I've got the Blue Magnfying glass to go with my Green Check

Today he's gone from being a security friend and guru, to a Small Business Security guru.  It's cool to see this come to the marketplace.  I find that it adds a great deal to my already daily routine of my morning email.... in the next phase, SBS 2003 R2 will give me "green checks" in my daily email.

But today, I get blue magnifying glass every day at 6 a.m that keeps me aware and is part of that "hardening me" the business owner process.

Scorpion Software releases Firewall Dashboard for Microsoft's Small Business Server 2003

Chilliwack, BC: March 22, 2006 - Scorpion Software Corp. today announced the general availability of version 1.0 of Firewall Dashboard, a security analytics tool to proactively identify threats before they become problems to small businesses that are using Microsoft's Small Business Server 2003 (SBS 2003). With the Firewall Dashboard, owners of SBS 2003 can now change their raw firewall logs into meaningful and interpretable graphical threat assessments. With its unique ability to first aggregate log data, and then filter out network chatter, users of Firewall Dashboard can easily peel back the layers of firewall event complexity to find the real issues their network is facing. More information about the Firewall Dashboard is available at http://www.scorpionsoft.com/products/fwdashboard/.

"The Firewall Dashboard is our first security analytics tools to help small businesses understand the real threats to their business." says Dana Epp, Scorpion Software's President and computer security software architect. "We want to get relevant computer security intelligence information to business owners, and we are pleased to have worked with the small business community in designing and testing this product. With over 100 SBS servers already running the Firewall Dashboard during its development process, we continue to receive great feedback from SBS administrators and business owners in the field who are actually using the product every day." Testimonials from some of those users can be viewed at: http://www.scorpionsoft.com/products/fwdashboard/testimonials.html

Pricing and Availability

Firewall Dashboard is available today to customers worldwide through Scorpion Software resellers and the Scorpion Software Company Store at https://secure.scorpionsoft.com/store/. MSRP for a single one year license of the Firewall Dashboard is $95 USD. Resellers can purchase the Firewall Dashboard Reseller Pack, a five (5) unit bundling of one year licenses for $356.25 USD.

About Scorpion Software Corp.

Scorpion Software Corp. is a leading provider of security analytic tools for small business, helping organizations proactively identify and remediate network and server vulnerabilities by getting relevant computer security intelligence information to business owners. Headquartered in British Columbia, Canada, Scorpion Software helps small businesses manage online risk while offering unprecedented automated audit reporting and analysis. More information about the company is available at www.scorpionsoft.com.

Small Business Server hardening guidance

On the Security 360 webcast that was on earlier today, the topic was on "browser hardening".  And the VERY first question was about Small Businesses and they were looking for guidance on hardening.. and the question included hardening of the SBS box.  I tell ya... us SBSers are EVERYWHERE aren't they? 

Here is the guidance I would highly recommend as guidance for locking down a SBS box.

1. Walk to the server.
2. Turn around.
3. Yes, I said turn around.
4. I really mean, you need to turn around.
5. Walk to the nearest workstation that has a user working on it.
6. Shove the user aside (nicely of course, but you want to be in front of that user's workstation using their session).
7. Click on the date and time in the corner.

Got that?

So why is that a hardening step for locking down a SBS box?

Because I would strongly argue that your biggest threats on a SBS network is the end users.  End that have local administrator rights.  End users that can download and click.  And if you can click on that date and time and it comes up and allows you to modify it, that user most definitely has the right to introduce risks into your system.  So lets talk about how we can harden the workstations, shall we?

Want to harden a SBS server and network?  Start by hardening the user. 

• You don't surf at the server
• You don't use the server as a workstation
• You educate your users that "download here for free" translates into "yes, you really do want malware on your box, don't you?"
• You have an acceptable use policy that says "yes, this is okay to do" and "no, this isn't appropriate for our firm" - check with the sans.org policy site to set up an acceptable use policy.

So that that you have that education task out of the way... you harden the desktop.  Here's the hard part... you need to check with the applications that are poorly written and won't work under these conditions.  Some of these things are not for all..but it will take YOU some time to do, so play first on your own boxes before rolling this out to your clients.

• Get more control using Group policy - Consider IE active X browser filtering using this KB by Nick "the naked MVP" Whittome -
  • Outlook Web Access and Small Business Server Remote Web Workplace do not function if XP Service Pack 2 Add-on Blocking is enabled via group policy:
    http://support.microsoft.com/kb/555235/en-us
  • I honestly do not think that we do enough in group policy in SBS.  We have the GPMC tool right under the hood and all it takes is us to get up to speed.  GRAB A BOOK.  And read this spreadsheet to see all the potential for things you can control.
• Use ISA 2004 (only in premium) or your firewall software to block sites
  • We had this the other day... mysite.com is not for business and thus sites like those should not be used in the office.  Bad sites introduce risk. 
• Get those workstations down to "normal" user mode.
  • Sit down with that client/customer and see what key line of business applications they have.  If they are "designed for XP" they will natively run under this 'normal' user mode or LUA.  If they are not logo'd, come out to the newsgroups, communitities and google on ways to get that app down to 'normal user' mode.  Yell at the vendor. 
  • So many of the latest security vulnerabilities will launch things in the 'context' of the user, so the lower rights you have, the better you are
  • Review Aaron's blog about these issues
• Get patches on those boxes/Get on the latest software.
  • When SBS 2k3 R2 comes out, the "green check" of updates will be there to help keep that system up to date.  You don't have to wait until then or buy it if you don't want to.  Download WSUS now.
  • IF YOU DO NOTHING ELSE, FLIP YOUR SYSTEMS OVER TO MICROSOFT UPDATE.  Yes, I know I'm yelling, but we truly now, with Microsoft update, have the ability to patch our entire system (YES even ISA Server 2004 - which hasn't needed a patch yet), so all the way from the workstations to the server can now be done by MU.  If you have not, all you have to do is go to Windows Update and on the right hand side is the place to click to "flip the bits" over to Microsoft Update.
• Install the same sort of security at home that you do at the office
  • We buy Trend pccillian for all home pcs (especially those that remotely connect back to the network)
  • We require that they have XP sp2, firewalls and all the normal stuff I have here at the office.
• Follow some of the information and guidance on Dana's blog.  He had a webcast on Compliance at the SBsummit..

But even with all of this... what's the best way to harden a SBS server and a network?

You start by hardening ME.  Me the business owner.  Me the onsite admin.  You harden me, you get me to understand that you can't just harden the server, that "I" have to change.  I can't download things like I used to.  I can't surf like I used to. I have to be a little less trusting.  A little more aware.  A little more paranoid.  Accepting of the balance between security and business that I need.  We need to work on this together.  You need me to understand that there's no easy fix.  No one button that I can point you to.

You don't get it by downloading a guide.

You start by hardening ME.

Only then will you have a hardened Small Business Server network.

The "Canary"

So what is a "canary" in patch testing anyway?  Since you probably cannot recreate exactly a replica of your client's (or your) network for testing purposes.... you choose a "canary".  Back in the days of coal miners, they would take a canary into the coal mine and if the bird survived, they knew they still had good air... if it didn't.. well. then......you know you are in trouble.

So when you start testing the "now" optional patch that will soon be part of a security patch, you need to select a person, a patient person, and ask them to be your canary.  The system that is prepared to be your early warning system.  To ensure that the "other systems" survive.  Thus take that patch and Install it now on one machine.  Ensure that the person using that systems tests all the line of business applications that firm needs for business and reports back to you regarding all the key line of business applications that do not function as they should.  Contact the app developer and ensure they are aware.  If there are issues, things you just can't get around, contact Microsoft on this to see if they can work with the vendor in solving the issue.

Already there are known issues http://support.microsoft.com/kb/912945/en-us:

You may experience an access violation in the Google Toolbar when you close a window that contains an inactive ActiveX control. Microsoft and Google technical teams have been working together to address this issue. Google is expected to fix this problem by using its automatic "servicing mechanism" for Google Toolbar users. This problem affects Google Toolbar versions before version 3.0.129.2. Visit the following Google Web site to download the latest version:

Start testing that IE patch now

MSFT Upstate NY Technology News and Events : Internet Explorer ActiveX Update being deployed - April 11th 2006:
http://blogs.technet.com/upstate-ny-technology/archive/2006/03/20/422522.aspx

http://support.microsoft.com/kb/912945/en-us is right now in the "optional" section.  Take a "canary" or your own shop and install this and see what it does to web apps.

That Active X patch will be in the next IE update.

What's a "canary" you ask? You take a person, patient, a bit of a uber technologist in the firm you do patching for, you deploy the patch to that person first and ask him or her to monitor the patch impact.  Check those line of business applications.  Ensure that web apps aren't affected in a dramatic way to stop business.  Start now by testing this patch.  It's in Microsoft update in the center section.  And remember ..this patch isn't there because of a security issue, but because of the way our American patent law works.

Testing plans

Identify the operating system subject to testing.

Identify the service pack level.

Identify the hotfixes installed on your systems (if in addition to security fixes).

Identify critical third party applications.

Identify third party applications that have had patching historically.

Identify those files used in patches that may have causes issues in the past. Are the included in this current patch? Assign testing resources appropriately.

Study the bulletin to determine if you can uninstall the patch. If not, determine if additional resources for testing or imaging need to be in place before approving the patch.

Test the installation of the patch both manually and via your automated patch technology.

Can you uninstall the patch using add/remove program or your patch tool?

Review the processes of your line of business applications. Are they performing as expected?

Attempt to replicate a production environment using imaged data. Having an exact image provides the best testing bed.

Set up performance and monitoring tools to review your testing machines43 such as PerfMon, tools from Sysinternals44 and review all log files.

Confirm the installation of the patches via registry review or other means.

(OPTIONAL) Confirm the effectiveness of the patch using testing code.

Follow any additional procedures your situation requires.

Approve the patch for release.

PREPARE BACKUPS.

The "real" LUA instructions for Quickbooks

The other day I said that it got a lot colder because Intuit finally came out with official instructions to run Quickbooks as a non admin.

Well.. we just warmed up a bit... as while there is a web page with instructions... the instructions are wrong and are missing a key element that makes them not work properly.

In the "official" instructions they say that you need to

Edit permissions to Allow: Full Control for QuickBooksUser in the Access Control List for the following files and registry keys:

File System:

• C:\Program Files\Intuit *this is the default folder; adjust the folder name as appropriate for custom installations.

• C:\Program Files\Common Files\Intuit

Registry:

• HKEY_LOCAL_MACHINE\SOFTWARE\Intuit

• HKEY_CLASSES_ROOT\QuickBooks.CoLocator <<< this key is wrong<<<<

• HKEY_CLASSES_ROOT\CLSID\{E53C85D6-E6D9-4BCF-A623-72062A99AA7F}

There's one problem...that one setting, HKCR\Quickbooks.CoLocator should be HKCR\Quickbooks.CoLocator.1

Tested here and you can see that the LUA setting works with the CoLocator.1 which ends up being the same as the community instructions here.

Dear people who code at Intuit:

If you can't get access to this link, let me know.  There is a document newly released on the web that is the "logo" requirements for Windows Vista.  You might need to take a look at this when coding your Quickbooks 2007 version... you remember..the one that was stated will run with normal user rights?  Since you are going to be changing your software ...since it can't do that now... you might as well make sure it fits the guidelines for Vista while you are under the hood fixing things.

Just holler if you can't download it... I'll make sure you get a copy.  Just send and email to sbradcpa -at- pacbell.net

Here.. lemme make it a little easier for you....just make sure you pay attention to this section:

1.1     Follow User Account Protection Guidelines

A user’s Windows experience is more secure when applications run with only the permissions they need.  Unless an application is designed to be run only by system administrators, it should run with least privilege.

Every application must have an embedded manifest to define its execution level:

<requestedExecutionLevel level="asInvoker|highestAvailable|requireAdministrator" uiAccess="true|false"/>

Most applications should have level=asInvoker (leastPrivilege in Beta 1).  Applications that are designed to be run by system administrators may define a higher execution level, and the justification must be documented.

Most applications should run with uiAccess=false.  Applications that need to drive input to the UI of another window may set uiAccess=true, and the justification must be documented.

Patch Tuesday

Those pesky Dat files

For a brief period on Friday, McAfee's security tools killed more than viruses.

An error in McAfee's virus definition file released Friday morning caused the company's consumer and enterprise antivirus products to flag Microsoft's Excel, as well as other applications on users' PCs, as a virus called W95/CTX, Joe Telafici, director of operations at McAfee's Avert labs, told CNET News.com.

"At about 1 p.m. PST we started getting reports that people were seeing an unusual number of W95/CTX infections in their environment," Telafici said. "Files that we did identify would probably be deleted or quarantined, depending on your settings."

More:

http://news.com.com/2100-1002_3-6048709.html

Okay first we had Trend with a bad dat file...then Microsoft Antispyware flagged Norton as a bad file...then we have McAfee flagging Excel... and Sandi reports that Trend is flagging Windows Genuine Advantage....  and yet the funny thing is most people freak out when you say you are going to turn on automatic updates in patching and possibly nail a network... what about all the OTHER gunk we are automatically updating all the time around our networks and not even blinking an eyelash?

Patch Tuesday coming... well.. next Tuesday

http://www.microsoft.com/technet/security/bulletin/advance.mspx

On 14 March 2006 Microsoft is planning to release:

Security Updates

•	One Microsoft Security Bulletin affecting Microsoft Office. The highest Maximum Severity rating for this is Critical. These updates may require a restart. These updates will be detectable using the Microsoft Baseline Security Analyzer and the Enterprise Scanning Tool.
•	One Microsoft Security Bulletin affecting Microsoft Windows. The highest Maximum Severity rating for this is Important. These updates will not require a restart. These updates will be detectable using the Microsoft Baseline Security Analyzer.

Microsoft Windows Malicious Software Removal Tool

•	Microsoft will release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services and the Download Center.

Note that this tool will NOT be distributed using Software Update Services (SUS).

Non-security High Priority updates on MU, WU, WSUS and SUS

•	Microsoft will not release any NON-SECURITY High-Priority Updates for Windows on Windows Update (WU) and Software Update Services (SUS).
•	Microsoft will release one NON-SECURITY High-Priority Updates on Microsoft Update (MU) and Windows Server Update Services (WSUS).

Would you live there?

I want you to think for a moment....

If your computer you use was a house would you live in it?

If your computer you use was a city, would you want to live there?

Just think about that for a moment... all of those items I asked you to think if you wanted to do with it... are all about trusting something.  Trusting the house to be safe and secure and liveable.  Trusting the city to be civil and a nice place to raise children and a good economy for jobs. 

Think of where your computer goes and what it does and what you do with it.  Do you trust it? 

Do you trust your network?  If your network was a city would you live there?  If your network was a State would you want to live in that State?

Now think of the Internet.  Think of what goes on in the Internet.  Do you trust it?  Do you feel that it's safe and secure? 

Think of it as a place to live.  A Country.  A city.  A house.  Where you would be, day in and day out.  It would be your home.  Would you want to live there unprotected?  Without a policeman?  Without a guarddog? Without the infrastructure of a 911 call system, and fireman, and doctors? 

So tell me... if you ...right now ... today... live in a house that you consider safe enough.  If you live in a city that you consider good enough to raise children and provide jobs.  If you live in a State or Country that you like to live in.  If you couldn't dream of living in a place that didn't have the basic infrasture of SECURITY as it's foundation.....you couldn't dream of living in a place where there isn't the assurances of fire protection, and emergency services, and protection, and medical attention that proactively ensures that you stay well and eat right and exercise and all of that.......

If that sounds like a really good way to live.....where you would want to be...

...then why do we do what we do to our computers?

...the very things that many of us depend on for our businesses?

...the very things that provide us with jobs?

....why do we not take care of them proactively... why do we instead spend money on the equivalent of the emergency room medical treatment....why do we not ensure we have adequate safety and protection so that we can minimize the risk....

...why do we with our computers and networks live in the equivalent of a crime infested neighborhood, not caring about cleaning up the crack houses and drug addicts, not caring about the drive by shootings and the muggings.  Not caring about our very lives.... why does it seem that if we "lived in our computers" it wouldn't be a good place to live at all....

so I want you to think about that....

If where your data lives.. is not where you'd like to live....

...why do you let your data live there and not protect it?

I'm looking for software ..and oh... I'd prefer it to be free...

I see this a lot on listserves and newsgroups....

"I have a client looking for a solution to encrypt email....oh and he'd prefer free"

"I'm looking for a RSS reader.... oh and I'd prefer free"

(Forest Gump like voice) My Mamma said that nothin' in life is for free, that there is a price to everythin....

Now I'm not saying that you can't find some software that will fit your needs and may be free or low cost, but folks, we really need to stop and remember what our Mothers taught us.  People cannot live off of air.   Sure software coders probably can get by with a box of Twinkies and Mountain Dew...but if you are running a business, and you expect to be paid for what you do, why should you consider the things you rely on any differently.  Someone normally "pays" for everything...whether that comes in the form of advertisements, banner ads, emails coming to you regarding the product you downloaded, them selling your email address everywhere, or worse case scenerio.... a malware on your system

Take a look at incidents.org for an example of this...

So when your client....or YOU...want "free software"...in the words of Sgt. Phil Esterhaus on the TV show years ago... "Let's be careful out there"......

You might get more than you paid for.....

Get ready for LUA - webcast

Applying the principle of least privilege webcast and whitepaper

A defense-in-depth strategy, which involves overlapping layers of security, is the best way to counter malicious software threats. The least-privileged user account approach is an important part of that defensive strategy. This approach ensures that users follow the principle of least privilege and always log on with limited user accounts. In addition, this strategy aims to limit the use of administrative credentials to administrators, and then only for administrative tasks. This webcast explains the principle of least privilege, discusses why it is an important part of a defense-in-depth strategy, and presents the tools and resources that can help implement it.

Presenter: Mike Smith-Lonergan, Technical Program Manager, Microsoft Corporation

Mike Smith-Lonergan is a technical program manager with the Solutions for Security and Compliance team at Microsoft, where he is currently working on security solutions for the upcoming release of Microsoft Windows Vista. Mike is a Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and a Microsoft Certified Systems Engineer (MCSE). Armed with a Master’s degree in business administration, Mike spent five years duking it out with hackers as a security consultant with Microsoft Consulting Services.

About Risk

Hey ... this is a pretty cool web site that has a online checklist about business risks.....  http://www.getsafeonline.org/nqcontent.cfm?a_id=1275 Which in chatting with Dana is I think what I'll chat about at SMBTN Spring Conference.  I'm probably still going to do a quick "get ready for WSUS" overview and hit the main troubleshooting pieces... like the fact that you can click on start, type in run, then windowsupdate.log and there's your update history on that box.  Look for the "errors" and google them up.

In fact the overall sections are pretty good at getting you thinking about risk.

So, do you sit down and talk to your clients about risk?

(Insert software choice that will cause religious wars) cracked in (insert time amount that sounds insanely short)

You've probably seen the headlines that it was proven that Mac's can be cracked in about 30 minutes with some unpublished exploits out there.  Well it turns out that it's a little harder than it seems.... http://test.doit.wisc.edu/  but it makes me bring out the tinfoil nonetheless.

The SBS platform was "outted" in a USA Today article about a year or so ago about how fast it was to crack... the only problem was it was sitting bare on the Internet with a sucky password of "Password" and no firewall.  You try and survive standing in the middle of the 405 Freeway in the number one lane at the 7:45 am rush hour and see if you fare as comparatively well in what I would call a comparable test to what they did to that SBS box.

Once upon a time there was a book that said that you should plan assuming that you will get intruded on and design your network accordingly...but I think we need to also put a bit of business realism in this thought process as well and understand that ...yes...beleive it or not... even with running with administrator rights.... yes, even with running without spyware and antivirus... I do know folks...mostly uber geeks who can run their computers and not get nailed by anything bad.  Yes they are a "bit more intelligent than the average bear", but the reality is they aren't downloading stupid stuff.

The other day on the Managed Services listserve someone said that he didn't push all of his clients to run as local admin....as he couldn't push them.  And you know what... I think I agree.  But I think in order for you do to this, you need to know your clients and know their risks.  There are some clients and some end users that I just know are going to get nailed unless I do something to help.  That antivirus isn't enough, that anti spyware isn't enough that they need additional help.  But the there are some folks (and what they are using) that sometimes you just can't push it and you know you'll have to wait until Vista's LUA/UAC/UAP to come out.  And then to go yell at your software vendors to do a better job....because quite frankly some of this protection could be done a lot more natively than it is done now.

So what about you... do you do a "risk analysis" of your clients?

Seeing an issue with Window Genuine Advantage?

Eric Vogel reported that the Genuine Advantage update was having a bit of issues.  I had installed it on my XP workstation the other day with no issues, but there were newsgroup reports of problems in addition to Eric's report.

Looks like there's a solution.... as reported in the newsgroups

If you received this error 0x80070005, go to the WGA diagnostic tool which has been updated.

SMBTN Spring Conference

I'm making a mad dash down to Los Angeles on a Saturday and then back home Sunday at the end of March/first of April for the Spring SMBTN Conference.... and while I could talk about WSUS and patching issues.... since I did that last year and I seemingly have done it a lot lately... I think I'm going to ask for feedback.

If you are attending the SMBTN Spring Conference... what topic are you interested in?  I'd like to make it interactive.  So here are some ideas I have....

• I could do WSUS (especially since it's under the hood in the R2 era) and discuss what patches come out on WSUS but since I've done that... I'm like hmmmmmm
• I could do a brainstrorming sesson on the real risks of a SBS network.  I still strongly believe that we immediately jump to the "Oh we MUST do THAT since that's best practices" but it's my belief that you can't say that without looking at the data you are protecting.
• I could do a talk on the Support resources and stuff available from PSS Security... how they will handle issues with a security patch, how they have investigators that review issues, what the MSRC is and what resources there are to keep aware of breaking security issues (hmmm...that one isn't a bad idea....)
• I could do one on investigating audit logs ....

In fact the more I think about this... since Dana Epp will be there too, I'll probably bounce this off of him too since it's always fun to do a he said/she said presentation.

But got any other ideas that you'd like to see discussed and/or talked about?

Psssttt... don't tell Dana that I need to download the latest Firewall Dashboard beta as mine expired yesterday and I forgot to download it and install it today....

Today's security advisory that was released

 ********************************************************************
Title: Microsoft Security Advisory Notification
Issued: February 28, 2006
********************************************************************

Security Advisories Updated or Released Today
==============================================

* Security Advisory (912945)
 - Title:    Non-Security Update for Internet Explorer

 - Web site: http://go.microsoft.com/fwlink/?LinkId=59550

Okay so read that........

And this is a non security update that replaces a security update and will be replaced by a security update, but it's not a security update.

Got that?  (yeah... I'm going huh?  as well)

Okay so you want to know what this is really all about?

• http://news.com.com/Microsoft+tweaks+browser+to+avoid+liability/2100-1012_3-5980658.html
• http://news.com.com/Microsoft+loses+in+Eolas+patent+ruling/2100-1012_3-5885657.html
• http://news.com.com/Microsoft+ordered+to+pay+521+million/2100-1012_3-5062409.html?tag=nl

Is leaving computers turned on a massive security risk?

There's a thread going on PatchManagement.org listserve and according to some folks I am severely deficient in allowing my end users to leave their computers on.

Because they say, when a system is turned on, it opens up a hole for intruders to drop things on those boxes.

They only want the systems on when a user is there, and they trust their users to patch their machines.  That to leave the machines on for remote access is insane of me to even think of doing.

I find these 'absolute' conversations to be quite interesting.  Because it's my belief that there is no such thing as a black and white answer in security.  It's about risk analysis and finding a balance.  Of being just enough security, of the right amount, at the right time, in the right amount of annoyance so that end users don't find a way around it.  Because at the end of the day, security HAS to take an equal weight with the business of the firm.  If it takes an extreme higher priority, then you might as well turn off the computers and servers, and stop doing business.  Because if you go and live on an island with no computers and no need for interactions, that's probably the only way you will be absolutely secure from all technology risks like Identity Theft and what not.  Of course then you will have a new set of risks to worry about.  Just go ask the folks on the TV show Lost about the risks they face "without" technology around.

I find the thoughts that "you must turn off your system otherwise bad guys are sitting there dropping bad things on your systems" to be an interesting thought.  If you believe your internal network to be that infected, then yes, design your network with that risk and threat in mind.  In my mind you must then design the network such that you assume all tcp/ip packets are hostile and you cannot trust anything that you cannot verify coming from something you trust.

