Sunbelt W2Knews Electronic Newsletter
The secret of those "who always seem to know" - Over 500,000 Readers!
Mon, Aug 13, 2001 (Vol. 6, #61 - Issue #296)
Manage Hotfixes By Policy
This issue of W2Knews contains:
- EDITORS CORNER
- TECH BRIEFING
- Nasty New PDF Virus?
- Cleaning Up After A Code Red II Compromise
- NT/2000 RELATED NEWS
- Microsoft Defends WPA: "No Privacy Infringement"
- NT/2000 THIRD PARTY NEWS
- Manage Hotfixes By Policy
- HIPAA Related Sites For More Info
- W2Knews 'FAVE' LINKS
- This Week's Links We Like. Tips, Hints And Fun Stuff
- PRODUCT OF THE WEEK
- Server+ Certification Bible
FREE MIGRATION EBOOK: Don't miss Chapter 4, "Implementing a Windows
2000 Migration," of the free migration eBook brought to you by NetIQ
and Realtimepublishers.com. Learn which tools you'll need to build
your Windows 2000 infrastructure, including moving user and computer
accounts and groups to Active Directory. Register now to read the
complete eBook on migrating to Windows 2000 and Exchange 2000 at
Visit NetIQ for more information.
WXP in our future
Well, I just got word from two independent sources that WXP will
be released to manufacturing August 15th. My nickname for it is
NT V5.1. It's the NT-kernel that now has made it into the consumer
space with a whole slew of add-ons, new goodies and other ways for
MS to get to a subscription-model instead of just selling a box.
You have to prepare for the fact that this is going to happen in the future.
It's like paying for the phone or water but now it's "MS-tone".
Better start preparing your budgets for that event. The other two
possibilities are refuse to upgrade and freeze your environment
at the level it is now, or vote with your feet and move to another
platform. You heard it here first folks. [grin]
UNDO DEPT: Intel's new CPUs are of course 1.8 GHz, not MHz. [blush]
(email me with feedback: [email protected])
SPONSOR: Event Log Monitor
GET NOTIFIED OF SERVER PROBLEMS AS SOON AS THEY ARISE
With Event Log Monitor, you can. ELM monitors Windows servers in real-
time, alerting you to security breaches, health problems, and critical
events but also network device problems that affect reliability and
availability. Need to monitor services and automatically restart them
when they go down? Whether you have one server or a hundred, a LAN or
a WAN, ELM will provide you maximum visibility and uptime with minimal
impact. For a 30-day eval, click:
Visit Event Log Monitor for more information.
Nasty New PDF Virus?
A new virus category was just made public. This flavor uses the Adobe
PDF format which up to now was regarded as safe. It's using the
combination of Outlook and the full version of Adobe Acrobat (not
just the Reader). The worm hides VB code in the PDF file and propagates
via the Outlook address list. In the proof of concept that was shown,
the file will appear to be a game. The game contains an image of a
peach (the fruit - a peach) hidden in a screenshot full of "peaches"
of another kind. When you click on the peach, the virus is run and
the VB code kicks in.
I'm telling you about this one at an early stage, before it has been
spotted in the wild, but if there are any people running the full
Adobe product (you use this to create PDFs) you need to watch
Adobe for a hotfix for your Acrobat application. For more info on
this particular virus, check out this ITWorld article:
Cleaning Up After A Code Red II Compromise
The question has been asked quite a few times: "How do I purge
that @#$!* Code Red II worm once it has penetrated my box?". This
is quite important, as Code Red III is out in the wild in Korea
and leaves an even wider backdoor open.
The second version of Code Red installs a trojan (backdoor) on
your system that any attacker can get into. If you take this to
its extreme, it means that while that backdoor was open, anyone
could have had access to your machine and messed with it.
That amounts to the need for fairly drastic action.
Since W2K installs IIS by default, many people running W2K had
no clue that IIS was on their systems and was already infected.
The problem is that you can get rid of the worm relatively easily,
but any malicious changes on the box made by attackers using
the backdoor are incredibly difficult to find. Solution for really
critical environments: reformat and reinstall. Ouch.
If that is not possible, a possible way to try to get rid of them
is to install virus software on that box, update the signature
file and try to detect any/all backdoors that it can find.
Or, go to the SecureIIS page and download the LATEST version of
the free CodeRedScanner, which now includes the capability to find
the trojan on your sick machine.
If you want to see if any backdoor code is on your server, here
is a tool called VISION that shows exactly what code is using
which ports on your box. It's downloadable as an eval, and if
you want to purchase, it's available online for just 99 bucks.
NT/2000 RELATED NEWS
Microsoft Defends WPA: "No Privacy Infringement"
Last Monday MS reiterated the following statement several times
over: "Activation is completely anonymous and requires no personally
identifiable information from the end user". The problem is that a
lot of people have a healthy dose of paranoia and simply do not
believe what MS is saying. But MS insists by repeating it is a
"one-way mathematical algorithm to create the hardware hash used
by Product Activation to create the Installation ID." (one-way
meaning it's done on your own system)
Redmond came out with a detailed explanation of how product activation
works in WinXP, Office XP and Visio 2002. And of course you can
bet your boots that these are the first, but many other MS-tools
are to follow.
Product Activation was controversial even before it really arrived
because of two very different reasons. One is the headache of having
to potentially re-register with MS after hardware changes, the other
because of a possible invasion of privacy that was alleged by
anti-Microsoft forces. For us techies it is clear that the
privacy-violation charges are bogus. The thing is done based on hardware
IDs only. See our issue #286.
If you call MS over the phone to get your key, they do not even ask
for your name, all you have to provide is the product key. If you
are online at the moment you need to re-activate it can be done via
the Internet as well. You do not have to give MS details about the
hardware you are using.
Many people confuse product activation with product registration.
Two very different animals indeed. Registration is voluntary and
you provide all your end user info willingly to the vendor. There
is an FAQ on the MS website about WPA and how you can get around it
by licensing your stuff from MS via the new programs:
THIRD PARTY NEWS
Manage Hotfixes By Policy
The new version 5.1 of UpdateExpert adds a tremendous amount of value
to overworked and underpaid system- and security administrators. Just
ask yourself if any of these statements apply to you:
"Microsoft just released the latest security hotfixes for IIS and W2K.
- I don't have time to write scripts and test them.
- I need to know if the hotfix installations I deployed last month
are still valid.
- Since Microsoft's updates are not regular, I am forced to reprioritize
my day, as well as figure out which ones apply to my machines.
- I need to define what hotfixes are required and detect what machines
conform to my policies."
UpdateEXPERT solves these and many more problems. Here are the new
features in Version 5.1. UpdateEXPERT now supports Windows XP and
the following Microsoft apps:
- SQL Server
- Exchange Server
- Internet Explorer
- Media Player
- Windows Media Services
- Office (Summer 2001)
- Outlook (Summer 2001)
In addition to installing the updates, UpdateEXPERT will ensure that
the update is correctly installed. This validation can be performed at
any time and as part of the deployment process. You can designate
updates as required. This enables you to manage hotfixes by policy,
something that is regarded as the holy grail but just wasn't available
up to now.
You can simply define what updates are required with a click of the
mouse. The sum of required updates equals the user's policies.
Policies are used for many configuration parameters. Security and
staging are just a couple of policy factors.
You can run reports to verify your policy adherence. This report makes
it easy to see how your inventory matches up against what updates are
required. Policy management is enforced by defining policy (with
required Updates) and managing by exception those machines that are
incomplete. Note on the eval you can download: this version of
UpdateEXPERT will allow you to evaluate 5 machines for 15 days.
HIPAA Related Sites For More Info
I got a bunch of people asking me questions about HIPAA and where
they could get more information. This is USA-related data but if you
are somewhere in the rest of the world, the writing is on the wall.
It's going to take a bit longer perhaps, but your government will
very likely move in this same direction. It has a direct impact on
how you have to organize your networks, servers, security and policy.
And here is a recent ComputerWorld article describing health groups that
push for quick HIPAA changes. About 80 health care groups this week called
on U.S. Department of Health and Human Services Secretary Tommy Thompson
to approve quick changes to HIPAA's final privacy rules.
This Week's Links We Like. Tips, Hints And Fun Stuff
New South Carolina Law requires IT workers to fight child porn. Gulp
Totally useless kung-fu animation, but technically extremely kewl
A toy called DraganFlyer. You will hear more about it. (I got one)
PRODUCT OF THE WEEK
Server+ Certification Bible
If you are planning to take the CompTIA Server+ exam, this might be the
book you need. It's a very comprehensive and effective guide to train
for that Certification. The writer Trevor Kay is clearly a techie that
knows his stuff. There are a few technical and grammatical errors in
the book that should have been edited out though. However, if you are
in the bizz of maintaining and upgrading servers in the field, this book
is recommended despite its shortcomings. You can check it out at Amazon: