Microsoft Crack: Password Left Blank During Server Config.
Paul Thurrott's WinInformant site reported on the following story
that I think is worth your attention. There is finally some more
data about the recent MS-crack. Bob Herbold, one of the MS veterans
who is retiring his COO position gave a lecture at the University
of Washington Business School and explained what happened.
Herbold said that human error was to blame, and not a bug in any
particular software product. He added that usually these kinds of
cracks can be traced back to people, not software. In this particular
case, someone left a password blank when they configured a server.
The attacker came through an employee's PC, and then did a search &
discovery for a server with a blank password. He found an NT 4.0
server, and then gained access to the MS network and had fun roaming
around all over the place. What he did not know is that MS was on
his trail after a while and monitored his movements trying to catch
Once they found out that the cracker had been looking at source code,
they pulled in the FBI and went public. They are still in the process
of investigating. A lot of details are not known yet, including how
the cracker got access to begin with to the PC. Lessons learned:
1) ALWAYS, ALWAYS, ALWAYS plug in a mind-numbingly difficult password
when configuring your servers. Seven characters is ideal, and
include things like %$#*. Take a normal word for instance, like the
date of this issue which is March05, but change some characters so
it is easy to remember but difficult to crack, e.g. [email protected]#05.
2) Have telecommuting employees that are on a broadband connection
run personal firewalls that keep enemy traffic OUT, but also keep
that PC from reaching out to unauthorized sites. You have to shut
off both incoming and outgoing traffic. The latter is something
most people forget.
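Lesson 1 above boils down to two checks a defender can run against a server inventory: is any account's password blank (the exact misconfiguration the attacker went looking for), and does each password meet the article's minimum (seven characters, at least one symbol such as %$#*)? The script below is an added example, not code from the newsletter; the hostnames, account names and passwords in INVENTORY are constructed, and MIN_LENGTH and SPECIALS encode the article's rule of thumb. Current guidance (NIST SP 800-63B) favors longer passphrases and screening against breached-password lists over short complexity rules, so in practice you would raise MIN_LENGTH.

```python
import string

# Constructed inventory of local server accounts (hypothetical hosts and
# passwords, not taken from the article).  In a real audit this would come
# from a configuration-management export or a local-account audit tool.
INVENTORY = [
    {"host": "srv-nt4-01", "account": "Administrator", "password": ""},
    {"host": "srv-nt4-02", "account": "Administrator", "password": "march05"},
    {"host": "srv-w2k-01", "account": "Administrator", "password": "H0use%Key*9"},
    {"host": "srv-w2k-02", "account": "svc_backup", "password": "abc"},
]

MIN_LENGTH = 7                                  # the article's "seven characters"
SPECIALS = set("%$#*") | set(string.punctuation)  # symbols the article asks for


def password_findings(password):
    """Return the list of policy violations for one password (empty list = passes).

    A blank password is reported on its own: it is the incident's root cause and
    the other checks are meaningless once the password is empty.
    """
    if password == "":
        return ["blank password"]
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if not any(ch in SPECIALS for ch in password):
        findings.append("no special character such as % $ # *")
    return findings


def blank_password_hosts(inventory):
    """Hosts with at least one blank-password account: fix these before anything else."""
    return sorted({e["host"] for e in inventory if e["password"] == ""})


def audit(inventory):
    """Map (host, account) -> findings for every account that fails the policy."""
    failing = {}
    for entry in inventory:
        findings = password_findings(entry["password"])
        if findings:
            failing[(entry["host"], entry["account"])] = findings
    return failing


if __name__ == "__main__":
    print("blank passwords on:", blank_password_hosts(INVENTORY))
    for (host, account), findings in audit(INVENTORY).items():
        print(f"{host}\\{account}: {'; '.join(findings)}")
```

Run it against a real export and treat the blank-password list as a page-the-admin-now item; the length and symbol findings are the routine follow-up.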
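Lesson 2 is about the direction most personal-firewall setups ignore: outbound. The Python below is an added example, not code from the newsletter or any firewall product; it is a tiny first-match rule evaluator that contrasts the common "block inbound, allow everything outbound" policy with the article's recommendation of an explicit allow-list in both directions. The corporate range 10.0.0.0/8 and the RFC 5737 documentation addresses used for the approved update server and the "unauthorized site" are constructed placeholders.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Rule:
    direction: str            # "in" (connection to this PC) or "out" (from this PC)
    action: str               # "allow" or "deny"
    remote: str               # CIDR the remote end must fall inside
    port: Optional[int] = None  # None = any port


@dataclass
class Policy:
    rules: List[Rule] = field(default_factory=list)
    default_in: str = "deny"
    default_out: str = "deny"

    def decide(self, direction: str, remote_ip: str, port: int) -> str:
        """First matching rule wins; if nothing matches, the direction's default applies."""
        addr = ip_address(remote_ip)
        for rule in self.rules:
            if (rule.direction == direction
                    and addr in ip_network(rule.remote)
                    and rule.port in (None, port)):
                return rule.action
        return self.default_in if direction == "in" else self.default_out


# What most home PCs had in 2001: unsolicited inbound blocked, outbound wide open.
INBOUND_ONLY = Policy(default_in="deny", default_out="allow")

# The article's advice: a short allow-list, default deny in BOTH directions.
# (Addresses are constructed: 10.0.0.0/8 stands for the corporate network reached
# over the VPN, 192.0.2.10 for an approved update server.)
BOTH_WAYS = Policy(
    rules=[
        Rule("out", "allow", "10.0.0.0/8"),          # corporate resources, any port
        Rule("out", "allow", "192.0.2.10/32", 443),  # approved update server only
    ],
    default_in="deny",
    default_out="deny",
)


def compare(direction: str, remote_ip: str, port: int) -> dict:
    """Decision of each policy for one connection attempt, keyed by policy name."""
    return {
        "inbound_only": INBOUND_ONLY.decide(direction, remote_ip, port),
        "both_ways": BOTH_WAYS.decide(direction, remote_ip, port),
    }


if __name__ == "__main__":
    # A compromised PC "reaching out" to an unauthorized site (constructed address).
    print("outbound to 203.0.113.5:80 ->", compare("out", "203.0.113.5", 80))
    # Legitimate traffic still works under the stricter policy.
    print("outbound to 10.1.2.3:445   ->", compare("out", "10.1.2.3", 445))
    # Unsolicited inbound is blocked by both.
    print("inbound from 203.0.113.5:139 ->", compare("in", "203.0.113.5", 139))
```

The point the evaluator makes is that only the second policy turns a malware callback or an attacker's outbound session into a logged deny; the first policy never even looks at it.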
How Did Microsoft Do in 2000? Pretty Good.
I just got a Press Release from IDC, one of the foremost industry
analysts, especially in the area of 'market share drilldowns'. They
have some interesting news. The reason for these releases BTW is
to announce their reports. These cost $1,500 and are for companies
that would rather pay for this research than do their own.
So, what was the MS-related news? Despite the MS battle with the
US Dept of Justice, it has increased its iron grip on the server
OS market. According to IDC, Windows accounted for 41% of server
operating environment (SOE) shipments and an overwhelming 92% of
shipments for the client operating environment (COE).
"The strong are getting stronger," said Dan Kusnetzky, vice president
of IDC's Operating Environments research. "In what could have easily
been a tough year for Microsoft because of its transition to Windows
2000, the company managed to increase its position in both the client
and the server operating environments market."
Microsoft's SOE shipments jumped 20% in 2000 while the overall market's
growth was less than 13%. With 24% growth, Linux was the only other
category of operating environment to increase its shipments faster
than Microsoft - or to increase its shipments at all. That's pretty
much what I said in my last issue, but now I have some backing [grin].
Linux continues to garner backing from some big guns in the IT
industry, helping to drive its growth. IBM, Hewlett-Packard, and Dell
are all shipping workstations and low-end servers with Linux as the OS.
"Critics and nonbelievers can no longer dismiss the Linux market as a
fad," said Al Gillen, research manager for IDC's Operating Environments
program. "If leading hardware vendors are willing to risk their
credibility by endorsing and placing Linux systems in the market, it's easy
for customers to conclude there must be something real about Linux."
The IDC reports this comes from (which have a LOT more data) are called
'Server Operating Environments: 2000 Year in Review' (IDC #B23731) and
'Client Operating Environments: 2000 Year in Review' (IDC #B23849).
Careful With Active Directory 'Link Value Replication' Bug
Network World reported that AD has a bit of a bug you need to work
around for the coming year. It's been there for a while already but
will only be fixed in the new Windows XP Server, so you will have
to upgrade your domain controllers to WXP to get rid of this puppy.
It's a security related issue in AD that can cause changes to user
groups to be dropped before being recorded. The flaw centers on the
requirement that admins manage user groups as a single entity, or
attribute, and not by individual user, a concept called "multivalued
attributes." Multivalued attributes force administrators to update
an entire attribute, or list, to add or delete even a single user.
If two administrators make changes to the same list, one set of changes
is dropped out during replication as part of conflict resolution.
One result could be that a user deleted from a group membership by
one admin could be returned to the group and retain group access
rights and permissions due to the work of another admin. Sloppy,
and a security risk. You can get around it by centralizing admin of
group membership lists. But you want to be able to delegate that
stuff, so it's a headache.
Microsoft says the best way to avoid the problem is to make all group
membership changes on a single domain controller, which prevents
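The replication behaviour described above is easy to lose track of in prose, so here is a small simulation; it is an added example and not Microsoft code. It models a group's multivalued member attribute on two domain controllers and replays the scenario from the article: one admin removes a user on DC1 while another admin adds a different user on DC2 before replication runs. The conflict rule modelled here (the attribute copy with the newer stamp replaces the other one wholesale) is an assumption that reproduces the effect the article describes, not AD's internal algorithm; the "lvr" mode shows what per-value (link value) replication changes, and run_single_dc shows why Microsoft's single-DC workaround avoids the conflict. Group and user names are constructed.

```python
from typing import Dict, Set, Tuple

Stamp = Tuple[int, str]   # (logical clock, originating DC); compares newest-first by clock


class DomainController:
    """One DC's replica of a group's multivalued 'member' attribute.

    mode="whole": the entire member list replicates as one attribute value with a
                  single version stamp (the pre-LVR behaviour the article describes).
    mode="lvr":   every member value carries its own stamp, so an add on one DC and
                  a remove on another merge instead of one of them being dropped.
    """

    def __init__(self, name: str, members, mode: str) -> None:
        self.name = name
        self.mode = mode
        init: Stamp = (0, "init")
        self.attr_stamp: Stamp = init                     # stamp of the whole attribute
        self.values: Dict[str, Tuple[Stamp, bool]] = {    # user -> (stamp, present?)
            m: (init, True) for m in members
        }

    @property
    def members(self) -> Set[str]:
        return {u for u, (_, present) in self.values.items() if present}

    def _change(self, user: str, present: bool, clock: int) -> None:
        stamp: Stamp = (clock, self.name)
        self.values[user] = (stamp, present)
        self.attr_stamp = stamp     # any edit bumps the whole-attribute version too

    def add(self, user: str, clock: int) -> None:
        self._change(user, True, clock)

    def remove(self, user: str, clock: int) -> None:
        self._change(user, False, clock)

    def replicate_from(self, other: "DomainController") -> None:
        if self.mode == "whole":
            # Whole-attribute conflict resolution: the replica with the newer stamp
            # wins outright, so every edit made on the losing DC since the last
            # replication cycle is silently discarded.
            if other.attr_stamp > self.attr_stamp:
                self.values = dict(other.values)
                self.attr_stamp = other.attr_stamp
        else:
            # Link value replication: resolve each member value on its own stamp.
            for user, (stamp, present) in other.values.items():
                mine = self.values.get(user)
                if mine is None or stamp > mine[0]:
                    self.values[user] = (stamp, present)
            self.attr_stamp = max(self.attr_stamp, other.attr_stamp)


def run_scenario(mode: str):
    """Two admins edit the same group on different DCs between replication cycles."""
    initial = ["alice", "bob", "contractor"]
    dc1 = DomainController("DC1", initial, mode)
    dc2 = DomainController("DC2", initial, mode)
    dc1.remove("contractor", clock=2)   # admin A revokes the contractor's access on DC1
    dc2.add("dave", clock=3)            # admin B adds a new user on DC2 slightly later
    dc1.replicate_from(dc2)             # one replication cycle in each direction
    dc2.replicate_from(dc1)
    return sorted(dc1.members), sorted(dc2.members)


def run_single_dc():
    """Microsoft's workaround: route every group-membership change through one DC."""
    initial = ["alice", "bob", "contractor"]
    dc1 = DomainController("DC1", initial, "whole")
    dc2 = DomainController("DC2", initial, "whole")
    dc1.remove("contractor", clock=2)   # both admins' edits land on DC1, in order
    dc1.add("dave", clock=3)
    dc2.replicate_from(dc1)
    dc1.replicate_from(dc2)
    return sorted(dc1.members), sorted(dc2.members)


if __name__ == "__main__":
    print("whole-attribute replication:", run_scenario("whole"))   # contractor is back
    print("link value replication:     ", run_scenario("lvr"))     # contractor stays out
    print("single-DC workaround:       ", run_single_dc())
```

In "whole" mode both DCs converge on a list that still contains the contractor, exactly the silent re-grant the article warns about, and nothing in the directory records that the removal ever happened; that is why auditing group membership against an expected state, rather than trusting the change you made, is the detective control that goes with the single-DC workaround.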
If you are in the process of implementing AD, here is a good little
nugget. MS just released the free NT 4.0 Active Directory Client [1.48M]
A new Active Directory client has been released for Windows NT 4.0
(SP 6a required) systems, allowing "legacy" systems to play nice with
W2K AD environments. It should be noted that several AD features are
still not available to either Windows 9x or NT 4.0 clients. Check out:
And while you are at it, here is another white paper. This time
from MS on how they did their in-house AD roll-out. Good "how to"