No more infrastructure roles for Windows Nano Server, and why I still like Server Core

Microsoft’s General Manager for Windows Server Erin Chapple posted last week about Nano Server (under a meaningless PR-speak headline) to explain that Nano Server, the most stripped-down edition of Windows Server, is being repositioned. When it was introduced, it was presented not only as a lightweight operating system for running within containers, but also for infrastructure roles such as hosting Hyper-V virtual machines, hosting containers, file server, web server and DNS Server (but without AD integration).

In future, Nano Server will be solely for the container role, enabling it to shrink in size (for the base image) by over 50%, according to Chapple. It will no longer be possible to install Nano Server as a standalone operating system on a server or VM. 

This change prompted Microsoft MVP and Hyper-V enthusiast Aidan Finn to declare Nano Server all but dead (which I suppose it is from a Hyper-V perspective) and to repeat his belief that GUI installs of Windows Server are best, even on a server used only for Hyper-V hosting.

Prepare for a return to an old message from Microsoft, “We recommend Server Core for physical infrastructure roles.” See my counter to Nano Server. PowerShell gurus will repeat their cry that the GUI prevents scripting. Would you like some baloney for your sandwich? I will continue to recommend a full GUI installation. Hopefully, the efforts by Microsoft to diminish the full installation will end with this rollback on Nano Server.

Finn’s main argument is that the full GUI makes troubleshooting easier. Server Core also introduces a certain amount of friction as most documentation relating to Windows Server (especially from third parties) presumes you have a GUI and you have to do some work to figure out how to do the same thing on Core.

Nevertheless I like Server Core and use it where possible. The performance overhead of the GUI is small, but running Core does significantly reduce the number of security patches and therefore required reboots. Note that you can run GUI applications on Server Core, if they are written to a subset of the Windows API, so vendors that have taken the trouble to fix their GUI setup applications can support it nicely.

Another advantage of Server Core, in the SMB world where IT policies can be harder to enforce, is that users are not tempted to install other stuff on their Server Core Domain Controllers or Hyper-V hosts. I guess this is also an advantage of VMWare. Users log in once, see the command-line UI, and do not try installing file shares, print managers, accounting software, web browsers (I often see Google Chrome on servers because users cannot cope with IE Enhanced Security Configuration), remote access software and so on.

Only developers now need to pay attention to Nano Server, but that is no reason to give up on Server Core.

F-Secure Sense: a success and a failure (and why you should not rely on your anti-virus software)

I am in the process of reviewing F-Secure sense, a hardware firewall which works by inspecting internet traffic, rather than scanning files on your PC or mobile device. This way, it can protect all devices, not only the ones on which an anti-malware application is installed.

I get tons of spam and malware by email, so I plucked out a couple to test. The first was an email claiming to be an NPower invoice. I don’t have an account with NPower, so I was confident that it was malware. Even if I did have an account with NPower, I’d be sure it was malware since it arrived as a link to a website on my.sharepoint.com, where someone’s personal site has presumably been hacked.

I clicked the link hoping that Sense would intercept it. It did not. Here is what I saw in Safari on my iPad:

image

(Wi-Drive is a storage app that I have installed and forgotten about). I clicked More and saved the suspect file to Apple’s iCloud Drive.

Then I went to a Windows PC, and clicking very carefully, downloaded the file from iCloud Drive. The PC is also connected to the Sense network.

Finally, I uploaded the file for analysis by VirusTotal:

image

Well, it is certainly a virus, but only 4 of 58 scanning engines used by VirusTotal detect it. You will not be surprised to know that F-Secure was one of the engines which passed it as clean.

image

Note that I did not try to extract or otherwise open the files in the ZIP so there is a possibility that it might have been picked up then. Still, disappointing, and an illustration of why you should NOT rely on your antivirus software to catch all malware.

Now the good news. I had another email which looked like a phishing attempt. I clicked the link on the iPad. It came up immediately with “Harmful web site blocked.”

image

While that is a good thing, 50% of two attempts is not good – it only takes one successful infection to cause a world of pain.

My view so far is that while Sense is a useful addition to your security defence, it is not to be trusted on its own.

In this I am odds with F-Secure which says in its FAQ that “With F-Secure SENSE no traditional security software is needed,” though the advice adds that you should also install the SENSE security app.

image

F-Secure Sense Firewall first look: a matter of trust

Last week I journeyed to Helsinki, Finland, to learn about F-Secure’s new home security device (the first hardware product from a company best known for anti-virus software), called Sense.

