2004-06-29

CERT RECOMMENDATION: Management of the Security Function

CERT uses the term "governing" instead of management, and I thought the list noted below provides an excellent representation of what's involved in managing the security function within an organization.

CERT: Governing for Enterprise Security
http://www.cert.org/features/green/govern_ent_sec.html

The following are elements of governance, described with respect to their role in governing for enterprise security:

  • Awareness and understanding - Governing boards and senior executives are aware of and understand the criticality of governing for enterprise security:
  • Protection of shareholder (or equivalent) value: They understand what actions are necessary to protect shareholder/stakeholder value with respect to enterprise security (such as protecting reputation and brand, and protecting customer privacy).
  • Customer satisfaction: They understand what enterprise security actions are necessary to retain current customers and attract new customers (such as sustained marketplace confidence in comparison to competitors).
  • Strategies and plans - Strategies and plans for enterprise security demonstrate how they support business objectives.
  • Investments: Investments in enterprise security are aligned with and allocated so as to meet strategies and plans, taking risks into account (see risk management). Costs are optimized.
  • Reporting: Status against plans is regularly reported, up to the Board. Performance against measures is monitored. Corrective action is taken when necessary.
  • Policies - Policies, standards, guidelines, procedures, and measures for enterprise security exist and are regularly reviewed and enforced.
  • Responsibilities - Responsibility and corresponding accountability and authority for enterprise security are clearly defined.
  • Controls - Internal security controls are defined to effectively protect assets. Assets may include information, hardware, software, processes, services, physical facilities, knowledge, and people.
  • Risk management - Risks to critical assets are identified and managed consistent with the enterprise's tolerance for risk. Asset protection investments are made commensurate with liability risks. The enterprise understands its liability and exposure when connected to the Internet, and takes necessary due diligence actions to minimize liability risk and exposure.
  • Oversight - The enterprise is regularly evaluated and audited to ensure an acceptable level of compliance to requirements, both internal and external, for example, regulations, standards, audit criteria, market sector requirements, and security requirements and objectives.
  • Public disclosure - The enterprise is open to public disclosure of its security state, where such disclosure is required.
[Via A .Text Community]

Microsoft Announces new Express Products!!

In the TechEd Europe keynote today we officially announced the new Express products that are available to download right now:

  • Visual Basic 2005 Express Edition (download)
  • Visual C# 2005 Express Edition (download)
  • Visual C++ 2005 Express Edition (download)
  • Visual J# 2005 Express Edition (download)
  • Visual Web Developer 2005 Express Edition (download)
  • SQL Server 2005 Express Edition (download) – Note, SQL Express is included as an optional component in the installers of the other Express products.

As I had blogged before, you finally get to see the big picture of everything we're offering in Visual Studio 2005. On the high end, we're adding new tools and support for enterprise developers, testers, architects, and team collaboration through Visual Studio Team System and Team Foundation. On the low end, we're adding new tools for students and non-professional developers through five new developer tools and a lightweight, entry-level database.

There are a couple of challenges for beginning developers and people evaluating our developer tools. One is the lack of tools focused for entry-level programmers. Visual Studio .NET is a very powerful tool, but beginning programmers or developers who just program on the side can get lost in the complexity. So we decided to build tools, documentation, and Starter Kits with the beginning programmer in mind.

Another challenge is the barrier to evaluate Visual Studio. Downloading Express is a matter of minutes, not hours; in fact, the C# IDE alone weighs in around 24MB and with a 20MB framework, the install is only about 54MB. That's a huge reduction from the 3GB of a full VS install :)

  • We want to hear from you: I'm consolidating comments and will pass them on internally, so please let us know what you think!
  • What do you think about Express?
  • Is this a good idea? Would you recommend Express to friends interested in starting to program?
  • What are your favorite features of Express?
  • What features do you think are missing from Express?

[Via Microsoft WebBlogs]

Gates says Microsoft cutting virus combat time

Microsoft Corp. is cutting the time it takes to blitz viruses but needs personal computer users to turn on their auto-updating features to help it combat potentially dangerous attacks, Bill Gates said today.
[Via Computerworld Security News] Computer security experts said a virus designed to steal financial data and passwords from Web users rippled across the Internet on Friday, exploiting a vulnerability in servers using Microsoft's IIS software. Known as the "Scob" outbreak, the attack has been termed more dangerous than the recent "Sasser" and "Blaster" infections. "We will guarantee that the average time to fix will continue to come down," said Gates, the software giant's chairman, who was in Australia for a charity launch. "The thing we have to do is not only get these patches done very quickly ... we also have to convince people to turn on auto-update." The Microsoft Windows auto-update feature, which is not turned on by default, allows security and other software to be updated and installed automatically. Gates also said Microsoft would revamp its Internet search site in July with a new search engine, using its dominant industry position to take market share from Google Inc.

SoftGrid Enterprise Edition

Softricity announced today SoftGrid Enterprise Edition, an application management platform that uses virtualization technology to transform large organizations into utility computing environments. Designed for large-scale, geographically dispersed IT environments, SoftGrid Enterprise will enable customers like Northeastern University to manage applications with minimal IT support, ensure immediate access to all applications in case of disasters, and provide applications to end-users in real-time regardless of their location

SoftGrid's Application Portability supports the deployment of virtualized applications via CD or data keys instead of network delivery.

More information at the softricity website...
[Via Thincomputing.net] The Starter Kit costs $15,000, and licensing is per concurrent user. The description made me very curious, but I may never see even a demo of it in my life.

Can your firewall thwart today's threats?

Two Avanade consultants outline ways to get maximum protection from your perimeter defenses.
[Via Computerworld Security News] To deal with modern security issues requires questioning conventional wisdom and the best practices that haven't helped us very much. We tell customers to ask themselves if their firewall: Provides deep analysis for the HTTP protocol? Analyzes data originated by HTTPS? Analyzes XML? Restricts HTTP methods? Defeats tunneling applications, including peer-to-peer systems? Allows third parties to extend the firewall to implement countermeasures to emerging threats? Protects the data transports for business-critical messaging, through validation and protocol assurance? If the answer to any of these questions is "no," then it's unlikely the firewall will protect against today's threats.

Microsoft: Getting to Secure Enough

Opinion: Robert L. Mitchell says Windows XP Service Pack 2 is notable not just for what it does but also for showing how far Microsoft may be willing to go to improve the security of Windows.
[Via Computerworld Security News]

Missing Open Source Security Tools?

Kinetic writes "There are many great open source security tools out there, Nmap, Nessus, and DSniff, just to name a few. However, with the world of security ...
[Via Slashdot] What I'm missing is a good bandwidth management tool.

Hosting an Enterprise Financial Forecasting Application with Terminal Server

PUBLISHED June 2003. Discussion of how Microsoft uses the Terminal Server component on five computers running Windows Server 2003 to centrally host a financial forecasting application for up to 2,700 users worldwide.
[Via Microsoft Download Center] Although the scale is large, the method is the same.

2004-06-27

The Thin-Client Challenge: Citrix vs. Microsoft

In June, Tarantella began shipping its New Moon Canaveral iQ v2.0 software, which is optimized for the Windows Server 2003 platform. [LinuxInsider]

2004-06-26

IETF Releases Anti-Spam Sender ID Internet Draft Specification

The IETF has released a revised version of the Internet Draft MTA Authentication Records in DNS from the MARID Working Group, now called the 'Sender ID' specification.

Jointly authored by Jim Lyon (Microsoft) and Meng Weng Wong (Pobox.com), the Sender ID draft represents a merger of the Sender Policy Framework (SPF) specification and Microsoft's Caller ID for E-mail proposal. The authors "hope to simplify industry adoption of effective e-mail authentication technology, thereby helping more swiftly provide greater spam protection to e-mail users worldwide."

Meng Weng Wong has authored a separate informational I-D Behind The Curtain: An Apology for Sender ID. It explains that "Sender ID follows from a set of design decisions; those decisions were motivated by philosophical, engineering, and political considerations. The document reviews some of the important choices that distinguish Sender ID from alternative possibilities in the same space."

http://xml.coverpages.org/ni2004-06-25-a.html

[Via A .Text Community]

IEEE Approves 802.11i ...sufficient security for wireless connections

Dozix007 writes "IEEE has approved a new wireless security protocol dubbed 802.11i, intended to finally provide sufficient security for wireless connections ...
[Via Slashdot]

InfoWorld notices that Microsoft's security record is improving

InfoWorld: Windows Server 2003 vanishes from vulnerability list.

"Has Microsoft finally turned the corner on security? So I called up Microsoft to ask the question; their public relations agency eventually tracked down Michael Howard, senior program manager of Microsoft's security business and technology unit. I asked him if the company has finally managed to get security right. "Yeah," said Howard.

[Via Scobleizer: Microsoft Geek Blogger]

Maximum Security: A Hacker's Guide to Protecting Your Internet Site and Network

The greater majority of security breaches stem from human error. (That is because crackers with limited knowledge can easily cut deep into systems that are erroneously configured. On more carefully configured networks, 90 percent of these self-proclaimed "super crackers" couldn't get the time of day from their target.) These human errors generally occur from lack of experience. The techniques to protect an Internet server have not significantly changed over the past few years. If a system administrator or security administrator fails to catch this or that hole, he needs to bone up on his advisories. The author now lives quietly in southern California with a Sun SPARCStation, an IBM RS/6000, two Pentiums, a Macintosh, various remnants of a MicroVAX, and his wife. Author: Mark Taber

2004-06-25

AOL Employee Sells 93 Million Email Addresses

An AOL engineer was arrested this week and charged with selling over 93 million AOL email addresses to spammers. The 24-year-old employee was arrested at his home in West Virginia on Wednesday, while a compatriot, who brokered the email addresses to
[Via Windows & .NET Magazine - Windows & .NET Magazine]

How Microsoft Develops Its Software

crem_d_genes writes "David Gristwood has a post on his blog that notes '21 Rules of Thumb - How Microsoft Develops Its Software', on which he will elaborate at ...
[Via Slashdot] The material mentioned in the title is here: How Microsoft Develops Its Software

2004-06-24

UPHClean v1.5e - User Profile Hive Cleanup Service

UPHclean is a service to help with slow log off and unreconciled profile problems.

On Windows 2000 the service deals with application event log event 1000 from source Userenv where the message indicates that the profile is not unloading and the error is "Access is denied". On Windows XP and Windows 2003 the equivalent events are 1517 and 1524 from source Userenv.

To accomplish this the service monitors for logged off users that still have hives loaded. When that happens the service determines which applications have handles opened to the hives and releases them. It logs the application name and what registry keys [more ...]
[Via Thincomputing.net]

MS plans to offer own anti-virus software | Technology News Article | Reuters.com

SEATTLE (Reuters) - Microsoft Corp. plans to offer its own anti-virus software and has a major security update to Windows in the works. Now some investors are speculating that the world's largest software maker could be planning an even bolder move by acquiring a major software security maker.

Xgrid Agent for Unix

mac-diddy writes "Someone on Apple's mailing list for Xgrid, Apple's clustering software, just announced an 'Xgrid agent for Linux and other Unix platforms' ...
[Via Slashdot] It would be nice to have a "home" grid server and grid agent with open source code.

2004-06-23

Apple remote controls Windows

Apple Computer announced on Monday network management software that will help administrators remotely control systems running Mac OS X--or the Windows or Linux operating systems. Apple ware remotely controls Mac, Linux, Windows | CNET News.com
[Via servergeek.net] I'm waiting for its counterpart.

Bob Dylan to Be Honored by Scottish University (Reuters)

Reuters - Iconic folk-rock singer Bob Dylan will collect an honorary degree from Scotland's St. Andrews University Wednesday -- only the second time he has accepted such an accolade in his 40-year career.
[Via Yahoo! News - Entertainment]
[Listening to: All Along the Watchtower - Bob Dylan - (2:32)]
Well, now it came together, this is what I'm listening to. Although this one fits better right now:
[Listening to: Knockin' On Heaven's Door - Bob Dylan - Pat Garret & Billy The Kid (so (2:29)]

A new web-based newsreader to access 2,400 public newsgroups. Give it a try!

Our friend Laura John from MSDN just posted a nice blog entry about the new web-based newsreader many of us have been working on lately. Mary Jo Foley recently published an article that announced the next-coming release of this web application. It shipped as planned June 8th. Kudos to the Office product group, the MS.COM Platform and Operations teams who have worked like crazy in the last few months to ship this web-based newsreader. Kudos too to people in the product web sites, Technet and MSDN web sites who have worked hard to adopt rapidly and make sure that we would ship simultaneously across the dozens of web sites we have on MS.COM. And a big thank you to all the customers and MVPs who have constantly sent us feedback all along on how to build this application.

We know that many people will still prefer a rich downloadable client (like OE or others). But we created this version to make sure that everybody, even behind a firewall where the NNTP port would have been shut down for technical reasons, can still access the Microsoft public newsgroups. For all the people who don't want or don't know how to set up a newsreader, or for those who know but are traveling or accessing the web on a different machine than their normal one, this is a pretty cool web application. In addition to that you can immediately filter the answered / unanswered questions, identify the posts from the Microsoft Valuable Professionals (MVPs), send feedback to Microsoft, get notified every time a new post appears on the thread / question you care about, view the threads identified by other community members as valuable. And there is much more. Go give it a try and tell us what you think.

Right now we think about the next version and about how to articulate this with a web-board type of online experience (more moderated, more private, more “personalizable” etc...).

For now, feel free to visit the main site here; all the newsgroups can be accessed from the major product pages of MS.COM (ex: TechNet newsgroups page). Next step is to continue to deploy internationally. We will keep you posted.

More to come

.olivier ribet

[Via Microsoft WebBlogs]

Threat Modeling

To protect your applications from hackers, you have to understand the threats to your applications. Threat modeling is comprised of t

[Via MSD2D News]

The complete windows 2003 hotfix and security pack

Dr.Conti released version 1.0 of a new Windows 2003 Post RTM pack (46-all-in-one).

So if you want all the fixes in one big archive, then scramble for version 1, which was released today (22.06.2004).

Get this hotfix pack at pubforum.net

[Via Thincomputing.net] Current VERSION 1.00 (22.06.2004). Full list of available post Windows 2003 RTM Hotfixes is available here. The COMPLETE W2K3 Hotfix / Hotfix & Security Pack is available for download via FTP to registered users only. The link is sent on Friday. As always, run UPDATE.BAT afterwards to apply all the hotfixes at once. Then reboot. Status for 22.06.2004 - 46 in total. Of course tested for viruses with the latest Symantec Antivirus definitions.

Windows event logs to RSS feed

A handy ASP.NET program:
Here is something completely silly: how to generate an RSS feed (which is used to syndicate news, like ours here) from the Windows event logs.

Follow this link for more information about how to implement this

Source: jernstrom.org
[Via Thincomputing.net]
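As an added example for this item and for the UPHClean item further up the page (not the jernstrom.org program linked above, nor part of UPHClean), the following parses a constructed event log export, picks out the Userenv profile-unload failures UPHClean targets (event 1000 with "Access is denied" on Windows 2000, 1517/1524 on Windows XP and Windows Server 2003), and emits them as an RSS 2.0 feed. The pipe-separated export format, the field names and the sample lines are assumptions made for the example.

```python
"""Windows event log export -> RSS 2.0, with a filter for Userenv
profile-unload failures (the events UPHClean handles).

Added example; the pipe-separated line format is an assumption. Real exports
(e.g. from DUMPEL.EXE) have their own layout and need their own parser.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime
from email.utils import format_datetime


@dataclass
class EventRecord:
    time: datetime
    source: str
    event_id: int
    kind: str
    message: str


# Constructed sample export: "<date time>|<source>|<event id>|<type>|<message>"
SAMPLE_EXPORT = """\
2004-06-23 08:01:12|Userenv|1517|Warning|Windows saved user DOMAIN\\alice registry while an application or service was still using the registry during log off.
2004-06-23 08:01:13|Userenv|1524|Warning|Windows cannot unload your classes registry file - it is still in use by other applications or services.
2004-06-23 08:05:40|Service Control Manager|7036|Information|The Print Spooler service entered the running state.
2004-06-23 09:12:03|Userenv|1000|Error|Windows cannot unload your registry file. Access is denied.
2004-06-23 09:15:00|Userenv|1000|Error|Windows cannot determine the user or computer name.
malformed line without separators
"""

# Userenv event ids that indicate a profile hive could not be unloaded,
# per operating system (as described in the UPHClean item above).
PROFILE_UNLOAD_EVENTS = {
    "Windows 2000": {1000},   # message must also say "Access is denied"
    "Windows XP": {1517, 1524},
    "Windows Server 2003": {1517, 1524},
}


def parse_export(text):
    """Parse export lines into EventRecord objects, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split("|", 4)
        if len(parts) != 5:
            continue  # do not let one bad line abort the whole feed
        stamp, source, event_id, kind, message = parts
        try:
            when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
            records.append(EventRecord(when, source, int(event_id), kind, message))
        except ValueError:
            continue  # unparsable timestamp or event id
    return records


def profile_unload_failures(records, os_name):
    """Records that mean a user's registry hive stayed loaded after log off."""
    ids = PROFILE_UNLOAD_EVENTS[os_name]
    hits = []
    for r in records:
        if r.source != "Userenv" or r.event_id not in ids:
            continue
        # Event 1000 is a generic Userenv id; only the access-denied case counts.
        if r.event_id == 1000 and "Access is denied" not in r.message:
            continue
        hits.append(r)
    return hits


def build_rss(records, title, link):
    """Serialize records as an RSS 2.0 document, newest item first."""
    rss = ET.Element("rss", version="2.0")
    channel = ET.SubElement(rss, "channel")
    ET.SubElement(channel, "title").text = title
    ET.SubElement(channel, "link").text = link
    ET.SubElement(channel, "description").text = "Selected Windows event log entries"
    for r in sorted(records, key=lambda rec: rec.time, reverse=True):
        item = ET.SubElement(channel, "item")
        ET.SubElement(item, "title").text = f"{r.source} {r.event_id} ({r.kind})"
        ET.SubElement(item, "description").text = r.message
        ET.SubElement(item, "pubDate").text = format_datetime(r.time)
        guid = f"{r.time.isoformat()}-{r.source}-{r.event_id}"
        ET.SubElement(item, "guid", isPermaLink="false").text = guid
    return ET.tostring(rss, encoding="unicode")


def feed_item_titles(xml_text):
    """Round-trip check: the item titles of a feed produced by build_rss."""
    root = ET.fromstring(xml_text)
    return [item.findtext("title") for item in root.findall("./channel/item")]


if __name__ == "__main__":
    recs = profile_unload_failures(parse_export(SAMPLE_EXPORT), "Windows XP")
    print(build_rss(recs, "Userenv profile unload failures", "http://example.invalid/events"))
```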

2004-06-22

Ben Affleck Wins $356,400 at Poker (AP)

AP - Ben Affleck won $356,400 at a poker tournament that also earned him a seat in next year's World Poker Tour Championship, casino officials said.
[Via Yahoo! News - Entertainment] On the other hand, we know that his back hair is falling out.

Access to -Save in- bar

You know the one: in every "Save as" dialogue, the 5 icons on the left.

Can we change these in Longhorn or IE7 (hey, the team's back, you never know)?

I'd like to make them other destinations, rather than Recent/desktop/docs/computer/network.

(For the record, I'd make mine:
Clients / webserver / desktop / music / photos)

Perhaps I could if I tried editing the registry, not sure.

Should be easy to make ...easier?

j

* Or is this one of those: "no, it needs to be the same on all Windows installs for familiarity"

[Via Channel9 Forums] This sheds light on a "mystery" that could even make our work more convenient. I consider it a flawed approach when an application that depends on the value of a registry key behaves in way "A" if the key is not defined at all, in way "B" if it is defined but empty, and if it is non-empty, the behaviour is either undocumented or well hidden.

Microsoft Product Support's Reporting Tools

Download the scripted system configuration gathering tools. The Microsoft Platform Support Reporting Utility facilitates the gathering of critical system and logging information used in troubleshooting support issues.
[Via Microsoft Download Center] For example, the contents of the Network package:
  • MPSRpt.cmd - Command script used to create all the reports.
  • 2000.cmd - Contains all commands to run if machine is running Windows 2000.
  • NT4.cmd - Contains all commands to run if machine is running Windows NT 4.
  • XP.cmd - Contains all commands to run if machine is running Windows XP.
  • Net.cmd - Contains all commands to run if machine is running Windows .Net.
  • Finish.cmd - Contains all commands necessary to build the cab file.
  • CHOICE.EXE Version 5.2.3765.0 - Resource Kit utility to allow you to pick an OS if one is not automatically determined.
  • MAKECAB.EXE Version 5.2.2765.0 - Resource Kit utility to compress all files into a single cab file.
  • QFECHECK.EXE Version 5.00.2195.3137 - Resource Kit utility to dump out a list of installed hotfixes (Windows 2000 only).
  • DUMPEL.EXE - Resource Kit utility to dump the event logs to a text file.
  • DUMPEVT.EXE - Utility that dumps Event Logs in EVT format.
  • PSTAT40.EXE Version 4.00 - Resource Kit utility to dump running processes and device drivers (NT 4.0).
  • PSTAT50.EXE Version 5.2.3772.0 - Resource Kit utility to dump running processes and device drivers (Windows 2000).
  • REG.EXE Version 2.0.0.0 - Resource Kit utility to dump registry values.
  • GETVER.EXE - Utility used to determine version of Windows NT running.
  • CheckSym.exe Version 2.3 - Utility that gathers version and symbol information from executable files.
  • Checksym.txt - Readme file for CHECKSYM.EXE.
  • EULA.TXT - End User License Agreement.
  • Readme.txt - This file.
  • NetDiag.exe - Utility that gathers network information.
  • DCDiag.exe Version 5.0.2195.4827 - Utility that gathers information from a Domain Controller.
  • DCDiag2k3.exe Version - Renamed DCdiag.exe for Windows 2003.
  • NetXP.exe Version 5.1.2600.0 - Renamed Netdiag.exe from Windows XP.
  • Net2K3.exe Version 5.2.3790.0 - Renamed Netdiag.exe from Windows 2003 Server.
  • Tstst.exe - Utility to gather Terminal Services configuration information.
  • gpreults.exe Version 5.00.2184.1 - Resource Kit utility to dump the Group Policies on this box.
  • gpres2k3.exe Version 5.2.3790.0 - Renamed GPresults.exe for Windows 2003.
  • ISAinfo.vbs Version 1.8.8 - Collects Configuration of ISA 2000 Server.
As you can see, there is no great secret here: it uses the existing tools, driven by suitable command files. The point is that these can be customized and are suitable even as reporting tools for remote management.

PSS and Memory Dumps

On Exchange Backups, continued:

A whitepaper which describes memory dump files and their use by Product Support Services (PSS) has just been released to the web.  The paper was created in response to customers who have voiced frustration with requests to obtain multiple memory dump files to troubleshoot certain problems and wanted to understand the processes used by PSS to collect and analyze those files.  I remember working on all of the types of cases in PSS that required a memory dump to find root cause.  In many cases, it was difficult for a customer to schedule any down time because of SLA agreements, etc., so asking them to get dumps that could require up to 15+ minutes of down time was not always acceptable.  Hopefully this document will help explain the importance of capturing memory dumps and help everyone understand why PSS frequently requests them.

The paper discusses the following key areas:

  • Definition of a memory dump file 
  • Differences between full memory dump files and mini memory dump files
  • An explanation of why it takes so long to create a memory dump file 
  • An overview of tools that are used to capture memory dump files 
  • A discussion of capturing hangs, performance problems and crashes with memory dump files
  • An explanation of why engineers will need multiple memory dump files to diagnose certain problems 
  • A chart that customers can view to set their expectations on the type of data PSS needs to begin troubleshooting certain conditions

Currently this document is found here: http://support.microsoft.com/support/exchange/content/whitepapers/MemoryDump.doc

[Via Microsoft WebBlogs] Useful resources can be found at the end of the referenced document:

... FOR MORE INFORMATION
For the latest information about Exchange, visit the following Microsoft Web sites:
  • http://support.microsoft.com/default.aspx?pr=exch2003
  • http://support.microsoft.com/default.aspx?pr=exch2k
  • http://www.microsoft.com/exchange/
For additional information about how to collect memory dump files and scenarios where memory dump files can be useful on Exchange Server 2003 computers and Exchange 2000 Server computers, click the following article numbers to view the articles in the Microsoft Knowledge Base:
  • 241215 How to use the Userdump.exe tool to create a dump file
  • 823150 How to gather data to troubleshoot Exchange Server 2003 virtual memory
  • 325044 HOW TO: Troubleshoot virtual memory fragmentation in Exchange 2003 and Exchange 2000
  • 286350 Use ADPlus to troubleshoot "hangs" and "crashes" ...

2004-06-21

Windows XP Service Pack 2 - Security Information for Developers

With Windows XP Service Pack 2 (SP2), Microsoft is introducing a set of security technologies that will help improve Windows XP-based computers' ability to withstand malicious attacks from viruses and worms. These technologies include:
  • Network protection
  • Memory protection
  • Improved email security
  • Safer browsing
Together, these security technologies will help make it more difficult to attack Windows XP, even if the latest patches or updates aren't applied. These security technologies together are particularly useful mitigation against worms and viruses. To developers these technologies will have impacts on the applications that they create and the tools they use. This page contains resources to assist developers in dealing with these impacts.

More information: Microsoft® Security Developer Center
[Via A .Text Community]

Tunneling ssh over DNS

Dan Kaminsky, the Jedi master of packet-level hacking, has figured out how to tunnel ssh over DNS, a stupendously weird and cool feat. Ever been at an airport or coffee shop with WiFi that redirects you over and over again to the same captive portal page no matter what you do? With Kaminsky's tool, you could circumvent any captive portal that allows DNS to slip through. Here's the presentation he gave at the LayerOne conference in Los Angeles.
Reverse Serial Propagation

Can be quickly and statelessly deployed

* Scan networks with generic recursive probe
* For each incoming request seeking to service the probe, return whatever (TTL=0) and probe with an actual block request
  - If a block request comes back from the recurser, populate the server
  - If the population packet drops, the upstream should retransmit
* Move back through the file after each server group fills up
* Can be much slower to populate!

480k Powerpoint Link (via Oblomovka)
[Via Boing Boing]
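From the defender's side, the practical question raised by this item is how a resolver operator would notice data being carried inside DNS queries. The following is an added example, not Kaminsky's tool or anything from his presentation: it scores constructed resolver log lines per client on indicators such tunnelling tends to leave (almost every query name unique, long high-entropy leftmost labels, bulk-payload record types). The log format, field names, thresholds and sample lines are assumptions for the example.

```python
"""Heuristic scoring of DNS-tunnel-like query patterns in resolver logs.

Added example. Each client is scored on four indicators; a client that trips
enough of them is reported as a candidate for investigation. Thresholds are
assumed starting points, not measured values, and need tuning per network.
"""
import math
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed resolver log excerpt: "<client_ip> <query_name> <qtype>"
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com MX
10.0.0.5 www.example.com A
10.0.0.5 cdn.example.net A
10.0.0.5 www.example.com A
10.0.0.9 a9f3c2e71b4d0e8f6a2c.t.example.org TXT
10.0.0.9 5e1d77c0bb39f4a1d2c8.t.example.org TXT
10.0.0.9 c04b9e2f1a6d8e3b7f55.t.example.org TXT
10.0.0.9 9d2e6a1f4c7b0e3a5d18.t.example.org TXT
10.0.0.9 3b8c1f9e0a4d7c2e6b91.t.example.org NULL
10.0.0.9 e7a2d5c8f1b4a9e0c3d6.t.example.org TXT
"""

# Assumed thresholds; each indicator at or over its threshold adds one point.
MIN_QUERIES = 5           # below this there is too little data to judge
UNIQUE_RATIO = 0.9        # distinct names / queries (tunnels rarely repeat a name)
LABEL_LENGTH = 16         # mean length of the leftmost label
LABEL_ENTROPY = 3.0       # mean Shannon entropy (bits/char) of the leftmost label
PAYLOAD_TYPE_RATIO = 0.5  # share of queries for record types that carry bulk data
FLAG_SCORE = 3            # points needed to report a client
PAYLOAD_TYPES = {"TXT", "NULL"}


def shannon_entropy(text):
    """Bits per character of the string; 0.0 for an empty string."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


@dataclass
class ClientStats:
    queries: int = 0
    names: set = field(default_factory=set)
    label_lengths: list = field(default_factory=list)
    label_entropies: list = field(default_factory=list)
    payload_queries: int = 0
    score: int = 0


def analyze(log_text):
    """Aggregate per-client indicators and compute a tunnel-likeness score."""
    stats = defaultdict(ClientStats)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        client, qname, qtype = parts
        s = stats[client]
        s.queries += 1
        s.names.add(qname.lower())
        label = qname.split(".")[0]  # encoded data sits in the leftmost label
        s.label_lengths.append(len(label))
        s.label_entropies.append(shannon_entropy(label))
        if qtype.upper() in PAYLOAD_TYPES:
            s.payload_queries += 1
    for s in stats.values():
        if s.queries < MIN_QUERIES:
            continue  # score stays 0: not enough evidence either way
        mean_len = sum(s.label_lengths) / s.queries
        mean_ent = sum(s.label_entropies) / s.queries
        s.score += int(len(s.names) / s.queries >= UNIQUE_RATIO)
        s.score += int(mean_len >= LABEL_LENGTH)
        s.score += int(mean_ent >= LABEL_ENTROPY)
        s.score += int(s.payload_queries / s.queries >= PAYLOAD_TYPE_RATIO)
    return dict(stats)


def flag_tunnel_candidates(log_text):
    """Clients whose score reaches FLAG_SCORE, sorted for stable reporting.

    Legitimate high-volume lookups (CDNs, anti-spam DNSBL checks) also produce
    many unique names, so hits are leads for investigation, not verdicts.
    """
    return sorted(c for c, s in analyze(log_text).items() if s.score >= FLAG_SCORE)


if __name__ == "__main__":
    for client, s in analyze(SAMPLE_LOG).items():
        print(client, "queries:", s.queries, "score:", s.score)
    print("flagged:", flag_tunnel_candidates(SAMPLE_LOG))
```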

Solution Accelerator for Consolidating and Migrating File and Print Servers from Windows NT 4.0

[Via Bink.nu RSS]

On Exchange backups...

Repairing Exchange Databases, continued:

Some of you might wonder - why write about this subject? Well, every day I see customers calling in with Exchange servers that have experienced some sort of disaster... we all know that hard drives eventually die, power failures happen and file-level Anti Virus software can mess Exchange database or transaction logs up if not configured correctly. (More on that subject HERE.)

In many of those cases - we need to go back to restoring a backup of Exchange databases in order to get the maximum amount of information back after the failure.

Unfortunately - in MANY cases (way too many!) when we get to try restore a backup, we realize that:

 - backup is not good (can't restore, bad tape, etc...)
 - there is no backup of Exchange on the tape (just some logs were backed up)
 - backup did not run for few months (nobody checked if it was running)
 - something else - but read: there is no backup because of it :(

Really, on the question "To backup, or not to backup" the answer is:

"The need for backup is directly proportional to the amount of grief that you would have if your data (in this case - Exchange databases and transaction logs) disappeared today."

This could be then expanded to say that the backup has to be not just taken, but also tested to see if it is good. Please note here that I am not even considering what kind of hardware Exchange is running on. It really does not matter if databases are on RAID 5 or logs are on the Mirror. It does not matter if everything is on the SAN somewhere. It seems like many people think that - if the storage solution costs a lot, then it is "foolproof" and backups are the thing of the past. Unfortunately not so. In fact - the way I see it - if a company spent a lot of $ on the storage solution, they need backups even more, as their Exchange data is obviously that much more important to them, right?

Also - we have to make sure that we are taking the RIGHT type of backup. Granted, there are MANY backup solutions out there. The main thing to consider, no matter what solution you pick, is that the solution needs to be Exchange-aware. So it has to be able to talk to our backup API (please note that I will cover only the Online backups here).

In many cases that we see, the Exchange data is backed up by going to the backup software and then selecting the "Exchsrvr" folder and backing that up, as with any other folder on the hard drive. Well, this will not give us much if Exchange databases are actually mounted and running, as the database Store will have a file lock on the databases and some transaction logs. That will cause those files to get skipped, so they are not on the backup tape at all. The only time you can do a backup like this is when Exchange databases are offline or Store service is stopped. This right here accounts for about 40% of cases that I have seen when customers realize that they have no backup of Exchange info.

In W2K3, NTBackup's shadow copy will actually back up the databases while they are online. This is not necessarily a good thing--it can take a very long time and bloat your backup, and you have a database that's in the state it would have been in just after a crash. Admins should always exclude the Exchange data folders from conventional backup, not rely on the files being locked to prevent them from being backed up.

Another thing that is very common is using what is called an "Open File Agent" to be able to backup files that are currently in use by some other process (this is considered a "solution" to the above). Several 3rd party backup programs have this functionality. This is something that will be able to backup your databases even if they are in use, but if you try restoring them - you will in most cases have to eventually repair the databases in order to get them started, as databases restored in this way will be marked "inconsistent" or "dirty shutdown" because - well, they were inconsistent when the backup was taken, right? Store was still using them! So - restoring this type of backup in most cases (please note I said "most cases" as sometimes it is possible to replay the log files into the databases restored in this way, depending on the files that are restored) forces us to repair the database (repair = probable data loss + a lot of work + uncertainty of success). For what to do after the database repair, please go here.

Then there are products that backup mailboxes themselves, rather than databases. This is referred to "brick" or "mailbox level" backup. This is fine to do (even though Microsoft does not provide any APIs for it so we can not really support it as such) - but as long as this is done together with Online backup. This is because - if you have the mailbox-level backup, your data is really as good as the last backup is. Meaning - if you do a brick backup on Monday, and your database drive dies on Friday, you will be able to restore up to Monday, as there is no way to replay the transaction logs from Monday to Friday into the new database we had to create to restore the brick backup into.

If you are looking for this kind of backup, you could possibly look into the Exmerge tool, as it can be scripted to "backup" specific mailboxes into PST files on a regular basis, and could do it "incrementally" too.

That brings us to:

How DO you backup an Exchange server?

Simply put - you need to use the backup that is "Exchange aware". That right there is the key. That will mean that we need software that either "out of the box", or through the use of a special add-on (also called an "Agent") - knows how to talk to our services to actually backup the database, any transaction logs that we might have to back up, purge the already committed transaction logs from the hard drive and - do all that while services are up and running and users are accessing the databases. It is important to mention here that Exchange online backup is the only type of backup that will purge already committed transaction logs from the hard drive after backup is completed successfully.

When in doubt - you can always use NTBackup. It might not have all the features of your Enterprise-grade central backup solution, but - it is great at backing Exchange databases up. When you install Exchange System Manager (ESM) or Exchange Administrator (for 5.5 servers) - the NTBackup program is extended to provide the ability to online backup Exchange servers. If everything else is questionable - this is something that you can always fall back to and make sure to have good backups.

And a main selling point of using an "Exchange aware" backup program: you don't have to know exactly how transaction logging works, how to determine which log files need to be replayed, etc. "It just works." If you're not doing online backups, then you need to become an expert in Exchange transaction log replay.

As a side note, MS IT uses NTBackup extensively as a part of the Exchange backup process.

Some related articles:

258243 How to Back Up and Restore an Exchange Computer by Using the Windows
http://support.microsoft.com/?id=258243

298924 XADM: Do Not Back Up or Scan Exchange 2000 Drive M
http://support.microsoft.com/?id=298924

311898 XADM: Hot Split Snapshot Backups of Exchange
http://support.microsoft.com/?id=311898

Nino Bilic

[Via Microsoft WebBlogs]
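The "dirty shutdown" decision above can be made before you touch a restored database. What follows is an added example, not code from Nino Bilic's post: it reads the output of `eseutil /mh <database.edb>` (the header dump, which prints the database State and the Log Required generation range) and checks whether every transaction log in that range is present in the restored log directory, which is exactly the "depending on the files that are restored" case. Assumptions: the header text and the directory listing are constructed for the example, and the E00 log prefix is the first storage group's default (a second storage group uses E01, and so on).

```python
"""Decide whether a restored Exchange 2000/2003 database can be started.

Added example (not from Nino Bilic's post): parses the "State:" and
"Log Required:" lines of an `eseutil /mh <database.edb>` header dump and
checks whether every transaction log in the required generation range is
present in the restored log directory. Clean Shutdown: just mount it.
Dirty Shutdown with all required logs present: soft recovery
(`eseutil /r E00 /l <logdir> /d <dbdir>`) brings it to Clean Shutdown.
Dirty Shutdown with a required log missing: only repair (`eseutil /p`)
remains, with the data loss the post warns about.
The header text and directory listing below are constructed for the example.
"""
import re

# Constructed header dump for a database copied by an "open file agent"
# while the Store still had it open. Only the State and Log Required lines
# matter to this script; the rest is filler in the same layout.
SAMPLE_HEADER = """\
Initiating FILE DUMP mode...
        Database: priv1.edb

        File Type: Database
        Checksum: 0x1a2b3c4d
        State: Dirty Shutdown
        Log Required: 3434-3437 (0xd6a-0xd6d)
        Last Consistent: (0xD69,1A2,5C)  06/28/2004 23:15:02
"""

STATE_RE = re.compile(r"^\s*State:\s*(.+?)\s*$", re.MULTILINE)
LOG_REQ_RE = re.compile(r"^\s*Log Required:\s*(\d+)-(\d+)", re.MULTILINE)


def parse_header(text):
    """Return (state, first_gen, last_gen) from an eseutil /mh dump.

    Generations are decimal; eseutil prints both decimal and hex. A Clean
    Shutdown database reports 0-0, meaning no log replay is needed.
    """
    state_m = STATE_RE.search(text)
    if state_m is None:
        raise ValueError("no State: line found in header dump")
    req_m = LOG_REQ_RE.search(text)
    if req_m is None:
        return state_m.group(1), 0, 0
    return state_m.group(1), int(req_m.group(1)), int(req_m.group(2))


def required_log_names(first_gen, last_gen, prefix="E00"):
    """Exchange 2000/2003 names logs <prefix><5 hex digits>.log, e.g. E0000D6A.log.

    The prefix is the storage group's log base name (E00 for the first
    storage group, E01 for the second, ...).
    """
    if first_gen == 0 and last_gen == 0:
        return []
    return ["%s%05X.log" % (prefix, gen) for gen in range(first_gen, last_gen + 1)]


def recovery_plan(header_text, logs_on_disk, prefix="E00", current_log_gen=None):
    """Classify a restored database and list the required logs that are absent.

    logs_on_disk: file names found in the restored log directory.
    current_log_gen: generation of the open log (Exx.log, not yet renamed),
    as reported by `eseutil /ml E00.log`, when that file was restored too;
    it often holds the last required generation.
    """
    state, first_gen, last_gen = parse_header(header_text)
    if state == "Clean Shutdown":
        return {"state": state, "action": "mount", "missing": []}
    present = {name.upper() for name in logs_on_disk}
    if current_log_gen is not None:
        present.add(("%s%05X.log" % (prefix, current_log_gen)).upper())
    missing = [n for n in required_log_names(first_gen, last_gen, prefix)
               if n.upper() not in present]
    if missing:
        action = "repair (eseutil /p): required logs missing, expect data loss"
    else:
        action = "soft recovery (eseutil /r %s): all required logs present" % prefix
    return {"state": state, "action": action, "missing": missing}


if __name__ == "__main__":
    # Constructed listing: the agent's backup set stops one generation short.
    restored_logs = ["E0000D6A.log", "E0000D6B.log", "E0000D6C.log", "E00.chk"]
    print(recovery_plan(SAMPLE_HEADER, restored_logs))
    # If E00.log was restored as well and eseutil /ml says it is generation
    # 0xD6D, the gap is closed and soft recovery is possible.
    print(recovery_plan(SAMPLE_HEADER, restored_logs, current_log_gen=0xD6D))
```

Run `eseutil /mh` against the restored .edb, feed it the file names from the restored log directory, and act on the plan: soft recovery replays the logs and leaves a Clean Shutdown database, repair is the `eseutil /p` path with the caveats in the post. An online, Exchange-aware backup never puts you in front of this decision, which is the post's point.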

Update to a webcast

This just in...

The presentation: Delivering Rich-Client Features with Thin-Client Delivery that was originally scheduled for Thursday, June 24, 2004 from 1:00PM-2:30PM will now be held on Friday July 16, 2004, at 11am.

TTFN - Kent

[Via Microsoft WebBlogs]

S & P: SMS Server 2003: Security

[Via Microsoft Download Center] Scenarios and Procedures for Microsoft Systems Management Server 2003: Security. Follow these established best practices to create the most secure SMS environment possible, and then follow the guidance to maintain the most secure environment possible.
[Listening to: Computer God - Black Sabbath - (6:15)]

Microsoft Exchange Server: Exchange Intelligent Message Filter

Microsoft Exchange Server: Exchange Intelligent Message Filter. Microsoft Exchange Intelligent Message Filter provides server-side message filtering, heuristics-based message analysis, and support for per-message spam confidence level ratings. Find out how you can reduce spam while improving productivity and trimming costs by exploring the resources listed on this page. Note: Intelligent Message Filter can only be installed on a server running Exchange Server 2003 Standard Edition or Exchange Server 2003 Enterprise Edition. Download. I'll still have to give it a proper test.
[Listening to: Walking to New Orleans - Fats Domino - (1:58)]

Inside look at Microsoft's security response center

ZDNet: A day in the life of a Microsoft security patch.

Interesting look at how Microsoft handles security problems.

[Via Scobleizer: Microsoft Geek Blogger]

2004-06-20

Terminal Server Printer Driver Redirection Wizard

Terminal-Services.NET Cláudio Rodrigues, Microsoft MVP Terminal Server Printer Driver Redirection Wizard: this tool scans your event logs for printers that could not be mapped under terminal services sessions and helps you create an alternative .INF file to make sure that the next time your users log on, these printers get mapped.

Remote Network Technology Wiki - Remote Network Home

Remote Network Technology Wiki - Remote Network Home Welcome to the Remote Networking Technology Wiki The site has been moved to a permanent hosting site and is being actively revised. Some of the prior content is unavailable, but should be back online later this weekend. (October 24, 2003) Welcome to the Remote Networking Technology Wiki for information concerning the remote networking technologies included in Windows XP, Windows 2003, and the upcoming Longhorn release (including VPN, Remote Desktop, Remote Assistance, IIS, Offline Files, and Remote Security Issues). This forum is to provide information, links, etc. on issues commonly discussed in the Microsoft Newsgroups. ...

Terminal Services Support Center

Like Remote Desktop, this section contains links to Terminal Services-specific FAQs. Make sure you also visit the Remote Desktop Support Center to also troubleshoot RDP issues. This area is maintained by the Terminal Services MVP (Alex Angelopolous, Matthew Harris, and Vera Noest). ...

Keep others from tying up both Remote Desktop admin sessions

Keep others from tying up both Remote Desktop admin sessions I’m sure most of you use Remote Desktop for Administration (RDA) on your Windows servers. It is probably one of the most valuable parts of the Microsoft server operating system, in my opinion. One limitation of RDA is that you can only have 2 client connections on the server. Several times I’ve been unable to connect because someone has carelessly disconnected their session when they really should have logged off, and then reopened another session with a new connection. Then you have to go into the connection manager and kill one of the connections, hoping that the person wasn’t running anything important on that connection. Whoops! I have found at least one answer to this problem! In Windows Server 2003 (only), there is a new group policy setting called Restrict Terminal Services Users to a Single Remote Session. ...

Remote Desktop over a SSH tunnel client

From an email:

WiSSH is a new client that allows you to access Remote Desktop servers (running on Windows XP Pro) over a SSH tunnel.  Due to the way that Remote Desktop was architected in Windows XP, the standard tunneling procedure won't work when you try to use Remote Desktop over a SSH tunnel.  Windows 2000 and Windows 2003 Server do not exhibit this problem.

WiSSH allows access through the Gateway SSH server to Windows 2000 Terminal Servers, Windows 2003 Terminal Servers, Windows NT Terminal Server Edition, Windows XP with Remote Desktop enabled, and Windows 2000/2003 Servers with Remote Administration enabled.

Go here for the WiSSH website.

[Via Jeffrey's Ruminations - My Networking Blog]

Revised Remote Desktop Web Connection Client - User Supported

I have created a revised remote desktop web connection client webpage that will allow a user to specify a non-standard port for connection.  This is the number 1 feature that we see in the Microsoft public newsgroups relating to the web client software.  The revised version will also allow a user to specify a non-standard color depth, enable or disable drive and printer redirection, and connect to the console session of a Windows 2003 Server.  Finally, I have added a few checkboxes that will allow you to disable various User Interface features (i.e., Themes, Desktop Wallpaper, etc) to enhance your connection and usage speed.  In general, the new client replicates much of the functionality exposed in the desktop version of the Remote Desktop Connection Client.

To see (and use) the new client, visit here.  (Please note that this is the beta site for the new Remote Network Technology support website and many parts of the site don't work yet.... )

To download and use the new client, download the revised file here and replace or rename the original default.htm file in the C:\WINDOWS\WEB\TSWEB directory.

FYI:  I am also about to release a new tool (on the website) that will help end users determine their WAN IP Address as well as determine whether they are behind a NAT gateway device or not.  This is trivial for networking people, but it could be a useful check tool when supporting end users.  In the near future, there will also be a tool to allow a end user to check whether or not they have enabled port forwarding in their router to support Remote Desktop and to offer troubleshooting for connection difficulty...  These are waiting for me to get some spare time away from the office (we are about to move into a new wing of the building, so I am busy finishing up network wiring, installing patch panels, etc.).

Disclaimer:  The revised default.htm file was a modified version of the original web client provided by Microsoft to support some of the additional properties necessary to enable port forwarding, color depth, etc.  I have not seen any sort of problems with this release, but I am not responsible for any data loss or downtime caused by overwriting the production version client with this revised client.  The user shall heed all warnings displayed about enabling Folder/Drive Redirections. 

[Via Jeffrey's Ruminations - My Networking Blog]

Have you had your Window's fix?

Bill McCarthy's thoughts.

So MS tries to do the nice thing and give its software away. But then folks liken MS to a drug pusher for doing so and it gets nasty.

Funny thing is, do drug pushers give away free samples? I would have thought with their short term memory problem etc, that would be a recipe for financial disaster as they wouldn’t remember who they gave the freebies to. Maybe people should put that to the test. Approach a drug dealer when you see one and ask for a free sample ;)

Of course the stupidity of the synonym is only exceeded by the stupidity of MS’s lawyers. Seriously suing someone for likening MS to a drug dealer is likely to bounce back on them *big time*. Going to be a lot of egg on some lawyer faces when the case gets dismissed, and then people say “see MS really is like a drug dealer”.

Then again, this free software initiative really is going about things the wrong way. Unfortunately it’s because of the way the software is designed, MS has no other choice if they are trying to stem the migration away from Windows. It’s a real pity, because as it stands Windows isn’t free, instead they have these occasional “tastes” of free windows.

I think the coolest way to go about this would be to componentalize MS software including Office and Windows. (of course componentalize isn’t a word *yet*).

What that would mean is there would be a basic version of windows that was free, or at least free to education and non profit organizations. A cut down version of XP home. If you wanted the windows network features that currently requires students to buy XP Pro, instead of having to buy a complete OS, you could purchase a *component* to enable that. Some of these features might be baked in, and just require licensing switches to turn them on, and others might be downloadable as extensions.

And the good news is that everyone wins. Customers get freedom of choice, and real low cost alternatives. Microsoft stems the flow away from Windows, and doesn’t get bad PR or likened to being a “pusher” for doing so. And *developers*, *developers* *developers* can all prosper too as many of the locked down integrated windows features against which you can’t compete, would become “extra components”, moving that ever so slightly more into the world of free enterprise. Realistically for MS though that competition would be minor and MS should have no legal problems in having package deals for their components.

$0.02

[Via A .Text Community]

Event Log Monitoring with RSS

Greg Reinacker's Weblog - Event Log Monitoring with RSS "Thursday, April 3, 2003 Event Log Monitoring with RSS I've written some sample code to generate a RSS feed from the Windows Event Logs. This is very handy for monitoring servers - perhaps a poor man's SNMP monitor. :-) ... You can specify in the URL how many entries to return, and which logs to use. For example, http://example.org/Rss.aspx?num=20&logs=Application,System would return the 20 most recent entries, looking in both the Application and System event logs. ...
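A Python rendering of the same idea, added here as an example and not Greg Reinacker's code: it honours the `num` and `logs` query parameters from his example URL, whitelists the log names, caps `num`, and writes RSS 2.0 with the standard library. The event records are constructed for the example; on a real server they would come from the event log API. Anything that publishes event logs over HTTP has to sit behind authentication, since the Security log in particular tells an attacker which accounts and hosts are being probed.

```python
"""Render Windows event log entries as an RSS 2.0 feed.

Added example (not Greg Reinacker's Rss.aspx): takes the `num` and `logs`
query parameters his URL uses, selects the newest entries from the chosen
logs and emits RSS. Event records are constructed here; on a real server
they would be read from the event log API.
"""
from datetime import datetime, timezone
from email.utils import format_datetime
from urllib.parse import parse_qs
from xml.etree import ElementTree as ET

# Constructed sample entries: (log, time, source, event id, type, message)
SAMPLE_EVENTS = [
    ("Security", datetime(2004, 6, 17, 9, 1, 0, tzinfo=timezone.utc), "Security", 529,
     "Failure Audit", "Logon Failure: Unknown user name or bad password"),
    ("System", datetime(2004, 6, 17, 9, 2, 0, tzinfo=timezone.utc), "Service Control Manager", 7036,
     "Information", "The Print Spooler service entered the running state."),
    ("Application", datetime(2004, 6, 17, 9, 3, 0, tzinfo=timezone.utc), "MSExchangeIS", 1221,
     "Information", "The database has 12 megabytes of free space after online defragmentation."),
    ("Application", datetime(2004, 6, 17, 9, 4, 0, tzinfo=timezone.utc), "ESENT", 623,
     "Error", "The version store has reached its maximum size."),
]

ALLOWED_LOGS = {"Application", "System", "Security"}
MAX_NUM = 200  # cap so one request cannot pull an entire log


def parse_query(query, default_num=20):
    """Turn 'num=20&logs=Application,System' into (num, [logs]); unknown logs are dropped."""
    params = parse_qs(query)
    num = int(params.get("num", [default_num])[0])
    num = max(1, min(num, MAX_NUM))
    wanted = params.get("logs", [",".join(sorted(ALLOWED_LOGS))])[0].split(",")
    return num, [log for log in wanted if log in ALLOWED_LOGS]


def select_events(events, num, logs):
    """Newest `num` entries across the chosen logs, most recent first."""
    chosen = [e for e in events if e[0] in logs]
    chosen.sort(key=lambda e: e[1], reverse=True)
    return chosen[:num]


def build_rss(events, title="Event Log"):
    """Serialise the selected entries as an RSS 2.0 document."""
    rss = ET.Element("rss", version="2.0")
    channel = ET.SubElement(rss, "channel")
    ET.SubElement(channel, "title").text = title
    ET.SubElement(channel, "link").text = "http://example.org/Rss.aspx"
    ET.SubElement(channel, "description").text = "Windows event log entries"
    for log, when, source, event_id, kind, message in events:
        item = ET.SubElement(channel, "item")
        ET.SubElement(item, "title").text = "[%s] %s %d (%s)" % (log, source, event_id, kind)
        ET.SubElement(item, "description").text = message
        ET.SubElement(item, "pubDate").text = format_datetime(when)
        # A stable guid lets the reader de-duplicate entries between polls.
        ET.SubElement(item, "guid", isPermaLink="false").text = (
            "%s-%s-%d" % (log, when.strftime("%Y%m%d%H%M%S"), event_id))
    return ET.tostring(rss, encoding="unicode")


def feed_for_query(query, events=SAMPLE_EVENTS):
    """The whole request path: query string in, RSS text out."""
    num, logs = parse_query(query)
    return build_rss(select_events(events, num, logs))


if __name__ == "__main__":
    print(feed_for_query("num=20&logs=Application,System"))
```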

Intel 3.40EE & 560 (3.60E) Processors

Continuation of the earlier ones: Intel 3.40EE & 560 (3.60E) Processors: "Intel 3.40EE & 560 (3.60E) Processors Stephen Cooper, June 19th, 2004 ..:: Introduction ::.. If we were able to take a step back in time, I'm sure that many of you reading this article would remember back when Intel proclaimed that processors in socket form were dead in the water. Intel, along with AMD, then progressed forward with slot mounted processors, which didn't exactly last all that long on the grand scheme of things. Sure, we had Slot A, Slot I and II, but those only lasted through a generation and a half of processors. If you take care to remember, both companies moved back to socket implementations by the time the 1.00GHz mark had rolled around, AMD with their well-loved Socket 462, and Intel with their Socket 370, and then Socket 423/478. Lately, it seems as though Intel and AMD have switched places when it comes to the socket merry-go-round that consumers must deal with. Not long ago, Intel had the 370, 423, and 478 processor sockets, a fact that wasn't looked well upon by many in our enthusiast community. AMD on the other hand had their Socket A, and, well, Socket A. Since then, Intel has stuck it out with the Socket 478 processor until today, where we'll be debuting the latest LGA 775 socket while AMD has gained a higher precedence in the community with their Opteron and Athlon 64 processor lines, and have also adopted 754, 940, and now 939 pin sockets. Funny how things work out isn't it?

Repairing Exchange databases with ESEUTIL - when and how?

[Via Bink.nu RSS] Here's a nightmare scenario for an Exchange administrator: The disk system where your Exchange databases live goes insane and damages the database. No big deal, you think, I'll just restore it from backup and roll forward with the transaction logs. No data loss, although it will cost some downtime. Then you find that somebody put a 2 liter bottle of soda on top of the backup tapes. A bottle with a leaky seam. Not all things go better with Coke! Your Exchange database is unstartable and your backups are bad. What do you do next? Exchange includes two very sophisticated utilities that will come to your rescue: Eseutil and Isinteg. If there is salvageable data in your injured database, they'll stitch it back together for you. In actual practice, these two utilities are remarkably successful in fixing up a database (almost) like brand new. In fact, they may be a little too successful. I've seen too many administrators who've gotten careless with their backups because they know they can count on the repair tools to (almost) always save their bacon. That parenthetical (almost) is why you can't rely on repairing a database as your primary method of data recovery. Nothing beats having an extra copy of your data safely off in a second location (like on a backup tape). And repair can only repair what's still there. Massive damage to the existing database or complete loss of the drives is an all too frequent occurrence, even with today's redundant disk hardware. Read at source how to repair an Exchange database that won't start News Source: Ehlo blog

2004-06-19

Looking Forward to Intel's Grantsdale and Alderwood

VL writes "Over the next several days, you'll be hearing a lot about Intel's significant upgrade to the Pentium 4 platform. Soon enough, that brand new ...
[Via Slashdot] Today marks the release of one of the most innovative tech launches in Intel's history.

2004-06-18

acronymical identity

I'm awfully sorry, but the acronymic identity between
sfc (Windows 2000 System File Checker or Microsoft(R) Windows XP Windows File Checker) or
SFC (Sexual Freedom Coalition) and
SFC (Sztanya Ferenc Consulting) is unintentional.

Paul Allen & Jimi Hendrix

Founder Paul Allen officially opens EMP by smashing a guitar in the manner of his idol, Jimi Hendrix. This particular guitar was a sculpture made by artist Dale Chihuly. Grant M. Haller / P-I Hendrix/asteroid/Microsoft Microsoft co-founder Paul Allen, the third wealthiest American, was seeking to acquire rights to the Hendrix legacy for his [$160] million Hendrix Museum in Seattle. In 1993 Mr. Allen loaned the Hendrix family $5 million to finance a lawsuit which resulted in the closing of the Hendrix production company in Hollywood. So Seattle is famous not only for its port, its metalworking industry and its machine industry :)) All of this came to mind because of the film Ezredvégi építmények (Buildings of the End of the Millennium) that I saw on Spektrum this morning. One of Jimi's dreams, the Sky Church, has come true as well. So let's listen to Hey Joe, Purple Haze and The Wind Cries Mary, or anything from the Sunshine of Your Love album (even Morrison's Lament with Jim Morrison).

2004-06-17

RE: FAQ: How Windows XP Service Pack 2 (SP2) Affects SQL Server & MSDE

FAQ: How Windows XP Service Pack 2 (SP2) Affects SQL Server and MSDE
http://www.microsoft.com/sql/techinfo/administration/2000/security/winxpsp2faq.asp

Review this FAQ to find answers to common questions about how Microsoft Windows XP Service Pack 2 (SP2) affects installations of SQL Server 2000 and SQL Server Desktop Engine (MSDE). Microsoft recommends that SQL Server 2000 and MSDE 2000 customers update their systems by installing SQL Server 2000 Service Pack 3a (SP3a) and Windows XP SP2.

[Via A .Text Community]

More Power to Firmware

More Power to Firmware ... New Beginning 64-bit PCs do not use legacy BIOS. The IA-64 firmware is divided into three primary components: the Processor Abstraction Layer (PAL), the System Abstraction Layer (SAL), and the Extensible Firmware Interface (EFI). PAL abstracts the processor hardware implementation from the point of view of SAL and the operating system. Different processor models with potential implementation differences appear uniformly via PAL. Examples of the PAL layer's functionality include: Interruption entry points such as those invoked by hardware events (processor reset, processor initialization, machine checks, etc.) Procedures that can be invoked by the operating system or higher level firmware, such as procedures for obtaining processor identification, configuration, capability information, cache initialization, enabling and disabling processor features. PAL has no knowledge of platform implementation details. Note however that PAL is part of the IA-64 architecture. The firmware implementation of PAL is supplied by the processor vendor, and it resides in OEM flash memory. SAL provides an abstraction for the platform implementation, without any knowledge of processor implementation details. SAL is not part of the IA-64 architecture -- it is part of the Developer's Interface Guide for 64-bit Intel Architecture (DIG64). The firmware implementation of PAL is provided by the OEM. ...

HOBLink JWT - Java Client for Terminal Server

HOBLink JWT - Java Client for Terminal Server HOBLink JWT is a platform-independent, Java-based solution for accessing MS Windows Terminal Servers. It makes business-critical data in Windows-based applications available to all users, regardless of the type of hardware or operating system they are using. Test Drive HOBLink JWT Online!

Hammer of God Utilities (Terminal Services and other useful utils)

Hammer of God Utilities from Tim Mullen's (Thor@hammerofgod.com) site: UserInfo v1.5 (~ 41k - author: Thor)
UserInfo is a little function that retrieves all available information about any known user from any NT/Win2k system that you can hit 139 on.  Specifically calling the NetUserGetInfo api call at Level 3, UserInfo returns standard info like SID, Primary group, logon restrictions, etc., but it also dumps special group information, pw expiration info, pw age, smartcard requirements, and lots of other stuff.  This guy works as a null user, even if the system has RA set to 1 to specifically deny anonymous enumeration.
UserDump v1.11 (~ 42k - author: Thor)
UserDump is UserInfo with a twist. It combines LookupAccountSID and LookupAccountName with UserInfo's NetGetUserInfo calls, resulting in a SID Walker that can dump every user in a domain in a single command line.  It gives you all the information that UserInfo does, but it lets you specify the number of users you want to walk.  Pretty cool.  Also runs as a null user, even with RA set to 1.
ProbeTS v1.0 (~ 33k - author: Thor)
Seeing Erik Birkholz and Clinton Mugge easily redirect terminal server requests to different ports at Blackhat scared me.  If you change the default Terminal Server port from 3389 to something else, it is basically undetectable unless you physically try each port.  This means that one of your admin people could easily hide a Terminal Server somewhere on your network that you would have no way of finding... and that ain't good.  ProbeTS gives you a leg up.  Though it takes a back door approach, ProbeTS will scan a full C-Class for you to determine if terminal services are being offered up regardless of what port is actually being used.  There is no magic here... You have to be able to hit the boxes with RPC, and you have to be an authenticated TS user on the target machine.  This would typically limit its use to Domain Admins, but it is more than you had to begin with.  Don't expect it to be too fast either- What you gain in being able to identify an any-port terminal server, you give up in speed.  Specifically, it loops through your C-Class, and asks every IP address for a terminal server handle.  If it gets one, it knows it is a TServer.  Simple, but effective. TSEnum Beta v0.91 (~ 33k - author: Thor)
This guy goes about things a little differently than ProbeTS does. There is certainly a place for ProbeTS in the LAN, but TSEnum has proven to be a bit more powerful- that is, if I can figure out why I am getting different results when I run it. Feel free to email me with any idiosyncrasies in its operation.
TSEnum (Terminal Server Enum) is actually a lot more than that- it is an EVERYTHING enumeration tool. Again, my goal was to find a good way to quickly scan the network for rogue Terminal Servers ala Erik and Clinton's hiding techniques. When a server/workstation joins the domain, it registers itself with the master browser. Part of this registration includes the server type, which can be retrieved via the NetServerEnum function. This is basically a remote API call that gets the target box to query its master browser for everything that it can see, and asks it to dump it all back to you. Cool stuff. What I need help with is the testing in different environments. I have been able to successfully enumerate all the servers in other domains with no credentials, and without having to do an anonymous net use first... But, sometimes it errors out on me, even when it worked previously. Go figure. So, give it a shot and let me know what you come up with. Thanks!

TransportEnum v1.0 (~ 33k - author: Thor)
When I was doing research for my RestrictAnonymous stuff, I basically went through lots of different Net API calls to see what I could do as an anonymous user. I was particularly interested in calls that could be made as NULL even when RA was set to 1. The NetServerTransportEnum call is one such call that supports a SERVER_TRANSPORT_INFO_0 level structure return in such circumstances. It basically allows you to get the transport names (devices) in use on a box. With NT4, the protocol name usually contains the adapter type as well as the protocol, so it was pretty easy to see stuff like modems, net cards, etc in a dump... i.e. a box running TCP/IP on an Intel card would dump something like:
Transport: \Device\NetBT_E100B1
Address: 00a0c9740202
This was really useful to enumerate all the transport information, modems included, on a box/domain. However, in Win2k/XP, the transport name has changed to a Unicode character string that contains the device name, and what looks to be a CSID or something as in:
Transport: \Device\NetBT_Tcpip_{CE081110-126E-4BD1-88B0-2FF8C1D83D10}
Address: 00c0f06cdf7a
You get the protocol name still, but it is hard (for me without doing other research) to see if the device is a modem or not without finding out what that CSID is. So, hopefully, someone out there will come across this and have to time to contribute to the tool in regard to mapping out what the CSID means. Please let me know if you find anything interesting.

TSGrinder(About Damn Time!)
TSGrinder is the first production Terminal Server brute force tool, and is now in release 2. The main idea here is that the Administrator account, since it cannot be locked out for local logons, can be brute forced. And having an encrypted channel to the TS logon process sure helps to keep IDS from catching the attempts.
TSGringer is a "dictionary" based attack tool, but it does have some interesting features like "l337" conversion, and supports multiple attack windows from a single dictionary file.  It supports multiple password attempts in the same connection, and allows you to specify how many times to try a username/password combination within a particular connection.
Note that the tool requires the Microsoft Simulated Terminal Server Client tool, "roboclient," which may be found here:
ftp://ftp.microsoft.com/ResKit/win2000/roboclient.zip

There are still a couple of bugs we are working out- for instance, we've got a problem with using "l337" conversion with more than 2 threads open. There have also been requests to support standard brute-force-via-character-iteration attacks, and we will get to this when we can.  In the meantime, enjoy the tool, and let me know how it works for you.
For those interested in the Blackhat presentation Ryan Russell and I made in Vegas, you can find that here:
http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-mullen.pdf

Go nuts!
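Since TSGrinder relies on the Administrator account not being locked out, the only trace of a run is a burst of failed logons on the terminal server. The detection below is an added example, not one of Thor's tools: it parses Windows 2003 Security event 529 records in the text layout Event Viewer exports, keeps Logon Type 10 (the Terminal Services logon type on XP/2003), and flags a source address that fails repeatedly against one account inside a short window. The event text is constructed, and the threshold and window are assumptions to tune per site. On Windows 2000 a Terminal Services logon is recorded as type 2 and the 529 event carries no Source Network Address, so there the parser would have to key on Workstation Name instead.

```python
"""Flag a Terminal Server password-guessing run from Security log events.

Added example, not one of Thor's tools: TSGrinder works because the built-in
Administrator account cannot be locked out, so a run leaves only a burst of
failed logons behind. This reads Windows 2003 Security event 529 (unknown
user name or bad password) in the text layout Event Viewer exports, keeps
Logon Type 10 (the Terminal Services logon type on XP/2003) and reports any
source address that fails at least `threshold` times against one account
inside `window`. The event text below is constructed; threshold and window
are assumptions to tune for the site.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

FIELD_RE = re.compile(
    r"^\s*(Event ID|Date|Time|User Name|Logon Type|Source Network Address):\s*(.*?)\s*$",
    re.MULTILINE,
)


def make_event(event_id, when, user, logon_type, src):
    """Build one exported event record (constructed data for the example)."""
    return (
        "Event Type: Failure Audit\nEvent Source: Security\n"
        "Event Category: Logon/Logoff\nEvent ID: %d\nDate: %s\nTime: %s\n"
        "User: NT AUTHORITY\\SYSTEM\nComputer: TS01\nDescription:\nLogon Failure:\n"
        " Reason: Unknown user name or bad password\n User Name: %s\n Domain: TS01\n"
        " Logon Type: %d\n Logon Process: User32\n Authentication Package: Negotiate\n"
        " Workstation Name: TS01\n Source Network Address: %s\n Source Port: 1044\n"
    ) % (event_id, when.strftime("%m/%d/%Y"), when.strftime("%I:%M:%S %p"),
         user, logon_type, src)


def parse_event(text):
    """Pull the fields the detection needs out of one exported event."""
    fields = dict(FIELD_RE.findall(text))
    when = datetime.strptime(fields["Date"] + " " + fields["Time"], "%m/%d/%Y %I:%M:%S %p")
    return {
        "id": int(fields["Event ID"]),
        "when": when,
        "user": fields["User Name"],
        "logon_type": int(fields["Logon Type"]),
        "src": fields.get("Source Network Address", "-"),
    }


def detect_bursts(events, threshold=5, window=timedelta(minutes=2)):
    """One alert per (source, account) with >= threshold TS failures in any window."""
    times_by_key = defaultdict(list)
    for e in events:
        if e["id"] == 529 and e["logon_type"] == 10:
            times_by_key[(e["src"], e["user"])].append(e["when"])
    alerts = []
    for (src, user), times in times_by_key.items():
        times.sort()
        best = start = 0
        for end, t in enumerate(times):  # sliding window over the sorted times
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append({"src": src, "user": user, "failures_in_window": best,
                           "first": times[0], "last": times[-1]})
    return alerts


# Constructed sample: a 12-guess run against Administrator from 10.1.2.3,
# two ordinary typos by jsmith, and one console failure (type 2) to ignore.
_t0 = datetime(2004, 6, 17, 2, 31, 7)
SAMPLE_EVENTS = [parse_event(make_event(529, _t0 + timedelta(seconds=5 * i),
                                        "Administrator", 10, "10.1.2.3"))
                 for i in range(12)]
SAMPLE_EVENTS += [
    parse_event(make_event(529, _t0 + timedelta(minutes=1), "jsmith", 10, "10.1.2.9")),
    parse_event(make_event(529, _t0 + timedelta(minutes=3), "jsmith", 10, "10.1.2.9")),
    parse_event(make_event(529, _t0, "Administrator", 2, "-")),
]

if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_EVENTS):
        print(alert)
```

Key the alert on the account name in the event rather than on "Administrator" literally: the same post's UserDump walks SIDs, so a renamed built-in account is still found, and it is the renamed name that shows up in the 529 records.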

SQueaL v1.0
SQueaL is my new rogue SQL2000 server impersonator written under Linux using DilDog's most excellent TalkNTLM C++ code (the Telnet Server exploit) as a basis. Though the packet structures and NTLM negotiation between an MS client and SQL2000 are completely different than the standard NTLM authentication, and most parts of the code had to be completely rewritten for this to work, I must give credit to DilDog for making his code available. DBNETLIB supports NTLM authentication, and as shown in my presentations at Blackhat and Defcon (though my demo hosed up on me! Damn White Russians!) you can 'force' an MS client with DBNETLIB loaded (and guess what, it is on XP by default <bfg> ) to authenticate to you over port 1433. This guy will wait for a connection, negotiate NTLM authentication and parse out the plain-text username and domain, along with the NTLM response hash for your cracking pleasure. At some point, if I don't run out of Vodka, I'll try to duplicate SMBRelay-esque functionality to use the response to authenticate back to the client if 139/445 is open. I don't know how to do that yet, so I may be full of crap.
* 3/7/02 OK- Here it is. I have had mixed results in different environments with the tool. Sometimes it works, sometimes it doesn't. Here is the source, so you can all hack away at it and see how well you do. PLease let me know if you find something I need to know or if you have any ideas. Thanks.

Mutex v0.02 (~ 32k - author: Thor) (Link was broken, but fixed now 9/20/01)
Blaine Kubesh reported on a Security Focus list the fact that Nimda's execution relied upon a named mutex (MUTually EXclusive object) to run. Running a program that creates this named mutex first causes Nimda's load to fail (reportedly- I actually do not have the means to test it). Here it is; It is a simple console program that opens, creates the named mutex, and keeps running until you hit 'q' to close the handle and exit the program (leaving you exposed again). Note that this is ver 0.02, which fixed a problem where I named the handle, but did not actually name the mutex (Doh! Thanks to Jason Anderssen for bringing that to my attention.) Source code included (what little there is.)

URLScan DTS package v0.01 (~ 58k - author: Thor)
Microsoft's URLScan utility for IIS is great, but the urlscan.log file is pretty basic- URLScan only lets you log to a text file in a simple one-after-another appended manner, and only to a single file (no multiple files to break out week/month entries as IIS does).

This makes monitoring the entries in the log file difficult, which is a shame because it is good to see what attempted URLs get filtered for incident response. To help with this, I have created a DTS package that runs on SQL2000 to automatically do the following:

1) FTP the urlscan.log file to a temp dir on the SQLServer (this way, you don't have to stop IIS).
2) Parse out the date, time, IP address (if available) and the URL that was filtered and post to a temp table.
3) Select only the entries for the previous day, and post those to the warehouse table.

The urlscan.log file just keeps getting bigger and bigger, so at some point, you'll want to stop IIS and delete that guy. The nice thing about loading it into a temp table first is that you can ensure that only the day-by-day entries get posted into the warehouse table.

For each server you want to pull data from, just add another package and schedule execution appropriately- the current setup is designed for sequential downloads from multiple servers; in other words, you should only do one at a time, and give adequate time between schedules for each to execute- make sure you execute them after midnight so that all the entries for the day will be included.

If you want to pull multiple server asynchronously, you can customize each package to use a different temp file name and then all at the same time... Whatever you want to do. I am making the assumption that you have some idea how to use and configure DTS packages.

You only need to do 2 things to the package for it to work with your server:
1) Change the properties of the FTP task to point to your web server, and make sure you select the urlscan.log file to get downloaded. The default dir on the server is C:\TEMP.
2) In the last SQL Task that posts data from the tmpURLScan table to the real URLScan table, change the text string from 'SERVER' to the name of your server.
Note that this assumes you have a DB named IISLogs; you can change it to whatever you want, but know that you need to check for that in the data pump tasks.

This way, you end up with a great way to sort, retrieve, group and report on data in the log files.

A note about FTP server setup:
On the web server that you want to pull data from, just create a new FTP site that points to the directory containing the urlscan.log file. For security purposes, it should be read only, and limited to your internal IP addresses. I created a new user specifically for this purpose that only has read permissions to the URLSCAN.LOG file, with specific deny permissions on the rest of the files- you can never be too safe- the real reason I deny access on the other files is that would not want someone internally to be able to sniff the creds, FTP in, and look at my URLSCAN.INI file to see exactly what I had configured.
Good luck!
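The parsing step of that package, as an added Python example (not Thor's DTS package): it pulls date, time, client IP (when present), rejection reason and raw URL out of each urlscan.log line, keeps only the previous day's entries the way the package's warehouse load does, and summarises them by client and URL. Because it runs where the log lives there is no FTP account or credential to sniff. The sample lines are constructed to follow the `[MM-DD-YYYY - HH:MM:SS] Client at <ip>: <reason>  Site Instance='<n>', Raw URL='<url>'` layout of urlscan.log; the reason wording varies between URLScan versions, so check LINE_RE against a real log before scheduling it.

```python
"""Parse urlscan.log into previous-day records for incident response.

Added Python example, not Thor's DTS package: the same three steps the
package performs (parse date, time, client IP if present, rejection reason
and raw URL; keep only the previous day's entries; load them for reporting),
done in place on the web server so no FTP account is involved. The log
lines below are constructed to follow the one-entry-per-line layout of
urlscan.log; the reason wording differs between URLScan versions, so check
LINE_RE against a real log first.
"""
from collections import Counter
from datetime import date, datetime, timedelta
import re

SAMPLE_LOG = """\
[06-16-2004 - 00:00:03] URLScan will return the following URL for rejected requests: "/<Rejected-By-UrlScan>"
[06-16-2004 - 02:31:07] Client at 10.1.2.3: URL contains sequence '..', which is disallowed. Request will be rejected.  Site Instance='1', Raw URL='/scripts/..%5c../winnt/system32/cmd.exe'
[06-16-2004 - 02:31:08] Client at 10.1.2.3: URL contains extension '.exe', which is disallowed. Request will be rejected.  Site Instance='1', Raw URL='/scripts/cmd.exe'
[06-16-2004 - 02:31:09] Client at 10.1.2.3: URL normalization was not complete after one pass. Request will be rejected.  Site Instance='1', Raw URL='/scripts/..%255c..%255cwinnt/system32/cmd.exe'
[06-16-2004 - 14:05:44] Client at 192.168.5.20: URL contains extension '.ida', which is disallowed. Request will be rejected.  Site Instance='1', Raw URL='/default.ida'
[06-17-2004 - 01:12:00] Client at 10.1.2.3: URL contains extension '.exe', which is disallowed. Request will be rejected.  Site Instance='1', Raw URL='/scripts/cmd.exe'
"""

LINE_RE = re.compile(
    r"^\[(?P<date>\d{2}-\d{2}-\d{4}) - (?P<time>\d{2}:\d{2}:\d{2})\]\s+"
    r"(?:Client at (?P<ip>[0-9.]+):\s+)?"      # absent on URLScan's own status lines
    r"(?P<reason>.*?)"
    r"(?:\s+Site Instance='(?P<site>\d+)',)?"
    r"(?:\s+Raw URL='(?P<url>[^']*)')?\s*$"
)


def parse_log(text):
    """One dict per log line; lines that do not fit the layout are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a real run should count these so a format change is noticed
        records.append({
            "when": datetime.strptime(m.group("date") + " " + m.group("time"),
                                      "%m-%d-%Y %H:%M:%S"),
            "ip": m.group("ip"),
            "site": m.group("site"),
            "reason": m.group("reason"),
            "url": m.group("url"),
        })
    return records


def entries_for_day(records, day):
    """Only the entries stamped on the given calendar day."""
    return [r for r in records if r["when"].date() == day]


def previous_day(records, today):
    """The package's warehouse rule: load yesterday's entries after midnight."""
    return entries_for_day(records, today - timedelta(days=1))


def summarise(records):
    """Counts by client, URL and reason; status lines without a client are left out."""
    return {
        "by_ip": Counter(r["ip"] for r in records if r["ip"]),
        "by_url": Counter(r["url"] for r in records if r["url"]),
        "by_reason": Counter(r["reason"] for r in records if r["ip"]),
    }


if __name__ == "__main__":
    recs = previous_day(parse_log(SAMPLE_LOG), date(2004, 6, 17))
    for name, counter in summarise(recs).items():
        print(name, counter.most_common(3))
```

If the log still has to travel over FTP as in the package, the read-only account and source-address restriction described above are the minimum; the entries themselves reveal what the filter blocks and therefore what it does not.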

Win2k3 needs a service fast

Extreme opinions, or not?

Win2k3 needs a service fast
Practically useless say users
By Nick Farrell: Thursday 17 June 2004, 10:12

NETWORK MANAGERS are starting to wonder if Microsoft is ignoring them when it comes to servicing Win2k3. While most of the media attention is focused on the latest service pack for Windows, some readers are tearing out their hair, provided they have hair, and stamping on their rabbits, over the state of Win2k3.

One INQ reader who is in charge of a large network roll-out for a bank in Estonia said that the process had uncovered so many bugs in the O/S that he had to downgrade the entire project to the venerable Win2k. "Win server cannot operate on a DC as there are authentication errors, this is frequently also true for member servers," he said.

Among the list of about a dozen faults found are the fact that the Dynamic Host Configuration Protocol cannot operate on a DC as there are authentication errors. Terminal Server Manager can only manage the local server, not other terminal servers. Win2k3 terminal services have a number of significant performance issues. There is an unexplained system slowdown and https web availability is intermittent.

"The LPD service does not accept jobs, because it considers them improperly formatted. Visual Source Safe refuses to work with Legato Networker backup. The vss bug list is VERY Long," he claimed.

To be fair to Microsoft, it has released patches for most of the bugs that his company found, but that involved calling VoleSupport and paying its online support fees, he added. "At the moment, until a service pack is released, I can not recommend win2k3 for anything more than file and DC services. For all else, use win2k," he said.

Other users who have contacted INQ have said that a simple roll-out takes a long time with no service pack. "What encouragement have I got to upgrade from Win2k3?" wrote another reader. "Win2k is working fine and with no guarantee of a SP1 date there is a huge risk in upgrading."

But according to a SpokesVole, Microsoft has no plans to release SP for win2k3 until "much later in the year". Its targeted release date was supposed to be last year, and some thought it would be here by Easter. Now it seems Vole has not even got an accurate guess to give customers. µ

IBM brings grid to software vendors

InfoWorld: Seven independent software vendors (ISVs), including Citrix Systems Inc. and Cognos Inc., have been the first to take advantage of an IBM Corp. program designed to help bridge the gap between commercial software vendors and the world of grid computing. ... Citrix, for example, used the program to extend the load balancing capabilities of its MetaFrame software using IBM's Tivoli Orchestrator product. With the new grid-enabled MetaFrame, customers can tell the software to automatically add new servers to run the application, whenever it is being heavily used. "What this integrated service does is it effectively automates the process," said Chris Fleck, managing director of strategic alliances with Citrix. ...
[Via Thin Computing Times] Great opportunities are opening up.

2004-06-16

So What Is New In XP SP2 RC2?

Microsoft hasn't said much publicly, in terms of the feature tweaks it made between the March Release Candidate (RC) 1 beta of Windows XP Service Pack 2 and the RC2 variant that it made available for download this week. But the company now is confirming our short list of tweaks published earlier this year is accurate.
[Via Microsoft Watch from Mary Jo Foley]

Microsoft Virtual Server 2005, Enterprise Edition, Release Candidate

download page ... Important: This release candidate software expires January 1, 2005. An end-user license agreement (EULA) is required for its use, which you can download using the link to the right. The Virtual Server 2005 RC software is intended for evaluation purposes only and may not be used in a production environment.

The following items are included in the release candidate download:
• Virtual Server 2005, Enterprise Edition
• Getting Started Guide
• Virtual Server Administrator's Guide
• Virtual Server Programmer's Guide
• Release Notes
...

Requirements
• Minimum CPU speed: 550 MHz or faster; 1.0 GHz or faster recommended
• Processor: computer with up to 32 physical processors; Celeron, Pentium III, Pentium 4, Xeon, Opteron, Athlon or Duron processor required
• Memory: 256 MB minimum; additional memory needed for each guest operating system
• Hard disk: 2 gigabytes (GB) of available hard-disk space; additional disk space needed for each guest operating system
• Display: Super VGA (800 × 600) or higher resolution recommended
• Host operating system: Windows Server 2003, Standard Edition*; Windows Server 2003, Enterprise Edition*; Windows Server 2003, Datacenter Edition*; Windows Server Small Business Server 2003, Standard Edition*; Windows Server Small Business Server 2003, Premium Edition*; Windows XP Professional (for non-production use only)

Terminal Services Tools from Matthew Harris MVP

Every TS administrator must have these things.

Matthew Harris' Resume Hacks
• Disable the X box on the Terminal Services Client
• Change the client version of the Terminal Services Client
• Add the clock to the taskbar through the registry
• Make all processes appear in the Task Manager through a registry hack
• Prevent disconnects and stabilize your terminal services connection
• Fix your TSAdmin application when it becomes nonfunctional on the taskbar
• Disable/Enable all terminal services logons through the registry

Scripts
• Restrict users to one session and reconnect them
• Share the redirected printer automatically
• Map your client's printer to an LPT port
• Rename client redirected printers
• Restrict users to only one terminal services session
• Automatically connect disconnected users back to their sessions
• Force software license compliance through a script
• How to reset all your TS sessions at once

Hard to Diagnose Problems
• Incorrect IE permissions can disable opening new IE windows

Microsoft AppLocale Utility

Run legacy applications without changing the language of non-Unicode applications (system locale). Microsoft AppLocale Utility. It looks like a suitable tool, although it could not cope with the NBG Clean Registry™ 1.8.3.2018 RUS version, but it did with w.bloggar v3.03.

2004-06-15

Free terminal server tools

Have a look at the systemtools.com website!

• SystemTools TScmd - Developed by SystemTools. A command-line utility to set terminal server user settings. All eighteen (18) terminal server settings can be set. Includes documentation in readme.txt file.
• Password Age - Password Age (formerly "machines"). Displays the age of the password for user and computer accounts. For computer accounts, this information can be used to determine if the computer is no longer being used. For users, it can be used to determine which accounts are not being used or have expired.
• CopyPwd - Developed by SystemTools. CopyPwd is a command-line utility that allows copying any number of user or computer account passwords from one computer to another, including domain accounts. CopyPwd can copy the passwords to/from any Windows NT or Windows 2000 computer. Full documentation and source code (under GNU licensing) is included.
• SystemTools Remote Control Manager (STRCM) - Developed by SystemTools. The STRCM helps in the installation, configuration, access, and uninstallation of remote control software products. Available either standalone or integrated into Hyena v4.3. Full source code is also provided, under GNU licensing.
• SystemTools RenameUser - Developed by SystemTools. A command-line utility to rename Windows NT user accounts from the command line. Generally, this utility should NOT be used under Windows 2000.
• LPRman - Utility that allows remote creation and management of LPR ports.
• Exporter [tm] - Developed by SystemTools. Exporter is a standalone command-line utility for exporting users, groups, group members, services, computers, shares, disk space, and printers (in any combination) from any or all computers on any Windows NT/Windows 2000 domain. Includes online .HLP documentation file.
• SystemTools NTconnect - Developed by SystemTools. Utility for creating a NetWare-like login script, allowing commands for connecting drives and printers to be executed conditionally based on user and/or group membership. Also supports program execution and registry modification. Includes Help file and examples. NOTE: This utility will only run on NT clients; it will NOT run on Windows 9x clients.
• SystemTools Logoff - Developed by SystemTools. This utility (15kb) logs off the current session. Includes source code and comments.
• DumpSec, DumpReg, DumpEvt - Must-have products from Somarsoft, Inc. to dump NTFS permissions, user information, event logs, and registry information. DumpSec (formerly known as DumpAcl) also dumps out the users' last logon information. These utilities are now maintained by SystemTools. Updated: DumpSec has been updated to v2.8.2; this new revision now recognizes and reports new Windows 2000 inherited ACLs correctly.
• NetUsers - A command-line utility to view the locally logged on users on a specified computer. Can be used to show the current interactive users, or a list of all users to ever log on through the computer. Use /? to view syntax.
• NetView - A command-line version of Network Neighborhood or Net View, which supports filtering of specific types of computers returned (SQL, workstations only, etc.). Use /? to view syntax.
• Win Info - A nice utility showing information about your NT installation including: version, build number, installation date, and whether it is a full or time limited version.