy, CEO of Valley Network Solutions, a Microsoft Gold partner 
in Fresno, Calif. "In many ways, Google is exactly like Microsoft at its 
worst -- behaving badly, acting like a schoolyard bully, and taking 
advantage of others just because they can."

But regardless today "is" Patch Tuesday and you should be reading

The Microsoft Security Response Center (MSRC) : November 2009 Security Bulletin Release:
http://blogs.technet.com/msrc/archive/2009/11/10/november-2009-security-bulletin-release.aspx

Security Research & Defense : Details on the License Logging Service vulnerability:
http://blogs.technet.com/srd/archive/2009/11/10/details-on-the-license-logging-service-vulnerability.aspx

Security Research & Defense : Vulnerability in Web Services on Devices (WSD) API:
http://blogs.technet.com/srd/archive/2009/11/10/vulnerability-in-web-services-on-devices-wsd-api.aspx

Security Research & Defense : Font Directory Entry Parsing Vulnerability In win32k.sys:
http://blogs.technet.com/srd/archive/2009/11/10/font-directory-entry-parsing-vulnerability-in-win32k-sys.aspx

So you have an app you want on Win7 and you don't want it to throw off a UAC warning?

bradley — Wed, 04 Nov 2009 02:59:00 GMT

So you have an app you want on Win7 and you don't want it to throw off a UAC warning?

LUAbuglight it!

Find the offensive permission sticking part of the program and adjust the registry permissions or file permissions. Very very very cool tool. I'll blog it in action later.

http://blogs.msdn.com/aaron_margosis/pages/LuaBuglight.aspx

LUA Buglight 2.1 is here. LUA Buglight identifies admin-permissions issues ("LUA bugs") in desktop applications. I've made a lot of changes to LUA Buglight since the last "2.0 Preview" that I posted, so the version number has been bumped up:

Support for Windows 7, Vista and XP, and corresponding Servers (2008 R2, 2008, 2003)
Support for x64 (except on XP/2003)
Completely revamped Reporter -- streamlined and with more detailed results

Note: The new Reporter has necessitated a new file format, so the new Buglight cannot read reports generated from older versions of Buglight.

One thing that is seriously missing is documentation -- I hope to have that posted here in some form soon. The basics:

On XP/2003, you need to run it as a standard user, and you need the username/password for an administrative account; on Vista and higher, you need to run it non-elevated as a member of the Administrators group, with UAC and admin-approval mode enabled.
Tell it what program to run, then run it. Whenever your app performs an action that fails unelevated, it will repeat the operation with admin rights before returning control back to the program. If it fails without admin rights and succeeds with admin rights, details about that operation get logged.
Click the "Stop Logging" button to close the log file; by default this will also open the Reporter and show the results.

Another feature that isn't present yet is that while LUA Buglight does an excellent job of identifying when a program performs operations that succeed only when run as administrator, right now it doesn't provide the details to fix it if you can't modify the source code. My plan is to turn that into a community effort by documenting the report's XML format and then providing some PowerShell scripts that process the results and point to app-compat shims, permissions changes, or other mitigations for the identified problems.

I wish I could work on LUA Buglight full time, but it's an unfunded, spare-time effort, outside of my day job. I know that LUA Buglight would be a lot more useful with documentation, but it's more useful posted without documentation than it is not posted at all waiting for me to write up documentation.

More information will be posted to this blog.

Net patch gets offered up all by itself

bradley — Tue, 03 Nov 2009 06:09:00 GMT

One of the recent changes to the net family patches is now 951847 is offered up all by itself on Microsoft Update.

If you are deploying patches in other ways, it's a wise idea to take from Microsoft update.

Just do that one all by itself.

So what if you have an older version of Quickbooks that they are not patching?

bradley — Sun, 01 Nov 2009 23:59:00 GMT

How to fix a potential security issue in QuickBooks 2007, 2008, and 2009. - THE OFFICIAL BLOG OF THE SBS "DIVA":
http://msmvps.com/blogs/bradley/archive/2009/11/01/how-to-fix-a-potential-security-issue-in-quickbooks-2007-2008-and-2009.aspx

So... what do you do about this for older versions of Quickbooks that won't get patched?

1. Urge your client base to upgrade to start with as they won't be patching older versions of the ActiveX.

2. Uninstall older versions

3. If you don't want to uninstall older versions, as uninstalling 10 years of Quickbooks is a bit daunting, the you can set a Killbit

4. To set it via a reg key, see the download here:
http://msmvps.com/media/p/1736945.aspx

Or you can copy this text and put it in a reg file (if you aren't comfy downloading a file from a blog site)

=============copy from here=================
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{596801D8-2C9D-4627-9C67-195CB81B655A}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{03C3A013-02F2-4e56-87A8-B74A7C5DC75B}]
"Compatibility Flags?=dword:00000400
=============to here=======================

5. To set it via group policy see this:
The GPOGUY-- Group Policy Blog: ActiveX Killbits and Group Policy:
http://sdmsoftware.com/blog/2009/07/activex_killbits_and_group_pol.html

What you are doing is setting a killbit like here: How to stop an ActiveX control from running in Internet Explorer:
http://support.microsoft.com/kb/240797

If you need to undo this, then go into the registry and remove the killbits you set.

How to fix a potential security issue in QuickBooks 2007, 2008, and 2009.

bradley — Sun, 01 Nov 2009 23:51:00 GMT

How to fix a potential security issue in QuickBooks 2007, 2008, and 2009. See Web version.

	FIX FOR POTENTIAL ACTIVEX VULNERABILITY

	Dear Susan Bradley, We've recently released a fix to address a potential security vulnerability within QuickBooks. The issue was related to the use of ActiveX technology in some versions of QuickBooks. On learning about the issue, we fixed the problem, tested the fixes within the identified versions of the software, and have released updates that will address the vulnerabilities. We are unaware of any customers affected. Identified versions are the Windows desktop versions of Intuit® Quickbooks® 2007 through 2009 Simple Start, Pro, Premier and Enterprise Solutions 7.0, 8.0, and 9.0. What Is ActiveX? ActiveX is a distributed object system and protocol technology developed by Microsoft. Microsoft updates its implementation of ActiveX controls from time to time through scheduled security updates. Many software and Web companies use ActiveX in their offerings. Important: If exploited, this vulnerability could allow a hacker to access the data on the user's computer. Therefore ProAdvisors will want to make sure that clients follow through with installing recent updates.

	IF YOU HAVE CLIENTS IN QUICKBOOKS 2007, 2008, or 2009

	Requested Action. Where possible and appropriate, please encourage your clients to update their QuickBooks software. Public Announcements. Clients who are registered owners of QuickBooks 2007, 2009, and 2009 are likely to receive direct notification from Intuit. Please be prepared to answer their questions and continue to encourage them to keep their versions of QuickBooks updated with the most current release. Please remind all of your clients to keep their software updated. Not all QuickBooks users are registered with Intuit; some may not receive a direct notification.

	TWO FILES NOW PROTECTED

	With current releases, two ActiveX controls are now protected that would otherwise retain potential vulnerabilities: HtmlHelper.dll QBInstanceFinder.dll For the identified versions of QuickBooks, enabling and approving automatic updates, or manually downloading the update and then applying the updates, will eliminate potential risk.

	WHERE TO FIND THE QUICKBOOKS UPDATES

	For information on the most recent updates available for QuickBooks 2007, 2008, and 2009, including access to manual downloads, can be found at this link; users are asked to identify the product they need to update: http://support.quickbooks.intuit.com/support/productupdates.aspx Some clients may appreciate a reminder where they can learn more about the most current releases for their U.S. products. Versions in Other Countries In rare cases, some U.S. ProAdvisors may have clients who work with a Canadian or United Kingdom version of QuickBooks. Information on these versions follows: Canadian customers can download the patch from these sites: QuickBooks: http://support.intuit.ca/quickbooks/en-ca/kb/update/update-quickbooks-to-new-product-update/Update_main.html SuccesPME customers can download the patch from: http://support.intuit.ca/succespme/fr-ca/kb/update/update-quickbooks-to-new-product-update/Update_main.html United Kingdom customers can download the patch from this site: http://support.intuit.co.uk/quickbooks/en-gb/kb/update/update-quickbooks-to-new-product-update/Update_main.html Technical Support Contact Information QuickBooks ProAdvisors looking for technical support are directed to the support site for accounting professionals at http://accountant.intuit.com/support/support.aspx Technical support for non-U.S. versions of QUickBooks can be found following: Canadian customers please visit us at http://support.intuit.ca/quickbooks/index.jsp French Canadian customers please visit us at http://support.intuit.ca/succespme/index.jsp U.K. customers please visit us at http://support.intuit.co.uk/quickbooks/index.jsp

	COORDINATED EFFORT WITH OTHER AGENCIES

	As a further precaution, we will coordinate release of this information with US-CERT (http://www.cert.org) and with Microsoft, for a future release within their regular security updates for ActiveX control configuration. However, at this time, downloading Intuit’s patch is the only immediate way to eliminate the vulnerability in our currently supported versions of QuickBooks.

	THANKS FOR HELPING YOUR CLIENTS

	We may not say it often enough, but thanks for helping clients get the most out of QuickBooks software. We greatly appreciate the role you play in providing your clients with a superior experience using QuickBooks. As to the current issue, we have included some FAQs for your reference. Sincerely, ~ Your ProAdvisor Team,

	FOR YOU: FREQUENTLY ASKED QUESTIONS (FAQs)

	Questions Specific to Your Role as ProAdvisor We know you are likely to be running multiple versions of the software, each in its own directory. As much as possible, the following questions have been posed and answered in anticipation of your needs in supporting multiple clients on multiple versions of QuickBooks. We also include some additional questions that clients may have for you that are not directly addressed in the security alert that will be coming their way. Several terms used: Intuit updates its software from time to time by releasing software patches. Each update or patch is given a Release number for easy identification. In the notes that follow, you may see the term update, release, or patch, depending on the context, used interchangeably. FAQ1. Are any other Intuit products subject to this vulnerability? A1. At this time and to the best of our knowledge, other Intuit products do not have this vulnerability. If we learn otherwise, we will provide further guidance as soon as possible. FAQ2. Does this issue affect QuickBooks 2010? A2. No. Neither QuickBooks 2010, nor Enterprise Solutions 10.0, released in September 2009, are exposed to this vulnerability. Of course, we still encourage users to accept the most current releases for the software. FAQ3. What are the updates or releases that are required for 2007, 2008, and 2009? A3. Releases are cumulative in nature, and over time the most current release will have even a higher number. But for each of the following versions of QuickBooks, the release number shown marks the first introduction of the resolution of the security vulnerability: QuickBooks 2009: R8 QuickBooks 2008: R10 QuickBooks 2007: R13 The updates are also requested for the following versions of Enterprise Solutions: 7.0, 8.0, and 9.0. FAQ4. What if I have multiple Intuit products? Do I need to download and install the patch for each one? A4. If you have installed more than one of the identified versions of Quickbooks (2007-2009), you should apply patches for each version. This is because there are unique updates for each version to address the HtmlHelper.dll file. (The QBInstanceFinder.dll file is in the Common Programs folder, and one update will update all installed versions for that DLL file.) FAQ5. Are older versions of QuickBooks, that is, QuickBooks 2006 or earlier, subject to the ActiveX vulnerability? A5: Yes. Because these earlier versions are no longer supported, Intuit is unable to provide a tested solution to the vulnerability. See also the next two related questions. FAQ6. What if my client is still running an earlier, nonsupported version of QuickBooks? A6. Intuit strongly recommends that all users move to a currently supported version of QuickBooks. This recommendation will be clearly stated in the Intuit communications going to your clients on the topic. The Frequently Asked Questions that are meant to be posted for the benefit of QuickBooks users will also identify this need in the face of the potential vulnerability of QuickBooks 2006 and earlier. This means that there is no good solution to recommend to clients who continue to run QuickBooks 2006 and earlier, and the ProAdvisors who may grudgingly support them. Possibly the potential vulnerability will encourage such clients to upgrade at this time. So-Called "Kill Bit" Solution Not Recommended. In the case of systems administrators of networks where QuickBooks may have once been installed but is no longer used, Intuit has prepared some instructions that involve editing the Registry to disable calls to the Internet Browser. See here. Sometimes this approach is informally called the "kill bit" solution. NOT Recommended for Clients. This solution is not recommended for clients running an earlier version of QuickBooks. Besides the riskiness of editing the Windows registry, the kill bit solution has not been tested in earlier versions and could possibly interfere with some areas of functionality. Especially NOT Recommended for ProAdvisors. For ProAdvisors running multiple versions of QuickBooks, including QuickBooks 2006 and earlier, the kill bit solution is not recommended for the above reasons and also because the solution would also disable one of the DLL files used by ALL versions of QuickBooks, including those otherwise updated. Developing: Please understand that Microsoft continues to work on security updates for its ActiveX implementation, so more general solutions may be forthcoming from that source. If so, those general solutions may address vulnerabilities in QuickBooks 2006 and earlier. FAQ7. If I run an update for QuickBooks 2007, 2008, or 2009, won't that resolve the problem for ALL versions using the ActiveX controls? Including 2006 and earlier? A7. No. Of the two ActiveX control files identified above, one is maintained in common across versions of QuickBooks, but the other is specific to each QuickBooks version. Therefore running an update for one of the recent versions of QuickBooks does not remove the potential vulnerability for an earlier version of QuickBooks. FAQ8. I have one or more clients who are using a version of QuickBooks from outside the United States. What should I do? A8. The U.S. version of QuickBooks has cousins developed for local markets in Canada, the United Kingdom, Australia, and South Africa. The security issue is being addressed for these versions too; for more information, see the Support websites for these versions. See also the list of versions in the question below, on "How do I make sure I have the patch?" In the answer, we list specific versions from these countries. Websites for downloading the update for several countries are shown above. The following phone numbers are also available: Canadian customers: 1-888-829-1722 U.K. customers: 0845 606 2161

	FOR CLIENTS: FREQUENTLY ASKED QUESTIONS (FAQs)

	Anticipated Questions Posted for All Users For your reference, here are the FAQs posted for all users by Intuit about the security updates. Q1. What if I've uninstalled one of these products and no longer use it? Do I still need the patch? A1. If you have uninstalled QuickBooks, you should not be vulnerable to these vulnerabilities. If you have installed multiple versions of QuickBooks, you will be vulnerable if any affected version is still installed. Uninstalling all affected versions of the software will remove the vulnerability from your system. Q2. How do I download and install the update? A2. All users of an identified version of QuickBooks should download the security update at: http://support.quickbooks.intuit.com/Support/ProductUpdates.aspx. Canadian users can also download the update from: http://support.intuit.ca/quickbooks/en-ca/kb/update/update-quickbooks-to-new-product-update/Update_main.html When the page appears: Choose your product by clicking the product selector link. Click the Update button to start the download and click Go. Select Open or Run This Program from its Current Location to begin installing the update immediately. Restarting your computer is not required. If you don'rt have time to install the update, you can select Save or Save This Program to Disk and the update file, called qbwebpatch.exe, will download to your hard drive. You'll need to open that file to run the update. Q3. How do I check that the security update has been applied? A3. To make sure the patch has been applied and is installed on your system, open QuickBooks, and press the F2 key. In the display, you should see the product version information in the first line. Versions of QuickBooks with the patches applied are the following: QuickBooks 2009 R8 US QuickBooks 2008 R10 US QuickBooks 2007 R13 US QuickBooks 2006 R12 UK QuickBooks 2008 R12 UK QuickBooks 2009 R6 CAN QuickBooks 2008 R8 CAN QuickBooks MC R24 CAN QuickBooks 2009 French R6 CAN QuickBooks 2007 French R7 CAN QuickBooks 2009/10 AU (v18) Q4. What operating systems are supported? A4. The security update is available for all operating systems used by any identified versions of the Quickbooks applications: Windows XP, Windows Vista, and Windows 2000. [If you are running Windows 98 or Windows ME, you need to have Internet Explorer 6.0 or later installed before you can install the update. Go to the Internet Explorer 6 Downloads Web page to install a more recent version of IE. ] Note: Intuit products for Apple MacOS X are not affected. Q5: What if I have multiple Intuit products? Do I need to download and install the update for each one? A5. If you have installed more than one identified version of Quickbooks, you should apply an update for each version. Q6. I still have a trial version of Quickbooks installed on my system. Do I still need to apply the security update? A6. Yes. If you have any trial versions of one of the identified versions of Quickbooks installed on your system, you should download and install the security update. Q7. I only use the Internet on a periodic basis. Do I still need to download the security update? A7. Yes. If you installed an identified version of Quickbooks on your computer, the vulnerability poses a security risk regardless of whether you are currently connected to the Internet. We recommend that all users of an identified version download and install the security update. Q8. How do I ensure that my computer has not already been compromised? A8. If you have anti-virus software installed and have updates run automatically, the anti-virus software should detect the presence of any malware on your computer. If you want to determine if your computer has malware on it, run a complete scan of your computer using an anti-virus software product. Q9. I'm the administrator of my office network. Some machines have had QuickBooks installed at some point but don't any longer, and aren't getting automatic updates. What should I do to secure my network? A9. If you have had QuickBooks installed on some computers at some point, and are no longer running QuickBooks on those machines and receiving automatic updates, you can secure these machines by following these steps to edit the Windows Registry. Please back up the Registry before you implement the following changes: Copy the following text to a file with the ".REG" suffix. Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{596801D8-2C9D-4627-9C67-195CB81B655A}] "Compatibility Flags"=dword:00000400 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{03C3A013-02F2-4e56-87A8-B74A7C5DC75B}] "Compatibility Flags?=dword:00000400 Import this into the registry by double-clicking on the .REG file and it will automatically be imported. This will disable the affected ActiveX controls. Q10. What if I use QuickBooks 2006 or a previous version? A10. Intuit wants your data to be safe. We recommend you upgrade to a newer version of QuickBooks (2007 or later) as soon as possible and follow the instructions to update that version. QuickBooks 2006 and prior versions are no longer supported and Intuit does not release updates for these products.

