Sunbelt W2Knews™ Electronic Newsletter
The secret of those "who always seem to know" - Over 500,000 Readers!
Mon, Aug 2, 2004 (Vol. 9, #30 - Issue #486)
Do They Think We Are Stupid Or Something?
  This issue of W2Knews™ contains:
    • What's Everyone Planning With Windows and Linux?
    • ZDNet Reports: Linux Added To Security Scanner
    • WebCast: Microsoft and Sunbelt Software Present
    • The Top 50 Tech Sites: Bookmarks
    • Updates to Understanding IPv6
    • Do They Think We Are Stupid Or Something?
    • Microsoft's Security Laws: Rebuttal
    • 64-Bit Windows and W2K3 SP1 Pushed Back
    • Microsoft Finishes SQL Server 2005 Beta 2
    • The Window Shortens From Hole To Exploit
    • SBS Is Really Doing Great
    • Best Practices for Vulnerability Management
    • Security Update: 7 New Vulnerabilities Discovered
  5. W2Knews 'FAVE' LINKS
    • This Week's Links We Like. Tips, Hints And Fun Stuff
    • What The MS Spell Checker Thinks Of WinXP RC2
The demands on your time and budget are enormous. Panda
EnterpriSecure and BusinesSecure deliver completely centralized,
always updated corporate virus protection. You can administer the
entire network right from your desk, install, uninstall, or update AV
on any of your machines all at once or individually. Protect your
perimeter and email communications with hassle-free, centralized
management. Test drive it yourself click here.

What's Everyone Planning With Windows and Linux?

The Yankee Group and Sunbelt Software invite you to participate in the yearly Windows, Linux, Office and Active Directory Deployment Survey. This has become a regular, reliable benchmark on the actual deployment of these most popular technologies. We will come out with an Executive Summary for W2Knews subscribers in a few weeks, so you can see what your peers are planning and rolling out at the moment. It's a fast survey and should take you just 2-3 minutes to fill out. Know where the market is heading, it's worth your time! Here goes:

ZDNet Reports: Linux Added To Security Scanner

The new Sunbelt Network Security Scanner is taking off like a rocket now that it does IP-scanning and is multi-platform. See what ZiffDavis has to say over here:

WebCast: Microsoft and Sunbelt Software Present

"How to Protect Your Enterprise from Spam: Solutions for Microsoft Exchange" The increasing volume of spam and the increasing ingenuity of those who disseminate it have made the battle against spam a priority in the enterprise environment. Current anti-spam weapons must address end users' needs and concerns without placing excessive demands on company resources or system administrators. Join us online to see the ways that Sunbelt Software's iHateSpam for Exchange can be deployed to easily and effectively protect an enterprise. Spam filtering techniques will be presented along with solutions specifically designed to support MS Exchange Server 5.5, 2000 and 2003 environments. Register at the Microsoft website:

Date: Wednesday, August 4, 2004
Time: 10:00-11:00am Pacific time
1:00-2:00pm Eastern time
(All times are US and Canada)

The Top 50 Tech Sites: Bookmarks

Carl Webster put these 50 sites in an HTML page so that you can make that page a FAVE instead of having to spend all the time to create your own faves by hand. Here you are!

Warm regards,
Stu Sjouwerman (email me with feedback: [email protected])

  SPONSOR: Disaster Recovery Is Now A Must-Have
But there are still a lot of questions about DR, here are a few:
- What is the difference between synchronization and replication?
- Does DOUBLE-TAKE replicate the entire file when it is changed?
- Are changes applied to the target server immediately?
- Can replicated data on the target be accessed by users?
- Will DOUBLE-TAKE replicate encrypted files?
And many more. We have an FAQ in PDF for you here (no registration!)
Visit Disaster Recovery Is Now A Must-Have for more information.

Updates to Understanding IPv6

Microsoft wrote a white paper about changes in Internet Protocol version 6 (IPv6) standards and their implementation in Microsoft Windows XP and the Windows Server 2003 family. Support for IPSec for IPv6 includes the Secure Hash Algorithm 1 (SHA1) hashed message authentication code (HMAC). It sits at itpapers.com. (You need to register)

Do They Think We Are Stupid Or Something?

Network World has a fairly critical/funny article. It starts like this: "The marketing mavens at Microsoft, Sun, Novell, IBM and Apple are looking at the removal, by a rival, of support for older operating systems as an opening to a 'year of opportunity' (Steve Ballmer's words at Microsoft's recent Partners Conference) for moving corporations to new server operating systems. With Novell pushing folks to give up NetWare and Microsoft dropping support for Windows NT, we see the incredible sight of these two companies believing they can 'steal' customers from the other! Even Apple is jumping on the conversion bandwagon, with Steve Jobs chortling that 'the time is right to try to win the hearts and minds of the disenfranchised Windows Server base.'" The rest of the article is here:

Microsoft's Security Laws: Rebuttal

In the last Stu's News (company newsletter for Sunbelt customers) I published Microsoft's 10 Security Laws and got an earful of feedback. [grin] Bruce MacDonald, who is an Information Technology Manager, sent me this. Quite interesting and humorous reading actually! (You can subscribe to Stu's News over here, it's a monthly):

"Stu, Here is my feedback on Microsoft's laws.

"Law #1: If a bad guy can persuade you to run his program on your computer, It's not your computer anymore.
REBUTTAL #1: If an operating system writer sells an operating system that permits this, then the OS writer is an accomplice.

"Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore.
REBUTTAL #2: If the writer of that operating system makes "everyone: Full control" the default security setting, then the OS writer is an accomplice and should be liable for any damage thus caused.

"Law #3: If a bad guy has unrestricted physical access to your computer, It's not your computer anymore.
REBUTTAL #3: If ANYONE other than yourself and trusted individuals has unrestricted physical access to your computer, then you are a fool and deserve what you get.

"Law #4: If you allow a bad guy to upload programs to your Web site, it's not your Web site any more.
REBUTTAL #4: If someone pretending to be a good guy does the same thing, they become the bad guy.

"Law #5: Weak passwords trump strong security.
REBUTTAL #5: Once again, Microsoft reveals an astonishing degree of hypocrisy by making this a 'law'. Installing Windows XP Pro does not even prompt for an administrator password, let alone force even basic password common sense. If Microsoft did their job properly, it would be impossible to create a weak password.

"Law #6: A machine is only as secure as the administrator is trustworthy.
REBUTTAL #6: This is a universal security law, not a computer or technological one. Stating the obvious.

"Law #7: Encrypted data is only as secure as the decryption key.
REBUTTAL #7: I guess they wanted 10 laws really bad. This is stating the obvious again.

"Law #8: An out-of-date virus scanner is only marginally better than no virus scanner at all.
REBUTTAL #8: No existing virus scanner is of any use whatsoever against previously unknown viruses. At the very basis of system design, it should be totally impossible to introduce an executable piece of code, without putting the machine deliberately into an 'installation mode'. In such a mode, only specially designated installation programs would run. Nothing could ever execute unless first "blessed" by such an installer. A separate "execution" mode would not permit installers to run. A further "developer" mode would permit both, but would be restricted to running developer tools. Such an operating system would be relatively easy to implement, and no malware could then exist.

"Law #9: Absolute anonymity isn't practical, in real life or on the Web.
REBUTTAL #9: Bullsh!t. Microsoft threw this in 'cuz they want people to become less protective of their privacy. Presumably so that Microsoft can profit by exploiting it. This statement is detestable. By throwing the word 'absolute' in there, they make their statement true, but its intent is sinister. I see a day coming when all content generated for use outside the confines of the computer that created it will be required to be digitally signed by its originator, and further by each distributor as it travels the internets of the world, and all accesses of private systems will require prior permission, whereas access to public systems will still be permissible anonymously. In Canada (I don't know about the US) trespass on another's land is a tort (a civil case), but peeking in their windows is a criminal offense (the equivalent in the US of a felony). Microsoft, and many other internet entities, by using information found on my computer without my permission commit the same offence. The only difference is that it is copper, not glass, that they are peeking through.

"Law #10: Technology is not a panacea. (noun: hypothetical remedy for all ills or diseases; once sought by the alchemists)
REBUTTAL #10: LOL - and they finish off by stating the obvious once again.

"I'll finish off with a law of my own:
MacDonald's Law: Every communication originating from a corporation is self-serving, and contains deceptions, misdirections and outright falsehoods. Corollary: The purpose of the deception is to mine your pockets. You have been warned."


64-Bit Windows and W2K3 SP1 Pushed Back

Wanted to get one of those cool Athlon 64's in production? You will have to wait a bit longer I'm afraid. The 64-bit Windows OS has been postponed until the first part of 2005. Windows Server 2003 SP1 will also be delayed until next year. A bit of a bummer for both AMD and people that already bought the 64-bit CPUs. With this latest news, W2K3 and XP 64-bit join the slipping slideware batch of products with WinXP SP2 and most notably Longhorn. If you are just dying to run a 64-bit OS, your only choice is one of the 64-bit Linux distros such as SuSE 9.1 Pro, Gentoo, or Mandrake.

Microsoft Finishes SQL Server 2005 Beta 2

Redmond released its long-awaited Beta 2 for SQL Server 2005 this week. It's the next major release of SQL that had the code-name "Yukon."

The Window Shortens From Hole To Exploit

I told you a few issues ago that the time it takes to find an exploit in the wild for a known vulnerability is now about 10 days. ZDNet has an article about why. Crackers now have automated tools (!) to create hacks for known holes. They say they can do it in a day. [grumble]. Here is the article that describes the Black Hat Briefings that were held in Vegas this week. Interesting reading.

SBS Is Really Doing Great

Microsoft Corp.'s Windows Small Business Server 2003 is a big success with Small and Midsize Business (SMB) customers, Microsoft Value Added Resellers (VARs) and consulting partners alike.

Windows Small Business Server's (WSBS) success and fast adoption rate is all the more notable because Microsoft's marketing efforts have been minimal in comparison to Windows Server 2003 and Office 2003. WSBS is, in a very real sense, selling itself. The word of mouth buzz is significant. In less than one year of deployment, it has outsold its predecessor Windows Small Business Server 2000 by 200%.

SMB shops with one to 75 users are installing WSBS in record numbers for its unparalleled functionality, ease of use and price tag. At $599 for the base-level Standard Edition and $1,499 for the Premium Edition, there is simply nothing like it for the money. For that matter, there is simply no bundled package that can match it. Linux and Open Source vendors have no products that individually or collectively can compete with the bundled feature set of Windows SBS 2003, customers say. Small businesses further reported that Windows SBS 2003 has a near immediate ROI.

The product is actually a collection of software packages. It incorporates the following packages: W2K3, Exchange 2003, IIS, Fax, Management Console, Front Page 2003, SQL Server 2000 and the Internet Security and Acceleration Server (ISA) in the Premium Edition and a variety of tools and utilities.

Microsoft partners reported that their sales have soared by 100% to even 300% or 400% in the past 12 months. This sales spike is directly attributable to WSBS deployments, they said.

There is a certain irony to this last statement because the SMB partners make minuscule profit margins from the actual sale of Windows SBS. Rather, they realize the greatest return in assisting customers with deployment, after market consulting and technical service and support. These fees -- which can range from $8,000 to $15,000 -- more than compensate for the approximately $4 (US dollars) they make on each unit sale of Windows SBS.

If Windows Small Business Server stays under wraps, don't blame Harry Brelsford, the CEO of SMB Nation, Inc., a consultancy based in Bainbridge Island, Washington that focuses on small and medium business consulting and system integration. He is the driving force behind the SMB Nation touring conference, complete with workshops designed to highlight the features and functions of WSBS customers on its usage. If you can't attend SMB Nation in person, check out Brelsford's third-party SBS book, "Windows Small Business Server 2003 Best Practices"; it's chock full of tactical, practical advice and tips and tricks to make the most of the bundled package. It lists for $59.95; you can order it at:

Laura DiDio
Senior Analyst, The Yankee Group


Best Practices for Vulnerability Management

Eric Ogren, an analyst at the Yankee Group, specializes in Security Solutions & Services Research and Consulting. He came up with a good article and I asked permission to use sections of it. He started like this:

"Building a strong program based on mitigating known vulnerabilities has transformed from a security-centric process to an operational necessity for business success.

"Product vendors describe vulnerabilities as defects requiring a patch, upgrade or configuration change; attackers target these weaknesses in a security profile. Once a vulnerability is discovered, it is only a matter of time before an attacker develops the worm, virus or intrusion that can take advantage of the defect. For example, the recent Sasser worm was launched a mere 18 days after the vulnerability was announced in the form of an available patch. Companies that rely on signature-based defenses against known exploits are helpless against fast-moving exploits and zero-day attacks that propagate globally at Internet speeds. The goal of the security team is to reduce risk by identifying and eliminating weaknesses in an effort to shrink the window of opportunity in which an exploit or attacker could impact the organization.

Best Practices for Vulnerability Management:

  1. Classify network assets to effectively prioritize vulnerability mitigation programs, such as patching and system upgrading.
    The first best practice is to identify and classify network resources. There are far too many assets in an enterprise network to manage individually, and at an average cost of $235 to patch a desktop (based on 2003 Yankee Group enterprise security spending survey), patching all vulnerabilities as rapidly as possible becomes cost prohibitive. The odds are great that unpatched systems will exist when the exploit designed specifically for the announced vulnerability strikes. Understanding and classifying assets to a category allows IT to apply policies more efficiently, and if the organization is time or resource constrained, it enables the security team to focus on patching the most critical assets first.
  2. Reduce vulnerability exposure quickly to measure the effectiveness of risk mitigation.
    Vulnerability management systems test network resources for the presence of known vulnerabilities. This produces a record per scan of the number of vulnerabilities discovered, their severity, and the asset classes affected. It is the true measure of a patch and configuration control program.
  3. Integrate vulnerability management with discovery, patch management, and configuration management processes to close vulnerabilities before exploits can strike.
    Vulnerability management bolsters the effectiveness of patch management, configuration control, and early-warning services. Integrate vulnerability management with network integrity systems to assess new systems on the network, with patch management systems to confirm completion of a patch process, and with management reporting portals to raise the awareness among executive management for the accomplishments of the security team.
  4. Audit the performance of security policy implementations, security team performance and process improvements to build a culture of refining security operations.
    Security executives regularly audit the effectiveness of integrated vulnerability processes. Vulnerability management delivers the fundamental metrics that management needs to evaluate the state of the corporate network security program. Best practices use the metrics to assess the success or failure of various efforts to improve performance."
Eric suggested some vendors, and noted it is a good thing to integrate the vulnerability scanning and patching with asset discovery tools, to expand the scanning into security profile management, and change the way your organization thinks about security by sending your line managers reports about the security of their business. He continued with:


  • Continually test critical assets for weaknesses. Test critical assets a minimum of every 5 to 10 days. The software on the asset may not change, but new vulnerabilities as well as reintroduced weaknesses are discovered every day. Identifying and eliminating weakness is an ongoing process.
  • Patch all critical systems within 21 days of the release of a critical vulnerability, with a rollout procedure to other assets based on their classified priority level. The rate at which vulnerabilities are exploited continues to get shorter; build a sense of managed urgency into your vulnerability process.
  • Measure security team performance with vulnerability management metrics. The impact of an organization's effectiveness in identifying risks and reducing vulnerabilities serves as the true measure of a security team's performance. Use vulnerability management to measure and monitor security procedures for patching, upgrading and deploying networked systems."
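
The practices above reduce to a few checks that can run after every scan. The following is an added example, not code from the article or from any Sunbelt product: it flags critical assets not retested within 10 days, critical findings on critical assets older than 21 days, and orders the patch queue by asset class. The asset names, check ids and the priority scheme (1 = most critical) are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass, field
from datetime import date

MAX_SCAN_AGE_DAYS = 10        # retest critical assets at least every 5 to 10 days
CRITICAL_PATCH_SLA_DAYS = 21  # patch critical systems within 21 days of release

@dataclass
class Finding:
    check_id: str   # constructed id, not a real scanner check
    severity: str   # "critical", "high", "medium" or "low"
    released: date  # day the vulnerability was announced

@dataclass
class Asset:
    name: str
    priority: int   # assumed scheme: 1 = most critical asset class
    last_scan: date
    findings: list = field(default_factory=list)

def exposure_by_class(assets):
    """Per-scan record: open findings by severity for each asset class."""
    record = {}
    for a in assets:
        record.setdefault(a.priority, Counter()).update(f.severity for f in a.findings)
    return record

def review(assets, today):
    """Return (stale critical assets, 21-day breaches, ordered patch queue)."""
    stale, breaches, queue = [], [], []
    for a in assets:
        if a.priority == 1 and (today - a.last_scan).days > MAX_SCAN_AGE_DAYS:
            stale.append(a.name)
        for f in a.findings:
            if f.severity != "critical":
                continue
            age = (today - f.released).days
            if a.priority == 1 and age > CRITICAL_PATCH_SLA_DAYS:
                breaches.append((a.name, f.check_id, age))
            # Most critical class first, then the oldest exposure within a class.
            queue.append((a.priority, -age, a.name, f.check_id))
    queue.sort()
    return stale, breaches, [(name, check) for _, _, name, check in queue]

# Constructed sample inventory for illustration only.
TODAY = date(2004, 8, 2)
SAMPLE_ASSETS = [
    Asset("desktop-17", 3, date(2004, 6, 1),
          [Finding("CHK-001", "critical", date(2004, 7, 5))]),
    Asset("mail-gw", 1, date(2004, 7, 20),
          [Finding("CHK-001", "critical", date(2004, 7, 5)),
           Finding("CHK-002", "medium", date(2004, 6, 1))]),
    Asset("file-srv", 1, date(2004, 7, 28),
          [Finding("CHK-003", "critical", date(2004, 7, 20))]),
]

if __name__ == "__main__":
    stale, breaches, queue = review(SAMPLE_ASSETS, TODAY)
    print("retest overdue:", stale)
    print("21-day breaches:", breaches)
    print("patch order:", queue)
    print("exposure by class:", exposure_by_class(SAMPLE_ASSETS))
```

Tracking the output of `exposure_by_class` from scan to scan gives the trend that the second practice treats as the measure of a patch and configuration control program.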

Tools Recommended for Scanning and Patching:

SCANNER: Sunbelt Network Security Inspector (SNSI)


Security Update: 7 New Vulnerabilities Discovered

Sunbelt Network Security Inspector (SNSI) Version now scans for these new vulnerabilities. Three new Windows checks, bringing the total Windows checks to 2216:
W2214 - BrowserAid Detected
W2215 - WinSCP3 Long URI Handling Vulnerability
W2216 - Acrobat/Reader File Name Handling Vulnerability

Three new Linux checks, bringing the total Linux checks to 567:
L565 - PHP - memory_limit/strip_tags
L566 - Ethereal - Dissector Bugs - Fedora
L567 - Samba - SWAT administration service - Red Hat

One new Solaris check, bringing the total Solaris checks to 226:
S226 - Solaris Volume Manager (SVM) Panic - Solaris 9

In addition, there were improvements in the following vulnerability checks:
H64 - X font server
H68 - X font server
L551 - Apache patch
W1142 - Anti-Virus
W1986 - Anti-Virus
W1999 - Anti-Virus
W2067 - Anti-Virus

SNSI uses the latest Mitre Common Vulnerabilities and Exposures (CVE) list of computer incidents. It also contains the latest SANS/FBI top 20 vulnerability list. SNSI also uses the latest CERT, CIAC, Microsoft and FedCIRC (Department of Homeland Security) advisories.


This Week's Links We Like. Tips, Hints And Fun Stuff


What The MS Spell Checker Thinks Of WinXP RC2

Remember the article in last week's issue: WinXP SP2: Don't Tell Me I Did Not Warn You. Someone decided to forward it and sent the following copy to some co-workers: "CRN Test Lab guys downloaded RC2 and pretty much trashed (BSOD) three out of five test systems. I strongly suggest you tread lightly and TEST, TEST, TEST. Here are the ugly details with some suggestion on how to recover."

When he hit send, the MS spell checker decided that he should change "WinXP" to "wimp" and "RC2" to "cry". That makes it Product Of The Week! [grin]