Application Management in the 21st Century

Monday, 19 October 2009

SSMSE 2008 - Messy!

I just may not be smart enough to install SQL Server Management Studio 2008.

Our company (ChangeBase) uses SQL Server 2008 to drive our application compatibility software (AOK). So, when something goes wrong (dare I say it), or we simply need to debug something, I have to install SQL Server Management Studio - which is fine.

Except the fact, that I can't. Really.

I downloaded the installation for SQL Management studio, which can be found here: http://www.microsoft.com/DOWNLOADS/details.aspx?displaylang=en&FamilyID=08e52ac2-1d62-45f6-9a4a-4b76a8564a2b

It's a simple, single executable. How hard can it be? Well, one of the surprises with the SSMSE is that to install it, you actually instantiate the SQL Server main installation routine which looks like this;

Is this the SQL Server Installation start-up dialog? Oh no it isn't. It the Microsoft Program Compatibility Assistant. Quite wisely, my Operating System has detected a potential issue and is trying to direct me to either a later version (which hopefully solves the problem) or a support page for some commiseration. The problem with this dialog box, is that I am (and I have checked) running the latest version of SQL Server 2008 (SP1) and the latest release of SQL Server Management studio. What am I missing?

This problem can be overcome as I choose to simply run the program (for the fifth time) and try install Management Studio Express. So, I now I get a chance to install software, with an installation dialog that looks like this;

I have always struggled with these kind of installations "front-pages" as there is a distinct lack of a "Install" button. Where do you start? OK, I got past this hurdle , and chose the Installation tab, and then was presented with the following "quiet point in my day";

It looks like I should be waiting for something, as the message indicates "Gathering user Settings"... So, I waited a while, nothing happened and my instinctive tendencies overwhelmed my better judgement and I pressed the Install button.

And, I installed the SQL Support files for the fifth (or sixth if you included the initial SQL Express installation) time.

And, here is where everything goes a bit wrong. The next dialog helpfully asks the user if he/she wants to perform a new installation or add to an existing feature. I have installed SQL Express 2008 already - really I have. I mean it - I use the database several times a day - it's there.

Note: There is NO option for installing SQL Server Management Studio

I struggled here: And after several rounds of failure. I tried to un-install SQL Server Express. Tried to find a later version (self-doubt ruins your concentration), I searched the web.

In desperation, I tried the following ;

Yes, I tried to install a new instance of SQL Express 2008 using the installation media for SQL Server Management Studio. After progressing through the SQL Server EULA, I was finally rewarded with the following;

Now, I had the option to install the Management Tools (Basic, of course). The installation then went smoothly .... Or, so it appeared initially. As a result of my aberrant behaviour, I had to re-attach all of my databases back to my initial instance of SQL Server Express.

That said, I can now run SQL Server Management Studio 2008.

Remember, SQL Server Management studio 2005? A single EXE, it installed. It worked. Yes??

Friday, 16 October 2009

Microsoft Azure: Not quite ready for prime time

I am fortunate enough to be working with the Microsoft Azure team and have had an opportunity to play with Microsoft's "Cloud" database offering; Azure.

Setting up, or more accurately getting access to my Azure database was simple.

I was able to access my account via my Microsoft Live ID, and create a new database with a very simple (but as we will soon see, a very limited interface) web based interface.

I have included a snap-shot of the default Azure databases;

One thing that is vitally, SUPER important. You need to select the Firewall Settings Tab and allow your IP address. Or, you will not be able to connect. Helpfully, the error dialog advises your of your IP address (that Azure sees) so you can add the correct IP address range.

I am not quite ready to publish some of our performance ratings. To be fair to Microsoft Azure is still in CTP mode (Community Technology Preview) and we could not get our diagnostic tools loaded. Which leads me onto my next point. Azure is at this stage, kind of interesting, but we are a long way from getting a USEFUL Azure-based product working.

For example, there are some pretty hefty limitations to Azure. For example, even in the humble database creation command (our natural starting point), we found the following limitations documented in the online Azure documentation;

SQL Azure does not support the following arguments and options when using the CREATE DATABASE statement:

Parameters related to the physical placement of file, such as and

COLLATE on a user database
External access options, such as DB_CHAINING and TRUSTWORTHY
Attaching a database
Service broker options, such as ENABLE_BROKER, NEW_BROKER, and ERROR_BROKER_CONVERSATIONS
Database snapshot

So, we could not set the collation on our newly minted Azure database, and so NOTHING from our development team will work. This kinda sucks. Hopefully, soon we will be able have more control over the database creation process (ALTER and UPDATE too please) and then we can give Azure a proper test.

