There are multiple accounts with name MSSQLSvc

Having nothing better to do over the Christmas / New Year break (yeah right) we thought we might enjoy a good swing. A swing migration that is. Firstly, all credit to Jeff Middleton for his excellent guide on how to get a new SBS server working without disrupting an old SBS server. It doesn’t even have to be an SBS server but we know that it works with SBS. For information about the process see www.sbsmigration.com.

Our only criticism of Jeff’s work is that although it is very thorough we found it a little disjointed. To overcome this we developed our set of custom migration notes that made it clear for dummies like us. During this process we have come across a few interesting tips and issues that aren’t mentioned in Jeff’s notes.

The first of these is the following error that started appearing in the logs :

There are multiple accounts with name MSSQLSvc/:1433 of type DS_SERVICE_PRINCIPAL_NAME.

Turns out what happened was that our initial SBS Premium server (with SQL 2000 installed) was set to run the SQL services under a specific user. However, when we installed the new SBS server we set up the new version of SQL to run under another account. This means that two different users in the Active Directory think that they are in control of the SQL service accounts, generating the above error.

The fix is pretty simple. Use the setspn utility to check the accounts and then change the setting so only one is registered for SQL.

Use

setspn -l account1

and

setspn -l account2

to check that both accounts were registered for mssqlsvc. Now use

setspn -d mssqlsvc/:1433 account2

to remove the duplicate SPN from the second account (in this case account2).

So for all you SBS swingers out there, keep this in mind if you are planning to change the service account logins during migration.

Windows updates fail to install

Having a problem installing Windows Updates from the Microsoft web site on your XP machine? Typically they download but when they actually go to install the message you get says “failed”. If so try this :

1. On the machine with the issue, locate and stop the service “Automatic Updates” in Services under Administrative Tools from Control Panel.

2. Locate C:\WINDOWS\SoftwareDistribution and delete all the contents in this folder but do not delete the folder C:\WINDOWS\SoftwareDistribution, just all files and folders underneath it.

3. Return to Services and restart “Automatic Updates”.

4. Re-run Microsoft Updates from the web site. You will need to reinstall the Microsoft Update ActiveX control but updates should now download and install.

Good security demo

Here’s a great video that demonstrates how “insecure” even the most modern networks are. All you have to do is ignore one fundamental security principle (which end users do all the time) and then the flood gates are open.

http://www.microsoft.com/uk/technet/itsshowtime/sessionh.aspx?videoid=351

It’s only about 20 minutes in total time but we just wish we could download the file in total for later reference.

SBS2003 standard and VPN issues

We were recently trying to get VPN access to an SBS 2003 standard install. Everything we tried just didn’t work. We ran and re-ran the wizards, checked that the right ports on the hardware firewall were forwarded but still no luck. Typically, we would get the message that the VPN was connecting but during authentication it would simply time out and we would receive a message that the VPN had been disconnected.

Turns out that the problem lay with the hardware firewall. What finally ended up resolving the problem was a simple upgrade of the firewall firmware. Once completed the VPN worked a treat. Initially you just never stop and consider that the hardware firewall ( external to SBS2003 ) could be the issue. It works and has always worked so why should it be a problem? Well, in this case it certainly was the problem.

Another handy tip we’d give you is to always back up the configuration of the hardware firewall before you upgrade the firmware. Over time a lot of changes can be made to a hardware firewall that are not always documented.

Book review – Spies Among Us

Spies Among Us: How to stop spies, terrorists, hackers and criminals you don’t even know you encounter every day by Ira Winkler was a little disappointing we thought. Well, probably the most likely reason is that we’ve heard it all before. Security isn’t a destination, it is a process, as all good security professionals know. Ira’s book covers a wide range of topics but the answers are always very simple and usually just require common sense. We suppose that in this day and age that is what is missing from most people. Why would someone from Nigeria ask you to allow them to transfer money through your account for a significant handling fee? C’mon, now really, but you’d be amazed at how many people just that scam alone fools. From memory we think email scams are Nigeria’s largest earning export.

This book is probably a good read for someone who really hasn’t had to think too much about security. It does provide plenty of real world examples of how professionals perform penetration tests of businesses and generally how they walk away with the information they require within a few days. It is probably a good book to get your boss to read to convince them to spend more on security but as we all know this is highly unlikely. Why? Simply because security is all about maintaining the status quo in management’s eyes. They think that it doesn’t contribute to profits and it doesn’t reduce expenditure so what good is it? In the face of this sort of attitude we like to ask – “What do you have to do to be 100% certain that a break in will not re-occur once your computer systems have been compromised?“ – Answer “The only way to be 100% certain is to wipe EVERYTHING (servers, workstations, the lot) and reload“. How expensive is that going to prove boss?

The cost of proactive security is always far cheaper than reactive security but not many businesses understand that until it is too late. If you don’t see the benefit of security then read Spies Among Us before your business becomes a victim.

High processor utilization after SBS2003 Service Pack 1 installed

Recently we upgraded an SBS 2003 Standard system to Service Pack 1 and everything went well until the following day when we received all these processor idle time warnings. When we logged in we found that indeed the processor usage was averaging above 50%. Hmmm... we looked at the task manager and found that the process “System” was consuming an abnormal amount of processor time.

We then loaded processor monitor from sysinternals, which showed all the processes that form part of system, to help us determine where the problem lay. We didn’t install the Microsoft debugging tools like you are supposed to so we couldn’t really identify where the issue lay. Hmmm... most likely some sort of system driver needed updating.

