Microsoft boosts the security of ISA Server with Service Pack 2

Takeaway: Get the details on Service Pack 2 for Microsoft’s Internet Security and Acceleration (ISA) Server 2000.

Microsoft has released Service Pack 2 for Internet Security and Acceleration (ISA) Server 2000. This software update definitely increases the security and stability of ISA, and administrators who manage ISA servers need to give it a close look.

Details

Going almost unnoticed, the release of Service Pack 2 for ISA Server 2000 comes in English, French, Japanese, Spanish, and German. ISA SP2 addresses the problems in the following Microsoft Knowledge Base articles:


● 313318: “Cannot relay mail through ISA Server if authentication is required”

● 317122: “Web proxy sends TCP reset instead of only closing session”

● 317822: “Problems with Web browser if ISA Server 2000 is chained to an upstream Web proxy server”

● 323889: “Unchecked buffer in Gopher protocol handler can run code of attacker’s choice”

● 324642: “Macintosh clients who use MAPI cannot connect to Exchange 2000 with ISA Server”

● 331062: “Running ISA Server on Windows Server 2003”

● 331068: “ISA firewall causes handle leak in LSASS”

● 331069: “Hotfix to permit URL path redirection in Web publishing rules”

● 331070: “Authentication does not succeed when the user name contains a space”

● 810559: “Slow responses and failures when you use server publishing UDP protocols”

● 813864: “Site and content rules do not filter based on file name extensions”

● 816456: “Flaw in ISA Server error pages could allow cross-site scripting attack”

● 816828: “‘Permission Denied’ error message when you use rlogin to log on to a server on the Internet”

● 818821: “ISA firewall service stops responding on DNS resolution”

● 821724: “Basic credentials may be sent over an external https: connection when SSL is required”

● 822241: “ISA Server Web proxy service maintains a connection after a client session is closed”

● 822970: “Cannot read ISA Server performance data by using an SNMP program”

● 828044: “ISA Server intermittently stops responding to Web proxy client requests”

● 829892: “You cannot connect to external FTP sites by using a WRQ reflection FTP client through ISA Server 2000”

● 829893: “RSA SecurID cookie expires frequently, and clients are repeatedly prompted to authenticate”

● 833009: “ICMP traffic is not blocked during startup period with ISA Server”

● 839019: “White spaces in URL are not correctly encoded or decoded when you log on”

The list above represents some of the most important fixes, but there are others as well. An extensive list of other hot fixes is included in the release notes for SP2. In addition to the hot fixes, the Microsoft Security Bulletin “Vulnerability in Microsoft Internet Security and Acceleration Server 2000 H.323 filter could allow remote code execution” (MS04-001) is also covered by ISA SP2.

You can download the English version of ISA SP2 here. For more details on installing SP2, see Microsoft Knowledge Base article 313139. If you experience problems, Microsoft says that ISA SP2 can be removed after installation.

Final word

This service pack has nearly gone unnoticed. At least I never saw any notices about it from Microsoft. Perhaps that was intentional because Microsoft’s ISA Server 2004 is rumored to be almost ready to ship. However, I suspect many administrators will want to install ISA 2000 SP2 before leaping to adopt the latest version of the software, even though ISA 2004 incorporates many of these security enhancements and undoubtedly includes many new features as well. Nevertheless, it takes a brave administrator to bet the farm on a brand-new security product.

Also watch for…

● Kurczaba Associates reports that ZoneAlarm Pro has a medium-level vulnerability in its new “mobile code” filter, but there is no known workaround yet. The problem is that the software fails to properly filter SSL content.

● There is a DoS vulnerability in all Cisco IOS systems with the Border Gateway Protocol (BGP) enabled. See Cisco Security Advisory 53021, “Cisco IOS malformed BGP packet causes reload,” for details. The vendor discovered this vulnerability.

● A bill that would impose heavy fines for redirecting URLs and spreading spyware is working its way through the U.S. Congress. CNET’s News.com reports a House subcommittee has approved the Securely Protect Yourself Against Cyber Trespass Act (SPY ACT), H.R. 2929, which would impose fines of up to $3 million for annoying and privacy-invading practices such as installing keystroke loggers and even some pop-up ads. Of course, Microsoft is already planning to include a pop-up ad blocker in Windows XP Service Pack 2. But this is an election year, so Congress may actually do something. Whether the final bill will make a real difference is debatable. The last time Congress got involved in helping Internet users, they passed CAN-SPAM, and we all know that this legislation has done little to affect the daily spam deluge.

● There are rumors around the Internet water cooler that Network Associates (maker of McAfee solutions) is on the market, and that Microsoft is considering increasing its position in the antivirus world by acquiring the software as well as the credibility of the McAfee name. Microsoft is denying interest, while theinquirer.net is reporting that Network Associates is saying that no discussions are being held. Of course, nothing can kill such a deal quicker than holding a press conference to announce that it may take place. So the denials are being taken with a grain of salt, especially just a week after Symantec’s CEO told a British audience that Microsoft’s move into the antivirus arena doesn’t threaten other vendors because the Redmond giant lacks credibility in the security field.

● A Linux kernel flaw in the IEEE 1394 (a.k.a. Firewire or i.Link) driver opens the door to DoS attacks. This applies to all versions of Linux. The driver in question is /usr/src/linux/drivers/ieee1394/. See Bugtraq for details.

● There is a DoS vulnerability in Sun’s Solaris operating system (versions 7, 8, and 9). Secunia rates this as “not critical,” but you should probably check it out if you’re running Solaris. The problem isn’t specified, but it lies in the Basic Security Module (how ironic) and patches are available. This problem was discovered and reported by Sun.

● Reuters reports that MasterCard has hired NameProtect to try to block phishing attacks related to the credit card giant’s accounts.

MCITP 70-680 Candidate Profile

Audience Profile:
Candidates for this exam operate in computing environments that use Microsoft Windows 7 as a desktop operating system in an enterprise environment. Candidates should have at least one year of experience in the IT field, as well as experience implementing and administering any Windows client operating system in a networked environment.


Candidates should be able to install, deploy, and upgrade to Windows 7, including ensuring hardware and software compatibility. Additionally, candidates should be able to configure pre-installation and post-installation system settings, Windows security features, network connectivity applications included with Windows 7, and mobile computing.

Candidates should also be able to maintain systems, including monitoring for and resolving performance and reliability issues. Candidates should have a basic understanding of Windows PowerShell syntax.

The Microsoft Certified IT Professional (MCITP) certification helps validate that an individual has the comprehensive set of skills necessary to perform a particular job role, such as database administrator or enterprise messaging administrator. MCITP certifications build on the technical proficiency measured in the Microsoft Certified Technology Specialist (MCTS) certifications. Therefore, you will earn one or more MCTS certifications on your way to earning an MCITP certification.

MCITP candidates are IT professionals capable of deploying, building, designing, optimizing, and operating technologies for a particular job role. They make the design and technology decisions necessary to ensure successful technology implementation projects.

Why get certified?
Earning a Microsoft Certification helps validate your proven experience and knowledge in using Microsoft products and solutions. Designed to be relevant in today’s rapidly changing IT marketplace, Microsoft Certifications help you utilize evolving technologies, fine-tune your troubleshooting skills, and improve your job satisfaction.

In-depth look at Microsoft Home Server – CES 2007

I had a chance to speak with members of the Microsoft Home Server team at CES about Microsoft Home Server 2006.  I managed to get some in-depth questions answered on the product so here it is.

Question:  Will Home Server be available to the do-it-yourself buyers or will it only be available as a packaged deal?

Microsoft:  For the time being, it will only be available as a packaged deal from major PC makers.  But there is a lot of interest from the do-it-yourself market and Microsoft is looking into it.

Question:  What is Home Server based on?  Is it based on Windows Server 2007 (or whatever it will be called)?

Microsoft:  It’s based on Windows Server 2003 R2 along with some other components that the Home Server team developed for the home product.

Question:  I noticed a fairly nice looking rich client management console.  Is that web based or is that a rich client that needs to be installed?

Microsoft:  Neither.  It’s a rich Win32 application hosted on the server delivered to the client’s desktop seamlessly using the RDP (Remote Desktop Protocol).  This is a feature similar to Microsoft Terminal Services in Windows Server 2007.  The user interface is also available to remote users via web interface.  The connection from the client to server is extremely thin and efficient (often less than 2 kbps in my experience on RDP).

Question:  On the custom domain names that buyers may get if they adopt MS Home Server early (details not worked out yet), will that support DDNS Dynamic DNS non-static IP Internet connections typical of most DSL and Cable broadband connections?

Microsoft:  Microsoft will support Dynamic DNS for custom domain names.

Question:  How does the remote access work?  Is that an https: tunneling technology that can bypass firewalls or is it just using RDP on TCP 3389 or some other redirected port?

Microsoft:  It’s not using https: tunneling, but Microsoft Home Server can act as an RDP proxy which allows a single server on a single IP address to simultaneously host multiple RDP connections to multiple PCs.

Question:  How does Microsoft deal with the issue of security?  It’s hard enough for an IT professional to secure a publicly available server exposed to the Internet, let alone someone in the home.  This opens up a whole new can of worms on the security front because we now have millions of homes connected to the Internet with a wide-open server 24×7.

Microsoft:  Microsoft has put a lot of work into hardening the home server using technology from Windows Server 2003 R2 with IIS 6.0 web server.

Note that IIS 6.0 since 2003 has only had two moderately critical flaws which is really quite amazing for a web server.  Apache 2.0 has had more than 10 times the number of flaws in the same time period and some of which were more critical.  But the biggest security issue with web servers besides poor administration is poor custom ASP or PHP coding which thankfully is not an issue with most home servers.  Homes are currently safe if they have a firewall or router even if a serious flaw exists on the home network because it isn’t open to the public Internet.  This is not just a Microsoft problem since the same thing is being done with Linux-based servers and appliances, but we’re talking about the server that holds all the user’s data open to the Internet.  Only time will tell on the cyber-crime front but my prediction is that it will be a huge problem afflicting the industry in general as we move to a more connected digital society.

Question:  One of the biggest security headaches in running a secure web server is the secure authentication issue and the pain of setting up and buying expensive SSL certificates.  A lot of IT shops don’t even get this right and they set up these untrusted self-signed digital certificates that violate fundamental SSL security principles and many American Banks can’t even seem to get this concept straight.  What chance does a home user have of dealing with this huge implementation challenge?  What is Microsoft doing to make this easier?

Microsoft:  We’re working on this.

Question:  Wouldn’t it make sense for Microsoft to offer free SSL certificate signing with every Home Server and automate the whole thing?

Microsoft:  That’s good feedback.

Question:  Cisco has a technology on their firewalls called cut-through-proxy where ports aren’t open until a user authenticates.  Wouldn’t that type of technology be good for the home and in general to minimize the open ports and vectors for attack?

Microsoft:  We’re aware of this technology and it’s good feedback.

Question:  How does Microsoft Home Server deal with PC backup?

Microsoft:  Microsoft offers a full PC backup solution that includes data and system imaging.  Even if a hard drive died on a PC, the customer can put in a blank hard drive and do a bare metal recovery using a bootable recovery CD.

Question:  How does Microsoft deal with the issue of offline-backup from the home server?  Let’s say the user’s computer is hacked and the hacker destroys or encrypts all the user’s data on the client and file shares on the Home Server.

Microsoft:  Microsoft will have an add-on product that supports offline backups like an external USB/Firewire hard drive.  The home server will run as a separate service that has exclusive access to the offline backup.  The normal home server services will not have access to the offline backup.  Microsoft Home Server also has point-in-time snapshot capability so that users can recover files from a previous state like a day or week before.  (Vista also has this feature natively).

Question:  Does Microsoft Home Server support single instance storage like Windows Server 2003 R2?  (This means if two people in a home had separate folders with the same files on the same server, Home Server will only store one instance of the file.)

Microsoft:  Not at this point.

Question:  Does Microsoft Home Server have the IAS (RADIUS) authentication server component of Windows Server 2003 built in?  (This allows people to run Enterprise Class wireless LAN security that’s easy to manage.)

Microsoft:  Not at this point.

Question:  Is Microsoft Home Server an Active Directory server?

Microsoft:  No, Windows XP home and Vista basic can’t support domain joins.  Only business editions of Windows can support domain joins.

Question:  But wouldn’t this make file sharing difficult since users are often prompted to enter in a username and password?  Furthermore, Workgroup networking and file sharing has never worked consistently in Windows XP even if you manually sync up the usernames and passwords.

Microsoft:  The Home Server client agent will synchronize passwords so that file shares on different machines can be seamlessly accessed.  It’s also made Workgroup network file sharing more consistent and users won’t need to type in passwords for different shares.