********************
Windows 2000 Magazine Security UPDATE--brought to you by the Windows 2000 Magazine Network
**Watching the Watchers**
http://www.win2000mag.net/Channels/Security
********************

>>>> SPONSOR: BINDVIEW CORPORATION <<<<
Security is the key issue in today's interconnected world and BindView is right on top of it with a new, highly informative eBook, The Definitive Guide to Windows 2000 Security. This eBook covers all the bases of a comprehensive security methodology for your Microsoft Windows 2000 environment. It's heavy into the detail of what goes into a great IT security system, and is specifically geared for Windows 2000 platforms. Written by Paul Cooke, an Information Security professional with more than 10 years' experience developing and deploying security solutions, the tips, tricks, and info packed into this volume are priceless! Get it FREE at
http://www.bindview.com/ebook

~~~~~~~~~~~~~~~~~~~~

May 16, 2001--In this issue:

1. IN FOCUS
   - Three Great Security Tools

2. SECURITY RISKS
   - IIS Might Allow Remote Command Execution
   - DoS in Windows 2000 Kerberos Service
   - DoS in WFTPD FTP Server
   - Crush FTP Relative Path Vulnerability

3. ANNOUNCEMENTS
   - Microsoft TechEd 2001 Europe, Barcelona, Spain
   - IIS Administrator Newsletter--Help Is on the Way

4. SECURITY ROUNDUP
   - News: Fast-Spreading Homepage Worm Directs Readers to View Porn
   - News: Microsoft Sites Suffer Defacement
   - News: New Worm Causes Solaris to Attack Windows
   - Review: Good Migrations
   - Review: UserManagemeNT 5.3 Professional and Import

5. HOT RELEASES (ADVERTISEMENTS)
   - CyberwallPLUS Firewalls for NT/2000 Servers
   - The Most Important EVENT in Your Network!

6. SECURITY TOOLKIT
   - Book Highlight: Cryptography in C and C++
   - Virus Center
     Virus Alert: Homepage.A
   - FAQ: Do You Know an Easy Way to Determine Which User Is Logged on to the Computer and Which Domain Controls the Computer?
   - Windows 2000 Security: Internet Explorer Security Options, Part 4

7. NEW AND IMPROVED
   - New Management Platform for Large Security Deployments
   - Fight Web Site Attacks
   - Proactive Security Solution

8. HOT THREADS
   - Windows 2000 Magazine Online Forums: Changing the System Time
   - HowTo Mailing List: Legal Notice Text

9. CONTACT US
   See this section for a list of ways to contact us.

>>>> THIS ISSUE SPONSORED BY <<<<
BindView Corporation
http://www.bindview.com/ebook

~~~~~~~~~~~~~~~~~~~~

1. ==== COMMENTARY ====

Hello everyone,

Microsoft released another security bulletin (MS01-026) this week about serious vulnerabilities in IIS. One problem lets a remote intruder run commands on the server; two other problems affect the FTP service, where intruders can cause Denial of Service (DoS) attacks or find valid user accounts across internal and trusted domains. Don't take these problems lightly; make sure you load the patch, which is linked in our report under Security Risks. This IIS patch is a cumulative patch that contains all previous IIS patches, so after you load it you don't have to load the previous patches.

I point out this latest bulletin from Microsoft because I know about a new IIS add-on that prevents these and other types of problems whether or not you've patched your systems. eEye Digital Security developed the tool, called SecureIIS, and released it only 4 weeks ago. SecureIIS is an application firewall module that filters all inbound and outbound Web traffic, looking for traffic patterns that might indicate an attack is underway. SecureIIS loads itself into the same memory space as IIS so, according to eEye, the product can examine Secure Sockets Layer (SSL) traffic without affecting server performance. When I first heard about SecureIIS, I wondered what it offered for detecting and preventing unknown attacks. Soon after, I found out how effective the product can be.
On May 1, Microsoft released bulletin MS01-023 regarding a serious vulnerability (discovered by eEye) in the IIS .printer extension that lets remote intruders run code of their choice under the security context of the System account by exploiting an unchecked buffer. As it turns out, SecureIIS can detect erroneous buffer overflow exploits and stop them cold. So users of SecureIIS didn't experience the problems reported in Microsoft's bulletin. The same holds true for the directory traversal and parsing error condition mentioned in Microsoft's latest IIS bulletin--SecureIIS users remain unaffected because the plug-in generically stops directory traversal attacks, parsing attacks, buffer overflow attacks, and more. Be sure to check it out.
http://www.eeye.com/html/Products/SecureIIS/index.html

Are you interested in biometric security? Another slick tool I've used for the past month is Identix's BioLogon. BioLogon is a fingerprint logon mechanism for Windows 2000, Windows NT, and Windows 9x systems that eliminates the need for passwords. The unit I have came as a PC card finger scanner, which I slipped into a laptop running Win2K. The product integrates into the Windows security subsystem, and you can configure it in a variety of ways, including fingerprint-only logons, where passwords aren't allowed--no matter how the system is booted, a person can't log on without the correct fingerprint. When combined with disk encryption, BioLogon offers strong security, especially for mobile users who are more susceptible to stolen or lost computer equipment. You can use BioLogon as standalone security for one system, or you can integrate the tool across a network with Identix's BioServer software. If you're looking for fingerprint-based security technology, give BioLogon a close look.
http://www.identix.com/itsecurity/products/biologonclient.html

The third security product I've been playing with is an intrusion-detection system (IDS) called Snort, which is provided free to everyone under the GNU General Public License scheme (as published by the Free Software Foundation). Snort was originally designed by Martin Roesch to run on UNIX systems; however, Michael Davis has graciously ported Snort to the Win32 platform, so now it runs on Windows.

Like other IDS systems, Snort works by comparing network traffic to a database of known attack types and traffic patterns. Snort is very flexible; users can write their own rules using fairly simple syntax, or they can download any of several predefined attack signature databases (called rules) for use within the product. The ability to define your own attack signatures means that you don't have to wait for your IDS vendor to produce them for you; you can protect yourself as soon as you discover a new risk by writing your own rules. No IDS can detect attack types it doesn't know about, so the rules are crucial. And because Snort is freeware (and open source at that), the tool has a tremendous amount of community support, and as a result, new rules are created about as fast as hackers and crackers discover new exploits. So in most cases, instead of writing your own rules, you can simply go to a site that maintains Snort rules and quickly download any new rules. For example, Whitehats.com maintains a list of rules called Vision that add to Snort's detection capabilities, so if you use Snort, consider loading the Vision rules along with any others you find useful.

Developers have created many Snort add-ons that make the tool easier to use. Snort is command-line-based, so remembering the command switches is cumbersome. Snort users realized this and created Windows-based GUIs for Snort. The GUIs help automate command-line switch configurations through the use of simple dialogs.
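The column says Snort rules use "fairly simple syntax" and are compared against traffic. The following is an added example, not part of the newsletter and not Snort's own code: a Python matcher for a small subset of Snort's rule syntax (one address or "any" per field, and only the msg, content, nocase and sid options), run over constructed packet records. The rules, addresses and payloads are made up for the demonstration; real Snort supports CIDR blocks, port ranges, variables and many more options than this toy parses.

```python
"""Toy matcher for a small subset of Snort rule syntax (added example, not Snort code).

Supported rule shape:
    action proto src_ip src_port -> dst_ip dst_port (msg:"..."; content:"..."; nocase; sid:N;)
Addresses and ports are either 'any' or one literal value; '<>' makes the header bidirectional.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

RULE_RE = re.compile(
    r"^(?P<action>alert|log|pass)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<direction>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    msg: str = ""
    content: Optional[bytes] = None
    nocase: bool = False
    sid: Optional[int] = None


@dataclass
class Packet:
    """Minimal decoded packet record (constructed for the example, not read from WinPcap)."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def decode_content(value: str) -> bytes:
    """Snort content strings mix literal text with |hex bytes| sections, e.g. "..|2F|" -> b"../"."""
    out = bytearray()
    for i, part in enumerate(value.split("|")):
        out += part.encode("latin-1") if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)


def parse_rule(text: str) -> Rule:
    """Parse one rule line into a Rule; raises ValueError on anything outside the subset."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable rule: {text!r}")
    rule = Rule(**{k: m.group(k) for k in ("action", "proto", "src", "sport", "direction", "dst", "dport")})
    # Options are ';'-separated; this toy does not handle a ';' inside a quoted msg.
    for opt in m.group("opts").split(";"):
        opt = opt.strip()
        if not opt:
            continue
        name, _, value = opt.partition(":")
        value = value.strip().strip('"')
        if name == "msg":
            rule.msg = value
        elif name == "content":
            rule.content = decode_content(value)
        elif name == "nocase":
            rule.nocase = True
        elif name == "sid":
            rule.sid = int(value)
        else:
            raise ValueError(f"unsupported option {name!r} in rule {text!r}")
    return rule


def _field_ok(pattern: str, value) -> bool:
    return pattern == "any" or pattern == str(value)


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when the packet header (either direction for '<>') and payload satisfy the rule."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    forward = (_field_ok(rule.src, pkt.src) and _field_ok(rule.sport, pkt.sport)
               and _field_ok(rule.dst, pkt.dst) and _field_ok(rule.dport, pkt.dport))
    reverse = rule.direction == "<>" and (
        _field_ok(rule.src, pkt.dst) and _field_ok(rule.sport, pkt.dport)
        and _field_ok(rule.dst, pkt.src) and _field_ok(rule.dport, pkt.sport))
    if not (forward or reverse):
        return False
    if rule.content is not None:
        hay, needle = pkt.payload, rule.content
        if rule.nocase:
            hay, needle = hay.lower(), needle.lower()
        if needle not in hay:
            return False
    return True


def run_rules(rules: List[Rule], packets: List[Packet]) -> List[Tuple[Optional[int], str]]:
    """Return (sid, msg) for every alert rule that fires, in packet order then rule order."""
    return [(r.sid, r.msg) for pkt in packets for r in rules if r.action == "alert" and matches(r, pkt)]


# Constructed rules in the spirit of the community rule sets the column mentions.
RULES_TEXT = [
    'alert tcp any any -> any 80 (msg:"WEB-IIS cmd.exe access"; content:"cmd.exe"; nocase; sid:1002;)',
    'alert tcp any any -> any 80 (msg:"WEB-MISC ../ directory traversal"; content:"..|2F|"; sid:1001;)',
    'alert udp any any -> any 53 (msg:"DNS query to resolver"; sid:1003;)',
]

# Constructed traffic: one traversal attempt, one ordinary page request, one DNS query.
PACKETS = [
    Packet("tcp", "198.51.100.7", 4321, "192.0.2.10", 80, b"GET /scripts/../../CMD.EXE HTTP/1.0\r\n"),
    Packet("tcp", "198.51.100.7", 4322, "192.0.2.10", 80, b"GET /index.html HTTP/1.0\r\n"),
    Packet("udp", "198.51.100.7", 5353, "192.0.2.53", 53, b"\x12\x34\x01\x00\x00\x01\x00\x00"),
]

if __name__ == "__main__":
    for sid, msg in run_rules([parse_rule(r) for r in RULES_TEXT], PACKETS):
        print(f"[{sid}] {msg}")
```

The first packet trips both Web rules (the nocase option is what lets "cmd.exe" match the upper-case payload), the second trips nothing, and the DNS rule shows a rule with no content option matching on header fields alone. The point the column makes carries over: a signature engine only fires on patterns it has been given, so the quality and freshness of the rule set decides what gets detected.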
Other add-ons include log analyzers that help make sense of Snort logs. Logs can be written in Snort's native ASCII log format or to a familiar TCPDump-style binary format. In addition, Snort can send its output to a POSIX-compliant syslog daemon (which typically runs on UNIX systems), to the Win2K/NT Event Log, or to a SQL database--all of which help you take advantage of existing technology infrastructures.

Setting up Snort takes a little work, but its setup isn't beyond the capability of any network administrator who understands basic networking concepts. The real work comes from the need to download Snort along with other required components that might not be present on your system (e.g., WinPcap, which provides the packet driver--DLL file--that the Win32 version of Snort uses). I installed Snort, a GUI-based configuration tool, and a log analyzer/alerter in less than an hour. I installed the software on a honey pot I leave running on my network as bait, and in the first 3 days, it caught crackers' port scans as well as their attempts to break into the honey pot's Web service, mail server, and DNS server. I suppose it's no coincidence that two of those three crack attempts originated from networks in China! (See last week's column, "Cyberwar: Deadly Battleground or Hype Beyond Compare?")
http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=21030

Snort is easy to use, good at detecting attacks, runs on a variety of OSs, and comes with a plethora of snap-ins and add-ons that further extend its abilities. If you thought you couldn't afford a good IDS system for your network, Snort is just what you need--and it's free! You can thank the open-source community for that fact. You can get Snort and the required WinPcap packet driver at the following URLs:
http://www.snort.org
http://netgroup-serv.polito.it/winpcap

Until next time, have a great week.

Sincerely,
Mark Joseph Edwards, News Editor (markat_private)

2. ==== SECURITY RISKS ====
(contributed by Ken Pfeil, kenat_private)

* IIS MIGHT ALLOW REMOTE COMMAND EXECUTION
Three vulnerabilities were recently discovered in Microsoft's IIS 4.0 and 5.0 that can lead to a Denial of Service (DoS), remote code execution, and information disclosure. The DoS vulnerability is in the function that processes wild-card service requests for the FTP service. The remote code execution vulnerability lets a potential attacker run scripts on the server by using the security context of IUSR_machinename, which by default appears in the Everyone group. The information disclosure vulnerability lets an attacker find guest accounts that FTP inadvertently exposed. Microsoft has acknowledged these vulnerabilities and recommends that users immediately apply the patch contained in Security Bulletin MS01-026.
http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=21101

* DOS IN WINDOWS 2000 KERBEROS SERVICE
Defcom Labs discovered that a Denial of Service (DoS) condition in the Windows 2000 Kerberos and Kerberos password services can let an intruder disrupt those services on a network. Microsoft has released an FAQ and a patch to remedy this vulnerability.
http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=21043

* DOS IN WFTPD FTP SERVER
Joe Testa discovered a Denial of Service (DoS) condition in Texis Imperial Software's WFTPD program. If a potential attacker connects to the FTP server and issues a change directory (CD) command targeted at the 3.5" drive of the FTP server, the server processes this request. The vendor will correct the problem in version 3.1. A workaround is to disable the drive in the FTP server's BIOS.
http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=21003

* CRUSH FTP RELATIVE PATH VULNERABILITY
Joe Testa discovered that a vulnerability in CrushFTP lets an attacker break out of the FTP root. For example, by connecting to a vulnerable host and issuing the change directory (CD) command, an attacker can access the root directory where the FTP server is running. An attacker can also download files outside of the FTP root by using relative paths. Version 2.17 is now available and isn't vulnerable to this problem.
http://www.windowsitsecurity.com/articles/index.cfm?articleID=21007

3. ==== ANNOUNCEMENTS ====

* MICROSOFT TECHED 2001 EUROPE, BARCELONA, SPAIN
July 3 through 6, join 7000 IT professionals and developers at the premier technical education event for solutions built on the Microsoft platform. If you're designing and building leading-edge solutions for today's business needs, then Microsoft TechEd 2001 Europe is for you. Book before May 18 for a EUR300 discount. For full details and to register, visit the following site:
http://www.microsoft.com/europe/teched/home.asp

* IIS ADMINISTRATOR NEWSLETTER--HELP IS ON THE WAY
Do you wish you had a reliable resource to turn to when your Web server is down and you're out of answers? Subscribe to IIS Administrator, a monthly print newsletter, and start getting the tools, solutions, and advice you need to effectively manage your Web site with IIS.
http://www.iisadministrator.com/sub.cfm?code=niei241e1a

4. ==== SECURITY ROUNDUP ====

* NEWS: FAST-SPREADING HOMEPAGE WORM DIRECTS READERS TO VIEW PORN
A new worm, nicknamed Homepage, is spreading fast across the Internet. The Homepage worm spreads by sending a copy of itself to all addresses in the recipients' Outlook address book. The message subject reads "Homepage," and the message body contains the sentence "You've got to see this page! It's really cool ;O)". An attachment to the message (homepage.html.vbs) contains a Visual Basic (VB) script that opens one of four randomly selected pornographic Web sites.
http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=21033

* NEWS: MICROSOFT SITES SUFFER DEFACEMENT
Microsoft suffered another Web site defacement last week--this time at streamer.microsoft.com. A group calling itself Prime Suspectz replaced the site's home page with a message that read, "Microsoft Owned. Where is the security?" The same group claimed responsibility for defacing the Microsoft Mexico, Saudi Arabia, and UK sites 2 weeks ago.
http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=21022

* NEWS: NEW WORM CAUSES SOLARIS TO ATTACK WINDOWS
The Computer Emergency Response Team (CERT) issued an advisory today detailing a new worm that causes a Sun Microsystems Solaris system to attack a Windows system. The worm exploits a vulnerability under Solaris to install a worm that attempts to seek out and attack IIS-based systems. According to the advisory, the problem stems from a 2-year-old buffer overflow condition in the Solstice sadmind program and a 7-month-old directory traversal vulnerability common to unpatched IIS 4.0 and 5.0 systems.
http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=21023

* REVIEW: GOOD MIGRATIONS
Computers have personalities, in the form of user-customized network, desktop, and application settings. Recreating a computer's personality on a new or upgraded machine can be time-consuming, especially when you need to repeat the task for multiple computers. The ability to migrate, rather than recreate, a computer's personality can save significant time and resources. Miramar Systems' Desktop DNA 2.5, Altiris's PC Transplant Pro 2.1 beta, and Tranxition's Personality Tranxport Professional (PT Pro) 2.0 give you this ability. You can save users' personalized settings, set up new computers or upgrade existing computers, then reapply the saved settings. The new or upgraded computers look familiar to users, who can immediately find printers, mapped network shares, and shortcuts. Learn all about these products in Joshua Orrison's Lab Comparative on our Web site!
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=20393

* REVIEW: USERMANAGEMENT 5.3 PROFESSIONAL AND IMPORT
Windows 2000 and Windows NT include easy-to-use graphical functions to help you create, modify, and delete user accounts. However, both products lack the flexibility to manage large numbers of users. Tools4ever's UserManagemeNT 5.3 product suite includes powerful enterprise-class Win2K/NT utilities that let you manage user-account and user-resource creation, movement, and deletion from within any configured domain. To learn about UserManagemeNT 5.3, be sure to read Marty Scher's Lab Review on our Web site.
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=20392

5. ==== HOT RELEASES (ADVERTISEMENTS) ====

* CYBERWALLPLUS FIREWALLS FOR NT/2000 SERVERS
CyberwallPLUS uses stateful packet inspection and fine-grain network access control to bring full feature firewall security to NT/2000 servers operating in "electronically open" networks - and it includes active intrusion detection to further protect servers. Free 30-day evaluation.
http://www.network-1.com/support/download.html

* THE MOST IMPORTANT EVENT IN YOUR NETWORK!
Aelita EventAdmin gives you control over your Windows NT/2000 network. It analyzes, reports and alerts on event data collected from all your distributed systems. Aelita EventAdmin . . . We Analyze, We Report, We Secure.
http://www.aelita.com/516securityupdate

6. ==== SECURITY TOOLKIT ====

* BOOK HIGHLIGHT: CRYPTOGRAPHY IN C AND C++
By Michael Welschenbach
List Price: $49.95
Fatbrain Online Price: $39.96
Softcover; 380 pages plus CD-ROM
Published by Apress, February 2001
ISBN 189311595X
For more information or to purchase this book, go to
http://www1.fatbrain.com/asp/bookinfo/bookinfo.asp?theisbn=189311595X
and enter WIN2000MAG as the discount code when you order the book.
* VIRUS CENTER
Panda Software and the Windows 2000 Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security.
http://www.windowsitsecurity.com/panda

- VIRUS ALERT: HOMEPAGE.A
The Homepage.A Internet worm was created using a VBS worm generator and is similar to the February 2001 Anna Kournikova worm. It spreads via Microsoft Outlook by sending itself as an email attachment to all addresses in the infected user's address book. Then the worm tries to randomly open one of four pornographic Web sites using the default Web browser. For complete technical details about this and other viruses, be sure to visit our Center for Virus Control.
http://63.88.172.96/Panda/Index.cfm?FuseAction=Virus&VirusID=1092

* FAQ: DO YOU KNOW AN EASY WAY TO DETERMINE WHICH USER IS LOGGED ON TO THE COMPUTER AND WHICH DOMAIN CONTROLS THE COMPUTER?
( Bob Chronister, http://www.windows2000faq.com )
In this case it's time to forget Windows NT 4.0's GUI and go to the command line. Bob Chronister knows some wonderful and easy commands that can solve your problem. Bob prefers the "Net Config Workstation" command, which tells you about the workstation's configuration. For example, Figure 1 at the URL below shows information about the notebook on which Bob wrote this FAQ. Various command-line utilities are available to help you find information or set up a network.
http://www.windows2000faq.com/Articles/Index.cfm?ArticleID=20758

* WINDOWS 2000 SECURITY: INTERNET EXPLORER SECURITY OPTIONS, PART 4
In Part 1 and Part 2, Randy Franklin Smith described security zones and settings in Microsoft Internet Explorer (IE) 5.0. In Part 3, Randy showed you the IE security settings that control cookies and file downloads. In Part 4, Randy shows you how to securely set IE's Java permissions and describes some of the settings under the Miscellaneous group of security settings.
Be sure to read the article on our Web site.
http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=21026

7. ==== NEW AND IMPROVED ====
(contributed by Judy Drennen, productsat_private)

* NEW MANAGEMENT PLATFORM FOR LARGE SECURITY DEPLOYMENTS
NetScreen Technologies announced NetScreen-Global PRO, a strategy to simplify deployment and management of security technology for enterprises and service providers. NetScreen-Global PRO is a scalable security management platform that lets customers provide and control NetScreen's line of security systems and appliances that integrate firewall and VPN capabilities. For more information, contact NetScreen through its Web site.
http://www.netscreen.com

* FIGHT WEB SITE ATTACKS
Tripwire released Tripwire for Web Pages, a solution that detects unauthorized modifications to Web site content, prevents the delivery of modified pages, and instantly alerts the system administrator. Tripwire for Web Pages determines whether an intruder has altered a Web page by comparing the date and the digital signature of the current Web page to that of the "known good" authorized file saved in the database. Tripwire for Web Pages is available immediately for an introductory price of $1095 in North America. For more information about Tripwire, go to the Web site.
http://www.tripwire.com

* PROACTIVE SECURITY SOLUTION
OKENA released StormWatch, a security solution that improves network uptime by protecting against both file and network attacks that originate externally or from inside the security perimeter. At the heart of OKENA StormWatch lies the Rules Engine, which lets OKENA security experts implement behavioral rules, "out of the box," to enforce behavior for IIS Web servers, Microsoft SQL Server databases, Microsoft Office desktops, and more. These rules recognize any irregular behavior within the network or host and immediately stop that activity and prevent further intrusion into the enterprise. The OKENA StormWatch starter pack costs $8995. For more information, contact OKENA at 781-209-3200.
http://www.okena.com

8. ==== HOT THREADS ====

* WINDOWS 2000 MAGAZINE ONLINE FORUMS
http://www.win2000mag.net/forums
Featured Thread: Changing the System Time
(Seven messages in this thread)
Andy Clark is having trouble giving users the ability to change the time on their systems. Visit the following URL to read other responses or lend a hand.
http://www.win2000mag.net/forums/rd.cfm?app=64&id=66697

* HOWTO MAILING LIST
http://www.windowsitsecurity.com/go/page_listserv.asp?s=HowTo
Featured Thread: Legal Notice Text
(Three messages in this thread)
This reader is having problems getting a standard DOD warning banner to fully display using group policies. The last few words are truncated; however, the user can press the down arrow to display the rest of the message. Read other responses or lend a hand at the following URL.
http://63.88.172.96/go/page_listserv.asp?A2=IND0105A&L=HOWTO&P=79

9. ==== CONTACT US ====
Here's how to reach us with your comments and questions:

* ABOUT THE COMMENTARY -- markat_private
* ABOUT THE NEWSLETTER IN GENERAL -- tfaubionat_private; please mention the newsletter name in the subject line.
* TECHNICAL QUESTIONS -- http://www.win2000mag.net/forums
* PRODUCT NEWS -- productsat_private
* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? -- Email Customer Support at securityupdateat_private
* WANT TO SPONSOR Security UPDATE? -- Email emedia_oppsat_private

********************
This weekly email newsletter is brought to you by Windows 2000 Magazine, the leading publication for Windows 2000/NT professionals who want to learn more and perform better. Subscribe today.
http://www.win2000mag.com/sub.cfm?code=wswi201x1z

Receive the latest information about the Windows 2000 and Windows NT topics of your choice. Subscribe to our other FREE email newsletters.
http://www.win2000mag.net/email

|-+-+-+-+-+-+-+-+-+-|

Thank you for reading Security UPDATE.
SUBSCRIBE
To subscribe send a blank email to subscribe-Security_UPDATEat_private

If you have questions or problems with your UPDATE subscription, please contact securityupdateat_private

___________________________________________________________
Copyright 2001, Penton Media, Inc.

ISN is hosted by SecurityFocus.com
---
To unsubscribe email isn-unsubscribeat_private
This archive was generated by hypermail 2b30 : Thu May 17 2001 - 03:35:07 PDT