Monthly Archives: May 2008


SQL injection information from Harry’s blog

While the default apps on SBS 2003 (and the upcoming SBS 2008) go through an SDL process, so I’m not concerned about SQL injection possibilities on my SBS box (nor do I have SharePoint exposed anyway), when you have third-party and home-grown apps you really don’t know what the coder did.


Review these and forward them on to your local dev guy to make sure they are aware of the problem. 


http://msmvps.com/blogs/harrywaldron/archive/2008/05/31/microsoft-best-practices-for-preventing-sql-injection-attacks.aspx


Microsoft has recently published a series of best practices to help developers build SQL code that is not susceptible to SQL injection attacks.


SQL injection attacks occur in applications that are poorly programmed. They are not a result of failures in the database or supporting products. When applications do not properly filter and control input data, there is a chance inputs can be manipulated, so that dangerous redirecting scripts may end up on the website.


Once a web site is infected, the newly embedded script will then direct users to another dangerous website, that can automatically download malware on the user’s PC. While these attacks have been around for years, malware authors are now using newly automated approaches to find susceptible servers automatically and infect thousands of websites in a single day.


IT developers have an inherent responsibility to protect the privacy and integrity of customer information. These articles are “must reads” for any IT developer, for greater assurances in building secure applications.


Microsoft Best Practices for preventing SQL Injection Attacks

Microsoft Security Vulnerability Research & Defense Blog – SQL Injection Attack
http://blogs.technet.com/swi/archive/2008/05/29/sql-injection-attack.aspx  
 
Nazim’s IIS Security Blog – Filtering SQL injection from Classic ASP
http://blogs.iis.net/nazim/archive/2008/04/28/filtering-sql-injection-from-classic-asp.aspx 
 
Neil Carpenter’s Blog – SQL Injection Mitigation: Using Parameterized Queries
http://blogs.technet.com/neilcar/archive/2008/05/21/sql-injection-mitigation-using-parameterized-queries.aspx 
http://blogs.technet.com/neilcar/archive/2008/05/23/sql-injection-mitigation-using-parameterized-queries-part-2-types-and-recordsets.aspx 
 
Michael Howard’s Blog – Giving SQL Injection the Respect it Deserves
http://blogs.msdn.com/sdl/archive/2008/05/15/giving-sql-injection-the-respect-it-deserves.aspx 
 
MSDN Article – Preventing SQL Injections in ASP
http://msdn.microsoft.com/en-us/library/cc676512.aspx 
 
Anti-Malware Engineering Team – When SQL Injections Go Awry, Incident Case Study
http://blogs.technet.com/antimalware/archive/2008/05/30/when-sql-injections-go-awry-incident-case-study.aspx 
 
A more general overview of SQL Injection attacks can also be found here:
 
What are SQL Injection Attacks?
http://en.wikipedia.org/wiki/Sql_injection
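As an added illustration of the mitigation those articles recommend (parameterized queries), here is a small self-contained Python example; it is not code from Harry’s post or from any of the Microsoft articles linked above. It builds a constructed in-memory SQLite table with made-up product names, runs the same lookup two ways (string concatenation versus a bound parameter), and shows what each does with an injected value and with a legitimate value containing an apostrophe. The `is_plausible_name` allow-list check is an added defence-in-depth filter of my own, not a replacement for parameterization.

```python
import re
import sqlite3

# Constructed sample data for the demo; not taken from any real site.
SAMPLE_ROWS = [
    (1, "widget", "A small widget"),
    (2, "gadget", "A useful gadget"),
    (3, "gizmo", "An internal-only gizmo"),
    (4, "o'reilly", "A name with a legitimate apostrophe"),
]

# Defence in depth: an allow-list on length and character set, applied before the query.
# It does NOT make concatenation safe; the apostrophe is allowed because real names have them.
NAME_RE = re.compile(r"^[a-z0-9' _-]{1,40}$")


def is_plausible_name(name):
    """Reject obviously out-of-shape input early (length and charset allow-list)."""
    return bool(NAME_RE.match(name))


def make_db():
    """Create the in-memory table the demo queries run against."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, description TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def find_by_name_unsafe(conn, name):
    """The classic mistake: user input is pasted into the SQL text and parsed as SQL."""
    sql = "SELECT id, name FROM products WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_by_name_safe(conn, name):
    """Parameterized query: the value travels separately and is never parsed as SQL."""
    return conn.execute("SELECT id, name FROM products WHERE name = ?", (name,)).fetchall()


def run_demo():
    """Run both lookups on a normal value, an injected value, and a value with an apostrophe."""
    conn = make_db()
    results = {}

    # 1. Ordinary input: both versions return the single matching row.
    results["normal_unsafe"] = find_by_name_unsafe(conn, "widget")
    results["normal_safe"] = find_by_name_safe(conn, "widget")

    # 2. Injected input: the concatenated query's WHERE clause is rewritten and every row leaks;
    #    the parameterized query looks for a product literally named "' OR '1'='1" and finds none.
    injected = "' OR '1'='1"
    results["injected_unsafe_rows"] = len(find_by_name_unsafe(conn, injected))
    results["injected_safe_rows"] = len(find_by_name_safe(conn, injected))

    # 3. Legitimate apostrophe: concatenation produces malformed SQL and the query fails outright
    #    (a common source of "mysterious" 500 errors), while the bound parameter just works.
    try:
        find_by_name_unsafe(conn, "o'reilly")
        results["apostrophe_unsafe_error"] = False
    except sqlite3.OperationalError:
        results["apostrophe_unsafe_error"] = True
    results["apostrophe_safe"] = find_by_name_safe(conn, "o'reilly")

    # 4. The allow-list filter catches the injected string on its own, but only because of the
    #    '=' character; a filter is a second line of defence, never the first.
    results["filter_rejects_injection"] = not is_plausible_name(injected)
    results["filter_accepts_apostrophe"] = is_plausible_name("o'reilly")
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The same pattern applies to classic ASP and ADO (`ADODB.Command` with `Parameters.Append`) and to ADO.NET (`SqlCommand.Parameters.AddWithValue`): the fix is to stop building SQL text out of request data, and the apostrophe case shows that a correctly parameterized query is more robust on legitimate input as well, not just on hostile input.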

The Carpet Bomb threat… or?

Microsoft released an advisory which I think is referring to the Safari “carpet bomb” threat.


http://www.microsoft.com/technet/security/advisory/953818.mspx


See


http://blogs.zdnet.com/security/?p=1212


and


http://www.oreillynet.com/onlamp/blog/2008/05/safari_carpet_bomb.html and


http://blogs.zdnet.com/Apple/?p=1424

Patching Flash – Brian’s excellent point

http://smbthoughts.com/2008/05/29/additional-adobe-flash-resources/


If you are an MSP and you use a patching tool to deploy Flash, have you signed up for the right to redistribute Flash?


Brian makes an excellent point that you need to sign up for the right to do so.

The buzz on servers

The other day someone said that the business value they saw in SBS 2008 wasn’t that Exchange was bigger (it is), wasn’t that SQL is on a separate box in premium, wasn’t that if everything comes to pass with software assurance promises, that will be one killer deal; it was that the file replication/branch office stuff/multiple servers/Win2k8-ness underneath the SBS box was the killer deal.


He said that underneath the SBS console was the Win2k8 server management console and that he could see a lot of potential.


There is always the struggle for the folks that don’t want to trust the wizards to those that do.  For all those folks checking out the sbs 2008 RC0, remember that every time you run a wizard, it lays down a log file.  I dare you to find it and look at all the steps that wizard does.


I’ll be blogging about some of my favs, but this weekend I’m off on a train to San Francisco to visit with some gal pals (and no we’re not planning to go see Sex in the City or anything), so blogging will be light.

So what exactly is twitter anyway?

http://twitter.com/susanbradley (cough) someone isn’t keeping up on the fake Susan Bradley twittering.


So what information gets out the door of your organization through social sites? Do you google on your firm name? Have a Google news alert? What about www.tweetscan.com?


http://www.tweetscan.com/index.php?s=sbs+2008&u=&d=


Yup people even tweet about downloading SBS 2008…


Someone was asking what Twitter is and I said Twitter is a micro-blogging site where you post little snippets of what you are doing to the site.


People either get it, or they don’t.

4 gigs is truly the minimum

Windows Small Business Server 2008 RC0 – First Impressions » Lukas Beeler’s IT Blog » Blog Archive:
http://projectdream.org/wordpress/2008/05/30/windows-small-business-server-2008-rc0-first-impressions/


Lukas FYI… when they say 4 gig minimum…they mean 4 gig minimum. IMHO 4 gig is the old 512 memory.. you’ll want more than 4 gig.


And regarding UAC … on a server Amy will say leave it on, I say I won’t freak if you adjust the setting to silently elevate but DO NOT disable UAC.  Leave it on, but let it silently elevate.


P.S. POP is still there… it’s even better now (sigh it will retrieve every 5 minutes) but the wizard does try to push you to a port 25 setup for sure.

The beta process

The WSSG Community Lead Blog : Thoughts on Sean’s post on Community Strategy; Are you Company-Centric or Customer-Centric?:
http://blogs.technet.com/kevin_beares/archive/2008/05/19/thoughts-on-sean-s-post-on-cummunity-strategy-are-you-company-centric-or-customer-centric.aspx


Some bugs you win, some you lose.


One that is in RC0 thanks to the folks on the activedir listserve that inspired it is the registry key value of DSRMAdminLogonBehavior.  You can read more about it here:


Windows Server 2008 Restartable AD DS Step-by-Step Guide:
http://technet2.microsoft.com/windowsserver2008/en/library/caa05f49-210f-4f4c-b33f-c8ad50a687101033.mspx


At the end of the day everyone who is a beta tester has to remember and understand that Microsoft makes the final decisions.  And sometimes, it’s not the developers, nor the support folks but higher up in the food chain that makes the final call.  And it sure isn’t anyone that folks call “the MVPs” making final decisions.


Sometimes things get cut.  Take SCE.  I still say if I were in charge of the Universe that I would include SCE as a bonus in SBS 2008 premium and not be preconfigured.  Or perhaps hook it to var/vap/ Open License sales or something.  But to talk about SCE for two years after TechEd 2005, granted even though when it was first on the box I was freaking out as it was sucking down about 2 to 3 gigs when it was idling.  But I still don’t think that it should have been talked about for so long and then removed completely.  I still think that SCE’s developers should be locked in a room with nothing but Mountain Dew and forced to code on a 2 gig server or something, but that’s just my wacko opinion.


But at the end of the day you bug some, you win some, you don’t win others.  Life goes on.


It’s just code.  Life is too short to take it personal.

About that cloud….

Some online backup services insecure – heise online UK:
http://www.heise-online.co.uk/news/Some-online-backup-services-insecure–/110771


Does the cloud have maintenance windows that match your needs for maintenance?


Read that.  The Cloud has issues.  Be aware of that.

Cute Crall… real cute…

SBSC & MSP Buzz » Blog Archive » Hi Hilton!:
http://sbsc.techcareteam.com/archives/230


…to Mark Crall…the photo in question for you to obtain in Houston at the WWPC is you and Hilton from Australia…not Paris Hilton….


Nice try dude.

Patch your Flash

Adobe Product Security Incident Response Team (PSIRT): Potential Flash Player issue – update:
http://blogs.adobe.com/psirt/2008/05/potential_flash_player_issue_u_1.html


UPDATE: We’ve just gotten confirmation from Symantec that all versions of Flash Player 9.0.124.0 are not vulnerable to these exploits. Again, we strongly encourage everyone to download and install the latest Flash Player update, 9.0.124.0. To verify the Adobe Flash Player version number, access the About Flash Player page, or right-click on Flash content and select “About Adobe (or Macromedia) Flash Player” from the menu. Customers using multiple browsers are advised to perform the check for each browser installed on their system and update if necessary.


(If you need Kaseya advice, go to the K forums or check out http://tech.groups.yahoo.com/group/SMBManagedServices/message/19999)