Microsoft has launched an effort to produce a version of Windows for high-performance computing, a move seen as a direct attack on a Linux stronghold.

High-performance computing once required massive, expensive, exotic machines from companies such as Cray, but the field is being remade by the arrival of clusters of low-end machines. While the trend could be considered an opportunity for Microsoft, which has long been the leading operating-system company, Linux has actually become the favored software used on these clusters.

Now Microsoft has begun its response, forming its High Performance Computing team and planning a new OS version called Windows Server HPC Edition. Kyril Faenov is director of the effort, and Microsoft is hiring new managers, programmers, testers and others.

The Redmond, Wash.-based software colossus has its work cut out in the market–and knows it.

“Winning in this important space against entrenched Linux/open-source software competition requires creativity, innovation, speed of execution, and deep engagements with hardware, software and academic partners,” reads a job posting for a program manager responsible for setting up the team’s academic partnerships.

In a recent interview, Bob Muglia, a Microsoft senior vice president who leads the development of Windows Server, said the company is interested in two particular areas: building high-performance computing clusters and harvesting the unused processing power of PCs.

Although Microsoft is a comparative newcomer to the market, the company could bring several advantages:

Best online Microsoft MCTS Training, Microsoft MCITP Certification at certkingdom.com

• Machines running Windows HPC Edition could seamlessly connect to desktop computers, providing instant power for someone such as a financial analyst performing calculations on an Excel spreadsheet, said David Lifka, chief technology officer for the Cornell Theory Center, Microsoft’s premier high-performance computing partner.

• Microsoft could create a specialized version of its widely praised programming tools, said Phil Papadopoulos, director of the grids and clusters program at the San Diego Supercomputing Center. “Windows could make that much easier with their integrated development environment. They have the manpower to do that piece of the puzzle.”

• Microsoft could also adapt its popular SQL Server database software to run on high-performance systems. The company has already said the next major version of SQL Server, code-named Yukon and due next year, will include better support for very large databases and for running on clustered systems.

• And Microsoft could build software into its desktop version of Windows to harness the power of PCs, letting companies get more value from their computers. It’s a technology that’s applicable to tasks such as drug discovery and microchip design.

The business imperative
The high-performance effort doesn’t mark the first time Microsoft has tried to head off Linux’s progress. With Windows Server 2003, Microsoft released a lower-priced Web server edition, as Linux was growing popular for use on the machines that host Web sites.

“The Windows Server group is really focused on countering Linux,” said Rob Helm, an analyst with Directions on Microsoft. “They’ve identified specific areas where Linux has the most traction.”

The HPC Edition is also an example of a Microsoft strategy to increase revenue by creating versions of Windows tailored for specific market segments–for example, Windows for tablet PCs, digital TV recorders and storage servers.

“Another way for them to keep Windows sales moving is to roll out more of these editions,” Helm said. “When you’ve got a product that you need to keep moving, one way to do it is to segment it. You introduce Tarter Control Windows Server and Sensitive Teeth Windows Server.”

High-performance computing is a lucrative market, with sales that increased 14 percent to $5.3 billion in 2003, according to IDC. And “bright clusters,” Linux servers that manufacturers know will be used in a cluster, had sales of $384 million in the fourth quarter.

Beating the incumbent
But for once, Microsoft is the newcomer, and Linux is the incumbent. Linux got its first foothold in academia and research labs, which already had expertise and software for the functionally similar Unix operating system.

“The majority of people doing high-performance computing are a lot more comfortable and efficient inside a Unix environment,” a category that includes Linux, the SDSC’s Papadopoulos said. To convince people to invest the time and money to switch, Microsoft will have to offer something much better, he said.

Linux, boosted by low-cost servers using processors from Intel and Advanced Micro Devices, now is used on prestigious machines. Thunder, a machine at the Lawrence Livermore National Laboratory with 512 Linux servers running Red Hat Enterprise Linux, can perform more than 19 trillion calculations per second, second only to Japan’s Earth Simulator.

Dozens of machines in a list of the 500 fastest supercomputers run Linux, including five of the top 10. Only two on the list are identified as Windows machines.

One reason Windows has been slow to catch on is that Unix and Linux were bred to be administered remotely, a necessary feature for managing a cluster with dozens or hundreds of computers.

In Windows, “the notion of remote computing is significantly more difficult than in Unix,” Papadopoulos said. “Because Windows was born out of the desktop, (it is) deeply ingrained in the Microsoft culture that you have somebody sitting in front of the machine to do work.”

Management is on Microsoft’s agenda, though. The company is hiring one programmer to work on a “graphical and script-based user interface for efficient job and resource management across large clusters” and another to create “automated infrastructure to uncover performance and reliability problems with high performance, large-scale server applications.”

