Virus & Security Hitlist [All]
  Worm-type viruses: Nimda, Code Blue, Code Red, etc... [NT, 2000]
  Are you SURE you're not running IIS?
  Traditional viruses: Does anyone remember SirCam? [All]
  Top viruses in the wild: useful information available from anti-virus software vendors [Network Administrators]
  Information for small-business and home users - where to get free virus scans, and what to buy for continuous protection [Home, Small Business]
Microsoft security tools & updates [All]
  New tool available from Microsoft to help secure IIS servers with latest hotfixes (HFNETCHK.EXE) [IIS Administrators]
  New: Microsoft Personal Security Advisor for any NT/2000 server (doesn't cover IIS) [NT, 2000]
  windowsupdate.microsoft.com [All]
  Recap of Microsoft-supplied security tools & websites [All]
Newsbites
  Gartner Group recommends moving away from IIS entirely [NT, 2000]
  ALERT!: GroupWise security alert from Novell - requires immediate action for GroupWise 5.5ep or above [GroupWise Administrators]
Information about my services [All]
  Who is this guy?
  What is this all about?
Fun & Cool [All]
  WindowsRG (Really Good)
  Bad Candy
  Dilbert's Ultimate Cubicle
Key: [NT, 2000] affects users of Windows NT or Windows 2000, [Administrators] is primarily of interest to LAN administrators, [All] is of interest to everyone, etc.
Welcome once again to the bdpnetworks monthly newsletter. Thanks to everyone who had great comments about the first issue. I really appreciate the positive feedback. I started this newsletter to raise awareness about the services I can provide for companies of any size by giving away useful information in a condensed format that you may not normally encounter.
As Nimda is expected to resurface on September 28th at 1am EDT, I really think the information on Nimda is most important right now. Look for a follow-up issue in a week or so with more news not related to computer viruses.
As always, if you have any questions or comments about anything at all, please don't hesitate to contact me at info@bdpnetworks.com. For more information on bdpnetworks, please see the section below entitled Information about bdpnetworks. Thanks again for reading!
P.S. I apologize for the lateness of this issue. I had originally planned to send it out on September 12th. News of the attacks on September 11th was immediately followed by a previously-scheduled trip to San Francisco (which ended up being a 2000 mile road trip from Seattle) so I got sidetracked and everything was pushed back. I feel it would be wrong to completely ignore the issue and pretend that nothing happened, but since I am just a computer guy I am not equipped to say anything useful about the tragedy that hasn't already been said countless times. My deepest condolences go out to everyone affected by this horrific event (and I believe it affects everyone at this point.)
There has been a flurry of new computer virus/worm activity lately... Nimda (that's "Admin" spelled backwards...) has been one of the most aggressive viruses/worms ever to spread through the Internet. As I speculated in issue #1, it is only going to get worse. Nimda spreads through e-mail (primarily via the Microsoft Outlook e-mail program), through Microsoft Internet Information Server (IIS) web servers, and from infected web servers to the people who visit them through Internet Explorer. It replaces legitimate files with copies of itself and actually creates new security holes in your system by opening up drive C: as a world-writable share. This is pretty bad stuff, and Code Red looks like a mild nuisance in comparison.
To protect yourself from Nimda right now, you need to do a few things:
Secure your IIS servers with the latest patches (see HFNETCHK.EXE under Security Tools & Updates) [Administrators]
At least for the time being, set your Internet Explorer web browser's security to "High." You can find this under Tools -> Internet Options -> Security. (Note that this may cause problems with viewing some websites, but is safest for browsing unknown websites.) [Everyone]
Visit Windows Update and download all of the latest Critical Updates. (see Windows Update under Security Tools & Updates) [Everyone]
And most importantly, keep your virus protection software up to date with the latest signature files! (See "Information for small-business and home users" below.) [Everyone]
For a tool that will remove Nimda from your system, you can use the free one provided by Symantec, located here:
http://securityresponse.symantec.com/avcenter/venc/data/w32.nimda.a@mm.removal.tool.html
Before Nimda, it was clear that many administrators were still not doing anything to patch their servers against Code Red. Now it has become obvious that companies that even attempt to keep their IIS servers up-to-date can still be compromised by viruses that take advantage of security exploits before Microsoft can even release a patch! Yes, keeping IIS patched is starting to look like a full-time job. It's the reason why the Gartner Group is recommending companies move away from using IIS completely. (More about this in Newsbites)
Many companies do not have the option of moving away from IIS right away because their infrastructure is tied so closely to it. If you must continue to run IIS, I have put together a list of resources (including the new HFNETCHK tool) for you to use to keep those systems patched up. You can view it under the heading Microsoft security tools & updates in this issue.
For more information on Nimda, you can visit these sites:
http://www.microsoft.com/technet/security/topics/Nimda.asp
http://www.sarc.com/avcenter/venc/data/w32.nimda.a@mm.html
In addition to servers, many people may not realize that their workstations running Windows 2000 or NT 4.0 may also be affected by Code Red, Nimda and other worms because Microsoft Internet Information Server (IIS) is often installed on these systems as well. If you have Windows 2000 or Windows NT installed on any computer, you should check to see if IIS is installed and take appropriate measures to patch your system. For instructions on how to check to see if IIS is running on your computer, please refer back to newsletter #1 at this location:
http://www.bdpnetworks.com/nl/nl01.html#codered
With all of the hoopla about Code Red a few weeks ago, most people promptly forgot about SirCam. This is a common virus that, like many others, will spread through Microsoft Outlook. Why is Microsoft Outlook so commonly attacked? Because it exposes mechanisms that let a script (in this case, one delivered inside an e-mail message) directly call functions in the program, such as reading your address book or sending copies of itself to others. In this case, SirCam mails itself to users in a person's Outlook address book along with random documents from the sender's hard drive.
Unlike Code Red, you don't need to patch your systems to combat this common virus. You simply need to have a reasonably good virus protection package installed with current virus signatures, which tell the software what to look for and how to remove it.
Good corporate packages include products from Symantec, McAfee and Trend Micro. All three offer some of the same features, but some excel in certain areas and others yet need work. If you are interested in learning the strengths and weaknesses of these products based on my experience in large corporate environments, please give me a call at (206)351-7964, or contact me through my web page at http://www.bdpnetworks.com/contact.html. The best product for your environment depends on your mix of servers and the types of management & reporting you require.
For small businesses or home users, see the section called "Information for small-business and home users" below.
You may not know that many manufacturers of anti-virus software have excellent resources available that list the most common viruses "in the wild" along with encyclopedias of viruses (virii?) complete with information about what they do and what needs to be done to remove them. The three companies I'm most familiar with are Symantec (Norton), McAfee & Trend Micro.
For information about the most common viruses along with alerts and warnings about new threats, you can visit some of the following links:
| Company | Top viruses & threats | Virus encyclopedia & reference |
| --- | --- | --- |
| Symantec | http://www.sarc.com/ | http://www.sarc.com/avcenter/vinfodb.html |
| McAfee | http://vil.mcafee.com/topVirus.asp | http://vil.mcafee.com/default.asp? |
| Trend Micro | http://wtc.trendmicro.com/wtc/ | http://www.antivirus.com/vinfo/virusencyclo/ |
Most of these companies also have e-mail lists you can sign up for that will alert you when there are outbreaks of new viruses.
Many home users and small business owners often ignore virus protection completely simply because they don't know enough about it... If you don't already have good, continuous virus protection, there are a number of web-based tools that will scan your system "on demand" for viruses. (Note that these tools may require Internet Explorer 5.5 or later installed on your computer. You can visit Windows Update to install this which I will describe later.) These services are not always perfect, so I've included three of them so you can get a second opinion.
Symantec offers both a virus scan & Internet security scan from their website. The virus scan may not cure anything it finds so you may have to download the evaluation edition of Norton AntiVirus or Norton Internet Security to do this. You can get to their free service at this link:
http://security1.norton.com/us/home.asp?j=1&langid=us&venid=sym&plfid=22&pkj=DCWGORVWHFHMFNZMBBX
McAfee offers a similar service, but you'll need to register first before you can use it:
http://www.mcafee.com/login_page.asp?a=ok
Finally, Trend Micro offers PC House Call, a free service that does not require registration. You can access it here:
http://housecall.antivirus.com/housecall/start_pcc.asp
None of these links are a replacement for continuously active virus protection software. If you don't already have good virus protection, you really need to get some. Viruses are coming out faster and faster these days, and I suspect they'll just get bigger and more destructive. It's not going to get any better anytime soon. If you have high-speed Internet access through a Cable modem or DSL, it only increases your risk to new threats.
If you are in the market for a good personal virus protection package at home, I recommend Norton Internet Security 2002 for Windows based on what I know about it and based on Symantec's overall track record. It combines virus protection with a built-in Internet firewall and is easy to set up and use. It also has the ability to block pop-up ads! Like other Norton products, it's a bit heavy on resources though, so it could slow you down if you own a computer that is more than a few years old. Symantec is offering a $30 rebate on it right now, so you can follow this link to order it from Amazon.com:
http://www.amazon.com/exec/obidos/ASIN/B00005N6K4/bdpnetworks-20
Again, if you're a business user looking for a good virus protection system or are trying to integrate several existing packages, Norton Internet Security 2002 is probably not the right solution for you if you have more than a few PCs. Please give me a call at (206)351-7964, or contact me through my web page at http://www.bdpnetworks.com/contact.html.
If you are a home or small-business user and have a story to tell about your virus protection software's effectiveness, please let me know about it & I'll use it in the next newsletter.
I have listed most of the current Microsoft-provided security & patching tools here for your benefit:
[IIS] If you are running Internet Information Server on Windows NT or Windows 2000, use this tool (HFNETCHK) to check to make sure you have the latest hotfixes:
http://support.microsoft.com/support/kb/articles/q303/2/15.asp?id=303215&sd=tech
[Windows NT, Windows 2000] If you are running Windows NT 4.0 or Windows 2000, use this tool to check for other hotfixes and security issues not related to IIS:
http://www.microsoft.com/technet/mpsa/start.asp
[All Microsoft products] And if you are running ANY Microsoft operating system, use this tool to check for everything else:
http://windowsupdate.microsoft.com
I've described each tool in more detail below.
If you need to continue to run IIS, Microsoft has released an automated tool that will tell you if your patches are out of date on your IIS servers. The tool is called HFNETCHK.EXE and is available through this link:
http://support.microsoft.com/support/kb/articles/q303/2/15.asp?id=303215&sd=tech
I have tried using the tool on my own systems and found that it picks up on many hotfixes not already covered by the Windows Update web site (see below). Give it a shot--you may be surprised at the results.
Microsoft has just announced a new service called the Personal Security Advisor. The Personal Security Advisor is a very interesting and thorough tool. It checks for overly-permissive registry entries, easy-to-guess passwords & a number of other things not normally covered by simple hotfixes. This service is web-based, and applies to any computer running Windows NT or Windows 2000. You can access it (with Internet Explorer 5.5 or above) at this link:
http://www.microsoft.com/technet/mpsa/start.asp
If you have not used Windows Update before, you should start getting in the habit of checking it once in a while. Go to http://windowsupdate.microsoft.com (with Internet Explorer) and download all of the Critical Updates. This service is extremely easy to use and will help safeguard your computer from attacks. (Note that it will NOT protect against regular viruses--you will still need a separate virus protection package for that.)
If your computer is often connected to the Internet, there is a Critical Update Notification tool that you can install from Windows Update that will notify you when there are new critical updates to download.
This service applies to anyone using ANY 32-bit version of a Windows operating system. This includes Windows 95, Windows 98, Windows ME, Windows 2000, Windows NT 4.0 and Windows XP. If you are in a corporate environment and Windows Update shows critical updates for your machine, ask your system administrator for help before installing them.
http://windowsupdate.microsoft.com
There is at least one other tool Microsoft is working on called URLScan that will fit between the IIS server and the web browser requesting information. It scans for invalid HTTP requests such as the ones generated by Nimda & Code Red. This is not really a patch, it's more of a crutch. I have not yet had a chance to evaluate it, but you may find it useful so I'm including the link here:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/URLscan.asp
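To show what a filter of this kind actually does when it sits in front of a web server, here is an added Python example (written for this page; it is not Microsoft's URLScan and not the newsletter author's code) that rejects requests by their shape: traversal sequences, including percent-encoded and double-encoded ones, malformed encodings, denied executable extensions and oversized URLs. The length limit, the extension list and every sample request are constructed assumptions, not captured traffic.

```python
"""URLScan-style request filter (added example; assumptions marked below)."""
from collections import Counter
from posixpath import splitext
from typing import Dict, List, Tuple
from urllib.parse import unquote

ALLOWED_VERBS = {"GET", "HEAD", "POST"}
MAX_URL_LENGTH = 1024                                                 # assumption
DENIED_EXTENSIONS = {".exe", ".com", ".bat", ".cmd", ".ida", ".idq"}  # assumption


def decode_path(raw_url: str) -> str:
    """Percent-decode the path part until it stops changing (bounded), then
    turn backslashes into slashes, so that "..", "..%5c" and "%252e%252e"
    are all spelled the same way before the checks below look at them."""
    path = raw_url.split("?", 1)[0]
    for _ in range(3):               # three rounds cover double encoding
        decoded = unquote(path)      # invalid UTF-8 bytes become U+FFFD
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def check_request(verb: str, raw_url: str) -> Tuple[bool, str]:
    """Return (allowed, reason). Every rule is a generic shape check; the
    filter never needs to know what any particular worm sends."""
    if verb.upper() not in ALLOWED_VERBS:
        return False, "verb not allowed"
    if len(raw_url) > MAX_URL_LENGTH:   # oversized requests aimed at buffer bugs
        return False, "URL too long"
    path = decode_path(raw_url)
    if "\ufffd" in path or any(ord(ch) > 127 for ch in path):
        return False, "malformed or non-ASCII encoding in path"
    segments = path.split("/")
    if ".." in segments or "." in segments:
        return False, "path traversal"
    if splitext(segments[-1])[1].lower() in DENIED_EXTENSIONS:
        return False, "denied file extension"
    return True, "ok"


# Constructed sample requests (verb, URL) for the demonstration.
SAMPLE_REQUESTS: List[Tuple[str, str]] = [
    ("GET", "/index.html"),
    ("POST", "/forms/submit.asp"),
    ("GET", "/scripts/..%5c..%5ctools/run.exe?/c+dir"),  # encoded backslash traversal
    ("GET", "/cgi/..%c0%af../data.txt"),                  # overlong UTF-8 "/"
    ("GET", "/%252e%252e/private/config.txt"),            # double-encoded ".."
    ("GET", "/index.ida?" + "X" * 1500),                  # oversized query string
    ("GET", "/tools/run.exe"),                            # denied extension
    ("TRACE", "/"),                                       # verb not in allow list
]


def summarise(requests: List[Tuple[str, str]]) -> Dict[str, int]:
    """Count how many requests fell under each allow/deny reason."""
    return dict(Counter(check_request(v, u)[1] for v, u in requests))


if __name__ == "__main__":
    for verb, url in SAMPLE_REQUESTS:
        allowed, reason = check_request(verb, url)
        print(f"{'ALLOW' if allowed else 'DENY '} {verb:5} {url[:44]:44} {reason}")
    print(summarise(SAMPLE_REQUESTS))
```

Because the rules look at the shape of the request rather than at a signature, a probe that is re-encoded or renamed is still denied, which is why such a filter buys time ahead of patching but never replaces it.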
Microsoft has made available some powerful tools to help prevent the spread of worms such as Nimda. You should seek them out and use them regularly.
As always, if you need help with any of these tools, or even help with selecting or managing your virus protection software, please give me a call at (206)351-7964, or contact me through my web page at http://www.bdpnetworks.com/contact.html - There are additional ways to protect your systems from worms, viruses & outside invaders, and we can help get you set up with the right combination of services for your needs.
The Gartner Group is a consulting firm that has been around for many years. They make recommendations based on product testing & calculate the ROI (Return on Investment) of software based on how much productivity it generates. Software that requires lots of upkeep generally scores a low ROI, which means it may cost a company more to use it than competing packages.
I was surprised to learn that they have officially recommended that companies now move away from Microsoft Internet Information Server. The Gartner Group is generally quite conservative about their recommendations, and will often recommend that people stick with their old software until there is a clear reason to upgrade or move to a different platform. But with all of the recent security problems and worms that are spreading through IIS, they are recommending that companies replace IIS with a different product entirely, such as Apache or iPlanet. They say that Microsoft is working on a complete rewrite of IIS which won't be available until the end of 2002.
Here's an excerpt from the recommendation:
Gartner recommends that enterprises hit by both Code Red and Nimda immediately investigate alternatives to IIS, including moving Web applications to Web server software from other vendors, such as iPlanet and Apache. Although these Web servers have required some security patches, they have much better security records than IIS and are not under active attack by the vast number of virus and worm writers. Gartner remains concerned that viruses and worms will continue to attack IIS until Microsoft has released a completely rewritten, thoroughly and publicly tested, new release of IIS. Sufficient operational testing should follow to ensure that the initial wave of security vulnerabilities every software product experiences has been uncovered and fixed. This move should include any Microsoft .NET Web services, which requires the use of IIS. Gartner believes that this rewriting will not occur before year-end 2002 (0.8 probability).
You can view the entire document, written by John Pescatore, by following this link:
http://www3.gartner.com/DisplayDocument?doc_cd=101034
So what should you use for 95% of all cases? Look at Apache on Linux - it is fast, tight and very well-supported. And free! It has even been ported to several operating systems, so you can still run it on Windows NT or Windows 2000 (or even Novell Netware 5 now!) if you'd prefer. This is also a great program to play with if you are a hobbyist who wants more experience with web servers. Learn about (and download) Apache by going to their website:
http://www.apache.org
Many companies think they have to keep IIS around so they can run their Active Server Pages (ASP), a technology created by Microsoft that allows people to easily write "dynamic" web pages. This is not the case, because there are several free packages that plug into Apache that enable it to use .ASP files. One of the more popular ones is located here:
http://www.nodeworks.com/asp/
Novell has identified a security problem with the GroupWise 5.5 Enhancement Pack server agents and clients, and has published patches that will eliminate the problem. They are not yet releasing details about the hole in order to give administrators plenty of time to act.
The fix is called the "GroupWise Padlock Fix." It and some supporting tools that will detect any non-padlocked clients still running on your network are available at this location:
http://support.novell.com/padlock/
Novell insists that this patch be applied to all servers and clients immediately.
If you are running any version of GroupWise 5.5 without the Enhancement Pack or older, you are not affected by this security bulletin.
If you have read this far, THANK YOU! This newsletter is the culmination of an idea I had a long time ago and now finally have the time (and drive) to implement.
bdpnetworks (located in Seattle, WA) is owned and managed by myself, and I maintain a network of contacts with other independent computer consultants and support firms for subcontracting purposes. I've been doing this consulting thing for quite a while as an employee of other computer service companies. While my experiences were very enriching, I've generally been frustrated by the lack of consistency or innovation at those companies & the overhead a lot of them carry. I think I can do a better job by myself at a lower cost, so I formed bdpnetworks in June.
I intend to start by simply doing what I'm best at: helping people to get their networks to run more smoothly so they can concentrate on other things. Unfortunately, I've seen way too many companies that simply don't have adequate network support. A lot of companies are pouring vast sums of money into their infrastructure just to keep it stable, let alone add value or features to it. This doesn't have to be the case; I have the experience necessary to help get these networks running well again & know how to add innovative features onto them that will benefit everyone.
My focus now is primarily on small businesses in and around the Seattle area. I enjoy working with small companies and am looking forward to forming new relationships, especially with companies near my Capitol Hill office.
I offer a free one-hour onsite consultation to new clients, so you have NO RISK! If you would like to set up an appointment, give me a call at (206)351-7964 or e-mail me at bdp@bdpnetworks.com
For more information, please visit my website at http://www.bdpnetworks.com
This is a guide to the terminology used on Microsoft's campus in Redmond. It is a revealing look at a very unique corporate culture...
http://www.microsoft.com/READER/includes/MicroSpeak.lit
Note: You'll need to install the Microsoft Reader program to view this file. You can obtain it by going here:
http://www.microsoft.com/reader/download.asp
No, it's not quite New Technology. There's a rumor that this is the successor to Windows XP... it's still a little rough around the edges, though.
http://www.bdpnetworks.com/fun/winrg.swf
A shrine to candy that should not have been produced.
http://www.bad-candy.com/
Scott Adams & the Ideo design firm team up to build the "ideal" cubicle. Here's the news item:
http://www.dilbert.com/comics/dilbert/cube/index.html
And more pictures of the actual model:
http://www.ideo.com/dilbert/index.htm
(c)2001 Brian Place for bdp networks. All Rights Reserved.
Feel free to forward a copy of this to whomever you wish; please leave the contents intact.
If you would like to subscribe or unsubscribe to this newsletter, please send e-mail to subscribe@bdpnetworks.com or unsubscribe@bdpnetworks.com - don't worry about the format of your message because the requests are read by a real, live human being.
Questions, comments, concerns or flames may be directed to newsletter@bdpnetworks.com
Thank you for reading!
INFORMATION PROVIDED IN THIS DOCUMENT IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND FREEDOM FROM INFRINGEMENT. NEITHER BRIAN PLACE NOR BDPNETWORKS TAKE ANY RESPONSIBILITY FOR ANY NEGATIVE CONSEQUENCES RESULTING FROM THE USE OF ANY OF THE INFORMATION CONTAINED IN THIS DOCUMENT. BRIAN PLACE WILL GLADLY TAKE RESPONSIBILITY FOR ANY POSITIVE OUTCOMES INFLUENCED BY THIS INFORMATION--PLEASE E-MAIL HIM IF THIS IS THE CASE.