Last week (Tuesday, March 13, 2012), Microsoft released a security bulletin detailing a fairly severe vulnerability in their Remote Desktop Protocol which is present in all versions of it from Windows XP to Windows Server 2008 R2. At the time there was no functional exploit code in the wild, but the potential risk surrounding this vulnerability was marked as “Critical.” The following is a snippet from their own write-up of the security vulnerability:
“This security update resolves two privately reported vulnerabilities in the Remote Desktop Protocol. The more severe of these vulnerabilities could allow remote code execution if an attacker sends a sequence of specially crafted RDP packets to an affected system. By default, the Remote Desktop Protocol (RDP) is not enabled on any Windows operating system. Systems that do not have RDP enabled are not at risk.”
The bolded text was added by us. Security vulnerabilities with the potential to allow remote code execution are some of the most severe around. This means that given the appropriate sequence of packets, an attacker could do anything from creating their own users to simply shutting the server down, without providing so much as a password. Due to these threats, secure data is a must!
Microsoft released a patch for this vulnerability the same day as the security bulletin, and if your servers are currently configured to perform automatic updates, you are likely in the clear for this particularly nasty hole. However, if you are managing your patches yourself and haven’t gotten around to addressing this one, it would be in your best interest to do so as soon as possible.
At the time the patch was released, no functional exploit code was available. Since then, however, several IT security professionals have been working to develop a proof-of-concept exploit to take advantage of unpatched systems. The demand for this exploit even grew so great that a $1,500 bounty was offered to the first person or team to provide a functional Metasploit security plugin. The amount of buzz around this vulnerability alone should be enough motivation to apply the patches as soon as possible.
A security vulnerability with such potential for damage doesn’t come out very often, but when it does, it’s a pretty big deal. For those of you hosting with INetU, contact support to find out if your server has been patched yet, and if it has not, we can schedule a time to do so immediately. For those of you hosting elsewhere, you too should make an effort to see that your Windows servers are safe from this vulnerability and other security issues.
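One way to check a server yourself, as an added example that is not part of the original post: the script below reports whether Remote Desktop is enabled and whether the bulletin's updates are installed. The function names are hypothetical, and `KB0000000` is a placeholder for the KB identifiers listed in Microsoft's bulletin for your Windows version, which the post does not give.

```powershell
# Added example: exposure triage for the RDP vulnerability described above.
# Run in an elevated PowerShell 2.0+ session on the server being checked.
param(
    # Placeholder, not a real KB id: replace with the update ids from the bulletin.
    [string[]]$PatchKbIds = @('KB0000000')
)

function Test-RdpEnabled {
    # fDenyTSConnections = 0 means Remote Desktop connections are accepted.
    # A Group Policy value, when present, takes precedence over the local one.
    $paths = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services',
             'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    foreach ($p in $paths) {
        $v = (Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).fDenyTSConnections
        if ($v -ne $null) { return ($v -eq 0) }
    }
    return $false   # no value found: treat as the default (RDP disabled)
}

function Get-RdpExposure {
    param(
        [bool]$RdpEnabled,
        [string[]]$InstalledKbIds,
        [string[]]$RequiredKbIds
    )
    # Every required update that is not in the installed list is missing.
    $missing = @($RequiredKbIds | Where-Object { $InstalledKbIds -notcontains $_ })

    if ($missing.Count -eq 0) { $status = 'Patched' }
    elseif ($RdpEnabled)      { $status = 'EXPOSED: RDP enabled, patch missing' }
    else                      { $status = 'Unpatched, RDP currently disabled' }

    New-Object PSObject -Property @{
        Computer   = $env:COMPUTERNAME
        Status     = $status
        RdpEnabled = $RdpEnabled
        MissingKbs = ($missing -join ',')
    }
}

# Collect the facts from the local machine and print the verdict.
$installed = @(Get-HotFix | ForEach-Object { $_.HotFixID })
Get-RdpExposure -RdpEnabled (Test-RdpEnabled) `
                -InstalledKbIds $installed `
                -RequiredKbIds $PatchKbIds
```

A server reported as unpatched with RDP disabled still needs the update, since it becomes exposed the moment Remote Desktop is turned on. If `Get-HotFix` does not list an update you expect, confirm against the system's update history before concluding it is missing.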

As the most used OS today, Windows has great challenges when re-designing their interface. With the new Windows 8 design, there will definitely be a lot to adjust to and may even be a shock for some Windows users. When Microsoft released the latest beta of Windows 8, I was anxious to see – so I took some time and got familiar. I’ll share my experience with you so you know what to expect.
Microsoft is designing one operating system for laptops, desktops, phones and tablets. The new ‘Metro’ design is a big change and risk for Microsoft, similar to the Ribbon interface in Office applications, or the big changes seen with Windows Vista. Some will love it and others will hate it; that’s the nature of change. Here’s what the Metro user interface will look like:

I think overall the Metro interface looks very promising for things like Kinect, Windows Phone and upcoming Windows tablets. Touch screens work very well with the new interface and overall things seem to flow pretty nicely. But it may take some getting used to on your PC.
What everyone seems to be concerned about is the desktop and laptop experience, and the business user. There is no Start button and no easy way to completely turn off the Metro interface. If Windows 8 ends up not supporting a Windows 7 style desktop, there will be a tough learning curve and many businesses may skip Windows 8.
The new OS of course has dozens and dozens of tweaks and improvements. It should run on any system that can support Windows 7, and you can download and test Windows 8 in a VM or on a physical machine now if you like. The OS is going to hook into the cloud more with integration into SkyDrive. You will be able to sign into the computer with your Windows email addresses and there will be a Metro apps ‘App Store’, just like the Apple and Android stores.
Time will tell if the Metro interface ends up being a popular choice and what additional changes Microsoft will make before Windows 8 is released in its final version. Keep your eyes peeled, many say Windows 8 will be released around October 2012!

There are many different certifications out there today, but what do they all really mean?
Are you familiar with SAS 70 or SSAE 16? SAS 70 was originally intended to assess financial practices, not necessarily data center operations. In June 2011, SAS 70 was replaced by the Statement of Standards for Attestation Engagements, also called SSAE 16. The main difference is that the SSAE 16 reporting methodology requires the organization’s leadership to sign an “Attestation” verifying the existence and effectiveness of the organization’s financial practices. INetU has SSAE 16 Type II, and ISAE 3402 is the international equivalent.
In addition to SSAE 16, there are some new players in the game. Three reports have been established, titled Service Organization Control (SOC) reports. While SOC 1’s primary concern is still the financial practices and it is equivalent to SSAE 16, SOC 2 came around as a game changer!
SOC 2 measures and reports on a service organization’s controls. Finally, an audit designed around specific requirements of data center operations, such as security. SOC 2 reports on the organization’s operational controls and can be obtained in one or more of the following categories: Security, Availability, Processing Integrity, Confidentiality, or Privacy. INetU has SOC 2.
So what could be better than SOC 2? Well, SOC 3 of course! SOC 3 is public availability of SOC 2. It is the highest level you can obtain. SOC 3 is a third party certification that verifies SOC 2 was completed and summarizes the contents of that report for public consumption. INetU has SOC 3.
Seeing new certifications come out into the technology industry is great news for you! It means more proactive steps on keeping your data protected and an additional measure of trust when evaluating a new vendor. If you have any more questions on the different types of certifications, please leave a comment below. I’ll be happy to reply! Cheers!

Here at INetU we are intensely focused on the needs of our customers “before, during and after the sale”. I actually hesitate to use that phrase because it is often viewed as just an empty cliché.
I sincerely hope that the Server Smarts blog gives you helpful information from our team of technical experts. However, I want to depart a little from some more technical topics and be able to give you some great insight today on how the INetU culture, work ethic and commitment to your success really does work for our clients.
Processor Magazine recently wrote about us: you can read it here bit.ly/j9O4Ee – We love it when our clients truly believe they made the right choice with INetU.
We all have tough decisions to make when it comes to selecting vendors. It’s always helpful when making decisions to read 3rd party reviews like this.
It’s really amazing and fulfilling when I hear our corporate philosophy reflected back to us in the words of a happy client. I hope you enjoy the article as much as I did.

With all the recent news about IPv4 exhaustion being covered on the major media outlets, many have questioned IPv6, and what the progress is with it. Well, don’t be too worried. IPv6 is moving along, but not as far as many would have hoped, including me. This doesn’t mean that the internet will be coming to a screeching halt anytime soon due to lack of IP addresses. IPv4 addresses are still available from your Regional Internet Registry (RIR). It’s just that all the IPv4 addresses have been assigned to the respective Regional Internet Registries, and once they are done, they are done. There are sites online that you can visit to show you the current remaining IP space, or you can download an app for your smartphone if you require a more frequent update.