NTFS Inheritance Rule Change

Up until recently, NTFS permissions have followed these inheritance rules:

• If a file or folder is copied to some other location, it will inherit the new location's NTFS permissions.
• If a file or folder is moved to some other location on a different disk drive, it will inherit the new location's NTFS permissions.
• If a file or folder is moved to some other location on the same disk drive, it will retain the original location's NTFS permissions.

One of the NTFS inheritance rules changed in Windows 2008, R2, Windows Vista, and Windows 7. Now if you move a file or folder, it will inherit the new location's NTFS permissions, even if the new location is on the same disk drive. This is a radical shift that you need to taken into account when you're moving files.

You can find a reference to this change in the Notes section in the Microsoft article "Inherited permissions are not automatically updated when you move folders".

Thanks to Murat Yildirimoglu, an MCSE and MCT in Istanbul, Turkey, for the article.

---

Subscribe in a reader Subscribe by Email

How to Test LDAP over SSL Connections

This article explains how to test that a directory server (typically, a Domain Controller or ADLDS server) is configured properly for LDAP/SSL connections. The tools described work with Windows-based systems (Windows XP and above).

First, you will need the LDP.exe utility. LDP is a Lightweight Directory Access Protocol (LDAP) client that allows users to perform operations (such as connect, bind, search, modify, add, delete) against any LDAP-compatible directory, such as Active Directory, ADLDS or ADAM.

LDP can be found for different platforms in the following locations:

• Windows XP Service Pack 2 Support Tools


• For Windows 2000, the support tools are located on the Windows 2000 CD in the Support\Tools folder


• Windows Server 2003 Service Pack 2 32-bit Support Tools


• LDP.exe is installed by default in Windows Server 2008 and Windows Server 2008 R2 installations

To test LDAP over SSL connections, do the following:

• Run the LDP utility (typically, click Start > Run > LDP)


• In the LDP menu, click Connection > Connect


• Enter the directory server name or IP address, the port (typically, 636 for secure LDAP), and check the SSL checkbox, as shown below, then click OK:



• If the connection is successful, you will see a list of output similar to this:

Note that the connection string in the title of the LDP window indicates that the connection is made using ssl

• If you get an error saying, "Cannot open connection," LDP cannot establish a secure connection to the directory server. In this case, it's very likely that the server is not configured properly for LDAP over SSL. Verify the server name/IP address and port number. You can also use the Portqry tool to verify that the directory server is listening on the correct port. Use "portqry /n servername /e 636" to check that servername is listening on endpoint (port) 636.


• The following LDP output indicates that the connection failed because the certificate used in the SSL connection cannot be trusted:

ld = ldap_sslinit("dc01", 636, 1);
Error <0x0> = ldap_set_option(hLdap,LDAP_OPT_PROTOCOL_VERSION, LDAP_VERSION3);
Error <0x51> = ldap_connect(hLdap, NULL);
Server error: {empty}
Error <0x51>: Fail to connect to dc01.

I found a cool utility on Novell's website that can be used to view the SSL certificate on a remote directory server. Download the View Directory Certificate utility and extract the files to a temporary folder. Then run ViewDirCert.exe:

Specify the directory server or IP address and click View Certificate. The certificate details will be displayed in a new window. If the certificate was generated by an untrusted Certificate Authority (CA) or is a self-signed cert that the host does not trust, you will see a warning as shown below:

You can configure the host to trust this certificate by either adding the CA to the local machine's Trusted Root Certifications Authorities store or by importing the self-signed certificate into the local machine's Trusted Root Certifications Authorities store.

---

Subscribe in a reader Subscribe by Email

Users... Ugh

Quote of the day:

"And don't even get me started on the kind of trash that average users install on their machines when they have local-admin rights. It's amazing how the most unsophisticated user, incapable of so much as a password reset without help-desk support, can find a way to install complex multi-tiered client-server front-end applications if the reward involves shopping or sports."  -- Bill Boswell, TechNet Magazine

---

Subscribe in a reader Subscribe by Email

How to Convert Local and Global Groups to Universal Groups

As you may know, Exchange Server 2007 and Exchange Server 2010 force you to create all new distribution groups as universal distribution groups.

The reason for this is that Exchange 2007/2010 requires a local Global Catalog (GC) server in the Exchange site to query for group expansion. A GC can expand domain local, global, and universal groups. However, domain local groups (and sometimes global groups) can only be expanded within the domain local scope. If the GC is a member of the companyabc.com domain, it will be unable to expand a domain local group in the sales.companyabc.com subdomain.

Universal groups can be used anywhere in the same Windows forest. A GC is able expand universal groups in any domain or subdomain in that forest, as long as the domain functional level (DFL) and forest functional level (FFL) are at least Windows Server 2003 Interim Level.

Obviously, the issue with group expansion only occurs in multi-domain "enterprise" environments, but Exchange 2007/2010 doesn't care. Distribution groups and mail-enabled security groups must still be universal groups, even in a single domain environment.
If you're moving from Exchange 2000/2003 to Exchange 2007 or Exchange 2010, you're going to want to convert all your domain local and global distribution and mail-enabled security groups to universal groups so they can be managed using the Exchange management tools.

You can change group types and group scope using Active Directory Users and Computers (ADUC), but you can only do one group at a time. When I first started writing this article I was convinced that Powershell was the best way to do this. But due to limitations in the way that Powershell accesses Active Directory, my scripts were getting quite large and complicated, even when using third party Powershell extensions like Quest's free ActiveRoles Management Shell for Active Directory. I started to look for other ways to perform bulk changes of distribution and security groups.

The most efficient way I found is to use the internal Windows dsquery and dsmod tools. These handy and oft-forgotten tools are installed with the operating system in Windows 2000 and later.

The following command will produce a list of all the groups in the domain and their scope (domain local, global, or universal) and whether the group is a security group. The output is redirected to the Groups.txt file:

This command can take a while to run if the domain contains a large number of groups. It took about a minute to process over 6,100 groups.

dsquery group -limit 0 | dsget group -samid -scope -secgrp > Groups.txt

The command to convert all domain local and global groups (both distribution and security groups) is:

dsquery group -limit 0 | dsmod group -c -q -scope u

The first part of this command uses dsquery to query AD for all groups and then pipes the collection to dsmod to convert each group to a universal group. The -c switch tells dsmod to output any errors and continue. The -q switch tells dsmod to run in quiet mode (suppress successful changes).

Note: Some groups cannot be converted to Universal groups. All of the Windows built-on groups are global and cannot be converted to a different group scope.

Also know that a global group cannot have a universal group as a member. When you see this error, it means that the group is a member of another group that cannot be converted to a universal group (for example, the built-in Account Operators group. Sometimes, this can be like chasing a rat down a hole. The groups may be so deeply nested that it's hard to find the group that is preventing the conversion.

Sometimes it helps to run the conversion command again. For example, dsmod may be unable to convert Group-A to a universal group because it contains the domain local group, Group-B. Later in the process, Group-B is converted from a local group to a universal group. If you run the conversion again, Group-A can now be converted.

Note: Exchange 2007 and Exchange 2010 will automatically convert universal distribution groups to universal security groups if the distribution group is used to apply security settings for a MAPI or Public Folder. My next article will cover this in more detail.

---

Subscribe in a reader Subscribe by Email

How to turn off the "Do you want to view only the webpage content that was delivered securely?" security warning in IE8

A common question I hear from users of Internet Explorer 8 is, "How do I disable the 'Do you want to view only the webpage content that was delivered securely' in IE8?", as shown below.

Before I explain how, you should understand what it's warning you about. You will see this warning whenever HTTP (non-secured) elements are displayed on an HTTPS (secured) web page, which means these elements are not encrypted. Typically, these elements are just embedded images, but they could also be areas of the page where information can be entered.

By clicking Yes (the default), you will only see the secure areas of the page and will know what areas are secured. If you disable the warning, you will not know which (if any) of the elements are the page are not secured.

To disable the security warning, follow these steps:

• Click Tools > Internet Options
• Click the Security tab
• Click the Internet zone and click the Custom Level button
• Scroll down to the Miscellaneous area and change Display mixed content (shown on the left) from Prompt to Enable
• Click OK

---

Subscribe in a reader Subscribe by Email

Be Aware: Windows Server 2008 SP2 Re-enables Disabled NICs

Be aware installing Windows Server 2008 Service Pack 2 (SP2) will re-enable any network adapters that were disabled prior to the update. This will also affect computers updated with Windows Vista Service Pack 2.

[Before installing SP2]

[After installing SP2]

This is important for several reasons. It is best practice on Hyper-V servers to disable the virtual NIC assigned to VM guests, so that a host with a dedicated management NIC does not use the NICs assigned to VM guests. SP2 re-enables all these virtual NICs, as well.

Sometimes disabled NICs should only be enabled for disaster recovery purposes. Enabling these NICs at startup could have dire consequences in these rare situations.

It's important to understand that if you're using the Windows Firewall, the server uses the most secure firewall network profile for all NICs. If your domain joined computer has more than one NIC, but only the NIC that is used to connect to the domain is enabled, the Windows Firewall uses the Domain Network profile. However, after installing SP2 the computer will start up with all NICs enabled. If the previously disabled NICs are not connected, the Windows Firewall will use the Public Network profile, which uses much different firewall policies -- potentially causing service interruptions.

My advice is to document your network connections prior to installing Windows Server 2008 SP2, so you can reconfigure them when your done with the update.

---

Subscribe in a reader Subscribe by Email

Steve Riley let go from Microsoft

Wow, here's a shocker. Steve Riley, a popular Microsoft security expert, has been let go by Microsoft just 5 days before TechEd begins. Steve writes,

"... as a part of Microsoft’s second round of restructuring, my position was eliminated yesterday and my employment with Microsoft has ended."

Steve was scheduled to provide several sessions at this year's Teched, most of them I scheduled myself to attend. I can't say how many sessions he had since Microsoft has already removed his name as a speaker from the TechEd session schedule.

Steve’s career at Microsoft began in 1998 in the telecommunications practice of Microsoft Consulting Services. When he left he was a senior security strategist in Microsoft's Trustworthy Computing Group. He promises that he's not disappearing and will remain in the security industry.

Good luck, Steve! We'll miss you at this year's TechEd.

---

Subscribe in a reader Subscribe by Email

Stop Spamming Yourself!, Part 2

Frequently, you may receive spam from the Internet that appear to come from your own domain name. This is a common tactic used by spammers to bypass spam filters.

In an earlier article, I showed how to configure Exchange 2007 to reject all SMTP emails from the Internet that supposedly come from your own domain name. We did this by adding your domain name to the Sender Filtering / Blocked Senders configuration on the Edge server.

While this works perfectly, it goes against a Microsoft best practice and doesn't provide for any exceptions. This article will show how to accomplish the same thing using an Edge Transport Rule, as well as how to configure an exception. Let's get started.

• Logon to the Edge Transport server, open the Exchange Management Console, and navigate to Microsoft Exchange > Edge Transport > Transport Rules tab.
• Click New Transport Rule in the Actions pane to open the New Transport Rule wizard.
• Enter a name for the rule and any comments, as shown below, and click Next.

• For the Conditions in Step 1, click "when the From address contains text patterns" and "from users inside or outside the organization"
• In Step 2, click the words "text pattern" and add your domain name (i.e., extpa.com). Click the work "Inside" and change it to "Outside". Click Next

• Now we will set the Action to take upon these messages. In Step 1, click "set the spam confidence level to value" and "reject the message with status code and response"
• In Step 2, set the SCL to "-1". We do this so that the exceptions configured on the next page will not go to the users' Junk E-mail folders in Outlook. Click Next.

• For the Exceptions in Step 1, click "except when the text specified words appear in a message header"
• In Step 2, click "specific words" and add the domain of the sending server (i.e., opentable.com). OpenTable.com is an online restaurant reservation system that emails invitations to people when a reservation is made. It spoofs the emailed invitation to looks like it came from the sender. Because of this, it would normally be rejected if it weren't for this exception.
• Click "message header" and enter "Receive". Click Next.

• Click New and Finish to create the new Transport Rule.

The rule will now reject all emails from the Internet that claim to be from your domain name, unless the SMTP Receive header contains the text "opentable.com". It will also set the SCL so that the exception will not be classified as spam by Outlook.

The rule above can also be configured using the Exchange Management Shell using the following command:

new-TransportRule -Name 'Reject inbound emails from expta.com' -Comments 'Exception: Opentable.com' -Conditions
'Microsoft.Exchange.MessagingPolicies.Rules.Tasks.FromAddressMatchesPredicate','Microsoft.Exchange.MessagingPolicies.Rules.Tasks.FromScopePredicate'
-Actions
'Microsoft.Exchange.MessagingPolicies.Rules.Tasks.SetSclAction','Microsoft.Exchange.MessagingPolicies.Rules.Tasks.SmtpRejectMessageAction'
-Exceptions
'Microsoft.Exchange.MessagingPolicies.Rules.Tasks.HeaderContainsPredicate'
-Enabled $true -Priority '0'

The code above is meant to entered as one single line.

---

Subscribe in a reader Subscribe by Email

How to Invoke the Window Update Dialog from the Command Line

To run the Windows Update client from the command line, run the command WUAUCLT /ShowWU.

This is useful when the Windows Update icon disappears when you click it. Typically, this means that the Windows Update client is corrupt. When you run wuauclt /ShowWU on these machines, it will bring up the Windows Update dialog box above, but it will show some type of error indicating that it could not download updates. Installing the current Windows Update client will fix this.

You can download the latest Windows Update client (7.2.6001.788) from these locations:

• WindowsUpdateAgent30-x86.exe
• WindowsUpdateAgent30-x64.exe

---

Subscribe in a reader Subscribe by Email

How to Install a new Certificate on ISA 2004

If you use ISA 2004 to secure an SSL-enabled website such as Outlook Web Access (OWA), you need to install a web listener in ISA. This web listener intercepts (listens) for SSL web traffic destined for the HTTPS server.

Usually, you'll set this up when you configure your ISA server, but eventually the certificate you installed will expire and need to be replaced. This post describes how to do this.

In a nutshell, you have to install the certificate on the OWA server, configure IIS to use it, and then export it with the private key as a PFX file. Then you import the PFX file to the Personal store for the local computer on ISA. Just follow the bouncing ball...

First, you need to request and order a new SSL certificate. This can be done several ways, but usually ends with you getting an email from the certificate authority (i.e., Verisign) with your new certificate. The certificate is in the format of:

-----BEGIN CERTIFICATE-----
.....
.....
-----END CERTIFICATE-----

You simply need to copy and paste the certificate into Notepad and save it as something like C:\Webmail.cer. Be careful to only save the text between the BEGIN and END CERTIFICATE statements (including the leading and trailing dashes).

Now you need to import the certificate into IIS on the web server. Again, there are several ways to do this depending on how you ordered your cert, but this should work everytime:

• Click Start > Run and enter MMC
• Click File > Add/Remove Snap-in and add the Certificates snap-in
• Select Computer account > Next > Finish > OK
• Now your should see Certificates MMC for the local computer, as shown here:

• Expand Certificates (Local Computer) > Personal
• Right-click Personal and select All Tasks > Import
• Browse to the C:\Webmail.cer file you saved earlier
• Click Next to store it in the Personal store and Finish to complete the import
• Don't close the Certificates MMC yet. You'll need it later in this process.

Next, you need to tell IIS to us the new certificate.

• Open IIS Manager and navigate to the Default Web Site that uses SSL
• In IIS 6, view the properties of the web site and click the Directory Security tab. Then click Server Certificate, Next and Replace the Current Certificate. Select the new cert you imported and compete the wizard.
• In IIS 7, click Bindings and edit HTTPS. Then select the new cert you imported and close the Site Bindings window and IIS Manager.

Now that IIS is using the new certificate on the OWA server, you need to export the cert and its private key to import on the ISA server.

