********************
Windows 2000 Magazine Security UPDATE--brought to you by the Windows 2000 Magazine Network
**Watching the Watchers**
http://www.win2000mag.net/Channels/Security
********************

~~~~ THIS ISSUE SPONSORED BY ~~~~
BindView Corporation
http://go.win2000mag.net/UM/T.asp?A2153.23115.1124.1.532985
~~~~~~~~~~~~~~~~~~~~

~~~~ SPONSOR: BINDVIEW CORPORATION ~~~~
Security is the key issue in today's interconnected world and BindView is right on top of it with a new, highly informative eBook, The Definitive Guide to Windows 2000 Security. This eBook covers all the bases of a comprehensive security methodology for your Microsoft Windows 2000 environment. It's heavy into the detail of what goes into a great IT security system, and is specifically geared for Windows 2000 platforms. Written by Paul Cooke, an Information Security professional with more than 10 years' experience developing and deploying security solutions, the tips, tricks, and info packed into this volume are priceless! Get it FREE at
http://go.win2000mag.net/UM/T.asp?A2153.23115.1124.1.532985
~~~~~~~~~~~~~~~~~~~~

June 13, 2001--In this issue:

1. IN FOCUS
 - New Tweaks and Tools

2. SECURITY RISKS
 - Script Execution Vulnerability in Microsoft Exchange OWA
 - Multiple Vulnerabilities in Microsoft Windows 2000 Telnet

3. ANNOUNCEMENTS
 - Tell Us about Your Connected Home!
 - The Black Hat Briefings: The Security Event the Experts Rave About

4. SECURITY ROUNDUP
 - News: Windows XP to Sport UNIX-like Raw Sockets
 - News: The AD Backup Bug: Monster in the Closet?
 - News: Citrix and Sierra Wireless Join Forces to Provide Wireless Access to Server-Based Applications
 - Review: IPSec and IKE: New VPN Standards

5. SECURITY TOOLKIT
 - Book Highlight: Configuring ISA Server 2000: Building Firewalls for Windows 2000
 - Virus Center: Worm Alert--Choke.A
 - FAQ: How Can I Uninstall Hidden Windows Components?
 - Windows 2000 Security: IE Security Options, Part 6
 - Event Highlight: Windows 2000 Magazine Live!

6. NEW AND IMPROVED
 - Defrag Your System
 - Biometric Authentication Sensor in New Keyboards

7. HOT THREADS
 - Windows 2000 Magazine Online Forums: Disable CD-ROM Eject
 - HowTo Mailing List: Suspicious Entry in My Web Server Log

8. CONTACT US
 See this section for a list of ways to contact us.

1. ==== COMMENTARY ====

Hello everyone,

Over the past week, I've learned about three Microsoft tools that help you install Microsoft hotfixes in a more streamlined fashion and tighten security on your dial-up networking clients. In addition, I've come across some interesting articles that you might want to read.

The tools are Qchain, the Windows 9x DUN 1.4 Upgrade, and Qfecheck. Qchain lets you install multiple hotfixes without having to reboot after each one. I found out about the tool while reading the June edition of Microsoft's "Ask Us About Security" column on its Web site. You can find the column at the first URL below. Qchain runs on Windows 2000 and Windows NT. To use Qchain, you first install each required hotfix (in proper sequence) with the -z command-line switch, which tells the installation program not to reboot the OS after installing the fix. Then run Qchain, which, according to article Q296861, "cleans the Pending File Rename Operations key in the registry to make sure that only the latest version of a file is installed after the computer is rebooted." You can learn more about Qchain and download a copy at the second URL below.
http://www.microsoft.com/technet/security/columns.asp
http://www.microsoft.com/technet/support/kb.asp?ID=296861

The DUN upgrade offers Windows 9x users support for 128-bit encryption with PPTP and also improves the stability of PPTP connections. According to Microsoft, "The DUN 1.4 release includes all of the features of all previous DUN releases, as well as those that are included in the Integrated Services Digital Network (ISDN) version 1.1 release."
In addition, DUN 1.4 has multilink support and support for internal ISDN adapters and connection-time scripting, which helps automate nonstandard connections. You can find the DUN 1.4 upgrade at the following URL:
http://support.microsoft.com/support/kb/articles/Q285/1/89.ASP

The third tool is Qfecheck, which inspects a system to ensure that hotfixes are installed correctly on Win2K systems. Hotfix information is stored in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates. Qfecheck reads information from that key and compares the information to files on the system to ensure those files are the proper versions. Qfecheck also ensures that the Windows File Protection (WFP) subsystem has the information it needs to protect those files from tampering. Learn more about Qfecheck, including where to download a copy, from Microsoft's article.
http://support.microsoft.com/support/kb/articles/Q282/7/84.ASP

While reading this month's "Ask Us About Security" column from Microsoft, I also learned that the company has begun producing no-reboot patches for Win2K--finally! Microsoft said it now analyzes each security patch it produces to determine whether a user can install it without a system reboot; the company will release those patches as no-reboot patches. The company also analyzed all of its former patches and found it could repackage only two (MS00-067 and MS00-099) as no-reboot patches using its current technology. So Microsoft is working on additional technology that will let it repackage as many as 25 percent of the currently available patches. That technology should also let the company create a greater percentage of no-reboot patches in the future. You can learn more about no-reboot patches on Microsoft's TechNet Web site.
http://www.microsoft.com/TechNet/security/noreboot.asp

Before I sign off this week, I want to point out that Windows 2000 Magazine senior contributing editor Sean Daily has discovered a potentially dangerous oddity with Active Directory (AD) backups. In certain instances, AD backups can become corrupt, and you know what happens when you restore corrupted data. You don't want to get bitten by this bug, so be sure to read about Sean's news article in the SECURITY ROUNDUP section of this newsletter. Until next time, have a great week.

Sincerely,
Mark Joseph Edwards, News Editor, markat_private

2. ==== SECURITY RISKS ====
(contributed by Ken Pfiel, kenat_private)

* SCRIPT EXECUTION VULNERABILITY IN MICROSOFT EXCHANGE OWA
Joao Gouveia discovered a flaw in the interaction between Microsoft Exchange Server Outlook Web Access (OWA) and Microsoft Internet Explorer (IE) for message attachments. If an attachment contains HTML code that includes script, the script will execute when the user opens the attachment, regardless of the attachment type. Microsoft has acknowledged this vulnerability and recommends that users immediately apply the patch mentioned in Security Bulletin MS01-030.
http://www.windowsitsecurity.com/articles/index.cfm?articleID=21379

* MULTIPLE VULNERABILITIES IN MICROSOFT WINDOWS 2000 TELNET
Seven different vulnerabilities exist in the version of Telnet that Microsoft ships with Windows 2000. Two of these vulnerabilities relate to the way that Telnet handles the sessions that a user creates, and escalate the user's privilege. Four of these vulnerabilities let an attacker create Denial of Service (DoS) attacks, and the seventh vulnerability involves information disclosure that lets an attacker enumerate Guest accounts exposed by using the Telnet server. Guardent, Peter Grundl, Richard Reiner, and BindView's Razor team discovered the problems.
Microsoft acknowledges these vulnerabilities and recommends that users immediately apply the patch mentioned in Security Bulletin MS01-031. For Windows 2000 Datacenter Server users, the patches are hardware specific, and users should contact the OEM.
http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=21380

3. ==== ANNOUNCEMENTS ====

* TELL US ABOUT YOUR CONNECTED HOME!
Does your computer technology savvy come in handy at home? We want to know how you use home networking, computer technology, and home automation technology for work and play. Take a few minutes to answer our online survey!
http://www.zoomerang.com/survey.zgi?EGPTKEMTH7BQRBT9YE8FN3X8

* THE BLACK HAT BRIEFINGS: THE SECURITY EVENT THE EXPERTS RAVE ABOUT
Register now for Black Hat Briefings, the world's premier technical event for IT and network security experts, July 11 and 12 in Las Vegas. New this year is a Tools of the Trade track. Join 1500+ security experts and underground security specialists at this truly unique conference with lots of Windows 2000 sessions.
http://www.blackhat.com

4. ==== SECURITY ROUNDUP ====

* NEWS: WINDOWS XP TO SPORT UNIX-LIKE RAW SOCKETS
Microsoft's new Windows XP OS will include UNIX-like raw sockets, expanding on its current OSs. Winsock 2 already offers some raw socket functionality; however, Windows XP's new functionality will allow source IP address spoofing. Currently, Winsock overwrites a packet's source IP address with the system's true IP address before sending that packet to its destination. Early versions of Windows let malicious users spoof IP addresses, but sometime during the evolution of Windows, Microsoft decided to remove such functionality. With the company's decision to reinstate the raw socket functionality in Windows XP, at least one person is complaining loudly.
http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=21358

* NEWS: THE AD BACKUP BUG: MONSTER IN THE CLOSET?
Making reliable backups is one of the most important tasks a network administrator faces daily. At a recent conference, Sean Daily came across some rather disturbing information--information that directly affects administrators who run Windows 2000 networks based on Active Directory (AD). An engineer for Aelita, an independent software vendor (ISV) that produces Win2K and Windows NT administration and migration tools, told Daily that roughly half of all AD backups resulted in corrupt backup copies. For the complete details visit the following URL.
http://www.wininformant.com/Articles/Index.cfm?ArticleID=21351

* NEWS: CITRIX AND SIERRA WIRELESS JOIN FORCES TO PROVIDE WIRELESS ACCESS TO SERVER-BASED APPLICATIONS
Citrix Systems and Sierra Wireless have established a strategic relationship to deliver business applications running on Citrix MetaFrame servers over wireless networks to virtually any client device. Key terms of the agreement include product-compatibility testing and joint marketing and sales initiatives, beginning with Citrix representation in the Sierra Wireless booth at this month's PC Expo. Citrix has joined the Sierra Wireless WirelessReady Alliance (WRA), and Sierra Wireless has become a premier-level member of the Citrix Business Alliance (CBA).
http://www.wininformant.com/Articles/Index.cfm?ArticleID=21346

* REVIEW: IPSEC AND IKE: NEW VPN STANDARDS
The IP Security (IPSec) and Internet Key Exchange (IKE) protocols are becoming standards in VPN communications. All but one of the products in this review--Computer Associates (CA) eTrust VPN 2.1--use IPSec for encapsulating sensitive IP communication. IPSec is taking its place as a universal standard among firewall and router manufacturers. The reasons for IPSec's growing popularity are its ability to work on many types of network devices and its strong data-protection features. IPSec is essentially a set of security protocols and algorithms that ensure data security on the network layer.
Learn all about it in Michael Norian's comparative review on the Windows 2000 Web site.
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=20070

5. ==== SECURITY TOOLKIT ====

* BOOK HIGHLIGHT: CONFIGURING ISA SERVER 2000: BUILDING FIREWALLS FOR WINDOWS 2000
By Tom Shinder
List Price: $49.95
Fatbrain Online Price: $39.96
Hardcover; 512 pages
Published by Syngress Publishing, April 2001
ISBN 1928994296

For more information or to purchase this book, go to
http://www1.fatbrain.com/asp/bookinfo/bookinfo.asp?theisbn=1928994296
and enter WIN2000MAG as the discount code when you order the book.

* VIRUS CENTER
Panda Software and the Windows 2000 Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security.
http://www.windowsitsecurity.com/panda

WORM ALERT: CHOKE.A
W32/Choke.A is an Internet worm written in Visual Basic (VB) 6.0 that uses the program MSN Messenger to propagate. If this application is not installed on your system, propagation isn't possible. The message body of this message contains the following text: "President bush shooter is game that allows you to shoot Bush balzz hahaha." For complete details on this worm, be sure to visit the Center for Virus Control
http://63.88.172.96/Panda/Index.cfm?FuseAction=Virus&VirusID=1102

* FAQ: HOW CAN I UNINSTALL HIDDEN WINDOWS COMPONENTS?
( contributed by Paul Robichaux, http://www.windows2000faq.com )

When you start the Add/Remove Programs Control Panel applet and select Add/Remove Windows components, the system doesn't display all of the components because Windows doesn't want some of them uninstalled. However, you can change which components the system displays. Perform the following steps:

1. Open the sysoc.inf file located in the %systemroot%\inf folder.
2. Go to the Components section.
3. Locate the entry you want to make uninstallable and remove the word "hide."
For example, for MSN Messenger Service, change the line:

    msmsgs=ocgen.dll,OcEntry,msmsgs.inf,hide,7

to

    msmsgs=ocgen.dll,OcEntry,msmsgs.inf,,7

4. Save the sysoc.inf file.

* WINDOWS 2000 SECURITY: IE SECURITY OPTIONS, PART 6
In Parts 2 through 5 of this article series, Randy Franklin Smith described the many security settings in Microsoft Internet Explorer (IE) 5.0. You've probably identified some areas where you need to improve browser security. But like many administrators, you might have hundreds or even thousands of workstations where you need to make these changes. In addition, you need to prevent users from going back and reversing your stricter security settings. To accomplish these tasks in Windows 2000, you can use Group Policy Objects (GPOs) that you link to your Active Directory (AD) domain or to organizational units (OUs) in your domain. Learn how in Randy's latest column.
http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=21282

* EVENT HIGHLIGHT: WINDOWS 2000 MAGAZINE LIVE!
Microsoft TechEd 2001
June 17 through 21, 2001
Georgia World Congress Center
Atlanta, Georgia

Stop by the Windows 2000 Magazine booth at TechEd 2001 and meet our technical editors and hear what they have to say about current topics. Sunday, June 17, at 3:00 P.M., Tim Huckaby will discuss Web security auditing. Monday, June 18, at 10:00 A.M., and Tuesday, June 19, at 9:30 A.M., Sean Daily will present some very useful--and in some cases, undocumented--Windows 2000 tips, tricks, and customizations. Monday at 1:00 P.M., Mark Russinovich will discuss new stuff in the XP Kernel. Wednesday, June 20, at 11:00 A.M., Bob Wells will discuss some new and improved scripting goodies in Windows XP.

6. ==== NEW AND IMPROVED ====
(contributed by Judy Drennen, productsat_private)

* DEFRAG YOUR SYSTEM
Winternals Software released Defrag Commander Network Edition (NE), software that features a remote, schedulable defragmenter that can defrag Windows 2000 and Windows NT systems across the network without having to install client software. A client component of the product defragments Windows Me and Windows 9x systems through a logon script or through the Microsoft Systems Management Server (SMS). Defrag Commander NE is licensed by the number of simultaneous clients, and prices start at $169 for 10 units. Contact Winternals Software at 512-330-9130 or 800-408-8415.
http://www.winternals.com

* BIOMETRIC AUTHENTICATION SENSOR IN NEW KEYBOARDS
DigitalPersona announced that its U.are.U biometric authentication sensor will be included in a new generation of Darfon Electronics keyboards. Biometric security solutions are becoming more popular as system developers move away from expensive and time-consuming password systems. Fingerprints provide a nonintrusive method to guarantee that only authorized recipients obtain information.
http://www.digitalpersona.com

7. ==== HOT THREADS ====

* WINDOWS 2000 MAGAZINE ONLINE FORUMS
http://www.win2000mag.net/forums

Featured Thread: Disable CD-ROM Eject
(Six messages in this thread)

This reader administers a school lab running Windows NT 4.0 workstations. He wants to know how to keep students from inserting game CD-ROMs on their systems. Read the responses of others or lend a helping hand at the following URL:
http://www.win2000mag.net/forums/rd.cfm?app=64&id=68658

* HOWTO MAILING LIST
http://www.windowsitsecurity.com/go/page_listserv.asp?s=HowTo

Featured Thread: Suspicious Entry in My Web Server Log
(Three messages in this thread)

This user found a suspicious entry in the Web server's logs that seems to indicate some type of exploit was attempted against the server.
The log entry is as follows:

    2001-06-03 11:55:46 xxx.yyy.32.246 - W3SVC1 SERVERNAME xxx.yyy.zzz.112 GET /winnt/system32/cmd.exe 401 5 80 - -

According to the user, the timing corresponds with what looks like a scan of IP addresses on the same subnet looking for HTTP servers on port 80. The user is not aware of an exploit but is trying to figure out what the intruder was up to. Can you help? Read the responses or lend a hand at the following URL:
http://63.88.172.96/go/page_listserv.asp?A2=IND0106A&L=HOWTO&P=1165

8. ==== CONTACT US ====
Here's how to reach us with your comments and questions:

* ABOUT THE COMMENTARY -- markat_private
* ABOUT THE NEWSLETTER IN GENERAL -- tfaubionat_private; please mention the newsletter name in the subject line.
* TECHNICAL QUESTIONS -- http://www.win2000mag.net/forums
* PRODUCT NEWS -- productsat_private
* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? -- Email Customer Support at securityupdateat_private
* WANT TO SPONSOR Security UPDATE? emedia_oppsat_private

********************
This weekly email newsletter is brought to you by Windows 2000 Magazine, the leading publication for Windows 2000/NT professionals who want to learn more and perform better. Subscribe today.
http://www.win2000mag.com/sub.cfm?code=wswi201x1z

Receive the latest information about the Windows 2000 and Windows NT topics of your choice. Subscribe to our other FREE email newsletters.
http://www.win2000mag.net/email

|-+-+-+-+-+-+-+-+-+-|

Thank you for reading Security UPDATE.

SUBSCRIBE
To subscribe send a blank email to subscribe-Security_UPDATEat_private

If you have questions or problems with your UPDATE subscription, please contact securityupdateat_private
___________________________________________________________
Copyright 2001, Penton Media, Inc.

ISN is hosted by SecurityFocus.com
---
To unsubscribe email isn-unsubscribeat_private
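
The log entry quoted in the HowTo thread (section 7) can be triaged mechanically. This is an added example, not part of the newsletter or the thread: it parses W3C-format IIS log lines and groups requests for system executables by client address, separating refused requests from served ones. The column order in FIELDS and every sample line except the first are assumptions constructed for illustration.

```python
"""Triage IIS W3C log lines that request OS executables (added example)."""
import re
from collections import defaultdict

# Assumed column order: the newsletter quotes one entry without its #Fields
# header. The last two names are guesses for the two trailing "-" values.
FIELDS = ("date time c-ip cs-username s-sitename s-computername s-ip "
          "cs-method cs-uri-stem sc-status sc-win32-status s-port "
          "cs(User-Agent) cs(Referer)").split()

# Paths a web site has no reason to serve: Windows system directories
# or a command interpreter.
SUSPICIOUS = re.compile(r"/(winnt|windows)/|/system32/|/(cmd|command)\.(exe|com)$")

# First entry is the one quoted in the newsletter; the rest are constructed.
SAMPLE_LOG = """\
#Version: 1.0
2001-06-03 11:55:46 xxx.yyy.32.246 - W3SVC1 SERVERNAME xxx.yyy.zzz.112 GET /winnt/system32/cmd.exe 401 5 80 - -
2001-06-03 11:56:02 192.0.2.10 - W3SVC1 SERVERNAME 192.0.2.1 GET /default.htm 200 0 80 - -
2001-06-03 11:57:15 192.0.2.77 - W3SVC1 SERVERNAME 192.0.2.1 GET /winnt/system32/cmd.exe 200 0 80 - -
"""

def parse(log_text, fields=FIELDS):
    """Yield one dict per request line, honouring a #Fields directive if present."""
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        if not line.strip() or line.startswith("#"):
            continue
        values = line.split()
        if len(values) == len(fields):   # skip truncated or foreign lines
            yield dict(zip(fields, values))

def triage(log_text):
    """Return {client_ip: [(timestamp, uri, status, win32_status, verdict)]}."""
    findings = defaultdict(list)
    for rec in parse(log_text):
        uri = rec["cs-uri-stem"].replace("\\", "/").lower()
        if not SUSPICIOUS.search(uri):
            continue
        status = int(rec["sc-status"])
        # 401 with sc-win32-status 5 (ERROR_ACCESS_DENIED) means the server
        # refused the request; a 2xx means the file was actually served.
        verdict = "served" if 200 <= status < 300 else "not served"
        findings[rec["c-ip"]].append(
            (f'{rec["date"]} {rec["time"]}', uri, status,
             int(rec["sc-win32-status"]), verdict))
    return dict(findings)

if __name__ == "__main__":
    for ip, hits in triage(SAMPLE_LOG).items():
        for hit in hits:
            print(ip, *hit)
```

For the quoted entry the verdict is "not served": the 401 status with Win32 status 5 shows the server denied the request, which matches a probe rather than a successful compromise.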
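
The sysoc.inf edit from the FAQ in section 5 can be scripted so that only the intended entry in the Components section changes. This is an added example, not code from the newsletter or from Microsoft: it works on the file's text, and the sample file contents are constructed except for the msmsgs line. The function names are hypothetical.

```python
"""List and unhide components in sysoc.inf text (added example)."""

# Constructed sample; only the msmsgs line comes from the newsletter.
SAMPLE_INF = """\
[Version]
Signature = "$Windows NT$"

[Components]
Games=ocgen.dll,OcEntry,games.inf,,7
msmsgs=ocgen.dll,OcEntry,msmsgs.inf,hide,7
Pinball=ocgen.dll,OcEntry,pinball.inf,HIDE,7

[Global]
WindowTitle=%WindowTitle%
"""

def _components(lines):
    """Yield (index, name, fields) for each entry in the [Components] section."""
    section = None
    for i, line in enumerate(lines):
        text = line.strip()
        if text.startswith("[") and text.endswith("]"):
            section = text[1:-1].lower()
        elif section == "components" and "=" in text and not text.startswith(";"):
            name, _, value = text.partition("=")
            yield i, name.strip(), [f.strip() for f in value.split(",")]

def hidden_components(inf_text):
    """Names of entries whose fourth field is 'hide' (any letter case)."""
    return [name for _, name, f in _components(inf_text.splitlines())
            if len(f) >= 4 and f[3].lower() == "hide"]

def unhide(inf_text, component):
    """Return the text with 'hide' removed from one component's entry.

    Every other line, including its line ending, is left untouched.
    """
    lines = inf_text.splitlines(keepends=True)
    for i, name, f in _components(lines):
        if name.lower() == component.lower() and len(f) >= 4 and f[3].lower() == "hide":
            f[3] = ""
            eol = lines[i][len(lines[i].rstrip("\r\n")):]
            lines[i] = f"{name}={','.join(f)}{eol}"
            return "".join(lines)
    raise KeyError(f"{component!r} is not a hidden entry in [Components]")

if __name__ == "__main__":
    print("hidden:", hidden_components(SAMPLE_INF))
    print(unhide(SAMPLE_INF, "msmsgs"))
```

Reading and writing %systemroot%\inf\sysoc.inf is left to the caller; keep a copy of the original file before saving the changed text.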