We had updated the system BIOS before performing the Service Pack upgrade so it couldn’t be that. Our thoughts turned to the hard disk drivers being the next most likely option. When we looked at the HP drivers site for the server we were confused as to exactly what disk drivers the server had. We became hesitant about applying this sort of driver update remotely. Hmmm…

After a little more contemplation we got the feeling that this issue was remarkably like another we had seen previously. A while back we saw issues where an SBS2003 server would slow to a crawl when it had Etrust 7.X installed. That little bug took us over 6 months to solve. The problem turned out to be an update of the Etrust realtime drivers. These updates can be found here.

We then checked the dates on the realtime CA files, INO_FLTR.SYS and INO_FLPY.SYS, located in the WINNT\SYSTEM32\DRIVERS directory and they were pretty old. Thinking that updating these was a good first step we downloaded the realtime updates from the CA web site and applied them to the SBS 2003 server. Of course applying the updates required the server to be rebooted (what doesn’t these days?).

After the reboot, guess what? The processor activity returned to normal. Who ever thought that such small files can cause problems but we suppose when you consider that any realtime antivirus works at a pretty low level most of the time on a server, it makes sense that old realtime files can cause problems.

So in summary, if you are seeing high processor activity on an SBS 2003 server with Etrust V7.X antivirus installed, our advice is to try applying the realtime updates first (you’ll need to reboot your server for them to take effect).

SharePoint workflows

We have spent the week converting our old SharePoint 2003 site into a new SharePoint 2007 site. We loved the old SharePoint but the new 2007 version is even better if that is possible. One of our favourite features so far has gotta be wikis and search. We have entered all our in-house knowledge base as a wiki and now we can do a search on the content. This is great when you are out on a customer’s site and need to remember something you’ve got documented. Simply dial up SharePoint remotely, do a search and bingo there’s the info you need. Makes you look like a hero in the eyes of the client.

However, we feel that the greatest asset of SharePoint 2007 will be its ability to handle workflow. Simply put, this means that you can systemize a business process. For example you can create a document library that contains an expense spreadsheet template. To lodge a new expense claim you create a new file from the template and save it back to the document library. Once saved the workflow kicks in prompting other SharePoint users to approve the expenses. Once they have approved it the information can be forwarded to someone else for payment. How many business processes do companies have that would benefit from workflow? We know we have heaps and are sure most other people do as well.

Well, after coming to grips with most of what the new version of SharePoint has to offer we decided that it was time to conquer workflows. We were disappointed to find that out of the box Windows SharePoint Server only comes with one workflow. Office SharePoint Server has more but surely there must be others available for Windows SharePoint. Next stop Google. Unfortunately, not much luck here, we couldn’t find any pre-built add on workflows we could simply import into SharePoint. What now?

After a bit more research we discovered that you can create your own workflows using Microsoft SharePoint Designer 2007. Now we’ve used Microsoft Frontpage extensively to create all sorts of web sites but SharePoint Designer certainly appears to be a step closer to a designer tool like Visual Studio. Not to be intimidated we started looking at the inbuilt help for the product and were surprised at how helpful it really was.

A short time later we had created and integrated our very first workflow into our SharePoint 2007 site. It really was a snap. Sure it is only a test workflow at this stage and it doesn’t do anything flash but we can really see the power of SharePoint Designer now in just helping create workflows alone, never mind all the other cool stuff it can do with SharePoint. Just imagine being able to walk into a business with SharePoint Designer and automate a business process then and there. Then imagine being able to create “standard” workflows that you can install on other SharePoint sites. Just imagine.

If you thought SharePoint 2007 was a revolution, try combining it with SharePoint Designer, then you’ll really see what can be done. There is no doubt in our mind, SharePoint 2007 is going to be a HUGE product for Microsoft.

Wanna know why Vista took so long and will cost so much?

If you do then you should read this article about the Cost analysis of Windows Vista Copy protection. You’ll find the article at :

http://www.cs.auckland.ac.nz/~pgut001/pubs/vista_cost.html

Here’s the Executive summary :

“Windows Vista includes an extensive reworking of core OS elements in order to provide content protection for so-called “premium content”, typically HD data from Blu-Ray and HD-DVD sources. Providing this protection incurs considerable costs in terms of system performance, system stability, technical support overhead, and hardware and software cost. These issues affect not only users of Vista but the entire PC industry, since the effects of the protection measures extend to cover all hardware and software that will ever come into contact with Vista, even if it’s not used directly with Vista (for example hardware in a Macintosh computer or on a Linux server). This document analyses the cost involved in Vista’s content protection, and the collateral damage that this incurs throughout the computer industry.”

It would seem that Microsoft has spent a hell of a lot of time and effort basically trying to appease Hollywood, who fear their “content” being stolen. The article details how Vista will be slower and less stable for all users with “features” designed to prevent copying by a small minority. Such “features” also appear to have wide ranging effects on the whole PC industry, as providers of accessories, such as graphics cards, will need to comply with these “murky” standards to get their equipment working in Vista PCs.

The scary part appears to be the fact that Vista will disable or degrade an interface (say video output) if it senses premium output. So let’s say that you are working on a spreadsheet while trying to watch a HD movie. If Vista doesn’t like the HD movie then guess what, the whole screen may go blank as the interface is shut down. The other interesting “feature” is the inclusion of “tilt bits”. “Tilt bits” monitor the bus for “abnormal activity” and if detected shut down the bus. This is supposed to prevent people inserting equipment in a PC to bypass software protection.

We highly recommend you read the article (which has much better explanations and details) and decide for yourself. The more you start to look at what is presented here the more you see how running Vista could be a problem. What we want to know is why the hell didn’t Microsoft put all this time and effort into adding the features they initially said they would or improving security. Instead we potentially have an operating system with inclusions for a very small minority of the population but with ramifications that could affect the whole industry.