|RSS | MY PROFILE | PRIVACY|
Vol. 19, #42 - October 20, 2014 - Issue #1002
This week's newsletter is a follow up to last week's Issue #1001 ShellShock for Windows admins, and we're devoting our current issue to the feedback we've received from our readers concerning this recently discovered BASH vulnerability that is commonly referred to as "ShellShock." If your organization is starting to get worried about this dangerous new vulnerability, you better hope that your IT department doesn't pack up and go on vacation like Mordac, the Preventer of Information Services, did in this Dilbert comic strip:
But before we hear from some readers concerning why Windows admins should be (or shouldn't be too) worried about ShellShock, we'll first toss out a couple of questions we recently received that perhaps our readers can answer...
A reader named Jim who is Chief of an IT group based in Pennsylvania, USA asked us the following:
We recently upgraded one of my users from Win7 Pro/Office 2007 to Win8 Pro/Office 2013 with a 'clean' install. When we went to restore his data, a problem arose. His PST file -- a whopping 4.4 GB -- would restore to the disk but couldn't be reattached to Outlook. We've restored the file to another Win7 Pro, equivalent to his old system, but have the same issue: "Corrupt File". We don't know if the issue was somehow caused during the backup process or if it is just too damn big. None of our usual repair tools, like ScanPST, will fix it -- most won't even open it because of the size.
1) Any clever ways/tools to fix this problem?
2) Any way to split the file into manageable chunks (even if have to we lose a few emails in the process)?
3) And for my own edification… I thought that Office 2010 had removed the file size limitation on PST… True or false?
He later followed up saying he had found an answer to question 3 as follows:
By the way, I just read that Outlook 2007 increased the PST file size limit to 20GB and 2010 increased it again to 50GB.
But that still leaves questions 1 and 2 to answer. Any takers? Email us at firstname.lastname@example.org
This question was sent to us by a reader who works at an ISP in the eastern USA:
Hi, one of our readers asked us what we knew about CloudMark and which ISPs use it. Knowing virtually nothing about such things, we thought maybe you can help her. THX.
Does anyone have any experience with or knowledge concerning CloudMark they can share with this reader that might be helpful for them? Email us at email@example.com
Ask Our Readers: WServerNews has almost 100,000 subscribers worldwide. That's a lot of expertise to tap into. Do you need help with some issue or need advice on something IT-related? Got a question you'd like us to toss out to our readers to try and answer? Email us at firstname.lastname@example.org
And now on to some of the reader feedback we've received to last week's issue...
We'll start off with this detailed feedback we received from Dale Lobb, a Systems Programmer in Information Technology working at Bryan health in Lincoln, Nebraska, USA. Dale's feedback concerns the following question we received earlier from Mark, a Technical Architect in the UK, and which we included in last week's issue:
If you're covering Shellshock in the next edition, Cygwin is vulnerable. It doesn't appear to really have an unattended install (there doesn't really appear to be an upgrade path either). Anyone's experiences of patching it (it may only be the bash component which potentially would be easy, however the servers we have it in are in scope for PCI so we may need to do a full upgrade anyway) would be gratefully received. Most examples on the web appear to be a manual update but we've around 200 servers running it which would be a tad laborious.
Here is Dale's response to Mark's question concerning possible BASH bug vulnerabilities with Cygwin on Windows platforms and how to automate the patching of Cygwin deployments:
So, there are really two different worries with Shellshock:
1) Users with valid credentials on a system would be able to exploit telnet or SSH connections to exceed the allowed actions in a restricted environment.
2) BASH could be exploited by anonymous users if BASH is the default system shell of a webserver processing CGI requests.
On a windows platform with Cygwin installed, most likely neither issue is a concern.
For concern (1), users would have to be allowed telnet or ssh (or r-shell) access to a windows machine where one had a) specifically installed associated Cygwin telnet (inet.d) or SSHd daemons, b) specifically entered the user's AD (or local) credentials into the local machines copy of /etc/passwd, c) set up a restricted shell environment for the user as a security precaution and d) set up the user's AD account with elevated privileges. It's unlikely that a Windows Admin would have done all these things, effectively circumventing the native windows security mechanism. Most implementations of Cygwin that I have seen are for specific application support, typically scripting, or for Admin support, again for scripting. If a site actually has regular user's using SSH (or talent, really? ), to connect to a windows machine, even if the user were to exploit the ShellShock vulnerability, the result has no way to elevate the user's privileges. They're still stuck with whatever access windows gives them. Not a likely problem in most environments.
For concern (2): Is there actually anyone out there using the Cygwin apache or some other Cygwin web server port in production? When IIS is free with Windows? The only reason I can think of is to run a ported Linux or Unix application. Why do that when there are free Linux versions all over the place? I consider it very unlikely that someone is running a production web application on top of Cygwin on top of Windows; if anyone is, you will want to immediately turn off the CGI component of Apache (if you are not using it) or quickly upgrade your Cygwin bash version.
BTW, one should note that all the fixes issued so far do not actually disable BASH's use of passed environment variables. The GNU community seem hell bent on keeping that functionality. What they have done is patch BASH so that it no longer executes trailing junk on those passed environment strings. That seems to me to be an open door for further exploits. IMO, a version of BASH should be made available with this very little used functionality completely removed.
Getting back to upgrading Cygwin. No there isn't any silent, automatic update to Cygwin that would allow systems to be updated wholesale, at least, not last time I looked. However, there are some tricks you can use:
1) Using Cygwin's installer, create a local repository on a network drive containing of all the Cygwin software that you want/use. Then use that repository to update all of your other installations, merely picking "All Install" so that that the entire repository gets installed on each machine. This does not eliminate the need to upgrade each installation separately, manually, but it does make for a minimum of interaction with the installer after the repository is loaded. On updates, use only one of the installations to download updated/new packages to the repository and again use the repository to update all the other installations.
2) Use a reference installation and use Cygwin's rsync to update all other installations from the reference. One would need to script around (or save off) the files that might be different between machines (/etc/passwd for instance) so that installations do not become vanilla at update time. Also, one would probably still want to do each machine's original (first time) install using the Cygwin installer just to get the directories and registry set up correctly.
3) Use a network installation. Cygwin will run just fine off a shared network drive. The downside to this is that by default, all the machines will share the same /etc and /var directories and thus settings for applications and users. One could script around this and set up local directories to mount instead of the network ones, but that kind of defeats the purpose of making the environment less complicated and easier to maintain. But, where a plain vanilla installation will do, this method works great. We use a network installation for casual Cygwin access from Windows servers for our administrators. This allows an admin to use quick and dirty scripts with bash, grep, diff and awk. Searching IIS logs for specific info is a breeze this way. Using Cygwin's find command to search for files is way faster than Windows Search.
If anyone has any questions, I'd be glad to answer them to the best of my ability.
If anyone has follow up questions for Dale concerning any of the above, please send your question to us at email@example.com and we'll forward it to Dale, then if appropriate we'll include both your question and Dale's response in a future issue of this newsletter.
Another reader named Joe who works for a company that provides solutions for the education field also shared some thoughts on automating the patching of Cygwin installations:
Best way to do it that I know of is to use the Cygwin setup program... You can do an unattended upgrade with Setup-x86.exe -q -g
Obviously change the path to the bin and such as appropriate. It should elevate, download the newest list of packages and upgrade any packages out of date. It does seem to require a GUI session to do this... So you can't, for instance, run it from a bash session via ssh. But maybe create a .cmd file and call it from a user session, or psexec, or wrap it in a msi and deploy with GPO... deployment vectors up to you.
See here too:
Apt-cyg might be useful, if not the wget lines to auto-download the setup program might be useful too.
In last week's newsletter I also mentioned that ShellShock can also endanger small businesses running off-the-shelf network appliances like NAS boxes. A reader named Erik who is an Information Technology Manager for a non-profit organization in the USA responded to this as follows:
I had to install multiple OS updates on my QNAP NS-220 NAS device. Thankfully, QNAP seemed to be on the ball with BASH.
Have other readers had to update their NAS devices accordingly? I would be worried if my NAS vendor *hasn't* released any updates by now.
Finally, here is some more coverage concerning ShellShock from WindowsSecurity.com, one of our TechGenix family of sites:
Shellshock the bashbug vulnerability (by Ricky M. & Monique L. Magalhaes):
UNIX based computers getting bashed and shellshocked (by Debra Shinder):
Send us feedback
Got more info, recommendations or tips concerning safeguarding Windows-based environments from the BASH bug? Let us know at firstname.lastname@example.org
When you click Save As in Word, Excel or any other Microsoft Office application, your document, spreadsheet or other Office file is saved by default in the My Documents folder on your computer (or on a network share that your My Documents folder has been redirected to by Group Policy). Assuming however that Folder Redirection is *not* implemented in your environment, is there any way you can change the default Save As location on your PC from My Documents to another location like Desktop?
Yes there is! In Word for example, click File, then Options to open the Word Options dialog. Select the Save page of this dialog and change the setting shown here:
GOT TIPS you'd like to share with other readers? Email us at email@example.com
Check out this post on the Microsoft Press blog for their complete lineup of Microsoft Office Specialist (MOS) titles:
Some announcements from the Microsoft Virtual Academy:
October 20: Dev/Test Scenarios in the DevOps World
If you want to hear the pros and cons of various Dev/Test tools and practices, don't miss "Dev/Test Scenarios in the DevOps World"! Join a team of experts for deep dive into the dev/test portion of DevOps and ALM. Get answers to your questions on testing, debugging, building, releasing, deploying, and more! Register here:
October 21: Deep Dive: Integrate Office 365 APIs in Your Web Apps
Integrate your existing web applications (such as ASP.NET MVC 5) with the Office 365 APIs. Experts Scot Hillier, Ted Pattison, and Rob Howard show you how, with real-world demos and helpful tips. You'd be surprised how easy it can be to leverage these APIs and to implement practical scenarios in Calendar, Mail, Contacts, OneDrive for Business, SharePoint, and more. Register today!
October 23: Last Stop: Getting Your Windows App to Market
Are you almost ready to submit that app? Developers, get your Windows Store apps to market, and learn about a new pilot program that combines a free technical review from Microsoft Premier Field Engineering (PFE) with credit toward your MCSD: Windows Store Apps certification. Get all the details in “Last Stop: Getting Your Windows Apps to Market,” on October 23. Register today!
"I never learned anything while I was talking." --Larry King
Until next week,
Note to subscribers: If for some reason you don’t receive your weekly issue of this newsletter, please notify us at firstname.lastname@example.org and we’ll try to troubleshoot things from our end.
Don’t be surprised when your servers fail. Monitor, manage & resolve with SolarWinds® Server & Application Monitor - includes support for multi-vendor environments, 150+ applications, & much more.
Concerned about data loss during a data migration? “LinkFixer Advanced” is a software tool that fixes broken links in most file types, preventing data loss. Get your free trial version today!
On a budget or still experimenting with VM backup? Veeam Backup Free Edition is the perfect solution because it is: powerful, easy-to-use and free forever for unlimited number of VMs. Get it now!
Amazon Web Services and Metalogix provide organizations with a fully functional version of the brand new Exchange archiving solution. Take it for an Instant Test Drive Today.
Bulk Password Control is a free tool that enables you to automate all kinds of bulk modifications on Active Directory user objects with a fast to use GUI:
Microsoft SQL Server PASS Summit 2014 on November 4-7, 2014 in Seattle, Washington, USA
Convergence 2015 on March 16-19 in Atlanta, Georgia, USA
Microsoft will be hosting an inaugural, unified Microsoft commercial technology conference the week of May 4, 2015 in Chicago, Illinois, USA
TechEd Europe on October 27-31, 2014 in Barcelona, Spain
Convergence 2014 Europe on November 4-6, 2014 in Barcelona, Spain
PLANNING A CONFERENCE OR OTHER EVENT you'd like to tell our 95,000 subscribers about? Contact email@example.com
PLANNING A WEBCAST you'd like to tell our subscribers about? Contact firstname.lastname@example.org
Using PowerShell to Manage AD and AD Users (WindowsNetworking.com)
Cluster Aware Updating for Windows Server 2012 R2 (Part 2) (WindowsNetworking.com)
Verifying Active Directory Delegation is Accurate (WindowSecurity.com)
Deploying Virtual Machines in Azure using Service Manager and SMA Part I (System Center Blog by Russ Slaten)
SCOM and Power View: Alert Duration Analysis (drewfs)
FAQ: How do I get a simple list of specific computers based on simple criteria? (Kevin Holman's System Center Blog)
Product Review: Loadbalancer.org Enterprise VA R16 (MSExchange.org)
Using the SharePoint Integration Pack with System Center 2012 R2 Orchestrator (System Center Orchestrator Engineering Blog)
E-mail Forensics in a Corporate Exchange Environment (Part 4) (MSExchange.org)
Troubleshooting synchronization with Windows Azure Active Directory (WAAD) (Part 3) (MSExchange.org)
Preparing and Uploading an On-Premise Virtual Machine Image to Microsoft Azure (VirtualizationAdmin.com)
Microsoft Azure (IaaS) Cost Estimator Tool (Courtenay Bernier Infrastructure Blog)
A hybrid cloud merges your existing private cloud with the facilities of a public cloud provider. This can give you the best of both cloud worlds, but having one single point of failure in a public cloud provider comes with a lot of risks. Learn how and why having a backup plan in place can assist you in preventing common public cloud problems.
You need a resilient infrastructure to ensure your workloads run no matter what the circumstance, but it’s difficult to gauge how much resiliency you need and how much it will cost. A simple N+1 approach to data center resiliency is now out of date – learn why today’s more complex formula, N+X+Y is the better approach for data center resiliency.
While Citrix Workspace Services and Workspace Suite have a similar name, they are actually two very different offerings, as the Suite is a bundle of products and Workspace Services is a delivery platform and control plane. Get an inside look at both and learn how else they differ from one another.
Software as a Service (SaaS) enables enterprises to affordably provide applications to a lot of users, which is why so many businesses today depend on it. To find the business productivity suite solution best fit for your company’s needs, take a look at two similar, yet very different, models, Office 2013 and Office 365, and learn about the top 5 ways their features differ from each other.
This Week's Links We Like. Tips, Hints And Fun Stuff
GOT FUN VIDEOS or other fun links to suggest you'd like to recommend? Email us at email@example.com
John Van Horne jumps from the top of the 1,099-foot Kuala Lumpur Tower into the rooftop pool of the nearby Pacific Regency Hotel:
A hawk wasn't happy to share his airspace over Magazine Beach Park, Cambridge with a remote-controlled quadcopter and took some quick and divisive action:
Cars being loaded onto a ferry in rough seas in Greece. Correct timing is of the essence. (Loud Volume!)
A traveler's emergency language guide to survive in Italy. Many of these gestures are also used in Spain, Portugal, France and other countries:
Mitch Tulloch is Senior Editor of WServerNews and is a widely recognized expert on Windows administration, deployment and virtualization. Mitch was lead author of the bestselling Windows 7 Resource Kit and has been author or series editor for almost fifty books mostly published by Microsoft Press. Mitch is also a ten-time recipient of Microsoft's Most Valuable Professional (MVP) award for his outstanding contributions in support of the global IT pro community. Mitch owns and runs an information technology content development business based in Winnipeg, Canada. For more information see www.mtit.com.
Ingrid Tulloch is Associate Editor of WServerNews and was co-author of the Microsoft Encyclopedia of Networking from Microsoft Press. Ingrid is also manages research and marketing for our content development business and has co-developed university-level courses in Information Security Management for a Masters of Business Administration program.