Blog du Tristank : Security

Vista Black Edition comments from the MMPC

tristank — Wed, 21 Oct 2009 04:06:22 GMT

Matt McCormack, MMPC Melbourne (that is the most awesomely alliterative signature block I’ve seen for a while) comments on an amusingly ironic infection detection we’ve seen from MSE:

http://blogs.technet.com/mmpc/archive/2009/10/20/vista-32-bit-black-hat-edition-2009-iso.aspx

ISA Server 2006 TCP Retransmits

tristank — Wed, 14 Oct 2009 04:24:20 GMT

Health Checks

I perform ISA Server Health Checks for Premier Support (via Premier Field Engineering) as part of my role.

I’ve seen something a few times recently that I thought it might be helpful to call out, while poking around in the Performance Monitor TCPv4 counter area.

The Problem

In short: Lots of TCP retransmissions per second.

Like, lots. More than 1% is annoying; any more than 5% and you pretty surely have a problem.

Recently, I’ve been seeing 20%.

That’s right, kids, according to Perfmon’s statistics, one in five TCP packets requires retransmission.

If your ISA Server seems like it might be a bit slow, and you haven’t looked yet, go look. I’ll wait. You’re interested in the TCPv4 object, specifically the Segments/sec and Segments Retransmitted/sec counters.

What I’ve seen looks like this:

The green area is TCPv4\Segments/sec. The red area is TCPv4\Segments Retransmitted/sec. They’re using the same scale.

Notice that the retransmission figures track with the overall volume.

This 20% figure has been seen across Intel and Broadcom server NICs, so I don’t think it’s specific to either vendor.

Fixing It

In at least one of the places I found this, a simple driver upgrade to the latest version available looked like it fixed the problem.

Otherwise, it could indicate a NIC issue, or a hardware issue with the switch.

If you find yourself in this situation, and do resolve it, please do post details in the comments section below.

ISA Server 2006 on Windows Server 2008: Nup

tristank — Thu, 04 Jun 2009 18:52:46 GMT

Yuri’s blog explains some of the detail. But there’s slightly more subtlety to it, which I’ll try to snake-oil in front of you here:

Can I install ISA 2006 on 32-bit Windows Server 2008 ?

No, it only runs on Windows Server 2003. Okay, so technically, it also runs on Windows 2000, but if you’re installing it like that now, you should check the calendar. Windows 2000 is old, man.

Why not ISA Server 2006 on Windows 2008?

Whenever I asked that, people mumbled about TCP/IP stack changes. Sounds plausible, so I let it slide.

Well can I install ISA 2006 on 64-bit Windows Server 2008 ?

No. Wait – sort of, not really. Do you count virtualization?

What do you mean?

Hyper-V or an SVVP-validated platform. (Details on security. And the inimitable “Jim Harris” apparently pretending to be Jim Harrison. Giggle.)

Er, if I do count virtual machines?

Yes. You run it in a 32-bit Windows Server 2003 guest.

Isn’t that cheating?!

No. Well, maybe. Sorry, did you have a point there?

What about Windows Server 2003, x64 Edition?

Installing ISA on it? No. It’s 32-bit only and uses kernel-mode software; you can’t mix and match 32-bit with 64-bit k-mode drivers. Hint: I just helped you study for 070-351.

What about Service Pack 2?

X64 Edition?

Yes!

No.

You’re not being helpful.

Oh really? Your eyes are the wrong shape.

The next version of ISA Server, called Forefront Threat Management Gateway (TMG, or, I guess, Timmy to his friends (yep, I’m betting the G ends up semi-silent)), is available in its initial release in the Windows 2008 Essential Business Server thingo, which is 64-bit only.

The next standalone (i.e. non-EBS-integrated) release is currently available in Beta form, and runs exclusively on Windows Server 2008, x64 edition.

That was more helpful.

You still look funny.

Hey, why don’t your links open in new windows?

Because I think it’s nice for the reader to be able to choose whether an informational link should appear in the current frame or a new tab (or a new window).

Sometimes (probably quite often on this blog), you’ll be done with the content at the current page you’re reading, and just want to replace it with something else. Forcing a new window isn’t polite in the age of tabbed browsing.

Let the user choose.

I agree, that’s so wise. You’re like, amazing.

I know.

