Tuesday, September 23, 2008

Home Wi-Fi Security

I remember when just about every household wireless router made it difficult to add security to the connection. It wasn't part of the setup wizard, or the setup wizard didn't do a good enough job explaining why it was important.

I think we have definitely crossed a bridge in this area. Some routers (e.g. 2Wire) enable it out of the gate and put the key on the bottom of the unit (a practice we have started doing whenever we install them in a household now). Others require it as part of the setup wizard. Whatever the reason, people are finally doing it. I opened up my list of wireless networks while sitting on my couch and here's what I saw:

There were three more networks, all secured, below these that are visible. I'm glad the message finally got through. Let's just pray the ISM Band isn't toxic or something with this much Wi-Fi going around. =)

Tuesday, September 16, 2008

New Hyper-V Server Standalone

Microsoft has announced a new product called Microsoft Hyper-V Server. It's a free, standalone version of Hyper-V server with limited features. Based on what I have read, it's a core-install of Server 2008, meaning you will need to use external tools, or a command shell to configure and maintain it, and all it will run is Hyper-V.

If one of your guest OSes is going to be Windows Server 2008, and you need to license it, you're probably better off just buying a license for Windows Server 2008 Standard. If you run Hyper-V on Standard, you are allowed to extend that license to a single guest OS. This is probably what most small businesses will do, and run it on a full install of Server 2008 so all of the tools to manage it are in the same spot.

I can definitely see how this standalone product will come in handy for a few niche projects. It's always better to have the option for something like this, especially since VMWare has a couple of free virtualization server options.

Monday, September 15, 2008

Custom NTBackup Script

Here is the script I referenced in the previous post. You can download this script from here, or use the one below along with sendemail, which you can download from here.

Disclaimer: Use this script at your own risk. You assume all responsibility for your data if you choose to use this script to protect any systems. It is assumed that you can understand and modify this script to fit your environment.

@echo off

:: ARTECH-NIGHTLY
:: 19 JULY 2008
::
:: COPYRIGHT (C) 2008 ARTECH SOLUTIONS, INC.
:: Author: Alexander Romp - alex@artechsolutions.com
::
:: THIS SCRIPT IS LICENSED TO THE CLIENT FOR USE
:: AND MAY ONLY BE MODIFIED TO CHANGE VARIABLES AS
:: NEEDED. IT MAY NOT BE MODIFIED IN ANY OTHER WAY OR
:: COPIED EXCEPT BY ARTECH SOLUTIONS, INC.


set semail=administrator@customerdomain.com
set demail=BackupReports@yourdomain.com
set subject=Customer (%computername%) Nightly Backup
set destfile=X:\Nightly-Backup.bkf
set selsetname=Nightly-Backup.bks
set smtpserver=emailserver:25


:: =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
:: No Modification Below Here Should Be Required
:: =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=


for /f "Tokens=1-4 Delims=/ " %%i in ('date /t') do set dt=%%i-%%j-%%k-%%l
for /f "Tokens=1" %%i in ('time /t') do set tm=-%%i

set tm=%tm::=-%
set dtt=%dt%%tm%

if "%1" == "/full" goto full
if "%1" == "/incremental" goto incremental
if "%1" == "/emailtest" goto backdone

echo.
echo Please specify backup type with /full or /incremental
echo or /emailtest to test sending the last backup file.
echo.
goto EOF

:full

%windir%\system32\ntbackup.exe backup "@%userprofile%\Local Settings\Application Data\Microsoft\Windows NT\NTBackup\data\%selsetname%" /n "%computername% %dtt%" /d "%computername% %dtt%" /v:no /r:no /rs:no /m normal /j "%dtt%" /l:s /F "%destfile%" /UM

goto backdone

:incremental

%windir%\system32\ntbackup.exe backup "@%userprofile%\Local Settings\Application Data\Microsoft\Windows NT\NTBackup\data\%selsetname%" /a /d "%computername% %dtt%" /v:no /r:no /rs:no /m incremental /j "%dtt%" /l:s /F "%destfile%" /UM

goto backdone

:backdone

cd "%userprofile%\Local Settings\Application Data\Microsoft\Windows NT\NTBackup\data\"

for /f "tokens=1 delims=" %%M in ('dir *.log /B /O-D') do (
if "%%~xM"==".log" (
type "%%~fM" > %computername%-Backup.log
goto next1
)
)

:next1

sendemail -s %smtpserver% -f %semail% -t %demail% -u "%subject%" -a "%userprofile%\Local Settings\Application Data\Microsoft\Windows NT\NTBackup\data\%computername%-Backup.log" -m "Logfile Attached"

del /q "%userprofile%\Local Settings\Application Data\Microsoft\Windows NT\NTBackup\data\%computername%-Backup.log"

:EOF

Backup Solutions for Small Businesses

I think it's probably fair to say that the days of tape are in the past. At least when it comes to the majority of small businesses. I think the only client of ours that still "requires" the use of tape is an advertising agency that frequently has to pull very old files off of tape. And even that is somewhat debatable.

Most of our day-to-day file protection is done using shadow copy now. To me, that is probably one of the best features that was introduced with Server 2003. Most of our clients are using SBS 2003, which includes a front-end for using NTBackup complete with reporting and easy scheduling. However, one huge thing that is missing from this is the ability to recognize portable hard drives as valid backup destinations. It will recognize tape drives, and any drive that shows itself as removable, like the Dell RD1000 drive (which is just a 2.5" SATA drive in a housing that acts like a tape cartridge).

That is why I was glad to hear about the changes to backup in the new SBS 2008. It is specifically geared towards using portable hard drives to protect your data (however, it no longer supports tapes). The drives are set up using a configuration wizard, which labels each drive and "commandeers" it for exclusive use by the backup system. The system accesses the drives through a low-level API and optimizes them for speed, so they are not accessible by drive letter or visible in Windows Explorer.

The system is smart enough to know the difference between multiple drives and performs an ongoing differential backup and keeps the disks so that any of them can be used for full disaster recovery. This greatly simplifies the issues we have had in the past with sites that required cumulative incremental backups due to the size of their backups.

Until all of our clients are on SBS 2008, our current backup script is pretty handy. We had cobbled pieces of it together from various other samples over the years, and I finally put it together into a single script a couple of months ago. You simply define what you want to back up and save the selection set as a BKS file in the usual spot. The script requires one of three parameters. You launch it with either /full, /incremental or /emailtest. The first two should be self-explanatory. The third tests the script's ability to figure out which of the log files from NTBackup is the most recent, converts it to ASCII (side note: even though NTBackup log files can be opened with Notepad, they are actually binary files) and then sends it to the specified email server and recipient.

Our script calls sendemail.exe by Brandon Zehm to use as the email engine. If you are interested in seeing it for yourself, I will put it up in a separate post, or you can download it here.
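The log-handling half of the batch script above, rewritten here as an added PowerShell example (this is not the blog's script). It does the same three things the /emailtest path does, namely find the newest NTBackup log, convert it from UTF-16 to ASCII and mail it, and adds one check the batch version lacks: it scans the log for NTBackup's failure wording and puts OK or FAILED in the subject line, so a bad night is visible without opening the attachment. Assumptions: PowerShell 2.0 (Send-MailMessage is used in place of sendemail.exe), the standard NTBackup log folder, and the failure string "The operation did not successfully complete." as the marker to look for; the mail addresses and server name are the same placeholders used in the script.

```powershell
# Added example, not the blog's script. Assumes PowerShell 2.0, the standard NTBackup log folder,
# and NTBackup's failure wording "The operation did not successfully complete." (assumption).
$LogDir     = Join-Path $env:USERPROFILE 'Local Settings\Application Data\Microsoft\Windows NT\NTBackup\data'
$SmtpServer = 'emailserver'                        # placeholder, as in the batch script
$From       = 'administrator@customerdomain.com'   # placeholder
$To         = 'BackupReports@yourdomain.com'       # placeholder

function Get-LatestNtBackupLog {
    param([string]$Path = $LogDir)
    # Newest .log by last-write time: the file 'dir *.log /B /O-D' lists first in the batch script.
    Get-ChildItem -Path $Path -Filter '*.log' |
        Sort-Object LastWriteTime -Descending |
        Select-Object -First 1
}

function ConvertTo-AsciiLog {
    param([string]$Source, [string]$Destination)
    # NTBackup logs are UTF-16 text (the "binary" files the post mentions). Read them as Unicode
    # and write plain ASCII so mail clients and text tools can read the attachment.
    Get-Content -Path $Source -Encoding Unicode | Set-Content -Path $Destination -Encoding ASCII
}

function Test-NtBackupSucceeded {
    param([string]$AsciiLog)
    # Assumed failure marker (see lead-in). -Quiet makes Select-String return $true/$false.
    $failed = Select-String -Path $AsciiLog -Pattern 'did not successfully complete' -SimpleMatch -Quiet
    return (-not $failed)
}

$latest = Get-LatestNtBackupLog
if ($null -eq $latest) {
    Write-Warning "No NTBackup log found in $LogDir"
    exit 1
}

$report = Join-Path $LogDir "$env:COMPUTERNAME-Backup.log"
ConvertTo-AsciiLog -Source $latest.FullName -Destination $report

# Put the outcome in the subject so a failed backup stands out in the report mailbox.
$status  = if (Test-NtBackupSucceeded -AsciiLog $report) { 'OK' } else { 'FAILED' }
$subject = "Customer ($env:COMPUTERNAME) Nightly Backup - $status"

Send-MailMessage -SmtpServer $SmtpServer -Port 25 -From $From -To $To -Subject $subject `
    -Body "Log file attached. Source log: $($latest.Name)" -Attachments $report

Remove-Item -Path $report -Force
if ($status -ne 'OK') { exit 2 }
```

The non-zero exit codes (1 for no log, 2 for a failed backup) let a scheduler or monitoring agent flag the job without parsing the mail; the batch script always exits 0, so a silent failure there only shows up if somebody reads the attachment.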

Friday, September 12, 2008

Creating a Secondary OWA Instance

(continued from previous post: AuthAnvil on OWA 2007)

So I set out on the task of creating a secondary OWA instance in IIS for the purpose of securing using AuthAnvil. First, I bound a second IP address to the server under TCP/IP properties. Then I created a new website named "AA-Secured" and set it to only listen on the new IP address. Then I set it to use the same SSL certificate that the original site used (e.g. webmail.domain.com).

So far, so good. I'm no PowerShell guru, but I'm impressed with how versatile it is. I have used it to perform many of the regular Exchange tasks with ease. I'm a command shell junkie at heart, but I never learned how to do "real" programming beyond some horribly complicated CMD files and some very simple VB.

One of the cmdlets is called "New-OwaVirtualDirectory". So I executed the command:
New-OwaVirtualDirectory -owaversion:exchange2007 -websitename "AA-Secured"
I watched the new OWA virtual directory show up in IIS manager while PowerShell plugged away. However, after a little bit, it returned an error:
New-OwaVirtualDirectory : An error occurred while creating the IIS virtual directory 'IIS://server.domain.local/W3SVC/448843799/ROOT/owa' on 'SERVER'.
At line:1 char:24
+ New-OwaVirtualDirectory <<<< -owaversion:exchange2007 -websitename "AA-Secured"

Yes, I know I don't need to specify the version when executing this command - this is just one of the many ways I tried to get it to work.

In researching this issue, it seems that everybody's solution was to uninstall CAS (client access server - component of Exchange 2007), reinstall IIS and then reinstall CAS. Why would I want to do that? The original OWA listener works just fine.

If part of your job involves supporting and troubleshooting of Exchange environments, I really hope you follow the MS Exchange Team's blog. It's full of a lot of useful information. The part that specifically interested me was this article, titled "Supportability for multiple OWA/ Exchange Web Sites on Client Access Servers in Exchange Server 2007 and Exchange Server 2007 Service Pack 1" (quite the long title). However it was exactly what I was looking for.
  1. If you are using Forms-Based Authentication for your /OWA and/or legacy (/Exchange and /ExchWeb) virtual directories, Microsoft supports a single Web site per Client Access Server. Further, the /OWA and legacy virtual directories must be in the same Application Pool (AppPool).
  2. If you do not use Forms-Based Authentication, you can use as many Exchange Server-related Web sites as needed for your organization.
    However, Microsoft recommends that you use a Microsoft ISA Server 2006 server to handle Forms-Based Authentication for your various Web sites, in this circumstance.
  3. If Forms-Based Authentication must be used on the Exchange Server 2007 computer *and legacy virtual directories are not used*, you can use multiple Application Pools (AppPools) for each Web site.
    Note: Lack of legacy virtual directories will prevent proxy to Exchange Server 2003 mailbox servers and prevent Entourage clients from synchronizing with the Exchange Server using the Exchange service.
Here was my reaction to these points:
  1. Crap... We need forms-based authentication.
  2. Who cares? We need forms-based auth and there's no way we're moving the firewall over to the ISA box (which we use for web proxy).
  3. BINGO!
At this particular site, we only have a single Exchange server, which is 2007, and there's nobody using Entourage. So I used the following command to remove any legacy OWA directories:
Remove-OwaVirtualDirectory "exchange (default web site)"
Remove-OwaVirtualDirectory "public (default web site)"
Remove-OwaVirtualDirectory "exchweb (default web site)"
(I should mention that we didn't even have a public store at this site, much less users who use public folders via OWA, however I wanted to include it since most sites probably would have to remove that directory too)

After removing those other OWA virtual directories from the main site, I was able to execute the command successfully. Here's what IIS Manager and Exchange Manager looked like after all was said and done.

After making the new OWA virtual directory on the second site, we tested it to make sure it was fine on its own. Once we were confident everything was working, we locked it down with AuthAnvil's Web Logon agent, and modified the firewall so external users could only hit the new IP.
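The same procedure as a single Exchange Management Shell script, added here as an example (these are not the commands from the post). It inventories the OWA virtual directories, removes the three legacy ones from the default site, creates /owa on the second site with forms-based authentication turned on, and then verifies the result instead of assuming it. Assumptions: the second IIS site "AA-Secured" already exists on its own IP with the certificate bound, as described above; there is no Exchange 2003 proxying and no Entourage client (the precondition in point 3); and OWA virtual directory names take the form "name (Site Name)", so the new one is identified as "SERVER\owa (AA-Secured)". Locking the new site down with the AuthAnvil agent and the firewall change are not scripted here.

```powershell
# Added example, not the commands from the post. Run in the Exchange Management Shell on the CAS.
# Assumes the 'AA-Secured' IIS site already exists and that vdir names look like 'owa (Site Name)'.
$Server  = $env:COMPUTERNAME
$NewSite = 'AA-Secured'
# Legacy vdirs that must be gone from the default site before a second FBA site is supported (point 3).
$LegacyPattern = '^(exchange|public|exchweb) \(default web site\)$'

function Get-LegacyOwaVirtualDirectory {
    Get-OwaVirtualDirectory -Server $Server | Where-Object { $_.Name -match $LegacyPattern }
}

# 1. Show what is there now and whether forms-based auth is on.
Get-OwaVirtualDirectory -Server $Server | Format-Table Name, FormsAuthentication -AutoSize

# 2. Remove the legacy directories; this is what unblocked New-OwaVirtualDirectory in the post.
foreach ($vdir in Get-LegacyOwaVirtualDirectory) {
    Write-Host "Removing legacy virtual directory: $($vdir.Identity)"
    Remove-OwaVirtualDirectory -Identity $vdir.Identity -Confirm:$false
}

# 3. Create /owa on the second site and require forms-based authentication there.
New-OwaVirtualDirectory -WebSiteName $NewSite | Out-Null
$newId = "$Server\owa ($NewSite)"
Set-OwaVirtualDirectory -Identity $newId -FormsAuthentication $true

# 4. Verify: the new vdir exists and no legacy vdir remains on the default site.
$created  = Get-OwaVirtualDirectory -Identity $newId
$leftover = @(Get-LegacyOwaVirtualDirectory)
if ($created -and $leftover.Count -eq 0) {
    Write-Host "OK: $($created.Identity) created, FormsAuthentication=$($created.FormsAuthentication)"
} else {
    Write-Warning 'Verification failed: review the Get-OwaVirtualDirectory output above.'
}
```

Step 2 is irreversible without re-creating the legacy directories, so run step 1 on its own first and confirm that only the /owa directory on the default site is needed (no Exchange 2003 mailbox servers behind this CAS, no Entourage users) before letting the loop run.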

AuthAnvil on OWA 2007

If you're not familiar with AuthAnvil, you should check it out. It's a great two-factor solution designed for the SMB market. It's easy to install, and the support is great.

They're getting ready to release the 1.6 version of their agents (edit: It was released yesterday). I've been running 1.5 for a while and we use it to secure our desktop machines as well as OWA.

Did I mention that we use Exchange 2007? Exchange 2007 requires a 64-bit server OS. However there's one little problem. There isn't a 64-bit version of the ISAPI available for AuthAnvil yet (I think that's coming out in 1.6).

I've had many conversations with Dana Epp, the owner of Scorpion Software, makers of AuthAnvil. I told him that I wanted to experiment with securing OWA 2007 using their Web Logon Agent. He was kind enough to send me the 64-bit version of the ISAPI DLL and some instructions. I ran into some roadblocks along the way, but was able to get past all of them. We have been running AuthAnvil with our OWA server with no issues for over two months now.

With this in mind, I was confident telling a client of mine that we would have no problem installing it onto their Exchange 2007 OWA server. However, their environment was a little bigger than ours. One of the features of AA's web logon agent is the whitelist. You can set up individual IP addresses that don't require two-factor logins. This is handy if you have internal users using OWA and you don't want to buy tokens for them. However, this environment has 12 class-C networks spread out across Central Iowa. Many of the internal users use OWA for their email. That means we would have roughly 3000 IP addresses to whitelist.

So my solution was to create a secondary OWA in IIS on a different IP. Internal users would continue to hit the old, unsecured version. However external users would be directed to the new listener in IIS, which would be secured with AuthAnvil. I've had to create secondary OWA listeners in older versions of Exchange. How hard could it be with this shiny new version?

Famous last words...

(to be continued)

Thursday, September 11, 2008

Hyper-V Stuck at 53%

Just a weird little issue. Seems that the KB article has been out since March but HP is yet to fix the problem.

If you install any updates to Hyper-V on certain HP servers running their NIC management software, after you reboot you will be stuck on "Stage 3 of 3" at 53%. Luckily there were a few good hits for this on Google and we easily fixed it.

The fix involves booting from the CD and using Repair (which is much improved in Server 2008 - I'm impressed), then renaming a file.

I'm sure the Microsoft KB article would have appeared in my results, however it has 54% instead of 53% (I did find some older references online that had 54% in them).

Here's the article in case anybody else runs into this:
http://support.microsoft.com/kb/950792

I'm really digging Hyper-V. Yes, I still like ESX too, so I don't want to hear anything from VMWare fanboys.

Wednesday, September 10, 2008

Windows Search 4.0

Why does Microsoft like to sneak products into patches?

A recent example of this would be the inclusion of Windows Search 4.0 which was installed if you approved an update patch. The patch was just supposed to update it if it was installed. Not install the full version for everybody.

Personally, I'm a fan of Windows Search. However it seems to *really* slow down machines if they're more than a year old. It landed on a couple of our managed networks and the users really started to complain. At first I thought the complaints would die down once the indexing process completed. However it's been a week and a half and the complaints keep coming.

This is another one of those times that I absolutely LOVE using Kaseya. With just a few clicks, I created a script that tests for the existence of the uninstall file (which is only there if the product is installed), and then runs it in silent mode. I tested it on a machine that I was logged into remotely to make sure the user didn't see anything. Everything worked like a charm.

The command in case anybody needs it is:

C:\WINDOWS\$NtUninstallKB940157$\spuninst\spuninst.exe /quiet /norestart

Or for you Kaseya Script people:

Script Name: Remove Windows Search 4.0
Script Description:

IF Test File
Parameter 1 : C:\WINDOWS\$NtUninstallKB940157$\spuninst\spuninst.exe

Exists :
THEN

Execute File

Parameter 1 : C:\WINDOWS\$NtUninstallKB940157$\spuninst\spuninst.exe
Parameter 2 : /quiet /norestart
Parameter 3 : 3

OS Type : 0

ELSE

This just ran in the background. I watched as the search taskbar disappeared followed by the tray icon. I then checked the Add/Remove programs list to make sure that it was indeed gone.
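For sites without Kaseya, here is the same test-then-uninstall logic as an added PowerShell example (not the Kaseya script from the post). It runs the uninstaller silently with the switches quoted above, waits for it and returns the exit code, and checks the Add/Remove Programs list before and after, which the post does by hand. Assumptions: PowerShell 2.0 on the managed machine (Start-Process), the spuninst path from the post, and that the product registers under the standard Uninstall registry key with a DisplayName starting with "Windows Search".

```powershell
# Added example, not the Kaseya script from the post. Assumes PowerShell 2.0, the spuninst path quoted
# above, and (assumption) an Add/Remove Programs entry whose DisplayName starts with 'Windows Search'.
$Uninstaller  = Join-Path $env:SystemRoot '$NtUninstallKB940157$\spuninst\spuninst.exe'
$UninstallKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'

function Get-WindowsSearchEntry {
    # Add/Remove Programs is driven by these subkeys; one per installed product or update.
    Get-ChildItem -Path $UninstallKey |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
        Where-Object { $_.DisplayName -like 'Windows Search*' }
}

function Remove-WindowsSearch4 {
    # Mirrors the Kaseya "IF Test File ... THEN Execute File" logic, but returns the exit code.
    if (-not (Test-Path -Path $Uninstaller)) {
        Write-Host 'Windows Search 4.0 uninstaller not present; nothing to do.'
        return $null
    }
    $proc = Start-Process -FilePath $Uninstaller -ArgumentList '/quiet', '/norestart' -Wait -PassThru
    return $proc.ExitCode
}

$before = @(Get-WindowsSearchEntry)
$code   = Remove-WindowsSearch4
$after  = @(Get-WindowsSearchEntry)

Write-Host ("Entries before: {0}, after: {1}, uninstaller exit code: {2}" -f $before.Count, $after.Count, $code)
if ($null -ne $code -and $after.Count -gt 0) {
    Write-Warning 'Uninstaller ran but an Add/Remove Programs entry is still present; a reboot may be pending.'
}
```

Because /norestart is passed, an exit code of 3010 from spuninst means the removal completed but needs a reboot to finish, so the Add/Remove entry can legitimately linger until then; anything else non-zero is worth a look before rolling the script out to the rest of the network.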