Linux adds another advantage: It’s open-source software, meaning that anybody may see and modify its underlying source code. Most business customers aren’t interested, but high-performance technical computing users need to extract every bit of performance and track down difficult bugs.

“The nice thing is that because everything is open, if you have a problem, you can get at the root of the problem in terms of the software. That moves things along quite a bit faster,” Papadopoulos said.

That openness also makes it easier to accommodate the multitude of different technologies used in the high-performance market but not necessarily in the mainstream computing market, said Brian Stevens, vice president of operating system development for Linux seller Red Hat.

Releasing a product
Microsoft declined to share schedule information about the HPC Edition, but work is already under way.

For example, a software developer kit for HPC Edition will include support for the Message Passing Interface, or MPI, widely used software to let computers in a cluster communicate with one another.

The Cornell Theory Center’s Lifka believes that an early software development kit for the HPC Edition could arrive as soon as this fall. The center is helping Microsoft develop and test the new software.

Microsoft has several upcoming server releases, to which an HPC version of Windows could be added. Service Pack 1 of Windows Server 2003 is due later this year, followed by a more substantive upgrade, code-named R2, slated for 2005. The next major update to Windows, code-named Longhorn, is scheduled to arrive in server form in 2007.

According to job postings, Microsoft is adapting MPI to Microsoft’s .Net infrastructure. A key foundation of .Net is the C# programming language and the Common Language Runtime, or CLR, which lets C# programs run on a multitude of different systems.

Lifka said the first phase will use a version of MPI written for a specific operating system and hardware type. The next foundation will be a version of MPI for the CLR that will let administrators run the same programs on a wide variety of different Windows machines–for example, those using Xeon, Opteron or Itanium processors.

So far, programs written for the CLR and .Net aren’t as fast as those written for a specific machine, “but we see constant improvement in that,” Lifka added. Another area that needs work is security and easy patch installation, he said.

Overall, Lifka is a fan of Windows for high-performance computing. The biggest reason for his enthusiasm is that it can dovetail easily with other versions of Windows in a company.

And companies are more familiar with Windows than Linux, he added. “Moving to Windows has allowed us to have a greater number and quality of corporate relationships,” Lifka said.

Microsoft takes a long-term view of the challenge.

Muglia often discusses technology moving from possible to practical to seamless, as it matures. High-performance computing on Windows today is in the possible stage, he said, but the goal is to make it practical.

“That is something that will happen in the next few years,” Muglia said. “There is an opportunity to make this better.”

With a long-awaited security update to Windows XP now complete, Microsoft is preparing a holiday season push for the 3-year-old operating system–and is set to revisit ambitious plans for the next major revision, News.com has learned.

That revision, code-named Longhorn, one of the most difficult and complicated in the company’s history, has fallen further behind this year, as Microsoft shifted developers from the project and onto Windows XP Service Pack 2, which took longer than expected. Now the company faces the task of getting Longhorn under control and making XP seem fresh during a longer-than-usual wait between OS updates.

“SP2 was a major milestone for the Windows development team,” the company said in a statement Wednesday to CNET News.com. “Now that it has been released, it is a natural time to revisit Longhorn priorities.”

With SP2 shipped and Longhorn still in development, Microsoft faces three major challenges: how to market XP this holiday season, what to do in the years before the next major OS release, and what changes to make to Longhorn, if any, to ensure a timely update.

The answers could have a significant effect on consumers, partners and even investors, since Microsoft dominates its industry. Although the technology behind Longhorn has drawn praise, the long wait for the update has raised some concerns. Major partners, including Intel, have worried about the lag time between major OS updates.

Best online Microsoft MCTS Training, Microsoft MCITP Training at certkingdom.com

More IT news stories
Death of the Internet greatly exaggerated
Digital attacks on Winamp use ‘skins’ for camouflage
‘Plays for sure’ means Microsoft’s inside
Justice Dept. probes for pirates

Many investors have expressed concern about whether Microsoft can release new software fast enough to spur the company’s growth, as well as that of Microsoft-dependent technology companies. In the meantime, Linux providers and other companies with innovative technology, such as Google, are making inroads.
Although Microsoft Chairman Bill Gates was enthusiastic when unveiling an early version of Longhorn at a developer event last October, he has been largely mum in recent months. “We’re not saying much new about Longhorn today, it’s fair to say,” Gates told financial analysts during a meeting last month at Microsoft headquarters.

“Now that (SP2) has been released, it is a natural time to revisit Longhorn priorities.”
–Microsoft
Even though Gates and CEO Steve Ballmer were coy with Wall Street, Longhorn is a key part of the company’s financial future. Windows is one of Microsoft’s main profit centers, and the company had planned to tie other software, including the next update of Office, to Longhorn’s release. Microsoft has already scaled back those plans, however, saying for example that the next version of Office will work with older versions of Windows as well.

As for Longhorn’s rollout, Microsoft said in April that it had pushed out the target for the software until the first half of 2006. A test version of the software has also been delayed until next year.

Matt Rosoff, an analyst with Directions on Microsoft, said: “2006 is what we’re predicting” for the final release. “It’s conceivable it could slip further.”

For now, Microsoft is preparing a slew of new consumer products and services designed to spur sales of Windows XP, which debuted in October 2001.

Entertainment center
The company is focused on making the PC more of an entertainment hub. Apple Computer has invigorated its own sales with its “digital hub” plan, and Windows-based PC makers are selling everything from plasma televisions to portable media devices. Hewlett-Packard, for example, is expected to soon unveil an HP-branded iPod.

For its part, Microsoft will soon announce its MSN Music download store and Windows Media Player 10, a new version of its jukebox software. The company also has been quietly preparing an update of Windows XP Media Center edition, an entertainment-themed version of the OS that allows consumers to watch videos and view pictures via a remote control.

Bill Gates Microsoft started testing the new version–code-named Symphony–early this year. The company has sent the finished software to computer makers, with a goal of having the new version of Media Center in PCs by October, according to a PC industry source. Microsoft declined to comment on this.

Besides enhancing the user interface, Microsoft is considering two steps aimed at making the Media Center edition of the OS more widely adopted: lowering the price it charges PC makers for the software and removing the requirement that it ship with a TV tuner, an industry source said.

All past Media Center-based PCs have included a TV tuner and promoted TiVo-like recording as a key feature. Making the TV-recording feature optional would allow PC makers to sell machines equipped with Media Center for less than $800–a price that could generate more demand.

The new version of Media Center will coincide with a marketing campaign called “Windows XP Reloaded,” which promotes numerous products that are debuting this year as reasons to buy a Windows XP computer. These are expected to include Windows Media Player 10 and two peripherals tied to Media Center. One is the Portable Media Center, a handheld that plays music, pictures and recorded TV, downloaded from a PC. The other is a set-top box, known as Media Center Extender, that allows consumers to watch videos and TV shows in the bedroom while the Media Center PC is in the den.

Longhorn’s long journey
Beyond sprucing up Windows XP with more advanced multimedia features, Microsoft has to complete a road map for Longhorn and decide what to do further with XP before the next major OS update. Microsoft has already scaled back its Longhorn ambitions. In April, the company said it would trim Longhorn around the edges, hoping to allow the OS to ship by 2006.

Other companies, such as Apple, have tried to update their operating systems with smaller, more frequent revisions. Apple has been averaging roughly one new release of the Mac OS X per year since the first version debuted in 2000. The latest edition, Mac OS X 10.3 Panther, shipped in October 2003, while “Tiger,” with its improved search capabilities, is due out in the first half of next year.

With Longhorn, Microsoft has been planning three major changes to the way Windows works: a new file system known as WinFS, a new graphics and presentation engine known as Avalon, and a Web services and communication architecture dubbed Indigo. Such a major overhaul is difficult for Microsoft, with its need to ensure compatibility with thousands of existing software programs, not to mention myriad peripherals and other devices. In the past, the company has had to scale back or scrap some ambitious efforts, such as the ill-fated Cairo release of Windows in the mid-1990s.

For its regular monthly security announcement in August 2004, Microsoft released only a single Security Bulletin, MS04-026, “Vulnerability in Exchange Server 5.5 Outlook Web Access Could Allow Cross-Site Scripting and Spoofing Attacks.” This vulnerability, which could allow a remote attacker to run arbitrary code on a compromised system, has also been assigned the MITRE candidate ID CAN-2004-0203.

Best Microsoft MCTS Training – Microsoft MCITP Training at Certkingdom.com

Details

There hasn’t been any proof of concept published for this vulnerability, and the threat itself wasn’t made public before the Security Bulletin and patch were released by Microsoft.

This vulnerability itself is due to a weakness in the way Outlook Web Access validates https: redirection query input, and the update corrects this flaw. Microsoft reports it may also be possible for this vulnerability to insert spoofed data in Web browser caches and intermediate proxy server caches.

