Vol. 16, #47 - November 28, 2011 - Issue #856

Hot and Heavy Passwords

  1. Editor's Corner    
    • Hot & Heavy Passwords
  2. Admin Toolbox
    • Admin Tools We Think You Shouldn't Be Without
  3. Webinars & Seminars
    • VIPRE Antivirus Business Product Demonstration - 12/6, 12/13
    • Free Desktop Virtualization Seminar
  4. Tech Briefing
    • Microsoft Slashes Upgrade Times For Windows 8 
    • Security Experts Dispute Google's Attitude Toward Android Malware 
    • Celebrating The Birthplace Of The Internet In Pictures
    • Security Manager's Journal: Why Would A Company Not Spring For Cadillac Security?
  5. Windows Server News
    • Narrow Down Your Cloud Tool Choices 
    • Which Virtualization Technology Are You Thankful For?
    • Client Hypervisor Guide
  6. Third Party News
    • VIPRE Business Service Release 1 Beta 2
  7. WServerNews FAVE Links
    • This Week's Links We Like. Tips, Hints And Fun Stuff.
  8. WServerNews - Product of the Week
    • Free SAN Monitor Allows you to Monitor Dell®, IBM®, & Sun® StorageTek™ Storage Arrays


Editor's Corner

Hot & Heavy Passwords

Wow, I got a whole ton of feedback about this problem. There are many angles and pitfalls to consider, and I will quote a few of you who wrote back, edited for brevity as this seems to be a hotter topic than I first imagined. If you were not quoted, that just means someone else also mentioned this. Thanks very much everyone for your feedback!

---

William Ferry: "Want a single password? Have Microsoft Office? Place all your passwords in an encrypted Excel file. End of this so-called problem."

---

Mark Aggleton: "Often it's not the IT department's fault. In AD we use standard AD policies (3 out of the 4 - upper/lower/numeric/special) however we've fallen foul on that one as the iSeries (ex-AS/400) isn't case aware." (Editor's note: different flavors of Unix also have different rule sets regarding this, causing login problems.)

---

Tony Gore: "How many people have noticed that the standard Administrator account is no longer used in Win7 / WinServer 08? Wondered why? Well if "administrator" is known to exist on every system, then you only have to crack the password. However, if the name of the administrator account is not known (assuming that you don't give it too obvious a name) then having to crack both a user name for administrator AND a password is an awful lot more difficult.

"Standardising on password rules does have some other downsides - the more and stricter the rules and the more widespread, the easier it is to develop a cracking program because there are fewer permutations and more needs to be known about a specific system.

"What would be better would be to have a standardised, cheap and universal form of token login e.g. a secure USB memory stick, SD card or smartcard. Having to possess a physical token in order to log on makes fraud and hacking a lot, lot harder."

---

Frank Powell: "I use a password safe program that stores all my logins in a file that is encrypted with a strong key. I've devised a key that is easy for me to remember but would be difficult to guess or figure out using password guessing algorithms. For individual logins it can generate a nonsense password for each login. Basically it provides a secure way to "write down" passwords. I store the file on a USB drive so, in a way, I have a multi-factor authentication scheme. So I agree that the poster has identified a real issue. But I think the solution he proposes would create some significant exposures."

---

Mark Eldridge: "Long time reader, first time responder. This is not an either/or question. There is another answer - always having your password information in a highly encrypted but readily available format. I don't mean to address future possibilities of high tech answers - challenge devices etc... My comments are for what I want TODAY and what is easy to do TODAY."

---

Scott Wilkins: "I read your piece on the multiple login problems. I totally disagree with the challenge based login resolution. This is even more insecure, and MUCH more problematic for IT support than more simple login methods. The very FIRST thing to fix is the incorrect notion that passwords need to be changed often. A 90 day password will result in users writing them down, or using rolling passwords. A good strong password kept for as long as the user wants is much more secure and less work on IT support than a 90 day password. Personally I recommend changing only 1 time a year."

---

Grover Howard: "The CAT (Cellular Authentication Token) provides a number of methods for generating OTP (One Time Passwords) in the same manner as the PayPal dongle. The easiest is a program living on your cell phone; to operate the CAT you must enter your PIN or Password for that program, then you select the site and User ID you want to access. The CAT generates an OTP which the user applies with his user ID (and if desired a conventional password) to login. This means one CAT can provide OTPs for many sites all from a single user carried device. To me this is a very practical and cost effective means of authentication with a very low user setup cost (virtually $0.00), low site implementation costs and very low operating costs."

