Windows & .NET Magazine UPDATE--Still Waiting for a Truly Secure System--May 25, 2004

This Issue Sponsored By

MKS Toolkit – Sanity while working in Windows

Download: Be Proactive with Real-Time Monitoring!


1. Commentary: Still Waiting for a Truly Secure System

2. Hot Off the Press
- Microsoft Plans Email Caller ID Standard

3. Keeping Up with Win2K and NT
- A First Look at the New MBSA

4. Resources
- Windows XP User Account Catch-22
- How can I obtain a certificate so that I can enable Secure Sockets Layer (SSL) on my Microsoft IIS server?

5. New and Improved
- Find Out When a Network Failure Occurs
- Tell Us About a Hot Product and Get a T-Shirt!

==== Sponsor: Download: MKS Toolkit – Sanity while working in Windows ====

MKS Toolkit products enable you to preserve your investments in UNIX/Linux software and expertise as you deploy Windows-based workstations and servers because Toolkit allows you to port scripts, source code, and working environments quickly and easily from UNIX/Linux to Windows. MKS Toolkit brings the power of UNIX/Linux to Windows. UNIX/Linux scripts, commands, applications and your skills are immensely powerful tools that when mixed with over 450 utilities and a complete application SDK make even Windows palatable. Whether you have code to create or systems to administer, the MKS Toolkit product family is essential to your Windows experience.
Call 800-637-8034; +1 (703) 803-3343.
Request a free Evaluation:


==== 1. Commentary: Still Waiting for a Truly Secure System ====
by Paul Thurrott, News Editor, [email protected]

About a year and a half ago, as I was preparing for a series of Microsoft-sponsored security talks with Mark Minasi, I suggested that my talk--which was to focus on Microsoft's security road map--might be jokingly called "Finding the Humor in Security." For the record, I was serious about the title, but the attempt at humor fell on deaf ears in Redmond and we used a more staid (i.e., boring) title.

I'm not laughing anymore. On Sunday night, while preparing for a trip Monday to New York, the notebook I had planned to bring was suddenly struck by the most malicious software (malware) I've ever encountered. This Trojan horse got through my defenses despite the fact that I was running the Release Candidate 1 (RC1) version of Windows XP Service Pack 2 (SP2) with the firewall turned on. It was infuriating, and after hours of investigating, deep cleaning with various antivirus and spyware products, and consulting with my technical guru (Storage UPDATE's Keith Furman, a lifesaver), I finally gave up. As I write this commentary, I'm heading to New York by train, using a different machine, and my infected laptop is home, awaiting a complete wipeout. I never did completely clean up the machine, and I'm still frustrated by the defeat.

This isn't the first time I've been hacked. A few years ago when Nimda hit, I discovered the chilling message, "You've been hacked by the Chinese" on one of my Web servers. Fortunately, I had previously taken the simple step of moving my Web sites out of the default location (i.e., they weren't in C:\Inetput\wwwroot), so I didn't lose any data. But the episode left me with an uncomfortable feeling of violation.

As a news reporter, I write daily stories about Microsoft and the computer industry and, as you might expect, security-related topics have dominated the headlines recently in ways that no topic--even Microsoft's epic antitrust battle with the US government--ever has. Even here in Windows & .NET Magazine UPDATE, security has been an overwhelmingly popular topic: The editorials in at least 10 of the last 24 issues have dealt, at least in some way, with security. These days, the topic is almost unavoidable.

Oddly, I've actually defended Microsoft and its security record. I've written--and I still believe--that no company is doing as much work as Microsoft is right now to secure computer systems and that, ultimately, this work will benefit us all as PCs become more and more adept at dealing with electronic intrusions. Last week, in a meeting at Microsoft, XP Lead Product Manager Greg Sullivan, showed me how XP SP2 prevents a particularly nasty form of attack, in which malicious users can use chromeless (i.e., borderless) browser windows to hide warnings and make you think that you're accepting a valid bit of Microsoft code. The ingenuity in such an attack highlights the problems Microsoft faces as it seeks to secure Windows and its other products against increasingly sophisticated attackers.

But ultimately, I'm not as concerned with Microsoft's problems as I am with how the company addresses its customers' needs. One concept I've always tried to get across, whether here in Windows & .NET Magazine UPDATE or on the road during speaking engagements, is that we need to remember where we, as Microsoft customers, fit in the equation. We pay Microsoft for specific services and capabilities, and we need to start holding the company to a higher standard. And we need to demand better security--it's just not there today, not yet.

