Windows & .NET Magazine UPDATE—brought to you by Windows & .NET Magazine, the leading publication for IT professionals deploying Windows and related technologies.
THIS ISSUE SPONSORED BY
Real Time Monitoring is a Security Requirement
SPONSOR: REAL TIME MONITORING IS A SECURITY REQUIREMENT
A proactive IT Manager installed TNT Software's ELM Enterprise Manager 3.0 on his critical servers to assess the benefits of real time monitoring. A week later, EEM 3.0 paged him as a disgruntled employee was attempting to access confidential personal files. Within minutes, the hacker was escorted off company property. Use ELM Enterprise Manager 3.0 to monitor the health and status of your systems, protect your intellectual property, and prevent avoidable downtime. EEM 3.0 is affordable and simple to license. To see How the First-to-Know Stay Ahead(tm) download your FREE 30-day evaluation copy at:
September 17, 2002—In this issue:
- A Look at Windows .NET Server Security
2. HOT OFF THE PRESS
- Surprise: Microsoft's Java Implementation Is Full of Security Holes
3. KEEPING UP WITH WIN2K AND NT
- The Latest IE Cumulative Update
- Building Your Own WindowsUpdate Server
- Mark Minasi and Paul Thurrott Are Bringing Their Security Expertise to You!
- Real-World Tips and Solutions Here for You
5. HOT RELEASES (ADVERTISEMENTS)
- Free Download - Solve PC Problems 70% Faster!
- GWI Software – IT Help Desk Solutions
6. INSIDE WINDOWS SCRIPTING SOLUTIONS
- October 2002 Issue
- Automatic VBScript-to-WSF Translation
7. INSTANT POLL
- Results of Previous Poll: UNIX Version
- New Instant Poll: DNS Service
- Tip: Removing Access to a Program Using the "Set Program Access and Defaults" Feature
9. NEW AND IMPROVED
- Monitor Network Communications
- Keep Accurate Hardware and Software Inventory
10. CONTACT US
- See this section for a list of ways to contact us.
(contributed by Paul Thurrott, News Editor, firstname.lastname@example.org)
As part of a continuing look at the more intriguing new features in Windows .NET Server (Win.NET Server) 2003, I want to examine some of the OS's security improvements. The timing for such improvements is crucial: As I write this, Microsoft has issued 48 security bulletins this year and is on track to beat last year's record 60 bulletins. What a wonderful accomplishment.
Microsoft halted Win.NET Server 2003 development, as well as Windows XP Service Pack 1—SP1—and Windows 2000 SP3 development, for 10 to 12 weeks in early 2002 so that developers could scour the source code for potential security vulnerabilities. The source-code sweep was part of the company's Trustworthy Computing initiative, which grew out of Microsoft Group Vice President Jim Allchin's reaction to the embarrassing late-2001 Universal Plug and Play (UPnP) vulnerability in XP. The company finally grasped the notion that it wasn't developing product security from the ground up, but was simply adding security to products as it would add any other feature. The end result was a patchwork of code that was often easy to compromise.
With the Trustworthy Computing initiative, Microsoft has changed its approach: Now developers will engineer every product for security first, and if they need to cut or hide features to maintain product security, so be it. The first major software release that will embrace this new (for Microsoft) philosophy is Win.NET Server 2003.
Win.NET Server 2003 is, at heart, an upgraded version of Win2K Server, so how much true architectural work developers did to improve security is unclear. At a Win.NET Server 2003 technical reviewer's workshop earlier this summer, Microsoft Corporate Vice President of Windows .NET Server 2003 Management Bill Veghte provided a nifty sound bite: "Win.NET Server is secure by design, by default, and in deployment." If only everything I write about could be summed up so succinctly.
Secure by Design
At its heart, Win.NET Server 2003 uses a standards-based security model with technologies such as Kerberos authentication and public key infrastructure (PKI), IP Security (IPSec), and an intriguing new smart card-usage model that I think many administrators will adopt. Under this model, administrators log on with user-level accounts, swipe a smart card, and enter an associated password to access management tools and other high-privileged services and applications. Smart.
Win.NET Server 2003 also includes the new Secure Windows Update (aka AutoUpdate), which lets you download and install crucial software updates without any user interaction. This feature is even more important on servers than it is with interactive desktop systems such as XP.
And, of course, Win.NET Server 2003 includes the .NET Common Language Runtime (CLR), a run-time environment with stricter security rules than the underlying OS. We'll have to see whether this feature will drive enterprises in search of better security to .NET.
Secure by Default
Win.NET Server 2003 significantly reduces the default "attack surface" by disabling Microsoft Internet Information Services (IIS) and more than 20 other services that the OS used to install and enable by default. Other services, such as NetworkService and LocalService, now run with reduced privileges. And blank password-based attacks are no longer possible because Win.NET Server 2003 machines running with blank passwords can no longer provide network authentication. Frankly, I think the company should have bitten the bullet and not permitted blank passwords at all, but Microsoft told me that some environments demand this "feature."
If you choose to install IIS, the software defaults to running in a reduced functionality mode and can only serve static Web pages. When you turn on features such as the ability to serve dynamic Web pages using Active Server Pages (ASP) or ASP .NET, IIS will warn you about the ramifications of your decision.
Secure in Deployment
To reduce malicious code attacks, an exciting new feature called Software Restriction Policies (SRP) lets administrators specify which applications can and can't run on domain PCs. This change is important. You can specify that users can't install or launch certain applications, or you can simply provide a list of acceptable applications for locked-down desktops and specify that all other applications are off-limits.
Is It Really Secure?
Looking forward, the proof of whether Microsoft's work with Win.NET Server 2003 security has paid off will come in a year or so when we'll know how the OS has fared in the real world. If the past is any indication, Microsoft has a lot of work to do, and hackers will likely find a way around many of the security roadblocks that Microsoft erects. Is Win.NET Server 2003 more secure than Win2K Server? Absolutely. But whether Win.NET Server 2003 can meet the security challenges of the near future is a story for a distant day.
If you want to know more and live in or near New York City, Chicago, Denver, or San Francisco, you might be interested in our mid-October Windows Security RoadShow, where Mark Minasi and I will talk about Windows security. Mark's talk focuses on real-world security tips and tricks that will benefit enterprises today; I'll be discussing future security improvements in XP SP1, Win.NET Server 2003, and the nebulous and mysterious Palladium. For more information, check out the RoadShow Web site.
SPONSOR: UNIPRESS SOFTWARE
Speed customer support, improve workflow and reduce support costs with FootPrints. This award-winning, 100% web-based help desk & customer problem management software deploys in a day without any programming. Centralize and track all problems and requests, deliver customer self-service online, manage email, build group collaboration and automate IT asset discovery & tracking. FootPrints for Exchange provides integrated, direct access to corporate address books (Microsoft Exchange 5.5, Exchange 2000 and Active Directory). Register for a guided FootPrints walkthrough at
2. HOT OFF THE PRESS
(contributed by Paul Thurrott, email@example.com)
Jouko Pynnönen of Online Solutions in Finland discovered a series of severe security vulnerabilities in Microsoft's Java implementation. Some of the vulnerabilities let attackers run arbitrary code through Microsoft Internet Explorer (IE) and Outlook Express. According to a message posted to the NTBugTraq mailing list on September 9, Pynnönen discovered and reported to Microsoft as many as 10 such vulnerabilities during July and August. For the complete story, visit the following URL:
3. KEEPING UP WITH WIN2K AND NT
(contributed by Paula Sharick, firstname.lastname@example.org)
Microsoft has released four cumulative updates for Internet Explorer (IE) this year. After you install the February updates, the security patches cause IE to behave unexpectedly when you attempt to browse a Microsoft Word document, a Rich Text Format (.rtf) file, a Microsoft Excel spreadsheet, or a comma-separated file (.csv) on an internal or external Web server. Before opening the document, IE verifies that the content type in the Web page's header matches the document's filename. If the two match, IE displays the requested document; otherwise, IE prompts you to open or download the file. A bug in the shdocvwshdocvw.dll component of the February IE cumulative update incorrectly greys out the Open button when you attempt to browse .rtf or .csv files, but not .doc or .xls files. The Microsoft article "PRB: Open Button in Dialog Disabled When You Browse or Redirect to .rtf or .csv Files" at http://support.microsoft.com/default.aspx?scid=kb;en-us;q318761 describes two methods you can use to work around the greyed-out Open button. For more information about the fixes available with the latest IE update, visit the following URL:
With the advent of the Automatic Updates client in Windows 2000 Server Service Pack 3 (SP3), many administrators will want to manage security hotfixes and bug fixes internally. Paula Sharick offers instructions for installing and configuring your own WindowsUpdate server at the following URL:
(brought to you by Windows & .NET Magazine and its partners)
Windows & .NET Magazine Network RoadShow 2002 is coming this October to New York, Chicago, Denver, and San Francisco! Industry experts Mark Minasi and Paul Thurrott will show you how to shore up your system's security and what desktop security features are planned for Microsoft .NET and beyond. Sponsored by NetIQ, Microsoft, and Trend Micro. Registration is free, but space is limited so sign up now!
Early-bird discount for Windows & .NET Magazine LIVE! expires September 21! Register now, and you'll also receive access to sessions of concurrently run XML Web Services Connections. Choose from more than 70 sessions and save $1595. Discover why more than half of our attendees choose to attend only LIVE! events, which are chock-full of "been there, done that" knowledge from people who use Microsoft products in the real world. Register now at
5. HOT RELEASES (ADVERTISEMENT)
See why NetOp Remote Control, PC Magazine Editor's Choice, should be your remote support & management tool. Securely control PCs over the Internet, LANs, WANs, Wireless or modems. Great add-on for SMS too. Try it FREE!
The first help desk solution written expressly for the .NET platform. c.Support provides a full set of features for managing calls, users, knowledge, assets, and more. Product tour and special pricing at:
6. INSIDE WINDOWS SCRIPTING SOLUTIONS
Windows Scripting Solutions is a monthly, paid, print newsletter loaded with news and tips to help you manage, optimize, and secure your Web-enabled enterprise. NONSUBSCRIBERS can access all the newsletter content in the online article archive from the premiere issue of Windows Scripting Solutions (December 1998) through the print issue released 1 year ago.
In addition to receiving the monthly print newsletter, SUBSCRIBERS can access all the newsletter content, including the most recent issue, at the Windows Scripting Solutions Web site ( http://www.winscriptingsolutions.com ). Subscribe today and access all the 2002 issues online!
To access this issue of Windows Scripting Solutions, go to the following URL:
You might think learning WSH's .wsf format is more a hindrance than helpful. However, the more complex your scripts, the more you need this format. To flatten your learning curve, here's a tool that automatically translates existing code into .wsf files.
The following article is available for free to nonsubscribers for a limited time.
Here are some quick and effective script samples to introduce you to the WSF format, as well as a handy tool for automatically translating existing VBScript and JScript code into a .wsf file.
7. INSTANT POLL
The voting has closed in Windows & .NET Magazine's nonscientific Instant Poll for the question, "What version of UNIX (if any) does your organization use?" Here are the results (+/-2 percent) from the 218 votes:
- 17% AIX
- 11% HP-UX
- 32% Solaris
- 37% Linux
- 4% UnixWare
The next Instant Poll question is, "What DNS service does your company use?" Go to the Windows & .NET Magazine home page and submit your vote for a) Microsoft Windows 2000 DNS, b) Microsoft Windows NT 4.0 DNS, c) BIND DNS running on Win2K or NT 4.0, d) BIND DNS running on UNIX or Linux, or e) Other.
( contributed by John Savill, http://www.windows2000faq.com )
Microsoft's agreement with the US Department of Justice (DOJ) states that the company has to remove visibility of its components, not the actual application code. The "Set Program Access and Defaults" feature doesn't remove the application executables and resources—doing so would have caused additional problems because many Microsoft applications interoperate with other parts of the Windows OS.
9. NEW AND IMPROVED
(contributed by Carolyn Mader, email@example.com)
Linkuistics released Linkuistics Web Services Detective (LWSD), a developer tool to help you monitor network communications for development or diagnostic purposes. LWSD lets developers listen to and record the transactions on any nominated port and send the traffic to another nominated port while letting the developer view HTTP headers and data for every request and response. LWSD runs on Windows XP, Windows 2000, Windows NT, and Windows 98 systems and costs $99. Contact Linkuistics at firstname.lastname@example.org.
iInventory released iInventory 5.0, software that lets you keep a hardware inventory and monitor your company's software license compliance. You can use the software to analyze your hardware and software before you install a new OS, provide system data to your Help desk, and report asset information to your management team. iInventory collects BIOS data, CPU information, physical and logical drive data, device driver descriptions, I/O port data, and user logins. iInventory runs on Windows XP, Windows 2000, Windows NT, Windows Me, and Windows 9x systems and costs $220 for an 11-node license. Contact iInventory at email@example.com.
9. CONTACT US
Here's how to reach us with your comments and questions:
- ABOUT THE COMMENTARY — firstname.lastname@example.org
- ABOUT THE NEWSLETTER IN GENERAL — email@example.com
(please mention the newsletter name in the subject line)
- TECHNICAL QUESTIONS — http://www.winnetmag.net/forums
- PRODUCT NEWS — firstname.lastname@example.org
- QUESTIONS ABOUT YOUR Windows & .NET Magazine UPDATE SUBSCRIPTION?
Customer Support — email@example.com
- WANT TO SPONSOR Windows & .NET Magazine UPDATE?
This email newsletter is brought to you by Windows & .NET Magazine, the leading publication for Windows professionals who want to learn more and perform better. Subscribe today.
Receive the latest information about the Windows and .NET topics of your choice. Subscribe to our other FREE email newsletters.
Thank you for reading Windows & .NET Magazine UPDATE.