Wednesday, December 17, 2008

Microsoft Releasing an Out-of-Band Security Update for Internet Explorer


Update Tuesday came and went this week with a few updates, but a vulnerability has been exposed for Internet Explorer versions 6-8 on Windows XP, 2003, Vista, and even 2008.  Microsoft has decided to release an out-of-band security update for this vulnerability due to its critical nature.  Unfortunately this zero-day exploit has no fix yet from Microsoft.  The update is expected to be released sometime today.  Be sure to sync up your WSUS servers after the update has been released.

Remember my tips to subscribe to important security lists to stay on top of your networks.

Read Microsoft's Security Advisory

Tuesday, December 9, 2008

Server Updates


Every sysadmin knows that software of all kinds needs to be updated.  Sometimes the updates provide new features and enhancements, but many times the updates are bug fixes and security patches.  Keeping your servers, desktops, and software up to date can help prevent your networks from being compromised.

I've compiled a short list of best practices I use for patch management:
  1. Schedule your patch management on a regular basis.  It is easy for the busy sysadmin to be distracted by all the end-users' needs, which to them are always critical.  Prioritize a time for updates where you will not be distracted.  This may need to be after hours if necessary.  Many Windows updates require system restarts, so be sure to schedule the restarts to minimize downtime, and be sure to check that the servers and services come back up afterwards.
  2. Subscribe to mailing lists and/or RSS feeds that provide you with information on exploits, patches, and security notices for the specific software you run.  Visit your vendor's website to see if they have these options available.
  3. Keep a log of your patch installations.  I've created an Excel template that I print each week to record the packages and updates that I install on my Linux and Windows servers. Should something break due to the updates I will know exactly what has changed.  

Nagios Update


Nagios released another point update this past week bringing it to 3.0.6. The changelog reports only a few minor fixes and additions.  I noticed the available update during my weekly server updates time.  Remember that on Linux systems you must restart the service (daemon) to run the new version (command: service nagios restart).  

Nagios is an open source service/host monitor that allows the everyday sysadmin to keep tabs on all of the crucial network services and hosts.  You can set up all kinds of checks and then be notified should any crucial hosts or services go down.

Setting up your own Nagios installation can be difficult, but many tutorials exist online.  If you would like assistance designing and deploying your own Nagios installation please contact me.

Monday, December 1, 2008

Quick Tip for Windows Mobile




Press the Start key twice on your Windows Mobile device to jump back to the Today screen.

This can be useful to snooze or dismiss those reminders.

Wednesday, November 26, 2008

What I Use

Applications I use everyday:

  • Microsoft Windows Vista Ultimate (32-bit) – If you pump enough RAM into Windows Vista it can be very usable. 
  • Microsoft Outlook 2007 – I started using Outlook Express because it came with Windows, but when I saw the power and integration of Outlook 97 I was sold.  Since then I’ve used every version.  I was even more hooked when I began using Outlook with an Exchange server.  Although I have tried many other PIM’s, still nothing compares to the productivity and utility of Outlook.
  • Mozilla Firefox – Hands down FireFox is the best cross-platform browser. 
  • Digsby – multi-protocol instant messenger app with social networking
  • Winamp – tried and true media player with great keyboard shortcuts
  • Google Chrome – the fastest browser for start times and load times, lacks extensibility of FireFox, but the features redefine browsing like Gmail redefined email
  • Microsoft Virtual PC running Windows XP Professional – If you run Windows Vista and you're a sysadmin, you have to run Windows XP too.  Just keep it clean and give it about 512 MB of RAM and it’s just like having a second computer around.
  • andLinux – unique hybrid-virtualization of Ubuntu linux that allows me to run KDE apps natively in Windows (like Konsole for Linux server management)

 

Utilities/Tools

  • Putty – for ssh/telnet management of servers, routers, and switches
  • Launchy – application launcher to free you from the Start menu
  • Switcher – Expose-like application for Vista, requires AERO
  • reSizer – window placement and sizing with a mouse can be tedious, using reSizer I can move windows between monitors and resize to fit the screen without leaving the keyboard
  • Remote Desktop Connection – remote management of all of those Windows servers out there

 

Server Applications I use regularly:

FireFox Extensions

  • GrandCentral Click to Call
  • PDF Download
  • Adblock Plus
  • CyberSearch
  • Delicious Bookmarks – delicious.com/wasserja
  • Google Gears
  • Tiny Menu

Tuesday, November 25, 2008

Why Does Windows Azure Matter?



Microsoft hosted their irregularly scheduled Professional Developers Conference (PDC) recently. (PDC events only occur when Microsoft is releasing a new platform.) As the event grew closer we knew that Windows 7 would be a topic as well as their Live Services, but the “Cloud” OS was probably causing the most buzz around the tech industry. Thankfully we live in an era where we don’t have to sit through the long, dry Microsoft keynotes to get the lowdown on what Microsoft is up to. Microsoft announced their cloud platform called Windows Azure.

Enterprise IT has been administering servers for years, attempting not only to keep those end users happy, but also to keep their servers in working order. Maintaining software and hardware on servers that are mission critical can be very costly and difficult. The arrival of virtualization for the Enterprise has dramatically increased the ability of IT staff to manage and maintain the server farms while decreasing costs, including energy costs. The next step in the evolution of IT is hosted services. Microsoft and third parties have already been offering various hosted services for some time at varying levels of success.

With Windows Azure Microsoft hopes to combine virtualization with hosted services by providing a cloud-based platform for developers, businesses, and the enterprise. In the future the everyday sysadmin will no longer be responsible for server hardware and OS patches because Microsoft Exchange, SQL, Dynamics, Sharepoint, et al. will be hosted by Microsoft on their Azure platform, which is globally distributed. Of course not all current IT or business decision makers are going to want to start paying monthly fees for software they paid good money for. As the services Microsoft provides through Azure make business sense, they can migrate in a hybrid fashion, say by moving their Exchange "server" to the cloud while keeping their Sharepoint in house.

The advantage comes to the small to medium sized businesses who may be thinking about upgrading their own servers and find that it would be more advantageous to pay for the software as a service instead of maintaining their own server(s) in house or paying a consultant.



So how does this affect the everyday sysadmin? How will the role and responsibilities of the IT staff change if we no longer have to maintain server software and hardware? Will we all become Helpdesk staff or will Microsoft take on that as well? I am assuming someone will still need to maintain accounts or maybe there will be a fancy web portal for the designated "technical" employee to add accounts and reset passwords. Downsizing may be in our future, or we will need to change along with everyone else in this fast-paced industry.



Tuesday, November 18, 2008

Internet Explorer 6 Comes to Windows Mobile

That headline has to be the most misleading one I’ve ever written.  Yes, Internet Explorer 6 is coming to Windows Mobile.  It is not the version 6 that we have grown to loathe as system administrators, but it is based on current desktop IE 7 and maybe even 8.  The browser will support rich media such as Silverlight and Flash as well as AJAX.  Page rendering will be closer to the desktop alternative, which of course has been around for years with Opera Mini (available for WinMo via Java) and recently with Safari for the iPhone.

And the bit about it coming to Windows Mobile is misleading because they just announced the availability of the updated mobile browser, but it will not be available on current handsets, only future handsets.  Future here meaning many months until you see them overseas since carriers are not as strict and controlling about the devices.  Then maybe sometime in 2009 we may see WinMo handsets using the browser.  Alternatively the hardworking folks at ppcgeeks.com have been providing kitchens and ROMs for WinMo phones to help you keep your WinMo device running the latest software.  Flashing your phone with unsanctioned ROMs is not an easy process, but you may find yourself taking the plunge if your mobile drives you crazy like many other users.

The upside is that Windows Mobile is finally going to have a decent browser which may mean more developers coding websites to be friendly to Windows Mobile based devices. 

Here is a video of the browser in action. 

 

Keep in mind that Opera Mini, Opera Mobile, Safari, and Skyfire have already beaten Microsoft to the punch so they will not get a lot of positive reviews for their efforts.

Tuesday, November 4, 2008

Cacti Breaks When RRDTool is Updated


Running updates can cause any sysadmin to break out in a cold sweat, especially when that service you and your users rely on stops working.  Today I ran my updates on my CentOS 5.x server and noticed that the rrdtool package had been updated.  Like any good sysadmin I keep a log of the updates I install on each server so that I know what has been installed and which services to check later to make sure everything is still working.

Since I have spent so much time with my Cacti monitoring system I knew that it was dependent upon rrdtool.  When I logged into my Cacti everything appeared normal until I looked at my graphs.  All of the text on the graphs was missing.  I still had the pretty colors and the graphs, but there were no numbers, labels, headers, etc.  After searching around I found the solution in the Cacti forums.  The problem was related to Cacti not being able to pass the default font variable to the specific version of rrdtool, 1.2.28.  So you have to put the path to the rrdtool font file in the Paths section under settings as well as the Font File fields under the Visual field.

The font path on my CentOS system is: /usr/share/rrdtool/fonts/DejaVuSansMono-Roman.ttf


Having a monitoring system like Cacti paired with Nagios can really help you and your IT department implement proactive measures to maintain your network.  If you would like assistance in putting together your own monitoring setup with Cacti and Nagios please contact me.

Nagios 3 Comes to CentOS


I manage quite a few CentOS servers of the 4.x and 5.x versions.  When I ran my yum updates this week I noticed that there was a Nagios update.  When I restarted Nagios I saw that it had been upgraded to version 3.  So far nothing broke because of the new version, but with the new version comes new features.  You can read the changelog here.

 

NOTE: The beauty of Linux is that you don’t have to restart your system when you install updates (except for the kernel).  But if the package manager (yum, apt, etc.) doesn’t restart the service the old binaries will still be running.  So for example when I installed the Nagios update today version 2.x was still running so I had to restart Nagios to actually be running 3.x (command: service nagios restart).
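One way to find services still running old binaries after an update, as described in the note above and in the Nagios 3.0.6 post (an added example, not part of the original post): on Linux, /proc/<pid>/exe for such a process reads "<path> (deleted)". The function name `stale_procs` and its optional proc-root argument are assumptions made for this example; only the main executable is checked, not replaced shared libraries.

```shell
#!/bin/sh
# List processes whose executable on disk was replaced or removed after the
# process started, i.e. daemons that still need a "service <name> restart".
#
# Usage: stale_procs [proc_root]
#   proc_root defaults to /proc; the argument exists only so the function
#   can be pointed at a constructed directory tree (an assumption of this
#   example, not a system convention).
# Output: one "<pid> <original path>" line per stale process.
stale_procs() {
    proc_root="${1:-/proc}"
    for exe in "$proc_root"/[0-9]*/exe; do
        # Skip the literal pattern when nothing matched, and non-links.
        [ -L "$exe" ] || continue
        # Kernel threads and other users' processes may not be readable.
        target=$(readlink "$exe" 2>/dev/null) || continue
        case "$target" in
            *" (deleted)")
                pid=${exe%/exe}      # strip the trailing /exe
                pid=${pid##*/}       # keep only the pid directory name
                printf '%s %s\n' "$pid" "${target% (deleted)}"
                ;;
        esac
    done
}

# Run as root after "yum update" to see every process, not just your own.
stale_procs "$@"
```

Any path it prints belongs to a package that was updated underneath a running process; restart that service and run the check again.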

Wednesday, September 24, 2008

SSL Certificates and Outlook Anywhere with Exchange 2007 on Windows Server 2008

I have been setting up an Exchange 2007 server on Windows Server 2008. The outright drastic change of Exchange from the previous version both in the administrative user interface and underlying infrastructure is enough to make you second guess your Exchange expertise. Running Exchange 2007 on top of Windows Server 2008 more than doubles the learning curve. Two main points gave me quite the headache that I was able to overcome with lots of research and patience: SSL certificates and Outlook Anywhere.

SSL Certificates

Exchange 2007 introduced a lot of new ways for the Outlook client to be set up and connect quickly and seamlessly…for the end user. The system administrator, however, must purchase an expensive, specialized certificate called a Unified Communications Certificate that allows for more than one URL in the certificate (Subject Alternative Names). For example if your exchange server is named “ex2007” you may need to have the following alternate names:

  • ex2007
  • ex2007.domain.local
  • autodiscover.domain.local
  • mail.domain.com
  • autodiscover.domain.com

Microsoft was kind enough to include a certificate that will allow mail processing and other functions to work internally, but not externally. Generating the certificate also requires you to get your hands dirty in the Exchange Management Shell, a superset of PowerShell. Since the server I was working on used split DNS I considered getting a wildcard certificate instead of a UCC. Unfortunately I read online that the Exchange 2007 POP3 and IMAP do not support wildcard certificates and neither do Windows Mobile devices. So I was about to give in and purchase a UCC when I saw a post saying that you can use a tricky SRV DNS entry in your public DNS zone to allow you to get away with a regular SSL certificate.

  • _autodiscover._tcp IN SRV 0 100 443 mail.domain.com.

By placing this record in your public DNS zone the Outlook client will redirect the autodiscover.domain.com lookup to mail.domain.com. This allows the OWA webmail, Outlook Anywhere, POP3S, IMAPS, and SMTPS to all use the same simple SSL certificate of mail.domain.com.

TIP: Here is a tool to generate an EMS command for your certificate request: https://www.digicert.com/easy-csr/exchange2007.htm

Outlook Anywhere

Now that I tackled the overly complicated certificate issue, I ran into an issue in getting Outlook Anywhere to work. Outlook continually prompted me for my credentials and then told me Outlook must be online or connected to complete this action. After reviewing the Exchange configuration settings hundreds of times and making sure it was set according to Microsoft’s specifications I gave up. I assumed the unique setup I was working on just wouldn’t allow Outlook Anywhere to work. Then I noticed a Microsoft KB article highlighted in the msexchange.org newsletter: http://support.microsoft.com/default.aspx?scid=kb;en-us;954389&sd=rss&spid=10926. The article described the exact issue I was having in the exact scenario of my setup. I followed method 2 in the article and the issue immediately cleared up.

UPDATED:

Microsoft just released Exchange 2007 SP1 Rollup 4 which addresses the wildcard certificate problem (KB948896) as well as the Outlook Anywhere problem.

Wednesday, September 3, 2008

Blackberry Services Fail to Start

blackberry controller service error

I was working with a customer who was having trouble with their Blackberry Enterprise Server not sending and receiving email. Apparently their server had lost power and ever since then the Blackberry Controller service would not start.

The Event log picture is displayed above, but for indexing purposes I will list the event details below:

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7024
Date: 9/3/2008
Time: 3:14:48 PM
User: N/A
Computer: SSIN2K3
Description:
The BlackBerry Controller service terminated with service-specific error 5003 (0x138B).

 

I determined the executable file from the services snap in and decided to run it from the command line.  It gave me the following error:

C:\Program Files\Research In Motion\BlackBerry Enterprise Server>BlackBerryController.exe
Starting ...
Could not connect to Service Control Manager. Using console mode ...
'BlackBerry Controller' - console mode (enter 'x' or 'X' to exit)
Starting Controller
Found Dispatcher for server SSIN2K3 as 'BlackBerry Dispatcher' at '\\127.0.0.1', PID=9552
Failure, see log for details
Stopping BlackBerry Agent Controller...
BlackBerry Agent Controller Stopped

 

I found the logs located in C:\Program Files\Research In Motion\BlackBerry Enterprise Server\Logs.  Choosing the folder named for today’s date, I looked through the logs and found one of the logs mentioned that it “could not start the syslog receiver subsystem.”  On a whim I remembered an issue I have had recently with SBS servers of the DNS Server service randomly taking high port numbers and locking them out.  So I stopped the DNS Server service, started the Blackberry Controller service and it worked.  Then I started the DNS Server service again, and the Blackberry mail is flowing again. 

 

UPDATED:

Some have asked how to permanently fix this issue because every now and then the DNS service will usurp those “random” UDP ports.  Here is Microsoft’s KB article on the fix. It involved editing the registry and specifying the range of ports the server can use. 

Thursday, July 31, 2008

Thoughts on Standby, Sleep, and Hibernate

We all know the trend now is to be green.  More and more computer products are being released to be more power friendly.  Power management has been around for a long time for computers.  I can remember the first time I started using a laptop and found the standby feature.  I was so glad not to have to shut down and start up every time I used my computer.  Then I found hibernate which made me even happier.  Now with Windows Vista we have the hybrid which they have dubbed Sleep.

Standby – everything is shutdown except power to the RAM, almost instant resume.  (Sleep on Mac OS, Suspend on Linux)

Hibernate – everything in RAM is written to a hibernation file and the system is completely powered off, near instant resume.  (Safe Sleep on Mac OS)

Sleep – everything in RAM is written to a hibernation file and the system goes to standby.  In the case of a loss of power from A/C or battery, computer can resume from hibernation. 

I don’t know about the rest of you, but my experience with Sleep hasn’t worked as well as I’d like it to on my Lenovo T61.  The resume times from Standby work fine, but the hibernation takes forever.  Often times resuming from hibernation doesn’t work, which I admit may result from my obsessive excessive tweaking.

I’ve been pondering the future of power management for computers as we see the move to 64-bit Windows (and other OS’es) and increased RAM.  Wouldn’t more RAM require more power to maintain the standby state?  And if I have six gigabytes of RAM, how long does it take to write six gigabytes of RAM to the hard disk?  And now I have this six gigabyte file taking up space on my hard drive.  Resuming from hibernation will take much longer, especially if we’re talking about 5400 RPM laptop/notebook hard drives.  What are we going to do to be able to maintain low power states with the imminent changes of hardware?  I wonder if the hibernation file could be stored on a flash chip built into the hard drive or computer.  I wonder if that hibernation file could be regularly updated using something like rsync so that writing/reading the hibernation file could be expedited.  What are your thoughts?

Wednesday, July 23, 2008

Picky Printer Drivers

I didn’t realize that Terminal Services/Remote Desktop was so picky about printer drivers.  Apparently you cannot simply install the drivers on the server and expect your printer to work.  There have to be special print drivers for Terminal Services to work.  You can adjust the printers it can support, but the process can become very hairy.

Friday, July 18, 2008

Blackberry Enterprise Server Updates


Just received an email update from Blackberry notifying me of new service packs available for the Blackberry Enterprise Server for Exchange (and other mail servers). 

Tuesday, June 24, 2008

CentOS 5.2 Release


CentOS released an update to their latest version of their OS.  CentOS is the community version of the Red Hat Enterprise Linux product which has been stripped of proprietary binaries and artwork. 

CentOS 5.2 Release Notes

Friday, June 6, 2008

Microsoft Releases Windows Search 4.0


Desktop search has brought simplicity to the ever growing storage locations of files, folders, and email.  You no longer have to remember exactly which folder you filed that Word document or email into to recall it to your screen.  Simply use search to find what you are looking for.  Windows Vista shipped with Search integrated into the system.  Microsoft released Windows Desktop Search for Windows XP to bring that functionality to the "legacy" OS.  Now with version 4.0 comes some new features (mostly for enterprise group policy), speed, and efficiency.  The new version is available for download from Microsoft for Windows XP, Vista, 2003, and comes in 32-bit and 64-bit.  Microsoft plans to eventually release the update into the Automatic Update stream.

Ars Technica - Windows Search 4.0 adds features, speed, uses less resources

Google Desktop search is another alternative if you wish to not use Microsoft's desktop search.  Google does provide enterprise features to control the search product through group policy. 

Microsoft Updates Coming this June


Patch Tuesday is coming next week.  Be sure that your servers and clients get updated.  Of course if you're a sysadmin you should probably be using Microsoft's WSUS in conjunction with Group Policy to push out those updates effectively. 

Ars Technica - Microsoft Patch Tuesday for June 2008

Wednesday, June 4, 2008

IE7Pro - A Must Have Add-on for Internet Explorer If you Must Have Internet Explorer


While I wouldn't be a true everyday sysadmin if I didn't recommend you use FireFox as your primary web browser, some may still not be able to wean themselves off of their IE addiction due to habit or IE-only sites. IE7Pro steps in to help you get some of the best features of FireFox in Internet Explorer 7 (I haven't tested it with IE8 Beta yet).

  • Enhanced tab management
  • Crash recovery (get those tabs back in an IE crash)
  • Proxy switcher
  • Ad Blocker (Hurray!)
  • Inline search
  • Spell check

Head on over to pick up the free download and bring life back to Internet Explorer.

Monday, June 2, 2008

PointUI for your Windows Mobile Phone

I have been using PointUI for awhile now to help me bring usability back to my Windows Mobile phone. Ever since the iPhone's debut the need to use a stylus to work with your touch screen phone seems inefficient. Thanks to the developers of PointUI you can quickly access the things you need on your Windows Mobile phone with your fingers (for free). Head on over to PointUI's website to pick up the download. They recently updated the software to a new version which must be installed overtop of the old version. The updater in the older version doesn't pick up the new version for some reason which is why I'm just finding out about the new version.

Here is a video of the older version, but it will give you a good idea of the simplicity and beauty of the software.

Wednesday, May 7, 2008

Virus Alert: Downloader-UA.h


Not many new viruses seem to be reaching critical levels in the last few months, but the Downloader-UA.h has reached medium threat level for home users. Read over McAfee's description of the virus so that if you run into similar symptoms you can be aware of what may be going on with your users.

Subscribing to some sort of virus alert list is essential for the Sysadmin. One thing any sysadmin hates is finding out about a problem after it has escalated to the point of a real problem. Subscribe to the McAfee AVERT Advisory list to stay on top of the latest viruses.