********************
Windows & .NET Magazine Security UPDATE--brought to you by Security Administrator, a print newsletter bringing you practical, how-to articles about securing your Windows .NET Server, Windows 2000, and Windows NT systems.
http://www.secadministrator.com
********************

~~~~ THIS ISSUE SPONSORED BY ~~~~

FREE Security Assessment Tool!
http://list.winnetmag.com/cgi-bin3/flo?y=eOR10CJgSH0CBw06GA0Aw

Tips & Tricks Web Summit
http://list.winnetmag.com/cgi-bin3/flo?y=eOR10CJgSH0CBw05nz0AX
(below IN FOCUS)
~~~~~~~~~~~~~~~~~~~~

~~~~ SPONSOR: FREE SECURITY ASSESSMENT TOOL! ~~~~
Do you comply with industry security regulations or corporate security policies? Download the FREE Aelita InTrust(tm) Audit Advisor to identify systems that are not compliant with industry standard security policies, such as those published by SANS and the NSA, or your company specific policies. Then check out Aelita InTrust to consolidate IT audit data and produce compliance reports for industry regulations and policies. Download your FREE tool today!
http://list.winnetmag.com/cgi-bin3/flo?y=eOR10CJgSH0CBw06GA0Aw
~~~~~~~~~~~~~~~~~~~~

November 13, 2002--In this issue:

1. IN FOCUS
   - Security Assertion Markup Language

2. SECURITY RISKS
   - Buffer-Overrun Vulnerability in Oracle iSQL
   - DoS in Microsoft Windows XP and Win2K PPTP
   - Multiple Vulnerabilities in Microsoft IIS 5.1, 5.0, and 4.0

3. ANNOUNCEMENTS
   - How Can You Reclaim 30% to 50% of Windows Server Space?
   - Give Us Your Feedback and Be Entered to Win a Digital Camera

4. SECURITY ROUNDUP
   - News: Common Criteria Configuration Guides for Win2K
   - Feature: EventComb: It's Free; It's Essential; Get It!
   - Fire & Water Toolkit Beta Available

5. HOT RELEASES (ADVERTISEMENTS)
   - Focus your IT resources
   - Test Your Web Applications for Security Flaws!

6. INSTANT POLL
   - Results of Previous Poll: Reading the EULA
   - New Instant Poll: Using SAML

7. SECURITY TOOLKIT
   - Virus Center
   - FAQ: How Can I Clear My Customized Folder Settings in Windows XP?

8. NEW AND IMPROVED
   - User-Friendly Finger Image Reader
   - Security Solution for Network Clients and Remote Users
   - Submit Top Product Ideas

9. HOT THREADS
   - Windows & .NET Magazine Online Forums
   - Featured Thread: Securing Servers Under Insecure Conditions
   - HowTo Mailing List
   - Featured Thread: Promoting a DC

