Blocking Explicit Bing with ISA Server
18 June 09 12:23 PM | tristank | 0 Comments   

Mike from Bing posted on some SafeSearch updates to Bing, particularly around image search and video preview.

So, with the new explicit domain name (explicit.bing.net), a block is easy enough to implement with ISA Server and nothing extra.

If you’ve already got a site blocking rule enabled, all you need to do is add:

*.explicit.bing.net/*

to your blocked sites URL Set, and/or

*.explicit.bing.net

to your blocked sites Domain Name Set, if you’re using one.

If you haven’t yet configured a blocking rule for explicit Bing traffic, here’s how I just did it.


First, create a new Access Rule.


I’m calling mine “Block Explicit Sites”


Next – we want to Deny access to these locations.


Protocol selection: I’ve selected HTTP and HTTPS (not sure if HTTPS is ever used, but it’s coverage, innit?)


I’m picking All Protected Networks as the source, which covers every non-External ISA network (click Add… to see the list, then Add and Close the All Protected Networks Network Set).


For the target, we want to create a new URL set. That’s probably enough to stop accidental browsing of the target domains by Web Proxy clients that aren’t doing their own name resolution, and it won’t generate a huge amount of DNS traffic.


I’ll call it Explicit Bing, and set the path to http://*.explicit.bing.net/*

This should apply to all subdomains, so if we end up with more specific categorization within the explicit domain at some point, it’ll automatically cover it.


Once that’s there, click OK, then add the Explicit Bing URL Set to the rule (find it under URL sets, click Add and then Close).


The Wizard summary should now show the rule denying HTTP and HTTPS from All Protected Networks to the Explicit Bing URL Set.

From here, it’s just Next to apply to All Users (so it’s an anonymous blocking rule – doesn’t require authentication first in order to block someone) until the Wizard finishes.


My rule ended up at #16 in my list, so a little trick with reordering: Shift-select all 15 rules above it, and then right-click any of the selected rules, and choose Move Down.


And now, my new block rule is at #1. I do want it to be first as far as anonymous web traffic rules go, but I might, for example, want to position the Xbox rule or other rules ahead of it, depending on my traffic policy.


Enter the Change Tracking reason for later auditing…


And now it’s test time…


Right, well I can’t exactly show you the full search terms or the test results, but the images served from the explicit Bing domains were certainly blocked.

As a note – test from a client computer. The ISA Server itself may well have an “Allow CRL Downloads from any network using HTTP” System Policy rule in place, which runs before any block lists. Disabling that System Policy rule and creating an equivalent Access Rule that runs after the block lists will fix this.
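Before pushing a rule like this into production, it is worth checking which requests the two entry forms from this post (the URL Set path http://*.explicit.bing.net/* and the Domain Name Set entry *.explicit.bing.net) would actually catch. The script below is an added example, not ISA Server code and not from the post: it models both entry types with simplified wildcard semantics (an assumption: `*` matches any run of characters within one URL part, and a leading `*.` on a Domain Name Set entry covers subdomains only) and runs a constructed set of sample URLs through them. How your ISA version treats the bare host and HTTPS is something to confirm against the product itself.

```python
"""Model which requests the post's URL Set and Domain Name Set entries catch.

Added example, not ISA Server code and not from the post. Wildcard semantics
are an assumption: '*' matches any run of characters within one URL part, and
'*.' on a Domain Name Set entry covers subdomains only.
"""
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# The two entries from the post: the URL Set path and the Domain Name Set entry.
URL_SET = ["http://*.explicit.bing.net/*"]
DOMAIN_SET = ["*.explicit.bing.net"]


def url_set_matches(pattern: str, url: str) -> bool:
    """Assumed URL Set semantics: scheme must be equal; host and path are
    wildcard-matched separately, case-insensitively (the conservative choice
    for a deny rule). A pattern with no path is treated as '/*'."""
    p, u = urlsplit(pattern), urlsplit(url)
    if p.scheme.lower() != u.scheme.lower():
        return False
    if not fnmatchcase(u.hostname or "", p.netloc.lower()):
        return False
    p_path = (p.path or "/*") + ("?" + p.query if p.query else "")
    u_path = (u.path or "/") + ("?" + u.query if u.query else "")
    return fnmatchcase(u_path.lower(), p_path.lower())


def domain_set_matches(entry: str, host: str) -> bool:
    """Assumed Domain Name Set semantics: '*.example' covers every subdomain
    of example (but not example itself); a plain entry must equal the host."""
    entry, host = entry.lower(), host.lower()
    if entry.startswith("*."):
        return host.endswith(entry[1:])  # entry[1:] keeps the leading dot
    return host == entry


def blocked_by(url: str, url_set=URL_SET, domain_set=DOMAIN_SET):
    """Return (set kind, entry) for the first entry that catches url, or None."""
    host = urlsplit(url).hostname or ""
    for entry in url_set:
        if url_set_matches(entry, url):
            return ("URL Set", entry)
    for entry in domain_set:
        if domain_set_matches(entry, host):
            return ("Domain Name Set", entry)
    return None


def audit(urls):
    """Map each URL to the entry that blocks it (None means it passes this rule)."""
    return {url: blocked_by(url) for url in urls}


# Constructed sample requests (not real traffic) covering the cases that matter.
SAMPLE_URLS = [
    "http://images.explicit.bing.net/search?q=test",  # subdomain over HTTP
    "http://a.b.explicit.bing.net/x",                  # nested subdomain
    "https://video.explicit.bing.net/",                # HTTPS: URL Set misses, Domain Set catches
    "http://explicit.bing.net/",                       # bare host: neither entry catches it
    "http://www.bing.com/images/search?q=cats",        # ordinary Bing: must not be blocked
]

if __name__ == "__main__":
    for url, result in audit(SAMPLE_URLS).items():
        print(f"{url:48} -> {result or 'passes'}")
```

Two things the run shows that the entries alone do not: in this model the scheme-prefixed URL Set entry does nothing for an HTTPS request (the Domain Name Set entry is what catches it), and the bare host explicit.bing.net slips past both `*.`-prefixed entries. If your ISA version behaves the same way, a second pair of entries without the wildcard closes that gap.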

ISA Server 2006 on Windows Server 2008: Nup
05 June 09 02:52 AM | tristank | 1 Comments   

Yuri’s blog explains some of the detail. But there’s slightly more subtlety to it, which I’ll try to snake-oil in front of you here:

Can I install ISA 2006 on 32-bit Windows Server 2008 ?

No, it only runs on Windows Server 2003. Okay, so technically, it also runs on Windows 2000, but if you’re installing it like that now, you should check the calendar. Windows 2000 is old, man.

Why not ISA Server 2006 on Windows 2008?

Whenever I asked that, people mumbled about TCP/IP stack changes. Sounds plausible, so I let it slide.

Well can I install ISA 2006 on 64-bit Windows Server 2008 ?

No. Wait – sort of, not really. Do you count virtualization?

What do you mean?

Hyper-V or an SVVP-validated platform. (Details on security. And the inimitable “Jim Harris” apparently pretending to be Jim Harrison. Giggle.)

Er, if I do count virtual machines?

Yes. You run it in a 32-bit Windows Server 2003 guest.

Isn’t that cheating?!

No. Well, maybe. Sorry, did you have a point there?

What about Windows Server 2003, x64 Edition?

Installing ISA on it? No. It’s 32-bit only and uses kernel-mode software; you can’t mix and match 32-bit with 64-bit k-mode drivers. Hint: I just helped you study for 070-351.

What about Service Pack 2?

X64 Edition?

Yes!

No.

You’re not being helpful.

Oh really? Your eyes are the wrong shape.

The next version of ISA Server, called Forefront Threat Management Gateway (TMG, or, I guess, Timmy to his friends (yep, I’m betting the G ends up semi-silent)), is available in its initial release in the Windows 2008 Essential Business Server thingo, which is 64-bit only.

The next standalone (i.e. non-EBS-integrated) release is currently available in Beta form, and runs exclusively on Windows Server 2008, x64 edition.

That was more helpful.

You still look funny.

Hey, why don’t your links open in new windows?

Because I think it’s nice for the reader to be able to choose whether an informational link should appear in the current frame or a new tab (or a new window).

Sometimes (probably quite often on this blog), you’ll be done with the content at the current page you’re reading, and just want to replace it with something else. Forcing a new window isn’t polite in the age of tabbed browsing.

Let the user choose.

I agree, that’s so wise. You’re like, amazing.

I know.

Everything old…
31 May 09 11:33 PM | tristank | 0 Comments   

Bing, you say? Odd, I’m sure I’ve heard it somewhere before

Wait! It was me!? I’d like to thank the Academy…

So, I assume I can look forward to a healthy bonus for coining the term!? Sure, the direction was apparently misguided, but the word is pure bing-y gold! Sigh.

Blog du TristanK: Inventing useful brand names since 2005.

(I’d buy Fjnorkel.com (that’s f-nyor-kul) right now, but I had to look up how to spell it twice while typing this sentence, which makes me a little concerned for how well people that didn’t make it up would remember it.)

“Microsoft is evil”, Barbeque Edition
31 May 09 01:34 PM | tristank | 5 Comments   

A friend of my mother’s was introduced to me at a family barbeque, and started in. Background: lives in a nice suburban neighbourhood, sends her kids to private school.

“Lovely to see you!…

So how do you feel about working for them?” (measured tone)

Pretty good, most days?

“Microsoft is evil.”

(is-she-joking?-pause) Um, look, I think we make dumb decisions sometimes, but could I ask why you think we’re evil? Is this an EU thing?

“I read that the Bill Gates foundation was trying to find a cure for Malaria.”

(confused expression) you did say ‘evil,’ right?

“and you know what that means” (expectant eyebrow-arching)

Fewer dead people?

“Yes!” (triumphant look)

(thinking hard) I can’t see how that’s bad? Is this a theological thing?

“Well it’s for globalization, isn’t it?”

Uhm… what?

“The whole idea is that if Malaria gets eradicated, there will be more people to work in sweatshops.”

(I’d swear the whites of the eyes were in some way frothy at this point)

(Pause) Yes, I guess, that’s technically feasible in some way. Let’s just suggest that we have a programming sweat shop in the Malaria belt.

(Expectancy; exultation)

What I think you’re saying is that you’d rather that about a million people died each year, than, say, they all survived and a couple of thousand worked for very low wages.

(Derailment moment; this-isn’t-quite-the-slam-dunk-I-had-planned)

(nearly shouting) “Well, no, but curing Malaria means more cheap workers. And more cheap workers means more globalization. It’s being done for a profit motive.”

(trying to calm everyone down) Let’s just assume that you’re right and it’s all a big, costly, nefarious scheme to obtain more cheap workers. Just to be clear, I don’t think that’s the case.

Are you telling me that a profit motive that leads to survival for millions, and a small income for a few of them, is more evil than all those people dying, then? Isn’t survival a start?

“But globalization is bad! Sweatshops!”

(patience with crazy person expended) Malaria worse! Death! If you don’t live, it’s a bit awkward to say you’d like your living conditions to be improved, isn’t it?

The conversation turned to other things…

IIS WebDAV Security Advisory
19 May 09 05:49 PM | tristank | 0 Comments   

Today, an IIS 5.0 to 6.0 security advisory was released:

Vulnerability in Internet Information Services Could Allow Elevation of Privilege

http://www.microsoft.com/technet/security/advisory/971492.mspx

If you’re using WebDAV on any version prior to 7.0 (where it was completely rewritten, and released as an add-on module after ), you’ll want to read the advisory, and take appropriate action.

Mitigating factors are listed in the advisory.

Windows 7 RC n-Trig multitouch drivers are out
18 May 09 08:04 PM | tristank | 0 Comments   

Some love for my lil’ Dell Latitude XT! Dell won’t sell me a battery slice for it, but I can still glide my fingers across it creepily!

In this DuoSense Multi Touch RC Release: the pen should work as well as multitouch! No more having to pick one and stick with it! Yay!

All linked from the Download page – check the release notes (link in right hand column at top of page body) before you try them.

Old MPSReports
12 May 09 01:14 PM | tristank | 2 Comments   

There’s a new MPS Reports version in town, with new features: new 64-bit friendliness, various forms of wizard-driven hotness for all the products the individual old tools used to support, etc, etc.

Call me old school if you want, but I typically prefer the convenience of “run this and send me the CAB file”, rather than “grab this, install the prerequisites, and choose the following options in the wizard, then send me the CAB file”. For newer OSes, that’s a non-issue as the pre-reqs (.Net 2.0 and Powershell) are built in; for older OSes, not so much.

A colleague sent me a set of direct download links to the old set, so I’m going to publish them here.

  • MPSRPT_Alliance.exe
  • MPSRPT_Alliance_Readme.txt
  • MPSRPT_Cluster.exe
  • MPSRPT_Cluster_Readme.txt
  • MPSRPT_DirSvc.exe
  • MPSRPT_DirSvc_Readme.txt
  • MPSRPT_Network.exe
  • MPSRPT_Network_Readme.txt
  • MPSRPT_SETUPPerf.exe
  • MPSRPT_SetupPerf_Readme.txt
  • MPSRPT_SUS.exe
  • MPSRPT_SUS_Readme.txt

For whatever reason, the download pages to these editions were removed when the new version was published; personally, I’d have suggested that the new was added alongside the old – the old, for all their limitations, are well-understood and widely used.

But the files are still there, at least for the time being.


Update: Looks like the PFE edition is still available in a not-through-the-back-door way (thanks, PFE, you rock! Hey, *I* work for that organization! Yay!), and it’s the core old-school goodness you’ve come to know and love from MPS Reporting.

http://www.microsoft.com/downloads/details.aspx?familyid=00AD0EAC-720F-4441-9EF6-EA9F657B5C2F&displaylang=en

Max Payne 2 on Xbox Originals
28 April 09 06:01 PM | tristank | 0 Comments   

Awesome, in a word.

Max Payne® 2- The Fall of Max Payne

Wins my award for most heartbreaking game ever. With some pretty funky action along the way.

I wasn’t as much of a fan of the first one, though if you play them back to back, they run very well together.

(Though the part in MP2 that always troubled me was how the people you’re shooting at don’t get damaged per se; they just take an endless supply of bullets and get tossed around. Breaks suspension of disbelief. Well, that and the whole “Bullet Time” thing, which was done very well in this one.)

Certificate Services Web Enrolment
27 April 09 04:43 PM | tristank | 1 Comments   

Spotted: a handy guide, to get your shiny new ADCS Web Enrollment* front end installed and pointed at your CA. With pictures and stuff. For WS2008.

http://blogs.technet.com/askds/archive/2009/04/22/how-to-configure-the-windows-server-2008-ca-web-enrollment-proxy.aspx

* SEO sic (seriously? I’d have expected one to be red-squiggled, but nope)

On the ISA Server Security Update
15 April 09 11:57 AM | tristank | 0 Comments   

Rambling my way to a point

One of my most favourite “Favorites” (read: “he snarled”) in recent weeks has been the ISA Server Product Team’s Build Numbers post.

They helpfully list the version numbers of each ISA Server, um, version, along with a link to the most recent hotfix for that version. That’s so helpful.

But: In most cases, you had to use the self-service hotfix feature to get that hotfix. Which is better than calling someone, but still not quite one-click conweenyence.

And there was some useful stuff fixed in each – you can do the research (hint: research is typically along the lines of “isa server hotfix site:support.microsoft.com” in whatever search engine you use).

Back to the security update: if you look at the file list for the security updates, they look a lot like the file lists for the recent hotfixes.

(Aside from a little while ago: nice that we’re again using KB articles for file information and not just “you should read the bulletin” placeholders. Makes it easier to reliably find file version information in the one place. No idea who changed it in the first place, but my blunt message to you: that was suboptimal.)

I know you love short versions, Glenda

So, long story short, by applying the security update, you’re getting the most recent build of those binaries for your ISA Server.

Just one caveat: remember that with this patch, you’ll need to reapply it if you make any significant installation-level changes to ISA later (see the bulletin for that).

Antivirus software on ISA Server
09 April 09 10:44 AM | tristank | 2 Comments   

There are two major classes of Anti Virus software (yes, I know I used one word above, it’s called SEO, okay?) that can be used on an ISA Server computer:

  • ISA-integrated antivirus scanning products
  • Regular desktop/server antivirus products

The first category is the cooler of the two, and typically involves a Web Filter and/or an Application Filter. It’s been designed to work with ISA Server, and will likely scan HTTP streams while ISA is processing them.

The second category is more common – a desktop or server antivirus product is installed on the ISA Server. That’s probably a good idea from a Defense In Depth perspective.

But if you’re using the second category (or it’s just part of your server build), did you know that there are a set of exclusions we recommend you should use?

The ISA Server product team did some great work in pulling together a set of recommendations for when Antivirus is used on ISA Server. Have a read, have a think, and then check whether yours is implemented correctly. If it isn’t, outages, poor performance and other issues might arise.

And (sorta getting into the ramble here) have you ever noticed that Support people tend to make uncomfortable noises about Antivirus products when you mention they’re installed (if not outright suggesting that you disable and/or uninstall them straight-off)? Well, that’s because when they’re configured in a way that interferes with the operation of other software, they really have, statistically, experientially, and commonly, been known to cause problems.

It’s almost a cliche to be asked to remove AV software while troubleshooting a problem – but the cliche came from somewhere to begin with. Configuring the AV as recommended is an excellent way of minimizing that risk.

Windows 2003 SP1: Support Ends in Two Weeks (April 15, 2009)
31 March 09 04:03 PM | tristank | 1 Comments   

Just following on from some Lifecycle-related musings.

24 months after SP2 was released, Windows 2003 SP1 will cease security update and hotfix support.

From the Lifecycle Supported Service Packs page:

Service pack / Release date / Support end date

Windows Server 2003 Service Pack 1 / 30-Mar-2005 / 14-Apr-2009

Windows Server 2003 Service Pack 2 / 13-Mar-2007 / Not Applicable (see note)

Note: Support ends 24 months after the next service pack releases or at the end of the product's support lifecycle, whichever comes first. For more information, please see the service pack support policy at http://support.microsoft.com/lifecycle/Default.aspx#Service%20Pack%20Support.

When you upgrade to SP2, it’s an excellent time to apply other updates too.

My suggestion would be to test installing everything up to this minute, using WSUS, SCCM, SMS or whatever, but if there’s one update I suggest you should apply after SP2, it’s 948496. That’s the Scalable Networking Pack disablement fix. (If you didn’t know you were using SNP under SP1, you don’t want it under SP2).

SMB/CIFS support for File:// URLs in CRL Distribution Points: Nup
24 March 09 10:45 AM | tristank | 0 Comments   

According to Brian Komar, CDP and AIA extensions won’t work any more with file://\\server\share URLs as of Windows Vista SP1 / Windows Server 2008.

Note: With the release of Windows Vista Service Pack 1, support for Common Internet File System (CIFS) or Server Message Blocks (SMBs) through a File URL was dropped for AIA and CDP retrieval.

From Windows Server 2008 PKI and Certificate Security, page 245.

Why post it here? Because I couldn’t find this information on the interwebs, only in a book. I spent 20+ minutes looking!

A book. In this day and age!?

Aha! Here's the KB article describing the change! http://support.microsoft.com/kb/946401 

(if like me you got hung up on SMB or CIFS being a keyword for the change, well, there ya go. I guess that file:// just implies whatever you've got going on in your redirector, so while SMB/CIFS might be most common in Windows networks, it could have been NCP/NFS/Whatever here.)
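If you want to know whether any of your issued certificates still carry file:// pointers before the Vista SP1 / Windows Server 2008 clients start ignoring them, the scheme of each CDP and AIA URL is the only thing that matters. The script below is an added example, not from the post, the book or KB 946401: it scans text laid out like a certutil certificate dump (the sample is constructed, and the exact layout is an assumption) for the URL= lines under the CRL Distribution Points and Authority Information Access extensions and reports the ones that use file://.

```python
"""Find CDP/AIA URLs that Vista SP1 / Windows Server 2008 clients will not retrieve.

Added example, not from the post or KB 946401. The sample below is constructed
and its certutil-dump-style layout is an assumption; only the URL scheme is used
to decide whether retrieval is still supported.
"""
import re

# Constructed sample in certutil-dump style; one CDP and one AIA entry use file://.
SAMPLE_DUMP = r"""
CRL Distribution Points
    [1]CRL Distribution Point
         Distribution Point Name:
              Full Name:
                   URL=file://\\fileserver\CertEnroll\Contoso%20CA.crl
                   URL=http://pki.contoso.example/CertEnroll/Contoso%20CA.crl
Authority Information Access
    [1]Authority Info Access
         Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2)
         Alternative Name:
              URL=ldap:///CN=Contoso%20CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,DC=contoso,DC=example?cACertificate
    [2]Authority Info Access
         Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2)
         Alternative Name:
              URL=file://\\fileserver\CertEnroll\Contoso%20CA.crt
"""

SECTIONS = ("CRL Distribution Points", "Authority Information Access")
URL_LINE = re.compile(r"^\s*URL=(\S+)\s*$")
SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")
UNSUPPORTED_SCHEMES = {"file"}  # dropped for AIA/CDP retrieval per KB 946401


def extract_urls(dump: str):
    """Yield (section, url) for every URL= line under a CDP or AIA heading.
    An unindented line is treated as the start of a new extension block."""
    section = None
    for line in dump.splitlines():
        if line and not line[0].isspace():
            section = line.strip() if line.strip() in SECTIONS else None
            continue
        m = URL_LINE.match(line)
        if section and m:
            yield section, m.group(1)


def audit_cdp_aia(dump: str):
    """Classify each CDP/AIA URL by scheme; 'supported' is False for file://
    (and for anything with no recognisable scheme at all)."""
    results = []
    for section, url in extract_urls(dump):
        m = SCHEME.match(url)
        scheme = m.group(1).lower() if m else ""
        results.append({
            "section": section,
            "url": url,
            "scheme": scheme,
            "supported": bool(scheme) and scheme not in UNSUPPORTED_SCHEMES,
        })
    return results


def unsupported_urls(dump: str):
    """The (section, url) pairs an SP1+/2008 client will skip."""
    return [(r["section"], r["url"]) for r in audit_cdp_aia(dump) if not r["supported"]]


if __name__ == "__main__":
    for section, url in unsupported_urls(SAMPLE_DUMP):
        print(f"{section}: {url} will not be retrieved over file://")
```

Run it over a dump of each CA certificate and a sample of issued certificates; anything it lists still needs an http:// or ldap:// alternative published alongside (and the CA's CDP/AIA configuration fixed so newly issued certificates stop carrying the file:// form).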

Hope that saves you some searching, future-Tristan.

Win2K: 1 Year, 5 months to go
11 February 09 01:52 PM | tristank | 5 Comments   

http://support.microsoft.com/lifecycle/?p1=3071

I just saw the first case for a fair while come through on IIS 5.0; it prompted me to wonder when support for IIS 5.0 (as part of Windows 2000) expires.

Well, the answer is: 13th July 2010.

If staying well away from the leading edge - but still supported - is truly important to you, then outside of a Custom Support Agreement you have about a year to test and perform an upgrade to at least Windows Server 2003.

Don’t leave it till the last minute – virtualize those Win2K IIS servers, and try upgrading them to 2003, porting the app to 2003 or 2008 (in many cases, they’ll just be copy-able straight across), and generally getting ready for the transition.

It’s predictable; you can see it coming… take action now!


Other interesting lifecycle events: (by the way, a LifeCycle isn’t that awesome thing from the movie Tron, that’s a Light Cycle)

Product / Mainstream End / Extended End (Dead!)

Windows Server 2003 (IIS 6.0) / 13 July 2010 / 14 July 2015

Office 2000 / Way Past / 14 July 2009

Office XP / Back in 06 / 12 July 2011

IAG – now available for Hyper-V
29 January 09 07:47 PM | tristank | 0 Comments   

Of all the things I could be doing right now, blogging is the one that won. Feel special? Procrastination, but with a helpful bent.

IAG SP2 is now a VHD for Hyper-V

Your mission, Jim, is to make that into a song.

The most interesting “wow” moment I had today was reading that IAG (Intelligent Application Gateway - that’s that Whale SSL thingo) is now available without accompanying hardware.

Previously (as I understand it) IAG 2007 was only available on a hardware appliance of sorts.

Now, at least as far as the Technet Deity is concerned, IAG 2007 SP2 is licensable as a Hyper-V Virtual Machine, if you don’t want to go for the hardware.

The VHD includes IAG 2007 SP2 (I’m downloading the trial now, to get up to Mischief) and ISA Server 2006 (for the firewalling capabilities), running on Windows Server 2003.

I’m something of a noob to IAG, so, um, if you want to ask something, go hit them up instead.

But yay, can’t wait to try it out.
