IE 5.01 Security Hotfix; Various Win2K Solutions

IE 5.01 Security Hotfix
Internet Explorer (IE) versions 4.0 through 5.01 manage cached logon credentials in a nonsecure fashion. Specifically, when you connect to a secure Web site that requires authentication and then view a nonsecure page at that site, IE automatically sends your secure logon username and password to the nonsecure page. This behaviour presents an opportunity for a malicious user to potentially capture and reuse the cached logon credentials that IE sends.

To close this loophole, upgrade your browser to IE 5.5 or download and install the security hotfix q273868.exe from the Microsoft Web site. Microsoft article Q273868 indicates that you can install this hotfix only on a system running IE 5.01 Service Pack 1 (SP1). If you attempt to install it on older versions of IE or on the most current version, IE 5.5, the hotfix terminates and displays the error message, "This update does not need to be installed on this system."

To determine which version of IE you're running, click Help, About Internet Explorer from the browser's menu bar. You can also view the version number in the registry path HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer. If the version number you see in either location is lower than 5.00.3103, upgrade the browser to IE 5.01 SP1 or higher and install the hotfix—or upgrade to IE 5.5, which doesn't require the hotfix.

Win2K Computer Name Confusion
Are you planning to upgrade Windows NT systems with all-numeric computer names to Windows 2000? If so, read on for an explanation of a potential computer-name confusion issue. Although NT permits all-numeric computer names (i.e., digits only), Win2K does not. However, for compatibility reasons, Win2K maintains the all-numeric computer name when you upgrade a machine from NT to Win2K. If you ping the upgraded system by its numeric name (e.g., 911), the ping fails and you see the standard "Request timed out" error message. To get a response from the numerically named system, you must add the domain name to the numeric name (e.g., when you ping the machine. In fact, to avoid the problem altogether, always append the Fully Qualified Domain Name (FQDN) to the numeric system name. This workaround works for all utilities that can't distinguish a string of digits from an IP address.

Win2K permits all-numeric names only to maintain compatibility when upgrading NT systems. If you later rename the upgraded system, you must conform to Win2K computer-naming rules, which require at least one alphabetic character. This limitation might require you to revisit and revise your enterprise naming standards, a task that's easiest to accomplish at the beginning of a migration!

Win2K DCPromo Details
Here’s a handy reference for running the DCPromo utility to promote and demote Win2K systems to and from domain controller (DC) status. Microsoft article Q238369 describes the steps you must take to

  • install the first DC in a new forest
  • install the first DC in an existing forest
  • install the first DC in a new child domain
  • install an additional DC in an existing domain

The Microsoft article describes how to remove Active Directory (AD) from a Win2K system that you demote to a server-only role and what steps to take if you terminate the Dcpromo demote procedure before it finishes—a situation that results in a system with AD settings that you should remove. Microsoft article Q216498 describes how to use the Ntdsutil utility to clean up the last of the AD settings. (Microsoft ships the Ntdsutil utility in the Win2K CD-ROM's Support directory and with the Windows 2000 Resource Kit.)

Automating Win2K Account Creation
If you're considering ways to add a group of Win2K accounts to your Win2K domain, you probably know that the manual method leaves a great deal to be desired. Instead of endlessly clicking through the same dialog boxes, try either of the following methods to automate the process.

If you have the Windows 2000 Resource Kit, install the Netdom utility. With Administrator rights, you can run Netdom in a console window or in a batch file. You enter one line for each new account you want to create, then add the domain name, the username, the password, and the computer account. You can find a reasonably good explanation of Netdom syntax in Microsoft article Q150493.

Alternatively, you can automate the account creation process with Active Directory Service Interfaces (ADSI) and Windows Script Host (WSH). If you expect to run Win2K as your production environment for a couple of years, develop your VBScript skills now and reap the rewards over and over. I don't have room for VBScript lessons here, so check out Microsoft’s Web site for more information. Microsoft article Q222525 documents these account creation options.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.