Security

WSUS fubar - Microsoft Desktop Search

Robert Kloosterhuis — Thu, 25 Oct 2007 13:49:36 GMT

Thank you Microsoft, for once again bypassing my Windows update policies. I can now go explain to my managers why 500 workstations and 12 servers have ended up with Microsoft Desktop Search, without anyones explicit approval. To illustrate how totally stupid this is, check out these screenshots out of our WSUS box:

As you can see above, our current update policy only allows Security updates, Critical Updates and Security Roleup Packs to be automaticly installed ("Approve for Installation") on select computer groups (most of them test groups)

All other catagory of updates are set to "detect only" for all computers. Meaning that all other update catagories, including the "update" categorie are only detected, so I can see what systems are actually asking for a non-security update, and approve them when needed. Updates under these catagories are not installed automaticly.

Just to re-itterate: Updates of the "Update" categorie, are only suppose to automaticly be "Approve for Detection". And not "Approve for Installation"

So imagine my horror, when yesterday, after several frantic phonecalls from my support teams, I found 5 particular updates as follows:

These 5 updates where pushed on the 23rd of October, together with a bunch of Internet Explorer Security Roleup pack updates not listed here.

The alarming thing about the above list, is the Appoval column.

Its set to Install.

I never approved these updates for installation.

These updates are suppose to be automaticly set to "Approve for Detection" only. What is even worse, is that, not only are they set to "Install", they are set to "Install" for "all computers.", which ignored any of my predefined computer groups. You can see that here:

These 5 updates, totally and utterly ignored the settings if our WSUS server, and did its own thing, installing forcefully on every single system in WSUS, inluding servers such as SQL servers, file servers, and several domain controllers.

I didnt even think it was technicly possible that these updates could override the WSUS server settings. This proves they can, and moreover, in the largest Microsoft update fuckup to date, that Microsoft has more control over what updates you recieve in your Enterprise, than your own administrators.

The question now is, how this could have happened. Was this a mistake on Microsofts part? Perhaps, because it was also the .net Framework 3.0 that was approved in this way. One can theorise about MS wanting to forcefuly push MS Desktop Search as some kind of play against Google desktop, sure, but .Net 3.0 too? And at the same time? Surely they would have known what kind of shitstorm this would cause!

So my money is on an honest-to-god mistake on Microsofts part. We can probably expect some kind of enterprise Desktop Search de-installation tool in the next week or so.. perhaps ;)

In the meantime, administators and IT managers around the world, are going to have to ask themselves weather they still trust Microsoft. Especially considdering that whatever they push can apparently override server-specific settings.

-------------------------------------------------------------------------

Update:

Microsoft WSUS team have responded with a post here
I responded on that post with the following:

I blogged about this happening to me here:

http://geekswithblogs.net/jemimus/archive/2007/10/25/116319.aspx

Now i I understand the above correctly...

There is a good chance I approved for installation, the update to Windows Desktop Search back in february.

I would have done that in the understanding that it would apply -only- to systems that already had the Windows Desktop Search tool installed.

That understanding has come from the behavior of Microsoft updates in general: -Updates- to components of Windows and other applications, only apply to systems that have that component or application installed.

Makes sense. After all: You cannot update software that isn't installed in the first place... cause its not there yet.

Now what I understand from the post above, is that the update revision 105, released a few days ago, is not simply an update.

It is in fact the entire Windows Desktop Search installer, with the ability to also replace/update previous installations.

And because of the WSUS feature to always aprove new revisions is also turned on on my WSUS server, 105 was also, automaticly approved. Cause its a -revision- of the feb update.

However.. you changed the scope of applicability of 105.

In my opinon, this is a very dangerous sequence of events, because the logic is not apparent to most admins I am guessing (based on what I have read so far).

The combination of both a revision, -and- a scope change at the same time, seems an inherently bad choice.

For all intense and purpose, the effect of the scope change for clients that did not have the WDS previously installed, does not constitute an -update-, and it should not be presented as such.

That means it should have been presented as a completely seperate item in WSUS, and should not have included the wording "update" anywhere in the discription.

