May 15

Video: Remote access to Microsoft Access from DevCon Austria

FMS President Luke Chung was a presenter at the Virtual Microsoft Access DevCon 2020 in Vienna, Austria on April 23, 2020. He gave a presentation called “Remote access to Access“, which is available for everyone to watch.

If you missed the event, you can visit Virtual Access DevCon 2020 to watch all the presentations giving by all of the speakers.

Luke Chung’s video presentation

Remote Desktop and RemoteApp let your users run Access applications without having to installing anything on their local machine. That includes Access, the database, and any related programs. It lets users run the program across the network or Internet, from their PC or even a Mac. There are different approaches depending on whether the host is internal or in the cloud, and for backend databases in Access and Microsoft SQL Server.

PowerPoint Slides for the Presentation

Special thanks to Microsoft Access MVP Karl Donaubauer, who hosted the fourth annual Access DevCon and made it an online event during the COVID-19 lockdown.

Dec 29

Microsoft Azure Security Holes with SQL Server Databases

FMS President Luke Chung wrote a new paper to deal with Microsoft Azure Security Holes with SQL Server Databases

Here’s an overview:

Microsoft SQL Azure Security Introduction

Having Microsoft Azure host SQL Server databases on their servers is very cost-effective and efficient. Within minutes, one can have a SQL Server database hosted in the cloud and available to applications on the cloud or on premise.

As with all cloud resources, and especially databases, security is a huge concern. Fortunately, SQL Azure includes features to restrict what can connect to your database server but you need to know how to use them and realize that the default settings do not protect you best.

Setting Firewalls and Virtual Networks

This is an important feature for cloud solutions so that only permitted sources are allowed to get data from your server and databases. You can set the IP Addresses you allow at the database level and server level. The database settings take precedence over the server settings.

Cannot Open Server Error

If you try to connect to the database from an unauthorized IP address, it triggers an error like this:

Cannot open server ‘ServerName’ requested by the login. Client with IP address ‘111.222.33.44’. is not allowed to access the server. To enable access, use the Windows Azure Management Portal or run sp_set_firewall_rule on the master database to create a firewall rule for this IP address or address range. It may take up to five minutes for this change to take effect.

By Default, All Azure Resources can Connect to Your Database

By default, all Azure resources can connect to your server and databases hosted on Azure:

Allowing All Azure Services to Connect to Your Server is a Huge Security Hole!

If you “Allow access to Azure Services” set to On, you create a huge security hole for your server and every database in it. Not only can all your resources connect to your databases, Any Azure resource from any organization can connect to your database.

This setting is NOT restricted to the Azure resources in your subscription. It’d be nice to restrict permissions to the current subscription or list of subscriptions but that’s not possible. It’s everything on all of Microsoft Azure or you need to specify each IP address.

Turn Off Permissions to All Azure Services

Set the permissions to OFF to disallow all Azure services to connect to your SQL server:

Explicitly Specify the IP Addresses Allowed

To avoid the ability of rogue Azure resources from breaching your database security, you need to manually specify the IP Address of every resource that may connect to your server and databases. This can be a real pain.

For more details and how to set your IP Addresses and SQL Azure security correctly, read our new paper: Microsoft Azure Security Holes with SQL Server Databases

May 18

Converting Microsoft Azure SQL Server Databases to SQL Elastic Pools to Share Server Resources

Microsoft SQL Server Databases on the Azure Cloud

Microsoft Azure lets you economically and quickly host enterprise quality SQL Server databases in the cloud. The cost of each database is relatively modest.

Managing Resources and Costs for Individual Databases

However, as you add more databases, larger databases, and/or databases that require more resources, costs increase. Providing more resources to a database is helpful when it demands it, but when users aren’t on it or during non-business hours, it may be wasted capacity. Even during business hours, one can have some databases being utilized more than others at unpredictable levels.

Pooled Resources Across Multiple Databases

Fortunately, Azure offers an Elastic Pool option to share resources across multiple databases. If the demand on your databases is inconsistent (spiky), you can provide a high level of capacity that’s available to the most demanding database while allowing other databases to share those abundant resources when needed.

