Monthly Archives: May 2009


One person’s bsod does not mean that all of us will get bsod’s

While I’m a person who recommends that you don’t have to be first to install a service pack, lately I’ve seen a little bit of a disturbing trend where someone will get a bad install or a BSOD and they will roll back to the pre-service-pack state without doing more investigation.


First, some rules when it comes to the worst-case scenario of a BSOD.  That to me is not necessarily the worst thing that can happen to your system.  Worst case is that the system doesn’t boot and provides no clues at all.  A BSOD with a dump file left on the box means that you can debug what freaked out the system.  A BSOD on one system doesn’t mean that you’ll get a BSOD on another system.


http://blogs.technet.com/petergal/archive/2006/03/23/422993.aspx


BSODs are caused by a third-party driver 99.999999999% of the time.  Firing up the debugger and running it more often than not will point you in the right direction of what needs to be tracked down.


Do take a backup.


Do plan.


Do treat a service pack as a time to also update the BIOS on the server and the NIC drivers, and in general look over the other “stuff” on a server that may need updating.


Don’t willy nilly install it without planning.  But one person’s story of a bad or failed install may not be indicative of the experience you have.  Not all servers are alike.  Not all systems have the same drivers.


So a story about one person’s incident may not be a sign of across-the-board issues.

Notes from the Seattle SBS build day

Listening to the gang in Seattle at the SBS build day and found an “I didn’t know that” tidbit in Tyler’s slide deck:


If you use Group Policy Preferences to map drives AND the Vista workstations are still local admins, the mapped drives won’t ‘take’ unless you put in this registry key.  This key, aka EnableLinkedConnections (which Chad has blogged about as well), will only impact you when your Vista workstations are local admins.

Create the EnableLinkedConnections DWORD registry value:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = 1
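
One way to apply the key above from an elevated PowerShell prompt, as an added example that is not from the original post or from Tyler's slide deck. It assumes it runs locally on the Vista workstation; the variable names are illustrative.

```powershell
# Added example: idempotently set EnableLinkedConnections on a workstation.
# Background: with UAC on, a local admin gets a filtered token and an elevated
# token, and drive mappings made under one are not visible to the other.
# EnableLinkedConnections = 1 links the two sessions so the mappings are shared.
$path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$name = 'EnableLinkedConnections'

# Writing under HKLM needs the elevated token, not the filtered one.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
if (-not $principal.IsInRole($adminRole)) {
    throw 'Run this from an elevated PowerShell prompt.'
}

# If UAC (EnableLUA) is off there is no split token, so the key changes nothing.
$uac = (Get-ItemProperty -Path $path -Name 'EnableLUA' -ErrorAction SilentlyContinue).EnableLUA
if ($uac -eq 0) {
    Write-Output 'UAC is disabled on this machine; EnableLinkedConnections has no effect here.'
}

# Read the current value; it is $null when the value has never been created.
$current = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name

if ($current -eq 1) {
    Write-Output "$name is already 1; nothing to do."
} else {
    # -Force overwrites an existing value of the wrong data or type.
    New-ItemProperty -Path $path -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Output "$name set to 1 (was: '$current'). Restart the computer for it to take effect."
}
```

Because the value makes mappings created by the filtered session available to the elevated one, record it alongside the decision to leave users as local admins and remove it when they no longer are.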


Drive Mapping via Group Policy Preferences not working for Vista clients – Aimless Ramblings from a Blithering Lunatic . . .:
http://msmvps.com/blogs/cgross/archive/2009/03/25/drive-mapping-via-group-policy-preferences-not-working-for-vista-clients.aspx


Some other key takeaways that I talked about:


Tattoo this blog post to your forehead:
The Official SBS Blog : SBS 2008 Migrations from SBS 2003 – Keys to Success:
http://blogs.technet.com/sbs/archive/2009/02/19/sbs-2008-migrations-from-sbs-2003-keys-to-success.aspx


Don’t install a patch that needs WGA UNTIL you’ve put the proper key in the box:
MPECS Inc. Blog: Ack! SBS 2008 Not Genuine!:
http://blog.mpecsinc.ca/2009/05/ack-sbs-2008-not-genuine.html

Philip’s Checklist:
MPECS Inc. Blog: SBS 2008 Setup Checklist V1.2.0:
http://blog.mpecsinc.ca/2009/05/sbs-2008-setup-checklist-v111.html

This is not fixed in Win2k3 SP2:
The Official SBS Blog : Cannot resolve names in certain top level domains like .co.uk.:
http://blogs.technet.com/sbs/archive/2009/01/29/cannot-resolve-names-in-certain-top-level-domains-like-co-uk.aspx

This is included in Win2k8 SP2, so if you install SP2 you’ll get this needed fix:
New AFD connections fail when software that uses TDI drivers is installed on a Windows Server 2008 or Windows Vista SP1 system that is running on a computer that has multiple processors:
http://support.microsoft.com/default.aspx?scid=kb;en-us;961775


 

Does OpenDNS impact surfing speed?

http://msmvps.com/blogs/bradley/archive/2009/05/29/so-what-do-i-block.aspx


So I was asked if the use of OpenDNS makes a noticeable slowdown in surfing.  Not that I’ve seen.  And actually I think it speeds it up.  Like I said, I do have little weird page issues only because I choose to block doubleclick.net, but that’s my choice.  (For example, the final checkout page at Amazon has ads that are blocked by OpenDNS, so as you ‘exit’ the store it will warn you that some content is not SSL protected.  Since I’m exiting the store anyway, it makes no impact to the security of the transaction.)


Impact on surfing?  None that I can see.


Ability to instantly block bad sites across all networks?  Including my Dad’s?  Priceless.

Server Fault: Calling All Lusers

Coding Horror: Server Fault: Calling All Lusers:
http://www.codinghorror.com/blog/archives/001269.html


I’m sad to say….


a. No


b. Yes


c.  Yes


d.  Yes


e.  Yes and I look for the new ones each year


And unasked question f.  Did you already go to ServerFault and see if there were SBS questions and how well they were being answered?


Guilty as charged.


New forum from the StackOverflow gang.  Check it out.

So what do I block

After this morning’s presentation on “Stupid users and Attackers” I’ve been asked what categories and sites I block using OpenDNS.  One nice thing about OpenDNS is that I can manage several networks just from one console.  So the sites I block on one network can be different from another.


For example at the office I found that I had to reopen the “proxy-anonymizer” as there was a site we used (I forget now which one) that was being blocked. I also have uploaded a custom logo so that when people know they’ve been blocked, they know we mean it to be blocked.


But you may need to play around with the settings and, instead of using the High level, choose custom settings based on the needs of the firms.



I’ve also added some specific URLs and blocked domains that I feel don’t add anything but risk.  This is where my choice to block doubleclick comes in. Does it slightly make Amazon.com give off a weird message when you check out?  Yes it does, but if you tell people what to expect, it’s not an issue.



And if the top things blocked are stuff like this?  I don’t think it needs to be in my networks in the first place.


Group policy Defaults for SBS 2008


Links to detailed pages that show the group policy settings




Under Domain Controllers
Default Domain Controllers Policy


Under MyBusinessOU, Computers, SBSComputers



Under MyBusinessOU, Users, SBSUsers
Small Business Server Folder Redirection Policy


An entire zip file of the raw (as in no wizards run) Group policy settings of a freshly built SBS 2008 box if you need to do any comparisons for any reason is located here: http://msmvps.com/media/p/1693429.aspx

Get your UAC Defense in Depth Slider shirts here!


If you want to make your own Windows 7 Tshirt – you can download the images from here:
http://cid-c756c44362cd94ad.skydrive.live.com/browse.aspx/Windows%207?uc=2  They are in various image types and sizes for your use.

You can print out the images (some of them are large for good resolution) and then print them with a color printer on iron on transfer paper –examples include the products below:
http://www.avery.com/avery/en_us/Products/Crafts-%26-Scrapbooking/Fabric-Transfers/T_Shirt-Transfer_08938.htm
http://desktoppub.about.com/od/transfers/a/IronOnTransfers.htm
http://www.proworldinc.com/
http://www.mcgpaper.com/tshirt1.html


If you want to get a more “professional” image of the UAC pull up your Defense in Depth Slider – I’ve uploaded the image to CafePress.com so that you can buy shirts from them:
http://www.cafepress.com/windows7


Remember to bring your UAC slider bar all the way to the top



That’s what the shirt is all about.  Zip your slider up for best protection!

So what’s the real default policies?

http://msmvps.com/blogs/bradley/archive/2009/05/28/so-what-s-the-default-group-policies-for-sbs-2008.aspx


Ignore that post.  I forgot and picked the server that was in the middle of migrating from SBS 2003 to SBS 2008 and it has 2k3 leftovers still in it.


Stay tuned for the RIGHT default policies on a clean box (formatted nicer as well)

So what’s the default group policies for SBS 2008?

Ignore this post.  I picked the SBS 2008 box that was in the middle of the migration from SBS 2003 to SBS 2008.

I’ll redo this post (and format them a better way) and post up the default Group policy settings.

Starting off with the first policy – Default Domain Policy

Default Domain Policy
Data collected on: 5/28/2009 3:12:20 PM

General

Details
Domain | smallbusiness.local
Owner | SMALLBUSINESS\Domain Admins
Created | 5/24/2009 10:01:50 PM
Modified | 5/25/2009 8:48:04 PM
User Revisions | 1 (AD), 1 (sysvol)
Computer Revisions | 7 (AD), 7 (sysvol)
Unique ID | {31B2F340-016D-11D2-945F-00C04FB984F9}
GPO Status | Enabled

Links
Location | Enforced | Link Status | Path
smallbusiness | No | Enabled | smallbusiness.local

This list only includes links in the domain of the GPO.

Security Filtering
The settings in this GPO can only apply to the following groups, users, and computers:
Name
NT AUTHORITY\Authenticated Users

WMI Filtering
WMI Filter Name | None
Description | Not applicable

Delegation
These groups and users have the specified permission for this GPO:
Name | Allowed Permissions | Inherited
NT AUTHORITY\Authenticated Users | Read (from Security Filtering) | No
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS | Read | No
NT AUTHORITY\SYSTEM | Edit settings, delete, modify security | No
SMALLBUSINESS\Domain Admins | Edit settings, delete, modify security | No
SMALLBUSINESS\Enterprise Admins | Edit settings, delete, modify security | No



Computer Configuration (Enabled)

Policies
Windows Settings
Security Settings

Account Policies/Password Policy
Policy | Setting
Enforce password history | 24 passwords remembered
Maximum password age | 0 days
Minimum password age | 0 days
Minimum password length | 0 characters
Password must meet complexity requirements | Disabled
Store passwords using reversible encryption | Disabled

Account Policies/Account Lockout Policy
Policy | Setting
Account lockout duration | 10 minutes
Account lockout threshold | 50 invalid logon attempts
Reset account lockout counter after | 10 minutes

Account Policies/Kerberos Policy
Policy | Setting
Enforce user logon restrictions | Enabled
Maximum lifetime for service ticket | 600 minutes
Maximum lifetime for user ticket | 10 hours
Maximum lifetime for user ticket renewal | 7 days
Maximum tolerance for computer clock synchronization | 5 minutes

Local Policies/Security Options

Network Security
Policy | Setting
Network security: Force logoff when logon hours expire | Disabled

Public Key Policies/Encrypting File System

Certificates
Issued To | Issued By | Expiration Date | Intended Purposes
Administrator | Administrator | 5/23/2012 10:05:09 PM | File Recovery

For additional information about individual settings, launch Group Policy Object Editor.

Public Key Policies/Trusted Root Certification Authorities

Properties
Policy | Setting
Allow users to select new root certification authorities (CAs) to trust | Enabled
Client computers can trust the following certificate stores | Third-Party Root Certification Authorities and Enterprise Root Certification Authorities
To perform certificate-based authentication of users and computers, CAs must meet the following criteria | Registered in Active Directory only

User Configuration (Enabled)

Policies
Windows Settings
Remote Installation Services

Client Installation Wizard options
Policy | Setting
Custom Setup | Disabled
Restart Setup | Disabled
Tools | Disabled

Webcast on risk and threats tomorrow

Tomorrow I’ll be doing a presentation that while it has SBS 2008 in the title, isn’t just about SBS.  It’s really about Risk assessment.


If you attend I’ll be giving away to one lucky random attendee, a copy of Mark Minasi’s Securing your Windows Systems CDrom – http://www.minasi.com/seccd/


Who knows, I may throw in a bonus Windows 7 tshirt to a lucky viewer!


Which is the bigger threat to a small firm? External attackers or Stupid Users? Perhaps both? Join Susan Bradley, Patch Watch author for Brian Livingston’s Windows Secrets, as she guides you through the resources and tools she uses to secure and protect a small firm from both kinds of attackers. Along the way she’ll point out the security features of SBS 2008 and resources for keeping both the server and users safe and secure on the Internet Highway.


https://training.partner.microsoft.com/plc/details.aspx?publisher=12&delivery=259640


How many of you have found rogue antivirus programs on workstations?


How many of you have found enough IE toolbars to sink a ship on a workstation?


Is Google a risk to use as a search engine?


How many of you get calls from clients that have to deal with users going to Twitter and Facebook, and have you considered what impact these social sites have on the security and privacy of the employees of the network?


What proactive steps are you doing to ensure that you are balancing the needs of the business with the needs to secure the business?


Do you need to worry about Zero Day attacks?


What’s the best way to secure a Windows XP machine?


Do Cloud offerings help or do they bring risks as well?


All of this and more will be answered on 5/29/09 at 9:00 AM Pacific.  Sign up here:  https://training.partner.microsoft.com/plc/details.aspx?publisher=12&delivery=259640