Microsoft the Ultimate Steal for Students is live again!!!

If you want a complete set of Office without breaking your bank account and you are a current student with a valid .edu e-mail address, you may really want to check this out:

http://www.microsoft.com/student/discounts/theultimatesteal-us/default.aspx

Cheers!

Fw: Info on Downadup / Conflicker (worm) and what to do about it

Dear All,

Here's a forward from Mark Minasi newsletter that I've received today. It contains useful information on how to look for and prevent the latest virus/worm outbreak since last Friday. Hope you find it helpful!

"Hi All --

Just a quick note about the Conflicker / Downadup worm that's gotten a bunch of press lately. It's on the grow, so it's worth taking a moment and checking your systems (and, more likely, your friends' home systems).

I view it as an important threat to address because it's one of those "remote code execution" exploits, which is security-ese for "you don't have to do anything to get this except (1) don't patch and (2) expose port 135 (RPC) to the Internet." What's scarier is that it puts itself on USB sticks and puts an autorun.inf file on those sticks, meaning that if your system's infected and you take a USB stick out of your system and hand it to someone and that person pops the USB stick into a system that hasn't disabled autorun, then that other person's computer is now infected. (I really hate autorun and disable it -- you can do it from group policies or Control Panel. In Vista, it's in Control Panel / Hardware and Sound / AutoPlay. On XP, open My Computer and right-click anything under "Devices with Removable Storage" and look on the AutoPlay tab.)

Microsoft published the patch, MS08-067 on 23 October '08, so you probably have nothing to worry about if you automatically download and install Microsoft's hotfixes in a timely manner. If not, any major anti-malware tool can identify and clean it, or just download the latest version of Microsoft's Malicious Software Removal Tool (the 19 January version) from http://www.microsoft.com/downloads, then run it by typing "mrt" and follow the prompts. Once finished, MRT offers a hyperlink "View detailed results of the scan." In that report refers to the worm as Win32/Conflicker, rather than the "Downadup" name used by many sources.

I hope this helps, and apologies to those for whom this is old news -- it'd just be a shame to allow a bunch of dirtbags to build another bot army."

Cheers, and take action against this worm right away if you haven't!

Meeting PCI Security Standard with IIS SSL

As a web development manager/network administrator, we've been asked by many of our clients to meet the PCI Security Standard. Since we are an MS shop and use IIS primarily, one common vulnerability is the IIS/SSL protocol not meeting the security standard. According to Microsoft, all SSL protocols and ciphers (including the ones with known vulnerabilities) are all "enabled" by default. Hence, to meet the PCI Security Standard, these vulnerabilities must be addressed. Here's my own quick and dirty list of what must be disabled based on varioius sources for my own use:

1. 322756 (http://support.microsoft.com/kb/322756/) How to back up and restore the registry in Windows

2. Start->Run->Regedt32.

3. Navigate to each of the item in the following list. If the "Enabled" DWORD is not there, you could safely create one by right click on the item, then "New->DWORD" value. Please remember that "0x00000000" means "FALSE" AND "0xffffffff" means "TRUE". For example, setting "Enabled" DWORD value to "0x00000000" means "Disable"; while "0xffffffff" means "Enable" (yeah I myself find it pretty confusing also.)

4. Here's the list of entries in the registry that should be disabled:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]

5. Exit out of Registry Editor and reboot the computer.

(Disclaimer: The information is only based on the compilation of various sources on the Internet. I'm not employed by Microsoft and the information above should not be considered as official information. I will not bear any responsibility for any system crashes/damages/liability as a result of utilizing the above information. Please use at your own risk.)

Seagate Drive Gone Bad? Don't worry. Here's the link to check your warranty

I've just seen my dear friend on Facebook saddened by a broken Seagate hard drive. The frustration is understandable, so here's my humble attempt to cheer him up a bit:

http://support.seagate.com/customer/warranty_validation.jsp

If for nothing, at least you would have a spare drive available for backup or whatever purpose suits. I've personally RMAed a couple Seagate hard drives in the past and it seems Seagate is pretty good at shipping the replacement.

