Become a patch-management expert

Become a patch-management expert

The days are long gone when we could just install Windows and never change it once we got everything working. Now, we’re faced with a different reality.

Smoothly handling a continuous series of upgrades — for Windows and many other pieces of software — is the key to keeping our computers safe from hackers and compatible with the latest technologies.

Patch management has become a crucial and in-demand skill in today’s world. So I’m excited that a new e-book has just been published that gives PC users and administrators a world-class education on the subject. Best of all, the company behind the e-book is giving it away for free.

Patch Management Best Practices is a 100-page, printable PDF file containing six chapters. The authors are Anne Stanton, president of the Norwich Group, a business-process consulting service, and Susan Bradley, a high-tech CPA and a contributing editor of the Windows Secrets Newsletter, whose Windows Patch Watch Column appears in the paid version.

The e-book is sponsored by and is being given away by Ecora Software Corp., the maker of Ecora Patch Manager, a serious upgrade-management solution. I was pleased to see, to the company’s credit, that the e-book contains almost nothing about Ecora and its products. Stanton and Bradley have focused on the facts Windows admins need on patch management — they haven’t written anything that could be considered an ad for the sponsor.

Patch Management Best Practices has emerged chapter-by-chapter over the past several months as the coauthors built up their information-rich resource. If you visit the Ecora home page today, the company still links to a giveaway offer for Chapter 4, for some reason. I advise you to ignore that and get the full e-book as soon as possible. 

Stanton and Bradley shatter the myth that only Windows needs regular patching. They give their readers a much broader understanding of the challenges that face every networked company:

• “The reality of what we protect today includes products beyond those developed and supported by Microsoft.

  "Third-party software we monitor for updates includes products from Apple, Macromedia, Real Networks, Adobe, WinZip, and many others. It even includes tracking vulnerabilities in antivirus agents.

  "Many firms also track Solaris, RedHat, SuSe, Oracle, Cisco, and even vulnerabilities in devices and printers from vendors such as Ricoh and HP."

To underscore the fact that it’s not just Windows we need to update, the authors cite numerous Internet attacks that have bedeviled users of other operating systems, applications, and devices:

• "In late December 2004, the ‘Sanity’ worm affected Web sites that included code from the phpBB Web forum.
• "The ‘Ramen’ worm shut down print servers.
• "In 2000, well-known vulnerabilities in the ToolTalk database server compromised Solaris systems.
• "The ‘Slapper’ worm attacked Apache Web servers."

Stanton and Bradley describe numerous ways to stay informed about updates from whichever vendors you may rely upon. To help you create test beds on which you can examine a given patch before installing it, the authors also describe the best ways to use backup and imaging solutions, such as Symantec Ghost, Acronis True Image, and others.

Frankly, you could teach a college-level course on patch management with the information that’s packed into this e-book.

The work makes no recommendation on which patch-management solutions (of the many that are now available) you should use. That isn’t the point of this book, however. The lineup of PM products changes so rapidly that any such recommendation would almost instantly be out of date. (See our Security Baseline Section, below, for the latest reviews of update-management software.)

There’s much more in the e-book itself, which you really should read for yourself. To get it, Ecora requires that you complete a short, free registration process, but the company is currently accepting any made-up e-mail address and phone number you may provide. If you wish to hear from the company, of course, you should enter valid information.

The work is available at Ecora’s e-book download page.

To send us more information about patch management, or to send us a tip on any other subject, visit WindowsSecrets.com/contact. You’ll receive a gift certificate for a book, CD, or DVD of your choice if you send us a comment that we print.

Brian Livingston is editor of the Windows Secrets Newsletter and the coauthor of Windows 2000 Secrets, Windows Me Secrets, and eight other books.

Scanners for office and home make the charts

We have scanner reviews this week to cover all of your needs. PC Magazine tests scanners that excel in optical character recognition for business, while Consumer Reports releases its ratings of consumer scanners. In this section, we link to respected expert reviews of the best Windows-compatible hardware products available today. Only head-to-head ratings of competing products — not individual reviews of single products — are indexed here.

		BUSINESS (OCR) SCANNERS Xerox tops PC Mag scanner list PC Magazine compares eight scanners that support functionality businesses typically need, such as optical character recognition (OCR) and multiple document management. Xerox DocuMate 262 (Editors’ Choice, Score: 4.5/5.0) Link to all ratings and full review
		PHOTO-QUALITY SCANNERS Consumer Reports rates two scanners Best Buys Unlike the business scanners above, Consumer Reports’ scanner review focuses on photo-quality scanning. Both Canon and Epson beat out 15 competing models for the title of Best Buy. Canon CanoScan 4200F (Best Buy, Score: Very Good) Epson Perfection 2480 Photo (Best Buy, Very Good) Link to all ratings and full review
		DIGITAL CAMERAS Two winners in Mobile Mag camera shootout Nineteen cameras are tested in three different categories. The editors at Mobile Magazine give their highest awards to the HP (left) and Kodak offerings. Casio Exilim Zoom EX-Z50 (Ultracompact, Score: 4.0/5.0) HP Photosmart R717 (Midrange, Mobile Choice, 4.5) Kodak EasyShare DX7590 (Enthusiast, Mobile Choice, 4.0) Link to all ratings and full review
		ULTRACOMPACT MP3 PLAYERS Four-way tie for CNET’s MP3 Editors’ Choice The editors at CNET choose four of the eleven MP3 players they tested, all of which were reviewed together for their super-small size. Apple iPod Mini (6GB, silver) (Editors’ Choice, Score: 8.7/10.0) Samsung YEPP YP-T7X (512MB) (Editors’ Choice, 8.7) Cowon America iAudio U2 (1GB) (Editors’ Choice, 8.7) Creative MuVo TX FM (256MB) (Editors’ Choice, 8.3) Link to all ratings and full review
		iPOD SPEAKERS WSJ picks Bose to amp up the iPod The Wall Street Journal looks at some new additions to the field of iPod external speakers. Of the four they tried, they recommend the Bose SoundDock for its sound quality. Bose SoundDock (Score: Best Overall) Link to all ratings and full review
		INKJET PRINTERS Consumer Reports recommends Canon inkjet In a special test section on inkjet and laser printers, Consumer Reports tortured 17 all-purpose inkjet printers. The editors pick Canon as their Best Buy on the basis of quality and cost. Canon Pixma iP4000 (Best Buy, Score: Excellent) Link to all ratings and full review
		4″ X 6″ PHOTO PRINTERS CR gives ‘Excellent’ photo score to HP Forget the photo lab. Consumer Reports compares thirteen 4″ X 6″ printers and finds that the HP offers the best quality in snapshot printing. HP PhotoSmart 245 (Quick Pick, Score: Excellent) HP PhotoSmart 375 (Quick Pick, Excellent) Link to all ratings and full review
		LASER PRINTERS SOHO laser printers go head-to-head Consumer Reports magazine puts a few affordable laser printers up against each other. Of the three black-and-white text printers tested, Brother proves to be the fastest and cheapest and gets the editors’ Quick Pick recommendation. Brother HL-5140 (Quick Pick, Score: Very Good) Link to all ratings and full review
		NETWORK ATTACHED STORAGE PC Mag recommends NAS for workgroups Whether for work or home, PC Magazine names the Buffalo TeraStation (left) as the top network storage device. The Adapter Snap Server is a better match for large companies. Buffalo TeraStation (Home and small-office NAS, Editors’ Choice, Score: 4.0/5.0) Adaptec Snap Server 4500 (Entry-level business-class NAS, Editors’ Choice, 4.5) Link to all ratings and full review Note: The links above lead to information from U.S. sources. For information from sources in other countries, enter the name of any reviewed product into a search box at one of the following links: Canada / Elsewhere Vickie Stevens is research director of WindowsSecrets.com.

Make Windows work the way you want

By Paul Thurrott

I’m tired of Microsoft forcing its hand-holding tools on me. This week, I’m going to start examining the ways we make Windows work the way we need it to, not the way Microsoft wants it to.

