Sunbelt W2Knews Electronic Newsletter
The secret of those "who always seem to know" - Over 500,000 Readers!
Mon, Sep 3, 2001 (Vol. 6, #67 - Issue #302)
Security Survey Results
This issue of W2Knews contains:
- EDITORS CORNER
- TECH BRIEFING
- More on the 1311 Error During Install
- Security Survey Results
- NT/2000 RELATED NEWS
- New Internet Worm Masquerades as MS Tech Support Email
- "Lost & Found" Your MCSE
- NT/2000 THIRD PARTY NEWS
- Oh Yeah! I Think I'm In Love...
- I Have A Hole In IIS, But Cannot Reboot After The Fix
- W2Knews 'FAVE' LINKS
- This Week's Links We Like. Tips, Hints And Fun Stuff
- PRODUCT OF THE WEEK
- Windows 2000 Professional On Site
ALTIRIS COMPLIANCE TOOLKIT
Do you know how many unused software licenses you're paying for? How
will you project future software needs within your organization? With
Altiris Compliance Toolkit, use pre-built web reports to analyze where
software is installed and how often it's used. Make informed business
decisions, know where to harvest unused licenses and how many licenses
you really need. Instant ROI. Download a free, trial copy of Compliance
Toolkit now at:
Visit Altiris for more information.
EDITORS CORNER
Sunbelt Security Survey
First, I'd like to thank all of you that participated in this survey.
It's great to be able to now give you back the results, and they are
definitely interesting. We have the percentages in the Tech Briefing.
It's 9 questions that cover a good chunk of the current problems and
we'll have a few graphs on the website that make it a bit easier to
see. So, in a nutshell, what are the highlights?
Malicious code infections were by far the biggest security headache.
Organizations are currently focusing most on security and availability
for Web site and/or e-commerce operations, strengthening the network
perimeter to prevent external attacks, and messaging/e-mail security.
The biggest problem with security was the lack of employee training
and end-user awareness: This was where the pain hit home. The real
problems are still at the (early) stages of educating the end-users.
This was followed by lack of internal security policies, management
buy-in and lack of security tools.
The biggest internal security breach was very interesting to see:
a whopping 78.9% mentioned installation/use of unauthorized software
as the number one culprit. As for external attacks, the pain is in
attacks on bugs in Web servers. A very high 75.8% rated this in the
"3 to 5" band on the headache scale. Read all about it in the Tech
Briefing. There is work to do in this area. A lot of work!
And here is the new SunPoll, of course about security
Question: Would your network itself - regardless of policies and procedures - pass a security audit?
You can vote at the Sunbelt site, in the leftmost column. Look for
the SunPoll bar. Let's see how confident everybody really is.
- Nope, I cannot keep up with all the fixes
- I'm trying but I'm not so sure
- Pretty well protected if I say so myself
- We're watertight. Hackers: bring it on!
(email me with feedback: [email protected])
SPONSOR: Intense School
IT Boot Camps for as low as $33/month!*
Windows 2000 MCSE in 14 Days as low as $54/mo*
MCDBA in 14 Days as low as $56/mo*
MCSD in 14 Days as low as $54/mo*
CCNA/CCDA in 6 Days as low as $33/mo*
CCNP in 16 days as low as $89/mo*
A+, N+, MCP in 12 days as low as $48/mo*
Visit Intense School for more information.
TECH BRIEFING
More on the 1311 Error During Install
A few people responded that they had seen this already, and one of you
sent me this. Very useful, and this registry change is indeed another,
much faster way to solve the problem. Here goes:
"I was recently involved with Microsoft PSS in a report of the 1311 error.
In fact, at the time, my trouble call was the only recorded instance
of the error to MS. I actually reported the work-around and cause to MS
myself, as they did not have an answer for me. What I found was that my
error was caused by a security policy labeled 'Restrict CDROM access to
locally logged on user only'. Turns out that the 'SYSTEM' account does
not run under the context of 'INTERACTIVE' and therefore is not considered
locally logged on.
This blocks the installation from the CD-ROM when the policy is set. The
policy is controlled in the following registry key:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. There is a
value 'AllocateCDRom' which if set to '1' will cause this problem. Set
it to '0' to resolve the problem.
BTW, another workaround that is much more convenient than copying all of
the files to the hard disk is sharing the CD-ROM (I am surprised they didn't
give you this workaround) and accessing it through the share instead (i.e.
\\Computer\CDshare). Since the network drive is not treated as a CD-ROM, the
access restriction does not apply. Hope you find this information useful.
-- Michael Hall, Consultant, Windows and Messaging Practice, COMPAQ.
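The following PowerShell is an added example, not part of the newsletter and not code from Microsoft PSS or the reader quoted above. It audits the setting the reader traced the 1311 error to and, optionally, changes it. The reader calls the value 'AllocateCDRom'; the name Windows actually stores under the Winlogon key is AllocateCDRoms (a REG_SZ holding "1" or "0"), which is what the script reads. The key path is the one given in the quote; the function names are this example's own.

```powershell
# Added example: audit the "Restrict CD-ROM access to locally logged on user only"
# policy behind the 1311 installer error. Assumption: the setting is the REG_SZ
# value AllocateCDRoms under Winlogon, "1" = restricted, "0" or absent = not.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ValueName   = 'AllocateCDRoms'

function Get-CdRomAllocationPolicy {
    # Returns an object (Present / Restricted / RawValue) so the result can be
    # logged or compared across machines rather than only printed.
    $prop = Get-ItemProperty -Path $WinlogonKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        return [pscustomobject]@{ Present = $false; Restricted = $false; RawValue = $null }
    }
    $raw = [string]$prop.$ValueName
    [pscustomobject]@{ Present = $true; Restricted = ($raw.Trim() -eq '1'); RawValue = $raw }
}

function Set-CdRomAllocationPolicy {
    # Writes "1" (restricted) or "0" (unrestricted). Requires an elevated shell.
    param([Parameter(Mandatory)][bool]$Restricted)
    $newValue = if ($Restricted) { '1' } else { '0' }
    Set-ItemProperty -Path $WinlogonKey -Name $ValueName -Value $newValue -Type String
    Get-CdRomAllocationPolicy
}

$policy = Get-CdRomAllocationPolicy
if (-not $policy.Present) {
    Write-Output 'AllocateCDRoms is not set: CD-ROM access is not limited to the interactive user.'
}
elseif ($policy.Restricted) {
    Write-Output 'AllocateCDRoms = 1: SYSTEM (not INTERACTIVE) is denied the local CD-ROM, the 1311 condition.'
}
else {
    Write-Output "AllocateCDRoms = $($policy.RawValue): no interactive-only restriction in force."
}
```

`Set-CdRomAllocationPolicy -Restricted $false` reproduces the reader's fix. Since the setting is a hardening control (it keeps anyone who is not logged on at the console away from the drive), re-running it with `-Restricted $true` after the install, or using the CD-ROM share workaround from the quote, keeps the restriction in place for everything other than the one installation.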
Security Survey Results
Early August 2001, Sunbelt Software did a survey with security as its
only focus. The survey resulted in some very interesting conclusions
regarding the general security posture of companies and the areas that
need to be addressed. There were 549 respondents.
Here are the results in percentages. As you will see, it's clear
there is a lot of work to do. Sunbelt can help you if you guys
simply do not have the time to do it, so here is a shameless plug
for our Security Consulting Services [grin].
- What job title or category best describes your current position?
- Administrator/Operator 48.9%
- Consultant 14.5%
- Unit/Department/Division Manager 13.4%
- Engineer 12.6%
- Auditor 0.4%
- CEO/CIO/CTO/CFO/President/Principal 6.6%
- Developer 2.2%
- Chief Security Officer 1.5%
- How many total worldwide employees are in your entire organization?
(full-time, part-time and contract)
- 0-100 32.4%
- 100-500 20.9%
- 500-1000 11.2%
- 1000-10,000 20.9%
- 10,000-50,000 9.0%
- 50,000+ 5.7%
- Has your budget for infosecurity for the year 2001 been cut or
frozen due to economic slowdown?
- Yes 34.8%
- No 47.4%
- Do not know 17.8%
- Tell us the headache-ratio regarding these infosecurity-related
(1= no problem, 5=huge headache)
- Physical security was not seen as a major problem, 87% rated
this from 1 to 3.
- Electronic exploits/tools which include cracking, eavesdropping,
spoofing, rootkits and the like were seen as a bit more urgent,
81.5% rates these from 2 to 4 on the headache scale.
- Malicious code infection (e.g., viruses/Trojans/worms/ hostile
Java or ActiveX) was by far the most impinging on security, a
whopping 84.8% rated this from 3 to 5, which is the highest of
all five areas.
- Loss of privacy/confidentiality (e.g., abuse/misuse of data)
was not a main cause of worry with 60.9% rating this between
2 and 3.
- System unavailability (e.g., denial-of-service, natural disasters,
power interruptions, bugs) were rated between 2 and 3 by 55.8%.
- Please tell us how important these items are in your organization?
(1=Not at all important; 3=Moderately important; 5=Very important.)
- Preventing employees/insiders from abusing access rights:
This was rated relatively high, with a vast majority of 76.9% rating
this between 3 and 5.
- Securing remote access for traveling employees/telecommuters/
remote offices: A very interesting high percentage of 36% rated
this with a 5, compared to only 23% that rated it a 4.
- Security and availability for Web site and/or e-commerce operations:
A large number of respondents gave this a 5: 38.7%! The answers to
this one went up gradually from just 7.5% that gave it a 1.
- Strengthening the network perimeter to prevent external attacks:
A similar "organpipe" pattern as the earlier question showed here
except for the fact the differences were even more extreme. Only
1.8% gave this a 1, where 49.1% decided this was very important
and gave it a 5.
- Messaging/e-mail security: Also a high-priority area, with 93.4%
rating this from 3 to 5.
- Centralized management/correlation of security policy/controls/alert
data: The spread was weighted heavily from 3 to 5 with a combined
84.8 percentage points.
- Tell us to what degree these items prevent you from achieving adequate
(1=Not a problem 3= Bit of a headache 5=Huge obstacle.)
- Budget constraints: This does not seem to be the biggest problem
here. 31.1% rated this a 3, and that was the most common vote. In
its totality the votes were weighted from 3 to 5, but money is not
the problem here!
- Lack of management support/buy-in: 85% rated this between 1 and 4,
with 5 being mentioned significantly lower. It's an issue, but not
where "it breaks".
- Lack of employee training/end-user awareness: This was where the
pain hit home! 88% indicated this in the 3 to 5 band, meaning that
the real problems are still at the (early) stages of educating the
end-users.
- Lack of competent infosecurity personnel: if you imagine a bar
chart with 5 columns, with the amount of votes indicating the
height of each column, this looked like a pyramid. 31% rated this
a 3, and it dropped off toward both sides with 11.3% indicating a 1
and 12.9% rating it a 5.
- Lack of internal security policies: Leaning very strongly toward
the 3-5 range, with 73% rating in that band. This is an area
that definitely needs to be addressed, and of course directly
relates to educating the end-users.
- Technical challenges/complexity of products: Another pyramid
distribution (or bell curve if you insist) with 35% pegging the
3, and dropping off toward both extremes.
- Lack of security (software) tools: Practically identical, 32.7%
indicated a lack of tools at 3, 26.5% gave this a 4, and 10.8% a 5.
That means that just under 70% need more tools to get the job done.
- Which of the following INTERNAL security breaches occurred in
the past 12 months?
(Check all that apply)
- Installation/use of unauthorized software 78.9%
- Abuse of computer access controls 41.9%
- Installation/use of unauthorized hardware/peripherals 41.0%
- Use of company computing resources for illegal or
illicit communications or activities 36.4%
- Physical theft, sabotage or intentional destruction
of computing equipment 33.6%
- Use of company computing resources for personal profit 27.3%
- Other 16.5%
- Electronic theft, sabotage or intentional destruction or
disclosure of proprietary data 12.3%
- Fraud 4.0%
The numbers speak for themselves. There is an immense amount
of work to do here.
- Which of the following EXTERNAL attacks occurred in the
past 12 months?
(Check all that apply)
- Viruses/Trojans/worms Attacks related to
insecure passwords 64.2%
- Attacks on bugs in Web servers 56.7%
- Buffer-overflow attack 33.5%
- Denial-of-service attack 30.5%
- Exploits related to active program scripting /
mobile code 24.9%
- Attacks related to protocol weaknesses 21.1%
- Other 14.5%
- Please rate these external security breaches. Which do you consider
to be the most serious?
(1=relatively light, 5=caused me downtime!)
- Denial-of-service attack: Was not seen as such a big deal. 28%
rated this a 3, and that was the highest score. It sloped down
to both sides with 17.2% rating it a 1, and 16.9% gave it a 5.
- Buffer-overflow attack: A very similar middle of the road
distribution with 28.5% giving it a 3.
- Attacks on bugs in Web servers: Now here is where the pain is!
A whopping 75.8% voted in the 3 to 5 band. Keep in mind that most
of these kinds of attacks make use of buffer overflow exploits.
There is a relatively large "situation" in this area, which has
been shown recently with the Code Red attack, which is a prime
- Exploits related to active program scripting/mobile code:
This was indicated as less severe, but still 55.1% gave this
a rating in the 3 to 4 band.
- Viruses/Trojans/worms Attacks related to insecure passwords:
An area that certainly hurt a lot. We'll give you the numbers
for all the votes, and you'll see they are steadily climbing
to the 5-pain level: 1 - 10.0%; 2- 13.5%; 3- 21.3%; 4- 26.5%;
5 - 28.7%.
- Attacks related to protocol weaknesses: Not perceived as a
problem. 70.3% voted in the 1-3 band.
NT/2000 RELATED NEWS
New Internet Worm Masquerades as MS Tech Support Email
This puppy looks like an e-mail from MS Technical Support. The new
worm named [email protected] totes around a nasty payload that
renders .exe's unusable by encrypting them with a random key. This
thing will not hurt you if you stop .exe's from proliferating and
most of you do. But this one is interesting...
The worm first verifies that an Internet connection is available
and if a connection is established it searches for all files starting
with the extension ".ht*" in the My Documents folder. It then extracts
the e-mail addresses from within the files and sends the following
message that starts like this:
From: "Microsoft Support" [email protected]
Subject: Invalid SSL Certificate
Microsoft Corporation announced that an invalid SSL certificate
that web sites use is required to be installed on the user computer
to use the https protocol. During the installation, the certificate
causes a buffer overrun in Microsoft Internet Explorer and by that
"This new worm attempts to use social engineering to again trick users
into opening its attached file. Casual Internet users are at most
risk for Invalid's damaging retaliation," said Steven Sundermeier,
Product Manager at Central Command, Inc. "At this time, we've
received one report of this new worm, but Central Command is
monitoring this worm's activity very closely."
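As an added example (not from the newsletter or from Central Command), here is a mail-gateway style check in PowerShell for the lure described above. A message is flagged when it claims to come from "Microsoft Support" with the "Invalid SSL Certificate" subject, or when it carries an executable attachment at all, which is the editor's point that stopping .exe's from proliferating makes this worm harmless. The sample message, its sender address and its attachment name are constructed for the example (the worm's real address is not reproduced), the list of executable extensions beyond .exe is an assumption, and the function name is this example's own.

```powershell
# Added example: flag mail matching the "Microsoft Support" / "Invalid SSL
# Certificate" lure or carrying an executable attachment. Sample data is
# constructed; the extension list beyond .exe is an assumption.
$ExecutableExtensions = @('.exe', '.com', '.scr', '.pif', '.bat', '.vbs')

function Test-SuspiciousMessage {
    param([Parameter(Mandatory)][string]$RawMessage)
    $reasons = @()

    # Pull the From and Subject header values (first match at a line start).
    $from    = [regex]::Match($RawMessage, '(?m)^From:\s*(.+)$').Groups[1].Value.Trim()
    $subject = [regex]::Match($RawMessage, '(?m)^Subject:\s*(.+)$').Groups[1].Value.Trim()
    if ($from -match 'Microsoft Support' -and $subject -match 'Invalid SSL Certificate') {
        $reasons += 'sender/subject match the "Microsoft Support" SSL certificate lure'
    }

    # Collect attachment file names from Content-Disposition headers in the body.
    $attachments = @(
        [regex]::Matches($RawMessage, '(?mi)^Content-Disposition:\s*attachment;.*?filename="?([^";\r\n]+)"?') |
            ForEach-Object { $_.Groups[1].Value }
    )
    foreach ($name in $attachments) {
        $ext = [System.IO.Path]::GetExtension($name).ToLowerInvariant()
        if ($ExecutableExtensions -contains $ext) {
            $reasons += "executable attachment '$name'"
        }
    }

    [pscustomobject]@{
        Suspicious  = ($reasons.Count -gt 0)
        Reasons     = $reasons
        Attachments = $attachments
    }
}

# Constructed sample resembling the message quoted in the article.
$sample = @'
From: "Microsoft Support" <support@example.invalid>
To: someone@example.invalid
Subject: Invalid SSL Certificate
Content-Type: multipart/mixed; boundary="part"

--part
Content-Type: text/plain

Microsoft Corporation announced that an invalid SSL certificate ...

--part
Content-Type: application/octet-stream; name="sslpatch.exe"
Content-Disposition: attachment; filename="sslpatch.exe"

--part--
'@

Test-SuspiciousMessage -RawMessage $sample | Format-List
```

The attachment test is the one that matters operationally: the sender and subject of a lure change from one worm to the next, while a rule that quarantines executable attachments catches this one and its successors without an update.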
"Lost & Found" Your MCSE
Many of you are going to lose your MCSE at the end of the year. But
for some of us, this is not a laughing matter. For people that
depend on MS for their business certifications, it's a MUST.
They cannot afford a "lapse of credentials". A company like
Sunbelt is required to have certified people on board to maintain
our Partner status with MS.
For people that do not have these more stringent requirements,
there is a silver lining. If you first lose and then get your
MCSE back, it means you're then eligible for the TechNet first
year discount. I'm sure there are even people deliberately holding
off taking exams until next year for this reason.
You get no extra benefits for keeping your MCSE, and in fact are
rewarded for procrastinating on the exams. The longer people leave
them, the more chance MS will lower the pass rate (as they did with
70-210) and offer higher discounts (it's far cheaper for somebody
to take these exams now compared to earlier). MS marketing is making
an error with this disincentive. And the small "early achiever card"
doesn't really make up for it either. ;-)
(Thanks to Ed and Carol for their input on this one)
THIRD PARTY NEWS
Oh Yeah! I Think I'm In Love...
Read this and you will see exactly what I mean by "made
especially for System Admins". One of the W2Knews subscribers
downloaded Sunbelt Remote Admin and wrote the following:
"We have been using VNC for a while. It did what the previous
admins wanted it to, but we felt it was a bit buggy and insecure
for use in our production environment. We were looking at TermSvcs
on Win2k, but it has the basic limitations of terminal services.
Additionally, I wanted a secure command line product since I like
to run a lot of command scripts, but the other admins wanted a
robust GUI package. Seems like you really hit it all with Remote
Admin. I was most impressed with the speed through our VPN. It
was the smoothest and most responsive remote control solution I've
used over my DSL line (including VNC, pcAnywhere, Remotely Possible,
and others). We will definitely be purchasing a building-wide license."
That's better than I could have said it myself. Here is the 30-day
eval so you can have a look at it:
I Have A Hole In IIS, But Cannot Reboot After The Fix
Ever been there? You simply cannot reboot your web servers until
the scheduled downtime. These puppies are mission critical and
downtime costs money. But on the other hand, you are vulnerable
too. What to do while you are exposed?
SecureIIS is not for admins that don't want to ever patch their box
again. It is for admins that have to wait for scheduled downtime
to do so. We would all love to be able to take down our boxes and
apply hotfixes the day they come out, but many of us can't.
SecureIIS buys you till Saturday night when you can do the patches
and then reboot. Here is an eval. You should look at this tool.
It locks down IIS better than anything else out there. It's a whole
class in itself as it protects from known and unknown attacks.
W2Knews 'FAVE' LINKS
This Week's Links We Like. Tips, Hints And Fun Stuff
Liked that useful MSConfig tool under NT, and missed it for W2K? Look:
ZoneAlarm is still free for personal use. A good firewall is no luxury
Latest information about the fight against fraud & white-collar crime
PRODUCT OF THE WEEK
Windows 2000 Professional On Site
Using real-world scenarios, Windows 2000 Professional On Site will guide
intermediate to advanced users, network professionals, system engineers,
IS/IT managers, system administrators, programmers, and consultants
through day-to-day needs assessment, planning, deployment, configuration,
and troubleshooting challenges associated with W2K Pro. It answers
common questions about the new OS, assists with budgeting for W2K pro
deployment, and guides you through typical setup and admin tasks.