Monthly Archives: June 2004

Uncategorized

Problems with Microsoft clusters

A few weeks back I was trying to configure a Windows 2000 cluster for a client. Nothing too unusual about that, but we still came across a couple of issues:

Firstly, the shared disk was on a SAN, with Veritas Volume Manager providing dynamic multi-path support. Veritas’ document describing how Volume Manager works with Microsoft Cluster Server suggests that once the Microsoft Cluster service is installed, it is possible to modify an existing Volume Manager installation to install the Volume Manager DLLs. We found that it is not enough for the Cluster service to be installed (i.e. present but without the Cluster Service Installation Wizard having been run) – the cluster has to be fully configured before the Volume Manager MSCS Support will install correctly;

The second issue was far more difficult to diagnose. We had a problem whereby the first cluster node would install without issue; however when we attempted to join the second node to the cluster it would fail and report the following message in %systemroot%\cluster.log:

[JOIN] Unable to get join version data from sponsor xxx.xxx.xxx.xxx using NTLM package, status 5.

The problem turned out to be related to the password length for the Cluster service account. When you set or change a password, Windows generates both a LAN Manager Hash (LM hash) and a Microsoft Windows NT hash (NT hash) of the password. These hashes are stored in the local Security Accounts Manager (SAM) database or in Active Directory; however LM hashes are relatively weak and are often disabled for security reasons, as described in Microsoft Knowledge Base article 299656.

Our Active Directory was running under Windows Server 2003 (albeit in Windows 2000 mixed mode), and because Windows Server 2003 is more secure by default, it does not store LM hash values for passwords.

According to Microsoft Knowledge Base article 272129, all cluster authentication is handled internally to the Cluster service. The only time the Cluster service contacts a domain controller for authentication is to validate the Cluster service account when the cluster is first formed. Every node that requests to join a cluster is validated using RPC communication over the private network by the node that owns the quorum resource. Only LM or NTLM authentication is used for this (i.e. not NTLM v2 or Kerberos).

According to Microsoft Knowledge Base article 828861, if a password of less than 15 characters is used for the Cluster service account, the setup process generates an LM hash to build a session key to authenticate whilst attempting to join the second node to the cluster. Because no LM hash is stored in Active Directory, the domain controller cannot build a matching session key and access is denied; however, when a password that has 15 or more characters is used for the cluster service account, the setup process cannot generate an LM hash and a Windows NT password hash is used to derive the session key instead. The domain controller is able to generate a matching session key and authentication succeeds.

The result of all this is that the Cluster service account must use a password that contains 15 characters or greater.
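As an added example (not from the original post, and not Microsoft’s code), the following models the 15-character threshold described above. Real LM hashing DES-encrypts a constant with two 7-byte keys derived from the upper-cased, 14-character-padded password; only that key-derivation step is reproduced here, which is enough to show why a longer password has no LM hash and why the join fails against a domain controller that stores none. ASCII passwords are assumed.

```python
# Added example, not part of the original post: why a Cluster service account
# password of 15+ characters avoids the "status 5" join failure when the
# domain controller stores no LM hashes (Windows Server 2003 default).


def lm_key_halves(password: str):
    """Return the two 7-byte halves an LM hash would be built from, or None.

    LM hashing upper-cases the password (ASCII assumed here) and handles at
    most 14 characters, NUL-padded. A longer password cannot be represented,
    so Windows generates and stores no LM hash for it.
    """
    if len(password) > 14:
        return None
    padded = password.upper().encode("ascii").ljust(14, b"\x00")
    return padded[:7], padded[7:]


def session_key_source(password: str) -> str:
    """Cluster setup builds the session key from the LM hash if one can be
    generated, otherwise from the NT hash (the behaviour KB 828861 describes)."""
    return "LM" if lm_key_halves(password) is not None else "NT"


def predict_join(password: str, dc_stores_lm_hash: bool) -> tuple[bool, str]:
    """Predict whether the second node's join succeeds.

    dc_stores_lm_hash=False models a DC with NoLMHash in effect (the Windows
    Server 2003 default). Returns (succeeds, explanation).
    """
    source = session_key_source(password)
    if source == "LM" and not dc_stores_lm_hash:
        return False, ("joining node derives its session key from an LM hash, "
                       "but the DC holds no LM hash: status 5 (access denied)")
    return True, f"both sides derive the session key from the {source} hash"


def check_cluster_account_password(password: str) -> list[str]:
    """Preflight finding for a proposed Cluster service account password."""
    if len(password) < 15:
        return ["shorter than 15 characters: an LM hash will be generated and "
                "the join will fail against a NoLMHash domain controller"]
    return []


if __name__ == "__main__":
    for pw in ("Pa55w0rd", "Cluster-Svc-Passw0rd!"):
        print(pw, "->", predict_join(pw, dc_stores_lm_hash=False))
```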

Incidentally, there is a really useful best practice guide for installing the Microsoft Cluster service on the Microsoft website. Microsoft Knowledge Base article 278007 describes some of the new features in Windows Server 2003 clusters in comparison with Microsoft Windows 2000 Advanced Server and Microsoft Windows 2000 Datacenter Server.


Introduction to viruses, worms, and Trojan horses

Microsoft have published an interesting article to introduce the key concepts and differences between viruses, worms and Trojan horses. Some may find this a little simplistic, but it still contains some simple, practical advice that we should all be following.


Clustered SQL Server dos, don’ts and basic warnings

I don’t know much about SQL, but I recently worked with a colleague to produce a standardised SQL Server 2000 installation (clustered and standalone) for a client and came across some Microsoft advice which gives dos, don’ts and basic warnings for clustered SQL Server installations.

The article is basically a roll-up of information regarding running SQL on a Microsoft cluster for versions 6.5, 7.0 and 2000.


Making websites work with Windows XP Service Pack 2

Just found this link on my colleague Owen Cutajar’s excellent blog, which is an article from Microsoft on How to Make Your Web Site Work with Windows XP Service Pack 2.


Microsoft to withdraw support for VBscript

OK, we’ve all heard of Microsoft trying to withdraw support for a product (NT 4.0 anybody?), but at a recent partner event they stated that support for VBscript is to be phased out. Apparently there is a replacement product codenamed Monad, which will allow the scripting of console applications. When I pushed for timescales, I was told that it won’t be tomorrow, but could be as soon as 12-18 months before VBscript is withdrawn.

Expect to see an outcry soon from Windows system administrators everywhere!


Microsoft Windows XP Service Pack 2 overview

A couple of weeks back I was at a Microsoft-hosted event to prepare partners for Windows XP Service Pack 2 (SP2).

The invitation to the event had intrigued me – after all I seem to remember Microsoft making a statement that there would be no new functionality in service packs – how could there be a 1-day event in preparation for a service pack?

Well, it seems that SP2 will be a big headache for many system administrators – and some of the reasons why are pointed out below.

Don’t confuse SP2 with XP Reloaded!

XP Reloaded is not a product – Microsoft says it’s a value-added initiative for XP (marketing hype to you and me).

So what is SP2?

SP2 is part of Microsoft’s Springboard initiative, which is basically about getting secure and staying secure. Springboard starts with SP2, but also includes Windows Update 5.0, Windows Installer 3.0, Windows Update Services (formerly Software Update Services) 2.0 and Windows Server 2003 Service Pack 1.

Springboard is a direct response to the ever-closing gap between security updates and the associated exploits. Looking at some recent exploits, the number of days between patch release and exploit has become alarmingly small – especially when many of us need to test patches fully before deployment. Hiding behind a corporate firewall is no good either – many threats are from within the perimeter – laptops taken home, personal e-mail, etc. According to Microsoft: Nimda followed the Microsoft patch 331 days later; SQL Slammer 180; Welchia/Nachi 151; Blaster 25; and Sasser took just 17 days.

SP2 is a collection of patches and operating system enhancements, designed to improve security. The top line is that XP systems running SP2 will offer enhanced security through:

  • Resilience – through networking protection; data execution prevention; greater control when browsing; and more secure e-mail/instant messaging.
  • Management – through group policy enhancements.
  • Visibility – through Windows Security Center; and Internet Explorer (IE) user interface enhancements to provide more information.

And what isn’t SP2?

SP2 is not a “silver bullet”. It doesn’t protect customers from viruses and prevent data loss. What it does do is make it harder for a hacker to get through multiple levels of security.

So what does SP2 mean to you?

If you run Windows XP on your organisation’s PCs, or if your customers run Windows XP you cannot ignore SP2.

The key messages are:

  • For everyone with a web presence: Alert your customers that their web site experience may change if they run SP2.
  • For ISVs: Test your products against SP2 and make code changes where necessary.
  • For Windows XP customers: Rigorously test applications against SP2 before deployment.

When Microsoft rolled out SP2 internally, the key issues were around IE and the new Windows Firewall. 73% of issues were IE-related. 68% of these problems are fixed in later versions of SP2, but 32% require further action in order to make the application compatible.

Some SP2 features

The following gives a flavour of some of the new features in SP2:

  • The new Windows Security Center ties together many security elements into a new control panel applet. The most significant of the new features is the Windows Firewall (previously Internet Connection Firewall), which is now turned on by default for all connections and is loaded earlier in the boot process (in the kernel). For organisations using Microsoft Active Directory (AD), the firewall is controllable via group policy, with both domain and standalone profiles. It supports exceptions on a global or a subnet level, as well as the concept of application ports, which are opened only when an application is running, with any outbound traffic being allowed, but inbound only for a few seconds following an outbound request. The firewall also disables file and print sharing for all but the local network.
  • The Windows Firewall can be configured using a variety of methods including: the netsh command (which is scriptable); the netfw.inf file (during installation – developers can find the information they need on this in the Windows XP Service Pack 2 SDK); through the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityCenter; using a new group policy template; or directly through the Windows user interface.
  • Some administrative tools will not work under SP2 as the Remote Procedure Call (RPC) service no longer allows anonymous logons (although exceptions can be configured in a new RestrictRemoteClients registry key).
  • DCOM now separates Everyone from Anonymous such that it now behaves more like Authenticated Users. This means that there are now two permissions levels (Launch and Access) for each of three security contexts (Administrator; Everyone; and Anonymous), configurable in Component Services.
  • The Add/Remove programs applet has some user interface enhancements including a new “show updates” checkbox.
  • The Alerter and Messenger services are now disabled by default.
  • Windows Messenger will now block unsafe file transfers (using a MIME sniff to check the file type – so it’s no good just changing the extension).
  • Outlook Express now uses plain text by default with a link to view HTML content where appropriate. There are also changes to the dialogs around attachment opening.
  • Basic authentication over HTTP is disabled by default under SP2 RC1, although it is rumoured that this will be dropped from the RC2 and RTM version of SP2.
  • The MS JVM is not removed or installed by SP2 (just left at the current state); however there is a new Microsoft Java VM which will only disable the MS JVM, rather than all JVMs (Sun JRE etc.).
  • IE now includes a popup blocker, as well as changes to the default security options. The new IE information bar traps ActiveX content in websites until the user enables it and all ActiveX components must be signed (including the installer). The popup blocker could have a major impact on websites that resize windows, etc. – and even adding a site to the trusted sites list (stored in HKCU\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow) will not allow some code to execute. Some of these settings can be overridden using group policy, although Microsoft were at pains to stress that these security enhancements are there for a reason and should not simply be turned off. As for Windows Messenger, MIME handling is used to enforce file type restrictions within IE. All of the security enhancements for IE are per security zone and exceptions can be specified.
  • SP2 supports No eXecution (NX) zones, although hardware support for this is limited at this time. These avoid buffer overrun attacks by splitting RAM into data (NX) and executable. Just In Time code will fail, unless explicitly marked with execute permissions when memory is allocated.
  • There are also changes to the Automatic Updates default client settings.
  • The Windows Security Center runs as a service and slightly annoyingly (but this is always going to be a problem where the code base is shared between consumer and professional versions of an operating system), it uses a different UI when running in workgroup mode; however it does highlight to users when they are not running up-to-date anti-virus (AV) software. Beware that some AV products may not be picked up by the Security Center even if they are present – of course Microsoft say that they have been working with leading vendors, but expect to see a raft of new AV products hitting the market soon.
  • Under SP2, wireless networking now has a new interface and there are new wizards for establishing WiFi and Bluetooth connections.

Other Springboard products

Windows Update 5 will feature a number of enhancements with a revised layout, drawing together content from the current Windows Update and Microsoft Update sites.

Windows Installer 3 will allow: smaller and more reliable patches; patch removal; and sequencing of patches.

Another new upcoming feature is an uninstaller for Windows Media Player 9 (only if installed on top of Windows XP – not if slipstreamed), along with revised license management.

Timescales

So when are we going to see SP2?

The current estimate is for release to manufacturing (RTM) in Summer 2004. According to Microsoft, over a million people are running the release candidate 1 (RC1) version, and RC2 is imminent (May/early June – but as the event was on 27 May, that seems unlikely).

And Windows Server 2003 SP1? The current estimate is Q1/05.

Preparing for SP2

The key areas in preparing for SP2 are to:

  • Plan testing and resources – this will identify how big a problem SP2 will be for your organisation and which issues are likely to be hit;
  • Test external web sites against SP2 – as part of their contracts, OEMs must move to SP2 within 90 days of RTM. That means that external clients with new PCs will be rolling SP2 out almost straightaway. There is also a rumour that Microsoft may classify SP2 as a critical update to force adoption;
  • Test internal applications on SP2;
  • Install all packaged applications (MSIs) and try each one on an SP2 computer – the main problems will be with DLL conflicts where the SP2 version is overwritten by the MSI installation;
  • Plan and test a deployment technique – this could be via SUS, SMS or Windows Update, but beware, SP2 is big!

Testing applications with SP2

Microsoft provides an Application Compatibility Toolkit which can be used to identify installed applications and then verify them to allow identification of known fixes, or where required to target remedial work with developer/vendors; although the SP2-aware version (v4.0) is some way off at the time of writing.

Applications should be tested on SP1 and SP2 PCs, to allow comparisons to be made and if necessary, any issues to be rectified. Following testing, applications can be ranked to allow an assessment of deployment risks, i.e. application is compatible; application requires basic compatibility modifications; application requires extensive modifications; application is incompatible. Once this analysis has taken place, the application benefits can be compared with the risk of not applying SP2.

For troubleshooting:

  • Installation: I have not installed SP2 (because I don’t run pre-RTM code on my laptop) but from what I have heard, even once you have downloaded a copy, it takes a considerable time to install (30 minutes, if virus checking is turned off). Most of the known issues with installation are hardware issues on tablet PCs, but there may also be problems where permissions have been changed in local policies. Also, some product keys that are known to have been compromised will no longer work under SP2.
  • Internet Explorer: Due to the significant changes that SP2 introduces to the browsing experience, IE will be one of the areas where many problems occur. Issues can be isolated by: attempting to replicate the problem on a computer with SP2 and all subsequent updates; adding the problem site to the trusted sites list; lowering security; and finally by switching off features introduced in SP2 via group policy or in the Tools menu. Once isolated, appropriate action can be taken and any features that have been disabled may be re-enabled as appropriate.
  • Windows Firewall: The Windows Firewall is another significant change. Under SP2 it is enabled by default, for both domain and standalone profiles and because the firewall also disables file and print sharing for all but the local network there will be some inevitable problems for laptop users who take their PCs home. Exceptions may be required for management agents and administrative tools to work as required, and for remote desktop. Firewall activity is logged to %systemroot%\pfirewall.log.
  • DCOM and RPC: DCOM and RPC no longer allow unauthenticated connections by default. For DCOM, this can be changed in Component Services, and for RPC via the registry. Remember that DCOM is reliant on RPC.
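As an added example (not from the original post) of the firewall troubleshooting step above: a small parser for the %systemroot%\pfirewall.log format that summarises which inbound connections the default-on Windows Firewall is dropping, so that exceptions for management agents and remote desktop can be scoped to the hosts that need them rather than the firewall being switched off. The log lines below are constructed; the column names are assumed to come from the log’s own #Fields header.

```python
# Added example, not part of the original post: triage of a Windows Firewall
# log (pfirewall.log, W3C-style "#Fields:" header) to plan SP2 exceptions.
from collections import Counter
from typing import Iterable

# Constructed sample in the pfirewall.log layout; hosts and times are made up.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2004-06-10 09:12:33 DROP TCP 10.1.5.20 10.1.5.77 3456 3389 48 S 2119843 0 65535 - - - RECEIVE
2004-06-10 09:12:40 DROP TCP 10.1.5.20 10.1.5.77 3457 3389 48 S 2119900 0 65535 - - - RECEIVE
2004-06-10 09:13:02 DROP TCP 10.1.5.9 10.1.5.77 1045 135 48 S 8812345 0 65535 - - - RECEIVE
2004-06-10 09:13:05 DROP UDP 10.1.5.9 10.1.5.77 137 137 78 - - - - - - - RECEIVE
2004-06-10 09:13:10 OPEN TCP 10.1.5.77 10.1.5.2 1046 80 0 - 0 0 0 - - - -
2004-06-10 09:14:00 DROP TCP 10.1.5.77 10.1.5.2 1047 445 48 S 5550001 0 65535 - - - SEND
"""


def parse_pfirewall_log(text: str) -> list[dict]:
    """Parse log lines into dicts keyed by the names in the #Fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names follow the tag
        elif line.startswith("#") or not line.strip():
            continue                           # other header lines / blanks
        elif fields:
            records.append(dict(zip(fields, line.split())))
    return records


def dropped_inbound_by_port(records: Iterable[dict]) -> Counter:
    """Count DROPped inbound (path RECEIVE) packets per protocol/destination port."""
    return Counter(
        (r["protocol"], r["dst-port"])
        for r in records
        if r.get("action") == "DROP" and r.get("path") == "RECEIVE"
    )


def dropped_inbound_sources(records: Iterable[dict], dst_port: str) -> set[str]:
    """Hosts refused on a given port: the candidates for a scoped exception."""
    return {
        r["src-ip"]
        for r in records
        if r.get("action") == "DROP" and r.get("path") == "RECEIVE"
        and r["dst-port"] == dst_port
    }


if __name__ == "__main__":
    recs = parse_pfirewall_log(SAMPLE_LOG)
    for (proto, port), n in dropped_inbound_by_port(recs).most_common():
        print(f"{proto}/{port}: {n} dropped from {sorted(dropped_inbound_sources(recs, port))}")
```

Outbound drops (path SEND) are deliberately excluded from the inbound summary, since they point at a different problem from a blocked management agent.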

Getting hold of SP2

SP2 is currently around 275MB, although this includes debug code at present and will shrink before RTM. It will be made available on CD, or via a smaller “express installation” for the web, although even that is 80MB (about 9 hours on a dial-up connection!). Registered users will receive a free CD with SP2. A fully slipstreamed build will also be made available, and other languages will follow approximately 4 weeks after RTM.

Links

Windows XP Service Pack 2 Technical Preview Program
Group Policy Settings Reference for Windows XP Professional Service Pack 2 Release Candidate 1
Windows Application Compatibility Toolkit 3.0
Windows Update Version 5 Beta
Windows Update Services Open Evaluation Version


Slow network copies – duplex mismatch?

Whilst copying some files across the network today, the operation seemed to be taking much longer than it should. It looks like there may have been a duplex mismatch, as setting the network interface cards to 100/full instead of auto seemed to fix the problem.

I’m not sure if this is entirely accurate, but I remember an ex-colleague of mine telling me that the network speed can be auto-detected but auto-detecting the duplex is less reliable.


Returning the cluster service on a Windows Server 2003 server to an unconfigured state

Over the last few weeks, I’ve been investigating some issues with a clustered server configuration. After having had to rebuild the servers on a number of occasions, I found the advice to return the cluster service to an unconfigured state in Microsoft knowledge base article 282227 extremely useful.