© 2009 Intuit Inc. All rights reserved. Intuit, the Intuit logo, Intuit ProConnection, Intuit ProLine, EasyACCT, Lacerte, ProSeries, QuickBooks, QuickBooks ProAdvisor, Quicken, and TurboTax, among others, are trademarks, registered trademarks and/or registered service marks of Intuit Inc. in the United States and other countries. Other parties' trademarks or service marks are the property of their respective owners and should be treated as such.

Program terms and conditions, pricing, features and service options are subject to change without notice.

This newsletter is provided as a convenience for our customers and is not intended to supplement, modify, or extend the Intuit software license agreement between Intuit and the customer for any Intuit product or service. Terms and conditions subject to change without notice.

If you would like to change your e-mail address in our database, please update your QuickBooks ProAdvisor Profile. Each newsletter or alert is mailed using the most recent listing in the ProAdvisor Database.

If you receive an e-mail message that appears to come from Intuit but that you suspect is a phishing e-mail, please forward it immediately to security@intuit.com.

Intuit Inc., Customer Communications, 2800 E. Commerce Center Place, Tucson, AZ 85706

Too much, too little, maybe just right?

bradley — Sun, 01 Nov 2009 03:54:00 GMT

For the past two years since we started rolling out Vista, I've felt like Goldilocks. I can't find an antivirus software I like. Trend was my choice until it started putting a firewall in there that made it not quite right. Then I was testing out Nod32 and it nearly was my choice until it too started to have known issues with iTunes and network icon interference.

So in addition to the desktop icon review tonight, I'm starting the process of removal of the various antivirus' I've been testing on various machines and starting to standardize on the one that I think will be the one I choose. But I want a wider beta so I'm going to be installing it on more machines. What is the maybe, hopefully, possibly just right antivirus? I'm leaning towards Forefront client security now. For those who have home users or home businesses, the Microsoft security essentials is my current choice of antivirus. Notice I didn't say "free" antivirus, I said antivirus. It's discouraging when we're paying annual subscriptions to products that are not catching rogue antivirus, causing slow downs of our systems, and in general, if they were operating systems, we'd be a lot more upset than we are right now.

So before you ask, can the management console of Forefront go on SBS 2008? Nope. Can't. But this is part of my larger test to see if the native notification of antivirus status is good enough for this Goldilocks.

I'll let you know how this fairy tale ends.

UAC on a Server

bradley — Thu, 29 Oct 2009 06:41:00 GMT

Sometimes (okay a lot of times) I have this annoying streak where I want people to ask themselves if there is a true risk to what they are doing. Too many times in security we turn knobs and do things just because some tool said so or some article said we all must do it. And I'm guilty of it too. The "best practices" mantra.

Sometimes the best practice of all is to patch yourself... as in patch your own stupidity.

Some people may freak out about what I'm about to post. Some people may question why I feel this way, but from day one I've cringed at that UAC on SBS 2008 and felt that if it annoyed me a little bit when I was working on the server, it certainly would be annoying to others. So today when I got this email....

