Don’t overlook thrift stores when looking for software

Need a cheap copy of Windows or Office? Don’t need the newest, buggiest, clunkiest version?

Visit your local Salvation Army Thrift Store.

I was flipping through CDs at a Salvation Army store over the weekend. The software was mixed in with the music. I found several copies of Windows 95 and Windows NT 4.0, and numerous copies of Office 97, all marked at $3.

Windows 98 is probably more useful, which is probably why I didn’t find any copies of it. But NT4 is reasonably fast and stable (by Microsoft standards) as long as your hardware is supported.

Office 97, on the other hand, had all the major functionality of later versions but is a lot less CPU- and memory-intensive. Remember, when it came out, 133 MHz PCs were above average, and 32 MB of RAM was usually considered excessive.

Just make sure the disc is original, the right disc is in the case, and it includes the CD key. I found a number of odd things in Windows 95 CD cases–some more useful than Win95 and some a whole lot less. None of it would have mattered since they would have required a different CD key from the one on the jewel case.

And make sure that if you’re going to run this stuff and connect the computer to the Internet, you’re sitting behind a reasonably good firewall. A Linksys router or wireless access point is perfectly adequate for keeping unsolicited inbound connections off the machine. Microsoft no longer provides security fixes for this old software, so you’re more susceptible to attacks than someone running the latest and worst. Keep in mind what the router doesn’t do: it does nothing about what the machine fetches for itself. Browsing the web or opening e-mailed documents on an unpatched Windows 95 or NT4 box is where the real risk is (Office 97 macros were a classic malware vector), so keep such a machine away from untrusted sites and attachments.

I was definitely glad to stumble across a source of legal and useful commercial software. I know it’s just a matter of time before I’ll need it, and I’d much rather pay $3 for Office 97 than $300 for a newer version that didn’t really add anything useful besides ribbon toolbars, new Clippy animations, and a soundtrack by Robert Fripp.

Another meaningless security report…

So Symantec is saying that IE is more secure than Mozilla-based browsers because there were 25 security vulnerabilities disclosed in the first half of 2005 for Mozilla, as opposed to 13 for IE.

Such reports are fine for Clueless Information Officers. Let’s analyze this like someone who actually knows what to do with that thing that sits between your ears.

First and foremost, Mozilla lacks tight integration into the operating system, making it fundamentally less dangerous. Internet Explorer is wired into the Windows shell and hosts ActiveX controls, so a flaw in the browser has the run of the system. It’s like a bank that leaves its vault open after hours because it locked the front door. Since Mozilla lacks those ties that go directly into the operating system, it’s like a bank that locks the front door and the vault. The more locks the crook has to crack, the better.

Also, past performance isn’t necessarily an indication of future gains. People who invest know this all too well. Remember, the first half of 2005 was when Mozilla was seeing explosive growth. It was still a young product and had a lot of things to shake out.

But the potential is certainly there. Let’s look at Apache vs. IIS. You see fewer Apache vulnerabilities than IIS, even though Apache’s source code is visible for everyone to see, and even though Apache is a much larger market. Mozilla has this same potential.

In the meantime, Mozilla is still a minority browser. Since most hackers these days are motivated by profits, they’re going to do the same thing any other businessman does: Look for volume. Internet Explorer still has 12 times the exposure that Mozilla does. And Internet Explorer is often used in corporate environments, since many corporate intranets rely on IE-specific technology. That makes it an attractive target, since it’s easier to get through a browser than it is a corporate firewall. And once you do manage to get in, there’s a lot more good stuff inside a corporate LAN than there is inside a home LAN.

And by Symantec’s own admission, “at the time of writing, no widespread exploitation of any browser except Microsoft Internet Explorer has occurred.”

That tells us the Mozilla developers are working faster than the would-be Mozilla hackers, and it also suggests that hackers are looking harder at Internet Explorer.

Also, Symantec is being selective about the flaws it’s looking at. The article states that it only counts confirmed flaws. IE has 19 unconfirmed flaws versus 3 unconfirmed flaws for Mozilla. So IE has 19 unconfirmed and unfixed flaws plus 13 confirmed flaws, for a total of 32. Mozilla has 25 confirmed flaws plus 3 unconfirmed and unfixed, for a total of 28.

I don’t know about anyone else, but I’m more concerned about those unconfirmed and unfixed ones. As long as I’m running the current version of either browser, I’m protected against those 25 big bad flaws (for Mozilla) or the 13 (for IE) from earlier in the year. I can’t do anything about those 19 unfixed Internet Explorer flaws.

Frankly, I think Symantec is just trying to get a headline on a slow news day, and maybe trying to kiss up a bit to Microsoft, with whom it’s always had a very close relationship since Symantec traditionally has been willing to write the pieces of software that Microsoft for whatever reason doesn’t want to touch.

I’m sticking with Mozilla Firefox. Not only is it the safer browser when you look at the things that actually matter, it’s also the better one.

Punishing the curious for something that should have never happened

I saw a story on the news tonight about more than 100 students who won’t be getting into MBA programs. Why? When they applied to a number of prestigious universities, a posting on a bulletin board claimed to let them view their records and see if they were admitted or not.

It didn’t work for all of them. But those who tried to peek are being punished.

My question is why this information was on the public Internet to begin with. This is precisely what intranets are for: You put sensitive information on a web server behind a firewall. Then you define which computers, and which logged-in users, can see it. The rest of the world can’t access it because the firewall won’t let them in, not merely because they haven’t heard of it; when the only thing between an applicant and an admissions decision is knowing a URL, that’s an authorization failure, not a break-in. But those who are authorized to see it can see it, through the convenience of a web browser.

Leaving this kind of information on a web server that’s open to the public via the plain old Internet is akin to keeping student records, finals, and other sensitive information at the campus library. If it’s out where someone can see that it’s there–or might suspect it’s there–then someone’s going to look. It shouldn’t be there in the first place. I had professors who never kept tests in their office because some student at some point in time had broken in, hoping to get a preview of the final.
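To make the point concrete, here is an added illustration (not code from the original post, and not the software any of the schools ran) of the difference between a handler that serves a record to whoever knows its URL and one that ties the record to the authenticated applicant and to the release date. The applicants, identifiers and dates are constructed for the example.

```python
import datetime as dt
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample data: two fictional applicants and a fictional release date.
RELEASE_DATE = dt.date(2005, 3, 30)
BEFORE_RELEASE = dt.date(2005, 3, 2)
AFTER_RELEASE = dt.date(2005, 4, 1)


@dataclass(frozen=True)
class Application:
    applicant_id: str
    decision: str  # "admit" or "deny"


APPLICATIONS = {
    "1001": Application("1001", "admit"),
    "1002": Application("1002", "deny"),
}


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


def decision_by_id_insecure(requested_id: str) -> str:
    """The failure mode in the story: the handler behind a URL such as
    /status?id=1002 trusts the identifier in the URL and returns whatever
    record it names. No login, no ownership check, no release-date check."""
    app = APPLICATIONS.get(requested_id)
    if app is None:
        raise NotFound(requested_id)
    return app.decision


def decision_for_session(session_user: Optional[str], requested_id: str, today: dt.date) -> str:
    """Hardened handler. The three checks are independent and all required:
    1. the caller is authenticated;
    2. the record served is the caller's own (a foreign id in the URL is
       refused, not honoured);
    3. nobody, owner included, sees a decision before the release date."""
    if session_user is None:
        raise Forbidden("login required")
    if requested_id != session_user:
        raise Forbidden("record belongs to another applicant")
    if today < RELEASE_DATE:
        raise Forbidden("decisions are not released until %s" % RELEASE_DATE)
    app = APPLICATIONS.get(session_user)
    if app is None:
        raise NotFound(session_user)
    return app.decision


def attempt(handler: Callable[..., str], *args) -> str:
    """Run a handler and report either its decision or the name of the
    refusal, so the two handlers can be compared side by side."""
    try:
        return handler(*args)
    except (Forbidden, NotFound) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    # An anonymous visitor with a guessed URL: the insecure handler leaks.
    print("insecure, no login:   ", attempt(decision_by_id_insecure, "1002"))
    print("hardened, no login:   ", attempt(decision_for_session, None, "1002", AFTER_RELEASE))
    # Applicant 1001 asking for 1002's record.
    print("hardened, wrong owner:", attempt(decision_for_session, "1001", "1002", AFTER_RELEASE))
    # Applicant 1001 asking early for their own record.
    print("hardened, too early:  ", attempt(decision_for_session, "1001", "1001", BEFORE_RELEASE))
    # Applicant 1001 after release.
    print("hardened, released:   ", attempt(decision_for_session, "1001", "1001", AFTER_RELEASE))
```

The release-date check is the one that matters for the story: even a perfectly authenticated applicant should not be able to read a decision the school hasn’t published yet, so the record shouldn’t be reachable, by anyone, until that date.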

Punishing applicants for typing in a link that they figured wouldn’t work anyway accomplishes little or nothing, except to say that some of the nation’s finest universities have given no thought whatsoever to their computer security and network design.

I hope their graduates are smarter than the people who run the place. But that’s probably a given.

Fixing Backup Exec with Hisecweb installed

If you run your web servers on Windows under IIS, you’d better install the Hisecweb security template (Microsoft’s hisecweb.inf) unless you want to find yourself hosting a warez site.

But Hisecweb breaks Backup Exec. So what do you do when upgrading to Apache and Linux isn’t a solution?

The problem is that with Hisecweb applied, the system state (Shadow Copy Components on Windows Server 2003) and SQL Server no longer show up in the selection list. Not only do they not show up in the selection list, Backup Exec cannot find the resources. So backups fail, and if you have to restore from them, you won’t have the registry or a number of system files, which vastly reduces the value of your backup.

The solution is to tell Backup Exec not to use null sessions for those components; anonymous (null-session) access is one of the many things Hisecweb restricts. On the server being backed up, go into Services and stop the Backup Exec Remote Agent. Now, fire up Regedit. Navigate to HKLM\Software\Veritas\Backup Exec\Engine\NTFS and locate the value named Restrict Anonymous Support. Set it to 1. Close the registry editor and start the Backup Exec Remote Agent service again. Then run a test backup of the system state and verify it completes, rather than finding out at restore time.

SQL Server and the system state or shadow copy components should now show up in the selection list for the server you just changed.

This registry hack can also fix visibility problems when the two machines are on different sides of a firewall.

Freesco still works as a router/firewall in a pinch

I set up a Freesco box over the weekend. It makes less sense now that router/switch/firewall combos from the likes of Linksys sell for $50 than it did when they sold for $200, but if you’re long on unused PCs and short on cash, it still works.

My old walkthrough no longer applies directly to the current version 33, but if you’re reasonably technically competent it should get you on your way.

As far as what hardware to use, I had a Kingston 10 megabit (NE2000 clone) PCI card and a D-Link card based on a Realtek 8139 chipset. They worked fabulously. The 8139 is a workhorse; networking guru Donald Becker blasted it in print–it’s the only chipset I think he’s ever said anything bad about–but until you start routing between a 100-megabit network and a gigabit network you probably won’t notice, especially if you’re using a 200+ MHz machine as your router, which in these days of $30 Pentium II PCs, is likely.

All you need is a computer with 8 megs of RAM, two NICs, and a floppy drive. To make it easier on yourself, make sure it has PCI slots, use two PCI NICs, and have 16 megs of RAM or more. Since 32-meg sticks are useless to most people these days, they’re cheap.

I suspect that if you have a pile of unused hardware that you’re looking to turn into a router, chances are decent you have a pile of network cards in that stash. Try a few different PCI cards. Life sometimes goes a bit easier if the two cards have different chipsets on them, but it’s not usually necessary to mix it up.

Give yourself a time limit. Mess around with it for an hour. If you get frustrated after an hour, go out and buy a Linksys or a D-Link or a Netgear. If you don’t have it working after an hour but you’re fascinated and you’re learning a lot, then keep plugging away at it. The knowledge you’re gaining is worth more than 50 bucks.

Things to look for in a wireless router

It’s the time of year that a lot of people buy computer equipment, and wireless networking is one of the things people look for. But what things should be on the shopping list?

I was hoping you’d ask that question.

Compatibility with what you already have, if possible. Routers are available that speak 802.11a, 802.11b, 802.11g, or all three. If you already have some wireless equipment, look for something that can speak its language.

Cordless phone interference. 2.4 GHz cordless phones will interfere with 802.11b and 802.11g. 802.11a works at a different frequency, but it might be cheaper to replace your 2.4 GHz phone with a 900 MHz phone.

Speed. 802.11a and 802.11g operate at 54 Mbps, which is considerably nicer than 802.11b’s 11 Mbps, although both are much faster than current U.S. broadband connections, which tend to top out around 3 Mbps. If you move a lot of files around, you’ll appreciate the 54 Mbps speed. If your primary use of wireless is sharing an Internet connection and a printer or two, 802.11b is probably fast enough, and it’s usually cheaper, with the downside that it will be obsolete sooner.

802.11g is currently the most popular standard, because it gives 54 Mbps speed and offers compatibility with existing 802.11b equipment. Use this information as you will. If you’re of the security by obscurity mindset, 802.11a is a better choice, as a wardriver is more likely to be driving around with an 802.11b or 802.11g card; just don’t mistake that for protection against anyone looking for your network in particular. If you want to make sure your buddies can hook up when they come over, or you can hook up at your buddies’ places, 802.11g is the better choice.

Brand. Match the brands of router and cards, if at all possible. This makes configuration and security much simpler.

WPA. The encryption used by older standards, WEP, is not merely weak but broken: attacks on its use of RC4 recover the key from captured traffic, and a longer key (128-bit, or the 256-bit some vendors offer) only adds a little capture time. Use WPA wherever your hardware supports it, and treat WEP as the fallback for equipment that can’t. Whichever you use, change the SSID from the factory default, disable SSID broadcast, and hard-code your MAC addresses so that only your cards can use your router, understanding that these are speed bumps rather than locks (the SSID shows up in association traffic anyway, and MAC addresses are trivially cloned). They keep the casual freeloader off, which protects you from someone driving around your neighborhood with a laptop and using your Internet connection to send out spam or transfer illicit material that can be traced back to you. Do you want the RIAA suing you because someone used your Internet connection to download 400 gigs’ worth of boy-band MP3s off Kazaa? Worse yet, if that happens, word might get out that you like that stuff.

WPA adds the real layer of protection on top of these (which are standard issue by now). Rather than a single fixed key, it derives per-session keys and rotates the per-packet keys (TKIP), so the key-recovery attacks against WEP don’t apply. What it doesn’t do is make a weak passphrase strong: in home (WPA-PSK) mode the master key is derived from your passphrase and SSID, and anyone who captures one client’s association handshake can try passphrases offline as fast as their CPU allows. No special CPU power is needed to crack a passphrase that’s in a dictionary, and none is enough to crack a long random one. So get WPA, use it, and give it a passphrase of 20-odd random characters rather than a word; if the hardware offers WPA2 (AES), prefer that. This USRobotics whitepaper on security ought to be a must-read.
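To show why the passphrase is what matters, here is an added example (not from the original post, nor from any router vendor) of how WPA-PSK turns a passphrase into its 256-bit master key and how cheaply an offline dictionary attack recomputes that derivation per guess. The derivation is the one IEEE 802.11i specifies (PBKDF2-HMAC-SHA1, 4096 iterations, salted with the SSID), checked against the spec’s own test vector; the SSID, wordlist and target passphrases are constructed for the example.

```python
import hashlib
import hmac
from typing import Iterable, Optional, Tuple


def wpa_psk_pmk(passphrase: str, ssid: bytes) -> bytes:
    """WPA-PSK master key (PMK): PBKDF2-HMAC-SHA1 over the passphrase,
    salted with the SSID, 4096 iterations, 32 bytes of output."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), ssid, 4096, 32)


# Test vector published in the 802.11i specification: passphrase "password",
# SSID "IEEE". If this does not match, the derivation above is wrong.
SPEC_PMK_HEX = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"


def spec_vector_ok() -> bool:
    return wpa_psk_pmk("password", b"IEEE").hex() == SPEC_PMK_HEX


def dictionary_attack(target_pmk: bytes, ssid: bytes,
                      wordlist: Iterable[str]) -> Tuple[Optional[str], int]:
    """Offline guessing. A real attacker never holds the PMK itself; it
    captures a client's four-way handshake and checks each candidate against
    the MIC in that capture. The expensive step, one PBKDF2 derivation per
    guess, is identical, so comparing against the PMK shows the same cost.
    Returns (recovered passphrase or None, number of guesses made)."""
    tried = 0
    for word in wordlist:
        tried += 1
        if hmac.compare_digest(wpa_psk_pmk(word, ssid), target_pmk):
            return word, tried
    return None, tried


# Constructed example network and wordlist (not a real network or leak).
SSID = b"linksys"
WORDLIST = ["letmein", "password", "hunter2", "trustno1", "qwerty123"]
WEAK_PMK = wpa_psk_pmk("hunter2", SSID)
STRONG_PMK = wpa_psk_pmk("Xm7#vQ2pL9!eR4wT8nB", SSID)


if __name__ == "__main__":
    print("spec vector:", "ok" if spec_vector_ok() else "MISMATCH")
    print("weak passphrase:  ", dictionary_attack(WEAK_PMK, SSID, WORDLIST))
    print("strong passphrase:", dictionary_attack(STRONG_PMK, SSID, WORDLIST))
```

Two things to take from it. The SSID is the salt, which is why changing it from the factory default is worth doing: it defeats tables of precomputed keys for common SSIDs, though not a targeted attack. And the only variable the attacker can’t shortcut is how many guesses it takes, so a passphrase that isn’t in any wordlist is the whole defense.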

Built-in firewall with port forwarding. This is a standard feature on all brand-name units and ought to be on the off brands as well, but it doesn’t hurt to double check. The router’s firewall has two advantages over a software firewall on the PC: it doesn’t annoy you with popups, and it can’t be disabled by a malicious process on the machine it protects. It only sees traffic crossing the router, though, so it does nothing about a program on the inside phoning out or one PC attacking another on the LAN, which is the case for still running a software firewall on laptops that leave the house. Port forwarding is necessary for a lot of games, and also if you want to run your own mail or web server. Remember that every forwarded port puts that server on the Internet, so it has to be patched like one.

Hackability. By this I don’t mean the ability of an outsider to get in, I mean your ability to add capability to it. The Linksys WRT54G is based on Linux, so it has a big following with an underground community adding capabilities to it all the time. If you want to take advantage of this, look for a WRT54G or another device with a similar following.

Backup Exec misadventures

(Subtitle: My coworkers’ favorite new Dave Farquhar quote)

If your product isn’t suitable for use on production servers, then why didn’t you tell us that up front and save us all a lot of wasted time?

(To a Veritas Backup Exec support engineer when he insisted that I reboot four production web servers to see if that cleared up a backup problem.)

When I refused to reboot my production web servers, he actually gave me a bit of useful information. Since Veritas doesn’t tell you this anywhere on their Web site, I don’t feel bad at all about giving that information here.

When backing up through a firewall, you have to tell Backup Exec what ports to use. It defaults to ports in the 10,000 range. That’s changeable, but changing it through the user interface (Tools, Options, Network) doesn’t do it. It takes an act of Congress to get that information out of Veritas.

What Veritas doesn’t tell you is that the media server (the server with the tape drive) should talk on a different range of ports than the remote servers you’re backing up. While it can still work if you don’t, chances are you’ll get a conflict.

The other thing Veritas doesn’t tell you is that you need a minimum of two, and ideally four, ports per resource being backed up. So if the server has four drives and a system state, which isn’t unusual, that’s five resources: a minimum of 10 TCP ports to back it up, 20 by the four-per-resource rule, and a range of 40 leaves room to spare.

Oh, and one other thing: If anyone is using any other product to back up Windows servers, I would love to hear about it.

Squeezing some life out of an aging Windows 2000 PC

I can safely say I really did write the book on Windows optimization (Optimizing Windows for Games, Graphics and Multimedia, O’Reilly, 1999, ISBN 1565926773) but that was five years ago and covered Windows 95 and 98.

Windows 2000 and XP are a different animal, and are as similar to the obscure OS/2 operating system from IBM as they are to Windows 95/98.

Here’s what I did when my work computer slowed to the point that I could no longer do much work.

Clear some disk space. This is a biggie. NTFS, Windows’ file system, really doesn’t like it if the amount of free space on a disk drops below 15 percent: it fragments faster as it fills, and the built-in defragmenter won’t do a proper job below that line. That’s stupid, but it’s reality, and since I don’t have Mr. Gates’ phone number I can’t do much but live with it. I went to Start, Search, picked Files and Folders, typed *.* in the name field and Drive C in the Look in: field, then hit Search Now. When it finished, I clicked on the field that says Size, and scrolled all the way down. I found lots of big files I didn’t need. I found a mystery file that was 600 megs in size. A Google search revealed that some obscure application I had used once had created that file. That was nice of it. After five minutes’ work, I had freed almost a gigabyte of disk space.

Uninstall old printer drivers. I had a bunch of printer drivers installed for printers I don’t use anymore. They were taking up disk space and memory. I only have 192 megs of RAM and most of it was in use by the time the computer booted, before I’d even loaded any programs. That’s no good. So I removed the drivers for my girlfriend’s Epson color printer (in the Add/Remove Programs control panel) and then I went into Printers and deleted the network printers of old clients and other printers I can’t remember ever using (in most cases you can just delete the printer and it will offer to remove the drivers).

Stop unnecessary services. If you right-click on My Computer and hit Manage, then double-click on Services and Applications and then on Services, you’ll find all sorts of stuff that Windows runs just in case you need it. Most of it is necessary, but for me, several were just chewing up more RAM than I could afford.

Computer Browser. This service, despite what you hear elsewhere, has nothing to do with web browsing, My Network Places, or anything else useful. All it does is permit your computer to participate in browser elections. What are those? It’s a long story, but the gist of it is that on a Windows network, one computer gets to keep the list of computers on the network, and every time you turn a computer on, the computers running the Computer Browser service fight over who gets to keep that list. Sound useless? Unless you’re in an office network with a file server and a very small number of computers, it’s very useless. Most of the time it’s just chewing up between 2 and 8 megabytes of your precious RAM. Forget that.

HID Input Service (listed in the Services console as Human Interface Device Access). I plugged a USB mouse into this computer once and it loaded this. Next thing I knew, my available memory had dropped by 6 megabytes. Six megabytes! For a stupid mouse? I use a USB mouse occasionally, but not every day, and certainly not often enough to be able to afford dedicating 6 megs to something that sits there waiting for me to plug one in. I’d leave it if I had 512 megs of RAM but I didn’t, so I disabled it.

Automatic Updates and Background Intelligent Transfer Service. I keep Automatic Updates turned off because it doesn’t work with our firewall, but whether the option is turned on or off, these services are loaded and chewing up memory. So I disabled these services. I have mixed feelings on Automatic Update. If you can’t remember to visit the Windows Update site once a month, you should leave it turned on. But since it won’t work for me anyway, I have to leave it turned off, so I might as well recover the memory.

Remote Registry Service. This allows a network administrator to connect to your computer over the network and read or change its registry. In a home environment you won’t use this, and disabling it closes off one remote way into the machine. At work you’ll probably get your hand slapped if you disable it. It uses about a meg.

By trimming some of this dead wood, I was able to gain almost 32 megs of RAM.

Uninstall programs you’re not using anymore. I had several programs that I hadn’t used since Clinton was president that were taking up space on my drive, and some of them had been so nice as to install services that were running all the time and chomping some of my very scarce system RAM. Clearing those out gained me a couple hundred megs’ worth of disk space and nearly 20 megs of RAM.

Clear the browser cache. Internet Explorer keeps pieces of web sites on disk in case you ever visit them again, because it’s much faster than downloading them again. The problem is it does a terrible job of cleaning these up, so the result is you have, in all likelihood, tens of thousands of tiny files, if not hundreds of thousands, that you’ll never use again. Right-click your IE icon on the desktop, hit properties, and click Delete Files. You’ll save yourself some disk space, but more importantly, you’ll make this next step a lot faster and more effective.

Defrag. I used to be really good about defragmenting my drives but it looks like I’ve been lax lately because my C drive was in bad, bad shape. Go to Start, Programs, Accessories, System Tools and pick Disk Defragmenter. Run it once a month.

My drive, as it turned out, was hopelessly fragmented. The system was much peppier after I ran it.

I hope these steps will be helpful. It’s not as good as getting a new computer, but it’s much easier to live with now. If your system is bogged down, and like mine, it’s an old laptop that uses scarce and expensive memory and is out of slots anyway, this will make it easier to live with.

VMWare is in Microsoft’s sights

Microsoft has released its Virtual Server product, aimed at VMWare. Price is an aggressive $499.

I have mixed feelings about it.

VMWare is expensive, with a list price of about 8 times as much. But I’m still not terribly impressed.

For one, with VMWare ESX Server, you get everything you need, including a host OS. With Microsoft Virtual Server, you have to provide Windows Server 2003. By the time you do that, Virtual Server is about half the price of VMWare.

I think you can make up the rest of that difference very quickly on TCO. VMWare’s professional server products run on a Linux base that requires about 256 MB of overhead. Ever seen Windows Server 2003 on 256 megs of RAM? The CPU overhead of the VMWare host is also very low. When you size a VMWare server, you can pretty much go on a 1:1 basis. Add up the CPU speed and memory of the servers you’re consolidating, buy a server that size, put VMWare on it, and then move your servers to it. They’ll perform as well, if not a little bit better since at peak times they can steal some resources from an idle server.

Knowing Microsoft, I’d want to give myself at least half gig of RAM and at least half a gigahertz of CPU time for system overhead, minimum. Twice that is probably more realistic.

Like it or not, Linux is a reality these days. Linux is an outstanding choice for a lot of infrastructure-type servers like DHCP, DNS, Web services, mail services, spam filtering, and others, even if you want to maintain a mixed Linux/Windows environment. While Linux will run on MS Virtual Server’s virtual hardware and it’s only a matter of time before adjustments are made to Linux to make it run even better, there’s no official support for it. So PHBs will be more comfortable running their Linux-based VMs under VMWare than under Microsoft Virtual Server. (There’s always User-Mode Linux for Linux virtual hosts, but that will certainly be an under-the-radar installation in a lot of shops.)

While there have been a number of vulnerabilities in VMWare’s Linux host this year, the number is still lower than for Windows Server 2003. I’d rather take my virtual host server down once a quarter for patching than once a month.

I wouldn’t put either host OS on a public Internet address though. Either one needs to be protected behind a firewall, with its host IP address and management interface on a private network, to protect the host as much as possible. Remember, if the host is compromised, you stand to lose all of the servers on it.

The biggest place where Microsoft gives a price advantage is on the migration of existing servers. Microsoft’s migration tool is still in beta, but it’s free–at least for now. VMWare’s P2V Assistant costs a fortune. I was quoted $2,000 for the software and $8,000 for mandatory training, and that was to migrate 25 servers.

If your goal is to get those NT4 servers whose hardware is rapidly approaching the teenage years onto newer hardware with minimal disruption–every organization has those–then Virtual Server is a no-brainer. Buy a copy of Virtual Server and new, reliable server hardware, migrate those aging machines, and save a fortune on your maintenance contract.

I’m glad to see VMWare get some competition. I’ve found it to be a stable product once it’s set up, but the user interface leaves something to be desired. When I build or change a new virtual server, I find myself scratching my head whether certain options are under “Hardware” or under “Memory and Processors”. So it probably takes me twice as long to set up a virtual server as it ought to, but that’s still less time than it takes to spec and order a server, or, for that matter, to unbox a new physical server when it arrives.

On the other hand, I’ve seen what happens to Microsoft products once they feel like they have no real competition. Notice how quickly new, improved versions of Internet Explorer come out? And while Windows XP mostly works, when it fails, it usually fails spectacularly. And don’t even get me started on Office.

The pricing won’t stay the same either. While the price of hardware has come down, the price of Microsoft software hasn’t come down nearly as quickly, and in some cases has increased. That’s not because Microsoft is inherently ruthless or even evil (that’s another discussion), it’s because that’s what monopolies have to do to keep earnings at the level necessary to keep stockholders and the SEC happy. When you can’t grow your revenues by increasing your market share, you have to grow your revenues by raising prices. Watch Wal-Mart. Their behavior over the next couple of decades will closely mirror Microsoft’s. Since they have a bigger industry, they move more slowly. But that’s another discussion too.

The industry can’t afford to hand Microsoft another monopoly.

Some people will buy this product just because it’s from Microsoft. Others will buy it just because it’s cheaper. Since VMWare’s been around a good long while and is mature and stable and established as an industry standard, I hope that means it’ll stick around a while too, and come down in price.

But if you had told me 10 years ago that Novell Netware would have single-digit marketshare now, I wouldn’t have believed you. Then again, the market’s different in 2004 than it was in 1994.

I hope it’s different enough.

Basic Internet Explorer troubleshooting

I did a little moonlighting this past weekend fixing Internet Explorer for somebody. It’s been several years since I’ve used that web browser regularly, but if someone pays me to fix IE, then I fix IE.

The problem was that after he paid someone else to fix his spyware problems, IE quit displaying SSL (secure) sites. So much for online banking and bill paying.

So here are some simple things to try if IE breaks and switching to an alternative browser like Opera or Mozilla isn’t an option.

My guess is he got trigger happy with disabling stuff. IE was about as secure as it was going to get, but it was no longer useful as a web browser either. It was kind of like taking the tires off your car to keep it from getting in a wreck. The "Cannot display this page" page gave some troubleshooting information. It didn’t help. I searched Google for information. There were some suggestions of things to enable. It didn’t help.

So I figured I’d just download IE6 and see if running the installation program would give me an option to do a repair install. No dice. The installation program couldn’t access the Internet to phone home to Microsoft.

Two words: Personal firewall. I went looking. I found two. I uninstalled one. No dice. I uninstalled the second one and enabled Microsoft’s built-in firewall. It still couldn’t call home. This was weird.

As a last resort, I went into Tools, Internet Options, and cleared the browser cache and the history and everything else you could clear. And then I stepped through each tab, resetting the defaults everywhere I could.

In all honesty, I couldn’t see what difference there was between the defaults and the settings he had after I’d followed all those suggestions I found online. But after I reset the defaults, his browser was displaying SSL pages again.

All I can think of was that there may have been some hidden setting or settings in the Registry that got wiped out when I reset the defaults.

Then I went back and tightened things down a bit more–stuff like ActiveX controls and the like.

It’s always best to start with the simplest known configuration that works, then secure it one step at a time. That was definitely the case here.