Monthly Archives: March 2006


Drinking that Security Koolaid


There’s a vendor out there that is drinking the Security Koolaid.  To the point that I can even see the telltale signs of a red tongue and a Koolaid mustache on their mouth.  Now this isn’t a vendor that you would normally think would be drinking the Security Koolaid… and it’s certainly not the vendor you are probably thinking I’m talking about…..


This is a vendor that… indeed may be setting the path for my Accounting Industry by being one of the first to step up to the bar and do the right thing.  Dr. Jesper Johansson in his “Is that Application Really Safe” presentation talks about how accounting applications are some of the worst offenders when it comes to being security-minded applications.  And it’s true.  Here when we should be the bellwether of the industry..the shining light of best practices… the standard setter…. so many times I hear from folks that it’s the “beancounter program” that makes them make compromises in their networks.  Even my fellow CPAs… sorry guys, I have to beat up on ourselves… we really don’t take the time sometimes to think about security.  We want to get the job done for our clients and sometimes, like in any business, security has to take a back seat.  We blindly email files containing sensitive data and never even think of what we’re doing.


So when I had a conversation the other day with some folks from this Company… it was refreshing to hear on the phone call that they were drinking that Security Koolaid.   And lots of it.  To the point that they will be pushing us in the future….not us pushing them.


But you know something else…. don’t just lay this in the lap of our vendors… as fellow Security MVP Harry Waldron pointed out … Security is spelled sec-U-R-IT-y.  Security isn’t just about “them” … it’s about “You”.  You are “IT”.  You are part of it.  Part of Security.  You are in fact the biggest part of the security piece… and without “You”, this vendor can drink enough Security Koolaid to make them a sugar diabetic but it’s not going to help secure your network, your data, your clients’ data.  You have to help this process by being an aware end user and not blindly do stuff like we’re doing these days.  By setting up your network properly, configuring it properly.  By having security policies, and setting forth to your employees an acceptable use policy of what they can and cannot do on your network.  “You” first have to help this process…it can’t just be on the backs of vendors.


….so …guess which vendor I talked to the other day that is on their way to getting Security? 


….wanna guess?


….give up?


….and no this isn’t an early April Fool’s day joke either… I’m serious here.


… I really and truly feel that this Vendor “gets” security and will be pushing us to “get” it too in the near future …


….the vendor is….believe it or not…. this one!

It’s that time of the year again…

I can hardly wait.. it’s right around the corner… RFC day


I think this is a fav… http://klubkev.org/~ksulliva/rfc-april1/rfc1925.txt 


   (3)  With sufficient thrust, pigs fly just fine. However, this is
        not necessarily a good idea. It is hard to be sure where they
        are going to land, and it could be dangerous sitting under them
        as they fly overhead.


I think we need to send this one to Eric Ligman


http://klubkev.org/~ksulliva/rfc-april1/rfc2324.txt


   This document describes HTCPCP, a protocol for controlling,
   monitoring, and diagnosing coffee pots.

 

Let’s not isolate ourselves too much….

Subtitled… okay MBSA 2.0 is closer…but I STILL cannot consistently scan my domain worth a darn…..


Okay so we already heard from a poster that he used a dll exclusion in the firewall…



So we went back into our Small business server firewall settings… and clicked on “define program exceptions”



And then on “Show” and added an exclusion exactly like this:  %WINDIR%\SYSTEM32\dllhost.exe:10.0.0.2:Enabled:WSUS Port so that it ended up looking like that:


 


(Remember I’m still on that old fashioned SBS IP addressing that we used to use in the 4.0 days)  And now… on those workstations that are checking into the MBSA console..they are properly scanning the patch status… but I still do not have a consistent scan-ability of the network.  Even when I added the extra RPC connectivity allowance like Level Platforms needs.


I’m still getting way too much of this error on some of the workstations…and then I’ll scan again and won’t get it for those same workstations…. I am scanning by NetBIOS domain name… so why isn’t this working?  Or I should say…consistently working?


Q. Why am I seeing error “Could not resolve the computer name: name. Please specify computer name, domain\computer, or an IP address.”?

A. This error is common when scanning based on an IP address range. This is because MBSA will convert the range into a list of specific IP addresses for that range and attempt to resolve each IP address into the associated NetBIOS computer name. When that name resolution cannot be performed because the computer is switched off, or the IP address is not in use, this error will be returned.

The error can also happen when using a domain name if domain members are not accessible on the network, such as a laptop computer roaming outside the wireless network, or a desktop computer that has been shut down.

If you specify a DNS fully qualified domain name (FQDN) as the domain to be scanned, you will also see these errors. In that case, you need to use the NetBIOS compatible domain name.


But I’m not.. I DID put in the netbios based domain name…. and I kid you not.. many of the people I talk to say that they tried MBSA 2.0… couldn’t get consistent scanning results… got frustrated and dropped using it…. because they too couldn’t get it to scan through the firewall.


But this reminds me of an email thread I had today with a guy about keeping “some” network goo… as a balance between security and that manageability that I need to have ….as while Dr. Jesper Johansson is talking about Server and Domain Isolation techniques… I’m sitting here poking holes in the firewall and knocking off the Strict RPC compliance in ISA server because I want…. no… I NEED to have manageability of the network.  I NEED to have a foundational bit of ‘goo’ that runs throughout my entire network so that I can scan them and get assurances that they have protections in place… I mean yeah… scan my SBS box and it says I have “Severe risks” …but right now.. the fact that I can’t scan my entire network… I think ..means I have a bigger risk.  I mean I know I can’t do the Server and Domain Isolation stuff the big server guys have to do… but it sure would be nice if I could scan the network with MBSA….


Stay tuned…. we’re getting closer…..

What are your IMF settings?

So what are your IMF settings?


Some here are 6, archive, 2…. 5 would be better but gives a few false positives…


Some are reject =6, move to junk =4


Some use the IMF archive manager….some use the one from Hello


Delta airlines seems to get knocked out at 7… but putting it at 8 lets in too much gunk


…so what do you use?

Working with Group policy

Just a nice friendly reminder… that when us non-big-server-land people start mucking around in group policy..your first step should be these steps….


Go down in the group policy management console.. in that bottom section….



Right mouse click on Group Policy Objects… 



Ensure you’ve clicked on “backup all” …or at least the one you are mucking with…


And make sure it says this:



Because while you are attempting to put in the registry keys for MBSA..and you’ve obviously screwed something up…. so it looks like this….and when you go to edit it and it looks like this….



Which in turn gives you that error…. you can at least restore the policy from the backup you just made… granted you will go “Oh #%@#$” for a split second as you momentarily think you’ve horked yourself good as you can’t get back into the very template you’ve screwed up…


As with everything in life.. make sure you have a backup…..


(stay tuned… MBSA still not working…)

Okay big server land people…..


Okay big server land people…..why isn’t there an ‘edit’ key in the Group Policy Object Editor?

In the group policy…you type these GUID thingys in by hand?

I mean …really… you never make mistakes when setting up group policy settings or something?  So why no edit button? You guys think typing this stuff in by hand builds character or something?  I mean look at the gunk I need to type in there… and for the record… when giving us SBSers instructions on group policy..don’t assume that all of us have been in there enough to know that when typing in a new key we will truncate the “HKEY_LOCAL_” part and just need “MACHINE” up there…..


HKEY_LOCAL_MACHINE\Software\Classes\AppID\{B366DEBE-645B-43A5-B865-DDD82C345492}\Endpoints REG_MULTI_SZ “ncacn_ip_tcp,0,n”

Yuck .. I have to manually type in MACHINE..wack… Software.. wack… yadda yadda

2. Configure Windows Update Agent to use this static custom port by setting a registry key as follows: HKEY_LOCAL_MACHINE\Software\Classes\AppID\{B366DEBE-645B-43A5-B865-DDD82C345492}\Endpoints REG_MULTI_SZ “ncacn_ip_tcp,0,n”
(where n is the port number you have decided to use.) You may also configure the endpoint using the Component Services application in Control Panel. The Windows Update Agent – Remote Access endpoint is located under the path Component Services\Computers\My Computer\DCOM Config. Right-click and select Properties, then use the Endpoints tab on the Properties page to configure the static port.


And why do instructions like this assume that once we get to Component Services section…. in the control panel…that we’ll even have a clue of what to do when we get there? I mean like look at this:



Okay.. I see the static endpoint in the DCOM protocol …but.. now what.. do I need a protocol sequence of connection-oriented TCP/IP?  I guess so but the instructions don’t say to mess with that….but gang….don’t assume that we’ve been under the hood before when giving instructions.. be specific…because if there’s anything else in there… we’re going to ask and wonder if we need to select anything….


P.S… skip the GUI?  Edit the text file?  Import them from the command line?  Are you insane?  …excuse me… what do you think I am…. a big server person?


 


 

MBSA 2.0… apparently none of us are using it

Brian Kruse has made a new post: re: MBSA 2.0…so what am I missing?


Ran into this myself…after going through the KB article I finally found someone’s post that led me to try the following which worked on a non-ISA system so it may or may not work with ISA.  I added an exception to the GP firewall settings to allow C:\WINDOWS\SYSTEM32\dllhost.exe to accept requests from the server only.  You’ll have to use %windir%\system32\dllhost.exe in the GP since the : won’t work. Hope that helps!


It’s pretty obvious from posts out here that none of us have gotten this to work natively on the SBS box… and there won’t be a new release to get this to work… we need to adjust the firewalls to get it to work…. stay tuned as I’ll get the definitive answer on this….

MBSA 2.0…so what am I missing?

MBSA 1.2….just went…scanned bam…bing done.


MBSA 2.0 with the XP SP2 firewalls..even with my modifications for additional management…either MBSA doesn’t find the machines….or when it does find them… it can’t scan the Windows catalog due to firewall issues….and of course we really don’t want to turn off the firewalls at the workstations…..


…and so the instructions to get MBSA to work are below ….


I got the COM hotfix .. I think (I mean right?  it’s in 05-051.. I don’t have to edit or flag with extra keys to get those extra COMy things installed, right?)


And it sounds like I need to deploy that registry key?… so like.. can I ask a stupid question… I mean I know us SBSers have our own policy and all that…but it seems to me that other than this issue with MBSA it’s kind of a decent group policy template for everyone to suck down and use in a network… so why isn’t that reg key policy already ready to go inside of every Windows 2003 server that would be used to control any XP SP2 firewall?  I mean like why isn’t there a blonde “install this to decently manage, patch and control your network” adm template that would just be there for a typical firm?


Does anyone have MBSA 2.0..not three mind you… scanning consistently on a SBS 2003 with ISA 2004 that didn’t add this group policy registry key..and if so how did you do it?…Otherwise I’m about to add another setting to the default SBS group policy for XP sp2 firewalls.


————————————- 

Please refer to:

MBSA 2.0 Frequently Asked Questions
http://www.microsoft.com/technet/security/tools/mbsa2/qa.mspx

Please search for the question:

How can I scan a computer that is protected by a firewall?

Generally, there’re 3 steps to complete the task. Step 2 is optional in
case there are any unmanaged computers which do not belong to your
domain. For your convenience, I copied the steps here:

Step 1: Review system requirements

MBSA cannot scan a remote computer protected by a firewall unless the
firewall is configured to open the ports that MBSA uses to communicate
with the computer. The Windows Update Agent implements a remote scanning
interface based on DCOM. The account being used to scan must possess
local administrator rights. The computer must also be configured to meet
the following conditions:

– The Server service, Remote Registry service, and File and Print
Sharing service must be running on the remote computer. 
– The required ports must be open on the firewall.
– The Windows Update Agent must be installed and the Automatic Updates
service must not be disabled.

Remote computer scans are performed using TCP port 135, a dynamic or
static DCOM port, and ports 139 and 445. In a multi-domain environment
where a firewall or filtering router separates the two networks, TCP
ports 135, 139 and 445 and UDP ports 137 and 138 must be open in order
for MBSA to connect and authenticate to the remote computer being
scanned. You must allow these ports to be open on the remote firewall if
a personal firewall is being used.

Note: The use of DCOM for remote scanning through Windows Firewall on
all versions of Windows XP may require a post-SP2 hotfix as described in
Microsoft Knowledgebase article 895200, “Availability of the Windows XP
COM+ Hotfix Rollup Package 9”. Customers may now obtain this fix by
installing the COM+ update (KB 902400) using these procedures:

1. Download the update from
http://www.microsoft.com/downloads/details.aspx?FamilyId=20F79CE7-D4DB-42D7-8E57-58656A3FB2F7
on the Microsoft Download Center.

2. Copy the update to the computer you are updating and open a command
prompt on that computer.

3. Run the update using the command line options described in KB article
824994 (specifically, the /B:SP2QFE command line option). Doing this
will install all of the Windows XP COM+ Hotfix Rollup Package 9 fixes,
in addition to the fixes released in the security bulletin MS05-051.

Step 2: Configure Unmanaged Computers

DCOM allocates a dynamic port by default, but a firewall blocks access
to these ports unless explicitly opened by using the following
procedure:

1. Open port 135 and a custom port in your firewall (some firewalls may
allow port 135 by default). The port you select should be checked to
ensure it is appropriate, or not associated with other applications.

2. Configure Windows Update Agent to use this static custom port by
setting a registry key as follows:
HKEY_LOCAL_MACHINE\Software\Classes\AppID\{B366DEBE-645B-43A5-B865-DDD82C345492}\Endpoints REG_MULTI_SZ “ncacn_ip_tcp,0,n”
(where n is the port number you have decided to use.) You may also
configure the endpoint using the Component Services application in
Control Panel. The Windows Update Agent – Remote Access endpoint is
located under the path Component Services\Computers\My Computer\DCOM
Config. Right-click and select Properties, then use the Endpoints tab on
the Properties page to configure the static port.

Step 3: Configure Managed Computers

Use Group Policy to deploy specific administrative firewall and COM+
settings to target computers. You may use the Group Policy editor to
create the needed configuration settings as documented in “Deploying
Windows Firewall Settings for Microsoft Windows XP with Service Pack 2”,
in the section entitled “Deploying Windows Firewall Settings With Group
Policy”.

Windows Firewall Settings: The following Windows Firewall settings should
be used:

– Windows Firewall: Allow remote administration exception. Used to enable
remote configuration using tools such as Microsoft Management Console
(MMC) and Windows Management Instrumentation (WMI).
– Windows Firewall: Allow file and print sharing exception. Used to
specify whether file and printer sharing traffic is allowed.
– Windows Firewall: Define port exceptions. Used to specify excepted
traffic in terms of TCP and UDP ports. In this step, define the same
ports as you selected for unmanaged computers and from the system
requirements step.

Additional details on the settings available within the administrative
template for Windows Firewall have been documented in “Using the Windows
Firewall INF File in Microsoft Windows XP Service Pack 2”, in the
sections labeled “Enabling Remote Administration” and “Adding Static
Ports to Windows Firewall’s Default Exceptions List”.

COM+ Settings: The COM+ endpoint registry settings for the Windows Update
Agent can be configured as a Group Policy registry policy object.
Guidance on how to create a policy for this is located in the Microsoft
Knowledgebase article 323639, and includes a generic sample that you can
modify. When doing this, you must base the policy registry key on the
following:
HKEY_LOCAL_MACHINE\Software\Classes\AppID\{B366DEBE-645B-43A5-B865-DDD82C345492}\Endpoints REG_MULTI_SZ “ncacn_ip_tcp,0,n”
(where n is the port number you have decided to use.)

Note: When using this method, be aware that additional administrative
template settings may be needed in order to remove this registry setting
when the functionality is no longer desired.
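An added example of mine, not code from the posts, the forum reply or Microsoft's MBSA FAQ: a pre-flight check for the two settings these posts have you hand-type into Group Policy, the firewall program-exception string from the SBS firewall post and Brian Kruse's comment, and the Windows Update Agent Endpoints value from steps 2 and 3 above. It encodes the four-field colon format that makes a drive letter fail, and the rejection of ports below 1024 is a conservative choice of mine, not a rule the FAQ states.

```python
import ipaddress
import re

# Added example, not code from the original posts or from Microsoft's MBSA FAQ.
# Checks the two settings the posts above have you hand-type into Group Policy:
#   1. a Windows Firewall "Define program exceptions" entry (path:scope:status:name)
#   2. the Windows Update Agent COM+ Endpoints value ("ncacn_ip_tcp,0,n")

def parse_program_exception(entry):
    """Parse 'path:scope:status:name'; return a dict with ok=True or an error."""
    fields = entry.split(":")
    if len(fields) != 4:
        # A drive letter ('C:\WINDOWS\...') adds a fifth colon-separated field,
        # which is the ':' problem Brian Kruse hit; %WINDIR% avoids it.
        return {"ok": False, "error": "expected 4 colon-separated fields, got "
                f"{len(fields)}; use %WINDIR% instead of a drive letter"}
    path, scope, status, name = fields
    if status.lower() not in ("enabled", "disabled"):
        return {"ok": False, "error": f"status must be Enabled/Disabled, got {status!r}"}
    for token in scope.split(","):
        token = token.strip()
        if token in ("*", "localsubnet"):
            continue
        try:
            ipaddress.ip_network(token, strict=False)  # 10.0.0.2 or 10.0.0.0/24
        except ValueError:
            return {"ok": False, "error": f"scope token {token!r} is not an address or subnet"}
    return {"ok": True, "path": path, "scope": scope, "status": status.lower(), "name": name}

ENDPOINT_RE = re.compile(r"^ncacn_ip_tcp,0,(\d+)$")

def parse_endpoint(value):
    """Parse the Endpoints REG_MULTI_SZ string; the FAQ's 'n' must already be a port."""
    value = value.strip().strip('"\u201c\u201d')  # tolerate quotes pasted from the FAQ
    match = ENDPOINT_RE.match(value)
    if not match:
        return {"ok": False, "error": "value must be ncacn_ip_tcp,0,<port>; replace n with your port"}
    port = int(match.group(1))
    if not 1 <= port <= 65535:
        return {"ok": False, "error": f"port {port} is out of range"}
    if port < 1024:
        # Conservative choice (mine, not the FAQ's): stay out of the well-known range,
        # which includes the RPC endpoint mapper on 135 that MBSA already needs.
        return {"ok": False, "error": f"port {port} is in the well-known range; pick a custom port"}
    return {"ok": True, "port": port}

def gp_registry_path(hive_path):
    """The Group Policy registry editor drops 'HKEY_LOCAL_' and expects 'MACHINE\\...'."""
    prefix = "HKEY_LOCAL_MACHINE\\"
    if not hive_path.upper().startswith(prefix):
        raise ValueError("only HKEY_LOCAL_MACHINE paths are handled here")
    return "MACHINE\\" + hive_path[len(prefix):]
```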

Step one, don’t panic….

So I turned on a workstation…one that hadn’t been on in a while… and kinda forgot about it… and tonight I was checking the ISA logs to see why the MBSA 2.0 wasn’t scanning the network like it should (long story…still in investigation…stay tuned to the blog) and I realized that every minute or so there was this “heartbeat” in the ISA logs.


 


http://66.151.158.177:80/l?526=-1N8753


….what tha?  says I and I start looking at the computer it’s coming from…


 


So visions of OH MY GAWD I HAVE A TROJAN I’M OWNED …. I’LL BE LICKING STAMPS UNTIL THE DAY I DIE INFORMING CLIENTS THAT MY NETWORK HAS BEEN OVERTAKEN BY ZOMBIES SENDING OUT PHONE HOME MESSAGES TO SOME FOREIGN COUNTRY LOCATED IN……hang on…let me check whose IP that is…… THE TERRORIST COUNTRY OF…..hang on lemme look this up on ARIN… THE TERRORIST COUNTRY OF…Atlanta, Georgia?


 


Huh? 


 


OrgName:    Internap Network Services
OrgID:      PNAP
Address:    250 Williams Street
Address:    Suite E100
City:       Atlanta
StateProv:  GA
PostalCode: 30303
Country:    US


Okay so I calm down enough to realize that the ‘heartbeat’ I’m seeing is a leftover… an old install, left to expire from not being paid for but not yet uninstalled, of the way we remoted into one PC a few years ago…


Yup… “Gotomypc”.


While it may have been an expired account.. it had a red X in the corner… it was alive enough to do a heartbeat out to the Gotomypc/Webex servers.


Just a FYI… clean up those kinds of programs on computers…..
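An added example of mine, not something from the post, of the check that turns this kind of accidental discovery into a routine one: over constructed, simplified proxy log lines (not real ISA Server output; only the beacon URL is taken from the post), it flags client/destination pairs whose requests recur at a near-constant interval, which is what a leftover remote-access agent looks like in a log.

```python
import statistics
from datetime import datetime
from urllib.parse import urlsplit

# Constructed, simplified proxy log lines (date time client method url); this is
# not real ISA Server output. Only the beacon URL is taken from the post above.
SAMPLE_LOG = """\
2006-03-15 21:00:02 10.0.0.57 GET http://66.151.158.177:80/l?526=-1N8753
2006-03-15 21:00:19 10.0.0.21 GET http://www.microsoft.com/technet/security/tools/mbsa2/qa.mspx
2006-03-15 21:01:01 10.0.0.57 GET http://66.151.158.177:80/l?526=-1N8753
2006-03-15 21:01:44 10.0.0.21 GET http://support.microsoft.com/?kbid=916196
2006-03-15 21:02:03 10.0.0.57 GET http://66.151.158.177:80/l?526=-1N8753
2006-03-15 21:02:10 10.0.0.21 GET http://www.microsoft.com/downloads/details.aspx
2006-03-15 21:03:02 10.0.0.57 GET http://66.151.158.177:80/l?526=-1N8753
2006-03-15 21:04:01 10.0.0.57 GET http://66.151.158.177:80/l?526=-1N8753
2006-03-15 21:04:58 10.0.0.21 GET http://www.microsoft.com/technet/
2006-03-15 21:05:03 10.0.0.57 GET http://66.151.158.177:80/l?526=-1N8753
"""

def parse_line(line):
    """Return (client_ip, destination_host, timestamp) for one log line."""
    date, time, client, _method, url = line.split(maxsplit=4)
    stamp = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    return client, urlsplit(url).hostname, stamp

def find_beacons(lines, min_hits=5, max_jitter=0.1):
    """Flag (client, host) pairs with at least min_hits requests whose spacing is
    regular: population std-dev of the gaps no more than max_jitter * median gap.
    Returns a list of (client, host, hits, median_gap_seconds)."""
    timeline = {}
    for line in lines:
        if not line.strip():
            continue
        client, host, stamp = parse_line(line)
        timeline.setdefault((client, host), []).append(stamp)
    findings = []
    for (client, host), stamps in timeline.items():
        if len(stamps) < min_hits:
            continue  # ordinary browsing rarely repeats this often to one host
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        median = statistics.median(gaps)
        if median > 0 and statistics.pstdev(gaps) <= max_jitter * median:
            findings.append((client, host, len(stamps), median))
    return findings

if __name__ == "__main__":
    for client, host, hits, gap in find_beacons(SAMPLE_LOG.splitlines()):
        # The analyst's next step is the WHOIS lookup the post describes.
        print(f"{client} -> {host}: {hits} requests, one every ~{gap:.0f}s")
```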

So you need to get a USB floppy disk on a server, do you?

A connected USB floppy disk drive does not work when you press F6 to install mass storage drivers during the Windows XP installation process:
http://support.microsoft.com/?kbid=916196


I have a server.. it has no floppy drive.  Now if I want to have SATA drives or something… I need to ensure that I can hit F6 during the install and get the drivers on the box…but … hmmmmmm I may need to warn someone about the fact that there might be times that you can’t use a USB floppy… at least on an XP machine.  Wonder if the same is true for a 2003 box?