- Sign-up Now!
 - Current Issue
 - Edit Your Profile/Unsubscribe

Subscribe | Media Kit | About Us | All Issues | Subscriber Feedback | Contact Us | Privacy Statement
Sunbelt W2Knews™ Electronic Newsletter
The secret of those "who always seem to know" - Over 500,000 Readers!
Mon, Apr 15, 2002 (Vol. 7, #30 - Issue #361)
NEW: Sunbelt Now Sells L0phtCrack
  This issue of W2Knews™ contains:
    • Finding Technical Information A Timesink?
    • Some Limitations In QChain and MBSA
    • Biometrics And Live Fingers
    • Am I Under Attack? Yup, You Sure Are!
    • IIS Mega-Patch Released: "Critical"
    • Windows Cheaper Than Unix? Maybe Not!
    • NEW: Sunbelt Now Sells L0phtCrack!
    • NEW: Military Strength Drive Encryption Tool: DriveCrypt
  5. W2Knews 'FAVE' LINKS
    • This Week's Links We Like. Tips, Hints And Fun Stuff
    • MCSE Consulting Bible
  SPONSOR: Altiris
I don't like you, your cubicle, your mouse or your stupid screensaver
and now with Altiris Client Mgmt Suite, I don't have to touch any of it!
Recent winner of "BEST of Show" at FOSE 2002, Altiris Client Mgmt Suite
conveniently allows you to deploy, manage and migrate desktops, notebooks
and handhelds from the quiet, comfortable place you call your office.
30-day FREE trial.
Visit Altiris for more information.

Finding Technical Information A Timesink?

Is it getting overwhelming? Getting in despair? Can't find what you are looking for? You're not the only one. But we want to know how bad (or how good) it actually is. So here is the new SunPoll: "Do you find the information you are looking for when you search the Microsoft Technical sites?" These are the answers you can vote for:

  • Pretty much always
  • Frequently, but I have to click through all 100 links
  • Sometimes, I generally get tired of clicking on links
  • Hardly ever
  • Oh, I have given up hope and use other sources!
Vote here, leftmost column: http://www.sunbelt-software.com

And here are the final results of the last SunPoll:

Q: Ever Needed A Restore From Backups - And Did You Get It?
A: 975 responses:

  • Heck yes, this is priority one and I always run restore to be sure: 19.17%
  • Occasionally I restore backups, but I always read the backup logs 54.46%
  • I normally trust my backups but sometimes I'm looking at a dud 15.79%
  • Once, I got completely wiped out by not having a reliable backup 6.25%
  • I don't back up at all, I laugh in the face of job security! 4.3%
So, do you think a utility that reads your backup logs and alerts you when problems arise would be a good idea? Write me!

Sunbelt is excited! We can now provide you with the latest version of the world famous L0phtCrack password cracker. This new Version 3 is way more powerful than its predecessors and still only 250 bucks. BTW, we're calling it LC3 for short, and if they ask you what that charge on your credit card is for, you can tell them that you were able to get your hot little hands on the "World's Best Password Auditing and Recovery Tool"... legally! [grin] See the story in Third Party Tools.

Quote of the day:
"Best file compression around: DEL *.* = 100% compression."

Warm regards,
Stu Sjouwerman (email me with feedback: [email protected])

  SPONSOR: "Wireless Server Control"
Network Management from the Palm of Your Hand. It's simple. When
your systems are down, you are losing money. SonicAdmin is a complete
network and server administration utility that allows system admins and
support workers to diagnose and repair mission critical server and
network problems 24 hours a day, 7 days a week, from handheld wireless
devices. SonicAdmin lets you keep your systems up and productive, where
ever you are.
Visit "Wireless Server Control" for more information.

Some Limitations In QChain and MBSA

Got some useful feedback on these items in the last issue:

"We have been using QCHAIN but I don't find it as useful as it could be - namely the hotfix has to support the -z or no reboot option and some hotfixes do not. The only way to check is to run the hotfix with the /? switch to see what command line arguments it takes. You cannot use the file name either as some Q files don't support the /z switch either."

"Regarding the comments on qchain.exe: Despite the fact that the article Q296861 says the following: "It is a solution that works on both Windows 2000 and Windows NT 4.0," none of the patches (and they are numerous) that we've been installing in our NT environment since qchain came out are qchain-able! None of them support the -z switch, and none of them are in the format Qnnnnnn_w2k_spx_x86_en.exe. I searched long and hard before an obscure website somewhere made this fact clear. Please do the readers a service and point out the serious limitations of this tool. No one ever seems to."

"Regarding the Microsoft Baseline Security Analyzer - you need Office 2000 installed to run it. I am quite happy with Office 97, it does everything I want but it looks as if I'll have to upgrade to check MBSA out. I suppose that MS Office is like the "washing machine syndrome" - the washing machine has zillions of washing programs and you use 2!!!!

