Daylight Savings Time: USA and Canada

Our friends across the water are starting Daylight Savings Time earlier this year … three weeks earlier.  To accommodate this you’re going to need to deploy some updates.  Microsoft has prepared a page with a complete explanation of the situation.

This is one of those situations where you will wish that you had monitored Microsoft’s support policies.  They are only producing updates for currently supported products.  The Windows 2000 update is only available under extended support.

The update is available now as part of WSUS updates and Windows Update.  It’s currently listed as an optional update but it’s likely to increase to Important or Critical.

It’s important that North Americans, anyone managing branches in North America or anyone with machines that roam there read this article and take the actions they deem necessary.

As always, test the update first before deploying it in a live environment.

TechNet Ireland Event: Building End-To-End Infrastructure Security

Colm Torris at TechNet Ireland has announced another event that will be held on February 15th in the Griffith College Conference Centre.  The event will feature John Craddock and Sally Storey, a pair of consultants/authors who are usually featured as pre-conference class hosts at Microsoft Europe events.

The event is all about securing your network and will go on for a full day.  Topics will include:

  • Identifying business assets
  • Threat modeling
  • Security policy and response planning
  • Deploying IPSec for domain and server isolation
  • Building rules and filters
  • Identifying protocol and port requirements
  • Firewall configurations
  • Managing server roles and lockdown policies
  • Patch management and compliance testing
  • Creating Software Restriction Policies (SRP)
  • Least privileged user access
  • Establishing client security and software policy
  • Client and server attack vectors
  • Managing through group policies
  • Network Access Protection (NAP)
  • Vista security enhancements

Colm recommends that you register ASAP because this sort of event fills up quickly.

MOM 2005 Management Pack: SharePoint Server 2007

Microsoft has released a new MOM 2005 management pack for SharePoint Server 2007.  The details from Microsoft are:

This Management Pack quickly brings any failures or configuration problems to your attention, which increases the availability and performance of Office SharePoint Server 2007. This Management Pack also provides the knowledge and expertise you need to leverage MOM 2005 and get an immediate return on your investment.

Feature Summary:

This Management Pack alerts you about the following critical conditions:

  • Shared Services Provider (SSP) provisioning failed
  • Site Directory scan job failed
  • Enabling features failed on some sites
  • Administration site for the SSP is missing
  • Enabling features on existing sites failed
  • The Office SharePoint Server Search service is not running
  • The Microsoft Single Sign-On service is not running
  • The Office Document Conversions Launcher service is not running
  • Failed to connect to parent server farm
  • SSP synchronization failed
  • The Office Document Conversions Load Balancer service is not running
  • Failures in content deployment jobs
  • Poor cache performance
  • Error during document copy or move operations
  • Errors with the Information Rights Management (IRM) features
  • Failures in the Document Conversion feature
  • Out of Memory exceptions coming from form business logic
  • Denial of Service scenarios
  • Failures during form processing or while loading business logic assemblies

Microsoft Updates: January 2007

The following updates will be available from Microsoft Update within the next few hours:

Critical
  • MS07-002: This update resolves vulnerabilities in Excel that could allow remote code execution – Office
  • MS07-003: This update resolves vulnerabilities in Outlook that could allow remote code execution – Office
  • MS07-004: This update resolves vulnerabilities

Important
  • MS07-001: This update resolves a vulnerability in Office that could allow remote code execution. User interaction is required for an attacker to exploit these vulnerabilities – Office (Brazilian Portuguese Grammar Checker)

There are only 4 updates this month.  Early notifications said there would be 8 but Microsoft changed their minds very late in the process.

Neither Windows Vista nor Office 2007 appears to be affected.

Forefront Client Security 2007 Whitepaper

I’ve just finished a guide to Microsoft’s Forefront Client Security 2007.  It’s based on the current public beta release.

No one can reasonably argue against the need to deploy anti virus software. It’s been common practice for many years. Recently, the need for a solution to other forms of malware, i.e. spyware, has become apparent. Leading vendors introduced solutions that worked, and in some cases, worked very well indeed.

But recently, we’ve seen things change. The need for anti malware solutions has not abated. Far from it, there’s a bigger need than ever. Unfortunately we’ve seen some of the major players in the anti malware market lose sight of what they should be doing. Instead of giving us a reliable anti malware solution with simple deployment, reliable updates and dependable reporting they’ve decided to give us frequently changing all-in-one security solutions. They end up being unreliable and hence insecure, too complex to configure and in some cases buggy to the point where agents on computers no longer function correctly.

I’ve recently had the *ahem* pleasure of working with the latest version of the product from the largest player in the anti malware market. Their product used to be seen as a market leader but it soon became clear to me that in the case of this Synful product, the cure was worse than the disease. Unfortunately, my experience was not unique. On chat forums I noticed that many were in agreement with my findings. Many others were also unhappy with their experiences with a McScanner from another vendor.

In 2003, Microsoft purchased a Romanian anti-virus company called GeCAD. Microsoft also purchased an anti spyware company called Giant in 2004. Soon afterwards we saw the beta release of a standalone antivirus product that would eventually become known as Defender. But there was no word about an anti virus solution for quite some time. Some bits of information were released or leaked out. We heard there would be a corporate solution. It would be controlled via group policy. Updates would be deployed via WSUS.

