********************
Security UPDATE--brought to you by Security Administrator, a print newsletter bringing you practical, how-to articles about securing your Windows .NET, 2000, and NT systems.
http://www.secadministrator.com
********************

~~~~ THIS ISSUE SPONSORED BY ~~~~
SuperScout Web and Email Filter
http://list.winnetmag.com/cgi-bin3/flo?y=eKca0CJgSH0CBw0qqD0Ah

New Security Toolset: ELM Log Manager(tm) 3.0
http://list.winnetmag.com/cgi-bin3/flo?y=eKca0CJgSH0CBw0qqE0Ai
(Below IN FOCUS)
~~~~~~~~~~~~~~~~~~~~

~~~~ SPONSOR: SUPERSCOUT WEB AND EMAIL FILTER ~~~~
It's time to realize the risks of NOT filtering. You can't be everywhere at once. What's worse, your users, either intentionally or accidentally, put your network/email systems in jeopardy on a daily basis: introducing VIRUSES, downloading BANDWIDTH intensive audio, or leaking CONFIDENTIAL INFORMATION. In any case, there's a price to pay and likely you'll be involved in the clean-up. Reduce the risk: download your FREE 30-Day trials of SuperScout Web and Email Filter today:
http://list.winnetmag.com/cgi-bin3/flo?y=eKca0CJgSH0CBw0qqD0Ah
~~~~~~~~~~~~~~~~~~~~

February 6, 2002--In this issue:

1. IN FOCUS
   - Active Directory and the Common Criteria

2. SECURITY RISKS
   - Privilege Escalation Vulnerability in Win2K/NT Domains
   - DoS in Snort

3. ANNOUNCEMENTS
   - Want 24 x 7 Availability?
   - We Want to Hear from You!

4. SECURITY ROUNDUP
   - News: Microsoft Reportedly Halts New Software Development Temporarily
   - News: Tiny Software Announces Trojan Trap Software
   - News: New Version of SPECTER IDS Honeypot Available for XP
   - News: Microsoft Ships Win2K Security Rollup Package

5. HOT RELEASES (ADVERTISEMENTS)
   - IBM Secure E-business Infrastructure
   - Sponsored by VeriSign--The Value of Trust

6. SECURITY TOOLKIT
   - Virus Center
   - FAQ: How Can I Run Scheduled Tasks in the Background When They Run as the Currently Logged-on User?

7. NEW AND IMPROVED
   - Scan for Viruses
   - Protect Your Laptop from Theft

8. HOT THREADS
   - Windows & .NET Magazine Online Forums - Featured Thread: How to Control Bandwidth Use
   - HowTo Mailing List - Featured Thread: User Becomes Locked Out

9. CONTACT US
   See this section for a list of ways to contact us.

~~~~~~~~~~~~~~~~~~~~

1. ==== IN FOCUS ====

* ACTIVE DIRECTORY AND THE COMMON CRITERIA

Hello everyone,

Last week I wrote about Microsoft's white paper, "Design Considerations for Delegation of Administration in Active Directory," which discusses design considerations to maximize security for organizations that might need multiple domains. The paper, in part, suggests that such organizations should consider using multiple forests to minimize security risks.
http://www.microsoft.com/windows2000/techinfo/planning/activedirectory/addeladmin.asp

Donald Bauer, MCSE and Certified Citrix Administrator (CCA) at Integery International, wrote to inform me that Lucent Technologies has a white paper, "Windows 2000 Active Directory Design, Restricting the Enterprise Administrators Group," which is available online in PDF format. Anyone wondering about the pros and cons of multiple forest directory models should read this paper.
http://www.lucent.com/knowledge/documentdetail/0,1983,inContentId+8839-inLocaleId+1,00.html

The white paper outlines the advantages of grouping domains into a forest and discusses three Active Directory (AD) features that make this choice reasonable. The paper says, "There are many advantages to having domains grouped into a forest. First and foremost, the Windows 2000 AD automatically manages interdomain trusts within a forest. A second major advantage is that tools exist from both Microsoft and third parties to permit the movement of certain types of objects, such as user or computer accounts, from one domain to another in the same forest. A third advantage is a unified administrative model: a user can be designated an Enterprise Administrator (EA) and granted administrative rights to all domains in the forest." Great points.
The paper also discusses the controversy about the third mentioned advantage--a unified administrative model. The paper states, "This third feature has caused some controversy; specifically, some organizations want to have a fully segregated domain design such that an administrator in one domain cannot interfere with another domain. This has led some organizations to consider creating separate forests. Separate forests, while they do solve the problem of overlapping administration, introduce other complications into the mix; trusts between domains from different forests must be manually managed. If the organization employs Exchange 2000, a common global address book is not possible since the address book is defined on a forest basis. Finally, the ability to move user and computer objects between domains is lost since no tool currently exists to move an object from one forest to another." Those are some additional interesting tidbits of information, don't you think? If you're using AD, be sure to read the eight-page white paper--it's worth your time to do so.

On January 17, Microsoft released another white paper about AD called "The Common Criteria: Providing a Reliable Security Standard." The paper is available on the company's Web site. The paper discusses how to use AD to comply with the Common Criteria (CC).
http://www.microsoft.com/windows2000/techinfo/planning/commoncriteria.asp

According to the US government's CC Web site, "The governments of North American and European nations agreed in the spring of 1993 to develop a 'Common Information Technology Security Criteria.' Participants include France, Germany, the Netherlands, the UK, Canada, and the United States (National Institute of Standards and Technology--NIST--and National Security Administration--NSA). The Common Criteria Project is an international body of organizations charged with aligning the existing security criteria into a standard for certifying the security of products and systems.
The CC Project consists of three parts. Part 1 defines general concepts and principles of IT security evaluation and presents a general model of evaluation. Part 2 establishes a set of standard components to express the functional security requirements for targets of security evaluation. Part 3 establishes a set of assurance components to express the assurance requirements for targets of evaluation.

Be sure to visit the CC Web site and read about this initiative in detail. You can also read a brief explanation of the project at the SANS Institute Web site.
http://csrc.nist.gov/cc/info/infolist.htm
http://www.commoncriteria.org
http://rr.sans.org/securitybasics/criteria.php

Until next time, have a great week.

Sincerely,
Mark Joseph Edwards, News Editor
markat_private

~~~~~~~~~~~~~~~~~~~~

~~~~ SPONSOR: NEW SECURITY TOOLSET: ELM LOG MANAGER(tm) 3.0 ~~~~
TNT Software's ELM Log Manager(tm) 3.0 gives Security Administrators the power to see event entries with unrivaled clarity. With or without installed Agents, ELM efficiently monitors and collects events with separate, easy to use, Monitor Items. Personal Views and scheduled Reports provide valuable event summaries. And a unique Alerts feature, one of the 14 Notification Methods, provides a single glance view of the most critical events allowing prompt action. Download ELM and see How the First-to-Know Stay Ahead(tm)
For more information and download visit:
http://list.winnetmag.com/cgi-bin3/flo?y=eKca0CJgSH0CBw0qqE0Ai
~~~~~~~~~~~~~~~~~~~~

2. ==== SECURITY RISKS ====
(contributed by Ken Pfeil, kenat_private)

* PRIVILEGE ESCALATION VULNERABILITY IN WIN2K/NT DOMAINS
A vulnerability in Windows 2000 and Windows NT 4.0 domains lets an attacker gain administrative access to computers in a trusting domain. This vulnerability stems from the fact that the trusting domain doesn't verify that the trusted domain is actually authoritative for all the SIDs in the authorization data.
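The check that the trusting domain is missing, sketched as an added illustration for this newsletter (not Microsoft's code and not taken from the bulletin): every SID in the authorization data is accepted only if the trusted domain's own SID is its domain prefix, or if it is one of a few non-domain well-known SIDs. The domain SIDs below are constructed, and the well-known allow-list is an assumption of this sketch rather than the exact rule Windows applies.

```python
import re
from typing import List, Optional, Tuple

# Shape of a textual SID: S-1-<authority>-<subauthority>[-<subauthority>...]
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")

# Well-known SIDs that belong to no domain and may legitimately appear in anyone's
# authorization data (constructed allow-list for this illustration, not the Windows rule).
WELL_KNOWN_OK = {"S-1-1-0", "S-1-5-11"}  # Everyone, Authenticated Users


def domain_of(sid: str) -> Optional[str]:
    """Return the domain identifier of an NT domain SID (S-1-5-21-a-b-c-RID), else None."""
    parts = sid.split("-")
    if len(parts) == 8 and parts[:4] == ["S", "1", "5", "21"]:
        return "-".join(parts[:7])
    return None  # BUILTIN, well-known, or malformed: not relative to any domain


def filter_authorization_sids(trusted_domain_sid: str, sids: List[str]) -> Tuple[List[str], List[str]]:
    """Keep only SIDs the trusted domain is authoritative for; everything else is rejected."""
    accepted, rejected = [], []
    for sid in sids:
        if not SID_RE.match(sid):
            rejected.append(sid)  # malformed
        elif sid in WELL_KNOWN_OK or domain_of(sid) == trusted_domain_sid:
            accepted.append(sid)
        else:
            rejected.append(sid)  # foreign domain or anything else the trusted domain does not own
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample: TRUSTED issued the authorization data, TRUSTING consumes it.
    TRUSTED = "S-1-5-21-1111-2222-3333"
    TRUSTING = "S-1-5-21-4444-5555-6666"
    auth_data = [
        TRUSTED + "-1105",  # a genuine user of the trusted domain
        "S-1-1-0",          # Everyone
        TRUSTING + "-512",  # Domain Admins (RID 512) of the trusting domain: not the trusted domain's to assert
    ]
    ok, dropped = filter_authorization_sids(TRUSTED, auth_data)
    print("accepted:", ok)
    print("rejected:", dropped)
```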
If one of the SIDs in the list identifies a user or security group that's not in the trusted domain, the trusting domain accepts the information and uses it for future access control decisions. By inserting SIDs into the authorization data at the trusted domain, an attacker can elevate his or her privileges to those associated with any user or group, including the Domain Administrators group for the trusting domain. Microsoft has released security bulletin MS02-01 to address this vulnerability and recommends that affected users apply the security rollup packages provided in the bulletin.
http://www.secadministrator.com/articles/index.cfm?articleid=23959

* DOS IN SNORT
A remote Denial of Service (DoS) condition exists in the open-source Intrusion Detection System (IDS) Snort. An attacker can use specially crafted Internet Control Message Protocol (ICMP) echo and echo-reply packets with fewer than 5 bytes of ICMP data to remotely crash the system. The Snort developers recommend that affected users apply the available patch and recompile the binaries or download the latest version (build 90 or better).
http://www.secadministrator.com/articles/index.cfm?articleid=23923

3. ==== ANNOUNCEMENTS ====

* WANT 24 X 7 AVAILABILITY?
High-availability networks, systems, and applications are critical to every business. Sign up for our (free!) Webinar taking place on February 26 and sponsored by MKS, and find out how to achieve 24 x 7 availability on Windows 2000. Windows & .NET Magazine author Tim Huckaby shares his expertise on load balancing, monitoring, and more. Register today!
http://list.winnetmag.com/cgi-bin3/flo?y=eKca0CJgSH0CBw0qQh0Al

* WE NEED TO HEAR FROM YOU!
Your feedback is invaluable to us. Tell us who you are and how you use our products and you could win a free T-shirt, mag light, or padfolio. To get started, go to the following URL.
http://www.zoomerang.com/survey.zgi?d9ng21n8yxanak2gl8wswtql

4. ==== SECURITY ROUNDUP ====

* NEWS: MICROSOFT REPORTEDLY HALTS NEW SOFTWARE DEVELOPMENT TEMPORARILY
According to a report in Government Computer News (GCN), an IT publication aimed at federal, state, and local governments in the United States, Microsoft has halted all new software development for 1 month so that the company's programmers can focus on fixing existing bugs.
http://www.secadministrator.com/articles/index.cfm?articleid=23971

* NEWS: TINY SOFTWARE ANNOUNCES TROJAN TRAP SOFTWARE
Tiny Software announced the release of Trojan Trap, a security tool designed to prevent malicious applications and code from entering a network. The program consists of a series of executables, DLLs, and kernel-level drivers--each protecting a different aspect of an OS. Trojan Trap creates a closed sandbox environment in which code can execute. The software monitors the code to protect against unwanted access to system drivers, services, the registry, system files, and network ports.
http://www.secadministrator.com/articles/index.cfm?articleid=23952

* NEWS: NEW VERSION OF SPECTER IDS HONEYPOT AVAILABLE FOR XP
NETSEC announced version 6.0 of its SPECTER IDS honeypot software for Windows XP, Windows 2000, and Windows NT 4.0. The new version simulates 13 different OSs, includes new services and traps, and provides improved tools for incident analysis.
http://www.secadministrator.com/articles/index.cfm?articleid=23940

* NEWS: MICROSOFT SHIPS WIN2K SECURITY ROLLUP PACKAGE
Microsoft finally shipped its long-awaited Security Rollup Package for Win2K, which aggregates all the security fixes the company has shipped since Win2K Service Pack 2 (SP2). The cumulative patch requires that Win2K customers first install SP2.
http://www.secadministrator.com/articles/index.cfm?articleid=23928

5. ==== HOT RELEASES (ADVERTISEMENTS) ====

* IBM SECURE E-BUSINESS INFRASTRUCTURE
Not worried about hackers? You should be.
If your customers don't feel comfortable working with you, they'll work with someone else. Learn how IBM e-business can help, and get our complimentary security book at
http://list.winnetmag.com/cgi-bin3/flo?y=eKca0CJgSH0CBw0qqF0Aj

* SPONSORED BY VERISIGN--THE VALUE OF TRUST
Is your e-business secure? Learn why it's vital to encrypt business transactions, secure intranets and authenticate your Web site with the strongest encryption available--128-bit SSL. Get VeriSign's FREE Guide, "Securing Your Web Site for Business" now:
http://list.winnetmag.com/cgi-bin3/flo?y=eKca0CJgSH0CBw0p5N0Aq

6. ==== SECURITY TOOLKIT ====

* VIRUS CENTER
Panda Software and the Windows & .NET Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security.
http://www.secadministrator.com/panda

* FAQ: HOW CAN I RUN SCHEDULED TASKS IN THE BACKGROUND WHEN THEY RUN AS THE CURRENTLY LOGGED-ON USER?
(contributed by John Savill, http://www.windows2000faq.com)

A. Scheduled tasks usually run under the SYSTEM context and run in the background. However, if you change a service to run as a user account and that account is currently logged on to the machine, the scheduled task will run in the foreground. To change this behavior, follow these steps:

1. Start a registry editor (e.g., regedit.exe).
2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.
3. Double-click Shell (which is explorer.exe).
4. Modify this value to "<C:\windows>\explorer.exe," (don't type the quotes but do type the comma), where <C:\windows> is your local machine's system root.
5. Click OK.

7. ==== NEW AND IMPROVED ====
(contributed by Scott Firestone IV, productsat_private)

* SCAN FOR VIRUSES
Central Command released Vexira Antivirus, virus-protection software that combines a fast virus-scanning speed with various virus-detection technologies.
The software features Vexira Guard, a realtime scanner that operates in the background until it detects a virus. The software then stops access to the infected files to prevent accidental infection. Vexira Antivirus runs on Windows XP, Windows 2000, Windows NT, Windows Me, and Windows 9x systems and costs $49.95. Contact Central Command at 330-723-2062 or 866-243-8289.
http://www.centralcommand.com

* PROTECT YOUR LAPTOP FROM THEFT
Caveo Technology released Caveo Anti-Theft, an integrated security solution for laptops that is available in the form of a PC Card. The solution deters theft by detecting motion and issuing audible warning signals. If someone moves the laptop beyond a distance specified by you, the system assumes theft and implements strong security responses. The security measures include shutting down the laptop, an audible alarm, and the option to encrypt the hard disk. The Caveo Anti-Theft PC Cards cost $99. Contact Caveo Technology at 800-363-1418.
http://www.caveo.com

8. ==== HOT THREADS ====

* WINDOWS & .NET MAGAZINE ONLINE FORUMS
http://www.winnetmag.net/forums

Featured Thread: How to Control Bandwidth Use
(One message in this thread)
Spike's company uses a single Internet connection for its Web server and proxy server. The company's priority is the Web server, and Spike wants to know how he can control the bandwidth use of the proxy server so that users take up less bandwidth, thereby freeing up bandwidth for server use. If you can help, visit the following URL:
http://www.secadministrator.com/forums/thread.cfm?thread_id=84618

* HOWTO MAILING LIST
http://www.secadministrator.com/listserv/page_listserv.asp?s=howto

Featured Thread: User Becomes Locked Out
(One message in this thread)
Dimitri has a situation in which one user complains about once a week that his account has locked him out. Dimitri checks event logs on the domain controllers (DCs) and doesn't see anything unusual--no failed logons anywhere in the organization. Dimitri enabled logging for all events, whether successful or failed. He checked to ensure that he doesn't have drives mapped to other machines and to ensure that no other software tries to authenticate to the network. He also confirmed that the user isn't dialed in or running a VPN from home with a connection left running. Can you help? Read the responses or lend a hand at the following URL:
http://63.88.172.96/listserv/page_listserv.asp?a2=ind0202a&l=howto&p=3527

9. ==== CONTACT US ====
Here's how to reach us with your comments and questions:

* ABOUT IN FOCUS -- markat_private
* ABOUT THE NEWSLETTER IN GENERAL -- mlibbeyat_private
  (please mention the newsletter name in the subject line)
* TECHNICAL QUESTIONS -- http://www.winnetmag.net/forums
* PRODUCT NEWS -- productsat_private
* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer Support -- securityupdateat_private
* WANT TO SPONSOR SECURITY UPDATE? emedia_oppsat_private

********************
Receive the latest information about the Windows and .NET topics of your choice. Subscribe to our other FREE email newsletters.
http://www.winnetmag.net/email

|-+-+-+-+-+-+-+-+-+-|

Thank you for reading Security UPDATE.

SUBSCRIBE
To subscribe, send a blank email to mailto:Security-UPDATE_Subat_private

Copyright 2002, Penton Media, Inc.

- ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Thu Feb 07 2002 - 03:06:37 PST