********************
Windows 2000 Magazine Security UPDATE--brought to you by Security Administrator, a print newsletter bringing you practical, how-to articles about securing your Windows 2000 and NT systems.
http://www.secadministrator.com
********************

~~~~ THIS ISSUE SPONSORED BY ~~~~
IBM Infrastructure
http://go.win2000mag.net/UM/T.asp?A2153.23115.1296.1.532985
~~~~~~~~~~~~~~~~~~~~

~~~~ IBM INFRASTRUCTURE ~~~~
Not worried about hackers? You should be. Because they can put your e-business out of business. If your customers don't feel comfortable dealing with you online, they'll work with someone else. With IBM infrastructure, you'll have the security your company needs to operate effectively and to keep your clients comfortable. Your networks and servers are the backbone of your company. It's time you treated them that way. In today's ever-changing e-environment, keeping network security tight is something that can't be ignored. So is keeping your clients happy. Find out more from our latest security white paper today.
http://go.win2000mag.net/UM/T.asp?A2153.23115.1296.1.532985
********************

August 8, 2001--In this issue:

1. COMMENTARY
- Surprise: Code Red II

2. SECURITY RISKS
- Command History Vulnerability in Windows 2000 and Windows NT

3. ANNOUNCEMENTS
- Get 25 Percent Off Windows 2000 Magazine!
- Tired of the Same Old Sales Pitch?

4. SECURITY ROUNDUP
- News: Code Red II Worm on the Loose
- News: Orbit Secures DirecPC Satellite Internet Service
- News: Government Mulls Requesting Court to Block Windows XP

5. SECURITY TOOLKIT
- Book Highlight: Counter Hack: A Step-By-Step Guide to Computer Attacks and Effective Defenses
- Virus Center
- Virus Alert: W32/MSInit.A
- FAQ: Do I Have to Call Microsoft If I've Lost My Windows 2000 Server Terminal Services License Tokens?
- Windows 2000 Security: Code Red and Proactive Security

6. NEW AND IMPROVED
- Detect Trojan Horses
- Learn About ISA Server

7.
HOT THREADS
- Windows 2000 Magazine Online Forums - Featured Thread: Unlocking Security Policy
- HowTo Mailing List - Featured Thread: How to Disable HTTP and SMTP Banner Version Information

8. CONTACT US
See this section for a list of ways to contact us.

1. ==== COMMENTARY ====

Hello everyone,

You've probably read the news by now: A new version of the Code Red worm, dubbed Code Red II, is spreading rapidly across the Internet. Is that news any surprise? The new Code Red worm is far more dangerous than previous versions--it spreads more effectively and also installs a Trojan horse that creates back doors within Microsoft IIS.

On Monday, we posted a survey on our Windows 2000 Magazine Security Channel home page that asks whether any version of the Code Red worm has infected your systems. (See the list of resources at the end of this column for all related URLs.) As of today, 9 people have admitted that the worm has infected their systems. If you ask me, that's 9 too many. If you haven't patched your IIS systems to protect against the Code Red worm, this is the time to do so. You'll find a link to the Microsoft security bulletin MS01-033 and patch in the related news item in the Security Roundup section of this newsletter. Also, be sure to read Randy Franklin Smith's article, "Code Red and Proactive Security" on the Security Channel Web page--it's good advice. (See the first paragraph of his article and the URL to the Web site in the Security Toolkit section of this newsletter.)

Speaking of patches, I've read several recent posts on the Bugtraq mailing list that indicate a problem might exist with the Microsoft patch listed in Microsoft Bulletin MS01-033. A few people have reported that after they installed the patch, their systems remain immune to Code Red infection.
However, when an infected system attempts to connect to their system to infect it, several IIS services (e.g., FTP, the default Web site, the administrative Web site, and the proxy service) stop processing.

In addition, users on our Win2KSecAdvice mailing list report that Code Red worm variants are affecting Cisco 600 series routers because the routers use a Web service on port 80. Users report that even when their routers run Cisco's latest firmware revision (generally CBOS 2.4.2, depending on the router) and they have disabled the Web interface, the routers stop passing traffic when the worm confronts them. Some readers have suggested workarounds that help deter the effects of the Code Red worm.

If you're interested in a detailed analysis of how the new Code Red II operates, read eEye Digital Security's Code Red II report, which we published on our Win2KSecAdvice mailing list last weekend. In addition, the Computer Emergency Response Team (CERT) has published a good overview of how the Code Red worm works.

Until next time, have a great week.

Resources:

Security: Poll
http://www.WindowsITsecurity.com

Microsoft Bulletin MS01-033
http://www.securityfocus.com/templates/archive.pike?list=1

Win2KSecAdvice--Code Red II workarounds
http://188.8.131.52/go/win2ks-l.asp?a1=ind0108a&l=win2ksecadvice

eEye Digital Code Red II Report
http://184.108.40.206/go/win2ks-l.asp?a2=ind0108a&l=win2ksecadvice&p=1173

CERT Incident Note
http://www.cert.org/incident_notes/IN-2001-09.html

Sincerely,
Mark Joseph Edwards, News Editor, markat_private

2. ==== SECURITY RISKS ====
(contributed by Ken Pfeil, kenat_private)

* COMMAND HISTORY VULNERABILITY IN WINDOWS 2000 AND WINDOWS NT
Siffredi Dani reported that a vulnerability exists in Windows 2000 and Windows NT that lets a user crash the system by opening a command prompt, running certain commands (e.g., ping, dir), and pressing F7 repeatedly during the command's execution.
Depending on the system's configuration, Win2K or NT will either reboot or display the blue screen common to system crashes. Microsoft is aware of the vulnerability but hasn't released a fix or workaround for this problem.
http://www.WindowsITsecurity.com/articles/index.cfm?articleID=22037

3. ==== ANNOUNCEMENTS ====

* GET 25 PERCENT OFF WINDOWS 2000 MAGAZINE!
Every issue of Windows 2000 Magazine is packed with superb coverage of security, Active Directory (AD), disaster recovery, Exchange (and more!) and helps you navigate the rough waters of your job with ease. Subscribe now (at 25 percent off the regular rate) and find out why your peers think we're simply the best independent resource for Windows 2000 and Windows NT professionals.
http://www.win2000mag.com/sub.cfm?code=diee201gup

* TIRED OF THE SAME OLD SALES PITCH?
Now there's a better way to find the perfect IT vendor or solution--absolutely free! The IT Buyer's Network (ITBN) lets you search through thousands of vendor solutions. You'll love the ITBN's one-stop shopping approach for hardware, network and systems software, IT services, and much more. Visit the ITBN today.
http://www.itbuynet.com

4. ==== SECURITY ROUNDUP ====

* NEWS: CODE RED II WORM ON THE LOOSE
A new worm, dubbed Code Red II, is attacking Web servers and carries an entirely different payload from the original Code Red worm. eEye Digital Security performed a detailed analysis of the Code Red II worm after the SecurityFocus ARIS Project came forward with information about the new threat. Once inside a system, Code Red II creates files in the MSDAC and SCRIPTS IIS-related directories. In addition, the worm creates a Trojan horse on the system by injecting binary code into the explorer.exe file, which runs the Win2K desktop.
http://www.WindowsITsecurity.com/articles/index.cfm?articleID=22054

* NEWS: ORBIT SECURES DIRECPC SATELLITE INTERNET SERVICE
Orbit Communications has released its new Orbitnet software, which uses a two-way satellite to connect a network of computers to the Internet through DirecPC's satellite Internet service. Targeted at small office/home office (SOHO) users, Orbitnet is a server-based application that's compatible with all Windows platforms. Orbitnet's server software runs on an Intel-based computer and provides network address translation (NAT), a firewall, a proxy server, and virus scanners. Orbit based the firewall on stateful packet-inspection technology that gives fine-grained control over a user's Internet access privileges.
http://www.WindowsITsecurity.com/articles/index.cfm?articleID=22042

* NEWS: GOVERNMENT MULLS REQUESTING COURT TO BLOCK WINDOWS XP
Quoting sources close to state and federal prosecutors, a report this weekend in The Washington Post said that the government is seriously considering asking the courts to block Windows XP's release or at least require Microsoft to modify the OS before releasing it. According to the report, lawyers from the offices of the New York, Wisconsin, and California attorneys general are conducting XP research. None of the parties involved will speak publicly about the government's legal strategy.
http://www.wininformant.com/articles/index.cfm?articleID=22050

5. ==== SECURITY TOOLKIT ====

* BOOK HIGHLIGHT: COUNTER HACK: A STEP-BY-STEP GUIDE TO COMPUTER ATTACKS AND EFFECTIVE DEFENSES
By Edward Skoudis
List Price: $49.99
Fatbrain Online Price: $39.99
Softcover; 500 pages
Published by Prentice Hall PTR, July 2001
ISBN 0130332739
For more information or to purchase this book, go to
http://www1.fatbrain.com/asp/bookinfo/bookinfo.asp?theisbn=0130332739
and enter WIN2000MAG as the discount code when you order the book.
* VIRUS CENTER
Panda Software and the Windows 2000 Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security.
http://www.WindowsITsecurity.com/panda

Virus Alert: W32/MSInit.A
W32/MSInit.A is a worm that uses a TCP/IP connection to access other systems. The worm searches for IP addresses at random. When the worm finds an IP address for a remote system that allows access to a disk where Windows is installed, the worm creates a copy of itself in the Windows\System directory of that remote system. The copy of the worm resides in a file named Wininit.exe.
http://220.127.116.11/panda/index.cfm?fuseaction=virus&virusID=798

* FAQ: DO I HAVE TO CALL MICROSOFT IF I'VE LOST MY WINDOWS 2000 SERVER TERMINAL SERVICES LICENSE TOKENS?