Defender was released as a standalone product as a free download for XP and as an included feature with Vista. Our first glimpse of the Microsoft anti spyware engine was in Microsoft Antigen 8.0 in the summer of 2006 which was quickly updated to Forefront Security for Exchange. Then we saw the beta release of the home security solution called OneCare which included anti spyware and antivirus defences. Obviously, given the time that had passed since the initial purchase in 2003, Microsoft had been doing some serious development and engineering.

Finally, at the end of 2006 at IT Forum in Barcelona, we saw the first public beta release of Forefront Client Security (FCS). FCS would be the corporate solution from Microsoft for defending Microsoft networks against malware threats.

With much fanfare, Microsoft representatives proudly presented their product. I watched webcasts and read updates. I quickly signed up for the beta and read documentation. It was pretty clear to me that Microsoft had listened to the market and heard what people wanted from an anti malware solution. I kept hearing the same messages from Microsoft about FCS, over and over again:

  • It was simple. There is no need to have more than one dialog box to define agent policy.
  • It reused available technologies we are familiar with. It uses group policy to distribute agent policy and WSUS to approve and distribute updates.
  • It is reliable. There is no need for an anti malware solution to be a firewall, an intrusion detection system, a kettle, a kitchen sink, etc.
  • It produces timely and accurate status information in simple and accessible ways.

It all sounds amazing. It sounds perfect. But is it all too good to be true? The rest of this document will be spent looking at the product. I’ll be looking at the below while giving my opinions:

  • System requirements.
  • Architecting the solution.
  • Deploying the solution.
  • Usage of the solution.

For the purposes of this document I have been using the latest public build of FCS (beta 2) on Windows 2003 R2 with Windows XP SP2 in a VMware environment. I have also downloaded and installed the pre-requisites, including WSUS (2.0).

The document continues …

Filter Manager Rollup for Windows XP SP2

Microsoft has released a hotfix that is a pre-requisite for Forefront Client Security on Windows XP SP2.  FCS is Microsoft’s new anti malware solution for corporate networks.  It’s currently in public beta. 

This hotfix must be installed on your XP SP2 clients prior to installing the FCS client.

I’m actually in the middle of writing a document on FCS.  It’s taking a bit longer than I expected but I expect to post it here in the next few days.  At first glance on reading the documentation, I wasn’t so impressed with the architecture but once I realised how it could be employed on medium to large networks I started to see how it could live up to the simplicity promise and reduce h/w expenditure for security solutions in a multi-branch network.

ISA 2007 In Private Beta

I saw something on MR&D earlier today and Bink has just confirmed it: ISA 2007 has been released to selected testers for a private beta.  Some new features allegedly include:

  • Full NAT support
  • Redundant ISP connections
  • IPv6 support (the Chinese deployment is really forcing this)
  • SSL VPN connectivity (an interesting solution from the Whale Communications acquisition)
  • Support for 64 bit computing (this will be required for SBS "Longhorn").

Microsoft Exchange Server Jetstress Tool

You’ll often find people on support forums looking to know if their disk subsystem has been adequately configured for their Exchange server.  Sure, we’d all love to have a disk subsystem with arrays for OS, paging file, database log, database, database log n, database n, etc. but few have the budget.  But the question always remains, will my server handle the load?

Microsoft have given us a tool that will let us know if the subsystem is capable or not.  You run the tool and specify a number of users to simulate.  You then use your performance monitoring tools to monitor the server and the disks.  Microsoft does mention that this should not be done during production operation. 

There’s a 32bit and a 64bit version and it’s supported on newer versions of ESE.DLL on Windows 2000 and Windows 2003.  They also list newer Windows OS platforms… I guess this means "Longhorn".

Microsoft Desktop Optimisation Pack

Back in October I posted some information about the then forthcoming Desktop Optimisation Pack (Optimization for anyone with a USA spell checker!).  I just noticed on Bink today that the pack is now available to download on the MSVL site.

This pack will be of great use to anyone who is considering deploying Windows Vista in the near future.  I won’t rehash everything I wrote before … you can read that in my original post.  But this pack will aid systems administrators in the deployment and management of their desktop network:

  • Application deployment will become a breeze where you will no longer have to worry about applications working on Vista or with each other.
  • Group Policy management can become more structured and controlled.
  • Detailed information (even more than SMS can do!) about the deployed applications can be gathered.
  • Helpdesk will be armed with desktop diagnostics and repair tools.

Each of these suites is a result of Microsoft acquisitions of best of breed, innovative solutions in the last year: Softricity, Winternals, AssetMetrix and DesktopStandard.

Here’s the bad news.  This pack is only available to software assurance customers.  Considering how PO’d many people are with SA after the XP "experience" I don’t think many will re-up this time around, despite the promise of a new release of Windows Vista "R2" in two years’ time.  This will also alienate customers who cannot afford or justify SA, probably leaving them on XP or W2K for many more years.  And as far as I know (I could be wrong here), the Desktop Optimisation Pack still will cost around $10/seat for SA customers.

We’ve seen Microsoft change some licensing terms for the benefit of customers in recent years, e.g. Virtual Server and Virtual PC so I really hope they change their minds about restricting this pack to SA customers only.