In mid-July, I attended Fusion 2000, Microsoft’s annual conference for their development and networking partners, a.k.a. Solution Providers, or SPs. The conference is designed to prepare the sales and marketing groups within these organizations to position and price upcoming solutions based on the Microsoft platform.

It should come as no surprise that the main message was centered around configuring and delivering solutions on the Microsoft .NET platform. But if you look beyond the marketing glitter, one of the major themes that emerged from the conference is that Microsoft now believes “ASPs are for real.”

Piloting for success
At the conference, Microsoft revealed that they had been running a series of licensing pilots over the last year designed to help them determine a strategy for offering their products on a subscription (or rental) basis rather than as a one-time purchase.

These licensing pilots centered on offering infrastructure based on Microsoft Windows NT 4.0 and Microsoft BackOffice and also productivity services centered around Microsoft Exchange 5.5 and Microsoft Office 2000. As a result of these pilots, Microsoft has determined that there are two basic licensing decisions that ASPs need to be ready to offer, and customers willing to accept.

Best online Microsoft MCTS Training, Microsoft MCITP Training at certkingdom.com

Decision #1: How long does the license last?
The first licensing decision is one of purchasing a perpetual license versus a non-perpetual license.

In the past, the only option from Microsoft has been a perpetual license, i.e. when you buy a copy of Office 97, you have the option of using that license on a single machine “in perpetuity.” Microsoft simulated a non-perpetual license by allowing a customer to upgrade every 18 months for a fee, thus preserving a revenue stream on a purchased perpetual license.

But now Microsoft will offer a real non-perpetual license. For example, you can purchase, (from an authorized ASP), a right to use the current version of Microsoft Office for one month at a price set by the ASP. That price would include not only the license cost of the software, but also the ASP’s fees for managing and maintaining access to the software.

The other key difference between a perpetual and non-perpetual license is to whom (or what) the license is applied. In the case of a perpetual license, the license is applied to a device, i.e. anyone can use the copy of Office installed on a specific PC. In the non-perpetual mode, the license is applied to an individual, i.e. the individual has the right to use Office on ANY DEVICE from which he or she can access a hosted version of Office. This would include their office PC, a home PC, or even an airport kiosk from which they can load a Web session into Windows Terminal Services.

Decision #2: How many licenses do I need?
The second key decision that an ASP must make on behalf of their customers is whether to license certain products by the user or by the CPU. For some products, (like Windows 2000, Commerce Server, and SQL Server), the hosting company has the option of paying Microsoft a monthly per CPU fee for using a copy of the software.

If the hosting company chooses to segregate companies into their own unique, non-shared environments, it will be more cost effective to pay Microsoft and charge their customers by the user rather than the CPU.

The exception to this rule is for applications that require external authenticated access to SQL Server databases or to Commerce Server. Microsoft has finally dropped their maddening and somewhat irrational requirement that externally authenticated Internet users be required to pay for a CAL or Client Access License.

(This was one of the biggest inhibitors to widespread, legal deployment of Microsoft’s Commerce Server product. There was no way for you, as the company deploying an e-commerce solution, to determine how many unique, external users would access your site. It made Commerce deployment on the Microsoft platform unpredictable and, potentially, prohibitively expensive.)

The more compelling case for per-CPU pricing from the hosting company’s perspective is the ability to share large, multiprocessor servers running Windows 2000 for access and authentication, SQL Server 2000 for database access, and Commerce Server for commerce transactions. This allows the ASP to spread the cost of maintaining these services across multiple boxes and to offer hosting services at a lower price than the company can purchase and manage the product without the ASP.

Most of the per-user pricing is determined by making the impact to Microsoft revenue-neutral. That means that the hosting company’s real ability to generate revenue lies in delivering efficient shared services to its customers. In order to keep from cannibalizing their revenue, Microsoft has chosen to stick with per-user pricing only for products like Office, Exchange, and Terminal Server. ASPs will have to add value there by integration and custom development surrounding those products.

Will Microsoft be successful with ASPs?
Microsoft has chosen a different route than their competitors in the software space. Companies like Oracle, SAP and PeopleSoft have chosen to compete with their own partners in the ASP space. Other than their bCentral effort, (aimed at companies with less than 50 PCs), Microsoft is encouraging companies to focus on providing hosted offerings to companies with 1,000 or more PCs. Unfortunately, Microsoft has no clear vision or program to help companies in the 50 to 1000 PC market segment—either the companies with this number of seats or the ASPs who serve them.

