- Sign-up Now!
 - Current Issue
 - Edit Your Profile/Unsubscribe

Subscribe | Media Kit | About Us | All Issues | Subscriber Feedback | Contact Us | Privacy Statement
Sunbelt W2Knews™ Electronic Newsletter
The secret of those "who always seem to know" - Over 500,000 Readers!
Mon, Jul 14, 2003 (Vol. 8, #28 - Issue #434)
SP4 Anecdotal "Unfixes"
  This issue of W2Knews™ contains:
    • W2K SP4 Anecdotal "Unfixes"
    • UNDO Dept
    • How Layered Defense Prevents Virus Spreading
    • A New Identity For Active Directory?
    • What's the Role of ISA Server 2000 on SBS?
    • New LanHound Webinar
    • iHateSpam Server Now Available Via Dell
    • KaZaA and P2P Threaten Corporate Security
  5. W2Knews 'FAVE' LINKS
    • This Week's Links We Like. Tips, Hints And Fun Stuff
    • BOOK: Active Directory, 2nd Edition
  SPONSOR: Panda Software
Viruses like Bugbear.B are routinely infecting networks that are
"fully protected". What to do? Is total protection possible? Find
the answer in the complimentary guide HOW TO KEEP YOUR COMPANY
100% VIRUS-FREE from Panda Software. Learn how the latest viruses
enter networks, what they can do, and the most effective weapons
to combat them. Protect your network effectively and permanently
- download this complimentary guide today!
Visit Panda Software for more information.

W2K SP4 Anecdotal "Unfixes"

First, thanks to all of you that took the time to describe the different problems you encountered. You know who you are. Second, do not see this as an attempt to knock SP4 and tell you to not deploy it. This SP has hundreds of important security fixes, so it is important. The main thing I am emphasizing is that you need to TEST, TEST, and TEST in a non-production environment FIRST.

We have assembled about 50 different short 'Unfixes", but they are too long to have in this newsletter, so here is a link to all these gotchas, with names removed but otherwise left exactly the way they were sent, so that you can get an idea of the general problem areas. We hope that this will help some of you and help prevent some unplanned downtime:

Now, keep in mind that these problems are coming up in site-specific configurations, and that you might never see these in your own environment. So,... test. These problems were not really put in categories, but when you read them you will readily recognize similar problems with earlier SP's like third party apps breaking, BSOD's, .Net framework 1.0 problems, applications (like Exchange) hanging and the like. Here goes! This is the link:

And if you want to discuss this with your peers, subscribe to the Sunbelt sponsored (no cost) list server, the NTSYSADMIN list. Almost 5,000 system admins discuss a host of these and other problems:


In the last issue, several KB articles mentioned did not have to do with W2K SP4. The first one, 195008, is about Windows NT4 Service Pack 4 and Windows 2000. (I was in a rush to get it out a day early due to July 4 and omitted to do the research. My mistake. Egg, face, the works [grin]).

Quote Of The Day:

  • Due to economic restraints light at end of tunnel will be turned off until further notice.
Stu Sjouwerman (email me with feedback: [email protected])
  SPONSOR: Double-Take
New surveys show: Disaster Recovery and Security are #1 priority!
This means you have to have a tested plan and reliable tools in
place for the moment your site goes down. DOUBLE-TAKE is that tool.
Sold more than all other High-Availability tools combined. It is
even certified for W2K Datacenter. No other HA tool is. How it
works? "Server A goes down--Server B takes over". Get the eval
copy here, this is your ultimate job-security:
Visit Double-Take for more information.

How Layered Defense Prevents Virus Spreading

On June 25, 2003, the computer worm known as Sobig.E quickly reached widespread infection levels. It did not rely on and exploit the now infamous Outlook preview pane vulnerability, nor did it offer pictures of scantily clad women, luring users to open the files. So how did this happen with professional and public awareness at all time highs on the subject of security and malware? How did one worm find its way into corporate networks and personal computers and cause such havoc?

Worm at Work

There are a number of factors at work here, including some technical and a couple of behavioral reasons. On the technical side, Sobig.E is delivered as a zip file attachment to an email. Then through its own SMTP engine it re-mails itself spoofing the "from" address. Finally once inside the network the worm can easily spread via network shares.

