Archive for the 'Networking and Security' Category

Facebook Logon Security Measures Advancing

As much as everyone bitches about Facebook security, here are some things I experienced today that show they are getting rather advanced about protecting against invalid logon attempts, which is one area I grow increasingly concerned about:

  1. You can control whether you get an email, or even require a PIN sent to your cell phone, if an “unrecognized computer/browser” tries to log in.
  2. You can require a security question to get in on a new computer/browser, and as a backup it will ask you to correctly name 5 friends by picture if it doesn’t recognize your browser/computer.
  3. Coolest: In helping a friend, I remotely logged in from his west-coast PC and then into his same account from my east-coast PC within minutes of each other. Facebook DID NOT like that and told him on next logon to his west-coast FB that someone from Virginia Beach tried to log in with the correct password but couldn’t identify his friends by picture, so was denied until he approved it.

Yes, this is cool tech, but it still doesn’t control their overall bad decisions on how I’m opted into new features without my awareness.

IE9 RC and Java

If you’re running the IE9 Release Candidate (huge improvement over IE8) and sites are crashing, it could be that your Java isn’t updated to version 6 update 24. Versions before that (I had update 23) will crash the web page and send it into a loop of crash, reload, crash, etc. You can also click the compatibility mode button (if you’re fast enough) to prevent the crash.

ActiveSync Random Password Prompts Fixed

They were getting random prompts for passwords in ActiveSync on Windows Mobile 6.0 and 6.1.  They had Exchange 2007, and ISA Server 2006, but this problem showed up months after Exchange was migrated to 2007.  It seemed random.  The error on ActiveSync was the generic:

please log in access was denied 0x85010002

In the ISA Monitoring you would see a denied connection on your ActiveSync rule with this status:

12239 The server requires authorization to fulfill the request. Access to the Web server is denied. Contact the server administrator.

I tested with Windows Mobile Emulator from outside the firewall and was able to reproduce the error within hours (just letting it sit there).

I first thought this was the HTTP session timeout that changed with an Exchange 2003 service pack when Direct Push came out back in 2005. I remembered that setting and looked under the ISA Web Listener for ActiveSync on the Connections tab>Advanced>“connection timeout”. The wizard had correctly set it to 1800 seconds (30 minutes). No dice.

I poked around the web listener settings some more and noticed the timeout settings for forms authentication were set (this same web listener was used for OWA).  ISA is supposed to be smart enough to not apply any of the forms auth settings to clients that don’t support it (falling back to basic auth as with ActiveSync).

ISA Web Listener Advanced Form Options

Tom and the forums at isaserver.org confirmed my suspicion.  The forms auth timeout was indeed affecting ActiveSync.  To find it, look for the web listener of your ActiveSync rule, go to properties>Forms tab>Advanced> and make sure “apply session timeout to non-browser clients” is unchecked. 

 

Another reason SharePoint could prompt for authentication on anonymous sites

I see a lot of people saying they are getting auth prompts for public anonymous content on SharePoint sites. Once you have anonymous enabled in Central Admin and in the site collection, you’d expect it to be all good, right?

I discovered one more reason beyond the obvious permissions problems. If you put a graphic or something embedded in a page, then publish that page but NOT the embedded object (i.e. it’s still draft or unapproved), you’ll get an auth prompt when the page loads.

On a busy (lots of stuff) page it can be tough to find what’s the issue. The quickest way I’ve found to discover the problem (99% of the time an image) is to cancel out of the auth prompts, then look for broken stuff on the page. For an image, you can right-click the broken icon and find its location… then jump to that library and check the file. My bet is it’s never been published.

SharePoint Sites Unavailable From Localhost

Also seen as:

  • search is running but no results returned
  • search errors in event log (can’t access content, etc.)
  • you can access sites fine from other boxes but not from the local server
  • only seems to happen for URLs (http://sitename1, http://sitename2) that are different than the host name (http://servername).

Problem:

Windows Server 2003 SP2 and newer (Windows Server 2008) have an anti-denial-of-service feature that prevents the server from accessing itself via different names (that’s the simple answer).

Fix (assuming you want to keep your custom URLs):

  • Set a registry value to turn off this security feature (I still don’t understand the specific type of attack that it’s preventing)
  • Set a registry value to a list of all the CNAMEs your server goes by.
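
The second option above, sketched in PowerShell as an added example (not code from this post or from Microsoft). It assumes the feature in question is the Windows loopback check; the value names `BackConnectionHostNames` and `DisableLoopbackCheck` come from Microsoft's documentation of that check rather than from this page, and the host names are the sample URLs used above.

```powershell
# Added example, not from the original post. Run elevated on the SharePoint server.
# Assumption: the feature described above is the Windows loopback check, which
# rejects NTLM authentication to the local machine under a name other than its own.
param(
    # Constructed sample names, taken from the example URLs in the post.
    [string[]]$HostNames = @('sitename1', 'sitename2')
)

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msvKey = Join-Path $lsaKey 'MSV1_0'

# Current allow-list (REG_MULTI_SZ). The value is absent on a default install,
# in which case this evaluates to $null.
$existing = (Get-ItemProperty -Path $msvKey -Name BackConnectionHostNames `
        -ErrorAction SilentlyContinue).BackConnectionHostNames

# Merge old and new names, drop blanks, normalise case, de-duplicate.
$merged = @($existing) + @($HostNames) |
    Where-Object { $_ -and $_.Trim() } |
    ForEach-Object { $_.Trim().ToLowerInvariant() } |
    Sort-Object -Unique

# Write the list back. Only these names are exempted; the check stays on
# for every other name the server might be addressed by.
New-ItemProperty -Path $msvKey -Name BackConnectionHostNames `
    -PropertyType MultiString -Value ([string[]]$merged) -Force | Out-Null

# Flag the blanket switch if someone already set it (the first option above).
$disabled = (Get-ItemProperty -Path $lsaKey -Name DisableLoopbackCheck `
        -ErrorAction SilentlyContinue).DisableLoopbackCheck
if ($disabled -eq 1) {
    Write-Warning ('DisableLoopbackCheck is 1: the check is off for every name. ' +
        'Remove it once the allow-list is in place.')
}

"BackConnectionHostNames now contains: $($merged -join ', ')"
```

Re-running the script with a new site name appends it to the existing list, so it can be run each time a host header is added.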

Further Info:

Rant:

In the KB Microsoft basically says “don’t turn it all off unless you’re lame”, so you’re left with “edit the registry every time you add a website”. This is a cumbersome workaround for something that happens by default out of the box. Most SharePoint boxes will want more than one web site name, and best practice says to NOT make production sites the server name. IMO SharePoint should be updating the reg key itself and keeping it in sync with the host headers created/managed by Central Admin. Or, the localhost loopback “new feature” should be looking at IIS host headers and allowing them.
