Sunbelt W2Knews Electronic Newsletter
The secret of those "who always seem to know" - Over 500,000 Readers!
Mon, Sep 27, 2004 (Vol. 9, #38 - Issue #494)
Redmond Legitimizes Replication Market
This issue of W2Knews contains:
- EDITORS CORNER
- Redmond Legitimizes Replication Market
- "Hey, That Advance Security Data Is Pretty Useless"
- ADMIN TOOLBOX
- Admin Tools We Think You Shouldn't Be Without
- TECH BRIEFING
- Redmond Announces Data Protection Server (DPS)
- Thousands Of Zombies Created Daily
- Microsoft Exchange Server Best Practices Analyzer Tool
- NT/2000 RELATED NEWS
- Whoa Nellie! You Mean I Need XP To Be Secure With IE?
- NT/2000 THIRD PARTY NEWS
- SNSI: 3207 Holes Scanned, Plus The New Scary JPEG One
- Agents in Patch Management? It's A Choice
- W2Knews 'FAVE' LINKS
- This Week's Links We Like. Tips, Hints And Fun Stuff
- PRODUCT OF THE WEEK
- Last Chance: Sunbelt Security Pack - September Only
SPONSOR: Hop on the Appliance Bandwagon
Software filters like Websense and SurfControl can't give you the
ease of use and low maintenance that you'll get from iPrism, the
leading Internet filtering appliance. Whether you are switching
to an appliance or choosing one from the start, iPrism's low cost
and powerful features are the perfect fit for any network. Switch
to iPrism today and you can qualify for an extra year of Web
filtering at no cost! Try out 5 Free Web Tools today.
Visit Hop on the Appliance Bandwagon for more information.
Redmond Legitimizes Replication Market
There is some good news from Redmond. I have said for years that
disk-to-disk replication is a good thing. They finally woke up
and announced their new Data Protection Server (DPS). I have more
detail in the Tech Briefing on this, especially on what it does
and does not do.
"Hey, That Advance Security Data Is Pretty Useless"
OK, the headline is firmly tongue-in-cheek but the actual data
that companies get is a pre-notice of what type of patches will
be released. I looked into that MS advance notification program
a little more. They did in fact pilot a program for offering
advance warning about how many patches, what platform (IE, OS,
Office, etc.), and how severe (critical, important, etc.).
However, that program has been extended to ALL customers who sign
an NDA, and also some people that have a BIG support contract
get these alerts. Details about vulnerabilities are still withheld
from everyone until the actual scheduled release of the monthly
security bulletins. If you maintain hundreds of Windows servers
it is useful information to know 4-5 days in advance and
schedule site outages and updates. But some people consider it
nothing more than a reminder that the second Tuesday of the
month is "Bulletin Day", and nothing else.
Andrew Baker of NTSYSADMIN-list fame said: "In general, there
are those who feel that everyone must be made aware of every
security issue immediately, and that full disclosure is the
only way to survive. I will simply say that my own personal
philosophy is that Timely, Responsible Security Disclosure is
in everyone's best interest, but that disclosing the details
of every single vulnerability to everyone, serves against the
greater good. What I *do* wish Microsoft would do, to some
degree, is that after a patch has been available for at least
a month, and the fixes therein have been deemed to cause little
conflict with most environments, I think it would be in their
best interest to provide at that time, a more detailed technical
document on the vulnerability -- even if as a paid service --
so that it would allow admins to get a better idea of the scope
of the issue. But it must be done well after availability
and notification of the patch."
Redmond, anyone listening?
Quote of the Week:
"I don't know what I want but I want two of
them here by Friday" -- Stan Johnson, VP Ops Rogers Cablesystems
(email me with feedback: [email protected])
Admin Tools We Think You Shouldn't Be Without
Redmond Announces Data Protection Server (DPS)
OK, someone in Redmond has finally seen that continuous data
protection is a good thing. Of course I have been saying this
for years now. The announcement of DPS legitimizes this market
and gives a signal to system admins that you should seriously
consider protecting your data via continuous disk-based backup.
Redmond said DPS is scheduled for the second half of 2005.
Looking at their 'slideware' track record that is a year from
now, and the beta is closed so only a few people get to really
play with it. It also solves another problem with tape backup:
the restore process is cumbersome and often fails.
DPS is designed to simplify and reduce the backup and recovery
process. Technically it does not provide a lot of features, and
addresses the low-end 'HA' (high-availability) spectrum. DPS
does not do disaster recovery via off-site replication, does not
do failover, and doesn't support specific HA for apps like
Exchange and SQL.
What it will provide is:
- Rapid and reliable recovery through use of disk-based backup
of files stored on W2K, W2K3 and Windows Storage Server 2003.
- Continuous real-time data backup, shortening backup windows.
- Integration with tape through a (planned) backup interface.
It does all that on the foundation of a policy-driven engine and
agents on your production servers that replicate any deltas to
the DPS server, which then makes so-called 'point-in-time' snapshots.
You can restore from any of these snapshots. You can tell the
policy engine how frequently you want to replicate and how many
snapshots you want to keep at hand. They claim the whole process
is not going to cause any performance degradation. The idea is
to keep a few months of snapshots on disk, and save older data
off to tape.
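To make the replicate-deltas-then-snapshot flow concrete, here is an added Python model of it (hypothetical code, not DPS itself; the file names, intervals and policy values are all constructed). It shows why a delta-updated live replica alone cannot undo a deletion, while a retained point-in-time snapshot can, and how older snapshots age out to tape.

```python
from collections import deque

class DpsServer:
    """Hypothetical model (not Microsoft's code) of the DPS flow described above:
    agents push deltas, the server takes point-in-time snapshots on a policy
    schedule, keeps a bounded number on disk and ages older ones out to tape."""

    def __init__(self, replicate_every, keep_on_disk):
        self.replicate_every = replicate_every  # policy: seconds between snapshots
        self.keep_on_disk = keep_on_disk        # policy: snapshots kept on disk
        self.live = {}             # replica of the protected server, delta-updated
        self.snapshots = deque()   # (time, frozen copy), oldest on the left
        self.tape = []             # snapshots that aged out of disk retention
        self.last_snapshot = None

    def receive_delta(self, path, content):
        """Agent sends only what changed; content=None means the file was deleted.
        The live replica alone cannot undo this, which is why snapshots exist."""
        if content is None:
            self.live.pop(path, None)
        else:
            self.live[path] = content

    def tick(self, now):
        """Policy engine: take a snapshot once the replication interval has elapsed."""
        if self.last_snapshot is None or now - self.last_snapshot >= self.replicate_every:
            self.snapshots.append((now, dict(self.live)))
            self.last_snapshot = now
            while len(self.snapshots) > self.keep_on_disk:
                self.tape.append(self.snapshots.popleft())  # save older data off to tape

    def restore(self, path, at):
        """Point-in-time restore: the file as of the newest snapshot at or before 'at'."""
        for when, files in list(reversed(self.snapshots)) + list(reversed(self.tape)):
            if when <= at:
                return files.get(path)
        return None

def demo():
    """Constructed scenario: hourly replication, three snapshots kept on disk."""
    dps = DpsServer(replicate_every=3600, keep_on_disk=3)
    dps.receive_delta("payroll.xls", "v1"); dps.tick(0)
    dps.receive_delta("payroll.xls", "v2"); dps.tick(3600)     # user edit
    dps.receive_delta("payroll.xls", None); dps.tick(7200)     # accidental delete
    dps.receive_delta("notes.txt", "draft"); dps.tick(10800)   # snapshot 0 goes to tape
    return dps
```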
During setup, DPS does an autodiscovery of all your production
machines and will warn you when a new server is added that has
no DPS agent yet. Apart from 'whole system' recovery by admins,
it will support end-users restoring their own files via a few
self-service tools that will magically appear in WinXP and Office
More than 20 storage industry partners, including independent
software vendors that sell backup and recovery solutions,
announced their support for DPS. Hardware vendors are going
to be happy with this for sure as they will sell more servers.
Some of the low-end replication software vendors are going to
hurt. Companies like NSI (the developer of Double-Take) are going
to be very happy with DPS.
Why? Because Double-Take is going to add essential functionality
to DPS that you are going to 'need and want' once you have deployed
DPS. Having tens of thousands of DPS servers out there will broaden
the Double-Take market even further.
Bob Muglia, Senior Veep of the MS Windows Server Division said:
"Customers are telling us that backing up and recovering their
data is labor-intensive and complex. Exponential growth of
business-critical data and new government regulations are
increasing the cost and complexity of backup and recovery,
forcing companies to rethink their data protection planning.
Data Protection Server has garnered broad industry support
because it will help customers of all sizes shrink their recovery
time from hours to minutes and drive down the cost of maintaining
Don Beeler, CEO of NSI Software, said "Microsoft Data Protection
Server is a positive indicator for the data protection market.
Working strategically with Microsoft, NSI can extend the building
blocks of DPS to provide companies the highest levels of assurance
that their critical business data, systems and applications will
be protected and always available."
So, the combination of DPS and Double-Take provides a pretty
powerful "HA/DR cocktail":
- Off-Site Protection and Recovery of Microsoft DPS backups.
Most companies store their tape backups off-site. Double-Take
off-site replication can be used to provide an up-to-date
off-site copy of the data being protected by Microsoft DPS.
- Rapid recovery of applications and data in minutes or seconds.
For some data and applications, any restore time is too long.
You need immediate failover of mission critical applications. DPS
can address the need to recover data to a previous point in time,
but in the event of server or site failure, the automatic failover
capabilities of Double-Take enable a secondary server to stand
in, providing maximum availability to end users.
- Complete Recovery Architecture. The combination of DPS and
Double-Take allows you to easily scale your data recovery systems
beyond a single site, including protection of critical apps.
Used in conjunction with DPS, Double-Take can provide high-availability
failover and WAN-optimized, off-site data replication
for apps like Exchange, SQL and Oracle databases in addition to
maintaining an off-site copy of the local DPS server.
Our suggestion is to simply continue with your Double-Take plans,
and once DPS comes out, you can combine the two for an even stronger
High-Availability + Disaster Recovery architecture. More data on
DPS at the MS website:
More data on Double-Take:
Thousands Of Zombies Created Daily
Symantec apparently monitors the Net and can see how many PCs
are turned into zombies. Since 50% of the USA's households are
now on 'always-on' cable internet, the numbers are going up
It turns out that the rate at which PCs are getting hijacked
skyrocketed in the first half of 2004. A whopping 30,000 systems
per day were subverted into zombies, and that is 15 times more
than the 2000 per day in 2003.
Symantec claimed that building "botnets" (networks of zombies)
is a very lucrative business. Phishers and spammers pay good
money for botnets, which can also be used for all kinds of
other attacks like DDoS. Symantec's service development manager
Jeremy Ward told New Scientist (link below) that "What we're
seeing now is malware that is truly professional, you have
the ability to set up botnets for a number of money-making
Microsoft Exchange Server Best Practices Analyzer Tool
A lot of people are very enthusiastic about this tool, but keep
in mind that it is a "best practice according to MS" and thus
somewhat subjective. Having said that though, you should really
get this tool, you are going to love it as it is an excellent
free reporting tool and one of the best that MS has put out.
It looks like a good idea to run the tool on a workstation (or server)
and make sure that machine is correctly hooked up to Active Directory
and your Exchange Server(s). It is not advisable to run it on the
Exchange machine itself, unless you absolutely have to. Some
suggestions do not make 100% sense, so you still need to use your
common sense and judgement. Here goes, go get it!!
NT/2000 RELATED NEWS
Whoa Nellie! You Mean I Need XP To Be Secure With IE?
News.com just broke a story that I think is a bit unbelievable.
But it just might be true. They reported that if you want to
get the latest hotfixes to IE you'd better upgrade to
XP. I'm quoting them here:
"Microsoft this week reiterated that it would keep the new
version of Microsoft's IE Web browser available only as part
of the recently released Windows XP operating system, Service
Pack 2." Microsoft seems to have stated: "We do not have
plans to deliver Windows XP SP2 enhancements for Windows 2000
or other older versions of Windows, the most secure version
of Windows today is Windows XP with SP2. We recommend that
customers upgrade to XP and SP2 as quickly as possible."
This does open the door to people checking out another browser,
like Mozilla Firefox. Its preview 1.0 release got a whopping
one million downloads in just four days last week. A lot of
people are getting concerned about viruses apparently. With
reason, as Symantec recently said they found 5,000 new Windows
viruses Jan thru June 2004, up from 1,000 in the first half
of 2003. Yikes.
If the news about these hotfixes is true, that looks like
a high price to pay to keep your browser secure. Could it be
that Redmond is showing "the stick" to encourage people to
upgrade to XP SP2? Better call your MS rep or reseller and
confirm this news, and I will try to find out more as well
THIRD PARTY NEWS
SNSI: 3207 Holes Scanned, Plus The New Scary JPEG One
SNSI looks at Windows, Linux, Unix, HP printers, Solaris, and
other devices like Cisco routers. There is a sizable, dedicated
team of security experts working full-time to update this database
that now contains 3207 potential vulnerabilities.
You REALLY SHOULD run SNSI, either standalone or together with
a tool like Retina and make sure that you find these holes. It
is CRUCIAL that you identify vulnerabilities in your networks,
and SNSI is a great solution at an unbelievable price. Here are
the new holes SNSI scans for. Just have a look at the third one,
SNSI even scans for the free MBSA scanner being outdated!!
W2247 - Office 2000 - Latest Service Pack Not Installed
W2248 - JPEG Processing (GDI+) Vulnerability - IE 6, SP1- MS04-028
W2249 - Microsoft Baseline Security Analyzer Outdated
W2246 - JPEG Processing (GDI+) .NET Framework - MS04-028
In addition, there were improvements in the following vulnerability
checks: W2243, and W2246
Keep in mind that SNSI also scans for the new scary JPEG hole,
and that an exploit for this was published this week. An example
of a working exploit means this will proliferate like mad. Any
website with a "poison JPEG" on it gets visited by your users,
and slam! you have a trojan on that user's machine. This is scary
and you really need to scan for and fix all code with this JPEG
hole. If you have XP SP 2 you are OK, everything older than that
can cause a potential security breach.
SNSI uses the latest Mitre Common Vulnerabilities and Exposures
(CVE) list and the latest SANS/FBI top 20 vulnerability list.
SNSI also uses the latest CERT, CIAC, Microsoft and FedCIRC
(Department of Homeland Security) advisories.
Get a 30-day eval here. You can scan one machine right away, and
get a key for a full 30-day eval that will scan your whole network.
Agents in Patch Management? It's A Choice
Some automated patching solutions offer a client agent architecture,
most do not. There are arguments for both approaches, with many
admins choosing agentless programs as they feel they offer more
control and can be a considerable improvement over manual patching.
However, on large enterprise networks, the advantages of an optional
agent architecture are difficult to ignore:
- Agents make it easy to reach remote or unconnected machines,
a capability that is difficult if not impossible without an
- Resource management such as throttling bandwidth is difficult
without a distributed model using agents.
- Only the security services provided by the OS are available
if you do not have an agent on the target system (e.g.,
encryption of transferred data).
- Secured collaboration of management tasks cannot be distributed
without some agent-based architecture.
- Some systems have been hardened to prevent remote management.
An agent using a secured and dedicated communications method
will minimize risk and offer a remote management option.
These are all excellent arguments for using agents as part of
your patch management process. However, there may be situations
where you don't want to use them, situations where you might
want more control over patching your machines but want to avoid
the inconvenience of manually patching.
There is one patch management solution that provides both
options. UpdateEXPERT makes the client agent optional and
allows you to install agents on managed machines only when
required. UpdateEXPERT uses RPC (Remote Procedure Call) to
manage machines without client agents and, using encrypted
TCP/IP, employs an agent to control the use of bandwidth and
balance the load among other tasks.
With very little risk to systems and software, UpdateEXPERT
gives IT administrators the best of both agent and agentless
patch management approaches.
This Week's Links We Like. Tips, Hints And Fun Stuff
PRODUCT OF THE WEEK
Last Chance: Sunbelt Security Pack - September Only
This is a special you do not want to miss out on. Sunbelt bundled
three security tools and you basically only pay for one. The
retail value is $3,237.50. But the cost now is $1,868.75 and
that even includes one year of maintenance. You'll be surprised
by the tools you find in this pack. Check it out here. It's
only available during September 2004 though, so be quick.