MBSA (Microsoft Baseline Security Analyzer) version 1.2 or later will identify this vulnerability, and SMS (Systems Management Server) will deploy this fix. MS04-026 replaces the patch provided in Microsoft Security Bulletin MS03-047.
Applicability

This vulnerability is found only in Exchange Server 5.5. Exchange 2000 Server and Exchange Server 2003 are not vulnerable.
Risk level – Moderate

Microsoft rates this as only a moderate threat because the at-risk service isn’t used in all Exchange installations, and the threat hasn’t been disclosed until now. However, it’s important to remember that the Microsoft ratings are not simply a measure of how much damage the vulnerability can cause if exploited. Any remote code execution threat is critical if your system is vulnerable, so this threat poses significant risk to those organizations that are running OWA on Exchange 5.5.
Mitigating factors

Using SSL connections would eliminate this threat because the data will be encrypted and not cached on proxy servers. Also, if you block anonymous access to OWA, only authorized users can take advantage of this exploit.
Fix – Apply patch

You will need to have Exchange 5.5 Service Pack 4 installed before applying the provided patch.

If Outlook Web Access is not needed, then you can simply remove it, which will mitigate this threat. See Knowledge Base Article 290287 for detailed instructions.

Another workaround is to disable OWA via Exchange Administrator. You need to do this for each Exchange site.
Final word

I have long felt that Microsoft should use a different vulnerability rating system that explicitly shows all the separate factors Microsoft uses to rate a threat. The overall rating we see today is simple but really doesn’t convey much information. If you don’t have an affected component installed, then your risk level is zero; but if you do have a vulnerable system, then the threat level may easily be critical, while the same vulnerability gets an overall rating of moderate.

Here is an example of individual vulnerability ratings based on various considerations:

* Exploit danger: CRITICAL
* Proof of concept published: LOW (if not published)
* Exploit seen: LOW (if not seen in wild)
* Number of potentially affected systems: LOW
* Risk if best practices followed: LOW
* Overall risk: MODERATE

This is the type of system that I would recommend Microsoft to adopt for rating its vulnerabilities.

Also, I think it’s important to remind administrators, at least once every year, just how much confidence Microsoft places in these patches and the associated Knowledge Base articles. I have no inside information, but I can read the disclaimer that you will find at the bottom of Security Bulletins:

“The information provided in the Microsoft Knowledge Base is provided ‘as is’ without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages.”

Now, I’m certainly not a lawyer and have no ambitions in that area, but I do know what “as is” means when you buy a used car. It’s also important to note that Microsoft disclaims responsibility for “any damages,” even if Microsoft knows that there is a possibility of such damage.

In other words, always remember that you are on your own when it comes to making sure these patches work right, and that installing them won’t end up breaking something else on your network.

Cooperation between Sun Microsystems and Microsoft probably won’t drastically alter the information technology landscape, analysts and IT professionals say, but it should eliminate some integration headaches.

Last month’s historic agreement between the two computing giants is most likely to create near-term progress in two areas: identification and directory services, and Web services.

Further down the road, look for better communication between servers running Windows and Sun’s Solaris version of Unix. And Sun’s StarOffice productivity package might get better at parsing documents created by Microsoft’s Office software.

“I think the benefits to customers are pretty obvious. It’s going to be easier to mix and match these environments,” said John Fowler, Sun’s chief technology officer for software.

The two companies had been “at a high state of acrimony for a long period of time, and we’ve had to do lots of reverse engineering in our products up to now to make them work with Microsoft products,” Fowler added. “Now we can make products work together in a much more direct way.”

A Microsoft representative would only e-mail a company statement on the matter: “The announcement laid the foundation for closer collaboration at various levels within the companies, though at this point it is very early to speculate as to specific impact this may have on various products, standards and pending benefits as they relate to different customers and their unique needs.”

Directory structures up first
Besides settling pending litigation between the companies, the Sun-Microsoft agreement commits the companies to sharing unspecified technologies and cross-licensing patents, with the goal of improving interoperability between systems.

Initial efforts will be focused on directory structures, identity services and communications protocols, Fowler said, to make it easier for Windows clients to sign on and share data with Sun servers.

“We can do a lot of that now,” he said, “but having an agreement to (go) after some of the more esoteric parts of Kerberos authentication, for example, would help.”

Directory compatibility is at the top of IT administrators’ wish lists. Sun servers use the Lightweight Directory Access Protocol (LDAP) standard, while Windows relies on Microsoft’s proprietary Active Directory protocols. Allowing Sun to poke around with Active Directory should lower the technical hurdles to signing on users between Sun and Microsoft systems, said Brian Conlon, chief information officer for global law firm Howrey Simon Arnold & White.

“I’m pleased at where they’re focusing their initial efforts, on identity management and the authentication and single-sign-on issue,” Conlon said. “If we can have a single facility or service for access control on customer-facing services and portals, that would save some trouble.”

