Aug 24 2009

ISSA Journal Article

Published by under architecture,Security

I wrote an article that was published in the ISSA Journal in August 2009. The topic of the post was “De-perimeterized Architectures” and focuses on the Jericho Forum’s work on a next generation architecture that accommodates the fact that the network perimeter is becoming more porous and passing more and more traffic in newer protocols than ever before.

A direct link to the article is here. (Be aware that you need to be a member of ISSA and must log in to the ISSA website to read the article.)


Jun 09 2009

SSH Server on Windows Server 2008 Core

Published by under Security,Windows

I’ve been playing around (in my copious free time 😉 ) with other methods of connecting to and managing Server 2008 Core. One of the things I’ve wanted to do was to be able to SSH directly to Server 2008 Core and have the same command line capability as I do on the console. To that end I did a quick search for similar work and found the following article at TechRepublic about installing an SSH server in Windows 2008. The difference that I wanted to do was to install it in Server Core rather than the full-blown version of 2008.

Like David Davis over at TechRepublic I decided to start with FreeSSHd as my SSH server. The first thing I needed to do was to get it onto the Server Core VM. Rather than downloading it to my desktop and then transferring it to the Server Core VM I decided that I would rather download it directly to the Server Core machine. In order to do that I needed wget that would run on Windows. I used the wget binary I downloaded (to my desktop) from Bart Puype in Belgium. Once I copied wget to C:\Windows\System32 I used it to download the FreeSSHd.exe binary from FreeSSHd.com.

To install freesshd, just run the freesshd.exe program and it will start up the install wizard. A couple of items to note — on Server Core do not bother with creating a Start Menu item for FreeSSHd and don’t bother with creating a desktop icon either. One of the problems that I encountered when I installed FreeSSHd on Server Core was that I could not configure the SSH server since the task bar icon did not appear on the right (as should be the case since there is no task bar in Server 2008 Core). To configure FreeSSHd I had to edit the freesshdservice.ini file in the C:\Program Files\freesshd directory (the default location for the installation).

A small point to note. Server 2008 Core’s firewall is on by default (even if it’s a domain joined machine) and the policy is to block all inbound connection attempts but to allow outbound connections. After installing FreeSSHd I needed to modify the firewall and decided to use netsh to do so. The command I used was

netsh advfirewall firewall add rule name="SSHd" dir=in action=allow protocol=TCP localport=22

Very simple…I love netsh 🙂

Another problem I ran into was getting the NT authentication to work. I did manage to get the password authentication working but I wanted to tie the FreeSSHd server into the Windows authentication. I’m still not 100% sure as to where the problem lies with the NT authentication integration and will investigate it further.

One of the biggest drawbacks to FreeSSHd is that there is very little (re: almost none) documentation that covers the freesshdservice.ini file. You need to read the forums over at freesshd.com in order to get a sense of what the settings are for the file and what specific changes to the file cause in the overall operation of the server. I hope to get that put together and posted here this summer as I think others will find it useful.

To get the password authentication working I installed FreeSSHd on a Windows Server 2003 system and then created the users I wanted there and copied over the relevant portions of the freesshdservice.ini file to the one on the Server 2008 Core VM. Then, to restart the service I would just issue the commands: net stop freesshdservice and net start freesshdservice and I was good to go. As you can see from the last capture in the gallery below I was able to connect to the server and log in using the account I had created on the Server 2003 system and copied over to the freesshdservice.ini file on the Server 2008 Core VM.

In the future I’m going to try some of the other freely available SSH servers and see if they provide an easier integration into Server 2008 Core.


Apr 30 2009

Office 2007 SP2 and Windows 7 Beta 2

Published by under Windows

I’ve been using Windows 7 Beta 2 for about 2 – 2 1/2 months now and it’s been wonderful. Compared to how Vista was on the Toshiba Laptop I installed it on, Windows 7 has been snappy, responsive, and downright fun to use. Office 2007 has been solid, stable and very responsive.

Then, yesterday, I installed Office 2007 SP2. I installed it not just on my Win 7 laptop but also on my Vista desktop. On my Vista desktop Office has been just as good as before. However, on my Win 7 laptop I’ve noticed that Outlook has developed a serious problem. Starting Outlook will spike the CPU to 100% utilization for no reason. On top of that when I exit Outlook, the process stays running in the process table and chews up the CPU as well. The only way to truly resolve the problem is to kill the Outlook process in Task Manager. This is definitely not a problem that I’m seeing in Vista.

My next step is to download and install the Windows 7 Release Candidate which Microsoft just released today and see if the problem persists. If so, it’s a bug that I’ll need to file. The only problem is that I’m having trouble logging into the MSDN site since everyone and his brother appears to be trying to download the RC ISO. Looks like I’ll have to wait until Sunday or so to download the ISO and rebuild my laptop.


Mar 05 2009

Favorite Net Things

Published by under Thoughts

I stumbled across this on YouTube and remembered when I first heard this back around 2000. It’s a funny and enjoyable little take on the “Favorite things” from the Sound of Music.


Feb 06 2009

Nerd, Geek or Dork test

Published by under Thoughts

OkCupid.com has a Nerd, Geek or Dork test. I came out as: 87% Nerd, 70% Geek, 52% Dork – which translates to being an “Outcast Genius” according to them:

For The Record:

A Nerd is someone who is passionate about learning/being smart/academia.
A Geek is someone who is passionate about some particular area or subject, often an obscure or difficult one.
A Dork is someone who has difficulty with common social expectations/interactions.
You scored better than half in all three, earning you the title of: Outcast Genius.

Outcast geniuses usually are bright enough to understand what society wants of them, and they just don’t care! They are highly intelligent and passionate about the things they know are *truly* important in the world. Typically, this does not include sports, cars or make-up, but it can on occasion (and if it does then they know more than all of their friends combined in that subject).

Outcast geniuses can be very lonely, due to their being outcast from most normal groups and too smart for the room among many other types of dorks and geeks, but they can also be the types to eventually rule the world, ala Bill Gates, the prototypical Outcast Genius.

Congratulations!

That’s good to know since I do work for Microsoft.


Jan 19 2009

Server 2008 DNS Global Query Block List

Published by under Windows

I recently promoted one of the Server 2008 VMs in my lab to a domain controller for the lab domain and installed the DNS role as well (so now I have three DNS servers in the VM lab — all three are domain controllers). The “firewall” to the VM lab is an ISA 2006 server with the Web Proxy Auto-Discovery (WPAD) configured and I have a CNAME entry in DNS for wpad so that the ISA firewall clients can dynamically detect the ISA server and configure the settings in IE.

According to the document, “Windows Server 2008 – DNS Server Global Query Block List” the initial query block list contains the entries ‘wpad’ and ‘isatap’ by default. However, when you install or upgrade a server to Windows Server 2008 and you install the DNS role the installation is supposed to detect whether entries already exist in DNS for the names ‘wpad’ and ‘isatap’ and to remove those entries from the block list upon detection (remember, this only occurs upon installation or upgrade — not later on during normal operation). It only detects, however, when the record is either an A (IPv4 address) or AAAA (IPv6 address). In my case the record is a CNAME and therefore ‘wpad’ was automatically added to the global query block list. This generates an EventID of 7600 with the following text in my case:

The global query block list is a feature that prevents attacks on your network by blocking DNS queries for specific host names. This feature has caused the DNS server to fail a query with error code NAME ERROR for WPAD.DOMAIN.TLD even though data for this DNS name exists in the DNS database. Other queries in all locally authoritative zones for other names that begin with labels in the block list will also fail, but no event will be logged when further queries are blocked until the DNS server service on this computer is restarted. See product documentation for information about this feature and instructions on how to configure it.

Below is the current global query block list (this list may be truncated in this event if it is too long):
isatap
wpad

EventID 7600 - DNS Query Block List

The solution can be found at the Forefront TMG (ISA Server) Product Team blog in their entry titled Windows Server 2008 DNS Block Feature. Additional information can be found on TechNet in the document “DNS Server Global Query Block List” under the Windows Server 2008 resource section covering the Domain Name System.

To make a long story short, the simple solution is to reconfigure the global query block list using the dnscmd command as shown below

Reconfiguring DNS Global Query Block List on Server 2008
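
The reconfiguration described above, written out as an added example (this is not a transcription of the original screenshot or the author's exact commands). It drops only wpad from the block list and keeps isatap blocked; WPAD.DOMAIN.TLD is the placeholder name from the event text, and the service restart is an assumption made so the server re-reads the list.

```powershell
# Added example. Run from an elevated prompt on the DNS server.
# The block list is a per-server setting, so repeat on every DNS server
# that answers for the zone (three domain controllers in this lab).

# 1. Record the current state before changing anything.
dnscmd /info /enableglobalqueryblocklist    # 1 = blocking is enabled
dnscmd /info /globalqueryblocklist          # here: isatap and wpad

# 2. Replace the list. /config overwrites the whole list, so every name
#    that should stay blocked has to be listed again. Only wpad is dropped.
dnscmd /config /globalqueryblocklist isatap

# 3. Leave the feature itself switched on. Disabling it outright would
#    also unblock isatap and any name added to the list later.
dnscmd /config /enableglobalqueryblocklist 1

# 4. Assumption: restart the DNS Server service so the new list is loaded.
Restart-Service DNS

# 5. Verify: the list should show isatap only, and the wpad CNAME should
#    now resolve instead of returning NAME ERROR (no new EventID 7600).
dnscmd /info /globalqueryblocklist
nslookup wpad.DOMAIN.TLD 127.0.0.1
```

With wpad off the block list, the administrator-created wpad record is what stops a client from registering that name for itself, so keep the record static and the zone on secure dynamic updates.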


Jan 15 2009

Migrating WSUS 3.0 SP1 susdb from SQL Server 2005 – Part 2

Published by under System Center,Windows

It took a little effort to figure it out along with some research but I’ve finally managed to move the SUSDB from the SQL Server instance running on my System Center Configuration Manager VM back over to the WSUS VM with SQL Server 2005 Express Edition. Essentially I followed a combination of procedures that can be found at the following links:

In essence I did the following procedure:

  1. Install SQL Server 2005 Express Edition SP2 on the WSUS VM
  2. Stop “Update Services” on WSUS VM (to avoid updating and locking the SUSDB on the SQL Server 2005)
  3. Stop “IISAdmin” service on WSUS VM (this also stops the World Wide Web Publishing Service, the Windows Remote Management (WS-Management) service, and the HTTP SSL service)
  4. On the SCCM VM, stop the “IISAdmin” service (as above that also stops three other dependent services)
  5. Detach the SUSDB on SQL Server 2005 – this can be done using either the SQLCMD command line interface with the ‘sp_detach_db’ command or the SQL Server Management Studio
  6. With the SUSDB database detached, copy it from its current location (under SQL Server 2005 SP2 it’s found in C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data) to the appropriate directory on the WSUS VM (the default location for the data files with SQL Server 2005 Express is the same as the full SQL Server)
  7. Once the SUSDB (and the attendant log file) has been copied over, attach it to the SQL Server 2005 Express instance. To do this I used the SQL Server Express Management Studio as shown in the picture below

    Adding SUSDB to SQL Server 2005 Express

  8. After attaching the database to the SQL Server 2005 EE I then followed through with the steps outlined in the WSUS Support Team’s blog: How to migrate your WSUS Windows Internal Database to SQL Server 2005 Express Edition. Except that in this case I don’t think I really needed to add the NT AUTHORITY\NETWORK SERVICE account as a login on the SQL Server 2005 EE instance since the WSUS software and the SQL Server were on the same VM.
  9. Nevertheless, I added NT AUTHORITY\NETWORK SERVICE to the SQL Server 2005 EE logins as shown below

    Adding NT AUTHORITY\NETWORK SERVICE to SQL Server 2005 EE Logins

  10. I discovered that you also needed to add the NT AUTHORITY\NETWORK SERVICE as a user in the actual SUSDB. This is a subtle point that is not made clear by the WSUS Team Blog on this issue in their post. To do that you need to go to the actual database (in this case SUSDB) and under -> Security -> Users you create an account for the NETWORK SERVICE account.

    Adding NETWORK SERVICE as a user on SUSDB

  11. You also need to add NETWORK SERVICE to the webService role in SUSDB as shown below

    Adding NETWORK SERVICE to webService role in SUSDB

  12. Finally, I changed the SqlServerName registry key in HKLM\Software\Microsoft\Update Services\Server\Setup from the original SQL Server 2005 system (winsrv-ca) to the WSUS server (SCCM). However, because I went from a SQL Server 2005 system to a SQL Server 2005 Express Edition database I had to append the instance name (in this case SQLExpress) in order to get the MMC snap-in to work.
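
The same procedure as a command-line sketch, added here as an example (the author used Management Studio; these are not the author's commands). Host names, the instance name and the data path come from the post; the service name WsusService, the file names SUSDB.mdf and SUSDB_log.ldf, the copy over the C$ admin share and the final service restarts are assumptions.

```powershell
# Added example. winsrv-ca = source SQL Server 2005, SCCM = WSUS VM.
$data = 'C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data'
$acct = 'NT AUTHORITY\NETWORK SERVICE'
$sql  = '.\SQLEXPRESS'          # local Express instance on the WSUS VM

# Stop everything that can hold SUSDB open.
net stop WsusService            # "Update Services" (assumed service name)
net stop IISAdmin /y            # run on the WSUS VM and on winsrv-ca

# Detach on the source server.
sqlcmd -S winsrv-ca -E -Q "EXEC sp_detach_db 'SUSDB'"

# Copy data and log files to the WSUS VM (assumed file names and share).
$src = '\\winsrv-ca\C$\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data'
Copy-Item "$src\SUSDB.mdf", "$src\SUSDB_log.ldf" -Destination $data

# Attach to the Express instance.
sqlcmd -S $sql -E -Q "CREATE DATABASE SUSDB ON (FILENAME='$data\SUSDB.mdf'), (FILENAME='$data\SUSDB_log.ldf') FOR ATTACH"

# Server login, then the database user and role the post says are needed.
sqlcmd -S $sql -E -Q "CREATE LOGIN [$acct] FROM WINDOWS"
sqlcmd -S $sql -E -d SUSDB -Q "CREATE USER [$acct] FOR LOGIN [$acct]"
sqlcmd -S $sql -E -d SUSDB -Q "EXEC sp_addrolemember 'webService', '$acct'"

# Check: the account should be listed as a member of webService.
sqlcmd -S $sql -E -d SUSDB -Q "EXEC sp_helprolemember 'webService'"

# Point WSUS at the new instance (server name plus instance name).
reg add 'HKLM\Software\Microsoft\Update Services\Server\Setup' /v SqlServerName /d 'SCCM\SQLExpress' /f

# Bring the services back (assumed final step).
net start W3SVC
net start WsusService
```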

A bit of a sidenote — the name of my WSUS server virtual machine is SCCM and the name of the machine running the System Center Configuration Manager software is actually winsrv-ca. It’s kind of confusing but I had already installed WSUS on the virtual machine SCCM before I decided that adding System Center Configuration Manager would be pretty much an overload on that one machine. That’s why I ended up installing Configuration Manager on winsrv-ca and not SCCM…but I had already modified AD to point to SCCM for WSUS services so I found it less troublesome to just leave the names as they are.

Finally, the job is done. Yes, I realize that it’s probably not a big thing but I wanted to see if it could be done. Most of the sites out there talk about migrating the WSUS database either from the Windows Internal Database (SQL Server Embedded Edition) to a SQL Server 2005 system or from an older SQL Server 2000 database to a SQL Server 2005 database. I haven’t seen anyone who tried to go from a full blown version of SQL Server 2005 to a SQL Server 2005 Express Edition (which, in many cases is more limited than the Windows Internal Database that WSUS can use). Anyway, it was fun…with a few snags along the way…but fun nonetheless.


Jan 14 2009

Migrating WSUS 3.0 SP1 susdb from SQL Server 2005

Published by under Windows

In my VM lab at home I have a SQL Server 2005 system that is also running System Center Configuration Manager. This SQL Server is also hosting the WSUS susdb database. Unfortunately I have recently discovered that the SQL Server is getting hammered hard enough that it’s causing timeouts with disk reads/writes to the point that the underlying Server 2003 R2 OS thinks that the disk is going bad (which it’s not…the OS just thinks that). I’ve decided to migrate the WSUS susdb database from the SQL Server 2005 to the WSUS server itself.

The first problem I had was figuring out where I could find a copy of the Windows Internal Database (WID) or as it is sometimes called – SQL Server Embedded Edition. Well the problem here is that you can’t get it as a standalone product (just like you can’t get SQL Server Management Studio as a standalone product). It either comes with the OS (Server 2008) or with another product like WSUS 3.0. So, I have a few choices — either uninstall and then re-install WSUS 3.0 or move the susdb database from the SQL Server 2005 on the SCCM VM to a SQL Server 2005 database running on the WSUS VM or move the susdb database from the SQL Server 2005 on the SCCM VM to a SQL Server 2005 Express Edition running on the WSUS VM.

Given that I don’t really see the need for two full versions of SQL Server 2005 in my VM lab I have opted for option #3 — migrate susdb to a SQL Server 2005 Express Edition database on the WSUS VM. (BTW — asked around and no, this is not a supported configuration). But, since it apparently hasn’t been done before I figure — “why the hell not?”

Now, it can be done…however there are limitations due to the SQL Server 2005 Express Edition software. My VM lab is only about 20 images. That’s one of the problems — SQL Server 2005 EE is limited in database size. But, given the small size of my VM lab this should not be a problem for me. As I get this project done I’ll post more updates.


Jan 13 2009

System Center 2007

Published by under System Center

I’ve been playing with System Center components for a while now to understand how Microsoft has evolved the Systems Management Server (SMS) product over the past few years. On the whole, I like it quite a bit — at least the components that I’ve seen up till now — Configuration Manager and Operations Manager. I have identified various pitfalls and various problems that a new admin or user might face with System Center components and I plan to start posting them here.

On the whole I find System Center to be among the better of the system management suites I’ve seen in a long time. I’ve played with HP OpenView (or as it is currently called, HP Operations Manager), CA Unicenter, Nagios, Big Brother and now with the System Center pieces. Overall it’s less of a resource intensive product set than say HP OpenView and CA Unicenter and provides a wider feature set out of the box than either Big Brother or Nagios (although Nagios comes very close to matching many feature capabilities — but that’s another post for another time). I’m aiming to focus on the pitfalls and problems I’ve encountered with System Center and how to resolve them. I’m not reviewing the product to determine if it’s better or worse than another product — let someone else do that. I’m focusing on the technology.


Jan 01 2009

Return of the Zune

Published by under Thoughts

Well, last night Microsoft released its analysis of the bug that brought 30GB Zunes to a standstill. The bug, as it turns out, is in a third party clock driver for the Zune. The solution — don’t turn on your 30GB Zune on the last day of a leap year (yes, this bug will come back in 4 years if we don’t fix it — which we will but it may take some time). If you have turned on your Zune and it’s locked up then let the battery drain completely before recharging it in the morning. There’s more information on the FAQ over at the zune.net site.

I woke up this morning, plugged the 30GB Zune in to the AC charger in the wall to recharge, went and took a shower and by the time I was ready to take the dog for a walk this morning it had recharged and booted up fully. So, I was able to enjoy the morning walk with the dog while listening to NPR. Sweet.

