********************
Windows 2000 Magazine Security UPDATE--brought to you by Security Administrator, a print newsletter bringing you practical, how-to articles about securing your Windows 2000 and NT systems.
http://www.secadministrator.com
********************

August 1, 2001--In this issue:

1. IN FOCUS
   - Tighten Your System Security Now!

2. SECURITY RISKS
   - Unchecked Buffer in Windows Media Player
   - DoS in Microsoft's Remote Procedure Call
   - DoS Condition in Windows Terminal Services
   - DoS Condition in Microsoft Services for UNIX 2.0

3. ANNOUNCEMENTS
   - Weaving a Tangled Web?
   - Free Research Delivered to Your Email Inbox

4. SECURITY ROUNDUP
   - News: Windows Product Activation: The Enemy Within
   - News: Microsoft Unleashes a .NET Hailstorm
   - Review: Disk-Imaging Solutions

5. SECURITY TOOLKIT
   - Book Highlight: Incident Response: Investigating Computer Crime
   - Virus Center:
     - Virus Alert: W32/Prolin.A
   - Tip: Changing Passwords in Untrusted Domains
   - Windows 2000 Security: Don't Shoot Yourself in the Foot with Group Policy Security Settings, Part 2
   - SOHO Security: Encryption Basics

6. NEW AND IMPROVED
   - Prevent Vulnerable Password Selection
   - USB Security Key

7. HOT THREADS
   - Windows 2000 Magazine Online Forums
     - Featured Thread: Blank Audit Events in Security Event Log
   - HowTo Mailing List
     - Featured Thread: How to Log On to an NT DC over Secure Remote

8. CONTACT US
   See this section for a list of ways to contact us.

1. ==== COMMENTARY ====

Hello everyone,

Last week, I mentioned that I had received no fewer than two dozen copies of the Sircam worm in email. This week the count has risen to more than eight dozen, and copies of the worm are arriving in my inbox even as I write this editorial. If you haven't checked into the Sircam worm at our online Virus Center, be sure to do so--or at least take my email address out of your Outlook address book!
http://22.214.171.124/panda/index.cfm?fuseaction=virus&virusID=1104

Also last week, I discussed the Code Red worm, which affects unpatched Microsoft IIS Web servers. Two variants of the worm have been discovered, and many entities (e.g., Microsoft, the National Infrastructure Protection Center--NIPC, the Computer Emergency Response Team--CERT) think someone might launch the two Code Red worm variants on July 31. Code Red is a date-driven worm that deactivates itself after day 27 of a given month. However, because CERT has received reports of Code Red attacks from July 28 through 30, CERT suspects that Code Red has infected many IIS Web servers whose system dates are set incorrectly. If the dates were set correctly, the worm should be inactive--apparently, it's not. Therefore, CERT and others think the worm is likely to flare up, either through nondormant copies of Code Red or because someone releases one of the two known variants onto the Internet.

Getting rid of the Code Red worm is easy because it's a memory-resident worm--it's not stored in a disk file, so a reboot clears it. But the order matters: a reboot without the patch only clears the worm until the next infected host scans you, which on today's Internet is a matter of minutes. Apply the IIS patch that Microsoft released 6 weeks ago first, then reboot:

Windows 2000:
http://www.microsoft.com/downloads/release.asp?releaseID=30800
Windows NT 4.0:
http://www.microsoft.com/downloads/release.asp?releaseID=30833

Speaking of IIS, Microsoft has a utility available, called IISLock, that helps you better secure your IIS systems. Microsoft released the tool in March 2000, and it's available on Microsoft's Web site (see the first URL at the end of this paragraph). If you follow the NTBugtraq mailing list, you're probably aware that the list moderator, Russ Cooper, has released a Visual Basic (VB) script that also helps secure an IIS system.
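Patching and locking down IIS closes the hole; the other half of the job is finding out whether Code Red has already been hammering on your servers. The following script is an added example for this column, not code from the newsletter, from Microsoft, or from NTBugtraq: it parses IIS W3C extended log lines and flags requests for .ida/.idq resources whose query string has the worm's shape (a run of a few hundred filler characters, N in the first variants and X in a later one, followed by %u-encoded code), and separates probes the server answered with 200 from ones it turned away. The log lines are constructed for the demonstration, the "accepted"/"rejected" labels and the 100-character filler threshold are this example's own choices, and the parser takes field names from the #Fields: header so it works on your own logs whatever field order you've enabled.

```python
"""Scan IIS W3C extended log lines for Code Red style requests to .ida/.idq.

Added example; not code from the newsletter, Microsoft, or NTBugtraq.
"""
import re
from collections import Counter

# Constructed sample log lines (not real traffic). The field order is the W3C
# extended layout IIS 4/5 write by default, trimmed to the fields used here.
# The long queries mimic the shape of a Code Red probe: hundreds of filler
# bytes (N in the first variants, X in a later one) followed by %u-encoded code.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-07-19 10:12:01 10.0.0.7 GET /default.htm - 200
2001-07-19 10:12:09 192.0.2.44 GET /default.ida {n}%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u0000%u00=a 200
2001-07-19 10:13:30 198.51.100.9 GET /default.ida {x}%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u0000%u00=a 404
2001-07-19 10:14:02 10.0.0.7 GET /search.idq CiRestriction=hello&CiScope=%2f 200
2001-07-19 10:15:47 192.0.2.44 GET /default.ida {n}%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u0000%u00=a 200
""".format(n="N" * 224, x="X" * 224)

# A Code Red query starts with a long run of one filler character and carries
# %u-encoded shellcode; ordinary Index Server queries look nothing like this.
# The 100-character minimum is an arbitrary threshold chosen for this example.
IDA_PROBE = re.compile(r"^(N{100,}|X{100,}).*%u[0-9a-f]{4}", re.IGNORECASE)


def parse_w3c(lines):
    """Yield one dict per data line, keyed by the names in the #Fields: header."""
    fields = None
    for line in lines:
        line = line.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # a restarted server writes a new header
            continue
        if line.startswith("#"):
            continue                    # #Software, #Version, #Date directives
        if fields is None:
            raise ValueError("data line precedes #Fields: header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue                    # skip a truncated line, keep scanning
        yield dict(zip(fields, values))


def classify(record):
    """Return 'accepted', 'rejected' or None for one parsed log record."""
    stem = record.get("cs-uri-stem", "").lower()
    if not stem.endswith((".ida", ".idq")):
        return None
    if not IDA_PROBE.search(record.get("cs-uri-query", "")):
        return None
    # A 200 means idq.dll took the request, which on an unpatched server is the
    # overflow firing. Anything else means the request was turned away, e.g.
    # because the .ida/.idq script mappings were removed as the IIS checklist
    # recommends; it says nothing about whether the server is patched.
    return "accepted" if record.get("sc-status") == "200" else "rejected"


def scan(lines):
    """Return (verdict counts, probe counts per source IP) for log lines."""
    verdicts = Counter()
    sources = Counter()
    for record in parse_w3c(lines):
        verdict = classify(record)
        if verdict is not None:
            verdicts[verdict] += 1
            sources[record["c-ip"]] += 1
    return verdicts, sources


if __name__ == "__main__":
    counts, per_ip = scan(SAMPLE_LOG.splitlines())
    print("probes answered 200:", counts["accepted"])
    print("probes turned away: ", counts["rejected"])
    for ip, n in per_ip.most_common():
        print(f"  {ip}: {n} request(s) to .ida/.idq")
```

Point `scan()` at a real log file (for example `scan(open(path))`) rather than the embedded sample. A probe that came back 200 is one that found idq.dll still answering on that box at that moment, which is your cue to confirm the patch is installed and the script mappings are gone before the next sweep; a rejected probe tells you only that someone is scanning you.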
According to Cooper, SecuredIIS.vbs implements many of the recommended configuration settings found in the Microsoft IIS 4.0 Security Checklist (see the second URL), plus a few additional settings that Cooper thinks are prudent. You can download the script from the NTBugtraq Web site (see the third URL).
http://www.microsoft.com/downloads/release.asp?releaseID=19889
http://www.microsoft.com/technet/itsolutions/security/tools/iischk.asp
http://ntbugtraq.ntadvice.com/download/securedIIS.zip

Finally, this week I learned about a new book, "The Unofficial Guide to Ethical Hacking," that will be available soon. Although several great security-related books are currently on the market, this book is unique because its author, Ankit Fadia, was 14 years old when he wrote it, making him India's youngest author ever published. Fadia, now 16, recently drew the interest of Macmillan India, who agreed to publish the book. Although I haven't been able to locate a full table of contents for the book, I did find that Fadia has a Web site with three sample sections of the book (see the URL at the end of this paragraph). I looked at the samples and found them informative. One section covers Windows-related tips and tricks, the second explains viruses in detail, and the third explains how to crack the Windows screen saver password without software assistance--a good lesson in basic cryptographic analysis. If nothing else, check out the tips and tricks section, where you might learn a few interesting registry tweaks.
http://hackingtruths.box.sk/book.htm

Until next time, have a great week.

Sincerely,
Mark Joseph Edwards, News Editor, markat_private

2. ==== SECURITY RISKS ====
(contributed by Ken Pfeil, kenat_private)

* UNCHECKED BUFFER IN WINDOWS MEDIA PLAYER
An unchecked buffer exists in one of the functions that processes Microsoft Windows Media Station (.nsc) files for certain Windows Media Player (WMP) versions.
An attacker can use this overflow condition to execute malicious code on the user's system. This code can then take any action on the system that the logged-on user can take. Microsoft has released security bulletin MS01-042 to address this vulnerability and recommends that users apply the patch that's relevant for their system. For more details, see the following URL:
http://www.WindowsITsecurity.com/articles/index.cfm?articleID=21964

* DOS IN MICROSOFT'S REMOTE PROCEDURE CALL
Several of the remote procedure call (RPC) servers associated with services on certain Microsoft Exchange Server, SQL Server, Windows 2000, and Windows NT systems might not validate input properly. In some cases, these servers accept invalid input that disrupts normal processing of legitimate requests; the specific invalid values vary from one RPC server to another. An attacker can exploit this vulnerability by repeatedly sending such invalid RPC requests, causing a Denial of Service (DoS) condition. Microsoft has released security bulletin MS01-041 to address this vulnerability and recommends that users apply each patch that's relevant to their system; the bulletin covers several products, so a system running more than one of them needs more than one patch. For more details, see the following URL:
http://www.WindowsITsecurity.com/articles/index.cfm?articleID=21965

* DOS CONDITION IN WINDOWS TERMINAL SERVICES
A memory leak exists in one of the functions used to process TCP checksums on incoming RDP data on port 3389 of Windows 2000 Server and Windows NT Server 4.0, Terminal Server Edition. Every time a malformed RDP packet of a particular form reaches the server, the process leaks a small amount of memory. By sending such packets repeatedly, an attacker can exhaust the server's memory and cause it to stop responding, resulting in a Denial of Service (DoS) condition. Because the attack needs nothing more than reachability of TCP port 3389, blocking that port at the firewall for servers that don't need remote administration from outside is a worthwhile complement to the patch.
Microsoft has released security bulletin MS01-040 to address this vulnerability and recommends that users apply the patch that's relevant to their system. For more details, see the following URL:
http://www.WindowsITsecurity.com/articles/index.cfm?articleID=21948

* DOS CONDITION IN MICROSOFT SERVICES FOR UNIX 2.0
A vulnerability exists in both the Telnet and NFS service components of Microsoft Services for UNIX 2.0. An attacker can exploit it to trigger memory leaks in both services; by repeating the requests, the attacker can exhaust the server's resources, resulting in a Denial of Service (DoS) condition. Microsoft has released security bulletin MS01-039 to address this vulnerability and recommends that users apply the patch that's relevant to their system. For more details, see the following URL:
http://www.WindowsITsecurity.com/articles/index.cfm?articleID=21928

3. ==== ANNOUNCEMENTS ====

* WEAVING A TANGLED WEB?
Our newly launched Web site, WebSpherePro.com, can help you unravel the Web with practical, how-to information about developing and deploying Web and enterprise applications for IBM's WebSphere Application Server. Check out the new Web site, and sign up to receive our FREE WebSphereWire and WebSpherePro email newsletters. You can also sign up to get a free premiere issue of WebSphere Professional magazine!
http://www.webspherepro.com

* FREE RESEARCH DELIVERED TO YOUR EMAIL INBOX
Make informed choices about new technology with a free subscription to Research UPDATE. This HTML-based, biweekly newsletter delivers analysis and forecasting on the hottest topics and trends in the IT industry. Subscribe today!
http://www.win2000mag.net/email/index.cfm?id=18

4. ==== SECURITY ROUNDUP ====

* NEWS: WINDOWS PRODUCT ACTIVATION: THE ENEMY WITHIN
It started with the international versions of Microsoft Office 2000 and crept into Office XP.
Michael Otey first wrote about it in his editorial, "Where the Real Monopoly Is," Windows 2000 Magazine, June 2001. Since then, Otey has learned more about what he calls "forced registration," and it has spread beyond Office. Microsoft plans to include this antipiracy technology in Windows XP, where it's known as Microsoft Product Activation or Windows Product Activation (WPA). For more details, see the following URL:
http://www.win2000mag.com/articles/index.cfm?articleID=21579

* NEWS: MICROSOFT UNLEASHES A .NET HAILSTORM
Microsoft recently rolled out concrete plans for its .NET strategy, code-named Hailstorm, which will let the software giant make the transition from a maker of shrinkwrapped software to a company that provides software services over the Internet. Hailstorm will include base services such as email, instant messaging, alerts and notifications, calendar and address book functions, and file storage, as well as premium services that the company has yet to identify. For more details, see the following URL:
http://www.win2000mag.com/articles/index.cfm?articleID=21511

* REVIEW: DISK-IMAGING SOLUTIONS
Disk-imaging programs have been a boon to administrators tasked with deploying PCs in their organization. You configure a system the way you want it, then copy the hard disk's contents (i.e., the image) to another system's hard disk so that the second system is configured the same as the first. Although the basics haven't changed since cloning software's inception, the mechanisms for copying and deploying images have become sophisticated. Some imaging software vendors even incorporate backup, restore, and application-deployment facilities into their products. These new features promise to help administrators deploy images faster and make computer maintenance easier than previously possible.
Ed Roth tested Altiris eXpress 5, PowerQuest Drive Image Pro 4.0, SoftStorage Solutions (formerly IT Infusion) ImageCast, and Symantec Ghost 6.5.1 to see how they handle a variety of cloning tasks. Be sure to read the review on our Web site!
http://www.win2000mag.com/articles/index.cfm?articleID=20876

5. ==== SECURITY TOOLKIT ====

* BOOK HIGHLIGHT: INCIDENT RESPONSE: INVESTIGATING COMPUTER CRIME
By Chris Prosise, Kevin Mandia
List Price: $39.99
Fatbrain Online Price: $31.99
Softcover; 512 pages
Published by McGraw-Hill Professional Book Group, July 2001
ISBN 0072131829
For more information or to purchase this book, go to
http://www1.fatbrain.com/asp/bookinfo/bookinfo.asp?theisbn=0072131829
and enter WIN2000MAG as the discount code when you order the book.

* VIRUS CENTER
Panda Software and the Windows 2000 Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security.
http://www.WindowsITsecurity.com/panda

Virus Alert: W32/Prolin.A
W32/Prolin.A is a worm that uses email to spread to other systems. The worm sends itself to all the entries in the infected user's Microsoft Outlook address book. In addition, the worm renames the extensions of all .jpg, .mp3, and .zip files found on the affected system. If the email recipient has a yahoo.com address, the message characteristics vary. For more details, see the following URL:
http://126.96.36.199/panda/index.cfm?fuseaction=virus&virusID=809

* TIP: CHANGING PASSWORDS IN UNTRUSTED DOMAINS
(contributed by James Turner, jamesdturnerat_private)

Q. My company has put a freeze on creating trusts in our Windows NT Server 4.0 environment, but users in our domain need access to files and applications in another domain. Setting up local accounts, passwords, shares, and permissions in the other domain isn't a problem. However, users need to be able to change their passwords in the untrusted domain.

A.
A simple solution exists that also works for changing passwords in trusted domains. Log on to your local domain, and press Ctrl+Alt+Del. In the resulting window, click Change Password, and in the User name text box, input the account ID of the user's account in the untrusted domain (e.g., userID1). In the Domain text box, input the PDC's name (e.g., pdcmydomain). In the Old Password text box, enter the current password for the untrusted domain, then enter the new password in the New Password text box. Re-enter the new password in the Confirm New Password text box, and click OK. For this solution to work, you must enable DNS.

* WINDOWS 2000 SECURITY: DON'T SHOOT YOURSELF IN THE FOOT WITH GROUP POLICY SECURITY SETTINGS, PART 2
Nowhere is change control more important than in Active Directory (AD) and Group Policy: a directory service (i.e., AD) and a centralized configuration solution (i.e., Group Policy) are fundamental to your IT infrastructure. However, many systems administrators make the mistake of implementing changes in production without a review-and-release cycle that includes peer review and advance maintenance announcements. Change control has always been strong in the mainframe world, but it has never fully matured in the Windows world. Unfortunately, as the opening example in Part 1 of Randy Smith's article illustrated, Windows 2000 can make a potentially devastating and wide-ranging change appear simple and harmless. Learn how to avoid the pitfalls in Part 2 of this series.
http://www.WindowsITsecurity.com/articles/index.cfm?articleID=21834

* SOHO SECURITY: ENCRYPTION BASICS
In previous small office/home office (SOHO) columns, Jonathan Hassell discussed encryption as it relates to Pretty Good Privacy (PGP) and secure email. Many readers have asked for further details describing exactly how encryption works.
Although doing justice to such a complex topic is difficult, you can use this SOHO security column as a primer on using encryption to secure your data. Learn some of the basics of encryption in the SOHO column on our Web site.
http://www.WindowsITsecurity.com/articles/index.cfm?articleID=21953

6. ========== NEW AND IMPROVED ==========
(contributed by Scott Firestone, IV, productsat_private)

* PREVENT VULNERABLE PASSWORD SELECTION
MDD released Password Bouncer Standard Edition, a centralized management console that prevents users from selecting vulnerable passwords that intruders can easily guess and crack. The console screens and validates passwords against a 300,000-word English wordlist and a 4000-word proper noun wordlist. Password Bouncer Standard runs on Windows 2000 and Windows NT systems and is licensed on an annual, nonperpetual subscription at $995. Contact MDD at 925-831-4746.
http://www.mddinc.com

* USB SECURITY KEY
PlayApp is offering its PlayApp Key as a USB device that consumers can use to generate and remember all their personal passwords, encryption codes, and Pretty Good Privacy (PGP) passphrases. The PlayApp Key requires the PlayApp Player software, which lets you download digital books, music, videos, business applications, and streaming channels from the PlayApp Web page. The PlayApp Key supports Windows 2000, Windows Me, and Windows 9x systems and costs $44. Contact PlayApp at 214-704-3397.
http://www.playapp.com

7. ==== HOT THREADS ====

* WINDOWS 2000 MAGAZINE ONLINE FORUMS
http://www.win2000mag.net/forums

Featured Thread: Blank Audit Events in Security Event Log
(Three messages in this thread)
A user has noticed a strange event in the security event logs. The log has recorded some successful logons, but the username, domain, and workstation name fields are blank in the event's description field.
Read more about the problem and the responses, or lend a hand at the following URL:
http://www.win2000mag.net/forums/rd.cfm?app=64&id=73849

* HOWTO MAILING LIST
http://www.WindowsITsecurity.com/go/page_listserv.asp?s=HowTo

Featured Thread: How to Log On to an NT Domain Controller Over Secure Remote
(Four messages in this thread)
This user needs to perform administrative tasks against a remote SQL Server installation using Secure Remote. However, the SQL Server requires NT LAN Manager (NTLM) authentication, which relies on a domain controller (DC)-based database of user accounts. The user wants to know how to log on to the domain remotely using Secure Remote so that his attempt to connect to the SQL Server isn't rejected because of a failure to authenticate with the domain. Can you help? Read the responses or lend a hand at the following URL:
http://188.8.131.52/go/page_listserv.asp?A2=IND0107D&L=HOWTO&P=703

8. ==== CONTACT US ====
Here's how to reach us with your comments and questions:
* ABOUT THE COMMENTARY -- markat_private
* ABOUT THE NEWSLETTER IN GENERAL -- mlibbeyat_private; please mention the newsletter name in the subject line.
* TECHNICAL QUESTIONS -- http://www.win2000mag.net/forums
* PRODUCT NEWS -- productsat_private
* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? -- Email Customer Support at securityupdateat_private
* WANT TO SPONSOR SECURITY UPDATE? emedia_oppsat_private

********************
Receive the latest information about the Windows 2000 and Windows NT topics of your choice. Subscribe to our other FREE email newsletters.
http://www.win2000mag.net/email

|-+-+-+-+-+-+-+-+-+-|

Thank you for reading Security UPDATE.

SUBSCRIBE
To subscribe send a blank email to subscribe-Security_UPDATEat_private

If you have questions or problems with your UPDATE subscription, please contact securityupdateat_private

___________________________________________________________
Copyright 2001, Penton Media, Inc.
- ISN is currently hosted by Attrition.org
To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Mon Aug 06 2001 - 04:58:04 PDT