Spam-proof your website

This content is 20 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

I found an interesting article on the OutFront (FrontPage support) website which gives some practical advice on how to prevent your e-mail address from being harvested and then abused by spammers. Basically, it involves converting e-mail addresses displayed on websites to unicode (for which a unicode converter may be useful). Let’s see if it works…

Allowing files to be replaced as part of an FTP rename operation

Yesterday, one of my clients came across an interesting scenario. They use FTP to poll sales data from their retail outlets back to a central location. As part of this process, the polling file is renamed to filename.bak; but what if filename.bak already exists from an earlier poll? The existing NT 3.51 FTP Server network component allows the rename with no problem, but XP’s FTP Server (part of IIS 5.1) does not, producing an error:

550 filename.bak: Cannot create a file when that file already exists

A quick search on the ‘net unearthed Microsoft knowledge base article 309634. Once I had extracted the mdutil.exe utility from a Windows 2000 CD (see Microsoft knowledge base article 240225) I was able to run the following command:

mdutil set msftpsvc/1/AllowReplaceOnRename 1

A restart of the IIS Admin service was all that was needed then to allow the rename to take place within the polling process.

Installing the “Energy Blue” theme on a computer running Windows XP Professional

Microsoft has released the “Energy Blue” theme (used in Windows XP Media Center Edition 2005) for tablet PC users. The theme provides new colours, new effects and a new wallpaper, which according to Microsoft “will give your Tablet a fresh, updated appearance”.

The normal setup mechanism will not allow the update to install on non-Tablet PCs, but as hinted by the Windows IT Pro magazine network WinInfo Daily Update, it is still possible to install the theme on a PC running Windows XP Professional. To do this:

  1. Use a third-party extraction utility (e.g. WinZip) to extract the files within the downloaded file (WindowsXP-TabletPC-EnergyBlueTheme-x86-ENU.exe) to a temporary folder.
  2. Once extracted, copy the files as follows, creating folders as necessary (once all files are copied, the temporary folder created in step 1 may be deleted):
    • royale.theme -> %systemroot%\Resources\Themes
    • royal.msstyles -> %systemroot%\Resources\Themes\Royale
    • shellstyle.dll -> %systemroot%\Resources\Themes\Royale\Shell\Homestead
    • shellstyle.dll -> %systemroot%\Resources\Themes\Royale\Shell\Metallic
    • shellstyle.dll -> %systemroot%\Resources\Themes\Royale\Shell\NormalColor
    • shellstyle.dll -> %systemroot%\Resources\Themes\Royale\Shell\Royale
    • energybliss.jpg -> %systemroot%\Resources\Themes\Royale\Wallpaper
  3. Within the Display Properties select the Energy Blue theme from the drop-down selection on the Themes page. A new Color Scheme called Royale will also be available on the Appearance page.

Windows NT 4.0 and Windows 98 threat mitigation guide

Microsoft has published the Windows NT 4.0 and Windows 98 threat mitigation guide, which identifies security issues in networks that include computers running Windows NT 4.0 and 98, explaining the best hardening strategies that an organisation can use until they are able to upgrade these operating systems.

Windows AutoPlay on a USB flash drive

I’ve been looking at using the AutoPlay functionality in Windows to launch an HTML document each time I insert a USB flash drive. Controlled using a file called autorun.inf, AutoPlay is designed for CDs, but I see no reason why it should not work with other removable media.

There is an excellent overview of the autorun.inf file on the Moon Valley Software website. Although autorun.inf files are easy to edit using a standard text editor such as Notepad, the Moon Valley Autorun.inf Editor is a free download from the Moon Valley Software website, which includes a particularly useful feature to locate and display icon resources within a .DLL.

Using this, I soon had a file which changed the icon and name for the USB flash drive when I inserted it, but I could not get it to automatically launch an HTML document.

After some searching (most notably a TechRepublic post), I discovered that the open command in autorun.inf only recognises programs. Windows 2000 and later recognise the shellexecute command to open other file types, for example:

[autorun]
shellexecute=index.html

Once open= is replaced with shellexecute=, the context menu in Windows Explorer recognises index.html as the default action for the device, but for some reason it does not launch when I insert the USB flash drive into either of the PCs I’m using today. I checked out Microsoft knowledge base articles 155217 and 314855 but found the PCs were correctly configured to AutoPlay.

Searching the ‘net brought up a host of utilities (some free, some not) which are designed to extend the AutoPlay functionality, but by far the most useful utility was autorun.exe (a free download from the Tarma Software Research website, not to be confused with Peter Harrison’s AutoRun from the imagespro.com website). I found that autorun.exe would execute the commands in my autorun.inf file, but still not automatically launch when the USB flash drive was inserted.
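From a defender's point of view, the same open and shellexecute entries are what decide whether a removable drive tries to launch something, so they are worth checking before a drive is trusted. The following is an added example, not code from the original post: a small Python audit of an autorun.inf file. It goes slightly beyond the post by also reporting shell\verb\command entries, which add context-menu actions; the function name and the sample file contents are constructed for illustration.

```python
import configparser

# Constructed sample: the file described in the post, plus an icon and label.
SAMPLE = """\
[autorun]
icon=shell32.dll,7
label=My Flash Drive
shellexecute=index.html
"""

def audit_autorun(text):
    """Return (key, target, note) for each entry that launches something.

    Hypothetical helper for this example. Section and key names are matched
    case-insensitively, as Windows does; unparsable files yield no findings.
    """
    parser = configparser.RawConfigParser(
        strict=False,            # tolerate duplicate sections or keys
        allow_no_value=True,     # tolerate stray lines without '='
        delimiters=("=",),       # ':' appears in paths, so do not split on it
    )
    try:
        parser.read_string(text)
    except configparser.Error:
        return []

    findings = []
    for section in parser.sections():
        if section.lower() != "autorun":
            continue
        # configparser lower-cases key names by default.
        for key, value in parser.items(section):
            target = (value or "").strip()
            if key == "open":
                findings.append((key, target, "runs a program"))
            elif key == "shellexecute":
                findings.append((key, target, "opens a file with its associated application"))
            elif key.startswith("shell\\") and key.endswith("\\command"):
                findings.append((key, target, "adds a context-menu command"))
    return findings

if __name__ == "__main__":
    for key, target, note in audit_autorun(SAMPLE):
        print(f"{key}={target}  ({note})")
```
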

(Probably) the smallest server in the world

This weekend, I set up my new network attached storage (NAS) unit, which may well qualify as one of the world’s smallest (and least expensive) servers. It’s a Linksys Network Storage Link for USB 2.0 Disk Drives (NSLU2), coupled with one of my ultra-portable external storage devices.

The NSLU2 is a low-cost device for converting any USB storage into NAS. It is basically a tiny Linux server with a 10/100 Ethernet port and two USB 2.0 connections (mine cost £59.99 from Amazon). What’s more, it seems to have developed quite a following with those who are hacking the device to make it a more useful Linux server.

The NSLU2 gets slated in a CNET review, but basically you get what you pay for and for this price I’m not sure that you can really go wrong. It seemed to me that most of the CNET feedback was from consumers (with limited technical knowledge) who expected to connect their FAT or NTFS-formatted USB disks and access them across the network. The NSLU2 won’t let you do that as it uses the Linux ext3 file system, but once formatted on the NSLU2 they should still be readable on a Windows system with an appropriate file system driver.

Having said that, Linksys do not help themselves and much of the negative feedback will be down to the terrible documentation supplied with the product. I needed to carry out some Internet research before I could get mine working using two important pieces of information:

  • It initially uses an IP address of 192.168.1.77/24 (not DHCP). To change that using the supplied software you need your client to be on the same subnet. Alternatively just go to http://192.168.1.77/ and it will launch straight into the web interface.
  • The initial administration username and password are both set to “admin”.

I’m not going to provide a full review as there are some good ones out there already – the best ones that I’ve found have been at MacOS X Hints (concise) and at Tom’s Networking (more extensive).

Basically, for low-cost NAS, the NSLU2 is great; but it is definitely for a SOHO environment only, and I’m already looking at the Buffalo LinkStation Network Storage Center for when I need some more storage in a few months’ time. The main reason I didn’t go with the LinkStation from the start is that it’s a £220 investment and for £60 my NSLU2 will keep me going for a few months until it starts a new life as a Linux project.

Links

Linksys Network Storage Link for USB 2.0 Disk Drives
Linksys NSLU2 datasheet
Hacking the NSLU2: Part 1; Part 2; Part 3; Part 4; Part 5
Linux on the NSLU2
NSLU2 Linux
Buffalo LinkStation Network Storage Center

Ultra-portable external storage

I’ve found the solution to my portable storage needs: an old (20Gb) laptop hard disk from my internal IT support department and a cheap (£2.99 + postage) USB enclosure picked up from eBay.co.uk. One of my clients bought something similar a few months back and it has taken me this long to get hold of a suitable hard disk; but now I have a decent amount of portable storage that I can format with NTFS (or any other file system I choose) and transfer between PCs at home and work.

The enclosure I bought is mostly aluminium, with a single LED to indicate power and/or drive access, and is just big enough for a slimline (9.5mm) laptop disk drive. It has a Y-shaped connector cable, with two USB 2.0 connectors at the forked end and a proprietary connection at the other, which is used to power the unit. I’ve found that I need to use both connectors to draw enough power on a Compaq or Dell laptop (The Compaq and IBM desktop PCs I tried seem to work with just one connection). Supplied with a driver CD (for Windows 98), screws, and a mock-leather wallet, I had no problems getting Windows XP to recognise it (without any additional software), and whilst the disk I was given only spins at 4200 RPM, it seems plenty fast enough for my needs.

Mozilla Firefox – make the switch today!

Alex Coles showed me the Firefox browser last week and ever since then I’ve been hooked! With the recent (and highly-publicised) run of flaws in Internet Explorer (IE) resulting in bodies such as US-CERT advising users to consider switching to an alternative browser, the browser marketplace has been opened up again, leading to IE’s market share slipping and the Mozilla website reporting 3,592,687 million downloads of the Firefox preview release as I write this (1.3 million of which were in the first week).

So why is Firefox so great? Well, for a start it’s fast. It takes about the same time as IE to launch, but seems about 4 times faster to render popular websites (e.g. BBC, or The Register). Previously, I had thought it was my connection that was slow – not my browser! One of the major features is tabbed browsing – I wasn’t convinced as to the difference between multiple tabs in a single browser and multiple copies of a browser, but it just seems easier to work with! Installation is easy too – it’s compact (at 4.5Mb) and even imports my IE settings. Like the latest IE version, it has an integrated popup blocker; but it also includes integrated search tools for Google, Yahoo and others in its toolbar. It just seems more elegant.

Actually (much to my own surprise) I’m becoming a bit of an open source fan. I use FeedReader as my RSS aggregator and now Firefox is my browser of choice. I’ll probably start looking at the Mozilla Thunderbird e-mail client too.

Internet Explorer is not dead – it still holds more than 90% of the market, but as Firefox rises in popularity, perhaps Microsoft will look seriously at a full redesign, including a host of new features? We can but hope.

Get Firefox!

No feature pack for ISA Server 2004

Last week I was at a Microsoft TechNet evening where the speaker indicated that there may not be a feature pack for ISA Server 2004 and instead any new features will be held over for ISA Server 2006 (codenamed Wolverine). This includes network access protection (NAP) and all of the other filters, tools, etc. that did not make it into ISA Server 2004.

The issue of NAP is an interesting one as the Microsoft website indicates that this will be incorporated into Windows Server 2003 release 2.

The perils of running an unsecured FTP server

Last week I got hacked.

I’d opened up my previously stealthed firewall to:

  • Access my home network when I’m at work;
  • Allow one of my friends to post some large files to my FTP server.

The trouble is that I hadn’t been carrying out the best practices that I would advocate for my enterprise clients. Despite last month’s post on securing IIS, I had just opened up the standard ports to a standard IIS server which wasn’t even in a demilitarized zone (DMZ).

I didn’t think I’d be a target for a hacker but within a few days some guys in Italy and Belgium had started abusing my FTP server to dump their files (this article from ZD Net leads me to believe that it’s a common practice). I don’t know what the contents were. I deleted them quickly to be safe and shut down the firewall until I could implement something more secure.

Thankfully, I got off lightly (this time). I checked the logs last night and my new security measures are keeping the intruders out. If you do need to provide an FTP service, you might like to read the windowsecurity.com article with 10 steps to secure an FTP server.