******************** Windows 2000 Magazine Security UPDATE--brought to you by Security Administrator, a print newsletter bringing you practical, how-to articles about securing your Windows 2000 and NT systems. http://www.secadministrator.com ******************** ~~~~ THIS ISSUE SPONSORED BY ~~~~ Close Massive Local Security Hole in NT/2000/XP http://lists.win2000mag.net/cgi-bin3/flo?y=eH5b0CJgSH0BVg0gDY0AO Connected Home Magazine Virtual Tour http://lists.win2000mag.net/cgi-bin3/flo?y=eH5b0CJgSH0BVg0LTe0AP (below SECURITY RISKS) ~~~~~~~~~~~~~~~~~~~~ ~~~~ SPONSOR: CLOSE MASSIVE LOCAL SECURITY HOLE IN NT/2000/XP ~~~~ Did you ever consider that the same local administrator account and password is stored on every NT/2000/XP workstation in your organization? If this account were to become compromised, or one of your administrators were to leave, how would you change this backdoor account on all of your workstations? User Manager Pro for Windows NT/2000/XP makes mass changes to the local security of your workstations in minutes. FREE TRIAL: http://lists.win2000mag.net/cgi-bin3/flo?y=eH5b0CJgSH0BVg0gDY0AO ******************** October 10, 2001--In this issue: 1. IN FOCUS - The New Microsoft STPP: Is It Enough? 2. SECURITY RISKS - Excel and PowerPoint Macro-Checking Bypass - DoS in AOL Instant Messenger - DoS in Cisco Secure PIX Firewall 3. ANNOUNCEMENT - Test Your Windows XP Knowledge--Free! 4. INSTANT POLL - Results of Previous Poll: Nimda Worm - Instant Poll: Drop Microsoft IIS? 5. SECURITY ROUNDUP - News: Microsoft Announces Major Changes to Security Practices - News: Sun Lowers Costs to Woo IIS Customers - News: Sun and AOL Announce Passport Competitors - Feature: 20 Tips for Exchange 2000 Migration - Review: Enterprise Backup Solutions 6. HOT RELEASE (ADVERTISEMENT) - Sponsored by Stop Password Hackers with Password Bouncer! 7. SECURITY TOOLKIT - Virus Center - FAQ: Why Do I Receive Microsoft Passport-related Errors When I Visit Some Web Sites? 8. NEW AND IMPROVED - Manage Passwords - Establish a Secure Channel 9. HOT THREADS - Windows 2000 Magazine Online Forums - Featured Thread: Recommended Antivirus Program - HowTo Mailing List: - Featured Thread: Outlook/Exchange Connection 10. CONTACT US See this section for a list of ways to contact us. ~~~~~~~~~~~~~~~~~~~~ 1. ==== COMMENTARY ==== Hello everyone, You've no doubt heard the news by now: Microsoft launched the Strategic Technology Protection Program (STPP) to help companies get secure and stay secure. STPP consists of five offerings in consulting services and software that companies can use to change how they handle network security. The software helps lock down systems and services and helps automate patch installation. The consulting services help users deal with design, planning, and serious security threats, such as the Nimda worm, which affects multiple products. You can learn more about STPP by reading the related news item in the SECURITY ROUNDUP section of this newsletter. STPP is a good step forward for Microsoft and its customers, but is it enough? The STPP announcement comes after Gartner Group issued its stern statements 2 weeks ago. Gartner recommends that users who've been affected by security intrusions due to Microsoft IIS bugs should consider migrating to another Web server platform, such as iPlanet or Apache. You can read about Gartner's comments in Paul Thurrott's related news story on our Web site. http://www.secadministrator.com/articles/index.cfm?articleid=22587 Gartner's comments stem from the number of exploitable vulnerabilities in the IIS source code. For example, as of October 9, 2001, the Microsoft security Web site lists 22 bulletins about Internet Information Services (IIS) 5.0 security vulnerabilities and 36 bulletins about Internet Information Server (IIS) 4.0 security vulnerabilities. STPP will help Microsoft guard against security vulnerabilities, but the fact that users need so many patches clearly indicates a deeper problem: faulty coding practices. Granted, Microsoft released URLScan, which is a fantastic way to prevent unknown bugs from becoming exploitable security risks, but even so, many people view URLScan as just another patch. As you'll learn by reading our news story about STPP, Microsoft designed new analysis tools to use when developing Windows XP code--tools that help find bugs