Windows & .NET Magazine UPDATE—brought to you by Windows & .NET Magazine, the leading publication for IT professionals deploying Windows and related technologies.
THIS ISSUE SPONSORED BY
Quest Software: FREE WINDOWS 2000/AD RESOURCES
Security Administrator Web Site
SPONSOR: QUEST SOFTWARE: FREE WINDOWS 2000/AD RESOURCES
Want expert advice and free tools to manage Windows 2000 and Active Directory? Visit Quest Software today for practical information that will help you get the most out of your Microsoft infrastructures!
View our video whitepaper on server consolidation and learn how to cut hardware costs. Download free technical resources like our eBook, "The Definitive Guide to Windows 2000 Administration." Concerned about Active Directory security? Don't change another setting until you have read the Compaq-Quest joint whitepaper on advanced AD security management!
With Quest Software, you can manage your Microsoft infrastructures with confidence—visit us today!
April 23, 2002—In this issue:
- Get Secure, Stay Secure
2. HOT OFF THE PRESS
- Mr. Gates Goes to Washington
3. KEEPING UP WITH WIN2K AND NT
- IIS Security Rollup for XP, Win2K, and NT
- Web-Exclusive Articles
- TCP/IP Blue Screen
- FRS Memory Leak
- Fax Service Access Violation
- Disabling Automatic Shortcut Repairs
- Find the Right Training Tool for You!
- Don't miss Windows & .NET Magazine LIVE!
5. HOT RELEASE (ADVERTISEMENTS)
- Free Testlab Guide! Put Aelita in Your Lab!
6. INSTANT POLL
- Results of Previous Poll: Email Client
- New Instant Poll: Releasing Source Code
- Featured Thread: Local Profiles for XP
- Tip: Plug and Play (PnP) Support for a Parallel Port
8. NEW AND IMPROVED
- Wise for Windows Installer Creates Reliable Installations
- WebCam Control Center 5.5 Gives You Total Webcam Control
9. CONTACT US
- See this section for a list of ways to contact us.
Not surprisingly, computer security has been the topic of this UPDATE commentary several times this year, and the recent release of the new Microsoft Baseline Security Analyzer (MBSA) has me thinking about security yet again. Whether you manage an entire enterprise, several workstations, or your broadband-connected home computer, security is more relevant now than ever before. Because greater minds than mine have studied and explained security concepts in detail elsewhere, I thought I'd provide a few pointers to information about the most recent security patches, updates, and information.
Microsoft Web Sites
Microsoft has a wealth of security-oriented content on its enormous Web site, although the information is spread across various areas of the site. Some of the better sources include the company's Security site and TechNet site.
Windows Update, Automatic Updates, and Office Product Updates
To help manage individual desktops, Microsoft offers several automated and manual product-updating tools, including Automatic Updates (Windows XP only), Windows Update (Windows 98 to present, http://www.windowsupdate.com), and Office Product Updates (Office 2000 and XP, http://office.microsoft.com/productupdates). These services are indispensable if you want your system to be as up to date as possible.
However, these services are less useful in medium-size to large organizations, where deploying product updates on individual desktops is difficult or impossible. Microsoft is working on various products to facilitate this process, and some of the configuration-management packages I've looked at recently have also automated this update capability. In the meantime, you can check out the beta version of Microsoft's Windows Update Corporate Site, which lets you preview an upcoming service for corporations. The Windows Update Corporate Site provides a comprehensive list of the product updates Microsoft has released for Windows 2000, Windows NT, Windows Me, and Win9x, including critical and security updates, management and deployment tools, service packs, and recommended updates and drivers. One of the best features is a package assembler, which lets you combine multiple updates into one package that you can deploy across your company. Windows Update Corporate isn't automated, but it does give you one place to search for all the product updates that the company has released in recent years.
Microsoft Security Toolkit
If you're looking for information specifically about securing your Windows environment, Microsoft has finally released its Security Toolkit, which the company promised last fall. The Microsoft Security Toolkit applies to Win2K Server, Win2K Advanced Server, Win2K Professional, NT 4.0 Server, NT 4.0 Workstation, and NT Server Terminal Server Edition. The toolkit includes best-practices data about securing Internet-connected Windows machines, high-severity security patches, and other tools and information. You can order the toolkit free of charge from the Microsoft Web site.
