******************** Windows 2000 Magazine Security UPDATE--brought to you by Security Administrator, a print newsletter bringing you practical, how-to articles about securing your Windows 2000 and NT systems.
http://www.secadministrator.com
********************

~~~~ THIS ISSUE SPONSORED BY ~~~~
UltraBac Version 6.3 Deploys Machines Faster!
http://go.win2000mag.net/UM/T.asp?A2153.23115.1203.1.532985
~~~~~~~~~~~~~~~~~~~~

~~~~ ULTRABAC VERSION 6.3 DEPLOYS MACHINES FASTER! ~~~~
UltraBac Software announces new support for Windows NT(R)/2000/XP disaster recovery, disk cloning, and ultra-fast rollouts of server and workstation installations. The utility runs from a Win9x/DOS bootable floppy and can back up and restore only the clusters marked in use. A system administrator can now copy or restore multiple images onto a network share (or tape) in significantly less time than other options. The program is available without charge for personal use. Visit http://go.win2000mag.net/UM/T.asp?A2153.23115.1203.1.532985 to download a free live trial of the software.
********************

July 11, 2001--In this issue:

1. IN FOCUS
   - Updated Windows 2000 Security Tools
2. SECURITY RISKS
   - Back Door in R.I. Soft Systems Screensavers
   - SMTP Vulnerability in Windows 2000
3. ANNOUNCEMENTS
   - Get 25 Percent Off Windows 2000 Magazine!
   - Now Is the Time, Now Is the Time . . .
4. SECURITY ROUNDUP
   - News: Linux Community Fights .NET
   - News: Windows XP Pricing, Packaging Revealed
   - Review: Security Analyzer 3.5a
   - Review: NTRama 3.0
5. SECURITY TOOLKIT
   - Book Highlight: The Handbook of System and Network Security
   - Virus Center
   - Virus Alert: X97M/Barisada.C
   - FAQ: How Can I Add a Boot Option that Starts with the Alternate Shell?
   - Windows 2000 Security: Don't Shoot Yourself in the Foot with Group Policy Security Settings, Part 1
   - SOHO Security: Zombie Attackers
6. NEW AND IMPROVED
   - Data Encryption and Smart Card Technology
   - Track PC Use
7. HOT THREADS
   - Windows 2000 Magazine Online Forums - Featured Thread: Security Overview
   - How-to Mailing List - Featured Thread: Event ID 643
8. CONTACT US
   See this section for a list of ways to contact us.

1. ==== COMMENTARY ====

Hello everyone,

On June 6, I wrote about the need for adequate exit procedures when an employee leaves a company (for whatever reason). This week, I came across an interesting news item at ComputerWorld (see URL below) that serves as a great case in point. A company suffered repeated Denial of Service (DoS) attacks after firing two key software developers. As it turned out, the company failed to change certain passwords after firing the two employees, and the two former employees subsequently used those passwords to gain remote access to the company's application server and crash it. Be sure to read the details of the story with its interesting comments.
http://www.computerworld.com/itresources/rcstory/0,4167,STO61983.html

You might also recall that on June 20, I mentioned that the National Security Agency (NSA) had released a set of documents to help users secure Windows 2000 systems. The demand for these documents was overwhelming, and the NSA had to take the documents offline because of the server load. NSA contracted with Conxion to host these documents, which are available again from links at the NSA Web site. In addition, NSA has made documents available that help secure Cisco routers. You can find both sets of documents at the following URL.
http://nsa1.www.conxion.com

Speaking of Win2K security, Microsoft has an updated version of the cipher.exe tool that it ships with Win2K as part of the Encrypting File System (EFS). The original cipher.exe version that ships with the OS doesn't include a mechanism to wipe data off the hard disk; the updated version does. During typical system operation, when you delete a file, the OS doesn't actually erase the data associated with that file.
Instead, the OS marks the disk clusters that belonged to that file as available empty space, and the data remains intact in those clusters until another process overwrites them with new data. In other words, in certain instances you can recover deleted files from a Win2K system. Clem Colman of Colman Communications realized the problem and suggested that Microsoft provide a cluster-wiping mechanism, and now this updated cipher.exe version is available to overwrite all unallocated clusters, guarding against unwanted data recovery. You can find the updated cipher.exe file on Microsoft's TechNet Web site.
http://www.microsoft.com/technet/security/cipher.asp

Of course, third-party tools that wipe data off the hard disk are also available. A few freeware packages that I am aware of include Parisien Encryption Tools from Parisien Research, Without a Trace from Karmadrome Software, and BCWipe from Jetico. You can find the packages at their respective URLs below.

Until next time, have a great week.

Sincerely,
Mark Joseph Edwards, News Editor, markat_private

http://www.parisien.org/download.htm
http://www.karmadromesoft.com
http://www.jetico.sci.fi/bcwipe.htm

2. ==== SECURITY RISKS ====
(contributed by Ken Pfeil, kenat_private)

* BACK DOOR IN R.I. SOFT SYSTEMS SCREENSAVERS
Steve Johns reported a back door in R.I. Soft Systems' 4th of July Fireworks and Living Waterfalls demo screensavers. By pressing the space bar, a user can bypass the screensaver's lock-workstation function. A malicious user can then open the default Web browser on the R.I. Soft Systems Web site, running in the security context of the currently logged-on user. From there, the attacker can type explorer.exe in the browser's address window to get the desktop and run programs under that context. A malicious user can also exploit this vulnerability remotely through the Windows 2000 Terminal Services Advanced Client (formerly known as the Terminal Services Web Client). The vendor, R.I. Soft Systems, is aware of the vulnerabilities but doesn't intend to release a fix. To work around this problem, uninstall the demo screensaver software.
http://www.windowsitsecurity.com/articles/index.cfm?articleID=21684

* SMTP VULNERABILITY IN WINDOWS 2000
Joao Gouveia reported a vulnerability in the default SMTP server that is installed with Windows 2000 Professional, Windows 2000 Server, Windows 2000 Advanced Server, and Windows 2000 Datacenter Server. An attacker can use a flaw in the SMTP authentication process to authenticate to the SMTP service with invalid credentials, gain user-level privileges on the service, and use it to relay mail. This vulnerability affects only standalone machines, not domain controllers (DCs) or Microsoft Exchange mail servers running Win2K. Microsoft has released security bulletin MS01-037 for this vulnerability and recommends that Win2K users immediately apply the patch mentioned in the bulletin. Patches for Win2K Datacenter are hardware specific and are available only through the OEM. As usual, if you don't need a service, disable it.
http://www.windowsitsecurity.com/articles/index.cfm?articleID=21685

3. ==== ANNOUNCEMENTS ====

* GET 25 PERCENT OFF WINDOWS 2000 MAGAZINE!
Every issue of Windows 2000 Magazine is packed with superb coverage of security, Active Directory (AD), disaster recovery, Exchange (and more) and helps you navigate the rough waters of your job with ease. Subscribe now (at 25 percent off the regular rate!) and find out why your peers think we're simply the best independent resource for Windows 2000/NT professionals.
http://www.win2000mag.com/sub.cfm?code=diee201gup

* NOW IS THE TIME, NOW IS THE TIME . . .
It's Windows 2000 Magazine LIVE! Hear and talk with the writers you've come to trust. Minasi, Daily, Mar-Elia, and Russinovich join a host of world-renowned gurus to help you be more successful. The seven dedicated tracks include Active Directory (AD), .NET Servers, Security, plus a bonus SMS track sponsored by Altiris. Attend the concurrently running XML & Web Services Connections for FREE! Now is the time to reserve your spot!
http://www.winconnections.com

4. ==== SECURITY ROUNDUP ====

* NEWS: LINUX COMMUNITY FIGHTS .NET
As expected, the Linux community announced a variety of open-source replacements for Microsoft's .NET product line on Monday, including a way to run C# programs and the .NET Common Language Infrastructure (CLI) on Linux. The Free Software Foundation (FSF) and Linux desktop application maker Ximian are spearheading the development of these tools, which are called DotGNU and GNU Mono. The groups say that their open-source alternatives will overcome the limitations of Microsoft's centralized server approach.
http://www.wininformant.com/Articles/Index.cfm?ArticleID=21693

* NEWS: WINDOWS XP PRICING, PACKAGING REVEALED
Amazon.com is the first online retailer to offer the Windows XP full and upgrade versions for advance sale, giving us an early idea of how much the product will cost and what the packaging will look like. On Amazon.com, the upgrade version of Windows XP Home Edition is priced slightly higher than Windows Me, the product it's replacing; prices for Windows XP Professional Edition are similarly higher than those of its predecessor, Windows 2000 Professional. Although Microsoft has yet to release official pricing for the products, Amazon's prices are roughly equivalent to what we've been expecting.
http://www.wininformant.com/Articles/Index.cfm?ArticleID=21692

* REVIEW: SECURITY ANALYZER 3.5A
NetIQ's Security Analyzer 3.5a architecture is based on profiles and policies. Profiles let you create scanning conditions (i.e., which policies to use and which hosts to scan), and policies define what Security Analyzer will search for during a security check. NetIQ offers 10 default security policies: Complete Security Analysis, Standard Security Analysis, Critical Security Analysis, Intermediate Security Analysis, Inventory Scan, Port Scan Only (Well-Known Ports), Port Scan Only (Standard Ports), Password Grinding Analysis, Ping Scan, and UNIX Security Analysis. These policy files are essentially Perl scripts, so if you know Perl, you can create your own policies. Security Analyzer even includes a software development kit (SDK) to help you create custom policy files. Learn more about this product in Jonathan Chau's Lab Review on our Web site.
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=21144

* REVIEW: NTRAMA 3.0
CoperNet's NTRama 3.0 is a network-discovery and inventory tool that scans your network's Windows 2000, Windows NT, and Windows 9x computers. The software saves the results to a central ODBC-compliant database file, on which you can run queries to obtain a global view of your infrastructure. CoperNet didn't design NTRama as an end-all network-management application. Instead, NTRama is a scaled-down solution that functions impressively as a scanner, requiring no software agents on any other computer on the network. Learn all about it in Dennis Williams' Lab Review on our Web site.
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=21141

5. ==== SECURITY TOOLKIT ====

* BOOK HIGHLIGHT: THE HANDBOOK OF SYSTEM AND NETWORK SECURITY
By Julia H. Allen
Fatbrain Online Price: $39.99
Softcover; 464 pages
Published by Addison Wesley Longman, June 2001
ISBN 020173723X
For more information or to purchase this book, go to http://www1.fatbrain.com/asp/bookinfo/bookinfo.asp?theisbn=020173723X and enter WIN2000MAG as the discount code when you order the book.

* VIRUS CENTER
Panda Software and the Windows 2000 Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security.
http://www.windowsitsecurity.com/panda

Virus Alert: X97M/Barisada.C
This virus contains a single macro associated with the WindowDeactivate event. The virus triggers when a user moves from an Excel window with an infected workbook to another Excel window. The virus first checks the global variable StartUpPath to see whether a copy of itself exists in the Excel Start directory. If that directory doesn't exist, the virus produces an interesting secondary effect: because it can't copy itself to where it wants, it opens two new Excel workbooks, which stops the user from exiting the program. The virus keeps opening workbooks, continually increasing their number. For complete details on this macro virus, be sure to visit the URL below.
http://63.88.172.96/Panda/Index.cfm?FuseAction=Virus&VirusID=876

* FAQ: HOW CAN I ADD A BOOT OPTION THAT STARTS WITH THE ALTERNATE SHELL?
(contributed by John Savill, http://www.windows2000faq.com)

A. Under the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot is the value AlternateShell, which is set to cmd.exe (the command prompt). When you press F8 during startup and select "Safe Mode with Command Prompt," the system uses this alternate shell. You shouldn't change the AlternateShell value. You can, however, create a boot option so that you don't have to press F8, then select "Safe Mode with Command Prompt."

1. Change the boot.ini (c:\boot.ini) file attributes to make the file non-read-only, non-system, and non-hidden:
   attrib c:\boot.ini -r -s -h
2. Open boot.ini.
3. Add a line similar to the following. Copy the ARC path and switches from the existing entry for your installation (on Win2K the system directory is usually \WINNT rather than \WINDOWS), and give the new entry a description that tells it apart from the normal one in the boot menu:
   multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /SAFEBOOT:MINIMAL(ALTERNATESHELL)
4. Save the file.
5. Restore the original attributes:
   attrib c:\boot.ini +r +s +h
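The following script is an added example (it is not part of John Savill's FAQ or of the newsletter) that carries out steps 1 through 5 without hand-editing: it parses boot.ini, finds the [operating systems] entry that default= points to, and appends a copy of that entry with /SAFEBOOT:MINIMAL(ALTERNATESHELL) and a "(Command Prompt)" description, leaving default= untouched so an unattended reboot still starts the normal entry. The sample boot.ini is constructed for the example; update_boot_ini_file assumes attrib.exe is on the path and runs only on Windows.

```python
"""Add a "Safe Mode with Command Prompt" entry to an NT-family boot.ini.

Assumes the standard layout: a [boot loader] section whose default= line
names an ARC path, and an [operating systems] section with one
ARC="description" /switches line per installation.
"""
import os
import re
import subprocess

SAFEBOOT_SWITCH = "/SAFEBOOT:MINIMAL(ALTERNATESHELL)"

# Constructed sample: one Windows 2000 installation on the first partition.
SAMPLE_BOOT_INI = (
    "[boot loader]\r\n"
    "timeout=30\r\n"
    "default=multi(0)disk(0)rdisk(0)partition(1)\\WINNT\r\n"
    "[operating systems]\r\n"
    'multi(0)disk(0)rdisk(0)partition(1)\\WINNT="Microsoft Windows 2000 Professional" /fastdetect\r\n'
)

# One [operating systems] entry: ARC path, quoted description, optional switches.
_ENTRY_RE = re.compile(r'^(?P<arc>[^="]+)="(?P<desc>[^"]*)"(?P<switches>.*)$')


def _default_arc(lines):
    """ARC path named by the default= line of [boot loader]."""
    for line in lines:
        if line.lower().startswith("default="):
            return line.split("=", 1)[1].strip()
    raise ValueError("boot.ini has no default= line")


def add_alternate_shell_entry(text):
    """Return boot.ini text with an extra entry that boots the default
    installation with /SAFEBOOT:MINIMAL(ALTERNATESHELL). Idempotent:
    if such an entry already exists the text is returned unchanged."""
    newline = "\r\n" if "\r\n" in text else "\n"
    lines = text.splitlines()
    arc = _default_arc(lines)
    if any(l.startswith(arc) and SAFEBOOT_SWITCH.lower() in l.lower() for l in lines):
        return text
    base = None
    for line in lines:
        m = _ENTRY_RE.match(line)
        if m and m.group("arc") == arc:
            base = m
            break
    if base is None:
        raise ValueError("no [operating systems] entry matches default= (%s)" % arc)
    switches = (base.group("switches").strip() + " " + SAFEBOOT_SWITCH).strip()
    new_entry = '%s="%s (Command Prompt)" %s' % (arc, base.group("desc"), switches)
    # Append after the last non-blank line so it lands in [operating systems].
    last = max(i for i, l in enumerate(lines) if l.strip())
    lines.insert(last + 1, new_entry)
    return newline.join(lines) + newline


def update_boot_ini_file(path="C:\\boot.ini"):
    """Steps 1-5 of the FAQ on a real file: clear the read-only/system/hidden
    attributes, rewrite boot.ini, then put the attributes back. Windows only."""
    if os.name != "nt":
        raise OSError("boot.ini editing only applies on Windows")
    subprocess.check_call(["attrib", "-r", "-s", "-h", path])
    try:
        # newline="" keeps the CRLF line endings NTLDR expects.
        with open(path, "r", encoding="mbcs", newline="") as f:
            text = f.read()
        with open(path, "w", encoding="mbcs", newline="") as f:
            f.write(add_alternate_shell_entry(text))
    finally:
        subprocess.check_call(["attrib", "+r", "+s", "+h", path])


if __name__ == "__main__":
    print(add_alternate_shell_entry(SAMPLE_BOOT_INI))
```

Run it against the sample to preview the result before pointing update_boot_ini_file at the real C:\boot.ini; keep a copy of the original boot.ini, since a malformed file leaves the machine unbootable without a boot floppy or the Recovery Console.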
* WINDOWS 2000 SECURITY: DON'T SHOOT YOURSELF IN THE FOOT WITH GROUP POLICY SECURITY SETTINGS, PART 1
Recently, when Randy Franklin Smith presented a Windows 2000 security seminar, one of his students made a simple change to user rights assignments in Group Policy, and Randy discovered how easy it is to lock everyone out of an Active Directory (AD) domain. The incident taught Randy how important it is to use strict change-management controls, to follow the least-privilege doctrine, and to implement some fail-safe measures in AD to protect domain controllers (DCs). To find out how Randy recovered from this situation, read his latest article on our Web site!
http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=21656

* SOHO SECURITY: ZOMBIE ATTACKERS
While researching Spyware, Part 1 and Part 2, Jonathan Hassell explored the Gibson Research Corporation Web site. Steve Gibson, an assembly language programmer and noted advocate for consumer privacy on the Internet, is also interested in the security of systems connected to the Internet. Recently, script kiddies attacked his Web site (script kiddies are young crackers who maliciously knock Web sites offline). Unlike most victims of an Internet assault, Gibson dissected and analyzed the attack. On his Web site, Gibson describes what he did to find out how the script kiddies mounted a Distributed Denial of Service (DDoS) attack on his systems, and he shares what he did to protect his Web site in the future. To find out how, be sure to read Jonathan Hassell's latest article on our Web site!
http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=21629

6. ========== NEW AND IMPROVED ==========
(contributed by Scott Firestone, IV, productsat_private)

* DATA ENCRYPTION AND SMART CARD TECHNOLOGY
WinMagic and Datakey announced integration of the Datakey Certified Internet Professional (CIP) system with WinMagic's SecureDoc 2.5 disk encryption software. The software encrypts all data written to the disks. Users don't have to save files to certain folders or drives for the software to encrypt the files. SecureDoc 2.5 runs on Windows 2000, Windows NT, Windows Me, and Windows 9x systems. For pricing, contact WinMagic at 905-502-7000 ext. 222.
http://www.winmagic.com

* TRACK PC USE
Alexander Jmerik released Boss Everyware 2.3, security software that records how people use a PC. The software keeps a log of which programs each user runs and how much time they've spent in those programs. The software is password-protected, and only the network administrator can access it. Boss Everyware 2.3 runs on Windows 2000, Windows NT, Windows Me, and Windows 9x systems. Pricing starts at $49 for a single-user license. Contact Alexander Jmerik at infoat_private
http://boss.dids.com

7. ==== HOT THREADS ====

* WINDOWS 2000 MAGAZINE ONLINE FORUMS
http://www.win2000mag.net/forums

Featured Thread: Security Overview
(Four messages in this thread)
A user wants recommendations for books that provide an overview of most IT security aspects (e.g., firewalls, Secure Sockets Layer (SSL), and demilitarized zones (DMZs)); the security aspects of FTP, HTTP, HTTPS, POP3, and SMTP; and SSH and Telnet (e.g., how they work and their vulnerabilities). The books he has come across don't provide details that a beginner or intermediate person in the security field can grasp. Read the responses or lend a hand at the following URL:
http://www.win2000mag.net/forums/rd.cfm?app=64&id=70864

* HOWTO MAILING LIST
http://www.windowsitsecurity.com/go/page_listserv.asp?s=HowTo

Featured Thread: Event ID 643
(Two messages in this thread)
This user found an item in the Event Log with Event ID 643. Typically, this ID reflects a condition in which an administrator has changed the domain's password requirements or lockout policy. However, this user said this wasn't the case, so he suspects the event might be related to local policy changes, but he is uncertain what type of changes to a local machine might trigger the logging of Event ID 643. Can you help? Read the responses or lend a hand at the following URL:
http://63.88.172.96/go/page_listserv.asp?A2=IND0107A&L=HOWTO&P=572

8. ==== CONTACT US ====
Here's how to reach us with your comments and questions:
* ABOUT THE COMMENTARY -- markat_private
* ABOUT THE NEWSLETTER IN GENERAL -- tfaubionat_private; please mention the newsletter name in the subject line.
* TECHNICAL QUESTIONS -- http://www.win2000mag.net/forums
* PRODUCT NEWS -- productsat_private
* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? -- Email Customer Support at securityupdateat_private
* WANT TO SPONSOR Security UPDATE? emedia_oppsat_private

********************
Receive the latest information about the Windows 2000 and Windows NT topics of your choice. Subscribe to our other FREE email newsletters.
http://www.win2000mag.net/email

|-+-+-+-+-+-+-+-+-+-|
Thank you for reading Security UPDATE.
___________________________________________________________
Copyright 2001, Penton Media, Inc.

ISN is hosted by SecurityFocus.com
---
To unsubscribe email isn-unsubscribeat_private
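Returning to the cipher.exe item in the Commentary: the following Python model is an added example (not Microsoft's code and not from the newsletter) of the mechanism the column describes. It treats a volume as fixed-size clusters plus an allocation bitmap and shows three things: deleting a file only clears bitmap bits, so its bytes can still be carved out of free clusters; overwriting every unallocated cluster, which is what the updated cipher.exe does with its /w switch (cipher /w:C:\ wipes the free space of the volume holding that directory, writing zeros, then 0xFF, then random data), makes them unrecoverable; and clusters that are still allocated, including the slack at the end of a live file, are not touched, so a free-space wipe is a complement to securely deleting sensitive files, not a substitute. The cluster size, file names and payload are constructed for the example.

```python
"""Why a deleted file stays recoverable, and what a free-space wipe does.

ToyVolume is a model of the behaviour described in the text, not NTFS.
"""
import os

CLUSTER_SIZE = 512


class ToyVolume:
    """Fixed-size clusters plus an allocation bitmap."""

    def __init__(self, clusters):
        self.data = bytearray(CLUSTER_SIZE * clusters)
        self.allocated = [False] * clusters
        self.files = {}  # name -> (cluster list, byte length)

    def write_file(self, name, payload):
        needed = max(1, -(-len(payload) // CLUSTER_SIZE))  # ceiling division
        free = [c for c, used in enumerate(self.allocated) if not used]
        if len(free) < needed:
            raise IOError("disk full")
        clusters = free[:needed]
        for k, c in enumerate(clusters):
            chunk = payload[k * CLUSTER_SIZE:(k + 1) * CLUSTER_SIZE]
            start = c * CLUSTER_SIZE
            # Only the bytes written change; the tail of the last cluster
            # (file slack) keeps whatever was there before.
            self.data[start:start + len(chunk)] = chunk
            self.allocated[c] = True
        self.files[name] = (clusters, len(payload))

    def read_file(self, name):
        clusters, length = self.files[name]
        out = bytearray()
        for c in clusters:
            out += self.data[c * CLUSTER_SIZE:(c + 1) * CLUSTER_SIZE]
        return bytes(out[:length])

    def delete_file(self, name):
        # What delete really does: release the clusters, leave the bytes.
        clusters, _ = self.files.pop(name)
        for c in clusters:
            self.allocated[c] = False

    def carve(self, marker):
        """Forensic-style search of unallocated clusters for a byte marker."""
        hits = []
        for c, used in enumerate(self.allocated):
            start = c * CLUSTER_SIZE
            if not used and marker in self.data[start:start + CLUSTER_SIZE]:
                hits.append(c)
        return hits

    def wipe_unallocated(self, passes=(b"\x00", b"\xff", None)):
        """Overwrite every unallocated cluster once per pass (None = random).
        The default passes mirror what cipher /w is documented to write:
        zeros, then 0xFF, then random data. Allocated clusters are untouched."""
        wiped = 0
        for c, used in enumerate(self.allocated):
            if used:
                continue
            start = c * CLUSTER_SIZE
            for pattern in passes:
                fill = os.urandom(CLUSTER_SIZE) if pattern is None else pattern * CLUSTER_SIZE
                self.data[start:start + CLUSTER_SIZE] = fill
            wiped += 1
        return wiped


def demo():
    """Delete a file, show it is still carvable, wipe free space, show it is not."""
    vol = ToyVolume(clusters=16)
    vol.write_file("keep.txt", b"this file stays allocated")   # cluster 0
    vol.write_file("payroll.xls", b"PAYROLL-2001 " * 60)       # 780 bytes: clusters 1-2
    vol.delete_file("payroll.xls")
    before = vol.carve(b"PAYROLL-2001")
    wiped = vol.wipe_unallocated()
    after = vol.carve(b"PAYROLL-2001")
    return {
        "recoverable_before": before,   # clusters the marker was carved from
        "clusters_wiped": wiped,        # every cluster except keep.txt's
        "recoverable_after": after,     # nothing left to carve
        "keep_intact": vol.read_file("keep.txt") == b"this file stays allocated",
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On a real Win2K system the equivalent of demo() is: confirm with a recovery tool that a deleted file is still there, run cipher /w against a directory on that volume, then confirm it is gone. Expect the wipe to take a long time on a large, mostly empty volume, since it has to write the whole free space three times.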
This archive was generated by hypermail 2b30 : Thu Jul 12 2001 - 03:28:41 PDT