that can become security risks. Microsoft is also using those tools to analyze Windows 2000 patches and service pack code. So we can expect IIS 5.0 to become more secure as Microsoft releases new service packs, and IIS 6.0 should be more secure than its predecessors. URLScan will be built into IIS 6.0 Before you take Gartner's advice, you might give Microsoft a chance to show how its new code analysis provides increased security in IIS 6.0. Of course, to use IIS 6.0, you must move to XP, in which case you might be interested to learn that Microsoft has again postponed its controversial new licensing program. Read about it in Paul Thurrott's new story on our WinInformant Web site at the URL below. http://www.wininformant.com/articles/index.cfm?articleid=22808 I asked Scott Culp, manager of Microsoft's Security Response Center, if IIS 6.0 is stronger code than its predecessors. As you know, IIS 5.1 ships with XP, and Culp said Microsoft believes that the quality of the code in IIS 5.1 is in fact better than what is in IIS 5.0. "IIS 5.1 was built using the processes and tools that were developed as part of the Secure Windows Initiative [SWI], and we're seeing dramatic improvements in products built under SWI, across the board. Fewer coding errors means fewer vulnerabilities, which should mean better security. But as you know, security is about more than just code quality," Culp said. "That's where IIS 6.0 (which will be part of Windows .Net Server) comes in. The primary difference between IIS 5.1 and IIS 5.0 is the code quality--most other aspects of the product are the same or only changed in minor ways. In contrast, IIS 6.0 contains code quality improvements, but also includes significant architectural changes as well. For instance, IIS 6.0 won't install by default. When you do install it, the setup wizard will interview you to find out what you're planning to do with the server, and only enable the services you'll need. The net is that IIS 5.1 should be more secure than its predecessors because of the code quality improvements. But IIS 6.0 will encompass code changes, architectural improvements, and new features. As a result, the security improvements there should be much more dramatic." Nevertheless, if you're considering a move away from IIS, you'll be interested to know that Sun Microsystems lowered the cost of iPlanet to woo IIS customers. Formerly, iPlanet cost $1495 per CPU; however, Sun now offers the platform for $940 per CPU to any customer who moves from a competing platform. See the news story in the SECURITY ROUNDUP section of this newsletter. According to Netcraft's September Web survey results, 49.6 percent of all Web systems polled run a Microsoft OS and probably IIS. Results also show that many of those systems exhibit known security risks. As of September 1, 8.5 percent of the systems Netcraft surveyed still have the root.exe program, which is a backdoor associated with the Code Red worm, installed; 37.14 percent still have the IIS-related WebDAV functionality overly exposed; and 17.14 percent have their administration Web pages open to the public and are vulnerable to known URL-encoding exploits and known bugs in IIS-related sample pages and scripts. Overall, one out of every five IIS servers is vulnerable to attack. You can read Netcraft's survey results on its Web site. http://www.netcraft.com/survey Speaking of surveys, be sure to stop by our Security Administrator home page to take our new poll concerning Gartner's comments. Are you planning to switch Web server platforms? We're interested to know how Gartner's comments might affect your decisions. http://www.secadministrator.com Last week, I mentioned the Eraser tool, which helps users prevent unauthorized recovery of deleted files. Norman Samuelson wrote to remind me that to keep data safe, users should be aware that some disk- defragmentation software can inadvertently expose some or all of your sensitive data. This scenario might occur when you move sensitive files during a defragmentation process and the software doesn't wipe the data sufficiently clean from the disk's formerly occupied sectors. It's a good idea either to mark your sensitive data files as unmovable within your defragmentation software or to configure the defragmentation software to wipe disk data after moving files, if your software offers such functionality. Otherwise, use a disk-wiping tool that wipes all unused disk sectors after you've completed the defragmentation process. Eraser can do that on demand or based on your defined schedule (see URL below). Until next time, have great week. http://www.tolvanen.com/eraser/download.shtml Sincerely, Mark Joseph Edwards, News Editor, markat_private 2. ==== SECURITY RISKS ==== (contributed by Ken Pfeil, kenat_private) * EXCEL AND POWERPOINT MACRO-CHECKING BYPASS Peter Ferrie of Symantec Security Response reported a vulnerability in Microsoft Excel and PowerPoint (for Windows and Macintosh) that might let a malicious user bypass macro-checking to automatically execute a script when opening a document. Microsoft released Security Bulletin MS01-050 to address this problem. The bulletin lists the patches and patch-installation instructions. http://www.secadministrator.com/articles/index.cfm?articleid=22789 * DOS IN AOL INSTANT MESSENGER Matthew Sachs reported a Denial of Service (DoS) condition in AOL Instant Messenger. An attacker who can send instant messages to a user signed on to the AOL Instant Messenger service can crash that user's AOL Instant Messenger. The default settings let anyone send instant messages to the user. When an attacker sends a text message with certain symbols repeatedly (approximately 640 or more times), the Instant Messenger client crashes. To minimize exposure to this vulnerability, users should restrict the ability to receive instant messages to only the people the users select. AOL has been notified of this vulnerability. http://www.secadministrator.com/articles/index.cfm?articleid=22757 * DOS IN CISCO SECURE PIX FIREWALL A vulnerability in the Cisco Secure PIX Firewall Authentication lets a Denial of Service (DoS) condition exist. When a user configures AAA (Authentication, Authorization, Accounting) authentication services on the Cisco Secure PIX Firewall, a single-source address can consume all authentication resources, preventing other legitimate users from authenticating. This DoS affects only the authentication resources; other established traffic continues unaffected, and the DoS prevents only new authentication requests. Cisco issued a notice about this vulnerability and recommends that customers obtain a firmware upgrade through Cisco distribution channels. http://www.secadministrator.com/articles/Index.cfm?articleid=22758 ******************** ~~~~ SPONSOR: CONNECTED HOME MAGAZINE VIRTUAL TOUR ~~~~ What Does The Home Of The Not-Too-Distant Future Look Like? You've never seen anything like the Connected Home Magazine Virtual Tour. Experience (room by room) the latest home entertainment, home networking, and home automation options that are going to change how you work and play. While you're there, sign up for a free copy of Windows XP! http://lists.win2000mag.net/cgi-bin3/flo?y=eH5b0CJgSH0BVg0LTe0AP ~~~~~~~~~~~~~~~~~~~~ 3. ==== ANNOUNCEMENT ==== * TEST YOUR WINDOWS XP KNOWLEDGE--FREE! Our MCSE Exam 70-270 Question-of-the-Day email dives into the new Windows XP topics such as installing and configuring handheld devices and managing mobile users, while also measuring your skills in networking basics, TCP/IP fundamentals, user accounts, protocol features, and much more. Sign up (for FREE) today! http://lists.win2000mag.net/cgi-bin3/flo?y=eH5b0CJgSH0BVg0KrD0AL 4. ==== INSTANT POLL ==== * RESULTS OF PREVIOUS POLL: NIMDA WORM The voting has closed in Windows 2000 Magazine's Security Administrator Channel nonscientific Instant Poll for the question, "Has your system become infected by the Nimda worm?" Here are the results (+/-2 percent) from the 715 votes: - 31% Significantly--we've lost days disinfecting systems - 37% Not at all - 18% Somewhat - 14% Hardly at all * INSTANT POLL: DROP MICROSOFT IIS? The Gartner Group is recommending that companies affected by security problems in Microsoft IIS drop IIS in favor of other "Web- server platforms. The current Instant Poll question is, "Does your company plan to do one of the following? a) Move to a yet-to-be- determined platform, b) Move to Apache? c) Move to iPlanet, d) Consider the recommendation, or e) Not change--you need Microsoft technology?" Go to the Security Administrator Channel home page and submit your vote. http://www.secadministrator.com 5. ==== SECURITY ROUNDUP ==== * NEWS: MICROSOFT ANNOUNCES MAJOR CHANGES TO SECURITY PRACTICES Microsoft announced several major changes to its security practices designed to help mitigate unpatched systems that the Code Red and Nimda worms recently affected. Microsoft also hopes these practices will help companies build security into any future networks from the outset. Brian Valentine, senior vice president of the Windows division at Microsoft, said that the company will make an unprecedented effort to help customers secure their systems from Internet-based threats by using the new Microsoft Strategic Technology Protection Program (STPP). http://www.secadministrator.com/articles/index.cfm?articleid=22751 * NEWS: SUN LOWERS COSTS TO WOO IIS CUSTOMERS In a bid to take advantage of the recent Microsoft product security scares, Sun Microsystems has lowered the price of its iPlanet Web Server by 37 percent. The company hopes that Microsoft IIS customers, worried about constant security breaches, will move to the Sun platform. Sun will provide additional tools that ease the process. The price reduction cuts the cost of iPlanet from $1495 per processor to $940 per processor, for any customer moving from a competing platform. http://www.secadministrator.com/Articles/Index.cfm?ArticleID=22809 * NEWS: SUN AND AOL ANNOUNCE PASSPORT COMPETITORS A growing feeling in the computer industry is that, where Microsoft is concerned, you should strike when the company is down. In light of the amount of negative press this year about Microsoft Windows XP, HailStorm (now called .NET My Services), and Passport, we shouldn't be surprised that the company's competitors--such as AOL, Oracle, Sun Microsystems, and IBM--recently announced initiatives that will compete with Microsoft's plans for the .NET future. Two of these competitors, Sun and AOL, announced services that the companies hope will supplant Passport. http://www.secadministrator.com/articles/index.cfm?articleid=22783 * FEATURE: 20 TIPS FOR EXCHANGE 2000 MIGRATION The move from Microsoft Exchange Server 5.5 to Exchange 2000 Server and the corresponding move from Windows NT to Windows 2000 are among the most significant changes you'll make to your infrastructure in the near future. Because an Exchange 2000 migration requires some fundamental changes to your environment, setting out on the road to Exchange 2000 without understanding every detail of the migration isn't smart. Read Kieran McCorry's article for Windows 2000 Magazine (October 2001) to be sure you don't overlook anything crucial. http://secadministrator.com/articles/index.cfm?articleid=22252 * REVIEW: ENTERPRISE BACKUP SOLUTIONS Enterprise-level backup programs can provide peace of mind that the data on your servers is safe and secure. If your backup software doesn't give that protected feeling, you might want to invest in a solid insurance policy for your data. Ed Roth found seven products that offer the comprehensive client support and advanced features necessary to enable centralized backup in an enterprise. The products that Roth considered for this comparative review needed to offer backup and restoration capabilities on Windows 2000, Windows NT, Novell NetWare 5.1, and Sun Microsystems' Solaris 8 platforms. The products also needed to be able to perform online backups and restores of SQL Server 7.0 databases and Microsoft Exchange Server 5.5's Directory Store, Information Store (IS), and individual mailboxes. Read the review to learn what Roth found regarding base capabilities, performance, media-control features, and manageability. http://secadministrator.com/articles/index.cfm?articleid=22239 6. ==== HOT RELEASE (ADVERTISEMENT) ==== * SPONSORED BY STOP PASSWORD HACKERS WITH PASSWORD BOUNCER! Are your employees and contractors unwittingly leaving your enterprise exposed to password attacks? Password Bouncer screens new passwords against "Hacker Wordlists" and prevents users from choosing vulnerable passwords. Defend your network today with Password Bouncer! http://lists.win2000mag.net/cgi-bin3/flo?y=eH5b0CJgSH0BVg0gDZ0AP 7. ==== SECURITY TOOLKIT ==== * VIRUS CENTER Panda Software and the Windows 2000 Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security. http://www.secadministrator.com/panda * FAQ: WHY DO I RECEIVE MICROSOFT PASSPORT-RELATED ERRORS WHEN I VISIT SOME WEB SITES? ( contributed by John Savill, http://www.windows2000faq.com ) A. I recently encountered this problem in the Microsoft Developer Network (MSDN) subscriber download area. I can connect to several Microsoft Passport-related Web sites, but I was unable to use my Microsoft Passport to connect to the MSDN site. To remedy this situation, I had to delete my MSDN Microsoft Passport cookie. Your Web browser stores cookies on your computer in the Cookies subfolder of your user profile using the following format: <username>@<site name> If you're running Microsoft Internet Explorer (IE) 5.5 or IE 6.0, you can choose to delete all cookies simultaneously. However, if you remove all your cookies, you'll lose any information contained within your Web site profiles. To remove all cookies in IE 5.5 or IE 6.0, perform the following steps: 1. Start IE. 2. From the Tools menu, select Internet Options. 3. In the Temporary Internet files section of the General tab, click Delete Cookies. 4. Click OK. 5. Close IE. 8. ==== NEW AND IMPROVED ==== (contributed by Scott Firestone, IV, productsat_private) * MANAGE PASSWORDS Zemerick Software released myPasswords Professional, password- managing software. The Password Recovery tool lets you recover the passwords that asterisks have hidden in a program's dialogs. The Password Generator tool creates complex passwords of any length containing any combination of letters, numbers, and symbols. The software can handle unlimited databases and entries, and users can protect each database with a unique password. The software runs on Windows 2000, Windows NT, Windows Me, Windows 9x, and other systems and costs $30. Contact Zemerick Software at 304-469-4031. http://www.zemericks.com * ESTABLISH A SECURE CHANNEL Pragma Systems released SecureShell 2.0, a dual, secure-shell server that supports Secure Shell 1 (SSH1) and Secure Shell 2 (SSH2) protocols with Advanced Encryption Standard (AES) Rijndael encryption. The software establishes a secure channel over any TCP/IP-based connection for both client and server applications by encrypting data and file transfers over the Internet. SecureShell 2.0 uses RSA/DSA public-key encryption and runs on Windows 2000, Windows NT, and Windows 9x systems. The software costs $799 per server for unlimited client connections. Contact Pragma Systems at 512-219-7270. http://www.pragmasys.com 9. ==== HOT THREADS ==== * WINDOWS 2000 MAGAZINE ONLINE FORUMS http://www.win2000mag.net/forums Featured Thread: Recommended Antivirus Program (Six messages in this thread) Brett wants to know what antivirus program he should use to protect Windows NT servers. He's using Norton Antivirus but isn't happy with it and wants suggestions. Read more about the questions and responses, or lend a hand at the following URL: http://www.win2000mag.net/forums/rd.cfm?app=64&id=79459 * HOWTO MAILING LIST http://www.secadministrator.com/listserv/page_listserv.asp?s=howto Featured Thread: Outlook/Exchange Connection (Eight messages in this thread) This user is having a problem with his Microsoft Outlook client when receiving mail from an Exchange Server. His Outlook client doesn't notify him when new mail arrives, yet the notification functionality works on other Outlook clients running on other workstations on his network. Can you help? Read the responses or lend a hand at the following URL: http://63.88.172.96/listserv/page_listserv.asp?a2=ind0110a&l=howto&p=181 10. ==== CONTACT US ==== Here's how to reach us with your comments and questions: * ABOUT THE COMMENTARY -- markat_private * ABOUT THE NEWSLETTER IN GENERAL -- mlibbeyat_private; please mention the newsletter name in the subject line. * TECHNICAL QUESTIONS -- http://www.win2000mag.net/forums * PRODUCT NEWS -- productsat_private * QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? -- Email Customer Support at securityupdateat_private * WANT TO SPONSOR SECURITY UPDATE? -- emedia_oppsat_private ******************** Receive the latest information about the Windows 2000 and Windows NT topics of your choice. Subscribe to our other FREE email newsletters. http://lists.win2000mag.net/cgi-bin3/flo?y=eH5b0CJgSH0BVg0KrD0AL |-+-+-+-+-+-+-+-+-+-| Thank you for reading Storage UPDATE. SUBSCRIBE To subscribe, send a blank email to mailto:Security_UPDATE_Subat_private - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Thu Oct 11 2001 - 06:15:56 PDT