Mark Minasi's Windows Networking Tech Page
Issue #35 July 2003
To subscribe, visit http://www.minasi.com/nwsreg.htm.
To unsubscribe, link to http://www.minasi.com/unsubs.htm.
To change e-mail address, switch between HTML or text format, etc., link to http://www.minasi.com/edit-newsletter-record.htm.
Visit the Archives at http://www.minasi.com/archive.htm.
Please do NOT reply to this mail; for comments, please link to www.minasi.com/gethelp. Document
copyright 2003 Mark Minasi.
What's Inside
- News:
- Seminars: XP and the NEW Server 2003/2000 Classes: LA, DC, NY
- Webcast September 12: Time To Leave NT 4 Behind?
- Tech Section
- Get the MS03-026 Patch. NOW.
- Service Pack Slipstreams Are Easier Now
- Making 2000 Closer To 2003's Security: A Few Thoughts
- Conferences
- Bring a Seminar to Your Site
News
Hello all —
I've been working on an in-depth article on SMB signing -- that's been the
delay on this newsletter -- but something more important came up and I've
decided that it can't wait. I'm talking about MS03-026, Knowledge Base
article 823980. It's about a bug that'll let anyone do anything with an NT
4, 2000, XP or 2003 system unless you patch that system. Please
read about this and please patch your systems now. Even if
you do have a firewall!
But before the news, a couple of short announcements...
Seminars: XP and the NEW Active Directory Classes: DC, NY, Charlotte,
Philly, Chicago
Just a few more weeks until our Washington, DC seminars: "XP
Support" and "Running a 2003/2000-Based Active Directory," held
at the Marriott near Dulles.
There's no faster way to become expert in desktop or network support. And
don't forget we're coming to NY in November
(near LaGuardia), Charlotte in January and Philly in February. Find out
about the XP seminar at http://www.minasi.com/xpsupport.htm,
the Active Directory/Group Policy seminar at http://www.minasi.com/2003outln.htm,
and the schedule of seminars at http://www.minasi.com/pubsems.htm.
Webcast September 16: Time To Leave NT "4 Good?"
The SearchWin2K.com folks have asked me to do another Webcast -- this one
with an unusual topic. The webcast jumps off from some of the pieces that
I've done about Microsoft's pressuring people to discard NT 4 and migrate to
2000 or 2003. In the webcast, I'll examine whether or not it's time
to get rid of those NT 4 systems -- or whether NT 4's a perfectly good OS that
you'd be crazy to discard. Find out more and sign up by visiting
http://webevents.broadcast.com/techtarget/Win2kWinMan/091603/index.asp?loc=11
Note that you've got to register beforehand, and that if you use a pop-up killer
you'll need to disable it.
Tech Section
Get the MS03-026 Patch. NOW. Or Nimda and Slammer are Gonna Look
Like a Picnic!
If you don't read anything else this month, read this. I'm not kidding!
On July 16, Microsoft announced that a group called the Last Stage of
Delirium (LSD) had found a humdinger of a bug. If someone writes a hostile
program that exploits this bug -- some worm, trojan or the like -- then that
program could cause your computer to do pretty much whatever its author wanted it
to. And you should expect that hostile program any day now -- a Chinese
hacker group -- oops, I meant "a non-profit research organization"
called Xfocus (www.xfocus.org) has already written and published a "proof
of concept" program that exploits MS03-026's bug. Unfortunately
Xfocus's work has greatly sped things along for dirtbags everywhere.
Worse yet, the bug applies to NT 4, Windows 2000, XP, and even Windows Server
2003.
The bug works through port 135. Ah, you might be thinking, no problem
... we have a firewall and we've blocked port 135, so no worries. Not so
-- remember Nimda? Nimda worked by exploiting several Microsoft security
bugs. Your firewall protects you from an MS03-026 exploit so long as
the hostile program is outside of your firewall. All a bad guy has to
do is to build a virus that uses MS03-026 and wrap it into a Trojan horse
program of some kind, like a "click this attachment to download great
savings!" e-mail virus. All you need is one person inside the
firewall to open it, and the cat's out of the bag.
So please, do yourself a favor and get the patches for this on all of your NT
4, 2000, XP and 2003 systems. Now.
You can find technical info and download links for patches for NT 4 through
Server 2003 at
http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-026.asp
Again, I cannot stress how important it is that you get this patch on your
systems, and quickly. When the exploit gets written for this, it will be a
doozie. Imagine all of those 2000 Pro and XP systems sitting in people's
homes directly attached to the Internet with no firewall software and port 135
sitting open and exposed to the Internet. Now imagine all of them running
some kind of worm that batters away at every other computer on the Internet
trying to infect those computers. Remember how slow the Internet became
due to Slammer? Well, that only affected computers running SQL
Server. Imagine how much worse it'll be if someone writes a Slammer-like
worm that "only" affects computers running the Server service -- given
that virtually every Windows system runs the Server service, even
workstations. My guess is that if someone writes an exploit quickly,
before we're all patched, then the Internet will be a shambles for a week or
two. So please, do yourself and do all of us a favor -- after you've
gotten your systems patched, go tell your not-so-techie neighbor with the new
Dell that came with XP Home about this. (Better yet, burn the patch on a
CD and hand it to him.) Thanks very much, and please forward this to any
and all of your techie friends.
Service Pack Slipstreams Are Easier Now
Forum member Aed pointed out a nice new feature of Windows 2000 SP4.
You can slipstream it onto an I386 so that you can then burn that I386 to a CD
and do an install of both the OS and the latest service pack all in one shot,
using the -s option. But that's not new, as we've been able to do that for
a while now. What's new is that you can directly slipstream from the
roughly 130 MB SP4 file itself, rather than having to first extract it.
With older SPs, you'd slipstream an SP onto an I386 on C: with this command:
update -s:c:\
Note that you didn't have to refer to I386 because the program was hard-wired
to only look for a directory named \I386; if you put your I386 files in, say,
C:\2ksource, then update -s wouldn't work. That's unfortunately still
true, and the directory must be called I386 or one of a few other "magic
names." But you no longer have to first extract the service pack from
its all-in-one W2KSP4_EN.EXE package, allowing you to type
w2ksp4_en -s:c:\
to slipstream SP4 onto an I386.
Making 2000 Closer To 2003's Security: A Few Thoughts
I ran across an interesting document on Microsoft's Web site that detailed
how 2003's system defaults varied from 2000's. I soon saw that a few of
them could be easily adapted to 2000 to make a 2000 system more
secure.
Control Who Can Schedule Tasks
2003 restricts who can set up programs to run at some scheduled time.
When you create a scheduled task with the at.exe command, it shows up in a
folder called windows\tasks. If you'd like, you can see this in action.
Just type
at 18:00 /interactive cmd.exe
And the next time 6 PM rolls around, a command prompt window will
appear on your screen. (But any commands you type in that window run not
as you, but as LocalSystem!) Look in \windows\tasks and you'll see an
object with a name like "At1" or the like.
Windows restricts who can create new tasks by controlling who's got write
permissions to that folder. But interestingly enough, right-clicking the
folder and choosing properties will not let you examine or change the
permissions on the Tasks folder. You can, however, change the
permissions on Tasks with CACLS. So, for example, you could keep a user
named Jack from scheduling tasks like so:
cacls c:\windows\tasks /D Jack /E
This seems to work on 2000 as well.
Tighten Some Security Settings
Windows 2003 tightens up a few settings in Computer Configuration / Windows Settings / Local Policies / Security Options:
Additional restrictions for anonymous connections: set to "Do not
allow enumeration of SAM accounts and shares."
"Secure channel: Require strong (Windows 2000 or later) session
key" set to "Enabled."
They've worked well on my 2000 systems; give 'em a try.
Eliminate Services
By default, 2003 shuts down Alerter, Clipbook, Distributed Link Tracking
Server, Indexing Service, License Logging, Messenger, NetMeeting Remote Desktop
Sharing, Network DDE, Network DDE DSDM, Remote Access Auto Connection Manager,
System Event Notification, Task Scheduler, Telnet, Terminal Services Session
Directory, Themes, Upload Manager, WebClient, and Windows Audio. If
they're good enough for 2003, why not 2000?
There's more as well -- I'll get to them in the next newsletter. Of
course, please test before rolling out these changes to your
enterprise. Sometimes security breaks things!
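A read-only audit of the three checks in this section (the listed services, the two Security Options, and the Tasks folder ACL), as an added example that is not from the newsletter. RestrictAnonymous and RequireStrongKey are the registry values behind the two policy settings; the script assumes a reg.exe that accepts /v and matches services by the display names used above.

```bat
@echo off
rem Added example, not from the newsletter: read-only audit of one host against
rem the Server 2003 defaults described above. It changes nothing on the system.
rem Assumption: reg.exe accepts /v (built in on XP/2003, Support Tools on 2000).
setlocal
set RUNNING=%TEMP%\netstart.txt
net start > "%RUNNING%"

echo == Services from the list above that are running ==
for %%S in ("Alerter" "ClipBook" "Distributed Link Tracking Server") do call :svc %%S
for %%S in ("Indexing Service" "License Logging" "Messenger") do call :svc %%S
for %%S in ("NetMeeting Remote Desktop Sharing" "Network DDE") do call :svc %%S
for %%S in ("Network DDE DSDM" "Remote Access Auto Connection Manager") do call :svc %%S
for %%S in ("System Event Notification" "Task Scheduler" "Telnet") do call :svc %%S
for %%S in ("Terminal Services Session Directory" "Themes") do call :svc %%S
for %%S in ("Upload Manager" "WebClient" "Windows Audio") do call :svc %%S
del "%RUNNING%"

echo == Security Options (1 = the setting recommended above) ==
call :val "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" RestrictAnonymous
call :val "HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" RequireStrongKey

echo == ACL on the Tasks folder (write access = can schedule tasks) ==
cacls "%SystemRoot%\Tasks"
goto :eof

:svc
rem net start prints one indented display name per line; also accept "<name> Service".
findstr /i /r /c:"^ *%~1 *$" /c:"^ *%~1 Service *$" "%RUNNING%" >nul
if not errorlevel 1 echo   RUNNING: %~1
goto :eof

:val
rem findstr's exit code decides: 0 only when the value's data is exactly 0x1.
reg query %1 /v %2 2>nul | findstr /r /c:"0x1 *$" >nul
if errorlevel 1 (echo   REVIEW: %2 is missing or not 1) else (echo   OK: %2 = 1)
goto :eof
```

A RestrictAnonymous value of 2 is stricter than the setting above and also shows as REVIEW, so read that line rather than treating it as a failure.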
Conferences
I hope you'll join me for a seminar but if you can't attend a class then
please consider attending another show:
TechMentor San Diego, September 2-6
101 Communications' semi-annual geekfest comes to San Diego in fall's waning
days. Join me when I keynote this great show featuring Windows Giant Brain
Bill Boswell, Security Expert Nonpareil Roberta Bragg, Group Policy Expert Dude
Jeremy Moskowitz and others. It happens right around back-to-school time,
so come on back to school with some of the industry's leading lights. http://www.techmentorevents.com
for more info.
SearchWin2000 Webcast on NT 4 -- Should It Stay Or Should It Go?
Free webcast September 16, don't miss it!
http://webevents.broadcast.com/techtarget/Win2kWinMan/091603/index.asp?loc=11
Windows Magazine Live! November 2-6, Orlando
The magazine that I write for, Windows and .NET Magazine, holds its next Windows
Magazine Live! conference in Orlando this November. It's a jam-packed set
of great talks by some great speakers including some of the Microsoft tech world's foremost
megacephaloids like Mark Russinovich, Intel's Sean Deuby, IIS Answer Man Brett
Hill, Uberscripter Bob Wells and more — great speakers all and really smart
guys. I'm also doing three talks, more details on that as the show gets
closer. Watch www.winconnections.com
for more info on this show, coming to The Land Of The Mouse.
Bring Mark to your site to teach
I'm keeping busy doing Windows Server 2003/2000 Active Directory and XP seminars and writing, but I've still got time to visit your firm. In just two
days, I'll make your current NT techies ... 2000, XP, Active Directory and 2003
experts. (And better yet they won't have to sit through any Redmondian
propaganda.) To join
the large educational, pharmaceutical, agricultural, aerospace, utility, banking, government,
telecommunication, law enforcement, publishing, transportation, and other organizations that I've assisted, either take a peek
at the course outlines at www.minasi.com/presentations.htm,
mail our assistant Jean Snead at Assistant@Minasi.com,
or call her at (757) 426-1431 (only between 9-5 Eastern time, weekdays, please).
Until Next Month...
Have a quiet and safe month. I hope to be back soon with the SMB
signing article.
Please share this newsletter; I'd like
very much to expand this periodical into a useful source of NT/2000/2003/XP information. Please forward it to any associates who might find
it helpful, and accept my thanks. We are now at over 25,000 subscribers and I hope to use this to get information to every single Mastering
2003, XP, NT and 2000 Server reader. Thanks for letting me visit with you, and take
care. Many, many thanks to the readers who have
mailed me to offer suggestions, errata, and those kind reviews. As always,
I'm at http://www.minasi.com/gethelp and
please join us at the Forum with technical questions at www.minasi.com/forum.
All contents copyright 2003 Mark Minasi. You are encouraged to quote this
material, SO LONG as you include this entire document; thanks.