Sobig.E is very socially adept, making use of known email addresses (people are of course more inclined to open files from friends or associates). The subject line for the worm is also intriguing alluding to a movie or screensaver attachment. Having this come from a friend or associate creates trust thereby inducing the person to open it.

Layered Defenses

What does this have to do with layered defense?

When most gateway e-mail filtering is setup, the application is typically set to strip .exe, .vbs, etc. By using .zip, Sobig.E blew by the basic gateway filtering settings. As evidenced by the rapid spreading of the worm in the US corporate environment, the large AV company products were not that adept at scanning inside the compressed .zip file and allowed the worm into the network. (One vendor that did a better job with compressed files was Panda.) Once the e-mail hit the users desktop, the resident AV, (most likely from the same company providing gateway security) permitted the infected zip file to be opened and executed. Now the worm spreads throughout the network.

This scenario demands an improved layered defense strategy:

At the gateway layer the antivirus protection has to actually be able to scan inside compressed files (at multiple levels of nesting) and delete/disinfect BEFORE allowing it into the network. Protection at the e-mail server has to be able to also stop these simple worms cold. Some companies are relying on only one gateway application that does 40 different security functions and they have no dedicated e-mail server scanning. The desktop resident AV solution has to also be able to fully handle any type of worm, virus, trojan, etc.

Obviously, it is vital to have security apps at the various network layers. Another most important aspect of layered security that is often overlooked is this simple maxim - do not have all of your eggs in one basket. If you have systems that are mission critical and must ALWAYS be up you should look at multiple vendors and place them throughout the different network layers. It takes more work but the odds of catching malware greatly increase if different scanners are placed at the various network points. This approach obviously does not limit itself to anti-virus products, it's just as applicable for vulnerability scanners and intrusion detection for instance.

Layering Something Different

It also makes sense to have a complete newcomer in your security stack. Why? Because different virus labs think differently and newcomers often come without baggage. That's why I recommend you look at specifying lesser-known players like Panda Software. They have a useful Layered Defense White Paper at:

Sometimes I get asked why I fastened onto Panda antivirus. Well, I have to say it was an astonishing experience to find viruses on a computer that I thought was completely protected. (story: /?id=424) It's a no-brainer to take them up on their free software offer for IT Managers and see for yourself:

A New Identity For Active Directory?

Identity Management. Think directory management, e-provisioning and security all rolled into one. It's the new buzz word out of Redmond. But if you still don't get it, check out this timely collection of news articles, technical tips and white papers. Good article:


What's the Role of ISA Server 2000 on SBS?

By Thomas W. Shinder. Last week W2knews reported that SBS guru, Harry Brelsford, said "the role of ISA Server in SBS is unknown". A couple days later Windows magazine reported that Small Business Server would be released in two versions: a Standard and a Premium version.

The major differentiator between the two versions is that the Standard version would not include ISA Server 2000 and the Premium version would include ISA Server 2000. This comes as welcome news to members of the ISA Server community. One of the most frustrating configuration scenarios ISA Server admins and consultants find themselves in is the small business that wants to leverage the strong inbound and outbound access control that ISA Server affords them.

The problem is ISA Server is a real, honest to goodness, enterprise level firewall. Enterprise firewalls don't belong on the same box as Exchange, SQL, Sharepoint, Doom or KaZaA. The future of ISA Server and SBS lies not in stacking it on top of an already overloaded box. The ISA Server firewall component needs to be teased-out from the rest of the SBS suite. Microsoft's SBS unit must realize that the ISA Server firewall belongs in front of the servers, not with them.

No other serious firewall vendor runs server or user apps on their security device, and an ISA Server firewall should not be the exception.

Harry mentioned that he preferred a hardware firewall in front of the SBS box. I suspect what he actually had in mind was that he wanted a firewall appliance in front of the SBS box. The ideal setup would be an ISA Server based firewall appliance. Let's face it, no other firewall on the market supports Microsoft networks better than ISA Server, so an ISA Server based firewall appliance is a natural value multiplier for the SBS environment.