• Now go back to the Certificates MMC and click refresh on Certificates in the Personal store
• Select the certificate you imported
• Right-click the certificate and select All Tasks > Export
• Click Next and choose Yes, export the private key
• Click Next twice and enter a password for the exported file.
• Complete the wizard, saving the PFX file in a temporary location
• Copy the PFX file to your ISA 2004 server

Next, we import the certificate into ISA and configure the ISA listener.

• On the ISA server, double-click the PFX file you exported
• Follow the Certificate Import Wizard and place the file in the computer's Personal store
• Now open the ISA Server Management Console
• Select the Firewall Policy
• Click the Toolbox tab on the right and expand Web Listeners
• Double-click the web listener you want to update to edit it
• Click the Preferences tab and click Select
• Select the new certificate and close the listener properties
• Apply the ISA changes

Finally, you're done!!!

---

Subscribe in a reader Subscribe by Email

Stop Spamming Yourself!

We all knew that the huge decrease in spam that occurred after mccolo.com was shutdown would be short-lived.

Recently, I've a seen large increase in the amount of spam to me apparently coming from me.

Note: Exchange 2003 and 2007 displays the "from" address
of these emails as the full SMTP address (i.e., jeff@expta.com), rather than the resolved name (Jeff Guillet), to show that the email actually came from outside the company.

To stop spamming yourself, configure your SMTP gateway server to reject all external emails from your domain(s). Here's how to do this using the Exchange 2007 Edge Transport server:

1. Open the Exchange Management Console (EMC) on the Exchange Edge Transport server


2. Expand Microsoft Exchange and select Edge Transport


3. Double-click Sender Filtering to open its properties


4. Click the Blocked Senders tab and click Add


5. Select Domain, enter your SMTP domain name, Include all subdomains, and click OK


6. Click OK again to close the Sender Filtering Properties window

Now the Edge server will not accept non-authenticated emails from your domain to your domain. Note that this does not affect any external Windows Mobile or Outlook Express clients from sending email into your domain, as long as these users are authenticated.

You can use the following VB script to test the new settings:

'VBScript to test SMTP email

CONST mailServer = "incoming.mydomain.com"
CONST emailAddress = "user@expta.com"

Set objEmail = CreateObject("CDO.Message")
objEmail.From = emailAddress
objEmail.To = emailAddress
objEmail.Subject = "Test Message"
objEmail.Textbody = "This is a test message."
objEmail.Configuration.Fields.Item _
("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
objEmail.Configuration.Fields.Item _
("http://schemas.microsoft.com/cdo/configuration/smtpserver") = mailServer
objEmail.Configuration.Fields.Item _
("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25
objEmail.Configuration.Fields.Update
objEmail.Send
MsgBox "SMTP Email sent successfully to " & emailAddress, vbInformation, "TestSMTP"

Change the mailServer variable to use your Edge Transport server name and the emailAddress variable to use your internal SMTP address. The script will send SMTP email to the email address from the same email address.

Before Sender Filtering is enabled, the script will return a success message:

After Sender Filtering is enabled, the script will return a Sender Denied message:

---

Subscribe in a reader Subscribe by Email

New Windows Update Client Available

Microsoft is releasing a new version of the Windows Automatic Update client, version 7.2.6001.788, for Windows XP, Vista, and Windows Server 2000, 2003 and 2008.

This update includes the same performance enhancements available in the last client:

• Improves scan times for Windows Update
• Improves the speed at which signature updates are delivered
• Enables support for Windows Installer reinstallation functionality
• Improves error messaging

This version also fixes a bug that limited the client to only downloading 80 updates at a time. This is important when trying to update an XP RTM computer, for example, since there are far more than 80 updates for this build.

The update will be slowly rolled out via Windows Update and WSUS over the next two months. You can also download the update directly from Microsoft here.

It may be important to know that Windows Update will automatically update the Windows Automatic Update client software, even if the computer is configured not to download automatic updates. The only way to prevent this is to completely turn off Automatic Updates (not recommended).

---

Subscribe in a reader Subscribe by Email

Cannot Add a Site to Trusted Sites

I ran into a weird problem today with a Windows Server 2003 SP2 server, where I could not add a site to the Trusted Sites zone. The error I got was, "There was an unexpected error with your zone settings. Unable to add this zone."

To fix the issue, enable Internet Explorer Enhance Security Configuration in Add/Remove Windows Components, add the desired site to the Trusted Sites zone, and then disable Internet Explorer Enhance Security Configuration again. That seems to fix the corruption in the Trusted Sites zone information. Future sites can then be added without issue.

---

Subscribe in a reader Subscribe by Email

Hiding in Plain Sight

Which Post-It note contains the correct password?

---

Subscribe in a reader Subscribe by Email

Using Exchange 2007 Header Firewall

Each time an SMTP email is passed from one server to another, the receiving server records the hand-off in the SMTP headers of the email. This is usually recorded like this:

Received: from ex01.companyabc.com (10.12.1.81) by edge.companyabc.com (12.5.1.168) with Microsoft SMTP Server id 8.1.278.0; Fri, 20 Jun 2008 15:17:46 -0700

Customers often do not like their internal email infrastructure exposed in the SMTP headers for security reasons. It displays private information, such as internal IP addresses and SMTP versions that can be used by bad guys for targeted attacks. In the example above, SMTP Server id 8.1.278.0 tells me that edge.companyabc.com at public IP 12.5.1.168 is running Exchange Server 2007 SP1.

