Please pay my updated
blog a visit for the most current stuff (25 Nov 2006).
Below is a potpourri of OnE (Odds & Ends) drawn from in-depth knowledge, field interactions,
exchanges and practical experience. Categories currently available (more to come ...):
[Security Windows] 20051029 Missing Network Drive
If you are still using the legacy (user-specific) method to map a user's home network folder, such as the
following, in an Active Directory 200x environment ...
... be aware that the "TCP/IP NetBIOS Helper" NT service must be started on the Windows client machine
("Server" NT Service can be set to manual) ...
... otherwise the mapped drive letter will mysteriously disappear (without any clues
as to where and why).
[Security WSUS] 20050820 A Question of Schedule
In a Group Policy Object (GPO) under Computer Configuration > Administrative Templates > Windows Components
> Windows Update, the "Configure Automatic Updates" option can be enabled as shown:
WSUS provides a new deadline option to override the client settings configured in a GPO.
Here, 25 Aug 2005 is a Friday:
The illustrations depict a date and time that are similar for both settings. Tests revealed that WSUS and the
Automatic Update (AU) client will be confused by settings which are essentially the same (at least
for that one day). The end result is that patches will not be rolled out at all, regardless of how long
a client waits for the approved patches. To fix this, change the deadline date and time to a future
schedule or fall back to "Use client settings to determine update installation time".
This remedial action may cause other strange phenomena to show. Certain Windows systems, in particular
Win 2000, will forever show either "Needed" or "Reboot required". This is despite the fact
that the patch has been successfully installed and the machine restarted automatically (with option 4 for automatic
updating). It is worthwhile to mention that the latest Windows Installer and BITS + WinHTTP combo were
previously installed on these systems.
If the administrator immediately runs a check against update.microsoft.com,
the affected patch is not offered, indicating that it is not needed (already installed). Add/Remove Programs
verifies this as well.
As a result of these checks, the odd reports can be safely ignored. Nevertheless,
change management logs should be updated to avoid future confusion about the status of affected
patches. Of course the best way is to avoid setting the schedules (within GPO and
WSUS) to collide in the first place. A bug perhaps, or just an undocumented feature?
[Security WSUS] 20050815 Win Installer 3.1 (v2), BITS 2.0 + WinHTTP 5.1 and WSUS
Windows machines (Win 200x, XP) configured as WSUS clients (using the Automatic Update service) will be
flagged as requiring the following to be installed ...
... failing which patch updates may not work properly or efficiently.
Note that Windows Installer 3.1 is already included with Win Server 2003 SP1.
[Security AD] 20050721 Security Active Directory - Server Operators Group Limitations
From KB 125782:
If you want the pseudo-administrators to have limited administrative capabilities on the domain
servers, add them to the Server Operators group on a server in the domain. This allows them to shut
down the server, share and stop sharing directories, and backup and restore files. It
does not allow them to change any user attributes, add drivers, or take ownership of files.
In an Active Directory 200x domain environment, there are several administrative tasks that a member of
the 'Server Operators' security principal cannot perform using native MS tools on a local
(branch office) Domain Controller.
Most are not immediately obvious or documented by MS. A few are listed below:
- System State cannot be backed up using the Backup applet (option not available)
- 'Access Denied' - chkdsk, Security Event Log, Disk Management, Disk Defragmenter, AT Scheduler*
- security patch management e.g.
- read-only access to NTFS file structure (i.e. cannot adjust file / folder permissions)
- no RDP remote access or log on locally rights to Domain Controllers (default setup)
Organizations that have a common, single AD domain supported by multiple Domain Controllers
in different branch offices and operated by diverse local IT (non-AD) teams will be affected the
Technically speaking, there is no local Administrator account residing on a Win 200x
based Domain Controller (DC) running Active Directory. To be able to conduct operational
tasks, including some listed previously, administrative rights / permissions need to be
assigned. The only way to enable this on a DC is to include accounts (from different IT
teams) in the 'Domain Admins' security group.
If permitted, a huge security risk is introduced immediately. Such accounts will
have automatic and transparent access to other (non-local) DCs located elsewhere within the
enterprise, straight away breaking the "segregation of duties" security model. It also goes
against the best practice of limiting the number of trusted accounts maintained
in the highly sensitive 'Domain Admins' security group. How can control be guaranteed under
such circumstances? Sarbanes-Oxley, HIPAA, Basel II, etc. - anyone?
Should a locally applied security patch on a DC introduce replication errors, this will
propagate throughout the AD replication domain. "Roles & Responsibilities" will be in conflict
since the cause may not be easily identified, leading to inconsistent and non-standard
implementations, particularly when no formal process exists describing how such tasks
(and incidents) should be managed. Who should then assume the task of problem resolution?
Time will invariably be wasted on cleaning-up and fixing an incident which could be easily
prevented in the first place!
Having a dedicated AD team responsible for the global AD service is one possible approach.
This can help prevent most of the issues discussed, while maintaining standards, compliance and
adherence to industry best practices, supported by a framework of well-defined policies, processes and
clearly defined roles and responsibilities. Otherwise, IT management is the only body that
ultimately must bear all risks and consequences if security is allowed to lapse through mere oversight
or pure ignorance.
Today, AD is already a key pillar in many organizations' core infrastructure worldwide and therefore
should never be taken lightly.
* workaround described in Win 2000 Resource Kits
"Allow server operators to schedule tasks (domain controllers only)".
[Security Windows] 20050718 Microsoft Malicious Software Removal Tool - Availability and Supported Platforms
This free MS tool is updated on the second Tuesday of each month at the same time as
"Patch Tuesday" for MS security bulletins. Even if the latter has no updates,
MS may still update the tool with new detection signatures and cleaning instructions.
It offers a one-stop shop approach to detect and fix a potentially infected
machine. This is based on a predefined list according to prevalence and threat
levels as established by MS.
The tool can be run by a user with local machine administrative rights
(prerequisites: IE and ActiveX), as part of XP's Automatic Update process or
(KB890830). Results of the scan are logged in %windir%\debug\mrt.log.
The tool runs only on Win Server 2003, XP and 2000. Legacy platforms
such as NT 4.0, Windows ME and 9x are not supported. Note that
the current version does not support remote scanning.
Unfortunately, corporations that deploy Software Update Services (SUS) or
the newer Windows Software Update Services (WSUS) will not be able to
use them to roll out the tool either. Nevertheless, MS SMS (Systems Management
Server) or an Active Directory Group Policy logon script are two options available
for using this tool to perform automatic regular scans on the network.
[Virtual PC 2004] 20050716 "Hang" after Resume from Hibernation
describes a PSS supported hotfix that addresses this issue, which can
manifest itself easily if Virtual Machines (VM) are still running when the
host machine hibernates and then resumes. Symptoms include an unresponsive mouse
and keyboard. To avoid this from happening, ensure a constant power
supply feed is always available or disable hibernation altogether.
[MOM2005 OnE] 20050622 SQL Server 2000 + SP4 = MOM 2005 not happy
MOM 2005 can be configured with SQL Server 2000 as the database repository, where the
latter must be installed with SP3a or above (according to the documentation). If SP4
is used, MOM 2005 will refuse to start the installation process, stating that the "Failure"
is caused by SQL Server 2000 (SP4). One workaround is to uninstall SP4 and install SP3a instead.
[VirtualPC OnE] 20050501 Virtual PC 2004 Slow Startup or Sign-in (all MOC courses)
If waiting for minutes (or even hours) to get to the sign-in page (Ctrl-Alt-Del)
keeps happening, changing the network properties of each virtual machine
to NAT prior to starting will speed things up tremendously.
[SharePoint OnE] 20050420 Windows SharePoint Services (SPS) 2.0 Download
SPS is a free, separate
(STSV2.exe) for installation on W2k3. Installation considerations include NTFS partition,
Web server (IIS 6.0 worker process isolation mode), ASP.NET, WMSDE or SQL Server 2000, etc.
Some guidebooks may not provide installation instructions. To get started, look
for "Windows SharePoint Services Administrator's Guide" on the
SPS home page.
To specify a destination folder for installation, click Cancel after STSV2.EXE extraction
completes and setup has just started. Use the syntax:
"%ProgramFiles%\STS2Setup_1033\setupsts.exe" /datadir="D:\program files\STS2Setup_1033\"
(where D: = target drive, 1033 = US English, the last backslash \ is important)
[Security Windows] 20050415 Win Server 2003 SP1 Application Compatibility List
for potential application compatibility issues with
W2k3 SP1. An example list includes Exchange 2003, Citrix XPe FR3,
VMWare GSX Server, ISA 2004, Oracle, SAP, Compaq Insight Manager, etc.
[Security Windows] 20050412 Win XP SP2 "D-day"
Beginning on this date, MS will push out SP2 if Win XP is still not
up to this SP level, regardless of the registry fix MS provided previously.
For corporate environments using Active Directory Group Policy and Software
Update Services (SUS), rollout can be tightly controlled until the organization
is ready. Home/SOHO users can regain control by disabling "Automatic Update"
(not recommended) or setting it to "Notify me before update and notify before
installation". Download and/or installation can then be personally scrutinized
via the Custom install (not Typical) option.
[Security Windows] 20050401 Win Server 2003 SP1: Security Configuration Wizard (SCW)
SCW is not installed by default after successful installation of W2k3 SP1. Use the
desktop link provided or Add/Remove Programs > Windows Components to install.
[Windows OnE] 20050331 Win Server 2003 SP1: Missing Windows Explorer Status Bar
After installing W2k3 SP1, the status bar in Windows Explorer will disappear
if it was turned on previously. Manually setting it again will fix the issue.
[Windows Scripting] 20040830 OS Language code
[HKLM\SYSTEM\CurrentControlSet\Control\Nls\Language] is one reliable way to
check for the (4-digit) language ID or code installed on a Windows platform
(Win 2000 and above). See
KB 246664 for more information.
Value name and data: "Default" = 040c (France French), 0409 (US English), 0407 (Germany German), etc.
Value name and data: "InstallLanguage" = same or different as "Default"
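As an added example (not from the original page), this script reads the two values above from an exported copy of the Nls\Language key and decodes each 4-digit code into its Windows primary-language and sublanguage parts (low 10 bits and high 6 bits of the LANGID), so that a "Default" / "InstallLanguage" mismatch is reported rather than eyeballed. The .reg text is constructed; the language tables cover only the three codes the note lists and a few of their variants.

```python
# Added example: decode Nls\Language values from an exported .reg file.
# A real export comes from:
#   reg export "HKLM\SYSTEM\CurrentControlSet\Control\Nls\Language" nls.reg
# The SAMPLE_REG text below is constructed for illustration.
import re

# Primary language IDs (low 10 bits of a Windows LANGID); small subset.
PRIMARY = {0x07: "German", 0x09: "English", 0x0C: "French"}

# Sublanguage IDs (high 6 bits), keyed by (primary, sublanguage); small subset.
SUBLANG = {(0x09, 0x01): "United States", (0x09, 0x02): "United Kingdom",
           (0x0C, 0x01): "France", (0x0C, 0x02): "Belgium", (0x0C, 0x03): "Canada",
           (0x07, 0x01): "Germany", (0x07, 0x02): "Switzerland", (0x07, 0x03): "Austria"}

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Language]
"Default"="0409"
"InstallLanguage"="0407"
'''


def decode_langid(code):
    """Split a 4-hex-digit LANGID such as '040c' into (primary, sublanguage).

    Layout (Win32 MAKELANGID): bits 0-9 primary language, bits 10-15 sublanguage.
    """
    if not re.fullmatch(r"[0-9a-fA-F]{4}", code):
        raise ValueError("LANGID must be exactly 4 hex digits: %r" % code)
    value = int(code, 16)
    primary, sub = value & 0x3FF, value >> 10
    return (PRIMARY.get(primary, "primary 0x%02x" % primary),
            SUBLANG.get((primary, sub), "sublang 0x%02x" % sub))


def parse_nls_language(reg_text):
    """Return {value name: data} for the Nls\\Language key of a .reg export."""
    values, in_key = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            # Only collect values from the key we care about.
            in_key = line.lower().endswith(r"\control\nls\language]")
        elif in_key:
            m = re.fullmatch(r'"([^"]+)"="([^"]*)"', line)
            if m:
                values[m.group(1)] = m.group(2)
    return values


def language_report(reg_text):
    """Decode Default and InstallLanguage and flag when they differ."""
    values = parse_nls_language(reg_text)
    default, install = values.get("Default"), values.get("InstallLanguage")
    if default is None or install is None:
        raise KeyError("Default/InstallLanguage missing; wrong key exported?")
    return {"default": decode_langid(default),
            "install": decode_langid(install),
            "mismatch": default.lower() != install.lower()}


if __name__ == "__main__":
    print(language_report(SAMPLE_REG))
```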
[Security Windows] 20040618 Delegated permissions are not available and
inheritance is automatically disabled
Installation of SP4 or hotfix
on Win 2000 will cause previously delegated permissions on an OU to be removed
silently. Win Server 2003 is also affected.
See KB 817433
for more info.
[Security ISA] 20030424 ISA Server 2000 on Win Server 2003
ISA Server 2000 SP1 and "Required Updates for Windows Server 2003" must be
applied in order to run properly on Win Server 2003 (except Web Edition).
[Bug Sygate] 20050827 SSA 4.1 Does Not Download IDS/IPS from SSE 3.x
IDS/IPS signatures updated on an SSE 3.5 backend will not be automatically downloaded
by SSA 4.1 clients, a known bug acknowledged by Enterprise Support. Manually replacing
sdi.dat and trojan.dat is one way to resolve this issue. Contact Enterprise Support
for other possible workarounds.
[Security Sygate] 20050716 Multiple or Duplicate Entities in SMS Machine Groups (SSE 3.x/4.x)
As early as Apr 2005, Sygate Enterprise Support was aware of a strange problem
affecting SSE 3.x. SMS machine groups may be populated with machines that
are not designated for a particular group. In several cases, a machine can
appear more than once in the same (but wrong) SMS machine group, all indicating
a "live" connection with the green dot indicator. Even if these 'stray' machines
are manually moved back to the correct groups, the problem can recur
at random on the same or different machines.
Enterprise Support only recently acknowledged other identical cases which affect
SSE 4.x as well. Accordingly, a fix is provided in SSE 4.1 MR1 but a patch may not
be available separately. Contact Enterprise Support for more information.
[Security Sygate] 20050711 Handling IDS/IPS Library Updates (SSE 3.x/4.x)
Sygate Management Server does not have a built-in roll-back feature to
manage IDS/IPS signatures. This means that if the new IDS/IPS library causes any
issues, the only remedy is to re-import a previously backed-up, working copy of
the database. Alternatively, the new signatures can be selectively disabled
to help mitigate the situation. Contact Enterprise Support for the import / export scripts.
[Security Sygate] 20050522 SSA Crashes under Extremely Low Disk Space Conditions
SSA will attempt to continue logging (syslog.log, seclog.log, etc., depending on settings)
even if free disk space is critically low, eventually crashing and leaving the OS unstable.
Some symptoms: smc.exe may appear to be active (Task Manager); the SSA icon in the system tray
has disappeared (you may need to move the mouse pointer over it); the Services applet indicates that the 'Sygate Security Agent' service
is started. The crash of smc.exe is captured in the Event Log.
If "Policies > Advanced Settings > Block All Traffic While Agent is not running" in SMS is
not enabled, the machine is fully exposed and vulnerable to attacks.
A personal firewall is a vital defense component in today's highly interconnected world. It should
continue to function and not simply crash (poor design), perhaps temporarily halting logging under such
critical conditions (and resuming when conditions improve), while still protecting the machine.
Enterprise Support acknowledged that this is an issue (potentially affecting all SSA versions).
A feature request has been filed. However, whether this will make it to the next major SMS release
(coming real soon) or SSA rebuilds is still an open question.
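As an added example (not from the original page or Sygate's code), the following log writer shows the behaviour argued for above: it suspends logging while free disk space is critically low, resumes when space returns, leaves a marker for the gap, and never raises into the protecting process. The free-space probe is injected so the logic can be exercised without a real disk; the 30 MB threshold is the figure quoted in the Norton note further down and is a constructed default here. The same pattern applies to that Norton low-disk case.

```python
# Added example: a low-disk-aware log writer that pauses instead of crashing.
# Thresholds, file name and the free-space sequence in demo() are constructed.
import os
import shutil

MB = 1024 * 1024


class LowDiskSafeLogger:
    def __init__(self, path, free_space_probe=None, sink=None, min_free_bytes=30 * MB):
        self.path = path
        self.min_free = min_free_bytes
        # Default probe: real free bytes on the volume holding `path`.
        self._probe = free_space_probe or (
            lambda: shutil.disk_usage(os.path.dirname(os.path.abspath(path))).free)
        self._sink = sink         # optional in-memory list instead of a file
        self.suspended = False
        self.dropped = 0          # records suppressed while suspended
        self.events = []          # state transitions for the operator to review

    def write(self, record):
        """Append one record; True if written, False if suppressed.

        Never raises: a logging failure must not take the agent down.
        """
        try:
            free = self._probe()
        except OSError:
            free = 0              # cannot tell; treat as critical
        if free < self.min_free:
            if not self.suspended:
                self.suspended = True
                self.events.append("suspended")
            self.dropped += 1
            return False
        if self.suspended:
            # Space is back: explain the gap in the log before continuing.
            self.suspended = False
            self.events.append("resumed after dropping %d records" % self.dropped)
            record = "[%d records dropped under low disk space] %s" % (self.dropped, record)
            self.dropped = 0
        try:
            if self._sink is not None:
                self._sink.append(record)
            else:
                with open(self.path, "a", encoding="utf-8") as fh:
                    fh.write(record + "\n")
            return True
        except OSError:
            return False


def demo():
    """Drive the logger through a constructed free-space sequence (bytes)."""
    sequence = iter([100 * MB, 40 * MB, 10 * MB, 5 * MB, 50 * MB, 80 * MB])
    sink = []
    log = LowDiskSafeLogger("agent.log", free_space_probe=lambda: next(sequence), sink=sink)
    results = [log.write("event %d" % i) for i in range(6)]
    return results, sink, log.events


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```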
[Security Sygate] SSA 4.x and SSE 5.x (SSE 2005)
Sources revealed that present SSA versions (4.x and 3.x) are not expected to be compatible
with the next generation of SSE products. Server (SSE 3.x/4.x) and client upgrades are foreseen.
[Security Sygate] 20050415 Win Server 2003 SP1 Compatibility (SSE 4.x)
SSE 4.1 and agents have not yet undergone full QA qualification on W2k3 SP1.
No known field problems have been reported.
[Security Alert] 20050411 Sygate Denial of Service (DoS) (SSE 3.x/4.x)
Sygate Security Enterprise (SSE) Denial of Service on the
Sygate Security Agent (SSA) versions 3.5, 4.0 and 4.1 in "Server Control" or
"Power User" modes. Turn on password protection for SSA export/import function
in these modes (not default). Alternatively, upgrade to SSA 3.5 b2580, SSA 4.0 b2715
or SSA 4.1 b2827. More info available
[Security Sygate] 20050411 Sygate SSA 4.1 and Win XP SP2 Security Center (SSE 4.x)
SSA 4.1 b2824 is the first build of SSA that is properly recognized by the security
center console (SC) in Win XP SP2. SC does not display any details of the monitored
services (firewall, automatic updates, anti-virus) in an Active Directory environment,
particularly when Windows Firewall is already configured via Group Policy.
[Security Sygate] 20050207 Sygate SSE 4.1 GA available
Announced is the general availability of SSE 4.1 for both Windows and
Solaris platforms. See the accompanying release notes for feature descriptions.
SSE 4.0 to 4.1 direct upgrade is supported but 3.x users need to migrate to
interim version(s) first. For more information, contact Sygate Enterprise Support.
[Security Sygate] 20040915 NetBIOS Protection (SSE 3.x/4.x)
This feature only works against hosts outside of the local subnet hence is not
a reliable means to protect mobile hosts in remote locations. Separate rules
targeting NetBIOS in different Sygate "locations" are essential.
[Security Sygate] 20040910 Advanced Settings vis-à-vis Locations (SSE 3.x/4.x)
Advanced Settings such as "NetBIOS Protection", "Enable anti-IP spoofing"
and "Enable portscan detection" can only be configured per Sygate Management
Server (SMS) Group level. A Sygate "location" is controlled by such global
settings in SSE 3.x and 4.x. More flexible and granular control (i.e. advanced
settings at a "location") is expected to be included in SSE 5.x (SSE 2005).
[Security Sygate] 20040830 Non Server-controlled SSA DNS domain Rule support (SSE 3.x/4.x)
SSA in power-user or client-control mode does not have an option to define
a rule based on a DNS domain (e.g. blacklist-dns.com), although this feature is
configurable on SMS (in server-controlled mode).
[Security Sygate] 20040825 Toggle Windows Firewall in SSA 4.x (SSE 3.x/4.x)
SSE 4.x agents (SSA 4.x builds 2634 retail or higher) already support
Win XP SP2. With SSA b2710 and above, it is possible to control the on/off
state of the built-in Windows Firewall when smc.exe starts. In setaid.ini,
ensure that "DisableWinXPFirewall=1" under "[CUSTOM_SMC_CONFIG]" is set prior
to installation or upgrade. Alternatively, create a key
"HKLM\Software\Sygate Technologies, Inc.\Sygate Personal Firewall", type DWORD,
"DisableWinXPFirewall" with a value of 1. Reference Sygate TechNote 081604NHCO-01.
[Security Sygate] 20040820 SSA 4.x and SSE 3.x (SSE 3.x/4.x)
Any SSA 4.x can be used against an SSE 3.x backend. New features such
as 802.1X (in SSA 4.1) will not be recognized by the older SSE however.
[Security Sygate] 20040820 LAN Enforcer Host Remediation (SSE 3.x/4.x)
SSE through 4.x has canned and basic functionality in the area of
extending checks against Windows hosts. English is the only supported
language, and core components such as Service Pack levels and Internet
Explorer (and its variants) cannot be easily verified, resulting in
the wrong patch being pushed out for Host Integrity / Remediation, potentially
leading to system crashes or instability. User definable enhanced Boolean logic
(AND, OR, NOT) may appear in SSE 5.x (SSE 2005) to address such serious
[Security Sygate] 20040818 Windows Script Host (WSH) has terminated (SSE 3.x/4.x)
Host Integrity / LAN Enforcer component is dependent on WSH to function
properly, which in turn relies on the Visual Basic and Java Script provided
in Internet Explorer. (Re)installation of WSH may be necessary to resolve
problems associated with this Sygate functionality (WSH
[Bug Sygate] 20040714 Fail to contact server for more than 10 times (SSE 3.x/4.x)
This error will prevent SSA from contacting SSE, leaving SSE unable
to propagate new or updated profiles even though SSA still checks back at
the predefined heartbeat intervals. There is no built-in option to push changes
from SSE (to SSA), nor any notification of clients left in this dangerous state for an
extended period of time [Note: SSE 2005 may fix this]. A machine reboot typically
will bring SSA out of this zombie or hung state.
This phenomenon is due to a very insidious and difficult to track bug. SSA does
not accurately interpret values "RefreshSeconds" and "TimeoutSeconds" in
sylink.xml above the default of 60. This should be fixed in later SSA builds such
as 4.1 b2827. Contact Sygate Enterprise Support for more info.
[Bug Sygate] 20040708 No Wildcards support in Rulesets (SSE 3.x/4.x)
The "?" and "*" characters are useful when a pattern check needs to be
enforced. Although they are perfectly legal and actually accepted within a
Sygate ruleset, the underlying SMS engine does not interpret this correctly.
The end result may cause unexpected problems, including blocking of smc.exe (SSA)
and all network traffic (fail close). Check with Sygate Enterprise Support for status.
[Security Sygate] 20040702 IDS/IPS Global Setting - False Positives (SSE 3.x/4.x)
A global setting, IDS/IPS is an all-or-nothing configuration for the entire
SSE 3.x/4.x infrastructure. This can lead to severe false positives especially
when one relies on the factory default setting of automatic download (and
application) of IPS signatures, since there is no means of administrative
control to conduct testing at SMS Group level for instance. Expect this to
change in SSE 5.x (SSE 2005).
[Security Sygate] 20040604 No Location-based Rulesets (SSE 3.x/4.x)
If rule X is originally defined in location "Office" and is needed in
"LAN", the rule must be manually copied to the target. No global Sygate
"location" can be defined to allow inheritance (and customization) to
take effect like other functional areas within SSE. This may be fixed in
SSE 5.x (SSE 2005).
[VMWare Workstation] 20050721 VMWare Workstation 5 - Snapshot Feature Unavailable
Pre-VMWare Workstation 5 images must first be powered off and cannot contain any snapshots,
to avoid problems with the missing Snapshot features (sub menus dimmed). This is essential to
support the new Cloning function. If the GUI does not provide any visible means to gain access,
delete or rename the files vmname.vmx.sav, vmname.vmsd and nvram.sav. Any previous snapshots
will be discarded and lost though.
Next, upgrade the virtual machine via VM > Upgrade Virtual Machine (caution: one way street!).
The Snapshot features will then be fully accessible again. To complete the VM upgrade, power-on
the virtual machine then VM > Install VM Tools (restart required).
Always remember to make a backup copy of VMs prior to performing any upgrade.
[Security NAV] 20050531 Norton Anti-Virus Erratic Behavior under Low
If the drive where Norton Anti-Virus is installed is critically low on disk space
(the threshold appears to hover around 30 MB), "Auto-Protect" may not be enabled even
if the GUI indicates otherwise. If the Sygate Host Integrity check is enabled, it
will typically enter the fail state. Furthermore, if "Auto-Location Switching" to a
quarantine location is enabled, the rules may prevent legitimate connections from
[Security Shavlik] 20050418 HFNetChkPro 5.x
HFNetChkPro 5.x will prompt to uninstall older versions if found on the same
computer. Configuration will be preserved though. Among other things, setup
requirements include MDAC 2.8, MSJET 4 SP6, MSXML 4 and the .NET Framework 1.1
or later. A functioning internet connection is needed to activate your purchased
copy of the product.
[Security Alert] 20050417 Firefox 1.0.3 released
(fixes a host of recently discovered security
[Security Shavlik] 20050415 HFNetChkPro 4.3.x "httpdnl - No available validations"
HFNetChkPro 4.3.x may lose its registration information after W2k3 SP1 is
applied on an existing installation. Attempts to reregister online will result
in this error message. Contact Shavlik support for a fix.
[Security Shavlik] 20050408 HFNetChkPro 5.0.1
Official support for W2k3 SP1 is announced with this HFNetChkPro
version per Shavlik newsletter. Check with Shavlik for details.
[Security Symantec] 20040808 Symantec Anti-virus LiveUpdate for non-Administrators
To allow a non-administrator on a Windows machine configured as a managed NAV client to
update AV signatures, the following is needed:
Windows Registry Editor Version 5.00