Microsoft’s ultimate success here actually rides on two things. First, the rest of the market needs to keep rolling over on the desktop. If Sun, IBM, Oracle, and AOL all decided to band together and focus on providing the Sun StarOffice Suite on a standard Linux/Gnome platform using a rich, hosted Lotus Notes back end for a set fee per month, ($5 or less), then Microsoft would have to dramatically alter their plans to continue desktop operating system and productivity suite domination.

The second key to Microsoft’s success is their own ability to deploy large numbers of well-configured and manageable Windows 2000 platforms, (hosted and non-hosted), in a short period of time. If Microsoft can push enough Windows 2000 and .NET servers out the door in the next 12 months, then the game’s over anyway.
Is Microsoft’s non-perpetual license marketable? Share your opinions with us by e-mail or by posting below.

Exterminator has rounded up information on several Microsoft fixes this week, including a new tool and patch kit for Windows 2000. Find out the details and check out the latest Novell update and Trend Micro virus news.

Best online Microsoft MCTS Training, Microsoft MCITP Training at certkingdom.com

Microsoft Security Bulletin (MS01-004)
Regarding: Microsoft IIS
Date Posted: Jan. 29, 2001
Patch URL:Click here to download the 4.0 patch
Patch URL:Click here to download the 5.0 patch
Information URL:Click here for more information

This week, Microsoft released a patch for its Internet Information Server, versions 4 and 5. The patch eliminates a vulnerability that could allow a malicious user to read file fragments from an affected Web server. For more information on this update, click on the Information URL above.

Microsoft Security Bulletin (MS01-005)
Regarding: Windows 2000
Date Posted: Jan. 30, 2001
Patch URL:Click here to download the tool
Patch URL:Click here to download the Win2K patch
Patch URL:Click here to download the Win2K SP1 patch
Information URL:Click here for more information

Also this week, Microsoft released a tool and patch for its Windows 2000 operating systems. According to Microsoft’s TechNet Security Bulletin, the tool and patch help users “diagnose and eliminate the effects of anomalies in the packaging of hotfixes” for Windows 2000 machines. Microsoft said these anomalies could uninstall updates, such as security patches from Win2K machines. For more information on this update, click on the Information URL above.

Microsoft Security Bulletin (MS01-006)
Regarding: Windows 2000 Terminal Server
Date Posted: Jan. 31, 2001
Patch URL:Click here to download the patch
Information URL:Click here for more information

Microsoft has released a patch for its Windows 2000 Server and Advanced Server acting as a terminal server. The patch eliminates a vulnerability that could allow a user to attack a server and cause it to crash. For more information on this patch, click the Information URL above.

Novell issues
Regarding: NetWare
Date Posted: Jan. 29, 2001
Patch URL:Click here to download the patch
Information URL:Click here for more information

Novell’s only update this week is a self-extracting file for its NetWare 5.1 SP2 and NetWare 5.0 SP6 updates for NDPS 2.x. For more information on this update, click on the Information URL above.

Virus updates from Trend Micro
Virus/Worm: TROJ_SUB7DRPR.C
Posted: Jan. 31, 2001
Risk: Low
Information URL:Click here for more information on this virus.

Virus/Worm: TROJ_RUNNER.B
Posted: Jan. 31, 2001
Risk: Low
Information URL:Click here for more information on this virus.

Virus/Worm: W97M_HOPE.AA
Posted: Jan. 30, 2001
Risk: Low
Information URL:Click here for more information on this virus.

Virus/Worm: TROJ_RUX.30
Posted: Jan. 29, 2001
Risk: Low
Information URL:Click here for more information on this virus.

Virus/Worm: TROJ_HERMES
Posted: Jan. 29, 2001
Risk: Low
Information URL:Click here for more information on this virus.
Stay current on virus information
Are you keeping up with the latest virus information from Microsoft and Novell? If not, visit the Exterminator archive for past columns with information on bugs and patches you may have missed.

Exterminator brings you weekly updates on bug fixes, virus recovery, service release announcements, and security notices for Windows, Novell, Linux, and other systems.

Microsoft Security Bulletin (MS01-004)
Regarding: Microsoft IIS
Date Posted: Jan. 29, 2001
Patch URL:Click here to download the 4.0 patch
Patch URL:Click here to download the 5.0 patch
Information URL:Click here for more information

This week, Microsoft released a patch for its Internet Information Server, versions 4 and 5. The patch eliminates a vulnerability that could allow a malicious user to read file fragments from an affected Web server. For more information on this update, click on the Information URL above.

Microsoft Security Bulletin (MS01-005)
Regarding: Windows 2000
Date Posted: Jan. 30, 2001
Patch URL:Click here to download the tool
Patch URL:Click here to download the Win2K patch
Patch URL:Click here to download the Win2K SP1 patch
Information URL:Click here for more information

Also this week, Microsoft released a tool and patch for its Windows 2000 operating systems. According to Microsoft’s TechNet Security Bulletin, the tool and patch help users “diagnose and eliminate the effects of anomalies in the packaging of hotfixes” for Windows 2000 machines. Microsoft said these anomalies could uninstall updates, such as security patches from Win2K machines. For more information on this update, click on the Information URL above.

Microsoft Security Bulletin (MS01-006)
Regarding: Windows 2000 Terminal Server
Date Posted: Jan. 31, 2001
Patch URL:Click here to download the patch
Information URL:Click here for more information

Microsoft has released a patch for its Windows 2000 Server and Advanced Server acting as a terminal server. The patch eliminates a vulnerability that could allow a user to attack a server and cause it to crash. For more information on this patch, click the Information URL above.

Novell issues
Regarding: NetWare
Date Posted: Jan. 29, 2001
Patch URL:Click here to download the patch
Information URL:Click here for more information

Novell’s only update this week is a self-extracting file for its NetWare 5.1 SP2 and NetWare 5.0 SP6 updates for NDPS 2.x. For more information on this update, click on the Information URL above.

Virus updates from Trend Micro
Virus/Worm: TROJ_SUB7DRPR.C
Posted: Jan. 31, 2001
Risk: Low
Information URL:Click here for more information on this virus.

Virus/Worm: TROJ_RUNNER.B
Posted: Jan. 31, 2001
Risk: Low
Information URL:Click here for more information on this virus.

Virus/Worm: W97M_HOPE.AA
Posted: Jan. 30, 2001
Risk: Low
Information URL:Click here for more information on this virus.

Virus/Worm: TROJ_RUX.30
Posted: Jan. 29, 2001
Risk: Low
Information URL:Click here for more information on this virus.

Virus/Worm: TROJ_HERMES
Posted: Jan. 29, 2001
Risk: Low
Information URL:Click here for more information on this virus.

Takeaway: Get the details on Service Pack 2 for Microsoft’s Internet Security and Acceleration (ISA) Server 2000.

Microsoft has released Service Pack 2 for Internet Security and Acceleration (ISA) Server 2000. This software update definitely increases the security and stability of ISA, and administrators who manage ISA servers need to give it a close look.
Details

Going almost unnoticed, the release of Service Pack 2 for ISA Server 2000 comes in English, French, Japanese, Spanish, and German. ISA SP2 addresses the problems in the following Microsoft Knowledge Base articles:

Best online Microsoft MCTS Training, Microsoft MCITP Training at certkingdom.com

● 313318: “Cannot relay mail through ISA Server if authentication is required”

● 317122: “Web proxy sends TCP reset instead of only closing session”

● 317822: “Problems with Web browser if ISA Server 2000 is chained to an upstream Web proxy server”

● 323889: “Unchecked buffer in Gopher protocol handler can run code of attacker’s choice”

● 324642: “Macintosh clients who use MAPI cannot connect to Exchange 2000 with ISA Server”

● 331062: “Running ISA Server on Windows Server 2003”

● 331068: “ISA firewall causes handle leak in LSASS”

● 331069: “Hotfix to permit URL path redirection in Web publishing rules”

● 331070: “Authentication does not succeed when the user name contains a space”

● 810559: “Slow responses and failures when you use server publishing UDP protocols”

● 813864: “Site and content rules do not filter based on file name extensions”

● 816456: “Flaw in ISA Server error pages could allow cross-site scripting attack”

