Patch reliability is unclear, but widespread attacks make patching prudent. Go ahead and patch, but watch out for potential problems.
Readers offer tips on Wi-Fi
In this issue
- TOP STORY: Readers offer tips on Wi-Fi
- INDEX OF REVIEWS: We have a screenful of LCD monitor tests
- HOT TIPS: Get the most out of your Wi-Fi
- BRIEFING SESSION: The secrets of silent computing
- WINDOWS SECRETS: Don't wait for IE 7 to be secure
- PATCH WATCH: I'm MU-ing this month — are you?
- PATCH WATCH: Tips for getting started with WSUS
- WACKY WEB WEEK: Protect your Ben & Jerry's with a Pintlock
Readers offer tips on Wi-Fi
Readers had positive reactions — and lots of additional tips to share — to my May 26, 2005, article entitled, "Wi-Finally: wireless security that actually works."
Glenn Fleishman, a wireless expert and editor of Wi-Fi Net News, wrote in his blog on May 27 that the article "is an incredibly clear set of the best advice I’ve seen on the topic."
I devoted a lot of effort to researching the story because Microsoft had recently begun giving away a free piece of software for Windows XP SP2 that supports both of the new, secure forms of Wi-Fi — WPA (Wireless Protected Access) and WPA2. I wrote that all Windows users should immediately throw into the garbage any old Wi-Fi hardware that can’t be upgraded at least to WPA.
There are plenty of Wi-Fi routers, access points, and adapters that are WPA2-capable and are selling for commodity-level prices. If you’re buying any new Wi-Fi equipment, insist on products that support the strongest standard: WPA2-Enterprise. (Such products are also downward-compatible with all lesser standards.) You can find a product list by clicking the WPA2-Enterprise check box at the Wi-Fi Alliance’s Certified Product Listing page.
Of course, buying anything new wouldn’t be necessary if the computer industry had demanded from the beginning that all Wi-Fi equipment must support strong security — and must be sold with all security features turned on.
Unfortunately, that’s a battle that was lost long ago. The best thing you can do now is make sure the drivers, adapters, and access points you use are all upgraded to WPA or WPA2. For step-by-step instructions, see the May 26 newsletter.
As usual, my readers found excellent resources that other readers can benefit from. Let’s look at some of the tips they’ve sent in.
Login authentication using MS software
I sent out a brief newsletter update on June 10 describing a concern about Microsoft’s new WPA2 software. eWeek Magazine had reported that the download supports only one of five forms of login authentication that have been standardized by the Wi-Fi Alliance. This form is known as EAP-TLS.
Several readers, the first of whom was Fleishman, wrote to explain that Microsoft’s software can also support another form of authentication called PEAP. This is because Microsoft has built PEAP support into Windows XP SP1 and SP2, Windows 2000 SP4, and Windows Server 2003.
This still leaves the Microsoft software, technically known as a supplicant, without support for (take a deep breath) EAP-TTLS, PEAPv1, and EAP-SIM.
Rather than explain all of these acronyms here, I’ll refer you to an article by George Ou, a blogger for ZDnet, entitled "Understanding the Updated WPA and WPA2 Standards." His write-up exhaustively defines all five of these technologies, and much more.
If you’re a small business or home user who’s decided to use the simpler WPA-PSK (WPA with a pre-shared key), none of the five forms of authentication mentioned above matter to you. Just remember to create a pre-shared key that’s long enough to be secure (32 characters is fine), with a random mix of numerals, punctuation, and upper- and lowercase letters. I described these PSK details in my May 26 article.
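Added example (not from the original newsletter): one way to generate and check a pre-shared key that follows the advice above, in Python. The function names are hypothetical, and the 8-to-63 printable-ASCII limit is the WPA passphrase rule from IEEE 802.11i, which the article does not spell out.

```python
import math
import secrets
import string

# WPA/WPA2-PSK passphrases must be 8 to 63 printable ASCII characters
# (IEEE 802.11i rule; an assumption added here, not stated in the article).
WPA_MIN_LEN, WPA_MAX_LEN = 8, 63

# The four character classes the article says to mix.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "punct": string.punctuation,
}
ALPHABET = "".join(CLASSES.values())  # 94 printable, non-space characters


def missing_classes(psk):
    """Names of the character classes that do not appear in psk."""
    return [name for name, chars in CLASSES.items()
            if not any(c in chars for c in psk)]


def generate_psk(length=32):
    """Random passphrase from the OS CSPRNG containing all four classes."""
    if not WPA_MIN_LEN <= length <= WPA_MAX_LEN:
        raise ValueError("WPA passphrase must be 8-63 characters")
    while True:
        # Rejection sampling: redraw the whole string rather than patching
        # characters in, so every accepted passphrase is equally likely.
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not missing_classes(candidate):
            return candidate


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random string; meaningless for human-chosen keys."""
    return length * math.log2(alphabet_size)


def audit_psk(psk, suggested_len=32):
    """Structural check of an existing passphrase; returns a list of problems.

    This cannot tell whether the key was chosen randomly, only whether it
    fits the WPA limits and the article's length and character-mix advice.
    """
    problems = []
    if not WPA_MIN_LEN <= len(psk) <= WPA_MAX_LEN:
        problems.append("length outside the 8-63 character WPA limit")
    if any(not 32 <= ord(c) <= 126 for c in psk):
        problems.append("contains characters outside printable ASCII")
    if len(psk) < suggested_len:
        problems.append("shorter than the suggested %d characters" % suggested_len)
    missing = missing_classes(psk)
    if missing:
        problems.append("missing character classes: " + ", ".join(missing))
    return problems


if __name__ == "__main__":
    key = generate_psk()
    print(key)
    print("about %.0f bits of entropy" % entropy_bits(len(key)))
    print(audit_psk("password") or "ok")
```

Type the generated key into the access point and each client once; a dictionary word such as `password` passes the WPA length limit but fails the audit on both length and character mix.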
Authentication for Windows 2000
Rich Saulpaugh writes to say that Microsoft has made available a free authentication client for Windows 2000 SP3 and higher for some time. This software supports the EAP-TLS and PEAP methods of login authentication.
This software is available to download from Microsoft’s 802.1x client page.
WPA support for Centrino and Win 98/Me
Frank Bulk recommends some resources that provide WPA and/or WPA2 features to users of Centrino-based laptops and Windows 9x-based PCs:
- "I want to point out to you some free Windows-based WPA supplicants that will help Windows 98/Me users:
• WPA Assistant
• WIRE1x
“Users of Centrino laptops with Intel PRO/Wireless 2200BG and the Intel PRO/Wireless 2915ABG products can also obtain WPA2 support via version 9 of the Intel supplicant:
• ProSet 9
“ProSet 9 is only supported on Windows 2000 and up computers, but it at least gives Win2K users access to WPA2.
“Readers not more familiar with the development of 802.11 standards might have misunderstood from your article that 802.11b cards only had WEP and that 802.11g support automatically meant that it has support for WPA. That wasn’t always the case.
Via drivers or firmware updates, some 802.11b cards now have WPA/TKIP support and even WPA2 support (for example, Intel PRO/Wireless 2100 LAN 3B MiniPCI Adapter WM3B2100WWWB).
“There were some 802.11g devices sold that had no WPA support (for example, 3Com OfficeConnect Wireless 11g PC Card Model# 3CRWE154G172, 802.11g Wireless Notebook Network Card Model# F5D7010, D-Link IEEE 802.11g Wireless NetWork PCI Adapter / DWL-G510, etc).”
WPA Assistant is a free portion of the Wireless Security Corporation’s WSC Guard, a third-party login authentication service that costs $4.95 per month. The free WPA Assistant supports only WPA-PSK and the insecure WEP and Clear methods. It also displays reminders to upgrade to the paid version of WSC Guard.
For these reasons, Windows users may prefer WIRE1x (pronounced "wire one ex"). This is a free, open-source program developed at the National Tsing Hua University in Taiwan. It runs on Windows 98, Me, 2000, and XP and supports EAP-TLS, PEAP, and EAP-TTLS. Significantly, it also works with a program called freeRADIUS, which can be used to provide WPA-Enterprise-style login authentication.
Unfortunately, WIRE1x at this moment doesn’t include a convenient, user-friendly installer. You need to download a set of files, copy some of them to your System32 folder, and then create a shortcut to run the executable program. This shouldn’t be difficult for most Windows Secrets readers, but it does require extra installation steps.
Low-tech device provides 100% security
Robert Riebs, a technologist/educator in Lafayette, Calif., is often called upon to configure wireless access points (WAPs) for his clients and colleagues.
“After this is set up, I advise them to get a plug-in timer that is programmable,” Riebs writes. “Now I set the power for the WAP to run only during the times they prefer to produce a wireless signal. (Who needs a wireless network in the middle of their sleep, whenever that is?)”
Timing the power to your Wi-Fi connection should only be an addition to, not a substitute for, good WPA or WPA2 security. But the good thing about an AC timer is that turning off your router or access point does provide you with 100% protection against anyone misusing your wireless signal during that time!
Riebs recommends the Intermatic DT17C, a 3-outlet timer that sells for about $19.99 on the Web. The device can be programmed for up to 98 “on” and 98 “off” periods per week. It can be manually overridden if you need to use Wi-Fi at an unexpected time. Being low-tech, the device can’t be controlled by hackers, needless to say. More info: Intermatic DT17C AC Timer
More great advice from readers regarding Wi-Fi is available in my Hot Tips column, below, where I continue this subject in the paid version of today’s newsletter.
Readers Saulpaugh, Bulk, and Riebs will receive gift certificates for a book, CD, or DVD of their choice for being the first to send me tips that I printed.
To send us more information about Wi-Fi security, or to send us a tip on any other subject, visit WindowsSecrets.com/contact.
Brian Livingston is editor of the Windows Secrets Newsletter and the coauthor of Windows 2000 Secrets, Windows Me Secrets, and eight other books.
We have a screenful of LCD monitor tests
The LCD market is crowded with look-alike contenders, but we’ve gathered reviews from a few electronics experts to help you navigate by price class.
We’ve also pulled together reviews covering a wide spectrum of digital cameras and photo printers.
19- TO 24-INCH LCDs
Dell named PC World’s Best Buy
Breaking their usual top 10 list into two categories — 19-inch and 23- to 24-inch LCDs — PC World Magazine showcases the best of both worlds. Dell’s 24-inch 2405FPW wins the Best Buy spot in the 23- and 24-inch category, while the higher-priced Samsung SyncMaster 243t was judged the finest on graphics and text quality. In the 19-inch category, Sony’s model outranks others in text and graphic quality, but the inexpensive Dell 1905FP gets Best Buy.
- Dell UltraSharp 2405FPW (23- and 24-inch LCD monitors, Best Buy, Score: 4.0/5.0)
- Dell UltraSharp 1905FP (19-inch LCD monitors, Best Buy, Score: 4.0/5.0)
19-INCH LCDs
Tom’s likes LG’s LCD
Using various applications, Tom’s Hardware puts 19-inch offerings of big-name vendors to the test. Of the LCD panels they compared, they have a penchant for LG’s L1980U.
- LG L1980U (“clean lines, quality materials, and a finish that’s beyond reproach”)
17- TO 21-INCH LCDs
Dell reappears at the top of CR’s list
Consumer Reports Magazine puts LCDs through their paces, with Dell making a return appearance, this time in the 17-inch category. Samsung’s 19-inch model receives a “Best Buy” in the larger class of LCDs.
- Dell UltraSharp 1704FP (17-inch LCD monitors, Best Buy, Score: Very Good)
- Samsung SyncMaster 910t (19- to 21-inch LCD monitors, Best Buy, Very Good)
PORTABLE PROJECTORS
PC Mag picks best projector
PC Magazine does a roundup of the latest line of portable, business projectors and gives the top honors to Dell for its low price, performance, and features.
- Dell 1100MP (Score: 4.5/5.0)
DIGITAL CAMERAS FOR ENTHUSIASTS
CPU Mag finds Canon unchallenged in tests
CPU Magazine focuses on 11 cameras made for photography, not snapshots. Of these entry-level SLRs, the Canon Rebel gets the highest score for its convenient features and excellent images.
- Canon EOS Digital Rebel 300D (Score: 4.5/5.0)
COMPACT DIGITAL CAMERAS
Canon’s improved model impresses CNET
CNET reviews the newest ultracompact models from five big names. The new and improved Canon SD400 tops the list in this category.
- Canon PowerShot SD400 (Score: 7.4/10.0)
DIGITAL CAMERAS
PC Mag awards cameras in five categories
From ultracompacts (such as the Canon SD300) to digital SLRs, PC Magazine reports its top picks for five different categories of cameras.
- Canon PowerShot SD300 Digital Elph (Ultracompact, Editors’ Choice, Score: 4.0/5.0)
- Canon PowerShot SD500 Digital Elph (Ultracompact, Editors’ Choice, 4.0)
- Canon PowerShot S70 (Compact, Editors’ Choice, 4.0)
- Casio Exilim EX-P600 (Compact, Editors’ Choice, 4.0)
- Fujifilm FinePix E550 (Compact, Editors’ Choice, 4.0)
- Kodak EasyShare LS743 (Compact, Editors’ Choice, 4.0)
- Panasonic Lumix DMC-FZ20 (Superzoom, Editors’ Choice, 4.0)
- Canon PowerShot G6 (Enthusiast, Editors’ Choice, 4.0)
- Konica Minolta DiMage A2 (Enthusiast, Editors’ Choice, 4.0)
- Olympus Camedia C-8080 Wide Zoom (Enthusiast, Editors’ Choice, 4.0)
- Canon EOS Digital Rebel XT (Digital SLR, Editors’ Choice, 5.0)
- Canon EOS 20D (Digital SLR, Editors’ Choice, 5.0)
LAPTOP COMPUTERS
CR recommends HP, Sony laptops
Consumer Reports magazine ranks 15 different laptops strictly on performance, from Budget to Workhorse, choosing four as Quick Picks by taking other factors into account. Topping CR’s list for good value and overall performance are models by HP and Sony.
- HP Pavilion dv1000 1.5-GHz Celeron M 340 (Budget, Quick Pick, Score: Very Good)
- Sony Vaio VGN-A230 1.3-GHz Celeron M 350 (Budget, Quick Pick, Very Good)
- Toshiba Satellite M45-S351 1.73-GHz Pentium M 740 (Workhorse, Quick Pick, Very Good)
- Toshiba Portégé M205-S810 1.5-GHz Pentium M (Slim and light, Very Good)
- Apple iBook 14″ Combo 1.33-GHz PowerPC G4 (Macintosh, Quick Pick, Very Good)
PHOTO PRINTERS
Two Canon printers get Editors’ Choice
PC Magazine reviews seven high-end printers designed specifically for photos. The editors name two Canon models the best choices for their print quality and speed.
- Canon i9900 Photo Printer (Editors’ Choice, Score: 5.0/5.0)
- Canon Pixma iP8500 Photo Printer (Editors’ Choice, 4.0)
4″ X 6″ PHOTO PRINTERS
Tom’s names HP winner in photo printers
Tom’s Hardware Guide finds that compact photo printers have a lot of advantages, and manufacturers are battling it out to get their share of the market. HP is the clear winner, according to the editors.
- HP Photosmart 375 (“Produces excellent results, adaptable, and reasonable cost”)
Vickie Stevens is research director of WindowsSecrets.com.
Get the most out of your Wi-Fi
By Brian Livingston
The great ideas from our readers regarding the best features and security possible for your Wi-Fi connection just keep on coming.
In the wrap-up below, which continues the topic I began at the top of this newsletter, we see how to set up a VPN for free, plus a couple of cautionary notes about not believing everything you read on Web sites.
How to get a free VPN
In my article on Wi-Fi in the May 26, 2005, newsletter, I wrote that an insecure wireless connection — such as in a poorly-managed Internet café — could be used safely if you first set up a VPN (virtual private network). Since this isn’t easy for novices to do from scratch, I listed four services that do it for you for a small monthly cost.
Reader Daniel Vives recommends some free software that he uses for his own VPN needs:
- “In the article ‘Wi-Finally: security that works’, it is stated that implementing a VPN is an alternative to secure a wireless network, and there are some low-cost suppliers mentioned.
“I’ve set up a VPN easily and with no cost with OpenVPN. In my case, I followed the instructions to set up authentication via certificates that are easily created for any number of users.
“I use it to access my home LAN from the office. In this way I open just the VPN port on the router (no need to open telnet, ftp, tightvnc ports to Internet access).”
OpenVPN is an SSL VPN. This is a type of secure tunnel that should be adequate for most individuals and small businesses. It doesn’t provide some of the features of an IPSec VPN, as used by larger businesses, however. For an article on the differences, see TechTarget’s analysis.
Vendors may be slow with WPA support
Orbra Bliss writes that it’s hard to get some hardware makers to keep their promises when it comes to upgrades for WPA and WPA2 compatibility:
- “The May 26 newsletter contained a lot of positive references to Linksys. Yes, they make good hardware, but can you trust their support? Last year I bought a WCF12 adapter for my [Pocket PC] PDA and found it has excellent range and is basically very satisfactory — except that when WPA wireless was finally installed in our office, I could not connect.
“A major Linksys selling point is upgradeable firmware. A press release dated April 30, 2003, contains this statement:
- “WPA has been designed to be a firmware or software upgrade for existing Wi-Fi certified wireless LAN products. These upgrades will be made available for Linksys’ Wireless-G products when testing is completed. Firmware and software upgrades for Linksys products will be obtainable at www.linksys.com. By summer, Linksys will also provide WPA enhancements for many of its popular Wireless Dual-Band A+G products and Wireless-B products, including the BEFW11S4 (v2 and v3), WPC11 (v2, v2.5 and v3), WUSB11 (v2 and v2.5), WMP11, WCF11 and WCF12.”
“Over two years later and that press release is still on the Linksys site. However, when I inquired about it last December, I got the ‘tells you nothing’ reply that I have included.
“I suppose they believe people will get tired of waiting and buy a newer model. This may be a choice for some, but I work with a non-profit organization and this kind of thing comes out of my own, not-very-deep pocket. It doesn’t appear that anyone should give any weight to Linksys promises.”
I checked the Linksys site and, sure enough, that press release is still there. In cases like this, it may be necessary to obtain WPA- or WPA2-compatible software from a third party. I linked to two alternative suppliers, Funk Software and Meetinghouse, in a section of my May 26 story.
Not everyone reveres George Ou
Paul Thomas takes issue with some of the blanket statements made by George Ou, a blogger who appears at ZDnet. I linked to one of Ou’s posts about six dumb things that he says don’t really protect Wi-Fi:
- “Good article about Wi-Fi in the 5-26-05 edition. However, your reliance on George Ou as an ‘expert’ seems misplaced. I’m not an electrical engineer, so I can only state what ‘works’ or makes sense based upon my experience and the magazines I read each month (including IEEE publications). But look at George’s continual statements like
- “Anyone who tells you that this is a way to secure your wireless LAN does not know what they’re talking about.”
or
- “Disabling DHCP has zero security value and just wastes time. It would take a hacker about 10 seconds to figure out the IP scheme of any network and simply assign their own IP address. Anyone who tells you that this is a way to secure your wireless LAN doesn’t know what they’re talking about.”
“At the risk of sounding like the expert George Ou thinks he is,
“1. What percentage of ‘hackers’ know or are even willing to take all of the steps required to break in? (Three percent?) As with car thieves, they will usually look for a better target when something delays their break-in attempt.
“2: George attempts to come across as the expert in this, and probably other fields. Maybe ZD is trying to get ‘reality TV’ going in the tech world. Maybe it will even sell well.
“It just won’t sell to myself. Hopefully at least a few others wrote to indicate their displeasure with being directed to Ou’s article. It is all right to set a point level of some sort to a defensive tactic as to its effectiveness, but just waving your magic wand and declaring ‘NOTHING WORKS’ is, to quote old Ebeneezer, Humbahg.”
In defense of George Ou, I believe he’s generally right to pooh-pooh halfway security measures. Small-time hackers may not be able to get around MAC filtering or DHCP disabling today. But how do we know that such techniques won’t become part of an easy hacker toolkit, say, six months from now, in the same way that WEP became a snap to break? The best defense for a Wi-Fi network is WPA/WPA2 with strong authentication. Everything else is a stopgap measure that can’t be counted on for long.
The secrets of silent computing
By Paul Thurrott
Your PC is part of a conspiracy to rob you of your precious hearing. Don’t believe me? Simply sit in front of your PC and then turn it off.
Notice the wonderful silence in the absence of the jet turbine-like sound of your PC. That’s what computing can be like. Yes, seriously.
Over three years ago, I embarked on a quest to silence the computers in my home office. As a tinnitus sufferer — and someone who is perhaps unusually pained by unwanted noise — I’ve tried to preach the gospel of silent computing to anyone who will (ahem) listen.
I should note that computing isn’t the only problem. We’re besieged by noise in virtually every aspect of our lives. I’ve grown convinced that those who regularly commute on buses and trains are doing horrible things to their ears by cranking up their earbuds. And don’t get me started with those poor fools who crank their car stereos to 11. I can’t cure all ills. But I can tell you what I know about silent computing.
First, admit there’s a problem and then locate it. A typical PC is a whirling dervish of moving mechanical parts, all of which contribute to the overall sound your PC emits. The chief culprits (in generally descending order of whine) are your power supply, microprocessor and motherboard fans, optical drives (CD-ROM/DVD), and hard drives. Also, increasingly, today’s high-powered graphical accelerators come with loud fans to cool them.
If you’re a gamer, I’ve got a bit of bad news: The more powerful the system, the more noise it will typically make. That’s because high-end PCs have high-end microprocessors and other components that generate a lot of heat, which in turn require a lot of cooling. But some of the noisier components, like your optical drive, only spin up occasionally. And the fans on graphics cards will work harder during gaming, and then cool down–and quiet down–when you’re done. You’re unlikely to be too bothered by these types of sounds during game play.
An industry takes notice of noise
When I first investigated silent computing three years ago, there wasn’t a lot of information out there on the topic. Worse, PC makers weren’t particularly interested. Today, that’s no longer the case. I’ve recently spoken with PC makers such as Dell and HP, and microprocessor makers such as Intel and AMD. All of these companies are actively pursuing PC designs that offer better thermal design and quieter acoustics.
For Intel, silent computing is only part of the challenge of making PCs act like consumer electronics devices. (They should also be reliable and turn on and off instantly, according to the company.) And AMD told me that its latest processors, which feature dual processor cores, don’t impose a power penalty. Thus, you get the power of two processors without raising the thermal requirements of the underlying system.
On the PC maker side, new systems from Dell, HP, and other companies are designed to be as quiet as possible. I recently spent time with a Dell dual core Xeon processor-based workstation, which barely rose above an audible whisper during use. That’s astonishing, when you consider the almost obscene performance such a system delivers. Apple’s high-end PowerMac G5 even takes a cue from the homebrew world and uses a silent water cooling approach coupled with a highly integrated, slow-moving fan system.
Buying silence for your PC
If you’re interested in silent computing, you have a few tactics to consider. First, you can simply purchase new computing equipment, searching for a system that offers a good combination of acoustics and performance. Most PC makers don’t provide a lot of information about acoustics yet, but you’ll generally find that PCs from major PC makers like Dell and HP will be of higher quality — and are quieter — than those from tier-two PC makers.
If performance isn’t a huge concern, you might consider a small form factor (SFF) computer. These are small systems that are generally much quieter and less obtrusive than typical desktop PCs, and they typically utilize less powerful chips. There are two trends in SFF computing these days. The first is a new motherboard form factor called Mini-ITX, which allows for truly tiny PCs.
The second trend is that a growing number of systems are now based on Intel’s Pentium M processor, which was originally designed for notebook computers. Pentium M processors, however, are also great performers for all but the most demanding tasks. They can create systems that are generally far quieter than those that feature traditional desktop chips. You can find out more about pre-built SFF PCs on SilentPCReviews’ Web site.
Upgrading to silent components
A second approach to quieting your computer is to examine your existing PC and see what you can do about silencing it. I’ve spent countless hours and untold amounts of money trying various alternatives. Here’s what I’ve found out.
The single biggest source of sound in my PCs has been the power supply, though that’s been less of an issue with newer boxes. A number of companies offer quiet and powerful power supplies that can replace the lawnmower motor you may currently be using. Look for units that offer less than 20 dBA of noise output at idle, a noise level that is considered "virtually inaudible" for most people.
After the power supply, take a look (and a listen) at the fan/heat sink that’s protecting your microprocessor. Many vendors offer quiet replacements for these parts, and if your PC is over a year old, this is one part you’re definitely going to want to consider replacing. The trick, of course, is finding a silent one. Water cooling systems are becoming somewhat popular with hardware gurus, but traditional fan/heatsink combos are still easier for us Luddites.
Depending on the make and model, and even on its location within your system, a hard drive can be a surprising source of sound. There are two ways to dampen hard drive sound. The first is to use a rubberband-like system that basically suspends the drive and prevents its vibrations from transmitting to the PC case and amplifying. The second is a full enclosure system, which encases the drive along with the noise it makes. Note however that enclosures might raise the temperature of the drive. A better bet is to go with quieter drives.
Too, consider some sort of noise absorption material, which can be cut out and applied to the inside of your PC’s case. This can be difficult to do if there isn’t a lot of room, and I have my suspicions about it not working well in systems where there are lots of cut-outs and holes through which noise can still escape.
If you aren’t interested in mucking around inside your PC, you might purchase, or even make, a sound deadening box in which to place your entire PC. This box should be lined with the aforementioned noise absorption material. Or, do what Windows Secrets editor Brian Livingston does: His PC is in the next room! Brian snakes long cables for the keyboard, mouse, and display through a pass-through he built into the wall, which separates him from the sound of the PC. If he needs to put a CD in the optical drive, the PC is just a short walk away. A USB hub, connected to the PC using a long cable, sits on his desk for convenient plugging and unplugging of USB Flash drives.
Finally, keep your PC clean. PCs, especially those that sit on the floor, are dust magnets that soon coat all of their internal components in a not-so-fine layer of heat-producing dust. Fans make more noise when they’re coated with dust. Open up your PC periodically and give it a good going-over with compressed air. You may be surprised how many problems this can solve.
So where do you find all this stuff? A number of online stores cater to silent PC owners, including Silicon Acoustics, End PC Noise, and Quiet PC. Need more info about silent PC parts and systems? Not surprisingly, a number of Web sites are dedicated to this growing movement. Take a look at the Silent PC Guide, How To Build a Silent PC, and the Silent PC Review for more information.
Enjoying the sounds of silence
There’s so much you can do to make your computing experience quieter. However you do it, even the smallest of improvements may make a difference for you. Everyone perceives sounds in different ways. But removing noise from your life will reap immediate rewards, so don’t put it off. Your ears will thank me.
Paul Thurrott, associate editor of the Windows Secrets Newsletter, is the author of Windows XP Home Networking, 2nd Ed., and Great Digital Media with Windows XP and the author or co-author of several other books.
Don't wait for IE 7 to be secure
By Chris Mosby
Microsoft announced plans for a new Internet Explorer version 7 back in February. With the first beta due out this summer, you might be thinking that IE will finally be secure enough for you to start using it again.
While this may be the case for users of Windows XP SP2, people who are using Windows 2000 will be out of luck.
Beginning of the end for Windows 2000
Windows 2000 will be regressing into “extended support” on June 30. As an upshot, Microsoft announced recently that only users with Windows 2000 SP4 will continue to get security patches for IE 6.
Furthermore, no version of IE 7 will be compatible with Windows 2000, Microsoft says, due to security features of XP SP2 that IE 7 will be dependent upon and which the Redmond company doesn’t wish to add to W2K.
More information about this decision can be found at BetaNews and at InformationWeek.
While this may be great news for users of Windows XP SP2, what about those computer users who are stuck with Windows 2000 for the time being?
Don’t expect a service pack soon
If you’re one of those people with the mindset, “We’ll just hold out until the next service pack,” I have some more bad news for you.
Back in November 2004, Microsoft announced the planned Service Pack 5 for Windows 2000 was canceled. An “Update Rollup” for Service Pack 4 will be released instead. As it says in the official announcement, the Update Rollup will contain:
- “…all security-related updates produced for Windows 2000 between the time SP4 was released and the time when Microsoft finalizes the contents of the Update Rollup. The Update Rollup will also contain a small number of important non-security updates.”
“By including the most important updates for Windows 2000, the Update Rollup will make it easier for customers to improve the security of Windows 2000 systems, keep them up to date, and build new deployment images.
“The Update Rollup should require less pre-deployment testing for two reasons: the number of updates included in the Update Rollup is significantly lower than the number typically included in a service pack, and Microsoft will have already released most of the contents of the Update Rollup as individual updates and hotfixes. Individual hotfixes made since SP4, but not included in the Update Rollup, will remain available via individual downloads.”
Reports indicate that this Update Rollup is due out next week, and will require Windows 2000 SP4 to be installed first.
How to secure your system now
If an upgrade from Windows 2000 SP4 to Windows XP SP2 is out of reach, what can people do in the meantime while they try to come up with other options?
Don’t give up hope yet. There are still things you can do to secure Windows 2000 as best you can.
First, you can harden Windows 2000 using the steps in Brian Livingston’s article, "Secure Windows 2000 and Me (because MS won’t)," from the Oct. 4, 2004, newsletter. This article warned users even back then that an operating system upgrade would be needed eventually.
Next is something I’ve mentioned several times before, but I can’t stress it enough. If you’re not using an alternative browser, such as Firefox, you have to make an extra effort to secure Internet Explorer on Windows 2000. Brian’s "Protect IE Without SP2" article from the Nov. 18, 2004, newsletter is the best advice I’ve seen on how to do that.
Last but not least, there’s Brian’s recommended and constantly updated Security Baseline, above. This will allow you to build up multiple layers of security prior to your next, much-needed operating system upgrade.
Chris Mosby is a contributor to Configuring Symantec Antivirus Corporate Edition and is the Systems Management Server administrator for a regional bank. In his spare time, he runs the SMS Admin Store.
I'm MU-ing this month — are you?
By Susan Bradley
I printed out this week’s "Book-of-the-Month" — otherwise known as Microsoft’s ten new security bulletins — with gleeful anticipation. That’s especially because we have two new patch tools to try out on these babies.
Mark Burnett, in his column below, will tell all the corporate types about the newly released Windows Software Update Services (WSUS). But I’m primarily going to focus on Microsoft Update, a tool that will make it much easier to keep individual PCs up to date.
How to switch to Microsoft Update
We may have to give the Windows Patch Watch column a new name. That’s because I’m not using Windows Update anymore. For all of you die-hard patchers, in the past you’ve had to go to both Windows Update and the separate Office Update to get patches for each product. But starting this month, Microsoft Update — which currently patches Windows, Office, and Exchange — is my update tool of choice.
In the future, MU, like its corporate cousin WSUS, will also support SQL Server and ISA Server patches. But, considering that MU is intended as a standalone desktop patch tool, I can’t complain. My only irritation thus far was that the tool found a few catchup patches that I needed.
You have to opt in to use Microsoft Update instead of Windows Update. To do this, follow the steps in KB 901037, or just go to the Microsoft Update Web site and click on the easy opt-in procedures.
When I switched over, a few of my line-of-business applications that use older versions of Access caused MU to indicate that I needed a Sharepoint Team Services patch: namely, MS KB 890829. The reason for this patch is some “leftover” Access files that share code with Sharepoint. This results in a slightly confusing upgrade being offered.
Troublesome patches include IE fixes
MS05-025 (883939): Of the 10 new security bulletins this week, the ones I’m looking at most closely for potential issues include one patch for Internet Explorer, MS05-025. This already has some known issues, which are documented in KB 883939.
If you’re a regular Windows Patch Watch reader, you’ll know this is Internet Explorer’s perennial “you-may-have-issues” wording. We have to read through this every time, since IE patches are always cumulative.
It’s expected that this security hole will spawn a new wave of malicious e-mails with images in them. So this is a high-priority patch for standalone machines.
MS05-027 (896422): The next patch that I’m keeping my eye on is MS05-027, the “SMB” or “networking glue” patch. Interestingly enough, the title of this patch is similar to the MS05-011 patch earlier this year that revealed issues with file sharing. But MS05-027 is not patching the same files that have caused file-sharing issues historically. Therefore, the issues seen with the prior SMB patch may not be a concern this time. I’ll update you in the next Patch Watch column if anything comes up.
MS05-026 (896358): A vulnerability in HTML Help is fixed in MS05-026. As the folks at Incidents.org point out, this hole will probably end up being used by spyware soon. Patching HTML Help files may cause issues with certain Web-based applications, so review KB 896358 for the currently-known glitches.
MS05-031 (898458): I won’t bore you with the remainder of the bulletins rated merely “Important” and “Moderately Important,” other than to highlight the interesting issue of MS05-031. This patch may offer you a version of the update in a language other than the one you expect. For example, if you have a Norwegian version of the operating system and a French version of the application, you’ll get the English patch applied, according to the FAQ section of the Microsoft bulletin. If you need a French version of the patch in a case like this, you’ll have to manually download it.
TCP/IP patch re-released to fix VPN
MS05-019 (893066): In the category of re-released (initially faulty) patches, MS05-019 was re-issued to correct problems many people had with VPN and connectivity.
If you’re using BlackICE products, make sure you’ve updated to the vendor’s recommended versions of RealSecure Desktop (and BlackICE Agent on the server). You’ll see MS05-019 being re-downloaded to your system even if you downloaded the original patch or called Microsoft PSS (Product Support Services) to get a hotfix.
Firefox now easier to patch and deploy
I’ve long argued that any browser is inherently insecure and that we need to ensure we stay patched on any that we use.
Thanks to the folks at Shavlik, it just got a lot easier to patch Firefox. Deploying it in a corporate setting is better, too.
Shavlik’s version 5.1 of its Hfnetchk update-management product, released on June 9, can now patch and deploy Firefox in your network. (Several other non-Microsoft applications are now supported for the first time, as well.) For standalone machines, Firefox’s auto-updates will still work just fine.
For more Firefox update tips, review the Firefox Tweak Guide. For some important corrections to the guide, see Asa Dotzler’s blog.
MSN IM wants update… but for what?
MSN Instant Messenger has been prompting people, saying there’s a later version. But given that it is not a mandatory update — as a previous security-based update was — I was wondering what got fixed in it.
On the Messenger support blog, I found the answer. While seemingly not security-related, the update to 7.0.0813 does add some stability fixes.
I sure want to know what they’re talking about when they say, “A certain infamous wink has been removed.” That certainly has my interest piqued. Apparently the wink was only evidenced in France and certain other markets. So if you happen to be in Paris, you’ll know what this is about, while the rest of us will just have to wonder.
Irritating Front Page and SQL issues
If you failed to catch Brian’s newsletter update on June 10, just know that there’s an issue using Front Page if you have Windows 2003 SP1. To edit pages that are located on the server, you’ll need KB 896861. Remember, any hotfix issue is a free call to Microsoft.
You may be lucky enough to have large RAM memory on SQL Server machines courtesy of AWE (Address Windowing Extensions). If so, there’s a fix for the memory-limitation issue discussed in KB 899761, but it has not yet been fully released. I recommend that you contact Microsoft Product Support Services to get the fix for this issue.
Good blogs and Webcasts on patching
In Tuesday’s installment of the MSRC blog, patch release manager Craig Gehre talks about what his Patch Tuesday is all about. While we take it for granted that the patches will just show up, ready for us to download, this is an interesting peek behind the curtain of the release process.
Also, Steven Toulouse (aka Stepto) talked at TechEd about the process Microsoft goes through to build and test patches.
If you were like me and didn’t go to hot and humid Florida for the Microsoft geekfest known as TechEd, all is not lost. You can now sit in your air-conditioned office or home and view Mark Russinovich’s excellent Webcast on cleaning and stomping Malware, Corey Hynes on Windows Software Update Services, and — one that all of us should consider watching — Aaron Margosis on running Windows without local administrator rights. More Webcasts can be found at Microsoft’s TechEd 2005 page.
Tell me your Microsoft Update experiences
Do me a favor: Try out Microsoft Update this month and drop me a line via the newsletter’s contact page. Use the string MU: at the beginning of your Subject line. Let me know what you thought of the patching experience with this new tool.
As always, let’s be careful out there. Always keep a healthy dose of paranoia, which should become a regular part of your life on the Internet.
Susan Bradley is a Small Business Server and Security MVP — Most Valuable Professional — a title bestowed by Microsoft on independent experts who do not work for the company. Known as the “SBS Diva” for her extensive command of the bundled version of Windows Server 2003, she’s a partner in a CPA firm and spends her days cajoling vendors into coding more securely.
Tips for getting started with WSUS
By Mark Burnett
Microsoft’s recently released Windows Server Update Services (WSUS) is another step in the goal of making patch management more efficient.
While WSUS isn’t loaded with features, as other patch-management solutions are, it is a free and easy way to manage patches in environments that mostly use Microsoft software. Here are some tips to get the most out of it.
1. Turn off unused languages
If you know you’ll never use updates in anything but your own language, save bandwidth and disk space by turning off all languages you don’t need. By default, WSUS downloads updates in all languages. You can change this by browsing to the Options page of the WSUS admin Web site, selecting Synchronization options, then clicking the Advanced button at the bottom of the page. From there, you can select exactly which languages you want to download.
2. Manually install the agent, if necessary
Occasionally, you might have trouble getting a system to connect to the WSUS server because your PC doesn’t have the proper client agent. If this happens, you can get the downloadable file from Microsoft and install it manually.
3. Run the diagnostic tools
If updating the client still doesn’t solve your problems, download the Client Diagnostic Tool to give you some more details about the problem.
Another tool you might find helpful for diagnosing problems is Microsoft’s DCDiag tool.
4. Check the logs
Another way to diagnose problems is to check out the log files. WSUS stores detailed logs in:
C:\Program Files\Update Services\LogFiles
Each client also keeps a WindowsUpdate.log file in the Windows directory. In addition, you can review the IIS server’s log files to make sure the client is at least trying to communicate with the server.
5. Disable Windows Update
If you want full control over client updates, you can completely disable direct connections to Windows Update. To do this, create a DWORD value named DisableWindowsUpdateAccess in the Registry at:
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate
and set the value to 1.
6. Make a pilot group
Create a small pilot group that gets updates automatically approved to make sure everything works okay before general deployment. Depending on your organization, you can establish a structured test procedure for those systems or simply make sure they reboot after installing new patches.
Whatever you do, make sure you notify these pilot users when new updates are to be installed.
7. Follow up with MBSA 2.0
Although currently in beta, MBSA 2.0 will complement and integrate with your WSUS installation. It’ll use the approved updates list from WSUS and help you identify systems not assigned to a WSUS server. It also provides more detailed explanations if a patch installation fails.
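The IIS log review from tip 4 can be automated. The following is an added example, not part of the original newsletter or of Microsoft's tooling: it parses W3C-format IIS logs and reports which inventoried clients are checking in with the WSUS server. The log lines and IP addresses are constructed, and the list of client-facing WSUS virtual directories is an assumption about a default installation.

```python
from datetime import datetime, timedelta

# Assumed default WSUS client-facing virtual directories in IIS.
WSUS_PATHS = ("/clientwebservice/", "/simpleauthwebservice/",
              "/reportingwebservice/", "/selfupdate/", "/content/")
NEEDED = {"date", "time", "c-ip", "cs-uri-stem", "sc-status"}

# Constructed sample log; IIS W3C timestamps are UTC.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(User-Agent)
2005-06-14 08:01:12 10.0.0.21 POST /ClientWebService/client.asmx 200 Windows-Update-Agent
2005-06-14 08:01:15 10.0.0.21 POST /ReportingWebService/ReportingWebService.asmx 200 Windows-Update-Agent
2005-06-15 09:30:02 10.0.0.22 HEAD /selfupdate/wuident.cab 404 Windows-Update-Agent
2005-06-15 09:44:10 10.0.0.50 GET /WSUSAdmin/ 200 Mozilla/4.0
2005-06-10 07:00:00 10.0.0.23 POST /ClientWebService/client.asmx 200 Windows-Update-Agent
"""

def parse_w3c(text):
    """Yield one dict per request, using the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # drop truncated or malformed rows
                yield dict(zip(fields, values))

def client_status(text, expected, now, max_age=timedelta(days=3)):
    """Classify each client as ok, errors-only, stale or no-contact."""
    last_seen, last_ok = {}, {}
    for row in parse_w3c(text):
        if not NEEDED.issubset(row):
            continue
        if not row["cs-uri-stem"].lower().startswith(WSUS_PATHS):
            continue  # admin console and other non-client traffic
        ip = row["c-ip"]
        when = datetime.strptime(f'{row["date"]} {row["time"]}', "%Y-%m-%d %H:%M:%S")
        last_seen[ip] = max(when, last_seen.get(ip, when))
        if row["sc-status"].isdigit() and int(row["sc-status"]) < 400:
            last_ok[ip] = max(when, last_ok.get(ip, when))
    report = {}
    for ip in sorted(set(expected) | set(last_seen)):
        if ip not in last_seen:
            report[ip] = "no-contact"      # never reached the server
        elif now - last_seen[ip] > max_age:
            report[ip] = "stale"           # used to check in, then stopped
        elif ip not in last_ok or now - last_ok[ip] > max_age:
            report[ip] = "errors-only"     # reaching IIS, but requests fail
        else:
            report[ip] = "ok"
    return report

if __name__ == "__main__":
    inventory = ["10.0.0.21", "10.0.0.22", "10.0.0.23", "10.0.0.24"]  # constructed
    for ip, state in client_status(SAMPLE_LOG, inventory, datetime(2005, 6, 16, 12)).items():
        print(ip, state)
```

Clients reported as no-contact or stale are the ones to check for a missing client agent (tip 2) or to examine with the diagnostic tools (tip 3).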
Mark Burnett is the author of Hacking the Code, coauthor of Stealing the Network: How to Own the Box, and an independent security consultant.
Protect your Ben & Jerry's with a Pintlock
If your dissolute roommates are helping themselves to your ice cream while you’re hard at work, now you can help them keep their mitts off your frozen confections with the brilliant new Pintlock.
The vexing problem of “we share everything” was exactly the situation Doug Hertle was facing. In desperation, he wrote to Ben & Jerry’s, the Vermont ice cream czars, with the idea for this invention. Remarkably, the famously laid-back capitalists actually produced the thing, complete with a 3-digit combination lock. It’s like a chastity belt for your sweet treats. The whole story is at Hertle’s DougyDoug.com site. The Pintlock, $5.95 direct, can be obtained from Ben & Jerry’s order page.
Publisher: AskWoody LLC (woody@askwoody.com); editor: Tracey Capen (editor@askwoody.com).