It's my understanding that Microsoft designs their network in this manner with an IPSec set up so that unless you have a SmartCard you don't get domain access.  Conversely all the new Network Access Protection stuff that's coming down the pipeline looks very interesting to better protect and 'vet' the connections coming into our networks.  But in a small network, it's my opinion that I can still do what I need to do to have a somewhat more 'trusted' internal network.  Now I'm sure I'm absolutely the naive one, but with the additional tools I have  --like the SBS build in monitoring email, and ISA 2004 and the Scorpion Software's Firewall Dashboard (that just is releasing a final beta as a matter of fact) can help keep me a smidge informed that once something happens (please note I said when not if as one should always be prepared for the worst) I can act as fast as I can to take whatever actions I need to do.

But I think for someone to say "look at the packets hitting your desktop firewalls, all those bad guys trying to intrude" means that I shouldn't be just calmly looking at those firewall logs, but having a heart attack and freaking out and trying to either block the entry point, or figure out what machine on my internal network has gotten owned and starting an investigation.  As someone coined the term... "draining the network" at that point and rebuilding it.

I guess I'm of the opinion that if I can't reasonably protect with "good enough" security machines that are merely turned on, how in the world can I protect them when there are end users sitting at those machines using them?  Our end users are not trained in security AT ALL.  The entire computing industry has done a poor job in educating us at all on technology, let alone securely operating computers.  Walk into ANY office and talk to an end user about the application they are using and I'll bet you that they don't know how or if their systems are being backed up, they don't know anything about patches, or care about firewalls, don't understand that bad guys are being paid $10,000 a pop for vulnerabilities, and I would argue that it's not their job to be that geeky and know all about that... it's mine.  There job is to just do what they need to do, sticking sticky notes on the monitor for all the 'to dos' that they need to do.

I don't trust my end users to be on top of patching like I am and I want to be the one installing and approving patches.  I don't want them to be the one assigning risks to email attachments, it's my job.  There are some users of technology that telling them to look for a button in a tool bar is asking them way way too much.  Now maybe we shouldn't have those folks using computers, but the ugly reality is that we have these users in our networks, using technology.  So we'd better plan our networks for these folks.  Ensuring that as much as we can we build in secure processes that aren't such an extreme bother that folks go around it and find another way to do their job. 

I know they say that the network guys shouldn't be in charge of the security because there's a conflict of interest, but where is it in the computer security book that the folks on the business side can't be involved in this process of security as well.

Because folks at the end of the day this is about acceptable risk.  And quite honestly I cannot see how you can make a determination without a business hat at the table.

I just don't think that the risks that are acceptable for my network are acceptable for yours.  Especially not if we're not the same size and you don't have the technology that I do (like Remote Web Workplace).

And you know what.... that's OK.

Windowsupdate.log

You running Microsoft update?  You are?  Good.

I want you to click, Start, Run and in the box type in windowsupdate.log and hit enter.

Now scroll around that file... see what it is?  Is the history of your Security Updates.

I'm stealing these from Robear.....in case you need any WU/MU info.

How to troubleshoot Windows Update, Microsoft Update, and Windows Server Update Services installation issues:
http://support.microsoft.com/?kbid=906602

1. See the "Need more help? Tell us what problem you are having" section of http://support.microsoft.com/?scid=ph;en-us;6527

3a. Check Windowsupdate.log (%windir%\Windowsupdate.log) for errors associated with the download/install.

How to read the Windowsupdate.log file:
http://support.microsoft.com/?kbid=902093

3b. Compare errors to those listed here: http://inetexplorer.mvps.org/archive/windows_update_codes.htm and/or go to http://windowsupdate.microsoft.com > click on Help and Support link in left pane > Solve problems on your own.

4. Windows Update Checklist:
http://www3.telus.net/dandemar/updtcl.htm

5. Windows Update-specific newsgroup: news://msnews.microsoft.com/mi­crosoft.public.windowsupdate

Archive of Windows Update newsgroup: http://groups-beta.google.com/group/microsoft.public.windowsupdate

Installing Quickbooks 2006 on a network

***** AUDIENCE AFFECTED *****

QuickBooks ProAdvisors and/or their clients who are installing and 
configuring QuickBooks 2006 on a network.

***** KEY INFORMATION *****

There have been a number of questions that have surfaced around 
networking QuickBooks 2006. Many of these questions have stemmed 
from the fact that QuickBooks 2006 has changed the way it accesses 
company files from previous versions. The purpose of this alert is 
to ensure that you have the information and resources you need to 
optimize for this new environment.

The process for how company files are accessed is different because 
QuickBooks 2006 is now built on top of a robust SQL database. This 
new database will enable us to deliver some significant performance 
and functionality improvements year over year, and we’ve only begun 
to realize these advantages in QuickBooks 2006. 

In response to the questions, we have created a NEW support 
Web page dedicated to setting up QuickBooks 2006 on a network. 
This page contains a variety of reference materials including; 
a useful installation guide, tips & tricks on optimizing QuickBooks 
2006 performance and more.  It will be updated on a frequent basis 
and will contain the latest and most up-to-date information.

As a result, we recommend that you use the following Web page as 
your one-stop resource in order for you to successfully install 
QuickBooks 2006 on a networked environment:

http://www.quickbooks.com/support/networking


***** QUICKBOOKS 2006 NETWORK SET-UP FAQs *****

The use of file servers has generated a number of questions. 
Therefore we start this list of FAQs by addressing file-server 
installations, as taken from the new Web site: 


> Why do I need to install QuickBooks on my data-only file server?

If you designated one computer to hold company files only, even 
though that computer is not used for data entry, you should install 
QuickBooks on that computer (this is a change from previous versions 
of QuickBooks).
The QuickBooks 2006 software includes a database manager, which 
is a software component that manages QuickBooks company files. The 
database manager is responsible for managing users who are working 
in a company file, including users who are accessing the file from 
a remote computer. Users communicate with the database manager, and 
the database manager communicates with the company file, making 
sure that data is verified before it is saved.
Any QuickBooks company file that is opened in version 2006 must 
be linked to, and hosted by, a database manager. Because all the 
communication between the user and the data file takes place through 
the hosting database manager, QuickBooks works smoothly and 
efficiently when the database manager is installed on the same 
computer as the company files.


> Does QuickBooks need to be running on the data file server to 
access a company file from another computer?

No. After installing QuickBooks 2006 on a data-only file server 
and turning on hosting, you do not have to open QuickBooks on the 
server in order to let remote users access the files stored on that 
computer from another computer. Only the other computer, the one 
being used by a QuickBooks data entry person, needs to be running 
QuickBooks 2006.
When you install QuickBooks 2006, the QuickBooks database manager 
is configured to run automatically, without the need to open 
QuickBooks. This function is technically called "Running as a 
Service", and it means that Windows runs the database manager 
automatically when you start the computer.


> Do I need to buy a license for the data file server copy of 
QuickBooks?

If you are not going to use the computer on which the data 
files reside for QuickBooks data entry, you do not need to buy 
a license for the software. When you use a data file server, 
data entry is performed by users working at remote computers 
that are running licensed copies of QuickBooks.


> How do I make sure that the data file server is properly set 
up to manage company files?

You must configure QuickBooks as the host of the data files 
that are on the data file server. After you install QuickBooks, 
open the software and enable the Multi-User hosting function by 
selecting File > Utilities > Host Multi-User Access. This 
configures QuickBooks 2006 as the host for all QuickBooks 2006 
data files on the computer for all users that access the files.
In addition, you must make sure that users have sufficient 
permissions to work with the data files, which is the same 
requirement that exists in previous versions of QuickBooks 
(as well as all software data files). Create a folder for your 
QuickBooks 2006 data files and share it, making sure that all 
users can save data. See the QuickBooks 2006 Network Installation 
Guide (available from www.quickbooks.com/support/networking) to 
learn how to set permissions.


> I have installed QuickBooks 2006 on my file server. Do I need to 
open every data file on my file server before remote users can 
access them? 

No. QuickBooks may prompt you to do this if you have attempted 
to open a data file on the file server from a remote computer that 
has not been accessed through the Database Manager.

This request is generally the result of not having the level of 
permissions that QuickBooks requires. On the computer that holds 
the data file(s), you should have a local user account for every 
user who accesses the file from another computer. That local user 
account must be configured for Power User permissions (or higher). 
As an alternative, you can also create a local Power User and have 
all users log in to the computer holding the files with that user 
name, instead of creating user names for all your network users on 
that computer. Details about executing these tasks are available in 
the Installation Guide and Technical White Paper available from 
www.quickbooks.com/support/networking.

If you prefer not to use Power User permission levels, you can 
open each data file on the file server. This automatically creates 
a small file linked to the company file, and the database uses that 
small file to enable remote users to work on the company file. You 
only need to open the file once.

However, this approach could be quite cumbersome for an accounting 
firm that accesses multiple data files, and we are continuing to 
look at how we can improve this process. As an immediate step, 
Intuit has a utility that creates the small file automatically for 
every file in the QuickBooks 2006 data file folder. This means you 
don't have to open QuickBooks and open each file. You can download 
the utility from: www.quickbooks.com/support/networking.


ADDITIONAL FAQS.  The following FAQS relate to questions that are 
not specific to the data-file only server model.

> How do I install QuickBooks on my network where multiple 
computers are running QuickBooks and each computer has its own set 
of data files?

If you have multiple computers on your network that house 
QuickBooks data files, merely install QuickBooks on each computer. 
(Note: Since no computer in this scenario is a data-only file 
server, you must have a paid QuickBooks license for each QuickBooks 
installation.) If users on other computers need to access any of 
the files on the computer, configure the QuickBooks software for 
multi-user access. After you install QuickBooks, open the software 
and enable the Multi-User hosting function by selecting File > 
Utilities > Host Multi-User Access. This configures QuickBooks 
2006 as the host for all QuickBooks 2006 data files on the 
computer, including users who access the files from remote 
computers.
It is possible (and common) for QuickBooks users to store data 
files on their own computers, but occasionally need to access data 
files that are on another computer. This works the same way it did 
for previous versions of QuickBooks, as long as the QuickBooks 2006 
software is configured for multi-user hosting.
Note that it is important in this case to always open files that 
are on a given machine’s local disks using the local disk’s drive 
letter (i.e. c:\ or d:\) and not through a mapped drive letter or a 
network file path.


> QuickBooks asks me if I want to open the company file in 
"Alternate" mode. What is this?

The “Alternate” mode is in contrast to the “Recommended” mode of 
installation. You see this message when you try to open a data file 
on another network computer, and that computer is not configured for 
hosting QuickBooks data files. No QuickBooks database manager is 
controlling this file. This could mean that QuickBooks 2006 is 
installed on that computer, but the hosting mode has not been 
configured, or it could mean that the file is on a computer that 
is not running QuickBooks.

THE OTHER NETWORK COMPUTER HAS QUICKBOOKS 2006 INSTALLED.

If the 
computer has QuickBooks 2006 installed, open QuickBooks on that 
computer and configure Hosting Mode by choosing File > Utilities > 
Host Multi-User Access. This enables the database service, and 
hereafter the file will open normally from a remote computer.

THE OTHER NETWORK COMPUTER DOES NOT HAVE 

QUICKBOOKS 2006 INSTALLED. 

If the computer does not have QuickBooks 2006 installed, you 
should install it. If nobody is using QuickBooks on that computer 
(that is, you are installing the QuickBooks software solely to 
manage the data files on that computer), you are not required to 
buy a license for the software.

ADDITIONAL NOTE ON OPERATING SYSTEMS. If you serve your company 
files from a Novell or Linux file server we STRONGLY recommend that 
you set up a Windows machine to service your company files for 
QuickBooks 2006. Otherwise no SQL database server, including the one 
in QuickBooks, can deliver appropriate levels of performance or 
reliability accessing the database across a network. For more 
information the Alternate Mode, see the technical White Paper at: 
www.quickbooks.com/support/networking.


*****ADDITIONAL RESOURCES*****

TECHNICAL SUPPORT: We have also established a network helpdesk for 
QuickBooks ProAdvisors which will be staffed with agents 
experienced in networking issues, in order to provide you with 
the best possible help. You can either access this helpdesk by 
calling the QuickBooks ProAdvisor support line at 888-333-3451 
Monday through Friday during the hours of 6:00am – 6:00pm Pacific 
Time. Or you can take advantage of our online call-back tool at: 
www.quickbooks.com/pap/callback.  (Be sure to check the box 
designating that you are a QuickBooks ProAdvisor.)

----------

(C) 2006 Intuit Inc. Intuit, the Intuit Logo, QuickBooks, and 
QuickBooks ProAdvisor are registered trademarks and/or registered 
service marks of Intuit Inc. in the United States and other 
countries. Other parties' trademarks or service marks are the 
property of their respective owners and should be treated as such.


This notice is provided as a convenience for our customers and is 
not intended to supplement, modify, or extend the Intuit software 
license agreement between Intuit and the customer for any Intuit 
product or service. Terms and conditions subject to change without 
notice.

Issues with connectivity?

Installing security update MS05-019 or Windows Server 2003 Service Pack 1 may cause network connectivity between clients and servers to fail
http://support.microsoft.com/default.aspx?scid=kb;en-us;898060

Lately some folks have been complaining about RWW 'dropping' out after someone sitting there and using it and there's two things you might want to check....first I've noticed sometimes with folks on Linksys routers getting that 'drop' issue...and secondly you might try that patch to see if that helps.

Download details: Update for Windows Server 2003 (KB898060):
http://www.microsoft.com/downloads/details.aspx?FamilyId=A0245532-0ACE-4B85-85BF-758E936173DF&displaylang=en

And yes that's a Windows 2003 sp1 patch (which means it's still valid for us under the hood) and I've applied that here at the office and at home with no problems.

P.S.  I'm lifting up Alun's comment into the main post as another thing you might want to look at..

The Trend login script

And while I'll run this first as an admin (after all SBS connectcomputer sets us up and admin) after I flip the users to regular user, it seems to keep on working just fine.

The L2TP connection attempt failed error because security policy for the connection was not found.

 Passing this along in case someone else hits this:

"We implemented a new IPSec VPN using ISA Server 2004.  Cool
idea - our PPT VPN just wan't cutting it.

I gladly installed the requisite certificates on my machine to gain
access to the new VPN.  Had to battle with the box for a while as my
Cisco VPN client was blocking my MS VPN client from functioning.  After
hours of battle, I got them installed in the proper order so I can use
both on my system.

To test the new VPN, I plugged into a DMZ port outside of our firewall,
received a public IP address, then launched the IPSec VPN.  Worked
great.

Went home, looking forward to the new connection.  No go.  Error msgs at
the starting gate.

(Error says --

Error 791:  The L2TP connection attempt failed error because security policy
for the connection was not found.


Stupid me, I followed the context of the error msg.  Found my certs.
All looked good.  Deleted certs and re-installed certs.  No luck.
Searched google.  Hundreds of copies of the error msg, but not one post
about a solution.

Went back to work.  Operates fine at work.  Back home, no go.

Sent the issue to our lan admin - he tries it on his system - works fine
from work and home.

We configured a router at work and had me plugin to a NAT'd connection
at work outside the firewall.  This did it - the connection failed.

More research, no answers.

Last night I pulled up the help files for my actiontec DSL modem.  At
the very bottom of that page was a reference to a Microsoft KB article
about VPN connections and NAT routers.  Read that KB and it pointed to
two other articles.  One article nailed it:

http://support.microsoft.com/kb/818043/)

"Microsoft has released an update package to enhance the current
functionality of Layer Two Tunneling Protocol (L2TP) and Internet
Protocol security (IPsec) on computers that run Microsoft Windows 2000,
Microsoft Windows XP without service packs installed, and Windows XP
with Service Pack 1 (SP1).This functionality is included in Windows XP
Service Pack 2 (SP2). Computers that run Windows XP with a service pack
do not have to install this update package.

This update includes improvements to IPsec to better support virtual
private network (VPN) clients that are behind network address
translation (NAT) devices. If you apply this update to a computer that
is running Windows XP, and if the IPsec service encounters a runtime
error and cannot start for any reason, the IPsec driver operates in
block mode because it cannot secure network traffic."

Sounds good, right?  I'm running XP SP1 (I don't want to limit my
outbound half-open tcp connections), so I figure maybe this is it, and
I'm eager to try the patch.  KB article includes information on
obtaining Win2K SP4 patch.  However, there is no patch for XP SP1.
Instead, it says to install XP SP2.  Right.  Not gonna go there.
Stymied again.

Turns out that KB 842933 (http://support.microsoft.com/?id=842933) is
applicable to XP SP1 and includes ipsec.sys.  Wouldn't ya know, it's the patch for "The following
entry in the [strings] section is too long and has been truncated" error
message when you try to modify or to view GPOs in Windows Server 2003,
Windows XP Professional, or Windows 2000"

Installed that this morning.  Rebooted.  Connected through NAT'd router
at work.  Launched VPN.  Bingo.  Connection succeeded.

I'm a happy camper.

Thanks MS for not mentioning in the 818043 article that this is solved
for XP SP1 in 842933."

Are patches tested?

Mike asks "was KB 913446 tested" and the answer is yes, Mike it was.  You see the problem is not with the patch...  the problem is in the deployment engine.

You see there are two things that have to be good and solid for a security patch to work exactly as expected.... the first is the patch itself... and in this case the patch was just fine..... and the engine to push the patches.  Obviously in this case that was the issue.

So Mike...sometimes the problem is not the patch...it's how the patch gets to you and the engine it uses to be installed.

Don't think that patches aren't tested.  As they are.  It's just that sometimes the engine needs a bit of carburetor cleaner is all.

BTW the issue with this bulletin has been cleared up.  It's now MU installing here just fine and Bobbie Harder confirms that the issue is fixed and will be ensured to not happen in the future.

Bulletins out today

www.incidents.org is reporting issues with deploying 06-007 with MU/AU.

Remember if you have issues, call 1-866-pcsafety if you have issues with security patches 

Microsoft has released the security bulletins and patches for February:

MS06-004: Cumulative Security Update for Internet Explorer (910620)
Critical
http://www.microsoft.com/technet/security/bulletin/MS06-004.mspx

MS06-005: Vulnerability in Windows Media Player Could Allow Remote Code
Execution (911565)
Critical
http://www.microsoft.com/technet/security/bulletin/MS06-005.mspx

MS06-006: Vulnerability in Windows Media Player Plug-in with
Non-Microsoft Internet Browsers Could Allow Remote Code Execution
(911564)
Important
http://www.microsoft.com/technet/security/bulletin/MS06-006.mspx

MS06-007: Vulnerability in TCP/IP Could Allow Denial of Service (913446)
Important
http://www.microsoft.com/technet/security/bulletin/MS06-007.mspx

MS06-008: Vulnerability in Web Client Service Could Allow Remote Code
Execution (911927)
Important
http://www.microsoft.com/technet/security/bulletin/MS06-008.mspx

MS06-009: Vulnerability in the Korean Input Method Editor Could Allow
Elevation of Privilege (901190)
Important
http://www.microsoft.com/technet/security/bulletin/MS06-009.mspx

MS06-010: Vulnerability in PowerPoint 2000 Could Allow Information
Disclosure (889167)
Important
http://www.microsoft.com/technet/security/bulletin/MS06-010.mspx

ISO image of 06-004 through 06-009 patches available here:
http://tinyurl.com/cjwm2

Symantec and Microsoft Antispyware

This alert is to notify you that Microsoft and Symantec are aware of an
issue currently affecting customers using both Microsoft Windows
AntiSpyware Beta 1 and versions of Symantec AntiVirus (SAV) Corporate
Edition and Symantec Client Security (SCS).  The issue involves a
Windows AntiSpyware Beta 1 signature (5805) released at 11:30pm on
Thursday, February 9th which incorrectly identified a registry key
affecting these Symantec products as belonging to a password stealing
malware known as PWS.Bancos.A.  
 
Customers running Symantec's consumer products, Norton Antivirus and
Norton Internet Security, are not impacted by this issue.  This issue
also does not affect customers using Symantec's software alongside
Microsoft Windows Defender Beta 2 either in Windows XP or preview
versions of Windows Vista.
 
Customers running Symantec Antivirus (SAV) Corporate Edition versions 7,
8, 9 or 10 or Symantec Client Security (SCS) versions 1, 2 or 3 in
combination with Windows AntiSpyware Beta 1 could be impacted by this
issue. The beta software will prompt and allow the user to remove a
registry key containing subkeys belonging to these Symantec products.
The deletion of these registry keys will cause all versions of the SAV
and SCS software to stop operating correctly.  No files are removed in
this situation, only registry keys.
 
Once this issue was discovered, Microsoft quickly released a new
signature set (5807) to remove this false positive. Both companies are
working jointly together to identify the number of affected customers,
which we believe to be very limited.

Microsoft and Symantec have worked jointly on an automated tool to
repair installations of Symantec's software that were affected by this
issue.  This tool is available at no charge from Symantec Product
Support Services.

If you have any questions regarding this alert please contact your
Technical Account Manager or Application Development Consultant.

Thank you,
Microsoft PSS Security Team

Wanna encrypt email?

A question today from the mailbag asked "what do you recommend for being able to encrypt email using Outlook 2003 of course?  Our small business is a nonprofit health care provider, and we need to be able to do this when patient information is involved as per HIPAA.  Anything that works particularly well for SBS?"

First off in this arena SBS isn't unique.... the same PKI deployment issues affect our SBS boxes and big server land boxes and this is why encrypted email hasn't yet caught on.  As you know with Alice and Bob (the she and he of Cryptography) for Alice and Bob to encrypt email they have to swap certificates first.

Out of the box SBS 2003/Outlook 2003 does not encrypt email...and you have to add digital certificates (purchase them from Verisign).  Now you "could" do an entire PKI infrastructure rollout and all that....but normally I've found for small businesses, a firm wide PKI infrastructure may not be worth it and just the Verisign digital certificates are enough.

Here's a past post about how the digital cert thing works.....

Patch time for Sam the SBS Server

Q.  Hi Sam...my goodness Sam...you act like you are really happy about something

A.  Oh my yes.. I a SOOO excited!

Q.  Why is that?

A.  The folks at Microsoft update are ensuring that all my fellow SBS server are going to get a very special patch!

Q.  A special patch?

A.  Yes, you see, that statement that I can do more with less, weeeellll.... I kinda got a little carried away with that logo.

Q.  You did?

A.  Yes, you see I had a slight glitch in my software and I could singlehandedly mail out a huge amount of email.  Which wasn't exactly the greatest thing to be written up about.

Q.  No kidding.

A.  But Nick posted that really soon this patch will be sent out to all my fellow SBS boxes as a high priority patch.

Q.  Oh that's really cool!

A.  Oh no kidding.  Yeah the gang listened and now we'll all be patched up.  Now then.... this stll means that if they do get this patch that they don't have my Service Pack 1 on them, so if you do get offered up KB835734 you might want to see what else needs to be installed.  Don't forget, next week is Patch Tuesday when security patches come out!  Happy patching!

On the list of things for Valentine's day....

Just a news flash for you guys... "I" may see it as romantic for a guy to patch my computer on Patch Tuesday to be the perfect Valentine's Day present...but the average gal will not.

Chocolate... flowers..... card.... something other than patch deployment to her computer on that day....

...trust me on this one.....

********************************************************************
Title: Microsoft Security Response Center Bulletin Notification 
Issued: February 09, 2006
********************************************************************

Summary
=======
As part of the monthly security bulletin release cycle, Microsoft 
provides advance notification to our customers on the number of new 
security updates being released, the products affected, the 
aggregate maximum severity and information about detection tools 
relevant to the update. This is intended to help our customers plan 
for the deployment of these security updates more effectively.

In addition, to help customers prioritize monthly security updates 
with any non-security updates released on Microsoft Update, Windows 
Update, Windows Server Update Services and Software Update Services 
on the same day as the monthly security bulletins, we also provide:

.	Information about the release of updated versions of the 
Microsoft Windows Malicious Software Removal Tool.

.	Information about the release of NON-SECURITY, High Priority 
updates on Microsoft Update (MU), Windows Update (WU), Windows 
Server Update Services (WSUS) and Software Update Services (SUS). 
Note that this information will pertain ONLY to updates on Microsoft 
Update, Windows Update, Windows Server Update Services and Software 
Update Services and only about High Priority, non-security updates 
being released on the same day as security updates. Information will 
NOT be provided about Non-security updates released on other days.

On 14 February 2006 Microsoft is planning to release:

Security Updates

.	One Microsoft Security Bulletin affecting Microsoft Windows 
Media Player. The highest Maximum Severity rating for this is 
Critical. These updates will not require a restart. These updates 
will be detectable using the Microsoft Baseline Security Analyzer 
and the Enterprise Scanning Tool.

.	Four Microsoft Security Bulletins affecting Microsoft Windows. 
The highest Maximum Severity rating for these is Critical. Some of 
these updates will require a restart. These updates will be 
detectable using the Microsoft Baseline Security Analyzer.

.	One Microsoft Security Bulletin affecting Microsoft Windows 
and Microsoft Office. The highest Maximum Severity rating for these 
is Important. These updates will require a restart. These updates 
will be detectable using the Microsoft Baseline Security Analyzer.

.	One Microsoft Security Bulletin affecting Microsoft Office. 
The highest Maximum Severity rating for this is Important. These 
updates may require a restart. These updates will be detectable 
using the Microsoft Baseline Security Analyzer.

Microsoft Windows Malicious Software Removal Tool

.	Microsoft will release an updated version of the Microsoft 
Windows Malicious Software Removal Tool on Windows Update, Microsoft 
Update, Windows Server Update Services and the Download Center. 
Note that this tool will NOT be distributed using Software Update 
Services (SUS).

Non-security High Priority updates on MU, WU, WSUS and SUS

.	Microsoft will not release any NON-SECURITY High-Priority 
Updates for Windows on Windows Update (WU) and Software Update 
Services (SUS).

.	Microsoft will release one NON-SECURITY High-Priority Updates 
on Microsoft Update (MU) and Windows Server Update Services (WSUS).

Although we do not anticipate any changes, the number of bulletins, 
products affected, restart information and severities are subject to 
change until released. 

Microsoft will host a webcast next week to address customer 
questions on these bulletins. For more information on this webcast 
please see below:
.	TechNet Webcast: Information about Microsoft's February 2006 
Security Bulletins (Level 100)   
.	Wednesday, 15 February 2006 11:00 AM (GMT-08:00) Pacific Time 
(US & Canada) 
http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1
032288940&EventCategory=4&culture=en-US&CountryCode=US

At this time no additional information on these bulletins such as 
details regarding severity or details regarding the vulnerability 
will be made available until 14 February 2006.
********************************************************************

Support: 
========
Technical support is available from Microsoft Product Support 
Services at 1-866-PC SAFETY (1-866-727-2338). There is no 
charge for support calls associated with security updates. 
International customers can get support from their local Microsoft 
subsidiaries. Phone numbers for international support can be found
at: http://support.microsoft.com/common/international.aspx
 
Additional Resources:
=====================
* Microsoft has created a free monthly e-mail newsletter containing
  valuable information to help you protect your network. This
  newsletter provides practical security tips, topical security
  guidance, useful resources and links, pointers to helpful
  community resources, and a forum for you to provide feedback
  and ask security-related questions.
  You can sign up for the newsletter at:

  http://www.microsoft.com/technet/security/secnews/default.mspx

* Protect your PC: Microsoft has provided information on how you 
  can help protect your PC at the following locations: 

  http://www.microsoft.com/security/protect/

  If you receive an e-mail that claims to be distributing a 
  Microsoft security update, it is a hoax that may be distributing a 
  virus. Microsoft does not distribute security updates via e-mail. 
  You can learn more about Microsoft's software distribution 
  policies here: 

http://www.microsoft.com/technet/security/topics/policy/swdist.mspx

WMF revisited?

A new advisory today indicates there's another WMF expoit out there and it's not related to the issue fixed in the first patch of the year.

The good news is that it only affects really old browsers (IE 5.01 sp4 on Windows 2000 sp4 and IE 5.5 SP2 on Windows ME.

Microsoft Security Advisory (913333): Vulnerability in Internet Explorer Could Allow Remote Code Execution:
http://www.microsoft.com/technet/security/advisory/913333.mspx


*Note *This is not the same issue as the one addressed by Microsoft Security Bulletin MS06-001 (912919).

Do your applications you install make you more insecure?

 -------- Original Message --------
Subject:     Windows Access Control Demystified
Date:     31 Jan 2006 23:08:18 -0000
From:     sudhakar+bugtraq@cs.princeton.edu
To:     bugtraq@securityfocus.com


Hello everybody,

We have constructed a logical model of Windows XP access control, in a declarative but executable (Datalog) format.  We have built a scanner that reads access-control configuration information from the Windows registry, file system, and service control manager database, and feeds raw configuration data to the model.  Therefore we can reason about such things as the existence of privilege-escalation attacks, and indeed we have found several user-to-administrator  vulnerabilities caused by misconfigurations of the access-control lists of commercial software from several major vendors.  We propose tools such as  ours as a vehicle for software developers and system administrators to model and debug the complex interactions of access control on  installations under Windows.

The full version of the paper can be found at:

http://www.cs.princeton.edu/~sudhakar/papers/winval.pdf

All the vendors and CERT are aware of this paper. The bugs are *not* remotely exploitable. The CERT id is VU#953860.

regards,
Sudhakar Govindavajhala and Andrew Appel.

Bio:

Sudhakar Govindavajhala is a finishing PhD student at Computer Science department, Princeton  university. His interests are computer security, operating systems and networks. Sudhakar is looking for employment  opportunities.
Andrew Appel is a Professor of Computer Science at Princeton University.  He is currently on sabbatcal at INRIA Rocquencourt. His interests are computer security, compilers, programming  languages, type theory, and  functional programming.

------------------------------------

 This Alert is to advise you that Microsoft Security Advisory (914457),
Possible Vulnerability in Windows Services ACL's, has been released on 7
February 2006.

Microsoft is aware of published information and proof-of-concept code
that that attempts to exploit overly permissive access controls on
third- party (i.e., non-Microsoft) application services. This code also
attempts to exploit default services of Windows XP Service Pack 1 and
Windows Server 2003. If these attempts were successful, a user who has
low user privileges could gain privilege escalation.

Microsoft has investigated these reports and the findings are summarized
in the chart below. Microsoft has confirmed that customers who run
Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1 are not
vulnerable to these issues because security-related changes were made to
these service packs as part of our ongoing security improvement process.
Users who run Windows XP Service Pack 1 and Windows Server 2003 Gold may
be at risk, but the risk to Windows Server 2003 users is reduced.

Users are encouraged to contact their third-party software vendors whose
products require services installation to determine if any non-default
Windows services are affected.

Microsoft is not aware of any attacks attempting to use the reported
vulnerabilities or of customer impact at this time. Microsoft will
continue to investigate the public reports to help provide additional
guidance for customers as necessary.

Mitigating Factors:

*    The latest Microsoft operating systems, including Windows XP
Service Pack2 and Windows Server 2003 Service Pack 1 are not vulnerable
to these issues.
*    A malicious user who launches an attack based on the finder's
report would require at least authenticated user access to the affected
operating systems
*    Two of the four services identified in the paper (NetBT and
SCardSvr) require an attacker to already be running in a privileged
security context. Additionally, the two services that do allow an
authenticated user to attack are vulnerable only on Windows XP Service
Pack 1.
*    Firewall best practices and standard default firewall
configurations can help protect from attacks that originate outside the
enterprise perimeter. Best practices also recommend that personal
firewalls be used within a network and that systems connected to the
Internet have a minimal number of ports exposed.

More information can be found:
http://www.microsoft.com/technet/security/advisory/914457.mspx
Microsoft Security Advisories are located at this location:
http://www.microsoft.com/technet/security/advisory/default.mspx

If you have any questions regarding this alert please contact your
Technical Account Manager or Application Development Consultant.

Thank you,
Microsoft PSS Security Team

------------------------

Okay would it be mean of me to ask them to run their tool on Intuit's Quickbooks?....okay okay.. yeah.. I know....bad Susan...bad Susan....

ISA 2004 tracking file (like your C: drive wasn't full enough already?)

In the newsgroups today... Gary reports the following:

-----------------------

Well, here's a reason not to install ISA2K4/SP2: It will create a new 400mb 
file, Windir\Debug\ISALOG.BIN, and a second, new 400mb file, ISALOG.BAK, on 
the C: drive. According to my admittedly superficial reading of the technote 
(google ISALOG.BIN), this file's purpose is for troubleshooting by MSSupport 
in the event of problems with ISA 2004.
 
You can get rid of this by going to HKLM/Software/Microsoft/ISATracing and 
setting the BootTracing parameter to 0. Then reboot and delete both 
ISALOG.BIN and ISALOG.BAK.
 
The technote further says that you can prevent the creation of these files 
by adding the reg key and value before installing SP2.
 
Below is the relevant info from the technote:
 
Nearly one gig of space taken up on crowded C: drives JUST IN CASE 
MSSupport wants to look at the log file. Someone at MSSupport has lost his 
mind.
 
GaryK
 
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/sp2.mspx
(search page for isalog.bin)
Tracing
Service Pack 2 includes an error-level tracing mechanism that operates 
continually in the background. If necessary, the tracing information is 
available for Microsoft Product Support Services. The tracing mechanism does 
not collect personally identifiable information.
 
Tracing takes place in the background, and has a negligible affect on ISA 
Server performance. A 400 megabyte (MB) file (%windir%\debug\isalog.bin) is 
created by Service Pack 2 on each computer running ISA Server services, to 
contain the tracing information.
 
We recommend that you use the default settings for this feature. 
However, if you want to modify the tracing mechanism, you can do 
so through the registry key 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ISATrace. 
To change the size of the file used by tracing, change the value of 
CircularlLogSizeMB. To disable tracing, change the BootTracing value to 0. 
This does not delete the file, which has to be deleted manually. 
After registry changes, restart the computer so that the changes 
take effect. If you create the registry key before installing 
Service Pack 2, and set the BootTracing value to 0, the 
tracing file will not be added during the installation, and tracing 
will not be enabled.
----------------------------

And of course ...what does that do to an already full C:... 

yeah you guess it.  Fill it up even more...

There appears to be a way to move it to another drive letter before you install.. 

checking and will post and update to the blog

Patches protect you from viruses?

"Notice: To protect your system from viruses, Dell recommends that you download any recommended patches and hotfixes by visiting the Microsoft Support website at support.microsoft.com or by selecting Tools -- Windows Update in your Internet Explorer browser"

I have some issues with that statement... for one... viruses can be unleashed on fully patched systems and do damage, so the statement that patching alone protects you isn't good enough.  Secondly that statement is from page 7 of the "Setup and Installation Guide" of a Dell OEM SBS server.

• Where's the discussion of configuration of automatic patching and flipping to Microsoft Update (should you want to do that)?
• Where's the discussion of obtaining a desktop/server/email antivirus to protect all the methods of potential infection?
• Where's a discussion that patches come out once a month and therefore expect a possible reboot of the machine if you set up automatic patching?
• Where's a link or discussion of what Service packs are appropriate for a SBS box.
• Where's a discussion how you shouldn't even be using the Internet Explorer browser on your server

Yeah yeah... probably way over the head and in the next part of the server install set up from Dell..but I just though it funny that they define "viruses" as being preventable by patching.

Remember the 123 protect my PC:

• Firewall
• Antivirus
• Patching

Maybe they shouldn't be running a computer?

http://www.cnn.com/2006/TECH/internet/01/31/kamasutraworm/index.html

Apparently the world will come to an end tomorrow...that is if you clicked, and installed, and not have up to date antivirus...

Sometimes folks just have to learn a lesson and you can't protect folks from their own stupidity.  This is one of those cases where... if they click...if they don't have up to date antivirus....maybe they shouldn't be running a computer.

Now... should computer users be better educated?  Oh yeah....

There are times the paranoia meets the blonde....

So I'm looking at my new and improved 443/4125 firewall dashboard going ..okay who the heck from this ip address is hitting me on port 443...as it's not my IP from home so who is that hitting my server and why are they banging on my port 443.  Exactly who the heck do they think they are anyway? 

So I go and pull an whois on it.....

Oh.

DUH.. all my cell phones syncing with my server you idiot........

OrgName:    Cingular Wireless National Networks
OrgID:      CWNN
Address:    Cingular Wireless, LLC
Address:    12555 Cingular Way, Suite 4546
City:       Alpharetta
StateProv:  GA
PostalCode: 30004
Country:    US

Firewall Dashboard...asking for good feedback

 So you tried it out yet? Remind me of someone I know who urges me not to just give feedback like...'this sucks' or 'that's broken'... he wants me to say why something is broken and if I were in charge of the universe...what would I do to fix the item I'm complaining about.

So do you give good feedback?  Now's your chance.

When the community talks, we listen!

With the latest release of the Firewall Dashboard behind us, Scorpion Software is now taking some time to plan the commercial launch of the product later next month. When I was talking to some of my colleagues about the best way to ensure we seriously take into consideration what the SBS marketplace is wanting, I felt the best way was to ask you directly. And some of you already know that. I have been trying to make a few personal phone calls in an effort to discuss this with you. Realizing I just can't get to all of you, I thought maybe it was time to do a survey and try to collect as much community insight as I could.

This email is a call to action. I am personally asking that each and every one of you who have been on the beta of the Firewall Dashboard to take a few moments to answer 7 questions to the best of your knowledge and experience. It will help Scorpion Software to formulate the best way to go to market with our product, and allow us to continue to build the best executive firewall dashboard for Small Business Server. We want to service you, and ask that you please take a few moments to let us know how we can best do that. Good or bad, we want to hear from you.

How can you do that? By simply filling in the 7 questions on the online survey that we have prepared. Answering the questions honestly and thoroughly will go a long way to help us understand how you feel about the Firewall Dashboard, and how we can service you and the SBS community going forward.

The survey will be online for the next week, but we would love to hear from you sooner than that. Please take a few moments and take action by filling out the online survey. Your responses will go a long way to help the Firewall Dashboard to reach the SBS community.

Thank you very much for taking the time to help us out. I look forward to having Scorpion Software meet your organization's needs in the near future.

Sincerely,
Dana Epp
President, CEO
Scorpion Software Corp.

ISA 2004 sp2 (do not do this remotely and read the release notes)

ISA server 2004 sp2 just released on the download site and since we are READING the release notes before installing...they say...

If ISA Server services are installed, ISA Server will enter lockdown mode during installation. Following installation, the ISA Server computers or array members will have to be restarted

That means... you either have that SBSPodcast recommended setting where your IP address is a trusted network.... or better yet, you don't do this SP remotely at all and you do any firewall service packs on site.

Can we wait until it ships before wacking off the security please?

http://www.msreadiness.com/WS_abstract.asp?eid=15003662

Come and join us for the “Windows Client Licensing and Windows Vista” introduction to the Windows Vista Enterprise License and upcoming improvements to Software Assurance Benefits (SAB) 3.0. This is our second Windows Client Licensing and Windows Vista web seminar that will provide greater licensing details than what was covered previously back in September. This session will focus on training our volume licensing reseller partners on: Windows Vista value propositions, Windows Vista Enterprise License, SAB 3.0 and Windows Vista Skus. We will provide you with the strategic guidance and compelling value propositions to convince your customers to renew their existing Windows Client Enterprise Agreement (i.e., maintain within Platform EA) and Software Assurance licenses, and consider the purchase of a new Windows Client that includes Software Assurance. You will also learn about all the licensing changes to SAB 3.0 and the impact for your customers.

Uh... it's still in beta last I checked and we're having webcasts already on licensing?  I guess maybe we need this lead time to figure out the licensing or something.  Today Dana showed me a link to a guy who's top "tip" for Vista is turning off User Access Control.

Nice.

We say we want security ...and the first thing we wack off is that security feature.  Nice going...

A beta release of IE 7 means....

Beta -- http://en.wikipedia.org/wiki/Development_stage#Beta When a beta becomes available to the general public it is often widely used by the technologically savvy and those familiar with previous versions as though it were the finished product

Translation? You as the IT pro can start playing with it.....do you install it in clients? Uh...no.

Spyware Sucks : Installation tips for IE7 Beta 2 Preview:
http://msmvps.com/blogs/spywaresucks/archive/2006/02/01/82205.aspx
Spyware Sucks : Heads up for SBS Sites using self-signed certificates:
http://msmvps.com/blogs/spywaresucks/archive/2006/01/31/82198.aspx
Spyware Sucks : IE7 Beta 2 has gone live:
http://msmvps.com/blogs/spywaresucks/archive/2006/01/31/82195.aspx

In case RWW doesn't want to play nice..make IE7 act like IE 6:

Problems with web sites - Internet Explorer 7:
http://www.ie-vista.com/sites.html

MyWife Malware

 This alert is to notify you of the release of Microsoft Security
Advisory (904420).

Microsoft wants to make customers aware of the Mywife mass mailing
malware variant named Win32/Mywife.E@mm. The mass mailing malware tries
to entice users through social engineering efforts into opening an
attached file in an e-mail message. If the recipient opens the file, the
malware sends itself to all the contacts that are contained in the
system's address book. The malware may also spread over writeable
network shares on systems that have blank administrator passwords.
Customers who are using the most recent and updated antivirus software
could be at a reduced risk of infection from the Win32/Mywife.E@mm
malware. Customers should verify this with their antivirus vendor.
Antivirus vendors have assigned different names to this malware but the
Common Malware Enumeration (CME) group has assigned it ID CME-24.

On systems that are infected by Win32/Mywife@E.mm, the malware is
intended to permanently corrupt a number of common document format files
on the third day of every month. February 3, 2006 is the first time this
malware is expected to permanently corrupt the content of specific
document format files.  The malware also modifies or deletes files and
registry keys associated with certain computer security-related
applications. This prevents these applications from running when Windows
starts. For more information, see the Microsoft Virus Encyclopedia
(http://www.microsoft.com/security/encyclopedia/details.aspx?Name=Win32/Mywife.E@mm).

As with all currently known variants of the Mywife malware, this variant
does not make use of a security vulnerability, but is dependant on the
user opening an infected file attachment. The malware also attempts to
scan the network looking for systems it can connect to and infect   It
does this in the context of the user. If it fails to connect to one of
these systems, it tries again by logging on with "Administrator" as the
user name together with a blank password.
Customers who believe that they are infected with the Mywife malware, or
who are not sure whether they are infected, should contact their
antivirus vendor.  Alternatively, Windows Live Safety Center Beta Web
site (http://safety.live.com) provides the ability to choose "Protection
Scan" to ensure that systems are free of infection. Additionally, the
Windows OneCare Live Beta (http://www.windowsonecare.com), which is
available for English language systems, provides detection for and
protection against the Mywife malware and its known variants.

For more information about the Mywife malware, to help determine whether
you have been infected by the malware, and for instructions on how to
repair your system if you have been infected, see the Microsoft Virus
Encyclopedia
(http://www.microsoft.com/security/encyclopedia/details.aspx?Name=Win32/Mywife.E@mm).

For Microsoft Virus Encyclopedia references, see the
"Overview" section. We continue to encourage customers to use caution
with unknown file attachments and to follow our Protect Your PC guidance
of enabling a firewall, getting software updates, and installing
antivirus software. Customers can learn more about these steps by
visiting the Protect Your PC Web site
(http://www.microsoft.com/athome/security/protect/windowsxpsp2/Default.mspx).   
Suggested Actions:

*    Use up-to-date antivirus software
Most antivirus software can detect and prevent infection by known
malicious software. You should always run antivirus software on your
computer that is updated with the latest signature files to
automatically help protect you from infection. If you don't have
antivirus software installed, you can get it from one of several
companies. For more information, see
http://www.microsoft.com/athome/security/downloads/default.mspx

*    Use caution with unknown attachments
Use caution before opening unknown e-mail or IM attachments, even if you
know the sender. If you cannot confirm with the sender that a message is
valid and that an attachment is safe, delete the message immediately,
and run up-to-date antivirus software to check your computer for
viruses.

*    Use strong passwords
Strong passwords on all privileged user accounts, including the
Administrator account, will help block this malware's attempt to spread
through network shares. 
*    Remove unneeded network shares
Malware can often spread over network shares. Remove unneeded network
shares that are mapped to your computer. To remove network shares in Windows XP
o    On the Start menu, click My Computer.
o    On the Tools menu, click Disconnect Network Drives...
o    In the Disconnect Network Drives dialog box, click the drives to
disconnect and click OK.

*    Protect Your PC
We continue to encourage customers follow our Protect Your PC guidance
of enabling a firewall, getting software updates and installing
ant-virus software. Customers can learn more about these steps by
visiting Protect Your PC Web site (http://www.microsoft.com/protect).
For more information about staying safe on the Internet, customers can
visit the Microsoft Security Home Page
(http://www.microsoft.com/security).

More information can be found:
http://www.microsoft.com/technet/security/advisory/904420.mspx
Microsoft Security Advisories are located at this location:
http://www.microsoft.com/technet/security/advisory/default.mspx

If you have any questions regarding this alert please contact your
Technical Account Manager or Application Development Consultant.

Thank you,
Microsoft PSS Security Team

A blog should not have email

The RSA Security Conference is coming up and if you remember last year's conference Bill Gates made two announcments.... one was that IE 7 was going to be released for Windows XP and the second was that Antispyware was to be free to individuals.  It will be interesting to see what keynotes there are this year.  Last year the major ones were webcast.  So I'm out on the site and they have a new "Security Exchange" that includes Blogs....well..let's just say it has "one" blog.  And here's the kicker that made me laugh.  When you go to the page where the blog content is, there isn't ...that I can see anyway... a RSS subscribe icon.  Instead there's a place to click to..... "Subscribe to receive emailed updates of new blog entries from Ira Winkler"

Uh... gang... there's this thing called RSS? You know it's where you have a RSS reader like Newsgator or RSS bandit and all your RSS feeds come to you...and they aren't jumbled in all with all that junk mail I already get?

It's bad enough that the Orange XML tag is "RSS" on some pages and "XML" on another...but can we have another standard?  A blog standard?  That it comes with a XML feed that can be sucked in?

Not emailed, thank you very much.

https://www.rsaconference.com/exchange/blog_view.aspx?id=3

Trend and the dog file

Trend and Compression issues

So in this corner is Trend...recommending that you uncheck "use compression" on the IIS web sites because otherwise the install will not go well.....

...but in this corner is Microsoft with their WSUS install info that "does" check "use compression"

1. Some clients have been impacted by a known issue in with Windows Server 2003 http.sys and IIS. In some cases, this transient issue will appear to prevent clients from checking in, because they receive invalid responses from the server after some attempts. It was previously believed to be an issue with IIS compression and there was a workaround suggested to disable compression, and then rename the %windir%\system32\inetsrv\suscomp.dll file and restart the IIS, and the Update Services service. Further Investigation shows the problem source to be a known condition with IIS and http.sys, which is not related to compression, and for which there is an available hotfix. It is not recommended to disable compression as this will not impact the problem source, and possibly increase network traffic & server load, while reducing the number of clients you can effectively serve. Further information about the issue and obtaining the hotfix can be found: http://support.microsoft.com/?id=898708 . This hotfix does require Service Pack 1 be installed to the Windows Server 2003

Yeah, one could argue that as SBSboxes we don't have THAT many clients to worry about...but it's still interesting to see the Vendors recommend two different things...

Trend.... v2 or v3?

Les Connor has always been our "Les is More" guy... and when he posts...this is not done lightly...

Folks, I've been using Trends's products on SBS since 4.5 - it's been a pretty good trip.

CSM v2 was(is) the icing - very very reliable antivirus and anti-spam capabilities - as close to zero maintenance as you can get or would want. There were a couple of things that could have been better integrated - but on the whole a really solid solution for SMB.

I don't take this recommendation lightly - I've worked hard to try and make V3 work - but I just can't afford to use it any longer.

CSM v3 hasn't proven to be an improvement. The integrated console is nice - but the product (mostly the console) is unreliable, and the anti-spam feature is a step backwards in performance and features.

I'd recommend staying with V2, and would still recommend V2 for new installs - and will be installing V2 on new SBS networks - as IMHO it's still the best thing going.

I *do* have *some* faith that progress is being/will be made, and there will be an updated version of CSM for SMB that will be as good (probably better) than V2. I'll be among the first to acknowledge it when it arrives.

--

Les Connor [SBS Community Member - SBS MVP]

-----------------------------------------------------------

SBS Rocks !

In case you don't want to install V3, V2 still is available and the keys still work... 

http://www.trendmicro.com/download/product.asp?productid=39

Terry posts in.....

If you're having trouble connecting your workstation to your SBS server, and you've recently installed Trend Micro CSM 3.0, and you may also have recently upgraded to SBS SP1  ------ check to see if you have the following within the affected workstatation's event viewer/application log :

event ID 1006 - windows cannot bind to local domain, group policy processing aborted

event ID 1030 - windows cannot query for the list of group policy objects ....

If so, it's likely have the "Trend Micro Client/Server Security Agent Personal Firewall" service started on your SBS server.  Even though the default for Trend's Firewall utility is to have it disabled within the application, the service itself has been installed, started and set for automatic start up.  Stop this specific service on your server, change it's startup status to disabled, and the workstation error messages should disappear.

Additional ---- from what I've read elsewhere, this condition sometimes manifests itself on only a few workstations in your SBS environment....sometimes it's only one workstation that seems to be affected (haven't figured that one yet).  However, if you do have this configuration (using Trend Micro CSM 3.0), you might want to check the event viewer/application logs on your workstations for error codes 1006 & 1030.  A couple of the more notable symptoms is the increased time it takes a workstation to boot up (the "applying personal settings" splash screen runs longer than normal), and connecting to Exchange server via Outlook client is problematic.

Trend's KB link is here....

Dear Mr. Cook and Mr. Bennett:

January 27, 2006

Scott Cook Chairman, Executive Committee

Steve Bennett, President and CEO

Intuit, makers of Quickbooks

Dear Sirs:

Just thought I’d type up this official blog post to let you and other firms like yours know that there’s some resources you’d probably need to pay attention to in the coming months.  You see there’s a new Operating system in beta testing right now, …it’s called Vista.  And in this new operating system it handles user rights a little differently than has been in the past.  Certainly a lot differently than Windows 98 anyway and even a bit different than Windows 2000 and XP logo program specifications that used to be the benchmarks in the past for a good way to code software.   

Vista will be going beyond those guidelines to something new… something called UAC. User Account Control.  There are already some resources that you might want to download and let the folks that work on developing your software know about. 

The first is a MSDN article called “Developer Best Practices and Guidelines for Applications in a Least Privileged Environment“ and it can be found at this link.  The second resource that you should have your folks subscribe to in their RSS reader is the UAC blog.  The User Account Control Blog is the team that used to be called LUA and then called UAP and now they are called UAC.  Yes, I know it’s sometimes hard to follow what the name of some of these Microsoft programs are as they keep changing (let’s not even bring up the WUS to WSUS naming shall we?) …but as long as you just remember that LUA/UAP/UAC is just another name for not requiring administrator rights to merely run a software program, and just subscribe to that blog, that should keep your developers well informed of what lies ahead.

In case your folks are not involved in a MSDN beta test of Vista, feel free to holler as I have a one or two Vista beta invites available that I can send to your employees. 

Speaking of Vista, fellow Security MVP Dana Epp blogged about some of the changes that Vista is making in an earlier blog post of his and it reminds me that while I’m on the beta, I keep forgetting to load up Quickbooks 2006 and see how it does on the current test build of Vista.

In the meantime, thanks again for Brad Smith’s statement that this will be fixed in the 2007 version and I’ll get cracking on updating the webpage on www.threatcode.com to document the 2006 instructions on getting Quickbooks to run without admin rights that “Tbone” posted to the Quickbooks community forum.

Thanks again for keeping us informed about the issues with the 2006 version and how we should install the R3 version directly.

Susan Bradley

Okay so how is this a "worm"?

When reports of this "worm" (and the word should be used loosely) came out it was impacting over 700,000 computers because there was a counter on the site... well now it comes out that there was a script running to up the count...so it's not 700,000...but more like 300,000.

Incidents.org has some write up on it...and in a listserve someone made a valid point.... this takes a "click" to infect....so...why is it being called a worm?

In the “Weekly Assessment” sent out last Friday, we provided our members with information regarding the W32.Blackmal.E@mm (Symantec) worm. This worm is expected to delete certain files from infected systems on the third of each month - starting on February 3rd. As there has been some confusion surrounding the various naming conventions for this worm, we would like to note that the Common Malware Enumeration (CME) group has assigned it the following ID: CME-2412. Some of the naming conventions associated with CME-24 are Win32/Blackmal.F (Computer Associates), Nyxem.E (F-Secure), Email-Worm.Win32.Nyxem.e (Kaspersky), W32/MyWife.d@MM (McAfee), and WORM_GREW.A (TrendMicro). The majority of the antivirus vendors are rating this worm a “Low”. We continue to recommend that our members review the publications supporting their AV solution, ensuring that the current protection updates against this threat are applied.

More info on the malware blog...

How do you get the Industry journalists to care?

Earlier today I was called by a journalist for my industry to ask some follow up questions about some statements I had made to an author... and it showcased to me just how far we need to go to get people to care about Computer Security.

---------------------------

Thanks for the follow up call regarding the article that was written for _my industry journal_.  I am concerned a bit that you stated that your reviewer of the article did not understand that running with administrator rights on our systems is a key factor of why we get malware and spyware on our machines.  By all means forward this email and my email address to him or her and I'd love to discuss this in greater detail.

In my own office I had a Secretary that was getting malware and spyware on her system and the antivirus and spyware tools would not stop them.  Remember that such software is always 'reactionary' and not proactive in defense.  Since I took the time to adjust her system to run without administrative rights, she can no longer surf to sites and download icons and emoticons that I have not authorized, she can no longer merely 'surf' to web sites that may infect her system.

Two actions can get malware on a system typically in my office.

1.  Clicking and downloading from web sites that are designed to 'trick' the user into installing spyware.
2.  Surfing to a site that injects the spyware into the system because it piggy backs on unpatched web browsers, Sun Java or other 'infection' means.

Now given that I keep my web browsers fully patched, the second risk is lessened, but unless we stop the end users from downloading and installing software that they are truly not authorized to install, we will always be one step behind the bad guys.

Moving to another web browser is not the answer in the fight against malware and spyware.

Let me point you to a couple of articles on this topic:

http://www.thechannelinsider.com/print_article2/0,1217,a=166172,00.asp

http://blogs.technet.com/jesper_johansson/archive/2005/11/30/415328.aspx

"Barring users from gaining administrative access—and thus restricting their ability to install such unwanted or malicious software—will automatically tighten security and will garner other benefits as well."

Spyware and Malware was voted number 10 of the Top Tech issues by the CITP and ISACA members in an AICPA poll recently.  Spyware and Malware is big business that includes Russian mobs and other criminal elements.  By not doing all we can to protect our weak links in our firms…the desktops… we are playing right into their hands.  Firewalls do not stop this activity.  Antivirus and Antispyware are always one step behind.  As long as we do not control our desktops and instead rely on the ability for our end users not be be 'tricked' and 'scammed' we cannot adequately protect our systems.  The average user doesn't want or need to be a geek, but we in business need to protect their systems accordingly.

http://www.crt.net.au/etopics/migmaf.htm

Vendors like Quickbooks that consistently require "Administrator" rights also impact our security decisions.  I built a web site to highlight these vendors www.threatcode.com They don't have to care about coding securely because we… the buying marketplace does not care.  We do not care because we do not know why running with administrator rights is dangerous.  It's a vicious cycle.  Because the marketplace doesn't care, the vendor won't change.

To give credit to Intuit, the maker of Quickbooks, they have stated that they will change the way the 2007 version of the software is built to be more secure.  But this was only after the SANS.org organization made them their first "Hall of Shame" vendor for coding in this manner:

http://www.sans.org/newsletters/newsbites/newsbites.php?vol=7&issue=59

Application Vendor Demands Unnecessary Administrative Privileges Violates Policy of Least Privilege

This new section allows the user community to share intelligence on applications that require users to lower their barriers to cyber attacks. Now that the US Air Force has established a minimum standard of due care, soon to be adopted by other government agencies, there is a standard against which to measure the application designers' security decisions.

The first inductee into the Application Security Hall of Shame is QuickBooks.

The latest release of Intuit's QuickBooks, widely used by accountants and businesses, negates the security attributes of the underlying operating system (e.g., Windows) on a computer using this Intuit product. Installation and operation of QuickBooks requires granting operating system "Administrative privileges" to the user, giving users complete control over the security features of the computer on which it is installed. In an enterprise setting, this hinders the organization's ability to ensure security policies are implemented appropriately for password control, user privileges, and other security disciplines for a computer with QuickBooks installed. This is an unfortunately perfect example of an application software product demolishing the security capabilities of the underlying operating system. Computers with unprotected operating systems are easy pickings for would-be intruders looking for personal identity and financial information in QuickBooks files.

In response to Newsbites' recognition, Brad Smith, senior vice president of QuickBooks, confirmed on December 2, 2005 that this problem will be fixed in the next major release (QuickBooks 2007), scheduled for delivery within 12 months.

--------------

Bottom line... as long as we don't know...don't understand.... we won't care.  We won't ask for vendors to make the software help us be more secure.  We and vendors both have to understand that that least privilege is an absolute minimun in this day and age of security issues.

Blame the fruitcakes in Calfornia on this one....

A followup post about the issue of Access and Excel

You cannot change, add, or delete data in tables that are linked to an Excel workbook in Office Access 2003 or in Access 2002:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;904953
 

Background and Summary

A recent decision from a court case has determined that certain portions of code found in Microsoft Office Professional Edition 2003, Microsoft Office Access 2003, Microsoft Office XP Professional and Microsoft Office Access 2002 infringe a third-party patent.  As a result, Microsoft must make available a revised version of these products with the allegedly infringing code replaced. 

To comply with the court order Microsoft is now requiring all future deployments of Microsoft Office Professional 2003 and Microsoft Access 2003 to include service pack 2. Microsoft is also requiring all new deployments of Microsoft Office XP Professional and Access 2002 to include a special patch.

Customers who have previously installed affected products are being requested to voluntarily install the patch although installation is not required. In order to ensure customers are aware of these new requirements, Microsoft has been mailing notification letters throughout the month of January.

We have received requests from customers to provide more information about the situation leading to this requirement. The attached frequently asked questions document goes into more detail on the circumstances related to this requirement, information on deployment and additional context to the legal situation.

Frequently Asked Questions

General Questions

Q: Who needs to install Microsoft Office 2003 SP2?

A: Any customer installing Microsoft Office Professional 2003 or Microsoft Office Access 2003 from the date of their notification must install Office 2003 SP2. All customers will have been notified, worldwide, by February 2006.  

Q: Who needs to install the patch for Microsoft Office XP Professional and Microsoft Access 2002?

A: Any customer installing Microsoft Office XP Professional or Microsoft Office Access 2002 from the date of their notification must install the special patch. All customers will have been notified, worldwide, by February 2006.  

Q: What if I am in the middle of an existing deployment of Microsoft Office Professional 2003? Am I affected by this requirement?

A: Yes. Customers currently deploying Microsoft Office Professional 2003 or Microsoft Office Access 2003 are required to apply service pack 2 to all computers from the date of their notification. All customers will have been notified, worldwide, by February 2006.  

Q: If I have a computer with Microsoft Office Professional 2003 already installed on it do I need to update that computer with Office 2003 SP2?

A: A customer is not required to install Office 2003 SP2 on any machine already deployed. However, Microsoft strongly recommends they do install SP2 as the service pack includes many product updates the customer will likely value.

Software Deployment and Technical Questions

Q: Can you explain to me exactly what product behavior needed to be changed to address the intellectual property concerns in question?

A: You can find more technical information on the patch at http://support.microsoft.com/default.aspx/kb/904953/

Q: The letter I received directed me to the Microsoft site http://office.microsoft.com/en-us/officeupdate/default.aspx, but this is a very general Office Update site. Is there a more direct link I can go to for downloading the appropriate patch for my software?

A: This is the Office Update site.  Clicking on “Check for Updates” link from this page will activate the process necessary to download the patch for Office XP or Office 2003 SP2.

To directly obtain the patch for Office 2003 please visit:

http://www.microsoft.com/downloads/details.aspx?FamilyId=57E27A97-2DB6-4654-9DB6-EC7D5B4DD867&displaylang=en

To directly obtain the patch for Office XP Professional and Access 2002 please visit: http://www.microsoft.com/downloads/details.aspx?FamilyId=7497D7F0-BEF5-4054-B854-B1240B5135F5&displaylang=en

Q: How can I find out if I have Office 2003 SP2 already installed on my PC?

A: You can find out if Office 2003 SP2 has been installed on a machine by starting any Office application, selecting the “Help” menu choice and then selecting the “About” menu choice. In the “About” dialog box, next to the product name, the letters “SP2” will be displayed.

Q: Must I download Office 2003 SP2 from the web?

A: Office 2003 SP2 is included in volume license media kits.  If volume license media kits are not part of your volume licensing program or you have not received a disk and prefer not to download the service pack over the Internet you may order a disk by visiting http://office.microsoft.com/en-us/FX010383631033.aspx

Q: Office 2003 SP2 makes more changes than simply updating the code affected by the US court case.  Is there a patch or hot fix I can use that takes care of the intellectual property concerns without making all the other changes related to this service pack?

A: Office 2003 SP2 is the only patch available to properly update Office Professional 2003 and Access 2003.

Q:  If a customer is only using Microsoft Access 2003 do they need to install Office 2003 SP2 or is there a separate Access only service pack?

A:  There is not a separate service pack for Microsoft Access.  Office 2003 SP2 is the correct patch to apply for suites and individual applications such as Access.

Q:  How will this affect Office 2003 SP1?

A:  Office 2003 SP2 is a cumulative release and includes SP1. This does not, however, affect the support policy for SP1.  Microsoft will continue to support SP1 as defined in the lifecycle support policy.  More information can be found at http://support.microsoft.com/.

Q: I deploy Microsoft Office using a standardized corporate installation image. Do installation images that have been previously created and tested with Microsoft Office 2003 need to be updated to include SP2?

A: Any new installation of Office Professional 2003 requires SP2 be applied. If you use a standardized installation image to facilitate corporate deployments you will need to update that image to include SP2.

Q: How does this affect Windows Terminal Server installations of Office 2003?

A: New installations would require Office Professional 2003 to be installed with SP2.

Q: If I just deployed SP1 do I have to go back and now deploy SP2?

A: No, you do not need to deploy SP2 on an existing installation. Only new installations of Office Professional and Access 2003 require deployment with Office 2003 SP2. Existing machines with no service pack or with service pack 1 do not need to be updated. However, Microsoft strongly recommends they do install SP2 as the service pack includes many product updates the customer will likely value.

Q: I have noticed that the date for Microsoft Office 2003 SP2 on the Microsoft download site has changed several times from its initial release. Has Microsoft changed service pack 2 and does that mean I need to download SP2 again and apply it to my machines?

A: No you do not need to download Office 2003 SP2 again or re-apply it to machines already patched with SP2. The contents of service pack 2 have not changed since its initial release.

Q: What are the system requirements for Office 2003 SP2?

A: Office 2003 SP2 system requirements are the same as the Office 2003 System requirements for Office client applications. In order to install SP2, you must have installed Office 2003 on a system that meets the installation requirements.

Legal Liability and Microsoft’s Indemnity Policy Questions

Q: Microsoft has told me that this action is required because of a ruling in a court case. Can you tell me which case this is and which court is involved?

A: The case which necessitated this action is Amado vs. Microsoft which was filed in federal court in California.  

Q: Am I considered out of compliance with my volume licensing agreement if I do not deploy Office 2003 SP2 in future installations?

A: Installation of Office 2003 SP2 is a requirement for any new deployments of Office Professional 2003, regardless of which licensing program you are enrolled in. Any future deployments of Office 2003 without Office 2003 SP2 included would be considered out of compliance with Microsoft’s licensing requirements.

Q: Are retail customers affected by this action?

A: Yes.  Our retail license has been changed and all retail boxes which contain the affected products will also include a disk with Office 2003 SP2.

Q: Is it correct that if I have deployed Office 2003 SP2 then I have nothing to worry about with respect to intellectual property infringement?

A: If Office 2003 SP2 is installed you are in compliance, you will not infringe the intellectual property that is at issue in this case.

Q: I thought that Microsoft’s indemnity policy meant that Microsoft stands behind their software and limits my liability against a third party suing me for intellectual property issues related to that software. Doesn’t Microsoft’s indemnity policy protect me from actions like this?

A:  Microsoft’s indemnity policy does cover your pre-existing installations with respect to intellectual property claims in this case.  Microsoft’s ability to protect customers from future infringement claims depends on our ability to change products to comply with court orders. Microsoft respects the intellectual property of others. As such, Microsoft’s licenses specify that new installations of affected products only be made with the appropriate patches applied.

Quickbooks 2006 - non admin rights instructions

So you are now installing the 2006 [the R3 version of course] and you want to run without admin rights on the 2006 version?

Here's the updated instructions:

QuickBooks Community - Running QB 2006 without Power User or Admin Privs.:
http://www.quickbooksgroup.com/webx/forums/install/385

I'll try to spare you any editorializing. Suffice to say, these changes will allow regular users to run and use QuickBooks 2006. Updating will not work unless you are an administrator, but it will abort relatively gracefully with a message along the lines of "Only adminsitrators are allowed to update QuickBooks." I'm not quite sure how I feel about this development. I can't verify this yet, but it seems that this is not a matter of file or registry permissions, or of windows installer policies, but rather a direct check of group membership tokens. In which case we'll probably just have to learn to live with it.

Is that where WSUS puts the IMF updates?

No wonder I'm not getting the Exchange IMF updates offered up to me on WSUS... I didn't have the box checked.  Or at least I think that's where they should be triggered from... but it's not clear is it? 

On the WSUS blog it sounds like this will be the section that will be updates for Windows defender, but I think these are also the place for the Exchange IMF junk file updates. 

WSUS in sychronizing now... I'll let you know if my guess is right.

Update:  Nope..not right... hmmm... wonder if I forgot the registry edit to enable detection or something?

...and as your domain admin, I'm not going to let you delete that

The IE7 blog talks about a feature that you can delete your IE 7 history.

Well first... delete is a relative term because in operating systems unless you write over it, it's not deleted, and secondly, I as an Admin will want that 'feature' turned off.

I want to see where you are going and what you are doing in my firm.. it's in my Internet Use Policy that I can do it in fact.

Patching risk

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System:
http://www.incidents.org/diary.php?storyid=1052

"Before he turns it off though he tells me something very worrisome. It went like: "We turned off the windows automatic updates". I wasn't sure if I'd wipe the harddisk or not at that point, but as such things would convince me to wipe, I answered "No problem, I'll enable it when I get home, thanks for the warning". Then he goes on to explain they do that always as "In our experience windows update and all those patches break more than the viruses harm you. Just add a good anti-virus program, we've already tightened up the windows firewall. You'll be safe, don't worry. In our experience it is best to install the service packs Microsoft brings out, but stay away from the crap in between". Painfully wrong advise in my opinion, from a shop I like a lot for their hardware."

I read that today and there's a part of me that sees that ...and it kinda in a weird way... breaks my heart.  That people have such an untrust about patches.  In my world, I have not had the issues with the individual patches, hotfixes and the like.  Service packs?  Now those are what are icky to me.  But security patches?  To me that's a normal monthly ritual now of test, deploy, evaluate.  In my network, in my workstations, on my computers, patches don't do more harm than the viruses that harm me.  If a virus harms me, it's because my defense isn't good enough.  They've broken in.  If a patch hurts me, even a little bit, that's just a normal process of software in my book.  Why would anyone want to choose a virus over a patch making the help file inside my tax program not work?  And honestly that's the last 'thing' that broke in my office.

The help file inside my tax program didn't work until I adjusted it. 

Now compare that with the risk of a virus that disrupts my network, my email, introduces a back door into my network or any other nasty thing...and someone thinks the risk of THAT is preferable over a possible issue with a patch?  I'm sorry but that risk is too great in my book.  You have a problem with your computer if a patch is an issue. 

Now that said.... many folks say that patching should not be knee jerk automatic in a business that depends on software... if you depend on an app...and that app has a history of breakage...then you need to fix the app, for find a way to protect that app, and mitigate the issues without patching.

That's the tricky part.  In most small firms, it's much easier to patch and risk the small chance of patch issues than to take the time to 'mitigate' for not patching.

Bottom line...don't turn off automatic updates...and Mr. Computer maker... I agree with the gang from Incidents.org... that's bad advice.

The Non Admin white paper is out!!!!

This technical white paper describes the least-privileged user account approach and provides information on related tools and resources.

Whoo hooo the LUA paper is out!  LUA...you know ... LUA.. Least privilege and non admin and all that.  If you want to begin to get control back over your network, this, in my opinion, is the way to go.  We HAVE to get control of the desktops.  And having your stupidest user [lets face it, we all have them] have the right to click, to install, to launch, to load, to do anything on their workstation...those days are over.  Vista will be doing a better job in this area...but Vista is later...not now and we need all the help we can get to take back our desktops and make them part of the security fabric of our network.

The XP sp2 firewall is step one.  Non Admin is step 2.  Now this is not a trivial task and takes time and energy to do.  But if you can do this... you will be one more step on the way to defeating the bad guys.

Demand that our vendors support this.

www.threatcode.com

It's time we start setting our risks...and not our vendors.

Looking for WSUS resources?

Need resources to get your brain around WSUS?

Here's my recommendations

• Books - as far as I'm aware there is no WSUS only book...but I do have WSUS info in the SBS Unleashed book
• WSUS on SBS whitepaper - download here
• WSUS wiki - linked here
• WSUS blog - http://blogs.technet.com/wsus
• WSUS listserve - sign up at www.patchmanagement.org
• WSUS webcast that I did [on patching]
• Patching Podcast - Vlad's SBSShow mp3

Btw ...just opened up a new category on the blog about WSUS

So how do I track RWW?

A commenter [I'm too lazy to go link it up as I was in the office at 6 ungodly am this morning to ensure that a Tax Webcast training seminar was working properly and right now I'm blogging as the Earl Grey tea attempts to clear the grogginess from my brain matter], was wanting to open up RWW for all employees but wanted to track/log/audit it.  And I got to thinking how I do it here.. or I should say...how I've started to be able to keep a real close eye on it here.

There isn't [as far as this sleep deprived brain can remember] a RWW log in database.....but.... the beta that I'm on with the Scorpion Firewall is giving me the tracking that keeps the paranoid me happy.  In the firewall dashboard new beta, Dana tracks connections...and guess what...443 and 4125 are just that...connections.. and every morning [since I set the dashboard email report up to hit my inbox at 6 a.mish like my other emails] I look and see just who connected in on port 443 and in particular 4125.  90% of the time the IP address I see that come in from is me at home [yeah it's pretty sad when you recognize your own IP].  But that 4125 port ... I should only see the connections I expect on that one.  Every now and then I see a 443 connection from Korea or Guatemala and I've been building up a 'block connection list'.  In fact I should take the time and dig up a really good 'this are typically bad IP addresses' list or just break down and get one of those ISA add in thingymajiggers [you expect me to coherently remember a vendor's name at this hour of the morning?] that do the work for you.

In the meantime, if anyone is more awake than I am.... comments about ISA add ons that you use and like would be appreciated so my brain doesn't have to wake up.

Hey... the antispyware thingys are going to be in WSUS

WSUS Admins:

Today you will see a new product category and update classification in your WSUS Synchronization Options dialog.  Windows Defender, formerly Microsoft Windows AntiSpyware (Beta), will as of today’s synchronization show up as a new Windows product category.  A new update classification will also come on line called “Definition Updates”.   Currently Windows Defender is only released as part of a VISTA beta release.  Definition Updates will only be available to beta participants from the Microsoft Update site, with Vista Windows Defender Beta installed.   Windows Defender beta will be available to down level clients, and Definition Updates available via WSUS in the coming months.   As with CodeName Max, when new product updates are released to MU, their categories and classifications also appear on the corresponding WSUS options dialogs.  Unlike CodeName Max, Windows Defender  Definition Updates will be available to synchronize to WSUS servers and approve for installation on clients in the coming months.  For right now, no Definition  Updates for Windows Defender will be available from MU to WSUS servers. 

To learn more about the Windows Defender Vista beta see:  http://www.microsoft.com/presspass/newsroom/winxp/12-19WinVistaDecCTPFS.mspx  Visit the Windows Defender team blog for the latest news on Windows Defender and Definition Updates availability via WSUS at  http://blogs.technet.com/antimalware/archive/2005/11/04/413700.aspx.

Thanks -Bobbie
--
Bobbie Harder
Program Manager, WSUS
Microsoft

The spyware guys know we don't care.

In a spyware listserve I hang in... comes a sad but true story.... in the registry log file of a malware and spyware'd computer was this line....

 HKLM\..\Run: [I downloaded pirated Software from P2P and now I post my Hijack log whining] C:\WINDOWS\system32\Fifa Football 2006 crack.exe

Look at that...the bad guys are laughing at us and how we download software.  How we don't care about security... how we don't even validate what we are downloading.  They know that people will download anything if given the choice. 

Look at that ...they are taunting us that we don't care enough about what we download...what we do on our computers...it's sad isn't it...that they know we don't care.

Knock it off Apple

Matt blogs....

Ever try to JUST install Quicktime recently?

AICPA names top 10 technologies

In today's Consulting Insights.. Bob Scott reports that the AICPA Top 10 Technologies is out..... and look what's number 10!

