Monthly Archives: June 2004


I just majorly re-edited the old MAC integration post to reflect new info….

Eriq Neale graciously updated his MAC/SBS information and gave me permission to just point all you guys over to his fantastic site that has all the full details!


Very cool!  Thank you Eriq!

Small Business Server 2003 – Backup and Restore CHAT

Small Business Server 2003 – Backup and Restore
Join experts from the SBS team on June 30th 2004 to discuss tips, techniques, and best practices for SBS backup and restore.


June 30, 2004
2:00 – 3:00 P.M. Pacific time
5:00 – 6:00 P.M. Eastern time
21:00 – 22:00 GMT
Enter Chat Room
http://communities2.microsoft.com/home/chatroom.aspx?siteid=34000015

Threat Modeling and Risk Analysis….

So my Threat Modeling book came in today from Amazon.com [I’ve only preordered it for ages] and even before I’ve started reading it I’m doing a bit of “threat modeling/risk analysis” here at the office today. 

Internet Explorer.  Unless you’ve been living under a rock, you’ll know that IE has had a few issues lately.  Per news reports, one of the web sites that was unpatched for 04-011 and thus was vulnerable to being overtaken and used in the browser attack was Kelley Blue Book.  That sort of hit a little too close to home.  Since that would be a business site that I would consider “trustworthy”, I’d probably be adding that to a trusted zone if I needed it to work. 

First and foremost, as administrator I need to ensure that the firm’s data remains secure.  If I can’t control what is going on at my workstations, I’m not controlling my network.  My workstations are where my vulnerabilities are.  Jeff Middleton just said it yesterday.  Security isn’t about following a “Reader’s Digest how to” book, it’s about *administration and control.*

So I made a risk analysis.  I know that I don’t have my entire office running as user because either the applications I run won’t support it, or in my role as network enabler, I’m unwilling to push my office workers into a “painful” and loss of productivity position.  So I’ve done things like running with IE in high security, adjusting the Trusted site zone to be no lower than medium.  I have certain positions locked down, but not my IT workers who aren’t ready for a lack of control.

Today I decided to roll out XP sp2 to my higher risk workstations [like mine].  I know that I’m going to have to work something out around Shavlik.com’s patch program that needs outbound NetBIOS connections [and inbound return responses], but right now I’ve not been seriously hampered by running a firewall inside my firewall.

Off to check out the Threat Modeling book….

UPDATE – another mitigation alternative is to run this IE registry tool here from eEye. This “kills“ the adodb bit.

Closing the adodb issue closes the possibility of this latest zero vulnerability running, as it requires it to run. Microsoft has not considered the adodb issue, which allows code to be run in the “My Computer” zone, to be a security problem; however, multiple issues of this have been made.

So Thomas is trying to find documentation about adding a second server in the KBs…..

…and he’s not finding anything……


….because it’s not in a KB.  It’s in a whitepaper! 


SBS 2000 ~


Microsoft TechNet: Adding a Server to Your Existing Small Business Server 2000 Network:
http://www.microsoft.com/technet/prodtechnol/sbs/2000/maintain/addsrvrs.mspx


SBS2k3 ~


Download details: Deploying Windows Server 2003 Terminal Server to Host User Desktops in a Windows Small Business Server 2003 Environment:
http://www.microsoft.com/downloads/details.aspx?FamilyID=0A06E845-57EF-43EB-802F-F274FD937400&displaylang=en


The moral of this story is YES you can add a second server, a member server, a backup domain controller [remind me to blog on the “Myths of SBS” by the way] and here are the exact instructions on how to do it.


The myth believed by the public is that SBS can only have one domain controller and thus it’s a platform “prone to failure”.  Poppycock! Rubbish! Steve Foster [SBS bud] would say.  First off, knock wood, I’ve never had an issue only having one Primary domain controller, and two, if you want a backup domain controller, stick one on there dude!  There’s nothing stopping you!


Just remember that while you can log in, your email is still down.  Also remember that unless you have disabled cached credentials, you can get on that profile even if the network is offline.  It will find the network once it finally comes back.


Don’t panic when you read that the SBS platform only has one domain controller.  That SHOULD read one “PRIMARY“ domain controller.


 

SBS Knowledge base articles

New this week


841773 – BUG: SQL Server Setup stops responding when you upgrade an instance of SQL Server Desktop Engine (Windows) to SQL Server 2000:
http://support.microsoft.com/?kbid=841773
841211 – The updated “What’s new in Exchange Server 2003” guide for Exchange Server 2003 Service Pack 1 is available:
http://support.microsoft.com/?kbid=841211


Updated


836413 – You receive an “unexpected error occurred” error message when you try to access resources on a Windows-based network from your Macintosh computer:
http://support.microsoft.com/?kbid=836413
833992 – Scheduled POP3 connector e-mail message downloads may not occur on your Windows Small Business Server 2003-based computer:
http://support.microsoft.com/?kbid=833992

It’s the home stretch for XP sp2 ……

“We’re on the home stretch for Windows XP SP2! I can’t begin to tell you what a relief it is to see it almost done.” says Michael Howard on his blog.   I agree.  In looking over the Secunia advisories for Internet Explorer… IE is getting pretty nasty these days …..


The following are unpatched:
Secunia – Advisories – Internet Explorer File Download Error Message Denial of Service Weakness:
http://secunia.com/advisories/11868/

Secunia – Advisories – Internet Explorer Security Zone Bypass and Address Bar Spoofing Vulnerability:
http://secunia.com/advisories/11830/

Secunia – Advisories – Internet Explorer Local Resource Access and Cross-Zone Scripting Vulnerabilities:
http://secunia.com/advisories/11793/   <<< this is the Russian IIS one that is currently being exploited >>>

Secunia – Advisories – Microsoft Internet Explorer and Outlook URL Obfuscation Issue:
http://secunia.com/advisories/11582/

Secunia – Advisories – Windows Explorer / Internet Explorer Long Share Name Buffer Overflow:
http://secunia.com/advisories/11482/

Secunia – Advisories – Internet Explorer/Outlook Express Restricted Zone Status Bar Spoofing:
http://secunia.com/advisories/11273/


…..you get the idea….. basically walk down the IE advisories and see which ones don’t point to a security bulletin…..but even then, I think I’m going to keep running in high security.  There’s no reason that web sites should do “stuff” without my permission.


Remember the 10 laws of security?  I’d say IE is letting rule number 2 get broken.


Law #1: If a bad guy can persuade you to run his program on your computer, it’s not your computer anymore
Law #2: If a bad guy can alter the operating system on your computer, it’s not your computer anymore
Law #3: If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore
Law #4: If you allow a bad guy to upload programs to your website, it’s not your website any more
Law #5: Weak passwords trump strong security
Law #6: A computer is only as secure as the administrator is trustworthy
Law #7: Encrypted data is only as secure as the decryption key
Law #8: An out of date virus scanner is only marginally better than no virus scanner at all
Law #9: Absolute anonymity isn’t practical, in real life or on the Web
Law #10: Technology is not a panacea


http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx

…so you want to support ISV’s better?

So over on Mary Jo’s blog she’s been talking in the past about how Microsoft is making a bigger push for supporting ISV’s [you know,  Developers, developers, developers….] and just today the “blog” worked in a mysterious way.  The other day I posted about how to get hotfixes.  And I admit when I call, I’m normally getting one hotfix at a time AND I’m in the USA where I can call an 800 number 24/7.  Today in the comment section, I got a post from Mica about how he was an ISV/OEM and he had gone through the KBs and tracked down a whole bunch of hotfixes that he needed for a project that he is developing.  He had called PSS and the contact there had asked Mica to email him the list of patches.  The PSS contact forwarded the request to the Windows 2003 server group and that’s where the ball got dropped. 


Bottom line Mica never got his patches.  So I asked Mica for the PSS contact and then started a series of follow up emails and bottom line Mica now has his patches that he needs [thanks Brad].


But here’s the /rant part of the email:


It shouldn’t be this hard.


Why can’t there be a web site that an ISV or OEM uses an authenticator …say passport [yeah I know, we all hate to use it for authentication but get over it] to get into and then can download whatever hotfixes they need.  We all know they aren’t regression tested.  We all know that we should test them first [for the record I’ve historically had more good experiences with hotfixes than Service packs …but that’s another story].


Make it easier for ISV’s and OEMs to get these hotfixes.  I totally understand that there is no such thing as “perfect“ software and never will be, but I would want my manufacturer to have the ability to ensure he’s got the latest “whatever“ he needs to build me the best system ever.

If you are a Trend Micro customer….. READ THIS

http://www.trendmicro.com/en/support/npf/overview.htm


Be sure to apply the Service Pack or upgrade to a product version using the new pattern file numbering format by September, 2004. Trend Micro currently estimates that it will be able to continue releasing the old 3-digit pattern files until September 2004, at which time support for the 3-digit numbering format will cease and new anti-virus pattern files will be released in the new multi-digit format only. This date is subject to change, however, based on the volume of new computer viruses and the resulting demand for new pattern files. Accordingly, Trend Micro customers are strongly encouraged to apply updates or service packs as soon as possible.

In the words of Sgt. Esterhaus, “And hey, let’s be careful out here….”

News reports are saying that high-traffic web sites running on IIS 5.0 that were not patched with the 04-011 security hotfix [hello people let’s patch!] have been infecting people browsing the infected web sites.  If you are running XP sp2, you are protected.   But what if you can’t run the RC [after all it still “is” in beta]?  How can you protect yourself while surfing?

1.  Alternative browser.  I’m not a fan of this one because I have no patch tool to help me patch the browser. 

2.  Run with IE in High security and do a little tweaking.

Download a tool:

http://www.microsoft.com/windows/ie/previous/webaccess/pwrtwks.mspx

I blogged about this before.  This little IE addition adds a quick shortcut under “Tools” for “add to trusted sites”.  When you get to a web site that you really “need” to have working [like a business site] you can add the site to the trusted zone and hit “refresh” and voila.

Then, I go to tools, Internet options, Security, and I click on the “trusted sites” and I click on custom level and instead of “low” I change it to run as “medium” [prompt me for stuff like scripting and downloads… don’t just “do” stuff].  Then I click on Internet and change it to “high security”.  THEN, and here’s the fun part.  When I need to go to a web site that will not work in “high security” and it’s a web site THAT I TRUST, I then add the web site to my “trusted sites” with the toolbar.  Yes the tool bar works with IE 6.0 and even under XP sp2.

3.  Try to run with less privileges.  A blog recently opened up recommending ways to do this.

I really recommend that we all try to push our vendors to support “user” and limit the privileges.  We do NOT need to be admins on our own boxes anymore.
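One way to check that a workstation actually matches the zone settings from option 2 (Trusted sites at Medium, Internet at High), as an added example that is not part of the original post: it reads the current user's IE zone registry values and compares the applied security template with that policy. The helper names `Test-ZoneLevel` and `Get-ActionName` and the report layout are made up for illustration.

```powershell
# Added example: audit the current user's IE zone settings against the post's
# policy (Trusted sites no lower than Medium, Internet zone at High).
$zonesRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

# CurrentLevel values written by the built-in security level templates.
$levelNames = @{ 0x10000 = 'Low'; 0x10500 = 'Medium-low'; 0x11000 = 'Medium'
                 0x11500 = 'Medium-high'; 0x12000 = 'High' }
# Per-action values: 1400 = Active scripting, 1803 = File download.
$actionNames = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Policy taken from the post: zone 2 = Trusted sites, zone 3 = Internet.
$policy = @(
    @{ Zone = 2; Name = 'Trusted sites'; Required = 0x11000 },
    @{ Zone = 3; Name = 'Internet';      Required = 0x12000 }
)

# Hypothetical helper: compare a zone's template level with the required one.
function Test-ZoneLevel {
    param($CurrentLevel, [int]$RequiredLevel)
    if ($null -eq $CurrentLevel)               { return 'NOT SET' }
    if ([int]$CurrentLevel -eq 0)              { return 'CUSTOM: review actions' }
    if ([int]$CurrentLevel -ge $RequiredLevel) { return 'OK' }
    return 'TOO LOW'
}

# Hypothetical helper: turn an action value into a readable name.
function Get-ActionName {
    param($Value)
    if ($null -eq $Value) { return 'not set' }
    if ($actionNames.ContainsKey([int]$Value)) { return $actionNames[[int]$Value] }
    return ('0x{0:X}' -f [int]$Value)
}

$report = foreach ($p in $policy) {
    $props = Get-ItemProperty -Path "$zonesRoot\$($p.Zone)" -ErrorAction SilentlyContinue
    $level = $props.CurrentLevel
    $levelName = if ($null -ne $level -and $levelNames.ContainsKey([int]$level)) {
        $levelNames[[int]$level]
    } else { 'Not set or custom' }
    [pscustomobject]@{
        Zone            = $p.Name
        Level           = $levelName
        Result          = Test-ZoneLevel -CurrentLevel $level -RequiredLevel $p.Required
        ActiveScripting = Get-ActionName ($props.'1400')
        FileDownload    = Get-ActionName ($props.'1803')
    }
}
$report | Format-Table -AutoSize
```

A zone that was customised by hand reports a CurrentLevel of 0, which is why the report also shows the scripting and download actions for manual review.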

Notice in SBSland our threat vectors here.  Not so much our SBS boxes themselves, it’s our workstations that are the big targets.  Your threats are YOU surfing the web, not THEM out there.

[for those of you not old enough, Sgt. Esterhaus was the character on the 1981-1987 USA cop show called “Hill Street Blues”, he would end each roll call with “…and hey, let’s be careful out here…”]

One more note – keep your antivirus up to date on your workstation as well. 

….so I’m looking for a “beginners guide to Sharepoint in the SBS platform”….

….and either I’m blind or not googling properly… we do have our MVP friend Mike Walsh’s site that is specifically WSS, Home – WSS FAQ: http://wss.collutions.com/default.aspx but now I’m searching for webcasts [under the theory a picture is worth a 1,000 words] and finding a lot on Sharepoint PORTAL server but not on WSS.


I found this blog, but it lists SPS not WSS.  MSDN has some stuff, but no pictures.


AH HA… this might just be what I’m looking for… I found this on the Sharepoint customization site.  But I think there still needs to be more content specifically “for” Sharepoint on SBS.  We do have a couple of unique things.  So far I haven’t found any “basic” documentation on the web that helps a newbie get a handle on it.


I’ll keep looking….