With SBS2008 deployments we are finding UAC to be a pain whenever you need to change ini or script files etc from inside a folder that is secured be administrator group permissions rather than explicitly applied to the user account. Now I can accept this is UAC doing its thing and thats ok but the only way I have found to get around this is running notepad as administrator and then I can change the files as I need; the problem is, is that having to navigate through folders in this manner when trying to make changes to several config files is pretty clunky (in a recent sbs 08 deployment we had to disable uac and restart it to do all the changes to 30 odd ini files for an app that is used). I’m overly interested in changing folder permissions explicitly to get around this; have you got any thoughts of how we might get around this?

Thanks for your time.

It reminded me of that cringing I personally do and it made me once again question the sanity of this setting. UAC first and foremost is a tool to beat vendors over the head to write code better. That's it's basic goal in life. It's not to annoy you (even though for many of you in Vista it does a darn fine job of that), it's not there as a security boundary, it's there as a virtual 2x4 to hit some sense into coders that DEMANDED admin rights.

When you are on a server and ESPECIALLY as you set it up, what are you? You are an admin. You are god. You need to be in your "patched for stupid" mode. UAC is there more for the desktop, right? Intially I said that I wasn't going to beat anyone up they adjusted UAC down to silently elevate as I said I liked protected mode on. But there was a flaw in my thinking. There are times that there are apps on a server that many not behave with UAC is silently elevate mode and it may end up that it won't tell you if it needs RunAs or true admin rights and you'll be banging your head against a wall.

So fasten your seat belt because here I go more into a religious security position. I won't kill you if you turn UAC off on a SBS box.

On two conditions of course:

First you have to promise me you won't be surfing at that server. No facebook. No farm game on facebook while setting up the SBS box. The only sites that I'll allow you to go to are Microsoft.com and HP or Dell for drivers.

Secondly, before you work on that box, you patch your stupid. That means you do your adminy stuff and then get off the box when you aren't doing adminy stuff.

My 64bit vendors on the desktop tell me to turn off UAC while installing now.

So there you have it. Patch for stupid. Do only adminy stuff and I won't yell at you. Understand that when you are on that server you are God. Act accordingly.

The scariness of on premises

bradley — Thu, 29 Oct 2009 03:20:00 GMT

Vlad Mazek – Vladville Blog » Blog Archive » What’s left of the cloud after it’s done raining?:
http://www.vladville.com/2009/10/whats-left-of-the-cloud-after-its-done-raining.html

Since someone is once again taking pot shots at CPAs who are supposedly deathly afraid of cloud solutions [and since that's my cue to earn my MacBook from Vlad], sometimes even on premises solutions scare one a bit.

Take for example my HyperV beast I just set up where I want the full GUI on the outside of the HyperV because I want to run HP's insight manager software to alert me upon impending doom of raid failures and what not.

So I install the software and it wants an account to set up the database. Okay, let's use another account and not THIS account I say. So stupidly I set up ANOTHER administrator account and then have to go into the SQL config to allow that second user to have rights in SQL before the installer will set up the database. And then it says

Hmmm.. okay... I just built in a security dependency where there's a service running on that box that has rights on there that I may do not want. Needless to say I'll be going back again and trying to see if that process/service will run as a user, and not as an admin. How many more of these decision trees along the way build in chinks in the armors of our on premises servers? Conversely what are the decisions being made by the cloud vendors? If they run HP, what account rights have they selected at that point in the process? What other decision trees have been made along the way? Not all of this is exposed by an audit or in a SAS 70 report.

But that said... so I earn my Macbook commission for the month, for the record, Vlad, it's not that I hate cloud, rather my apps won't go up there at this time, and I need an on premises server.

Those apps need an on premises Exchange. I've done the research and pick the cloud where it makes sense for my business. I can't when my apps aren't up there or don't support up there.

Not all of us live in a Google browser world you know.

Searching for a bit of spam

bradley — Wed, 28 Oct 2009 07:14:00 GMT

Someone showed me this "trick" the other day. Google search on a web site, limiting the domain to just your domain and then search for "sex".

http://www.google.com/search?hl=en&lr=&rls=com.microsoft%3A*&q=sex++site%3Amsmvps.com&aq=f&oq=&aqi=

See how many blog spam/web site spam/bad content has ended up on the site that you weren't aware of it.

I got some cleanin' to do.

Some of the .NET patch install suggestions....

bradley — Thu, 22 Oct 2009 05:12:00 GMT

Some of the .NET patch install suggestions....

Newsgroups: microsoft.public.windowsupdate
References: <OSBXnxGTKHA.4360@TK2MSFTNGP04.phx.gbl>

"Shawn E. Hale"
news:OSBXnxGTKHA.4360@TK2MSFTNGP04.phx.gbl...

All other updates released this date installed fine with the
exception of KB953297. Another home computer installed this update
with no problem.

The only difference I can find is that the computer where the install
failed had .NET Framework 1.1 Hotfix KB928366 installed. The article
(http://support.microsoft.com/kb/953297) states that this recent
update "supersedes" the hotfix. I tried to uninstall the hotfix but
that lead to another problem where it could not find the "netfx.msi"
file to continue.

So I stopped that hoping to find another answer here. Any thoughts
on what I should do?

I had the same problem, all 100pc's on the network were failing (due,
I think, to previously installed Visual Studio .Net apps, which
updated dot net). It appears that the installer is referencing a
registry key to find the location of the netfx.msi file. When it
fails to find the file it errors out.

I grabbed the dotnetfx.exe file from
http://www.microsoft.com/downloads/details.aspx?FamilyID=a8f5654f-088e-40b2-bbdb-a83353618b38&displaylang=en ,
opened it with WinRAR (or use any comprssion program) and extracted
the netfx.msi to our network. I then entered the network location
into the registry key
[HKEY_CLASSES_ROOT\Installer\Products\DDE7F2BCF1D91C3409CFF425AE1E271A\SourceList\Net] "1"=hex(2):<long hex string you will need to change to your netfx.msi location

Then I re-ran the updates and it installed fine.

Hope this helps someone,
Box

Social engineering at it's finest

bradley — Tue, 20 Oct 2009 06:54:00 GMT

They are starting to spoof "upgrade" emails very nicely these days. Warn your customers that no upgrades will be emailed to them.

Inform them of exactly HOW you do updates and how you will not email them links like this. Set in place a process for how you inform folks of needed actions and ensure communication is done in such a manner that they know you are you and spoofs like this can't happen.

A big, big, big sigh

bradley — Fri, 16 Oct 2009 04:39:00 GMT

Jerome Chout : Do not apply KB974571 to LCS/OCS Servers:
http://blogs.technet.com/jchout/archive/2009/10/15/do-not-apply-kb974571-to-lcs-ocs-servers.aspx

This is one of those patch testing moments that you just shake your head and wonder who was asleep at the wheel here. Just for grins I installed 974571 on my Live Communication Server 2005. The minute you reboot the box, the internal IM dies and refuses to log in, the LCS server service fails to start. When you log into the box and check the event viewer, it's very obvious that LCS is having a problem.

There are times that I know that it's hard to find patch issues. We have a lot of software, we have a corner issues. This one... this is a big fat ooops that implies to me that someone somewhere didn't do a basic job of testing.

This is why I have the "canary plan" where I test patches first before installing them. This is why i know patches can be uninstalled. This why we don't have automatic updates on.

In my opinion, this one should not have gotten out the door like this. And when one does, it impacts patch trust.

And for me, that's a big big sigh.

One of the promised land issues in cloud deployments is that you never have to worry about upgrades.

bradley — Thu, 15 Oct 2009 05:02:00 GMT

Obligatory cloud paranoia post to justify the Mac Book from www.vladville.com

One of the promised land issues in cloud deployments is that you never have to worry about upgrades.

The reality is vastly different. Just ask the Sidekick folks about how well upgrades go. And on the Google doc front, just because someone else updates doesn't mean that the problems go away...

Bugs hit Google Docs after recent upgrade:
http://www.computerworld.com/s/article/9139350/Bugs_hit_Google_Docs_after_recent_upgrade

Bottom line, I don't care how big or small you are, there are risks in updating. Period. Whether we do it, he does it, they do it, we all deal with the resulting aftermath.

Seeing if we can freeze up again tonight

bradley — Thu, 15 Oct 2009 04:44:00 GMT

I have the KB974417 back on the blog tonight hoping it will slow down again so I can catch the blogs slowing down again. Why? Debugging is why. And we want to force a dump of the IIS processes. Now last night it worked fine right after I rebooted the server and when I logged back in later in the evening a few hours later was when I noticed the server was crawling.

So I'm hoping it will do it again and I can catch the hang in action.

Watch it... it will work fine tonight and not freeze up. There are times that sometimes removing and reinstalling a patch makes it play nice the second time around. Maybe it needs to be shown who's boss or something.