I also interviewed F-Secure’s Chief Research Officer Mikko Hypponen and wrote it up for The Register here. Hypponen explained that a firewall is the only way to protect the “connected home”, smart devices such as alarms, cameras, switches, washing machines or anything that connects to the internet. In fact, he believes that every appliance we buy will be online in a few years time, because it costs little to add this feature and gives vendors great value in terms of analytics.

Sense is a well made, good looking firewall and wireless router. The idea is that you connect it to your existing router (usually supplied by your broadband provider), and then ensure that all other computers and devices on your networks connect to Sense, using either a wired or wireless connection. Sense has 3 LAN Ethernet ports as well as wireless capability.

This is not a full review, but a report on my first look.

image

Currently you can only set up Sense using a device running iOS or Android. You install the Sense app, then follow several steps to create the Sense network. You can rename the Sense wifi identifier and change the password. The device you use to setup Sense becomes the sole admin device, so choose carefully. If you lose it, you have to reset the Sense and start again.

My initial effort used the Android app. I ran into a problem though. The Sense setup said it required permission to use location:

image

I am not sure why this is necessary but I was happy to agree. I clicked continue and verified that Location was on:

image

Then I returned to the Sense app but it still did not think Location was available and I could not continue.

Next I tried the iOS Sense app on an iPad. This worked better, though I did hit a glitch where the setup did not think I had connected to the wifi point even though I had. Quitting and restarting the app fixed this. I am sure these glitches in the app will be fixed soon.

I was impressed by the 16 character password generated by default. Yes I have changed it!

image

I was up and running, and started connecting devices to the Sense network. Each device you connect shows up as a protected device in the Sense app.

There are very limited settings available (and no, you cannot use a web browser instead, only the app). You can set a few network things: IP address, DHCP range. You can configure port forwarding. You can set the brightness of the display, which normally just shows the time of day. You can view an event log which shows things like devices added and threats detected; it is not a firewall log. You can block a device from the internet. You can send feedback to the Sense team. And that is about it, apart from the following protection settings:

image

The above is the default setting. What exactly do Tracking protection and Identify device type do? I cannot find this documented anywhere, but I recall in our briefing there was discussion of blocking tracking by advertisers and identifying IoT devices in order to build up a knowledgebase of any security flaws in order to apply protection automatically. But I may be wrong and do not have any detail on this. I enabled all the options on my Sense.

As it happens, I have a device which I know to be insecure, a China-made IP camera which I wrote about here. I plugged it into the Sense and waited to see what would happen.

Nothing happened. Sense said everything was fine.

image

Is everything OK? I confess that I did not attach Sense directly to my router. I attached it to my network which is behind another firewall. I used this second firewall to inspect the traffic to and from the Sense. I also disconnected all the devices other than the IP Camera.

I noticed a couple of things. One is that the Sense makes frequent connections to computers running on AWS (Amazon Web Services). No doubt this is where the F-Secure Security Cloud is hosted. The Security Cloud is the intelligence piece in the Sense setup. Not all traffic is sent to the Security Cloud for checking, but some is sent there. In fact, I was surprised at the frequency of calls to AWS, and hope that F-Secure has got its scaling right since clearly this could impact performance.

The other thing I noticed is that, as expected, the IP Camera was making outbound calls to a couple of servers, one in China and one in Singapore, according to the whois tools I used. Both seem to be related to Alibaba in China. Alibaba is not only a large retailer and wholesaler, but also operates a cloud hosting service, so this does not tell me much about who is using these servers. However my guess is that this is some kind of registration on a peer to peer network used for access to these cameras over the internet. I don’t like this, but there is no way I can see in the camera settings to disable it.

Should Sense have picked this up as a threat? Well, I would have liked it if it had, but appreciate that merely making outbound calls to servers in China is not necessarily a threat. Perhaps if someone tried to hack into my camera the intrusion attempt would be picked up as a threat; it is not easy to test.

On the plus side, Sense makes it very easy to block the camera from internet access, but to do that I have to be aware that it might be a threat, as well as finding other ways to access it remotely if that is something I require.

Sense did work perfectly when I tried to access a dummy threat site from a web browser.

image

If you disagree with Sense, there is no way to proceed to the dangerous site, other than disabling browser protection completely. Perhaps a good thing, perhaps not.

