Sunbelt W2Knews Electronic Newsletter
The secret of those "who always seem to know" - Over 500,000 Readers!
Mon, Aug 18, 2003 (Vol. 8, #33 - Issue #439)
What's New in Win2003: Part 3
This issue of W2Knews contains:
- EDITORS CORNER
- What's New in Win2003: Part 3
- TECH BRIEFING
- Blaster Worm Update and Fixes
- Windows Server 2003 Tip: Find Out What Process is Using a Port
- NT/2000 RELATED NEWS
- Server 2003's Software Restriction Policies: Another Weapon for your Defense Arsenal
- Are Businesses Dumping Linux Web Servers for Windows Server 2003?
- Will Microsoft's New Security Exams Revive Interest in Certification?
- Server Security: Optional or By Default?
- NT/2000 THIRD PARTY NEWS
- Scanning for Security
- NT to 2003 Migration: You Don't Have to Go it Alone
- Keeping Tabs on your Network when You're on the Road
- W2Knews 'FAVE' LINKS
- This Week's Links We Like. Tips, Hints And Fun Stuff
- PRODUCT OF THE WEEK
Cut Your Help Desk Support Calls by 50%
"Every once in a while a product comes along that just seems to get
the pieces right, providing both simplicity and power. ScriptLogic
fits the bill on both counts." - MCP Magazine
Fully functional 45 day DOWNLOAD
Logon, logoff and shutdown scripting
Install/update software packages
Create Outlook mail profiles
Enforce security policies
... And Much More
Caffeine-free Desktop Administration T-shirt offer is available to US residents only.
Visit ScriptLogic for more information.
What's New in Win2003: Part 3
This marks our third issue on Windows 2003. There is a lot to cover, most notably nasty worms and security patches. So get your systems patched if you haven't already!
QUOTE OF THE DAY:
"Competition is a by-product of productive work, not its goal.
A creative man is motivated by the desire to achieve, not by
the desire to beat others." - Ayn Rand (1905-1982)
(email me with feedback: [email protected])
New surveys show: Disaster Recovery and Security are #1 priority!
This means you have to have a tested plan and reliable tools in place
for the moment your site goes down. DOUBLE-TAKE is that tool. Sold
more than all other High-Availability tools combined. It is even certified
for W2K Datacenter. No other HA tool is. How it works? "Server A goes
down--Server B takes over". Get the eval copy here, this is your ultimate
Visit Double-Take for more information.
Blaster Worm Update and Fixes
Unless you've been completely out of the loop for the last week,
you're probably already aware that the Blaster worm is wreaking
havoc on corporate networks and end user systems all over the
world. It's a real shame, because this was preventable; the worm
came as a surprise to nobody who pays any attention at all to
Microsoft security issues. Microsoft even issued a patch for it
that we reported in the Aug 4th edition of W2Knews
(/?id=437). We said:
"...This is not a drill. You must, without a doubt, immediately
install this security patch..."
How does the worm attack a network? An infected machine scans
network address blocks searching for machines that accept
incoming connection requests to TCP 135. If the machine accepts
the connection, the worm payload is delivered. Of course, no
one allows inbound TCP 135 from the Internet unless
they're using an ISA Server 2000 firewall, which completely
protects your network from external attack by this exploit:
The problem is that users who connect their laptops directly
to the Internet can be infected if they don't use a personal
firewall. Even worse, VPN users connecting from their laptops
that are also directly connected to the Internet, or home-based
workers on unsecured home LANs, can also poison the well. These
hosts infect other hosts on the corporate network after they
connect to the internal network and are not subjected to
You MUST patch your systems now. This is not an optional patch,
or one of those patches you install only if you think it'll fix
a problem you have. This patch fixes a problem that everyone who
runs Windows NT 4.0, Windows 2000, Windows XP or Windows Server
2003 has. For more details on the worm and Microsoft's
recommendations for fixes, check out:
We also highly recommend that you check out eEye's analysis and
recommendations. They have released a free vulnerability scanner
that you can download and scan your network for vulnerable hosts.
Find the info you need here:
Windows Server 2003 Tip: Find Out What Process is Using a Port
We see a lot of questions from readers who want to know what
process is using a particular port on a server or firewall. You
can use third party shareware and freeware solutions to find out,
but Windows Server 2003 includes the -o switch in the netstat
command that allows you to figure out the answers without
installing any extra software:
Now you can easily find out which process is responsible for using a port.
- Open a command prompt and type the following command: netstat -nao
- You'll see a list of local addresses and ports. If you see a
local address of 0.0.0.0, that means that port is listening on
all addresses on all interfaces. Find the TCP or UDP port number
you're curious about. Then go to the end of that line and check
the value in the PID column. This is the process ID of the
application or service using the port.
- Press CTRL+SHIFT+ESC to bring up the Task Manager. Click the
Processes tab. Click the View menu and then click the Select
- Put a checkmark in the PID checkbox and click OK. Click the
PID column header to sort the entries by PID. Match up the PID
that you discovered using the netstat command with the process
owning the PID.
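
The lookup described in the tip above, applied to TCP 135 (the port the Blaster section says the worm connects to), as an added example that is not part of the original newsletter. It parses netstat -nao text and resolves each PID from tasklist /FO CSV /NH text instead of Task Manager; both samples are constructed, and the function names are hypothetical.

```python
import csv
import io

# Constructed sample of `netstat -nao` output (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       736
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:3389      192.168.1.50:1044      ESTABLISHED     1820
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample of `tasklist /FO CSV /NH` output (image name, PID, ...).
SAMPLE_TASKLIST = '''\
"System","4","Console","0","216 K"
"svchost.exe","736","Console","0","3,412 K"
"svchost.exe","1820","Console","0","4,880 K"
'''

def parse_netstat(text):
    """Return one dict per socket row; UDP rows have no State column."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] not in ("TCP", "UDP"):
            continue  # banner, column header, blank line
        addr, port = f[1].rsplit(":", 1)  # rsplit keeps "[::]" intact
        state = f[3] if f[0] == "TCP" else ""
        rows.append({"proto": f[0], "addr": addr, "port": int(port),
                     "state": state, "pid": int(f[-1])})
    return rows

def owners_of_port(port, netstat_text, tasklist_text, proto="TCP"):
    """Return (address, pid, image, all_interfaces) per listener on port."""
    reader = csv.reader(io.StringIO(tasklist_text))
    names = {int(r[1]): r[0] for r in reader if r}  # PID -> image name
    hits = []
    for r in parse_netstat(netstat_text):
        if (r["proto"], r["port"]) != (proto, port):
            continue
        if proto == "TCP" and r["state"] != "LISTENING":
            continue  # ignore established sessions that merely use the port
        wildcard = r["addr"] in ("0.0.0.0", "[::]")  # bound to every interface
        hits.append((r["addr"], r["pid"], names.get(r["pid"], "?"), wildcard))
    return hits

if __name__ == "__main__":
    print(owners_of_port(135, SAMPLE_NETSTAT, SAMPLE_TASKLIST))
```

On a live server, save the output of the two commands to text files and pass their contents in place of the samples; a True in the last field means the port is listening on all addresses on all interfaces.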
NT/2000 RELATED NEWS
Server 2003's Software Restriction Policies: Another Weapon for your Defense Arsenal
Microsoft's initiative to make their operating systems more
secure has resulted in a number of new features. Software
restriction policies, a new Group Policy feature, were first
introduced in Windows XP and reach their greater potential in
Server 2003, giving admins the ability to control what software
can be run on a computer, identifying programs by hash,
certificate, file path or Internet zone. You can set the default
policy either to define specific programs that are to be allowed
to run, or to define specific programs (or file types) that are
disallowed. This is done by setting a default rule to either
Unrestricted or Disallowed, and then creating rules that define
the exceptions to the default.
This new feature gives you one more way to combat viruses,
control the running of scripts and ActiveX controls, and
otherwise lock down both servers and workstations to the degree
that's appropriate for your organization.
Are Businesses Dumping Linux Web Servers for Windows Server 2003?
Despite Microsoft's "monopoly" status when it comes to desktop
operating systems, IIS has long played second fiddle to the
Apache/Linux combination - at least in part due to the much
lower cost of the latter. No one would call Windows Server 2003
cheap, but ZDNet recently published figures showing that
Microsoft's new OS has been giving Linux a run for its money
when it comes to web services. According to Netcraft's server
usage monitoring, there has been a 300 percent increase in the
number of sites hosted on Server 2003 over a recent three month
period, and surveys indicate many of the migrations to
Microsoft's new OS are coming from former Linux sites.
Microsoft still has a very long way to go before it catches up -
Apache still runs on over 13 million sites as opposed to under 5
million running on IIS - but hey, Internet Explorer came from
Will Microsoft's New Security Exams Revive Interest in Certification?
We noticed that a lot of Windows NT 4.0 MCPs and MCSEs didn't
bother to get certified in Windows 2000. There were undoubtedly
a lot of reasons for that: the downturn in the tech industry
meant that no longer could a "rookie" networker with a shiny new
cert go out and get a $50K job without experience. And a lot of
experienced admins just plain didn't have the time (or the need)
to study and take a long series of exams to prove their
As the Microsoft and other vendor specific certificates lost
some ground in popularity, though, the "hot" certs became those
related to security, from the entry level CompTIA Security+ exam
to the prestigious CISSP. This summer, Microsoft introduced
their security specialization track for the Windows 2000 MCSE,
and plan to do the same for the Windows Server 2003 MCSE. A new
exam, 70-299 ("Implementing and Administering Security in a
Windows 2003 Network") is in the works for the latter track. And
you don't have to go all the way to MCSE to become an MS
certified security specialist; there is also a security
specialization track for the MCSA.
Since security is the number one buzzword in IT these days, will
this new focus revive interest in the Microsoft certifications?
Certainly those in the certification industry (vendors of study
guides, practice exams and training classes) hope so:
Server Security: Optional or By Default?
A big criticism of NT and Windows 2000 was the fact that,
although they contained security features, many or most of these
were not enabled by default. A good example: the default share
and NTFS permissions, which gave the Everyone group full
control. Of course, you could (and in most cases, should) change
those defaults to lock down your sensitive resources, but the
philosophy of allowing all by default and then making exceptions
to control access is less secure than the opposite tactic of
disallowing everything by default and then making exceptions
only where access is needed (often called the principle of least
Security has been beefed up in many ways in Server 2003. Now,
when you create a new share, the Everyone group has only Read
permission, and the default NTFS permissions on new files give
Users only Read and Read & Execute permissions. The Everyone
group no longer includes members of the Anonymous group. IIS
default security has been vastly improved, too. It's no longer
installed by default on Windows Server 2003 (except for the Web
Server Edition), and when you do install it, it is installed in
a "locked down" state in which active content features (ASP,
ASP.NET, SSI, WebDAV and FrontPage extensions) are not enabled.
Some administrators believe Microsoft hasn't taken default
security far enough. They point out that file and print sharing
is enabled by default and that if you want to enforce password
complexity policies or use encryption, you must configure the
server to do so; these features aren't turned "on"
automatically. Others have been frustrated by the new defaults,
spending hours troubleshooting access problems that represent
normal behavior under these security settings.
Perhaps the question is: how far should an operating system
vendor go in forcing security on you? Do you prefer that the OS
provide the security features as options and then let you decide
which ones you want to use, or do you think Microsoft should do
it all for you, making the OS maximally secure "out of the box"
and letting you loosen security if you choose? There are
advantages and disadvantages to both approaches!
THIRD PARTY NEWS
Scanning for Security
It seems as if we get news of a new security vulnerability every
day (sometimes more than once a day). It's great that vendors
and the security community are on the ball and quick to publish
warnings as each new exploit hits, but if you have a whole
company full of computers - perhaps running many different
operating systems - how are you supposed to know whether your
machines are suffering from any of these problems and which
computers are vulnerable to which exploits?
Security scanning software has been in vogue for a while now,
and the wealth of scanning tools available from numerous
software vendors can get downright confusing. Sunbelt's Retina
is one that's received great reviews for its scope (it scans not
only Microsoft operating systems, but UNIX machines,
applications and even hardware devices such as routers and
switches), its flexibility (reports can be customized to give
you exactly the information that you want), and its performance
(installation is quick and easy and scans can be performed in
NT to 2003 Migration: You Don't Have to Go it Alone
Although you might not know it by listening to the marketing
hype, we know from the many admins on this list that a large
number of companies never made the upgrade from NT 4.0 to
Windows 2000. There are a lot of reasons for that: cost, comfort
level and the time (a commodity almost always in short supply)
required to learn a whole new product. Now, however, NT is
beginning to look a little long in the tooth, even to its most
steadfast proponents. Sticking with it prevents you from
benefiting from some exciting new components such as Active
Directory, EFS, and myriad other technologies that are built
into the newer server operating systems. Besides, being one
generation behind the cutting edge doesn't seem like a big deal,
but being two generations behind can make you a little antsy.
Making the leap from NT to 2003 might seem like a nerve-racking
proposition, though. However, there is help available. Microsoft
has provided a number of migration tools, and third party
vendors have jumped into the fray with software designed to more
easily get you through the process.
The Windows Server 2003 Migration eBook provides checklists,
recommendations and example scenarios that can make the
migration a bit less scary:
Keeping Tabs on your Network when You're on the Road
Busy network admins are always on the go. If you manage a multi-
site network, you might have to travel from one location to
another to keep tabs on what's going on. Even when you're
supposedly "off duty," whether it's home snoozing, taking a well
deserved night off to go out to dinner with the spouse or friend
you don't get to see nearly often enough, or on vacation in some
exotic location that was supposed to be "away from it all,"
chances are that Murphy's law will kick in and the folks back at
the IT department will track you down when problems occur. After
all, you are the only person who could possibly coax the network
back into a stable condition, right? It's great for the ego to
know you're indispensable, but it can also be inconvenient as
heck to get the call when you're nowhere near a computer. You
can't take a laptop everywhere you go - but how can you manage
the network if you can't connect?
Well, believe it or not, there is a way. In today's world of
integrated communications, you can use your mobile phone,
Blackberry, wireless-equipped Pocket PC or Palm Pilot, even two-
way pagers to manage Windows servers, SQL, IIS and third party
tools like Tivoli and Openview. Worried about security? No
problem. New mobile administration packages ensure that only
authorized personnel can avail themselves of their many
The only problem is: which mobile administration package is the
harassed and harried admin to choose? It's not as if you have
lots of spare time to check them all out. We suggest you go with
the best: ASG-MobileControl Administrator. It's the wireless
management tool that goes a step further, giving you the control
you need even when you're traveling light:
This Week's Links We Like. Tips, Hints And Fun Stuff
Arnold for Governator!
Robot Guard Dog sniffs out Wi-Fi holes
The party's over for Outlook Express (and a reprieve!)
Whacking a Segway Thief
Stopping the American IT Jobs Hemorrhage - Michigan tries to lead the way
Photographic evidence that Moon landing never took place
And if you really do believe, then get Apollo on DVD:
PRODUCT OF THE WEEK
"Think You're Fully Protected? Think Again"
PestPatrol finds what your firewall and anti-virus don't. Who knows what
pests might be lurking on your users' workstations. The amount of these
can be astonishing: Trojans, Spyware, Keyloggers, Hostile Java code and
about 40,000+ other pests that get through your normal defenses. Usually
caused by clueless users surfing the Web. Install PestPatrol on your PDC
and clean your whole domain via Logon Scripts every day! Grab the eval
and you'll see for yourself: