Sunbelt W2Knews™ Electronic Newsletter
The secret of those "who always seem to know" - Over 500,000 Readers!
Mon, Oct 8, 2001 (Vol. 6, #77 - Issue #312)
Password Strength
  This issue of W2Knews™ contains:
    • Password Policy
    • Microsoft Unveils New Security Initiative
    • Forget W2K Service Pack 3 In 2001
    • Veritas Manage Exec Scared By MOM
    • Free Hotfix Management ROI Calculator
    • New Security Tool Now Supports RollOut Patches
  5. W2Knews 'FAVE' LINKS
    • This Week's Links We Like. Tips, Hints And Fun Stuff
    • Viruses Revealed
Need to ensure that your Active Directory deployment has a positive
bottom-line impact on your business critical applications? Get the
expert advice you need now during NetIQ's FREE audiocast, "Active
Directory Advantages: Exploring AD, an Essential IT Asset." Register
today and you'll receive a free Windows security white paper.
Visit NetIQ for more information.

Password Policy

Hi All,

Here are the results of the last SunPoll. Double votes have been eliminated of course. It looks like the golden 80-20 rule strikes again. We will see how the NetCraft surveys over time reflect this choice. For the moment, IIS is still going up but Gartner's advice is only a few weeks old. If I were you I would do some research on the total cost of switching over before actually doing the switch. You might be surprised by hidden cost factors. Another remark is that when admins do not manage their IIS well, what makes Gartner think they will manage another web server better? To illustrate the point, over the same time frame of about a month, 16 holes were found in IIS and 13 in Apache.

So, here are the numbers after your 1405 votes were counted.

Q: Are you going to do what Gartner proposes and trash your IIS?

  • Yup! Moving away to another one: 19%
  • Seriously thinking about it: 16.65%
  • Not so likely: 23.7%
  • No Way! We standardized on IIS and like it, holes and all: 40.64%
And since we are getting forced to pay more attention to security, here is another issue: password strength. After all the security measures you took to make your network impenetrable, there is one liability that could still undermine your entire operation.

It's your users' passwords. Simply put, passwords are the weakest link that hackers prey upon. Passwords are also the most neglected security hole. Hackers use "dictionary attacks" to compare common words from several wordlists against weak passwords to crack them. L0phtcrack is a good example of a Target Award-winning password cracking tool that administrators often also use to test the strength of their users' passwords. We run this in house regularly and even here people get caught red-handed with passwords even the company dog could guess. [grin] This SunPoll asks how you are handling the password strength issue in your org.
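To make the "company dog could guess it" problem concrete, here is an added example that is not part of the newsletter or of any product it mentions: a small policy checker of the kind a strong password policy enforces at password-change time. It applies the usual rules (minimum length, three of four character classes, no user name inside the password) and then does what a dictionary-attack tool does in reverse: it undoes common letter-for-symbol swaps and tests the result against a wordlist, so a disguised dictionary word still fails. The wordlist and the sample accounts are constructed for the example; a real deployment would load a large list from disk.

```python
import re

# Constructed sample wordlist: a stand-in for the "several wordlists" a
# dictionary attack (or an auditor's cracking run) works through.
COMMON_WORDS = {
    "password", "welcome", "letmein", "qwerty", "admin", "summer",
    "sunbelt", "windows", "monday", "dragon", "football",
}

# Substitutions users apply to "disguise" a dictionary word. The checker
# undoes them before the lookup, so P@ssw0rd is still rejected.
LEET_MAP = str.maketrans({"@": "a", "0": "o", "1": "l", "3": "e",
                          "$": "s", "5": "s", "!": "i", "7": "t"})


def normalize(password):
    """Lower-case the password and undo common letter-for-symbol swaps."""
    return password.lower().translate(LEET_MAP)


def dictionary_hit(password, wordlist=COMMON_WORDS):
    """Return the dictionary word a password is built on, or None.

    Both the whole normalized string and each run of letters inside it are
    tested, so Summer2001! is caught through its "summer" component.
    """
    base = normalize(password)
    candidates = [base] + re.findall(r"[a-z]+", base)
    for word in candidates:
        if word in wordlist:
            return word
    return None


def check_password(password, username="", min_length=8, wordlist=COMMON_WORDS):
    """Return the list of policy violations; an empty list means it passes.

    The rules mirror a typical strong-password policy: minimum length,
    three of four character classes, no user name inside the password,
    and no dictionary word (even when disguised). A blank password fails
    on the first two rules.
    """
    problems = []
    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    classes = (
        re.search(r"[a-z]", password) is not None,
        re.search(r"[A-Z]", password) is not None,
        re.search(r"[0-9]", password) is not None,
        re.search(r"[^A-Za-z0-9]", password) is not None,
    )
    if sum(classes) < 3:
        problems.append("fewer than three character classes")
    if username and username.lower() in password.lower():
        problems.append("contains the user name")
    word = dictionary_hit(password, wordlist)
    if word is not None:
        problems.append("based on the dictionary word '%s'" % word)
    return problems


if __name__ == "__main__":
    # Constructed sample accounts, the kind of thing an in-house audit turns up.
    for user, pw in [("administrator", ""), ("stu", "P@ssw0rd"),
                     ("jane", "Summer2001!"), ("bob", "W2Knews!Vol6")]:
        verdict = check_password(pw, username=user) or ["OK"]
        print("%-14s %-14s %s" % (user, repr(pw), "; ".join(verdict)))
```

The same function doubles as an audit check over an exported account list: a blank administrator password trips the length and character-class rules, and "password" set at a helpdesk reset trips the dictionary rule.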

And here is the NEW SunPoll:

As you know, passwords are very important to network security. In your company have you implemented:

  • Strong password policy, enforced by AD and Group Policy
  • Strong password policy, implemented via the NT Resource Kit
  • Written policy about password strength
  • No written policy and no additional tools implemented
  • We do not use passwords at all for our users
Vote in the leftmost column, scroll down a bit. You will quickly see how your colleagues are approaching this problem:

And some good news from High Tech for a change: Both Cisco and Dell told Wall Street their quarters are going to look good. Share prices went straight up.

UNDO Dept. We had a little error in the NT4.0 retirement article, but all the correct termination dates are in the table at the end.

Warm regards,

Stu Sjouwerman
(email me with feedback: [email protected])

  SPONSOR: Vulnerability Is Over!
In order to thoroughly protect your network from cyber crime,
traditional security measures such as firewalls and intrusion
detection systems are not enough. Retina, the Network Security
Scanner, prevents penetration of your networks by scanning,
monitoring, alerting, and automatically fixing network security
vulnerabilities with a touch of a button. Protect your data with
the best digital security solution. Free 15-day trial available at:
Visit Vulnerability Is Over! for more information.

Microsoft Unveils New Security Initiative

About time... and it could be better, but this is at least a start. It's called "STPP" (Strategic Technology Protection Program), and if you are a MS customer in the U.S. you can get free, virus-related tech support if you call 1-866-PC SAFETY.

If you are a system or a network admin, they also threw all the existing tools together on a CD. This free kit has a bunch of security guides, product updates, and tools for protecting NT/W2K. Most of these were already available via downloads, but it's nice to have it all together:

  • Latest Service Packs for OS, IIS, and IE.
  • Security Checklists for NT, W2K, and IIS.
  • A W2K-SP2 Deployment guide (Run AD? read the Update.msi section)
  • An NT 4.0-SP6a Deployment guide for SMS.
  • IE Deployment guides.
  • Several individual Hotfixes required for NT 4.0 Terminal Server
  • IIS Lockdown Tool
  • URLScan
  • HFNetchk
  • Critical Update Notification 3.0
  • QChain
Their website claims that the STPP "represents an unprecedented mobilization of Microsoft's people and resources." From my perspective, MS has been pinched by first Code Red, next Nimda, woke up and realized they have not made it easy enough to patch systems, and for sure have not insisted enough to get users to actually do it.

MS also promised a series of "security readiness events" for its users, will create auto-update functionality via Windows Update, and will produce bi-monthly product roll-up patches. It is also a good idea to have security consultants help you secure your networks. I'm sure that MS is going to push that idea as well. More information on the Microsoft Strategic Technology Protection Program is at

And from our perspective, sitting in the trenches ourselves, I have the following suggestions:

  • Impress on all your users under the pain of death by torture that they only open up attachments THEY ASKED FOR. If they get one from someone they know but did not ask for, send an email back to check what it is. Violation is asking for a pink slip.
  • Religiously patch all your systems. Servers of course are much more important than workstations, but still. Security is more important than the inevitable downtime that patching your systems generates.
  • Monitor your systems for normal performance. Establish a baseline, and program in alerts so that you get warned if things start to peak suddenly. Good chance these machines are being hit by something, or worse, are already infected and are now trying to penetrate other machines. A good tool to set this kind of thing up is ELM. For instance, you can make ELM ping you if CPU is over, say, 75% for 3 minutes or if RAM utilization gets over 1Gig. Over at:
  • If you have people working from home or hotels, make sure that they use personal firewalls on their machines. Especially if they have either a cable modem or DSL. Make sure that these firewalls also stop hackers from getting out of that machine into your corporate systems, by using something like ZoneAlarm.
  • You should start looking at your own firewalls and make them block traffic that uses spoofed IP addresses. You can do that with the so-called egress and ingress filtering.
  • Enlighten your management that budgets should be made available with high priority for two flashpoint areas: Security and High Availability.
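The "75% CPU for 3 minutes, or RAM over 1 Gig" rule from the monitoring suggestion above is easy to get subtly wrong: a naive threshold pages you on every brief spike. This added example (not code from the newsletter or from ELM) shows the sustained-threshold logic such an alert should implement, run over a constructed series of 30-second samples. The spike at 09:01:00 resets the clock; the alert fires only once the load has stayed high for the full three minutes.

```python
from datetime import datetime, timedelta

# Constructed sample series: one reading every 30 seconds of
# (timestamp, CPU utilization %, RAM in use in MB), as a monitoring
# agent would hand to an alerting rule.
SAMPLES = [
    (datetime(2001, 10, 8, 9, 0, 0), 20, 512),
    (datetime(2001, 10, 8, 9, 0, 30), 35, 600),
    (datetime(2001, 10, 8, 9, 1, 0), 90, 640),    # brief spike, must not alert
    (datetime(2001, 10, 8, 9, 1, 30), 30, 700),
    (datetime(2001, 10, 8, 9, 2, 0), 80, 800),    # sustained load starts here
    (datetime(2001, 10, 8, 9, 2, 30), 85, 900),
    (datetime(2001, 10, 8, 9, 3, 0), 88, 950),
    (datetime(2001, 10, 8, 9, 3, 30), 92, 1000),
    (datetime(2001, 10, 8, 9, 4, 0), 95, 1100),   # RAM crosses 1 GB here
    (datetime(2001, 10, 8, 9, 4, 30), 91, 1150),
    (datetime(2001, 10, 8, 9, 5, 0), 89, 1200),   # CPU high for 3 minutes now
    (datetime(2001, 10, 8, 9, 5, 30), 90, 1250),
]

# (rule name, column index into a sample, threshold, how long it must persist)
RULES = [
    ("CPU over 75% for 3 minutes", 1, 75, timedelta(minutes=3)),
    ("RAM over 1 GB", 2, 1024, timedelta(0)),
]


def first_sustained_breach(samples, column, threshold, duration):
    """Return the timestamp at which the metric has stayed above
    `threshold` for at least `duration`, or None if it never does.

    A single reading at or below the threshold resets the clock, so a
    short spike does not page anyone; only a run of readings does.
    """
    run_started = None
    for sample in samples:
        ts, value = sample[0], sample[column]
        if value > threshold:
            if run_started is None:
                run_started = ts
            if ts - run_started >= duration:
                return ts
        else:
            run_started = None
    return None


def evaluate_rules(samples, rules=RULES):
    """Map each rule name to the time it first fired (None means quiet)."""
    return {name: first_sustained_breach(samples, col, thr, dur)
            for name, col, thr, dur in rules}


if __name__ == "__main__":
    for name, fired in evaluate_rules(SAMPLES).items():
        when = fired.strftime("%H:%M:%S") if fired else "no alert"
        print("%-28s %s" % (name, when))
```

Set the duration to zero for metrics where a single crossing already matters (the RAM rule above), and keep it non-zero for noisy ones like CPU so that the baseline you established, not a momentary blip, decides when you get paged.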
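Egress and ingress filtering, mentioned in the firewall suggestion above, comes down to two source-address checks at the border. This added example (not from the newsletter and not a real firewall's configuration syntax) expresses both rules as plain functions and runs them over constructed sample traffic: inbound packets may not claim one of our own addresses or a private/reserved one, and outbound packets must carry one of our addresses. The address block 192.0.2.0/24 is RFC 5737 documentation space chosen so the example points at nobody; substitute your own assigned range.

```python
import ipaddress

# Constructed: the address block assigned to our network (documentation space).
OUR_NET = ipaddress.ip_network("192.0.2.0/24")

# Source ranges that have no business arriving from the Internet side:
# private and reserved space (a subset of the usual "bogon" list).
RESERVED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
)]


def ingress_verdict(src):
    """Decide on a packet arriving from the Internet side.

    Ingress filtering: a packet from outside must not claim one of our
    own addresses (the classic spoof) nor a private/reserved one.
    """
    ip = ipaddress.ip_address(src)
    if ip in OUR_NET:
        return "drop: outside packet claims one of our addresses"
    if any(ip in net for net in RESERVED_NETS):
        return "drop: private or reserved source address"
    return "accept"


def egress_verdict(src):
    """Decide on a packet leaving towards the Internet.

    Egress filtering: anything we send must carry one of our addresses;
    otherwise an infected inside host is spoofing somebody else's.
    """
    ip = ipaddress.ip_address(src)
    if ip not in OUR_NET:
        return "drop: outbound packet with a source address that is not ours"
    return "accept"


def filter_packets(packets):
    """Apply the matching rule to (direction, source, destination) tuples."""
    verdicts = []
    for direction, src, dst in packets:
        if direction == "in":
            verdict = ingress_verdict(src)
        elif direction == "out":
            verdict = egress_verdict(src)
        else:
            raise ValueError("direction must be 'in' or 'out'")
        verdicts.append((direction, src, dst, verdict))
    return verdicts


# Constructed sample traffic as a border router would see it.
SAMPLE_PACKETS = [
    ("in", "198.51.100.7", "192.0.2.25"),    # ordinary inbound web request
    ("in", "192.0.2.10", "192.0.2.25"),      # spoofed: claims to be inside
    ("in", "10.1.2.3", "192.0.2.25"),        # spoofed: private source
    ("out", "192.0.2.10", "198.51.100.7"),   # ordinary outbound
    ("out", "203.0.113.5", "198.51.100.7"),  # spoofed: not our address
]

if __name__ == "__main__":
    for direction, src, dst, verdict in filter_packets(SAMPLE_PACKETS):
        print("%-3s %-15s -> %-15s %s" % (direction, src, dst, verdict))
```

The egress rule is the one most shops forget, and it is the one that stops a worm-infected box on your LAN from taking part in spoofed-source attacks on other people; logging its drops also tells you which internal host is infected.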

Forget W2K Service Pack 3 In 2001

With the whole new STPP going on, and the massive resources that MS is throwing into the security fray, this also means that W2K Service Pack 3 will very likely not make it out the door this year. Well, that's one thing less to worry about and deploy in the usually hectic Q4. Just as well.


Veritas Manage Exec Scared By MOM

It looks like high-end tools vendor Veritas is departing the segment of applications monitoring. They have started talking to NetIQ, and agreed to migrate the current Manage Exec installed base to NetIQ's suite of tools. This is of course a very interesting development.

There was no public policy statement for Veritas' move to terminate Manage Exec. It is also still on their website, and has not been moved yet to the section "discontinued products". It looks like the real reason why Veritas decided to drop it was not wanting to compete with Microsoft Operations Manager (MOM). For people new to W2Knews, NetIQ sold some code to MS, which slapped its label on it and called it MOM.

NetIQ announced that together with Veritas they started to warn the existing Manage Exec users about the migration and how this thing will go down. There is also one other loose end that is not clear: Manage Exec is a multi-platform (read NetWare) health monitor, and NetIQ only runs on Windows. Is somebody going to be left in the lurch? Source: Client Server News, a paid-for zine that I recommend BTW:

Free Hotfix Management ROI Calculator

A humongous amount of you downloaded UpdateEXPERT in the last few weeks. Just as a reminder, this was the header of that article:

"Been hit by viruses lately? Need to keep IIS up to snuff? The new version 5.1 of UpdateExpert adds a tremendous amount of value to overworked and underpaid system- and security administrators. Just ask yourself if any of these statements apply to you. Microsoft just released the latest security hotfixes for IIS and W2K but unfortunately...

  • I don't have time to write scripts and test them.
  • I'm too busy cleaning up after Nimda.
  • I need to know if the hotfix installations I deployed last month are still valid.
  • Since Microsoft's updates are not regular, I am forced to reprioritize my day, as well as figure out which ones apply to my machines.
  • I need to define what hotfixes are required and detect what machines conform to my policies".
You now are probably looking at what the cost is, and how you can get budget. Well, we just put up a Return On Investment Calculator that will help you get budget approval for UpdateEXPERT. It's for free and now sits in the section White Papers, Documents and Other files. You don't even have to fill out a form [grin].

New Security Tool Now Supports RollOut Patches

As you all know, Microsoft developed some security tools together with Shavlik. As part of their relationship with the security teams at Microsoft they came out with a new release of the Shavlik Admin Suite. Here are some key points of the new code:

The two most critical needs in security are strong passwords and keeping all systems up to date with critical security patches. All the systems that were well patched and used strong passwords were not affected by either the Code Red or the Nimda attacks.

The problem is of course how to find the machines with weak passwords and missing patches. For example, test servers under the desks of your key software development team are just as critical to security as those running your business critical systems. How do you find these systems? How do you know if they are properly patched?

Do they have Everyone in the Administrators group? Do they have a blank administrator password? How do you know? You can easily find out by running the new Shavlik AdminSuite, which provides the full set of tools needed to find those machines that are not secure, no matter where they are.

Security is also time sensitive. You must get the latest patches as soon as they are out, because the entire world knows how to break into systems the moment a security patch is released. HfNetChkPro is tied DIRECTLY into Microsoft's security teams to provide up-to-date security information to all Shavlik and Microsoft customers using the Shavlik security tools.

You must also always be on the lookout for new admin accounts that have passwords added in as a result of someone installing a new application, or for a password set to "password" and then never changed after a user requested an account reset because a password was forgotten. The list goes on and things happen every day. They happen 5 minutes after your last, and expensive, security audit. This is why Shavlik Technologies created the AdminSuite - it allows everyone to easily, and often, check for security problems in real time from one central location.

Security is more about the people using the technology and less about the technology itself. As a result there is no "set and forget" in the security world. Tools in the Shavlik Technologies' AdminSuite are here to help.

Shavlik has released version 3.2 of its well-known HfNetChkPro that includes the following updates:

  1. Full support for command line file input, see the -? help for more information
  2. 100% support of Microsoft's rollout patches for IIS and all other HfNetChkPro supported platforms in both the GUI and the command line
  3. Added support to clearly identify systems that cannot allow checking due to tight security settings, in both the GUI and the command line
  4. Command line patch history reporting
  5. The command line ability to not check for patches that have no information that can be scanned
  6. The command line -nosum flag that prevents the checking of files

This Week's Links We Like. Tips, Hints And Fun Stuff

  • Here is a great Swiss Army Knife for system admins. Really, check it out. It's the ultimate cybertool.
  • Into Home Automation? This puppy is pretty cool. Drives all your X-10 gear.
  • The Microsoft Windows Online Crash Analysis site looks pretty handy to plug into your favorites list...

Viruses Revealed

Defend your system against the real threat of computer viruses with help from this comprehensive resource. Up-to-date and informative, this book presents a full-scale analysis of computer virus protection. Through use of case studies depicting actual virus infestations, this guide provides both the technical knowledge and practical solutions necessary to guard against the increasing threat of virus attacks. From the publishers of "Hacking Exposed". Here's a link to it: