Sunbelt W2Knews™ Electronic Newsletter
The secret of those "who always seem to know" - Over 500,000 Readers!
Mon, Sep 3, 2001 (Vol. 6, #67 - Issue #302)
Security Survey Results
  This issue of W2Knews™ contains:
    • Sunbelt Security Survey
    • More on the 1311 Error During Install
    • Security Survey Results
    • New Internet Worm Masquerades as MS Tech Support Email
    • "Lost & Found" Your MCSE
    • Oh Yeah! I Think I'm In Love...
    • I Have A Hole In IIS, But Cannot Reboot After The Fix
  5. W2Knews 'FAVE' LINKS
    • This Week's Links We Like. Tips, Hints And Fun Stuff
    • Windows 2000 Professional On Site
  SPONSOR: Altiris
Do you know how many unused software licenses you're paying for? How
will you project future software needs within your organization? With
Altiris Compliance Toolkit, use pre-built web reports to analyze where
software is installed and how often it's used. Make informed business
decisions, know where to harvest unused licenses and how many licenses
you really need. Instant ROI. Download a free trial copy of Compliance
Toolkit now at:
Visit Altiris for more information.

Sunbelt Security Survey

First, I'd like to thank all of you that participated in this survey. It's great to be able to now give you back the results, and they are definitely interesting. We have the percentages in the Tech Briefing. It's 9 questions that cover a good chunk of the current problems and we'll have a few graphs on the website that make it a bit easier to see. So, in a nutshell, what are the highlights?

Malicious code infections were by far the most impinging on security. Organizations are currently focusing most on security and availability for Web site and/or e-commerce operations, strengthening the network perimeter to prevent external attacks, and messaging/e-mail security.

The biggest problem with security was the lack of employee training and end-user awareness: This was where the pain hit home. The real problems are still at the (early) stages of educating the end-users. This was followed by lack of internal security policies, management buy-in and lack of security tools.

The biggest internal security breach was very interesting to see: A whopping 78.9% mentioned installation/use of unauthorized software as the number one culprit. And for external attacks, the pain is in attacks on bugs in Web servers. A very high 75.8% rated this in the "3 to 5" band on the headache-scale. Read all about it in the Tech Briefing. There is work to do in this area. A lot of work!

And here is the new SunPoll, of course about security:
Question: Would your network itself - regardless of policies and procedures - pass a security audit?

  • Nope, I cannot keep up with all the fixes
  • I'm trying but I'm not so sure
  • Pretty well protected if I say so myself
  • We're watertight. Hackers: bring it on!
You can vote at the Sunbelt site, the leftmost column. Look for the SunPoll bar. Let's see how confident everybody really is.

Warm regards,

Stu Sjouwerman (email me with feedback: [email protected])

  SPONSOR: Intense School

IT Boot Camps for as low as $33/month!*

Windows 2000 MCSE in 14 Days as low as $54/mo*
MCDBA in 14 Days as low as $56/mo*
MCSD in 14 Days as low as $54/mo*
CCNA/CCDA in 6 Days as low as $33/mo*
CCNP in 16 days as low as $89/mo*
A+, N+, MCP in 12 days as low as $48/mo*
Visit Intense School for more information.


More on the 1311 Error During Install

A few people responded they had seen this already, and one of you sent me this. Very useful and this registry change was indeed another much faster way to solve the problem. Here goes:

"I was recently involved with Microsoft PSS in a report of the 1311 error. In fact, at the time, my trouble call was the only recorded instance of the error to MS. I actually reported the work-around and cause to MS myself, as they did not have an answer for me. What I found was that my error was caused by a security policy labeled 'Restrict CDROM access to locally logged on user only'. Turns out that the 'SYSTEM' account does not run under the context of 'INTERACTIVE' and therefore is not considered locally logged on.

This blocks the installation from the CD-ROM when the policy is set. The policy is controlled in the following registry key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. There is a value 'AllocateCDRom' which if set to '1' will cause this problem. Set it to '0' to resolve the problem.

BTW, another work-around that is much more convenient than copying all of the files to the hard disk is sharing the CD-ROM (I am surprised they didn't give you this work-around) and accessing it through the share instead (i.e., \\Computer\CDshare). Since the network drive is not treated as a CD-ROM, the access restriction does not apply. Hope you find this information useful.
-- Michael Hall, Consultant, Windows and Messaging Practice, COMPAQ.

Security Survey Results

In early August 2001, Sunbelt Software ran a survey with security as its only focus. The survey produced some very interesting conclusions regarding the general security posture of companies and the areas that need to be addressed. There were 549 respondents.

To begin with, here are the results in percentages:

  1. What job title or category best describes your current position?
       Choice                                    Percent
     - Administrator/Operator                    48.9%
     - Consultant                                14.5%
     - Unit/Department/Division Manager          13.4%
     - Engineer                                  12.6%
     - Auditor                                    0.4%
     - CEO/CIO/CTO/CFO/President/Principal        6.6%
     - Developer                                  2.2%
     - Chief Security Officer                     1.5%

  2. How many total worldwide employees are in your entire organization? (full-time, part-time and contract)
       Choice          Percent
     - 0-100           32.4%
     - 100-500         20.9%
     - 500-1000        11.2%
     - 1000-10,000     20.9%
     - 10,000-50,000    9.0%
     - 50,000+          5.7%

  3. Has your budget for infosecurity for the year 2001 been cut or frozen due to economic slowdown?
       Choice       Percent
     - Yes          34.8%
     - No           47.4%
     - Do not know  17.8%

  4. Tell us the headache-ratio regarding these infosecurity-related issues?
    (1= no problem, 5=huge headache)

    • Physical security was not seen as a major problem, 87% rated this from 1 to 3.
    • Electronic exploits/tools which include cracking, eavesdropping, spoofing, rootkits and the like were seen as a bit more urgent: 81.5% rated these from 2 to 4 on the headache scale.
    • Malicious code infection (e.g., viruses/Trojans/worms/ hostile Java or ActiveX) was by far the most impinging on security, a whopping 84.8% rated this from 3 to 5, which is the highest of all five areas.
    • Loss of privacy/confidentiality (e.g., abuse/misuse of data) was not a main cause of worry with 60.9% rating this between 2 and 3.
    • System unavailability (e.g., denial-of-service, natural disasters, power interruptions, bugs) was rated between 2 and 3 by 55.8%.

  5. Please tell us how important these items are in your organization?
    (1=Not at all important; 3=Moderately important; 5=Very important.)

    • Preventing employees/insiders from abusing access rights: This was rated relatively high, with a vast majority of 76.9% rating this between 3 and 5.
    • Securing remote access for traveling employees/telecommuters/remote offices: A very interesting high percentage of 36% rated this with a 5, compared to only 23% that rated it a 4.
    • Security and availability for Web site and/or e-commerce operations: A large number of respondents gave this a 5: 38.7%! The answers to this one went up gradually from just 7.5% that gave it a 1.
    • Strengthening the network perimeter to prevent external attacks: A similar "organpipe" pattern as the earlier question showed here, except that the differences were even more extreme. Only 1.8% gave this a 1, where 49.1% decided this was very important and gave it a 5.
    • Messaging/e-mail security: Also a high-priority area, with 93.4% rating this from 3 to 5.
    • Centralized management/correlation of security policy/controls/alert data: The spread was weighted heavily from 3 to 5, with a combined 84.8%.

  6. Tell us to what degree these items prevent you from achieving adequate security:
    (1=Not a problem 3= Bit of a headache 5=Huge obstacle.)

    • Budget constraints: This does not seem to be the biggest problem here. 31.1% rated this a 3, and that was the highest voted for. In its totality the votes were weighted from 3 to 5, but money is not the problem here!
    • Lack of management support/buy-in: 85% rated this between 1 and 4, with 5 being mentioned significantly less. It's an issue, but not where "it breaks".
    • Lack of employee training/end-user awareness: This was where the pain hit home! 88% indicated this in the 3 to 5 band, meaning that the real problems are still at the (early) stages of educating the end-users.
    • Lack of competent infosecurity personnel: If you imagine a bar chart with 5 columns, with the number of votes indicating the height of each column, this looked like a pyramid. 31% rated this a 3, and it dropped off toward both sides, with 11.3% indicating a 1 and 12.9% rating it a 5.
    • Lack of internal security policies: Leaning very strongly toward the 3-5 range, with 73% rating in that band. This is an area that definitely needs to be addressed, and of course it directly relates to educating the end-users.
    • Technical challenges/complexity of products: Another pyramid distribution (or bell curve if you insist), with 35% pegging the 3 and dropping off toward both extremes.
    • Lack of security (software) tools: Practically identical: 32.7% indicated a lack of tools at 3, 26.5% gave this a 4, and 10.8% a 5. That means that just under 70% need more tools to get the job done.

  7. Which of the following INTERNAL security breaches occurred in the past 12 months?
    (Check all that apply)
     - Installation/use of unauthorized software              78.9%
     - Abuse of computer access controls                      41.9%
     - Installation/use of unauthorized hardware/peripherals  41.0%
     - Use of company computing resources for illegal or
       illicit communications or activities                   36.4%
     - Physical theft, sabotage or intentional destruction
       of computing equipment                                 33.6%
     - Use of company computing resources for personal profit 27.3%
     - Other                                                  16.5%
     - Electronic theft, sabotage or intentional destruction 
       disclosure of proprietary data                         12.3%
     - Fraud                                                   4.0%

    The numbers speak for themselves. There is an immense amount of work to do here.

  8. Which of the following EXTERNAL attacks occurred in the past 12 months?
    (Check all that apply)
     - Viruses/Trojans/worms Attacks related to
       insecure passwords                                  64.2%
     - Attacks on bugs in Web servers                      56.7%
     - Buffer-overflow attack                              33.5%
     - Denial-of-service attack                            30.5%
     - Exploits related to active program scripting /
       mobile code                                         24.9% 
     - Attacks related to protocol weaknesses              21.1%
     - Other                                               14.5%

  9. Please rate these external security breaches. Which do you consider to be the most serious?
    (1=relatively light, 5=caused me downtime!)

    • Denial-of-service attack: Was not seen as such a big deal. 28% rated this a 3, and that was the highest score. It sloped down to both sides with 17.2% rating it a 1, and 16.9% gave it a 5.
    • Buffer-overflow attack: A very similar middle of the road distribution with 28.5% giving it a 3.
    • Attacks on bugs in Web servers: Now here is where the pain is! A whopping 75.8% voted in the 3 to 5 band. Keep in mind that most of these kinds of attacks make use of buffer overflow exploits. There is a relatively large "situation" in this area, which has been shown recently with the Code Red attack, a prime example.
    • Exploits related to active program scripting/mobile code: This was indicated as less severe, but still 55.1% gave this a rating in the 3 to 4 band.
    • Viruses/Trojans/worms Attacks related to insecure passwords: An area that certainly hurt a lot. We'll give you the numbers for all the votes, and you'll see they are steadily climbing to the 5-pain level: 1 - 10.0%; 2 - 13.5%; 3 - 21.3%; 4 - 26.5%; 5 - 28.7%.
    • Attacks related to protocol weaknesses: Not perceived as a problem. 70.3% voted in the 1-3 band.
So there you have it. Here's where the current status is. It's clear there is a lot of work to do. Sunbelt can help you if you guys simply do not have the time to do it. So here is a shameless plug for our Security Consulting Services [grin]

New Internet Worm Masquerades as MS Tech Support Email

This puppy looks like an e-mail from MS Technical Support. The new worm named [email protected] totes around a nasty payload that renders .exe's unusable by encrypting them with a random key. This thing will not hurt you if you stop .exe's from proliferating and most of you do. But this one is interesting...

The worm first verifies that an Internet connection is available. If a connection is established, it searches the My Documents folder for all files whose extension starts with ".ht" (".ht*"), extracts the e-mail addresses found in those files, and sends each of them a message that starts like this:

  From: "Microsoft Support" [email protected]
  Subject: Invalid SSL Certificate
  Microsoft Corporation announced that an invalid SSL certificate 
  that web sites use is required to be installed on the user computer 
  to use the https protocol. During the installation, the certificate 
  causes a buffer overrun in Microsoft Internet Explorer and by that

  Attachment: sslpatch.exe

"This new worm attempts to use social engineering to again trick users into opening its attached file. Casual Internet users are at most risk for Invalid's damaging retaliation," said Steven Sundermeier, Product Manager at Central Command, Inc. "At this time, we've received one report of this new worm, but Central Command is monitoring this worm's activity very closely."
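The lure above relies on two things a mail gateway can check before a user ever sees the message: a display name claiming to be a vendor while the address belongs to another domain, and an executable attachment (possibly hidden behind a harmless-looking filename). The following is an added example, not code from the newsletter or from Central Command; the sample messages, the example.invalid addresses and the single modelled vendor (Microsoft) are constructed assumptions.

```python
"""Mail-attachment triage for the lure pattern described above (added example, constructed data)."""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Extensions Windows will run directly when double-clicked.
EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
# Display-name keyword -> domain the address must actually belong to (assumption: only Microsoft is modelled).
CLAIMED_VENDORS = {"microsoft": "microsoft.com"}


def sender_findings(msg):
    """Flag a display name that claims a vendor while the address belongs elsewhere."""
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    findings = []
    for vendor, real_domain in CLAIMED_VENDORS.items():
        legit = domain == real_domain or domain.endswith("." + real_domain)
        if vendor in display.lower() and not legit:
            findings.append(f"display name claims {vendor} but address is @{domain}")
    return findings


def attachment_findings(msg):
    """Flag executable attachments, including PE files hidden behind a harmless-looking name."""
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        ext = name[name.rfind("."):] if "." in name else ""
        if ext in EXEC_EXTS:
            findings.append(f"executable attachment: {name}")
        elif data[:2] == b"MZ":  # DOS/PE header, whatever the filename claims
            findings.append(f"PE executable disguised as: {name or '(unnamed)'}")
    return findings


def triage(raw_message):
    """Return the reasons to quarantine the message; an empty list means nothing suspicious was found."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    return sender_findings(msg) + attachment_findings(msg)


def build_sample(sender, filename, data):
    """Constructed sample mirroring the lure's headers; example.invalid is a placeholder, not a real address."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Invalid SSL Certificate"
    msg.set_content("Microsoft Corporation announced that an invalid SSL certificate ...")
    msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    lure = build_sample('"Microsoft Support" <support@example.invalid>', "sslpatch.exe", b"MZ" + b"\0" * 30)
    for reason in triage(lure):
        print("QUARANTINE:", reason)
```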

"Lost & Found" Your MCSE

Many of you are going to lose your MCSE at the end of the year. But for some of us, this is not a laughing matter. For people that depend on MS for their business certifications, it's a MUST. They cannot afford a "lapse of credentials". A company like Sunbelt is required to have certified people on board to maintain our Partner status with MS.

For people that do not have these more stringent requirements, there is a silver lining. If you first lose and then get your MCSE back, it means you're then eligible for the TechNet first year discount. I'm sure there are even people deliberately holding off taking exams until next year for this reason.

You get no extra benefits for keeping your MCSE, and in fact you are rewarded for procrastinating on the exams. The longer people leave them, the more chance MS will lower the pass rate (as they did with 70-210) and offer higher discounts (it's far cheaper for somebody to take these exams now compared to earlier). MS marketing is making an error with this disincentive. And the small "early achiever card" doesn't really make up for it either. ;-)

(Thanks to Ed and Carol for their input on this one)


Oh Yeah! I Think I'm In Love...

Read this and you will see exactly what I mean by "made especially for System Admins". One of the W2Knews subscribers downloaded Sunbelt Remote Admin and wrote the following:

"We have been using VNC for a while. It did what the previous admins wanted it to, but we felt it was a bit buggy and insecure for use in our production environment. We were looking at TermSvcs on Win2k, but it has the basic limitations of terminal services.

Additionally, I wanted a secure command line product since I like to run a lot of command scripts, but the other admins wanted a robust GUI package. Seems like you really hit it all with Remote Admin. I was most impressed with the speed through our VPN. It was the smoothest and most responsive remote control solution I've used over my DSL line (including VNC, pcAnywhere, Remotely Possible, and others). We will definitely be purchasing a building-wide license."

That's better than I could have said it myself. Here is the 30-day eval so you can have a look at it:

I Have A Hole In IIS, But Cannot Reboot After The Fix

Ever been there? You simply cannot reboot your web servers until the scheduled downtime. These puppies are mission critical and downtime costs money. But on the other hand, you are vulnerable too. What to do while you are exposed?

SecureIIS is not for admins that don't want to ever patch their box again. It is for admins that have to wait for scheduled downtime to do so. We would all love to be able to take down our boxes and apply hotfixes the day they come out, but many of us can't.

SecureIIS buys you till Saturday night when you can do the patches and then reboot. Here is an eval. You should look at this tool. It locks down IIS better than anything else out there. It's a whole class in itself as it protects from known and unknown attacks.


This Week's Links We Like. Tips, Hints And Fun Stuff

  • Liked that useful MSConfig tool under NT, and missed it for W2K? Look:
  • ZoneAlarm is still free for personal use. A good firewall is no luxury
  • Latest information about the fight against fraud & white-collar crime

Windows 2000 Professional On Site

Using real-world scenarios, Windows 2000 Professional On Site will guide intermediate to advanced users, network professionals, system engineers, IS/IT managers, system administrators, programmers, and consultants through day-to-day needs assessment, planning, deployment, configuration, and troubleshooting challenges associated with W2K Pro. It answers common questions about the new OS, assists with budgeting for W2K Pro deployment, and guides you through typical setup and admin tasks.