Security

Modifying RDP5 & 6 to always connect local drives as well as USB devices…

Dave Caddick — Fri, 20 Jun 2008 13:24:03 GMT

So if you have a look at the MSTSC.EXE file that starts the RDP session and use the /? to call further info from the component you get something very much like this:

But if you dig a just a touch deeper you will find that the MS Terminal Services Client or RDP Client as it is more commonly known draws the config information for most of its settings from the simple DEFAULT.RDP file that will typically be saved in the Users profile. (see example below)

So if you want to make changes to the way it behaves then it is fairly straightforward to make the changes in the GUI of the Client and then use the “Save As…” command from within the GUI – but what happens if you’d like to replicate this as standard behavior across multiple devices?

Search in the target computer to find the default.rdp file? (they should be hiding in each users profile) This is the settings that are used when the RDP Client is used – so open default.rdp in notepad or similar and you will find it is pretty straightforward to read?

Here in this example I have set the local C,D and E drives to be visible:

But at the same time some of these settings are pretty easy to guess at and start modifying with a reasonable degree of being able to accurately guess what they will change? I’ve highlighted some of the pretty obvious ones?

++++Example++++++++++++++++++++++++++++++++++++
screen mode id:i:2
desktopwidth:i:1280
desktopheight:i:800
session bpp:i:32     <<< Colour depth
winposstr:s:0,3,0,0,800,600
full address:s:
compression:i:1
keyboardhook:i:2    <<<Keyboard Shortcuts
audiomode:i:0   <<<Sound
redirectprinters:i:1   <<<attach local printers? 1 is on
redirectcomports:i:0
redirectsmartcards:i:0
redirectclipboard:i:1
redirectposdevices:i:0
drivestoredirect:s:C:;D:;E:;
displayconnectionbar:i:1
autoreconnection enabled:i:1
authentication level:i:0
prompt for credentials:i:0
negotiate security layer:i:1
remoteapplicationmode:i:0
alternate shell:s:
shell working directory:s:
disable wallpaper:i:1    <<<part of controlling “the experience”
disable full window drag:i:1
allow desktop composition:i:0
allow font smoothing:i:0
disable menu anims:i:1
disable themes:i:0
disable cursor setting:i:0
bitmapcachepersistenable:i:1
gatewayhostname:s:      <<<Part of the TS Gateway from here down
gatewayusagemethod:i:0
gatewaycredentialssource:i:4
gatewayprofileusagemethod:i:0
++++Example++++++++++++++++++++++++++++++++++++

If this is the case then make the changes to the user's default.rdp – then use the “save as”... then test Test, and then replicate to the same location on all devices?

Mixed Novell and AD Authentication issues

Dave Caddick — Wed, 26 Mar 2008 22:55:21 GMT

Recently I have been looking in to some issues relating to mixed Novell and AD Authentication at customers sites and there does not seem to be too much information that is readily available so I thought it might be useful if I post some of the details and links here as a helper to others? ;-)

One of the most interesting points is that it would appear that Novell really hasn't done much to the Novell Client in quite a while, and even with the advent of Vista it has not so much revisited the classic 4.91 SP4 version but simply created a new one from scratch that has no backwards compatibility or any relationship to the 4.91 version....

Also something to be aware of is that quite some while back it would appear that Novell did try for a Catalogue of sorts that may or may not have been somewhat similar to AD's implementation but it was dropped from NDS ver. 8.x and above - so if you are trying to get Contextless Login working the only other real alternative is to use a method of creating an Alias for all Users in one specific OU and then referencing all Logins to search that one specific OU at login.

Now if you are like me, this appears to be almost laziness on the part of the developers? Surely they could do better than this? And even if you do get Contextless Login working what it actually amounts to is that the user can use either the short User ID <davidca> or the UPN <david.caddick@novell.com> and when you either use:

Tab Key
Mouse to move to the Password box
Click on OK

you will then find that the Contextless Lookup is evoked and your user name is changed to match the Case of exactly what it is the NDS

Anyway, here is the documents that might prove useful if you are investigating similar issues?

One of the most useful documents would appear to be this one:

Configure AutoAdminLogon for Novell Clients for Windows NT/2000/XP

AutoAdminLogon can be implemented in any of the 5 combinations listed below. For each version of the client, we will describe which combinations can be implemented and how to implement those combinations.

Auto login to NDS and NT
Auto login to NDS and manual login to NT
Auto login to NT and manual Login to NDS
Auto login to NT and disable login to NDS
Manual login to NDS and NT

There is also this document that is more specific to Terminal Server/Citrix ~~Presentation Server~~ XenApp Server environments:

LDAP Contextless Login in Terminal Services Environments

In all versions of the Novell Client for Windows 2000/XP/2003 prior to and including Novell Client 4.91 SP3, the LDAP Contextless Login support will only perform a contextless lookup if a user interactively changes the contents of the "Username:" field or the "Tree:" field of the Novell Client login dialog.

As such, the LDAP Contextless Login support was not able to benefit scenarios involving Windows Terminal Services environments where TSClientAutoAdminLogon was being used in conjunction with credentials pre-supplied in the terminal connection, and/or with TSClientAutoAdminLogon in Citrix Metaframe environments that were launching published applications.

The widely used workaround for this limitation was to move or alias eDirectory users into a single container, such that in absence of contextless login support the terminal service environment could successfully default to a single context for all eDirectory user logins.

If you do have issues relating to getting Contextless Login working correctly the most authorative document I could find would appear to be this:

Setting Up LDAP Contextless Login and LDAP Treeless Login

Several large Novell customers have used LDAP Contextless Login to facilitate the merging of several trees in to one global tree. Before LDAP Contextless Login, users were often annoyed by being required to change their context information in the login screen when changes took place in the tree structure. This resulted in IT costs to manage and support the change. LDAP Contextless Login makes it easier for users to work in the new global tree because it makes it unnecessary for the users to manage or know about changes to their organization's name or its placement in the hierarchy. Because users no longer need to enter their context to authenticate, the context can be changed on the back end as many times as necessary without the users needing to know and without the costs associated with managing and supporting these changes.

The Lightweight Directory Access Protocol (LDAP) is an Internet communications protocol that lets client applications access directory information. It is based on the X.500 Directory Access Protocol (DAP) but is less complex than a traditional client and can be used with any other directory service that follows the X.500 standard. Lightweight Directory Access Protocol (LDAP) Services for Novell eDirectory is a server application that lets LDAP clients access information stored in eDirectory.

If your network has LDAP Services for Novell eDirectory set up on your eDirectory tree and you are running Novell eDirectory 8.5 or later, users who are logging in to the network from Windows can log in to the network without having to enter their context in the Novell Login screen. To log in, users need to know only their username, password, and the name of the tree that is running LDAP Services. Optionally, you can also have users log in to the network without having to specify the eDirectory tree name.

User objects can be located in the tree by username or e-mail address. You can also enable wildcard searches. If wildcard searches bring up multiple usernames, the user is prompted to select his username.

Will Altiris ever be more than a subsidiary?

Dave Caddick — Sat, 22 Mar 2008 04:47:13 GMT

It is something of a shame that Symantec is not making the best of this acquisition, especially when you consider the amount of change and hype in the Virtualization space over the last 14 months since Symantec announced the purchase?

I made the comment only a few weeks ago (Thinstall quick out of the blocks) that it was quite gratifying to see good technology not sitting by the sidelines waiting for the politics and marketing to settle before it can again back on with getting the work done - but in this case it looks like Symantec are still dragging the chain?

Symantec creates an Endpoint Virtualization Business Unit

Friday, March 21, 2008 | 0 Comments

After over one year since the acquisition, Symantec is finally operating the integration of Altiris in its corporate departments.

It's not clear anyway if and in which way the security giant will pitch the successful Altiris application virtualization product: SVS.

The subsidiary in fact will disappear inside the Symantec Security and Compliance department, while a brand new Endpoint Virtualization department will be created, as reported by eWeek.

There are no details available yet but this reorganization may mean just two things:

the first option is that Symantec plans to use SVS only to deliver virtualized versions of its endpoint security agents (the anti-virus is probably the first in the list)

the second option is that Symantec will seriously enter the corporate desktop virtualization market, a space where VMware, Microsoft and few others are already busy with VDI, application virtualization and virtual machines security wrappers

In the first case Altiris SVS would be clearly out of the application virtualization market. In the second case Symantec may soon need more than just SVS to compete with the other players.

virtualization.info: Symantec creates an Endpoint Virtualization Business Unit

Ask and you shall receive? ;-) Now Clarkson knows a bit more about the modern world?

