How Microsoft Patches Servers

Microsoft has released a document that describes how they deploy and manage security updates for their servers.  As you can imagine on a 55,000-71,000 user network (size varies depending on what you read), MS has a lot of servers around the world.  Even though they have applied centralisation and consolidation practices, there is always a need to run operating systems and machines in various locations.

In my travels over the years since automated patch management solutions became commonplace, I’ve come across three types of sites/administrators:

  • Complete Automation:  I say complete but there’s always a couple of machines that are manually managed for some reason.  But the idea is that they automatically manage not only the desktops but also the servers.  I’ve been in this category as an admin.  It worked beautifully.  You can maintain your security levels with confidence, using different installation and reboot schedules for servers from those you use for desktops.  Reports can indicate your success levels.  Using something like MOM 2005 you can monitor the health of your network afterwards.  In the two years that I managed a network with SUS/WSUS 2.0, I never had a bad patch.  Despite some misconceptions, MS patches are quite healthy (the reason they take their time releasing them is so they can hammer them in testing) and you can be in complete control over what you deploy.
  • Automation of desktop patching:  They don’t trust the patch deployment solution to patch their servers, or they don’t trust the patches.  OK … so you won’t deploy patches to 100 servers that are in easy reach of you and that you have backups of, but you will patch 10,000 PCs automatically?  That makes sense … NOT!  If there’s something I want to get updates onto ASAP it’s my servers.  That’s where my data is and where my applications are hosted.  I want those resources secured, and quickly.  I hear loads of comments like "we patch them every X months" or "we patch them when there’s a real threat" but honestly, I often never see a single update on these servers.  And these are the people who get hammered by the Nimdas and Blasters of the world.  Usually these are also the admins who don’t keep up to date with security alerts or IT news, so even if their latter excuse were truthful, they’d probably only update after an infection has hit them.
  • No updates of any kind: "We don’t trust patching", "We’ve got a firewall", "We’ve got anti-malware".  Hah!  I hope you’ve got insurance or you’re not attached to the idea of bringing in a paycheck on a regular basis.  Since I started working with automated patching in 2003, I’ve not had a single MS update break a PC, server or application that was under my control.  I personally don’t know anyone who has either.  The arguments about firewalls … that makes me laugh.  They’ve no understanding of what a firewall is.  Does your firewall block email attachments?  How about web downloads?  Nope, because if it did then you’d break basic functionality of these tools.  How about an application filter to strip malformed traffic, e.g. ISA?  Even then, you sometimes hear of threats that use legitimate traffic but exploit buffer overflows (a much less common threat in MS products since a code review in 2003).  The anti-malware solution … that’s OK if you’re talking about a known virus.  But that didn’t stop Nimda or Blaster or SQL Slammer, which hammered the Internet in a matter of minutes.  And what about other attacks such as DoS or hacking?  Anti-malware doesn’t stop those … don’t forget that it is estimated that 75% of all security threats are from employees, not malcontent teenagers in their parents’ basements or big, bad spies from competing countries/companies.
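The "complete automation" approach above depends on servers and desktops actually receiving the WSUS policy you intended, with the different install and reboot windows the first bullet describes. The script below is an added example, not part of this post and not a Microsoft tool: it reads the Automatic Updates policy values a WSUS group policy writes to the registry and reports where a machine differs from the schedule expected for its role. The registry paths and value names are the documented WindowsUpdate policy values; the `$Expected` schedule table is a constructed assumption you would replace with your own windows.

```powershell
# Added example; not part of the original post and not a Microsoft tool.
# Reads the Automatic Updates policy that a WSUS group policy writes and
# compares it with the install/reboot schedule intended for the machine's role.
# Registry paths and value names are the documented WindowsUpdate policy
# values; the $Expected table is a constructed assumption.

$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey = "$WuKey\AU"

# Documented meanings of the AUOptions policy value
$AuOptionNames = @{
    2 = 'notify before download'
    3 = 'auto download, notify before install'
    4 = 'auto download and schedule install'
    5 = 'local admin chooses'
}
# ScheduledInstallDay: 0 = every day, 1 = Sunday ... 7 = Saturday
$DayNames = @('every day', 'Sunday', 'Monday', 'Tuesday', 'Wednesday', 'Thursday', 'Friday', 'Saturday')

# Constructed expected schedules: desktops install nightly at 03:00; servers
# install in a Sunday 02:00 window and never reboot while someone is logged on.
$Expected = @{
    Desktop = @{ AUOptions = 4; ScheduledInstallDay = 0; ScheduledInstallTime = 3; NoAutoRebootWithLoggedOnUsers = 0 }
    Server  = @{ AUOptions = 4; ScheduledInstallDay = 1; ScheduledInstallTime = 2; NoAutoRebootWithLoggedOnUsers = 1 }
}

function Get-AuPolicy {
    # Returns the local machine's WSUS/AU policy; $null fields mean no policy
    # is applied at all, which is itself a finding.
    $wu = Get-ItemProperty -Path $WuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $AuKey -ErrorAction SilentlyContinue
    $targetGroup = $null
    if ($wu.TargetGroupEnabled -eq 1) { $targetGroup = $wu.TargetGroup }
    [pscustomobject]@{
        ComputerName                  = $env:COMPUTERNAME
        WUServer                      = $wu.WUServer
        UseWUServer                   = $au.UseWUServer
        TargetGroup                   = $targetGroup
        AUOptions                     = $au.AUOptions
        ScheduledInstallDay           = $au.ScheduledInstallDay
        ScheduledInstallTime          = $au.ScheduledInstallTime
        NoAutoRebootWithLoggedOnUsers = $au.NoAutoRebootWithLoggedOnUsers
    }
}

function Test-AuPolicy {
    # Lists every way the live policy differs from the expected profile.
    param(
        [Parameter(Mandatory)][ValidateSet('Desktop', 'Server')][string]$Role,
        [Parameter(Mandatory)]$Policy
    )
    $findings = @()
    if (-not $Policy.WUServer -or $Policy.UseWUServer -ne 1) {
        $findings += 'not pointed at a WSUS server, so nothing you approved is being deployed'
    }
    foreach ($name in $Expected[$Role].Keys) {
        $want = $Expected[$Role][$name]
        $have = $Policy.$name
        if ($have -ne $want) { $findings += "$name is '$have', expected '$want'" }
    }
    [pscustomobject]@{
        ComputerName = $Policy.ComputerName
        Role         = $Role
        Compliant    = ($findings.Count -eq 0)
        Findings     = $findings
    }
}

# Usage: run locally, or wrap both functions in Invoke-Command to collect the
# same report from every server in a WSUS target group.
$policy = Get-AuPolicy
$mode = if ($policy.AUOptions) { $AuOptionNames[[int]$policy.AUOptions] } else { 'no policy' }
$day  = if ($null -ne $policy.ScheduledInstallDay) { $DayNames[[int]$policy.ScheduledInstallDay] } else { 'unset' }
Write-Host ("{0}: {1}; installs {2} at {3}:00; WSUS={4}; group={5}" -f $policy.ComputerName, $mode, $day, $policy.ScheduledInstallTime, $policy.WUServer, $policy.TargetGroup)
Test-AuPolicy -Role Server -Policy $policy | Format-List
```

A machine that reports "no policy" or "not pointed at a WSUS server" is exactly the silently unpatched server the second bullet complains about; the WSUS console's reports will never show it because it never checks in.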

I would urge anyone to take a read of Microsoft’s document.  It’s evidence of their "eat our own dog food" approach.  I’d also urge you to have a read of my WSUS 3.0 beta guide.

Convert MSI to SoftGrid Sequence

You should already be familiar with MSI.  This database is how we often package software for distribution.  Sometimes it comes as is, sometimes we can apply a transform to customise the install and sometimes we repackage the software using something like AdminStudio.  The idea is that we can simply deploy software in a predictable and automated way.
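To show the "predictable and automated" deployment this paragraph describes, here is an added example that is not part of this post, of Login Consultants' converter or of any Microsoft tool: a function that installs an MSI with an optional transform unattended, writes a verbose log, and refuses any package whose Authenticode signature does not verify, so that what you packaged and tested is what actually gets deployed. The `msiexec` switches, the `TRANSFORMS` property and the Windows Installer exit codes are the documented ones; the paths in the usage line are constructed placeholders.

```powershell
# Added example; not part of the original post, the Login Consultants
# converter or any Microsoft tool. Installs an MSI (plus optional transform)
# silently with a log, after checking the package's Authenticode signature.
# Paths in the usage line are constructed placeholders.

function Install-PackagedMsi {
    param(
        [Parameter(Mandatory)][string]$MsiPath,
        [string]$TransformPath,
        [string]$LogDir = "$env:SystemRoot\Temp"
    )

    # 1. Only deploy packages whose signature chains to a trusted publisher.
    #    Get-AuthenticodeSignature understands MSI files as well as executables.
    $sig = Get-AuthenticodeSignature -FilePath $MsiPath
    if ($sig.Status -ne 'Valid') {
        throw "Refusing to install ${MsiPath}: signature status is $($sig.Status)"
    }
    Write-Host "Package signed by $($sig.SignerCertificate.Subject)"

    # 2. Build the msiexec command line: silent, no forced reboot, verbose log.
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $log    = Join-Path $LogDir ("{0}-{1}.log" -f [IO.Path]::GetFileNameWithoutExtension($MsiPath), $stamp)
    $msiArgs = @('/i', "`"$MsiPath`"", '/qn', '/norestart', '/l*v', "`"$log`"")
    if ($TransformPath) {
        if (-not (Test-Path $TransformPath)) { throw "Transform not found: $TransformPath" }
        $msiArgs += "TRANSFORMS=`"$TransformPath`""
    }

    # 3. Run and interpret the documented Windows Installer exit codes.
    $proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
    switch ($proc.ExitCode) {
        0       { $result = 'installed' }
        3010    { $result = 'installed, reboot required' }
        1641    { $result = 'installed, reboot initiated' }
        default { $result = "failed with exit code $($proc.ExitCode); see $log" }
    }
    [pscustomobject]@{
        Package   = $MsiPath
        Transform = $TransformPath
        ExitCode  = $proc.ExitCode
        Result    = $result
        Log       = $log
    }
}

# Usage (constructed paths):
# Install-PackagedMsi -MsiPath '\\fileserver\packages\Contoso.msi' -TransformPath '\\fileserver\packages\Contoso-Finance.mst'
```

The same function works for a repackaged MSI from AdminStudio; the signature check is the piece most deployment scripts leave out, and it is what stops a tampered package on a file share from being pushed to every PC with the full rights of the installer service.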

SoftGrid was acquired by Microsoft last year.  The only thing that prevented people from being interested in the solution was the price.  MS cut the price and packaged the solution as SoftGrid for Desktops and SoftGrid for Terminal Services.

SoftGrid offers you a third layer of virtualisation.  We have the server/desktop, session virtualisation and now we have application virtualisation.  By sequencing an application, we can isolate the application from the operating system, providing it with its own copy of system files, registry, etc.  The result is that once-incompatible applications can now run on the same computer.  Other benefits include:

  • Rapid deployment: you can deploy just the core components of the application via a stream.  Additional components are downloaded as required by the user.
  • Integration: SoftGrid can integrate into Active Directory for permissioning of streams and with SMS for deployment and auditing.
  • Self-Service: Users can provision their own applications via a self service website which can include a workflow for approval of licensed installations.

It appeared to me that this solution was always better known in the Terminal Services world.  The obvious benefit was that the need for application silos would be less, e.g. traditionally incompatible applications could now be installed on the same terminal server.  The only remaining reasons to separate users or applications would be resource or maybe even security based.  The same benefits also apply to the desktop but the financial savings were greater for the TS world, thus the original pricing was less of a deterrent.

Brian Madden has reported that famed consultants, Login Consultants, have created a free solution to convert MSI packages into SoftGrid sequences.  If you’re already using software distribution solutions, e.g. Citrix Presentation Server, SMS, GPO, then it’s likely that you’ve packaged applications as MSI.  You could now rapidly deploy the SoftGrid solution by converting these MSI files.  Brian also points out that you should apply the best practices for sequencing advised by Microsoft.

Credit: Brian Madden.

Virtualisation And What Microsoft Has To Offer

Dave Northey of MS Ireland has written a 3 part series on virtualisation covering the server, desktop and application.  You should check this out if you’re interested in this technology.  If you’ve been following this blog you’ll know that I’m a big fan of virtualisation.  In fact, if you’ve downloaded any of my docs or browsed my personal website you’ll have accessed a virtual machine.  If you send me a mail then you’re hitting another VM.

Check out Dave’s series to see what we’re excited about:

AV Comparatives: February 2007

The results for the Feb 2007 Anti-Virus Comparatives report were released today.  The big news is the poor performance of Microsoft’s OneCare, the home use product.  Faced with the same threats as the other products, it only successfully defended against 82.4% of them.  OneCare is still a fairly new contender in this field.  Given how focused Microsoft is on the anti-malware field right now, I would not be surprised to see them make some serious improvements.

The performance chart (follow the "Comparatives" link) shows the big names performed as follows:

  • GriSoft AVG Anti-Malware: 96.37%
  • Kaspersky Labs AV: 97.89%
  • McAfee Virus Scan: 91.63%
  • ESET NOD32 AV: 86.71%
  • Symantec NAV: 96.83%

The top performer was G DATA Security AntiVirusKit (AVK) at 99.45%.  There was no mention of Sophos or Trend Micro.

As you can see, none of them were perfect.  The last report I read had NOD32 at the top end of the charts, so we can see that things do change quite quickly.  This makes it very clear, and reinforces, that you must have a layered defense.  I’ve come across organisations that trust their entire anti-malware defense to one vendor.  This report makes it clear that this opens a door into those networks.

E-mail has become the most common source of threats.  It is more important than ever to run multiple engines on, at least, your gateways.  Using MS Forefront Security for Exchange (I’m assuming that it’s the same as MS Antigen for Exchange Messaging Security Suite) you could run 4 engines on your gateways and a different 4 engines on your mailbox servers.  To maximise performance but still have layered defenses you could scan mails with 2 engines (of the four) at once on the gateway and 1 at once on the mailbox servers.

A second, less common source (if you run a proxy filter) will be web downloads.  I’ve come across some pretty poor solutions that intercept downloads and pause them until the entire file is downloaded and scanned.  This can break automated downloads, e.g. AV, WSUS, and can annoy users.  Try to pick a different solution from the one you have on your mail gateways.

A different vendor should then protect your servers.  And you may even consider yet another vendor for desktops but I would normally be happy with one vendor scanning internal servers, applications and desktops and ideally using different engines to those on the gateways.  Personally, I’ve been a fan of Trend Micro and have used it in a few sites.  I know people that I trust who speak very highly of Sophos and NOD32.  I’ve checked out MS Forefront Client Security.  I can’t speak for the engine but I do like how the architecture will work in multi-site deployments and how easy it looks to manage.

Credit: Bink.

Is UAC A Security Technology?

Jesper Johansson posted a blog entry discussing the debate about what UAC really is and whether it works or not.  Jesper is in a unique position to be able to comment on this because he is a former Microsoft employee and was a senior security expert with them.

Long story short … UAC is not an anti malware defense.  That’s what your anti malware products are intended to do.  UAC is intended to allow people who need to log in as local administrators to run with reduced privs and then be prompted to OK a process that requires elevated rights.  This can reduce the risk of malware executing, i.e. if something executes on your system and wants to use elevated rights then you are in a position to control that.  But as Mark Russinovich pointed out lately, there are ways and means around this, i.e. there are no firewalls between processes running on the same system.  Would you want them?  Probably not … imagine that no process could integrate with any other process.
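The distinction above (UAC gives an administrator a reduced-privilege token and prompts before granting the elevated one; it is not an anti-malware product) can be seen directly on a Vista-or-later machine. The script below is an added example, not part of Jesper’s post or Mark Russinovich’s articles: it reports whether UAC is on, how it prompts an administrator, and whether the current shell holds the filtered (standard-user) token or the elevated one. The policy value names are the documented UAC settings; the output field names are this example’s own, and the text match on the `whoami` attribute column assumes an English-language Windows.

```powershell
# Added example; not part of Jesper Johansson's post or Mark Russinovich's
# articles. Reports the UAC policy on this machine and which token the current
# process holds. Value names are the documented UAC policy values; the output
# fields are this example's own. Assumes an English Windows locale for the
# "deny only" text that whoami prints.

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Documented ConsentPromptBehaviorAdmin values
$PromptNames = @{
    0 = 'elevate without prompting'
    1 = 'prompt for credentials on the secure desktop'
    2 = 'prompt for consent on the secure desktop'
    3 = 'prompt for credentials'
    4 = 'prompt for consent'
    5 = 'prompt for consent for non-Windows binaries'
}

function Get-UacState {
    $p = Get-ItemProperty -Path $UacKey

    # whoami /groups shows the token as the OS sees it. With UAC on, an
    # administrator's normal shell lists BUILTIN\Administrators as "used for
    # deny only" and carries a Medium integrity label; an elevated shell has
    # the group enabled and a High integrity label.
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $admins = $groups | Where-Object SID -eq 'S-1-5-32-544'
    $label  = $groups | Where-Object SID -like 'S-1-16-*'
    $integrity = 'unknown'
    if ($label) { $integrity = $label.'Group Name' -replace '^Mandatory Label\\', '' }

    # IsInRole(Administrator) is only true when the elevated token is in use
    $principal = New-Object Security.Principal.WindowsPrincipal(
        [Security.Principal.WindowsIdentity]::GetCurrent())

    [pscustomobject]@{
        UacEnabled            = ($p.EnableLUA -eq 1)
        AdminPromptBehaviour  = $PromptNames[[int]$p.ConsentPromptBehaviorAdmin]
        PromptOnSecureDesktop = ($p.PromptOnSecureDesktop -eq 1)
        UserInAdministrators  = [bool]$admins
        FilteredToken         = [bool]($admins -and $admins.Attributes -match 'deny only')
        IntegrityLevel        = $integrity
        ProcessElevated       = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    }
}

# Usage
$state = Get-UacState
$state | Format-List
if ($state.UacEnabled -and $state.UserInAdministrators -and -not $state.ProcessElevated) {
    Write-Host 'Administrator account, but this shell runs with the filtered token: this is the case UAC was built for.'
}
if (-not $state.UacEnabled -and $state.UserInAdministrators) {
    Write-Host 'UAC is off: everything this user runs gets full administrator rights with no prompt.'
}
```

Note what the report does not say: nothing in it tells you whether a process that is already running at Medium integrity is malicious. That is the point of Jesper’s post; UAC governs the hand-over to the elevated token, not what code is allowed to run below it.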

Give it a read and follow the links that Jesper provides to make up your own mind.

Getting Started With Windows SBS 2003 R2

Microsoft Small Business Server is an ideal server/domain solution for the small business.  The latest version is SBS 2003 R2.  It includes Windows Server 2003 R2 (server, Active Directory, IIS, etc), Exchange (mail), ISA (proxy & firewall), WSUS (patch management) and Sharepoint (web based collaboration).

A new step by step document has been released by Microsoft to guide you through an installation of SBS 2003 R2, including upgrades from previous versions.

Microsoft Responds To VMware

A number of news sources published comments by Microsoft’s Mike Neil:

"Microsoft believes the claims made in VMware’s whitepaper contain several inaccuracies and misunderstandings of our current license and use policies, our support policy and our commitment to technology collaboration," said Mike Neil, Microsoft virtualization GM in a statement. "We believe that we are being progressive and fair with our existing licensing and use policies and creating a level playing field for partners and customers. We are deeply committed to providing high-quality technical support to our customers who are utilizing virtualization technology. In addition, we are committed to working collaboratively with industry leaders to foster an environment of interoperability and cooperation that best serves our customers."

"We believe it’s better to resolve VMware’s claims between our two companies so that we can better serve customers and the industry," Neil added in the statement. "EMC is a long-time partner of Microsoft. We’ve extended this courtesy to VMware due to our mutual customers and partnership with EMC. We are committed to continuing to collaborate with VMware as we have been doing on regular basis. Consistent with this, Microsoft believes that we will be able to accommodate a mutually agreeable solution between our two companies and clear up any existing misunderstanding with regard to the points raised in the whitepaper."

It does read like either Microsoft is taking the high road on this, or something else is in the works and this was released to keep the media quiet.  You could read more into the comments about being "best mates" with EMC, who happen to own VMware, but I’ll leave that up to your imagination.

Both make good products in this market.  I’d hope that, for their customers, they can work things out as was done between Citrix and MS.

Credit: The Register.

How Microsoft Deployed Groove 2007

I admit it, I know nothing about Groove.  My cloning hammock broke last Summer so I’ve just not had the time.  I do know it’s a collaboration solution that can integrate into the other Office 2007 system products, e.g. Sharepoint, Office, etc.  The emphasis is on the user being able to work when they want to and being able to work with who they want to.

Microsoft has released a document that describes how they deployed Groove 2007 to 8,000 users across their global operation.  Details of AD integration, Office and Sharepoint are also promised.