Just a personal tip to share with all Dell desktop users. Almost all latest Dell Inspiron, Vostro (possibly other lines also) already come with SATA RAID configuration in the BIOS (not activated by default). For maximum data security, all it takes is 2 identical hard drives to form a RAID 1 array (e.g. 2 x 1TB). Yes, you may only get 1TB storage out of 2 x 1TB hard drive, but it's 1TB fully redundant data storage! So if 1 of the hard drives goes bad, your computer would still work with the remaining good one while you go back to manufacturer (e.g. Seagate) and get your replacement hard drive (Seagate provides 5-year warranty on most of their hard drives). Just some food for thought!!!

Cheers!!!

DELL Inspiron 530 Q6600 with 24" monitor $663 (Expired)

Repost from Slickdeals.net: (couldn't resist this deal myself and in for 1)

Sorry to disappoint you but the deal is now officially expired.

http://configure.us.dell.com/dellstore/config.aspx?oc=dddodg4&cs=19&dgvcode=ss&c=US&l=EN& m_1=CT545HN&m_3=2G2D&dgc=CJ&cid=7420&lid=0

Add 24" E248WFP monitor with the 40% monitor off purchase with desktop deal(2days left)
plus 250 off 999 coupon V57X6FHK5Z$DLN
it comes with price $663.00 use DPA save more.


SPEC:
PROCESSOR Intel Core 2 Quad Processor Q6600 (8MB L2 cache,2.4GHz,1066FSB) edit
OPERATING SYSTEM Genuine Windows Vista® Home Premium Service Pack 1 edit
MONITOR 24 inch E248WFP Entry Widescreen Digital Flat Panel Monitor edit
MEMORY 2GB Dual Channel DDR2 SDRAM at 800MHz- 2DIMMs edit
HARD DRIVE 500GB Serial ATA Hard Drive (7200RPM) w/DataBurst Cache™ edit
OPTICAL DRIVE 16X DVD+/-RW Drive edit
VIDEO CARD Integrated Intel Graphics Media Accelerator 3100 edit

SQL Server Backup and Recovery Models

http://www.mssqltips.com/tip.asp?tip=1219

I have never been able to figure out the mystery of why transaction log backup always failed until today. It's definitely a huge oversight on my behalf. Here is one good link on the recovery models of each system database in SQL Server:

http://msdn.microsoft.com/en-us/library/ms365937.aspx

To sum it up:

Master (Simple) - Okay to backup the database file but NOT the transaction log

Model (Full) - Full backup on both database file and transaction log

msdb (Simple) - changed to Full Recovery Model is highly recommended. Full backup on both database file and transaction log

tempdb (Simple) - Simple Recovery Model is REQUIRED. You CANNOT backup tempdb database.

Hope this reminds and helps the ones who find the tips helpful! Cheers!

SQL Server 2005 Database Email setup and stored procedures

Here's a great article on how to setup the Database E-mail accordingly in SQL Server 2005:

http://www.mssqltips.com/tip.asp?tip=1438

And the T-SQL way to do it as well as a sample use of the sp_send_dbmail Stored Procedure:

http://www.dotnetspider.com/resources/19638-Sending-email-through-sql-server-stored-procedure.aspx

I personally find Database E-mail on SQL Server 2005 a step forward from SQL Server 2000. It did away the buggy MAPI mail profile and instead allows you to create Mail Profiles and multiple SMTP Accounts under each Mail Profile.

Mail Profile is like an "umbrella" that may consist one or more SMTP accounts. The Mail Profile name is also what's been used in the sp_send_dbmail Store Prodecure to send e-mails.

SMTP account is the actual configuration of which SMTP server to use, the originator's e-mail address, etc.

One of the advantage of Mail Profile is the ability to configure multiple SMTP accounts. It could be used as a "fail over", in the event that if the first SMTP account failed to send e-mail for whatever reason, it would automatically use the second SMTP account to send the same e-mail.

The sp_send_dbmail Stored Procedure also has some significant improvements and provide additional flexibility.

Finally, database developers are able to utilize Stored Procedure to send e-mails directly from within a Scheduled Task or Stored Procedure, instead of relying on external programs for sending e-mails.

Hopefully you would find this article a bit helpful! I welcome any comments and questions alike. I would also continue to modify this post as I dig deeper in Database Email and Stored Procedure in SQL Server 2005.

Cheers! Thanks for reading!