● 816828: “‘Permission Denied’ error message when you use rlogin to log on to a server on the Internet”

● 818821: “ISA firewall service stops responding on DNS resolution”

● 821724: “Basic credentials may be sent over an external https: connection when SSL is required”

● 822241: “ISA Server Web proxy service maintains a connection after a client session is closed”

● 822970: “Cannot read ISA Server performance data by using an SNMP program”

● 828044: “ISA Server intermittently stops responding to Web proxy client requests”

● 829892: “You cannot connect to external FTP sites by using a WRQ reflection FTP client through ISA Server 2000”

● 829893: “RSA SecurID cookie expires frequently, and clients are repeatedly prompted to authenticate”

● 833009: “ICMP traffic is not blocked during startup period with ISA Server”

● 839019: “White spaces in URL are not correctly encoded or decoded when you log on”

The list above represents some of the most important fixes, but there are others as well. An extensive list of other hot fixes is included in the release notes for SP2. In addition to the hot fixes, the Microsoft Security Bulletin “Vulnerability in Microsoft Internet security and Acceleration Server 2000 H.323 filter could allow remote code execution” (MS04-001) is also covered by ISA SP2.

You can download the English version of ISA SP2 here. For more details on installing SP2, see Microsoft Knowledge Base article 313139. If you experience problems, Microsoft says that ISA SP2 can be removed after installation.
Final word

This service pack has nearly gone unnoticed. At least I never saw any notices about it from Microsoft. Perhaps that was intentional because Microsoft’s ISA Server 2004 is rumored to be almost ready to ship. However, I suspect many administrators will want to install ISA 2000 SP2 before leaping to adopt the latest version of the software, even though ISA 2004 incorporates many of these security enhancements and undoubtedly includes many new features as well. Nevertheless, it takes a brave administrator to bet the farm on a brand-new security product.
Also watch for…

● Kurczaba Associates reports that ZoneAlarm Pro has a medium-level vulnerability in its new “mobile code” filter, but there is no known workaround yet. The problem is that the software fails to properly filter SSL content.

● There is a DoS vulnerability in all Cisco IOS systems with the Border Gateway Protocol (BGP) enabled. See Cisco Security Advisory 53021, “Cisco IOS malformed BGP packet causes reload,” for details. The vendor discovered this vulnerability.

● A bill that would impose heavy fines for redirecting URLs and spreading spyware is working its way through the U.S. Congress. CNET’s News.com reports a House subcommittee has approved the Securely Protect Yourself Against Cyber Trespass Act (SPYACT), H.R. 2929, which would impose fines of up to $3 million for annoying and privacy-invading practices such as installing keystroke loggers and even some pop-up ads. Of course, Microsoft is already planning to include a pop-up ad blocker in Windows XP Service Pack 2. But this is an election year, so Congress may actually do something. Whether the final bill will make a real difference is debatable. The last time Congress got involved in helping Internet users, they passed CanSPAM, and we all know that this legislation has done little to affect the daily spam deluge.

● There are rumors around the Internet water cooler that Network Associates (maker of McAfee solutions) is on the market, and that Microsoft is considering increasing its position in the antivirus world by acquiring the software as well as the credibility of the McAfee name. Microsoft is denying interest, while theinquirer.net is reporting that Network Associates is saying that no discussions are being held. Of course, nothing can kill such a deal quicker than holding a press conference to announce that it may take place. So the denials are being taken with a grain of salt, especially just a week after Symantec’s CEO told a British audience that Microsoft’s move into the antivirus arena doesn’t threaten other vendors because the Redmond giant lacks credibility in the security field.

● A Linux kernel flaw in the IEEE 1394 (a.k.a. Firewire or i.Link) driver opens the door to DoS attacks. This applies to all versions of Linux. The driver in question is /usr/src/linux/drivers/ieee1394/. See Bugtraq for details.

● There is a DoS vulnerability in Sun’s Solaris operating system (versions 7, 8, and 9). Secunia rates this as “not critical,” but you should probably check it out if you’re running Solaris. The problem isn’t specified, but it lies in the Basic Security Module (how ironic) and patches are available. This problem was discovered and reported by Sun.

● Reuters reports that MasterCard has hired NameProtect to try to block phishing attacks related to the credit card giant’s accounts.