Archive for November, 2005

Protect Yourself – Restrict Your Privileges

November 29, 2005

One of the advantages of having your own computer is all the things that you can do with it. From surfing the web, and holding instant audio / video conferences with friends and family, to paying your bills and maintaining data used in your various hobbies, your computer lets you do marvelous things.

Unfortunately, what your computer can do, the bad guys can use, if you don’t stop them. Would you want unknown persons having access to lists of your bank accounts? Would you want unknown persons having the ability to create files and folders on your system, without you knowing about them? How about if somebody were to encrypt the contents of your system, and let YOU use what’s on YOUR computer only after you pay them?

Back when the web was just getting started, a browser (like Internet Explorer) was used to display text documents that used hypertext to reference other documents. Then somebody added the ability to display pictures. Every web page needs at least a picture or two – look at the upper right portion of this window – do you see the MVP logo? That’s a picture (and one that I’m pretty proud of too). Click on the logo, and you can see my picture too.

Unfortunately, with every ability given to your browser, comes the ability of the bad guys to use that ability against you.

Are you using Internet Explorer right now? Download one of the absolutely neatest utilities that you can get for Windows NT based (NT, 2000, 2003, XP) operating systems. Process Explorer will tell you 100 times as many details as the native Windows Task Manager will. Process Explorer is free, and does not require any installation process – just drop it into an available folder. Please don’t drop it into the root of C:, or anywhere into the C:\Windows structure – create a folder for it, such as “C:\Utilities”, or “C:\Program Files\Process Explorer”.

Now Process Explorer, and other utilities like it, are provided to us by SysInternals and Mark Russinovich, the guy who caught Sony with their pants down. You can trust anything from SysInternals (my professional opinion anyway). And you can trust anything else that I tell you about – really. I don’t recommend any products – free or otherwise – that I don’t use myself. But please don’t indiscriminately download software from the web.

So, did you just download Process Explorer? Did you do that using Internet Explorer? If so, you used a browser that is built from, and can load, ActiveX components. ActiveX is not a scripting language: an ActiveX control is compiled native code (a COM object) that Internet Explorer loads into its own process, and it runs with the full privileges of the user who is running the browser, with no sandbox around it. The same kind of component can be used by a program on your computer, or by a web page in your browser, and that is the problem.

What happens if you surf to Hackerz-R-Us, and download one of the games there? Do it using Internet Explorer, and you may find yourself Owned. An ActiveX control that can be loaded from a web page runs as native code with whatever privileges you have; if you are logged on as an administrator, it can do anything to the system, and that is enormous potential to do you harm.

Having said that, it would NOT be in your interest, even if you could, to delete the ActiveX libraries. Nor can you remove ActiveX entirely from Internet Explorer. Windows Update, which you absolutely should use regularly, depends upon an ActiveX control to update your system.

Short of doing something drastic, you can do several things.

Use The Browser As A Restricted User
Knowing that Internet Explorer would be essential to your using Windows, Microsoft built security zones into it, so that you can designate some websites (such as WindowsUpdate) as absolutely trustworthy (the Trusted sites zone), and others (such as Hackerz-R-Us) as absolutely untrustworthy (the Restricted sites zone). You can disable ActiveX, scripting, and other dangerous browser features for the Restricted sites zone, and tighten them for the Internet zone, which is where every site you have not classified ends up.

One of the best known security experts on the web, Eric Howes, explains how to do this, and provides a regularly updated database of known dangerous websites.

Don’t Surf To Dangerous Websites
Right. Don’t go there. Stay away from http://www.hackerzrus.org! Unfortunately, this may not be an effective strategy on its own. A DNS hijack, whether local (an entry planted in your Hosts file) or on the network (a compromised or spoofed DNS server), could redirect traffic for windowsupdate.microsoft.com to www.hackerzrus.org.

Use The Computer As A Restricted User
How often do you install software? Most useful software requires you to close all open applications, and / or forces you to restart the system after installing. If you’re like me, you install once / day, or once / week.

So why should you log in to your computer as an administrator routinely? If you do all of your web surfing as a non-administrator, and you accidentally (yeah right) surf to http://www.hackerzrus.org, don’t run any scripts there. View the pictures, and read the text, just don’t run any of their programs. And if something does run anyway, it can only do what your limited account can do.

But what if you surf to a malicious website, but one with a benevolent name? How about http://www.sys1nternals.com?

One of the best ways to protect yourself is to NOT use Internet Explorer, by policy, except when doing Windows Updates. When you’re surfing the web, sign in as a user, and a user with non-administrative privilege; keep a separate administrator account for the days you install software.

Aaron Margosis, a Microsoft security expert, has a very active blog discussing the pros and cons of running with limited privilege. And Derek Melber, of WindowsSecurity, has Using Dual Accounts for Administrators.
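Before you trust that the account you surf with is really a limited one, check the groups in its token. The script below is an added example, not code from this post: it parses the text that `whoami /groups` prints and reports whether BUILTIN\Administrators is actually in effect. The three sample outputs inside it are constructed to look like the real command’s output, not captured from any machine. A membership listed as “used for deny only” is how an administrator’s token looks when it is filtered by User Account Control on Vista and later; the script treats that as not-admin, which is correct for what the token can do, though such an account can still elevate.

```python
"""Tell whether the logged-on account is an administrator, from `whoami /groups`.

Added example; the three sample outputs are constructed to look like the
real command's output and are not captured from any actual machine.  On a
live system run `whoami /groups` and pass its text to is_admin()."""

import re

# Well-known BUILTIN group SIDs; these are the same on every Windows install.
BUILTIN_SIDS = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-547": "Power Users",
    "S-1-5-32-545": "Users",
}

SID_LINE = re.compile(r"\b(S-1-[0-9-]+)\s+(.*)$")

# Constructed: an interactive logon that is a member of Administrators.
SAMPLE_ADMIN = """\
Group Name              Type             SID          Attributes
======================= ================ ============ ==========================================
Everyone                Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\\Administrators  Alias            S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\\Users           Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
"""

# Constructed: a limited user, member of Users only.
SAMPLE_USER = """\
Everyone                Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\\Users           Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
"""

# Constructed: an administrator running un-elevated under UAC (Vista and later).
# Administrators is listed, but "used for deny only" grants nothing.
SAMPLE_FILTERED = """\
BUILTIN\\Administrators  Alias            S-1-5-32-544 Group used for deny only
BUILTIN\\Users           Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
"""


def parse_groups(output):
    """Map each SID found in the output to its attribute string."""
    groups = {}
    for line in output.splitlines():
        m = SID_LINE.search(line)
        if m:
            groups[m.group(1)] = m.group(2).strip()
    return groups


def effective_builtin_groups(output):
    """Names of BUILTIN groups that actually grant access to this token."""
    return [BUILTIN_SIDS[sid] for sid, attrs in parse_groups(output).items()
            if sid in BUILTIN_SIDS and "deny only" not in attrs.lower()]


def is_admin(output):
    return "Administrators" in effective_builtin_groups(output)


if __name__ == "__main__":
    for label, sample in (("admin", SAMPLE_ADMIN), ("user", SAMPLE_USER),
                          ("filtered", SAMPLE_FILTERED)):
        verdict = ("administrator: do not surf like this" if is_admin(sample)
                   else "limited: fine for surfing")
        print(f"{label:8} {effective_builtin_groups(sample)} -> {verdict}")
```

Run `whoami /groups > groups.txt` from the account in question and feed the file to `is_admin()`; if it says administrator, that is not the account to surf with.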


Sys1nternals

November 29, 2005

This could be a website with malicious content. You never know.

As I say separately, in my professional opinion, you can trust anything provided by http://www.sysinternals.com. SysInternals has been providing powerful, and free, system utilities for years. But, as you become well known, you need to watch out for imitators. I would not be surprised to hear, one day, of the bad guys registering the domain Sys1nternals, and serving malware to anybody surfing to http://www.sys1nternals.com.

So be careful, and any time you see a web site address, check it carefully for intentional misspellings like this: a digit 1 where a letter l belongs, a 0 for an o, or rn in place of m.
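The check is mechanical enough to automate. The script below is an added example, not from this post: it reduces a domain to a “skeleton” in which the usual look-alike characters are collapsed, and flags any address whose skeleton matches a trusted domain without being that domain. The trusted list is a constructed allow-list, and the confusable table covers only the common ASCII swaps; real attackers also use Unicode homoglyphs, which this example does not handle.

```python
"""Flag web addresses whose domain looks like, but is not, a trusted one.

Added example, not from the original post.  TRUSTED is a constructed
allow-list and CONFUSABLE covers only the common ASCII look-alikes."""

from urllib.parse import urlparse

TRUSTED = {"sysinternals.com", "microsoft.com", "windowsupdate.com"}

# Substitutions that read the same in many fonts; longest keys apply first.
# l, I and 1 are hard to tell apart, and lowercasing turns I into i.
CONFUSABLE = {
    "rn": "m",
    "vv": "w",
    "1": "l",
    "i": "l",
    "0": "o",
    "5": "s",
}


def registrable(host):
    """Drop a leading 'www.' and keep the last two labels.  Good enough for
    .com/.org names; country-code suffixes such as .co.uk need a public
    suffix list, which this example does not carry."""
    host = host.lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    return ".".join(host.split(".")[-2:])


def skeleton(name):
    """Collapse look-alike characters so a lookalike and its target compare equal."""
    for bad, good in sorted(CONFUSABLE.items(), key=lambda kv: -len(kv[0])):
        name = name.replace(bad, good)
    return name


def classify(url):
    """Return (verdict, trusted_domain); verdict is 'trusted', 'lookalike' or 'unknown'."""
    if "://" not in url:
        url = "http://" + url
    host = urlparse(url).hostname or ""
    domain = registrable(host)
    if domain in TRUSTED:
        return "trusted", domain
    for trusted in TRUSTED:
        if skeleton(trusted) == skeleton(domain):
            return "lookalike", trusted
    return "unknown", None


if __name__ == "__main__":
    # Constructed addresses, including the two mythical ones from this blog.
    for url in ("http://www.sysinternals.com/", "http://www.sys1nternals.com",
                "http://rnicrosoft.com/update", "http://www.hackerzrus.org"):
        print(f"{url:40} {classify(url)}")
```

The skeleton approach is coarse on purpose: it will not catch a transposed letter or a plausible extra word, only substitutions that are invisible to the eye, which is exactly the Sys1nternals trick.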

Hackerz-R-Us

November 29, 2005

No, I will NOT provide an actual link to a site which may knowingly serve malware, maybe even intrusive malware.

So, I provide that mythical domain name, as a link to this article. Shame on you for expecting something different. How about if I included a link to http://www.naked-chicks.com? Would you click on that too?

Lost Ability To Create New Network Connections

November 25, 2005

When you use Windows XP System Restore, remember not to restore to a restore point created before a major system update. You can cause major problems with a scenario like:

  1. Upgrade XP to SP2.
  2. Attempt System Restore to a point before the SP2 upgrade.

One of the known consequences of the above scenario is loss of functionality in the New Connection Wizard. You might observe any of these symptoms:

  • One or more of the selections in the New Connection Wizard may be grayed out (unavailable).
  • The Network Connections folder may be empty.
  • You may receive an error like

    Cannot load Remote Access Connection Manager. Error 711.

When this happens, the only valid recovery is to reapply SP2. After that, you will have to rerun Windows Update, and reapply every update released after SP2.

But what if this isn’t the case? What if SP2 wasn’t recently applied, or no System Restore to a point before the SP2 upgrade was done? There is one thing you can check. The Remote Access Auto Connection Manager (RasAuto) and Remote Access Connection Manager (RasMan) services must both be running; RasAuto depends on RasMan, which in turn depends on the Telephony (TapiSrv) service. If you have this problem, open the Services console (services.msc), and make sure that those services, and all those that they depend upon (the Dependencies tab of each service’s properties lists them), are Started and not Disabled. Their default startup type is Manual, which is fine; a service set to Disabled will not start on demand, and neither will anything that depends on it.
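The same check can be scripted from the output of `sc qc` and `sc query`, which print the dependency list and the current state of a service. The script below is an added example, not from this post: it walks the chain from RasAuto downward and reports every link that is stopped or disabled, deepest first, which is the order in which they have to be fixed. The two dictionaries are constructed to mirror what the commands print for this chain; on a live machine replace them with the real command output.

```python
"""Walk a service's dependency chain and find the links that are not running,
using the text that `sc qc <name>` and `sc query <name>` print.

Added example, not from the original post.  SC_QC and SC_QUERY are
constructed to look like the real commands' output for the chain
RasAuto -> RasMan -> Tapisrv -> (PlugPlay, RpcSs).  On a live machine use
subprocess.check_output(["sc", "qc", name], text=True) and
subprocess.check_output(["sc", "query", name], text=True) instead."""

import re

SC_QC = {   # constructed `sc qc` output, trimmed to the lines that matter
    "RasAuto": """SERVICE_NAME: RasAuto
        START_TYPE         : 3   DEMAND_START
        DISPLAY_NAME       : Remote Access Auto Connection Manager
        DEPENDENCIES       : RasMan
        SERVICE_START_NAME : LocalSystem""",
    "RasMan": """SERVICE_NAME: RasMan
        START_TYPE         : 3   DEMAND_START
        DISPLAY_NAME       : Remote Access Connection Manager
        DEPENDENCIES       : Tapisrv
        SERVICE_START_NAME : LocalSystem""",
    "Tapisrv": """SERVICE_NAME: Tapisrv
        START_TYPE         : 4   DISABLED
        DISPLAY_NAME       : Telephony
        DEPENDENCIES       : PlugPlay
                           : RpcSs
        SERVICE_START_NAME : LocalSystem""",
    "PlugPlay": """SERVICE_NAME: PlugPlay
        START_TYPE         : 2   AUTO_START
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem""",
    "RpcSs": """SERVICE_NAME: RpcSs
        START_TYPE         : 2   AUTO_START
        DEPENDENCIES       :
        SERVICE_START_NAME : NT AUTHORITY\\NetworkService""",
}

SC_QUERY = {   # constructed `sc query` output
    "RasAuto":  "SERVICE_NAME: RasAuto\n        STATE              : 1  STOPPED",
    "RasMan":   "SERVICE_NAME: RasMan\n        STATE              : 1  STOPPED",
    "Tapisrv":  "SERVICE_NAME: Tapisrv\n        STATE              : 1  STOPPED",
    "PlugPlay": "SERVICE_NAME: PlugPlay\n        STATE              : 4  RUNNING",
    "RpcSs":    "SERVICE_NAME: RpcSs\n        STATE              : 4  RUNNING",
}


def parse_dependencies(qc_text):
    """DEPENDENCIES is printed one name per line; continuation lines start with ':'."""
    deps, collecting = [], False
    for line in qc_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("DEPENDENCIES"):
            collecting = True
        elif not stripped.startswith(":"):
            collecting = False
        if collecting:
            _, _, value = stripped.partition(":")
            if value.strip():
                deps.append(value.strip())
    return deps


def parse_field(text, field):
    """The word after the number in lines like 'STATE : 4  RUNNING'."""
    m = re.search(field + r"\s*:\s*\d+\s+(\w+)", text)
    return m.group(1) if m else "UNKNOWN"


def dependency_chain(name, qc, seen=None):
    """Services in the order they must start: dependencies before dependants."""
    seen = set() if seen is None else seen
    if name in seen:
        return []
    seen.add(name)
    order = []
    for dep in parse_dependencies(qc.get(name, "")):
        order += dependency_chain(dep, qc, seen)
    order.append(name)
    return order


def problems(name, qc, query):
    """(service, state, start type) for every link that is not running or is
    disabled, in start order.  Fix the first one first."""
    out = []
    for svc in dependency_chain(name, qc):
        state = parse_field(query.get(svc, ""), "STATE")
        start = parse_field(qc.get(svc, ""), "START_TYPE")
        if state != "RUNNING" or start == "DISABLED":
            out.append((svc, state, start))
    return out


if __name__ == "__main__":
    for svc, state, start in problems("RasAuto", SC_QC, SC_QUERY):
        print(f"{svc:10} {state:8} startup={start}")
```

In the constructed case the root cause is Telephony being disabled; the fix is `sc config Tapisrv start= demand` (the space after `=` is required by sc) followed by `net start RasAuto`, which starts the chain beneath it.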

For more information, see these Microsoft articles.

Virtual Memory and The Thing King

November 23, 2005

Are you somewhat confused by virtual systems? Do you understand them but have a hard time explaining how they work? Then the following explanation, developed by Jeff Berryman, a Systems Programmer at the University of British Columbia (UBC) Computer Center, and originally published in the UBC Computer Center Newsletter, may help.

THE PAGING GAME
Rules

  1. Each player gets several million things.
  2. Things are kept in crates that hold 2048 things each. Things in the same crate are called crate-mates.
  3. Crates are stored either in the workshop or warehouse. The workshop is almost always too small to hold all the crates.
  4. There is only one workshop but there may be several warehouses. Everybody shares them.
  5. Each thing has its own thing number.
  6. What you do with a thing is to zark it. Everybody takes turns zarking.
  7. You can only zark your things, not anybody else’s.
  8. Things can only be zarked when they are in the workshop.
  9. Only the Thing King knows whether a thing is in the workshop or in a warehouse.
  10. The longer a thing goes without being zarked, the grubbier it is said to become.
  11. The way you get things is to ask the Thing King. He only gives out things in multiples of eight. This is to keep the royal overhead down.
  12. The way you zark a thing is to give its thing number. If you give the number of a thing that happens to be in the workshop it gets zarked right away. If it is in a warehouse, the Thing King packs the crate containing your thing back into the workshop. If there is no room in the workshop, he first finds the grubbiest crate in the workshop, whether it be yours or somebody else’s, and packs it off with all its crate-mates to a warehouse. In its place he puts the crate containing your thing. Your thing then gets zarked and you never knew that it wasn’t in the workshop all along.
  13. Each player’s stock of things have the same numbers as everybody else’s. The Thing King always knows who owns what thing and whose turn it is, so you can’t ever accidentally zark somebody else’s thing even if it has the same number as one of yours. (VS/2)

Notes

  1. Traditionally, the Thing King sits at a large, segmented table and is attended to by pages (the so-called “table pages”) whose job it is to help the king remember where all the things are and who they belong to.
  2. One consequence of Rule 13 is that everybody’s thing numbers will be similar from game to game, regardless of the number of players.
  3. The Thing King has a few things of his own, some of which move back and forth between workshop and warehouse just like anybody else’s, but some of which are just too heavy to move out of the workshop.
  4. With the given set of rules, oft-zarked things tend to get kept mostly in the workshop while little-zarked things stay mostly in a warehouse. This is efficient stock control.
  5. Sometimes even the warehouses get full. The Thing King then has to start piling things on the dump out back. This makes the game slower because it takes a long time to get things off the dump when they are needed in the workshop. A forthcoming change in the rules will allow the Thing King to select the grubbiest things in the warehouses and send them to the dump in his spare time, thus keeping the warehouses from getting too full. This means that the most infrequently-zarked things will end up in the dump so the Thing King won’t have to get things from the dump so often. This should speed up the game when there are a lot of players and the warehouses are getting full. (Not applicable to VS/1)

LONG LIVE THE THING KING

—————————————————
Dr. Michael R. Williams
Editor-in-Chief, Annals of the History of Computing
Department of Computer Science
University of Calgary
Calgary, Alberta
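The rules above describe demand paging with least-recently-used replacement, and they are precise enough to run. The program below is an added example, not part of the reprinted article: it plays the game for a few zarks and shows crates being fetched and the grubbiest one evicted. Rule 2’s crate size (2048 things) is kept; the workshop size in the usage section is a constructed small number so that evictions happen after a handful of zarks.

```python
"""The Paging Game as a program: demand paging with least-recently-used
replacement, written from the rules above.

Added example, not part of the reprinted article.  The workshop sizes used
below are constructed so that the Thing King has to evict crates quickly."""

CRATE_SIZE = 2048          # rule 2: things per crate (a page)


class ThingKing:
    def __init__(self, workshop_crates):
        self.capacity = workshop_crates   # rule 3: the workshop is too small
        self.workshop = {}                # (player, crate) -> tick of last zark
        self.warehouse = set()            # crates packed off (paged out)
        self.tick = 0
        self.fetches = 0                  # crates brought into the workshop

    def crate_of(self, player, thing_number):
        # Rule 13: every player numbers things from zero, so a crate is
        # identified by (player, crate number), not by number alone.
        return (player, thing_number // CRATE_SIZE)

    def zark(self, player, thing_number):
        """Rule 12: zark a thing, fetching its crate first if it is away."""
        crate = self.crate_of(player, thing_number)
        self.tick += 1
        if crate not in self.workshop:
            if len(self.workshop) >= self.capacity:
                # Rule 12: the grubbiest crate (rule 10: longest un-zarked)
                # goes to the warehouse, whoever owns it.
                grubbiest = min(self.workshop, key=self.workshop.get)
                del self.workshop[grubbiest]
                self.warehouse.add(grubbiest)
            self.warehouse.discard(crate)
            self.fetches += 1
        self.workshop[crate] = self.tick  # freshly zarked: not grubby at all
        return crate

    def in_workshop(self, player, thing_number):
        """Rule 9: only the Thing King knows, but he will tell us."""
        return self.crate_of(player, thing_number) in self.workshop


def play(workshop_crates, zarks):
    """Run a list of (player, thing_number) zarks.
    Returns (crates fetched, crates left in the workshop, crates in warehouses)."""
    king = ThingKing(workshop_crates)
    for player, thing in zarks:
        king.zark(player, thing)
    return king.fetches, sorted(king.workshop), sorted(king.warehouse)


if __name__ == "__main__":
    # Constructed game: two players, a workshop that holds two crates.
    game = [("A", 0), ("A", 5000), ("A", 100), ("B", 0), ("A", 4100)]
    print(play(2, game))
```

Note 4 falls out of the code: a crate that keeps getting zarked keeps getting its tick refreshed, so it is never the minimum and never leaves the workshop.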

Don’t Lose Sight Of The Mission

November 23, 2005

This army officer didn’t, but you have to read the whole letter.

Gentlemen,

Whilst marching from Portugal to a position which commands the approach to Madrid and the French forces, my officers have been diligently complying with your requests which have been sent by H.M. ship from London to Lisbon and thence by dispatch to our headquarters.

We have enumerated our saddles, bridles, tents and tent poles, and all manner of sundry items for which His Majesty’s Government holds me accountable. I have dispatched reports on the character, wit, and spleen of every officer. Each item and every farthing has been accounted for, with two regrettable exceptions for which I beg your indulgence.

Unfortunately the sum of one shilling and ninepence remains unaccounted for in one infantry battalion’s petty cash and there has been a hideous confusion as to the number of jars of raspberry jam issued to one cavalry regiment during a sandstorm in western Spain. This reprehensible carelessness may be related to the pressure of circumstance, since we are at war with France, a fact which may come as a bit of a surprise to you gentlemen in Whitehall.

This brings me to my present purpose, which is to request elucidation of my instructions from His Majesty’s Government so that I may better understand why I am dragging an army over these barren plains. I construe that perforce it must be one of two alternative duties, as given below. I shall pursue either one with the best of my ability, but I cannot do both:

  1. To train an army of uniformed British clerks in Spain for the benefit of the accountants and copy-boys in London or perchance:
  2. To see to it that the forces of Napoleon are driven out of Spain.

— Duke of Wellington, to the British Foreign Office,
London, 1812

Windows XP – Which Edition Should I Choose?

November 22, 2005

The choice between Windows XP Home and Professional varies – and not always strictly according to network environment, or to use. Many small businesses can get by quite well with XP Home, yet many professionals wouldn’t have anything less than XP Pro in their home LAN.

Based on help requests, I’d guess that the most relevant distinctions, between XP Home and Pro, are:

  • Choice of file sharing. A computer running XP Home will only use Simple File Sharing.
  • Domain membership. A computer running XP Home cannot join a domain.
  • Number of simultaneous incoming connections. XP Home limits you to 5 simultaneous incoming connections, while XP Pro will limit you to 10.
  • Remote access to the desktop. XP Pro provides Remote Desktop, which integrates tightly into the Windows structure. For XP Home, and for other operating systems, you will need VNC, or a similar product.

As always, Your Mileage May Vary.

NOTE: There is a third, odd member of the trio. XP Media Center Edition has the XP Pro kernel. The early versions of MCE had all of the functionality of XP Pro, plus the multimedia capabilities. Starting with the 2005 version, XP MCE lost the ability to join a domain, though it still has many other components of XP Pro.

If you have a computer with either XP Home or XP MCE 2005, and you need it to access domain resources, please read File Sharing Under Windows XP – Windows XP In A Domain.

There are two additional editions of XP, which I will describe in more detail in the future.

If you want to make a detailed comparison, and look at other decision making possibilities, you may want to read additional articles:

Irregularities In Individual Share Accessibility

November 15, 2005

When I talk about strategies for diagnosing network problems, one of the principles that I recommend is Relational Pattern Analysis. Look for computers that have the same problem, and other computers that don’t. When you have problems that can’t be solved easily, when you use one of my troubleshooting guides like Irregularities In Workgroup Visibility, the larger your network, the better. You need computers that don’t have the problem, and computers that do, so you can identify the common thread between each set of computers, and then identify the problem itself.

Sometimes, though, your problem may be more complex. Instead of all shared folders on your server being invisible or inaccessible, maybe some are accessible, but others aren’t. Maybe only some are even visible. Now what do you do?

Visibility, and accessibility, of individual shared files and folders are controlled by Access Control Lists, or ACLs. The RestrictNullSessAccess registry value (under the LanmanServer Parameters key) controls whether anonymous, or null-session, connections can reach shares at all, and can affect access to individual shares if your server is authenticating remote users as Guest.

The easiest way for your shares to differ in visibility is to have improperly differing ACLs. The easiest way to resolve this is to identify, and correct, the differences between the ACLs.

With Windows 2000, and Windows XP Pro, the solution here is simple. Edit the ACLs. You can do this the obvious (but more time consuming) way, using the Security tab in Windows Explorer. Or you can do this the less obvious, but more efficient and scriptable way, using CACLS from a command prompt. Both procedures are discussed in Server Access Authorisation techniques.

With Windows XP Home, you can’t use the Security tab in Windows Explorer (it only appears when you boot into Safe Mode). Windows XP Home, and Simple File Sharing, set all permissions the same (supposedly). They don’t give you any way of changing any permissions, short of global settings where you identify each share, and allow (or disallow) network users to change the contents. With XP Home (or with XP Pro, if you prefer), you may use alternate Server Access Authorisation techniques.
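Finding the differences by eye is tedious once you have more than a couple of shares. The script below is an added example, not from this post or from the linked guide: it parses the text that `cacls <folder>` prints for each shared folder, compares every folder against a reference folder you know to be right, and prints the CACLS commands that would bring the odd ones into line. The CACLS_OUTPUT texts are constructed to look like real cacls output (the deny entry on the Docs folder is the kind of stray ACE that makes one share invisible while its neighbors work); on a live machine replace them with the real command output. Only the simple rights cacls can grant (R, W, C, F) are turned into commands; an ACE shown as “special access” must be fixed in the Explorer Security tab.

```python
"""Compare the ACLs of several shared folders and produce the CACLS commands
that bring the odd ones into line with a reference folder.

Added example, not from the original post.  CACLS_OUTPUT is constructed to
look like what `cacls <folder>` prints; on a live machine use
subprocess.check_output(["cacls", folder], text=True) instead."""

import re

CACLS_OUTPUT = {
    r"C:\Shares\Public": r"""C:\Shares\Public NT AUTHORITY\SYSTEM:(OI)(CI)F
                 BUILTIN\Administrators:(OI)(CI)F
                 BUILTIN\Users:(OI)(CI)R""",
    r"C:\Shares\Docs": r"""C:\Shares\Docs NT AUTHORITY\SYSTEM:(OI)(CI)F
               BUILTIN\Administrators:(OI)(CI)F
               Everyone:(OI)(CI)(DENY)R""",
    r"C:\Shares\Music": r"""C:\Shares\Music NT AUTHORITY\SYSTEM:(OI)(CI)F
                BUILTIN\Administrators:(OI)(CI)F
                BUILTIN\Users:(OI)(CI)C""",
}

FLAG = re.compile(r"\(([A-Z]+)\)")   # (OI), (CI), (IO), (DENY) ...


def parse_cacls(path, output):
    """Set of ACEs: (trustee, inheritance flags, right, is_deny)."""
    aces = set()
    for line in output.splitlines():
        line = line.strip()
        if line.startswith(path):
            line = line[len(path):].strip()    # the first line carries the path
        if not line:
            continue
        trustee, _, rest = line.partition(":")
        flags = FLAG.findall(rest)
        right = FLAG.sub("", rest).strip()
        aces.add((trustee.strip(), tuple(f for f in flags if f != "DENY"),
                  right, "DENY" in flags))
    return aces


def compare_acls(reference, other, outputs):
    """What `other` lacks, has extra, or grants differently, relative to `reference`."""
    key = lambda ace: (ace[0], ace[1], ace[3])          # who, inheritance, deny?
    ref = {key(a): a for a in parse_cacls(reference, outputs[reference])}
    oth = {key(a): a for a in parse_cacls(other, outputs[other])}
    return {
        "missing": sorted(ref[k] for k in ref.keys() - oth.keys()),
        "extra":   sorted(oth[k] for k in oth.keys() - ref.keys()),
        "changed": sorted((ref[k], oth[k]) for k in ref.keys() & oth.keys()
                          if ref[k][2] != oth[k][2]),
    }


def fix_commands(path, diff):
    """CACLS commands in a safe order: revoke strays first, then grant or replace.
    /E edits the ACL in place instead of replacing it; /R revokes, /G grants,
    /D denies, /P replaces a trustee's right."""
    cmds = [f'cacls "{path}" /E /R "{t}"' for t, _, _, _ in diff["extra"]]
    for t, _, right, deny in diff["missing"]:
        cmds.append(f'cacls "{path}" /E /{"D" if deny else "G"} "{t}":{right}')
    for (t, _, right, deny), _ in diff["changed"]:
        if deny:
            cmds += [f'cacls "{path}" /E /R "{t}"', f'cacls "{path}" /E /D "{t}":{right}']
        else:
            cmds.append(f'cacls "{path}" /E /P "{t}":{right}')
    return cmds


if __name__ == "__main__":
    reference = r"C:\Shares\Public"
    for folder in CACLS_OUTPUT:
        if folder == reference:
            continue
        diff = compare_acls(reference, folder, CACLS_OUTPUT)
        print(folder, diff)
        for cmd in fix_commands(folder, diff):
            print("   ", cmd)
```

Review the generated commands before running them; add `/T` if the change should apply to everything beneath the folder, and remember that a deny ACE always wins over an allow, which is why the stray `Everyone:(DENY)` entry is revoked before anything is granted.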

But, having identified the above possibilities, and carefully read and followed all instructions, sometimes you still can’t get things working just right. There are known problems which can’t be solved by simple ACL editing.

If you want to provide a secure computer, one of the recommendations is to keep the operating system updated, religiously. Microsoft issues monthly operating system updates, with patches of varying criticality. In most cases, it is beneficial to apply all critical patches. In some cases, like yours, a patch is itself the cause of the problem.

In this case, patch 885250, referenced in bulletin MS05-011, has recently been identified as the culprit in odd file sharing scenarios. The Microsoft article You cannot save a file from your Windows XP-based or Windows 2000-based computer…, and a subsequent article After you install security update 885250, both describe the symptoms of this problem. Applying patch 885250 has been known to produce file sharing symptoms of varying complexity:

  • “Error = 5”, aka “Access denied”.
  • “Error = 58”, aka “Bad network response”.
  • Access to some folders, but not to others.
  • Apparently empty folders, when you know there are files in there.
  • “File not found”.

In your case, there are 2 possible solutions:

The Static Route Table

November 11, 2005

Every networking device that uses or passes Internet Protocol traffic, and operates at OSI Layer 3 and above (your computer included), keeps a route table. The route table lists the networks the device knows about, the gateway through which each network is reached, the interface to send through, and a metric that ranks competing routes; routes you add yourself, with the route command, are the static ones, and on Windows the persistent ones survive a reboot.

To get the static route table for immediate examination, simply type “route print” into a command window.

If you want the data so it is easily compared between computers, you need to export the data into a text file.

  • Type “route print >c:\route.txt” (less the “”) into a command window.
  • Then,
    • Type “notepad c:\route.txt” (less the “”) into the same command window, for immediate examination.
    • Or, copy file c:\route.txt to another computer, for comparative examination.

Once you have the static route data in front of you, check out Joe Davies Understanding the IP Routing Table for details on how to interpret it, and to modify it.
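Comparing two route.txt files by eye is harder than it looks, because several entries legitimately differ from computer to computer (the host route to its own address, and every on-link route that names the interface address as its gateway). The script below is an added example, not from this post: it parses `route print` output, factors the host’s own addresses out, and reports the routes that only one of the two machines has. HOST_A and HOST_B are constructed to look like two XP machines on the same LAN, where the second one has a different default gateway and a persistent route nobody remembers adding; both are things worth explaining before you move on, since a silently changed default gateway is how traffic gets redirected.

```python
"""Compare the IPv4 route tables of two computers from their `route print`
output, ignoring the entries that legitimately differ per host.

Added example, not from the original post.  HOST_A and HOST_B are
constructed to look like `route print` on two XP machines on one LAN; on a
live machine feed the text of `route print` (or the saved c:\\route.txt)
to normalized_routes() or compare_routes()."""

import re

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

HOST_A = """\
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.10       20
        127.0.0.0        255.0.0.0        127.0.0.1      127.0.0.1        1
      192.168.1.0    255.255.255.0     192.168.1.10   192.168.1.10       20
     192.168.1.10  255.255.255.255        127.0.0.1      127.0.0.1       20
    192.168.1.255  255.255.255.255     192.168.1.10   192.168.1.10       20
        224.0.0.0        240.0.0.0     192.168.1.10   192.168.1.10       20
  255.255.255.255  255.255.255.255     192.168.1.10   192.168.1.10        1
Default Gateway:       192.168.1.1
===========================================================================
Persistent Routes:
  None
"""

# Same LAN, different host address, plus two things no administrator did:
# a different default gateway and a persistent route to 10.0.0.0/8.
HOST_B = """\
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.1.254   192.168.1.11       20
         10.0.0.0        255.0.0.0     192.168.1.77   192.168.1.11        1
        127.0.0.0        255.0.0.0        127.0.0.1      127.0.0.1        1
      192.168.1.0    255.255.255.0     192.168.1.11   192.168.1.11       20
     192.168.1.11  255.255.255.255        127.0.0.1      127.0.0.1       20
    192.168.1.255  255.255.255.255     192.168.1.11   192.168.1.11       20
        224.0.0.0        240.0.0.0     192.168.1.11   192.168.1.11       20
  255.255.255.255  255.255.255.255     192.168.1.11   192.168.1.11        1
Default Gateway:     192.168.1.254
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
         10.0.0.0        255.0.0.0     192.168.1.77       1
"""


def parse_routes(output):
    """Every line carrying at least three IPv4 addresses is a route:
    destination, netmask, gateway and (active routes only) interface."""
    routes = []
    for line in output.splitlines():
        addrs = [tok for tok in line.split() if IPV4.match(tok)]
        if len(addrs) >= 3:
            routes.append({"dest": addrs[0], "mask": addrs[1], "gateway": addrs[2],
                           "interface": addrs[3] if len(addrs) > 3 else None})
    return routes


def normalized_routes(output):
    """Set of (dest, mask, gateway) with the host's own addresses factored out,
    so two machines on one LAN compare equal unless a real route differs."""
    routes = parse_routes(output)
    own = {r["interface"] for r in routes if r["interface"]} - {"127.0.0.1"}
    result = set()
    for r in routes:
        if r["dest"] in own:
            continue                                  # the host route to itself
        gw = "on-link" if r["gateway"] in own else r["gateway"]
        result.add((r["dest"], r["mask"], gw))
    return result


def compare_routes(output_a, output_b):
    """(routes only A has, routes only B has), each sorted."""
    a, b = normalized_routes(output_a), normalized_routes(output_b)
    return sorted(a - b), sorted(b - a)


def default_gateway(output):
    m = re.search(r"Default Gateway:\s*(\S+)", output)
    return m.group(1) if m else None


if __name__ == "__main__":
    only_a, only_b = compare_routes(HOST_A, HOST_B)
    print("only on A:", only_a)
    print("only on B:", only_b)
    print("gateways:", default_gateway(HOST_A), default_gateway(HOST_B))
```

Metrics are deliberately left out of the comparison, since they differ with link speed; put them back if you are chasing a problem where the wrong route is winning rather than a route that should not exist.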

Setting Up A WiFi LAN

November 9, 2005

Are you new to networking, or have you setup a few networks in the past? Networking looks really complicated (it can look that way), but it’s basically just hooking up a few wires, and praying real well.

Setting up an Ethernet LAN is pretty simple, but it contains one annoying detail. With a wired LAN, unless the computer and router are right next to each other, you have to figure out how to run the Ethernet cable that connects them. With a wired LAN, you have cables everywhere.

A WiFi LAN lets you remove the cables. With more work in the beginning, you’re freer in the end. Without a simple physical cable, which you can see and touch, you have to setup a wireless connection, that you can’t see or touch.

NOTE 1: Having carefully selected your WiFi Access Point / Router, and your WiFi Client Adapters, you hopefully spent some time acquainting yourself with their features. Now, spend some time perusing the guides and instruction manuals. Doing so is a good investment of your time.

NOTE 2: If this is the first time you’ve set up WiFi equipment, you may benefit from testing as you set up. Having 2 computers is a very good idea.

  1. Connect one by Ethernet to the AP, and use it to make changes in the AP settings.
  2. Connect a second by WiFi, and use it to test the changes to the AP.

Having 1 computer, doing dual duty, can be done; but having 2 computers is a lot less stressful.

Setup The Access Point / Router
You still need an Ethernet cable when you set up the access point / router. Whenever you make configuration changes to a router (wired or wireless), the router may have to restart itself. When that happens, you will lose connectivity. Reestablishing connectivity with a wired connection is bad enough; reestablishing a wireless connection will in some cases be impossible, because the change you just made (a new channel, a new key, a new SSID) is exactly what your wireless client no longer matches. Always connect by Ethernet, unless absolutely impossible, when making changes.

  • Setup your computer as a DHCP client.
  • Install an Access Point / NAT router, and give it power.
  • Connect an Ethernet cable to the router, and to your computer.
  • Power your computer up.
  • Connect your computer to the router thru your browser, run the router configuration program, and make all the necessary changes.

NOTE: Most access points and routers, wired or wireless, will come with installation guides and configuration utilities, and some will offer to install software on your computer. If you plan your installation properly, no additional software should be necessary. Your Windows system has a browser, and that should be all the software that you need to connect to your access point or router. Don’t install unnecessary software unknowingly.

The changes to a WiFi access point / router include Internet Protocol settings (like a wired NAT router), and WiFi settings. WiFi settings include:

  • Connectivity settings.
    • Channel. You need a channel with no other networks within range, if you are going to get full bandwidth.
      • In the USA, both 802.11b and 802.11g can use channels 1 – 11.
      • The channel numbers are spaced 5 MHz apart, but each signal is about 20 – 22 MHz wide, so a channel overlaps with the four channels on either side of it. Channels 1, 6, and 11 are the only set of three that do not overlap each other.
        Channel    Overlaps with
        1          2 - 5
        6          2 - 10
        11         7 - 10
        
      • With 802.11g Super G (the 108M mode), there is no channel choice. It bonds two channels into one 40 MHz wide signal, centered on channel 6, which takes up most of the band. If a channel number is shown, it will be “6”, and it will not be selectable.
      • If there is any other network within range, on a channel that overlaps yours, you won’t get full bandwidth. You will be sharing the air with your neighbor.
    • Interoperability. What standard will you use – 802.11b, 802.11b/g, or 802.11g?
      • With 802.11b, you’ll get a maximum bandwidth of 11M (half duplex).
      • With 802.11b/g (having a combination of 802.11b and 802.11g devices on your LAN), you will get between 11M and 54M (probably substantially less than 54M though). (Again, half duplex).
      • Only with 802.11g will you have a prayer of getting a full 54M (and that’s with no 802.11b networks anywhere visible). (And still, half duplex).
      • If you have 2 802.11Super-G devices, from the same vendor, and no other WiFi devices are within range, you might be able to get 108M.
  • Security settings.
    • Authentication. How will the wireless clients identify themselves to the router?
    • Encryption. How will the wireless clients keep your communications, between themselves and the router, private?
    • Logging. How will YOU know what is happening on your WiFi LAN?
    • Visibility. Hiding the SSID will not help you, and may hurt network performance.
    • The issue of Security is covered, in detail, in my article Setting Up A WiFi LAN? Please Protect Yourself!. Please note the above details.
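The channel choice above is arithmetic on center frequencies, and it is worth doing in code once you have a site survey listing the channels your neighbors use. The script below is an added example, not from this post: it works out which channels overlap from the published 2.4 GHz channel plan (channel n is centered at 2407 + 5n MHz, an 802.11b signal is 22 MHz wide, 802.11g 20 MHz) and picks the channel that the fewest neighboring networks overlap. The neighbor lists in the usage section are constructed, as if read off a survey tool.

```python
"""Pick the least crowded 2.4 GHz channel from the channels your neighbors use.

Added example, not from the original post.  Channel centers and widths are
the published 802.11 figures; the surveys in the usage section are constructed."""

US_CHANNELS = range(1, 12)      # 1 - 11 in the USA


def center_mhz(channel):
    return 2407 + 5 * channel    # channel 1 = 2412 MHz, channel 11 = 2462 MHz


def overlaps(a, b, width_mhz=22):
    """Two signals overlap when their centers are closer than one signal width.
    22 MHz (802.11b) is the safe assumption while any b device is around;
    pure 802.11g is 20 MHz."""
    return abs(center_mhz(a) - center_mhz(b)) < width_mhz


def non_overlapping_set(width_mhz=22, channels=US_CHANNELS):
    """Greedy from channel 1: the classic 1 / 6 / 11 for 22 MHz signals."""
    chosen = []
    for ch in channels:
        if all(not overlaps(ch, c, width_mhz) for c in chosen):
            chosen.append(ch)
    return chosen


def best_channel(neighbor_channels, width_mhz=22, channels=US_CHANNELS):
    """(channel, number of neighbor networks that would overlap it).
    Ties go to the non-overlapping set, then to the lowest channel.  A
    neighbor on exactly your channel is less harmful than one partly
    overlapping it, because the two networks can hear and defer to each
    other; this example counts both the same."""
    prefer = set(non_overlapping_set(width_mhz, channels))

    def score(ch):
        busy = sum(1 for n in neighbor_channels if overlaps(ch, n, width_mhz))
        return (busy, 0 if ch in prefer else 1, ch)

    ch = min(channels, key=score)
    return ch, score(ch)[0]


if __name__ == "__main__":
    print(non_overlapping_set())
    for survey in ([1, 6], [1, 1, 6, 11], [3, 8]):
        print(survey, "->", best_channel(survey))
```

With a width of 20 MHz the function returns 1, 5 and 9 instead, which is why some European guides list four usable channels; stick with 1, 6 and 11 as long as any 802.11b device can show up nearby.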

Setup The Clients
Having made the necessary changes, you are free to turn the radio portion of the router on, and to setup the wireless clients. If your main computer also has a WiFi adapter, you can now remove the Ethernet cable between that computer and the router (but keep the cable handy for any future changes that you may make).

Setting up a wired LAN is simple – you connect the cables, things you can see and touch. With WiFi, you have the access point(s) out there – but you can’t see or touch them. With WiFi, you set up the WiFi Client, a program that any of several parties may have provided. Depending upon your setup, you may have any or all of these clients.

  • The computer manufacturer.
  • The WiFi adapter manufacturer.
  • Microsoft.
  • NetStumbler.

Your adapter can have only one WiFi Client managing it; having more than one Client active can cause conflicts. Conflicts can cause erratic performance, loss of connectivity, even the WiFi adapter turning itself off. Know the possibilities, and only run one WiFi Manager at a time.

Each WiFi Client will present you with a list of visible access points. You choose, by signal strength, channels, and name, with which access points you wish to associate. The access points that you choose become your Preferred Access Points. The WiFi Client will automatically, and continually, scan the spectrum for the strongest access point, and connect your computer to that access point. Note that this behaviour may be subject to SSID Visibility.

Any access points that you do not choose are still available for your use. Your WiFi Client probably has a selection to this effect – “Automatically connect to non-preferred networks”, for instance, is a selection with the Windows Wireless Zero-Config Client. Make sure that this selection is not enabled automatically. You do not want your client to connect to your neighbor’s WLAN unexpectedly.

Some Clients also let you prioritise the preferred access points – so you make a list, then you order the list, from top (most preferred) to bottom (least preferred). Your client will then automatically connect you, at any time, to the more preferred access point that is available.

With any access point of interest, if it uses any authentication or encryption, you will have to enter the appropriate information. Your client will create a profile for that access point, and keep that profile available for the future. When you remove an access point from your preferred list, you will delete the profile. You will then have to re-enter the profile information later.

Without the correct profile information, you cannot connect to the network provided by the access point. If your client tells you that you are connected (however strong the signal), but you have no IP configuration, check the profile. If in doubt, delete and re-enter the profile.

Whenever you set up a WiFi client profile, make sure that you select the appropriate authentication options. A profile for the most common home setup, WPA-PSK (pre-shared key), has no RADIUS server behind it. If IEEE 802.1X (RADIUS) authentication is also enabled on that profile, the client will keep trying to authenticate against a server that does not exist, and the connection will have problems. If your connection drops on an extremely regular basis (like every 10 minutes or so), check the WiFi client setup; make sure that 802.1X authentication is not enabled.

For more information, read the instruction manual or guide for the WiFi Clients available to you. See, for instance, Windows Cable Guy Windows XP Wireless Auto Configuration.

Tune The Wireless Setup
Having done the Initial Setup, and having Secured your WiFi LAN, you may want to tune the physical setup. Maximum bandwidth depends upon maximum signal strength. There are a few placement mistakes, made when installing the equipment, that will keep you from getting maximum signal strength.

Having completed all of the above tasks, enjoy the freedom.