Monthly Archives: December 2007


A rule for ISA

Charlie needed to connect to Gmail’s IMAP folders from inside Outlook.  He had tightened ISA’s rules rather than leaving outbound access wide open, and realized that was blocking Gmail.

(Necessary if you’re going to use Outlook rule processing, since SBS doesn’t include a default rule for this.) You’ll need to add an ISA Rule to make it work on some machines. I could post the XML file, but it’s easy enough to set up:

1.) Open ISA Mgmt console.
2.) Scroll down to near the bottom, just above the SBS Internet Access Rule.
3.) Click the Tasks tab on the right, click Create a New Access Rule.
4.) Give it a name – “Gmail SSL Allow” (or whatever). Click Next.
5.) Select Allow, click Next.
6.) Select This Rule Applies to Selected Protocols from the drop-down list.
7.) Click Add. Expand Mail. Select IMAPS (and IMAP4 if you also use non-secure IMAP servers somewhere). Click Add. Click Close.
8.) Click Next to move to the Access Rule Sources page. Click Add.
9.) Expand Network Sets, select All Protected Networks. Click Add. Click Close.
10.) Click Next to move to the Access Rule Destinations. Click Add.
11.) Expand Networks, select External, click Add. Click Close.
12.) Click Next to move to the User Sets. I leave this at All Users.
13.) Click Next to move to the Completing New Access Rule page.
14.) Click Finish. Then click Apply to make the rule actually active.

You’re in business. 

Charlie. 

Are we really any more secure?

http://jetlagged.blogs.nytimes.com/2007/12/28/the-airport-security-follies/


My favorite flight attendant speech was the time on one flight when, during the safety speech, he said “If you have not driven a car since 1964, please pay attention to the seat belt demonstration”.


But it’s true... are we really any more secure?

PCI/DSS compliance in the SMB world

http://msmvps.com/blogs/bradley/archive/2007/12/27/one-function-one-server-is-it-realistic-today.aspx


In my opinion an SBS box can’t store, process or transmit credit cards under the PCI/DSS regulations.  Even Centro/Essential Business Server is probably pushing the envelope of an acceptable setup.


If you want to “pass the test” without having to document your compensating controls, it is my opinion that any server setup in a small firm would not pass muster under requirement 2.2.1:


2.2.1 Implement only one primary function per server (for example, web servers, database servers, and DNS should be implemented on separate servers)


So how do you handle storing, processing or transmitting credit cards if you are an SMB shop and think that having umpteen servers, one per role, doesn’t gain any security?


Here are some ideas of the ways around the issue: 


Storing credit cards — I’d argue that first you don’t store credit cards, period.  Time Magazine’s headline is that there are record data breaches, and many if not most of them happen when “data is at rest”.  http://www.time.com/time/world/article/0,8599,1699049,00.html  It’s from a stolen laptop, or a lost backup tape.  Bottom line: don’t store credit cards on the server.


Processing credit cards — if you think about it, many places can use alternative ways to process them.  In our office we have a merchant machine that runs through its own network and is not connected to ours.


Transmitting credit cards — the same rules apply.  The merchant machine separates out the handling.


So what do you think?  Read the PCI/DSS standards.  https://www.pcisecuritystandards.org/tech/pci_dss.htm


I still argue that you don’t store, process or transmit over your SMB server connection.  Make the issue moot.

The best thing about Vista

In XP this happens…

However in Vista … only this happens

http://www.microsoft.com/technet/technetmag/issues/2008/01/SecurityWatch/default.aspx


“Windows® versions prior to Windows Vista® will, by default, automatically run programs designated in the autorun.inf file on CDs, but not on USB drives. By lying about itself, the U3-enabled USB flash drive fools the OS into autorunning something called the U3 launcher. The U3 launcher, in turn, can start programs, give you a menu, or do pretty much anything that you could do with the computer yourself.”

Use the Burlaps.. I mean BurFlags

I was getting a message indicating I had journal wrap errors.  When I made the registry edit for journal wrap errors, it got me into worse errors.


I had Userenv errors, and dcdiag indicated that it was not a happy camper…


Not good.  What I should have done was the BurFlags edit:


http://support.microsoft.com/kb/290762


Authoritative FRS restore


Use authoritative restores only as a final option, such as in the case of directory collisions.

For example, you may require an authoritative restore if you must recover an FRS replica set where replication has completely stopped and requires a rebuild from scratch.

The following list of requirements must be met before you perform an authoritative FRS restore:

1. The FRS service must be disabled on all downstream partners (direct and transitive) for the reinitialized replica sets before you restart the FRS service when the authoritative restore has been configured to occur.
2. Events 13553 and 13516 have been logged in the FRS event log. These events indicate that the membership to the replica set has been established on the computer that is configured for the authoritative restore.
3. The computer that is configured for the authoritative restore is configured to be authoritative for all the data that you want to replicate to replica set members. This is not the case if you are performing a join on an empty directory. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
266679 (http://support.microsoft.com/kb/266679/) Pre-staging the File Replication service replicated files on SYSVOL and Distributed file system shares for optimal synchronization
4. All other partners in the replica set must be reinitialized with a nonauthoritative restore.
To complete an authoritative restore, stop the FRS service, configure the BurFlags registry key, and then restart the FRS service. To do so:
1. Click Start, and then click Run.
2. In the Open box, type cmd and then press ENTER.
3. In the Command box, type net stop ntfrs.
4. Click Start, and then click Run.
5. In the Open box, type regedit and then press ENTER.
6. Locate the following subkey in the registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
7. In the right pane, double click BurFlags.
8. In the Edit DWORD Value dialog box, type D4 and then click OK.
9. Quit Registry Editor, and then switch to the Command box.
10. In the Command box, type net start ntfrs.
11. Quit the Command box.
When the FRS service is restarted, the following actions occur:
The value for the BurFlags registry key is set back to 0.
An event 13566 is logged to signal that an authoritative restore is started.
Files in the reinitialized FRS replicated directories remain unchanged and become authoritative on direct replication. Additionally, the files become indirect replication partners through transitive replication.
The FRS database is rebuilt based on current file inventory.
When the process is complete, an event 13516 is logged to signal that FRS is operational. If the event is not logged, there is a problem with the FRS configuration.
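The same procedure as a script, added here as an example (it is not from KB 290762 or from the post): it checks the KB’s precondition events, sets BurFlags through the .NET registry API, restarts NtFrs and waits for event 13516. Assumptions: it runs elevated on the DC being reinitialized, PowerShell 2.0 or later, and the FRS event log has its Windows Server 2003 default name “File Replication Service”. D4 is the authoritative value from the KB; D2 is the nonauthoritative value the KB prescribes for every other replica-set member, so the same script serves step 4 of the requirements above.

```powershell
# Added example, not from KB 290762 or the blog post: perform the BurFlags restore
# from PowerShell and check for the FRS events the KB says to expect.
# Assumptions: runs elevated on the DC being reinitialized, PowerShell 2.0+, and the
# FRS log is named "File Replication Service" (the Windows Server 2003 default).
param(
    [ValidateSet('Authoritative', 'NonAuthoritative')]
    [string]$Mode = 'Authoritative',
    [int]$TimeoutMinutes = 15
)

$frsLog = 'File Replication Service'
# The key name really contains a forward slash ("Backup/Restore"); PowerShell's
# registry provider treats "/" as a path separator, so use the .NET API instead.
$subKey = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'
# D4 = authoritative (this copy wins); D2 = nonauthoritative (rebuild from a partner),
# which is what the KB requires on every other member of the replica set.
$burFlags = @{ Authoritative = 0xD4; NonAuthoritative = 0xD2 }[$Mode]

function Get-FrsEvents([int[]]$Ids, [datetime]$Since) {
    @(Get-EventLog -LogName $frsLog |
        Where-Object { $_.Source -eq 'NtFrs' -and $Ids -contains $_.EventID -and $_.TimeGenerated -ge $Since })
}

if ($Mode -eq 'Authoritative') {
    # KB precondition: 13553 and 13516 must already be in the log (membership established).
    if ((Get-FrsEvents -Ids 13553, 13516 -Since ([datetime]::MinValue)).Count -eq 0) {
        throw "No 13553/13516 in '$frsLog' yet; replica set membership not established. Not setting D4."
    }
    Write-Warning 'D4 makes THIS server authoritative. FRS must be stopped on all downstream partners first.'
}

$started = Get-Date
Stop-Service -Name NtFrs -ErrorAction Stop

$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($subKey, $true)
if ($key -eq $null) { throw "Registry key not found: HKLM\$subKey" }
$key.SetValue('BurFlags', $burFlags, [Microsoft.Win32.RegistryValueKind]::DWord)
$key.Close()
Write-Host ('BurFlags set to 0x{0:X} ({1}); starting NtFrs' -f $burFlags, $Mode)

Start-Service -Name NtFrs -ErrorAction Stop

# FRS resets BurFlags to 0 on start, logs 13566 (restore started) and, when done, 13516.
$deadline = (Get-Date).AddMinutes($TimeoutMinutes)
do {
    Start-Sleep -Seconds 30
    $done = Get-FrsEvents -Ids 13516 -Since $started
} until ($done.Count -gt 0 -or (Get-Date) -gt $deadline)

$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($subKey)
Write-Host ('BurFlags after restart: {0} (expected 0)' -f $key.GetValue('BurFlags'))
$key.Close()

if ($done.Count -gt 0) {
    Write-Host ('Event 13516 logged at {0}: SYSVOL initialized.' -f $done[0].TimeGenerated)
    net share | Select-String -Pattern 'SYSVOL'    # the check the 13516 event text itself suggests
} else {
    Write-Warning "No 13516 within $TimeoutMinutes minutes; per the KB that points to an FRS configuration problem."
}
```

Run it once with the default (authoritative) mode on the server that holds the good copy of SYSVOL, and with -Mode NonAuthoritative on each remaining partner after FRS has been stopped there. The precondition check and the warning exist because a D4 on a server whose membership was never established, or while partners are still replicating, is exactly the “final option” misuse the KB warns about.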


Yup ..it sure did…….


Event Type: Information
Event Source: NtFrs
Event Category: None
Event ID: 13516
Date:  12/29/2007
Time:  10:54:28 PM
User:  N/A
Computer: KIKIBITZFINAL
Description:
The File Replication Service is no longer preventing the computer KIKIBITZFINAL from becoming a domain controller. The system volume has been successfully initialized and the Netlogon service has been notified that the system volume is now ready to be shared as SYSVOL.
 
Type “net share” to check for the SYSVOL share.


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


And now when I do DCDiag….


Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.


C:\Documents and Settings\Administrator.KIKIBITZRTM>dcdiag


Domain Controller Diagnosis


Performing initial setup:
   Done gathering initial info.


Doing initial required tests


   Testing server: Default-First-Site-Name\KIKIBITZFINAL
      Starting test: Connectivity
         ……………………. KIKIBITZFINAL passed test Connectivity


Doing primary tests


   Testing server: Default-First-Site-Name\KIKIBITZFINAL
      Starting test: Replications
         ……………………. KIKIBITZFINAL passed test Replications
      Starting test: NCSecDesc
         ……………………. KIKIBITZFINAL passed test NCSecDesc
      Starting test: NetLogons
         ……………………. KIKIBITZFINAL passed test NetLogons
      Starting test: Advertising
         ……………………. KIKIBITZFINAL passed test Advertising
      Starting test: KnowsOfRoleHolders
         ……………………. KIKIBITZFINAL passed test KnowsOfRoleHolders
      Starting test: RidManager
         ……………………. KIKIBITZFINAL passed test RidManager
      Starting test: MachineAccount
         ……………………. KIKIBITZFINAL passed test MachineAccount
      Starting test: Services
            IsmServ Service is stopped on [KIKIBITZFINAL]
         ……………………. KIKIBITZFINAL failed test Services
      Starting test: ObjectsReplicated
         ……………………. KIKIBITZFINAL passed test ObjectsReplicated
      Starting test: frssysvol
         ……………………. KIKIBITZFINAL passed test frssysvol
      Starting test: frsevent
         ……………………. KIKIBITZFINAL passed test frsevent
      Starting test: kccevent
         ……………………. KIKIBITZFINAL passed test kccevent
      Starting test: systemlog
         ……………………. KIKIBITZFINAL passed test systemlog
      Starting test: VerifyReferences
         ……………………. KIKIBITZFINAL passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ……………………. ForestDnsZones passed test CrossRefValidation


      Starting test: CheckSDRefDom
         ……………………. ForestDnsZones passed test CheckSDRefDom


   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ……………………. DomainDnsZones passed test CrossRefValidation


      Starting test: CheckSDRefDom
         ……………………. DomainDnsZones passed test CheckSDRefDom


   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ……………………. Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ……………………. Schema passed test CheckSDRefDom


   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ……………………. Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ……………………. Configuration passed test CheckSDRefDom


   Running partition tests on : Kikibitzrtm
      Starting test: CrossRefValidation
         ……………………. Kikibitzrtm passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ……………………. Kikibitzrtm passed test CheckSDRefDom


   Running enterprise tests on : Kikibitzrtm.local
      Starting test: Intersite
         ……………………. Kikibitzrtm.local passed test Intersite
      Starting test: FsmoCheck
         ……………………. Kikibitzrtm.local passed test FsmoCheck


C:\Documents and Settings\Administrator.KIKIBITZRTM>


A much much happier camper…


P.S.  …what does BurFlags get its name from anyway?  (The key it lives under is named Backup/Restore, so “BUR” is most likely Backup/Restore.)

Installing Exchange 2007 into a SBS 2003 network

Ron was adding an Exchange 2007 server to an SBS 2003 network and was hitting issues.


Alexander came to the rescue with this answer…

I did such an installation myself.

Guess what!! The schema role transfer is not necessary. Apparently the author of that article was having some problems with the schema master and went with a solution that you would only use on a test machine.

The full details are available here:
http://www.exchangeinbox.com/article.aspx?i=85&t=5
http://www.exchangeinbox.com/article.aspx?i=86&t=5

Notes:
1. These articles don’t mention SBS anywhere because the procedure works on both SBS and non-SBS.

2. At the end here you end up with a co-existing Ex2003 and Ex2007. If you want to drop the Ex2003 you will need to do a bit more research on that step.



– Alexander Zammit WinDeveloper Software IMF Tune – Unleash the Full Intelligent Message Filter Power http://www.windeveloper.com/imftune/

About those stale records…

http://msmvps.com/blogs/bradley/archive/2007/12/28/disabling-dns-dynamic-updates.aspx


(and make sure you read Evan’s comment on that post — http://msmvps.com/blogs/bradley/archive/2007/12/28/disabling-dns-dynamic-updates.aspx#1425781


A follow up to this… we were questioning whether we needed to set this box in DHCP… but that setting is only needed for 9x-era workstations.



Then we were checking in DNS if we needed to set any of these boxes to clear out the stale entries



http://support.microsoft.com/kb/816592


SBS does secure dynamic updates


By default, dynamic update security for Windows Server 2003 DNS servers and clients is handled in the following manner:

Windows Server 2003-based DNS clients try to use nonsecure dynamic updates first. If the nonsecure update is refused, clients try to use a secure update.

Also, clients use a default update policy that lets them to try to overwrite a previously registered resource record, unless they are specifically blocked by update security.
By default, after a zone becomes Active Directory-integrated, Windows Server 2003-based DNS servers enable only secure dynamic updates.
By default, when you use standard zone storage, the DNS Server service does not enable dynamic updates on its zones. For zones that are either directory-integrated or use standard file-based storage, you can change the zone to enable all dynamic updates. This enables all updates to be accepted, bypassing the use of secure updates.



So I think the real issue is that as we retire or repurpose old workstations, we’re not removing them in Active Directory like we should.


In server management, when you need to remove an old system, right mouse click and click on Remove Computer from Network.  It’s this action that will remove the system from AD as it should and also from WSUS appropriately.



http://technet2.microsoft.com/windowsserver/en/library/92d228d2-4fe2-40b9-88a7-2a5a2bee85081033.mspx?mfr=true


If you read that you can see that changing the scavenging settings can have its issues.


By default, the aging and scavenging mechanism for the DNS Server service is disabled. It should only be enabled when all parameters are fully understood. Otherwise, the server could be accidentally configured to delete records that should not be deleted. If a record is accidentally deleted, not only will users fail to resolve queries for that record, but any user can create the record and take ownership of it, even on zones configured for secure dynamic update.



 


What is probably a better recommendation is to periodically right mouse click on DNS, and click on Scavenge Stale Resource Records, especially when you are adding a new computer to an existing position (like repurposing a workstation).



For best results, remove the old workstation with the remove computer wizard.


When repurposing a workstation, flip/drop it back to workstation mode and then rerun /connectcomputer if you plan to use connectcomputer to reattach.



Could you set the DNS to do an automatic scavenge?  Brian Desmond says that on our networks, setting that probably won’t cause issues.  But you have to set it in two places, on a per-zone basis and on the DNS server.   I think part of our problem is that we’re not removing the computers properly and that’s what’s getting us into trouble.  I know when I was reminded of that ‘remove computer from network wizard’ I went… “uh… what remove computer wizard?”


So bottom line, that setting in DHCP doesn’t do what we think it does.  And we’re better off clicking on that Scavenge Stale Resource Records every now and then.

Disabling DNS dynamic updates

From the mailbox… 


We have a few inherited SBS 2003 boxes, in addition to ones we have deployed ourselves. On two of the inherited ones, we were having problems with RWW making connections to specific client machines. It turned out that the machines had multiple DNS A records on the SBS box (accumulated over time when they had changed IP for whatever reason) so RWW was having trouble finding the right IP. This was solved by editing the properties on server in the DHCP MMC, and checking “Enable DNS dynamic updates…” on the DNS tab, thus having the client machines update the SBS DNS each time they pulled a lease.

At first I assumed that this was an oversight in the original setup, but as I rolled out a new SBS box last weekend I noticed that by default it didn’t have that box checked either, so that caused me to wonder if I had solved the original problem in a “best practice” manner. So I guess the summary of this question is: Is there a reason why SBS 2003 does not by default “Enable DNS dynamic updates” via DHCP? I assume that the server that DHCP would be updating would be the SBS server, and we’re not talking about external ones (which would have obvious security concerns).

One curious thing I did find while I was googling this was: http://www.sbsireland.com/Forums/tabid/52/forumid/5/postid/93/view/topic/Default.aspx which made it appear that in fact the SBS setup specifically disables this… which really made me wonder if we had done the right thing… Any direction you could point me in would be very helpful!


Just to let Kris know that I’m still trying to get the official reason as to why SBS 2003 has “Enable DNS dynamic updates” unchecked.  Because we don’t have it enabled, you can be like Kris and end up in a situation where the DNS/A records are pointing to the wrong or non existent box.


I think it’s okay to enable that, but I’m checking and will let you know for certain.  The way to test for this is to ping the workstation by IP and name and see if it responds to the right IP address that it’s supposed to.  If not flush out the offending stale DNS/A workstation (just go into DNS and delete the workstation) and it will repopulate with the right one.


I think it will be okay to change this setting…but I’ll update this post when I know for certain.  I’m seeing this issue more and more as we get crustier and move around workstations.  Look in your DNS and see if there are workstation/A records that are old and just don’t belong anymore.


Disabling DNS dynamic updates

By disabling the Domain Name System (DNS) dynamic updates function, the responsibility of managing the DNS server is returned to the administrator. Disabling DNS dynamic updates might be suitable for networks where hosts rarely change locations, where growth and change are infrequent, and when stricter DNS server administration is required
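An audit script for the situation described in both of the DNS posts above (Kris’s duplicate A records breaking RWW, and the stale records left behind when workstations are retired without the Remove Computer wizard), added here as an example that is not from the posts. It reports only; it does not turn on automatic scavenging, which the TechNet text above warns about. It assumes PowerShell 2.0 or later running on the SBS/DNS server itself (the root\MicrosoftDNS WMI namespace is local), that the zone to audit is the logon domain’s zone, and that a record older than the zone’s NoRefresh plus Refresh interval is the right definition of “stale” (that is the window the DNS server itself uses for scavenging). Domain and host names come from the environment at run time; none are taken from this page.

```powershell
# Added example, not from the blog posts: audit the SBS DNS zone for stale and duplicate
# A records, reporting only. It does not enable scavenging.
# Assumptions: runs on the SBS/DNS server (root\MicrosoftDNS is local), PowerShell 2.0+,
# and the zone to audit is the logon domain's zone.
param([string]$Zone = $env:USERDNSDOMAIN.ToLower())

$ns = 'root\MicrosoftDNS'

# 1. The two places aging/scavenging is configured: the server and each zone.
$srv  = Get-WmiObject -Namespace $ns -Class MicrosoftDNS_Server
$zone = Get-WmiObject -Namespace $ns -Class MicrosoftDNS_Zone -Filter "ContainerName='$Zone'"
if (-not $zone) { throw "Zone '$Zone' not found on this DNS server." }
'Server ScavengingInterval: {0}h (0 = automatic scavenging off)' -f $srv.ScavengingInterval
'Zone {0}: Aging={1} NoRefresh={2}h Refresh={3}h AllowUpdate={4} (2 = secure only)' -f `
    $zone.ContainerName, $zone.Aging, $zone.NoRefreshInterval, $zone.RefreshInterval, $zone.AllowUpdate
$staleAfter = $zone.NoRefreshInterval + $zone.RefreshInterval   # hours before a record is scavengeable

# 2. Computer objects that actually exist in AD, keyed by dNSHostName.
$searcher = New-Object System.DirectoryServices.DirectorySearcher('(objectCategory=computer)')
$searcher.PropertiesToLoad.Add('dNSHostName') | Out-Null
$adHosts = @{}
foreach ($r in $searcher.FindAll()) {
    $v = $r.Properties['dnshostname']
    if ($v.Count -gt 0) { $adHosts[([string]$v[0]).ToLower()] = $true }
}

# 3. A records grouped by name. Timestamp is hours since 1601-01-01 UTC; 0 = static record.
$epoch  = New-Object DateTime 1601, 1, 1, 0, 0, 0, ([DateTimeKind]::Utc)
$byName = @{}
Get-WmiObject -Namespace $ns -Class MicrosoftDNS_AType -Filter "ContainerName='$Zone'" |
    Where-Object { $_.OwnerName -ne $Zone } |    # skip the zone apex ("same as parent") records
    ForEach-Object {
        $n = $_.OwnerName.ToLower()
        if (-not $byName.ContainsKey($n)) { $byName[$n] = @() }
        $byName[$n] += $_
    }

# 4. Flag what the posts describe: duplicates (RWW picks the wrong IP), dynamic records
#    past the scavenging age, names with no AD computer object, and IPs that no longer answer.
$report = foreach ($name in ($byName.Keys | Sort-Object)) {
    $set = $byName[$name]
    foreach ($rec in $set) {
        $flags = @()
        if ($set.Count -gt 1) { $flags += 'DUPLICATE-A' }
        if ($rec.Timestamp -ne 0) {
            $ageHours = ((Get-Date).ToUniversalTime() - $epoch.AddHours($rec.Timestamp)).TotalHours
            if ($ageHours -gt $staleAfter) { $flags += ('STALE({0:N0}h)' -f $ageHours) }
        }
        if (-not $adHosts.ContainsKey($name)) { $flags += 'NO-AD-COMPUTER' }
        # Same test as the post: does the recorded IP still answer a ping?
        $ping = Get-WmiObject -Class Win32_PingStatus -Filter "Address='$($rec.IPAddress)'"
        if ($ping.StatusCode -ne 0) { $flags += 'IP-NOT-RESPONDING' }
        New-Object PSObject -Property @{ Name = $name; IP = $rec.IPAddress; Flags = ($flags -join ' ') }
    }
}
$report | Where-Object { $_.Flags -ne '' } | Select-Object Name, IP, Flags | Format-Table -AutoSize
```

A name that shows DUPLICATE-A with one IP-NOT-RESPONDING entry is the RWW case: delete the dead record and let the workstation re-register. A name flagged NO-AD-COMPUTER is a machine that was retired or repurposed without the Remove Computer wizard; deleting the record by hand, or running Scavenge Stale Resource Records after the AD object is gone, is the cleanup the post recommends. Static records (Timestamp 0) are never reported as stale because scavenging never touches them either.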

Digital Certificates: Do They Work?

http://www.codinghorror.com/blog/archives/001024.html


Jeff has a great blog post about the issue I see with security certificate notifications… we ignore the warnings and don’t understand them.


My favorite cert issue was the one I spotted on my trade association web site for the login page…. or rather the password reminder page.


The page gives an error with the usual red IE7 “don’t go here”.  Well I went there and then was nosy to see what the certificate error was.  I was expecting a broken certificate chain, a wild card or different domain or something.


Nope.  Someone forgot to renew something.



And I’ll bet no one is in the office this week to remember to renew it.
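A check that covers this post and the ISA rule post earlier on this page, added here as an example that is not from either post: it opens a TLS connection to a host and port, reports whether the connection got through at all (which is what the IMAPS access rule controls), and reads back the certificate’s expiry and validation result even when validation fails, so an expired certificate like this one is reported with a negative day count instead of just an exception. It assumes PowerShell 2.0 or later (for try/catch and scriptblock-to-delegate conversion). imap.gmail.com:993 is the IMAPS endpoint the ISA rule is for; www.example.com is a placeholder for the trade-association site, which this page does not name.

```powershell
# Added example, not from either blog post: connect with TLS to host:port and report whether
# the connection got through and what the certificate says. Assumptions: PowerShell 2.0+;
# www.example.com stands in for the trade-association site, which the page does not name.

function Test-TlsEndpoint {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [int]$Port = 443,
        [int]$WarnDays = 30
    )
    $result = New-Object PSObject -Property @{
        Endpoint = "${HostName}:$Port"; Connected = $false; Subject = $null; NotAfter = $null
        DaysLeft = $null; Expiring = $false; PolicyErrors = $null; Error = $null
    }
    $script:capturedCert = $null; $script:capturedErrors = $null
    # Record the validation outcome but return $true so the handshake completes and an
    # expired or mismatched certificate can still be read back instead of just throwing.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $errors)
        $script:capturedCert = $cert; $script:capturedErrors = $errors; $true
    }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # With no ISA access rule for the protocol, this is where the failure shows up.
        $client.Connect($HostName, $Port)
        $result.Connected = $true
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($script:capturedCert)
        $result.Subject      = $cert.Subject
        $result.NotAfter     = $cert.NotAfter
        $result.DaysLeft     = [int]($cert.NotAfter - (Get-Date)).TotalDays
        $result.Expiring     = $result.DaysLeft -lt $WarnDays      # negative = already expired
        $result.PolicyErrors = [string]$script:capturedErrors      # e.g. RemoteCertificateChainErrors
        $ssl.Close()
    } catch {
        $result.Error = $_.Exception.Message
    } finally {
        $client.Close()
    }
    $result
}

# The IMAPS endpoint the ISA rule opens, and an HTTPS site to watch for renewal.
'imap.gmail.com:993', 'www.example.com:443' | ForEach-Object {
    $h, $p = $_ -split ':'
    Test-TlsEndpoint -HostName $h -Port ([int]$p)
} | Select-Object Endpoint, Connected, DaysLeft, Expiring, PolicyErrors, Error | Format-List
```

Two things to read in the output. Connected = False with a connect error on port 993 from a workstation behind ISA means the access rule is missing or not applied; Connected = True with PolicyErrors = RemoteCertificateChainErrors and a negative DaysLeft is the “someone forgot to renew” case. Because the callback accepts everything, this function is a reporting tool only; never reuse that callback in code that actually moves data.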


 

What’s the lifecycle?

Just for grins I wanted to see the support lifecycles on various platforms. 


NOVELL: Support Lifecycle:
http://support.novell.com/lifecycle/
Novell will provide a minimum of five years General Support for platform and operating system products, including its revisions, starting with the date of a product’s general availability. When General Support ends, Novell will offer extended support for a minimum of two years


redhat.com | RHEL Errata Support Policy:
http://www.redhat.com/security/updates/errata/
For a period of 7 years from initial release (General Availability), Red Hat will provide errata maintenance for Red Hat Enterprise Linux. To facilitate the rapid adoption of new enterprise hardware and software yet retain the high standard of stability inherent in the Red Hat’s enterprise products, the 7 years is divided into three phases of maintenance.


Microsoft Support Lifecycle:
http://support.microsoft.com/lifecycle/?p1=3223

Bottom line 13 years.

What’s fascinating is that for documents, we normally only have to keep financial documents for 7 years.

Still looking for Apple’s support lifecycle page by the way. http://www.apple.com/search/support/?q=lifecycle http://www.apple.com/search/support/?q=life+cycle If anyone has a link I can put it up on this page as well.