Windows & .NET Magazine UPDATE—brought to you by Windows & .NET Magazine, the leading publication for IT professionals deploying Windows and related technologies.
June 18, 2002—In this issue:
- Should Microsoft Be Held Liable for Defective Software?
2. HOT OFF THE PRESS
- Windows Users Threatened by IIS, IE, Messenger Flaws
3. KEEPING UP WITH WIN2K AND NT
- SQL Server 2000 SP2 Causes NAT Problems on RRAS Server
- Network Timeouts Slow Open/Save Operations
- Restored Domain Controller FRS Problems
- Encrypted Files and Password Changes
5. INSTANT POLL
- Results of Previous Poll: Upgrading to XP
- New Instant Poll: Defective Software Liability
- Featured Thread: XP to Remote NT 4.0 Server
- Tip: Windows .NET Server Kernel Version
7. NEW AND IMPROVED
- Detect the Warning Signs of Impending Disk Failure
- Monitor Important Elements of Your System
8. CONTACT US
- See this section for a list of ways to contact us.
(contributed by Paul Thurrott, News Editor, [email protected])
The vulnerability warnings come so often now that they don't even register as news. Microsoft, the largest software company, is probably responsible for more software vulnerabilities than any other company in the world. For example, just last week the company posted information about critical flaws in the Windows 2000 RAS component, Internet Explorer's (IE's) Gopher technology, and an older Web-related technology in SQL Server. This year, Microsoft announced its Trustworthy Computing initiative, and although the company seems earnest about tackling security head-on, few positive and concrete examples of real progress are available. And although we've been dealing with—and in many cases cursing—the steadily increasing number of problems with Microsoft's software, the company's customers have done little to address the problems.
Until now, that is. A vocal and growing minority of Microsoft's users is starting a call to action, and some have dollar signs in their eyes. Other customers with real buying power, such as various factions of the US government, are complaining directly to Microsoft and threatening to move to rival systems such as Linux if the company doesn't turn around its security woes.
The notion that Microsoft should be held accountable for insecure software isn't new, but a movement to hold the company financially liable for its insecure software is. Critics have often lambasted the software industry for its rarely challenged End User License Agreements (EULAs), which effectively protect vendors from responsibility when their software breaks down. "Today, Firestone can produce a tire with a systemic flaw and they're liable," Bruce Schneier, chief technology officer of network-monitoring firm Counterpane Internet Security, told Reuters recently. "But Microsoft can produce an operating system with multiple systemic flaws per week and not be liable."
That situation might soon change. Microsoft has almost $40 billion in liquid assets and is a ripe target for the sort of class action lawsuits that hobbled tire-maker Firestone and various tobacco companies in recent years.
Microsoft, of course, says that its products are more reliable than those in other industries when you factor in usage rates. "Society has benefited from high-volume, low-cost software and a rapidly evolving ecosystem," says Microsoft CTO Craig Mundie. "Microsoft can't control [the entire] process. If the printer driver tanks the system, who do you hold liable?"
We blame Microsoft, Craig. For example, consumer advocate Ralph Nader recently backed a plan that would let the US government use its market power to force Microsoft to fix its security problems or face losing lucrative government contracts. Nader revealed details of the plan just weeks after the Pentagon released a study that stated open source solutions such as Linux would save the government millions of dollars. But Nader's opinion is that the government's buying power could have more far-reaching effects than propping up Linux. "The Department of Justice is spending years in court trying to restrain very modest elements of Microsoft's monopoly abuses," Nader wrote in a letter to Mitchell Daniels, director of the US Office of Management and Budget (OMB). "There are serious problems with the Microsoft monopoly, including those associated with harm to innovation, security, and pricing. The federal government spends billions of dollars on software purchases from one company that is continually raising prices, making its products incompatible with previous versions in order to force upgrades, deliberately creating interoperability problems with would-be competitors, and is well known for engaging in many other anticompetitive practices. Would a business that was spending this much money be such a passive consumer?"
And Reuters reported this weekend that Air Force Chief Information Officer (CIO) John Gilligan has complained about security problems directly to Microsoft. "I'm spending more money patching and fixing than we did to buy [the software]," he said. "I can't afford to do this anymore."
Finally, here's an odd fact to consider. Just this week, I received several emails from readers who honestly don't want Microsoft's software reliability to improve; unstable, unreliable, and insecure software products virtually guarantee job security for a large portion of the IT world. If Microsoft's software were as easy to use and reliable as the company advertises, these IT personnel would be out of a job.
So should users hold Microsoft liable for the numerous software vulnerabilities that the company acknowledges week after week? The Trustworthy Computing initiative is one fairly damning factor in determining blame: The company's highest executives have admitted again and again that the company needs to do more to create secure and reliable software. That, combined with the seemingly never-ending supply of security bulletins and software patches, seems to suggest that the company, indeed, could do more to address security. I'm just not sure that Microsoft breaking out the checkbook is the answer.
Paul Thurrott, News Editor, [email protected]
2. HOT OFF THE PRESS
(contributed by Paul Thurrott, [email protected])
Microsoft has admitted to three serious new security vulnerabilities, one of which could let attackers seize control of Web sites utilizing Microsoft Internet Information Services (IIS), the company's Web server. Microsoft has issued a patch for this vulnerability, which affects the IIS versions in Windows 2000 and Windows NT, but not Windows XP. IIS currently runs more than one-third of all Web sites on the Internet, although it has a larger percentage of the market for corporate Web sites.
Two other vulnerabilities affect Microsoft Internet Explorer (IE) and MSN Messenger applications; both are described as "critical." The IE vulnerability affects versions 6.0, 5.5, and 5.01 of the product, as well as Proxy Server 2.0 and Internet Security and Acceleration Server 2000 (ISA Server). Microsoft released a patch in May to fix the MSN Messenger vulnerability, which can let attackers run programs on the user's PC. This vulnerability also affects MSN Chat and Exchange Messenger.
End users can upgrade MSN Messenger through Auto Update or Windows Update. For server-based patches, please refer to the Microsoft Security Web site.
3. KEEPING UP WITH WIN2K AND NT
(contributed by Paula Sharick, [email protected])
If you support a Microsoft SQL Server that also runs RRAS with Network Address Translation (NAT) or Internet Connection Sharing (ICS), be advised that SQL Server 2000 Service Pack 2 (SP2) sets a registry value that severely restricts the ports the RRAS NAT driver allocates to outgoing connections. The SP2 installation script limits the TCP/IP port range to only two ports, 1433 and 1434, in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ReservedPorts registry subkey. The Windows 2000 NAT driver reads this key and limits outgoing TCP/UDP source mappings to these two ports. If your SQL/RRAS server has this problem, internal clients that connect to the Internet through RRAS or ICS might be able to view only the text portion of a Web page, but not images or embedded objects. To eliminate this problem, delete the ReservedPorts subkey and reboot the server. For more information, see Microsoft article "NAT Clients Cannot View Web Sites After You Install SQL 2000 SP2 on an RRAS Server" at the following URL:
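A read-only check for the condition described above, as an added example that is not part of the newsletter or Microsoft's article. It assumes ReservedPorts is stored as a multi-string value under Tcpip\Parameters with one "low-high" range per string, and that the RRAS and ICS services are named RemoteAccess and SharedAccess.

```powershell
# Added example: report whether ReservedPorts holds the 1433-1434 range on a
# host that is also running RRAS or ICS. Nothing is modified.
# Assumption: ReservedPorts is a multi-string value, one "low-high" range each.
$TcpipParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

function ConvertTo-PortRange {
    param([string[]]$Entries)
    foreach ($entry in $Entries) {
        if ($entry -match '^\s*(\d{1,5})-(\d{1,5})\s*$') {
            [pscustomobject]@{ Low = [int]$Matches[1]; High = [int]$Matches[2]; Raw = $entry.Trim() }
        } elseif ($entry.Trim()) {
            # Keep going, but surface entries that do not look like a range.
            Write-Warning "Unparsed ReservedPorts entry: '$entry'"
        }
    }
}

function Test-SqlSp2ReservedPorts {
    param([string[]]$Entries)
    $ranges = @(ConvertTo-PortRange -Entries $Entries)
    $sql = @($ranges | Where-Object { $_.Low -eq 1433 -and $_.High -eq 1434 })
    [pscustomobject]@{
        Ranges        = ($ranges | ForEach-Object { $_.Raw }) -join ', '
        SqlRangeFound = $sql.Count -gt 0
        # True when the SQL range is the only reservation, the case the article describes.
        SqlRangeOnly  = ($sql.Count -gt 0) -and ($ranges.Count -eq $sql.Count)
    }
}

# Constructed sample: the value as the article says SP2 leaves it.
Test-SqlSp2ReservedPorts -Entries @('1433-1434')

# Live check on the local server.
$prop = Get-ItemProperty -Path $TcpipParams -Name ReservedPorts -ErrorAction SilentlyContinue
if (-not $prop) {
    'ReservedPorts is not set on this server.'
} else {
    $result = Test-SqlSp2ReservedPorts -Entries $prop.ReservedPorts
    $nat = @(Get-Service -Name RemoteAccess, SharedAccess -ErrorAction SilentlyContinue |
        Where-Object { $_.Status -eq 'Running' })
    $result | Add-Member -NotePropertyName NatServices -NotePropertyValue ($nat.Name -join ', ') -PassThru
    if ($result.SqlRangeFound -and $nat.Count -gt 0) {
        'ReservedPorts contains 1433-1434 and RRAS/ICS is running: NAT clients may be affected.'
    }
}
```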
WEB-EXCLUSIVE ARTICLES: The following items are posted on the Windows & .NET Magazine Web site. For the complete story, use the following link and scroll to the appropriate article.
When you create persistent connections to network drives (in a logon script, in Windows Explorer, or with a "Net use" command), you might encounter a long delay when you click the up or down arrow in the Open or Save As dialog box in Notepad or Microsoft Office applications. For details about this problem, visit the following URL:
When you back up and then restore the only domain controller (DC) in a domain, the restore process doesn't restore the File Replication Service (FRS) database. For more information and a workaround, visit the following URL:
Paula writes about a Catch-22 problem that occurs when you use encryption to secure your files. Read all about the problem at the following URL:
5. INSTANT POLL
The voting has closed in Windows & .NET Magazine's nonscientific Instant Poll for the question, "If you use an older desktop OS, what keeps you from upgrading to Windows XP?" Here are the results (+/-2 percent) from the 381 votes:
- 16% Current hardware won't support it
- 38% Satisfactory performance of current OS
- 33% Software and licensing costs
- 3% XP security concerns
- 10% Other
The next Instant Poll question is, "Do you think Microsoft should be held financially liable for defective software?" Go to the Windows & .NET Magazine home page and submit your vote for a) Yes, b) No, c) Not sure.
Chris is trying to remotely connect a Windows XP client to his organization's Windows NT 4.0 server over the Internet. He established a connection using VPN, but he can't browse or see the server. Can you help? Join the discussion at the following URL:
(contributed by John Savill, http://www.windows2000faq.com)
Q. What is the kernel version of Windows .NET Server (Win.NET Server) and Windows XP?
A. Microsoft named previous versions of Windows after the kernel version (e.g., the Windows NT 4.0 kernel version is 4.0). With Windows 2000, Microsoft changed the naming scheme so that the OS name no longer matches the kernel version; however, the company maintained the numbering order for the kernel version (e.g., the Win2K kernel version is 5.0).
Because XP included only minor core changes, its kernel version is 5.1. Win.NET Server takes this numbering scheme one step further with a kernel version of 5.2. To determine the kernel version, use a registry editor (e.g., regedit.exe) to view the CurrentVersion registry value under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion subkey.
7. NEW AND IMPROVED
(contributed by Bob Kretschman, [email protected])
Executive Software International released DiskAlert 2.0, software that runs on Windows XP, Windows 2000, and Windows NT. DiskAlert 2.0 automates the task of detecting and evaluating warning signs of impending disk failure. The product delivers instant alerts by email, phone, pager, and screen pop-up messages before a hard-disk failure occurs. DiskAlert 2.0 installs and configures from a central console and monitors all disks within a network. DiskAlert 2.0's desktop version sells for $44.95, and the Administrator version costs $259.95. For more information, contact Executive Software at 800-829-6468 or 818-771-1600.
SmartLine released Active Network Monitor 1.0, a tool for day-to-day monitoring of computers in your network. The software product lets IT personnel monitor installed service packs and hotfixes, services, devices, processes, installed applications, disks, shared resources, hardware, users, and other system elements. The software has a flexible plug-in-based architecture that lets you plug in necessary modules on demand. Active Network Monitor 1.0 requires Windows XP, Windows 2000, or Windows NT 4.0, 64MB of RAM, and 2MB of hard-disk space. The product costs $30 for a single-user license. Discounts are available for multiuser licenses and educational institutions. For more information, email [email protected]
8. CONTACT US
Here's how to reach us with your comments and questions:
- ABOUT THE COMMENTARY — [email protected]
- ABOUT KEEPING UP WITH WIN2K AND NT — [email protected]
- ABOUT THE NEWSLETTER IN GENERAL — [email protected]
(please mention the newsletter name in the subject line)
- TECHNICAL QUESTIONS — http://www.winnetmag.net/forums
- PRODUCT NEWS — [email protected]
- QUESTIONS ABOUT YOUR WINDOWS & .NET MAGAZINE UPDATE SUBSCRIPTION?
Customer Support — [email protected]
Thank you for reading Windows & .NET Magazine UPDATE.