Mark Minasi's Windows Networking Tech Page
Issue #39 February 2004
To subscribe, visit http://www.minasi.com/nwsreg.htm.
To unsubscribe, link to http://www.minasi.com/unsubs.htm.
To change e-mail address, switch between HTML or text format, etc., link to http://www.minasi.com/edit-newsletter-record.htm.
Visit the Archives at http://www.minasi.com/archive.htm.
Please do NOT reply to this mail; for comments, please link to www.minasi.com/gethelp. Document
copyright 2004 Mark Minasi.
What's Inside
- News:
- NEW SEMINAR: One-day security seminar comes to LA June 16, then DC
and NY
- The LAST XP class comes to Chicago March 22/23
- Active Directory class comes to March, LA, DC, NY
- Microsoft Security Roadshow Version 2: All New Stuff!
- Tech Section
- Get MS04-007 and MS04-004. Now!
- Supercharge Your Laptop With FireWire 800
- Conferences
- Bring a Seminar to Your Site
News
Hello all —
This month, a short newsletter to give you a heads-up on another scary
security hole and strong advice to patch it. Also, speaking of security,
I'm announcing my new seminar on that very topic, a one-day class on how to
secure your systems easily and at minimum cost. I'm also announcing the
retirement of the XP class, but there's one more chance to see it in March...
NEW Seminar: Securing Your Windows Desktops and Servers
Doing a short talk on security at the Microsoft Security Roadshow has been a
lot of fun, but I wish I had a whole day to help attendees see how to ward off
security problems. So I'm initiating a new seminar called "Securing
Your Windows Desktops and Servers." It's built from the two talks
from the first two road shows and adds more. I find that a lot of people
have a general idea about what they should be doing to secure their networks --
they've heard terms like SMB signing, null session, secure channel, LM hash, and
so on -- but haven't the time to sift through the often-contradictory knowledge
base articles and the welter of group policy settings, Registry hacks, patches
and the like. In this course, we spend a long day -- 9 to 6 PM -- going
through what the big security issues mean and understanding the exact step by
step methods that you need to know to make your system more secure.
The first session happens at our LA week, on June 16. If you'd like to
find out more, please visit www.minasi.com/secoutln.htm.
One More XP Class, And Then It's Over: March 22/23 Chicago
After running for a year and a half, it seems that the XP course has about
run its course. It'll still be available as an on-site presentation
but I'm taking it off the public seminar schedule after one last class in
Chicago. If you've been meaning to get to this course, which includes tons
of geeky help for XP support folks, then please visit www.minasi.com/xpsupport.htm
and sign up. Come on down to Chicago for the XP class's swan song.
Or watch this newsletter, as I'll be offering an audio CD version of the XP
class very soon.
"Running a 2003/2000-Based Active Directory" Runs in Chicago, LA,
DC, NY
It seems that AD's finally gotten some momentum and people are past the
planning stages and into the rollout stage. But AD can be a fragile flower
if not built and maintained properly. Find out how to build, implement,
maintain, and repair Active Directory at "Running a 2003/2000-Based Active
Directory;" information at www.minasi.com/2003outln.htm.
The New Microsoft Security Roadshow Is Going Great
Thousands of you attended the first series of Security Roadshows created by
Windows and .NET Magazine and sponsored by Microsoft, NetIQ and others.
And so many of you asked for more details that Microsoft asked us to do a second
series.
This second set of 20 shows has already visited seven cities, thirteen to
go! We're coming to Cedar Rapids and Minneapolis this week. Then
we're off to Cleveland, Chicago, New York (midtown), DC (Crystal City), Philadelphia, Phoenix, Anaheim,
Mountain View, Woodbridge NJ, Albany NY, and
Nashua. There's a sign-up page with more details at
http://www.winnetmag.com/Roadshows/ComputerSecurity2004/
In the first series of road shows, I did a talk with a dozen or so tips that you can quickly use to
shore up your network's security. This time I offer a new set of
useful things that you can quickly do to strengthen your network from attackers
both inside and out. I find that most of us have heard of the kinds
of things that we're supposed to do to secure our nets -- concepts like LM
hashes, LM and NTLM authentication, SMB signing, IPSec, Internet Connection
Firewall, SYN flood protection, null sessions, proper password policies, EFS and
others --
but lack the time to research these things. What do they protect us
from? How large a threat do we face if we ignore these tools? What breaks
if we enable these protections? In this talk, I cover those concepts and
more. In every case, you'll first learn why you care about these things,
then you'll get a tested set of step-by-steps to implement them and some
cautions about their potential down-sides.
But that's just the start. This show is a day long and includes
speakers on hardening client and server systems, intrusion detection and patch
management. The cost is the same as the previous one -- there isn't any --
and I think you'll find it a worthwhile use of your time. I hope to see
you there!
Tech Section
Get MS04-007 and MS04-004. Now!
Regular readers may recall that back in July 2003 I urged readers to get a
patch that Microsoft released in mid-July for a pretty scary worm; those without
that patch were stricken by the MSBlaster worm and variants. Unfortunately
there are a couple more patches that Redmond just recently released that you
really should consider.
The scarier one is MS04-007, discussed in KB article 828028. Windows
incorporates a language called Abstract Syntax Notation or ASN.1 and apparently
giant brains in the industry use ASN.1 to describe a lot of things.
Unfortunately, a bunch of those things are in Windows 9x, NT, 2000, XP and 2003
and worst of all, there's a bug in Microsoft's implementation of ASN.1 --
another buffer overflow.
How big's the bug? According to Microsoft, someone could potentially
take control of your system. As ASN.1's apparently used by a lot of
different server programs, it appears that you can't just block one port and
thereby protect yourself. Someone could, then, theoretically write a worm
like MSBlaster.
But the threat isn't just theoretical, unfortunately. Some jerk has
already released some sample code on the Internet that would use this buffer
overflow weakness to create a remote "system killer." The idea
is that someone points this program at a Windows system and the Windows system
crashes. Remember the "ping of death?" Same idea. It
runs on port 139. If you feel like reading what the exploit's author
wrote, visit http://lists.netsys.com/pipermail/full-disclosure/2004-February/017343.html.
All I can say is, "thanks, dirtbags!"
So where do you get the patch for this? Windows Update's got it, or
visit http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS04-007.asp,
where you'll find patches for NT 4, 2000, XP and 2003. And please be
sure to read the fine print -- the "caveats" -- before installing on
NT 4.0. I guess Microsoft hasn't yet learned that patches have to be easy
to install or they don't get installed.
Still got Windows 9x/ME? MR&D forum member and newly-minted MVP
Susan Bradley gave us all a heads-up that strangely enough Microsoft has a patch
for Windows 98 and ME, but they don't list it on their security bulletin.
Susan tells us that you can get it, but you've got to ask for it. See the
thread at http://x220.minasi.com/forum/topic.asp?TOPIC_ID=8137&SearchTerms=MS04-007
for more info. (Thanks, Susan.)
The other one that you should look seriously into is MS04-004. It
patches some scary Internet Explorer bugs ... but it may break some
existing IE-based apps, so you've got to give it a long look.
IE apparently has three bugs that Microsoft considers critical. First,
it's possible to create a hyperlink that, if clicked, would lead you to think
that you're at one web site while you're actually at another. Someone
could, then, create a hyperlink that looked like Hotmail and that prompted you
for your name and password. The address bar in IE would still say
www.hotmail.com but you'd actually be somewhere else, feeding a name and
password to a dirtbag site. Second, another bug would make it possible
under some circumstances to create a dirtbag Web site with hyperlinks which, if
clicked, would cause IE to download some file and put it someplace on your
computer without prompting you. A third bug would let a dirtbag Web
site run scripts on your system with complete local power, run programs already
installed on your system, or peek into information that your system has obtained
from other Web sites, like cookies. (Normally a Web page can only access
cookies that it created.)
The fixes for these are at http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS04-004.asp
or Windows Update or from Knowledge Base article 832894.
But should you apply this patch? Yes -- if you can. As a
side effect, it breaks any URLs that include a "username:name@password"
construct which I'm told a lot of Web-based apps include. So if you've got
a Web-based app that needs this, then consider reading and implementing the
"workarounds" section on the MS04-004 page. I've been using
these patches for a few weeks now without any trouble. I suspect the
workarounds will do the job for those who need them but you just know
that Web sites exploiting this hole will start popping up.
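An added example, not part of the original newsletter: before rolling out MS04-004, a short Python script like this one can inventory the links in your own Web apps that carry a user name before an @ in the host part, and separate ordinary embedded credentials from links whose "user name" is really a look-alike site name. The sample markup, the host names and the function name find_userinfo_urls are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample markup for illustration; not taken from any real site.
SAMPLE_HTML = """
<a href="http://reports:s3cret@intranet.example.com/daily">Daily report</a>
<a href="https://www.example.com/help">Help</a>
<a href="http://www.hotmail.com@198.51.100.7/login">Sign in</a>
<img src="ftp://anon:guest@files.example.com/logo.gif">
<a href="mailto:user@example.com">Mail us</a>
"""

# Pull URL values out of href/src/action attributes.
URL_ATTR = re.compile(r'(?:href|src|action)\s*=\s*["\']([^"\']+)["\']', re.I)
# A user name that itself looks like a DNS name, e.g. "www.hotmail.com".
HOSTLIKE = re.compile(r'^[a-z0-9-]+(\.[a-z0-9-]+)+$', re.I)


def find_userinfo_urls(html):
    """Return (real_host, user, kind) for every http/https URL carrying userinfo.

    The password is never returned, so the report is safe to paste into a ticket.
    """
    findings = []
    for url in URL_ATTR.findall(html):
        try:
            parts = urlsplit(url.strip())
        except ValueError:
            continue  # malformed URL, nothing to classify
        # Assumption: only http/https links matter for this inventory.
        if parts.scheme.lower() not in ("http", "https"):
            continue
        if "@" not in parts.netloc:
            continue
        user = parts.username or ""
        host = parts.hostname or ""
        if HOSTLIKE.match(user) and user.lower() != host:
            kind = "lookalike-host"        # text before @ poses as a site name
        else:
            kind = "embedded-credentials"  # app link that will stop working
        findings.append((host, user, kind))
    return findings


if __name__ == "__main__":
    for host, user, kind in find_userinfo_urls(SAMPLE_HTML):
        print(f"{kind:22} real host={host:24} text before @={user}")
```

Links reported as embedded-credentials are the ones to rework or cover with the bulletin's workarounds; anything reported as lookalike-host deserves a closer look regardless of patch status.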
In contrast, I wouldn't hesitate about the MS04-007 patch. Folks, the
sample code is out there and it's just a matter of time before someone comes up
with an even worse exploit: this can be used to take control of
your system, once someone learns how to do it. And you probably know that
someone leaked tons of source code from Windows NT 4.0 and Windows 2000, which
may make the dirtbags' jobs easier.
Supercharge Your Laptop With FireWire 800
I wanted to pass along something I've been playing with and like a lot:
FireWire 800 stuff.
As I run a lot of VMware demonstrations in class, I need an external hard
disk to run the virtual machines from. Of course the faster that disk is,
the faster the demos are. So I was pretty jazzed to hear that Hitachi
released a 60 GB drive in a laptop-sized (2.5") format, running at 7200
RPM! It's called the Travelstar 7K60 and would probably make a great
replacement for most laptop drives. But I wanted an external case and the
best speed I could get, so I decided to experiment with FireWire 800. My
laptop only includes the original 400 megabit FireWire, so I went to Orange
Micro to purchase their FireWire 800 Cardbus card. (Info is at http://www.orangemicro.com/fw800cardbus.html.)
It was a very simple install -- just load the driver, slap in the card and
you're in business. Finally, I needed an enclosure for 2.5" drives
that supported FireWire 800. Wiebetech calls theirs the MicroGB800 and you can see
it at their Products Page at http://www.wiebetech.com/products.html.
The enclosure's very well built and comes with all of the FireWire cables that
you could possibly want ... and you'll want a few! I didn't know this
until I started buying the FireWire 800 (also known as 1394b) stuff, but the new
standard uses completely new cables. So the Wiebetech guys include a cable
that connects FireWire 800 to another FireWire 800 device, one to connect 800 to
an older FireWire 400 connector with the four-pin connection, and one that goes
from FireWire 800 to a six-pin FireWire 400 device.
It's been a great combination and I can't recommend it highly enough.
(And no, no one paid me to say that.)
Conferences
Join me at one of these great shows.
Microsoft Security Roadshow, Version 2
With 13 cities to go, there's probably one near you. All new stuff, no
re-runs, a longer show and more information. See the notes above
for more details.
Windows Connections April 4-7, Las Vegas
The magazine that I write for, Windows and .NET Magazine, holds its next Windows
Magazine Live! conference in Sin City this April. It's a jam-packed set
of great talks by some great speakers including some of the Microsoft tech world's foremost
megacephaloids like Mark Russinovich, IIS Answer Man Brett
Hill, Uberscripter Bob Wells, Steve Riley and Mike Danseglio (imagine, they got
all three of Microsoft's best speakers) and more — great speakers all and really smart
guys. I'm also doing three talks, more details on that as the show gets
closer. Watch www.winconnections.com
for more info on this show, coming to The Land Of Wayne Newton.
Help Desk International Annual Conference and Expo April 17-21, Orlando
HDI has always been the place to go for help desk and support folks and this
year's 15th gathering is no exception. I'm doing a half-day version of my
Securing Microsoft Networks talk, a short version of the talk and passing along
the latest on Longhorn, "How To Troubleshoot Any Network Problem" and
more. Visit http://www.thinkhdi.com/trainingEvents/annualConference/
for more info.
Enterprise Messaging Decisions (TechTarget -- Free) May 4-6, Chicago
Some of you may recall that TechTarget put together a series of pretty neat
conferences on Windows called Windows Decisions. They were free to those
who qualified and the sessions were uniformly good (well, maybe except for that
Minasi guy). Anyway, Windows Decisions is no more, but they've asked me to
speak at their Enterprise Messaging Decisions conference this May. I'll be
doing my "State of the OS" talk, where I'll talk about whatever's
topical, new, and/or important. Come join me by visiting http://enterprisemessagingdecisions.techtarget.com/
to apply.
Bring Mark to your site to teach
I'm keeping busy doing Active Directory and XP seminars and writing, but I've still got time to visit your firm. In just two
days, I'll make your current NT techies into 2000, XP, Active Directory and 2003
experts. (And better yet they won't have to sit through any Redmondian
propaganda.) To join
the large educational, pharmaceutical, agricultural, aerospace, utility, banking, government,
telecommunication, law enforcement, publishing, transportation, and other organizations that I've assisted, either take a peek
at the course outlines at www.minasi.com/presentations.htm,
mail our assistant Jean Snead at Assistant@Minasi.com,
or call her at (757) 426-1431 (only between 11-5 Eastern time, weekdays, please).
Until Next Month...
Have a quiet and safe month.
Please share this newsletter; I'd like
very much to expand this periodical into a useful source of NT/2000/2003/XP information. Please forward it to any associates who might find
it helpful, and accept my thanks. We are now at over 30,000 subscribers and I hope to use this to get information to every single Mastering
2003, XP, NT and 2000 Server reader. Thanks for letting me visit with you, and take
care. Many, many thanks to the readers who have
mailed me to offer suggestions, errata, and those kind reviews. As always,
I'm at http://www.minasi.com/gethelp and
please join us at the Forum with technical questions at www.minasi.com/forum.
All contents copyright 2004 Mark Minasi. You are encouraged to quote this
material, SO LONG as you include this entire document; thanks.