Windows Secrets Newsletter • Issue 2 • 2003-03-13 • Circulation: over 400,000

Table of contents

Top Story: Fun with Microsoft licensing
From Our Readers: Using offline files remotely – but within the same domain
From Our Readers: XP password story makes good reading worldwide
Wacky Web Week: Now keep coffee warm with your unused USB port

Top Story

Fun with Microsoft licensing

By Brian Livingston

I’m not going to repeat here all the complaints people have about Microsoft’s various software licensing schemes. But reader William Walo II found a new wrinkle lately. Since he’s so good at telling the story, I’ll let him do the talking:

“I have several computers at work that we needed to migrate to XP Pro as a corporatewide upgrade from Win 95/98. I purchased three boxed retail copies before purchasing subsequent licenses via the OLP. On the fourth computer that needed the upgrade to XP Pro, I proceeded to purchase the license via the OLP program. What I failed to purchase was the OLP media (an additional $25).

“I did the fourth computer upgrade using the retail box CD and the OLP license key. When I entered the key from OLP against the retail CD, the install program notified me that the Product Key was invalid. Assuming that MS had generated a bad key via the eOpen Web site, I continued the install using the Product Key from the retail box under the assumption that I could determine the key problem when I registered the product after the OS install.

“Well, the install completed successfully and I proceeded to attempt to register the OS with MS. Again, the Product Key was reported as invalid. So again back to the eOpen Web site I went, looking for a phone number to contact MS regarding the issue.

“On the eOpen site there is no contact information for MS to resolve problems. I was referred back to my vendor where I purchased my OLP license. Luckily, they have a staff member dedicated to MS licensing issues, at which point I got an 800 number to contact MS.

“I proceeded to call MS on the issue. After discussions with the MS rep, I told her that I had used a retail box CD to perform the upgrade and an OLP Product Key to try to activate the product. At which point she said that that isn’t allowed, and that I needed to purchase the OLP media (another $25) and use that media with the OLP Product Key to perform the upgrade. The catch is that I must zero out the previous install and completely reinstall the OS from the OLP media.

“In my view, this is a radical departure from past MS installation/licensing procedures. I was also taken aback by the fact that I had purchased everything legally but I was stopped from doing a legal install of a product that I had purchased in accordance with their rules.

“Granted, I need to have only one piece of media from the OLP media purchase to install on subsequent computers. But the idea that I have to purchase another media when I have three “valid” media sitting in my office really confounds my logic.”

The point here is: Don’t purchase retail copies of Windows XP if you’re going to be purchasing licenses through OLP. I wrote about the secrets of Product Activation and other “new” features when XP first came out. For the details, see my InfoWorld column on the subject.

Reader Walo will receive a certificate for a free book, CD, or DVD of his choice for sending me a comment I printed. To send me more information about this, or to send me a tip on any other subject, visit WindowsSecrets.com/contact

From Our Readers

Using offline files remotely – but within the same domain

Glen Looby writes:

“We use ‘offline’ files for our laptop users, typically comprising their personal and shared folders on the network. The problem we have is that when the user works from another office but on the same domain (we’re in New Zealand and the office is in Australia), Windows connects the drives to the original location rather than ‘work offline.’

“When the user opens a file (Word, Excel, etc.), the response time is painful and frustrating as the system is trying to work from the original document location. This affects the laptop’s own performance, also, since the sites are only connected by a 512 frame-relay-to-Internet connection.

“How can we ‘work offline’ with files while connected to the network? You can do this with Outlook (‘Connect’ or ‘Work Offline’), but there’s no obvious option for files. Our head office in Houston is experiencing the same issues and cannot offer a solution. I’ve entered this into a forum in WinNTMag and had a reply from another admin in the same position, but no answers, though. I’ve even lodged a call with Microsoft support and they haven’t even heard of the problem (in New Zealand, anyway) but are researching. Can you please help?”

I have an idea how we can solve Looby’s dilemma, but I’ll bet someone out there has an even better plan. How about it? To send me your answer, visit WindowsSecrets.com/contact

From Our Readers

XP password story makes good reading worldwide

My top story last issue – that Windows XP allows anyone to log on to the Recovery Console without entering an administrator password if they use the Windows 2000 CD – was picked up by media around the world. It was the top story at the “news for nerds” site known as Slashdot, and was a feature story at Extreme Tech, WinInformant, Lockergnome, Wired News, Security Administrator, Langa List, Geek.com, IT World (Canada), The Register (U.K.), The Inquirer (U.K.), PC Welt (Germany), PC Tip (Switzerland), and many others. Here are some excerpts:

“A slip-up like this just makes it all the more trivial to completely circumvent XP’s existing security mechanisms.” –Ken Pfeil, a security consultant at Avaya, quoted in Wired

“While one does need physical access to the machine to exploit this flaw, this will be of little comfort to the administrators of academic computer laboratories and other facilities where users can easily pop a CD-ROM into a computer.” –Brett Glass, Extreme Tech

“There are other boot CDs and techniques for circumventing Microsoft’s thin layer of file system protection, but using previous versions of Microsoft’s own software against XP took me by surprise. Physical access is always going to be a potential security threat, but this is just too darn easy.” –Lockergnome

I’d like to comment on a point made by several readers who said that there are much worse errors to be found in Windows XP. I never wrote that this was the worst security flaw ever – it’s simply interesting that Windows XP doesn’t even ask for an administrator password in a situation where Windows 2000 definitely does.

