Feb 15, 1997


Sunbelt Windows NTools(tm) Electronic Newsletter
Vol. 2, # 4
USA: www.ntsoftdist.com
EUROPE: www.sunbelt.co.uk

Sunbelt Windows NTools E-News is the world's largest E-newsletter
designed for NT System Managers that have the job of getting and
keeping WinNT up & running in a production environment. Sunbelt
launched this electronic newsletter so that we could keep members
of the Windows NT community informed and aware of what is happening
with 3rd party NT System Management Tools, and to provide hints and
tips that will enable you to better understand and utilize Windows NT.
You'll find general Windows NTools related and third party news,
technical information, and 3rd party beta and release information.
By subscribing to NTools E-News, you are also a charter member of the
Sunbelt Field Test Bonus Program. Sunbelt Software is the first and
largest distributor worldwide of Third Party System Management Tools
for Windows NT.

This Issue of Windows NTools(tm) E-News contains:

1. "EDITORS CORNER"

2. "TECH BRIEFINGS"
* NT SECURITY CHECKPOINTS

3. "NT RELATED NEWS"
* MICROSOFT ACTIVE DIRECTORY TO HIT STREETS YEAR END
* MICROSOFT NT SERVER OUTSHIPS NOVELL 6 to 1 !!!
* NEW WEBSITE (JOB BANK) FOR NT SPECIALISTS

4. "THIRD PARTY NEWS"
* OCTOPUS, DEFRAGMENTATION AND QUOTA MANAGEMENT
* OOPS, FORGOT URL FOR SPEEDISK DOWNLOAD
* DISKEEPER DROPS PRICES
* SELECTIVE SECURITY AUDITING IN NT DOMAINS
* NEW PRODUCT ANNOUNCEMENT
* ENCRYPT YOUR NT DISK DATA IN REAL TIME

5. "HINTS AND TIPS"
"JARGON ALERT & DID YOU KNOW?"
* THE LATEST SYSTEM ADMIN JARGON
* POLICY, SCHMOLICY
* TO PC OR TO NC?
* FREE FAX FOR NTWS... (or also SV?)
* 73 HINTS AND TIPS ALL AT THE SAME PLACE

6. "HOW TO USE THE MAILING LIST"
*Instructions on how to subscribe, sign off
and change addresses.



"EDITORS CORNER"
Last issue we discussed the fact that NT was not all roses yet,
and that the stern school of mini and mainframe mission critical
application management needs to be applied to NT: backups, repair
disks, and fallback procedures are always essential. This issue
we'll focus on security, which is becoming more and more of a
concern with fast growing networks.

But, this is an alive, growing, young and enthusiastic
environment where a LOT is going on. So this issue is again
full of new stuff, new releases, and other important NT
related news. I think if we all combine the experience we now
have in the computing field with the power of NT we will create
killer networks that are actually easy to manage and sometimes
even fun to work with <grin>.

So here goes the next issue with a focus on NT security and a
bunch of hints & tips to keep intrusions to a minimum.

Let's get busy!

Warm regards,

Stu

*************************************************************************
2. "TECH BRIEFINGS"


* NT SECURITY CHECKPOINTS

In a recent Computer Security Institute survey, 42% of the
respondents said they had experienced an intrusion or some
unauthorized use of their systems last year. And you need
to be aware that these are the people who _admitted_ the
intrusions, because security breaches are known to be very
underreported. And Datapro reported in 1996 in an International
Survey on Information Security that 57% of those reporting
security incidents said the perpetrators were current employees.

The main things that you are going to be looking out for are
data theft from inside and outside, viruses, password exposure
and malicious code. NT has a series of security features built
in, but you need to be sure they are turned on and implemented well.

So here are 16 points you can use as a security checklist.
Read them and mentally assess what your security report card
would look like. Essentially NT comes out of the box in a trusting
mode, so you have to _give_ it paranoia!

1. Use NTFS, not FAT. NTFS can apply Access Control Lists (ACL)
to files and directories, so use NTFS especially on machines
linked to the 'net.

2. NT has the equivalent of a network burglar alarm called
Account Lockout that you should always activate. If Account
Lockout is turned off, an intruder could attempt to crack
passwords without any restraint.

3. Rename the Administrative Account, as this account is exempt
from the Account Lockout in #2.

4. Make sure that the number of users with administrator
privileges is appropriate to your company size. Too many
people with the key to the cash box is asking for trouble.

5. Turn On Auditing. In the User Manager, the Policies >
Audit menu gets you a screen that controls auditable events.
You need to get enough information but not too much. You
can track successful operations like File Access, Use of
User rights and Process Tracking but the storage requirements
are massive. Tools like SeNTry would help in this area.

6. NT provides for two types of trust relationships--one way
and two way--between domains. This whole issue of trust
relationships can quickly become complicated as the number
of trusted domains grows. You want to manage and monitor trust
relationships regularly to make sure users in all domains are
doing what your company security policy intends them to do.

7. Disable NetBIOS over TCP/IP if possible. You can go to the
Bindings dialog box in the Networks Control panel and disable
any or all of the bindings between NetBIOS services and TCP/IP.

8. Block Nonessential Inbound TCP/IP Ports, so that a hacker
who has come in through the back door cannot re-enable the
NBT bindings you just disabled.

9. You must be able to assess security for all of the domains
under your responsibility. Periodically verify that your access
privileges are adequate for your security beat.

10. Revoke the "Access From Network" Privilege. You can do this
and block all Windows Networking services - but still support
a Web service. You could grant only your personal administrative
account the Access from Network right.

11. Make sure that all of NT's password control features have
been implemented. That includes requiring users to have hacker-
proof passwords; forcing users to change their passwords at
regular intervals; hiding the last username to login; and giving
users the option of changing their passwords on their own.

12. Periodically check the system for user accounts that are
inactive and disable them. There might be users such as
consultants who were given access to the system but who are no
longer working for the organization.

13. Display a legal notice on every workstation that warns
intruders that access to the system is limited only to employees
and other authorized users and that unauthorized attempts to access the
system carry legal liabilities.

14. Make sure users know that they should not leave their workstations
turned on and unattended. If they plan to step away for a few
minutes, they should know to lock their screens by pressing
Control-Alt-Delete. But many users fail to remember this, so a
useful security utility like Fortress-NT will do this for them.

15. The Guest user ID is created by default when you install
Windows NT. If you do not need to permit Guest users on your system,
remove or disable the Guest ID from the system and setup a unique user
ID for each person who must access your system temporarily.

16. To recap, NT has many robust security features but you must verify
they are turned on and properly configured. Auditing tools such as
the Kane Security Analyst from Intrusion Detection, Inc. can provide a
helping hand with the pressing demands of system and network security
administration. The product automatically performs a thorough check of
your system's security configuration and pinpoints potential loopholes.
For more info on this last tool: http://www.ntsoftdist.com/ksa.htm

(Thanks to Jon Udell, Steve Turcich, Andy Baron and Dave Kane who are
all NT Security Experts and have published about this topic)
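
Checklist items 2 and 11 can be verified from the text that the `net accounts` command prints. The Python script below is an added example, not part of the original newsletter and not code from Sunbelt or any vendor named here; the sample text is constructed in the layout of `net accounts` output, the policy numbers are assumed site values (the checklist gives none), and the function names are this example's own.

```python
import re

# Constructed sample laid out like `net accounts` output on a machine left at
# its defaults; it is not captured from a real system.
SAMPLE_DEFAULT = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          42
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        WORKSTATION
The command completed successfully.
"""

# Assumed site policy; the checklist itself gives no numbers.
MIN_LENGTH = 8            # shortest acceptable password
MAX_AGE_DAYS = 90         # longest interval between forced changes
MAX_BAD_LOGONS = 5        # failed logons allowed before lockout


def parse_net_accounts(text):
    """Return {lower-cased label: value} for every 'label:   value' line."""
    settings = {}
    for line in text.splitlines():
        match = re.match(r"^(.+?):\s+(\S.*)$", line)
        if match:
            settings[match.group(1).strip().lower()] = match.group(2).strip()
    return settings


def as_number(value):
    """Integer value, or None when the control is off (Never/None/Unlimited)
    or the line is missing from the output."""
    return int(value) if value is not None and value.isdigit() else None


def audit(text):
    """Return a list of (checklist item, finding) tuples; empty means pass."""
    s = parse_net_accounts(text)
    findings = []

    threshold = as_number(s.get("lockout threshold"))
    if not threshold:  # None ("Never"/missing) or 0 both mean no lockout
        findings.append((2, "Account Lockout is not enabled"))
    elif threshold > MAX_BAD_LOGONS:
        findings.append((2, f"lockout only after {threshold} bad logons"))

    length = as_number(s.get("minimum password length")) or 0
    if length < MIN_LENGTH:
        findings.append((11, f"minimum password length is {length}"))

    max_age = as_number(s.get("maximum password age (days)"))
    if max_age is None or max_age > MAX_AGE_DAYS:
        findings.append((11, "passwords are not changed at regular intervals"))

    if as_number(s.get("length of password history maintained")) is None:
        findings.append((11, "no password history, old passwords can be reused"))
    return findings


if __name__ == "__main__":
    for item, finding in audit(SAMPLE_DEFAULT):
        print(f"checklist item {item}: {finding}")
```

On a live machine, pass `audit()` the captured output of `net accounts` instead of the constructed sample.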

**********************************************************************
3. "NT RELATED NEWS"

* MICROSOFT ACTIVE DIRECTORY TO HIT STREETS YEAR END

If Microsoft makes its published schedule, Windows NT Server 5.0, code-
named Cairo, and its advanced Active Directory will ship by year's end.

The Active Directory is Microsoft's full-blown enterprise services
mechanism. It is created to remove the limitations of the current domain
name services (DNS) in NT 3.51 and 4.0 and ease NT Server administration
on an enterprise level. It will support several standards, and will
allow electronic-mail and other directories to share user information,
including X.500 and the Internet Engineering Task Force's Lightweight
Directory Access Protocol (LDAP).

Not having this functionality is the one big, ongoing weakness that
hampers Windows NT Server's scalability and deployment as an enterprise
server in Fortune 500 accounts. We expect that NT will be embraced
completely the moment this technology has proven to work and be stable.
-------------------------------

* MICROSOFT NT SERVER OUTSHIPS NOVELL 6 to 1 !!!

Microsoft announced new data showing that the NT was the world's best-
selling server operating system in 1996. With its built-in Web server,
Internet Information Server (IIS), Windows NT Server is the leading
platform for intranets and the Internet.

According to the latest sales report from International Data Corp., sales
of Windows NT Server grew by 85 percent in 1996, or about six times the rate
of Novell NetWare. In another analysis, done by Computer Intelligence (CI)
based on its extensive surveys of users in the United States and Western
Europe, the rapid customer adoption of Windows NT Server has driven the
overall growth for network operating systems.

As stated before, we are on the right side of the product life cycle
bell curve my friends, and we have years of healthy growth and higher
income before us.

Market share of networks installed

Year    NetWare    Windows NT
1994    85%        9%
1995    79%        16%
1996    72%        25%
1997    66%        32% (Est.)


--------------------------------

* NEW WEBSITE (JOB BANK) FOR NT SPECIALISTS (MCP's)

Have a look at NTSpecialist, an innovative service developed
by NT Recruiters International. The service is intended to help
match Microsoft Certified Professionals with organizations in
need of technical specialists. The Web site offers a job and
resume bank for organizations and individuals respectively.
The service also offers Certified Professionals virtual career
development services by providing helpful links to resources
on the Net, and through its free monthly electronic newsletter.

Have a look at: http://www.ntspecialist.com/


4. "THIRD PARTY NEWS"

* OCTOPUS, DEFRAGMENTATION AND QUOTA MANAGEMENT
- When you are running Octopus, the best-selling solution for file
mirroring and fault tolerance, make SURE you do not defragment
the Octopus Data Directories. These files look like they are not
open, so a defragger will blissfully start to process them and
turn your valuable mirror files into slush. Exclude the Octopus
Data directories in your defragger options.
- When you want to make sure that Disk Quotas are being maintained
on both the Source and Target Servers, you need to have Quota
Manager running on BOTH servers. Modifications made by Quota
Manager to the files' ACLs are not mirrored to the target servers,
so the disk space needs to be kept under control on both sides.
Have a look over here for the latest V2.0 Octopus eval copy:
http://www.ntsoftdist.com/octopus.htm

-----------------------------

* OOPS, FORGOT URL FOR SPEEDISK DOWNLOAD

That's what happens when you are in a hurry and send an email
to over 14,500 people at the same time. A whole BUNCH remind
you of your stupidity <grin>
So the URL is http://www.ntsoftdist.com/speedisk.htm
-----------------------------

* DISKEEPER DROPS PRICES

In an expected marketing move, Executive Software has dropped
the prices for Diskeeper for NT Workstation significantly.
The old suggested retail price was $125, and is now $75. Volume
purchasing discounts have seen similar decreases. Give us a
call if you want to know more: 1-800-688-8404, or send an
email to ntsales@ntsoftdist.com
------------------------------


* SELECTIVE SECURITY AUDITING IN NT DOMAINS

QUESTION: You may say: We have an NT domain with 10 to 20 servers, but
want to audit just 3 of them. Can KSA accomplish this task?

ANSWER: If you would only like to assess 3 servers within a domain
you can do that very easily with the KSA for NT simply by auditing each
server individually rather than running an entire domain assessment.

However, we strongly recommend against this. By not assessing the
entire NT domain, you are missing out on several critical points of
entry into the network. As a result, the data received from only
assessing a few servers would not be complete.

Some information you would miss is:
- If passwords are scripted in clear text on the other machines
- The actual last login date (not replicated back to the PDC)
- If legal notice is displayed upon entering the network
- UPS status
- Audit configuration

All of this is critical security data. Of course the final decision
is up to you, but it makes a whole lot of sense to audit the whole
network with all servers.

KSA has also recently integrated Crystal Reports from Seagate with
its product. This means you can now generate your own customized
reports apart from the standard reports provided by KSA:

* User Rights * Group Membership
* New User Accounts * NT Services/NLMs
* Password Strength * Guest Account Status
* Auditing Status * Sensitive Systems Files Status
* Security Settings Status

Current KSA users can purchase the Crystal Reports module through
Sunbelt Software.
-----------------------------------


* NEW VERSION 2.0 ON SUPERCACHE

The Developers of SuperCache sent us the following news:

"We'll have SuperCache-NT V2.0-0 on our web site some time over the
weekend or the beginning of next week. It is currently for V4.0 of NT
only. We are still resolving some problems with 3.51. This version
removes almost all the restrictions that were on previous releases:-

Customers may now cache the system partition, and they can also cache the
partition on which the page file exists. This is particularly useful for
customers that only have one partition.

We've improved the efficiency of SC. This version is 25% faster than the
previous versions.

We've cut down on the cache overhead. V1.2-2 had a 3% size overhead which
meant that if a customer wanted to cache a large partition 3% of the size
of the partition was required for memory mapping before the cache buffers
could be allocated. This is now cut down to 0.4% overhead.

We recommend that customers have 15-20% of the size of the partition they
wish to cache in free memory. Remember that NT requires 16MB before it can
boot so urge people to get lots of memory.

We now support hardware raid.

We still do not support the following:-
using SC on the same partition as Diskeeper or Speed Disk.
using SC with software volume shadowing or striping.
using SC with NT clusters."

The New Version will shortly be on the Sunbelt Website as well.
------------------------------------

* NEW PRODUCT ANNOUNCEMENT:

Sunbelt proudly announces a new product that will be available for
download starting next Friday, Feb 21st, from our website. We will
send you a short <<E-NewsFlash>> to remind you. This is another
great time saver for overworked System Admins.

Network application developer Ilexis Inc. is announcing its
"File Rules" 1.02 file management authoring utility for Windows NT.

The software automates file management tasks on file servers and LANs
as well as across the Internet and corporate intranets, and saves a
significant amount of time compared to, for instance, command-line batch
files.

File Rules also allows system administrators to customize administration
rules for local or network drives. File Rules functions can be integrated
with World Wide Web browsers to enable file manipulation across the
Internet and intranets.

Users can run checks on global installations, to ensure complete file
transmission to all workstations; perform programming tasks directly from
Windows desktops; and receive real-time reports on network resource
allocation. Moreover, the developers are available to write
custom File Rules especially for your environment. Pricing: $595.95.
-----------------------------------

* ENCRYPT YOUR NT DISK DATA IN REAL TIME:

Soft Winter Corporation, February 10, 1997 released:
Shade - strong encryption software for Windows NT.

Shade allows you to create an encrypted disk device inside a file.
Such a device can then be formatted using any file system
(like NTFS or FAT) and used as a regular disk. The only difference
is that Shade will encrypt the data on every write operation
and decrypt it on every read operation.

To download go to: http://softwinter.bitbucket.co.il

Soft Winter Corporation, EMAIL: softwinter@post1.com


*********************************************************************
5. "HINTS AND TIPS"

Jargon Alert:

PEBCAK: System Administrator shorthand for "Problem Exists Between
Chair And Keyboard."

Bugs In Liveware: Definition, see PEBCAK

404: Someone who is clueless. Derived from the error message on
the Web "404 not found".

CHD: Short for "click here, dummy". Refers to much too simple
navigation hints for computer users that are supposed to be
stupid. Used in: "We need some CHD to explain how the pull down
menus work."
----------------------------

* POLICY, SCHMOLICY
The Policy Editor in NT 4.0 is supposed to let you restrict the
privileges of individuals, all users and/or groups. This means
if a user logs on to an NTSV they will be restricted by the
policies that affect the user in particular, the group the user
is in and all users. All well and good, but that is only theory.
In reality a policy written for an individual overrides all group
policies when they log on!
------------------------------

* TO PC OR TO NC?
The idea of the Network Computer comes from the same folks who a few
years ago predicted that in a few months we would all have video-on-
demand. Remember the magazines being full of that? Well I did not
get it, did you??
------------------------------

* FREE FAX FOR NTWS... or also SV?
One of our readers remarked that the free FAX he downloaded for
NTWS from Microsoft also worked fine on his NT Server. Anyone else
have some experience? Let me know at stus@ntsoftdist.com
------------------------------

* 73 HINTS AND TIPS ALL AT THE SAME PLACE

In the newsletter from Executive Software I found this little gem,
so had a look and found it was definitely worth it. Here goes!

One of the best computer-related sites on the Web, CNET, has
compiled a list of 73 NT 4.0 tips and tricks - and they're
great. They're categorized by:

- Customize your user interface
- Get up and running - fast
- Put NT on the Net
- Gain control of your network
- Manage more efficiently
- Unlock security secrets
- Pick up NT's performance

Every one of the category pages also lists out the other categories,
and you also have the option to list all the tips for all the
categories. I trust you're ready to go! Here's the address:

http://www.cnet.com/Content/Features/Howto/NT4tips/index.html




6. "HOW TO USE THE MAILING LIST"
Instructions on how to subscribe, sign off
and change addresses

TO SUBSCRIBE TO THE LIST

send the command 'subscribe nt-list firstname lastname'
as the first line of your message to listproc@intnet.net
_____________________________________________________

TO QUIT THE LIST

send the command 'signoff nt-list' or 'unsubscribe nt-list'
as the first line of your message to listproc@intnet.net
_____________________________________________________

TO CHANGE YOUR ADDRESS

First unsubscribe and then resubscribe as per the
procedure above.

*************************************************

FOR MORE INFORMATION

On the World Wide Web point your browser to:
For the newsletter:
http://www.ntnews.com

USA: http://www.ntsoftdist.com
EUROPE:
http://www.sunbelt.co.uk

Email for US sales information to:
ntsales@ntsoftdist.com
Email for US Tech support to:
daved@pssi.com

Email for European Sales to:
chris@sunbelt.fr
Email for European Tech support to:
robdixon@sunbelt.demon.co.uk





Legal Stuff:
This document is provided for informational purposes only. The information contained in this document represents the current view of Sunbelt Software Distribution on the issues discussed as of the date of publication. Because Sunbelt must respond to changes in market conditions, it should not be interpreted to be a commitment on the part of Sunbelt and Sunbelt cannot guarantee the accuracy of any information presented after the date of publication.
INFORMATION PROVIDED IN THIS DOCUMENT IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND FREEDOM FROM INFRINGEMENT.

The user assumes the entire risk as to the accuracy and the use of this document. This document may be copied and distributed subject to the following conditions: 1) All text must be copied without modification and all pages must be included; 2) All copies must contain Sunbelt's copyright notice and any other notices provided therein; and 3) This document may not be distributed for profit. All trademarks acknowledged.
Copyright Sunbelt Software Distribution, Inc. 1996.


Last Mod Date: Feb 24-1997 kgw: 04:00pm