And this one came off the Sunbelt Security ListServer. Very useful list indeed, and free to join. See link below:

"Current version of HFNetChk doesn't differentiate between DCs and non-DCs, (it does differentiate between different SKUs of the product - Pro, Server, Adv Server, etc.). A future version of hfnetchk might be able to do this, the XML schema would probably be changed to support notation that a patch was only applicable to DCs. (MS01-011, 24, 36 were DC only patches as well.)

"In the meantime, consider a DC like a service on the system. Example: There have been patches for the tlntsvr service - most people don't use the service, but if we find earlier versions of tlntsvr.exe on the system, we'll recommend that it be updated - because although you're not using the service today, you might tomorrow, and the file should be the most recent. DCs are a little different, you don't casually decide to turn on a DC service, however.

"The files for 02-016 are marked in the XML file as change if exist, so if any of those files in the patch are on your server system, and they aren't the most recent (ie what's in the patch) it will tell you you need to install the patch. It doesn't hurt a server to apply this patch, but it's not necessary for this issue. Future versions of hfnetchk will have a -ignore flag where you can specify issues that you don't want to report on".

Subscribe to the Sunbelt Security Forum here:

Biometrics And Live Fingers

Thanks much, a lot of you mentioned that there are quite a few companies out there that check for heat, heartbeat and other signs of life in fingerprint scanners. I'm currently using the U.are.U device and tried to lift my fingerprint off a glass with scotch tape and see if it took it. No cigar. Looks like a real mantrap that completely locks in the individual and takes several measurements is really fool-proof at the moment. I'm sure this area is still very early stage, and that we'll probably move to superfast DNA-testing at one point in time, and solutions like radio-enabled smartcards combined with a short pin-code.

In the mean time, listen to this story!

"About 10 years ago I was a sub-contractor at a defense establishment where they were trialing fingerprint biometrics to replace PIN numbers and/or security swipe cards. I was not directly involved in this project but caught enough of the talk and gossip to know what was going on.

The idea was place your finger on the pad, the secure door/safe/computer etc opens. A clever foolproof system or so they thought.

This system was going to be deployed in all secure areas and considerable money (millions of UKP) had been spent identifying where the system could be used and designing all the associated infrastructure.

A team of external people (from a University I think) were then hired to try and crack the system, before the roll-out started, to prove how secure the system was.

Well in front of some top military official they correctly copied his finger by taking an imprint in silicone putty and casting in silicone another finger. Then by warming the copy up, infusing it with a warm saline solution (from a syringe) to simulate blood flow the team correctly opened one of the secure area doors using this finger !!!!

"OK" the biometrics team said "we will revoke this finger so it won't work anymore". We have all 10 fingers said the cracking team, how will you issue this person with new "fingers". Well you can see the crux of the problem if the system is compromised, you can only revoke so many "fingers" and how do you issue a new finger?

The project was dropped like a hot potato after this demo and I heard no more. Oh also the saline in the silicone finger corroded the sensor rendering it unusable after the demo."


Am I Under Attack? Yup, You Sure Are!

Here is an interesting bit of a thread on the Sunbelt Security List, which is an education for all of us:


I found the following new entries in my IIS 5.0 server logs starting a couple of days ago.

Event Type: Failure Audit
Event Source: Security
Event Category: Account Management
Event ID: 627
Date: 4/11/2002
Time: 8:48:20 AM
User: \Administrator
Computer: WWW
Change Password Attempt:
     Target Account Name: Administrator
     Target Domain: WWW
     Target Account ID: WWW\Administrator
     Caller User Name: Administrator
     Caller Domain:
     Caller Logon ID: (0x0,0xF6B24F)
     Privileges: -

This server is behind the firewall and only port 80 is passed to it. Anyone have a clue what this might be. So far there are more than 50 of these attempts logged against different accounts (guest, admin, ISInternetUser, IWAM_WWW, etc). Here are the log files from IIS and SecureIIS when over 76 of the change password audit failures were logged:

IIS Logs:
- 2002-04-11 08:49:19 64.x.x.x - 10.x.x.x 80 GET /scripts/root.exe /c+dir 406 -
- 2002-04-11 08:49:19 64.x.x.x - 10.x.x.x 80 GET /MSADC/root.exe /c+dir 406 -
- 2002-04-11 08:49:19 64.x.x.x - 10.x.x.x 80 GET /c/winnt/system32/cmd.exe /c+dir 406 -
- 2002-04-11 08:49:19 64.x.x.x - 10.x.x.x 80 GET /d/winnt/system32/cmd.exe /c+dir 406 -
- 2002-04-11 08:49:19 64.x.x.x - 10.x.x.x 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 406 -
< SNIP >

Secure IIS Logs:
DEBUG : 2002/04/11-08:45:59 : Web 2: No Lock Directory checks found
DEBUG : 2002/04/11-09:07:53 : Web 2: No Lock Directory checks found


No doubt about it. You are under attack. The calls to /root.exe are to see if nimda has holed your server. Set the permissions on Cmd.exe so that only Administrators and System have access to it.

