Ask the Doctor - 28 Jun 2000

Here are some tips for securing your network from infected message attachments, identifying potential Win2K upgrade problems, bypassing a bizarre error message, tricking DNS Manager, and navigating the command line.

Sean Daily

June 28, 2000


SEND US YOUR TIPS AND QUESTIONS.
For answers to more of your Windows 2000 and Windows NT questions, visit our online discussion forums at http://www.win2000mag.com/support.

The Love Bug virus, which propagates by sending email with VBScript attachments to all the addresses in your Microsoft Outlook address book, infected my company. Unfortunately, our antivirus software didn't have a signature file that could detect the virus. I'm concerned that a new virus using the same methodology might inflict similar damage. Do other methods exist for dealing with message attachments?

Many antivirus products can't detect a new virus unless the developer has provided a virus signature update. Additionally, the new breed of script-attachment viruses are especially dangerous because they're destructive and easily mutated. Within a few days of its initial appearance, Love Bug had three new variants—Mother's Day, Joke, and Virus Alert. By the time you read this column, dozens more variations will probably be circulating.

Because anyone can easily read and edit the virus code, and because legions of capable Visual Basic (VB) programmers inhabit the world, network administrators must control how email attachments reach users. You can configure security settings on the client, the server, or both.

On the client side, Microsoft and other email software vendors have issued software updates to improve the security surrounding email attachments. For example, Microsoft has provided updates for Outlook 2000—both in standalone form and bundled with Office 2000 Service Pack 1 (SP1)—that enforce new attachment-handling behavior. These new options take the form of clearer and more explicit dialog-box warnings to users when they attempt to open attachments, and modified attachment-handling behavior, such as forcing users to save attachments to disk rather than letting them open the attachments directly from an email message. Another update prevents worm viruses such as the Love Bug virus from utilizing the Outlook Address Book to propagate the virus to other users. You can find these patches—and information about how to use them—at http://www.microsoft.com/outlook/.

However, relying solely on users or their email clients to properly handle attachments isn't adequate for most companies. Some antivirus vendors simply treat all .vbs files as viruses. However, this strategy also has drawbacks. For example, some backup programs will fail while attempting to back up legitimate .vbs files, such as those that Windows 2000 includes. Although antivirus software is certainly a "must have," I strongly recommend that you also use server-side filtration software to control email attachments. Programs such as Content Technologies' MAILsweeper (formerly MIMEsweeper) and GFI's Mail Essentials for Exchange/SMTP let you create policy-based security for your mail server. For example, you can define a policy that instructs the server how to handle particular types of attachments, such as the VBScript files that Love Bug uses. MAILsweeper's policy-oriented technology also lets you monitor other aspects of your email system, such as employee confidentiality breaches, offensive messages, unsolicited commercial email (UCE), and compliance with other email policies in your organization. For a list of content-control tools, see http://www.slipstick.com/addins/content_control.htm.
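The kind of server-side attachment policy described above can be sketched in a few lines. This is an added example, not code from MAILsweeper, Mail Essentials, or the original column: the policy table, the action names, and the sample message are assumptions, and only the .vbs entry comes from the article.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Hypothetical policy table: only .vbs comes from the article; the other
# extensions and the action names are assumptions for illustration.
POLICY = {".vbs": "quarantine", ".vbe": "quarantine", ".js": "quarantine",
          ".wsf": "quarantine", ".exe": "quarantine"}

def effective_extension(filename):
    """Extension Windows will act on: the last suffix, lower-cased, after
    dropping trailing dots and spaces, which Windows ignores."""
    name = filename.strip().rstrip(". ").lower()
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""

def evaluate(raw_bytes):
    """Return [(filename, action, reason)] for every named MIME part."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    verdicts = []
    for part in msg.walk():
        name = part.get_filename()
        if part.is_multipart() or not name:
            continue  # containers and unnamed body parts carry no file
        ext = effective_extension(name)
        action = POLICY.get(ext, "deliver")
        if action == "deliver":
            reason = "extension not in policy"
        elif name.count(".") > 1:
            reason = f"{ext} hidden behind a decoy extension"
        else:
            reason = f"{ext} blocked by policy"
        verdicts.append((name, action, reason))
    return verdicts

def build_sample():
    """Constructed test message; addresses and filenames are made up."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "alice@example.com", "bob@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    msg.add_attachment(b'MsgBox "hi"', maintype="application",
                       subtype="octet-stream", filename="NOTES.TXT.vbs")
    msg.add_attachment("plain text", filename="readme.txt")
    return msg.as_bytes()

if __name__ == "__main__":
    for verdict in evaluate(build_sample()):
        print(verdict)
```

Because the decision is made on the filename the client will act on rather than on a virus signature, the same rule catches a renamed variant that no signature file yet covers.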

I'm planning a Windows 2000 upgrade. However, I suspect that I might experience compatibility problems with my existing system because of the age of some of my hardware and software. How can I identify potential Win2K upgrade problems?

To determine whether your system is ready for a Win2K upgrade, visit the Upgrading to Windows 2000 page of Microsoft's Web site (http://www.microsoft.com/windows2000/upgrade/default.asp). This page provides several resources for would-be upgraders, including the following:

  • General system-hardware requirements

  • The Windows 2000 Hardware Compatibility List (HCL)

  • A searchable database that lists Win2K-compatible software

  • Win2K-compliant driver updates for various hardware devices and links to the manufacturers' Web sites

  • Win2K BIOS compatibility information and BIOS updates

  • Technical documentation that describes steps you'll need to take when you upgrade from various OSs to Win2K

If you already have the Win2K software, you can run Setup in a special mode that doesn't actually install the product but instead inspects your system configuration and attempts to identify any potential incompatibilities between your system and Win2K. (This check also automatically occurs during the usual Win2K installation process.) To run Setup in this mode, launch the winnt32 Setup program, which resides in the CD-ROM's i386 folder, with the /checkupgradeonly switch (e.g., D:\i386\winnt32 /checkupgradeonly). Running this program launches the Windows 2000 Readiness Analyzer, which Figure 1 shows. This utility analyzes the system and reports any incompatible components. You can obtain additional information about each conflicting component and save the compatibility report to disk.

If you don't already have the Win2K software, you can download the Windows 2000 Readiness Analyzer utility as a standalone component. Go to the Check Hardware and Software Compatibility page of Microsoft's Web site at http://www.microsoft.com/windows2000/upgrade/compat/default.asp.

My company has several subsidiary companies, all of which have unique company and DNS domain names. These companies all use the same server for their Internet-accessible services (e.g., Web servers, FTP servers, DNS servers). Therefore, I often need to create new DNS zone files that are essentially identical to those that already exist, with the exception of the domain name portion (e.g., mycompany.com). Using Windows NT's DNS Manager utility to recreate these files from scratch is tiresome. Do you know of any tricks I can use to speed up this process?

To easily duplicate DNS zone files and substitute the correct domain name for the new zone file, you can trick NT's DNS Manager. To duplicate an existing zone file and its record contents to a new zone, run DNS Manager and begin creating the new domain and zone file (i.e., select the server name and choose New Zone from the DNS menu). This process launches the Create New Zone wizard. In the first dialog box, the wizard asks you to choose whether this zone is primary or secondary. Click Primary, then Next. The second dialog box, which Figure 2 shows, asks you to name the domain and provide the name of the DNS zone file that contains the records. To trick DNS Manager, type the new domain in the first text box but override the default zone name in the second text box (e.g., newdomain.com.dns) with the name of the existing zone file for the domain you want to duplicate (e.g., existingdomain.com.dns).

After you select Finish to complete the wizard, DNS Manager will have created a new zone file for the new domain name. However, DNS Manager also will have automatically copied all records from the existing zone file and renamed all records that reference the root domain name (e.g., SOA, A, MX) so that they now reference the new domain name. Although you still need to check the data values in the right column to ensure that they're accurate for each record in the new domain, this handy tip lets you easily copy zone data from one domain to another through the DNS Manager GUI.
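The final check recommended above, reviewing the data column of the copied zone, can be partly automated for records whose data is a host name. The following is an added example, not part of the original column or of DNS Manager: the zone text is constructed sample data in standard master-file syntax, and the function name is hypothetical.

```python
RECORD_TYPES = {"SOA", "NS", "A", "MX", "CNAME", "PTR", "TXT"}

# Constructed zone data for newdomain.com (not DNS Manager output).
SAMPLE_ZONE = """\
; zone copied from existingdomain.com.dns
@    IN  SOA  ns1.newdomain.com. admin.newdomain.com. (
              1 3600 600 86400 3600 )
@    IN  NS   ns1.newdomain.com.
@    IN  MX   10  mail.existingdomain.com.
ns1  IN  A    192.0.2.53
www  IN  A    192.0.2.80
ftp  IN  CNAME  www.existingdomain.com.
"""

def stale_references(zone_text, old_domain):
    """Return [(line_no, record_type, value)] for record data that still
    names the old domain or a host inside it."""
    old = old_domain.lower().strip(".")
    findings = []
    for line_no, raw in enumerate(zone_text.splitlines(), 1):
        line = raw.split(";", 1)[0]              # drop comments
        tokens = line.replace("(", " ").replace(")", " ").split()
        if line[:1].strip():                     # column 1 holds the owner name
            tokens = tokens[1:]
        idx = next((i for i, t in enumerate(tokens)
                    if t.upper() in RECORD_TYPES), None)
        if idx is None:
            continue                             # blank or continuation line
        rtype = tokens[idx].upper()
        for value in tokens[idx + 1:]:           # the data (right) column
            name = value.lower().rstrip(".")
            if name == old or name.endswith("." + old):
                findings.append((line_no, rtype, value))
    return findings

if __name__ == "__main__":
    for finding in stale_references(SAMPLE_ZONE, "existingdomain.com"):
        print(finding)
```

Address records still need a manual review, because an IP address gives no hint of which domain it was entered for.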

On several occasions, I've tried to copy a user profile from the Control Panel System applet's User Profile tab, only to receive the bizarre error message Copy Profile Error: The operation completed successfully. Despite the supposed successful completion of the operation, the profile doesn't copy. What can I do to get around this problem?

Your problem is common on Windows NT 4.0 systems with Microsoft Internet Explorer (IE) 4.0 or 4.01. The cause of the error message is a permissions problem on a Registry key related to the Protected Storage service. To resolve this problem, you can try manually resetting the Registry permissions on the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\SID Registry key, where SID is the security identifier of the user whose profile you're attempting to copy. (Typically, only one SID will appear, and it will be your user account's SID.) To set permissions for the profile you're currently logged on as, run the regedt32 Registry editor and locate the HKEY_CURRENT_USER\SOFTWARE\Microsoft\Protected Storage System Provider\SID Registry key. If you need to determine your SID, you can use the Microsoft Windows NT Server 4.0 Resource Kit's Getsid utility or look for the name of the user within the various CentralProfile values under each of the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList Registry key's subkeys.

To fix the permissions glitch that causes this problem, select Permissions from the Registry editor's Security menu. In the Type of Access drop-down list, select Read permissions for the Administrators group. You should now be able to successfully complete the profile copy operation.

Microsoft's "Error Message: Copy Profile Error" (http://support.microsoft.com/support/kb/articles/q175/6/67.asp) discusses another potential solution for this problem. However, the solution works only if you're willing to create a new profile for the user. Another potential solution is to upgrade the browser to IE 5.0 or later.

My company uses many long filenames in the directory structures of our network's various disk volumes. Because I'm an old command-line DOS jockey, I like to work at a command prompt, but navigating with the CD command can be frustrating, especially with long filenames. For example, changing to a directory such as C:\Program Files\My Application at the command prompt requires a lengthy CD command (e.g., CD "Program Files\My Application"). How can I simplify my life at the command line?

I can provide a few tips that you might find useful in command-prompt sessions. All of these tips work with both Windows 2000 and Windows NT.

First, when you're changing to a directory underneath the current directory at the command prompt, you don't need to type the target directory's full name. Instead, you can use an asterisk (*) wildcard with the CD command. For example, to change to a directory called Program Files underneath the current directory, simply type

cd prog*

This command moves you into the closest directory that begins with "prog," which in this case is Program Files. (Note that this technique might not take you to the correct directory if other directories share the same match string before the asterisk. Therefore, be sure to provide as much information as necessary to uniquely match the desired target directory.)

Another tip that you might find helpful is modifying the Windows Explorer GUI so that you can easily drop to a command prompt from any Windows Explorer folder. One way to obtain this functionality is to download the Microsoft PowerToy called Command Prompt Here from http://www.microsoft.com/ntworkstation/downloads/. To install the utility, simply expand the self-extracting executable, right-click the extracted doshere.inf file, and choose Install from the resulting menu. After you install the utility, you'll have a menu option in every Windows Explorer folder window that lets you drop to a command-prompt session (with the selected folder as the default directory). You can use this tool in several ways. The primary advantage is that you can right-click a folder icon in a Windows Explorer window and choose the Command Prompt Here option from the resulting menu. Additionally, you can use the right mouse button to click the icon in the upper-left corner of any open folder and choose the Command Prompt Here option from the resulting menu.

Another command-line trick enables command-line completion. If you're familiar with UNIX, you might lament that NT won't let you use the Tab key at the command line to autocomplete filenames within the current directory. However, you can mimic this ability in Win2K or NT: Edit the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor or HKEY_CURRENT_USER\Software\Microsoft\Command Processor Registry key. (If the value exists in both locations, the value in HKEY_CURRENT_USER will override the value in HKEY_LOCAL_MACHINE.) Using regedit or regedt32, navigate to either key, double-click the REG_DWORD value named CompletionChar (or add the value and the Command Processor Registry subkey, if they don't exist), and set the data to 9, as Figure 3 shows. In future command-prompt sessions, you'll be able to use Tab to autocomplete filenames at the command line.