Microsoft Baseline Security Analyzer
A slightly more recent free security download is the MBSA, which provides an easy-to-use, XP-influenced UI. The MBSA checks your XP, Win2K, or NT machine for common security misconfigurations, such as weak or missing passwords, and can scan for security problems in Microsoft IIS 4.0 or greater and SQL Server 7.0 or greater. You can run the MBSA only on XP and Win2K machines, although you can check NT 4.0 machines remotely over a network.
Microsoft Windows 2000 Security Operations Guide
The Win2K Security Operations Guide is a 192-page document that provides a comprehensive, step-by-step approach to locking down Win2K systems while minimizing vulnerabilities and providing best practices for managing system patches, auditing, and intrusion detection. This must-read guide is available for free from the Microsoft Web site.
IIS Lockdown Wizard
Microsoft IIS administrators will want to look at the IIS Lockdown Wizard, which lets you secure IIS. Microsoft has updated this tool several times since its initial release, so make sure you have the most recent version, 2.1. This version adds server-role templates for IIS-dependent products such as Microsoft Exchange Server, Commerce Server, BizTalk Server, Small Business Server (SBS) 2000 and 4.5, SharePoint Portal Server, SharePoint Team Services, and FrontPage Server Extensions. The tool is integrated with the previously separate URLScan tool.
Windows & .NET Magazine
And last, Windows & .NET Magazine (publisher of this email newsletter) provides what I consider to be the best security-oriented publications: Security Administrator, a monthly print newsletter, and Security UPDATE, a weekly email newsletter. For information about subscribing, visit the Security Administrator Web site, where you'll also find useful and timely security-related information.
The Future of Windows Security
Future Windows versions will be more secure out of the box, thanks to Microsoft's sudden (but welcome) move to security awareness. In the meantime, Microsoft is churning out security information, fixes, and products that remove some of the burden from IT administrators and end users, and I hope you find this list of resources helpful. If you know about other valuable security tools, from Microsoft or other sources, please let me know so I can pass along that information to UPDATE readers.
Paul Thurrott, News Editor, [email protected]
SPONSOR: SECURITY ADMINISTRATOR WEB SITE
WINDOWS IT SECURITY NEWS, BULLETINS, AND MORE!
When you suspect a hack or virus attack, don't waste time surfing the Web. The Security Administrator Web site delivers news, articles, discussion forums, FAQs, and hotfixes (in one easy-to-navigate Web site), so you can mitigate the effects of today's disaster and prevent tomorrow's. Discover:
2. HOT OFF THE PRESS
(contributed by Paul Thurrott, [email protected])
The most eagerly awaited spectacle of the Microsoft remedy hearings will begin this week when Microsoft Chairman and Chief Software Architect Bill Gates takes the stand so that lawyers can cross-examine him about his previously recorded testimony. Gates has a big cross to bear; his embarrassing 1998 videotape testimony in the original Microsoft antitrust trial was responsible for removing any shred of credibility that the company might have held with the judge. But this time around, observers expect Microsoft's spiritual and intellectual business leader to perform in line with the public perception of the man who turned the PC industry into one of the world's largest industries. For the complete story, visit the following URL:
3. KEEPING UP WITH WIN2K AND NT
(contributed by Paula Sharick, [email protected])
On April 9, Microsoft released an extensive security rollup for Microsoft Internet Information Services versions 5.1 (Windows XP) and 5.0 (Windows 2000) and Internet Information Server 4.0 (NT). The update contains code fixes for eight new vulnerabilities, including three buffer overruns, one access violation, one potential Denial of Service (DoS) attack, and three cross-site scripting issues, as well as all previously released IIS security patches. You can read a detailed description of each vulnerability and its potential effects (severity level) in Security Bulletin MS02-018, "Patch Available for Cross-Site Scripting in IIS Help File Search Facility Vulnerability."
All three download files follow the hotfix naming convention q319733_
- TCP/IP Blue Screen
If you manage Web, email, or Internet Security and Acceleration (ISA) servers that consistently sustain high TCP/IP data rates, read about a bug in how the TCP/IP module performs under stress.
- FRS Memory Leak
Eliminate a newly discovered File Replication Service (FRS) memory leak by installing the FRS Post-Service Pack 2 (SP2).
- Fax Service Access Violation
A coding error in handling long printer names can cause a fax service buffer overrun that might cause the Spooler service to generate an access violation.
- Disabling Automatic Shortcut Repairs
When you relocate or remove the executable to which a shortcut points, Windows XP and Windows 2000 automatically attempt to resolve the shortcut, but locating the shortcut's object might take a long time. You can manually correct your shortcut link problems.
The Windows & .NET Magazine Training and Certification Interactive Product Guide is an online resource where you'll discover boot camps, test simulators, and other resources to help you get certified. Whether you're studying for your MCSE exams, trying to strengthen your resume, or just learning a new skill set, you'll definitely want to check this guide out!
Industry-leading magazines have joined to produce Windows & .NET Magazine LIVE! and SQL Server Magazine LIVE!. You get two events for the price of one with more than 100 sessions jam-packed with expert tips and techniques from Mark Minasi, Mark Russinovich, Sean Daily, Brian Moran, and Kalen Delaney. Register now before this event sells out!
5. HOT RELEASE (ADVERTISEMENT)
Experience greater administrative control and security of Active Directory and Exchange with Enterprise Directory Manager's Rules & Roles. Visit Aelita's website and receive a FREE guide for comparing our solutions to those of our competitors.
6. INSTANT POLL
The voting has closed in Windows & .NET Magazine's nonscientific Instant Poll for the question, "What email client do you use?" Here are the results (+/-2 percent) from the 649 votes:
- 68% Microsoft Outlook
- 12% Lotus Notes
- 6% Eudora
- 12% Other
The next Instant Poll question is, "Do you think forcing Microsoft to reveal its Internet Explorer (IE) and MSN Explorer source code would help competitors or consumers?" Go to the Windows & .NET Magazine home page and submit your vote for a) It will help competitors, b) It will help consumers, c) It will help both, d) It will help neither, or e) Don't know. http://www.winnetmag.com/magazine
Bill wants to know how to create a default user profile that will be used by all Windows XP Professional users. He doesn't want to copy the ntuser.dat file to the default profile because items often get lost in the shuffle. Can you help? Join the discussion at the following URL:
(contributed by John Savill, http://www.windows2000faq.com)
Q. How can I add Plug and Play (PnP) support for a parallel port in Windows XP and Windows 2000?
A. If your computer isn't detecting legacy devices (e.g., some early Zip drives) connected through the parallel port, you might want to enable PnP support for parallel ports. To enable PnP support, perform the following:
- Start the System Control Panel applet (go to Start, Settings, Control Panel, and click System).
- Select the Hardware tab.
- Click Device Manager.
- Expand the Ports (COM and LPT) section.
- Right-click the parallel port and select Properties.
- Select the Port Settings tab.
- Select the "Enable legacy Plug and Play detection" check box, and click OK.
- Restart the computer if prompted.
8. NEW AND IMPROVED
(contributed by Bob Kretschman, [email protected])
Wise Solutions announced the availability of Wise for Windows Installer 4.0, which features advancements that support every facet of Windows Installer technology. Wise for Windows Installer 4.0 creates reliable installations that support the latest technologies, including the Microsoft .NET Framework, MTS/COM+, and 64-bit installations. Step-by-step graphic cues use point-and-click directives to walk users through each process. For pricing and other product information, contact Wise Solutions at 734-456-2100 or 800-554-8565.
WebCam Control Center 5.5 can help you add a WebCam to your Web site or a security-monitoring system to your home. The software lets you program a camera to take pictures at specified intervals or when your system detects motion, and it can upload pictures automatically to a Web site or send the pictures through email. You can also use WebCam Control Center to make AVI movies with or without sound. WebCam Control Center--which runs on Windows XP, Windows 2000, Windows NT, Windows Me, and Win9x--costs $29.95. For more information, contact the program's publisher, Marc Schneider, at [email protected]
9. CONTACT US
Here's how to reach us with your comments and questions:
- ABOUT THE COMMENTARY — [email protected]
- ABOUT KEEPING UP WITH WIN2K AND NT — [email protected]
- ABOUT THE NEWSLETTER IN GENERAL — [email protected]
(please mention the newsletter name in the subject line)
- TECHNICAL QUESTIONS — http://www.winnetmag.net/forums
- PRODUCT NEWS — [email protected]
- QUESTIONS ABOUT YOUR Windows & .NET Magazine UPDATE SUBSCRIPTION?
Customer Support — [email protected]
- WANT TO SPONSOR DEVELOPER .NET UPDATE?