Subscribe to the Sunbelt Security Forum here:

IIS Mega-Patch Released: "Critical"

Ten new vulnerabilities were discovered in IIS 4.0/5.0/5.1 running on NT 4.0/2000/XP, the most serious of which could enable code of an attacker's choice to be run on a target server.

Five of the holes could enable a hacker to gain control over your Web server. Two others could enable some one to prevent either a Web server or an FTP server from providing service. Three more holes enable a black hat to "bounce" Web content to another user's browser session.

"Unlike past IIS buffer overflow vulnerabilities, (one of these flaws) is within a core component of IIS, .ASP," says Marc Maiffret, chief hacking officer at eEye Digital Security. "Since the buffer overflow is within such a core component of ASP, it is probable that the number of affected servers is potentially higher than any of the past IIS vulnerabilities."

This new patch is almost kind of a mini-service pack as it includes the functionality of all security patches released for IIS 4.0 since NT 4.0 Service Pack 6a, plus all security patches released up to now for IIS 5.0/5.1. And always read the release notes before you apply the patch, and TEST, TEST, TEST! because there are already reports that it breaks stuff.

Here is the link to the MS website that discusses this patch:

And here is a tool (by eEye) that will really protect your IIS web server:

Windows Cheaper Than Unix? Maybe Not!

Got some good feedback on this one that I did not want to hold back from you. Name withheld at request.

Point one: Personal experience has showed me that the article is certainly not correct in cases where you need to run "Other than Microsoft" products. i.e. Oracle, SAP, People Soft, iPlanet.... I have a college down the hall from me that runs a 80 user Oracle database on a Dell PE6300 with 4 Xeon 600 MHz processors, W2K, 2 Gig of RAM, RAID, blah, blah. Hardware cost: $65,000 & he reboots every night so the server will (hopefully) stay up all day the following day.

I run a LARGER 400 user Oracle database on a Sun E220 with a single 400 MHz SPARC processor, Solaris 8, 2 Gig of RAM, RAID, blah, blah. Hardware cost: $20,000. $Uptime -> 12:27AM up 431 days - last time I rebooted was to re-initialize kernel parameters changed by a patch. And "oh by the way" (much to my chagrin) HE makes more than I do... (he is the more senior Oracle DBA)

Point two: I'm quite happy that UNIX admins like myself cost more "We found the average salary was far lower for support staff with Windows skills compared with UNIX specialists," said Manter. " The reason "we" cost more is because, amongst other skills, we know how to properly size a server [grin] rather than just throwing [expensive] hardware at a situation (see above).

Point three: If my only skill was administering W2K (or Windows OS's) I would be QUITE dismayed by that article. I would be asking myself "How long before my job is relegated to a secretary as an additional task" (much like the [now] cliche of secretaries making the coffee) An excellent example is found in my point one - we have an Oracle DBA assigned the additional duties of maintaining the W2K server albeit somewhat inefficiently. My company has adopted (for the most part) this approach: We will never be able to rid ourselves of UNIX based back ends, so we hire UNIX admins and assign them the additional task of maintaining W2K machines. (this is why I like your newsletter ;)

In closing, I will concede that if the only thing a (small) company was going to do was run MS SQL server and MS Exchange, etc. then the Windows solution is definitely cheaper, easier, and faster. Any company that has a few thousand people working for them (and is not a Windows only software development firm) is probably going to at least need to run one of the "free" NIX's for something - probably a DNS server that FULLY complies with the RFC spec RATHER than Microsoft's rendition of RFC-ish DNS.


NEW: Sunbelt Now Sells L0phtCrack!

Some very exciting news. Sunbelt is able to sell the very latest Version 3.0 of this world famous password cracking tool as per right now. For short, it is called LC3. W2Knews readers have chosen LC3 two years in a row as a Target Award Winner.