But if you later on hit the blog site and it's realllllly slow.. that means I'll be going "hooray it's freezing up again and I can run this debugger and see what's up". Okay yeah so I'm kinda weird that whenever something gets to the point where I'm installing the debugging tools I'm having fun, but hey...

Generally speaking, Microsoft always recommends to install security updates for the security consideration. There may be some conflicts existed after installing this update. I wonder whether it is possible for you to re-install the update and help to catch IIS hang dump files when you find the web server is hanging. In this way, we could find the root cause of your problem. Please follow below steps to collect IIS hang dump files for us:

[Action Plan]
===================================

Download and install the Microsoft Debuggers

If your server is a 32-bit, please download and install the Microsoft Debuggers from<http://www.microsoft.com/whdc/devtools/debugging/installx86.mspx> (Debugging Tools for Windows).

If your server is a 64-bit, please download and install the Microsoft Debuggers from <http://www.microsoft.com/whdc/devtools/debugging/install64bit.mspx#> (Debugging Tools for Windows).

Get the latest version of the debuggers from this site if multiple versions are present.

NOTE: You do not have to install them on your server, but can install on a workstation and then XCOPY the directory to your server. They will work on your server after you have done this without rebooting the server.

When you find the server come to crawl after re-install the update

===================

1.Run AutoDump Plus from a command line (cmd.exe), in the debugger's directory (Default is c:\Program Files\Debugging Tools For Windows) run the command (changing the path where you would like the files created in):

cscript adplus.vbs -hang -iis -o c:\iisdump –quiet

2. Wait for 60 seconds

3. Run command "cscript adplus.vbs -hang -iis -o c:\iisdump -quiet" again to generate another IIS dump files.

Please ignore any warnings. Please don’t log off the logon user and don’t close any command prompt window the tool generates. After a while, you should find the dump file in C:\iisdump.

Please send me all the files in c:\iisdump. Please also collect the HTTP ERR logs under C:\Windows\System32\logfiles\HTTPERR and IIS logs under C:\Windows\System32\logfiles for me.

Things to read, things to watch

bradley — Wed, 14 Oct 2009 05:14:00 GMT

Things to watch tonight -- http://ecn.channel9.msdn.com/o9/edge/2/0/4/1/1/oct2090msrcov_edge.wmv

Things to read tonight --

http://blogs.technet.com/msrc/archive/2009/10/13/october-2009-security-bulletin-release.aspx

http://isc.sans.org/diary.html?storyid=7345

Assessing the risk of the October security bulletins – Security Research & Defense blog
MS09-051: A note on the affected platforms – Security Research & Defense blog
MS09-050: Exploit timeline for SMB2 RCE vulnerability – Security Research & Defense blog
MS09-054: Extra info on the attack surface for the IE security bulletin – Security Research & Defense blog
MS09-061: More information about the .NET security bulletin – Security Research & Defense blog
Scanti-ly Clad – Another Rogue Stripped by MSRT – Microsoft Malware Protection Center blog

And I already had to pull this one - http://support.microsoft.com/default.aspx?scid=kb;en-us;974417 off the blog site as it was causing the site to resolve very poorly. I'll be calling into Microsoft support tomorrow (or rather emailing in) but when something worked before, and now it doesn't, sometimes don't do a "system rollback", think about which patch may be the trigger and pull off just that one.

Subject: Server upgrade warning

bradley — Tue, 13 Oct 2009 06:48:00 GMT

So a couple of folks have been reporting in the listserves that their clients have been getting a message indicating that a server upgrade 
will take place and to install the SSL update.


Given that this is the patch Tuesday week, it would probably be a good idea to remind your client base that you don't send them links to install
like this.  Remind them of what your emails look like.

All it takes is one person clicking on that link and if you don't have web filtering in place, or if the filters aren't up on the latest and greatest, or if
your client base still is not moved to non administrator, all it takes is one click to get in.

Subject: Server upgrade warning

Attention!

  On October 16, 2009 server upgrade will take place. Due to this the
system may be offline for approximately half an hour.
The changes will concern security, reliability and performance of mail
service and the system as a whole. 
For compatibility of your browsers and mail clients with upgraded server
software you should run SSl certificates update procedure.
 This procedure is quite simple. All you have to do is just to click the
link provided, to save the patch file and then to run it from your
computer location. That's all.

URL removed

 Thank you in advance for your attention to this matter and sorry for
possible inconveniences.


 
System Administrator