IIS WebDAV Security Advisory

tristank — Tue, 19 May 2009 09:49:20 GMT

Today, an IIS 5.0 to 6.0 security advisory was released:

Vulnerability in Internet Information Services Could Allow Elevation of Privilege

http://www.microsoft.com/technet/security/advisory/971492.mspx

If you’re using WebDAV on any version prior to 7.0 (where it was completely rewritten, and released as an add-on module after ), you’ll want to read the advisory, and take appropriate action.

Mitigating factors are listed in the advisory.

On the ISA Server Security Update

tristank — Wed, 15 Apr 2009 03:57:59 GMT

Rambling my way to a point

One of my most favourite “Favorites” (read: “he snarled”) in recent weeks has been the ISA Server Product Team’s Build Numbers post.

They helpfully list the version numbers of each ISA Server, um, version, along with a link to the most recent hotfix for that version. That’s so helpful.

But: In most cases, you had to use the self-service hotfix feature to get that hotfix. Which is better than calling someone, but still not quite one-click conweenyence.

And there was some useful stuff fixed in each – you can do the research (hint: research is typically along the lines of “isa server hotfix site:support.microsoft.com” in whatever search engine you use).

Back to the security update: if you look at the file list for the security updates, they look a lot like the file lists for the recent hotfixes.

(Aside from a little while ago: nice that we’re again using KB articles for file information and not just “you should read the bulletin” placeholders. Makes it easier to reliably find file version information in the one place. No idea who changed it in the first place, but my blunt message to you: that was suboptimal.)

I know you love short versions, Glenda

So, long story short, by applying the security update, you’re getting the most recent build of those binaries for your ISA Server.

Just one caveat: remember that with this patch, you’ll need to reapply it if you make any significant installation-level changes to ISA later (see the bulletin for that).

Antivirus software on ISA Server

tristank — Thu, 09 Apr 2009 02:44:00 GMT

There are two major classes of Anti Virus software (yes, I know I used one word above, it’s called SEO, okay?) that can be used on an ISA Server computer:

ISA-integrated antivirus scanning products
Regular desktop/server antivirus products

The first category is the cooler of the two, and typically involves a Web Filter and/or an Application Filter. It’s been designed to work with ISA Server, and will likely scan HTTP streams while ISA is processing them.

The second category is more common – a desktop or server antivirus product is installed on the ISA Server. That’s probably a good idea from a Defense In Depth perspective.

But if you’re using the second category (or it’s just part of your server build), did you know that there are a set of exclusions we recommend you should use?

The ISA Server product team did some great work in pulling together a set of recommendations for when Antivirus is used on ISA Server. Have a read, have a think, and then check whether yours is implemented correctly. If it isn’t, outages, poor performance and other issues might arise.

And (sorta getting into the ramble here) have you ever noticed that Support people tend to make uncomfortable noises about Antivirus products when you mention they’re installed (if not outright suggesting that you disable and/or uninstall them straight-off)? Well, that’s because when they’re not configured in a way that doesn’t interfere with the operation of other software, they really have, statistically, experientially, and commonly, been known to cause problems.

It’s almost a cliche to be asked to remove AV software while troubleshooting a problem – but the cliche came from somewhere to begin with. Configuring the AV as recommended is an excellent way of minimizing that risk.

SMB/CIFS support for File:// URLs in CRL Distribution Points: Nup

tristank — Tue, 24 Mar 2009 02:45:00 GMT

According to Brian Komar, CDP and AIA extensions won’t work any more with file://\\server\share URLs as of Windows Vista SP1 / Windows Server 2008.

Note: With the release of Windows Vista Service Pack 1, support for Common Internet File System (CIFS) or Server Message Blocks (SMBs) through a File URL was dropped for AIA and CDP retrieval.

From Windows Server 2008 PKI and Certificate Security, page 245.

Why post it here? Because I couldn’t find this information on the interwebs, only in a book. I spent 20+ minutes looking!

A book. In this day and age!?

Aha! Here's the KB article describing the change! http://support.microsoft.com/kb/946401

(if like me you got hung up on SMB or CIFS being a keyword for the change, well, there ya go. I guess that file:// just implies whatever you've got going on in your redirector, so while SMB/CIFS might be most common in Windows networks, it could have been NCP/NFS/Whatever here.)

Hope that saves you some searching, future-Tristan.