This week, Apple is releasing Mac OS X 10.4 “Tiger,” the latest version of its Unix-based operating system. The Mac has come a long way during the four-year lifetime of OS X. While reviewing Tiger for the SuperSite for Windows recently, I started thinking about the ways in which this OS really differs from Windows XP.

The most obvious way concerns the respective systems’ user interfaces. Mac fans are quick to point out that OS X “gets out of your way,” which is an allusion to the Mac’s Spartan user interface. There’s some truth to that. By comparison, Windows XP is adorned in Fisher-Price blues and greens. XP also tries to pop-up tiring software wizards at the most inopportune times.

Well, I’ve had enough.

No, I’m not switching to Mac OS X. I’m just tired of the constant hand-holding and other XP-related silliness. I need Windows’ hardware and software compatibility. And I need to run the latest applications and services that only run on XP, such as Movie Maker 2.1 and Photo Story 3. So I’m not downgrading to Windows 2000 either. What I am doing, however, is taking back my desktop. My Windows desktop.

I need your help. I have some basic ideas, which I outline below, about reclaiming XP. But my guess is that many of you have thought about these issues and have developed your own plans for making XP behave. I’d like to collect some of these ideas and write a follow-up with three or so of the best tips and tricks. If I use one of your tips in that article, the newsletter will send you a gift certificate for any book, CD, or DVD of your choice. Drop me an e-mail via paul at thurrott dot com if you’d like to help.

For starters, I have a process I go through each and every time I reinstall Windows. I won’t bore you with the details of some of the more obvious things I do — turn on ClearType, change the background image, and so on. But there are some not-so-obvious things I do each and every time I install Windows. The idea is to create a lean and mean XP setup that works the way I want it to.

Fade the interface to gray

The first thing I do is turn off the XP “Luna” user interface and return to the more pleasing grays of Windows 2000. This is done by right-clicking the Desktop, clicking Properties, then choosing Windows Classic Style from the Appearance tab of Display Properties.

Simply turning on this display style isn’t enough. I also speed up XP’s Explorer windows by removing the task panes and forcing all folders to display in List mode. To remove XP’s unnecessary task panes in Windows Explorer, click Tools, Folder Options, then select Use Windows classic folders.

To force List mode on all Explorer windows, navigate to a folder such as C:Program Files and then choose List from the Views button in the menu. Then open Folder Options again, select the View tab, and press the Reset All Folders button. Click Yes in the dialog box that appears, then press Apply to All Folders. (Incidentally, you can still go and customize certain folders to use other folder styles. For example, you may still want My Pictures to use Thumbnails.)

Power users will want to take this time to peruse the Advanced settings in this part of Folder Options. For example, you may want to show hidden and system files, or always show file extensions.

Fix Windows’ search silliness

Next up is that damn dog. You know what I’m talking about. Select Search from the Start Menu and the progeny of Microsoft Bob appears, a little orange dog that has no business in a product called Windows XP Professional. To kill the puppy, select Change preferences and then Without an animated screen character. Then select Change preferences again, followed by Change files and folders search behavior, and then Advanced. Then, click OK and — voilà! — XP search acts just like the one in Windows 2000.

That’s not a huge compliment, actually. Windows 2000 search stinks too. So think about a better desktop search tool like Google Desktop Search, Yahoo! Desktop Search Beta, Copernic Desktop Search, or my current favorite, MSN Toolbar Suite 2.0 Beta. Any of these free products offer much better desktop searching than the default Windows tool. And each of them integrates with popular email programs as well.

Start me up with a better menu

I like the utility of the XP Start menu, even if it is a bit ugly with the XP Luna theme turned off. The XP Start menu offers quick ways to find recently used documents and applications, and has links to commonly needed system locations like My Computer and My Documents. But if you’re using the old Windows 2000-style Start menu, do yourself a favor. Turn off personalized menus. Then, customize the Start menu to do your bidding.

To turn off personalized menus, right-click the Start button and choose Properties. Then click the Customize button next to Classic Start Menu and scroll down to the bottom of the Advanced Start menu options list. Deselect Use Personalized Menus.

