Blog

On April 8, 2008 Adobe released a Security Bulletin regarding vulnerabilities with various versions of Adobe Flash Player.  In the Security Bulletin they recommend upgrading to the latest version of Adobe Flash Player (version 9.0.124.0 or higher).  However, various reports were published today from security firms and security-related websites reminding users about the threats associated with continuing to run earlier versions of Adobe Flash Player.  If you have not already verified that your system(s) (or your company's systems) have the "patched" version of Adobe Flash Player, you should do so.  You will need to check for both Microsoft Internet Explorer and Firefox.  The plug-ins are different, so updating in Firefox does not update IE and vice versa.  To read more, visit the links below.

http://www.adobe.com/support/security/bulletins/apsb08-11.html

http://www.informationweek.com/blog/main/archives/2008/05/adobe_flash_pla.html
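The per-browser check described above can be run over a software inventory. The following is an added example, not code from Adobe or from the original post; the host names and inventory rows are constructed sample data, and the version strings are assumed to arrive in dotted, comma-separated, or "WIN 9,0,115,0" form.

```python
# Added example: audit Flash Player versions per browser against the
# minimum version named in the post. Inventory rows are constructed.

MIN_FLASH = (9, 0, 124, 0)

def parse_version(text):
    """Parse '9.0.124.0', '9,0,124,0' or 'WIN 9,0,115,0' into a 4-tuple."""
    tokens = text.split()
    if not tokens:
        raise ValueError("empty version string")
    parts = tokens[-1].replace(",", ".").split(".")  # drop platform tag
    if len(parts) > 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (4 - len(nums)))       # pad short versions

def is_patched(text):
    # Compare numerically: as plain strings, "9.0.47.0" sorts after
    # "9.0.124.0" and an old plug-in would pass the check.
    return parse_version(text) >= MIN_FLASH

def audit(inventory):
    """Return {host: [browsers whose plug-in needs attention]}."""
    findings = {}
    for host, browsers in inventory.items():
        stale = []
        for browser, version in browsers.items():
            if version is None:
                continue                 # plug-in not installed there
            try:
                ok = is_patched(version)
            except ValueError:
                ok = False               # unreadable: flag for review
            if not ok:
                stale.append(browser)
        if stale:
            findings[host] = sorted(stale)
    return findings

# Constructed sample inventory: one entry per browser, because the IE
# and Firefox plug-ins are installed and updated separately.
SAMPLE_INVENTORY = {
    "ws-01": {"ie": "9,0,124,0", "firefox": "9.0.115.0"},
    "ws-02": {"ie": "WIN 9,0,47,0", "firefox": None},
    "ws-03": {"ie": "9.0.124.0", "firefox": "9.0.124.0"},
    "ws-04": {"ie": "9.0.124.0", "firefox": "unknown"},
}

if __name__ == "__main__":
    for host, stale in audit(SAMPLE_INVENTORY).items():
        print(host, "needs update/review:", ", ".join(stale))
```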

 


 
 
 

On March 4, 2008, the Securities and Exchange Commission proposed amendments to Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Personal Information, which implements certain provisions of the Gramm-Leach-Bliley Act (GLBA) and the Fair Credit Reporting Act (FCRA) for entities regulated by the Commission.  Comments were accepted through May 12th.  To read the proposal visit http://www.regulationsp.com/

 


 

The new business class Linksys router (RVS4000) has lots of great features (very much like Cisco’s IOS).  I was recently setting one up for a customer that had an SBS server and a Symantec mail appliance.  The SBS server was not going to use ISA so I needed to set up a VLAN on the Linksys for the DMZ.  This was all easy enough, but when it came to publishing ports, I ran into a limitation in the configuration interface.  I needed to publish RDP (TCP port 3389) directly to the SBS server on the main/default VLAN, and SMTP (TCP port 25) to the mail appliance on the DMZ VLAN.  Unfortunately, the web interface for configuring port forwarding on the Linksys only allows you to modify the last octet of a published address (pre-filling the first three octets from the default VLAN).  I did some research and even called Linksys support, but this is “by design”.  I tried exporting the config to see if I could change the publishing definitions directly and just re-import, but the config also only saved the last octet.  I was able to work around this limitation by splitting their class C in half (255.255.255.128 as the subnet mask) and using the lower half for the internal LAN, and the upper half for the DMZ.  This way, I was able to publish ports on the two separate VLANs, but still have the traffic segmented.
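The split described above can be checked before the forwards are entered. This is an added example, not part of the original post and not Linksys tooling; the 192.168.1.0/24 network, the host octets and the service labels are assumptions chosen for illustration.

```python
# Added example: split a /24 into two /25 halves and confirm that each
# last-octet-only port forward lands in the intended segment.
import ipaddress

def plan_forwards(class_c, forwards):
    """forwards maps label -> (last_octet, intended_segment).

    Returns {label: (address, actual_segment, ok)} where ok is False if
    the target is in the wrong half or is a network/broadcast address.
    """
    net = ipaddress.ip_network(class_c)
    if net.prefixlen != 24:
        raise ValueError("expected a /24 network")
    lan, dmz = net.subnets(new_prefix=25)   # lower half, upper half
    segments = {"LAN": lan, "DMZ": dmz}
    result = {}
    for label, (octet, intended) in forwards.items():
        if not 0 <= octet <= 255:
            raise ValueError(f"{label}: last octet out of range")
        addr = net.network_address + octet
        actual = "LAN" if addr in lan else "DMZ"
        seg = segments[actual]
        # After the split, .0/.127 and .128/.255 are the network and
        # broadcast addresses of the halves and cannot be host targets.
        usable = addr not in (seg.network_address, seg.broadcast_address)
        result[label] = (str(addr), actual, usable and actual == intended)
    return result

def half_netmask(class_c):
    """Netmask of each half, as entered on the router and the hosts."""
    first_half = next(ipaddress.ip_network(class_c).subnets(new_prefix=25))
    return str(first_half.netmask)

# Constructed sample plan: the web UI only accepts the last octet.
SAMPLE_FORWARDS = {
    "RDP tcp/3389": (10, "LAN"),    # SBS server on the default VLAN
    "SMTP tcp/25": (130, "DMZ"),    # mail appliance on the DMZ VLAN
    "SMTP (typo)": (128, "DMZ"),    # network address of the upper half
}

if __name__ == "__main__":
    print("mask:", half_netmask("192.168.1.0/24"))
    for label, row in plan_forwards("192.168.1.0/24", SAMPLE_FORWARDS).items():
        print(label, row)
```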


 

I was testing Symantec Endpoint Protection for a short while. After uninstalling Endpoint Protection I began receiving an error every time that I opened Outlook. The error said something to the effect of “Unable to load Add-on please uninstall”.

In Outlook 2003 you should be able to simply remove the add-on within the add-on manager. In Outlook 2007 though it requires a different method. I had to delete a file called Extend.dat (location: C:\Documents and Settings\%username%\Local Settings\Application Data\Microsoft\Outlook) which is the file that stores the cached add-ons. After running Outlook again this file was recreated but this time Outlook did not give me an add-on error.  This seems to apply to other add-ons as well. While searching the web I saw people report that this also works for similar errors after uninstalling AVG antivirus.


 

There have been many reports (Google AMD XP "service pack 3" or visit Microsoft's support forum) of problems primarily with AMD-based computers after installing XP SP3.  Tom's Hardware http://www.tomshardware.com/news/Windows-XP-SP3,5334.html was the first report of this we found, but Computerworld http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9084418 also posted an article the same day.


 

Microsoft has come out with a new way to handle license keys called Key Management Service. Through this new way of volume licensing, Server 2008 and Vista machines will check in with a server to be authenticated instead of having to check in at the Microsoft site.  To do this, you have to set up a KMS server (with software from Microsoft) as well as install a KMS Volume License Key (which is different than a traditional VLK).

From Microsoft.com:

Microsoft Key Management Service (KMS) for Windows Server 2003 SP1 and later is part of Microsoft Windows Volume Activation 2.0. It allows enterprise users to host KMS on Windows Server 2003 to enable activation of Windows Vista and Windows Server 2008 using a KMS key.


Microsoft Volume Activation 2.0 is a set of technical and policy solutions provided by Microsoft’s Software Protection Platform (SPP) that gives Microsoft customers more secure and easier methods to manage their volume license keys.


KMS based activation allows enterprise customers to host a local service within their environment to enable activation of machines running Windows Vista and Windows Server 2008 volume editions within their environment, instead of activation directly with Microsoft. Computers that have been activated using KMS are required to reactivate by connecting to a KMS host at least once every 6 months.


KMS keys are provided through Microsoft’s Volume Licensing System portals (MVLS, eOpen). The KMS host needs to be activated once with Microsoft either online or via telephone.

The drawback to this service is that you have to obtain the key from MS using a volume license agreement. Another issue is that you have to have 5 Server 2008 installations or 25 Vista installs for this to work (and VM machines do not count towards this number).

Download the Microsoft Key Management Service


 

A few weeks ago, I was trying to back up the configuration for a Symantec Mail Security Appliance for one of our clients. The appliance sits in the DMZ and FTPs the backup file to another server on the internal network. To do so, I had to create an Access Rule to allow the FTP traffic through the ISA 2004 server. You would think that creating an inbound Access Rule to allow the FTP protocol to pass through the ISA server would enable all inbound FTP traffic. However, this is not entirely the case. When you use the New Access Rule Wizard, you can choose the pre-configured protocol “FTP” to be the type of traffic that you are allowing. This is what I did in this particular instance. However, whenever I would try and transfer the SMS Gateway backup file, the write would fail. After checking folder and FTP account permissions 5,000 times, I happened upon the following setting by right-clicking the access rule I had already created and selecting the "Configure FTP" option:

To make a long story short, when I added the preconfigured “FTP” protocol as the protocol I wanted to allow to pass through the ISA, it only enabled FTP Read access. There is nowhere in the creation of the rule, in the ‘Properties’ of the rule, or in the properties of the default FTP object to specify read/write access. Nor does it inform you that the default permission is being set as read only. You have to right-click the rule you created and choose “Configure FTP” (not ‘Properties’) to uncheck the Read Only status of the rule. I suppose that this follows the general IT best practice of enabling only minimal required privileges, but some documentation or forewarning would’ve been nice! Consider yourself forewarned!


 

Exchange 2007 introduces a concept called back pressure. This is a monitoring feature in the Exchange transport service that watches system resources like available disk space and memory. If a resource exceeds a specified limit, Exchange stops accepting new connections and messages so that it can deliver the existing messages without being completely overloaded.  Exchange starts accepting new connections and messages once resources have returned to normal levels. A large number of event log messages about the back pressure situation are logged.  We had this problem at a customer site recently and had to increase the RAM of the Virtual Machine to fix it.

View the TechNet article on Back Pressure for more details.