I have read on the thread here: http://episteme.arstechnica.com/eve/forums?a=tpc&s=50009562&f=12009443&m=796005818831&r=845007818831

that exactly the same thing happened with "Client Update for Microsoft Forefront Client Security (1.0.1703.0)", which similarly was extended in scope.

The term "update" should mean just that. You should not be using the term so generically, and wrapping up "new" installation functionality into one and the same package.

Keep it separate. Keep the language clear to us admins who have probably very little time to devote to patch management already.

--------------------------------------------------------------------

Update 2

Copy-paste of my comment on the Microsoft Update product team blog

After reading this:

http://blogs.technet.com/wsus/archive/2007/10/25/wds-revision-update-expanded-applicability-rules-auto-approve-revisions.aspx

I have a better understanding of what might have happened. And it seems like the behavior is by design.

However, I believe the way this update was packaged and presented, undermines the logic we have come to expect from WSUS updates.

The problem is that the package is presented internally as a revision -update-, which are by default -always- automatically approved (your other approval settings don't override this), but it was combined with a scope change, that allowed the package to also install WDS on systems that did not have it previously.

It is the second behavior that causes the problem. Installation on systems that did not have it previously, is NOT an -update-, they should not behave as such.

Revision 105 was called "Windows Desktop Search 3.01 for Windows XP (KB917013)". Classification: Update

Now from the name alone, it looks like its not an update, but a complete installation (which it was). I never got to see the name before the fact of course, because it auto-approved and installed itself.

The classification is "Update", and this is what troubles me. Surely, if this "update" can install itself on systems without previous revisions, it does not belong in the "update" classification?

This should have been split into 2 packages.

1. An -update- with new revision number 105, possibly with a slighty differnet name including the word "update". This would have been automatically approved if the default option for revisions auto-approving was not altered by the admin. The scope would be only install on systems with previous revisions of WDS

2. A new package, called "Windows Desktop Search 3.01 for Windows XP (KB917013)", possibly a new revision number, but certainly a different classification. I don't have a list of all the WSUS classifications here, but I am sure there is one that is suitable, wasn't their something for new Windows features?

-------------------------------------------------------

A VB Script that checks registry for installed hotfix

Robert Kloosterhuis — Fri, 21 Oct 2005 07:00:00 GMT

You may find this usefull!
I am quite new to scripting, so I am sure that I could have done things much better than I did in this script. So I would very much appreciate any feedback, tips and comments!

The next version of this script should allow command line input aswell, so you dont have to supply a list of servernames. Also next version will check with WMI directly, instead of checking the registry.

———————————————————————-

'Checks the registry of each computer listed in INPUT_FILE_NAME
'for a the hotfix listed in HOTFIX
'It uses the WMI registry provider to do this.
'Besides writing to the screen, it writes the output to
'the file in OUTPUT_FILE_NAME in comma delimted format, producing 2 columns:
'the computer name, and the result of the query
'
'21/10/2005 Robert Kloosterhuis: v1.0
'http://www.geekswithblogsnet/jemimus

On Error Resume Next

INPUT_FILE_NAME = "serverlist.txt"
OUTPUT_FILE_NAME = "scan_hotfix_MS05_051.csv"
HOTFIX = "KB902400"

Const FOR_READING = 1
'objFSO.OpenTextFile method uses paramater value 8 to append to file
Const FOR_WRITING = 8
const HKEY_CURRENT_USER = &H80000001
Const HKEY_LOCAL_MACHINE = &H80000002

Set StdOut = WScript.StdOut

'Set up objFSO variable for file reading and writing operations
Set objFSO = CreateObject("Scripting.FileSystemObject")

'delete OUTPUT_FILE_NAME if it already exists
Set oldfile = objFSO.GetFile(OUTPUT_FILE_NAME)
oldfile.delete

'Set up the output file
Set objOutputFile = objFSO.OpenTextFile(OUTPUT_FILE_NAME, FOR_WRITING, true)

'Read the input file
Set objFile = objFSO.OpenTextFile(INPUT_FILE_NAME, FOR_READING)
strComputers = objFile.ReadAll
objFile.Close

'Make an array out of the list it reads from the input file
arrComputers = Split(strComputers, vbCrLf)

'setting up some initial values
DIM result
DIM noresult
result = 0
noresult = 0

'Our main loop. Everything below this is run for every entry in the imput file
For Each strComputer In arrComputers

  'first column in the file we are writing to is the computer name.
  'Every bit of info we want to provide is ended with a comma for delimitation
   objOutputFile.Write
   objOutputFile.Write
   objOutputFile.Write strComputer
   objOutputFile.Write ","


  Err.Clear
  'Connect to the WMI registry provider
  Set objReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
    strComputer & "\root\default:StdRegProv")
        'Error Handling If it cant connect to the WMI provider,
        'exit with the Error Description
     If Err.Number <> 0 Then
          Wscript.Echo strComputer & " " & "Error Number " & _
          Err.Number & ": " & Err.Description
          Err.Clear
           Else

          'The Registry path we are going to read from
    strKeyPath = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix"
    objReg.EnumKey HKEY_LOCAL_MACHINE, strKeyPath, arrSubKeys

    'Everytime we run though the loop, these values are reset first.
    result = 0
    noresult = 0

    'If it comes across the hotfix we are looking for,
    'it changed the value for this loop
    For Each Subkey in arrSubKeys

        IF Subkey = HOTFIX Then
        result = 1
        noresult = 0

        Else
        noresult = 1

     End IF

    Next


     'Now we have a value, lets print some text about it,
     'both to the screen, and to our output file
     IF result = 1 Then

       WScript.Echo strComputer & " " & HOTFIX & " installed!!!"
       objOutputFile.Write HOTFIX & " installed!!!"
     Else
       WScript.Echo strComputer & " " & HOTFIX & " not found!"
       objOutputFile.Write HOTFIX & " not found!"
     End IF

       'End with a comma for this column
       objOutputFile.Write ","

     end if

     'Start a new line
     objOutputFile.Writeline

Next
objOutputFile.Close

———————————————————————-

Security Park - It is the employer not the employee who is the weakest link in a company###s IT security

Robert Kloosterhuis — Tue, 21 Jun 2005 15:34:00 GMT

Security Park - It is the employer not the employee who is the weakest link in a company###s IT security

It is the employer not the employee who is the weakest link in a company's IT security

SurfControl has today announced the results of a new UK survey that uncovers an alarming level of complacency by employers when it comes to combating spyware in the workplace. The poll found that 21.3 percent of all respondents' employers did not prohibit the use of Instant Messaging to contact friends, Web-based email, recreational surfing, downloading free software, personal online banking, storing personal files, sharing free music/video files, playing online games, running CD-Rom/DVD media or the use of USB flash drives on work PCs.

Read more

—————————————-

Well I agree with the sentiment.. well some of the sentiment, if not all of what they claim are ‘threats’.

One has to bare in mind who sponsored this report, and who is presenting the news: Surfcontrol; and they have a rather large stake in this kind of discussion.

Litterally anything can be a threat if you look hard enough. I would not call IM-ing friends a threat. I might call file-transfer via IM a threat, but not much of one… Use of USB drives? Well its the same issue: not being able to fully control what files pass in and out of your network.

At the moment, with the current state of affairs when it comes to files and file-systems, I would say its just about impossible to lock down your network to stop foreign files from entering your network. They trick is to mitigate what threat they do pose. AV on the desktop is one part of that, a strickt and enforced lockdown policy of the desktop enviroment is another.. and the same can be said for permiter defenses…

Its that old cost vs usability vs security arguement. You can have a little of all three, but not all at the max level. People use IM and play games to give themselves a little distraction, which I believe is a healthy thing, in moderation. Not to mention IM being the perfect productivity tools if used for work purposes.

USB sticks? Well they have taken the place of floppies. I often see people resulting to USB sticks if its the easiest alternative for getting to their data. Shutting off access to USB may mitigate some of the foreign-file threat, but I dont think it stands in relation to the added support costs you incurr, or the effect it has on worker morall. Instead, perhaps you should be focussing on giving your users what they need: Easy (and secure) access to their files; remove their reason for trying to work around the system.

