David Overton's Blog and Discussion Site
This site is my way to share my views and general business and IT information with you about Microsoft, IT solutions for ISVs, technologists and businesses, large and small.  

  • Windows Intune and firewalls / proxies

    We had this question circulate around at work, so I wanted to share.  Windows Intune needs access to the internet.  This means that the services need unhindered access to the internet.  While for most of us, once we are connected, we are connected, some firewall / proxy devices require extra information to be entered into a browser and this is something that Windows Intune cannot deal with. Luckily, Richard at Windows Intunepedia has written about this, and quite some time ago.  The key elements are: Ports 80,443 will be needed for outgoing communications and the firewall / proxy must be as follows: If the client computers exist behind an authenticating proxy server, you must configure the proxy server as follows: 1. Confirm that the proxy server supports HTTP and HTTPS. 2. Enable either Non-auth or Negotiate (Kerberos) authentication methods on the proxy. If your proxy server is using the Negotiate (Kerberos) authentication method then you must configure it to allow authentication using computer...
  • Windows Intune Case Study - Ontario Systems, helping to prove Card Industry (PCI) Data Security Standard certification PC update reporting

    Ontario Systems is a larger Windows Intune reference with 350 employee PCs to manage. They needed a better way to manage mobile computers and Windows Intune was the answer to their problems as it enabled them to manage these computers providing they were connected to the Internet and verify this management to enable PCI certification. The two most notable benefits (besides saving money) were: More control, better insight. With the ability to monitor PCs, distribute software and updates, and perform remote tasks from a single console, Ontario Systems has more control and better insight into its PC environment. The IT department will save up to an hour each time it delivers the software updates that employees need to work productively and securely. “Being able to use Windows Intune to issue a security update or remotely initiate a malware scan without interrupting our employees’ workday saves time for the IT staff and helps avoid hours of PC down time,” says Hughes. Better security compliance. By using Windows...
  • How to get SBS 2008 to "fix" managing WSUS after you have manually upset it

    Today's post covers what to do when SBS says it no longer can change the WSUS settings from the console.  The exact message is "Windows Small Business Server Update Service is not running because it automatically turns off if you customize Windows Server Update Services (WSUS)". One way round this problem is to manually change all the settings in the WSUS console (from Administrator Tools, select Microsoft Windows Update Services 3.0 SP1) and change the settings as per instructions found at http://blogs.technet.com/sbs/archive/2006/07/13/441594.aspx .  I'm a sort of "quick fix" kind of guy, so the easier way is to go to the same tool, but then run the wizard.  The steps are: Start the Wizard   Click through the first two screens and set the updates to come from Microsoft Update Configure the proxy if required and press next.  Then press Start Connecting.  When done, press Next again. Select the language(s) you want to download Make sure "All Products"...
  • How to encrypt backups and optionally the system disks on Windows Server 2008 and SBS 2008 and Windows Vista too

    Hi, someone asked in the forums if the backups on SBS 2008 and Windows Server 2008 were encrypted and the answer is no, even if the drives being backed up are BitLocker protected (more details here). However you can get encrypted backups with a bit of effort. To do this you will need to at least BitLocker enable your removable drives and optionally your system disk. I used the information at http://blogs.msdn.com/askdavid/archive/2007/06/08/enabling-bitlocker-on-removable-drives-usb-flash-drives-usb-hard-drives.aspx as a guide to putting together what I needed to do, so many thanks David Chandra for this. This same process can also be used on Windows Vista. There are a couple of snags however and you need to work out which scenario you wish to have (if you have a TPM chip then option 2 & 3 can be replaced with entering a key into the TPM prompt): encrypt just the backup disks you will need to run a script each time a volume is added back to the system encrypt the system disk and the backup disks and you...
  • SBS 2008 Forefront Virus protection for e-mail Errors or Warnings - “At least one of the engines enabled for update has not been updated in the last week” – how to solve

    My SBS 2008 installation is pretty good, but one area I’ve noticed some problems was with ForeFront. I either had errors or at best warnings all the time about the scan engines. I would go and hit a manual update, but the bar would be 30-90% across and suddenly stop. When I looked in the event log I could see errors like these below. Searching the internet delivered me the KB article http://support.microsoft.com/kb/939411/en-us which talks about timeout issues, however even with the recommended change things did not resolve themselves. Source: GetEngineFiles Event ID: 6014 Level: Error Description: Microsoft Forefront Server Security encountered an error while performing a scan engine update. Scan Engine: AhnLab Update Path: http://forefrontdl.microsoft.com/server/scanengineupdate/x86/AhnLab Proxy Settings: Disabled Error Code: 0xC0001F58 Description: The operation timed out. Source: Microsoft Forefront Security Event ID: 7003 Level: Warning Description: Not all of the selected engines enabled for updates...
  • Internet Explorer security vulnerability fix now available – think of it as an early Christmas present… now about Firefox’s 3 issues this week…

