******************** Windows 2000 Magazine Security UPDATE--brought to you by Security Administrator, a print newsletter bringing you practical, how-to articles about securing your Windows 2000 and Windows NT systems http://www.secadministrator.com ******************** ~~~~ THIS ISSUE SPONSORED BY ~~~~ Protect Against the Top 20 Security Threats! http://lists.win2000mag.net/cgi-bin3/flo?y=eJfd0CJgSH0BVg0pHT0AP Lieberman & Associates--Shore Up Your Back Doors http://lists.win2000mag.net/cgi-bin3/flo?y=eJfd0CJgSH0BVg0pHU0AQ (below IN FOCUS) ~~~~~~~~~~~~~~~~~~~~ ~~~~ SPONSOR: PROTECT AGAINST THE TOP 20 SECURITY THREATS! ~~~~ The SANS group has developed a critical list of the key threats that organizations face today. This list outlines the most common attacks used by hackers and insiders to break in to your systems. Learn about these threats and how to stop them with BindView's definitive white paper, SANS/FBI Top 20 List: How BindView Helps You Get Secure. You can download the white paper from BindView's Web site at http://lists.win2000mag.net/cgi-bin3/flo?y=eJfd0CJgSH0BVg0pHT0AP ******************** December 12, 2001--In this issue: 1. IN FOCUS - Monitoring ISPs, Intruders, and Your Network 2. SECURITY RISK - OWA Script Execution Vulnerability in Microsoft Exchange Server 5.5 3. ANNOUNCEMENTS - Connected Home Magazine--Try It Free! - Windows Security 2002 Briefings and Training, February 5 Through 8, 2002 4. SECURITY ROUNDUP - News: Amino's Network Diversity - News: SonicWALL Announces Next Generation of Security Appliances - News: CA Offering Free Vulnerability Assessment to Qualified Companies - News: Microsoft Releases Cumulative IE Patch 5. HOT RELEASE (ADVERTISEMENT) - Sponsored by VeriSign--The Value of Trust 6. INSTANT POLL - Results of Previous Poll: Personal Firewalls - Instant Poll: ISP Response 7. SECURITY TOOLKIT - Virus Center - Correction to Last Week's News About the Goner.A Virus - FAQ: How Can I Let Users Search, but Not Browse, AD? 8. NEW AND IMPROVED - Attach Your USB Token to Your Key Ring 9. HOT THREADS - Windows 2000 Magazine Online Forums - Featured Thread: Hiding User Accounts from Hackers - HowTo Mailing List - Featured Thread: Monitor Third-Party Mail 10. CONTACT US See this section for a list of ways to contact us. ~~~~~~~~~~~~~~~~~~~~ 1. ==== IN FOCUS ==== * MONITORING ISPS, INTRUDERS, AND YOUR NETWORK Hello everyone, I received many responses to last week's commentary about ISPs and the way some of them prioritize revenue above Internet security. Some readers told me about similar horror stories; others asked why I didn't name the ISPs to which I alluded; still others asked what sort of monitoring software I use to track incidents. This week I'll address those questions. I didn't name the Minnesota-based ISP that failed to respond in a reasonable, timely fashion for several reasons. First and foremost, naming the company might unnecessarily damage its reputation. We all make mistakes--and presumably learn from them. Although I can't be certain, I hope the incident taught the ISP a valuable lesson. If the ISP is intelligent enough to build and operate a complex network, it should also be intelligent enough to realize its mistakes and correct its procedures to ensure that such incidents don't occur again. I also mentioned a Colorado-based ISP that did respond admirably when I reported that one of its user's systems seemed to be infected with a malicious worm. The company is Front Range Internet (URL below), and I commend its support staff for a genuine caring attitude and swift actions to fix a serious problem. Kudos to Front Range Internet's entire staff--they're network professionals who deserve attention in good light. http://www.frii.com As for naming which monitoring software I use: Don't ask me that! It isn't prudent to ask, nor is it prudent for me to tell. The reasons should be obvious. Would you walk into your bank and ask the manager what kind of security system it uses? I doubt it. You would raise too much suspicion. Even if you did ask, I doubt that you'd get an answer because you don't have a need to know that sort of information. The same goes for networks: It's not wise to ask people about their network security systems. If you're interested in monitoring packages for various levels of system and network activity, I can point out several things that might help you. First, every good firewall provides considerable logging features that include various levels of tracking and alerting. If you aren't monitoring such logs at regular intervals, you need to start; otherwise, you'll find out after damage has already occurred that someone attacked your network. Some firewalls use their own log files; others send their events to the Windows event log. Several software packages can monitor and consolidate event-log records and deliver alerts to appropriate personnel. I offered tips about some of these products in "Which Software Can Help Monitor Event Logs?" October 2000 (see URL below). http://www.secadministrator.com/articles/index.cfm?articleid=15988 Keep in mind that when your log entries indicate that someone is attacking your system, the information might not point to the intruder's true point of origin. Savvy attackers cover their tracks as deeply as they can. An intruder will hijack other people's equipment and launch attacks from those hijacked systems. It's often extremely difficult, if not impossible, to determine an attack's true origin. So be careful when you contact an ISP about intrusion attempts. Don't assume that you know exactly where the intruder originates. Work with the ISP to help make that discovery as accurately as possible. When someone attacks your system, you might want to know which files or registry keys an intruder accesses as the attack occurs. A great tool that can help you learn this information in realtime is Winternals Software's Monitoring Tools. Monitoring Tools captures and displays file and registry accesses that occur on any Windows system on your network. The product displays results on your local computer and can filter for specific details. Monitoring Tools lets you know which application is accessing your system and logs results to a file for review or offline processing. Be sure to check out this tool and other Winternals Software tools. http://www.winternals.com We're conducting a new poll this week to ask about your experiences with intruders and ISPs: If you've ever caught intruders and reported them to an ISP, did the ISP respond immediately? Please visit our home page and tell us your answer. http://www.secadministrator.com Until next time, have a great week. Mark Joseph Edwards, News Editor, markat_private ******************** ~~~~ SPONSOR: LIEBERMAN & ASSOCIATES -- SHORE UP YOUR BACK DOORS ~~~~ THE NEW YEAR IS KNOCKING! Use your year-end budget dollars for management tools you have always wanted. With Service Account Manager you can report and change service settings on all your servers in seconds. With User Manager Pro you can make the same changes to all your workstations in a few mouse clicks. Get the award winning tools you've been waiting for all year. Year-end discounts through December 31. Microsoft Gold Certified FREE TRIAL at http://lists.win2000mag.net/cgi-bin3/flo?y=eJfd0CJgSH0BVg0pHU0AQ ~~~~~~~~~~~~~~~~~~~~ 2. ==== SECURITY RISK ==== * OWA SCRIPT EXECUTION VULNERABILITY IN MICROSOFT EXCHANGE SERVER 5.5 WhiteHat Security reported a vulnerability in the Microsoft Exchange Server 5.5 Outlook Web Access (OWA) service that lets an attacker take any action on the user's mailbox that the user can take, including deleting, moving, and sending messages. The vulnerability results from a problem in the way that OWA handles inline script messages used in conjunction with Microsoft Internet Explorer (IE). If the attacker uses OWA to open an HTML message containing a specially formed script, the script executes under the user's security context. Microsoft has released Security Bulletin MS01-057 to address this vulnerability and recommends that affected users apply the patch provided at this URL. http://www.secadministrator.com/articles/index.cfm?articleid=23433 3. ==== ANNOUNCEMENTS ==== * CONNECTED HOME MAGAZINE--TRY IT FREE! Connected Home Magazine is the new magazine to help you manage all the PCs, devices, and components in your home and in your life. We can show you how to install a home network, tackle home automation, build a home theater system, or integrate your PDA with your PC. Get a free sample of the premiere issue today! http://www.connectedhomemag.com/sub.cfm?code=fsei301xup * WINDOWS SECURITY 2002 BRIEFINGS AND TRAINING, FEBRUARY 5 THROUGH 8, 2002 Registration and call for papers for the Black Hat Briefing's Windows Security 2002 conference is now open! This is the Windows XP/2000/.NET security event of the year with intensive training sessions! Join 500 experts and "underground" security specialists for briefings, training, and Mardi Gras in New Orleans. http://lists.win2000mag.net/cgi-bin3/flo?y=eJfd0CJgSH0BVg0pHV0AR 4. ==== SECURITY ROUNDUP ==== * NEWS: AMINO'S NETWORK DIVERSITY Amino Communications announced patent-pending technology that might help eliminate the need for encryption. The new technology, called Network Diversity, helps protect sensitive data in transit by breaking up the data packets into fragments smaller than characters or symbols. http://www.secadministrator.com/articles/index.cfm?articleid=23420 * NEWS: SONICWALL ANNOUNCES NEXT GENERATION OF SECURITY APPLIANCES SonicWALL announced its next generation of Internet security appliances. The new appliances feature the company's CyberSentry security processor, which provides application-specific integrated circuit (ASIC)-based acceleration and high-performance throughput. The appliances include more memory and more concurrent connections than previous versions, bandwidth management, and a serial port for out-of-band (OOB) device management. http://www.secadministrator.com/articles/index.cfm?articleid=23422 * NEWS: CA OFFERING FREE VULNERABILITY ASSESSMENT TO QUALIFIED COMPANIES Computer Associates (CA) is offering a free remote vulnerability assessment to current CA customers and to other qualified companies until March 31, 2002. Companies with 1000 or more employees might qualify for free assessment at the discretion of a CA security consultant. http://www.secadministrator.com/articles/index.cfm?articleid=23423 * NEWS: MICROSOFT RELEASES CUMULATIVE IE PATCH Microsoft has released updates for Internet Explorer (IE) 6.0 and IE 5.5 Service Pack 2 (SP2) to protect