Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don't do it.
Microsoft allows bypass of Vista activation
In this issue
- TOP STORY: Microsoft allows bypass of Vista activation
- LANGALIST PLUS: Improving your Windows networking defaults
- WACKY WEB WEEK: Hey, can you throw me a beer?
- LANGALIST PLUS: Monitoring your children's Internet use
- OVER THE HORIZON: The missing Microsoft patches, part 1
- PATCH WATCH: Server 2003 Service Pack 2 is released
Microsoft allows bypass of Vista activation
By Brian Livingston
Microsoft always says it opposes “software pirates” who sell thousands of unauthorized copies of Windows. But the Redmond company has made things a lot easier for pirates by adding a line to the Registry that can be changed from 0 to 1 to postpone the need to “activate” Vista indefinitely.
Activation doesn’t stop true software piracy
As most Windows users know, Microsoft has required “product activation” since the release of Windows XP in 2001. XP must be activated by communicating with servers in Redmond within 30 days of installation. By contrast, Microsoft Office XP, 2003, and 2007 require activation before the package is used 5 to 50 times, depending on the version, according to a company FAQ. If a PC has no Internet connection, a user may activate a product by dialing a telephone number in various countries.
The activation process will complete successfully only if the software has not been previously activated, such as on a different machine. If activation isn’t completed within the trial period, Microsoft products temporarily shut down some of their features. MS Office loses the ability to edit and save files. After Vista’s activation deadline runs out, the user can do little other than use Internet Explorer to activate the operating system or buy a new license.
Microsoft describes its product activation scheme as a way to foil software pirates. However, as I previously described in an InfoWorld Magazine article on Oct. 22, 2001, activation does nothing to stop mass piracy. The Redmond company actually included in Windows XP a small file, Wpa.dbl, that makes it easy for pirates to create thousands of machines that validate perfectly.
Far from stopping software piracy, product activation has primarily been designed to prevent home users from installing one copy of Windows on a home machine and a personal-use copy on a laptop. As I explained in an article on Mar. 8, buying a copyrighted work and making another copy strictly for personal use is specifically permitted to consumers by the U.S. Copyright Act and the copyright laws of many other countries.
For example, courts have repeatedly ruled that consumers can make copies of copyrighted songs or television programs for personal use (not for distribution or resale). This principle is legally known as "fair use." The home edition of Microsoft Office 2007 reflects this principle, allowing consumers to activate three copies of a single purchased product. Microsoft Windows XP and Vista, however, allow only one activation.
Surprisingly, Microsoft has embedded into its new Vista operating system a feature that makes things easier than ever for true, mass software pirates. These tricksters will be able to produce thousands of Windows PCs that won’t demand activation indefinitely — at least for a year or more.
Leaving the activation barn door open
I reported in a Feb. 1 article that the upgrade version of Windows Vista allows itself to be clean-installed to a new hard drive. The new Microsoft operating system completely omits any checking for a qualifying previous version of Windows. This allows the upgrade version of Vista to successfully upgrade over a nonactivated, trial version of itself.
After my article appeared, ZDnet blogger Ed Bott summarized the secret in a post on Feb. 15. He flatly states, “You satisfied every condition of the license agreement and aren’t skating by on a technicality. The fact that you have to use a kludgey workaround to use the license you’ve purchased and are legally entitled to is Microsoft’s fault.”
In my own piece, I had speculated that clean-installing the upgrade version of Vista “probably violates the Vista EULA (End User License Agreement).” But more and more computer experts are saying that the procedure is fully compliant with the EULA and, in any event, is perfectly legal.
I wrote a follow-up story on Feb. 15. I reported that Microsoft includes in Vista a one-line command that even novices can use to postpone the product’s activation deadline three times. This can extend the deadline from its original 30 days to as much as 120 days — almost four months.
PCWorld.com posted a report on my story on Feb. 17. The magazine quotes a Microsoft spokeswoman as saying that extending Vista’s activation deadline as I described it “is not a violation of the Vista End User License Agreement.” I’m glad that’s clear.
The feature that I’m revealing today shows that Microsoft has built into Vista a function that allows anyone to extend the operating system’s activation deadline not just three times, but many times. The same one-line command that postpones Vista’s activation deadline to 120 days can be used an indefinite number of times by first changing a Registry key from 0 to 1.
This isn’t a hacker exploit. It doesn’t require any tools or utilities whatsoever. Microsoft even documented the Registry key, although obtusely, on its Technet site.
But dishonest PC sellers could use the procedure to install thousands of copies of Vista and sell them to unsuspecting consumers or businesses as legitimately activated copies. This would certainly violate the Vista EULA, but consumers might not realize this until the PCs they bought started demanding activation — and failing — months or years later.
The following describes the Registry key that’s involved.
Step 1. While running a copy of Windows Vista that hasn’t yet been activated, click the Start button, type regedit into the Search box, then press Enter to launch the Registry Editor.
Step 2. Explore down to the following Registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SL
Step 3. Right-click the Registry key named SkipRearm and click Edit. The default is a Dword (a double word or 4 bytes) with a hex value of 00000000. Change this value to any positive integer, such as 00000001, save the change, and close the Registry Editor.
Step 4. Start a command prompt with administrative rights. The fastest way to do this is to click the Start button, enter cmd in the Search box, then press Ctrl+Shift+Enter. If you’re asked for a network username and password, provide the ones that log you into your domain. You may be asked to approve a User Account Control prompt and to provide an administrator password.
Step 5. Type one of the following two commands and press Enter:
slmgr -rearm
or
rundll32 slc.dll,SLReArmWindows
Either command uses Vista’s built-in Software Licensing Manager (SLMGR) to push the activation deadline out to 30 days after the command is run. Changing SkipRearm from 0 to 1 allows SLMGR to do this an indefinite number of times. Running either command initializes the value of SkipRearm back to 0.
Step 6. Reboot the PC to make the postponement take effect. (After you log in, if you like, you can open a command prompt and run the command slmgr -xpr to see Vista’s new expiration date and time. I explained the slmgr command and its parameters in my Feb. 15 article.)
Step 7. To extend the activation deadline of Vista indefinitely, repeat steps 1 through 6 as necessary.
Any crooked PC seller with even the slightest technical skill could easily install a command file that would carry out steps 1 through 6 automatically. The program could run slmgr -rearm three times, 30 days apart, to postpone Vista’s activation deadline to 120 days. It could then run slmgr -rearm every 30 days, for a period of months if not years, by first resetting the SkipRearm key.
The program could be scheduled to check Vista’s activation deadline during every reboot, and to remind the user to reboot once a month if a deadline was nearing. The buyer of such a PC would never even see an activation reminder, much less be required to go through the activation process.
If you happen to buy a Vista PC from a little-known seller, and the price was too good to be true, use Vista’s search function to look for the string SkipRearm in files. You may discover that your "bargain" computer will mysteriously start demanding activation in a year or two — but your product key won’t be valid.
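The check suggested above, written out as an added example that is not part of the original article: it looks for the strings the article names (SkipRearm and the two rearm commands) in script-type files, reading each file as both ANSI and UTF-16LE because Registry Editor exports .reg files as UTF-16. The extension list, the size limit and the sample files are assumptions constructed for the illustration.

```python
import os
import re
import tempfile

# Strings the article names: the Registry value and the two rearm commands.
MARKERS = {
    "SkipRearm": re.compile(r"skiprearm", re.I),
    "slmgr -rearm": re.compile(r"slmgr(\.vbs)?\s+[-/]rearm", re.I),
    "SLReArmWindows": re.compile(r"slrearmwindows", re.I),
}

# Assumption: file types a pre-installed command file or scheduled job might use.
# "" covers extensionless files such as Vista's Task Scheduler task definitions.
SCRIPT_EXTS = {"", ".bat", ".cmd", ".vbs", ".js", ".wsf", ".ps1", ".reg", ".xml", ".inf"}
MAX_BYTES = 2 * 1024 * 1024  # assumption: only the first 2 MB of each file is read


def markers_in(data):
    """Return the names of the markers found in raw file bytes."""
    # latin-1 never fails and covers ANSI/UTF-8 text; the second view catches UTF-16LE.
    views = (data.decode("latin-1"), data.decode("utf-16-le", errors="ignore"))
    return {name for name, rx in MARKERS.items() if any(rx.search(v) for v in views)}


def scan(root):
    """Walk root and return sorted (path, [marker names]) for every file with a hit."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if os.path.splitext(fname)[1].lower() not in SCRIPT_EXTS:
                continue
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(MAX_BYTES)
            except OSError:
                continue  # locked or unreadable file: skip it and keep scanning
            hits = markers_in(data)
            if hits:
                findings.append((path, sorted(hits)))
    return sorted(findings)


def demo():
    """Build three constructed sample files and scan them."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "monthly.cmd": b"rem constructed sample: mentions SkipRearm\r\n"
                           b"rem and slmgr -rearm\r\n",
            "setting.reg": ("\ufeffWindows Registry Editor Version 5.00\r\n"
                            '; constructed sample naming "SkipRearm"\r\n').encode("utf-16-le"),
            "backup.cmd": b"echo nightly backup complete\r\n",
        }
        for name, content in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(content)
        return [(os.path.basename(p), hits) for p, hits in scan(root)]


if __name__ == "__main__":
    for name, hits in demo():
        print(name, hits)
```

On a real machine, pass the drive root to scan(); each hit is a file to open and read, since the marker alone does not show what the file does.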
I asked Microsoft why SkipRearm is included in Vista if it can be used to create machines that appear not to need activation for long periods. A Microsoft spokeswoman replied, “I connected with my colleagues and learned, unfortunately, we do not have information to share at this time.” (I can’t identify the speaker because the policy of Waggener Edstrom, Microsoft’s public-relations firm, prohibits the naming of p.r. spokespersons.)
In my testing of Microsoft’s back-door loophole, I’ve found that the technique can be used to postpone the activation deadline one year or longer. It may or may not, however, work forever, as I describe below.
Why does SkipRearm even exist in Vista?
The Vista development team apparently inserted the SkipRearm loophole to help major corporations work around Microsoft’s new Volume Licensing Agreement. This new program, which the Redmond company calls "Volume Licensing 2.0," requires buyers to set up a Key Management Service (KMS) host, as described by a Microsoft FAQ. Companies must choose from two types of digital keys and three different methods of activation to validate thousands of individual Vista machines within the corporate LAN.
Activation of Windows XP, by comparison, requires merely that volume purchasers use a single product key. Corporate buyers obtain a unique key when signing a Volume Licensing Agreement. Microsoft has said, however, that most Windows XP piracy involves stolen product keys that are used by others to activate unauthorized machines.
The new KMS requirement is intended to discourage such piracy, but it places a heavy burden on corporate IT administrators. For example, Microsoft provides a tool called System Preparation (sysprep.exe) to prepare Vista machines for use. If a system can’t be completely prepped within 30 days after installation, an admin can run the command sysprep /generalize to postpone the activation deadline another 30 days. However, like the slmgr -rearm command, sysprep /generalize will only succeed three times.
To work around this, as a Technet document states, "Microsoft recommends that you use the SkipRearm setting if you plan on running Sysprep multiple times on a computer." This is echoed by Microsoft Knowledge Base article 929828.
Contributing editor Susan Bradley points out, "The good guys have to go through this stupid implementation of a KMS deployment because of bad guys abusing the system." She strongly feels that users should comply with Microsoft’s EULA provisions. "The operating system license has always been a one-machine install. … Many of us forget the multiple-install rule [for Microsoft Office] since we are so used to the one license, one install rule," she adds.
In its TechNet documents, Microsoft recommends the repeated use of SkipRearm. How many times is "multiple times"? My testing revealed that the answer is, well, indefinite.
• On a copy of Vista Ultimate that Microsoft released in New York City on Jan. 29, I found that changing SkipRearm from 0 to 1 allowed the command slmgr -rearm to postpone Vista’s activation deadline eight separate times. After that, changing the 0 to 1 had no effect, preventing slmgr -rearm from moving the deadline. The use of slmgr -rearm 3 times, plus using SkipRearm 8 times would eliminate Vista’s activation nag screens for about one year (12 periods of 30 days).
• On a copy of the upgrade version of Vista Home Premium that I bought in a retail store on Jan. 30, slmgr -rearm also worked 3 times and SkipRearm worked 8 times before losing their effect. This combination would, as with Vista Ultimate, permit a one-year use of Vista without nag screens appearing.
• On a copy of the full version of Vista Home Premium that I bought in a retail store on Mar. 14, SkipRearm had no effect on extending the use of slmgr -rearm at all. This suggests that Microsoft has slipstreamed a new version into stores, eliminating the SkipRearm feature in Vista Home. That could mean that changing the key from 0 to 1 will now work only in the business editions of Vista — Business, Enterprise, and Ultimate — so corporations can use the loophole.
Where is the usage count of slmgr -rearm stored? Where is the usage count of SkipRearm stored? These bytes won’t be hard for expert users to find. The use restrictions may be easily lifted. If so, this would allow crooked PC sellers to truly create machines that would never need activation, ever.
The financial impact of SkipRearm on Microsoft
I’d like to repeat here that I’m not advocating that anyone use the above technique to violate Microsoft’s EULA or avoid paying for Vista. Any company that used SkipRearm to install Vista on multiple machines for as long as possible would have little defense against a surprise inspection by the Business Software Alliance. This coalition of software makers, which includes Microsoft, investigates reports of unlicensed software and obtains warrants to conduct audits.
As a journalist, my job is to report the facts. SkipRearm was specifically built into Vista to be used. Microsoft executives made Vista’s activation overly complex and cumbersome. So the development team apparently invented a Registry key to lift the burden of Vista’s activation deadline, for at least a year and probably more.
The technique is so powerful and basic, however, that hackers around the world may soon use the feature to install millions of extra copies of Vista without buying them. This could have a major impact on Microsoft’s revenues. The company’s employees and shareholders might want to be aware of this.
Product activation does little or nothing to stop mass software piracy. It’s become so convoluted, the way Microsoft has implemented it, that it’s more of an irritation to legitimate users than a worthwhile antipiracy measure. In my opinion, Microsoft should concentrate on legal action against true pirates instead of inventing more ways to drive honorable users bonkers.
I invite my readers to send me information about SkipRearm using the Windows Secrets contact page. I’d like to thank my program director, Brent Scheffler, for tirelessly testing SkipRearm dozens of times, and reader Reine T. for being the first to point out the use of SkipRearm to me. He’ll receive a gift certificate for a book, CD, or DVD of his choice for sending me a tip that I used.
Brian Livingston is editorial director of the Windows Secrets Newsletter and the co-author of Windows Vista Secrets and 10 other books.
Improving your Windows networking defaults
By Fred Langa
Free online tools can help speed your downloads and Web browsing. First, use a free connection analyzer to find out exactly what your optimum settings should be. Then, use a free tweaking tool to actually make the changes.
Optimizing your network connections
Windows Secrets reader "abcalvin" wondered about some of the less obvious settings Windows uses for its networking setups:
- "Depending on the type of connection — dial-up, broadband, etc. — some communications settings, such as ‘Max transmission unit,’ ‘TCP receiving window,’ ‘selective acks,’ and so on, have to be set for best results. What are these settings and how do we read the present settings, find the best values for the specific mode, and correctly set them?"
Windows uses generic default settings for its networking setups, and these settings usually work acceptably, but barely. Replacing the generic settings with settings that are custom tailored to your specific needs can yield a huge improvement in your online throughput speeds.
Several Web sites offer tools that can help you tune your online connections, but the one I use myself is Broadband Reports (formerly DSLReports). The site’s Tools section is a gold mine. The Speed Test will let you compare your actual upload and download speeds to other users so you can get an idea of how well (or not) your system is doing online. The Tweak Test analyzes your online connection and makes specific recommendations as to what your ideal settings should be. Then, to implement the recommendations, you can download and use the free Dr. TCP tool, which provides an easy-to-use front end for modifying all of Windows’ essential networking parameters.
Figure 1. The free Dr. TCP tool makes it easy to change Windows’ essential networking parameters.
It’s a great site. Highly recommended!
More on the Vista Express Upgrade
Today (Mar. 15) marks the end of the "Vista Express Upgrade" purchase program. Most Windows PCs purchased between Oct. 26, 2006 and today are eligible for a free upgrade to Vista. The only catches are: (1) You must submit your upgrade request and proof of purchase by the end of this month; and (2) the upgrade ordering process may not work very well, as was discussed in the Mar. 1 issue.
In my test case — trying to upgrade a new Acer laptop — I experienced almost a month of problems with the upgrade site, which prevented me from completing my order. Eventually, after a phone call to the site’s tech support also failed, I tried to contact Acer by e-mail (the only contact mechanism the company offers). After a delay of about a week, Acer responded by sending me back to the upgrade site. But this time, the site’s tech support was finally able to help. After several more rounds of e-mail, my upgrade CD supposedly will be on its way in four to six weeks. I’m not holding my breath, though.
Reader Charles Little asked an important question about the Vista upgrades:
- "I read your article on the Windows Vista Express Upgrade, and it was an eye-opening read! I do have one question: When you upgrade, do you get any way to reinstall if you have a catastrophic failure of your PC and have to reformat? Can you use this license on another PC?"
Most OEM (original equipment manufacturer) licenses tie a specific copy of Windows to the machine it came on. This means that you cannot legally move a copy of Windows to another PC. Instead, the Windows license follows that one machine for its lifetime. (See Paul Thurrott’s excellent explanation of Windows licensing.)
Licensing does allow for upgrades. If you have an original, OEM-licensed copy of Windows on your PC, you can upgrade it with a later version. The original version is the "qualifying product" that makes the upgrade legitimate. The upgrade inherits this legitimacy, but then remains tied to the original PC.
Because the Vista Express Upgrade program is an upgrade and not a brand-new installation of Vista, most vendors will simply send an upgrade CD. This means that you’d need a two-step process to do a complete restore of the PC’s software, using the vendor tools. First, you’d use the original restore process that came with the PC (usually a restore CD or a restore program on the hard drive) to return the system to its as-shipped setup. Then, you’d run the Vista upgrade CD again to install the new OS.
A computer vendor could, in theory, choose to send out a complete new Vista-based recovery CD. This would give you a one-step total restore of the new (upgraded) OS and all the software normally bundled with a brand-new PC. But in every case I’ve seen to date, an "upgrade" means that you get an upgrade CD, period. The upgrade CD extends, but does not replace, the PC’s original restore CD or process.
Two final notes: Most vendors’ total-system-restore procedures wipe out all user data, settings and changes when returning a PC’s software to its as-shipped condition. As a result, these restoration tools should be used only as a last resort. It’s much better and much safer to use some other backup technique that will let you restore not only the original system files, but also your personal data and modifications. (See the next item for more information on backups.)
Lastly, it may be possible to use an OEM upgrade CD to produce a clean install of Vista, just as if you were starting fresh, by using the technique Brian Livingston described in the Feb. 1 and Feb. 8 issues. This doesn’t affect the licensing, which remains tied to the original PC, but may be a way to produce a fresh, "clean" Vista setup.
The catch is that OEM upgrade CDs may or may not contain all the files in the retail upgrade CDs, and there’s no way to know in advance. So by all means try Brian’s technique if you wish, but (as always before any major work on your system) make a full backup first. That way, you can roll back your changes in the event that things don’t work out.
Backing up encrypted password files
Reader Fred Stone crafted a way to selectively back up his files of passwords and, in doing so, nearly created a complete, do-it-yourself backup system:
- "After reading your comments about RoboForm in the Jan. 4 issue, I decided it was worth my sanity to purchase. Since many of my passwords existed only in RoboForm, backup was a serious concern. My solution for backup: Copy the encrypted password files to another drive on a regular basis. I do it with a batch file [Note: The command that begins with c: should be all on one line—Ed.]:
echo Backup RoboForm File
echo Rev 20060404.0238
rem Remove oldest file
del J:\backups\robobkup\roboback5.zip
rem Shift all files up by 1
ren J:\backups\robobkup\roboback4.zip roboback5.zip
ren J:\backups\robobkup\roboback3.zip roboback4.zip
ren J:\backups\robobkup\roboback2.zip roboback3.zip
ren J:\backups\robobkup\roboback1.zip roboback2.zip
ren J:\backups\robobkup\roboback0.zip roboback1.zip
rem All files have been shifted. Begin backup
"c:\program files\pkware\pkzipc\pkzipc" -add -path=specify J:\backups\robobkup\roboback0.zip "C:\Documents and Settings\F W Stone\My Documents\My RoboForm Data\Default Profile\*"
echo RoboForm backup complete
"This batch file is executed at 2:55 a.m. as a scheduled task every Mon., Tue., Wed., Thur., Fri., and Sat. of every week."
Thank you, Fred. First: RoboForm (and many other password-management and form-filling utilities) lets you choose where to store the encrypted password information files. If you place the files in any location that’s a part of your server’s regular and routine backups (e.g., somewhere in your "My Documents" folder tree), the password files will automatically get swept up with all your other important and frequently changing files. This can circumvent the need to have a separate backup procedure just for the password files.
Second: I use a technique similar to yours, except that it’s a complete system backup that uses WinZip (instead of PKzip). It also employs a slightly more powerful script that renames the backup files based on their creation date and sequence. Having the creation date embedded in the file name makes it simpler to find one specific backup in a group of files.
The technique I use is fully explained in my article "Fast, Easy Backups," and the scripts that power the process are available for free download at the end of that article.
Worldwide responses to CD longevity article
Even after some 30 years of writing about PCs, I’m still surprised at some "hot button" topics that crop up unexpectedly. For example, I discussed "How to predict CDR and DVD-R longevity" in the Feb. 8 issue, and then, due to reader response, also ran "CD-Rs don’t survive freezing temperatures" in the Feb. 22 issue.
Even more reader mail poured in, leading to "Cold weather can damage hard drives" in the Mar. 1 issue. Like ripples on a pond, reader mail is still coming in from distant places like Finland and Greece.
First, from Finland, advice from a reader named Petri who knows something about cold weather:
- "I just wanted to reply to your article about condensation on hard drives. I am also transporting hard drives back and forth to work almost daily. I keep all my personal docs and other ‘personal junk’ in my portable hard drive. I have been doing that for years now, and I am using a simple trick to avoid condensation almost completely.
"Being born and raised in arctic conditions (Finland), and having hobbies like photography, condensation is something you see often on items brought inside from sub-zero temperatures, and it is not so good on cameras either. I am using big Ziplock bags to seal my hard drive in before I take it outside in cold weather. When you bring it back in, even from sub-zero temperatures, all condensation happens outside of the bag and your hard drive is ‘safe,’ as long as you let it warm up before opening the bag."
Thanks, Petri — good idea!
Next, from Greece, Theo has a question about backup tapes, and the longevity of other data storage media:
- "You have covered CDs and hard disks; still to discuss are floppies, Flash drives/memory cards, and backup tapes.
"As part of our disaster recovery policy, we ensure that tapes not in tape devices be offsite temporarily or permanently as much as practically possible. This means the tapes are daily potentially exposed to extremely low/high temperatures and humidity, as well as to possible rapid temperature and humidity changes.
"For what it is worth, I do not think that any backup problems that we have are related to humidity, low temperatures (tapes are brought into the office in the morning and will have reached room temperature by the time of the evening backup) or high temperatures (again, tapes are brought into the office in the morning, when temperatures are still relatively low.) Can you give me and other readers your thoughts?"
Tapes can last for decades, if properly cared for in controlled, archival environments. But in typical real-world office use, the life is much shorter. For example, cold temperatures can make the tape more susceptible to breaking, and high temperatures or high humidity can cause the adhesives that bind the magnetic oxides to the tape to change for the worse.
As a result, major tape manufacturers such as Imation recommend that tapes in routine use (i.e., not in archival storage in a controlled environment) be replaced every 100 uses or so. If you’re using the same tape every day, that’s only three or four months’ worth of use! The complete Imation Tape FAQ is good reading. And the Vidipax site has additional excellent information on the problems that can befall magnetic tape.
Floppies employ technologies much like tape: oxide particles bound to a flexible substrate. So, similar guidelines apply there.
Flash drives are new enough that there’s no definitive data on long-term life spans, but there are several indicators that suggest a maximum useful life of about 10 years or 10,000 write cycles, whichever comes first. If that’s the maximum life, then the safe life span for storing critically important data is probably three to five years. For more information, see my article "Life Expectancy Of Flash Drives."
And, in the interest of completeness — so you’ll have longevity data on all the most common archival storage media referenced together in this one issue — there’s good information on CD and DVD longevity in the National Institute of Standards and Technology’s "Digital Data Preservation Program." You can find additional information in my article "Consensus Emerging On CD/DVD Life."
Fred Langa edited the LangaList e-mail newsletter from 1997 to 2006, when it merged with Windows Secrets. Prior to that, he was editor of Byte Magazine and editorial director of CMP Media, overseeing Windows Magazine and others.
Hey, can you throw me a beer?
A recent graduate of Duke University is doing a lot with his Ivy League education. In homage to his college days, John Cornwell — who works as a software engineer in Atlanta, Georgia — created a refrigerator that can toss a beer to him while he sits on his couch.
The remote-controlled machine, fashioned out of a mini-fridge and a catapult arm, can hold 10 cans of beer and propel them up to 20 feet. It’s not rocket science, but it’s pretty darn cool — not to mention great for game days!
Monitoring your children's Internet use
By Mark Joseph Edwards
The Internet is useful, and fun, as long as you keep it safe. Kids are bound to be attracted to the Internet, and many of them like to chat with and e-mail friends, as well as make new friends. This week, I’ll tell you how to monitor their instant-messaging use to ensure your children aren’t falling into a predator’s trap.
Tracking instant-messaging conversations
Keeping children safe on the Internet can be a challenge. There’s no substitute for parental tutoring, but sometimes software can help when you’re not around. Your child could be lured into a conversation with a sexual predator through Web site forums, e-mail messages, or instant messaging chat rooms. Obviously, that’s very dangerous. How can you find out what’s happening when you’re not there to watch? Jamie wrote to ask about software that can help:
- “Is there a way for a parent to trace what their pre-teen has been saying on instant messenger, after the program has been closed?”
There are several tools available, Jamie. I know of two for standalone computers. The first is Instant Message Grabber, which records conversations to the computer disk. You can configure a password that is required in order to access the conversation logs. The product costs $34.95.
The second tool is ChatChecker, which lets you record instant messaging sessions to a remote server operated by Imbrella Software. You then log in to the company’s Web site to review the conversations that have been captured. Imbrella provides their tool free of charge (for now, anyway) for use on a single PC.
When does your security software begin to operate?
When you install security software, such as a firewall and antivirus software, you probably expect it to become active right away. But that isn’t always the case. Roger Harder wrote to ask about this:
- “Just wondering what protection is offered by 3rd-party antivirus, firewall, and spam filters between turning on the computer and actually logging in? My wife and I often turn on the computer to use it but may not log in until some time later. Is this an issue or not?”
Roger, it depends on how your security software operates. If it installs itself as a Windows service, then it should start when the system boots up. But if it’s only a desktop application, with no supporting Windows services, then it won’t start to operate until your desktop loads, which of course means that your system isn’t protected when you’re not logged in.
If you’re not using security software that operates as a Windows service, then you should probably switch to software that does operate as a service. Check the product information and manuals for your software to learn how it operates, and if you can’t find that particular information in the documentation then ask the vendor’s support team.
Quarantine protects everyone’s computers
Many businesses, schools, and even some free wireless hotspots require computers that connect to their networks to meet minimum security standards. This helps protect everyone else’s computers from malware. Computers that don’t meet the standards are placed into quarantine, which basically means they have limited network connectivity and can only access software updates, software installation packages, and information on how to bring the system into compliance. Rob Collins writes to ask about whether quarantine is worth the effort:
- “Our IT department at Auburn University has just laid down the law concerning admission to the network: All PCs must run Windows XP and have Cisco Clean Access installed.
“I’m not trying to get you to second guess our gurus, but I was probably not the only one surprised by this sweeping measure. I know nothing about Clean Access, and was wondering whether there might be performance issues caused by it. Does it intrude into the routine operation of the OS, as some of these things do, or is it smarter than that?”
Rob, Cisco’s Network Admission Control Appliance (formerly Cisco Clean Access) will introduce preliminary performance issues, as does any software that needs to read and write data to and from the system. However, overall, the software probably doesn’t bog down a system unnecessarily.
One big issue I do see with this tool is that you must give up some amount of control over your computer. Depending on how the school configures its use of Cisco NAC, the administrator of the school network could either force changes into your systems or let you decide to make the changes yourselves.
Another issue is whether the tool will recognize your preferred security solutions. For example, it might not recognize your particular antivirus solution, or your particular firewall. In those cases, you’d have to either switch to an approved solution or coax the staff into adding recognition for your software.
Overall, this sort of technology makes good sense for businesses, but I don’t like network access control measures that affect private computers. Therefore, I’d find a way around it somehow. But keep in mind that’s only my opinion; yours could be different.
I did notice on the Auburn University Web site that Mac, Linux, and PDA devices won’t be required to pass Cisco NAC, so you can use any of those if you find the requirement unbearable.
Another alternative would be to use a “live Linux CD,” which lets you boot up a Linux desktop from a CD without having to install Linux. A good one to look at is the Ubuntu LiveCD or, if you prefer a different live CD, then check out the lengthy Live CD List at Frozen Tech.
ZoneAlarm’s new Secure Wireless Router Z100G
ZoneAlarm is widely known for its software-based firewall products. Now the company has a hardware device that offers built-in security. Sarah Eastman writes to ask whether it’s worth the price:
- “I would like your comments on the new ZoneAlarm Wireless Router Z100G. Is it worth the $149 to switch to that from our Linksys Wireless B for our 2-computer home network? My laptop has ZoneAlarm Security Suite, the update for which expires in a few days. ZoneAlarm’s offer for its router has been extended to March 18, 2007. Does this suggest a lack of interest in the router?”
Sarah, if you like ZoneAlarm security products, then maybe switching is a good idea. The device offers a stateful inspection firewall (which is better than the typical firewall found in wireless routers today), antivirus software, intrusion detection, and other nifty features like remote desktop control.
However, in order to keep your firewall and antivirus up to date, it’s going to cost you $69.95 extra per year. And, if you want to have more than five computers protected by the security features, then you must upgrade to a 15-user license, which costs $99.95. So, the $149 wireless router with built-in security could actually cost you roughly $250 plus $70/year.
The upside is that it’s a router, which means that it sits at the border of your network and will offer all of its protection to your entire network as long as the number of computers on your network doesn’t exceed your ZoneAlarm license. This could save you money in the long run. It also makes maintenance a bit easier since there’s only one device that needs updates — as opposed to updating all your computers.
Read the feature comparison guide and read the FAQ (linked at the same URL) to get enough information to make a more informed decision.
Norton 360 may cause problems with Internet
Symantec’s Norton 360 “all-in-one” security solution is a decent offering and costs about $80. But sometimes the company’s “total protection” might go too far for your liking. Jim Ward wrote to tell us about his experience:
- “My Norton Internet Security software expired, so I bought and downloaded Norton 360 based on their e-mail promising wonderful things and even 3 licenses, all for $40. I installed it on my Dell Dimension 4600 running XP Home and soon regretted it. The app borked my broadband Internet connection by installing browser helper objects (BHOs) in both of my browsers (IE 7 & Firefox 2.0), and the suite refused to offer me their definition of ‘total protection’ because I won’t blindly accept Windows updates automatically.
"I uninstalled the Norton 360 and requested a refund to my credit card, which was processed quickly. The BHOs were also uninstalled and my Internet connection returned to normal. I then downloaded and installed the trial version of NOD32 and am happy with it. I’m wondering if anyone else has had a similar experience.”
Thanks for sharing your experiences, Jim. I personally haven’t experienced a similar situation since I don’t use Norton 360. However, some of our readers may have, so those of you who have experienced problems with Norton 360 please send us details. Meanwhile, if anyone is interested in NOD32, you can find it at ESET’s Web site.
Your computer only needs one version of Java
Sometimes, when you install a newer version of a software package, the previous version isn’t uninstalled. You wind up with several versions, even though you might only use one of them. Irving Gold wrote to ask about this situation:
- “When I go to the Windows Control Panel, Add/Remove Programs, I see a list of Java 2 through Java 9. Each program takes up about 200M of disk space. I would like to reclaim some of this space, so my question is can I safely remove/uninstall earlier versions of Java (2 through 8) without causing damage?”
Irving, the answer is yes. You can remove older versions of Java without causing any problems. There is, however, the outside chance that removing an older version of Java might break one of your applications that relies on that older version.
If you’re certain that you only use Java with your browser and not with any other desktop applications, then you should be safe from that potential problem. On the other hand, if removing an older Java version does break an application, the simple fix is to reinstall the broken application or upgrade it to the latest version.
Citrix shortcut-key mapping can break functionality
Citrix is a great virtual-terminal program that makes distributed-application access easier to deploy and use. But, like any software, sometimes updates change functionality and that can lead to plenty of frustration. Ted Johnston wrote to tell us about his experience:
- “Based upon a security alert, I just updated to the Citrix 10.0 client. What a mistake. I have an application running on my Citrix farm with the shortcut Shift-F12 to enter the development environment. When I issue this command, Citrix wants to expand to full screen. It tells me that it will pass the command to the app once it is in full-screen mode.
"Here’s the rub. I have a laptop with a 1280 x 800 panel and an external panel running at 1280 x 1024. When the new client wants to go full screen, it expands past the size of both monitors. The start bar is hidden and no scrolling is enabled. I have to get out using Task Manager to kill the Citrix client. As I use this command regularly, I’ve had to downgrade to a previous client to fix the problem. If you know how to stop this behavior in 10.0, please let me know.”
Ted, you might try remapping keyboard shortcuts to disable the Shift-F12 functionality, which will probably let Citrix send the keystroke directly to the application. Review the Citrix article, “How to Enable or Disable Hotkeys within an ICA file,” (CTX140219) on its support site for exact details on remapping keyboard shortcuts.
How can I speed up Vista’s new interface?
Vista’s new Aero interface looks really slick. But you pay a lot for that slick look in terms of performance. For some people, it’s just not worth the overhead. Guillermo Puertino wrote to ask about Aero performance:
- “I like the Aero interface, but is there any way to make it faster without buying new equipment? I can’t afford that right now.”
Guillermo, the easiest and quickest way to speed up the Aero interface is to choose a different theme that doesn’t make use of Aero’s transparent "glass" effects and window animations. Choose the Windows Vista Basic theme, which has none of the spiffy visual effects. Or, if you have the Vista Home Basic version, choose the Windows Vista Standard theme, which still looks like the Aero interface but operates without the visual effects. To change your theme, follow these steps:
Step 1. Right-click on the desktop and select Personalize.
Step 2. Select Windows Color And Appearance.
Step 3. Scroll through the Color Scheme list to find your preferred theme, select it, and close the dialog window.
Mark Joseph Edwards is a senior contributing editor of Windows IT Pro Magazine and writes the weekly email newsletter Security UPDATE. He’s a network engineer, freelance writer, and the author of Internet Security with Windows NT.
The missing Microsoft patches, part 1
By Chris Mosby
On the heels of a major Daylight Saving Time patch, Microsoft announced that it would not release any security patches for the month of March. While the security community is wrapped up with rumors of Vista patching problems, older Windows operating systems still have plenty of flaws that need fixing.
Print Spooler service can cause DoS
The Print Spooler service in Windows (spoolsv.exe) is vulnerable to a remote denial of service (DoS) attack. The flaw could allow a hacker to use up almost all available memory on a computer by sending an RPC (Remote Procedure Call) request. No administrative rights are required to use this exploit, and there have already been three publicly available exploits released for the flaw since it was discovered.
This flaw was first discovered in November 2006 and has been confirmed on a fully patched Windows 2000 system. Other operating systems may also be vulnerable, but so far there has been no evidence of this since the flaw was discovered.
What to do: Exploiting this flaw requires a hacker to have access to your computer over a network or the Internet. To protect yourself, one option is to disable the Print Spooler service. This can be done as follows:
Step 1. Click Start, and then click Control Panel. Alternatively, point to Settings, and then click Control Panel.
Step 2. Double-click Administrative Tools.
Step 3. Double-click Services.
Step 4. Double-click Print Spooler.
Step 5. In the Startup type list, click Disabled.
Step 6. Click Stop, and then click OK.
Please note that doing this will prevent your computer from being able to print at all. You don’t need to take this drastic measure if you’re using Brian’s Security Baseline. Your hardware and software firewalls should isolate you from the threat automatically by blocking the ports the exploit uses.
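The six steps above can also be scripted. The following PowerShell function is an added example, not part of the original column: it sets the Print Spooler startup type to Disabled, stops the service, and then verifies the result. It assumes an elevated PowerShell 3.0 or later prompt and the service short name `Spooler`; the function name `Disable-PrintSpooler` is hypothetical.

```powershell
# Added example, not from the original column. Run from an elevated prompt.
# Assumes Windows PowerShell 3.0+ and the service short name "Spooler".
function Disable-PrintSpooler {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$ServiceName = 'Spooler'
    )

    $svc = Get-Service -Name $ServiceName -ErrorAction Stop

    # Stopping the spooler also stops anything that depends on it,
    # so report running dependents before making the change.
    $dependents = $svc.DependentServices | Where-Object Status -eq 'Running'
    if ($dependents) {
        Write-Warning ("These running services depend on {0} and will be stopped too: {1}" -f
            $ServiceName, ($dependents.Name -join ', '))
    }

    if ($PSCmdlet.ShouldProcess($ServiceName, 'Set startup type to Disabled and stop the service')) {
        # Step 5: Startup type -> Disabled (the service will not start at next boot).
        Set-Service -Name $ServiceName -StartupType Disabled

        # Step 6: stop the running instance now.
        if ($svc.Status -ne 'Stopped') {
            Stop-Service -Name $ServiceName -Force
        }
    }

    # Verify from the service database rather than trusting the commands above.
    $after = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    [pscustomobject]@{
        Name      = $after.Name
        StartMode = $after.StartMode
        State     = $after.State
        Mitigated = ($after.StartMode -eq 'Disabled' -and $after.State -eq 'Stopped')
    }
}

# Dry run: shows what would change and reports the current state.
# Remove -WhatIf to apply the change.
Disable-PrintSpooler -WhatIf

# To undo later:
#   Set-Service -Name Spooler -StartupType Automatic
#   Start-Service -Name Spooler
```

With `-WhatIf` nothing is changed, so `Mitigated` reflects the machine's current state; it reads `True` only once the service is both disabled and stopped.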
More information: CVE-2006-6296, eEye, US-CERT, ISS, SecurityFocus, FrSIRT, SecurityTracker, Secunia
PowerPoint still unpatched for DoS
PowerPoint 2003 has a flaw that causes the program to fail to check the input of PowerPoint (PPT) files. A hacker can exploit this by getting a user to open an infected PPT file, which can then cause a Denial of Service (DoS) in PowerPoint. This flaw has been confirmed in Office 2003, but other versions may also be vulnerable.
Microsoft first acknowledged this problem in a Microsoft Security Response Center (MSRC) blog entry on Oct. 12, 2006. This post initially reported that the flaw would allow infected code to run if a user opened an exploited file. Microsoft then retracted this statement in a later blog post on Nov. 11, 2006, saying that the flaw could only cause a DoS, and that the company didn’t consider it to be a security vulnerability.
What to do: Since Microsoft doesn’t consider this to be a serious flaw, I doubt that a patch for this is going to be released anytime soon. In the meantime, don’t open PowerPoint files that you receive from sources you don’t trust, or that you receive unexpectedly from trusted sources.
This is a good practice when dealing with e-mail attachments of any kind. I’m sure we’ve all gotten those cute PowerPoint files with jokes and/or pictures. Personally, I don’t even consider opening them, no matter whom they’re from.
More Information: CVE-2006-5296, ISS, SecurityFocus, OSVDB, FrSIRT, SecurityTracker, Secunia, eEye
The Over the Horizon column informs you about threats for which no patch has yet been released by a vendor. Chris Mosby recently received an MVP (Most Valuable Professional) award from Microsoft for his knowledge of Systems Management Server. He runs the SMS Admin Store and is a contributor to Configuring Symantec Antivirus Corporate Edition.
Server 2003 Service Pack 2 is released
By Susan Bradley
So you thought March’s “lack of security patches” would allow you to snooze through the month? Guess again. Windows Server 2003 Service Pack 2 was suddenly and without warning thrown at us this Tuesday. For us admins, this means we have a lot of work to do.
Solving the riddle of the SP2 release
Microsoft announced on Mar. 8 that there would be no new security patches this month. I thought today’s Patch Watch column would be all about the impact of Daylight Saving Time. Then, when W2K3 Service Pack 2 (SP2) was announced on the Windows Server blog — and the download showed up on the download site — I was extremely surprised. No rest for the weary!
The MSRC (Microsoft Security Response Center) has never considered service packs to be security patches. But service packs are definitely security-related in my mind, whether MS chooses to call them that or not.
The unexpected release has been rather confusing, especially as I’m still bleary-eyed from the time change. The release notes state that if you applied IE 7 after installing Windows Server 2003 SP1 (and who wouldn’t have?), you now need to uninstall IE 7 before you install SP2.
Let me state that again: Before installing SP2 on your Windows 2003 servers, you must uninstall IE 7 if you previously installed IE 7 after Windows 2003 SP1.
I personally don’t uninstall updates willy-nilly. To offer up a patch on Microsoft Update that requires uninstallation of software that was previously offered on the same site seems downright silly.
I normally wait to install service packs until I’m convinced that there are no major problems. I certainly will not be installing SP2 the week of this "patchless" Patch Tuesday. I think I’m going to follow Woody Leonhard’s advice from the May 11, 2006, newsletter, which is to turn off Automatic Updates this month, take a break, and come back next month with a report on SP2. I think I should have followed his advice sooner and not allowed IE 7 to install on my server, but, oh well.
My advice for all of you seeing SP2 offered up to your servers? Wait.
Vista, Media Player 11, and XP get fixes
Vista received another compatibility update, KB 932246, which includes compatibility fixes for Trend Micro and the Windows 2003 SP1 admin tools pack, among others.
Media Player 11 also got an update in KB 929399. The interesting thing was that this was offered up to me on a system that had only Windows Media Player 10 installed. I’m going to pass on that update for now while I investigate why a machine running Windows Media 10 thinks it needs a Media Player 11 patch.
Finally, XP got a BSoD (Blue Screen of Death) prevention patch in KB 929338, which you’ll see offered to XP SP2 machines.
DST spells trouble for Outlook
For most of you, the biggest impact of the Mar. 11 Daylight Saving Time (DST) change in the U.S. was that your appointments were an hour off in Outlook, even though your computer was displaying the right time.
For most of those who were impacted, this was caused by not running the Outlook "rebasing" tool. This utility looks at the appointments in your calendar and allows you to move them to the proper time. You can download the tool from the Microsoft download site.
The DST blog also covers additional issues that may occur with BlackBerrys and appointments.
The next biggest symptom folks have seen is that their all-day appointments now extend over two days, rather than one. This, again, is due to installing the required patches, but omitting the offset or "rebasing" tool. While the patches will keep you in sync from now on, they have no effect on preexisting appointments and calendar events. Go get the Outlook rebasing tool to adjust these.
How to fix DST patches that didn’t work
If you were one of the unlucky ones who patched, but the time zone change didn’t take effect, follow the DST2007 blog’s advice on standalone systems. Just open up the Control Panel, manually adjust your time zone to the new time zone, click Apply, and then change back to the original time zone. This is, in fact, the same thing I had to do on my cell phones to get them to take the patch. I was very happy to see the notice that my Windows Mobile phone was updated.
Making sure databases weren’t impacted by DST
If you have an application that runs on a database, you may want to take extra steps to ensure that it handled the DST change properly. The DST2007 blog reports that databases running on Microsoft’s SQL Server may not provide proper historical data. If you have an application that relies on a standalone database and is not embedded in the software, you may want to review the impact with your vendors.
DST change impacts many applications
Applications that use the TZ (Time Zone) variable may not operate properly and may need an additional Time Zone patch. KB 932590, released on Mar. 9, is available for applications that use the Microsoft C Run-Time (CRT) Library. This is in addition to the operating system patches. You may wish to contact your vendors should you experience any issues in their applications.
SharePoint DST patch has a flaw
For those folks who are running SharePoint servers (including users of Small Business Server 2003), I found a problem with the patch just before Daylight Time took effect in the States. Items that use the date or time field are off by one hour. In addition to applying the patch in KB 933738, you’ll need to run a script to fix SharePoint.
Because of the impact on Small Business Server (SBS) boxes, I blogged about the issues that one SBS consultant had with this script. You have to look in the Add/Remove control panel of your server to determine the prior SharePoint patches that impacted the DST calculation. This could be KB 927878, 929189, 930103, 930476, 930773, or 932057. See which one is the earliest "installed on" date and use that value in the script that I indicated in the blog.
Check the automatic time-adjust box
On my very own patched server at home, I found that the check box to automatically adjust for Daylight Time wasn’t checked. The server was still functioning and the workstations were still working. One check in a box later, so was the time on my server. If you find a computer not in sync, you may want to look at that check box. See Figure 1.
Figure 1. If your Date and Time Properties are not being adjusted for Daylight Saving Time, your system will be an hour off whether you’ve installed Microsoft’s DST patches or not.
DST patching is a ‘learning experience’
I have to apologize to those Windows Secrets readers outside the U.S., who don’t go by the same calendar that I do, for all of the DST patch information you’ve had to endure this week. But, while you may not need to run any of the confusing rebasing tools, you do still need to apply the patches so your computers can interact with calendars and events in the various time zones that were affected.
The bad news is that this DST time change might only be temporary. The U.S. government could decide the experiment didn’t save energy at all and revert back to the old schedule. I’m pooped, and I’ll definitely cry "uncle" if they make this decision.
This experience has revealed some of my patching weaknesses. I don’t have a good way to patch cell phones that run "smart" operating systems. And while Outlook 2007 was built to handle the time change, the need for Outlook 2003 and previous versions to use an adjustment tool makes me hope not to have to go through this again!
The Patch Watch column reveals problems with patches for Windows and major Windows applications. Susan Bradley recently received an MVP (Most Valuable Professional) award from Microsoft for her knowledge in the areas of Small Business Server and network security. She’s also a partner in a California CPA firm.
Publisher: AskWoody LLC (woody@askwoody.com); editor: Tracey Capen (editor@askwoody.com).
Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. AskWoody, Windows Secrets Newsletter, WindowsSecrets.com, WinFind, Windows Gizmos, Security Baseline, Perimeter Scan, Wacky Web Week, the Windows Secrets Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of AskWoody LLC. All other marks are the trademarks or service marks of their respective owners.
Copyright © 2025 AskWoody LLC, All rights reserved.