Best online Microsoft MCTS Training, Microsoft MCITP Training at certkingdom.com

Tony Scott, chief information officer for General Motors’ information systems and services division, agreed that better directory interoperability will have immediate payoffs.

“We have Microsoft everywhere on the desktop, and Sun LDAP directory (on Unix systems), so we have Active Directory and Sun LDAP integration work between the two that we have to do on a one-off, case-by-case basis,” he said. “This is a perfect case where they can do that work for us and make that just plug in and work. We’ll be delighted if they can pull that off. We would rather spend the money on manufacturing or designing a new car.”

Web services in the wings
A little further into the future, Web services is likely to be a focus of Sun-Microsoft cooperation. Microsoft will continue to promote its .Net software for creating Web-based applications. And Sun will keep pushing its Java language, which is incompatible with Microsoft’s .Net.

But, Fowler said, the formats can be made to work together better, building on work being done by the Web Services Interoperability Group.

“We’re looking at how can we go beyond that, whether that’s standards we promulgate together or active cooperation on products,” Fowler said. “We’re still competitors–we’re not here to promote .Net. But we have to realize our customers need to work in a mixed world.”

Gordon Haff, an analyst for research firm Illuminata, said there will continue to be a basic Web services split between Sun and Microsoft on developers tools–Microsoft’s C# versus Sun’s Java–but customers increasingly expect the resulting applications to work together.

“You may very well continue to have multiple ways of developing applications,” Haff said. “The important thing is, can those applications talk to each other on a meaningful level? That’s going to happen at some level because customers are demanding it. They’re saying, and rightly so, that the underlying details of how Web services are implemented shouldn’t really matter that much.”

And the big computing companies need to listen to customers, said analyst Matt Rosoff, as it becomes increasingly difficult to push new technology.

“It’s getting harder and harder with each passing year to explain to businesses why they should upgrade,” said Rosoff, an analyst for research firm Directions on Microsoft. “Sun and Microsoft understand they’re in the same boat. They’re thinking about what do they need to do to really compel upgrades, and interoperability is a big part of that.”

Law firm CIO Conlon said that his company has focused on Java for initial work on Web services but that compatibility with .Net would provide useful reassurance going forward.

“If they can agree on a Web services framework, I think that would be a real plus,” he said. “Our target architecture is a Java-based one–there’s just more third-party support for it…But it would be good to know our choices aren’t going to be limited.”

Solaris waiting on the bench?
Besides general directory and identity improvements, analysts also see a good chance for increased links between Solaris and Windows. Solaris-specific connections to Windows technology would serve Sun’s interests by giving Solaris another distinction from Linux, said Stephen O’Grady, an analyst for research firm Red Monk. And anything that slows Linux is likely to appeal to Microsoft.

“That’s a scenario where the win-win is pretty clear,” O’Grady said. “Sun does need to have more to differentiate Solaris against Linux, and Microsoft wants to play more effectively in higher-end computing tasks.” The ability to function alongside Solaris would be a compelling pitch for Microsoft, he said.

StarOffice is likely to be a thornier issue, O’Grady said. Sun no doubt would like full access to the file formats used by Microsoft Office. StarOffice can read and manipulate Microsoft-generated documents now, but complex formatting or the presence of “macros”–mini-programs used to automate common tasks–can cause StarOffice to choke on a document.

“I do think there’ll be some degree of exchange on Office formats…but I don’t see Microsoft giving up that stuff lightly,” O’Grady said, adding that pressure from the European Union and other regulators could force Microsoft’s hand. “Microsoft isn’t going to just hand over the formats and fall into lockstep with StarOffice, but external factors could play a role there.”

Sun’s Fowler said StarOffice already has solid compatibility with Microsoft Office formats and won’t be a focus of initial efforts between the companies.

Rosoff said Sun is unlikely to push the Office issue, instead treating the Microsoft deal as an opportunity to shore up its server business and back away from desktop ambitions. “I think Sun might look at the desktop business and re-evaluate the viability of that business,” he said. “My suspicion has been Sun got into that business mainly to be a thorn in Microsoft’s side…Now they have a way to back out and refocus on the back-end stuff, where their strength is.”

Recently, Microsoft announced yet another security vulnerability. Yes, I know that Microsoft announces new security vulnerabilities every week, but this one requires your immediate attention. It’s a critical vulnerability that allows remote code execution on quite a few different Microsoft operating systems. I will explain the component affected by this vulnerability and show you how to keep your system safe.

ASN.1 library
The reason why the security hole affects so many different systems is because the bug exists within an ASN.1 library. ASN (Abstract Syntax Notation) is a set of data standards and devices. ASN.1, on the other hand, is a programming language used for defining various standards with no regard for how those standards will be implemented.

To get an idea of how ASN.1 works, think of the C programming language. You can write C code all day long, but not one line of that code is executable until the code is compiled. In order to compile the code, you need a compiler. There is no one standard C compiler. Instead, there are compilers for different platforms. For example, there are X86 compilers that compile C code to run on Intel processors. There are also Macintosh compilers that compile C code to run on Macintosh machines. The C code will remain the same regardless of which platform uses it. It’s up to the compiler to translate that code into something that a specific computer type understands.

Best online Microsoft MCTS Training, Microsoft MCITP Training at certkingdom.com

ASN.1 works exactly the same way. Like C, ASN.1 is a high-level programming language that also has lots of different libraries that can be referenced. ASN.1 code is used to develop various commonly used standards. The ASN.1 code is then compiled and implemented as a part of various operating systems.
Common ASN.1 standards
Even if you have never heard of ASN.1, you are no doubt familiar with some of the standards that are written in ASN.1. These standards include X.400 (an electronic messaging standard implemented in Microsoft Exchange), X.500 (a Directory Services standard used by Active Directory), X.200 (a network communications standard), Light Weight Directory Access Protocol (LDAP, the protocol used for Active Directory Access), and many others.
My point is that ASN.1 is heavily used by Microsoft operating systems. Unfortunately, the recently discovered security vulnerability exists within the Microsoft ASN.1 libraries. This means that any code based on certain ASN.1 libraries is affected by the bug, making it very widespread.

Unchecked buffer vulnerability
Like so many other Microsoft security vulnerabilities, this particular security problem involves an unchecked buffer. An unchecked buffer implies the problem code does not take steps to monitor the contents of a buffer. If too much data is crammed into the buffer, the buffer will overflow and in doing so will expose the data that was previously contained within the buffer.

Hackers could then examine this data and use it to gain full administrative access to a system. Using this access, they could install applications, view, modify, or delete data. An attacker could even create a brand new account with full administrative privileges.

Under normal conditions, the chances of this particular buffer overflowing on its own are pretty slim. However, if a hacker knows the specific details of the buffer, they could easily write a small program whose sole purpose is to flood it, causing the dreaded buffer overflow.

Now that you know how the security vulnerability works, you are probably wondering which Microsoft products are vulnerable and what you can do about the problem. In the sections below, I will address each product individually.

Windows NT
If you are still running Microsoft Windows NT 4.0, you are in a unique situation. None of the versions of Windows NT 4.0 install the affected code by default. Ironically, the affected code is installed into Windows NT as a part of a hot fix (MS03-041). If you haven’t installed this particular update, then you may not be affected by this problem. However, it is possible that other hot fixes might have installed the problem code. The only way to tell for sure is to search your system’s hard drive for a file named MSASN1.DLL. If this file exists, then you will need the update. The actual update that you apply will differ depending on the version of Windows NT 4.0 you are running. Here is a list of the various versions of Windows NT 4.0 and the locations of their respective updates:

* Windows NT Workstation 4.0 Service Pack 6A
* Windows NT Server 4.0 Service Pack 6A
* Windows NT Server 4.0 Terminal Server Edition Service Pack 6

Windows 2000
As with Windows NT, a default implementation of Windows 2000 Server or Windows 2000 Professional does not contain the security vulnerability. Instead, the vulnerability was introduced into these operating systems through service packs. Any machine running Windows 2000 Server or Windows 2000 Professional with Service Pack numbers two, three, or four are affected. Microsoft does intend to correct this issue in Service Pack five. In the mean time however, it is necessary to download and apply a fix. You can get the necessary fix from the Microsoft Download Center.

Windows XP
Windows XP is affected by the problem whether a service pack is installed or not. Both the Home and Professional versions are affected, as are the 32-bit and the 64-bit versions. If you are running the 64-bit version of Windows XP, then be sure to check out the section below on Windows Server 2003, because 64-bit versions of Windows XP use the same fix as the 64-bit version of Windows Server 2003.

Microsoft plans to include a fix for this vulnerability in Windows XP Service Pack two. In the meantime you should implement a patch to remove the vulnerability. Users of the 32-bit version of Windows XP can get the patch from the Microsoft Download Center. If you are running the 64-bit edition of Windows XP with Service Pack one, you can also get the necessary update from the Download Center. The same goes for users of the 64-bit version of Windows XP version 2003 with Service Pack one.

Windows Server 2003
As luck would have it, Windows Server 2003, the newest and supposedly most secure version of Windows in existence is also affected by this vulnerability. Because Windows Server 2003 is so new, there are currently no service packs to worry about, but Microsoft has committed to including a fix for this vulnerability in Service Pack one. In the meantime, you will want to apply a fix to get rid of the vulnerability. As with Windows XP, the fix that you will apply depends on whether you are using the 32-bit version or the 64-bit version.

Still not sure?
If you are still in doubt as to whether or not you need a fix and which fix you need, then I recommend downloading the Microsoft Baseline Security Advisor. This utility will analyze your system and tell you exactly what security patches are required.

There’s talk that Microsoft may introduce new certifications for desktop support and security. The discussion began last month at CompTIA’s 2002 Strategies conference. Microsoft’s Judith Morel announced that a worldwide Job Task Analysis survey of MCPs showed that MCSAs and MCSEs don’t spend much time working with client OSs. She added that there’s also strong interest in a security certification.

The desktop support strategy is certainly sound. That’s a niche that needs to be filled. For the last few years, help desk professionals have been turning to CompTIA for its A+ and even Network+ accreditations to demonstrate their desktop and basic networking expertise. But there is no reason to introduce a security certification.

Best online Microsoft MCTS Training, Microsoft MCITP Training at certkingdom.com

Squeaky wheels get greased
There’s been a noticeable softening in the way that Redmond deals with Microsoft Certified Professionals. It almost seems that if IT professionals complain loudly and long enough, Microsoft will cater to their wishes. I don’t believe that’s in the best long-term interest of those earning Microsoft certification.

First, the deadline for taking Windows NT 4.0 exams was extended. Then, Microsoft announced certifications would no longer retire. More recently, there have been rumblings that Microsoft is revisiting its decision to provide only pass/fail scores on exams. All of these reversals could serve to weaken Microsoft certifications.

The large chorus of complaints that followed the scoring change is certainly fueling Microsoft’s review of that system. I still believe, as I wrote in February, that numeric scores are unnecessary. Further, if you’ve busted your tail to earn a Microsoft certification, do you want someone who failed the same test you passed to be pointed to the topics they need to study again? I thought the purpose of a certification exam was to test your IT understanding and expertise, not to help you become certified.

Now it appears that Microsoft may cave in on the security certification as well. Back in January, Microsoft’s position was that there were enough certifications. A security certification wasn’t needed.

That was then. This is now.

The only reason I see for Microsoft to consider a security certification is that so many IT professionals are saying one is needed. I disagree. I see no place for a stand-alone security track among any software or hardware vendor. Leave the security certifications to the vendor-independent organizations like CompTIA.

Every exam should test security knowledge
Remember Microsoft’s TCP/IP exam? Exam 70-059: Internetworking with Microsoft TCP/IP on Microsoft Windows NT 4.0 seemed like a critical exam back in 1998. Many observers didn’t understand how Microsoft could discontinue such an important test at a time when TCP/IP had clearly won dominance over all other protocols.

Microsoft’s explanation was logical and appropriate. TCP/IP had become so dominant, so important, and so critical that Redmond no longer felt TCP/IP should be an elective or even an exam by itself. In fact, some IT professionals were earning MCSE certification without ever proving their TCP/IP expertise. To eliminate that problem, Microsoft began including TCP/IP content in each exam, thereby requiring candidates to prove their TCP/IP knowledge regardless of which exam they were taking. This was definitely the correct step to take.

Microsoft should do the same thing with security, and I believe it will.

Whether you’re taking an exam on supporting Windows XP, administering Exchange Server 2000, or configuring Windows .NET Server, you should be pelted with questions that test your security expertise. Security is as important as any other topic, regardless of whether the exam covers a client operating system, a critical application such as enterprise e-mail, or administering and configuring servers.

A quick look at current Microsoft exam objectives shows Redmond is on the right track. The Windows 2000 Pro exam tests your ability to:

* Encrypt data on a hard disk by using Encrypting File System (EFS).
* Implement, configure, manage, and troubleshoot local security policy.
* Implement, configure, manage, and troubleshoot a security configuration.

The Windows 2000 Server exam tests your ability to perform all those actions and to:

* Deploy service packs, which often include security upgrades.
* Install, configure, and troubleshoot a virtual private network (VPN).
* Implement, configure, manage, and troubleshoot security by using the Security Configuration Tool Set.

The Windows 2000 network infrastructure administration exam tests your ability to:

* Enable, configure, customize and manage IPSec.
* Remove EFS recovery keys.
* Manage and monitor network traffic.
* Configure remote access security.

Microsoft Exam 70-220: Designing Security for a Microsoft Windows 2000 Network is devoted entirely to security, as is much of Exam 70-227: Installing, Configuring, and Administering Microsoft Internet Security and Acceleration (ISA) Server 2000, Enterprise Edition.

The above list, while only a sampling, demonstrates that Microsoft is already testing candidates’ security knowledge. All it needs to do is continue that effort by ensuring that each certification exam it offers tests candidates on the appropriate and relevant security issues associated with each exam topic.

