Sunbelt W2Knews Electronic Newsletter
The secret of those "who always seem to know" - Over 500,000 Readers!
Mon, Sep 1, 2003 (Vol. 8, #35 - Issue #441)
To Patch or Not to Patch
This issue of W2Knews contains:
- EDITORS CORNER
- To Patch or Not to Patch: That is the Question
- TECH BRIEFING
- Microsoft Scanning Tool Identifies Unpatched Systems
- How Will Patent Lawsuit Change Internet Explorer?
- NT/2000 RELATED NEWS
- Extra Year of Tech Support for Exchange 5.5
- Microsoft Pushing Messenger Upgrade
- New Pricing Structure for Small Business Server
- Live Meeting Web Conferencing Part of New Office System
- Keep Up with Microsoft Code Names
- NT/2000 THIRD PARTY NEWS
- MeasureUp Releases First Server 2003 Practice Exams
- Clustering: No Longer Risky Business
- W2Knews 'FAVE' LINKS
- This Week's Links We Like. Tips, Hints And Fun Stuff
- PRODUCT OF THE WEEK
SPONSOR: LanHound
Sniff Fast. Sniff Easy. Sniff Cheap. What separates LanHound
from the pack is that it is a super affordable tool that helps you
troubleshoot NT/2000/2003 LAN, WAN or Internet segments. LanHound
supports switched networks and even includes three free remote agents
in the price! Use LanHound to hunt down broadcast storms, analyze
protocols, and monitor your network. Get the Hound. LAN's best friend.
Visit LanHound for more information.
EDITORS CORNER
To Patch or Not to Patch: That is the Question
Scott Berinato, in a cover story for CSO Magazine, recently put
forth what's sure to be a controversial hypothesis - that
patching doesn't work. If you, as a network administrator, have
found yourself spending more and more of your time applying the
security patches that seem to be issued on a daily basis, only
to get whacked by the latest virus, worm or other malware, you
might be tempted to agree.
These days, hackers and black hat coders are working overtime to
find and exploit vulnerabilities in popular operating systems
and applications. Even though software vendors are generally
quick to respond and issue the requisite patches, no sooner do
you seal up one "leak" than another appears. It's hard not to
feel as if your attempts to hold back the flood are futile.
Even as he refers to patching as a "fool's errand," though,
Scott's article acknowledges the hard truth: it's presently the
only method we have for fixing software vulnerabilities. What's
the solution, then? Should we all just
give up, throw our hands into the air, and stop trying to stay
current on patching our critical systems? Or is there a better
way to protect ourselves from those who have nothing better to
do than come up with ways to break into or crash our computers
and networks?
Computer security is a complex problem and we think it's a
mistake to expect a simple solution. In an ideal world, we could
stop the intruders and attackers, perhaps with stronger
legislation and better enforcement methods. But in our real,
less-than-ideal world, the bad guys will continue to do their
dirty deeds and, imperfect as it might be, patching still needs
to be done. Even if you diligently apply every applicable patch
as soon as it's released, there's still no guarantee that your
network is safe; with new exploits being discovered every day,
your organization could be the victim of the next one before the
patch comes out. Nonetheless, we think common sense dictates
that you're better off patching than not patching.
But that still leaves you with the question of how to manage all
those patches. Scott says Intel applied 2.4 million patches to
its network last year. Overwhelming as that number is, patching
doesn't have to be the "mission impossible" that it appears to
be - if you automate the process. Luckily, there are a number of
products on the market that can help to do just that.
Our favorite is UpdateEXPERT from St. Bernard Software. This
program defines a baseline and then compares all the machines
you specify against that baseline, and makes the tedious tasks
of researching patch histories and co-dependencies easy. Best of
all, you don't have to be a scripting genius to use it, and you
don't need extra programs such as IIS or SQL to use it. The
database is updated several times per week and the thousands of
patches in the database are tested by experts. But you don't
have to take our word for it; you can download a trial version
at:
http://www.w2knews.com/rd/rd.cfm?id=030901ED-updateEXPERT
Warm regards,
Stu
(email me with feedback: feedback@w2knews.com)
SPONSOR: Blackout Insurance
Are your servers protected? Disaster Recovery is #1 priority! This
means you have to have a tested plan and reliable tools in place
for the moment your power goes down. DOUBLE-TAKE is that tool.
Sold more than all other High-Availability tools combined. It is
even certified for W2K Datacenter. No other HA tool is. How does it
work? "Server A goes down--Server B takes over". Get the eval
copy here; this is your ultimate job security.
Visit Blackout Insurance for more information.
TECH BRIEFING
Microsoft Scanning Tool Identifies Unpatched Systems
The RPC buffer overrun vulnerability in Windows NT 4.0, 2000, XP
and Server 2003 has gotten a lot of attention. You can protect
against it by applying the 823980 Security Patch (MS03-026),
which is available for download on the Microsoft web site at:
http://www.w2knews.com/rd/rd.cfm?id=030901TB-Security_Patch
But if your network is a big one with hundreds or thousands
of machines, how can you easily determine which computers have
been patched and which ones haven't? On August 14, Microsoft
released a scanning tool that administrators can use to identify
host systems to which the patch has not been applied. This utility
can be run on Windows XP and Server 2003 machines, and you can
download it from the Microsoft web site at:
http://www.w2knews.com/rd/rd.cfm?id=030901TB-Scanning_tool
How Will Patent Lawsuit Change Internet Explorer?
The Eolas Technologies/University of California lawsuit against
Microsoft, claiming patent infringement related to interactive
web technologies that are included in Internet Explorer, has
some far-reaching implications that extend beyond Microsoft and
IE users.
The federal court found in favor of the plaintiffs, awarding
them a $521 million verdict against Microsoft. The first
question is: what changes will Microsoft be forced to make to
its browser software in response to the court ruling? An even
bigger question: how will this affect other browsers, such as
Opera and Mozilla, that use those same technologies?
Of course, the case isn't over yet. Microsoft plans to appeal,
so it could be some time before this all plays out. It will be
interesting, though, to see how the decision ultimately affects
Microsoft, other browser vendors, web sites, and Internet users
in general.
http://www.w2knews.com/rd/rd.cfm?id=030901TB-Patent_lawsuit
NT/2000 RELATED NEWS
Extra Year of Tech Support for Exchange 5.5
Exchange Server 2003 is gearing up for launch, with intro events
scheduled this fall, but many companies haven't yet upgraded
from version 5.5 to Exchange 2000. The cost and time involved in
migration have deterred many, while others just haven't found a
compelling need to make the switch, going on the principle
of "if it's not broke, don't fix it." If yours is one of those
companies, you might have been struggling with the budgeting
problem of paying for extended support beginning January 1,
2004. Normally, Microsoft's products receive free support for
five years after release and then you have to pay. There's good
news from Microsoft: the company has announced that it will
provide an extra year of free support, which will carry you
through December 31, 2004. (Fees will kick in after that if you
want another year of support to take you up to December 31, 2005.)
http://www.w2knews.com/rd/rd.cfm?id=030901RN-Exchange_55
Microsoft Pushing Messenger Upgrade
Microsoft recently announced that they will discontinue support
for older versions of their messaging clients (both MSN
Messenger, the consumer-grade product used for instant messaging
with family and friends on the Internet, and Windows Messenger,
Microsoft's corporate messaging client more typically used in
business environments). This is part of their Trustworthy
Computing Initiative and is touted as a security update. The MSN
Messenger upgrade is listed as a "required upgrade" on the MSN
web site at:
http://www.w2knews.com/rd/rd.cfm?id=030901RN-MSN_upgrade
According to the Microsoft Watch web site, v6.1 of MSN
Messenger is scheduled to go into beta testing in the very near
future, and v5.0 of Windows Messenger went RTM on August 15th.
http://www.w2knews.com/rd/rd.cfm?id=030901RN-Messenger_61
An interesting side note to the Messenger story: Microsoft will
also begin requiring a license for third-party messaging clients
to connect to the .NET Messaging Service. On October 15th,
unlicensed IM clients will be blocked.
New Pricing Structure for Small Business Server
The current version of Microsoft's Small Business Server (SBS
2000) costs $1499 - a little hefty for many of the businesses
that are of a size to benefit from it. With SBS 2003 coming out
later this year, Microsoft has announced a new, more attractive
pricing structure that will offer both a "low end" and "high
end" version. The latter will be priced the same as SBS 2000,
but the low end version will cost only $599, with five client
access licenses (CALs) included. Will this aggressive pricing
bring some companies that are now relying on Linux servers into
the MS fold? Only time will tell, but we think this is a step in
the right direction. Microsoft is also increasing the number of
users for Standard and Business editions of SBS to 75 from the
current 50.
http://www.w2knews.com/rd/rd.cfm?id=030901RN-New_pricing
Live Meeting Web Conferencing Part of New Office System
With the release of Office 2003 coming up in October, customers
might have a hard time sorting out just what is and isn't part
of the new "Office System." In addition to the familiar Office
suite, it contains a number of interesting new server services
such as SharePoint Portal Server 2003 and the Microsoft Live
Meeting web conferencing service. Of course, these will cost
extra - but can add a great deal of functionality to the
corporate and small business environments.
Live Meeting is based on the Placeware Conference Center
software and it is used to conduct live, interactive meetings
for groups ranging from 2 to 2000. Pricing for the service is a
monthly fee, either per seat (5 seats for $375 or 10 seats for
$750) or pay-per-use (35 cents per minute, per meeting
participant).
If you'd like to try it out, you can download a free trial
version at:
http://www.w2knews.com/rd/rd.cfm?id=030901RN-Live_meeting
Keep Up with Microsoft Code Names
Microsoft's product code names are often fun and whimsical, but
it can be a chore to keep up with which code name goes with
which software product. Most in-the-know industry insiders don't
have any trouble remembering that Longhorn is Microsoft's next
generation of Windows, and that Blackcomb is the server product
that's expected to follow it, but things can get a little more
confusing when you have Bobcats (SBS 2003) running around,
Stingrays (ISA Server 2004) swimming by, and Hailstorms (.NET
services) happening.
If you've been longing for a list of current Microsoft projects
and their code names, you can get it by signing up for their
newsletter. The first two weeks are free, and you'll get their
Microsoft Watch Code Name Tracker with your subscription:
http://www.w2knews.com/rd/rd.cfm?id=030901RN-Microsoft_watch
THIRD PARTY NEWS
MeasureUp Releases First Server 2003 Practice Exams
Windows Server 2003 has been out for a few months now, and
Microsoft's Server 2003 exams will be available soon.
Administrators looking to upgrade their MCP, MCSA or MCSE
certifications to the new 2003 track have been eagerly awaiting
the availability of study aids, especially practice exams that
often serve as an exam candidate's tool for evaluating whether
he/she is ready to sit for the test or needs more study time.
After all, it's not only disheartening but expensive and time
consuming to take the exam and fail, and there's no better way
to determine whether you've mastered the exam objectives than to
test yourself on similarly formatted material that's also
written to the objectives.
Well, the first practice exams for exams 70-290 (Managing and
Maintaining a Windows Server 2003 Environment) and 70-291
(Managing and Maintaining a Windows Server 2003 Network
Infrastructure) are now available from MeasureUp, one of
Microsoft's Certified Practice Test Providers. This designation
means MeasureUp actually works with Microsoft to ensure that the
practice exams meet quality criteria. If you're planning to sit
for these exams any time soon, you'll want to check out these
exams as part of your exam prep plan.
http://www.w2knews.com/rd/rd.cfm?id=030901TP-Practice_exams
Clustering: No Longer Risky Business
Server clustering is a popular high availability solution in
today's enterprise environment, and Microsoft's Cluster Service,
built into Windows 2000's Advanced and Datacenter Servers (and
now Windows Server 2003) provides a popular way to implement
clustering technology. However, the practice of sharing the
storage subsystem among the cluster nodes (the name for servers
that are members of the cluster) creates a single point of
failure that can be the downfall of your high availability plan -
unless you take steps to address the vulnerability by using a
software solution that replicates cluster data so that each node
has a local copy of the data.
For example, you can do this with GeoCluster, eliminating the
number one risk of clustering and providing another layer of
protection for your mission critical data. Because data
replication occurs in real time, you don't have to worry about
losing hours of work that hasn't yet been backed up if a failure
occurs. GeoCluster is part of the DoubleTake Management
Framework, but it can be used with or without DoubleTake. For
more info, see the diagrams, screen shots, and documents at:
http://www.w2knews.com/rd/rd.cfm?id=030901TP-GeoCluster
FAVE LINKS
This Week's Links We Like. Tips, Hints And Fun Stuff
Microsoft's Jim Allchin answers questions on Blaster and
security efforts:
http://www.w2knews.com/rd/rd.cfm?id=030901FA-Blaster_qa
Let's give the Iraqis our Constitution (we're not using it):
http://www.w2knews.com/rd/rd.cfm?id=030901FA-Constitution
Flatulence: a Whale of a Problem:
http://www.w2knews.com/rd/rd.cfm?id=030901FA-Whale
Deep in the heart of taxes:
http://www.w2knews.com/rd/rd.cfm?id=030901FA-Taxes
Don't have enough to do? Check out some crazy fads:
http://www.w2knews.com/rd/rd.cfm?id=030901FA-Fads
For old time radio fans:
http://www.w2knews.com/rd/rd.cfm?id=030901FA-Radio
PRODUCT OF THE WEEK
iHateSpam Server Edition
iHateSpam Server Edition lets you control spam according to the
needs of your company and users - not to mention your needs. It
delivers fast setup, a powerful spam detection engine, tunable
parameters, and customizable treatment of spam. Aggressively priced
and available now. Supports Exchange 2000 - gateway edition for
Exchange 5.5 and 2000 coming soon.
Click here for your 30-day, full feature eval:
http://www.w2knews.com/rd/rd.cfm?id=030901PW-iHateSpam_SE
Copyright © 1996-2005 Sunbelt Media Services. All rights reserved.
Information in this document is subject to change without notice.
Other products and companies referred to herein are trademarks or
registered trademarks of their respective companies or mark holders.