Wednesday, September 29, 2004

DNS in Windows - what I'd like to add

Here's a list of 10 things I'd like to see implemented in Microsoft's DNS server, in no particular order.

1. Some equivalent of BIND's view feature. Users with one server who want both to host AD and to host Internet web sites could use this feature.

2. EDNS0 client awareness. It would be nice for DNS clients to have the option to use EDNS0 to get larger UDP packets back. This could be controlled by client UI (an additional check box), registry settings, and/or group policy.

3. DIG.exe, as a replacement for nslookup. Nslookup is OK if you know what you are doing, but not much help in diagnosis.

4. Full support for DNSSEC. The tools to create a key, sign a zone or a specific resource record, and generate NXT records are needed, as is client support for DNSSEC.

5. Better DNS and DHCP integration. DHCP servers should replicate their DHCP databases via AD and then co-ordinate the zones between them. This would give better integration with DNS, and better control over DHCP servers.

6. An additional command in NET.EXE: NET RESTART, which would stop then start the respective service (e.g. NET RESTART "DNS SERVER" to bounce the server). This should work with ALL NET services!

7. Decent documentation on the DNS statistics provided by dnscmd. There are hundreds of statistics produced, and these are not documented. I'd like to see better documentation on what these are, plus a -v option to display some of them only when really needed (and to limit the number shown by default).

8. English language explanations for DNS errors in AD. I see, all too often, bogus error messages that are _really_ DNS errors. For example, go to DNS, delete the zone for your AD, then run one of the DNS tools. The error message (for example, RPC failure) might be strictly speaking true, but it's very little use in troubleshooting. I'd like to see better diagnostic messages returned from the MMC tools - and have them consistent. Ideally, these tools should work out that the DNS lookup has failed, do some more testing, then put up a more meaningful and accurate error message!

9. More prescriptive guidance for DNS.

10. DNS MOC course. A 2-3 day course covering all about DNS, including interop with BIND, setup, deployment, DNS architecture, troubleshooting.

I suspect there are more things you could add - let me know and I'll try to keep this list up to date!

Ed Foster's Gripelog || No IE? No Can See

I've just moved over to using Firefox as my browser. I'll post a longer article on why, but for now, it's what I'm using, and using very happily. However, there are some sites that will not render unless you use Internet Explorer. See this post over on Ed Foster's Gripelog, titled "No IE? No Can See."

One such page, as Ed reports, is the Microsoft KB search page. If you try to hit this page with Firefox (I'm using v1.0PR), you get bounced back to http://support.microsoft.com/default.aspx. For Firefox users, there is a simple solution - just download the User Agent switcher extension, change your user agent string to either Opera or IE, and it works.

Some people might call this a bit of pretty lame programming - I'm possibly not as charitable. But, at the end of the day, given how much better Google is at searching MS content, and how much better a browser Firefox is, I'm just not prepared to give up a far superior browser in order to use a sub-optimal search facility, even if it does allow Microsoft to show what a huge number of IE-enabled users are hitting their site, and how few folks use Firefox.

Tuesday, September 28, 2004

Here we go again

While all my systems are (now!) patched, and none seem to show any signs of infection, this article from easynews.com makes grim reading.

Make sure your IT people are aware of it and are dealing with it. As an interim measure, and for home users, consider adding firewall rules to stop the virus from 'phoning home'. It's not a real defense, but it might stop a few issues. Having said that, the FTP site the virus was using seems to be down - but that could be for any number of reasons.

I guess the real question is, if a common component like a jpg decoder has a buffer overflow - just how good was the MS security push? If it left serious bugs like this, what other horrors are waiting?

Monday, September 27, 2004

Securing USB - Part 2

Over the weekend, I posted a blog entry regarding an XP SP2 registry key that could help to secure USB devices, and an ADM file to help set the registry key via policy. Ben Smith, Microsoft security guru and a really nice guy, made a great point over in the MCT forum: "Keep in mind, this feature has very limited security value. There are still many ways to use storage devices via USB to get data off the machine. For instance, an attacker could make the files .mp3 and copy them to an IPOD or .JPEG and copy them to a digital camera, or even plug a USB CDRW in and burn a disc." Great point Ben - this registry key closes one hole, but by no means all of them. Clearly, there needs to be more control, at the policy level, over all forms of writeable removable media. Just when you think you've closed a door, several more open up!

Speaking about patch management

Oddly - I am! I'll be giving a 200-300 level talk about Patch Management at Microsoft's upcoming Technical Briefing on October 4th. It's free - you can sign up by going here!

Saturday, September 25, 2004

Configuring USB Devices to be Read/Only - Windows XP SP2 only

There's been quite a bit of talk recently about the security risk posed by portable USB devices. I saw a neat entry over on Jerry Bryant's security blog which describes a new feature that was added to SP2. Basically, there's a new registry key that will turn USB storage devices into Read Only! So I thought it would be fun to see if I could write an ADM file to deploy this via group policy. It turned out to be an interesting learning exercise!!

Here's the template file, ControlUSB.ADM:

#if version <= 2
#endif
CLASS MACHINE
CATEGORY !!WindowsSystemCat
  CATEGORY !!USBControlCat
    POLICY !!ConfigureUSBDeviceStatus
      ; Not under a Policies key, so this value is a preference and stays
      ; behind when the policy is removed
      KEYNAME "System\CurrentControlSet\Control\StorageDevicePolicies"
      VALUENAME "WriteProtect"
      VALUEON NUMERIC 1
      VALUEOFF NUMERIC 0
      #if version >= 3
        EXPLAIN !!USBUpdateCfg_Help
      #endif
      #if version >= 4
        SUPPORTED !!SUPPORTED_WindowXPSP2
      #endif
    END POLICY
  END CATEGORY ;; USBControlCat
END CATEGORY ;; WindowsSystemCat

[strings]
WindowsSystemCat="System"
USBControlCat="USB Device Control"
ConfigureUSBDeviceStatus="Set ALL USB Devices on this System to Read Only"
SUPPORTED_WindowXPSP2="Windows XP SP2"
USBUpdateCfg_Help="Specifies whether this system's USB Drives are Read Only or Read Write"

To use this policy, first save it away with your other templates (%systemroot%\inf). Next open up either the local or the group policy editor, import the template and away you go.

There is one small issue here that caused me to scratch my head. When I first imported the template, I could see the node in the MMC console tree, but the policy did not appear in the results pane. I scratched my head for several hours, then got some help from my Greek MCT buddy Dimitris. He pointed out that I had to change a setting in the MMC (View/Filtering, and de-select 'Only show policy settings that can be fully managed'). This happens because the registry key used for this setting is not under one of the Policies sub-keys, so Group Policy treats it as a preference rather than a true policy. If you apply this setting to a machine and then remove the policy, the setting will remain on your system (unless you reverse it, or take the registry key out). Once you change the view settings, the MMC tool even tells you this!
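The "fully managed" distinction is worth checking before a template goes into production. As an added example (not part of the original post or of ControlUSB.ADM), here is a small Python parser that reads an ADM template, resolves its !!string names, and flags any POLICY whose KEYNAME sits outside the two Policies trees that Group Policy owns, because that value will tattoo the registry. The embedded template is constructed from the ControlUSB.ADM settings plus a hypothetical second policy under Software\Policies for contrast.

```python
import re

# Registry paths (under HKLM or HKCU) that Group Policy owns and cleans up.
# A KEYNAME outside them is a preference: written, but left behind ("tattooed")
# when the policy is removed, which is exactly the ControlUSB.ADM case above.
POLICY_ROOTS = (r"software\policies",
                r"software\microsoft\windows\currentversion\policies")

# Constructed sample modelled on ControlUSB.ADM, plus a hypothetical second
# policy under Software\Policies for contrast (CATEGORY wrappers omitted).
SAMPLE_ADM = r"""CLASS MACHINE
  POLICY !!UsbRO
    KEYNAME "System\CurrentControlSet\Control\StorageDevicePolicies"
    VALUENAME "WriteProtect"
    VALUEON NUMERIC 1
    VALUEOFF NUMERIC 0
  END POLICY
  POLICY !!Managed
    KEYNAME "Software\Policies\Example"  ;; hypothetical managed key
    VALUENAME "Disabled"
    VALUEON NUMERIC 1
    VALUEOFF NUMERIC 0
  END POLICY
[strings]
UsbRO="Set ALL USB Devices on this System to Read Only"
Managed="Hypothetical fully managed policy"
"""

def is_managed(keyname):
    """True when Group Policy will remove the value once the policy no longer applies."""
    k = keyname.strip("\\").lower()
    return any(k == r or k.startswith(r + "\\") for r in POLICY_ROOTS)

def parse_adm(text):
    """One dict per POLICY: name, keyname, valuename, on/off data, managed flag."""
    body, _, strtab = text.partition("[strings]")
    strings = dict(re.findall(r'^\s*(\w+)\s*=\s*"?([^"\n]*)"?', strtab, re.M))
    res = lambda t: strings.get(t[2:], t) if t.startswith("!!") else t.strip('"')
    policies, cur = [], None
    for raw in body.splitlines():
        # strip ';' / ';;' comments, then split keyword from its argument
        kw, _, rest = re.sub(r"(^|\s);.*$", "", raw).strip().partition(" ")
        kw, rest = kw.upper(), rest.strip()
        if kw == "POLICY":
            cur = {"name": res(rest)}
        elif cur and kw in ("KEYNAME", "VALUENAME"):
            cur[kw.lower()] = res(rest)
        elif cur and kw in ("VALUEON", "VALUEOFF"):  # "NUMERIC 1" or a quoted string
            cur[kw[5:].lower()] = re.sub(r"(?i)numeric", "", rest).strip().strip('"')
        elif cur and kw == "END" and rest.upper() == "POLICY":
            cur["managed"] = is_managed(cur.get("keyname", ""))
            policies.append(cur)
            cur = None
    return policies
```

Running parse_adm over your own templates lists every value that will survive policy removal, which is the list to reverse by hand when a machine leaves the policy's scope.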

Friday, September 24, 2004

A new drop of MSH

MSH is Microsoft's next generation command shell. I've blogged about it here, here, here, and here (and from my log files, MSH seems to be a very popular search term!). The latest news is that MS has released a major new build of MSH, which I've been playing with. It's looking more and more complete. There are still a lot of rough edges! Get it and play!

Wednesday, September 22, 2004

Hacking Google - The Guide (and a tool to help!)

Google may be "just" a search engine for most folks, but it can also be a very serious hacking tool. This PDF from Johnny Long is on his I Hack Stuff site. If you want to learn more about what Google is telling other people about your site(s), read on! And if you want to get a tool to do it, take a look at SiteDigger from Foundstone. If you publish on or to the Internet, this is something you probably want to take a closer look at!

Sunday, September 19, 2004

Conversion to Pure Text

In the writing I do, I often copy text from one document (a web page, another presentation, an Excel spreadsheet) to whatever document I'm working on at the moment. This can include KB article titles, quotes attributed to the author, as well as bits of one presentation that I'm recycling in the next. One problem with this is that the old formatting is often pasted in - and then has to be adjusted to fit into the formatting of the newer document. Thanks to an entry on KC Lemson's blog, I've discovered PureText. PureText strips away all the formatting from the clipboard, so that when you do a paste, you paste just the pure text. And one very nice feature - the product is free!

Tuesday, September 14, 2004

Virtual Server 2005 is released

After a kind of a long wait, MS has finally released Virtual Server. It comes in two editions with pricing and details here. The basic version (Standard Edition) will retail at US$499, with the Enterprise Edition priced at US$999. WOW - that's cheap, compared to VMware.

Monday, September 13, 2004

Visual Studio 2005 Standard Edition announced

Today in Orlando, Microsoft announced a new edition of Visual Studio, Visual Studio 2005 Standard Edition. This new edition was designed specifically for the needs of Visual Basic 6.0 and Web developers and contains much of the simplicity of the Express products that were announced at TechEd Europe. Standard Edition therefore becomes the entry point for professional development on the .NET Framework. Hopefully, we'll see the betas of this before long.

WinInfo Editors change their mind over HTML content

In a blog entry last week, I mentioned that Paul Thurrott's newsletter had changed to a pretty appalling HTML format. Like a lot of readers, I was not happy, and both unsubscribed from the newsletter and wrote in to complain.

A day later, I had a nice email from Janet Robins, Editor in Chief of Windows IT Pro, which says: "Thank you very much for taking time to provide feedback about our HTML newsletters. We've listened! We will be taking WinInfo Daily UPDATE back to text format beginning Monday, September 13." Great news - and I'll resubscribe!

Wednesday, September 08, 2004

WinInfo Daily Update has one less subscriber

I've been reading Paul Thurrott's daily news email for several years. But last week, the publishers switched to an HTML format. Yuck. It looks horrible in Turnpike (my news and mail reader). It does a passable job of rendering 'reasonable' HTML, but not this stuff. Count me as an ex-subscriber.

Blogger having problems today

It seems as though Blogger is having a few problems publishing blog entries today. I've managed to get most of today's entries posted, but it's taken a number of attempts. Blogger keeps giving a "java.net.SocketException".

Port Reporter

I've just finished writing a review of a cool new tool. Developed by PSS GURU Tim Rains, it's called Port Reporter. The review will be in my November column in ESM, so I can't give everything away - but it is a pretty cool tool.

Port Reporter is a Windows service that logs all TCP and UDP port usage on any Windows system (Windows XP, 2003, 2000). These details can be analysed to find issues, such as malware on your system. This tool rocks!

The tool generates detailed log information about the usage of every network port by a system over time, and as such can generate a lot of log data. To help you analyse the log files, Tim has also produced a neat analysis tool, Port Reporter Parser which produces a wealth of summary information.

You can download Port Reporter, and the Port Reporter Parser tool, from Microsoft. Each of these is a self-extracting archive containing the setup program. You have to manually configure the start-up of the service.

For an outline of the tool, see Tim Rains' WebLog article about the tool. You can also see KB 837243 which describes this tool and the generated log files in more detail.

The tool has a bunch of little niggles, but it still rocks! Using it on my main workstation showed nothing bad (thankfully), but did reveal a couple of services that could be turned off. All in all, well worth the download and the time to install and configure.

ISA 2004 Firewall Alert - read

Thanks to Jimmy Andersson (aka The Sweede) for pointing me to an article over on Steven Bink's Bink.nu site.

My take is simple: enable this registry entry now and restart your ISA firewall. And do it NOW!

Microsoft extends SP2 Blocking via AU/WU (again)

While SP2 for Windows XP is a great update, it can cause issues. To enable users, particularly larger corporate customers, to get ready, Microsoft has again extended blocking of the update via Automatic Update and Windows Update.

AU and WU will now continue to honour the blocking mechanism that prevents the offering of Windows XP SP2 until Tuesday 12 April 2005.

According to Microsoft, "beginning on Tuesday 12 April 2005 AU and WU will deliver SP2 regardless of the presence of the blocking mechanism. Note that this is also the scheduled day for a monthly cumulative security update".

Monday, September 06, 2004

Microsoft Technical Briefing - See Steve Ballmer in London

The UK Events booking site for the upcoming free Microsoft Technical Briefing is now accepting registrations.

This briefing contains both a developer and an IT Professional track, and concludes with Steve Ballmer giving a keynote. The developer track will be a little more in depth than the IT Pro track, but both should provide solid advice and guidance.

I hope to see you there!

Sunday, September 05, 2004

Ouch!

This article is really funny!

Then I saw the pictures - and these are funnier!

Enjoy!

Microsoft UK Event - Active Directory Basics

Thanks to a neat blog entry on Adam's blog, I've discovered I'm giving a talk on AD basics. This will be a pretty introductory level, but it should be fun! I've seen the initial slide deck, which should be up on the web soon. These TechNet evening events are a lot of fun. There are a lot of the same faces each time, so the virtual community becomes physical. The events are also pretty casual and relaxed, so we can talk, with MS's blessing, pretty openly. During the break (where hopefully the beer is cold and the pizza hot), there are MS folks around to answer questions. On occasion there's even a goodies take-away bag!

Microsoft Solutions Framework Version 4.0, Beta

Microsoft are in the process of updating Microsoft Solutions Framework, as part of the ongoing work on Whidbey and Visual Studio. Details have been sketchy, but some are beginning to emerge. For reasons I can't quite work out, Microsoft has released part of MSF 4.0 via GotDotNet Workspaces. You can obtain the first deliverable, MSF Agile. This material is delivered as a sort of web site, with a root page (ProcessGuidance.html) which points to other documents.

MSF Agile is "a scenario-driven, context-based, agile software development process for building .NET and other object-oriented applications. MSF Agile directly incorporates practices for handling quality of service requirements such as performance and security. It is also context-based and uses a context-driven approach to determine how to operate the project."

Three key changes from MSF 3.0 are:

1. The lifecycle for each iteration is slimmed down to just three phases: Plan, Develop, Test.

2. The roles change too, with only 5 roles: Architect, Business Analyst, Developer, Project Manager, and Tester.

3. Finally, the work products are different. New artifacts include the Threat Model Data Flow Diagram and the Quality of Service Requirements List. The Vision Statement is still included!

It looks like an interesting approach. I'll have to read more about it to discern the deeper differences.

The Usefulness of MSF

Lorenzo Barbieri recently picked up on a newsgroup post I'd made regarding the value of MSF. In the newsgroup post, I noted how I'd used MSF to design the extension to our house where the office now is. Although not following MSF rigorously, we did follow much of the spirit. We did some envisioning (the vision was "a great place to live and work"), and some scoping (i.e. what could we afford). We did multiple layers of design - conceptual (the architect's drawings), etc. As I noted in the blog entry, we spent more than we'd originally planned - but each cost addition was tested against the original vision, and where the addition made a difference we went ahead. We were also able to make great use of the trade-off triangle when we discovered things that we did not know earlier. It was an interesting exercise, and certainly provided me with a great case study to use during my MSF trainer exam!

Wednesday, September 01, 2004

New visitor counter and site stats

I've just put a new visitor counter on this blog. I've been meaning to do this for a while, but finally found a neat place to get it from. Site Meter is a site that offers site meters. They have two variants: the basic free service and a paid service. Both services provide a visitor counter for your site/blog, and analysis of the hits your site gets. The paid service, costing US$6.95/month (US$59/year), provides extra analysis and some other features. This includes the full IP address of each visitor, the internet service provider who manages (owns) the IP address, and a Recent Visitors by Search Words report. And you can turn off the advertising on the reporting pages (they load faster too). There's also a FAQ describing the two account options. A neat facility of the service is the traffic prediction. If you take a look at the site, you can see the traffic projections for this blog.