AICPA NAMES TOP TEN TECHNOLOGIES.
The American Institute of CPAs has named information security as its No. 1 technology issue for 2006, a repeat winner, and it's hard to disagree with the choice. I think this year's Top Ten is more practically oriented than some I've seen in the past. Either that, or I know more than I did and they were right all along. Issue No. 2 was assurance and compliance apps. Here are the rest of the winners:

• 3. Disaster and business continuity planning;
• 4. IT governance;
• 5. Privacy management;
• 6. Digital and authentication technologies;
• 7. Wireless technologies;
• 8. Application and data integration;
• 9. Paperless digital technologies; and
• 10. Spyware detection and removal.

Ensure tinfoil is in place please?

Quick you may need this protection..... especially if you go and listen to the latest Steve Gibson podcast about the 'rogue developers of Microsoft' who placed 'an intentional back door' into the operating system.  In the meantime you may wish to also read the MSRC blog and their take on the same issue.

Now Steve says 'he's leaning toward Open Source because you can review what's in there'.  Oh.. really ...just like this vulnerability in Novell's SuSe Linux that just came out today and appears to already be under attack.  The vendor was notified on 11/15 and the fix out 1/13/2006.  "Remote exploitation of a heap overflow vulnerability in Novell Inc.'s Open Enterprise Server Remote Manager allows attackers to execute arbitrary code."  Why isn't that a 'back door built by rogue developers like the WMF exploit?

Tim says he's waiting for next week in his blog about this...and that's exactly what Steve wants.  Look at the 'buzz' this one podcast has gotten.  Talk about a very VERY unprofessional way to handle this.  First off... Mr. Gibson, I email secure@microsoft.com ALL THE TIME and seemingly even with the spam filters that tend to mark my pacbell.net as spam, I get responses from them.  Secondly, whether he cares or not, on the backchannels of security listserves, his podcast is being ...well quite frankly...laughed at.  Next...for him to say that he is the 'first' in this charge.....he was not the first to charge that WMF issue was a 'backdoor', on January 2nd to be exact, other bloggers and companies did.

If you are going to charge something like this, Mr. Gibson... first off don't charge something of this magnitude without contacting the company first, secondly .... to podcast something when you aren't even sure of all the facts?  That's just irresponsible in my book.

Enough with the tinfoil folk... get real....flaw yes.  Intentional backdoor by rogue developers?  Get reasonable Mr. Gibson.

So what about coffee shops?

So in the comments of a previous blog entry about remote access, comes the question about 'coffee shop' access.

That is indeed in a different section, along with the information that before an employee takes a company laptop and is anticipated to use a Starbucks, they get a one on one training course on remote access.  I do and have allowed connectivity ala java, ala airport wireless and what not, but ensure that the employee understands the 'expected behavior' of each.

Starbucks access should always be a T-mobile web site access with an expected look.  So yes, I do allow this, but yes, there is the same stress of paranoia.  Now yes, there is the risk of someone putting up a fake AP and all that...but remember RWW is over SSL and thus information isn't passing in 'clear text'.  The other day I had a ping about a business owner who wanted to 'pop' back into his SBS box and one of the things that I warned the Admin was that when you use POP, you pass that username and password over clear text.

Is coffeeshop access secure?  Secure enough in my book.  I'm willing to accept the risks knowing that I have protection in place.

"You have successfully updated your computer"

.... yup...no reboot this month.  Did everyone catch that?

SBS aka 'the kitchen sink' normally has at least one patch that causes or forces a reboot...but not this month.  All of the patches that came down on this Patch Tuesday [excluding 06-001 for the WMF of course...as that was earlier...] did not force a reboot.

I personally thing that the "world record for uptime" that everyone boasts about is overrated...but that's just me...

What's in your remote access policy?

Here's a section of mine.....

In general:

When you are accessing the Firm’s network from a remote location, you must pay the same attention to security and privacy regarding client files that is required at the office.  Those employees previously identified by Management as needing remote access should ensure that at all times the connection to the Firm’s network does not in any way jeopardize the safety and security of the network.  Therefore, anyone with permission to run remote access is required to have installed an up to date antivirus and an active firewall on their personal home computer.  Periodic onsite visits by the Network Administrator may be required in order to approve a request for remote access and to maintain the access.  If you feel it is necessary for you to have remote access to the Firm’s computer network, please fill out a request form for remote or offsite access. [Please see a copy of this form in the appendix].

Remote access via Kiosks:

It is recommended that only personal equipment be used to remotely access the Firm’s network resources.  You should refrain whenever possible from using open, Internet café style connections.  Those users with remote connectivity will require special training on the risks of such access and will be instructed on ensuring that usernames and passwords are not saved on such devices.  This type of access should only be used in an emergency and only when deemed to be appropriate for the need.  Remote access may be necessary while traveling.  You should submit a request for a laptop for use while traveling prior to your trip.

...and we'll be adding a section on our Audiovox Cell phones as they have usernames and passwords on them.  Even with this... I monitor the access.  I have a rule that lets me know when a password attempt has been made on the system. 

But I think I'll be going back and beefing up that section and instead forbid Kiosk access entirely.  One should ensure they can 'trust' the device they are using to access the network with. 

A conversation on Malware

Microsoft TechNet Radio:
http://www.microsoft.com/technet/community/tnradio/default.mspx

Steve Santorelli spent most of his career in Scotland Yard, so what is he doing at Microsoft? Steve is putting his sleuthing skills to work for you. Working with international law agencies, he and others in his group are tracking down the criminals who are creating the malware that keeps your IT group up at night. Steve is about prevention — not through technology, but through law. He is making sure the creators of malware are brought to justice. Hear a conversation with Steven on the human side of malware

...now if they can just put a podcast feed on this site......

All port scan attacks in ISA

On a listserve today someone indicated that their client had shut off VPN because they were concerned about the 'intrusion' alerts they were getting and thought their server was compromised.

First... don't panic.  Many of these are false positives.

ISA Server Port Scan Alerts: Tip of the Month - December 2005:
http://www.microsoft.com/technet/community/columns/sectip/default.mspx

Two read that.

Three... check out a beta of a product that I think adds a lot more information and value to ISA server 2004.

The Scorpion Software Firewall Dashboard..."Cases 123-125: We have added a few new reports to show top service and connection usage so you can see what IS getting through your firewall. You can match this up against your server connection logs to see if things match up. There is a top service usage over the last 24 hours graph which shows the top 3 services against each other."

An ISO for the patches?

Two bulletins today

January 10, 2006

Today Microsoft released the following Security Bulletin(s).

Note: www.microsoft.com/technet/security and www.microsoft.com/security are authoritative in all matters concerning Microsoft Security Bulletins! ANY e-mail, web board or newsgroup posting (including this one) should be verified by visiting these sites for official information. Microsoft never sends security or other updates as attachments. These updates must be downloaded from the microsoft.com download center or Windows Update. See the individual bulletins for details.

Because some malicious messages attempt to masquerade as official Microsoft security notices, it is recommended that you physically type the URLs into your web browser and not click on the hyperlinks provided.

Bulletin Summary:

http://www.microsoft.com/technet/security/Bulletin/ms06-Jan.mspx

Critical Bulletins:

Vulnerability in Embedded Web Fonts Could Allow Remote Code Execution (908519)

http://www.microsoft.com/technet/security/Bulletin/ms06-002.mspx

Vulnerability in TNEF Decoding in Microsoft Outlook and Microsoft Exchange Could Allow Remote Code Execution (902412)

http://www.microsoft.com/technet/security/Bulletin/ms06-003.mspx

/...they've done that thing where each Outlook patch has a separate KB article and then Exchange has a KB article number.  I understand the process [it's one vulnerability] but I see it as two programs/patches and thus track it differently/

This represents our regularly scheduled monthly bulletin release (second Tuesday of each month). Please note that Microsoft may release bulletins out side of this schedule if we determine the need to do so.

If you have any questions regarding the patch or its implementation after reading the above listed bulletin you should contact Product Support Services in the United States at 1-866-PCSafety (1-866-727-2338). International customers should contact their local subsidiary.

Okay I'm leaving WMF's blocked

The other day I put in place blocking of WMF files in my network.... and I'm not going to adjust that setting one bit.

There is no need for my users to have or need that file and today's update on the MSRC blog proves that indeed.

http://blogs.technet.com/msrc/archive/2006/01/09/417198.aspx

Let's just keep those files blocked, shall we?

Over my dead body

On a couple of listserves and blogs the idea that now that this patch got out so quickly that all patches can get out this fast. 

First off, I think that's a simplistic view as not all patches are created equal.  This one was a small file.  Take a look at the IE patches and their file manifest.  Huge in comparison.  Thus to say that say an IE patch can be written, tested, and signed off in the same fashion as this patch is ... I think... too simplistic of a view of how 'change management' works and how each security issue is not the same as another. 

It's easy for bloggers to say 'oh we need to demand beta patches as admins can decide the risk and apply them" and not realize the near 'freak out' that I'm sure would result because quite honestly we have no clue whatsoever as to our real risks out here.  None.  Zilch.  And as a result, each of us would think that we are in need of that fix.  So what would happen?  Untested patches unleashed on our networks.  Okay so how do we track issues now?  Is it beta version 1 of that patch you are seeing that with or beta version 2?  Yeah right, that would work out well wouldn't it?  We'd have absolute freak out on our hands.

Furthermore, I don't see these posters and bloggers in the newsgroup on the day after patching when, on the rare occasion, we do see issues.  I don't see you there helping that computer user try to get that box into a usable condition.  It's easy to ask for this when you are where you are at and do have the resources to handle such things, unlike most home and small businesses.

Yeah there are times that I will look at how long a patch takes to come out and wonder ...gee..that's a long time... but at the same time... I ...nor many out here making these demands...have no idea of the process that it takes to get a patch out, coded, tested on the umpteen versions.  It's easy to say these things when we're on this side.

Some have suggested that beta patches be handled like KB articles so that you'd call into PSS to get them.  And all that would do would to get code that could be reverse engineered into the hands of the bad guys that much faster.

I'm not saying that I know the right answer here, the right balance, or anything.  But I'm tired of 'standards' and 'best practices' being used in such an easy way without understanding what you are saying and asking for.  Sometimes 'standards' force you into being too rigid and not being agile enough.  I'm not going to ask for a standard patch build timeline because we truly have no way to set such a standard.  Some issues may be so deep and embedded in the operating system that it will need additional analysis.

I do like the once a month patch deployment because it means I can plan my month and security accordingly. 

The standards that are in place now... a patch no sooner than it's ready... a patch for all critically vulnerable systems at the same time.... a patch for all languages..... a patch for all versions.....released on patch Tuesday unless it's an unusual event.....that's enough of a standard in my book.

Except for one more standard....... over my dead body will untested patches be unleashed on the SBS community.  That's one standard I will enforce.

So why aren't 98's being patched?

Microsoft Security Bulletin MS06-001: Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution (912919):
http://www.microsoft.com/technet/security/bulletin/ms06-001.mspx

A question that even I had came up on a listserve... why isn't this critical to Windows 98/ME machines?  Because on all the machines my fellow MVPs attempted to automagically infect with this exploit, none of them would automagically get nailed.  All of the 98's and ME's needed user intervention.  Now one could argue that Windows still has more stupid users, but the reality is, because the 9x series did not use the default viewer, they are less vulnerable.  Thus, not critical.  Thus, because 98's only get patched when it's a critical issue, there will be no patch.

Newsflash at 11....the sky will continue to fall....

In our continuing saga of keeping secure online...just wanted to update everyone that even though I'm fully patched the sky will continue to fall.

Why?

Read this.

In particular ...this..."Patches are always likely to be necessary because software will never be perfect as long as it is written by imperfect human beings,"

So to me..it's pointless to argue over the merits and numbers of patches and what not.  Because we will always want to interact with one another... we will always be at a slight risk.  Not to mention.... " Though Windows suffered fewer flaws it is still the platform with the most security problems, given its wider user base of less tech-savvy users."  ...that's politically correct speak for 'we got more stupid users than you do"

What I learned from this

First read a good blog post from Mike Nash on why this came out early.

And here's what I learned from this....

1. This is my firm and only I can decide the risks.  It got to the point yesterday and today that I was about ready to yell "enough" and stop reading the blogs, the news sites, the stories of how I was at risk.  So much of what we were getting as 'gospel' was second hand and third hand and never disclosed the actual methodologies of how numbers and stats were determined.  On the one hand there were folks saying they did see threats, on the other hand folks were not seeing any. 
2. The security biz is a PR opportunity.  Security should be icky and boring.  About as boring as reading financial statements.  Man the 'spin' on this issue was unbelieveable.  'The worst security event ever'.  'Every OS back to pencil and paper is vulnerable'.  [okay so now I'm exaggerating...but you get the idea].  Most of the headlines were not facts but spin jobs done to sell more product of 'fill in the blank'.
3. No one has a good handle on the true risks of their firm [and we may not ever].  My impression is from all this 'yes it works', 'no it doesn't', 'yes it's vulnerable', 'no it's not', is that none of us truly have a handle on what is installed on our systems and all of us have so much third party crap.  So much of this incident was fear of the unknown, fear that something bad was going to get us, yet .... it was said that it was not an RPC type issue, it would not turn into a worm and yet look how much at what we were freaking out on this.  On a daily basis we have risks out here on the Internet.  And if there's only a patch between you and the bad guys... maybe we are in more trouble than we think?  Maybe we need to ensure we have layers, and defensive moves, and stop running as admin....and all those things that we really should be doing so that we're not totally going wacko over a security issue that some bozo brain timed to screw up our holidays.

And now if you'll excuse me.... Shavlik is ready to patch and so am I.

...so you didn't get an email until hours later...

...well then you don't have instant paranoia now do you?

First off we should understand that mail servers take time... so don't expect the Microsoft security email to get to you immediately.  Next you can easily sign up for 'Instant Paranoia Alerts' on MSN....then you will get them and be instantly paranoid....but I think we should give everyone a break on this.

Security bulletin 06-001

Microsoft Security Bulletin MS06-001: Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution (912919):
http://www.microsoft.com/technet/security/Bulletin/ms06-001.mspx

Gentlemen start your testing on the real patch

ONE OUT OF BAND PATCH HEADING OUR WAY

The sky must be falling

We have truly gone insane around here.....

Tonight comes this comment....

Is this blog payed for by Microsoft? This was the strangest thing I ever read. The 3rd party patch you're advicing people not to install is made by a very respected programmer and is also an adviced install by f-secure and others. (and it is reversible once the microsoft patch is released)

Advicing people not to patch their machines is just pure stupidity. I didn't know you were a Microsoft Extremist but now I do.

For the record Klas I can't make your risk analysis for you...only you can.  For number one..that post that I did is a cut and paste from the Security advisory apparently you didn't read it closely enough as I didn't post anything in there that wasn't a cut and paste.  For two, this blog comes out of my personal pocketbook, and is thus my opinion and only my opinion....for three, I'm not going on record as advising anything but this....

IF YOU DO INSTALL THIS PATCH TEST THIS SUCKER and understand that you have possibly put this in an unsupported position.

I find it insane that folks are wanting untested patches on their systems, both in the form of a third party patch or in the form of an untested Microsoft patch.  Sorry folks, but I don't see you in the newsgroups scraping the dead servers off the floor come the aftermath of Patch Tuesday.  F-secure doesn't understand my network, my risk tolerance, my lob apps any more than Microsoft does.  So if I do my own risk analysis and don't always follow Microsoft's advice, why should I follow anyone else's?

I'll bet you a 6 pack of Mountain dews that folks that are wanting a quick untested patch would also be the ones screaming bloody murder when their boxes got nailed by a bad patch.

I can't do your risk analysis for you...but neither can F-secure or anyone else.

Read this.

Make up your OWN mind please.  And I think we need to ask ourselves... if the existence of a patch is the only thing between us and utter doom... we got bigger problems on our hands as we can't patch everything around here.

ISA server team blog opens up!

ISA Server Product Team Blog : Welcome to the ISA Server Product Team Blog:
http://blogs.technet.com/isablog/archive/2006/01/03/416787.aspx

Very cool....

The risk

So as we get back to work all of us have to evaluate the risks… do we deploy a third party patch or do we check our other defenses to see if we have enough in place.  There’s been a couple of interesting threads on this that I wanted to capture.

1. If only they’d rip everything out and make it more secure, we wouldn’t have this.  The reality is folks, when business and security are weighed side by side, business will win hands down each time.  And if we are going to argue that we should rip out and make things more secure from the ground up, you’d better start at the very foundations of the Internet.  TCP/IP is not built with security in mind.  So if you want to build things from the ground up with security, then you’d better start ripping out from that level.  But given that we can’t even kill off Win 98, do you honestly think that this is a reasonable solution?  I’m not convinced that we can secure even things we design from the ground up….again it gets back to that secure enough argument.  Put too many barriers in my way and as a business person, I’ll find a way around those barriers to provide the collaboration w need.
2. Patches should be released when they are ready, not on an artificial time table and schedule.  Now this is where I will argue against this one, as I’ve been patching for a long time and I don’t think the folks saying this are remembering what it as like before.  The comments are ‘oh but then patching could be on ‘your timetable’ and I don’t think people understand that patching is not on ‘my’ timetable per se’ but on the bad guys time table.  It takes a mere 20 minutes after a patch is released to build an exploit.  I honestly don’t think all those folks who are asking for this truly remember the mess patching was a few years back when patches could come out any time, any day.  I will also strongly argue with the folks that say ‘oh just release a patch and then if there is a problem, release another’.  Yeah right, folks, be careful what you ask for ‘cause if you have just one bad patch that would nail our SBS boxes, just imagine how much you’d be screaming after that one. 
3. Getting good feedback.  The one area that I am a bit concerned about is the issue of ‘good feedback’.  There’s a difference between true facts and second hand information.  This event more than any other has proven to me that sometimes relying on others for your info could leave you confused and uncertain.  On the one hand, I’m not sure Microsoft sees all the ‘body counts’ I do since my communities don’t call PSS, don’t have TAMs and what not.  We don’t use the big programs that capture body counts [like postini and message labs]. I also hope that the a/v vendors are sharing information and not holding it back.  My SBS community sometimes isn’t nailed in the same way as the big server community.  Slammer, Idon’t feel had a lot of impact.  So the problem here is …what is real damage and what is psychological damage?  I hope that the consumer and small businesses are represented well enough when Microsoft makes their decisions, but I don’t know.
4. Using a third party patch.  I haven’t made up my mind on this one…. On the one hand if you have to depend on a third party patch for your protection because the risks are too great, I’m not sure that’s where we need to be heading.  Maybe we need to ensure we have other layers in place, because I’ve got tons of third party crap on my network that I know I can’t patch it all and I’m positivie that each one is introducing threats into my network.  On the other hand, I don’t like feeling that ‘patch Tuesday’ is being used as the release date for this one.  How many dead bodies does there have to be before an out of band patch is released?

It reminds me of my New Year’s trip to Disneyland.  Disneyland is a risk.  Yes, it’s the happiest place on earth, but in reality, folks have died there from accidents on equipment and devices meant to entertain.  I must trust that Disneyland has in place processes and procedures to ensure my day is safe.  But at the end of the day I have to trust that they’ve done their job.  I don’t have the same level of forced trust for my operating system.  I do have more control over it.  So the question becomes…. Whom do I trust?  What is my risk tolerance? 

All I know is that it’s easy to say stuff when I’m not the one making the final decisions.

Patch on the 10th

http://www.microsoft.com/technet/security/advisory/912840.mspx

What's Microsoft's response to the availability of third party patches
for the WMF vulnerability?
Microsoft recommends that customers download and deploy the security
update for the WMF vulnerability that we are targeting for release on
January 10, 2006.

As a general rule, it is a best practice to utilize security updates for
software vulnerabilities from the original vendor of the software. With
Microsoft software, Microsoft carefully reviews and tests security
updates to ensure that they are of high quality and have been evaluated
thoroughly for application compatibility. In addition, Microsoft's
security updates are offered in 23 languages for all affected versions
of the software simultaneously.

Microsoft cannot provide similar assurance for independent third party
security updates.

Why is it taking Microsoft so long to issue a security update?
Creating security updates that effectively fix vulnerabilities is an
extensive process. There are many factors that impact the length of time
between the discovery of a vulnerability and the release of a security
update. When a potential vulnerability is reported, designated product
specific security experts investigate the scope and impact of a threat
on the affected product. Once the MSRC knows the extent and the severity
of the vulnerability, they work to develop an update for every supported
version affected. Once the update is built, it must be tested with the
different operating systems and applications it affects, then localized
for many markets and languages across the globe.

P.S.  That's a cut and paste from the advisory folks... apparently you aren't reading them as this is a verbatim from that...and for the record this blog is paid out of my pocket.

Getting good information

...so we're in the car driving to Los Angeles and the radio DJ talks about an upcoming story on radio

"A problem in Microsoft Windows?  Nahhhhhhhh" she says.......

The chatter on SBS listserves today is one of disappointment.  This security issue points out the problem we have down here in SBSland.  The "test" problem.  For large firms they have the resources to test, to have matching images on the desktops, to try to understand the risk for their firm.  Down here we rely on the guidance we get from official sources. 

So the gang is now stratching their heads as to how we went from "DEP" works to one where only "Hardware DEP" works.  They are seeing that antivirus and spyware bloggers first brought up the issue that software DEP wasn't working [especially on real world boxes]. 

Getting good info is hard....and unfortunately this event just pointed out how hard.

Just a heads up the Security Advisory was updated

 *I have DEP enabled on my system, does this help mitigate the vulnerability?*
Software based DEP does not mitigate the vulnerability. However, Hardware based DEP may work when enabled: please consult with your hardware manufacturer for more information on how to enable this and whether it can provide mitigation.


http://www.microsoft.com/technet/security/advisory/912840.mspx

....so what am I going to do? Nothin' for now because the office is closed and the machines are off so they are as protected as they can be..... ask me next Tuesday and I'll let you know what my risk tolerance is then.... for now... I'm sitting tight....

------------ 

 Shavlik Provides Workaround For Zero-Day WMF Exploit

On December 28^th , Microsoft announced a Security Advisory (912840) for a zero-day exploit that could allow an attacker to execute arbitrary code on a user’s system by hosting a specially crafted Windows Metafile (WMF) image on a malicious Web site. Malicious code on a number of web sites exploited the vulnerability on users’ machines. Microsoft has not issued a patch for this security exploit at this time. Users running a fully patched version of Microsoft Windows are still vulnerable to attack.

For administrators that cannot wait for Microsoft to issue a patch to protect against this vulnerability and need an immediate workaround, Shavlik Technologies has released updated XML files for Shavlik NetChk Protect, its patch and spyware management solution, to help users protect against this attack. Shavlik NetChk Protect allows users to un-register the SHIMGVW.DLL files that enable the malicious code to attack systems on Windows XP and Windows 2003. This is a workaround recommended by the United States Computer Emergency Readiness Team (CERT) as an option for vulnerability protection. Shavlik Technologies cannot validate this as a proper fix. To read more about this vulnerability, visit the CERT web site at _http://www.kb.cert.org/vuls/id/181038_.

Shavlik Technologies recommends that administrators determine their security needs and implement this workaround only if it offers an acceptable solution to their individual security needs and all risks are understood. By offering this workaround, Shavlik Technologies puts the option for protection in the hands of the administrator. Users should be aware that by un-registering the .dll file, other applications that use this .dll file can break, but this is the only workaround available at this time, as quoted from the advisory.

For Shavlik HFNetChkPro™ users, Shavlik Technologies has developed a workaround to help administrators address this vulnerability. For more information visit Shavlik’s Support Forum at _http://forum.shavlik.com/viewtopic.php?t=2731_

The Microsoft Security Advisory affects the following operating systems:

         o Windows 2000 SP 4
         o Windows XP
         o Windows Server 2003

More information on the Microsoft Security Advisory can be found on Microsoft’s Web site at: _http://www.microsoft.com/technet/security/advisory/912840.mspx_.

Users are affected by either navigating to web sites that contain a link to a Windows Metafile that exploits this security vulnerability, or opening an email attachment that exploits this security vulnerability.

When Microsoft releases a patch to protect against this vulnerability, Shavlik NetChk Protect will include this patch and will allow users to re-register the .dll file, returning the system to its previous state.

For further information about this zero-day exploit, visit Shavlik’s Security Center at _www.shavlik.com_ <http://www.shavlik.com>.

Oh let's just rip out those dll's shall we?

One of the suggestions I see on many of the Security sites are to unregister certain DLL's to ensure that this WMF vulnerability can't be exploited.  Now maybe it's just me...but unregistering DLLs that break image, thumbnails and what not... and especially if I have to worry about registering those files and sticking them back in seems to me a bit drastic.  To me the saner approach is to ...again...use our Risk Analysis view....

