Monday, April 27, 2009

Windows Consistency Sucks...AD Edition

Microsoft Windows has gained a well-deserved reputation for sucking wind. I encounter new reasons usually about once a week or so.

Microsoft realized that to make more headway into the enterprise (business, not starships) it had to beef up its offerings, so they did what they usually do. They looked at the guy already in the lead and copied them, added a couple tweaks, and touted it as their own better-than-sliced-bread feature.

At the time this meant they were staring at Novell's behind with their NDS tools (Novell Directory Services), later called eDirectory. Microsoft cloned much of the functionality and called it Active Directory, then proceeded to integrate it into Windows.

Now for the fun part. I don't trust it. Here's a quick reason why.

Windows XP integrated a software firewall. When activated, it blocks inbound connections to your computer unless you set up rules allowing the software in question to connect, which limits the ability of other programs to infect you through network scans. This post is about irritations with Active Directory, so I won't get into why their firewall software sucks just yet.

Where I work we use a freeware utility called VNC to remotely assist users when they have problems; we are a small department supporting hundreds of computers and simply cannot be everywhere at once. VNC lets us connect and view the user's desktop: when they call saying there's an odd error on their screen, we can connect and see it just as they're seeing it instead of trying to decipher their sometimes creative descriptions of what is going on.

Except when the firewall is on.

Since we're a Microsoft shop, the solution, from many an MCSE with a smirk on his face (MCSEs are people who pay big bucks to pass Microsoft-biased tests so they get a certificate saying they're certified to answer your questions about Windows and other Microsoft products; that's really oversimplifying and probably offends some of them out there), is to simply add it to your policies...the rules that govern the behavior of good Active Directory citizens (i.e., Windows clients) on your network.

Fine. We set up a rule in the default policies saying to turn off the software firewall. Don't get your panties in a wad just yet, sysadmins who know better! I fully realize this is semi-insecure and not best practices. This is not to justify why we did it. The sharp point of the rant is approaching!

About ninety-five percent of the time this works. Boot the computer, the firewall is off. The other five percent of the time, the computer reboots, and voilà! We're locked out!

That's right. Active Directory policies, supposedly refreshed at boot and randomly at other times later, sometimes and seemingly without rhyme or reason will lock me out of the remote, twenty-mile-away computer because it decided to activate the firewall!

Best of all, because we run certain software that can only switch modes with a password and a reboot in order to unlock certain functionality in the computer, the reboot puts the computer into a compromised state just as the firewall pops up, meaning I can't get in to reset the system back the way it was!

Why? Who knows!
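The "did the policy actually take?" question above is answerable from the machine itself. Here is an added example (not from the original post) that compares the firewall state the domain GPO defines with the state the firewall service is really in, and reports when Group Policy last refreshed. It assumes Windows 8 / Server 2012 or later for Get-NetFirewallProfile, an elevated prompt for the computer-scope gpresult, and that the GPO used "Windows Firewall: Protect all network connections", which writes the EnableFirewall value under the DomainProfile policy key.

```powershell
# Added example, not from the original post: detect drift between the firewall state
# Group Policy is supposed to enforce and the state the machine actually ended up in.
# Assumes Windows 8 / Server 2012 or later (Get-NetFirewallProfile) and an elevated shell.
function Get-FirewallPolicyDrift {
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'

    # What the GPO says the domain profile should be ($null = no policy value present).
    $configured = $null
    $value = Get-ItemProperty -Path $policyKey -Name EnableFirewall -ErrorAction SilentlyContinue
    if ($null -ne $value) { $configured = ($value.EnableFirewall -ne 0) }

    # What the firewall service is actually doing right now.
    $actual = ((Get-NetFirewallProfile -Name Domain).Enabled.ToString() -eq 'True')

    # When Group Policy last refreshed on this machine, taken from the gpresult report.
    $lastApplied = (gpresult /r /scope:computer 2>$null |
        Select-String 'Last time Group Policy was applied') -replace '^.*?applied:\s*', ''

    [pscustomobject]@{
        PolicyConfigured  = $configured     # $true = policy says ON, $false = policy says OFF
        FirewallEnabled   = $actual         # live state of the domain profile
        InSync            = ($null -eq $configured) -or ($configured -eq $actual)
        LastPolicyRefresh = $lastApplied
    }
}

Get-FirewallPolicyDrift
```

A machine in the "five percent" shows InSync = False, which is a condition you can alert on from a monitoring job rather than discovering it when the remote session is refused.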

We had another policy many moons ago that was telling the computer to hide certain drives from the user that they didn't need access to. This was fine and dandy, except when you ran the old fileman utility from Windows 3.1 or a third-party freeware utility for managing files...the programs showed all the drives. Huh?

After some experimentation it appeared that the Active Directory policy that hides drives was actually a setting for Explorer, the shell program that you interact with in Windows to allow you to launch programs and navigate through Windows.

In other words, the setting to hide system drives in Active Directory was only effective against one program in Windows. Other programs could still work around it. Basically what I would have thought at first glance was a setting to tell Windows to hide access to certain drives was actually telling a particular component of Windows to hide the drives.

No doubt that careful reading would have explained that this was the expected behavior, but I never saw any warning to the administrator that this could be worked around so easily, that it wasn't a system-level lockout but rather something that could be worked around with a two-minute download of freeware.
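To see the gap between what the hide-drives setting looks like and what it does, here is an added example (not from the original post) that decodes the policy's drive bitmask and then asks the file-system API whether each "hidden" drive is still reachable. It assumes PowerShell 3.0 or later; the registry path and the bitmask layout (bit 0 = A:, bit 1 = B:, ... bit 25 = Z:) are those of the real Explorer policy.

```powershell
# Added example, not from the original post: decode the "Hide these specified drives in
# My Computer" policy and check whether the hidden drives answer ordinary file-system calls.
# Assumes PowerShell 3.0 or later (for the -shl operator).
function Get-HiddenDriveLetters {
    param([string]$Hive = 'HKCU')   # user policy lives in HKCU; a machine-wide copy may sit in HKLM
    $key  = "$($Hive):\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    $item = Get-ItemProperty -Path $key -Name NoDrives -ErrorAction SilentlyContinue
    if ($null -eq $item) { return @() }          # policy not set: nothing is hidden
    $mask = [uint32]$item.NoDrives
    foreach ($bit in 0..25) {
        if (($mask -band (1 -shl $bit)) -ne 0) { [char](65 + $bit) }   # 65 is 'A'
    }
}

function Test-HiddenDrives {
    foreach ($letter in Get-HiddenDriveLetters) {
        $root = "$($letter):\"
        # Test-Path goes straight to the file-system API. NoDrives is read only by Explorer's
        # shell view, so a mounted drive still answers True here even though it has vanished
        # from My Computer; only an NTFS ACL on the drive root actually denies access.
        [pscustomobject]@{
            Drive            = $root
            HiddenInExplorer = $true
            ReachableByApi   = Test-Path -LiteralPath $root
        }
    }
}

Test-HiddenDrives | Format-Table -AutoSize
```

A row with HiddenInExplorer = True and ReachableByApi = True is exactly the situation the post describes: the old file manager, or any freeware file tool, sees that drive without any trouble.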

So, more reasons I don't trust Active Directory. First, I got burned by a setting that looked like it was taking a step toward locking out access to the system, when in reality it was just telling one part of Windows to hide it. Second, the policies don't always "take," so when I take the time to configure a system to behave in a certain way there's no guarantee that it will, just that it probably will. Sometimes "probably" just isn't good enough.

2 comments:

  1. Good one, well said. Microsoft could release Microsoft Poo 2013 and people would give their right arm for it.

  2. All you need to do is set up a GPO that pushes firewall settings out to all your machines. The firewall stays up, the VNC port stays open to the particular IP addresses you want to be able to connect from (or from any IP address), and you're good to go; security still intact.
