Archive for the 'Windows' Category
Does Stuxnet herald the end of the digital certificate
This post is Part I of a two-part post investigating the significance of the recent exploit involving the W32.Stuxnet trojan.
Part I – Background of SCADA and the Stuxnet trojan
Part II – Stuxnet and the demise of the digital certificate
On July 17th, Siemens AG warned its customers of a sophisticated virus, since named Stuxnet, targeting its Windows SCADA control software, Simatic WinCC. SCADA, which stands for Supervisory Control and Data Acquisition, is a centralized system used to control and monitor complex production systems that are usually dispersed over a large area. The systems SCADA manages are industrial, manufacturing, production and infrastructure applications such as refining and power generation.
While not commonly known to the general public, SCADA is ubiquitous in industries and organizations that must control extremely large integrated systems such as subways and water works. SCADA accomplishes this using remote terminal units (RTUs), which employ sensors to monitor process metrics and forward that information to the central supervisory unit. In the case of Siemens’ SCADA system, that unit is a Windows PC running the Simatic WinCC program, which provides the visualization, or human-machine interface (HMI); that is, it is the system operator’s primary interface with the SCADA system.
Quest Security Explorer for SharePoint – Invalid Pointer
I found a bug today in Quest Security Explorer 7.0.0 for SharePoint 2007. If you create a document library with a forward slash in the name, the application will prompt for a logon and, after several unsuccessful tries, will return a message box stating “Error: Invalid Pointer.” At this point, you will need to click on the root site and hit F5 to refresh the permissions.
You will also have difficulty if you attempt to back up the permissions of any site that has a document library, or probably any securable object, with a forward slash in the path. The backup will proceed normally until it hits the errant object. It will then ask you for authentication and finally give up the ghost with the error:
“[-2146233088] Exception of type ‘ScriptLogic.Common.SharePointAccess.Node+AuthenticationException’ was thrown.”
So, if you use the Quest product for permissions management, don’t create document libraries whose names contain a forward slash “/”, such as “My Docs/Under Review.”
I’m going to open a ticket with Quest / ScriptLogic later this week. I’ll post any additional info I receive from them.
UPDATE:
Apparently Quest is aware of this issue and has created a tech note in its support database. Its workaround is to remove all forward slashes from document library and list names. However, if you really want the forward slash in your system, you can keep it in the navigation link while removing it from the library name:
- Create your document library using a forward slash.
- Navigate to your document library and open your library’s settings page.
- Select “Title, Description and Navigation.”
- Remove the forward slash from the “Name” field and save. (On this page the “Name” field changes only the library’s title; the URL chosen when the library was created stays as it is.)
- Open your “Site Settings” page and select “Navigation” under the “Look and Feel” section.
- Find your site link and add the slash back into the “Title” field.
- Click “OK” and close the “Navigation” page.
Your document library link will now show the forward slash as before, and Security Explorer will be able to parse the object properly.
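Before running a permissions backup it helps to know exactly which objects Security Explorer will choke on. The PowerShell script below is an added example, not code from the original post or from Quest: it walks a MOSS 2007 site collection and lists every library or list whose title contains a forward slash, plus document libraries whose URL segment contains one. It assumes PowerShell 2.0 on a farm server where the Microsoft.SharePoint assembly is installed, an account with read access to the site collection, and a site URL that is a placeholder.

```powershell
# Added example (not from the original post): find libraries and lists whose title
# or URL contains a forward slash in a MOSS 2007 site collection. The site URL is a
# placeholder. Run on a farm server under an account with rights to the site.
param([string]$SiteUrl = 'http://portal.example.local')

# MOSS 2007 has no SharePoint PowerShell snap-in; load the object model directly.
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.SharePoint')

function Get-SlashedObjects {
    param([string]$Url)
    $site = New-Object Microsoft.SharePoint.SPSite($Url)
    try {
        foreach ($web in $site.AllWebs) {
            try {
                $webPath = $web.ServerRelativeUrl.TrimEnd('/')
                foreach ($list in $web.Lists) {
                    $listUrl = $list.RootFolder.ServerRelativeUrl
                    # Path of the list relative to its web, e.g. "Shared Documents" or
                    # "Lists/Tasks". Generic lists always carry the "Lists/" prefix, so
                    # the URL test is applied to document libraries only; the title
                    # test (the "Name" field on the settings page) applies to everything.
                    $segment   = $listUrl.Substring($webPath.Length).TrimStart('/')
                    $isLibrary = $list.BaseType -eq [Microsoft.SharePoint.SPBaseType]::DocumentLibrary
                    if ($list.Title.Contains('/') -or ($isLibrary -and $segment.Contains('/'))) {
                        New-Object PSObject -Property @{
                            Web   = $web.Url
                            Title = $list.Title
                            Url   = $listUrl
                            Type  = $list.BaseType
                        }
                    }
                }
            } finally { $web.Dispose() }   # SPWeb objects from AllWebs must be disposed
        }
    } finally { $site.Dispose() }
}

Get-SlashedObjects -Url $SiteUrl | Format-Table Web, Type, Title, Url -AutoSize
```

Anything the script prints is a candidate for the rename procedure above; an empty result means the backup should run through.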
Linking to File Shares from SharePoint Document Libraries
Ever wished you could link directly from a SharePoint document library to a file or file share? Here is a code snippet that allows the file:// prefix as well as http:// or https://. It does so by altering the input checking in newlink.aspx, found in your layouts directory.
While you can always use the page viewer web part to accomplish the same thing, this method will allow you to mix SharePoint documents and file server documents in the same library.
This method requires editing one of the layout files in the “…\12\TEMPLATE\LAYOUTS” directory, so make sure you back it up before you begin.
1) Add the content type “Link to a Document” to your document library. If the content type doesn’t exist, simply create it with Document as the parent.
2) Navigate to your “layouts” folder and edit newlink.aspx. Add the following at the end of the script section near the top of the page:
function HasValidUrlPrefix_Override(url)
{
    // Accept only http://, https:// and file:// links (compared case-insensitively).
    var urlLower = url.toLowerCase();
    if (-1 == urlLower.search("^http://") &&
        -1 == urlLower.search("^https://") &&
        -1 == urlLower.search("^file://"))
        return false;
    return true;
}
3) Find each occurrence of the function HasValidUrlPrefix and replace it with HasValidUrlPrefix_Override. It’s in there twice.
4) Save and restart IIS.
Now, in addition to http:// or https:// pages, the override function allows you to link to documents on a file share, using the syntax file://\\fileserver\filename.doc. Bear in mind that a client following such a link opens the UNC path directly and authenticates to that file server with the user’s Windows credentials, so only allow links to servers you control.
If you’d rather have it open a folder instead, create a shortcut to the folder in question and create your link like this: file://\\fileserver\shortcutname.lnk
If you really want to get fancy, you can edit the wss.resx file at: c:\Inetpub\wwwroot\wss\VirtualDirectories\<app name>\App_GlobalResources
Find the entry named ‘<data name="newlink_badurl">’ and change the value to read: <value>Enter a valid document name and URL. Valid URLs must begin with 'http:', 'https:', or 'file:'</value>
Remember to backup your layouts folder and wss.resx file before messing around in there!
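Rolling the edit above out by hand on every front end invites mistakes: a missed call site, a forgotten backup, or the function pasted in twice. The PowerShell script below is an added example, not code from the original post: it backs up newlink.aspx, checks that exactly two HasValidUrlPrefix call sites exist before touching them, inserts the override and refuses to patch a file that already carries it. It assumes the default 12-hive LAYOUTS path. As an addition of this example, the injected function accepts file:// links only in UNC form (file://\\host\share\…) and, when -AllowedFileServers is given, only to those hosts, because a client following a file:// link authenticates over SMB to whatever host the link names. The wss.resx message change is not included.

```powershell
# Added example (not from the original post): apply the newlink.aspx override safely.
# Assumes the default 12-hive LAYOUTS folder; pass -Layouts if your install differs.
param(
    [string]$Layouts = 'C:\Program Files\Common Files\Microsoft Shared\web server extensions\12\TEMPLATE\LAYOUTS',
    [string[]]$AllowedFileServers = @(),   # e.g. 'fileserver', 'fs02.corp.local'; empty = any host
    [switch]$RestartIis
)

$path = Join-Path $Layouts 'newlink.aspx'
if (-not (Test-Path $path)) { throw "newlink.aspx not found at $path" }
$text = [IO.File]::ReadAllText($path)

# Never patch twice: a second run would add a duplicate function definition.
if ($text -match 'HasValidUrlPrefix_Override') { Write-Warning "$path is already patched."; return }

# The post says the call appears exactly twice. Abort on any other count rather than
# guess; a different build of newlink.aspx may need a different edit. The lookbehind
# keeps a definition line ("function HasValidUrlPrefix(") out of the count.
$callRegex = [regex]'(?<!function\s+)\bHasValidUrlPrefix\('
$calls = $callRegex.Matches($text).Count
if ($calls -ne 2) { throw "Expected 2 HasValidUrlPrefix calls, found $calls; inspect the file by hand." }

# Host part of the file:// rule: the allow-list if one was given, otherwise any host.
# Lower-cased to match urlLower; .NET Regex.Escape output is valid in JavaScript too.
if ($AllowedFileServers.Count -gt 0) {
    $hostAlt = ($AllowedFileServers | ForEach-Object { [regex]::Escape($_.ToLower()) }) -join '|'
} else {
    $hostAlt = '[^\\\/]+'
}

# The override itself. Unlike the post's version it accepts file:// only as a UNC
# path (file://\\host\share\...), since the browser opens that path over SMB and
# authenticates the user to the host the link names.
$override = @"
function HasValidUrlPrefix_Override(url)
{
    var urlLower = url.toLowerCase();
    if (urlLower.search("^https?://") != -1) return true;
    return /^file:\/\/\\\\($hostAlt)\\/.test(urlLower);
}
"@

# Insert the function at the end of the first <script> block ("near the top of the
# page" in the post) and repoint the two call sites at it.
$idx = $text.IndexOf('</script>', [StringComparison]::OrdinalIgnoreCase)
if ($idx -lt 0) { throw 'No </script> block found; this is not the page layout the script expects.' }
$patched = $text.Substring(0, $idx) + "`r`n" + $override + "`r`n" + $text.Substring($idx)
$patched = $callRegex.Replace($patched, 'HasValidUrlPrefix_Override(')

# Back up, write, and optionally bounce IIS so the layouts folder is re-read.
$backup = "$path.$(Get-Date -Format yyyyMMddHHmmss).bak"
Copy-Item -Path $path -Destination $backup
[IO.File]::WriteAllText($path, $patched, [Text.Encoding]::UTF8)
Write-Host "Patched $path (backup: $backup)"
if ($RestartIis) { iisreset }
```

Run it once per web front end, for example `.\Patch-NewLink.ps1 -AllowedFileServers 'fileserver' -RestartIis`; the backup name carries a timestamp so repeated attempts never overwrite the original copy.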
SharePoint Designer 2007 is now free
Love it, or hate it, free is always a good thing!
Anyone interested in a free copy of SharePoint Designer can get it here:
SharePoint Kerberos KRB_AP_ERR_MODIFIED Event ID 4
Recently I experienced some unusual Kerberos authentication issues with one of our SharePoint farms. Users accessing the farm using the Kerberos protocol would receive repeated logon dialog boxes from the front-end server. The prompts would continue even though the user was entering the proper credentials. These repeated logon attempts wouldn’t lock out the user account, which indicated that the logon never got past the front-end server. This behavior affected only those users authenticating to the farm using Kerberos; users authenticating with NTLM had no issues logging in. In addition, the following KRB_AP_ERR_MODIFIED error appeared in the event logs:
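The body of that post is cut off above, so here is the first check worth running when this symptom appears, as an added example that is not taken from the post. KRB_AP_ERR_MODIFIED means the front end could not decrypt the service ticket the client presented; in practice that nearly always means the HTTP/<host> SPN is registered on an account other than the application pool identity, or on more than one account, so the KDC encrypted the ticket with a key the web application does not hold. The script needs only System.DirectoryServices (no Active Directory module, which servers of this era lack) and a domain-joined machine; the host names and the expected account are placeholders.

```powershell
# Added example (not from the original post): report which AD accounts hold the
# HTTP SPNs for a SharePoint front end, and whether they are the account you expect.
# Host names and the expected owner are placeholders. Needs only System.DirectoryServices.
function Get-SpnOwners {
    param(
        [string[]]$HostNames,      # e.g. 'portal', 'portal.corp.local' (short name and FQDN)
        [string]$ExpectedOwner     # the web application's app pool identity, e.g. 'svc_sp_apppool'
    )
    foreach ($h in $HostNames) {
        $spn = "HTTP/$h"
        $searcher = New-Object DirectoryServices.DirectorySearcher
        $searcher.Filter = "(servicePrincipalName=$spn)"
        $searcher.PageSize = 1000
        [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
        $owners = @($searcher.FindAll() | ForEach-Object { [string]$_.Properties['samaccountname'][0] })

        # Interpretation is the part that matters for KRB_AP_ERR_MODIFIED:
        if ($owners.Count -eq 0) {
            $status = 'MISSING: no Kerberos ticket can be issued; clients fall back to NTLM'
        } elseif ($owners.Count -gt 1) {
            $status = 'DUPLICATE: the KDC uses one of these keys; if it is not the app pool account, KRB_AP_ERR_MODIFIED'
        } elseif ($ExpectedOwner -and $owners[0] -ne $ExpectedOwner) {
            $status = "WRONG ACCOUNT: ticket is encrypted for $($owners[0]), not $ExpectedOwner"
        } else {
            $status = 'ok'
        }
        New-Object PSObject -Property @{ Spn = $spn; Owners = ($owners -join ', '); Status = $status }
    }
}

# Check both the short name and the FQDN: the browser requests whichever form the URL uses.
Get-SpnOwners -HostNames 'portal', 'portal.corp.local' -ExpectedOwner 'svc_sp_apppool' |
    Format-Table Spn, Owners, Status -AutoSize
```

On Windows Server 2008 and later, setspn -Q HTTP/portal answers the same question for one SPN and setspn -X lists duplicates across the forest; the script adds the comparison against the account the SPN is supposed to be on, which is the case setspn does not flag.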
Troubleshooting Events 10016, 7888, 6482 and 6398 in SharePoint
After installing SharePoint using the least-privilege model, you will undoubtedly find your event logs filled with errors. You will see dozens of 10016, 7888, 6482 and 6398 events, all with the red “X”, but don’t despair: you haven’t done anything wrong. If you have followed SharePoint best practices, the accounts you used for the farm, shared services provider, default content access and application pools are all domain user accounts with no special rights or privileges. When installing MOSS under the least-privilege model, these errors are expected. To eliminate them and finish your install, you need to complete three basic permissioning tasks before calling it a day.
Cloning or Renaming a MOSS web application
Recently I was tasked with creating a training environment for new SharePoint site administrators. Since the trainer wanted to create as realistic an experience as possible, the site needed to closely match the production environment. The training session was scheduled to begin in a couple of days, so I didn’t have much time to come up with a workable solution.
Microsoft SharePoint Updates Released
Microsoft has just released updates to both SharePoint 2007 and Windows SharePoint Services 3.0. The updates address several performance and scalability issues and add new search features such as federated search and a unified search administration dashboard.
Microsoft recommends applying these fixes as soon as possible.
You can find the patches at:
32-bit
Infrastructure Update for Microsoft Office Servers (KB951297)
Infrastructure Update for Windows SharePoint Services 3.0 (KB951695)
64-bit
Infrastructure Update for Microsoft Office Servers (KB951297)
Infrastructure Update for Windows SharePoint Services 3.0 (KB951695)
Ticket expirations as a cause of Kerberos authentication failures
In Eric Eaton’s post, How do I make our SharePoint site stop asking me to login? – Part II, he discusses several issues that prevent pass-through authentication from SharePoint to Active Directory. While browser settings are a common source of authentication problems, in this post, I’d like to discuss an interesting credential issue related to Kerberos ticket expirations.
A Short Explanation of the Double-Hop Issue in SharePoint
The double-hop issue in SharePoint occurs when IIS attempts to pass the user’s NTLM credentials on to a service running on a server that is either not part of the requesting server’s farm or not running directly on the web server. A good example is a web part that requests data from a SQL Server that is not part of the MOSS farm, where that SQL Server requires the credentials of the user making the request. Windows authentication does not allow this second hop with NTLM: the web server never holds a forwardable credential for the user, only the outcome of a challenge-response exchange, and because NTLM authenticates only the client and not the server, the end user would have no way of knowing whether their credentials were passed to a legitimate service. If it were allowed, a web server could collect user credentials and pass them around at will, which would be a very poor security model. Kerberos provides a way around this, because a domain administrator must explicitly trust the web server’s service account for delegation (and, with constrained delegation, only to named back-end services), but it requires more configuration effort.
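How the Kerberos fix is configured decides whether it is actually safer than the credential-forwarding model the post rejects. The following added example, not code from the original post, reads a service account’s delegation settings straight from Active Directory with System.DirectoryServices and classifies them; the account name is a placeholder and the machine must be domain-joined. The bit values and attribute names are the documented Active Directory ones: userAccountControl 0x80000 (TRUSTED_FOR_DELEGATION, unconstrained), 0x1000000 (TRUSTED_TO_AUTH_FOR_DELEGATION, protocol transition) and msDS-AllowedToDelegateTo (the constrained target list).

```powershell
# Added example (not from the original post): classify how an AD service account is
# trusted for delegation. The account name is a placeholder; needs a domain-joined host.
$TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained: forwardable TGT, usable against any service
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition (S4U2Self): no user ticket needed

function Get-DelegationMode {
    param([string]$SamAccountName)   # e.g. 'svc_sp_apppool'
    $searcher = New-Object DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('userAccountControl', 'msDS-AllowedToDelegateTo', 'servicePrincipalName'))
    $r = $searcher.FindOne()
    if ($r -eq $null) { throw "Account '$SamAccountName' not found" }

    # SearchResult property names are lower-cased; absent attributes yield an empty collection.
    $uac     = [int]$r.Properties['useraccountcontrol'][0]
    $targets = @($r.Properties['msds-allowedtodelegateto'] | ForEach-Object { [string]$_ })
    $spns    = @($r.Properties['serviceprincipalname']     | ForEach-Object { [string]$_ })

    if ($uac -band $TRUSTED_FOR_DELEGATION) {
        $mode = 'Unconstrained'
        # This is the "collect credentials and pass them around at will" model from the
        # post, only with Kerberos: the front end receives the user's forwardable TGT and
        # can reach any service as that user. Prefer constrained delegation to the SQL SPN.
        $verdict = 'REVIEW: the web server can impersonate users to any service'
    } elseif ($targets.Count -gt 0) {
        $mode = 'Constrained'
        $verdict = 'ok: delegation limited to ' + ($targets -join ', ')
    } else {
        $mode = 'None'
        $verdict = 'double hop will fail until delegation is configured'
    }
    New-Object PSObject -Property @{
        Account            = $SamAccountName
        Mode               = $mode
        ProtocolTransition = [bool]($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION)
        Spns               = ($spns -join ', ')
        Verdict            = $verdict
    }
}

Get-DelegationMode -SamAccountName 'svc_sp_apppool' | Format-List
```

For the SQL example in the post, the result you want is Mode = Constrained with the SQL Server’s MSSQLSvc SPN as the only target; the app pool account still needs its own HTTP SPN (listed under Spns) or clients never obtain a Kerberos ticket for the site in the first place.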