---

As you can see, there are a multitude of different situations, needs, and configurations that require different solutions. I'd like to mention a few password management products that could potentially be a solution for your environment:

Warm regards,
Stu Sjouwerman


 

Quote of the Week

"Be faithful to that which exists nowhere but in yourself -- and thus make yourself indispensable." -- Andre Gide

"Time flies like an arrow; fruit flies like a banana." -- attributed to Groucho Marx

Warm regards, and thank you for being a WServerNews subscriber. No trees were killed in the sending of this message, but a large number of electrons were terribly inconvenienced. Please tell your friends about us. They can subscribe here:
http://www.wservernews.com/go/1307096257843

Stu Sjouwerman
email me: [email protected]

 

Admin Toolbox

Admin Tools We Think You Shouldn't Be Without

Insider. Outsider. With Centrify's detailed recordings of privileged user sessions, you've got a better way to see if outsourced IT staff are acting like insiders or outsiders. View Demo:
http://www.wservernews.com/go/1322482592143

Tired of your Active Directory management tools? Centralize and simplify all Windows and AD management without scripting.
http://www.wservernews.com/go/1322482658320

Identify which users, applications, and protocols are consuming the most network bandwidth with Orion NetFlow Traffic Analyzer.
http://www.wservernews.com/go/1322482781556

Windows Performance Analysis Tools (WPT) Kit contains performance analysis tools that are new to the Windows SDK for Windows Server 2008 and .NET 3.5.
http://www.wservernews.com/go/1322310296750

Free Service: Email Exposure Check. Find out which addresses of your organization are exposed on the Internet and are a phish-attack target.
http://www.wservernews.com/go/1322310315312

 

Webinars & Seminars

VIPRE Antivirus Business Product Demonstration - 12/6, 12/13

Looking for a security solution that doesn't slow you down? VIPRE Antivirus Business combines antivirus and anti-spyware technologies into one powerful security solution for total protection with low resource usage. New VIPRE features include scalable multisite tiering and role-based access control. Join us as we demonstrate the many features of VIPRE Antivirus Business.

Register today!

Dec 6 at 2pm ET
http://www.wservernews.com/go/1322310351453

Dec 13 at 11am ET
http://www.wservernews.com/go/1322310369812

Free Desktop Virtualization Seminar

In this complimentary seminar, independent expert and desktop virtualization guru Brian Madden will update you on where the desktop virtualization market is in 2011, focusing on what's real and what's not. Spend just a few hours out of the office to take advantage of a live Q&A, peer networking opportunities and tons of valuable information.

Register today!
http://www.wservernews.com/go/1322310413437

 

Tech Briefing

Microsoft Slashes Upgrade Times For Windows 8

Microsoft claimed yesterday that users will be able to complete a Windows 8 upgrade much faster, in some cases in one-tenth the time it took similarly configured PCs to upgrade to Windows 7. The time savings quickly accumulate the more files there are on the to-be-upgraded PC, said Christa St. Pierre, a member of Microsoft's Setup and Deployment team, in a long entry on the company's "Building Windows 8" blog. According to St. Pierre, a clean install -- where all files and data are wiped from the drive prior to installing Windows 8 -- should wrap up in 21 minutes, 35% less time than the 32 minutes Microsoft said it takes Windows 7 to do the same.

Computerworld had the story:
http://www.wservernews.com/go/1322310477109

Security Experts Dispute Google's Attitude Toward Android Malware

There is a bit of a controversy going on with Android.

Antivirus experts disagree with Chris DiBona, Google's open-source programs manager, who recently said that there is no virus problem on the Android platform and that companies selling anti-malware software for mobile operating systems are "charlatans."

"Yes, virus companies are playing on your fears to try to sell you bs protection software for Android, RIM and IOS," DiBona said in a post on Google+. "They are charlatans and scammers. If you work for a company selling virus protection for Android, RIM or IOS you should be ashamed of yourself," he added. According to DiBona, none of the major smartphone operating systems has a virus problem that is similar to what the Windows and Mac ecosystems experience.

Wow, them's fightin' words! Here is the article, as the AV Vendors obviously have their own perspective on this:
http://www.wservernews.com/go/1322310575296

Celebrating The Birthplace Of The Internet In Pictures

Nov. 21 marks the 42nd anniversary of the first permanent Advanced Research Projects Agency Network (ARPANET) link between UCLA's Interface Message Processor (IMP) and the IMP at the Stanford Research Institute. By Dec. 5, 1969, the original four-node ARPANET environment was set up. History notes this network as the world's first operational packet switching network and the core of what is today's Internet. UCLA recently opened the Kleinrock Internet Heritage Site and Archive in honor of the ARPANET project's overseer Professor Leonard Kleinrock, to preserve and celebrate the birthplace of the Internet. The first message between the nodes was sent by Kleinrock on Oct. 29, 1969.

Slideshow at NetworkWorld:
http://www.wservernews.com/go/1322310665625

Security Manager's Journal: Why Would A Company Not Spring For Cadillac Security?

I thought this was a very interesting article in ComputerWorld that might help you get budget for security tools:

"Cadillac or Kia? How much security is enough, and how much is too much? Can you even have too much security? In a performance review several years ago, I was criticized for proposing "Cadillac" solutions to security challenges like patching, security event management and endpoint security compliance -- "Cadillac" being code for "too expensive." It was surreal to hear my striving for excellence put in a negative light. I think what was said in that performance review all those years ago distills a basic conflict between information security and the company it seeks to protect. So, is seeking perfection in security a luxury or a necessity? I continue to be urged to consider it the former, and I continue to see that as folly."
http://www.wservernews.com/go/1322310803921

 

Windows Server News

Narrow Down Your Cloud Tool Choices

Most enterprises know the major cloud computing solutions providers, but several lesser-known players are making their mark. With all the providers on the market, choosing the best fit for your organization's needs can be a daunting task. Check out this expert tip for help narrowing down your choices: (RR)
http://www.wservernews.com/go/1322310877093

Which Virtualization Technology Are You Thankful For?

As server virtualization technology matures, new features open up different possibilities. In this exclusive article, our experts explain what new features they're most thankful for and why: (RR)
http://www.wservernews.com/go/1322310931265

Client Hypervisor Guide

Client hypervisors provide a way to virtualize desktops without the drawbacks of VDI. Through this guide, learn about client hypervisor technologies, use cases and related news: (RR)
http://www.wservernews.com/go/1322310970015

 

Third Party News

VIPRE Business Service Release 1 Beta 2

GFI Software is very pleased to announce the availability of Service Release 1 (SR1) - Beta 2 for VIPRE Business and VIPRE Business Premium 5.0.

This beta release applies exclusively to the management console, and is currently available for download. The version number for SR1 - Beta 2 is 5.0.4943.

We have included several bug fixes and improvements in this beta that are designed to improve the overall function, performance and usability of the management console.

Improvements:

  • Introduced the ability to migrate between a Microsoft SQL database and the native database in version 5.0 (and vice-versa), including the ability to transfer all data.
  • Improved the agent installation process to allow deployment on endpoints that already have a VIPRE consumer (home) product installed, without requiring the consumer product to be manually uninstalled first.
  • Restored ability for customers using multiple databases on version 4.0 to retain this functionality upon upgrading to version 5.0.
  • Improved email notifications and quarantine data for anti-phishing alerts (VIPRE Business Premium only) to now include the blocked URL.

Bug Fixes:

  • Corrected a bug that could cause a non-default Data Repository path to not be retained during upgrade.
  • Corrected a bug that caused scheduled reports to not be emailed if using a MS SQL database.
  • Corrected a bug that caused the Agent Installation Port setting to revert to port 80 upon upgrade if the default value was previously modified.
  • Corrected a bug that could cause an unhandled exception error when creating scheduled reports.
  • Corrected a minor bug that could cause an unhandled exception while viewing multiple sites.
  • Corrected a bug that resulted in the policy GUID being displayed instead of the policy name under certain grouping conditions.
  • Corrected a bug where the bypass registration key status (closed networks only) may not be retained during upgrades.
  • Corrected a bug that could prevent registration keys from being applied on non-English Windows language locales.

Beta Download and Support Information:

Complete details on how to obtain this beta and receive support can be found via http://www.wservernews.com/go/1322311113156 in the "Release Statement" forum.

 

WServerNews FAVE Links

This Week's Links We Like. Tips, Hints And Fun Stuff

 

WServerNews - Product of the Week

Free SAN Monitor Allows you to Monitor Dell®, IBM®, & Sun® StorageTek™ Storage Arrays

SolarWinds' free SAN Monitor tool gives you at-a-glance insight into storage performance & capacity with a slick desktop dashboard that lets you view top LUNs by size, busiest LUNs, & most under-utilized LUNs. You can also drill down into LUN inventory details including: LUN size, physical disks, RAID type, total IOPS, IO response time and more. Download and try it out for yourself. It's free.
Download Now.