Monthly Archives: July 2009


Patchers Demand Security Updates Only

Spread the word. Put a campaign banner on your blog site to showcase that you too are sick and tired of the prechecking of software installers that are included in security updates.


Put this code below into your blog site (in Community Server it’s in the News section) to showcase that you have had it with vendors that are sneaking software onto consumer machines in the guise of security updates.


=====start here=====
<a href="http://www.bleepingcomputer.com/blogs/mowgreen/index.php?showentry=1564"><img src="http://imk3xq.bay.livefilestore.com/y1p1UoWJx5pbfw0Eua0Ybyw20g4Nb3NSaNwtb57Dy3ITBVUguIg513j_SoQHAjUuLg0RuhDZVbD8AMTDiUbDfNb92wldtgJuOGU/banthechecksmall.PNG" alt="[Security updates should only offer Security updates]" title="Let's get vendors to stop offering toolbars and extra software with Security Updates" border="0" /></a><br /><br />
=====stop here=====


It will resolve into that red banned check logo you now see on the left side of the blog and point to Steve Wechsler’s campaign to stop vendors from doing this.


 As Bill Sanderson said it best (inspired by Steve Wechsler) …. “It’s time for security folks to come to a united front on this issue–Microsoft is guilty as well, with their toolbar installs pre-checked on certain Java updates.

In addition to an update process which is technically secure–(I think the community is pretty clear on this)–the process needs to be one consumers can trust–and that trust is violated when non-security related updates or add-ons are offered as part of what is fundamentally a security update process.

Microsoft’s own update process does this well.  We need to convince the competition that they don’t need that crutch to get their product out there.”
 


Ban the Check


Dear Mr. Jobs,


Glad you are feeling better and back to work.  Thanks for rushing out the iPhone patch for the Blackhat issue that was just announced this week.  http://support.apple.com/kb/HT1222 Kudos for getting a patch out that fast.  Bet ol’ Ballmer couldn’t patch his phone platform that fast, huh?


But can you do me a huge favor?  When you offer an update for iTunes CAN YOU STOP PRECHECKING SAFARI AND MOBILE ME?  I’m getting a tad tired of you and every other vendor that sees updates as a mechanism for cramming your applications down our throats.  We went down this road before and you had it unchecked.  Now you are prechecking it again. 


And don’t think that I’m letting any other vendor off the hook: Flash with their Google toolbar, Sun Java with their Microsoft MSN (now Bing) toolbar… enough with the prechecked crud you guys keep doing.


You are violating the trust of updaters.  It is no wonder that people are shutting off updates.  This post is dedicated to Mow.. Steve Wechsler, who found his mother’s computer with every security-patch-installed toolbar known to mankind on it.


BleepingComputer.com -> Hey, Software “Vendors”, Stop installing CRAP with your security updates !!!:
http://www.bleepingcomputer.com/blogs/mowgreen/index.php?showentry=1564


Join me in demanding from our vendors that Security updates do not offer up toolbars or any other non security related updates.  No additional software should be prechecked when we are obtaining security updates.



That goes for Microsoft, Sun, Adobe, or any other vendor that prechecks a toolbar or other offering with a security update.


Grab your “Ban the check” logos from here:  http://cid-c756c44362cd94ad.skydrive.live.com/browse.aspx/Ban%20the%20Check?uc=1&nl=1

Brad Dinerman sent over a white paper of interest on Social Networking

Brad Dinerman sent over a white paper of interest –


Fieldbrook Solutions – Brad’s TechTips for Security:
http://www.fieldbrook.net/TechTips/Security/SocialNetworking.asp
http://www.fieldbrook.net/TechTips/Security/SocialNetworkingSecurity.pdf


Former minister defends government departments’ use of Twitter | Politics | guardian.co.uk:
http://www.guardian.co.uk/politics/2009/jul/28/twitter-government-departments

Is there a right way to use social networking tools and a wrong way?  I’d say yes.  I still don’t like it when someone urges people to use Twitter as a support tool.  To me it’s like going to an empty room and yelling “Help I have an issue” and hoping that there is some wacko person who just happens to walk by and hear your yell. 


That said, use www.Tweetdeck.com with a search on #blackhat and #defcon this week and you can learn the buzz around a conference.  That’s not good of course when someone you are following goes to a conference and your follow stream turns into “all conference, all the time” (check out http://www.twalala.com/login or www.twittersnooze.com for such times).  But there are risks with such platforms.  Short URLs.  Tricked clicks.  Reputation hijacking.  It’s a scary place out there, so be prepared when folks ask you about the issues.

I didn’t want to add my opinion to the original announcement….

The Official SBS Blog : Microsoft Exchange 2007 SP2 installation is blocked on Windows SBS 2008:
http://blogs.technet.com/sbs/archive/2009/07/30/microsoft-exchange-2007-sp2-installation-is-blocked-on-windows-sbs-2008.aspx


Important update: Installing Microsoft Exchange 2007 SP2 on Windows Small Business Server 2008 currently causes problems in some web services of Windows SBS 2008 and requires manual steps to fix the problems. A prerequisite check is deployed in Microsoft Exchange 2007 SP2 setup program for Windows SBS 2008 so that Windows SBS users will be alerted and prompted before proceeding with installation.


————-


I didn’t want to add my opinion to the original announcement….


At first I was in the SBSer mode and was slightly freaking out about this.  How DARE the Exchange team build a service pack that is blocked from installing via Microsoft update or WSUS?  How dare they manage to build such a beast of a service pack that it needs a separate KB reading or an installer to fix back up the things they break? 


But I then had to remind myself that Exchange’s servicing history (or lack thereof) has always been like this.  No Service pack has been able to be deployed via Microsoft update or WSUS.  And in fact patches only got MU-able after Exchange 2003 sp2.  I got lulled into a false sense of expectation of patching due to the fact that SBS 2008 jumped into Exchange 2007 sp1 and didn’t have to deal with the service pack.


Granted as well, that I really don’t want someone to blindly patch with this size and type of a Service pack without backing up the database first.  But with all that justification in my brain of how crappy Exchange historically has deployed service packs, and this really isn’t anything new, it is hard to justify the cost and potential for issues when there isn’t much of value in this Service pack for the SMB space.


You Had Me At EHLO… : Exchange Server 2007 Service Pack 2 available in Q3 2009:
http://msexchangeteam.com/archive/2009/05/11/451281.aspx

Enhanced Auditing – Okay maybe there’s value there.
Exchange Volume Snapshot Backup Functionality – Already there in SBS and it’s about TIME that you released this, SBS and EBS have had it since they shipped and it was promised to normal Exchange servers for months now.
Dynamic Active Directory Schema Update and Validation – Schema updates shouldn’t be taken lightly and this is preparing the box for future ones
Public Folder Quota Management – hopefully they’ve thrown in more than just PowerShell commands as the GUI is lacking
Centralized Organizational Settings – again a PowerShell update
Named Properties cmdlets – Again this is another “I’ll have to see it before making judgment”
New User Interface for Managing Diagnostic Logging – finally more GUI!


Microsoft mainstream support policy for Exchange Server 2007 remains unchanged. Microsoft will continue providing support and Update Rollups to customers running SP1 for 12 months after SP2 ships.  Translation to me is that we have a full TWELVE MONTHS to get this sucker on our boxes.  Thus even once we get the SBS team wrapper, there is no rush to install this on Servers.


Bottom line …. this is a service pack that I’m having a hard time justifying a value to the customer for.  At least at first glance, this is one that I might apply to new clean servers, but existing SBS 2008 servers, I’m going to have to wait and see what value it has.


Other than 1 year from now I’ll urge you to update to be on the update rollups for Exchange 2007 SP2… I can’t see value in it … and a lot of risk.

The Official SBS Blog : Microsoft Exchange 2007 SP2 installation is blocked on Windows SBS 2008:

The Official SBS Blog : Microsoft Exchange 2007 SP2 installation is blocked on Windows SBS 2008:
http://blogs.technet.com/sbs/archive/2009/07/30/microsoft-exchange-2007-sp2-installation-is-blocked-on-windows-sbs-2008.aspx


Important update: Installing Microsoft Exchange 2007 SP2 on Windows Small Business Server 2008 currently causes problems in some web services of Windows SBS 2008 and requires manual steps to fix the problems. A prerequisite check is deployed in Microsoft Exchange 2007 SP2 setup program for Windows SBS 2008 so that Windows SBS users will be alerted and prompted before proceeding with installation.


Microsoft Windows SBS team is working on a Microsoft Exchange 2007 SP2 installation tool on Windows SBS 2008. The tool will automate the Exchange 2007 SP2 installation with a better user experience. With this tool released, users can download the tool to the Exchange 2007 SP2 setup folder and launch the SP2 setup from the tool. The tool will remove the prompt, stop the FSE services, launch Exchange 2007 setup UI, and then perform post-setup cleanup after SP2 installation is successfully completed.


For users who want to deploy Exchange 2007 SP2 on their Windows SBS machines urgently, manual steps are provided in KB 973862. However, we strongly recommend users to leverage our upcoming installation tool for a successful SP2 installation. We will inform you via this blog when this tool is available.


Note: KB 973862 should be available next week. 



 

Install MS’s out-of-cycle patches for IE, apps:

Here’s this week’s special WindowsSecrets article on this week’s Out of band/Out of Cycle patch:


Install MS’s out-of-cycle patches for IE, apps:
http://www.windowssecrets.com/comp/090730

So you wanna turn off the firewall on your workstations?

….T-E-M-P-O-R-A-R-I-L-Y…. right?  Just for testing?


And mind you I’m seeing more apps that demand that UAC is on or that the firewall is enabled.  Granted Live Mesh is not a normal app but I found it interesting that you can’t install Live Mesh unless the firewall is enabled.  But say you need for testing purposes (to deal with a sucky app to prove a point) that it won’t work with the firewall totally disabled.  And you notice in your 2003 or 2008 server that you can’t temporarily turn off the firewall by the GUI or the netsh commands?


The key is that you have to tell the group policy on the server to release control.  In SBS 2003 do the following (see http://www.sbslinks.com/group.htm).  Launch the group policy management console on the server.  Right mouse click the Windows Firewall on the left side.  Untick the “link enabled” setting.  At a command prompt type in gpupdate /force and hit enter.  This will leave the policy in place and allow you to go to the workstation and turn off (again temporarily) the firewall.


On a Server 2008 box the setting is similar but this time go to the Windows XP policy or the Windows Vista policy (http://msmvps.com/blogs/bradley/archive/2009/05/29/group-policy-defaults-for-sbs-2008.aspx) and again, undo the link enable there.


You may need to type in gpupdate /force at the workstation to force the group policy change faster, but that will allow you to manually adjust the firewall on the workstations.


Now, that you’ve proven to the vendor that the app works, ask them specifically for the ports or application they need opened up.  Go back up to the server and add your exclusions up in that firewall settings.  That way you can have your apps happy, and keep the firewall on the workstations.
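The workstation side of that test, as an added example that is not from the original post: run it from an elevated command prompt on a Windows Vista or later workstation once the policy link has been released. The rule name, program path and TCP port 8443 are placeholders for whatever the vendor actually tells you they need.

```batch
@echo off
rem Added example, not from the original post. Placeholders: rule name,
rem program path and port 8443. Requires an elevated prompt on Vista or later.

rem 1. Pull the changed policy and confirm which GPOs still apply to this
rem    computer; the unlinked firewall GPO should no longer be listed.
gpupdate /force
gpresult /r /scope computer

rem 2. Record the firewall state before touching it, so the test can be
rem    undone exactly.
netsh advfirewall show allprofiles state

rem 3. TEMPORARILY turn off the domain profile only (not all profiles).
netsh advfirewall set domainprofile state off

rem 4. Start the application, reproduce the problem, then capture what is
rem    listening (with owning PIDs) so you can compare it against the
rem    ports the vendor claims to need.
netstat -ano | findstr LISTENING > "%TEMP%\listeners-firewall-off.txt"

rem 5. Turn the firewall straight back on as soon as the test is done.
netsh advfirewall set domainprofile state on

rem 6. Try the narrow exception locally: one program, one port, domain
rem    profile only. Path and port are placeholders.
netsh advfirewall firewall add rule name="VendorApp inbound (test)" dir=in action=allow program="C:\Program Files\VendorApp\app.exe" protocol=TCP localport=8443 profile=domain

rem 7. Verify the rule exists and retest the app with the firewall ON.
netsh advfirewall firewall show rule name="VendorApp inbound (test)"

rem 8. Once the app works with the firewall on, remove the local test
rem    rule and put the same exception into the firewall policy on the
rem    server instead. Re-ticking "link enabled" and running
rem    gpupdate /force afterwards is assumed here as the way to hand
rem    control back to group policy.
netsh advfirewall firewall delete rule name="VendorApp inbound (test)"
```

On Windows XP workstations the `netsh advfirewall` context does not exist; the older `netsh firewall` context is used there instead.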

Security Fix – Microsoft’s Emergency Patch Mess

Security Fix – Microsoft’s Emergency Patch Mess:
http://voices.washingtonpost.com/securityfix/2009/07/microsofts_emergency_patch_mes.html?wprss=securityfix


From the comments:

“I am not sure about the following comment Microsoft made regarding the release of these latest patches to IE. “We decided to issue these updates now rather than wait for things to get worse.” Why would Microsoft wait to release these patches? They should release them as soon as the patches are ready, especially if they are critical patches. The above statement makes me think Microsoft waits to release patches until things are bad. I do not understand that. “


Microsoft patches on a cycle that releases the patches on the second Tuesday of each month.  The reason that this is being released now, and not later in August is one word: BLACKHAT.  Tomorrow (Wednesday) at 3:15 p.m., three researchers are giving a talk on how to bypass the existing ActiveX blocker.


Microsoft BlueHat Blog : Black Hat USA Spotlight: ATL Killbit Bypass:
http://blogs.technet.com/bluehat/archive/2009/07/27/black-hat-usa-atl-killbit-bypass.aspx


For more check out the upcoming newsletter at www.windowssecrets.com

Exchange rollup 9

If you are patching today for the out of cycle patches, be aware that the Exchange 2007 update rollup 9 is also out on the update site today.


You Had Me At EHLO… : Update Rollup 9 for Exchange Server 2007 Service Pack 1 has been released:
http://msexchangeteam.com/archive/2009/07/17/451835.aspx

As Don reported, if you use Storagecraft you’ll want this patch as it fixes some issues with the backup.

Rebooting a server

Tonight I applied the patch to the two servers that run the blog site and one (Yoda) got stuck on shut down.  Fortunately the other (Brianna) didn’t so I was able to go to her and run a shutdown command of


shutdown -r -m \\Yoda


Mind you, Philip recommended that I do a shutdown -r -f -m \\Yoda as that will force the reboot.  Now in a real production/we need this up all the time/server you would be wise to install a remote IP device that would allow you to get access to the server below the operating system.  Many of the quality servers have this with special network cards (iLO for HP, DRAC for Dell).


If you start moving more things into a hosted setting, having remote management below the OS level is key.