Windows 2003 SP1 service pack delayed until 2005

The upcoming service pack for microsoft windows 2003 SP1 network operating system has been delayed untill somewhere in 2005, probably first half of 2005. This is the second delay as it orginally should be released in 2003.

For a list of new features in Windows 2003 SP1 (if it ever sees the light of day) can be found at nwfusion.com

Rumor goes that bear paw, the next generation terminal services from Microsoft, will not be a windows 2004 addon but will go into longhype erm.. longhorn.

[Via Thincomputing.net]
[Listening to: Pinball Wizard - Who - Live At Woodstock (3:27)]

The Windows Registry in Terminal Server Environments (Part 1 of 3)

In this three-part series, I'm going to detail the Windows registry as it relates to Terminal Server environments. Today's article explains the basics of how Terminal Server uses the registry.
[Via Brian Madden - Technology Author and Freelance Consultant] Nagyon fontos cikk!
[Listening to: My Generation - The Who - (6:42)]


MakeMeAdmin -- temporary admin for your Limited User account

Common scenario:  you log on with your Windows domain account, which you have removed from the Administrators group (as well as from Power Users, Backup Operators, etc.).  When you need to perform tasks that require elevated privileges, you use RunAs to start a program with the local Administrator account.  You quickly realize two things:

  1. The program running as local Administrator cannot access network resources, since your local account is recognized only on your own computer; and
  2. Any per-user settings apply to the local Administrator’s profile, not to the profile you normally work with.


The first problem often occurs when installing software from a network share, or an ActiveX control from an intranet site that uses Windows authentication.  An area where the second problem crops up is with applications that assume that it will be installed by the same user who will use it.  Some apps also have a “run-once” problem, in which the app needs to be executed one time with admin privileges.  For some, such as Windows Messenger 4.x, each user has to run it one time with admin privs.


The per-user settings problem also occurs with the Power Options applet in Control Panel, which modifies both per-machine and per-user settings.  When you use it from an unprivileged account, an error occurs writing the per-machine settings, so the per-user settings never get written.  When you use it from the local admin account, the per-user settings you write are for the local admin account, not the account you normally use.


There are a number of ways to address the network access problem.  The first of these that I’ll describe also addresses the user profile problem.


Elevating your normal account to admin


The only effective way I know of to address the user profile issue is to make your “normal” account an administrator.  The trick is to do it for the least amount of time necessary. 


The long and painful way


Using an admin account, you can add your normal account into the Administrators group, but that change doesn’t take effect until the next time you log on.  If you’ve tried this, you’ve probably noticed that it’s a pain to add your domain user account into the Administrators group using the GUI – first you need to use RunAs to run the Computer Management / Local Users and Groups console; you then get prompted for network credentials to resolve the domain names because your local admin account isn’t recognized.  And then when you’re done with all that, your current logon still doesn’t have admin privileges because changes to groups and privileges only take effect on subsequent logons.  Finally, you need to remember to remove yourself from the Administrators group and then log back in again to make that change take effect.




MakeMeAdmin.cmd addresses all of these issues.  When you run it, you get a Command Prompt running under your normal user account, but in a new logon session in which it is a member of the Administrators group.  This Command Prompt and any programs started from it use your regular profile, authenticate as you on the network, but have full local admin privileges.  All other programs continue to run with your regular, unprivileged account.


How does it work?  Remember a moment ago when I mentioned that changes to groups and privileges take effect only on subsequent logons?  The critical thing to understand is that you do not actually need to log out in order to log on.  If you use RunAs to start a process with your current account, it creates a new logon session and builds a new token, taking into account group memberships in effect at that instant.  MakeMeAdmin.cmd invokes RunAs twice, prompting you first for your local admin password, then for your current account password.  The bit that runs as local administrator does the following:

  1. Adds your current account to the local Administrators group (using NET LOCALGROUP, avoiding the problem of needing network credentials to resolve names);
  2. Invokes RunAs to start a new instance of cmd.exe using your current account, which is at this instant a member of Administrators;
  3. Removes your current account from the local Administrators group.

