********************
Windows 2000 Magazine Security UPDATE--brought to you by the Windows 2000 Magazine Network
**Watching the Watchers**
http://www.win2000mag.net/Channels/Security
********************

~~~~ THIS ISSUE SPONSORED BY ~~~~

WEBTRENDS FIREWALL SUITE -- DOWNLOAD FREE TRIAL!
http://go.win2000mag.net/UM/T.asp?A2153.23115.1147.1.532985

~~~~~~~~~~~~~~~~~~~~

~~~~ SPONSOR: WEBTRENDS FIREWALL SUITE--DOWNLOAD FREE TRIAL! ~~~~

Experienced IT Managers know security requires insight! With WebTrends Firewall Suite, you'll get in-depth analysis of both incoming and outgoing traffic through your network. Monitor bandwidth usage, measure VPN activity, and receive alerts by e-mail or pager whenever critical security events occur. Firewall Suite 3.1 provides support for 35 leading firewall and proxy servers, including Cisco and Check Point. Currently a featured download on Tech Republic. Click here for your FREE trial, download now:
http://go.win2000mag.net/UM/T.asp?A2153.23115.1147.1.532985

~~~~~~~~~~~~~~~~~~~~

June 20, 2001--In this issue:

1. IN FOCUS
   - Debugging Code: Haste Makes Waste

2. SECURITY RISKS
   - SQL Server Cached Credentials Vulnerability
   - IIS Buffer Overflow Condition in Index Server Component

3. ANNOUNCEMENTS
   - Visit the New Connected Home Web Site!
   - Running Domino on Windows NT/2000?

4. SECURITY ROUNDUP
   - News: NSA Releases Win2K Security Recommendation Guidelines
   - Windows 2000 Magazine Network Names Tech Ed Best of Show Winners
   - News: Stay on Target
   - Review: Endurance 6200 3.0
   - Report: Internet Security: Repelling the Inevitable Attack

5. HOT RELEASES (ADVERTISEMENTS)
   - Host Intrusion Prevention for Servers and Desktops
   - LANguard SELM: Intrusion detection for NT/2000!

6. SECURITY TOOLKIT
   - Book Highlight: Active Defense: A Comprehensive Guide to Network Security
   - Virus Center: Flip.MP2153.A
   - Virus Center: W32/Beast.A
   - FAQ: Why Is My ISA Server Using 50 Percent of Available Memory for the RAM Proxy Cache?
   - SOHO Security: Spyware, Part 2

7. NEW AND IMPROVED
   - Security Solution Secures Clients' Assets
   - All PCs on a LAN Can Access Internet with One Connection

8. HOT THREADS
   - Windows 2000 Magazine Online Forums
       Setting Up VPN
   - HowTo Mailing List
       HKCR Permission on Windows 2000

9. CONTACT US
   See this section for a list of ways to contact us.

1. ==== COMMENTARY ====

Hello everyone,

Do you run IIS? If so, you need to know that Microsoft has issued security bulletin MS01-033 about yet another nasty hole in the IIS-based Index Server 2.0 on Windows NT 4.0 and the Indexing Service on Windows 2000 and beta versions of Windows XP. eEye Digital Security discovered the problem ( http://www.eeye.com/html/Research/Advisories/index.html ), which can let an intruder access the server under the security context of the built-in system account. The problem stems from an unchecked buffer in an Internet Server API (ISAPI) filter used during the course of processing .ida files, which are related to the Index Server and Indexing Service. Read more about this problem in the related story under SECURITY RISKS.

I point out this newly discovered problem because this is the fourth time in 2 years that eEye Digital Security has discovered an exploit against IIS that can grant an intruder system-level access. If hackers can find such dangerous holes in IIS, why can't Microsoft find them before the code rolls out to millions of Web servers around the planet? Each time such a hole surfaces, countless systems become easy prey because administrators don't apply security fixes fast enough. We can blame administrators and less-than-thorough administration, but it's Microsoft's fault that the holes exist to begin with. Some time ago, Microsoft said it was placing more focus on the security of its products, and the added effort shows. But even so, the company's efforts obviously aren't enough.
When confronted with the number of security problems in its products, Microsoft shifts the blame to the volume of code in Windows platforms and related products. The company says that with millions of lines of code, finding every potential security risk before a product ships is impossible. But hackers don't seem to find many barriers to vulnerability discovery regardless of how big Microsoft's code becomes. Microsoft needs to follow its own recent advice and introduce a higher level of best practices into its organization. I admit that excellent hackers are a tough act to follow, but given the resources available to Microsoft, I fail to understand why the company doesn't do a better job of debugging its code before releasing it into production.

You've heard the adage, "Haste makes waste." In the case of security-related bugs, any haste on Microsoft's part generally costs its customers lots of money in subsequent damages. I wonder why users have no recourse against defective software products when they do have recourse against many other types of defective products. After all, Microsoft dominates about 80 percent of all desktops on the planet. A vast percentage of worldwide commerce pivots around Microsoft technology, but the company produces less than safe products. When we use Microsoft's products, we're subject to its license structure and we must accept all the product's risks by default, by using that license structure. Do you think General Motors could get away with a similar license for its somewhat dangerous Sport Utility Vehicles (SUVs) or any other automobile? Not a chance.

On a semi-related note, the National Security Agency (NSA) released a set of documents and templates that help people secure their Windows environments. Be sure to read the related news story in the SECURITY ROUNDUP section of this newsletter. Xato Network Security downloaded the documents and discovered some glaring contradictions and inaccuracies.
An Xato representative posted a message on our Win2KSecAdvice mailing list detailing some of these findings, so be sure to read it at the URL below before implementing any of NSA's templates or recommended configuration settings.

Until next time, have a great week.

Sincerely,
Mark Joseph Edwards, News Editor
markat_private

http://63.88.172.96/go/win2ks-l.asp?A2=IND0106C&L=WIN2KSECADVICE&P=496

2. ========== SECURITY RISKS =========
(contributed by Ken Pfeil, kenat_private)

* SQL SERVER CACHED CREDENTIALS VULNERABILITY
A vulnerability in Microsoft SQL Server 2000 and SQL Server 7.0 can let an attacker execute SQL queries using the systems administrator security context. When a user terminates a client connection to a SQL Server, the connection remains cached for a period of time for performance reasons. One SQL query method contains this cache vulnerability, and an attacker can use the query to reuse a cached connection that once belonged to the systems administrator account. An attacker can then take actions on the database (e.g., running code), and under the right conditions, can assume full control of the server. Microsoft has released security bulletin MS01-032 for this vulnerability and recommends that users immediately apply the patch mentioned in Microsoft article Q299717.
http://www.windowsitsecurity.com/articles/index.cfm?articleID=21433

* IIS BUFFER OVERFLOW CONDITION IN INDEX SERVER COMPONENT
eEye Digital Security has discovered that a vulnerability in Microsoft Index Server can let an attacker execute code under the system security context and take any action on the server, including assuming full control of the server. This vulnerability stems from an unchecked buffer in the Index Server Internet Server API (ISAPI) extension, idq.dll, which supports administration scripts. The buffer overrun condition occurs before any indexing is requested; therefore, the server remains vulnerable even if the Index Service isn't running.
If you have the script mappings for .ida and .idq extensions in place, and users can establish Web sessions to the server, you have a vulnerable server. Microsoft has released security bulletin MS01-033 and recommends that users immediately apply the patch specified in the bulletin. The company further recommends that you remove script mappings for .ida and .idq extensions under IIS if you're not using them as mentioned in the security checklists for IIS 4.0 and IIS 5.0, which are linked in the report at the following URL:
http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=21503

3. ==== ANNOUNCEMENTS ====

* VISIT THE NEW CONNECTED HOME WEB SITE!
The people who bring you Connected Home EXPRESS have launched a new Web site! Get how-to tips and tricks to help you with home networking, home theater, audio, and much more. While you're there, sign up (for free!) for the first issue of Connected Home Magazine, due out in late October. Check it out!
http://www.connectedhomemag.com

* RUNNING DOMINO ON WINDOWS NT/2000?
Don't miss this chance to get the latest tips for enhancing your Domino/Windows installation! Learn first hand from the Lotus product team and world-renowned independent gurus who share their best discoveries. You'll find cutting-edge sessions on Domino administration, integration, and in-depth drilldowns for developers. Seats are going fast, so reserve your spot today!
http://www.dominoconnections.com

4. ==== SECURITY ROUNDUP ====

* NEWS: NSA RELEASES WIN2K SECURITY RECOMMENDATION GUIDELINES
The US National Security Agency (NSA) has released a set of guidelines and templates to help you secure Windows 2000 systems. The materials contain 5 templates to use with Microsoft's Security Configuration Editor, 17 guides to secure various aspects of the OS, and 3 supporting documents with in-depth defense coverage and details about various popular software packages.
http://www.windowsitsecurity.com/articles/index.cfm?articleID=21451

* WINDOWS 2000 MAGAZINE NETWORK NAMES TECH ED BEST OF SHOW WINNERS
Penton Technology Media, publisher of Windows 2000 Magazine and SQL Server Magazine, named winners of the Windows 2000 Magazine Network Best of Show Awards at Microsoft Tech Ed 2001 in Atlanta this week. Winternals Software's Administrator Pak won Best Overall Product. "This bundle of Winternals' most popular repair and recovery utilities has broad appeal for our audience," said Karen Forster, editor in chief of Windows 2000 Magazine and SQL Server Magazine. "These tools give systems administrators the ability to recover crashed systems, remotely access systems for repair, reconstruct damaged files, edit the registry of unbootable systems, and more. The value to our audience is unmatched." Crystal Decisions' Crystal Analysis Professional won best product in the SQL Server category, and CAST's Application Mining Suite was runner-up. Quest Software's FastLane ActiveRoles won best product in the Windows 2000 category, and Marathon Technologies' Endurance product was named runner-up. Sybari Software's Antigen 6.1 won best product in the Exchange Server category, and BindView's bv-Control for Microsoft Exchange was runner-up. For more details and a list of finalists in each category, visit the Windows 2000 Magazine Web site.
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=21533

* NEWS: STAY ON TARGET
Windows XP is moving toward its October general release, and if you've been thinking about deploying Windows 2000 in your enterprise or are in the middle of a Win2K rollout, the availability of XP has undoubtedly raised questions for you. Before you start worrying about whether you should scuttle your Win2K rollout and wait for XP, read Paul Thurrott's perspective on our Web site.
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=21133

* REVIEW: ENDURANCE 6200 3.0
Fault tolerance means different things to different people.
According to a broad definition, fault tolerance ensures that an application is always available to its users. For example, if a problem occurs with an application on one server in a clustered server scenario, another server takes over. Although clusters provide high availability for applications, they don't satisfy John Green's definition of true fault tolerance because the application's recovery from a system failure isn't always transparent to users. Be sure to read what Green says about Endurance 6200 3.0--a new fault-tolerant server array that doesn't suffer from the shortcomings of a clustered server.
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=%2021140

* REPORT: INTERNET SECURITY: REPELLING THE INEVITABLE ATTACK
In this special report from Windows 2000 Magazine, Bob Kretschman discusses how system intrusion can cost your company big money. Kretschman discusses the damage suffered by Egghead.com and Omega Engineering as examples of how expensive intrusions can become. In addition, Jan De Clercq helps you understand the differences between Windows 2000 and Windows NT security. According to De Clercq, OS security is based on three core services: authentication, authorization (or access control), and auditing. Although these three services serve three different goals, they are interdependent: A good auditing system depends on a good authorization system, which in turn depends on a good authentication system. The document is available in Adobe PDF format on our IT Buyer's Network.
http://www.itbuynet.com/specialreports

5. ==== HOT RELEASES (ADVERTISEMENTS) =====

* HOST INTRUSION PREVENTION FOR SERVERS AND DESKTOPS
CyberwallPLUS uses a packet filtering firewall, stateful packet inspection, and active intrusion detection to secure and protect sensitive servers and workstations operating in "electronically open" networks.
Three levels of host security in one product - CyberwallPLUS
Free 30-day evaluation - http://go.win2000mag.net/UM/T.asp?A2153.23115.1147.5.532985

* LANGUARD SELM: INTRUSION DETECTION FOR NT/2000!
GFI's new LANguard Security Event Log Monitor & Reporter provides centralized network-wide monitoring of NT/2000 security logs & alerts the administrator of security breaches for immediate intrusion detection (host-based). Download your evaluation copy at:
http://go.win2000mag.net/UM/T.asp?A2153.23115.1147.6.532985

6. ==== SECURITY TOOLKIT ====

* BOOK HIGHLIGHT: ACTIVE DEFENSE: A COMPREHENSIVE GUIDE TO NETWORK SECURITY
By Chris Brenton, Cameron Hunt
List Price: $49.99
Fatbrain Online Price: $39.99
Softcover; 736 pages
Published by Sybex, May 2001
ISBN 0782129161

For more information or to purchase this book, go to http://www1.fatbrain.com/asp/bookinfo/bookinfo.asp?theisbn=0782129161 and enter WIN2000MAG as the discount code when you order the book.

* VIRUS CENTER
Panda Software and the Windows 2000 Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security.
http://www.windowsitsecurity.com/panda

Virus Alert: Flip.MP2153.A
Flip.mp.2153.A is an MS-DOS-resident encrypted virus that infects files with the following extensions: .exe, .com, or .ovl. The virus also infects the command.com file (in the hard disk root directory) and modifies the Master Boot Record (MBR) and the BOOT (the boot sector of 3.5" disks). Upon infection, the virus becomes memory resident, thereby decreasing your memory's available free space by 3064 bytes.
http://63.88.172.96/Panda/Index.cfm?FuseAction=Virus&VirusID=117

Virus Alert: W32/Beast.A
W32/Beast.A is a hybrid virus that consists of two components: a macro virus that affects Microsoft Word documents and a Windows 95 virus. Infections are carried out through its Windows 95 component.
The other section of the virus (the Word component) works as support. The virus spreads to other systems using the same means common to most macro viruses; therefore, the virus is contained in each previously infected document.
http://63.88.172.96/Panda/Index.cfm?FuseAction=Virus&VirusID=813

* FAQ: WHY IS MY ISA SERVER USING 50 PERCENT OF AVAILABLE MEMORY FOR THE RAM PROXY CACHE?
( contributed by Paul Robichaux, http://www.windows2000faq.com )

By default, Internet Security and Acceleration (ISA) Server 2000 uses 50 percent of the available memory for a RAM-based proxy cache. To modify the amount of memory ISA Server uses, perform the following steps:

1. Start the Microsoft Management Console (MMC) ISA Server Admin snap-in (Start, Programs, Microsoft ISA Server, ISA Management).
2. Right-click the Cache Configuration branch, and select Properties.
3. Select the Advanced tab.
4. For "Percentage of free memory to use for caching," change the number from 50 (the default) to the value you want (e.g., 5) and click OK.
5. When the system prompts you, choose to either save changes but not restart the service or save changes and restart the service. Click OK.

* SOHO SECURITY: SPYWARE, PART 2
In Spyware, Part 1, Jonathan Hassell discussed how spyware can be an unwelcome intrusion in your small office/home office (SOHO) computer system. By integrating code with shareware, freeware, or other publicly accessible programs, spyware monitors your computer activities and reports the tracking data to a third party. In Part 2, Hassell shows you some solutions for getting rid of these intrusion problems.
http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=21402

7. ==== NEW AND IMPROVED ====
(contributed by Judy Drennen, productsat_private)

* SECURITY SOLUTION SECURES CLIENTS' ASSETS
Communication Technologies released No*Trace, a security application that lets users permanently remove sensitive, confidential, or proprietary information from their desktops or laptops.
No*Trace software runs on Microsoft Windows 2000, Windows NT, and Windows 9x, and Communication Technologies offers 24 x 7 technical support. Single purchases are available for $49.95; discounts are offered for multiple or enterprise orders. Contact Communication Technologies at 888-753-7008.
http://www.comtechnologies.com

* ALL PCS ON A LAN CAN ACCESS INTERNET WITH ONE CONNECTION
Ositis Software announced the release of WinProxy 4.0, the newest version of its software that lets all PCs on a LAN access the Internet through one connection. Key new features include the ability to create rules-based alerts for virus events or usage infractions, restrict Internet access privileges by user or user group, and scan outgoing email messages for viruses. The new release also supports SMTP virus scanning and VPN clients. WinProxy 4.0 is compatible with Windows 2000, Windows NT, Windows Me, and Windows 9x. WinProxy 4.0 is available in 3, 5, 10, 25, and unlimited user versions. Pricing ranges from $59.95 to $799.95 for the unlimited user version. Contact Ositis at 888-9467769.

8. ==== HOT THREADS ====

* WINDOWS 2000 MAGAZINE ONLINE FORUMS
http://www.win2000mag.net/forums

Featured Thread: Setting Up VPN
(Five messages in this thread)

Serena needs help setting up a small office that needs a static IP address and also needs to let a remote user with a dynamic IP address access the network via VPN. Read the responses of others or lend a helping hand at the following URL:
http://www.win2000mag.net/forums/rd.cfm?app=64&id=66100

* HOWTO MAILING LIST
http://www.windowsitsecurity.com/go/page_listserv.asp?s=HowTo

Featured Thread: HKCR Permissions on Windows 2000
(Three messages in this thread)

This user has a major application that requires users to have Read, Execute, Write, and Delete (RXWD) permission on the entire HKEY_CLASSES root key. The user wonders what the implications are of setting such loose security on the HKEY_CLASSES area of the registry. Can you help?
Read the responses or lend a hand at the following URL:
http://63.88.172.96/go/page_listserv.asp?A2=IND0106B&L=HOWTO&P=80

9. ==== CONTACT US ====
Here's how to reach us with your comments and questions:

* ABOUT THE COMMENTARY -- markat_private

* ABOUT THE NEWSLETTER IN GENERAL -- tfaubionat_private; please mention the newsletter name in the subject line.

* TECHNICAL QUESTIONS -- http://www.win2000mag.net/forums

* PRODUCT NEWS -- productsat_private

* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? -- Email Customer Support at securityupdateat_private

* WANT TO SPONSOR Security UPDATE? emedia_oppsat_private

********************

This weekly email newsletter is brought to you by Windows 2000 Magazine, the leading publication for Windows 2000/NT professionals who want to learn more and perform better. Subscribe today.
http://www.win2000mag.com/sub.cfm?code=wswi201x1z

Receive the latest information about the Windows 2000 and Windows NT topics of your choice. Subscribe to our other FREE email newsletters.
http://www.win2000mag.net/email

|-+-+-+-+-+-+-+-+-+-|

Thank you for reading Security UPDATE.

SUBSCRIBE
To subscribe send a blank email to subscribe-Security_UPDATEat_private

Copyright 2001, Penton Media, Inc.

ISN is hosted by SecurityFocus.com
---
To unsubscribe email isn-unsubscribeat_private
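
The SECURITY RISKS item on the Index Server buffer overflow recommends removing the .ida and .idq script mappings where they are not used. The script below is an added example, not part of the original newsletter or of any Microsoft tooling: it audits exported script-mapping entries for those two extensions and for any other extension routed to idq.dll. It assumes entries in the form extension,handler-path,flags,verbs, as the IIS metabase ScriptMaps property lists them; the site keys, paths and sample entries are constructed for illustration.

```python
"""Audit IIS script mappings for the .ida/.idq handlers named in MS01-033.

Assumption: each entry is a ScriptMaps string of the form
extension,handler-path,flags[,verb,...] exported from the IIS metabase.
"""
import ntpath
from typing import NamedTuple

RISKY_EXTENSIONS = {".ida", ".idq"}  # extensions named in the newsletter item
RISKY_HANDLER = "idq.dll"            # ISAPI extension named in the newsletter item


class Finding(NamedTuple):
    site: str
    extension: str
    handler: str
    verbs: tuple
    reason: str


def parse_entry(entry):
    """Split one ScriptMaps string into (extension, handler, verbs)."""
    parts = [p.strip() for p in entry.strip().strip('"').split(",")]
    well_formed = (len(parts) >= 3
                   and (parts[0].startswith(".") or parts[0] == "*")
                   and parts[2].isdigit())
    if not well_formed:
        raise ValueError("not a script mapping: %r" % entry)
    return parts[0].lower(), parts[1], tuple(v.upper() for v in parts[3:] if v)


def audit(script_maps):
    """Return (findings, malformed) for a {site: [entry, ...]} mapping."""
    findings, malformed = [], []
    for site, entries in sorted(script_maps.items()):
        for entry in entries:
            try:
                ext, handler, verbs = parse_entry(entry)
            except ValueError:
                malformed.append((site, entry))  # report it, never skip silently
                continue
            # ntpath parses Windows paths correctly on any host OS.
            dll = ntpath.basename(handler).lower()
            if ext in RISKY_EXTENSIONS:
                findings.append(Finding(site, ext, handler, verbs,
                                        "extension named in MS01-033"))
            elif dll == RISKY_HANDLER:
                # Same DLL reachable through a differently named extension.
                findings.append(Finding(site, ext, handler, verbs,
                                        "maps to idq.dll"))
    return findings, malformed


# Constructed sample data: site keys, paths and mappings are illustrative only.
SAMPLE_SCRIPT_MAPS = {
    "W3SVC/1": [
        r".asp,C:\WINNT\System32\inetsrv\asp.dll,1,GET,HEAD,POST,TRACE",
        r".ida,C:\WINNT\System32\idq.dll,3,GET,HEAD,POST",
        r".idq,C:\WINNT\System32\idq.dll,3,GET,HEAD,POST",
    ],
    "W3SVC/2": [
        r".asp,C:\WINNT\System32\inetsrv\asp.dll,1,GET,HEAD,POST,TRACE",
        r".search,C:\WINNT\System32\IDQ.DLL,3,GET,POST",
        "not-a-mapping",
    ],
}

if __name__ == "__main__":
    found, bad = audit(SAMPLE_SCRIPT_MAPS)
    for f in found:
        print("%s: remove %s -> %s (%s)" % (f.site, f.extension, f.handler, f.reason))
    for site, entry in bad:
        print("%s: could not parse %r, review by hand" % (site, entry))
```

An empty findings list only shows that the mappings are gone from the exported entries; the patch in the bulletin is still required.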
This archive was generated by hypermail 2b30 : Thu Jun 21 2001 - 02:30:52 PDT