Small Business IT Support Service

Sophos Releases free tool to mitigate Microsoft’s .lnk vulnerability
July 29th, 2010 by paulj

Sophos AntiVirus recently announced a free tool to mitigate the impact of a very serious and potentially catastrophic vulnerability in all current versions of Windows (going back to at least Windows 2000, if not farther). The security hole is so severe that simply browsing anything that includes a .lnk file (a web page, a document, a file folder, a USB drive, a network share) is enough to execute the malicious code. You don’t have to open or execute anything at all to be infected.

At this time there is still no fix from Microsoft, but they have released a workaround as well as a quick-fix tool which will implement it for you. However, this solution disables or limits .lnk parsing, so most will find this fix to be a huge nuisance: it will turn most of your icons into ambiguous white squares.

So, with the IT Security world in minor panic, Sophos comes to our rescue with the following tool, which specifically promises to intercept malicious code if a malicious .lnk comes our way: http://www.sophos.com/pressoffice/news/articles/2010/07/shortcut.html

See here for Microsoft’s temporary workaround solution (plus pics of what your icons will look like): http://support.microsoft.com/kb/2286198

I’ll be installing the Sophos tool on my main machine shortly. Msg me or leave some comments if you’re curious about how it goes.

- Paul

Posted in Misc, Security, Vista, Windows 2008, Windows 7

System Reserved Partition in Windows 7/2008
July 23rd, 2010 by brianl

Windows 7/2008 setup creates a new type of partition called “System Reserved Partition”. This partition holds a few key files required to boot in case BitLocker is utilized (since Windows cannot boot from an encrypted drive).

If you do not use BitLocker (which is probably the case for most of you), you can safely remove the System Reserved Partition by following the instructions in step #4 of the following post:

http://social.technet.microsoft.com/Forums/en/w7itproinstall/thread/5f9e147e-32de-4a69-80eb-86f1b10f1c4c

You can also prevent Windows setup from creating the partition in the first place by following Method 3 in the following post:

http://www.mydigitallife.info/2009/08/20/hack-to-remove-100-mb-system-reserved-partition-when-installing-windows-7/

However, since most new machines will ship with the partition already created (and deleting it seems a bit “hackerish”), I would leave it alone. Just make sure to back it up once and set the backup aside.

Posted in Backup, Windows 2008, Windows 7

2 TB limit on boot partitions
July 5th, 2010 by brianl

We were performing a routine RAID array upgrade and ran into something new: MBR drives cannot be bigger than 2 TB.

Because we configured 6 x 2 TB drives in a RAID 10 configuration, we now have a 6 TB drive that can only be used as a 2 TB drive. The remaining 4 TB of unpartitioned space cannot be used in Windows. I suspect more of you will discover this as you create more ginormous arrays for a few hundred bucks!

  1. To break the 2 TB barrier, you must convert the drive to a GPT drive.
  2. However, you cannot boot from a GPT partition.
  3. Also, you can only convert drives that are empty.

Therefore, you can pretty much forget about installing Windows on a partition larger than 2 TB. That shouldn’t be a problem, since your boot partition doesn’t need to be much larger than 80 GB anyway. Just make sure that when you configure a RAID array larger than 2 TB, you split it into two volumes (or virtual drives, in Dell PERC lingo):

  1. 80 GB, MBR – Boot disk
  2. Over 2 TB, GPT – Data partition (maximum 256 TB)


Here are some references.

http://carltonbale.com/how-to-break-the-2tb-2-terabyte-file-system-limit

http://www.microsoft.com/whdc/device/storage/gpt-on-x64.mspx

Posted in Physical Server

Prevent spammers from spoofing your address
June 28th, 2010 by brianl

Occasionally you may have a user report that they are getting bounced messages from someone they did not send email to.

They may be a victim of email address spoofing, a technique spammers use to hide their identity. Basically, a spammer sends out junk email using your email address as the From: address, and when the recipients reject the message, the true owner of the address ends up with the rejection notice.

Most domains send outbound mail through a relatively small number of servers. Domains should describe that set of servers in an SPF record in their DNS. Internet email receivers can then reject forged messages which don’t come from an envelope sender domain’s approved servers. If the recipient’s spam filtering solution is configured to check SPF before accepting messages, it will reject any spoofed messages not originating from the designated servers.

SPF record syntax is a bit cryptic and I’m not exactly sure how it works, but there is a tool that helps you generate the correct formatting. You should also be able to contact your email service provider for help with the correct mail server addresses to enter into the SPF record.

http://old.openspf.org/wizard.html 

For example, GFI MailProtection uses the following servers for outbound mail.

92.51.176.0/24
92.51.177.0/24
174.36.154.0/24
207.154.50.0/24
208.43.37.0/24
208.70.88.0/24
208.70.89.0/24
208.70.90.0/24
208.70.91.0/24 

By running the wizard, selecting “no” for the first three options and entering the above list of IP addresses in the “ip4:” field, the following record is generated (note: select “yes” for the ~all field):

“v=spf1 ip4:92.51.176.0/24 ip4:92.51.177.0/24 ip4:174.36.154.0/24 ip4:207.154.50.0/24 ip4:208.43.37.0/24 ip4:208.70.88.0/24 ip4:208.70.89.0/24 ip4:208.70.90.0/24 ip4:208.70.91.0/24 ~all” 

Now log into your DNS host and create a TXT record for your domain using the above syntax.


This isn’t a foolproof method, since not all spam filtering solutions check SPF records, but it should reduce the number of spoofing attempts that get through. Also, some DNS hosts may not support SPF records (i.e. they don’t let you create TXT records), in which case you may want to consider switching your DNS host to one that does.
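To show what a receiving mail server actually does with that record, here is an added Python example (it is not part of the original post, and not code from openspf.org or GFI): it parses the generated record and returns the SPF result for a given connecting IP. It handles only the ip4, ip6 and all mechanisms, which is all the wizard output uses; the network ranges are the ones quoted above, embedded here as constructed sample data.

```python
import ipaddress

# Constructed sample data: the record the openspf wizard generated in the post.
SPF_RECORD = ("v=spf1 ip4:92.51.176.0/24 ip4:92.51.177.0/24 ip4:174.36.154.0/24 "
              "ip4:207.154.50.0/24 ip4:208.43.37.0/24 ip4:208.70.88.0/24 "
              "ip4:208.70.89.0/24 ip4:208.70.90.0/24 ip4:208.70.91.0/24 ~all")

# The four SPF qualifiers; a term with no qualifier defaults to "+" (pass).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split a v=spf1 TXT record into (qualifier, mechanism, value) terms.

    Only ip4/ip6/all are supported here; a, mx and include would require
    DNS lookups at evaluation time, so they are rejected explicitly.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, value = term.partition(":")
        mech = mech.lower()
        if mech not in ("ip4", "ip6", "all"):
            raise ValueError("unsupported mechanism: " + mech)
        parsed.append((qualifier, mech, value))
    return parsed


def check_sender(record, sender_ip):
    """Evaluate the record for one connecting IP: the first matching term
    wins. 'all' matches everything, so a trailing '~all' means 'softfail
    anything not listed above'; a record with no match at all is neutral."""
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mech, value in parse_spf(record):
        if mech == "all":
            return QUALIFIERS[qualifier]
        net = ipaddress.ip_network(value, strict=False)  # bare IP -> /32 or /128
        if ip.version == net.version and ip in net:
            return QUALIFIERS[qualifier]
    return "neutral"


if __name__ == "__main__":
    for ip in ("208.70.88.17", "198.51.100.5"):
        print(ip, "->", check_sender(SPF_RECORD, ip))
```

With the post's record, mail from a listed GFI range passes, while a message from any other address gets softfail rather than a hard reject, which is why the wizard's ~all choice matters when you decide how aggressively the receiving side should act.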

Posted in Email

The Machine SID Duplication Myth
June 23rd, 2010 by brianl

Here is a blog post by the dudes at Sysinternals about how SID duplication is not a real security threat:

http://blogs.technet.com/b/markrussinovich/archive/2009/11/03/3291024.aspx

Excerpt:

“It’s a little surprising that the SID duplication issue has gone unquestioned for so long, but everyone has assumed that someone else knew exactly why it was a problem. To my chagrin, NewSID has never really done anything useful and there’s no reason to miss it now that it’s retired. Note that Sysprep resets other machine-specific state that, if duplicated, can cause problems for certain applications like Windows Server Update Services (WSUS), so Microsoft’s support policy will still require cloned systems to be made unique with Sysprep.”

Posted in Security