And based on my recent experience, SP2 might not be the panacea I was hoping for. Indeed, days before my unfortunate experience with the aforementioned particularly irritating Trojan horse, Sullivan intimated during our meeting that SP2 wouldn't cure all security problems. Although the company is raising the bar in this release--dramatically, in some ways, especially for next-generation PCs whose microprocessors support the No Execute (NX) security technologies--SP2, like most technologies, will be too little, too late, for some people.

That brings me to another little bit of humor that I pull out whenever something goes wrong--maybe a demo isn't working quite right or a projector refuses to cooperate with my laptop for some reason. "Technology has never failed me," I'll deadpan. It always gets laughs, but you know what? Maybe the joke is really on me. If anything, technology has done nothing but constantly fail me. And now, purposeful technological glitches are starting to bridge the gap between simple irritation and economic ruination. I'm starting to fear that the Good Guys can't keep up.

Pick your poison: Today, we have spam, browser phishing, browsing hijacking, Trojans, worms, and viruses and probably have other malware of which I'm naively ignorant. Call me a Luddite, but I long for simpler days.


==== Sponsor: Download: Be Proactive with Real-Time Monitoring! ====

There are two ways to manage your critical systems: Reactive and Proactive. ELM Enterprise Manager supports the latter. ELM Enterprise Manager is the affordable solution that monitors the health and status of your systems in real-time, provides easy to access Views, and alerts you in time to take prompt corrective action. Be proactive, download you FREE 30 day full featured trial copy of ELM Enterprise Manager NOW and start experiencing the benefits of real-time monitoring.


==== 2. Hot Off the Press ====
by Paul Thurrott, [email protected]

Microsoft Plans Email Caller ID Standard
Last week, Microsoft announced that it will submit a proposal to the Internet Engineering Task Force (IETF) to make its Caller ID for E-Mail technology an industry standard. Caller ID for E-Mail is an IP-based authentication scheme for ensuring that an email sender's return address is legitimate. Microsoft hopes that broad adoption of this technology will end one of today's biggest problems with spam: Hostile messages often seem to come from friendly sources because making email messages appear to come from someone else is easy. To read the complete story, visit the following URL:

==== 3. Keeping Up with Win2K and NT ====
by Paula Sharick, [email protected]

A First Look at the New MBSA
Microsoft recently released a new version of Microsoft Baseline Security Analyzer (MBSA), a free security auditing and reporting tool. MBSA 1.2 has many enhancements that improve its functionality for systems and security administrators. In addition to the ability to scan 10,000 machines in one run, MBSA now audits against a Microsoft Software Update Services (SUS) server, and, when run locally, reports about macro settings in Microsoft Office products, the state of the Automatic Updates client, and the state of the Internet Connection Firewall (ICF). For an overview of the more notable new features in MBSA 1.2, visit the following URL:

==== Announcements ====
(from Windows & .NET Magazine and its partners)

Get 2 Sample Issues of Windows & .NET Magazine!
Every issue of Windows & .NET Magazine includes intelligent, impartial, and independent coverage of security, Active Directory, Exchange, scripting, and much more. Our expert authors deliver how-to articles and product evaluations that will help you do your job better. Try two, no-risk sample issues today, and find out why 100,000 IT professionals rely on Windows & .NET Magazine each month!

Get the Most Out of IIS 6.0 Performance and Tuning
In this free Web seminar, you'll learn about the Internet Information Services (IIS) performance-tuning tools, including System Monitor, Application Center Test, and Log Manager. The Webcast will show how to use these tools to gather Web server baseline performance information, optimize performance and memory utilization, and test performance of applications running on the Web server with different caching and configuration settings. Register now!

