Security UPDATE--Lessons in Disaster Recovery--September 14, 2005

This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE.

Supercharging SMS for Effective Asset Management


1. In Focus: Lessons in Disaster Recovery

2. Security News and Features

- Recent Security Vulnerabilities

- McAfee and Microsoft Warn About ASP.NET Forms Authentication

- eEye's Lengthy Laundry List of Vulnerabilities

3. Security Toolkit

- Security Matters Blog


- Security Forum Featured Thread

4. New and Improved

- Make Your Public PCs More Resilient


==== 1. In Focus: Lessons in Disaster Recovery ====

by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

I seriously doubt that there is a person reading this newsletter who doesn't know of the devastation caused by Hurricane Katrina. Vast areas of the southern coast of the United States have been destroyed. People's lives are in ruins, and how long it will take to recover is still unknown.

The human suffering and loss of life are heart-wrenching, to put it mildly, and although I have a difficult time thinking about protecting computer systems in the wake of such a disaster, such protection is in fact the focus of this newsletter. Therefore, I think it's appropriate to revisit disaster recovery in terms of information security and computer networks.

Katrina brings to light the fact that you and your business can be displaced not just temporarily, but for significant periods of time. A robust disaster recovery plan is paramount. Katrina shows us that in addition to thinking about system and communication failure, you should also consider the possibility that your premises might be destroyed and rendered unusable either temporarily or permanently. You need to think about system recovery, but you also need to consider hardware replacement or recovery, relocating available personnel in new office space, and replacing communication systems.

Data backup strategies can include offsite storage by either physically transporting media somewhere or by using a backup system that transmits data over a communication link. Either way, you should probably use an offsite backup location that's in a completely different geographic area.

You should also consider maintaining live backup Web sites, mail servers, and DNS systems that are ready to go. If you plan these right, they'll kick into action as soon as anything at your main site goes down.

To get in touch with key employees after a disaster, you might need conventional-phone alternatives such as cell phones and Voice over IP (VoIP) tools. However, if cell towers and other communication lines fail, then those technologies will also be useless. You could consider getting satellite phones if your business needs justify the cost.

You'll also need a quick exit strategy. If you must evacuate the area, what will you take, aside from obvious essentials? You could gather disk drives that contain mission-critical data and other devices if you have time. One easy way to help protect hardware and documents you might need to take with you or leave behind is to waterproof them by using a product such as Space Bags (see URL below). Having a big safe or vault to store hardware might be a good idea too. After all, if the building collapses, Space Bags won't be much help.

In addition, consider that you might have to leave a lot of data behind. If it's sensitive information, then it should be encrypted in case the hardware falls into the wrong hands in your absence. You probably won't have time to start encrypting data during a crisis, so you need to have such a process in place beforehand.

Those are a few ideas that might help you review your disaster recovery plans. As I've written before, you need to be ready to take action quickly on short notice and be ready to recover quickly from events that strike with little or no advance warning. A comprehensive disaster response and recovery plan is part of good business security.

You can find more information about disaster recovery for OSs, databases, email systems, and more in numerous articles on our Web site.


The Microsoft Professional Developers Conference 2005 (PDC05) is this week in Los Angeles. Check out Paul Thurrott's PDC05 blog on our Web site to find out the latest development news from LA.


==== Sponsor: Scalable Software ====

Supercharging SMS for Effective Asset Management

Cost control and license compliance have risen to the top of the IT asset and desktop management agenda. Learn to map Microsoft's SMS to specific business objectives and examine the pitfalls of relying solely on SMS to achieve business IT asset management objectives. Download this free white paper now and find out how you can leverage technology to bridge the gap between technical professionals and your CFO.


==== 2. Security News and Features ====

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at

McAfee and Microsoft Warn About ASP.NET Forms Authentication

McAfee published a white paper that helps developers understand how to better protect against replay attacks in applications based on ASP.NET. Microsoft also published an article about the problem, which pertains to forms authentication. Both Microsoft and McAfee recommend a series of defenses.

eEye's Lengthy Laundry List of Vulnerabilities

Since the end of March, eEye Digital Security has discovered no fewer than nine vulnerabilities in Microsoft products, two in RealNetworks products, and one in Macromedia products. No patches are publicly available for any of these problems.


==== Resources and Events ====

Windows Connections 2005 Conference--October 31 - November 3, 2005

At the Manchester Grand Hyatt in San Diego, Microsoft and Windows experts present over 40 in-depth sessions with real-world solutions you can take back and apply today. Register now to save $100 off your conference registration and attend sessions at Microsoft Exchange Connections free!

Identify the Key Security Considerations for Wireless Mobility

Wireless and mobile technologies are enabling enterprises to gain a competitive advantage through accelerated responsiveness and increased productivity. In this free, on-demand Web seminar, you'll receive a checklist of risks to factor in when considering your wireless mobility technology evaluations and design. Sign up today and learn all you need to know about firewall security, transmission security, OTA management, management of third-party security applications, and more!

Get Ready for the SQL Server 2005 Roadshow in Europe

Back By Popular Demand--Get the facts about migrating to SQL Server 2005! SQL Server experts will present real-world information about administration, development, and business intelligence to help you implement a best-practices migration to SQL Server 2005 and improve your database-computing environment. Receive a one-year membership to PASS and one-year subscription to SQL Server Magazine. Register now.

Discover SQL Server 2005 for the Enterprise. Are you prepared?

In this free, half-day event you'll learn how the top new features of SQL Server 2005 will help you create and manage large-scale, mission-critical, enterprise database applications--making your job easier. Find out how to leverage SQL Server 2005's new capabilities to best support your business initiatives. Register today!

Cut Your Windows XP Migration Time by 60% or More!

If your organization is considering--or has already begun--migrating your operating system to Windows XP, then this Web seminar is for you. Sign up for this free event and you'll learn how to efficiently migrate your applications into the Windows Installer (MSI) format and prepare them for error-free deployment and what steps you need to package your applications quickly and correctly and more!

Walking the Tightrope Between Recovery and Continuity

There's a big difference between the ability to quickly recover lost or damaged data and the ability to keep your messaging operations running normally before, during, and after an outage. In this free Web seminar, you'll learn what the technical differences between recovery and continuity are, when each is important, and what you can do to make sure that you're hitting the right balance between them.


==== Featured White Paper ====

How to Solve the Anti-Spam Dilemma

In this free white paper, learn why older spam prevention technologies using traditional content filtering don't work against the latest spammer tactics--and why more corporate email administrators are turning to a managed email security service. Discover how to achieve email security with multiple-layer protection, minimize false positives, cut email administration costs, and keep user communities happy and productive. Download your copy today!


==== Hot Release ====

Download Free: Patch & Spyware Management in one easy-to-use GUI.

Is your network safe from Spyware? The first step to securing your network is to remove spyware, adware, and malware. Next, patch your systems to stop re-infestation. Remediate Spyware and install Patches with Shavlik NetChk Protect for a Complete Security Solution.

To download free software visit:


==== 3. Security Toolkit ====

Security Matters Blog: Some Vulnerabilities Are Downright Funny

by Mark Joseph Edwards,

Full Disclosure is a decent mailing list, although the conversation can at times become childish and full of offensive language. Once in a while, a truly funny post comes across the list to lighten the discussion. Read this blog item for a little comedic relief.


by John Savill,

Q: I'm trying to copy a user profile, but the Copy To button is grayed out in the dialog box in the System Control Panel applet. How can I access that functionality?

Find the answer at

Security Forum Featured Thread: Securing Microsoft Access

A forum participant has a Microsoft Access database on the company network and wants some people to be able to read it and others to be able to make changes to it. When he chooses what he thinks are the proper security settings in Tools, Security, he gets a "Not a valid account name or password" error message. Does he need to save an .mdw file to a particular folder, and can he create passwords on the fly? Join the discussion at


==== Announcements ====

(from Windows IT Pro and its partners)

Get All the Scripting Answers You Need

If you haven't seen the Windows Scripting Solutions newsletter, you're missing out on an exclusive monthly resource that shows you how to automate time-consuming administrative tasks by using our expert-reviewed downloadable code and scripting techniques. Subscribe now and find out how you can save both time and money. Plus, get online access to our popular "Shell Scripting 101" series--click here:

SQL Server Magazine Has What IT Professionals Need

Get SQL Server Magazine and get answers! Subscribe today and get an entire year for just $39.95--that's 44% off the cover price. You'll also gain exclusive access to the entire SQL Server Magazine article database (over 2300 articles) and get the Top SQL Tips handbook (over 60 helpful tips) FREE. This is a limited-time, risk-free offer, so click here now:


==== 4. New and Improved ====

by Renee Munshi, [email protected]

Make Your Public PCs More Resilient

Jackson Backup offers the Jackson Armor Card, a PCI card that provides fast recovery technology for computers in schools, libraries, cyber cafes, and other public places. Jackson Armor Card is designed to protect a PC's OS and program settings; it guards against any form of corruption or unwanted modification, accidental or intentional damage to the hard drive, hacking, viruses, tampering, and most accidents including formatting. To recover the PC's original settings and data after an incident, you simply reboot the system. The Jackson Armor Card costs $79.99. For more information, go to

Tell Us About a Hot Product and Get a T-Shirt!

Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to [email protected].

Editor's note: Share Your Security Discoveries and Get $100

Share your security-related discoveries, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions (500 words or less) to [email protected]. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.


==== Sponsored Links ====

Argent Versus MOM 2005

Download Argent Versus Microsoft Operations Manager 2005

Is Your Office Truly Fax Integrated?

Download this free whitepaper from Faxback and find out!


==== Contact Us ====

About the newsletter -- [email protected]

About technical questions --

About product news -- [email protected]

About your subscription -- [email protected]

About sponsoring Security UPDATE -- [email protected]


This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.

View the Windows IT Pro privacy policy at

Windows IT Pro, a division of Penton Media, Inc.

221 East 29th Street, Loveland, CO 80538

Attention: Customer Service Department

Copyright 2005, Penton Media, Inc. All rights reserved.
