Sunbelt W2Knews Electronic Newsletter
The secret of those "who always seem to know" - Over 500,000 Readers!
Mon, Jul 14, 2003 (Vol. 8, #28 - Issue #434)
SP4 Anecdotal "Unfixes"
This issue of W2Knews contains:
- EDITORS CORNER
- W2K SP4 Anecdotal "Unfixes"
- UNDO Dept
- TECH BRIEFING
- How Layered Defense Prevents Virus Spreading
- A New Identity For Active Directory?
- NT/2000 RELATED NEWS
- What's the Role of ISA Server 2000 on SBS?
- NT/2000 THIRD PARTY NEWS
- New LanHound Webinar
- iHateSpam Server Now Available Via Dell
- KaZaA and P2P Threaten Corporate Security
- W2Knews 'FAVE' LINKS
- This Week's Links We Like. Tips, Hints And Fun Stuff
- PRODUCT OF THE WEEK
- BOOK: Active Directory, 2nd Edition
SPONSOR: Panda Software
CAN WE EVER BE 100% VIRUS-FREE?
Viruses like Bugbear.B are routinely infecting networks that are
"fully protected". What to do? Is total protection possible? Find
the answer in the complimentary guide HOW TO KEEP YOUR COMPANY
100% VIRUS-FREE from Panda Software. Learn how the latest viruses
enter networks, what they can do, and the most effective weapons
to combat them. Protect your network effectively and permanently
- download this complimentary guide today!
Visit Panda Software for more information.
W2K SP4 Anecdotal "Unfixes"
First, thanks to all of you that took the time to describe the
different problems you encountered. You know who you are. Second,
do not see this as an attempt to knock SP4 and tell you to not
deploy it. This SP has hundreds of important security fixes, so
it is important. The main thing I am emphasizing is that you
need to TEST, TEST, and TEST in a non-production environment.
We have assembled about 50 different short "Unfixes", but they
are too long to have in this newsletter, so here is a link to
all these gotchas, with names removed but otherwise left
exactly the way they were sent, so that you can get an idea
of the general problem areas. We hope that this will help some
of you and help prevent some unplanned downtime:
Now, keep in mind that these problems are coming up in site-specific
configurations, and that you might never see these in your own
environment. So,... test. These problems were not really put in
categories, but when you read them you will readily recognize
similar problems with earlier SPs like third party apps breaking,
BSODs, .NET Framework 1.0 problems, applications (like Exchange)
hanging and the like. Here goes!
This is the link:
And if you want to discuss this with your peers, subscribe
to the Sunbelt sponsored (no cost) list server, the NTSYSADMIN
list. Almost 5,000 system admins discuss a host of these and
In the last issue, several of the KB articles mentioned did not
have to do with W2K SP4. The first one, 195008, is about Windows NT4
Service Pack 4 and Windows 2000. (I was in a rush to get it out
a day early due to July 4 and omitted to do the research. My
mistake. Egg, face, the works [grin]).
Quote Of The Day:
(email me with feedback: [email protected])
- Due to economic restraints light at end of tunnel will be turned
off until further notice.
New surveys show: Disaster Recovery and Security are #1 priority!
This means you have to have a tested plan and reliable tools in
place for the moment your site goes down. DOUBLE-TAKE is that tool.
Sold more than all other High-Availability tools combined. It is
even certified for W2K Datacenter. No other HA tool is. How does it
work? "Server A goes down--Server B takes over". Get the eval
copy here, this is your ultimate job-security:
Visit Double-Take for more information.
How Layered Defense Prevents Virus Spreading
On June 25, 2003, the computer worm known as Sobig.E quickly reached
widespread infection levels. It did not rely on and exploit the
now infamous Outlook preview pane vulnerability, nor did it offer
pictures of scantily clad women, luring users to open the files.
So how did this happen with professional and public awareness at
all-time highs on the subject of security and malware? How did one
worm find its way into corporate networks and personal computers
and cause such havoc?
Worm at Work
There are a number of factors at work here, including some technical
and a couple of behavioral reasons. On the technical side, Sobig.E
is delivered as a zip file attachment to an email. Then through
its own SMTP engine it re-mails itself spoofing the "from" address.
Finally, once inside the network, the worm can easily spread via
Sobig.E is very socially adept, making use of known email addresses
(people are of course more inclined to open files from friends or
associates). The subject line for the worm is also intriguing,
alluding to a movie or screensaver attachment. Having this come
from a friend or associate creates trust thereby inducing the
person to open it.
What does this have to do with layered defense?
When most gateway e-mail filtering is set up, the application is
typically set to strip .exe, .vbs, etc. By using .zip, Sobig.E
blew by the basic gateway filtering settings. As evidenced by
the rapid spreading of the worm in the US corporate environment,
the large AV company products were not that adept at scanning
inside the compressed .zip file and allowed the worm into the
network. (One vendor that did a better job with compressed files
was Panda.) Once the e-mail hit the user's desktop, the resident
AV (most likely from the same company providing gateway security)
permitted the infected zip file to be opened and executed. Now
the worm spreads throughout the network.
This scenario demands an improved layered defense strategy:
At the gateway layer the antivirus protection has to actually
be able to scan inside compressed files (at multiple levels of
nesting) and delete/disinfect BEFORE allowing it into the network.
Protection at the e-mail server has to be able to also stop these
simple worms cold. Some companies are relying on only one gateway
application that does 40 different security functions and they
have no dedicated e-mail server scanning. The desktop resident
AV solution has to also be able to fully handle any type of worm,
virus, trojan, etc.
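To make the gap described above concrete, here is an added example (written for this article; it is not Panda's code nor that of any vendor mentioned here) contrasting an extension-only attachment rule with recursive inspection of zip contents. The blocked-extension list, the nesting limit, the size cap and the attachment names are assumptions chosen for the example, and the sample archives are constructed in memory.

```python
"""Attachment inspection: extension-only filtering versus recursive archive scanning.
Example code added for this article; not Panda's or any vendor's product code."""
import io
import zipfile

# Assumed policy values for the example.
BLOCKED_EXTENSIONS = {".exe", ".vbs", ".scr", ".pif", ".bat", ".com"}
MAX_NESTING = 3               # refuse to descend into archives nested deeper than this
MAX_MEMBER_BYTES = 5_000_000  # refuse to expand a nested archive larger than this


def extension_blocked(filename: str) -> bool:
    """The naive gateway rule: look only at the attachment's own extension."""
    return any(filename.lower().endswith(ext) for ext in BLOCKED_EXTENSIONS)


def find_blocked_members(data: bytes, depth: int = 0) -> list:
    """Open zip data and return (path, reason) pairs for every member the
    policy would block. Nested zips are opened recursively; exceeding the
    depth or size limits is itself reported rather than silently skipped."""
    if depth > MAX_NESTING:
        return [("<archive>", "nesting deeper than %d levels" % MAX_NESTING)]
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("<archive>", "not a readable zip (corrupt or obfuscated)")]
    findings = []
    with archive:
        for info in archive.infolist():
            name = info.filename
            if extension_blocked(name):
                findings.append((name, "blocked extension"))
            elif name.lower().endswith(".zip"):
                if info.file_size > MAX_MEMBER_BYTES:
                    findings.append((name, "oversized nested archive"))
                    continue
                inner = find_blocked_members(archive.read(name), depth + 1)
                findings.extend((name + "/" + p, r) for p, r in inner)
    return findings


def gateway_decision(filename: str, data: bytes) -> str:
    """Layered rule: extension check first, then content inspection for archives."""
    if extension_blocked(filename):
        return "strip: blocked extension"
    if filename.lower().endswith(".zip"):
        findings = find_blocked_members(data)
        if findings:
            return "strip: " + "; ".join("%s (%s)" % f for f in findings)
    return "deliver"


def _zip_bytes(members: dict) -> bytes:
    """Build a zip in memory from {member_name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, payload in members.items():
            z.writestr(name, payload)
    return buf.getvalue()


def build_sample_attachment() -> bytes:
    """Constructed sample: a zip wrapping another zip that holds an .exe,
    the 'harmless-looking archive with a payload inside' pattern. The .exe
    content is dummy text, not a program."""
    inner = _zip_bytes({"movie.exe": b"MZ constructed sample, not a real program"})
    return _zip_bytes({"readme.txt": b"nothing to see here", "movie.zip": inner})


def build_clean_attachment() -> bytes:
    """Constructed sample with nothing the policy objects to."""
    return _zip_bytes({"report.txt": b"quarterly figures (constructed)"})


def build_nested(levels: int) -> bytes:
    """Constructed sample: 'levels' zips wrapped around one dummy .exe."""
    data = _zip_bytes({"payload.exe": b"constructed sample"})
    for i in range(1, levels):
        data = _zip_bytes({"level%d.zip" % i: data})
    return data


if __name__ == "__main__":
    sample = build_sample_attachment()
    print("extension-only rule on movie.zip:",
          "strip" if extension_blocked("movie.zip") else "deliver")
    print("recursive inspection of movie.zip:", gateway_decision("movie.zip", sample))
    print("five-deep nesting:", gateway_decision("deep.zip", build_nested(5)))
```

The extension-only rule delivers `movie.zip` untouched, exactly the failure the article describes; the recursive check strips it because it finds `movie.exe` one level down. The depth and size limits matter in practice: a scanner that expands every nested archive without bounds can be tied up by a hostile attachment, so anything beyond the limit is reported as a finding and stripped rather than waved through.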
Obviously, it is vital to have security apps at the various
network layers. Another important aspect of layered security
that is often overlooked is this simple maxim: do not have all
of your eggs in one basket. If you have systems that are mission
critical and must ALWAYS be up you should look at multiple vendors
and place them throughout the different network layers. It takes
more work but the odds of catching malware greatly increase if
different scanners are placed at the various network points.
This approach is not limited to anti-virus products; it is just
as applicable to vulnerability scanners and intrusion detection,
for instance.
Layering Something Different
It also makes sense to have a complete newcomer in your security
stack. Why? Because different virus labs think differently and
newcomers often come without baggage. That's why I recommend you
look at specifying lesser-known players like Panda Software. They
have a useful Layered Defense White Paper at:
Sometimes I get asked why I fastened onto Panda antivirus. Well,
I have to say it was an astonishing experience to find viruses on
a computer that I thought was completely protected. (story: /?id=424)
It's a no-brainer to take them up on their free software offer for
IT Managers and see for yourself:
A New Identity For Active Directory?
Identity Management. Think directory management, e-provisioning and
security all rolled into one. It's the new buzz word out of Redmond.
But if you still don't get it, check out this timely collection of
news articles, technical tips and white papers. Good article:
NT/2000 RELATED NEWS
What's the Role of ISA Server 2000 on SBS?
By Thomas W. Shinder. Last week W2knews reported that SBS guru,
Harry Brelsford, said "the role of ISA Server in SBS is unknown".
A couple days later Windows magazine reported that Small Business
Server would be released in two versions: a Standard and a Premium.
The major differentiator between the two versions is that the
Standard version would not include ISA Server 2000 and the Premium
version would include ISA Server 2000. This comes as welcome news
to members of the ISA Server community. One of the most frustrating
configuration scenarios ISA Server admins and consultants find
themselves in is the small business that wants to leverage the
strong inbound and outbound access control that ISA Server affords.
The problem is ISA Server is a real, honest to goodness, enterprise
level firewall. Enterprise firewalls don't belong on the same box
as Exchange, SQL, Sharepoint, Doom or KaZaA. The future of ISA Server
and SBS lies not in stacking it on top of an already overloaded box.
The ISA Server firewall component needs to be teased-out from the
rest of the SBS suite. Microsoft's SBS unit must realize that the
ISA Server firewall belongs in front of the servers, not with them.
No other serious firewall vendor runs server or user apps on their
security device, and an ISA Server firewall should not be the
Harry mentioned that he preferred a hardware firewall in front of
the SBS box. I suspect what he actually had in mind was that he
wanted a firewall appliance in front of the SBS box. The ideal
setup would be an ISA Server based firewall appliance. Let's face
it, no other firewall on the market supports Microsoft networks
better than ISA Server, so an ISA Server based firewall appliance
is a natural value multiplier for the SBS environment.
Such an appliance would leverage the following ISA Server firewall
Most of all, such an appliance would be remotely managed via
a Web interface, not support adding extraneous servers and
applications that would negate its role as firewall, and
would have an appliance form factor.
- URLScan 2.5 running on the ISA Server firewall; blocking
bad HTTP requests at the ISA Server firewall before they get near
an OWA or other Web server.
- Simplified OWA publishing using the OWA Publishing Wizard
- Application layer inspection of SSL protected connections to
the published OWA server; this takes advantage of the ISA Server
firewall's ability to perform SSL to SSL bridging
- Pre-authentication of connection request at the ISA Server
firewall so that unauthenticated requests never get near the
- Encrypted Exchange RPC Publishing, which allows external network
users to use Outlook 2000/2002/2003 in the exact same way that
they use it when they're directly connected to the internal
network; no nasty reconfiguration of Outlook when the boss
leaves the office with his laptop; he just plugs into the
hotel room broadband connection and Outlook works just like
it does in the office
- Layer 7 application filters that inspect SMTP, POP3 and DNS
packets for buffer overflow attacks and stop them at the ISA
- Rudimentary spam control with the ISA Server firewall SMTP
- VPN server tightly integrated with the ISA Server firewall,
making it easy to provide VPN access using both PPTP and
L2TP/IPSec with the native RFC NAT-T compliant Windows VPN
clients -- no fudging around with proprietary VPN client
software that isn't RFC compatible
No such ISA Server firewall appliance currently exists, but
if one should become available, I would hope (and expect)
that SBS users would run, and not walk, to get this ISA
Server firewall-based appliance. Let's hope something along
these lines comes out soon, before these small businesses
invest in subpar SOHO/small business Internet "firewalls"
which represent little more than NAT servers.
Dr. Thomas W. Shinder is an author of, and contributor to, over
30 Windows 2000, Windows 2003 and Windows-based networking
and security books. Tom and Deb Shinder wrote the best selling
ISA Server 2000 book Configuring ISA Server 2000: Building
Firewalls with Windows 2000. Tom is the principal perpetrator
of the world's leading unofficial ISA Server Web site:
Thomas W Shinder
ISA Server and Beyond
Configuring ISA Server
THIRD PARTY NEWS
New LanHound Webinar
"Everything you wanted to know about Network Monitoring but were
too afraid to ask".
One of the key things we learned in our post-download survey of
LanHound evals was that many people were just baffled by all
the data presented. There can be such a thing as too much data.
With this in mind, we created a very straightforward webinar on
LanHound, which defines the key concepts behind the product. Then,
it presents the product. Think of it as a crash course in
network monitoring using LanHound as the example tool to do it.
Common concepts are defined, the layer model is explained, and
you will see hands-on examples of troubleshooting techniques.
Did your 30-day eval expire? Reinstall the download on top of
the existing one, and you have another 30 days.
There is also a new white paper up on LanHound: "Network Monitoring
and Protocol Analysis with Sunbelt LanHound". This again explains
how to use a tool like this to troubleshoot your networks:
You will find the link to the (pre-recorded) webinar on the
LanHound page, and you can play it any time you want:
iHateSpam Server Now Available Via Dell
Run a Dell Server with Exchange? You can now call your existing
Dell Sales Rep and get iHateSpam Server via Dell. An ideal anti-spam
solution. iHateSpam Server Edition will support MS Exchange Server
2003. Also, in the near future we expect to further enrich the already
robust functionality of iHateSpam Server Edition by leveraging the
additional options provided by Microsoft's enhanced VSAPI (Virus
Scanning API) that ships with Exchange 2003.
"Sunbelt is committed to supporting Exchange 2003, as well as
Exchange 5.5 and 2000 for its server-based spam detection product,"
said Greg Kras, CTO of Sunbelt Software. 30-day evals here, and
if you like what you see, call your Dell Rep!
KaZaA and P2P Threaten Corporate Security
PestPatrol released a Pest Briefing Paper to explain in everyday
language the dangers posed by peer-to-peer (P2P) networking
software and the security threat it poses to PC security in
homes and offices around the world.
"Unfortunately, the rising popularity of P2P file-sharing networks
creates a target of great opportunity for would-be Malcoders,"
said Roger Thompson, VP of Product Development at PestPatrol.
"Fizzer, for example, created multiple copies of itself with
different names and placed them in the victim's dedicated KaZaA
file-sharing folder. The minute this happened, Fizzer became
'available' to every other KaZaA user. People need to realize
that, by definition, an Internet based P2P network means that
you are sharing with, and trusting your hard disk to, complete
KaZaA, the most popular file on CNET Networks' Download.com,
was downloaded more than 2.7 million times during the first
week of June alone. Other popular P2P downloads include iMesh,
Morpheus, and Grokster.
While the KaZaA Media Desktop (KMD) allows individuals to share
files stored on their computer directly with other KaZaA users
over the web, it also presents new ways for spyware and remote
administration trojans to be accidentally downloaded and, as
we've seen with Fizzer, enables the rapid spread of viruses.
KaZaA, which is generally categorized as adware, can cause
confidential personal or corporate information to be made
available across the Internet, and can also consume significant
bandwidth. Ultimately, the use of KaZaA can present legal
liability for individuals and corporations if it is used
inappropriately or otherwise enables a security breach.
Those users who recognize that KaZaA and other P2P tools are
a real security threat believe that their anti-virus or
firewall will protect them. This is unfortunately not the
case; KaZaA is a legitimate application that the user
knowingly and willingly installs, so the majority of general-purpose
security tools ignore it. One of the few ways to counter the threat
effectively is by running PestPatrol, which has been designed to
locate and remove these stealthy threats.
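The Fizzer behaviour quoted above (one set of bytes dropped into the share folder under several names) is something an administrator can check for without any vendor tool. The following is an added example written for this article, not PestPatrol's code: it walks a share folder, flags files with executable extensions, and groups byte-identical files by hash. The extension list and the sample folder contents are assumptions constructed for the example; no real malware is involved.

```python
"""Audit a P2P share folder for the pattern described above: executable
content offered for download, and one set of bytes published under several
different names. Example code added for this article, not PestPatrol's."""
import hashlib
import os
import tempfile
from collections import defaultdict

# Assumed list of extensions worth flagging in a folder meant for media files.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".vbs"}


def sha256_of(path: str) -> str:
    """Hash a file in chunks so large media files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_share(folder: str) -> dict:
    """Walk the share folder and return:
    'executables' - relative paths with an executable extension;
    'duplicates'  - groups of relative paths whose contents are byte-identical;
    'suspicious'  - executables that also sit in a duplicate group, the
                    self-replication pattern quoted in the text."""
    by_hash = defaultdict(list)
    executables = []
    for root, _dirs, files in os.walk(folder):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, folder).replace(os.sep, "/")
            if os.path.splitext(name)[1].lower() in EXECUTABLE_EXTENSIONS:
                executables.append(rel)
            by_hash[sha256_of(path)].append(rel)
    duplicates = [sorted(group) for group in by_hash.values() if len(group) > 1]
    duplicated = {rel for group in duplicates for rel in group}
    return {
        "executables": sorted(executables),
        "duplicates": sorted(duplicates),
        "suspicious": sorted(rel for rel in executables if rel in duplicated),
    }


def build_sample_share() -> str:
    """Constructed sample share (temporary directory): one legitimate text
    file, one stand-alone dummy executable, and the same dummy bytes saved
    under three enticing names. None of it is real malware."""
    folder = tempfile.mkdtemp(prefix="p2p_share_")
    clone = b"MZ constructed sample bytes, not a real program"
    for name in ("movie.exe", "screensaver.scr", "crack.exe"):
        with open(os.path.join(folder, name), "wb") as f:
            f.write(clone)
    with open(os.path.join(folder, "installer.exe"), "wb") as f:
        f.write(b"MZ a different constructed sample")
    with open(os.path.join(folder, "notes.txt"), "wb") as f:
        f.write(b"harmless text")
    return folder


if __name__ == "__main__":
    report = audit_share(build_sample_share())
    for key in ("executables", "duplicates", "suspicious"):
        print(key, report[key])
```

Point it at the real share directory instead of the constructed one to use it for an actual audit. Hashing rather than comparing names is what catches the pattern in the quote: three differently named files with one content are a single item offered to every peer, and an executable among them is worth investigating regardless of what the desktop AV says about it.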
Read this new white paper, and download the eval for the
PestPatrol Corporate version at:
This Week's Links We Like. Tips, Hints And Fun Stuff
Here's how you slipstream the new W2K Service Pack 4 (text file):
Need to check out MONSTER.COM from the office? Surfola allows
anonymous browsing. Downside, your users can use it too...
"Black box" recorders collect car crash data. Is there one in your
car? Who "owns" the data once it is captured? More resources here:
Google giggle about Weapons Of Mass Destruction (fake error page):
THIS is the ultimate MS Flight Simulator Setup. Anyone found
something even more elaborate? Write me:
Use the new MS Smart Displays? Here's a Home Automation Project
Linux: A Reason To Stick With NetWare. Article about the
relationship between Netware, Linux, and Windows:
Researcher uses public info to exactly map all USA fiber connections.
Security Risk? You bet your sweet behind. Good article here:
Looks like the Russian economy is doing great with a 13% flat tax.
Time to export that to the USA (and how about Europe)!! Who would
have ever thought...
Here is a fantastic Japanese video. Gotta see it (Windows media):
PRODUCT OF THE WEEK
BOOK: Active Directory, 2nd Edition
From the back cover: When Microsoft introduced Windows 2000, the
most important change was the inclusion of Active Directory. With
many great benefits, it continues to be a huge headache for network
and system administrators to design, implement and support. The
first edition of this book, O'Reilly's best-selling Windows 2000
Active Directory, eased their pain considerably. Now titled Active
Directory, 2nd Edition, this book provides system and network
administrators, IT professionals, technical project managers, and
programmers with a clear, detailed look at Active Directory for
both Windows 2000 and Windows Server 2003. ISBN: 0596004664