Get the Most out of Your Small Business IT Infrastructure
In this free eBook, you’ll learn how to plan your IT infrastructure to get the most out of your systems while minimizing the costs involved. You'll discover which Windows version is right for your needs, how to lower licensing and operating costs, and more. Download this eBook now!

~~~~ Hot Release: (Advertisement) InstallShield ~~~~

Ensure Your Windows Patches Always Deploy Smoothly
The new Patch Impact Manager from InstallShield provides the only solution for full patch impact analysis. Only Patch Impact Manager analyzes the future impact of patches on the runtime file dependencies of your applications, presenting overlaps for your review. Try Patch Impact Manager now!

==== Instant Poll ====

Results of Previous Poll: TechEd
The voting has closed in Windows & .NET Magazine's nonscientific Instant Poll for the question, "Have you ever attended a Microsoft TechEd conference?" Here are the results from the 198 votes:
- 13% Yes, and I'm planning to go to TechEd 2004
- 16% Yes, but I'm not planning to attend TechEd 2004
- 10% No, but I'm planning to go to TechEd 2004
- 62% No, and I have no plans to attend TechEd 2004

(Deviations from 100 percent are due to rounding error.)

New Instant Poll: Home Computer Attacks
The next Instant Poll question is, "Has your home computer ever been hacked or hit with malicious software (malware)?" Go to the Windows & .NET Magazine home page and submit your vote for a) Yes, once or twice, b) Yes, often, c) No, never, or d) I don't know.

==== 4. Resources ====

Featured Thread: Windows XP User Account Catch-22
Forum user ppchang is running Windows XP Home Edition on his notebook computer with only one user account. He accidentally set the account to be limited. Now he can't perform any administrative tasks or set it back to an administrator account. If you can help, join the discussion at the following URL:

Tip: How can I obtain a certificate so that I can enable Secure Sockets Layer (SSL) on my Microsoft IIS server?
by John Savill,

Before you can use SSL for an IIS server, you must obtain a certificate. To request a certificate from your Certificate Authority (CA), perform the following steps: 1. Start IIS Manager--click Start, Programs, Administrative Tools, Internet Information Services (IIS) Manager. 2. Expand the Web sites, right-click the Web site for which you want to request a certificate (e.g., Default Web Site), and click Properties. 3. Click the Directory Security tab. 4. In the "Security communications" section, click Server Certificate. 5. In the Web Server Certificate Wizard, click Next. 6. Select the option "Create a new certificate" and click Next. 7. Fill in the necessary details to request a certificate.

==== Events Central ====
(A complete Web and live events directory brought to you by Windows & .NET Magazine: )

New--From Chaos to Control: Using Service Management to Reclaim Your Life
Take control of your workday! If you're supporting 24 x 7 operations by working around the clock instead of 9 to 5, learn how you can benefit from a sound service-management strategy. In this free Web seminar, you'll learn practical steps for implementing service management for your key Windows systems and applications. Register now!

==== 5. New and Improved ====
by Carolyn Mader, [email protected]

Find Out When a Network Failure Occurs
PAC Software released Network Console, a solution that monitors networks and graphically displays an alert when a failure occurs. The solution can send an alarm message through email, pagers, cell phones, and other devices. Network Console lets you draw a chart that shows the nodes in your network and how the nodes are connected. The chart shows a real-time view of the status of each node, with failing nodes displayed in yellow or red. You can view the chart from any Windows computer in the network or from a browser. Pricing for Network Console varies from $300 to $1500 depending on the size of the network you are monitoring. Contact PAC Software at 800-364-3048.

Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a Windows & .NET Magazine T-shirt if we write about the product in a future Windows & .NET Magazine What's Hot column. Send your product suggestions with information about how the product has helped you to [email protected]

==== Sponsored Links ====

Comparison Paper: The Argent Guardian Easily Beats Out MOM;6480843;8214395;q?

Microsoft(R) TechNet
Microsoft(R) TechNet Webcasts: essential guidance, industry experts;7759917;8214395;c?


==== Contact Us ====

About the newsletter -- [email protected]
About technical questions --
About product news -- [email protected]
About your subscription -- [email protected]
About sponsoring UPDATE -- [email protected]


==== Contact Our Sponsors ====

Primary Sponsor:
MKS Software -- -- 1-800-637-8034

Secondary Sponsor:
TNT Software -- -- 1-360-546-0878

Hot Release:
InstallShield --


This email newsletter is brought to you by Windows & .NET Magazine, the leading publication for IT professionals deploying Windows and related technologies. Subscribe today.

View the Windows & .NET Magazine Privacy policy at Windows & .NET Magazine a division of Penton Media, Inc. 221 East 29th Street, Loveland, CO 80538, Attention: Customer Service Department Copyright 2004, Penton Media, Inc. All Rights Reserved.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.