Thursday, 15 October 2009

App-V Versus Altiris SVS

I was asked today to comment on the differences between Microsoft's App-V and Altiris' SVS virtualization solutions. I thought, aha! A blog posting for Thursday! Here are my initial thoughts. Note, I have heavily referenced a report published by PQR and so have included a reference to their more complete evaluations of currently available virtualization products on the market.

Altiris SVS leverages two technologies to deliver virtualized application environments to the user:

Virtual distribution—streaming allows the user to acquire applications from any endpoint, while minimizing bandwidth requirements and optimizing license consumption.
Virtual execution—layering applications on disk ensures that each application includes all of its appropriate resources, eliminates conflicts with other applications and the base operating system, and enables instant repair.
Rule based application and licensing management

Microsoft’s App-V environment provides a virtualization platform that delivers;

Application virtualization: Enable applications to be deployed an run without the need to visit a desktop, laptop, or terminal server.
Applications are no longer installed on the client—and there is minimal impact on the host operating system or other applications.
Dynamic streaming delivery: Applications are delivered, on demand, to laptops, desktops, and terminal servers. In some cases a small portion of the application is downloaded to the client in order to launch the application.
Centralized, policy-based management (AD): Virtual Application deployments, patches, updates, and terminations are more easily managed via policies, and administered through the App-V console or via your ESD system.

A comparison between the two Virtualization Technologies (for my boss) would include;

App-V is the most complete, best managed virtualization system on the market today
SVS offers a local execution, layered virtualization technology that App-V does not
App-V is fully integrated into Microsoft Active Directory management platform
SVS experiences technical challenges when dealing when dealing with middleware (i.e. JAVA)
App-V experiences difficulty with IE6 and some .NET packages.
App-V sequencing and SVS capture technologies are both relatively immature

For the full report, look here: http://www.virtuall.nl/download-document/application-virtualization-solutions-overview-and-feature-compare-matrix

Wednesday, 14 October 2009

Microsoft Security Updates for October: The Results...

The big story with the October 2009 Patch Tuesday Security Update from Microsoft is the sheer size (both breadth and depth) of the update. This is the largest update in the history of patch Tuesday.

Thirteen updates this month, with eight updates rated critical and the other five updates rated as Important.

The good news is that despite what one might think the impact on application compatibility is not huge across all the patches.

Based on the results of our application compatibility lab (c. 1000 sample packages), twelve of the 13 patches have very limited impact on applications. The one patch with issues is MS09-061 (Vulnerabilities in GDI+ Could Allow Remote Code Execution Which affects c. 13% of a sample application portfolio. We would recommend technical teams focus their testing on this patch.

We have included a brief snap-shot of some of the results from our AOK Software that demonstrates some of the potential impacts on Microsoft Office deployments with the following picture.

Testing Summary

MS09-050 : : Marginal impact and negligible testing profile.
MS09-051 : : Marginal impact and negligible testing profile.
MS09-052 : : Marginal impact and negligible testing profile.
MS09-053 : : Marginal impact and negligible testing profile.
MS09-054 : : Marginal impact and negligible testing profile.
MS09-055 : : Marginal impact and negligible testing profile.
MS09-056 : : Marginal impact and negligible testing profile.
MS09-057 : : Marginal impact and negligible testing profile.
MS09-058 : : Marginal impact and negligible testing profile.
MS09-059 : : Marginal impact and negligible testing profile.
MS09-060 : : Marginal impact and negligible testing profile.
MS09-061 : : Marginal impact and negligible testing profile.
MS09-062 : : Strong potential impact and large testing profile.

Patch Name	Total Issues	Matches Affected	Reboot	Rating
Microsoft Security Bulletin MS09-050	<1%	<1%	YES	Critical
Microsoft Security Bulletin MS09-051	<1%	<1%	YES	Critical
Microsoft Security Bulletin MS09-052	<1%	<1%	YES	Critical
Microsoft Security Bulletin MS09-053	<1%	<1%	YES	Critical
Microsoft Security Bulletin MS09-054	1%	1%	YES	Critical
Microsoft Security Bulletin MS09-055	<1%	<1%	YES	Critical
Microsoft Security Bulletin MS09-056	<1%	<1%	YES	Critical
Microsoft Security Bulletin MS09-057	<1%	<1%	YES	Critical
Microsoft Security Bulletin MS09-058	<1%	<1%	YES	Critical
Microsoft Security Bulletin MS09-059	<1%	<1%	YES	Critical
Microsoft Security Bulletin MS09-060	1%	1%	YES	Critical
Microsoft Security Bulletin MS09-061	1%	1%	YES	Critical
Microsoft Security Bulletin MS09-062	11%	<1%	YES	Critical

