The other steveb - Steve Banks' Blog on SBS, EBS, and other Small Business Technology Topics : Windows Server 2003

Run update from console session! - MS07-049: Vulnerability in Virtual PC and Virtual Server that could allow privilege elevation

steveb — Mon, 20 Aug 2007 18:06:00 GMT

If you prefer to run Microsoft Updates from a TS session, then make sure you run MS07-049 from a console session per the KB 937986 (http://support.microsoft.com/kb/937986).

Taken from the KB:

When the update 937986 is applied on a remote machine by using Terminal Services, the update does not replace the vulnerable files if the /console option is not used. To avoid this issue, you must use the /console option as shown in this example:

mstsc /console /v:<machine name>
-Steve

Lost TS/RDP after running updates?

steveb — Mon, 30 Jul 2007 08:40:00 GMT

After experiencing Terminal Services intermittently hanging after applying Microsoft Updates I've come across one way that gets the server back up and responsive most of the time and a backup plan for when it still doesn't.

First, to cover yourself, it is a good idea to run a system state backup at minimum of the server before applying updates in case you need to get yourself out of a challenge resulting from the update. Then what I've started doing (wasn't an original idea, got it from others in the community) is creating a restart.bat file that consists of shutdown -r -f and a hard return to bounce the server. I then create a one time scheduled task and set it for about 30 minutes out from when I figure the updates should have been applied and the server restarted and back online. Most of the time a restart will "jump start" the Terminal Services and get them running if they hang. If I don't have to use it, I go into Scheduled Tasks and set the time back a day to disable it until next time. The other trick I ran across was the result of a desperate attempt to get a box back online one night as I was applying updates from my Vista Tablet PC. I've since tried this from XP Pro and it does not work, so seems to be a Vista only trick.

If TS/RDP hangs on the server, as Microsoft is beginning to admit is a problem finally, attempt to VPN from your Vista computer to the remote network using the remote domain's administrator account (I've only tried this with Windows PPTP so no idea about IPSec or edge VPN devices such as SonicWALLs but I'm guessing it would fail since the reason this is working has to be because Vista is authenticating as the remote administrative account). Once you have established the Windows PPTP VPN from your Vista box, open a command prompt by selecting off of your start menu, "right clicking" and running as administrator. Once inside the command window, type shutdown -i and drop in the name or IP address of the remote server you are wanting to get back your Terminal Services from and do a restart in the graphical interface. I have had this work all but once or twice (hence the new addition of the scheduled task restart batch file). When the server comes back online TS is normally responsive and you can head off to bed versus getting in the car and taking off to a client site in the middle of the night!

Steve

Microsoft releases the Malware Removal Starter Kit

steveb — Wed, 18 Jul 2007 19:39:00 GMT

This is from an email I received this week from Mark Clagett over at Microsoft. Running into an issue today where I sent it to an end user so figured I would post it here as well. Thanks Mark for sending out the notice! - Steve ________________________________________________________________________________________________________ I thought you’d be interested in this new Solution Accelerator from Microsoft – it’s called the Malware Removal Starter Kit. It’s a free download from TechNet, and provides you with excellent guidance and tools to help you restore PCs infected with malware. Here’s a quick overview of what the kit can do for your organization. Suggest you take a look!

PCs Infected with Malware? Every day, adversaries attempt to invade your networks and infect your systems with viruses, spyware, and other malware. In other cases, employees can open the door to malware by visiting infected Web sites, opening the wrong e-mail attachments, or running macros that contain viruses.As an IT professional focused on security, you know the risks first hand. You’ve installed antivirus software and you keep your protection updated. Sometimes, though, attacks are successful, and computers get infected. And once they are inside the organization, malware outbreaks can spread with alarming speed, compromising or destroying mission-critical data or personal information. Restore Infected PCs with the Malware Removal Starter Kit!When you discover PCs that have been infected with malware and your current antivirus tools can’t solve the problem, where do you turn next? Is there a way to restore infected PCs without completely rebuilding them from scratch? The Malware Removal Starter Kit, the newest Solution Accelerator from Microsoft, provides free, tested guidance to help you combat malware attacks and restore infected systems—so users can safely get back to work. The kit shows you how to use the Windows Preinstallation Environment (Windows PE) to discover malware by performing a thorough offline scan of your computers, uncovering malware that may be hiding in the operating system. And once malware is located and identified, it can be quickly removed from infected PCs with a number of free anti-malware tools, like the Malicious Software Removal Tool from Microsoft.The Malware Removal Starter Kit answers questions like:

· What are the keys to a reliable, effective response plan to remedy malware outbreaks?

· How do I build a bootable CD that lets me perform offline virus scans?

· How can I discover and remove viruses and other malware hiding in the operating system?

· How does the Malware Removal Starter Kit augment Microsoft’s anti-malware strategy?

Key Benefits

The Malware Removal Starter Kit is:

· Effective: Helps you to uncover malware that’s difficult to expose.

· Flexible: Lets you use best approach for the specific problem you’re facing.

· Reliable: Provides guidance thoroughly tested by Microsoft security experts.

· Simple: Offers a solution that is easy to configure and use.

· Free: The Malware Removal Starter Kit is a free download from TechNet. Download the free Malware Removal Starter Kit

Accessing the kit is easy, and it’s free! Click here to learn more or to download the kit.

DNS not resolving for a particular domain on your SBS box?

steveb — Fri, 06 Oct 2006 22:55:00 GMT

Had this request from another consultant this week so thought I would pass along the issue and the KB article for anyone who may happen to stumble across this in their favorite search engine.

"I have a client running SBS 2003 and all of a sudden they can't get to the Customer Login Page of Postini. They can go anywhere else. All workstations point to the server for their DNS but if I add an ISP dns as a second they can get to the site just fine. I have rebooted the server and the other standard things to flush dns to no avail."

Sounds like EDNS to me, so in reality (to quote Les Connor), “Nothing to fix, nothing is broken ;-). “

Most likely a piece of hardware somewhere on the route doesn't support EDNS. Basically, a device in the middle sees a packet greater than 512 bytes destined for UDP Port 53 as an attack, and truncates it. The DNS query is satisfied but not all the information is transferred. You can solve it two ways. One is to use a secondary DNS server for that particular domain by adding a specific referrer in your SBS DNS Server settings (in case that's not clear, not your NIC settings, but the DNS referrers is what you are adding that to) for the problem domain. The other Microsoft documented fix is as follows:

Run the following command on the Windows 2003 server:

dnscmd /Config /EnableEDnsProbes 0

Microsoft KB: http://support.microsoft.com/default.aspx?scid=kb;en-us;828263

Steve

Run the following command on the Windows 2003 server:

dnscmd /Config /EnableEDnsProbes 0

Microsoft KB: http://support.microsoft.com/default.aspx?scid=kb;en-us;828263

Steve