Sunbelt W2Knews™ Electronic Newsletter
The secret of those "who always seem to know" - Over 500,000 Readers!
Mon, Nov 6, 2000 (Vol. 5, #53 - Issue #227)
How To Protect Against the 'QAZ MS Crack'?
  This issue of W2Knews™ contains:
  1. EDITORS CORNER
    • W2K Survival Kit - Limited Edition - Selling Out Fast!
  2. TECH BRIEFING
    • How To Protect Against the 'QAZ Microsoft Crack'?
  3. NT/2000 RELATED NEWS
    • New IT Training And Certification Portal
    • What Is New In 'Windows 2002'?
    • More On Sending 'Out Of Office' to mailing lists
    • More on The Page File Is A Possible Vulnerability
  4. NT/2000 THIRD PARTY NEWS
    • Migration to W2K Still A Headache?
    • Another NEW Security Tool: Service Account Password Mgmt
    • Where Did That EX-EMPLOYEE Have Access?
  5. W2Knews 'FAVE' LINKS
    • This Week's Links We Like. Tips, Hints And Fun Stuff
  6. PRODUCT OF THE WEEK
    • Hacking Exposed (Second Edition) [BRAND NEW!]
    • Network Intrusion Detection, An Analyst's Handbook (Sec.Ed.)
    • Designing Security for a Windows 2000 Network
  SPONSOR: MAIL.COM
Whether upgrading from a previous version of Exchange, migrating
to Exchange from existing systems, or choosing Exchange as your
company's first system, Mail.com provides Hosted Microsoft
Exchange solutions to suit the needs of organizations of every
size. Mail.com provides enhanced applications such as virus
scanning, content control and integrated faxing. Without requiring
any additional hardware or software, we'll provide Exchange 2000
that is more reliable, secure and affordable than running it
yourself-virtually overnight.

Visit MAIL.COM for more information.
  EDITORS CORNER

W2K Survival Kit - Limited Edition - Selling Out Fast!

You may have missed this, and I do not want you to tell me afterward that I did not warn 'ya. :-)

I pulled together something really special for you guys as a Christmas present from Sunbelt. OK, OK, it's not completely free, but normally you pay 5 times more than this. Basically we do this once a year as a special, and it's practically at cost. We can now also deliver internationally, (but shipping is higher, send an email to [email protected] to get details).

The combo is:
1) the W2K Admin Black Book I co-wrote
2) 5 CDs (videos put on CD) that completely cover the new W2K system.
You could consider this your very own home 'W2K boot camp' at about 10% of the cost, and will prep you for the 70-240 exam. Remember the old 'MCSE Complete' kit we had? This is something similar.

'The Book, the Booster and the Movie'. How does the new AutoPilot for Windows 2000 perform? Well, I'll let Drew Megarry do the talking, he sent the following two paragraphs to us a few days ago:

"Our company specializes in outsourcing IT assistance for small to mid-sized companies that can't afford their own IT Department. Most of them have only a single server, and these servers sometimes run everything from Exchange, to Faxing, File and Printer Sharing, Backups, Proxy Services, Web Publishing and more".

"This weekend I was working at a client site and he complained of extremely poor performance on his server. I decided that this would be a good test of your AutoPilot software and downloaded an eval copy. The results were dramatic, I couldn't believe the results!"

We are only going to make 1000 of this Limited Edition. In the first week alone hundreds were already sold, so you have to be quick with this one before the Holiday Rush sets in. You can download and watch two clips from the CDs in the section "White Papers, Documents and Other Files" to get to know Ross, who will become your mentor and friend. He presents the material in a clear and humorous way. You want to grab this opportunity while it lasts. Normally $794.90, but now only $195.00 (add s/h).
http://www.sunbelt-software.com/product.cfm?id=227

If I see any good 'end-of-year' deals I'll send you a W2KnewsFlash.

Now, let's have a look at the news!

Stu Sjouwerman
(email me with feedback: [email protected])

  SPONSOR: Win2K MAG
WINDOWS 2000 MAGAZINE - GET A FREE SAMPLE ISSUE
Windows 2000 Magazine helps you seek out and implement smart
solutions and includes unrivaled coverage of security, Exchange,
Active Directory, and more. Order a free sample issue now and
without risk, and discover the best resource for Windows NT/2000.

Visit Win2K MAG for more information.
  TECH BRIEFING

How To Protect Against the 'QAZ Microsoft Crack'?

Of course this is a black eye for MS. So how do we prevent getting a shiner like that ourselves? Many have sent me feedback and thanks to all of you. The article below was inspired by a MS TechNet page that goes into security in a generic way, but I added a series of specific links to tools and suggestions. It's in an FAQ-format.

Keep in mind that reason number one that your network gets cracked is that YOUR ORGANIZATION was not ready/trained enough to prevent it. This is your challenge Number One. Buy and *Study* the 3 books in the SECURITY BOOKS OF THE WEEK section below.

Q: How does an intruder get into my network?

A: In many cases it is end users' lack of security awareness that results in errors. You have to be alert for this kind of stuff, which often boils down to configuration errors. Crackers look for these and exploit them. You GOTTA, GOTTA, GOTTA have a set of security Policies and Procedures that are drilled into staff on a regular basis and get Top Management Air Cover. Management is itself also subject to these measures. What good are all these measures if the CEO uses his wife's name as a password? Done that myself once, as I have to shamefully admit [blush].

The policy and procedures need to be based on 'Security Best Practices'. You will find these in the SECURITY BOOKS OF THE WEEK section below.

Once you have these in place, and you have a responsible team (or person) make sure they get implemented, tested, tested, tested and continually monitored. This will limit your exposure. But the *very* first thing you need to do is get a cheap but powerful Event Log Monitor that will ping you when something funky is going on and monitor your network carefully. An example is ELM:
http://www.sunbelt-software.com/product.cfm?id=533

Q: Any recommendations about software and configuration that I should follow?

A: Since our security perimeter has now moved to the home of employees that 'telecommute', I suggest 4 lines of defense:

  1. Virus Scanners, (home and office)
  2. Personal Firewalls /maybe combined with VPN's (home)
  3. Email Gateway Scanners (office)
  4. Traditional Corporate Security Tools (office)

1) MS recommends following Security Best Practices, but that is a conveniently vague term. To begin with, you have to have antivirus software on ALL corporate machines, desktops and servers, whether they are used at home or at the office. Have them automatically update their virus signatures overnight. Also, have the AV software sit on Exchange Internet Mail Connectors and proxy servers. It slows the machine down a tiny bit, but you should make it a reason for dismissal if employees turn off their virus scanning software.

2) On home systems being used for corporate access I would almost REQUIRE a personal firewall installed to prevent the QAZ hack that MS suffered. These tools are either free or cheap, but need to be compatible with the VPN you might use or work with your existing remote access (Terminal Server?) method. Some examples of these: Check Point's SecureClient, BlackICE by NetworkICE, tools like ZoneAlarm and "eSafe Desktop" from Aladdin, and Norton Internet Security 2000.

3) CNN just reported yesterday that a whopping 80% of *all* US corporate mail is now EMAIL! And email also happens to be the Number One source of security breaches at the moment. That means you want some kind of extra scanning going on that protects against attachments which can contain viruses or trojan horses like the one in the MS hack. Look at Mail Essentials:
www.sunbelt-software.com/product.cfm?id=610

Other good tools are Sybari and Network Associates' GroupShield.

4) There are quite a few categories of traditional corporate security tools. Firewalls are a good example. Configure your firewalls and routers to allow only the network activity necessary to your business. Update them the moment patches become available. Monitor and control application access (turn on Auditing on your servers) and set and enforce a strong password policy. Configure only those service accounts that are actually needed, and change their passwords at least once a month. (See THIRD PARTY NEWS below for a new utility that can help here.)

Use other tools as needed. These are the categories:

  • Active Content Monitoring
  • Host-Based Intrusion Detection
  • Network-Based Intrusion Detection
  • Security Appliances
  • Security Services: Penetration Testing
  • Authentication
  • Network Authentication
  • Certificate Authority
  • File and Session Encryption
  • Virtual Private Networks and Cryptographic Communications
  • Single Sign-On
  • Secure Web Servers
  • Vulnerability Scanners: Network-Based
  • Vulnerability Scanners: Host-Based
  • Real-Time Security Awareness
  • Enterprise Security Administration
  • Managed Security Services
  • Security Services: Policy Development
  • Trusted Operating System

More data at www.sans.org; that site explains these categories and what the tools in each do.

And your systems need to be configured correctly. Update to the most recent Service packs to begin with. Think about things like restricting null session access via the Registry, or limiting access via named pipes and/or shares. Kill the NetBIOS bindings if that does not break anything by itself, and disable as many Admin shares as possible. And for obvious reasons, make sure only a few of your high priests can get to tools and boxes that capture network traffic. Make sure to 'testbed' this before you break your production environment!
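The configuration checks above (null sessions, admin shares, NetBIOS bindings) and the service-account point under 4) can be audited from one script. This is an added example, not code from the newsletter or from Microsoft: a read-only PowerShell audit for a current Windows host (Windows 2000 itself predates PowerShell). The registry values and WMI property it reads are documented Windows settings that the article does not name, so they are listed in the comments as assumptions.

```powershell
# Read-only audit of the hardening items from the article. Changes nothing.
# Assumed, documented Windows values (not named in the article):
#   HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous       0 = null sessions allowed
#   HKLM\...\Services\LanmanServer\Parameters\AutoShareServer / AutoShareWks
#                                                                    1 (or absent) = recreate C$, ADMIN$ at boot
#   Win32_NetworkAdapterConfiguration.TcpipNetbiosOptions            2 = NetBIOS over TCP/IP disabled

function New-Finding([string]$Check, [string]$State, [string]$Advice) {
    [pscustomobject]@{ Check = $Check; State = $State; Advice = $Advice }
}

function Invoke-HardeningAudit {
    $out = @()

    # 1. Null-session (anonymous) enumeration of accounts and shares
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $ra  = [int]$lsa.RestrictAnonymous          # a missing value casts to 0
    if ($ra -ge 1) { $out += New-Finding 'RestrictAnonymous' "$ra" 'OK' }
    else { $out += New-Finding 'RestrictAnonymous' "$ra" 'Set to 1; try 2 only after testbedding, as the article advises' }

    # 2. Administrative shares: the auto-create switches and what is live right now
    $lm = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -ErrorAction SilentlyContinue
    foreach ($name in 'AutoShareServer', 'AutoShareWks') {
        $v = $lm.$name
        if ($v -eq 0) { $out += New-Finding $name '0' 'OK: admin shares not auto-created' }
        else {
            $shown = if ($null -eq $v) { 'not set (defaults to 1)' } else { "$v" }
            $out += New-Finding $name $shown 'Set to 0 unless a management tool needs C$/ADMIN$'
        }
    }
    $live = Get-CimInstance Win32_Share | Where-Object { $_.Name -like '*$' -and $_.Name -ne 'IPC$' }
    foreach ($s in $live) { $out += New-Finding "Share $($s.Name)" "$($s.Path)" 'Hidden admin share currently exposed' }

    # 3. NetBIOS over TCP/IP on every IP-enabled adapter
    $nics = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    foreach ($n in $nics) {
        $state = switch ([int]$n.TcpipNetbiosOptions) { 2 { 'disabled' } 1 { 'enabled' } default { 'DHCP default (usually enabled)' } }
        $advice = if ($state -eq 'disabled') { 'OK' } else { 'Disable NetBIOS over TCP/IP if nothing depends on it (testbed first)' }
        $out += New-Finding "NetBIOS on $($n.Description)" $state $advice
    }

    # 4. Services running under named accounts: the unchanged-password loophole from point 4)
    $svc = Get-CimInstance Win32_Service | Where-Object {
        $_.StartName -and $_.StartName -notmatch '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\)' }
    foreach ($s in $svc) {
        $out += New-Finding "Service $($s.Name)" "runs as $($s.StartName)" 'Confirm the account is still needed and its password is rotated'
    }
    return $out
}

Invoke-HardeningAudit | Format-Table -AutoSize -Wrap
```

Run it in an elevated PowerShell on a test machine first; it only reports, so the "testbed before production" advice applies to the changes you make afterwards, not to the script.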

Q: How do I detect an intrusion when it occurs?

A: Categories 2 and 3 in the tool list above (host- and network-based intrusion detection) are the most used, often in combination with each other and with scripts that show when things out of your ordinary daily routine occur. Decide what activities and events should be audited, and set alarms for them. A rational approach to building your security perimeter is to create multiple layers of security that start with Policy, Procedure, Training and correct configuration, then deployment of security tools, followed by continuous testing and monitoring.

Microsoft describes this as follows: Prevent, Detect, React, and then Remediate.

  1. Prevent - Obviously, the primary goal of a security system should be to prevent intrusions whenever possible, and to ensure that breaching the security of one layer doesn't enable the intruder to breach other ones.
  2. Detect - Security measures should be in place that constantly monitor the system for signs of an intrusion.
  3. React - When an intrusion is detected, the system should take action to monitor the intruder and limit further damage.
  4. Remediate - Once the intrusion has been countered, the security system should be capable of returning the network to its former secure state.

Building a security system and a security organization around these principles is the only way to assure robust security for a large organization and network.

Q: It sounds like achieving network security is a significant responsibility.

A: Yes. The job of security officer is a critical one for any outfit that operates in today's connected world. It is important to designate a security officer, and to give him or her the resources and authority needed to do the job and protect the organization's information assets.

Links:
http://www.microsoft.com/technet/security/
and
http://www.microsoft.com/technet/security/001027.asp

  NT/2000 RELATED NEWS

New IT Training And Certification Portal

I recently spotted a new IT training and certification portal on the Web called CertReview.com. The site's main focus seems to be Microsoft certifications (MCP, MOUS and MSS), but also has plans to expand into other non-competing certifications, such as CISCO and A+ credential programs.

When I dug a little deeper into the site I found in-depth technical reviews on products and services pertaining to Microsoft training and certification, hence the name CertReview.com. In addition, they will soon be offering their own line of digital e-books (MS Approved Study Guides) for sale on their site in the new Microsoft Reader format.

CertReview.com offers a different twist on IT training and certification (it's really an infomediary), and the site is definitely worth visiting and becoming a member of, especially if you are a Microsoft Certified Professional, Office User Specialist or Sales Specialist.
They are over at:
http://www.certreview.com

What Is New In 'Windows 2002'?

ENT Magazine reported that MS has sent the future Windows 2000 version for the first time to a real beta test group. I kind of expect the server version only to surface in 2002; that's the reason for the title of this item. Why so long? Well, Windows 2000 deployment has only just started to penetrate. Why push a new flavor to companies that have not even picked up the earlier version? Anyway, the only really interesting things are that this FINALLY merges the code base for consumer and corporate products into one, and includes 64-bit Windows. These are things BillG has been looking forward to for y e a r s.

ENT's Scott Bekker said that Beta 1 doesn't have any major features over the earlier versions that were floating around. Stuff like pruning and grafting of AD, IIS 6.0, and extensions for MS-Office should arrive later. One bit of coolness is a drag-and-drop AD snap-in for Users and Computers.

MS Officials say that they are going to release desktop 'Whistler' which is the code name for the tool in summer 2001. Knowing MS, I am now officially nicknaming the new version "W2K2" from here on out! The W2K2 server flavors are expected late 2001. Well, we'll see about that [grin]. Since this integrates some old W95 code into NT, I expect a bunch of backward compatibility problems.

MS has a press release on this over on their website [HYPE ALERT]
http://www.microsoft.com/presspass/press/2000/Oct00/Whistler1PR.asp

But ENT Mag has a nice list of features that are new which is far more interesting to check out. Mouse over here and have a look:
http://www.entmag.com/breaknews.asp?ID=3603

More On Sending 'Out Of Office' to mailing lists

This one I 'stole' from Michèle Hirt's sig on our Exchange list. To avoid sending OOFs to mailing lists, you can do the following:

  1. Create a Public Folder & name it whatever you want to. Make a note of its SMTP address.
  2. Subscribe that SMTP address to the mailing list (for instance "MS-Exchange Admin Issues").
  3. Set your own mail subscription to the "no mail" option.
Then, the PF will receive all mail sent to the list & since PFs can't be out of the office, they won't return OOFs.

But some more people sent in suggestions. David Houston said:

"Alternatively, you can set conditions for the OOO rule so that it will only send the message if the message has been "Sent directly to me". This also means that you don't send responses to internal user groups (I'm not sure what the MS name for such groups is) that have been set up by system administrators. This is what I have done in the past".

And Greg Bromage sent this:

"Another way of doing this is, rather than set up a blanket OOO mail, create out-of-office rules. For each mailing list you don't want to suspend, create a Sent By rule with the mailing list name in it. Don't set any actions, and ensure that the "Do not process subsequent rules" box is checked. Finally, create an end rule with the OOO reply. The advantage of this is that you can also set up mail from particular mailing lists (or people) to be forwarded to another e-mail address, or have a different OOO reply for different people".
Regards, Greg

More on The Page File Is A Possible Vulnerability

Quite a few people sent me a response like Steve Morgan did:

"Hey Stu: There is a consequence to deleting a pagefile on shutdown. It stretches out the time until the machine shuts down. For security, I specify deleting the pagefile on our Windows 2000 terminal servers. Those servers are specified with a 4 GB pagefile, and it takes the systems about 20 minutes to shutdown. The bigger the pagefile, the longer to shutdown. On public servers like a terminal server, this can be a real pain when you're trying to turn maintenance around real quick."

I appreciate the feedback. And also a little 'undo': the 775Meg should be 375Meg. Thanks Guys!

  THIRD PARTY NEWS

Migration to W2K Still A Headache?

Well, listen to this. There is some help for network pros, and it's better than aspirin. I found two great (free) opportunities to help you plan, deploy and manage Windows 2000 and Exchange 2000.

  1. A completely free e-book and
  2. A free half-day Seminar.

1) The e-book: 'The Definitive Guide to Windows 2000 Administration', by industry gurus Sean Daily and Darren Mar-Elia. It gets you beyond the manuals and white papers. Here are real-world experiences that will impact your performance. Written by industry experts - sponsored by NetPro. You can download the first chapter now at:
http://www.fastlane.com/windows2000admin/toc.cfm

2) The seminar: 'Plan, Deploy, Manage Windows 2000 & Exchange 2000'. Learn how to: Get to Windows 2000 & Exchange 2000 - faster. It shows how to ensure a smooth upgrade that minimizes disruption to your end-users and HelpDesk personnel, and to facilitate a manageable and enforceable Windows 2000 & Exchange 2000 policy and admin model.

You can visit the seminar and learn why large outfits such as Kodak, Shell, AstraZeneca, and Charles Schwab selected FastLane to get to Windows 2000 & Exchange 2000. They told me the attendance will be strictly limited. Better see if you can get in there before it is too late:
http://www.fastlane.com/content.cfm?pgID=10&oa=sb103000

Another NEW Security Tool: Service Account Password Mgmt

Hackers and Crackers work hard, but so do the software developers that come out with tools to stop them. Here is your chance to be influencing the development direction of a NEW TOOL. SmallWonders of Atlanta is a successful developer of security tools. They have just *yesterday* announced the BETA program of Service Explorer. No, you cannot buy it yet, we do not know the price even!

But what you *can* do is download it, play with it, report the bugs (which we know there are) to Smallwonders, but most importantly, tell them about the features you would like in this tool, and help build that product so it will be optimal in its use.

Service Explorer allows W2K/NT admins to manage multiple services across multiple servers simultaneously. Use Service Explorer to solve the common SECURITY LOOPHOLE of unchanged service accounts that have Domain privileges. Service Explorer gives you the capability to remotely install and de-install services, and lets you control the order of changes to different services. It can change services on multiple domains in the same operation.

Service Explorer makes it easy to completely manage Services and Service Account Passwords on thousands of Windows 2000/NT Systems in a single operation. If your company uses agent-based and other software that relies on 2000/NT Services (such as SMS and many virus-scanning programs), you will benefit from enhanced security, improved uptime for service-based software and reduced administrative costs.

DOWNLOAD THE BETA OVER HERE: (the current limit is 10 servers and 21 days but the developer will extend both if you ask them to).
http://www.sunbelt-software.com/product.cfm?id=786

Where Did That EX-EMPLOYEE Have Access?

In today's increasingly security conscious IT environments, it's important to be able to quickly determine who has admin rights over your network and where. Sure, you may know who is a Domain Admin but what if someone has added themselves locally on a key server?

What about those administrative level test accounts with blank passwords?! Corporate data may also be at risk - do you know if your file system permissioning standards are actually being followed? Where did those fired employees have access anyway? Sunbelt's Domain Reporter can help you address these and other concerns. With its real time and historical data collection modes, you can gather information on file permissions, unused accounts, blank passwords and even track changes to your administrative group memberships. Don't get cracked. Run the 30-day eval and get ready to be surprised.
http://www.sunbelt-software.com/product.cfm?id=866

  FAVE LINKS

This Week's Links We Like. Tips, Hints And Fun Stuff

  • Who uses what OS and how good is their website uptime record? Hot Stuff over at:
    http://www.netcraft.com/survey/
  • If you want to see a REALLY good SMS site, check out Cliff Hobbs's site at:
    http://www.swynk.com/friends/hobbs/
  • Looking for the most important and time saving keyboard shortcuts? Chris Pirillo did the work:
    http://www.lockergnome.com/shortcuts.html
  PRODUCT OF THE WEEK

Hacking Exposed (Second Edition) [BRAND NEW!]

This title has been a bestseller in its version 1.0, and 2.0 is even better. I wanted to update you on this brand spanking new edition of Hacking Exposed. I reviewed V1.0 a while back. I have the 2.0 version in my hot little hands and already started on it. They have added over 220 new pages and you are going to love the new stuff in there. There are two entirely new Chapters on Windows technologies - Win 2000 Hacking and Internet User Hacking (covers insidious attacks on IE and Outlook). And of course, they go into detail on how to defend against everything they describe. Two short soundbytes: "A cross between a spy novel and a tech manual" and "The best full-disclosure security book you can buy". A MUST.
http://www.amazon.com/exec/obidos/ASIN/0072127481/sunbeltunivers0c

Network Intrusion Detection, An Analyst's Handbook (Sec.Ed.)

Excellent title if you are interested in learning how networks work in reality. Great data about network traffic analysis, how you can identify possible attacks, and how best to handle them. Very good book in this area. Strong recommendation.
http://www.amazon.com/exec/obidos/ASIN/0735710082/sunbeltunivers0c

Designing Security for a Windows 2000 Network

Exam 70-220, Designing Security for a Windows 2000 Network, tests the skills required to analyze the business requirements for security and design a security solution that meets those requirements. Security includes controlling access to resources, auditing access to resources, authentication, and encryption.
http://www.sunbelt-software.com/bookclub/