(contributed by John Savill, http://www.windows2000faq.com)

A. With Windows 2000 Server Terminal Services licenses, you must contact Microsoft to enable Client Access Tokens on the server. If you rebuild a Terminal Services license server, you typically must contact Microsoft to re-enable the licenses. However, Microsoft has released a hotfix at its Web site (see the first URL below) that lets you recover any future Client Access Licenses (CALs) that you apply. You must be running Win2K Service Pack 1 (SP1) or Win2K Service Pack 2 (SP2) to apply this fix. Be aware, however, that you'll still need to contact Microsoft to recover any CALs that you install before applying the hotfix if you have no backup of the license database. Microsoft has published a related news bulletin at the second URL below:
http://support.microsoft.com/support/kb/articles/Q287/6/87.asp
http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/tslichotfix.asp

* WINDOWS 2000 SECURITY: CODE RED AND PROACTIVE SECURITY
By now, you've probably read about the Code Red Web server worm and have loaded the fix on your Internet-connected Microsoft IIS servers.
Unlike a typical desktop worm, such as Melissa, the Code Red worm spreads from one Web server to another. After infecting a Web server, Code Red temporarily defaces the home page before creating 99 threads that look for other Web servers to infect. However, because Code Red uses an exploit for which a patch has been available for some time, your systems might be safe. If you've practiced proactive security (e.g., reading Microsoft security bulletins and loading recommended hotfixes on your Windows 2000 IIS servers), you were probably already protected from Code Red before its release.

Read the rest of Randy Franklin Smith's article at the following URL:
http://www.WindowsITsecurity.com/articles/index.cfm?articleID=21967

6. ==== NEW AND IMPROVED ====
(contributed by Scott Firestone, IV, productsat_private)

* DETECT TROJAN HORSES
Greatis Software released RegRun II software to manage the Windows startup processes. RegRun II consists of eight subsystems for controlling programs that load from the registry or Windows system files. You can track and manage all startup processes to detect hidden Trojan horses, viruses, or other unauthorized programs. RegRun II runs on Windows 2000, Windows NT, Windows Me, and Windows 9x systems and costs $19.95 for a single-user license. Contact Greatis Software at a-teamat_private
http://www.greatis.com

* LEARN ABOUT ISA SERVER
Microsoft Press released "MCSE Training Kit: Microsoft Internet Security and Acceleration Server 2000," a book that teaches you how to set up and support Microsoft Internet Security and Acceleration (ISA) Server 2000 to optimize network performance and security. Topics include installing ISA Server, configuring and troubleshooting ISA Server services, managing and troubleshooting policies and rules, configuring the client PC, and monitoring and managing ISA Server use. The 656-page book includes one CD-ROM and costs $59.99. Contact Microsoft Press at 800-677-7377.
http://mspress.microsoft.com

7.
==== HOT THREADS ====

* WINDOWS 2000 MAGAZINE ONLINE FORUMS
http://www.win2000mag.net/forums

Featured Thread: Unlocking Security Policy
(Three messages in this thread)
A user needs to change the user rights in Windows 2000 Professional, but when he opens the Local Security Policy, all of the subheadings have a lock next to them. He already has administrator rights and is not on a domain. Also, he needs to know how to recover or retrieve his forgotten password in Win2K Pro. Read more about the problem and the responses, or lend a hand at the following URL:
http://www.win2000mag.net/forums/rd.cfm?app=64&id=73704

* HOWTO MAILING LIST
http://www.WindowsITsecurity.com/go/page_listserv.asp?s=HowTo

Featured Thread: How to Disable HTTP and SMTP Banner Version Info
(Four messages in this thread)
As you know, versioning information recovered from service banners can help an intruder determine a more effective way of penetrating a system. In most cases, it's wise to mask this information from prying eyes. A user on the HowTo mailing list wants to know how to remove Microsoft version information from the banners presented during typical HTTP and SMTP mail sessions. With Windows releases prior to Windows 2000, you could use a hexadecimal editor to edit the text strings within the binary file used to provide a service. However, with Microsoft system file protection technology in Win2K, it's more difficult to replace the text strings because the system file protection will notice those changes and revert to an original copy of the edited file. Can you help figure out how to effectively mask such banners? Read the responses or lend a hand at the following URL:
http://18.104.22.168/go/page_listserv.asp?A2=ind0108A&L=howto&p=82

8. ==== CONTACT US ====
Here's how to reach us with your comments and questions:

* ABOUT THE COMMENTARY -- markat_private
* ABOUT THE NEWSLETTER IN GENERAL -- mlibbeyat_private; please mention the newsletter name in the subject line.
* TECHNICAL QUESTIONS -- http://www.win2000mag.net/forums
* PRODUCT NEWS -- productsat_private
* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? -- Email Customer Support at securityupdateat_private
* WANT TO SPONSOR SECURITY UPDATE? -- emedia_oppsat_private

********************
Receive the latest information about the Windows 2000 and Windows NT topics of your choice. Subscribe to our other FREE email newsletters.
http://www.win2000mag.net/email

|-+-+-+-+-+-+-+-+-+-|

Thank you for reading Security UPDATE.

SUBSCRIBE
To subscribe send a blank email to subscribe-Security_UPDATEat_private

If you have questions or problems with your UPDATE subscription, please contact securityupdateat_private

___________________________________________________________
Copyright 2001, Penton Media, Inc.

- ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Thu Aug 09 2001 - 08:16:24 PDT