******************** Windows 2000 Magazine Security UPDATE **Watching the Watchers** The weekly Windows 2000 and Windows NT security update newsletter from the Windows 2000 Magazine Network http://www.win2000mag.net/Channels/Security ******************** This week's issue sponsored by McAfee ePolicy Orchestrator http://www.win2000mag.com/jump.cfm?ID=129 |-+-|-+-|-+-|-+-|-+-|-+-| April 25, 2001 - In this issue: 1. IN FOCUS - SMBRelay: Another Good Reason to Protect Your Internal Network 2. SECURITY RISKS - Implementation Flaw with Microsoft WebDAV - Denial of Service Condition in Microsoft ISA Server 3. ANNOUNCEMENTS - New Seminars Series--Don't Be Left Out! - There Is Such a Thing as a Free Lunch! 4. SECURITY ROUNDUP - News: Fortress Strengthens Wired Equivalent Privacy - Feature: Exchange Server Antivirus Scanners - Review: WinWhatWhere Investigator 3.0 5. NEW AND IMPROVED - Advanced Security Software for Palm OS - Personal Firewall Protects PCs Before Windows Launches - Internet Content Security Solution 6. SECURITY TOOLKIT - Book Highlight: PKI: Implementing and Managing E-security - Virus Alert: W32/Matcher - FAQ: I've Upgraded to Windows 2000 Server with Service Pack 1 (SP1) Slipstreamed. Why Doesn't the Registry Show that SP1 Is Installed? - SOHO Security: Using PGP to Secure Your Email - New Poll: Which Administrative Scripting Language Do You Use Most Often? 7. HOT THREADS - Windows 2000 Magazine Online Forums Problem Sending Mail from MS-Outlook Express (Client Side) - HowTo Mailing List Preventing Exchange 5.5 Server from Being Used to Relay Spam Reduce Domain Administrators 8. CONTACT US See this section for a list of ways to contact us. ~~~~ SPONSOR: MCAFEE EPOLICY ORCHESTRATOR ~~~~ Managing anti-virus protection through policy can save any business money. A policy gives you a framework that allows you to more effectively update your protection - critical in the fight against viruses. Up-to-date protection prevents infections. And fewer infections means less downtime and less time spent cleaning up. A policy also gives you a benchmark against which to measure performance - in terms of both protection and infection rates. By establishing and enforcing an anti-virus policy, you save money where it counts the most: in the ongoing management of anti-virus protection. ePolicy Orchestrator is the best anti-virus management tool in independent tests. http://www.win2000mag.com/jump.cfm?ID=129 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Want to sponsor Security UPDATE? Email emedia_oppsat_private ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1. ========== IN FOCUS ========== Hello everyone, Last week, I discussed 3COM's new Embedded Firewall and the need to protect your internal networks. Shortly after I wrote that column, I came across some interesting news: A new program--SMBRelay--is available that can hijack a user's session to perform a man-in-the-middle attack. SMBRelay represents another good reason to protect your internal networks. SMBRelay's author is Sir Dystic, a member of Cult of the Dead Cow (cDc). You'll recall that cDc also published Back Orifice and BO2K, remote control tools for Windows systems. SMBRelay sits on a Windows system waiting for a user to connect. When the user connects, the relay passes authentication traffic to its destination in a proxy-like fashion. After the system authenticates the session, the relay then disconnects the user's system and assumes control of the session. An intruder can use the relay system to access network resources under the same authority as the user whose session was hijacked. You can learn more about the program at the URL below. http://pr0n.newhackcity.net/~sd/smbrelay.html SMBRelay relies on the fact that many networks use the older NT LAN Manager (NTLM) authentication instead of the newer NTLMv2. The release of the L0phtcrack ( http://www.securitysoftwaretech.com/lc3 ) password-cracking software showed security vulnerabilities in NTLM, so Microsoft released NTLMv2 when it published Windows NT 4.0 Service Pack 4 (SP4). To learn about NTLMv2, see Randy Franklin Smith's article, "Inside SP4 NTLMv2 Security Enhancements," at the following URL. http://www.win2000mag.com/Articles/Index.cfm?ArticleID=7072 In addition, Microsoft has several articles online that discuss NTLMv2, including "How to Disable LM Authentication on Windows NT," and "How to Enable NTLM 2 Authentication for Windows 95/98/2000 and NT." You can add NTLMv2 support to Windows 9x by installing the Directory Services Client from the Windows 2000 CD-ROM as discussed in the second article. The articles are located at the URLs below. http://support.microsoft.com/support/kb/articles/Q147/7/06.asp http://support.microsoft.com/support/kb/articles/Q239/8/69.asp NTLMv2 strengthens NTLM-based authentication, but it doesn't eliminate all risk. For example, NTLMv2 stops SMBRelay from hijacking user sessions, but the program might not stop future Server Message Block (SMB) relays. To better protect against man-in-the-middle attacks, you might want to integrate firewalls at the desktop and server level to guard against rogue client connections. Also consider VPN technology to protect user sessions and session traffic. Implementing a VPN can be tedious--but probably far less tedious than cleaning up after an intruder. Until next time, have a great week. Sincerely, Mark Joseph Edwards, News Editor markat_private 2. ========== SECURITY RISKS ========= (contributed by Mark Joseph Edwards, markat_private) * IMPLEMENTATION FLAW WITH MICROSOFT WEBDAV Microsoft reported a flaw in its WWW Distributed Authoring and Versioning (WebDAV) implementation that runs a script under the user's security context. WebDAV should distinguish between a user's request and the script that a Web browser runs, but Microsoft WebDAV doesn't differentiate the two. An attacker can use this flaw to browse the user's intranet or access Web-based email if the attacker knows certain variables, such as server names, folder structures, and specific user and network information. Microsoft has issued security bulletin MS01-022 to address this vulnerability and has also released a hotfix that changes the WebDAV implementation to correctly process these scripts. http://www.windowsitsecurity.com/articles/index.cfm?articleID=20749 * DENIAL OF SERVICE CONDITION IN MICROSOFT ISA SERVER SecureXpert Labs discovered that when you use Microsoft Internet Security and Acceleration (ISA) Server 2000 Web Publishing to bridge HTTP traffic to a Web server, a malicious attacker can use an invalid Web request containing a certain malformed argument to cause an access violation in the Web proxy service, denying service for legitimate traffic. Microsoft disables this service by default. Microsoft has issued security bulletin MS01-021 to address this vulnerability and has also issued a hotfix that enables ISA Server 2000's Web proxy service to correctly treat this request as invalid. http://www.windowsitsecurity.com/articles/index.cfm?articleID=20689 3. ========= ANNOUNCEMENTS ========== * NEW SEMINARS SERIES--DON'T BE LEFT OUT! Check out our new 1- and 2-day seminars sponsored by Aelita Software. Hear from industry experts Mark Minasi, Kalen Delaney, and Steve Milroy, and polish your IT skills in informative sessions about Windows 2000 Server, SQL Server, and mobile and wireless connectivity. Seminars will be held in Los Angeles, Boston, and San Francisco in May and June. Sign up today! http://www.win2000mag.net/seminars * THERE IS SUCH A THING AS A FREE LUNCH! Do you subscribe to Windows 2000 Magazine? Plan to attend N+I in Las Vegas this May? We're seeking readers for a focus group at N+I. Participants get $100 and a free lunch. If you're interested, email kcollinsat_private Include your name, job title, and phone number. 4. ========== SECURITY ROUNDUP ========== * NEWS: FORTRESS STRENGTHENS WIRED EQUIVALENT PRIVACY To strengthen known weaknesses in the Wired Equivalent Privacy (WEP) protocol used in the 802.11b wireless network standard, Fortress Technologies has released a new Layer 2 protocol called Wireless Link Layer Security (wLLS). The new protocol provides secure frame and packet transmissions by automating crucial security operations, including encryption, authentication, data integrity-checking, key exchange, and data compression. Fortress based wLLS on techniques the company uses in its patented Secure Packet Shield (SPS) technology. http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=20706 * FEATURE: EXCHANGE SERVER ANTIVIRUS SCANNERS In the past, maintaining a regular virus-scanning regimen on your network was sufficient to prevent, or at least contain, viruses because viruses typically spread through disks. Today, however, email is the primary communication tool in many work environments. Users create, send, and receive countless email messages and attached files every day. Because most viruses now spread through email, ensuring that your networks remain virus-free is difficult. What is an overworked network administrator to do? One solution is to install a server-side virus scanner. Read all about it in Jonathan Chau's latest article on our Web site. http://www.win2000mag.com/Articles/Index.cfm?ArticleID=20394 * REVIEW: WINWHATWHERE INVESTIGATOR 3.0 Rodney Landrum admits he's looked through Web logs to see which users on his company's network visit illicit Web sites and which spend hours surfing instead of working. As a network administrator, Rodney has also used data-packet-capture tools for troubleshooting. However, some administrators might find more detailed user-activity reports desirable, especially if they suspect illegal conduct on the business's computer systems. WinWhatWhere's WinWhatWhere Investigator 3.0 is more than a Web log. The product captures data from Windows 2000, Windows NT, Windows Me, and Windows 9x machines. Learn all about the application in Rodney's latest review on our Web site. http://www.win2000mag.com/Articles/Index.cfm?ArticleID=20390 5. ========== NEW AND IMPROVED ========== (contributed by Judy Drennen, productsat_private) * ADVANCED SECURITY SOFTWARE FOR PALM OS Asynchrony released PDABomb, a security application that locks Palm OS-based handheld devices and provides powerful, customizable, and flexible encryption of personal data. The application disables data transfer mechanisms such as HotSync and IrDa so that no one can retrieve information without the correct password. After a certain number of incorrect password attempts, the user can opt to set off the "bomb," which erases all data and applications from the device. The user can then restore the data by syncing the device with a backup maintained on the user's computer. Go to http://www.pdabomb.com for more information about PDABomb. http://www.asynchrony.com * PERSONAL FIREWALL PROTECTS PCS BEFORE WINDOWS LAUNCHES Tiny Software announced Tiny Personal Firewall, a personal firewall positioned between the network interface adapter and the OS so that the PC is protected in the initial seconds of booting. This setup eliminates the possibility of hackers intruding with Trojan horses during this crucial and vulnerable stage. Tiny Personal Firewall offers many firewall features and is compatible with Windows 2000, Windows NT, Windows Me, and Windows 9x. The application is free for personal use, and pricing starts at $39 for business use. Bulk license rates are also available. For more information, go to the Tiny Software Web site. http://www.tinysoftware.com * INTERNET CONTENT SECURITY SOLUTION Aladdin Knowledge Systems released eSafe Gateway 3.01, an Internet content security solution that provides simple installation and fast content inspection using new NitroInspection Plug & Play (PnP) technology. IT managers plug eSafe Gateway 3.01 behind the firewall using a crossed network cable, and installation is complete. eSafe Gateway 3.01 provides immediate content inspection and verifies on-the-fly the content-type of the data transferred via HTTP. The application pushes through the graphics/audio/video content that doesn't contain malicious code, while inspecting other potentially malicious content such as HTML, ActiveX, Java, viruses, and vandals. For more information, go to the Aladdin Web site. http://www.ealaddin.com 6. ========== SECURITY TOOLKIT ========== * BOOK HIGHLIGHT: PKI: IMPLEMENTING AND MANAGING E-SECURITY By Andrew Nash, Bill Duane, and Derek Brink Fatbrain Online Price: $49.99 Softcover; 513 pages Published by McGraw-Hill Professional Book