Blackberry Outage in North America

The Register reported today that there is an outage on the RIM network that is preventing messages from being transferred to/from Blackberry devices in North America.

For me, this provides another reason not to use Blackberry.  Personally, I’d not be happy with transferring messages over a third-party organisation’s servers.  I also don’t like the idea of installing some software on my Exchange servers that increases complexity AND requires a license/subscription per user.  Now, you have the fact that an outage on their network will prevent your messages from being transferred.

The solution?  Use the push email functionality that was introduced as of SP2 for Exchange 2003 and is native to Exchange 2007.  There is no additional software, no additional licensing and it grants you control over your Windows enabled PDA/phone devices.  Furthermore, it uses your Internet connection and nothing else.  You won’t care if Blackberry’s network goes down because no one else’s network or servers are involved in your message transfer.

So keep it simple and use the functionality that is there in the software you already own!

Credit: The Register.

Security Alert KB935964 Update

Microsoft Security have seen some attacks on this vulnerability "in the wild" over the last few days.  It is not widespread yet.  MS is still working on a fix and hopes to issue it in the May Patch Tuesday bundle.  If you are concerned then check out the article by Jesper Johansson that I linked to a few days ago.  MS also included some workarounds in their original security alert.

Updated: SMS 2003 Inventory tool for Dell Updates

Dell have updated their Inventory tool for managing Dell computers using SMS 2003 (SP1 or later).  This will enable you to manage BIOS versions, Dell management software and drivers using SMS 2003 on Dell computers.

It uses the old Inventory Tool method:

  • An advertisement runs a synchronisation tool that downloads a catalog.
  • You approve updates for deployment – this creates a package to be deployed to clients.
  • An inventory tool runs on SMS clients (via an advertisement) to download and install the update packages.

I wonder if Dell and HP have started looking at Configuration Manager 2007?  It doesn’t natively use the Inventory Tool approach for software updates.  Instead it uses Deployment Packages and a new Client Agent.  Third-party catalogs can be imported into CM 2007 using the System Center Updates Publishing tool … it’s similar to the Custom Update Publishing Tool in SMS 2003 R2’s Inventory Tool for Custom Updates.

KB935964: Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution

Microsoft has issued an alert over a vulnerability in the DNS Server service on Windows 2000 SP4 and Windows 2003 SP1 and SP2.  You can safely assume that if you are running a version of these OSs previous to these service packs (i.e. an unsupported one) then you are affected as well.

Jesper Johansson has posted a blog entry showing how to apply Microsoft’s recommended mitigation action to a large number of computers via a server listing and a command line configuration.  It’s up to you if you wish to apply this change.  My advice is to do it if you feel you are seriously at risk.  Make sure you have fully tested it and have a back-out plan that is also tested.  In the end, it’s up to you what you do!

The Microsoft Security Response team has said that they are working around the clock to develop a working and stable fix that they can deploy to close the vulnerability off.

The Two Most Effective Malware Families For Q1 2007

The Register is reporting that, according to Panda Software (AV company), the two most common families of malware that are causing infections are Sdbot and Gaobot.  I suggest that you follow those links to read over what is causing this havoc.

Let’s look at a few things.

Both of these forms of malware are OLD.  Microsoft has old software updates that are relevant to these malware products.  This is not a new story.  Nimda, SQL Slammer and Blaster all used vulnerabilities that MS had released updates for many months in advance.  These days, there are no excuses for not maintaining patch levels.  You’ve got free solutions like WSUS and the SMS 2003 Inventory Tool for Software Updates, as well as HFNetChk Pro, all available to use.  Don’t fall into the trap of thinking updates are only necessary for MS products.  I only read today that 3 Cisco Wifi products had been found to be vulnerable.  Many UNIX/Linux systems have updates available but they are never applied.  More importantly, every now and then you hear of problems with Checkpoint … funny … I can’t remember hearing of any problems on ISA 2004 or ISA 2006 🙂

Seeing as these products are old, you’d think that AV would protect people.  I can’t recall how many sites with Symantec or Norton I’ve visited where they’ve had problems with agents becoming orphaned or updates failing.  And what’s worse?  These organisations accept this behaviour and continue to subscribe to these "solutions".  My suggestions?  A) Replace these products with better solutions.  Check out AV-Comparatives for an idea of how these companies rate.  And ask around.  Don’t just accept the word of a salesman or some marketing bluff.  B) Use a third-party solution to audit your AV status.  I’ve used SMS in the past to audit the DAT files of Trend Micro OfficeScan, even though I had useful reports from the product itself.

Control access to non-relevant services.  What do I mean?  These products are spread by the likes of IRC … that’s a chat tool that is full of the sorts of advertising that … shall we say … isn’t child friendly.  What has this product got to do with doing your work?  For the vast majority of organisations it is totally irrelevant.  The solution is to set up your firewall(s) to only allow necessary outbound traffic from limited resources and to install a proxy server with proxy filtering software.  Using these you can control what is being done over your Internet link.  Depending on your jurisdiction and agreements with employees, you may even be able to monitor and report on their activity.  Check this out with all necessary lawyers/solicitors before attempting this.

