Wednesday, June 29, 2005

ExBPA v2.1 Released

According to You Had Me At EHLO... a new version of the Exchange Server Best Practices Analyzer has been released. If you don't know ExBPA by now, it's time to get acquainted with it. IMHO it should be part of every Exchange admin's toolbox!
Check the overview or the Microsoft Exchange team's blog posts about it here and here; you can also find the history behind the tool here.

Update Rollup 1 for Windows 2000 SP4

has finally been released -
The Update Rollup contains all security updates produced for Windows 2000 between the time SP4 was released and April 30, 2005... The Update Rollup also contains a number of updates that increase system security, reliability, reduce support costs, and support the current generation of PC hardware.

Interestingly, it won't be delivered to Windows 2000 through Automatic Updates until each server has been moved to Windows Update v6. See more info here and in the KB.

Sunday, June 26, 2005

Windows AntiSpyware beta update

Beta 1 just got updated. The second beta refresh (!) build is 1.0.614. The Microsoft AntiSpyware Update start menu shortcut does not seem to update it, despite what the download page claims. Maybe I'm just too fast...
The update is a genuine Microsoft Windows update - which reminds me of an article on slashdot.org claiming that the check was cracked by the Indian researcher Debasis Mohanty.

Friday, June 24, 2005

TechEd Europe T minus 9 days

Per and I will both be at TechEd Europe in Amsterdam. I'm personally looking forward to the pre-conference day with Jesper Johansson and Steve Riley on the topic "Be Secure: How to Build a Defense-in-Depth Strategy for your Environment - Today!". They are both great speakers and always fun to listen to (even though they can also be busted, as you can hear approx. 17 minutes into this webcast, where Steve has just been 'taught' by an MVP why 802.1x on wired LANs isn't perfect and why a personal firewall in this case will lower your security ;-)

Anyway, we look forward to seeing both former and current customers/colleagues and maybe even a reader or two (if it's two, it's probably all of our readers ;-) My e-mail at TechEd will be My.Initials@mseventseurope.com or, as usual, My.Initials@inceptio.dk.

Top client/server support issues in Microsoft Exchange

PSS has gathered a good list of KBs / their top issues in the following areas -
• Microsoft Outlook. This includes topics that are related to Microsoft Exchange connectivity.
• Microsoft Outlook Web Access.
• Exchange Mobility. This includes topics that are related to remote procedure call (RPC) over HTTP.

You can find the KB article here.

Wednesday, June 15, 2005

Nasty stuff - Vulnerability in SMB Could Allow Remote Code

This is bad news. Even though most systems will be protected from Internet attacks, this opens the door to a new worm flooding your internal network.
Get the update distributed right away!

For those of you with NT4 systems - hmmm - bad luck? The bulletin says:
Customers who require additional support for Windows NT 4.0 SP6a must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options.
Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office.

Tuesday, June 14, 2005

Microsoft Security Initiatives in SP1 and SP2 - nothing but a complex toy?

I've written an essay on the security initiatives in SP1 and SP2 for the Industry insiders forum and it can be found here or in this post -

I recently read Kevin Day's book "Inside a Security Mind" - not because I pretend or intend to be a security guru, but because I'm aware of the fact that we as an industry need to change focus in terms of security.

Working as a Solution Architect and Managing Consultant I've been pushing security focus to my customers for a long time - both in terms of the technology itself and, more importantly, around the processes involved in implementing and supporting technology - and quite frankly it is at times an uphill process. The comment from Kevin Day's book that triggered me to write this article was –
“.. a security device, no matter how expensive or complex, is nothing more than a toy if it does not function within a greater security framework.”
I principally agree with this statement, as it relates directly to some of the solutions I have seen at customers, and in terms of XP SP2 it reminds me of one of the first customer comments I heard about the Windows XP SP2 firewall - "Very fine – but how do we disable it?". From a short-sighted manageability point of view I understand the comment, but from a security point of view the possibility of implementing a managed firewall is an opportunity that I personally would not let go.

The same applies to the security initiatives in Windows Server 2003 SP1. These include the Windows Server Post-Setup Security Updates (PSSU), which works as a firewall blocking all incoming traffic during OS installation until all required security updates have been installed and the person installing the server presses "Finish" in the wizard that pops up after logon. PSSU is luckily on by default in slipstreamed Windows 2003 SP1 installations.
Furthermore, the Security Configuration Wizard and its 50+ role-based configurations allow us to create templates/roles for all servers in an organization – allowing us to take a role-based approach towards the security configuration of servers. Using the “scwcmd transform” command takes SCW to the next step by converting our templates to group policies that can then be linked to our OU structure, further enhancing the roll-out of our security policies to servers that are domain members (be aware though that IIS settings aren’t deployable through group policies and therefore are NOT part of the transformation).

One of the main advantages of the enhancements in both service packs is that, when properly implemented, they are a good start towards the “principle of least privilege”; in terms of OS hardening, almost everything incoming is blocked by default – except the settings/roles you have explicitly defined as allowed.

This essay is not meant to be a review of all the security enhancements in SP1/SP2, but I feel the need to comment that I’m not saying SCW or the firewall in SP2 are perfect. An important feature missing in the firewall is control of outgoing connections – including which applications are allowed to initiate them (although I recognize the fact that it would be hard to implement and manage in a corporate environment); another is the many different tools used for security configuration. Furthermore, I think it’s disappointing that Microsoft didn’t have the nerve to enable the firewall by default in a slipstreamed Windows Server 2003 SP1 installation (although I’m sure they had good reasons for this) – so that “everything” was blocked by default and you had to use SCW to open the server for the necessary applications/usages. Last but not least, I’m painfully aware of the work required to actually make these technologies work in an existing production environment (but I personally think it’s worth the effort).

Back to the point that relates to one of the Ten Immutable Laws of Security, "Technology is not a panacea", and Kevin’s point about expensive/complex toys. If the full functionality of the service packs isn’t implemented in your organization, or if they are implemented in an environment where the proper processes around security aren’t in place, or where simple things such as password-protected screensavers are disabled (as I’ve seen at one of my enterprise clients, due to a Managing Director who was annoyed with having to unlock Windows when returning to his desk), and/or the rest of the organization isn’t security aware – then whatever security initiatives Microsoft makes, it’s almost a dead-end game.

I do believe, however, that the enhancements in SP1/SP2 are much more than toys and that you and I can use them to make a difference - they are way better than the current situation where machines are often attacked during installation or before they are fully patched – and I do believe that if we all try to influence the people around, below and/or above us, we can help raise the security bar and awareness in our respective companies and in the industry (just to be clear - I don't think it's Kevin’s point either that we should give up on security if all processes/systems aren’t in place ;-)

So come on – let’s join forces and go and test and design the firewall for our XP clients and role-based security based on GPO and SCW for all our servers (btw. don’t use it with SBS 2003, and do try this Google search for other known issues).

Friday, June 10, 2005

Wednesday, June 08, 2005

SAP Enterprise Portal 5.0 / AD Schema conflict

SAP Enterprise Portal 5.0 requires schema changes in Active Directory, and if you have SAP installed with EP 5.0 SP5 Patch 3 hotfix 2 and higher or EP 5.0 SP6 Patch 1, then it is supported on Windows 2003 - but the schema changes made by SAP Portal conflict with the Windows 2003 schema upgrade process. During the adprep /forestprep process you will get a failure with an error like "cn=uid,cn=schema,cn=configuration windows 2000 schema and extended schema does not match" and a message to contact the supplier/vendor responsible for the schema changes for assistance.

SAP Note Number 640923 addresses this, and the solution is basically to change the DN from uid to SAP-UID and add some entries to SAP Portal that tell it where to look for its usergroupmap.

Thursday, May 26, 2005

Reports on Microsoft Update v6 release!

Just a quick notice - I just thought that Microsoft Update v6 had been released, including updates for Office 2003 (which I hadn't seen as part of the beta) and through Automatic Updates. Typing http://windowsupdate.microsoft.com forwarded me to http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us. I also found a few similar reports on Google. But in my case it was related to the fact that I'm testing MBSA 2.0, which has a checkmark for "Configure computers for Microsoft Update and scanning prerequisites" under "Check for security updates" - these checkboxes cause the scanned computers to use Microsoft Update v6 ;-)

Wednesday, May 25, 2005

DNS Zone Transfer from Bind to Windows Server 2003 "silently" fails

It seems there are a few "interesting" oddities with DNS on Windows Server 2003 (see my earlier post on replication problems during a domain upgrade).
The latest one I encountered is replication of secondary zones from BIND DNS servers to Windows Server 2003 failing (it's also a problem with SP1 according to my sources - but I haven’t tested that yet).
After the first successful replication of a secondary zone, or after a Reload from Master (full zone transfer / AXFR), Windows will request incremental zone transfers (IXFR) from the BIND server. Windows then expects to receive an IXFR back, but instead receives an AXFR that starts and ends with an SOA - Windows then (correctly IMHO) detects the first SOA as a "bad packet", as it should have been a record instead, and drops the zone transfer.
The problem is further described in KB 841467, but there is an error in the KB as it states that a Transfer from Master will work - this isn't correct, as only a Reload from Master will work (at least in the environment I worked with - Windows 2003 without Service Pack 1 and a Borderware firewall with BIND 8.x).
The hotfix itself contains a new version of dns.exe, and you don't have to reboot after applying it if you manually stop the DNS service before installing it (IMHO the package should do this for you - but that's just my opinion ;-)
Furthermore, according to THE book on DNS (DNS and BIND from O'Reilly - if in doubt), IXFR didn't work well in BIND until version 8.2.3 (and better yet 9.x).
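To make the failure mode above concrete, here is an added example (not code from the original post, Microsoft or ISC) that classifies the record sequence a secondary gets back after sending an IXFR query, using the RFC 1995 framing rules: a lone SOA means "already current", SOA/old-serial/new-serial pairs mean an incremental diff, and a body with no inner SOA markers is the AXFR-style full-zone answer that RFC 1995 allows a server to send instead. The record tuples, zone name and serials are constructed sample data; `tolerate_axfr_fallback=False` models the behaviour the post describes (the AXFR-style answer is rejected as a bad packet), `True` models a secondary that loads it as a full zone.

```python
from typing import List, Tuple

# Constructed record format: (owner name, RR type, rdata); for SOA the rdata is the serial.
Record = Tuple[str, str, object]

# Constructed sample data (not captured traffic). Secondary currently holds serial ...01.
CURRENT_SERIAL = 2005052501

# RFC 1995 incremental answer: SOA(new), [SOA(old) deletions SOA(new) additions], SOA(new)
IXFR_ANSWER: List[Record] = [
    ("example.test.", "SOA", 2005052502),
    ("example.test.", "SOA", 2005052501),
    ("old.example.test.", "A", "192.0.2.10"),   # deleted in this diff
    ("example.test.", "SOA", 2005052502),
    ("new.example.test.", "A", "192.0.2.11"),   # added in this diff
    ("example.test.", "SOA", 2005052502),
]

# AXFR-style fallback to an IXFR query: full zone, SOA first and last, no inner SOA markers.
AXFR_ANSWER: List[Record] = [
    ("example.test.", "SOA", 2005052502),
    ("example.test.", "NS", "ns1.example.test."),
    ("new.example.test.", "A", "192.0.2.11"),
    ("example.test.", "SOA", 2005052502),
]

# A single SOA with the secondary's own serial means there is nothing to transfer.
UP_TO_DATE_ANSWER: List[Record] = [("example.test.", "SOA", 2005052501)]


def classify_transfer(records: List[Record], current_serial: int) -> str:
    """Return 'UP_TO_DATE', 'IXFR', 'AXFR' or 'MALFORMED' for an IXFR query's answer."""
    if not records or records[0][1] != "SOA":
        return "MALFORMED"
    new_serial = records[0][2]
    if len(records) == 1:
        return "UP_TO_DATE" if new_serial == current_serial else "MALFORMED"
    last = records[-1]
    if last[1] != "SOA" or last[2] != new_serial:
        return "MALFORMED"          # transfer must be bracketed by the same SOA
    body = records[1:-1]
    if not body or body[0][1] != "SOA":
        return "AXFR"               # no diff framing: the whole zone was sent
    # Walk the diff sections; each must start at the serial the previous one ended on.
    expected_old = current_serial
    i = 0
    while i < len(body):
        if body[i][1] != "SOA" or body[i][2] != expected_old:
            return "MALFORMED"      # diff chain does not start where we are
        i += 1
        while i < len(body) and body[i][1] != "SOA":
            i += 1                  # records deleted in this section
        if i >= len(body):
            return "MALFORMED"      # deletions without a closing "new serial" SOA
        expected_old = body[i][2]   # this section's new serial
        i += 1
        while i < len(body) and body[i][1] != "SOA":
            i += 1                  # records added in this section
    return "IXFR" if expected_old == new_serial else "MALFORMED"


def apply_transfer(records: List[Record], current_serial: int,
                   tolerate_axfr_fallback: bool) -> Tuple[bool, str]:
    """Decide whether the secondary accepts the answer; returns (accepted, reason)."""
    kind = classify_transfer(records, current_serial)
    if kind == "IXFR":
        return True, "applied incremental diff"
    if kind == "UP_TO_DATE":
        return True, "zone already current"
    if kind == "AXFR":
        if tolerate_axfr_fallback:
            return True, "loaded full zone from AXFR-style answer"
        # Models the behaviour described in the post: expected IXFR, got an SOA where
        # a diff record should be, so the transfer is dropped.
        return False, "dropped: expected IXFR, first SOA treated as bad packet"
    return False, "dropped: malformed transfer"


if __name__ == "__main__":
    for name, answer in (("IXFR", IXFR_ANSWER), ("AXFR", AXFR_ANSWER),
                         ("UP_TO_DATE", UP_TO_DATE_ANSWER)):
        for tolerant in (False, True):
            ok, why = apply_transfer(answer, CURRENT_SERIAL, tolerant)
            print(f"{name:10s} tolerant={tolerant!s:5s} accepted={ok!s:5s} {why}")
```

Running it shows the same AXFR-style answer being dropped by the strict secondary and loaded by the tolerant one, which is exactly why a Reload from Master (a plain AXFR request) succeeds while the periodic IXFR refresh fails.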

Sunday, May 22, 2005

Two new public patches for MPS

According to Conrad there are two new patches released for MPS (Microsoft Provisioning System) -

FIX: Event ID 5896 is logged every 15 to 60 seconds on a server that is running the Provisioning Audit and Recovery Service component in Microsoft Provisioning System 2.0

FIX: You receive a "The parameter is incorrect" error message, and the CreateMailbox procedure does not succeed in Microsoft Provisioning System

Thanks to Conrad for telling us about these ;-)

Thursday, May 19, 2005

SP1 for SBS 2003 has been released

Microsoft has finally released SP1 for SBS 2003. This contains among other updates/fixes support for these server components -

Service Pack 1 for Windows Server 2003
Service Pack 1 for Exchange Server 2003
Service Pack 1 for Windows SharePoint Services 2.0
Service Pack 4 for WMSDE
Service Pack 4 for MSDE
Service Pack 4 for SQL Server 2000
ISA Server 2004 with Service Pack 1

Windows SBS 2003 SP1
Windows SBS Upgrade Best Practices
Installation Instructions
Release Notes
Setup for Microsoft Windows SBS Premium
What's new for SP1

The ISA 2004 bits need to be ordered on CD from here (the link is currently broken - I will update if it changes).

For gotchas with SP1 and general tips and tricks for SBS I would recommend that you check out the SBS Diva's blog. It so happens that I'm responsible for two small installations of SBS 2003 - so I guess I need to take the time to read all these papers :-

Slow blogging ahead

My blogging rate has slowed down lately. I'm spending a lot of time trying to buy a new home and getting my old one sold.

Self-Service Password Reset Solutions with Microsoft Speech Server

Stumbled across this interesting webcast. I have discussed self-service password reset solutions numerous times with customers. This is an interesting new method using the phone system and your voice.
To see the webcast, you have to start here (incredibly long URL). Most solutions are based on answers to enrolled questions, but VOICE.TRUST is using the voice itself as a biometric! VOICE.TRUST has the worst presentation - but the most interesting product.
To the techies: do not ignore it just because it is a level 200 session.

Installing Windows 2003 SP1 may cause network connectivity to fail - updated

I have run into this problem a couple of times, and after discussing it with PSS and a few of my colleagues it seems to be a problem that many users run into. The symptoms are -

  • Inability to connect to terminal servers or to access file shares.
  • Failure of domain controller replication across WAN links.
  • Inability of Microsoft Exchange servers to connect to domain controllers.
But there also seem to be other scenarios where this is a problem - one of them is related to ISA installations (where I first encountered the problem). The problem is currently seen mostly in LAN/WAN scenarios where different MTUs are used.

Apparently MS05-019 will be re-released with a fix for the problem - I haven't received any info on what happens to SP1.

Update - Microsoft has published a Security Advisory with further info, and it states that the fix will be re-released in June 2005.

You can find the KB article with more info here.

Wednesday, May 11, 2005

WPA2

With support from Microsoft for WPA2 on Windows XP Service Pack 2, you can secure your wireless network even further. Read this article from the Cable Guy explaining WPA2. I have already come across the 3Com wireless switches WX1200 and WX4400 supporting it. I have even come across a solution for a Lenovo (formerly IBM) ThinkPad T42 supporting it on Windows 2000 Professional! It consists of a driver and the Access Connections package.

Wednesday, May 04, 2005

Changes to Functionality in Windows 2003 SP1

Microsoft has released an updated whitepaper on the changes in Windows Server 2003 SP1 (you can find the corresponding paper on XP SP2 here) - it contains some interesting information on e.g. updates to DFS and enhanced DNS tests in a new version of DCDIAG. Also, if you are installing/testing SP1, don't forget to download the updated Adminpak for SP1 from here.

Saturday, April 23, 2005

MOM Admin Console may fail with Windows Server 2003 SP1

Quote -
A problem has been identified in the MOM Administrator Console. After Microsoft Windows Server 2003 has been upgraded to Service Pack 1, the Administrator Console may fail when the Computer Groups node is selected. This fix resolves the issue.
Symptoms
When affected by this issue, the Administrator Console may fail with “The remote procedure call failed” error message. This will occur when the MOM 2005 Management Server is running on a server that has Microsoft Windows Server 2003 Service Pack 1 installed.

Wednesday, April 20, 2005

SMS and MOM are NOT going to merge

New directions for System Center! System Center is now a brand for a number of products. Read it from the horse's mouth in the MMS press room, or from the WinInfo Daily UPDATE. You can find it on the net here, and I just realized that I can get it as an RSS feed instead of by email.