Which machines in my office are most at risk.... uh... honestly?  Mine.  But do give extra protection for all in the office...what's an easy protection mechanism that I can do on my network?

Steps I've already done...block files at the mail gateway ....block image types at the firewall.....

Okay so what else can I do on my machine.... Enable DEP protection for all programs.  Viruslist says that DEP is marginally effective and doesn't work if you have image viewers like Irfanview.  Yo.  Folks.  Irfanview is a known image program in the forensic biz that can view ANYTHING.  I don't define it as the 'viewer of choice for many'.  Geeks maybe.  But my Mom and Dad?  No.

Do I have it on any other machine except for mine?  Nope.  Does it appear that enabling DEP for all programs is effective for mere mortals that have normal software at this time?  Yes.  Can DEP be enabled without major impact?  You bet your bippy.  Working just fine here and so I'm thinking...why the heck am I leaving it at the default?

P.S. Knowing my luck I'll probably find out that bippy means something obscene....

WMF and blocking

As many have pointed out ...the instructions for blocking 'just' the WMF extensions won't protect me if the threat vector comes in via renamed files.... but I think folks are missing the point here.  NPR the other morning had a news report on the communication regarding the potential for a Bird Flu Pandemic.  They discussed how there's a fine line between communication and 'freaking someone out'.  And they said that when a person get communication that helps them act on something so that they feel part of the solution, that person feels calmer. 

I think this occurs in Security communication as well.....that's exactly what's going on here...there's a psychological affect of "me" taking proactive measures to block what I know I can easily do at the border.

"Lanard and Sandman say risk communicators must walk a tightrope. On one side is the risk of promoting irrational fear. On the other side is irrational complacency. The goal is to instill appropriate fear that gets people to take appropriate precautions.

Lanard says accomplishing this means presenting information that is accurate, complete, and often frightening.

"Good information should increase the level of fear in people that haven't been thinking about it at all," she says. "It should decrease the level of fear in people who are over-imagining how bad it could be."

Sandman and Lanard say that in the short run, individuals can do far more than the government to protect themselves.

For example, he says, people can keep extra food in case a pandemic disrupts distribution systems. They can prepare to work from home, in case it becomes hazardous to be in contact with other people. They can learn proper hand washing techniques to keep from spreading the virus.

And Sandman says there's another reason for the government to involve the public in any bird flu preparations.

"Everything that's known about the psychology of fear tells us that people can tolerate more fear if there is something for them to do," he says. "So it's not just inaccurate for the government to imply that the government will take care of it. It's not only getting in the way of the public's beginning to take preparedness more seriously. It's getting in the way of the public's ability to endure the threat of the pandemic itself.""

...see the correlation between Pandemic communication and Security communication here?  So give me something to do...even as stupid as building a block for WMF files and I won't feel as scared.  Give me a role and I feel like I'm helping.  Make me feel dependent on things I can't control and I do freak out.

Communicate with me...give me something to do....and I feel better.

Blocking those WMF's at the email border

Okay so even before I blocked the WMF's via ISA server so that they are blocked while surfing...the first thing I did [because I knew easily how to do this] was to go into my antivirus program that protects my Exchange server and add WMF file extensions to be blocked at the server [in fact why do I need them anyway... I think I'll leave the setting exactly like that from now on]

So on my Trend Exchange a/v it looks like this:

So what if you were insane, stupid, or too cheap to buy a Antivirus that covers your Exchange server?  And boy you have to be all three these days not to get an antivirus suite that does this....but say you were... what else could you EASILY do on your SBS box to block those kinds of files....

If you've never done this before... you rerun the "Connect to Internet Wizard" and rerun the wizard to add file type blocking at the server...remember it looks like this:

Click on "add" to add the WMF file blocking:

And click OK...but what if you already did that and you don't want to rerun the wizard?

No problem... just follow this prior post...but here's a trick I found... Nathan said to right mouse click and click on "edit" but on my newly pristine server... I had no edit and Notepad sucked as an XML editor.  So I brought it over to my workstation where I have Frontpage, right mouse clicked on Edit, opened it in Front Page, clicked on "Reformat XML"

And edited the page in a much more user friendly format

<Attachment Enabled="True" Extension="wmf" Description="WMF Zero Day"/> which looks like this

Remember these are kinda like those backwards group policy settings where "True" is a good thing.... so when we get all done, I saved the file on my workstation and then stuck it back up on the server and it looks like this:

My resulting XML file.... is copied below:

===============================

<?xml version="1.0" encoding="utf-8" ?>

<SecAttsConfig>
    <Enabled>True</Enabled>
    <SaveToFile Enabled="False" Location=""/>
    <UnsafeAttachments>
        <Attachment Enabled="True" Extension="ade" Description="Microsoft Access project extension"/>
        <Attachment Enabled="True" Extension="adp" Description="Microsoft Access project"/>
        <Attachment Enabled="True" Extension="app" Description="FoxPro generated application"/>
        <Attachment Enabled="True" Extension="bas" Description="Microsoft Visual Basic class module"/>
        <Attachment Enabled="True" Extension="bat" Description="Batch file"/>
        <Attachment Enabled="True" Extension="chm" Description="Compiled HTML Help file"/>
        <Attachment Enabled="True" Extension="cmd" Description="Microsoft Windows NT Command script"/>
        <Attachment Enabled="True" Extension="com" Description="Microsoft MS-DOS program"/>
        <Attachment Enabled="True" Extension="cpl" Description="Control Panel extension"/>
        <Attachment Enabled="True" Extension="crt" Description="Security certificate"/>
        <Attachment Enabled="True" Extension="csh" Description="Unix shell script"/>
        <Attachment Enabled="True" Extension="exe" Description="Program"/>
        <Attachment Enabled="True" Extension="fxp" Description="FoxPro file"/>
        <Attachment Enabled="True" Extension="hlp" Description="Help file"/>
        <Attachment Enabled="True" Extension="hta" Description="HTML program"/>
        <Attachment Enabled="True" Extension="inf" Description="Setup Information"/>
        <Attachment Enabled="True" Extension="ins" Description="Internet Naming Service"/>
        <Attachment Enabled="True" Extension="isp" Description="Internet Communication settings"/>
        <Attachment Enabled="True" Extension="js" Description="JScript file"/>
        <Attachment Enabled="True" Extension="jse" Description="Jscript Encoded Script file"/>
        <Attachment Enabled="True" Extension="ksh" Description="Unix shell script"/>
        <Attachment Enabled="True" Extension="lnk" Description="Shortcut"/>
        <Attachment Enabled="True" Extension="mda" Description="Microsoft Access add-in program"/>
        <Attachment Enabled="True" Extension="mdb" Description="Microsoft Access program"/>
        <Attachment Enabled="True" Extension="mde" Description="Microsoft Access MDE database"/>
        <Attachment Enabled="True" Extension="mdt" Description="Microsoft Access add-in data"/>
        <Attachment Enabled="True" Extension="mdw" Description="Microsoft Access workgroup information"/>
        <Attachment Enabled="True" Extension="mdz" Description="Microsoft Access wizard program"/>
        <Attachment Enabled="True" Extension="msc" Description="Microsoft Common Console document"/>
        <Attachment Enabled="True" Extension="msi" Description="Microsoft Windows Installer package"/>
        <Attachment Enabled="True" Extension="msp" Description="Microsoft Windows Installer patch"/>
        <Attachment Enabled="True" Extension="mst" Description="Microsoft Windows Installer transform; Microsoft Visual Test source file"/>
        <Attachment Enabled="True" Extension="ops" Description="FoxPro file"/>
        <Attachment Enabled="True" Extension="pcd" Description="Photo CD image; Microsoft Visual compiled script"/>
        <Attachment Enabled="True" Extension="pif" Description="Shortcut to MS-DOS program"/>
        <Attachment Enabled="True" Extension="prf" Description="Microsoft Outlook profile settings"/>
        <Attachment Enabled="True" Extension="prg" Description="FoxPro program source file"/>
        <Attachment Enabled="True" Extension="reg" Description="Registration entries"/>
        <Attachment Enabled="True" Extension="scf" Description="Windows Explorer command"/>
        <Attachment Enabled="True" Extension="scr" Description="Screen saver"/>
        <Attachment Enabled="True" Extension="sct" Description="Windows Script Component"/>
        <Attachment Enabled="True" Extension="shb" Description="Shell Scrap object"/>
        <Attachment Enabled="True" Extension="shs" Description="Shell Scrap object"/>
        <Attachment Enabled="True" Extension="url" Description="Internet shortcut"/>
        <Attachment Enabled="True" Extension="vb" Description="VBScript file"/>
        <Attachment Enabled="True" Extension="vbe" Description="VBScript Encoded script file"/>
        <Attachment Enabled="True" Extension="vbs" Description="VBScript file"/>
        <Attachment Enabled="True" Extension="wsc" Description="Windows Script Component"/>
        <Attachment Enabled="True" Extension="wsf" Description="Windows Script file"/>
        <Attachment Enabled="True" Extension="wsh" Description="Windows Script Host Settings file"/>
        <Attachment Enabled="True" Extension="xsl" Description="XML file that can contain script"/>
        <Attachment Enabled="True" Extension="wmf" Description="WMF Zero Day"/>
    </UnsafeAttachments>
</SecAttsConfig>

So if you have ISA here are some things you can do

So.... let's see..... we have a Zero Day WMF exploit nailing even fellow MVPs .... websites that nail you with malware so bad you have to flatten and rebuild....that merely visiting the web site..no clicking.... will nail you.... and Trend [and most a/v companies] has the definition for this in there 'beta' def but not their released one....so what's a gal to do?

So I already blocked WMFs in email in the Trend Antivirus

• I don't want to pull down a beta def file
• I'm not sure I want to unregister a dll.......shimgvw.dll
• So how about looking at what my ISA server can do 'eh?

Jesper's Blog : Blocking certain extensions in ISA server:
http://blogs.technet.com/jesper_johansson/archive/2005/12/28/416565.aspx

Very cool huh! And how about we block those wmf's via ISA server.

So we go into the ISA management console..and we access the SBS Internet Access Rule [on mine this is rule 23]

• Click on Protocols
• click on Filtering
• Click on configure http
• Click on Extensions
• Choose "Block Specified Extensions and allow all others" and then put the list in you want to block
• Click "add" and put in wmf.

Click OK, click apply and now when i go to the test page... voila...the image doesn't show up.

Is this cool or what?  Now I feel a lot better since Trend hasn't updated yet.

"A good bug wasted on a malware site"

On the security listserves, there's discussion of a image vulnerablity that uses WMF files to inflect/inject malware... and one of the posters had a line about it that had me laughing ... "a good bug wasted on a malware site".

The discussion of this bug [for which at this time, there is no patch] is discussed on

http://www.f-secure.com/weblog/archives/archive-122005.html#00000752
http://isc.sans.org/diary.php?storyid=972
http://www.heise.de/newsticker/meldung/67794

And as reported by Andreas Marx, some A/V companies are already creating signatures for this.....

AntiVir TR/Dldr.WMF.Small
Dr Web Exploit.MS05-053
F-Secure Exploit.Win32.Agent.r
Fortinet W32/WMF-exploit
Kaspersky Exploit.Win32.Agent.r
McAfee (BETA) Exploit-WMF trojan
Symantec (BETA) Download.Trojan

If you enable DEP to cover all programs the WMF exploit attempt will result in a warning as per www.incidents.org but folks are recommending a blended protection:

• Using up to date antivirus
• Enabling DEP
• Teaching users not to click on suspicious links
• Blocking wmf files at the border

A temporary 'out the door' policy in ISA 2004

Okay so you wanna do a temporary "anything out the door in ISA 2004"?  Just so you can see if something works, or temporarily allow something out and you'll figure it out later?

No prob....just go to the Firewall Policy in the ISA console and then the SBS Internet access rule and add "All Users" in addition to the "SBS Internet Users" and click okay and then "Apply" at the top.... now anything inside will go outside.....

To undo it just take out all users and you are back to the normal SBS default rule set/setup.

Two follow ups...

ONE - this is TEMPORARY and I'll wack you upside the head with my 2x4 if you leave it permanently...now with the ISA monitoring ...man there is NO NEED for you to leave this like this... as you can tell what is being blocked.....

TWO - Obiwan had a great idea to build another rule set and leave it disabled and just 'enable' it when you needed to rather than messing with [and possibly screwing up] an existing rule.

We're losing the war on the home front

...so we ask around the communities that I hang in and the consensus comes back that while 2005 was a good year for the Admin and business crowd, it was not for the home front.  Just today a client brings in a computer that I needed to post some journal entries to the accounting program and she says "it does some wacko stuff when I go on the Internet" [she's on dial up] and I notice that she's got Xp sp2 waiting down in the system tray to be loaded up.  Knowing that Xp sp2 doesn't like malware on the box 'before' installing it, I attach it to an external access to our dsl and plug in the RJ 45. 

The second it has a tcp/ip connection and I launch IE is when the fun starts.  I first install the MVP hosts file to get it to a state where I can even work with the system as IE freezes up too much without that.  Then I boot into safe mode and use Counterspy, Microsoft Antispyware, Windows Safety live and Trend's Housecall, and each one finds a new little critter that the other one didn't find.

I boot into normal mode and now the popups have stopped and the machine appears ready enough for the Xp sp2 application.... I also notice on this box that had the firm's accounting application on it was AOL's IM program that was pretty obviously used by a teenager and it reminds me of the cardinal rule of mixing "business with pleasure"

Buy a computer for your teenager and have them screw that machine up.

In the home office security checklist...it makes this clear but doesn't stress this enough...

"Don't let children use your business computer without your supervision. Ideally, you should not allow your children to use your home office computer. If your computer needs to serve both your business and family, be sure to supervise your children whenever they use it."

I would say don't let them use it period...buy a new computer....don't let them near the one you use for business or the office.

OOF messages

This time of year, people have a ton of out of office messages and they don't realize how much they 'leak' good social engineering information about their offices [or even a lot of funny information]

This was suggested as one way to combat the OOF messages that end up on listserves:

Microsoft Exchange Server: Suppressing Out-of-Office Generation:
http://www.microsoft.com/exchange/techinfo/tips/mailtip01.asp

The point is that OOF messages are not automatically set up to go outside the domain.  Exchange, by default, does not send them out the domain.

Why are they a security issue?  Because they disclose information that could be used to do Social Engineering in a firm.  Thus ensuring that only those people that NEED the information about out of office should get it.

To be honest with you, with my Audiovox 5600 Cell phone, I'm hardly out of touch to need a "Out of Office Message"

So my Dad has this card for a $1,000 online shopping spree...

And the first clue that this should be suspect is that on the card it says "Visit our website by typing into the address in your browser bar, do not use a seach engine to find the site"  Hmmm...now that's interesting that they say to type in the address and not use a search engine....

Maybe it's because the "word of mouth" out there is that this is a scam?

So what are the clues this is bogus?

1. The car dealership that Dad got this from isn't a major car dealership but one of the "sub" dealerships
2. The fact that they wanted us to just go to the site and not use a search engine

When getting these too good to be true offers... remember that they ARE too good to be true.

Patching Webcast for your viewing pleasure

View Recording

Recording Details

    Subject:              Patching your network - how to get started
    Recording URL:        https://www.livemeeting.com/cc/winserver_usergroup/view
    Recording ID:         B3H4JQ
    Attendee Key:         N"}P_8b

If you want the slide deck, it's at www.sbslinks.com/WSUS/WSUS.ppt 

Year end review...how was your year in Security?

Microsoft and Computer Security in 2005: Real progress was made by Microsoft and its industry partners in 2005.:
http://www.microsoft.com/presspass/features/2005/dec05/12-21Security2005WrapUp.mspx

Forget that Diet: Microsoft Encourages Consumers to Resolve to be More Secure Online in 2006: Q&A: Amy Roberts of Microsoft’s Security Technology Unit discusses the “Protect Your PC in 2006” resolution and other Microsoft consumer-security efforts.:
http://www.microsoft.com/presspass/features/2005/dec05/12-20Security.mspx

--------------------------

As we close the year... think of your security related issues in 2004 versus 2005

How was your year?

Better?
Worse?
Why?

(and please comment to the blog as I'd love to see your thoughts)

Call me wacko but the sight of this thrills me ....

Windows SharePoint Services components may be deleted after you reinstall the Intranet component of Windows Small Business Server 2003 SP1:
http://support.microsoft.com/default.aspx?scid=kb;en-us;909988

Look at this... it's our first automagically deployed SBS critical patch... isn't that COOL!  Do you realize how long and far we've come from the day I sat across from folks and explained to them how patching was one of the worst things I did on the SBS 2000 box?  Do you realize how far we've come from when I first read about a 99 page white paper from Jeff Middleton who suggested that patching needed to be done monthly?  Do you realize how far we've come from when Jeff explained the qchain process and the dependancies and how it was a mess?

We've come a long long way.....and yes.. that patch is SBS approved [pretty obviously SBS approved since it's specifically for us]

Sometimes it's embarrassing to be an Accountant

Truly there are times that when I'm at geek events I drop the "CPA" credential because second only to Attorneys, my profession has a reputation of being behind on technology.

These days I'm embarrassed as well by the Accounting applications... between ones that won't support patches past a Security patch in 2004, to my favorite poster child of Quickbooks that to this day requires local adminiatrator access, for a profession that prides itself on Accountability and SOX and all that control stuff....we sure don't know how to code up an application worth beans.

So in addition to the information here on how to get Quickbooks to share data on a server, and here, Stefan reports on the smallbizit listserve that to get the program to share out properly, he had to give the Quickbooks service account full control of the directory where the data is residing.  Also he had to exclude the service account from the password policy and set it to 'password never expires'.  Then you had to stop and restart the service.

Okay so I don't know about you but the fact that with a $39.95 password cracker program from www.elcomsoft.com I can hack the passwords of Quickbooks in mere seconds, the fact that they still require local admin rights in the 2006 version, that they won't even address the local admin issue until 2007, doesn't give me all warm fuzzys that that application is sitting on my domain controller.

When is the backbone of business, the accounting application, going to step up to the 'secure coding' initiative here?

Guys, this is embarrassing when it's the accounting applications leading the pack here.

Setting up automatic updates

This blog post started when someone insisted that Windows update 'forced a reboot' on a system, and I argued that it did not.  Sometimes I wish there was a handout with each new computer that would in picture format explain exactly how to secure a system, how to patch, how the process worked...because I think there would be a lot less folks thinking that Microsoft 'forced' things on people.  BTW the entire contect for this post came from inside the help file of a XP SP2 machine

Options for setting up Automatic Updates on your computer

To choose when and how updates will be delivered to your computer, you have four options:

Automatic (recommended)

Download updates for me, but let me choose when to install them

Notify me but don't automatically download or install updates

Turn off Automatic Updates

 Notes

• To open System, click Start, click Control Panel, click Performance and Maintenance, and then click System.
• Installing updates before you shut down your computer is another way to keep your computer up to date and more secure. This option is available only in Microsoft Windows XP with Service Pack 2 (SP2), Microsoft Windows Server 2003 with Service Pack 1 (SP1), or an x64-based version of a Windows Server 2003 or Windows XP operating system and only if important updates have been downloaded but not yet installed. Do not turn off or unplug your computer while updates are installing. Windows will automatically turn off your computer after the updates are installed.
• Only users with administrator privileges may add or remove programs, including Windows updates. It is strongly recommended that you log out of the computer administrator account when you are not performing tasks that require administrator privileges. If you are logged on as an administrator when your computer is the target of a virus or malicious user, the attack can cause extensive damage. For example, it might be able to reformat your hard drive, delete all your files, or create a new administrator account so the attacker can take over your computer. For more information about user accounts and why you should not run your computer as an administrator, see Help and Support.

So what's the best Antivirus?

I get asked this alot... what's the best antivirus for SBS 2003... and to be brutally honest... I'm not sure I know anymore.

You know the other day Vlad made a comment that the Microsoft Blogs being "filtered" and he says that I'm brutally honest..but you know what...there are times that even I hold back until I find out all the facts.  "Power brings with it great responsibility" and the SBS Podcast gang understand that.  So I totally respect that they are not ranty and fly off the handle and do what I do sometimes...just like today... this post is hard for me to do, because I know I have to be brutally honest.

If you would have asked me a month ago what I thought the best antivirus for SBS 2003 was I'd probably way less neutral than I am today.  From the 'chatter' on the newsgroups, the spam filtering on the version 3 of Trend's CSM suite, it's just not comparable to the version 2.  That combined with the fact that you have to watch the compression issue on the default web site and that some folks are ending up with Trend's firewall on the workstations [which shuts down traffic] and well... if you are looking to deploy version 3 on an existing 2.0 client... you might not want to do that...... you might want to hold off.... and if you are deploying a new client, you might want to ensure that you get a code that works on the version 2.0 and deploy that one.  Folks are having to install the Exchange IMF along side the version 3.0.  The issue is how Trend has place the handling of spam squarely in the hands of the end user in the version 3.0.  The problem is for some firms like mine... we want it centrally managed.  My boss doesn't want to handle the spam, he wants me to.  And while spam isn't exactly virus related...in his mind it is.

So... after hearing Hilton talk about this... and seeing stuff on the web... I think it's time I download some trials and take a look around.  I know that Eriq and Marina love Sophos, and Handy Andy loves Symantec [not the yellow box but the corporate version] ......

so..what's the best antivirus for SBS 2003?  I'll let you know... as I'm not sure....

The UI grab

...so if you've downloaded the patches and not rebooted the computer annoyingly about every 5 minutes or so reminds you that you haven't rebooted....

But here's the problem... on the XP annoying reminder... you can't see that there are two letters that will make the system thing you have said "yes, go head and reboot"

But you CAN see them on the Server version of the same.

See that "N" and "L"?  So if you are typing away and the Annoying 'Restart now" grabs the focus of the computer on you...and you just happen to type an "N"...guess what... there goes your system with anything you had open and running at that time and it's rebooting whether you like it or not.  Now on my laptop, if a patch has come down, I've opted on shutdown to choose the "don't install" but on shutdown there is a "install on shutdown" when the system has been set to detect patches.

I don't think all these choices are made clear enough, because so many people think that these options are force on them...and they aren't... they just don't understand what they are 'opting' into, that's all.

Well I'm patching the server in my jammies today

I had patched all my workstations earlier this week [remember ... I put Internet Explorer on high priority on the workstations, low priority on the servers] and this time I did it via Microsoft update versus my normal Shavlik just to point out a few things as a follow up to the Patching Podcast

First off... remember I said I always do the "High Priority" updates... this month the server needs the IE update and the fixer for the update mechanism.  I also do the monthly software removal tool.  Did you see the article that more of the malware found by that cleaner tool is rootkit based stuff these days?

I sometimes might do the optional... since I have no apps at this time that need .Net Framework 2 or Smart Card... there is no need at this time to add those.  I never ever do a driver from Microsoft update, but I do use it as an indicator that I need to go to the HP website and find a new one.....

Uh..note to self... go to HP and look for update NIC driver...

And the thing that I never do is the following setting:

See that "Automatic and install them automatically [and thus force a reboot]?  I never do that.  Now Chad and others, do select the "Download updates for me, but let me choose" which ends up with an icon in the system tray that looks like this:

So then, when you are ready you can click on the button and install the patches, but just be ready to reboot as the system will remind you that you are not fully patched unless you reboot for certain patches.  Rebooting isn't mandatory for all patches, but this month, to be protected you need to reboot.

Embracing our Spots.

You see that down there?  Windows Small Business Server in the Microsoft Update category?  Do you have any idea how cool that is to see that down there...ready to go... ready for any patches that are unique to SBS.

You know sometimes I think we SBSers argue so hard [too hard] that we are just like our big brother servers.  And you know what.... we're not.  And that's okay.  We have unique stuff just to us and they don't.

So make sure you flip youself over to Microsoft Update by going to Windows update and on the right hand side clicking on the button to switch to Microsoft Update and get all tingly when you see that "Windows Small Business Server" category.

What's on your To Do List?

1. Disaster recovery/business continuity
2. Employee awareness programs
3. Data backup
4. Overall information security strategy
5. Network firewalls
6. Centralized security information management system
7. Periodic security audits
8. Monitoring employees
9. Monitoring security reports (log files, vulnerability reports and so on)
10. Spending on intellectual property protection

According to this, This list further reinforces the reactive nature of information security. Awareness programs often score high as a strategic priority because they’re relatively low-cost.  One should expect number 10 on this list will shoot up in priority next year, given the steady stream of identity thefts and other major information crimes.

Now this is a bit "big server land", but i think even us SBSland folks can take a page out of this. This has been a year of disasters.... we started out the beginning of the year with the tsumani of last Christmas, we're ending the year with the Hurricanes that hit the USA. 

