Not W2K2, but Windows.NET Server
To underscore the importance of XML Web services to Microsoft's
strategy, Gates announced this week at TechEd that the next version
of Windows Server, formerly code-named "Whistler" (and for a short
while rumored to be Windows 2002), will include the .NET Framework
and be called Windows.NET Server. So, W2K Pro is called WXP, and W2K
Server, Advanced Server and Datacenter Server will carry Windows.NET
instead of W2K. And guess who now owns WNETNEWS.COM. Right!
Gates also announced a variety of developer tools, including a toolkit
for mobile applications, a developer edition of the Universal
Description, Discovery and Integration (UDDI) XML Web services
registry, and a set of peer-to-peer samples using the .NET Framework.
He also introduced many customers that are already running their
businesses on XML Web services using Microsoft .NET technologies.
Microsoft: "This Is A Serious Hole"
A rather glaring hole in a component of MS's Internet Information
Services (IIS) software could let hackers take full control of boxes
that run IIS: one fifth of the Internet. MS sent out a red alert with
the strong recommendation to fix this ASAP, as this hole affects all
versions of IIS running on NT, W2K and the WXP beta.
The company that found this flaw is eEye Digital Security, the
developers of the new product SecureIIS that Sunbelt Software just
announced last weekend. The vulnerability lies within the code that
allows a Web server to interact with Microsoft Indexing Service
functionality. The vulnerable Indexing Service ISAPI filter is
installed by default on all versions of IIS. The problem is that the
.ida (Indexing Service) ISAPI filter does not perform proper "bounds
checking" on user-supplied buffers and is therefore susceptible to
buffer overflow attacks.
Attackers that leverage the vulnerability can, from a remote location,
gain full SYSTEM access to any server that is running a default
installation of Windows NT 4.0, Windows 2000, or Windows XP and
using Microsoft's IIS Web Server software. With system-level access,
an attacker can perform any desired action, including installing and
running programs, manipulating Web server databases, adding, changing
or deleting files and Web pages, and more.
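Since the flaw sits in a default-installed ISAPI filter that trusts the length of user-supplied input, a defender's first question is whether anything is even hitting the .ida/.idq mapping on a given server. The following is an added example, not code from the newsletter or from eEye: it scans IIS W3C extended log lines (a constructed sample is embedded) for requests to the Indexing Service extensions and raises the severity when the query string is far longer than any legitimate Indexing Service query; the 200-byte threshold is an assumption for illustration.

```python
"""Flag requests to the IIS Indexing Service ISAPI filter (.ida/.idq) in
W3C extended log lines, and mark the ones carrying oversized input."""
from dataclasses import dataclass

# Threshold is an assumption for this example, not a value from the advisory.
MAX_QUERY_LEN = 200
INDEXING_EXTENSIONS = (".ida", ".idq")

# Constructed sample log in IIS W3C extended format:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-06-19 10:01:02 10.0.0.5 GET /default.htm - 200
2001-06-19 10:01:07 10.0.0.9 GET /products.asp id=42 200
2001-06-19 10:02:15 10.0.0.23 GET /default.ida QUERY 200
2001-06-19 10:02:40 10.0.0.9 GET /search.idq CiRestriction=printers 200
""".replace("QUERY", "X" * 300)   # oversized filler stands in for hostile data

@dataclass
class Finding:
    client: str
    uri: str
    query_len: int
    severity: str   # "high" for oversized input, "info" for any .ida/.idq hit

def parse_line(line):
    """Split one W3C log line into the fields we need; None for comments/short lines."""
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < 7:
        return None
    return {"ip": parts[2], "stem": parts[4], "query": parts[5]}

def scan_log(text, max_query_len=MAX_QUERY_LEN):
    """Return one Finding per request that reaches the Indexing Service ISAPI filter."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["stem"].lower().endswith(INDEXING_EXTENSIONS):
            continue
        qlen = 0 if rec["query"] == "-" else len(rec["query"])
        severity = "high" if qlen > max_query_len else "info"
        findings.append(Finding(rec["ip"], rec["stem"], qlen, severity))
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.severity:5} {f.client:10} {f.uri} query_len={f.query_len}")
```

Any "info" hit on a server that does not actually use Indexing Service is itself worth acting on: the mapping is reachable, and the patch the advisory calls for is the real fix, not log review.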
eEye stressed the extreme seriousness of this vulnerability. Network
administrators are urged to immediately install the patch released by
According to Netcraft (www.netcraft.com), there are roughly 5.9 million
Web servers running IIS. Because the vulnerability is within a default
IIS component, it is safe to say that at the very least 50% of these
servers have the .ida extension running, making this one of, if not the
single largest vulnerability in IIS to date.
As stated earlier, all versions of Microsoft's IIS Web server software
are vulnerable to this flaw. This includes Windows XP, Microsoft's
next-generation operating system. Microsoft is taking the necessary
steps to patch Windows XP before the final version ships to customers.
eEye alerted Microsoft's security team immediately upon discovery of the
vulnerability and has worked closely with Microsoft on the development
of a patch and the expeditious alerting of administrators worldwide.
An exploit program was developed by eEye that can be run against any
vulnerable IIS Web server and in a matter of minutes produce a remote
command prompt to which an attacker could connect and execute commands
with system-level access. eEye has shared the exploit with Microsoft.
"This vulnerability is further proof of the need for network and
application based security," said Marc Maiffret, Chief Hacking Officer
at eEye Digital Security. "While firewalls and Intrusion Detection
Systems are necessary, they are not enough to ensure the total security
of a network." eEye has recently released a new product (Sunbelt Software
carries it), SecureIIS, that acts as an "application firewall" for IIS.
SecureIIS protects servers running IIS from known and unknown hacker
attacks. By working within IIS, SecureIIS monitors all incoming and
outgoing traffic, looking for classes of attacks and securing against
them. "Clients that had SecureIIS installed on their servers were
already protected from this latest vulnerability before the advisory
was released," said Maiffret. In short, you can protect your Web servers
against future, unknown holes if you have SecureIIS installed. Eval at:
NSA W2K Security Site Swamped. Here is a Mirror Site
When the NSA made their security guides for W2K public, they did not
count on W2Knews promoting them far and wide. Your visits basically
swamped their site, and they had to close it down to beef up their
pipes. Luckily, someone found a mirror site where these free guides
are still available. Now it's just a matter of hoping that they have
more bandwidth than the NSA's server. Kind of a black eye for the
nation's largest spook agency, which is supposedly monitoring gigabytes
of packets per second on a constant basis [grin]. Anyway, here is
the mirror site:
Made It To W2K-MCSE? But No New Cert? Seems that's normal
I was sent a very disappointed email by someone called David who
studied hard and passed all his W2K exams. He then asked for a new cert
to indicate his new status. That was nixed. This is what he received:
"This is in response to your request for a MCSE 2000 Welcome Kit.
There is no distinction on any MCSE Certificate as to which track
the MCSE was obtained. It indicates "Microsoft Certified Professional-
System Engineer" only. Your transcript will not reflect your MCSE
update to, or a new certification for, the Windows 2000 track.
"The MCSE certification date will remain the same and there will not
be any other designation that there has been an update to the Windows
2000 track other than the listing of the exams that you passed to
achieve the update. Also, there will not be a logo change nor will
a special certificate or designation be awarded to those who update
their NT 4.0 MCSE track to the Windows 2000 track.
"The MCSE certification speaks to the fact that the individual has the
necessary skills and knowledge to meet Microsoft's requirements and
advertise themselves as an MCSE. The MCSE certification has never
indicated nor has been intended to portray that an individual is
certified for a specific product type. An individual can draw out
particular areas of specialization via their transcript. With the
requirements for this certification changing quite rapidly, Microsoft
would have to go back and re-brand every MCSE's credential every time
the requirements change. By the end of 2001, there will only be one
product that an individual can certify themselves in as an MCSE,
Windows 2000. With this being the case, this is another reason why we
don't make the certification specific to a product.
"Also, remember that you can use your online ID and password to log
onto the secure site at https://partnering.one.microsoft.com/mcp to
update your profile information, view and print your transcript, and
receive exclusive offers."
All well and good, but this is a letdown and is demotivating. Someone
who made the grade for W2K should get a new cert. Not too much
to ask, and an acknowledgement of hard work well done.