Dave Caddick — Tue, 08 Jan 2008 00:28:16 GMT

Well I do find this amusing as last night we were just watching the Top Gear episode where Ranulph Clarkson and Ranulph May attempt to race Ranulph Hammond to the North Pole using a truck - as ever Jeremy Clarkson is forever the irreverent motor mouth and larrikin in a likeable way and we actually found ourselves cheering for Hammond to beat them with the Dog Sled.

So it's no surprise to see Clarkson so spectacularly misjudge how easy it can be to have your Banking details abused? I guess he has learnt a little about how technology works? ;-)

Clarkson's 'steal my ID' stunt backfires

Top Gear chap shoots self in foot

Gobby TV presenter Jeremy Clarkson has been forced to reverse his position after he lost money after publishing his bank account details in a newspaper column.

The Top Gear presenter rather rashly published his account details in a column in The Sun to back up his claims that the child benefit data loss furore, which resulted in the loss of unencrypted CDs containing bank details of 25m people, was a lot of fuss about nothing.

Clarkson published his bank account number and sort code, along with clues to his address, insisting that the worst that could happen was that someone could pay money into his account.

Days later Clarkson was forced to admit he was wrong after an unidentified prankster set up a £500 direct debit from the presenter's account in favour of charity Diabetes UK, the BBC reports.

"The bank cannot find out who did this because of the Data Protection Act and they cannot stop it from happening again," Clarkson said in a column published in the Sunday Times. "I was wrong and I have been punished for my mistake."

Clarkson, never one to shy away from colourful or controversial commentary, is now hopping mad over the data loss. "Contrary to what I said at the time, we must go after the idiots who lost the discs and stick cocktail sticks in their eyes until they beg for mercy," he said. ®

Clarkson's 'steal my ID' stunt backfires | The Register

Tweak Vista's warnings

Dave Caddick — Mon, 07 Jan 2008 23:44:22 GMT

I have been trying Vista on a corporate Laptop over the holidays in advance of getting hold of the "Approved" corporate image for my laptop and in some ways it's a clunker - so if you know what you're doing and want to "trim" some of those annoying messages and confirmations then this might be just the tool for you?

Vista4Experts

Current Version: 1.0.0.1

Download Vista4Experts

Vista4Experts is kind of a treat for computer experts who don't want security center notifications, User Account Control dialogs, automatic Windows Defender scannings, automatic update installations (which cause you to reboot your system if you don't react quickly enough). People who want MSDN (or google) set as default search engine in the Internet Explorer search bar, who want the start menu power button to shut down the system instead of hibernating it, etc. These and many more fixes are included in Vista4Experts. All of these changes can be discarded, enabled or reversed. Vista4Experts is the first expert utility of its kind and works on every platform.
This is a free software and so it is given without warranties, this means the use of this tool is at your own risk. I take no responsilbity for any damage that may unintentionally be caused through its use.

I realize, of course, that many fixes in Vista4Experts lower Windows Vista's default security, but that's the difference between users who feel enough confident to decide what's best for their system and users who don't. Many of Windows Vista's security features are extremely annoying to many developers and other IT experts.
I even think it's bad that Microsoft didn't provide a permanent way to disable the driver signature verification and making it possible only for signed drivers to run on x64 (that if the user isn't in the mood of pressing F8 on every boot). This is my system and I want to run any driver that I want to! I'm pretty sure I won't involuntarily execute a rootkit, don't worry about me Microsoft...

Download Vista4Experts

NTCore's Homepage

Production Servers now at 95% Virtualization

Dave Caddick — Mon, 17 Dec 2007 00:10:48 GMT

I found this article today at CIO via an Article at Doug Browns site www.dabcc.com and thought it too good to just post the quote. This is exactly why Virtualization is shaking up the IT market so much - it has the capacity to drastically change the way you think about "Flexibility" and "Agility".

Being able to provision on the fly in 30 minutes or so doesn't hurt either - and it's this very reason that makes concepts like VDI seem so very attractive.

Virtualization at Warp Speed: How One Company Made it Fly
Want to virtualize 95 percent of your production servers within a year? Vincent Biddlecombe did. Here's how the CTO of logistics company Transplace went from having no virtualization expertise in house to running the company's mission-critical app on a VM.
By Laurianne McLaughlin

December 12, 2007 — CIO — Many CIO's wonder how far and how fast they can run with virtualization right now. Once you get an initial taste of the cost savings, flexibility, and speed of provisioning that server virtualization enables, you want to make a fast break for a larger victory. Vincent Biddlecombe, CTO of Transplace, doesn't wonder anymore: He just completed an instructive sprint.

Since mid-2007, Biddlecombe has virtualized almost all the production servers at Transplace, a third-party transportation logistics provider. (The company helps customers such as retail chain stores maximize efficiency in their supply chain and shipping activities.) And he's been running his company's most critical application—a home-grown transportation system—on a VMware ESX environment for a month now, with no major hiccups.

By the way, Biddlecombe didn't have any virtualization or VMware expertise in house among his 100 IT staffers when he started this project: "We were a Sun group," he says. To address this issue, he hired a consulting partner, Catapult Systems, to bring VMware knowledge to his group.

Timing is Everything

For Transplace, the 2007 sprint toward virtualization made sense on both a business level and a technology level, Biddlecombe says. The business desire: Transplace works with its customers via Software-as-a-Service (SaaS), so the company needs the best scalability, availability and manageability they can get for hosting customer data. Virtualization appealed for both disaster recovery and scalability reasons, Biddlecombe says. "We can simply add capability as we need it."

On the technology side, Transplace's internal systems were due for a facelift. In early 2007, Transplace decided to move its production data center from the corporate office in Plano, Texas, to an offsite co-location facility in nearby Dallas. (Transplace also has a test/development and disaster recovery facility in Lowell, Ark.) At about this time, the company was due to upgrade its server hardware, Biddlecombe says, so it made sense to roll out the virtualization effort with that server upgrade.

For Transplace's database applications, he switched from Sun servers (running Solaris) to IBM mid-range servers (p570 servers using the Power6 processor and running AIX). For Transplace's middle-tier servers, he switched from Sun servers to Dell PowerEdge 2950 servers, using VMware's ESX Server software for virtualization. (For storage, Transplace chose Network Appliance's FAS 3070 storage systems.)

"We wanted to provide an environment where we could have maximum availability between our production and disaster recovery data centers," Biddlecombe says. "By using a combination of VMware with the storage, we've effectively copied our servers out to the disaster recovery center."

Today, Transplace's production environment is almost completely virtualized, and Biddlecombe estimates it will be 95 percent virtualized by year's end. That's quite an achievement, says Burton Group research analyst Chris Wolf. "From my experience, organizations that are able to virtualize 40 percent of their servers in a year are doing really well," Wolf says.

In total, Biddlecombe's IT group now runs about 110 VMs. In fact, the only significant applications that he's not running on a VM right now are his Microsoft Exchange servers and SQL server databases—both known for being extremely I/O intensive. (They hog resources on physical servers to the point that it doesn't make sense to virtualize them in many cases).

The Mission-Critical App Goes Virtual

The thought of running mission-critical ERP applications on a virtual machine makes many CIO's nervous—too nervous to try it (even now that ERP giant SAP has announced support for its products running on VMware.) But not Biddlecombe. As for Transplace's mission-critical app, a transportation management system, the first month of its virtualized run, coming to a close now, has proven pretty uneventful, Biddlecombe says. He saw no major pitfalls or performance issues.

This transportation management system determines, for instance, which orders need to be shipped together for consolidation purposes, how the order should be best shipped (parcel, full truckload or other options), which shipping carrier is optimal, and so on. This system also handles freight audit and payment. Effectively serving as Transplace's ERP system, the transportation system handles 4 million shipments per year, or about $2.75 billion in transportation spending annually. Developed in-house using Java, it runs on BEA WebLogic application servers and Oracle for database work.

Biddlecombe has dedicated 50 VMs to support the components of the transportation system running on WebLogic, and 50 to 60 VMs for some other components and everything else.