Think SBSized... but how are your clients on that list?

Is McAfee [and other preloaded software] a virus?

So it's that time of the year that we look around and ensure our systems are up to date before busy season and get new computers if needed.  So I go and I buy the Dell Optiplex line, this time making sure that I bought the extra PS2 port option which isn't really 'extra' per se at all as it doesn't come standard with the box.

So I boot up, get it up to a workstation mode [before joining the domain] and there's my first lovely Red Mcafee window that hits me in the face.... well...says I.... let's get rid of that since I have the firm antivirus.....and I realize that there's no "x" in the corner to shut down this annoying configuration wizard.  You have to go through about four screens before you can finally get to a place to cancel.  Then to rip it off the box, you have to remove about three McAfee programs that are on the system....and I don't want McAfee in the first place!

The major insult to injury is the fact that in being installed on the Optiplex, it has with it's McAfee Security Center, taken over the duties of the XP sp2 Security Center.  Even though the a/v is out of date, there is no little red icon of Windows down in the system tray telling me "I'm screwed", instead there's the 'normal' McAfee red icon that tells me nothing.  So I uninstall that... reboot the machine...and the XP sp2 security center does not restart... I ended up having to restart the box 'again' to get the Red shield down there like I wanted it to be, being the indicator of the patches and the antivirus.  I still don't have my fully functioning antivirus that I want... and everyone that I tell this rant to said "oh just flatten the box, those preinstalled things are like a virus".  But how's the Mom and Pop non geek person going to handle this?  They don't need a McAfee security center... how are they going to follow Microsoft guidance for how Microsoft update and patching works when there's no shield in the corner?  No icon? 

Mr. Dell?  I bought this computer.. I didn't give you the right to shove the antivirus that you made a corporate deal with down my throat.  It's getting to the point that I'd pay more for a plain computer, because quite frankly I've had enough of this.

Dear Susan Bradley, we are writing to inform you....

We are writing to inform you that on December _ of 2005, we discovered a security breach of our electronic records.  We quickly investigated the incident and determined that in November of 2005, a hacker penetrated our perimeter defenses and obtained unauthorized access to one of our servers, which contained our database of customer records.  That database contained the credit card numbers.......

uh oh.....oh yeah.... one SB1386 notification that I personally got today from a software vendor that.... well... lemme just say that I would be totally freaking if I were in their shoes right now.

Here's what they are doing...they contacted the U.S. Secret Service and is fully investigating the incident.  In the mean time, they deleted all of the credit card data from that database.  The recommended that I call the three major credit bureaus and put a 90 day fraud alert on my account and review the accounts for any unusual transactions, and request a free credit report.  They recommend that I keep a close eye on my accounts for the next several months and report any suspicious activity to the banks.  If I think my ID is being improperly used in any manner, that I should call the Federal Trade Commission at 1-877-IDTHEFT [877-438-4338].

Equifax

P.O. Box 740241

Altanta, GA  30374-0241

www.equifax.com

To request a credit report call 1-800-685-1111

To report fraud call 1-800-525-6285

Experian

P.O. Box 2002

Allen, TX 75013

www.experian.com

To request a credit report call, 1-888-EXPERIAN (397-3742)

To report fraud call the same number.

Trans Union

P.O. Box 1000

Chester, PA  19022

www.transunion.com

To request a credit report call 1-800-888-4213

You know...sending out a letter to your clients with this kind of information during the holiday season just might be a nice proactive feature to do.  There's a lot of potential for fraud these days. 

Bottom line folks... this isn't a trivial matter and while I know nothing about the underlying nature of the breach, it gets back to the threads of doing all you can to be proactive on security.  I'm not saying that this kind of event is at all likely to happen to a Small Business like it did this much larger one, but folks... if your small business clients are still running things like Windows 98 and Windows NT and they have confidential client data that includes potential identity theft data?  Boy I'd be sitting them down and getting them on XP sp2 and SBS 2003 as fast as I could.

Good Enough Security

The blog post is here.

The article is here.

Okay read both? 

The other day in a listserve someone asked about Tools to check the security of a server and he asked if MBSA was good enough....and I said....

Define your role and your boundaries.  If your job is to just look at the security of that server operating system and nothing else then yeah, MBSA would be a good start.
If it's the security of your network, I would argue it's not enough.

All MBSA will tell you is the status of patches and passwords and a few other 'baseline' security things.  In my little SBSland...here's what it doesn't tell me about the security of my servers.

It doesn't tell me if those servers are running Sun Java and need a JRE update [I don't run Sun Java on them for that reason...but in case I had it on my servers it doesn't tell me that]

It doesn't tell me about the patch status of the applications on my box.

It doesn't tell me if I was running Veritas Backup exec that there's a vuln in that.

It doesn't tell me that my AV is either up to date, working as it should, has a vulnerability, etc etc...

It doesn't tell me if someone has compromised my system, has cracked the admin password and is now relaying out spam email out my server.

It doesn't tell me if malware has infested my server and I'm now got a back door or root kit that has me owned by some former drug syndicate that is now making more money on malware than it did on drugs.

It doesn't tell me if my Secretary has downloaded something from NakedDancingPigs.com because on average 80 to 90% of my systems are running as local admin and has introduced a trojan into my system.

It doesn't tell me that the sales guy that has the Windows Mobile Audiovox 5600 cell phone just left it behind in the Burger King at the airport and it has on it a domain username and password.

It doesn't tell me that someone used a Kinkos kiosk computer to log in remotely to my network and a keylogger just grabbed a username and password.

It doesn't tell me how many of my staff are VPNing in over unsecured lines, with malware and virus infected machines ready to pounce on my servers.

You know what I think keeps me secure?
Paranoia.

Not tools, but paranoia.

http://www.protectyourwindowsnetwork.com/  is an excellent resource and book I think for kicking up that paranoia.

BTW two security bulletins out yesterday including one for that IE zero day and MBSA will indeed tell you which machines need that.

Number one on 'how to get your network hacked' as per Dr. Jesper Johansson and Steve Riley, NFC, is "don't patch".

Bottom line security isn't about absolutes... it's about balancing risk, isn't it?

Trend needed hotfix to send Perf reports out after V3

Wayne in the newsgroup reports that .....

FYI..There is a patch for Trend Micro V3 which corrects issues with SBS2003 Reports and other not being sent to external domains.

For more information read the thread Trend Micro V3 Issues 12/04/05

For  others who may have this issue you need; Client Server Messaging Security 3.0 - Messaging Security Agent Hot Fix - Build 1157

The zip file is; Smex_7.2_11571.zip

Which includes; csm_30_smex_72_win_en_hfb1157.exe

Which fixes:

"This hot fix corrects an issue that some MIME formats could cause    Message Module(TMMSG) to convert the original SMTP message into a wrong format. Converting the SMTP message into the wrong format  might cause Outlook Express to time out when retrieving email messages using the POP3 protocol."

Applies to SMTP too. Once the hotfix was applied SBS2003 Performance reports go straight out and Meeting Requests arrive intact.

Wayne

Okay I gotta rant... come on Trend "Request the smex70_win_en_hfb1157.exe file from TREND MICRO Technical Support.

Premium Support Program (PSP) clients can contact their Technical Account Manager (TAM) directly

No, Trend, you put a patch like that in a place that those of us who live in a 24/7 world work and live in can get to it.

[btw that wasn't Wayne ranting...that was me, Susan as usual!]

Issue with SUS Servers

This Alert is to make you aware of the release of Microsoft Knowledge Base Article 912307, Synchronizing SUS 1.0 SP1 Servers with Windows Update after December 12, 2005 may cause previously approved updates to be unapproved.

Microsoft is aware of an issue affecting Software Update Services 1.0 users where all previously approved updates, including security updates, have had the approvals removed and replaced with a status of 'updated'.

Microsoft is currently investigating the issue and has found that Windows Server Update Services users are not affected.

Microsoft has published a knowledge base article providing workaround information for customers who may be impacted by this issue. 

Microsoft will continue to investigate this issue to help ensure SUS administrators can deploy Windows updates properly. 

More information can be found at:

http://support.microsoft.com/?kbid=912307

WSUS IMF patch expiration

If you saw that ...and wonder what it was and what happened to it, this is that IMF patch that the SBS podcast gang were talking about that was the bogus patch.  Just mark it off and continue your patching.

Speaking of IMF...they will be having their deep dive on IMF next Monday!

Info on Trend CSM 3.0 suite upgrade

Need some resources for Trend's new 3.0 suite?

Check out this link!

So far the biggest issues I've seen is that it doesn't like compression turned on the web site [which WSUS has turned on] and that the firewall is supposed to not be turned on the workstations via deployment but sometimes gets enabled.

Have you WSUS's sych'd today?

Courtesy of Tom Alverson on the WSUS listserve via www.patchmanagement.org

New Update Alert

The following 26 new updates have been synchronized since Tuesday, December 13, 2005.

Critical and Security Updates

Non-critical and non-security Updates

New Updates Today

MS05-054: Cumulative Security Update for Internet Explorer (905915) Rated: CRITICAL
http://www.microsoft.com/technet/security/Bulletin/MS05-054.mspx

MS05-055: Vulnerabilities in Windows Kernel Could Allow Elevation of
Privilege (908523) Rated: IMPORTANT
http://www.microsoft.com/technet/security/Bulletin/MS05-055.mspx

Other non security patches released today:

Update for Windows XP (KB910437) Install this update to prevent or resolve an issue in which Windows Update and Automatic Updates can no longer download updates after an Access Violation error occurs when using the Automatic Updates service.

Update for Windows Server 2003 (KB910437) Install this update to prevent or resolve an issue in which Windows Update and Automatic Updates can no longer download updates after an Access Violation error occurs when using the Automatic Updates service.

Update for Windows XP (KB908521) Install this update to resolve various issues that can occur when you use remote procedure call (RPC) for client/server communication in Microsoft Windows Server 2003 and Microsoft Windows XP.

Update for Windows Server 2003 (KB908521) Install this update to resolve various issues that can occur when you use remote procedure call (RPC) for client/server communication in Microsoft Windows Server 2003 and Microsoft Windows XP.

Update for Windows Server 2003 (KB896427) Install this update to resolve an issue in which you cannot view the contents of a subfolder on a network share. This issue becomes apparent after you install Microsoft Security Bulletin MS05-011: Security Update for Windows Server 2003 (KB885250).

Update for Windows XP (KB835409) Install this update on Windows XP Service Pack 1 systems to resolve an issue where System Restore may not work correctly or certain services may not function properly after using System Restore on SP1.

Updated Malicious Software Removal Tool
http://support.microsoft.com/?id=890830

Sam the SBS Server is very upset today

I was going to interview Sam the SBS server for this ...but right now he's yelling and is so upset I can't calm him down enough for the Interview.  He's very upset that a year after he was deeply embarrassed by what he did that it happened again.  That people still have the original code on their systems and have not patched.

Server bug cripples Dublin law firms | The Register:
http://www.theregister.co.uk/2005/12/10/server_bug_cripples_dublin_law_firms/

He said that when this first happen it was Microsoft's fault.... now this is yours.

We now have this patch on the Microsoft update site.

You now have no excuse whatsoever to not have this patch on SBS 2003 boxes.  All you have to do is flip that server from Windows Update to Micrsoft update...which ... if you've ever WU'd that box it now recommend that you do so.

If these servers were installed by an IT Pro?  This is your job.  Both Sam and I cannot understand how the IT pros of the world not at LEAST know about Microsoft update, not trying to be learning WSUS, not be proactively helping your client to patch.  Want to know one of the ten ways to get your server hacked as per Johansson and Riley's book “Protecting your Windows Network“?

Don't patch it.

If this is a DIY setup, okay I'll cut you a little slack ...but even still... you don't even have to install WSUS... all you have to do is visit Microsoft Update as those SBS patches are now offered up.  I cannot believe that just as we reach the milestone of patches now being offered up on our boxes, that someone cannot find their way to Microsoft update... I cannot believe that they went this long without updating...that's RTM code of October of 2003 that hasn't been updated.

Let's review class of exactly how easy it is to visit Microsoft update.... start, click on Windows Update.

There?

Now on the right hand side, see that Microsoft Update box?  Click there and go through the process of installing it.  Download what it tells you to.

Heck, turn on autoupdates, because I'd rather you have unmanaged patches being installed on your box than none at all.

I'm sorry but I'm in a mood.... if you buy a computer READ THE INSTRUCTIONS.  It's our duty these days to patch.  It's our responsibility to learn the power of the technology we have.

Learn to patch.

Go to Microsoft Update.

Sam the SBS Server was ashamed of what he did the last time... today he's ashamed of us.   That we can't take the time to understand enough on how to keep him running.

If you don't have Microsoft Update 'flipped' to being the update mechanism on the server[s] you have and control, do it today. Make Sam the SBS Server proud of you and not embarrassed that you couldn't even keep him up to date.

Whoo hooo another SBS Support Podcast

The Official SBS Support Blog : Inside SBS Episode #12 - The ISA Server Meltdown:
http://blogs.technet.com/sbs/archive/2005/12/09/415881.aspx

The SBS gang have another podcast just in time for the weekend!

I need more granularity in my audit logs

Eric Fitzgerald is going to hate me.  I want more details.  More granularity.  I want more codes in my audit logs.  Why?

Because in order to figure out who is accidentially sliding files and folders underneath another one I have to track a couple of audit entries and I think the tracking of access needs to be way more granular than it is.

I had to set up auditing of Object Access and then enable the auditing of the folder for delete and write in order to track when a folder was accidentially being slid.  The events that show up in the audit logs indicate an access of “synchronize“. 

I don't think the number of audit codes are enough.  And I think kicking up the auditing is getting more and more important.  The Wall Street Journal has an article on how compliance is pushing a tech industry.

Bottom line.... I want more detail and more default auditing turned on, and I want to filter out for those events I don't need to audit. 

Does my filtering software have to be part of the native OS?  Not really.  Given my issues and needs and given this is now a “business issue“ this is where I go “okay I need to purchase a solution“, so I'm looking at GFI's SELMonitor.  But should the operating system natively be able to turn on more granualarity... I think so.  I think we're going to need a lot more codes than what are now available...but that's just my thoughts....

Event Type:    Success Audit
Event Source:    Security
Event Category:    Object Access
Event ID:    560

    Object Name:    F:\client data\Susan Bradley\Client
  
    Accesses:    DELETE
           SYNCHRONIZE
           ReadAttributes
              Privileges:    -
    Restricted Sid Count:    0
    Access Mask:    0x110080


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.



---------------------------------------------------
Event Type:    Success Audit
Event Source:    Security
Event Category:    Object Access
Event ID:    560

    Object Name:    F:\client data\Susan Bradley\Test
       Accesses:    SYNCHRONIZE
           AppendData (or AddSubdirectory or CreatePipeInstance)
              Privileges:    -
    Restricted Sid Count:    0
    Access Mask:    0x100004


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Write them down

You've seen it haven't you?  Documentation that says how to select a password and many times is says “Oh, heavens, don't write it down!“

My sister refuses to write down the password to her online banking accoount.   So what happens?  She forgets it and she has to reset it which normally means a long hold time on a lovely help phone line as by this time she's locked the account out.  Afterwards when we argue that she should write it down I remind her that every time we have this argument about her not writing down the password is each time she has to call and reset it because she can't remember it.

Have you read the article about writing down your passwords?

Writing down a password means I pick a better one.  Writing it down would mean I wouldn't argue with my sister each times she does online banking.  Writing it down is not the end of the world.

Setting passwords and password policies are, I think, one of the hardest things to do.  Why?  Because look at what happens with me and my sister.  I end up arguing with a person who is a very educated and talented person because she'd bought into the “don't write it down“ line.

It's okay to write down your passwords...just protect where they get written down to.

ISA Server Best Practices Analyzer

The Microsoft Internet Security and Acceleration (ISA) Server Best Practices Analyzer Tool is designed for administrators who want to determine the overall health of their ISA Server computers and to diagnose current problems. The tool scans the configuration settings of the local ISA Server computer and reports issues that do not conform to the recommended best practices.

Just out today is the ISA Best Practices Analyzer.. and lets just flat out admit up front that we flunk.  But it's okay because like we've said before, for what we do and who we are and the other practices we put in place, I can accept that I'm not running in a “Best for ISA” setup.  It's a best for me setup instead.

What's one place that we flunk? 

This recommendation:

This ISA Server computer is not hardened. We recommend hardening the Windows operating system running on ISA Server 2004 array members and Configuration Storage servers. A guide that describes how to harden the Windows operating system running on an ISA Server computer can be found here .

Actually for who we are and what we do we are about as hardened as we can be.  To get any more hardened we have to peel roles off...and I'll be honest with you ... until everyone of us is running with some sort of MOM Express managing multiple servers, I'm not convinced that a nicely monitored one server is less secure than three or four ignored ones.  I'll still argue that it's my daily 6 a.m email [and now my nightly midnight Scorpion Software firewall report] that make me secure.  The more things that are 'in my face' the more secure I am.

I'm also concerned that we're blindly wacking off some settings in ISA when we should be drilling deeper under the hood and understanding what's going on.  There have been some recommendations to wack off Strict RPC on that ISA and I think a bit more granular pruning of the RPC filters would be wiser.

The result of the Firewall Dashboard

So yesterday I found out via the Scorpion Software Firewall “in your face” Dashboard that my router had been pinging me to death.  So I “un RIP'd“ my hardware firewall on the outside about 9 p.m last night.

So what does my 'attack' radar look like today showing yesterday's attacks? 

It looks like someone ate a piece of Mince or Pumpkin pie is what it looks like.  Look at the reduction in pings.

And so far none of the annoying notifications that I was getting before.... ISA Server name: DOMAIN  -- ISA Server detected a port scan attack from Internet Protocol (IP) address 69.225.175.113. A well-known port is any port in the range of 1-2048. ..... that I would get... so we'll see if that fixes that issue.

The SANS “Application Security Hall of Shame” first inductee is Quickbooks

The SANS “Application Security Hall of Shame” first inductee is Quickbooks

In response to Newsbites' recognition, Brad Smith, senior vice president of QuickBooks, confirmed on December 2, 2005 that this problem will be fixed in the next major release (QuickBooks 2007), scheduled for delivery within 12 months.

And in one of my CPA lists, a poster asked “so we have to risk our machines because some of our clients are running 2006?  2007 is a long way off”.  To which I responded that we are risking our machines NOW.  Can you install software on your system now?  If so you are already running as an administrator and that means that malware can easily get in now too.

More info can be found on www.threatcode.com [and yes I need to add more to the nomination list and update the QB as non admin section]  You can see that more and more folks are saying that they don't want to hack up registries anymore.

Where I live and work

Where I live and work used to be a lot friendlier.  I could leave my defenses down.  I could leave my doors and windows open.  I could be open and friendly with everyone.  I could share out everything with all my neighbors.

But then 'they' moved in.  Criminals moved into where I live and work and now make more money off of my neighborhood than when they sold drugs.  I can't live and work the way I used to.  I now have to put locks and protection in place.  I can't be the trusting person I used to be. I must be more protective and proactive to secure where I live and work.

Think I'm taking about the house that I live or the office where I work?

I'm not.

I'm talking about the computer I use.  Criminals now make more money from cybercrime than drug crime.  So why in the world are folks still running an operating system who's threat level was build back when we trusted everyone, considered everyone our friend and had no paranoia.

This month's Redmond Magazine has an article about Anti-Spyware and one of the top five gripes is.....

Dearth of Support: Windows AntiSpyware runs on XP and 2000 machines. Users say they would like to see it run on Windows 98 machines as well.

Windows 98?  Folks... back in July of 1998 the AICPA journal ran an article about whether it was time to upgrade to NT from Windows 95.  Given that this is now 2005, almost 2006, I think the time has come folks. 

If where you live and work is a Windows 98, it's not safe enough or secure enough.  It's dragging down your neighborhood if you have it in your network.

Be a good cybercitizen and do your part.

Two security patches next week

Microsoft Security Bulletin Advance Notification:
http://www.microsoft.com/technet/security/bulletin/advance.mspx

Two patches next week and three non security updates on Microsoft update/WSUS next week.

Remember .... Second Tuesday of the month .... it's patch Tuesday.

So you want to know two ways you can check for issues with patches?  The first is right inside the article itself in the 'caveats' section.  Click there and there's the known issues.  The second is the "community method".  Go to www.google.com and then Google Groups and put in the KB article number and do a search.

Now you'll sometimes have to weed a bit through some postings, but if there's a trend of 'dead bodies' where folks are having issues, it should show up via that search of Usenet.

My ISA Server just got a smidge better [okay a lot better]

So I ran a test install of the Scorpion Firewall Dashboard on a VMware SBS 2003 [yes with ISA as you can do two nics] at home and the install was so nice and clean and easy and just sooooo cool...and well while the reports were fun.... well.. being a vmware stuck behind a real SBS box and a firewall meant that ...well, quite frankly the logs kinda boring ...that I wanted to see was it was like on a more 'production' system.

Now keep in mind that at the office ISA is 'behind“ a hardware firewall... but it's one that quite honestly I don't patch that one as well as I do the ISA server one.

So imagine my surprise when the graph that came up indicates that the hardware router I have on the outside is pinging my poor SBS box to smithereens.  Dana says it looks like every 30 to 45 seconds a RIP request is being fired to the SBS box.  He said that there should be a setting in the router to not do dynamic routing on the internal interface.  That should stop all that icky traffic like that.

Did I know that was doing that?  Nope.  Once again proving the power of “in your face“ email reports.

Suddenly I get this overwhelming urge to go stand up ISA servers all over the place to get more data.  This is cool.  If you haven't checked it out.. do it... and while it works on other firewalls... you know me I'm kinda partial to ISA server.

Sign up for the beta...and get more 'in your face' reporting from your firewall.

P.S.  I'm now RIP-less... I'll let you know what the updated firewall email looks like.

Paranoia for Laptops - it's already here

Abhi asks...when will we get the same level of support for a remote wipe of stolen or lost laptops....Abhi?  We already have the tools, we're just not using stuff already in the marketplace or stuff under our noses.  Steve Riley did an article on security of laptops and I already bought a service that monitors traveling laptops.

You know what?  We have these products now and sometimes we ask Microsoft for too much.  Let them do the core technology, but do we have to ask them to do everything including the kitchen sink around here?  I mean there already is technologies and services that do this?  Why are we needing more than the marketplace has already has in place.

So you want remote wipe?  We've got that.

You want security of data?  It's called EFS or PGP Drive.

Bottom line, it's already there.

Can I delete KB###### files?

You've seen them.  In the Windows subdirectory if you've been a good paranoid person, you'll find these KBinstall/log files all over that subdirectory.  Chris in the SBS podcast said that yes you could delete all these log files these especially if you knew the patches were installed.... and I'm going to disagree just a little bit.

Here's what I do... for one... make sure that C: drive is big enough that you really don't care, but since you do, go into add/remove programs and write down all the Windows KB article numbers in there on a piece of paper.

Now go into your windows folder that has those KBarticle numbers that correspond to all the patches on your box.  Delete the ones that YOU DON'T find on your listing.

What this allows you to do is easily remove any patch that is active on your system just in case you need to and review the log files.  The KBs that you don't see in that add/remove have been replaced with other patches and service packs. 

So I won't remove all of those log files....just some of them....

Deploying a third party cert

So someone the other day asked me about installing a Certificate authority on a SBS box.... and I argued with them and pointed to the post I had done the other day about self signed certs.  So today I realized that all we needed to know about how SBS handled the Certs and where it saved them was in the “More information“ click box inside the Connect to the Internet wizard.....

You'd think I'd learn to read by now wouldn't you....

Web Server Certificate

Several of the Web services require Secure Sockets Layer (SSL) to secure communications between a Web browser and your Web server. For the wizard to configure SSL, you must either have the wizard create a Web server certificate or you must provide a certificate file from a trusted authority.

A certificate is needed to establish identity and create trusts for the secure exchange of information. The certificate must be signed by a certification authority (CA). The wizard can create a certificate signed by your server, or you can obtain your own certificate signed by a commercial CA, such as VeriSign.

Option Description

• Create a new Web server certificate Click to create a self-signed certificate, and then type the full Internet name of your server that is used to access your server from the Internet.
  The certificate expiration period is set to five years. The certificate will also be saved as SBScert.cer in the Clientapps\SBScert folder so that it can be deployed to client computers by the Client Setup Wizard.
• Use a Web server certificate from a trusted authority Click to use a certificate obtained from a trusted authority, and then click Browse to locate the certificate.
  If you do not have an existing certificate from a trusted authority, but would like to obtain one, you must create a certificate request using the Web Server Certificate Wizard in Internet Information Services (IIS). To do so, complete the following:
  
  To create a certificate request
  
  Open Server Management.
  In the console tree, click Advanced Management, click Internet Information Services, click YourServerName (local computer), and then click the Web Sites folder.
  In the details pane, right-click Default Web site, and then click Properties.
  On the Default Web Site Properties page, click the Directory Security tab, and under Secure communications, click Server Certificate.
  On the Server Certificate page of the IIS Certificate Wizard, click Create a new certificate.
  On the Delayed or Immediate Request page, prepare a request to be sent later or immediately as needed.
  On the Name and Security Settings page, in Name, type a name for the new certificate. Next, select the appropriate bit length based on your organization's requirement. Verify with the CA that they support certificates of the corresponding encryption strength before submitting the certificate request.
  On the Organization Information page, in Organizational Name, type the legal name of your organization. In Organizational unit, type the name of your division of department. If your organization does not have a division, you can type the legal name of your organization.
  On the Your Site's Common Name page, type the common name for your site exactly as it appears to the external users, such as www.mydomain.com.
  On the Geographic Information page, type the required information.
  On the Certificate Request File Name page, type a file name.
  On the Request File Summary Page, click Next.
  Click Finish.
    Note
  
  To open Server Management, click Start, and then click Server Management.
  Once you have completed the process for obtaining the certificate, the organization will send you the certificate along with instructions for installing the certificate. You must then rerun the Configure E-mail and Internet Connection Wizard to change your Web server certificate settings.
  
    Notes
  
  This certificate is not deployed to client computers as is it already a trusted certificate.
  If you want users to securely access their Internet e-mail on the server using either Wireless Application Protocol (WAP) 2.x devices or Microsoft Smartphone 2002 or Microsoft Pocket PC Phone Edition 2002 mobile devices, either the server must have a commercial certificate from a trusted CA or you must follow a procedure so the device works with a self-signed certificate that you create. This procedure decreases the security of your mobile device. Therefore, the recommended and more secure method is to use a commercial certificate. For more information, see “Connecting Mobile and Remote Users” at the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=33539).
  The 2003 versions of these mobile devices do not require a commercial CA for the higher level of security.  [The Audiovox 5600 will easily accept the self signed certs]
   
  Do not change current Web server certificate Click if you are rerunning the wizard, and you do not want to change the settings specified the last time you ran the wizard.

Two white papers on Blaster and Malware

Anti-Malware Engineering Team : Anti-Malware White Papers Posted:

From the Anti Malware blog and the Microsoft Download site are two whitepapers ......

• This white paper provides deeply quantitative details and statistics that Microsoft has observed regarding the initial and continued effects of the Win32/Blaster worm on the global computing infrastructure and Internet users worldwide.
• This white paper proposes a new method of dealing with polymorphic malware

Declaration of Administrators and End Users for installation of software and patch standardization

Sun Microsystems:
http://www.sun.com/2005-1004/feature/
read that link regarding the Google toolbar being now included in runtime updates

I hereby put forth a Declaration of Administrators and End Users for installation of software and patch standardization.

If software companies can do End User License Agreements, I can have my own agreement and declaration of rights.

Dear Software Vendors.

When updating me, you will not bundle in technologies that I didn't realize you were partnering with.  You will not make it confusing to my Mom and Dad when keeping their computers safe.  This has got to stop.  You say that this is being done to support free and open source software and all it is doing is adding tool bars I don't want, software I don't need.

I refuse to install any Sun Java Runtime as long as you bundle software with it.

I don't want to have the Yahoo toolbar with Adobe reader either.  I don't want MSN desktop search with my MSN IM.  I don't want to have to constantly monitor every single application for options, uncheck boxes or any other ways I have to constantly monitor for unknown applications entering into my networks, my parent's computers.

As an administrator, as an end user, I demand that you do not make me have to ensure I read every screen, click every click to only get the software that I thought I was getting.

I agreed to install one application from one vendor.  I did not give you the right to insert a tool bar that gathers information from me.  I did not give you the right to precheck "yes" to installing additional software.

I want all of my vendors to start agreeing on a patch installation standard.  I want them to publish in a database their supported versions, where one can easily go to see in the registry what version one has, and other such standard procedures to audit the application of patches.  I want to be notified via email or rss feed when you are releasing patches for my applications.

You want my trust?  So that I'll buy products from you?  Use your software?  Then you be way more transparent and accountable to me.

I'm the user of your software only as long as I want to be.

Remember that.

Susan Bradley
Admin

Yeah I know... it's Friday... I'm in a mood.....so....anyone know the email address for Scott McNeally?

SBS on WSUS and MU

Steve Mattox posted to the newsgroup.....

The SBS team is proud to announce the availability of Windows Small Business Server (SBS) on Microsoft Update (MU) and Windows Server Update Services

(WSUS).

Today, fixes to issues that are found in the SBS product will now be available through MU and WSUS.  Also today you will notice a change in the SBS download Center web page.

The Windows Small Business Server team is recommending Microsoft Update or WSUS to be the method for keeping your Windows Small Business Server network

Up-to-date and Secure.  For guidance and information, please visit the SBS download Center

(http://www.microsoft.com/windowsserver2003/sbs/downloads/default.mspx ).

If you are interested in installing WSUS, please refer to "Step-by-Step Guide to Getting Started with Microsoft Windows Server Update Services on

Windows Small Business Server 2003"

(http://www.microsoft.com/downloads/details.aspx?FamilyID=28c43d57-2e15-47b2-9a6f-1514aa3ed05f ).

What updates are available now?

There will only be 2 updates available through MU\WSUS at this time and they will only apply to SBS 2003.  These updates are not new; they are the

existing updates previously available through our Download center.

Hotfix for Windows Small Business Server 2003: KB 833992

·         Description: This download address a particular way mail downloads can fail when using the POP3 connector in Small Business Server 2003. This issue causes the process IMBDOWNL.EXE to be hung with the CPU utilization at 25, 50 or 100%. A warning with event ID 1067 will be recorded by the POP3 server in the event log when this error occurs.

·         Security/Critical/Recommended? Recommended

·         Available sources:  MU, WSUS, and DLC

·         New update/Changes to existing update? Re-release of old Update which was previously released through DLC

Update for Windows Small Business Server 2003: KB 835734 [my comment -- yeah finally the patch for .....yes, your SBS box is sending out all those emails patch]

·         Description: There is a problem with how the POP3 connector processes certain messages downloaded from a POP3 server. This problem could

result in the POP3 connector accidentally re-sending certain messages to recipients who are not part of the SBS server e-mail domain. This may happen

only in the cases where the POP3 connector is used to download mail from an external POP account. Customers using Exchange to host their mail internally

will not experience this problem. This update resolves this issue. All SBS customers are encouraged to install this update.

·         Security/Critical/Recommended? Recommended

·         Available sources:  MU, WSUS, and DLC

·         New update/Changes to existing update? Re-release of old Update which was previously released through DLC

What Updates will be available in the future?

All updates that SBS releases will be available on MU\WSUS.

What other products that SBS ships will be available on MU\WSUS?

The major products now supported are: Windows Server, Exchange Server, SQL, SharePoint Services and Outlook.  ISA will be supported from their ISA 2004

SP2 and on (Feb 06).  More products to come in the next wave.

How do I configuring WSUS?

As some of you have seen, SBS is now a category in WSUS Admin.  This category only covers SBS specific fixes.  You will need to select the other

available applications that are on your SBS server so that the updates for those applications will also be downloaded.

Upcoming Updates:

Yes, we are working on a Critical update to be released on 12/13.  This is an issue that was found were reinstalling Windows SharePoint Services will

randomly delete a document library.  This will only be applied to SBS SP1 Slipstream installations, not web downloads.

So now you have a server... what do you monitor?

I'm stealing a post from the newsgroup from fellow MVP Dave Nickason with my comments in italics...

FWIW, this is what I do:

• check all logs daily for errors or possible problems (or as close to daily as I can) [yup so do I - but remember your daily email will alert you... read it!]
• make sure the backup ran successfully, and that the designated person changed the tapes, also daily  [these days it's a usb harddrive]
• monitor the AV software to make sure it's updating the servers and workstations as it should be [this is where your early warning indicator is XP sp2 with the security center comes in handy-- when it freaks ....so do I]
• frequently check the server monitoring program to make sure no hardware is failed or failing.  I try to do this in the server room rather than remotely so I can make sure that there's not a vacuum cleaner plugged into the UPS or someone's coat hanging on a server [I lock the server room at night and check for physical issues, my HP machine has additional monitoring software that lets me know of issues[
• occasionally monitor the drives for free space [the daily emails tell me how much the server drives are growing]
• occasionally check the UPS status [one of our main printers is also in the network room so the green lights are pretty obvious]
• keep track of patch releases and install all necessary patches shortly after their release (you can subscribe to security alerts, etc. from Microsoft or watch for Susan Bradley to post something when they're released)  [who me?  Yeah I get the security alerts on my IM and my cell phone I also watch the chatter from the Patch Management listserve and Shavlik emails me with patches that are ready to use in their deployment tool.... unlike... uh.. WSUS who will shove stuff out without telling me.  I normally install patches depending on the risk, the 'chatter' on the backchannel regarding threats out there, and what firm deadlines might be of concern.  Most of the time I'll patch on a Friday, but there are times I have patched on “Patch Tuesday evening“. You do know about patch tuesday, right?  Second Tuesday of the month is the day the bulletins get released]

For Exchange, I do nothing except monitor the server logs daily and the database size occasionally.  Rightly or wrongly, I almost never defrag.  [same here, and mine is the biggest mailbox.  These days with 75 gigs it's less of an issue]

Two comments:  If you frequently monitor the server logs, you may spot something at the warning stage and avert a problem before it becomes critical (and thereby makes it into the e-mail report).  And, it's a good idea to do some monitoring so that you're familiar with how things run normally - this can help a lot in troubleshooting when something goes wrong.  [Honestly I think I'm going to set up some baseline Perf mons on my baby...we did it on the Yoda server box and Vlad constantly kept saying “baseline it“ “baseline it“ and all of us SBSers are going...do what-line it?

There's one more thing that has come in handy over the years... have the DSL modem in a place where you can see it.  There's been a couple of times that I've caught things [usually people downloading something they shouldn't... by seeing the solid lights on the DSL box and thinking to myself “okay what's doing a solid yank on our pipe like that?“  In a normal small office those DSL light connectors should blink.  Unless you are streaming media, watching a webcast, there's a pulse of activity, but not a solid light.  After a while as an admin, you'll know your firm's 'pulse“...and you'll know when something isn't right.  Every now and then pull up the live logging of ISA and see what's up and what your folks are doing.  Your acceptable use policy [you do have one, right?] says that you have the right to review anything and everything on that employee's system.  If your DSL modem is stuck solid on, fire up that ISA real time monitor and check it out.

Bottom line just be a smidge proactive, a smidge nosey, a smidge inquisitive... you'll be a very good SBS admin.

My soapbox

Brian Tankersley today talks about my soapbox issue. 

User rights.

I'm tired of the major accounting vendors setting such an horrible example of security.  We should be ashamed that our major accounting applications, the backbone our of financial records do this to us.  That they weaken our desktops so much as to introduce risk.

Dr. Jesper Johansson today talks about the story in his book where someone had administrator rights on their machines and one person did not.  One had a mess.  One did not.

Eweek did a study and 'found no persistent malware showed up on the system where the user was not an administrator'.

In the year 2006, that a major business accounting application can still code insecurely and be a top seller means that “we” the marketplace does not care. It's only when we do that things will happen.

Only 6

I was at yesterday's TS2 presentation and only 6 people in attendance were using WSUS.  Remember SBS 2003 in the R2 era will have WSUS inside the box.

Now I will still honestly tell you I vastly prefer Shavlik's push, patch, done versus WSUS's setup, tinker, approve, review reports....but gang... you need to download WSUS on your own systems and start playing with it now. 

To me WSUS isn't just a patching program, this is risk management for that firm.  And if you are not helping that firm deploy patches, service packs...why not?\

Want to stay safe and secure?  You patch.  To me it's just a natural part of the computing process.  And as long as I've built in the processes to ensure I have a easy way to recover on the rare remote chance something might occur, patching is not an issue.

Today in the newsgroup someone said “I have an old backup”...I'm sorry but with USB harddrives as cheap as they are, given that you can hang one off a shared drive off a workstation, you have NO excuse not to have a backup.  As easy as the SBS wizard is.....shame on you for not doing what you can to protect your business.  You have a responsibility to yourself, your family, your employees families this Christmas time to keep your business operational.

Patching and Backups.  Two EASY ways to keep yourself in business.

Antispyware gets an update

Microsoft Antispyware gets an extension of time so you should start seeing this pop up in your systems.....

So what do I choose in WSUS

Amy asks if we should just choose the “Windows Small Business Server” now as our only WSUS option, and I'll double check, but I think the answer is “no”.  It's my understanding that the patches that come under that section are unique to SBS only patches.  We haven't had one in a while, but it's things like the POP connector patches or our Sharepoint only patch.

Stay tuned, I'll let you know for sure though.

So what's the risk of Self Signed Certs?

You've seen it haven't you?  This:  The self signed cert prompt before getting into RWW.

So you are probably wondering why... with all my paranoia I don't go out and buy a third party certificate that I can trust from someplace like instantssl.com?

Because. 

Why do I trust them any more than I do my own box?

As it stands now I can make a workstation like my home one trust the certificate, I can easily click on View Certificate and examine that it came from my box, I can examine the SHA-1 thumbprint as I install it on my workstation.

An Expert on Encryption once came and did a presentation on the topic to our CPA group.  And he made the point that why do we trust any third party publishing certificate anymore than we do ourselves?  In the proper world of PKI and such topics, you should really meet a person face to face, swap identity information, and swap certificate information to ensure that you can confirm you got that certificate from that very person.  So if I can explain the process to my employees, if I tell them what the SHA-1 thumbprint is if they really want to be paranoid and check this, what's the risk of a self-signed certificate once I've installed it on a workstation to then accept the cerificate from my server?  Heck if I“m that paranoid I can type up the Thumbprint and have folks verify that.

Okay let's look how someone might trick me...or any of my employees that have remote access [remember not all do] with a self signed certificate especially if I've told them how to install it on their workstation once.

Okay they'd have to first build enough of web site that looked like the SBS front page.  They'd have to grab the DNS records and redirect those settings to their system. 

Do you get the idea that the risk of this...while ... I mean I can't honestly say it's non existent.... well let's just say that some bad guy is going to send a phishing email or trick one of employees to a web site to download malware is a greater risk.  The risk that employees today were using up your bandwidth to do Christmas shopping is greater.

So why would you need a third party certificate?

Do you need one for cell phones?  Nope.  You can add the cert to the phone.  In fact I do this all the time.

Do you need one for RWW for XP workstations?  Nope. As you can see above.

When 'might' you need one?  Macintoshes.  But even then we have a workaround for that too.

So why do we need to have a third party web site that we don't have control over be a verifier for my SBS box that I do have control over?  Some might say that using third party certs add more flexibility....but I just keep thinking about that padlock story.....

“There is a lesson here for security architects who worry at length about the number of bits of key to use in a cipher or the security of a CA, but not about the computer, operating system, protocol, human interface or physical environment of the application allegedly made secure by that cipher or PKI”

I'm spending my time and paranoia elsewhere thank you very much.....

More to WSUS

So Amy on the mssmallbiz lists reports that the WSUS syncronization options now list SBS as an option

Hey, cool, remember how any of our unique to SBS patches are only offered up on Shavlik right now?

Oh and another thing....

It would be really nice if there was a 'landing page' for all the post XP sp2 patches in one easy to click place.. I'm going to try out Windows Catalog and see if it will help.  The other day when I brought up a Dell Optiplex it needed 29 patches.... There are 70 critical patches I can put in a basket here but there are a lot of multi-language ones I don't need.... too bad I can't sort by language.  Hey you know... on the outside screen I said “English“ yet I get all the .Net service packs and patches in all the languages...what's up with that?  Weird.

Grrrr...and now the pop up blocker built into XP sp2 caused the download to fail so I have to start the selection process all over.  I wish Microsoft's own web sites would not do that.  Place nice with your own security controls, please?

There we go... there's the downloads starting... have to see if I can point MU/WU to this cdrom once I've burned it in.

I think I need to buy Dad DSL

Had to run home because I forgot that one of Dad's computers is not running XP sp2 [shame on me] and to bring it down on a dial up it would be 6 hours.... wow... I don't know how someone can fix a computer, secure a computer, keep it safe without DSL or cable modem.

Dad said “oh I'm going to build up a computer and then just have that one for the Internet... that way if it gets thrashed I won't care”.  While having a 'throw away” computer might we wise, I said to him that I didn't want him to get his system into that condition because I didn't want to know that a computer that our family owned was helping out the bad guys.

These 'bad guys' are changing our lives....look how much my Dad just takes it for granted... and he doesn't care.... but I think we do need to care.  We do need to secure...even for our home machines.... especially on our home machines.

They are waging war on us... it's time we wage war on them....and before someone says “Oh you just need to change operating systems“... no.  That's like saying “you need to move your house to a new neighborhood“.  No.  I'm not moving.  I'm drawing a line in the sand and saying ...enough.  I think we all need to do our part to clean up the Internet and stop taking it for granted. 

BTW in case you need this today.....some ideas on malware removal here....

http://wiki.castlecops.com/MRP

http://castlecops.com/article-6341-nested-0-0.html

So what data protection resources are there?

So what rules and laws are in place that you have to abide by for security personal identity information in your network?

Where do you live?  What clients do you serve?  If you have California residents you are bound by AB1950/SB1386... but if you are International there could be rules the world wide that affect you.

   This bill would require a business, other than specified entities,
that owns or licenses personal information about a California
resident to implement and maintain reasonable security procedures and
practices to protect personal information from unauthorized access,
destruction, use, modification, or disclosure.  The bill would also
require a business that discloses personal information to a
nonaffiliated third party, to require by contract that those entities
maintain reasonable security procedures, as specified.  The bill
would provide that a business that is subject to other laws providing
greater protection to personal information in regard to subjects
regulated by the bill shall be deemed in compliance with the bill's
requirements, as specified

Okay so is 'reasonable security procedures' defined?  Heck no.  So if that's the laws for “my“ state, what about yours?  Get your mouse out and start clicklin.....

Privacy Journal -

EPIC Bill Track - 109th Congress Privacy and Cyber-Liberties Legislation:
http://www.epic.org/privacy/bill_track.html

Legal Protections for Personal Data:
http://www.epic.org/privacy/consumer/legal.html

ConsumerPrivacyGuide.org | Law Protection:
http://www.consumerprivacyguide.org/law/

CDT's Guide to Online Privacy:
http://www.cdt.org/privacy/guide/protect/

Visa USA | Small Business & Merchants | Operations & Risk Management:

But if you need some 'basics' try here... in general the best thing to do is inventory where your PII is... then put safegards in to protect the data.

Computer Security Guidance Center from Microsoft Small Business Center:
http://www.microsoft.com/smallbusiness/support/computer-security.mspx

Security Toolkit PDF download from Microsoft Small Business:
http://www.microsoft.com/smallbusiness/support/security-toolkit-pdf.mspx

SMB signing... black and white revisited

In the SBS community there have been long standing discussions back and forth regarding the merits ....or lack therof... of the benefits of SMB signing.  If you are not aware... by default on a domain controller, the signing policies are enabled.  Over the years we've had discussions back and forth of the need for them.  Written up documentation about disabling them.  Mac's have to have them disabled.  Along with many of the older network scanners. 

So it's funny to see this post:

Yes, by now I'm sure my IP address has been tracked by the FBI and no, thank you, I don't want to see Paris's videos

Okay is it sad that I've had emails all day today with all of these and because they were about Paris Hilton and my IP address being tracked I just kinda went 'oh yeah...whatever...“?

'At least two of the English versions of WORM_SOBER.AG spoof the Federal Bureau of Investigation (FBI) or Central Intelligence Agency (CIA), alerting the user that the agency has found evidence of the user visiting "more than 30 illegal Websites", and asks them to complete the attached "questionnaire". Launching the attachment activates the Worm. Similarly, one of the German versions spoofs Bundeskriminalamt, and threatens legal action against the users' illicit downloads of films, software, and MP3s. The email promises more details of the case in the attached file.

Another version promises a free download of "video clips, pictures and more" of Paris Hilton and Nicole Richie, stars of "The Simple Life" reality television series in the U.S. Attachments are disguised as zipped files.

WORM_SOBER.AG can download and run executable files from certain Web sites that it points to. However, this worm does not seem to have any backdoor capabilities.'

I so totally block zip files  from even entering my Exchange server these days it's not funny.....

Dang, I'm impressed..that is indeed the CIA's phone number....

P.S.  if you are wondering.... yes, I use Thunderbird for my spammed to death, junk mail, every vulnerability listserve known to mankind email account.  I have several emails accounts....some go into Exchange.....some don't.  This one has a benefit of being my early warning system [even though I wasn't paying attention today].  In the Exchange server though, I block anything with a zip for just this reason.

Security Advisory posted tonight

********************************************************************
Title: Microsoft Security Advisory Notification
Issued: November 21, 2005
********************************************************************

Security Advisory Released Today
==============================================

* Security Advisory (911302) 

  - Title:  Vulnerability in the way Internet Explorer Handles 
	    onLoad Events Could Allow Remote Code Execution

  - Web site: http://go.microsoft.com/fwlink/?LinkId=56599

Trend CSM 3.0 and the Compression issue

We've been tracking an issue with Trend CSM 3.0 getting installed on SBS boxes and with think we know the trigger event. 

Let's review the issues.... Mariette reported that the Security Center was 'choking' because Compression was checked and Trend's CSM 3.0 didn't like that there.  We think we found the trigger event.

WSUS

When Windows Software Update Services is installs is turned on compression on the web site, affecting all web sites.  During the beta we found we had some issues in that workstations would not check in with the WSUS server if compression was on and we were told to disable it temporarily, but that long term wise to grab a hotfix and install it.

From the WSUS wiki -- It is not recommended to disable compression as this will not impact the problem source, and possibly increase network traffic & server load, while reducing the number of clients you can effectively serve. Further information about the issue and obtaining the hotfix can be found: http://support.microsoft.com/?id=898708 .

See that article that talks about WSUS enables compression by default?  In the IIS, in “Web sites“, right mouse click, and click on service.  See what you have there.  If you have 'compress application files' on the outside affecting all sites, you'll probably have issues with Trend's dashboard.

To see what I mean.....

• This is a site WITHOUT compression enabled
• This is one WITH

So, for those in testing stage, I'd try installing that hotfix and see if that helps, otherwise follow Mariette's workaround to allow Trend to handle it's site without compression.

BTW for us SBS boxes... you probably are not going to massively affect traffic nor reduce the number of clients you can effectively serve.  Hey, we are SBS.  We don't have that many to serve in the first place!

Yes the sky is falling

Incidents.org reports a “0-day” for Internet Explorer and while one should always use caution these days when surfing I think we're not fixing the real problem here.  This issue along with many others can be mitigated against if we run any software program more securely.

The issues is javascripting that can leave the attacker in the “rights of the user”.  Don't run as admin or tighten up your browser ...which everyone should do...

Run IE in high security or if you are surfing on unknown places use 'drop by rights', but let's stop yelling the sky is falling and instead, lets fix the real problem.  We're trusting all of our browsers too much and our workstations that run as admin are not protected enough.  Firewalls are not enough here.

Update:  Read Dana's blog and reports are on Mozilla browsers it's a Denial of Service.  I'm going back to waxed string and paper cups.

Top issues with Microsoft Update and WSUS

Problem1

====================

Symptom:

---------------------------

You get a .Net error when accessing the WSUS Admin page:, such as:

Cannot execute a program. The command being executed was "c:\winnt\microsoft.net\framework\v1.1.4322\csc.exe" /noconfig

@"C:\WINNT\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\wsusadmin\f85b3721\1e6721d6\dzsrdqit.cmdline".

Solution:

----------------------------

Try stopping the IIS services, and the update services. Delete the files in the wsusadmin directory in the ASP.NET temporary files.

Start the update services

Start the IIS Services

Problem2

=======================

Symptom:

---------------------

Some clients fail during detection with "Failed to find token" 800706d3 In the windowsupdate.log:

Examples:

WARNING: Failed to evaluate Installed rule, updateId = {ED300F67-421C-4C08-B3BA-F35C55F3B427}.100, error = 0x80041017

WARNING: Failed to find token for SID S-1-5-21-535373826-676671268-524510473-1001 with hr = 800706d3.

Solution:

---------------------

If the Client for Microsoft Networks is not installed, you can get this error. Install/Enable Client for Microsoft Networks

Problem3:

==================