Second, some readers asked about my statement that Windows XP allows an intruder to copy files onto removable media – something that a user of the Recovery Console normally isn’t allowed to do under Windows XP or 2000. These readers weren’t able to duplicate that feat. That’s because it requires setting an environmental variable at a command line first. The command is documented, but I’m not going to describe it, because I don’t want to enable more people to use this technique.

Finally, here are some of the most interesting comments I received. The readers whose comments I printed will receive a gift certificate for a book, CD, or DVD of their choice.

“Your recommendation should be that if people use ANY machine in an open space, and they are concerned with the data on those systems, that they physically secure them. What the bad guys know even better is how to simply boot up on a Linux disk and change the admin password. That is a far more significant threat – and one not limited to Win2K, XP, or any operating system from any manufacturer.” –Tim Mullen

“The problem, as I see it, is that Microsoft Corp. marketing convinced a large portion of an entire generation of IT admins that Windows NT had suddenly made it feasible to leave the consoles of business-critical computers accessible to casual foot traffic, without security exposure. … We long-time Unix people immediately pegged that as laughable drivel. Even before the Linux kernel people wrote their NTFS driver and admin-password access utilities, it was simple, given console access, to open the system case, insert your own NT boot hard drive alongside the target system’s drive, boot your drive, and crack any contents of the target drive you wish.” –Rick Moen

“The only protection is to lock down the computer, prevent booting from CD or floppy in the BIOS setup, password-protect the BIOS, make sure that all file systems are NTFS, and encourage users to encrypt sensitive files (which cannot be read using this ‘technique’). Windows is not alone in having this ‘vulnerability,’ Linux, FreeBSD, and in fact any operating system that does not encrypt its file system can be accessed in this way, provided users can boot off removable media.” –Daniel Franklin

Wacky Web Week

Now keep coffee warm with your unused USB port

Most laptop and desktop PCs today include one or more Universal Serial Bus (USB) ports. But you may not have enough USB devices to keep all those ports occupied. Fortunately, someone’s come to the rescue with a coffee cup that plugs into any spare USB port to keep your beverages steaming. The site where this is advertised is all in Japanese – which I can’t read – so I can’t tell you how much the USB Cup costs or even if you can order one yet. But thanks to a graph on the site, I can state that the plug-in cup (works with Windows or Macs!) will keep your java hotter than an ordinary cup by a toasty 18 degrees F. (10 C.) Is technology great, or what? More info

YOUR SUBSCRIPTION

The Windows Secrets Newsletter is published weekly on the 1st through 4th Thursdays of each month, plus occasional news updates. We skip an issue on the 5th Thursday of any month, the week of Thanksgiving, and the last two weeks of August and December. Windows Secrets is a continuation of four merged publications: Brian's Buzz on Windows and Woody's Windows Watch in 2004, the LangaList in 2006, and the Support Alert Newsletter in 2008.

Publisher: WindowsSecrets.com, 1218 Third Ave., Suite 1515, Seattle, WA 98101 USA. Vendors, please send no unsolicited packages to this address (readers' letters are fine).

Editor in chief: Tracey Capen. Senior editors: Fred Langa, Woody Leonhard. Copyeditor: Roberta Scholz. Program director: Tony Johnston. Contributing editors: Yardena Arar, Susan Bradley, Scott Dunn, Michael Lasky, Scott Mace, Ryan Russell, Lincoln Spector, Robert Vamosi, Becky Waring. Product manager: Andy Boyd. Advertising director: Eric Gilley.

Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. The Windows Secrets series of books is published by Wiley Publishing Inc. The Windows Secrets Newsletter, WindowsSecrets.com, Support Alert, LangaList, LangaList Plus, WinFind, Security Baseline, Patch Watch, Perimeter Scan, Wacky Web Week, the Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of WindowsSecrets.com. All other marks are the trademarks or service marks of their respective owners.

HOW TO SUBSCRIBE: Anyone may subscribe to this newsletter by visiting our free signup page.

WE GUARANTEE YOUR PRIVACY:

1. We will never sell, rent, or give away your address to any outside party, ever.
2. We will never send you any unrequested e-mail, besides newsletter updates.
3. All unsubscribe requests are honored immediately, period. Privacy policy

HOW TO UNSUBSCRIBE: To unsubscribe from the Windows Secrets Newsletter,

Visit our Unsubscribe page.

Table of contents

Top-scoring articles in the past 12 months

Internet Services

Web Development

Digital Marketing

Consumer Tech