SANS Security West 2012

May 19th, 2012

Arrived back in town after attending the SANS Security West in San Diego for six days.

Watch for a full review in the coming days.

April 24th, 2012

Online, no one can hear you think.

NetBackup Back Down

April 5th, 2012

It has been said that the enemy of progress is change. I think that’s quite an insightful statement, whatever the environment. Based on more than a decade’s worth of experience in Information Technology, it’s especially true of software upgrades.

I’d been running Symantec’s NetBackup 6.5 for quite a while with nary a problem. The promise of faster backups (150%!) with the latest version, 7.5, tugged on my nose ring and led me through the pasture gates and into the abattoir.

I’ve been battling an error thrown by 7.5 (error 69) which sternly contradicts the evidence of my eyes and factual experience that the Exchange databases were mounted. NBU 7.5 thinks they are not and refuses to continue. At least I think that’s what it’s complaining about:

Critical bpbrm(pid=5984) from client ExchangeServer: FTL – snapshot preparation failed – Unable to backup Exchange database. It may not be mounted., status 69

I’m confused because I don’t know which particular database it’s going on about—there are 10 of them. Also, I’m not certain what it means by “snapshot preparation.”

So NBU 7.5 is failing me in many respects, one of which is the 150%—or whatever the number actually is—increase in speed that only happens when you buy an additional option.

Yes, in case you ask, I’ve opened a case with Symantec Technical Support. So far, no dice. Weirdly, the guy I have working with me is named Fred. Unfortunately Symantec Fred seems to be useless as tits on a boar. The problem is I’m running out of disk space so, gasp, I may have to run a Windows Server Backup one-time job. Sigh.

March 24th, 2012

“Your mind can be your Yoda or your Emperor.”

January 1st, 2012

Happy New Year. I wish you what you wish for yourselves and your loved ones. In small doses so we are thankful.

iDon’t

November 1st, 2011

I have a hypothesis that if I gave two newbie users who’d never worked on computers one computer each—one computer with Windows, the other with MacOS—tutored them in the general operation of each machine, then turned them out on their own for one year, the Windows user would end up knowing more about using their computer than the MacOS user.

By the way, I’d have to resort to recruiting two-year-olds to find stark newbies at this point!

Anyone care to speculate why?

Portals Of Discovery

October 20th, 2011

In this post about Windows errors, I got the title from a James Joyce quote:

“A man’s errors are his portals of discovery.”

Seems appropriate, doesn’t it?

I think Joyce’s quote indicates the normal approach we should take towards errors: they should provide an opportunity to discover both what went wrong and what to do, or not to do, in the future.

Except when you’re dealing with Windows errors. These things verge on the bizarre, and as if the shock you get sonically and visually weren’t enough, the verbiage is sure to send you into an apoplectic shock.

The programmers for Microsoft seem to have this idea that they’re writing software for other programmers with access to the source code so of course, why wouldn’t error number 0x08233FF make sense?

Here’s an example of one of these delightful specimens:

The server {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} did not register with DCOM within the required timeout.

Yeah sure, I’ll just get on that.

Another I just walked into this, nay, this very afternoon:

[Image: ARGGHrror]

This is what happens if you’re foolish enough to click on the link to ‘Get help with this error’: another window appears, bearing the following gifts:

[Image: ARGGHrror-NOHELP]

You silly rabbit! How dare you ask for help by clicking on the link to get help? What’s wrong, you gonna cry now?

There are other injustices at hand. The Event Viewer, which Microsoft has devised for the sole purpose of user torture, shows what “events” have been logged to various Windows logs, ranging from System to Application and including Setup, Security and Forwarded Events (in Windows Server 2008, because they changed the logging setup in the latest versions, continuity be damned!). It contains the machinations of Satan’s keyboard.

Say you’re a junior sysadmin, “tasked” with the job of identifying all logons to the server between certain times. Your tongue is hanging out because you’ve been allowed access to the servers, and you click on the Security category of the Event Viewer. Your heart leaps with anticipation (GOD RIGHTS!!) and then you meet Satan:

[Image: Securrrgh]

Just what in Zeus’ armpit does this mean?

Compare and contrast with an entry from a random Linux box I happen to have on hand, for just this purpose:

Oct 20 11:48:50 SERVER sudo:     fred : TTY=pts/0 ; PWD=/var/log ; USER=root ; COMMAND=/usr/bin/less messages

H’m, whatever could this gobbledygook mean? It seems this user, fred, used the sudo command to impersonate the root user and the command he ran was /usr/bin/less messages.

NONSENSE! I CAN’T WORK LIKE THIS!

Once in a blue moon, you get a message that reads like it wasn’t written by a three-year-old Mongolian with access to only the HEX number set, but the key is, it’s almost always a third-party software vendor who, you know, actually cares that their customer can easily decipher what the problem is. Yeah.

Yes, I’m exaggerating for effect, but if you’ve run a Windows installation for time, t ≥ 5s, you’ll run into this buzzsaw at approximately time, t ≥ 6s. (I like to layer my exaggerations for maximum effect.)

The Vista

October 13th, 2011

Ah Windows. I suppose I should be grateful to Windows because were it not for this Operating System, my blood pressure would be three points lower.

I kid.

Yeah, but not really.

Managing Windows is my day job. My hobby is complaining about managing Windows. It’s fun and so easy, even my mother-in-law does it.

Here are the four things I’ve always had to complain about in every single version of Windows since version 3.11 Windows for Workgroups:

  • The error messages are mostly obtuse, sometimes insane, and often confusing.
  • Infuriating inconsistency.
  • Documentation is sparse.
  • Reliance on third-party products for any useful functionality.

I will go into each with more detail in coming posts.

Open Heart Surgery

October 6th, 2011

Mark Russinovich, of Sysinternals fame, tweeted a link to this rather in-depth (and I’m not kidding) article about Frank Boldewin’s extirpation of malware on a friend’s computer.

To get to that level requires a deep understanding of the Windows OS innards and reminds me of Nietzsche’s famous quote about abysses. Nevertheless, it got me thinking: of the Systems Administrators I know, which one of us (I include myself) would have been able to tackle such a dyed-in-the-wool malware infection? Let’s try none.

At this level, it’s rather simpler to throw one A/V after the other at the problem and hope this fixes it, all the while exhibiting a large measure of faith that the issue had indeed been resolved. Barring this, there’s the always elegant “nuke and pave” method for fixing problems with which Windows administrators are quite familiar.

A short hike from this philosophical position leads to the question of whether this is a Good Thing™. Should I, as a systems administrator of one of the world’s most widely used Operating Systems, be able to routinely handle the kinds of issues met and defeated by the hero in the aforementioned article? Bear in mind, further, that the scenario encountered is nothing esoteric and is, in fact, an everyday occurrence in many Windows “shops” nationwide. Yet only a very small number of admins could perform all of the tasks in the manner outlined.

I haven’t decided on an answer. Requiring all systems administrators to understand their OS to this depth may be asking for too much from someone who’s not an OS developer. Then again, why not? Why should sysadmins be able to handle what is gradually becoming an everyday issue for users without blindly resorting to sometimes expensive third-party “solutions” or destroying the OS and data in performing an OS reinstallation?

I try to imagine what a UNIX administrator would do with this kind of scenario. Would the average UNIX admin be able to dive that deep and not drown? Are these kinds of scenarios common in that arena? I don’t remember as it’s been quite a while.

Whatever the case, this is indeed heart surgery and if I were allowed to abuse the analogy a bit, a surgeon is no ordinary doctor. To perform that kind of work requires extensive schooling and experience, something 99% of MDs don’t have, and perhaps don’t want. The parallels begin to fray though, when you consider that if the occurrence of heart surgery was as common as malware infection is in Windows, perhaps anyone who called themselves a doctor would indeed be required to perform heart surgery.

What do you think?

Sisyphus

October 3rd, 2011

Whenever I read “Outlook repeat logon prompts” in the ticket, I groan inwardly. This is one of the most infuriating problems I’ve dealt with because I’ve never been able to pin down the actual problem. Never.

I don’t know at which end the problem lies: with Outlook, with the Domain Controller, or with the Exchange servers’ various roles. Toss in the fact that it’s almost always related to Outlook Anywhere and you’ve a recipe for frustration.

I’d like something easier, please, like brain surgery.