You can remove this information from the SMTP headers on Exchange 2007 using a concept called Header Firewall. This is done using the remove-adpermission cmdlet in the Exchange Management Shell. If you use Exchange 2007 Edge server(s), run the following one-liner:

Remove-ADPermission -id "EdgeSync - companyabc to Internet" -User "MS Exchange\Edge Transport Servers" -ExtendedRights Ms-Exch-Send-Headers-Routing

Note: Replace "EdgeSync - companyabc to Internet" with the name of the Internet bound send connector. You can run the Get-SendConnector cmdlet to display the names of all the Exchange send connectors.

For Exchange 2007 implementations that do not use Edge servers, use the following:

Remove-ADPermission -id "companyabc to Internet" -User "NT Authority\Anonymous Logon" -ExtendedRights Ms-Exch-Send-Headers-Routing

Again, replace "companyabc to Internet" with the name of the Internet bound send connector.

Essentially, you want to remove the rights of the last user account that will handle the outbound SMTP from reading the Ms-Exch-Send-Headers-Routing attribute in Active Directory. For Edge servers that will be the MS Exchange\Edge Transport Servers user account and for everything else it will be NT Authority\Anonymous Logon. Doing so will remove all the internal relay entries in the header before the last Exchange server, making the email appear like it originated from that last server.

---

Subscribe in a reader Subscribe by Email

Pre-Conference Session with Marcus Murray

Monday I attended the pre-con session, "Step-By-Step Guide to Hack-Proofing Your Microsoft Network" by Marcus Murray. Marcus is a security rock star! Very funny and engaging.

Last year he scared the hell out of me when he demonstrated how easy it is to compromise a system and domain. Since then, I've unplugged the network cables from all my servers as a security precaution, but I'm sure that would only slow him down a little.

The session was very good, but it was a little slower paced than I was expecting and hoping for. The basic security concept is "you can't fix stupid." If the users have elevated rights (by that, I mean running with more permissions than they need to have to do their work) it's very easy to compromise their machine and use it as a springboard to the rest of the network.

The takeaway is this: You must kill your users. Kill zem all.

---

Subscribe in a reader Subscribe by Email

New Certifications

May 2008 was a busy month for me.

In addition to writing a book, I passed five exams in the first three weeks and earned my MCITP:Enterprise Messaging Administrator (the premier Exchange 2007 administrator certification) and three MCTS certifications (SCOM 2007, ForeFront and Exchange 2007).

That makes 34 exams in a row that I've passed without failing, including my CISSP. Yes!! The streak remains unbroken!

I've put together a certifications page that lists the current certifications that I hold, which I'm rather proud of.

Tomorrow I'm off to TechEd and I can't wait! I'll be blogging at least once a day while I'm there. Check my blog all week. If you're going to TechEd yourself, I might meet you at the TechEd Blogger Ultra Lounge. See you there!

---

Subscribe in a reader Subscribe by Email

Automatically Reset the FTP Service in Windows Server 2008

One of the more popular tips I've posted is, "How to automatically reset the FTP service," in Windows Server 2003. This tip is useful for public FTP sites where bad guys are trying to hack in, usually using a dictionary attack.

Doing the same thing in Windows Server 2008 is slightly different and has an important caveat - It will not work with the Microsoft FTP Publishing Service for IIS 7.0 yet. It will work fine if you use the standard FTP Publishing Service, included on the Windows Server 2008 DVD.

As in my original post, create a batch file named C:\Scripts\ResetFTPService.bat, as follows:

net stop msftpsvc
ping -n 10 127.0.0.1
net start msftpsvc

The batch file stops the FTP service, pings the loopback adapter 10 times to create a 10 second pause, and starts the FTP service again. Stopping the FTP service causes the hacker's session to be dropped immediately. Since no one can connect for 10 seconds, this creates a form of "tarpitting", making it too expensive to continue the attack.

To make the script run automatically on the correct event, use the Windows Server 2008 Task Manager:

• Right-click Task Manager (under Configuration in Server Manager) and select Create a Basic Task


• Name the task, "Reset FTP Service" and click Next


• Choose When a specific event is logged as the Task Trigger, click Next


• Select Log: System, Source: IIS-FTP, and Event ID: 100. Click Next


• Select Start a program and click Next


• Enter C:\Scripts\ResetFTPService.bat for the Program/script and click Next


• Click the checkbox for Open the Properties dialog for this task when I click Finish and then click Finish


• In the Properties window select Run whether user is logged on or not and Run with highest privileges


• Click OK


• Enter the User name and Password for running this task

This causes the ResetFTPService.bat batch file to run whenever an event ID 100 with source IIS-FTP is logged in the System event log.

Remember, this will not work with the Microsoft FTP Publishing Service for IIS 7.0 because this service strangely does not log failed logon attempts to the event log. I've posted a request to the IIS7 team for this functionality.

---

Subscribe in a reader Subscribe by Email

New File Extensions Blocked in Outlook 2003 SP3

After several months of testing, a client recently deployed Service Pack 3 for Microsoft Office 2003 to nearly 10,000 clients via WSUS. They have a scripted routine that they follow during testing of patches and updates to ensure that there are no interoperability issues, but of course, you can't test everything. I mean, how are you going to know that a certain update will prevent an HP 4200 printer from feeding from the secondary paper tray? And yes, I've actually seen that happen.

Well, shortly after deployment they start getting complaints that emails with links to Public Folders (XNK files) can't be opened on Outlook 2003. Could it be that Microsoft actually did this on purpose? After an hour or so of re-reading all the scattered documentation for Office SP3, including Information about certain file types that are blocked after you install Office 2003 Service Pack 3 and the Downloadable list of issues that the service pack fixes, I couldn't find anything that documented this change.

I opened a case with Microsoft and found that not only are XNK extenstions blocked, but several others are as well. Here's an unofficial list of the extensions blocked by Outlook 2003 SP3 (I apologize for all the blank space that Blogger inserts before this table, please scroll down):

File Extension	File Type
.ade	Access Project Extension (Microsoft)
.adp	Access Project (Microsoft)
.app	Executable Application
.asp	Active Server Page
.bas	BASIC Source Code
.bat	Batch Processing
.cer	Internet Security Certificate File
.chm	Compiled HTML Help
.cmd	DOS CP/M Command File, Command File for Windows NT
.com	Command
.cpl	Windows Control Panel Extension (Microsoft)
.crt	Certificate File
.csh	csh Script
.der	DER Encoded X509 Certificate File
.exe	Executable File
.fxp	FoxPro Compiled Source (Microsoft)
.gadget	Windows Vista gadget
.hlp	Windows Help File
.hta	Hypertext Application
.inf	Information or Setup File
.ins	IIS Internet Communications Settings (Microsoft)
.isp	IIS Internet Service Provider Settings (Microsoft)
.its	Internet Document Set, Internet Translation
.js	JavaScript Source Code
.jse	JScript Encoded Script File
.ksh	UNIX Shell Script
.lnk	Windows Shortcut File
.mad	Access Module Shortcut (Microsoft)
.maf	Access (Microsoft)
.mag	Access Diagram Shortcut (Microsoft)
.mam	Access Macro Shortcut (Microsoft)
.maq	Access Query Shortcut (Microsoft)
.mar	Access Report Shortcut (Microsoft)
.mas	Access Stored Procedures (Microsoft)
.mat	Access Table Shortcut (Microsoft)
.mau	Media Attachment Unit
.mav	Access View Shortcut (Microsoft)
.maw	Access Data Access Page (Microsoft)
.mda	Access Add-in (Microsoft), MDA Access 2 Workgroup (Microsoft)
.mdb	Access Application (Microsoft), MDB Access Database (Microsoft)
.mde	Access MDE Database File (Microsoft)
.mdt	Access Add-in Data (Microsoft)
.mdw	Access Workgroup Information (Microsoft)
.mdz	Access Wizard Template (Microsoft)
.msc	Microsoft Management Console Snap-in Control File (Microsoft)
.msh	Microsoft Shell
.msh1	Microsoft Shell
.msh2	Microsoft Shell
.mshxml	Microsoft Shell
.msh1xml	Microsoft Shell
.msh2xml	Microsoft Shell
.msi	Windows Installer File (Microsoft)
.msp	Windows Installer Update
.mst	Windows SDK Setup Transform Script
.ops	Office Profile Settings File
.pcd	Visual Test (Microsoft)
.pif	Windows Program Information File (Microsoft)
.plg	Developer Studio Build Log
.prf	Windows System File
.prg	Program File
.pst	MS Exchange Address Book File, Outlook Personal Folder File (Microsoft)
.reg	Registration Information/Key for W95/98, Registry Data File
.scf	Windows Explorer Command
.scr	Windows Screen Saver
.sct	Windows Script Component, Foxpro Screen (Microsoft)
.shb	Windows Shortcut into a Document
.shs	Shell Scrap Object File
.ps1	Windows PowerShell
.ps1xml	Windows PowerShell
.ps2	Windows PowerShell
.ps2xml	Windows PowerShell
.psc1	Windows PowerShell
.psc2	Windows PowerShell
.tmp	Temporary File/Folder
.url	Internet Location
.vb	VBScript File or Any VisualBasic Source
.vbe	VBScript Encoded Script File
.vbs	VBScript Script File, Visual Basic for Applications Script
.vsmacros	Visual Studio .NET Binary-based Macro Project (Microsoft)
.vsw	Visio Workspace File (Microsoft)
.ws	Windows Script File
.wsc	Windows Script Component
.wsf	Windows Script File
.wsh	Windows Script Host Settings File
.xnk	Exchange Public Folder Shortcut

Nothing p$%#es me off more than undocumented changes in functionality. At this point in time, this information is not documented ANYWHERE on Microsoft's website.

I certainly don't mind Microsoft fixing security holes, but for crying out loud, DOCUMENT IT!!! How do they expect us to roll out critical patches and updates if they change functionality and don't tell anyone? No one looks good when that happens.

---

Subscribe in a reader Subscribe by Email

TechEd 2008 Registration is Open!

TechEd 2008, the premier Microsoft IT learning experience, opened today for registration. I signed up as soon as the website came live. As you may know, TechEd is divided up into two separate events this year, Tech·Ed U.S. Developers (June 3-6, 2008) and Tech·Ed U.S. IT Professionals (June 10-13, 2008).

I'm thrilled to see that Marcus Murray is presenting a pre-conference seminar, "A Step-By-Step Guide to Hack-Proofing Your Microsoft Network." I wrote about Marcus at last year's TechEd, where he scared the living bejezus out of everyone in packed conference rooms. I can't wait to see what he's going to show off this year. I've removed the NIC from all my servers just to be safe. :)

As Brian Marble reported, TechEd 2008 will also be one of Bill Gates last public speaking engagements before he retires from Microsoft and embarks on his full time gig of giving money away. Bill and Melinda's philanthropy astounds me and warms my soul.

