It’s time to take patch management seriously

This content is 15 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

Windows updates don’t normally feature highly on this blog… after all, they come along every month, you test them (perhaps?), install them, and leave things alone for a few weeks. Sometimes there’s an out of band patch release and that ought to indicate that there is a significant problem that requires attention. So why have I been hearing so much over the last few weeks about the Win32/Conficker.B worm with people panicking to update systems, install the latest AV updates, and generally try and catch up after being so lackadaisical in the first place?

Let me explain what I mean… according to an e-mail I received from Microsoft last week:

“Win32/Conficker.B exploits a vulnerability in the Windows Server service (SVCHOST.EXE) for Windows 2000, Windows XP, Windows Vista, Windows Server 2003, and Windows 2008. While Microsoft addressed this issue in October with Microsoft Security Bulletin MS08-067, and Forefront antivirus and OneCare (as well as other vendors’ anti-virus products) helped protect against infections, many systems that have not been patched manually through Server Update Services and Microsoft/Windows Update or through Automatic Updates have recently come under attack by this worm. Attacked systems may lock out users, disable our update services and block access to security-related Web sites:

In response to this threat, Microsoft has:

It is our hope that these resources can assist you in resolving issues with unpatched, infected systems and that you can apply MS08-067 to any other unpatched systems as soon as possible to avoid this threat.”

I’m sure there are some people who feel that applying updates is an intrusion, an unnecessary interruption into the day (these are probably the same people that advocate turning off user account control…). Others will claim that other operating systems don’t need patching so often (I don’t know about the frequency of updates but patches on my Macs always seem pretty big and Linux is in one big patch cycle as the open source model is one of continuous improvement). Personally, I’m glad that Microsoft settled down to a predictable monthly cycle and for those who think that’s a problem because it gives hackers a predictable timeframe for reverse engineering patches and attacking weaknesses in unpatched systems it’s all the more reason why every organisation’s IT security people should be ready to look at the update announcements on the second Tuesday of every month and then to act accordingly. And when a patch comes along outside that predictable schedule to consider that, yes it’s a pain in the neck, but it might just be important…

Which brings me back to the point. Conficker (also known as Downadup). As F-Secure put it:

“First — It was an out-of-band update.

Second — It was given an ‘Exploitability Index Assessment’ of ‘1 – Consistent exploit code likely’.

That kind of speaks for itself, doesn’t it?

Third — It allows for Remote Code Execution, in numerous versions of Windows (particularly critical for 2000, XP, and Server 2003).

All of these combined factors equals something quite serious that should be patched as soon as possible. If you are having difficulties with Automatic Updates, the bulletin links to manual downloads.

Security Update for Windows XP
Security Update for Windows Server 2003

It’s always a good idea to be ready for out-of-band updates. You can subscribe to Microsoft Security Notifications here.”

The other thing that this worm has awakened is corporate IT departments saying things like “how can we check that all our machines are updated with the Microsoft update and with the latest antivirus signatures?”. Well guys, there’s a feature called Network Access Protection (NAP) and it’s implemented in Windows XP SP3, Windows Vista and Windows Server 2008. Whilst you’ve all been bleating about how Vista is bad, perhaps you should have looked a bit further and seen some of the advantages it could bring. If you still can’t stomach a Vista upgrade because somehow you think that Windows 7 will be easier from an application compatibility standpoint (I have news for you…) or think that Microsoft and security in the same sentence indicates an oxymoron then there are plenty of third party endpoint security systems with similar controls…

Perhaps we need an outbreak like this from time to time to wake up the IT Managers and persuade them to spend some money on security improvements within the infrastructure.

Here endeth the lesson. Now go and update your systems.

For more information, check out Centralised information about the Conficker Worm and MS08-067 Conflicker worm update.

If you haven’t downloaded the Windows 7 beta yet, you need to do it soon!

When the Windows 7 beta was announced, it was originally limited to 2.5 million users. This was later relaxed but the shutters are about to come down again.

The Windows 7 team announced on Friday that, starting tomorrow, the Windows 7 website will be updated with a warning that time is running out. No new downloads will be possible after 10 February (but downloads in progress will continue) and on 12 February the tap will be turned off completely (product keys will still be available).

This applies to public downloads from the Windows 7 website – if you are a TechNet or MSDN subscriber, you will still be able to download the beta (and presumably the same rules apply for Microsoft Connect, although I’ve not heard anything official).

Coalface Tech: Episode 2 (interview with Microsoft’s Michael Kleef and Jason Leznek)

After some late-night editing, Episode 2 of the Coalface Tech podcast that James Bannan and I produce is online at the APC Magazine Pro website.

As a result of my timezone blindness, combined with Skype problems, James and I didn’t manage to record our usual conversation for this episode but, a couple of weeks back, James hooked up with Microsoft’s Michael Kleef and Jason Leznek to chat about some of the management features in the Windows client and server operating systems as well as how we can start to prepare ourselves for Windows 7 and Windows Server 2008 R2.

If you like what you hear, then you might like to consider subscribing – there are two podcast feeds available (MP3 and AAC) – if you use iTunes then I recommend the AAC version as that’s the enhanced podcast with chapter markings and context sensitive links but MP3 should work for just about everyone. The AAC feed is also included in the Podcasts directory on iTunes:

Coalface Tech (MP3 podcast).
Coalface Tech (AAC enhanced podcast) (or subscribe via iTunes).

If you don’t like it, please tell us why. We’re still learning how to do this podcasting stuff and there’s a lot to take on board but we really would like feedback – including suggested topics for discussion.

Going forward, James and I hope to get an episode out every month. They are time-consuming to produce though, so please bear with us if the schedule is not as regular as we’d like.

Finally, here are the show notes for episode 2:

  • Mark introduces the podcast.
  • James interviews Michael Kleef and Jason Leznek:
    • We start off with the guys introducing themselves.
    • Michael explains that group policy management is core to both the server and client versions of Windows 7, and how Windows PowerShell provides command line access to group policy objects.
    • Starter GPOs in Windows Server 2008 R2 are enhanced – providing templates of ADMX settings to kickstart creation of a new template.
    • Group Policy preferences are not known by many customers but are new in the Windows Server 2008 and Vista SP1 RSAT tools to do more than policy allows. Whereas policy enforces fixed settings, preferences are more like suggestions and can be targeted to provide a variety of settings, which can also persist across logons and in many cases remove or reduce the requirement for logon scripts.
    • James asks why GPO administration would need to be scripted – Michael explains that automation can be applied to backups, reporting and any other repetitive operations.
    • Jason suggests another scenario where different business units have similar but different settings and how scripting the policy creation can reduce the effort in creating the new objects.
    • Michael explained that these features will work downlevel where the client operating system supports the settings – not all settings will be applicable to downlevel operating systems and so policies may need to be written accordingly.
    • When asked what IT Pros can do to get ready for Windows 7 and Windows Server 2008, Michael suggests getting familiar with group policy preferences (and you only need a Vista SP1 machine – no domain changes needed – you could still be using Windows Server 2003). Jason added that it’s the RSAT tools that are required (including an updated version of GPMC). [of course there’s far more to do in order to prepare for a new operating system release but this needs to be taken in the context that Michael and Jason are subject matter experts for specific areas of Windows.]
    • Michael talked about how to work in a mixed environment – you might need separate policies for XP and Vista [and 7] in certain circumstances but many settings will work cross-platform.
    • When asked how the upgrade path will work as Windows Server 2008 R2 comes in – Michael stressed that fresh 64-bit installs will be required (R2 is 64-bit only and there is no direct upgrade path from 32-bit) but that services will co-exist between versions of Windows Server.
    • When asked about the implications for organisations moving to Windows 7 and Windows Server 2008 R2 in terms of business value, Jason explained that there is a better together concept with many new features benefitting from the latest client and server releases – for example: Direct Access enabled an end user to access network resources seamlessly without the need for a VPN; or branch cache, which allows files to be cached locally for efficient use of network bandwidth.
    • Like a dog after a bone, James keeps on digging to find business value in Windows 7 and Server 2008 R2 for those organisations that have already deployed Windows Vista. Jason talked about features like BitLocker To Go, which now supports the encryption of data on removable devices in Windows 7 as well as the productivity improvements that the technologies Jason had already highlighted could potentially provide.
    • Michael then explained how group policy applies to remote connections.
    • Just as the interview draws to a close, the conversation turns to application compatibility [probably the biggest sticking point when it came to Vista deployments and just as critical for a Windows 7 deployment…] and Michael referred to one of James’ articles in which he recommends that customers start testing applications on Windows Vista SP1 in preparation for Windows 7.
  • Please give us your feedback!

(Next time, we should be back to the normal format and we have a new team member as Alistair Weddell joins us to perform the post-production work that is the bulk of the effort in producing this podcast.)

Where have the import settings moved to in iTunes 8?

I’m pretty stressed out at the moment and I need something to help me relax, so I decided to buy some new music. I’m a big fan of BBC Radio 1’s Live Lounge (my claim to fame – Radio 1’s Jo Whiley went to the same school as me, albeit 7 years before I did!) so I bought all three Live Lounge double CDs (120 live tracks) from Play.com for just £25.97 (once again, physical media was less expensive than digital downloads…).

Before I use CDs, I like to take a copy for my iTunes library and, when I imported the rest of my discs a couple of years ago, I used iTunes’ built in encoder to rip them as 192kbps MP3 files but these days I’m buying 320kbps tracks from 7digital, so I might as well rip at the same rate. The only problem was that I struggled to find the dialog in iTunes 8 to adjust the import settings.

It turns out that Apple has moved the import settings from the Advanced menu to the General menu in iTunes 8:

iTunes 8 General Preferences

The dropdown doesn’t include 320kbps but this can be selected as a custom encoding rate:

iTunes 8 Import Settings

Incidentally, I found some notes from a recording engineer that make interesting reading – I’m encoding at a higher rate because I can, and as MP3 because I want portability, but he makes an interesting point about always enabling error correction.

Now those CDs have been ripped I add them to the collection in the living room, from where they will be slowly wrecked by my wife leaving them lying around in her car, or my sons thinking that CDs are pretty toys… but at least I have a pristine digital copy of my new music!

Gorilla-like camera grip from a flexible tripod

I’ve just got home and found that my latest Amazon purchase has arrived… a Joby Gorillapod (Original). If you haven’t seen the Gorillapod – it’s a small and incredibly lightweight tripod made up of lots of ball and socket joints so it can be twisted into a variety of shapes to stand up or to wrap around something (e.g. a fence, or a signpost). This one is too small for an SLR (there are other models available for larger cameras) but it’s great for my Canon Digital Ixus 70 – the camera that I’ll take out with me to the type of places where I might actually want to be in the picture myself with some friends or family.

Launching the “buy Mark a new camera” appeal

A couple of weeks back, I started a digital photography course (evening classes) at my local college. I’ve been taking pictures for about 25 years and I’ve attended courses before (when I lived in Australia I signed up for a black and white darkroom techniques course – it is truly amazing to see images come to life in a darkroom – as well as a photography course with pro photographer Naomi Burley which looked at everything from the basics of aperture and shutter speed to form, composition and generally taking good pictures) but I’m hoping to fill in the gaps between my traditional photography experience and my IT skills. Then I’ll finally pull my long-overdue portfolio together!

I’m not sure if there is something about IT that attracts people to photography – or if it works in reverse but, over the last couple of years, I’ve learned that many of the people I know in the world of IT are also keen on photography. Take for example, James O’Neill, IT Pro evangelist at Microsoft in the UK – I haven’t seen any of his photos but I know (from his blog) that it’s something he’s really into. Then I got a Flickr invitation from Atila the Hun… at first it seemed suspect, until I realised that it was Windows Server guru Austin Osuide‘s handle.

For the last week or so, I’ve been working with an experienced IT Architect by the name of Sean Mantey and it turns out that Sean is also a very talented photographer (check out his Flickr photostream, coverage on the BBC website, and his own website). And then he showed me his camera.

I always lust after the latest toys from Nikon but having held the camera that Sean uses and taken a couple of test shots, all of a sudden I knew that my trusty D70 is due to be retired… in favour of a D700. The D700 is, quite simply, fantastic. It has a decent, weighty body, a huge screen (big enough for a preview, histogram, and technical data all at once) and, most importantly, a full-frame (FX) format sensor with 12.1MP and stunning light sensitivity – so I can use my lenses (which mostly date back to my F90X film days) to their full effect. In short, the D700 will undo all the compromises I made when I switched to digital and give me back even more.

Then there are the lenses – I already have an AF-S 80-200mm f2.8 IF-ED lens so, although a modern VR lens (i.e. the AF-S VR 70-200 f2.8G ED-IF) would be nice, it’s the AF-S 14-24mm f/2.8G ED that I desire in order to capture some full frame landscape photography goodness when I’m on holiday in France this summer (instead of stitching frames together in Photoshop, as I do with my DX sensor and an AF-S 24-85mm f2.8-4D IF lens).

So, this is the deal: I need to save around £2800 for my new kit but that’s a lot of pocket money (more than the family holiday will cost!). This is where I get cheeky because there are a lot of people who read this blog and if I work out how much I earn from it, it’s quite depressing (let’s just say it’s well below minimum wage). If you subscribe to the RSS feed you don’t even have to look at the ads so, if you find what I write useful, how about sending me a PayPal donation? I don’t ask for much but if I’ve written something that’s saved you some time, effort, even some money, a contribution towards my camera fund would be really welcome. In return, I’ll keep on writing a mix of (hopefully useful) IT and photography-related articles whilst I try to take some good pictures and publish them on my Flickr feed.

More licensing changes for virtualisation with Windows Server 2008

Last summer, there was a big shake up of Microsoft’s licensing policies around virtualisation. Matt McSpirit provides the best explanation of licensing Windows Server in a virtual environment that I’ve seen on his blog but, today, I was notified about some new developments in the Microsoft Windows Server 2008 licensing model.

