HOWTO Video: Account auditing for group membership changes

On one of the mailing lists I monitor I noticed many of the SMB admins do not know how to do account auditing. This is quite surprising to me, as I thought it was a given.

To help with this, for those that DON'T know how to do auditing, I have just did a quick 6min screencast to help you along. You can check it out at:

http://silverstr.ufies.org/AccountAuditing/AccountAuditing.htm

The video will show you how to quickly configure account auditing using the domain security policy and then use free Microsoft tools like EventCombMT to quickly query across all your servers in your domain looking for critical events like 660 (user added to a security group) and 661 (a user removed from a security group). From there... the world is in your hands. You can easily cross query looking for specific accounts etc to accomplish EXACTLY the kind of auditing we are talking about.

The security already exists in the system. You just need to learn how to use it. Hope the video helps.

Careful about the analysis you read about MS08-067

So unless you have lived under a rock since Tuesday, you know about MS08-067. It is a out-of-band security bulletin about a vulnerability in the Server Service that will allow complete code execution from a remote attacker. It's rather nasty. And there are PoC trojans and worms already in the wild.

But I don't want to talk about the vulnerability. Everybody in the world has been doing that. I want to talk about the ANALYSIS of it.

First off, there is some GREAT SDL analysis from Michael Howard over on the SDL blog. (You can read it here) Michael poses the question why SDL didn't catch this, and goes into detail discussing what mitigating circumstances exist around the code analysis... and how SDL DID work here. It's a great read.

What is MORE concerning to me though is some of the poor analysis. Jesper and I were looking at some decompiled code Alexander Sotirov released and it is apparent that there is some small but CRITICAL errors in his deciphering of the code. As an example, there is one block which reads:

while (*p != L'\\' || *p != L'/')
{
     if (*p == L'\0')
           return 0;
     p++;
}

It took me a few times looking at that code to realize that it is quite possible that the loop would cause the function to bail out way before it could get to the real meat of MS08-067, because the loop always results to TRUE. After looking further at the comments in the code and completing a truth table, it was clear to Jesper and I that this code seems suspicious... to many faults and a coding style that simply isn't how Microsoft writes code. BTW, if you don't see the problem with the loop, realize that it should be an AND, not an OR. A path of '\\server' will always bail. If this simple issue was wrong in the decompile, what else could be wrong?

Anyways, to confirm the code was questionable I loaded netapi32.dll into IDA Pro (god I love that tool) and broke it down to check. Sure enough... that code analysis was NOT correct. In a few places.

Lesson to learn here is that on the Internet, everyone has a voice. What you choose to believe is really up to you. But don't believe all the analysis out there. It simply isn't correct.

MS08-067 is bad. Patch NOW. Leave the code analysis to us. :)

Top 10 WOW Features on SBS 2008 which will make me switch from SBS 2003

SBS 2008 is an interesting beast. For some time now I have stated that I didn't feel there was an "WOW factor" in the product; SBS 2003 is just too damn good and there was no compelling reason to switch.

So last week while attending some deep dive training at Microsoft on the latest SBS 2008, I started to realize that I was wrong. There may not be a lot of SBS specific things that make a difference, but there is PLENTY of WOW in the product suite. So much so, that I am DEFINITELY upgrading.

Throughout the process, I started making a list of what I thought would really impact me and my business. And I promised my Microsoft MVP peers at the training that I would share them with the world, but only if some of them did so as well.

So to start the chain off, here are the "Top 10 WOW Features on SBS 2008 which will make me switch from SBS 2003", in no particular order:

1. Exchange "rooms" and "equipment" mailboxes for calendar and scheduling. What a neat feature in Exchange 2007. One of the problems in my office is double booking the board room, the projector, Virtual Server time etc. Now we can control that through the scheduling in Exchange 2007. When we need a room or some equipment, we can check the schedule right in our calendar, and it will show up as a "Required Resource"!
   
2. TS Remote Apps through RWW. With SBS 2008 Premium I can take advantage of the the terminal services infrastructure to deliver individual apps to my desktop ANYWHERE in the world, without having to worry about resource load, configuration conflict and what not. Even better, with RWW in SBS 2008, it becomes a link on the main page!! Talk about easy deployment and use.
   
3. Role based user templates to match our existing Corporate Security Policy. I own a company who focuses on security. It is nice to see that we can match the way SBS 2008 works with our existing workflow. Security in our office is defined by role and responsibility, and it aligns well with the user templates.
   
4. Directory level quotas and file screening with FSRM. This was just really cool to me. Quotas has existed before in R2, but it was typically defined by volume, NOT be user. And now I can use FSRM to further control WHAT sort of data can exist there. If I don't want to back up audio or video on a user's laptop, I can enforce such contols to limit our backup set. And since we do offsite backup which costs us by the MB, that will save me money. God I hate backing up iTunes libraries by accident on staff laptops and watching how expensive that gets.
   
5. Properly working Folder Redirection with offline syncing. Man I wish I had that recently. This week my laptop was toast, and I had to rebuild it. If I had folder redir with offline syncing, I wouldn't have lost as much data as I did. *sigh*
   
6. Ability to provide required TLS routed SMTP delivery in Exchange. Man I love this feature. In Exchange 2007 I can configure mail delivery DIRECTLY to a server if I like, and enforce SSL encryption when it occurs. So if I want to exchange a secure message between Microsoft and our office, I can do that... and KNOW no one will be sniffing the mail on the wire.
   
7. Sharepoint Wikis! Holy COW! Sharepoint's new Wiki feature is EXACTLY what we need in our office for centralized knowledge transfer. I can't WAIT to have staff work with me to move all our documented workflow directly into Sharepoint. Our current way with word documents has been cludgy, slow and prone to problems with multiple versions, ESPECIALLY with .docx files which are NOT natively supported on SBS 2003 Sharepoint. That is all going to go away with this new Sharepoint system. And better yet, no complex WIKI codes to worry about... a WYSIWYG editor built right in!!!
   
8. Modular Group Policy Preferences that follow users instead of logon scripts. One of the limitations with logon scripts is they trigger UAC prompts on Vista. And batch scripting is inefficient. In comes group policy preferences. To be honest, I don't know what the actual name of this feature is... but it is wickedly cool as it will follow you where ever you login, and "just work" with Vista. That will make things like mapping drives, configuring settings and what not just work on Vista. And thats a good thing.
   
9. SBS 2008 is officially supported in HyperV. SBS 2008 is the first iteration of the product that is fully supported by Microsoft virtualized. That will save us money on resources, power/energy consumption and make it easy to move across hardware platforms without worrying about affecting our servers. This gives us growth potential without killing our IT budget.
   
10. Built in Windows Deployment Services for mass client machine rebuilds. After having to rebuild my laptop in the field after a crash, I realized how bad I need Deployment services. Microsoft's "light touch" options to allow me to pixie/pe boot a machine and suck across and install default WIM images from a WDS server (built into SBS 2008) makes hardware independant deployment a BREEZE.
    

Over all, these 10 features make me realize the business benefits of SBS 2008. The WOW is the fact everything works together with refreshed code (Windows Server 2008, Exchange 2007, Sharepoint 2007, SQL 2008, etc) and will make our business IT infrastructure more streamlined, cost-effective, and in line with our business processes in the office. Many small pain points will be solved, and I believe we will see real returns in how more productive we can be in the face of system rebuilds, better information storage controls and backups.

So I will be upgrading to SBS 2008 when I can. Will you? If so, what's your top 10 reasons to do so? Blog it, and then leave me a comment here.