May 2006

May Security Vulnerabilities

Earlier this week, Microsoft released a couple of patches on its standard monthly schedule.  These patches are designed to plug a couple of critical security flaws, including what appears to be a very serious problem with Microsoft Exchange Server.

The two Windows flaws are not terribly serious, in my opinion.  One, MS06-020, is rated “Critical” and plugs a problem with the Flash player.  So, technically, this isn’t a problem with Windows but with Flash, and Adobe has released a security bulletin as well.  The second, MS06-018, fixes a flaw with the Distributed Transaction Coordinator (DTC).  This flaw can only cause a Denial of Service (DoS) condition and can be blocked at perimeter firewalls (but this, of course, won’t protect against internal threats).

Other related security advisories:
Secunia:  Microsoft Distributed Transaction Coordinator Two Vulnerabilities
Secunia:  Microsoft Windows Flash Player Code Execution Vulnerabilities

However, it is the Microsoft Exchange Server vulnerability, MS06-019, that is more troubling.  Remotely exploitable via anonymous connections (such as SMTP), this exploit is ripe for an automated worm.  What’s worse, typical perimeter firewall protections won’t help and no user intervention is required.  Simply getting spammed may be sufficient to affect your server!  This is one patch to get installed as quickly as possible (after appropriate testing has occurred, of course).

Read the Secunia advisory on the Exchange flaw here.

Also, a third party has uncovered an additional flaw in Windows that has not yet been patched.  This vulnerability affects compiled Help files (see more detailed information).  This one requires user intervention, so isn’t quite as likely to spread via a worm.

Linux Wi-Fi

Wi-Fi on Linux is about to get much better, thanks to the release of an advanced Wi-Fi driver stack to the Linux community under the GPL.

As reported by eWeek (here’s the full article) and LinuxDevices.com (read the full article), Devicescape has released their advanced Wi-Fi driver stack under the GPL (read the press release) in order to speed the adoption of Linux-based Wi-Fi devices.  Having wrestled with Wi-Fi support on Linux on more than a few occasions, I can attest to the difficulty of trying to get online with a less-than-perfectly-supported Wi-Fi card.

If you’re lucky enough to have a Wi-Fi card that is fully supported by the Linux distribution of your choice, then great.  Unfortunately, that list of supported Wi-Fi cards is rather slim, and excludes a great many of the retail cards available to consumers.  Horror stories abound regarding trying to get a retail Wi-Fi card working under Linux, and these are the stories that prevent ordinary people from being willing to give Linux a try.

Hopefully, the inclusion of this new technology into mainstream Linux distributions will vastly improve Wi-Fi support on Linux and help continue to drive the adoption of Linux across business and consumer segments.

<aside>You may be wondering why I’m pushing for greater adoption of Linux.  Microsoft does its best work when it’s faced with great competition.  For quite a while now, there hasn’t been a serious competitor to Windows, and so Windows has lagged a bit (OK, perhaps more than a bit).  A stronger and more vital Linux would give Microsoft the competition it needs to perform better.  In addition, I believe that increased choice in operating systems can only lead to good things.</aside>

The issue I described in my original post regarding upgrading the schema to support Windows Server 2003 R2 as a domain controller is getting more attention.

Jorge de Almeida Pinto, a Windows Server MVP, has created his own blog entry about the need to use ADPrep.exe from the second CD, and has also pointed out that Microsoft has created a Knowledge Base article about the problem as well:

Error message when you run the Active Directory Installation Wizard: “The version of the Active Directory schema of the source forest is not compatible with the version of Active Directory on this computer”
<http://support.microsoft.com/?kbid=917385>

Have a look at Jorge’s full weblog entry, as he lists some other helpful information as well.

Krystal Meyers

I’ve been meaning to write about this young Christian rock artist for a while now, but keep forgetting.  Finally, here it is.

I picked up Krystal Meyers’ debut self-titled CD a few months ago from Sound and Spirit (one of the BMG Music clubs—you know, where they send you constant reminders to buy CDs from them and then ship them to you the instant you forget to tell them you don’t want them).  I initially bought it just for fun; I had never heard of Krystal Meyers and wasn’t entirely sure I would even like the music.  Worst case scenario, I could give the CD to one of my kids.

I was in for a surprise.  The music is really good.  This is one of my favorite CDs already, and I’m looking forward to hearing the next album.  If you’re looking for a good message grounded in the Gospel but wrapped in great-sounding rock music, this album is a good choice.

Krystal Meyers’ website is here.

Another interesting thread on the microsoft.public.windows.server.general newsgroup has turned up an issue with running Windows Server 2003 R2 as a member server.

First of all, many thanks to Jabez Gan, a Windows Server 2003 MVP, for his assistance in clearly defining the scope of this situation.  Jabez Gan’s weblog is found at http://www.msblog.org/.

It would seem that if you are going to deploy Windows Server 2003 R2 as a member server in a domain that is not running Windows Server 2003 R2 as domain controllers, there are still times when the Active Directory schema must be upgraded.  This is a bit unusual, since the addition of newer versions of Windows Server to a domain has typically not required this (think of adding Windows 2000 to a Windows NT domain, or adding Windows Server 2003—not R2—to a Windows 2000-based Active Directory domain).

So, the Active Directory schema will have to be extended if you are planning on deploying any of the following services on a Windows Server 2003 R2-based member server and you are not running Windows Server 2003 R2 on the DCs:

  • DFS Replication
  • Print Management Console
  • File Server Resource Management

Jabez also mentioned UNIX Identity Management, but it seems like that can only be deployed on domain controllers anyway (that’s definitely true for Server for NIS).  However, in the event that UNIX Identity Management can be deployed to member servers, that will require a schema extension as well.

In summary, if you are planning on deploying some of the newer features of Windows Server 2003 R2 in a domain that is not running Windows Server 2003 R2 on the domain controllers, you may have to extend the Active Directory schema anyway.  Be sure to plan and prepare accordingly.

Thinking About Open Source

Reading about the “Vulnerability Discovery and Remediation Open Source Hardening Project”—a security audit funded by the Department of Homeland Security to regularly review popular open source software (this article has more information)—got me thinking.

The article that sparked my thinking discussed how a critical flaw had been discovered in the X Window System.  This flaw was described as one of the most serious flaws uncovered to date.  The flaw was corrected quickly, as is typical of most open source projects, but it wasn’t really the flaw itself or the quick response to the flaw that really got to me.  Instead, it was the fact that someone was even able to search for such flaws.

The war-cry for open source proponents has always been, “Our software is more secure because more people have seen the code and reviewed it.”  Until now, I wasn’t so sure about that argument; after all, how many people were like me?  People who loved the projects, supported them in whatever way they could, but aren’t developers?  An ordinary guy like me can’t contribute anything significant to an open source project because I don’t know C, C++, C#, Java, Objective-C, or anything else.  The fact that I could review the code, until now, didn’t really do me any good.  Or so I thought.

Perhaps I’m just coming late to the party.  Perhaps it’s the involvement of the government, using my tax dollars, that has driven the idea home.  Either way, now I see that the very right to review the source code is what makes open source projects so powerful in comparison with closed source software.  As this DHS-sponsored project pores over millions of lines of code to find obscure bugs like the one described above, everyone (even Windows users) benefits.  As security flaws, buffer overflows, etc., are corrected in software packages such as Apache (which runs the majority of web sites on the Internet, last I checked), FreeBSD, the Linux kernel, MySQL, the Internet and our own private networks become more secure, more protected, and less likely to be used in attacks against others.  This is what the open source proponents have been so excited about, and why support for open source software is so strong.

This doesn’t mean that open source projects are automatically “more secure,” nor does it mean that we should all eschew all forms of commercial software in favor of open source equivalents.  But it does mean that we do need to strongly consider open source equivalents, especially the high-profile ones, when developing solutions for customers.  In my opinion, it would be a disservice otherwise.

Mark one up for cross-platform standards:  the OpenDocument format, an XML-based file format originally derived from work on OpenOffice.org (and Sun’s StarOffice) has been officially approved as an ISO standard.

There are numerous announcements of the approval—this eWeek article, which initially alerted me; this press release at the OpenOffice.org web site; and this blog entry by Andy Updegrove, a participant in the standardization committees.

Of course, Microsoft continues to push its Open XML format as an alternative to ODF.  The push for ODF was never really about taking power away from Microsoft, though; it was really about moving documents and records and information into a format that isn’t controlled by a single vendor.  With ODF as an ISO/IEC standard (and likely to see much broader adoption now as a result), organizations don’t have to worry about changes in file formats suddenly wreaking havoc with years of accumulated documents.  If the application(s) they use with ODF are Microsoft Office, StarOffice, KOffice, or OpenOffice, who cares?  It’s not really about the application, it’s about the data.

I’m reasonably familiar with Linux/Unix permissions, so this isn’t really hard to understand for me, but I’m going to post this information anyway for those of you that may not be as familiar with Linux/Unix-based permissions and how they affect the ESX Server MUI.

The Linux/Unix permission structure is defined in the following way. There are three permissions:  read, write, and execute.  These three permissions may be granted to three entities:  user, group, or others.  You’ll see them listed in the directory listing as “rwxr-xr-x”; this is decoded in the following way:

  • The first “rwx” is for the user (i.e., the owner of the file), and it specifies that the owner has read, write, and execute permissions.
  • The second “r-x” is for the group assigned to the file, and this specifies that members of the group have read and execute permissions.
  • The third “r-x” is for others (i.e., everyone who is not the owner and is not in the group), and again states that all others have read and execute permissions.

You’ll also see the permissions written in a numeric format, especially when in combination with the chmod command.  For example, the “rwxr-xr-x” permissions described earlier would have a numeric equivalent of 755.  This number is calculated as r=4, w=2, x=1, so “rwx” equals 7, and “r-x” equals 5.

How do these permissions affect the VMware MUI?  The permissions on the VMware configuration file (the file ending in .vmx) control what operations will be permitted in the MUI.  For example, if a user does not have write permissions to the VMX file, then the commands in the MUI change from “Configure Hardware” to “View Hardware”.  In order to grant someone the permission to modify a virtual machine, their user account must have the appropriate permissions on the VMX file.  This can be accomplished by changing the group on the VMX file (say, to something like “vmops” or “vmadmins”) and then adding write permissions for the group.

This would be accomplished using the following commands:

chown user:vmops vmachine.vmx
chmod g+w vmachine.vmx

Of course, you would substitute the appropriate user and group names for “user” and “vmops”.
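To make the decoding above concrete, here is a small Python script (an added example, not code from the original post or from VMware) that turns an “rwxr-xr-x” string into its numeric form, applies the effect of chmod g+w, and then decides which menu the MUI would show an account based on the ownership and mode of the VMX file.  The file mode, the owner and group names, and the “alice” account with its “vmops” membership are constructed sample values.

```python
"""Decode rwx permission strings, compute their octal form, and work out whether
an account would get write access to a VMX file (and therefore 'Configure
Hardware' rather than 'View Hardware' in the MUI).

Added example, not from the original post: it models the chown/chmod steps
described above in pure Python so their effect can be checked before touching
a real file. The file mode, owner, group and account names are constructed."""

from __future__ import annotations

BITS = {"r": 4, "w": 2, "x": 1}


def decode_mode(mode: str) -> tuple[int, int, int]:
    """'rwxr-xr-x' -> (7, 5, 5): each triplet is summed as r=4, w=2, x=1."""
    if len(mode) != 9:
        raise ValueError(f"expected a 9-character rwx string, got {mode!r}")
    values = []
    for start in (0, 3, 6):
        triplet = mode[start:start + 3]
        value = 0
        for ch, expected in zip(triplet, "rwx"):
            if ch == "-":
                continue
            if ch != expected:
                raise ValueError(f"bad character {ch!r} in triplet {triplet!r}")
            value += BITS[ch]
        values.append(value)
    return values[0], values[1], values[2]


def to_octal(mode: str) -> str:
    """'rwxr-xr-x' -> '755', the form used with chmod."""
    return "".join(str(v) for v in decode_mode(mode))


def encode_mode(user: int, group: int, other: int) -> str:
    """(7, 5, 5) -> 'rwxr-xr-x'; inverse of decode_mode."""
    return "".join(
        "".join(ch if value & bit else "-" for ch, bit in BITS.items())
        for value in (user, group, other)
    )


def apply_g_plus_w(mode: str) -> str:
    """Effect of `chmod g+w` on a symbolic mode: set the write bit of the group triplet."""
    user, group, other = decode_mode(mode)
    return encode_mode(user, group | BITS["w"], other)


def can_write(mode: str, owner: str, group: str, account: str, account_groups: set[str]) -> bool:
    """Pick the triplet that applies to `account` (owner first, then group
    membership, then others) and report whether it grants write."""
    user_bits, group_bits, other_bits = decode_mode(mode)
    if account == owner:
        applicable = user_bits
    elif group in account_groups:
        applicable = group_bits
    else:
        applicable = other_bits
    return bool(applicable & BITS["w"])


def mui_action(mode: str, owner: str, group: str, account: str, account_groups: set[str]) -> str:
    """Menu label the post says the MUI shows for the .vmx file."""
    if can_write(mode, owner, group, account, account_groups):
        return "Configure Hardware"
    return "View Hardware"


if __name__ == "__main__":
    # Constructed scenario: vmachine.vmx owned by root:root, mode rw-r--r--,
    # and an operator 'alice' who is a member of the 'vmops' group.
    mode, owner, group = "rw-r--r--", "root", "root"
    print(to_octal(mode), mui_action(mode, owner, group, "alice", {"vmops"}))
    # Equivalent of: chown root:vmops vmachine.vmx ; chmod g+w vmachine.vmx
    group = "vmops"
    mode = apply_g_plus_w(mode)
    print(to_octal(mode), mui_action(mode, owner, group, "alice", {"vmops"}))
```

Note that only the group triplet changes (644 becomes 664); “others” still cannot write, which is the point of using a dedicated group rather than chmod o+w.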

Hopefully, this information will be helpful to those of you that are new to the Linux/Unix platform (upon which the console operating system for VMware ESX Server is based).

Having successfully mapped out the steps for Linux/Unix-based hosts to authenticate against Active Directory on Windows Server 2003 R2 (get the complete details), I now turned my sights toward integrating authentication on ESX Server 2.5.3 with Active Directory as well.

Using instructions found in this technical white paper from VMware’s web site, I started out by modifying the /etc/krb5.conf file, which controls the operation of the Kerberos libraries in the Console Operating System (COS). The contents of the /etc/krb5.conf file should look something like this:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = EXAMPLE.NET
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 EXAMPLE.NET = {
  kdc = addc01.example.net:88
  admin_server = addc01.example.net:749
  default_domain = example.net
 }

[domain_realm]
 .example.net = EXAMPLE.NET
 example.net = EXAMPLE.NET

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[pam]
 debug = false
 ticket_lifetime = 36000
 renew_lifetime = 36000
 forwardable = true
 krb4_convert = false

As you may already be aware, you can change the “dns_lookup_realm” and “dns_lookup_kdc” directives to true and omit the “[realms]” section, assuming that your Active Directory DNS infrastructure has the properly registered SRV records for the domain controllers.

The VMware white paper then instructed to modify the /var/kerberos/krb5kdc/kdc.conf file, but I had never performed any edits to that file in my earlier experiments, so I decided to forgo that step.  It is my understanding that this file controls the behavior of a Key Distribution Center (KDC), which the COS is not (in this instance, the KDC is the Active Directory domain controller).
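Since two of the three test failures below came down to name resolution and clock skew, here is a small Python pre-flight script (an added example, not code from the original post or from VMware’s white paper) that parses a krb5.conf file, including the nested “{ }” blocks in [realms], reports where the libraries will look for the KDC, and checks whether the clock difference between the ESX Server and the domain controller is within the Kerberos limit.  The embedded configuration is a constructed copy of the sections shown above; the clock readings are made up, and the 300-second default skew is MIT Kerberos’ clockskew default.

```python
"""Parse the krb5.conf profile format and run two pre-flight checks for the
Kerberos-against-Active-Directory setup described above: where the libraries
will look for the KDC, and whether the clock skew is within Kerberos' limit.

Added example, not from the original post or VMware's white paper. The
embedded config is a constructed copy of the [libdefaults], [realms] and
[domain_realm] sections shown above; the clock readings are made up."""

from __future__ import annotations

import re

SAMPLE_KRB5_CONF = """\
[libdefaults]
 ticket_lifetime = 24000
 default_realm = EXAMPLE.NET
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 EXAMPLE.NET = {
  kdc = addc01.example.net:88
  admin_server = addc01.example.net:749
  default_domain = example.net
 }

[domain_realm]
 .example.net = EXAMPLE.NET
 example.net = EXAMPLE.NET
"""

_SECTION = re.compile(r"^\[(\S+)\]$")
_PAIR = re.compile(r"^(\S+)\s*=\s*(.*)$")


def parse_krb5_conf(text: str) -> dict:
    """Turn [section] / key = value / key = { ... } into nested dicts.
    A key repeated inside one block (for example several kdc lines) becomes a list."""
    conf: dict = {}
    stack: list[dict] = []          # innermost block last
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = _SECTION.match(line)
        if m:
            conf.setdefault(m.group(1), {})
            stack = [conf[m.group(1)]]
            continue
        if not stack:
            raise ValueError(f"key outside any section: {line!r}")
        if line == "}":
            if len(stack) < 2:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        m = _PAIR.match(line)
        if not m:
            raise ValueError(f"cannot parse line: {raw!r}")
        key, value = m.group(1), m.group(2).strip()
        if value == "{":
            sub: dict = {}
            stack[-1][key] = sub
            stack.append(sub)
            continue
        block = stack[-1]
        if key in block:
            old = block[key]
            block[key] = old + [value] if isinstance(old, list) else [old, value]
        else:
            block[key] = value
    if len(stack) > 1:
        raise ValueError("unterminated '{' block")
    return conf


def kdc_source(conf: dict) -> tuple[str, list[str]]:
    """Where the library will find the KDC for the default realm: the explicit
    [realms] entry, or a DNS SRV lookup when dns_lookup_kdc is true."""
    libdefaults = conf.get("libdefaults", {})
    realm = libdefaults.get("default_realm")
    if realm is None:
        raise ValueError("no default_realm in [libdefaults]")
    kdcs = conf.get("realms", {}).get(realm, {}).get("kdc", [])
    if isinstance(kdcs, str):
        kdcs = [kdcs]
    if kdcs:
        return "static", kdcs
    if libdefaults.get("dns_lookup_kdc", "false").lower() == "true":
        # This is the SRV record AD registers for its domain controllers.
        return "dns", [f"_kerberos._udp.{realm}"]
    raise ValueError(f"no kdc configured for {realm} and dns_lookup_kdc is not enabled")


def clock_skew_ok(client_time: float, kdc_time: float, max_skew: float = 300.0) -> bool:
    """Kerberos rejects requests whose timestamp differs from the KDC's clock by
    more than the permitted skew; MIT krb5's default clockskew is 300 seconds."""
    return abs(client_time - kdc_time) <= max_skew


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    print("KDC lookup:", kdc_source(conf))
    # Constructed clock readings (seconds): 7 minutes apart, which is too much.
    print("skew ok:", clock_skew_ok(1_000.0, 1_420.0))
```

With dns_lookup_kdc set to true and the [realms] section omitted, the same script reports the SRV name it would query instead of a static host, which is the alternative configuration mentioned above.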

Next, I edited the vmware-authd file in /etc/pam.d, which connects the vmware-authd daemon to the PAM modules for authentication.  After the edits, the /etc/pam.d/vmware-authd file looked like this:

#%PAM-1.0
auth       sufficient   /lib/security/pam_unix_auth.so shadow nullok
auth       required     /lib/security/pam_krb5.so use_first_pass
account    required     /lib/security/pam_unix_acct.so

Finally, still following the instructions, I created a user account on the ESX Server (using the useradd command there in the COS) that matched the username of an account in Active Directory.  At this point, I was ready to test connectivity.

(Those of you that have read the other articles on Kerberos/LDAP integration of Linux into Active Directory will note that I did not create a computer object, use ktpass.exe to create a keytab, nor did I configure ldap.conf with the attribute mapping.  I can’t explain why I don’t need a computer object or a keytab yet—rest assured I will get to the bottom of that—but the LDAP pieces aren’t necessary because we are relying on the presence of the accounts locally and only using Kerberos for authentication.  This has some advantages and some disadvantages, which I’ll discuss in more detail later.)

The first test (performed by trying to log into the VMware ESX Server MUI using the account created above) failed; /var/log/messages indicated a problem with host resolution.  That problem was easily resolved with a quick edit of /etc/resolv.conf.

The next test also failed; again, /var/log/messages held the answer:  too great of a time skew between the ESX Server and the Active Directory domain controller.  The date command fixed that right up, and we were ready to test again.

The third time was the charm.  Using an account that existed locally (but for which no password had been set) as well as in Active Directory, I was able to log in to the MUI using the Active Directory password.  A quick test with another Active Directory account that did not have a matching local account failed, as expected, confirming that the configuration was working correctly.

I learned a couple of useful tidbits from this experiment.  First, it seems viable that organizations may wish to use Kerberos for authentication to their Linux-based hosts but not use LDAP for account information, instead requiring that local accounts exist on each system (like in this situation).  This has the advantage that the organization has more granular control over which specific Linux/Unix hosts may be used (i.e., no logins will succeed if a local account does not exist); that granularity does not exist if using LDAP for account information.  However, the corresponding disadvantage of this approach is that local accounts must be managed on each separate host.
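The three login outcomes above follow directly from how PAM walks the /etc/pam.d/vmware-authd stack, so here is a small Python model of it (an added example, not code from the original post, from VMware, or from Linux-PAM itself).  It implements the “sufficient” and “required” control flags for the auth and account phases, with use_first_pass meaning the one typed password is handed to every module.  The local and Active Directory account tables and their passwords are constructed sample data, and pam_unix’s shadow check and pam_krb5’s exchange with the domain controller are replaced by dictionary lookups.

```python
"""Model of how PAM evaluates the /etc/pam.d/vmware-authd stack shown above:

    auth     sufficient  pam_unix_auth.so shadow nullok
    auth     required    pam_krb5.so use_first_pass
    account  required    pam_unix_acct.so

Added example, not from the original post, VMware or Linux-PAM. The account
tables are constructed; pam_unix's shadow lookup and pam_krb5's AS exchange
with the domain controller are stood in for by dictionary lookups."""

from __future__ import annotations

from typing import Callable

# Constructed local (COS) accounts. None means the account was created with
# useradd but never given a password, i.e. its shadow entry is locked, so
# pam_unix cannot succeed for it (nullok only applies to an empty field).
LOCAL_ACCOUNTS: dict[str, str | None] = {"vmadmin": None, "root": "localsecret"}

# Constructed Active Directory accounts and passwords (what the KDC would verify).
AD_ACCOUNTS: dict[str, str] = {"vmadmin": "ADpassw0rd", "adonly": "AnotherPass"}

Module = Callable[[str, str], bool]


def pam_unix_auth(user: str, password: str) -> bool:
    """Local password check against the shadow table."""
    stored = LOCAL_ACCOUNTS.get(user)
    return stored is not None and stored == password


def pam_krb5_auth(user: str, password: str) -> bool:
    """Stand-in for obtaining a TGT from the AD domain controller."""
    return AD_ACCOUNTS.get(user) == password


def pam_unix_acct(user: str, _password: str) -> bool:
    """Account phase: the user must exist locally (passwd/shadow)."""
    return user in LOCAL_ACCOUNTS


AUTH_STACK: list[tuple[str, Module]] = [
    ("sufficient", pam_unix_auth),
    ("required", pam_krb5_auth),
]
ACCOUNT_STACK: list[tuple[str, Module]] = [("required", pam_unix_acct)]


def run_stack(stack: list[tuple[str, Module]], user: str, password: str) -> bool:
    """Simplified PAM control-flag semantics:
       sufficient + success -> stop and succeed, unless an earlier required module failed
       sufficient + failure -> ignored
       required   + failure -> keep walking the stack, but the phase fails at the end"""
    failed = False
    for flag, module in stack:
        ok = module(user, password)
        if flag == "sufficient" and ok and not failed:
            return True
        if flag == "required" and not ok:
            failed = True
    return not failed


def authenticate(user: str, password: str) -> bool:
    """Full login decision: auth phase, then account phase.
    use_first_pass means the same password is handed to every module."""
    return run_stack(AUTH_STACK, user, password) and run_stack(ACCOUNT_STACK, user, password)


if __name__ == "__main__":
    for user, password in [("vmadmin", "ADpassw0rd"),   # local + AD, AD password
                           ("adonly", "AnotherPass"),    # AD only, no local account
                           ("root", "localsecret"),      # purely local login
                           ("vmadmin", "wrong")]:
        print(f"{user:8} -> {'OK' if authenticate(user, password) else 'DENIED'}")
```

The “adonly” case is the interesting one: the auth phase actually succeeds (pam_krb5 verified the password against the domain controller), and it is the account phase, pam_unix_acct, that turns the login away because no local account exists.  That is the granular host-by-host control described above.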

Second, I learned that a computer object (and the whole ktpass.exe command to generate the keytab) may not be necessary; I’m going to go back and perform some additional testing to see if that is the case.  More information will be posted here as soon as it is available.

Virtualization Layers

I’d had this article titled “Where Is Virtualization Heading And How This Might Effect The Design And Use Of Citrix And Terminal Servers” flagged in NetNewsWire for quite some time now, with the idea of going back and reading the full article.  (I’ll have to explain my use of RSS feeds sometime.)  In any case, I finally took the time to read the full article, and here are my thoughts.

The article (found here) draws from an earlier article by Brian Madden (here are my earlier comments on this same article) that discusses the various ways in which applications can be delivered to end-users.  In that article, the idea of using VMware to provide virtualized desktop sessions (something VMware is now pursuing with its Virtual Desktop Infrastructure Alliance) was one of the delivery methods discussed.

In this particular article, the author (I don’t even know the author’s name!) wonders if SystemGuard (the application virtualization technology used by Softricity in their SoftGrid product) can somehow reduce the layers of virtualization in the scenario proposed by Brian Madden so as to improve performance and/or resiliency.

It’s an interesting idea, and I believe that the desire to improve performance is what’s driving the rise of paravirtualization products (such as Xen and SWsoft Virtuozzo) that don’t virtualize the entire OS and typically have lower overhead, as well as the introduction of virtualization support into the hardware (via Intel VT and AMD Pacifica).

So, instead of using VMware to provide virtual desktops, perhaps a paravirtualization product is more applicable?  That may (stress the “may,” since VMware’s flagship product ESX Server is an exception to the rule that full virtualization products typically have higher overhead and lower performance) be helpful for performance, but it doesn’t address the increased resiliency the author is really seeking.  The article states:

What I’m imagining here is that instead of Logging on to a traditional Server, you are making a call from the thin client to a “undefined at present” middle layer component that is able to “auto start” an Application encased in a SystemGuard Shell that could then be run on say a Server 2003 x64 System by virtue of a VMware/VMotion layer.

This is followed by:

If this middle layer component was able to deliver some reasonable level of Load Balancing then we could almost take a hit on the resilience, because the redundancy would now be based not on Servers, Sessions or Users but at the individual Application level.

Unfortunately, even VMotion today lacks the ability to recover from a failed host server, although if I recall correctly that kind of “clustered host” functionality may be coming in ESX Server 3.0 (now in beta).  To achieve the kind of resiliency the author is seeking, we need more than application virtualization (like that provided by SystemGuard) and more than OS virtualization (like that provided by Xen, VMware, or Virtuozzo); we need a way of maintaining state across multiple systems.  This would ensure that the failure of one server (because even the author’s ideal scenario has the user logging in to some sort of server) does not impact the applications running on that server—their state is being maintained across a group of servers that can seamlessly take up the slack.  Sounds like a cluster to me!

Once we find this way to maintain state across multiple servers, then we can easily bring together technologies for delivering applications (like Citrix Presentation Server) and technologies for managing applications (like SoftGrid and SystemGuard) to create the ideal managed desktop environment that many organizations are seeking.
