Monday, October 2, 2006

How to Reverse Engineer a Database with Microsoft Visio

What do we study in Information Systems Grad School? If there's a single topic that comes up in every class, it's databases. If we haven't memorized the first three normal forms by now, we haven't learned much. While few of us will bother going into Boyce-Codd Normal Form, 4NF and 5NF, every specification for a system we write that has a database needs an entity relationship diagram. An ERD is a visual representation of your data model, and your data model is probably the single most important part of any system you design. A good data model will survive several major versions of your software; a poor data model will make your system useless. Thus, we spend a lot of time doing data models and documenting them with ERDs.

As much as I love Visio, drawing the things from scratch is somewhat tedious. It's much easier to design and test in Access. (I have it on good authority that even elite Oracle DBAs who hand-tune Solaris for better performance will design and test in Access just because it's easy.) So what do you do when you have a decent test DB in Access and you don't want to diagram every little change in your masterful Visio ERD? Reverse engineer.

In Visio, it's fairly easy, but there are a couple of spots where it doesn't behave as nicely as it should. I'm going to refer to Visio 2007, still in Beta and free for the download and registration. Visio 2003 is almost the same. Visio 2003 Enterprise Architect Edition will create the database from your diagram, in case you can design an enterprise DB but don't know how to create the tables in SQL. (Not really someone you'd want touching your SQL server.)

1. Open Visio and select New | Software & Database | Database Model Diagram with the units of your choice.
2. Now that you have a database model diagram open, the Database menu will appear. Select "Reverse Engineer" from the Database menu.
3. A confusing dialog box will appear. Use it to verify you have the right drivers installed.
4. For Microsoft Access, choose Microsoft Access as your driver, and hit Next.
5. A username and password dialog box will pop up. Unless you've assigned a username and pw to the database, leave it blank and hit OK.
6. Navigate your filesystem and select your database. Ignore the clunkiness and be grateful that you can see filenames longer than 8.3.
7. When you have found your .MDB file, choose it and hit OK.
8. Select the types of objects you would like to import and hit Next. (No, you don't get stored procedures and triggers in Access, but you would in SQL.)
9. Select the specific tables, queries, etc. you want to see in your diagram and hit Next.
10. Select Yes to add them to your current diagram, and hit Finish. (Select No if you have a lot of tables, queries, etc.)
11. You should see your tables in the diagram.
12. To add the crow's feet and cardinality, select Options on the Database menu (Database | Options | Document).
13. You get three sections to change here. The General tab covers symbol sets: IDEF1X or Relational; Conceptual names, Physical names, both, or names based on the symbol set. The Table tab lets you display keys, indexes, non-keys, and the IDEF1X optionality 0. The Relationship tab lets you display relationships (duh), crow's feet, cardinality, and referential actions. You must select cardinality before you select crow's feet (cardinality gets greyed out when crow's feet is checked).
14. To update your diagram, select "Refresh Model" on the Database menu...

Now that you can see your information model, you know why it's messed up. That database that your business/organization/department runs on -- it's not in any kind of normal form. Or it has about 100 tables more than you thought it should.

The database people in my office have a debate: were the software engineers just trying to make it impossible to wean your organization off of their support, or were they just bad at information modeling?

Friday, September 22, 2006

Visit my new Educational Technologies Blog

Given that I have a new job in education, I started doing a few entries about recent developments in education and technology. I use the framework of educational technology to answer President Bush's question, "Is our children learning?"

At least it explains the dearth of recent posts here.

Thursday, September 14, 2006

Threat Analysis and Modeling Tool, Office Groove Beta

Just when I thought I would stop experimenting with new Microsoft products and hunker down into my new job and my capstone project, I find a couple that will save me time and aggravation: Microsoft's Threat Analysis and Modeling Tool. This .Net 2.0 application has a wizard to create a CRUD matrix for us, which we can paste into our system security chapter. A CRUD matrix is simply a table of which users need what kind of access (Create, Read, Update, Delete) to which tables. It can get more complex if you have column-level security in your database. We don't, so it won't be overly detailed.
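As an added illustration (not part of the original post or of Microsoft's tool), the Python below takes a small constructed CRUD matrix of the kind the wizard produces and turns it into least-privilege GRANT statements, one per role and table, plus a review step that lists every role holding DELETE. Role and table names are made up.

```python
# Constructed CRUD matrix: role -> table -> subset of the letters "CRUD".
# (Hypothetical roles and tables; the layout is what a CRUD matrix looks like.)
CRUD_MATRIX = {
    "gate_clerk": {"attendance": "C", "promotion": "R"},
    "analyst":    {"attendance": "R", "promotion": "R", "zip": "R"},
    "marketing":  {"promotion": "CRUD", "zip": "R"},
}

# Each CRUD letter maps to exactly one SQL privilege.
CRUD_TO_PRIVILEGE = {"C": "INSERT", "R": "SELECT", "U": "UPDATE", "D": "DELETE"}


def grants_from_crud(matrix):
    """Emit one GRANT per (role, table) carrying exactly the privileges the
    matrix lists and nothing more. An unknown letter raises, so a typo in the
    matrix cannot silently widen access."""
    statements = []
    for role, tables in sorted(matrix.items()):
        for table, ops in sorted(tables.items()):
            privs = []
            for op in ops.upper():
                if op not in CRUD_TO_PRIVILEGE:
                    raise ValueError(f"unknown CRUD letter {op!r} for {role}/{table}")
                privs.append(CRUD_TO_PRIVILEGE[op])
            statements.append(f"GRANT {', '.join(privs)} ON {table} TO {role};")
    return statements


def matrix_to_table(matrix):
    """Render the matrix as the plain-text table you would paste into a
    security chapter: one row per role, one column per table, '-' for no access."""
    tables = sorted({t for ops in matrix.values() for t in ops})
    lines = ["role".ljust(12) + "".join(t.ljust(12) for t in tables)]
    for role, ops in sorted(matrix.items()):
        lines.append(role.ljust(12) + "".join(ops.get(t, "-").ljust(12) for t in tables))
    return "\n".join(lines)


def check_least_privilege(matrix, forbidden=("D",)):
    """Review step: list every (role, table) that holds one of the forbidden
    CRUD letters (DELETE by default), so each one gets a deliberate sign-off."""
    return sorted(
        (role, table)
        for role, tables in matrix.items()
        for table, ops in tables.items()
        if any(letter in ops.upper() for letter in forbidden)
    )


if __name__ == "__main__":
    print(matrix_to_table(CRUD_MATRIX))
    print()
    print("\n".join(grants_from_crud(CRUD_MATRIX)))
    print("\nroles holding DELETE:", check_least_privilege(CRUD_MATRIX))
```

The point of generating the grants from the matrix rather than by hand is that the document you hand the reviewers and the privileges actually applied come from the same source.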

The other tool that can save me time, and possibly my group members, is Microsoft's Office Groove 2007 Beta. Like many cool Microsoft products, Groove did not originate at Microsoft. Most people I talk to about Groove don't really get what it does, but I blame that more on bad IT and IS metaphors than anything else. Groove is simply a shared workspace where a team can share documents, discussions, and contacts. When you set up Groove, you can set up one or more shared workspaces. You then add specific files to that workspace. Then all your invited and verified team members can access those documents whether you are online or off. No more uploading to Sharepoint or Blackboard, or whatever. You've got anywhere, anytime sharing, provided you have an Internet connection. I have it on my work computer and my home computer and share documents between them without having to email them back and forth. So far, I have no firewall issues either.

What if you want to secure your data and not have it stored on third-party servers? Use Groove Server, and give more money to Microsoft. Before the Office 2007 launch, both Groove and Groove Server are free for the download; registration and product keys are required. Try it and at least you'll know what people are talking about. The next big thing is enabling teamwork and collaboration and making the world "flat."

Friday, August 4, 2006

Services for Unix in Six Easy Steps

After tiring of redoing samba.conf files over and over again, I finally tried out Microsoft's (free) Services for Unix for simple file sharing between my Fedora Core 4 box and servers on my domain.

1. Copy over /etc/passwd and /etc/group to a secure folder on the windows machine where you are going to install SfU.
2. Download and install Microsoft's Services for Unix, and tell it to use password files during the installation process. (This is not a lesson on setting up a NIS domain -- just connecting one Linux box to your Windows server quickly and reliably. SfU installs several other items by default, like Unix Perl and grep; ActiveState Perl is optional. You want NFS Server.) Reboot.
3. In Windows, right click on the folder you'd like to share, click the NFS Sharing tab, and select "share this folder."
4. On your linux box, as root, add a line like this to /etc/fstab:
myserver.com:/somefolder /somefolder nfs defaults 0 0
5. On Linux, mount /somefolder
6. cd /somefolder and ls -la to your heart's content.

There are many security implications for Windows and Linux, like sharing your password and group files, and I'll sniff and try cracking the passwords later.

Thursday, August 3, 2006

Business Intelligence Studio: A Wizard for your Data Mart

My grad school project group finished our data mart for class. I learned a few things about SQL Server 2005 Analysis Services, Reporting Services, and Business Intelligence Studio along the way. One of our group members is a SAS programmer, so he provided us with simulated data: attendance records for a theoretical amusement park that included zip code and promotion type, with zip-code ACORN differences. Our idea was that if you came to the park with a coupon, we would know from the bar code where you came from; if you didn't have a coupon, the gate would ask you your zip code, just like at the retail store.

We had six million rows in our fact table, which included dateID, promotionID, zipID, and attendance, giving us three dimensions. We were going more for scalability rather than trying to pile in a lot of dimensions. I took the flat files from our SAS master and imported them into a SQL 2005 database. For some reason, SQL 2005's import tool defaults to a nvarchar(50) type. While six million records isn't much, the records were fixed-size and much smaller, so I was able to stuff them in an nchar type that was small and efficient because it doesn't require an offset column array. Our six million fact table records matched to 5 types of promotion, about 10,000 zip codes, and individual days for 3 years.

Once we created the database, I exited SQL Server Management Studio and opened up a new Business Intelligence Studio project. One difference between Management Studio and BI Studio is that BI Studio does not use SQL authentication. You must use Windows/Domain accounts. There is no sa in Business Intelligence Studio.

Once in BI Studio, you create a data source, just like with any project that involves a database. Then you create a data source view by selecting the tables you want to use and creating a dimensional model diagram. Microsoft calls this their Unified Dimensional Model. While your fact table doesn't need a primary key, your dimension tables do. The arrows should be pointing from your fact table to the dimension tables. I don't know why, but I often get this wrong when I'm creating a new data source view.

Finally, your fact table columns need to reference the right dimensions. Matching these up took a little longer than expected because I had to guess which fields were what, because our SAS genius didn't document which numbers were what. I looked at the 8-digit numbers and guessed wrong. The auto-build cube wizard worked fine, and the dimensions looked OK. Processing the cube failed when it timed out, and the error messages didn't say anything about orphaned fact rows.

Once the columns were matched up correctly, everything worked fine, and the auto-build cube wizard is pretty impressive. If you did everything right, building the cube should give you dimensions. You can create new dimensions if the wizard missed some. The time dimension has many options. At first I set time to be a regular dimension to avoid problems: is day of week a number or a name? Monday or 1? While this will give you good reports, the order of weekdays and months will be alphabetical. (Which makes me think we should rename all month and day names so they can be alphabetical and still be in order, or re-sort them so that April is the first month and Friday the first day of the week.) Setting the time dimension as a time dimension rather than a "standard" dimension will fix this.

Processing the cube took under five minutes. (You also need appropriate account permissions to process the cube.) If the cube processes successfully, you can browse pivots immediately with the browser in BI Studio. Once you see that your dimensions work, you can start connecting to SQL Server Analysis Services from Excel or from SS Report Server. (Again, with appropriate Windows Domain accounts.)

Microsoft's BI Studio Cube and Dimension wizards work the way they should: if you have defined your dimensional model accurately and your data are valid, they'll create the right dimensions for you. The wizards are no substitute for a valid dimensional model and they can't fix bad data or orphaned records.
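The orphaned fact rows that made cube processing fail are easy to find before you build the cube. Below is an added example (not from the post or from BI Studio) using SQLite in Python's standard library as a stand-in for SQL Server 2005: a constructed three-dimension star schema like the one described above (dimensions with primary keys, a fact table without one), a LEFT JOIN check that counts fact rows with no matching dimension row, and the same schema with foreign keys enforced so the orphan is rejected at load time instead. Table names, keys and rows are made up.

```python
import sqlite3

# Constructed star schema: three dimensions with primary keys, one fact table
# whose only keys are references to the dimensions (no primary key of its own).
SCHEMA = """
CREATE TABLE dim_date      (dateID INTEGER PRIMARY KEY, calendar_date TEXT NOT NULL);
CREATE TABLE dim_promotion (promotionID INTEGER PRIMARY KEY, promo_name TEXT NOT NULL);
CREATE TABLE dim_zip       (zipID INTEGER PRIMARY KEY, zip_code TEXT NOT NULL);
CREATE TABLE fact_attendance (
    dateID      INTEGER NOT NULL REFERENCES dim_date(dateID),
    promotionID INTEGER NOT NULL REFERENCES dim_promotion(promotionID),
    zipID       INTEGER NOT NULL REFERENCES dim_zip(zipID),
    attendance  INTEGER NOT NULL
);
"""

# fact column -> (dimension table, dimension key column)
DIMENSIONS = {
    "dateID": ("dim_date", "dateID"),
    "promotionID": ("dim_promotion", "promotionID"),
    "zipID": ("dim_zip", "zipID"),
}

# Constructed fact rows; the last one references zipID 99, which no dimension row has.
SAMPLE_FACTS = [
    (20060701, 1, 1, 120),
    (20060701, 2, 2, 35),
    (20060702, 2, 1, 50),
    (20060702, 1, 99, 7),   # orphaned fact row
]


def build_sample_mart(enforce_fk=False):
    """Create the schema and dimension rows in an in-memory SQLite database.
    SQLite only checks REFERENCES clauses when foreign_keys is switched on."""
    con = sqlite3.connect(":memory:")
    if enforce_fk:
        con.execute("PRAGMA foreign_keys = ON")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO dim_date VALUES (?, ?)",
                    [(20060701, "2006-07-01"), (20060702, "2006-07-02")])
    con.executemany("INSERT INTO dim_promotion VALUES (?, ?)",
                    [(1, "none"), (2, "newspaper coupon")])
    con.executemany("INSERT INTO dim_zip VALUES (?, ?)", [(1, "20001"), (2, "22201")])
    con.commit()
    return con


def load_facts(con, rows):
    """Insert fact rows one at a time; return how many the database rejected
    (only non-zero when foreign keys are enforced)."""
    rejected = 0
    for row in rows:
        try:
            con.execute("INSERT INTO fact_attendance VALUES (?, ?, ?, ?)", row)
        except sqlite3.IntegrityError:
            rejected += 1
    con.commit()
    return rejected


def find_orphans(con):
    """For each dimension, count fact rows whose key matches no dimension row.
    Run this before processing the cube; a non-zero count is the real cause
    behind an otherwise unhelpful processing error."""
    result = {}
    for col, (dim, key) in DIMENSIONS.items():
        sql = (f"SELECT COUNT(*) FROM fact_attendance f "
               f"LEFT JOIN {dim} d ON f.{col} = d.{key} WHERE d.{key} IS NULL")
        result[col] = con.execute(sql).fetchone()[0]
    return result


if __name__ == "__main__":
    con = build_sample_mart()
    load_facts(con, SAMPLE_FACTS)
    print("orphans without FK enforcement:", find_orphans(con))
    con = build_sample_mart(enforce_fk=True)
    print("rows rejected with FK enforcement:", load_facts(con, SAMPLE_FACTS))
    print("orphans with FK enforcement:", find_orphans(con))
```

Declaring the foreign keys on the fact table (the second run) is what the dimensional model diagram's arrows from fact to dimension stand for; the LEFT JOIN check is the fallback when the fact table was bulk-loaded from flat files without them.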

Next: Creating Pivot Table Reports using our cube and SQL Server Reporting Services for IIS.

Thursday, July 20, 2006

Google vs. the National Security Agency

Apparently, watching Google is now as much sport as watching the NSA, according to the latest in Baseline Magazine. Discovering the way Google solves data-related problems may be more interesting because Google, unlike the NSA, is not encumbered by government contracting procedures and regulations.

Think about it: you can search the web with Google and find files faster than you can when you're looking for files on your own computer using Windows Search. To learn why it takes longer to search a hard disk on your own *#$% computer than the web, read the Baseline story.

The National Security Agency and Google are in the same business, essentially: take a firehose spitting out information and sort it into something useful. Both the NSA and Google keep their collective mouths shut about sources and methods. The NSA has been slightly better about keeping purchases of high bandwidth out of the news, but only because they have an organizational advantage of operating outside the traditional business community (assuming Watkins-Johnson is not a normal business).

The Baseline story estimates the number of Google servers at somewhere around 450,000, but you should think of them as a much smaller number of MPP supercomputers. Google initially had trouble because most data centers couldn't deliver enough watts per square foot to power dense server blade environments, so they turned to AMD processors. That's a process of scaling up computing power, and I wonder how the NSA solved the same problem, although I assume they just pumped in more watts for processors and cooling. Those of you familiar with Microsoft's current file system, NTFS, may know that you can set disk cluster size from 4 kbytes to 64 kbytes. Google's file system has a cluster size of 64 Mbytes. Their files are large, and a large cluster size leads to more efficiency. Google has re-engineered kernel, filesystems, and who knows what else for scalability. Did they re-engineer from the ground up more efficiently than the NSA?

Another facet of the Baseline Google story is the office-in-a-box. As a former IT contractor for political campaigns, I had to figure out the cheapest fastest way to set up a computing infrastructure for a field office in, say, Des Moines, Manchester, or Columbia. (Columbia is the capital of South Carolina, for those of you out of the primary calendar loop.) My setup was fairly simple: router, firewall, server (Domain Controller also running DHCP, DNS, and a Global Catalog, of course), printer/copier.

Google has office IT-in-a-box that would put mine to shame. Google also has shipping containers converted into server infrastructures that they can ship anywhere. Baseline implies that the military's IT-infrastructures-in-a-shipping-container exist in PowerPoint only.

As far as the Google vs. NSA operating efficiency battle goes, at least there's more than one career option for deep geeks. I would have a hard time deciding between the two because they both offer serious computing power. As far as ethical considerations go, both have pluses and minuses. The NSA doesn't make money selling advertising; as hard as Google tries, running a business requires some level of compromise to make money. The power of both organizations could be abused. The way things are going in the Intelligence Community, Google will be more secret than the NSA in five years.

What do you think?

Monday, July 17, 2006

Java vs. Python/Plone vs. PHP/XOOPS vs. J2EE vs. .Net

eWeek had one of the coolest lab tests I've seen in a while last week: they tested portal applications for speed on different architectures. This is exactly the kind of testing I'd do in my little lab if I had the resources.

eWeek tested JBoss on Windows, Plone on Windows, XOOPS on Windows, Plone on Linux (SUSE), XOOPS on Linux (SUSE), JBoss on Linux (CentOS), Liferay on CentOS, and Sharepoint Portal Server on Windows. Their results were mixed: .Net had the highest throughput per second in KB, Windows JBoss the highest number of transactions per second, J2EE/Liferay/Linux the highest hits per second, and JBoss on Windows the lowest page load time. .Net and Windows JBoss were among the fastest portal applications, but the various LAMP flavors did OK, especially if you did something to speed them up. (Like using Zend Technologies' PHP accelerator.)

The main point of all this testing is not that one portal architecture is necessarily better than the rest. If your organization has expertise in a specific portal area, then that architecture will work for you. The key is that whatever architecture you choose should match your business.

Information Technology is changing, as always. What matters most is not the technology -- it's your understanding of your business and how to make that work faster and cheaper. IT and IS are just tools for your business.

Sunday, July 9, 2006

Sharepoint Version 3 Beta Install

Microsoft's future for the Office suite emphasizes online collaboration. Microsoft's purchase of Groove and upcoming Office Groove and Groove Server emphasize collaboration, online and off, as key to their future success. (Sign up for the free Office 2007 Beta already -- Microsoft is pushing this pretty hard.)

I have been using Sharepoint since version one to help solve simple problems with clients and their online office space, including collaboration. I have used Sharepoint to do everything from hosting photo albums and documents to doing really obvious things like "click here to connect to printer x in room y." I'm trying to see what Groove has to offer, but first I am playing around with Sharepoint Version 3.

Sharepoint Version 3 Beta has three requirements that it checks before the install: .Net Framework 2.0, since it's a .Net 2.0 application, ASP.net 2.0, and Windows Workflow Foundation Beta 2 v.3.0.3807.7 or above. Windows Workflow is the new process that will be available in Office 2007.

Once you have the installer running, it tells you that it can do an in-place upgrade of your Sharepoint v.2 site if your database is under 30 GB. However, it will need to restart IIS, Sharepoint, and the Sharepoint timer during the upgrade process. This is where I ran into one of two problems. I didn't look at all four tabs of the installer, so I neglected to check that my Sharepoint was front-end only. The database for mine is hosted on SQL 2005. Thus, the post-install script choked at step 5 of 10, stalling on registering SP services. The preupgrade install script posts details here:
\PreupgradeReport_632880453377812500_Log.txt and here PreupgradeReport_632880453377812500_Summary.xml, proving that everything has an XML file in the future.

The other problem was a result of my original Sharepoint v.2 install. Sharepoint v.3 will not let you connect to a configuration database with an SQL account. You must use a domain account. I didn't want to use NT Authority\Network Service, so I tried to change the SQL 2005 permissions for the configuration database, to no avail. I ended up doing a SQL Profiler trace of the connect step to see what I could change in SQL to make Sharepoint use a different account. The result I got is a little opaque: a lot of exec sp_resetconnection and exec dbo.proc_getObject @Id='68430B8A-6365-44B4-99E2-CC842773FCDA', which results in:
68430B8A-6365-44B4-99E2-CC842773FCDA 8446FC57-4D84-4D79-8EA9-4B1C9C02C40C 9920F486-2FF4-4D10-9532-E01979826585 Central Administration, and more, which didn't help much. Sharepoint Version 3 help wasn't an aid here either.

Since I hadn't done much with the old Sharepoint except install the SQL Report Server web parts, I created a new site. The Sharepoint installer had already nuked my Default Web Site, so I didn't feel like I had much to lose. If I had to reconnect to the old database, I would have had to reset the password on the NT Authority\Network Service account. Once you get a configuration database, you can use SQL accounts for the individual web site connections.

Installing the web parts again was no problem. I used the same web parts I did for Sharepoint v.2 from the SQL 2005 install. Our old friend, stsadm.exe hasn't changed:
C:\Program Files\Common Files\Microsoft Shared\web server extensions\12\BIN\STSADM.EXE -o addwppack -filename "C:\Program Files\Microsoft SQL Server\90\Tools\Reporting Services\SharePoint\RSWebParts.cab", assuming both are on the same box.

There's a lot more to the Sharepoint 3 Admin tool: you can select specific users for inbound and outbound mail, for instance. You can also back up and restore content databases, as well as configure antivirus settings. There's even a built-in best practices analyzer tool.

Finally, there's a recycle bin. Now Sharepoint administrators won't have to figure out ways of protecting content from users. Next installment: how granular are the permissions?

Thursday, June 29, 2006

Network Analysis With Free EtherPeek: Ethereal Gets Some Competition

Way back in 1999, I was looking for a packet analyzer. I was familiar with EtherPeek for the Macintosh from a few years before, and I found that the AG Group was producing EtherPeek for Windows, too. The AG Group is now WildPackets, and they are exceedingly helpful to anyone that has to troubleshoot data networks. AG Group always offered some cool network freebies: IP Subnet Calculator, netTools and a great protocol reference chart.

One of their people, J. Scott Haugdahl, has an excellent book, Network Analysis and Troubleshooting, which offers a bottom-up review of the OSI 7-layer model. (Which one are you: All People Say They Need Data Processing or Please Do Not Throw Sausage Pizza Away?)

I liked EtherPeek and the book so much that I bought both and paid out of my own pocket even though my job was managing the network. Of course, this was back in the day when running tcpdump required you to know your IRQ, DMA and chip set (i.e. DEC Tulip). My job at the time was helping change a campus network from Netware to TCP/IP when Windows and Macintosh didn't even install a TCP/IP stack by default. We went from three-and-a-half network protocols (two different Netware frame types) to one and a half (we still had a couple of AppleTalk issues.) Each computer was on the Internet with a public IP address and no firewall. The ping of death still worked against most machines, and we also got hit with Smurf and Trinoo attacks that would disrupt all online activity.

WildPackets makes some excellent packet analyzers for wired and wireless networks. Now their base-level product is free: OmniPeek Personal. While I have been using Ethereal since my old version of EtherPeek became obsolete because it was on my ancient Dell laptop, I missed EtherPeek because it was the first packet analyzer I really got to know well. I could create filters and find exactly what I needed to find. EtherPeek also had good summary statistical functions, which could tell me who was producing the most traffic on my networks. Omnipeek Personal is better than my copy of EtherPeek was because it includes some expert analysis about bad packets and delayed response times. It also produces HTML statistics just like the original, and it has a better interface than Ethereal, using color to show differences between packets.

For those of you that underestimate the power of color, try printing a Google or Mapquest map in black and white and one in color and see which one is easier to read while you're driving. OmniPeek makes it easier to read your packet stats and is easier on your eyes than Ethereal. It's also supposed to do wireless captures -- I'll update when I get a compatible chipset wireless card.

Wednesday, June 28, 2006

The Visio 2007 Beta

I have loved Visio since I started using it in 1999 or so. Microsoft bought Visio for $1.5 billion, which was the most Microsoft had paid anyone for anything. Since then, Microsoft has incorporated it into its Office line.

I usually don't use a lot of Beta, but I had no choice. Visio 2003 does not connect to MS SQL Server 2005, even with SQL Native Client installed on my laptop. I had two choices: download and install my (student free) copy of Visio for Enterprise Architects on my soon-to-be-dead laptop, or download a free Visio 2007 Beta.

I use Visio for diagramming almost anything technical, from rack diagrams to network and Active Directory diagrams to schoolwork like data flow diagrams, class diagrams, statecharts, and entity relationship diagrams. (I can't afford ERWin.) You can even export from MS Project into MS Visio to create Gantt and PERT charts that are more customizable than what you can do in Project. (Although for updating diagrams on large projects quickly, nothing beats Critical Tools, which does a much better job of creating Work Breakdown Structures and PERT charts than MS Project.)

One of my favorite features in Visio is reverse-engineering databases. I find it much easier to create databases in Access and then reverse-engineer the diagram in Visio. I can also test out the Access database and see if I can get the reports I need with the right queries. (I hear that even Oracle DBAs with years of experience test things in Access.) I can also use this feature to investigate vendor-supplied databases. (One-size-fits-none databases tend to have hundreds of tables.)

In Visio, I just create a new database diagram, then select Database | Reverse Engineer and point it at my data source, which is still a little cumbersome to set up on a new non-Access database. After importing the tables, indexes and queries I need, I can select Database | Options | Document and hit the checkboxes for cardinality, crow's feet, and actions for relationships. This box has changed slightly for Visio 2007, and it looks like the IDEF1X symbol set is also new, and it will be especially helpful to defense contractors.

Another good thing about Visio 2007 is that I can use all my old stencils, including the giant pack of slightly dated Altima stencils that came with a 3com switch. Since I can't afford to buy lots of custom stencils, I am very happy to see that more vendors are offering free equipment representations for their products at places like the Visio Cafe.

If you're looking for a free version of Visio to work with, the Visio 2007 Beta will work. Mine hasn't even crashed yet.

Saturday, June 24, 2006

Data Mining and Data Warehousing Might Just Protect Your Identity, Someday

In dealing with financial activities, our law enforcement/intelligence community is someplace between Get Smart and Mission:Impossible, depending on which story you read in the newspaper.

Eighty-one people in 17 states used a California woman's Social Security number, according to the AP on June 18, 2006. You'd think the IRS or Social Security Administration would notice that 81 jobs falls outside the normal range of jobs. Maybe even past 3 standard deviations above the mean number of jobs that people hold in a given time period.

"They knew what was happening but wouldn't do anything," said Schmierer, 33, a housewife in this San Francisco suburb. "One name, one number; why can't they just match it up?"

Then on June 23, the New York Times breaks a story about how the Treasury is overseeing a CIA program that monitors data going through the Society for Worldwide Interbank Financial Telecommunication. What do these reporters think FinCEN does? They look for the same kind of activity that the NY Times-revealed program does, except they've been doing it a lot longer than the CIA.

A former compliance officer for a major brokerage once told me that you might get away with insider trading once. After that the investigators would know the people with whom you attended kindergarten and might be in a position to give you insider information. That's link analysis.

The last time I bought AMEX traveler's cheques it took half an hour because of the paperwork required by the bank to satisfy post-9/11 financial tracking regulations, so it doesn't surprise me that the intelligence community is monitoring international transactions. (The paperwork is so tedious that I'm going to carry cash more often than not.)

Our government can access tons and tons of data about every transaction that travels across our borders, but without efficient algorithms for flagging suspicious activity, it will all be useless. Placing every tax return and W-2 statement into a single data warehouse would be academic. Yahoo and Google probably generate more data in a week than all our tax returns and W-2s annually. You would think the Social Security Administration would be able to see the fraud in their systems. The ACLU wouldn't even be able to argue that our government isn't allowed to look at its own data.

Once you had loaded the data, a few queries could spit out suspicious Social Security Number users in a day or two. Again, the budget for this would be under a million or two.

Tuesday, June 20, 2006

Counting Web Attacks

I see a lot of 404 errors in my Apache logs. A 404 error is a file not found, i.e. someone has requested a file that's not there. Often it means I made a typo in a configuration or HTML someplace. More often, it means someone someplace is probing my server for weak web applications.

Linux and open source software have made it easy to add web applications running under Apache and MySQL. The problem is as more and more sites start using these cool web applications, hackers are able to find holes in them. The developers fix the holes and release patches, but many webmasters don't apply the patches. Thus I see probes like the one below in my Apache logs:

212.83.253.101 - - [19/Jun/2006:09:24:49 -0400] "GET /a1b2c3d4e5f6g7h8i9/nonexistentfile.php HTTP/1.0" 404 320 "-" "-"
212.83.253.101 - - [19/Jun/2006:09:24:49 -0400] "GET /adxmlrpc.php HTTP/1.0" 404 294 "-" "-"
212.83.253.101 - - [19/Jun/2006:09:24:49 -0400] "GET /adserver/adxmlrpc.php HTTP/1.0" 404 303 "-" "-"
212.83.253.101 - - [19/Jun/2006:09:24:49 -0400] "GET /phpAdsNew/adxmlrpc.php HTTP/1.0" 404 304 "-" "-"
212.83.253.101 - - [19/Jun/2006:09:24:50 -0400] "GET /phpadsnew/adxmlrpc.php HTTP/1.0" 404 304 "-" "-"
212.83.253.101 - - [19/Jun/2006:09:24:50 -0400] "GET /phpads/adxmlrpc.php HTTP/1.0" 404 301 "-" "-"
212.83.253.101 - - [19/Jun/2006:09:24:50 -0400] "GET /Ads/adxmlrpc.php HTTP/1.0" 404 298 "-" "-"
212.83.253.101 - - [19/Jun/2006:09:24:50 -0400] "GET /ads/adxmlrpc.php HTTP/1.0" 404 298 "-" "-"
212.83.253.101 - - [19/Jun/2006:09:24:50 -0400] "GET /xmlrpc.php HTTP/1.0" 404 292 "-" "-"
212.83.253.101 - - [19/Jun/2006:09:24:51 -0400] "GET /xmlrpc/xmlrpc.php HTTP/1.0" 404 299 "-" "-"
212.83.253.101 - - [19/Jun/2006:09:24:51 -0400] "GET /xmlsrv/xmlrpc.php HTTP/1.0" 404 299 "-" "-"
212.83.253.101 - - [19/Jun/2006:09:24:51 -0400] "GET /blog/xmlrpc.php HTTP/1.0" 404 297 "-" "-"
212.83.253.101 - - [19/Jun/2006:09:24:51 -0400] "GET /drupal/xmlrpc.php HTTP/1.0" 404 299 "-" "-"
212.83.253.101 - - [19/Jun/2006:09:24:52 -0400] "GET /community/xmlrpc.php HTTP/1.0" 404 302 "-" "-"
212.83.253.101 - - [19/Jun/2006:09:24:52 -0400] "GET /blogs/xmlrpc.php HTTP/1.0" 404 298 "-" "-"
212.83.253.101 - - [19/Jun/2006:09:24:52 -0400] "GET /blogs/xmlsrv/xmlrpc.php HTTP/1.0" 404 305 "-" "-"
212.83.253.101 - - [19/Jun/2006:09:24:52 -0400] "GET /blog/xmlsrv/xmlrpc.php HTTP/1.0" 404 304 "-" "-"
212.83.253.101 - - [19/Jun/2006:09:24:52 -0400] "GET /blogtest/xmlsrv/xmlrpc.php HTTP/1.0" 404 308 "-" "-"
212.83.253.101 - - [19/Jun/2006:09:24:53 -0400] "GET /b2/xmlsrv/xmlrpc.php HTTP/1.0" 404 302 "-" "-"
212.83.253.101 - - [19/Jun/2006:09:24:53 -0400] "GET /b2evo/xmlsrv/xmlrpc.php HTTP/1.0" 404 305 "-" "-"
212.83.253.101 - - [19/Jun/2006:09:24:53 -0400] "GET /wordpress/xmlrpc.php HTTP/1.0" 404 302 "-" "-"
212.83.253.101 - - [19/Jun/2006:09:24:53 -0400] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 305 "-" "-"

This is a probe, not an attack. There's nothing illegal about requesting files that aren't on my server, is there? But if I touch /var/www/html/adxmlrpc.php, we may find out what happens next. Note that most of these requests, while probing for different applications, share one thing in common: RPC on PHP.

Below is a chart of probes by date and request on this webserver. There's not enough space to list each request as it corresponds to its color. (Excel shows me data-point details on mouseover in my pivot table.)


Attacks by Application

Wednesday, June 14, 2006

Friendster and LinkedIn Meet Vonage and Skype, or Link Analysis and Transitive Closure

The ultimate social and business network would include more than just email contacts as Friendster or LinkedIn do. It would include the people you call using Vonage and/or Skype. Using the the Call Detail Records (as the National Security Agency might) to do what law enforcement calls "Link Analysis," a social or business network could connect you via phone numbers.

The telcos have been doing link analysis for years as part of their fraud detection programs, and what the NSA might be doing is not much different. Link analysis is really transitive closure, but most computer security and law enforcement people don't know relational algebra, so they call it link analysis.

Transitive closure (aka recursive closure), at its simplest, is this: The transitive closure of relation [table] R with attributes [columns] (A1, A2) defined on the same domain is the relation R augmented with all tuples [rows] successively deduced by transitivity; that is, if (a,b) and (b,c) are tuples of R, the tuple (a,c) is also added to the result. (From Connolly and Begg's Database Systems, in reference to Timothy Merrett's Relational Information Systems, 1984). Since I was interested in the relational algebra, I bought a "new" copy of Merrett's book from an Amazon reseller for $8. In defining closure, Merrett refers to Aho, Hopcroft and Ullman (1974), and says, "to do so here would involve too much of a mathematical digression." It's 2006, and a book published in 2005 references another book from 1984 (!) that refers to a book from 1974. The relational database model has not changed much since E.F. Codd's work in 1971. What has changed is the scalability of the hardware we use to run our relational database management systems.

One example of transitive closure that project managers might understand is an exercise in the Merrett book: "Find the expression which gives PATHS the duration of all sets of activities in" and lists the data for the PERT chart. A query (or your relational algebra expression) would show all the paths through the network, and should probably show the critical path as well.

What makes the PERT chart example interesting is that it can show more than one path through a network between two nodes. When talking about link analysis using call detail records, many models show single links between nodes. In Investigative Data Mining for Security and Criminal Detection, Jesus Mena lists a couple of COTS (commercial off-the-shelf) link analysis tools, ATAC and Analysts' Notebook. These systems can take call detail records and produce links and even chart them on graphs. Mena's book lists many tools, including some free applications and others with a free demo. For the documentation of the tools alone, the book is worth the price. Mena's book details a lot of the history of AI and data mining in the security community, but it also confuses database terminology (related relations, e.g.) to make it understandable by the law enforcement community. Despite this, Mena implies that law enforcement in the 21st Century is going to need a lot more artificial intelligence and database experts.

Sample query to bring up people in your network:

SELECT callee
FROM table.cdr
WHERE caller = 'my_target_no'          -- first hop: everyone the target called
UNION
SELECT callee
FROM table.cdr
WHERE caller IN (SELECT callee         -- second hop: everyone those callees called
                 FROM table.cdr        -- (IN rather than =, since the subquery
                 WHERE caller = 'my_target_no');  -- returns many rows, not one)

The trouble with this query, adapted from the manager-employee recursive example that everybody learns in database school, is that it would eventually return everyone with a telephone. Thus the iterations must be controlled, and I would need to adapt the query above from a recursive query into an iterative one if I were going to make it work on SQL 2005.

Sunday, June 11, 2006

Connecting Sharepoint to SQL 2005 Report Server

It seemed simple: Export OLAP reports from SQL 2005 Reporting Services into Sharepoint. I like Sharepoint because it solves a ton of problems in organizations. I'm still surprised at how many Microsoft shops don't use Sharepoint, given that it's free and it integrates into Active Directory. (Sharepoint Portal Server, a different product, costs money, scales more and is personalizable.) All you need for Sharepoint is IIS and SQL or the MSDE; and FrontPage 2003 if you want to edit graphics. Microsoft has a lot of Sharepoint resources available for download, but they're not well organized.

The details slowed me down a few hours. There are several different ways of configuring security contexts, and you will have to keep your accounts and passwords straight. I have yet to find a step-by-step on Technet, but I'm still looking. I did see a page showing cool OLAP reports in Sharepoint on Technet, but no link to help me set it up.

The biggest problem that I've seen many other folks have is the 404 Bad Request error in the /Reports ReportManager Virtual Directory. /ReportServer worked the first time, but without the ReportManager Virtual Directory, it's not so useful. At first I thought this was a DCOM security issue because of the event log entries I got. (Ten of these on the first request for http://myreportserver/reports after restarting IIS and then no more until restarting IIS.)

The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {BA126AD1-2166-11D1-B1D0-00805FC1270E} to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission can be modified using the Component Services administrative tool.


The trouble with that message is that there's no DCOM component in Component Services that corresponds to the CLSID. This didn't stop me from searching the registry for a while, finding that the CLSID is involved with about a dozen basic network services, none of which are in the Component Services MMC.

I gave up searching the Registry and I added NT Authority\Network Service to the DCOM user group on the local machine and restarted IIS. No joy. I was able to clear the event log of that error this way, but I still got the same error requesting http://myreportserver/Reports, just with no event log entries. I rechecked all the settings in SQL Server's Report Configuration Tool, which is very useful, but still didn't solve the problem.

I googled the source code on the error page:

System.Net.WebException: The request failed with HTTP status 400: Bad Request.


and found a site at MIT concerning a totally unrelated application that threw the same error. I had one other Virtual Web on the machine, so I deleted it, reset my Default Web Site to All Unassigned IP addresses and restarted IIS. Bingo. I can manage reports over the Web -- it just takes a while to start up the first time you request http://myreportserver/Reports. I can access it from http://localhost/Reports on that box now; before, localhost requests failed, and I didn't know why.

I still have to set the right permissions for everything. I also need to choose whether to share a data connection or use the web visitor's security context. Just listing all the security contexts makes me dizzy: The Sharepoint App Pool, the Report Server App Pool, SQL Report Server Data Sources, the DCOM permissions mentioned above, and finally, your users' accounts in Sharepoint and Reports.

Sharepoint doesn't hold the Report -- it just passes your request on to the Report Server. Thus, you'll need to set permissions for the Sharepoint and the SQL Report Server. If you have Sharepoint permissions but not Report Server permissions, the Report Explorer web part will be blank.

Steps that worked for me:
1. Start with a good SQL 2005 install with all necessary components -- like Reporting Services.
2. Install IIS and ASP.net 2 if they're not installed already. I installed SQL 2005 Service Pack 1 after this step. (Make sure you have only a default web site on IIS to avoid my issues.)
3. Use the SQL 2005 Report Configuration Manager. You'll need to decide which security scheme you're going to use before you can complete this step. The Configuration Manager saves a lot of time because you won't have to touch IIS Manager. (The whole scripting IIS configurations in XML thing is going to make my IIS skills obsolete before long.)
4. Create a simple report. SQL Books Online has a tutorial using the Adventure Works database.
5. Verify that http://yourreportserver/Reports and http://yourreportserver/ReportServer work.

Now move to your Sharepoint box running WSS.

6. Use stsadm.exe to install the web part. You will find the report explorer and report viewer web parts on your SQL box: (Search the Report Services library for Sharepoint for more details.)
C:\Program Files\Microsoft SQL Server\90\Tools\Reporting Services\SharePoint\RSWebParts.cab
7. Open your SharePoint site and add the Report Explorer Web Part from the Virtual Server Gallery.
8. Point the Report Explorer at http://yourreportserver/Reports and leave the start path blank for now.
9. You should be able to see your SQL Reports on your Sharepoint site.

My example runs on two boxes: SQL 2005 and Reporting Services/IIS on one box, (along with the Exchange 12 Beta), and my Sharepoint on another box. Sharepoint doesn't seem to run on the same box as the Exchange 12 Beta.

Friday, June 9, 2006

Your (Firewall) Data are Ugly. Please Fix It.

Data warehousing and data marts would be simple to construct if only the data were in a standard format. Five years from now, businesses will take OLAP for granted. (OLAP is a fancy way of saying we're going to automate the sums and averages of your sales data over time so you don't have to do all that stuff in Excel any more.) Five to ten years from now, businesses will live or die by their data mining algorithms. (I classify DM as a step above standard OLAP.) Before this can happen, the data have to be available in a usable form.

I come from an information security background, thus I spend far too much time poring over computer logs: web server access logs, firewall logs, Windows event logs, not to mention /var/log/*. I have learned lots of stupid log tricks, like using logwatch, grep (my favorite), Snare to send Windows logs to syslog, and now, Microsoft's free Logparser tool. Logparser has poor documentation but will certainly pay you back for time taken to learn to use it. There's even a non-Microsoft site dedicated to logparser.

Note: Syslog does not store data in 3NF rows. If you want to be able to sort by fields with destPort, sourcePort, sourceIP, destIP, without doing text search, you'll be doing a LOT of ETL work.

This week I was thinking about replacing my firewall/router (a Netopia R9100 with the hardware VPN upgrade, which I trade off with a Linksys WRT-54GS (v3) when I'm not paranoid about using wireless). And yes, I'm not supposed to tell you that, but it doesn't really make a difference if we're both using nmap. So I looked at firewall vendors' websites to learn what I could about logging capabilities. I'm slightly less concerned about security in my home lab than I am about collecting data on attacks. Firewalls have been around for over ten years now, so you'd think they would have logging down.

Watchguard: several logging options, including syslog and XML, SNMP costs extra.

Juniper/NetScreen: syslog, SNMP, NetIQ (If I feel like paying for that, too.)

Checkpoint: "Eventia Reporter™ is a complete reporting system that delivers in-depth network security activity and event information from Check Point log data." This means I can look at CheckPoint logs, but I can't correlate them to anything else. This Checkpoint vs. Cisco page is also interesting.

SonicWall: "ViewPoint®, Local Log, Syslog, WebTrends" I can pay extra for SonicWall's "Viewpoint" product, but I still can't correlate SonicWall logs to any other logs. One SonicWall includes a "secure" switch in their firewall: I would love to see what happens when I try an arp spoof. (If I wanted a switch, I would buy one.)

Cisco PIX: SNMP, Syslog, and AAA ("Authentication, Authorization, and Accounting Support") It does Cisco logging. It also has a CLI. (Command-Line Interface.) Unless Cisco starts giving me free hardware, I'm not sure why I'd use a PIX. If I blow a command, my network is not secure. A CLI is fine when it's obvious if a command is working or not, as with routing, but with firewalls, it makes me nervous. Then again, you should test every port after entering a rule change on your firewall.

Microsoft ISA Server: "ISA Server 2004 provides detailed security and access logs in standard data formats, such as delimited text files, Microsoft SQL Server databases, or SQL Server 2000 Desktop Engine (MSDE) databases."

I don't even like software firewalls, but Microsoft makes it easy for me. At $1,500 plus $250 for decent software, Watchguard is more expensive than ISA server. Checkpoint and Juniper won't even tell me how much their products cost. Sonicwall, Watchguard, and ISA Server are all priced on CDW.

If firewall data are this disparate, I can't imagine what a pain it must be to build data warehouses with data from other sources. Current firewall products seem to create their own silos and make it difficult to track intruders across a network rather than just at the perimeter.

Tuesday, June 6, 2006

The Sum of All Ports, coming to a SQL server near you.

Using syslog, MS SQL 2005, SQL Server Analysis Services, and MS Excel, I can build a cube with my firewall log violations and then import the cube into Excel and produce pivot tables. While this might seem more complicated than it needs to be, I could produce a daily scorecard of attacks. The only catch is that I need a firewall that logs to SQL server or a syslog to SQL server connector. The syslog => SQL connection would be tough because my router/firewall doesn't do uniform syslog notifications. I know enterprise-level firewalls do much better logging, like the Watchguard X-series which I was fond of just because I could make them do almost anything. The last time I checked, though, they still cost $1,500 for the base model plus $500 for the appropriate software.

With the Watchguard's new XML logging, I could create a SQL Server Integration Services package to import the data regularly. From there, I could get SQL Server Analysis services to process my cube each night. Then I use Microsoft Sharepoint's Scorecard or OLAP web part to display statistics. Best of all, I wouldn't have to mess with doing my own manual extract-transform-load (ETL) of my router log data.

The graph below represents a simple count of attacks by port on my router. Port 0 corresponds to ICMP. (I don't respond to ping requests.) The rest of the ports are closed, except for port 80, which you're using now. I ban a few IPs on port 80 because they won't stop posting junk trackbacks onto my blog. The ports are in alphabetical order rather than numerical order because I must store them in text fields rather than numerical fields in the database. If the port numbers aren't text then SSAS will OLAP them and I'll end up with the sum of all ports, which is nonsense but nevertheless might make a good statistic for MBA-types. While the graphic may not be all that impressive, the scalability is. Using SQL and SSAS, I could track probes and attacks on hundreds of firewalls at a time, track trends over time, and even predict the level of future probes.

Probes by Port

Monday, June 5, 2006

Assessing Attacks; or 18th Century Epistolary Novels vs. Data Structures

Being assigned a data warehousing/data mining project for class sounds like fun, but where am I supposed to get a data set? I can buy a database of all area codes and exchanges with latitude and longitude, but I would still have to simulate a hundred million records to address scalability and query optimization issues. Then I could find out if my estimates of record size are within a factor of ten, but the networks I see still wouldn't be "real" and I would have no idea if that's what real social networks looked like. (As an undergrad English Lit major, I was reading 18th Century epistolary novels instead of taking Data Structures like my Computer Science major classmates. The sad part is that Data Structures would have been more interesting.)

Fortunately, data magically appear on my Linux box every day.

Each morning at four am, logwatch runs on my Fedora Core 4 (Red Hat Linux) box. It tells me how many times nonexistent files on my webserver have been requested, and how many router firewall violation attempts have been logged. It also tells me how many times Apache logged a "method not allowed" 405 code. I have several daily log files that give me useful information on attacks. The problem is that there are so many attacks that if I banned every IP that looked for a web application hole or probed a port I wouldn't have time for anything else.

So it makes sense to look for attack source IP (Internet Protocol) addresses that probe my router AND request holes in web apps. To do this I need three files: my router log from syslog, and two greps of all my Apache logs looking for 404 and 405 errors (grep -h suppresses the file names at the beginning of each line). This gives me three tables, on which I can do inner joins on source IP. Of course, I have to do some tedious data cleanup to get the text log files into Excel and from there into Access. (I always underestimate the time it takes to clean up data.) From Access, I'm going to go to SQL 2005, Analysis Services, and build a cube. From there I should be able to "see" the attacks using Pivot Tables in Microsoft Excel.

If I see a source IP in my router log and Apache error logs, then it's probably worth banning. Correlating IP addresses to identify those involved in multiple methods of attack takes me from hundreds of IP addresses down to six.
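The three-way correlation described above, together with the xmlrpc.php probe run logged in the June 19 post, as an added example that is not the post's own tooling. It parses Apache lines in the common log format the page shows, parses router lines in a constructed syslog format (an assumption; the post does not show the Netopia's log format, and the June 9 post notes that syslog output needs ETL into fields before it can be joined), inner-joins the two on source IP, and separately flags hosts that request several distinct missing files within a few seconds. All addresses, paths and function names are constructed.

```python
"""Correlate router-log source IPs with Apache 404/405 offenders.

Added example, not the original post's code.  Apache lines use the common
log format shown on the page; the router line format, the addresses, the
paths and the function names are all constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache access-log lines (same format as on the page).
APACHE_LOG = """\
212.83.253.101 - - [19/Jun/2006:09:24:50 -0400] "GET /phpads/adxmlrpc.php HTTP/1.0" 404 301 "-" "-"
212.83.253.101 - - [19/Jun/2006:09:24:50 -0400] "GET /xmlrpc.php HTTP/1.0" 404 292 "-" "-"
212.83.253.101 - - [19/Jun/2006:09:24:51 -0400] "GET /blog/xmlrpc.php HTTP/1.0" 404 297 "-" "-"
212.83.253.101 - - [19/Jun/2006:09:24:51 -0400] "GET /drupal/xmlrpc.php HTTP/1.0" 404 299 "-" "-"
10.0.0.7 - - [19/Jun/2006:10:01:02 -0400] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [19/Jun/2006:10:01:09 -0400] "GET /favicon.ico HTTP/1.1" 404 290 "-" "Mozilla/5.0"
198.51.100.23 - - [19/Jun/2006:11:15:00 -0400] "POST /blog/ HTTP/1.1" 405 310 "-" "-"
"""

# Constructed router/syslog lines; this format is an assumption, not the post's router.
ROUTER_LOG = """\
Jun 19 03:12:44 router fw: DENY TCP src=212.83.253.101:4412 dst=203.0.113.5:22
Jun 19 03:12:45 router fw: DENY TCP src=212.83.253.101:4413 dst=203.0.113.5:135
Jun 19 07:40:10 router fw: DENY UDP src=198.51.100.23:53217 dst=203.0.113.5:1434
Jun 19 08:02:51 router fw: DENY TCP src=192.0.2.99:6000 dst=203.0.113.5:445
"""

APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$'
)
ROUTER_RE = re.compile(r"src=(?P<ip>\d+\.\d+\.\d+\.\d+):\d+ dst=\S+:(?P<dport>\d+)")


def parse_apache(text):
    """Yield a dict per well-formed access-log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = APACHE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["status"] = int(rec["status"])
        rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield rec


def web_offenders(text, statuses=(404, 405)):
    """Map source IP -> number of responses whose status is in `statuses`."""
    counts = defaultdict(int)
    for rec in parse_apache(text):
        if rec["status"] in statuses:
            counts[rec["ip"]] += 1
    return dict(counts)


def router_sources(text):
    """Map source IP -> set of destination ports the router denied for it."""
    ports = defaultdict(set)
    for line in text.splitlines():
        m = ROUTER_RE.search(line)
        if m:
            ports[m.group("ip")].add(int(m.group("dport")))
    return dict(ports)


def correlate(apache_text, router_text, min_web_hits=1):
    """Inner join on source IP: hosts seen in BOTH logs, as
    (ip, (web_hits, [denied ports])), busiest first."""
    web = web_offenders(apache_text)
    fw = router_sources(router_text)
    both = web.keys() & fw.keys()
    rows = [(ip, (web[ip], sorted(fw[ip]))) for ip in both if web[ip] >= min_web_hits]
    return sorted(rows, key=lambda kv: (-kv[1][0], kv[0]))


def probe_bursts(text, min_paths=3, window_seconds=5):
    """Flag IPs that request >= min_paths distinct missing files within a short
    window: the signature of an application scanner, not a stale link."""
    by_ip = defaultdict(list)
    for rec in parse_apache(text):
        if rec["status"] == 404:
            by_ip[rec["ip"]].append((rec["ts"], rec["path"]))
    flagged = {}
    for ip, hits in by_ip.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            paths = {p for t, p in hits[i:] if (t - start).total_seconds() <= window_seconds}
            if len(paths) >= min_paths:
                flagged[ip] = len(paths)
                break
    return flagged


if __name__ == "__main__":
    for ip, (hits, ports) in correlate(APACHE_LOG, ROUTER_LOG):
        print(f"{ip}: {hits} web 404/405s, denied router ports {ports}")
```

On the constructed input the join keeps two hosts: the xmlrpc prober, which also hit the router on 22 and 135, and a second host seen on both sides once each; the local browser that only missed favicon.ico and the host that only touched the router both drop out. Raising min_web_hits is the knob for "worth banning", and probe_bursts separates scanners from ordinary 404 noise before any IP reaches the join.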

Wednesday, May 31, 2006

Summer of SQL and Data Mining

Summer may be the best semester at George Washington University because all the undergrads are gone. The Marvin center is almost completely vacant, and the food court is closed. I am taking two electives this summer, which will give me more electives than I need. Why am I doing this? I’m actually learning something useful. People keep asking me why I don’t go for the CIO Certification. Instead of doing databases, I’d be taking MGT 272 Information Resource Management and MGT 274 Survey of Advanced IT Technologies. I have yet to read a single government job description that even mentions CIO Certification. (The Government Services Administration “invented” the CIO Certification, but the Office of Personnel Management sets job standards.)

I’ve taken academic classes in Information Systems at GWU for a while, and I have also taken classes at Learning Tree in SQL, Exchange, Solaris, Security and the programming language, C. The more advanced my classes get at GWU, the more they resemble a Learning Tree class, with one exception: at GWU, they teach theory and practice. At Learning Tree, it’s just practice. You can learn how Microsoft SQL Server works without learning a thing about normalization. Learning Tree is training database administrators, not database designers. My professor for both classes, John Artz, argues that vendor certifications will include more theory in the future; otherwise the vendor certs will become less relevant over time.

So what are my classes? Data Warehouse Design; and Database and Expert Systems. Database and Expert Systems includes no expert systems (I covered them in Decision Systems), and is mostly T-SQL for Microsoft SQL Server 2005. Data Warehouse Design is mostly theory with some implementation on SQL 2005 Analysis Services. Relational database theory hasn’t changed in about 30 years now, so you’d think I would have learned more relational database management systems earlier, but hey, it’s easy to become distracted with security and email and the web servers and Linux. Not that I haven’t used plenty of relational databases as back-ends to applications – I just didn’t think about the relational algebra that drives my queries.

While I can’t post class notes here, I can tell you which books the professor has chosen. When I’m searching for technology books, it’s hard to tell which ones are good.
Database and Expert Systems:
Dusan Petkovic’s SQL Server 2005: A Beginner’s Guide
Ken England’s Microsoft SQL Server 2000 Performance Optimization and Tuning Handbook. (There isn’t one for SQL 2005 yet.)
Data Warehouse Design:
Ted Lachev’s Applied Microsoft Analysis Services and Microsoft Business Intelligence Platform 2005.
(And the John Artz manuscript.)
Both classes:
Connolly and Begg’s Database Systems. This is the book I wish my database class from last semester had used. It covers a lot more than that textbook: Hoffer, Prescott and McFadden’s Modern Database Management.

Wednesday, May 24, 2006

Exchange 12 Offline Address List Issue

I'm continuing to use the Exchange 12 preview beta, with mostly good results. Everybody that sees the new Outlook Web Access loves it and wants it. Thus users will have a reason to upgrade and it won't be just us messaging engineers that care. Since Exchange 12 will require 64-bit hardware, having a great user interface may help justify the cost to many organizations.

I had one no-connect issue, which I tracked down to a DNS issue between my Windows Server 2003 Domain Controller (ADI-DNS) and my Red Hat Fedora Core 4 box running Bind 9.3.1. While I don't do secure dynamic updates to BIND (yet), I do secure transfers from AD to BIND. (When I make sure BIND knows AD is authoritative for my AD zone.) It's funny seeing all the Active Directory DNS records in BIND: _gc, _kerberos, _ldap, etc. (Which brings up a typical AD interview question: what version of BIND do you need to run AD? 8.6.3 is the minimum. BIND 9 is better because it won't make you set the don't-check-names option, since it supports a wider character set for domain names.)

I recently set up an account for the lab here in AD for mail to forward to a couple of folks in Outlook 2003 on Windows 2000 SP4. This account is not an administrator on the local box, and it sends and receives mail fine, but on Send/Receive I get a
Task ‘Microsoft Exchange Server’ reported error (0x8004010F): ‘The operation failed. An object could not be found.’


Microsoft has a solution for Exchange 2003 here: http://support.microsoft.com/?kbid=905813 ; but this isn't possible using the current Exchange 12 implementation. The error doesn't occur when I log on as a user with local admin privileges (yet). The server event logs don't show any errors. (I can grep my event logs because they go to my linux box via syslogd.)

I'm left with using the Exchange Management Shell's new-OfflineAddressBook command; first you must create an address list: "new-Addresslist." Fortunately, the shell features tab-command completion. All I have left to do is add addresses to my offline address list, but at least I have an offline address book, so my error should disappear, right? Wrong. I still get the error above. I'd fire up my Ethereal to do some more diagnosis, but I don't get the error on accounts with local admin privileges. Aargh.

Sometimes I miss the GUI.

Saturday, May 20, 2006

Google Analytics: Malkovich of the Internet?

If you’ve ever seen Being John Malkovich, you should remember what happens when Malkovich himself enters the Malkovich portal: everyone is John Malkovich and all they say is “Malkovich Malkovich.” On the Internet these days, I feel like it’s “Google Google.”

After months of waiting, I got my free Google Analytics invitation. I had set up Urchin reporting on a number of sites years ago, and I was disappointed that I couldn’t buy Urchin anymore because Google had swallowed them whole. Google Analytics is even better than Urchin was, and it includes Urchin’s campaign and e-commerce tracking modules. I also liked Urchin a lot more than Webtrends, which seems to have grown into bloatware since my first (positive) encounter with Webtrends in 1999. The trouble with Webtrends and Omniture is that they are focused on big business, because that’s where the big money is. Google Analytics is simple enough to use on this blog, but can scale as large as is needed. GA gives me the same tools that the big guys have. Thus, Google will make its money scaling out rather than scaling up.

Unlike Urchin, Google Analytics doesn’t run on my server. The JavaScript script goes back to Google, and I’m sure they can also see how many people are visiting my sites. On the up side, I didn’t have to remember to reconfigure Apache logging.
This is what I used to have to enter as root into httpd.conf and hope that I didn't make any typos:

LogFormat "%h %v %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{Cookie}i\"" special 


Also, the Googlebot doesn’t show up in Analytics reports. Browsers that reject third-party cookies won’t be trackable. And Google will know a lot more about all of our browsing habits once more sites start implementing Google Analytics.

As far as the markets go, Google Analytics is a shot at other web analytics packages, and it may surpass them because Google can integrate your Google Adwords into your Google Analytics. (Malkovich Malkovich.) This is something that others can’t do, because Omniture and Overture are separate. Of course, Google Analytics, Adwords, and everything else Google integrates with your Gmail account. Before long, Google may be able to offer IP address resolution into Google Earth. (Malkovich Malkovich Malkovich)

I also recently created Google sitemaps for a couple of sites. Google uses sitemaps to find new pages and changed pages on sites faster. The sitemap generator is a Python script that looks at your log files and your web file system and creates an XML file that the Googlebot can download. After creating the sitemaps, the two sites have now gotten a lot of hits from the Googlebot: 1671 for this site, and 5,000 or so for the other site, which gets a lot more traffic than mine. By getting me to do some of the work of indexing, Google indexing operates more efficiently.

Before long, Google will know more about traffic on the web than the NSA knows about traffic on the Public Switched Telephone Network.

Wednesday, May 17, 2006

More on How the NSA Tracking System Might Work

The Washington Post's David Ignatius postulated about how the National Security Agency's system might work. In doing so, he provided an excellent example of data mining. What the NSA is trying to do is simple and complex at the same time. The data structure is simple, but the sheer volume makes it complex.

The problem may seem hopelessly complex, but if you use common sense, you can see how the NSA has tried to solve it. Suppose you lost your own cellphone and bought a new one, and people really needed to find out that new number. If they could search all calling records, they would soon find a number with the same pattern of traffic as your old one -- calls to your spouse, your kids, your office, your golf buddies. They wouldn't have to listen to the calls themselves to know it was your phone. Simple pattern analysis would be adequate -- so long as they had access to all the records.


The trouble is, simple pattern analysis isn't that simple when you start trying to code it. You would have a giant data cube, and you would have millions of slices to compare with each other. On the other hand, if you have one target number and have a query that pulls all its callees, you could craft another query that searches for those same numbers. You could then score new numbers based on old queries: each query would have a rating of between 0 and 1 with 1 being just like the original number.

If you have voice matching that can confirm a 1, you could design an artificial neural network that learns as it targets new numbers. Voice matching would require eavesdropping -- but if you got a score of 1, it would be worth the trouble. This way, your neural network could learn what score between 0 and 1 should trigger voice matching.
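The 0-to-1 pattern score the two paragraphs above describe (the same contact-set matching the telco fraud-detection programs mentioned in the June 14 post rely on), as an added example that is not code from the column or from this post. Each number's profile is the set of numbers it called; the score is the Jaccard index of two profiles, so it is 1 exactly when the contact sets coincide and 0 when they share nothing. All call records, numbers and function names are constructed.

```python
"""Score candidate numbers by how closely their calling pattern matches a
reference number's.  Added example; every number here is constructed."""
from collections import defaultdict

# Constructed CDRs as (caller, callee).  555-0100 is the reference phone;
# 555-0199 calls exactly the same people; 555-0150 shares one contact;
# 555-0160 shares none.
CALL_RECORDS = [
    ("555-0100", "555-0001"), ("555-0100", "555-0002"), ("555-0100", "555-0003"),
    ("555-0199", "555-0001"), ("555-0199", "555-0002"), ("555-0199", "555-0003"),
    ("555-0150", "555-0003"), ("555-0150", "555-0077"),
    ("555-0160", "555-0088"),
]


def contact_profiles(cdr):
    """Map each caller to the set of numbers it called."""
    profiles = defaultdict(set)
    for caller, callee in cdr:
        profiles[caller].add(callee)
    return dict(profiles)


def jaccard(a, b):
    """Overlap of two sets on a 0..1 scale: |A ∩ B| / |A ∪ B|."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def rank_lookalikes(cdr, reference, threshold=0.0):
    """Score every other caller against `reference`, highest first.

    `threshold` is the cut-off below which a candidate is not worth a more
    expensive follow-up check; the post suggests learning that value."""
    profiles = contact_profiles(cdr)
    ref = profiles.get(reference, set())
    scored = [(num, jaccard(ref, callees))
              for num, callees in profiles.items() if num != reference]
    return sorted([(n, s) for n, s in scored if s >= threshold],
                  key=lambda ns: (-ns[1], ns[0]))


if __name__ == "__main__":
    for number, score in rank_lookalikes(CALL_RECORDS, "555-0100"):
        print(f"{number}: {score:.2f}")
```

With the constructed records the replacement phone scores 1.0, the partial overlap scores 0.25 and the unrelated number 0.0, which is the ordering the column's "same pattern of traffic" argument predicts. Note that the score only compares who was called; it ignores call counts, timing and duration, all of which the post's CDR structure carries and a real scorer would weight.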

Monday, May 15, 2006

Reflexive vs. Recursive Queries and Self-Joins

People (mostly database people) keep asking what I meant by reflexive query in my previous posts. Some thought I was confusing a self-join with a recursive query that would allow my DNS server to answer a DNS query for a domain for which it is not authoritative. What I mean is a query that returns a caller and a callee; and then another query that returns the callee's callees. In a self-join, I can match employees to their managers, since both are in the same table. While the NSA phone-tracking system might use some self-joins, what makes the network part work is getting queries from queries, and jumping from callers to callees. Of course I'd like all the results timestamped, too. Recursive queries are a part of this, and SQL 2005 can do it. If I had a few gigabytes worth of phone data, I'd love to let SQL 2005 loose and see what connections I could see. When I say reflexive, though, I mean that I'm going to use my queries to start other queries, and not just as sub-queries. The recursive part could lead to infinite loops. I wonder if the NSA hit any infinite loops when testing their system. Fortunately, you can specify limits on recursion in SQL 2005.
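Both forms of the caller-to-callee walk, the "queries from queries" loop this paragraph calls reflexive and the recursive query with a hard limit, side by side, as an added example (not code from this post or from the June 14 post whose CDR query it completes). It uses Python with sqlite3 so it runs offline; SQL Server 2005 writes the same recursive query as a CTE without the RECURSIVE keyword and caps it with OPTION (MAXRECURSION n), and here a hop counter does that job. The table, the numbers and the function names are constructed.

```python
"""Bounded transitive closure over call detail records (CDRs).

Added example, not code from the original posts.  The table, the numbers and
the function names are constructed.  sqlite3 is used so it runs offline; SQL
Server 2005 writes the same recursive query as a CTE without the RECURSIVE
keyword and bounds it with OPTION (MAXRECURSION n).
"""
import sqlite3

# Constructed CDR rows (caller, callee).  1000 -> 2000 -> 3000 -> 4000 -> 5000 is a
# chain; 2000 -> 1000 is a cycle back to the target; 9000 -> 9001 is unrelated.
SAMPLE_CDR = [
    ("1000", "2000"), ("1000", "2001"),
    ("2000", "3000"), ("2000", "1000"),
    ("3000", "4000"), ("4000", "5000"),
    ("9000", "9001"),
]


def load_cdr(rows=SAMPLE_CDR):
    """Build an in-memory CDR table and return the connection."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cdr (caller TEXT NOT NULL, callee TEXT NOT NULL)")
    conn.executemany("INSERT INTO cdr VALUES (?, ?)", rows)
    return conn


def closure_iterative(conn, target, max_hops):
    """The 'reflexive' form: re-run the one-hop query on its own output.

    Returns {number: hops} for every number reachable from target within
    max_hops, excluding target itself.  Numbers already seen are not queried
    again, so the 2000 -> 1000 cycle cannot loop forever.
    """
    reached = {}
    frontier = [target]
    for hop in range(1, max_hops + 1):
        marks = ",".join("?" * len(frontier))
        rows = conn.execute(
            f"SELECT DISTINCT callee FROM cdr WHERE caller IN ({marks})", frontier
        ).fetchall()
        frontier = [c for (c,) in rows if c != target and c not in reached]
        if not frontier:
            break
        for c in frontier:
            reached[c] = hop
    return reached


def closure_recursive(conn, target, max_hops):
    """The recursive-CTE form with an explicit depth bound.

    The hops column does the job of SQL Server's OPTION (MAXRECURSION n);
    MIN(hops) keeps the shortest path when a number is reached more than once.
    """
    sql = """
        WITH RECURSIVE reach(number, hops) AS (
            SELECT callee, 1 FROM cdr WHERE caller = :target
            UNION ALL
            SELECT c.callee, r.hops + 1
            FROM cdr AS c JOIN reach AS r ON c.caller = r.number
            WHERE r.hops < :max_hops
        )
        SELECT number, MIN(hops) FROM reach WHERE number <> :target GROUP BY number
    """
    rows = conn.execute(sql, {"target": target, "max_hops": max_hops}).fetchall()
    return {number: hops for number, hops in rows}


if __name__ == "__main__":
    db = load_cdr()
    for hops in (1, 2, 3):
        print(hops, closure_recursive(db, "1000", hops))
```

Both functions return the same map for the same hop limit, which is the check worth keeping when moving the logic between application code and the database. Without the bound, the cycle in the sample data would keep the recursive form generating rows until the engine's own recursion limit stops it, and the iterative form would stop only because its seen-set runs dry, which on a real CDR table means "everyone with a telephone", exactly the problem the June 14 post names.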

The scary part of this is what would happen if I had the resources to make it run really fast and tuned it to be as efficient as possible. I could select a target and find all of its connections in a few seconds or a few minutes. The difference between seconds and minutes would make a huge difference. In a system where it takes a couple of seconds to generate results, nobody would notice if I ran a few "unofficial" queries on my friends. If it took a few minutes and precious computer time, then people would notice. Utilitarian ethics.

This begs the question: how much computer time (and tax dollars) does our government use tracking down everyone who calls reporters? Then again, leaking classified information is unethical, but people do it anyway. Contextual ethics. Of course, there's also the issue of selective enforcement, but that's a legal issue, not an ethical one.

Thus we're left with utilitarian ethics vs. contextual ethics. Who knew that efficient queries and more processing power could give one type of ethics an advantage over the other?

Saturday, May 13, 2006

NSA has Greatest Sociological Dataset of the 21st Century

Between the phone records, emails, and instant messaging, the NSA can now map the social and business fabric of America and see how it is changing over time. By collecting our phone records, the NSA has created a dataset that can map our social connections. As I've mentioned in my previous post, the NSA can now map the calls we make and the calls our callees make, creating a giant tree of connections. A wrong number might get you placed on a no-fly list, but I'm not going into morality. (The current administration is the de facto law, so legality becomes a moot argument.) I'm just going to explore how they might use this data and what they could find from it.

The phone call data structure (date/time, origin number, destination number, duration, ID) could easily be used to scan emails and instant messaging as well (date/time, origin address, destination address, length, ID). Using the same reflexive queries, the NSA can track our social and business connections through email. They could also tell how those annoying chain letters get spread (Good Times virus warning: forward this to all your friends). However, the size of each record would be larger, probably more than double the ~48 bytes required for a phone record. The size would slow down the query and require more storage. Also, geocoding the emails would be more difficult, although it could be done based on where the person writing them maintains a physical address, or on the originating Internet Protocol address.

With all this data, the NSA is in a position to know the difference between social networks that use telephones and those that use email. If they've had this program in place for long enough, they could even recognize trends in social communication. With the right set of queries, you could spot the difference between neighborhoods where people know each other and neighborhoods where nobody knows each other and plot them in different colors on a map. What percentage of Americans calls their mom on Mother's Day? In which neighborhoods do people call their mothers most often?

It would also be somewhat easy to plot our connections in a GIS tool such as Google Earth. You would just export your target connection tree as a KML file (XML; KMZ is the zipped form) and import it into Google Earth or ESRI's ArcGIS. The graphs derived from the data would be anonymous. (Of course, research ethics might prevent us from using the data.)

Sadly, none of the derived information will ever see the light of day. Academically, it would produce fascinating results that could teach us about how we communicate with each other and how our communications are changing. Then again, no local, state, or federal government information system about citizens has ever been immune from misuse. IRS workers read their neighbors' tax returns. Cops run license "plates for dates," and use NCIC (National Crime Information Center) criminal background checks to help those running for election denounce their opponents. If a dataset about us exists, someone with access will abuse it; access controls and audit logging are what keep that from being routine and undetected.

Thursday, May 11, 2006

How the NSA Might use our Phone Records

Today, USA Today reported that the National Security Agency has been collecting domestic phone records of many of us U.S. citizens. Unlike everyone else blogging on this today, I'm taking no position on the ethicality of this activity. Instead, I'm going to tell you what I would do with those phone records from the perspective of a database geek. There's plenty of other analysis going on elsewhere, and I'm no constitutional lawyer.

I've been using Vonage for a while now, and I have access to my own phone records on the computer. It's easy enough to cut and paste my Vonage call records into Excel and from there into Access. From Access, I can easily export/import them into the Relational Database Management System of my choice, which for now is MS SQL 2005. However, there are many more out there.

Each record looks something like this: Date, Time (you can combine these into a LongDate), From phone number, To phone number, Duration, and a unique transaction ID. I get all this for incoming and outgoing calls. It's great for anyone that does billing for phone time. I'm assuming that these are the same kind of records that the NSA gets. Once the NSA gets these records, they do a data transform to make all the fields fit into their system in a uniform manner. Since the data is already fairly simple, they don't have to do much, and even a moderately skilled programmer like me could write something to transfer phone records almost as fast as they could get them.

If I had phone records from other people, I could combine them with my phone records into one massive table (relation, in database-speak). I could then do a reflexive query (a self-join) on them to pull a list of all the people I had contact with, through incoming or outgoing calls. I could then do another query to pull all contacts of all the people who had called me; this would show me my friends' friends. If I had access to more data about the phone numbers, say through geocoding (a fancy way of saying latitude and longitude attached to each phone number), I could create a map and track a phone tree. If I call someone in New York, and they call someone in Paris, and the person in Paris calls someone in Amman, I could draw lines making the connections on a map.

For this level of tracking to work, the NSA has to have absolutely all the phone records they can possibly get their hands on. If they have a target talking to someone and that someone talks to someone else and the NSA's records drop at the first friend of the target, they're lost. It would be a dead end. If they get all the records, the creation of a massive data warehouse that shows connections between people is pretty much academic. The budget for doing all this has dropped dramatically over recent years: you might be able to do it with a couple of Netezza data warehouse appliances. Rumor has it the NSA was Netezza's first customer. All the hardware to do it might cost under a million dollars. The tricky part, as with all data mining projects, is getting good data, and the NSA has that problem solved.

The hardest part left for them is scalability: they're trying to drink from a firehose, but the records aren't that big, which makes it feasible. You might be able to store all the number-only data in a record as short as 40 bytes: LongDate, Number, Number, Number, Number. (I'm not going to get into data types in depth here, but let's assume we can store phone numbers as numbers and not text to save space.) Thus one million phone records would occupy 40 megabytes. If the US makes a hundred million phone calls a day, that's about 4 GB a day of data. Large, but manageable if you have a large budget. Even if you double the key identifier size to 16 bytes you're still only up to 4.8 GB per 100 million calls, and that's headroom rather than necessity: an 8-byte integer key already has room for more calls than will ever be placed. The real multiplier is the indexes on the origin and destination numbers that the connection queries depend on; those can add as much space again as the table itself.

Only after you've identified a target would you want to create a join query that connects names and addresses with phone numbers; this would be far more efficient than attaching names to the phone record tables, and would give the NSA a chance to say they're recording numbers only. If the NSA uses a consumer data company like, say, Acxiom, to get information on phone numbers post-targeting, then they're not even subject to the Freedom of Information Act or US Privacy Law.
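The queries described above, as an added example that is not part of the original post: a SQLite schema in the shape of the Vonage records, the "reflexive" self-join that pulls first- and second-degree contacts, a recursive query that follows outgoing calls hop by hop (the New York, Paris, Amman chain), and the post-targeting join against a separate subscriber table so the bulk table stays numbers-only. The numbers, names and calls are constructed for the example, and SQLite stands in for Access or SQL 2005.

```python
import sqlite3

# Constructed sample call records in the shape the post describes: timestamp,
# origin number, destination number, duration in seconds, unique ID. Numbers,
# names and calls are invented for this example.
SAMPLE_CALLS = [
    ("2006-05-10 09:12:00", 2125550100, 2125550101, 120, 1),  # target -> NY friend
    ("2006-05-10 09:40:00", 2125550101, 3312345678,  60, 2),  # NY friend -> Paris
    ("2006-05-10 10:05:00", 3312345678, 9626123456, 300, 3),  # Paris -> Amman
    ("2006-05-10 11:00:00", 2125550102, 2125550100,  30, 4),  # incoming to target
    ("2006-05-11 08:00:00", 2125550103, 2125550101,  45, 5),  # incoming to NY friend
]
# The separate names-and-addresses source, joined only after targeting.
SAMPLE_SUBSCRIBERS = [
    (2125550100, "Target, Alice"), (2125550101, "Bravo, Bob"),
    (2125550102, "Charlie, Carol"), (2125550103, "Delta, Dan"),
]

SCHEMA = """
CREATE TABLE calls (
    called_at TEXT    NOT NULL,
    origin    INTEGER NOT NULL,
    dest      INTEGER NOT NULL,
    duration  INTEGER NOT NULL,
    id        INTEGER PRIMARY KEY
);
CREATE INDEX calls_origin ON calls(origin);   -- the connection queries need these
CREATE INDEX calls_dest   ON calls(dest);
CREATE TABLE subscribers (number INTEGER PRIMARY KEY, name TEXT NOT NULL);
"""

# Every call as an undirected edge, so "contact" covers incoming and outgoing calls.
EDGES = """
WITH edges(a, b) AS (
    SELECT origin, dest FROM calls
    UNION
    SELECT dest, origin FROM calls
)
"""

def open_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO calls VALUES (?,?,?,?,?)", SAMPLE_CALLS)
    conn.executemany("INSERT INTO subscribers VALUES (?,?)", SAMPLE_SUBSCRIBERS)
    return conn

def contacts(conn, number):
    """First-degree contacts: everyone `number` called or was called by."""
    rows = conn.execute(EDGES + "SELECT DISTINCT b FROM edges WHERE a = ?", (number,))
    return sorted(r[0] for r in rows)

def contacts_of_contacts(conn, number):
    """Second-degree contacts via a self-join on the edge list (the 'reflexive query'),
    leaving out the target itself and its direct contacts."""
    rows = conn.execute(EDGES + """
        SELECT DISTINCT e2.b
        FROM edges e1 JOIN edges e2 ON e2.a = e1.b
        WHERE e1.a = :n AND e2.b <> :n
          AND e2.b NOT IN (SELECT b FROM edges WHERE a = :n)""", {"n": number})
    return sorted(r[0] for r in rows)

def call_tree(conn, number, max_depth=3):
    """Follow outgoing calls hop by hop (target -> New York -> Paris -> Amman);
    returns (number, depth, path) rows, the lines you would draw on the map."""
    rows = conn.execute("""
        WITH RECURSIVE tree(number, depth, path) AS (
            SELECT :n, 0, CAST(:n AS TEXT)
            UNION
            SELECT c.dest, t.depth + 1, t.path || '>' || c.dest
            FROM tree t JOIN calls c ON c.origin = t.number
            WHERE t.depth < :max_depth
        )
        SELECT number, depth, path FROM tree WHERE depth > 0
        ORDER BY depth, number""", {"n": number, "max_depth": max_depth})
    return [tuple(r) for r in rows]

def name_numbers(conn, numbers):
    """The post-targeting join: attach names only to numbers already selected,
    so the bulk call table itself stays numbers-only."""
    marks = ",".join("?" * len(numbers))
    rows = conn.execute(
        f"SELECT number, name FROM subscribers WHERE number IN ({marks})", list(numbers))
    return dict(rows)

if __name__ == "__main__":
    db = open_sample_db()
    target = 2125550100
    print("contacts:", contacts(db, target))
    print("friends of friends:", contacts_of_contacts(db, target))
    for number, depth, path in call_tree(db, target):
        print(f"  hop {depth}: {path}")
    print("names:", name_numbers(db, contacts(db, target)))
```

The edge list is what makes the self-join cheap: with indexes on both number columns each hop is an index lookup, which is why the storage estimate above has to budget for indexes and not just rows.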

The end result is that the NSA has the capability to map our social and business networks; given enough time and hardware, they could even plot them on satellite photos, creating a cool mish-mash of lines across neighborhoods. They could create files on us all like Friendster lists our friends and their connections. Whether the NSA's system actually works efficiently, we'll never know.

Wednesday, May 10, 2006

The Job Interview

I used to think it happened only to me, and then I read Dilbert last Saturday. My interviewers are asking more and more real-world technical questions about real problems they have. More often than not, I can solve them in a couple of sentences. And later I wonder if they really had a job to offer or if they were just looking for cheap solutions.

Even months later, I can see users from my interviewers' companies reading my blog entries about how IIS, SQL, AD, and SharePoint work together. Thank you, Google Analytics. And no, I would never name your company here, because it just wouldn't be professional.

Friday, May 5, 2006

Finals: Neural Nets in a Nutshell?

I have three finals: one Monday evening and two Wednesday evening. The bad part about having two finals on one evening is that it's two exams for which I have to prepare. The good part is crossover between the two classes: both cover neural networks, and although it's definitely on my database exam, my decision support systems class covered it better. Although the Marakas text had problems, including a typo and a cut-off paragraph, it explained neural nets better than the database textbook or the db professor did, and I've gone over his PowerPoint several times looking for a good definition. Marakas:
neural networks attempt to mirror the way the human brain works in recognizing patterns by developing mathematical structures with the ability to learn.


One type of human intelligence is the ability to recognize patterns, and then learn to recognize patterns better. Thus, neural networks are one form of artificial intelligence.

If you search the web, though, you'll find as many definitions of neural networks as you do result pages.

Monday, May 1, 2006

More Ruby on Rails Security

I do Windows, Unix (Solaris), and Linux (mostly Red Hat). Everyone who's into "open-source" keeps telling me how much more secure it is. I'm a CISSP and I've been installing open-source OSes since I had to know the chipset, IRQ and DMA of the NICs in my box to get networking to work. (The DEC Tulip was my favorite.) When I started working with Solaris 7 and Red Hat 4.x, telnet was enabled by default. I still wonder if telnet was enabled on a Trusted Solaris 7 default install. People who tell me any form of Unix is inherently more secure than any Windows don't seem to be familiar with the Morris worm, the Leshka Sendmail exploit, or BIND vulnerabilities. In fact, just mentioning BIND and sendmail in the same sentence is likely to send your security coordinator into the bunker for the rest of the day. Mind you, I've also seen IIS flaws. Can't we all just get along and implement security best practices on whatever platforms we're using?

Ruby on Rails shows a lot of promise as to helping people get up and running on applications quickly. The tutorials are pretty helpful, but there are a couple of caveats:
In the configuration wizard, you can also just accept all of the defaults, except that in the security panel you must uncheck the "Modify Security Settings" checkbox (Figure 4). This is because starting with version 4.1.7, MySQL uses a new authentication algorithm that is not compatible with older client software, including the current version of Rails. By unchecking this box, you can access MySQL without a password.


This is not the path to secure computing. MySQL should NOT ship with a blank root password. Tutorials should not encourage the use of blank root passwords.

And they have you set up your server so as to leave database.yml publicly available. I see Drupal attacks (xmlrpc.php) every day; it's only a matter of time before I start to see RoR attacks.

It's the developers' job to make it work. It's your job to make it work securely. Today's hackers don't even know C and have never heard of Kernighan and Ritchie; all they need is a script and an Internet connection to take advantage of your vulnerabilities.

Friday, April 28, 2006

Ruby on Rails and Security

Ruby on Rails is the most recently hyped language, so I thought about testing it out on my development server. I followed the tutorial available on the RoR website. It went fine until I ran a ./script/generate command and got a lot of syntax errors:

/usr/lib/ruby/1.8/yaml.rb:133:in `load': syntax error on line 27, col 2: `  host: localhost' (ArgumentError)
from /usr/lib/ruby/gems/1.8/gems/rails-1.1.2/lib/initializer.rb:459:in `database_configuration'
from /usr/lib/ruby/gems/1.8/gems/rails-1.1.2/lib/initializer.rb:181:in `initialize_database'
from /usr/lib/ruby/gems/1.8/gems/rails-1.1.2/lib/initializer.rb:84:in `process'
from /usr/lib/ruby/gems/1.8/gems/rails-1.1.2/lib/initializer.rb:42:in `run'
from ../config/../config/environment.rb:13
from /usr/lib/site_ruby/1.8/rubygems/custom_require.rb:21:in `require'
from /usr/lib/ruby/gems/1.8/gems/activesupport-1.3.1/lib/active_support/dependencies.rb:147:in `require'
from /usr/lib/ruby/gems/1.8/gems/rails-1.1.2/lib/commands/generate.rb:1
from /usr/lib/site_ruby/1.8/rubygems/custom_require.rb:21:in `require'
from /usr/lib/ruby/gems/1.8/gems/activesupport-1.3.1/lib/active_support/


I started looking around at the folder structure that Rails creates when you generate a new RoR application. Below my main folder (the one the tutorial instructed me to create an alias or virtual directory for) is the config folder. Inside the config folder is the database.yml file, holding my database information, with accounts and hard-coded passwords. (On my box, it's all localhost only, but still...)

Just to check, I fired up my browser and entered http://myserver/myrailsalias/config/database.yml. All the information popped up. I changed the Apache alias to /mypathtorails/public/, which I didn't see in the tutorial. This is a lot more secure: public/ is the only directory in a Rails application meant to be served directly, so config/ and the rest of the tree are no longer reachable by URL. This doesn't mean RoR is any more or less secure than any other interpreted scripting language for web applications, just that right now, it's easy to install it in a less secure manner.

What's the point? Know what you're installing, where it installs, what permissions it needs, and what context it runs as. And don't put your database.yml someplace where anyone can download it. I know there are websites where I could find it, but I'm not going to try. That doesn't mean someone else isn't writing a bot to find it right now.
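The two checks these Rails posts call for, as an added example that is neither the tutorial's nor the Rails project's code: a small audit that reads Apache Alias and DocumentRoot directives, flags any web root under which config/database.yml would be served as a static file (the alias pointing at the application root instead of public/), and scans a database.yml for the blank passwords the MySQL tutorial steers you into. The httpd.conf fragment, the paths, and the database.yml contents are constructed for the example; on a real server you would point it at your own httpd.conf.

```python
import os
import sys

# Constructed httpd.conf fragment in the shape the post describes: one Alias pointing
# at a Rails application root (exposes config/), one pointing at public/ as it should.
# Paths, names and passwords are invented for this example.
SAMPLE_HTTPD_CONF = """
# Rails apps
Alias /myrailsalias /var/www/myrails
Alias /shop "/var/www/shop/public"
DocumentRoot "/var/www/html"
"""

# Stand-in for the filesystem: the set of paths that exist on the (imaginary) server.
SAMPLE_FS = {
    "/var/www/myrails/config/database.yml",
    "/var/www/myrails/public/index.html",
    "/var/www/shop/config/database.yml",
    "/var/www/shop/public/index.html",
    "/var/www/html/index.html",
}

# A database.yml written the way the tutorial's MySQL setup leads to (constructed).
SAMPLE_DATABASE_YML = """\
development:
  adapter: mysql
  database: myrails_development
  username: root
  password:
  host: localhost

production:
  adapter: mysql
  database: myrails_production
  username: rails
  password: s3cret
  host: localhost
"""

def web_roots(httpd_conf):
    """Yield (url_prefix, directory) for every Alias and DocumentRoot directive."""
    for line in httpd_conf.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] not in ("Alias", "DocumentRoot"):
            continue
        directory = parts[-1].strip('"').rstrip("/")
        prefix = parts[1] if parts[0] == "Alias" else "/"
        yield prefix, directory

def exposed_rails_roots(httpd_conf, exists=os.path.exists):
    """Web roots that serve a Rails app root directly, so that
    <prefix>/config/database.yml is a downloadable static file.
    Returns (prefix, directory, url_of_the_exposed_file) triples."""
    findings = []
    for prefix, directory in web_roots(httpd_conf):
        if exists(directory + "/config/database.yml"):
            url = prefix.rstrip("/") + "/config/database.yml"
            findings.append((prefix, directory, url))
    return findings

def blank_passwords(database_yml):
    """Environments in a database.yml whose password is blank (the tutorial's
    'uncheck Modify Security Settings' path gives you exactly this)."""
    env, blank = None, []
    for raw in database_yml.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not raw[0].isspace() and line.endswith(":"):
            env = line[:-1]            # top-level key = environment name
            continue
        key, _, value = line.partition(":")
        if env and key == "password" and value.strip() in ("", "''", '""'):
            blank.append(env)
    return blank

if __name__ == "__main__":
    # With a path argument, audit a real httpd.conf; otherwise run on the samples.
    conf = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HTTPD_CONF
    exists = os.path.exists if len(sys.argv) > 1 else SAMPLE_FS.__contains__
    for prefix, directory, url in exposed_rails_roots(conf, exists):
        print(f"{prefix} -> {directory}: {url} is downloadable; "
              f"point the alias at {directory}/public instead")
    for env in blank_passwords(SAMPLE_DATABASE_YML):
        print(f"database.yml: blank password in the {env} environment")
```

The filesystem test is the whole trick: a Rails public/ directory never contains config/database.yml, so any served directory that does is the application root, whatever the alias is called.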

Oh, and know how Apache works and httpd.conf works, too. All that is a lot to expect for people looking for a simple programming language.


Tuesday, April 25, 2006

DateDiff: How soon is now() ?

For a grad school project we need to build a system that bills people by the amount of time they rent a car. Thus, I needed to use the DateDiff function of VB and SQL in Access. I looked it up using Access help and got to the right MSDN page:

Syntax

DateDiff(interval, date1, date2[, firstdayofweek[, firstweekofyear]])

They tell you that interval is a String and link to what a string is. The part they don't say explicitly is that you need to enclose the interval value in quotation marks. "Of course," you say, "It's a string." Is it too much to ask for an example showing it in use with the quotation marks? e.g.

In Microsoft Access (Jet SQL / VBA), the interval is a string, so it goes in quotes:
WHERE (((Rentals.CarOut)=True)) AND ((DateDiff("h",Rentals.DropOffDate,Now())>3));
In Microsoft SQL Server (Transact-SQL for SQL 2000/2005), the datepart is a keyword, not a string, and a bit column is compared with 1 rather than True:
WHERE Rentals.CarOut = 1 AND DATEDIFF(hh, Rentals.DropOffDate, GETDATE()) > 3;

Where "h" is the Access code for hours and hh (or hour) is the T-SQL one.

I just wanted to write this down someplace before I forget it. And why must Access and T-SQL be different? Now() doesn't work in T-SQL and GETDATE() doesn't work in Access.

Monday, April 24, 2006

The hits I get after updating this blog:

Those blog indexers work fast. Immediately after updating, I checked my log file and this is what I saw:

206.188.0.11 - - [24/Apr/2006:15:20:28 -0400] "GET /blog/index.xml HTTP/1.1" 200 33997 "-" "Java/1.5.0_03"
206.188.0.11 - - [24/Apr/2006:15:20:28 -0400] "GET /blog/2006/04/quick_nmap_for_different_oses.html HTTP/1.1" 200 9707 "-" "Jakarta Commons-HttpClient/3.0"
70.85.178.146 - - [24/Apr/2006:15:20:29 -0400] "GET /blog/index.xml HTTP/1.1" 200 33997 "" "edgeio-retriever (www.edgeio.com)"
65.19.150.209 - - [24/Apr/2006:15:20:37 -0400] "GET /blog/ HTTP/1.1" 200 38102 "-" "OmniExplorer_Bot/6.52 (+http://www.omni-explorer.com) WorldIndexer"
64.158.138.84 - - [24/Apr/2006:15:20:43 -0400] "GET /robots.txt HTTP/1.1" 404 287 "-" "Blogslive (info@blogslive.com)"
64.158.138.84 - - [24/Apr/2006:15:20:43 -0400] "GET /blog/index.xml HTTP/1.1" 200 33997 "-" "Blogslive (info@blogslive.com)"
209.18.119.138 - - [24/Apr/2006:15:20:51 -0400] "GET /blog/index.xml HTTP/1.1" 200 33997 "-" "Jakarta Commons-HttpClient/3.0"
209.18.119.138 - - [24/Apr/2006:15:20:51 -0400] "GET /blog/index.xml HTTP/1.1" 200 33997 "-" "Java/1.5.0_05"
209.18.119.138 - - [24/Apr/2006:15:20:52 -0400] "GET /blog/2006/04/quick_nmap_for_different_oses.html HTTP/1.1" 200 9707 "-" "Jakarta Commons-HttpClient/3.0"
209.191.83.2 - - [24/Apr/2006:15:21:02 -0400] "GET /blog/index.xml HTTP/1.0" 200 33997 "-" "Yahoo-Blogs/v3.9 (compatible; Mozilla 4.0; MSIE 5.5; http://help.yahoo.com/help/us/ysearch/crawling/crawling-02.html )"
209.237.228.229 - - [24/Apr/2006:15:21:10 -0400] "GET /blog HTTP/1.0" 301 313 "-" "Technoratibot/0.7"
209.237.228.229 - - [24/Apr/2006:15:21:10 -0400] "GET /blog/ HTTP/1.0" 200 38102 "-" "Technoratibot/0.7"
209.237.228.229 - - [24/Apr/2006:15:21:11 -0400] "GET /blog/atom.xml HTTP/1.0" 200 93963 "-" "Technoratibot/0.7"
209.237.228.229 - - [24/Apr/2006:15:21:18 -0400] "GET /blog/index.xml HTTP/1.0" 200 33997 "-" "Technoratibot/0.7"

Thus Technorati and the others can keep a pretty good pulse on exactly what people are blogging about at any given moment. This didn't happen with Presstopia.
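The log excerpt above, run through a parser, as an added example that is not part of the original post: it reads Apache combined-format lines, groups hits per client, measures how quickly the indexers arrived, and lists the clients that fetched content without ever asking for /robots.txt, which is the first thing to check when you are trying to tell an indexer from a scanner. The lines are a subset of the ones in the post; nothing else is assumed.

```python
import re
from datetime import datetime

# A subset of the access-log lines from the post above (same hosts and user agents).
SAMPLE_LOG = [
    '206.188.0.11 - - [24/Apr/2006:15:20:28 -0400] "GET /blog/index.xml HTTP/1.1" 200 33997 "-" "Java/1.5.0_03"',
    '70.85.178.146 - - [24/Apr/2006:15:20:29 -0400] "GET /blog/index.xml HTTP/1.1" 200 33997 "" "edgeio-retriever (www.edgeio.com)"',
    '65.19.150.209 - - [24/Apr/2006:15:20:37 -0400] "GET /blog/ HTTP/1.1" 200 38102 "-" "OmniExplorer_Bot/6.52 (+http://www.omni-explorer.com) WorldIndexer"',
    '64.158.138.84 - - [24/Apr/2006:15:20:43 -0400] "GET /robots.txt HTTP/1.1" 404 287 "-" "Blogslive (info@blogslive.com)"',
    '64.158.138.84 - - [24/Apr/2006:15:20:43 -0400] "GET /blog/index.xml HTTP/1.1" 200 33997 "-" "Blogslive (info@blogslive.com)"',
    '209.191.83.2 - - [24/Apr/2006:15:21:02 -0400] "GET /blog/index.xml HTTP/1.0" 200 33997 "-" "Yahoo-Blogs/v3.9 (compatible; Mozilla 4.0; MSIE 5.5; http://help.yahoo.com/help/us/ysearch/crawling/crawling-02.html )"',
    '209.237.228.229 - - [24/Apr/2006:15:21:10 -0400] "GET /blog HTTP/1.0" 301 313 "-" "Technoratibot/0.7"',
    '209.237.228.229 - - [24/Apr/2006:15:21:18 -0400] "GET /blog/index.xml HTTP/1.0" 200 33997 "-" "Technoratibot/0.7"',
]

# Apache "combined" log format: host ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def parse_line(line):
    """Parse one combined-format line into a dict; None if it does not fit the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["when"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def by_client(lines):
    """Group hits per client IP: count, user agents seen, paths requested, and
    whether the client ever asked for /robots.txt."""
    clients = {}
    for rec in filter(None, map(parse_line, lines)):
        c = clients.setdefault(rec["ip"], {"hits": 0, "agents": set(), "paths": [], "robots": False})
        c["hits"] += 1
        c["agents"].add(rec["agent"])
        c["paths"].append(rec["path"])
        if rec["path"] == "/robots.txt":
            c["robots"] = True
    return clients

def crawlers_without_robots(lines):
    """Clients that fetched content but never requested /robots.txt: worth a second
    look, because an indexer that skips it looks just like a scanner."""
    return sorted(ip for ip, c in by_client(lines).items() if not c["robots"])

def spread_seconds(lines):
    """Seconds between the first and last hit: how fast the indexers showed up."""
    times = [r["when"] for r in map(parse_line, lines) if r]
    return int((max(times) - min(times)).total_seconds()) if times else 0

if __name__ == "__main__":
    for ip, c in by_client(SAMPLE_LOG).items():
        print(f"{ip:16} hits={c['hits']} robots.txt={'yes' if c['robots'] else 'no'} "
              f"agents={sorted(c['agents'])}")
    print("arrived within", spread_seconds(SAMPLE_LOG), "seconds")
    print("never asked for robots.txt:", crawlers_without_robots(SAMPLE_LOG))
```

Note that the one client that did ask for robots.txt got a 404; with no file there, every crawler is free to fetch whatever it likes, so the list is about etiquette, not enforcement.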

Quick nmap for different OSes in the lab

Just for fun, I thought I'd compare the ports open on the various boxes in my lab.

Mac OS X v. 10.3.9 (Running Dave)
PORT STATE SERVICE
21/tcp open ftp (Throws a Win98 .com filename "hole" in nessus)
22/tcp open ssh
139/tcp open netbios-ssn
427/tcp open svrloc
445/tcp open microsoft-ds
548/tcp open afpovertcp

Windows XP SP2 Laptop
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds

Fedora Core 4
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
53/tcp open domain
80/tcp open http
443/tcp open https
1241/tcp open nessus
3306/tcp open mysql
10000/tcp open snet-sensor-mgmt (Actually webmin)

Windows Server 2003 DC
PORT STATE SERVICE
42/tcp open nameserver
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
1025/tcp open NFS-or-IIS
1027/tcp open IIS
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
3389/tcp open ms-term-serv




Saturday, April 22, 2006

Exchange 12: Open Ports

I was curious as to what Exchange 12 opened on my old Dell, so I ran a quick nmap scan. I also have SQL 2005 running, so that's open, too. As you can see from the list below, not all nmap service reports are accurate. Pretty short compared to my Fedora Core 4 box running Apache, MySQL, and Sendmail.

PORT STATE SERVICE
25/tcp open smtp
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
593/tcp open http-rpc-epmap
1040/tcp open netsaint
1083/tcp open ansoft-lm-1
1155/tcp open nfa
1433/tcp open ms-sql-s
3389/tcp open ms-term-serv
5001/tcp open commplex-link
6001/tcp open X11:1
6002/tcp open X11:2
6004/tcp open X11:4
8009/tcp open ajp13

Two System Log Errors from the scan, One System Log Warning:
None, message: An anonymous session connected from 10.10.10.15 has attempted to open an LSA policy handle on this machine. The attempt was rejected with STATUS_ACCESS_DENIED to prevent leaking security sensitive information to the anonymous caller. The application that made this attempt needs to be fixed. Please contact the application vendor. As a temporary workaround, this security measure can be disabled by setting the \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\TurnOffAnonymousBlock DWORD value to 1. This message will be logged at most once a day. , Matched on: Type: Error , timestamp: 16:54:50 04/22/106

TermDD:50 on xxxx, category: None, message: The RDP protocol component X.224 detected an error in the protocol stream and has disconnected the client. , Matched on: Type: Error , timestamp: 16:55:08 04/22/106

The Security System has received an authentication request that could not be decoded. The request has failed.

The Exchange roles running on this box include everything except gateway. (Client Access, Mail Store, Bridgehead).

For the full Nessus 3.0 report, read on.

NESSUS SECURITY SCAN REPORT
Created 22.04.2006 Sorted by host names
Session Name : Exchange12
Start Time : 22.04.2006 17:20:14
Finish Time : 22.04.2006 17:21:26
Elapsed Time : 0 day(s) 00:01:11
Total security holes found : 58
high severity : 0
Medium severity : 1
informational : 57
Host: xxxxxxxxxx
Open ports:
smtp (25/tcp)
http (80/tcp)
epmap (135/tcp)
netbios-ssn (139/tcp)
https (443/tcp)
microsoft-ds (445/tcp)
http-rpc-epmap (593/tcp)
netarx (1040/tcp)
cplscrambler-in (1087/tcp)
ms-sql-m (1434/udp)
unknown (1148/tcp)
ansoft-lm-1 (1083/tcp)
nfa (1155/tcp)
jstel (1064/tcp)
unknown (1172/tcp)
ff-fms (1090/tcp)
hpvmmagent (1125/tcp)
ms-wbt-server (3389/tcp)
ms-sql-s (1433/tcp)
netbios-ns (137/tcp)
Service: ms-wbt-server (3389/tcp)
Severity: Medium
Synopsis :
It may be possible to get access to the remote host.
Description :
The remote version of Remote Desktop Protocol Server (Terminal Service) is
vulnerable to a man in the middle attack.
An attacker may exploit this flaw to decrypt communications between client
and server and obtain sensitive information (passwords, ...).
See also :
http://www.oxid.it/downloads/rdp-gbu.pdf
Solution :
None at this time.
Risk factor :
Medium / CVSS Base Score : 6
(AV:R/AC:H/Au:NR/C:P/A:P/I:P/B:N)
CVE : CVE-2005-1794
BID : 13818
Service: https (443/tcp)
Severity: Info
Here is the SSLv2 server certificate:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
(Negative)12:8a:24:b7:8f:aa:2c:7f:b2:cc:ce:f7:f9:f3:49:08
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=xxxx, CN=Exchange Edge Certificate
Validity
Not Before: Apr 5 04:17:26 2006 GMT
Not After : Apr 5 04:17:26 2011 GMT
Subject: CN=xxxx, CN=Exchange Edge Certificate
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:bb:ab:21:ac:2b:64:08:88:68:66:45:33:2a:af:
9a:87:14:34:0a:4e:db:f1:9e:42:69:11:c5:fb:e9:
eb:f1:c5:4c:a6:ea:c2:e9:30:11:4a:36:80:ec:7c:
32:5d:ce:12:fd:8c:0b:af:da:38:d2:8a:86:94:cb:
a7:8a:18:c7:c6:89:7d:8d:c2:f1:17:9f:12:b6:91:
f4:6b:79:67:e7:e0:2c:40:87:99:90:e3:75:9d:da:
57:75:b2:92:e4:bb:32:4f:49:93:63:a7:3e:22:f3:
03:8f:24:c8:e9:8b:5c:5f:dc:e2:e6:8f:d9:1e:cf:
cb:7f:27:a8:8d:08:86:fa:39
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
Signature Algorithm: sha1WithRSAEncryption
82:f5:ab:4b:4e:35:9d:31:99:38:af:ce:07:92:9d:8c:5c:aa:
fd:d8:c2:6e:a4:74:32:4f:23:79:ce:fd:91:92:60:d5:6b:8e:
70:e6:1e:3c:24:6e:e9:2b:66:97:de:e6:7a:33:35:d2:b8:bb:
94:4d:1f:fc:d7:00:b2:ac:1a:f9:99:7c:af:5e:fd:3f:40:ca:
da:98:be:ca:75:f7:9b:c2:ab:f0:5b:51:46:49:8d:fa:6b:7d:
80:f5:c3:d3:78:4f:e0:0b:35:85:69:38:aa:b2:6c:27:5f:de:
d2:39:a0:6a:a5:a9:2a:6b:79:f8:7a:6c:71:4a:d5:9d:9f:28:
c5:c4
Here is the list of available SSLv2 ciphers:
RC4-MD5
EXP-RC4-MD5
RC2-CBC-MD5
EXP-RC2-CBC-MD5
DES-CBC-MD5
DES-CBC3-MD5
The SSLv2 server offers 4 strong ciphers, but also
0 medium strength and 2 weak "export class" ciphers.
The weak/medium ciphers may be chosen by an export-grade
or badly configured client software. They only offer a
limited protection against a brute force attack
Solution: disable those ciphers and upgrade your client
software if necessary.
See http://support.microsoft.com/default.aspx?scid=kb;en-us;216482
or http://httpd.apache.org/docs-2.0/mod/mod_ssl.html#sslciphersuite
This SSLv2 server also accepts SSLv3 connections.
This SSLv2 server also accepts TLSv1 connections.
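The SSLv2 cipher finding above, reproduced by hand as an added example (this is neither Nessus output nor Microsoft's code): a raw-socket probe that sends an SSLv2 CLIENT-HELLO and parses the SERVER-HELLO, which is how you confirm the finding yourself now that OpenSSL-based tools no longer speak SSLv2 at all. The cipher-spec codes are the ones from the SSL 2.0 specification, mapped to the OpenSSL names in the report; the SERVER-HELLO used for the offline check is constructed, with placeholder bytes where the certificate would be.

```python
import os
import socket
import struct

# SSLv2 CIPHER-SPEC codes (3 bytes each, from the SSL 2.0 specification) and the
# OpenSSL names Nessus uses for them.
SSLV2_CIPHERS = {
    b"\x01\x00\x80": "RC4-MD5",
    b"\x02\x00\x80": "EXP-RC4-MD5",
    b"\x03\x00\x80": "RC2-CBC-MD5",
    b"\x04\x00\x80": "EXP-RC2-CBC-MD5",
    b"\x05\x00\x80": "IDEA-CBC-MD5",
    b"\x06\x00\x40": "DES-CBC-MD5",
    b"\x07\x00\xc0": "DES-CBC3-MD5",
}
EXPORT_CIPHERS = {"EXP-RC4-MD5", "EXP-RC2-CBC-MD5"}   # 40-bit "export class"

def build_client_hello(challenge=None):
    """SSLv2 CLIENT-HELLO offering every cipher spec above, in a 2-byte record
    header (high bit set: 15-bit length, no padding byte)."""
    challenge = challenge or os.urandom(16)
    specs = b"".join(SSLV2_CIPHERS)
    body = (b"\x01"                                   # MSG-CLIENT-HELLO
            + b"\x00\x02"                             # CLIENT-VERSION 2
            + struct.pack(">HHH", len(specs), 0, len(challenge))
            + specs + challenge)                      # no session id
    return struct.pack(">H", 0x8000 | len(body)) + body

def parse_server_hello(data):
    """Parse an SSLv2 SERVER-HELLO record. Returns (version, certificate_bytes,
    [cipher names the server is willing to use]) or None when the reply is not an
    SSLv2 SERVER-HELLO (a TLS alert, a closed socket, garbage)."""
    if len(data) < 3:
        return None
    if data[0] & 0x80:                                # 2-byte header
        length, body = struct.unpack(">H", data[:2])[0] & 0x7fff, data[2:]
    else:                                             # 3-byte header with padding byte
        length, body = ((data[0] & 0x3f) << 8) | data[1], data[3:]
    body = body[:length]
    if len(body) < 11 or body[0] != 0x04:             # MSG-SERVER-HELLO
        return None
    # body[1] = SESSION-ID-HIT, body[2] = CERTIFICATE-TYPE, then four 16-bit fields
    version, cert_len, spec_len, conn_id_len = struct.unpack(">HHHH", body[3:11])
    cert = body[11:11 + cert_len]
    specs = body[11 + cert_len:11 + cert_len + spec_len]
    names = [SSLV2_CIPHERS.get(specs[i:i + 3], specs[i:i + 3].hex())
             for i in range(0, len(specs) - len(specs) % 3, 3)]
    return version, cert, names

def export_ciphers(names):
    """The export-grade subset, in the order the server listed them."""
    return [n for n in names if n in EXPORT_CIPHERS]

def probe(host, port=443, timeout=5.0):
    """Send the CLIENT-HELLO to a live server you own and parse the reply.
    None means the server does not speak SSLv2 at all."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        data = b""
        try:
            while len(data) < 65536:
                chunk = s.recv(4096)
                if not chunk:
                    break
                data += chunk
        except socket.timeout:
            pass
    return parse_server_hello(data)

def sample_server_hello():
    """A constructed SERVER-HELLO (placeholder bytes instead of a real DER certificate)
    answering with the six ciphers the Nessus report above lists for port 443."""
    specs = b"".join(code for code, name in SSLV2_CIPHERS.items() if name != "IDEA-CBC-MD5")
    cert, conn_id = b"\x30\x82\x00\x00", b"\xaa" * 16
    body = (b"\x04\x00\x01" + struct.pack(">HHHH", 2, len(cert), len(specs), len(conn_id))
            + cert + specs + conn_id)
    return struct.pack(">H", 0x8000 | len(body)) + body

if __name__ == "__main__":
    version, cert, names = parse_server_hello(sample_server_hello())
    print(f"SSLv2 version {version}, {len(cert)}-byte certificate, ciphers: {names}")
    print("export-grade:", export_ciphers(names))
```

Against a server with SSLv2 disabled, probe() gets a TLS alert or a dropped connection and returns None; a SERVER-HELLO that still comes back lists exactly the ciphers the report complains about, and the export-grade ones are the 40-bit keys the fix in KB 216482 turns off.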
Service: netbios-ns (137/tcp)
Severity: Info
Synopsis :
It is possible to obtain the network name of the remote host.
Description :
The remote host listens on udp port 137 and replies to NetBIOS
nbtscan requests.
By sending a wildcard request it is possible to obtain the name of
the remote system and the name of its domain.
Risk factor :
None
Plugin output :
The following 4 NetBIOS names have been gathered :
xxxx = Computer name
xxxx = Workgroup / Domain name
xxxx = File Server Service
xxxx = Browser Service Elections
The remote host has the following MAC address on its adapter :
00:14:22:2f:a4:0a
CVE : CVE-1999-0621
Service: netbios-ssn (139/tcp)
Severity: Info
An SMB server is running on this port
Service: microsoft-ds (445/tcp)
Severity: Info
A CIFS server is running on this port
Service: microsoft-ds (445/tcp)
Severity: Info
Synopsis :
It is possible to obtain information about the remote os.
Description :
It is possible to get the remote operating system name and
version (Windows and/or Samba) by sending an authentication
request to port 139 or 445.
Risk factor :
None
Plugin output :
The remote Operating System is : Windows Server 2003 3790 Service Pack 1
The remote native lan manager is : Windows Server 2003 5.2
The remote SMB Domain Name is : xxxx
Service: https (443/tcp)
Severity: Info
Synopsis :
The remote service encrypts traffic using a protocol with known
weaknesses.
Description :
The remote service accepts connections encrypted using SSL 2.0, which
reportedly suffers from several cryptographic flaws and has been
deprecated for several years. An attacker may be able to exploit these
issues to conduct man-in-the-middle attacks or decrypt communications
between the affected service and clients.
See also :
http://www.schneier.com/paper-ssl.pdf
Solution :
Consult the application's documentation to disable SSL 2.0 and use SSL
3.0 or TLS 1.0 instead.
Risk factor :
Low / CVSS Base Score : 2
(AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)
Service: microsoft-ds (445/tcp)
Severity: Info
Synopsis :
It is possible to obtain network information.
Description :
It was possible to obtain the browse list of the remote
Windows system by sending a request to the LANMAN pipe.
The browse list is the list of the nearest Windows systems
of the remote host.
Risk factor :
None
Plugin output :
Here is the browse list of the remote host :
xxxx ( os: 5.2 )
xxxx ( os: 5.2 )
xxxx ( os: 5.0 )
Service: microsoft-ds (445/tcp)
Severity: Info
Synopsis :
Access the remote Windows Registry.
Description :
It was not possible to connect to PIPE\winreg on the remote host.
If you intend to use Nessus to perform registry-based checks, the
registry checks will not work because the 'Remote Registry Access'
service (winreg) has been disabled on the remote host or can not be
connected to with the supplied credentials.
Risk factor :
None
Service: epmap (135/tcp)
Severity: Info
Synopsis :
A DCE/RPC service is running on the remote host.
Description :
By sending a Lookup request to the port 135 it was possible to
enumerate the Distributed Computing Environment (DCE) services
running on the remote port.
Using this information it is possible to connect and bind to
each service by sending an RPC request to the remote port/pipe.
Risk factor :
None
Plugin output :
The following DCERPC services are available locally :
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5, version 1.0
Description : DHCP Client Service
Windows process : svchost.exe
Annotation : DHCP Client LRPC Endpoint
Type : Local RPC service
Named pipe : dhcpcsvc
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5, version 1.0
Description : DHCP Client Service
Windows process : svchost.exe
Annotation : DHCP Client LRPC Endpoint
Type : Local RPC service
Named pipe : DNSResolver
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : OLE3FE22211E0134E1B84B011CA6BEB
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : wzcsvc
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : OLE3FE22211E0134E1B84B011CA6BEB
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : wzcsvc
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : OLE3FE22211E0134E1B84B011CA6BEB
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 2f5f6521-cb55-1059-b446-00df0bce31db, version 1.0
Description : Unknown RPC service
Annotation : Unimodem LRPC Endpoint
Type : Local RPC service
Named pipe : tapsrvlpc
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 2f5f6521-cb55-1059-b446-00df0bce31db, version 1.0
Description : Unknown RPC service
Annotation : Unimodem LRPC Endpoint
Type : Local RPC service
Named pipe : unimdmsvc
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 3473dd4d-2e88-4006-9cba-22570909dd10, version 5.0
Description : Unknown RPC service
Annotation : WinHttp Auto-Proxy Service
Type : Local RPC service
Named pipe : W32TIME_ALT
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 5be7c8ee-c646-462a-9800-50f165e56a5d, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : LRPC000001a4.00000001
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 8384fc47-956a-4d1e-ab2a-1205014f96ec, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : LRPC00000778.00000001
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : b4757e80-a0e4-46b4-876a-3ae4a548ee07, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : LRPC00000778.00000001
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 41f5fae1-e0ac-414c-a721-0d287466cb23, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : LRPC00000778.00000001
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : bd5790c9-d855-42b0-990f-3dfed8c184b3, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : LRPC00000778.00000001
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : a4f1db00-ca47-1067-b31e-00dd010662da, version 1.0
Description : Exchange Server STORE ADMIN Interface
Windows process : store.exe
Annotation : Exchange Server STORE ADMIN Interface
Type : Local RPC service
Named pipe : MSExchangeIS_LPC
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 89742ace-a9ed-11cf-9c0c-08002be7ae86, version 2.0
Description : Exchange Server STORE ADMIN Interface
Windows process : store.exe
Annotation : Exchange Server STORE ADMIN Interface
Type : Local RPC service
Named pipe : MSExchangeIS_LPC
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 99e64010-b032-11d0-97a4-00c04fd6551d, version 3.0
Description : Exchange Server STORE ADMIN Interface
Windows process : store.exe
Annotation : Exchange Server STORE ADMIN Interface
Type : Local RPC service
Named pipe : MSExchangeIS_LPC
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 99e64010-b032-11d0-97a4-00c04fd6551d, version 4.0
Description : Exchange Server STORE ADMIN Interface
Windows process : store.exe
Annotation : Exchange Server STORE ADMIN Interface
Type : Local RPC service
Named pipe : MSExchangeIS_LPC
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : da107c01-2b50-44d7-9d5f-bfd4fd8e95ed, version 5.0
Description : Unknown RPC service
Annotation : Exchange Server STORE ADMIN Interface
Type : Local RPC service
Named pipe : MSExchangeIS_LPC
Object UUID : c442c1a7-237f-4b30-a14d-e3e398fe8abd
UUID : 10f24e8e-0fa6-11d2-a910-00c04f990f3b, version 1.0
Description : Microsoft Information Store
Windows process : store.exe
Annotation : Microsoft Information Store
Type : Local RPC service
Named pipe : MSExchangeIS_LPC
Object UUID : c442c1a7-237f-4b30-a14d-e3e398fe8abd
UUID : 10f24e8e-0fa6-11d2-a910-00c04f990f3b, version 1.0
Description : Microsoft Information Store
Windows process : store.exe
Annotation : Microsoft Information Store
Type : Local RPC service
Named pipe : OLED6997C78ABDC4158A38937E08CF9
Object UUID : c442c1a7-237f-4b30-a14d-e3e398fe8abd
UUID : 1453c42c-0fa6-11d2-a910-00c04f990f3b, version 1.0
Description : Microsoft Information Store
Windows process : store.exe
Annotation : Microsoft Information Store
Type : Local RPC service
Named pipe : MSExchangeIS_LPC
Object UUID : c442c1a7-237f-4b30-a14d-e3e398fe8abd
UUID : 1453c42c-0fa6-11d2-a910-00c04f990f3b, version 1.0
Description : Microsoft Information Store
Windows process : store.exe
Annotation : Microsoft Information Store
Type : Local RPC service
Named pipe : OLED6997C78ABDC4158A38937E08CF9
Object UUID : c442c1a7-237f-4b30-a14d-e3e398fe8abd
UUID : 0e4a0156-dd5d-11d2-8c2f-00c04fb6bcde, version 1.0
Description : Microsoft Information Store
Windows process : store.exe
Annotation : Microsoft Information Store
Type : Local RPC service
Named pipe : MSExchangeIS_LPC
Object UUID : c442c1a7-237f-4b30-a14d-e3e398fe8abd
UUID : 0e4a0156-dd5d-11d2-8c2f-00c04fb6bcde, version 1.0
Description : Microsoft Information Store
Windows process : store.exe
Annotation : Microsoft Information Store
Type : Local RPC service
Named pipe : OLED6997C78ABDC4158A38937E08CF9
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : a4f1db00-ca47-1067-b31f-00dd010662da, version 0.0
Description : Exchange Server STORE EMSMDB Interface
Windows process : store.exe
Annotation : Exchange Server STORE EMSMDB Interface
Type : Local RPC service
Named pipe : MSExchangeIS_LPC
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : a4f1db00-ca47-1067-b31f-00dd010662da, version 0.0
Description : Exchange Server STORE EMSMDB Interface
Windows process : store.exe
Annotation : Exchange Server STORE EMSMDB Interface
Type : Local RPC service
Named pipe : OLED6997C78ABDC4158A38937E08CF9
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 5261574a-4572-206e-b268-6b199213b4e4, version 0.0
Description : Unknown RPC service
Annotation : Exchange Server STORE Async EMSMDB Interface
Type : Local RPC service
Named pipe : MSExchangeIS_LPC
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 5261574a-4572-206e-b268-6b199213b4e4, version 0.0
Description : Unknown RPC service
Annotation : Exchange Server STORE Async EMSMDB Interface
Type : Local RPC service
Named pipe : OLED6997C78ABDC4158A38937E08CF9
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 76209fe5-9049-4336-ba84-632d907cb154, version 1.0
Description : Unknown RPC service
Annotation : Interprocess Logon Service
Type : Local RPC service
Named pipe : OLE128CD5FE9C354C4F8C66B7C573A7
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 76209fe5-9049-4336-ba84-632d907cb154, version 1.0
Description : Unknown RPC service
Annotation : Interprocess Logon Service
Type : Local RPC service
Named pipe : ReportingServices$MSSQL.3
Object UUID : 469d6ec0-0d87-11ce-b13f-00aa003bac6c
UUID : 469d6ec0-0d87-11ce-b13f-00aa003bac6c, version 16.0
Description : MS Exchange System Attendant Public Interface
Windows process : mad.exe
Annotation : MS Exchange System Attendant Public Interface
Type : Local RPC service
Named pipe : LRPC00000890.00000001
Object UUID : 83d72bf0-0d89-11ce-b13f-00aa003bac6c
UUID : 83d72bf0-0d89-11ce-b13f-00aa003bac6c, version 6.0
Description : MS Exchange System Attendant Private Interface
Windows process : mad.exe
Annotation : MS Exchange System Attendant Private Interface
Type : Local RPC service
Named pipe : LRPC00000890.00000001
Object UUID : f930c514-1215-11d3-99a5-00a0c9b61b04
UUID : f930c514-1215-11d3-99a5-00a0c9b61b04, version 1.0
Description : MS Exchange System Attendant Cluster Interface
Windows process : mad.exe
Annotation : MS Exchange System Attendant Cluster Interface
Type : Local RPC service
Named pipe : LRPC00000890.00000001
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 3cb4be69-9ba1-448c-9a44-a1f759a1878a, version 1.0
Description : Unknown RPC service
Annotation : MS Exchange Recipient Update Service RPC Interface
Type : Local RPC service
Named pipe : LRPC00000890.00000001
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 3cb4be69-9ba1-448c-9a44-a1f759a1878a, version 1.0
Description : Unknown RPC service
Annotation : MS Exchange Recipient Update Service RPC Interface
Type : Local RPC service
Named pipe : OLE1D1D71DF8AAA4500AB5BCC7122B5
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 1544f5e0-613c-11d1-93df-00c04fd7bd09, version 1.0
Description : MS Exchange Directory RFR Interface
Windows process : unknown
Annotation : MS Exchange Directory RFR Interface
Type : Local RPC service
Named pipe : LRPC00000890.00000001
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 1544f5e0-613c-11d1-93df-00c04fd7bd09, version 1.0
Description : MS Exchange Directory RFR Interface
Windows process : unknown
Annotation : MS Exchange Directory RFR Interface
Type : Local RPC service
Named pipe : OLE1D1D71DF8AAA4500AB5BCC7122B5
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 91ae6020-9e3c-11cf-8d7c-00aa00c091be, version 0.0
Description : Certificate Service
Windows process : unknown
Type : Local RPC service
Named pipe : OLE4B123A1724B243B4A3709CD0AC62
Object UUID : 582ca130-3f68-4f89-9eac-cd89fbc1e36e
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Distributed Transaction Coordinator
Windows process : msdtc.exe
Type : Local RPC service
Named pipe : LRPC00000284.00000001
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0
Description : IPsec Services (Windows XP & 2003)
Windows process : lsass.exe
Annotation : IPSec Policy agent endpoint
Type : Local RPC service
Named pipe : audit
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0
Description : IPsec Services (Windows XP & 2003)
Windows process : lsass.exe
Annotation : IPSec Policy agent endpoint
Type : Local RPC service
Named pipe : securityevent
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0
Description : IPsec Services (Windows XP & 2003)
Windows process : lsass.exe
Annotation : IPSec Policy agent endpoint
Type : Local RPC service
Named pipe : protected_storage
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0
Description : IPsec Services (Windows XP & 2003)
Windows process : lsass.exe
Annotation : IPSec Policy agent endpoint
Type : Local RPC service
Named pipe : dsrole
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Local RPC service
Named pipe : audit
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Local RPC service
Named pipe : securityevent
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Local RPC service
Named pipe : protected_storage
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Local RPC service
Named pipe : dsrole
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : a7a183af-1665-4765-bb94-90b878ebf12f, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : LRPC00000180.00000001
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : b9fadb8d-53a1-41d7-b763-88d884b6b829, version 1.0
Description : Unknown RPC service
Annotation : Microsoft Exchange Topology Information Server RPC Interface
Type : Local RPC service
Named pipe : LRPC0000069c.00000001
Object UUID : afce9b69-ac94-4f23-9eb4-fde0fa07148b
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Distributed Transaction Coordinator
Windows process : msdtc.exe
Type : Local RPC service
Named pipe : LRPC0000060c.00000001
Object UUID : 697bd66b-c06b-422d-8648-739a1ca111ce
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Distributed Transaction Coordinator
Windows process : msdtc.exe
Type : Local RPC service
Named pipe : LRPC0000060c.00000001
Object UUID : f3e3ab0f-b6b5-44ba-aac1-e5ad00227733
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Distributed Transaction Coordinator
Windows process : msdtc.exe
Type : Local RPC service
Named pipe : LRPC0000060c.00000001
Object UUID : c7e627e4-ef6d-401d-a726-a92f95ace410
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Distributed Transaction Coordinator
Windows process : msdtc.exe
Type : Local RPC service
Named pipe : LRPC0000060c.00000001
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : wzcsvc
Service: microsoft-ds (445/tcp)
Severity: Info
Synopsis :
A DCE/RPC service is running on the remote host.
Description :
By sending a Lookup request to the port 135 it was possible to
enumerate the Distributed Computing Environment (DCE) services
running on the remote port.
Using this information it is possible to connect and bind to
each service by sending an RPC request to the remote port/pipe.
Risk factor :
None
Plugin output :
The following DCERPC services are available remotely :
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Remote RPC service
Named pipe : \PIPE\atsvc
Netbios name : \\xxxx
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Remote RPC service
Named pipe : \PIPE\atsvc
Netbios name : \\xxxx
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Remote RPC service
Named pipe : \PIPE\atsvc
Netbios name : \\xxxx
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 2f5f6521-cb55-1059-b446-00df0bce31db, version 1.0
Description : Unknown RPC service
Annotation : Unimodem LRPC Endpoint
Type : Remote RPC service
Named pipe : \pipe\tapsrv
Netbios name : \\xxxx
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 3473dd4d-2e88-4006-9cba-22570909dd10, version 5.0
Description : Unknown RPC service
Annotation : WinHttp Auto-Proxy Service
Type : Remote RPC service
Named pipe : \PIPE\W32TIME_ALT
Netbios name : \\xxxx
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 91ae6020-9e3c-11cf-8d7c-00aa00c091be, version 0.0
Description : Certificate Service
Windows process : unknown
Type : Remote RPC service
Named pipe : \pipe\cert
Netbios name : \\xxxx
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0
Description : IPsec Services (Windows XP & 2003)
Windows process : lsass.exe
Annotation : IPSec Policy agent endpoint
Type : Remote RPC service
Named pipe : \PIPE\lsass
Netbios name : \\xxxx
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0
Description : IPsec Services (Windows XP & 2003)
Windows process : lsass.exe
Annotation : IPSec Policy agent endpoint
Type : Remote RPC service
Named pipe : \PIPE\protected_storage
Netbios name : \\xxxx
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Remote RPC service
Named pipe : \PIPE\lsass
Netbios name : \\xxxx
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Remote RPC service
Named pipe : \PIPE\protected_storage
Netbios name : \\xxxx
Service: hpvmmagent (1125/tcp)
Severity: Info
Synopsis :
A DCE/RPC service is running on the remote host.
Description :
By sending a Lookup request to the port 135 it was possible to
enumerate the Distributed Computing Environment (DCE) services
running on the remote port.
Using this information it is possible to connect and bind to
each service by sending an RPC request to the remote port/pipe.
Risk factor :
None
Plugin output :
The following DCERPC services are available on TCP port 1125 :
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : f5cc5a18-4264-101a-8c59-08002b2f8426, version 56.0
Description : Active Directory Name Service Provider (NSP)
Windows process : unknown
Annotation : MS Exchange Directory NSPI Proxy
Type : Remote RPC service
TCP Port : 1125
IP : 10.10.10.201
Service: ms-wbt-server (3389/tcp)
Severity: Info
Synopsis :
The Terminal Services are enabled on the remote host.
Description :
Terminal Services allow a Windows user to remotely obtain
a graphical login (and therefore act as a local user on the
remote host).
If an attacker gains a valid login and password, he may
be able to use this service to gain further access
on the remote host. An attacker may also use this service
to mount a dictionary attack against the remote host to try
to log in remotely.
Note that RDP (the Remote Desktop Protocol) is vulnerable
to Man-in-the-middle attacks, making it easy for attackers to
steal the credentials of legitimate users by impersonating the
Windows server.
Solution :
Disable the Terminal Services if you do not use them, and
do not allow this service to run across the internet
Risk factor :
None / CVSS Base Score : 0
(AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N)
BID : 3099, 7258
Service: ff-fms (1090/tcp)
Severity: Info
Synopsis :
A DCE/RPC service is running on the remote host.
Description :
By sending a Lookup request to the port 135 it was possible to
enumerate the Distributed Computing Environment (DCE) services
running on the remote port.
Using this information it is possible to connect and bind to
each service by sending an RPC request to the remote port/pipe.
Risk factor :
None
Plugin output :
The following DCERPC services are available on TCP port 1090 :
Object UUID : 469d6ec0-0d87-11ce-b13f-00aa003bac6c
UUID : 469d6ec0-0d87-11ce-b13f-00aa003bac6c, version 16.0
Description : MS Exchange System Attendant Public Interface
Windows process : mad.exe
Annotation : MS Exchange System Attendant Public Interface
Type : Remote RPC service
TCP Port : 1090
IP : 10.10.10.201
Object UUID : 83d72bf0-0d89-11ce-b13f-00aa003bac6c
UUID : 83d72bf0-0d89-11ce-b13f-00aa003bac6c, version 6.0
Description : MS Exchange System Attendant Private Interface
Windows process : mad.exe
Annotation : MS Exchange System Attendant Private Interface
Type : Remote RPC service
TCP Port : 1090
IP : 10.10.10.201
Object UUID : f930c514-1215-11d3-99a5-00a0c9b61b04
UUID : f930c514-1215-11d3-99a5-00a0c9b61b04, version 1.0
Description : MS Exchange System Attendant Cluster Interface
Windows process : mad.exe
Annotation : MS Exchange System Attendant Cluster Interface
Type : Remote RPC service
TCP Port : 1090
IP : 10.10.10.201
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 3cb4be69-9ba1-448c-9a44-a1f759a1878a, version 1.0
Description : Unknown RPC service
Annotation : MS Exchange Recipient Update Service RPC Interface
Type : Remote RPC service
TCP Port : 1090
IP : 10.10.10.201
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 1544f5e0-613c-11d1-93df-00c04fd7bd09, version 1.0
Description : MS Exchange Directory RFR Interface
Windows process : unknown
Annotation : MS Exchange Directory RFR Interface
Type : Remote RPC service
TCP Port : 1090
IP : 10.10.10.201
Service: general/tcp
Severity: Info
10.10.10.201 resolves as xxxx.
Service: unknown (1172/tcp)
Severity: Info
Synopsis :
A DCE/RPC service is running on the remote host.
Description :
By sending a Lookup request to the port 135 it was possible to
enumerate the Distributed Computing Environment (DCE) services
running on the remote port.
Using this information it is possible to connect and bind to
each service by sending an RPC request to the remote port/pipe.
Risk factor :
None
Plugin output :
The following DCERPC services are available on TCP port 1172 :
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 5be7c8ee-c646-462a-9800-50f165e56a5d, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
TCP Port : 1172
IP : 10.10.10.201
Service: https (443/tcp)
Severity: Info
A web server is running on this port through SSL
Service: jstel (1064/tcp)
Severity: Info
Synopsis :
A DCE/RPC service is running on the remote host.
Description :
By sending a Lookup request to the port 135 it was possible to
enumerate the Distributed Computing Environment (DCE) services
running on the remote port.
Using this information it is possible to connect and bind to
each service by sending an RPC request to the remote port/pipe.
Risk factor :
None
Plugin output :
The following DCERPC services are available on TCP port 1064 :
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : a7a183af-1665-4765-bb94-90b878ebf12f, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
TCP Port : 1064
IP : 10.10.10.201
Service: smtp (25/tcp)
Severity: Info
An SMTP server is running on this port
Here is its banner :
220 xxxx Microsoft ESMTP MAIL Service ready at Sat, 22 Apr 2006 17:19:23 -0400
Service: nfa (1155/tcp)
Severity: Info
Synopsis :
A DCE/RPC service is running on the remote host.
Description :
By sending a Lookup request to the port 135 it was possible to
enumerate the Distributed Computing Environment (DCE) services
running on the remote port.
Using this information it is possible to connect and bind to
each service by sending an RPC request to the remote port/pipe.
Risk factor :
None
Plugin output :
The following DCERPC services are available on TCP port 1155 :
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 8384fc47-956a-4d1e-ab2a-1205014f96ec, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
TCP Port : 1155
IP : 10.10.10.201
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : b4757e80-a0e4-46b4-876a-3ae4a548ee07, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
TCP Port : 1155
IP : 10.10.10.201
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 41f5fae1-e0ac-414c-a721-0d287466cb23, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
TCP Port : 1155
IP : 10.10.10.201
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : bd5790c9-d855-42b0-990f-3dfed8c184b3, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
TCP Port : 1155
IP : 10.10.10.201
Service: general/udp
Severity: Info
For your information, here is the traceroute from 10.10.10.15 to 10.10.10.201 :
10.10.10.15
10.10.10.201
Service: ansoft-lm-1 (1083/tcp)
Severity: Info
Synopsis :
A DCE/RPC service is running on the remote host.
Description :
By sending a Lookup request to the port 135 it was possible to
enumerate the Distributed Computing Environment (DCE) services
running on the remote port.
Using this information it is possible to connect and bind to
each service by sending an RPC request to the remote port/pipe.
Risk factor :
None
Plugin output :
The following DCERPC services are available on TCP port 1083 :
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 91ae6020-9e3c-11cf-8d7c-00aa00c091be, version 0.0
Description : Certificate Service
Windows process : unknown
Type : Remote RPC service
TCP Port : 1083
IP : 10.10.10.201
Service: http (80/tcp)
Severity: Info
A web server is running on this port
Service: unknown (1148/tcp)
Severity: Info
Synopsis :
A DCE/RPC service is running on the remote host.
Description :
By sending a Lookup request to the port 135 it was possible to
enumerate the Distributed Computing Environment (DCE) services
running on the remote port.
Using this information it is possible to connect and bind to
each service by sending an RPC request to the remote port/pipe.
Risk factor :
None
Plugin output :
The following DCERPC services are available on TCP port 1148 :
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : a4f1db00-ca47-1067-b31e-00dd010662da, version 1.0
Description : Exchange Server STORE ADMIN Interface
Windows process : store.exe
Annotation : Exchange Server STORE ADMIN Interface
Type : Remote RPC service
TCP Port : 1148
IP : 10.10.10.201
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 89742ace-a9ed-11cf-9c0c-08002be7ae86, version 2.0
Description : Exchange Server STORE ADMIN Interface
Windows process : store.exe
Annotation : Exchange Server STORE ADMIN Interface
Type : Remote RPC service
TCP Port : 1148
IP : 10.10.10.201
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 99e64010-b032-11d0-97a4-00c04fd6551d, version 3.0
Description : Exchange Server STORE ADMIN Interface
Windows process : store.exe
Annotation : Exchange Server STORE ADMIN Interface
Type : Remote RPC service
TCP Port : 1148
IP : 10.10.10.201
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 99e64010-b032-11d0-97a4-00c04fd6551d, version 4.0
Description : Exchange Server STORE ADMIN Interface
Windows process : store.exe
Annotation : Exchange Server STORE ADMIN Interface
Type : Remote RPC service
TCP Port : 1148
IP : 10.10.10.201
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : da107c01-2b50-44d7-9d5f-bfd4fd8e95ed, version 5.0
Description : Unknown RPC service
Annotation : Exchange Server STORE ADMIN Interface
Type : Remote RPC service
TCP Port : 1148
IP : 10.10.10.201
Object UUID : c442c1a7-237f-4b30-a14d-e3e398fe8abd
UUID : 10f24e8e-0fa6-11d2-a910-00c04f990f3b, version 1.0
Description : Microsoft Information Store
Windows process : store.exe
Annotation : Microsoft Information Store
Type : Remote RPC service
TCP Port : 1148
IP : 10.10.10.201
Object UUID : c442c1a7-237f-4b30-a14d-e3e398fe8abd
UUID : 1453c42c-0fa6-11d2-a910-00c04f990f3b, version 1.0
Description : Microsoft Information Store
Windows process : store.exe
Annotation : Microsoft Information Store
Type : Remote RPC service
TCP Port : 1148
IP : 10.10.10.201
Object UUID : c442c1a7-237f-4b30-a14d-e3e398fe8abd
UUID : 0e4a0156-dd5d-11d2-8c2f-00c04fb6bcde, version 1.0
Description : Microsoft Information Store
Windows process : store.exe
Annotation : Microsoft Information Store
Type : Remote RPC service
TCP Port : 1148
IP : 10.10.10.201
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : a4f1db00-ca47-1067-b31f-00dd010662da, version 0.0
Description : Exchange Server STORE EMSMDB Interface
Windows process : store.exe
Annotation : Exchange Server STORE EMSMDB Interface
Type : Remote RPC service
TCP Port : 1148
IP : 10.10.10.201
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 5261574a-4572-206e-b268-6b199213b4e4, version 0.0
Description : Unknown RPC service
Annotation : Exchange Server STORE Async EMSMDB Interface
Type : Remote RPC service
TCP Port : 1148
IP : 10.10.10.201
Service: https (443/tcp)
Severity: Info
A SSLv2 server answered on this port
Service: cplscrambler-in (1087/tcp)
Severity: Info
Synopsis :
A DCE/RPC service is running on the remote host.
Description :
By sending a Lookup request to the port 135 it was possible to
enumerate the Distributed Computing Environment (DCE) services
running on the remote port.
Using this information it is possible to connect and bind to
each service by sending an RPC request to the remote port/pipe.
Risk factor :
None
Plugin output :
The following DCERPC services are available on TCP port 1087 :
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Remote RPC service
TCP Port : 1087
IP : 10.10.10.201
Service: ms-sql-m (1434/udp)
Severity: Info
Synopsis :
It is possible to determine remote SQL server version
Description :
Microsoft SQL server has a function wherein remote users can
query the database server for the version that is being run.
The query takes place over the same UDP port which handles the
mapping of multiple SQL server instances on the same machine.
CAVEAT: It is important to note that, after Version 8.00.194,
Microsoft decided not to update this function. This means that
the data returned by the SQL ping is inaccurate for newer releases
of SQL Server.
Solution :
filter incoming traffic to this port
Risk factor :
None / CVSS Base Score : 0
(AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N)
Plugin output :
Nessus sent an MS SQL 'ping' request. The results were :
ServerName xxxx InstanceName MSSQLSERVER IsClustered No Version 9.00.1399.06 tcp 1433
If you are not running multiple instances of Microsoft SQL Server
on the same machine, it is suggested that you filter incoming traffic to this port
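The "SQL ping" the finding above refers to is the SQL Server Resolution Protocol (SSRP) on UDP 1434. The following is an added example, not code from the original report or from Nessus: it builds the CLNT_UCAST_EX request (a single 0x03 byte), decodes the SVR_RESP answer (0x05, a little-endian 16-bit length, then ASCII key;value pairs with ";;" separating instances) and pulls out the TCP port each instance advertises. The sample response is constructed to match the one line the scanner printed, plus a hypothetical pipe-only named instance so the multi-instance layout is visible; only `sql_ping()` needs network access.

```python
"""MS SQL Server Resolution Protocol (SSRP, UDP 1434): the 'SQL ping' the scanner sent.

Added example, not from the original report or from Nessus. A CLNT_UCAST_EX
request is the single byte 0x03; the server answers with SVR_RESP: byte 0x05,
a little-endian 16-bit length, then ASCII "key;value;...;;" groups, one group
per instance. The sample below is constructed; the named instance is hypothetical.
"""
import socket

CLNT_UCAST_EX = b"\x03"   # "describe every instance on this host"
SVR_RESP = 0x05


def build_svr_resp(body: str) -> bytes:
    """Encode an SVR_RESP packet; used here to construct test input."""
    data = body.encode("ascii")
    return bytes([SVR_RESP]) + len(data).to_bytes(2, "little") + data


def parse_svr_resp(pkt: bytes) -> list:
    """Decode SVR_RESP into one dict per instance, checking type and length."""
    if len(pkt) < 3 or pkt[0] != SVR_RESP:
        raise ValueError("not an SSRP SVR_RESP packet")
    size = int.from_bytes(pkt[1:3], "little")
    body = pkt[3:]
    if len(body) < size:
        raise ValueError(f"truncated: header says {size} bytes, got {len(body)}")
    instances = []
    for group in body[:size].decode("ascii", errors="replace").split(";;"):
        if not group:
            continue
        fields = group.split(";")
        if len(fields) % 2:
            raise ValueError(f"odd number of fields in instance group: {group!r}")
        instances.append(dict(zip(fields[0::2], fields[1::2])))
    return instances


def tcp_port_of(instances, name="MSSQLSERVER"):
    """The TCP port an instance advertises (None if it is named-pipe only)."""
    for inst in instances:
        if inst.get("InstanceName", "").upper() == name.upper() and "tcp" in inst:
            return int(inst["tcp"])
    return None


def sql_ping(host: str, timeout: float = 2.0) -> list:
    """Send CLNT_UCAST_EX to host:1434/udp and parse the reply (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(CLNT_UCAST_EX, (host, 1434))
        data, _ = s.recvfrom(65535)
    return parse_svr_resp(data)


# Constructed sample: the report's default instance plus a hypothetical named
# instance that listens on a pipe only, to show how several instances are laid out.
SAMPLE_BODY = ("ServerName;xxxx;InstanceName;MSSQLSERVER;IsClustered;No;"
               "Version;9.00.1399.06;tcp;1433;;"
               "ServerName;xxxx;InstanceName;SQLEXPRESS;IsClustered;No;"
               "Version;9.00.1399.06;np;\\\\xxxx\\pipe\\MSSQL$SQLEXPRESS\\sql\\query;;")
SAMPLE_PKT = build_svr_resp(SAMPLE_BODY)

if __name__ == "__main__":
    for inst in parse_svr_resp(SAMPLE_PKT):
        print(inst)
```

Treat the Version field as a hint only, as the CAVEAT in the finding says; the port is the useful part, since it tells you where the TDS listener sits when it is not on 1433. Filtering 1434/udp removes the discovery step but not the listener itself.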
Service: netarx (1040/tcp)
Severity: Info
Synopsis :
A DCE/RPC service is running on the remote host.
Description :
By sending a Lookup request to the port 135 it was possible to
enumerate the Distributed Computing Environment (DCE) services
running on the remote port.
Using this information it is possible to connect and bind to
each service by sending an RPC request to the remote port/pipe.
Risk factor :
None
Plugin output :
The following DCERPC services are available on TCP port 1040 :
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : b9fadb8d-53a1-41d7-b763-88d884b6b829, version 1.0
Description : Unknown RPC service
Annotation : Microsoft Exchange Topology Information Server RPC Interface
Type : Remote RPC service
TCP Port : 1040
IP : 10.10.10.201
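Every "DCE/RPC service" finding above was produced the same way: a Lookup against the endpoint mapper on port 135 returned the interface UUIDs together with the TCP port or named pipe each one is bound to. The following is an added example, not code from the original report or from Nessus: it parses those "Object UUID / UUID / Description / Type / TCP Port / Named pipe" records into an inventory grouped by endpoint, lists the interfaces the scanner could not name (the Annotation usually still identifies them), and picks out the high TCP ports that were learnt from the Lookup rather than from the port scanner, since the scan itself only covered ports 1-1024. SAMPLE is a constructed excerpt modelled on the report's own records.

```python
"""Turn Nessus 'DCE/RPC service' plugin output into an RPC endpoint inventory.

Added example, not code from the original report or from Nessus. SAMPLE is a
constructed excerpt modelled on the records the plugin prints.
"""
import re
from collections import defaultdict

SAMPLE = r"""
The following DCERPC services are available on TCP port 1148 :
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : a4f1db00-ca47-1067-b31e-00dd010662da, version 1.0
Description : Exchange Server STORE ADMIN Interface
Windows process : store.exe
Annotation : Exchange Server STORE ADMIN Interface
Type : Remote RPC service
TCP Port : 1148
IP : 10.10.10.201
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 5261574a-4572-206e-b268-6b199213b4e4, version 0.0
Description : Unknown RPC service
Annotation : Exchange Server STORE Async EMSMDB Interface
Type : Remote RPC service
TCP Port : 1148
IP : 10.10.10.201
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Remote RPC service
Named pipe : \PIPE\lsass
Netbios name : \\xxxx
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : wzcsvc
"""

# "UUID : <interface uuid>, version <major>.<minor>" as printed by the plugin
UUID_RE = re.compile(
    r"^([0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}),\s*version\s+(\d+\.\d+)$", re.I)


def parse_records(text):
    """Return one dict per interface record; keys are the lower-cased field names."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if " : " not in line:          # blank lines and the "The following ..." header
            continue
        key, _, value = line.partition(" : ")
        key, value = key.strip(), value.strip()
        if key == "Object UUID":       # every record starts with this field
            current = {"object_uuid": value.lower()}
            records.append(current)
        elif current is None:
            continue                   # a field before any record: ignore it
        elif key == "UUID":
            m = UUID_RE.match(value)
            if not m:
                raise ValueError(f"unparseable interface UUID line: {line!r}")
            current["uuid"], current["version"] = m.group(1).lower(), m.group(2)
        else:
            current[key.lower().replace(" ", "_")] = value
    return records


def endpoint(rec):
    """'ip:port' for TCP endpoints, otherwise the named pipe / LRPC port name."""
    if "tcp_port" in rec:
        return f"{rec.get('ip', '?')}:{rec['tcp_port']}"
    return rec.get("named_pipe", "?")


def remote_inventory(records):
    """Remotely reachable interfaces grouped by endpoint; local-only (LRPC) ones are dropped."""
    inv = defaultdict(list)
    for rec in records:
        if rec.get("type") == "Remote RPC service":
            inv[endpoint(rec)].append(rec)
    return dict(inv)


def unknown_interfaces(records):
    """(uuid, annotation) for interfaces the scanner could not name."""
    return [(r["uuid"], r.get("annotation", ""))
            for r in records if r.get("description") == "Unknown RPC service"]


def high_port_endpoints(records, scanned_upto=1024):
    """Remote TCP ports above the scanned range: advertised by the endpoint mapper,
    so they stay reachable even if port 135 itself is later filtered."""
    ports = {int(r["tcp_port"]) for r in records if "tcp_port" in r}
    return sorted(p for p in ports if p > scanned_upto)


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for ep, ifaces in remote_inventory(recs).items():
        print(ep)
        for r in ifaces:
            print(f"  {r['uuid']} v{r['version']}  {r['description']}  [{r.get('windows_process', '?')}]")
    print("unnamed:", unknown_interfaces(recs))
    print("high ports from Lookup:", high_port_endpoints(recs))
```

Run over the full plugin output, the high-port list (1040, 1064, 1083, 1087, 1090, 1125, 1148, 1155, 1172 in this report) is the set of dynamic RPC ports a perimeter filter has to cover in addition to 135 and 445; closing 135 alone only stops the advertisement, not the listeners.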
Service: general/icmp
Severity: Info
Synopsis :
It is possible to determine the exact time set on the remote host.
Description :
The remote host answers to an ICMP timestamp request. This allows an attacker
to learn the date and time set on your machine.
This may help him defeat time-based authentication protocols.
Solution : filter out the ICMP timestamp requests (13), and the outgoing ICMP
timestamp replies (14).
Risk factor :
None / CVSS Base Score : 0
(AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N)
CVE : CVE-1999-0524
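The finding above is about ICMP types 13 and 14. The following is an added example, not code from the original report or from Nessus: it builds a type-13 timestamp request with a valid RFC 1071 checksum, validates and decodes a type-14 reply, and turns the reply's timestamps (milliseconds since midnight UTC, per RFC 792) into a clock reading and a clock offset, which is exactly what the finding says a remote party can learn. The reply used in the tests is constructed; the identifier 0x1234 is an arbitrary choice. Only `probe()` needs a raw socket and therefore privileges.

```python
"""ICMP timestamp request/reply (types 13/14): the probe behind the general/icmp finding.

Added example, not from the original report or from Nessus. The reply parsed in
the tests is constructed; the request identifier is arbitrary.
"""
import socket
import struct
import time

ICMP_TIMESTAMP, ICMP_TIMESTAMP_REPLY = 13, 14
HDR = "!BBHHHIII"   # type, code, checksum, id, seq, originate, receive, transmit
MS_PER_DAY = 24 * 60 * 60 * 1000


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_timestamp(ident, seq, originate_ms, receive_ms=0, transmit_ms=0, reply=False):
    """Build a type-13 request (or, with reply=True, a type-14 reply) with a valid checksum."""
    typ = ICMP_TIMESTAMP_REPLY if reply else ICMP_TIMESTAMP
    draft = struct.pack(HDR, typ, 0, 0, ident, seq, originate_ms, receive_ms, transmit_ms)
    return struct.pack(HDR, typ, 0, icmp_checksum(draft), ident, seq,
                       originate_ms, receive_ms, transmit_ms)


def parse_timestamp_reply(pkt: bytes, expect_ident=None) -> dict:
    """Validate a type-14 reply (length, checksum, identifier) and return its fields."""
    if len(pkt) < 20:
        raise ValueError("too short for an ICMP timestamp message")
    typ, _code, _csum, ident, seq, orig, recv, xmit = struct.unpack(HDR, pkt[:20])
    if typ != ICMP_TIMESTAMP_REPLY:
        raise ValueError(f"ICMP type {typ} is not a timestamp reply")
    if icmp_checksum(pkt[:20]) != 0:       # a message with a valid checksum sums to zero
        raise ValueError("bad ICMP checksum")
    if expect_ident is not None and ident != expect_ident:
        raise ValueError("reply identifier does not match our request")
    # RFC 792: the high bit flags a value that is not milliseconds since midnight UTC
    nonstandard = bool((recv | xmit) & 0x80000000)
    return {"id": ident, "seq": seq, "originate": orig, "receive": recv,
            "transmit": xmit, "nonstandard": nonstandard}


def ms_to_clock(ms: int) -> str:
    """Milliseconds since midnight UTC -> 'HH:MM:SS.mmm UTC'."""
    ms %= MS_PER_DAY
    h, rem = divmod(ms, 3600_000)
    m, rem = divmod(rem, 60_000)
    s, milli = divmod(rem, 1000)
    return f"{h:02d}:{m:02d}:{s:02d}.{milli:03d} UTC"


def clock_skew_ms(reply: dict, our_now_ms: int) -> int:
    """Remote transmit time minus our own clock: the disclosed clock offset."""
    return reply["transmit"] - our_now_ms


def probe(host: str, ident: int = 0x1234, timeout: float = 2.0) -> dict:
    """Send one timestamp request and parse the reply (raw socket; needs privileges)."""
    now_ms = int(time.time() * 1000) % MS_PER_DAY
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP) as s:
        s.settimeout(timeout)
        s.sendto(build_timestamp(ident, 1, now_ms), (host, 0))
        data, _ = s.recvfrom(1024)
    ihl = (data[0] & 0x0F) * 4           # a raw socket hands back the IP header as well
    reply = parse_timestamp_reply(data[ihl:], expect_ident=ident)
    reply["skew_ms"] = clock_skew_ms(reply, now_ms)
    return reply


if __name__ == "__main__":
    sample = build_timestamp(0x1234, 7, 1000, 45296789, 45296790, reply=True)  # constructed reply
    r = parse_timestamp_reply(sample, expect_ident=0x1234)
    print(ms_to_clock(r["transmit"]), "skew", clock_skew_ms(r, 45296000), "ms")
```

A host that answers is handing out its clock to anyone who can reach it; the fix the finding gives (drop type 13 inbound and type 14 outbound) is the right one, and the checksum and identifier checks above are what keep a spoofed reply from being mistaken for the real one.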
Service: general/tcp
Severity: Info
The remote host is running Microsoft Windows 2003 Server
Service: smtp (25/tcp)
Severity: Info
Synopsis :
An SMTP server is listening on the remote port.
Description :
The remote host is running a mail (SMTP) server on this port.
Since SMTP servers are the targets of spammers, it is recommended you
disable it if you do not use it.
Solution :
Disable this service if you do not use it, or filter incoming traffic
to this port.
Risk factor :
None
Plugin output :
Remote SMTP server banner :
220 xxxx Microsoft ESMTP MAIL Service ready at Sat, 22 Apr 2006 17:19:23 -0400
Service: ms-sql-s (1433/tcp)
Severity: Info
Synopsis :
A SQL server is running on the remote host.
Description :
Microsoft SQL server is running on this port.
You should never let any unauthorized users establish
connections to this service.
Solution:
Block this port from outside communication
Risk factor :
None / CVSS Base Score : 0
(AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N)
CVE : CVE-1999-0652
Service: microsoft-ds (445/tcp)
Severity: Info
Synopsis :
It is possible to log on to the remote host.
Description :
The remote host is running one of the Microsoft Windows operating
systems. It was possible to log on using one of the following
accounts :
- NULL session
- Guest account
- Given Credentials
See also :
http://support.microsoft.com/support/kb/articles/Q143/4/74.ASP
http://support.microsoft.com/support/kb/articles/Q246/2/61.ASP
Risk Factor :
none
Plugin output :
- NULL sessions are enabled on the remote host
CVE : CVE-1999-0504, CVE-1999-0506, CVE-2000-0222, CVE-1999-0505, CVE-2002-1117
BID : 494, 990, 11199
Service: http (80/tcp)
Severity: Info
The remote web server type is :
Microsoft-IIS/6.0
Service: https (443/tcp)
Severity: Info
The remote web server type is :
Microsoft-IIS/6.0
Service: http (80/tcp)
Severity: Info
The remote host appears to be running a version of IIS which allows remote
users to determine which authentication schemes are required for confidential
webpages.
Specifically, the following methods are enabled on the remote webserver:
- IIS Basic authentication is enabled
- IIS NTLM authentication is enabled
Solution : None at this time
Risk factor : Low
CVE : CVE-2002-0419
BID : 4235
Service: https (443/tcp)
Severity: Info
The remote host appears to be running a version of IIS which allows remote
users to determine which authentication schemes are required for confidential
webpages.
Specifically, the following methods are enabled on the remote webserver:
- IIS Basic authentication is enabled
- IIS NTLM authentication is enabled
Solution : None at this time
Risk factor : Low
CVE : CVE-2002-0419
BID : 4235
Service: general/tcp
Severity: Info
Information about this scan :
Nessus version : 3.0.2
Plugin feed version : 200603062248
Type of plugin feed : Release
Scanner IP : 10.10.10.15
Port scanner(s) : nessus_tcp_scanner
Port range : 1-1024
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Max hosts : 16
Max checks : 10
Scan Start Date : 2006/4/22 17:19
Scan duration : 66 sec