Certified Mail, Feb. 2002
Security risks, the "right" security policy, and certification as a foot in the career door.
IIS Inherently Risky
- By MCP Magazine Readers
- February 01, 2002
I’m writing in response to your December 2001 article, “Gartner
IIS Analysis Off-Target, Say Some Experts.” Just to get it out in
the open, let me say that I’m not a big fan of Microsoft security. Having
said that, I think there’s an important issue not being covered in this
The article states, “While both security experts say IIS is far from
perfect and is vulnerable, they insist it’s not inherently more vulnerable
than other Web servers on the market.” I don’t totally agree with this,
but I admit it’s easily possible to make valid arguments both for and
against IIS and its relative security or lack thereof.
However, I believe that using IIS poses an inherently greater risk, for
the following reason. IIS runs in the “Local System” context, the highest
privilege level in Windows! Compare that to Apache, which, when properly
configured, usually runs as “nobody,” a user account with essentially
Issues of vulnerability aside, the inherent risk associated with running
an Internet-accessible service in a highly privileged context is much
greater than running the same service in a non-privileged context. It
seems like the designers of IIS have never heard of the concept of least
privilege, or they don’t like to implement it! I’m aware of the IUSR
account; but my understanding of the issue is that a buffer overflow or
similar vulnerability in the IIS code will result in access to the security
context in which the main IIS processes run—Local System. A flaw in a
script (for example) would result in access to the IUSR context (which
is often Administrator anyway).
I consider this a serious design flaw that leaves little recourse but
to either not use IIS or to place a secure proxy in front of it. Given
the added resources required for that, and given that Apache runs on Windows
and can also support ASP, using IIS does seem to be contraindicated.
—J.P. Vossen, CISSP
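The letter's concern is a network-reachable service running as the most privileged account on the machine. The script below is an added example, not from the letter or from MCP Magazine: it joins the listening TCP sockets to the running services that own them and flags those running as LocalSystem. It assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection) and an elevated PowerShell session.

```powershell
# Added example (not from the letter or from MCP Magazine): list every
# service that both listens on a TCP port and runs as LocalSystem, i.e. the
# "Internet-accessible service in a highly privileged context" the letter
# warns about. Assumes Windows 8 / Server 2012 or later for
# Get-NetTCPConnection and an elevated PowerShell session.

function Get-ListeningServices {
    # Listening ports keyed by owning process id. Both OwningProcess and
    # Win32_Service.ProcessId are UInt32; cast to [int] so hashtable lookups match.
    $listenPorts = @{}
    foreach ($conn in Get-NetTCPConnection -State Listen) {
        $pid_ = [int]$conn.OwningProcess
        if (-not $listenPorts.ContainsKey($pid_)) { $listenPorts[$pid_] = @() }
        $listenPorts[$pid_] += $conn.LocalPort
    }

    # Both spellings show up in Win32_Service.StartName for the SYSTEM account.
    $systemAccounts = @('LocalSystem', 'NT AUTHORITY\SYSTEM')

    Get-CimInstance Win32_Service |
        Where-Object { $_.State -eq 'Running' -and $listenPorts.ContainsKey([int]$_.ProcessId) } |
        ForEach-Object {
            [pscustomobject]@{
                Service      = $_.Name
                Account      = $_.StartName
                ProcessId    = $_.ProcessId
                Ports        = ($listenPorts[[int]$_.ProcessId] | Sort-Object -Unique) -join ','
                # True when the service account is the most privileged one on the box.
                RunsAsSystem = ($_.StartName -in $systemAccounts)
            }
        }
}

# Privileged listeners first: anything in this list that is reachable from the
# network is a candidate for a less privileged service account.
Get-ListeningServices |
    Sort-Object RunsAsSystem, Service -Descending |
    Format-Table Service, Account, ProcessId, Ports, RunsAsSystem -AutoSize
```

Two caveats when reading the output. Services hosted in a shared svchost.exe share one process id, so a port is attributed to every service in that process, not just the one that opened it. And for IIS 6 and later the listener itself is HTTP.sys in the kernel (reported under the System process, PID 4) while requests are handled by w3wp.exe worker processes running as application pool identities, so the W3SVC service account alone does not tell you the privilege of the code that parses a request; check the pool identity as well.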
You Guys Can Have the Future
In 1999 I decided to get my MCSE and make the leap into the wonderful
world of Information Technology. Now, two years later, I’m going back
to my old profession. After 24 months of “Your OS Sucks!” “No, your OS
sucks!” and other such mature examples of nerd empowerment, I’ve had enough.
The training company I worked for collapsed, right along with the job
market, and Microsoft wants me to pay $200 to keep my “new and improved”—and
quite worthless—MCT certification. Everyone who is still struggling to
make a living in Microsoft training now knows that the big rush of work
coming before all of the Windows NT 4.0 certs ran out wasn’t going to make
Christmas happen after all.
Is all of this just the whining of a disappointed and bitter old man?
No, I’m not that old. I must say though, that taking all of the NT, Win2K,
Linux, and Cisco books off of my shelves and putting the electronics,
instrumentation, and IEEE spec books back has put a smile back on my face.
The future is in IT, is it? Well, you guys can have the future. I’m going
back to the work all of this infrastructure is supposed to support.
Oak Ridge, Tennessee
Two Accounts Better than One?
I’m an administrator at a large company running Windows NT and 2000. There
are more than 100 admins throughout the nationwide company, many of whom
have Domain Admin or similar rights. I’ve created a second account with
basic user rights for my two admins and me in our region. We log on using
those accounts and use the Run As feature in Win2K to launch our admin
programs using our admin accounts.
Our data security group at headquarters is pressuring me to get rid of
the second account we’re using, saying it’s against corporate policy to
have more than one account. I’ve told them this is Security 101—that you
only use your admin account for performing functions that require the
elevated privileges—not for everything, especially in view of many of
the new viruses now in the wild. My boss is in complete agreement, but
we’re still having difficulties convincing them that using two accounts
is the way to go.
It’s absolutely imperative that individuals entrusted with administrative
roles in Win2K and Windows NT (and other OSs as well) not be logged
on using these accounts when performing standard user-level chores such
as reading and composing e-mail, writing Word documents, researching
on the Web and so on. The administrative accounts are all-powerful in
Windows OSs. Imagine the impact of an e-mail-based virus or Trojan that
attempts to destroy resources on a Windows system. These products often
launch themselves simply when the e-mail is opened or the attachment
double-clicked. Many of them are powerless if they attempt to destroy
resources that a normal user wouldn’t have access to, like many sensitive
registry keys and system files.
A properly ACLed file system would also protect many other system
files. What if the malicious code were set to infiltrate group policies
in a Win2K domain? Since the administrative-level accounts may be responsible
for creating group policies, the dangerous code might adjust or create
a policy that would then be automatically pushed out to every computer
in the domain. These are but a few of the potential disasters that can
occur if the user has the privileges required to do damage. Were he
or she to be using an ordinary user account, that damage might be minimal;
it certainly would be much less. Rather than fighting responsible admins
who wish to preserve security in their domain, you should reconsider
your policy and make it one that encompasses all domain admins and others
with high-level administrative privileges. One account per person is
a sound policy. However, this is the exception that proves the rule.
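The practice the letter describes, a standard account for the desktop and a separate administrative account reached through Run As, can be checked and exercised from a script. The block below is an added example, not from the letter, the editor's reply or MCP Magazine: it reports which privileged groups the current logon token belongs to and, if it holds none, launches an admin console under a second account with runas.exe (present since Windows 2000). The account name CORP\jdoe-admin, the group list and the console dsa.msc are placeholders.

```powershell
# Added example (not from the letter, the reply or MCP Magazine): enforce the
# two-account habit. First check whether the current desktop session already
# carries administrative rights; if not, launch the admin tool under a
# separate privileged account. CORP\jdoe-admin and dsa.msc are placeholders.

function Get-PrivilegedGroupMembership {
    # Returns the names of privileged groups present in the current logon token.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $watch = 'Administrators', 'Domain Admins', 'Enterprise Admins',
             'Schema Admins', 'Account Operators', 'Server Operators'

    $identity.Groups | ForEach-Object {
        # Logon and capability SIDs have no account name; skip them.
        try { $_.Translate([System.Security.Principal.NTAccount]).Value } catch { $null }
    } | Where-Object {
        $name = $_
        @($watch | Where-Object { $name -like "*\$_" }).Count -gt 0
    }
}

function Start-AdminTool {
    param(
        [Parameter(Mandatory)][string]$AdminAccount,
        [Parameter(Mandatory)][string]$Command
    )
    # runas.exe prompts for the admin account's password and starts the tool
    # with that account's token; the desktop session itself stays unprivileged.
    & runas.exe "/user:$AdminAccount" $Command
}

$privileged = @(Get-PrivilegedGroupMembership)
if ($privileged.Count -gt 0) {
    Write-Warning ("This desktop session holds: {0}. Use the standard account for " +
                   "mail, documents and Web browsing." -f ($privileged -join ', '))
} else {
    Write-Host 'Standard-user session; starting the admin console under a separate account.'
    Start-AdminTool -AdminAccount 'CORP\jdoe-admin' -Command 'mmc dsa.msc'
}
```

On systems with UAC, a filtered administrator token still lists the Administrators group (marked deny-only), so the warning also fires for a local admin running a non-elevated shell, which is the intended outcome here: that account should not be the daily desktop account either.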
Gotta Have the Love
I wanted to comment on something Steve Crandall said in his December 2001
“Professionally Speaking” column, “Taking
Control.” He wrote, “You have to have a relatively high degree of
‘geekiness.’” I couldn’t agree more. Of the two provincially funded colleges
in Windsor, Ontario, Canada, neither offers a program heavy in networking;
both focus substantial time on programming. I hate programming. I just
find it boring.
When I think about networks, even little four-computer, mini-hub networks,
my heart starts to beat a little quicker. My imagination starts to race
as I trace the data path and immediately start to think of how I could
make it bigger and better. The bigger the network, the geekier the toys,
the faster my heart goes. That’s Steve’s point, I believe. Whatever field
of IT you’ve chosen had better make your pulse quicken, take your breath
away, and bring you back to the days of racing through the aisles at the
local toy store.
All too often people think, as was stated, that a cert is like a blank
check. I recently completed my MCSE on Win2K. Of 10 people in the class
(and one of only four to pass all seven exams), I’m the only one working
in the industry. The other three who finished are all pursuing other fields
of work because their pot of gold was not at the end of the MCSE rainbow.
Windsor, Ontario, Canada
Correction
The January article, "Windows 2000 Defragmentation Tools," states that one
of PerfectDisk's drawbacks "is that it doesn't consolidate free space by
default." According to Raxco Software Inc., PerfectDisk consolidates free
space as a default, with no tailoring required by the user. The company
says PerfectDisk was the first product to perform this consolidation on
the Windows platform. We apologize for the error.
Not Worth the Effort
A couple of Microsoft certification titles on my resume have proved to
be not worth the effort. I still get no responses to my resume for positions
where an MCP might fill the bill. Even with all the NT 4.0 MCSEs still
out there, I feel that the only way for me to go is to forgo any social,
family, or potential employment opportunity until I can put a Win2K MCSE
on my resume.
And, yes, once I have my MCSE and have obtained a job that gives proper
respect to both my 14-plus years of computer experience and the fresh
MCSE I’ll bring to the table with appropriate pay, I’m going to want to
coast for a while before hitting the books again. Much as I like to keep
current, I’m not going to be in the mood for seven new tests on Windows
.NET when a mature Win2K certification is all my employer may ever need.
Terminal Services on a Small Network
I read Bruce Rougeau's article on Windows 2000 Terminal Server, "Progress
at the Speed of Thin," in the July 2000 issue with lots of interest,
and I have a question. It's mentioned that Terminal Server License Server
shouldn't be on the server running Terminal Server. However, in a small
network (eight to 10 users) with only one server, how do you avoid this
There's always a best practices strategy that must be broken to
meet the demands of the real world. Some people refer to this as the
bubble gum and baling twine principle. In a very small environment
it's very common to have the license server on your terminal server
as long as you follow these rules:
If you're in a workgroup, then your license server must be on a
computer in the same workgroup; the client will find the server via
a broadcast. Yes, the license server can be on the terminal server.
If you're in a domain environment, the license service must be on
a domain controller servicing the domain or site, depending on how it
In my office I work with about 10 instructors. We have a domain
controller running Windows 2000 configured as a domain controller (forest
of one domain), Terminal Server, and Terminal Server Licensing Server.
We have a second server that also runs as a Terminal Server. With only
one server in a small environment this will work just fine. Be prepared
for your solution to grow and then implement the best practices.
I finally had the honor of using my voucher for the Accelerated Exam on
Nov. 12th. Unfortunately I didn't pass. I have spent the past nine months
setting up lab systems running Win2K Professional and Server, averaging
20 hours a week studying Sybex and Coriolis study guides, and doing numerous
simulations on systems.
Two weeks prior to my scheduled exam, I downloaded questions off braindump
sites, thinking it wouldn't hurt to know what other people have run into.
But I didn't have much faith in this information.
Since Microsoft claimed that the MCSE 2000 tests were for knowledgeable,
hands-on professionals, I felt that I was more than capable of passing
70-240. But I didn't.
I sat for three and a half hours taking this exam, and when it was over,
there was no explanation of my final score, nor what segment was my downfall.
The terminal on which I was working froze up at the end of my directory
services exam and had to be restarted. Maybe I didn't get credit for 25
percent of the exam. I will never know.
But one thing I do know: The study books are shelved, and I still have
my MCSE on NT 4.0. No more certification attempts for me!
Rochester, New York
No Study = No Pass
I read Dian Schaffhauser's August column "Current
Count," and was happy to see that I'm not the only one curious about
I work for a large IT company with 2,600 employees, and to date I know
of two of us who are certified on Win2K, and another two that work at
other companies. I do know that my MCSE co-workers were running around
trying to find good Accelerated Exam material, or at the very least, start
studying the four core exams, but things have really died down since Microsoft's
certification reversal announcement in October.
I did my two electives last spring, wrote the design exam in May, and
then wrote 70-240 at the end of June. It was a busy five months. I've
been using Win2K since July 2000, so I thought after a year of using the
product, it was time to go for the big one. The Accelerated Exam was the
20th I've written since November 1998; it was the hardest exam ever for me.
It's a fair exam in its own right; anyone who says differently obviously
didn't study the four core requirements.
All the Win2K exams, in my opinion, measure the information Microsoft
wants you to know. Unfortunately, it doesn't measure the "real world"
problems that we deal with every day, but, hey, what certifications measure
that? So, for your question, how tough was it? Like all certs, it's as
tough as the rest of them. If you don't study, you don't pass. It's as
simple as that.
Nancy McCombs, MCSE, CNE, CCA, A+
Dartmouth, Nova Scotia