Sunbelt W2Knews™ Electronic Newsletter
The secret of those "who always seem to know" - Over 500,000 Readers!
Mon, Jan 27, 2003 (Vol. 8, #4 - Issue #410)
2003 looks a lot brighter for IT Salaries
  This issue of W2Knews™ contains:
    • How's Your 2003 Budget?
    • Using the W2K Encrypting File System (Exam 70-214)
    • MS Definitely Takes Notice Of Linux
    • HP Teams Up With MS for Network Attached Storage
    • MS releases SQL Server 2000 Service Pack 3
    • MS Announces First 2003 Windows Bugs
    • How can I protect against SQL Injection attacks?
    • 99.999% High Availability A Dream?
  5. W2Knews 'FAVE' LINKS
    • This Week's Links We Like. Tips, Hints And Fun Stuff
    • BIOMETRICS - Identity Assurance in the Information Age
  SPONSOR: ScriptLogic
Cut Your Help Desk Support Calls by 50%
ScriptLogic automates administration tasks and reduces help desk
support for more than 1,000,000 desktops every day.
* Logon, logoff and shutdown scripting
* Install/update software packages
* Create Outlook mail profiles
* Create/remove shortcuts
* Enforce security policies
* And Much More
Begin saving time today! Evaluate a fully functional 45 day trial
version of ScriptLogic and get a FREE "Born to Network" T-shirt.
Free Born to Network T-shirt offer is available to US residents only.
Visit ScriptLogic for more information.

How's Your 2003 Budget?

It's different per industry section, but there seems to be a lot of "doing more with less" all over. How does your IT budget compare with last year's? Check out how everyone is doing in the new SunPoll. The results are online in real-time! Vote here, leftmost column:

Quote of the day: "Technology is the word given to the stuff that doesn't quite work just yet." - Supercomputer designer Danny Hillis

Warm regards,
Stu Sjouwerman (email me with feedback: [email protected])

  SPONSOR: Opalis
"System Operation Workflow Software"
OpalisRobot automates a broad range of system operations
including event monitoring, file replication, routine maintenance
chores and production jobs. Run reports, batch jobs, scripts,
business processes and correct system errors with a single solution.
Download FREE fully functionally demo software today.
Visit Opalis for more information.

Using the W2K Encrypting File System (Exam 70-214)

The Encrypting File System (EFS) supported in Windows 2000 and XP/.NET is a security feature built into the NTFS file system. In order to encrypt a file (or folder) in any of these operating systems, the file (or folder) must be located on an NTFS 5 volume. NTFS 5 is the version that is created with a Windows 2000 installation. EFS is a hybrid scheme: the file contents are encrypted with a fast symmetric (secret key) cipher under a random per-file key, and that per-file key is in turn protected with public key encryption, so data is encrypted quickly while access to it is tied to the users' certificates. The symmetric cipher in Windows 2000 is DESX, a strengthened variant of DES. U.S. customers who purchase Windows 2000 receive the 56-bit version of this algorithm, but U.S. customers can also obtain the 128-bit version. Until export approval is received, Microsoft also has a 40-bit version for all international customers. Treat the shorter key lengths as an export compromise rather than as cryptographic strength: 56-bit DES keys have been recovered by brute force since 1998, so files protected by the export build should not be considered safe against a well-funded attacker. (Windows XP SP1 moves the default to AES-256.)

An encrypted file can be read by anyone holding a private key that can decrypt its File Encryption Key (FEK): the FEK is stored with the file, encrypted separately under the public key of each party entitled to it. In the Windows 2000 implementation of EFS, only the user who encrypted a file and a designated recovery agent (usually the network administrator) can decrypt the data. The version of EFS included in Windows XP/Windows Server 2003 adds the capability to share encrypted files with other users by adding their certificates to the file.

The provision of a recovery agent is important in the implementation of EFS in the business environment. If a user leaves a company or if a user's private key becomes corrupted or is accidentally deleted, the recovery agent can implement data recovery. This might sound like a security weak spot, but it need not be: the recovery agent holds no master key to the file data, only a private key that unwraps each file's FEK, and that key can be protected like any other high-value credential. In practice that means exporting the recovery agent's certificate and private key to removable media, storing it offline, and removing the private key from the machine on which it was generated, because whoever holds that key can read every file encrypted under the policy.

Windows enforces an Encrypted Data Recovery Policy (EDRP), which controls who can recover data if the owner's private key is lost or if an employee leaves the organization. In a workgroup environment, Windows automatically sets up the EDRP on the local machine, with the local Administrator account as the default recovery agent. In a domain environment, the EDRP is set up in the domain policy by the system administrator (the domain Administrator account is the default agent), and computers belonging to the domain will receive the EDRP from that location.

If a computer is not a member of a Windows 2000 domain and an administrator resets the password of the account that was used to encrypt files (as opposed to the user changing it while logged on), the user's EFS private key, which is protected with material derived from the logon password, can no longer be unlocked, and those files become unrecoverable unless a recovery agent's key is available. In a domain environment, you have more recovery options for EFS files.
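The three points above (a per-file key wrapped separately for the owner and the recovery agent, recovery without the owner's cooperation, and the loss of the owner's key on an administrative password reset) are easier to see in code. The following is an added toy model, not Microsoft's code and not how EFS is actually implemented: ElGamal over a small Mersenne prime stands in for the RSA wrapping done with the EFS certificate, a SHA-256 counter keystream stands in for DESX, a PBKDF2-sealed private key stands in for DPAPI, and the sample file contents and passwords are made up. The shape of the scheme, not the ciphers, is what it demonstrates.

```python
import hashlib
import secrets

# Toy group: M127 = 2**127 - 1 is prime.  Illustration only; real EFS wraps the
# FEK with RSA under the user's EFS certificate, not with ElGamal over M127.
P = (1 << 127) - 1
G = 3


def keygen():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def wrap_fek(pub, fek):
    """Encrypt the integer FEK under a public key (ElGamal)."""
    k = secrets.randbelow(P - 2) + 1
    return pow(G, k, P), fek * pow(pub, k, P) % P


def unwrap_fek(priv, wrapped):
    c1, c2 = wrapped
    return c2 * pow(c1, P - 1 - priv, P) % P


def keystream(fek_bytes, n):
    """Symmetric stand-in for DESX: a SHA-256 counter keystream."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(fek_bytes + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def efs_encrypt(plaintext, owner_pub, dra_pub):
    """One random FEK per file; a copy for the owner (DDF) and one for the
    recovery agent (DRF) travel with the ciphertext."""
    fek_bytes = secrets.token_bytes(15)            # 120-bit FEK, below P
    fek = int.from_bytes(fek_bytes, "big")
    return {"data": xor(plaintext, keystream(fek_bytes, len(plaintext))),
            "ddf": wrap_fek(owner_pub, fek),
            "drf": wrap_fek(dra_pub, fek)}


def efs_decrypt(blob, priv, field):
    """Whoever can unwrap the FEK from their field ('ddf' or 'drf') reads the file."""
    fek_bytes = unwrap_fek(priv, blob[field]).to_bytes(15, "big")
    return xor(blob["data"], keystream(fek_bytes, len(blob["data"])))


def seal_private_key(priv, password, salt):
    """Stand-in for DPAPI: the owner's private key rests under a key derived
    from the logon password, with a digest so a wrong password is detected."""
    k = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000, 16)
    raw = priv.to_bytes(16, "big")
    return {"salt": salt, "blob": xor(raw, k), "check": hashlib.sha256(raw).digest()}


def open_private_key(sealed, password):
    k = hashlib.pbkdf2_hmac("sha256", password.encode(), sealed["salt"], 50_000, 16)
    raw = xor(sealed["blob"], k)
    if hashlib.sha256(raw).digest() != sealed["check"]:
        return None                                 # wrong password: key unusable
    return int.from_bytes(raw, "big")


def scenario():
    """Owner changes their own password, then an administrator resets it."""
    owner_priv, owner_pub = keygen()
    dra_priv, dra_pub = keygen()
    sealed = seal_private_key(owner_priv, "hunter2", secrets.token_bytes(8))
    blob = efs_encrypt(b"Q1 payroll figures", owner_pub, dra_pub)

    # User-initiated change: the old password opens the key, so it is re-sealed
    # under the new one and the owner's DDF keeps working.
    priv = open_private_key(sealed, "hunter2")
    sealed = seal_private_key(priv, "correct-horse", sealed["salt"])
    after_change = efs_decrypt(blob, open_private_key(sealed, "correct-horse"), "ddf")

    # Administrative reset: nobody supplies the old password, so the sealed key
    # never opens and the DDF is useless to its own owner.
    owner_key_after_reset = open_private_key(sealed, "reset-by-helpdesk")

    # The DRF never depended on the owner's password; the recovery agent's key
    # unwraps the same FEK and the data comes back.
    recovered = efs_decrypt(blob, dra_priv, "drf")
    return after_change, owner_key_after_reset, recovered
```

Two things carry over to the real system: the recovery agent never touches the owner's credentials, which is why the DRF is the only path after a reset, and whoever holds the agent's private key reads every file that carries a DRF for it, which is why that key belongs offline.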

NOTE: If you want to store encrypted files on a remote server, the server must be trusted for delegation. You must be a domain admin to configure the server as trusted for delegation. This is done through the Active Directory Users and Computers console. For detailed instructions, see Microsoft Knowledge Base article Q307877. Also note that you will not be able to access encrypted files from Macintosh clients.

Excerpted from Chapter 5 of MCSE Implementing and Administering Security in a Windows 2000 Network: Study Guide and DVD Training System (Exam 70-214) by Will Schmied with contributions from Chad Todd, Tom Shinder, and Debra Littlejohn Shinder. Syngress Publishing 2003 (1931836841). Click here to get more information about this title or to purchase it from Amazon.com over at:

You can also purchase the e-Book now directly from Syngress Publishing:
[NEXT WEEK: How EFS Works]


MS Definitely Takes Notice Of Linux

How so? They have a booth at LinuxWorld! In the past, MS may have seemed somewhat indifferent, but no more. This is a good thing.

Peter Houston, senior director of server strategy at Microsoft recently remarked "One of the biggest changes has been IBM's emergence in the Linux space. We have to take these things more seriously than we would have before."

It is obvious that the corporate data center has a choice to make in the next few years. Clearly, there is a movement away from the Unix vendors' proprietary hardware platforms to Intel-based servers. The OS competition is going to be a two-horse race: Windows and Linux. Up to now, Linux has mostly been eating into the existing *Nix-en out there, but it will become a viable choice compared to Windows.

Obviously, both options have their "value proposition", and this is going to be a very interesting battle. It will force MS to be competitive and provide continual higher quality. To some extent they are moving toward a more component-based model, so watch for W2K3 with a smaller footprint, minimizing the number of services that really need to be there.

HP Teams Up With MS for Network Attached Storage

The two 800-pound gorillas are teaming up to boost network-attached storage products. They were already cooperating for a while, but now their engineers and sales / marketing teams will get trained together. They have decided they want to push Windows Powered NAS deeper into the enterprise. The target? IT groups that want to consolidate servers, but add more storage.

It is something a large percentage of you are thinking about. See SunPoll 45 about consolidation here:

If you look at the almost 2 million servers out there (both NT and W2K) that are targets for consolidation, you can see the market opportunity. Not to forget an estimated half a million Exchange 5.0 and older messaging servers.

All these boxes might get replaced, since they run older versions of software and are being used stand-alone. Consolidating several of these and adding storage to the network means of course less cost, as you have less (and likely cheaper) hardware involved and the system is easier to manage. If you are planning server consolidation, you might want to check out AutoPilot Enterprise. This utility with a true supercomputer background (the code was originally developed for Cray SMP boxes) will allow you to run many more processes on the same server with a very smooth performance curve:

MS releases SQL Server 2000 Service Pack 3

Just last Monday, MS announced SQL 2K SP3. It's got a monitoring API and enhanced error reporting. The new API allows you (or third party tools) to diagnose problem processes. The error reporting enables MS to be automatically notified about critical errors, similar to the stuff that's now part and parcel of XP.

If you run multiple servers, administration is improved: SP3 enables centralization of maintenance tasks for several servers onto a single machine. MS states that SQL performance is better through use of Virtual Interface (VI) technology in the networking layer. This is supposed to reduce CPU consumption per message on the server and client. And if you really want screaming I/O subsystem performance, you can now use QLogic's VI-enabled SAN QLA2350 Fibre Channel controller.

There are some security related patches, and you can now run the SQL Server Agent under a non-administrator account for scheduling tasks such as backups and restores. Among the security fixes is the one for the SQL Server Resolution Service buffer overrun (bulletin MS02-039) that the Slammer worm exploited this past weekend; if SP3 cannot go on right away, apply that hotfix and block UDP port 1434 at the perimeter in the meantime. And like always, first TEST, TEST and TEST some more on a NON-PRODUCTION machine!! You can get the new SQL SP3 over at:

MS Announces First 2003 Windows Bugs

Hmmm. What else is new. Servers running NT, W2K or XP have been discovered to suffer from another nasty buffer overrun flaw, this time in the RPC Locator service (bulletin MS03-001). Buffer overflow bugs allow black hats to run code of their choosing on your machine, which usually means taking control of it. MS rates this one Critical. The Locator service runs by default only on domain controllers (it is installed but not started elsewhere), so patch the DCs first and check the service state on the rest. They tell you it should be a quick patch. There are also other warnings out for Content Management Server 2001 and Outlook 2002 -- There are patches available. Get them at:

Oh, and when you are sick and tired of all the work related to patching systems continuously, the best selling 2002 third party tool to automate this is called UpdateEXPERT. This product is really incredibly useful to keep your networks and systems secure:


How can I protect against SQL Injection attacks?

Answer: If your web servers happen to have a database backend (i.e. nearly all servers in commercial environments), SQL Injection attacks are malicious attempts to bypass the security mechanisms of the database by going through the web application. The attacker supplies input that the application pastes into a query, so the database executes the attacker's SQL with the application's privileges. Depending on that account, this lets them read, modify or delete data and, on SQL Server, run operating system commands on the server.

Formally, SQL Injection is a technique that enables an attacker to execute unauthorized SQL commands by taking advantage of unsanitized input opportunities in Web applications that build dynamic SQL queries.

For example, the most common form of SQL injection is bypassing a login screen. Typically, the SQL would look like this:
"SELECT * FROM logins WHERE uid = '[form input here]'"

The script would then check to see if there was any result. If the following is entered into the form: ' OR '1'='1 (the leading quote closes the string the application opened, and the closing quote the application appends terminates the attacker's final literal), then the SQL becomes:

"SELECT * FROM logins WHERE uid = '' OR '1'='1'"

That entry will always return a result and allow the attacker access to that system.

While it is hard to write keyword filters that catch every variation of the example above, most SQL Injection attacks are much simpler to catch. A lot of attacks rely on default stored procedures that have poor permissions. Many extended stored procedures can be executed by the 'public' role (SQL Server 2000), which is akin to allowing the 'guest' user to have access to something on a server.

There are five simple rules to remember in relation to averting SQL Injection attacks:

  1. Protect the entry point first, the web server.
  2. Never pass unchecked user-input to database-queries.
  3. Validate and sanitize every user variable passed to the database.
  4. Check if the given input has the expected data type.
  5. Quote (escape) user input that is passed to the database, or better still, pass it as a query parameter so the database never parses it as SQL.
For those with Microsoft web servers, you can screen out potential SQL injection threats by screening out potential attack requests before they are processed by IIS. SecureIIS Web Server Protection from eEye Digital enables administrators to properly define filters that can screen for unwanted commands and requests. For example, if part of the form input is a numeric field then do NOT allow any other characters aside from numbers to come through that field. If it's a username then obviously most characters that are not alpha or numeric need not be allowed either.

Best practices in managing a secure SQL server dictate removing any unnecessary stored procedures and locking down the ACLs on the remaining procedures. Compile a list of the remaining procedures and add those keywords to SecureIIS. DBAs (Database Administrators) must do all they can to remove unneeded functionality. All unused stored procedures should be removed and permissions must be reviewed on the ones remaining. Use some of the most commonly abused stored procedures (such as xp_cmdshell) as a booby trap: SecureIIS uses these booby-trapped keywords to alert administrators when someone is actively attacking a web application and looking for a flaw.
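The login bypass above, the parameterised form of the same query, the per-field checks from rules 3 and 4, and a request screen of the kind described for SecureIIS, together as an added example (not the newsletter's, eEye's or Microsoft's code). It uses Python's bundled sqlite3 so it runs anywhere; the sample table row, the query strings and the booby-trap token list are constructed for the example (the extended procedure names in the list are real SQL Server 2000 procedures, the choice of list is an assumption). On SQL Server the parameterised form is an ADO Command with parameters or sp_executesql with @uid.

```python
import re
import sqlite3
from urllib.parse import unquote_plus


def make_db():
    """In-memory stand-in for the logins table; one constructed sample row."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE logins (uid TEXT PRIMARY KEY, pwd TEXT)")
    db.execute("INSERT INTO logins VALUES ('alice', 's3cret')")
    return db


def login_vulnerable(db, uid):
    """The pattern from the text: the form value is pasted into the SQL string,
    so a quote in it ends the literal and the rest is parsed as SQL."""
    sql = "SELECT * FROM logins WHERE uid = '" + uid + "'"
    return db.execute(sql).fetchall()


def login_parameterised(db, uid):
    """Same query with a bound parameter: the value is never parsed as SQL."""
    return db.execute("SELECT * FROM logins WHERE uid = ?", (uid,)).fetchall()


# Rules 3 and 4: an allow-list per field type, applied before any query is built.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def valid_username(value):
    return USERNAME_RE.fullmatch(value) is not None


def valid_int(value):
    return value.isdigit() and len(value) <= 10


# Request screen in the spirit of the booby-trap idea: tokens that have no
# business in a form field, most specific first.  The list is an assumption.
BOOBY_TRAPS = ("xp_cmdshell", "xp_regread", "sp_oacreate", "--", "/*", ";", "'")


def screen_request(query_string):
    """Return the first booby-trapped token in a decoded query string, or None."""
    decoded = unquote_plus(query_string).lower()
    for token in BOOBY_TRAPS:
        if token in decoded:
            return token
    return None


# Constructed sample requests, as a web server log might show them.
SAMPLE_REQUESTS = [
    "uid=alice",                                           # benign
    "uid=%27+OR+%271%27%3D%271",                           # ' OR '1'='1
    "uid=x%27%3B+exec+master..xp_cmdshell+%27dir%27--",    # command execution attempt
]


def demo():
    db = make_db()
    attack = "' OR '1'='1"
    return {
        "vulnerable_rows": len(login_vulnerable(db, attack)),        # 1: bypass works
        "parameterised_rows": len(login_parameterised(db, attack)),  # 0
        "attack_passes_validation": valid_username(attack),          # False
        "screened": [screen_request(r) for r in SAMPLE_REQUESTS],    # [None, "'", "xp_cmdshell"]
    }


if __name__ == "__main__":
    print(demo())
```

The screen is worth having for the alerting the text describes, but note its limits: a legitimate value such as O'Brien trips the quote rule, and attackers vary encoding and case. The allow-list and the bound parameter are what actually close the hole; the screen tells you someone is probing.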

For more information on SecureIIS and to download a free trial, visit:

99.999% High Availability A Dream?

Well, let's conclude that it was great marketing. But if you look under the covers, it usually was not all it was cracked up to be. If one investigates the exact service level guarantees, the penalty to a vendor for not achieving guaranteed uptime typically consisted of a service credit. Big Deal.

More over, most of these guarantees were just focused on the OS. And we just saw last December that over 40% of downtime is caused by apps, and a good chunk by hardware or natural disasters. The gulf between the promise of 99.999% uptime and reality was often quite large.

High availability is still a top concern for system admins though. Outfits that require five nines, or even 100 percent uptime, such as financial institutions or 911 centers, usually choose vendors with specific fault-tolerant machines: Tandem or Stratus usually.

But for mere mortals like us that can live with a little bit of downtime and not get killed for it, W2K demonstrates higher uptime levels than NT. The Aberdeen Group, looking at 10 enterprises in 2001, estimated that W2K servers averaged 99.964% uptime. And MS promises a real 99.999% uptime provided you use Datacenter Server with a proper configuration.

Being part of the Windows Datacenter Program means stringent rules that OEMs must live up to. These include hardware compatibility, support centers staffed by both OEM and Windows specialists, and added to that an active software maintenance program. It really looks a lot like an IBM mainframe type of setup, so you cannot hook up just anything you want to these puppies, or plug in cards you like. Last but not least, the disaster recovery issue has still not been solved by MS, even with Datacenter. Getting your data off-site, real time, to a safe place that can be backed up and/or used to rebuild servers in case the office building goes up in flames or apps crash fatally is still solved by third party tools like Double-Take:


This Week's Links We Like. Tips, Hints And Fun Stuff

  • This is the coolest animation I have seen in a while. Icons at war! Turn your sound on and click here:
    http://www.w2knews.com/rd/rd.cfm?id=030127FA-Warring_Icons
  • Are you using SPEWS as an email blacklist? Here is an anti-spews site that explains the drawbacks of their particular approach:
    http://www.w2knews.com/rd/rd.cfm?id=030127FA-Anti-Spews
  • Did you know XP connects to MS Servers in at least 16 different ways? This page is controversial, as it has opinion mixed into technical data:
    http://www.w2knews.com/rd/rd.cfm?id=030127FA-XP_Connections
  • Good technical e-books. W2Knews subscribers and Sunbelt Software customers get a 25% discount! Check the NetImpress Site:
    http://www.w2knews.com/rd/rd.cfm?id=030127FA-E-books
  • Looks like 2003 is looking a lot brighter for IT Salaries!
    http://www.w2knews.com/rd/rd.cfm?id=030127FA-IT_Salaries
  • A lot of you clicked on the COOL Canadian hotel room, but here is a WHOLE hotel made out of ice. Really. Check it out at:
    http://www.w2knews.com/rd/rd.cfm?id=030127FA-IceHotel
  • In a hurry? At a workstation you do not know? Cannot run a DOS box for any reason? Try whatismyip:
    http://www.w2knews.com/rd/rd.cfm?id=030127FA-WhatIsMyIP
  • OK, how good IS your eye-hand coordination really?
    http://www.w2knews.com/rd/rd.cfm?id=030127FA-Coordination

    BIOMETRICS - Identity Assurance in the Information Age

    I just got a review copy. Pretty complete! It's got it all:
    Beyond passwords and PINS, beyond ID cards, keys, and tokens, stands biometrics--the science of recognizing people by physical characteristics or personal traits. Learn about the technical properties and applications of fingerprints, hand geometry, facial and voice recognition, iris and retinal scans, signature and keystroke dynamics, and futuristic biometrics such as vein patterns. Follow sample scenarios and real-world case studies to understand ensuring biometric liveness, deploying biometrics in large-scale systems, developing technical standards, and testing and evaluating biometric technologies. Get it at Amazon: