Closet Genius Technology Blog

2006-09-07T17:03:00.001-05:00

Finally Retiring the Closet Genius Blog (Updated)

This blog is inactive but will remain online so old posts show up in Bing searches ;)

I'm actively blogging over at TechNet. However, my target audience is limited to ten Microsoft enterprise clients in the KC Metro area. If you're still interested - my new blog URL is http://blogs.technet.com/jcent

Thanks for reading.

--Jeff

2006-08-31T22:39:00.000-05:00

The Blogoshpere is Listening - SUS v1 Usage Dropping

I’m not seriously taking credit for this, but new information has come to light that says SUS v1 usage is declining. So, if you’re one of those people who upgraded to WSUS recently – give yourself a pat on the back. If you’re still on the fence, I hope it’s not barbed wire :P

And while I have your attention, a little piece of info regarding WSUS 3.0 Beta 2. I noticed my test server wasn’t synchronizing Exchange IMF updates, which has enabled much more SPAM to find my inbox. I filed a bug on Connect and found out this is a known issue. The most recent IMF update available via WSUS 3.0 Beta 2 is dated 5/11/2006. By contrast, WSUS 2.0 (or just plain WSUS if you prefer) is hosting an IMF update dated 8/10/2006. Just another reminder that this beta, like all betas, should be deployed with care.

Still running SUS? Migrate Now!

2006-08-17T23:02:00.000-05:00

I heard a startling fact today – the number of SUS servers synchronizing with Microsoft has actually gone up in recent months. Yes, you read that right…SUS (the v1 product that’s not even available for download anymore) is increasing in popularity.

Here’s the really scary part – Microsoft will stop delivering updates to SUS servers on December 6, 2006 (official link). This means all clients and servers that pull updates from SUS will go unpatched unless someone takes action soon. Last time I checked December 6th is less than 4 months away. Furthermore, the fact that December’s Patch Tuesday falls on the 12th means that SUS admins really only have 3 months to migrate to WSUS.

OK – now for some good news. Upgrading to WSUS is about as straightforward as it gets. Microsoft even provides a Step-by-Step Guide to walk you through the upgrade. Since WSUS is free, and has similar hardware/software requirements to SUS, there really isn’t any reason NOT to upgrade. If you can think of one, feel free to leave a comment and we’ll chat :P Or better yet, just check out the WSUS FAQ and get on with the upgrade.

Upgrading to WSUS 3.0 Beta 2

2006-08-16T23:59:00.000-05:00

OK, this post is all about the WSUS upgrade experience. Before we go forward it’s important to reiterate the importance of only upgrading lab/test servers. Enough said.

In-Place Upgrades Fully Supported

Up to this point in the beta I’ve mainly focused my testing on clean installs. Granted, I’ve been looking at WSUS 3.0 builds for quite a while… and the time to test upgrades usually occurs around Beta 2. So – no time like the present.

Tonight I upgraded one of my test VMs from WSUS 2.0 SP1 (build 2.0.0.2620) to 3.0 Beta 2. Everything upgraded just fine – and I was pleasantly surprised that all my 2.0 settings were maintained. For instance, I never sync drivers (just a personal preference) and only specify certain product categories. The post-upgrade configuration wizard allows you to select these and many other options, as you can see in the screen shots below.

Furthermore, both upgrades and clean installs honor your preferred language settings – in my case English only. So far, so good.

Additional Upgrade Notes:

WSUS 3.0 uses the new SQL Server 2005 Embedded Edition (Windows) as its database engine. This is known internally as ‘wYukon’ – and you can think of it as the new and improved wMSDE. The existing 2.0 database is backed up in case something goes awry during the upgrade. I’m going to look into the recovery steps to make sure they match up with the ones for WSUS 2.0 SP1 (see Issue 7 in the SP1 Readme). More info on that piece in the near future.
The entire upgrade process took about 25 minutes on my virtual machine. Granted, this machine only had one client and a simple computer group design. However, I’m guessing a typical upgrade will run less than an hour. Keep in mind that the IIS services are restarted during upgrade… so if you’ve co-located WSUS with other web apps, those apps will bounce during upgrade. But hey, you’re doing this in a test lab, right?
Your computers and update approvals should come across just fine – be sure to bug this if yours don’t.
If you want to verify your clients are getting upgraded to Beta 2 code – take a look at %systemroot%\windowsupdate.log. Scroll toward the bottom and look for info about the version of wuauclt.exe on the system. Connecting to WSUS 3.0 Beta 2 will update your wuauclt.exe file (and others) to 7.0.5451.90.
Check out the WSUS 3.0 Photo Gallery for screen shots of my upgrade as well as the UI shots I posted Monday.

I highly recommend others test the in-place upgrade to identify any issues at this point in the dev cycle. My guess is that most WSUS admins will opt for in-place upgrades at RTM – so we want to work out all the issues now while there’s still time to fix ‘em. And don’t forget to log your bugs and suggestions on Connect. If you’re not much of a ‘bug basher’ at least vote on existing feedback entered by other testers. You’d be surprised how quickly Connect bugs/feedback make their way to the product group.

First Impressions: WSUS 3.0 Beta 2

2006-08-14T23:40:00.000-05:00

Welcome to the first post in a series on WSUS 3.0 Beta 2. Throughout the week I’ll highlight new features in WSUS 3.0, and also share some of my experience working with the product up to this point.

First Impressions:

Not counting installation, the first change you’ll notice in WSUS 3.0 is the shift from a web-based interface to one built on top of the Microsoft Management Console (MMC). In addition to bringing the product in line with other Microsoft products, the MMC enables some rich functionality. For instance, many objects in the MMC hierarchy have useful home pages with relevant status and reporting information. Here’s a screen shot of the top-level WSUS home page showing the status of my lab server ‘WSUS3’.

Moreover, you can right-click almost anywhere in the UI and find all kinds of useful tools. A perfect example is the ability to add/remove columns from the Updates list. In WSUS 2.0 you were limited to a hard-coded set of columns (Title, Classification, Release Date, and Approval). But what if you wanted to group items by MSRC Severity, or sort them by KB Article Number? These scenarios and more are possible with WSUS 3.0. Take a look at these customized Updates views and see for yourself.

Updates Sorted by MSRC Number

Updates Grouped by Classification

Hey, this ain’t your father’s WSUS. And we’re not talking about superfluous changes just for the sake of ‘oohs and ahhs’ (sorry Vista team). The new UI will improve your productivity right out of the gate. Like Office 2007, it may take some getting used to – but in the end it’s a huge win for WSUS admins. Bravo WSUS team!

‘Big Ticket’ Items:

Several other WSUS 3.0 features are worth mentioning in this initial post. We’ll delve into some of them in more detail later this week.

‘WSUS Reporters’ Delegated Administration: A frequent request from medium and large organizations is the ability to provide users with view-only access to WSUS reports. This is often required for internal and external auditors. However, up to this point WSUS reporting was an all or nothing proposition. If you could run reports, you could just as easily approve updates or delete entire computer groups. Not exactly an optimal solution. WSUS 3.0 solves this problem with the addition of a ‘WSUS Reporters’ security group, which restricts group members to reporting functionality only. While this is a step in the right direction, many of you have been asking for an even more robust delegated admin model. Unfortunately delegated reporting is as far as the product team decided to go in v3. But hey, its free… and there’s always room for improvement in v4.
Clients in Multiple Target Groups: WSUS 2.0 targeting was limited in the sense that a computer could only belong to one group. Furthermore, there was no nesting hierarchy, which resulted in a long list of computer groups for some large WSUS deployments. Both issues have been addressed in WSUS 3.0. Computers can now belong to more than one group (e.g. Test PCs & Prod PCs) and admins can create a logical computer group hierarchy to match their testing and deployment needs.
Reporting Improvements: It’s almost not fair to call the reporting changes ‘improvements’. We’re talking about a complete overhaul. The WSUS product group decided to scrap the current reporting infrastructure and instead take advantage of the Visual Studio Report Viewer. In addition to a much friendlier and customizable UI, the new report viewer offers something many WSUS administrators have long clamored for – the ability to export report data to either PDF or Excel formats. That should make the CxO-types happy!
Simplified Configuration: All the new functionality in WSUS 3.0 is worthless if the out-of-the-box experience (OOBE) stinks. Once again the team has done everything but reach through the computer and set it up for you. And for once, the WSUS OOBE Wizard is one that I can actually live with (unlike many others that raise my blood pressure). For instance, the WSUS OOBE ensures that you get the right update languages, the right products and update classifications, and even sets up an initial synchronization schedule. Obviously you can go back and change these settings at any time – but having a fairly intelligent UI wrapper around the initial setup process should cut down on support calls and ensure a positive end-user experience.

Prerequisites:

Unlike its predecessor, WSUS 3.0 cannot be installed on Windows 2000 Server. This doesn’t mean it won’t deliver updates to Windows 2000 machines – just that the WSUS server itself must run Windows Server 2003 SP1. I’m guessing this prerequisite will upset a few of you, and I can understand your situation. Not everyone has budget for software upgrades right now… but then again we aren’t looking at public availability until sometime next year anyway. So now would be an excellent time to put in a few grand for a new server and a copy of Windows Server 2003.

Make sure to peruse the WSUS 3.0 Readme for a full list of prerequisites and known issues. And don’t forget this is still beta software. Even though I’ve given the product mostly praise in this post, there are still a few loose ends that need to be ironed out before RTM. I recommend limiting WSUS 3.0 deployments to the test lab, or possibly a limited pilot deployment within your IT department. Please don’t unleash this on your end-user population quite yet ;)

What’s Next?

Stay tuned to WindowsConnected for more information on WSUS 3.0 Beta 2. And if you’re one of those ‘picture is worth a thousand words’ people, don’t forget to visit the screen shot gallery.

WSUS 3.0 Beta 2 Available on Connect

2006-08-14T13:03:00.000-05:00

Windows Server Update Services (WSUS) 3.0 Beta 2 is now available on Microsoft’s Connect web site. I’ve posted some screen shots in the WSUS 3.0 Gallery – and will upload my initial review later tonight.

Here’s Microsoft’s take on the WSUS 3.0 Beta 2 release:

Microsoft Windows Server Update Services (WSUS) 3.0 Beta 2 delivers new features that enable administrators to more easily manage and deploy updates across the organization. WSUS 3.0 Beta 2 benefits include a new MMC-based user interface with advanced filtering and reporting, improved performance and reliability, branch office optimizations and reporting rollup, and a Microsoft Operations Manager management pack.

Stay tuned to WindowsConnected throughout the week for more info on WSUS 3.0.

Register Now for WSUS 3.0 Beta 2

2006-08-14T00:16:00.000-05:00

The next release of WSUS (referred to as v3.0) will hit the Beta 2 milestone VERY soon ;) Make sure to get your hands on it by going to this link on Connect. WSUS 3.0 Beta 2 isn’t intended to replace your existing WSUS production servers just yet – so plan on a limited test deployment for the time being. That said, I’ve had the pleasure of working with 3.0 for quite a while now – and the team has done an excellent job of ensuring core functionality… as well as adding a lot of cool new features.

More WSUS 3.0 info COMING SOON!

It's Vista, not Veesta

2006-08-04T09:37:00.000-05:00

Funny story – I’m in the waiting room at the car dealership this morning catching up on e-mail. CNN Headline news is on in the background. Robin Meade starts into a story about Microsoft unleashing Vista on a group of black hat hackers… then refers to the upcoming release as ‘Veesta’ instead of Vista. I just about spit out my coffee. Thanks for the laugh, Robin.

IE 7 Pushed as High-Priority Update

2006-07-26T14:26:00.000-05:00

I’ve already had a couple inquiries about today’s IE 7 distribution announcement. Their concern is specifically around how to block IE 7 upgrades in a managed environment. Apparently Microsoft anticipated this level of concern, and they’ve posted an FAQ for your viewing pleasure.

Bottom line: Customers will have more ways to block IE 7 than they can shake a stick at… including SMS, WSUS, Group Policy, and a dedicated blocking tool.

One cool thing you’ll notice in the FAQ is that installing the blocking tool today won’t prevent you from being able to distribute IE 7 at a future date using WSUS or SMS – or by manually installing it from Windows/Microsoft Update. All the blocking tool does is prevent the unmanaged Automatic Updates service from downloading/installing IE 7.

Life Needs a 'Best Practices Analyzer'

2006-07-25T15:47:00.000-05:00

Wouldn’t it be nice if you could sit down at your computer, answer a few simple questions, and then be given a set of instructions for fixing/improving your life? Heck, the only thing better than that would be an ‘undo’ button for those little mistakes we all make. But alas, we’ll have to wait a few more years for the geniuses at Google to come out with those services (in perpetual beta, I’m sure).

All joking aside, Microsoft has some excellent tools to offer in its growing suite of Best Practices Analyzers (BPAs). As of today there are 4 separate BPAs:

Exchange Server BPA: This is by far the most robust of all Microsoft BPAs. In fact, other Microsoft product groups are so enamored with the Exchange BPA that they are writing their own rule-sets to tie into the Exchange BPA engine.
SQL Server BPA: Unless I’m mistaken (and believe me, you all will let me know if I am) the SQL Server BPA was the first BPA released by Microsoft. While not as polished or current as the Exchange BPA, the SQL BPA has still come in handy on customer engagements to find config/security issues w/ SQL Server 2000.
ISA Server BPA: Microsoft released a new ISA Server BPA build today, which is what prompted me to write this post. If you’ve ever run the Exchange BPA – this one will look very familiar. Remember what I said about other product groups using the Exchange BPA engine? The ISA Server BPA is a perfect example. Like the SQL and Exchange BPAs, I’ve found this one very helpful in identifying issues, as well as documenting the current state of a customer’s environment before making changes.
BizTalk Server 2006 BPA: I’m not a BizTalk guy, so I’ve never needed to use the BizTalk BPA . However, no post about BPAs would be complete without it… so there you go.

One last thing – if you’re a Microsoft Operations Manager guru, you want to check out the Exchange BPA Management Pack (MP) for MOM 2005. This MP essentially deploys the Exchange BPA to your Exchange servers and then executes a BPA scan on a pre-defined schedule. It’s even smart enough to fire MOM alerts if something looks out of the ordinary.

If you have any BPA feedback (good/bad/ugly), please post a comment for the benefit of the community. And keep your eyes peeled for more BPAs in the near future.

Exchange '07 In Production - Don't Even Think About It

2006-07-24T09:15:00.000-05:00

Exchange 2007 Beta 2 drops today, and I know some of you are very excited. However, please save yourself a lot of time/money and don’t introduce Beta 2 into your production environment. This means no in-place upgrades and no new server installs that join your existing organization.

The only way to test Beta 2 in a ‘live’ environment is to deploy a separate AD Forest and create the necessary trusts and connectors. See the Exchange Server 2003 Release Notes for more information on deploying Exchange 2007 Beta 2 in a separate forest (specifically the section Cross-Forest Connectors: Exchange 2007 to Exchange 2003).

I’ll post more on this topic as soon as I get the code implemented in my test lab. Stay tuned…

Hmmm... Should I Patch My ATM Machines?

2006-07-18T22:03:00.000-05:00

I subscribe to quite a few RSS feeds and mailing lists… but the following thread on Shavlik’s Patch Management list really takes the cake. Be afraid – be very afraid:

Post Subject: Patch Management for Automated Teller Machines (ATM)

Hi All,

The company that I work with will be rolling out ATM's with WinXP Operating system. These ATM's will be connected to our Backend system thru TCP/IP. I am just wondering how members of this list from the Banking Industry deploy patches to these ATM's.

Do you employ automated patch deployment using WSUS, BigFix, Shavlik, Patchlink etc...? Or do you do manual deployment of patches? Or do you apply patch at all?

Is hardening the OS and limiting the ports open will suffice not to install patches?

I ask this because during deployment of patches there will be downtime which may affect the business. On the other hand if the ATM is infected with a virus due to absence of a patch this will also affect the business.

I hope that you can help me on this. Thanks in advance for your replies.

** Name withheld to protect this guy (and his employer)

…And an Interesting Reply

I'm in the banking field. We have 11 new ATMs that run XP... Our first concern was patching. We were told by the service provider that we were responsible for patching, but that if we "broke" something in the process that they wouldn't fix the ATM. So if a patch causes an incompatibility with the ATM software we would have to fix it ourselves.

What's our approach? We don't have one yet.

** Name withheld

…Finally, a Voice of Reason

For Diebold Automated Teller Machines we test all announced MS patches and post advisories on our Diebold Customer Internet Support (DCIS) site.

Diebold Customer Internet Support (DCIS) is a system designed by Diebold to keep you current on software updates for Microsoft Windows(r) operating systems deployed on your Diebold ATMs.

