Sunbelt W2Knews Electronic Newsletter
The secret of those "who always seem to know" - Over 500,000 Readers!
Mon, Nov 6, 2000 (Vol. 5, #53 - Issue #227)
How To Protect Against the 'QAZ MS Crack'?
This issue of W2Knews contains:
- EDITORS CORNER
- W2K Survival Kit - Limited Edition - Selling Out Fast!
- TECH BRIEFING
- How To Protect Against the 'QAZ Microsoft Crack'?
- NT/2000 RELATED NEWS
- New IT Training And Certification Portal
- What Is New In 'Windows 2002'?
- More On Sending 'Out Of Office' to mailing lists
- More on The Page File Is A Possible Vulnerability
- NT/2000 THIRD PARTY NEWS
- Migration to W2K Still A Headache?
- Another NEW Security Tool: Service Account Password Mgmt
- Where Did That EX-EMPLOYEE Have Access?
- W2Knews 'FAVE' LINKS
- This Week's Links We Like. Tips, Hints And Fun Stuff
- PRODUCT OF THE WEEK
- Hacking Exposed (Second Edition) [BRAND NEW!]
- Network Intrusion Detection, An Analyst's Handbook (Sec.Ed.)
- Designing Security for a Windows 2000 Network
Whether upgrading from a previous version of Exchange, migrating
to Exchange from existing systems, or choosing Exchange as your
company's first system, Mail.com provides Hosted Microsoft
Exchange solutions to suit the needs of organizations of every
size. Mail.com provides enhanced applications such as virus
scanning, content control and integrated faxing. Without requiring
any additional hardware or software, we'll provide Exchange 2000
that is more reliable, secure and affordable than running it
Visit MAIL.COM for more information.
W2K Survival Kit - Limited Edition - Selling Out Fast!
You may have missed this, and I do not want you to tell me
afterward that I did not warn 'ya. :-)
I pulled together something really special for you guys as a
Christmas present from Sunbelt. OK, OK, it's not completely free,
but normally you pay 5 times more than this. Basically we do this
once a year as a special, and it's practically at cost. We can
now also deliver internationally, (but shipping is higher, send
an email to [email protected] to get details).
The combo is:
1) the W2K Admin Black Book I co-wrote
2) 5 CDs (videos put on CD) that completely cover the new W2K system.
You could consider this your very own home 'W2K boot camp' at about 10%
of the cost, and will prep you for the 70-240 exam. Remember the
old 'MCSE Complete' kit we had? This is something similar.
'The Book, the Booster and the Movie'. How does the new AutoPilot
for Windows 2000 perform? Well, I'll let Drew Megarry do the talking,
he sent the following two paragraphs to us a few days ago:
"Our company specializes in outsourcing IT assistance for small to
mid-sized companies that can't afford their own IT Department. Most
of them have only a single server, and these servers sometimes run
everything from Exchange, to Faxing, File and Printer Sharing,
Backups, Proxy Services, Web Publishing and more".
"This weekend I was working at a client site and he complained of
extremely poor performance on his server. I decided that this would
be a good test of your AutoPilot software and downloaded an eval
copy. The results were dramatic, I couldn't believe the results!"
We are only going to make 1,000 of this Limited Edition. Just in
the first week hundreds were already sold, so you have to be quick
with this one before the Holiday Rush sets in. You can download and
watch two clips from the CD's in the section "White Papers, Documents
and Other Files" to get to know Ross who will become your mentor
and friend. He presents the data in a clear and humorous way. You
want to grab this opportunity while it lasts. Normal $794.90, but
now only $195.00 (add s/h).
If I see any good 'end-of-year' deals I'll send you a W2KnewsFlash.
Now, let's have a look at the news!
(email me with feedback: [email protected])
SPONSOR: Win2K MAG
WINDOWS 2000 MAGAZINE - GET A FREE SAMPLE ISSUE
Windows 2000 Magazine helps you seek out and implement smart
solutions and includes unrivaled coverage of security, Exchange,
Active Directory, and more. Order a free sample issue now and
without risk, and discover the best resource for Windows NT/2000.
Visit Win2K MAG for more information.
How To Protect Against the 'QAZ Microsoft Crack'?
Of course this is a black eye for MS. So how do we prevent getting
a shiner like that ourselves? Many have sent me feedback and thanks
to all of you. The article below was inspired by a MS TechNet page
that goes into security in a generic way, but I added a series
of specific links to tools and suggestions. It's in an FAQ-format.
Keep in mind that reason number one that your network gets cracked
is that YOUR ORGANIZATION was not ready/trained enough to prevent
it. This is your challenge Number One. Buy and *Study* the 3 books
in the SECURITY BOOKS OF THE WEEK section below.
Q: How does an intruder get into my network?
A: In many cases it is end-user lack of security awareness that
results in errors. You have to be alert for this kind of stuff,
which often boils down to configuration errors. Crackers look
for these and exploit them. You GOTTA, GOTTA, GOTTA have a
set of security Policies and Procedures that are drilled into
staff on a regular basis, and get Top Management Air Cover. They
are themselves also subject to these measures. What good are all
these measures if the CEO uses his wife's name as a password?
Done that myself once, as I have to shamefully admit [blush].
The policy and procedures need to be based on 'Security Best
Practices'. You will find these in the SECURITY BOOKS OF THE WEEK
Once you have these in place, and you have a responsible team
(or person) make sure they get implemented, tested, tested,
tested and continually monitored. This will limit your exposure.
But the *very* first thing you need to do is get a cheap but
powerful Event Log Monitor that will ping you when something
funky is going on and monitor your network carefully. An example
Q: Any recommendations about software and configuration that
I should follow?
A: Since our security perimeter has now moved to the home of
employees that 'telecommute', I suggest 4 lines of defense:
- Virus Scanners, (home and office)
- Personal Firewalls /maybe combined with VPN's (home)
- Email Gateway Scanners (office)
- Traditional Corporate Security Tools (office)
1) MS recommends following Security Best Practices, but that
is a conveniently vague term. To begin with, you have to have
antivirus software on ALL corporate machines, desktops and
servers, whether they are used at home or in the office. Have
them automatically update their virus signatures overnight.
Also, have the AV software sit on Exchange Internet Mail
Connectors, and proxy servers. It slows the machine down a
tiny bit, but you should make it a reason for dismissal if
employees turn off their virus scanning software.
2) On home systems being used for corporate access I would almost
REQUIRE a personal firewall installed to prevent the QAZ hack
that MS suffered. These tools are either free or cheap, but need
to be compatible with the VPN you might use or work with your
existing remote access (Terminal Server?) method. Some examples
of these: Check Point's SecureClient, BlackICE by NetworkICE,
tools like ZoneAlarm and "eSafe Desktop" from Aladdin, and
Norton Internet Security 2000.
3) CNN just reported yesterday that a whopping 80% of *all* USA's
corporate mail is now EMAIL! And email also happens to be the Number
One source of security breaches at the moment. That means you want
some kind of extra scanning going on that protects against attachments
which can contain viruses or trojan horses like the MS hack.
Look at Mail Essentials:
Other good tools are Sybari and Network Associates' GroupShield.
4) There are quite a few categories of traditional corporate security
tools. Firewalls are a good example. Configure your firewalls and
routers to allow only the network activity necessary to your business.
Update them the moment patches become available. Monitor and control
application access (turn on Auditing on your servers) and set and enforce
a strong password policy. Configure only those service accounts that
are actually needed, and change their passwords at least once a month.
(See THIRD PARTY TOOLS below for a new utility that can help here)
Use other tools as needed. These are the categories:
- Active Content Monitoring
- Host-Based Intrusion Detection
- Network-Based Intrusion Detection
- Security Appliances
- Security Services: Penetration Testing
- Network Authentication
- Certificate Authority
- File and Session Encryption
- Virtual Private Networks and Cryptographic Communications
- Single Sign-On
- Secure Web Servers
- Vulnerability Scanners: Network-Based
- Vulnerability Scanners: Host-Based
- Real-Time Security Awareness
- Enterprise Security Administration
- Managed Security Services
- Security Services: Policy Development
- Trusted Operating System
More data at www.sans.org; this site explains these and what they do.
And your systems need to be configured correctly. Update to the
most recent Service packs to begin with. Think about things like
restricting null session access via the Registry, or limiting
access via named pipes and/or shares. Kill the NetBIOS bindings
if that does not break anything by itself, and disable as many
Admin shares as possible. And for obvious reasons, make sure only
a few of your high priests can get to tools and boxes that capture
network traffic. Make sure to 'testbed' this before you break your
Q: How do I detect an intrusion when it occurs?
A: Categories 2 and 3 above are the most used, often in combination with
each other and with scripts that show when things out of your ordinary
daily routine occur. Decide what activities and events should be
audited, and set alarms for them. A rational approach of building your
security perimeter is to create multiple layers of security that start
with Policy, Procedure, Training, correct configuration, deployment of
security tools, followed by continuous testing and monitoring.
Microsoft describes this as follows: Prevent, Detect, React, and then
- Prevent - Obviously, the primary goal of a security system should
be to prevent intrusions whenever possible, and to ensure that
breaching the security of one layer doesn't enable the intruder to
breach other ones.
- Detect - Security measures should be in place that constantly
monitor the system for signs of an intrusion.
- React - When an intrusion is detected, the system should take
action to monitor the intruder and limit further damage.
- Remediate - Once the intrusion has been countered, the security
system should be capable of returning the network to its former secure
Building a security system and a security organization around these
principles is the only way to assure robust security for a large
organization and network.
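The "set alarms for them" step above, as an added example that is not from the newsletter or from any product it mentions: a small Python rule set run over constructed Security-log records. The event IDs are the modern Windows Security log numbers (4625 failed logon, 4720 account created, 4732 member added to a local group, 4697 service installed), not the NT 4/2000-era ones; the hosts, accounts, paths and thresholds are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Groups whose membership changes always deserve a page-out.
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}
FAILED_LOGON_THRESHOLD = 5                    # alarm at this many failures...
FAILED_LOGON_WINDOW = timedelta(minutes=10)   # ...inside this sliding window


def detect(events):
    """Run the alarm rules over event dicts, assumed in chronological order.

    Returns (severity, message) tuples in the order the alarms fired."""
    alerts = []
    failures = defaultdict(list)   # target account -> recent failure times
    for ev in events:
        eid = ev["id"]
        if eid == 4732 and ev["group"] in PRIVILEGED_GROUPS:
            # Member added to a privileged local group: the "added themselves
            # locally on a key server" case from the Domain Reporter item.
            alerts.append(("HIGH", f"{ev['host']}: {ev['member']} added to "
                                   f"{ev['group']} by {ev['subject']}"))
        elif eid == 4720:
            alerts.append(("MEDIUM", f"{ev['host']}: account {ev['target']} "
                                     f"created by {ev['subject']}"))
        elif eid == 4697:
            # A new service was installed. Legitimate agents do this too, so
            # it is a review item rather than proof of a trojan.
            alerts.append(("MEDIUM", f"{ev['host']}: service {ev['service']} "
                                     f"installed from {ev['image']}"))
        elif eid == 4625:
            stamps = failures[ev["target"]]
            stamps.append(ev["time"])
            cutoff = ev["time"] - FAILED_LOGON_WINDOW
            stamps[:] = [t for t in stamps if t >= cutoff]   # slide the window
            if len(stamps) == FAILED_LOGON_THRESHOLD:        # fire once per burst
                alerts.append(("HIGH", f"{ev['host']}: {len(stamps)} failed "
                                       f"logons for {ev['target']} within "
                                       f"{FAILED_LOGON_WINDOW}"))
    return alerts


# Constructed sample records (hosts, accounts and paths are made up).
T0 = datetime(2000, 11, 6, 2, 0)
SAMPLE_EVENTS = [
    {"time": T0, "id": 4720, "host": "FS1",
     "subject": "CORP\\jdoe", "target": "svc_backup2"},
    # Six failed logons for Administrator, 30 seconds apart.
    *[{"time": T0 + timedelta(seconds=30 * i), "id": 4625, "host": "FS1",
       "target": "Administrator"} for i in range(6)],
    {"time": T0 + timedelta(minutes=5), "id": 4732, "host": "FS1",
     "subject": "CORP\\jdoe", "member": "svc_backup2", "group": "Administrators"},
    {"time": T0 + timedelta(minutes=6), "id": 4697, "host": "FS1",
     "service": "ExampleAgent", "image": "C:\\Program Files\\Example\\agent.exe"},
    # Non-privileged group change: no alarm.
    {"time": T0 + timedelta(minutes=7), "id": 4732, "host": "FS1",
     "subject": "CORP\\admin", "member": "bob", "group": "Print Operators"},
    # Lone failure an hour later: the window has emptied, so no alarm.
    {"time": T0 + timedelta(hours=1), "id": 4625, "host": "FS1",
     "target": "Administrator"},
]

if __name__ == "__main__":
    for severity, message in detect(SAMPLE_EVENTS):
        print(f"[{severity}] {message}")
```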
Q: It sounds like achieving network security is a significant
A: Yes. The job of security officer is a critical one for any outfit
that operates in today's connected world. It is important to designate
a security officer, and to give him or her the resources and authority
needed to do the job and protect the organization's information assets.
NT/2000 RELATED NEWS
New IT Training And Certification Portal
I recently spotted a new IT training and certification portal on the
Web called CertReview.com. The site's main focus seems to be Microsoft
certifications (MCP, MOUS and MSS), but also has plans to expand into
other non-competing certifications, such as CISCO and A+ credential
When I dug a little deeper into the site I found in-depth technical
reviews on products and services pertaining to Microsoft training and
certification, hence the name CertReview.com. In addition, they will
soon be offering their own line of digital e-books (MS Approved Study
Guides) for sale on their site in the new Microsoft Reader format.
CertReview.com offers a different twist on IT training and certification
(it's really an infomediary), and the site is definitely worth
visiting and becoming a member, especially if you are a Microsoft
Certified Professional, Office User Specialist or Sales Specialist.
They are over at:
What Is New In 'Windows 2002'?
ENT Magazine reported that MS has sent the future Windows 2000
version for the first time to a real beta test group. I kind of
expect the server version only to surface in 2002; that's the
reason for the title of this item. Why so long? Well, Windows 2000
deployment has only just started to penetrate. Why push a new flavor
to companies that have not even picked up the earlier version? Anyway,
the only really interesting things are that this FINALLY merges the
code base for consumer and corporate products into one, and includes
64-bit Windows. These are things BillG has been looking forward to
for y e a r s.
ENT's Scott Bekker said that Beta 1 doesn't have any major features
over the earlier versions that were floating around. Stuff like
pruning and grafting of AD, IIS 6.0, and extensions for MS-Office
should arrive later. One bit of coolness is a drag-and-drop AD
snap-in for Users and Computers.
MS Officials say that they are going to release desktop 'Whistler'
which is the code name for the tool in summer 2001. Knowing MS, I
am now officially nicknaming the new version "W2K2" from here on
out! The W2K2 server flavors are expected late 2001. Well, we'll
see about that [grin]. Since this integrates some old W95 code into
NT, I expect a bunch of backward compatibility problems.
MS has a press release on this over on their website [HYPE ALERT]
But ENT Mag has a nice list of features that are new which is far
more interesting to check out. Mouse over here and have a look:
More On Sending 'Out Of Office' to mailing lists
This one I 'stole' from Michèle Hirt's sig on our Exchange list.
To avoid sending OOFs to mailing lists, you can do the following:
- Create a Public Folder & name it whatever you want to. Make
a note of its SMTP address.
- Subscribe that SMTP address to the mailing list (for instance
"MS-Exchange Admin Issues").
- Set your own mail subscription to the "no mail" option.
Then, the PF will receive all mail sent to the list & since PFs
can't be out of the office, they won't return OOFs.
But some more people sent in suggestions. David Houston said:
"Alternatively, you can set conditions for the OOO rule so that
it will only send the message if the message has been "Sent
directly to me". This also means that you don't send responses
to internal user groups (I'm not sure what the MS name for such
groups is) that have been set up by system administrators. This
is what I have done in the past".
And Greg Bromage sent this:
"Another way of doing this is, rather than set up a blanket OOO
mail, create out-of-office rules. For each mailing list you don't
want to suspend, create a Sent By rule with the mailing list
name in it. Don't set any actions, and ensure that the "Do not
process subsequent rules" box is checked. Finally, create an end
rule with the OOO reply. The advantage of this is that you can
also set up mail from particular mailing lists (or people) to
be forwarded to another e-mail address, or have a different OOO
reply for different people".
More on The Page File Is A Possible Vulnerability
Quite a few people sent me a response like Steve Morgan did:
"There is a consequence to deleting a pagefile on shutdown. It
stretches out the time until the machine shuts down. For security,
I specify deleting the pagefile on our Windows 2000 terminal
servers. Those servers are specified with a 4 GB pagefile, and
it takes the systems about 20 minutes to shutdown. The bigger the
pagefile, the longer to shutdown. On public servers like a
terminal server, this can be a real pain when you're trying
to turn maintenance around real quick."
I appreciate the feedback. And also a little 'undo': the 775Meg
should be 375Meg. Thanks Guys!
THIRD PARTY NEWS
Migration to W2K Still A Headache?
Well, listen to this. There is some help for network pros, and it's
better than aspirin. I found two great (free) opportunities to help
you plan, deploy and manage Windows 2000 and Exchange 2000.
- A completely free e-book and
- A free half-day Seminar.
1) The e-book: 'The Definitive Guide to Windows 2000 Administration',
by industry gurus Sean Daily and Darren Mar-Elia. It gets you beyond
the manuals and white papers. Here are real-world experiences that
will impact your performance. Written by industry experts - sponsored
by NetPro. You can download the first chapter now at:
2) The seminar: 'Plan, Deploy, Manage Windows 2000 & Exchange 2000'.
Learn how to: Get to Windows 2000 & Exchange 2000 - faster. It shows
how to ensure a smooth upgrade that minimizes disruption to your
end-users and HelpDesk personnel, and to facilitate a manageable
and enforceable Windows 2000 & Exchange 2000 policy and admin model.
You can visit the seminar and learn why large outfits such as Kodak,
Shell, AstraZeneca, and Charles Schwab selected FastLane to get to
Windows 2000 & Exchange 2000. They told me the attendance will be
strictly limited. Better see if you can get in there before it is
Another NEW Security Tool: Service Account Password Mgmt
Hackers and Crackers work hard, but so do the software developers
that come out with tools to stop them. Here is your chance to
influence the development direction of a NEW TOOL. SmallWonders
of Atlanta is a successful developer of security tools. They have
just *yesterday* announced the BETA program of Service Explorer.
No, you cannot buy it yet, we do not know the price even!
But what you *can* do is download it, play with it, report the bugs
(which we know there are) to Smallwonders, but most importantly,
tell them about the features you would like in this tool, and help
build that product so it will be optimal in its use.
Service Explorer allows W2K/NT admins to manage multiple services
across multiple servers simultaneously. Use Service Explorer to solve
the common SECURITY LOOPHOLE of unchanged service accounts that have
Domain privileges. Service Explorer gives you the capability to
remotely install and de-install services, and lets you control the
order of changes to different services. It can change services on
multiple domains in the same operation.
Service Explorer makes it easy to completely manage Services and
Service Account Passwords on thousands of Windows 2000/NT Systems
in a single operation. If your company uses agent-based and other
software that relies on 2000/NT Services (such as SMS and many virus-
scanning programs), you will benefit from enhanced security, improved
uptime for service-based software and reduced administrative costs.
DOWNLOAD THE BETA OVER HERE: (the current limit is 10 servers and 21
days but the developer will extend both if you ask them to).
Where Did That EX-EMPLOYEE Have Access?
In today's increasingly security conscious IT environments, it's
important to be able to quickly determine who has admin rights over
your network and where. Sure, you may know who is a Domain Admin
but what if someone has added themselves locally on a key server?
What about those administrative level test accounts with blank
passwords?! Corporate data may also be at risk - do you know if
your file system permissioning standards are actually being followed?
Where did those fired employees have access anyway? Sunbelt's Domain
Reporter can help you address these and other concerns. With its real
time and historical data collection modes, you can gather information
on file permissions, unused accounts, blank passwords and even track
changes to your administrative group memberships. Don't get cracked.
Run the 30-day eval and get ready to be surprised.
This Week's Links We Like. Tips, Hints And Fun Stuff
Who uses what OS and how good is their website uptime record? Hot
Stuff over at:
If you want to see a REALLY good SMS site, check out Cliff Hobb's
Looking for the most important and time saving keyboard shortcuts?
Chris Pirillo did the work:
PRODUCT OF THE WEEK
Hacking Exposed (Second Edition) [BRAND NEW!]
This title has been a bestseller in its version 1.0, and 2.0 is
even better. I wanted to update you on this brand spanking new
edition of Hacking Exposed. I reviewed V1.0 a while back. I have
the 2.0 version in my hot little hands and already started on it.
They have added over 220 new pages and you are going to love the
new stuff in there. There are two entirely new Chapters on Windows
technologies - Win 2000 Hacking and Internet User Hacking (covers
insidious attacks on IE and Outlook). And of course, they go into
detail on how to defend against everything they describe. Two
short sound bites: "A cross between a spy novel and a tech manual"
and "The best full-disclosure security book you can buy". A MUST.
Network Intrusion Detection, An Analyst's Handbook (Sec.Ed.)
Excellent title if you are interested in learning how networks work
in reality. Great data about network traffic analysis, how you can
identify possible attacks, and how best to handle them. Very good
book in this area. Strong recommendation.
Designing Security for a Windows 2000 Network
Exam 70-220, Designing Security for a Windows 2000 Network tests
the skills required to analyze the business requirements for
security and design a security solution that meets your business
requirements. Security includes controlling access to resources,
auditing access to resources, authentication, and encryption.