against all known vulnerabilities. The patch includes fixes for two new cookie-related problems that can affect HTML mail messages. http://www.microsoft.com/technet/security/bulletin/ms01-055.asp 5. ==== HOT RELEASE (ADVERTISEMENT) ==== * SPONSORED BY VERISIGN - THE VALUE OF TRUST Secure your servers with 128-bit SSL encryption! Grab your copy of VeriSign's FREE Guide, "Securing Your Web site for Business," and learn about using SSL to encrypt e-commerce transactions. Get it now! http://lists.win2000mag.net/cgi-bin3/flo?y=eJfd0CJgSH0BVg0Lo50Av 6. ==== INSTANT POLL ==== * RESULTS OF PREVIOUS POLL: PERSONAL FIREWALLS The voting has closed in Windows 2000 Magazine Network's Security Administrator Channel nonscientific Instant Poll for the question, "If you use a personal firewall, which one do you use?" Here are the results (+/-2 percent) from the 1906 votes: 54% a) ZoneAlarm. 15% b) Tiny Personal Firewall 12% c) Norton Personal Firewall 20% d) Other * INSTANT POLL: ISP RESPONSE The current Instant Poll question is, "If you caught someone intruding into your network and you reported it to your ISP, did the ISP respond immediately?" a) Yes, b) No. Go to the Security Administrator Channel home page and submit your vote. http://www.secadministrator.com 7. ==== SECURITY TOOLKIT ==== * VIRUS CENTER Panda Software and the Windows 2000 Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security. http://www.secadministrator.com/panda * CORRECTION TO LAST WEEK'S NEWS ABOUT THE GONER.A VIRUS Last week's Security UPDATE mentioned a new worm, Goner.A, that was spreading rapidly around the Internet. The worm is an executable file with an .scr file extension, not an .exe extension, as we reported. * FAQ: HOW CAN I LET USERS SEARCH, BUT NOT BROWSE, AD? ( contributed by John Savill, http://www.windows2000faq.com ) A. You can use either a policy setting or the registry to configure Active Directory (AD) for browsing. To use the policy-setting method, complete the following steps: 1. Open Group Policy with Group Policy Editor (GPE). 2. Navigate to User Configurations, Administrative Templates, Desktop, AD. 3. Double-click "Hide Active Directory folder." 4. Select the Policy tab. 5. Click Enabled, and click OK. 6. Close the policy. To use the registry to complete the same task, perform the following steps: 1. Start a registry editor (e.g., regedit.exe). 2. Navigate to the HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft registry subkey. 3. If the Windows subkey doesn't exist, click Edit, New, Key to create the subkey. 4. Look for "Directory UI" under the Windows subkey, and if it doesn't exist, click Edit, New, Key to create the subkey. 5. From the Edit menu, select New-DWORD Value. 6. Type HideDirectoryFolder and press Enter. 7. Double-click the new value, set it to 1, and click OK. 8. Close the registry editor. 8. ==== NEW AND IMPROVED ==== (contributed by Scott Firestone, IV, productsat_private) * ATTACH YOUR USB TOKEN TO YOUR KEY RING Griffin Technologies released SecuriKey, a USB-based user-authentication solution for PCs that combines a small, keylike USB device with password protection. The USB token attaches to a key ring and plugs into a PC's USB port or USB hub, which eliminates the need for a special hardware device, other than an available USB port, to authenticate the physical token. For pricing, contact Griffin Technologies at salesat_private or 800-986-6578. http://www.griftech.com 9. ==== HOT THREADS ==== * WINDOWS 2000 MAGAZINE ONLINE FORUMS http://www.win2000mag.net/forums Featured Thread: Hiding User Accounts from Hackers (Two messages in this thread) Mark wonders whether there's a registry switch (or some other method) that can prevent intruders from browsing his Windows 2000/NT server for valid user accounts. Can you help? Read the responses or lend a hand at the following URL: http://www.secadministrator.com/forums/thread.cfm?thread_id=86281 * HOWTO MAILING LIST http://www.secadministrator.com/listserv/page_listserv.asp?s=howto Featured Thread: Monitor Third-Party Mail (Three messages in this thread) Sebastian wonders whether he can monitor the email messages that users send by way of third-party mail servers (e.g., MSN Hotmail, Yahoo!) from within his domain. Can you help? Read the responses or lend a hand at the following URL: http://63.88.172.96/listserv/page_listserv.asp?a2=ind0112b&l=howto&p=84 10. ==== CONTACT US ==== Here's how to reach us with your comments and questions: * ABOUT IN FOCUS -- markat_private * ABOUT THE NEWSLETTER IN GENERAL -- mlibbeyat_private (please mention the newsletter name in the subject line) * TECHNICAL QUESTIONS -- http://www.win2000mag.net/forums * PRODUCT NEWS -- productsat_private * QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer Support -- securityupdateat_private * WANT TO SPONSOR SECURITY UPDATE? emedia_oppsat_private ******************** Receive the latest information about the Windows and .NET topics of your choice. Subscribe to our other FREE email newsletters. http://www.win2000mag.net/email |-+-+-+-+-+-+-+-+-+-| Thank you for reading Security UPDATE. You are subscribed as isnat_private SUBSCRIBE To subscribe, send a blank email to mailto:Security_UPDATE_Subat_private - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Thu Dec 13 2001 - 09:22:58 PST