Group, May 2001 ISBN 0072131233 Have you installed adequate security to protect your network from hackers? Written by RSA Security experts, "PKI: Implementing and Managing E-security" provides you with the tools to prevent access to your data and to secure any electronic transactions. This book explores public key infrastructure (PKI) basics, PKIX model, X509, trust models, privilege management, and biometrics. For more information or to purchase this book, go to the Windows 2000 Magazine Bookstore and click UPDATE Highlights under Highlighted Titles. http://www1.fatbrain.com/store.cl?p=win2000mag&s=97772 Or go to http://www1.fatbrain.com/asp/bookinfo/bookinfo.asp?theisbn=0072131233 and enter WIN2000MAG as the discount code when you order the book. * VIRUS ALERT: W32/MATCHER Panda Software and the Windows 2000 Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security. http://www.windowsitsecurity.com/panda W32/Matcher W32/Matcher is a worm designed to propagate through email. The worm is written in Visual Basic (VB) and is 28KB. W32/Matcher requires the Msvbvm60.dll Visual Basic Dynamic Library to work properly. The worm reaches systems in the form of an email message with a subject of "Matcher" and a message body that reads, "Want to find your love mates!!! Try this its cool... Looks and Attitude matching to opposite sex." The worm carries a file attachment called Matcher.exe that infects the user's system. To learn all about Matcher, be sure to visit our Center for Virus Control. http://63.88.172.96/Panda/Index.cfm?FuseAction=Virus&VirusID=1084 * FAQ: I'VE UPGRADED TO WINDOWS 2000 SERVER WITH SERVICE PACK 1 (SP1) SLIPSTREAMED. WHY DOESN'T THE REGISTRY SHOW THAT SP1 IS INSTALLED? ( contributed by John Savill, http://www.windows2000faq.com ) Slipstreaming, which lets you integrate a service pack's content into a setup area for the OS, is a great addition to Win2K. However, a known problem exists: The system doesn't update the registry key that indicates that SP1 is installed. This is a minor issue, and you can resolve it by performing the following steps: 1. Start regedit.exe. 2. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion. 3. From the Edit menu, select New, String value. 4. Enter a name of CSDVersion, and click Enter. 5. Double-click the value and set it to Service Pack 1. Click OK. 6. Close regedit. You can also download and run the servicepack1.reg script, located on our Window NT/2000 FAQ site. http://www.windows2000faq.com/Articles/Index.cfm?ArticleID=20686 * SOHO SECURITY: USING PGP TO SECURE YOUR SOHO EMAIL Small office/home office (SOHO) users often need to send and receive private email. Although SOHOs don't have the resources that are available to larger organizations to maintain email security and integrity, SOHOs still might need to use cryptography for protection. Learn how to use Pretty Good Privacy (PGP) to keep your email communication more secure in Jonathan Hassel's latest article on our Web site. http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=20696 * NEW POLL: WHICH ADMINISTRATIVE SCRIPTING LANGUAGE DO YOU USE MOST OFTEN? Which scripting language do you use most often to perform administrative tasks? Visit our Web site and take our latest poll. We'll use your answers to learn which types of scripting languages we should cover in detail in our publications. http://www.windowsitsecurity.com 7. ========== HOT THREADS ========== * WINDOWS 2000 MAGAZINE ONLINE FORUMS The following text is from a recent threaded discussion on the Windows 2000 Magazine online forums. http://www.win2000mag.net/forums April 07, 2001, 07:29 A.M. Problem Sending Mail from MS-Outlook Express (Client Side) (Five messages in this thread) I have MS-Proxy Server 2.0 on my Windows NT 4.0 (SP4) machine. I am using Windows 98 and Windows 95 on the client side. I am using MS-Outlook Express 5.0 on the client machine. I can receive email, but I cannot send mail with Outlook Express. An error generates... "The message could not be sent because one of the recipients was rejected by the server. The rejected e-mail address was 'aamir_riaz999at_private'. Subject 'Test Mail', Account: 'Aamir', Server: 