To customize the Start menu, right-click the Start button and choose Open (or Explore). This will open an Explorer window. Navigate into Programs and then start customizing. I usually create logical groups like “Digital Media,” “Internet,” and “Utilities,” and then drag in the other program shortcuts and folders as appropriate. The result is a much smaller and easily navigated Start menu.

Customize with Konfabulator and SecureZIP

Desktops and color schemes are fun, but I need to get work done. There are a few desktop tools I can’t live without. The first is Konfabulator, a $25 utility that lets you place widgets all over your desktop. These widgets run the gamut from clocks and calendars to weather reports and games. But some of the Konfabulator widgets are truly useful, letting you monitor such things as drive space, memory, and battery life. Check out the Gallery pages on the Konfabulator Web site for inspiration. Konfabulator is free to try, and a bargain at $25 to register.

Everyone is familiar with ZIP archives. Although XP includes Compressed Folders as a built-in feature, a lot of people have turned to a third-party solution, such as WinZIP. But I use a lesser-known tool called SecureZIP, which provides much better security than WinZIP. Like WinZIP, SecureZIP lets you create encrypted ZIP files. However, unlike WinZIP, SecureZIP actually hides the contents of a ZIP file until you’ve presented the correct password. At $100, it’s not cheap. But if security is a concern, it’s a must-have, in my opinion. Combined with XP’s Encrypting File System (EFS), SecureZIP can help ensure that your system’s valuable data will be secure even in the event of physical theft.

OK, you get the idea. I suspect you’ve already spent a lot of time figuring out how to take back your own Windows desktops. Let me know how you do it.

Paul Thurrott, associate editor of the Windows Secrets Newsletter, is the author of Windows XP Home Networking, 2nd Ed., and Great Digital Media with Windows XP and the author or co-author of several other books.

Windows Web features allow exploits

By Chris Mosby

The Web is a highly graphical place. Web sites will do whatever they can to catch your eye, and some will try to use that against you to do your computer harm. In some cases, operating system features can be used against you as well. The thing to remember is that just because something is slick and flashy, doesn’t mean it’s secure.

The real trick is to find the balance between "flashy functionality" and "safe and secure." This task is getting harder and harder on the Web as hackers exploit software features almost as fast as developers can design workarounds against them.

Windows 2000 Web View is vulnerable

A vulnerability was recently discovered in Windows 2000’s Windows Explorer "Web folder view." This hole allows an infected file, such as a Word document, to run scripts or other code without your knowledge, whether the user has administrative rights or not. This exploit will work if the infected document is merely selected in a Windows Explorer window with Web Views enabled. The exploit does not require that the document be opened.

This vulnerability has been confirmed on fully patched Windows 2000 SP4, but does not affect Windows XP or Windows Server 2003. Proof of concept code is already available on the Web, making this hole a serious threat that may soon be seen in the wild.

What to do: To keep this exploit from infecting your computer, disable the Web View capability of Windows Explorer in Windows 2000. This can be done via the following steps:

• Step 1. Open the Tools menu in Windows Explorer.
• Step 2. Select Folder Options.
• Step 3. Select the General tab.
• Step 4. Then select the Use Windows classic folders option.
• Step 5. Click OK on all open dialog boxes to save your changes.

For more detailed information about this exploit, see the Secunia advisory or the original advisory at GreyMagic, which announced the weakness and released exploit code.

Windows XP is crashed by large images

The ability to show images is one of the things that’s made the Internet so popular. It shouldn’t be a surprise that a way has been discovered to exploit this fundamental part of the Web.

Windows XP is vulnerable to being crashed by an error in its rendering of very large images. Typically this occurs in Internet Explorer when viewing images with very large height and width settings in HTML files. Used with other exploits, a hacker could use this weakness to cause your computer to be unstable and prevent you from using it.

This problem has been confirmed in Windows XP SP2, but also may be present in other versions of XP.

What to do: This problem is pretty new, and details are still coming in. If you ue IE, disabling images is not really an option. Your best plan of action is to follow the IE hardening guidelines detailed in the Nov. 11, 2004, issue of the Windows Secrets Newsletter. This may keep this problem from presenting much of a threat.

