Sunbelt W2Knews™ Electronic Newsletter
The secret of those "who always seem to know" - Over 500,000 Readers!
Mon, Nov 19, 2001 (Vol. 6, #89 - Issue #324)
The Weak Security-Link: Passwords
  This issue of W2Knews™ contains:
  1. EDITORS CORNER
    • The Weak Security-Link: Passwords
  2. TECH BRIEFING
    • 70-240 Extension?
  3. NT/2000 RELATED NEWS
    • MS Releases a MUST Post-Sp6a Security Rollup For NT 4.0
    • Three Personal Firewalls Pass Stringent Security Testing
  4. NT/2000 THIRD PARTY NEWS
    • NEW! Password Bouncer Gives Stronger Password Enforcement
    • Brand New Way To Prevent Hard Disk Crashes
  5. W2Knews 'FAVE' LINKS
    • This Week's Links We Like. Tips, Hints And Fun Stuff
  6. PRODUCT OF THE WEEK
    • Exchange 2000 On Site
  SPONSOR: Altiris PC Transplant Pro
PC Transplant Pro is the easiest and most powerful migration utility
available. PCT makes transferring a PC's unique settings and files,
its personality, a quick and intuitive process. Save time and reduce
users' frustration with cross version support for 50+ applications
and OS's, including Windows 2000 and XP. For a free 30-day trial:
Visit Altiris PC Transplant Pro for more information.
  EDITORS CORNER

The Weak Security-Link: Passwords

Hi All,

As you know, passwords are very important to network security. The recent survey we did shows there is a lot left to be done in this area. The question we asked was: "In your company, have you implemented for your users..." (the percentage of responses follows each option):

  • Strong password policy, enforced by AD and Group Policy: 24.39%
  • Strong password policy, implemented via the Resource Kit: 17.19%
  • Written policy about password strength: 19.14%
  • No written policy, no additional tools, rely on NT/W2K's password functionality: 37.31%
This really means that for more than half of you, your users are very likely leaving your domains open to attack. After all the security measures taken to make your network impenetrable, that one liability could undermine your entire operation.

Simply put, passwords still are the weakest link that hackers prey upon and the most neglected security hole. Hackers often use "dictionary attacks" that compare common words from several wordlists to your users' passwords.

Publishing a stricter written company password policy does not prevent users from selecting those same vulnerable passwords. The native NT/W2K tools do not enforce restrictions on passwords that are effective enough to defeat these "dictionary attacks." Running a password cracking tool to identify the weak passwords still will not stop your users from falling back on passwords that are "easy to remember." The only answer is to enforce an effective password policy when it counts: before the password is used.

Sunbelt-Software has been looking around for a solution since we discussed this problem in October and we found another best-of-breed tool. It's called Password Bouncer and you can read about it in the third party section below. It's a powerful, low-cost solution for a real-world problem.

Warm regards,

Stu Sjouwerman (email me with feedback: [email protected])

  SPONSOR: Syngress Publishing
SAVE 45% ON ALL SYNGRESS WINDOWS 2000 TITLES
Special Offer for W2Knews Subscribers: buy now and save 45% on all
Windows 2000, .NET, and Hack Proofing titles from Syngress. Recent
releases include:
-- Windows 2000 Active Directory, Second Edition
-- VB.NET Developer's Guide
-- Configuring Windows 2000 without Active Directory
-- Hack Proofing Windows 2000 Server
To purchase Syngress titles:
Visit Syngress Publishing for more information.
  TECH BRIEFING

70-240 Extension?

Question: Is it true that Microsoft has extended the 70-240 exam? That would be great for those people who have not passed yet. But I'm an MCT, I have passed all exams (failed the 240 long ago). To keep our MCT designation for 2002, we (MCT's) must get 15 credits, passing the 240 exam gives you 15 credits for next year. So basically those that pass now don't have to do anything next year! Those of us that failed and did not get our certification for W2K before July 1st have to get the full 15 credits, I think this is unfair.

Answer: According to the current version of the MCSE FAQ, the timetable on the 70-240 exam has NOT been extended, nor do I see evidence elsewhere on the site (or in news services) that this is the case. Here is how the copy reads:

-begin quote-
Q. When does the voucher for exam 70-240 expire?

A. The voucher for the accelerated exam must be redeemed and the exam taken by December 31, 2001. Exam 70-240 will not be offered after that date. You must order your voucher using the online tool in the MCP secured site by November 1, 2001. We expect demand for this exam to be increasingly high as we approach December 31, and capacity is limited at testing centers, so register early to ensure a wider selection of testing times and test centers.
-end quote-

We're sorry that you're unhappy about the impact of recent changes in certification policy at Microsoft. We suggest you e-mail or call the MCP organization, and try to ferret out somebody with the authority to address your concerns about unfairness to MCTs who qualified under the old rules. This means e-mailing [email protected] or calling in the USA (800) 636-7544. If worst comes to worst, send a registered letter or FedEx to their address at

    Microsoft Training and Certification Programs
    PO Box 911
    Santa Clarita, CA, 91380-9011
Be sure to include your MCP ID on any and all correspondence with them. I've found this a reliable way to get answers to tough questions like yours, but they will ignore all correspondence that does not include a valid MCP ID.
-- Ed Tittel --
  NT/2000 RELATED NEWS

MS Releases a MUST Post-Sp6a Security Rollup For NT 4.0

Redmond released the replacement they had promised for NT Service Pack 7. They called it "NT 4.0 Post-SP6a Security Rollup Package (SRP)." It's a very useful 14.3MB download that gets you all the available post-NT 4.0 SP6a security updates in one go. This is a MUST update, no doubts about it. You want to do this yesterday. If you want more data, check the link below to Microsoft's website. The download is there too!
http://www.w2knews.com/rd/rd.cfm?id=111901-PostNT60

Three Personal Firewalls Pass Stringent Security Testing

Mark Joseph Edwards reported in his Security Update newsletter (which I recommend, by the way) that TruSecure announced its Internet Computer Security Association (ICSA) Labs division has awarded certification to three products under its new PC firewall certification program. The newly certified products include ZoneAlarm Pro for Windows, Tiny Personal Firewall for Windows 2000, and Norton Personal Firewall for Win2K, W2K Professional, Windows Me, and NT Workstation. Use the link below to read the full article; you will also be able to subscribe to his newsletter there:
http://www.w2knews.com/rd/rd.cfm?id=111901-FireWalls

  THIRD PARTY NEWS

NEW! Password Bouncer Gives Stronger Password Enforcement

This new tool called Password Bouncer will give you stronger password enforcement than Win2K/NT, plus extensive wordlist screening. You can automate your security policy and prevent users from picking those easy-to-hack passwords. This is something you should really check out.

After all the security measures you have taken to make your network impenetrable, one liability could undermine your entire operation: your users' passwords.

Allowing lax network logon password policies on your network is like giving a stranger the keys to the front door of your home. The logon is your network's front door, and strict logon password policy is your first line of defense. Simply put, passwords are the weakest link that hackers prey upon and the most often neglected security hole.

Microsoft and leading security authorities agree that strong network logon policy and practices are critical in today's environments. Here is a link that shows their Strong Password implementation guidelines:
http://www.w2knews.com/rd/rd.cfm?id=111901-MSonPassWords

Although it is up to your company to determine how strong your own policy needs to be, the following guidelines are suggested. Passwords must contain:

    Upper Case Letters: A, B, C
    Lower Case Letters: a, b, c
    Numerals: 1, 2, 3
    Special Character: @, #, %
Password minimum length of 6 characters, 7 and 15 characters being the strongest. Passwords must change at least every 45 days. New Passwords must not be the same as any of the last 8 passwords.

Passwords must not contain:

    The User's Name: JohnPublic
    The User's ID: jqpublic
    Repeating Sequences: AAA, 111, ***...
    Palindromes: radar, bob...
    Common Words: found in a dictionary
    Common Names: Robert, Joan, Richard...
    Company Specific Words: IBM, MQseries, Tivoli
Simply publishing your strict password policy is not enough to ensure the security of your network. Human nature dictates that users will select passwords that are easy to remember and therefore not likely to conform to a strong password policy. You can run a password cracking tool against the company passwords each month to locate the weak passwords, but this only highlights the problem and does nothing to enforce the strong policy beyond badgering the offending users.

Hackers use "dictionary attacks" that compare common words from several wordlists to crack weak passwords. PasswordBouncer actually screens user passwords at the time they are being changed to ensure that the new password conforms to PasswordBouncer's highly customizable password policy. PasswordBouncer prevents the use of weak passwords, including those that contain common words and names. Start securing your network at the first line of defense. Download and install a trial copy of PasswordBouncer, and start making life very difficult for the bad guys:
http://www.w2knews.com/rd/rd.cfm?id=111901-PasswordBouncer
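The Editor's Corner and the Password Bouncer section both make the same point: a written policy does nothing unless a candidate password is screened at change time, before it is ever used. The script below is an added example (it is not Password Bouncer's code, and nothing here is taken from that product) of such a change-time screen. It applies the composition rules and the "must not contain" list given above to a candidate password and returns every violation it finds. The wordlists are small constructed samples, the password history is kept as unsalted SHA-256 fingerprints purely so the example holds no plaintext (a real store would use a salted, slow hash), and the function names are this example's own.

```python
"""Change-time password screen: added example, not Password Bouncer's code.
Applies the composition rules and the "must not contain" list from the article."""
import hashlib
import re

# Constructed sample wordlists; a real deployment loads full wordlists from files.
COMMON_WORDS = {"password", "welcome", "summer", "secret", "letmein"}
COMMON_NAMES = {"robert", "joan", "richard", "john"}
COMPANY_WORDS = {"ibm", "mqseries", "tivoli"}

MIN_LENGTH = 6        # article: minimum of 6 characters
HISTORY_DEPTH = 8     # article: not the same as any of the last 8 passwords


def password_fingerprint(password: str) -> str:
    """Unsalted SHA-256 hex digest so the history holds no plaintext.
    (Assumption for this example only; a real store uses a salted, slow hash.)"""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def has_repeating_sequence(password: str, run: int = 3) -> bool:
    """AAA, 111, ***: the same character `run` or more times in a row."""
    return re.search(r"(.)\1{%d,}" % (run - 1), password) is not None


def palindrome_words(password: str, min_len: int = 3) -> list:
    """Alphabetic runs of at least min_len letters that read the same backwards
    (radar, bob), compared ignoring case."""
    words = re.findall(r"[A-Za-z]+", password.lower())
    return [w for w in words if len(w) >= min_len and w == w[::-1]]


def wordlist_hits(password: str, wordlist) -> list:
    """Wordlist entries that appear anywhere inside the password, ignoring case."""
    lowered = password.lower()
    return sorted(w for w in wordlist if w in lowered)


def check_password(candidate: str, user_name: str, user_id: str, history: list) -> list:
    """Return the list of policy violations for `candidate`; an empty list means accepted.
    `history` is a list of fingerprints of the user's previous passwords, oldest first."""
    violations = []
    lowered = candidate.lower()

    # Composition rules: length plus all four character classes.
    if len(candidate) < MIN_LENGTH:
        violations.append("shorter than %d characters" % MIN_LENGTH)
    if not re.search(r"[A-Z]", candidate):
        violations.append("no upper case letter")
    if not re.search(r"[a-z]", candidate):
        violations.append("no lower case letter")
    if not re.search(r"[0-9]", candidate):
        violations.append("no numeral")
    if not re.search(r"[^A-Za-z0-9]", candidate):
        violations.append("no special character")

    # User's name (with spaces removed, and each part of 3+ letters) and user ID.
    name_parts = [user_name.replace(" ", "")] + [p for p in user_name.split() if len(p) >= 3]
    if any(p.lower() in lowered for p in name_parts):
        violations.append("contains the user's name")
    if user_id.lower() in lowered:
        violations.append("contains the user's ID")

    # Structural weaknesses and wordlist screening.
    if has_repeating_sequence(candidate):
        violations.append("contains a repeating sequence")
    if palindrome_words(candidate):
        violations.append("contains a palindrome")
    for label, wordlist in (("common word", COMMON_WORDS),
                            ("common name", COMMON_NAMES),
                            ("company-specific word", COMPANY_WORDS)):
        for hit in wordlist_hits(candidate, wordlist):
            violations.append("contains %s '%s'" % (label, hit))

    # Reuse: compare the fingerprint against the last HISTORY_DEPTH entries.
    if password_fingerprint(candidate) in history[-HISTORY_DEPTH:]:
        violations.append("matches one of the last %d passwords" % HISTORY_DEPTH)
    return violations


if __name__ == "__main__":
    # Constructed demo: one previous password on file for user jqpublic (John Public).
    previous = [password_fingerprint("Tr0ub@dor9")]
    for pw in ["Tr0ub@dor9", "radar", "JohnPublic1!", "Tivoli#2001", "AAAbc12!", "Bob@2001xyz"]:
        result = check_password(pw, "John Public", "jqpublic", previous)
        print("%-14s %s" % (pw, result or "accepted"))
```

Each rule contributes its own entry to the returned list, so the change dialog can tell the user exactly which rule was broken instead of a bare "password rejected". The wordlist check is a substring match, which is what defeats the "dictionary word plus a digit" habit the article describes; the cost is that a short entry such as "ibm" will also trip on unrelated strings that happen to contain it, so entries of fewer than three characters are best kept out of the lists.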

Brand New Way To Prevent Hard Disk Crashes

PC Week recently wrote: "One of the most costly IT headaches occurs when a hard drive crashes. The downtime and lost data can be catastrophic for the employee; getting a system up and running can be a time sink for the technician. DiskAlert watches for subtle signs of an impending disk failure and warns you before it's too late".

DiskAlert is new software from Executive Software that monitors your system's hard drives for problems and alerts you and/or your staff by e-mail, pager, phone and screen popup. DiskAlert runs on NT, W2K and XP. It does not run on 9X or Me. This version's GUI has been revamped and is now a Microsoft Management Console snap-in that controls and monitors one or more DiskAlert Agents, which reside on the client machines (in many cases, that would be your servers). The setup takes only a few minutes per box. You can add and remove agents through your Admin console, so you don't need to use the sneakernet to install it on each machine ;-)

You can install a third module called the DiskAlert Assistant on boxes you specifically select, so your staff can also monitor and check up on any alerts, but only the Administrator console allows you to change or add drives to be monitored and configure your alert settings. Once you install it, the DiskAlert Agents run invisibly on your servers, monitoring disk drives and watching for potential problems. When a red flag gets raised, the Agent sends a message to the Administrator, which in turn sends out the various alerts you've set up to you and your staff.

Most of the time, before one of your hard drives goes bad, its throughput starts to decline, combined with an increased frequency of various types of read errors. DiskAlert monitors these elements along with other information from the operating system and reports any anomalies to you, which usually gives you time to back up your data and replace the drive. DiskAlert also monitors free space on logical volumes. If you've ever run out of free space on a critical server volume, then you know how useful this could be.

You can tailor the event triggers to your needs. You have four options for notification: e-mail, pager, telephone, and pop-up messages. The pager and telephone options require you have a voice modem hooked up to the Administrator module. A cool little feature is that the phone method plays you a prerecorded WAV file.

Executive Software says that DiskAlert is "Smarter than SMART" (Self Monitoring and Analysis Reporting Tool). While SMART data is one of the information resources DiskAlert reads, Executive Software claims that their tests have shown that most of the time, SMART doesn't work very well. Steve Gibson of Gibson Research says on his web site, "We've encountered drives that were barely alive that reported absolute 100% health through their 'SMART' interface commands...

Unfortunately, it appears that since each manufacturer decides what they want their drives to report about itself, and since those manufacturers are competing with each other, the 'SMART' system has turned out to be rather 'dumb.'" That's why DiskAlert goes way beyond simply relying upon SMART and monitors numerous additional resources within the operating system, on the drives and supported RAID controllers. DiskAlert can even monitor older drives that aren't SMART enabled.

DiskAlert works with all SCSI and IDE drives, all software RAID and currently supports RAID controllers from Adaptec, AMI Mega RAID and Compaq, with support for more controllers being added all the time.

PC Week installed the product on six Windows 2000 servers and client PCs on a small office LAN and left it running for a month. They didn't encounter any drive failures, but they did get warned about several nearly full client PC drives. Given the high cost of drive replacement and lost data, we strongly recommend you spend that (little) money. Here's the eval and price indication:
http://www.sunbelt-software.com/product.cfm?id=457

  FAVE LINKS

This Week's Links We Like. Tips, Hints And Fun Stuff

  • Scan a C Class for $99/mo. Immediate activation. Free Trial Offer here:
    http://www.w2knews.com/rd/rd.cfm?id=111901FL-ScannerX
  • Freeware: Hotfix Reporter automates hotfix checking and reporting.
    http://www.w2knews.com/rd/rd.cfm?id=111901FL-HotFixReporter
  • Go Back In Time with the WebArchive.org. Very interesting.
    http://www.w2knews.com/rd/rd.cfm?id=111901FL-GoBackInTime
  • And here's a BONUS Fave link. Star Wars in ASCII via telnet. RIOT!
    Just open up a CMD-box and type this: telnet towel.blinkenlights.nl
  PRODUCT OF THE WEEK

Exchange 2000 On Site

Exchange 2000 Server On Site is a complete reference to planning, deploying, configuring, and troubleshooting Exchange 2000 in any size organization. The book includes step-by-step instructions for important configurations. It focuses on SMTP and helps admins to understand how it works in Exchange. The book is helpful for administrators, IT managers, and consultants that are considering implementation and shows how to migrate from Exchange 5.x to Exchange 2000. It has detailed information and illustrations of how Exchange 2000 works and explains the relationship between Windows 2000 and Exchange 2000.

http://www.w2knews.com/rd/rd.cfm?id=111501-BOW-E2Konsite