WSUWiki Initial Log Analysis Result - Month of November 2005

I'm running a log analysis tool called Awstats against the logs of some of our applications.

I downloaded the result into Excel, and do a little massaging on the data - Basically, I separated all the "action=" with the pages-URL. Among all "action=" pages, I added the counts of "action=edit", and "action=submit" together. They are both generated by the process of editing (Edit, Preview, Save). Among all individual pages, I added /index.php and /index.php/Main_Page together. They are basically the same page.

Here is the top 10 most viewed Pages-URL:

Pages-URL	Viewed	Entry	Exit
Main_Page	1447	442	246
Chinese_Calendar_2006	622	405	122
Cultural_Politics_of_Sport:_Annotated_Bibliography	301	104	42
Fix_Outlook_2003_Phonebook_Issue	236	170	51
Chinese_Calendar_2005	197	125	43
Special:Search	120	4	16
Category:CES_308_RKing	98	3	0
User:Krussell07/CES_308	91	3	0
Category:CoursePagelist	89	1	0
History_Of_Sport	83	2	4

Notice that both Chinese Calendars are high on the list, I am pleasantly surprised.

But then, as I look more... I was even more surprised. I have only promoted the URL of the AAPI page to the asian groups. It's been over a month ago. Being too caught up at my main duty, I admit I haven't done much since then.
But the two Chinese Calendars (linked from the AAPI page) are on the top 10 most visited list, but not the AAPI page itself.
They have very high "Entry" counts. Apparently, once people found those calendar pages, they bookmarked them.
The 2006 version has a much higher "Viewed" count then the 2005 version. (Due to student groups planning on events and gatherings of next year... e.g. looking at when the Chinese New Year is, maybe?)

Among the top 5, the "Entry" counts are several times higher than the "Exit" counts. This implies that once people visit a page (and find it useful), they also wander off, looking at what else could be interesting to them on the site.

Finally, I added the "Viewed" counts of all individual page.I found that in this month of November, so far there are 6865 views and 967 edits. There are 7 times more views than edits.

Ok, maybe I should exclude "/index.php/Main_Page" in the numbers.
This gives 5418 views and 967 edits. Still over 5 times more views than edits.

People are visiting (and re-visiting) pages for "reference". They would generally poke around further on the site if the information on some particular pages are useful to them. Information here flows one direction only.

Among all the 967 edits, there are 789 counts of clicking the edit button, and and 178 actually submit. (Submit includes both preview and save. This is just the way the URL is presented to the server). Intuitively, I would think there should be more submit than edit... since people may only click edit once on a page, but preview many times before they save their work. The log analysis result shows that it is not the case. There are 4 times more people click on edit, than actually saving their work.

Could it be due to the wiki (text editor) hard to use for end-user?
What can we do to encourage more contributions?

List of CDs with the Evil Sony BMG Rootkit

Details on which CDs, and how to identify them can be found on the Electronic Frontier Foundation's web site:
http://www.eff.org/deeplinks/archives/004144.php

After over a week of furor surrounding this issue, Sony BMG has finally said that they will stop manufacturing CD with the rootkit.
http://blog.sonymusic.com/sonybmg/archives/xcp.html

But does Sony want you to uninstall the rootkit? Read Mark Russinovich (SysInternals)'s blog:
http://www.sysinternals.com/blog/2005/11/sony-you-dont-reeeeaaaally-want-to_09.html

Using Active Directory Group Policy to Make hosts File Read Only

According to SANS NewsBites Nov 4, 2004 New Phishing Tactic is Stealthy,

MessageLabs has reported seeing what could become a new twist in phishing scams. These emails contain a script that, once the email is opened, rewrite host files to automatically redirect users to phishing sites when they attempt to visit legitimate banking sites.

The article advised you protect from this particular kind of attack by disabling Windows Scripting Host. However, if your users are technical people and require to use this for their dayto day work, you don't have the luxury.

But you can change the hosts file to read only and enforce it via Group Policy. Here is how:

• In Group Policy Management Console, create a new group policy.
• Go to Computer Configuration | Windows Settings | Security Settings | File System.
• Add the file:
  %SystemRoot%\system32\drivers\etc\hosts
• Change the permissions of the file to:

  Type	Name	Permission
  Allow	BUILDIN\Administrators	Read
  Allow	NT AUTHORITY\SYSTEM	Read
  Allow	BUILDIN\Users	Read

• Save and link this group policy to the desired OU accordingly.

Don't forget to enable security policy enforcement. Best practice is to define this as your baseline policy.

• In Group Policy Management Console again, create a new baseline group policy (or click on your baseline group policy if you already have one).
• Go to Computer Configuration | Administrative Templates | System | Group Policy.
• Click on Security policy processing.
• Choose Enabled radio button, and check the Process even if the Group Policy object have not changed.
• Save and link it to the desired OU accordingly.
  
  

Using Active Directory Group Policy to Protect Against SYN Flood DoS Attack

I have been seeing waves of SYN Flood denial of service attack against our applications every so often. During the attack, hugh volume of TCP SYN packets was being sent to our web application until they exhausted all the resources on the corresponding server. It is pretty annoying because it affects the experience of our other legitimate users using our applications.

Our firewalls could keep track of the number of connections from a single source, and if that exceeds a certain threshold, they could deny further connection attempts. This does a pretty good job so far. But I am a little concerned about the growing number of those attacks, and eventually a distributed denial of service one.

Turns out on the Windows 2000/ 2003 server, there are several registry settings that one can use to harden the TCP/IP stack. e.g. SynAttackProtect. By setting this registry value to 1, the server will time out all half open connections more quickly during a SYN attack (determined by several thresholds), and be able to recover the resource sooner to serve legitimate users.

I want to enable it on all our servers. Can Active Directory Group Policy help? Yes! Here is how:

• Created a custom Administrative Template as follows:
  
  CLASS MACHINE
  CATEGORY "Network"
  CATEGORY "TCP/IP Hardening"
  POLICY "SynAttackProtect"
  KEYNAME "SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
  EXPLAIN "This registry value causes Transmission Control Protocol (TCP) to adjust retransmission of SYN-ACKS. When you configure this value, the connection responses time out more quickly during a SYN attack (a type of denial of service attack). Set SynAttackProtect to Disabled (0 - default) for typical protection against SYN attacks. Set SynAttackProtect to Enabled (1) for better protection against SYN attacks. This parameter causes TCP to adjust the retransmission of SYN-ACKS. When you set SynAttackProtect to 1, connection responses time out more quickly if the system detects that a SYN attack is in progress. Refers to Microsoft KB 324270 for more information."
  VALUENAME "SynAttackProtect"
  VALUEON NUMERIC 1
  VALUEOFF NUMERIC 0
  END POLICY
  END CATEGORY
  END CATEGORY
  
  
• Save the file as SynAttackProtect.adm.
• In the Group Policy Editor, go to View menu | Filtering, uncheck the "Only show policy settings that can be fully managed" checkbox.
• Then go to Computer Configuration | Administrative Templates, and use Add/Remove Template to add this SynAttackProtect.adm custom administrative template.
• Now, under Administrative Template | Network, a TCP/IP Hardening category will appear.
• Under this TCP/IP Hardening category, double-click on SynAttackProtection and change the status to Enable.
• Close the Group Policy Editor to finish.
• Link this group policy to the right OU to apply onto all the servers under it. (always do it on test servers first!)
• Within 90 minutes (default time for Active Directory Group Policy refresh), the servers will have the new registry setting.
• You still have to reboot the servers to make the registry change effective.

One thing you have to know is that this kind of group policy is a tattoo type policy. The registry setting would not be changed back to the original value if you later on remove this group policy. To undo the change, you will have to explicitly change this group policy SynAttackProtect setting to Disable.

Refer to Microsoft KB 324270 article for complete detail on how to harden the TCP/IP stack against denial of service attacks in Windows Server 2003.

Convert Today's Date to YYYYMMDD In Batch File

Here is a simple script to convert today's date into yyyy-mm-dd format in batch file:

FOR /F "usebackq tokens=1,2,3,4 delims=/ " %%i IN (`date /t`) DO (

set yyyymmdd=%%l%%j%%k

)

Using Active Directory Group Policy to Deploy SmbDeviceEnabled Registry Setting

I deployed a pair of firewall appliances onto our network using Network Address Translation (NAT). Soon after that, users start to report they encounter intermittent network problems. e.g. Corrupted word documnet, garbage data in files on file server, XP machines receive a "Write Delay Error" warning, corrupted Visual Source Safe database.

One thing in common is that the problems are all found when the connection is using Server Message Block (SMB) protocol.

Turns out there is a problem with SMB protocol running on NAT. Refer to Microsoft KB 301673 article for more detail. The work around is to change a registry setting so that NetBT protocol will be used. You can change it either on the client workstations or the servers side.

For us, since the client workstations may connect to more than one servers, and some of those servers are not managede by us (and as a result, they are outside our firewalls, we have to change the registry setting on the client side.

So, I used Active Directory Group Policy to help me to deploy the registry setting.

• Create a custom Administrative Template as follows:
  
  CLASS MACHINE
  CATEGORY "NetBT Settings"
  POLICY "SmbDeviceEnabled"
  KEYNAME "SYSTEM\CurrentControlSet\Services\NetBT\Parameters"
  EXPLAIN "This policy configures the registry value HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\SmbDeviceEnabled. You can disable this value to solve the problem of SMB using NAT. Refers to Microsoft KB 301673 for more information."
  VALUENAME "SmbDeviceEnabled"
  VALUEON NUMERIC 1
  VALUEOFF NUMERIC 0
  END POLICY
  END CATEGORY
  
  
• Save the file as NetBT.adm.
• In the Group Policy Editor, go to View menu | Filtering, uncheck the "Only show policy settings that can be fully managed" checkbox.
• Then go to Computer Configuration | Administrative Templates, and use Add/Remove Template to add this NetBT.adm custom administrative template.
• Now, under Administrative Template, a NetBT Settings category will appear.
• Under this NetBT Settings category, double-click on SmbDeviceEnabled and change the status to Disable.
• Close the Group Policy Editor to finish.
• Link this group policy to the right OU to apply onto all the machines under it. (always do it on test machines first!)
• Within 90 minutes (default time for Active Directory Group Policy refresh), the machines will obtain the new registry value.
• You still have to reboot the machines to make the registry change effective.

One thing you have to know is that this kind of group policy is a tattoo type policy. The registry setting would not be changed back to the original value if you later on remove this group policy. To undo the change, you will have to explicitly change this group policy NetBT Settings to Enable.

WSU IT Forum Presentation

The Vice President of Information Technology of our university organized the first Information Technology Forum. I was invited to co-present with the Enterprise Administrator. The topic is Active Directory: Securing the Enterprise.

Here is the slides of my part of the presentation.

Of course, it's my professional responsibility (as a systems administrator) to strip out or obscure any real server name and infrastructure details. But the essence of the presentation, the power of Active Directory and group policies, remains.

Using Active Directory Group Policy to Protect Against Adware/ Spyware Tracking Cookies

Continuing my journey to fully utilize Active Directory to streamline computer management, I found that we could use Group Policy to block adware and spyware tracking cookies.

Here is how:

• Start Group Policy Editor.
• Under User Configuration | Windows Settings | Internet Explorer Maintenance | Security,
• Right-click on Security Zones and Content Ratings.
• Under Security Zones and Privacy, choose Import the current security zones and privacy settings.
• Note: Before you click on Modify Settings
  It will import the Internet Explorer Security Zones and Privacy settings of the machine where you are running the Group Policy Editor. Be careful! Since Windows 2003 disables a lot of IE settings by default, you may not want to run the editor on a Windows 2003 machine and define a IE group policy for Windows XP machines.
  
• Click Modify Settings.
• Go to Privacy tab. Click Sites.
• Add the advertisement sites/ domains that you want to block their tracking cookies.
• Click OKs to finish.

This approach only works for Internet Explorer. Of course, it doesn't compare with a real adware/ spyware checking software, since they can do other checks, like file system, registry. I call this a poor man's version. It doesn't cost you anything, other than the time it takes to configure the group policy, and then link it to the right Organization Unit (OU) for deployment.

Exchange/ Outlook Rules Handling

For current (non-Exchanged) Outlook users that is getting onto Exchange, beware!
Exchange/ Outlook rules handling can bite you in many ways.

Before you proceed, export all your current rules into a file.
You will need it!

Read the following article to have a better idea about Exchange server-based and client-based rules
http://www.slipstick.com/rules/serverbased.htm

This talks about the Exchange rules storage limit of 32K:
http://support.microsoft.com/kb/241325

Some workarounds for this 32K storage limit problem
http://support.microsoft.com/?kbid=886616

For the advanced,
Bruse Heimbigner has a suggestion of using some programming technique to workaround the 32K storage limit problem:
http://blogs.msdn.com/adioltean/archive/2004/11/18/259448.aspx
http://www.google.com/search?q=RULE.DLL

Exchange Outlook Rules 32K Limit - Frustrating!

I signed up as a WSU Exchange early tester. After two days of using it, I get really frustrated.

I use my emails as a filing system. I have a place/ category/ folder for everything.
In my non-Exchanged Outlook, I have 115 filtering rules to automatically sort my incoming emails.

But once "Exchanged"... Outlook allows me to have only 27 of my rules (all the remaining 88 are being disabled). Reason is they exceed the Exchange server rules storage limit of 32K...... yes...32K only!

There are two types of filtering rules in Exchange - server-only, and client-only rules.

