Mark Minasi's Windows Networking Tech Page
Issue #39 February 2004

To subscribe, visit http://www.minasi.com/nwsreg.htm. To unsubscribe, link to http://www.minasi.com/unsubs.htm. To change e-mail address, switch between HTML or text format, etc., link to http://www.minasi.com/edit-newsletter-record.htm.  Visit the Archives at http://www.minasi.com/archive.htm.  Please do NOT reply to this mail; for comments, please link to www.minasi.com/gethelp.  Document copyright 2004 Mark Minasi.

What's Inside

  • News: 
    • NEW SEMINAR:  One-day security seminar comes to LA June 16, then DC and NY
    • The LAST XP class comes to Chicago March 22/23
    • Active Directory class comes to March, LA, DC, NY 
    • Microsoft Security Roadshow Version 2:  All New Stuff!
  • Tech Section
    • Get MS04-007 and MS04-004.  Now!
    • Supercharge Your Laptop With FireWire 800
  • Conferences
  • Bring a Seminar to Your Site

News

Hello all

This month, a short newsletter to give you a heads-up on another scary security hole and strong advice to patch it.  Also, speaking of security, I'm announcing my new seminar on that very topic, a one-day class on how to secure your systems easily and at minimum cost.  I'm also announcing the retirement of the XP class, but there's one more chance to see it in March...

NEW Seminar: Securing Your Windows Desktops and Servers

Doing a short talk on security at the Microsoft Security Roadshow has been a lot of fun, but I wish I had a whole day to help attendees see how to ward off security problems.  So I'm initiating a new seminar called "Securing Your Windows Desktops and Servers."  It's built from the two talks from the first two road shows and adds more.  I find that a lot of people have a general idea about what they should be doing to secure their networks -- they've heard terms like SMB signing, null session, secure channel, LM hash, and so on -- but haven't the time to sift through the often-contradictory knowledge base articles and the welter of group policy settings, Registry hacks, patches and the like.  In this course, we spend a long day -- 9 to 6 PM -- going through what the big security issues mean and understanding the exact step by step methods that you need to know to make your system more secure.

The first session happens at our LA week, on June 16.  If you'd like to find out more, please visit www.minasi.com/secoutln.htm.  

One More XP Class, And Then It's Over:  March 22/23 Chicago

After running for a year and a half, it seems that the XP course has about run its course.  It'll still be available as an on-site presentation but I'm taking it off the public seminar schedule after one last class in Chicago.  If you've been meaning to get to this course, which includes tons of geeky help for XP support folks, then please visit www.minasi.com/xpsupport.htm and sign up.  Come on down to Chicago for the XP class's swan song.  Or watch this newsletter, as I'll be offering an audio CD version of the XP class very soon.

"Running a 2003/2000-Based Active Directory" Runs in Chicago, LA, DC, NY

It seems that AD's finally gotten some momentum and people are past the planning stages and into the rollout stage.  But AD can be a fragile flower if not built and maintained properly.  Find out how to build, implement, maintain, and repair Active Directory at "Running a 2003/2000-Based Active Directory;" information at www.minasi.com/2003outln.htm

The New Microsoft Security Roadshow Is Going Great

Thousands of you attended the first series of Security Roadshows created by Windows and .NET Magazine and sponsored by Microsoft, NetIQ and others.  And so many of you asked for more details that Microsoft requested us to do a second series.

This second set of 20 shows has already visited seven cities, thirteen to go!  We're coming to Cedar Rapids and Minneapolis this week.  Then we're off to Cleveland, Chicago, New York (midtown), DC (Crystal City), Philadelphia, Phoenix, Anaheim, Mountain View, Woodbridge NJ, Albany NY, and Nashua.  There's a sign-up page with more details at 

http://www.winnetmag.com/Roadshows/ComputerSecurity2004/

In the first series of road shows, I did a talk with a dozen or so tips that you can quickly use to shore up your network's security.   This time I offer a new set of useful things that you can quickly do to strengthen your network from attackers both inside and out.  I find that most of us have heard of the kinds of things that we're supposed to do to secure our nets -- concepts like LM hashes, LM and NTLM authentication, SMB signing, IPSec, Internet Connection Firewall, SYN flood protection, null sessions, proper password policies, EFS and others -- but lack the time to research these things.  What do they protect us from?  How large a threat to we face if we ignore these tools? What breaks if we enable these protections? In this talk, I cover those concepts and more.  In every case, you'll first learn why you care about these things, then you'll get a tested set of step-by-steps to implement them and some cautions about their potential down-sides.

But that's just the start.  This show is a day long and includes speakers on hardening client and server systems, intrusion detection and patch management.  The cost is the same as the previous one -- there isn't any -- and I think you'll find it a worthwhile use of your time.  I hope to see you there!

Tech Section

Get MS04-007 and MS04-004.  Now!

Regular readers may recall that back in July 2003 I urged readers to get a patch that Microsoft released in mid-July for a pretty scary worm; those without that patch were stricken by the MSBlaster worm and variants.  Unfortunately there are a couple more patches that Redmond just recently released that you really should consider.

The scarier one is MS04-007, discussed in KB article 828028.  Windows incorporates a language called Abstract Syntax Notation or ASN.1 and apparently giant brains in the industry use ASN.1 to describe a lot of things.  Unfortunately, a bunch of those things are in Windows 9x, NT, 2000, XP and 2003 and worst of all, there's a bug in Microsoft's implementation of ASN.1 -- another buffer overflow.  

How big's the bug?  According to Microsoft, someone could potentially take control of your system.  As ASN's apparently used by a lot of different server programs, it appears that you can't just block one port and thereby protect yourself.  Someone could, then, theoretically write a worm like MSBlaster.

But the threat isn't just theoretical, unfortunately.  Some jerk has already released some sample code on the Internet that would use this buffer overflow weakness to create a remote "system killer."  The idea is that someone points this program at a Windows system and the Windows system crashes.  Remember the "ping of death?"  Same idea.  It runs on port 139.  If you feel like reading what the exploit's author wrote, visit http://lists.netsys.com/pipermail/full-disclosure/2004-February/017343.html.  All I can say is, "thanks, dirtbags!"

So where do you get the patch for this?  Windows Update's got it, or visit http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS04-007.asp , where you'll find patches for NT 4, 2000, XP and 2003.  And please be sure to read the fine print -- the "caveats" -- before installing on NT 4.0.  I guess Microsoft hasn't yet learned that patches have to be easy to install or they don't get installed.

Still got Windows 9x/ME?  MR&D forum member and newly-minted MVP Susan Bradley gave us all a heads-up that strangely enough Microsoft has a patch for Windows 98 and ME, but they don't list it on their security bulletin.  Susan tells us that you can get it, but you've got to ask for it.  See the thread at http://x220.minasi.com/forum/topic.asp?TOPIC_ID=8137&SearchTerms=MS04-007 for more info.  (Thanks, Susan.)

The other one that you should look seriously into is MS04-004.  It patches some scary Internet Explorer bugs ... but it may break some existing IE-based apps, so you've got to give it a long look.

IE apparently has three bugs that Microsoft considers critical.  First, it's possible to create a hyperlink that, if clicked, would lead you to think that you're at one web site while you're actually at another.  Someone could, then, create a hyperlink that looked like Hotmail and that prompted you for your name and password.  The address bar in IE would still say www.hotmail.com but you'd actually be somewhere else, feeding a name and password to a dirtbag site.  Second, another bug would make it possible under some circumstances to create a dirtbag Web site with hyperlinks which, if clicked, would cause IE to download some file and put it someplace on your computer without prompting you.  A third bug would let a dirtbag Web site run scripts on your system with complete local power, run programs already installed on your system, or peek into information that your system has obtained from other Web sites, like cookies.  (Normally a Web page can only access cookies that it created.)

The fix for these are at http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS04-004.asp or Windows Update or from Knowledge Base article 832894.

But should you apply this patch?  Yes -- if you can.  As a side effect, it breaks any URLs that include a "username:name@password" construct which I'm told a lot of Web-based apps include.  So if you've got a Web-based app that needs this, then consider reading and implementing the "workarounds" section on the MS04-004 page.  I've been using these patches for a few weeks now without any trouble.  I suspect the workarounds will do the job for those who need them but you just know that Web sites exploiting this hole will start popping up.

In contrast, I wouldn't hesitate about the MS04-007 patch.  Folks, the sample code is out there and it's just a matter of time before someone comes up with an even worse exploit:  this can be used to take control of your system, once someone learns how to do it.  And you probably know that someone leaked tons of source code from Windows NT 4.0 and Windows 2000, which may make the dirtbags' jobs easier.  

Supercharge Your Laptop With Firewire 800

I wanted to pass along something I've been playing with and like a lot:  FireWire 800 stuff.

As I run a lot of VMWare demonstrations in class, I need an external hard disk to run the virtual machines from.  Of course the faster that disk is, the faster the demos are.  So I was pretty jazzed to hear that Hitachi released a 60 GB drive in a laptop-sized (2.5") format, running at 7200 RPM!  It's called the Travelstar 7K60 and would probably make a great replacement for most laptop drives.  But I wanted an external case and the best speed I could get, so I decided to experiment with FireWire 800.  My laptop only includes the original 400 megabit FireWire, so I went to Orange Micro to purchase their FireWire 800 Cardbus card.  (Info is at http://www.orangemicro.com/fw800cardbus.html.)  It was a very simple install -- just load the driver, slap in the card and you're in business.  Finally, I needed an enclosure for 2.5" drives that supported FireWire 800.  They call it the MicroGB800 and you can see it at their Products Page at http://www.wiebetech.com/products.html.  The enclosure's very well built and comes with all of the FireWire cables that you could possibly want ... and you'll want a few!  I didn't know this until I started buying the FireWire 800 (also known as 1394b) stuff, but the new standard uses completely new cables.  So the Wiebetech guys include a cable that connects FireWire 800 to another FireWire 800 device, one to connect 800 to an older FireWare 400 connector with the four-pin connection, and one that goes from FireWire 800 to a six-pin FireWire 400 device.

It's been a great combination and I can't recommend it highly enough.  (And no, no one paid me to say that.)

Conferences

Join me at one of these great shows.

Microsoft Security Roadshow, Version 2

With 13 cities to go, there's probably one near you.  All new stuff, no re-runs, a longer show and more information.  See the notes above for more details.

Windows Connections April 4-7, Las Vegas

The magazine that I write for, Windows and .NET Magazine, holds its next Windows Magazine Live! conference in Sin City this April.  It's a jam-packed set of great talks by some great speakers including of the Microsoft tech world's foremost megacephaloids like Mark Russinovich, IIS Answer Man Brett Hill, Uberscripter Bob Wells, Steve Riley and Mike Danseglio (imagine, they got all three of Microsoft's best speakers) and more great speakers all and really smart guys.  I'm also doing three talks, more details on that as the show gets closer.  Watch www.winconnections.com for more info on this show, coming to The Land Of Wayne Newton.

Help Desk International Annual Conference and Expo April 17-21, Orlando

HDI has always been the place to go for help desk and support folks and this year's 15th gathering is no exception.  I'm doing a half-day version of my Securing Microsoft Networks talk, a short version of the talk and passing along the latest on Longhorn, "How To Troubleshoot Any Network Problem" and more.  Visit http://www.thinkhdi.com/trainingEvents/annualConference/ for more info.

Enterprise Messaging Decisions (TechTarget -- Free) May 4-6, Chicago

Some of you may recall that TechTarget put together a series of pretty neat conferences on Windows called Windows Decisions.  They were free to those who qualified and the sessions were uniformly good (well, maybe except for that Minasi guy).  Anyway, Windows Decisions is no more, but they've asked me to speak at their Enterprise Messaging Decisions conference this May.  I'll be doing my "State of the OS" talk, where I'll talk about whatever's topical, new, and/or important.  Come join me by visiting http://enterprisemessagingdecisions.techtarget.com/ to apply. 

Bring Mark to your site to teach

I'm keeping busy doing Active Directory and XP seminars and writing, but I've still got time to visit your firm.  In just two days, I'll make your current NT techies into 2000, XP, Active Directory and 2003 experts.  (And better yet they won't have to sit through any Redmondian propaganda.)  To join the large educational, pharmaceutical, agricultural, aerospace, utility, banking, government, telecommunication, law enforcement, publishing, transportation, and other organizations that I've assisted, either take a peek at the course outlines at www.minasi.com/presentations.htm, mail our assistant Jean Snead at Assistant@Minasi.com, or call her at (757) 426-1431 (only between 11-5 Eastern time, weekdays, please).

Until Next Month...

Have a quiet and safe month. 

Please share this newsletter; I'd like very much to expand this periodical into a useful source of NT/2000/2003/XP information.  Please forward it to any associates who might find it helpful, and accept my thanks.  We are now at over 30,000 subscribers and I hope to use this to get information to every single Mastering 2003, XP, NT and 2000 Server reader. Thanks for letting me visit with you, and take care.  Many, many thanks to the readers who have mailed me to offer suggestions, errata, and those kind reviews.  As always, I'm at http://www.minasi.com/gethelp and please join us at the Forum with technical questions at www.minasi.com/forum

To subscribe, visit http://www.minasi.com/nwsreg.htm. To change e-mail, format, etc., link to http://www.minasi.com/edit-newsletter-record.htm.  To unsubscribe, link to http://www.minasi.com/unsubs.htm. Visit the Archives at http://www.minasi.com/archive.htm. Please do NOT reply to this mail; for comments, please link to http://www.minasi.com/gethelp.

All contents copyright 2004 Mark Minasi. You are encouraged to quote this material, SO LONG as you include this entire document; thanks.