To determine the right number of VMs and balance workloads on the servers running those crucial VMs, the IT team did extensive prototyping. But they had an advantage that not all companies have with their ERP systems: Since the transportation system software was developed in-house, Biddlecombe's team knew a lot of its performance quirks already. "We're intimately familiar with what our software needs," says Biddlecombe, who has been with Transplace for three years and served as CTO for fifteen months.

Interestingly, Biddlecombe has not found it necessary yet to invest in any new third-party management tools from any of the virtualization upstarts, though he is scoping out one emerging need. Favoring a layered monitoring approach, he currently uses HP's Business Availability Center tools at the top level, HP's SiteScope at the next level (measuring factors like memory utilization in every app in every VM) and then network and database monitoring tools. He's also using VMware's vMotion tool to move VMs around as needed.

"The one area we haven't addressed is, are all the VMs sized properly," Biddlecombe says. "I think we've given some VMs more memory than they need. Our emphasis to date has been application performance. The last layer will be reducing VM resources so they have just enough," he says. The IT team can get some of the memory data from the SiteScope tool, but they have to do one VM at a time, he notes. This is the need that's making him consider finding another management tool.

For securing the virtual environment, Transplace's IT team applies the same security tools (McAfee antivirus and others) and practices that they would with a physical server, Biddlecombe says.

Provisioning in 30 Minutes or Less

As for metrics to prove his success, Biddlecombe says he wasn't able to do many before and after comparisons because so many factors changed at once: a new data center location, new hardware and all those new VMs all got wrapped up into the same effort. What he can measure however, is how quickly he can provision a new server or new computing power to the business side. It used to take him a week to provision a server: Now it takes 30 minutes.

"We have gained a dramatically increased capacity to provision new servers, and more scalability," he says.

The ability to scale to add VMs right away helps Transplace deal with any spikes in data throughput from its customers: "Because we're SaaS, our customers benefited immediately," he says.

And when IT wants to create a test and development VM, or a business executive needs a new customer demonstration environment, IT can do it within the half hour, he notes.

In another benefit of the highly-virtualized environment, the servers at the disaster recovery site can serve double duty, Biddlecombe says. They can be test VMs one moment, and disaster recovery the next. "We don't have to have 100 servers just standing there waiting for disaster," he says.

What's next on Biddlecombe's to-do list with regards to virtualization? He'll continue to ensure that the backup strategy is solid, he says. "There's this concept that I'm putting a lot of eggs in one basket," he says. "We use VMware Consolidated Backup, but you also have to make sure all your OS patches are applied, backups done properly. You want to make sure you're doing the blocking and tackling."

Other stories by Laurianne McLaughlin

© 2007 CXO Media Inc.

Virtualization at Warp Speed: How One Company Made it Fly - CIO.com - Business Technology Leadership

HOWTO Configure Ubuntu for Active Directory Authentication

Dave Caddick — Wed, 24 Oct 2007 23:10:09 GMT

In one of those typical Internet moments when "it wasn't what I was looking for - but it looked like some very useful information that I would like the time to implement"?

I have been thinking of getting this working correctly at home based on some virtual machines, but as it's not something that has a burning need to get done it probably won't get done anytime soon - but I'm sure this will come up somewhere so thought it useful to point out that there is this comprehensive guide from Novell as well as the one at the Ubuntu Wiki site: ActiveDirectoryHowto

HOWTO: Configure Ubuntu for Active Directory Authentication

Introduction

There are two important concepts for users: authentication, and accounts. With Active Directory authentication uses the Kerberos 5 protocol, and account information uses LDAP. Therefore we need to configure Kerberos 5 and LDAP on Ubuntu in order to manage users in an Active Directory.

Throughout this article the following IP addresses are going to be used, adjust appropriately for your network.
IP address Description 10.30.2.1 Router and DNS server or proxy 10.30.2.2 DHCP and TFTP server 10.30.2.10 NFS server 10.30.2.20 LTSP server 10.30.2.100-200 LTSP clients
It is assumed Active Directory is configured with an AD realm of EXAMPLE.COM and we will create one user:
account name: wendy UID: 1002 GID: 1002 home directory: /home/wendy shell: /bin/bash
[edit]

