Mark Minasi's Windows Networking Tech Page
Issue #41 September 2004
To subscribe, visit http://www.minasi.com/nwsreg.htm.
To unsubscribe, link to http://www.minasi.com/unsubs.htm.
To change e-mail address, switch between HTML or text format, etc., link
Visit the Archives at http://www.minasi.com/archive.htm.
Please do NOT reply to this mail; for comments, please link to www.minasi.com/gethelp. Document
copyright 2004 Mark Minasi.
- XP audio seminar series now available!
- One-day security seminar comes to DC next week then NY
- Active Directory class comes to DC next week then NY
- Tech Section
- XP Service Pack 2 Highlights, Tricks and Tips
- Bring a Seminar to Your Site
Hello all —
This month, permit me to help you with the question on everyone's
mind: to SP2 or not to SP2? It's a toughie so I'm offering
what I hope will be a real treat -- my complete SP2 PowerPoint as a free
download, as well as some highlights in this newsletter. But first,
a word from our sponsor...
My Seminars are Coming to DC Sept 13-15!
Just two more sets of sessions, DC in September and New York (Mahwah,
actually) in November. More details:
Seminar: Securing Your Windows Desktops and Servers in DC and NY
Doing a short talk on security at the Microsoft Security Roadshow was a lot of fun, but I wish I had a whole day to help attendees see how
to ward off security problems. So I created a seminar
called "Securing Your Windows Desktops and Servers." It's built from
the two talks from the first two road shows and adds more. I find
that a lot of people have a general idea about what they should be doing
to secure their networks -- they've heard terms like SMB signing, null
session, secure channel, LM hash, and so on -- but haven't the time to
sift through the often-contradictory knowledge base articles and the
welter of group policy settings, Registry hacks, patches and the
like. In this course, we spend a long day -- 9 to 6 PM -- going
through what the big security issues mean and understanding the exact step
by step methods that you need to know to make your system more secure.
like to find out more, please visit www.minasi.com/secoutln.htm.
"Running a 2003/2000-Based Active Directory" Runs in DC,
AD's great, but it can be a fragile
flower if not built and maintained properly. Find out how to build,
implement, maintain, and repair Active Directory at "Running a
2003/2000-Based Active Directory;" information at www.minasi.com/2003outln.htm
XP Audio Seminar Series Now Available!
You asked for it, we delivered it and they're selling like crazy. The entire two-day XP support seminar
(minus the tuning part, as I'm already selling that as a stand-alone CD
lecture) on seven audio CDs for $170, or just $99 if you've attended the
XP seminar (sorry, the offer's only for those who've attended the XP
seminar). Visit http://www.minasi.com/xpaudio
for more info.
XP Service Pack 2 Highlights, Tips and Tricks
It's been around for a few weeks, but only in the past week has
Microsoft started its big push on Windows XP's Service Pack 2. Many
service packs have been controversial, and this one's no exception.
Should you install it? I've had good luck with it, but it might not
be for everyone. One way to find out would be to download and read the
dozen or so big Word documents about SP2 on Microsoft's
site, comprising more than a thousand pages of text. I spent over a
week poring through all of them, with the hope of giving you the
"short version." (That's not to say that there's too much
verbage there; it's just that MS is primarily a developer-oriented
company, and much of it's really only of interest to coders. I've
tried to focus here on the folks who have to keep networks and desktops
I cover the details of SP2 and why you want it in a presentation that
I'm doing in a bunch of places around the world in the next few
months. But heck, in case you can't get there, I've put the
PowerPoint on my Web site at
In this article, I hope to offer you a quick overview of SP2's parts,
with pointers to the PowerPoint for more detail. In short, SP2 does four things.
- It adds new security features to the operating system
- It adds a few neat new features to XP that have little or nothing to
do with security
- It changes the default settings on a few things from "I don't
care about security" to "I'm a bit worried about
- It completely recompiles the operating system with tighter
requirements, and those tighter requirements break some drivers and
other apps that were always written a bit weakly
There are, again, lots to cover in SP2 and I've got a lot of it done in
the PowerPoint, so I'm just going to highlight here some of what I think
is important and/or interesting.
Data Execution Prevention (DEP)
Let's look at that last bullet point one first. Have you heard about how big
SP2 is? It's over 260 MB to download and, when expanded into its
component files, is about 332 MB in size -- probably a world record for
SPs. (But don't bother calling the Guinness guys, I feel safe
in forecasting that 2003's SP1 will be larger.) Why?
