********************
Windows & .NET Magazine Security UPDATE--brought to you by Security Administrator, a print newsletter bringing you practical, how-to articles about securing your Windows .NET Server, Windows 2000, and Windows NT systems.
http://www.secadministrator.com
********************

~~~~ THIS ISSUE SPONSORED BY ~~~~

Protection from the Top 10 Security Threats
http://list.winnetmag.com/cgi-bin3/flo?y=eK1X0CJgSH0CBw0rVA0AF

VeriSign--The Value of Trust
http://list.winnetmag.com/cgi-bin3/flo?y=eK1X0CJgSH0CBw0p5N0Ar
(below IN FOCUS)
~~~~~~~~~~~~~~~~~~~~

~~~~ SPONSOR: PROTECTION FROM THE TOP 10 SECURITY THREATS ~~~~
Do you know the 10 most widely exploited vulnerabilities in the Windows environment? Better yet, do you know how to close them? What's the most common weakness found throughout today's IT environments? What can you do about it? Tune in to BindView's March 14 Webinar with Scott Blake, "Top 10 Security Threats for Windows 2000 and Active Directory," and find out. If you do nothing else, closing these Top 10 holes will go a long way toward securing your network! Register today at
http://list.winnetmag.com/cgi-bin3/flo?y=eK1X0CJgSH0CBw0rVA0AF
~~~~~~~~~~~~~~~~~~~~

March 6, 2002--In this issue:

1. IN FOCUS
     - Additional Information About Microsoft Baseline Security Analyzer

2. SECURITY RISKS
     - Authentication Vulnerability in SMTP of Microsoft Windows 2000 and Exchange Server 5.5
     - Denial of Service in Microsoft's SMTP Service
     - Multiple Vulnerabilities in PHP Scripting Language

3. ANNOUNCEMENTS
     - Register for a Free NAS Webinar!
     - Register Now for Security Matters at Internet World Spring

4. SECURITY ROUNDUP
     - News: IETF Receives Proposal: Responsible Vulnerability Disclosure Process
     - News: Microsoft Releases Patches for Several Critical Flaws

5. SECURITY TOOLKIT
     - Virus Center
     - FAQ: How Can I Enable the Microsoft Outlook Web Access (OWA) Logoff Warning Page?

6. NEW AND IMPROVED
     - Firewall Products
     - Learn About Security Architecture

7. HOT THREADS
     - Windows & .NET Magazine Online Forums
         - Featured Thread: Automatically Log Off Users
     - HowTo Mailing List
         - Featured Thread: Locking Users Out of a Directory at Specified Times

8. CONTACT US
     See this section for a list of ways to contact us.

~~~~~~~~~~~~~~~~~~~~

1. ==== IN FOCUS ====

* ADDITIONAL INFORMATION ABOUT MICROSOFT BASELINE SECURITY ANALYZER

Last week, I reported that Microsoft plans to release a new security-analysis tool, Microsoft Baseline Security Analyzer (MBSA), which Microsoft is codeveloping with Shavlik Technologies. Since then, I've spoken about the new tool with Lara Sosnosky, product manager at Microsoft, and Mark Shavlik, founder of Shavlik Technologies.

Sosnosky said that MBSA is essentially a superset of Microsoft Personal Security Advisor (MPSA), Microsoft's Web-based security scanner. (See the URLs at the end of the column.) MBSA will scan servers and remote systems and will also contain the functionality in Microsoft's existing security-analysis tool, HFNetChk, which scans for installed or missing hotfixes. (MBSA contains HFNetChk's compiled code.) The tool will ship as an executable that runs on local systems instead of from a Microsoft-hosted Web site.

Because MBSA is a superset of MPSA, you'll likely see MPSA's functionality in the MBSA tool. MPSA scans a workstation and reports on a wealth of security aspects, such as missing security patches and settings for a variety of system components. MPSA's list of checks (to be seen in MBSA) includes scans that relate to password strength and length parameters, Microsoft Internet Explorer (IE) and Microsoft Outlook Express security (including security zones), Microsoft Office macro protection, RAS Manager security, system auditing, file-system security, anonymous connections, automated logons, shares, Administrator group membership, and service parameters.

When scanning servers, MBSA will be able to inspect various services to some degree.
For example, when inspecting a Microsoft SQL Server installation, MBSA will check whether the systems administrator (sa) account has a blank password, which logins the sysadmin fixed server role includes, and whether the default installation directory has properly set ACLs. In another example, when MBSA scans a Microsoft IIS server, MBSA will check for installed sample applications. The list of checks performed against a server is more extensive, but these examples give you a basic idea of what to expect.

The first version of MBSA will ship as both a GUI-based and command-line-based tool, so you'll be able to run MBSA from batch files and use task schedulers to launch the tool. The initial MBSA release will have its various checks hard-coded, so the only control users will have over which checks MBSA performs will be to tell the tool whether to scan services and which services to scan. Users will define the services to scan through a text-based script file.

MBSA will run on Windows XP Professional, XP Home, Windows 2000 Server, and Win2K Professional. The tool will scan all OSs (whether server or workstation versions) from Windows NT 4.0 through XP. The tool's reporting subsystem will produce XML-based output, and the GUI will render the XML into readable HTML for the user.

Shavlik said that after Microsoft releases MBSA, his company will release an updated version of its current EnterpriseInspector security scanner product. The updated EnterpriseInspector will have a look and feel similar to MBSA and will be compatible with MBSA's scanning ability. Shavlik said that EnterpriseInspector will become a superset of Microsoft's MBSA, much as Shavlik's commercially available HFNetChkPro is a superset of Microsoft's free HFNetChk tool. Expect to see even more scanning functionality with EnterpriseInspector once Shavlik releases the updated version.
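The three SQL Server checks attributed to MBSA above (blank sa password, sysadmin role membership, installation-directory ACLs) are easy to run by hand while you wait for the tool. The PowerShell script below is an added example written for this column, not MBSA's or Shavlik's code. It assumes a Windows host with PowerShell and the .NET System.Data.SqlClient provider, Windows-authenticated sysadmin access to a SQL Server 2000 instance (the master..syslogins view, its password column and the PWDCOMPARE() function are SQL Server 2000 features), and the default install root. The parameter names $Instance and $InstallRoot, the helper Invoke-MasterQuery, and the list of principals treated as "too broad" in the ACL check are this example's assumptions, not values from the article.

```powershell
# Added example (not MBSA's or Shavlik's code): the three SQL Server checks the
# column attributes to MBSA, run by hand against one instance.
# Assumptions not taken from the article: Windows PowerShell with the .NET
# System.Data.SqlClient provider, Windows-authenticated sysadmin access to a
# SQL Server 2000 instance (master..syslogins, its password column and
# PWDCOMPARE() are SQL Server 2000 features), and the default install root.
param(
    [string]$Instance    = '.',                                           # assumed: local default instance
    [string]$InstallRoot = 'C:\Program Files\Microsoft SQL Server\MSSQL'  # assumed: SQL Server 2000 default path
)

# Run one query against master and return the first column of every row.
function Invoke-MasterQuery {
    param([string]$Sql)
    $connString = "Server=$Instance;Database=master;Integrated Security=SSPI"
    $conn = New-Object -TypeName System.Data.SqlClient.SqlConnection -ArgumentList $connString
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Sql
        $reader = $cmd.ExecuteReader()
        while ($reader.Read()) { $reader.GetValue(0) }
    } finally {
        $conn.Close()
    }
}

$findings = @()

# Check 1: SQL-authenticated logins whose password is unset (NULL, which is how
# a blank sa password is stored) or hashes the same as the empty string.
# Windows logins (isntname = 1) carry no SQL password, so they are skipped.
$blankPasswordSql = @"
SELECT name FROM master..syslogins
WHERE isntname = 0 AND (password IS NULL OR PWDCOMPARE('', password) = 1)
"@
foreach ($login in Invoke-MasterQuery $blankPasswordSql) {
    $findings += "blank password on login '$login'"
}

# Check 2: members of the sysadmin fixed server role. sa is always a member;
# anything else listed can do whatever it likes on the instance and should be
# a known, deliberate grant.
$sysadminSql = 'SELECT name FROM master..syslogins WHERE sysadmin = 1'
foreach ($login in Invoke-MasterQuery $sysadminSql) {
    if ($login -ne 'sa') { $findings += "sysadmin role member '$login'" }
}

# Check 3: install-directory ACL. An Allow ACE that gives a broad principal
# write access lets an ordinary local user replace the server's binaries.
# The principals treated as "broad" are an assumption for this example.
$broadPrincipals = '^(Everyone|BUILTIN\\Users|NT AUTHORITY\\Authenticated Users)$'
$writeBits   = [int][System.Security.AccessControl.FileSystemRights]::Write
$genericBits = 0x50000000   # GENERIC_ALL | GENERIC_WRITE, seen as raw bits on some inherited ACEs
foreach ($ace in (Get-Acl -Path $InstallRoot).Access) {
    $rights = [int]$ace.FileSystemRights
    if ($ace.AccessControlType -eq 'Allow' -and
        $ace.IdentityReference.Value -match $broadPrincipals -and
        (($rights -band $writeBits) -or ($rights -band $genericBits))) {
        $findings += "weak ACL on $($InstallRoot): $($ace.IdentityReference.Value) has $($ace.FileSystemRights)"
    }
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

Run it from an elevated PowerShell session on the SQL Server host. Of the three findings, a blank sa password is the one to fix first: anyone who can reach the instance's listener can log in as sa, and neither a tight ACL nor a short sysadmin list compensates for that.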
One advantage of the updated EnterpriseInspector product will be its use of a SQL Server 2000 back end, which Shavlik already includes in the current EnterpriseInspector version. By using a database server to store collected security information, EnterpriseInspector will let users perform more tailored scans and obtain better reporting. For example, EnterpriseInspector will be able to use the stored data to perform cross scans, such as listing the top-10 least-secured IIS or SQL servers. Advanced users will be able to define additional scanning parameters that will permit other types of customized scanning.

Microsoft and Shavlik have tentatively scheduled the release of both MBSA and the MBSA-compatible EnterpriseInspector for late March, but that time frame could slip. Release depends on debugging the code and coordinating the date-driven and version-dependent aspects of the tools as they relate to the various versions of Microsoft products. I'll notify you when the tools become available.
http://www.microsoft.com/technet/mpsa/info.asp
http://www.microsoft.com/technet/security/tools/mpsa.asp
http://www.shavlik.com

Until next time, have a great week.

Sincerely,
Mark Joseph Edwards, News Editor
markat_private

~~~~~~~~~~~~~~~~~~~~

~~~~ SPONSOR: VERISIGN--THE VALUE OF TRUST ~~~~
Is your e-business secure enough? Learn why it's vital to encrypt your business transactions, secure your intranets, and authenticate your Web site with the strongest encryption available--128-bit SSL. To learn more, get VeriSign's FREE Guide, "Securing Your Web Site for Business," now:
http://list.winnetmag.com/cgi-bin3/flo?y=eK1X0CJgSH0CBw0p5N0Ar
~~~~~~~~~~~~~~~~~~~~

2. ==== SECURITY RISKS ====
(contributed by Ken Pfeil, kenat_private)

* AUTHENTICATION VULNERABILITY IN SMTP OF MICROSOFT WINDOWS 2000 AND EXCHANGE SERVER 5.5
BindView's RAZOR Team discovered a vulnerability in the way that the SMTP service handles a valid response from the underlying OS's NT LAN Manager (NTLM) authentication layer. An attacker can use this vulnerability to gain user-level privileges on the SMTP service. Microsoft released Security Bulletin MS02-011, which addresses this vulnerability, and recommends that affected users immediately apply the appropriate patch listed in the bulletin.
http://www.secadministrator.com/articles/index.cfm?articleid=24330

* DENIAL OF SERVICE IN MICROSOFT'S SMTP SERVICE
HD Moore discovered a Denial of Service (DoS) condition in the SMTP service of Windows XP Professional, Windows 2000, and Microsoft Exchange 2000 Server. A vulnerability exists in how the service handles a particular type of SMTP command used to transfer incoming mail data. By issuing a malformed version of the SMTP command, an attacker can cause the SMTP service to fail. Microsoft released Security Bulletin MS02-012, which addresses this vulnerability, and recommends that affected users immediately apply the appropriate patch listed in the bulletin.
http://www.secadministrator.com/articles/index.cfm?articleid=24331

* MULTIPLE VULNERABILITIES IN PHP SCRIPTING LANGUAGE
Stefan Esser discovered multiple vulnerabilities in the PHP scripting language's file-upload code that let an attacker remotely compromise a vulnerable server. Several problems exist in the way PHP handles multipart/form-data POST requests. An attacker can use each of these problems to execute arbitrary code on the vulnerable system. Affected users should immediately upgrade to PHP 4.1.2 or download the appropriate security fix from the PHP Web site.
http://www.secadministrator.com/articles/index.cfm?articleid=24324

3. ==== ANNOUNCEMENTS ====

* REGISTER FOR A FREE NAS WEBINAR!
Join our free Webinar, "NAS Emerges as a Prime Storage Solution" (sponsored by Dell and Microsoft), and discover how Network Attached Storage (NAS) can meet your enterprise's demands for high availability, manageability, scalability, and performance. Also, learn more about how Windows 2000 is optimized for developing specialized NAS applications and hear about real-world solutions for NAS and emerging NAS applications. Register today!
http://list.winnetmag.com/cgi-bin3/flo?y=eK1X0CJgSH0CBw0rHs0Ap

* REGISTER NOW FOR SECURITY MATTERS AT INTERNET WORLD SPRING
The Security Matters conference and exhibit will bring you up-to-date on the latest products and services that can help you keep your network, your data, and your company secure. Security Matters is co-located with Internet World Spring, April 24 through 26, in Los Angeles. For registration and information, visit the following URL.
http://list.winnetmag.com/cgi-bin3/flo?y=eK1X0CJgSH0CBw0rVB0AG

4. ==== SECURITY ROUNDUP ====

* NEWS: IETF RECEIVES PROPOSAL: RESPONSIBLE VULNERABILITY DISCLOSURE PROCESS
The Internet Engineering Task Force (IETF) received a draft proposal called "Responsible Vulnerability Disclosure Process" (RVDP), which the writers hope will become a published Request for Comments (RFC) standard.
http://www.secadministrator.com/articles/index.cfm?articleid=24321

* NEWS: MICROSOFT RELEASES PATCHES FOR SEVERAL CRITICAL FLAWS
Microsoft's security jihad continued this week as the company issued a set of patches that address "critical flaws" in Microsoft Internet Explorer (IE), Commerce Server 2000, and SQL Server. The IE patches, which the company issued through Windows Update and Auto Update late last week, address a previously unannounced VBScript-related vulnerability that affects all newer IE versions. The patches also deal with an IE 6.0 bug first revealed late last year.
http://www.secadministrator.com/articles/index.cfm?articleid=24288

5. ==== SECURITY TOOLKIT ====

* VIRUS CENTER
Panda Software and the Windows & .NET Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security.
http://www.secadministrator.com/panda

* FAQ: HOW CAN I ENABLE THE MICROSOFT OUTLOOK WEB ACCESS (OWA) LOGOFF WARNING PAGE?
(contributed by John Savill, http://www.windows2000faq.com)

A. The OWA logoff warning page is intended for OWA users who regularly access their email from public kiosks, where a user who walks away without logging off can leave the mailbox accessible to the next person at the machine. The Log Off icon on the main Outlook bar points to a customizable Active Server Pages (ASP) page that tells the user how to log off of his or her mailbox. You can also have OWA display a warning page when the user navigates away from OWA without logging off (by closing the Web browser window or by typing a different URL into the Address bar). To enable the warning page, follow these steps:
   1. Start a registry editor (e.g., regedit.exe).
   2. Navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeWEB\OWA subkey.
   3. From the Edit menu, select New, DWORD Value.
   4. Enter a name of EnableLogoffWarning and press Enter.
   5. Double-click the new value, set it to 1, and click OK.
   6. Close the registry editor.

6. ==== NEW AND IMPROVED ====
(contributed by Scott Firestone, IV, productsat_private)

* FIREWALL PRODUCTS
SonicWALL released the SonicWALL PRO family of high-performance, business-class firewall appliances. The SonicWALL PRO 100 features unlimited network nodes and an integrated demilitarized zone (DMZ) port to support public servers. The SonicWALL PRO 200 features an IP Security (IPSec) VPN, support for as many as 500 VPN tunnels, an integrated DMZ port, and unlimited node support. The SonicWALL PRO 300 features an IPSec VPN with 50 VPN clients for remote workers, SonicWALL ViewPoint reporting software, support for as many as 1000 VPN tunnels, an integrated DMZ port, and unlimited node support. Prices start at $1795. Contact SonicWALL at 408-745-9600.
http://www.sonicwall.com

* LEARN ABOUT SECURITY ARCHITECTURE
Osborne/McGraw-Hill released "Security Architecture: Design, Deployment, and Operations," a book by Christopher King, Curtis Dalton, and T. Osmanoglu, that teaches you how to design a secure solution and the principles for developing a solid network architecture. You'll learn how to develop an information classification and access control plan; how to use appropriate security technology; and how to ensure complete network security across multiple systems, applications, hosts, and devices. The 481-page book costs $49.99. Contact Osborne at 800-227-0900.
http://www.osborne.com

7. ==== HOT THREADS ====

* WINDOWS & .NET MAGAZINE ONLINE FORUMS
http://www.winnetmag.net/forums

Featured Thread: Automatically Log Off Users
(One message in this thread)
Dave wants to know how to set up a Windows NT 4.0 network to automatically log off users after a period of inactivity. Can you help? Read more about the problem at the following URL.
http://www.secadministrator.com/forums/thread.cfm?thread_id=96983

* HOWTO MAILING LIST
http://www.secadministrator.com/listserv/page_listserv.asp?s=howto

Featured Thread: Locking Users Out of a Directory at Specified Times
(One message in this thread)
A user wants to know how to configure Windows 2000 to automatically prevent a group of users from accessing a particular directory during specified times of the day. Can you help? Read the responses or lend a hand at the following URL.
http://18.104.22.168/listserv/page_listserv.asp?a2=ind0202d&l=howto&p=1296

8. ==== CONTACT US ====
Here's how to reach us with your comments and questions:

* ABOUT IN FOCUS -- markat_private

* ABOUT THE NEWSLETTER IN GENERAL -- mlibbeyat_private (please mention the newsletter name in the subject line)

* TECHNICAL QUESTIONS -- http://www.winnetmag.net/forums

* PRODUCT NEWS -- productsat_private

* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer Support -- securityupdateat_private

* WANT TO SPONSOR SECURITY UPDATE? emedia_oppsat_private

********************
Receive the latest information about the Windows and .NET topics of your choice. Subscribe to our other FREE email newsletters.
http://www.winnetmag.net/email
|-+-+-+-+-+-+-+-+-+-|

Thank you for reading Security UPDATE.

SUBSCRIBE
To subscribe, send a blank email to mailto:Security-UPDATE_Subat_private

- ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Thu Mar 07 2002 - 03:30:03 PST