How did this software install itself?  I can’t say for sure but it sounds like it requires local administrator access.  The truth is, most malware is pretty dumb.  It usually requires local admin access to install.  For years experts, including MS, have been saying that ordinary users should be running without admin access and admins should be running using "least privilege".  What’s that?  If you are a domain admin, do you really need to be logged into your PC as a domain admin to read your mail or surf the net?  Instead, why don’t you run a virtual machine (using one of the free products out there) on your PC that has all of your admin tools on it?  Log into your PC as an ordinary user and into your virtual machine as an admin/domain admin.  Your risk is limited and you have not made your job any more complicated.  In fact, it’s probably easier because VMs are mobile and can be quickly replicated or reset to a previously known acceptable state.  And there’s better news if you have Windows Vista.  By leaving UAC enabled, you can log in as admin but still not run anything as admin unless it’s required and has been OK’d by you when the OS asks.  E.g. you are browsing the net and a website tries to run a program on your PC without you initiating it.  It will require admin access, thus elevating its rights.  You’re actually logged in as an admin but you’re not actually using those rights.  The OS will request a rights change from you.  You’ll know something is wrong and can prevent the program from running.

Finally, you can take things a step further and lock down your desktop network.  Group Policy is a simple and quick way to accomplish this.  Lock down features of Windows that are not required or are considered a realistic risk.  You can use security templates to control rights assignment.  Make sure you understand this technology before trying it out!  You can use tools such as Desired Configuration Management from SMS 2003/CM 2007 to audit machine configurations.  And you can also use the SMS 2003 R2 Scan Tool for Vulnerability Assessment or the free Baseline Security Analyser to audit the security configurations of your PCs and servers against MS best practices.

I hope you can see that a few simple things will protect you.  Considering that these two families of malware are so effective, it would indicate that not everyone is listening to the advice.

Credit: The Register.

System Center Capacity Planner 2007 Beta Available

SCCP 2007 is now available on MS Connect for public beta testing.  SCCP offers you the ability to model and simulate loads and scalability for Exchange Server 2007 and Operations Manager 2007.  You can also introduce "what if" scenarios, e.g. what happens if a server is removed.

SCCP is the first component you should encounter when adopting Microsoft’s Dynamic Systems Initiative (DSI).  DSI is a new approach that uses automation and built-in knowledge to support the entire infrastructure lifecycle.  You’ll likely have read or heard about how MOM and SMS fit into this … they are key components but ideally, they should come later.

The starting point is modeling.  You build a model using a tool that advises you on best practices, scalability and performance.  You can introduce scenarios such as growth, redundancy and disaster.  Using this model you can architect your infrastructure with predictable results.

Currently, SCCP only supports Exchange and OM but we can expect future releases to include other tools.  We’ve seen Excel spreadsheets for modeling AD design so don’t be surprised to see that taken to the next level.  Also, I wouldn’t be surprised to see Visual Studio (if it doesn’t already do it) include a modeling solution for business applications, including web servers, SQL servers, clusters, etc.

Taking your model, you architect and deploy your infrastructure.  You can then monitor it using OM 2007 – it includes a service modeling feature where your business application (consisting of many devices, servers or applications) is considered as a single offering or service.

MS Virtualisation Schedule Update

The Windows Server Virtualisation team announced an update to release schedules yesterday.  The public beta of Windows Server Virtualisation (Longhorn Hypervisor) will be in H2 2007 and not H1 as previously announced.  SP11 for Virtual Server 2005 R2 will be released in Q2 2007 and not Q1 as previously announced – wow … that’s great considering we’re already in Q2 🙂

The Longhorn Virtualisation product is being delayed because MS is making it more scalable, i.e. it will support 64 CPUs in a host server.

Microsoft Licensing Support for VDI and OS Streaming

Microsoft has changed their licensing for Windows Vista for two scenarios that have been employed for some time by forward thinking organisations but have been ignored by Microsoft up till now.

Brian Madden has looked into these changes and analyses how they will impact MS customers.

OS Streaming

This is where a desktop operating system is not installed on a client PC.  Instead, it is streamed from a server (or servers) to clients as required, e.g. Ardence.  This allows administrators to manage a single desktop image and to deploy changes very rapidly.  Strictly speaking, Brian says, you have required a license for the desktop and a license for the streamed image in order to comply with MS licensing.

The change that has been made to Vista licensing allows you to run this solution with a single desktop license for each client PC, as opposed to 2 per PC.

VDI

This solution is where clients access a server-hosted virtual machine with a desktop installation via RDP, e.g. you could run Vista on VMware ESX and allow clients to RDP into their OS from a Wyse terminal.  Again, the solution gives a user their own desktop.  It has none of the complexity of server-based computing (e.g. Citrix) and allows admins to update desktop images almost instantly.

Microsoft refers to this technology as VECD.  Again, Vista is being covered so that only 1 license per client is required.

The Catch

Vista Enterprise is the only edition being covered by this license amendment.  This version of Vista is only available to Software Assurance customers.

Brian goes into more detail and I’d highly recommend that you check out his post and his site for more details on these technologies.

Credit: Brian Madden.