The result of the second step is a Command Prompt running in a new logon session, with a brand new token representing your current account, but as a member of Administrators.  The third step has no effect on the new cmd.exe’s token, in the same way that adding your account to Administrators does not affect any previously running processes.


The zip file also includes a less-privileged version, MakeMePU.cmd, which temporarily elevates you to Power Users instead of Administrators.


A very brief bit about processes and tokens


I’ll try to keep this as brief and broad-brush as possible.  What follows is not 100% accurate and complete, but if you’re unfamiliar with the concepts I think you might find it helpful:

  • Every program in Windows runs in a “process”.  A process may display zero or more windows.  You can see a list of the running processes by starting Task Manager and clicking on the “Processes” tab.  If you click on the “Applications” tab, then right-click on one of the items listed there and choose “Go To Process”, it will show you which process that “application” is running in.
  • A “token” identifies a user, the Windows groups that user belongs to, and a set of system privileges, such as the ability to change the computer’s clock.  When a user logs on (including with RunAs), the system creates a new token for the user, determining at that time what groups the user is a member of and which privileges the user should have.  Once a token is created, one can’t add or (generally) remove any groups or privileges from the token.
  • Every process always has a token.  In almost all cases, its token is a copy of that of its parent process (the process which started it).
  • Whenever a process tries to access a securable object (such as a file or a registry key), an access check is performed by comparing the process’ token to the “access control list” (ACL) of the object.  The result of that access check determines whether the requested access is allowed or denied.


Addressing the network resource access issue


If you prefer to use the local administrator account, but need to use your domain account for network access, there are a couple of other approaches:


From your local admin Command Prompt, you can simply NET USE to authenticate to the specific resources you need to access.  You need to authenticate separately this way for every remote computer you wish to access.  NET USE is logon-session specific, so any connections established in one Command Prompt affect only processes started within the same RunAs session.


Another commonly used approach is to use RunAs with /netonly.  The /netonly option starts the target process in a new logon session with the current token, but with the account you specify for all SSPI-based network access.  You can kind of think of it as implicitly calling NET USE for every remote computer you try to access.  Here’s how you might use it (ignore word-wrapping – this should be one line):

runas /u:%COMPUTERNAME%\Administrator "runas /netonly /u:%USERDOMAIN%\%USERNAME% cmd.exe"

(If you have renamed your builtin Administrator account, change “Administrator” to the new name.)

As with MakeMeAdmin, RunAs is used twice and you’ll get prompted for two passwords:  that of the local Administrator, and that of your current account.  What you’ll get is a Command Prompt running under the local Administrator account, using the local Administrator profile, but authenticating on the network with your domain account.  (Confusingly, the title bar will say that you’re running as the domain user rather than as the local administrator.)


Tradeoffs of MakeMeAdmin vs. using the builtin Administrator account


Personally, I prefer using MakeMeAdmin.  The main issues I have run into with MakeMeAdmin are 1) telling privileged from unprivileged apps, 2) Explorer issues, and 3) issues with objects created while running with elevated privilege.


1.  Telling privileged from unprivileged apps


In two previous posts, I echoed Keith Brown's suggestion to change the admin’s background bitmap for Explorer and Internet Explorer so that you could tell your admin windows from your non-admin ones.  But with MakeMeAdmin, you can have different IE and Explorer windows all running as “you”, but some with administrator privileges and others not.  The background bitmap settings are associated with user accounts, not with privilege levels, so they don’t help you in this scenario.


I promised to provide a solution.  It’s called PrivBar and it adds a toolbar to your IE and Explorer windows that lets you know at a glance at what privilege level that particular instance is running.  At this point I will have to postpone it to a future post – this post is already very long and very overdue!  I will try to post it really soon!


2.  Explorer issues


If you want to start explorer.exe from a MakeMeAdmin context, you need to set the Separate Process flag for your normal account, and you must start explorer.exe with /root, in the command line unless there are no other Explorer windows running.  For more information, read my post about using RunAs with Explorer, paying close attention to “More info about Explorer’s Separate Process flag” and the references to explorer.exe command line options.


3.  Objects created while running with elevated privilege


Normally, when a user creates a securable object, such as a file, folder, or registry key, that user becomes the “owner” of the object and by default is granted Full Control over it.  Prior to Windows XP, if the user was a member of the Administrators group, that group, rather than the user, would get ownership and full control.  The user still had ownership and control over the object by being a member of Administrators.  But if you created objects while a member of Administrators and then were removed from the group, your subsequent use of those objects could be limited or completely denied.  Windows XP introduced a configurable option whether ownership and control of an object created by an administrator would be granted to the specific user or to the Administrators group.  The default on XP is to grant this to the object creator; the default on Windows Server 2003 is to grant it to the Administrators group.


I’m not on the Windows team and was not party to the thinking that went into exposing this option and establishing its defaults.  My guess is that it was that on the server, all admins are equal.  If I’m an admin on a server and I create an object and am later reassigned or leave the company, any other admin should be able to access and manage the objects I created without any trouble.  A workstation, however, is more likely to be a single-user device.  Objects I create on my computer, such as documents, should remain under my control even if I change myself from a Computer Administrator to a Limited User (to use XP Home Edition’s terminology).  I think this makes a lot of sense.


However, MakeMeAdmin changes things.  If I use MakeMeAdmin to install programs, my normal account will be granted ownership and full control over the installation folder, the program executable files, and any registry keys the installation program creates.  Those access rights will remain even when I am no longer running with administrator privileges.  That’s not what I want at all.  I want to be able to run the app, create and modify my own data files, but not to retain full control over the program files after I have installed it.  For this reason, I changed the “default owner” setting on my computer to “Administrators group”.


To view or change this setting, open “Local Security Policy” in Administrative Tools, or run secpol.msc.  You need to be an admin to use this tool.  In the left pane, browse to Security Settings \ Local Policies \ Security Options.  The policy name is “System objects: Default owner for objects created by members of the Administrators group”.  The allowable settings are “Administrators group” or “Object creator”.


Coming Real Soon

  • PrivBar
  • Running with a restricted token (what does “protect my computer and data from unauthorized program activity” actually mean)
  • ???


[Via Aaron Margosis' WebLog]
[Listening to: A gothic romance (Red roses fo - Cradle of filth - Dusk and her embrace (8:35)]



...With RemoteSQLCe you can completely manage your SqlServeCE database from the desktop. RemoteSQLCE works in the cradle, and over ethernet/bluetooth.
Using RemoteSQLCe you can:-
Create a database
Drop a database
Examine the database structure
Get Database information
Compact a database
Create a table
Drop a table
Add columns
Drop columns
Add an index
Drop an index
Run SQL queries
Load data from a file
Execute batches of SQL statements
Generate (and populate) a SqlServerCE database from your server databases

Nagyon kellemes eszköz.
[Listening to: McGoohan's Blues - Roy Harper - Folkjokeopus (17:54)]

eMbedded Visual C++ 4.0 Service Pack 4 (SP4)

Service Pack 4 (SP4) allows eMbedded Visual C++ 4.0 users to target Windows CE 5.0 based devices.
[Via Microsoft Download Center]
Sejtettem, ha belekezdek egy fejlesztésbe, egyre újabb mikuláscsomagokat kapok.
[Listening to: hells angels - Roy Harper - Flat Baroque & Berserk (6:45)]


Software Monoculture in Schools?

The World Is Not Microsoft asks: "I've been worried by changes my school has made over the past year or so to the general computer setup we have. The school is a City Technology College, and as a result of this there are an abundance of computers around the building which everyone is free to use. When I first started there (almost six years ago now) there were approximately even numbers of Windows and Mac machines. As happens over time these machines got out of date and had to be replaced, and the school has spent a lot of money buying replacements. What I'm bothered about is that when they did this they completely eliminated the Mac population, and by the time school starts again in September the only machines we will have will either be Windows 98 or Windows 2000. What's the situation like in other schools? Is everyone else completely locked into Microsoft like we are?"
[Via Slashdot: ]
Iskolákban software és hardware monokultúrát kialakítani - engedni kialakulni - felelőtlenség->hiba->bűn.
Inkább azon kellene elmélkedni, hogyan lehet általános érvényű (nem eszközhöz kötött) dolgokat oktatni.
[Listening to: Hangman - Roy Harper - Whatever Happened To Jugula (7:06)]



My Atom feed conversion to RSS moved from 2rss.com to http://feeds.feedburner.com/Sfc. Pls refresh!


SGI to Scale Linux Across 1024 CPUs

im333mfg writes "ComputerWorld has an article up about an upcoming SGI Machine, being built for the National Center for Supercomputing Applications, "that will run a single Linux operating system image across 1,024 Intel Corp. Itanium 2 processors and 3TB of shared memory.""
[Via Slashdot: ]
[Listening to: Seasons in the Abyss (rare version) - Slayer - (6:36)]


Renaming STDOUT?

Microsoft has made its living building software applications that are more self-documenting and otherwise easier to use than its competitors. Thus, I was unsurprised to learn that my feature team wants to gather customer ideas for alternatives to the “unix-y” stdout option.

Wait! That's you. Already have an opinion. Let it be known.

If you're one of the 99.99999% of human beings that don't know what stdout is, don't worry about it. I did not learn what erudite means until high school.  Obtuse still trips me up.  And orthogonal?  Orthagonal must be the most abused English word at Microsoft after heuristic, which is a good description of this post, don't you think? 

Have your eyes glazed over yet?  When we read words (or quasi-words) like orthogonal and stdout out of context, our brains reel and our eyes glaze over. What the heck is stdout?  Who cares!

For Team Foundation's source control command line, I think that stdout be replaced with either “>[format]“ or “sendto:[format]“.

The following examples display the contents of a source-controlled file in the default viewer for that type of file. Note that - and / are interchangeable command line option identifiers.

vstf View myfile.doc /sendto:viewer

vstf View foo.txt ->viewer

The following examples display the contents of the specified source-controlled files in the command console (a quick view):

vstf View header.h -sendto:console

vstf View foo.txt />console

What do you think?  Should > replace stdout? What about sendto:?  Record your comments here.

[Via Microsoft WebBlogs]

Otthon, a nagyanyád gardrob szekrényében nevezd át.

Microsoft Solution for Small and Medium Business - Program Overview

This is an overview of the Microsoft Solutions for Small and Medium Business program, which provides prescriptive guidance on planning, building, operating, and supporting end-to-end integrated information technology (IT) solutions for small and medium businesses.
[Via Microsoft Download Center]

Ezek azok a dokumentumok, eljárások, amiket azonnal le kell fordítani magyarra, ki kell egészíteni mindegyik a leírásban jelzett dologgal (W2K, W98 beillesztése, ezek biztonsági ügyei) és sürgősen közkinccsé tenni. Egyszer s mindenkorra ki kéne húzni a "rencergazda unakaöccsök" lába alól a talajt.

Screen Scraping, ViewState, and Authentication using ASP.Net

Screen Scraping, ViewState, and Authentication using ASP.Net

Screen Scraping, ViewState, and Authentication using ASP.Net Posted by scott on Saturday, July 03, 2004 This article will examine three options to fetch HTML output from a URL, including how to fetch the output of an ASPX page using Viewstate and forms based authentication. Before web services came along, screen scraping was a popular technique for grabbing the output from another application by examining the text it displays on the screen. For web applications, this meant making a request to a URL and examining the HTML the server returns. You could then parse the HTML to grab the latest news headlines or stock quotes from a news site, or the price of a book on amazon.com. With RSS, XML, and Web Services, the need to screen scrape has diminished, but is not extinct. In this article we will examine a few methods to grab the HTML from another URL and for display in your own page.

