[There's a reason that Yoda is the unofficial mascot of SBS.  Size indeed matters not.] December 2005 - Posts - THE OFFICIAL BLOG OF THE SBS "DIVA"


We interview Sam the SBS server who's getting ready to celebrate New Year's Eve with his network

Q.  Hi Sam, how's it going!

A.  Not bad. Can't complain, keeping a watch on things here, getting ready to celebrate the New Year.

Q.  So this has been a big year for you hasn't it?

A.  Oh, no kidding.  Two major milestones this year: my Service Pack came out, and now I have my own patches on Microsoft Update that are unique to me.

Q.  That's pretty cool.

A.  No kidding.  In 2006 the next version of SBS 2003, called SBS 2003 R2, is coming out and patching will be built inside of me.  I'm really excited about that.  I can't go into details...but I'm really excited about it.  I'll be able to control and manage the patches on all the machines under my control, so I'll be even better able to protect Samantha the SBS Workstation.

Q.  That's really cool.

A.  And let me bring this up again, last year Samantha and I talked about this and we did some of this..but really not enough at all.

Q.  Enough of what?

A.  "This" meaning where I'm doing a lot more of the managing and protecting of her.  Like, for example... take the bad stuff on the 'net today.  Many of these bad things can be mitigated or lessened if she doesn't have rights over everything she does and runs as a 'regular' user.

Q.  But isn't this hard to do with some of the applications that she is running?

A.  Oh, no kidding, but we have to do this.  Samson, the new Vista operating system, is going to be joining us at the end of 2006 and he's going to help out with this LUA, or restricted-user, approach, but we really have to push our vendors now to do this.

Q.  You really feel strongly about this don't you?

A.  Yes, I do.  People always say that I don't do 'best practices' and this is one area where I can do best practices.  Because my owners are much more agile than big firms, they can get rid of old operating systems and ensure that I have only machines I control, ones that help me stay secure and don't hinder me.

Q.  Edward the Windows 98 machine is really causing issues with you isn't he?

A.  Oh, no kidding, I can't control him at all, he has no sense of security whatsoever and he's really frightening me these days with all the risks he takes.

Q.  So we'll keep this brief as I see you are getting ready for your party...but in closing...

A.  In closing, I'd say that for 2006 I'm making a resolution to get more secure this year.  Better on patching.  Better on Control.  There are a lot of things I can do best practices on...and helping Samantha the SBS workstation be more secure is one I can do.

Q.  Happy New Year Sam!

A.  Happy New Year to all in the SBS communities as well.


...so we're in the car driving to Los Angeles and the radio DJ talks about an upcoming story on radio

"A problem in Microsoft Windows?  Nahhhhhhhh" she says.......

The chatter on SBS listservs today is one of disappointment.  This security issue points out the problem we have down here in SBSland: the "test" problem.  Large firms have the resources to test, to have matching images on the desktops, to try to understand the risk for their firm.  Down here we rely on the guidance we get from official sources.

So the gang is now scratching their heads as to how we went from "DEP works" to "only hardware DEP works".  They are seeing that antivirus and spyware bloggers first brought up the issue that software DEP wasn't working [especially on real-world boxes].

Getting good info is hard....and unfortunately this event just pointed out how hard.


 *I have DEP enabled on my system, does this help mitigate the vulnerability?*
Software based DEP does not mitigate the vulnerability. However, Hardware based DEP may work when enabled: please consult with your hardware manufacturer for more information on how to enable this and whether it can provide mitigation.


http://www.microsoft.com/technet/security/advisory/912840.mspx

....so what am I going to do? Nothin' for now because the office is closed and the machines are off so they are as protected as they can be..... ask me next Tuesday and I'll let you know what my risk tolerance is then.... for now... I'm sitting tight....

------------ 

 Shavlik Provides Workaround For Zero-Day WMF Exploit

On December 28th, Microsoft announced a Security Advisory (912840) for a zero-day exploit that could allow an attacker to execute arbitrary code on a user’s system by hosting a specially crafted Windows Metafile (WMF) image on a malicious Web site. Malicious code on a number of web sites exploited the vulnerability on users’ machines. Microsoft has not issued a patch for this security exploit at this time. Users running a fully patched version of Microsoft Windows are still vulnerable to attack.

For administrators that cannot wait for Microsoft to issue a patch to protect against this vulnerability and need an immediate workaround, Shavlik Technologies has released updated XML files for Shavlik NetChk Protect, its patch and spyware management solution, to help users protect against this attack. Shavlik NetChk Protect allows users to un-register the SHIMGVW.DLL files that enable the malicious code to attack systems on Windows XP and Windows 2003. This is a workaround recommended by the United States Computer Emergency Readiness Team (CERT) as an option for vulnerability protection. Shavlik Technologies cannot validate this as a proper fix. To read more about this vulnerability, visit the CERT web site at http://www.kb.cert.org/vuls/id/181038.

Shavlik Technologies recommends that administrators determine their security needs and implement this workaround only if it offers an acceptable solution to their individual security needs and all risks are understood. By offering this workaround, Shavlik Technologies puts the option for protection in the hands of the administrator. Users should be aware that by un-registering the .dll file, other applications that use this .dll file can break, but this is the only workaround available at this time, as quoted from the advisory.

For Shavlik HFNetChkPro™ users, Shavlik Technologies has developed a workaround to help administrators address this vulnerability. For more information visit Shavlik’s Support Forum at http://forum.shavlik.com/viewtopic.php?t=2731

The Microsoft Security Advisory affects the following operating systems:

  • Windows 2000 SP 4
  • Windows XP
  • Windows Server 2003

More information on the Microsoft Security Advisory can be found on Microsoft’s Web site at: http://www.microsoft.com/technet/security/advisory/912840.mspx.

Users are affected by either navigating to web sites that contain a link to a Windows Metafile that exploits this security vulnerability, or opening an email attachment that exploits this security vulnerability.

When Microsoft releases a patch to protect against this vulnerability, Shavlik NetChk Protect will include this patch and will allow users to re-register the .dll file, returning the system to its previous state.

For further information about this zero-day exploit, visit Shavlik’s Security Center at http://www.shavlik.com.

As I'm on my way to Disneyland for the New year.....

Everyone have a happy and safe New Year!

HA!

See that?

That's a Dell OEM with a Nvidia driver up in the "High Priority" patches.

I do not do video drivers via Microsoft update just because I've had bad personal luck with them... but I never get a video driver up there in high priority on a box that I've flattened...yeah yeah... I know... I should just flatten these guys and start again...you'd think I'd learn...

One of the suggestions I see on many of the security sites is to unregister certain DLLs to ensure that this WMF vulnerability can't be exploited.  Now maybe it's just me...but unregistering DLLs, which breaks image viewing, thumbnails and whatnot... and especially having to worry about re-registering those files and sticking them back in afterward, seems to me a bit drastic.  To me the saner approach is to ...again...use our Risk Analysis view....

Which machines in my office are most at risk.... uh... honestly?  Mine.  But to give extra protection to everyone in the office...what's an easy protection mechanism that I can put in place on my network?

Steps I've already done...block files at the mail gateway ....block image types at the firewall.....

Okay so what else can I do on my machine.... Enable DEP protection for all programs.  Viruslist says that DEP is marginally effective and doesn't work if you have image viewers like Irfanview.  Yo.  Folks.  Irfanview is a known image program in the forensic biz that can view ANYTHING.  I don't define it as the 'viewer of choice for many'.  Geeks maybe.  But my Mom and Dad?  No.

Do I have it on any other machine except for mine?  Nope.  Does it appear that enabling DEP for all programs is effective for mere mortals that have normal software at this time?  Yes.  Can DEP be enabled without major impact?  You bet your bippy.  Working just fine here and so I'm thinking...why the heck am I leaving it at the default?

P.S. Knowing my luck I'll probably find out that bippy means something obscene....

Since we're in paranoid mode today...did you catch this statement in that NPR article?  "They can prepare to work from home, in case it becomes hazardous to be in contact with other people. "

Guess what we have inside every SBS 2003 box that is married with XP SP2 workstations?  The ability to easily work from home.  Remote Web Workplace is truly the killer app of SBS 2003.  Dave even said that his boss is making his employees mandatorily work from home one day in the future, to test that all their technology needs at home are addressed before they are required to do something like this [even if it's not due to something like sickness or whatever].  His boss just wants them to 'test' it before it's needed for real.

As many have pointed out ...the instructions for blocking 'just' the WMF extension won't protect me if the threat vector comes in via renamed files.... but I think folks are missing the point here.  NPR the other morning had a news report on the communication regarding the potential for a Bird Flu Pandemic.  They discussed how there's a fine line between communication and 'freaking someone out'.  And they said that when a person gets communication that helps them act on something, so that they feel part of the solution, that person feels calmer.

I think this occurs in security communication as well.....that's exactly what's going on here...there's a psychological effect of "me" taking proactive measures to block what I know I can easily block at the border.

"Lanard and Sandman say risk communicators must walk a tightrope. On one side is the risk of promoting irrational fear. On the other side is irrational complacency. The goal is to instill appropriate fear that gets people to take appropriate precautions.

Lanard says accomplishing this means presenting information that is accurate, complete, and often frightening.

"Good information should increase the level of fear in people that haven't been thinking about it at all," she says. "It should decrease the level of fear in people who are over-imagining how bad it could be."

Sandman and Lanard say that in the short run, individuals can do far more than the government to protect themselves.

For example, he says, people can keep extra food in case a pandemic disrupts distribution systems. They can prepare to work from home, in case it becomes hazardous to be in contact with other people. They can learn proper hand washing techniques to keep from spreading the virus.

And Sandman says there's another reason for the government to involve the public in any bird flu preparations.

"Everything that's known about the psychology of fear tells us that people can tolerate more fear if there is something for them to do," he says. "So it's not just inaccurate for the government to imply that the government will take care of it. It's not only getting in the way of the public's beginning to take preparedness more seriously. It's getting in the way of the public's ability to endure the threat of the pandemic itself.""

...see the correlation between Pandemic communication and Security communication here?  So give me something to do...even as stupid as building a block for WMF files and I won't feel as scared.  Give me a role and I feel like I'm helping.  Make me feel dependent on things I can't control and I do freak out.

Communicate with me...give me something to do....and I feel better.

Okay so even before I blocked the WMF's via ISA server so that they are blocked while surfing...the first thing I did [because I knew easily how to do this] was to go into my antivirus program that protects my Exchange server and add WMF file extensions to be blocked at the server [in fact why do I need them anyway... I think I'll leave the setting exactly like that from now on]

So on my Trend Exchange a/v it looks like this:

So what if you were insane, stupid, or too cheap to buy an antivirus that covers your Exchange server?  And boy, you have to be all three these days not to get an antivirus suite that does this....but say you were... what else could you EASILY do on your SBS box to block those kinds of files....

If you've never done this before... you rerun the "Connect to Internet Wizard" to add file type blocking at the server...remember it looks like this:

Click on "add" to add the WMF file blocking:

And click OK...but what if you already did that and you don't want to rerun the wizard?

No problem... just follow this prior post...but here's a trick I found... Nathan said to right mouse click and click on "edit" but on my newly pristine server... I had no edit and Notepad sucked as an XML editor.  So I brought it over to my workstation where I have FrontPage, right mouse clicked on Edit, opened it in FrontPage, clicked on "Reformat XML"

And edited the page in a much more user friendly format

<Attachment Enabled="True" Extension="wmf" Description="WMF Zero Day"/> which looks like this

Remember these are kinda like those backwards group policy settings where "True" is a good thing.... so when we get all done, I saved the file on my workstation and then stuck it back up on the server and it looks like this:

My resulting XML file.... is copied below:

===============================

<?xml version="1.0" encoding="utf-8" ?>

<SecAttsConfig>
    <Enabled>True</Enabled>
    <SaveToFile Enabled="False" Location=""/>
    <UnsafeAttachments>
        <Attachment Enabled="True" Extension="ade" Description="Microsoft Access project extension"/>
        <Attachment Enabled="True" Extension="adp" Description="Microsoft Access project"/>
        <Attachment Enabled="True" Extension="app" Description="FoxPro generated application"/>
        <Attachment Enabled="True" Extension="bas" Description="Microsoft Visual Basic class module"/>
        <Attachment Enabled="True" Extension="bat" Description="Batch file"/>
        <Attachment Enabled="True" Extension="chm" Description="Compiled HTML Help file"/>
        <Attachment Enabled="True" Extension="cmd" Description="Microsoft Windows NT Command script"/>
        <Attachment Enabled="True" Extension="com" Description="Microsoft MS-DOS program"/>
        <Attachment Enabled="True" Extension="cpl" Description="Control Panel extension"/>
        <Attachment Enabled="True" Extension="crt" Description="Security certificate"/>
        <Attachment Enabled="True" Extension="csh" Description="Unix shell script"/>
        <Attachment Enabled="True" Extension="exe" Description="Program"/>
        <Attachment Enabled="True" Extension="fxp" Description="FoxPro file"/>
        <Attachment Enabled="True" Extension="hlp" Description="Help file"/>
        <Attachment Enabled="True" Extension="hta" Description="HTML program"/>
        <Attachment Enabled="True" Extension="inf" Description="Setup Information"/>
        <Attachment Enabled="True" Extension="ins" Description="Internet Naming Service"/>
        <Attachment Enabled="True" Extension="isp" Description="Internet Communication settings"/>
        <Attachment Enabled="True" Extension="js" Description="JScript file"/>
        <Attachment Enabled="True" Extension="jse" Description="Jscript Encoded Script file"/>
        <Attachment Enabled="True" Extension="ksh" Description="Unix shell script"/>
        <Attachment Enabled="True" Extension="lnk" Description="Shortcut"/>
        <Attachment Enabled="True" Extension="mda" Description="Microsoft Access add-in program"/>
        <Attachment Enabled="True" Extension="mdb" Description="Microsoft Access program"/>
        <Attachment Enabled="True" Extension="mde" Description="Microsoft Access MDE database"/>
        <Attachment Enabled="True" Extension="mdt" Description="Microsoft Access add-in data"/>
        <Attachment Enabled="True" Extension="mdw" Description="Microsoft Access workgroup information"/>
        <Attachment Enabled="True" Extension="mdz" Description="Microsoft Access wizard program"/>
        <Attachment Enabled="True" Extension="msc" Description="Microsoft Common Console document"/>
        <Attachment Enabled="True" Extension="msi" Description="Microsoft Windows Installer package"/>
        <Attachment Enabled="True" Extension="msp" Description="Microsoft Windows Installer patch"/>
        <Attachment Enabled="True" Extension="mst" Description="Microsoft Windows Installer transform; Microsoft Visual Test source file"/>
        <Attachment Enabled="True" Extension="ops" Description="FoxPro file"/>
        <Attachment Enabled="True" Extension="pcd" Description="Photo CD image; Microsoft Visual compiled script"/>
        <Attachment Enabled="True" Extension="pif" Description="Shortcut to MS-DOS program"/>
        <Attachment Enabled="True" Extension="prf" Description="Microsoft Outlook profile settings"/>
        <Attachment Enabled="True" Extension="prg" Description="FoxPro program source file"/>
        <Attachment Enabled="True" Extension="reg" Description="Registration entries"/>
        <Attachment Enabled="True" Extension="scf" Description="Windows Explorer command"/>
        <Attachment Enabled="True" Extension="scr" Description="Screen saver"/>
        <Attachment Enabled="True" Extension="sct" Description="Windows Script Component"/>
        <Attachment Enabled="True" Extension="shb" Description="Shell Scrap object"/>
        <Attachment Enabled="True" Extension="shs" Description="Shell Scrap object"/>
        <Attachment Enabled="True" Extension="url" Description="Internet shortcut"/>
        <Attachment Enabled="True" Extension="vb" Description="VBScript file"/>
        <Attachment Enabled="True" Extension="vbe" Description="VBScript Encoded script file"/>
        <Attachment Enabled="True" Extension="vbs" Description="VBScript file"/>
        <Attachment Enabled="True" Extension="wsc" Description="Windows Script Component"/>
        <Attachment Enabled="True" Extension="wsf" Description="Windows Script file"/>
        <Attachment Enabled="True" Extension="wsh" Description="Windows Script Host Settings file"/>
        <Attachment Enabled="True" Extension="xsl" Description="XML file that can contain script"/>
        <Attachment Enabled="True" Extension="wmf" Description="WMF Zero Day"/>
    </UnsafeAttachments>
</SecAttsConfig>
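An added example, not from this post or from the SBS tooling: a small Python script that works with the SecAttsConfig format shown above (adds or re-enables the wmf entry idempotently, honouring the backwards "True means blocked" convention, and lists what the filter will strip) and, because an extension rule cannot see a renamed file, also checks the attachment bytes for a WMF header. The config text, file names and attachment bytes are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed, cut-down copy of the SecAttsConfig format from the post.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8" ?>
<SecAttsConfig>
    <Enabled>True</Enabled>
    <SaveToFile Enabled="False" Location=""/>
    <UnsafeAttachments>
        <Attachment Enabled="True" Extension="exe" Description="Program"/>
        <Attachment Enabled="False" Extension="zip" Description="Switched off for this example"/>
    </UnsafeAttachments>
</SecAttsConfig>
"""

XML_DECL = '<?xml version="1.0" encoding="utf-8" ?>\n'


def block_extension(xml_text, ext, description):
    """Return the config with `ext` blocked.  Idempotent: an existing entry is
    flipped to Enabled="True" (which, as the post notes, means *blocked*)
    instead of being duplicated."""
    root = ET.fromstring(xml_text)
    unsafe = root.find("UnsafeAttachments")
    ext = ext.lower().lstrip(".")
    for att in unsafe.findall("Attachment"):
        if att.get("Extension", "").lower() == ext:
            att.set("Enabled", "True")
            break
    else:
        ET.SubElement(unsafe, "Attachment", Enabled="True",
                      Extension=ext, Description=description)
    return XML_DECL + ET.tostring(root, encoding="unicode")


def blocked_extensions(xml_text):
    """Set of extensions the filter will strip, honouring the global <Enabled> switch."""
    root = ET.fromstring(xml_text)
    if root.findtext("Enabled", "").strip().lower() != "true":
        return set()
    return {att.get("Extension", "").lower()
            for att in root.iter("Attachment")
            if att.get("Enabled", "").lower() == "true"}


def is_blocked_by_extension(xml_text, filename):
    """What the server-side rule can see: only the file name's last extension."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in blocked_extensions(xml_text)


# Placeable (Aldus) WMF files begin with the 32-bit key 0x9AC6CDD7, little-endian.
PLACEABLE_WMF_KEY = b"\xd7\xcd\xc6\x9a"


def looks_like_wmf(data):
    """Content check that ignores the file name: placeable header key, or a
    standard 18-byte METAHEADER (type 1 or 2, header size 9 words, version 0x100/0x300)."""
    if data.startswith(PLACEABLE_WMF_KEY):
        return True
    if len(data) < 18:
        return False
    mt_type = int.from_bytes(data[0:2], "little")
    mt_header_size = int.from_bytes(data[2:4], "little")
    mt_version = int.from_bytes(data[4:6], "little")
    return mt_type in (1, 2) and mt_header_size == 9 and mt_version in (0x0100, 0x0300)


def classify_attachment(xml_text, filename, data):
    """'blocked' if the extension rule catches it, 'renamed-wmf' if only the
    content check does (the gap the post mentions), else 'allowed'."""
    if is_blocked_by_extension(xml_text, filename):
        return "blocked"
    if looks_like_wmf(data):
        return "renamed-wmf"
    return "allowed"


if __name__ == "__main__":
    cfg = block_extension(SAMPLE_CONFIG, "wmf", "WMF Zero Day")
    print(sorted(blocked_extensions(cfg)))
    # Constructed samples: a placeable WMF, the same bytes renamed, and a PNG.
    wmf_bytes = PLACEABLE_WMF_KEY + b"\x00" * 20
    for name, data in [("card.wmf", wmf_bytes), ("card.jpg", wmf_bytes),
                       ("card.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 20)]:
        print(name, classify_attachment(cfg, name, data))
```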

So.... let's see..... we have a Zero Day WMF exploit nailing even fellow MVPs .... websites that nail you with malware so bad you have to flatten and rebuild....where merely visiting the web site..no clicking.... will nail you.... and Trend [and most a/v companies] has the definition for this in their 'beta' def but not their released one....so what's a gal to do?

So I already blocked WMFs in email in the Trend Antivirus

  • I don't want to pull down a beta def file
  • I'm not sure I want to unregister a dll.......shimgvw.dll
  • So how about looking at what my ISA server can do 'eh?

Jesper's Blog : Blocking certain extensions in ISA server:
http://blogs.technet.com/jesper_johansson/archive/2005/12/28/416565.aspx

Very cool huh! And how about we block those wmf's via ISA server.

So we go into the ISA management console..and we access the SBS Internet Access Rule [on mine this is rule 23]

  • Click on Protocols
  • click on Filtering
  • Click on configure http
  • Click on Extensions
  • Choose "Block Specified Extensions and allow all others" and then put in the list you want to block
  • Click "add" and put in wmf.

Click OK, click Apply and now when I go to the test page... voila...the image doesn't show up.

Is this cool or what?  Now I feel a lot better since Trend hasn't updated yet.

Peter reminds us that on 12/31/2005 SBS 4.5 is DEAD and is no longer supported as an operating system.

http://www.microsoft.com/lifecycle

Rest in Peace SBS 4.5.

Rock on SBS 2003!

On the security listservs, there's discussion of an image vulnerability that uses WMF files to inject malware... and one of the posters had a line about it that had me laughing ... "a good bug wasted on a malware site".

This bug [for which, at this time, there is no patch] is discussed at:

http://www.f-secure.com/weblog/archives/archive-122005.html#00000752
http://isc.sans.org/diary.php?storyid=972
http://www.heise.de/newsticker/meldung/67794

And as reported by Andreas Marx, some A/V companies are already creating signatures for this.....

AntiVir TR/Dldr.WMF.Small
Dr Web Exploit.MS05-053
F-Secure Exploit.Win32.Agent.r
Fortinet W32/WMF-exploit
Kaspersky Exploit.Win32.Agent.r
McAfee (BETA) Exploit-WMF trojan
Symantec (BETA) Download.Trojan

If you enable DEP to cover all programs the WMF exploit attempt will result in a warning as per www.incidents.org but folks are recommending a blended protection:

  • Using up to date antivirus
  • Enabling DEP
  • Teaching users not to click on suspicious links
  • Blocking wmf files at the border

So remember my Kerberos Errors post the other day?  J.P. posted back with the final resolution to the last remaining Kerberos errors he was getting.....and sure 'nuff... HP printer toolbox software... I'm blogging his resolution here for the next person who ends up with Kerberos errors all over their log files when time sync isn't the resolution....

Well, plugging right along, I eliminated the other three remaining Kerberos errors on login.  They were caused by (you guessed it), HP monitoring "Toolbox" software.

With some trial and error on the client end with MSConfig I was able to narrow it down to the HP Toolbox printer monitoring software.  In researching the Toolbox software and its known issues, I came across an article describing the exact setup.  SBS Premium, XP SP2 workstations, Kerberos errors with firewall on, none with it off, HP printer on a workstation and shared.

The fix was to go to a command prompt, navigate to c:\windows\system32 (or the default system32 folder for your OS) and then enter the following command "hpbpro.exe -regserver" (without the quotes) and if you still have the errors follow the same process except use the command "hpbpro.exe -service"

Okay so you wanna do a temporary "anything out the door in ISA 2004"?  Just so you can see if something works, or temporarily allow something out and you'll figure it out later?

No prob....just go to the Firewall Policy in the ISA console and then the SBS Internet access rule and add "All Users" in addition to the "SBS Internet Users" and click okay and then "Apply" at the top.... now anything inside will go outside.....

To undo it just take out all users and you are back to the normal SBS default rule set/setup.

Two follow ups...

ONE - this is TEMPORARY and I'll whack you upside the head with my 2x4 if you leave it permanently...now with the ISA monitoring ...man there is NO NEED for you to leave this like this... as you can tell what is being blocked.....

TWO - Obiwan had a great idea to build another rule set and leave it disabled and just 'enable' it when you needed to rather than messing with [and possibly screwing up] an existing rule.

...free subscription, US only [sorry about that, check out www.technetmagsubs.com/zout], and on the cover is the ad for an article inside that says "Security Alert:  Disable your admin account" and I first thought...okay.... who's come up with that idea.... because if you do that on an SBS box you'll find that when you apply Service Pack 1 the SBS part of the install won't work....

...so I flip to page 75 and .... oh...it's him.

Given that he's now an honorary SBSer, I guess I'll cut him some slack now.

:-)

...so we ask around the communities that I hang in and the consensus comes back that while 2005 was a good year for the admin and business crowd, it was not for the home front.  Just today a client brings in a computer that I needed to post some journal entries to the accounting program on, and she says "it does some wacko stuff when I go on the Internet" [she's on dial up] and I notice that she's got XP SP2 waiting down in the system tray to be loaded up.  Knowing that XP SP2 doesn't like malware on the box 'before' installing it, I attach it to an external access to our DSL and plug in the RJ45.

The second it has a tcp/ip connection and I launch IE is when the fun starts.  I first install the MVP hosts file to get it to a state where I can even work with the system as IE freezes up too much without that.  Then I boot into safe mode and use Counterspy, Microsoft Antispyware, Windows Safety live and Trend's Housecall, and each one finds a new little critter that the other one didn't find.

I boot into normal mode and now the popups have stopped and the machine appears ready enough for the XP SP2 application.... I also notice that this box, which had the firm's accounting application on it, also had AOL's IM program, pretty obviously used by a teenager, and it reminds me of the cardinal rule of mixing "business with pleasure":

Buy a computer for your teenager and have them screw that machine up.

In the home office security checklist...it makes this clear but doesn't stress this enough...

"Don't let children use your business computer without your supervision. Ideally, you should not allow your children to use your home office computer. If your computer needs to serve both your business and family, be sure to supervise your children whenever they use it."

I would say don't let them use it period...buy a new computer....don't let them near the one you use for business or the office.

Matt talks about an experience I've noticed as well... you get to an airport and you say "Hey, free wifi, that's so cool!" and then you realize that some ports are blocked and you can't do all the things you wanted to do in the time your plane is held over.  It gets back to that net neutrality thing again, where the pipe you log on to should allow you to do what you want to do.

I always carry my Cingular Wireless card for the PC so that no matter where I'm at, if it can get cell phone connection, I can get online...and if I'm at a place without cell phone coverage...man that is roughing it way too much for my level of comfort.

...so I'm calling product activation because I'm doing a migration from an old wheezy computer to my new HP here at home and I love it when I have to explain, first to the Product Activation people and then to the Licensing number ( 888-352-7140 ) people, that yes, SBS requires activation, and no, I'm not calling about Windows XP.

...there are times that embracing the "spots" ... i.e. the differences of SBS... is very rewarding ...as in the Remote Web Workplace that we have that no one else has.... and then there are times when you have to point out to Microsoft employees themselves, that no, we're SBS... we're different...every version of SBS needs activation...yes, even if it's Action Pack or MSDN or Volume License.... that the spots get just a smidge frustrating.

A post in the newsgroup today reminds me of something I saw after the application of Service Pack 1 on my server.... I had this insane number of Kerberos errors in the log file of the server, but not on the workstation.  So I looked at what was on that workstation that was 'different' than the other workstations and there were three things.....

  1. Extra NIC helper software over and above the standard NIC software [management software]
  2. HP printer software that loaded up an apache monitoring web app.
  3. Outlook BCM [and I don't use BCM] that came from the OEM image

Bottom line: I ripped out all three pieces of software that were unique to this platform and it shut up.  Now my strong guess is that it was the NIC management helper software, but it points out that the more I standardize, the easier it is to troubleshoot.

Watching a show on Cspan today reminds me that technology has allowed us a lot of opportunity.  Having the ability ....for even a small firm.... to be a flexible employer means that you can be more responsive to keeping and retaining employees.  The fact that with a relatively small dollar investment even small firms can have [and I would argue easier] remote connectivity than big firms means that we as small firms are tons more flexible and responsive.

When you set up remote connectivity, much of it is based on policy.  It's cheap to ensure that you have a business machine to remote into the office as well as a "teenager" machine.  Or how about upgrading the computers at the office and then 'handing down' the old computers from the office to the home workers. 

When you think about it, making sure that your customers and clients who are still on a peer network understand the flexibility of a network built for mobility means that client is much more ready for keeping and retaining employees.
