Monthly Archives: December 2006


Debugging a bit of .NET

In our SBS world the addition of .NET 2.0 sometimes mangles our Remote Web Workplaces, Companywebs and what not… and the trick is to go into IIS, into the properties of the web sites and ensure that all the default SBS sites are on .net 1.1 and not 2.0.


Down at friends for the New Year and we can’t get the XBox/Media Center extensions loaded up and I’m wondering if .NET 2.0 is messin’ with it.


I’ve found this blog post http://blogs.msdn.com/astebner/archive/2005/12/06/500801.aspx and this one http://blogs.msdn.com/astebner/archive/2006/06/01/613975.aspx and the .net sp1 won’t install…


And in searching I’m finding this KB http://support.microsoft.com/kb/922377 and I had to laugh… that’s the first time I’ve seen a link to a blog in a KB article… that shows you how “authoritative” blogs are considered now, doesn’t it?  They are linked in KBs.


So now off to go clean up some .NETs.


(For the record, I had to “reinstall” .net 2.0 in order to uninstall it, then I reinstalled .net 1.0 and .net 1.1.  Then I ensured that this value was in the registry, and that did the trick… just remember, sometimes with .net… it’s easier to pretend to reinstall it to get yourself in a position to uninstall it.)

3G versus Edge

Using the Sierra Wireless Aircard, when there is 3G connectivity you can tell that the speed is definitely faster and (as Chris Rue would say) it would be sweeeeeetttt for Remote Web Workplace on the road.  Even Edge/GPRS isn’t that bad and is certainly better than dial up.


But so far.. I’ve hit “pockets” of 3Gism on this road trip and it’s certainly not as solid 3G coverage as one would think traveling from Fresno to Bakersfield to Los Angeles to Anaheim (yes, going to Disneyland for the New Year… blogging will be light).


But if you have solid 3Gism… remoting will be very nice.

New Year Belly Button Reflection

It’s time for that annual tradition of sitting down and belly button gazing.  And it’s a good idea for us all to look back while we plan forward. 


Vlad’s done his.. http://www.vladville.com/2006/12/new-year-resolution-time.html and to be honest with you, I don’t think he needed to apologize for things said…. because at the end of the day…. I feel that all of us (most of us) know that all this stuff isn’t a religion, it’s just about business. 


I think at the end of this year, as the new year begins, as new products come out, we all need to step back and look at the business side of things.


Because we can always solve the technology problems, I would argue… it’s the solutions needed for the business that need our attention. 


So start with your business.


Grab a sheet of paper (or, better, grab your December 30th accounting program and pull up a year-to-date balance sheet).  Now then, pencil out what your budget is for the coming year.  If you are savvy, you’ll project your budget by month.  Plan on your cash flows.  Plan your education budget for the year, plan on your sales targets, plan on your expense categories.


Now I want you to think about your future.  What are your retirement plans like? If you are a single shop… what are you doing to ensure that your retirement years are reasonably taken care of?  Are you spending on things that will give you value and revenue?


So do a bit of reflection… of planning… of thinking of where you want your business to be at in a year….plan for it….so that this time next year, it will be a reality.

The reminder of security

The other day the conversation came up about blank passwords on accounts in Win2k3 and XP, and I made the point that on a default installed system, a blank password on an account meant that it could not be remotely accessed from the Internet.  The argument can be made that if you can physically secure a device, the account would actually be more secure, as it could not be remotely accessed.


I went on to say that my Tablet PC had an administrative account that had a blank password. 


Now to many that seems like an insane thing to do for a person who has volunteered on various Security groups and has a GSEC certification to boot.


But I do it for a reason.  To remind me that key data should never be on that device in the first place.  Part of it is to prove the point that when you work in an industry like mine, client information and client data should never be on a mobile device.  The laptop is used for Remote web workplace, blogging, internet access and personal (but not business) emails.  There is truly more client data on my cell phone than there is on that laptop.  Because the laptop is designed (on purpose) to be an expendable device, it’s a reminder to never put any information on that laptop that I care about.  Because truly, if I lose the laptop, regardless if I have a password on an account or not, law number 3 of computers states that should I lose physical security of a device, it’s no longer mine.


http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx?mfr=true


Law #3: If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore


Oh, the things a bad guy can do if he can lay his hands on your computer! Here’s a sampling, going from Stone Age to Space Age:


He could mount the ultimate low-tech denial of service attack, and smash your computer with a sledgehammer.

He could unplug the computer, haul it out of your building, and hold it for ransom.

He could boot the computer from a floppy disk, and reformat your hard drive. But wait, you say, I’ve configured the BIOS on my computer to prompt for a password when I turn the power on. No problem – if he can open the case and get his hands on the system hardware, he could just replace the BIOS chips. (Actually, there are even easier ways).

He could remove the hard drive from your computer, install it into his computer, and read it.

He could make a duplicate of your hard drive and take it back to his lair. Once there, he’d have all the time in the world to conduct brute-force attacks, such as trying every possible logon password. Programs are available to automate this and, given enough time, it’s almost certain that he would succeed. Once that happens, Laws #1 and #2 above apply.

He could replace your keyboard with one that contains a radio transmitter. He could then monitor everything you type, including your password.


Always make sure that a computer is physically protected in a way that’s consistent with its value—and remember that the value of a computer includes not only the value of the hardware itself, but the value of the data on it, and the value of the access to your network that a bad guy could gain. At a minimum, business-critical computers like domain controllers, database servers, and print/file servers should always be in a locked room that only people charged with administration and maintenance can access. But you may want to consider protecting other computers as well, and potentially using additional protective measures.


If you travel with a laptop, it’s absolutely critical that you protect it. The same features that make laptops great to travel with – small size, light weight, and so forth—also make them easy to steal. There are a variety of locks and alarms available for laptops, and some models let you remove the hard drive and carry it with you. You also can use features like the Encrypting File System in Microsoft Windows® 2000 to mitigate the damage if someone succeeded in stealing the computer. But the only way you can know with 100% certainty that your data is safe and the hardware hasn’t been tampered with is to keep the laptop on your person at all times while traveling.


So if you design your system from the beginning with the thought that the device you use is expendable…. then you don’t use it as anything other than a conduit.  Thus no Outlook over http is allowed.  And as far as the risk of connection information being left on the device?  What’s the risk of a Remote Web Workplace web address if you have a strong password and Scorpion Software’s RWW Guard?  If Internet temp files are dumped on exit?  If the risk of the device having data left behind on it is so great, then it should be encrypted.  If the risk of the device having access/connection information on it is too great, then don’t access from it.  See where I’m going here?


Remember that if you have physical access to a system, it is trivial to reset the password.   And if you reset the password it’s owned.  Thus the lack of a password on one of the accounts is a mental reminder to me to consider that laptop expendable.  To keep it physically secure.  To never store data on it.  And if it’s not physically secure, it’s worthless to me as a secured, and therefore securable, device.


Truly there is more risk to me in the loss of my cell phone, with a domain password and Outlook synced to the office server, than there is in a Vista Tablet PC that is not domain joined, dumps IE temp files, is small enough that it travels everywhere I do, and doesn’t have client data on it because I Remote Web Workplace back to the office.


Steal my laptop?  Go ahead.  Steal my cellphone?  For that I’m using the remote wipe features of Exchange 2003 sp2/Mobile pack stuff.  In fact, if you truly do care about the information on that laptop such that you’d never let it leave your site without a password, then you install a remote “nuke and pave” program so that should it leave your physical custody, you still have a bit of control over that Law #3 above.  Now I’d argue that if you lost a laptop, for a little more comfort and peace of mind you’d probably change the passwords on your accounts even with my remote access policy.


But see where I’m trying to get you to see here?  That the risk is a direct relationship to the data on the device.  And the risk is physical security.  And once you lose that… it really doesn’t matter anymore if the password is one that’s long and complex …. or even blank.


Game is over.  Bad guys have won.


So unless that key data is encrypted on that device, or stored elsewhere, or … better yet, not on the device in the first place and merely used as nothing more than a dumb terminal of sorts…. whether you use a blank password ….or not….. if you lose physical access… you’ve already lost.


Protect the data.  The device is expendable.


P.S.  On Vista this is more of an exercise in just being unusual, since the built in Administrator account is disabled anyway  ;-)

The annoying blurb is less annoying

So I bought an upgrade to our Policy Patrol Disclaimer software for my office and the cool thing about it is that I don’t have to annoy people with the annoying tax signature all the time:

Tax opinion disclaimer

This email contains tax advice. Please note that additional tax issues may exist that could affect the tax treatment of the tax shelter addressed in the advice. The advice does not consider or reach a conclusion with respect to those additional issues. Further, the advice was not written and cannot be used by the recipient for the purpose of avoiding penalties under code section 6662(d) with respect to those issues outside the scope of the advice.

That blurb only comes out when a “tax” key word is used in our emails.  Now granted the disclaimers in emails are silly…but silly or not.. we are required to do them in Accounting firms that might possibly give tax advice under Circular 230. 

But in general, any time someone posts that blurb.. or the one below to a listserve it’s really kinda dumb isn’t it?  As it really doesn’t belong there does it?

BTW, in Exchange 2003, custom event sinks aren’t worth the time and effort and this is much easier and way more dependable… Exchange 2007 will better support native disclaimers (or so I’m told).

Disclaimer – December 30, 2006

This email and any files transmitted with it are confidential and intended solely for Susan Bradley. If you are not the named addressee you should not disseminate, distribute, copy or alter this email. Any views or opinions presented in this email are solely those of the author and might not represent those of Red Earth Software. Warning: Although Red Earth Software has taken reasonable precautions to ensure no viruses are present in this email, the company cannot accept responsibility for any loss or damage arising from the use of this email or attachments.

This disclaimer was added by Policy Patrol: <http://www.policypatrol.com>

If your RWW is a little slow.. check your AD

http://blogs.technet.com/edwalt/archive/2006/12/29/when-a-user-logs-onto-rww-the-screen-hangs-at-loading.aspx


Guess that puts to rest that old wives’ tale about how SBS can only have one server in the domain, ‘eh?


Granted they were offline and thus causing the issue with RWW…but 24 servers ‘eh? 



Using ISA to protect the SBS mail server just a smidge more….

The recent closure of the Open Relay Database, as reported by incidents.org, points out how email and spam have changed over the years.  Once upon a time Open Relays abounded and were the main way that spam attacks were launched. Now spam comes at us in various ways, from spam bots to NDR attacks.  Open Relay is no longer our main SMTP security issue these days; in fact Exchange 2003 is not a mail relayer by default.  Nevertheless, while our servers have gotten more secure, the spam impact is rising. As the spammers have changed the playing field, we’re using different tools to fight back.  While the built in IMF spam filter in Exchange 2003 sp2 is an excellent spam filter, there are new hosted solutions that place the burden of filtering on the backs of specialized vendors that can better see the spam trends.  Vendors such as Postini, Microsoft’s Frontbridge, and the one that I personally use, ExchangeDefender.com, provide additional filtering in front of your Exchange server.

Hosted Exchange filtering provides several benefits.  The first is that these vendors specialize in seeing the trends of viruses and spam and thus can act on these trends much faster than I can.  Secondly, they house the spam on their servers and not mine.  And last but certainly not least, one of the reasons that I chose this was to provide more secure connectivity to my mail server.  I was able to do this by utilizing my ISA Server 2004 to provide a bit more protection for my Small Business Server network. 

Before the change, I could literally see pings from various countries entering my network via the open port 25 that I used to accept inbound email connections.  Using an add on tool to ISA Server 2004, the Firewall Dashboard from Scorpion Software, you could see the various countries and IP addresses: 


Figure 1 – Scorpion Software’s Firewall Dashboard showing various SMTP connections


While attempts to guess a username and password on a mail connection should not be a concern to the savvy network administrator whose network uses passphrases or a password policy that ensures passwords are long, strong and not easily crackable, the reality for many firms is that they would prefer to reduce an exposed attack surface if it’s reasonable to do so.  There have been cases where firms have been subjected to dictionary attacks and have had a password cracked merely so the mail server could be authenticated to and used in more spam attacks.  These attacks, called SMTP auth attacks, have increased over the years.  In addition, the concern that I have, with my firm located in California and holding data of California residents, is that should an attacker use an SMTP auth attack and, through my own stupidity or misconfiguration, crack a password, that event would trigger a law in California called SB1386, whereby I would need to notify my firm’s clients that their sensitive data may have been breached.

In our case, it is extremely reasonable and extremely easy to limit the connections to our mail server ports with a bit of judicious editing of the ISA server policy that allows connections to our mail server.  The service that I use, ExchangeDefender, only connects to my server from a specific set of IP addresses.  Therefore, to ensure that we only accept inbound port 25 connections from those servers, we will set up rules in ISA Server 2004 to better protect the server and limit SMTP connections to only those 5 IP ranges.  This will in turn close down the potential for SMTP auth attacks and other misdirected connections to port 25 on my server, reducing even more of an already limited attack surface on the server.

Our first step in the process is to determine the IP addresses that we need to restrict port 25 to.  The IP addresses are all Class C addresses.  We begin by launching the ISA management console as shown below:

Figure 2 – Default rules as provided by the SBS 2003 “Connect to Email and Internet Wizard”


In my case, my version of ISA server 2004 is installed on the SBS 2003 network server and has a rule wizard that has pre-built the access to the server for email.  I will edit that rule to provide the additional restrictions I need, but I need to remember that should I need to rerun the Connect to Internet and Email Wizard, or CEICW as it’s commonly called, that is inside the Small Business Server network, it will reset these email rules to default.  So at the end of this process, I’ll make sure that I backup the ISA configurations I’ve customized to ensure they are retained.

So we begin by editing the policy and providing the additional IP restrictions so that only the IP addresses from the ExchangeDefender servers can connect to the SMTP port on my server.  In my example, using SBS 2003’s ISA server configuration, it has built for me an SMTP access rule that I will edit.  Double-click the SMTP Server Access Rule and browse to the “From” tab.  From here you can see that the current allowed connections are from the entire Internet.  This is what we will be editing.

Figure 3 – Editing the SMTP server access rule


We will first begin by adding the necessary Address ranges that we need to limit connections to.  After clicking on “Add” we are presented with a Network Entities screen.  We now need to click on “New” to add a new category of addresses that we will limit inbound port 25 connections to.  As you can see, you are presented with various ways that you can add different rule sets for access, ranging from “Networks” to sets, to various computers, to address ranges and so on.  This makes it easy to add a rule with a specific need in mind.

Figure 4: Defining the Network Entities


We will build a series of Address ranges, based on the information given to us by the Hosted Antivirus and AntiSpam provider, that we will use to limit the connections.  While we can use several categories of network entities to build the rule, including an Address range for each range or a Subnet for each one, the easiest way is to use the Computer Set element and include in one set the five ranges that we have been given by the vendor.  This makes for the best organized rule, as all of the vendor’s IP ranges will be included in one spot.  Be sure to add enough descriptive information to the rule set to ensure that you will remember the intent, and document it in your Firewall change log or whatever process you use to document firewall changes.

Figure 5: Using New Computer  Rule Element


When everything is all done, the ranges we have built will be included as one set.  We can now easily replace the existing “External” entry, which allows connections from all locations, with the more restrictive set that only allows the 5 address ranges that have been specified.  And like all other edits to Firewall rules in ISA, it’s as easy as clicking on the “Apply” button to change the rule to our new edited one.
Figure 6:  Applying the new configuration



Last but not least, we need to remember that in the Small Business Server 2003 environment, should we re-run the firewall wizard for any reason, any SBS wizard specific rule that we customized before will be reset back to the original.  Therefore, documenting the changes you make, and at the end of the customization process clicking on the properties of the rule and exporting it to allow for easy import, will ensure that you can easily and quickly get the Firewall settings back as you need them to be.

Figure 7:  Exporting out the changed configuration
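As an added illustration (not code from the post, from ISA Server, or from ExchangeDefender), here is a small Python model of the rule just built: it collapses the vendor’s ranges into one Computer Set style allow list, runs a few constructed connection log lines through it to show which port 25 connections the edited SMTP rule now drops, and checks the portqry before/after output quoted later in the post. The ranges, log lines and field names are constructed placeholders (RFC 5737/6598/2544 documentation and test addresses), not the vendor’s real addresses.

```python
import ipaddress
import re
from typing import Dict, Iterable, List

# Constructed stand-ins for the five vendor ranges the post restricts port 25 to
# (the real ExchangeDefender ranges are not on the page). They are written in the two
# forms an ISA network entity can take: a subnet and an ISA-style start-end address range.
VENDOR_ENTRIES = [
    "192.0.2.0/24",                 # subnet form
    "198.51.100.0-198.51.100.255",  # ISA "Address Range" form (start-end)
    "203.0.113.0/24",
]


def build_computer_set(entries: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Collapse the vendor's ranges into one list of networks, like one ISA Computer Set."""
    nets: List[ipaddress.IPv4Network] = []
    for entry in entries:
        entry = entry.strip()
        if "-" in entry:  # start-end range: summarize into the fewest CIDR blocks
            start, end = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
            nets.extend(ipaddress.summarize_address_range(start, end))
        else:             # CIDR form; strict=True rejects a host address with host bits set
            nets.append(ipaddress.ip_network(entry, strict=True))
    return list(ipaddress.collapse_addresses(nets))


def smtp_source_allowed(source_ip: str, allowed: Iterable[ipaddress.IPv4Network]) -> bool:
    """Would the edited SMTP Server Access Rule accept a connection from this address?"""
    ip = ipaddress.ip_address(source_ip)
    return any(ip in net for net in allowed)


# Constructed log lines in the spirit of the Firewall Dashboard view: time, source, dst port.
SAMPLE_CONNECTIONS = """\
2006-12-25 03:06:17 src=203.0.113.44 dst_port=25
2006-12-25 03:07:02 src=198.18.0.10 dst_port=25
2006-12-25 03:08:41 src=198.51.100.9 dst_port=25
2006-12-25 03:09:13 src=100.64.1.2 dst_port=25
2006-12-25 03:10:05 src=100.64.1.2 dst_port=443
"""

LOG_RE = re.compile(r"src=(?P<src>[\d.]+)\s+dst_port=(?P<port>\d+)")


def triage_connections(log_text: str, allowed: Iterable[ipaddress.IPv4Network]) -> Dict[str, List[str]]:
    """Split port-25 connections into those the new rule keeps and those it now drops.
    Connections to other ports are not touched by the SMTP rule and are skipped."""
    allowed = list(allowed)
    verdict: Dict[str, List[str]] = {"allowed": [], "blocked": []}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m.group("port") != "25":
            continue
        src = m.group("src")
        verdict["allowed" if smtp_source_allowed(src, allowed) else "blocked"].append(src)
    return verdict


# The two portqry results quoted in the post, used here as the expected before/after shape.
PORTQRY_BEFORE = """Data returned from port:
220 domain.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.1830 ready at Mon, 25 Dec 2006 03:06:17 -0800
portqry.exe -n xx.xx.xx.xx -e 25 -p TCP exits with return code 0x00000000."""
PORTQRY_AFTER = """TCP port 25 (smtp service): FILTERED
portqry.exe -n xx.xx.xx.xx -e 25 -p TCP exits with return code 0x00000002."""


def port25_is_filtered(portqry_output: str) -> bool:
    """True only when portqry reports port 25 FILTERED with return code 0x00000002,
    i.e. the rule took effect from an address outside the allowed set; an ESMTP
    banner with return code 0x00000000 means the port is still open to everyone."""
    return (re.search(r"TCP port 25 .*: FILTERED", portqry_output) is not None
            and "0x00000002" in portqry_output)


if __name__ == "__main__":
    allow_list = build_computer_set(VENDOR_ENTRIES)
    print("computer set:", [str(n) for n in allow_list])
    print("port 25 triage:", triage_connections(SAMPLE_CONNECTIONS, allow_list))
    print("filtered after change:", port25_is_filtered(PORTQRY_AFTER))
```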


In reality for many of us that use the power of ISA 2004 to better protect and report on the Internet connectivity on our SBS 2003 networks, we typically only run the Connect to Email and Internet wizard once when initially setting up the ISA 2004 configuration.  After that first configuration, we tend to edit the rules as we need them and there is typically no need to rerun the setup wizard. 

You can now use any number of port probing web sites and tools, ranging from Steve Gibson’s veritable Shields Up on his www.grc.com web site to Microsoft’s portqry tool, and see that your port 25 is no longer seen as open to the Internet and ready for drive by port 25 password attempts. While you are still fully able to get all of your cleaned and de-spammed email, you are no longer the fully exposed connection you once were.

Before you limit the connections, a port query response comes back with the following:

Data returned from port:
220 domain.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.1830 ready at Mon, 25 Dec 2006 03:06:17 -0800
portqry.exe -n xx.xx.xx.xx -e 25 -p TCP exits with return code 0x00000000.


After you limit the connection, the response comes back as follows:

TCP port 25 (smtp service): FILTERED
portqry.exe -n xx.xx.xx.xx -e 25 -p TCP exits with return code 0x00000002.


Thus providing a bit more protection from drive by SMTP auth attackers.

While I would never say that a firewall should be “set it up and then forget about it”, typically the ISA 2004 configuration is straightforward enough that my only need to adjust it is when my business needs change or a change in security stance dictates a change in the firewall.  The rest of the time, it just keeps doing what it does very well: being a great protection and reporting access tool for my business’ network.

And now, it gave me just a little bit more help in the war against SPAM.


(Now blogged from this location on my blog site, was formerly blogged at another location)


P.S.  As I’ve joked with folks.. the worst thing about all these external hosted spam filtering services is that they make your email boring.

Finally! Aircard 875 on Vista RTM


Okay so we’re a little less bleeding edge.. blogging from a Vista Tablet PC running a Sierra Aircard 875.


The trick is this driver — http://www.sierrawireless.com/resources/support/Software/3G_Watcher_Generic_1236.msi


Trick number 2 is to remove the Cingular connection manager and ONLY use the Sierra 3G watcher software.  That was the step I was missing.  I still had it on the machine.  Remove the Cingular connection and only use the Sierra software.


And there we go…. one Sierra Wireless 875 connected on a Vista laptop …that’s making this Internet connection to make this blog post as a matter of fact…. and a little less bleeding edge to boot…


…now … to find antivirus I like…..

When you are a bleeding edger..

So per the Sierra Wireless folks… to get my Sierra 875 card working on my Vista (upgraded from XP sp2 to Vista RTM Acer tablet pc) all I need is just the Sierra software and this driver package:


http://www.sierrawireless.com/resources/support/Software/3G_Watcher_Generic_1236.msi


But so far it’s not working.  So tonight I’ll see if I can remove all Cingular software and see if that alone will fix the issue.


So far the SIM card works in the old card that I have – the Sony Ericsson, and when I put the new SIM in the new Sierra Aircard, that combo works in an XP sp2 machine, but I can’t get it to work in my Vista upgraded Tablet PC (personally bought, mind you, and if I even see another blog post about who did or didn’t get a free laptop I may scream …. the blogosphere community is acting ridiculously, but Microsoft and the bloggers both (I think anyway) blew this one in their handling of this … I agree with Scoble that I would have put in the documentation a required disclosure blurb, but I digress).


Someone was asking the other day why should they upgrade to Vista… if XP sp2 was good enough… and I said… (Disclosure – All Vista versions I am currently using are test versions on hardware I have bought personally using the version that I personally purchased from TechNet Plus — there how’s that for disclosure?) based on the issues that I’ve been going through we’re still in the bleeding edge stage of deployment.  Case in point, I’m paying $60 a month for a card that should give me 3G speed but I’m having to use my older, slower card that doesn’t do 3G to even connect.  Nearly all of my key line of business software is practically beating me over the head and saying to wait.  


Is XP sp2 good enough for business?  I’d argue that if you have it set up and not running with Administrator rights, it’s a very stable platform and right now, without administrative rights, good enough for a very stable and secure business operating system.  In fact, when I’m doing beta testing on 64bit stuff, I’m using XP 64bit and not Vista 64bit for my virtual host base.  What makes Vista more attractive is the home user aspect… there’s some parental control stuff that is cool. 


As has been blogged before, you will need for the time being to manually add your Vista to your domain, as the SBS /connectcomputer fix up patch won’t be out until around the real launch date. 


Quite frankly, when is “my” real launch date for Vista?  Around June of 2007.  By then I hope that all my line of business stuff will have tweaks and patches for Vista, and my Trend antivirus will also support it. 


Until then….. welcome to the bleeding edge folks….

Using ISA to protect Exposed ports

As an FYI, a blog post I did on how to use ISA 2004 to better close your SMTP connection to the outside world … especially when you are connected to ExchangeDefender.com … is up on the ISA server blog:


http://blogs.technet.com/isablog/archive/2006/12/28/exchange-spam-filtering-and-isa-server.aspx


Exchangedefender.com is the service that I use that prefilters, cleans and despams my firm’s email….


Bottom line it makes my email boring these days.  And I’m serious about that… it’s quite dull these days.  Only business email.  :-)


P.S.  The post is off the blog site.. sorry if you are looking for it.  No, I really won’t go into why it was removed (not for reasons some folks might be thinking of anyway).