  • You no longer need to set the limits of each database,
  • You are not charged a per database monthly fee which is great for supporting lightly used databases.

Migrating Existing SQL Server Databases to Elastic Pool

Microsoft provides information on SQL Elastic Pools but does not explain how to convert existing databases to an Elastic Pool.

FMS President Luke Chung wrote a new paper with step-by-step instructions on how to convert existing SQL Server databases on Azure to an Elastic Pool without the need to change the database connection strings:

Converting Microsoft Azure SQL Server Databases to SQL Elastic Pools to Share Server Resources

Here’s more information on Designing and Deploying Microsoft Azure Solutions.

May 10

Remote Desktop Authentication Error Has Occurred. The function requested is not supported. CredSSP Workaround

Remote Desktop Connections Fail

Starting May 9, we received many reports of Remote Desktop connections failing globally. Users received error messages like this when they tried to remote to machines they connected to successfully for a long time:

Remote Desktop Connection Error

An authentication error has occurred.
The function requested is not supported

Remote computer: <computer name>
This could be due to CredSSP encryption oracle remediation.
For more information, see https:/go.microsoft.com/fwlink/?linkid=866660

The link goes to this page, https://support.microsoft.com/en-us/help/4093492/credssp-updates-for-cve-2018-0886-march-13-2018, and explains the Credential Security Support Provider protocol (CredSSP). It offers extensive information on a series of updates since March 2018. It recommends some steps but isn’t very clear what those changes are nor whether those changes are needed to be made by network administrators globally via group policies, or group policies on every PC and VM.

Caused by a Microsoft Security Patch

The Microsoft Security patch issued on Tuesday, May 8th triggered the problem by setting and requiring remote connections at the highest level (CredSSP Updates for CVE-2018-0886)::

Security update deployment information: May 08, 2018

It changed the default setting from Vulnerable to Mitigated which means that any PC using CredSSP is not be able to use insecure versions. If your PC received the May update but the target PC hasn’t implemented the CredSSP update, the PC receives the error message when it tries to connect to that PC.

The automatic Windows patch to raise the security level is not implemented if the PC doesn’t allow automatic updates. This mismatch between the implementation of a security requirement (which is not optional) without the corresponding automatic update may be the source of this problem.

However, there are many situations such as development, testing, build, staging, and deployment environments which require a stable environment that would be destroyed by automatic Windows updates.

We continue to research this.

Symptoms

The symptoms are rather strange because we found that some machines successfully connected while others didn’t.

For instance, we had a Windows 7 machine that hosted Remote Desktop. A Windows 7 PC had no problem connecting to it, but the same user connecting from a Windows 10 machine failed when that was never an issue before and the host machine allowed remote connection for years.

There are also reports of problems with Windows 10 machines connecting to Windows 10 machines, and people locked out of their Azure VMs.

Workaround Solution

One could rollback the security update, but rather than risking other security problems, there’s a quick fix.

Simply adjust the Remote Desktop settings on the host machine to a lower security level. From File Explorer, choose Computer, right-click and select Properties, then click Change Settings, and go to the Remote tab.

From Windows 10, uncheck the option to “Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended)”:

From Windows 7, it’s setting the option to the Less Secure option rather than More Secure:

Once these are set, users can remote to the machine again.

Microsoft Comment

Based on this blog post, a Microsoft colleague told us this:

“I double checked the Windows bug database and they are aware of the problem. No ETA on a fix yet unfortunately. Your workaround is what’s suggested to temporarily get around the error, although it is not suggested as a long-term fix.”

Alternative Solutions

This section was added after our initial workaround and is based on the experience of many users struggling with this problem.

The problem is often caused because the local machine is patched with the Windows Update and the machine it’s connecting to is not patched for the CredSSP issue. If both systems were patched then this error would not occur.

There are two options:

Update the Target Machine

Update the target machine with the patch for the CredSSP issue (preferable).

Update the Local Machine

In many cases, you don’t have the option to modify anything on the target machine. You may even be prevented from modifying your own machine, but assuming you have administrator rights, you can change the Group Policy on your local machine to use the Vulnerable setting.

Big picture, it’s ridiculous to lower one’s security settings to connect to a machine that wasn’t updated. It would be much better if it prompted or automatically connected to lower level machines without turning off the higher security level for everything else. All it takes is one target machine that you can’t modify to force this change on your machine. But at least you can get your work done.

  1. Enter run “gpedit.msc” to edit group policy, or from Windows start, enter “Group Policy” and select “Edit group Policy”:
    1. Windows 10
    2. Windows 7
  2. From the treeview, choose Computer Configuration -> Administrative Templates -> System -> Credentials Delegation
  3. Select “Encryption Oracle Remediation” from the right pane (if it’s not there, it probably means your machine wasn’t patched):
  4. Enable and set the Protection Level to Vulnerable:

Hope this helps.


Additional Problem: Cannot Connect via VPN

We’ve discovered problems with VPN connection if the PC has Remote set to the higher security level.

The network connection fails with error: Cannot load the Remote Access Connection Manager service. Error 711:

Lower Your Remote Desktop Security to have the Security to Make the VPN Connection

Apparently, the Remote Desktop setting on the client side impacts its ability to connect via VPN to the host side.

By lowering the setting to less secure for others to connect to the PC, the PC can now successfully connect to the VPN. What a mess.

Additional Discussions

I’ve also been involved in other online discussions:

Summary

It’s late August, and it’s shocking that this problem remains after so many months. I am extremely frustrated by the Windows update policies and Microsoft’s inadequate testing before these security patches are deployed. This is very disruptive and dangerous to many organizations trying to fulfill their missions expecting their PCs to be reliable.

Microsoft security “purists” claim the current approach is necessary to address the serious threats facing users. I guess it wouldn’t be an issue if the updates worked without disruption. However, the downside of this medicine may exceed the illnesses they are trying to prevent.

Hope you are able to resolve this and move on.


Additional Remote Desktop Connection Resources

Apr 23

Microsoft Azure SQL Server Usage and DTU Limit Resource Graphs are Confusing

microsoft-azure-h60 SQLServerText

Microsoft Azure lets you easily create and deploy enterprise quality SQL Server on the cloud and scale it to suit your application’s needs. From the SQL Server database’s Azure dashboard, you can see the Database Transaction Unit (DTU) usage against the specified DTU limit for the database.

One Hour Usage Graph

This is what we saw for usage over one hour. The cyan line across the top is the DTU limit. The dark blue line is the DTU used. The limit is what you pay, so it’s important to scale it to what the application needs.

monitor-hour

One Hour Azure SQL Server DTU use versus limit

While everything seemed fine at the weekly level, looking at the hourly graph gave us a shock. It looks like the database is maxed out for most of the hour. It seems conclusive that we need to increase our DTU level.

65 Minute Graph

But when we set the range to 65 minutes and saw this:

monitor-65-minute

65-minute Azure SQL Server DTU use versus limit

These are completely different displays of the same period of time. The 65 minute graph never hits the maximum DTU. What’s going on?

Visit our page Monitoring SQL Server Usage on Microsoft Azure and Setting DTU Limits for an explanation.

Apr 12

What Happened When We Created a Facebook App for Social Network Analysis

facebook-medFacebook and Mark Zuckerberg are getting blamed for a large number of issues from promoting fake news, election fraud, mishandling user data, and profiting from selling user data.

While some of that may be true, the Facebook security breach is actually a violation of Facebook API licensing rules by the people who used it. Facebook provided the data and encouraged developers like us to create innovative solutions for the Facebook ecosystem. They weren’t selling the data.They weren’t even charging us to use it.

Our Facebook App with Social Network Analysis and Maps

In 2010, we created a Facebook application using our Sentinel Visualizer technology to perform Social Network Analysis (SNA) based on a user’s friends’ friends. It would automatically cluster friends so you could quickly see their groups (high school, college, work, family, in-laws, clubs, etc.).

Facebook Social Network Analysis App of Clustered Friends

Each box (picture) was one of your friends, and you could move them around the network, hover over them to get their info, or click on them to go to their page.

We also plotted friends on a Microsoft Bing Map making it easy to see who were near you or where you were visiting.

Plotting Your Friends' Locations on a Map

 

We launched our free Sentinel Visualizer Facebook App to a limited number of users and it started to gain followers. People were amazed to see which of their friends knew each other. The application started to go viral. We were having trouble supporting the traffic.

Not Allowed to Save Facebook Data

One of the things developers couldn’t do was to save Facebook’s data. All we collected were the user names and email addresses people provided when they registered our program. Unfortunately, other developers didn’t abide by Facebook’s terms and the data improperly got to Cambridge Analytica and others.

Facebook Stopped Making the Data Available

Our app ceased to work when Facebook limited their APIs and prevented our ability to get to the list of your friends’ friends among your network.

It’s not entirely Facebook’s fault for trying to spur innovation by sharing their data for free. Some developers violated the trust Facebook gave them.

The Full Story

Here’s our new web page describing our experience in detail:

Mar 14

Create Surveys with Excel Online hosted in Office365

excel-icon-lgYou can quickly create surveys with Excel and make them available online with all results saved in the spreadsheet hosted in Office365. Just create an Excel spreadsheet in Office365 and choose the Survey item on the ribbon to design it.

A link is provided to share with people to respond. They don’t need to have Excel or Office365. Just a web browser. Try our sample by clicking the image below:

survey

Shorten the URL

Excel provides a very long URL to share your survey. By using a site like bit.ly, you can create a shorter one to email to your contacts. This is important to avoid problems when URLs get word wrapped in emails. For instance, this survey is shortened to https://bit.ly/2qmSweG.

Results in Your Spreadsheet

The results go directly into your spreadsheet with each submission as a separate row:

response

Having the ability to create a survey and see the results in a spreadsheet in minutes, is a terrific tool to help your projects!

Jan 05

Sean Hannity Radio Show Interview on Julian Assange, WikiLeaks, Russian Hacking, and Cyber Warfare

sean-hannity-radioBackground

The day after an amazing personal interview of Julian Assange by Sean Hannity aired on his TV show, FMS President Luke Chung was invited to discuss the related technology on his radio show.

Hannity traveled to London to interview Julian Assange at the Ecuadorian Embassy where he’s seeking asylum. They discussed an overview of Assange’s role as founder of WikiLeaks, and their obtaining and publishing the emails from the Democratic National Committee the weeks before the US Presidential election. Some people attribute Hillary Clinton’s loss to the revelations in those emails especially from John Podesta, the former White House Chief of Staff and Chairman of the Clinton campaign. They are also accusing the Russians for hacking (stealing) and providing the data to Assange so Donald Trump could win the election.

Radio Show

On January 4, 2017, I was on the radio show with Sean Hannity and Brigadier General Eli Ben Meir, former Israeli Military Intelligence chief. The three of us discussed the WikiLeaks disclosures. I commented specifically on:

  • Cyber attacks and the security breach at OPM disclosed non-classified government employees and by omission who were covert at American Embassies globally.
  • Noting Julian Assange’s careful word choices to exclude Russia as source without excluding them as the ultimate source of his sources.
  • The need for WikiLeaks’ to keep their sources confidential and how they amplified the data from Bradley Manning and Edward Snowden.
  • Different approaches to preventing cyber attacks depending on the cause.
    “It’s one thing when someone steals your car because they broke into it. It’s another thing when someone steals your car because you left your keys in the ignition.”

Here’s the audio of the show:

My segment starts at the 6:50 mark. Sean and General Meir speak first, then I start around 9:25. Final comments at 14:15 and it wraps up by 14:50.

Additional Issues

Only a limited amount of information can be discussed in such a short interview. Some additional issues to consider are:

Data Security

Securing data over the internet and inside organizations is very challenging. Threats may come from:

  • External hacks that need to be monitored and defeated
  • Internal people who unintentionally leave the front door unlocked
  • Internal people who intentionally leak information

Different solutions are required for each type of threat. Some are at the software vendor, design, and developer level, while others involve end-user training, background checks, and monitoring.

Applications can be built so that simply disclosing a user name and password doesn’t compromise the whole system by require two-factor authentication and registering devices that can use those credentials.

Unfortunately, many systems were built well before today’s cyber threats existed. The cost of making those systems more secure without breaking their existing functionality will be daunting and expensive. In many cases, the original source code, development environment and/or vendor are long gone, so the only option is to replace them which is also very expensive and time consuming.

Julian Assange and WikiLeaks are Not Heroes

We need to keep in mind that the WikiLeaks exposed top secret US information by publishing the disclosures from Manning and Snowden. Lives were put at risk and lives may have been lost because of those publications. The Arab Spring was inflamed in part by the disclosure of diplomatic communications and one could argue the human tragedy in Syria is tied to this as well. While Republicans are celebrating and defending Assange and WikiLeaks now for the DNC emails, the tables may turn very quickly.

Data That’s Not Exposed May be More Dangerous

While many are focused on the DNC emails, it’s not unreasonable to assume the people who hacked that also got the RNC emails. Data can be power, and in the wrong hands, data can be used for nefarious purposes such as blackmail.

If the RNC data were compromised, we should be extremely worried if the hackers discovered it was more valuable to keep private than public. Whether they use it directly or sell it to another party or country, the information can make victims puppets by threatening the exposure of their personal data. It’s not uncommon during E-discovery of an email server to discover all sorts of inappropriate language, behavior and activity conducted by individuals in an organization. Disclosures of affairs, homosexual activity, underage sex, bribery, unethical business dealings, breeches of confidentiality, collusion, and actual crimes are often found in email threads and can be used for blackmail.

Additional Resources

Jul 01

Microsoft Office365 Exchange Online Service Performance Degradation and SMTP Problems

office365A few years ago, we migrated our email service to Microsoft’s Office365 cloud service. Overall, it’s been very reliable and eliminated the challenges we had hosting Exchange ourselves. It let us get to our emails using Outlook installed on Windows, any internet browser, and smartphones. Office365 also offered other Office product online (Access Web Apps, Excel, Word, etc.), SharePoint and OneDrive Business.

Unfortunately, on the morning of June 30th, we discovered:

  • Delays sending and receiving emails
  • Some emails were bouncing back from recipients who couldn’t validate our Office365 Exchange Server’s SMTP (protection.outlook.com) with our domain name. That meant the Exchange SMTP server was no longer considered a trusted sender of emails from the @fmsinc.com domain.
  • Our use of the Office365 SMTP server to send emails with our Total Access Emailer product was also failing to authenticate against the server

The problems began the evening before. Needless to say, we aren’t happy about this experience which impacted us and our clients using Office365. Reports are that it affects Office365 customers across North America.

exchangeContacting Microsoft, they confirmed problems with the health of their Office365 Exchange Server. Throughout the day, problems lessened but persisted. We hope the problems are resolved soon and that we’ll understand what went wrong once we overcome the immediate crises.

These are the reports we’ve received from Microsoft. We’ll keep you updated as we learn more:


Exchange Online Service Degraded

This is what the Office365 Admin portal shows for Service Health:

Office365Issues

Office365Health


EX71628 – E-Mail and calendar access – Restoring Service

Jun 29, 2016 12:11 PM

CURRENT STATUS

Our investigation determined that an existing transport feature which is designed to expedite the delivery of email messages became degraded, which caused impact to email delivery for a subset of users. We’re bypassing the affected feature to restore service

User Impact

Users may be unable to send email messages through the Exchange Online service. Email messages may appear to be stuck in the Drafts or Outbox folders.

Scope of Impact

A few customers have reported this issue, and our analysis indicates that for most customers, it’s unlikely that many users would report impact related to this event.

  • Start Time: Thursday, June 23, 2016, at 3:00 PM UTC

Preliminary Root Cause

An existing transport feature that is designed to expedite the delivery of email messages became degraded, which caused impact to email delivery for a subset of users

EX71628 – E-Mail and calendar access – Extended recovery

Jun 30, 2016 2:18 PM

Current Status

We’ve developed an additional fix to address the underlying cause of the issue. We’re preparing to deploy the fix to the affected environment to ensure that the issue does not reoccur.

User Impact

Users may be unable to send email messages through the Exchange Online service. Email messages may appear to be stuck in the Drafts or Outbox folders.

Scope of Impact

A few customers have reported this issue, and our analysis indicates that for most customers, it’s unlikely that many users would report impact related to this event.

  • Start Time: Thursday, June 23, 2016, at 3:00 PM UTC

Preliminary Root Cause

An existing transport feature that is designed to expedite the delivery of email messages became degraded, which caused impact to email delivery for a subset of users.

Next Update by: Saturday, July 2, 2016, at 7:00 PM UTC


EX71674 – E-Mail timely delivery – Service restored

Jun 30, 2016 7:35 PM

Final Status

We’ve confirmed that the remaining message queues have now drained after implementing a configuration change to optimize message filtering.

User Impact

Users were experiencing delays when sending and receiving email messages. Affected users may have received Non-Delivery Reports (NDR) when sending email messages.

Scope of Impact

Customer reports indicated that many users likely experienced impact related to this event. Our analysis indicates that this issue may potentially have affected any of your users attempting to send or receive mail.

  • Start Time: Thursday, June 30, 2016, at 2:30 PM UTC
  • End Time: Thursday, June 30, 2016, at 11:30 PM UTC

Preliminary Root Cause

The infrastructure responsible for processing Exchange Online Protection (EOP) message filtering became degraded.

Next Steps

  • We’re analyzing performance data and trends on the affected systems to help prevent this problem from happening again.
  • We’re reviewing our code for optimizations and automated recovery options.
  • We’ll publish a post-incident report within five business days.

EX71674 – E-Mail timely delivery – Service restored

Jul 1, 2016 12:08 AM

Final Status

We’ve rolled out the fix and confirmed that service is restored. Any meeting requests created during the outage will need to have the conference room calendar removed and readded to book the room.

User Impact

Users that attempted to create a meeting request with a conference room calendar were unable to successfully book a conference room. This lead to conference rooms being booked by multiple resources.

Scope of Impact

A few customers reported this issue, and our analysis indicated that this may have affected any users attempting to use this feature.
  • Start Time: Monday, June 27, 2016, at 6:00 PM UTC
  • End Time: Friday, July 1, 2016, at 2:54 AM UTC

Preliminary Root Cause

A recent update affected the ability for calendar invite requests to successfully book conference rooms.

Next Steps

  • We’re reviewing our deployment and provisioning procedures to help prevent this kind of problem in the future.
  • We’ll publish a post-incident report within five business days.

Aug 03

Appearance on FOX Business News for Tom Brady’s Destroyed Text Messages

cavutoOn Wednesday, I was invited for a live interview with Neil Cavuto on his FOX Business News show Coast-to-Coast.

The primary issue was NFL quarterback Tom Brady’s destruction of his cellphone surrounding the Inflate-gate controversy and his recent suspension.

Prior to his hearing before the NFL, Brady physically destroyed his cellphone and was able to avoid disclosing his text messages which were suspected to contain incriminating information. The question was whether that really destroyed his text messages.

luke-fms-crop

It’s a rather interesting question because people don’t often think about how different types of communications are stored whether it’s email, text or instant messages. With our concerns over security, hacking, and privacy, it’s important to better understand how these platforms work to address the risks we face.

How Emails are Stored

Emails are always stored on a server which retains the emails even if the device that received or read the emails is destroyed. This is how emails can be retrieved from multiple devices simultaneously. Depending on the mail server’s rules, old emails generally remain available until they are permanently deleted. They also exist on the sender’s email box and any of the Cc and Bcc recipients.

3-computer-it-expert2

How Text Messages are Stored

Text Messages do not have the same permanence as emails. They exist on the sending and receiving devices until they are deleted. The phone company that transmits the text message also retains the message. At a minimum, they need to retain it until they successfully transmit it since the receiving device may be unavailable. It can take multiple attempts and multiple days before the message is transmitted.

After that, the phone company has no requirement to retain the message. The text message only exists on the sending and receiving devices.

However, some phone companies, like Verizon, offer text messages that can be read online. The messages are available online even after the message is received by the phone. That means the phone company is playing the role of a text message server. They may exist there for months, which means it remains a repository if the device is destroyed.

So if you think your text messages only exist on yours and the other party’s device, you may want to check your mobile phone provider (and that of the other party) to understand their policies.


Unfortunately, Fox did not release an online copy of the interview, so we can’t share it.