New Security Regulations In Massachusetts

The commonwealth of Massachusetts has recently passed legislation entitled "Standards for the Protection of Personal Information of Residents of the Commonwealth." Under these standards, businesses must comply with a new set of regulations that govern how they must protect employee and customer data.

The legislation was passed with good intent, but a hue and a cry from businesses has convinced the state to push out the deadline from January 1 to May 1, 2009.

Recently, Jack Daniel (former chair of NAISG/Boston) moderated a discussion on these new standards. We recorded the discussion and posted it as Windows Media streaming video. We encourage you to watch it if you conduct business in or near Massachusetts. You can find it at http://boston.naisg.org/archive.

-TQG

The Misery of Requesting DNS Changes

For those of you that support clients or even manage your own organization's IT, I ask you this simple question: Have you ever had to request a record change from your DNS provider and sat there wondering...no, praying... if it would go correctly?

I pray to the gods of all religions every time I have to request a change in a MX or A record. Recently, a client of mine moved to the Postini antispam system. As part of this, we needed to create four new MX records and eliminate the old one, which had the format of mail.myclient.com. However, we needed to retain the mail.myclient.com host (A) record because the client used it for Web access to the mail system.

Knowing full well what might transpire when I sent the request to the DNS provider, I very explicitly stated: "Please delete the MX record of mail.myclient.com. However, please do NOT delete the corresponding host (A) record."

I thought that directive was fairly clear. The provider responded that he made the change and even included a copy of the zone file to prove his case. But what I found when reviewing the file was that he left the MX record intact and deleted only the A record.

So, this obviously illiterate support person made two flagrant violations:

1. He did not follow my instructions. In fact, he did just the opposite of what I requested.
2. He created an invalid MX configuration for the client, since the MX record had no corresponding host record. As a result, the client lost email and it took another 36 hours for me to track down a knowledgeable support person to make the correction.

I'm still wondering exactly how I need to communicate the request so that it will be understood. As indicated, it seemed clear to me when I wrote it. Perhaps I just need to take control of the DNS myself with an account at DynDNS or other such provider rather than letting the client's ISP manage it. Or maybe I need to sacrifice a goat to the DNS gods. I don't know...

-TQG

SBS 2008 Released to Manufacturing

For those of you, like The Quintessential Geek, that are fans of Microsoft's Small Business Server, you should know that the SBS 2008 was officially released to manufacturing today.

I have been playing with SBS 2008 for the past month or so and have been very pleased with its performance, functionality and stability. This is a product that I will definitely be recommending to my clients!

You can read some details on the Microsoft SBS blog at http://blogs.technet.com/sbs/archive/2008/08/21/sbs-2008-released-to-manufacturing.aspx.

-TQG

Does M'Soft want admins doing online shopping from servers?

This may be small in the grand scheme of things, but why is it that Microsoft continues to install its default Favorites with the browser? Microsoft has been doing this since the days of Internet Explorer 4.

Microsoft claims (rightly so) that administrators should not be Web surfing on a server, yet I fire up any IE installation on a server and I see that the browser is still pre-loaded with Favorites such as MSN Entertainment and MSN Sports.

It's always chewed away at my gut that browsers insist on installing default Favorites, or for that matter that ANY software installation installs Favorites, icons at the root of the Start menu, in the Quick Launch toolbar, etc. I always end up deleting them so that I have only the ones that I want, but it's just another annoying tweak that I need to make.

Be gone, o hideous, default Favorites!

-TQG

The Need for Security Education in the Community

It's been three weeks since my last post. I guess the warm weather and long work days have helped suppress motivation lately. But since that time, some interesting changes have occurred at the National Information Security Group (NAISG). We started 5+ years ago as a Boston-based user group. Since then, we have taken on a national, online role; and then expanded on that to include a handful of US-based chapters which include Connecticut River Valley, New York City, Washington, D.C. and Seattle, Washington.

In addition to this, we also maintain a LinkedIn "group." This group has grown much quicker than expected. (As of today, we have ~1,200 members from around the world.) So three weeks ago, I sent an email blast to all of our LinkedIn members, thanking them for joining the list, encouraging them to visit our Web site and asking them about general interest for user groups in their communities.

As a result of that email, two things happened:

1> I received one email from an upset individual asking why the heck he would want to join yet another security group. After all, he asked, isn't it adequate having ISSA, CIPS and ISACA? "Why did I feel it was necessary to fragment the security community?," he argued.

2> I received a number of other emails from individuals expressing their desire to form chapters, indicating the need to have the groups and the education they provide. In addition, many of these individuals expressed their frustrations with organizations such as ISSA, which charge membership and frequently provide just vendor-focused presentations. (In contrast, NAISG's operations dictate to prospective presenters that the discussions must be issue-focused and not product-focused.)

So, the positive response I received from these many individuals helped me to mentally squash the negative one. And as a result, we have since opened chapters in Atlanta, Georgia; Dallas, Texas; Pittsburgh, Pennsylvania; London, England and Bangalore, India!

In addition, we have plans for chapters in Chicago, Illinois; Austin, Texas; Jacksonville, Florida; Detroit, Michigan; Red Deer, Alberta, Canada; Athens, Greece; Bucharest, Romania; Delhi, India; Istanbul, Turkey and Oxford, England.

So much for fragmenting the security community!!!!

-TQG

3rd-Party SSL Certs on SBS

Today I experienced the wonder and amazement (sarcasm intended) of installing a 3rd-party SSL certificate onto our Small Business Server 2003 so that users would no longer be annoyed with warning messages when connecting to Outlook Web Access or Remote Web Workplace, and so that it would be significantly easier to configure Outlook-over-HTTPS.

Although the certificate worked like a charm for its intended purpose, I was not-so-pleasantly surprised when I found that I could no longer administrate public folders in Exchange System Manager. I've already spent more than a few hours trying to resolve this with no luck. I've also discovered by a search through Google Groups that I am by no means the only person to experience this pain. Unfortunately, the solution for most people (disable the SSL requirement on the ExAdmin virtual directory in IIS) does not seem to work for me.

I've written a nice support message to the issuing CA in the hopes that they can assist, but methinks that I may need to remove this particular cert and revert to the self-signed certificate that SBS conveniently generates.

Ugh...

-TQG

XP SP3 breaks ActiveX in IE 7

A client recently contacted me to report that he lost the ability to use the Remote Web Workplace feature of Small Business Server 2003 after having installed SP3 for Windows XP. It took a while of troubleshooting and some digging into Google Groups, but I soon found reports that SP3 will disable the Remote Desktop add-on of Internet Explorer 7 (perhaps also IE 6, but unsure at this time).

To fix this problem, go into IE's Tools > Internet Options > Programs > Manage Add-Ons and locate the Remote Desktop add-on. If it is set to Disabled, then enable it and your problem should be cured.

-TQG