********************
Windows 2000 Magazine Security UPDATE
**Watching the Watchers**
The weekly Windows 2000 and Windows NT security update newsletter from the Windows 2000 Magazine Network
http://www.win2000mag.net/Channels/Security
********************

This week's issue sponsored by BindView Corporation
http://www.bindview.com/hurwitz4

|-+-|-+-|-+-|-+-|-+-|-+-|

April 18, 2001 - In this issue:

1. IN FOCUS
- Embedded Firewalls: The Next Wave?

2. SECURITY RISKS
- Windows PGP ASCII Armor Parser Vulnerability
- Denial of Service Condition in Lotus Domino Web Server R5
- Denial of Service Condition in Compaq Presario PCs

3. ANNOUNCEMENTS
- Read the Latest Addition to the Windows 2000 IT Library--Free!
- Announcing Windows 2000 Magazine Network Seminars!

4. SECURITY ROUNDUP
- News: Microsoft Cancels Windows NT 4.0 SP7
- Feature: Watch Out for Possible Problems with Task Scheduler, Cacls, and Xcacls
- Feature: So You Want to Be Your Own Certificate Authority!
- Feature: Terminal Services Security; Securing a Windows 2000 Terminal Server

5. HOT RELEASE (ADVERTISEMENT)
- CyberwallPLUS Firewalls for NT/2000 Servers

6. SECURITY TOOLKIT
- Book Highlight: RSA Security's Official Guide to Cryptography
- FAQ: What's an Image Backup?
- Windows 2000 Security: Internet Explorer Security Options, Part 2

7. NEW AND IMPROVED
- Gateway-to-Gateway VPN Security Appliance
- Reduce Help Desk Calls
- Antivirus Solution for Internet Mail

8. HOT THREADS
- Windows 2000 Magazine Online Forums: Unroutable Addresses Protect Against Spoofs?
- HowTo Mailing List: How to Lock Users

9. CONTACT US
See this section for a list of ways to contact us.

~~~~ SPONSOR: BINDVIEW CORPORATION ~~~~
Are your security practices adequate enough to protect you from hackers and crackers? How do you provide remote access to your users, enable E-mail messaging, Internet sites and e-commerce activity, and at the same time maintain security? Can you implement and administer the effective security measures you need without doing battle with the people who need access to your network? Download FREE the latest Hurwitz Group Report, Management Controls: Security Impact of IT Administration at
http://www.bindview.com/hurwitz4
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Want to sponsor Security UPDATE? Email emedia_oppsat_private
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. ========== IN FOCUS ==========

Hello everyone,

Certainly your organization uses a firewall, most likely at your network borders. And many of you have adopted firewalls to protect your internal network segments, servers, and workstations. Most of these solutions are software-based--you must load that software on top of an existing OS. The exceptions are dedicated hardware-based firewalls and routers with embedded firewall add-ons. Software-based firewalls are great tools, but some people argue that hardware-based firewalls are more effective because they're harder to tamper with. Another cited benefit is that hardware-based firewalls are standalone units that are less prone to interruption from services that often run on an underlying OS.

At the recent RSA Security Conference in San Francisco, 3COM announced that it's taking hardware-based firewalls to the next level by embedding distributed firewall technology in its new network cards. The idea is to offer centralized control of network traffic at the NIC level where the user has no access or control over the embedded firewall. 3COM partnered with Secure Computing to produce the 3COM Embedded Firewall. Secure Computing makes the popular Sidewinder firewall solution. According to 3COM, the solution works by using associated 3COM Embedded Firewall Policy Servers. Security policy is managed centrally on the Policy Servers and then downloaded to the appropriate NICs across the network.
According to 3COM, the solution will help prevent users from operating packet sniffers, spoofing packets, and running unauthorized services of all types. 3COM will offer a 10-client starter kit that includes hardware and software, including one Policy Server, for a list price of $2114. The solution will be available third quarter 2001 and will initially support Windows 2000, Windows NT, and Windows 9x. 3Com made no mention of Windows Me support in its press release.
http://www.3com.com/corpinfo/en_US/pressbox/press_release.jsp?INFO_ID=2002706

3COM did well to partner with an existing and reputable firewall maker to establish its new embedded solution. By doing so, the company gains credibility and some amount of initial trust for its solution. I haven't seen the product in action yet, but it seems like a tempting solution. And the price of roughly $210 per seat for a 10-seat network is certainly competitive with various other firewall solutions on the market.

Embedded firewalls seem like the next logical step in the evolution of firewall technology--I'm pleased to see this technology become available. And with 3COM using its own 3XP processor on board its new NICs, the firewall probably won't add any more overhead than a traditional desktop or server-based firewall. In fact, having the firewall embedded in the NIC might lower system overhead in some cases. In my experience, hardware-based firewalls typically cause far fewer headaches than firewalls that run on top of existing OSs, mainly because they stand alone and are unaffected by any OS-related snafus. So I'm glad to finally see a firewall embedded in a NIC. Perhaps we'll see other vendors follow 3COM's lead. It doesn't seem far-fetched to think that Intel might respond by creating a similar solution related to its NIC products and router-based PIX firewall technology.

What do you think? Would centrally managed NIC-based firewall solutions benefit your network? Send me a note with your thoughts or post them as a Reader Comment ( http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=20703 ).

Until next time, have a great week.

Sincerely,
Mark Joseph Edwards, News Editor
markat_private

2. ========== SECURITY RISKS ==========
(contributed by Mark Joseph Edwards, markat_private)

* WINDOWS PGP ASCII ARMOR PARSER VULNERABILITY
@Stake reported that by using Pretty Good Privacy (PGP) versions 5.0 to 7.0.3 (on Windows 2000, Windows NT, Windows Me, and Windows 9x), a malicious attacker can wrap a specially formed ASCII armored file around a file with arbitrary name and contents. After parsing the armored file using PGP, the attacker can extract the binary file. Because of how Windows OSs load .dll files, if the extracted file is a .dll file, the intruder can trick several applications into loading the .dll file and executing potentially malicious code. The vendor, Network Associates, has released several patches to correct this vulnerability.
http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=20645

* DENIAL OF SERVICE CONDITION IN LOTUS DOMINO WEB SERVER R5
Defcom Labs reports that an HTTP header-activated Denial of Service (DoS) condition exists in Lotus Domino Web Server R5 versions earlier than 5.0.7. An attacker can repeatedly request the document root (/) with various accept fields (accept: a, accept: aa, accept: aaa, and so on), which can cause the server to run out of physical memory. The server might continue to run but won't accept any new requests, or the server process can crash, requiring a server restart. The vendor, Lotus Development, has acknowledged this vulnerability and recommends that users upgrade to version 5.0.7. Users can obtain a copy of this upgrade from the Notes.net Web site.
http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=20646

* DENIAL OF SERVICE CONDITION IN COMPAQ PRESARIO PCS
Compaq provides customer support features through its Knowledge Center and Back Web components for its Presario PCs running Windows Me and Windows 98. Some of Presario's custom support features are implemented with ActiveX controls. By using the ActiveX control function LogDataListToFile, a malicious attacker can use a Web page to write a specified file to the system's hard disk, creating a potential Denial of Service (DoS) condition. The intruder can't modify the file's content but can access the hardware and software configuration information. The vendor, Compaq Computer, has released Softpaq 16629 to correct this vulnerability.
http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=20647

3. ========== ANNOUNCEMENTS ==========

* READ THE LATEST ADDITION TO THE WINDOWS 2000 IT LIBRARY--FREE!
According to Tony Redmond, the Microsoft Exchange development team performed major surgery when it created Exchange 2000. Visit the Windows IT Library and read more from Tony about the factors that have driven the change, how the transport core works, and how the new routing mechanism affects designs. Check it out!
http://www.windowsitlibrary.com/Content/519/06/toc.html

* ANNOUNCING WINDOWS 2000 MAGAZINE NETWORK SEMINARS!
Don't miss our new 1- and 2-day seminars presented by industry experts Mark Minasi, Kalen Delaney, and Steve Milroy. Polish your IT skills in informative sessions about Windows 2000 Server, SQL Server, and mobile and wireless connectivity. Seminars will be held in Los Angeles, Boston, and San Francisco in May and June. Sign up today!
http://www.win2000mag.net/seminars

4. ========== SECURITY ROUNDUP ==========

* NEWS: MICROSOFT CANCELS WINDOWS NT 4.0 SP7
Late yesterday, Microsoft confirmed that it has canceled development of what would have been the seventh and final service pack for Windows NT 4.0. According to a Microsoft representative, the company decided to cancel Service Pack 7 (SP7) because of customer feedback; the number of hotfixes Microsoft has issued since SP6a's release in November 1999 has dropped considerably in recent days.
http://www.wininformant.com/Articles/Index.cfm?ArticleID=20690

* FEATURE: WATCH OUT FOR POSSIBLE PROBLEMS WITH TASK SCHEDULER, CACLS, AND XCACLS
For some time, Dick Lewis has been testing his scripts to ensure that they function correctly in Windows 2000. When Lewis recently tested a few scripts on a server running Win2K Server Service Pack 1 (SP1), he ran into problems with three commonly used tools: Task Scheduler, Cacls, and Xcacls. Learn the details about those problems and the Microsoft hotfixes available to fix them in this Windows Scripting Solutions feature article.
http://www.winscriptingsolutions.com/Articles/Index.cfm?ArticleID=20510

* FEATURE: SO YOU WANT TO BE YOUR OWN CERTIFICATE AUTHORITY!
Setting up a Web server for a secure public key infrastructure (PKI) requires subscribing to the services of a Certificate Authority (CA). A CA is a trusted source from which you can acquire a digital certificate. The CA vouches for your identity, and the digital certificate becomes your own digital signature. You can use your digital certificate to communicate and transact securely with various systems. Did you know that you can use the CA software included with Lotus Domino for no fee? In "Domino Internet Security: Implementing SSL and X.509" (Group Computing, March 2001), D'Artagnan Fischer offered information about requesting and accepting certificates from a CA as well as how to use a certificate. In this article, Fischer addresses how you can become your own CA.
http://archives.groupcomputing.com//index.cfm?fuseaction=viewarticle&ContentID=595

* FEATURE: TERMINAL SERVICES SECURITY: SECURING A WINDOWS 2000 TERMINAL SERVER
When Morris Lewis was creating an online library for his students, he decided to use Windows 2000 Server Terminal Services to give them access to research material. Unfortunately, Lewis discovered that this solution creates security problems because Terminal Services treats users as if they were logged on locally to the computer. The challenge was to find a way to control access to the system while still making resources available. Learn how Lewis solved these issues in this feature article from our Security Administrator Newsletter.
http://www.secadministrator.com/Articles/Index.cfm?ArticleID=16524

5. ========== HOT RELEASE (ADVERTISEMENT) ==========

* CYBERWALLPLUS FIREWALLS FOR NT/2000 SERVERS
CyberwallPLUS uses stateful packet inspection and fine-grain network access control to bring full feature firewall security to NT/2000 servers operating in "electronically open" networks - and it includes active intrusion detection to further protect servers.
Free 30-day evaluation - http://www.network-1.com/support/download.html

6. ========== SECURITY TOOLKIT ==========

* BOOK HIGHLIGHT: RSA SECURITY'S OFFICIAL GUIDE TO CRYPTOGRAPHY
By Steve Burnett and Steve Paine
List Price: $59.99
Fatbrain Online Price: $47.99
Softcover; 448 pages
Published by McGraw-Hill Professional Book Group, April 2001
ISBN 007213139X

Learn to protect your network from hackers with "RSA Security's Official Guide to Cryptography." Written by RSA Security experts, this practical guide shows you how to implement cryptography to secure your network from attacks. This book covers symmetric-key and public-key cryptography, public key infrastructure (PKI), and X.509 directories. The book also includes case studies analyzing different types of security weaknesses.

For more information or to purchase this book, go to the Windows 2000 Magazine Bookstore and click UPDATE Highlights under Highlighted Titles.
http://www1.fatbrain.com/store.cl?p=win2000mag&s=97772
Or go to
http://www1.fatbrain.com/asp/bookinfo/bookinfo.asp?theisbn=007213139X
and enter WIN2000MAG as the discount code when you order the book.

* FAQ: WHAT'S AN IMAGE BACKUP?
( contributed by Windows NT and 2000 FAQ, http://www.windows2000faq.com )

Image backups (aka sector backups) have been a fixture on mainframes for years. In general, an image backup focuses on sectors and is independent of the sectors' content. Therefore, an image backup contains information about partition tables, file tables (e.g., FAT, Master File Table--MFT), and the Master Boot Record (MBR). File backups are a more recent development. File backups contain information about files and file attributes. In a file backup, you can selectively restore individual files, whereas in an image backup, you attempt to restore an entire disk.

Both backup types offer distinct advantages. An image backup lets you boot to a set of 3.5" disks and restore the tape contents, thereby regenerating your hard disk. However, the size of the disk to which you restore must be at least equal to the size of the disk that you back up. (Best practice is to use disks of identical size.) In all cases, the disks should be low-level formatted to optimize the restore. You don't need to partition or format the recipient disk. As you might expect, you can't perform an incremental image backup. Consequently, you should use image backups only for true disaster recovery and use file backups for individual file restoration. (Computer Associates' ARCserve was the first backup application to allow specific file restoration from an image backup, so exceptions exist to the rule about using image backup restorations.)
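Returning to the PGP ASCII armor item in this issue's Security Risks section: the check below is an added, constructed example (not code from the newsletter, @stake, or Network Associates) that dearmors an OpenPGP message, reads the file name carried in its literal data packet, and flags names an extraction would write as a .dll or outside the target directory. It handles only old-format packet headers and builds its own sample input; the names and data used are placeholders.

```python
import base64

# Constructed defender-side check (added example; not newsletter, @stake or
# PGP code): report the file name a literal data packet would be extracted under.
BEGIN, END = "-----BEGIN PGP MESSAGE-----", "-----END PGP MESSAGE-----"
SUSPICIOUS_EXT = (".dll", ".exe", ".com", ".scr")

def crc24(data: bytes) -> int:
    """RFC 2440 armor checksum: CRC-24, init 0xB704CE, polynomial 0x1864CFB."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def dearmor(text: str) -> bytes:
    """Strip the armor, decode the base64 body and verify the '=XXXX' checksum."""
    lines = text.splitlines()
    body = lines[lines.index(BEGIN) + 1:lines.index(END)]
    while body and body[0].strip():          # skip "Key: value" armor headers
        body.pop(0)
    body = body[1:]                          # drop the blank separator line
    crc_line = body.pop()                    # "=XXXX": base64 of the CRC-24
    if not crc_line.startswith("="):
        raise ValueError("armor checksum line missing")
    data = base64.b64decode("".join(body))
    if crc24(data) != int.from_bytes(base64.b64decode(crc_line[1:]), "big"):
        raise ValueError("armor checksum mismatch")
    return data

def read_packet(buf: bytes):
    """Return (tag, body) of the first packet; old-format headers only."""
    ctb = buf[0]
    if (ctb & 0xC0) != 0x80:
        raise ValueError("not an old-format OpenPGP packet header")
    size = {0: 1, 1: 2, 2: 4}.get(ctb & 3)   # length-of-length from low 2 bits
    if size is None:
        raise ValueError("indeterminate length not supported")
    length = int.from_bytes(buf[1:1 + size], "big")
    return (ctb >> 2) & 0x0F, buf[1 + size:1 + size + length]

def inspect_armor(text: str) -> dict:
    """Report the embedded file name and findings for a literal data packet."""
    tag, body = read_packet(dearmor(text))
    if tag != 11:                            # 11 = literal data packet
        raise ValueError("first packet is not literal data")
    nlen = body[1]                           # body: format, name len, name, date, data
    name = body[2:2 + nlen].decode("utf-8", "replace")
    findings = [msg for hit, msg in (
        (any(sep in name for sep in ("/", "\\", "..")), "path components in file name"),
        (name.lower().endswith(SUSPICIOUS_EXT), "executable extension")) if hit]
    return {"name": name, "size": len(body) - 6 - nlen, "findings": findings}

def build_armored_literal(name: str, data: bytes) -> str:
    """Constructed sample input: armor one old-format literal data packet."""
    body = b"b" + bytes([len(name)]) + name.encode() + bytes(4) + data
    packet = bytes([0x80 | (11 << 2), len(body)]) + body
    b64 = base64.b64encode(packet).decode()
    crc = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    return (BEGIN + "\nVersion: constructed sample\n\n"
            + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            + "\n=" + crc + "\n" + END + "\n")
```

Run `inspect_armor(build_armored_literal("..\\sample.dll", b"MZ"))` to see both findings reported for a name that combines a path component with a DLL extension.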
* WINDOWS 2000 SECURITY: INTERNET EXPLORER SECURITY OPTIONS, PART 2
In Part 1 of this series, Randy Franklin Smith described the security zones in Microsoft Internet Explorer (IE) 5.0. In Part 2, Randy shows you how to configure the security settings for each zone. In the final part of this series, Randy will explain how to use rules in Active Directory (AD) to centrally and consistently configure these IE security settings for all users in your domain according to each type of user.
http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=20622

7. ========== NEW AND IMPROVED ==========
(contributed by Judy Drennen, productsat_private)

* GATEWAY-TO-GATEWAY VPN SECURITY APPLIANCE
Cylink released NetHawk, a high-speed VPN appliance for secure, site-to-site Internet communications. NetHawk is an IP Security (IPSec) solution that transparently integrates into the network. NetHawk performs at wire throughput speeds in Ethernet (10Mbps) and Fast Ethernet (100Mbps) environments while supporting strong Triple-DES encryption--without slowing down the network. NetHawk is available in four models, from an Ethernet model supporting 5000 simultaneous connections to a high-performance Fast Ethernet model that supports up to 20,000 simultaneous connections. Pricing for NetHawk begins at $3500. Contact Cylink at 800-533-3958 for more information.
http://www.cylink.com/

* REDUCE HELP DESK CALLS
Courion announced that Bear Stearns, a securities trading, investment banking, and brokerage firm, is implementing Courion PasswordCourier and ProfileBuilder to give its 10,000 employees the ability to securely manage authentication credentials and reset, change, and synchronize passwords on systems and applications via Web browser or desktop access. Password management modules are available for Windows 2000, Windows NT, Windows 98, Netscape Directory Server, Novell NetWare NDS, Sun Solaris, HP-UX, IBM AIX, IBM mainframes, Oracle, Microsoft SQL Server, Sybase, and RSA SecurID. For more information, go to the Courion Web site.
http://www.courion.com

* ANTIVIRUS SOLUTION FOR INTERNET MAIL
F-Secure announced F-Secure Anti-Virus for Internet Mail, software that protects email traffic against inbound and outbound security threats in real time. Because email can bypass traditional workstation and server-based virus protection, businesses need an antivirus solution at the gateway level. Updates are distributed automatically through F-Secure Policy Manager, and protection is always on and transparent to the end user. The product supports Windows 2000 and Windows NT, and the email server can sit on any platform. Visit the F-Secure Web site for more information.
http://www.fsecure.com

8. ========== HOT THREADS ==========

* WINDOWS 2000 MAGAZINE ONLINE FORUMS
The following text is from a recent threaded discussion on the Windows 2000 Magazine online forums.
http://www.win2000mag.net/forums

April 05, 2001, 12:20 P.M.
Unroutable Addresses Protect Against Spoofs?
(Two messages in this thread)

I am setting up a small corporate network that will utilize a Cisco router firewall. The firewall does packet filtering and utilizes NAT to get out. I read in the Cisco documentation that this setup will leave you open to spoof attacks. If I am using nonroutable IP addresses inside (i.e., 10.10.10.x), this should not be an issue because Internet routers will drop the address as invalid. Is this a correct assumption? Before anybody asks, the company is small and on a budget, so a stand-alone firewall is out of the question; I am just trying to CYA on the router solution.

Thread continues at
http://www.win2000mag.net/Forums/Application/Thread.cfm?CFApp=64&Thread_ID=63662&mc=2

* HOWTO MAILING LIST
Each week we offer a quick recap of some of the highlights from the HowTo for Security mailing list. The following thread is in the spotlight this week.
How to Lock Users
(Five messages in this thread)

In my organization, we have some domains running Windows NT 4.0 with Service Pack 5. Here in Italy, a law requires us to lock out a UserID if the user does not log on for 6 months. Is there a tool or a function we can use to obey this law?
http://63.88.172.96/go/page_listserv.asp?A2=IND0104B&L=HOWTO&P=81

Follow this link to read all threads for April, Week 2:
http://63.88.172.96/go/page_listserv.asp?A1=ind0104B&L=howto

9. ============ CONTACT US ============

Here's how to reach us with your comments and questions.

* COMMENTS ABOUT THE COMMENTARY?
Email Mark Joseph Edwards at markat_private

* COMMENTS ABOUT THE NEWSLETTER IN GENERAL?
Email Managing Editor Trish Faubion at tfaubionat_private
Please mention the name of the newsletter in the subject line or body.

* TECHNICAL QUESTIONS?
Please post your technical questions to the discussion area.
http://www.win2000mag.net/forums

* PRODUCT NEWS?
Email press releases to productsat_private

* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION?
Email Customer Support at securityupdateat_private

* WANT TO SPONSOR SECURITY UPDATE?
Email emedia_oppsat_private

********************
This Security UPDATE is brought to you by Windows 2000 Magazine, the leading publication for Windows 2000/NT professionals who want to learn more and perform better. Subscribe today.
http://www.win2000mag.com/sub.cfm?code=00inxupb

|-+-|-+-|-+-|-+-|-+-|-+-|

Windows 2000 Magazine Security UPDATE Staff
News Editor - Mark Joseph Edwards (mjeat_private)
Editor - Gayle Rodcay (gayleat_private)
New and Improved - Judy Drennen (productsat_private)
Copy Editor - Judy Drennen (jdrennenat_private)

|-+-|-+-|-+-|-+-|-+-|-+-|

========== GET UPDATED! ==========
Receive the latest information about the Windows 2000 and Windows NT topics of your choice, including Win2K Pro, Exchange Server, training and certification, SQL Server, IIS administration, .NET development, application service provision, .NET, wireless and mobile devices, and more. Visit our Web site to subscribe to our other FREE email newsletters.
http://www.win2000mag.com/sub.cfm?code=up00inxwnf

|-+-|-+-|-+-|-+-|-+-|-+-|-

Thank you for reading Security UPDATE.

SUBSCRIBE
To subscribe send a blank email to subscribe-Security_UPDATEat_private

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERVat_private with a message body of "SIGNOFF ISN".
This archive was generated by hypermail 2b30 : Thu Apr 19 2001 - 01:43:35 PDT