May 25, 2006
Using Sitekeeper to mitigate the new MS WORD security vulnerability
The latest security vulnerability to raise eyebrows is the trojan described in Microsoft Security Advisory (919637).
Unfortunately the final fix from Microsoft is not scheduled for release until a few weeks from now, though I do commend Microsoft for informing the IT public and offering interim workarounds. Major antivirus firms currently rank the threat of this trojan as "low" and already have updates to detect it, so I'd suggest caution, as the workarounds do inhibit user functionality.
Read on and I'll present a customizable way to deploy these fixes to select targets...
I've written and made available many VB and batch scripts in the past to handle system configuration and assorted operations. The piece those scripts did not address is the more complicated work of targeting systems and distributing the fixes and tweaks across a network. The tool I've relied on for that is Sitekeeper, Diskeeper Corporation's easy-to-use system management software.
I took part in early Sitekeeper development and have a soft spot for that product. Therefore I will rely on it again to demonstrate a method to secure systems from this new trojan. I'm not creating anything fancy in the procedures below, I'm simply taking Microsoft's solutions and demonstrating how they can be packaged for distribution with Sitekeeper.
While Group Policy is a great way to deploy configurations, it is not the ideal method for more targeted deployment. Sitekeeper allows for creation of as many "custom" groups (the AD equivalent of an OU) as desired.
It is unlikely that you (or your AD infrastructure group) have organized systems into categories such as "non-IT-savvy users" or "machines operated by non-savvy IT users". Servers tasked with mail, CRM database or file and print responsibilities don't necessarily have their own OUs, but may require policy or behavioral adjustments. We know this is true for Diskeeper as well, which offers GPO templates (you may wish to set different defragmentation schedules on your mail servers than on your SAN).
The point is that you may send an email to all your company's users warning of this threat, but it will go over the heads of many if not most, or will be quickly forgotten. Only the more tech-savvy will remember to be wary of Word documents. Blocking or quarantining Word docs is technically possible, but potentially inefficient and possibly ineffective (given the mobility of many user workstations, USB drives, etc.). MS Word flaws have recently been specifically targeted at corporations (primarily in Europe, per news reports) with spoofed emails made to appear to originate internally, which more readily creates trust on the victim's part that the attachments are safe.
So for the next few weeks, it may behoove you to segregate the internal target systems for this workaround. With Sitekeeper you can quickly drag and drop the systems you believe to be susceptible into custom groups and then deploy the workaround to them.
The skinny:
The Microsoft Security Advisory offers registry changes (as .reg files) that alter the default Word behavior this virus relies on. Copy the data provided into a Notepad file and save it with a .reg extension. I'll call the two files DisableWORDasEMAILeditor.reg and RunWORDinSAFEmode.reg.
Since you may want to undo these alterations, make sure to also create a .reg file capturing the current settings (e.g. RestoreWORDasEMAILeditor.reg, etc.).
The first workaround disables Word as your Outlook editor. Personally I rely heavily on this feature and would not disable this on my system (I plan to stay vigilant for Word docs). Use with caution.
What you paste into notepad for DisableWORDasEMAILeditor.reg should look something like this (Word 2003 only):
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Options\Mail]
"EditorPreference"=dword:00020000
"UseWordMail"=dword:00000000
RestoreWORDasEMAILeditor.reg would look like:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Options\Mail]
"EditorPreference"=dword:00020001
"UseWordMail"=dword:00000001
The second workaround, opening Word in safe mode, has the limitations described in the MS article below. While I don't personally find anything threatening from a usability perspective here, it is important to understand the ramifications (personally I like the fact that the Office Assistant is disabled).
http://office.microsoft.com/en-us/assistance/HP030823931033.aspx
Once you have created the two .reg files and placed them in a folder on a file server (for distribution with Sitekeeper), you're ready to complete a simple batch script to execute them.
Here's an example:
To execute part 1:
rem These .reg files write HKEY_CURRENT_USER, so they take effect for the account running the script
rem pushd to a UNC path maps a temporary drive letter; popd (no arguments) removes it again
pushd "\\REPLACE_WITH_A_FULL_UNC_PATH_TO_REGISTRYFILE"
rem /s imports silently, without the confirmation prompt
Regedit /s DisableWORDasEMAILeditor.reg
popd
To execute part 2:
pushd "\\REPLACE_WITH_A_FULL_UNC_PATH_TO_REGISTRYFILE"
Regedit /s RunWORDinSAFEmode.reg
popd
You can just as easily run one batch file to execute both registry updates. I prefer pushd/popd to "net use" when existing drive mappings on remote systems may be unknown.
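As an added example (not from the post, and not part of Sitekeeper), here is a small Python helper covering the two bookkeeping steps above: it parses the .reg subset the advisory uses, builds the RestoreWORDasEMAILeditor.reg counterpart from a snapshot of the current values, and reports which values still differ after deployment. The `current` snapshot is assumed to be supplied by you (for instance parsed from a reg export taken before the change); the embedded .reg text is the Word 2003 sample from the post.

```python
import re
# Workaround .reg text as quoted in the post (Word 2003), embedded here as sample input.
DISABLE_WORD_EDITOR_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Options\Mail]
"EditorPreference"=dword:00020000
"UseWordMail"=dword:00000000
"""
RegValues = dict[str, dict[str, int]]  # {registry key: {value name: dword}}
_KEY_RE = re.compile(r"^\[(.+)\]$")
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})$')

def parse_reg(text: str) -> RegValues:
    """Parse the .reg subset the advisory uses: key sections and dword values."""
    values: RegValues = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if m := _KEY_RE.match(line):
            key = m.group(1)
            values.setdefault(key, {})
        elif (m := _DWORD_RE.match(line)) and key is not None:
            values[key][m.group(1)] = int(m.group(2), 16)
        else:
            raise ValueError(f"unsupported .reg line: {line!r}")
    return values

def build_restore_reg(workaround: RegValues, current: RegValues) -> str:
    """Emit a .reg restoring each value the workaround touches; `current` is the pre-change snapshot."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for key, names in workaround.items():
        out.append(f"[{key}]")
        for name in names:
            if name not in current.get(key, {}):
                raise KeyError(f"no pre-change value recorded for {key}\\{name}")
            out.append(f'"{name}"=dword:{current[key][name]:08x}')
        out.append("")
    return "\n".join(out)

def verify_applied(expected: RegValues, observed: RegValues) -> dict:
    """Return {key\\name: observed value} for each value still differing from the workaround."""
    mismatches = {}
    for key, names in expected.items():
        for name, want in names.items():
            got = observed.get(key, {}).get(name)
            if got != want:
                mismatches[f"{key}\\{name}"] = got
    return mismatches
```

Running verify_applied against a fresh export from each machine after the Sitekeeper push tells you which targets did not take the change (an empty result means the workaround is in place).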
If you want to alter other Word behavior, Word offers several command-line switches, such as preventing macros from loading, changing the default template (i.e. Normal.dot) and others. Outlook has many as well, including turning off the reading pane by default, which I've implemented.
For an example on how all these steps can be combined into a complete solution, you can view an older article I wrote on using Sitekeeper (an older but relevant version of Sitekeeper) to execute remote commands.
http://executive.com/eletter/previous/eletter.aspx?F=2003040301.htm
Sitekeeper offers free, fully functional trialware for 30 days that can be used on a limited number of systems (you can call a sales rep for additional trial machine licenses). That means you could use the trialware to deploy the workaround, then use the Patchkeeper module in Sitekeeper to deploy the patch in a couple of weeks and remove the modifications detailed above - all for free. Hopefully you see the potential and decide it's worth buying to have it around for the next patch, deployment, tweak, etc., that comes along.
Posted by Michael at 07:55 PM | Comments (0)
May 24, 2006
Diskeeper Affiliate Program
Our affiliate program is an excellent way for people to make money by recommending Diskeeper on their website. We currently have over a hundred affiliates which recommend Diskeeper on their website. When someone you recommend purchases Diskeeper you get a 10% commission.
You can apply to join our Affiliate Program here.
After you are accepted in our program, our Affiliates Portal provides simple instructions, graphics and box shots to get you started making money.
-Paul
Posted by paul.shomo at 12:50 AM | Comments (0)
May 18, 2006
Defragmenting databases
In order to squeeze optimal performance out of a database, there are two "layers" that need defragmentation; the database file(s) themselves, and the internal records/indexes within those files.
Diskeeper, of course, safely and automatically defragments files and free space (yes, even live databases). Advanced Diskeeper features like I/O Smart ensure that defragmentation can occur during production without impact to the system.
Diskeeper does not offer, nor perform, internal file defragmentation. I've authored several white papers that discuss the internal defragmentation/compaction tools Microsoft offers with its Exchange and SQL products. It is those tools, developed by the application vendors, that have the understanding required to address internal fragmentation. You can read those white papers in the Knowledge Center.
The problem with these free tools is that they are cumbersome to use and to integrate with IT operations. Fortunately there are vendors that have dramatically improved upon the basic scripting tools and offer powerful features, so you can avoid the long and often complex coding normally required to operate them.
I'd like to introduce you to a couple of great products I'm familiar with and personally recommend.
Exchange Maintained is a robust program that provides scheduling for all the necessary actions to properly defragment and compact Exchange datastores. You can find out more about this great product at (http://www.fixthisbox.com/). With valuable features like backup, error checking and integrity verifications, this tool has it all.
Norb Technologies (http://www.norbtechnologies.com/) offers the intuitive and powerful Visual Defrag for Microsoft SQL Server 2005, 2000 and 7.0, with a flexible scheduler and detailed visual reports so you can target defragmentation where it's needed most. A SQL administrator can get helpful reports and keep on top of database performance.
Both vendors offer product tours for their products and are very reasonably priced. Check with them for trial versions.
Posted by Michael at 12:57 AM | Comments (2)
May 09, 2006
Learn more about virtualization...
We recently released a new white paper on Virtualization and Disk Performance. For anyone interested in reading it, visit our Knowledge Center - there is a link on the left of this page to take you there.
If you want to learn more about how virtualization works I recommend the video on Microsoft's MSDN site (link below). It's an hour long, but well worth it.
http://channel9.msdn.com/ShowPost.aspx?PostID=163022
Posted by Michael at 08:01 PM | Comments (0)
