Blog: Security and Compliance

Be mindful about what filtering software you use.  Some web filtering software gathers data on chats.  Software produced by EchoMetrix and sold under the Sentry and FamilySafe brands reads private chats, and the company then sells that information to third parties.  The company reportedly collects data on what kids are saying about movies, music or video games in chats carried out through services such as Yahoo, MSN, AOL, and others.  Supposedly, no identifiable information is disclosed because the program does not record children's names or addresses.  This is definitely an example of why it's good to read through the user agreements of the software you use.



 

I was recently configuring an ISA server for a network support customer including automatic configuration using WPAD.  The customer had a 2008 SBS server and a 2003 ISA server (running ISA 2006).  I added a "wpad" alias (CNAME) to the DNS server on the SBS box to allow clients to automatically detect the new ISA server.  However, when I tried to resolve the entry on the SBS server as well as other hosts on the network, it never would resolve.  I tried other CNAME entries on the server, and they all worked fine.  I tried removing the entry and re-adding it, but got the same behavior.  I decided to let it sit overnight to see if it was a timing issue.  The next day, I still couldn’t resolve "wpad" or "wpad.bofc.local".  I started digging and found that the DNS service on Windows Server 2008 has a built-in "block list" for some potentially dangerous DNS names.  The default list includes "wpad" and "isatap".  Gotcha!  Since I wasn’t concerned with blocking any DNS names, I decided to turn off the "block list".  I used the following dnscmd command:

dnscmd /config /enableglobalqueryblocklist 0

Other helpful commands when dealing with this include (from http://technet.microsoft.com/en-us/library/cc995158.aspx):

To check whether the global query block is enabled, type the following:
dnscmd /info /enableglobalqueryblocklist

To display the host names in the current block list, type the following:
dnscmd /info /globalqueryblocklist

To disable the block list and ensure that the DNS Server service does not ignore queries for names in the block list, type the following:
dnscmd /config /enableglobalqueryblocklist 0

To enable the block list and ensure that the DNS Server service ignores queries for names in the block list, type the following:
dnscmd /config /enableglobalqueryblocklist 1

To remove all names from the block list, type the following:
dnscmd /config /globalqueryblocklist

To replace the current block list with a list of the names that you specify, type the following:
dnscmd /config /globalqueryblocklist name [name]…
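The block list exists because names like wpad and isatap are exactly the ones an attacker would try to register dynamically to redirect clients, so removing only the one name you need is preferable to switching the whole list off. As an added example (not from the original post or the Microsoft page it links), the PowerShell below wraps the dnscmd commands above: it reports the current state and contents, and drops a single name from the list while every other entry stays blocked. It assumes dnscmd.exe is on the PATH, that you run it elevated on the DNS server itself, and that dnscmd prints DWORD properties as `Dword: <n>` and list entries as one `String: <name>` line each; check those regexes against your server's output before relying on them.

```powershell
# Added example, not from the original post. Assumes dnscmd.exe (Windows Server 2008
# DNS Server tools) is on the PATH and that this runs elevated on the DNS server.
# Output parsing assumes dnscmd prints DWORD properties as "Dword: <n> (...)" and list
# properties as one "String: <name>" line per entry; adjust the regexes if yours differ.

function Get-GlobalQueryBlockListEnabled {
    # $true when the DNS Server service is ignoring queries for names on the list.
    $text = (& dnscmd /info /enableglobalqueryblocklist 2>&1) -join "`n"
    if ($text -match 'Dword:\s*(\d+)') { return ([int]$Matches[1]) -ne 0 }
    throw "Could not parse dnscmd output: $text"
}

function Get-GlobalQueryBlockListNames {
    # Returns the blocked names as an array (the 2008 default is wpad and isatap).
    $lines = & dnscmd /info /globalqueryblocklist 2>&1
    return @(foreach ($l in $lines) { if ($l -match 'String:\s*(\S+)') { $Matches[1] } })
}

function Test-NameOnBlockList {
    # Pure helper: case-insensitive membership test, usable on any name list.
    param([string[]]$List, [string]$Name)
    return [bool]($List | Where-Object { $_ -ieq $Name })
}

function Remove-GlobalQueryBlockListName {
    # Removes one name and re-applies the rest, so isatap (or anything else) stays blocked.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$Name)

    $current = Get-GlobalQueryBlockListNames
    if (-not (Test-NameOnBlockList -List $current -Name $Name)) {
        Write-Verbose "'$Name' is not on the block list; nothing to do."
        return $current
    }
    $remaining = @($current | Where-Object { $_ -ine $Name })
    if ($PSCmdlet.ShouldProcess('DNS global query block list', "set to [$($remaining -join ', ')]")) {
        if ($remaining.Count -eq 0) {
            & dnscmd /config /globalqueryblocklist | Out-Null          # empties the list
        } else {
            & dnscmd /config /globalqueryblocklist $remaining | Out-Null  # each name becomes an argument
        }
    }
    return $remaining
}

# Usage: show the current state, then release only "wpad" while leaving the list enabled.
Write-Host ("Block list enabled: {0}" -f (Get-GlobalQueryBlockListEnabled))
Write-Host ("Blocked names     : {0}" -f ((Get-GlobalQueryBlockListNames) -join ', '))
Remove-GlobalQueryBlockListName -Name 'wpad' -WhatIf   # drop -WhatIf to apply the change
```

If a query for the released name still fails afterwards, restart the DNS Server service and re-check with `dnscmd /info /globalqueryblocklist`. On Windows Server 2012 and later the same list is exposed through the DnsServer module's Get-DnsServerGlobalQueryBlockList and Set-DnsServerGlobalQueryBlockList cmdlets, which replace the text parsing above.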


 

There is a conflict between some network providers and the PGP password filter that handles keeping the domain password synchronized with the boot password.  Specifically, if you have a Symantec SNAC Network Provider, it can cause a password change to break the single sign-on feature.  What you do to fix it is:

Pull up the Provider Order screen via:

Control Panel -> Network and Sharing Center -> Manage network connections -> Advanced (I had to press and release the Alt key to get the Advanced option in the menu – you may or may not have to) -> Advanced Settings -> Provider Order tab.

Once in the Provider Order tab, I saw PGPpwflt was at the bottom of the list and Symantec SNAC Network Provider was at the top of the list.  I moved the Symantec provider to the bottom of the list which left things like:

This fixed the problem.

Note: This is best done before you change your password!
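The Provider Order tab writes its result to the REG_SZ value ProviderOrder under HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order, a comma-separated list read from left to right. The PowerShell below is an added example, not the post's own procedure: it checks whether the password filter already precedes the SNAC provider and, if not, moves the named provider to the end of the list exactly as the GUI step does, previewing the registry write with -WhatIf first. The provider names PGPpwflt and SnacNp in the usage lines are placeholders; use the names that actually appear in your ProviderOrder value.

```powershell
# Added example, not from the original post. Assumes the Provider Order tab is backed by
# the REG_SZ value ProviderOrder under HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order
# (comma-separated, highest priority first). Provider names used below are placeholders.

$ProviderOrderKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order'

function ConvertFrom-ProviderOrder {
    # Splits the registry string into a clean array of provider names.
    param([string]$Order)
    return @($Order -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Get-ProviderIndex {
    # Case-insensitive position of $Provider in $Items, or -1 when absent.
    param([string[]]$Items, [string]$Provider)
    for ($k = 0; $k -lt $Items.Count; $k++) { if ($Items[$k] -ieq $Provider) { return $k } }
    return -1
}

function Test-ProviderPrecedes {
    # $true when $First is listed before $Second; both must be present.
    param([string]$Order, [string]$First, [string]$Second)
    $items = ConvertFrom-ProviderOrder $Order
    $i = Get-ProviderIndex -Items $items -Provider $First
    $j = Get-ProviderIndex -Items $items -Provider $Second
    if ($i -lt 0 -or $j -lt 0) { throw "'$First' or '$Second' is not present in '$Order'" }
    return $i -lt $j
}

function Move-ProviderToEnd {
    # Returns a new comma-separated string with $Provider moved to the last position.
    param([string]$Order, [string]$Provider)
    $items = ConvertFrom-ProviderOrder $Order
    $idx = Get-ProviderIndex -Items $items -Provider $Provider
    if ($idx -lt 0) { throw "Provider '$Provider' is not in '$Order'" }
    $rest = @($items | Where-Object { $_ -ine $Provider })
    return ($rest + $items[$idx]) -join ','
}

function Get-ProviderOrder {
    return (Get-ItemProperty -Path $ProviderOrderKey -Name ProviderOrder).ProviderOrder
}

function Set-ProviderOrder {
    # Writes the value; requires elevation. Use -WhatIf to preview.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$Order)
    if ($PSCmdlet.ShouldProcess($ProviderOrderKey, "set ProviderOrder to '$Order'")) {
        Set-ItemProperty -Path $ProviderOrderKey -Name ProviderOrder -Value $Order
    }
}

# Usage: only touch the registry when the password filter is not already ahead of SNAC.
$pgp  = 'PGPpwflt'   # placeholder; copy the exact names from Get-ProviderOrder
$snac = 'SnacNp'     # placeholder for the Symantec SNAC Network Provider entry
$current = Get-ProviderOrder
Write-Host "Current order: $current"
if (-not (Test-ProviderPrecedes -Order $current -First $pgp -Second $snac)) {
    $fixed = Move-ProviderToEnd -Order $current -Provider $snac
    Set-ProviderOrder -Order $fixed -WhatIf   # remove -WhatIf to apply
}
```

Export the key with `reg export` before changing it so the original order can be restored, and, as the post notes, do this before the password change rather than after.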


 

I had several issues getting my PGP Desktop software to correctly talk to the PGP management server.  First, I went through the default install without any problems.  I configured my private/public keys and encrypted my disk.  I got word from Chris Brewer later, however, that I wasn’t showing up in the PGP server.  We both tried several things to get me in.  I tried importing my private key to the server, but it failed and the log was saying I wasn’t part of the managed domain.  We eventually called PGP support and got my PGP Desktop software reconfigured to use my domain credentials and register with the server.  Turns out I should have done a custom install and targeted our PGP management server… rather than the default stand-alone install.  I was now showing on the server, but I was showing to be decrypted.  My disk, however, was encrypted.  I decided to decrypt and re-encrypt now that I was talking to the server.  This was about a 24-hr process.  After re-encryption and multiple reboots… I still was showing to be “unencrypted” on the server.  The PGP support guy had mentioned the Mac client had some issues reporting properly to the management server and he had a special build he could let us try.  Once we got it, I installed it and rebooted and everything was fixed.


 
 

Though the Security Zones GUI under Internet Properties only has four well defined “zones”, you can actually create your own custom zone pretty easily.  We had to do this for a customer that needed some very specific (wide-open) security settings for their site to work properly.  Rather than compromise the security of the other “Trusted Sites”, we created a new zone for the one specific site.  The easiest way to do this is by using the GUI to get all your settings just so (by editing one of the built-in zones).  Then, from the registry editor, export the edited zone’s registry key located under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones.  The zones are numbered 0-4, but you can check the “DisplayName” entry to make sure you are exporting the right zone.  You can then edit the exported REG settings to increment the zone number by one, and change the “DisplayName”, “Description”, and “PMDisplayName” to whatever you want.  The “PMDisplayName” is what will show in the IE status bar when you visit the included site/sites.  Save your changes and import the modified zone REG file.
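The hand edit of the exported REG file is easy to get wrong (a missed backslash or quote in a value silently breaks the import), so here is the same transformation done in PowerShell, as an added example that is not part of the original post. It takes the text regedit exported for one zone, renumbers the key header to a free zone number above 4 and rewrites the three name values with proper .reg escaping, and refuses input that does not contain exactly one zone key. It accepts either the Zones or the Lockdown_Zones key path; the sample export and the vendor-portal names below are constructed for illustration.

```powershell
# Added example, not from the original post. Rewrites a regedit export of one security
# zone into a new custom zone. The sample export text and zone names are constructed.

function ConvertTo-RegString {
    # Escapes a value for the "name"="value" line syntax used by .reg files.
    param([string]$Value)
    return $Value.Replace('\', '\\').Replace('"', '\"')
}

function New-CustomZoneReg {
    param(
        [Parameter(Mandatory = $true)][string]$RegText,
        [Parameter(Mandatory = $true)][int]$NewZone,
        [Parameter(Mandatory = $true)][string]$DisplayName,
        [Parameter(Mandatory = $true)][string]$Description,
        [Parameter(Mandatory = $true)][string]$PMDisplayName
    )
    if ($NewZone -le 4) { throw 'Zones 0-4 are built in; pick a number above 4.' }

    $names = @{ DisplayName = $DisplayName; Description = $Description; PMDisplayName = $PMDisplayName }
    $sourceZones = @{}   # zone numbers seen in key headers (must be exactly one)
    $rewritten   = @{}   # name values actually replaced (must be all three)
    # Matches "[HKEY_...\Internet Settings\Zones\2]" or the Lockdown_Zones variant.
    $headerPattern = '^\[(?<prefix>[^\]]*\\(?:Lockdown_)?Zones\\)(?<zone>\d+)\]\s*$'

    $out = foreach ($line in ($RegText -split "`r?`n")) {
        if ($line -match $headerPattern) {
            $sourceZones[$Matches.zone] = $true
            '[' + $Matches.prefix + $NewZone + ']'
        } elseif ($line -match '^"(?<name>DisplayName|Description|PMDisplayName)"=') {
            $rewritten[$Matches.name] = $true
            '"' + $Matches.name + '"="' + (ConvertTo-RegString $names[$Matches.name]) + '"'
        } else {
            $line   # every other setting line (e.g. "1200"=dword:00000000) is kept as exported
        }
    }
    if ($sourceZones.Count -ne 1) { throw "Expected exactly one zone key in the export, found $($sourceZones.Count)." }
    if ($rewritten.Count -ne 3)   { throw 'Export is missing DisplayName, Description or PMDisplayName.' }
    return ($out -join "`r`n")
}

# Constructed sample: a trimmed export of zone 2 (Trusted sites) with two settings.
$sample = @'
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"DisplayName"="Trusted sites"
"Description"="This zone contains websites that you trust."
"PMDisplayName"="Trusted sites [Protected Mode]"
"1200"=dword:00000000
"1400"=dword:00000000
'@

$custom = New-CustomZoneReg -RegText $sample -NewZone 5 -DisplayName 'Vendor portal' `
    -Description 'Relaxed settings for one vendor site only' -PMDisplayName 'Vendor portal [Protected Mode]'
$custom | Set-Content -Path "$env:TEMP\zone5.reg" -Encoding Unicode
Write-Host $custom
# After reviewing the file:  reg import "$env:TEMP\zone5.reg"
```

Read a real export with `Get-Content -Raw` (regedit writes UTF-16 with a BOM, which PowerShell detects) and write the result with `-Encoding Unicode` as above so reg.exe imports it cleanly. The zone itself only holds settings; which site lands in it is decided by the per-domain entries under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains, where a DWORD named after the scheme (http or https) carries the zone number.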


 

If you attempt to run the BitLocker Drive Preparation Tool on Windows Vista with SP2 installed, it will produce an error.  The problem is with the installer package.  You can uninstall SP2 or perform these steps to bypass the error by extracting the install files:

  • After downloading the BitLocker Drive Preparation Tool to the C: drive, run the following at the command prompt:
  • expand -f:* "C:\Windows6.0-KB933246-x86.msu" %TEMP%
  • pkgmgr.exe /n:%TEMP%\Windows6.0-KB933246-x86.xml
  • Run "C:\Program Files\BitLocker\BdeHdCfg.exe" and it will repartition your drive so that BitLocker can work properly.

 

I had a problem using selfssl.exe (part of the IIS 6 resource kit) to generate more than one self-signed certificate on a specific server. The issue came up after I created a second self-signed certificate with a different CN. The certificate was installed on a separate site (same IP, different port) than the first one I generated. The behavior was very strange. As soon as I generated the second certificate, the site with the first certificate would not load at all. If the certificate was removed, it worked fine. So, I regenerated the first certificate with selfssl.exe and the second stopped working. After some searching, I found that some others have had this problem as well: http://blogs.msdn.com/david.wang/archive/2005/04/20/SelfSSL-Bug-with-websites.aspx. These certs have always worked fine, but I think it may be best to limit use to one self-signed certificate per server. Oh, and the blog post mentions a new version… it doesn’t work either. The only way to get it to work is with ssldiag, but it is not a trivial process.


 

I had a customer that had a “virus detected” warning pop-up on the server every morning.  She tried to do LiveUpdate (as the warning suggested), but it would fail (the AV is way out-of-date).  She was sure there was a problem with the definitions.  I checked the server, and all the definitions on the server and clients were current.  I got to looking, and it appears the alerts were coming from viruses in the server’s quarantine.  Apparently a virus had been detected and cleaned, but when the backup job would try to access the quarantine, it would see the virus and pop-up the warning message.  I cleared the quarantine and the pop-ups stopped.


 

About a year ago Microsoft released the BitLocker Drive Preparation Tool to help with the disk partition changes needed to support BitLocker.  Information on using this tool is located at http://support.microsoft.com/kb/933246.  However, it hasn’t been updated to work with Vista SP2.  If you try to install it on SP2 you get an error indicating it doesn’t apply to the installed OS.  Until Microsoft updates the tool, you’ll need to install it before installing Vista SP2.