'fsg6.fascom.com', Protocol: SMTP, Server Response: '550 not local host yahoo.com, not a gateway', Port: 25, Secure(SSL): No, Server Error: 550, Error Number: 0x800CCC79" I am using MS-Proxy Client on the client machine. If you know how to handle this problem, please reply as soon as possible. Thread continues at http://www.win2000mag.net/Forums/Application/Thread.cfm?CFApp=64&Thread_ID=63879&mc=5 * HOWTO MAILING LIST Each week we offer a quick recap of some of the highlights from the HowTo for Security mailing list. The following threads are in the spotlight this week. 1. Preventing Exchange 5.5 Server from Being Used to Relay Spam (Four messages in this thread) My service provider has informed me that they suspect someone is using my company's Exchange server to relay SPAM. But other than that they offered me no advice as to how to prevent this or even how to track it. I have routing turned on in the IMS because I need to support a number of Sales People who are on the road, and I am providing OWA as well. The mail server itself is sitting behind a firewall, but since it needs to have ports open for sending and receiving SMTP, POP3, and IMAP traffic, I'm not sure how much protection it has from intruders. Does anyone have any advice on what I can do to prevent non-company personnel from using the Exchange server and still support POP3 for my remote users? http://63.88.172.96/go/page_listserv.asp?A2=IND0104C&L=HOWTO&P=919 2. Reduce Domain Administrators (Two messages in this thread) Our security department is tasked with resolving a common problem in many large organizations--how to reduce the number of Domain Admin accounts in a cost-effective way. We need a tool or solution that enables us to delegate user rights with a moderate-to-high level of granularity. We've looked at software solutions ranging from UsermanagemeNT to Aelita Enterprise Delegation Manager. None strike an acceptable balance between granularity of control and pricing. Can anyone offer a "How to" or mention how their organization reduced their number of Domain Administrator accounts? http://63.88.172.96/go/page_listserv.asp?A2=IND0104C&L=HOWTO&P=296 Follow this link to read all threads for April, Week 3: http://63.88.172.96/go/page_listserv.asp?A1=ind0104C&L=howto 8. ============ CONTACT US ============ Here's how to reach us with your comments and questions. * COMMENTS ABOUT THE COMMENTARY? Email Mark Joseph Edwards at markat_private * COMMENTS ABOUT THE NEWSLETTER IN GENERAL? Email Managing Editor Trish Faubion at tfaubionat_private Please mention the name of the newsletter in the subject line or body. * TECHNICAL QUESTIONS? Please post your technical questions to the discussion area. http://www.win2000mag.net/forums * PRODUCT NEWS? Email press releases to productsat_private * QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Email Customer Support at securityupdateat_private * WANT TO SPONSOR SECURITY UPDATE? Email emedia_oppsat_private ******************** This Security UPDATE is brought to you by Windows 2000 Magazine, the leading publication for Windows 2000/NT professionals who want to learn more and perform better. Subscribe today. http://www.win2000mag.com/sub.cfm?code=00inxupb |-+-|-+-|-+-|-+-|-+-|-+-| Windows 2000 Magazine Security UPDATE Staff News Editor - Mark Joseph Edwards (mjeat_private) Editor - Gayle Rodcay (gayleat_private) New and Improved - Judy Drennen (productsat_private) Copy Editor - Judy Drennen (jdrennenat_private) |-+-|-+-|-+-|-+-|-+-|-+-| ========== GET UPDATED! ========== Receive the latest information about the Windows 2000 and Windows NT topics of your choice, including Win2K Pro, Exchange Server, training and certification, SQL Server, IIS administration, .NET development, application service provision, .NET, wireless and mobile devices, and more. Visit our Web site to subscribe to our other FREE email newsletters. http://www.win2000mag.com/sub.cfm?code=up00inxwnf |-+-|-+-|-+-|-+-|-+-|-+-|- Thank you for reading Security UPDATE. ISN is hosted by SecurityFocus.com --- To unsubscribe email LISTSERVat_private with a message body of "SIGNOFF ISN".
This archive was generated by hypermail 2b30 : Thu Apr 26 2001 - 02:16:15 PDT