- Sign-up Now!
 - Current Issue
 - Edit Your Profile/Unsubscribe

Subscribe | Media Kit | About Us | All Issues | Subscriber Feedback | Contact Us | Privacy Statement
Sunbelt W2Knews™ Electronic Newsletter
The secret of those "who always seem to know" - Over 500,000 Readers!
Thu, Apr 18, 2002 (Vol. 7, #31 - Issue #362)
Your W2K Support Stops in 2005!
  This issue of W2Knews™ contains:
    • Your W2K Support Stops in 2005!
    • Microsoft Patch Management? It's A Mess
    • Windows vs. Unix Uptime
    • Gartner: Securing Windows Takes 15% Longer Than Unix
    • More on QChain
    • Already Own One Half Of The Bundle? The Other One Now Discounted!
    • NEW: ScriptLogic V4.0- No More Messing With Logon Scripts!
    • PentaSafe OnLine Security Libary Opened
    • Throwing More Hardware At It: "Storage Insanity"
    • Self Service For User Passwords!
  5. W2Knews 'FAVE' LINKS
    • This Week's Links We Like. Tips, Hints And Fun Stuff
    • The Hacker Diaries
  SPONSOR: Double-Take
Full Site Failover and Infrastructure Redundancy delivered by the #1
tool for data replication: Double-Take.
Ensure that your data and
applications are always safe. Help your Company and Homeland Security
by protecting your most valuable resources at the source: Your Servers.
Double-Take will fail over to the target server if your source server
goes down. 2001 Editor's Choice of both Windows 2000 and Network Magazine.
Download a 30-day eval copy now and start protecting your data and apps.
Visit Double-Take for more information.

Your W2K Support Stops in 2005!

This week at TechEd in New Orleans, MS sent Post-Beta Version 3 build 3604 of Windows .NET Server on its way. It's roughly 5 months after the Beta 3 .Net Server release. So, since support for W2K ends in 2005, what is .NET really? Well, from my perspective it is a "point release". Since W2K is NT 50, WinXP really NT V5.1, let's call .NET Server NT V5.2 and we're close to reality. Will .NET Server be part of your future? Probably. But when? Do you really need it? You may wonder if you need it at all.

I would start looking at your NT 4.0 servers and plan to retire them latest end of 2004. If you have not started deploying W2K yet, skip it all together and roll out .NET instead. Keep in mind that W2K only has Active Directory V1.0 but .NET will have AD V2.0 which will be much more manageable.

If you're already busy deploying AD and W2k domain controllers, keep going. You can slipstream .NET in later, but be careful not to mix domain controllers that can break things in AD. So that's the simplicity of it.

This week's XBOX winner is John K. Fee, in Goleta, California. Congrats John! NOTE: This campaign will last 4 more weeks and then stop. Refer a friend now if you want to make a chance to win an XBOX!

Warm regards,
Stu Sjouwerman (email me with feedback: [email protected])

  SPONSOR: InstallShield
Making Sense of Windows Installer is the new 1-day seminar from
that you need to understand today's Windows
Installer setups. You gain InstallShield's Windows Installer
expertise for only $159! And you'll also receive Bob Baker's new
1000-page book for free! Get up to speed on Windows Installer --
but hurry! Some locations start class in less than two weeks!
Join the Making Sense of Windows Installer seminar today:
Visit InstallShield for more information.

Microsoft Patch Management? It's A Mess

Just read the little story below and you'll simply see by a real life illustration how bad it really is:

"We run NT 4.0 Servers and Workstations. I am trying to find out what patches have been released since the Security Rollup Package. MS seems to change its web site organization periodically, but it doesn't always make it easier to find what you need. NT now seems be a combination of old and new formats, which makes it frustrating.

  1. I go to the Hotfix and Security Bulleting Service at
    I select Product = Windows NT 4.0 Server and Service Pack = SP6a. I look at the list returned and the SRP is not listed. Only Security Bulletin IDs are listed.
  2. Now I go search for a copy of KB article id Q299444 for SRP on http://support.microsoft.com. It lists all the hotfixes included in the SRP by Q-article number.
  3. Now, I go back to the list of Security Bulletins from step 1. Problem! The list includes only security bulletin ids, not the Q-number of the hotfix. (Except for the April 2002 entry.)
  4. Now I go down the menu in the left pane to see if I can directly access a list of hotfix files, sorted in date order. Then I can pick out the hotfixes released after the SRP. But there is no list of hotfix files available.
  5. Now I start clicking on the Security Bulletin entries to get the Q-number of the hotfixes (since Q29944 was published on July 20, 2001). I start in April, 2001, with MS01-022, which takes me to
    There is a reference to KB Article Q296441. This isn't in the list for the SRP either as an NT patch or an IIS patch.
  6. I click the link for the patch, and the patch file is named rbupdate.e x e. So is Q296441 really it's Q-number? I guess I better install it since I can't verify that it's in the SRP.
  7. Now I click MS01-017 under March 2001. It says that the KB article is Q293818, which is in the list of NT patches for SRP. The patch file is named crlupd.e x e .
  8. I guess I better install all the patches associated with the Security Bulletins from MS01-022 on since this one is not (apparently) included in the SRP. But am I sure I got them all? Nope!
More over, HFNetChk checks the actual version/checksum of the files in question, based upon an XML file downloaded. The new MBSA does the same, since it uses HFNetChk as its patch scanner. The Windows Update Site on the contrary uses a registry key to check. HFNetChk will check for patches applied out of order, while Windows Update will not necessarily. AAugh!!"

What I suggest is use a tool like UpdateEXPERT that at the moment uses the registry to check if a hotfix is there, and use the new free MBSA as a double-check to make sure, as that uses the checksum to see if a hotfix is there. Here is your 30-day eval:


Windows vs. Unix Uptime

Boy, the issue of Windows or Unix sure gets me some letters! This one voices the best what many of you communicated to me. Interesting reading:

"Okay, Stu, you crossed the line with reporting on the anonymous Unix admin who claims his implementation is cheaper. His first point about his Oracle database isn't close to being accurate. We paid $25K for a dual processor, 2GB RAM, blah, blah Dell 6300PE...2 more processors were maybe $10K, who knows but I know it wasn't $65K total for the hardware described! And we run Oracle for a 300 user system on it! We don't reboot every night; in fact, here is the uptime on that puppy:

H:\>psuptime \\oracle6300
PsUptime v1.1 - system uptime utility for Windows NT/2K
Sysinternals - www.sysinternals.com
Querying \\oracle6300...done.
\\oracle6300 has been up for 340 days, 20 hours, 16 minutes, 25 seconds.

"The 2nd point is also an anecdotal response. We are Windows admins and we know how to properly size a server. Don't blame a poor implementation on Windows products.

"The 3rd point is ridiculous as well. Windows brings the stability, affordability and flexibility we need to our enterprise and allows us to offload basic tasks to our helpdesk and allows my staff to concentrate on new technology projects, security, etc. Tying our resources up in menial administrative functions because I run a "nix" environment would be a poor use of resources. We are a pure Windows 2000 domain and love it! I don't know what rfc issues exist with MS DNS but our MS DNS handles all our internal and external queries just fine. So next time you share a letter from a questioning user, maybe they should be a little more factual about their criticism and less anecdotal."

Gartner: Securing Windows Takes 15% Longer Than Unix

The good news? There's a better chance Microsoft will make good on its efforts to strengthen security for Windows and .NET software products. The bad news? Windows administrators will spend 15% more time securing their servers than Unix administrators spend securing theirs. This is the sum of some Gartner math, shown at the consulting firm's "Windows: Nothing But .NET?" conference in Los Angeles. Full article at the SearchWin2000 site over here:

More on QChain

A reader sent me this: "In today's newsletter, you passed on some comments including:

""Regarding the comments on qchain.e x e: Despite the fact that the article Q296861 says the following: "It is a solution that works on both Windows 2000 and Windows NT 4.0," none of the patches (and they are numerous) that we've been installing in our NT environment since qchain came out are qchain-able! None of them support the -z switch, and none of them are in the format Qnnnnnn_w2k_spx_x86_en.e x e.""

"This does not match our experience. I've recently put together a package of 15 of the latest Microsoft hotfixes using QChain to resolve conflicts (if any) between them. Every hotfix to date has supported the -z option. However, we always unzip the hotfix file so we can get to the hotfix command directly. Patches that don't use the hotfix command are slightly trickier, though the /q:a /r:n options are often good."


Already Own One Half Of The Bundle? The Other One Now Discounted!

Recently, Retina and UpdateEXPERT came out with a special marketing bundle of these two security products together. You have read about that in recent W2Knews versions. Now, for a limited time only, and as a special intro offer through the end of May 2002, when you already own either Retina or UpdateEXPERT, you get a discount when you purchase the other one. Ask your Rep or Reseller for details. Here is the product page:

NEW: ScriptLogic V4.0- No More Messing With Logon Scripts!

Hate to have to code login scripts with way more important and urgent things on your mind? Things like:

  • Drive mappings
  • Search paths
  • Printer deployment
  • Time synchronization
  • Automatic Outlook/Exchange mail profile creation
  • Security policy management
  • Registry manipulation
  • Configure environment variables
  • Folder redirection for network-based user desktops, start menus, bookmarks, cookies, etc.
  • Desktop shortcut management
  • Internet settings & proxy server access
  • Control of Microsoft Office open & save paths
  • Service pack deployments
If not, think for a moment about having to maintain the above things in real-time, through 5 domains, with different service packs revisions and on different subnets. Not feeling so perky suddenly, eh?

Well, no worries. The new ScriptLogic V4.0 has you covered. This version solves problems like this by delivering the correct configuration created for each user wherever they log in. All the above points (and then some) are configured for you automatically during the logon process. Your users can log in from any PC, running any Windows 32-bit OS, over any LAN, dial-up or VPN connection and instantly have access to their unique desktop configuration.

V4 New Features and Enhancements

  • Incredible performance enhancements.
  • New ScriptLogic Manager GUI
  • Multiple Profile Support
  • Multiple profiles can run for a single user.
  • Validation Logic has been enhanced
  • Now add descriptions for each element of your profile
  • Overcomes security related limitations of the user logging on
  • Rebuilt Service Manager: configure multiple Services/Servers with a single click.
  • A Logoff (and shut down) Agent has been added
  • New options for Outlook settings.
  • Enhanced Cycle Logic has been implemented
  • Update of Global Options
  • New Alert feature for Profile Options
Scriptlogic is based on the KiXtart scripting language and actually generates KiXtart code. It allows you to manage logon scripts through a simple point-and-click Management Console. No code writing or debugging!

PentaSafe OnLine Security Libary Opened

PentaSafe's library of information security policies is written by security policy expert and consultant, Charles Cresson Wood, CISA, CISSP who has over 20 years of experience writing and implementing security policies for companies around the world.

PentaSafe's Library of Information Security Publications provides you with everything you need to create a successful information security program for your organization. Including 1100+ security policies, templates, sample mission statements and job descriptions, this is the most comprehensive compilation of information security resources and expert advice available. All policies and templates are provided on CD so they can be easily customized to meet your company's specific needs. The three titles:

  • Information Security Policies Made Easy
  • Information Security Roles & Responsibilities Made Easy
  • Best Practices in Internet Commerce Security
Check 'em out here:

Throwing More Hardware At It: "Storage Insanity"

We see it all the time. A lot of companies attempt to solve mounting storage problems by throwing more hardware at the problem instead of investing in software. At the moment, it looks like IT spends roughly one dollar on storage management software for every four dollars of storage hardware. But experience in the trenches shows that investmenting in software to manage your storage helps in two ways: less data pollution and more budget dollars availble for other needed equipment

IDC has projections that network storage will boom from just over 30% today to almost 70% by 2006. Not to be sneezed at. And here is another bit of unwelcome news: storage can eat up 25% or more of your total IT budget. And you may not be aware of another interesting number. For every Terabyte of storage, you need some one to manage it!

So now, if you want to keep your headcount down, spend money for faster gear and the latest cool stuff, better have a (new) look at the leading storage management tool out there for the Windows environment: StorageCentral. It allows you to quickly get the storage monster under control, and effortlessly manage capacity, performance, charges for storage and block unwanted file formats. Get your eval here:

Self Service For User Passwords!

Let's start with this simple statement: You can't afford to keep managing password service and security manually: It's too risky, it's too costly, it's simply too inefficient.

VigilEnt User Manager/Password Management Takes Care Of It:

  • Provide secure self-service password resets via a convenient web interface
  • Get centralized enterprise password synchronization, monitoring and management
  • Ensure that every password complies with your security policies
  • Relieve the Help Desk of routine password reset requests
  • Save money and time, while also improving security enterprise-wide
"I forgot my password." Four words that constantly put your company at risk and cost you plenty. According to Meta Group, it costs about $25 every time a password has to be manually reset. And considering that an estimated 40% of all Help Desk calls are password reset calls, manual password management may be costing your company more than you realize. Use our ROI calculator to find out how much your company may really be spending on manual password resets every year.

Then there are the security risks... is your Help Desk really thinking about security? With hundreds or even thousands of manual password resets every year, the security risks and costs can quickly become unmanageable. With VigilEnt User Manager you can now assure superior security while and provide better user password service. VigilEnt User Manager provides password synchronization, self-service password reset, and enhanced Help Desk password management functionality via a user-friendly web-based interface. You'll be able to reduce IT support costs while also improving network security across your IT environment.

