Windows & .NET Magazine UPDATE--Windows XP SP2, NSA Guidelines Follow-Up--January 13, 2004

This Issue Sponsored By

Microsoft(r) and Quest Software(r)

Exchange & Outlook Administrator


1. Commentary: Windows XP SP2, NSA Guidelines Follow-Up

2. Hot Off the Press
- Opinion: HP's iPod Move Could Hurt the Industry

3. Networking Perspectives
- Malicious Hackers and Spam, Part 2

4. Announcements
- The Windows & .NET Magazine Network VIP Web Site/Super CD Has It All!
- Announcing a New eBook: "Content Security in the Enterprise--Spam and Beyond"

5. Instant Poll
- Results of Previous Poll: IT Job Market
- New Instant Poll: Outdated Computer Equipment

6. Resource
- Tip: Which Windows versions does Microsoft Exchange Server run on?

7. Event
- New Web Seminar: Email Is a Service--Manage It Like One 8. New and Improved
- Parse Email Message Parts
- Optimize Your Business Processes
- Tell Us About a Hot Product and Get a T-Shirt!

9. Contact Us
- See this section for a list of ways to contact us.

==== Sponsor: Microsoft(r) and Quest Software(r) ====
Get Hard Data for Your Storage Consolidation Project.
Disk space is cheap, but managing storage isn't. How are you planning to tackle this growing concern? Learn how to plan the business case for your consolidation project. Get the hard data about consolidation projects from Microsoft(r) and Quest Software's white paper. Get on the road to storage fitness today! Download this complimentary white paper:


==== 1. Commentary: Windows XP SP2, NSA Guidelines Follow-Up ====
by Paul Thurrott, News Editor, [email protected]

Last week, I presented a hands-on look at Windows XP Service Pack 2 (SP2) and discussed the National Security Agency's (NSA's) guidelines for securely configuring XP, two somewhat related topics that are probably close to many administrators' hearts these days (see "Windows XP SP2 Beta In-Depth; NSA Guidelines on XP Security" at ). This week, I follow up on these topics because I've discovered new information about both.

More XP SP2 Features
After previewing XP SP2 last week, I took an XP SP2-enabled notebook computer to Las Vegas, Nevada, for the 2004 International Consumer Electronics Show (CES)--the perfect way to test the new service pack in the real world. I didn't experience any stability problems with SP2, although my one-PC experience is an admittedly nonscientific test. But during the trip, I was able to exercise XP SP2's new wireless networking features and the Internet Connection Firewall (ICF), which Microsoft plans to simply call Windows Firewall when SP2 ships in mid-2004.

XP SP2 and Wireless Networking
When Microsoft first shipped XP in October 2001, the company integrated wireless networking into the product, providing users with a relatively simple method of connecting to secure and insecure wireless networks. The initial XP version supports only 802.11b and the Wireless Equivalency Protocol (WEP) security scheme out of the box; if you recall the wireless security climate of late 2001, most wireless networks were left open and unsecured. In such a network, XP worked well: If you turned on an XP notebook within range of a wireless network, you'd be connected automatically and could get right to work. Of course, that capability exposed users' machines to potential intrusion.
In XP SP1, which shipped in fall 2002, Microsoft added a block that requires the user to manually OK every connection to an insecure network. This new emphasis on security over functionality is well suited for most businesses, but I suspect many consumers were a bit perplexed by the requirement because most home-based wireless networks are still insecure.
In XP SP2, Microsoft overhauled the wireless networking capabilities yet again. The first change is a friendly new UI for managing and connecting to wireless networks. This new interface will likely be much easier to use than the old View Wireless Networks dialog box-based approach used in earlier versions, especially for users in areas with numerous wireless networks. The new UI labels each network as "Non-secure wireless network" or "Security-enabled wireless network." On wireless networks with security, you'll see a message stating that you need a network key, which you can enter when prompted, and the OS offers task lists for getting more information about wireless networking connections or changing your preferred wireless network.
From my standpoint, the biggest change in this release is that wireless connection settings seem to stick better than before. After you've OK'd a connection to an insecure wireless network, you can connect to that network without further prompting in the future, which is nice. In my experience, this functionality would work only intermittently in XP SP1. The wireless network aggregated list is also less likely to display networks that are no longer in range, which was a curious problem with earlier versions.

Windows Firewall
If you're familiar with Zone Labs' Zone Alarm or other firewall products, you've probably spent time configuring which applications and services can and can't send information to and from your machine. XP SP2's new Windows Firewall works the same way. The first time any application or service attempts to access a closed port, you'll get a dialog box that lets you configure whether the application or service can bypass the firewall, or you can simply click Cancel to never allow said access. The new firewall has several advantages over ICF. First, users are more likely to use the firewall because Windows Firewall is much easier to customize than was the ICF in earlier versions. Second, as with commercial firewall products, you get to see which applications are calling home and decide which ones to allow. From a corporate standpoint, this functionality is centrally manageable, which is extremely welcome.
If you want to manage the Windows Firewall settings manually, you can access a list of exceptions, which are applications and services that can receive connections from the outside world. In the past few days, I've received warnings about programs such as Microsoft Virtual PC, Windows Messenger, and RealNetworks' RealPlayer, as well as system services such as File and Print Sharing and ActiveSync. You can manually add programs to the list, which is nice, and determine the network connections to which these settings apply. Overall, the improvements are phenomenal compared with the previous version.

NSA, Security, and XP
Last week, I briefly mentioned the NSA's Windows XP Security Guidelines. I incorrectly noted that these guidelines were new, when in fact they were released in 2002 and last updated in April 2003. Several readers pointed out this discrepancy and that following the NSA guidelines can lead to software incompatibilities related to security because many applications and services rely on certain non-secure configurations to operate correctly, a problem that Microsoft has been wrangling with during its Trustworthy Computing makeover. A Microsoft representative who contacted me last week noted that the software giant worked closely with the NSA, as well as the National Institute of Standards and Technology (NIST) and the SANS Institute's Center for Internet Security (CIS), on the company's own security guides, which you can access from the links below.

Windows Server 2003 Security Guide

Threats and Countermeasures Guide

Microsoft Windows XP Security Guide Overview

Guide to Securing Windows XP in Small and Medium Businesses


==== Sponsor: Exchange & Outlook Administrator ====
Try a Sample Issue of Exchange & Outlook Administrator!
If you haven't seen Exchange & Outlook Administrator, you're missing out on key information that will go a long way towards preventing serious messaging problems and down time. Request a sample issue today, and discover tools you won't find anywhere else to help you migrate, optimize, administer, and secure Exchange and Outlook. Order now!


==== 2. Hot Off the Press ====
by Paul Thurrott, [email protected]

Opinion: HP's iPod Move Could Hurt the Industry
Last summer, HP announced a sweeping push into consumer electronics and released more than 100 new consumer-oriented products in one day. The move drew a bit of press attention, but nothing like the front-page news assault that Apple Computer generated last week for its comparably weak announcement of relatively inexpensive, new, and smaller iPod devices--portable audio players that won't be available for months.
Attempting to latch on to Apple's marketing success, last week HP made the incredible decision to license Apple's iPod player and iTunes software, a move that predictably catapulted HP into the spotlight for a day. But as the dust settles, HP's customers are rightly asking some hard questions about the decision because, as Microsoft is pointing out, Apple's technology offerings are an island of incompatibility in an otherwise widely compatible PC world.

==== 3. Networking Perspectives ====
by Alan Sugano, [email protected]

Malicious Hackers and Spam, Part 2
If you recall from last month's article "Malicious Hackers and Spam, Part 1" ( ), a client was having a backup problem and poor server performance. I discovered that a spammer was using the client's server to relay spam. Although the server wasn't an open relay, the spammer was somehow authenticating to the server to send messages.
My first concern was to prevent the spammer from sending more messages. I disconnected the firewall from the Internet and deleted all the sessions. I tried to use the Exchange System Manager (ESM) to delete the messages from the queues, but the process was taking a long time. I stopped all the Exchange services, opened a command prompt, and deleted the messages from the directory D:\exchsrvr\mailroot\vsi 1\queue. Stopping the Exchange services greatly improved the server performance, but more than 10,000 messages were waiting in various queues, so even using the command prompt to delete the messages took more than an hour. I changed all the passwords for every user on the network. I also looked at the bad mail directory in D:\exchsrvr\mailroot\vsi 1\badmail. The directory contained so many messages that I couldn't even view the number of files in the directory. I used a command prompt to delete all the files, which took approximately 8 hours. I then created a rule on the firewall to deny traffic from the IP ranges from which the spam originated. To read the rest of the story, visit the following URL:

==== 4. Announcements ====
(from Windows & .NET Magazine and its partners)

The Windows & .NET Magazine Network VIP Web Site/Super CD Has It All!
With a VIP Web site/Super CD subscription, you'll get online access to all of our publications, a print subscription to Windows & .NET Magazine, and a subscription to our VIP Web site, a banner-free resource loaded with articles you can't find anywhere else. Click here to find out how you can get it all at 25 percent off!

Announcing a New eBook: "Content Security in the Enterprise--Spam and Beyond"
This eBook explores how to reduce and eliminate the risks from Internet applications such as email, Web browsing, and Instant Messaging by limiting inappropriate use, eliminating spam, protecting corporate information assets, and ensuring that these vital resources are secure and available for authorized business purposes. Download this eBook now free!

~~~~ Hot Release: Free white paper: Windows Quota Management and File Blocking "Best Practices"

This white paper provides guidelines and a methodology for developing corporate policies to control a shared Windows storage environment. Download this free technical white paper now from Windows & .NET Magazine's White Paper Central. Brought to you courtesy of Veritas Software.;6982949;8469764;q?;6964549;8743054;z?

==== 5. Instant Poll ====

Results of Previous Poll: IT Job Market
The voting has closed in Windows & .NET Magazine's nonscientific Instant Poll for the question, "Do you think the IT job market will improve in 2004?" Here are the results from the 448 votes:
- 35% Yes
- 31% Probably
- 29% Probably not
- 5% Definitely not

New Instant Poll: Outdated Computer Equipment
The next Instant Poll question is, "What does your organization do with outdated computer hardware?" Go to the Windows & .NET Magazine home page and submit your vote for a) Sell it, b) Donate it, c) Recycle it, or d) Throw it away.

==== 6. Resource ====

Tip: Which Windows versions does Microsoft Exchange Server run on?
by John Savill,

The answer to this question varies according to the version of Exchange you plan to run. For example, Exchange Server 2003 runs on Windows Server 2003 and Windows 2000 Server with Service Pack 3 (SP3) or later. Exchange 2000 Server runs on Win2K Server with SP1 or later. And Exchange Server 5.5 runs on Win2K Server with any service pack and on Windows NT Server 4.0.
If you plan to run Exchange 2000, you don't have to install this version of Exchange on a domain controller (DC), although you can, but you must install it on a member server that has access to Active Directory (AD). Also be aware that the only version of Exchange that Windows 2003 can support is Exchange 2003. As a result, if you plan to upgrade from Win2K to Windows 2003, you'll need to upgrade to Exchange 2003 on Win2K before you upgrade the OS.

==== 7. Event ====
(brought to you by Windows & .NET Magazine)

New Web Seminar: Email Is a Service--Manage It Like One
True end-to-end management of the messaging infrastructure requires an integrated, service-oriented approach. This free Web seminar introduces service-driven management and best practices for managing and monitoring the key elements crucial to ensuring email health and performance, including Exchange Server, Active Directory, network, and storage. Sign up today!

==== 8. New and Improved ====
by Carolyn Mader, [email protected]

Parse Email Message Parts
ExclamationSoft released NetMailBot 4.0, command-line email software that can parse email message parts, save attachments, forward, and autorespond. You can reduce the complexity of creating individualized email campaigns by using the built-in database features such as mail merge and personalization. You can send a message containing both HTML and plain text. NetMailBot runs on Windows XP/2000/NT/Me/9x systems and costs $149.95. Contact ExclamationSoft at 267-895-1726 or 866-489-0111.

Optimize Your Business Processes
Ultimus released Ultimus BPM Suite 6.0, software that lets you model, automate, manage, and optimize your business processes. The suite includes BPM Studio, which is a collaborative design environment in which users can share and reuse process designs. Expanded developer support lets developers enhance their processes. The software supports Windows 2003. Contact Ultimus at 919-678-0900 or [email protected]

Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a Windows & .NET Magazine T-shirt if we write about the product in a future Windows & .NET Magazine What's Hot column. Send your product suggestions with information about how the product has helped you to [email protected]

==== Sponsored Link ====

VMware Inc.
Are you an MCSE/MCP? Let VMware Workstation put $100 in your pocket.;6966714;8214395;w?


==== 9. Contact Us ====

About the newsletter -- [email protected] About technical questions -- About product news -- [email protected] About your subscription -- [email protected] About sponsoring UPDATE -- [email protected]


This email newsletter is brought to you by Windows & .NET Magazine, the leading publication for IT professionals deploying Windows and related technologies. Subscribe today.

Copyright 2004, Penton Media, Inc. All Rights Reserved.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.