Sunbelt W2Knews Electronic Newsletter
The secret of those "who always seem to know" - Over 500,000 Readers!
Mon, Feb 3, 2003 (Vol. 8, #5 - Issue #411)
Life Extension for NT. . . WHEW!
This issue of W2Knews contains:
- EDITORS CORNER
- Life Extension for NT. . . WHEW!
- TECH BRIEFING
- How EFS Works (Exam 70-214)
- NT/2000 RELATED NEWS
- ENT Survey: Active Directory Goes Mainstream
- MS Renames Palladium: Tainted
- Sure Enough, MS Gets Hit By SQL Slammer
- Black Hat Briefings 2003 Announcement
- Open Source Price for... Redmond?
- NT/2000 THIRD PARTY NEWS
- So, How Does The MBSA/SUS Compare To UpdateEXPERT?
- New Version Of Retina Released
- Second Largest US Federal Credit Union Selects Double-Take
- SysAdmin Toolbox Plus. What's New in 2.1?
- U.K. Group Estimates Slammer Damage at $1 Billion
- W2Knews 'FAVE' LINKS
- This Week's Links We Like. Tips, Hints And Fun Stuff
- PRODUCT OF THE WEEK
- Book: The Nature Of The Beast
Been Hit With The Recent SQL Slammer Worm?
This could have been prevented. A U.K. security firm estimates
the economic damage already over $1 billion. UpdateEXPERT is a
powerful service pack and hotfix manager. You've got to do this
to keep your networks secure. Use UpdateEXPERT as your research,
inventory, deployment and validation tool that enables you to fix
security vulnerabilities and stability problems on your machines.
Visit UpdateEXPERT for more information.
Life Extension for NT. . . WHEW!
You already saw it in the Security Bulletin we sent this week.
All of us Admins let out a collective "whew" over the decision
to add one more year to NT. Relief was spelled R-E-P-R-I-E-V-E
for the people that are still running NT. We'll have one more
year to plan the migration. Which by the way is in full swing.
This year, the migration to Active Directory is going full blast.
See the article below. There is a LOT of news this time, so the
editor's corner is short. But first, here is the new SunPoll:
Q: Are you planning to get a third party Exchange 2000 anti-spam program this year?
Vote here, leftmost column:
- Yes, we have this now budgeted for
- Likely, but it needs to be cheap per user!
- Not so likely
- We already have something in place
- I'm still running Exchange 5.X
Let's get to work, read on!
(email me with feedback: [email protected])
Disaster Recovery has become priority #2, right after Security.
This means you have to have a tested plan and reliable tools in
place for the moment your site goes down. Double-Take is that tool.
Sold more than all other High-Availability tools combined. It is
even certified for W2K Datacenter. No other HA tool is. How it
works? "Server A goes down--Server B takes over transparently".
Get the eval copy here, this is your ultimate job-security:
Visit Double-Take for more information.
How EFS Works (Exam 70-214)
Microsoft uses both secret key encryption, which is fast but
leaves you with a single key that must itself be protected, and
public key encryption, which is slower but lets that key be
locked to something only its owner holds. When the operating
system receives a request to encrypt a file, the Encrypting File
System generates a random number for that file. This random
number is the file's File Encryption Key (FEK). Using the FEK, a
modified DES algorithm called DESX produces the encrypted file
that is stored on disk. This is the secret key step.
When a file needs to be decrypted, the FEK is used again. If you
store the FEK on disk with the file, you have the FEK available
for decryption at any time. Anyone who needs to decrypt the file
and who has access to it also has access to the file's FEK. Keeping
sensitive data secure is the most important concern, but convenience
is also important. Experience shows that when a security process
is inconvenient for users, they are less likely to use it. The FEK
is stored on disk and is available whenever it is needed, so the
process is convenient and quick, but anyone who can get to the file
will have available the one item needed for decrypting the file.
This means you must address the security of the FEK itself. Secret
key encryption is weak in this aspect, but public key encryption
can be used here to good effect. Thus, to tighten the FEK's security,
you can encrypt it also. This is where public key cryptography
When a user encrypts a file, the Encrypting File System uses the
user's public key to encrypt the FEK and stores the ciphered FEK
with the encrypted file, in the file's Data Decryption Field
(DDF). Because the FEK is sealed to one user's key pair, users
never have to share a decryption key; it also means that in
Windows 2000 multiple users cannot share an encrypted file. The
public key algorithm runs only on the small FEK, never on the
large file, so the system's performance isn't impacted. Only the
user, with that user's private key, can recover the ciphered
FEK, which is needed to decrypt the actual file. (Windows 2000
also seals a copy of the FEK under the recovery agent's public
key, in the Data Recovery Field, so an administrator designated
as recovery agent can decrypt the file if the user's key is
lost.) At this point, both the sensitive data and the FEK are
secured, and the Windows 2000 design gets the best of both
encryption worlds.
NOTE: File encryption keys are stored in the nonpaged memory
pool. This means the keys are never written to the paging file,
where they could be recovered from disk.
Windows XP/Windows Server 2003 enables support for sharing EFS
encrypted files among multiple users, without sharing private
keys among users. The file must first be encrypted by one user,
who can then enable sharing and select the specific users who
are to have access to the encrypted file. Any user who has an
account on the local machine or in the Active Directory and who
has a valid EFS certificate can be added. Each authorized user
can then decrypt the file using his or her own private key.
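Here is the FEK/DDF design from the passages above, plus the XP/2003
sharing feature, boiled down to a runnable model in Go. This is an
added example, not code from Microsoft or from the Syngress chapter,
and everything in it is an assumption of the example: the names
User, EncryptedFile, Encrypt, AddUser and Decrypt are made up,
AES-256-GCM stands in for DESX and RSA-OAEP for EFS's RSA key
wrapping because those are what Go's standard library offers, the
sample plaintext is constructed, and recovery agents are left out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Hypothetical model of the EFS design (added example, not Microsoft's code).
// W2K EFS used DESX on the body and RSA on the FEK; AES-256-GCM stands in here.

// must turns RNG/key-generation failures into panics; access-control
// failures below stay ordinary errors so callers can check them.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// User owns a key pair; the private half never leaves this struct.
type User struct {
	Name string
	priv *rsa.PrivateKey
}

func NewUser(name string) *User {
	return &User{Name: name, priv: must(rsa.GenerateKey(rand.Reader, 2048))}
}

// EncryptedFile is what lands on disk: ciphertext plus the Data Decryption
// Field, one sealed copy of the FEK per authorized user, keyed by user name.
type EncryptedFile struct {
	Nonce, Body []byte
	DDF         map[string][]byte
}

// seal wraps the FEK under one user's public key (RSA-OAEP).
func seal(fek []byte, pub *rsa.PublicKey) []byte {
	return must(rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fek, nil))
}

// Encrypt draws a fresh random FEK, encrypts the body with it (the fast
// symmetric step) and seals the FEK for the owner only.
func Encrypt(plaintext []byte, owner *User) *EncryptedFile {
	buf := make([]byte, 32+12) // 256-bit FEK followed by a 96-bit GCM nonce
	must(rand.Read(buf))
	fek, nonce := buf[:32], buf[32:]
	aead := must(cipher.NewGCM(must(aes.NewCipher(fek))))
	return &EncryptedFile{
		Nonce: nonce,
		Body:  aead.Seal(nil, nonce, plaintext, nil),
		DDF:   map[string][]byte{owner.Name: seal(fek, &owner.priv.PublicKey)},
	}
}

// recoverFEK is the slow public-key step; it touches only the 32-byte FEK.
// A missing entry, a tampered entry or the wrong private key all fail here.
func (ef *EncryptedFile) recoverFEK(u *User) ([]byte, error) {
	sealed, ok := ef.DDF[u.Name]
	if !ok {
		return nil, fmt.Errorf("efs: no DDF entry for %s", u.Name)
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, u.priv, sealed, nil)
}

// AddUser models XP/2003 sharing: a user who can already recover the FEK
// re-seals it under a newcomer's public key. No private key changes hands.
func (ef *EncryptedFile) AddUser(grantor, newcomer *User) error {
	fek, err := ef.recoverFEK(grantor)
	if err != nil {
		return err // a user without a DDF entry cannot grant access
	}
	ef.DDF[newcomer.Name] = seal(fek, &newcomer.priv.PublicKey)
	return nil
}

// Decrypt unseals the caller's own copy of the FEK, then opens the body.
func (ef *EncryptedFile) Decrypt(u *User) ([]byte, error) {
	fek, err := ef.recoverFEK(u)
	if err != nil {
		return nil, err
	}
	aead := must(cipher.NewGCM(must(aes.NewCipher(fek))))
	return aead.Open(nil, ef.Nonce, ef.Body, nil)
}

func main() {
	alice, bob := NewUser("alice"), NewUser("bob")
	ef := Encrypt([]byte("constructed sample: Q1 payroll"), alice)
	_, err := ef.Decrypt(bob) // fails: no DDF entry for bob yet
	fmt.Println("bob before sharing:", err)
	if err := ef.AddUser(alice, bob); err != nil {
		panic(err)
	}
	out, _ := ef.Decrypt(bob)
	fmt.Println("bob after sharing:", string(out))
}
```

The thing to notice is AddUser: the grantor has to recover the FEK
with his own private key before he can seal a copy for the newcomer,
so access is extended without anybody's private key leaving its
owner, and a user who has no DDF entry cannot grant access at all.
Run it with go run and you will see bob fail before alice shares the
file and succeed afterwards.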
NOTE: You might be wondering about the security of the temporary
files that some programs create while you edit. A temp file
created in an encrypted folder inherits the folder's attributes,
including the encryption attribute, so EFS encrypts the temporary
copy as well as the original. A temp file that an application
writes somewhere else (the user's Temp folder, for example) gets
no such protection unless that folder is encrypted too. This is
why Microsoft recommends setting the encryption attribute on
folders rather than on individual files. Keep this in mind when
asked about
configuring and implementing EFS on your network and during this
One interesting situation arises, however, when you create an
encrypted folder and another user creates a document in that
folder. That document's FEK is encrypted with the creator's
public key, not yours, so only the creator's private key can
open it. You will not be able to access the document unless
you're using Windows XP/Windows Server 2003 and the creator has
enabled sharing of the encrypted file and added your account to
its user access list. Likewise, if you create a file and another
user later encrypts it, you will no longer be able to access the
file unless the multiple-user feature of Windows XP/Windows
Server 2003 is used to add you back.
Excerpted from Chapter 5 of MCSE Implementing and Administering
Security in a Windows 2000 Network: Study Guide and DVD Training
System (Exam 70-214) by Will Schmied with contributions from Chad
Todd, Tom Shinder, and Debra Littlejohn Shinder. Syngress Publishing
2003 (1931836841). Click here to get more information about this
title or to purchase it from Amazon.com over at:
You can also purchase the e-Book now directly from Syngress:
NT/2000 RELATED NEWS
ENT Survey: Active Directory Goes Mainstream
A new ENT survey of nearly 800 IT professionals shows Active
Directory migrations, the surest sign that organizations are
committing themselves to Microsoft's infrastructure, are in full
swing and should be the rule rather than the exception by the end
of this year. While NT 4.0 Servers are still present in nearly two
thirds of the organizations surveyed, W2K Servers are present at
far more of those organizations. And the newer W2K Servers
outnumber the NT 4.0 Servers across the board. Read more at the
ENT site. This is a good one:
MS Renames Palladium: Tainted
Redmond decided to ditch the Palladium name. It was the code name
for its plan to link hardware and software security inside
Windows-based computers. The new name is "next-generation secure
computing base". They said it "better describes the effort".
My take: Hmmm. There has been SO much negative publicity
attached to the Palladium name, that this is a deft move by
their PR department to deflect some of the $#!+ that is hitting
the fan regarding Palladium.
Sure Enough, MS Gets Hit By SQL Slammer
Interesting article over at InfoWorld about MS getting hit by
the SQL Slammer worm. Talk about releasing a patch and then
not updating some of your own servers for almost 6 months: [grin]
Black Hat Briefings 2003 Announcement
This time they are held in Microsoft's back yard, the conference
will be in Seattle, February 26-27th, with two days of training
available on the 24th & 25th. Highlights of the Briefings will
include the much anticipated release of the "Enforcer" tool by
Tim Mullen, Michael Howard & David LeBlanc's presentation on
writing secure code, and Saumil Shah's presentation on assessment
techniques utilizing the Fire & Water tool-kit. You can register
Greg Hoglund, founder of rootkit.com and Cenzic, has been
added to the training agenda, and is giving a two day class titled
"Aspects of Offensive Root-kit Technology". This is a first time
offering of a class specifically focusing on Root-kit technology
and promises to be stellar.
And if you could not make it in 2002, all the videos from Black
Hat Windows Security 2002 AND Black Hat USA 2002 are now on-line.
Richard Clarke was the keynote speaker at the July show, and while
there were many excellent technical talks, Jeff Jonas' lunchtime
talk on NORA was not to be missed:
Open Source Price for... Redmond?
During LinuxWorld, it looks like MS was able to grab one of the
awards. In the category of 'Best System Integration Software'
their 'Services for Unix 3.0' actually made it as first place.
The irony here is that it is a GPL open source product. Which
just recently Microsoft itself has been vehemently objecting to.
[grin] Here is the proof:
THIRD PARTY NEWS
So, How Does The MBSA/SUS Compare To UpdateEXPERT?
Microsoft's Baseline Security Analyzer (MBSA) is an attempt by
Redmond to provide its customers with a reasonable level of added
security. MBSA is currently available for English OS's only and is
designed as part of a "base" solution to be used with Software
Update Services and the SMS Update Service Feature Pack. The idea
is to provide a "base" level of protection against common security
misconfigurations and missing security-classified hotfixes. MBSA
uses the HFNetChk tool technology to scan for missing security
updates and service packs.
Although a "base" level of protection may serve well for some
Windows customers, a product like eEye's Retina is far superior
at identifying system vulnerabilities, which includes MORE than
the absence of Security related patches. UpdateEXPERT is also
far superior as an update management tool, which is a process
that includes more than just Security Updates. Together such
products build complete solutions and are more reliable.
UpdateEXPERT is a software patch vulnerability assessment tool
that scans a customer's networked system for missing patches
and remediates discovered weaknesses for increased protection.
While MBSA can identify a SECURITY mis-configuration, it still
requires a component to remediate the problem (SUS or Update
Service Feature Pack). From an Update Management stand point,
UpdateEXPERT offers a number of added strengths:
Third Party Database - UpdateEXPERT does not use a public source
database for the list of patches. Instead, it uses an exclusive
patch database that includes information about research, patch
locations, validation information, patch interdependencies and
deployment instructions. The UpdateEXPERT experts research and
test independently to ensure reliable software patch delivery.
For instance, there are two patches that protect customers from
the Slammer worm. One is MS02-039 (released last July) and one
is MS02-061 (released last October). UpdateEXPERT has had these
patches since they have been released, both of which would have
stopped the Slammer.
SQL 2000 SP3 is a roll-up of all of the security bulletins since
the last Service Pack, and surely would contain the two patches
mentioned above. The service pack installation is pretty
complicated and it took a fairly large effort to get it into
the database. It is in QA right now and should be released today.
UpdateEXPERT is a management console based software solution.
You install the software on your workstations and manage all
other machines from there. Agents, such as the Automatic Updates
client that SUS relies on, can cause performance problems for the
system on which they run (we find admins generally object to
planting agents on their servers and workstations).
UpdateEXPERT includes a vast set of patches, not just security
patches. In addition, UpdateEXPERT has the ability to accept
private hotfixes and can use the custom install feature to
Policy-based deployment - UpdateEXPERT can deploy patches that
are missing and applicable by simply using a user defined list
of required updates. UpdateEXPERT matches the required list of
updates against the inventories of each workstation and server
managed. Then, deployment instructions are automatically
customized for each machine. With just a few clicks, any number
of machines can be patched immediately. Tell UpdateEXPERT what
patches are required, and UpdateEXPERT does the rest.
UpdateEXPERT does not require any additional hardware (SUS
requires a dedicated IIS5.0 server). Although base solutions
exist, it probably comes down to how much better do you want
to sleep at night. 15-day eval of UpdateEXPERT here:
New Version Of Retina Released
The following changes were made since Retina 4.9.43:
- Enhanced SQL auditing
- Enhanced Custom Policy management through "Remove Audit From Current Policy" feature
- Added "Email Audit Details" feature
- Added ability to search audits database (Tools/Audits Search)
- Improved command line management of Retina as a scanning engine
Check out this blisteringly fast, award winning scanner here:
Second Largest US Federal Credit Union Selects Double-Take
"As the second-largest corporate credit union in the United States,
we view our central databases as the glue that keeps us together
and connects us to our members. Accessible and up-to-date information
is vital to our business operations. After researching numerous
vendors, it became clear that NSI's products and Professional
Services team were right for us."-- Sam Palmgren, Southwest Federal
Credit Union Senior Project Lead, Technology Development
SysAdmin Toolbox Plus. What's New in 2.1?
Version 2.1 adds numerous new features to the Remote Reboot tool:
- Reboot one or more remote computers. With this new capability you could quickly shut down every computer in your organization.
- Easily add or remove names from a list of computers to be rebooted. You can quickly select multiple computers using the shift or control keys.
- The delay time before the reboot command is to be executed can now be entered in hours, minutes and seconds. This simplifies the calculations needed to schedule the reboot. The multi machine reboot or shutdown is a really cool option.
Check it out, and buy online for just $185, at:
U.K. Group Estimates Slammer Damage at $1 Billion
A U.K.-based security firm is estimating that economic damage
from the SQL Slammer worm is already over $1 billion, making it
the ninth most damaging malware attack yet in the firm's estimation.
mi2g released the billion-dollar estimate on Thursday. It was an
upward revision of a figure the group released earlier in the week.
"It has also jumped in ranking from number 13 a few days ago to
number 9 in terms of the worst malware attacks recorded by the
mi2g Intelligence Unit," an mi2g spokeswoman said in a statement.
More at the ENTmag site:
This Week's Links We Like. Tips, Hints And Fun Stuff
MS has decided to start selling ad space on BSOD screens. Hehehe.
Pretty good spot to check the general health of the Internet:
Know anyone that wants to buy a real German Castle? We'll split
the finders fee [grin]:
Model Rocket Inflight Video Camera link via 2.4GHz Microwave.
Awesome videos, but slow download. Give it time:
PRODUCT OF THE WEEK
Book: The Nature Of The Beast
The Nature Of The Beast by Burton Hersh is a novel about Owen
Rheinsdorf, an ex-CIA operations specialist who gets dragged out
of retirement and plunged into a deadly conflict with a delusional
demagogue and a psycho, pedophile assassin. The Nature Of The
Beast is recommended as a grippingly written saga, crafted with
a firm grounding in the history of secret conflicts in Vietnam,
Portugal, Uruguay, Panama, and Moscow, and having the profound
double impact of both realism and high-stakes tension. The author
is a personal friend of mine and a real CIA-expert. Want to know
some of the hidden forces running our country? Reads like a John
Le Carre thriller. More background information at Tree Farm Books:
Also available at Amazon here: