Sunday, March 30, 2008

Telstra Mobile Network - Network Time Problem and 2008 DST Changes

Today's been a weird day due to the fact that both my Nokia N95 and my wife's Nokia E51 rolled back from AEDT to AEST. I'm the only one that noticed it though.

In the past us Tasmanians would go to daylight savings time about 3 weeks ahead of our mainland counterparts that participated in daylight savings (South Australia, Victoria, ACT, New South Wales) and then change back at the same time.

Last year an agreement was reached for the states that participated in daylight savings (except Western Australia, who've introduced a DST trial for 3 years) to change to daylight savings on the last Sunday in October and change back on the first Sunday in April. The appropriate State departments promulgated their DST changes around March/April last year.

Thankfully organisations like Microsoft responded promptly with DST patches. Unfortunately, organisations like Nokia and Telstra ignored the changes and made no provision to cater for these changes.

I've just spent half an hour on the phone with Telstra explaining what the problem is and possible remediation steps to get the problem resolved. Apparently their mobile phone helpdesk has had an incredible spike in calls today, with the bulk of them about the DST change.

So the point of this post is: if you're responsible for devices that require accurate time, or have their time synchronised, make yourself aware of local DST changes, plan for them, and have contingency plans for when providers/suppliers are slack. If you're responsible for systems that span multiple timezones and/or countries, then you need to keep an eye on resources such as Microsoft's Hot Topics for Daylight Saving Time changes, which helps aggregate these changes into one resource.

I wonder how many people are going to be an hour late to work tomorrow?

Wednesday, March 26, 2008

Sophos Enterprise Console - Stuck on Connecting to Server

    I have a problem on an SBS 2003 Premium Edition box (2 NICs and running ISA Server) where launching the Enterprise Console sits forever at the connection screen.

    This is the same problem even if I perform a console-only install to a separate box.

    The drastic remedy is to reboot the server. By using the console on a separate box I was able to use TCPView to find that EnterpriseConsole.exe was connecting to MgntSvc.exe on the server.

    I then tried stopping the service from the command line:

    > net stop "Sophos Management Service"

    Which resulted in me being told that the service could not be stopped. I then used PsKill to stop the service:

    > pskill MgntSvc

    And I then restarted the service:

    > net start "Sophos Management Service"

    This then allowed me to successfully use the Enterprise Console.

Thursday, March 20, 2008

Hyper-V Release Candidate is Here

Microsoft have made the Hyper-V Release Candidate available.

The Release Candidate has better (but not complete) localisation support, support for the x86 versions of Windows Server 2003 SMP, Vista SP1 and XP SP3, integration components for Vista SP1 and XP SP3 (yay!), and improved performance - especially with pass-through disk support.

It's looking good so far...

SBS2003 Remote Web Workplace, Console Access and That Awful /admin Change

OK, those of us that have worked with SBS2003 for quite some time tend to put Remote Web Workplace (RWW) right up there on our list of favourite SBS features.

The feature I like best is the pre-authenticated access to enable RDP proxy to the servers in the SBS network (although the use of port 4125 can be a pain behind some firewalls). The "Log on to or resume the console session of the remote computer" option allows me to effectively remotely manage the server as though I was on site.

This is particularly useful when dealing with programs that require Session 0 - commonly known as console - access (for a concise description of terminal services history and session 0, see the Terminal Services Sessions: Then and Now article or the Wikipedia Terminal Services entry).

Over the last few months, I'd been finding that the Patch Tuesday reboots on the boxes I'd been RWW'ing to had resulted in hung systems, similar to what Susan Bradley's September 2006 blog entry records. Today, I saw the Ask the Performance Team's blog entry on The Reboot that Wasn't. This seemed to detail exactly what was going on with me, but I'd been enabling the "Log on to or resume the console session of the remote computer" option. So surely this wasn't my problem - or was it?

So I did some digging. I picked a Windows Vista RTM box, a Windows Vista SP1 box, a Windows Server 2003 SP2 box and a Windows Server 2008 box. I tried RWW'ing to my SBS 2003 box on each of them with the "Log on to or resume the console session of the remote computer" option set.

The results were as follows:

  • Windows Server 2003: Session 0
  • Windows Vista RTM: Session 0
  • Windows Vista SP1: Session 1
  • Windows Server 2008: Session 1

What's going on here? Shouldn't that be Session 0 for all those RWW clients?

No, not exactly. The problem we're seeing here is that the Remote Desktop Client (version 6.1) found in Windows Vista SP1 and Windows Server 2008 has dropped the /console switch and replaced it with /admin. The description of this change can be found in MSKB 947723 and also at the following Terminal Services Team Blog entry (same entry as the KB article, but with user comments). This change also extends to the programmatic interfaces that RWW uses.

As I commented in the Terminal Services Team Blog entry, this change was unwarranted, as the /console switch could have been left alone, with the code handling graceful fallback from the security-enhanced console access in Vista SP1 and Windows Server 2008 to the Session 0 access in Windows XP and Windows Server 2003.

So, the Terminal Services team has broken console access from RWW. Doesn't say much for the QA process when an entire product feature that relies on the Remote Desktop Client isn't tested for regression.

So what can be done to mitigate this? Well, you can use something like CopSSH on the SBS box and ssh to it, then use an ssh tunnel to connect to the SBS box using RDP (a how-to guide can be found on this Remote Desktop and SSH page). Or you can allow direct RDP access to the SBS 2003 box, which is very useful if you're running the Premium Edition and using ISA Server as you can leverage the ISA Server lockdown mode - which means you get RDP access when ISA's in lockdown and you can also tighten up RDP access to a restricted set of computers when ISA's running normally. For Standard Edition, or non-ISA Premium Editions, RDP restriction should be done by your firewall device.

For a hardware solution, something like an iBoot remote power management device might be useful to help with those hang-on-shutdown problems.

Anyway, patching over RWW can be problematic - see the Repeat after me.... you don't patch over RWW blog entry and the Some months you can't patch over RWW blog entry for some reasons why patching over RWW is bad.

Wednesday, March 19, 2008

Windows Vista SP1 - Why Isn't Windows Update Showing It To Me?

If you're waiting patiently for Windows Vista SP1 and Windows Update isn't letting you know about it, then you probably want to go and look at MSKB 948343 for a list of reasons why you're not seeing it.

In particular, check your driver versions. This is the current list of drivers known to be problematic with SP1:

Audio drivers
Realtek AC'97

• For x86-based computers: Alcxwdm.sys - version 6.0.1.6242 or earlier

• For x64-based computers: Alcwdm64.sys - version 6.0.1.6242 or earlier

SigmaTel

• For x86-based computers: Sthda.sys - version 5.10.5762.0 or earlier

• For x64-based computers: Sthda64.sys - version 5.10.5762.0 or earlier

SigmaTel

• For x86-based computers: Stwrt.sys - version 6.10.5511.0 or earlier

• For x64-based computers: Stwrt64.sys - version 6.10.5511.0 or earlier

Creative Audigy

• For x86-based and x64-based computers: Ctaud2k.sys - version 6.0.1.1242 or earlier

• For x86-based computers: P17.sys – all versions (This was originally a Windows XP-based driver.)

Conexant HD Audio

• For x86-based computers: Chdart.sys - version 4.32.0.0 or earlier

• For x64-based computers: Chdart64.sys - version 4.32.0.0 or earlier

Biometric (Fingerprint) Sensors

• AuthenTec Fingerprint Sensor with the Atswpdrv.sys driver file – version 7.7.1.7 or earlier

• UPEK Fingerprint Sensor with the Tcusb.sys driver file – version 1.9.2.99 or earlier

Display drivers
Intel Display

• For x86-based computers: Igdkmd32.sys – versions between and including driver 7.14.10.1322 and 7.14.10.1403

• For x64-based computers: Igdkmd64.sys – versions between and including driver 7.14.10.1322 and 7.14.10.1403

Other drivers

• Texas Instruments Smart Card Controller with the GTIPCI21.sys driver file – version 1.0.1.19 or earlier

• Sierra Wireless AirCard 580 with the Watcher.exe application – version 3.4.0.9 or earlier (This application is located in the AirCard 580 Program Files folder.)

Symantec software driver for Symantec Endpoint Protection and for Symantec Network Access Control clients

• For x86-based computers: Wgx.sys – versions 11.0.1000.1091 or earlier

• For x64-based computers: Wgx64.sys – versions 11.0.1000.1091 or earlier

Note: Symantec is aware of this issue, and it is working on a solution. Symantec provides various update procedures. This includes their LiveUpdate service.

Saturday, March 15, 2008

Windows Server 2008 Standard Edition - License Change Regarding Virtualisation

The introduction of Hyper-V to all editions of Windows Server 2008 (except Web Edition) has meant there's been a licensing change to the Standard Edition.

The previous editions of Windows Server Standard Edition allowed for 1 instance of Windows Server to be installed as a Physical Operating System Environment (POSE) or as a Virtual Operating System Environment (VOSE). This meant that if you wanted to host a virtualised Windows Server 2003 R2 Standard Edition on say Virtual Server 2005 R2 running on Windows Server 2003 R2 Standard Edition, then you needed to acquire 2 licenses of Windows Server 2003 R2 Standard Edition - one for the physical instance and one for the virtual instance.

The new licensing change brings the Standard Edition in line with the Enterprise Edition. This means that Windows Server 2008 Standard Edition can be installed twice using the one license - once for the physical instance and once for the virtualised instance. The caveat is that the physical instance can only be used for the purposes of hosting the virtualised instance. All the workload for the Standard Edition license is to be performed in the virtualised instance, with the physical instance used to host and maintain the virtualised instance.

More information can be found in the Licensing Information section of the Hyper-V FAQ, Microsoft's Licensing Virtualisation changes and the Volume Licensing Product Use Rights.

Friday, March 14, 2008

Wisptis.exe Can Cause Browsing Problems

I went up to serverunleashed.com last week to have a look at Microsoft's marketing efforts for Windows Server 2008 launch.

On my freshly installed Windows Vista Business x64 with SP1 laptop, I was finding that Internet Explorer was locking up before getting to the loader progress bar (the one that appears on Vista and Server 2008 boot up).

I disabled all the add-ons (except Silverlight) to see if one of the add-ons was causing the problem. No go. My XP boxes were displaying it OK, as were my test Server 2003/2008 boxes and another Vista box.

One thing different with my laptop is that it has a Wacom Bamboo tablet, which means that it loads a heap of tablet-specific drivers and helper applications. I would find occasionally that when I launched Internet Explorer it would prompt me to run wisptis.exe, for which I always clicked Allow but never checked "Do not show me the warning for this program again". I thought this might be the problem, because when I force closed IE7 and selected "Look for a solution to this problem and restart Internet Explorer" it would restart IE and prompt to run wisptis.exe.

I went hunting for wisptis.exe and found that it's a pen input device utility that can be installed from a variety of sources, including being bundled with the OS. It's also useful in talking to the tablet digitisers, so removing it or not running it can impact on the usefulness of the tablet device.

Once I checked "Do not show me the warning for this program again" when prompted to run wisptis.exe and clicked Allow, then I was able to successfully view serverunleashed.com.

So if you're having Internet Explorer lock-ups when visiting a site and you've got tablet devices/drivers installed, this could be your problem.

Who Do You Trust?

We place a large amount of trust in big organisations when we browse to their sites - banks, insurance companies, telecoms + technology companies, etc. We assume that they're doing the right thing and have appropriate security measures in place to prevent breaches and ensure the integrity of their sites.

Two recent episodes that highlight the problems are the whitepages.com.au banner ad injection and the Trend Micro site compromise on one of their Japanese sites.

Now both of these exploits highlight that large organisations have SNAFU moments too. Unfortunately given their market position, and in Trend's case their security reputation, we can tend to trust them too much.

My take on both these exploits is to:

  • regularly review dynamic code injection into your sites (e.g. banner ads); get rid of them where possible and try to restrict the type of content generated.
  • perform regular integrity checks on your sites; create MD5 or SHA1 checksums of your site prior to deployment, then check these checksums regularly. Shut down the site if the checksums change.
  • make sure you have malware protection software and it's up to date; nothing new in this one really.
  • investigate browser add-ons to help prevent malware infection; IE7Pro for Internet Explorer is good, as is NoScript for Firefox
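
The integrity check from the second point above, as an added example that is not code from the original post: it uses SHA-256 rather than the MD5 or SHA1 the post mentions, and it also reports files that were added or removed, which re-checking only the known files would miss. The sample site and its file names are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each file's site-relative path to its SHA-256 digest."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256()
            with path.open("rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest


def compare(baseline, current):
    """Report files modified, added or removed since the baseline."""
    return {
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def site_is_intact(report):
    return not any(report.values())


def demo():
    """Constructed sample site: baseline it, change it three ways, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        (site / "js").mkdir()
        (site / "index.html").write_text("<h1>Welcome</h1>")
        (site / "js" / "app.js").write_text("console.log('ok');")
        baseline = build_manifest(site)  # taken pre-deployment; keep it off the web server
        (site / "index.html").write_text("<h1>Welcome</h1><!-- injected -->")
        (site / "banner.html").write_text("<!-- unexpected file -->")
        (site / "js" / "app.js").unlink()
        return compare(baseline, build_manifest(site))


if __name__ == "__main__":
    report = demo()
    print("intact" if site_is_intact(report) else f"ALERT: {report}")
```

The baseline manifest is only trustworthy if it is stored somewhere the web server account cannot write to.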

Remember, ultimately you are responsible for the health of your systems. If Trend Micro are able to be compromised, so are you. Don't outsource your security responsibilities. Have a healthy sense of paranoia and apply a "secure by default" mindset when setting up your Web sites and also your Web browser.