10. CONTACT US
   See this section for a list of ways to contact us.

~~~~~~~~~~~~~~~~~~~~

1. ==== IN FOCUS ====
(contributed by Mark Joseph Edwards, News Editor, markat_private)

* SECURITY ASSERTION MARKUP LANGUAGE

Last week, the Organization for the Advancement of Structured Information Standards (OASIS) approved the new Security Assertion Markup Language (SAML), which has been in development for some time. SAML defines an XML format for assertions about a subject (that the subject authenticated, what attributes the subject has, and whether the subject is authorized to access a resource) and a request/response protocol for exchanging those assertions, so that Web sites run by different organizations can trust one another's authentication and authorization decisions. That interoperability is what will help create federated networks.
http://www.oasis-open.org/committees/security

In April 2002, Microsoft, IBM, and VeriSign announced Web Services Security (WS-Security), and in the June 12, 2002, Security UPDATE commentary, I discussed WS-Security to some extent (see the first URL below). The specification will support many types of credential information, including Kerberos, public key infrastructure (PKI), Extensible Rights Markup Language (XrML), SAML, and Secure Sockets Layer (SSL)/Transport Layer Security (TLS). Sun Microsystems also announced Liberty Alliance, its effort to help develop federated network technology.
http://www.secadministrator.com/articles/index.cfm?articleid=25593
http://www.ws-i.org

According to James Kobielus, senior analyst at Burton Group, "SAML 1.0 supports secure interchange of authentication and authorization information by leveraging the core Web services standards of Extensible Markup Language (XML), Simple Object Access Protocol (SOAP), and Transport Layer Security (TLS). Most vendors of Web access management solutions have committed to SAML 1.0 and are currently implementing the specification in their products."
http://www.oasis-open.org/news/oasis_news_11_06_02.shtml

Joe Pato of Hewlett-Packard (HP), co-chair of the OASIS Security Services Technical Committee, said that a major SAML design goal was single sign-on (SSO) capabilities, which would let users authenticate in one domain and access resources in another domain. SAML 1.0 includes that capability. In addition, according to Pato, "Several profiles of SAML are currently being defined that support different styles of SSO and the securing of SOAP payloads."

If you're completely unfamiliar with WS-Security, read Christa Anderson's summary of the technology, which helps explain what it is and what it can do. You'll find her article, "WS-Security Sets Standard for Web Services Transactions," at the URL below.
http://www.secadministrator.com/articles/index.cfm?articleid=24401

If you're a Web developer or you administer Web server security, you might be interested in reading about SAML assertions and protocols. The document you'll find at the first URL below outlines the syntax and semantics. Another specification document can help you obtain a better understanding of how SAML works with WS-Security. That document (see the second URL below) describes how to carry SAML assertions in WS-Security headers so that the assertions arrive with the SOAP message they authorize.
http://www.oasis-open.org/committees/security/docs/cs-sstc-core-01.pdf
http://www.oasis-open.org/committees/security/docs/draft-sstc-ws-sec-profile-04.pdf

But there's a catch regarding Microsoft's implementation of SAML. In July, "Network World Fusion" (see the first URL below) reported that Microsoft is implementing SAML 1.0, but only to a limited extent. In the article, Kobielus said, "[Microsoft is] not implementing the full suite of SAML assertions and profiles the way others are ... At some point you have to ask what is the purpose, if Microsoft is going to do it their own way." The article points out that Microsoft used the same tactic when the company implemented Kerberos in Windows 2000. To learn more about how Microsoft implements SAML, be sure to read the related Microsoft document, "WS-Security Profile for XML-based Tokens," on the Microsoft Web site (see the second URL below).
http://www.nwfusion.com/news/2002/0716msla.html
http://msdn.microsoft.com/library/en-us/dnglobspec/html/ws-security-xml-tokens.asp

According to OASIS, Baltimore Technologies, BEA Systems, Computer Associates (CA), Entrust, HP, Hitachi, IBM, Netegrity, Oblix, OpenNetwork, Quadrasis, RSA Security, Sun, VeriSign, and other members of the OASIS Security Services Technical Committee developed the SAML OASIS Open Standard. Many vendors support SAML, and some of you might have begun using the technology before its official approval. Please participate in our Instant Poll this week and tell us whether you use SAML or some other credential technology for your Web applications.

~~~~~~~~~~~~~~~~~~~~

~~~~ SPONSOR: TIPS & TRICKS WEB SUMMIT ~~~~
ATTEND OUR FREE TIPS & TRICKS WEB SUMMIT
Join us on December 19th for our Tips & Tricks Web Summit featuring three eye-opening events: Disaster Recovery Tips & Tricks, Intrusion Detection: Win2K Security Log Secrets, and Merging Exchange Systems: Tips for Managing 5 Key Challenges. There is no charge for this event, but space is limited so register today!
http://list.winnetmag.com/cgi-bin3/flo?y=eOR10CJgSH0CBw05nz0AX
~~~~~~~~~~~~~~~~~~~~

2. ==== SECURITY RISKS ====
(contributed by Ken Pfeil, kenat_private)

* BUFFER-OVERRUN VULNERABILITY IN ORACLE ISQL
A vulnerability exists in Oracle's iSQL*Plus Web-based application that lets an attacker compromise the vulnerable system and obtain system-level access. This vulnerability stems from a buffer-overflow condition in the iSQL application.
The vendor, Oracle, has released Security Alert #46 to address this vulnerability and recommends that affected users apply the appropriate patch mentioned in Oracle's alert.
http://www.secadministrator.com/articles/index.cfm?articleid=27240

* DoS IN MICROSOFT WINDOWS XP AND WIN2K PPTP
A Denial of Service (DoS) vulnerability exists in Windows XP and Windows 2000 PPTP. This DoS vulnerability results from an unchecked buffer in a section of code that processes the control data used to establish, maintain, and tear down PPTP connections. The vendor, Microsoft, has released Security Bulletin MS02-063 (Unchecked Buffer in PPTP Implementation Could Enable Denial of Service Attacks) to address this vulnerability and recommends that affected users apply the appropriate patch mentioned in the bulletin. Only systems on which PPTP is enabled are affected, and because the flaw is in control-channel handling, filtering TCP port 1723 (the PPTP control connection) at the perimeter protects systems that don't need to accept PPTP from the Internet until you can patch.
http://www.secadministrator.com/articles/index.cfm?articleid=27227