This valuable system provides:

Custom user profile to view Windows software updates specifically for your deployed Diebold ATMs
Microsoft bulletin link for each Windows software update
Direct link to the Windows software download sites
Downloads Windows software update tracking
Secure customer administrator access and option to add 4 additional customer users to access DCIS

This service is available to all Diebold customers with a current service contract free of charge. You can register at the following site https://patchaccess.diebold.com/DCIS/DCISLogon.asp

Donn Bohn
Diebold Global Software and Services

Jeff’s Thoughts

ATM machines shouldn’t run XP (sorry, Microsoft). Seriously, when XP launched it was all about the ‘eXPerience’. What kind of ‘eXPerience’ do you need on an ATM? I get frustrated enough when people decide to use the ATM for all their banking (deposits, stamps, etc.) while I’m just wanting a quick cash fix. I can’t even imagine waiting in line behind some customer watching streaming video, or synchronizing their iPod. :P
Regardless of what OS is being used on said ATMs – your IT security policy must include patch management. Yes, that includes you too Mr. Linux Zealot.
If your vendor isn’t supportive of security best practices, spend your money elsewhere. Otherwise, your customers will!

Be Careful with WSUS SP1

2006-06-21T23:55:00.000-05:00

While most users have been unaffected by the upgrade to WSUS SP1, there are a number of scenarios where problems may occur. Microsoft just released an updated WSUS SP1 Readme file that details all current known issues. I’ve seen a couple of these first hand, and helped others with them via the WSUS public newsgroup. I even had a guy approach me at Tech-Ed with a failed upgrade (he renamed his server after installing WSUS, but before upgrading to SP1).

Even though WSUS SP1 is a ‘true’ service pack (meaning no new features) it’s still wise to look before you leap. If you find any additional issues with WSUS SP1, please post them to the public newsgroup ‘microsoft.public.windows.server.update_services’ and the product team and MVPs will do our best to help.

Finally... Cisco VPN Client for Vista Beta 2

2006-06-15T15:24:00.000-05:00

After months/years of waiting, Cisco has finally published a Vista-compatible VPN client. The version number is 4.8.01.0410, and the download is approximately 11MB. I haven’t had a chance to install and test this yet since I’m on my way to another Tech-Ed 2006 session. However, I wanted to get the info out to the community as soon as possible. I’ll post some screen shots and a brief review as soon as possible.

Note: You need a valid Cisco CCO login to access the VPN client software. However, there are no specific requirements to be on Cisco’s beta program or anything. The Vista VPN client appears at the top of the list of Windows VPN client downloads.

Update: The new VPN client works like a champ under Vista Beta 2. Check my photo gallery for screen shots of the install and runtime experience.

Update 2: I've had several requests, but unfortunately I can't share this software via e-mail or any other mechanism. Thanks for understanding.

Ready or not - Here's the June IE Security Update

2006-06-13T13:07:00.000-05:00

In a previous blog post I discussed the April IE security update and its ramifications for Siebel and other 3rd party applications. Well, the 60–day reprieve patch originally offered to mitigate these issues is no longer valid once you install MS06–021 (released today). I’ve heard rumors that some large Microsoft customers have access to a custom hotfix that extends the 60–day reprieve. Unfortunately I can’t verify this information – so please contact your PSS TAM or Microsoft Account Rep regarding this patch if you haven’t already.

For what it’s worth, my own company recently updated our Siebel servers to be compatible with the IE ActiveX changes (Siebel update number 7.7.2.6 MR). There are many other versions of Siebel out there (7.0, 7.5, 7.8, etc.) so your mileage may vary.

Note: While you’re patching MS06–021, be sure to install MS06–023 as well. It’s important to apply both updates, otherwise IE is still vulnerable.

Happy Patching!

SMS 2003 R2 Released to Manufacturing

2006-06-12T15:09:00.000-05:00

It appears that Systems Management Server 2003 R2 has released to manufacturing. Continuing the ‘R2’ strategy, SMS 2003 R2 adds functionality on top of an existing product in an evolutionary way (unlike revolutionary upgrades, such as the eventual upgrade from SMS 2003 to System Center Configuration Manager 2007).

Here’s a brief overview of the new features in this release:

Inventory Tool for Custom Updates – Allows you to scan for and deploy 3rd party software updates.
Scan Tool for Vulnerability Assessment – Uses the MBSA 2.0 engine to scan for common misconfiguration scenarios, such as a blank administrator password.

Find out more about the SMS 2003 R2 update, and register for the free download here.

Badges... We Don't Need No Stinkin Badges

2006-06-12T08:05:00.000-05:00

Trying to make sense of ‘who’s who’ at Tech-Ed? Here’s a tip – check their badge color:

Blue – Staff (Both Microsoft and External Vendors)
Black – Crew (sort of an ‘Uber-Staff’ badge – don’t mess with these people)
Green – Attendee
Grey – Trade Show Only
Orange – Exhibitor
Purple – Tech-Ed Sponsor and Exhibitor Booth Staff
Red – Media/Analyst
Yellow – Speaker

TechEd 2006 Keynote & Virtual TechEd

2006-06-11T16:37:00.000-05:00

We’re here at TechEd 2006 in Boston waiting for the keynote to begin. If you’re not able to watch it in person – check out the following web streams:

View at your preferred bit rate:

In addition to the above keynote links, Microsoft is making other streaming content available throughout the week. Check out the TechEd 2006 Webcast Series page where you can find 100+ live and pre-recorded sessions.

One more thing before I sign off – Microsoft has posted a site called Virtual TechEd with all kinds of useful blog links. Enjoy!

WSUS SP1 Released to the Web

2006-05-31T18:43:00.000-05:00

WSUS SP1 is finally available. Here are the links… scroll down further for the highlights of this release:

Download Packages:

Full Install & Update Package in One File - 160MB
SP1 Update Only – Coming Soon Via WSUS Content Sync

Documentation:

Preview of What's New in WSUS SP1:
WSUS SP1 is a service pack release that improves the security, reliability, scalability, compatibility, and performance of WSUS.

These are the new features and improvements:

Windows Vista client support: Computers running Windows Vista can be updated by WSUS SP1 Server.
More client language support: Support for all Office and Windows Vista languages.
New version of WMSDE: The WMSDE instance will be upgraded to WMSDE SP4 by WSUS SP1 (WSUS RTM uses WMSDE SP3).
Performance improvements: WSUS SP1 includes various performance improvements to accelerate user interface response times.
All hotfixes: WSUS SP1 includes all changes and hotfixes that have been released since WSUS RTM.
Support for SQL Server 2005

Enjoy! Report any issues to the WSUS public newsgroup (microsoft.public.windows.server.update_services) or your Microsoft support rep.

What Symantec Could Learn from Microsoft

2006-05-29T14:15:00.000-05:00

People can joke all they want about the number and severity of Microsoft security vulnerabilities, but all this practice has enabled them to develop an excellent security response system.

Symantec should take note. Their most recent security vulnerability (SYM06-010) has spawned a confusing array of maintenance and point patches. Initial media reports claimed that only version 10.1 was affected. However, after reviewing the most recent Symantec e-mail bulletin it appears that version 10.0 is affected as well.

In Symantec’s defense, the vulnerability information page for SYM06–010 is fairly well laid out. In fact, I like that I don’t need to expand a nested hierarchy to get the information I’m looking for. See Microsoft security bulletin MS06–018 as an example. Scroll down to the General Information section… why should I have to click so many ‘+’ symbols? At least give me an expand all option or something.

Oh, and this guys post is classic. According to him, now that a patch is released there’s nothing to worry about. Here’s his quote:

“The issues of remote code execution have been resolved now, thanks to the fix which means that the products are no longer vulnerable to a stack overflow”

Please move along… nothing to see here. What a joke. How many people spent their holiday weekend patching Symantec products? Not very many, I’m sure. This issue will continue to dog Symantec for many weeks to come. I sincerely hope we don’t see any widespread attacks as a result of this vulnerability. Anyway, it’s too bad we have a double-standard when it comes to reporting security issues.

Here is a list of things I’d like to see from Symantec:

Simplify the servicing of your software. Not everyone understands the difference between maintenance releases, point releases, etc.
Offer an RSS feed of Symantec product vulnerabilities (including Veritas and other recent acquisitions). The Symantec Security Response page would be a good place to locate such a feed.
Provide a security bulletin search tool similar to the Microsoft one found here. Let me choose my product version, my OS, etc. and show all applicable updates.

What do you think? If you’re a Symantec customer, how did you learn about the SYM06–010 vulnerability? What about vulnerabilities 001 through 009?

Get Ready for WSUS SP1 and Vista Updates

2006-05-27T00:06:00.000-05:00

WSUS SP1 is right around the corner, and so is the ability to have your Vista Beta 2+ clients sync updates from WSUS. Check out this link for information on how to point your WSUS SP1 server to an alternate update stream so you get Vista updates.

Basically it breaks down like this…

At the command prompt type:

cscript.exe "%programfiles%\update services\tools\ToggleMUUrl.vbs" beta

This enables your WSUS box to sync with a special version of Microsoft Updates that includes Vista patches. To revert back to the normal update stream, type the following command:

cscript.exe "%programfiles%\update services\tools\ToggleMUUrl.vbs"

Stay tuned to the WSUS Team Blog and this site for an announcement on SP1 availability.

Be Careful with Groove 2007 Upgrade

2006-05-26T12:57:00.000-05:00

I’ve been a Groove user ever since Microsoft acquired the company last year. I primarily use Groove for folder synchronization and a couple small collaboration workspaces. With Groove 2007 finally hitting Beta 2 I decided it was time to upgrade from Groove 3.1. I held off until now based on my testing of Groove 2007 Beta 1 and Beta 1 TR (those still seemed a little rough around the edges).

Here are a couple things to keep in mind as you evaluate migrating to Groove 2007 Beta 2, or installing it for the first time:

Folder synchronization has been locked down for your own protection… and there’s no way to change it. For example, in Groove 3.1 I could set up folder synchronization between my laptop and desktop PCs and sync just about any file I wanted. Now, with Groove 2007 Beta 2 there are some new limitations. It’s not that these limitations are new – just that they’re forced down our throats with no way to change them. Here’s a screen shot of the file types you won’t be able to sync in Groove 2007 Beta 2 (click image to zoom).

Note: The blocked file types window above has a scroll bar – so you can’t see all the file types. Here is a complete list:

*.ade, *.adp, *.app, *.asp, *.bas, *.bat, *.cer, *.chm, *.cmd, *.com, *.cpl, *.crt, *.csh, *.der, *.exe, *.fxp, *.hlp, *.hta, *.inf, *.ins, *isp, *.its, *.js, *.jse, *.ksh, *.lnk, *.mad, *.maf, *.mag, *.mam, *.maq, *.mar, *.mas, *.mat, *.mau, *.mav, *.maw, *.mda, *.mdb, *.mde, *.mdt, *.mdw, *.mdz, *.msc, *.msh, *.msh1, *.msh2, *.msh1xml, *.msh2xml, *.mshxml, *.msi, *.msp, *.mst, *.ops, *.pcd, *.pif, *.plg, *.prf, *.prg, *.pst, *.reg, *.scf, *.scr, *.sct, *.shb, *.shs, *.tmp, *.url, *.vb, *.vbe, *.vbs, *.vsmacros, *.vsw, *.ws, *.wsc, *.wsf, *.wsh

In my testing I’ve noticed some problems upgrading existing workspaces from 3.1 to 2007. This is supposed to be supported in this build, but it’s been hit/miss for me so far.
Speaking of upgrades – keep in mind that anyone or any PC you are synchronizing files/workspaces with will need to upgrade to Groove 2007 within 60 days of the first upgraded client. In other words, don’t go upgrading your 3.1 corporate workspaces unless you know everyone else will also be upgrading to Groove 2007. To quote the movie PCU, “Don’t be that guy”.

At the root of the file blocking issue described above is the fact that all stand-alone Groove 2007 beta testers are essentially ‘managed’ by Microsoft enterprise policies at the moment. If you were to download and install your own Groove Server infrastructure you could specify the approved/blocked extensions yourself. However, don’t take this lightly – setting up a Groove Server environment of your own is no small task.

SQL Server 2005 SP1 via WSUS

2006-05-19T14:42:00.000-05:00

Attention WSUS Admins: SQL 2005 SP1 will be available via WSUS starting next week – 5/23 to be exact. The WSUS version of SP1 won’t patch the Express version of SQL 2005, just the Server SKUs. This marks the first time a SQL service pack will be available via WSUS. Good work Microsoft!

Here are a couple important links where you can find more about this upcoming release, and all other WSUS-supported updates.

Happy patching!

Another Terrorist Casualty: Blue Security

2006-05-19T14:29:00.000-05:00

Just finished lunch and was browsing my RSS feeds. I ran across the following article on Slashdot (amazingly – the article itself hasn’t been ‘Slashdotted’ as of 1:00pm my time):

Blue Security Kicked While It’s Down

If that doesn’t scare your pants off, please seek medical attention immediately.

But seriously… this IS scary stuff – and it isn’t the first time a piece of ‘critical infrastructure’ has been attacked by terrorists. I sincerely hope the National Strategy to Secure Cyberspace is more than just politics, or else it’s only a matter of time before we see a September 11th type attack that does more than take out Blue Security and a few innocent bystanders.

So, aside from ranting – what can we do? For starters we can educate those around us on how to secure their home/work PCs. I blogged about this back in Dec. 2004, and continue to spend a few hours now and then making sure my friends/family have all the latest patches and up-to-date security software. It might not seem like much, but if all of us ‘geeks’ secured 10 to 15 home PCs – that’s a lot less bots for the bad guys to use as ‘technology IEDs’.

On the work side there’s a lot we can do as well. Since I’m a Microsoft-focused guy… here’s a link to the Ten Principals of Microsoft Patch Management. And patch management isn’t just a Microsoft issue – last time I checked there were some nasty OS X, QuickTime, and Java, vulnerabilities that needed patching too. Patching is only part of the solution… but that’s a topic for another post.

Have a nice weekend.

Playing Catch-Up

2006-05-10T22:32:00.000-05:00

Things have been a little busier than normal lately. I just wrapped up a 3200 user e-mail migration for a local client (Sendmail to Exchange). I’ve also been working on a new room addition for our house. Add to that the normal grass mowing, car maintenance, time with my wife and daughter… and needless to say blogging has been at the bottom of the list. So, consider this the first in a series of ‘catch-up’ posts.

US Legislation Regarding the Internet

In my opinion, government involvement in technology and the Internet (short of its creation) isn’t a good thing. Think back to the Telecom Act of 1996 if you need a history lesson. That didn’t exactly turn out in favor of us consumers, did it?

Fast-forward to 2006 and check out the info on H. R. 5252 – also known as the Communications Opportunity, Promotion, and Enhancement Act of 2006. Smells dirty already, huh?!?! Anyway, this is all about controlling access to the Internet – specifically prioritization of traffic. The big boys like AT&T and Verizon (remember – the companies created by the Telecom Act of ‘96) aren’t too keen about people like Vonage using the Internet to bypass their bread and butter circuit-switched business. This is only one area addressed by the bill, so take a look and make sure to contact your representative (House, Senate) if you disagree with this legislation like I do.

Vista Performance Rating

If you’ve played with any of the Vista betas you may have seen a Performance Rating. My laptop scores somewhere between 2 and 4 depending on the component. I found a good article on MSDN that describes how the ratings are generated. Should be interesting to see how this shakes out over time.

Windows PowerShell (a.k.a. Monad)

I’ve been forcing myself to learn PowerShell lately. The reason I’m enduring this pain is because Microsoft is basing many of their upcoming server applications on PowerShell. Exchange 2007 will be the first, followed by SMSv4 and MOMv3. If you haven’t taken a look at PowerShell yet, now is the time. I think the idea of parity between the command-line and the GUI is a good thing… but for some reason I’m having a hard time digesting the PowerShell language/syntax. Someone sent me a cool Matrix-looking PowerShell script – and it took me 10 minutes to figure out how to run it. How sad is that :P I’ll post more about my newbie PowerShell adventures in a future blog post.

Lots of New Exchange Tools

2006-04-05T22:55:00.000-05:00

Looks like the Exchange team has been busy lately. Here’s a list of new/updated downloads that appeared today:

Exchange Server Profile Analyzer: Collects statistics on server usage for capacity planning, health monitoring, etc.
Application Analyzer 2006 for Lotus Domino: Reports on your currently deployed Lotus Domino-based applications with the purpose of helping you plan a migration to Exchange/SharePoint
Exchange Server Best Practices Analyzer 2.6: This is a new version of my favorite Exchange tool. Read more about all the exciting new and improved features on the EHLO Blog.
Exchange Server Performance Troubleshooting Analyzer: Not to be confused with the Profile Analyzer, this tool is all about diagnosing performance problems on production systems. Hopefully you won’t need this little gem (because you load test and over-build before going live, right?!?!)… but if you do, it can be a life saver.

I’ll give the new ExBPA a try tomorrow. I’m currently building a 4000+ mailbox FE/BE Exchange 2003 environment for a client here in KC. We’ve got clusters, SAN connections, antivirus, and all kinds of other goodies for ExBPA to report on. More info soon…

Microsoft Sets Virtual Server Free

2006-04-03T12:52:00.000-05:00

In a not-so-unexpected move, Microsoft announced today that Virtual Server 2005 R2 is now available for free download. The only “catch” is that you must register using your Passport to gain access to the download. But seriously, if you’re interested in Virtual Server, something as simple as Passport registration won’t stand in your way.

Note: On my first visit to the download page (following registration) I couldn’t find the download links. I’m used to them appearing right at the top, or in some cases toward the bottom in a table. To increase uptake of this download, Microsoft decided to hide the links in the middle of the page :P In fact, if you click the “Download Files Below” link you will be taken to the end of the web page – with no sign of the actual binaries. Simply scroll up a little bit and you’ll see the download links in the “Instructions” section. Sheesh!

The 32–bit download is 28.4MB, while the 64–bit edition weighs in at 31.1MB. And, by the way – these are both Virtual Server Enterprise Edition. This means you aren’t limited to just 4 processors as with the Standard Edition. Regardless, you’ll need a beefy 64–bit box to hit the hard-coded limit of 64 simultaneous VMs.

While this is an exciting development for many of us in the Microsoft world, I’m sure the VMware forums are already chock-full of VMware Server fans extolling the virtues of their product over Virtual Server. In some cases they might be correct. For instance, if you want 64–bit guest machines you should look at VMware Server. Also, if your guests need more than one virtual processor you should also consider VMware Server. However, realize that VMware Server is still in beta – and that you are complicating your support options if you run into problems. Unless you have a Premier Support agreement with Microsoft, a PSS engineer may require you to repro your VMware guest issue on physical hardware before providing support. Check this VMware-authored PDF for more info on the topic of Microsoft support.

Aside from the fact that Virtual Server is now free, two other things caught my eye.

Linux Additions for Virtual Server (available for Connect beta participants)
The fact that Microsoft made this announcement at LinuxWorld

Not sure there will be a lot of interest in the Linux Additions. My personal opinion is that most Linux Admins would balk at having their server virtualized atop a “Micro$oft” product. However, there may be some niche applications running on Linux at “Microsoft-friendly” shops where this kind of thing makes sense. Who knows… but if the global adoption of Virtual Server is only 5000 customers to-date, I’ll wager that about 5 of them will use these additions in production. The biggest benefit I see is the ability to use Virtual Server as a test environment for Linux… not production.

Mike Nash Hasn't Left the Building (Yet)

2006-03-31T00:39:00.000-06:00

It has been widely reported that Mike Nash is stepping down as Corporate Vice President of Microsoft’s Security Technology Unit. Heck, even Mike’s own bio on Microsoft.com speaks of his position in the past-tense. Well… to everyone’s surprise, Mike took center stage and posted to the MSRC blog yesterday regarding the upcoming IE update. At the end of his post Mike offered up his e-mail address for any feedback or questions. Given the fact that I’ve devoted most of my time over the last few weeks to the upcoming IE ActiveX changes, and the fact that I still had unanswered questions, I figured I’d drop him a line.

Guess what? He replied to my e-mail within a couple hours and answered all my questions! I guess he must have some extra time on his hands now that he’s a “short-timer” ;) But seriously – thanks Mike! I appreciate the prompt response and helpful information. Mike also gave me permission to share this info with the community.

Here’s the skinny on my questions, and Mike’s answers:

Question: What is the delivery mechanism for the 60–day “reprieve patch” that allows customers to keep IE ActiveX functionality as-is? Note: Mike refers to this as a compatibility patch.

Answer: The compatibility patch will be available to any customer who wants it from the download center. Customers that want it need to install it on top of the April security updates.

Question: Will the compatibility patch be available via WSUS or Microsoft/Windows Update?

Answer: No, it will be a manual download from the Download Center.

Additional Info from Mike: Once the compatibility patch is deployed, you will be able to disable it using a feature key. This will enable someone who deployed the compatibility patch to go to the new behavior even if they deployed the compatibility patch.

Note: What Mike doesn’t mention, but is documented elsewhere on Microsoft.com, is that the compatibility patch will be overwritten by the June IE Cumulative Rollup. So when he talks about disabling the compatibility patch with a feature key – he’s only referring to those customers who want to disable the compatibility patch during the 60–day window between April 11 and June Patch Tuesday.

So there you have it, folks. If you are paying special attention to the next IE rollup like I am, this should help you plan your deployment strategy. And if anyone out there is asking “why should I care?” – check out KB912945 for a list of applications that have issues with the new ActiveX behavior. The show-stopper for most people is Siebel. My current client relies on Siebel for day-to-day operations. As of today, Siebel still doesn’t have a patch for their ActiveX controls to make them compatible with the KB912945 update. They have promised a patch in the May/June timeframe, but that will be cutting it close (remember, we need time to test, test, test). Bottom line – if Microsoft hadn’t stepped up and offered the “reprieve patch”, 3.7 million Siebel customers would have had to choose between a crippled Siebel client, or a vulnerable browser. Not exactly a win-win situation. As it is now, we’ll all have 60 more days to hammer on our internal developers and 3rd party software providers to get compliant with the changes in KB912945. Siebel, are you listening?

Microsoft Client Protection - One Step Closer

2006-03-21T22:23:00.000-06:00

Those of you running Windows Server Update Services (WSUS) will notice a new product available on your synchronization options page tonight. Selecting this new product, called Microsoft Client Protection, provides update support for Microsoft’s upcoming corporate antivirus solution (Codename Jamaica). However, unless you’re involved with the Jamaica TAP or TechBeta this change will do you absolutely no good. In fact, it will only clutter your WSUS interface. So, instead of going through the trouble of enabling it just to get a peek – check out the screen shots here instead.

I’ll provide more updates on this new product as they become publicly available.

Mix06 IE Build Available for Download

2006-03-20T09:26:00.000-06:00

UPDATE: —The download is now live— Since Josh is out of town I guess it’s up to me to “break” some news for a change. The Mix06 IE build is now available for download (link). Well… almost. I downloaded a copy of the new build – but after looking more closely, it is actually the previous Beta 2 Preview. I’m guessing it’s just a matter of time until the new build propagates throughout the download server farm.

Here is a screen shot of the updated download page for any nay-sayers out there…

How to Provide Spyware & Virus Feedback to Microsoft

2006-03-19T18:16:00.000-06:00

Now that Microsoft is getting serious about the Spyware and Antivirus market, they have streamlined the way customers submit malicious code samples and detection feedback. If you run across some nasty code, or have a bad detection experience – here are the addresses to use:

avsubmit@submit.microsoft.com – (virus/worm/trojan/etc.)
windefend@submit.microsoft.com – (spyware samples)

If your submission is related to false positive or false negative detection, please indicate this in the subject line of your e-mail. Add the word “infected” if you’re submitting a .zip or .rar containing infected code.

Thanks to Randy Treit, Antimalware Team PM, for the information.

SharePoint: Easily Recover Deleted Documents

2006-03-19T17:57:00.000-06:00

I recently wrote an article for TechNet Magazine about SharePoint disaster recovery. The main theme of the article (link) is that without proper planning, and potentially some 3rd party software, you could be in for a nightmare if called upon to restore an individual document.

Today I stumbled across a new download from the guys over at MindSharp that provides the coveted “SharePoint Recycle Bin” functionality for exactly zero dollars (or euros, lira, etc. depending on your location). The only catch is that you need to subscribe to their Premium Content section to gain access to the download. And just in case you’re wondering – registration for the Premium Content section is free as well. Once you’ve set up an account you gain access to deployment guides, archived webcasts, and more – in addition to the aforementioned recovery tool. It doesn’t get any better than this!

I just finished downloading and deploying the MindSharp tool, officially named the Deleted Items Document Library. Installation took all of 60–seconds for a new document library. Installation into existing document libraries is a little more complicated… but it can also be done in minutes – not hours. Excellent step-by-step documentation is included in the .zip download, so you don’t even need to be a SharePoint guru to figure this stuff out.

Anyone running SharePoint Portal Server 2003 or Windows SharePoint Services should run, not walk, to the MindShare site to register for this excellent download. Many thanks to Todd Bleeker for his time spent writing and packaging this tool for all to use.

"Prettying-up" Perfmon

2006-02-16T22:57:00.000-06:00

I’ve always had a love/hate relationship with Windows Perfmon (or System Monitor if you prefer). On one hand it is an excellent tool for baseline performance analysis, and troubleshooting. But on the other hand the UI stinks and export options are severely limited. Seriously – have you ever tried to print out a Report view? Absolutely ridiculous.

While I can’t promise to solve all Perfmon’s issues with this post, I will tackle a couple big ticket items.

What’s up with the vertical lines?

Best-practices recommend grabbing statistics from a new system right after it enters production. This way you’ll have a known good baseline to refer back to in the future. Trust me – there’s nothing worse than trying to track down a performance issue with no frame of reference. Alright, enough preaching – back to the dreaded vertical lines.

Here is a screen shot of Perfmon displaying 8 hours worth of logged data.

Kind of an ugly picture with all the vertical lines, huh? Try the fix referenced in Microsoft KB article 283110 and you’ll get the following screen instead.

Now for the lack of commas

Another pet peeve of mine is the lack of commas in Perfmon’s report view. Not a big deal for some people, but when I’m looking at more than six digits in a row I get all cross-eyed. Here’s what I’m talking about.

No problem… just check out Microsoft KB article 300884 for another quick fix.

That’s all for now, folks. Hopefully after implementing these two tips your experience with Perfmon will be more love than hate.

Windows Defender Updates via WSUS

2006-02-14T12:34:00.000-06:00

Note: Check me out on WindowsConnected.com

I’m trying out a new collaborative blogging environment over at WindowsConnected.com. You can find my posts on the front page, and in Jeff’s Connected Corner. In the short-term I will post entries in both locations (Blogspot and WC)… although I may eventually phase out this blog if things work out well over there.

So – without further delay, here is the scoop on Windows Defender Updates via WSUS.

WSUS – Definition Updates for Windows Defender Beta 2

Those of you running WSUS should check your synchronization logs... you likely have a nice surprise.

The first Windows Defender Beta 2 definition update is now available. This 1.6MB download will bring your newly downloaded Windows Defender Beta 2 spyware definitions up-to-date (version 1.13.1272.4). If you don't see this download in your list of available updates, check your Options | Sync Options | Update Classifications for a category called Definition Updates. Check this guy and re-sync. That will get you on your way. Enjoy!

ISA Server 2004 SP2 - BITS Caching

2006-01-30T23:26:00.000-06:00

I was browsing the Microsoft Downloads page tonight and found an interesting little gem titled Providing Security for Corporate Resources at Microsoft by Using ISA Server 2004. This download is a Microsoft IT Showcase document, and it sheds some light on how Microsoft IT uses ISA Server 2004. However, the most important point of this document is that it provides some interesting information on ISA Server 2004 SP2. Being an MVP for Windows Server Update Services (WSUS), the info on BITS Caching caught my attention. Here is a quote from the aforementioned doc:

BITS Caching

Microsoft IT uses the BITS caching feature of ISA Server 2004 SP2 to reduce bandwidth and the number of individual downloads that are required to update client software on the corporate network. By using BITS caching, Microsoft IT has served over 70 percent of software update requests from the cache.

This is an interesting statistic, although it leaves me with several questions.

Are these strictly WSUS-delivered updates, or does this figure include SMS 2003 Advanced Client BITS downloads as well?
In what scenarios were the statistics gathered? Branch office? Telecommuter? Both?

Regardless – this is exciting new functionality for ISA Server 2004. Just be glad it’s coming in a Service Pack, and not an R2 release ;)

Identity Theft - Where Are Your Backup Tapes?

2006-01-18T13:15:00.000-06:00

I stumbled across some interesting information while doing “financial triage” for a friend recovering from a nasty divorce. The information comes from a company called ChoicePoint. You might remember ChoicePoint as one of several companies that reported identity disclosure incidents last year. One document on their privacy site really caught my attention. It’s a document detailing 144 instances of identity disclosure – some much worse than that of ChoicePoint.

After browsing through this PDF document you’ll quickly learn that hackers and lost backup tapes are the main sources of identity disclosure. So… do you know where your backup tapes are? And are your servers and workstations locked down tight? If you don’t feel 100% certain about either of these questions, take action now. Otherwise we might see your company on the 2006 Information Disclosure list.

WMF Ramblings and Other Stuff

2006-01-03T22:57:00.000-06:00

OK – not much time to blog tonight… but I did want to share a couple things. First, if you are interested in checking out Microsoft’s antivirus/backup/firewall solution – Windows OneCare – just browse on over to www.windowsonecare.com and click the Get the Beta link. I’ve been running OneCare for about 6 months now and am fairly impressed with it. Until December you had to be invited to participate, but now the beta is open to everyone… so go get it!

OneCare isn’t designed for business use – but rather for the casual home user (think your parents, college-age kids). OneCare does an excellent job of “dumbing-down” the technical jargon. Here is a screen shot of an alert I got tonight on my home Media Center PC re: the new WMF issue:

Excellent segue into my next topic – the WMF security exploit. In case you’re out of the loop you can read this Microsoft Security Advisory. For another take on the subject, you can read the SANS ISC blog. Make sure to pay special attention to the 3rd party fix. I can’t recommend you install this, but it does put some extra pressure on Microsoft to get us something sooner rather than later.

Finally – did everyone see the Sony rootkit settlement? Can’t believe this came to fruition. Check out the article in USA Today… and add up the dollars in your head. I’ll take a wild guess and say that someone is going to get fired over this. Well deserved, in my opinion. And for what it’s worth, I haven’t bought a Sony product since this story broke.

Until next time – stay safe, and avoid any Paris Hilton.wmf files, will ya?!!?

French Lessons and MOM 2005 SP1

2005-12-15T13:08:00.000-06:00

I’ve been looking for a way to run the MOM Operator Console Notifier along with the SP1 version of the MOM Operator Console. Unfortunately, the MOM 2005 Resource Kit (which contains the Notifier) hasn’t been updated to support SP1. Installing the Operator Console Notifier on top of an SP1 machine results in a lovely notice that your Operator Console is newer than expected – and the install bombs. What a bummer – the Operator Console Notifier is one of my favorite gadgets :-(

Fortunately, the two years of French I took back in High School really came in handy. After Googling for “operator console notifier” SP1 I found a helpful French MSDN blog related to this issue. In all seriousness, I didn’t really need to understand French to get the point of the article.

Navigate to HKLM\Software\Microsoft\MOM\2.0\Setup
Temporarily rename the registry value UIVersion to 5.0.2749.0
Install the Operator Console Notifier
Set the UIVersion value back to 5.0.2911.0
Enjoy!

Thank you – or should I say merci – Stephane.

BTW – Here is a screen shot of the Notifier app for those of you not familiar with it.

Update on Recent WSUS Changes

2005-12-12T12:34:00.000-06:00

I thought I’d circle back and update everyone on the recent WSUS changes covered on this blog.

New Products: WSUS now offers product updates for Small Business Server 2003. To date, two updates are available via WSUS for your SBS servers.
Not-So-New Products: The inclusion of Microsoft Codename Max is actually an error. Don’t expect to see any updates published for this beta product. In fact, the listing of Microsoft Codename Max in WSUS will be removed when WSUS SP1 ships sometime in 2006.
Exchange IMF Updates: While some of you may have noticed the appearance of an IMF update, you probably also noticed that you couldn’t deploy it to any of your servers. This update was only intended for a small group of beta testers, and should never have been released to the entire WSUS ecosystem. No worries – it should be expired from your WSUS systems by now. Feel free to find it and set its approval status to Declined if you want. We’ll eventually see this kind of update via WSUS, but not quite yet ;)

Stay tuned to this blog and the WSUS Wiki for more information as it becomes available.

More WSUS Updates

2005-12-07T15:21:00.000-06:00

For those of you running Exchange 2003, WSUS is now offering Exchange Intelligent Message Filter updates.

One thing I have yet to confirm is whether or not these updates are specific to Exchange 2003 SP2, or if they will also work/install on SP1 servers. As you probably know, Microsoft updated the IMF engine in Exchange 2003 SP2, and it now filters phishing messages in addition to SPAM.

Finally... Updated Virtual Server 2005 Additions

2005-12-05T23:04:00.000-06:00

Those of you not planning an upgrade to Virtual Server 2005 R2 anytime soon should check out the updated VM Additions just posted to the Microsoft download page. These VM Additions allow you to run Windows Server 2003 SP1 guests under the original version of Virtual Server 2005 without enduring a serious performance hit. I’m guessing most people who tried updating their Windows 2003 guests to SP1 already got these updated VM Additions from PSS… but just in case you’ve been waiting – go and get ‘em. No PSS call required ;)

New Products Appear in WSUS

2005-11-28T21:45:00.000-06:00

Two new products appeared in my WSUS Add/Remove Products list tonight. They might have been there for a couple days, but they are definitely new. Here is the screen shot for those of you who don’t know what I’m talking about (click to enlarge):

Up until this point WSUS was only capable of updating Exchange, SQL, Office, and multiple flavors of Windows. That is all about to change over the coming months… these two new products are just the tip of the iceberg.

