Wednesday, August 10, 2005 - Posts

So is "fill in the blank" HIPAA compliant?

One of the questions that gets thrown to me every now and then is ... “is fill in the blank HIPAA compliant?”  That “fill in the blank” could be anything from an application... all the way to SBS itself.  The problem with a lot of documentation is that it's not really SBSized.... so when I stumbled on this site... with the telltale blue “Small Business Specialist” logo in the corner and called Brad.. as he and I said... the two of us.... gushing both about SBS and why we like the SBS community.. we were 'preaching to the choir'.

Brad works to help small rural hospitals in Montana meet compliance and said that HIPAA is just about doing the right thing.  I ssooooo agree.  HIPAA, SOX, all of these regulatory 'pushes' to make us more compliant... it's just good business... and good security practice.... I'm checking out his stuff now.. looks promising.  Ordered a kit in fact.  We chatted on the phone about how you HAVE to have the policy in place.  You can't just put in the technology... you HAVE to have the policies.. and they HAVE to be enforced equally for all.

Pretty cool that he was also Small Business Solution Partner of the year like that [oh yeah...that was built around SBS btw]

So if you need more HIPAA stuff, try out this blog...

If you want to check out a bunch more ...really non SBSized..but still interesting nonetheless links on security, policy, and all sorts of things... here's this listing.

Oh.. and can SBS be HIPAA compliant?  Of course it can.  It all depends on who's driving the server... not the server itself....

You could have 74 additional servers if you really wanted to....

Once again, let's get the misconceptions about the SBS platform blown away tonight shall we?

No... SBS 2003 does not have to be the ONLY server on the subnet.  It DOES have to be the PRIMARY domain controller and hold the FSMO roles.. however, if you really wanted to have 74 additional servers and no clients....

Go knock yourself out..it will support it.

I don't need a trust in a small business dude... I have two servers here just fine.

...next... dude.. that's Windows 2003 Server that forces that documentation of why the server shut down... if you don't want it, google it and shut it off.. most consultants LIKE it because it documents when the owners have mucked with the server... and lethargic?  Lemme guess... you believed the 'minimum standard specs' of RAM, didn't you?

1 gig of RAM and nothing less is what I recommend for a real production box... you can get away with 512... with a small one- or two-client network... but mine isn't lethargic one bit.

Bored to tears waiting for me to ask it to do something yes... lethargic...no.

To defrag or not defrag that is the question...

 There's a direct relationship between disk fragmentation and performance: As the number of disk fragments increases, performance drops. The reasoning is simple: The more work the disk drive has to do to deliver data, the longer the rest of the system has to wait, and the slower it runs.

Left unchecked, fragmentation keeps growing, and performance keeps dropping.

The solution is just as simple: Defragment daily. By keeping the number of fragments low, you eliminate one of the biggest barriers to maximum system performance.

Daily defragmentation keeps system performance at top levels


Don't know about you ...but DAILY?  That's a bit much I think to be dragging those files all around your server or workstation...

Okay, let's have at it... what are your thoughts on defragging.. I've not defragged a server in.... well... I've not defragged a server.  And there are times, with all the automagical gunk that occurs on my workstation, that it won't even allow me to defrag.. but I'll admit lately I've been wondering if I need to find a peppier NewsGator or whether a bit of defragging might help, as my RSS feeds are starting to drag a bit.

... So... do you?  Don't you?  What's your stand?


So now we have a little too much security....but maybe not enough?

So setting up a color scanner/printer/copier and setting up the scan to smb/scan to ftp ...and I thought I'd be nice to myself and set the scan “to” to end up in the same folder that my other black and white scanner/printer/copier is scanning to... so step one I renamed the folder I was scanning the other stuff to [note to self, do not call a scan to folder the same name as the copier as invariably you'll get another copier by another vendor and want to scan to the same folder].  So after I renamed it, made sure everything was working on the old scanner, I went to the new one... so I'm trying to set up an address book...and dang... can we have a bit more step by step SBSized instructions please? 

Bottom line... somehow while setting up the address book so end users could just press a button and scan to 'their' shared spot... I've ended up getting a master login and password prompt on the scanner.  Now... do I know what login and password it wants as the login to this device?  Of course not.  Is it any of the usernames and passwords that I think it should be?  Of course not.  And of course right now I'm half BLIND typing info into the onscreen digital keyboard.

Dr. Jesper Johansson rolled over in his not yet entered into grave when I said I was setting up scan to FTP for the old Konica scanner/copier/printer... man I'm rolling over in MY not yet entered into grave setting up this copier.

To get the functionality that I KNOW I will need to have... I have to leave a password... an authentication means... an entry point... to my network ON that device.  I can guarantee you right now that there is no way in God's green earth [or in the case of where I live... a little brown and dry these days with the summer heat] that I am going to get people to 'log' into this sucker.  So in order for it to scan what it needs to do... and shove it up to the network where I need it to go.... I will have to leave behind ... ON THIS DEVICE... a user that has rights.  Now... what I WILL be doing after I figure out how to get myself full access back to that copier and finish setting up the buttons... is reviewing what rights that user has on my system.  I already have such a 'generic' user account because next to my Konica copier/scanner/printer is a flat screen monitor, a small keyboard, and one of those small form factor Dell machines so that as people scan, they can open up Adobe Acrobat and check the progress of the scanning.  I'm planning to do the same for this new color printer/copier.  The real question is... I just used the standard 'SBS' normal user template and I probably need to triple check that the wizardized template is as locked down as it can be.  Like for example.. I need to give access from that user account to ONLY THAT one folder on the server.  There's no need for it to have the full rights and accesses that the rest of my users have at all.  Especially now that I'm hardcoding the dang thing into the operating panel of a copier on lease, for heaven's sake.

Maybe that's something we all need to ask ourselves more of... for every user that we set up.... do they really need everything that we're setting up for them.  Lock such access accounts down...and in my network diagram.. I'll be putting a BIG RED X on that copier reminding myself that there's a username and password on that device.  In fact... if we aren't doing that already... on your network diagrams that you are building for your clients... make sure you include copiers/scanner/printers, phones, and anything else hanging off that network with a password.  Document EXACTLY all the devices, all the systems, all the locations where those passwords are stored. 

Remember that as you change the passwords ... they too need to be changed.  Don't forget to manually adjust your DSRM Administrator password too in the meantime until we get that DSrestore fix.
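Here's what "lock such access accounts down" looks like when you script it. This is an added example, not from the original post: it assumes an AD domain, the ActiveDirectory and SmbShare PowerShell modules on the file server, and the placeholder names svc-scan-color, ScanReaders, D:\Scans\Color and ColorScans.

```powershell
# Added example, not the author's script. Assumes an AD domain, the ActiveDirectory
# and SmbShare modules on the file server, and the placeholder names below.
Import-Module ActiveDirectory
Import-Module SmbShare

$User   = 'svc-scan-color'     # placeholder: the account the copier will store
$Staff  = 'ScanReaders'        # placeholder: group that may open finished scans
$Folder = 'D:\Scans\Color'     # placeholder: the ONE folder the account may touch
$Share  = 'ColorScans'
$Domain = (Get-ADDomain).NetBIOSName

# 1. Dedicated account: Domain Users only, cannot change its own password.
#    The password still expires, so rotate it on the copier when it changes here.
$pw = Read-Host -AsSecureString "Password for $User"
New-ADUser -Name $User -SamAccountName $User -AccountPassword $pw -Enabled $true `
    -CannotChangePassword $true -PasswordNeverExpires $false `
    -Description 'Scan-to-SMB account; credential is stored on the color copier'

# 2. Folder with inheritance cut off, so nothing leaks in from the parent ACL.
New-Item -ItemType Directory -Path $Folder -Force | Out-Null
$acl = Get-Acl -Path $Folder
$acl.SetAccessRuleProtection($true, $false)    # disable inheritance, drop inherited ACEs
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$none    = [System.Security.AccessControl.PropagationFlags]::None
$entries = @(
    @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },
    @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
    @{ Id = "$Domain\$User";          Rights = 'Modify' },          # write scans
    @{ Id = "$Domain\$Staff";         Rights = 'ReadAndExecute' }   # read scans
)
foreach ($e in $entries) {
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $e.Id, $e.Rights, $inherit, $none, 'Allow'
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $Folder -AclObject $acl

# 3. Share it with permissions no wider than the NTFS ACL.
New-SmbShare -Name $Share -Path $Folder -FullAccess 'BUILTIN\Administrators' `
    -ChangeAccess "$Domain\$User" -ReadAccess "$Domain\$Staff" | Out-Null

# 4. Review: the account should be in Domain Users and nothing else.
$extra = (Get-ADPrincipalGroupMembership -Identity $User).Name |
    Where-Object { $_ -ne 'Domain Users' }
if ($extra) { Write-Warning "$User is also in: $($extra -join ', ')" }
```

Step 4 is the check worth re-running after any "add user" wizard: a template that drops the account into extra groups is exactly the full-rights problem described above.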

Well... I'm off to go see if I can hack my way into a Ricoh copier...

Oh and Vista/Longhorn ..whatever you guys up in Redmond are calling the next server... you guys thinking about making an uber uber lowered rights user account for such access like this?  If not... can ya think about it?


P.S.  Page 84 in the security reference book... login name for the Ricoh copier...lower case admin..no password... in case you accidentally do what I did...and yeah..we'll be changing that from the default and documenting that on our master password listing.......oh and.. I ..um.. found out I don't have to go blind... I can log in via IP and enter this stuff in the address book that way via a web browser.... you would think by now I'd be geeky enough to learn..wouldn't ya...

End users and screensavers

Recently at my own office I enabled the option to turn on password protection of the screen when someone walked away for more than an hour.  Merely turning off the screen isn't good enough protection when working with client information.. I mean... duh... you are still logged in with access to that network.  Some folks really liked it and really wanted it, some people... well, let's just say I had to use the peer pressure from the ones that liked it..... it was funny because there was a recent thread on a HIPAA listserv about some of the flexibility you must build into a technology/people issue.

You must protect patient identity information.. and thus you must set up the system so that when someone walks away from that system, it locks the access.  The HIPAA Final Security Rule (164.312(2)(iii)) requires automatic logoff.... "Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity" ... and while it's a standard... it's an “addressable standard” and thus you can set the value to what is appropriate.  Some places you need less time to ensure that patient data is kept secure from prying eyes in public places, some places you need more time.  Make a compromise as to what works in your environment.

Personally I think this is something that all of us that have sensitive information need to implement.  All I did on my network was enable it in group policy and make sure that it would be password protected.  I didn't even mandate a particular screensaver at all.
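If you want to verify that the group policy actually landed on a workstation, here is an added check (not part of the original post). It reads the registry values the screen-saver policy writes under HKCU, plus the newer machine-wide inactivity limit, and reports whether a password-protected lock will kick in within the idle time you picked; the one-hour default matches the post.

```powershell
# Added example, not the author's configuration. Checks the policy-backed registry
# values that the screen-saver GPO writes, and the machine inactivity limit that
# newer Windows versions support, against a chosen maximum idle time.
function Test-ScreenLockPolicy {
    param([int]$MaxIdleSeconds = 3600)   # the post's choice: one hour

    $userPol = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $machPol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

    function Get-Val($Path, $Name) {
        try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
        catch { $null }                  # value absent = policy not applied
    }

    $active  = Get-Val $userPol 'ScreenSaveActive'       # "1" when the GPO enables it
    $secure  = Get-Val $userPol 'ScreenSaverIsSecure'    # "1" = password protected
    $timeout = Get-Val $userPol 'ScreenSaveTimeOut'      # seconds, stored as a string
    $machine = Get-Val $machPol 'InactivityTimeoutSecs'  # Win8/2012+ machine-wide limit

    $ssOk = (($active -eq '1') -and ($secure -eq '1') -and
             $timeout -and ([int]$timeout -le $MaxIdleSeconds))
    $mlOk = ($machine -and ([int]$machine -le $MaxIdleSeconds))

    $limits = @($timeout, $machine) | Where-Object { $_ } | ForEach-Object { [int]$_ }
    [pscustomobject]@{
        ScreenSaverLock   = [bool]$ssOk
        MachineInactivity = [bool]$mlOk
        EffectiveSeconds  = if ($limits) { ($limits | Measure-Object -Minimum).Minimum }
        Compliant         = [bool]($ssOk -or $mlOk)
    }
}

$result = Test-ScreenLockPolicy -MaxIdleSeconds 3600
if (-not $result.Compliant) {
    Write-Warning 'No password-protected lock within 3600 seconds of idle on this box'
}
$result
```

Run it in the context of the logged-on user, since the screen-saver values live in the user hive; a result of Compliant = False after gpupdate usually means the GPO isn't linked to the OU that user sits in.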

P.S.  Looking for HIPAA resources?  I'll post more tonight.. but the listserv I was referring to in the above post is the WEDI one at http://subscribe.wedi.org - specifically the security workgroup list.

Sometimes you decide not to be a geek

When I was setting up the server at the office, the HP that I have has an uber remote management feature... Integrated Lights Out.. you could even hook up a public IP address to it and truly reach out and touch that box remotely.  Even if it was turned off... as long as there was power to it... you could reach the box.  I looked at it and thought.. you know... if my box was truly that horked... I'd want to drive in the car and fix it at the office...

So when reading today's security alert about it, I found the workaround for this issue pretty funny...

To eliminate this vulnerability until ILO version 1.81 becomes
available, unplug the power cord whenever the server is powered
down. This will prohibit the remote access exploit.

Kinda eliminates a lot of other problems too, now doesn't it?

-------- Original Message --------
Subject: [security bulletin] SSRT051005 rev.0 - HP ProLiant DL585 Servers Unauthorized Remote Access
Date: Wed, 10 Aug 2005 10:11:38 -0700
From: security-alert@hp.com
To: bugtraq@securityfocus.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

HP SECURITY BULLETIN

HPSBMA01220     REVISION: 0

SSRT051005 rev.0 - HP ProLiant DL585 Servers Unauthorized Remote
                  Access

NOTICE:
The information in this Security Bulletin should be acted upon
as soon as possible.

INITIAL RELEASE:
09 August 2005

POTENTIAL SECURITY IMPACT:
Unauthorized remote access

SOURCE:

Hewlett-Packard Company
HP Software Security Response Team

VULNERABILITY SUMMARY:
A potential vulnerability has been identified with the HP ProLiant
DL585 server, where a remote unauthorized user may gain access to
the server controls, when the server is powered down.

REFERENCES:
None

SUPPORTED SOFTWARE VERSIONS*:  ONLY impacted versions are listed.
HP ProLiant DL585 Integrated Lights Out (ILO) firmware prior to
version 1.81

BACKGROUND:

RESOLUTION:

Until a new version of the Integrated Lights-Out firmware (version
1.81) for ProLiant DL585 servers is available, HP is providing the
following workaround:

To eliminate this vulnerability until ILO version 1.81 becomes
available, unplug the power cord whenever the server is powered
down. This will prohibit the remote access exploit.

This Bulletin will be updated when version 1.81 of the Integrated
Lights-Out (ILO) firmware becomes available.

BULLETIN REVISION HISTORY:
Initial release
   9 August 2005



SUPPORT: For further information, contact normal HP Services
support channel.

REPORT: To report a potential security vulnerability with any HP
supported product, send Email to:
security-alert@hp.com. It is
strongly recommended that security related information being
communicated to HP be encrypted using PGP, especially exploit
information. To obtain the security-alert PGP key please send an
e-mail message to
security-alert@hp.com with the Subject of
'get key' (no quotes).

SUBSCRIBE: To initiate a subscription to receive future HP
Security Bulletins via Email:

http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC

On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches
    - check ALL categories for which alerts are required and
      continue.
Under Step2: your ITRC operating systems
    - verify your operating system selections are checked and
      save.

To update an existing subscription:
http://h30046.www3.hp.com/subSignIn.php

Log in on the web page
 Subscriber's choice for Business: sign-in.
On the Web page:
Subscriber's Choice: your profile summary
  - use Edit Profile to update appropriate sections.

To review previously published Security Bulletins visit:
http://itrc.hp.com/service/cki/secBullArchive.do

* The Software Product Category that this Security Bulletin
 relates to is represented by the 5th and 6th characters of the
 Bulletin number:
   GN = HP General SW,
   MA = HP Management Agents,
   MI = Misc. 3rd party SW,
   MP = HP MPE/iX,
   NS = HP NonStop Servers,
   OV = HP OpenVMS,
   PI = HP Printing & Imaging,
   ST = HP Storage SW,
   TL = HP Trusted Linux,
   TU = HP Tru64 UNIX,
   UX = HP-UX,
   VV = HP Virtual Vault

System management and security procedures must be reviewed
frequently to maintain system integrity. HP is continually
reviewing and enhancing the security features of software products
to provide customers with current secure solutions.

"HP is broadly distributing this Security Bulletin in order to
bring to the attention of users of the affected HP products the
important security information contained in this Bulletin. HP
recommends that all users determine the applicability of this
information to their individual situations and take appropriate
action. HP does not warrant that this information is necessarily
accurate or complete for all user situations and, consequently, HP
will not be responsible for any damages resulting from user's use
or disregard of the information provided in this Bulletin. To the
extent permitted by law, HP disclaims all warranties, either
express or implied, including the warranties of merchantability
and fitness for a particular purpose, title and non-infringement."


(c)Copyright 2005 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or
editorial errors or omissions contained herein. The information
provided is provided "as is" without warranty of any kind. To the
extent permitted by law, neither HP nor its affiliates,
subcontractors or suppliers will be liable for incidental, special
or consequential damages including downtime cost; lost profits;
damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration.
The information in this document is subject to change without
notice. Hewlett-Packard Company and the names of Hewlett-Packard
products referenced herein are trademarks of Hewlett-Packard
Company in the United States and other countries. Other product
and company names mentioned herein may be trademarks of their
respective owners.

When patching this month.. a little reboot ahead of time is in order

This month, more than any other month, would be a good month to remember some of the wise moves in patching....

REBOOT YOUR SERVER

That's right, I said reboot your server.. go over there and cycle it off and then back on.  If it reboots in a reasonable time frame you are good to go.  If, however, hours and hours later you are still standing there, and if... right next to your server you have an APC device, and if... you haven't signed up for their newsletters... and if you haven't downloaded the PowerChute upgrade.... you could be stuck with a grinding server.

Reboot, check your log files, and then apply the patches this month.