IAG – now available for Hyper-V

tristank — Thu, 29 Jan 2009 12:47:03 GMT

Of all the things I could be doing right now, blogging is the one that won. Feel special? Procrastination, but with a helpful bent.

IAG SP2 is now a VHD for Hyper-V

Your mission, Jim, is to make that into a song.

The most interesting “wow” moment I had today was reading that IAG (Intelligent Application Gateway - that’s that Whale SSL thingo) is now available without accompanying hardware.

Previously (as I understand it) IAG 2007 was only available on a hardware appliance of sorts.

Now, at least as far as the Technet Deity is concerned, IAG 2007 SP2 is licensable as a Hyper-V Virtual Machine, if you don’t want to go for the hardware.

The VHD includes IAG 2007 SP2 (I’m downloading the trial now, to get up to Mischief) and ISA Server 2006 (for the firewalling capabilities), running on Windows Server 2003.

I’m something of a noob to IAG, so, um, if you want to ask something, go hit them up instead.

But yay, can’t wait to try it out.

That Memory Leak Revisited

tristank — Wed, 25 Jun 2008 08:59:22 GMT

While searching for memory leaking troubleshooting techniques that could be applied to 64-bit Windows (for the DHCP Server memory leak I found I had the other day), I stumbled across the answer to my problem in an internal tool (weird that I missed it from a web search the first time, but c'est la vie).

A Windows Server 2008-based DHCP server that is configured in a workgroup environment may consume too much memory

http://support.microsoft.com/default.aspx/kb/949530

And that's my problem! One REG command (and one restart of the DHCPServer service) later, I'm waiting to see how it went, but it all looks promising, based on that article. Neat-o.

The Cat's Out Of The Bag: ISA Server will become ForeFront TMG

tristank — Wed, 09 Apr 2008 09:21:00 GMT

So, we all know that ISA 2006 doesn't work on Windows Server 2008. Massive architectural changes to the IP stack, blah blah, etc, etc.

People (uh, yeah, just "people") have been asking about what's to become of ISA Server for a while:

"There's no ISA 2008 announced!" they'd scream.

"This surely means the end of one of the best product lines Microsoft has produced!" might have also been heard (in a somewhat muffled way).

"Won't Tristan be out of a job?" one person wailed, unconvincingly.

Well, that's right - the plan at this point is that there is no ISA Server 2008.

(pause for effect, teeth-gnashing, gasping, horror to subside)

As of the next version, Internet Security and Acceleration Server is ForeFront Threat Management Gateway!

(Now you're going to tell me that ISA was a perfectly good name and not at all unwieldy...)

See our well-formed Press Release for details!

Microsoft also today announced the name of its next-generation network edge security product, Forefront Threat Management Gateway. Forefront Threat Management Gateway is the future version of Microsoft ISA Server and will extend the capabilities of ISA Server 2006 with new features and security technologies, designed to help provide multiple-threat protection, simplified management and secure connectivity, and will be built on Windows Server 2008. More details about Forefront Threat Management Gateway will be available later this year.

Excellent! So, key takeaway: we are working on a successor. The product isn't going away!

There's an early beta available from here, though it's downloading at a slow trickle for me right now (got excitement?).

So, go forth and, you know, Manage Threats! In the future!

IIS7 Modules Aplenty - WebDAV, Bitrate Throttling

tristank — Sat, 15 Mar 2008 14:51:00 GMT

New modules, supported by Microsoft, are now officially RTMd (RTWd?) and available for use with IIS 7.0.

WebDAV

Yay new WebDAV! Yay being able to enable it on specific parts of a site! Yay better!

Robert: http://blogs.msdn.com/robert_mcmurray/archive/2008/03/12/webdav-extension-for-windows-server-2008-rtm-is-released.aspx

Downloads:

• Microsoft WebDAV Extension for IIS 7.0 (x86) http://www.iis.net/go/1621/
• Microsoft WebDAV Extension for IIS 7.0 (x64)http://www.iis.net/go/1618/

Media Bitrate Throttling

Yay something about bandwidth for media files!