Simple: Microsoft wants to kill buffer overflows for good.
Buffer overflows happen when a programmer sets aside some space in the
middle of a program, space intended to store some kind of input from the
user or from some program calling that program. The space
where that input goes is called the buffer. But now what happens if
the user of the program decides to stuff not just a few bytes of data but
instead tons and tons of data, more data than the programmer set aside for
that data? Well, it depends.
In some cases, the programmer writes code that checks incoming data to
ensure that it doesn't exceed the length of the buffer, throwing away data
that's too long. It's a good idea, but it burns up CPU time and
tends to slow programs down, so coders sometimes get lazy and leave out
this buffer checking. Sometimes they even get a pat on the back for
having created a program that's so fast. But programs like this can
be attacked by patient criminals, who use this "back door" into
the program to actually add new pieces to the existing program.
(Yes, it's possible to insert a program into a program, disguised as data
-- if the programmer hasn't bothered to check for a buffer
overflow.) Better -- or at
least more paranoid -- programmers write code to avoid buffer overflows.
What's the best trade-off between speed and no buffer checks versus
slower code and buffer checks? I guess it's a matter of opinion, but
I've always been a "slow and secure" guy, and it appears that
many agree with me, including (at the moment, anyway) folks in Redmond. So they've recompiled basically the whole OS
with a compiler switch that sniffs out and objects to unprotected
buffers. That's right the whole OS -- hence the size.
(Heck, there's even a new version of Notepad in SP2.) But that's
not all; Microsoft's extended a certain level of buffer overflow
protection to any program that you run in Windows, called Data Execution
Prevention or DEP. In a few words, it watches an area in a
computer's memory called the "stack." The stack is where
the computer keeps track of what it's been doing; here's roughly how it
works. Have you ever been
in the middle of doing something when you realize that you've got to do
something else first, so you interrupt the first task and work on the
second? When you finish the second task, then you remember to return
to the first (with hope). The thing that let you remember where you
left off in the first task would be, in computer terms, the stack.
You could, in theory, be partway into a first task when you're called away
to a second task, and, in the middle of the second task, be interrupted
and have to attend to a third task, which might be interrupted by a fourth
and so on. With a good stack, you'll remember where you left off and
return to the third task when done with the fourth, return to the second
when done with the third and so on. Computers are of course better
at this "remembering what they were doing" stuff and so may have
stacks that go dozens or hundreds of levels deep.
DEP keeps an eye on the stack and notices when someone's trying to load
stuff on the stack that isn't just "when you get back to this level
do this" sorts of notices, but might be code, and in particular when
someone's actually trying to execute the stack. It stops your
system cold -- yup, it's typically a blue screen, but that's a good thing,
as the alternative would be running some kind of evil worm -- so as to
stop the buffer overflow attacker in mid-stream.
Anyway, the bottom line is that this code, had it existed in XP and
2000, would have stopped Code Red, Nimda, Nochia, Slammer, and Sasser
cold, with no other patches installed. It's a good idea and a
welcome addition to XP.
There's a personal firewall built into XP that's always been
there. But now it's kind of "in your face," as it's turned
on by default and it's much easier to configure and control from the GUI,
group policies, and command-line tools.
Even better, it's got two "profiles;" it behaves one way when
you're inside your domain and another when you're outside, such as when
you're connected to the Internet with your laptop from home or a hotel.
You might have heard about Firewall's two profiles, the
"standard" and the "domain" profile.
("Domain" means you're in the domain, on site;
"standard" means you're somewhere else, out of the
firewall.) But did you ever wonder, how does it know when you're
"in the domain?" I wondered. Is it something as easy
as IP address ranges? Pinging the domain controller to measure the
latency periods? Arcanely measuring the Earth's magnetic field to
estimate how far you are from Headquarters? Nope. It's like
- Windows Firewall (call it WF) remembers the last time that you got
- It remembers the DNS suffix of the system that you got them
from. (So, for example, if your AD domain was called bigfirm.com,
then the domain controller (DC) that your system got the group
policies from almost certainly had a DNS suffix of bigfirm.com.)
- WF then looks at all of your network adapters -- here's where it
gets geeky -- and examines their adapter-specific DNS suffixes.