FYI – there are no actual updates available for either Max or SBS. I forced a content sync after selecting the new products, but found no new updates. I suggest you check the Add/Remove Products list at least once a week to see what pops up. It’s interesting that Microsoft chose to include Max as one of the first additional WSUS product types. I doubt many people even know this product exists, and even fewer are clamoring for an automated way to update it ;) Regardless, forward progress on the WSUS front is a good thing. Stay tuned to this blog and the WSUS Wiki for more info on this and other WSUS topics.

New RSS Bandit Version Available

2005-11-28T12:47:00.000-06:00

Looks like the long wait is over… RSS Bandit 1.3.0.38 is finally available. If you aren’t familiar with RSS Bandit, or if you aren’t yet addicted to RSS – you need to download this software. Until this release I have had constant problems with disappearing toolbars and other random issues. I’m happy to report that after installing 1.3.0.38, these issues seem to be resolved. Enjoy!

Internet Explorer Zero-Day Exploit

2005-11-21T13:29:00.000-06:00

Updated as of 5:30pm Central Time

SANS broke a story this morning regarding a publicly available exploit for an unpatched Internet Explorer vulnerability. For those of you not hip to all the security lingo – a zero-day exploit breaks down like this:

Bad guy code is in the wild
Vendor patch is nowhere to be found

While SANS recommends using an alternate browser (not a bad idea for the casual surfer) some businesses rely on web sites and applications that are customized for Internet Explorer. Given this situation, what tangible things can you do to protect your IE users until a patch is released? Here is what I’ve found so far in my limited testing of the proof-of-concept code (click this PoC link at your own risk):

Mitigation: Disable Active Scripting in Internet Explorer’s Advanced Security Settings
Steps: Open IE… Tools… Security Tab… Highlight Internet Zone… Click Custom Level… Scroll down to Scripting section and disable Active Scripting
Ramifications: I implemented this setting on my own XP SP2 machine after posting this blog entry, and can honestly say I was surprised at how many sites malfunctioned – or failed completely. For instance, I spend a lot of time on various Microsoft sites that use Passport. Forget it – Passport requires Active Scripting. Bottom line – be careful about implementing this workaround without adequate testing.

Here is a screen shot of the Active Scripting setting for your enjoyment (click to enlarge):

Note: One thing to be aware of is the negative effect this setting may have on your web applications. An example is Outlook Web Access – which will not render at all with Active Scripting disabled. Here is a screen shot of OWA after making the changes above (click to enlarge):

An easy work-around (which you should replicate for all your internal and trusted partner sites) is to add the broken sites to your Trusted Sites list. This is accomplished in the same area where you set the option to disable Active Scripting… except this time you want to add a site to the Trusted Sites list. A picture is worth a thousand words – and I’m running short on time:

Finally, all these settings can be configured via Group Policy if you are in an Active Directory environment… or if you use another product like ZENWorks to push Group Policy to your clients. Here is one more screen shot for you – this is the location to visit if your clients are running XP SP2. Other OS GPOs will look different.

So, until you see a notice from Microsoft regarding their suggested work-arounds, you can use the procedures in this post to protect yourself from the proof-of-concept code. With the SANS Internet Storm Center at Yellow Alert, it is only a matter of time before we hear something from Microsoft. Keep an eye on the Microsoft Security Advisories page for an official announcement.

64-bit Craziness

2005-11-19T15:57:00.000-06:00

In case you haven’t heard, Microsoft recently announced a major 64–bit strategy shift. Check out this article from InfoWorld for all the details. Bottom line: Most upcoming server software in the 2007+ timeframe will be 64–bit only. Examples include Exchange 12 (might RTM in late 2006), Small Business Server “Codename Longhorn”, and Windows Server “Codename Centro” (think of Centro as SBS for mid-size companies).

Don’t get me wrong – I’m all for rapid adoption of new technology. You won’t find me recommending anything but the latest and greatest, except in situations where application compatibility or budget stand in the way. However, I think Microsoft’s x64 strategy jumps the gun by about 2 years. Here are my thoughts on the subject:

The mainstream 64–bit version Windows Server 2003 (x64 Edition, not Itanium) was launched in April, 2005. Additionally, most server hardware in early 2005 was 32–bit. If you consider that customers typically depreciate hardware on a 3–5 year schedule, this means 32–bit Windows servers will be prevalent until 2008 at the earliest, and 2010 at the latest.
While I always recommend a fresh install of any server OS or application, many customers still elect to perform in-place upgrades from one version to the next. For instance, I’ve completed numerous in-place upgrades from Windows 2000 to Windows Server 2003. Heck, one time I was even brought in to perform an in-place upgrade of an active-passive Exchange 2000 cluster to Exchange 2003 and Windows 2003. That might sound scary to some of you, but with good planning and testing I completed the upgrade without incident. In fact, we only had 10 minutes of end-user downtime during the entire upgrade. My point is this – the customer already owned the next version of Windows and Exchange thanks to Software Assurance, but they didn’t have budget for new hardware. Imagine the same scenario a couple years from now. In order to exercise their SA upgrade rights and migrate from Exchange 2003 to Exchange 12, the customer will most likely need to purchase new x64 hardware. Believe me, situations like this could place a serious damper on SA sales – or even worse, it might put customers in a situation where they think the upgrade is a no-brainer, and only later discover the additional upgrade costs. I imagine the Microsoft sales force is already thinking of these scenarios – but if they aren’t, this is something that could negatively affect their cash registers.
Speaking of Exchange 2003, let’s take a look at the Microsoft Support Lifecycle. Exchange 2003 will enter the Extended Support phase on 10/1/2008, while Windows 2003 will hit even earlier (7/1/2008). Assuming a conservative Exchange 12 launch date of Q1 2007, customers who deploy Exchange 2003 between now and then will have a short 18–month window after the Exchange 12 launch in which to to perform an OS rebuild, or purchase new x64 hardware. If customers delay any longer they will be out of mainstream support. This isn’t to say Extended Support is a bad thing – it just rubs some people the wrong way. So… given Exchange 12’s underlying OS and hardware requirements, I believe mainstream support for Exchange 2003 should be extended by 12 months at the very least. I’ll even go a step further. I think the Exchange team needs to reconsider their decision to make Exchange 12 x64 only.

OK – enough x64 ranting. I’m actually very excited about x64 Windows and other server applications, so don’t take this post out of context. Click the comments link below and let me know your thoughts on x64 and the new Microsoft strategy.

New Blog Tagline and Other Updates

2005-11-16T08:45:00.000-06:00

I liked the title of my recent post “So Much to Blog… So Little Time” enough to make it a permanent blog tagline (see the About section at the top of the right column). I’ll still be covering the same stuff – but hopefully visitors will get the idea if they haven’t seen a new post in over a week.

Playing XBOX 360 at Target

I went shopping at Target with my daughter last night and was surprised to see a newly minted XBOX 360 display in the electronics section. A couple Target employees were playing some D&D first-person game (don’t know the name) and asked if I wanted to play. My daughter was kind enough to wait patiently while I drooled all over myself at the new graphics capabilities and the new controller (which also rocks, btw). One employee confirmed the rumor that each store will only have 10 or 15 units to sell on opening day/night. I’m not planning to pick one up until sometime next year (hint, hint – I have a February birthday people). Anyway, just wanted to add to the 360 hype. This thing is going to rock!

New Search Software from Microsoft

This is an exciting time if you’re interested in the latest and greatest Microsoft technology. For instance, yesterday Microsoft released the new Windows Desktop Search tool. They also released an updated MSN Search Toolbar. Let me save you a little confusion and clarify the difference between these two products.

Windows Desktop Search (WDS) is a stand-alone search tool that replaces the Search Companion software built into Windows 2000 and XP (you know, the one with the annoying dog who asks you what you want to find). As such, it is only capable of searching the file system.
MSN Search Toolbar (which adds IE tabbed browsing, Outlook Searching, etc.) is now positioned as some sort of enhancement to WDS. Basically, if you want to be able to search Outlook you need more than just WDS.

My understanding is that Microsoft broke out the WDS component from the MSN Search Toolbar so corporate customers could deploy it without adding a toolbar, or anything MSN-related to their business PCs. Honestly I think this approach is confusing. Most Microsoft shops that will take the time to deploy WDS are probably also running Exchange/Outlook, which means they’ll need the MSN Search Toolbar anyway. The smart thing to do would have been to include Outlook search in WDS – and keep all the other MSN stuff (IE tabs, pop-up blocking, form-fill, etc.) in the MSN Search Toolbar. Heck, they could have gone a step further and just called it the MSN Toolbar again and left search solely in the hands of WDS. But, last time I checked I wasn’t involved in Microsoft product development or marketing – so they didn’t for my opinion ;)

Note: Both products are designed for manageability (via Group Policy .adm files) and ease of deployment/servicing (AD/SMS deployment, WSUS/MU patching). This is very cool – and will encourage deployment in large organizations who require these capabilities.

It's Patch Tuesday!

2005-11-08T12:16:00.000-06:00

Like the rest of you, I’m patiently waiting for Microsoft to announce their November patches. Based on the Advance Notification bulletin, we’ll only have one critical patch, and two other non-security (but still high-priority) updates. Only a little while longer until we know for sure.

Obviously not the “No Spin Zone”

I love it when business-types try to spin a huge failure into a “logical progression of their core competency” (or some other jargon like that). Check out this interview with Matthew Gilliat-Smith, CEO of First 4 Internet, regarding the Sony DRM saga. I got a kick out of his description of F4I’s rootkit as benign. According to my MSN Encarta dictionary, benign means:

kindly: as in a benign tumor
harmless: neutral or harmless in its effect or influence
favorable: mild or favorable in effect

The cobbled-together code that comprises F4I’s XCP copy protection is hardly benign. In fact, Sony’s own FAQ page has a list of known issues with their CDs – including one titled Player takes up a large percentage of CPU cycles. You’ll love the solution, which basically says “quit other applications so our rootkit can have more resources”. Oh, and while you’re there, make sure to look at the troubleshooting section which recommends that corporate users without local admin rights should contact their IT department to install the Sony/XCP rootkit. That’d be an interesting help desk call ;)

And you gotta love the blogosphere. I didn’t even have to drop $15 on a CD to conduct my own testing of this rootkit and the associated uninstall/unhide utility. Mark Russinovich quickly updated his blog with additional information – effectively answering all my questions and hopefully yours too.

Recommended Patch List

I hope to find time to update my recommended patch list today or tomorrow. I’ve fallen behind on this lately, but still feel that it is an important enough resource to maintain. I use the list myself during my day job as a consultant - and it only takes a few extra minutes to prop it for the 20 or so people who grab it each month. Stay tuned.

The Sony DRM/Rootkit Saga Continues

2005-11-03T06:54:00.000-06:00

I found an interesting and humorous post while scanning my RSS feeds this morning. Check out this link from Secunia re: the Sony rootkit debacle (if it isn’t a debacle yet, it will be soon). I especially like their proposed solution – “Use another product”. I’d like to suggest another one – “Write your Representative”.

While you’re at Secunia, I’d seriously consider adding their RSS feed to your feed viewer. They generate a lot of traffic, but it’s worth it to stay on top of emerging security threats. One interesting thing you’ll notice if you subscribe is the number of security issues affecting non-Microsoft products. Huh, I thought only Microsoft products had security problems?!?

UPDATE: Sony has a web site where you can request permission to uninstall their rootkit. Thanks, Sony – that’s very generous of you. I’d suggest giving them a piece of your mind via the feedback form.

UPDATE 2: Here are a couple new links. First, Sony’s FAQ site now links to a utility from their DRM provider First 4 Internet (F4I). This update (confusingly named Service Pack 2) supposedly removes the “component” from your system. I don’t know about you, but I live by the rule “fool me once, shame on you – fool me twice, shame on me”. I’d avoid this update like the plague. The only true cure for a rootkit'ed machine is a rebuild.

UPDATE 3: This ZDnet article leads me to believe the only thing the F4I patch does is unhide the DRM software, and not actually remove it. The article even mentions that the F4I “cleanup” utility will be included in DAT updates from all the major AV vendors. I don’t believe everything I read – so I think I’ll go buy one of these CDs and conduct my own research. This is a perfect time to fire up VMware Workstation and break some stuff ;)

So Much to Blog, So Little Time

2005-11-02T07:04:00.000-06:00

Anyone else’s life been nuts lately? Maybe it has something to do with the approaching holiday season… but needless to say, blogging has been low on the priority list.

Shameless Plug: My New TechNet Article Goes Live

My SharePoint DR article just went live on the web. The print version has been out for a little over a week – so you may have already noticed it if you are a loyal fan ;)

Anyway, the cool thing about this TechNet Magazine release is the availability of a .chm file download and a new RSS feed. You have to jump through a few hoops to get the .chm file to work with XP SP2, but hey – that’s the trade off between security and usability that we all balance on a daily basis.

Speaking of “Live” – Check out Microsoft Live

Google, are you listening? IT Industry, are you listening? Microsoft is at its best when it has serious competition… and Microsoft takes the Google threat seriously. Check out the Microsoft Live beta site ASAP for a preview of what I like to call “Google on steroids”.

Sit back for a minute and compare the new Live Mail to Gmail. I’ve been beta testing Live Mail for about 6 months now, and I can tell you it’s far superior to Gmail (which I also use, btw). Check out the new Safety Center. There’s no way Google could have pulled that off. There’s some serious code-slinging going on in Redmond. Personal note to South Korea and the EU: Please move along, there’s nothing to see here ;)

What’s Up with Sony and the Music Industry?

In my opinion the money/power-hungry governments of the world should divert a little attention away from Microsoft and toward Sony and the music industry. It recently came to light that Sony is embedding a rootkit (F-Secure link, Sysinternals link) in their audio CDs to thwart music pirates. Note to Sony: real music pirates aren’t going to be affected by this since they don’t buy CDs in the first place. Note to self: disable auto-play on CD-ROM drive, scan for rootkits, buy music from iTunes or MSN. Done.

Windows Vista and The Importance of Metadata

2005-10-02T21:50:00.000-05:00

I’ve been running Windows Vista on my production laptop for a couple weeks now. For those techies in the audience, I’m running build 5219 – the same build distributed to PDC attendees in early September. This build is somewhere between Beta 1 and Beta 2 quality, and runs fairly well considering where we are in the development cycle. I don’t recommend Vista for the average user; however, it has been quite educational for me as a consultant and general IT enthusiast. I even get the coveted “Aero Glass” interface thanks to LDDM drivers for the ATI video card in my HP nc8000 laptop. Truthfully, though – I often disable the Vista “eye-candy” in order to gain more performance.

Note: Aero Glass can be disabled by the pressing CTRL + SHIFT + F9.

While many blogs and industry journalists are focused on the look and feel of Vista, I’d rather highlight something that isn’t getting much attention – metadata. What is metadata, you might ask? Metadata is simply data that describes other data. For instance, when you write a Microsoft Word document you have the option to add metadata such as a subject, author, keywords, or other information. This metadata is saved with the document and is viewable by anyone with access to the file. Below is a screen shot of the Microsoft Word metadata entry screen. You may have seen this screen before and never thought twice about it. Vista is about to change all that.

In my opinion, a key advancement in Vista is the ease with which metadata is exposed to a user. For instance, the default Windows Explorer view of a user’s documents now includes a column listing document keywords. Here is a screen shot that shows the new interface and how easy it is to discover document metadata without the need for a right-click or any other action on the part of the user.

The interface element at the bottom of the Explorer window is called the preview pane, and it can be enabled or disabled based on your preference. However, before you go disabling it to save screen real-estate, understand that the preview pane provides an easy way to modify metadata. Simply left-click on the Keywords to change or add to them. The same thing goes for comments, project, and any other metadata field associated with the file in question.

While a well-structured metadata model can surely boost productivity and improve search results, I have some concerns about the average “knowledge worker” experience. For instance, there is no way to ensure that the keywords I choose to describe a document will be the same as another user. The keyword field is a free-form text entry box, not some kind of drop-down menu, or radio-button interface. This means I could describe a document by using the keyword AD, while another user might use Active Directory. One way around this is to create a robust document template structure, and require that users create new documents from templates with pre-populated metadata. This approach is a little draconian in my opinion – but I think it highlights the type of discussions that organizations need to have over the next few months/years. Finally, metadata isn’t only being consumed and displayed by Vista. SharePoint products also take advantage of metadata, and those products are shipping today. Let me know your thoughts about metadata using the comments link below.

New Office 12 User Interface

2005-10-01T19:17:00.000-05:00

I’m blogging from Redmond following the MVP Summit. While I can’t share much of what I’ve learned this week due to non-disclosure agreements, I will share some stuff that is already public (but that may be hard for the average person to find). The first thing I want to pass along is a link to a public blog with information on the new Office 12 User Interface (UI).

Jensen Harris: An Office User Interface Blog

I think it’s about time Office got a UI overhaul. I think I heard that the Office team asked customers what features they wanted in the next version, and something like 50% or more of their requests were for features that are already in Office. Basically, the UI has gotten so overwhelming that users aren’t getting the full value of their software. Office 12 will surely change that, and probably add some other goodies along the way. Keep an eye on Jensen’s blog for more information. Office 12 is expected to ship around the same time as Vista – likely in October of 2006.

Office 2003 SP2 Available Through WSUS

2005-09-29T00:09:00.000-05:00

Microsoft released Office 2003 SP2 yesterday, which should be old news to those of you who installed the Update Services Notification tool mentioned in an earlier blog post. SP2 is a very stable service pack that should be deployed to your Office 2003 clients as soon as possible. I was involved in the private beta of SP2, and can attest to its quality based on first-hand experience.

In typical Microsoft fashion, new features are bundled inside Office 2003 SP2. The most important addition is an anti-phishing filter in Outlook 2003 SP2. In order to enable this feature you must also install the newest Junkmail filter, which was released in tandem with SP2 (and also available via WSUS). After applying both SP2 and the updated Junkmail filter, potential phishing messages will simply end up in the junk mail folder along with traditional SPAM. If you dig into the Junk E-mail options inside Tools | Options you will notice a new check-box that you can use to enable or disable this new feature (it is enabled by default).

The other new feature that you may or may not notice is a new set of “presence” icons in all the Office applications. Instead of the “little blue man” icon, which is meant to represent a person – you will now simply see a colored circle. Nothing major – just something meant to unify Office with the new Office Communicator 2005 client interface.

Office 2003 Knowledge Gems

2005-09-12T22:42:00.000-05:00

I’ve been spending a lot of quality time with Office 2003 lately – mostly due to the fact that I am helping my current client upgrade their 800+ desktops from Office 2000. I will post a few blog entries over the next week or so and share some interesting knowledge gems from my deployment.

Corporate Error Reporting

If you purchase Software Assurance with your Microsoft Products, then you have access to Corporate Error Reporting (CER) 2.0. CER allows you to collect crash messages from your newly deployed Office 2003 clients, enabling you to spot problems early and provide a pro-active deployment experience. We are using CER to collect errors from our pilot deployment of approximately 20 Office 2003 Professional clients. Client PCs are configured using a special CER Group Policy template to forward crash messages to the internal CER server (instead of sending them directly to Microsoft). Once a sufficient number of crashes are logged in CER, the administrator can upload them in bulk to Microsoft for analysis. Microsoft usually responds quickly with potential fixes, if they exist.

Setting up CER is a snap, and testing it couldn’t be easier. CER is just a specially-permissioned shared folder on a network file server, along with a 32–bit GUI to scan and analyze the directory of uploaded crash messages. Office 2003 clients have an application called Microsoft Office Application Recovery that can manually create a crash condition to aide in testing your CER deployment. This is especially useful because to be honest – legitimate crashes don’t happen that often. To simulate a crash, simply launch an Office 2003 application, run Office Application Recovery (under Microsoft Office | Microsoft Office Tools | Microsoft Application Recovery) and select “End Application”. This will cause the application to terminate and then send the crash message to CER for analysis. Pretty cool stuff. And I’ve also discovered that CER isn’t limited to collecting crash information on Office 2003. It can also collect info on Media Player, Internet Explorer, and several other Microsoft products. If you are paying for Software Assurance – you should definitely check out CER to get more value out of your SA investment.

August Microsoft Patch Recommendations

2005-08-15T21:57:00.000-05:00

Whew! It has been a busy couple of weeks since my last post. On a personal note, our family decided we didn’t have enough chaos in the house – and that a dog was the perfect solution. Those of you with pets can probably appreciate the extra care and attention this new family member deserves. Aside from stuff on the home front, work has been nuts. I’m assisting a client with a large Novell to Microsoft migration project, playing both Project Manager and Architect. Fun times

Anyway – back to the topic of my post. I just uploaded my monthly Microsoft patch recommendations for August. For the first time in a long time there are more patches for servers than for workstations (based on my recommendations, at least). Take a look at the Excel version, or the HTML version if you prefer. And whatever you do, beware of non-firewalled Windows 2000 Professional systems – especially laptops and teleworker PCs. The Zotob worm is spreading (vulnerability mitigated by MS05–039).

Using Vista Beta 1 With VMware Workstation

2005-07-29T11:55:00.000-05:00

I found an excellent post in the VMware forums last night while trying to figure out how to get audio working inside a Vista Beta 1 guest. I contacted the author (forum name lpsi2000) and he gave me permission to re-post the steps here. Hopefully my blog will rank higher in the search engines than the original post in the VMware forums – thus getting this solution better exposure. Hey, it’s all about helping each other.

Create a New Virtual Machine
1. Memory 512MB
2. Hard Disk (IED 0:0) 20GB
3. CD-ROM (IDE 1:0) Pointing to the Vista Beta1 ISO Image
4. Ethernet 1 "Bridged" or “NAT” depending on your preference

Start the New Virtual Machine
1. Boot to the DVD to begin setup
2. When you get to the part where it asks to pick the disk, delete the existing partition.
3. Recreate the partition
4. Exit the install and reboot the VM
5. During the VM BIOS hit F2 then change the boot order to have the CD/DVD be the first boot device
6. Save and Exit the BIOS
7. When you get to the part where it ask to pick the disk again, highlight then choose format
8. Now select again then choose install
9. It will now start the installation process
10. After a couple of reboots (after the first reboot, please change VMware BIOS, the CD/DVD-ROM should now be the 3rd device) and 45 minutes later (depending on your host machine), the install will be done .
11. You are now logged in but no network, video, and sound
12. Install the VMware tools to get the video going
13. After VMware Tools reboot and the video will be better
14. Still no network or sound, activate the VMware tools so the VM can see the tools on drive D:
15. Goto Device manager, right click the ethernet controller, go to properties, then reinstall the driver.
16. During the reinstall it search the CD-ROM (VMware tools) for the right network driver.
17. You should now have network and able to surf the Internet with IE 7, but still no sound
18. Surf to www.soundblaster.com
19. select drivers from the right bottom panel
20. then North America/United States/English then Go
21 then choose Sound Blaster/Other/16PCI then click Next
22. Choose English/Windows XP/Drivers then Go
23. Download the "Driver release for SB PCI 128 Vibra / PCI 16"
24. Run the installer then reboot and viola you should have sound.

I was able to skip steps 2–7 by pre-formatting the disk in another VMware guest image… but the choice is yours. Steps 17–24 is where I was stuck before I ran into lpsi2000’s post. Thanks again lpsi2000!

Contributing to the WSUS Wiki:

2005-07-25T21:12:00.000-05:00

I finally got around to working on the WSUS Wiki tonight. If you aren’t aware of this site, or are wondering what the heck a Wiki is, read on for more info.

A Wiki is a community-driven web site where any Internet user can add/update/delete content. The goal of the WSUS Wiki is to create an evolving and improving community site where users can find answers to WSUS deployment and operations issues. It is currently maintained by a core group of WSUS experts, Microsoft MVPs, and even Microsoft employees. Tonight I made some simple typo and grammar corrections, and also created a new page titled WSUS Advanced Deployment Options.

Examples of other Wikis include the popular Wikipedia (Wiki Encyclopedia), Wiktionary (Wiki Dictionary), and Wikibooks (collaborative textbooks).

I plan to stay involved with the WSUS Wiki as I gain more experience with the product through customer deployments. Stay tuned for more updates soon!

New Product Category in WSUS - Windows XP x64 Edition:

2005-07-21T12:47:00.000-05:00

Microsoft recently added a new product category to WSUS – Windows XP x64 Edition. Don’t confuse this with Windows XP 64–Bit Edition Version 2003. The difference is as follows:

Windows XP x64 Edition is for 64–bit systems running AMD64 processors and Intel processors with EMT technology, which are referred to as x64 platforms.
Windows XP 64–Bit Edition Version 2003 is for 64–bit systems running Intel Itanium processors. These processors are much less common than the AMD64 or Intel EMT chips that ship in new PCs. If you have one or more Itanium processors, you’ll know it – there is no mistaking the price difference ;)

Here are screen shots of the WSUS product categories page before and after this change:

Here is a screen shot of updates applicable to the new platform:

Keep an eye on the To Do list on your WSUS Administration home page for notifications about these types of changes. Expect to see more product categories in the near future (SMS, ISA, MOM, and eventually Longhorn).

Recommended Microsoft Patch List Updated for July:

2005-07-15T09:24:00.000-05:00

I just uploaded the newest version of my Recommended Microsoft Patch List to the download site. You can find both HTML and Microsoft Excel versions of this list. In my opinion, none of the July patches warrant installation on dedicated server systems. However, all three should be deployed to your end-user PCs.

Keep in mind that my recommendations are just that — mine. They do not represent the views of Microsoft or my employer, LRS. Sorry, just had to get that out of the way now that my blog is getting more traffic.

Microsoft Updates and RSA Secure ID:

2005-07-12T21:31:00.000-05:00

Today I had the pleasure of working with a customer who uses RSA Secure ID for VPN and MS Terminal Services access. Without getting into too much detail, let’s just say anyone currently running RSA, or evaluating an RSA deployment, should pay special attention to Microsoft security updates and service packs. Please realize that while RSA offers enhanced security for Windows networks, it comes at a price – mainly additional planning, testing, and the occasional troubleshooting exercise. Read on for more information.

Issue #1: RSA Secure ID Agent 6.0 and Windows Server 2003 SP1 Domain Controllers don’t play well together.

If you try to update any Windows 2003 Domain Controller running RSA Secure ID Agent 6.0 to SP1 (either on purpose, or as the result of Automatic Updates) you will find yourself locked out after a reboot. This is a known issue, and is resolved by RSA 6.0 Agent Patch 2. Unfortunately, most people will discover this incompatibility after running into the problem. If you find yourself in this situation, simply boot your DC using the Windows install CD and run a repair operation. This replaces the GINA and some other stuff that RSA and 2003 fight over. Fun times! Don’t forget to apply Agent Patch 2 before attempting the SP1 update again ;)

Issue #2: Recommended lock down procedures for the RSA ACE Server prevent Windows Automatic Updates from functioning.

The RSA ACE Server (recently renamed RSA Authentication Manager) is the heart of an RSA deployment. It processes requests from RSA Agents for dual-factor authentication. Anyway – the primary ACE server, and any replica ACE servers, are a critical security risk if compromised. Therefore, RSA recommends very strict lock down procedures for these servers. While I’m all for the concepts of least privilege and a reduced attack surface, some of the RSA recommendations will cause you problems if you want to use Automatic Updates or install Windows 2003 SP1. RSA recommends disabling multiple services – including the Cryptographic Service and the Distributed Transaction Coordinator. Neither AU or SP1 will work correctly with these two services in this state. No problem – simply configure them for manual or automatic startup type and you are good to go. You can either leave these two services in an operational state at all times, or only change their startup type when you need to run updates. The choice is up to you. And by the way – make sure you apply RSA ACE Patch 2 while you’re at it. This is recommended if you are also updating your RSA Agent installs to Patch 2.

Friday Afternoon Blogging:

2005-07-08T16:45:00.000-05:00

I just finished writing a big proposal for a company client (big Exchange and Active Directory migration). All that hard work deserves some blogging on a Friday afternoon. Hey, smokers get a break every few hours. Call this a blogging break!

So, I’ve been using Groove Virtual Office for the last couple days. I have to say that I’m very impressed. Those of you not in the loop on Groove shouldn’t feel bad. I didn’t know about it until Microsoft announced their intent to acquire Groove earlier this year. Groove can best be described as a P2P collaboration tool for businesses. I know P2P has some negative connotations – but Groove isn’t anything like BearShare, Kazaa, or Morpheus. Check out the flash demo or read more about what Groove can do for you and your business.

Without a doubt, my favorite Groove feature is its ability to create an offline cache of all my important SharePoint sites. With this functionality, I can post documents, announcements, etc. to my SharePoint sites without even being connected to the Internet or my company’s LAN. When I’m connected next, Groove provides a simple “synchronize now” button that uploads my changes to the SharePoint site. This works with both SharePoint Portal Server 2003 and Windows SharePoint Services. Very cool stuff. If you are a heavy SharePoint user like me – this feature alone makes Groove Virtual Office worth the $179 price. Check out the free 60–day demo at www.groove.net. If you want someone to collaborate with while you are testing – my Groove ID is centimano-at-msn.com.

Microsoft Security Advisories:

2005-07-01T15:15:00.000-05:00

In order to stay relatively up-to-date with the changing IT security landscape, I subscribe to several notification services and RSS feeds. One recent addition is the Microsoft Security Advisory service. This pilot offering is designed to provide information outside of the normal Patch Tuesday communication loop. A great demonstration of this new service is the recent advisory regarding a new Internet Explorer vulnerability.

Last night around 7:30pm I received an e-mail from Microsoft containing this information. It seems that a new security hole in IE has been discovered and publicly announced. This last fact is important – and ties in nicely with the purpose of security advisories. Allow me to explain…

In a perfect world, security researchers find bugs, then report those bugs privately to the affected vendor (in our case, Microsoft). At this point, Microsoft attempts to validate that the report is actually a bug. If it is, they immediately go into triage mode and work on a fix. This fix is what you are used to seeing on Patch Tuesday. So, in this scenario, there is no public announcement of the vulnerability before Patch Tuesday.

Now – let’s jump over to the real world. Some security researchers don’t like to play by Microsoft’s rules. They would rather grab their 15 minutes of fame by publicly announcing the vulnerability before Microsoft has had a chance to provide a fix. This is exactly the case with the IE vulnerability mentioned in last night’s Security Advisory. Now Microsoft must rush out a fix since the exploit code is available for any script-kiddie to play with after school. This could result in a less-than-stellar patch due to inadequate time for testing, etc. Basically, in this scenario everyone loses.

I commend Microsoft on their efforts to improve communication about security issues. This hasn’t always been the case, but instead of beating them up over past mistakes – I’d rather focus on the positive steps they are taking now. And as for those limelight-stealing security researchers, well – that is a subject for another day.

Check out the full list of available security communications at the Microsoft Technical Security Notifications web site. Stay informed, and stay safe.

Testing BlogJet

2005-07-01T13:21:00.000-05:00

I’m testing a new blogging application - BlogJet. It's a Win-32 client for Blogger (as well as for other blogging services). I’m hoping it will enable me to spend less time tweaking my HTML and more time posting. I’ll post my thoughts about BlogJet over the next few days/weeks.

2005-06-24T21:48:00.000-05:00

Two New Items Worth Mentioning:

It's a Friday night and I'm playing single parent while my wife is out of town. What better time to catch up on blogging (now that the little one is fast asleep).

Google Blogger Adds Image Support
Up to this point, all the images on my blog have been hosted on my personal web site. This was necessary because Blogger lacked native image hosting capabilities. However, thanks to the beauty of RSS feeds (InsideGoogle), this evening I was alerted to the addition of image support on Blogger.com.

Here is a screen shot of this post in-progress with my mouse hovering over the new Add Image icon.
Very cool stuff! This new feature will make blogging with pictures, and screen shots much easier. Thanks Blogger!

MSN Updates Windows Desktop Search... Again
I've been using the MSN Search Toolbar Suite for several months now. In fact, I think its official name recently changed to the MSN Search Toolbar with Windows Desktop Search. Nice and concise, huh?!?! Since this blogging stuff doesn't pay by the word (heck, it doesn't pay at all) I'm going to refer to it as MSN Desktop Search from here on out, ok?

Anyway, MSN Desktop Search is essentially Microsoft's forray into the desktop search market, which is all the rage these days. The big benefit of running this tool on your PC is twofold:

You can quickly find stuff you've lost
You get new uber-cool tabs in Internet Explorer

There are plenty of articles on the web that provide a basic overview of MSN Desktop Search - so I will spare you the details. If you are interested, check out this review from Paul Thurrott.

For this post I'm mostly interested in the new Internet Explorer tabbed interface. Tabs aren't new -- Firefox, Opera, and Maxthon users have had tabs for some time now. However, tabs ARE new to IE -- and they are delivered as part of the MSN Desktop Search application. A picture is worth a thousand words...

The addition of tabs to IE was added a few weeks ago in a maintenance release of the MSN Desktop Search application. Being a true geek -- I was probably one of the first to fire up this new feature. However, also being someone who likes well-behaved software -- I was probably one of the first to quickly disable tabs as well. They were just too buggy for everyday use. IE windows would freeze, tabs would lock up or not close at all. I was very dissapointed

So, today I wasn't surprised to see another maintenance release of the MSN Desktop Search application. I was optimistic for this release as I downloaded and installed it. And guess what -- IE tabs are now usable. Check them out for yourself. Go to http://desktop.msn.com and download the MSN Desktop Search application. Take it for a spin and let me know if you think IE tabs are ready for prime time.

2005-06-20T20:28:00.000-05:00

June 2005 Patch Tuesday Recap

I just finished updating my monthly Patch Recommendation spreadsheet. Check out the links to your right. There are both HTML and Excel versions for your viewing pleasure. Lots of patches this month -- although once I finished dissecting them, only a handful apply to each OS flavor. Take a look and let me know if you have any thoughts/questions.

2005-06-12T12:02:00.000-05:00

Hidden Gem: Update Services Notifications (Updated)

I was poking around the WSUS downloads page over the weekend and found a cool utility buried within the API Samples and Tools download. This utility, called Update Services Notifications, is designed to send e-mail alerts when new updates arrive on your WSUS server. Additionally, the same tool can send daily and weekly status reports of WSUS activity.

Here's the trick to installing this little gem. First, download and install the core API Samples and Tools package. Next, browse to the following path and run "setup.msi".

c:\Program Files\Update Services API Samples and Tools\Update Services Notifications

After the install is finished you will have a new shortcut on your All Programs menu called Update Services Notifications. Click this shortcut and you will be greeted with the following configuration screen (click thumbnail for full image).

Once you fill out and confirm the Update Services Notifications window, a new service will be installed and activated on your server. You can double-check this by opening services.msc and looking for Update Services Notifications Service. The service should be started and set for automatic startup.

Your first notifications should arrive within 5 minutes. I've included both a synchronization notification message, as well as a weekly status report. You can view details about each message type by clicking the thumbnail below.

2005-06-07T21:28:00.000-05:00

How to Build a Virtual Test Environment for WSUS

So, you want to check out WSUS but don't have a real lab environment for testing? That’s OK - just virtualize. Don’t have virtualizaion software? No problem – trial versions of Virtual PC 2004, Virtual Server 2005, and VMware Workstation 5 are only a download away.

Introduction to Virtualization
Virtual machines enable users to run multiple operating systems concurrently on a single physical server, providing for much more effective utilization of the underlying hardware. Several virtualization software packages exist for the Windows platform. Without question, the two most popular desktop solutions are Microsoft Virtual PC 2004 and VMware Workstation 5. Another product, Microsoft Virtual Server 2005, is optimized to provide this capability on top of Microsoft Windows Server 2003. Given that Microsoft offers a 180-day evaluation of Virtual Server 2005, I will use it as the foundation for the remainder of this article. However, all the concepts should translate to Virtual PC 2004 or VMware Workstation.

Learn About Virtual Server 2005
To learn more about Virtual Server 2005, and how it can be used in a test environment, watch the following free webcast from Microsoft TechNet:
TechNet Webcast: Setting Up a Virtual Test and Development Environment

Evaluate Hardware Requirements
In order to run Virtual Server 2005, you need to meet some minimum hardware requirements. The following requirements are not absolute product minimums; however, they will provide adequate performance for real-world testing. You can load Virtual Server 2005 on your main desktop PC (as long as you run Windows XP Professional) or maybe you have an old server lying around that you can resurrect for testing.

Processor: Pentium III 1GHz minimum
Hard Disk: 40GB available (7200 or 10k RPM drives improve performance)
Memory: 1GB RAM (The more RAM, the more virtual machines)

As an example, a Pentium III, 1GHz desktop system with 1GB RAM can run 3 concurrent virtual machines. One of these machines would be the WSUS server, and the other two could be desktop systems (2000 or XP) or additional server systems (2000 or 2003). You will want to configure the WSUS virtual machine with 256MB RAM and give each of the other images 160MB RAM. This configuration will provide decent virtual machine performance while still allowing your host OS enough RAM to run day-to-day apps such as Outlook, IE, etc. Don't expect "snappy" performance -- but this will work. Obviously, a Pentium 4 or top-shelf AMD processor will help.

Register for Free 180-Day Virtual Server 2005 Trial
Microsoft offers a 180-day free trial of Virtual Server 2005 on its web site. Check the following page for all the details:
Virtual Server 2005 Evaluation Kit

As an added bonus, the Virtual Server 2005 Evaluation Kit also includes a 180-day trial version of Windows Server 2003 Enterprise Edition. Windows Server 2003 is not required for Virtual Server 2005 (it will run under Windows XP), but it is recommended.

Note: There is a known issue with Virtual Server 2005 running Windows Server 2003 SP1 guest virtual machines. Basically, performance stinks. You have a couple options. First, don’t upgrade your guest virtual machines to SP1 (you can still apply all the pre-SP1 security updates without incident). Second, register for the Virtual Server 2005 SP1 Beta program (link). Virtual Server 2005 SP1 includes code changes to deal with guest machines running Windows Server 2003 SP1. Your third and final choice is to wait until the end of June for Microsoft to release a hotfix for Virtual Server 2005 to fix this issue. You can read more about this issue on Megan Davis’ blog at http://blogs.technet.com/megand, or check the associated Microsoft Knowledge Base article.

2005-06-06T10:11:00.000-05:00

The Week of Update Technologies

Its official -- Steve Ballmer announced the immediate availability of Windows Server Update Services and Microsoft Update this morning during his TechEd 2005 keynote. These technologies have been in testing for some time now, and I am very excited to be able to blog about them this week. I plan several articles over the next few weeks, including the following:

How to build a WSUS test lab on a tight budget
WSUS licensing ramifications
Express install packages (aka "Uber Updates")
Making sense of the WSUS documentation

Be sure to check out the official WSUS product page, and also the Microsoft Update web site.

2005-05-31T20:35:00.000-05:00

Microsoft Licensing Rights for Virtualized Desktop Environments

I conducted some research on Microsoft virtualization products the other day in preparation for a customer presentation. While digging through various licensing resources (read: boring) I found some interesting licensing changes that I was not aware of. First, let me stress that the following changes only apply to those of you who license your Microsoft software under one of the volume licensing programs. If you purchased your copy of Windows or Office off-the-shelf, or it came with your PC -- you are out of luck.

Hidden within a Microsoft Licensing Brief from May 2004 (MS Word document) is new language regarding the use of virtualized desktop environments. It breaks down like this:

If you have a valid license for Windows XP Pro or Windows 2000, you can run one additional OS inside a virtual machine (Virtual PC 2004 or VMware) at no additional charge. This means you can use Virtual PC or VMware to run legacy applications that require NT 4 inside a virtual machine without needing to buy a second OS license. The additional benefit to this scenario is that your virtual machine can access a Windows network without the need for a second Windows CAL. Very cool stuff! And the virtual guest isn't limited to just NT -- you could run Windows 9x, Windows 2000 Professional or Windows XP Professional. The only thing you can't do is run any flavor of Windows Server as the host OS, or the virtual guest. This licensing benefit is for desktops only.

But wait, there's more! Let's say you are also licensed for Microsoft Office in addition to Windows. The same license brief says that you can run Microsoft Office inside the virtual machine for no additional charge - as long as the virtualized Office installation is one version older than the one running on the host. This means that if you run Office 2003 on your host you need to install Office XP (or earlier) in your guest OS. Sounds weird -- but it's true.

Microsoft's policies regarding virtualized server environments are much more strict. Check out this licensing brief (MS Word document) for information on server licensing changes.

2005-05-27T12:19:00.000-05:00

Two Great New TechNet Resources (UPDATED)

Interop and Migration Content Filter
This new tool is probably most helpful for those of you in the consulting world. However, if you’ve ever wondered “how does x technology interoperate with y technology”, where x=Linux, Novell, IBM, etc. and y=Microsoft product, then you are in luck. I haven’t noticed any new content inside this tool; however, the next time I need to answer the above question I know just where I’ll go. I know it will save me several minutes/hours of searching for the right resources.

RSS Feeds of Recent KB Articles (UPDATED)
I’ve been a big fan of a service called KBAlertz for quite some time now. KBAlertz offers a service where you subscribe to different Microsoft content areas (say, Windows 2003, Exchange 2003, etc.) and then anytime a new KB article is posted you receive an e-mail. This is an excellent way to stay on top of emerging issues in the areas you care about most.

At first I thought this new TechNet service was going to make KBAlertz obsolete. However, after an e-mail exchange with Scott Cate at KBAlertz, I discovered that he has offered his own RSS feeds for quite some time. So now you have two choices -- continue to use KBAlertz feeds (which Scott says are updated more frequently than Microsoft's own feeds) or go straight to the horses mouth and use the TechNet feeds. Check out this page for all the details on TechNet's RSS service, and also some recommended RSS aggregators (my favorites are SharpReader and RSS Bandit).

BTW -- I’m subscribed to the following KB article feeds:

Exchange 2003
ISA 2004
Media Center 2005 (TiVo killer)
Outlook 2003
SBS 2003 (I run SBS 2003 as my home server)
Virtual PC 2004
Virtual Server 2005
Windows Server 2003
Windows XP

2005-05-11T15:37:00.000-05:00

May, 2005 Patch Day: Baseline Spreadsheet Updated

An updated baseline spreadsheet is available using the links to your left. The month of May brings us one lonely patch for Windows 2000. This isn't to say all security issues are resolved -- far from it. Check out the Secunia database of reported, yet unpatched vulnerabilities at www.secunia.com. Of particular interest are the pages on Windows Server 2003 and Internet Explorer. But don't think Microsoft is the only guilty party -- check out Firefox and Red Hat Linux while you're at it. Humans are fallible. Get used to it. ;)

2005-04-20T22:32:00.000-05:00

April Microsoft Patch Recommendations

I just updated my Microsoft Patch Recommendation spreadsheet and web page for your viewing pleasure. There are a number of important updates this month -- so please review the information and patch accordingly.

2005-03-16T20:44:00.000-06:00

Useless Trivia: Windows Server 2003 Cache.dns File

I was doing some research tonight and I got curious about the Windows Server 2003 cache.dns file. For those of you who aren't up-to-speed on such things, the cache.dns file is responsible for "priming" your DNS servers so they know how to resolve the root Internet servers -- and thus, the rest of the Internet. My curiosity was mostly focused on the topic of updates to the root servers, and specifically how new server addresses find their way into the Windows Server DNS cache.dns file.

After some digging I found Microsoft KB article 815024, which discusses a recent update to the cache.dns file. It seems that this update, released in July, 2003 as part of Windows 2000 Server SP4, contains a minor update to the cache.dns file. So it seems that Microsoft refreshes the cache.dns file via service packs. That's all fine and good, but this new cache.dns file is already out-of-date. Sigh... guess my search isn't over just yet.

If you want to see the most recent cache.dns file, check ftp://rs.internic.net/domain/ and look for a file called named.root. As you will see, there are a couple differences between this file and the Windows Server cache.dns file. First of all, they have different names. Secondly, if you open each file with Notepad, you will notice that the named.root file isn't formatted like the Windows cache.dns file. However, this second point doesn't seem to be a show stopper. I fired up one of my test Windows Server 2003 machines and copied the named.root file to c:\windows\system32\dns. After renaming the existing cache.dns file to cache.old, I then renamed named.root to cache.dns. I then restarted the DNS service, and voila -- my root hints were updated.

The only difference between the vanilla Windows Server 2003 root hints file and the one I downloaded from InterNIC is the address of b.root-servers.net. The old address is 128.9.0.107, and the new address is 192.228.79.201. If you want, you can simply use the Windows DNS graphical administration tool and manually update the b.root-servers.net entry. Either way, it doesn't really matter -- since both the old and new addresses respond to DNS queries. I'm not sure how long this will hold true, but if you are a geek like me, you will want the latest and greatest cache.dns file. :)

2005-02-14T16:33:00.000-06:00

Boson Cisco Simulators Rock

I got my first Cisco certification, a CCNA, in 2000. To accomplish this task I used several self-study courses along with a stack of routers and switches from our lab. I can remember many days at my desk with the drone of Cisco fans about to put me to sleep. I would read about a new router or switch function, then fire up HyperTerminal and put my new knowledge to use. Not a bad way to learn for a hands-on guy like myself. The only problem was that I often left the office to work on billable consulting assignments, and couldn't exactly lug the router/switch rack with me wherever I went.

Fast forward to 2005. Being primarily a Microsoft-focused consultant, my Cisco certifications expired in 2003/2004. I've always wanted to renew my CCNA since I frequently encounter Cisco gear in the field. However, the thought of sitting with a rack of Cisco gear, and those fans, just about caused me to shelve the whole idea.

Enter Boson NetSim. This amazing software package allows me to use my laptop to simulate a full Cisco lab, complete with routers, switches, and hosts. No more noisy rack of Cisco gear. I can now study for my CCNA anywhere at any time. I can even load actual router config files I encounter in the field directly into the Boson NetSim software, and test various configuration changes without worrying about affecting the client's network.

This is truly amazing software. I know Boson has been around for a while, but if you are like me and just discovered them -- you are in for a pleasant surprise.

2005-02-09T11:37:00.000-06:00

Updated Patch Baseline Spreadsheet

I just finished updating my Microsoft Patch Baseline spreadsheet to include the updates released yesterday. This month was a busy one for Microsoft -- and it will be a busy one for you too, I'm sure. Twelve new updates were released on 2/8/2005, along with the re-release of one more update from 2004. I have taken the time to analyze the security bulletins to understand the scope of each vulnerability. Please take a look at the links on the left to download the updated spreadsheet. I provide both Excel and HTML versions for convenience, since most servers do not have Excel installed locally.

2005-01-26T09:44:00.000-06:00

Funny: Microsoft = giantcompany.com

I've been testing Microsoft's new AntiSpyware beta for the last few weeks. You can get your own copy of this public beta at http://www.microsoft.com/spyware. The software is pretty well behaved, mostly because it really isn't a beta at all. Microsoft purchased AntiSpyware from a company called Giant, which had been selling AntiSpyware for quite some time. Immediately after purchasing Giant's assets, Microsoft re-branded the Giant product and launched it as Microsoft AntiSpyware Beta. The only noticeable changes between Giant's version, and the beta released by Microsoft, are the removal of all references to Giant, and the removal of a cool utility called a secure file shredder. This utility was able to integrate directly into Windows Explorer, allowing you to right-click on a folder or a file and have it securely deleted (i.e. not moved to the recycle bin). For some reason Microsoft chose to remove this feature. Hmmm...

Anyway, now for the funny part of my post. I was running Microsoft AntiSpyware yesterday and encountered my first bug. The screen shot below was presented for my information.

I guess they didn't remove every reference to Giant after all. Giant's former website was www.giantcompany.com. I find this funny because of all the grief people give Microsoft for being an 800-pound gorilla. So, if you have problems with any Microsoft software - just e-mail support@giantcompany.com. It'll make it to the right place ;)

2005-01-11T22:26:00.000-06:00

January 2005 Patch Day

I have a headache... and surprisingly it's not because of Microsoft's January 2005 security bulletins. I just finished driving from my home in eastern Kansas to Jefferson City, Missouri in dense fog and rain. Lots of 18-wheelers, and some idiot that passed me doing 100MPH. Needless to say, I'm really not in the mood for Patch Day.

The good news is that this month (while having two critical vulnerabilities) isn't really a bad month. Three total vulnerabilities, and none of them "wormable". In my vocabulary, "wormable" vulnerabilities are ones that can be exploited remotely with no user intervention, using commonly open ports/services. These are the Blaster/Sasser variety vulnerabilities. January 2005 holds no such vulnerabilities. Guess that means I can knock off early, take two aspirin, and update my patch baseline spreadsheet in the morning.

Update: The Excel and web version of my patch baseline spreadsheet are current. Enjoy!

2004-12-23T22:48:00.000-06:00

2005: The Year of Safe Computing

I wrote the following article specifically for my non-technical friends and family. Most of you who read this blog are savvy enough to skip over this entry. However, if you have an uncle, mother, or grandpa who just can't seem to make sense out of computer security, maybe you can forward this blog entry to them. Merry Christmas!

In lieu of sending Christmas cards, I've decided to invest my time writing an article on how to make 2005 the Year of Safe Computing. As most of you know, I work as a consultant in the IT industry. My job requires that I stay on top of several technology areas, and one of these areas is computer security. My goal with this article is to demystify computer security so you can better protect and maintain your home computer. I am focusing on three security topics that I feel will provide improved security without requiring too much effort to implement. So, grab a cup of coffee or hot chocolate and read on.

The three focus areas for this article are as follows:

Armor Your PC: Firewalls
Clean and Inoculate Your PC: Viruses, Spyware, Etc.
Protect Your Privacy: SPAM and Phishing

1. Armor Your PC: Firewalls
Simply put, a firewall is a software program or hardware device that protects your PC from unsolicited communication. Such unsolicited communication often comes from hackers who prey on unsuspecting Internet-connected PCs. Hackers can send data to your PC over the Internet that will cause it to crash, or worse, they can install programs called "back-doors" that give them full control over your PC and all the data on your hard drive.