Vishal: http://blogs.iis.net/vsood/archive/2008/03/15/bit-rate-throttling-is-now-released.aspx

Downloadies:

· 32 bit – http://www.iis.net/downloads/default.aspx?tabid=34&g=6&i=1640

· 64 bit – http://www.iis.net/downloads/default.aspx?tabid=34&g=6&i=1641

Intro:

The Internet Information Services 7.0 (IIS 7.0) Media Pack – Bit Rate Throttling module provides the ability to throttle progressive downloads of media files (in which audio/video playback starts as soon as sufficient data has been buffered on the client) based on the content bit rate. For sites that deliver audio and video files that may not be watched in their entirety, this module could significantly reduce your media-related bandwidth costs. A secondary feature of the Bit Rate Throttling Module is that it can also be used to throttle non-media ("Data") file types at specified bit rates.

Don't Forget The New FTP Server While You're At It

I already mentioned this, but I'll list it here as a one-stop convenience (aww, aren't I nice?)

Replaces FTP6 (that shipped in the box) with FTP7: FTP with SSL, virtual hostname support, extensibility, right-click-and-add-FTP-to-a-website publishing integration... loads of cool stuff.

Microsoft FTP Publishing Service for IIS 7.0 (x86)

Microsoft FTP Publishing Service for IIS 7.0 (x64)

"Stacking" NTLM Authentication

tristank — Tue, 11 Mar 2008 09:30:49 GMT

This question came up today (well, actually, it was about four weeks ago I started typing this, but bear with me), and it's been a little while since I've rambled about authentication protocols, so let's enjoy a nice, calm discussion on a ~~Monday~~ Tuesday arvo.

The request was something like:
In a Web Publishing scenario, can I do NTLM at the ISA Server and NTLM at the Exchange server too?

No

And the answer is - well, no.

There's no way for the client browser to distinguish between the ISA Server (first) saying 401 WWW-Authenticate: NTLM , and then the IIS Server saying 401 WWW-Authenticate: NTLM.

Because it appears to be a repeated authentication sequence when the connection is already authenticated from IE's perspective (and IE doesn't think it's talking to a different server), IE assumes there's been an auth failure (why else would the server challenge again?).

So, lots of authentication prompts are going to happen. The solution (as described) is not workable.

But

With ISA 2006 and its amazingly-useful-how-did-we-ever-live-without-them Authentication features:

What you could do is Integrated Windows Authentication at the Exchange server (i.e. allow Kerberos), and use protocol transition at the ISA Server, from whatever form of authentication you can accept from a client to Kerberos Credential Delegation (or even another protocol, depending on the auth method used by the listener).

So

The question itself was a "no", but the question almost always isn't actually the question. That one's for free.

Special note: I worked really hard on the headings for this post. I hope it was appreciated.

SetSPN improvements in Windows Server 2008! W00t!

tristank — Fri, 21 Dec 2007 10:21:00 GMT

All this stuff is based on a prerelease (RC1) version of Windows Server 2008 and may change before final release. Cheques may not be honoured.

I had a happy moment one night in India when the trainer for our IIS 7.0 TTT course discussed some of the Kerberos-related improvements in IIS7.

... SetSPN got revamped.

We all know (or knew, before my wiki collapsed) that duplicate Kerberos SPNs are bad. (The Wiki is still down, by the way, sorry).

We know that it's been a little bit iffy configuring said SPNs and that the chance of getting it wrong was quite high - there was no control that prevented the registration of the same SPN twice, against different accounts.

Worse: SetSPN was focused on the account (security principal) only - if you thought you had a duplicate, you needed to use a customized LDIFDE command to track it down based on the SPN, as SetSPN wouldn't search by SPN, only by account.

Buuut: Some wonderful SDE that should really be on my Christmas card list decided that SetSPN could become an all-singing all-dancing SPN troubleshooting tool!

Yes folks, SetSPN now has SANITY CHECK (-S) switches and FIND THE PROBLEM (-X) switches! HOW COOL IS THAT!?

In order to not break backwards compatibility (I infer; I didn't actually participate in the conversation or decision making process), these are implemented as new switches, not old ones: Existing scripts that rely on creating duplicates (and then presumably resolving that situation shortly afterwards) won't (er, shouldn't) suddenly break.

