We interview Sam the SBS server who’s getting ready to celebrate New Year’s Eve with his network

Q.  Hi Sam, how’s it going!

A.  Not bad. Can’t complain, keeping a watch on things here, getting ready to celebrate the New Year.

Q.  So this has been a big year for you hasn’t it?

A.  Oh no kidding, two major milestones this year, my Service Pack came out and now I have my own patches on Microsoft Update that are unique to me.

Q.  That’s pretty cool.

A.  No kidding.  In 2006 the next version of SBS 2003 called SBS 2003 R2 is coming out and Patching will be built inside of me.  I’m really exciting about that.  I can’t go into details…but I’m really excited about it.  I’ll be able to control and manage the patches on all the machines under my control, so I’ll be even more better able to protect Samantha the SBS Workstation.

Q.  That’s really cool.

A.  And let me bring this up again, last year Samantha and I talked about this and we did some of this..but really not enough at all.

Q.  Enough of what?

A.  “This” meaning where I’m doing a lot more of the managing and protecting of her.  Like for example… take the bad stuff on the ‘net today.  Many of these bad things can be mitigated or lessened if she doesn’t have rights over what she does and runs as a ‘regular’ user’.

Q.  But isn’t this hard to do with some of the applications that she is running?

A.  Oh, no kidding, but we have to do this.  Samson, the new Vista operating system is going to be joining us at the end of 2006 and he’s going to be helping out in this LUA or restricted user, but we really have to push our vendors now to do this.

Q.  You really feel strongly about this don’t you?

A.  Yes, I do.  People always say that I don’t do ‘best practices’ and this is one area that I can do best practices.  Because my owners are much more agile than big firms they can get rid of old operating systems, ensure that I have only machines that I control that help me secure and don’t hinder me.

Q.  Edward the Windows 98 machine is really causing issues with you isn’t he?

A.  Oh, no kidding, I can’t control him at all, he has no sense of security whatsoever and he’s really frightening me these days with all the risks he takes.

Q.  So we’ll keep this brief as I see you are getting ready for your party…but in closing…

A.  In closing, I’d say that for 2006 I’m making a resolution to get more secure this year.  Better on patching.  Better on Control.  There are a lot of things I can do best practices on…and helping Samantha the SBS workstation be more secure is one I can do.

Q.  Happy New Year Sam!

A.  Happy New Year to all in the SBS communities as well.


…so we’re in the car driving to Los Angeles and the radio DJ talks about an upcoming story on radio

“A problem in Microsoft Windows?  Nahhhhhhhh” she says…….

The chatter on SBS listserves today is one of disappointment.  This security issue points out the problem we have down here in SBSland.  The “test” problem.  For large firms they have the resources to test, to have matching images on the desktops, to try to understand the risk for their firm.  Down here we rely on the guidance we get from official sources. 

So the gang is now stratching their heads as to how we went from “DEP” works to one where only “Hardware DEP” works.  They are seeing that antivirus and spyware bloggers first brought up the issue that software DEP wasn’t working [especially on real world boxes]. 

Getting good info is hard….and unfortunately this event just pointed out how hard.


 *I have DEP enabled on my system, does this help mitigate the vulnerability?*
Software based DEP does not mitigate the vulnerability. However, Hardware based DEP may work when enabled: please consult with your hardware manufacturer for more information on how to enable this and whether it can provide mitigation.


….so what am I going to do? Nothin’ for now because the office is closed and the machines are off so they are as protected as they can be….. ask me next Tuesday and I’ll let you know what my risk tolerance is then…. for now… I’m sitting tight….


 Shavlik Provides Workaround For Zero-Day WMF Exploit

On December 28^th , Microsoft announced a Security Advisory (912840) for a zero-day exploit that could allow an attacker to execute arbitrary code on a user’s system by hosting a specially crafted Windows Metafile (WMF) image on a malicious Web site. Malicious code on a number of web sites exploited the vulnerability on users’ machines. Microsoft has not issued a patch for this security exploit at this time. Users running a fully patched version of Microsoft Windows are still vulnerable to attack.

For administrators that cannot wait for Microsoft to issue a patch to protect against this vulnerability and need an immediate workaround, Shavlik Technologies has released updated XML files for Shavlik NetChk Protect, its patch and spyware management solution, to help users protect against this attack. Shavlik NetChk Protect allows users to un-register the SHIMGVW.DLL files that enable the malicious code to attack systems on Windows XP and Windows 2003. This is a workaround recommended by the United States Computer Emergency Readiness Team (CERT) as an option for vulnerability protection. Shavlik Technologies cannot validate this as a proper fix. To read more about this vulnerability, visit the CERT web site at _

Shavlik Technologies recommends that administrators determine their security needs and implement this workaround only if it offers an acceptable solution to their individual security needs and all risks are understood. By offering this workaround, Shavlik Technologies puts the option for protection in the hands of the administrator. Users should be aware that by un-registering the .dll file, other applications that use this .dll file can break, but this is the only workaround available at this time, as quoted from the advisory.

For Shavlik HFNetChkPro™ users, Shavlik Technologies has developed a workaround to help administrators address this vulnerability. For more information visit Shavlik’s Support Forum at _

The Microsoft Security Advisory affects the following operating systems:

         o Windows 2000 SP 4
         o Windows XP
         o Windows Server 2003

More information on the Microsoft Security Advisory can be found on Microsoft’s Web site at: _http://www.microsoft.com/technet/security/advisory/912840.mspx_.

Users are affected by either navigating to web sites that contain a link to a Windows Metafile that exploits this security vulnerability, or opening an email attachment that exploits this security vulnerability.

When Microsoft releases a patch to protect against this vulnerability, Shavlik NetChk Protect will include this patch and will allow users to re-register the .dll file, returning the system to its previous state.

For further information about this zero-day exploit, visit Shavlik’s Security Center at _www.shavlik.com_


See that?

That’s a Dell OEM with a Nvidia driver up in the “High Priority” patches.

I do not do video drivers via Microsoft update just because I’ve had bad personal luck with them… but I never get a video driver up there in high priority on a box that I’ve flattened…yeah yeah… I know… I should just flatten these guys and start again…you’d think I’d learn…

One of the suggestions I see on many of the Security sites are to unregister certain DLL’s to ensure that this WMF vulnerability can’t be exploited.  Now maybe it’s just me…but unregistering DLLs that break image, thumbnails and what not… and especially if I have to worry about registering those files and sticking them back in seems to me a bit drastic.  To me the saner approach is to …again…use our Risk Analysis view….

Which machines in my office are most at risk…. uh… honestly?  Mine.  But do give extra protection for all in the office…what’s an easy protection mechanism that I can do on my network?

Steps I’ve already done…block files at the mail gateway ….block image types at the firewall…..

Okay so what else can I do on my machine…. Enable DEP protection for all programsViruslist says that DEP is marginally effective and doesn’t work if you have image viewers like Irfanview.  Yo.  Folks.  Irfanview is a known image program in the forensic biz that can view ANYTHING.  I don’t define it as the ‘viewer of choice for many’.  Geeks maybe.  But my Mom and Dad?  No.

Do I have it on any other machine except for mine?  Nope.  Does it appear that enabling DEP for all programs is effective for mere mortals that have normal software at this time?  Yes.  Can DEP be enabled without major impact?  You bet your bippy.  Working just fine here and so I’m thinking…why the heck am I leaving it at the default?

P.S. Knowing my luck I’ll probably find out that bippy means something obscene….

Since we’re in paranoid mode today…did you catch this statement in that NPR article?  “They can prepare to work from home, in case it becomes hazardous to be in contact with other people. “

Guess what we have inside every SBS 2003 box that is married with XP sp2 workstations?  The ability to easily work from home.  Remote Web Workplace is truly the killer app of SBS 2003.  Dave even said that his boss is making his employees manditorily work from home one day in the future to test their ability to have all the technology needs at home addressed before they are required to do something like this [even if it’s not due to something like sickness or whatever].  His boss just wants them to ‘test’ it before it’s needed for real.

As many have pointed out …the instructions for blocking ‘just’ the WMF extensions won’t protect me if the threat vector comes in via renamed files…. but I think folks are missing the point here.  NPR the other morning had a news report on the communication regarding the potential for a Bird Flu Pandemic.  They discussed how there’s a fine line between communication and ‘freaking someone out’.  And they said that when a person get communication that helps them act on something so that they feel part of the solution, that person feels calmer. 

I think this occurs in Security communication as well…..that’s exactly what’s going on here…there’s a psychological affect of “me” taking proactive measures to block what I know I can easily do at the border.

“Lanard and Sandman say risk communicators must walk a tightrope. On one side is the risk of promoting irrational fear. On the other side is irrational complacency. The goal is to instill appropriate fear that gets people to take appropriate precautions.

Lanard says accomplishing this means presenting information that is accurate, complete, and often frightening.

“Good information should increase the level of fear in people that haven’t been thinking about it at all,” she says. “It should decrease the level of fear in people who are over-imagining how bad it could be.”

Sandman and Lanard say that in the short run, individuals can do far more than the government to protect themselves.

For example, he says, people can keep extra food in case a pandemic disrupts distribution systems. They can prepare to work from home, in case it becomes hazardous to be in contact with other people. They can learn proper hand washing techniques to keep from spreading the virus.

And Sandman says there’s another reason for the government to involve the public in any bird flu preparations.

“Everything that’s known about the psychology of fear tells us that people can tolerate more fear if there is something for them to do,” he says. “So it’s not just inaccurate for the government to imply that the government will take care of it. It’s not only getting in the way of the public’s beginning to take preparedness more seriously. It’s getting in the way of the public’s ability to endure the threat of the pandemic itself.””

…see the correlation between Pandemic communication and Security communication here?  So give me something to do…even as stupid as building a block for WMF files and I won’t feel as scared.  Give me a role and I feel like I’m helping.  Make me feel dependent on things I can’t control and I do freak out.

Communicate with me…give me something to do….and I feel better.

Okay so even before I blocked the WMF’s via ISA server so that they are blocked while surfing…the first thing I did [because I knew easily how to do this] was to go into my antivirus program that protects my Exchange server and add WMF file extensions to be blocked at the server [in fact why do I need them anyway… I think I’ll leave the setting exactly like that from now on]

So on my Trend Exchange a/v it looks like this:

So what if you were insane, stupid, or too cheap to buy a Antivirus that covers your Exchange server?  And boy you have to be all three these days not to get an antivirus suite that does this….but say you were… what else could you EASILY do on your SBS box to block those kinds of files….

If you’ve never done this before… you rerun the “Connect to Internet Wizard” and rerun the wizard to add file type blocking at the server…remember it looks like this:

Click on “add” to add the WMF file blocking:

And click OK…but what if you already did that and you don’t want to rerun the wizard?

No problem… just follow this prior post…but here’s a trick I found… Nathan said to right mouse click and click on “edit” but on my newly pristine server… I had no edit and Notepad sucked as an XML editor.  So I brought it over to my workstation where I have Frontpage, right mouse clicked on Edit, opened it in Front Page, clicked on “Reformat XML”

And edited the page in a much more user friendly format

<Attachment Enabled=”True” Extension=”wmf” Description=”WMF Zero Day”/> which looks like this

Remember these are kinda like those backwards group policy settings where “True” is a good thing…. so when we get all done, I saved the file on my workstation and then stuck it back up on the server and it looks like this:

My resulting XML file…. is copied below:


