Follow Safe Internet Practices
My last trip around the Internet because of a supposed Active Server Pages (ASP) bug shows the importance of reading and following safe Internet practices. The excitement started with an email from a friend warning me of the ASP security leak, ::$DATA. Supposedly, you could use ASP to read confidential credit card information. My previous experience with Windows NT has been that its security is frustratingly solid if you follow recommended guidelines. Thus, I wanted proof of this bug.
My friend provided me with an example site, and I visited it. I was able to reveal the ASP code. I asked my friend whether he had turned off Read permissions on the directory. He assured me that he had disabled it. So I had someone visit one of my company's internal sites. That person encountered the Access denied message. I advised my friend to check his directory permissions again. Sure enough, he discovered that Read permissions were enabled.
You cannot read ASP code if you disable Read permissions on the folder. In a development environment, you probably want to enable Read and Execute permissions. In a production environment, you definitely want to disable Read and Execute permissions.
Securing an NT server isn't complicated. Microsoft documentation tells customers how to follow safe Internet practices. Although going over directory permissions is tedious, it's absolutely essential.
Deborah Hughes
hughed2@tdbank.ca
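An added example, not part of the letter above: a Python check that scans IIS logs in W3C extended format for requests ending in ::$DATA and reports whether the server returned the file or refused it, which is the difference between the two sites described. The log lines are constructed, and reading a 2xx status as disclosure and any other status as blocked is an assumption.

```python
import re
from urllib.parse import unquote

# Constructed sample in IIS W3C extended log format (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server
#Fields: date time c-ip cs-method cs-uri-stem sc-status
1998-07-02 10:01:11 192.0.2.10 GET /shop/default.asp 200
1998-07-02 10:01:15 192.0.2.10 GET /shop/checkout.asp::$DATA 200
1998-07-02 10:02:40 192.0.2.77 GET /intranet/orders.asp%3A%3A%24data 403
1998-07-02 10:03:02 192.0.2.77 GET /images/logo.gif 200
"""

# The stream suffix is matched case-insensitively at the end of the URI.
STREAM_SUFFIX = re.compile(r"::\$data\s*$", re.IGNORECASE)

def decode_fully(value, max_rounds=3):
    """Undo up to max_rounds layers of percent-encoding (%3A%3A%24DATA)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_stream_requests(log_text):
    """Return (client, uri, status, verdict) for each ::$DATA request."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column names for the rows that follow
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        uri = decode_fully(row.get("cs-uri-stem", ""))
        if not STREAM_SUFFIX.search(uri):
            continue
        raw = row.get("sc-status", "")
        status = int(raw) if raw.isdigit() else 0
        # Assumption: 2xx means the file body was served (Read enabled).
        verdict = "SOURCE DISCLOSED" if 200 <= status < 300 else "blocked"
        hits.append((row.get("c-ip", "?"), uri, status, verdict))
    return hits

if __name__ == "__main__":
    for client, uri, status, verdict in find_stream_requests(SAMPLE_LOG):
        print(f"{verdict:16} {status} {client} {uri}")
```

Any "SOURCE DISCLOSED" row points at a directory whose Read permission should be rechecked.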
How to Optimize WINS Network Traffic
For every NetBIOS name that you register with a Windows Internet Naming Service (WINS) server, the registration at client startup will take two frames. Although two frames might not sound too bad, the frames add up quickly. You'll use two frames for renewal (every 3 days by default), two frames for name resolution every time you attempt to access the server with another computer, and two frames to release the name when the service or client stops. If you want to reduce this network traffic, here are some techniques you can try.
The first traffic reduction method is to disable unnecessary network services. Services that support NetBIOS automatically register with WINS. So if you never use a particular service but leave it enabled, you're creating unnecessary network traffic.
The second traffic reduction method is to change the length of time the NetBIOS name stays in the name cache. By default, after WINS resolves a NetBIOS name, the name stays in the cache for 10 minutes (600,000 milliseconds). If you increase this value, WINS makes fewer resolution attempts for frequently used names. To increase the value, go to the Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\CacheTimeout. The default value is 600,000. What you increase the value to is your preference.
The third traffic reduction method is to use the LMHOSTS file. LMHOSTS uses a static ASCII text file to resolve NetBIOS names into IP addresses. For a server that users frequently access, you can preload the server's entry from the LMHOSTS file into the NetBIOS name cache. Preloading eliminates network traffic during name resolution, because the name is permanently in the NetBIOS name cache. One word of caution about using the LMHOSTS file: The LMHOSTS file is not dynamic like WINS. As a result, if you bring a new server online, you need to manually add its entry to the LMHOSTS file.
One traffic reduction method that I don't recommend is to adjust the renewal rate, or Time to Live (TTL), of registered names. WINS renewal doesn't generate much traffic, so the default of 6 days is adequate. However, if you have a good reason for changing the TTL, you can adjust the renewal interval in WINS Manager. The Microsoft implementation of WINS configures the client computers to automatically renew their registered names every one-half of the TTL, or every 72 hours. Thus, if a WINS client registered six names for various network services at startup, it renews these same six names every 72 hours.
Tommy Gustafsson
t.gustafsson@norrkoping.mail.telia.com