I'll be attending the Tech·Ed U.S. IT Professionals session. Let me know if you'll be going, too!

---

Subscribe in a reader Subscribe by Email

Exchange ActiveSync Policies

Exchange Server 2007 provides ActiveSync mailbox policies to allow administrators to manage the Windows Mobile devices that attach to the network. This allows you to apply a common set of policy or security settings to a group of users or even an individual user.

Exchange 2007 RTM included 16 policy settings. That number climbs to 27 in Exchange 2007 SP1 for the Exchange 2007 Standard CAL. The SP1 Enterprise CAL offers an additional 16 settings. Settings that only exist in the Enterprise CAL, such as controlling POP and IMAP, Bluetooth, WiFi, the camera and text messaging, make that CAL a compelling choice for some customers.

The Exchange Team blog has an in-depth explanation of ActiveSync policies, as well as a great chart that shows the different policies for each version and CAL. Read What's New for Exchange ActiveSync Mailbox Policies in Exchange Server 2007 SP1? Microsoft also has a policy reference on MSDN, Understanding Exchange ActiveSync Mailbox Policies. Keep in mind that these settings only apply to devices that support them. Some only work on Windows Mobile 6 and some mobile device vendors may strip support for them from their mobile devices.

Another important change in SP1 is that it now publishes a default EAS policy, where RTM requires you to manually apply the default policy.

---

Subscribe in a reader Subscribe by Email

DEP and Virtual Machines

Data Execution Prevention (DEP) is a security feature included in all versions of Windows since XP SP2. It’s intended to prevent an application or service from executing code from a non-executable memory region. This helps prevent certain exploits that store code via a buffer overflow, for example.

DEP runs in two modes: Hardware-enforced DEP for CPUs that support it, and software-enforced DEP for CPUs that don’t. Software DEP is performed by the operating system, and as such, has a (small) performance hit.

It may make sense to disable DEP in virtual machines (especially test VMs) to eek out a little more performance. Read on for an explanation of how to do this.

Software DEP configuration is controlled through switches in the Boot.ini file.

There are four options to set the DEP mode are:

• OptIn - Enables DEP only for OS components, including the Windows kernel and Windows drivers. Administrators can enable DEP for selected executable files with the Application Compatibility Toolkit (ACT).
  
• OptOut - Enables DEP for the OS and all processes, including the Windows kernel and Windows drivers. However, administrators can disable DEP on selected executable files with the Control Panel System applet.
  
• AlwaysOn - Enables DEP for the OS and all processes, including the Windows kernel and Windows drivers. All attempts to disable DEP are ignored, and all DEP configuration options are disabled.
  
• AlwaysOff - Disables DEP. Attempts to enable DEP selectively are ignored, and the DEP GUI is disabled.

In Windows Server 2008 and Vista, you use bcdedit to set the DEP mode. The DEP configuration can be viewed using the bcdedit /enum osloader /v command. To configure DEP, use the /set nx switch. For example, to set the currently booted OS to DEP AlwaysOff, you would use the command:

bcdedit /set nx AlwaysOff

You configure DEP in other operating systems from the Advanced tab Performance Settings of the System Control Panel applet.

---

Subscribe in a reader Subscribe by Email

Fixing Incorrect Directory Permissions in WSUS 3.0

I have a client with a fairly large WSUS deployment, comprised of 36 WSUS servers servicing over 10,000 computers and servers in a distributed environment. Recently, we upgraded the entire WSUS 2.0 SP1 infrastructure to WSUS 3.0. I noticed the following event on many, but not all, of the WSUS downstream servers:

Event Type: Error
Event Source: Windows Server Update Services
Event Category: Core
Event ID: 10012
Date: 1/2/2008 Time: 7:30:49 AM
User: N/A
Computer: SAFS01
Description: The permissions on directory D:\WSUS are incorrect.
For more information, see Help and Support Center at blah, blah, blah

These servers also suddenly began to fail its synchronization from the upstream server. Strangely, they all had been working fine for a few weeks after the upgrade. The solution is to modify the directory permissions as follows:

• The root folder of the local content directory must have at least Read permissions for the Users security group and the NT Authority\Network Service account. In other words, if the WSUS content directory is D:\WSUS\WSUSContent, the D:\WSUS directory must have the correct permissions. The BITS service will fail if these permissions are not set.
  
• The content directory itself (in the above example, the WSUSContent directory) must have Full Control permissions for the NT Authority\Network Service account.
  
• The temporary ASP.NET directory (%windir%\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files) must have Full Control permissions for the NT Authority\Network Service account.
  
• The system %TEMP% directory (usually %windir%\TEMP) must have Full Control permissions for the NT Authority\Network Service account.

After the permissions have been set correctly restart the Update Services service and check the Application event log for errors. You should be able to perform a synchronization successfully now.

---

Subscribe in a reader Subscribe by Email

How to Overcome Windows Protected Groups Permissions Problems

Windows Active Directory protects certain built-in groups from ACL modifications. The purpose of this is to prevent these groups, and their members, from becoming inaccessible by applying restrictive permissions to them. For example, an administrator my accidentally (or maliciously) assign Deny All permissions to the Domain Admins group. Doing so will prevent the Domain Admins group members from managing the domain.

To fix this condition, the AdminSDHolder process reapplies default ACL permissions to all protected groups. This background occurs roughly once per hour. A side affect of this is that it removes the permissions inheritance attribute from all AD objects that are members of these protect groups. Membership is transitive, meaning that a user may be a member of a group that is a member of a protected group and will be affected by this process. A common side effect of this behavior is that affected users cannot change properties of their user object in AD or reset their own passwords using ADUC.

As a resolution you can modify the ACL permissions on the AdminSDHolder container in the System container of the domain. The ACL permissions applied to the AdminSDHolder container act as the "template" that is applied to all Windows Protected Groups.

The protected groups in Windows 2000 are:

• Enterprise Administrators
• Schema Administrators
• Domain Administrators
• Administrators

The protected groups in Windows Server 2003 and in Windows 2000 after you apply KB327825 or Service Pack 4 are:

• Administrators
• Account Operators
• Server Operators
• Print Operators
• Backup Operators
• Domain Administrators
• Schema Administrators
• Enterprise Administrators
• Cert Publishers

In addition, the following users are also considered protected:

• Administrator
• Krbtgt

The following steps explain how to modify the permissions on this container to allow members of these groups to modify their own attributes and reset their passwords using ADUC.

• Run Active Directory Users and Computers (ADUC) with Domain Admin rights


• View advanced features by selecting Advanced Features from the View menu


• Select the System container in the selected domain


• Right-click the AdminSDHolder container and select Properties


• Click the Security tab and the Advanced button


• Under Permission Entries select SELF and click Edit


• Assign SELF Full Control permissions. Click OK.


• Click OK to close the Advanced Security Settings for AdminSDHolder window


• Click OK to close the AdminSDHolder Properties window

The new settings will propagate to all members of the Windows Protected Groups the next time the AdminSDHolder background process runs (about an hour).

---

Subscribe in a reader Subscribe by Email

How Strong is Your Password?

Think you have a strong password?

Microsoft has a nifty password checker that evaluates the strength of your password. Check it out here.

If a string of random characters is hard to remember, try using a passphrase instead. Something like, "I love my job!" turns out to be the best strength and is easy to remember.

---

Subscribe in a reader Subscribe by Email

Automatically Reset the FTP Service

[Click here for a Windows Server 2008 version of this article]

A client of mine utilizes the Microsoft FTP service in Windows Server 2003 IIS 6.0 on a public web server.

Unfortunately, the FTP service is notoriously insecure since it transmits passwords in plain text. It also does not offer any way to block brute force or dictionary attacks. Because of this, the client was seeing multiple failed logins from the Administrator account, several times per second. These show up as warnings in the System event log from the MSFTPSVC source with event ID 100. Since I always rename the Administrator account as a standard best practice, it was obvious these attempted logins were coming from an attacker.

Windows Server 2008 will offer Secure FTP (or FTP over SSL) as a separate download for IIS7, which will be the first major improvement to the protocol since it was developed. But being that my client is running Windows 2003, this isn't an option.

The solution I used involves the Windows EventTriggers utility. I created a batch file named C:\Scripts\ResetFTPService.bat, as follows:

net stop msftpsvc
ping -n 10 127.0.0.1
net start msftpsvc

The batch file stops the FTP service, pings the loopback adapter 10 times to create a 10 second pause, and starts the FTP service again. Stopping the FTP service causes the hacker's session to be dropped immediately. Since no one can connect for 10 seconds, this creates a form of "tarpitting", making it too expensive to continue the attack.

To make the script run automatically on the correct event, I use EventTriggers as follows:

eventtriggers /CREATE /TR "Reset FTP Service" /TK C:\Scripts\ResetFTPSVC.bat /L System /EID 100 /SO MSFTPSVC /RU ""

This causes the ResetFTPService.bat batch file to run whenever an event ID 100 with source MSFTPSVC is logged in the System event log. The /RU switch causes the task to run under the Local System account, which has the rights necessary to run unattended.

---

Subscribe in a reader Subscribe by Email

Good Day Today

Today was a good session day. I got to start and end it with Marcus Murray, who finished the day to a PACKED session in the TLC Library showing how easy it is to perform a buffer overrun exploit. Scary, scary stuff. The guy is a rockstar.

Other sessions included Paul Robichaux, talking about Forefront Security for Exchange, and a good session on architecting and upgrading WSUS 3.0.

I got to see our friends at Sam's Publishing in the vendor booth. Sams publishes the Microsoft "Unleashed" series, including Microsoft Exchange Server 2007 Unleashed and Microsoft Exchange Server 2003 Unleashed, both of which I am a cowriter of. Fellow CCO consultant, Michael Noel was there at the Sams booth on Tuesday. Be sure to check out his sessions on SharePoint 2007 here at TechEd!

I'll post a summary of the items discussed at the WSUS session in a future blog. For now, I'm going to get ready for the Microsoft Influencer's Party at Margaritaville and the Double-Take party at the Hard Rock. Woo-hoo!

---

Subscribe in a reader Subscribe by Email

Knocked my Socks Off

My first session this morning was "Why I can Hack Your Network in a Day!", by Marcus Murray. The information and demos he gave were absolutely frightening. He showed how to gain full access to almost any domain with ease. Amazing stuff. It's his first US TechEd and I'm sure it won't be his last. Now if he'd only do a session on securing networks, I'll sleep better.

---

Subscribe in a reader Subscribe by Email