Switch between named SQL Server instances without changing the connection string

SQL Server allows installing multiple copies and multiple versions on the same machine as “named instances”. These are accessed locally with the name “(local)\<instance>” or “.\<instance>” or “localhost\<instance>” where <instance> is the name of the named instance. You can also install exactly one server as the “default” instance which doesn’t require a name. You just connect to (local).

If you want to switch your app between these, you have to change the connection string to the different instance names. It also means that everyone on your team has to use the same instance names or go through some other contortions to isolate the configuration file from source control.

If you aren’t using a default instance, you can make one of the named instances respond to the syntax of a default instance in a connection string. The trick is to use the SQL Configuration Manager to enable TCP/IP on one of your named instances and further configure that instance to accept connections on TCP port 1433.

When you want to switch between instances, you change which of your SQL Server named instances is listening on TCP 1433.
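An added check, not part of the original post: after flipping the port in Configuration Manager, confirm which instance actually holds TCP 1433 (the instance service must be restarted for a port change to take effect, and only one instance can bind 1433 on a given address). The function name and the default port parameter are my own.

```powershell
# Added example: map whatever is LISTENING on TCP 1433 back to its Windows
# service so you can see which SQL Server instance won the port.
function Get-SqlInstanceOnPort {
    param([int]$Port = 1433)
    $seen = @{}
    foreach ($line in (netstat -ano -p tcp)) {
        # Typical line:  TCP    0.0.0.0:1433    0.0.0.0:0    LISTENING    1234
        if ($line -match "^\s*TCP\s+\S+:$Port\s+\S+\s+LISTENING\s+(\d+)\s*$") {
            $procId = [int]$matches[1]
            if ($seen.ContainsKey($procId)) { continue }   # IPv4 and IPv6 rows share a PID
            $seen[$procId] = $true
            # SQL Server registers as MSSQLSERVER (default instance) or MSSQL$<name>,
            # so the service Name tells you which instance is answering.
            Get-WmiObject Win32_Service -Filter "ProcessId=$procId" |
                Select-Object @{n='Port';e={$Port}}, ProcessId, Name, DisplayName
        }
    }
}

Get-SqlInstanceOnPort
```

If nothing is returned, no instance is listening on the port yet; check that TCP/IP is enabled for that instance and that its service was restarted.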

[screenshot: sql-config-mgr]

Microsoft: When you have a DVD with room, please bundle your dependencies

I just started an install of Expression Studio 4 from the gold DVD ISO.

Annoyingly, Expression Studio 4 requires .NET Framework 4.0 but—unlike Visual Studio 2010—Expression Studio doesn’t actually bundle the installer for .NET Framework 4.0.

[screenshot: download-netfx4]

Arg! The download is huge.

[screenshot: netfx4-setup]

This approach would make total sense if Expression Studio were actually installed over the net, but it isn’t. I have a DVD image and it’s only 40% full. I wonder if most installation scenarios assumed that Visual Studio 2010 would be installed first? I don’t know, but if you want to avoid the extra download time for .NET FX 4.0, install Visual Studio 2010 before Expression Studio 4.0.

Painless NVidia Boot Camp Update on MacBook Pro

NVidia has recently WHQL certified “verde” notebook drivers: 258.96. In the past, drivers from NVidia have refused to install without hacking the INF or waiting for a boot camp update, which happens about once a year.

This time, though, the drivers installed happily with no complaint. Woot!

I also grabbed the latest NForce drivers which contain Ethernet, SMBus and Away Mode drivers for my 2009 MacBook Pro Unibody. The SMBus and Away Mode drivers are related to power management. Who knows, maybe they will improve my battery life.

[screenshots: nvidia-ver, devmgmt-ver]

Online Billing Scary Error

I went to my Vodafone Ghana online billing login and got a big fat scary error:

[screenshot: cert-expired]

The SSL certificate is expired. It expired over a month ago:

[screenshot: cert-expired-detail]

Now, there’s really not much of a problem here. The certificate is perfectly able to encrypt my connection to the server and it identifies the server as belonging to vodafone.gh. It’s just out of date. Embarrassing for Vodafone but it is actually safe for me to continue.

This is exactly the sort of wolf-crying that teaches people to ignore security warnings that computers throw up. To a normal human that just wants to complete a task, the big red screen looks an awful lot like “Blah, blah, blah, click the ‘Proceed’ button if you want to get your bills paid.”

Cormac Herley has a great paper on the rational rejection of security advice by users, where he notes that “fully 100% of certificate error warnings appear to be false positives.” The gist of Herley’s argument is that the burden of understanding and implementing good e-security may not be worth it to people in a rational cost-benefit trade-off of the perceived risk versus the value of their time and pain.

Mitigate Stuxnet with Least Privilege and AppLocker

There is a lot of concern about the LNK (shortcut) vulnerability which exists in all current versions of Windows. Basically, viewing a malicious link file or favicon in a web site will cause Windows to execute the malicious code, which can be hosted remotely on an SMB network or a WebDAV server on the Internet. The vulnerability is actively being exploited by very sophisticated bad guys and there is no patch available, yet.

So what can be done to mitigate the risk in lieu of a patch?

Microsoft has a “Fixit” solution that involves disabling Windows’ ability to load icons resources on shortcuts. This solution basically makes Windows unusable because all icons in the Start menu and task bar become generic white documents.

The other recommendation is disabling the WebClient service but this breaks integration with Sharepoint and other services based on WebDAV.

I’m not sure why it isn’t being recommended by Microsoft but the AppLocker feature of Windows 7 should provide a robust mitigation without these side-effects.

AppLocker is a policy technology which allows an administrator to define which executables are allowed to run on a computer. The rules can be based on any combination of trusted paths, file names, publisher signatures and cryptographic hashes of files.

Least Privilege

The first step, though, is to make sure that your day-to-day account is not an Administrator. UAC is not really a security boundary. If you are an Administrator it is a warning system to be careful but nothing more. If you are a non-administrator it works to elevate your rights to perform administrative tasks. If your account is in the Administrators group, create another account or enable the built-in Administrator account and remove yourself from the Administrators group.

For example, my main system—which is not joined to a domain—has only the Administrator in the Administrators group. (Be sure to create yourself an administrator account before removing your main account from Administrators or you will lock yourself out of your machine.)

Without Administrator-level privileges, most worms—including the Stuxnet worm exploiting the Windows LNK vulnerability—will fail to deliver their payload. That’s because they usually try to install a rootkit, which means installing drivers, which requires Administrator privileges. If your account doesn’t have those privileges, code running as you can’t compromise the OS that way.

Trusted Apps with AppLocker

As worms become more sophisticated, they may find ways to do their work without requiring Administrator privilege. Certainly, Administrator privilege isn’t required in order to steal your personal data because your account has access to personal data. This is where AppLocker comes in. AppLocker creates a concept of trusted applications. Only trusted applications are allowed to run. The default ruleset is pretty good. It simply says that normal users can only execute programs in the Windows directory or the Program Files directory. Those directories have permissions set on them so that only Administrators can put files in there. Hence the applications installed there are trusted.

In order to configure AppLocker, you first need to start the “Application Identity” service and set it to start automatically.

Next use the local security policy editor to configure AppLocker. If you are running as a non-admin, the command-line is this:

runas /user:Administrator "mmc secpol.msc"

Or you can search for “Local Security Policy”, right-click and choose Run as Administrator from the menu. (If you are running as a non-admin, you have to provide a password or smart card for the administrator-level account.)

[screenshot: create-default-rules]

Navigate to Security Settings | Application Control Policies | AppLocker | Executable Rules. Right-click on Create Default Rules. AppLocker will generate the reasonable set of defaults that I described above.

Unfortunately a few useful applications don’t install themselves in Program Files. For example, Google Chrome installs itself on a per-user basis in the application data folder structure of each user. I believe the primary reason it does this is to be able to silently update itself on a least-privilege machine. It also makes it possible for users to install it in an enterprise environment where users don’t have administrator privileges. With the default AppLocker settings, Chrome will be blocked from running.

If you want to run Chrome, the simplest solution is to trust the Google signing key and allow any applications published by Google to run.

Right-click on Executable Rules. Choose Create New Rule… Click “Next” through all the screens until you get to the screen asking to browse for an executable. For this purpose, any binary signed by Google will do but I’m going to use chrome.exe. For me, chrome.exe lives in

C:\users\breiter\AppData\Local\Google\Chrome\Application\chrome.exe.

After selecting Chrome.exe, slide the selector up to Publisher and click next until you are allowed to choose create.

[screenshot: publisher]

Now we are trusting Google not to let someone steal their signing certificate and do something bad with it. Chrome runs and so do any other executables signed by Google.

Also, anything installed in C:\Program Files or C:\Program Files (x86) or C:\Windows runs.

Windows won’t let any other executables run.

This posture should completely mitigate the Stuxnet attacks because no untrusted code is ever allowed to run.
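The same setup done from PowerShell, as an added example that is not part of the original post: it uses the AppLocker module that ships with Windows 7 (Application Identity service, Publisher rule from chrome.exe, merge into the local policy, then test the effective policy). The path in $probe is a placeholder you must point at a real unsigned executable; everything else is standard cmdlet usage. Run it from an elevated PowerShell session.

```powershell
# Added example: scripted equivalent of the secpol.msc steps, so the resulting
# rule can be reviewed as XML and tested before anything is enforced.
Import-Module AppLocker

# Step 1: AppLocker is inert unless the Application Identity service (AppIDSvc) runs.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# Step 2: build a Publisher rule from a Google-signed binary. Any Google-signed
# file will do; chrome.exe lives under each user's profile, so resolve it from
# the environment instead of hard-coding a user name.
$chrome = Join-Path $env:LOCALAPPDATA 'Google\Chrome\Application\chrome.exe'
$policy = Get-AppLockerFileInformation -Path $chrome |
    New-AppLockerPolicy -RuleType Publisher -User Everyone `
        -RuleNamePrefix 'Google' -Optimize

# Review the generated rule (publisher, product, binary name, version range)
# before applying it. This XML is also what you would keep in source control
# or distribute through Group Policy.
$policy.ToXml()

# Step 3: merge with the existing local policy rather than replacing it, so the
# default Program Files / Windows rules created earlier survive.
Set-AppLockerPolicy -PolicyObject $policy -Merge

# Step 4: check decisions against the *effective* policy. Every path given to
# Test-AppLockerPolicy must exist; $probe stands in for an unsigned executable
# outside Program Files that you expect to be denied.
$probe = Join-Path $env:LOCALAPPDATA 'SomeTool\unsigned.exe'   # placeholder path
$effective = Get-AppLockerPolicy -Effective
Test-AppLockerPolicy -PolicyObject $effective -Path $chrome, $probe -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
```

Expect chrome.exe to report Allowed with the Google publisher rule as MatchingRule and the probe to report Denied; if chrome.exe is denied, the Application Identity service or the merge did not take.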

Developers

AppLocker creates a problem for developers that want to run as a limited-rights user. They won’t be able to execute and debug binaries that they compile!

This problem should primarily affect people creating directly executable code. Dynamic code (perl, python, ruby, vbscript, powershell script, etc.) executed by a trusted interpreter will work, as will Java class and jar files because they are executed by java.exe or javaw.exe.

The issue is really directly executable Portable Executable (PE) binaries. It doesn’t matter if they are native or managed binaries. AppLocker won’t let them run.

The solution is straightforward. You have to relax the policy enough so that developers can work. The risk is that developers will execute stuff that they shouldn’t or some malware will leverage the knowledge of the location of the developer sandbox. It’s a risk you have to accept.

Put all of your source code into a directory tree and create a rule in AppLocker to allow any executables in there to run. For example, you could create a Developers security group and a “C:\source\*” directory. Grant Administrators and System “Full Control” and grant Developers “Modify” on C:\Source. In AppLocker grant Developers the right to execute on “C:\Source\*”.

Limitations

Unfortunately the biggest limitation is that AppLocker is only available in Windows 7 Enterprise and Ultimate or any version of Windows Server 2008 R2.

EDIT

Amazon Kindle for PC also installs itself into %localappdata%. Cisco’s WebEx installs itself into the “all users” application data directory (%allusersprofile%). They need AppLocker publisher exclusions in order to run.

MSE v2 Command-Line Scanning

Microsoft Security Essentials (MSE) 2.0 adds single-file scanning to its command-line interface.

MpCmdRun.exe is the command-line interface to MSE.

(Note that MSE has moved from “C:\Program Files\Microsoft Security Essentials” to “C:\Program Files\Microsoft Security Client”. And MpCmdRun.exe has moved to a subdirectory called Antimalware.)

In MSE v1, MpCmdRun was conspicuously missing an option to scan a file from a command line but the problem is rectified in MSE v2 beta.

[screenshot: mpcmdrun-filescan]

The file scanning is a new sub-option of the -Scan argument.

-Scan [-ScanType value]
    0  Default, according to your configuration
    1  Quick scan
    2  Full system scan
    3  Single file custom scan

       [-File ]
            Indicates the file path to be scanned, only valid for custom scan

       [-DisableRemediation]
            This option is valid only for custom scan.
            When specified:
              - File exclusions are ignored.
              - Archive files are scanned.
              - Actions are not applied after detection.
              - Event log entries are not written after detection.
              - Detections from the custom scan are not displayed in the user
                interface.

The usage is slightly awkward. It requires specifying -Scan -ScanType 3 -File <filename>.

A simple PowerShell function or a batch file hides the awkwardness:

Powershell

function Scan-File( $file )
{
    # MSE v2 moved MpCmdRun.exe into the Antimalware subdirectory
    $exe = Join-Path $env:ProgramFiles "Microsoft Security Client\Antimalware\MpCmdRun.exe"
    # ScanType 3 is the single-file custom scan
    & $exe -Scan -ScanType 3 -File $file
}

Batch

@echo off
setlocal
rem Put the MSE v2 directory on the path for this session only
set path=%programfiles%\Microsoft Security Client\Antimalware;%path%
rem %~1 strips any quotes so the path can be re-quoted safely if it contains spaces
MpCmdRun.exe -Scan -ScanType 3 -File "%~1"

Niftier PowerShell integration is possible by extending the work of the Scripting Guy’s Invoke-SecurityEssentials.ps1 script for MSE v1.0.

Security Essentials v2.0 on Windows Server

Microsoft released a beta of Microsoft Security Essentials (MSE) version 2.0 on July 20. The major new advertised feature is that it integrates with the Windows Filtering Platform (WFP) on Windows Vista and later to provide real-time network traffic inspection.

What they didn’t mention is that MSE 2.0 will install and run on Windows Server platforms. I suspect their target market here is Windows Home Server but it doesn’t seem to be picky.

I hope this feature stays in the final product. It makes sense to be able to protect servers as well as the client OS. MSE is a great option for SMEs and home users—any organization that is too small to make use of the centralized monitoring and management capabilities of a product like Forefront. It also might make sense for some bastion hosts.

MSE 2.0 beta x64 installed happily on my Mac Mini running Windows Server 2008 R2 Standard x64.

[screenshot: msev2-win2k8r2]
