The last of MS06-040: Windows is out. Without OS X Server, what to use instead?
I hope to post the innumerable comments to my series on MS06-040, but I have to clear comments individually via a tedious HTML interface. The task keeps falling to 3rd priority (meaning my job's not riding on it) as content joins my calendar. Don't think I'm trying to spin this my way by stifling dissenting opinions.
Things are now quiet on the MS06-040 front, and I truly don't enjoy saying that it's no thanks to Microsoft. If I had stayed in the character I set out to portray--the non-IT person responsible for running a very small number of Windows servers--I would have been forced to erase and reinstall, as was the advice from Microsoft and security sites. When I failed to heed that advice, sure enough, I got hit with follow-up infections as if to prove the point that an average administrator couldn't finesse his or her way out of this exploit and the ones that tailgated behind it. Windows simply offers too many vectors through which infection can enter, and too many places for malware executables and configuration holes to hide once they get in. I was left with no choice but to hang up the Average Joe hat and let my inner Windows admin loose. It derailed the original drama, but I'll be damned if I'm going to wipe out all of my apps and reconfigure my box from scratch because of some waste of oily skin.
Having to hang up the hat of the typical small business user was a major disappointment. There are more Average Joes out there running one, two or a small number of Windows servers than most people realize. Small Business Server and lower-end Windows Server SKUs like Web and Standard Edition do very well because they target organizations whose computing needs are not likely to grow beyond five to ten machines. For all of Microsoft's enterprise-focused advertising and enterprise-targeted editorial in InfoWorld and elsewhere, I'll always consider Windows most at home in small groups of servers. In that setting, many admins of average skill but lacking the unreasonable amount of time I devoted to tracking and curing the exploit would have wiped their machines clean and, potentially, years of manual patching, tuning and work-arounds along with it. It really is demoralizing.
Commenters asked, "why didn't you have backups?" I did. I do full backups weekly and incremental backups nightly. Not knowing where the infection lived, I'd have had to do a full restore from a week-old backup, and the process would not overwrite Windows system files, including the Registry. Yes, the attack clobbered the backup copy of my Registry.
The system image that I originally restored to build this stopgap Windows server--you may recall that it only has to last until October when the new Xserve comes out--was a Primary Domain Controller. That was back when I had a Windows LAN, and leaving the machine as a PDC was expedient. The infection destroyed Active Directory to the point where I can't use the GUI management console to change users' passwords or set security policies. When I tried to use Microsoft Management Console to alter user passwords on a local level, I was told that this operation was not permitted on a PDC. I'm sure there's a good reason for this, but even PDCs have local accounts. I was able to change account passwords with a little LAN Manager command line hoodoo, specifically:
net user username *
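After a compromise like this one, every account the attacker may have touched needs a fresh password, not just the one or two you happen to think of. The script below is an added example (not from the original post) that drives the same net user tool the post relies on across a list of accounts, generating each new password from the .NET cryptographic random number generator and reporting which resets succeeded. The account names in it are assumptions for illustration.

```powershell
# Added example, not part of the original post: rotate the passwords of a
# named set of accounts with "net user", the tool that still worked when the
# GUI console refused. Account names below are placeholders, not real ones.
$accounts = @('svc_backup', 'webadmin', 'jdoe')

function New-RandomPassword {
    param([int]$Length = 20)
    # 64-character set (no I/O/l/o look-alikes); 256 % 64 == 0, so mapping a
    # random byte onto it with modulo introduces no bias.
    $chars = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!@#$%^&*'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] $Length
    $rng.GetBytes($bytes)
    -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

function Reset-AccountPasswords {
    param([string[]]$Names)
    foreach ($name in $Names) {
        $pw = New-RandomPassword
        # "net user NAME *" prompts interactively; passing the password as an
        # argument lets the loop run unattended. Output is discarded so the
        # password never reaches the console; it is returned in the object.
        & net user $name $pw | Out-Null
        [pscustomobject]@{
            Account  = $name
            Password = $pw
            Reset    = ($LASTEXITCODE -eq 0)
            ExitCode = $LASTEXITCODE
        }
    }
}

# Results hold the new passwords: hand them to a password vault, never a
# plain-text file, and check the Reset column for any account that failed
# (for example, a password rejected by the domain complexity policy).
$results = Reset-AccountPasswords -Names $accounts
$results | Select-Object Account, Reset, ExitCode | Format-Table -AutoSize
```

One trade-off to be aware of: a password given on the net user command line is visible to anything that records process command lines, so for a single account the interactive net user NAME * form in the post is the safer habit; the unattended loop is for when there are too many accounts to reset by hand.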