Sunbelt W2Knews Electronic Newsletter
The secret of those "who always seem to know" - Over 500,000 Readers!
Mon, Aug 20, 2001 (Vol. 6, #63 - Issue #298)
Are You Going W2K MCSE?
This issue of W2Knews contains:
- EDITORS CORNER
- Sunbelt Website Down - What happened?
- Latest SunPoll Extended: Are You Going W2K MCSE?
- TECH BRIEFING
- Here's How To Block Instant Messaging
- NT/2000 RELATED NEWS
- Warning Against A New MS Hotfix Scanner: MPSA
- Microsoft Issues Another Cumulative IIS Patch
- NT/2000 THIRD PARTY NEWS
- Want To Get Rid Of All Your Tape Drives?
- W2Knews 'FAVE' LINKS
- This Week's Links We Like. Tips, Hints And Fun Stuff
- PRODUCT OF THE WEEK
- White Hat Security Arsenal - Tackling the Threats
Do you know how many software licenses you've purchased that are rarely
used or never installed? The Altiris Compliance Toolkit gives you pre-
built web reports to analyze where software is installed and how often
it's used. Know immediately where to harvest unused licenses. Instant
ROI. Download a trial copy of Compliance Toolkit at:
Visit ALTIRIS for more information.
Sunbelt Website Down - What happened?
Friday morning, about 11:45am we went off the air. Here is the
post-mortem so you can learn to avoid what happened to us. We have two W2K
machines sitting side by side clustered together with the Network Load
Balancing (NLB) tool that comes with Windows 2000. Both are Dell servers
with their own storage. One dies, the other should take over. There is
a third (heavy) server that runs SQL 7. It services both web machines
since our whole website is dynamic, lives in SQL and pages get served
out of SQL in real-time using Cold Fusion to drive the website.
We lost one of the two webserver machines out of the NLB cluster around
03:45am this morning. It had stopped listening on its own network
adapter. This behavior had been spotted a day or so earlier, and the
repair was scheduled for this weekend.
The second web server machine stayed in the air and serviced all the
requests heroically on its own but died at 11:45am. This time, Cold
Fusion was the culprit, choking the system by taking twice the amount
of RAM it normally does; when we uploaded a big file it killed that box
by taking too many resources: "Poof" and we were off the air for
about 3 minutes while we rebooted that machine.
Now, these two webservers only had 256 MB of RAM each. When
we bought them, RAM was expensive. Now it is really cheaper than dirt.
So we decided to bump each up to either 512 MB or 1 GB, so that when
one of them fails, the other has enough resources to "pull the cart
on its own" for a while, even if we make it sweat. [grin]
Latest SunPoll Extended: Are You Going W2K MCSE?
On this rare occasion, we modified a survey midstream because we found
out we forgot a really important option. It was early enough to do
that, and make everyone aware of the change. We forgot the 5th choice
and if you see which option, you'll understand how silly that omission
The Poll sits on the Sunbelt Site; you can vote in the leftmost column
of the welcome page. You will see instant results after you vote here:
Come and vote! The people in MS that are responsible for training do
take these polls into consideration.
- No, I am upset with MS and not motivated to redo the exams
- Perhaps, when I can create some time for it
- Yes, I am planning to do that
- Already cramming for my exams
- Already certified as a W2K MCSE (!)
(email me with feedback: [email protected])
DOES IT TAKE TOO LONG TO APPLY HOTFIXES?
Are you spending too much time deploying them by hand? Cannot track
which hotfixes are applied or validate installations remotely? Cannot
create system-wide policies to manage all machines at once? Cannot
generate reports and manage to these results? Hotfixes have migrated
from a headache to a full-fledged nightmare. UpdateEXPERT is a great
and low-cost tool to manage hotfixes. Supports many OSes & platforms:
Visit UpdateEXPERT for more information.
Here's How To Block Instant Messaging
The new Win-Security List server is a big success. We have well over
2,300 subscribers and the threads start to become interesting after
the somewhat noisy start coming out of the gate. A lot of people
knew each other from other lists so the banter was thick. One of the
topics discussed was the inherently very insecure Instant Messaging
that is creeping into organizations almost like a sanctioned virus.
This stuff makes Swiss cheese out of your security though. That is
why a lot of people are nailing it down. Here's how.
We made this list the other day using our l33t Nslookup "skillz" and
some digging; it should kill the 4 commonly used programs dead. We're
going to put hard blocks on the I.P. addresses for *all* ports using
our PIX firewall as the IM programs will try to find any port to get
out on. However, you will have to keep checking for changes. For
instance, about twice a year AOL changes their IP addresses.
[The IP address list did not survive extraction; only the default ports remain: 5190, 5190 and 5050.]
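The "keep checking for changes" step above, as an added example (not Sunbelt's list or script): it re-resolves a set of IM login hostnames, diffs the answers against the addresses already blocked, and renders PIX access-list deny lines for any newcomers. The hostnames, the saved address list, the sample DNS answers and the ACL name "outbound" are all constructed placeholders.

```python
"""Re-check the addresses behind a set of IM login hosts against the list
already blocked, and emit PIX deny lines for any newcomers.  Hostnames,
the saved list and the sample DNS answers are all constructed placeholders."""
import ipaddress
import socket
from typing import Callable, Iterable, List, Set, Tuple

IM_HOSTS = ["login.im-one.example", "login.im-two.example"]  # placeholders
KNOWN_BLOCKED = {"192.0.2.10", "192.0.2.11", "198.51.100.5"}  # constructed

# Constructed DNS answers so the script runs offline; swap in resolve_live.
SAMPLE_DNS = {"login.im-one.example": ["192.0.2.10", "192.0.2.12"],
              "login.im-two.example": ["198.51.100.5"]}


def resolve_live(host: str) -> Set[str]:
    """Every IPv4 address the resolver currently returns for host."""
    try:
        infos = socket.getaddrinfo(host, None, socket.AF_INET)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def resolve_sample(host: str) -> Set[str]:
    """Offline stand-in for resolve_live, backed by the constructed table."""
    return set(SAMPLE_DNS.get(host, ()))


def find_changes(hosts: Iterable[str], known: Set[str],
                 resolver: Callable[[str], Set[str]] = resolve_live
                 ) -> Tuple[Set[str], Set[str]]:
    """(added, removed): addresses now served but not yet blocked, and
    blocked addresses no host returns any more (review before unblocking)."""
    current: Set[str] = set()
    for host in hosts:
        current |= resolver(host)
    return current - known, known - current


def pix_deny_lines(addresses: Iterable[str], acl: str = "outbound") -> List[str]:
    """One PIX access-list line per address, denying all IP traffic to it
    (no port filter, because the IM clients hunt for any open port).
    The ACL still has to be bound to the inside interface with access-group."""
    ordered = sorted(addresses, key=ipaddress.IPv4Address)  # also validates
    return [f"access-list {acl} deny ip any host {a}" for a in ordered]


if __name__ == "__main__":
    added, removed = find_changes(IM_HOSTS, KNOWN_BLOCKED, resolve_sample)
    print("\n".join(pix_deny_lines(added)))
    print("no longer resolved:", sorted(removed))
```

Run it from cron against the real hostnames with resolve_live; an address that drops out of "removed" should be reviewed by hand before its deny line is taken out, since a host may simply have failed to resolve that day.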
NT/2000 RELATED NEWS
Warning Against A New MS Hotfix Scanner: MPSA
This time it is a tool for personal use, small office & home office
(SOHO)-type users. It's called the Microsoft Personal Security Advisor
(MPSA). This is the kind of thing that can cause you intolerable
headaches as a systems- or network administrator in any production
environment. MS tells the market it should be available soon. It
allows your users to scan their NT 4.0 and W2K machines and receive
reports on their system's security settings and how to improve them.
Stuff like this finding its way into a corporate environment is a
time bomb waiting to explode. It totally annihilates the concept
of centralized control and being able to support your network. If
I were you I would insist on policy and procedures to KEEP MPSA
OUT OF YOUR NETWORKS. If everyone starts to "fix their own machines
to make them more secure" it's time to make a career change.
MPSA reports missing security patches, weak passwords, IE and Outlook
security settings, and Office protection settings. Fine for a 5-PC
network in a dentist's office, but that's about it. Do not allow
the use of this thing in your networks. You'll regret it.
Obviously this is MS's answer to the recent accusations they are
not doing enough to keep their software secure. The problem is
that these are fixes after the fact. Designing, coding and testing
truly secure software from the drawing board on up is what is needed.
Many military systems are compartmentalized and virtually unbreakable.
The kind of stuff to get rockets to the moon. It's time we use these
techniques in commercial software. The damage just gets way out of
hand if hundreds of thousands of companies need to jump through hoops
to fix software that is significantly flawed.
The new MS command-line tool HFNetChk is an attempt to help admins.
This puppy will help figure out which patch you need, if any. Each
time the program is run, it downloads a new version of the XML hotfix
listing from the MS website, using a number of security features to
But it's still an extremely clunky command-line tool. And it does not
fix anything automatically. To be really on the ball, you need a 3rd-party
tool from a company that makes a full-time living off managing
the MS fixes. A utility like UpdateEXPERT is something you should look
at for a network in any production environment. Here are two links.
One to the FAQ of the MS HFNetChk scanner, which shows you what kind
of problems have already crept up with it. The other link is to a 3rd-party
tool that has been doing this kind of thing for years already, called
Microsoft Issues Another Cumulative IIS Patch
Just last Wednesday, hours after W2Knews issue 297 was sent, MS bundled
five newly discovered IIS vulnerabilities into a cumulative patch
and posted it that night. IIS has been getting (a lot of) negative
publicity recently due to its role as the vector for the Code Red worm.
This cumulative patch includes the fixes for Code Red, but it was
actually created to fix some other vulnerabilities. MS said that the
recent patch was needed because of the existence of five IIS holes
which can be exploited by denial-of-service (DoS), buffer overrun
or privilege-elevation attacks.
Microsoft did this too in May 2001: bundling a set of security fixes
for IIS. But the recent security rollup for NT 4.0 about a month ago
caused quite a few systems to crash. So again with this recent IIS
rollup: TEST before you apply! But you gotta go back to all the
servers you just patched for Code Red, and do it again. Sigh.
Here is the link to the MS Bulletin.
THIRD PARTY NEWS
Want To Get Rid Of All Your Tape Drives?
You may say, whaddayamean? Well, it's like this. Disk storage has
become SO cheap, that you could afford to stop making backups to
tape completely. Restoring would also be really quick that way.
Tapes are cumbersome, have to be made in off-hours, are slow, they
break, they wear out; in short, they are more vulnerable than disks. Not to
speak of backup windows that extend further and further.
There are several ways to do this. It really depends on how you are
set up, how big (storage capacity) the sites are, how much the data
changes, if you need fail-over or not, and how much bandwidth you
have to play with. The type of tool and the costs are related to the
degree of high-availability (HA) you choose.
Suppose you have several remote small sites that are less than 50GB
where backups are a headache. You could back up (mirror) all the files
from these disks to one central site with a capacity of say 300GB.
If a remote small site goes down, you can either fail over or do a
fast restore, depending on the "mission critical-ness" of that site.
Let's define terms here, so we know what we are talking about.
- BACKUP is a file-by-file copy, usually from disk to tape. But it can
also be done disk-to-disk.
- MIRRORING is making a one-time copy of all the files from a source
machine to a target machine.
- REPLICATION means once a mirror has completed, keeping all the files
on the target up to date with changes that were made on the source.
- DELTA REPLICATION moves only the data blocks that change (not the whole
file) from the source to the target.
Now you know the difference, you can determine what tool you would
need to get rid of your tape drives. Let me explain three different
solutions looking at the site that was described above, from low-cost
and low-HA to higher cost and high-HA.
- Use a disk-to-disk backup utility once a day. It copies all your
storage from the small sites to the large site overnight. If a disk
crashes, you can copy the files back quickly. The cost is roughly
between US$ 1,000 and 2,000; the UltraBac Utility is a good example.
- Use a file replication tool that looks at files in real time.
Once a file on one of the small sites changes, it gets copied in
real time to the central site. Or you can schedule it to run, say,
once an hour. A good value is PowerSync that costs US$ 2,500 for
- Use a real-time Delta-replication tool with fail-over capability.
Double-Take (DT) is a good example. This tool filters all data that
goes to disk, looks at what changes and pumps just the data blocks
that change over to the target machine. If the source machine croaks,
the target takes over (fail-over). If your data changes a lot, this
might be the only choice you have, as it uses less bandwidth, but
the price is higher too. DT comes at about 2K per normal server
and 5K for Advanced Server. You always need a minimum of two.
Here are all three options nicely together in the High Availability/
Disaster Recovery section so you can have a look and compare which
one you think fits your environment best.
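Block-level delta replication, as the DELTA REPLICATION definition and the Double-Take option above describe it, worked through as an added example (constructed in-memory data, not Double-Take's code): both sides hash fixed-size blocks, and only blocks whose hash differs cross the wire, which is where the bandwidth saving comes from. The 4 KB block size is an assumption.

```python
"""Block-level delta replication as the definitions above describe it:
hash fixed-size blocks on source and target, ship only blocks whose hash
differs.  Added example on constructed in-memory data, not Double-Take's code."""
import hashlib
from typing import Dict, List, Tuple

BLOCK = 4096  # bytes per block; an assumption, real tools pick their own


def block_hashes(data: bytes) -> List[str]:
    """One SHA-256 per block; the final block may be short."""
    return [hashlib.sha256(data[i:i + BLOCK]).hexdigest()
            for i in range(0, len(data), BLOCK)]


def delta(source: bytes, target: bytes) -> Tuple[Dict[int, bytes], int]:
    """Blocks the target lacks or holds stale, keyed by block index, plus the
    source length so a shrunken source truncates the target copy."""
    src_h, tgt_h = block_hashes(source), block_hashes(target)
    changed: Dict[int, bytes] = {}
    for idx, h in enumerate(src_h):
        if idx >= len(tgt_h) or tgt_h[idx] != h:
            changed[idx] = source[idx * BLOCK:(idx + 1) * BLOCK]
    return changed, len(source)


def apply_delta(target: bytes, changed: Dict[int, bytes], new_len: int) -> bytes:
    """Patch the target copy block by block, then grow or truncate to new_len."""
    buf = bytearray(target)
    if len(buf) < new_len:
        buf.extend(b"\0" * (new_len - len(buf)))
    for idx, chunk in changed.items():
        buf[idx * BLOCK:idx * BLOCK + len(chunk)] = chunk
    return bytes(buf[:new_len])


def replicate(source: bytes, target: bytes) -> Tuple[bytes, int]:
    """Bring target in line with source; return (new target, bytes shipped)."""
    changed, new_len = delta(source, target)
    shipped = sum(len(c) for c in changed.values())
    return apply_delta(target, changed, new_len), shipped


if __name__ == "__main__":
    # Constructed 16 KB "disk"; flip one byte inside the second block.
    original = bytes(range(256)) * 64
    edited = bytearray(original)
    edited[5000] ^= 0xFF
    copy, shipped = replicate(bytes(edited), original)
    print(f"shipped {shipped} of {len(edited)} bytes, in sync: {copy == edited}")
```

A whole-file replication tool would have sent all 16 KB for that one-byte change; the block-level delta sends one 4 KB block, and the same logic handles a file that grows or shrinks.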
This Week's Links We Like. Tips, Hints And Fun Stuff
The new win-security list agrees this is a top security site to check
Looking at getting Certified in the Security area? Check out this one:
Stunning space pics from the Chandra X-Ray telescope. Great wallpaper
PRODUCT OF THE WEEK
White Hat Security Arsenal - Tackling the Threats
As a computer security expert at AT&T Labs, author Avi Rubin regularly
meets with IT staffs from all types of companies. When asked to
recommend resource material to his customers, Rubin realized that
there just wasn't a book on the market that would give them concise,
direct answers to all their security questions. So he wrote one. You
will find it at the W2Knews BookClub: