[ISN] Security UPDATE, October 24, 2001

From: InfoSec News (isnat_private)
Date: Thu Oct 25 2001 - 01:40:04 PDT


    ********************
    Windows 2000 Magazine Security UPDATE--brought to you by Security
    Administrator, a print newsletter bringing you practical, how-to
    articles about securing your Windows 2000 and NT systems.
       http://www.secadministrator.com
    ********************
    
    ~~~~ THIS ISSUE SPONSORED BY ~~~~
    
    Aelita Secures Windows 2000 & Active Directory
       http://lists.win2000mag.net/cgi-bin3/flo?y=eIRo0CJgSH0BVg0gr40AG 
    
    ~~~~~~~~~~~~~~~~~~~~
    
    ~~~~ SPONSOR: AELITA SECURES WINDOWS 2000 & ACTIVE DIRECTORY ~~~~
       Aelita EventAdmin closes the gap in security management. Combining 
    sophisticated data collection with powerful analysis, reporting and 
    archiving technologies, EventAdmin delivers a new level of security and 
    visibility into your Windows NT- and Windows 2000-centric environments 
    that include Microsoft .NET Enterprise Servers, Novell NDS and UNIX 
    systems. Focusing on current and historical data, EventAdmin extends 
    real-time monitoring tools and allows IT professionals to track and 
    analyze user activity patterns, implement and enforce enterprise audit 
    and security policies, increase network visibility, investigate 
    problems and prevent disasters. Get your FREE evaluation copy today!
       http://lists.win2000mag.net/cgi-bin3/flo?y=eIRo0CJgSH0BVg0gr40AG 
    
    ********************
    
    October 24, 2001--In this issue:
    
    1. IN FOCUS
         - Information Anarchy: The Blame Game?
    
    2. SECURITY RISKS
         - Denial of Service in Windows Terminal Services
         - Arbitrary File Disclosure Vulnerability in Novell GroupWise
         - Denial of Service in Citrix Metaframe
    
    3. ANNOUNCEMENTS
         - What's the Right Way to Tackle Home Networking?
         - Are You Getting Everything You Need from WebSphere?
    
    4. INSTANT POLL
         - Results of Previous Poll: Drop Microsoft IIS?
         - Instant Poll: Full Disclosure
    
    5. SECURITY ROUNDUP
         - News: Microsoft Introduces Security Bulletin Severity Rating 
           System
         - News: Hacker Breaks DRM; Microsoft Considers Legal Action
         - Buyer's Guide: Job Scheduling Software
    
    6. HOT RELEASE (ADVERTISEMENT)
         - VeriSign - The Internet Trust Company
    
    7. SECURITY TOOLKIT
         - Book Highlight: Hacking Exposed: Network Security Secrets and 
           Solutions
         - Virus Center
         - FAQ: Why Do I Receive an Error Message in Win2K That Says My 
           Password Must Be at Least 18,770 Characters?
    
    8. NEW AND IMPROVED
         - Protect Data from Attacks
         - Replace Passwords with Biometric Technology
    
    9. HOT THREADS
         - Windows 2000 Magazine Online Forums
             - Featured Thread: Win2K Server and Me Policies
         - HowTo Mailing List 
             - Featured Thread: Permissions Affected After NTFS File 
               Conversion
    
    10. CONTACT US
       See this section for a list of ways to contact us.
    
    ~~~~~~~~~~~~~~~~~~~~
    
    1. ==== COMMENTARY ====
    
    Hello everyone,
    
    Full disclosure of security risk information is still under fire--this 
    time driven by the recent outbreak of malicious worms such as Code Red 
    and Nimda. Last week, Microsoft published an essay (URL below) written 
    by Scott Culp, manager of the Microsoft Security Response Center. In 
    the essay, Culp refers to full disclosure as "information anarchy" and 
    says that Microsoft is working with other industry leaders to form a 
    consensus protesting such information release. The company will ask its 
    customers to support the adoption of the resulting consensus. 
       http://www.microsoft.com/technet/columns/security/noarch.asp
    
    The central concern with full disclosure is that people often take 
    vulnerability demonstration code--sometimes released in fully 
    functional form--and use the code to create a weapon against 
    unsuspecting users. "But regardless of whether the [security 
    vulnerability] remediation takes the form of a patch or a workaround," 
    Culp wrote, "an administrator doesn't need to know how a vulnerability 
    works in order to understand how to protect against it, any more than a 
    person needs to know how to cause a headache in order to take an 
    aspirin." Although he's right to a certain extent, we need to consider 
    a larger perspective.
    
    Worms such as Code Red and Nimda definitely played upon well-known bugs 
    for which patches had long since been available. Those worms showed us 
    how many administrators don't consider security to be a priority in 
    operating their systems. Granted, the worm writers seem malicious in 
    releasing such nuisances, but is there a silver lining to those dark 
    clouds? I think so. As a result of regularly demonstrated 
    administrative complacency, Microsoft has adopted significant new 
    policies and practices. The company has expanded its customer support 
    efforts and is committed to providing even more robust security in its 
    products and more robust tools to help automate and manage security. 
    For example, because of these worms, Microsoft is now giving in a bit 
    to the habits and needs of its customers instead of the somewhat 
    idealistic visions of its software architects. So who benefits in the 
    overall scenario? Everyone does. Culp wrote, "Customers who are 
    considering hiring security consultants can ask them what their 
    policies are regarding information anarchy, and make an informed buying 
    decision based on the answer. And security professionals only need to 
    exercise some self-restraint."
    
    In reality, Microsoft doesn't benefit by condemning the sharing of 
    detailed vulnerability information. Instead, the company should be 
    scolding the misguided focus and relative complacency of its customers' 
    administrative efforts. It seems that Microsoft is doing that now 
    indirectly with its new Strategic Technology Protection Program (STPP; 
    URL below). The effects should benefit information security in general, 
    but getting a new program fully operational takes time. Perhaps any new 
    consensus is going a bit too far too soon. In any event, a new 
    consensus will benefit Microsoft by buying the company some time to get 
    STPP into full swing. So again, who benefits from any new consensus in 
    the long run? As Culp pointed out, "Even in the best of conditions, it 
    will still be possible to write worms." So a new consensus won't 
    eliminate the core problems of administrative latency and faulty code. 
       http://www.secadministrator.com/articles/index.cfm?articleid=22751
    
    The full-disclosure problem comes down to timing on three fronts: 
    Researchers publish explicit details in many cases without enough 
    consideration for the time required for companies to develop a patch 
    and coax customers into loading the patch; users wait too long to apply 
    patches, if they apply them at all; and Microsoft product cycles are 
    probably still far too quick to market for effective code development. 
    
    What do you think about full disclosure? Is it a detriment or a benefit 
    to the user community, or does it seem to balance out fairly equally in 
    the bigger picture? Stop by our home page and take the Instant Poll. 
    We're eager to learn your perspective. And if you want to express 
    detailed comments regarding any new consensus, you can post them in 
    response to this editorial--you'll find a copy posted on our home page. 
    Until next time, have a great week.
       http://www.secadministrator.com
    
    Sincerely,
    
    Mark Joseph Edwards, News Editor, markat_private
    
    2. ==== SECURITY RISKS ====
       (contributed by Ken Pfeil, kenat_private)
    
    * DENIAL OF SERVICE IN WINDOWS TERMINAL SERVICES
       Luciano Martins of Deloitte & Touche Argentina reported that a 
    vulnerability exists in the Microsoft Windows 2000 and Windows NT 4.0 RDP 
    service that can result in a Denial of Service (DoS) attack. The attack 
    can occur because of a problem in the service that doesn't properly 
    handle a particular series of data packets. To cause the service to 
    fail, an attacker doesn't have to connect to the service but only send 
    this series of data packets to the port on which RDP is listening. 
       Microsoft released Security Bulletin MS01-052 to address this 
    vulnerability. Win2K Datacenter patches are hardware-specific and will 
    be available from the OEM when they're ready. Microsoft rates the 
    severity of this vulnerability as low risk to Internet systems, 
    moderate risk to intranet systems, and no risk to client systems.
       Microsoft has temporarily pulled the related patch offline due to 
    numerous reports that the patch breaks system functionality in many 
    cases. The company intends to make the patch available again shortly.
       http://www.secadministrator.com/articles/index.cfm?articleid=22981
    
    * ARBITRARY FILE DISCLOSURE VULNERABILITY IN NOVELL GROUPWISE 
       Mike Shema of Foundstone reported that a vulnerability exists in 
    Novell's GroupWise Server 6.0 and 5.5 for Windows 2000 that can let an 
    attacker view files located anywhere on the server. The servlet 
    "webacc" located in /servlet/ typically accesses templates located in 
    webroot. However, if an attacker knows the filename and location and 
    appends the file with a null character, the servlet also permits full 
    directory-path traversal. Novell recommends that users obtain a fix 
    available through regular support channels. 
       http://www.secadministrator.com/articles/index.cfm?articleid=22917 
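To make the null-character traversal concrete, here is an added Python model of the flawed pattern beside a hardened resolver and a log-side check; this is illustrative code written for this page, not GroupWise's servlet, and the webroot path and the rule that templates must end in ".htt" are assumptions.

```python
import posixpath
from urllib.parse import unquote

# Assumed template root (placeholder, not the product's real path); the
# advisory only says the servlet reads templates from webroot.
WEBROOT = "/srv/webacc/webroot"
TEMPLATE_SUFFIX = ".htt"  # assumed extension rule the servlet enforces


def legacy_resolve(template: str) -> str:
    """Model of the flawed pattern (hypothetical, not GroupWise code).

    The suffix check sees the whole string, but the file is later opened
    through a NUL-terminated C API that stops at the first '\\0'.  A NUL
    placed before the suffix therefore lets a traversal path pass the check.
    """
    if not template.endswith(TEMPLATE_SUFFIX):
        raise ValueError("template must end in " + TEMPLATE_SUFFIX)
    as_seen_by_os = template.split("\0", 1)[0]  # C-string truncation
    return posixpath.normpath(posixpath.join(WEBROOT, as_seen_by_os))


def safe_resolve(template: str) -> str:
    """Hardened resolver: reject NUL bytes, then confine the result to WEBROOT."""
    if "\0" in template:
        raise ValueError("NUL byte in template name")
    if not template.endswith(TEMPLATE_SUFFIX):
        raise ValueError("template must end in " + TEMPLATE_SUFFIX)
    candidate = posixpath.normpath(posixpath.join(WEBROOT, template))
    if escapes_webroot(candidate):
        raise ValueError("path escapes webroot")
    return candidate


def escapes_webroot(path: str) -> bool:
    """True when a normalised path is not WEBROOT itself or below it."""
    return not (path == WEBROOT or path.startswith(WEBROOT + "/"))


def flag_request(raw_param: str) -> list:
    """Log-side check: reasons a still-URL-encoded template parameter looks
    like a traversal attempt.  Empty list means nothing suspicious."""
    decoded = unquote(raw_param)
    reasons = []
    if "\0" in decoded:
        reasons.append("nul-byte")
    segments = decoded.replace("\\", "/").split("/")
    if ".." in segments:
        reasons.append("dot-dot")
    return reasons


if __name__ == "__main__":
    # Constructed sample parameter, not a captured request.
    sample = "..%2F..%2F..%2Fetc%2Fpasswd%00.htt"
    print("flags:", flag_request(sample))
    print("legacy resolves to:", legacy_resolve(unquote(sample)))
    try:
        safe_resolve(unquote(sample))
    except ValueError as err:
        print("hardened resolver rejected it:", err)
```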
    
    * DENIAL OF SERVICE IN CITRIX METAFRAME 
       Justine Bone, Glyn Geoghegan, and Paul Davies, of Internet Security 
    Systems, discovered that a vulnerability exists in the Citrix MetaFrame 
    server application that lets an attacker crash the server, resulting in 
    a Denial of Service (DoS). Improper handling of multiple sessions on 
    the Citrix server causes the DoS condition. By spoofing the protocol 
    that runs between the MetaFrame client and server, an attacker can 
    start multiple fake sessions with the affected server. Citrix 
    recommends that users install the appropriate hotfixes that the vendor 
    will make available soon. 
       http://www.secadministrator.com/articles/index.cfm?articleid=22919
    
    3. ==== ANNOUNCEMENTS ====
    
    * WHAT'S THE RIGHT WAY TO TACKLE HOME NETWORKING?
       It starts with a subscription to Connected Home Magazine! Each issue 
    (starting with our premiere issue in February 2002), will bring you the 
    latest how-to advice to help you connect a home network, select home 
    automation equipment, and much more! Our experts have seen it all, and 
    are sharing what they know. Subscribe today!
       http://lists.win2000mag.net/cgi-bin3/flo?y=eIRo0CJgSH0BVg0gnK0AZ 
    
    * ARE YOU GETTING EVERYTHING YOU NEED FROM WEBSPHERE?
       Check out WebSphere Professional magazine, for developers and system 
    administrators; WebSphereWire e-newsletter, with news and analysis; 
    WebSpherePro System Admin Tips e-newsletter, with tips and techniques; 
    and WebSpherePro Developer Tips e-newsletter, with technical tips. The 
    e-newsletters are FREE--and so is the premiere issue of WebSphere 
    Professional. Get them at the following URL.
       http://lists.win2000mag.net/cgi-bin3/flo?y=eIRo0CJgSH0BVg0gR20Ag 
    
    4. ==== INSTANT POLL ====
    
    * RESULTS OF PREVIOUS POLL: DROP MICROSOFT IIS?
       The voting has closed in Windows 2000 Magazine's Security 
    Administrator Channel nonscientific Instant Poll for the question, 
    "Does your company plan to do one of the following? a) Move to a 
    yet-to-be-determined platform, b) Move to Apache, c) Move to iPlanet, 
    d) Consider the recommendation, or e) Not change--you need Microsoft 
    technology?" Here are the results (+/-2 percent) from the 601 votes:
       6% Move to a yet-to-be-determined platform
      26% Move to Apache
       2% Move to iPlanet
      12% Consider the recommendation
      53% Not change--you need Microsoft technology 
    
    * INSTANT POLL: FULL DISCLOSURE
       Microsoft is working with other industry leaders to form a consensus 
    protesting information release or "full disclosure." The company will 
    ask its customers to support the adoption of the resulting consensus. 
    The current Instant Poll question is, "What do you think about full 
    disclosure?" a) It's an overall detriment to the user community as a 
    whole, b) It's a benefit, or c) It seems to balance out fairly equally 
    in the bigger picture? Go to the Security Administrator Channel home 
    page and submit your vote.
       http://www.secadministrator.com 
    
    5. ==== SECURITY ROUNDUP ====
    
    * NEWS: MICROSOFT INTRODUCES SECURITY BULLETIN SEVERITY RATING SYSTEM
       Microsoft has instituted a severity rating system that it will apply 
    to new security bulletins and related patches. The company designed the 
    new system to help customers decide which patches they should apply for 
    their network environments. 
       The new rating system is a matrix of three severity levels in 
    conjunction with three system environments. The severity levels are 
    Critical, Moderate, and Low, and the environments are Internet Servers, 
    Internal Servers, and Client Systems.
       http://www.secadministrator.com/articles/index.cfm?articleid=22921
    
    * NEWS: HACKER BREAKS DRM; MICROSOFT CONSIDERS LEGAL ACTION
       Microsoft might seek legal action against a hacker who at least 
    partially compromised the company's Digital Rights Management (DRM) 
    software, which helps prevent consumers from pirating music. In a 
    self-described "act of civil disobedience," an anonymous hacker published 
    the hack, dubbed FreeMe, on the Internet this week. Breaking DRM 
    software is illegal under the Digital Millennium Copyright Act (DMCA), 
    a statute implemented in 1998. The Electronic Frontier Foundation 
    (EFF), however, is challenging DMCA's legality in a New York court.
       http://www.secadministrator.com/articles/index.cfm?articleid=23000
    
    * BUYER'S GUIDE: JOB SCHEDULING SOFTWARE
       The growing number of job-scheduling packages that work in Windows 
    2000 and Windows NT environments signals the maturation of Windows in 
    the enterprise and of Windows users themselves. With the variety of 
    feature sets and price ranges in our job scheduling Buyer's Guide, 
    you're sure to find something to meet your needs. 
       http://www.win2000mag.com/files/22552/22552.pdf
    
    6. ==== HOT RELEASE (ADVERTISEMENT) ====
    
    * VERISIGN - THE INTERNET TRUST COMPANY
       Secure your servers with 128-bit SSL encryption! Grab your copy of 
    VeriSign's FREE Guide, "Securing Your Web site for Business," and learn 
    about using SSL to encrypt e-commerce transactions. Get it now!
       http://lists.win2000mag.net/cgi-bin3/flo?y=eIRo0CJgSH0BVg0Lo50Al 
    
    7. ==== SECURITY TOOLKIT ====
    
    * BOOK HIGHLIGHT: HACKING EXPOSED: NETWORK SECURITY SECRETS AND 
    SOLUTIONS
       By Stuart McClure, George Kurtz, Joel Scambray
       List Price: $49.99
       Fatbrain Online Price: $34.99
       Hardcover; 729 pages
       Published by McGraw-Hill Professional Book Group, September 2001
       ISBN 0072193816
    
    For more information or to purchase this book, go to 
    http://www1.fatbrain.com/asp/bookinfo/bookinfo.asp?theisbn=0072193816 
    and enter WIN2000MAG as the discount code when you order the book.
    
    * VIRUS CENTER
       Panda Software and the Windows 2000 Magazine Network have teamed to 
    bring you the Center for Virus Control. Visit the site often to remain 
    informed about the latest threats to your system security.
       http://www.secadministrator.com/panda
    
    * FAQ: WHY DO I RECEIVE AN ERROR MESSAGE IN WIN2K THAT SAYS MY PASSWORD 
    MUST BE AT LEAST 18,770 CHARACTERS?
       (contributed by John Savill, http://www.windows2000faq.com)
    
    A. This error occurs when you're running Windows 2000 Service Pack 1 
    (SP1) and you connect to an MIT realm and select Change Password from 
    the Security dialog box (Ctrl+Alt+Del). (An MIT realm is a Kerberos 
    realm used for authentication in the same way that Win2K uses Kerberos 
    5 for authentication.) The full error you'll receive is "Your password 
    must be at least 18,770 characters and cannot repeat any of your 
    previous 30,689 passwords. Please type a different password. Type a 
    password that meets these requirements in both text boxes." 
       To correct this problem, contact Microsoft Product Support Services 
    (PSS) and request an updated msgina.dll file (version 5.0.2195.3351 or 
    later).
    
    8. ==== NEW AND IMPROVED ====
       (contributed by Scott Firestone, IV, productsat_private)
    
    * PROTECT DATA FROM ATTACKS
       Gianus Technologies released Phantom Total Security, software that 
    protects laptop or PC data by making the data invisible to intruders, 
    unauthorized users, and viruses. The software splits the hard disk into 
    two parts, and when you click an icon, the software makes one of the 
    parts invisible. You can drag files and documents between the two parts 
    of the hard disk. Phantom Total Security runs on Windows 2000, Windows 
    NT, Windows Me, and Windows 9x systems. For pricing, contact Gianus 
    Technologies at 212-838-7070.
       http://www.phantomts.com
    
    * REPLACE PASSWORDS WITH BIOMETRIC TECHNOLOGY
       BioconX released BioconX 3.5, security software that applies 
    biometrics to replace passwords. The software strengthens access 
    control by centralizing all users' biometric templates and system 
    authorization profiles. The software authenticates the users' identity 
    by comparing their fingerprint or the iris of their eye against all 
    stored templates. The software then lets users access all servers and 
    applications for which they have authorization. For pricing, contact 
    BioconX at 952-835-5321.
       http://www.bioconx.com
    
    9. ==== HOT THREADS ====
    
    * WINDOWS 2000 MAGAZINE ONLINE FORUMS
       http://www.win2000mag.net/forums 
    
    Featured Thread: Win2K Server and Me Policies
       (One message in this thread)
    
    Martin used policy editor to secure Windows 98 and Windows 95 desktops 
    when either networked with NT Server or used as standalones. When he 
    comes across a desktop with Windows Me, he can't secure it in either 
    environment or in policy editor for Windows Me. Can you help? Read more 
    about the questions and responses or lend a hand at the following URL:
       http://www.secadministrator.com/forums/thread.cfm?thread_id=82220
    
    * HOWTO MAILING LIST
       http://www.secadministrator.com/listserv/page_listserv.asp?s=howto
    
    Featured Thread: Permissions Affected After NTFS File Conversion
       (Ten messages in this thread)
    
    This user is having problems after converting Windows NT systems from 
    FAT disk partitions to NTFS partitions. After the conversion, users are 
    prompted to log on when they access certain shortcuts or Start Menu 
    items. The logon prompting relates to the \\MachineName\C$ administrative 
    share. Can you help? Read the responses or lend a hand at the following 
    URL:
    http://63.88.172.96/listserv/page_listserv.asp?a2=ind0110c&l=howto&p=1039
    
    10. ==== CONTACT US ====
       Here's how to reach us with your comments and questions:
    
    * ABOUT THE COMMENTARY -- markat_private
    
    * ABOUT THE NEWSLETTER IN GENERAL -- mlibbeyat_private; please
    mention the newsletter name in the subject line.
    
    * TECHNICAL QUESTIONS -- http://www.win2000mag.net/forums
    
    * PRODUCT NEWS -- productsat_private
    
    * QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? -- Email Customer
    Support at securityupdateat_private
    
    * WANT TO SPONSOR SECURITY UPDATE? -- emedia_oppsat_private
    
    ********************
    
       Receive the latest information about the Windows 2000 and Windows NT
    topics of your choice. Subscribe to our other FREE email newsletters.
       http://www.win2000mag.net/email
    
    |-+-+-+-+-+-+-+-+-+-| 
    
    Thank you for reading Security UPDATE.
    
    SUBSCRIBE
    To subscribe, send a blank email to mailto:Security_UPDATE_Subat_private
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.
    



    This archive was generated by hypermail 2b30 : Thu Oct 25 2001 - 03:06:30 PDT