    I think everyone knows that an urgent security issue has arisen in IE this week and Microsoft has taken the (wise) decision to publish a fix outside the normal 2nd Tuesday release cycle. Some have said switch browser because of this issue, but not only can that be complex, but most browsers suffer security issues so once again the only real protection is to wrap in cotton wool and hide. Or, use the built in features of Vista and IE7/8 which means protected mode and NOT running as admin. You might ask why a Christmas present? Well, if this continued un-patched then your information is seriously at risk and that would make for a very bad Christmas if your credit card information was stolen!! Either way, if you have IE on your systems then you will need to update your systems urgently. Of course, my Hyper-V server (or Windows Core for that matter) don’t have IE, so no updates for them!!! Just for completeness, here is the information from the Technet newsletter Internet Explorer Security Update I wanted to...
  • Invalid certificate issued to localhost.localdomain when remotely accessing SBS 2008 from a Windows PC

    This is another question I was recently asked. One particular user noticed that the certificate they saw when accessing their server from the internet did not match that when accessing from the LAN. The certificate looked something like this: This was a little strange as when the system was accessed from the intranet, all things appeared fine. The culprit for them was the SBS 2003 self signed certificate on the same machine. By removing the certificate and then installing the correct new one things got better. To remove the old certificate, start MMC.exe and accept the UAC prompt. Now press Ctrl+M to add a new snap-in and select Certificates and when asked, add for the user account. Then do the same again, but select Certificates and Computer Account and hit OK to accept the current computer. Now expand out Personal Certificates and remove any SBS 2003 self signed certificates. To load the new certificates open a browser inside your SBS 2008 network and point to http://companyweb/Lists/Announcements/DispForm.aspx...
  • Important Microsoft security update – update your machines now!

    DavidOverton.com rebooted today due to an emergency security update – an “out of band” release from the normal “patch Tuesday” process.  It is worth considering updating and rebooting your computers and servers asap.  More information on this can be found at http://www.microsoft.com/technet/security/bulletin/MS08-067.mspx .  Impacted systems below:

    Operating System | Maximum Security Impact | Aggregate Severity Rating | Bulletins Replaced by this Update
    Microsoft Windows 2000 Service Pack 4 | Remote Code Execution | Critical | MS06-040
    Windows XP Service Pack 2 | Remote Code Execution | Critical | MS06-040
    Windows XP Service Pack 3 | Remote Code Execution | Critical | None
    Windows XP Professional x64 Edition | Remote Code Execution | Critical | MS06-040
    Windows XP Professional x64 Edition Service Pack 2 | Remote Code Execution | Critical | None
    Windows Server 2003 Service Pack 1 | Remote Code Execution | Critical | MS06-040
    Windows Server 2003 Service Pack 2 | Remote Code Execution | Critical | None
    Windows Server 2003 x64 Edition | Remote...
  • Configuring OneCare for Servers in SBS 2008

    The Console setup process ( Once SBS is set up, how to do the basic configuration through the management console ) sets up SBS 2008 for use. OneCare for Servers provides anti-malware capabilities and is an important part of the system integrity. SBS 2008 comes with a trial of OneCare and so far I’ve found it very effective. Setup today requires two updates that it downloads and applies itself: Notice that the initial configuration immediately informs you that you need to update Start the process, tell OneCare which country you are in and accept the EULA. The download starts, updates and finishes If you have an activation key, or wish to purchase one you carry on through the process, switching to a web site to complete the process Note, DO NOT try to activate your trial in the Technical Preview unless you have already been provided with a key If you have been going through the Console in order then this is it barring the enabling of Office Live. Finally, all the SBS 2008 entries can be found at http://davidoverton...
  • Why those Mac OS X vs Windows adverts are just so wrong … and so would the Linux vs Windows if they ran them

    What an amazing graphic … it talks about security issues and fixes. The nice “Apple” man seems to be hiding how many problems he has on his adverts :-) What is also interesting is how many issues are still being found on the various implementations of Linux. Obviously there is still more detail around this, so for the full rundown have a look at http://blogs.technet.com/security/archive/2008/01/23/download-windows-vista-one-year-vulnerability-report.aspx . ttfn David Technorati Tags: Apple , Microsoft , Redhat , Ubuntu , Security , Updates
  • How to get DNS and DHCP working on a Windows Server from behind the Windows Firewall

    I have a Windows Home Server at home and I decided I wanted it to be responsible for handing out DHCP and DNS addresses in the house. All very good, but when I set up the services none of it worked because of the built in Windows Firewall. While I could have just turned off the Firewall I decided to learn how to put the holes into the firewall to make it work with the firewall, thus maintaining better security. A quick search of the web showed me many settings, but it did not seem to cover the whole picture – then I came across the MS site Windows Firewall Settings which has things broken down into these four handy sections that shall for ever more be my guides to ports and firewalls in the Microsoft world. What is more, as you will see later, the tips in here as to how to get things working, getting over common hurdles is quite stunning too: Windows Firewall Settings: Optional Components Windows Firewall Settings: Remote Administration Tools Windows Firewall Settings: Server Roles Windows Firewall Settings: Services...
  • Understand the key security engineering activities that you need to be aware of in application development. Written by a Microsoft UK employee - "The Developer Highway code" as a download or a traditional book

    If you write code then you need to understand how to write secure code. If you want to understand how to write code that is secure by design then you need to seek the help of people who "have been there". Microsoft has helped thousands of people write applications that do not leak information and Paul's book has helped even more. The Developer Highway Code , written by Paul Maher of Microsoft, is a concise handbook that captures and summarises the key security engineering activities that should be an integral part of the software development process. This companion guide should be a must for any Developer, Architect, Tester etc. undertaking software development...The book is presented in easy to read checklist form, covering essential guidance on writing and releasing secure code. The book has been downloaded by over 100,000 people and over 20,000 actual books are out there ... and now it has been updated!! In case you are still not convinced, please read the following endorsements: “The developer...
  • Latest news, events and downloads in the Security world from Microsoft - Windows Server 2008, Mobile, employee habits, Antigen, IPSEC, ForeFront, NAP, XP Firewall, System Center

    Each month the TRM blog produces this great summary of the Microsoft world in various product areas. The blog can be found here http://blogs.technet.com/trm/ News Help your customers securely deploy Windows Server 2008 with the Windows Server 2008 Security Guide! http://go.microsoft.com/fwlink/?LinkId=92550 Every day, adversaries attempt to invade your customers’ networks and access their servers—to bring them down, infect them with viruses, or steal information about customers or employees. Your customers are looking to Microsoft and Windows Server® 2008 to help them address these threats. To assist customers in taking full advantage of the rich security features in Windows Server 2008, Microsoft has developed the Windows Server 2008 Security Guide. The Windows Server 2008 Security Guide provides IT professionals with best practices, predefined security templates, and an automated deployment tool to help strengthen the security of servers running Windows Server 2008. Supporting Your Family, Friends, and Neighbours...
  • Small Business Server 2008 (formerly known as Cougar) announcement

    Today is the start of the Server 2008 PR ramp up. I can today tell you a bit more about Cougar, as was, or SBS 2008 as it will be, the new "family" that SBS is part of and a bit more on Windows Essential Business Server 2008 (aka Centro). Hopefully there will be a couple of surprises and also confirmation of some of the rumours around there. I've sliced the press release made today into 3 sections. This blog entry is based on the SBS 2008 section of which there is an extract below of some key points. The whole press release can be found at http://www.microsoft.com/presspass/press/2008/feb08/02-20EBFamilyPR.mspx . Windows Small Business Server 2008 Multiplies Business Growth Windows Small Business Server 2008, previously known by the code name “Cougar,” is ideal for organizations with up to 50 PCs, helping them protect business data, expand business productivity and present a professional image to customers. The new version adds a range of features and capabilities to the current, award-winning Small...
  • Windows Essential Business Server announcement

    Today is the start of the Server 2008 PR ramp up. I can today tell you a bit more about Cougar, as was, or SBS 2008 as it will be, the new "family" that SBS is part of and a bit more on Windows Essential Business Server 2008 (aka Centro). Hopefully there will be a couple of surprises and also confirmation of some of the rumours around there. I've sliced the press release made today into 3 sections. This blog entry is based on the Essential Business Server 2008 section of which there is an extract below of some key points. The whole press release can be found at http://www.microsoft.com/presspass/press/2008/feb08/02-20EBFamilyPR.mspx . <snipped> Windows Essential Business Server 2008 for Midsize Companies Windows Essential Business Server 2008 is designed for the needs of midsize organizations with up to 250 desktops, helping IT professionals take control of their systems, reduce time spent “fighting fires” and focus more on strategic efforts to drive business growth. The solution includes built...
  • "Windows Essential Server Solutions family of products" announcement