And what the hell is wrong with ‘Web-based email’, ‘recreational surfing, personal online banking’. How is this a security threat? yah sure.. downloading trojans perhaps .. spyware? Mabe.. . .. how about a software restriction policy then? If you run windows 2000 and up, you already have the mechnism to impliment it… just a case of doing it.
How about locking down Internet Explorer? Turn of ActiveX via group policy.. its not perfect.. but its a start! Think about running Firefox on desktops yet… might be worth considdering!

I am against the view that Surfcontrol seems to take, that any freedom you give employees, both online and off, is always a bad thing. Try turning off all net access in your company, and lets see what it does for morale? Work should be a place you want to go to, or at the very least, not mind going to, so that means employees should be giving at least some thought to distraction and relaxation, finding that balance of productivity and fun. Blanket blocks on certain activities are not the awnser, a far more nuanced approach is needed that combines and weighs out those important ellements in the way that best suits your companies needs: cost vs usability vs security.

Security Park - New ISO 17799 Security Standard Published

Robert Kloosterhuis — Tue, 21 Jun 2005 15:04:00 GMT

Security Park - New ISO 17799 Security Standard Published

New ISO 17799 Security Standard Published

The official revision of the ISO 17799 security standard is now available. This has been under development for several years, and introduces a number of major changes to ISO17799. The old version, published initially in 2000, has been withdrawn with immediate effect.

ISO 17799 now contains eleven content sections, as opposed to ten in the old version, with some existing chapters being re-worked and re-named.

The new section format is as follows:
1) Security Policy
2) Organizing Information Security
3) Asset Management
4) Human Resources Security
5) Physical and Environmental Security
6) Communications and Operations Management
7) Access Control
8) Information Systems Acquisition, Development and Maintenance
9) Information Security Incident Management
10) Business Continuity Management
11) Compliance.

The new version also introduces security controls to address a variety of issues not previously covered. These include outsourcing provision and patch management. Other areas have been extended, such as employment termination, and distributed communication.

In addition to the content itself, steps have also been taken to make the standard more 'user friendly.'

The following official outlet (BSI) has been updated to provide copies of the new standard:
http://www.standardsdirect.org/iso17799.htm

The ISO 17799 Toolkit, the standard's support kit, has also been updated to include the new version: http://www.17799-toolkit.com

———————————

I have often heard of this standard, but have not actually paged thought it yet. Hope to soon.

A Holistic View of Enterprise Security, Rafal Lukawiecki

Robert Kloosterhuis — Fri, 22 Apr 2005 08:53:00 GMT

Update 12/05: Steve Lamb notices that Rafal is doing the same seminar in the UK soon.

----------------

Attended a Microsoft Expert Conference today, the topic was Holistic Security and Digital Trust, and the speaker was the very excellent Rafal Lukawiecki.

Sessions included:

A Holistic View of Enterprise Security, Rafal Lukawiecki
The tough realities of today make security of enterprise systems one of the highest priorities on most IT Professionals’ agenda. This conceptual, rather than technical, session will overview security from a holistic, process-oriented perspective. While still uncommon, this approach seems to best model the threats that affect our installations. This way of looking at security is based on risk assessment and worries about all aspects of the system equally: we do not want to be building bullet-proof steel doors in a house made of paper walls. After discussing the main challenges that make achieving optimal security difficult, we will concentrate on three process-based holistic approaches: OCTAVE, Simplified Security Risk Analysis, and Threat Modeling. Also in this session we will attempt at categorizing all security technologies into active and passive approaches, thus providing a structure to the remainder of the seminar.

Active Security Common Practices, Rafal Lukawiecki
Starting with the concept of Defense-in-Depth we will look at all of the main aspects of the operational environment that require being secured using active technologies. We will look at the techniques and guidance available for securing applications, hosts and the network itself. Specifically, we will debate some of the challenges posed by in-house enterprise applications, as well as those provided by vendors such as Microsoft. While discussing the available security technologies, we will attempt to provide a fairly complete list of those that you should consider employing, including: Windows XP SP2, Patch Management and WU/SUS/SMS, ISA, Server Hardening Guides, IPSec, MOM, 802.1x/WPA, and Identity Integration. We will close this session with a brief discussion of the checklists of the ‘Top 10’ suggestions for securing the primary Microsoft server systems.

Cryptography and PKI for Passive Security, Rafal Lukawiecki
Holistic security uses both active and passive technologies. Cryptography is the mainstay of passive approaches, primarily used to protect the data layer in the defense-in-depth view. This session aims to provide a good technical overview of all of the foundational concepts of cryptography in order to enable a IT security professional to make better decisions regarding the technologies used for protection. We will, at first, explain the concepts of hybrid, symmetric and asymmetric cryptography before moving onto the subject of hash and digest functions in order to explain the problems found with today’s digital signatures. With that introduced, we will look at the X.509 certificate standard, SSL and smartcards and move onto a rapid discussion of all of the current encryption algorithms such as AES, TripleDES, IDEA, RC2, RC4, RSA, ElGamal, ECC, and briefly touching on quantum cryptography. We are not going to discuss each of them in detail – instead we hope to provide enough information to allow you to make better choices when deciding on the technologies to use.

Digital Trust: Goals and Obstacles, Rafal Lukawiecki
Trustworthiness is as important as security of the system, according to its users, such as clients, employees and partners. Traditional paper-based trust increasingly has to be replaced with digital signatures and other legally-binding electronic forms of interaction between parties. PKI, Identity Management and Digital Signatures form the basis of Digital Trust. In addition, Time Stamp Authorities, Trusted Document Repositories and e-Notary Service are also vitally needed to build a usable infrastructure of digital trust. We will look at the standards and technologies that enable this concept, and, keeping with reality, we will point out a number of outstanding legal and social issues that may prevent your organization from successfully adopting some principles of digital trust. We will also briefly touch on Digital Rights Management as an aspect of digital trust and its relationship to privacy protection. This session is likely to be of more interest to those working in the public sector, governments, and bigger enterprises interacting with a large consumer base, and consultants working with them.

Really interesting material, and Rafal is a really excellent speaker!

In the Q&A I asked him about his view on the current standards in identity federation, and where the field was going. He said he was putting his money on the WS-series of standards being developed by IBM and MS.

Got the MSPress PKI book

Robert Kloosterhuis — Fri, 22 Apr 2005 08:31:00 GMT

It was funny. I had already picked up the Microsoft Windows Server(TM) 2003 PKI and Certificate Security from MSPress before I went to that session yesterday, and had already gone though the first chapter or so. Nice cross-media info-soaking, and relevant to my next MCSA module, 70-299.

I should make a new photocraph of my book case. (old one) There is a whole lote more blue in there now

ITT: Resultant Set of Policy, Services view or Remote Disk Management - "RPC Server is Unavailable" (Solved)

Robert Kloosterhuis — Wed, 19 Jan 2005 16:13:00 GMT

Update June 17, 2005:

Progress at least getting the remote disk management to work thought the SP2 firewall.
I am chaning the status to this issue to SOLVED

I can confirm that the solution suggested by Tori in the comments works. the following program exeptions must be added to your firewall policy in order for the Logical Disk Management Service to be accesable through the firewall, dispite having already turned on the options Allow Remote Administration Exception and Allow File and Printer Sharing Exception:

Define Program Exeptions:

(replace localsubnet with whatever access source you wish to grant, see the explain tab for more info )

c:\windows\system32\dmadmin.exe:locasubnet:enabled:Logical Disk Manager
c:\windows\system32\dmremote.exe:locasubnet:enabled:Logical Disk Manager Remote Access

As for other RPC errors using remote administratior, such as RSoP.. make sure you dont have the option Do Not Allow Exceptions turned on in your firewall domain policy. It easy to turn this setting on under the asumption that the setting would only effect locally logged on users. But it effectively turns off any other local exeptions you have defined in your policy.

------------------------------------------------------

Update 23 March 2005:

I have returned to this issue at work, purely by coincidence.
This time, its a very simple classroom setup, same configuration: GPO with settings for the SP2 firewall, firewall enabled, remote admin enabled, file and print sharing enabled.

Curiously, this time, resultant set of policy works oke though the firewall, but remote disk management ( Logical Disk Manager service ) does not. Had another look on google, but nothing new. Didnt find my blog post either, probably havnt used the right keywords often enough.

If I feel up to it, I will dig deeper.

------------------------------------------------------------

Original post,

Resultant Set of Policy - "RPC Server is Unavailable"

So there seems to be a problem with DCOM or RPC over the Windows XP SP2 firewall.

The problem above also manifests itself when you use MSinfo32.exe to collect info on an external computer. And also appears when you try access the disk manager of the remote pc, via the Computer Management Snap-in.

Discounted all other things, as RSoP and all of the abobe works just fine with the firewall turned off.

Also note, that all the firewall settings are being pushed via Group Policy, and that the policy is not being overidden by anything above it, the application of the correct settings can be observed live on the client.

Now via Group Policy, you can set some settings that are suppose to open up all the management ports you could need within your lan/domain:

Windows Firewall: Allow local program exceptions

This will open up the following ports on the client machines:

TCP Port 135 for (DCOM) (DCE/RCP Endpoint Mapper)
TCP Port 445 for (RPC)

Allows remote administration of this computer using administrative tools such as the Microsoft Management Console (MMC) and Windows Management Instrumentation (WMI). To do this, Windows Firewall opens TCP ports 135 and 445. Services typically use these ports to communicate using remote procedure calls (RPC) and Distributed Component Object Model (DCOM). This policy setting also allows SVCHOST.EXE and LSASS.EXE to receive unsolicited incoming messages and allows hosted services to open additional dynamically-assigned ports, typically in the range of 1024 to 1034.
If you enable this policy setting, Windows Firewall allows the computer to receive the unsolicited incoming messages associated with remote administration. You must specify the IP addresses or subnets from which these incoming messages are allowed.
If you disable or do not configure this policy setting, Windows Firewall does not open TCP port 135 or 445. Also, Windows Firewall prevents SVCHOST.EXE and LSASS.EXE from receiving unsolicited incoming messages, and prevents hosted services from opening additional dynamically-assigned ports. Because disabling this policy setting does not block TCP port 445, it does not conflict with the "Windows Firewall: Allow file and printer sharing exception" policy setting.
Note: Malicious users often attempt to attack networks and computers using RPC and DCOM. We recommend that you contact the manufacturers of your critical programs to determine if they are hosted by SVCHOST.exe or LSASS.exe or if they require RPC and DCOM communication. If they do not, then do not enable this policy setting.
Note: If any policy setting opens TCP port 445, Windows Firewall allows inbound ICMP echo request messages (the message sent by the Ping utility), even if the "Windows Firewall: Allow ICMP exceptions" policy setting would block them. Policy settings that can open TCP port 445 include "Windows Firewall: Allow file and printer sharing exception," "Windows Firewall: Allow remote administration exception," and "Windows Firewall: Define port exceptions.

Then you also have this one:

Windows Firewall: Allow File and Print Sharing exception

This will open up the following ports on the client machines:

TCP Port 139 (Netbios Session Service)
TCP Port 445 (RPC)
UDP Port 137 (Netbios Name Service)
UDP Port 138 (Netbios Datagram Service)

Allows file and printer sharing. To do this, Windows Firewall opens UDP ports 137 and 138, and TCP ports 139 and 445.
If you enable this policy setting, Windows Firewall opens these ports so that this computer can receive print jobs and requests for access to shared files. You must specify the IP addresses or subnets from which these incoming messages are allowed. In the Windows Firewall component of Control Panel, the "File and Printer Sharing" check box is selected and administrators cannot clear it.
If you disable this policy setting, Windows Firewall blocks these ports, which prevents this computer from sharing files and printers. If an administrator attempts to open any of these ports by adding them to a local port exceptions list, Windows Firewall does not open the port. In the Windows Firewall component of Control Panel, the "File and Printer Sharing" check box is cleared and administrators cannot select it.
If you do not configure this policy setting, Windows Firewall does not open these ports. Therefore, the computer cannot share files or printers unless an administrator uses other policy settings to open the required ports. In the Windows Firewall component of Control Panel, the "File and Printer Sharing" check box is cleared. Administrators can change this check box.
Note: If any policy setting opens TCP port 445, Windows Firewall allows inbound ICMP echo requests (the message sent by the Ping utility), even if the "Windows Firewall: Allow ICMP exceptions" policy setting would block them. Policy settings that can open TCP port 445 include "Windows Firewall: Allow file and printer sharing exception," "Windows Firewall: Allow remote administration exception," and "Windows Firewall: Define port exceptions."

But unfortunatly, this doesnt seem to help.

Now MS KB article 875605 (How to troubleshoot WMI-related issues in Windows XP SP2) also tells me to
- Create a program exeption for uncecapp.exe - Done, no dice
- Explicitly open port 135 - Done, still no dice.
- Edit the DCOM remote launch permissions. - Done, officer, I still dont have any dice.

I really cant think of anything else at this point. I guess I will have to dig into DCOM and pull out the network monitor for this. *sigh*

Consulted sources so far:

http://www.ntcompatible.com/thread28557-1.html - SP2 Windows Firewall programs exceptions list issues... http://support.microsoft.com/kb/q204279/ - Direct Hosting of SMB Over TCP/IP
http://support.microsoft.com/default.aspx?scid=kb;en-us;840634 - You receive an "Access denied" or "The network path was not found" error message when you try to remotely manage a computer that is running Windows XP Service Pack 2
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2maint.mspx#EEAA - Changes to Functionality in Microsoft Windows XP Service Pack 2
http://www.911cd.net/forums/index.php?showtopic=5999&hl=mmc_sp2 - Diskpart And Nu2menu Problem
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/mangxpsp2/mngdepgp.mspx - Managing Windows XP Service Pack 2 Features Using Group Policy

My little MS Anti-Spyware test

Robert Kloosterhuis — Fri, 07 Jan 2005 16:20:00 GMT

http://www.xs4all.nl/~jemimus/blogpics/MS_anti_spayware_in_action.JPG

I had to turn off Symantec corperate edition first.. and allow everything on IE SP2 security bar, only then did it actually hit MS Anti-Spyware.

Some reports in the blogosphere about slow web surfing with all 3 agents on... I will give you my experiences after I try it a few days.

Passwords are dead.. tell me something I don't already know!

Robert — Wed, 17 Nov 2004 09:14:00 GMT

Dave over at eDave.org alerted me, via his podcast, to a keynote adress (link to Techworld.com) by Bill Gates, in which he says: "The move towards smart cards is the way forward," said Gates in his keynote at IT Forum, in Copenhagen this morning. "The idea is to have a smart card that connects up in the best way - a .Net based smart card."

Well Duh.

I mean Duh on Smartcards in general, and the idea that passwords are dead, (I'll have to dig in a little deeper to get what the difference is between a .net based smartcard, and the 'classic' one you can use today.)

I'll tell you something else.. I dont think passwords ever had any life to them to begin with.

People just dont take passwords seriously. I see this is in every aspect of computer use, from the postit-sticking end user, to the password-printout toting sysadmin. Most companies i have been at dont have any kind of password policy in place, and those who do usualyl stick to the 3-month, strong password policy, which is usualy a faliure because some, if not most uses, will write down there hard-to-remember passwords somewhere nearby their pc's.. and sometimes on the good ole post-it on the screen.

Not only do these people often not realise why passwords are used to begin with, but stringent password policy is usally such a pain-in-the-ass for users, that they start to work around it in these kind of manners.

On the IT department side, things are usually not much better. Often have I run situations where either the password policy, and I use the term policy lightly, is to have a single administrator account+password, that is used everywhere, or to have so many passwords for so many different systems, that administrators have to go around with printed lists of passwords (which get lost and may fall into wong hands, I have seen exaples of this often)

Of course both methods are as incorrect as you can possible imagine. The correct way security should be handled in with single sign-on, as much as possbile. Give admins their own, private, admin account, and give them the rights to do their work, no more, no less.
Audit them, have a good audit policy in place, disallow use of general accounts like the administrator account, in fact accounts like this should be disabled or at least renamed.

Across disparate systems, one should try to impliment single sign-on technologies, with products such as Microsoft Identity Integration Server (MIIS), and/or other federated directory syncronisation services. A good security infrastructure is only succesfull if its not a burden, if it is transparent to those who use its services.

MIIS 2003 manages information by receiving identity information from the connected data sources and storing the information in the connector space as connector space objects or CSEntry objects. The CSEntry objects are then mapped to entries in the metaverse called metaverse objects or MVEntry objects. This process allows data from separate connected data sources to be mapped to the same MVEntry object.

For example, an organization's e-mail system can be linked to its human resources database through the metaverse. Each employee's attributes from the e-mail system and the human resources database are imported into the connector space through management agents. The e-mail system can then link to individual attributes from the employee entry, such as the employee telephone number. If an employee's telephone number changes, the new telephone number will automatically be propagated to the e-mail system.

When it comes to loging on in the first place, like I said, passwords are basicly useless in my eyes.. i have seen many kind of password security basicly made useless by human nature, and the associated lack of interest in security, or an understanding of why it is nessesary.

Two or Three factor authentication scemes are the way to go of course, like our dear friend Bill says, but this technology is by no means new. Here is a copy-paste from the Server 2000 resource kit:

Windows 2000 supports logging on with a smart card for the network logon process by using extensions to the Kerberos v5 protocol. For logging on to a network, users usually press CTRL+ALT+DEL to initiate the Windows 2000 secure logon sequence. When the smart card logon process is enabled, a user inserts the smart card to initiate the Windows 2000 secure logon sequence. The user is then prompted to enter the PIN for the smart card. If the user's PIN and smart card credentials are valid, the user is logged on and granted rights and permissions for the user account.

When an administrator enrolls for a smart card logon certificate on behalf of the user, Windows 2000 automatically maps the smart card certificate to the user's account in Active Directory. Therefore, smart card certificates for logging on to the network must be issued by a trusted enterprise CA.

If you deploy smart cards for logging on to the network in a domain and allow some users to log on without smart cards (for example, with CTRL+ALT+DEL for Windows 2000–based clients or with NTLM for clients based on Microsoft® Windows® 98 and Microsoft® Windows NT®), the security of the network becomes only as good as the weakest password in the system. For maximum network logon security, deploy Windows 2000 and smart cards for all users and require that smart cards be used for logging on to all computers in your domains, including logging on from a remote location.

In every single way, smart cards are better. They are far more user friendly than having to come up with strong passwords every other month, and they are of course more secure.. because of the two-factor method of authentication.. something you have: Your smart card (with a digital certificate on it), and something you know: Your pincode. Without both of these coming together at the right time, you cannot log in.

Combine this with the optional, but encouraged third factor, something you are: Retinal scan, fingerprint, face scan, etc, and you can now start talking about security seriously.

Of course... if the local admin password on, for example, your SQL server is weak, the whole excersise is probably for nought.

Sarbanes-Oxley kicks in - I wish the EU had this...

Robert — Tue, 16 Nov 2004 08:32:00 GMT

http://news.com.com/Sarbanes-Oxley+kicks+in/2100-7355_3-5453279.html?tag=nefd.top

Oke.. I like this legislature...

Sarbanes-Oxley is forcing coorperations all across the US to get their acts together when it comes to auditing and securing data and transactions.
A large part of this comes down to IT departments of course, as much of Sarbanes must be achieved on a technology level.
Its forcing companies to get large parts of their IT in order, probaby more than ever before. I get the strong feeling that its being taken very seriously by most folks, and that is great, because the kind of mind-set it perpetuates is healthy, and will most likely benefit IT organisations and the businesses their support on a larger scope than what is needed simply to comply with Sarbanes.

I wonder if any EU version of such a set of laws would be taken half as seriously by the average EU member state.