The application of technology to road safety

This content is 18 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

Earlier this afternoon, as I drove home in the dark across Buckinghamshire, Oxfordshire and Northamptonshire, it struck me just how many satellite navigation systems are fitted in cars today (at least, I assume they were sat-nav devices, and that people were not just watching TV!). I don’t have sat-nav for two (three) reasons – I have a map book, I have a very good memory for routes (and I was too tight to specify another £1200 of options last time I ordered a car); however I do acknowledge that not everyone is as comfortable with their route planning capabilities and everyone I know with a Tom Tom raves about it.

My car tells me when I, or one of my passengers, isn’t wearing a seatbelt. It also turns on the wipers when the windscreen is wet. So, in general, I would say that applying technology to increase driver comfort and safety is a good thing.

It’s sad though, that technology hasn’t been used to detect when a driver needs to use their lights, or when there is a fault with a vehicle and it is unsafe to drive. On the same journey, the first hour of it was spent driving in fog (although visibility was still about 400 metres) – that meant that there was a mixture of people driving without lights (!) and people who thought they needed to use their rear fog lights even though I was right behind them and perfectly aware of their presence.

A few months back I had a rant about the replacement of real police by cameras in the name of road safety – my point being that a traffic policeman can exercise judgement over an issue that’s much broader than simply speeding, whereas a camera can’t. At the same time, I’ve seen a rise in unchecked vehicle defects. A few weeks back I followed a car for several miles which was belching out black noxious fumes. Today, I followed a car with only one working brake light which was directly above the rear fog light that was dazzling me. Later, a 7.5 tonne truck pulled out in front of me to overtake someone, and I saw the indicators on the side of the cab, but narrowly avoided a collision as his rear indicators didn’t work and it was all a bit too late.

Instead of all these gadgets, please can someone apply technology (or even people) to road safety – and I don’t just mean the politically correct issue of excess speed.

Wireless security and secure remote access

Last night, I attended Steve Lamb‘s Microsoft TechNet UK briefing on wireless security and secure remote access. I won’t repeat the entire content here, because Steve has an article in the November/December issue of Microsoft TechNet magazine, entitled improve your web security with encryption and firewall technologies, which, when combined with Kathryn Tewson and Steve Riley’s security watch: a guide to wireless security article, just about covers the content of the event. Having said that, there were a few more snippets that came out during the presentation, which I’ve plagiarised (and extended) in the rest of this post…

Wireless Security

Anyone who needs to secure a Wireless network at home should check out Steve Lamb’s blogcast on securing a wireless router and Windows XP and, although I’ve already linked it above, I’ll repeat that Kathryn Tewson and Steve Riley’s security watch: a guide to wireless security article is also worth a read. Further information is also available on the Microsoft website.

Some additional notes that I took during Steve’s presentation were that:

  • Wireless network keys can be stored on a USB token.
  • Wired equivalent privacy (WEP) is often considered insecure but consider the name – the equivalency part indicates that it offers the same level of security as a wired network. Yes, it can be broken into, but so can a wired network with public access to the building. Wi-Fi Protected Access (WPA) (or preferably WPA2) is better and dynamic WEP is a half-way house, but whatever security is employed, the wireless network still needs to be easy to use.
  • There are sites on the ‘net that will show you how to break a wireless (or other) connection (if you think it’s irresponsible of me to link that site, you could also find it using a search engine, so I figure that it’s better that the methods are well known, than only being known by the bad guys).
  • Contrary to popular belief, there is no point in securing the SSID for a network as it is transmitted unencrypted (even on a network secured with WPA or WPA2). Ditto for media access control (MAC) addresses, which are easily spoofed.
  • Even WPA doesn’t do anything to prevent a denial of service (DoS) attack and WPA2 (802.11i) doesn’t stop all DoS attacks.
  • 802.1x is port-based authentication and applies equally to both wired and wireless networks. It does have weaknesses, including that it will only authenticate the initial connection. In a wireless configuration, man-in-the-middle (MitM) attacks can be guarded against by requiring the WAP to identify itself using certificates (using a group policy object).
  • WEP requires Windows XP. WPA requires Windows XP SP1, WPA2 requires Windows XP SP2 and a hotfix (see Microsoft knowledge base article 893357).
  • The Windows 2000 Internet authentication service (IAS) can be used as the RADIUS server component in a secure wireless deployment; however Windows Server 2003 supports auto-enrolment (which when used for computer and user certificates will make life much easier).
  • Windows XP will (by default) allow access to its nearest access point, even if it is not secure.

Very importantly – if (like I did) you think that your wireless network (e.g. at home) doesn’t need to be secured because there’s no data of value to be had and anyway, you have bandwidth to spare which you don’t mind your neighbours using, consider the implications of someone using your wireless network to access the Internet and perform illegal activities, which your ISP can trace back to you via your IP address. Having thought about that, I’ll be buying a new wireless access point very soon.

Secure Remote Access

Microsoft are positioning virtual private networking (VPN) technology as no longer the best solution for providing corporate remote access and I tend to agree. The idea of giving an untrusted computer an IP address from the internal network fills me with fear (unless some quarantining is in place). VPNs “blur” the network edge and anyway, do remote users need full network access? I’ve often accidentally printed a document in the office whilst working at home and then had to ask a colleague to retrieve and dispose of it for me (wasting paper, printer resources and somebody else’s time). Some solutions will use VLAN technology to limit the network access for VPN users – there are other methods too, especially when considering that 90% of VPN users only really want to read their e-mail. For example, Outlook Web Access, whilst having improved its interface capabilities dramatically with each new release, is still not really a great solution for access from outside the corporate firewall (it’s good for allowing users to access mail without setting up a MAPI profile, but is heavily reliant on ActiveX controls, which may not be allowed in an Internet cafe, and is also a risk if the remote client has a keylogger installed) – full client Outlook using HTTPS over RPC on a notebook/tablet PC is a far better option – totally transparent from an end user perspective (although still a problem if access is required when an e-mail links back to internal resources to retrieve a document).

Steve Lamb’s TechNet magazine article (and my previous post on securing the network using Microsoft ISA Server 2004) elaborate on the need for application layer firewalling rather than blindly allowing HTTP and HTTPS traffic through the firewalls. Other measures employed include pre-authentication and URL scanning.

SSL VPNs are another method of providing remote access (even though they are not really VPNs, but are actually just remote desktops in a browser). Windows Terminal Services can provide basic SSL VPN functionality, which can also be extended with products from Citrix.

Operating over the remote desktop protocol (RDP), which is based on the International Telecommunication Union (ITU) T.120 protocol family and is therefore independent of network and transport protocols, these solutions use compression and caching to reduce bandwidth requirements and support network load balancing. Windows Server 2003 brings a number of terminal services enhancements (over Windows 2000) including:

  • Connection to the console session (in remote administration mode).
  • Control of RDP options via group policy.
  • WMI provider for scripted terminal services configuration.
  • ADSI provider for access to per-user terminal services profiles.
  • Improvements to the terminal server manager MMC snap-in (reduced automatic server enumeration).
  • Ability to limit users to a single session.
  • Improved security:
    • Remote Desktop Users security group (which can be used in place of the Everyone group to fine tune access control).
    • 128-bit RC4 encryption.

Securing terminal services comes back to the well-known principle of defence in depth:

  • A physically secure terminal services server.
  • A secure operating system configuration.
  • A secure terminal services configuration.
  • Network path security.
  • Using the registry to fine-tune control over terminal server sessions (probably overkill, but using group policy to control access is a similar principle).

Using the remote desktop web connection ActiveX control, terminal services can be provided across the web (and optionally secured using HTTPS). The initial client contact is to http(s)://servername/tsweb/ and the ActiveX control is downloaded over HTTP (TCP port 80) or HTTPS (TCP port 443). Once the browser has the ActiveX control installed, the user can connect to the terminal server over TCP port 3389.

If full VPN access is still required (and hopefully the methods above will avoid the requirement for this), then VPN server placement must be carefully considered. Running an encrypted PPTP or L2TP+IPSec VPN connection through a standard packet filtering firewall effectively bypasses the firewall as the VPN port will be open on internal and external firewalls and the traffic inside the connection will not be inspected.

Most network administrators will be alarmed if you propose the installation of ISA Server as the corporate firewall even though ISA Server 2004 has now achieved common criteria evaluation assurance level 4+. ISA Server 2004 is a perfectly good firewall (assuming that the underlying Windows platform is also well-managed), but it will probably be easier to justify to network administrators by using ISA as an additional server in the DMZ, or as the inner firewall (between the DMZ and the internal network). This way, the encrypted connection can be terminated at the ISA server and the firewall can inspect the inbound traffic.

Finally, if a VPN connection must be used to extend the corporate network to remote clients, then network quarantine controls should also be put in place. Full network access protection (NAP) is expected with the next version of Windows Server (codenamed Longhorn) but even now, Windows Server 2003 SP1 routing and remote access service (RRAS) allows for the provision of network access quarantine control for remote clients. The current Microsoft implementation involves using the connection manager administration kit (CMAK) to construct a custom RRAS client which includes a number of post-connection actions. Until these are passed, vendor-specific options remain in place which prevent the remote VPN client from accessing the network. Unfortunately it is also possible for a technically able user to spoof the message which allows the vendor-specific attributes to be removed, but in reality this is a small risk. Microsoft’s NAP and Cisco’s network access control (NAC) will make this far more effective, extending the scope of control to include wired and wireless clients (as well as VPN clients).

The joys of sending e-mail from a telnet session

Whilst checking out Steve Lamb and Kathryn Tewson/Steve Riley‘s articles in the November/December issue of TechNet magazine, I came across a link to an article by R’ykandar Korra’ti asking how simple is SMTP? I remember having great fun sending SMTP directly by telneting into a server when I first learnt about Exchange Server back in 1996 and you can read how to do it. Then, just because I can, I sent myself a mail using a telnet connection to my ISP’s relay.
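To show just how simple the exchange is, here is an added example (my own code, not the article's, R’ykandar Korra’ti’s or any real mail server's): a toy in-process SMTP server that understands HELO, MAIL FROM, RCPT TO, DATA and QUIT, driven by the same scripted lines one would type into a telnet session. The host names and addresses are constructed for the example. The server refuses to relay for a domain it is not responsible for, which is the check that separates a legitimate relay such as an ISP's from an open relay.

```python
"""Toy SMTP exchange: a minimal server state machine driven by a scripted
client. Added example code, not the article's or any real MTA's; host names
and addresses below are constructed."""

import re


class ToySmtpServer:
    """Minimal subset of SMTP: HELO, MAIL FROM, RCPT TO, DATA, QUIT."""

    def __init__(self, hostname="relay.example.invalid",
                 allowed_domains=("example.invalid",)):
        self.hostname = hostname
        self.allowed_domains = allowed_domains  # domains we will relay for
        self.greeted = False
        self.sender = None
        self.recipients = []
        self.in_data = False
        self.body_lines = []
        self.delivered = []  # (sender, recipients, body) tuples

    def greeting(self):
        return f"220 {self.hostname} ESMTP ready"

    def handle(self, line):
        """Process one client line; return the server reply (None while a
        message body is being collected, as a real server stays silent)."""
        if self.in_data:
            if line == ".":
                self.in_data = False
                self.delivered.append(
                    (self.sender, list(self.recipients), "\n".join(self.body_lines)))
                self.sender, self.recipients, self.body_lines = None, [], []
                return "250 OK: queued"
            # dot-stuffing: a body line that starts with "." is sent as ".."
            self.body_lines.append(line[1:] if line.startswith("..") else line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "HELO":
            self.greeted = True
            return f"250 {self.hostname} Hello {arg}"
        if not self.greeted:
            return "503 Send HELO first"
        if verb == "MAIL":
            m = re.fullmatch(r"FROM:<([^>]*)>", arg, re.IGNORECASE)
            if not m:
                return "501 Syntax: MAIL FROM:<address>"
            self.sender = m.group(1)
            return "250 OK"
        if verb == "RCPT":
            if self.sender is None:
                return "503 Need MAIL command"
            m = re.fullmatch(r"TO:<([^>]+)>", arg, re.IGNORECASE)
            if not m:
                return "501 Syntax: RCPT TO:<address>"
            addr = m.group(1)
            domain = addr.rpartition("@")[2].lower()
            if domain not in self.allowed_domains:
                return "550 Relaying denied"  # the open-relay check
            self.recipients.append(addr)
            return "250 OK"
        if verb == "DATA":
            if not self.recipients:
                return "503 Need RCPT command"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return f"221 {self.hostname} closing connection"
        return "500 Command not recognised"


def run_session(server, client_lines):
    """Drive the server with scripted client lines and return the transcript
    as ("S"/"C", line) pairs, in the order a telnet user would see them."""
    transcript = [("S", server.greeting())]
    for line in client_lines:
        transcript.append(("C", line))
        reply = server.handle(line)
        if reply is not None:
            transcript.append(("S", reply))
    return transcript


# Constructed session: the lines one would type into a telnet session.
SESSION = [
    "HELO laptop.example.invalid",
    "MAIL FROM:<me@example.invalid>",
    "RCPT TO:<me@example.invalid>",
    "RCPT TO:<someone@other.invalid>",  # refused: we do not relay for that domain
    "DATA",
    "Subject: test from telnet",
    "",
    "Hello from a raw SMTP session.",
    "..a line that really starts with a dot",
    ".",
    "QUIT",
]

if __name__ == "__main__":
    srv = ToySmtpServer()
    for who, text in run_session(srv, SESSION):
        print(f"{who}: {text}")
```

Running the block prints the two-sided conversation; the 550 reply to the second RCPT TO is the relay restriction a properly configured ISP relay applies, and the dot-stuffed body line comes back out with its single leading dot.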

Introduction to Microsoft Small Business Server 2003

A few weeks back, I attended a Microsoft Event which was supposed to provide a technical overview of Microsoft Small Business Server (SBS) 2003. I was a bit disappointed with the quality of the event (and it looks like I wasn’t the only one) but it did at least give me a chance to see SBS, a product to which I have had very little exposure, mostly because my work tends to be with medium and large corporate environments and SBS is aimed at smaller businesses.

Despite its small business focus, SBS does seem to have quite a following and there were clearly many people in the audience with significant experience of the product – some of the links at the end of this post may also be useful for further information.

The principle behind SBS is the provision of an environment which runs on a single server, encompassing many of the facilities which would more typically be spread across a number of servers in a corporate environment, but which remains easy for a small business to deploy and manage. This does cause some complications (e.g. likely resource conflicts from the presence of SQL Server and Exchange Server on the same physical server) and also means that some of the product versions on which SBS is based are not the latest versions available as a standalone product (e.g. ISA Server 2000 – not 2004).

SBS is available in two editions – standard and premium. Both editions have the same base components (Windows Server 2003 Standard Edition, Exchange Server 2003 Standard Edition, Windows SharePoint Services Business Intranet, routing and remote access services, mobile user/device support, remote web workplace, shared network resources, backup/restore and task based management), but the premium edition is extended to include ISA Server 2000, SQL Server 2000 and FrontPage 2003.

From a management perspective, SBS is intended to allow a small business to be self-sufficient, with separate Administrator and Power User management consoles allowing easy management of users and computers along with wizards to assist in backing up and restoring data (including monitoring and reporting). Remote access is simplified with a number of wizards and the remote web workplace (http://servername/remote/) whilst intranet creation is handled with the WSS-based business intranet (http://servername/companyweb/), e-mail capabilities are provided through Exchange and premium edition users have access to SQL Server databases and improved internet security through ISA Server (SBS standard edition includes the standard Windows Firewall, which may be adequate for many small businesses but might not be flexible enough for others – having said that, I would probably place standard edition behind an Internet router with its own firewall capabilities).

Overall, SBS looks good, but the co-hosting of so many components on a single device (and Microsoft’s deliberate restrictions on scalability) mean that there are many gotchas to watch out for. To find out more, check out the following links:

Making Firefox pretend to be IE (user agent spoofing)

Our corporate intranet doesn’t always play nicely with browsers that it doesn’t recognise. I’ve previously written about making Internet Explorer (IE) 7.0 pretend to be IE 6.0 but today I needed to change the behaviour of Firefox 1.5 to trick the intranet into thinking I’m using IE (I have IE installed, but as it’s not my default browser, clicking a link in an e-mail, for example, opens in Firefox), thus avoiding messages like the following:

Browser requirements
Internet Explorer 4 (or later) is required
Your current browser, Default 0.0, does not support the features and security requirements of this site

Thankfully, John Bokma’s article on changing the user agent in Firefox answered that question for me and after I’d entered a new general.useragent.override string in my about:config page everything jumped into life. For reference, my original (Firefox) user agent string was:

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5

and the override (mimicking my Internet Explorer configuration) is:

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; InfoPath.1)

If you want to check your string, there’s a history (including why Microsoft Internet Explorer user agent strings pretend to be Mozilla) and detection script on Dan Tobias’ Web Tips site. Further information (including common user agent strings) can also be found on Wikipedia.
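As an added illustration (my own code, not John Bokma’s article or Dan Tobias’ detection script), here is a small parser that takes apart the two user agent strings quoted above in the way a detection script does: an IE string announces itself as Mozilla/4.0 and hides the real identity in the “compatible; MSIE x.y” comment, while a Gecko browser lists its product tokens after the comment. The `meets_requirement` function mimics the intranet’s “Internet Explorer 4 (or later) is required” gate; the threshold and the empty-string case producing “0.0” (the “Default 0.0” the intranet reported) are my reading of the message, not anything the intranet actually runs. Since the string is entirely client-controlled, as the override above demonstrates, a gate like this is a compatibility hint, not an access control.

```python
"""Parse and classify browser user agent strings. Added example code, not a
script from the post or the sites it links; the gate logic is an assumption
based on the intranet's error message."""

import re

# The two strings quoted in the post.
FIREFOX_UA = ("Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) "
              "Gecko/20051111 Firefox/1.5")
IE_UA = ("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; "
         ".NET CLR 1.1.4322; InfoPath.1)")

_UA = re.compile(r"(\S+)/(\S+)\s*(?:\((.*?)\))?\s*(.*)")


def parse_user_agent(ua):
    """Return (browser, version, comment_tokens).

    Historically servers sent their 'modern' pages only to Mozilla, so other
    vendors kept the leading 'Mozilla/x.y' and put their real identity in the
    parenthesised comment, which is why IE is detected from the comment and
    Gecko browsers from the product tokens that follow it."""
    m = _UA.match(ua)
    if not m:
        return ("unknown", "0.0", [])      # unrecognisable: "Default 0.0"
    product, product_version, comment, rest = m.groups()
    tokens = [t.strip() for t in (comment or "").split(";") if t.strip()]
    for tok in tokens:                      # IE: "MSIE 6.0" inside the comment
        ie = re.fullmatch(r"MSIE (\d+(?:\.\d+)?)", tok)
        if ie:
            return ("MSIE", ie.group(1), tokens)
    trailing = re.findall(r"(\S+)/(\S+)", rest)  # e.g. Gecko/2005.. Firefox/1.5
    if trailing:
        name, version = trailing[-1]        # last product token is the browser
        return (name, version, tokens)
    return (product, product_version, tokens)


def meets_requirement(ua, min_ie_version=4.0):
    """Mimic the intranet gate: accept only a UA claiming IE >= min version.
    Assumption: the threshold comes from the error text quoted in the post."""
    browser, version, _ = parse_user_agent(ua)
    if browser != "MSIE":
        return False
    try:
        return float(version) >= min_ie_version
    except ValueError:
        return False


if __name__ == "__main__":
    for ua in (FIREFOX_UA, IE_UA, ""):
        print(parse_user_agent(ua)[:2], "accepted" if meets_requirement(ua) else "rejected")
```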

On a slightly different note, whilst I was researching this, I stumbled across an article on how to make Firefox look like Internet Explorer (i.e. visually, not programmatically).

Windows Server 2003 R2 is nearly ready

At today’s “What’s New in Windows Server 2003 R2” partner event, Annemarie Duffy, Microsoft UK’s Infrastructure Server Marketing Manager, first commented that Windows Server 2003 release 2 (R2) is “imminent” and then said that it is planned for release to manufacturing (RTM) within the next few days.

R2 is what Microsoft are calling a release update – released at approximately the mid point between major releases, as part of what Microsoft calls its “predictable development lifecycle” (Windows Server 2003 was released in 2003 and the current estimated release date for the Windows Server product codenamed Longhorn is 2007). Microsoft claims that the R2 improvements build on Windows Server 2003 with service pack 1, supporting the organisation, customers, suppliers and partners through five pillars which provide new functionality to extend connectivity and control:

  • Identity management – Allowing the management of a single identity across partner, web and Unix applications.
  • Branch/remote office – Better connectivity, reliability and up to a 50% WAN traffic reduction.
  • Storage management – Better control over storage setup and a 10% lower management cost.
  • Web application platform – Latest 64-bit and Microsoft.Net technologies for doubling web application performance.
  • Virtualisation – Windows Server 2003 R2 Enterprise Edition and Virtual Server 2005 R2 represent the best value in server virtualisation with licensing now based on the maximum number of active virtual machines and not the number of images held, in addition to the inclusion of licenses for up to four guest instances of Windows Server 2003 R2 with each host.

(Note that these claims are from Microsoft’s marketing slides, and are not my comments).

Whilst Windows Server 2003 R2 will replace the existing Windows Server 2003 product with immediate effect, all of the new components are optional (and are actually installed from a second CD on top of an existing Windows Server 2003 installation with service pack 1 slipstreamed). This reduces the impact on organisations from a testing perspective, and is one of the reasons that this release update is not expected to include any kernel changes.

In terms of pricing and availability, if RTM is achieved next week then general customer availability should be around February 2006. Windows Server 2003 R2 is expected to be priced identically to Windows Server 2003 but there will be no upgrade SKU for existing licensed users. There will be no upgrade charge for Microsoft customers with software assurance (SA), e.g. as part of an enterprise agreement (EA), although a new server licence will be required for non-SA customers who plan to upgrade; however existing Windows Server client access licences (CALs) will remain valid (i.e. there will be no new R2 client licence). R2 will also share the same support lifecycle as Windows Server 2003 (i.e. extended support will end in 2013).

Watch this space for more information about some of the new features in R2 (basically as soon as I find time to write about them!). I’m particularly excited by the new licensing arrangements for virtualisation, the new print management capabilities, the new quota and file screening capabilities and the upgraded distributed file system (DFS) functionality, including remote differential compression (RDC). Active Directory federation services (ADFS), improved Unix interoperability and the updates to Active Directory application mode (ADAM) are also significant identity management enhancements and some of the figures quoted in relation to 64-bit computing support will definitely be worth investigating (especially with the rumours of Intel and AMD’s plans to move to an exclusively 64-bit platform by the end of 2006 and Microsoft’s plans to make the Longhorn Server wave of products 64-bit only).

Finally, for those who want to know more and can’t wait for me to put aside some time with my keyboard, Microsoft is running a TechNet UK event next Wednesday evening (7 December 2005) at which Samm DiStasio (Director of the Windows Server Product Management Group, Microsoft Corporation) and Microsoft UK’s John Howard will present an introduction to Windows Server 2003 R2.

Finding a balance between an effective presentation and “death by PowerPoint”

If, like me, you attend a large number of presentations from suppliers and partners, you are probably acquainted with the concept of “death by PowerPoint” but more recently I’ve noticed a trend towards using alternative visual aids (or even none at all) to grab the attention of the audience.

A few weeks back, Microsoft’s Steve Lamb was planning to give a full day seminar with no PowerPoint slides. I don’t know how that went (probably quite well, as it was a technical event with lots of demonstrations) but I recently saw CA’s Executive Vice President for Technology Strategy and Chief Technology Officer, Mark Barrenechea, speak without PowerPoint and I found the event to be very disappointing. Far from inspiring the audience with his presentation, the lasting impression with which I left the impressive Ditton Manor venue was one of a poorly-prepared presenter who scribbled some unintelligible notes on a few OHP foils (remember them?) and ran out of time. I’m sure that Mark was actually extremely well prepared, but that was the impression with which I left the event (and that will stick in my mind).

Whilst dropping PowerPoint is a commendable idea, in order to dump the visual aids (in whatever form – PowerPoint, OHP foils, or flipchart), an extremely charismatic presenter is required who can hold the audience’s attention completely and, in the business world, there aren’t too many people who can carry that off well.

I’m sure there is a balance to be struck somewhere between PowerPoint overload and completely disregarding any pre-prepared visual aids. Personally, I find that a slide deck can be a useful aide memoire when presenting – maybe that’s what it should be (too many people try to cram too much information onto each slide).

Having said that the slide deck should just be an aide memoire, when attending events, I like to be given a copy on which to take notes. Having to wait a few days (or even weeks) to download the slide deck after the event doesn’t work for me, but by the same token, I rarely give out my slide deck in advance if I’m using PowerPoint at an internal meeting (because I find that a small audience of customers or management tend to jump ahead and read the slide deck rather than listen to the message I’m trying to present).

Today, I’m at an event with a difference. In common with many Microsoft technical events, today’s event includes a lot of demonstrations; however instead of the usual slide with the word “demo” emblazoned across it, around which I’m normally madly scribbling notes, John Craddock and Sally Storey from Kimberry Associates have included slides called “doodles”. These doodles are one-slide summaries of the key points from the demonstration, which are not presented but which allow attendees to concentrate on watching the demonstration instead of writing notes. I’ll certainly give the concept a try next time I demonstrate a technology to an audience.

Using RIS to PXE boot non-Windows images

I’ve written a few posts previously for this blog about Microsoft Remote Installation Services (RIS), but today I needed to do something I knew was possible in theory but had never done before – using RIS to serve a boot image of something that’s not an unattended Windows setup.

Although slightly complicated by the need to use Active Directory for security, RIS is, at its most basic, a PXE server, capable of serving boot images via TFTP to suitable client PCs (before an operating system is loaded). In theory, any bootable floppy can be converted into a RIS boot image file but Microsoft doesn’t provide the tools – for that you will need the 3Com RIS Menu Editor (RISME). The original version of this is a free download from 3Com – later versions (e.g. emBoot RIS Menu Editor 2.0) are available for a small price (with a free trial period) but I found the 3Com version to be perfectly adequate (although it only runs locally on a Windows 2000 RIS server, whereas v2.0 of the emBoot product allows remote creation and editing of RIS menus and boot images, and supports Windows Server 2003).

After running RISME to capture an image from boot media, an additional folder structure will have been created on the RIS server, either in \\servername\RemInst\Setup\English\Images\3com\i386\ or in \\servername\RemInst\Setup\English\Tools\3com\i386\, depending on whether or not the image was created via the Automatic Setup or the Maintenance and Troubleshooting tabs.

Along with the image (.IMG) file (which can be edited directly using a utility such as WinImage) are an appropriate boot loader (.LDR) file and a RIS setup information (.SIF) file containing something similar to the following text:

Description = "description"
Help = "helptext"
LaunchFile = "Setup\English\Images\3Com\i386\tool1.ldr"
Version = "1.00"

RIS should automatically pick up the new .SIF file and offer it as a menu choice in the OS Choices menu although it may be necessary to edit the User Configuration | Remote Installation Services | Choice Options within the Default Domain Policy group policy object in Active Directory to allow access to some of the RIS menus (e.g. Maintenance and Troubleshooting).
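Because RIS offers every .SIF it finds to PXE clients at boot, before any operating system or user logon is involved, it is worth being able to check what a menu entry actually points at. The following is an added example (my own code, not a Microsoft or 3Com tool) that parses a .SIF of the shape shown above and flags entries whose LaunchFile is absolute, climbs out of the share with “..”, is not a .LDR loader, or lies outside the two RISME folders named above. The sample text, the description strings and the “must be a .LDR” rule are my assumptions; the folder names come from the post, and the comparison is case-insensitive since the post spells them both “3com” and “3Com”.

```python
"""Parse and sanity-check a RIS .SIF menu entry. Added example code, not a
Microsoft or 3Com utility; the sample entry below is constructed."""

import re
from pathlib import PureWindowsPath

# Constructed sample in the shape of the .SIF text shown in the post.
SAMPLE_SIF = (
    'Description = "DOS maintenance disk"\n'
    'Help = "Boots a DOS image with disk tools"\n'
    'LaunchFile = "Setup\\English\\Tools\\3Com\\i386\\tool1.ldr"\n'
    'Version = "1.00"\n'
)

REQUIRED_KEYS = ("Description", "Help", "LaunchFile", "Version")

# Folders under the RemInst share where RISME places captured images
# (from the post); PureWindowsPath compares them case-insensitively.
ALLOWED_DIRS = (
    PureWindowsPath(r"Setup\English\Images\3Com\i386"),
    PureWindowsPath(r"Setup\English\Tools\3Com\i386"),
)

_LINE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$')


def parse_sif(text):
    """Parse 'Key = "value"' lines into a dict, ignoring blank and ; lines.
    Raises ValueError for a line that does not have that shape."""
    entry = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip() or raw.lstrip().startswith(";"):
            continue
        m = _LINE.match(raw)
        if not m:
            raise ValueError(f'line {lineno}: not a Key = "value" line: {raw!r}')
        entry[m.group(1)] = m.group(2)
    return entry


def validate_sif(entry):
    """Return a list of problems; an empty list means the entry looks sane."""
    problems = [f"missing key {k}" for k in REQUIRED_KEYS if k not in entry]
    launch = entry.get("LaunchFile")
    if launch is not None:
        p = PureWindowsPath(launch)
        if p.is_absolute() or p.drive or p.root:
            problems.append("LaunchFile must be relative to the RemInst share")
        if ".." in p.parts:
            problems.append("LaunchFile must not climb out of the image folder")
        if p.suffix.lower() != ".ldr":  # assumption: entries launch an .LDR loader
            problems.append("LaunchFile should point at a .LDR boot loader")
        if p.parent not in ALLOWED_DIRS:
            problems.append(f"LaunchFile is outside the RISME image folders: {p.parent}")
    return problems


if __name__ == "__main__":
    entry = parse_sif(SAMPLE_SIF)
    print(entry)
    print("problems:", validate_sif(entry) or "none")
```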

I now plan to use this method to deploy Ghost images (via an MS-DOS boot disk, captured as an image) and a PXE boot to a RIS server but for more information (including links to enable PXE booting of Linux), check out Google’s cached version of an article on how to use RIS to bootstrap other operating systems (unfortunately the original is no longer available online).

My iPod has died

Just over six months ago, I bought an iPod Mini (then a few months later I started lusting for the new iPod Nano). Well, today my iPod Mini died. I was driving home when I got a call on my mobile phone. I pressed the iPod’s pause button, took the call on my phone, and when I went back to the iPod the screen was blank and I couldn’t turn it back on. I thought maybe the battery was dead (it shouldn’t have been as I charged it last night and had only used it for about 2 and a half hours) but when I got home I found that it doesn’t respond to power either. I’ve tried resetting (turn hold on, turn hold off, then hold the play and menu buttons together), but all to no avail.

At least it’s still under warranty but for any consumer electronic item to die after six months of use is not good. Grrrr…