Windows & .NET Magazine UPDATE--May 27, 2003

This Issue Sponsored By


Windows & .NET Magazine


1. Commentary: Taking a Closer Look at NGSCB

2. Hot Off the Press
- Microsoft Regains TPC-C Benchmark Crown

3. Keeping Up with Win2K and NT
- New IE Security Rollup

4. Announcements
- Guide to Securing Your Web Site for Business
- Free Webcast-SSL VPNs: Deliver Secure Remote Access from Any Browser
- New--Test-Drive Our Performance Portal!

5. Instant Poll
- Results of Previous Poll: NGSCB
- New Instant Poll: Network Security

6. Resources
- Featured Thread: Not Allowed to Restart
- Tip: How Can I Increase the Memory Available During a Windows 2000 Command Session?

7. Events
- Windows & .NET Magazine Web Seminar

8. New and Improved
- Clean the Hard Disk
- Create Macros
- Submit Top Product Ideas

9. Contact Us
- See this section for a list of ways to contact us.

==== Sponsor: NetIQ ====

CIO eBook for Managing and Securing the Enterprise - Need in-depth best practices for systems and security management? Register now for the FREE ebook, "From Chaos to Control: The CIO's Executive Guide to Managing and Securing the Enterprise," brought to you by NetIQ and Topics covered include: Top 10 Corporate Manageability Policies; Top 10 Overlooked Vulnerabilities; Top 10 Corporate Security Breaches. Take your enterprise systems and applications from chaos to control now.


==== 1. Commentary: Taking a Closer Look at NGSCB ====
by Paul Thurrott, News Editor, [email protected]

Last week, I presented a wide-angle view of Next-Generation Secure Computing Base (NGSCB--formerly Palladium), Microsoft's solution for creating a secure, private, and trusted computing environment with the next Windows version, code-named Longhorn. This week, I drill down and look at the hardware and software components that will make up NGSCB. NGSCB is a hardware and software solution; you can't run it on a PC that doesn't incorporate specific NGSCB hardware. This unique architecture is, Microsoft says, what makes NGSCB more trustworthy than previous technologies that attempted to address the concerns NGSCB will solve. However, the company is also quick to point out that even NGSCB won't solve all security problems. Like any other security device, be it hardware or software based, NGSCB will likely be compromised in some way, eventually. The goal, however, is to dramatically improve security over present solutions. Here are some of the components that make up NGSCB.

New Hardware
An NGSCB PC will likely look and act like a regular PC, but it will include new NGSCB-specific hardware, making it a superset of a regular PC. These new hardware bits include a security computing chip called the Security Support Component (SSC), a modified CPU (Intel and AMD are supporting the new architecture) and supporting chipsets, and NGSCB-compatible input and output devices, including new keyboards and displays. NGSCB PCs will also require physically isolated disk and RAM storage that's separate from the storage that the non-NGSCB parts of the system use. The NGSCB SSC will perform cryptographic operations and will securely store cryptographic keys that the NGSCB nexus (formerly called the trust operating root) and its agents use.

New Software
NGSCB requires a special PC with a new kind of protected BIOS and a specially written OS--initially Windows Longhorn--that knows how to interact with NGSCB and provide low-level system services such as file access. The NGSCB software system is an optional OS component that boots after the OS boots and lets the user run legacy applications (e.g., today's version of Microsoft Office) and specially written applications in a protected memory space that's separate from the unprotected parts of the system. At the heart of the software side is the NGSCB nexus, which handles interactions between the protected and nonprotected worlds. The nexus works with software agents called Nexus Computing Agents (NCAs) to provide a variety of cryptographic services to the software environment. Logically, the NGSCB nexus is the kernel mode portion of the Palladium software environment, and the NCAs pass and process information between it and (user-mode) applications. Palladium will also require protected versions of virtually every software component in Windows, including the graphics subsystem and device drivers.

New Capabilities
To make the technology more approachable, Microsoft usually describes these NGSCB components by their capabilities, not by discrete part. NGSCB PCs, the company says, will provide the following capabilities:
- Attestation. This capability basically means notarization. Documents, data, and applications running in the NGSCB software environment can be tested and proven to be "good" or "bad." Attestation is similar to the question you get about your bags at the airport: "Has this Microsoft Word document ever been outside your control, or outside the control of an NGSCB-powered environment?" If so, it can't be trusted. In NGSCB, attestation applies to virtually anything you can think of: PC, hardware devices attached to the system, software environment, applications, documents, or users.
- Sealed storage. NGSCB seals off its software environment, physically and logically, from the rest of the system, ensuring that data and information stored within are safe. Users can encrypt data to ensure that nothing or no one outside of the safe NGSCB environment can access the data.
- Process isolation. Applications and services running inside the NGSCB environment are also physically and logically isolated from the rest of the system to ensure that they're protected and isolated from unsafe code.
- Secure input and output. NGSCB-enabled keyboards encrypt keystrokes before sending them inside the NGSCB environment, ensuring that intruders can't imitate keystrokes, or other users can't sit down at the system and access your private data. Microsoft also says that information displayed to the user is "presented so that no one else can intercept and read it." Microsoft hasn't publicly demonstrated this last feature but showed it a few weeks ago at Windows Hardware Engineering Conference (WinHEC) 2003.

Combined, these capabilities will attempt to engender the trust concept I wrote about last week. The way the technology works in day-to-day life is predictable: When you create a Word document in an NGSCB environment and attempt to email it to a non-Palladium-enabled coworker, you'll receive a warning that such a transmission could compromise the data. However, with data exchanged within an NGSCB environment, you can encrypt it and set certain limits on its use. For example, you can specify that an NGSCB-enabled coworker can't print, copy, paste, or forward an email message you send, and NGSCB will enforce the restriction.

So what won't NGSCB do? It won't provide a simple one-step, plug-in security solution, because overall NGSCB adoption will limit its capabilities initially. It won't automatically stop spam, worms, or viruses because most of those compromises find their way into PCs when users specifically let them in. However, NGSCB will provide a more secure, reliable, and privacy-friendly computing environment than today's PCs and present a platform for building better tools for eliminating today's vulnerabilities. Those who use NGSCB to its fullest will be more secure by default, although as with any system, user error will continue to be a problem.

NGSCB technology comprises a lot more functionality, but I'm running out of space. For more technical information, please refer to the Microsoft Next-Generation Secure Computing Base - Technical FAQ. And keep those questions coming. I suspect NGSCB is a topic we'll be revisiting in the days ahead.


==== Sponsor: Windows & .NET Magazine ====

Microsoft Mobility Tour
If you were too busy to catch our Microsoft Mobility Tour event in person, now you can view the Webcast archives for free! You'll learn more about the available solutions for PC and mobile devices and discover where the mobility marketplace is headed.


==== 2. Hot Off the Press ====
by Paul Thurrott, [email protected]

Microsoft Regains TPC-C Benchmark Crown
The race for supremacy in the Transaction Processing Performance Council's (TPC's) TPC-C benchmark continued as Microsoft and Hewlett-Packard (HP) posted new results last week in the nonclustered TPC-C category. The race has heated up in recent weeks. At the Windows Server 2003 launch last month, Microsoft and HP used Windows 2003 and Microsoft SQL Server 2000 (64-bit) to gain the top position with a score of 658,277 transactions per minute (tpm) at a cost of $9.80 per transaction. IBM used DB2 UDB 8.1 and AIX 5L v5.2 to claim the top spot 2 weeks later when it posted a score of 680,613 tpm at $11.13 a transaction.

==== 3. Keeping Up with Win2K and NT ====
by Paula Sharick, [email protected]

New IE Security Rollup
In keeping with the bimonthly schedule of updates, Microsoft released a security rollup for Internet Explorer (IE) 5.0 through IE 6.0 Service Pack 1 (SP1) on April 23. As is standard with rollups, this release supersedes and replaces the February IE update. The April 23 version eliminates four new script-based vulnerabilities that let an attacker either load and run code on your system, or alternatively, copy files from the local system to a destination of the attacker's choice. Because the latest crop of flaws are exploited only through HTML code that runs on a Web server, you'd have to visit a malicious Web site to become a victim of the vulnerabilities. Unlike previous IE vulnerabilities, a malicious user can't use email to exploit these flaws, other than by presenting you with links to a Web site that contains code to leverage the script-based flaws. For more information about the nature of the vulnerabilities, see Microsoft Security Bulletin MS03-017 (Flaw in Windows Media Player Skins Downloading could allow Code Execution). People updating Windows XP systems will be happy to hear that Microsoft corrected the bug that caused previous rollups to fail if installed in noninteractive mode. You can successfully install this rollup on XP systems in unattended mode by using the Windows Task Scheduler, Microsoft Systems Management Server (SMS), or IBM's Tivoli software. For more information about this security rollup and instructions for downloading it, visit the following URL:

==== 4. Announcements ====
(from Windows & .NET Magazine and its partners)

* Guide to Securing Your Web Site for Business
Download VeriSign's new whitepaper, "Guide to Securing Your Web Site For Business," and discover the practical business benefits of securing your Web site. You'll also learn more about the innovative processes and technologies VeriSign uses to address Internet security issues. Download your free copy now!

* Free Webcast-SSL VPNs: Deliver Secure Remote Access from Any Browser
Join Michael Suby, Sr., Research Analyst at Stratecast Partners, for a free Webcast on the security and business issues surrounding SSL VPN technology, June 3rd at 12 pm EST. This event, sponsored by Whale Communications, will also provide IT Directors & Networking Admins at medium-to-large enterprises with a firsthand success story and opportunity for Q&A.

* New--Test-Drive Our Performance Portal!
The Windows & .NET Magazine Performance Portal site is an online service that lets IT professionals test client/server scalability and application performance of client/server database, workflow, streaming media, and office productivity applications. Check out this innovative service at

==== HOT RELEASE ====

QUEST SOFTWARE FREE WHITE PAPER: Bulletproof Your Windows Network. Don't waste a year testing GPOs and learning from your mistakes - put Group Policy best practices to work for you today! Download "Bulletproof Your Windows Network with Group Policy," by Windows/AD expert Darren Mar-Elia. CLICK HERE NOW:

==== 5. Instant Poll ====

Results of Previous Poll: NGSCB
The voting has closed in Windows & .NET Magazine's nonscientific Instant Poll for the question, "Do you think NGSCB (formerly known as Palladium) will present a positive security solution or an invasion of privacy?" Here are the results from the 139 votes:
- 20% A security solution
- 37% An invasion of privacy
- 23% Both
- 19% I don't know yet

(Deviations from 100 percent are due to rounding error.)

New Instant Poll: Network Security
The next Instant Poll question is, "Do you think that your organization's network is more secure or less secure than it was a year ago?" Go to the Windows & .NET Magazine home page and submit your vote for a) More secure, b) Less secure, or c) Not sure.

==== 6. Resources ====

Featured Thread: Not Allowed to Restart
User kilobyte wants to know why some of the Windows XP installations in his network can't be restarted unless the user has administrator status. If you can help, join the discussion at the following URL:

Tip: How Can I Increase the Memory Available During a Windows 2000 Command Session?
by John Savill

When you start a new command session, you can use the /e switch to configure the amount of memory available during that session. For example, the command

cmd /e:32768

sets aside 32MB of memory. Valid values range from 2048 to 32768 (in multiples of 2048). To apply this change to all command sessions, perform the following steps:
1. Start the Control Panel System applet.
2. Select the Advanced tab.
3. Click Environment Variables.
4. Under the "System variables" section, select ComSpec, then click Edit.
5. In the Variable Value field, add


to the end of the value, where nnnnn is the amount of memory to set aside. Click OK.
6. Click OK to return to the main dialog box.

==== 7. Events ====
(brought to you by Windows & .NET Magazine)

* Windows & .NET Magazine Web Seminar
How can you reclaim 30% to 50% of Windows server space? Attend the newest Web seminar from Windows & .NET Magazine, and discover the secrets from the experts.

==== 8. New and Improved ====
by Carolyn Mader, [email protected]

* Clean the Hard Disk
Abexo released Defragmenter Pro Plus, a disk defragmentation utility that can clean the hard disk, remove the pagefile, disable running applications, run the Windows or DOS scandisk, run the Windows or DOS defrag disk, set the pagefile, enable running applications, and shut down and restart Windows. Pricing is $35. Contact Abexo at [email protected]

* Create Macros
MJT Net released Macro Scheduler 7.2, software that lets you create macros to control Windows applications, automate software processes, and assign tasks to scheduled events, desktop shortcuts, or hot keys. The software features more than 200 script commands and standard programming constructs, which let you send keystrokes and mouse events to other applications, wait for windows to open and close, make a certain window active, perform Internet tasks, run programs and commands, and execute files. Contact MJT Net at 425-930-1822.

* Submit Top Product Ideas
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Do you know of a terrific product that others should know about? Tell us! We want to write about the product in a future Windows & .NET Magazine What's Hot column. Send your product suggestions to [email protected]

==== 9. Contact Us ====

About the newsletter -- [email protected]
About technical questions --
About product news -- [email protected]
About your subscription -- [email protected]
About sponsoring -- [email protected]

This email newsletter is brought to you by Windows & .NET Magazine, the leading publication for IT professionals deploying Windows and related technologies. Subscribe today.

Copyright 2003, Penton Media, Inc.
