Sunbelt W2Knews Electronic Newsletter
The secret of those "who always seem to know" - Over 500,000 Readers!
Mon, Jan 27, 2003 (Vol. 8, #4 - Issue #410)
2003 looks a lot brighter for IT Salaries
This issue of W2Knews contains:
- EDITORS CORNER
- TECH BRIEFING
- Using the W2K Encrypting File System (Exam 70-214)
- NT/2000 RELATED NEWS
- MS Definitely Takes Notice Of Linux
- HP Teams Up With MS for Network Attached Storage
- MS releases SQL Server 2000 Service Pack 3
- MS Announces First 2003 Windows Bugs
- NT/2000 THIRD PARTY NEWS
- How can I protect against SQL Injection attacks?
- 99.999% High Availability A Dream?
- W2Knews 'FAVE' LINKS
- This Week's Links We Like. Tips, Hints And Fun Stuff
- PRODUCT OF THE WEEK
- BIOMETRICS - Identity Assurance in the Information Age
Cut Your Help Desk Support Calls by 50%
ScriptLogic automates administration tasks and reduces help desk
support for more than 1,000,000 desktops every day.
* Logon, logoff and shutdown scripting
* Install/update software packages
* Create Outlook mail profiles
* Create/remove shortcuts
* Enforce security policies
* And much more
Begin saving time today! Evaluate a fully functional 45 day trial
version of ScriptLogic and get a FREE "Born to Network" T-shirt.
Free Born to Network T-shirt offer is available to US residents only.
Visit ScriptLogic for more information.
How's Your 2003 Budget?
It's different per industry section, but there seems to be a lot
of "doing more with less" all over. How does your IT budget
compare with last year's? Check out how everyone is doing in the
new SunPoll. The results are online in real-time! Vote here:
Quote of the day:
"Technology is the word given to the stuff that doesn't quite
work just yet." - Supercomputer designer Danny Hillis
(email me with feedback: [email protected])
"System Operation Workflow Software"
OpalisRobot automates a broad range of system operations
including event monitoring, file replication, routine maintenance
chores and production jobs. Run reports, batch jobs, scripts,
business processes and correct system errors with a single solution.
Download the FREE, fully functional demo software today.
Visit Opalis for more information.
Using the W2K Encrypting File System (Exam 70-214)
The Encrypting File System supported in Windows 2000 and XP/.NET
is a security feature built into the NTFS file system. In order
to encrypt a file (or folder) in any of these operating systems,
the file (or folder) must be located on an NTFS 5 volume. NTFS 5
is the version that is created with a Windows 2000 installation.
Both public key encryption and secret key encryption are
implemented within the complete process, so data is encrypted quickly
and in such a way that it can stand up against an attack from
cryptanalysts (people who specialize in analyzing and "breaking"
encryption algorithms). U.S. customers who purchase Windows 2000
receive a 56-bit standard DES algorithm for implementation, but
U.S. customers can also obtain a 128-bit encryption DES algorithm.
Until export approval is received, Microsoft also has a 40-bit DES
algorithm for all international customers.
An encrypted file can be read by anyone with a private key that
can decrypt the File Encryption Key. In the Windows 2000
implementation of EFS, only the user who encrypted a file and a
designated recovery agent (usually the network administrator) can
decrypt the data. The version of EFS included in Windows XP/Windows
Server 2003 adds the capability to share encrypted files
The provision of a recovery agent is important in the implementation of EFS in the business environment. If a user leaves a
company or if a user's private key becomes corrupted or is
accidentally deleted, the recovery agent can implement data
recovery. This might sound like a security weak spot, but data
recovery in Windows is not a security weakness.
Microsoft has written code to establish an Encrypted Data Recovery
Policy (EDRP), which controls who can recover data if the owner's
private key is lost or if an employee leaves the organization.
In a workgroup environment, Windows automatically sets up the
EDRP on the local machine. In a domain environment, the EDRP is
set up in the domain policy by the system administrator, and
computers belonging to the domain will receive the EDRP from
If a computer is not a member of a Windows 2000 domain and you
force an Administrative password change on the user account that
was used to encrypt the files, those files become unrecoverable.
In a domain environment, you have more recovery options for EFS
NOTE: If you want to store encrypted files on a remote server,
the server must be trusted for delegation. You must be a domain
admin to configure the server as trusted for delegation. This is
done through the Active Directory Users and Computers console.
For detailed instructions, see Microsoft Knowledge Base article
Q307877. Also note that you will not be able to access encrypted
files from Macintosh clients.
Excerpted from Chapter 5 of MCSE Implementing and Administering
Security in a Windows 2000 Network: Study Guide and DVD Training
System (Exam 70-214) by Will Schmied with contributions from Chad
Todd, Tom Shinder, and Debra Littlejohn Shinder. Syngress Publishing
2003 (1931836841). Click here to get more information about this
title or to purchase it from Amazon.com over at:
You can also purchase the e-Book now directly from Syngress
[NEXT WEEK: How EFS Works]
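The recovery model described above (a per-file File Encryption Key wrapped once for the owner and once for the recovery agent, with the owner's wrapping key derivable only from the owner's own password) can be demonstrated end to end. This is an added illustration, not code from the book excerpt or from Windows: it uses an HMAC counter keystream in place of EFS's DES cipher and PBKDF2 in place of Windows' password-protected private key, and the passwords and file contents are constructed sample values. It shows why an administrative password reset on a stand-alone machine makes the file unrecoverable, while a recovery agent (DRF) still gets the data back.

```python
import os
import hashlib
import hmac

def keystream_xor(key, nonce, data):
    """Symmetric encrypt/decrypt: XOR data with an HMAC-SHA256 counter keystream.
    Model stand-in for the DES-based cipher EFS applies with the FEK."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def password_kek(password, salt):
    """The owner's key-encryption key exists only while the owner's password is
    known (model of Windows protecting the EFS private key with the logon password)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20000)

def efs_encrypt(plaintext, owner_kek, dra_kek):
    fek = os.urandom(32)            # random File Encryption Key, one per file
    nonce = os.urandom(16)
    blob = {
        "nonce": nonce,
        "data": keystream_xor(fek, nonce, plaintext),
        "ddf": keystream_xor(owner_kek, nonce + b"ddf", fek),   # Data Decryption Field
        "check": hmac.new(fek, b"fek-check", hashlib.sha256).digest(),
    }
    if dra_kek is not None:         # Data Recovery Field only when an EDRP names an agent
        blob["drf"] = keystream_xor(dra_kek, nonce + b"drf", fek)
    return blob

def efs_decrypt(blob, kek, field):
    """Unwrap the FEK from the named field; None means this key cannot open it."""
    if field not in blob:
        return None
    fek = keystream_xor(kek, blob["nonce"] + field.encode(), blob[field])
    tag = hmac.new(fek, b"fek-check", hashlib.sha256).digest()
    if not hmac.compare_digest(tag, blob["check"]):
        return None
    return keystream_xor(fek, blob["nonce"], blob["data"])

def demo(with_recovery_agent):
    """Returns (owner's result, result after admin password reset, agent's result)."""
    salt = os.urandom(16)
    owner_kek = password_kek("Winter2003!", salt)       # constructed sample password
    dra_kek = os.urandom(32) if with_recovery_agent else None
    blob = efs_encrypt(b"Q4 payroll figures", owner_kek, dra_kek)
    reset_kek = password_kek("Reset123", salt)          # admin forced a new password
    return (efs_decrypt(blob, owner_kek, "ddf"),
            efs_decrypt(blob, reset_kek, "ddf"),
            efs_decrypt(blob, dra_kek, "drf") if dra_kek else None)
```

`demo(True)` models a domain member with an EDRP; `demo(False)` models the workgroup case in the text, where the reset leaves nobody able to unwrap the FEK.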
NT/2000 RELATED NEWS
MS Definitely Takes Notice Of Linux
How so? They have a booth at LinuxWorld! In the past, MS may have
seemed somewhat indifferent, but no more. This is a good thing.
Peter Houston, senior director of server strategy at Microsoft
recently remarked "One of the biggest changes has been IBM's
emergence in the Linux space. We have to take these things more
seriously than we would have before."
It is obvious that the corporate data center has a choice to make
in the next few years. Clearly, there is a movement away from Unix
vendors' proprietary hardware platforms to Intel-based servers. The
OS competition is going to be a two-horse race: Windows and Linux.
Up to now, Linux has mostly been eating into the existing *Nix-en
out there, but will become a viable choice compared to Windows.
Obviously, both options have their "value proposition", and this
is going to be a very interesting battle. It will force MS to be
competitive and provide continual higher quality. To some extent
they are moving toward a more component-based model, so watch for
W2K3 with a smaller footprint, minimizing the number of services
that really need to be there.
HP Teams Up With MS for Network Attached Storage
The two 800-pound gorillas are teaming up to boost network-attached
storage products. They were already cooperating for a while, but
now their engineers and sales / marketing teams will get trained
together. They have decided they want to push Windows Powered NAS
deeper into the enterprise. The target? IT groups that want to
consolidate servers, but add more storage.
It is something a large percentage of you are thinking about. See
SunPoll 45 about consolidation here:
If you look at the almost 2 million servers out there (both NT and
W2K) that are targets for consolidation, you can see the market
opportunity. Not to forget an estimated half a million Exchange
5.0 and older messaging servers.
All these boxes might get replaced, since they run older versions
of software and are being used stand-alone. Consolidating several
of these and adding storage to the network means, of course, less
cost, as you have less (and likely cheaper) hardware involved and the
system is easier to manage. If you are planning server consolidation,
you might want to check out AutoPilot Enterprise. This utility with
a true supercomputer background (code was originally developed for
Cray SMP boxes) will allow you to run many more processes on the
same server with a very smooth performance curve:
MS releases SQL Server 2000 Service Pack 3
Just last Monday, MS announced SQL 2K SP3. It's got a monitoring
API and enhanced error reporting. The new API allows you (or third
party tools) to diagnose problem processes. The error reporting
enables MS to be automatically notified about critical errors,
similar to the stuff that's now part and parcel of XP.
If you run multiple servers, their administration is improved too:
the new function enables centralization of maintenance tasks for
several servers onto a single machine. MS states that SQL performance is better
through use of Virtual Interface (VI) technology in the networking
layer. This is supposed to reduce CPU consumption per message on
the server and client. And if you really want a screaming I/O
subsystem performance, you can now use QLogic's VI-enabled SAN
QLA2350 Fibre Channel controller.
There are some security related patches, and you can now run the
SQL Server Agent as a non-admin function for scheduling tasks
such as backups and restores. And like always, first TEST, TEST
and TEST some more on a NON-PRODUCTION machine!! You can get the
new SQL SP3 over at:
MS Announces First 2003 Windows Bugs
Hmmm. What else is new. Servers running NT, W2K or XP have been
discovered to suffer from another nasty buffer overrun flaw.
These usually allow black hats to take control of your PC as
buffer overflow bugs allow them to run code on your machine.
The MS indicator for this problem in the Locator Service is
critical. They tell you it should be a quick patch. There are
also other warnings out for Content Management Server 2001 and
Outlook 2002 -- There are patches available. Get them at:
Oh, and when you are sick and tired of all the work related to
patching systems continuously, the best selling 2002 third party
tool to automate this is called UpdateEXPERT. This product is
really incredibly useful to keep your networks and systems
THIRD PARTY NEWS
How can I protect against SQL Injection attacks?
Answer: If your web servers happen to have a database backend
(i.e. nearly all servers in commercial environments), SQL Injection
attacks are malicious attempts aimed at bypassing the security
mechanisms of the database. To do this, SQL Injection attacks
utilize the web server to modify the content in the database.
Formally, SQL Injection is a technique that enables an attacker
to execute unauthorized SQL commands by taking advantage of
unsanitized input opportunities in Web applications that build
dynamic SQL queries.
For example, the most common form of SQL injection is bypassing
a login screen. Typically, the SQL would look like this
"SELECT * FROM logins WHERE uid = '[form input here]'"
The script would then check to see if there was any result. If
the following is entered into the form: ' OR '1'='1
then the query becomes
"SELECT * FROM logins WHERE uid = '' OR '1'='1'"
That entry will always return a result and allow an attacker access
to that system.
While it is a little hard to create keyword filters that avert the
above example, most SQL Injection attacks are much simpler
to catch. A lot of attacks utilize default-stored procedures that
have poor account security. Many stored procedures allow use by
the 'public' account (SQL2000) and this is akin to allowing the
'guest' user to have access to something on a server.
There are five simple rules to remember in relation to averting
SQL Injection attacks:
- Protect the entry point first: the web server.
- Never pass unchecked user-input to database-queries.
- Validate and sanitize every user variable passed to the database.
- Check if the given input has the expected data type.
- Quote user input that is passed to the database.
For those with Microsoft web servers, you can screen out potential
SQL injection threats by screening out potential attack requests
before they are processed by IIS. SecureIIS Web Server Protection
from eEye Digital enables administrators to properly define filters
that can screen for unwanted commands and requests. For example, if
part of the form input is a numeric field then do NOT allow any other
characters aside from numbers to come through that field. If it's
a username then obviously most characters that are not alpha or
numeric need not be allowed either.
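The login-bypass example and the five rules above, worked through against a real database engine. This is an added example, not code from the newsletter or from SecureIIS: it uses Python's built-in sqlite3 with a constructed in-memory "logins" table, and shows the concatenated query being bypassed, then the same query with quote-escaping (rule 5), with a bound parameter (rule 2), and with type checks applied before the value ever reaches the database (rules 3 and 4).

```python
import re
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the newsletter's 'logins' table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE logins (uid TEXT, pw TEXT)")
    db.execute("INSERT INTO logins VALUES ('alice', 's3cret')")
    return db

def login_vulnerable(db, uid):
    """Query built by string concatenation, the pattern shown in the text."""
    sql = "SELECT * FROM logins WHERE uid = '" + uid + "'"
    return db.execute(sql).fetchall()

def login_quoted(db, uid):
    """Rule 5, 'quote user input': doubling single quotes keeps them inside the literal."""
    sql = "SELECT * FROM logins WHERE uid = '" + uid.replace("'", "''") + "'"
    return db.execute(sql).fetchall()

def login_parameterized(db, uid):
    """Rule 2, 'never pass unchecked input': the value is bound, never parsed as SQL."""
    return db.execute("SELECT * FROM logins WHERE uid = ?", (uid,)).fetchall()

USERNAME = re.compile(r"[A-Za-z0-9]{1,32}")

def expected_type_ok(value, kind):
    """Rules 3 and 4: reject anything outside the field's expected data type
    before it reaches the database (the same idea as an IIS-level filter)."""
    if kind == "numeric":
        return value.isdigit()
    if kind == "username":
        return USERNAME.fullmatch(value) is not None
    return False

def demo():
    db = make_db()
    injected = "' OR '1'='1"       # the bypass string discussed in the text
    return {
        "vulnerable_rows": len(login_vulnerable(db, injected)),        # 1: bypassed
        "quoted_rows": len(login_quoted(db, injected)),                # 0
        "parameterized_rows": len(login_parameterized(db, injected)),  # 0
        "legit_rows": len(login_parameterized(db, "alice")),           # 1
        "username_filter": expected_type_ok(injected, "username"),     # False
        "numeric_filter": expected_type_ok("42; DROP TABLE logins", "numeric"),  # False
    }
```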
Best practices in managing a secure SQL server dictate removing any
unnecessary stored procedures and locking down the ACL's on the
remaining procedures. Compile a list of the remaining procedures
and add those keywords to SecureIIS. DBA (Database Administrators)
must do all they can to remove unneeded functionality. All unused
stored procedures should be removed and permissions must be reviewed
on the ones remaining. The names of some of the most commonly used
stored procedures (such as xp_cmdShell) can be added as keywords to
act as a booby trap. SecureIIS uses these booby-trapped keywords to
alert administrators when someone is actively attacking a web
application and looking for a flaw.
For more information on SecureIIS and to download a free trial,
99.999% High Availability A Dream?
Well, let's conclude that it was great marketing. But if you look
under the covers, it usually was not all it was cracked up to be.
If one investigates the exact service level guarantees, the penalty
to a vendor for not achieving guaranteed uptime typically consisted
of a service credit. Big Deal.
Moreover, most of these guarantees were just focused on the OS.
And we just saw last December that over 40% of downtime is caused by
apps, and a good chunk by hardware or natural disasters. The gulf
between the promise of 99.999% uptime and reality was often quite
High availability is still a top concern for system admins though.
Outfits that require five-nines, or even 100 percent, uptime, such
as financial institutions or 911 centers, usually choose vendors
with specific fault-tolerant machines, typically Tandem or Stratus.
But for mere mortals like us that can live with a little bit of
downtime and not get killed for it, W2K demonstrates higher uptime
levels than NT. The Aberdeen Group, looking at 10 enterprises in
2001, estimated that W2K servers averaged 99.964% uptime. And MS
promises a real 99.999% uptime provided you use Datacenter Server
with a proper configuration.
Being part of the Windows Datacenter Program means stringent rules
that OEMs must live up to. These include hardware compatibility,
support centers staffed by both OEM and Windows specialists, and
added to that an active software maintenance program. It really
looks a lot like an IBM mainframe type of setup, so you cannot
hook up just anything you want to these puppies, or plug in cards
you like. Last but not least, the disaster recovery issue has
still not been solved by MS, even with Datacenter. Getting your
data off-site, real time, to a safe place that can be backed up
and/or used to rebuild servers in case the office building goes
up in flames or apps crash fatally is still solved by third party
tools like Double-Take:
This Week's Links We Like. Tips, Hints And Fun Stuff
This is the coolest animation I have seen in a while. Icons at
war! Turn your sound on and click here:
Are you using SPEWS as an email blacklist? Here is an anti-spews
site that explains the drawbacks of their particular approach:
Did you know XP connects to MS Servers in at least 16 different
ways? This page is controversial, as its opinion mixed into
Good technical e-books. W2Knews subscribers and Sunbelt Software
customers get a 25% discount! Check the NetImpress Site:
Looks like 2003 is looking a lot brighter for IT Salaries!
A lot of you clicked on the COOL Canadian hotel room, but here is
a WHOLE hotel made out of ice. Really. Check it out at:
In a hurry? At a workstation you do not know? Cannot run a DOS
box for any reason? Try whatismyip:
OK, how good IS your eye-hand coordination really?
PRODUCT OF THE WEEK
BIOMETRICS - Identity Assurance in the Information Age
I just got a review copy. Pretty complete! It's got it all:
Beyond passwords and PINS, beyond ID cards, keys, and tokens,
stands biometrics--the science of recognizing people by physical
characteristics or personal traits. Learn about the technical
properties and applications of fingerprints, hand geometry,
facial and voice recognition, iris and retinal scans, signature
and keystroke dynamics, and futuristic biometrics such as vein
patterns. Follow sample scenarios and real-world case studies
to understand ensuring biometric liveness, deploying biometrics
in large-scale systems, developing technical standards, and
testing and evaluating biometric technologies. Get it at Amazon: