Sunbelt W2Knews™ Electronic Newsletter
The secret of those "who always seem to know" - Over 500,000 Readers!
Mon, Aug 25, 2003 (Vol. 8, #34 - Issue #440)
What's New in Win2003: Part 4
  This issue of W2Knews™ contains:
    • What's New in Win2003: Part 4
    • B Drive Can Come Alive in Pre-Windows 2003 Systems, Too
    • Does Microsoft Feel your (Licensing) Pain?
    • Is Your Buffer Overflowing?
    • This Week's Worm is "So Big"
    • Blaster Attack Fails to Complete its Mission
    • Planning Ahead for Windows Server 2003 Service Pack 1
    • New Microsoft Desktop Cert on the Horizon?
    • Readers Respond on Optional vs Default Security Issue
    • Monitoring File I/O Performance
    • Doing a Double-Take: Back up in Real Time
  W2Knews 'FAVE' LINKS
    • This Week's Links We Like. Tips, Hints And Fun Stuff
    • Sunbelt Remote Administrator
  SPONSOR: iHateSpam Server
Is Spam Negatively Affecting Productivity and Security?
Make spam go away, free up both your and your users' time and cut
down on email-borne security threats. Control spam with iHATESPAM
Server Edition. It was uniquely tailored to the exact features you
require as an Exchange Administrator and detects over 95% of spam.
Click here for your 30-day, full-feature eval:
Visit iHateSpam Server for more information.

What's New in Win2003: Part 4

Here we are with our last of four special issues about Windows 2003. With all the virus news this week, I'll keep the Editor's corner short again so we can get right to it!

"I may not have gone where I intended to go, but I think I have ended up where I intended to be."
- Douglas Adams (1952-2001).

Warm regards,

Stu Sjouwerman (email me with feedback: [email protected])

New surveys show: Disaster Recovery and Security are the #1 priority!
This means you have to have a tested plan and reliable tools in
place for the moment your site goes down. DOUBLE-TAKE is that tool.
It has sold more than all other High-Availability tools combined, and it
is even certified for W2K Datacenter; no other HA tool is. How does it
work? "Server A goes down--Server B takes over." Get the eval
copy here; this is your ultimate job security:
Visit DOUBLE-TAKE for more information.

B Drive Can Come Alive in Pre-Windows 2003 Systems, Too

A couple of weeks ago, we wrote about Windows Server 2003's ability to assign the B drive letter through the graphical interface. A reader wrote to remind us that, although you can't use the GUI to do it, you can substitute B: for a local drive path in pre-Windows 2003 systems by using SUBST or the handy freeware program NTSUBST. Here's what our reader has to say:

"I use this technique on my users' machines to give them easier access to their "My Documents" folders.


is used in their login script.

As a matter of practice I strongly encourage my users to root all work files under "My Documents". Our backup procedures back up only the %USERPROFILE% directory on a regular basis. If they obey policy this is all that needs to be backed up. The problem is that we have a number of legacy applications that do not take well to long (> 8 characters) file/folder names, spaces in file/folder names, or long total path lengths (> 64 characters). Furthermore, because these are ancient (or sometimes just poorly written) programs, they also have no concept of the modern Windows file shell object. Accessing "My Documents" must be done through an actual path (i.e. C:\Documents and Settings\username\My Documents). Not only is this littered with long names and spaces but it also has consumed 48 characters and we aren't even into the user's personal folder structure where the actual work files are stored.

By using NTSUBST I can let them work from a short and simple B:\ whenever they're using these legacy applications and still comply with my policies for filesystem structure.

The truly wonderful thing about using B: is that I know this letter is not otherwise in use. I built all the machines so I know none of them have a 2nd floppy drive and it isn't possible to do anything else with B:. Any other letter would have the potential for conflict with either physical drives or mapped network shares."

You can download a copy of NTSUBST here:

Does Microsoft Feel your (Licensing) Pain?

Microsoft's various licensing programs have been the object of much weeping and wailing and gnashing of teeth - just trying to understand what you legally can or can't do under the licenses sometimes seems next to impossible, and when you do figure out the terms and conditions, you're likely to be unhappy about them. A year ago, the Software Assurance Licensing 6.0 for corporate volume users entered the scene, and many of the affected customers complained long and loudly about the new "annuity-based" licensing scheme.

Now it seems Microsoft heard their cries and has been trying to make things better by talking to (and better yet, listening to) their enterprise and mid-size customer base and making some changes to the volume licensing contracts. Maybe there's hope after all.

You can read more about software assurance on Microsoft's web site:

Is Your Buffer Overflowing?

A W2Knews reader wrote last week to ask that we give a little background on what a buffer overflow is and how it is used to enable virus or Trojan attacks. To fully understand how these attacks work, you need some programming knowledge, but here's the short form: a buffer is a holding place in memory where data is stored temporarily. The programmer creates it so that different processes that operate at different speeds can work together without one impeding the others. The program allocates a specified amount of memory for the buffer. If a process tries to put more data into the buffer than was allocated, you get an overflow. When that happens, the extra data can overwrite data in other buffers that sit next to the overflowing one in memory. If the adjacent area of memory is one that holds program instructions, the extra data can overwrite those instructions with new ones.

Buffer overflows can be intentionally created by hackers, who include in the extra data code that provides malicious instructions to the computer that's the target of the attack.
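To make the mechanics concrete, here is an added C example (not from the newsletter): an eight-byte buffer followed immediately by eight bytes that belong to something else, filled once by a copy routine that never checks the length and once by a routine that does. Both regions are modelled as one constructed array so that every write is well-defined C; the names, sizes and sample input are the example's own.

```c
#include <string.h>

/* Constructed layout: an 8-byte input buffer followed immediately by 8 bytes
 * that belong to something else. One array, so every write below is defined. */
#define BUF_SIZE 8
#define ADJ_SIZE 8

typedef struct {
    unsigned char mem[BUF_SIZE + ADJ_SIZE];
} region_t;

#define BUF(r) ((r)->mem)            /* bytes 0..7: the buffer being filled */
#define ADJ(r) ((r)->mem + BUF_SIZE) /* bytes 8..15: whatever sits after it */

/* Vulnerable pattern: the copy trusts the length that arrives with the input
 * and never asks how big the destination is, so extra bytes land in ADJ. */
static void copy_unchecked(unsigned char *dst, const unsigned char *src, size_t src_len)
{
    for (size_t i = 0; i < src_len; i++)
        dst[i] = src[i];
}

/* Hardened pattern: the destination capacity is part of the call, and the
 * copy is refused (returns 0) when the input would not fit. */
static int copy_checked(unsigned char *dst, size_t dst_cap,
                        const unsigned char *src, size_t src_len)
{
    if (src_len > dst_cap)
        return 0;
    memcpy(dst, src, src_len);
    return 1;
}

/* Feeds a 12-byte input (4 bytes too many) through one of the two routines.
 * Returns 1 if the adjacent bytes are still intact afterwards, 0 if not. */
static int adjacent_survives(int use_checked)
{
    static const unsigned char input[] = "AAAAAAAABBBB";  /* 12 bytes + NUL */
    const size_t input_len = sizeof input - 1;
    region_t r;
    memset(r.mem, 0, sizeof r.mem);
    memcpy(ADJ(&r), "INTACT!", 8);                        /* 7 chars + NUL */
    if (use_checked)
        copy_checked(BUF(&r), BUF_SIZE, input, input_len);
    else
        copy_unchecked(BUF(&r), input, input_len);
    return memcmp(ADJ(&r), "INTACT!", 8) == 0;
}
```

With the unchecked routine the last four input bytes overwrite the start of the adjacent region; the checked routine leaves it untouched because the copy never happens.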

Our reader also asked why this type of error is so prevalent in Microsoft products. Actually, buffer overflow vulnerability is not limited to Windows or any specific platform. The real culprit is the C programming language, which does nothing to stop a program from writing past the end of a buffer unless the programmer checks the length. UNIX and Linux are also subject to buffer overflows and thus to attacks that exploit them. In fact, a Google search on "buffer overflow attacks" turns up numerous articles related to non-Microsoft operating systems. One of the first famous attacks that used a buffer overflow (in the UNIX service called "finger") was the Internet Worm of 1988. For more info on the evolution of buffer overflows, see:

This Week's Worm is "So Big"

August has been a big month for viruses, worms and other "malware," and this week is no exception. The Sobig worm isn't new, but a variant (Sobig.F, the sixth recorded version) has earned the moniker of "fastest spreading e-mail virus ever" since its release a few days ago. Even companies and individuals with heavy-duty filtering and virus checking implemented are seeing its effects. For a complete list of the subject lines and attachment files associated with this virus, see Symantec's web site. The worm is another of those that propagates by sending itself to the addresses in the infected computer's address books and other files. The good news is that the worm is supposed to deactivate on September 10th. The bad news is that it affects all Windows systems (except 3.x) and because of the sheer number of infections reported, Symantec has upgraded it from a Category 2 to a Category 3 threat.

Symantec's security response can be found here:


Blaster Attack Fails to Complete its Mission

The W32.Blaster worm created havoc last week and thousands of Windows computers were infected. The real goal of the worm, though, was not to damage the infected systems but to use them to launch a distributed denial of service attack against Microsoft, targeting the Windows Update web site. Ironically, it appears that the writer of the worm code used the wrong URL (windowsupdate.com, which actually just forwards web browsers to the site's real address, windowsupdate.microsoft.com). Thus, Microsoft was able to easily change the registration of the forwarding site so that the DDoS attack did not affect the Windows Update site. Some infected systems were crashed by the worm, but it was not able to do nearly the amount of dirty work that was anticipated.

Planning Ahead for Windows Server 2003 Service Pack 1

If you were an early implementer of Windows Server 2003, you've probably been wondering when the first service pack will be available - especially in light of recent worms and other vulnerabilities and exploits that have received a lot of publicity. For those who like to plan ahead, Microsoft has put together a road map on their web site with projected timeframes for the release of service packs. According to the road map, SP1 should be available sometime early in 2004.

New Microsoft Desktop Cert on the Horizon?

We've been hearing from readers who recently participated in an invitation-only online survey put out by Microsoft that the survey indicates that MS is planning a brand new certification path for desktop support technicians, including help desk personnel. Indications are that this would be an intermediate level certification, something that would fall between the expertise levels of CompTIA's A+/Network+ and Microsoft's own MCP/MCSA/MCSE program. We think it's a good idea, and hope MS proceeds with the idea. Article requires registration:

Readers Respond on Optional vs Default Security Issue

Last week, we asked what you thought about Microsoft's new approach to security in Windows Server 2003, where certain OS features are locked down by default. We wondered if admins welcomed the new philosophy, thought it didn't go far enough in locking down everything, or preferred that such security measures be optional.

Most of the responses we got indicate that many of you like the middle of the road approach MS is taking at this time. One reader noted that this isn't the first time a major computer vendor has transitioned from open access to a more secure model:

"An observation from the archives of my mainframe background regarding the comments you made about the Everyone group being left open:

When IBM introduced RACF (Resource Access Control Facility) Security for mainframe applications, by default all resources were granted access to all groups and individuals. It was up to the individual security administrators to lock down the resources that they wanted to protect. Within several years, a new product arrived on the market (not IBM) called ACF2. The premise behind ACF2 was the opposite of IBM's: all resources were to be protected, and only those specifically granted access could perform work. This approach was a terrible strain on the security admin staff, and a huge irritant to the programmers and analysts. Over the years, IBM has modified its approach to be closer to the ACF2 model, but not as severe as ACF2.

I expect that Microsoft is going through the same curve that IBM went through. I can just hear the screams from the computing public if Microsoft were to suddenly impose a complete security philosophy. They seem to be taking the gradual approach. Probably fewer lawsuits!"

On the other hand, some of you pointed out that having everything locked down by default would at least solve the problem of "breaking" key system components when you implement security.


Monitoring File I/O Performance

We have numerous tools for monitoring various aspects of Windows system performance, from the built-in System Monitor to a variety of third party utilities. Most of these give us a way to monitor the performance of major hardware components such as memory, processor, and network adapters. But what about the performance of your files - the basic component of all the software and data on your computer?

The best option for monitoring file input/output is Sunbelt's hIOmon, a file I/O performance monitoring utility that is unique in its ability to not only let you collect specific file I/O performance data but also to easily automate the process. Because it supports Windows Management Instrumentation (WMI), you can integrate it into your management and monitoring routine easily. This is a must-have if you want to be comprehensive in monitoring the performance of your servers and workstations. Windows NT 4.0, 2000, and XP (Home and Pro) are supported.

Doing a Double-Take: Back up in Real Time

You've probably already learned the hard way, at least once, why it's essential to back up the data on your critical systems every day. But even if you diligently back everything up every night with a traditional backup program, you still might end up with serious problems when disaster strikes, because you'll still lose all the data that was created or changed since that last backup. What if the server's disk crumps at 4:45 p.m. and you do your backup at night after everyone leaves? You have a whole day of work - multiplied by the number of users on your network - that's gone forever. That is, unless you do a Double-Take.

Double-Take lets you replicate file changes as soon as they occur, so that you have all your important files backed up no matter what time it is. But that's not all - the server to which your data is replicated can actually take on the identity of the server with the failed disk, so that users won't even know anything happened and can continue working with zero lost time and lost productivity. It's compatible with Windows NT 4 Server and Workstation, Windows 2000 Server and Pro, and Windows Server 2003.


This Week's Links We Like. Tips, Hints And Fun Stuff

  • The 2003 US Blackout as seen from space:
    http://www.w2knews.com/rd/rd.cfm?id=030825FA-2003_Blackout
  • Make yourself heard on keeping IT jobs in the U.S.:
    http://www.w2knews.com/rd/rd.cfm?id=030825FA-IT_Jobs
  • Forget the whales; save the Internet!
    http://www.w2knews.com/rd/rd.cfm?id=030825FA-Save_the_Net
  • No rules - catch everything ...
    http://www.w2knews.com/rd/rd.cfm?id=030825FA-Bug_Game
  • Singing politicos:
    http://www.w2knews.com/rd/rd.cfm?id=030825FA-Singing_Politicos
  • Ever fancied working in a shop?
    http://www.w2knews.com/rd/rd.cfm?id=030825FA-Clerk
  • Squirrel Hazing: the untold story:
    http://www.w2knews.com/rd/rd.cfm?id=030825FA-Squirrel_Hazing

Sunbelt Remote Administrator

"I love your Sunbelt Remote Administrator software. Easy to set up and use. I can accomplish the same kind of remote (co-located) server access using pcAnywhere, but that is a "pig". But here is the cool part. I never could copy really large image files using MS VPN; one packet drops and it dies. But RADMIN copied 1.8 GB without crashing! In fact I tested it on my home LAN. During file copy, I yanked a patch cable and plugged it back in. RADMIN stopped for a moment (of course, the connection was lost) but quickly resumed and completed the transfer! That won't normally work with an MS mapped drive. Very reliable! Dirt cheap! It works great and I'm impressed." R.N.