Product Features:

LC3 provides two critical capabilities to you as a network admin:

  1. Secure Windows-authenticated networks through comprehensive auditing of Windows NT and Windows 2000 user account passwords.
  2. LC3 recovers Windows user account passwords to streamline migration of users to another authentication system or to access accounts whose passwords are lost.
Security experts from industry, government, and academia cite weak passwords as one of the most critical internet security threats. But while many administrators recognize the danger of passwords based on family or pet names, fewer recognize that even savvy users expose networks to risk due to inadequate passwords. Consider that at one of the largest technology companies, where policy required that passwords exceed 8 characters, mix cases, and include numbers or symbols...
  • LC3 obtained 18% of the passwords in 10 minutes
  • 90% of the passwords were recovered within 48 hours on a Pentium II/300
  • The Administrator and most Domain Admin passwords were cracked
LC3 provides reporting options to fit your diverse needs. Password auditors can get a quantitative comparison of password strength from LC3's report on the time required to crack each password. A 'Hide' feature gives administrators the option to know whether or not a password was cracked without knowing the password itself. Password results can be exported to a tab-delimited file for sorting, formatting or further manipulation in applications such as Microsoft Excel.

LC3 makes password auditing accessible to less-experienced password auditors. New password auditors will find LC3 easier to use. An optional Wizard walks new users through the process of configuring and running their password audit, letting them choose from pre-configured Quick, Common, Strong or Custom configurations. Extensive documentation explains potential complications to keep password audits from getting frustrating.

It doesn't have to be this way. Crack-resistant passwords are achievable and practical. But password auditing is the only sure way to identify user accounts with weak passwords. LC3 offers you an easy and adaptable way to address this threat and find vulnerable passwords. Check the new screenshot of Version 3 and get a 15-day limited eval here. It is also available on the Sunbelt OnLineShop for just $249. This is a great deal.

NEW: Military Strength Drive Encryption Tool: DriveCrypt

DriveCrypt allows you to securely encrypt all, or parts of your hard disk making them only accessible to authorized users. DriveCrypt is the most powerful, flexible and fast cryptographic program available on the market today, bringing Military Strength Encryption to your computer and protecting your data transparently and in a quick, reliable way: $39.95 per machine.

Product Features:

DriveCrypt securely and easily protects all proprietary data on notebooks and desktop computers 100% of the time without users having to think about security. Any organization, from a small company to a large international firm with thousands of users in the field, can effectively protect business plans, client lists, product specifications, confidential corporate memos, stock information, and much more with this product.

Strong Cryptography
256-bit Military Strength disk encryption using the best and most proven cryptographic algorithms such as AES, Blowfish, Tea 16, Tea 32, Des and Triple Des.

Easily Install, Deploy & Use
DriveCrypt requires minimal administration and user training. It is completely transparent, requiring no change in the way users work with the computer.

Maximize Your Security, Minimize Your Risk
DriveCrypt protects your data with very fast and a true "on the fly" encryption process. Other products that claim to be "on the fly" decrypt an entire file and load it into memory, creating significant security risks. DriveCrypt is smarter and more secure because it decrypts only the specific portion of a file that is in use. Unprotected data never resides on a DriveCrypt encrypted hard drive.

Invisible Encryption (Steganography)
Using special so called "Steganographic" functionalities, DriveCrypt allows you to hide all your sensitive information into music files. Just authorized users will be able to access secret information, anyone else will only find harmless music on the computer.

Disk Partition and file volume encryption
DriveCrypt allows both, the encryption of an entire Hard Disk partition, as well as the creation of a virtual container file that will store all the encrypted information.

Improve Password Security
DriveCrypt allows administrators to configure several password settings:

  • Master Password Settings
  • Restricted second user Passwords
  • Second user Password Expiration
  • Console Lock-Out Password
  • Password Sniffing Protection
DriveCrypt integrates special functionalities that prevent passwords from being sniffed by Hackers or Trojan horses such as Back Orifice and SubSeven.

Get your eval or full version now at the Sunbelt site:


This Week's Links We Like. Tips, Hints And Fun Stuff

  • This gentleman has build an honest-to-goodness monorail in his backyard.

  • http://www.w2knews.com/rd/rd.cfm?id=020415FA-Monorail
  • Failed your MCSE exam and need to know why? Here is some news you'll like.

  • http://www.w2knews.com/rd/rd.cfm?id=020415FA-MCSE_Results
  • Receive free email alerts every time Microsoft publishes new support or Knowledge Base articles over at:

  • http://www.w2knews.com/rd/rd.cfm?id=020415FA-MS_Updates

    MCSE Consulting Bible

    According to the 1999 Salary Survey conducted by MCP Magazine, the average MCSE has 6.8 years of experience. The average self-employed MCSE consultant with 6 - 9 years of experience earns $85,000 - that's over $8,000 more than the average salary +bonus and benefits package of other MCSEs. There is a demand for MCSEs who can offer a variety of technical expertise and services, and this book will show you how to create a successful consulting business. MCSE CONSULTING BIBLE walks you through the issues to consider when making the decision to start their own consulting business and then offers key advice on each aspect of the business from deciding what services to offer, to marketing, to maintaining customer relationships.