Sunbelt W2Knews™ Electronic Newsletter
The secret of those "who always seem to know" - Over 500,000 Readers!
Mon, Aug 13, 2001 (Vol. 6, #61 - Issue #296)
Manage Hotfixes By Policy
  This issue of W2Knews™ contains:
    • WXP in our future
    • Nasty New PDF Virus?
    • Cleaning Up After A Code Red II Compromise
    • Microsoft Defends WPA: "No Privacy Infringement"
    • Manage Hotfixes By Policy
    • HIPAA Related Sites For More Info
  W2Knews 'FAVE' LINKS
    • This Week's Links We Like. Tips, Hints And Fun Stuff
    • Server+ Certification Bible
FREE MIGRATION EBOOK: Don't miss Chapter 4, "Implementing a Windows 2000 Migration," of the free migration eBook brought to you by NetIQ and Realtimepublishers.com. Learn which tools you'll need to build your Windows 2000 infrastructure, including moving user and computer accounts and groups to Active Directory. Register now to read the complete eBook on migrating to Windows 2000 and Exchange 2000. Visit NetIQ for more information.

WXP in our future

Well, I just got word from two independent sources that WXP will be released to manufacturing August 15th. My nickname for it is NT V5.1. It's the NT kernel that has now made it into the consumer space with a whole slew of add-ons, new goodies and other ways for MS to get to a subscription model instead of just selling a box. You have to be prepared that this is going to happen in the future. It's like paying for the phone or water, but now it's "MS-tone". Better start preparing your budgets for that event. The other two possibilities are to refuse to upgrade and freeze your environment at the level it is now, or to vote with your feet and move to another platform. You heard it here first, folks. [grin]

UNDO DEPT: Intel's new CPUs are of course 1.8 GHz, not MHz. [blush]

Warm regards,

Stu Sjouwerman
(email me with feedback: [email protected])

  SPONSOR: Event Log Monitor
With Event Log Monitor, you can. ELM monitors Windows servers in real-time, alerting you to security breaches, health problems, and critical events, but also network device problems that affect reliability and availability. Need to monitor services and automatically restart them when they go down? Whether you have one server or a hundred, a LAN or a WAN, ELM will provide you maximum visibility and uptime with minimal impact. For a 30-day eval, click: Visit Event Log Monitor for more information.

Nasty New PDF Virus?

A new virus category was just made public. This flavor uses the Adobe PDF format which up to now was regarded as safe. It's using the combination of Outlook and the full version of Adobe Acrobat (not just the Reader). The worm hides VB code in the PDF file and propagates via the Outlook address list. In the proof of concept that was shown, the file will appear to be a game. The game contains an image of a peach (the fruit - a peach) hidden in a screenshot full of "peaches" of another kind. When you click on the peach, the virus is run and the VB code kicks in.

I'm telling you about this one at an early stage, before it has been spotted in the wild, but if there are any people running the full Adobe product (you use this to create PDFs) you need to watch Adobe for a hotfix for your Acrobat application. For more info on this particular virus, check out this ITWorld article:

Cleaning Up After A Code Red II Compromise

The question has been asked quite a few times: "How do I purge that @#$!* Code Red II worm once it has penetrated my box?". This is quite important, as Code Red III is out in the wild in Korea and leaves an even wider backdoor open.

The second version of Code Red installs a trojan (backdoor) on your system that any attacker can get into. Taken to its extreme, this means that while that backdoor was open, anyone could have had access to your machine and messed with it. That means fairly drastic action is needed.

Since W2K installs IIS by default, many people running W2K had no clue that IIS was on their systems and already infected. The problem is that you can get rid of the worm relatively easily, but any malicious changes made on the box by attackers using the backdoor are incredibly difficult to find. The solution for really critical environments: reformat and reinstall. Ouch.

If that is not possible, one way to try to get rid of them is to install virus software on that box, update the signature file and let it detect any and all backdoors it can find. Or go to the SecureIIS page and download the LATEST version of the free CodeRedScanner, which now includes the capability to find the trojan on your sick machine.


If you want to see whether any backdoor code is on your server, here is a tool called VISION that shows exactly which code is using which ports on your box. It's downloadable as an eval, and if you want to purchase it, it's available online for just 99 bucks.

Microsoft Defends WPA: "No Privacy Infringement"

Last Monday MS reiterated the following statement several times over: "Activation is completely anonymous and requires no personally identifiable information from the end user". The problem is that a lot of people have a healthy dose of paranoia and simply do not believe what MS is saying. But MS insists, repeating that it is a "one-way mathematical algorithm to create the hardware hash used by Product Activation to create the Installation ID." (one-way meaning it's done on your own system)

Redmond came out with a detailed explanation of how product activation works in WinXP, Office XP and Visio 2002. And of course you can bet your boots that these are only the first; many other MS tools are to follow.

Product Activation was controversial even before it really arrived, for two very different reasons. One is the headache of potentially having to re-register with MS after hardware changes; the other is the possible invasion of privacy alleged by anti-Microsoft forces. For us techies it is clear that the privacy-violation charges are bogus. The thing is done based on hardware IDs only. See our issue #286.

If you call MS over the phone to get your key, they do not even ask for your name; all you have to provide is the product key. If you are online at the moment you need to re-activate, it can be done via the Internet as well. You do not have to give MS details about the hardware you are using.

Many people confuse product activation with product registration. Two very different animals indeed. Registration is voluntary and you provide all your end user info willingly to the vendor. There is an FAQ on the MS website about WPA and how you can get around it by licensing your stuff from MS via the new programs:

Manage Hotfixes By Policy

The new version 5.1 of UpdateEXPERT adds a tremendous amount of value for overworked and underpaid system and security administrators. Just ask yourself if any of these statements apply to you:

"Microsoft just released the latest security hotfixes for IIS and W2K but unfortunately...

  • I don't have time to write scripts and test them.
  • I need to know if the hotfix installations I deployed last month are still valid.
  • Since Microsoft's updates are not regular, I am forced to reprioritize my day, as well as figure out which ones apply to my machines.
  • I need to define which hotfixes are required and detect which machines conform to my policies."

UpdateEXPERT solves these and many more problems. Here are the new features in Version 5.1. UpdateEXPERT now supports Windows XP and the following Microsoft apps:
  • IIS
  • SQL Server
  • Exchange Server
  • Internet Explorer
  • Media Player
  • Windows Media Services
  • NetMeeting
  • Office (Summer 2001)
  • Outlook (Summer 2001)
In addition to installing the updates, UpdateEXPERT will verify that each update is correctly installed. This validation can be performed at any time and as part of the deployment process. You can designate updates as required. This enables you to manage hotfixes by policy, something that is regarded as the holy grail but just wasn't available up to now.

You simply define which updates are required with a click of the mouse. The set of required updates is your policy. Policies are used for many configuration parameters; security and staging are just a couple of policy factors.

You can run reports to verify your policy adherence. This report makes it easy to see how your inventory matches up against the updates that are required. Policy management is enforced by defining the policy (the required updates) and managing by exception those machines that are incomplete. Note on the eval you can download: this version of UpdateEXPERT will allow you to evaluate 5 machines for 15 days.
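The define-required, verify, manage-by-exception model described above, as an added Python illustration (this is not UpdateEXPERT code; the product names, hotfix ids and machine names are constructed for the demonstration):

```python
from dataclasses import dataclass, field


@dataclass
class Machine:
    """One inventoried box: what products it runs and which hotfixes it reports."""
    name: str
    products: set                                # e.g. {"W2K", "IIS"}
    installed: set                               # hotfix ids reported as installed
    invalid: set = field(default_factory=set)    # installed, but failed validation


# The policy: required hotfixes per product (ids are constructed, not real Q-numbers).
POLICY = {
    "W2K": {"HF-W2K-1", "HF-W2K-2"},
    "IIS": {"HF-IIS-1"},
    "SQL": {"HF-SQL-1"},
}


def required_for(policy, machine):
    """Only hotfixes for products actually present on the box apply to it."""
    return set().union(*(policy.get(p, set()) for p in machine.products))


def check_machine(policy, machine):
    """Exceptions for one machine: required-but-missing and installed-but-invalid.
    An empty list means the machine conforms to policy."""
    req = required_for(policy, machine)
    missing = sorted(req - machine.installed)
    invalid = sorted(req & machine.installed & machine.invalid)
    return [("missing", h) for h in missing] + [("invalid", h) for h in invalid]


def compliance_report(policy, machines):
    """Full adherence report: machine name -> list of exceptions."""
    return {m.name: check_machine(policy, m) for m in machines}


def exceptions(report):
    """Manage by exception: keep only the machines that are incomplete."""
    return {name: issues for name, issues in report.items() if issues}


# Constructed inventory for the demonstration.
MACHINES = [
    Machine("web01", {"W2K", "IIS"}, {"HF-W2K-1", "HF-W2K-2", "HF-IIS-1"}),
    Machine("web02", {"W2K", "IIS"}, {"HF-W2K-1", "HF-IIS-1"}),         # never got HF-W2K-2
    Machine("db01", {"W2K", "SQL"}, {"HF-W2K-1", "HF-W2K-2", "HF-SQL-1"},
            invalid={"HF-SQL-1"}),                                     # deployed, later broken
    Machine("file01", {"W2K"}, {"HF-W2K-1", "HF-W2K-2"}),              # IIS hotfix not required here
]

if __name__ == "__main__":
    for name, issues in exceptions(compliance_report(POLICY, MACHINES)).items():
        print(name, ", ".join(f"{kind}: {hf}" for kind, hf in issues))
```

Running it lists only web02 (missing HF-W2K-2) and db01 (HF-SQL-1 failed validation); file01 is compliant because the IIS hotfix does not apply to a box without IIS.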

HIPAA Related Sites For More Info

I got a bunch of people asking me questions about HIPAA and where they could get more information. This is USA-related data but if you are somewhere in the rest of the world, the writing is on the wall. It's going to take a bit longer perhaps, but your government will very likely move in this same direction. It has a direct impact on how you have to organize your networks, servers, security and policy.

And here is a recent ComputerWorld article describing health groups that push for quick HIPAA changes. About 80 health care groups this week called on U.S. Department of Health and Human Services Secretary Tommy Thompson to approve quick changes to HIPAA's final privacy rules.

This Week's Links We Like. Tips, Hints And Fun Stuff

  • New South Carolina Law requires IT workers to fight child porn. Gulp
  • Totally useless kung-fu animation, but technically extremely kewl
  • A toy called DraganFlyer. You will hear more about it. (I got one)

Server+ Certification Bible

If you are planning to take the CompTIA Server+ exam, this might be the book you need. It's a very comprehensive and effective guide to train for that certification. The writer, Trevor Kay, is clearly a techie who knows his stuff. There are a few technical and grammatical errors in the book that should have been edited out, though. However, if you are in the bizz of maintaining and upgrading servers in the field, this book is recommended despite its shortcomings. You can check it out at Amazon: