No Scanner and Camera Wizard? (And a little on Remote Assistance under x64)

I despise digital cameras. My girlfriend constantly asks me to charge mine, although I have no intention of ever using it. It breaks down like this:



  • Fun photo-taking duties: her.

  • Charging and general maintenance – including downloading, storing, publishing and otherwise doing things with photos: me.

I pray daily for the convergence of all portable digital devices, so that I can lose the vines of charger cables for phones, cameras, MP3 players and so on that frond their way across my living room.


Back To The Point, Son


My parents called up with a minor emergency: when they plugged their new or old digital cameras in, “nothing happened”. Closer investigation revealed that “nothing” was actually “something”: the folder view appeared, but not the Scanner and Camera Wizard.


They had attempted all the usual remedies before calling: installing the Windows 98 software that came with the old camera (they’re on XPSP2, natch); clicking things in various control panels; hanging out the washing; getting upset with each other; cursing the “bloody thing”.


I assumed that they’d simply picked a default action in the Scanner and Camera Wizard, and that they weren’t going to be prompted ever again, and set about looking for a way to undo this. All the search engines suggested that uninstalling Realplayer would resolve the problem, but I wasn’t prepared to install RealPlayer, just to remove it, just to get the wizard back.


Remote Assistance, MSN Messenger 7.0, Windows X64 Edition


Their Remote Assistance invites (er, actually about 50% were RA Invites, 50% were “You have been added to this conversation”) failed with a message that indicated Remote Assistance is not installed or available on my computer, or is disabled. Funny, I thought X64 did include RA. Quick web search didn’t show any “of course, we had to cut that feature” announcements.


As a last ditch attempt, I killed MSN Messenger and started Windows Messenger. This time, the invitation actually worked, and I got as far as the Accept stage before Messenger went to 100% CPU. Closing everything that might have a vested interest in Messenger components (Windows Messenger, MSN Messenger, Outlook, Maxthon, everything right-click and Exit-ed), I fired up Windows Messenger again, and this time got the RA session working.


The Problem(s)


Now I could see their screen, so I got them to plug in their Sony camera. Up popped a folder view, with a couple of weirdly named folders. Browsing through them, I couldn’t find any JPGs or RAWs or similar.


I asked if it would be a fair assessment that they had no photos actually taken on the device? No. Can you take one? OK.


One photo taken later, the camera is plugged back in, and whop – there’s the Scanner and Camera Wizard, eager to dispose of the photo.


The other camera (an old Olympus D520 Zoom) turned out not to be able to take photos any more under pretty much any circumstances, so might be of limited use as a camera.


ADD-friendly Summary


If you came here just looking for a quick fix of information, here are the key learnings in easy-to-consume form:



  1. The Scanner and Camera Wizard might not appear if you haven’t got any photos on the device you’re plugging in.

  2. Receiving Remote Assistance Invites under Windows XP Pro X64 (at least on my system) needs Windows Messenger to receive the invitation – MSN Messenger 7.0 doesn’t cut it. Remember to close any open programs that might consume Messenger features if trying to switch between them.

  3. I’m a rotten relative to ask for tech support.


Aussie IT Pro Blogger OPML

Rightyho.


My ISP issues have now worked themselves out (touch wood), so I can post the link to the Aussie IT Pro OPML page.


There’s also a timely confluence of interest in OPML, with Start.com announcing they’d added support to their MyW3b site – though you need to download it as a file and then upload it to myw3b; perhaps they’ll add online OPML support later? – and Dave Winer publishing a new OPML outlining tool (mental note to play with it, I haven’t quite grasped it yet).


Anyway – if you know of an Aussie IT Pro Blogger that should be added, or you’re just starting out with this IT blogging thing and want an audience, hit my Contact page and let me know about you. Or them. Or it.


Cheers!



Susan: Two NICs. And Live Logging is Win!

I was really trying to work an Animal Farm joke in here, but I can’t make it work.


Susan brings up a couple of really good points (IMNSHO) – first, I’ll tackle the NIC question: I always tend to come back to the two (plus)-NIC variant for any given ISA Server. From an ISA perspective, there are clear benefits (and a lack of limitations) to using multiple NICs.


In discussing how you need to get to know your firewall, Susan also touches upon something that one of my customers told me about ISA 2004 a while back:


“Tristan”, he said, “If you’re going to be giving feedback to the product team anytime soon, the live logging is a win.”


I’d forgotten that this was something new at the time he told me, but it offers a couple of huge benefits when troubleshooting: directly, you get to look at why a certain piece of traffic is being handled in a way you didn’t expect; indirectly, it helps you easily get a better understanding of the workings of the firewall.


This customer had a really good handle on protocols, publishing and general ISA operation, but some of the junior people he worked with didn’t (at least at first), and he said that this helped them see the traffic patterns and learn how the protocols themselves worked, without requiring a capture-and-analyze approach (as, say, Network Monitor/Ethereal or log analysis after the fact would).


If you’re not already using Live Logging in ISA 2004, quickly go check it out – it’s in the Monitoring area, on the Logging tab – just set the Log Time field to Live, and hit Start (optionally filtering on some useful criteria), then, um, do stuff, and watch how ISA reacts.


So, my advice: you can use Live Logging to get to know your firewall a little better.


(And if that doesn’t work, you can always try to buy it dinner and a movie; I find ISA just eats romantic comedies.)

On Vista

The name’s grown on me since the rumours started yesterday, and I’m happy with the overall design and context of the name and logo in the video. Purely to shake it up a bit, I’d have tried to get a “-tron” postfix in there, as a “Vistatron” sounds pretty cool, in a Transformers sort of way (er, although all the *trons I can remember offhand (Galvatron, Megatron) were decepticon leaders, so possibly not quite the effect we’re looking for).


Drawing on many years of marketing experience*, I wonder if this name won’t become the Rambo of the software world.


As you can see from the link above, the first movie to feature John Rambo was First Blood. When they made the sequel, they called it Rambo: First Blood Part II. As I recall, Rambo was a blockbuster in every sense, whereas the prequel was just about some guy in the woods shooting people. (I was something like 7 at the time, so my memory of it isn’t so good).


When the sequel to Rambo rolled around, they didn’t simply call it Rambo 2, ohhh no. That would be too obvious. This was Rambo III. Sure, technically it was First Blood III, but if Rambo was First Blood II, surely that made it Rambo II? “First Blood” was gone from the title, forgotten.


In Windows terms, the letters NT got us all the way to 4.0 (oddly, in 4 releases) before the letters disappeared from the name in Windows 2000. Different letters were used for XP in 2001, but then numbers reasserted themselves for 2003. The letters “NT” are just part of a fading memory.


Sooo… That’s my bet for Vista. Sure, Windows Vista might have the Windows prefix for now, but if it’s wildly successful, perhaps the Windows name will be replaced with Vista, so the next version will simply be “Vista 2008” or similar. (Or “Vista XP” if we’re on another letter fetish at the time).


Alternatively, I’d like to suggest that the Operating System Following Vista be known as Windows: First Blood, just to keep everything balanced and coherent.

Terminal Server / Remote Desktop DoS Issue

Via TonySo:


http://www.microsoft.com/technet/security/advisory/904797.mspx


Our initial investigation has revealed that a denial of service vulnerability exists that could allow an attacker to send a specially crafted Remote Desktop Protocol (RDP) request to an affected system. Our investigation has determined that this is limited to a denial of service, and therefore an attacker could not use this vulnerability to take complete control of a system. Services that utilize the Remote Desktop Protocol are not enabled by default, however if a service were enabled, an attacker could cause this system to restart.

Sounds like a low-value attack, but an attack nonetheless. Check out the advisory article for mitigation details while we work on a fix. An additional workaround might be to temporarily move RDP off its default port, which is security through obscurity (an attacker who took the time to scan all available ports would still probably identify the RDP port easily); you can do this without modifying a back-end server if it’s done with ISA 2004 (ignore the TSWeb bits, it’s the port numbering we’re interested in), and/or filter that port based on known/trusted incoming IP addresses.


Update: Noticed Susan had a similar thought about it – the RDP proxy used for RWW in SBS 2003 runs on a different port (*speculation with little-or-no-merit warning* who knows, might not even be affected by the same issue…).

Custom Password Filters

Back from holiday now, and almost over the jetlag. Almost.

A question came up today about Password Filter DLLs, and the documentation always seems to be hard to find, so I’ve popped up a quick summary of everything I know here.

Back In The Day of NT4, there was an optional component that Microsoft provided called PASSFILT.DLL that could be installed to perform password complexity checks. These days, equivalent functionality has been built in to the base OS since Windows 2000 (i.e. Windows 2000, 2003, 2008, 2012, 2016 and so on).

Anyway, the problem is that the Platform SDK article Installing and Registering a Password Filter DLL makes the assumption that you want more security than Windows’ default password complexity check, and so lists the final step as being:

4. Ensure that the Passwords must meet complexity requirements policy setting is enabled.

If you’d written a filter that, say, only checked that the user wasn’t using their own name as a part of the password, and you wanted this check to be an additional check over the Microsoft built-in password complexity filter, this would be a Good Thing, because a password is only considered valid if it satisfies all installed password filters. It’s an AND relationship:

  • Filter1 must return true AND
  • Filter2 must return true AND
  • Filter3 must return true

So, all the filters run for every password change, and if they all say “yep, that’s fine with me”, then the password change is successful.

If you wrote a filter that checked for the word “Micro$oft” (or a 1337 derivative of your own company name) in a password, and rejected it if it was present, and followed the instructions at the above link, you’d have a system that would accept:

  • strong passwords (as defined by your Windows complexity policy)
  • that didn’t contain that particular word (as defined by your filter)

To extend the model, if your company had compiled a massive database of personal information on its employees, you could similarly check that they weren’t using their wife’s name, blood type, social security number (Hello Americans!), dog’s name, daughter’s boyfriend’s name or brand of hair gel as a part of their password, and be assured that the password met Windows’ password complexity requirements… though slightly more seriously it’s a good idea to keep these things somewhat lightweight.

The Windows Password Complexity setting simply enables or disables the default “complex” Windows checks, so you don’t have to muck around with DLL installation and removal to get the regular “complex” stuff, it just sets a registry key (via policy). The Windows password filter is always installed and always runs to some extent, it just doesn’t always take action (depending on those registry settings).

Over the years I’ve worked with password filters, it’s (disappointingly) been reasonably common that some customers actually want reduced security in the password complexity space (often because it’s more difficult to upgrade legacy systems that can’t handle > 5 character passwords and lower case, or other similarly horrific constraints). As the alternative is “no password complexity” at the Windows filter level, we’re not really that flexible, and any security measure is potentially better than none.

If you’re coding a password complexity filter that is meant to replace rather than complement the Windows complexity checks, you need to disable the “Passwords must meet complexity requirements” setting to make yours the One True Password Filter (assuming no other custom filters are installed that make it impossible to produce a valid password… be careful with that too).
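To make the AND-of-filters rule and the complement-versus-replace distinction concrete, here is an added example (my own illustration, not code from the post or from the Platform SDK) in portable C: a simplified stand-in for the built-in complexity check, gated by a flag that plays the role of the “Passwords must meet complexity requirements” policy, plus the post’s hypothetical “no company name or 1337 variant” filter, combined the way LSA combines installed filters. On Windows the same verdict would be returned from the DLL’s exported PasswordFilter entry point; that wrapper is omitted so the logic compiles and runs anywhere.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Case-insensitive substring test shared by both filters. */
static bool contains_ci(const char *hay, const char *needle) {
    size_t n = strlen(needle);
    if (n == 0) return false;
    for (; strlen(hay) >= n; hay++) {
        size_t i = 0;
        while (i < n && tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i])) i++;
        if (i == n) return true;
    }
    return false;
}

/* Filter 1: simplified model of the built-in Windows check (not the real code):
 * at least 6 characters, three of four character classes, and no account name
 * inside the password. The flag stands in for the complexity policy setting. */
static bool builtin_complexity_enabled = true;
void set_builtin_complexity(bool on) { builtin_complexity_enabled = on; }
static bool builtin_complexity(const char *pw, const char *account) {
    if (!builtin_complexity_enabled) return true;   /* policy off: always passes */
    bool up = false, lo = false, dg = false, sy = false;
    for (const char *p = pw; *p; p++) {
        if (isupper((unsigned char)*p)) up = true; else if (islower((unsigned char)*p)) lo = true;
        else if (isdigit((unsigned char)*p)) dg = true; else sy = true;
    }
    return strlen(pw) >= 6 && (up + lo + dg + sy) >= 3 && !contains_ci(pw, account);
}

/* Filter 2: the post's custom rule. Fold common 1337 substitutions back to
 * letters, then reject anything containing the (hypothetical) banned word. */
static bool no_banned_word(const char *pw, const char *account) {
    (void)account;
    char norm[256]; size_t i;
    for (i = 0; pw[i] && i < sizeof norm - 1; i++) {
        char c = (char)tolower((unsigned char)pw[i]);
        if (c == '$' || c == '5') c = 's'; else if (c == '0') c = 'o'; else if (c == '1' || c == '!') c = 'i';
        norm[i] = c;
    }
    norm[i] = '\0';
    return !contains_ci(norm, "microsoft");
}

/* The "installed filters" table. LSA's rule: the password is valid only if
 * EVERY filter returns true; the first refusal ends the password change. */
typedef bool (*pw_filter)(const char *pw, const char *account);
static const pw_filter filters[] = { builtin_complexity, no_banned_word };
bool password_accepted(const char *pw, const char *account) {
    for (size_t i = 0; i < sizeof filters / sizeof filters[0]; i++)
        if (!filters[i](pw, account)) return false;
    return true;
}
```

Turning the built-in flag off shows the replace case: a weak password then survives as long as the custom filter alone is satisfied, which is exactly why the final SDK step should be reversed for a replacement filter.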

It’s worth calling out one other item around password filters: the error message received by clients isn’t configurable. The client always assumes the Windows password filter is in use, and is hard-coded to report the Windows complexity requirements (at least in part because there is no mechanism for a custom filter to explain to the client what the problem is).

(Update 2017-04: There was a feedback link here, but… the behaviour didn’t change for 20 years, so odds are we’ve moved on from passwords. And if you can modernize your environment, perhaps you can too? Hello!) (in all non-glibness, consider an unlock gesture tied to a device a more authentic validation than a shared character string which many folks will surrender for a bar of chocolate…) (OK so that was a cheap 2004 reference, but you have a security awareness program in place, right?)