********************
Windows 2000 Magazine Security UPDATE--brought to you by Security
Administrator, a print newsletter bringing you practical, how-to articles
about securing your Windows 2000 and NT systems.
http://www.secadministrator.com
********************

~~~~ THIS ISSUE SPONSORED BY ~~~~
Top 10 Windows and AD Security Threats
http://lists.win2000mag.net/cgi-bin3/flo?y=eIGg0CJgSH0BVg0KwR0A3

Prevent a Cyber Terrorism Attack on Your Network
http://lists.win2000mag.net/cgi-bin3/flo?y=eIGg0CJgSH0BVg0gcc0AT
(below SECURITY RISKS)
~~~~~~~~~~~~~~~~~~~~

~~~~ SPONSOR: TOP 10 WINDOWS AND AD SECURITY THREATS ~~~~
Security vulnerabilities never die, they just become more embarrassing when exploited. Protect your organization from common security risks. To find out how, download a free white paper "Top Ten Security Threats for Windows 2000 and Active Directory." This white paper not only describes vulnerability threats such as IIS RDS, IIS Unicode, SQL Server with no system administrator (SA) password, and weak or no passwords, but also tells you how to protect your organization from these Windows 2000 and Active Directory security exposures. Download it FREE at
http://lists.win2000mag.net/cgi-bin3/flo?y=eIGg0CJgSH0BVg0KwR0A3
********************

October 17, 2001--In this issue:

1. IN FOCUS
   - Trapping Worms in a Honeypot

2. SECURITY RISKS
   - Multiple Vulnerabilities in Microsoft Internet Explorer

3. ANNOUNCEMENTS
   - MEC 2001, Nice, France, November 6 through 9, 2001
   - What Does a Connected Home Look Like?

4. SECURITY ROUNDUP
   - Feature: XP Pro for the Administrator
   - Review: Event Archiver 3.3.25 and Event Analyst 1.3.52

5. HOT RELEASES (ADVERTISEMENTS)
   - LANguard Security Event Log Monitor Offer!
   - VeriSign - The Internet Trust Company

6. SECURITY TOOLKIT
   - Book Highlight: The CISSP Prep Guide: Mastering the Ten Domains of Computer Security
   - Virus Center
   - FAQ: How Can I Prevent the OS from Storing LAN Manager Hashes in Active Directory and the SAM?

7.
NEW AND IMPROVED
   - Web-Based Antivirus Service
   - Protect Your PC

8. HOT THREADS
   - Windows 2000 Magazine Online Forums
     - Featured Thread: Recommended Antivirus Software
   - HowTo Mailing List
     - Featured Thread: What Data Is Lost When an Account Is Deleted?

9. CONTACT US
   See this section for a list of ways to contact us.

~~~~~~~~~~~~~~~~~~~~

1. ==== COMMENTARY ====

Hello everyone,

Is Nimda still attacking your network now and then? My Intrusion Detection System (IDS) continues to catch related intrusion attempts (two more as I write this editorial) even though weeks have passed since corrective measures came out. Many Microsoft IIS administrators still haven't plugged the holes in their systems. The attacks consume my bandwidth and cause log files to grow to unruly proportions.

However, 2 weeks ago I found an interesting tool, called LaBrea, that can help slow the spread of worms on Windows NT and UNIX systems. Tom Liston, LaBrea's creator, calls the tool a tar pit or a sticky honeypot because it's a lure that lets almost no intruder escape. When a robot intruder (such as a worm) connects, a LaBrea system traps that connection indefinitely by manipulating the TCP session parameters.

Liston says, "The LaBrea server software allows a normal three-way handshake in response to a connect attempt. During the handshake, the server sets a small (5 byte) TCP window. When the client sends its first 5 bytes of data, the server responds with a TCP window of 0 (wait). The client then shifts into the persist state, where it sends window probe packets at intervals that increase to a maximum of 4 minutes for an NT stack. The LaBrea server answers these probes to hold the client in the persist state. At this point, a connection can be maintained with a throughput of approximately 1215 bytes per hour. All of this can be done without maintaining any 'state' on the connections."

Using LaBrea slows the spread of worms. For example, to propagate, the Code Red worm spawns about 100 threads.
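The persist-state trap Liston describes, as an added model (example code written for this page, not LaBrea's own): it reproduces the quoted 1215-bytes-per-hour figure from standard packet sizes and the NT persist timer. The 40-byte IPv4+TCP header, the 1-byte window probe and the 5-second initial persist interval are assumptions; the 4-minute cap and the 5-byte window come from the quote.

```python
# Added model of LaBrea's "persist state" trap; this is not LaBrea's own code.
# Assumptions: IPv4 + TCP headers without options (40 bytes per segment), a
# one-byte zero-window probe, and a 5-second first persist-timer interval.
# The 5-byte window and the 4-minute NT maximum are the figures Liston quotes.
IP_TCP_HEADER = 40        # bytes of IPv4 + TCP header per segment
PROBE_PAYLOAD = 1         # a zero-window probe carries one byte of data
INITIAL_WINDOW = 5        # LaBrea's tiny advertised window, in bytes
PERSIST_INITIAL_S = 5.0   # assumed first persist-timer interval
PERSIST_MAX_S = 240.0     # 4-minute maximum for an NT stack (from the text)


def probe_times(duration_s, first=PERSIST_INITIAL_S, cap=PERSIST_MAX_S):
    """Seconds at which a trapped client sends window probes during duration_s.
    The persist timer doubles after each probe until it reaches the cap."""
    times, t, interval = [], 0.0, first
    while t + interval <= duration_s:
        t += interval
        times.append(t)
        interval = min(interval * 2, cap)
    return times


def steady_bytes_per_hour():
    """Wire bytes per hour once the timer is capped: each exchange is the
    client's probe (header + 1 byte) plus LaBrea's zero-window ACK (header)."""
    exchanges_per_hour = 3600 / PERSIST_MAX_S
    return exchanges_per_hour * (2 * IP_TCP_HEADER + PROBE_PAYLOAD)


def trapped_session_bytes(duration_s):
    """Total wire bytes for one connection held for duration_s seconds:
    3-segment handshake, the client's first 5 data bytes, LaBrea's
    zero-window reply, then one probe/ACK pair per persist-timer expiry."""
    handshake = 3 * IP_TCP_HEADER
    first_data = (IP_TCP_HEADER + INITIAL_WINDOW) + IP_TCP_HEADER
    probes = len(probe_times(duration_s))
    return handshake + first_data + probes * (2 * IP_TCP_HEADER + PROBE_PAYLOAD)


if __name__ == "__main__":
    print(f"steady state: {steady_bytes_per_hour():.0f} bytes/hour per connection")
    print(f"one hour trapped: {trapped_session_bytes(3600)} bytes over "
          f"{len(probe_times(3600))} probes")
```

Each captured worm thread costs the trapped host only about 1.2 KB of traffic per hour, which is why one LaBrea box can hold many connections without keeping any per-connection state.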
Each thread scans IP addresses in rapid succession, looking for vulnerable hosts to infect--the potential to spread rapidly is enormous. But by capturing some of those threads as they attempt to infect your network, the LaBrea tool reduces the spread of the worm exponentially--a neat idea that really works! Be sure to look at LaBrea at the URL below. Liston says he must address problems with the Windows 2000 TCP/IP stack before he can make the tool run on that platform.
http://www.threenorth.com/LaBrea

Speaking of computer attacks, the results are in on a survey that InfoSecurity Magazine conducted in late July and early August 2001. The 2545 participants include security professionals involved in government, consulting, manufacturing and reselling, banking and finance, medical and healthcare, military, and education. One interesting finding is that the number of people who reported attacks against their Web servers has doubled since 2000--roughly half of those polled reported such attacks. The survey also tracks a 33 percent increase in the number of entities suffering buffer-overflow attacks, and almost 90 percent of the respondents suffered some type of infection by malicious code such as a virus, worm, or Trojan horse. The survey has lots of other interesting facts and figures--be sure to stop by and take a look:
http://www.infosecuritymag.com/articles/october01/images/survey.pdf

I ran across an interesting document last week, "Best Practices for Secure Development," written by Razvan Peteanu. The 72-page paper, arranged in 12 sections, covers various topics including common mistakes, security in a project life cycle, principles, services, authorization, technologies, languages, platforms, distributed systems, and tools. The document is a great top-level overview of those focus areas rather than an intricate guide. Nevertheless, it's full of useful advice and interesting anecdotes. You'll find it at the URL below.

Until next time, have a great week.
http://members.home.net/razvan.peteanu/best_prac_for_sec_dev4.pdf

Sincerely,
Mark Joseph Edwards, News Editor, markat_private

2. ==== SECURITY RISKS ====
(contributed by Ken Pfeil, kenat_private)

* MULTIPLE VULNERABILITIES IN MICROSOFT INTERNET EXPLORER
Michiel Kikkert and Joao Gouviea discovered several vulnerabilities that affect Internet Explorer (IE) 6.0, 5.5, and 5.01. The first problem involves using a dotless IP address with particular malformed URL requests, which an attacker can use to cause a site to load under the intranet zone security settings and can expose the client system to further attack. The second problem occurs when an attacker encodes URLs in a way that makes it possible to issue requests to a site automatically on establishing a connection to that site. In doing so, an intruder causes a variety of unwanted actions to take place, such as deleting Web-based email and spoofing transactions. The third problem occurs when a URL within IE launches Telnet. With the Telnet client that ships as part of Microsoft Services for UNIX (SFU) 2.0, an attacker can make the Telnet client receive a file and execute it. Microsoft released Security Bulletin MS01-051 and a patch to address these matters. Microsoft articles Q306121 and Q308414, which discuss this matter, should become available tomorrow.
http://www.secadministrator.com/articles/index.cfm?articleid=22873

********************

~~~~ SPONSOR: PREVENT A CYBER TERRORISM ATTACK ON YOUR NETWORK ~~~~
The NIMDA Virus and other security threats are easily avoided if the latest security updates are deployed with UpdateEXPERT(tm). UpdateEXPERT is a solution that helps you secure your systems by deploying service packs and hotfixes. UpdateEXPERT supports Windows NT and 2000, and a long list of mission critical applications. Quickly conduct research, take inventory, deploy updates and validate installations of networked machines from the comfort of your workstation.
Free Trial:
http://lists.win2000mag.net/cgi-bin3/flo?y=eIGg0CJgSH0BVg0gcc0AT
~~~~~~~~~~~~~~~~~~~~

3. ==== ANNOUNCEMENTS ====

* MEC 2001, NICE, FRANCE, NOVEMBER 6 THROUGH 9, 2001
MEC 2001 offers in-depth technical training for planning, deploying, and managing your enterprise infrastructure. Join industry experts to discuss best practices for deploying Microsoft Exchange 2000 and Active Directory (AD), extending the platform with Office XP, and integrating Exchange 2000 with the other .NET Enterprise Servers. Call to register at +44 1252 771 133, or visit the MEC Web site.
http://lists.win2000mag.net/cgi-bin3/flo?y=eIGg0CJgSH0BVg0gcd0AU

* WHAT DOES A CONNECTED HOME LOOK LIKE?
You've never seen anything like the Connected Home Magazine Virtual Tour. Experience (room by room) the latest home entertainment, home networking, and home automation options that are going to change how you work and play. While you're there, enter to win a free copy of Windows XP!
http://lists.win2000mag.net/cgi-bin3/flo?y=eIGg0CJgSH0BVg0LTe0An

4. ==== SECURITY ROUNDUP ====

* FEATURE: XP PRO FOR THE ADMINISTRATOR
You've probably heard how Windows XP Professional Edition is easier to use and more productive for end users than Windows 2000 Professional. But, like most administrators, you probably want to hear more about the XP Pro features that affect how you do your job. Although the Windows 2000 Magazine Lab staff hasn't yet thoroughly tested XP Pro, we've begun performing tests in environments that include XP Pro clients. In our testing, we've discovered several administrator-related features that we think you'll like. Ed Roth fills you in on the details in this month's Lab Notes.
http://www.secadministrator.com/articles/index.cfm?articleid=22237

* REVIEW: EVENT ARCHIVER 3.3.25 AND EVENT ANALYST 1.3.52
Logging and monitoring network server events has always been important for troubleshooting, trending, and long-term systems management.
Although Windows NT Event Viewer can be useful for managing system logs, Windows 2000 and NT don't include extensive functionality for managing logs across multiple systems. Dorian Software Creations' Event Archiver 3.2.25 and Event Analyst 1.3.52 work together to simplify enterprisewide collection, storage, and analysis of your network systems' System, Application, and Security logs. Learn more about them in Marty Scher's review on our Web site!
http://www.secadministrator.com/articles/index.cfm?articleid=22240

5. ==== HOT RELEASES (ADVERTISEMENTS) ====

* LANGUARD SECURITY EVENT LOG MONITOR OFFER!
Catch hackers red-handed with LANguard S.E.L.M.! Provides intrusion detection through centralized NT/2000 security event log monitoring. Extensive reporting identifies all machines being targeted and local users trying to hack. Download your FREE starter pack today:
http://lists.win2000mag.net/cgi-bin3/flo?y=eIGg0CJgSH0BVg0gce0AV

* VERISIGN -- THE INTERNET TRUST COMPANY
Secure your servers with 128-bit SSL encryption! Grab your copy of VeriSign's FREE Guide, "Securing Your Web site for Business," and learn about using SSL to encrypt e-commerce transactions. Get it now!
http://lists.win2000mag.net/cgi-bin3/flo?y=eIGg0CJgSH0BVg0Lo50AS

6. ==== SECURITY TOOLKIT ====

* BOOK HIGHLIGHT: THE CISSP PREP GUIDE: MASTERING THE TEN DOMAINS OF COMPUTER SECURITY
By Ronald L. Krutz, Russell Dean Vines
List Price: $69.99
Fatbrain Online Price: $69.99
Hardcover; 556 pages
Published by John Wiley & Sons, September 2001
ISBN 0471413569
For more information or to purchase this book, go to
http://www1.fatbrain.com/asp/bookinfo/bookinfo.asp?theisbn=0471413569
and enter WIN2000MAG as the discount code when you order the book.

* VIRUS CENTER
Panda Software and the Windows 2000 Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security.
http://www.secadministrator.com/panda

* FAQ: HOW CAN I PREVENT THE OS FROM STORING LAN MANAGER HASHES IN ACTIVE DIRECTORY AND THE SAM?
(contributed by John Savill, http://www.windows2000faq.com)

A. Both Windows XP and Windows 2000 support several authentication methods, including LAN Manager (LM), NT LAN Manager (NTLM), and NTLM version 2 (NTLMv2). LM stores passwords in a hashed format that's easy to crack. Starting with Windows 2000 Service Pack 2 (SP2), Microsoft addressed this weakness by adding the ability to disable the storage of LM hashes. To disable LM hashes in Win2K, perform the following steps:

   1. Start the registry editor (regedit.exe) on the domain controller (DC).
   2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa.
   3. From the Edit menu, select New, Key.
   4. Enter a name of NoLMHash, set the value to 1, and press Enter.
   5. Close the registry editor.
   6. Restart the computer for the change to take effect.

To disable LM hashes in XP, perform steps 1 and 2 above. At step 3, from the Edit menu, select New, DWORD value. Complete the process by performing steps 4 through 6 above. The change takes effect for each user account only when that user next changes his or her password; LM hashes already stored remain until then.

In XP, you can also use Group Policy (GP) to disable LM hashes under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options. To change the settings for this policy, locate the Network Security policy entitled "Do not store LAN Manager hash value on next password change." Be aware that if you set this option, some components that rely on LM hashes (e.g., the Windows 9x change password operation, Win9x client authentication if you don't have the Directory Services--DS--client pack installed) might not work as expected.

7. ==== NEW AND IMPROVED ====
(contributed by Scott Firestone, IV, productsat_private)

* WEB-BASED ANTIVIRUS SERVICE
McAfee announced that WatchGuard Technologies will offer McAfee's ASaP Web-based managed virus scanning service for desktops.
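For the LM-hash FAQ above, an added audit helper (written for this page, not from the newsletter or from Microsoft): it parses a regedit export of the Lsa key and reports which of the FAQ's two forms is present, the NoLMHash subkey (Windows 2000 SP2) or the NoLMHash REG_DWORD value (XP). The two .reg samples are constructed; the `reg export` command named in the comment is the standard reg.exe syntax.

```python
# Added audit helper for the NoLMHash FAQ; not from the newsletter or Microsoft.
# Input is a regedit export of the Lsa key, e.g. the file written by
# "reg export HKLM\SYSTEM\CurrentControlSet\Control\Lsa lsa.reg".
import re

LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"


def parse_reg_export(text):
    """Map each [key path] in .reg text to its {value name: raw data}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        key = re.fullmatch(r"\[(.+)\]", line)
        if key:
            current = key.group(1)
            keys[current] = {}
            continue
        val = re.fullmatch(r'(?:"([^"]+)"|(@))=(.+)', line)
        if val and current is not None:
            keys[current][val.group(1) or val.group(2)] = val.group(3)
    return keys


def nolmhash_state(reg_text):
    """Return "key" (Win2K SP2 subkey present), "value" (XP DWORD set to 1)
    or "unset". Registry names are case-insensitive, so compare lowercased.
    Either form only stops new LM hashes; stored ones remain until each
    user's next password change, as the FAQ says."""
    keys = {k.lower(): v for k, v in parse_reg_export(reg_text).items()}
    if (LSA_KEY + r"\NoLMHash").lower() in keys:
        return "key"
    for name, data in keys.get(LSA_KEY.lower(), {}).items():
        if name.lower() == "nolmhash" and data.lower().startswith("dword:"):
            return "value" if int(data[6:], 16) == 1 else "unset"
    return "unset"


# Constructed sample exports (not taken from real machines).
SAMPLE_XP = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"NoLMHash"=dword:00000001
"""
SAMPLE_WIN2K = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash]
@="1"
"""
```

Run `nolmhash_state(open("lsa.reg", encoding="utf-16").read())` against a real export (regedit writes UTF-16) to check a machine; a DWORD of 0 or a missing entry both report "unset".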
VirusScan ASaP provides 24 x 7 protection against vulnerabilities in an online delivery model that requires no internal resources from the channel partner or customer. The service provides detailed reporting on viruses detected and cleaned within the network. For pricing, contact WatchGuard Technologies at 206-521-8340.
http://www.watchguard.com
http://www.mcafeeb2b.com

* PROTECT YOUR PC
Software Abroad announced an agreement with Danu Industries to distribute TermiNET, its personal firewall product that protects your PC from outside attack while you browse the Web or connect to other networks. The firewall lets you control and restrict access to specific services such as Web browsing or email. You can disallow access to specified undesirable sites or you can allow access only to known acceptable sites. TermiNET runs on Windows XP, Windows 2000, Windows NT, Windows Me, and Windows 9x and costs $39.95. Contact Software Abroad at 202-293-5151.
http://www.sastore.com

8. ==== HOT THREADS ====

* WINDOWS 2000 MAGAZINE ONLINE FORUMS
http://www.win2000mag.net/forums

Featured Thread: Recommended Antivirus Software
(Eighteen messages in this thread)
Brett uses Symantec's Norton Antivirus software to protect his Windows NT-based systems against viral infection. He's thinking of switching to a different product line and wonders whether you have suggestions for another solution. Can you help? Read more about the questions and responses or lend a hand at the following URL:
http://www.secadministrator.com/forums/thread.cfm?thread_id=79459

* HOWTO MAILING LIST
http://www.secadministrator.com/listserv/page_listserv.asp?s=howto

Featured Thread: What Data Is Lost When an Account Is Deleted?
(One message in this thread)
This user wonders what data is lost when a user account is deleted. He believes that--minimally--lost data includes the user's last logon date and time, as well as group memberships, SID, and exclusive file rights.
He also noticed that the former user's file ownerships change to Unknown. Have you seen any other effects of deleting a user account? Read the responses or lend a hand at the following URL:
http://63.88.172.96/listserv/page_listserv.asp?a2=ind0110c&l=howto&p=805

9. ==== CONTACT US ====
Here's how to reach us with your comments and questions:

* ABOUT THE COMMENTARY -- markat_private
* ABOUT THE NEWSLETTER IN GENERAL -- mlibbeyat_private; please mention the newsletter name in the subject line.
* TECHNICAL QUESTIONS -- http://www.win2000mag.net/forums
* PRODUCT NEWS -- productsat_private
* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? -- Email Customer Support at securityupdateat_private
* WANT TO SPONSOR SECURITY UPDATE? -- emedia_oppsat_private

********************
Receive the latest information about the Windows 2000 and Windows NT topics of your choice. Subscribe to our other FREE email newsletters.
http://www.win2000mag.net/email

|-+-+-+-+-+-+-+-+-+-|
Thank you for reading Security UPDATE.

SUBSCRIBE
To subscribe, send a blank email to mailto:Security_UPDATE_Subat_private

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Thu Oct 18 2001 - 04:22:41 PDT