Sunbelt W2Knews™ Electronic Newsletter
The secret of those "who always seem to know" - Over 500,000 Readers!
Mon, Feb 3, 2003 (Vol. 8, #5 - Issue #411)
Life Extension for NT. . . WHEW!
  This issue of W2Knews™ contains:
    • Life Extension for NT. . . WHEW!
    • How EFS Works (Exam 70-214)
    • ENT Survey: Active Directory Goes Mainstream
    • MS Renames Palladium: Tainted
    • Sure Enough, MS Gets Hit By SQL Slammer
    • Black Hat Briefings 2003 Announcement
    • Open Source Price for... Redmond?
    • So, How Does The MBSS/SUS Compare To UpdateEXPERT?
    • New Version Of Retina Released
    • Second Largest US Federal Credit Union Selects Double-Take
    • SysAdmin Toolbox Plus. What's New in 2.1?
    • U.K. Group Estimates Slammer Damage at $1 Billion
  5. W2Knews 'FAVE' LINKS
    • This Week's Links We Like. Tips, Hints And Fun Stuff
    • Book: The Nature Of The Beast
Been Hit With The Recent SQL Slammer Worm?

This could have been prevented. A U.K. security firm estimates the economic damage already over $1 billion. UpdateEXPERT is a powerful service pack and hotfix manager. You've got to do this to keep your networks secure. Use UpdateEXPERT as your research, inventory, deployment and validation tool that enables you to fix security vulnerabilities and stability problems on your machines. Visit UpdateEXPERT for more information.

Life Extension for NT. . . WHEW!

You already saw it in the Security Bulletin we sent this week. All of us Admins let out a collective "whew" over the decision to add one more year to NT. Relief was spelled R-E-P-R-I-E-V-E for the people that are still running NT. We'll have one more year to plan the migration, which, by the way, is in full swing: this year the migration to Active Directory is going full blast. See the article below. There is a LOT of news this time, so the editor's corner is short. But first, here is the new SunPoll:

Q: Are you planning to get a third party Exchange 2000 anti-spam program this year?

  • Yes, we have this now budgeted for
  • Likely, but it needs to be cheap per user!
  • Not so likely
  • We already have something in place
  • I'm still running Exchange 5.X
Vote here, leftmost column:

Let's get to work, read on!

Warm regards,
Stu Sjouwerman (email me with feedback: [email protected])

SPONSOR: Double-Take

Disaster Recovery has become priority #2, right after Security. This means you have to have a tested plan and reliable tools in place for the moment your site goes down. Double-Take is that tool. Sold more than all other High-Availability tools combined. It is even certified for W2K Datacenter. No other HA tool is. How it works? "Server A goes down--Server B takes over transparently". Get the eval copy here, this is your ultimate job-security: Visit Double-Take for more information.

How EFS Works (Exam 70-214)

Microsoft implements both secret key encryption, which is a faster and less secure process, and public key encryption, which is a slower but more secure process. When the operating system receives a request to encrypt a file, the Encrypting File System generates a random number for the file. This random number is known as the file's File Encryption Key (FEK). With the FEK, a modified DES algorithm, called DESX, is used to generate the encrypted file and store it on disk. This is the secret key (symmetric) step of the process.

When a file needs to be decrypted, the FEK is used again. If you store the FEK on disk with the file, you have the FEK available for decryption at any time. Anyone who needs to decrypt the file and who has access to it also has access to the file's FEK. Keeping sensitive data secure is the most important concern, but convenience is also important. Experience shows that when a security process is inconvenient for users, they are less likely to use it. The FEK is stored on disk and is available whenever it is needed, so the process is convenient and quick, but anyone who can get to the file also has the one item needed to decrypt it. This means you must address the security of the FEK itself. Secret key encryption is weak in this respect, but public key encryption can be used here to good effect. Thus, to tighten the FEK's security, you encrypt it as well. This is where public key cryptography comes in.

When a user encrypts a file, the Encrypting File System uses the user's public key to encrypt the FEK. This design prevents users from sharing one decryption key. In Windows 2000, multiple users cannot share encrypted files. The public key encryption method is used only on the small FEK, so the system's performance isn't impacted. The ciphered FEK is stored with the encrypted file. Only the user, with that user's private key, can decrypt the ciphered FEK, which is needed to decrypt the actual file. At this point, both the sensitive data and the FEK are secured. The slow public key algorithm is never applied to the large file itself. The final design of file encryption for Windows 2000 allows you to get the best from both encryption worlds.

NOTE: File encryption keys are stored in the nonpaged memory pool. This means the keys will never be in the paging file, which would create a security risk.

Windows XP/Windows Server 2003 enables support for sharing EFS encrypted files among multiple users, without sharing private keys among users. The file must first be encrypted by one user, who can then enable sharing and select the specific users who are to have access to the encrypted file. Any user who has an account on the local machine or in the Active Directory and who has a valid EFS certificate can be added. Each authorized user can then decrypt the file using his or her own private key.

NOTE: You might be wondering about the security of the temporary files that are used by some programs. Because of the way the NTFS file system works, temp files do not present a security problem. When temp files are created, all the attributes from the original file (including the encryption attribute, if it is present) are copied to the temp files. This means EFS encrypts the temporary copies as well as the original file. It is for this reason that Microsoft recommends setting the encryption attribute on folders rather than on individual files. Keep this in mind when asked about configuring and implementing EFS on your network and during this exam.

One interesting situation arises, however, when you create an encrypted folder and another user creates a document in that folder. The document, in this case, is encrypted using the creator or owner's key. This means you will not be able to access the document unless you're using Windows XP/Windows Server 2003 and the creator/owner has enabled sharing of the encrypted file and added your account to the user access list. Likewise, if you create a file and another user later encrypts that file, you will no longer be able to access the file unless you can use the multiple users feature provided in Windows XP/Windows Server 2003.
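The hybrid design described above, as an added Python sketch that is neither the book's nor Windows' own code: a random FEK encrypts the data, the FEK is wrapped under each authorized user's public key and stored beside the ciphertext, and the XP/2003 sharing step re-wraps the same FEK for a new user without handing over any private key. The DESX cipher is replaced by a SHA-256 counter-mode keystream, the users' certificate key pairs by textbook RSA over fixed Mersenne primes, and the users "alice" and "bob" are constructed; all three are assumptions for the example only.

```python
import hashlib
import os

FEK_BYTES = 16  # toy FEK size; it must stay below each user's RSA modulus


def fek_cipher(fek: bytes, data: bytes) -> bytes:
    """Stand-in for DESX (constructed, not the Windows cipher): XOR the data
    with a SHA-256 counter-mode keystream. XOR is its own inverse."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(fek + off.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], ks))
    return bytes(out)


def user_keypair(p: int, q: int, e: int = 65537):
    """Stand-in for a user's EFS certificate key pair: textbook RSA over two
    fixed primes (constructed, far too small for real use). Returns
    (public, private) as ((n, e), (n, d))."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))


def encrypt_file(plaintext: bytes, owner: str, owner_pub) -> dict:
    """EFS design: a random FEK encrypts the data with the fast symmetric
    cipher; only the small FEK goes through the slow public-key step and is
    stored beside the ciphertext (the per-user decryption field, "ddf")."""
    fek = os.urandom(FEK_BYTES)
    n, e = owner_pub
    return {"data": fek_cipher(fek, plaintext),
            "ddf": {owner: pow(int.from_bytes(fek, "big"), e, n)}}


def _unwrap_fek(enc: dict, user: str, priv) -> bytes:
    n, d = priv
    return pow(enc["ddf"][user], d, n).to_bytes(FEK_BYTES, "big")


def decrypt_file(enc: dict, user: str, priv):
    """Only a user with a ddf entry, holding the matching private key, can
    recover the FEK and therefore the file. Returns None when not authorized."""
    if user not in enc["ddf"]:
        return None
    return fek_cipher(_unwrap_fek(enc, user, priv), enc["data"])


def add_user(enc: dict, grantor: str, grantor_priv, new_user: str, new_pub) -> None:
    """XP/2003 sharing: an already-authorized user unwraps the FEK with their
    own private key and re-wraps it under the new user's public key. No
    private key is ever shared between users."""
    fek = _unwrap_fek(enc, grantor, grantor_priv)
    n, e = new_pub
    enc["ddf"][new_user] = pow(int.from_bytes(fek, "big"), e, n)
```

Each user ends up with a different wrapped copy of the same FEK, so revoking or granting access means editing only the small decryption field, not re-encrypting the file.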

Excerpted from Chapter 5 of MCSE Implementing and Administering Security in a Windows 2000 Network: Study Guide and DVD Training System (Exam 70-214) by Will Schmied with contributions from Chad Todd, Tom Shinder, and Debra Littlejohn Shinder. Syngress Publishing 2003 (1931836841). Click here to get more information about this title or to purchase it from Amazon.com over at:

You can also purchase the e-Book now directly from Syngress:


ENT Survey: Active Directory Goes Mainstream

A new ENT survey of nearly 800 IT professionals shows Active Directory migrations, the surest sign that organizations are committing themselves to Microsoft's infrastructure, are in full swing and should be the rule rather than the exception by the end of this year. While NT 4.0 Servers are still present in nearly two thirds of the organizations surveyed, W2K Servers are present at far more of those organizations. And the newer W2K Servers outnumber the NT 4.0 Servers across the board. Read more at the ENT site. This is a good one:

MS Renames Palladium: Tainted

Redmond decided to ditch the Palladium name. It was the code name for its plan to link hardware and software security inside Windows-based computers. The new name is now "next-generation secure computing base". They said it "better describes the effort". My take: Hmmm. There has been SO much negative publicity attached to the Palladium name that this is a deft move by their PR department to deflect some of the $#!+ that is hitting the fan regarding Palladium.

Sure Enough, MS Gets Hit By SQL Slammer

Interesting article over at InfoWorld about MS getting hit by the SQL Slammer worm. Talk about releasing a patch and then not updating some of your own servers for almost 6 months: [grin]

Black Hat Briefings 2003 Announcement

This time the Briefings are held in Microsoft's back yard: the conference will be in Seattle, February 26-27th, with two days of training available on the 24th & 25th. Highlights of the Briefings will include the much anticipated release of the "Enforcer" tool by Tim Mullen, Michael Howard & David LeBlanc's presentation on writing secure code, and Saumil Shah's presentation on assessment techniques utilizing the Fire & Water tool-kit. You can register here:

Greg Hoglund, founder of rootkit.com and Cenzic, has been added to the training agenda, and is giving a two day class titled "Aspects of Offensive Root-kit Technology". This is a first time offering of a class specifically focusing on Root-kit technology and promises to be stellar.

And if you could not make it in 2002, all the videos from Black Hat Windows Security 2002 AND Black Hat USA 2002 are now on-line. Richard Clarke was the keynote speaker at the July show, and while there were many excellent technical talks, Jeff Jonas' lunchtime talk on NORA was not to be missed:

Open Source Price for... Redmond?

During LinuxWorld, it looks like MS was able to grab one of the awards. In the category of 'Best System Integration Software' their 'Services for Unix 3.0' actually made it as first place. The irony here is that it is a GPL open source product, the very thing Microsoft itself has just recently been vehemently objecting to. [grin] Here is the proof:


So, How Does The MBSS/SUS Compare To UpdateEXPERT?

Microsoft's Baseline ("Base") Security Analyzer is an attempt by Redmond to provide its customers with a reasonable level of added security. MBSA is currently available for English OS's only and is designed as part of a "base" solution to be used with Software Update Services and SMS' Update Service Feature Pack. The idea is to provide a "base" level of protection against common security misconfigurations and security classified hotfixes. MBSA uses the HFNetChk tool technology to scan for missing security updates and service packs.

Although a "base" level of protection may serve well for some Windows customers, a product like eEye's Retina is far superior at identifying system vulnerabilities, which include MORE than the absence of security related patches. UpdateEXPERT is also far superior as an update management tool, since update management is a process that includes more than just security updates. Together such products build complete solutions and are more reliable.

UpdateEXPERT is a software patch vulnerability assessment tool that scans a customer's networked systems for missing patches and remediates discovered weaknesses for increased protection. While MBSA can identify a SECURITY mis-configuration, it still requires a separate component to remediate the problem (SUS or Update Service Feature Pack). From an Update Management standpoint, UpdateEXPERT offers a number of added strengths:

Third Party Database - UpdateEXPERT does not use a public source database for the list of patches. Instead, it uses an exclusive patch database that includes information about research, patch locations, validation information, patch interdependencies and deployment instructions. The UpdateEXPERT experts research and test independently to ensure reliable software patch delivery and installation.

For instance, there are two patches that protect customers from the Slammer worm. One is MS02-039 (released last July) and one is MS02-061 (released last October). UpdateEXPERT has carried these patches since they were released, and either of them would have stopped the Slammer.

SQL 2000 SP3 is a roll-up of all of the security bulletins since the last Service Pack, and surely would contain the two patches mentioned above. The service pack installation is pretty complicated and it took a fairly large effort to get it into the database. It is in QA right now and should be released today.

UpdateEXPERT is a management console based software solution. You install the software on your workstation and manage all other machines from there. Agents, such as those used in MBSA and SUS, can cause potential performance problems for the system on which they run (we find admins generally object to planting agents on their servers and workstations).

UpdateEXPERT includes a vast set of patches, not just security patches. In addition, UpdateEXPERT has the ability to accept private hotfixes and can use the custom install feature to deploy.

Policy-based deployment - UpdateEXPERT can deploy patches that are missing and applicable by simply using a user defined list of required updates. UpdateEXPERT matches the required list of updates against the inventories of each workstation and server managed. Then, deployment instructions are automatically customized for each machine. With just a few clicks, any number of machines can be patched immediately. Tell UpdateEXPERT what patches are required, and UpdateEXPERT does the rest. UpdateEXPERT does not require any additional hardware (SUS requires a dedicated IIS 5.0 server). Although base solutions exist, it probably comes down to how much better you want to sleep at night. 15-day eval of UpdateEXPERT here:

New Version Of Retina Released

The following changes were made since Retina 4.9.43:

  • Enhanced SQL auditing
  • Enhanced Custom Policy management through "Remove Audit From Current Policy" feature
  • Added "Email Audit Details" feature
  • Added ability to search audits database (Tools/Audits Search)
  • Improved command line management of Retina as a scanning engine
Check out this blisteringly fast, award winning scanner here:

Second Largest US Federal Credit Union Selects Double-Take

"As the second-largest corporate credit union in the United States, we view our central databases as the glue that keeps us together and connects us to our members. Accessible and up-to-date information is vital to our business operations. After researching numerous vendors, it became clear that NSI's products and Professional Services team were right for us."-- Sam Palmgren, Southwest Federal Credit Union Senior Project Lead, Technology Development

SysAdmin Toolbox Plus. What's New in 2.1?

Version 2.1 adds numerous new features to the Remote Reboot tool. These include:

  • Reboot one or more remote computers. With this new capability you could quickly shut down every computer in your organization.
  • Easily add or remove names from a list of computers to be rebooted. You can quickly select multiple computers using the shift or control keys.
  • The delay time before the reboot command is to be executed can now be entered in hours, minutes and seconds. This simplifies the calculations needed to schedule the reboot. The multi machine reboot or shutdown is a really cool option.
Check it out, and buy online for just $185 at:

U.K. Group Estimates Slammer Damage at $1 Billion

A U.K.-based security firm is estimating that economic damage from the SQL Slammer worm is already over $1 billion, making it the ninth most damaging malware attack yet in the firm's estimation. mi2g released the billion-dollar estimate on Thursday. It was an upward revision of a figure the group released earlier in the week. "It has also jumped in ranking from number 13 a few days ago to number 9 in terms of the worst malware attacks recorded by the mi2g Intelligence Unit," an mi2g spokeswoman said in a statement. More at the ENTmag site:


This Week's Links We Like. Tips, Hints And Fun Stuff

  • MS has decided to start selling ad space on BSOD screens. Hehehe.
    http://www.w2knews.com/rd/rd.cfm?id=030203FA-Ads
  • Pretty good spot to check the general health of the Internet:
    http://www.w2knews.com/rd/rd.cfm?id=030203FA-Internet_Health
  • Know anyone that wants to buy a real German Castle? We'll split the finders fee [grin]:
    http://www.w2knews.com/rd/rd.cfm?id=030203FA-Castle
  • Model Rocket Inflight Video Camera link via 2.4GHz Microwave. Awesome videos, but slow download. Give it time:
    http://www.w2knews.com/rd/rd.cfm?id=030203FA-RocketCam

Book: The Nature Of The Beast

The Nature Of The Beast by Burton Hersh is a novel about Owen Rheinsdorf, an ex-CIA operations specialist who gets dragged out of retirement and plunged into a deadly conflict with a delusional demagogue and a psycho, pedophile assassin. The Nature Of The Beast is recommended as a grippingly written saga, crafted with a firm grounding in the history of secret conflicts in Vietnam, Portugal, Uruguay, Panama, and Moscow, and having the profound double impact of both realism and high-stakes tension. The author is a personal friend of mine and a real CIA-expert. Want to know some of the hidden forces running our country? Reads like a John Le Carre thriller. More background information at Tree Farm Books:

Also available at Amazon here: