Lee Desmond

Site Home Background Contributions Tech Tips Events motd / blogs Feedback

             Please pay my updated blog a visit for the most current stuff (25 Nov 2006).

Below is a potpourri of OnE (Odds & Ends) from in-depth knowledge, field interactions, exchanges and practical experiences, available categories currently (more to come ...):

Microsoft

Sygate Enterprise

Others

---

Microsoft

[Security Windows] 20051029 Missing Network Drive

If you are still using legacy method (user specific) to map user home network folder such as the following in an Active Directory 200x environment ...



... be aware that the "TCP/IP NetBIOS Helper" NT service must be started on the Windows client machine ("Server" NT Service can be set to manual) ...



... otherwise the mapped drive letter will mysteriously disappear (without any clues as to where and why).



[Security WSUS] 20050820 A Question of Schedule

In a Group Policy Object (GPO) under Computer Configuration > Administrative Templates > Windows Components > Windows Update, the "Configure Automatic Updates" option can be enabled as shown:



WSUS provides a new deadline option to override the client settings configured in a GPO. Here, 25 Aug 2005 is a Friday:



The illustrations depict date and time for both settings to be similar. Tests revealed that WSUS and Automatic Update (AU) client will be confused by the settings, which essential are the same (at least for that one day). The end result is that patches will not be rolled out at all, regardless of how long a client waits for the approved patches. To fix this, change the deadline date and time to a future schedule or fall back to "Use client settings to determine update installation time".

This remedy action may cause other strange phenomenon to show. Certain Windows systems, in particular Win 2000, will forever show either "Needed" or "Reboot required". This is despite the fact that the patch has been successfully installed and machine auto-started (with option 4 for automatic updating). It is worthwhile to mention that the latest Win Installer and BITS + WinHTTP combo were previously installed on these systems. If the administrator immediately runs a check against update.microsoft.com, the affected patch is not offered, indicating that it is not needed (already installed). Add/Remove Programs verifies this as well.





As a result of the checks, these odd reports can be safely ignored. Nevertheless, change management logs should be updated to avoid future confusion on status of affected patches. Of course the best way is to stay away from setting the schedules (within GPO and WSUS) to collide in the first place. A bug perhaps, or just an undocumented feature?



[Security WSUS] 20050815 Win Installer 3.1 (v2), BITS 2.0 + WinHTTP 5.1 and WSUS

Windows machines (Win 200x, XP) configured as WSUS clients (using Automatic Update service) will be identified as required to have the following installed ...
• Windows Installer 3.1 (v2) is available (KB893803)
• Update for Background Intelligent Transfer Service (BITS) 2.0 and WinHTTP 5.1 (KB842773)
... failing which patch update may not work properly or efficiently.

Note that Windows Installer 3.1 is already included with Win Server 2003 SP1.



[Security AD] 20050721 Security Active Directory - Server Operators Group Limitations

From KB 125782:
[quote]

If you want the pseudo-administrators to have limited administrative capabilities on the domain servers, add them to the Server Operators group on a server in the domain. This allows them to shut down the server, share and stop sharing directories, and backup and restore files. It does not allow them to change any user attributes, add drivers, or take ownership of files.
[unquote]

In an Active Directory 200x domain environment, there are several administrative tasks that a member of the 'Server Operators' security principal cannot perform using native MS tools on a local (branch office) Domain Controller. Most are not immediately obvious or documented by MS. A few are listed below:
• System State cannot be backup using the BackUp applet (option not available)
• 'Access Denied' - chkdsk, Security Event Log, Disk Management, Disk Defragmenter, AT Scheduler*
• security patch management e.g. windowsupdate.microsoft.com
• read-only access to NTFS file structure (i.e. cannot adjust file / folder permissions)
• no RDP remote access or log on locally rights to Domain Controllers (default setup)

Organizations that have a common, single AD domain supported by multiple Domain Controllers in different branch offices and operated by diverse local IT (non-AD) teams will be affected the most. Technically speaking, there is no local Administrator account residing on a Win 200x based Domain Controller (DC) running Active Directory. To be able to conduct operational tasks, including some listed previously, administrative rights / permissions need to be assigned. The only way to enable this on a DC is to include accounts (from different IT teams) in the 'Domain Admins' security group.

If permitted, a huge security risk will undoubtedly trigger immediately. Such accounts will have automatic and transparent access to other (non-local) DCs located elsewhere within the enterprise, straight away breaking the "segregation of duties" security model. It also goes against the best practice of limiting the number of trusted accounts that should be maintained in the highly sensitive 'Domain Admins' security group. How can control be guaranteed under such circumstances? Sarbanes-Oxley, HIPAA, Basel II, etc. - anyone?

