Sunbelt W2Knews™ Electronic Newsletter
The secret of those "who always seem to know" - Over 500,000 Readers!
Mon, Sep 27, 2004 (Vol. 9, #38 - Issue #494)
Redmond Legitimizes Replication Market
  This issue of W2Knews™ contains:
    • Redmond Legitimizes Replication Market
    • "Hey, That Advance Security Data Is Pretty Useless"
    • Admin Tools We Think You Shouldn't Be Without
    • Redmond Announces Data Protection Server (DPS)
    • Thousands Of Zombies Created Daily
    • Microsoft Exchange Server Best Practices Analyzer Tool
    • Whoa Nellie! You Mean I Need XP To Be Secure With IE?
    • SNSI: 3207 Holes Scanned, Plus The New Scary JPEG One
    • Agents in Patch Management? It's A Choice
  W2Knews 'FAVE' LINKS
    • This Week's Links We Like. Tips, Hints And Fun Stuff
    • Last Chance: Sunbelt Security Pack - September Only
  SPONSOR: Hop on the Appliance Bandwagon
Software filters like Websense and SurfControl can't give you the ease of use and low maintenance that you'll get from iPrism, the leading Internet filtering appliance. Whether you are switching to an appliance or choosing one from the start, iPrism's low cost and powerful features are the perfect fit for any network. Switch to iPrism today and you can qualify for an extra year of Web filtering at no cost! Try out 5 Free Web Tools today.
Visit Hop on the Appliance Bandwagon for more information.

Redmond Legitimizes Replication Market

There is some good news from Redmond. I have said for years that disk-to-disk replication is a good thing. They finally woke up and announced their new Data Protection Server (DPS). I have more detail in the Tech Briefing on this, especially on what it does and does not do.

"Hey, That Advance Security Data Is Pretty Useless"

OK, the headline is firmly tongue-in-cheek but the actual data that companies get is a pre-notice of what type of patches will be released. I checked in to that MS advance notification program a little more. They did in fact pilot a program for offering advance warning about how many patches, what platform (IE, OS, Office, etc.), and how severe (critical, important, etc.).

However, that program has been extended to ALL customers who sign an NDA, and some people with a BIG support contract also get these alerts. Details about vulnerabilities are still withheld from everyone until the actual scheduled release of the monthly security bulletins. If you maintain hundreds of Windows servers, it is useful to know 4-5 days in advance so you can schedule site outages and updates. But some people consider it nothing more than a reminder that the second Tuesday of the month is "Bulletin Day".

Andrew Baker of NTSYSADMIN-list fame said: "In general, there are those who feel that everyone must be made aware of every security issue immediately, and that full disclosure is the only way to survive. I will simply say that my own personal philosophy is that Timely, Responsible Security Disclosure is in everyone's best interest, but that disclosing the details of every single vulnerability to everyone, serves against the greater good. What I *do* wish Microsoft would do, to some degree, is that after a patch has been available for at least a month, and the fixes therein have been deemed to cause little conflict with most environments, I think it would be in their best interest to provide at that time, a more detailed technical document on the vulnerability -- even if as a paid service -- so that it would allow admins to get a better idea of the scope of the issue. But it must be done well after availability and notification of the patch."

Redmond, anyone listening?

Quote of the Week:
"I don't know what I want but I want two of them here by Friday" -- Stan Johnson, VP Ops Rogers Cablesystems

Warm regards,
Stu Sjouwerman (email me with feedback: [email protected])


Admin Tools We Think You Shouldn't Be Without


Redmond Announces Data Protection Server (DPS)

OK, someone in Redmond has finally seen that continuous data protection is a good thing. Of course I have been saying this for years now. The announcement of DPS legitimizes this market and gives a signal to system admins that you should seriously consider protecting your data via continuous disk-based backup. Redmond said DPS is scheduled for the second half of 2005. Looking at their 'slideware' track record that is a year from now, and the beta is closed so only a few people get to really play with it. It also addresses another problem with tape backup: the restore process is cumbersome and often fails.

DPS is designed to simplify and reduce the backup and recovery process. Technically it does not provide a lot of features, and addresses the low-end 'HA' (high-availability) spectrum. DPS does not do disaster recovery via off-site replication, does not do failover, and doesn't support specific HA for apps like Exchange and SQL.

What it will provide is:

  1. Rapid and reliable recovery through use of disk-based backup of files stored on W2K, W2K3 and Windows Storage Server 2003.
  2. Continuous real-time data backup, shortening backup windows.
  3. Integration with tape through a (planned) backup interface.
It does all that on the foundation of a policy-driven engine and agents on your production servers that replicate any deltas to the DPS server, which then makes so-called 'point-in-time' snapshots. You can restore from any of these snapshots. You can tell the policy engine how frequently you want to replicate and how many snapshots you want to keep at hand. They claim the whole process is not going to cause any performance degradation. The idea is to keep a few months of snapshots on disk, and save older data off to tape.
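To make the mechanism concrete, here is an added toy model (written for this page; it is not Microsoft's DPS code and the class names Agent, SnapshotServer and Delta are hypothetical). An agent ships only the files that changed since its last delta, the server applies them to a replica, takes a point-in-time snapshot on a policy-defined schedule, prunes the oldest snapshots beyond the configured retention (those would be the ones you spool off to tape), and can restore the file state of any retained snapshot.

```python
"""Toy model of agent-based delta replication with point-in-time snapshots.

Added example, not DPS code. All names are hypothetical; sample files are
constructed inline.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Delta:
    """Change set shipped by an agent: changed files and deleted paths."""
    changed: Dict[str, bytes] = field(default_factory=dict)
    deleted: List[str] = field(default_factory=list)


class Agent:
    """Runs on a production server and remembers what the DPS server already holds."""

    def __init__(self, files: Dict[str, bytes]):
        self.files = dict(files)            # current contents on the production server
        self.last_sent: Dict[str, bytes] = {}   # view the DPS server has so far

    def delta(self) -> Delta:
        # Only ship files whose content differs from what was last replicated
        changed = {p: c for p, c in self.files.items() if self.last_sent.get(p) != c}
        deleted = [p for p in self.last_sent if p not in self.files]
        self.last_sent = dict(self.files)
        return Delta(changed, deleted)


class SnapshotServer:
    """Applies deltas to a replica and keeps up to `retain` point-in-time snapshots."""

    def __init__(self, retain: int, snapshot_every: int):
        self.retain = retain
        self.snapshot_every = snapshot_every      # policy: snapshot every N deltas
        self.replica: Dict[str, bytes] = {}
        self.snapshots: Dict[int, Dict[str, bytes]] = {}  # snapshot id -> file state
        self._deltas_applied = 0
        self._next_id = 1

    def apply(self, d: Delta) -> Optional[int]:
        """Apply one delta; return the id of a snapshot if the policy took one."""
        self.replica.update(d.changed)
        for p in d.deleted:
            self.replica.pop(p, None)
        self._deltas_applied += 1
        if self._deltas_applied % self.snapshot_every == 0:
            return self._snapshot()
        return None

    def _snapshot(self) -> int:
        sid = self._next_id
        self._next_id += 1
        self.snapshots[sid] = dict(self.replica)   # frozen copy = point in time
        # Retention policy: drop the oldest snapshots beyond `retain`
        while len(self.snapshots) > self.retain:
            del self.snapshots[min(self.snapshots)]
        return sid

    def restore(self, sid: int) -> Dict[str, bytes]:
        """Return the complete file state recorded in snapshot `sid`."""
        if sid not in self.snapshots:
            raise KeyError(f"snapshot {sid} not retained (expired or never taken)")
        return dict(self.snapshots[sid])


def demo():
    """Three replication rounds with retain=2: the first snapshot gets pruned."""
    agent = Agent({"a.txt": b"v1", "b.txt": b"v1"})   # constructed sample data
    srv = SnapshotServer(retain=2, snapshot_every=1)
    ids = [srv.apply(agent.delta())]        # snapshot 1: a=v1, b=v1
    agent.files["a.txt"] = b"v2"
    ids.append(srv.apply(agent.delta()))    # snapshot 2: a=v2, b=v1 (only a.txt shipped)
    del agent.files["b.txt"]
    ids.append(srv.apply(agent.delta()))    # snapshot 3: a=v2; snapshot 1 pruned
    return srv, ids


if __name__ == "__main__":
    server, snapshot_ids = demo()
    print("retained snapshots:", sorted(server.snapshots))
    print("restore 2:", server.restore(2))
```

The retention loop is where the "keep N snapshots at hand" policy lives; in a real deployment the pruned snapshot would be written to tape before being dropped, and the restore path would need to handle a request for a snapshot that has already aged out of disk.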

During setup, DPS does an autodiscovery of all your production machines and will warn you when a new server is added that has no DPS agent yet. Apart from 'whole system' recovery by admins, it will support end-users restoring their own files via a few self-service tools that will magically appear in WinXP and Office 2003.

More than 20 storage industry partners, including independent software vendors that sell backup and recovery solutions, announced their support for DPS. Hardware vendors are going to be happy with this for sure as they will sell more servers. Some of the low-end replication software vendors are going to hurt. Companies like NSI (the developer of Double-Take) are going to be very happy with DPS.

Why? Because Double-Take is going to add essential functionality to DPS that you are going to 'need and want' once you have deployed DPS. Having tens of thousands of DPS servers out there will broaden the Double-Take market even further.

Bob Muglia, Senior Veep of the MS Windows Server Division said: "Customers are telling us that backing up and recovering their data is labor-intensive and complex. Exponential growth of business-critical data and new government regulations are increasing the cost and complexity of backup and recovery, forcing companies to rethink their data protection planning. Data Protection Server has garnered broad industry support because it will help customers of all sizes shrink their recovery time from hours to minutes and drive down the cost of maintaining storage infrastructures."

Don Beeler, CEO of NSI Software, said "Microsoft Data Protection Server is a positive indicator for the data protection market. Working strategically with Microsoft, NSI can extend the building blocks of DPS to provide companies the highest levels of assurance that their critical business data, systems and applications will be protected and always available."

So, the combination of DPS and Double-Take provides a pretty powerful "HA/DR cocktail":

  1. Off-Site Protection and Recovery of Microsoft DPS backups. Most companies store their tape backups off-site. Double-Take off-site replication can be used to provide an up-to-date off-site copy of the data being protected by Microsoft DPS.
  2. Rapid recovery of applications and data in minutes or seconds. For some data and applications, any restore time is too long. You need immediate failover of mission critical applications. DPS can address the need to recover data to a previous point in time, but in the event of server or site failure, the automatic failover capabilities of Double-Take enable a secondary server to stand in, providing maximum availability to end users.
  3. Complete Recovery Architecture. The combination of DPS and Double-Take allows you to easily scale your data recovery systems beyond a single site, including protection of critical apps. Used in conjunction with DPS, Double-Take can provide high-availability failover and WAN-optimized, off-site data replication for apps like Exchange, SQL and Oracle databases in addition to maintaining an off-site copy of the local DPS server.
Our suggestion is to simply continue with your Double-Take plans, and once DPS comes out, you can combine the two for an even stronger High-Availability + Disaster Recovery architecture. More data on DPS at the MS website:

More data on Double-Take:

Thousands Of Zombies Created Daily

Symantec apparently monitors the Net and can see how many PCs are turned into zombies. Since 50% of the USA's households are now on 'always-on' cable internet, the numbers are going up rapidly.

It turns out that the rate at which PCs are getting hijacked skyrocketed in the first half of 2004. A whopping 30,000 systems per day were subverted into zombies, and that is 15 times more than the 2,000 per day in 2003.

Symantec claimed that building "botnets" (networks of zombies) is a very lucrative business. Phishers and spammers pay good money for botnets, which can also be used for all kinds of other attacks like DDoS. Symantec's service development manager Jeremy Ward told New Scientist (link below) that "What we're seeing now is malware that is truly professional, you have the ability to set up botnets for a number of money-making schemes."

Microsoft Exchange Server Best Practices Analyzer Tool

A lot of people are very enthusiastic about this tool, but keep in mind that it is a "best practice according to MS" and thus somewhat subjective. Having said that though, you should really get this tool, you are going to love it as it is an excellent free reporting tool and one of the best that MS has put out.

It looks like a good idea to run the tool on a workstation (or server) and make sure that machine is correctly hooked up to Active Directory and your Exchange Server(s). It is not recommended to run it on the Exchange machine itself, unless you absolutely have to. Some suggestions do not make 100% sense, so you still need to use your common sense and judgement. Here goes, go get it!!


Whoa Nellie! You Mean I Need XP To Be Secure With IE?

News.com just broke a story that I think is a bit unbelievable. But it just might be true. They reported that if you want to get the latest hotfixes to IE you'd better upgrade to XP. I'm quoting them here:

"Microsoft this week reiterated that it would keep the new version of Microsoft's IE Web browser available only as part of the recently released Windows XP operating system, Service Pack 2." Microsoft seems to have stated: "We do not have plans to deliver Windows XP SP2 enhancements for Windows 2000 or other older versions of Windows, the most secure version of Windows today is Windows XP with SP2. We recommend that customers upgrade to XP and SP2 as quickly as possible."

This does open the door to people checking out another browser, like Mozilla Firefox. Its 1.0 preview release got a whopping one million downloads in just four days last week. A lot of people are getting concerned about viruses apparently. With reason, as Symantec recently said they found 5,000 new Windows viruses Jan thru June 2004, up from 1,000 in the first half of 2003. Yikes.

If the news that these hotfixes are XP-only is true, that looks like a high price to pay to keep your browser secure. Could it be that Redmond is showing "the stick" to encourage people to upgrade to XP SP2? Better call your MS-rep or reseller and confirm this news, and I will try to find out more as well this week.


SNSI: 3207 Holes Scanned, Plus The New Scary JPEG One

SNSI looks at Windows, Linux, Unix, HP printers, Solaris, and other devices like Cisco routers. There is a sizable, dedicated team of security experts working full-time to update this database that now contains 3207 potential vulnerabilities.

You REALLY SHOULD run SNSI, either standalone or together with a tool like Retina and make sure that you find these holes. It is CRUCIAL that you identify vulnerabilities in your networks, and SNSI is a great solution at an unbelievable price. Here are the new holes SNSI scans for. Just have a look at the third one, SNSI even scans for the free MBSA scanner being outdated!!

W2247 - Office 2000 - Latest Service Pack Not Installed
W2248 - JPEG Processing (GDI+) Vulnerability - IE 6, SP1- MS04-028
W2249 - Microsoft Baseline Security Analyzer Outdated
W2246 - JPEG Processing (GDI+) .NET Framework - MS04-028

In addition, there were improvements in the following vulnerability checks: W2243 and W2246.

Keep in mind that SNSI also scans for the new scary JPEG hole, and that an exploit for this was published this week. A published working exploit means this will proliferate like mad. Any website with a "poison JPEG" on it gets visited by your users, and slam! you have a trojan on that user's machine. This is scary and you really need to scan for and patch all software affected by this JPEG hole. If you have XP SP2 you are OK; everything older than that is potentially exposed.
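SNSI tells you which machines still carry the vulnerable GDI+ code; a second, complementary check is to look at the images themselves before they reach a user. The following added example (written for this page, not SNSI's or Microsoft's code) walks the marker segments of a JPEG and flags structurally invalid ones: a declared segment length below 2 (the length field counts itself, so anything smaller is invalid by the JPEG spec, and an undersized COM segment is exactly what MS04-028 concerned) and segments that run past the end of the file. The sample files are constructed inline and contain only headers, since the structural walk stops at the start of the image data.

```python
"""Structural JPEG segment validator (added example; not SNSI or Microsoft code).

Flags marker segments whose declared length is below 2 or which overrun the
file. Suitable as a sanity check at a proxy or mail gateway; a non-empty
finding list is grounds to quarantine the file for a closer look.
"""
from typing import List, Optional

SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE
# Markers that carry no length field: SOI, EOI, TEM and RST0..RST7
STANDALONE = {SOI, EOI, 0x01} | set(range(0xD0, 0xD8))


def validate_jpeg(data: bytes) -> List[str]:
    """Return a list of findings; an empty list means the segment layout is sane."""
    findings: List[str] = []
    if data[:2] != b"\xff\xd8":
        return ["missing SOI marker"]
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            findings.append(f"expected marker at offset {pos}, got 0x{data[pos]:02x}")
            break
        while pos < len(data) and data[pos] == 0xFF:   # 0xFF fill bytes may precede a marker
            pos += 1
        if pos >= len(data):
            findings.append("file ends inside a marker")
            break
        marker = data[pos]
        pos += 1
        if marker in STANDALONE:
            if marker == EOI:
                return findings
            continue
        if pos + 2 > len(data):
            findings.append(f"marker 0x{marker:02x} truncated before its length field")
            break
        length = int.from_bytes(data[pos:pos + 2], "big")   # includes the 2 length bytes
        if length < 2:
            findings.append(f"marker 0x{marker:02x} at offset {pos - 2}: declared length {length} < 2")
            break
        if pos + length > len(data):
            findings.append(f"marker 0x{marker:02x}: length {length} runs past end of file")
            break
        pos += length
        if marker == SOS:
            return findings        # entropy-coded image data follows; structural walk ends
    else:
        findings.append("missing EOI marker")
    return findings


def _segment(marker: int, payload: bytes, declared_length: Optional[int] = None) -> bytes:
    """Build one marker segment; `declared_length` lets a test lie about the size."""
    length = len(payload) + 2 if declared_length is None else declared_length
    return bytes([0xFF, marker]) + length.to_bytes(2, "big") + payload


# Constructed samples (headers only; no pixel data needed for the structural walk)
APP0 = _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
GOOD_JPEG = b"\xff\xd8" + APP0 + _segment(COM, b"hello") + b"\xff\xd9"
BAD_COM_JPEG = b"\xff\xd8" + APP0 + _segment(COM, b"hello", declared_length=1) + b"\xff\xd9"
TRUNCATED_JPEG = b"\xff\xd8" + _segment(0xE0, b"JFIF\x00", declared_length=200)
NO_EOI_JPEG = b"\xff\xd8" + APP0


if __name__ == "__main__":
    for name, sample in [("good", GOOD_JPEG), ("bad COM", BAD_COM_JPEG),
                         ("truncated", TRUNCATED_JPEG), ("no EOI", NO_EOI_JPEG)]:
        print(f"{name:10s}: {validate_jpeg(sample) or 'OK'}")
```

The check is deliberately generic: it does not try to reproduce GDI+ behaviour, it rejects anything that is not a well-formed sequence of segments, which also catches truncated uploads and other malformed files that a lenient decoder might otherwise process.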

SNSI uses the latest Mitre Common Vulnerabilities and Exposures (CVE) list of computer incidents. It contains the latest SANS/FBI top 20 vulnerability list. SNSI also uses the latest CERT, CIAC, Microsoft and FedCIRC (Department of Homeland Security) advisories. Get a 30-day eval here. You can scan one machine right away, and get a key for a full 30-day eval that will scan your whole network.

Agents in Patch Management? It's A Choice

Some automated patching solutions offer a client-agent architecture; most do not. There are arguments for both approaches, with many admins choosing agentless programs as they feel these offer more control and can be a considerable improvement over manual patching.

However, on large enterprise networks, the advantages of an optional agent architecture are difficult to ignore:

  • Agents make it easy to reach remote or unconnected machines, a capability that is difficult if not impossible without an agent.
  • Resource management such as throttling bandwidth is difficult without a distributed model using agents.
  • Without an agent on the target system, only the security services provided by the OS are available (e.g., for encryption of transferred data).
  • Secured collaboration of management tasks cannot be distributed without some agent-based architecture.
  • Some systems have been hardened to prevent remote management. An agent using a secured and dedicated communications method will minimize risk and offer a remote management option.
These are all excellent arguments for using agents as part of your patch management process. However, there may be situations where you don't want to use them, situations where you might want more control over patching your machines but want to avoid the inconvenience of manually patching.

There is one patch management solution that provides both options. UpdateEXPERT makes the client agent optional and allows you to install agents on managed machines only when required. UpdateEXPERT uses RPC (Remote Procedure Call) to manage machines without client agents and, using encrypted TCP/IP, employs an agent to control the use of bandwidth and balance the load among other tasks.

With very little risk to systems and software, UpdateEXPERT gives IT administrators the best of both agent and agentless patch management approaches.


This Week's Links We Like. Tips, Hints And Fun Stuff


Last Chance: Sunbelt Security Pack - September Only

This is a special you do not want to lose out on. Sunbelt bundled three security tools and you basically only pay for one. The retail value is $3,237.50. But the cost now is $1,868.75 and that even includes one year maintenance. You'll be surprised with the tools you find in this pack. Check it out here. It's just available during September 2004 though, so be quick.