Legend:

	No Issues Detected
	Potentially fixable application Impact
	Serious Compatibility Issue

Security Update Detailed Summary

MS09-050	Vulnerabilities in SMBv2 Could Allow Remote Code Execution (975517)
Description	This security update resolves one publicly disclosed and two privately reported vulnerabilities in Server Message Block Version 2 (SMBv2). The most severe of the vulnerabilities could allow remote code execution if an attacker sent a specially crafted SMB packet to a computer running the Server service. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate from outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.
Payload	Srv2.sys
Impact	Critical – Remote Code Execution

MS09-051	Vulnerabilities in Windows Media Runtime Could Allow Remote Code Execution (975682)
Description	This security update resolves two privately reported vulnerabilities in Windows Media Runtime. The vulnerabilities could allow remote code execution if a user opened a specially crafted media file or received specially crafted streaming content from a Web site or any application that delivers Web content. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Payload	wmavds32.ax, wmspdmod.dll, msaud32.acm
Impact	Critical – Remote Code Execution

MS09-052	Vulnerability in Windows Media Player Could Allow Remote Code Execution (974112)
Description	This security update resolves a privately reported vulnerability in Windows Media Player. The vulnerability could allow remote code execution if a specially crafted ASF file is played using Windows Media Player 6.4. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Payload	strmdll.dll
Impact	Critical – Remote Code Execution

MS09-053	Vulnerabilities in FTP Service for Internet Information Services Could Allow Remote Code Execution (975254)
Description	This security update resolves two publicly disclosed vulnerabilities in the FTP Service in Microsoft Internet Information Services (IIS) 5.0, Microsoft Internet Information Services (IIS) 5.1, Microsoft Internet Information Services (IIS) 6.0, and Microsoft Internet Information Services (IIS) 7.0. On IIS 7.0, only FTP Service 6.0 is affected. The vulnerabilities could allow remote code execution (RCE) on systems running FTP Service on IIS 5.0, or denial of service (DoS) on systems running FTP Service on IIS 5.0, IIS 5.1, IIS 6.0 or IIS 7.0.
Payload	ftpsvc2.dll
Impact	Important

MS09-054	Cumulative Security Update for Internet Explorer (974455)
Description	This security update resolves three privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer. The vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Payload	Iecustom.dll, Browseui.dll, Cdfview.dll, Danim.dll, Dxtmsft.dll, Dxtrans.dll, Iepeers.dll, Inseng.dll, Jsproxy.dll, Mshtml.dll, Msrating.dll, Mstime.dll, Pngfilt.dll, Shdocvw.dll, Shlwapi.dll, Urlmon.dll, Wininet.dll, Browseui.dll, Cdfview.dll, Danim.dll, Dxtmsft.dll, Dxtrans.dll, Iepeers.dll, Inseng.dll, Jsproxy.dll, Mshtml.dll, Msrating.dll, Mstime.dll, Pngfilt.dll, Shdocvw.dll, Shlwapi.dll, Urlmon.dll, Wininet.dll, Iecustom.dll
Impact	Critical – Remote Code Execution

MS09-055	Cumulative Security Update of ActiveX Kill Bits (973525)
Description	This security update addresses a privately reported vulnerability that is common to multiple ActiveX controls and is currently being exploited. The vulnerability that affects ActiveX controls that were compiled using the vulnerable version of the Microsoft Active Template Library (ATL) could allow remote code execution if a user views a specially crafted Web page with Internet Explorer, instantiating the ActiveX control. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Payload	No Files – Registry Settings Only
Impact	Critical – Remote Code Execution

MS09-056	Vulnerabilities in Windows CryptoAPI Could Allow Spoofing (974571)
Description	This security update resolves two publicly disclosed vulnerabilities in Microsoft Windows. The vulnerabilities could allow spoofing if an attacker gains access to the certificate used by the end user for authentication.
Payload	msasn1.dll
Impact	Important

MS09-057	Vulnerability in Indexing Service Could Allow Remote Code Execution (969059)
Description	This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker set up a malicious Web page that invokes the Indexing Service through a call to its ActiveX component. This call could include a malicious URL and exploit the vulnerability, granting the attacker access to the client system with the privileges of the user browsing the Web page. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Payload	query.dll
Impact	Important

MS09-058	Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (971486)
Description	This security update resolves several privately reported vulnerabilities in the Windows kernel. The most severe of the vulnerabilities could allow elevation of privilege if an attacker logged on to the system and ran a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit any of these vulnerabilities. The vulnerabilities could not be exploited remotely or by anonymous users.
Payload	ntkrnlmp.exe, ntkrnlpa.exe, ntkrpamp.exe, ntoskrnl.exe, ntkrnlmp.exe, ntkrnlpa.exe, ntkrpamp.exe, ntoskrnl.exe, ntkrnlmp.exe, ntkrnlpa.exe, ntkrpamp.exe, ntoskrnl.exe, ntkrnlmp.exe, ntkrnlpa.exe, ntkrpamp.exe, ntoskrnl.exe
Impact	Important

MS09-059	Vulnerability in Local Security Authority Subsystem Service Could Allow Denial of Service (975467)
Description	This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow denial of service if an attacker sent a maliciously crafted packet during the NTLM authentication process.
Payload	Msv10.dll, Netlogon.dll
Impact	Important

MS09-060	Vulnerabilities in Microsoft Active Template Library (ATL) ActiveX Controls for Microsoft Office Could Allow Remote Code Execution (973965)
Description	This security update resolves several privately reported vulnerabilities in ActiveX Controls for Microsoft that were compiled with a vulnerable version of Microsoft Active Template Library (ATL). The vulnerabilities could allow remote code execution if a user loaded a specially crafted component or control. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Payload	Cnfnot32.exe, Contab32.dll, Dlgsetp.dll, Dumpster.dll, Emablt32.dll, Emsmdb32.dll, Envelope.dll, Exsec32.dll, Impmail.dll, Mimedir.dll, Mlcfg32.cpl, Mlshext.dll, Mspst32.dll, Oladd.fae, Olappt.fae, Oljrnl.fae, Olkfstub.dll, Olmail.fae, Olmapi32.dll, Olnote.fae, Oltask.fae, Omsmain.dll, Omsxp32.dll, Outlctl.dll, Outlmime.dll, Outlook.exe, Outlph.dll, Outlrpc.dll, Outlvba.dll, Outlvbs.dll, Pstprx32.dll, Recall.dll, Rm.dll, Rtfhtml.dll, Scanost.exe, Scanpst.exe, Scnpst32.dll, Scnpst64.dll
Impact	Critical – Remote Code Execution

MS09-061	Vulnerabilities in the Microsoft .NET Common Language Runtime Could Allow Remote Code Execution (974378)
Description	This security update resolves three privately reported vulnerabilities in Microsoft .NET Framework and Microsoft Silverlight. The vulnerabilities could allow remote code execution on a client system if a user views a specially crafted Web page using a Web browser that can run XAML Browser Applications (XBAPs) or Silverlight applications, or if an attacker succeeds in persuading a user to run a specially crafted Microsoft .NET application. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The vulnerabilities could also allow remote code execution on a server system running IIS, if that server allows processing ASP.NET pages and an attacker succeeds in uploading a specially crafted ASP.NET page to that server and executing it, as could be the case in a Web hosting scenario. Microsoft .NET applications, Silverlight applications, XBAPs and ASP.NET pages that are not malicious are not at risk of being compromised because of this vulnerability.
Payload	mscordacwks.dll, mscorlib.dll, SOS.dll, mscorwks.dll
Impact	Critical – Remote Code Execution

MS09-062	Vulnerabilities in GDI+ Could Allow Remote Code Execution (957488)
Description	This security update resolves several privately reported vulnerabilities in Microsoft Windows GDI+. These vulnerabilities could allow remote code execution if a user viewed a specially crafted image file using affected software or browsed a Web site that contains specially crafted content. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Payload	gdiplus.dll
Impact	Critical – Remote Code Execution

Tuesday, 13 October 2009

Microsoft Security Updates for October: Monster!

Well, it looks like quite a few release and testing engineers are going to busy over the next few weeks. Microsoft has just released information for this month (October 2009) for 13 updates. An absolute MONSTER of a Security update.

This is a record release, with the next worst (or biggest, depending on your viewpoint) with a release of 12 updates.

With the October Security update, there are eight Critical updates, and 5 bulletins rated as Important. From the summary information, it appears that six update will definitely require a machine reboot (Restart in MS parlance). Generally, what we see is that most updates to the Windows Operating System require a restart. It remains to confirmed by our analysis this evening, but my bet is either all of the updates will require a restart or all but one (the MS Office update may not require a reboot ) may require a machine restart.

The advance security briefing documentation can be found here: http://www.microsoft.com/technet/security/Bulletin/MS09-oct.mspx

ChangeBase will conduct a review of 2000 application packages and will publish a report on the potential impact of these security updates tomorrow. Our approach includes a Red, Amber, Green appraisal of how the security "payload" (the changes and files affected by the security update) affects each package and their Operating System level dependencies.

Watch this space!