• Server-only rules are executed on the Exchange server directly. There is no need to have any email client. One can use it to automatically sort email out of the default Inbox, and keeping the Inbox clean and small. It is especially useful when one checks email a lot using mobile device.
• Client-only rules are executed on the client side (in my case, Outlook). One can use it to sort email onto different Personal Folders on the local machine.

All my existing rules are client-only. So, why would Outlook ever need to upload those rules to the Exchange server? and subsequently be counted into the 32K Exchange server rule storage limit? A bad design, or integration on the two Microsoft products.

I then removed the Exchange server connection from my Outlook. It shocked me to find that all my rules were removed as well. Another bad product design (should I call it a bug?) in Outlook - client-only rules should always stay with the email client, and not be affected by whether there is an Exchange server configuration or not.

There is a Microsoft KB that talks about some workarounds on the Exchange 32K rules storage limit problem. Basically, rename your rules to shorter names, merge some of your rules, change your local folders to shorter names, move your Outlook data files to another location on the file system that has a shorter path, etc.

It costs me an entire afternoon and I'm finally able to cut down my number of rules to 65. Exchange is still complaining that I can only enable 64 of them. :-(

Getting Start with Microsoft SMS 2003

Here is a summary of steps involved to get started on Microsoft Systems Management Server 2003.

Watch these essential webcasts

• Installing SMS 2003 from Start to Completion
• Using SMS 2003 to Upgrade to Windows XP SP2
• Deployment of SMS for Patch Management

Procedure to install SMS 2003

• Install SQL 2000 and patched.
• Install SMS 2003 and apply SP1.
• Install BITS support on IIS.
• Install WebDAV on IIS.
• Install SSL Certificate on IIS (if you want https in reporting).
• Configure Site Settings (Site Boundary/ Roaming Boundary, Publish to AD, etc).
• Configure Site Systems (Management Point, Reporting Point, etc).
• Configure Client Agents (Hardware Inventory, Software, etc, polling schedule).
• Configure Client Installation Methods (Software Distribution Account, SMSSITECODE).
• Configure Component Configuration (Software Distribution Account).
• Configure Discovery Methods (Active Directory, etc).
• Grant permissions for others to access the SMS server.
• In Collections (after AD Discovery complete), refresh on All Systems. Install SMS clients (push installation) selectively.
• In Software Updates, download and Install Inventory Scanning Programs.

Procedure to deploy package

• Build Query (to select machine eligible for package deployment).
• Define Collection based on Query.
• Build Package.
• Build Advertisement (Schedule, Target Collection).
• Wait for machine's regular advertised program polling cycle, or go to client machine (Control Panel, System Management) to initial machine policy refresh. Then, the package will be deployed.

Procedure to deploy patches

• Run report "Software updates with count of applicable and installed computers".
• Based on the missing updates reported, go to Software Updates, Distribute Software Updates.
• Build Package (one package contains all necessary patches).
• Specify parameters (/z /Q or other options) for each patch included the package.
• Specify the rest of the package option (Postpone reboot, allow users to defer, etc).
• This process will automatically create the advertisement.

Procedure to deploy custom package

• Create Package.
• In Package | create Program, and define program install command there.
• In Package | Distribution Point, associate the package with a distribution point.
• Create Collection (optional).
• Create Advertisement.

Remember

• A Collection contains a set of machines. It can be generated based on the result of a Query. (Note: a Query can run based on a Collection. This is used to limit the scope on which the query command is run against.).
• A Package can contain a software, a service pack, or multiple patches. It basically just points to the source folder that contains all the executables, config, etc required.
• Inside a package, you can define more than one programs. A program is for you to define what the executable is and the corresponding command line options.
• e.g. A package for Sun Java 1.4.2_07 can have two programs, one to define how to install sun java, and one for uninstalling it.
• An Advertisement associates a Program (inside a Package) to a Collection with a deployment schedule.

SMS 2003 Installation Experience

It took me a day just to simply install Microsoft SMS 2003.

First, it was the database cluster issue. One of the SMS 2003 webcasts said it did not support SQL DB cluster. I could not believe it. I thought how could it know... as long as it supports the database on a different server (which it does). But the webcast is right. The problem is that it cannot talk to a SQL cluster named instance. The installation only allows me to enter a 15 character remote SQL server name (obviously, it is a netbios name). There is simply no where I can specify a particular named instance. So, my choice is to install a standalone SQL 2000 server onto my SMS server.

Then it was the SQL 2000 and CA issue. It just happens that my SMS-server-to-be is also our private Root Certificate Authority server. It's our utility/ support server, of course. But SQL 2000 (before SP1) does not support installing onto such an environment (KB 302409 refers). The problem is fixed in SQL 2000 SP1, but I need to find a way to slip-stream the latest SQL service pack onto a SQL server installation package in order to proceed.