It all comes down to trust. If you trust F-Secure’s Security Cloud and technology to detect and prevent any dangerous traffic, Sense is a great device and well worth the cost – currently £169.00 and then a subscription of £8.50 per month after the first year. If you think it may make mistakes and cause you hassle, or fail to detect attacks or malware downloads, then it is not a good deal. At this point it is hard for me to tell how good a job the device is doing. Unfortunately I am not set up to click on lots of dangerous sites for a more extensive test.

I do think the product will improve substantially in the first few months, as it builds up data on security risks in common devices and on the web.

Unfortunately more technical users will find the limited options frustrating, though I understand that F-Secure wants to limit access to the device for security reasons as well as making it simpler to use. The documentation needs improving and no doubt that will come soon.

More information on Sense is here.


The Mott the Hoople and Ian Hunter Story

I’ve been a fan of first Mott the Hoople and then Ian Hunter solo since way back when. I decided to embark on an album-by-album discussion of the band and of Hunter’s solo career over on the Steve Hoffman Music Forum. I started in October 2016 and have not finished yet, but I will.

There are a couple of reasons why I have decided to repost the content here – my own content, not the entire discussion. One is that I cannot edit any old posts there so errors, additions, fixing broken links etc cannot be fixed, other than by emailing moderators. Another is that it is hard to navigate a long thread, for example if you are looking for a review of a specific album.

Therefore I’ve posted the key posts on this site. You can find an index in the first post and continue from there.

Comments are welcome, especially if you have your own recollections of seeing the band (or one of Ian Hunter’s bands).

How to remove the WINS server feature from Windows Server

The WINS service is not needed in most Windows networks but may be running either for legacy reasons, or because someone enabled it in the hope that it might fix a network issue.

It is now apparently a security risk. See here and Reg article here.

Apparently Microsoft says “won’t fix” despite the service still being shipped in Server 2016, the latest version:

In December 2016, FortiGuard Labs discovered and reported a WINS Server remote memory corruption vulnerability in Microsoft Windows Server. In June of 2017, Microsoft replied to FortiGuard Labs, saying, "a fix would require a complete overhaul of the code to be considered comprehensive. The functionality provided by WINS was replaced by DNS and Microsoft has advised customers to migrate away from it." That is, Microsoft will not be patching this vulnerability due to the amount of work that would be required. Instead, Microsoft is recommending that users replace WINS with DNS.

It should be removed then. I noticed it was running on a server in my network, running Server 2012 R2, and that although it was listed as a feature in Server Manager, the option to remove it was greyed out.

I removed it as follows:

1. Stop the WINS service and set it to manual or disabled.

2. Remove the WINS option in DHCP Scope Options if it is present.

3. Run PowerShell as an administrator and execute the following command:

uninstall-windowsfeature wins

This worked first time, though a restart is required.

Incidentally, if Microsoft ships a feature in a Server release, I think it should be kept patched. No doubt the company will change its mind if it proves to be an issue.

Note: you can also use remove-windowsfeature which is an alias for uninstall-windowsfeature. You do need Windows Server 2008 R2 or higher for this to work.

OneDrive Files on Demand is back – will users get confused? And how does it look to applications?

Microsoft is restoring a much-requested feature to its OneDrive cloud storage: placeholders, or what is now called Files on Demand.

The issue is that when users have files in cloud storage, they want easy access to them at any time, but downloading everything to local storage may use too much disk space. There are also scenarios where you do not want a local copy, for example for confidential documents, especially if you do not enable Bitlocker encryption.

You can use OneDrive through the web browser, but Windows users expect File Explorer integration, the most natural way of working.

Windows 8.1 introduced placeholders, where OneDrive (then SkyDrive) files appeared in File Explorer but were not actually downloaded until you opened them. It was a popular feature, but Microsoft removed it in Windows 10, saying that users found it confusing. I suppose they might have thought a file was on their PC, boarded a plane, and then discovered they could not work on the document because they it was not actually there.

This was a user interface issue, but apparently there were other technical issues, particularly for applications using the Windows file APIs. Perhaps the problems were so intricate that the team did not think it could be fixed in the first releases of Windows 10.

Now the feature is back, and I have installed it on the latest Windows Insider build:

image

But could users still be confused? Files in OneDrive now have four possible states:

Hidden. You can still choose not to make all folders visible in File Explorer. In fact, hidden seems to be the default for folders previously not synced to the PC, though you can easily check an option to show them all:

image

Online-only: Files have a cloud icon and are offline until you open them:

image

Locally available:

image

Always available:

image

So what is the difference between “Locally available” and “Always available”? It really is not explained here but my assumption is that locally available files could automatically revert to online-only if there is pressure on disk space. It could catch you out, if you saw that a file was locally available and relied on that, only to find that Windows automatically reverted it without you realising.

If you right-click a file in OneDrive you can change its status or share a link. If you want to make a file online-only, you choose Free up space (I think it would be clearer if this option were called Online-only, but this is a preview so it might change).

image

How do online-only files look to applications? I ran up Visual Studio and wrote a utility that iterates through a folder and shows the file name and length:

image

You will note that the API reported the size of the file online, not on disk. This is the kind of thing that can cause issues, though if the file size were reported as zero bytes – well, that could cause issues too.

Incidentally, you can also now sort files in File Explorer by Status. I imagine the latest Windows 10 SDK will also have a way to report status so that applications can catch up.

Fixing “couldn’t parse private ssl key” in Dovecot

I run Debian Linux including a mail server, and part of the system is Dovecot, an open source IMAP and POP3 server which has always worked well for me.

Unfortunately it stopped working after an upgrade. With Linux I am in the habit of doing:

apt-get update

apt-get upgrade

to keep the system patched, and normally everything works fine. Occasionally it does not, and then I need to dig in and work out what is wrong and how to fix it. The upgrade to Apache 2.4, for example, was somewhat painful because of changed configuration directives.

This time it was Dovecot that broke. I use Thunderbird to pick up POP3 mail, and nothing was flowing. Eventually I found the problem logged in syslog:

Fatal: Couldn’t parse private ssl_key: error:0906D06C:PEM routines:PEM_read_bio:no start line: Expecting: ANY PRIVATE KEY

I puzzled over this for some time. The path to the private key was correct in dovecot.conf. The permissions were OK. I regenerated the certificate (it’s self-signed) but still the same.

Eventually I found the solution here. The path to the SSL certs used to look like this:

ssl_cert = /etc/ssl/certs/dovecot.pem
ssl_key = /etc/ssl/private/dovecot.pem

Now it must look like this:

ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_key = </etc/ssl/private/dovecot.pem

Yes, you need that angle bracket, otherwise you get the error.

It used to work, so at some point the Dovecot coders took out the compatibility code that allowed the old-style directive.

Mentioned here in case it helps someone find the solution.

The threat from insecure “security” cameras and how it goes unnoticed by most users

Ars Technica published a piece today about insecure network cameras which reminded me of my intention to post about my own experience.

I wanted to experiment with IP cameras and Synology’s Surveillance Station so I bought a cheap one from Amazon to see if I could get it to work. The brand is Knewmart.

image

Most people buying this do not use it with a Synology. The idea is that you connect it to your home network (most will use wifi), install an app on your smartphone, and enjoy the ability to check on how well your child is sleeping, for example, without the trouble of going up to her room. It also works when you are out and about. Users are happy:

So far, so good for this cheap solution for a baby monitor. It was easy to set up, works with various apps (we generally use onvif for android) and means that both my wife and I can monitor our babies while they’re sleeping on our phones. Power lead could be longer but so far very impressed with everything. The quality of both the nightvision and the normal mode is excellent and clear. The audio isn’t great, especially from user to camera, but that’s not what we bought it for so can’t complain. I spent quite a long time looking for an IP cam as a baby monitor, and am glad we chose this route. I’d highly recommend.

My needs are a bit different especially as it did not work out of the box with Surveillance Station and I had to poke around a bit. FIrst I discovered that the Chinese-made camera was apparently identical to a model from a slightly better known manufacturer called Wanscam, which enabled me to find a bit more documentation, but not much. I also played around with a handy utility called Onvif Device Manager (ONVIF being an XML standard for communicating with IP cameras), and used the device’s browser-based management utility.

This gave me access to various settings and the good news is that I did get the camera working to some extent with Surveillance Station. However I also discovered a number of security issues, starting of course with the use of default passwords (I forget what the admin password was but it was something like ‘password’).

The vendor wants to make it easy for users to view the camera’s video over the internet, for which it uses port forwarding. If you have UPnP enabled on your router, it will set this up automatically. This is on by default. In addition, something strange. There is a setting for UPnP but you will not find it in the browser-based management, not even under Network Settings:

image

Yet, if you happen to navigate to [camera ip no]/web/upnp.html there it is:

image

Why is this setting hidden, even from those users dedicated enough to use the browser settings, which are not even mentioned in the skimpy leaflet that comes with the camera? I don’t like UPnP and I do not recommend port forwarding to a device like this which will never be patched and whose firmware has a thrown-together look. But it may be because even disabling UPnP port forwarding will not secure the device. Following a tip from another user (of a similar camera), I checked the activity of the device in my router logs. It makes regular outbound connections to a variety of servers, with the one I checked being in Beijing. See here for a piece on this, with regard to Foscam cameras (also similar to mine).

I am not suggesting that there is anything sinister in this, and it is probably all about registering the device on a server in order to make the app work through a peer-to-peer network over the internet. But it is impolite to make these connections without informing the user and with no way that I have found to disable them.

Worse still, this peer-to-peer network is not secure. I found this analysis which goes into detail and note this remark:

an attacker can reach a camera only by knowing a serial number. The UDP tunnel between the attacker and the camera is established even if the attacker doesn’t know the credentials. It’s useful to note the tunnel bypasses NAT and firewall, allowing the attacker to reach internal cameras (if they are connected to the Internet) and to bruteforce credentials. Then, the attacker can just try to bruteforce credentials of the camera

I am not sure that this is the exact system used by my camera, but I think it is. I have no intention of installing the P2PIPC Android app which I am meant to use with it.

The result of course is that your “security” camera makes you vulnerable in all sorts of ways, from having strangers peer into your bedroom, to having an intrusion into your home or even business network with unpredictable consequences.

The solution if you want to use these camera reasonably safely is to block all outbound traffic from their IP address and use a different, trusted application to get access to the video feed. As well as, of course, avoiding port forwarding and not using an app like P2PIPC.

There is a coda to this story. I wrote a review on Amazon’s UK site; it wasn’t entirely negative, but included warnings about security and how to use the camera reasonably safely. The way these reviews work on Amazon is that those with the most “helpful votes” float to the top and are seen by more potential purchasers. Over the course of a month or so, my review received half a dozen such votes and was automatically highlighted on the page. Mysteriously, a batch of negative votes suddenly appeared, sinking the review out of sight to all but the most dedicated purchasers. I cannot know the source of these negative votes (now approximately equal to the positives) but observe that Amazon’s system makes it easy for a vendor to make undesirable reviews disappear.

What I find depressing is that despite considerable publicity these cameras remain not only on sale but highly popular, with most purchasers having no idea of the possible harm from installing and using what seems like a cool gadget.

We need, I guess, some kind of kitemark for security along with regulations similar to those for electrical safety. Mothers would not dream of installing an unsafe electrical device next to their sleeping child. Insecure IoT devices are also dangerous, and somehow that needs to be communicated beyond those with technical know-how.

Server shipments decline as customers float towards cloud

Gartner reports that worldwide server shipments have declined by 4.2% in the first quarter of 2017.

Not a surprise considering the growth in cloud adoption but there are several points of interest.

One is that although Hewlett Packard Enterprise (HPE) is still ahead in revenue (over $3 billion revenue and 24% market share), Dell EMC is catching up, still number two with 19% share but posting growth of 4.5% versus 8.7% decline for HPE.

In unit shipments, Dell EMC is now fractionally ahead, with 17.9% market share and growth of 0.5% versus HPE at 16.8% and decline of 16.7%.

Clearly Dell is doing something right where HPE is not, possibly through synergy with its acquisition of storage vendor EMC (announced October 2015, completed September 2016).

The larger picture though is not great for server vendors. Businesses are buying fewer servers since cloud-hosted servers or services are a good alternative. For example, SMBs who in the past might run Exchange are tending to migrate to Office 365 or perhaps G Suite (Google apps). Maybe there is still a local server for Active Directory and file server duties, or maybe just a NAS (Networked Attached Storage).

It follows that the big cloud providers are buying more servers but such is their size that they do not need to buy from Dell or HPE, they can go directly to ODMs (Original Design Manufacturers) and tailor the hardware to their exact needs.

Does that mean you should think twice before buying new servers? Well, it is always a good idea to think twice, but it is worth noting that going cloud is not always the best option. Local servers can be much cheaper than cloud VMs as well as giving you complete control over your environment. Doing the sums is not easy and there are plenty of “it depends”, but it is wrong to assume that cloud is always the right answer.

How to use Vi: a minimalist guide

Occasionally you may find Vi is the only editor available. To use it to edit somefile.txt type:

vi somefile.txt

Now type:

i

This puts you into insert mode and you can type. Type something.

When you are done, type the Esc key to go back to command mode. Type:

ZZ

(must be upper case) to save the file and quit.

If you don’t want to save, type:

:q!

to quit without saving.

At this point I am tempted to add all sorts of other tips, like / to search, but then this would not be a minimalist guide!