7/30/2004

::Spyware::


Spy Blaster at www.spyblaster.com is actually a rogue spyware tool that makes these problems worse. There are now a multitude of untrustworthy "spyware" products out there. These can be trusted:
Ad-aware, Pest Patrol, Spybot Search & Destroy, and Webroot Spy Sweeper
Spybot and Ad-aware have free versions.
Be sure to run the Ad-aware 6.181 engine and update to the latest "pattern" file every time.
Run Spybot 1.3 with the latest updates.
Often "cleaning" doesn't even work unless you turn off WinXP System Restore and run the removal in Safe Mode.
HijackThis.exe is good for finding browser helper objects.
Also, see my prior posting about using ActiveX filters.
Once you are really messed up with spyware it is often easier (and faster) to just wipe out your machine and start fresh.

7/27/2004

AD::Exchange::LDP


Using ldp.exe to look up a user in Active Directory
Great tip about using LDP.EXE to look up which user has a particular mail nickname. My more brute-force standby method would have been to use LDIFDE to export them all and then search the entire list. http://datacomguy.tripod.com/blog/2003/08/exchange-2000export-e-mail-aliases.html

Using LDP to look up a user object:
1. Start ldp.exe
2. Connection | Connect and choose your DC
3. Connection | Bind and authenticate
4. View | Tree and browse to the top-level OU from which you want to search
5. Connection | New to clear the right pane
6. Right-click on that OU and choose Search
7. To search on the alias, use: "(&(objectclass=*)(mailnickname=aliasnamehere))"

Further information: http://support.microsoft.com/?kbid=224543
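As an added example (not the blog's or Microsoft's code), here is the same lookup done both ways in Python: it builds the ldp.exe filter with the alias escaped per RFC 4515, so a value containing "*" or parentheses cannot change what the filter matches, and it searches an LDIFDE export for the nickname. The LDIF text below is constructed.

```python
import base64

# Constructed sample resembling an LDIFDE export. The second mailNickname is
# base64-encoded (::) and folded onto a continuation line, as LDIFDE emits.
SAMPLE_LDIF = """\
dn: CN=Jane Doe,OU=Users,DC=example,DC=com
objectClass: user
mailNickname: jdoe
mail: jdoe@example.com

dn: CN=Bob Roe,OU=Users,DC=example,DC=com
objectClass: user
mailNickname:: Ym9i
 cm9l
mail: bobroe@example.com
"""

# RFC 4515 escapes for characters that are special inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def nickname_filter(alias):
    """Filter string to paste into the ldp.exe Search dialog."""
    return "(&(objectclass=*)(mailnickname=%s))" % escape_filter_value(alias)

def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines, decodes base64 values,
    returns one dict (lower-cased attribute -> list of values) per entry."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # continuation of previous line
        else:
            unfolded.append(line)
    records, current = [], {}
    for line in unfolded + [""]:              # trailing "" flushes last entry
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        attr, _, val = line.partition(":")
        if val.startswith(":"):               # "attr:: base64value"
            val = base64.b64decode(val[1:].strip()).decode("utf-8")
        current.setdefault(attr.lower(), []).append(val.strip())
    return records

def find_by_nickname(ldif_text, alias):
    """DNs of entries whose mailNickname equals alias (case-insensitive)."""
    wanted = alias.lower()
    return [r["dn"][0] for r in parse_ldif(ldif_text)
            if wanted in (v.lower() for v in r.get("mailnickname", []))]
```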

7/22/2004

SMTP::Headers::Manual testing


I was trying to explain how to do this to somebody today and decided to look for a reference about it rather than try to make my own.
Lo and behold:

http://support.microsoft.com/default.aspx?kbid=153119&product=exch2k

Windows::Time


Set time to Naval Observatory
http://support.microsoft.com/default.aspx?scid=kb;EN-US;314054
Windows includes W32Time, the Time Service tool that is required by the Kerberos authentication protocol. The purpose of the Time Service is to ensure that all computers that are running Microsoft Windows 2000 or later in an organization use a common time.

To ensure appropriate common time usage, the Time Service uses a hierarchical relationship that controls authority, and the Time Service does not permit loops. By default, Windows-based computers use the following hierarchy:
All client desktop computers nominate the authenticating domain controller as their in-bound time partner.
All member servers follow the same process that client desktop computers follow.
All domain controllers in a domain nominate the primary domain controller (PDC) operations master as their in-bound time partner.
All PDC operations masters follow the hierarchy of domains in the selection of their in-bound time partner.
In this hierarchy, the PDC operations master at the root of the forest becomes authoritative for the organization. It is recommended that you configure the PDC operations master to gather the time from an external source. This event is logged in the System event log on the computer as event ID 62.

Administrators can configure the Time Service on the PDC operations master at the root of the forest to recognize an external Simple Network Time Protocol (SNTP) time server as authoritative. Use the following net time command:
net time /setsntp:server_list

The United States Naval Observatory runs several SNTP time servers that are satisfactory for this function, for example, ntp2.usno.navy.mil (at 192.5.41.209) and tock.usno.navy.mil (at 192.5.41.41).

After you set the SNTP time server as authoritative, run the following command on computers other than the domain controller to reset the local computer's time against the authoritative time server:
net time /set

Cisco::Switch::Inline Power


Worth noting: the "old" inline power modules from Cisco provide Cisco-proprietary inline power to Cisco devices. The new "AF" standard modules provide the new standard PoE power.
And the 4506 switches have a limited power capacity that must be planned for. There is a calculator at:
http://tools.cisco.com/cpc/launch.jsp
I can't fill up my 4506 chassis with inline power modules, provide power to all the modules, and still have redundancy for the 2800W power supply.

This link contains more details about power supplies and providing inline power with 4500 series switches:
http://www.cisco.com/en/US/products/hw/switches/ps4324/products_data_sheet09186a00801f3dd9.html
It is possible to add an external power source using a "shelf" and installing power supplies in it to provide for power supply redundancy:

WS-P4502-1PSU
Catalyst 4500 Aux. Power Shelf (2 slot), incl. one PWR-4502

PWR-4502
Catalyst 4500 Aux. Power Shelf Redundant Power Supply

To get one each of the above would be about $6K




7/16/2004

Exchange Technical Information


While googling it is sometimes easy to forget to check the obvious. The excellent technical information provided by Microsoft is not to be ignored:
Microsoft Exchange Server: Outlook Information

Check out this great PDF from the top of the list above:

Client Network Traffic with Exchange 2000

Outlook/Exchange Network Traffic


This is an excellent article:
Control Client Network Traffic

It contains an interesting discussion of the Exchange provider binding order stored in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Exchange\Exchange Provider\Rpc_Binding_Order
The article defines the entries as follows:
Network Protocols for MAPI Clients
Registry protocol - Meaning
ncalrpc - Local RPC calls (client and server on the same system).
ncacn_ip_tcp - TCP/IP transmitted over Winsock. The client locates the server using DNS, a local hosts file, or a raw IP address, but not NetBIOS.
ncacn_spx - Novell SPX using the NetWare Bindery to locate the server. NetBIOS is not used.
ncacn_np - Named pipes. The client locates the server using a NetBIOS computer name, WINS, or LMHOSTS.
netbios - The default NetBIOS protocol.
ncacn_vns_spp - Banyan VINES.

And it recommends removing the bindings that you do not use, e.g. VINES, Novell, and so on.


7/13/2004

SpyWare


Kill ActiveX spyware before it loads
Download a .reg file to merge that sets the "kill bit" on known bad ActiveX spyware controls so they cannot load.
http://www.spywareguide.com/blockfile.php

See info at:
http://support.microsoft.com/support/kb/articles/q240/7/97.asp
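Before merging a .reg file from a third party it is worth checking what it actually changes. As an added example that is not the blog's or spywareguide.com's code, this Python audit lists the CLSIDs a .reg file kill-bits (Compatibility Flags with the 0x400 bit, as KB 240797 describes) and flags any key outside the ActiveX Compatibility branch, which a kill-bit file has no reason to touch. The .reg text and CLSIDs below are constructed placeholders.

```python
import re

KILL_BIT = 0x400  # Compatibility Flags bit that stops IE loading the control
ACTIVEX_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"

# Constructed .reg text: one kill-bitted CLSID, one with flags cleared, and a
# key that has nothing to do with ActiveX (placeholder path and CLSIDs).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000002}]
"Compatibility Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\placeholder\\tool.exe"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9a-fA-F]{8})$')
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}$")

def audit_block_file(text):
    """Return (killed_clsids, foreign_keys) for the .reg text."""
    killed, foreign, current = [], [], None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            # Anything outside the ActiveX Compatibility branch deserves a look.
            if not current.lower().startswith(ACTIVEX_KEY.lower() + "\\"):
                foreign.append(current)
            continue
        m = FLAGS_RE.match(line)
        if m and current and int(m.group(1), 16) & KILL_BIT:
            clsid = CLSID_RE.search(current)
            if clsid:
                killed.append(clsid.group(0))
    return killed, foreign

def kill_bit_entry(clsid):
    """Produce the .reg lines that set the kill bit for one CLSID."""
    return f'[{ACTIVEX_KEY}\\{clsid}]\n"Compatibility Flags"=dword:{KILL_BIT:08x}\n'
```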

VOIP::Video Conferencing::ISDN



AT&T IP Gateway Services is an interesting solution to provide bridging and gateway services to an IP video conferencing endpoint without being required to provide ISDN BRI service at the endpoint location. If you already have excess capacity on an AT&T internet T1/T3 connection you can use that to make the connection to the service. And there are no monthly recurring charges, only usage charges. Details: http://www.business.att.com/products/productdetails.jsp?productid=vgs

I plan to use an ISDN backup to this solution, which could also provide additional capacity to make one more call if we ever need it. This ISDN switcher can be used to share this between up to 4 endpoints (one at a time). http://www.covid.com/VConferencing/CVD5316.html

7/10/2004

More DNS



From: MyITForum

Have you pinged a machine before by name, got a reply, but when you attempt to connect to it, you connect to a different machine name or cannot connect at all? If you shook your head in agreement, nodded, mumbled something about this happening to you, then this article may shed some light.

Windows 2003::DNS


Interesting contribution to MyITForum:

FEATURED ARTICLE:
---------------------------------------------------------------------
Windows Server 2003: The EDNS0 enigma
by Marcus Oh, Contributor myITforum.com

During a migration to Windows Server 2003, we upgraded our root
domain name server (DNS). Although everything appeared fine, we
started receiving complaints about getting to certain sites. Areas of
Yahoo, such as mail.yahoo.com and finance.yahoo.com, seemed to be the
biggest issue. At first, it looked like Yahoo was unresponsive to
queries. However, we found host records to other sites were resolving
properly, but their MX records were not. This meant that e-mail was
not routing!

As a means of troubleshooting, we double-checked all our DNS
configurations. Everything looked fine. As a second step, we gathered
network traces to find out what was going on. The traces showed
packets leaving the root DNS server, destined for Yahoo, but showed
no replies returning.

The problem here is that Windows 2003 enables Extension Mechanisms
for DNS (EDNS0 as defined in RFC 2671), a standard introduced in
1999, by default. EDNS0 allows requestors to advertise their EDNS0
capabilities, hence receiving UDP packets larger than 512 bytes.

While this in itself is not problematic, some firewalls do not allow
UDP packets larger than 512 bytes. This explains why the network
traces showed nothing returning! Our DNS servers were sending out
packets advertising themselves as capable of EDNS0, and our firewalls
were dropping the responses. Turning off EDNS0 support allowed all
queries to work as expected.

If you're experiencing the same issue or planning an upgrade of your
own, this command will disable this enabled-by-default feature:

dnscmd ServerName /Config /EnableEDnsProbes 0


Good to know!
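As an added example that is not part of the article above: a small Python script that builds a DNS query carrying the EDNS0 OPT record (RFC 2671) and inspects a DNS message to report the UDP payload size it advertises, which is what tells the remote server it may answer with more than 512 bytes. The query name and the 4096-byte size are constructed values.

```python
import struct

def encode_name(name):
    """DNS wire-format name: length-prefixed labels, terminated by 0."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_query(qname, qtype=15, udp_size=4096, edns=True):
    """Query for qname (default type 15 = MX). With EDNS0 an OPT RR (type 41)
    goes in the additional section; its CLASS field carries the UDP size."""
    arcount = 1 if edns else 0
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, arcount)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, 0, 0) if edns else b""
    return header + question + opt

def skip_name(msg, off):
    """Advance past a (possibly compressed) name; return the next offset."""
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:          # two-byte compression pointer
            return off + 2
        off += ln + 1

def edns_udp_size(msg):
    """Advertised EDNS0 UDP payload size, or None if the message has no OPT RR."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4   # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == 41:
            return rclass
    return None

def exceeds_classic_limit(msg):
    """True when the advertised size invites replies above the 512-byte UDP
    limit that older firewalls enforce, the case the article describes."""
    size = edns_udp_size(msg)
    return size is not None and size > 512
```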

7/08/2004

WAN::Internet::Redundancy



Interesting load balancing product at http://www.firewalls.com/pc/viewPrd.asp?idcategory=42&idproduct=129

Cisco::Firewall::Redundancy



This poor guy at http://www.dslreports.com/forum/remark,10404384~mode=flat has my same problem.

I get no help from their recommendations. I've been down that thought process before and I still don't think I can NAT two separate IP subnets through PIX and get them routed out the correct default route that way.

Cisco::Firewall



For troubleshooting a PIX-to-PIX VPN:

show crypto isakmp sa


This has acted kind of squirrely lately.

Cisco::Router::Firewall::Routing Based on Source Address


With a hint from http://puck.nether.net/lists/cisco-nsp/9020.html
The setup for policy-based routing to accomplish this is something like:

! Match the source block 1.2.3.192/26; the ACL takes a wildcard mask,
! so 0.0.0.63 (the inverse of 255.255.255.192), not 64.0.0.0
access-list 1 permit 1.2.3.192 0.0.0.63
!
interface ethernet0/0
 ip policy route-map policy-map
!
route-map policy-map permit 10
 match ip address 1
 set ip next-hop 1.2.3.193


The Cisco docs are at: http://www.cisco.com/univercd/cc/td/doc/product/software/ios112/112cg_cr/5rbook/5riprout.htm#xtocid2198498

But this doesn't seem to work on the PIX firewall...

7/07/2004

Enterprise Instant Messaging


Client user demands "chat" features for our extranet for yet another ball and chain on their attorneys. I'm philosophically opposed. I spent some time researching security/etc.
MEMORANDUM
To: My Boss
From: DataComGuy
Re: Instant Messaging for Extranets

Public Instant Messaging Inadvisable
There are public instant messaging ("IM") systems, such as ICQ, MSN, Yahoo Messenger, and AOL Instant Messaging (AIM). These services provide a freeware client to users and integrate them using a public directory service to authenticate users and public chat servers to connect them. The use of public instant messaging systems from the corporate network presents many security concerns.
  • Privacy:
    Communications take place in clear text, unencrypted, over the internet. In many cases, even a chat session between two people inside the same corporate network at adjacent desks will pass outside the organization over the internet through a public server and back in.

  • Network Security:
    For public IM services to operate within a corporate network environment, best practices for firewall configuration would need to be ignored in order to allow network traffic to pass to and from the workstations running the IM client software. Many of these changes would impact the security of all the servers and users connected to the network. The few security features that are available with public IM systems rely on the users installing additional security software or making software configuration modifications on the IM client. This reduces network security to its weakest link: if a single person fails to follow security guidelines, the entire network is vulnerable.

  • Authentication:
    Public IM systems allow anyone to join their directory service. As a result there is no way to know for certain who you are communicating with. When directory security is breached there is also a great possibility of an increase in unsolicited commercial e-mail (SPAM). The IM client itself is another channel spammers use to pass unsolicited messages. Although public services may take precautions, methods have been found to send broadcasts of unsolicited commercial mail or other objectionable messages. In addition, the directory service itself can be compromised to obtain lists of e-mail addresses for sending "traditional" SPAM.

  • Virus Infection:
    Most public IM services allow the exchange of files, bypassing network-based virus protection. This substantially increases the risk of virus infection. In addition, it is likely that viruses will be developed that exploit instant messaging clients to propagate themselves and/or execute. Often IM client software includes scripting features which would facilitate the creation of malicious message content. Already many IM script worms have been identified, such as W32Aimven.worm, W32Aplore@mm, and W32Holar.A@mm.

  • Policy Enforcement:
    When IM is used, there is no way to enforce corporate policies about file downloads, virus scanning, or security settings for the entire organization. Chats cannot be monitored and logged to enforce policies regarding communications.


  • Enterprise Instant Messaging
    There are several products on the market in the category of Enterprise Instant Messaging. Many of these products have simply taken the same insecure public class products above and moved them inside a firewall. While this addresses network security concerns it also prevents communication with users outside the network.

    Other products are gateways that encrypt traffic to and from public services. Some might proxy these sessions to insulate user machines from direct communication with the internet and may prevent inbound chat attempts from all but approved senders. Some of these products may provide policy enforcement options to require users' IM clients to have their security features configured properly. This class of products doesn't address privacy concerns with the public directory service and trusts the outside directory service to authenticate users. Most of these products still present network security concerns because the users on the inside of the network are still connecting at a packet level with users outside the network.

    The most secure products in this category have directory service and other servers that are installed in a DMZ network that can be protected from the internet and require no direct communication between internet machines and machines on the inside network. IBM Lotus Quickplace is an example of a product that creates this type of DMZ environment. The best products also provide administrative control to enforce corporate policies by such things as preventing file transfers, logging communications, encrypting communications, and so on.

    IBM Lotus Sametime server is a good choice for enterprise instant messaging. Sametime integrates with our IBM Lotus Quickplace extranet servers which could allow chat features to be added to the meeting rooms in addition to other IM features.

Instant Messaging


Does anybody use Enterprise IM? How do you handle security, viruses, etc.? Does it integrate with AD or do you have to administer yet another directory?

Here's a product I ran across and don't have time to look at right now.
OmniPod