Ugyan a screen scraping technológiát vagy 30 éve használom, de jól meghatározott output-ok esetében (SNA). Érdekes lehet a szívás, ha az elég inkonzisztens web oldalakat kellene elemezni. Lehet, hogy megéri.

123 Protect your Server - Firewall, Antivirus and Patching

Did everyone see this?  Trend and HP will be partnering to pre-load Trend on SBS boxes sold by HP.  Kewl!  Remember the 1-2-3 Protect your PC campaign?  We got the Firewall.  This provides the Antivirus bundle.  Now we only need Patching built in for the “swwweeeettt” product!
[Via A .Text Community]

Remélem, hamar a kezembe akad egy ilyen példány, akkor majd jól megvizsgálom. A hír addig is biztató.

New Security Features in ASP.NET 2.0

Use the new controls, tools, and APIs in ASP.NET 2.0 to more easily create and manage users, and to password-protect pages in a Web application.
[Via MSDN Just Published]

New Security Features in ASP.NET 2.0 Stephen Walther Microsoft Corporation June 2004 Applies to: Microsoft ASP.NET 2.0 Microsoft ASP.NET framework Microsoft SQL Server Microsoft Visual Studio .NET Summary: ASP.NET 2.0 includes a number of new features to make securing your ASP.NET applications easier than before. See how you can use the new controls, tools, and APIs to control access to pages, and make it easier to store information about your users. (15 printed pages) Contents Security and the Provider Model Using the Web Site Administration Tool to Configure Security Using the Login Controls to Create Standard Security Pages Working Directly with the Membership API

Dropping Internet Explorer

Last week, InfoWorld columnist Oliver Rist recommended that you stop using Microsoft Internet Explorer as your browser. He had good reason: The latest vulnerability reports point out some significant security holes in IE that aren't going to be easily overcome.
[Via InfoWorld: Security]

Eggy pozitivumot ír Oliver Rist:
Unfortunately, you can’t drop IE from your Windows machines completely. You still need it for Windows Update alerts. But it is possible to use it sparingly, and until Microsoft issues a new release, that would be a good idea.

Network General back in business

Can the company that fell on hard times as a part of Network Associates go it alone again?
[Via CNET News.com] Network General re-emerged on Friday after a seven-year pairing with McAfee, promising that a sole focus on network administration will serve its customers better. The company was sold by McAfee, formerly Network Associates, to Silver Lake Partners and the Texas Pacific Group for $235 million in a transaction that was completed Friday. Emerging from the shadow of a security-focused company will help the firm focus more keenly on its core users, said Nancy Blair, vice president of marketing and product management for Network General. "In the confines of McAfee, our customers--the network managers--felt a little underserved," she said, adding that the company intends to invest more heavily in network products. The reformation of Network General is the last stage in the dismantling of Network Associates, created by the merger of Network General and McAfee in 1997. The firm-formerly-known-as-Network Associates, announced the divorce last year, and the chunk once known as McAfee reassumed that name at the end of June.

First virus for Windows CE surfaces

Code's author, part of group that created Symbian virus, creates gentle bug to prove it can be done.
[Via CNET News.com] A virus that infects Windows CE has been developed--the first such bug discovered for the handheld operating system, according to one firm. BitDefender, based in Romania, stated that it has discovered a "proof of concept" virus for Microsoft's operating system for smart phones and other handhelds. The malicious code's author, who uses the pseudonym Ratter, is part of the 29A VX group that created a virus for the Symbian OS. BitDefender said it is the first known Windows CE virus. Microsoft could not be reached for comment.


Top 75 Network Security Tools

Egy kínai blogger (Bernard Cheah) hivatkozik egy japán blogger (Yamaken) blogjára, amely az alábbi forrást adja:
Top 75 Network Security Tools
Az alábbi megjelöléssel:
-Did not appear on the 2000 list
-Generally costs money. These rarely includes source code. A free limited/demo/trial version may be available.
-Works on Linux
-Works on FreeBSD/NetBSD/OpenBSD and/or proprietary UNIX systems (Solaris, HP-UX, IRIX, etc.)
-Supports Microsoft Windows
találhatóak egy elég nagy csoport véleménye alapján fontossági sorrendben az eszközök.

In May of 2003, I conducted a survey of Nmap users from the nmap-hackers mailing list to determine their favorite security tools. Each respondent could list up to 8. This was a followup to the highly successful June 2000 Top 50 list. An astounding 1854 people responded in '03, and their recommendations were so impressive that I have expanded the list to 75 tools! Anyone in the security field would be well advised to go over the list and investigate tools they are unfamiliar with. I discovered several powerful new tools this way. I also plan to point newbies to this page whenever they write me saying "I do not know where to start". Respondents were allowed to list open source or commercial tools on any platform. Commercial tools are noted as such in the list below. Many of the descriptions were taken from the application home page or the Debian or Freshmeat package descriptions. I removed marketing fluff like "revolutionary" and "next generation". No votes for the Nmap Security Scanner were counted because the survey was taken on an Nmap mailing list. This audience also means that the list is slightly biased toward "attack" tools rather than defensive ones.

Measuring security

Garnering ROI from information security is an elusive metric, says Eddie Schwartz, security architect at netForensics Inc., but there are ways that CIOs can use technology to find some measurements to justify network security investments.
[Via Computerworld Security News]
Számomra mindig kérdéses, ha egy kvázi létfontosságú dolgot, mint a biztonság, méricskélni akar valaki. Ekkor valóban "csak" olyan dolgokat, mint:
Ways to measure security performance: Risk, time and cost To build a meaningful performance management framework for information security, we must start with variables we can measure: threat level, vulnerability level, asset valuation, problem-resolution time and cost in terms of losses or savings. lehet "mérni".
Viszont, ha költség oldalról közelítjük meg a biztonság kérdését, unokáink is a mai férgeket fogják irtani a jelenlegi millió zombi gép leszármazottaiból. M, mint méricskélő Ágnes figyelmébe:))

.Math 1.0

Steve Hebert's Development Blog: .Math Welcome to .Math, the OpenSource expression compiler for the .NET platform written entirely in C#. Offering speed through compilation of expressions, the library allows for variable handling, an entire function library and the ability to add your own functions. .Math Sourcecode is available as an OpenSource license on the web at http://workspaces.gotdotnet.com/math. Be sure to check out the online web demo Sample Page! A hétvégén majd jól kipróbálom. Különösen ez érdekel: The .Math library allows the user to extend the syntax of functions by creating classes and registering them with the compiler.


Classic security solution

Osbourne's security solution


Windows Server 2003 Terminal Server Capacity and Scaling

Windows Server 2003 Terminal Server Capacity and Scaling Published: June 24, 2003 Summary Microsoft Windows Terminal Server lets users run Windows-based applications on a remote computer running one of the Windows Server 2003 family of operating systems. This white paper contains testing methodologies, results, analysis, and sizing guidelines for Windows Server 2003 Terminal Server. Included in This Document • Introduction • Results Overview • Test Environment and Testing Tools • Analysis of the Results • Performing Your Own Scaling Tests • Appendix A: Test Script Flow Charts • Appendix B: Terminal Server Settings • Appendix C: HP Server specifications Download: TermServScaling.doc 469 KB Microsoft Word file


Wireless thin client tablet Optoma Operis-1

A new light weight thin client device (800 g) in tablet form was introduced by Optoma. It runs wireless 802.11b on Windows CE.Net 4.2. With the builtin RDP and ICA client it seems like a very attract...
[Via Thin Computing Times]
[Listening to: Satanic Mantra - Cradle of Filth - Midian (0:50)]


What is more secure ?

What is more secure ? Open source software or closed source commercial software is one of the best topics you can get when you’re having a beer at the pub. Open source claims that it not only saves money, but is also inherently more secure than the closed source commercial software. Why do so many have that perception?