Chris Mosby is a contributor to Configuring Symantec Antivirus Corporate Edition and is the Systems Management Server administrator for a regional bank. In his spare time, he runs the SMS Admin Store.

I think I'mreading Japanese (bulletins)

By Susan Bradley

Where has the week gone? We started with a new pope, we’re still shaking out issues with both Windows 2003 SP1 and Microsoft’s April patches, and I’ve decided that turning Japanese is the way to go. At least when it comes to security bulletins, anyway.

Let’s start off with the language situation, and then turn to some issues I’ve seen that’ve cropped up since my last Patch Watch.

Why Japanese bulletins are clearer

It was Steve Riley, a senior program manager in Microsoft’s Security Business and Technology Unit, who first pointed out that the Japanese version of Microsoft security bulletins are actually very helpful in clearly identifying how the "bad guys" can get you.

While it may otherwise take several pages of reading to come to conclusions in any bulletin (regardless of your language), looking at the pictures in the Japanese security bulletins can, interestingly enough, be quite helpful in understanding the impact.

Take, for example, two bulletins I showcased in the last issue as being critical: MS05-021 (894549), the Exchange server security issue, and MS05-023 (890169) the Office patch. On the Japanese Web site, MS05-021 looks like this, and MS05-023 looks like this.

Above: Illustration from the Japanese version of MS05-021.

Having pictures that demonstrate how something will "get you" helps me better understand the risks.

2003 SP1 bonks MOM Admin Console

First off, Microsoft’s Operations Manager (aka "MOM") had issues with the Administrator Console failing after you install Windows 2003 SP1. There’s now a patch available to fix this issue.

TCP/IP patch causing a few fits

Security Bulletin MS05-019 (893066) is so far the "problem bulletin" of the April batch. Issues have been reported on NTBugtraq regarding VPN and FTP issues. So far, one of the recommended workarounds for Windows 2003 we’ve been seeing is to adjust the MTU setting on clients and on the servers to 1400.

Proofs of concept circulate before fixes

Historically speaking, two years ago we had about 12 months between when a patch was released and when we saw exploits "in the wild." Around a whole year could go by before you truly saw worms, viruses or exploits circulating on the Web.

These days, I’ve seen so much "test exploit code" and so many "proofs of concept" pass through my e-mail since the April 12 bulletins came out that I’ve lost count of which flaws don’t have such things already floating around the Web.

The Security Mentor blog touched on how the progression from patch to proof-of-concept to exploit to worm is getting shorter and shorter. I recently did a Webcast on Windows Patches and included a table of the shortening time frame we have these days between patching and exploit. We’re now even suffering from "security firms" that disclose vulnerabilities before there’s a patch.

The MSRC blog, in fact, has a discussion regarding a recently published exploit, which affects Windows folder views, for which there’s no patch at this time. (See "Windows 2000 Web views can be expoited" in Chris Mosby’s column, above.)

My view is similar to that of the Microsoft Security Response Center — it would take quite a bit of user interaction for this to affect my company. Therefore, I place a higher priority on people installing the MS05-021 (894549) Exchange patch and the MS05-023 (890169) Office patch, both of which came out on April 12. Many small firms do not have automatic patch tools that will roll these two fixes out. (See my article in the Apr. 14 newsletter for instructions on downloading these patches manually.)

Patching tools are coming our way

I read the great news this week that both WSUS (Windows Server Update Services) and MU (Microsoft Update) appear to be on track to be released in June. WSUS is the small- and medium-business patch tool (formerly called Software Update Service) that will allow a firm to download patches to a server and then deploy the patch. Microsoft Update is the next version of Windows Update, which will support Windows and Office patches as well as Windows bump revs. When these two tools come out, we’ll have a lot more help managing patches on our systems.

Opera’s siren song is getting louder

The buzz surrounding Opera is getting louder this week with word that the company had to install new servers to handing the demand for downloads. This is partially due to the fact that we still have to face unpatched issues with Internet Explorer, while Firefox users are urged to update to another minor revision, this time to 1.0.3, to protect against a Javascript Engine information disclosure, among other things.

Apple users, don’t forget to patch

Vulnerabilities come in all shapes and sizes, and this month is no exception. Apple users are urged to upgrade to the 10.3.9 version due to some critical patches that just came out. As in any operating system these days, there’s a new browser patch to protect against HTML and Java exploits.

Last but not least

I typically end Patch Watch columns with a reminder that you need to contact Microsoft Product Support Services and urge MS to resolve any issues you find with patches. This was recently emphasized on the security blog of Microsoft employee Jerry Bryant. If we don’t call in, these issues won’t get resolved.

Susan Bradley is a Small Business Server and Security MVP — Most Valuable Professional — a title bestowed by Microsoft on independent experts who do not work for the company. Known as the “SBS Diva” for her extensive command of the bundled version of Windows Server 2003, she’s a partner in a CPA firm and spends her days cajoling vendors into coding more securely.

Choosing a patch-management solution

By Mark Burnett

It was just a few years ago that I complained that patch management shouldn’t be something we have to think about to use a PC. I trust my local lube shop to keep my car’s fluid levels topped off. I trust my lawn service to spray my lawn with the appropriate treatment each month. And I trust my financial software to keep my checkbook balanced. I wanted to trust someone else to keep my system patched.

I got my wish. In fact, I got so much of my wish that now the market is flooded with patch-management solutions. Last year, I wrote an article (now out-of-date) comparing patch-management systems. By the time it got published, the number of available products had nearly doubled.

And that’s not counting all the general system-management software that’s added patch management to its feature list. My new problem is deciding which solution, out of all these, is best for me.

There’s no single best answer

If you investigate some of the available applications, you’ll see that they vary greatly in price, features, automation, and product support. Some solutions only work well for small networks, while others aren’t worth the cost and trouble unless you manage several thousand workstations.

Some systems require too much user interaction, while others are so automated that you can’t interact with them even if you want to.

Before you even start looking at different products, take a minute to look at your patch-management requirements. Below are some of the things to consider.

Product support

Perhaps the most important feature to consider is product support. Each patch-management solution supports a different list of products, so make sure your products are on the list.

Some solutions support a wide variety of products but might not be too accurate, while other solutions focus on accuracy and timeliness for a smaller set of products.

If your organization spans the globe, watch for support for international patches. Many companies only support English patches, but there are a few that keep on top of all languages.

Number of seats

It’s important to know exactly how many systems you need to patch because that makes a big difference in usability and cost. In particular, some products get significantly cheaper per seat when you’re dealing with large networks.

Watch out for what each company claims as the maximum number of clients. Although the system might support a large number of clients, you need to test the user interface because some products are too cumbersome to use with more than 20 systems. Likewise, some products are cumbersome when managing only a few systems.

Another consideration: Does the product support multiple administrators managing patches from multiple locations?

Scanning features

Determine how you expect to manage patches and take a look at how all your systems connect. You might have a single Windows domain or you might have a large number of standalone systems.

This is important because some systems use network authentication to check for patches while others require an agent installed on each client. The method you choose largely depends on your network structure.

Also consider extra scanning features each products might have, such as Active Directory integration, scheduled scans, and custom scan parameters.

Custom updates

Another feature that might be important in your environment is the ability to perform custom updates, such as custom patches, temporary workarounds, non-security updates, and even software deployment.

One cool feature I’ve seen on some products is the ability to distribute anti-virus and spyware signature updates.

Patch deployment

This is one area where most products do well, but not always. Some things to consider are administrator alerts to users, client postponement of installation, remote system rebooting, remote rollback, and status monitoring.

Also important is to make sure the patch deployment is secure. A patch manager should encrypt traffic and use some method to verify the identity of the server and check the validity of patches.

Reporting

Finally, you should consider what information you might want to see in reports. Some products have very robust reporting features. Others use standard ODBC databases, so you can build your own reports using any reporting tool you desire.

Where’s the list of products?

You may have noticed that I was careful not to mention any particular products here. The problem is that the list is so huge and grows so fast that it is way beyond the scope of this column. Unfortunately, finding an updated list on the Web is also difficult.

A good place to start is PatchManagement.org. From there you can subscribe to a patch-management mailing list and check out their product comparisons, which include a number of articles about patch management.

I got what I wished for, but I guess it’s possible to have too much of a good thing. It might take a couple more years for some companies to fail and others to merge before we have clear market leaders. Until then, make sure you know your requirements and know your products before you make a big investment.

Mark Burnett is the author of Hacking the Code, coauthor of Stealing the Network: How to Own the Box, and an independent security consultant.

Pitfalls of future-date testing

By Ian Maddox

In the past, many software developers made the mistake of assuming that their applications wouldn’t be in use several years down the road. This was the case in the Year 2000 bug and will be the case in the upcoming 2038 bug.

In order to prevent this class of problems, some developers have been performing an increasing amount of future-date testing. However, this form of testing isn’t easy or without problems, as reader Mike Morrison describes:

• “For companies that have to date-test their applications — like Insurance processing or financial securities systems — this becomes very hard when running under Microsoft’s Active Directory.

  “For example, you work for a branch of the government that has a distributed application that manages the Federal Debt. Your job is to verify the results of this application with varying interest rates once a month for the years going forward.

  “How do you do this? The old easy answer in a pre-Active Directory environment was you would simply move the system time forward on those machines that ran the processes relevant to the application. With Active Directory, moving the system clock on these machines effectively locks them out of the domain… they can’t see each other since they can’t authenticate with the DC.

  “You would be surprised at the number of very large corporations that ‘discover’ this problem on a weekly basis.”

So, how does one perform future-date testing in an Active Directory environment?

In KB 289668 and KB 244703, Microsoft stresses you should never change the time on a production Windows server in order to run date-tests.

Don’t fret, though. Solution-Soft, where Morrison works, has developed a tool called Time Machine. It allows testers to define a number of “virtual clocks,” which can be limited (and only visible to) certain processes or users.

There appear to be few other players in this market right now. Many future-date testing firms closed their doors after Y2K.

Support for MS AntiSpyware beta

Phil Hines writes, in response to a writer who stated there was no support for the MS AntiSpyware beta:

• “In the Security Baseline section of the April 14 Windows Secrets Newsletter, it states

  > Bass found that the much-hyped Microsoft AntiSpyware app, currently in beta, missed some spyware that CounterSpy caught and there’s no way for users to report problems to MS or get technical support, unlike other betas.

  “I am not a Microsoft shill by any means, but there is a way, albeit indirect, to report bugs or get ‘technical support.’ Microsoft has set up a series of newsgroups dedicated to the AnitSpyware beta. Just a little bit of clarification.”

The AntiSpyware support can be found in Microsoft’s newsgroups.

ID theft and fraud alert info

Sometimes, all of our best efforts just aren’t enough to keep personal or financial information out of the hands of malefactors. Reader Bob Mendell writes in with the following links to help U.S. citizens whose vital data have been compromised:

• Number to call to request a free automated fraud alert for all three major credit-reporting agencies: (800) 525-6285
• FTC’s consumer ID theft page
• Identity Theft Resource Center
• Privacy Rights Clearinghouse, featuring a chronology of personal data breaches since Feb 15, 2005
• ChoiceTrust property and auto claims history check, a free service

Readers Morrison, Hines, and Mendell will receive a gift certificate for a book, CD, or DVD of their choice for sending us tips we printed.

Ian Maddox is program director of WindowsSecrets.com.

First radio station to play nothing but podcasts

A San Francisco radio station announced on Apr. 27 that it will begin playing nothing but "podcasting" that is contributed by its listeners. Podcasts are MP3-player-compatible audio files that are placed on the Internet and made discovered via RSS (really Simply Syndication) or other means. The practice caught on last summer and shows no signs of abating. The radio station formerly known as KYCY-AM is changing its call letters to KYOU. Beginning on May 16, listeners can hear it in San Francisco at 1550 AM or tune in worldwide for streaming music across the net. For more info, see KYOUradio.com