<?xml version=”1.0″ encoding=”utf-8″ ?>

    <SaveToFile Enabled=”False” Location=””/>
        <Attachment Enabled=”True” Extension=”ade” Description=”Microsoft Access project extension”/>
        <Attachment Enabled=”True” Extension=”adp” Description=”Microsoft Access project”/>
        <Attachment Enabled=”True” Extension=”app” Description=”FoxPro generated application”/>
        <Attachment Enabled=”True” Extension=”bas” Description=”Microsoft Visual Basic class module”/>
        <Attachment Enabled=”True” Extension=”bat” Description=”Batch file”/>
        <Attachment Enabled=”True” Extension=”chm” Description=”Compiled HTML Help file”/>
        <Attachment Enabled=”True” Extension=”cmd” Description=”Microsoft Windows NT Command script”/>
        <Attachment Enabled=”True” Extension=”com” Description=”Microsoft MS-DOS program”/>
        <Attachment Enabled=”True” Extension=”cpl” Description=”Control Panel extension”/>
        <Attachment Enabled=”True” Extension=”crt” Description=”Security certificate”/>
        <Attachment Enabled=”True” Extension=”csh” Description=”Unix shell script”/>
        <Attachment Enabled=”True” Extension=”exe” Description=”Program”/>
        <Attachment Enabled=”True” Extension=”fxp” Description=”FoxPro file”/>
        <Attachment Enabled=”True” Extension=”hlp” Description=”Help file”/>
        <Attachment Enabled=”True” Extension=”hta” Description=”HTML program”/>
        <Attachment Enabled=”True” Extension=”inf” Description=”Setup Information”/>
        <Attachment Enabled=”True” Extension=”ins” Description=”Internet Naming Service”/>
        <Attachment Enabled=”True” Extension=”isp” Description=”Internet Communication settings”/>
        <Attachment Enabled=”True” Extension=”js” Description=”JScript file”/>
        <Attachment Enabled=”True” Extension=”jse” Description=”Jscript Encoded Script file”/>
        <Attachment Enabled=”True” Extension=”ksh” Description=”Unix shell script”/>
        <Attachment Enabled=”True” Extension=”lnk” Description=”Shortcut”/>
        <Attachment Enabled=”True” Extension=”mda” Description=”Microsoft Access add-in program”/>
        <Attachment Enabled=”True” Extension=”mdb” Description=”Microsoft Access program”/>
        <Attachment Enabled=”True” Extension=”mde” Description=”Microsoft Access MDE database”/>
        <Attachment Enabled=”True” Extension=”mdt” Description=”Microsoft Access add-in data”/>
        <Attachment Enabled=”True” Extension=”mdw” Description=”Microsoft Access workgroup information”/>
        <Attachment Enabled=”True” Extension=”mdz” Description=”Microsoft Access wizard program”/>
        <Attachment Enabled=”True” Extension=”msc” Description=”Microsoft Common Console document”/>
        <Attachment Enabled=”True” Extension=”msi” Description=”Microsoft Windows Installer package”/>
        <Attachment Enabled=”True” Extension=”msp” Description=”Microsoft Windows Installer patch”/>
        <Attachment Enabled=”True” Extension=”mst” Description=”Microsoft Windows Installer transform; Microsoft Visual Test source file”/>
        <Attachment Enabled=”True” Extension=”ops” Description=”FoxPro file”/>
        <Attachment Enabled=”True” Extension=”pcd” Description=”Photo CD image; Microsoft Visual compiled script”/>
        <Attachment Enabled=”True” Extension=”pif” Description=”Shortcut to MS-DOS program”/>
        <Attachment Enabled=”True” Extension=”prf” Description=”Microsoft Outlook profile settings”/>
        <Attachment Enabled=”True” Extension=”prg” Description=”FoxPro program source file”/>
        <Attachment Enabled=”True” Extension=”reg” Description=”Registration entries”/>
        <Attachment Enabled=”True” Extension=”scf” Description=”Windows Explorer command”/>
        <Attachment Enabled=”True” Extension=”scr” Description=”Screen saver”/>
        <Attachment Enabled=”True” Extension=”sct” Description=”Windows Script Component”/>
        <Attachment Enabled=”True” Extension=”shb” Description=”Shell Scrap object”/>
        <Attachment Enabled=”True” Extension=”shs” Description=”Shell Scrap object”/>
        <Attachment Enabled=”True” Extension=”url” Description=”Internet shortcut”/>
        <Attachment Enabled=”True” Extension=”vb” Description=”VBScript file”/>
        <Attachment Enabled=”True” Extension=”vbe” Description=”VBScript Encoded script file”/>
        <Attachment Enabled=”True” Extension=”vbs” Description=”VBScript file”/>
        <Attachment Enabled=”True” Extension=”wsc” Description=”Windows Script Component”/>
        <Attachment Enabled=”True” Extension=”wsf” Description=”Windows Script file”/>
        <Attachment Enabled=”True” Extension=”wsh” Description=”Windows Script Host Settings file”/>
        <Attachment Enabled=”True” Extension=”xsl” Description=”XML file that can contain script”/>
        <Attachment Enabled=”True” Extension=”wmf” Description=”WMF Zero Day”/>

So…. let’s see….. we have a Zero Day WMF exploit nailing even fellow MVPs …. websites that nail you with malware so bad you have to flatten and rebuild….that merely visiting the web site..no clicking…. will nail you…. and Trend [and most a/v companies] has the definition for this in there ‘beta’ def but not their released one….so what’s a gal to do?

So I already blocked WMFs in email in the Trend Antivirus

  • I don’t want to pull down a beta def file
  • I’m not sure I want to unregister a dll…….shimgvw.dll
  • So how about looking at what my ISA server can do ‘eh?

Jesper’s Blog : Blocking certain extensions in ISA server:

Very cool huh! And how about we block those wmf’s via ISA server.

So we go into the ISA management console..and we access the SBS Internet Access Rule [on mine this is rule 23]

  • Click on Protocols
  • click on Filtering
  • Click on configure http
  • Click on Extensions
  • Choose “Block Specified Extensions and allow all others” and then put the list in you want to block
  • Click “add” and put in wmf.

Click OK, click apply and now when i go to the test page… voila…the image doesn’t show up.

Is this cool or what?  Now I feel a lot better since Trend hasn’t updated yet.