Security Principals, ACE, ACLs, DACLs, and SACLs

As a follow-up to an earlier post I made on Advanced NTFS Permissions, I thought I’d post some notes I made recently on Security Principals, ACEs, ACLs, DACLs and SACLs.

Security Principals

A security principal is an entity that can be authenticated by the system: a user account, a computer account, a thread or process that runs in the security context of a user or computer account, or a security group of such accounts. The important thing to remember is that each principal is automatically assigned a security identifier (SID) when it is created, that SIDs are unique, and that permissions are attached to the SID rather than to the name. This is why a domain computer cannot access domain resources once its account is deleted, even when a new account with the same name exists: the new account has a new SID.

Access Control Entry (ACE)

An Access Control Entry (ACE) is an element in an access control list (see below). Each ACE controls or monitors access to an object. Each entry in the list of security principals on an object’s Security tab is an ACE.

Access Control Lists (ACL)

Broadly speaking, an ACL is the list of security principals (users, groups and computers) that have access to an object. There are two types of ACL: the DACL and the SACL.

Discretionary access control lists (DACLs).

DACLs identify the users and groups that are allowed or denied access permissions on an object. If a DACL does not explicitly grant access to a security principal, that principal is denied access to the object.

System access control lists (SACLs).

SACLs identify the users and groups whose successful or failed attempts to access an object you want to audit. Auditing is used to monitor events related to system or network security. A SACL can be viewed by clicking the Advanced button on an object’s Security tab and selecting the Auditing tab.
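The same information from the command line, as an added example that is not part of the original post: it lists the DACL and the SACL of one object, one ACE per line, and flags ACEs whose SID no longer resolves to an account (the deleted-account case described under Security Principals). The file path is an assumption, and reading the SACL with -Audit needs an elevated prompt.

```powershell
# Added example (not from the original post): dump the DACL and SACL of one object,
# one ACE per line, and flag ACEs whose SID no longer resolves to an account.
# Assumption: $Path exists; reading the SACL (-Audit) requires an elevated prompt.
param([string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts")

$acl = Get-Acl -Path $Path -Audit

"Object : $Path"
"Owner  : $($acl.Owner)"
"SDDL   : $($acl.Sddl)"   # whole descriptor as text: O:owner G:group D:(DACL ACEs) S:(SACL ACEs)

"`n== DACL: who is allowed or denied (what the Security tab shows) =="
foreach ($ace in $acl.Access) {
    $who = $ace.IdentityReference.Value
    # A principal still shown as a raw SID could not be translated to a name: the account
    # was deleted, and a re-created account with the same name has a new SID, so this
    # ACE no longer matches anyone and should be reviewed or removed.
    $tag = if ($who -like 'S-1-*') { '  <- orphaned SID' } else { '' }
    "{0,-5} {1,-45} {2,-35} inherited={3}{4}" -f $ace.AccessControlType, $who,
        $ace.FileSystemRights, $ace.IsInherited, $tag
}

"`n== SACL: whose access is audited (what the Auditing tab shows) =="
if (-not $acl.Audit -or $acl.Audit.Count -eq 0) {
    "(no audit ACEs: access to this object is never logged, whatever the audit policy says)"
}
foreach ($ace in $acl.Audit) {
    # AuditFlags is Success, Failure or both; the object-access audit policy must also be on
    "{0,-16} {1,-45} {2}" -f $ace.AuditFlags, $ace.IdentityReference.Value, $ace.FileSystemRights
}
```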


Exchange Problems

Last week, we were unfortunate to have a major problem with our Exchange 2007 service. The server process (store.exe) that runs the mailboxes was crashing every 5 minutes or so. As the process that was failing is fundamental to the service working, it was important to try and diagnose the issue as quickly as possible.

The most difficult part of this diagnosis was that the error was so generic and wasn’t providing any relevant information as to what to look at. Exchange is a complicated and awkward piece of software at the best of times, so the problem was compounded by unsatisfactory logging of what was happening.

We were able to determine that the problem happened on both nodes of a cluster, so it looked likely that it was related to the database or even at a more granular level.

When dismounting databases to try and narrow down the issue, we noticed that when one particular database was dismounted that the problem went away. Sadly this meant a significant amount of downtime for the mailboxes on this affected database, particularly as we needed to obtain diagnostic information for Microsoft to investigate the problem, as it’s a fault that isn’t documented anywhere.

We narrowed the problem down to the moment a particular message (queued on one of our Hub Transport servers) was being delivered: that was when the mailbox server crashed. We deleted the item from the queue and everything started to work OK. It wasn’t long before the problem reoccurred. We could then correlate (using the wonderful tool that is PowerShell) that the second message causing a problem was scheduled to be delivered to the same mailbox as the first.

This indicated that the problem was common to one mailbox. We isolated that mailbox away from our production server to provide some stability to the thousands of other users that have mailboxes residing there. Once that mailbox was moved, the other mailboxes were fine, so it seemed as if the problem was really narrowed down.

We could reproduce the crash by replaying the problem message into the test system, so we were now at the stage where we could try and determine what it was about these two messages that caused the problem.

The problem seemed to be caused by some fault in a user’s rules. We had fortunately found the needle in the haystack and at the same time we were able to hopefully provide enough diagnostic information to Microsoft so they can thoroughly investigate why a problem with one user’s rules was enough to crash the entire server. That really is a big failing of Exchange.

One issue we noted was the user who had the problem mailbox was exclusively using Outlook 2003. If the user had moved to Outlook 2007, the problem would have been somewhat alleviated. Outlook 2007 alters the rules format.

It was an incredibly stressful couple of days and underlined the fact that email is a business critical system. We are still waiting to hear back from Microsoft, but should the problem reoccur, we should be much quicker in being able to diagnose the fault.

Time to move on from the Windows 7 Release Candidate

If you are still running Windows 7 RC (I’m sure a lot of people are because it was pretty darned stable), the time to move on is fast approaching.

From 15th February, warning messages will start, saying that from 1st March Windows 7 RC will shut down every 2 hours. You really want to be off the RC by then because you will lose any unsaved work.

If you continue to use the RC through the bi-hourly shutdowns, on 1st June 2010 the RC will cease to meet “genuine” Windows criteria and will not be able to download anything that checks whether the copy of Windows is genuine. You’ll also lose your wallpaper, but by that point that’s the least of your worries! 😉

I’ve still got one machine running the RC – that will change this weekend!

Launch of the Centre for Cybercrime and Computer Security

Tuesday 9th February is the EU’s Safer Internet Day, and the University’s recently formed Centre for Cybercrime and Computer Security is getting involved by hosting a half day event to raise awareness in order to protect young children from dangers on the internet. This will take the form of interactive workshops for parents and children.

This will be followed on Wednesday 10th February by the official launch event of the CCCS with a group of presentations on a range of topics including Counterfeiting, Internet Grooming, Gambling Websites and Security.

Both events will be held at St. James’ Park.

For more details, head over to http://cccs.ncl.ac.uk

UCISA-IG Service Availability Event

Just back (well last week – taken me a while to write up my notes) from the UCISA Infrastructure Group (UCISA-IG) event in Liverpool – “Service availability – is 24x7x365 really necessary?”. These notes are very rough but I’d rather get them out now while reasonably fresh.

This sort of event is always worthwhile not just because of the “formal” talks but also the chance to meet colleagues from other institutions and talk about common issues. Doing this face to face allows you to be a bit less discreet than you would be on a mailing list :->. Topics that came up in passing were account management systems (why does everyone seem to write their own?); how IT services are organised internally (by platform/by layer/at random) and the difference between working in a large IT service (where most people are specialists and much of what your colleagues do is a black (or at least grey) box) and a small organisation where the IT person is likely to do network/storage/desktop/servers/everything else (because there’s no-one else).

Whilst the event was interesting and useful I felt the title was a bit misleading – most of it was talking about DR and BC (Business Continuity) rather than whether universities need 24×7 services. My instincts are
1. Not everything needs the same level of availability
2. If more services were designed to use asynchronous communication and message queues we wouldn’t have to have such a broad shutdown of services on the (hopefully rare) occasions that we need to shut down one of the fundamental systems. To construct a concrete example: if a member of the University needs to update their address, does it matter whether the database change happens instantaneously, or is it OK if the change is made within half a day? The important thing is that they should be able to submit their change whenever is convenient (and that they get some feedback when it’s complete). Moving to reliable loose coupling should reduce our need for everything running all the time.
3. Some systems are intrinsically easy to make resilient. My favourite is mail relaying (not the complete mail service – just the pure relay). Because each transaction is independent and there’s a standard mechanism to distribute requests between servers (MX records) it’s easy – you just add more servers (though there was the problem with large MX sets and poorly configured remote systems – I think that hit us when we got to 10 entries in our MX list).

The opening session was David Teed talking through the processes you would use to set your recovery targets for services. Not everything needs to be recovered in 4 hours – working through a Business Impact Analysis (BIA) leads to an ICT Recovery Statement (what you’ll recover, how long it will take and what workarounds the business will use to cope in the meantime). This leads to a list of resource requirements and allows you to manage customer expectations and cost-justify solutions.
The idea is that you then invest to match the requirements exposed by the BIA (not going overboard on making things over-resilient – though you may do more if it brings other benefits). All very sensible, and if we haven’t done something like this already we should.

Next Adrian Ellison, LSE talking about working from home (WFH) as an item in the DR/BC toolbox.
Often a big part of the BC plan but there are (of course) issues. DR moved up LSE agenda after 7/7.

Alternative accommodation on the larger campus might be a better solution (as it maintains the face-to-face contact which is otherwise lost). As part of planning:
– allocate a suitable alternative for each critical activity (making sensible assumptions about loss of (access to) buildings).
– Reciprocal arrangements with neighbouring institutions may be a possibility.
– Not everyone can work from home (and some can’t do all of their jobs) – specialised equipment/other people.
– WFH isn’t sustainable for long.

To support WFH you need
– Resilient dual-path network with OOB access via 3rd party ISP (tested regularly)
– Robust DC strategy with resilience
– Likely that you’ll need to scale up remote access systems quickly. For Citrix etc will probably need extra licences
– Think about how you do remote support (LSE use LogMeIn Rescue)
– Separate VPN/remote access for IT staff?

Telephony – mobile networks may (will) become overloaded
Will need to divert key numbers to alternate locations (pre-arrange with supplier)
May be able to divert to external numbers (advanced IPT – “remote office”)

Remote learning – if lots of students are accessing rich content do we have bandwidth to cope (to halls?)

Information security is important but if you make things too difficult people will create their own workarounds which will be worse in terms of security.
Make clear that there is personal responsibility for security of data/systems under their control.
Managing people – motivation – all more difficult when remote – need f2f meetings (off-site)
Off-site working relies on trust

Talk from Oracle/Strathclyde about how the availability features of 11g can help with resilience. The idea of Automatic Storage Management (ASM), which (as I understood it) replicates data across multiple low-cost modular storage arrays, seems like a nice idea. Anything that helps us to move away from big, expensive boxes sitting in the middle of everything (and tending to be fussy eaters).
Active Data Guard (ADG) – replication of data – can use the replicated copy for read-only queries/BI etc. as well as a backup to use when the primary site fails (so that you’re getting some use out of the standby kit).

Talk by Adrian Jane, University of Plymouth, on how they use IPstor appliances to virtualise storage. These boxes sit between the real storage and the machines using the storage. This allows you to do mirroring, migration and similar without downtime and without changing the configuration on the clients. IPstor boxes are hardened Linux servers. They obviously need to be replicated (as all the storage traffic flows through them) and reasonably chunky (for the same reason). Plymouth are using something like HP 585 G6 quad CPU (6 core), 32G RAM, 4x 8Gb HBAs.
As well as the obvious advantages, there’s also the benefit of simpler client config – all the mirroring is done in the IPstor.

The last talk was Richard Smith, Sheffield Hallam University, about how they use VMware. They have moved further with VMware than we have – over 200 VMs (though I guess if we count up all of our Xen and VMware guests and add on all the Solaris zones for SAP we’d get a similar number). They run higher numbers of guests per host than us (50 as a matter of course, up to 120). VMotion allowed them to migrate services to a new data centre with no downtime.
Vsphere can now use HP’s iLO technology to power up extra servers to cope with peak loads (and I think to reset hardware that appears to be hung).
Nice feature was the use of template VMs for Terminal Services servers – this let SHU scale up their TS capacity very quickly to cope with extra load when large numbers of people worked from home because of the bad weather at the start of the year.

http://www.ucisa.ac.uk/gr…ailability.aspx

How to add the Quick Launch Toolbar to the Windows 7 taskbar

If you used it a lot in Vista and XP, you might miss the Quick Launch toolbar in Windows 7 as it’s disabled by default.

However, it’s easy to re-enable it:

Right-click on any space on the Taskbar at the bottom of the screen, and select Toolbars… New Toolbar… as shown here:

New Toolbar selection

In the folder field type (or copy and paste) the following:

%userprofile%\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch

Click Select Folder, and the Quick Launch bar will appear. You can alter the way the Quick Launch bar looks by right-clicking on it and opting to hide/show titles, enlarge/shrink icons, etc.

So, why isn’t there a Quick Launch bar in Windows 7 by default? Because it’s been replaced by more interactive, intelligent Taskbar features that should, in theory, make the Quick Launch bar redundant. That’s the theory anyway… There’s nothing to stop you having both the old ways and new ways of doing things though.

Troubleshooting Terminal Services (RDS) Client issues

This problem keeps coming up every now and then so I thought it would be good to document it. If you get licensing error messages when you connect to a Terminal Services session on a remote server then this might fix the problem (you might also get this error if you use the Remote Application Service (RAS) here at Newcastle).

Open regedit

Create a backup of the MSLicensing registry key and its subkeys on the client, and then remove the original key and subkeys by doing the following:

1. On the client, navigate to the following registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSLicensing.
2. Click MSLicensing.
3. On the Registry menu, click Export Registry File.
4. In the File name box, type mslicensingbackup, and then click Save.
5. If you need to restore this registry key in the future, double-click mslicensingbackup.reg.
6. On the Edit menu, click Delete, and then click Yes to confirm the deletion of the MSLicensing registry subkey.
7. Close Registry Editor, and then restart the computer.
When the client is restarted, the missing registry key is rebuilt.
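The same reset scripted, as an added example that is not part of the original post: it exports the key exactly as steps 3–4 do, refuses to delete anything unless the backup file was written, then removes the key (step 6). The backup directory is an assumption; run it from an elevated prompt.

```powershell
# Added example (not from the original post): back up HKLM\SOFTWARE\Microsoft\MSLicensing,
# verify the backup, then delete the key and its subkeys, as in steps 1-7 above.
# Assumption: $BackupDir is writable and the shell is elevated.
param([string]$BackupDir = "$env:USERPROFILE\Desktop")

$key    = 'HKLM:\SOFTWARE\Microsoft\MSLicensing'     # provider path for Test-Path/Remove-Item
$regKey = 'HKLM\SOFTWARE\Microsoft\MSLicensing'      # reg.exe wants the short hive name
$backup = Join-Path $BackupDir 'mslicensingbackup.reg'

if (-not (Test-Path $key)) {
    Write-Warning "$key does not exist; nothing to reset (the client rebuilds it on next use)."
    return
}

# Steps 3-4: same .reg format as regedit's Export Registry File; /y overwrites an old backup
reg.exe export $regKey $backup /y | Out-Null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $backup) -or (Get-Item $backup).Length -eq 0) {
    throw "Backup to $backup failed; the key has NOT been deleted."
}
"Backed up $key to $backup (step 5: restore later by double-clicking the .reg file)."

# Step 6: delete the key and its subkeys only after the backup has been confirmed
Remove-Item -Path $key -Recurse -Force
"Deleted $key. Restart the computer (step 7); the key is rebuilt on the next RDP connection."
```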

It’s probably also worth checking to make sure you have the RDP 7 client installed, see http://blogs.msdn.com/rds/archive/2009/10/28/announcing-the-availability-of-remote-desktop-connection-7-0-for-windows-xp-sp3-windows-vista-sp1-and-windows-vista-sp2.aspx (we rolled this out on campus at the end of 2009).

Introducing North East Bytes (NEBytes) a new Microsoft Usergroup for the North East of England

We are pleased to announce a new User Group in the North East of England, based around Microsoft technologies: North East Bytes (NEBytes). We have decided to start this group in order to help Developers and IT Pros in the community with the constant battle to learn, stay current and broaden their knowledge.

North East Bytes (NEBytes)

We run monthly meetings every third Wednesday of the month (except on the second Wednesday in December – to allow time for Christmas parties and shopping!) on the Newcastle University campus. Each meeting consists of two one hour presentations (one Developer topic and one IT Pro topic) and we have refreshments, food, giveaways and prizes.

Attendance at our meetings is completely FREE!! The venue is kindly provided by the University, our speakers kindly give their time for free, and the organisers give their time for free to organise the events. We provide refreshments and hot food; all we ask is that if you would like to partake in the hot food, you make a small donation towards the cost via the open contribution box at each meeting.

Our Launch Event is to be on Wednesday 20th January 2010 (from 6pm), we are delighted to have Mike Taulty visiting to cover Silverlight and James O’Neill to cover Hyper-V, and we’re teaming up with the SharePoint User Group UK to bring an overview of SharePoint 2010 too! We are really looking forward to this great event and hope to see lots there to help us celebrate our launch!

Head over to NEBytes.net for more details.