If any of them match the DNS suffix of your last GP update,
then it assumes you're in the domain.
In English, then... suppose you're out on the road and for some reason
want the firewall to think that you're in "domain" mode rather
than "standard" mode. Just go to the Advanced properties
of your NIC, click the DNS tab and punch in your domain's name in the
"DNS suffix" field, and your firewall will behave as if you're
on the corporate grounds.
That, by the way was the simplified version; if you'd
like to know more about how the network location awareness in Windows
works, get this article:
But for more information about Windows Firewall, please take a look at
the PowerPoint. There's lots to know.
SP2's great, but it's changed a whole lot of things
security-wise. A lot of defaults have changed, and a lot of back
doors that Windows has left open for a long time have been locked.
Now, that's not going to bother most programs, but it might bother a few
Back when Windows networking first started up, security wasn't all that
important and to be quite frank, it was bloody hard to figure out how to
include security features in a network-aware Windows app. So many
older apps (or new and badly written apps) just plain didn't bother with
As time's gone on, Microsoft has offered new ways for programs to talk
to programs, and they've slowly gotten better about furnishing good
examples of securing those communications, so I'd hope that any recent
programs would have figured out security. In any case, Microsoft
decided to change the default behaviors of four communications protocols:
- RPC, Remote Procedure Call, has been a target of worms and
denial-of-service attacks in the past few years as a result of some
bugs that various folks have discovered. Your system uses RPCs
all the time; for example, when Outlook talks to Exchange, there's an
RPC session created. When Outlook talks to Exchange, it must
identify itself, but apparently not all RPC communications require
authentication -- there's an anonymous RPC logon possible. SP2
disables that, which shouldn't break any well-written network apps
(I've not run into any), but if it does then you can tell RPC
to return to its pre-SP2 status with a group policy.
- COM is Microsoft's object programming model (or one of them, anyway;
they like to shake things up ever few years) and it includes network
communications capabilities by default. Under SP2,
however, Microsoft has removed all permissions for COM apps to
talk to other COM apps over a network. You can, of course,
restore the permissions, but now that they're gone by default then
some things may break.
- DTC, Distributed Transaction Coordinator, is another
program-to-program tool often used in queries to SQL Servers. It
distinguishes between transactions between two programs in the same
machine, and transactions between different computers across a
network. SP2 changes the rules again by disabling all
network-based transactions by default.
- WebDAV is a file sharing protocol -- kind of like NET USE -- that
works over HTTP, on port 80. XP users may employ it to easily
update content on an externally-hosted Web site, or to access
SharePoint, or to connect Outlook Express to Exchange. WebDAV
has always allowed authentication either via the encrypted
"Windows Integrated" logon, or via "basic
authentication," where the WebDAV client and server pass user
names and passwords across the network in clear text. XP's
WebDAV client (the "Web Client" service) no longer supports
basic authentication without a Registry change.
You can get the specifics on re-enabling the old behaviors in the
IE's finally got a popup killer, and a quite nice one. But it's also
got a bunch of security fixes. It's interesting to read about the
changes, as it makes you realize just how much Microsoft believes -- or
believed at one time -- that IE would essentially be your desktop.
Apparently Microsoft created a pile of security headaches for itself with
a set of scripting tools improbably called "binary behaviors" as
well as "add-ons," a Microsoft phrase referring to both ActiveX
controls and browser helpers, not to mention the "local zone"
and, again, pop-up windows.
(What's that, you've never heard of a browser helper? It's a
doodad that someone can write that, if plugged into your browser, can
change IE's behavior. I'm sure they're used for good purposes
somewhere, but you mostly hear about them seizing control of a browser,
bringing down unwanted advertisements and redirecting you from a requested
site to another -- type in Google's address and your browser takes you to
Great Sales and Bargains.com.) Anyway, IE's now got a nice dialog box
listing all of your ActiveX controls and browser helpers, as well as a
button that lets you disable any or all of them.
You can disable the
scripting power of binary behaviors and enable (or disable) "MIME
sniffing," a tool that does not at all involve olfactory encounters
with Marcel Marceau but instead allows IE to see past a fake
extension. Try to sneak an EXE file at IE by naming it "something.jpg,"
and MIME sniffing will look inside the file, determining that it's not a
picture after all. Add to all of this a handful of other
sock-pulling-up on IE's part and you've got a browser that doesn't look
all that different, but that is miles better at avoiding spyware and other
uninvited guests than old IE.
(Of course, having said that, my pal Paul Thurrott points out there's
some new IE exploit that attacks even SP2's IE. If they'd just
waited a few more weeks before shipping SP2 they could have included the
SP2's IE also has another feature that I really like: publisher
blocking. When presented with an ActiveX control, we've always been
able to say "always trust content from xyz publisher." Now
there's an extra option: "never accept content from xyz
publisher." Take that, Gator!
TCP/IP Stack Changes
XP's always had "raw sockets," a feature that lets you
hand-craft a TCP or UDP packet. Hand-crafted packets can have
nonsensical headers, or can include false return addresses.
Sometimes the good guys need to do that kind of thing, but more often it's
the bad guys that want that. So no more outgoing raw sockets
(incoming are still fine) on TCP, and they're only allowed on UDP if the
return address of the packet matches an IP address on one of the NICs in
SP2 also modifies TCP's behavior in that it tracks incomplete TCP
connections. TCP connections are like phone calls -- first your
computer contacts another computer and asks if the two of them can
talk. Once the "phone call" is established, then the work
gets done -- e-mail's transferred, a Web site is visited, or the
like. But worms often create lists of randomly-generated IP
addresses and try to connect to those addresses in order to infect other
systems. This is a grossly inefficient way to spread themselves, as
most of those IP addresses either aren't active at the moment or have a
firewall up and ignoring the worm's overtures -- leaving incomplete the
connections that the worm is trying to create. When worms are loose
on the Internet, then, they tend to clog the Net (and intranets as well)
with pointless half-finished attempted communications.
SP2 tries to head them off with a new rule: only ten incomplete
TCP/IP connections at a time! A program that's tried to open ten
TCP/IP connections that have not yet completed -- often because there's
simply "nobody home" at the other side -- will have any
subsequent TCP/IP connection attempts queued until the ten incomplete
connections either complete or time out. Sure, the worms can still
run, but they can't spread as quickly.
Will this affect your Web browsing experience? No -- those
connections are (one hopes, at least) completed. The ten-connection
limit is just a limit on the number of incomplete connections.
I wish there were a way to un-do this. It's not a bad idea, but
it'll make running network scanning programs laborious for the good
guys. (You may, by the way, hear of a Registry hack that will change
that maximum number from ten to something else, but it doesn't work -- it
did at one point in the SP2 beta but not in the final.)
Making USB Devices Read-Only
USB "thumb drives" drive some security folks crazy because
they're so small physically and so big storage-wise; what's to keep people
from popping a USB drive into a USB slot, copying corporate data and
walking out the door? For the USB-paranoid, SP2 includes an ability
to let users read data from a USB drive, but not write data to that
drive. It's a simple Registry change. First, create a whole
new key: HKLM\System\CurrentControlSet\Control \ StorageDevicePolicies.
Then create a REG_DWORD entry in it called WriteProtect. Set it to 1
and you'll be able to read from USB drives but not write to them.
Wireless connections get a sprucing-up with a new system tray icon,
more attractive tiles representing available wireless networks, and a
better ability to choose preferred wireless network IDs (SSIDs).
Also there's a nifty Wireless Network Setup Wizard. It lets you
punch in your wireless network's SSID and your WEP code. The Wizard
then stores the SSID and WEP code in a program on a USB thumb drive.
(Clearly this assumes that you've not installed the "make USB drives
read-only" Registry hack
above.) It also installs an autorun.inf file on the USB drive.
Shove the drive into an XP box and the autorun.inf file will start up,
setting your SSID (which is not a big deal) and WEP code (which is a great
convenience) on the system. I didn't bother with WEP on my network
before, as punching in WEP codes is a pain. Now it's a snap.
Now XP gets native Bluetooth support. But it only works if your
Bluetooth device has a chipset that SP2 includes a driver for, and my
Presario X1000's Bluetooth hardware isn't included on the list so I can't
report how good or bad it is.
The Windows Update client got smarter in anticipation of Windows Update
Services (once known as SUS 2.0) but that server's been put off until
summer 2005. Nevertheless, the new client gives you some features
that you needn't wait for 2005 to see in action. You can use the new
group policy settings to tell Windows Update to
- Check for patches more often than its default of once every roughly
- Immediately install patches that do not require a reboot
- Control the reboot behavior (when a reboot is necessary) more
With SP2, Microsoft has overhauled the patching engine. It now
accepts a wider set of options, including a really neat one --
/integrate. That option lets you pre-install a patch into an I386
directory, so now we can slipstream both patches and service packs.
And the slipstream option's irritating habit of simply assuming that your
directory's name ended with "I386" has changed; you can now
store your installation files in a directory with any name that you
choose. Ever worried when installing a patch that you were
overwriting a newer patch? SP2's patch engine and Installer 3.0
keeps that from happening. Try to install an older patch atop a
newer one (or atop a newer service pack) and it'll ignore you.
Best Bets For Success with SP2
First of all, as I've already said, test your apps before you roll out
SP2. Second, follow the same common sense that's worked well in the
NT world for ages -- before you install SP2 on your system, go out to your
vendor's Web sites and get the latest drivers onto your system.
Reboot the system to ensure that the new drivers don't blue screen you; if
they do, then use Driver Rollback. Once you've got your drivers up
to date and your apps tested, then put SP2 on and I think you'll like it.
And if you can, then try to join me at one of the locations where I'll
be doing my SP2 talks this fall. Speaking of which...
Join me at one of these great shows.
TechMentor San Jose, September 27-Oct 1
101 Communication's semi-annual geekfest comes to one of the true
Meccas for us geek types -- San Jose. Everything you ever needed to
know about getting your networks running and keeping them running from
some of the smartest people in the business... and me too. The
program's available at www.techmentorevents.com.
IT Infrastructure Management Conference & Expo 2004
The Help Desk Institute's running their second annual week of
presentations for techies, and they've asked me to do my day-long security
class, as well as a short talk on the current state of the Windows
world. More info at http://www.thinkhdi.com/itim2004/
-- join us in Vegas for some geekin' out. (Since Fall Comdex isn't
going to happen this year.)
Windows Connections October 24-27, Orlando
The magazine that I write for, Windows and .NET Magazine (soon to be
renamed "Windows IT Pro Magazine"), holds its
next Windows Magazine Live! conference in The Land Of The Mouse this
October. It's a jam-packed set of great talks by some great speakers
including of the Microsoft tech world's foremost megacephaloids like Mark
Russinovich, IIS Answer Man Brett Hill, Uberscripter Bob Wells, Steve
Riley and Mike Danseglio (imagine, they got all three of
Microsoft's best speakers) and more — great speakers all and really smart
guys. I'm also doing talks on XP's SP2, Software Update Services,
and XP goodies. Watch http://www.winconnections.com/ for more info on this show.
Bring Mark to your site to teach
I'm keeping busy doing Active Directory and Security seminars and writing,
but I've still got time to visit your firm. In just two days, I'll
make your current NT techies into 2000, XP, Active Directory and 2003
experts. (And better yet they won't have to sit through any
Redmondian propaganda.) To join the large educational,
pharmaceutical, agricultural, aerospace, utility, banking, government,
telecommunication, law enforcement, publishing, transportation, and other
organizations that I've assisted, either take a peek at the course
outlines at www.minasi.com/presentations.htm, mail our assistant
Jean Snead at Assistant@Minasi.com, or call her
at (757) 426-1431 (only between 11-5 Eastern time, weekdays, please).
Until Next Month...
Have a quiet and safe month.
Please share this newsletter; I'd like very much to expand this
periodical into a useful source of NT/2000/2003/XP information.
Please forward it to any associates who might find it helpful, and accept
my thanks. We are now at over 30,000 subscribers and I hope to use
this to get information to every single Mastering 2003, XP, NT and 2000
Server reader. Thanks for letting me visit with you, and take care.
Many, many thanks to the readers who have mailed me to offer suggestions,
errata, and those kind reviews. As always, I'm at http://www.minasi.com/gethelp and
please join us at the Forum with technical questions at www.minasi.com/forum.
To subscribe, visit http://www.minasi.com/nwsreg.htm.
To change e-mail, format, etc., link to http://www.minasi.com/edit-newsletter-record.htm.
To unsubscribe, link to http://www.minasi.com/unsubs.htm.
Visit the Archives at http://www.minasi.com/archive.htm.
Please do NOT reply to this mail; for comments, please link to http://www.minasi.com/gethelp.
All contents copyright 2004 Mark Minasi. You are encouraged to quote
this material, SO LONG as you include this entire document;