Accounts

For LDAP accounts the software package libnss-ldap is required, in Ubuntu Dapper CD this is not in the main repository it is part of the universe repository, however if you are using an internet repository it is part of the main repository and you can skip to the next stage. In order to access to the universe repository edit the file /etc/apt/sources.list and uncomment the universe lines.
## Uncomment the following two lines to add software from the 'universe' ## repository. ## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu ## team, and may not be under a free licence. Please satisfy yourself as to ## your rights to use the software. Also, please note that software in ## universe WILL NOT receive any review or updates from the Ubuntu security ## team. deb http://hk.archive.ubuntu.com/ubuntu/ dapper universe main restricted multiverse deb-src http://hk.archive.ubuntu.com/ubuntu/ dapper universe main restricted
Then update the package list and install.
$ sudo apt-get update $ sudo apt-get install libnss-ldap
Enter the address of the Active Directory server.

The Active Directory is accessed with the LDAP protocol

Specify the LDAP search basedn

The LDAP search base DN is where to search for user account information

more at source... HOWTO: Configure Ubuntu for Active Directory Authentication - DeveloperNet

Change of location

Dave Caddick — Mon, 08 Oct 2007 23:08:46 GMT

Hi All,

I have been posting both at this site as well as at my new blogging home of www.techagility.info for a few weeks now, and although I still have some tweaking to do on the graphics side of things, it's time to open the doors for all. I will probably still drop the odd post this way, but essentially all is now going to the new site.

So the home page is at www.techagility.info and if you are after the feed then you can find it at www.techagility.info/feed

See you there? ;-)

Getting by without Windows Update - can you update non-Microsoft applications and components as well?

Dave Caddick — Fri, 05 Oct 2007 06:10:52 GMT

So for those of you who have seen or been feeling the issues recently relating to MS's **hidden/silent** update to the Windows Update client components Scott has now come back with not only an alternative, but a solution that further adds value by being able to check other applications and components.

In all fairness though I would strongly suggest that you ALWAYS make a point of checking that you have created a **valid** System Restore Point before updating things so that you can very easily roll back to a known point? I have been caught by this in the past and it's not nice to have to spend an evening to try and get things working again - only to have to resort to a previous ghosted image and then try to remember all the extras that you need to reinstall..... <sigh>

Get free patching without Windows Update

By Scott Dunn
My Sept. 20 and Sept. 27 articles about silent and flawed upgrades involving Windows Update have made many people wonder whether they should really trust Microsoft's installer.
Fortunately, there are alternatives to Windows Update that will keep your system fully patched without costing you a dime.

It's easy to replace Windows Update's functions

In my previous columns, I reported that Windows Update has been periodically installing at least a few small executable files without notice to users, even when those users have selected a do-not-install option in the Automatic Updates control panel. This stealthy behavior upsets many people, but they don't want to completely do without a method of installing new security patches from Microsoft.
Windows Update (WU) does three things when it scans a PC: it determines which upgrades are needed, downloads the relevant files, and ultimately installs them. Fortunately, you can replace each of these tasks without spending any money.
In doing so, you give up some of the ease of automation offered by WU and Microsoft Update, WU's big brother, which also upgrades Microsoft Office applications. But the good news is that using alternatives makes it easier to update software from all major vendors, not just Microsoft.
In two previous articles, I explained how to determine which security upgrades a system needs. The best free scanner to diagnose your patching needs is currently Secunia.com's Online Software Inspector. My Sept. 9 article explains how to use the service with Internet Explorer. A Sept. 13 article explains the steps using Firefox.
I'll show you today how to add to your monthly Software Inspector routine an alternative to Windows Update.
Not many completely free alternatives exist, but there are a few that are worth examining:
• The Software Patch
• Windows Updates Downloader
• Microsoft Download Center
• AutoPatcher
• WindizUpdate

The Software Patch is my number-one pick

The best updating tool I've found is a service called The Software Patch (SP). This Web site provides not only Microsoft security updates but also a great deal more. The site includes necessary hardware drivers and updates, Microsoft Office and WordPerfect service packs, patches for Adobe and Corel products, updates for games, and more.

Pros of using SP. The Software Patch has many positive attributes:

The site is well organized, grouping its downloads hierarchically by product type (hardware or software), then by subcomponent, and finally by whether an update is "essential" or "optional."

The service links to the vendors' own sites (Microsoft, Adobe, etc.) to download updates, so you don't have to worry that the patches were somehow altered by a third party. Since SP doesn't store patches on its own server, the service is unlikely to run into legal tangles with Microsoft.

I was able to download and install a handful of Windows patches from Software Patch on a test machine. Windows Update had failed to install these same patches due to the bug I reported in the Sept. 27 issue.

Cons of using SP. No site is perfect, of course. Among the downsides to using the Software Patch are the following:

The site is supported by advertising, including pop-up ads, some of which manage to evade pop-up blockers.

The site has no downloads for Windows 2000 or earlier versions of the OS.

Navigating to Microsoft.com via SP doesn't mean you'll necessarily avoid being checked by Redmond's servers for Windows Genuine Advantage (WGA) compliance. For example, if you download Microsoft's Windows Defender, a WGA check is built into the program's installer. (But also note that Microsoft.com doesn't currently require WGA compliance to obtain most of its security patches rated "critical.")

Software Patch lacks some useful tools found at Microsoft's Download Center — for example, MBSA (Microsoft Baseline Security Analyzer). In cases like this, you can usually find an alternative source for the program. For example, FileHippo.com offers a download of MBSA, both the current version 2.0.1 and the beta version 2.1.

Figure 1. The Software Patch site provides ways to upgrade a wide variety of products.

More at source... Get free patching without Windows Update

Microsoft's Silent Upgrade backfires spectacularly? Here's the fix

Dave Caddick — Fri, 28 Sep 2007 07:35:06 GMT

Looks like MS have not had a good month on this subject? Still, looks like there is light at the end of the tunnel? :-)

Stealth Windows update prevents XP repair

By Scott Dunn
A silent update that Microsoft deployed widely in July and August is preventing the "repair" feature of Windows XP from completing successfully.
Ever since the Redmond company's recent download of new support files for Windows Update, users of XP's repair function have been unable to install the latest 80 patches from Microsoft.

Repaired installations of XP can't be updated

Accounts of conflicts with XP's repair option came to our attention after Microsoft's "silent install" of Windows Update (WU) executable files, known as version 7.0.600.381, was reported in the Sept. 13 and 20 issues of the Windows Secrets Newsletter.
The trouble occurs when users reinstall XP's system files using the repair capability found on genuine XP CD-ROMs. (The feature is not present on "Restore CDs.") The repair option, which is typically employed when XP for some reason becomes unbootable, rolls many aspects of XP back to a pristine state. It wipes out many updates and patches and sets Internet Explorer back to the version that originally shipped with the operating system.
Normally, users who repair XP can easily download and install the latest patches, using the Automatic Updates control panel or navigating directly to Microsoft's Windows Update site.
However, after using the repair option from an XP CD-ROM, Windows Update now downloads and installs the new 7.0.600.381 executable files. Some WU executables aren't registered with the operating system, preventing Windows Update from working as intended. This, in turn, prevents Microsoft's 80 latest patches from installing — even if the patches successfully downloaded to the PC.
I was able to reproduce and confirm the problem on a test machine. When WU tries to download the most recent patches to a "repaired" XP machine, Microsoft's Web site simply states: "A problem on your computer is preventing the updates from being downloaded or installed." (See Figure 1.)
Figure 1. After a repair install of XP, which resets the operating system to its original state, Windows Update can't install the 80 most-recent patches from Microsoft.
__________
Most ordinary Windows users might never attempt a repair install, but the problem will affect many administrators who must repair Windows frequently. Anyone who runs XP's repair function will find that isolating the cause of the failed updates is not a simple matter.
Beginning in July, it is not possible for Windows users to install updates without first receiving the 7.0.6000.381 version of nine Windows Update support files. (See my Sept. 13 story for details.) If Automatic Updates is turned on, the .381 update will be installed automatically. If AU is not turned on, you'll be prompted to let Windows Update upgrade itself before you can installing any other updates. Consequently, users are forced to get the silent update before they can attempt to install Microsoft's latest security patches.
The problem apparently arises because seven of the DLLs (dynamic link library files) used by WU fail to be registered with Windows. If files of the same name had previously been registered — as happened when Windows Update upgraded itself in the past — the new DLL files are registered, too, and no problem occurs. On a "repaired" copy of XP, however, no such registration has occurred, and failing to register the new DLLs costs Windows Update the ability to install any patches.
Registering DLL files is normally the role of an installer program. Unlike previous upgrades to WU, however, Microsoft has published no link to an installer or a downloadable version of 7.0.6000.381. Strangely, there's no Knowledge Base article at all explaining the new version. The lack of a KB article (and the links that usually appear therein) makes it impossible for admins to run an installer to see if it would correct the registration problem.
One possible fix is to install an older version of the Windows Update files (downloadable from Step 2 of Microsoft Knowledge Base article 927891) over the newer version. This involves launching the installer from a command line using a switch known as /wuforce.
That corrects the registration problem, although even in this case you must still accept the .381 stealth update (again) before you can get any updates. The fact that the /wuforce procedure solves the problem suggests that the installer for .381 is the source of the bug.

Manually registering files solves the problem

If you find that Windows Update refuses to install most patches, you can register its missing DLLs yourself. This can be accomplished by manually entering seven commands (shown in Step 2, below) at a command prompt. If you need to run the fix on multiple machines, it's easiest to use a batch file, as Steps 1 through 5 explain:
Step 1. Open Notepad (or any text editor).
Step 2. Copy and paste the following command lines into the Notepad window (the /s switch runs the commands silently, freeing you from having to press Enter after each line):
regsvr32 /s wuapi.dll
regsvr32 /s wuaueng1.dll
regsvr32 /s wuaueng.dll
regsvr32 /s wucltui.dll
regsvr32 /s wups2.dll
regsvr32 /s wups.dll
regsvr32 /s wuweb.dll
Step 3. Save the file to your desktop, using a .bat or .cmd extension.
Step 4. Double-click the icon of the .bat or .cmd file.
Step 5. A command window will open, run the commands, and then close.
The next time you visit the Windows Update site, you should not have any problem installing the latest patches.
In my articles in the last two weeks on the silent installation of the Windows Update support files, I stated that the stealthy upgrade seemed harmless. Now that we know that version .381 prevents a repaired instance of XP from getting critical patches, "harmless" no longer describes the situation. The crippling of Windows Update illustrates why many computer professionals demand to review updates for software conflicts before widely installing upgrades.
"I understand the need to update the infrastructure for Windows Update," says Gordon Pegue, systems administrator for Chavez Grieves Engineers, a structural engineering firm in Albuquerque, N.M. "But I think Microsoft dropped the ball a little bit communicating how the system works. Administrators should know these sorts of things, in case problems arise."
A Microsoft spokeswoman offered to provide an official response about the situation, but I received no reply by press time.
If you ever need to run the repair option on XP, first see the detailed description provided by the Michael Stevens Tech Web site.
I'd like to thank Windows Secrets contributing editor Susan Bradley for her help in bringing reports of this problem to light.
Have a tip about Windows? Readers receive a gift certificate for a book, CD, or DVD of their choice for sending tips we print. Send us your comments via the Windows Secrets contact page.
Scott Dunn is associate editor of the Windows Secrets Newsletter. He has been a contributing editor of PC World since 1992 and currently writes for the magazine's Here's How section.

Security

Modifying RDP5 & 6 to always connect local drives as well as USB devices…

Mixed Novell and AD Authentication issues

Anyway, here is the documents that might prove useful if you are investigating similar issues?

LDAP Contextless Login in Terminal Services Environments

Will Altiris ever be more than a subsidiary?

Symantec creates an Endpoint Virtualization Business Unit

Ask and you shall receive? ;-) Now Clarkson knows a bit more about the modern world?

Clarkson's 'steal my ID' stunt backfires

Top Gear chap shoots self in foot

Tweak Vista's warnings

Production Servers now at 95% Virtualization

Virtualization at Warp Speed: How One Company Made it Fly

Timing is Everything

The Mission-Critical App Goes Virtual

Provisioning in 30 Minutes or Less

HOWTO Configure Ubuntu for Active Directory Authentication

HOWTO: Configure Ubuntu for Active Directory Authentication

Introduction

Accounts

Change of location

Getting by without Windows Update - can you update non-Microsoft applications and components as well?

Microsoft's Silent Upgrade backfires spectacularly? Here's the fix

Stealth Windows update prevents XP repair