End Of Support: Windows XP Service Pack 1

Windows XP with Service Pack 1 is no longer publicly supported by Microsoft as of October 10th, 2006.  Microsoft will not issue bug fixes nor security updates for this level of the operating system.  To continue support, you should deploy Service Pack 2 for Windows XP.  You can find more details here.
 
There was a considerable amount of concern about deploying Service Pack 2.  A lot of people were scared that the new Windows Firewall would break their networks.  By default it was turned on but anyone who did some research would have found they could control it centrally with either registry edits or Active Directory Group Policy.
 
Other concerns were raised about the increased level of security in the subsystem.  This caused some fear and rightly would have required regression testing for all business applications.  Another complicating factor was that many vendors acted as if Service Pack 2 was sprung on the world by surprise.  Companies such as SAP were allegedly slow to support the service pack for their products.  Of course, Microsoft had a substantial publicity and public beta program building up to the release of Windows XP Service Pack 2 that gave these vendors absolutely no excuses.
 
Given that Service Pack 2 for Windows 2003 is on the way, I’d recommend you make sure all of your Windows 2003 servers are upgraded to Service Pack 1 and not give your vendors any room to wiggle out of their responsibilities.

Virtual PC 2007 Beta

A blank page has appeared on Connect that informs us a Beta for Virtual PC 2007 is on the way.  It will be publicly available on the 11th of October.  No other details are available.

Virtual PC 2004 is now a free product and one that any self-respecting sys admin should aim to use.  VMware’s excellent alternative still requires a purchase, giving Microsoft an advantage.  VPC allows you to run virtual machines just like you can with Virtual Server 2005 R2.  In fact, the machines are compatible.

I’ve used VPC before for lab work and for testing.  Where I also see it being useful is where you want administrators to use non-admin accounts for day-to-day office work such as email and browsing and a dedicated account for admin work.  Run-As is painful to use (who wants to keep banging in the password?) so an alternative is to run a VM with only the admin tools installed.  The administrator can log into their physical machine with a non-admin account and into a VM with their admin account.  This isolates their email and internet activity from their administrative rights and provides a layer of defense against viable threats.

Windows Vista Enterprise (requires software assurance) will include a virtualisation solution built into the OS.  I’m guessing now that VPC 2007 will be a solution for those who do not buy Vista with software assurance.

Forefront Security For Sharepoint Beta

Microsoft has just launched the beta for Forefront Security for Sharepoint.  It’s Microsoft’s antivirus solution for this key Office System product.  Microsoft aims to launch it at the same time as Microsoft Office Sharepoint Server 2007 and Sharepoint Services 3.0.  This could be relatively soon, i.e. early 2007.  Microsoft says this new product will deliver the following:

  • Protection against the latest threats. Forefront Security for SharePoint simultaneously utilizes up to five antivirus engines from leading security vendors to provide customers with increased protection against malware threats, inappropriate content and dangerous file types. This latest release includes the new Microsoft Antivirus engine.
  • Integration to help optimize server performance. Integration with Microsoft Office SharePoint Server 2007 and Windows SharePoint Services 3.0, as well as scanning innovations and performance controls, help ensure optimal collaboration server performance.
  • Simplified management control. Forefront Security for SharePoint provides centralized management control to help ensure organizations can simply and cost-effectively deploy, manage and maintain the security of their collaboration servers.

You can register for the beta on Microsoft’s Connect website.

WSUS 3.0 Whitepaper

I’ve just added a whitepaper on WSUS 3.0 to my website.  I go into the reasons for automated patching, the options, an overview of WSUS 3.0, deploying it and configuring/using it.

Note: the document is based on Beta 1. 

When people think about IT security, they think about firewalls and antivirus. Firewalls are important but only go so far as to protect your network against a direct attack. A firewall will only prevent illegitimate forms of traffic from the internet. It doesn’t stop traffic on legitimate ports or downloads. Firewall defences have been compared to eggs: hard on the outside but soft on the inside. Anti-virus will only protect you against known threats. Many organisations have made the mistake of thinking that firewalls combined with antivirus will give them a complete defence against threats. That’s a nice wish but it’s not true.

Consider the SQL Slammer virus that hit the Internet in early 2003. Within minutes of its release it crippled networks worldwide. How did this work? Surely people had firewalls in place? Yes they did. Was the antivirus up to date? Yes it was. The problem was that it could easily get past the firewall and it was unknown to antivirus vendors. It also took advantage of a known flaw in Microsoft’s products that Microsoft had previously released a patch for. In fact they released the patch several months beforehand and those organisations that had deployed it were protected against the virus. Microsoft had already released a free to use product called SUS that serviced the Windows product range but few had heard of it. In fact, few had any implemented process for regularly testing and deploying Microsoft updates.

In late 2003 a new virus started to cripple networks. Microsoft Blaster took advantage of a flaw in the RPC service. Surely in the time that had passed people had learned their lessons about keeping their machines up to date? It appeared that most had not. Microsoft had previously released an update to protect their products but few had deployed it.

Since this time Microsoft has spent much time campaigning and trying to raise customer awareness about the need to regularly test and deploy updates. A replacement for SUS called WSUS (2.0) was released. WSUS, again a free to use product, services all of the Microsoft product range and makes it easier for administrators or security officers to test and deploy updates on a production network.

My experience working on client sites and speaking with administrators is that both the awareness of this problem/solution and adoption of WSUS have been minimal. Many large organisations and government agencies do not maintain patch updates. This is either because they are not aware the solution exists, despite Microsoft’s efforts, or because they do not sufficiently understand the problem.

With this document I aim to show how you can manage updating your entire Microsoft network with minimal manual effort by using WSUS 3.0.

The document continues …

Update for the SMS 2003 Inventory Tool For Dell Computers

Microsoft has posted an updated version of the SMS 2003 Inventory Tool for Dell Updates.  This is necessary in order to download the latest catalogs from Dell.  This free feature pack will enable administrators to report on, manage and update BIOS, firmware and drivers on their Dell servers.  It works pretty similarly to the SMS software updates engine used to deploy Microsoft security updates.  This is the quote from the Microsoft post:

"SMS 2003 Inventory Tool for Dell Updates is an add-on to SMS 2003 Service Pack 1 (SP1) that enables customers to use the SMS 2003 Software Update Management feature to update their Dell servers. Customers will be able to deploy BIOS, firmware, and driver updates to their Dell servers using the same process that they use for deploying security and other updates with SMS.
SMS 2003 Inventory Tool for Dell Update includes the following components:

  • Setup – Windows Installer based setup that allows SMS administrator to install all required components on the SMS site server.
  • Inventory Tool for Dell update (scan tool) – this tool is being built using SDK components provided by Dell Inc. It scans a Dell server for installed and missing updates, just like MBSA scans the computer for Microsoft security updates.
  • Sync tool for Dell update – this tool downloads a catalog from Dell’s website on a recurring schedule. This catalog describes all published Dell updates.
  • Update to Distribute Software Update Wizard (DSUW) – Setup will install an update to DSUW to show new UI that allows to manually import multiple component updates contained within a single system update.
  • Version 3.0 must be installed to coincide with work with the latest Dell catalog".

VML Vulnerability In All Current Windows Platforms

All current releases of Microsoft Windows are vulnerable to a new security threat in the implementation of Vector Markup Language.  This threat enables attackers to take control of a victim's computer.  Microsoft is taking this one really seriously.  Not only is there sample exploit code on the Internet but Microsoft is also feeling the heat after a perceived slow response in recent months.  Microsoft is stating that at the very latest, a patch will be released on October 10th (patch Tuesday) but they will attempt to release an update before then.