Quoting from the e-mail I received:

“Currently, if your physical server environment is running Windows Server 2003, matching version CALs are required for all users (i.e. Windows Server 2003 CALs). However, if you move your physical Windows Server 2003 Operating System Environments (OSE) to run as virtual machines hosted by Windows Server 2008 Hyper-V, Windows Server 2008 CALs are required. This is per the current use rights. With the change in our licensing policy, Windows Server 2008 CALs are no longer required if you are using Windows Server 2008 solely as a virtualization host. The only exception to this is if you are running Windows Server 2008 virtual machines, which would require Windows Server 2008 CALs.”

The e-mail then goes on to describe three scenarios by way of example:

Scenario 1 – Customer deploying WS08 Workloads

  • There is no change in licensing or CAL requirements
  • This is irrespective of whether the customer deploys WS08 workloads (other than Hyper-V) in a physical or virtual environment.

Scenario 2 – Customer only deploys WS08 Hyper-V to consolidate WS03

  • WS08 CAL are no longer required
  • Customer will still need CALs for the appropriate WS edition (WS03 in this example)

Scenario 3 – Customer deploys WS08 Hyper-V to consolidate WS03 but also has WS08 deployments

  • WS08 CAL requirements will apply for the WS08 deployment
  • A CAL for a particular version of Windows Server allows the user/device to access all instances of that version of Windows Server (and prior versions) across the organization.”

So, if you have a Windows Server 2003 (or earlier) estate without SA and were thinking of virtualising on Windows Server 2008 (but didn’t want to stump up for the Windows Server 2008 CALs), this could save you a lot of money. Full details may be found in the updated licensing brief.

Photography is not a crime

In the current climate of political correctness and anti-terrorism legislation, there have been a few situations recently where photographers have found themselves falling foul of the law – for example the US photographer who was arrested whilst taking photos for an Amtrak competition at a railway station (of all places!) – and the UK Home Secretary caused controversy last summer when she suggested that legal restrictions may be placed upon photographers.

A petition was lodged at the Prime Minister’s web spinning site and this week a response was published.

“There are no legal restrictions on photography in public places. However, the law applies to photographers as it does to anybody else in a public place. So there may be situations in which the taking of photographs may cause or lead to public order situations, inflame an already tense situation, or raise security considerations. Additionally, the police may require a person to move on in order to prevent a breach of the peace, to avoid a public order situation, or for the person’s own safety or welfare, or for the safety and welfare of others.

Each situation will be different and it would be an operational matter for the police officer concerned as to what action if any should be taken in respect of those taking photographs. Anybody with a concern about a specific incident should raise the matter with the Chief Constable of the relevant force.”

[Number10.gov.uk response to photography law e-petition, 12 January 2008]

So, there you have it – Photography Is Not A Crime – although an overzealous law enforcement agent may think it is until you take it up with his or her Chief Constable…

Resuming stuck downloads in the Microsoft File Transfer Manager

The chances are that if you’ve been reading this blog then, by now, you’ve had a go at downloading the Windows 7 beta. If, like me, you used Microsoft Connect to get your copy, then you’ve been using the Microsoft File Transfer Manager (FTM) to download the software and, in my experience, sometimes this gets stuck. In my case, after downloading 8GB of software (I have multiple build variants to test – and now I’m waiting to see if my ISP invokes its fair use policy…), it stuck with 30MB to go.

It might be useful to note that when this happens there is a workaround – sometimes just suspending and resuming the download will do the trick – other times the suspend doesn’t seem to work either. In that case, exit the File Transfer Manager, then attempt to download something else (starting a new instance of the FTM). If you want to keep the new download then let it run its course but, if not, you can cancel it (you only needed to download something to access a new instance of FTM) – either way you should be able to resume the stuck download.

Detecting and fixing stuck pixels on an iPhone

Last week I wrote that my iPhone had just been replaced under warranty but, just before it was swapped out, I decided to have a look at fixing the stuck pixels it had started to show.

First of all, I should explain that stuck pixels are just something that happens on certain types of display. Stuck pixels (which show a seemingly permanent red, green or blue whenever the device is switched on) are particularly obvious on a dark background, but can be fixed. Dead pixels just show nothing and are… dead – i.e. they show nothing.

If you have stuck pixels on your iPhone, then you’ll probably have seen them already (and if you haven’t, why worry?) but there is a test page to help you spot them. To fix them, check out Knox’s iPhone pixel fix web application, which runs a cycle of colours on the screen at a rate that the iPhone can cope with (rather than the animated GIF solutions that the author claims don’t work because the iPhone’s processor can’t keep up).

It seemed to work for me. Definitely worth a try to lose the annoying blemishes.