Why do so many security problems still exist?
Once you’ve secured your network, there’s only so much you can do to prevent breaches and the next round of viruses from wreaking havoc. Those who write new viruses and exploit new security holes identify new security weaknesses and create new threats because most IT professionals typically work to close known holes and vulnerabilities. I don’t see how any vendor could create a credible certification that tests your ability to close security holes that aren’t widely known to exist.

Microsoft software is frequently found to have security flaws because a large community of individuals constantly pokes, prods, and snoops to locate backdoors, breaches, holes, and other weaknesses. They choose Microsoft as a target because a large number of enterprises use Microsoft software. If OS/2 had the same enterprise presence that Windows does, I feel confident that you’d be reading many more articles about security holes that need to be fixed in OS/2.

Eckel’s take
The best any vendor can do is test IT professionals on their ability to understand fundamental security issues and ensure that those administering software and configuring hardware systems know how to make the most of available security tools and keep up with updates as they’re released. As John McCormick wrote last July, it’s clear many network administrators can improve their diligence.

Certification can help by reinforcing the fundamentals, but a new certification track isn’t the solution. Instead, security fundamentals should be emphasized in every IT exam.

Microsoft recently introduced a new product support life cycle policy designed to make support availability more predictable and consistent. This will allow customers to better plan their upgrades, instead of relying on announcements about the retirement of products or the discontinuation of support for them.

Under previous policies, customers couldn’t effectively plan upgrades. This had a significant impact on IT budgets and implementation plans. Microsoft’s new policy makes clear when the support for a product will end and what types of support are available during the product life cycle.

Best online Microsoft MCTS Training, Microsoft MCITP Training at certkingdom.com

The new policy should be of great benefit to those who rely on Microsoft products, especially its operating systems.

The policies
Microsoft has adopted two support policies—one that covers business and development software, the other for consumer products, hardware, and multimedia software. The primary difference between the two is that additional paid support is unavailable for consumer, hardware, and multimedia products.

Microsoft’s Support Lifecycle policy establishes two phases of support for business and development software.

The Mainstream Support Phase lasts at least five years from the product release date. Mainstream support provides the same options and services that are currently available, including free incident support, paid incident support, hourly charge support, warranty claim support, and hot fix support. In this phase, customers can suggest design changes or feature additions, and Microsoft will evaluate the requests.

At the end of that five-year period, customers can elect to purchase extended support, which covers the product for an additional two years. With extended support, you must pay for support on an hourly basis. To get hot fix support, you have to purchase a hot fix support contract within 90 days after the end of the mainstream period. During the extended phase, Microsoft will not respond to requests for warranty support, make design changes, or add new features.

Beyond the extended phase, customers can obtain additional support through Microsoft’s strategic partners. This custom support may include assisted support as well as hot fix level support.

Online self-help support—which includes access to the Microsoft Knowledge Base, FAQs, troubleshooting tools, and other resources—is available for a period of at least eight years after the product release date. So for at least one year after the end of the extended phase, customers will have access to online resources free of charge to resolve issues without contacting Microsoft.

For Microsoft’s consumer, hardware, and multimedia products, no extended support is available at the end of the mainstream phase. Customers will continue to have access to the self-help resources, however, for the same eight-year period from the product’s release.

Service packs and patches
In addition to the new support policy, Microsoft also announced a change in its Service Pack Support Policy, which extends the availability of support for product service packs.

Previously, Microsoft only offered support for the most recent service pack; it now offers support on the current and immediately preceding service packs. Support for preceding service packs will continue for up to one year after the release of the most current one. Customers can request new or receive existing hot fixes for both during the mainstream support phase.

Microsoft will not automatically create hot fixes for the immediately preceding service packs, however. If a customer needs a hot fix for the earlier service pack, it must contact Microsoft to request it.

Security patches
For business and development software, Microsoft will offer security patches through the extended support phase at no additional charge. Security fixes for most products will thus be available for seven years from the product release date.

Microsoft will provide security patches for its consumer, hardware, and multimedia products for five years—through the end of the mainstream support phase.

Coverage
Microsoft says the new policies cover most of its currently available and future product offerings. To verify that your product is covered by the policy, you should visit the product’s Web page or find it via the Locate Your Product page.

For additional information about Microsoft’s new policies, you can visit the Support Lifecycle Support Policy FAQ page.

Potential benefit
In the long run, the new policies likely won’t result in big changes in the way Microsoft’s customers use its products, but they will add better predictability to the product life spans. Because of the new policies, customers won’t be caught off guard by announcements of the discontinuation of support for particular products.