Windows & .NET Magazine UPDATE--July 8, 2003

This Issue Sponsored By

HP & Microsoft Network Storage Solutions Road Show


1. Commentary: One Last Follow-up: The Future of Patch Management

2. Hot Off the Press
- Adobe's XP-Only Premiere Takes a Bite Out of Apple

3. Keeping Up with Win2K and NT
- Win2K SP4 Tightens Security for Programs and Services

4. Announcements
- Windows & .NET Magazine Connections: Fall Dates Announced
- Find Your Next Job at Our IT Career Center

5. Instant Poll
- Results of Previous Poll: SBS 2003
- New Instant Poll: Thin-Client Technology

6. Resources
- Featured Thread: Disable IE Locally
- Tip: How Can I Display Seconds as Part of the Current Time Displayed in the Taskbar?

7. Event
- New--Mobile & Wireless Road Show!

8. New and Improved
- Migrate to Windows 2003 from Legacy Platforms
- Access Lost Data
- Submit Top Product Ideas

9. Contact Us
- See this section for a list of ways to contact us.

==== Sponsor: HP & Microsoft Network Storage Solutions Road Show ====
Missed the Network Storage Solutions Road Show? If you couldn't make the HP & Microsoft Network Storage Solutions Road Show, you missed Mark Smith talking about Windows-Powered NAS, file server consolidation, and more. The good news is that you can now view the Webcast event in its entirety at:


==== 1. Commentary: One Last Follow-up: The Future of Patch Management ====
by Paul Thurrott, News Editor, [email protected]

Two weeks ago in Windows & .NET Magazine UPDATE, I discussed the Microsoft patch-management nightmare; now I'm happy to report that the company will be fixing this problem much sooner than I'd previously thought. In a recent briefing with Microsoft, I learned how the software company will consolidate its patch-management infrastructure and tools and provide customers a more workable solution by mid-2004. Here's what's happening.

Today, we have a variety of patch-management tools, but many of these tools run off of different back-end data sources, which can cause confusion. For example, you might run the Microsoft Baseline Security Analyzer (MBSA) against a Windows XP installation and receive a report about the various updates you need to install, but when you run Windows Update against that same machine, it says you're up-to-date.

The number of patch-management tools available to enterprises is bewildering. Microsoft offers Windows Update and Auto Update to individuals and very small businesses; Microsoft Software Update Services (SUS) to small- and mid-sized businesses; Microsoft Systems Management Server (SMS) SUS Feature Pack for enterprises; and other tools, such as MBSA and the IIS Lockdown Tool to address specific problems. The company also offers an Office Update Web site, similar to Windows Update, for its Microsoft Office products.

Another concern is patch quality. Microsoft walks a fine line between releasing security patches quickly and releasing patches that correct the problem without introducing new problems. Many of Microsoft's critics complain that the company doesn't deliver high-quality patches quickly enough. To release a high-quality patch, the software giant must perform a certain level of testing. So I ask, "Do you want the patch now or do you want it right?"

Microsoft tells me it will address all these concerns. On the back end, Microsoft is creating a new centralized patch-management infrastructure that it will use for all its products. New versions of existing patch-management tools will build off this infrastructure, and the long-sought version of Windows Update that will work with all the software giant's products is on the drawing board as well. I think of this product as "Microsoft Update," but the company tells me it hasn't settled on a name yet. When these new products appear in the first half of 2004, you'll no longer see different results when you run MBSA and Windows Update, for example. For more information about these plans, please see my WinInfo Daily Update article, "Exclusive: Microsoft's Plan to End the Patch Management Nightmare."

Microsoft has plans for other products and initiatives that will intersect with its patch-management plans. In December 2003, the company plans to release Windows Server 2003 Service Pack 1 (SP1), which will include a tool called the Microsoft Security Configuration Wizard. This excellent roles-based wizard will finally answer what might be the number-one question I receive: "How do I know which services I can turn off in my Windows installation?" To date, this question has been virtually impossible to answer, even for a base Windows install, but the answer gets even more complicated as you add features and other products to the mix. Currently, your best bet for answering this question is to review a list of services and what they do. But even these lists don't speak to the complexity of the situation because many services on a Windows system have various dependencies.

To solve this problem, Microsoft is creating an extensible XML-based database covering Windows 2003 and every Microsoft server product that can run on that platform. When you run the wizard, it will query your system and compare the results with the database. You'll be able to choose which roles your server should perform--email server, Web server, domain controller (DC)--and the wizard will shut down all unneeded services and ports. For the curious, the wizard will even provide a list of those services so that you can see what it's doing. And because the tool is extensible, third parties can add their products to the database, and administrators and developers can add their custom-built in-house applications. I look forward to evaluating this tool, and I'll report back as soon as possible. I hope this functionality will be available to other Windows versions, such as XP and Windows 2000.

Another upcoming product that will have dramatic ramifications on patch management is Longhorn, the next major Windows client release (Longhorn is currently due in late 2005). Microsoft will develop Longhorn in a modular fashion, much as XP Embedded is today, that will let administrators and PC makers more easily deploy systems. Because 85 to 90 percent of Longhorn code will consist of a language-independent core code module, to create Longhorn versions such as home, professional, Tablet PC, or Media Center Edition, one will simply add the appropriate code modules to the core module. For example, a PC maker wishing to supply Longhorn Media Center Edition to the US market would assemble the Longhorn core module with the US English language module, the Longhorn professional module, and the Longhorn Media Center Edition module (Media Center Edition builds on professional). The end result will be a more stable system for which patch management will be far simpler. Because most of Longhorn's code will reside in the core module, Microsoft will be able to release most bug fixes for this one code base, negating the need for language- and version-specific fixes. This approach will result in faster and more stable patch delivery.

Of course, Longhorn is still 2 years away. In the meantime, Microsoft is working to, well, patch its current products with more elegant patch management. But looking ahead, it's exciting to think that a long-term dream of centralized patch management is finally happening.


==== 2. Hot Off the Press ====
by Paul Thurrott, [email protected]

Adobe's XP-Only Premiere Takes a Bite Out of Apple
This week, longtime Apple Computer supporter Adobe Systems announced a new version of Adobe Premiere Pro, its high-end video-editing platform, but with one catch: The new Premiere will be Windows-only, making this version of the product the first that doesn't support Apple's Mac OS. Adobe's decision mirrors that of many third-party developers, most of which have far less emotional reasons to continue supporting Apple: Supporting the dwindling Macintosh market doesn't make financial sense, especially when Apple is trying to get its hands on the Mac's few remaining lucrative software areas. How will this decision affect Apple and the wider market for PC-based video editing? Read the rest of the article at the following URL:

==== 3. Keeping Up with Win2K and NT ====
by Paula Sharick, [email protected]

Win2K SP4 Tightens Security for Programs and Services
Windows 2000 Service Pack 4 (SP4) introduces two new rights that tighten Win2K's security model and make it compatible with Windows Server 2003. To avoid problems with installed programs, you need to understand how these new rights restrict previously allowed activity. In nondeveloper terms, the "Impersonate a client after authentication" (SeImpersonatePrivilege) right lets programs and services that run after you log on perform activities on your behalf. To do so, the program or service must impersonate you by using your account credentials instead of the credentials the program or service logged on with. Many Win2K services log on with a local system account. When you request a network connection, the service responsible for the connection uses your account credentials to make the request for the resource. A similar process happens with Win2K Server Terminal Services clients. In Win2K SP3 and earlier, programs and services don't require explicit permission for impersonation activities; in Win2K SP4, they do.
The impetus behind the "Impersonate a client after authentication" right is similar, in some respects, to the impetus behind the Restrict Anonymous security setting. Without this control, code with user or client access credentials can use a remote procedure call (RPC) or named pipe to anonymously connect to another system at any time. In fact, many worms and Trojan horses use RPC and named pipe connections to propagate their evil ways across a network. When you upgrade a system to Win2K SP4, setup automatically assigns this right to members of the local Administrators group, the System account, all services that the Service Control Manager (svchost.exe) starts, and all COM components.

To read the complete story, visit the following URL:
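
One way to check which accounts hold the "Impersonate a client after authentication" right described above, as an added example that is not part of the original newsletter: it parses the [Privilege Rights] section of a `secedit /export /cfg <file> /areas USER_RIGHTS` export. The sample export, the account name WEBSRV01\svc_reports, and the baseline (local Administrators plus the well-known SERVICE group) are assumptions for illustration.

```python
# Constructed sample of a secedit USER_RIGHTS export; the machine and
# account names are made up for illustration.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544
SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6,WEBSRV01\\svc_reports
[Version]
signature="$CHICAGO$"
"""

# Assumed baseline: BUILTIN\Administrators (S-1-5-32-544) and the SERVICE
# group (S-1-5-6), standing in for the defaults the article lists.
BASELINE = {"S-1-5-32-544", "S-1-5-6"}


def privilege_holders(inf_text, privilege):
    """Return the SIDs or account names granted `privilege` in the export."""
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # skip blank lines and INF comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "privilege rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        if name.strip().lower() == privilege.lower():
            # SIDs are exported with a leading '*'; names appear as-is.
            return {v.strip().lstrip("*") for v in value.split(",") if v.strip()}
    return set()  # right not present in the export


def audit_impersonation(inf_text, baseline=BASELINE):
    """Compare SeImpersonatePrivilege holders against the expected baseline."""
    holders = privilege_holders(inf_text, "SeImpersonatePrivilege")
    return {
        "holders": holders,
        "unexpected": holders - baseline,  # extra accounts able to impersonate
        "missing": baseline - holders,     # defaults removed; programs may fail
    }


if __name__ == "__main__":
    for key, value in audit_impersonation(SAMPLE_INF).items():
        print(f"{key}: {sorted(value)}")
```
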

==== 4. Announcements ====
(from Windows & .NET Magazine and its partners)

Windows & .NET Magazine Connections: Fall Dates Announced
Jump-start your fall 2003 training plans by securing your seat for Windows & .NET Magazine Connections Fall, scheduled for November 2 through 6, 2003, in Orlando, Florida. Register now to receive the lowest possible registration fee. Call 800-505-1201 or 203-268-3204 for more information.

Find Your Next Job at Our IT Career Center
Check out our new online career center in which you can browse current job openings, post your resume, and create automated notifications to notify you when a job is posted that meets your specifications. It's effective, it's private, and there's no charge. Visit today!

==== 5. Instant Poll ====

Results of Previous Poll: SBS 2003
The voting has closed in Windows & .NET Magazine's nonscientific Instant Poll for the question, "Is your company a candidate for the next version of Small Business Server (SBS), which Microsoft will release later this year?" Here are the results from the 93 votes:

- 32% Yes, we have 50 seats or fewer and we plan to purchase SBS.
- 6% We have 50 seats or fewer but we won't purchase anytime soon.
- 24% We have 50 seats or fewer but we have no interest in SBS.
- 38% SBS doesn't fit our needs (we have more than 50 seats).

New Instant Poll: Thin-Client Technology
The next Instant Poll question is, "What's your company's situation regarding terminal services or thin-client technology?" Go to the Windows & .NET Magazine home page and submit your vote for a) We currently use a Microsoft terminal server product, b) We currently use a third-party thin-client product, c) We're considering implementing thin-client technology at my company, d) We don't use thin-client technology but would consider doing so if it made sense, or e) Thin-client technology doesn't make sense for my organization.

==== 6. Resources ====

Featured Thread: Disable IE Locally
Reader PIXADMIN wants to know how to disable Microsoft Internet Explorer (IE) 6.0 locally on a Windows XP Professional Edition workstation. The user accounts are built locally, and he needs to use the local security policy because these workstations are on a workgroup not a domain. If you can help, join the discussion at the following URL:

Tip: How Can I Display Seconds as Part of the Current Time Displayed in the Taskbar?
by John Savill

The taskbar displays only the hour and minutes for the current time. This behavior dates back to the days of Windows 95, when displaying the seconds was deemed to be too CPU intensive. You can't use Windows to display seconds, but you can use one of several third-party utilities, such as Tclock2, which adds the date and seconds and is fully configurable.

==== 7. Event ====
(brought to you by Windows & .NET Magazine)

New--Mobile & Wireless Road Show!
Learn more about the wireless and mobility solutions that are available today! Register now for this free event!

==== 8. New and Improved ====
by Carolyn Mader, [email protected]

Migrate to Windows 2003 from Legacy Platforms
ManageSoft released ManageSoft for Windows Deployment 2.0, automated Windows deployment software for Windows Server 2003. The solution lets you perform enterprisewide migration from legacy platforms. The software provides policy-based central control throughout the rollout. ManageSoft for Windows Deployment also provides native integration with Active Directory (AD). Other key features include predeployment asset discovery and reporting, Symantec Ghost tools integration, intelligent machine renaming, and automatic restoration of user data and application settings. For pricing, contact ManageSoft at 800-441-4330.

Access Lost Data
Alexey V. Gubin released Zero Assumption Recovery (ZAR) 7.3, a suite of data-recovery tools that lets you access data on your PC after an accidental disk reformatting, virus attack, power spike, software mishap, or hardware malfunction. The solution gathers all available data, then rebuilds the file structure from the recovered data. ZAR 7.3 runs on Windows XP/2000/NT/Me/9x systems and costs $99. Contact Alexey V. Gubin at [email protected]

Submit Top Product Ideas
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Do you know of a terrific product that others should know about? Tell us! We want to write about the product in a future Windows & .NET Magazine What's Hot column. Send your product suggestions to [email protected]

==== Sponsored Link ====

Jerry Honeycutt Desktop Deployment Whitepaper


==== 9. Contact Us ====

About the newsletter -- [email protected]
About technical questions --
About product news -- [email protected]
About your subscription -- [email protected]
About sponsoring UPDATE -- [email protected]

This email newsletter is brought to you by Windows & .NET Magazine, the leading publication for IT professionals deploying Windows and related technologies. Subscribe today.

Copyright 2003, Penton Media, Inc.