Key Benefits

  • Dramatically reduces help desk costs and increases employee productivity with self-service password reset, allowing end users to quickly and easily restore access to business-critical applications without help desk assistance.
  • Decreases the security risks associated with users having to remember multiple passwords, including the use of weak passwords or writing down passwords. Password synchronization requires that end users remember only one enterprise password.
  • Mandates and enforces enterprise-wide password strength policies to safeguard corporate data security by validating every new password against a set of rules configured by your organization's security administrator.
  • Increases security against unauthorized access by authenticating users each time they reset or synchronize a password with a set of challenge/ response questions.
  • Improve your organization's overall security by providing complete audit trails, logging and reporting on password change activities.
  • Improve service quality by relieving over-burdened help desks from having to attend to numerous password resets calls and allowing them to focus on more complex projects in a timely manner, which allows the end user to reset their own passwords without waiting in a long queue-minimizing overall business interruption.
Password Synchronization
VigilEnt User Manager provides users with consistent access to multiple systems while increasing enterprise security through the enforcement of stronger password policy. Instead of having to go through the tedious process of logging into each application to conduct password changes, VigilEnt User Manager's password synchronization capabilities allow an end user to initiate a password change across all their systems and applications with a single action from the convenient Web-based interface. Once a password has been validated, the password change request is disseminated to all applicable user login systems ensuring a synchronized enterprise-wide password. The password change process is complete when users are notified of successful changes.

Self-Service Password Reset
If an end user's password expires or is forgotten, VigilEnt User Manager allows users to reset their own passwords upon authentication without having to rely on the help desk for support. Not only does this reduce costly support calls, it also increases employee productivity while improving network security by enforcing authentication and other security procedures, which are often neglected by overburdened help desk staff. Once a user's identity is verified by responding to a configurable number of challenge questions, they can replace a forgotten or expired password and the new password is synchronized across the enterprise.

Password Policy Enforcement
Perhaps one of the most difficult tasks of today's security administrators is being able to effectively enforce password policy throughout the org. Without an enforceable policy, users are more likely to utilize weak passwords resulting in a potential security gap. VigilEnt User Manager comes with default settings for password validation policy, but Admins can configure the product to enforce their own password policy. If an end user attempts to log in with a password that does not match the password rules configured in the product, they will receive a validation error and be asked to provide a password that conforms to the password policy defined by the Administrator.

Online Tracking of Transactions
VigilEnt User Manager provides end users with online tracking of their password transactions on relevant systems. When an end user submits a password change, they are notified that the password change has been submitted and can view the status of the password change across all their systems to ensure that their transaction was executed enterprise-wide. This prevents users from encountering unexpected access denials that can result in unnecessary business interruptions.

Audit Trails and Logging
VigilEnt User Manager improves auditing and service management with automatic logging of all password management activity information. From a central location, Admins can access a searchable and sortable audit trail that contains user information, transaction type, date, IP address and other configurable options.

Integrates into our VigilEnt Security Management console for centralized management across your entire security infrastructure. No need for multiple consoles and separate password system management and logging. Offers greater platform breadth than most other password products. Includes major operating systems, web servers, web applications, databases, and more, plus Lotus Notes and most custom applications using our VigilEnt Universal Agent. Check out the eval here:


This Week's Links We Like. Tips, Hints And Fun Stuff

  • The "HammerOfGod" site has a few good utilities to improve penetration testing for the security freaks among you:

  • http://www.w2knews.com/rd/rd.cfm?id=020418FA-HammerOfGod
  • A new Linux desktop that's a spitting image of WinXP from a Redmond company:

  • http://www.w2knews.com/rd/rd.cfm?id=020418FA-Linux_Desktop
  • New threats force intrusion-detection vendors to rearm:

  • http://www.w2knews.com/rd/rd.cfm?id=020418FA-Rearm
  • Cool & scary at the same time: Key Katcher- record all keystrokes and URLS:

  • http://www.w2knews.com/rd/rd.cfm?id=020418FA-Key_Katcher
  • Here is something to gross out some of the girls in the office:

  • http://www.w2knews.com/rd/rd.cfm?id=020418FA-Gross_Out
  • And when you think that -your- day is bad, take a look at THIS man's Monday morning. This is one of the best ads for furniture I have seen in years and every time I see it I'm in stitches. Forward this one to your friends!

  • http://www.w2knews.com/rd/rd.cfm?id=020418FA-IKEA

    The Hacker Diaries

    No, I'm not making this up. The book exists and I have it on my desk here. The subtitle is even more interesting: "confessions of teenage hackers". Now normally I would not take this serious but the publisher Osborne is a respectable outfit. Then I started reading. This is about the 14-year old kid that brought down Yahoo, CNN, Datek and E-Trade! So, if you want to stop hackers, better start thinking like one. Entertaining reading and "job enhancement" in-one: