Certified Mail, Feb. 2002

Security risks, the "right" security policy, and certification as a foot in the career door.

• By MCP Magazine Readers
• February 01, 2002

I’m writing in response to your December 2001 article, “Gartner IIS Analysis Off-Target, Say Some Experts.” Just to get it out in the open, let me say that I’m not a big fan of Microsoft security. Having said that, I think there’s an important issue not being covered in this debate.

The article states, “While both security experts say IIS is far from perfect and is vulnerable, they insist it’s not inherently more vulnerable than other Web servers on the market.” I don’t totally agree with this, but I admit it’s easily possible to make valid arguments both for and against IIS and its relative security or lack thereof.

However, I believe that using IIS poses an inherently greater risk, for the following reason. IIS runs in the “Local System” context, the highest privilege level in Windows! Compare that to Apache, which, when properly configured, usually runs as “nobody,” a user account with essentially no privileges.

Issues of vulnerability aside, the inherent risk associated with running an Internet-accessible service in a highly privileged context is much greater than running the same service in a non-privileged context. It seems like the designers of IIS have never heard of the concept of least privilege, or they don’t like to implement it! I’m aware of the IUSER account; but my understanding of the issue is that a buffer overflow or similar vulnerability in the IIS code will result in access to the security context in which the main IIS processes run—Local System. A flaw in a script (for example) would result in access to the IUSR context (which is often Administrator anyway).

I consider this a serious design flaw that leaves little recourse but to either not use IIS or to place a secure proxy in front of it. Given the added resources required for that, and given that Apache runs on Windows and can also support ASP, using IIS does seem to be contraindicated.
—J.P. Vossen, CISSP
Collegeville, Pennsylvania
[email protected]

You Guys Can Have the Future
In 1999 I decided to get my MCSE and make the leap into the wonderful world of Information Technology. Now, two years later, I’m going back to my old profession. After 24 months of “Your OS Sucks!” “No, your OS sucks!” and other such mature examples of nerd empowerment, I’ve had enough. The training company I worked for collapsed, right along with the job market, and Microsoft wants me to pay $200 to keep my “new and improved”—and quite worthless—MCT certification. Everyone who is still struggling to make a living in Microsoft training now knows that the big rush of work coming before all of Windows NT 4.0 certs ran out wasn’t going to make Christmas happen after all.

Is all of this just the whining of a disappointed and bitter old man? No, I’m not that old. I must say though, that taking all of the NT, Win2K, Linux, and Cisco books off of my shelves and putting the electronics, instrumentation, and IEEE spec books back has put a smile back on my face. The future is in IT, is it? Well, you guys can have the future. I’m going back to the work all of this infrastructure is supposed to support.
—Joel Reed
Oak Ridge, Tennessee
[email protected]

Two Accounts Better than One?
I’m an administrator at a large company running Windows NT and 2000. There are more than 100 admins throughout the nationwide company, many of whom have Domain Admin or similar rights. I’ve created a second account with basic user rights for my two admins and me in our region. We log on using those accounts and use the Run As feature in Win2K to launch our admin programs using our admin accounts.

Our data security group at headquarters is pressuring me to get rid of the second account we’re using, saying it’s against corporate policy to have more than one account. I’ve told them this is Security 101—that you only use your admin account for performing functions that require the elevated privileges—not for everything, especially in view of many of the new viruses now in the wild. My boss is in complete agreement, but we’re still having difficulties convincing them that using two accounts is the way to go.
—Tom Culligan
[email protected]

It’s absolutely imperative that individuals entrusted with administrative roles in Win2K and Windows NT (and other OSs as well) not be logged on using these accounts when performing standard user-level chores such as reading and composing e-mail, writing Word documents, researching on the Web and so on. The administrative accounts are all-powerful in Windows OSs. Imagine the impact of an e-mail base virus or Trojan that attempts to destroy resources on a Windows system. These products often launch themselves simply when the e-mail is opened or the attachment double-clicked. Many of them are powerless if they attempt to destroy resources that a normal user wouldn’t have access to, like many sensitive registry keys and system files.

A properly ACLed file system would also protect many other system files. What if the malicious code were set to infiltrate group policies in a Win2K domain? Since the administrative-level accounts may be responsible for creating group policies, the dangerous code might adjust or create a policy that would then be automatically pushed out to every computer in the domain. These are but a few of the potential disasters that can occur if the user has the privileges required to do damage. Were he or she to be using an ordinary user account, that damage might be minimal; it certainly would be much less. Rather than fighting responsible admins who wish to preserve security in their domain, you should reconsider your policy and make it one that encompasses all domain admins and others with high-level administrative privileges. One account per person is a sound policy. However, this is the exception that proves the rule.
—Roberta Bragg

Gotta Have the Love
I wanted to comment on something Steve Crandall said in his December 2001 “Professionally Speaking” column, “Taking Control.” He wrote, “You have to have a relatively high degree of ‘geekiness.’” I couldn’t agree more. Of the two provincially funded colleges in Windsor, Ontario, Canada, neither offers a program heavy in networking; both focus substantial time on programming. I hate programming. I just find it boring.

When I think about networks, even little four-computer, mini-hub networks, my heart starts to beat a little quicker. My imagination starts to race as I trace the data path and immediately start to think of how I could make it bigger and better. The bigger the network, the geekier the toys, the faster my heart goes. That’s Steve’s point, I believe. Whatever field of IT you’ve chosen had better make your pulse quicken, take your breath away, and bring you back to the days of racing through the aisles at the local toy store.

All too often people think, as was stated, that a cert is like a blank check. I recently completed my MCSE on Win2K. Of 10 people in the class (and one of only four to pass all seven exams), I’m the only one working in the industry. The other three who finished are all pursuing other fields of work because their pot of gold was not at the end of the MCSE rainbow.
—Joshua Biggley
Windsor, Ontario, Canada
[email protected]

Not Worth the Effort
A couple of Microsoft certification titles on my resume have proved to be not worth the effort. I still get no responses to my resume for positions where an MCP might fill the bill. Even with all the NT 4.0 MCSEs still out there, I feel that the only way for me to go is to forgo any social, family, or potential employment opportunity until I can put a Win2K MCSE on my resume.

And, yes, once I have my MCSE and have obtained a job that gives proper respect to both my 14-plus years of computer experience and the fresh MCSE I’ll bring to the table with appropriate pay, I’m going to want to coast for a while before hitting the books again. Much as I like to keep current, I’m not going to be in the mood for seven new tests on Windows .NET when a mature Win2K certification is all my employer may ever need.
—Loel Larzelere
Columbus, Ohio
[email protected]

Terminal Services on a Small Network
I read Bruce Rougeau's article on Windows 2000 Terminal Server, "Progress at the Speed of Thin," in the July 2000 issue with lots of interest, and I have a question. It's mentioned that Terminal Server License Server shouldn't be on the server running Terminal Server. However, in a small network (eight to 10 users) with only one server, how do you avoid this problem?
—Andy Kim
Salisbury, Maryland
[email protected]

There's always a best practices strategy that must be broken to meet the demands of the real world. Some people refer to this as the bubble gum and bailing twine principle. In a very small environment it's very common to have the license server on your terminal server as long as you follow these rules:

If you're in a workgroup, then your license server must be on a computer in the same workgroup; the client will find the server via a broadcast. Yes, the license server can be on the terminal server.

If you're in a domain environment, the license service must be on a domain controller servicing the domain or site, depending on how it was installed.

In my office I work with about 10 instructors. We have a domain controller running Windows 2000 configured as a domain controller (forest of one domain), Terminal Server, and Terminal Server Licensing Server. We have a second server that also runs as a Terminal Server. With only one server in a small environment this will work just fine. Be prepared for your solution to grow and then implement the best practices.
—Bruce Rougeau

Accelerated Aggravation
I finally had the honor of using my voucher for the Accelerated Exam on Nov. 12th. Unfortunately I didn't pass. I have spent the past nine months setting up lab systems running Win2K Professional and Server, averaging 20 hours a week studying Sybex and Coriolis study guides, and doing numerous simulations on systems.

Two weeks prior to my scheduled exam, I downloaded questions off braindump sites, thinking it wouldn't hurt to know what other people have run into. But I didn't have much faith in this information.

Since Microsoft claimed that the MCSE 2000 tests were for knowledgeable, hands-on professionals, I felt that I was more than capable of passing 70-240. But I didn't.

I sat for three and a half hours taking this exam, and when it was over, there was no explanation of my final score, nor what segment was my downfall. The terminal on which I was working froze up at the end of my directory services exam and had to be restarted. Maybe I didn't get credit for 25 percent of the exam. I will never know.

But one thing I do know: The study books are shelved, and I still have my MCSE on NT 4.0. No more certification attempts for me!
—Robert Boas
Rochester, New York
[email protected]

No Study = No Pass
I read Dian Schaffhauser's August column "Current Count," and was happy to see that I'm not the only one curious about this number.

I work for a large IT company with 2,600 employees, and to date I know of two of us who are certified on Win2K, and another two that work at other companies. I do know that my MCSE co-workers were running around trying to find good Accelerated Exam material, or at the very least, start studying the four core exams, but things have really died down since Microsoft's certification reversal announcement in October.

I did my two electives last spring, wrote the design exam in May, and then wrote 70-240 at the end of June. It was a busy five months. I've been using Win2K since July 2000, so I thought after a year of using the product, it was time to go for the big one. The Accelerated Exam was the 20th I've written since November 1998; it was hardest exam ever for me. It's a fair exam in its own right; anyone who says differently obviously didn't study the four core requirements.

All the Win2K exams, in my opinion, measure the information Microsoft wants you to know. Unfortunately, it doesn't measure the "real world" problems that we deal with every day, but, hey, what certifications measure that? So, for your question, how tough was it? Like all certs, it's as tough as the rest of them. If you don't study, you don't pass. It's as simple as that.
—Nancy McCombs, MCSE, CNE, CCA, A+
Dartmouth, Nova Scotia
[email protected]