Such an appliance would leverage the following ISA Server firewall features:

  • URLScan 2.5 running on the ISA Server firewall; blocking bad HTTP requests at the ISA Server firewall before they get near an OWA or other Web server.
  • Simplified OWA publishing using the OWA Publishing Wizard
  • Application layer inspection of SSL protected connections to the published OWA server; this takes advantage of the ISA Server firewall's ability to perform SSL to SSL bridging
  • Pre-authentication of connection request at the ISA Server firewall so that unauthenticated requests never get near the OWA box
  • Encrypted Exchange RPC Publishing, which allows external network users to use Outlook 2000/2002/2003 in the exact same way that the use it when they're directly connected to the internal network; no nasty reconfiguration of Outlook when the boss leaves the office with his laptop; he just plugs into the hotel room broadband connection and Outlook works just like it does in the office
  • Layer 7 application filters that inspect SMTP, POP3 and DNS packets for buffer overflow attacks and stop them at the ISA Server firewall
  • Rudimentary spam control with the ISA Server firewall SMTP Message screener
  • VPN server tightly integrated with the ISA Server firewall, making it easy to provide VPN access using both PPTP and L2TP/IPSec with the native RFC NAT-T compliant Windows VPN clients -- no fudging around with proprietary VPN client software that isn't RFC compatible
Most of all, such an appliance would be remotely managed via a Web interface, not support adding extraneous servers and applications that would negate its role as firewall, and would have an appliance form factor.

No such ISA Server firewall appliance currently exists, but if one should become available, I would hope (and expect) that SBS users would run, and not walk, to get this ISA Server firewall-based appliance. Let's hope something along these lines comes out soon, before these small businesses invest in subpar SOHO/small business Internet "firewalls" which represent little more than a NAT servers.

Dr. Thomas W. Shinder is an author of, and contributor, to over 30 Windows 2000, Windows 2003 and Windows-based networking and security books. Tom and Deb Shinder wrote the best selling ISA Server 2000 book Configuring ISA Server 2000: Building Firewalls with Windows 2000. Tom is the principle perpetrator of the world's leading unofficial ISA Server Web site:

Thomas W Shinder
ISA Server and Beyond
Configuring ISA Server


New LanHound Webinar

"Everything you wanted to know about Network Monitoring but were too afraid to ask".

One of the key things we learned in our post-download survey of LanHound evals was that many people were just baffled by all the data presented. There can be such a thing as too much data.

With this in mind, we created a very straightforward webinar on LanHound, which defines the key concepts behind the product. Then, it presents the product. Think of it as a crash course in network monitoring using LanHound as the example tool to do it. Common concepts are defined, the layer model is explained, and you will see hands-on examples of troubleshooting techniques. Did your 30-day eval expire? Reinstall the download on top of the existing one, and you have another 30 days.

There is also a new white paper up on LanHound: "Network Monitoring and Protocol Analysis with Sunbelt LanHound". This again explains how to use a tool like this to trouble shoot your networks:

You will find the link to the (pre-recorded) webinar on the LanHound page, and you can play it any time you want:

iHateSpam Server Now Available Via Dell

Run a Dell Server with Exchange? You can now call your existing Dell Sales Rep and get iHateSpam Server via Dell. An ideal anti-spam solution. iHateSpam Server Edition will support MS Exchange Server 2003. Also, in the near future we expect to further enrich the already robust functionality of iHateSpam Server Edition by leveraging the additional options provided by Microsoft's enhanced VSAPI (Virus Scanning API) that ships with Exchange 2003.

"Sunbelt is committed to supporting Exchange 2003, as well as Exchange 5.5 and 2000 for its server-based spam detection product," said Greg Kras, CTO of Sunbelt Software. 30-day evals here, and if you like what you see, call your Dell Rep!

KaZaA and P2P Threaten Corporate Security

PestPatrol released a Pest Briefing Paper to explain in everyday language the dangers posed by peer-to-peer (P2P) networking software and the security threat it poses to PC security in homes and offices around the world.

"Unfortunately, the rising popularity of P2P file-sharing networks creates a target of great opportunity for would-be Malcoders," said Roger Thompson, VP of Product Development at PestPatrol. "Fizzer, for example, created multiple copies of itself with different names and placed them in the victim's dedicated KaZaA file-sharing folder. The minute this happened, Fizzer became 'available' to every other KaZaA user. People need to realize that, by definition, an Internet based P2P network means that you are sharing with, and trusting your hard disk to, complete strangers."

KaZaA, the most popular file on CNET Networks' Download.com, was downloaded more than 2.7 million times during the first week of June alone. Other popular P2P downloads include iMesh, Morpheus, and Grokster.

While the KaZaA Media Desktop (KMD) allows individuals to share files stored on their computer directly with other KaZaA users over the web, it also presents new ways for spyware and remote administration trojans to be accidentally downloaded and, as we've seen with Fizzer, enables the rapid spread of viruses and worms.

KaZaA, which is generally categorized as adware, can cause confidential personal or corporate information to be made available across the Internet, and can also consume significant bandwidth. Ultimately, the use of KaZaA can present legal liability for individuals and corporations if it is used inappropriately or otherwise enables a security breach.

Those users who recognize that KaZaA and other P2P tools are a real security threat believe that their anti-virus or firewall will protect them. This is unfortunately not the case; KaZaA is a legitimate application that the user knowingly and willingly installs, so the majority of general-purpose security tools ignore it. One of the few ways to counter the threat effectively is by running PestPatrol, which has been designed to locate and remove these stealthy threats.

Read this new white paper, and download the eval for the PestPatrol Corporate version at:


This Week's Links We Like. Tips, Hints And Fun Stuff

  • Here's how you slipstream the new W2K Service Pack 4 (text file):

  • http://www.w2knews.com/rd/rd.cfm?id=030714FA-W2K_SP4
  • Need to check out MONSTER.COM from the office? Surfola allows anonymous browsing. Downside, your users can use it too...

  • http://www.w2knews.com/rd/rd.cfm?id=030714FA-Surfola
  • "Black box" recorders collect car crash data. Is there one in your car? Who "owns" the data once it is captured? More resources here:

  • http://www.w2knews.com/rd/rd.cfm?id=030714FA-BlackBox
  • Google giggle about Weapons Of Mass Destruction (fake error page):

  • http://www.w2knews.com/rd/rd.cfm?id=030714FA-Error_Page
  • THIS is the ultimate MS Flight Simulator Setup. Anyone found something even more elaborate? Write me:

  • http://www.w2knews.com/rd/rd.cfm?id=030714FA-Flight_Sim
  • Use the new MS Smart Displays? Here's a Home Automation Project using them:

  • http://www.w2knews.com/rd/rd.cfm?id=030714FA-Smart_Displays
  • Linux: A Reason To Stick With NetWare. Article about the relationship between Netware, Linux, and Windows:

  • http://www.w2knews.com/rd/rd.cfm?id=030714FA-Netware
  • Researches uses public info to exactly map all USA fiber connections. Security Risk? You bet your sweet behind. Good article here:

  • http://www.w2knews.com/rd/rd.cfm?id=030714FA-Fiber
  • Looks like the Russian economy is doing great with a 13% flat tax. Time to export that to the USA (and how about Europe)!! Who would have ever thought...

  • http://www.w2knews.com/rd/rd.cfm?id=030714FA-Flat_Tax
  • Here is a fantastic Japanese video. Gotta see it (Windows media):

  • http://www.w2knews.com/rd/rd.cfm?id=030714FA-Video

    BOOK: Active Directory, 2nd Edition

    From the back cover: When Microsoft introduced Windows 2000, the most important change was the inclusion of Active Directory. With many great benefits, it continues to be a huge headache for network and system administrators to design, implement and support. The first edition of this book, O'Reilly's best-selling Windows 2000 Active Directory, eased their pain considerably. Now titled Active Directory, 2nd Edition, this book provides system and network administrators, IT professionals, technical project managers, and programmers with a clear, detailed look at Active Directory for both Windows 2000 and Windows Server 2003. ISBN: 0596004664