Should a locally applied security patch on a DC introduce replication errors, this will propagate throughout the AD replication domain. "Roles & Responsibilities" will be in conflict since the cause may not be easily identified, leading to inconsistent and non-standard implementations, particularly when no formal process exists describing how such tasks (and incidents) should be managed. Who should then assume the task of problem resolution? Time will invariably be wasted on cleaning-up and fixing an incident which could be easily prevented in the first place!

Having a dedicated AD team responsible for the global AD service is one possible approach. This can help prevent most of the issues discussed, while maintaining standards, compliance and adherence to industry best practices, supported by a framework of well defined policies, processes and clear roles and responsibilities definitions. Otherwise, IT management is the only body that ultimately must bear all risks and consequences if security is allowed to lapse by mere oversight or pure ignorance.

Today, AD is already a key pillar in many organizations' core infrastructure worldwide and therefore should never be taken lightly.

* workaround described in Win 2000 Resource Kits "Allow server operators to schedule tasks (domain controllers only)".



[Security Windows] 20050718 Microsoft Malicious Software Removal Tool - Availability and Supported Platforms

This free MS tool is updated on the second Tuesday of each month at the same time as "Patch Tuesday" for MS security bulletins. Even if the latter has no updates, MS may still update the tool with new detection signatures and cleaning instructions.

It offers a one-stop shop approach to detect and fix a potentially infected machine. This is based on a predefined list according to prevalence and threat levels as established by MS.

Execution of the tool can be carried out by a user with local machine administrative rights directly on-line (prerequisite IE and ActiveX), as part of XP's Automatic Update process or off-line (KB890830). Results of the scan are logged in %windir%\debug\mrt.log.

The tool runs only on Win Server 2003, XP and 2000. Legacy platforms such as NT 4.0, Windows ME and 9x are not supported. Note that the current version does not support remote scanning.

Unfortunately, corporates that deploy Software Update Services (SUS) or the newer Windows Software Update Services (WSUS) will not be able to use them to roll-out the tool either. Nevertheless, MS SMS (Systems Management Server) or Active Directory Group Policy Login Script are two options available to use this tool to perform automatic regular scans on the network.



[Virtual PC 2004] 20050716 "Hang" after Resume from Hibernation

KB 889677 describes a PSS supported hotfix that addresses this issue, which can manifest itself easily if Virtual Machines (VM) are still running when the host machine hibernates then resumes. Symptoms range from unresponsive mouse and keyboard actions. To avoid this from happening, ensure a constant power supply feed is always available or disable hibernation altogether.



[MOM2005 OnE] 20050622 SQL Server 2000 + SP4 = MOM 2005 not happy

MOM 2005 can be configured with SQL Server 2000 as the database repository, where the latter must be installed with SP3a or above (according to documentation). If SP4 is used, MOM 2005 will refuse to start the installation process, stating "Failure" is caused by SQL Server 2000 (SP4). One workaround is to uninstall SP4 and put SP3a instead.

[VirtualPC OnE] 20050501 Virtual PC 2004 Slow Startup or Sign-in (all MOC courses)

If waiting for minutes (or even hours) to get to the sign-in page (Ctrl-Alt-Del) keeps happening, changing the network properties of each virtual machine to NAT prior to starting will speed things up tremendously.

[SharePoint OnE] 20050420 Windows SharePoint Services (SPS) 2.0 Download

SPS is a free, separate download (STSV2.exe) for installation on W2k3. Installation considerations include NTFS partition, Web server (IIS 6.0 worker process isolation mode), ASP.NET, WMSDE or SQL Server 2000, etc.. Some guidebooks may not provide installation instructions. To get started, look for "Windows SharePoint Services Administrator's Guide" on the SPS home page.

To specify a destination folder for installation, click Cancel after STSV2.EXE extraction completes and setup has just started. Use the syntax:
"%ProgramFiles%\STS2Setup_1033\setupsts.exe" /datadir="D:\program files\STS2Setup_1033\"
(where D: = target drive, 1033 = US English, the last backslash \ is important)


[Security Windows] 20050415 Win Server 2003 SP1 Application Compatibilty List

Check out KB 896367 for potential application compatibility issues with W2k3 SP1. An example list includes Exchange 2003, Citrix XPe FR3, VMWare GSX Server, ISA 2004, Oracle, SAP, Compaq Insight Manager, etc.

[Security Windows] 20050412 Win XP SP2 "D-day"

Beginning on this date, MS will push out SP2 if Win XP is still not up to this SP level, regardless of the registry fix MS provided previously.

For corporate environments using Active Directory Group Policy and Software Update Services (SUS), rollout can be tightly controlled until the organization is ready. Home/SOHO users can regain control by disabling "Automatic Update" (not recommended) or set to "Notify me before update and notify before installation". Download and/or installation can then be personally scrutinized via the Custom install (not Typical) option.

[Security Windows] 20050401 Win Server 2003 SP1: Security Configuration Wizard (SCW)

SCW is not installed by default after successful installation of W2k3 SP1. Use the desktop link provided or Add/Remove Programs > Windows Components to install.

[Windows OnE] 20050331 Win Server 2003 SP1: Missing Windows Explorer Status Bar

After installing W2k3 SP1, the status bar in Windows Explorer will disappear if it was turned on previously. Manually setting it again will fix the issue.

[Windows Scripting] 20040830 OS Language code

[HKLM\SYSTEM\CurrentControlSet\Control\Nls\Language] is one reliable way to check for the (4 digit) language ID or code installed on a Windows platform (Win 2000 and above). See KB 246664 for more information.

Value name and data: "Default" = 040c (France French), 0409 (US English), 0407 (Germany German), etc.
Value name and data: "InstallLanguage" = same or different as "Default"


[Security Windows] 20040618 Delegated permissions are not available and inheritance is automatically disabled

Installation of SP4 or hotfix KB 327825 on Win 2000 will cause previously delegated permissions on an OU to be removed silently. Win Server 2003 is also affected. See KB 817433 for more info.

[Security ISA] 20030424 ISA Server 2000 on Win Server 2003

ISA Server 2000 SP1 and "Required Updates for Windows Server 2003" must be applied in order to run properly on Win Server 2003 (except Web Edition). See this and KB 331062.

---

Sygate Enterprise

[Bug Sygate] 20050827 SSA 4.1 Does Not Download IDS/IPS from SSE 3.x

IDS/IPS signatures updated on a SSE 3.5 backend will not be automatically downloaded by SSA 4.1 clients, a known bug acknowledged by Enterprise Support. Manually replacing sdi.dat and trojan.dat is one way to resolve this issue. Contact Enterprise Support for other possible workaround.

[Security Sygate] 20050716 Multiple or Duplicate Entities in SMS Machine Groups (SSE 3.x/4.x)

As early as Apr 2005, Sygate Enterprise Support was aware of a strange problem affecting SSE 3.x. SMS machine groups may be populated with machines that are not designated for a particular group. In several cases, a machine can appear more than once in the same (but wrong) SMS machine group, all indicating a "live" connection with the green dot indicator. Even if these 'stray' machines were to be manually transported back to the correct groups, it can re-occur at random to the same or different machines.

Enterprise Support only recently acknowledged other identical cases which affect SSE 4.x as well. Accordingly, a fix is provided in SSE 4.1 MR1 but a patch may not be available separately. Contact Enterprise Support for more information.

[Security Sygate] 20050711 Handling IDS/IPS Library Updates (SSE 3.x/4.x)

Sygate Management Server does not have a built-in roll-back feature to manage IDS/IPS signatures. This means that if the new IDS/IPS library causes any issues, the only remedy is to re-import a previously backup and working copy of the database. Alternatively, the new signatures can be selectively disabled to help mitigate the situation. Contact Enterprise Support for the import / export scripts.

[Security Sygate] 20050522 SSA Crashes under Extremely Low Disk Space Conditions

SSA will attempt to continue logging (syslog.log, seclog.log, etc. depending on settings) even if free disk space is critically low, eventually crashing and leaving the OS unstable and exposed.

Some symptoms: smc.exe may appear to be active (Task Manager); SSA icon at system tray disappeared (may need to move mouse pointer over); Services applet indicates that the 'Sygate Security Agent' services is started. Crash of smc.exe is captured in the Event Log.

If "Policies > Advanced Settings > Block All Traffic While Agent is not running" in SMS is not enabled, the machine is fully exposed and vulnerable to attacks.

A Personal Firewall is a vital defense component in today's highly interconnected world. It should continue to function and not simply crash (poor design), perhaps temporary halt logging under such critical conditions (and resume when conditions improve), while still protecting the machine.

Enterprise Support acknowledged that this is an issue (potentially affecting all SSA versions). A feature request has been filed. However, whether this will make it to the next major SMS release (coming real soon) or SSA rebuilds is still an open question.

[Security Sygate] SSA 4.x and SSE 5.x (SSE 2005)

Sources revealed that present SSA versions (4.x and 3.x) are not expected to be compatible with the next generation of SSE products. Server (SSE 3.x/4.x) and client upgrades are foreseen.

[Security Sygate] 20050415 Win Server 2003 SP1 Compatibility (SSE 4.x)

SSE 4.1 and agents have not yet undergone full QA qualification on W2k3 SP1. No known field problems have been reported.

[Security Alert] 20050411 Sygate Denial of Service (DoS) (SSE 3.x/4.x)

Sygate Security Enterprise (SSE) Denial of Service on the Sygate Security Agent (SSA) versions 3.5, 4.0 and 4.1 in "Server Control" or "Power User" modes. Turn on password protection for SSA export/import function in these modes (not default). Alternatively, upgrade to SSA 3.5 b2580, SSA 4.0 b2715 or SSA 4.1 b2827. More info available here.

[Security Sygate] 20050411 Sygate SSA 4.1 and Win XP SP2 Security Center (SSE 4.x)

SSA 4.1 b2824 is the first build of SSA that is properly recognized by the security center console (SC) in Win XP SP2. SC does not display any details of the monitored services (firewall, automatic updates, anti-virus) in an Active Directory environment, particularly when Windows Firewall is already configured via Group Policy.

[Security Sygate] 20050207 Sygate SSE 4.1 GA available

Announced is the general availability of SSE 4.1 for both Windows and Solaris platform. See the accompanied release notes for features description. SSE 4.0 to 4.1 direct upgrade is supported but 3.x users need to migrate to interim version(s) first. For more information, contact Sygate Enterprise Support.

[Security Sygate] 20040915 NetBIOS Protection (SSE 3.x/4.x)

This feature only works against hosts outside of the local subnet hence is not a reliable means to protect mobile hosts in remote locations. Separate rules targeting NetBIOS in different Sygate "locations" are essential.

[Security Sygate] 20040910 Advanced Settings via-à-vis Locations (SSE 3.x/4.x)

Advanced Settings such as "NetBIOS Protection", "Enable anti-IP spooling" and "Enable portscan detection" can only be configured per Sygate Management Server (SMS) Group level. A Sygate "location" is controlled by such global settings in SSE 3.x and 4.x. More flexible and granular control (i.e. advanced settings at a "location") is expected to be included in SSE 5.x (SSE 2005).

[Security Sygate] 20040830 Non Server-controlled SSA DNS domain Rule support (SSE 3.x/4.x)

SSA in power-user or client-control mode does not have an option to define a rule based on a DNS domain (e.g. blacklist-dns.com), although this feature is configurable on SMS (in server-controlled mode).

[Security Sygate] 20040825 Toggle Windows Firewall in SSA 4.x (SSE 3.x/4.x)

SSE 4.x agents (SSA 4.x builds 2634 retail or higher) already support Win XP SP2. With SSA b2710 and above, it is possible to control the on/off state of the built-in Windows Firewall when smc.exe starts. In setaid.ini, ensure that "DisableWinXPFirewall=1" under "[CUSTOM_SMC_CONFIG]" is set prior to installation or upgrade. Alternatively, create a key "HKLM\Software\Sygate Technologies, Inc.\Sygate Personal Firewall", type D_WORD, "DisableWinXPFirewall" with a value of 1. Reference Sygate TechNote 081604NHCO-01.

[Security Sygate] 20040820 SSA 4.x and SSE 3.x (SSE 3.x/4.x)

Any SSA 4.x can be used against a SSE 3.x backend. New features such as 802.1X (in SSA 4.1) will not be recognized by the older SSE however.

[Security Sygate] 20040820 LAN Enforcer Host Remediation (SSE 3.x/4.x)

SSE through 4.x has canned and basic functionality in the area of extending checks against Windows hosts. English is the only supported language, and core components such as Service Pack levels and Internet Explorer (and its variants) cannot be easily verified, resulting in the wrong patch being pushed out for Host Integrity / Remediation, potentially leading to system crashes or instability. User definable enhanced Boolean logic (AND, OR, NOT) may appear in SSE 5.x (SSE 2005) to address such serious shortcomings.

[Security Sygate] 20040818 Windows Script Host (WSH) has terminated (SSE 3.x/4.x)

Host Integrity / LAN Enforcer component is dependent on WSH to function properly, which in term relies on the Visual Basic and Java Script provided in Internet Explorer. (Re)installation of WSH may be necessary to resolve problems associated with this Sygate functionality (WSH download).

[Bug Sygate] 20040714 Fail to contact server for more than 10 times (SSE 3.x/4.x)

This error will prevent SSA from contacting SSE, causing SSE to not able to propagate new or updated profiles even though SSA still checks back at the predefined heartbeat intervals. There is no built-in option to push changes from SSE (to SSA) nor being notified of clients in this dangerous state for an extended period of time [Note: SSE 2005 may fix this]. Machine reboots typically will bring SSA out of this zombie or hang state.

This phenomenon is due to a very insidious and difficult to track bug. SSA does not accurately interpret values "RefreshSeconds" and "TimeoutSeconds" in sylink.xml above the default of 60. This should be fixed in later SSA builds such as 4.1 b2827. Contact Sygate Enterprise Support for more info.

[Bug Sygate] 20040708 No Wildcards support in Rulesets (SSE 3.x/4.x)

The "?" and "*" characters are useful when a pattern check needs to be enforced. Although they are perfectly legal and actually accepted within a Sygate ruleset, the underlying SMS engine does not interpret this correctly. The end result may cause unexpected problems, including blocking of smc.exe (SSA) and all network traffic (fail close). Check with Sygate Enterprise Support for status.

[Security Sygate] 20040702 IDS/IPS Global Setting - False Positives (SSE 3.x/4.x)

A global setting, IDS/IPS is an all-or-nothing configuration for the entire SSE 3.x/4.x infrastructure. This can lead to severe false positives especially when one relies on the factory default setting of automatic download (and application) of IPS signatures, since there is no means of administrative control to conduct testing at SMS Group level for instance. Expect this to change in SSE 5.x (SSE 2005).

[Security Sygate] 20040604 No Location-based Rulesets (SSE 3.x/4.x)

If rule X is originally defined in location "Office" and is needed in "LAN", the rule must be manually copied to the target. No global Sygate "location" can be defined to allow inheritance (and customization) to take effect like other functional areas within SSE. This may be fixed in SSE 5.x (SSE 2005).

---

Others

[VMWare Workstation] 20050721 VMWare Workstation 5 - Snapshot Feature Unavailable

Pre-VMWare Workstation 5 images must first be power-off and cannot contain any snap-shots to avoid problems with the missing Snapshot features (sub menus dimmed). This is essential to support the new Cloning function. If the GUI does not provide any visible means to gain access, delete or rename the files vmname.vmx.sav, vmname.vmsd and nvram.sav. Any previous snapshots will be discarded and lost though.

Next, upgrade the virtual machine via VM > Upgrade Virtual Machine (caution: one way street!). The Snapshot features will then be fully accessible again. To complete the VM upgrade, power-on the virtual machine then VM > Install VM Tools (restart required).

Always remember to make a backup copy of VMs prior to performing any upgrade.

[Security NAV] 20050531 Norton Anti-Virus Erratic Behavior under Low Disk Conditions

If the drive where Norton Anti-Virus installed on is critically low on disk space, threshold appears to hover about 30 MB, "Auto-Protect" may not be enabled even if the GUI indicated otherwise. If Sygate / Host Integrity check is enabled, it will typically enter the fail state. Furthermore, if "Auto-Location Switching" to a quarantine location is enabled, the rules may prevent legitimate connections from succeeding.

[Security Shavlik] 20050418 HFNetChkPro 5.x

HFNetChkPro 5.x will prompt to uninstall older versions if found on the same computer. Configuration will be preserved though. Among other things, setup requirements include MDAC 2.8, MSJET 4 SP6, MSXML 4 and the .NET Framework 1.1 or later. A functioning internet connection is needed to activate your purchased copy of the product.

[Security Alert] 20050417 Firefox 1.0.3 released

Get it here today (fixes a host of recently discovered security vulnerabilities).

[Security Shavlik] 20050415 HFNetChkPro 4.3.x "httpdnl - No available validations"

HFNEtChkPro 4.3.x may lose its registration information after W2k3 SP1 is applied on an existing installation. Attempts to reregister online will result in this error message. Contact Shavlik support for a fix.

[Security Shavlik] 20050408 HFNetChkPro 5.0.1

Official support for W2k3 SP1 is announced with this HFNetChkPro version per Shavlik newsletter. Check with Shavlik for details.

[Security Symantec] 20040808 Symantec Anti-virus LiveUpdate for non-Administrators

To allow a non-administrator on a Windows machine configured as managed NAV client to have the ability to update AV signatures, the following is needed:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion\PatternManager]
"EnableAllUsers"=dword:00000001