Wednesday, June 29, 2005

ExBPA v2.1 Released

According to You Had Me At EHLO... a new version of the Exchange Server Best Practices Analyzer has been released. If you don't know ExBPA by now, it's time to get acquainted with it. IMHO it should be part of every Exchange admin's toolbox!
Check the overview or the Microsoft Exchange team's blog posts about it here and here; you can also find the history behind the tool here.

Update Rollup 1 for Windows 2000 SP4

It has finally been released. From Microsoft's description:
"The Update Rollup contains all security updates produced for Windows 2000 between the time SP4 was released and April 30, 2005... The Update Rollup also contains a number of updates that increase system security, reliability, reduce support costs, and support the current generation of PC hardware."

Interestingly, it won't be delivered to Windows 2000 through Automatic Updates until each server has been moved to Windows Update v6. See more info here and in the KB.

Sunday, June 26, 2005

Windows AntiSpyware beta update

Beta 1 just got updated. The second beta refresh (!) build is 1.0.614. The Microsoft AntiSpyware Update start menu shortcut does not seem to update it, despite what the download page claims. Maybe I'm just too fast...
The update is a Genuine Microsoft Windows update, which reminds me of an article on slashdot.org claiming that the check was cracked by the Indian researcher Debasis Mohanty.

Friday, June 24, 2005

TechEd Europe T minus 9 days

Per and I will both be at TechEd Europe in Amsterdam. I'm personally looking forward to the Pre-Conference day with Jesper Johansson and Steve Riley on the topic "Be Secure: How to Build a Defense-in-Depth Strategy for your Environment - Today!" They are both great speakers and always fun to listen to (even though they can also be busted, as you can hear approx. 17 minutes into this webcast, where Steve has just been 'taught' by an MVP why 802.1x on wired LANs isn't perfect and why a personal firewall in this case will lower your security ;-)

Anyway, we look forward to seeing both former and current customers/colleagues and maybe even a reader or two (if it's two, it's probably all of our readers ;-) My e-mail at TechEd will be My.Initials@mseventseurope.com or, as usual, My.Initials@inceptio.dk.

Top client/server support issues in Microsoft Exchange

PSS has gathered a good list of KB articles covering their top support issues in the following areas:
• Microsoft Outlook. This includes topics that are related to Microsoft Exchange connectivity.
• Microsoft Outlook Web Access.
• Exchange Mobility. This includes topics that are related to remote procedure call (RPC) over HTTP.

You can find the KB article here.

Wednesday, June 15, 2005

Nasty stuff - Vulnerability in SMB Could Allow Remote Code

This is bad news. Even though most systems will be protected from Internet attacks, this opens the door to a new worm flooding your internal network.
Get the update distributed right away!

For those of you with NT4 systems - hmmm - bad luck?? Microsoft's guidance reads:
"Customers who require additional support for Windows NT 4.0 SP6a must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options.
Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office."

Tuesday, June 14, 2005

Microsoft Security Initiatives in SP1 and SP2 - nothing but a complex toy?

I've written an essay on the security initiatives in SP1 and SP2 for the Industry Insiders forum; it can be found here or below.

I recently read Kevin Day's book "Inside a Security Mind" - not because I pretend or intend to be a security guru, but because I'm aware of the fact that we as an industry need to change focus in terms of security.

Working as a Solution Architect and Managing Consultant, I've been pushing a security focus to my customers for a long time - both in terms of the technology itself and, more importantly, around the processes involved in implementing and supporting technology - and quite frankly it is at times an uphill process. The comment from Kevin Day's book that triggered me to write this article was:
"... a security device, no matter how expensive or complex, is nothing more than a toy if it does not function within a greater security framework."
I agree with this statement in principle, as it relates directly to some of the solutions I have seen at customers, and in terms of XP SP2 it reminds me of one of the first customer comments I heard about the Windows XP SP2 firewall: "Very fine - but how do we disable it?" From a short-sighted manageability point of view I understand the comment, but from a security point of view the possibility of implementing a managed firewall is an opportunity that I personally would not let go.

The same applies to the security initiatives in Windows Server 2003 SP1. These include Windows Server Post-Setup Security Updates (PSSU), which works as a firewall blocking all incoming traffic during OS installation until all required security updates have been installed and the person installing the server presses "Finish" in the wizard that pops up after logon. Luckily, PSSU is on by default in slipstreamed Windows Server 2003 SP1 installations.
Furthermore, the Security Configuration Wizard (SCW) and its 50+ role-based configurations allow us to create templates/roles for all servers in an organization, taking a role-based approach to the security configuration of servers. The "scwcmd transform" command takes SCW to the next step by converting our templates to group policies that can then be linked to our OU structure, further easing the roll-out of our security policies to servers that are domain members (be aware, though, that IIS settings aren't deployable through group policies and are therefore NOT part of the transformation).
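As an added example (not from this post and not a Microsoft-provided script), here is the SCW workflow described above driven from the command line with scwcmd: analyze a server against a role policy, render the report, and transform the policy into a GPO. The policy path, server name, GPO name and result directory are placeholders; the XSL path is where the SCW-shipped stylesheets normally live.

```batch
@echo off
rem Added example, not from the post or from Microsoft: SCW role policy
rem workflow with scwcmd on a Windows Server 2003 SP1 machine.
rem Assumptions: the policy file, target server, GPO name and result
rem directory below are placeholders; run as a domain admin.
setlocal
set POLICY=C:\SCW\FileServerRole.xml
set TARGET=FS01
set GPONAME=SCW-FileServer-Role
set RESULTS=C:\SCW\Results

rem 1. Check a server against the role policy before enforcing anything.
rem    The result XML (named after the machine) lists every service, port
rem    and setting that differs from the policy.
if not exist "%RESULTS%" mkdir "%RESULTS%"
scwcmd analyze /p:"%POLICY%" /m:%TARGET% /o:"%RESULTS%"
if errorlevel 1 (
  echo analyze failed for %TARGET%
  exit /b 1
)

rem 2. Render the analysis report as HTML using the XSL shipped with SCW.
scwcmd view /x:"%RESULTS%\%TARGET%.xml" /s:"%windir%\security\msscw\TransformFiles\scwanalysis.xsl"

rem 3. Convert the policy to a GPO so it applies to every domain member in
rem    the OU it gets linked to. IIS settings in the policy are NOT carried
rem    over; apply those locally with "scwcmd configure" on the IIS servers.
scwcmd transform /p:"%POLICY%" /g:"%GPONAME%"
if errorlevel 1 (
  echo transform failed
  exit /b 1
)
echo GPO "%GPONAME%" created; link it to the target OU with GPMC.
endlocal
```

Run the analyze step against a few representative servers first and read the report: anything the policy would close that the server actually needs shows up there, which is cheaper to discover before the GPO is linked than after.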

One of the main advantages of the enhancements in both service packs is that, when properly implemented, they are a good start towards the "principle of least privilege": in terms of OS hardening, almost everything incoming is blocked by default, except the settings/roles you have explicitly allowed.

This essay is not meant to be a review of all the security enhancements in SP1/SP2, but I feel the need to point out that I'm not saying SCW or the firewall in SP2 are perfect. An important feature missing in the firewall is control of outgoing connections, including which applications are allowed to initiate them (although I recognize that it would be hard to implement and manage in a corporate environment); another is the many different tools used for security configuration. Furthermore, I think it's disappointing that Microsoft didn't have the nerve to enable the firewall by default in a slipstreamed Windows Server 2003 SP1 installation (although I'm sure they had good reasons for this), so that "everything" was blocked by default and you had to use SCW to open the server for the necessary applications/usages. Last but not least, I'm painfully aware of the work required to actually make these technologies work in an existing production environment (but I personally think it's worth the effort).

Back to the point, which relates to one of the Ten Immutable Laws of Security, "Technology is not a panacea", and Kevin's point about expensive/complex toys. If the full functionality of the service packs isn't implemented in your organization, or if they are implemented in an environment where the proper processes around security aren't in place or where simple things such as password-protected screensavers are disabled (as I've seen at one of my enterprise clients, due to a Managing Director who was annoyed at having to unlock Windows when returning to his desk), and/or the rest of the organization isn't security aware, then whatever security initiatives Microsoft makes, it's almost a dead-end game.

I do believe, however, that the enhancements in SP1/SP2 are much more than toys and that you and I can use them to make a difference - they are way better than the current situation, where machines are often attacked during installation or before they are fully patched - and I do believe that if we all try to influence the people around, below and/or above us, we can help raise the security bar and awareness in our respective companies and in the industry (just to be clear - I don't think it's Kevin's point either that we should give up on security if all processes/systems aren't in place ;-)

So come on - let's join forces and go test and design the firewall for our XP clients and role-based security based on GPO and SCW for all our servers (btw. don't use SCW with SBS 2003, and do try this Google search for other known issues).

Friday, June 10, 2005

Wednesday, June 08, 2005

SAP Enterprise Portal 5.0 / AD Schema conflict

SAP Enterprise Portal 5.0 requires schema changes in Active Directory, and if you have SAP installed with EP 5.0 SP5 Patch 3 hotfix 2 or higher, or EP 5.0 SP6 Patch 1, then it is supported on Windows 2003 - but the schema changes made by SAP Portal conflict with the Windows 2003 schema upgrade process. During adprep /forestprep you will get a failure with an error like "cn=uid,cn=schema,cn=configuration windows 2000 schema and extended schema does not match" and a message to contact the supplier/vendor responsible for the schema changes for assistance.

SAP Note Number 640923 addresses this; the solution is basically to change the DN from uid to SAP-UID and add some entries to SAP Portal that tell it where to look for its usergroupmap.
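As an added check (not from this post, SAP or Microsoft), this batch script dumps any existing "uid" definition from the schema partition with ldifde before adprep /forestprep is run, so a conflicting third-party definition is found in a planning window rather than halfway through the forest upgrade. The schema DN is a placeholder for your own forest; the expected attributeID is the RFC 1274 OID for uid, which is the one the built-in Windows Server 2003 schema definition uses.

```batch
@echo off
rem Added example, not from the post or from SAP/Microsoft: find an existing
rem "uid" schema definition before running adprep /forestprep.
rem Assumptions: SCHEMA_NC is a placeholder for your forest's schema
rem partition; run as a member of Schema Admins on a domain member.
setlocal
set SCHEMA_NC=cn=schema,cn=configuration,dc=example,dc=local
set OUTFILE=%TEMP%\uid-schema.ldf
rem RFC 1274 OID for uid, as used by the Windows Server 2003 schema.
set EXPECTED_OID=0.9.2342.19200300.100.1.1

rem Export anything whose cn or lDAPDisplayName is "uid", with the fields
rem that must agree with the built-in definition for adprep to succeed.
ldifde -f "%OUTFILE%" -d "%SCHEMA_NC%" -r "(|(cn=uid)(lDAPDisplayName=uid))" -l "cn,lDAPDisplayName,attributeID,attributeSyntax,oMSyntax,isSingleValued"
if errorlevel 1 (
  echo ldifde failed; check the schema DN and that you are a Schema Admin.
  exit /b 1
)

findstr /i /c:"dn:" "%OUTFILE%" >nul
if errorlevel 1 (
  echo No uid definition present; adprep /forestprep will add the built-in one.
  exit /b 0
)

echo Existing uid definition(s):
type "%OUTFILE%"
findstr /i /c:"attributeID: %EXPECTED_OID%" "%OUTFILE%" >nul
if errorlevel 1 (
  echo WARNING: uid exists with an attributeID other than %EXPECTED_OID%.
  echo Resolve it with the vendor (SAP Note 640923 for EP 5.0) before adprep.
  exit /b 2
)
echo uid OID matches; compare the remaining fields against the Windows Server 2003 schema before proceeding.
endlocal
```

A non-zero exit code from the script is the signal to stop: adprep /forestprep is not something you want to discover a schema conflict in the middle of, and the export file also serves as the "before" record of the vendor's definition for the change ticket.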