********************
Windows & .NET Magazine Security UPDATE--brought to you by Security Administrator, a print newsletter bringing you practical, how-to articles about securing your Windows .NET Server, Windows 2000, and Windows NT systems.
http://www.secadministrator.com
********************

~~~~ THIS ISSUE SPONSORED BY ~~~~

Top 10 Windows and AD Security Threats
http://list.winnetmag.com/cgi-bin3/flo?y=eM480CJgSH0CBw032P0AO

VeriSign - The Value of Trust
http://list.winnetmag.com/cgi-bin3/flo?y=eM480CJgSH0CBw01bI0A2
(below IN FOCUS)
~~~~~~~~~~~~~~~~~~~~

~~~~ SPONSOR: TOP 10 WINDOWS AND AD SECURITY THREATS ~~~~
Do you know the 10 most widely exploited vulnerabilities in the Windows environment and what you can do about them? The same vulnerabilities get exploited again and again. In most cases they aren't new - but left open, they can wreak havoc throughout your organization. To find out how to protect your organization, download the FREE white paper, "Top 10 Security Threats for Windows 2000 and Active Directory." If nothing else, closing these Top 10 holes will go a long way to securing your network! Download the white paper at
http://list.winnetmag.com/cgi-bin3/flo?y=eM480CJgSH0CBw032P0AO
~~~~~~~~~~~~~~~~~~~~

August 14, 2002--In this issue:

1. IN FOCUS
   - Can Your Applications Jeopardize Your Security?

2. SECURITY RISKS
   - Multiple Vulnerabilities in Microsoft Content Management Server 2001

3. ANNOUNCEMENTS
   - Enter the Windows & .NET Magazine/Transcender Sweepstakes!
   - Do You Like the Kind of Content You're Finding in This Newsletter?

4. SECURITY ROUNDUP
   - News: SP3 for Win2K Now Available
   - Feature: Forcing Password Changes
   - Feature: Synchronizing Logins

5. HOT RELEASES
   - Spectracom's NetClock, for Secure Network Time
   - IBM E-business Scalability White Paper

6. SECURITY TOOLKIT
   - Virus Center
   - FAQ: What Administrative Permissions Do I Need to Upgrade a System from Windows 2000 to Windows .NET Server (Win.NET Server)?

7. NEW AND IMPROVED
   - Filter Objectionable Material from All Windows Applications
   - Enhance Enterprise VPN Performance
   - Submit Top Product Ideas

8. HOT THREADS
   - Windows & .NET Magazine Online Forums
   - Featured Thread: I've Been Hacked

9. CONTACT US
   See this section for a list of ways to contact us.

~~~~~~~~~~~~~~~~~~~~

1. ==== IN FOCUS ====
(contributed by Mark Joseph Edwards, News Editor, markat_private)

* CAN YOUR APPLICATIONS JEOPARDIZE YOUR SECURITY?

In last week's Security UPDATE Special Edition, I discussed Microsoft's plan to implement a hardware-level security system code-named Palladium. In the commentary, I quoted Chairman and Chief Software Architect Bill Gates' statement that it's "the growth of the Internet and the advent of massive computing systems built from loose affiliations of services, machines, communications networks and application software that have helped create the potential for increased vulnerabilities."
http://www.microsoft.com/mscorp/execmail/

Although Gates' statement seemed to pass the buck to some extent--without admitting in the same breath to his own company's shortcomings--another Microsoft executive let the cat out of the bag. In May, "eWeek" reported that a top Microsoft executive, Jim Allchin, admitted that parts of the company's software contained flaws so dangerous that making those sections of program code public could be a severe blow to Windows security. Both statements leave it to readers to discern that loose affiliations are the necessary nature of current computing--that is, unless we want to let a couple of companies dominate the industry.
http://www.eweek.com/article2/0,3959,5264,00.asp

To facilitate third-party application development, Windows allows considerable flexibility. When third parties develop applications, it's safe to say that they don't have nearly as much information about APIs as Microsoft does. The companies' limited knowledge leads to security-related problems.
However, even when Microsoft offers sound advice to third parties, the parties might incompletely register or only partially understand the information offered. Operational security contexts for system services and desktop applications offer a good case in point.

Last week, Chris Paget published a white paper that details how misused security contexts can lead directly to unauthorized elevation of user privileges. In many cases, users--even guest users--can elevate their privileges to those of the built-in System account, which, as you know, is all-powerful.

Paget describes the steps a user can take that lead to the System account security context. The process works as follows: A user first uses a simple program to obtain the window handle of an application that's operating under the Local System account. The user uses the handle to modify the application's window parameters so that the window will accept a large amount of text from the Windows clipboard. The user then uses the clipboard to paste command-shell code into the window and sends a message to the window that executes the code. After the code executes, the user has access to a command shell running under the Local System account from which the user can perform any desired action.

To use Paget's technique, the user must usually have either the ability to coax a user into running a malicious program or physical access to the user's computer. However, Paget said that he could use the technique to gain control over a remote Terminal Server system because the remote server drives those desktops.
http://security.tombom.co.uk/shatter.html

Before he published the white paper, Paget notified Microsoft about his findings and his intent to publish them. Microsoft's response (see the first URL below) noted that the company was aware of the circumstances that could cause the vulnerability and had offered advice that helps mitigate them. Microsoft had previously published an essay titled "The Ten Immutable Laws of Security" (see the second URL below), in which laws 1 and 3 offer modest advice for third-party developers, but only indirectly. Law 1 states, "If a bad guy can persuade you to run his program on your computer, it's not your computer anymore," and Law 3 states, "If a bad guy has unrestricted physical access to your computer, it's not your computer anymore."
http://security.tombom.co.uk/response.txt
http://www.microsoft.com/technet/columns/security/essays/10imlaws.asp

Although both laws state truths and apply to the techniques Paget outlines, they do little to inform developers about the extreme risks associated with running desktop applications and user services under the context of the System account. Unless developers fully realize the risks, they unnecessarily place systems in jeopardy.

Paget tested the process of privilege elevation that he describes by exploiting Network Associates' (formerly McAfee's) VirusScan 4.5.1, which opens windows on the desktop under the Local System account.

You can help mitigate the risk of such an exploit by "attacking" your own systems. From the Web page that contains Paget's white paper, you can link to a small application called Shatter, which obtains an application's window handles. You can use Shatter with Netcat, a hexadecimal editor, and a Windows debugging application (also linked in the white paper) to test various applications on your desktop to see whether you can gain elevated privileges.

If you succeed in elevating privileges, you can respond in one of three ways. You can ignore the fact that a given application jeopardizes your security. You can notify the vendor about the situation and insist that the vendor change the application's behavior. Or you can stop using that particular software altogether. You must police applications on your own systems--unless you want Palladium to do it for you.
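The commentary above recommends finding out which windows on your desktop belong to processes running as the System account. The following audit script is an added example written for this page (it is not from the newsletter, from Paget's white paper, or from Microsoft) and covers only that inventory step: it enumerates visible top-level windows through the Win32 EnumWindows API and resolves the account owning each window's process through WMI. It assumes Windows PowerShell 5.1 or later on the machine being audited, run from an elevated prompt so that other users' processes can be resolved.

```powershell
# Added audit script: lists visible top-level windows on the current desktop
# together with the account that owns the window's process, and flags the
# ones owned by SYSTEM. Those are the applications the newsletter says to
# report to the vendor or stop using.

Add-Type -TypeDefinition @"
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Text;
public static class WindowAudit {
    public delegate bool EnumWindowsProc(IntPtr hWnd, IntPtr lParam);
    [DllImport("user32.dll")] static extern bool EnumWindows(EnumWindowsProc cb, IntPtr lParam);
    [DllImport("user32.dll")] static extern bool IsWindowVisible(IntPtr hWnd);
    [DllImport("user32.dll")] static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint pid);
    [DllImport("user32.dll", CharSet = CharSet.Unicode)]
    static extern int GetWindowText(IntPtr hWnd, StringBuilder text, int max);
    // Returns one row (handle, pid, title) per visible top-level window.
    public static List<object[]> Visible() {
        var rows = new List<object[]>();
        EnumWindows((h, l) => {
            if (!IsWindowVisible(h)) return true;
            uint pid; GetWindowThreadProcessId(h, out pid);
            var sb = new StringBuilder(512); GetWindowText(h, sb, sb.Capacity);
            rows.Add(new object[] { h.ToInt64(), pid, sb.ToString() });
            return true;
        }, IntPtr.Zero);
        return rows;
    }
}
"@

# Map PID -> owning account. GetOwner returns a nonzero ReturnValue for
# processes the caller cannot open; such windows are reported too.
$owner = @{}
foreach ($p in Get-CimInstance -ClassName Win32_Process) {
    $o = Invoke-CimMethod -InputObject $p -MethodName GetOwner
    $acct = if ($o.ReturnValue -eq 0) { "$($o.Domain)\$($o.User)" } else { '<not resolvable>' }
    $owner[[uint32]$p.ProcessId] = $acct
}

$rows = foreach ($w in [WindowAudit]::Visible()) {
    $procId = [uint32]$w[1]
    [pscustomobject]@{
        Handle  = '0x{0:X}' -f $w[0]
        PID     = $procId
        Process = (Get-Process -Id $procId -ErrorAction SilentlyContinue).ProcessName
        Owner   = $owner[$procId]
        Title   = $w[2]
    }
}

# Windows owned by SYSTEM, or whose owner could not be resolved, need review.
$rows | Where-Object { $_.Owner -eq 'NT AUTHORITY\SYSTEM' -or $_.Owner -eq '<not resolvable>' } |
    Sort-Object PID | Format-Table -AutoSize
```

On Windows Vista and later, services run in session 0 and do not draw on the interactive desktop, so the filtered list is normally empty; any entry that does appear is a candidate for the vendor conversation the article describes.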
~~~~~~~~~~~~~~~~~~~~

~~~~ SPONSOR: VERISIGN - THE VALUE OF TRUST ~~~~
FREE E-COMMERCE SECURITY GUIDE
Is your e-business built on a strong, secure foundation? Find out with VeriSign's FREE White Paper, "Building an E-Commerce Trust Infrastructure." Learn how to authenticate your site to customers, secure your web servers with 128-Bit SSL encryption, and accept secure payments online. Click here:
http://list.winnetmag.com/cgi-bin3/flo?y=eM480CJgSH0CBw01bI0A2
~~~~~~~~~~~~~~~~~~~~

2. ==== SECURITY RISKS ====
(contributed by Ken Pfeil, kenat_private)

* MULTIPLE VULNERABILITIES IN MICROSOFT CONTENT MANAGEMENT SERVER 2001

Joao Gouveia discovered three new vulnerabilities in Microsoft Content Management Server 2001, the most serious of which could give a potential attacker full control over the vulnerable server. These three vulnerabilities consist of a buffer overrun in a low-level function that performs user authentication, a SQL injection vulnerability, and two flaws that affect a function that lets a user upload files to the server. Microsoft has released Microsoft Security Bulletin MS02-041 (Unchecked Buffer in Content Management Server Could Enable Server Compromise) to address these vulnerabilities and recommends that affected users download and apply the appropriate patch mentioned in the security bulletin.
http://www.secadministrator.com/articles/index.cfm?articleid=26212

3. ==== ANNOUNCEMENTS ====
(brought to you by Windows & .NET Magazine and its partners)

* ENTER THE WINDOWS & .NET MAGAZINE/TRANSCENDER SWEEPSTAKES!

Nothing can help you prepare for certification like Transcender products, and no one can help you master your job like Windows & .NET Magazine. Enter our combined sweepstakes contest, and you could win a Transcender Deluxe MCSE Select Pak (a $729 value) or one of several other great prizes. Sign up today!
http://list.winnetmag.com/cgi-bin3/flo?y=eM480CJgSH0CBw028j0At

* DO YOU LIKE THE KIND OF CONTENT YOU'RE FINDING IN THIS NEWSLETTER?

If so, we have more than a dozen email newsletters just as informative as this one on the topics you care about most. From Windows 2000/NT to security to storage, our technical authors cut to the chase about what's going on in the industry so that you can stay informed in less than 5 minutes a day! Subscribe at no charge.
http://list.winnetmag.com/cgi-bin3/flo?y=eM480CJgSH0CBw0rvS0Ac

4. ==== SECURITY ROUNDUP ====

* NEWS: SP3 FOR WIN2K NOW AVAILABLE

On July 30, Microsoft released Service Pack 3 (SP3) for Windows 2000. Users should consider loading the new service pack for a variety of reasons, including the fact that the new service pack contains all the fixes presented in the Win2K Security Rollup Package 1 (SRP1). But that's not all. The new service pack also contains other security-related modifications for Win2K systems, so be sure to read the news story on our Web site to learn the details.
http://www.wininformant.com/articles/index.cfm?articleid=26219

* FEATURE: FORCING PASSWORD CHANGES

Do you subscribe to our Windows Client UPDATE newsletter? If not, you missed some interesting commentary. Last week, David Chernicoff discussed network problems that a systems administrator encountered after a quarterly security audit. During the audit process, users' passwords were changed and unpredictable behavior set in regarding access to file shares and Encrypting File System (EFS)-encrypted files. Visit our Web site and read about the circumstances. You might find yourself in a similar situation.
http://www.secadministrator.com/articles/index.cfm?articleid=26210

* FEATURE: SYNCHRONIZING LOGINS

In our most recent Reader Challenge, a reader posed a problem about the task of synchronizing logins across multiple Microsoft SQL Server machines as follows: Ray's company runs SQL Server 7.0 on its production servers and SQL Server 2000 on its staging servers. Ray needs to build a script that can synchronize logins between the production and staging servers (i.e., add missing logins from the production servers to the staging servers). Synchronized logins will let him create an identical environment for testing application upgrades, SQL Server, and the OS on a different server. When a staging server is configured identically to a production server and holds the same data, he can also test service pack upgrades on the staging server. Then, after the upgrade is finished, he can switch the server roles. The production servers are configured for mixed authentication, which means that users can connect to a SQL Server instance by using either Windows authentication or SQL Server authentication. Visit our Web site to see how the challenge winner helped Ray write a script that can synchronize the logins between the servers while preserving all login properties.
http://www.secadministrator.com/articles/index.cfm?articleid=25710

5. ==== HOT RELEASES ====

* SPECTRACOM'S NETCLOCK, FOR SECURE NETWORK TIME

Does your network depend on a Time Source that's outside your Firewall? Doesn't your network need an accurate clock source? Think "Time" is FREE over the Internet? Spectracom's NetClock/NTP and White-Paper can help you.
http://list.winnetmag.com/cgi-bin3/flo?y=eM480CJgSH0CBw02fG0A5
http://list.winnetmag.com/cgi-bin3/flo?y=eM480CJgSH0CBw02fF0A4

* IBM E-BUSINESS SCALABILITY WHITE PAPER

Learn real-world techniques for meeting the scalability demands of your e-business. The IBM white paper, "Design for Scalability," includes information that can help you meet changing usage demands. Get your complimentary copy at
http://www.ibm.com/e-business/playtowin/n177

6. ==== SECURITY TOOLKIT ====

* VIRUS CENTER

Panda Software and the Windows & .NET Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security.
http://www.secadministrator.com/panda

* FAQ: WHAT ADMINISTRATIVE PERMISSIONS DO I NEED TO UPGRADE A SYSTEM FROM WINDOWS 2000 TO WINDOWS .NET SERVER (WIN.NET SERVER)?
(contributed by John Savill, http://www.windows2000faq.com)

A. The permissions required to upgrade a server from Win2K to Win.NET Server vary depending on the server, its position in the forest, and which domain users use to log on to the network. For all upgrades, you need the ability to

1. back up files and directories
2. modify firmware environment values
3. restore files and directories
4. shut down the system

The tables listed on our FAQ site at the URL below show which administrative roles have access to domain controllers (DCs) and member servers, depending on whether the administrator is logged on to a root domain or a nonroot domain.
http://www.secadministrator.com/articles/index.cfm?articleid=26082

7. ==== NEW AND IMPROVED ====
(contributed by Judy Drennen, productsat_private)

* FILTER OBJECTIONABLE MATERIAL FROM ALL WINDOWS APPLICATIONS

Security Software Systems released Cyber Sentinel, software that filters objectionable material from all Windows applications--including Microsoft Word, Microsoft Excel, email, attachments, instant messages, and chats--not just from the Internet. Cyber Sentinel delivers reports so that you can see where your problems lie and who's causing the violations. The software costs $49 for up to 25 users. Contact Security Software Systems at 630-466-1038 or infoat_private
http://www.securitysoft.com

* ENHANCE ENTERPRISE VPN PERFORMANCE

WatchGuard Technologies announced the RapidStream "Secured by Check Point" line of high-performance security appliances, targeted at the Global 1000 and large enterprise market. The RapidStream line, which includes RapidStream 11000, RapidStream 8100, RapidStream 6100, and RapidStream 2100 models, is designed to address VPN performance, scalability, and flexibility in a Check Point appliance solution. Pricing starts at $5000 for the RapidStream 2100, which supports up to 400 IP Security (IPSec) tunnels and 8000 concurrent sessions. Contact WatchGuard at 206-521-8340.
http://www.rapidstream.com

* SUBMIT TOP PRODUCT IDEAS

Have you used a product that changed your IT experience by saving you time or easing your daily burden? Do you know of a terrific product that others should know about? Tell us! We want to write about the product in a future What's Hot column. Send your product suggestions to whatshotat_private

8. ==== HOT THREADS ====

* WINDOWS & .NET MAGAZINE ONLINE FORUMS
http://www.winnetmag.com/forums

Featured Thread: I've Been Hacked
(10 messages in this thread)

Bruce writes that a few days ago he noticed a new icon in the system tray of one of his Windows 2000 servers. The icon was for slave.exe from Remote-Anything. He also found remnants of Serv-U installed. Neither had been installed locally. He has uninstalled slave.exe and is still trying to find a way to safely uninstall Serv-U. He wants to know whether any available software monitors who's connected to which ports. Also, should he report the offender to his ISP (his ISP is in Israel; Bruce is in Canada)? Read the responses or lend a hand at:
http://www.secadministrator.com/forums/thread.cfm?thread_id=111167

9. ==== CONTACT US ====
Here's how to reach us with your comments and questions:

* ABOUT IN FOCUS -- markat_private
* ABOUT THE NEWSLETTER IN GENERAL -- vpattersonat_private (please mention the newsletter name in the subject line)
* TECHNICAL QUESTIONS -- http://www.winnetmag.com/forums
* PRODUCT NEWS -- productsat_private
* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer Support -- securityupdateat_private
* WANT TO SPONSOR SECURITY UPDATE? emedia_oppsat_private

********************
This email newsletter is brought to you by Security Administrator, the print newsletter with independent, impartial advice for IT administrators securing a Windows 2000/Windows NT enterprise. Subscribe today!
http://www.secadministrator.com/sub.cfm?code=saei25xxup

Receive the latest information about the Windows and .NET topics of your choice. Subscribe to our other FREE email newsletters.
http://list.winnetmag.com/cgi-bin3/flo?y=eM480CJgSH0CBw0rvS0Ac

|-+-|-+-|-+-|-+-|-+-|

Thank you for reading Security UPDATE.

MANAGE YOUR ACCOUNT
You can manage your entire Windows & .NET Magazine Network email newsletter account on our Web site. Simply log on and you can change your email address, update your profile information, and subscribe or unsubscribe to any of our email newsletters all in one place.
http://list.winnetmag.com/cgi-bin3/flo?y=eM480CJgSH0CBw0rvS0Ac
Thank you!

- ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Thu Aug 15 2002 - 07:32:14 PDT