Vol 01 - Edition 05

.

Outsourcing pitfalls to avoid
By Zen Lee, ZDNet Asia
Monday , May 24 2004 11:34 AM

Outsourcing is increasingly becoming a popular trend. In a recent report by analyst firm Gartner, the number of businesses starting new outsourcing deals will grow by 30 percent this year globally. However, a successful outsourcing deal is no easy feat, not least for small and medium-size businesses.

Linda Cohen, managing vice president of Gartner tells CNET News.com: "Outsourcing requires an ongoing relationship that has to be managed proactively and measured to achieve what is expected. Outsourcing is hard work, and it takes a lot of preparation."

Therefore, before a company decides whether to outsource, it is essential to consider the possible pitfalls.

Beyond dollars
Often, the decision for companies to outsource is based on the preference to cut down operational costs. Outsourcing helps to achieve this in more ways than one. Via outsourcing, employee headcount can be reduced in order for companies to save costs on salaries. IT spending due to software and hardware maintenance and upgrading can also be minimized.

However, Janice Leong, general manager of Enterprise Infrastructure, Management and IT Security for NCS Communications Engineering, warns against an overemphasis on cost.

"Outsourcing for cost reasons alone does not last," says Leong.

"The reasons must not only be cost considerations but also of how the outsource service provider value add to the business success at the strategic level," she adds.

According to Leong, companies need to study their core capabilities before embarking on an outsourcing deal. The services outsourced are usually non-core activities, so companies do not have to divulge too much intellectual property to the service provider. Such activities are usually related to the aspects such as IT, network security, logistics, human resource and administrative processes.

An example is IT security. As more and more businesses start establishing an online presence, they are required to be more vigilant about security on the Internet. By turning to security service providers, they are freed of the responsibility of having to monitor their equipment, which may require additional manpower. They also do not have to worry about security issues such as firewalls or software licensing.

In other words, an efficient outsourcing partnership not only frees up resources for the company, it also allows the customer and the service provider to focus on their core business competency to achieve a higher standard of service.

This Month's Tip:

If you're using MSN Messenger as your chat and videoconferencing tool, you may never use Windows Messenger anymore and have removed it from the startup group to keep it out of your way. However, you may have seen it pop up on occasion and had to struggle with closing it down. The reason that Windows Messenger makes these impromptu appearances is that Outlook, Outlook Express and even some Microsoft Web pages can still make it load automatically. Fortunately, you can banish Windows Messenger from your desktop by making an alteration to the local group policy with the Group Policy Editor. Here's how:

1. Access the Run dialog box by pressing [Windows]R
2. In the Open text box type Gpedit.msc and click OK to launch the Group Policy Editor.
3. Go to Computer Configuration | Administrative Templates | Windows Components | Windows Messenger.
4. Double-click the Do Not Allow Windows Messenger To Be Run setting.
5. In the resulting dialog box, select the Enabled option, and click OK
6. Close the Group Policy Editor.

Note: This tip applies only to Windows XP Professional

Originally published at TechRepublic.

Microsoft Security Bulletin MS06-019
Vulnerability in Microsoft Exchange:

Greetings,

Microsoft released three fixes – two of which prevent remote code execution - as part of its monthly Patch Tuesday release 9th May 2006.

As expected, one of the critical patches was for Microsoft Exchange and fixes a vulnerability in the Exchange Calendar that a hacker could exploit by constructing a specially crafted message to allow remote code execution if the program's server processes an e-mail with vCal or iCal properties.

This update resolves a newly-discovered, privately-reported vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Summary

• Severity: Critical
• Bulletin Id - MS06-019, Vulnerability in Microsoft Exchange Could Allow Remote Code Execution (916803)
• Bulletin URL :
  http://www.microsoft.com/technet/security/Bulletin/MS06-019.mspx
• Microsoft Knowledge Base Article- 916803
• Recommendation: Customers should apply the update immediately.
• Affected Software:

• Microsoft Exchange Server 2000 with the Exchange 2000 Post-Service Pack 3 Update Rollup of August 2004(870540)
• Microsoft Exchange Server 2003 Service Pack 1
• Microsoft Exchange Server 2003 Service Pack 2

Our Security Advisory Team is of the opinion that this is a critical flaw and it should be tested and install the patch as soon as possible. Until the patch is installed, administrators should consider blocking or quarantining calendar-based mail messages as an interim solution.

Symantec Corp., in Cupertino, Calif., warned administrators to patch quickly and listed the Exchange vulnerability level as "High" on the company's security response Web site. Internet Security Systems (ISS) Inc.'s X-Force research team expects an exploit for the Exchange bug would be out soon.

"With the high profile of Microsoft Exchange as a target and the nature in which it is typically deployed, we expect to see active exploitation of this issue in the wild with the possibility of a worm," read an alert on the ISS Web site.

Microsoft has issued a workaround because of some compatibility problems with the Exchange fix. According to a Microsoft support site, users cannot send e-mail messages from a mobile device or from a shared mailbox in Exchange 2000 and Exchange Server 2003. The software maker has a Knowledge Base article available for Exchange managers to deal with the mobile problems.

Exchange MS06-019 Patch Workarounds

From the security bulletin…for those of you who cannot deploy quickly.

Block iCal/vCal on Microsoft Exchange Server to help protect against attempts to exploit this vulnerability through SMTP e-mail.

Systems can be configured to block certain types of files from being received as e-mail attachments. Meeting requests, typically used in Outlook, contain a file attachment that stores the meeting information. This file attachment is usually named meeting.ics. Blocking this file, and blocking the calendar MIME type, could help protect Exchange servers and other affected programs from attempts to exploit this vulnerability if customers cannot install the available security update. To help protect an Exchange Server computer from attacks through SMTP, block the .ics files and all text/calendar MIME type content before it reaches the Exchange Server computer.

We plan to deploy this patch this weekend if we have the approval from you. Incase you want to us reschedule this deployment, then we would request you to reply back to this mail and let us know when you would like us to schedule this deployment. However, we suggest that this needs to be done ASAP.

Also please note on deployment of this Patch, the Server will have to be rebooted and hence we request you to ensure that the latest ERD is created for the Servers as is done in the usual patch deployment process.