Windows & .NET Magazine UPDATE—brought to you by Windows & .NET Magazine, the leading publication for IT professionals deploying Windows and related technologies.
THIS ISSUE SPONSORED BY
Windows Powered NAS Web Seminar
SPONSOR: GET THE LATEST ABERDEEN SECURITY REPORT
Aberdeen Group's latest Identity Management research paper explores high impact technologies that improve Security, Productivity, and Deliver a three month ROI. This featured technology, which offers integrated support across all major OS and Application Platforms, can be installed in less than one day. Download your copy of this white paper today to learn more about Aberdeen's research on this exciting new security technology:
February 4, 2003—In this issue:
- Trustworthy Computing: One Year Later
2. HOT OFF THE PRESS
- Microsoft Releases MDAC 2.7 SP1
3. KEEPING UP WITH WIN2K AND NT
- Post-SP3 FRS Update Polishes Performance
- First 2003 Security Hotfix
- Don't Miss Our 2 New Security Web Seminars in March!
- Join the HP & Microsoft Network Storage Solutions Road Show!
5. HOT RELEASES (ADVERTISEMENTS)
- Slash FAX Charges 20-80% (FREE TRIAL & ROI)
- Update AD from HR and Win a Free Digital Camera!
6. INSTANT POLL
- Results of Previous Poll: Exchange's Antispam Solution
- New Instant Poll: Trustworthy Computing
- Featured Thread: How to Move Local Accounts from NT to Win2K
- Tip: Prevent Users from Importing or Exporting IE Favorites
8. NEW AND IMPROVED
- Make Your Windows Applications Run Faster
- Conduct Virtual Presentations in Realtime
- Submit Top Product Ideas
9. CONTACT US
- See this section for a list of ways to contact us.
(contributed by Paul Thurrott, News Editor, firstname.lastname@example.org)
Almost exactly 1 year after Microsoft announced a sweeping internal initiative called Trustworthy Computing aimed at rearchitecting all its products with an emphasis on security before features, the company was stung by the SQL Slammer worm, which attacked Microsoft SQL Server 2000 machines and temporarily brought down about 20 percent of the Internet. Leading security experts seized this event as proof that Trustworthy Computing is more fiction than reality. One expert, the well-respected security guru and founder of NTBugtraq Russ Cooper, even gave Microsoft a grade of "F" for its security efforts. No offense to Cooper, but give me a break. Microsoft's Trustworthy Computing initiative has already provided real benefits to its users. And the biggest benefits are right around the corner, in the new products Microsoft has on deck, including Windows Server 2003.
I'll assume you're at least partially familiar with SQL Slammer (if not, you can read about it at http://www.wininformant.com/articles/index.cfm?articleid=37817). Despite the fact that Microsoft began issuing fixes for the bug that this worm exploits last summer, many administrators (including some within Microsoft) neglected to install the fixes, which opened their servers up to Denial of Service (DoS) attacks. Microsoft also included the fix in SQL Server 2000 Service Pack 3 (SP3), which the company released the week before the worm wreaked havoc. Since the worm hit, Microsoft has addressed the key complaint about the bug's previous fixes, which were hard to install.
Reaction to SQL Slammer invariably targeted Microsoft, which I find confusing. In this sound-bite-friendly world, summing up complex thoughts in a simple sentence is convenient. Cooper's comments about Trustworthy Computing in the wake of SQL Slammer do little justice to the progress that Microsoft has made in the past year. "I gave \[Trustworthy Computing\] a 'D-minus' at the beginning of the year, and now I'd give it an 'F'," Cooper said, in a quote that made its way from Reuters to CNN to virtually every technology-oriented news agency on the planet.
That's a shame, because during the past year, Microsoft has improved the security of its products as well as the ways in which it responds to security problems. Windows XP, now running on more than 90 million PCs worldwide, includes an Auto Update feature that automatically downloads and, optionally, installs critical security updates. This feature is so important that the company back-ported it to Windows 2000. This feature, combined with Microsoft's support for secure wireless networking in XP SP1, is one of the key reasons why XP is such a secure OS. But developers didn't initially design XP with security in mind, and not until the Longhorn release—due in late 2004—will we have a desktop OS that benefits from deep architectural improvements.
On the server, however, Windows 2003—shipping April 24, 2003—will initiate a series of important Microsoft releases, all of which benefit deeply from Trustworthy Computing. Visual Studio .NET 2003, Microsoft Exchange Server 2003 (formerly code-named Titanium), Microsoft Office 11, and SQL Server 2003 (code-named Yukon) will all ship within the next 12 months, along with a host of other products that ship locked-down out of the box, with security-adverse features turned off. In Windows 2003, Microsoft has completely rewritten Microsoft Internet Information Services (IIS) 6.0, but IIS's most important new aspects are that the product is no longer installed by default, won't install silently if you install another feature that requires the program, and installs locked-down, with dangerous services disabled. As you turn on features in IIS, the product warns you about the security ramifications.
The security changes in Windows 2003 are legion. The product supports 802.11x secure wireless technologies, an encrypted offline files database, a new Group Policy Management Console (GPMC) for modeling policy changes before implementing them, and an excellent Software Restriction Policies (SRP) feature that lets administrators specify which applications users can and can't run; SRP also helps fight Trojan horses and viruses, but it requires XP on the client. Windows 2003 will also provide a secure platform for future server products, including a Digital Rights Management (DRM) server, a federated identity server code-named Trustbridge, and the long-awaited Microsoft .NET My Services (formerly code-named Hailstorm) server.
Microsoft will detail security improvements in other products, such as Office 11 and Exchange 2003, as those products come closer to release. But in the year since Microsoft announced Trustworthy Computing, the company has done much to secure its current products while working to rearchitect its upcoming products to support pervasive security features out of the box. To be honest, I'm not sure that we could ask more from the company in this area.
Finally, one aspect of Trustworthy Computing that few people have applauded is the wide range of security vulnerabilities that never occurred. Thanks to sweeping code reviews of all its core products, Microsoft has squashed many thousands of bugs, including the common buffer-overrun errors that had so often compromised its products in the past. Had the company not temporarily halted development early last year to perform a security review, we likely would have seen a much higher number of vulnerabilities during the past 12 months. Rather than damn the company for its mistakes, we might consider applauding its admittedly silent victories. For systems as widely used as those Microsoft creates, things could be a lot worse. And 2003 will be a pivotal year for the company.
So am I a Microsoft apologist? No, not really. But I find the one-sided reports about the company's security failings tiring.
More on Transmeta's Crusoe
A few readers took exception with my comments about Transmeta's Crusoe processor in last week's "Laptop of the Month" review, although I understand the point behind this product—ultra mobility at the expense of performance—I feel that the current-generation Crusoe is underpowered for Tablet PCs. Hewlett-Packard's (HP's) Compaq Tablet PC TC1000, which is the only Tablet PC of the five I've used so far to feature a Crusoe chip, has trouble keeping up with handwriting, which is obviously a crucial feature of the Tablet PC. However, I had an extensive briefing with Transmeta a few weeks ago at the 2003 International Consumer Electronics Show (CES), and I think the company is poised for success in markets other than the ultra-mobile notebooks that dominate in the Far East. I'll have more on the company's plans in Windows & .NET Magazine UPDATE when appropriate.
SPONSOR: WINDOWS POWERED NAS WEB SEMINAR
NEW WEB SEMINAR: AN INTRODUCTION TO WINDOWS POWERED NAS
Would you like to find out how to consolidate your Windows NT file servers while reducing costs? Or, do you need to formulate a solid disaster recovery plan? Mark Smith, a former MIS manager and founder of Windows & .NET Magazine, will illustrate how Windows Powered NAS can help you address these issues and more—without impacting day-to day business. Register today at:
2. HOT OFF THE PRESS
(contributed by Paul Thurrott, email@example.com)
Microsoft announced the availability of Microsoft Data Access Components (MDAC) 2.7 Service Pack 1 (SP1). This new release includes the same data access core components as Windows XP SP1, but doesn't include Microsoft Jet, the Microsoft Jet OLE DB Provider, the Desktop Database Drivers ODBC Driver, or the Visual FoxPro ODBC Driver. For more information, visit the following URL:
3. KEEPING UP WITH WIN2K AND NT
(contributed by Paula Sharick, firstname.lastname@example.org)
It's time for another File Replication Service (FRS) performance boost. Microsoft released a standalone FRS update before the release of Windows 2000 Service Pack 3 (SP3) and bundled the update in SP3. Last week, the company issued a post-SP3 FRS tune-up that addresses several inefficiencies in the original replication model. Of the eight code fixes in the release, most eliminate processing delays or failures that occur when downstream partners process out-of-sequence change requests that modify the contents of the replication directory. To read a summary of the key changes in the FRS update, visit the following URL:
WEB-EXCLUSIVE ARTICLES: The following item is posted on the Windows & .NET Magazine Web site. For the complete story, use the following link and scroll to the appropriate article.
The first security hotfix of 2003 eliminates a buffer-overflow condition that a malicious user can exploit to run code of the attacker's choice.
(brought to you by Windows & .NET Magazine and its partners)
Windows & .NET Magazine has two new Web seminars to help you address your security concerns. There is no fee to attend "Selling the Importance of Security: 5 Ways to Get Your Manager's Attention" and "Building an Ultra Secure Extranet on a Shoe String," but space is limited, so register today!
Now is the time to start thinking of storage as a strategic weapon in your IT arsenal. Come to our 10-city Network Storage Solutions Road Show, and learn how existing and future storage solutions can save your company money—and make your job easier! There is no fee for this event, but space is limited. Register now!
5. HOT RELEASES (ADVERTISEMENTS)
FAX business-critical information 20-80% faster with popular network fax server. Boost delivery times while dramatically decreasing long distance costs. FREE 30-Day Evaluation Fax Server Software, Whitepaper and Personalized ROI!
Update Exchange from HR, LDAP or any database. Synchronize your GAL with employee information using Directory Transformation Manager (DTM) a simple and affordable tool from Imanami. Evaluate 30 days – Chance to win Camera!
6. INSTANT POLL
The voting has closed in Windows & .NET Magazine's nonscientific Instant Poll for the question, "If you don't find Exchange Server 2003's antispam solution is adequate, will you use another messaging program?" Here are the results from the 124 votes:
- 45% No, other solutions aren't adequate either
- 18% Yes, we need a robust solution
- 10% I don't know
- 27% We don't use Exchange
(Deviations from 100 percent are due to rounding error.)
The next Instant Poll question is, "Do you think that Microsoft's Trustworthy Computing initiative has benefited the company's customers?" Go to the Windows & .NET Magazine home page and submit your vote for a) Yes, b) No, or c) Too soon to tell.
This user is looking for a utility that will help move the local accounts on a Windows NT 4.0 standalone workgroup server to a Windows 2000 Advance Server machine. The new server will be on a new hardware platform and will assume the responsibilities of the old workgroup server. If you can help, join the discussion at the following URL:
(contributed by John Savill, http://www.windows2000faq.com)
Q. How can I prevent users from importing or exporting their Microsoft Internet Explorer (IE) Favorites?
A. By default, users can use the File, "Import and Export" menu option in IE to import and export their IE Favorites. You can disable this
functionality by performing the following steps:
- Start a registry editor (e.g., regedit.exe).
- Navigate to the HKEY_CURRENT_USER\Software\Policies\Microsoft registry subkey.
- Specify a local device (LPT1), and configure the new printer.
- If the Internet Explorer subkey doesn't exist, create it (from the Edit menu, select New, Key and type Internet Explorer), then navigate to that subkey.
- From the Edit menu, select New, DWORD Value.
- Enter the name DisableImportExportFavorites, then press Enter.
- Double-click the new value, set it to 1, then click OK.
The change takes effect immediately. Users will still be able to run the Import and Export Wizard, but when they click Finish, the wizard will inform them that it's been disabled.
8. NEW AND IMPROVED
(contributed by Carolyn Mader, email@example.com)
PC Mesh released Defrag for Windows, software that can make your Windows applications run faster by defragmenting the fragmented files. The software shuts down running processes, disables and removes the paging file, runs the Windows Scandisk utility, runs the Defrag for Windows Defrag utility, restarts the running processes, enables paging file, and restarts or shuts down the PC. Defrag for Windows runs on Windows XP, Windows 2000, Windows Me, and Windows 98 systems. For pricing, contact PC Mesh at firstname.lastname@example.org.
SiteScape announced Forum eMeeting, a Web conferencing add-on to SiteScape Enterprise Forum 7.0. The combination of SiteScape Enterprise Forum and Forum eMeeting lets users host realtime meetings and capture all meeting information for further collaboration. Forum eMeeting lets you conduct Web meetings, virtual presentations, and white boardings with mark up and features application sharing and voice and video over IP capabilities. You only need a PC and Web browser to begin meeting online. Users can link online meetings to threaded discussions entries, documents, tasks, workflows, and forum and Microsoft Outlook calendars.
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Do you know of a terrific product that others should know about? Tell us! We want to write about the product in a future Windows & .NET Magazine What's Hot column. Send your product suggestions to email@example.com.
9. CONTACT US
Here's how to reach us with your comments and questions:
- ABOUT THE COMMENTARY — firstname.lastname@example.org
- ABOUT KEEPING UP WITH WIN2K AND NT — email@example.com
- ABOUT THE NEWSLETTER IN GENERAL — firstname.lastname@example.org
(please mention the newsletter name in the subject line)
- TECHNICAL QUESTIONS — http://www.winnetmag.net/forums
- PRODUCT NEWS — email@example.com
- QUESTIONS ABOUT YOUR Windows & .NET Magazine UPDATE SUBSCRIPTION?
Customer Support — firstname.lastname@example.org
- WANT TO SPONSOR Windows & .NET Magazine UPDATE?
This email newsletter is brought to you by Windows & .NET Magazine, the leading publication for Windows professionals who want to learn more and perform better. Subscribe today.
Receive the latest information about the Windows and .NET topics of your choice. Subscribe to our other FREE email newsletters.