There are several ways you can protect yourself from being attacked. The easiest way is to install a software firewall program, which can be purchased at any major electronics retailer. A software firewall instructs Windows to stop listening for communication from other PCs, and instead only allows outgoing communication such as web surfing, or checking e-mail. Most people are surprised to learn that their PC is actively listening for other PCs, which it readily responds to by default. Another option is to purchase a hardware firewall device, often called a broadband router. This may be a good solution if you have more than one PC in your home and you want to share Internet access. In this scenario, the hardware device acts as a firewall protecting the home PCs from inbound Internet traffic. With a hardware firewall you can safely share files between two or more home PCs without the fear that you are sharing your data with everyone on the Internet.

Below is a list of some popular software and hardware firewalls:

Note: If you are running Windows XP, make sure you upgrade to Service Pack 2 using the Windows Update feature (windowsupdate.microsoft.com). Service Pack 2 includes a software firewall that does an excellent job of protecting your PC. If you are running an older version of Windows, you need to invest some money in one of the solutions above. Regardless of the solution you choose, a firewall makes an excellent New Years resolution for 2005.

2. Clean and Innoculate Your PC: Viruses, Spyware, Etc.
Our second area of focus is malicious software, often called viruses, spyware, malware, and adware. Unless you've hidden under a rock the last few years you probably know that computer viruses can wreak havoc on computers, and sometimes the entire Internet. Big-name viruses such as Melissa, Slammer, Blaster, and Sobig have even made the prime-time news. Similar to the firewall advice above, you should install and run software that protects you from malicious software found in e-mail, floppy-disks, or Internet downloads.

There are plenty of antivirus software vendors for you to choose from. Here is a list of the most popular consumer packages:

You may also want to check out a subscription to MSN Premium, which offers both antivirus software and a software firewall as part of the subscriber benefits. I wrote an entire article on this service over at my MSN blog, which you can find by clicking here. Check it out if you are interested in an alternative approach to securing your PC while getting more enjoyment out of the Internet at the same time. Regardless of which antivirus software program you choose, please be aware that you need to keep your virus definitions updated on a daily or weekly basis. Virus definitions are lists of current viruses, which help the antivirus software recognize newly discovered threats. Most off-the-shelf antivirus software comes with a 1-year virus definition subscription at no charge, but anything beyond the first year will cost you between $15 and $30 dollars. This might seem like a racket, but it is a small price to pay to stay ahead of the bad guys.

A new type of malicious software is spreading like wildfire throughout the Internet. This new threat is known as spyware. Spyware is software that tracks your PC activities with the goal of sending you targeted advertising. Some of you may be infected with spyware right now and not even realize it. A more dangerous form of spyware is designed to capture your keystrokes, e-mail messages, and important data files, which are then used for illegal purposes. One reason spyware is such a problem is due to its distribution method. Spyware often rides "shotgun" alongside free software you might find on the Internet. If you have downloaded software such as Kazaa, or other file sharing programs, there is a good chance you have spyware on your computer. There are also numerous Internet Explorer toolbars that claim to offer enhanced search features, but instead simply track your web surfing habits to let advertisers know your interests.
Below is part of an e-mail I received from a friend who was infected with spyware.

"A massive number of pop up windows appeared on my computer, and I couldn't close them fast enough ... they just kept coming. I discovered on my computer a number of programs that I did not deliberately download, and several are preventing me from removing them. In addition, I'm very sorry to say, that under my "favorites" section in Internet Explorer have been added, without my knowledge, links to various websites, including several that are, let's say, very bad."

Does the above situation sound familiar? Has your PC been getting slower and slower over the years? This could be caused by many factors, but quite often it is due to spyware being installed without your consent. A new type of software known as anti-spyware is needed to fight this threat, since antivirus software does not protect you from spyware the same way it protects you from viruses. Isn't technology wonderful!?!?

Earlier this month Microsoft purchased Giant Software, maker of the premier anti-spyware product on the market. This purchase, along with the 2003 purchase of GeCAD, means Microsoft now has both antivirus and anti-spyware software expertise. The rumor mills are aflutter with speculation about Microsoft's plans for both technologies. I can assure you of one thing, Microsoft is getting serious about security. We won't likely see any of this technology directly integrated into Windows until 2006 at the earliest; however, Microsoft has promised a test version of their anti-spyware product sometime in January. Until an integrated antivirus and anti-spyware solution exists, other companies offer free and low-cost software to help you win the battle against spyware. My personal favorites are listed below:

Following the links above will take you to a page where you can download each product and read more about the installation process. I recommend running both Ad-Aware and Spybot Search & Destroy to get the best results. Anti-spyware solutions are not 100% successful at deleting all spyware, which is why it's a good idea to run more than one utility. Keep an eye on Microsoft's spyware page throughout the year for details on their anti-spyware offering.

3. Protect Your Privacy: SPAM and Phishing
The final topic for this article deals with a major annoyance for all users of Internet e-mail; SPAM and phishing. While SPAM is simply annoying junkmail, phishing attacks are SPAM e-mails with a deceptive message. Phishing messages often claim to come from your bank, brokerage firm, or other popular sites such as eBay, and implore you to quickly reset your password or divulge other important personal information. Unfortunately, those that fall for these scams often find that their information is later used for fraudulent purposes.

How can you spot a phishing attack?

Look for spelling mistakes, or poor grammar
If the message has an unusually urgent tone
If the web site address you are sent to is not legitimate, or is not secure
Be suspicious of requests for financial data or personal information

If you are not able to figure out whether a message is legitimate or not, call your financial institution and ask them to verify the message. All major financial institutions and online retailers are well-versed in spotting phishing attacks and will be more than happy to assist you. Check out this MSN page for a more detailed overview of phishing, as well as steps you can take to prevent yourself from becoming a victim.

Conclusion
Please consider the information above my Christmas present to each of you. I want to do whatever I can to help make your PC experience as safe and enjoyable as possible. Computers and the Internet are amazing tools that have changed our lives for the better. However, without the proper protection and safe computing practices, your PC could cause more harm than good. I strongly recommend you compare your current computing environment against my recommendations and implement any necessary upgrades to make 2005 the Year of Safe Computing.

2004-12-14T22:39:00.000-06:00

Microsoft December Security Updates

This month brings us 6 vulnerabilities, 5 of which were announced today, and one (a critical IE vulnerability) which was announced on December 1st. Of these 6 vulnerabilities the IE critical vulnerability is the one that should be on everyone's radar screen. Those of you running Windows XP SP2 and Windows 2003 are not affected by this critical vulnerability. However, anyone running Windows 2000 or Windows XP with SP1 should investigate the December IE patch immediately.

The only other item of interest this month is the WINS vulnerability detailed in MS04-045. This vulnerability could allow remote code execution in certain circumstances, most likely on Windows 2000 servers. I added this patch to my recommended patch baseline list due to this fact. However, if you are not running the WINS service on a particular server, then you do not need to worry about this vulnerability. In some situations with smaller clients, I have installed WINS on AD domain controllers since those servers are typically under-utilized. If your network fits this scenario, it is imperative that you apply the WINS patch. Remote compromise of a WINS server is one thing-remote compromise of an AD domain controller is another.

Have a happy holiday season...

2004-11-27T09:45:00.000-06:00

No More Service Packs for Windows 2000

I just read the official announcement concerning Windows 2000 SP5, or the lack thereof. I'm wondering about the "many customers" who told Microsoft they would prefer to leave Win2000 on SP4 until 2010, which is when support officially retires. Seriously--this is how long Win2000 will be in circulation given Microsoft's extended support lifecycle.

Here are some of my favorite quotes from the announcement FAQ:

"Because every update to Windows introduces the possibility of system instability at the customer's site (for example, an update to one part of the system causes some other part of the system--or an application--to fail), an Update Rollup will provide the maximum utility at the minimum risk of instability at this point in the Windows 2000 life-cycle."
**JC** Wait until the Linux zealots get a hold of this quote. Classic!

Q. Is this the first time Microsoft has done a rollup instead of a service pack?
A. No. Microsoft has done update rollups before. For information on previous rollups, visit the following links:

a. Windows NT 4.0 Post-Service Pack 6a Security Rollup Package
b. Windows 2000 Security Rollup Package 1 (SRP1)
c. Windows XP Update Rollup 1

**JC** Nice--we're comparing the forthcoming Windows 2000 rollup to these other earth shattering releases. I could understand if this was 2008 and we were discussing the end of Windows 2000 service packs. However, the last time I checked the calendar is just about to roll to 2005.

"Windows 2000 systems with SP4 deployed will be 'up to date' from a life-cycle policy perspective until the end of life (EOL) date of Windows 2000. The EOL date will be no sooner than January 1, 2010."
**JC** Again, where is the logic in this?

I can understand that Microsoft wants to move their "Sustained Engineering" resources onward and upward--but I believe this decision will rub a lot of customers the wrong way. Many customers I work with (mid-market, 1000-10,000 desktops) are planning to maintain their Windows 2000 Servers (mostly application servers) for quite some time. Granted, I see excellent momentum behind Windows 2003, especially for Active Directory domain controllers and Microsoft Exchange servers, just to name a few. However, I also know many customers who only recently migrated off NT 4.0 (which released in 1996).

Please don't think this is a Microsoft-bashing post, but instead just the honest opinion of someone who works in the trenches with techs and IT Managers on a daily basis. I can't think of one of them who would have said to Microsoft, "Sure, don't release any more service packs for Windows 2000".

2004-11-18T14:06:00.000-06:00

Windows Update Services Beta 2

Earlier this week Microsoft released Windows Update Services (WUS) Beta 2 to customers and private testers. WUS is Microsoft's second-generation security patch distribution software. Microsoft anticipates a spring 2005 release for the final version of WUS.

The only difference between the private and public WUS betas is the fact that private beta testers have a direct line of communications with WUS developers at Microsoft. Other than that, the code is identical. You can register to download WUS Beta 2 at this Microsoft web site.

Here are some early screen shots from my dev/test lab (a.k.a. my home network). Click each image for a full-size screen shot. Machine names have been hidden to protect the innocent.

Screen Shot 1: WUS Administration Home Page

Screen Shot 2: WUS Update Catalog

Screen Shot 3: Example Status Report

Screen Shot 4: Detailed Computer Status

2004-11-16T07:39:00.000-06:00

Check out the Windows Marketplace

Microsoft recently launched a new web site to showcase all the products and services that compliment Windows-based systems. Each product you find will have links to various online and brick & mortar retailers--including price comparisons. As a Microsoft MVP I've been writing reviews for numerous hardware and software products from Microsoft and 3rd party companies. Click on over to the Windows Marketplace and look for my reviews under the nickname KC_MVP. The Windows Marketplace should make holiday shopping easier for all the geeks in your family.

2004-11-07T16:28:00.000-06:00

More Info on W32.Spybot.Worm

I've noticed several visitors are reaching this blog after searching for help with W32.Spybot.Worm. I am posting a few more knowledge gems with the hope that my experience can lessen the effect of this virus on other networks. Click here for my previous W32.Spybot.Worm blog entry.

Tools
We relied on a couple tools to gain an understanding of what W32.Spybot.Worm was doing on the network. The first tool is Autoruns from Sysinternals. Autoruns will search all relevant registry keys and startup folders for programs that are set to run at boot time. This is how we discovered that malicious files named WinUSB2 and bling.exe were executing at startup.

Another utility from Sysinternals that came in handy was PSKill (part of the PSTools Suite). This little command-line utility allowed us to kill the WinUSB2 and bling.exe processes on all infected workstations. We needed this tool because simply trying to end the task via Task Manager wouldn't work. PSKill can kill tasks on the local system, or it can be run across the network to kill processes on remote machines. We wrote a quick and dirty batch file which called PSKill to stop WinUSB2 and bling.exe. This helped ease network traffic, which had been overwhelming the edge router.

Machine Repair
We ended up using the updated Symantec AV definition files to let SAV repair the machines. However, if Symantec had taken any longer to get the defs uploaded (it took them almost 24 hours) we would have taken matters into our own hands. Possible options for removing the offending registry keys and files remotely would have been Kixtart, or maybe just WMI (since all desktops are 2000 or XP). I'm glad we didn't need to go down this path.

2004-10-31T13:43:00.000-06:00

Firefox Use on the Rise

I thought I'd share my blog usage statistics with everyone to illustrate a point about browser usage.

As you can see from the above graph, Firefox 1.0 (which is still in testing) has reached 11% market share. I've been watching this number rise over the last couple weeks and figured now was a good time to bring this trend to light. What do you think about this new browser? Why are you using it? Do you still use Microsoft Internet Explorer for banking, Outlook Web Access?

2004-10-29T21:49:00.000-05:00

Symantec Client Security Best Practices

I'm going to be posting a few blog entries about a recent experience implementing Symantec Client Security (the corporate version of Symantec/Norton antivirus). This first entry is dedicated to a problem with the default installation options when implemented on Exchange servers.

I was working with a client this week and one of my tasks was to assist them with an upgrade from Exchange 2000 to Exchange 2003. Given that this is a single server swing upgrade I knew it would be a slam dunk. Basically we would install the new server on new hardware, move the mailboxes during a maintenance window, then decommission the old server. Boy was I wrong.

Once the new server was in place we started by migrating a few pilot mailboxes. We immediately noticed that mail was not flowing reliably between the old and new servers. We were also getting some ambiguous errors in the event log. To make a long blog entry short, the problem was with Symantec Client Security's advanced e-mail scanning component. Here are the exact error messages we received in the event logs.

Event Type: Warning
Event Source: MSExchangeMTA
Event Category: Interface
Event ID: 9318
Date: 10/27/2004
Time: 11:06:54 AM
User: N/A
Computer: SERVERNAME
Description:An RPC communications error occurred. Unable to bind over RPC. Locality Table (LTAB) index: 7, Windows 2000/MTA error code: 9297. Comms error 9297, Bind error 9297, Remote Server Name MAIL [MAIN BASE 1 500 %10] (14)

Event Type: Warning
Event Source: MSExchangeMTA
Event Category: Security
Event ID: 9297
Date: 10/27/2004
Time: 11:06:54 AM
User: N/A
Computer: SERVERNAME
Description:Calling client thread does not have permission to use MTA RPCs. Windows 2000 error code: 0X80070005. Client user account: NT AUTHORITY\ANONYMOUS LOGON. [BASE IL INCOMING RPC 25 237] (14)

It turns out that the default install of Symantec Client Security 9 also installs and activates a component which should only be used on 2000/XP client machines. This component, referred to in the install routine as POP3 Scanner, was intercepting all mail to and from our Exchange server and basically messing up the mail flow. We simply re-ran the install routine and de-selected this component (as well as the Outlook scanning piece which was also installed by default) and after a reboot the server was back to normal. The above event log messages were also gone once the server rebooted--and they haven't come back since.

I'll write a future blog entry on the steps required to create a custom Symantec Client Security package. It is wise to have a separate package for desktops, laptops, and servers. I sincerely hope the search engines pick up this blog entry so that any other individuals who may be fighting this issue can find my solution. We burned about 3 hours fighting this issue--and believe me it wasn't an enjoyable few hours.

One more thing... while we were already aware of the necessary file exclusions for Exchange servers (in other words, this had nothing to do with the above problem) you may want to check out this Microsoft article for full details. There are quite a few do's/don'ts regarding file system antivirus scanners running on Exchange servers.

2004-10-27T20:07:00.000-05:00

TechNet Magazine is Online!

If you can't wait for your printed copy of TechNet Magazine--head on over to this web site where you can read all the content online. This edition of TechNet magazine has excellent information on how to secure your Windows environment from the bad guys. There's also a cool article on integrating Cisco Unity and Microsoft Exchange ;)

2004-10-25T16:47:00.000-05:00

Free Software for Windows XP Users

The following link will take you to a site where you can download some cool *free* software for Windows XP. I've tried some of the software already--and I can vouch for the "coolness" of the USB Flash Drive Manager and Post-it Software Notes. As for the rest, you're on your own.

Note: if you don't already have anti-virus software on all your PCs, or if your antivirus software is out of warranty and no longer receiving updates, download the CA eTrust antivirus product. The core product is free and offers 1 year of free updates as well.

http://www.microsoft.com/windows/partnerpack/default.aspx?prereq=true

Enjoy!

2004-10-23T15:49:00.000-05:00

Premier Issue of TechNet Magazine is Ready!

Check out this link to order a free copy of the premier issue of TechNet Magazine. TechNet Magazine is targeted at IT Professionals and is published by the same team that publishes MSDN Magazine.

Once you get your hands on the magazine, turn to page 78. That's where you will find my article on Cisco Unity and Microsoft Exchange. This is my first published work--so I'm pretty excited. Check it out and let me know what you think.

2004-10-21T21:15:00.000-05:00

Fighting W32.Spybot.Worm

Over the last three days I have had the pleasure of assisting one of my clients with a serious virus infection. The circumstances which led to their infection are enough to warrant a blog entry all by themselves—but the fact that this was a new virus should make this both an entertaining and informative article.

Three Strokes of Bad Luck
Let me start by saying that this client is very security conscious. They employ the latest firewall technology. They use an industry-standard antivirus product suite. They even refer to my patch baseline spreadsheet and use Microsoft SUS to ensure that they are protected against the most critical Microsoft vulnerabilities. However, even all these technologies were unable to protect them from our friend W32.Spybot.Worm.

The first stroke of bad luck hit when their Exchange 2000-based antivirus product experienced a hiccup and let a few virus-infected attachments get into the network (it is programmed to block typical virus attachments ending in .pif, .bat, .exe, etc.) Now, in a perfect world this would never happen—but anyone who works with technology can tell you the world is far from perfect. The product in question is Symantec Antivirus for Exchange 4.5.2, which is actually a good product. Regardless, for some reason it had been misbehaving for a few days. Unfortunately, no one had looked at the Symantec logs to discover this until after the infection was already underway. Chalk this one up to bad luck exacerbated by overworked network administrators.

The second issue has to do with the W32.Spybot.Worm itself. This virus has been around for more than a year and consists of over 1000 variants. Unfortunately, for my client, the virus that made its way into their network was a new variant that had not been seen before. This means that all their virus protection was worthless since it did not “recognize” the signature of this version. Remember that antivirus products are reactive by nature—they are only as good as their definitions. And how are the definitions updated? You guessed it; people submit suspected viruses to the antivirus software vendor for analysis and inclusion in the next round of definition updates. That is exactly what happened in this situation. After a lengthy phone call with Symantec, they determined that we indeed had a new variant of W32.Spybot.Worm. We uploaded the files we thought were infected (which we sniffed out the old-fashioned way) and they wrote a new set of definitions. It took them almost 24 hours to get the file up on their web site. That is a long time to wait when 80% of your workstations are infected.

The third and final circumstance that led to this situation getting out of hand is missing patches. As I said earlier, the client uses SUS to deploy Microsoft critical security updates. Unfortunately, they had missed one important update known as MS04-011. Even less fortunate was the fact that the W32.Spybot.Worm variant that found its home on a couple machines via e-mail was now spreading throughout their network due to the MS04-011 security vulnerability. If all their workstations had the MS04-011 patch applied then the virus would have been confined to the few machines that received and opened infected attachments. However, the virus was able to spread beyond these initial machines WITHOUT user interaction. After much research and discovery, we came to the realization that the only machines not infected were Windows XP machines running SP2 and most of their servers that had the MS04-011 patch installed.

Preventing Future Outbreaks
Now that we have looked at the circumstances that led to the infection, let’s talk about some methods of preventing this type of incident.

1. Monitor your logs: It is possible that if the issue with the Exchange e-mail scanner had been discovered and fixed the virus wouldn’t have made it into the network in the first place. The Exchange e-mail scanner would have blocked the entire message due to its attachment name even though it did not know about this particular variant of W32.Spybot.Worm.

2. Audit your systems: Missing a critical patch the first time around is a legitimate mistake. Nevertheless, not auditing the systems on a regular basis to ensure the patches are distributed and installed correctly is a serious mistake. Granted, SUS v1 does not have built-in reporting capabilities, but the free Microsoft Baseline Security Analyzer can be easily configured for automated scans of the entire network. These scans can look for missing critical updates and alert the administrators that the initial installation was unsuccessful.

3. Block outbound traffic through your firewall: One of the methods this virus uses to propagate throughout the network is to download additional virus files from a remote server via FTP. Had the client’s firewall been configured to block these outbound FTP requests the virus may not have spread as efficiently. Most firewalls should only allow outbound web (http) and secure web (https) traffic by default. All other protocols should be blocked by default and exceptions made on a case-by-case basis. For instance, servers will most likely need access to other services such as DNS and SMTP. However, leaving outbound traffic wide open is not the best security strategy.

4. Use host-based intrusion detection: This is an awful big stick… but something that more organizations are warming up to. Host-based IDS is designed to monitor the behavior of the machine itself, looking for suspicious activities such as buffer overflows, unknown files writing themselves to critical system folders, etc. McAfee is beginning to offer this type of protection with their corporate antivirus products. It is not the best host-based IDS product on the market—but it is a sign that the technology is becoming more mainstream. My company is a Cisco partner and we recommend Cisco’s best-of-breed host IDS product called CSA. You can learn more about host IDS products by searching Google or visiting McAfee or Cisco’s web sites.

That’s all for this blog entry. I may expand on some of the points here in future articles. Drop me a comment if something is of particular interest.

2004-10-14T10:21:00.000-05:00

Updated Microsoft Patch Baseline Spreadsheet

I just uploaded my patch spreadsheet for your amusement. You can download an Excel version--or use the HTML version if you are viewing this blog from a machine without Excel.

After digging into the updates, there are really only 3 or 4 that need to be applied to each system type (Win2003, Win2000, XP). By far, the most critical is the Exchange Server 2003 SMTP/DNS vulnerability. Patch this one ASAP!

2004-10-12T23:08:00.000-05:00

October 12, 2004: Microsoft Patch Day Update

Whew--what a day! I spent most of the morning preparing for my presentation at the Virtual Server 2005 launch events (I'll be speaking in Kansas City, St. Louis, and Nashville). Everything was going along fine until lunchtime. That's when the monthly Microsoft vulnerability e-mail hit my inbox. I had to count them twice--but the total was still an unbelievable TEN vulnerabilities. In all fairness, one vulnerability only applies to NT 4.0 (which you aren't running anymore, right?). Still, nine vulnerabilities is a large number for one month. Well... no use complaining, let's jump right in and pick 'em apart.

Note: I'll update my patch spreadsheet tomorrow night on my way to St. Louis. For now you'll just need to combine the brief synopsis below with the current patch list to get the complete picture for each OS.

MS04-029: RPC Vulnerability in NT 4.0. In case you are wondering, NT 4.0 Workstation support is dead, and NT 4.0 Server support is on it's last leg (ends Dec. 31, 2004). Enough said.
MS04-030: WebDAV DoS Vulnerability. This update only applies to systems running IIS. Plus, WebDAV is not enabled by default in Windows 2003. So the real risk here is for web servers running Windows 2000 that don't have WebDAV disabled, or Windows 2003 servers that have WebDAV manually enabled. Bottom line - figure out where you stand with WebDAV and if you can't disable it then you should apply the patch for this vulnerability.
MS04-031: NetDDE Vulnerability. NetDDE is an older application communication technology that has mostly been replaced with DCOM. The NetDDE service is not enabled by default on any system. Therefore, unless you've enabled it (which probably means you need it) then you don't need this patch.
MS04-032: 4-in-1 Update for Kernel, etc. This is a high-priority update. Make sure you apply the update for these vulnerabilities on all workstations ASAP and on your servers during the next maintenance window.
MS04-033: Excel Vulnerability. Not a big deal if you're on the current service pack for your version of Office. You are running the most recent Office service pack, aren't you? If not, I'd suggest you spend your valuable time updating to the current Office service pack instead of only deploying the patch for this update.
MS04-034: Compressed (zipped) Folders Vulnerability. This vulnerability can only be exploited if you unzip a file using the built-in compressed folders utility (i.e. not WinZip). Therefore, if you are careful about your choice of ZIP files you can avoid this update on servers. I'd go ahead and apply it to workstations because you can never be too sure what users are going to do. ;)
MS04-035: SMTP Vulnerability. Another high-priority vulnerability to patch ASAP. Only applies to servers - not workstations. If you have Exchange 2003 servers which route mail to/from the Internet you need to apply this update IMMEDIATELY. If you have an SMTP relay server between your Exchange servers and the Internet you can relax a little bit. However, I'd say any Internet facing Exchange server should be updated on an emergency basis (with or without a maintenance window). This is a bad one!
MS04-036: NNTP Vulnerability. This vulnerability barely makes my "must-patch" list. However, in the rare instance that you are actually running NNTP you could be in for a serious hacking incident if you leave your servers unpatched. I'd still recommend disabling NNTP wherever possible (it's not required unless you're hosting newsgroups - Exchange public folders work fine without NNTP). If NNTP is disabled you can forego the patch for this vulnerability until the next service pack.
MS04-037: Windows Shell Vulnerability. 2-in-1 update. Both vulnerabilities are of the remote code execution family... which means they make my "must-patch" list. The only good news about these vulnerabilities is that they require user interaction to be exploited. And as you know, I give server administrators a lot more credit than the average user... meaning you can probably forego this update on servers and just focus on workstation deployment.
MS04-038: IE Cumulative Update. Always install the latest IE rollup fix. This update is no different. Run, don't walk, and install this on all servers and workstations.

Like I said before--Whew! It's 11:00 and I need my beauty sleep before tomorrow. I hope the descriptions above help you make sense of the October vulnerabilities. As always - your mileage may vary. I'll get the patch recommendation spreadsheet updated as soon as possible. Look for it in the next day or two. Until then, happy testing and patching (you are testing, right?).

2004-10-10T20:41:00.000-05:00

More Information About Verizon BroadbandAccess

Here are three JPG images (free of viruses) which should give you a better idea of the Verizon BroadbandAccess service I blogged about yesterday. First is a picture of the PCMCIA card which I plug into my Compaq laptop. The second image is of the VZAccess Manager software when connected to BroadbandAccess. I was downloading Windows XP SP2 at the time I took this screen shot - check out the speed! The last image is a similar screen shot, but this time I'm connected via NationalAccess - which is the slower cousin to BroadbandAccess. I occasionally hit spots where I can't get BroadbandAccess and am left with NationalAccess instead. NationalAccess is still nothing to laugh about, and provides a respectable 128kbps+ data rate.

2004-10-09T11:37:00.000-05:00

Verizon Wireless Broadband Service

I'm testing a new service from Verizon called BroadbandAccess. The service was just launched in Kansas City last week, and provides mobile data at speeds up to 2Mbit per second (similar to high-speed DSL and cable modem service). BroadbandAccess is the first true 3G technology available in Kansas City. 3G simply refers to 3rd generation wireless service (full definition). More importantly, unlike their competitors who claim to have 3G in Kansas City (cough, Sprint, cough) Verizon is the first to deliver this exciting technology.

While not perfect, the service is quite impressive. I achieve speeds in the 1.5Mbit range quite often - although 500-800kbps is more the norm. Still, this is a big improvement over the 56kbps service I've seen with my Sprint data service. Using this service I can download large document attachments in seconds, not minutes. Another benefit of having high-speed data anywhere in Kansas City is that I no longer need to choose my lunch spots based on who has wireless (802.11b). I often check e-mail and catch up on work over lunch, since my days are usually spent with clients in a billable capacity. The Kansas City airport is also serviced by BroadbandAccess, which means I don't need to pay Sprint $10 to access their hot-spot.

Broadband Access is $80 per month for unlimited service. Expensive? Yes! Bleeding edge? Yes! I'll post a picture of the wireless card and a few screen shots of the client software in a future blog entry. Feel free to post comments if you'd like more information or if you have your own experience to share.

By the way... I'm posting this blog entry from Borders using BroadbandAccess ;)

2004-10-04T20:24:00.000-05:00

Update on Recent Vulnerabilities

If you read my post dated 9.17 you'll undoubtedly notice the critical vulnerability in Microsoft's JPEG implementation. One glaring ommision in Microsoft's response to this vulnerability is their scanning tool... which is an exercise in frustration. It'll tell you you're vulnerable and recommend that you visit Windows Update and Office Update. OK - that's not so bad, right? The problem is that if you run the scanning tool again it will tell you you're still vulnerable - prompting another trip to Windows Update and Office Update. Try this utility from SANS instead. It will scan your system and give you a detailed list of all vulnerable or potentially vulnerable components. You'll need to do a little leg work on your own to figure out which program needs patching - but if you look at the path to the vulnerable component (e.g. c:\program files\Microsoft PictureIT) you can pretty much figure out what program really needs patching. Good luck... you'll need it.

2004-10-04T19:49:00.000-05:00

Microsoft MVP - MSN Client

I am proud to announce my selection as a Microsoft MVP for 2004-2005. This award came as a complete surprise. I will post more information about my MVP award and the MVP program very soon.

2004-09-17T10:13:00.000-05:00

New Microsoft Security Updates

This Tuesday, September 14th, 2004 was Microsoft's monthly "Patch Day". The patches for September are a little confusing at first glance - specifically the one related to JPEG image processing. Hopefully this post will clear up any questions you may have about the JPEG vulnerability and the associated patches.

First off, it's frightening that a JPEG image could introduce malicious code to your system. I can't remember how many times I've said jokingly "You can't get a virus from opening an image". I guess the old "never say never" wisdom holds true here.

Unfortunately, the JPEG vulnerability is not only present in the operating system on Windows XP and 2003, but also in Microsoft applications such as Office, Visio, the .NET Framework, etc. All affected applications must be patched or else the system is still vulnerable. In an effort to ease the administrative burdon of deploying these patches, Microsoft has published an article on how to deploy multiple patches using a batch file. See Microsoft KB article 885885 for more information.

Keep in mind that even though Windows 2000 and XP Service Pack 2 operating systems are not vulnerable -- it is highly likely that those systems are running a vulnerable versio nof Office, the .NET Framework, or Internet Explorer. The easiest way to make sure you are protected is to visit the Windows Update and Office Update web sites and have your system automatically scanned for vulnerable components.

Windows Update
Office Update (then click on Check for Updates)

2004-08-11T16:04:00.000-05:00

Microsoft Security Patches

I am often asked for my recommendations regarding which Microsoft patches to deploy to a given server or network of computers. Having been involved with supporting and troubleshooting Microsoft operating systems for over 10 years, I have developed a conservative approach to applying security updates.

I can remember many times when applying a security patch has actually caused more problems than it solved. Therefore, I only apply security updates if they address a direct threat to a system in the role in which it is operating. For instance, if there is an update released for IIS (Microsoft's web server software) I don't recommend automatically applying this to a file server. Furthermore, if there is a server security update to patch a vulnerability that can only be exploited by opening a malicious e-mail attachment, or by visiting a malicious web site, I do not recommend applying this to servers. The reason being -- servers aren't surf boards! The only web surfing that should occur on a server is an occasional driver download, etc. However, the same update is probably appropriate for desktop PCs since end-users are likely to run into these situations.

So, as you can see, my patching philosophy is a little different than what you may be used to. If you agree with my approach, feel free to download my Microsoft Patch Baseline spreadsheet. This spreadsheet lists my recommended patches for all currently supported Microsoft operating systems. I update this spreadsheet at least once per month, or more often if patches are released out-of-cycle, or if a new threat is discovered in the wild.

2007 and Beyond

2004-07-23T20:23:00.000-05:00

Curious what computing may look like in the year 2007? Microsoft is offering several concept videos of their next operating system, codename "Longhorn", which provide just such a glimpse. Head on over to the Longhorn Development Center and take a peek.

XP Service Pack 2 Demo

2004-07-22T15:48:00.000-05:00

One of my jobs for LRS (my current employer) is to make sure our sales staff stays up-to-date on new product offerings from Microsoft. One such offering, Windows XP Service Pack 2, is about to be released to manufacturing. I created a 10 minute demonstration video for our sales team that I am now making available via my web site. If you are interested in learning more about Windows XP SP2, click the following link. This is a very large file (33+MB) so if you are on a dial-up connection you could be waiting a while ;)

http://www.cgenius.com/downloads/xpsp2overview.wmv

Hey, I can post via e-mail

2004-07-17T22:24:00.000-05:00

I'm excited to announce that I will be posting more often than I have in the past. The biggest reason for this is the fact that I can now post to my blog via e-mail. This makes blogging much more convenient, meaning I can jot down a quick blog post and hit "send" and let Blogger.com do the rest.

Keep your eyes peeled for more posts soon.

-Jeff

2004-01-07T15:10:00.000-06:00

An attendee at one of my presentations made me aware of a little known fact about Microsoft Office documents. Documents edited by multiple people, and documents that are re-purposed from one client to another may contain confidential or unprofessional content that you do not intend to distribute. This information is hidden from most casual users, but is available to anyone who takes the time to look deeper. You can test this yourself by performing the following steps with Microsoft Word:

1. Open Microsoft Word
2. Choose File, Open
3. At the bottom of the Open dialog box, change the Files of Type from All Files to Recover Text from Any File
4. Now find a document that has been edited by multiple people or re-purposed from one client to another and open it
5. Cancel out of any error dialog boxes that appear, then scroll to the end of the document
6. You will see a list of fonts used, some bogus text, internal e-mail addresses, the location of the document on the network, etc.

Note: If the above steps do not work, you may be running a version of Word without support for Recover Text from Any File.

This issue has prevented some users in the legal profession (and possibly others) from adopting Microsoft Word. Until recently the only way to get around this issue was to convert the Word document to Adobe Acrobat or some other form of electronic document. However, today I noticed a new package on the Microsoft download site which promises to solve this issue for users of Microsoft Office XP and Office System 2003. The following link will take you to the download page where you can read more about this phenomenon and download the free update.

http://www.microsoft.com/downloads/details.aspx?familyid=144e54ed-d43e-42ca-bc7b-5446d34e5360&displaylang=en