vista


Microsoft has let the expiration date on Windows XP slip a little further, but unfortunately only for OEMs shipping cheap/weak computers.

More at The Register.

My feeling is that Microsoft is slipping in a lot of areas right now and alternatives are being examined where there is possibility to do so.

Vista is/was probably a big mistake, and key features are being turned off in a lot of larger environments for the sake of compatibility with older applications.

The problems companies are facing with this operating system are not very far from what they would be facing if they switched to an open source solution, as many components need to be rewritten in whole either way.

The world is changing and there are alternatives to resource-hogging and expensive software. You wanna stay in the game? Then get with it.

but “L O L” at Microsoft's latest security debacle ;)

I think their own advisory from 1999 (!!!) explains the issue pretty well:

The IE 5 Web Proxy Auto-Discovery (WPAD) feature enables web clients to automatically detect proxy settings without user intervention. The algorithm used by WPAD prepends the hostname “wpad” to the fully-qualified domain name and progressively removes subdomains until it either finds a WPAD server answering the domain name or reaches the third-level domain. For instance, web clients in the domain a.b.microsoft.com would query wpad.a.b.microsoft.com, wpad.b.microsoft.com, then wpad.microsoft.com. A vulnerability arises because in international usage, the third-level domain may not be trusted. A malicious user could set up a WPAD server and serve proxy configuration commands of his or her choice.

Well,

too bad they only protected their customers from this if their domains ended in .com, and that this issue has persisted through eight more years of code (how much new code did they say there was in Vista?). This little function seems to have remained unchanged for almost a decade anyhow…

Now let’s hope that Microsoft are faster than the bad guys… And in the meantime:

  • If you have a webfilter, block all addresses containing “wpad.” in them.
  • On most Windows operating systems, stopping the service “WinHTTP Web Proxy Auto-Discovery Service” would also do it, but some people have been having problems with this.
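As an added illustration (not code from the original post), the walk described in the 1999 advisory quoted above, plus a check for the two things a defender wants to know: which candidate names fall outside the domains the organisation actually controls (the international/third-level case the advisory warns about), and whether a URL would be caught by the “wpad.” webfilter rule. Domain names and URLs are constructed sample values.

```python
"""Added example: reproduce the WPAD discovery walk and flag candidate
names outside an organisation's control. Sample domains are constructed."""

from urllib.parse import urlsplit


def wpad_candidates(client_domain: str) -> list[str]:
    """Names a client in client_domain would try, per the advisory: prepend
    'wpad' and strip the leftmost label until only a third-level name
    (wpad.<second-level>.<tld>) remains."""
    labels = client_domain.lower().strip(".").split(".")
    out = []
    while len(labels) >= 2:  # stop once 'wpad' + two labels is reached
        out.append("wpad." + ".".join(labels))
        labels = labels[1:]
    return out


def untrusted_candidates(client_domain: str, trusted_suffixes: list[str]) -> list[str]:
    """Candidates not under a suffix the organisation controls. For a client
    under example.co.uk the walk ends at wpad.co.uk, a name anyone could
    register: exactly the case the advisory describes."""
    trusted = [s.lower().strip(".") for s in trusted_suffixes]
    return [
        name for name in wpad_candidates(client_domain)
        if not any(name == "wpad." + s or name.endswith("." + s) for s in trusted)
    ]


def blocked_by_webfilter(url: str) -> bool:
    """The first mitigation from the post: block any address whose host
    contains 'wpad.'."""
    host = (urlsplit(url).hostname or "").lower()
    return "wpad." in host


if __name__ == "__main__":
    for dom, trusted in [("a.b.microsoft.com", ["microsoft.com"]),
                         ("a.b.example.co.uk", ["example.co.uk"])]:
        print(dom, "->", wpad_candidates(dom))
        print("  outside our control:", untrusted_candidates(dom, trusted))
    print(blocked_by_webfilter("http://wpad.co.uk/wpad.dat"))  # True
```

Any name returned by untrusted_candidates is one to monitor or block at the filter, since the client will resolve it without user interaction.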

In other words, keep an eye on your network the next couple of weeks until MS produces a patch.

Cheers and browse safe!

I’m not an advocate or fan of Microsoft's technology, implementation of standards or politics. That’s for sure. However, this is actually really interesting for those of us who are stuck in a corporate environment with Windows:

I was recently visiting a larger company in Sweden that is in the testing stage of a large deployment of Windows Vista. This deployment will be done on a pretty big userbase that has somewhat special security demands, and for that reason they are following the SSLF (or SS-LF) baseline presented by Microsoft in the Windows Vista Security Guide. In that same guide you will also find information about a lighter security model called Enterprise Client (EC). The EC baseline provides a simpler and less intrusive security baseline, but it did not meet the requirements for this particular company.

I was quite impressed with the work they had done and how well it seems to have turned out, and decided to read up on these baselines. I mean, more security for Windows systems is not a bad thing, and if you can do this easily then it would be great.

The definitions of the two baselines in the Windows Vista Security Guide are:

  • “Enterprise Client (EC). Client computers in this environment are located in a domain that uses Active Directory and only need to communicate with systems running Windows Server 2003. The client computers in this environment include a mixture: some run Windows Vista whereas others run Windows XP….
  • Specialized Security – Limited Functionality (SSLF). Concern for security in this environment is so great that a significant loss of functionality and manageability is acceptable. For example, military and intelligence agency computers operate in this type of environment. The client computers in this environment run only Windows Vista…”

The whole process of securing the clients is done via Active Directory group policies, and the implementation of these can be very much simplified by using pre-made scripts (also included in the security guide).

The main downside for me with this policy (SSLF) is that it might cause a minor conflict with the brand new “Panda For Desktops” (formerly known as ClientShield), but there is an easy remedy for that particular problem. Guess why I was there btw ;) hehe…

Here is a short list of resources for more information:

And as a bonus, the delicious, the enormously useful (as not many run on an SSLF baseline) but also quite CTO friendly:

This should be a prerequisite for all administrators running a 100+ user network. Sure would make my life a hell of a lot easier during intrusion investigations ;)

Cheers and drive safe (winter in Sweden now) !