    Today is the start of the Server 2008 PR ramp up. I can today tell you a bit more about Cougar, as was, or SBS 2008 as it will be, the new "family" that SBS is part of and a bit more on Windows Essential Business Server 2008 (aka Centro). Hopefully there will be a couple of surprises and also confirmation of some of the rumours around there. I've sliced the press release made today into 3 sections. This blog entry is based on the "family" section of which there is an extract below of some key points. The whole press release can be found at http://www.microsoft.com/presspass/press/2008/feb08/02-20EBFamilyPR.mspx . To help small and midsize organizations improve business efficiency, increase productivity and drive growth, Microsoft Corp. introduced the Windows Essential Server Solutions family of products, built on Windows Server 2008 and the newest Microsoft server technologies and services. The company also unveiled details about the newly named Windows Small Business Server 2008. The Windows...
  • Security Vulnerability Research & Defence blog - worth a read for sure - eg MS08-001 - The case of the Moderate, Important, and Critical network vulnerabilities

    My background covers security and I've started reading this blog ( Security Vulnerability Research & Defense ) - it is excellent and definitely worth a read to understand how vulnerabilities work and how to mitigate them!! MS08-001 - The case of the Moderate, Important, and Critical network vulnerabilities Security bulletin MS08-001 addresses vulnerabilities described by two separate CVE numbers, as you can see in the bulletin. This post provides an overview of the two issues, the affected platforms and notes on the severity. We’ll be following this post up with two further entries that look at each issue in more detail. CVE-2007-0066 describes a vulnerability in parsing ICMP router advertisement packets. These packets are not processed by default on any supported version of Windows. If a computer is configured to process router discovery protocol packets and encounters this type of malformed packet, the Windows kernel will bugcheck (blue screen of death) and reboot. A separate blog post goes into more...
  • Windows Small Business Server 2003 at risk from critical flaw

    Hopefully everyone has seen this, but if not: Windows Small Business Server at risk from critical flaw Microsoft initially omitted Small Business Server from its list of critically affected OSes, but is now offering patches via its automatic update services In an update to its MS08-001 security bulletin, Microsoft said that the latest release of Windows Small Business Server was also critically at risk from a bug in Windows' networking software. The flaw is also considered critical for Windows XP and Vista users. Microsoft did not say why it had initially omitted Small Business Server from its list of critically affected operating systems, but it said that the product's users were being offered patches via Microsoft's various automatic update services. "Customers with Windows Small Business Server 2003 Service Pack 2 should apply the update to remain secure," Microsoft said in its updated bulletin. The bug lies in the way Windows processes networking traffic that uses IGMP (Internet Group...
  • Make sure your Oracle based applications are being patched - it seems most don't bother! Then don't get complacent as 20% of Windows applications go un-patched too.

    It is funny. As people get more used to patching operating systems they seem to think that makes them bullet proof on the whole system, yet this is simply not the case. With Microsoft products people are used to patching them as needed to reduce the security risks on their systems. Others will cite that their systems are already secure and therefore don't need patching. I remember a few years ago watching the outcome of a Hackathon and the losing team lost not because of the OS security, but because of the application on top of it being unpatched and insecure. If you have an application that uses Oracle, check it is being patched and secured as in a single month Oracle have been known to release 40+ patches. Now before you go and pat yourself on the back for being so good at not having any Oracle systems, you might need to check your Windows applications are also patched. For the Windows patch story, look at One-fifth of Windows apps go unpatched - down from 28% last May, but still need to be careful Survey...
  • One-fifth of Windows apps go unpatched - down from 28% last May, but still need to be careful

    I like Secunia as an organisation. They present huge amounts of data that you can then pick into if you disagree with it. For example, ZDNet recently said that 2007 saw more serious security flaws for Apple OSX compared to Windows using the information provided by Secunia's web site. They also run a scan on people's PC to determine how good/bad they are and while things have improved - it is again too easy to be one of the people throwing things saying "I'm alright because I run Windows Update or applied Service Pack 1". One-fifth of Windows apps go unpatched Updates are available, but users haven't installed them, says Secunia December 28, 2007 (Computerworld) -- One in five applications installed on Windows PCs are missing security patches, a Copenhagen-based vulnerability tracker has reported. According to Secunia APS, more than 20% of the applications scanned by its Personal Software Inspector (PSI) utility were open to attack because available fixes for security flaws had not been...
  • Macworld - First Trojan reported for the iPhone

    Ahh, once again the joys of lessening the security on a device to enable modification or easier use shows its dark side. Once upon a time geeks could open and hack the software they bought and make their own world a better place. Now, more people do this without the knowledge of the risks they are taking or how to manage them. The result is that "other" things start to happen showing that the need for knowledge is even more important, especially with regard to security. First Trojan reported for the iPhone by Jim Dalrymple While not a huge risk, the first Trojan for the iPhone has been discovered. The first reports came from iPhone enthusiast site Modmyifone.com and were later confirmed by security research company F-Secure. <snipped> F-Secure reported that it was an 11-year-old kid playing with XML files who created the Trojan. “Next time it might be someone else with more skills and with specific target,” they said. Macworld | First Trojan reported for the iPhone ttfn David Technorati Tags: Security...
  • Windows Server 2003 is beginning to feel left behind with the arrival of Windows Server 2008 inside the Microsoft datacenter - fun videos to watch and learn a few reasons why to use Windows Server 2008

    I saw these and they just made me laugh while sharing a few things about WS2008 vs 2003. Unlike some "new and improved" washing powders, Windows Server 2003 is a good product, but some key areas have been improved to meet people's new and different needs, such as more security, sharing of information, web based applications, minimal systems and virtualisation. The blog entry (which was obviously written before RC1 appeared, but posted afterwards) can be found at Windows Server Division WebLog : About Lone Server . If you want some fun, skip the soapbox video and look at the long video from the blog / link below. About The Lone Server Once I was almost famous. For years, my friends and I were on the front lines: we were the Windows Server 2003 servers that powered Microsoft.com, one of the hottest Web sites in the world. Then, early last summer, everything changed. Quietly, without warning, the new kids took over. Windows Server 2008. Yes, I know, the product’s not even done yet. These were Beta 3...
  • How to Disable Internet features of Office 2007

    I saw this go around on a thread at work and I have seen it requested for those security conscious partners, so here is the answer (courtesy of Eric Ellis): 1) Via the Office Customisation Tool (OCT) and a custom MSP: — or — 2) Via Group Policy: The difference between the two is that using the OCT will preset the desired configuration during the initial installation (or in a maintenance mode change), but users can change the settings if they desire. Group policy enforces the desired configuration, and if a user makes a change to the setting, they will revert back to the settings defined in the policy during the next application session. ttfn David Technorati Tags: Office 2007 , Security , Internet , Group Policy , Office Customisation Tool , OCT
  • If you are a developer, what can Windows 2008 do for your developments... lots maybe

    Sorry to sound so vague, but I have to start by saying that Windows Server 2008 is a server platform, not a cure for cancer, so let's put it in perspective and set our expectations high, but not stupidly high expecting it to be a revolution. Server 2008 is a quality evolution of Windows Server 2003 and extends and enhances the Server 2003 offerings. However, if you plan on building applications for the future then Server 2008 will be the place to be. Microsoft have released a document called the "Windows Server 2008 Developer Story" that has a wealth of information on Server 2008 developer directions and how they combine to offer something greater than the sum of the parts. The download site describes itself as: Windows Server 2008 Developer Story An executable containing the Windows Server 2008 Developer Story The Windows Server 2008 Developer Story introduces users to new features of the Windows Server 2008 operating system by providing a cohesive story about how the features fit together to make a compelling...
  • Office 2007 SP1 is here and it does more than just update the desktop - SharePoint gets AJAX for example

    I'm sure you have heard that the Office 2007 Service Pack is here. Darren Strange has documented what is in it and how to get it at Office 2007 sp1 ready for download today and OfficeRocker! : More detail about sp1 . In answer to Susanne's post here, hopefully this post has some more info in it. One of the little things he puts that I like is: Some other factoids about sp1 There are roughly 2500 fixes in SP1. This is an average size for a service pack, but the issues fixed are very important to our customers. Almost 20% of those fixes are direct result of customer requests. Over 500 of those fixes focused on security. There are a total of 24 different releases in 38 languages. There are 683 distinct packages. All have released simultaneously today. If you get the whitepaper then you would be keen to see the information below. Notice that SharePoint gets, amongst other things, a developer update to support Ajax and that other server products (Groove and Project Server) are also updated. Stability Microsoft continues...

(c)David Overton 2006-17