Sunbelt W2Knews™ Electronic Newsletter
The secret of those "who always seem to know" - Over 500,000 Readers!
Thu, Jun 21, 2001 (Vol. 6, #45 - Issue #280)
This Is A Serious Hole
  This issue of W2Knews™ contains:
    • Let's Get To Work!
    • What's New At TechEd
    • Not W2K2, but Windows.NET Server
    • Microsoft: "This Is A Serious Hole"
    • NSA W2K Security Site Swamped. Here is a Mirror Site
    • Made It To W2K-MCSE? But No New Cert? Seems that's normal
    • New Sunbelt Office In The Netherlands
    • What Are The Most Popular Security Courses?
  5. W2Knews 'FAVE' LINKS
    • This Week's Links We Like. Tips, Hints And Fun Stuff
    • CISCO Certification Preparation: Internetwork Design
SecureIIS protects Microsoft IIS Web servers from known and unknown
attacks. It wraps around IIS and works within it, verifying and
analyzing incoming and outgoing Web server data for any possible
security breaches. SecureIIS combines the best features of Intrusion
Detection Systems and Conventional Network Firewalls all into one,
with very low overhead. Download your eval copy over here:
Visit SecureIIS for more information.

Let's Get To Work!

Hi All,

This is a short intro, there is a lot of news to read. TechEd is going on, so we have some short takes from the show. And the new name of W2K is now officially revealed. Check the item in NT/2000 Related News. See you Monday!

Warm regards,

Stu Sjouwerman (email me with feedback: [email protected])

  SPONSOR: StorageCeNTral
And save hundreds of hours in file cleanup. Maximizing uptime is a top
priority. But servers crammed with obsolete and non-business related
files can jeopardize uptime, drag down backups and slow down real-time
access to what's really important. Adding more disk space only compounds
the problem - soon you'll have twice as many junk files. That's why
Microsoft and 80 of the Fortune 100 insist on StorageCeNTral. Download
your free 30 day evaluation copy, and you'll be surprised at what
StorageCeNTral finds wasting space on your servers.
Visit StorageCeNTral for more information.

What's New At TechEd

TechEd is currently held in Atlanta. Lots of people, lots of noise, lots of companies presenting their new tools and/or versions. I just took a quick look and here are some short takes I thought would be interesting from a "tools" perspective:

  • Industry Expert Curt Aubley has a new book out in the Microsoft Technology Series of Prentice Hall. The title is "Tuning and Sizing W2K for Maximum Performance". He writes about his tests with a tool called SuperSpeed and likes it a lot: "Performance improvements provided by the SuperSpeed 2000 RAM disk are dramatic. Even more important than the specific throughput values are the relative performance difference between using the RAM disk and a traditional disk array. For the sequential read-intensive environment, the SuperSpeed 2000 RAM disk provides twice the performance of a 6-disk RAID 5 array, an eightfold improvement in the random read environment, and over seven times the performance in a write-intensive environment." (pages 389-90). Here is a link to the book:
    And if you want to try this on your own machine, here is an eval:
  • BindView released Version 4.1 of their bv-Admin for Exchange, bv-Admin for W2K, and bv-Admin for Migration. Together, they are called their Managed Migration Initiative, designed to enable you to effectively manage NT/W2K, Exchange and migrate successfully.
  • MS announced that SQL Server surpassed $1 Billion in revenue during fiscal year 2001, has licensed over a million copies and claims it trounced competitors to achieve the #1 spot as fastest growing database platform. I'm pretty sure that Oracle does not agree with that assertion though. They just dropped the prices of their latest version 9i, and changed their pricing to a 'per-cpu' model just like MS. Moreover, IBM just purchased Informix, so let the battle continue! [grin]
  • MS also announced the new .NET Mobile Information 2001 Server. This puppy extends Exchange Server and your intranet to mobile users. OK, call me cynical, tell me I'm raining on Microsoft's parade but the bandwidth is just not there yet to manage your servers from a mobile phone. Maybe when the next generation wireless is finally deployed.
  • Veritas Backup Exec's new version 8.6 adds a sophisticated backup and recovery function for new online database apps, as well as tools that improve the performance and management capabilities of backups.
  • NetIQ came out with their new version 6.3 of NetIQ Directory and Resource Administrator, and NetIQ Exchange Administrator. Both tools simplify significantly the amount of time, effort and resources that you require to manage and secure NT, W2K, AD and Exchange.

Not W2K2, but Windows.NET Server

To underscore the importance of XML Web services to Microsoft's strategy, Gates announced this week at TechEd that the next version of Windows Server, formerly code-named "Whistler" (and for a short while rumored to be Windows 2002), will include the .NET Framework and be called Windows.NET Server. So, W2K Pro is called WXP, and W2K Server, Advanced Server and Datacenter Server will have Windows.NET instead of W2K. And guess who now owns: WNETNEWS.COM. Right!

Gates also announced a variety of developer tools including a toolkit for mobile applications; a developer edition of the Universal Description, Discovery and Integration (UDDI) XML Web services registry; and a set of peer-to-peer samples using the .NET Framework; he also introduced many customers that are already running their businesses on XML Web services using Microsoft .NET technologies.

Microsoft: "This Is A Serious Hole"

A rather glaring hole in a component of MS's Internet Information Services (IIS) software could let hackers take full control of boxes that run IIS: one fifth of the Internet. MS sent out a red alert with the strong recommendation to fix this ASAP, as this hole affects all versions of IIS running on NT, W2K and the WXP beta.

The company that found this flaw is eEye Digital Security, the developers of the new product SecureIIS that Sunbelt Software just announced last weekend. The vulnerability lies within the code that allows a Web server to interact with Microsoft Indexing Service functionality. The vulnerable Indexing Service ISAPI filter is installed by default on all versions of IIS. The problem is that the .ida (Indexing Service) ISAPI filter does not perform proper "bounds checking" on user-supplied input buffers and is therefore susceptible to buffer overflow attacks.

Attackers that leverage the vulnerability can, from a remote location, gain full SYSTEM access to any server that is running a default installation of Windows NT 4.0, Windows 2000, or Windows XP and using Microsoft's IIS Web Server software. With system-level access, an attacker can perform any desired action, including installing and running programs, manipulating Web server databases, adding, changing or deleting files and Web pages, and more.
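A defender-side check for the flaw described above, as an added example that is not part of the original newsletter or of eEye's or Microsoft's code: it scans IIS W3C extended log lines for requests to the `.ida` mapping whose query string is unusually long, the kind of oversized input an unchecked buffer cannot safely hold. The log lines, addresses, function name and the 200-character threshold are constructed assumptions.

```python
# Assumption: any .ida query string longer than this is worth reviewing.
MAX_QUERY_LEN = 200

LONG_QUERY = "x=" + "A" * 400  # constructed oversized input, 402 characters

# Constructed sample in IIS W3C extended format (documentation addresses).
SAMPLE_LOG = f"""\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-06-21 10:02:11 192.0.2.10 GET /default.htm - 200
2001-06-21 10:02:15 192.0.2.44 GET /search/query.ida q=backup 200
2001-06-21 10:03:40 198.51.100.7 GET /default.ida {LONG_QUERY} 500
2001-06-21 10:04:02 203.0.113.9 GET /DEFAULT.IDA {LONG_QUERY} 200
2001-06-21 10:05:30 192.0.2.10 GET /default.htm {LONG_QUERY} 200
2001-06-21 10:05:31 truncated-record
""".splitlines()


def find_oversized_ida_requests(lines, max_query_len=MAX_QUERY_LEN,
                                extensions=(".ida",)):
    """Return log records that hit an Indexing Service mapping with a long query."""
    fields, hits = [], []
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column layout may change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue                    # malformed or truncated record
        rec = dict(zip(fields, values))
        stem = rec.get("cs-uri-stem", "").lower()  # IIS paths are case-insensitive
        query = rec.get("cs-uri-query", "-")
        query_len = 0 if query == "-" else len(query)  # "-" means no query string
        if stem.endswith(tuple(extensions)) and query_len > max_query_len:
            hits.append({"time": f"{rec.get('date')} {rec.get('time')}",
                         "client": rec.get("c-ip"),
                         "uri": rec.get("cs-uri-stem"),
                         "query_len": query_len})
    return hits


if __name__ == "__main__":
    for hit in find_oversized_ida_requests(SAMPLE_LOG):
        print(hit)
```

A hit is only a lead for review; the fix remains the vendor patch the article refers to.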

eEye stressed the extreme seriousness of this vulnerability. Network administrators are urged to immediately install the patch released by Microsoft at

According to Netcraft (www.netcraft.com), there are roughly 5.9 Million Web servers running IIS. Because the vulnerability is within a default IIS component, it is safe to say that, at the very least, 50% of these servers have the .ida extension running, making this one of, if not the single largest vulnerability in IIS to date.

As stated earlier, all versions of Microsoft's IIS Web server software are vulnerable to this flaw. This includes Windows XP, Microsoft's next-generation Operating System. Microsoft is taking the necessary steps to patch Windows XP before the final version ships to customers.

eEye alerted Microsoft's security team immediately upon discovery of the vulnerability and has worked closely with Microsoft on the development of a patch and the expeditious alerting of administrators worldwide. An exploit program was developed by eEye that can be run against any vulnerable IIS Web server and in a matter of minutes produce a remote command prompt to which an attacker could connect and execute commands with system-level access. eEye has shared the exploit with Microsoft.

"This vulnerability is further proof of the need for network and application based security," said Marc Maiffret, Chief Hacking Officer at eEye Digital Security. "While firewalls and Intrusion Detection Systems are necessary, they are not enough to ensure the total security of a network." eEye has recently released a new product (Sunbelt Software carries it), SecureIIS, that acts as an "application firewall" for IIS.

SecureIIS protects servers running IIS from known and unknown hacker attacks. By working within IIS, SecureIIS monitors all incoming and outgoing traffic looking for classes of attacks and securing against them. "Clients that had SecureIIS installed on their servers were already protected from this latest vulnerability before the advisory was released," said Maiffret. In short, you can protect your webservers against future, unknown holes if you have SecureIIS installed. Eval at:

NSA W2K Security Site Swamped. Here is a Mirror Site

When the NSA made their security guides for W2K public, they did not count on W2Knews promoting that far and wide. Your reaches basically swamped their site, and they had to close it down to beef up their pipes. Luckily enough someone found a mirror site, where these free guides are still available. Now it's just hoping that they have more bandwidth than the NSA's server. Kind of a black eye for the nation's largest spook agency that supposedly is monitoring gigabytes of packets per second on a constant basis [grin]. Anyway, here is the mirror site:

Made It To W2K-MCSE? But No New Cert? Seems that's normal

I was sent a very disappointed email by someone called David who studied hard and passed all his W2K exams. Then asked for a new cert to indicate his new status. That was nixed. This is what he received:

"Hello David,

"This is in response to your request for a MCSE 2000 Welcome Kit. There is no distinction on any MCSE Certificate as to which track the MCSE was obtained. It indicates "Microsoft Certified Professional- System Engineer" only. Your transcript will not reflect your MCSE update to, or a new certification for, the Windows 2000 track.

"The MCSE certification date will remain the same and there will not be any other designation that there has been an update to the Windows 2000 track other than the listing of the exams that you passed to achieve the update. Also, there will not be a logo change nor will a special certificate or designation be awarded to those who update their NT 4.0 MCSE track to the Windows 2000 track.

"The MCSE certification speaks to the fact that the individual has the necessary skills and knowledge to meet Microsoft's requirements and advertise themselves as an MCSE. The MCSE certification has never indicated nor has been intended to portray that an individual is certified for a specific product type. An individual can draw out particular areas of specialization via their transcript. With the requirements for this certification changing quite rapidly, Microsoft would have to go back and re-brand every MCSE's credential every time the requirements change. By the end of 2001, there will only be one product that an individual can certify themselves in as an MCSE, Windows 2000. With this being the case, this is another reason why we don't make the certification specific to a product.

"Also, remember that you can use your online ID and password to log onto the secure site at https://partnering.one.microsoft.com/mcp to update your profile information, view and print your transcript, and receive exclusive offers."

All good and well, but this is a letdown and is demotivating. Someone that made the grade for W2K should get a new Cert. Not too much to ask, and an acknowledgement for hard work well done.


New Sunbelt Office In The Netherlands

As part of our European expansion plans Sunbelt will open our new office in the Netherlands next week. Your contact for the Netherlands is Mr. Peter Adriaanse and the contact details are as below.


Tel: +31 (0)320 218995
Fax: +31 (0)320 218905
email [email protected]

This will be followed by the opening of our new Swedish office in July.

What Are The Most Popular Security Courses?

Last month, the three most popular Hacker Exploits courses were run head-to-head at SANS2001. The highest rated was Eric Cole and Ed Skoudis' course "Computer and Network Hacker Exploits." It was also the only one of the three courses that taught students how to block the attacks as well as how to run them.

You may attend Eric and Ed's course in Boston or Washington in July. If you take the entire five-day track, which combines the hacker exploits courses with advance incident handling, you'll have finished the course work for one of the GIAC Level 2 security certifications.


This Week's Links We Like. Tips, Hints And Fun Stuff

  • GPS: Gotta Pay for Speeding. Rental Trucks with GPS - betta watch it!
  • MS is bashing Open Software, but uses parts of it inside Windows :-(
  • Got Bandwidth? These new short films from BMW are the BEST EVER. LOL!

    CISCO Certification Preparation: Internetwork Design

    CCDP Certification Preparation. Presents the fundamental, technical, and design issues associated with campus LANs; TCP/IP networks; IPX, AppleTalk, and Windows-based networks; WANs; and SNA networks. You will be able to identify internetwork requirements, determine appropriate infrastructure and routing issues within an internetwork, and construct a viable plan to deploy or upgrade to a more effective network topology. Filled with invaluable foundation information on various internetworking technologies and supported with useful design examples. Self-assessment through chapter-ending questions starts the student down the path for attaining CCDP certification. Cisco-recommended training for CCDP Exam #640-025.