C:\Users\Administrator>setspn
Usage: setspn [modifiers switches data] computername
Where 'computername' can be the name or domain\name

Modifiers:
-F = perform the duplicate checking on forestwide level
-P = do not show progress (useful for redirecting output to file)

Switches:
-R = reset HOST ServicePrincipalName
Usage:   setspn -R computername
-A = add arbitrary SPN
Usage:   setspn -A SPN computername
-S = add arbitrary SPN after verifying no duplicates exist
Usage:   setspn -S SPN computername
-D = delete arbitrary SPN
Usage:   setspn -D SPN computername
-L = list registered SPNs
Usage:   setspn [-L] computername
-Q = query for existence of SPN
Usage:   setspn -Q SPN
-X = search for duplicate SPNs
Usage:   setspn -X

Examples:
setspn -R daserver1
It will register SPN 'HOST/daserver1' and 'HOST/{DNS of daserver1}'
setspn -A http/daserver daserver1
It will register SPN 'http/daserver' for computer 'daserver1'
setspn -D http/daserver daserver1
It will delete SPN 'http/daserver' for computer 'daserver1'
setspn -F -S http/daserver daserver1
It will register SPN 'http/daserver' for computer 'daserver1' if no such SPN exists in the forest

So, any instructions out there that currently use the positively archaic SETSPN -A can now be updated to use the shiny new SETSPN -S.

Again, I ask you: How cool is that!?

I should add that I haven't actually tried this yet, just gurgled at the wonderful new options and imagined their effect. If it throws a "NotYetImplementedException", please forgive my enthusiasm :)

401.3, you say? Not 403?

tristank — Mon, 22 Oct 2007 12:35:12 GMT

You're running an IIS 6.0 website, and you have a virtual directory configured for anonymous authentication only (that is, you've unticked Integrated Windows Authentication).

Using a web browser, you try to access a file in that virtual directory. http://example.com/vdir/something.txt

What's a web browser?

Know what IE is, Leon?

Yeah.

Same thing.

I've never seen an IE. But I know what you mean.

Anyway, the something.txt file is ACLd such that the anonymous user account (IUSR_MACHINENAME) doesn't have any NTFS permissions to it. IIS impersonates the anonymous user for any anonymous request, and if it's knocked back, it 401s the client with a WWW-Authenticate header describing the types of authentication supported.

Now IIS needs to ask for some kind of credential, but the only authentication method ticked is Anonymous. So IIS can't ask for credentials. It can't 401 with a WWW-Authenticate header because it's got nothing to put in it. It won't send a 403 because it hasn't yet made a good-faith attempt to impersonate a user other than Anonymous.

But you haven't configured it to ask for credentials. You could tick Integrated Windows and make the pain go away. Or you could allow the Internet Guest Account (at least) Read access to the file. But you're not doing that, Leon.

Why is that, Leon?

Do you make these questions up yourself, or do you have them written down for you?

Actually, people come to me with questions all the time, and I sometimes write them down.

Like this one: tell me only the good things that come to your mind, about... Personal Web Server on Windows 95.

Personal Web Server? Let me tell you about Personal Web Server...

Tip o' the Week: WEVTUTIL for EVTX/EVT file conversion

tristank — Fri, 05 Oct 2007 09:19:19 GMT

This week, a pointer to a solution to a problem I occasionally hit.

Windows Vista (and by extension Windows Server 2008, I assume) utilizes a new EVTX log format for event log exports. It's XML-based, natch.

Problem: Everyone's Favourite Log Digestion Tool Log Parser uses system APIs to read event log exports, and the old .EVT event log format isn't "native" any more. Long story short, it chokes on them.

This, to put it mildly, was annoying, as most customers haven't moved to Windows Server 2008 yet (I mean, it's only five months from release - is there ever a better time?) and so supply event logs in the old format when asked.

Anyway - you can convert the old-school event logs into shiny new event logs through the user interface (just double-click the EVT, wait for it to open and display in chronological order; then do a Save As, pick a location and filename and answer an obscure question about language formatting; then find and open the newly-resaved log file), but bluntly, the GUI process leaves a bit to be desired if you have the slightest inkling towards type-A behaviour, and all I really want is something that'll work in Log Parser, really.

WEVTUTIL (and NeilCar) to the rescue. It's included out of the box, and it'll convert those dusty old event logs from the command line, with nary a GUI or common dialog in sight, ready for consumption by Logparser, or any other EVTX-friendly file muncher.

Neil's example (for the click-inhibited):

wevtutil epl application.evt application.evtx /lf:true

Bewdiful.