Sunbelt W2Knews™ Electronic Newsletter
The secret of those "who always seem to know" - Over 500,000 Readers!
Mon, Aug 20, 2001 (Vol. 6, #63 - Issue #298)
Are You Going W2K MCSE?
  This issue of W2Knews™ contains:
  1. EDITORS CORNER
    • Sunbelt Website Down - What happened?
    • Latest SunPoll Extended: Are You Going W2K MCSE?
  2. TECH BRIEFING
    • Here's How To Block Instant Messaging
  3. NT/2000 RELATED NEWS
    • Warning Against A New MS Hotfix Scanner: MPSA
    • Microsoft Issues Another Cumulative IIS Patch
  4. NT/2000 THIRD PARTY NEWS
    • Want To Get Rid Of All Your Tape Drives?
  5. W2Knews 'FAVE' LINKS
    • This Week's Links We Like. Tips, Hints And Fun Stuff
  6. PRODUCT OF THE WEEK
    • White Hat Security Arsenal - Tackling the Threats
  SPONSOR: ALTIRIS

Do you know how many software licenses you've purchased that are rarely used or never installed? The Altiris Compliance Toolkit gives you pre-built web reports to analyze where software is installed and how often it's used. Know immediately where to harvest unused licenses. Instant ROI. Download a trial copy of Compliance Toolkit at:
Visit ALTIRIS for more information.
  EDITORS CORNER

Sunbelt Website Down - What happened?

Friday morning, about 11:45am, we went off the air. Here is the post-mortem so you can learn to avoid what happened to us. We have two W2K machines sitting side by side, clustered together with the Network Load Balancing (NLB) tool that comes with Windows 2000. Both are Dell servers with their own storage. If one dies, the other should take over. There is a third (heavy) server that runs SQL 7. It services both web machines, since our whole website is dynamic, lives in SQL, and pages get served out of SQL in real time using Cold Fusion to drive the website.

We lost one of the two webserver machines out of the NLB cluster around 03:45am this morning. It started not to listen to its own network adapter. This behavior had been spotted a day or so earlier and was scheduled to get repaired this weekend.

The second web server machine stayed in the air and serviced all the requests heroically on its own, but died at 11:45am. This time, Cold Fusion was the culprit, choking the system by taking twice the amount of RAM as normal, and when we uploaded a big file it killed that box by taking too many resources: "Poof" and we were out of the air for about 3 minutes while we rebooted that machine.

Now, these two webservers only had 256 MB of RAM each. When we bought them, RAM was expensive. Now it is really cheaper than dirt. So we decided to bump each up to either 512 MB or 1 GB, so that when one of them fails, the other has enough resources to "pull the cart on its own" for a while, even if we make it sweat. [grin]

Latest SunPoll Extended: Are You Going W2K MCSE?

On this rare occasion, we modified a survey midstream because we found out we forgot a really important option. It was early enough to do that and make everyone aware of the change. We forgot the 5th choice, and if you see which option, you'll understand how silly that omission was:

  • No, I am upset with MS and not motivated to redo the exams
  • Perhaps, when I can create some time for it
  • Yes, I am planning to do that
  • Already cramming for my exams
  • Already certified as a W2K MCSE (!)
The Poll sits on the Sunbelt Site; you can vote in the leftmost column of the welcome page. You will see instant results after you vote here: Come and vote! The people in MS who are responsible for training do take these polls into consideration.

http://www.w2knews.com/rd/rd.cfm?id=082001-SunPoll

Warm regards,

Stu Sjouwerman (email me with feedback: [email protected])

  SPONSOR: UpdateEXPERT

DOES IT TAKE TOO LONG TO APPLY HOTFIXES? Are you spending too much time deploying them by hand? Cannot track which hotfixes are applied or validate installations remotely? Cannot create system-wide policies to manage all machines at once? Cannot generate reports and manage to these results? Hotfixes have migrated from a headache to a full-fledged nightmare. UpdateEXPERT is a great and low-cost tool to manage hotfixes. Supports many OSes & platforms:
Visit UpdateEXPERT for more information.
  TECH BRIEFING

Here's How To Block Instant Messaging

The new Win-Security List server is a big success. We have well over 2,300 subscribers, and the threads are starting to become interesting after the somewhat noisy start coming out of the gate. A lot of people knew each other from other lists, so the banter was thick. One of the topics discussed was the inherently very insecure Instant Messaging that is creeping into organizations almost like a sanctioned virus. This stuff makes Swiss cheese out of your security though. That is why a lot of people are nailing it down. Here's how.

We made this list the other day using our l33t Nslookup "skillz" and some digging; it should kill the four commonly used programs dead. We're going to put hard blocks on the IP addresses for *all* ports using our PIX firewall, as the IM programs will try to find any port to get out on. However, you will have to keep checking for changes. For instance, about twice a year AOL changes their IP addresses.

AOL IM
login.oscar.aol.com
Default Port: 5190

ICQ
login.icq.com
Default Port: 5190

MSN
messenger.hotmail.com

Yahoo
cs.yahoo.com
Default Port: 5050

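An added example (not from the newsletter or from Sunbelt) of the "keep checking for changes" step above: it resolves the four login hostnames, diffs the answers against what the firewall already blocks, and prints all-ports deny lines for the gaps. The PIX access-list syntax, the ACL name "outbound" and the sample DNS answers are assumptions constructed for the example.

```python
import socket
from typing import Callable, Dict, Iterable, List, Set

# Login hosts named in the article. The addresses behind them change (the
# article notes AOL moves about twice a year), so the block list must be
# re-checked against DNS rather than written once.
IM_LOGIN_HOSTS = {
    "AOL IM": "login.oscar.aol.com",
    "ICQ": "login.icq.com",
    "MSN": "messenger.hotmail.com",
    "Yahoo": "cs.yahoo.com",
}

# Constructed sample DNS answers (documentation addresses) so the example runs offline.
SAMPLE_DNS = {
    "login.oscar.aol.com": {"192.0.2.10", "192.0.2.11"},
    "login.icq.com": {"192.0.2.20"},
    "messenger.hotmail.com": {"192.0.2.30"},
    "cs.yahoo.com": {"192.0.2.40"},
}

def resolve_ipv4(host: str) -> Set[str]:
    """Live lookup (the article's nslookup step); collect every A record, not just the first."""
    return {info[4][0] for info in socket.getaddrinfo(host, None, socket.AF_INET)}

def blocklist_drift(blocked: Dict[str, Set[str]],
                    resolver: Callable[[str], Set[str]] = resolve_ipv4) -> Dict[str, Dict[str, Set[str]]]:
    """Per service: addresses DNS returns now that are not yet blocked ('missing'), and
    blocked addresses DNS no longer returns ('stale'). Treat 'stale' as items to review,
    not to drop automatically: round-robin DNS hands out only a subset of a pool."""
    report = {}
    for service, host in IM_LOGIN_HOSTS.items():
        live, have = resolver(host), blocked.get(service, set())
        report[service] = {"missing": live - have, "stale": have - live}
    return report

def pix_deny_lines(addresses: Iterable[str], acl_name: str = "outbound") -> List[str]:
    """One deny per address for all IP traffic on every port, mirroring the article's
    'hard block on all ports' rule (PIX syntax and the ACL name are assumptions)."""
    return [f"access-list {acl_name} deny ip any host {ip}" for ip in sorted(addresses)]

if __name__ == "__main__":
    # Pretend the firewall already blocks one current AOL address and one retired one.
    current = {"AOL IM": {"192.0.2.10", "192.0.2.99"}, "ICQ": {"192.0.2.20"}}
    for service, diff in blocklist_drift(current, SAMPLE_DNS.__getitem__).items():
        print(service, "missing:", sorted(diff["missing"]), "stale:", sorted(diff["stale"]))
        for line in pix_deny_lines(diff["missing"]):
            print("  ", line)
```

Drop the `resolver` argument to query live DNS instead of the constructed table.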
  NT/2000 RELATED NEWS

Warning Against A New MS Hotfix Scanner: MPSA

This time it is a tool for personal use and small office/home office (SOHO)-type users. It's called the Microsoft Personal Security Advisor (MPSA). This is the kind of thing that can cause you intolerable headaches as a systems or network administrator in any production environment. MS tells the market it should be available soon. It allows your users to scan their NT 4.0 and W2K machines and receive reports on their system's security settings and how to improve them. Noooooooo!

Stuff like this finding its way into a corporate environment is a time bomb waiting to explode. It totally annihilates the concept of centralized control and being able to support your network. If I were you I would insist on policy and procedures to KEEP MPSA OUT OF YOUR NETWORKS. If everyone starts to "fix their own machines to make them more secure" it's time to make a career change.

MPSA reports missing security patches, weak passwords, IE and Outlook security settings, and Office protection settings. Fine for a 5-PC network in a dentist's office, but that's about it. Do not allow the use of this thing in your networks. You'll regret it.

Obviously this is MS's answer to the recent accusations they are not doing enough to keep their software secure. The problem is that these are fixes after the fact. Designing, coding and testing truly secure software from the drawing board on up is what is needed. Many military systems are compartmentalized and virtually unbreakable. The kind of stuff to get rockets to the moon. It's time we use these techniques in commercial software. The damage just gets way out of hand if hundreds of thousands of companies need to jump through hoops to fix software that is significantly flawed.

The new MS command-line tool HFNetChk is an attempt to help admins. This puppy will help figure out which patches you need, if any. Each time the program is run, it downloads a new version of the XML hotfix listing from the MS website, using a number of security features to ensure authenticity.

But it's still an extremely clunky command-line tool. And it does not fix anything automatically. To be really on the ball, you need a third-party tool from a company that makes a full-time living off managing the MS fixes. A utility like UpdateEXPERT is something you should look at for a network in any production environment. Here are two links. One to the FAQ of the MS HFNetChk scanner, which shows you what kind of problems have already crept up with it. The other link is to a third-party tool that has been doing this kind of thing for years already, called UpdateEXPERT.

http://www.w2knews.com/rd/rd.cfm?id=082001-MSFixFAQ

http://www.w2knews.com/rd/rd.cfm?id=082001-UpdateEXPERT

Microsoft Issues Another Cumulative IIS Patch

Just last Wednesday, hours after W2Knews issue 297 was sent, MS bundled five newly discovered IIS vulnerabilities into a cumulative patch and posted it that night. IIS has been getting (a lot of) negative publicity recently due to its role as the vector for the Code Red worm.

This cumulative patch includes the fixes for Code Red, but it was actually created to fix some other vulnerabilities. MS said that the recent patch was needed because of the existence of five IIS holes which can be exploited by denial-of-service (DoS), buffer overrun or privilege-elevation attacks.

Microsoft did this too in May 2001: bundling a set of security fixes for IIS. But the recent security rollup for NT 4.0 about a month ago caused quite a few systems to crash. So again with this recent IIS rollup: TEST before you apply! But you gotta go back to all the servers you just patched for Code Red, and do it again. Sigh. Here is the link to the MS Bulletin.

http://www.w2knews.com/rd/rd.cfm?id=082001-IISrollup

  THIRD PARTY NEWS

Want To Get Rid Of All Your Tape Drives?

You may say, whaddayamean? Well, it's like this. Disk storage has become SO cheap that you could afford to stop making backups to tape completely. Restoring would also be really quick that way. Tapes are cumbersome, have to be made in off-hours, are slow, break and wear out; in short, they are more vulnerable than disks. Not to speak of backup windows that extend further and further.

There are several ways to do this. It really depends on how you are set up, how big (storage capacity) the sites are, how much the data changes, if you need fail-over or not, and how much bandwidth you have to play with. The type of tool and the costs are related to the degree of high-availability (HA) you choose.

Suppose you have several remote small sites that are less than 50GB where backups are a headache. You could backup (mirror) all the files from these disks to one central site with a capacity of say 300GB. If a remote small site goes down, you can either fail over or do a fast restore, depending on the "mission critical-ness" of that site.

Let's define terms here, so we know what we are talking about.

  • BACKUP is a file-by-file copy, usually from disk to tape. But it can also be done disk-to-disk.
  • MIRRORING is making a one-time copy of all the files from a source machine to a target machine.
  • REPLICATION means, once a mirror has completed, keeping all the files on the target up to date with changes that were made on the source.
  • DELTA REPLICATION means only the data blocks that change (not the whole file) are moved from the source to the target.
Now that you know the difference, you can determine what tool you would need to get rid of your tape drives. Let me explain three different solutions, looking at the site that was described above, from low-cost and low-HA to higher cost and high-HA.
  1. Use a disk-to-disk backup utility once a day. It copies all your storage from the small sites to the large site overnight. If a disk crashes, you can copy the files back quickly. The cost is roughly between US$ 1,000 and 2,000; the UltraBac Utility is a good example.
  2. Use a file replication tool that looks at files in real time. Once a file on one of the small sites changes, it gets copied in real time to the central site. Or you can schedule it to run, say, once an hour. A good value is PowerSync, which costs US$ 2,500 for 5 machines.
  3. Use a real-time Delta-replication tool with fail-over capability. Double-Take (DT) is a good example. This tool filters all data that goes to disk, looks at what changes and pumps just the data blocks that change over to the target machine. If the source machine croaks, the target takes over (fail-over). If your data changes a lot, this might be the only choice you have, as it uses less bandwidth, but the price is higher too. DT comes at about 2K per normal server and 5K for Advanced Server. You always need a minimum of two.
Here are all three options nicely together in the High Availability/Disaster Recovery section so you can have a look and compare which one you think fits your environment best.
http://www.w2knews.com/rd/rd.cfm?id=082001-NoTapeDrives
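An added example (not from the newsletter or from any of the products named) that puts the definitions above to work: it fingerprints a file in fixed-size blocks and counts how many bytes each approach moves to the target when part of the file changes, which is the bandwidth argument behind option 3. The block size and the sample file are constructed for the example.

```python
import hashlib
from typing import Dict, List

BLOCK_SIZE = 4096  # assumed block size; real delta-replication tools pick their own

def block_digests(data: bytes, block_size: int = BLOCK_SIZE) -> List[str]:
    """Fingerprint each fixed-size block so changed blocks can be located cheaply."""
    return [hashlib.sha256(data[i:i + block_size]).hexdigest()
            for i in range(0, len(data), block_size)]

def delta_blocks(old: bytes, new: bytes, block_size: int = BLOCK_SIZE) -> List[int]:
    """Indices of blocks in `new` that differ from `old`, or that `old` never had."""
    old_d, new_d = block_digests(old, block_size), block_digests(new, block_size)
    return [i for i, d in enumerate(new_d) if i >= len(old_d) or old_d[i] != d]

def bytes_moved(old: bytes, new: bytes, block_size: int = BLOCK_SIZE) -> Dict[str, int]:
    """Bytes sent to the target under each scheme from the article's definitions:
    a nightly backup or a mirror copies the whole file whether it changed or not,
    file replication copies the whole file only when it changed, and delta
    replication copies only the blocks that changed."""
    changed = delta_blocks(old, new, block_size)
    return {
        "backup_or_mirror": len(new),
        "file_replication": len(new) if old != new else 0,
        "delta_replication": sum(min(block_size, len(new) - i * block_size) for i in changed),
    }

if __name__ == "__main__":
    # Constructed 40 KB file; flip one byte inside block 3 and append 100 bytes.
    old = bytes(range(256)) * 160
    edited = bytearray(old)
    edited[3 * BLOCK_SIZE + 100] ^= 0xFF
    new = bytes(edited) + b"x" * 100
    print("changed blocks:", delta_blocks(old, new))
    for scheme, size in bytes_moved(old, new).items():
        print(f"{scheme:>18}: {size} bytes")
```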
  FAVE LINKS

This Week's Links We Like. Tips, Hints And Fun Stuff

  • The new win-security list agrees this is a top security site to check
    http://www.w2knews.com/rd/rd.cfm?id=082001FL-SecuritySite
  • Looking at getting Certified in the Security area? Check out this one:
    http://www.w2knews.com/rd/rd.cfm?id=082001FL-SecurityCertified
  • Stunning space pics from the Chandra X-Ray telescope. Great wallpaper
    http://www.w2knews.com/rd/rd.cfm?id=082001FL-SpacePics
  PRODUCT OF THE WEEK

White Hat Security Arsenal - Tackling the Threats

As a computer security expert at AT&T Labs, author Avi Rubin regularly meets with IT staffs from all types of companies. When asked to recommend resource material to his customers, Rubin realized that there just wasn't a book on the market that would give them concise, direct answers to all their security questions. So he wrote one. You will find it at the W2Knews BookClub:

http://www.w2knews.com/rd/rd.cfm?id=082001BOW-WhiteHat