Mark Minasi's Windows Networking Tech Page Issue #41 September 2004
To subscribe, visit http://www.minasi.com/nwsreg.htm.
To unsubscribe, link to http://www.minasi.com/unsubs.htm.
To change e-mail address, switch between HTML or text format, etc., link
to http://www.minasi.com/edit-newsletter-record.htm.
Visit the Archives at http://www.minasi.com/archive.htm.
Please do NOT reply to this mail; for comments, please link to www.minasi.com/gethelp. Document
copyright 2004 Mark Minasi.
What's Inside
- News:
- XP audio seminar series now available!
- One-day security seminar comes to DC next week then NY
- Active Directory class comes to DC next week then NY
- Tech Section
- XP Service Pack 2 Highlights, Tricks and Tips
- Conferences
- Bring a Seminar to Your Site
News
Hello all —
This month, permit me to help you with the question on everyone's
mind: to SP2 or not to SP2? It's a toughie so I'm offering
what I hope will be a real treat -- my complete SP2 PowerPoint as a free
download, as well as some highlights in this newsletter. But first,
a word from our sponsor...
My Seminars are Coming to DC Sept 13-15!
Just two more sets of sessions, DC in September and New York (Mahwah,
actually) in November. More details:
Seminar: Securing Your Windows Desktops and Servers in DC and NY
Doing a short talk on security at the Microsoft Security Roadshow was a lot of fun, but I wish I had a whole day to help attendees see how
to ward off security problems. So I created a seminar
called "Securing Your Windows Desktops and Servers." It's built from
the two talks from the first two road shows and adds more. I find
that a lot of people have a general idea about what they should be doing
to secure their networks -- they've heard terms like SMB signing, null
session, secure channel, LM hash, and so on -- but haven't the time to
sift through the often-contradictory knowledge base articles and the
welter of group policy settings, Registry hacks, patches and the
like. In this course, we spend a long day -- 9 to 6 PM -- going
through what the big security issues mean and understanding the exact step
by step methods that you need to know to make your system more secure.
If you'd
like to find out more, please visit www.minasi.com/secoutln.htm.
"Running a 2003/2000-Based Active Directory" Runs in DC, NY
AD's great, but it can be a fragile
flower if not built and maintained properly. Find out how to build,
implement, maintain, and repair Active Directory at "Running a
2003/2000-Based Active Directory;" information at www.minasi.com/2003outln.htm.
XP Audio Seminar Series Now Available!
You asked for it, we delivered it and they're selling like crazy. The entire two-day XP support seminar
(minus the tuning part, as I'm already selling that as a stand-alone CD
lecture) on seven audio CDs for $170, or just $99 if you've attended the
XP seminar (sorry, the offer's only for those who've attended the XP
seminar). Visit http://www.minasi.com/xpaudio
for more info.
Tech Section
XP Service Pack 2 Highlights, Tips and Tricks
It's been around for a few weeks, but only in the past week has
Microsoft started its big push on Windows XP's Service Pack 2. Many
service packs have been controversial, and this one's no exception.
Should you install it? I've had good luck with it, but it might not
be for everyone. One way to find out would be to download and read the
dozen or so big Word documents about SP2 on Microsoft's
site, comprising more than a thousand pages of text. I spent over a
week poring through all of them, with the hope of giving you the
"short version." (That's not to say that there's too much
verbiage there; it's just that MS is primarily a developer-oriented
company, and much of it's really only of interest to coders. I've
tried to focus here on the folks who have to keep networks and desktops
running.)
I cover the details of SP2 and why you want it in a presentation that
I'm doing in a bunch of places around the world in the next few
months. But heck, in case you can't get there, I've put the
PowerPoint on my Web site at
http://www.minasi.com/sp2info
In this article, I hope to offer you a quick overview of SP2's parts,
with pointers to the PowerPoint for more detail. In short, SP2 does four things.
- It adds new security features to the operating system
- It adds a few neat new features to XP that have little or nothing to
do with security
- It changes the default settings on a few things from "I don't
care about security" to "I'm a bit worried about
security"
- It completely recompiles the operating system with tighter
requirements, and those tighter requirements break some drivers and
other apps that were always written a bit weakly
There's, again, a lot to cover in SP2, and I've got a lot of it done in
the PowerPoint, so I'm just going to highlight here some of what I think
is important and/or interesting.
Data Execution Prevention (DEP)
Let's look at that last bullet point first. Have you heard about how big
SP2 is? It's over 260 MB to download and, when expanded into its
component files, is about 332 MB in size -- probably a world record for
SPs. (But don't bother calling the Guinness guys, I feel safe
in forecasting that 2003's SP1 will be larger.) Why?
Simple: Microsoft wants to kill buffer overflows for good.
Buffer overflows happen when a programmer sets aside some space in the
middle of a program, space intended to store some kind of input from the
user or from some program calling that program. The space
where that input goes is called the buffer. But now what happens if
the user of the program decides to stuff not just a few bytes of data but
instead tons and tons of data, more data than the programmer set aside for
that data? Well, it depends.
In some cases, the programmer writes code that checks incoming data to
ensure that it doesn't exceed the length of the buffer, throwing away data
that's too long. It's a good idea, but it burns up CPU time and
tends to slow programs down, so coders sometimes get lazy and leave out
this buffer checking. Sometimes they even get a pat on the back for
having created a program that's so fast. But programs like this can
be attacked by patient criminals, who use this "back door" into
the program to actually add new pieces to the existing program.
(Yes, it's possible to insert a program into a program, disguised as data
-- if the programmer hasn't bothered to check for a buffer
overflow.) Better -- or at
least more paranoid -- programmers write code to avoid buffer overflows.
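Here, as an added example that is not from the newsletter, is the kind of bounds check the paragraph describes, written in C: an unchecked copy of a length-prefixed "name" beside a checked one that discards over-long input. The message layout, the 16-byte buffer and the sample messages are constructed for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed example: a program sets aside 16 bytes for a "name" that
 * arrives in a length-prefixed message: [1 length byte][that many bytes].
 * The length byte is supplied by whoever sent the message, so it is
 * untrusted input in exactly the sense the newsletter describes. */
#define NAME_CAPACITY 16   /* room for 15 characters plus the terminating NUL */

/* The unchecked pattern: trusts the sender's length byte. A message
 * claiming 200 bytes writes 200 bytes into a 16-byte buffer and
 * overwrites whatever sits beyond it. Shown for contrast only. */
void copy_name_unchecked(char *dst, const uint8_t *msg)
{
    size_t len = msg[0];
    memcpy(dst, msg + 1, len);
    dst[len] = '\0';
}

/* The checked pattern: returns the number of bytes copied, or -1 (with
 * dst left as an empty string) when the declared length is longer than
 * the message actually received or would not fit in dst with its NUL. */
int copy_name_checked(char *dst, size_t dst_cap, const uint8_t *msg, size_t msg_len)
{
    if (dst_cap == 0)
        return -1;
    dst[0] = '\0';
    if (msg_len < 1)
        return -1;                      /* no length byte at all */
    size_t len = msg[0];
    if (len > msg_len - 1)
        return -1;                      /* length byte claims bytes that never arrived */
    if (len >= dst_cap)
        return -1;                      /* too long for the buffer: discard, as the text says */
    memcpy(dst, msg + 1, len);
    dst[len] = '\0';
    return (int)len;
}

static char g_name[NAME_CAPACITY];      /* the buffer the demo parses into */

/* Runs the checked copy over one of four constructed messages:
 *   0 = honest 5-byte name
 *   1 = length byte says 9 but only 3 bytes follow
 *   2 = well-formed 40-byte name, too big for the 16-byte buffer
 *   3 = 15-byte name, the largest that fits
 * Returns what copy_name_checked returned; demo_name() shows the buffer. */
int demo_parse(int which)
{
    static const uint8_t honest[]    = {5, 'a', 'l', 'i', 'c', 'e'};
    static const uint8_t truncated[] = {9, 'b', 'o', 'b'};
    uint8_t big[41], fits[NAME_CAPACITY];

    big[0] = 40;
    memset(big + 1, 'A', 40);
    fits[0] = NAME_CAPACITY - 1;
    memset(fits + 1, 'B', NAME_CAPACITY - 1);

    switch (which) {
    case 0:  return copy_name_checked(g_name, NAME_CAPACITY, honest, sizeof honest);
    case 1:  return copy_name_checked(g_name, NAME_CAPACITY, truncated, sizeof truncated);
    case 2:  return copy_name_checked(g_name, NAME_CAPACITY, big, sizeof big);
    default: return copy_name_checked(g_name, NAME_CAPACITY, fits, sizeof fits);
    }
}

const char *demo_name(void)
{
    return g_name;
}
```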
What's the best trade-off between speed and no buffer checks versus
slower code and buffer checks? I guess it's a matter of opinion, but
I've always been a "slow and secure" guy, and it appears that
many agree with me, including (at the moment, anyway) folks in Redmond. So they've recompiled basically the whole OS
with a compiler switch that sniffs out and objects to unprotected
buffers. That's right, the whole OS -- hence the size.
(Heck, there's even a new version of Notepad in SP2.) But that's
not all; Microsoft's extended a certain level of buffer overflow
protection to any program that you run in Windows, called Data Execution
Prevention or DEP. In a few words, it watches an area in a
computer's memory called the "stack." The stack is where
the computer keeps track of what it's been doing; here's roughly how it
works. Have you ever been
in the middle of doing something when you realize that you've got to do
something else first, so you interrupt the first task and work on the
second? When you finish the second task, then you remember to return
to the first (with hope). The thing that let you remember where you
left off in the first task would be, in computer terms, the stack.
You could, in theory, be partway into a first task when you're called away
to a second task, and, in the middle of the second task, be interrupted
and have to attend to a third task, which might be interrupted by a fourth
and so on. With a good stack, you'll remember where you left off and
return to the third task when done with the fourth, return to the second
when done with the third and so on. Computers are of course better
at this "remembering what they were doing" stuff and so may have
stacks that go dozens or hundreds of levels deep.
DEP keeps an eye on the stack and notices when someone's trying to load
stuff on the stack that isn't just "when you get back to this level
do this" sorts of notices, but might be code, and in particular when
someone's actually trying to execute the stack. It stops your
system cold -- yup, it's typically a blue screen, but that's a good thing,
as the alternative would be running some kind of evil worm -- so as to
stop the buffer overflow attacker in mid-stream.
Anyway, the bottom line is that this code, had it existed in XP and
2000, would have stopped Code Red, Nimda, Nachi, Slammer, and Sasser
cold, with no other patches installed. It's a good idea and a
welcome addition to XP.
Windows Firewall
There's a personal firewall built into XP that's always been
there. But now it's kind of "in your face," as it's turned
on by default and it's much easier to configure and control from the GUI,
group policies, and command-line tools.
Even better, it's got two "profiles;" it behaves one way when
you're inside your domain and another when you're outside, such as when
you're connected to the Internet with your laptop from home or a hotel.
You might have heard about Firewall's two profiles, the
"standard" and the "domain" profile.
("Domain" means you're in the domain, on site;
"standard" means you're somewhere else, out of the
firewall.) But did you ever wonder, how does it know when you're
"in the domain?" I wondered. Is it something as easy
as IP address ranges? Pinging the domain controller to measure the
latency periods? Arcanely measuring the Earth's magnetic field to
estimate how far you are from Headquarters? Nope. It's like
this:
- Windows Firewall (call it WF) remembers the last time that you got
group policies.
- It remembers the DNS suffix of the system that you got them
from. (So, for example, if your AD domain was called bigfirm.com,
then the domain controller (DC) that your system got the group
policies from almost certainly had a DNS suffix of bigfirm.com.)
- WF then looks at all of your network adapters -- here's where it
gets geeky -- and examines their adapter-specific DNS suffixes.
If any of them match the DNS suffix of your last GP update,
then it assumes you're in the domain.
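As an added illustration (not from the newsletter and not Microsoft's code), here is that three-step decision written out in C. The exact whole-suffix, case-insensitive comparison and the sample suffix values are assumptions made for the example.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Case-insensitive equality for DNS names, which are not case-sensitive.
 * Written out rather than using strcasecmp so it builds anywhere. */
static int dns_name_equal(const char *a, const char *b)
{
    while (*a && *b) {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
        a++;
        b++;
    }
    return *a == '\0' && *b == '\0';
}

/* Returns 1 ("domain" profile) when any adapter's connection-specific
 * DNS suffix equals the suffix recorded at the last group policy
 * refresh, else 0 ("standard" profile). A NULL or empty recorded
 * suffix means policy was never received, so the machine cannot be
 * "in the domain" by this test. Whole-suffix match is an assumption. */
int firewall_uses_domain_profile(const char *last_gp_suffix,
                                 const char *const adapter_suffixes[], size_t count)
{
    if (last_gp_suffix == NULL || last_gp_suffix[0] == '\0')
        return 0;
    for (size_t i = 0; i < count; i++) {
        if (adapter_suffixes[i] != NULL &&
            dns_name_equal(adapter_suffixes[i], last_gp_suffix))
            return 1;
    }
    return 0;
}

/* Constructed scenario: on site, LAN NIC carries the domain suffix and
 * the wireless NIC has no suffix at all. */
int demo_in_office(void)
{
    const char *const adapters[] = {"bigfirm.com", NULL};
    return firewall_uses_domain_profile("bigfirm.com", adapters, 2);
}

/* Constructed scenario: the laptop on a hotel network. */
int demo_in_hotel(void)
{
    const char *const adapters[] = {"guest.hotel.example"};
    return firewall_uses_domain_profile("bigfirm.com", adapters, 1);
}

/* Same hotel, after the domain's name has been typed into the NIC's
 * "DNS suffix" field as the text describes. The check cannot tell the
 * difference, which is why profile selection is a convenience and not
 * a security boundary to rely on. */
int demo_in_hotel_with_suffix_typed_in(void)
{
    const char *const adapters[] = {"BIGFIRM.COM"};
    return firewall_uses_domain_profile("bigfirm.com", adapters, 1);
}
```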
In English, then... suppose you're out on the road and for some reason
want the firewall to think that you're in "domain" mode rather
than "standard" mode. Just go to the Advanced properties
of your NIC, click the DNS tab and punch in your domain's name in the
"DNS suffix" field, and your firewall will behave as if you're
on the corporate grounds.
That, by the way, was the simplified version; if you'd
like to know more about how the network location awareness in Windows
works, get this article:
http://www.microsoft.com/technet/community/columns/cableguy/cg0504.mspx
But for more information about Windows Firewall, please take a look at
the PowerPoint. There's lots to know.
Application Compatibility
SP2's great, but it's changed a whole lot of things
security-wise. A lot of defaults have changed, and a lot of back
doors that Windows has left open for a long time have been locked.
Now, that's not going to bother most programs, but it might bother a few
apps.
Back when Windows networking first started up, security wasn't all that
important and to be quite frank, it was bloody hard to figure out how to
include security features in a network-aware Windows app. So many
older apps (or new and badly written apps) just plain didn't bother with
security.
As time's gone on, Microsoft has offered new ways for programs to talk
to programs, and they've slowly gotten better about furnishing good
examples of securing those communications, so I'd hope that any recent
programs would have figured out security. In any case, Microsoft
decided to change the default behaviors of four communications protocols:
- RPC, Remote Procedure Call, has been a target of worms and
denial-of-service attacks in the past few years as a result of some
bugs that various folks have discovered. Your system uses RPCs
all the time; for example, when Outlook talks to Exchange, there's an
RPC session created. When Outlook talks to Exchange, it must
identify itself, but apparently not all RPC communications require
authentication -- there's an anonymous RPC logon possible. SP2
disables that, which shouldn't break any well-written network apps
(I've not run into any), but if it does then you can tell RPC
to return to its pre-SP2 status with a group policy.
- COM is Microsoft's object programming model (or one of them, anyway;
they like to shake things up every few years) and it includes network
communications capabilities by default. Under SP2,
however, Microsoft has removed all permissions for COM apps to
talk to other COM apps over a network. You can, of course,
restore the permissions, but now that they're gone by default then
some things may break.
- DTC, Distributed Transaction Coordinator, is another
program-to-program tool often used in queries to SQL Servers. It
distinguishes between transactions between two programs in the same
machine, and transactions between different computers across a
network. SP2 changes the rules again by disabling all
network-based transactions by default.
- WebDAV is a file sharing protocol -- kind of like NET USE -- that
works over HTTP, on port 80. XP users may employ it to easily
update content on an externally-hosted Web site, or to access
SharePoint, or to connect Outlook Express to Exchange. WebDAV
has always allowed authentication either via the encrypted
"Windows Integrated" logon, or via "basic
authentication," where the WebDAV client and server pass user
names and passwords across the network in clear text. XP's
WebDAV client (the "Web Client" service) no longer supports
basic authentication without a Registry change.
You can get the specifics on re-enabling the old behaviors in the
PowerPoint.
Internet Explorer
IE's finally got a popup killer, and a quite nice one. But it's also
got a bunch of security fixes. It's interesting to read about the
changes, as it makes you realize just how much Microsoft believes -- or
believed at one time -- that IE would essentially be your desktop.
Apparently Microsoft created a pile of security headaches for itself with
a set of scripting tools improbably called "binary behaviors" as
well as "add-ons," a Microsoft phrase referring to both ActiveX
controls and browser helpers, not to mention the "local zone"
and, again, pop-up windows.
(What's that, you've never heard of a browser helper? It's a
doodad that someone can write that, if plugged into your browser, can
change IE's behavior. I'm sure they're used for good purposes
somewhere, but you mostly hear about them seizing control of a browser,
bringing down unwanted advertisements and redirecting you from a requested
site to another -- type in Google's address and your browser takes you to
Great Sales and Bargains.com.) Anyway, IE's now got a nice dialog box
listing all of your ActiveX controls and browser helpers, as well as a
button that lets you disable any or all of them.
You can disable the
scripting power of binary behaviors and enable (or disable) "MIME
sniffing," a tool that does not at all involve olfactory encounters
with Marcel Marceau but instead allows IE to see past a fake
extension. Try to sneak an EXE file past IE by naming it "something.jpg,"
and MIME sniffing will look inside the file, determining that it's not a
picture after all. Add to all of this a handful of other
sock-pulling-up on IE's part and you've got a browser that doesn't look
all that different, but that is miles better at avoiding spyware and other
uninvited guests than old IE.
(Of course, having said that, my pal Paul Thurrott points out there's
some new IE exploit that attacks even SP2's IE. If they'd just
waited a few more weeks before shipping SP2 they could have included the
patch...)
SP2's IE also has another feature that I really like: publisher
blocking. When presented with an ActiveX control, we've always been
able to say "always trust content from xyz publisher." Now
there's an extra option: "never accept content from xyz
publisher." Take that, Gator!
TCP/IP Stack Changes
XP's always had "raw sockets," a feature that lets you
hand-craft a TCP or UDP packet. Hand-crafted packets can have
nonsensical headers, or can include false return addresses.
Sometimes the good guys need to do that kind of thing, but more often it's
the bad guys that want that. So no more outgoing raw sockets
(incoming are still fine) on TCP, and they're only allowed on UDP if the
return address of the packet matches an IP address on one of the NICs in
the system.
SP2 also modifies TCP's behavior in that it tracks incomplete TCP
connections. TCP connections are like phone calls -- first your
computer contacts another computer and asks if the two of them can
talk. Once the "phone call" is established, then the work
gets done -- e-mail's transferred, a Web site is visited, or the
like. But worms often create lists of randomly-generated IP
addresses and try to connect to those addresses in order to infect other
systems. This is a grossly inefficient way to spread themselves, as
most of those IP addresses either aren't active at the moment or have a
firewall up and ignoring the worm's overtures -- leaving incomplete the
connections that the worm is trying to create. When worms are loose
on the Internet, then, they tend to clog the Net (and intranets as well)
with pointless half-finished attempted communications.
SP2 tries to head them off with a new rule: only ten incomplete
TCP/IP connections at a time! A program that's tried to open ten
TCP/IP connections that have not yet completed -- often because there's
simply "nobody home" at the other side -- will have any
subsequent TCP/IP connection attempts queued until the ten incomplete
connections either complete or time out. Sure, the worms can still
run, but they can't spread as quickly.
Will this affect your Web browsing experience? No -- those
connections are (one hopes, at least) completed. The ten-connection
limit is just a limit on the number of incomplete connections.
I wish there were a way to un-do this. It's not a bad idea, but
it'll make running network scanning programs laborious for the good
guys. (You may, by the way, hear of a Registry hack that will change
that maximum number from ten to something else, but it doesn't work -- it
did at one point in the SP2 beta but not in the final.)
Making USB Devices Read-Only
USB "thumb drives" drive some security folks crazy because
they're so small physically and so big storage-wise; what's to keep people
from popping a USB drive into a USB slot, copying corporate data and
walking out the door? For the USB-paranoid, SP2 includes an ability
to let users read data from a USB drive, but not write data to that
drive. It's a simple Registry change. First, create a whole
new key: HKLM\System\CurrentControlSet\Control\StorageDevicePolicies.
Then create a REG_DWORD entry in it called WriteProtect. Set it to 1
and you'll be able to read from USB drives but not write to them.
Wireless Networks
Wireless connections get a sprucing-up with a new system tray icon,
more attractive tiles representing available wireless networks, and a
better ability to choose preferred wireless network IDs (SSIDs).
Also there's a nifty Wireless Network Setup Wizard. It lets you
punch in your wireless network's SSID and your WEP code. The Wizard
then stores the SSID and WEP code in a program on a USB thumb drive.
(Clearly this assumes that you've not installed the "make USB drives
read-only" Registry hack above.) It also installs an autorun.inf file on the USB drive.
Shove the drive into an XP box and the autorun.inf file will start up,
setting your SSID (which is not a big deal) and WEP code (which is a great
convenience) on the system. I didn't bother with WEP on my network
before, as punching in WEP codes is a pain. Now it's a snap.
Bluetooth
Now XP gets native Bluetooth support. But it only works if your
Bluetooth device has a chipset that SP2 includes a driver for, and my
Presario X1000's Bluetooth hardware isn't included on the list so I can't
report how good or bad it is.
Windows Update
The Windows Update client got smarter in anticipation of Windows Update
Services (once known as SUS 2.0) but that server's been put off until
summer 2005. Nevertheless, the new client gives you some features
that you needn't wait for 2005 to see in action. You can use the new
group policy settings to tell Windows Update to
- Check for patches more often than its default of once every roughly
20 hours
- Immediately install patches that do not require a reboot
- Control the reboot behavior (when a reboot is necessary) more
closely
Patches
With SP2, Microsoft has overhauled the patching engine. It now
accepts a wider set of options, including a really neat one --
/integrate. That option lets you pre-install a patch into an I386
directory, so now we can slipstream both patches and service packs.
And the slipstream option's irritating habit of simply assuming that your
directory's name ended with "I386" has changed; you can now
store your installation files in a directory with any name that you
choose. Ever worried when installing a patch that you were
overwriting a newer patch? SP2's patch engine and Installer 3.0
keeps that from happening. Try to install an older patch atop a
newer one (or atop a newer service pack) and it'll ignore you.
Best Bets For Success with SP2
First of all, as I've already said, test your apps before you roll out
SP2. Second, follow the same common sense that's worked well in the
NT world for ages -- before you install SP2 on your system, go out to your
vendor's Web sites and get the latest drivers onto your system.
Reboot the system to ensure that the new drivers don't blue screen you; if
they do, then use Driver Rollback. Once you've got your drivers up
to date and your apps tested, then put SP2 on and I think you'll like it.
And if you can, then try to join me at one of the locations where I'll
be doing my SP2 talks this fall. Speaking of which...
Conferences
Join me at one of these great shows.
TechMentor San Jose, September 27-Oct 1
101 Communications' semi-annual geekfest comes to one of the true
Meccas for us geek types -- San Jose. Everything you ever needed to
know about getting your networks running and keeping them running from
some of the smartest people in the business... and me too. The
program's available at www.techmentorevents.com.
IT Infrastructure Management Conference & Expo 2004
The Help Desk Institute's running their second annual week of
presentations for techies, and they've asked me to do my day-long security
class, as well as a short talk on the current state of the Windows
world. More info at http://www.thinkhdi.com/itim2004/
-- join us in Vegas for some geekin' out. (Since Fall Comdex isn't
going to happen this year.)
Windows Connections October 24-27, Orlando
The magazine that I write for, Windows and .NET Magazine (soon to be
renamed "Windows IT Pro Magazine"), holds its
next Windows Magazine Live! conference in The Land Of The Mouse this
October. It's a jam-packed set of great talks by some great speakers
including some of the Microsoft tech world's foremost megacephaloids like Mark
Russinovich, IIS Answer Man Brett Hill, Uberscripter Bob Wells, Steve
Riley and Mike Danseglio (imagine, they got all three of
Microsoft's best speakers) and more — great speakers all and really smart
guys. I'm also doing talks on XP's SP2, Software Update Services,
and XP goodies. Watch http://www.winconnections.com/ for more info on this show.
Bring Mark to your site to teach
I'm keeping busy doing Active Directory and Security seminars and writing,
but I've still got time to visit your firm. In just two days, I'll
make your current NT techies into 2000, XP, Active Directory and 2003
experts. (And better yet, they won't have to sit through any
Redmondian propaganda.) To join the large educational,
pharmaceutical, agricultural, aerospace, utility, banking, government,
telecommunication, law enforcement, publishing, transportation, and other
organizations that I've assisted, either take a peek at the course
outlines at www.minasi.com/presentations.htm, mail our assistant
Jean Snead at Assistant@Minasi.com, or call her
at (757) 426-1431 (only between 11-5 Eastern time, weekdays, please).
Until Next Month...
Have a quiet and safe month.
Please share this newsletter; I'd like very much to expand this
periodical into a useful source of NT/2000/2003/XP information.
Please forward it to any associates who might find it helpful, and accept
my thanks. We are now at over 30,000 subscribers and I hope to use
this to get information to every single Mastering 2003, XP, NT and 2000
Server reader. Thanks for letting me visit with you, and take care.
Many, many thanks to the readers who have mailed me to offer suggestions,
errata, and those kind reviews. As always, I'm at http://www.minasi.com/gethelp and
please join us at the Forum with technical questions at www.minasi.com/forum.
All contents copyright 2004 Mark Minasi. You are encouraged to quote
this material, SO LONG as you include this entire document;
thanks.