********************
Windows & .NET Magazine Security UPDATE--brought to you by Security Administrator, a print newsletter bringing you practical, how-to articles about securing your Windows .NET Server, Windows 2000, and Windows NT systems.
http://www.secadministrator.com
********************

~~~~ THIS ISSUE SPONSORED BY ~~~~

"Tee-Off" at Tech·Ed with Sybari Software
http://list.winnetmag.com/cgi-bin3/flo?y=eLPS0CJgSH0CBw0r830Aw

Windows & .NET Magazine Network UPDATE Newsletters
http://list.winnetmag.com/cgi-bin3/flo?y=eLPS0CJgSH0CBw0rvS0AW
(below IN FOCUS)
~~~~~~~~~~~~~~~~~~~~

~~~~ SPONSOR: "TEE-OFF" AT TECH·ED WITH SYBARI SOFTWARE ~~~~
Don't get caught waiting for signature file updates from your single engine provider when the next email virus hits! Visit Sybari's booth (#619) at Tech Ed and learn how Antigen lets you deploy up to six of the leading virus scan engine technologies for the most comprehensive virus scanning on the market today. Antigen also delivers advanced content management capabilities including subject line, sender, and domain filtering. Don't forget to play Sybari's "Putt and Win" game at Tech Ed and enter to win a Ping Putter. Not going to Tech Ed? Attend an Antigen web demo by May 1st and get a free Sybari t-shirt. Register at
http://list.winnetmag.com/cgi-bin3/flo?y=eLPS0CJgSH0CBw0r830Aw
~~~~~~~~~~~~~~~~~~~~

April 3, 2002--In this issue:

1. IN FOCUS
   - Abundant Resources for Security Best Practices

2. SECURITY RISKS
   - Memory Leak Vulnerability in Cisco Systems' CallManager 3.1
   - Script Execution Vulnerabilities in Microsoft IE

3. ANNOUNCEMENTS
   - Sign Up for Free UPDATEs and Enter to Win a Palm Handheld!
   - Find the Right Training Tool for You!

4. SECURITY ROUNDUP
   - News: Survey Says Web Sites Are Now Less Intrusive
   - News: More Outlook Security Problems
   - Feature: WS-Security Sets Standard for Web Services Transactions

5. SECURITY TOOLKIT
   - Virus Center
   - Virus Alert: W32/MyLife.B
   - FAQ: What Advantages Do Offline Backups and Image Backups Have over Online Backups?

6. NEW AND IMPROVED
   - Learn About Web Security, Privacy, and Commerce
   - Restrict File and Folder Access

7. HOT THREADS
   - Windows & .NET Magazine Online Forums
     Featured Thread: Anonymous Access
   - HowTo Mailing List
     Featured Thread: How to Hide Dial-up Properties

8. CONTACT US
   See this section for a list of ways to contact us.

~~~~~~~~~~~~~~~~~~~~

1. ==== IN FOCUS ====
(contributed by Mark Joseph Edwards, markat_private)

* ABUNDANT RESOURCES FOR SECURITY BEST PRACTICES
Have you visited Microsoft TechNet's Security Best Practices Web site recently? In January, just two documents were posted to the site. However, when I revisited the site (see the URL below), I found that since mid-March, Microsoft has assembled more than two dozen additional items from both in-house and outside sources. Currently, the site offers 29 links that lead to individual resources that include white papers, interviews, articles, checklists, and links to other useful sites.
http://www.microsoft.com/technet/security/bestprac

Let me give you a brief overview of what the site offers. You'll find information about topics such as preventing Denial of Service (DoS) attacks, effective security monitoring, TCP/IP security, and security strategies. For example, "Best Practices for Preventing DoS/Denial of Service Attacks," by Michael Cretzman and Todd Weeks, lists 10 best practices for preventing such attacks based on information drawn from actual attacks that several companies experienced. The article includes advice about system configuration and suggests several registry adjustments that can help minimize the effects of DoS attacks. Another article available through the site, "Distributed Denial-of-Service Attacks and You," by Paul Robichaux, describes the nature of distributed attacks and lists various ways you can protect your network from them.
The latter article includes links to other Web sites that have additional related information.

Both the TCP/IP article and the security strategy article are chapters from popular and respected books. "TCP/IP from a Security Viewpoint," Chapter 3 of "Firewalls, 24 seven" (Sybex), by Matthew Strebe and Charles Perkins, offers an in-depth discussion about how TCP/IP packets are structured and how various protocols move traffic in and out of your network. "For Strategists," Chapter 11 of "Intrusion Detection" (Macmillan Technical Publishing), by Rebecca Gurley Bace, provides a roadmap for people charged with improving security in their organizations. It offers good advice about developing your security strategies and suggests specific questions to ask solution vendors. This Web site draws information from other books as well.

The Security Best Practices Web site resources also include information about managing Microsoft IIS Web services, an interview with Dr. William Stallings (a popular engineer and consultant) about cryptography, and best practices for managing service packs and hotfixes. "Manage Security of Your Windows IIS Web Services," from Microsoft Consulting Services Web Server Best Practices, offers advice about how to bring rogue systems under management to help prevent security problems such as virus infections. The Stallings interview covers topics such as assessing security needs, open-standard encryption algorithms, the inner workings of firewalls, what intruders look for, and intrusion detection.

As you know, managing service packs and hotfixes is a hot topic. During the last month and a half, Microsoft has released more than a dozen security bulletins. Keeping up with all the patches (and service pack releases, which are less frequent) is a tough job indeed, especially for those who administer large networks.
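Keeping track of which machines have which hotfixes is the first step in keeping up. The script below is an added illustration, not code from the newsletter or from Microsoft: it reads a per-host inventory you would assemble yourself (one host per line: name, role, comma-separated hotfix IDs; this format is an assumption), reports every hotfix that is missing somewhere, flags revision drift between domain controllers, flags hotfixes that reached production before any test box, and proposes a rollout order. The hosts, roles, and Q1000xx IDs in the sample inventory are constructed placeholders, and the test-then-member-then-DC ordering is my own assumption about a sensible staging sequence.

```python
"""Hotfix revision-consistency check across a set of Windows hosts.

Added example, not code from the newsletter or from Microsoft.  The
inventory format (one host per line: name, role, comma-separated hotfix
IDs) is an assumption; you would build it yourself from each machine's
installed-hotfix list.  SAMPLE_INVENTORY is constructed data, and the
Q1000xx IDs are placeholders, not real hotfix numbers.
"""

# Assumed roles and the order in which they should receive a patch:
# test boxes first, ordinary member servers next, domain controllers last.
ROLE_ORDER = {"test": 0, "member": 1, "dc": 2}

# Constructed sample inventory (placeholder hosts and hotfix IDs).
SAMPLE_INVENTORY = """\
# host      role    installed hotfixes
dc1         dc      Q100001,Q100002,Q100003
dc2         dc      Q100001,Q100002
web1        member  Q100001,Q100002,Q100003,Q100004
print1      member  Q100001,Q100005
test-web    test    Q100001,Q100002,Q100003,Q100004
"""


def parse_inventory(text):
    """Return {host: (role, set_of_hotfix_ids)}; blank and '#' lines are skipped."""
    inventory = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        host, role, fixes = line.split()
        if role not in ROLE_ORDER:
            raise ValueError(f"unknown role {role!r} on host {host}")
        inventory[host] = (role, set(fixes.split(",")))
    return inventory


def consistency_report(inventory):
    """Map each hotfix that is absent somewhere to the sorted hosts lacking it.

    Hotfixes installed everywhere are omitted, so an empty dict means every
    host is at the same revision.
    """
    all_fixes = set().union(*(fixes for _, fixes in inventory.values()))
    report = {}
    for fix in sorted(all_fixes):
        missing = sorted(host for host, (_, fixes) in inventory.items()
                         if fix not in fixes)
        if missing:
            report[fix] = missing
    return report


def dc_drift(inventory):
    """Hotfixes installed on some domain controllers but not on all of them."""
    dc_sets = [fixes for _, (role, fixes) in inventory.items() if role == "dc"]
    if not dc_sets:
        return set()
    return set.union(*dc_sets) - set.intersection(*dc_sets)


def untested(inventory):
    """Hotfixes present on production hosts that no test host has received."""
    tested = set().union(*(fixes for role, fixes in inventory.values()
                           if role == "test"))
    production = set().union(*(fixes for role, fixes in inventory.values()
                               if role != "test"))
    return production - tested


def rollout_order(inventory, fix):
    """Hosts still lacking `fix`, ordered by ROLE_ORDER and then by name."""
    pending = [(ROLE_ORDER[role], host)
               for host, (role, fixes) in inventory.items() if fix not in fixes]
    return [host for _, host in sorted(pending)]


if __name__ == "__main__":
    inv = parse_inventory(SAMPLE_INVENTORY)
    for fix, hosts in consistency_report(inv).items():
        print(f"{fix}: missing on {', '.join(hosts)}")
    print("DC revision drift:", sorted(dc_drift(inv)) or "none")
    print("in production but never on a test host:", sorted(untested(inv)) or "none")
    print("rollout order for Q100004:", rollout_order(inv, "Q100004"))
```

On the sample data the report shows Q100003 on one DC but not the other, and Q100005 on a print server that no test machine ever received; both are the conditions a patch-management process is meant to catch before they surface as an outage.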
The Microsoft article "Best Practices for Applying Service Packs, Hotfixes, and Security Patches," by Rick Rosato, outlines various steps to take before, during, and after installation. The article recommends that you apply all changes in a test environment and be prepared to uninstall in case the systems in your environment behave unexpectedly. The document also stresses the need for revision consistency, especially with domain controllers (DCs), and recommends that noncritical systems be updated first.

Overall, the Web site offers abundant resources that you might not be aware of. Be sure to stop by the site and take a look. The site can help raise your awareness about various aspects of security and help you increase the overall security of your entire enterprise.

Until next time, have a great week.

Sincerely,
Mark Joseph Edwards, News Editor
markat_private

~~~~~~~~~~~~~~~~~~~~

~~~~ SPONSOR: WINDOWS & .NET MAGAZINE NETWORK UPDATE NEWSLETTERS ~~~~
* SIGN UP FOR FREE UPDATES AND ENTER TO WIN A PALM HANDHELD!
UPDATE email newsletters are designed to help busy IT professionals just like you stay on top of the latest Windows enterprise news and developments. We distill what's really important in the world of IT in a concise and independent voice. Sign up for FREE today and you'll be entered to win a Palm handheld!
http://list.winnetmag.com/cgi-bin3/flo?y=eLPS0CJgSH0CBw0rvS0AW
~~~~~~~~~~~~~~~~~~~~

2. ==== SECURITY RISKS ====

* MEMORY LEAK VULNERABILITY IN CISCO SYSTEMS' CALLMANAGER 3.1
A vulnerability in Cisco Systems' CallManager 3.1 can cause a memory leak in the computer telephony integration (CTI) framework authentication. The leak can exhaust the server's memory and cause it to crash and reload, so an attacker who can trigger it repeatedly can create a Denial of Service (DoS) condition.
http://www.secadministrator.com/articles/index.cfm?articleid=24641

* SCRIPT EXECUTION VULNERABILITIES IN MICROSOFT IE
Andreas Sandblad discovered two vulnerabilities in Microsoft Internet Explorer (IE), one of which can lead to script execution in the Local Computer zone. The first vulnerability involves a flaw in the way IE handles object tags that lets an attacker invoke an executable already present on the vulnerable system. The second vulnerability targets IE's zone-determination function: by embedding an HTML script within a cookie, an attacker can execute a script on the vulnerable computer.
http://www.secadministrator.com/articles/index.cfm?articleid=24651

3. ==== ANNOUNCEMENTS ====

* SIGN UP FOR FREE UPDATES AND ENTER TO WIN A PALM HANDHELD!
UPDATE email newsletters are designed to help busy IT professionals just like you stay on top of the latest Windows enterprise news and developments. We distill what's really important in the world of IT in a concise and independent voice. Sign up for FREE today and you'll be entered to win a Palm handheld!
http://list.winnetmag.com/cgi-bin3/flo?y=eLPS0CJgSH0CBw0rvS0AW

* FIND THE RIGHT TRAINING TOOL FOR YOU!
The Windows & .NET Magazine Training and Certification Interactive Product Guide is an online resource where you'll discover boot camps, test simulators, and other resources to help you get certified. Whether you're studying for your MCSE exams, trying to strengthen your resume, or just learning a new skill set, you'll definitely want to check this guide out!
http://list.winnetmag.com/cgi-bin3/flo?y=eLPS0CJgSH0CBw0r5p0Au

4. ==== SECURITY ROUNDUP ====

* NEWS: SURVEY SAYS WEB SITES ARE NOW LESS INTRUSIVE
The Progress & Freedom Foundation (PFF) published a new survey that shows that fewer Web sites are collecting users' personal information. The study indicates that only 84 percent of the 100 most popular Web sites collect personal information; in 2000, 96 percent collected personal information. In addition, only 48 percent of the 100 most popular Web sites use cookies to track users' surfing habits, compared with 78 percent that used cookies in 2000. Read more about the new survey results at the URL below.
http://www.secadministrator.com/articles/index.cfm?articleid=24642

* NEWS: MORE OUTLOOK SECURITY PROBLEMS
As we approach the 2-year anniversary of the VBS.LoveLetter virus outbreak, which catapulted Microsoft Outlook into the headlines, security problems continue to surface. Internet security and privacy expert Richard M. Smith posted a note to the NTBugtraq mailing list that cited four problems with Outlook 2002--two security problems, one privacy problem, and one case of mixed messages from Microsoft--that Smith says probably affect earlier Outlook versions as well.
http://www.secadministrator.com/articles/index.cfm?articleid=24618

* FEATURE: WS-SECURITY SETS STANDARD FOR WEB SERVICES TRANSACTIONS
The three core pieces of Microsoft's XML Web services--Simple Object Access Protocol (SOAP), Web Services Description Language (WSDL), and Universal Description, Discovery, and Integration (UDDI)--form the foundation of Microsoft's approach to the .NET platform, but they don't represent the whole picture. To add greater security and better routing and lookup abilities to Web services, Microsoft is developing five other XML-based specifications. Read this article to learn more.
http://www.secadministrator.com/articles/index.cfm?articleid=24401

5. ==== SECURITY TOOLKIT ====

* VIRUS CENTER
Panda Software and the Windows & .NET Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security.
http://www.secadministrator.com/panda

* VIRUS ALERT: W32/MYLIFE.B
W32/MyLife.B is a mass-mailing worm that arrives in a compressed format in a user's inbox as an email message with another email message attached.
In reality, the attachment is a compressed program that executes when the user attempts to open it. Once it executes, the worm attempts to delete all files on the user's C, D, E, and F drives and all files in the C:\windows\system folder that have a .sys, .vxd, .ocx, or .nls extension. The worm spreads by sending a copy of itself to everyone in the user's address book.
http://63.88.172.127/panda/index.cfm?fuseaction=virus&virusid=1149

* FAQ: WHAT ADVANTAGES DO OFFLINE BACKUPS AND IMAGE BACKUPS HAVE OVER ONLINE BACKUPS?
(contributed by John Savill, http://www.windows2000faq.com)

A. You can use any backup program--or even the Copy command--to reliably back up files that aren't in use. However, backing up files that are in use, such as system files, when your OS is in an online state can be complicated. Read what John Savill has to say about offline, image, and online backups!
http://www.windows2000faq.com/articles/index.cfm?articleid=24414

6. ==== NEW AND IMPROVED ====
(contributed by Carolyn Mascarenas, productsat_private)

* LEARN ABOUT WEB SECURITY, PRIVACY, AND COMMERCE
O'Reilly & Associates released "Web Security, Privacy & Commerce," by Simson Garfinkel and Gene Spafford, a reference book that covers Web security risks and the techniques and technologies that you can use to protect yourself against these risks. Topics include cryptography, passwords, digital signatures, biometrics, cookies, log files, spam, Web logs, the Secure Sockets Layer (SSL), digital payments, client-side signatures, pornography filtering, intellectual property, and legal concerns. The 756-page book costs $44.95. Contact O'Reilly at 800-998-9938.
http://www.oreilly.com

* RESTRICT FILE AND FOLDER ACCESS
CenturionSoft and SoftClan released SoftClan Security Suite, a security and auditing program that can provide Windows Me and Windows 9x systems with protection levels similar to those of Windows NT on NTFS. You can administer the software by using a transparent monitoring process that doesn't alter the system's operation or speed. The software restricts file and folder access to protect a system from intruders, accidents, and viruses. The software controls and audits each user's PC use, which is important for PCs that have multiple users. SoftClan Security Suite costs $39.95. Contact CenturionSoft or SoftClan at 202-293-5151.
http://www.centurionsoft.com

7. ==== HOT THREADS ====

* WINDOWS & .NET MAGAZINE ONLINE FORUMS
http://www.winnetmag.net/forums

Featured Thread: Anonymous Access
(One message in this thread)
Richard writes that every 2 hours, his PDC records hundreds of anonymous accesses in a 2- to 4-second period in the Security log. He reports that he has disabled anonymous access, but the log entries still appear. He's worried about the security implications. Can you help?
http://www.secadministrator.com/forums/thread.cfm?thread_id=100630

* HOWTO MAILING LIST
http://www.secadministrator.com/listserv/page_listserv.asp?s=howto

Featured Thread: How to Hide Dial-up Properties
(One message in this thread)
Tricia wants to know how to hide dial-up properties when users dial into a Windows NT server. She wants to hide all settings, including the number dialed, yet still let the user enter a username and password for authentication. Can you help?
http://www.secadministrator.com/listserv/page_listserv.asp?a2=ind0204a&l=howto&p=81

8. ==== CONTACT US ====
Here's how to reach us with your comments and questions:

* ABOUT IN FOCUS -- markat_private
* ABOUT THE NEWSLETTER IN GENERAL -- vpattersonat_private
  (please mention the newsletter name in the subject line)
* TECHNICAL QUESTIONS -- http://www.winnetmag.net/forums
* PRODUCT NEWS -- productsat_private
* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION?
  Customer Support -- securityupdateat_private
* WANT TO SPONSOR SECURITY UPDATE?
  emedia_oppsat_private

********************
This email newsletter is brought to you by Security Administrator, the print newsletter with independent, impartial advice for IT administrators securing a Windows 2000/Windows NT enterprise. Subscribe today!
http://www.secadministrator.com/sub.cfm?code=saei25xxup

Receive the latest information about the Windows and .NET topics of your choice. Subscribe to our other FREE email newsletters.
http://www.winnetmag.net/email

|-+-+-+-+-+-+-+-+-+-|

Thank you for reading Security UPDATE.

SUBSCRIBE
To subscribe, send a blank email to mailto:Security-UPDATE_Subat_private

- ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Thu Apr 04 2002 - 02:15:30 PST