* MULTIPLE VULNERABILITIES IN MICROSOFT IIS 5.1, 5.0, AND 4.0
Four new vulnerabilities exist in Microsoft IIS. The most serious problem lets an attacker escalate privileges. Another problem results in a Denial of Service (DoS) condition on the vulnerable server. The vendor, Microsoft, has released Security Bulletin MS02-062 (Cumulative Patch for Internet Information Service) to address these vulnerabilities and recommends that affected users apply the appropriate patch mentioned in the bulletin. The patch is cumulative: it includes the fixes from all previously released IIS security patches for these versions.
http://www.secadministrator.com/articles/index.cfm?articleid=27228

3. ==== ANNOUNCEMENTS ====
(brought to you by Windows & .NET Magazine and its partners)

* HOW CAN YOU RECLAIM 30% TO 50% OF WINDOWS SERVER SPACE?
Attend our newest Web seminar, brought to you by Windows & .NET Magazine and Precise SRM, and discover the secrets. Steven Toole will also advise you on how to reduce storage growth and backups by 30% and how to reduce storage administration by 25% or more. Space is limited for this important Web event, so register today!
http://list.winnetmag.com/cgi-bin3/flo?y=eOR10CJgSH0CBw06A10Aa

* GIVE US YOUR FEEDBACK AND BE ENTERED TO WIN A DIGITAL CAMERA
Internet filtering is becoming a financial and legal concern for companies of all sizes. Complete our brief survey about the topic and you could win a digital camera. Click here!
http://list.winnetmag.com/cgi-bin3/flo?y=eOR10CJgSH0CBw05zl0AV

4. ==== SECURITY ROUNDUP ====

* NEWS: COMMON CRITERIA CONFIGURATION GUIDES FOR WIN2K
In conjunction with the announcement that Windows 2000 received Common Criteria Evaluation Assurance Level 4 (EAL4) certification, the highest level at which general-purpose commercial operating systems were being evaluated, Microsoft released two new guides, the "Common Criteria Evaluated Configuration User's Guide" and the "Common Criteria Evaluated Configuration Administrator's Guide," which help people configure the OS securely. Keep in mind that the certification applies only to the evaluated configuration those guides describe; a Win2K system configured differently can't claim it.
http://www.secadministrator.com/articles/index.cfm?articleid=27178

* FEATURE: EVENTCOMB: IT'S FREE; IT'S ESSENTIAL; GET IT!
EventComb is a new free tool from Microsoft that lets you search the event logs of one or many Windows systems for specific event IDs, sources, or text. EventComb is part of a Microsoft document called "Security Operations Guide for Windows 2000 Server." To obtain EventComb, you need to go to Microsoft's Web site (the URL is linked in this article) and download secops.exe. When you run secops.exe, the program creates a folder called SecurityOps. Within SecurityOps is a folder named EventComb, which contains a compiled HTML Help file and the EventComb program.
http://www.secadministrator.com/articles/index.cfm?articleid=27132

* NEWS: FIRE & WATER TOOLKIT BETA AVAILABLE
NTObjectives (NTO) announced that its new Fire & Water Toolkit is now available for public beta. The toolkit is an assessment and defense tool that you can use on local and remote networks. NTO said, "Fire & Water is a collection of cohesive, interactive command-line tools that perform network discovery, mapping, assessment, and reporting, as well as robust Web server defense." Because the tools pass results between one another as XML, Fire & Water can manage multiple scans and their output and report to standard output, to Comma Separated Value (CSV) files, to HTML (generated from the Extensible Stylesheet Language (XSL) templates supplied with the tools), or to custom report formats.
http://www.secadministrator.com/articles/index.cfm?articleid=27273

5. ==== HOT RELEASES (ADVERTISEMENTS) ====

* FOCUS YOUR IT RESOURCES
Learn how better infrastructure management practices can speed the integration of e-business enterprises, while providing assurance of continuous availability, flexibility and scalability. Get the IBM white paper, "Infrastructure Resource Management: A Holistic Approach," at
http://www.ibm.com/e-business/playtowin/n339

* TEST YOUR WEB APPLICATIONS FOR SECURITY FLAWS!
ALERT! "Outsmart Web Application Attackers" 75% of today's successful hacks involve Web Application attacks such as SQL Injection and Cross-Site Scripting. All undetectable by Firewalls and IDS! FREE 15 Day Product Trial which delivers a Comprehensive Vulnerability Report
http://list.winnetmag.com/cgi-bin3/flo?y=eOR10CJgSH0CBw06GB0Ax

6. ==== INSTANT POLL ====

* RESULTS OF PREVIOUS POLL: READING THE EULA
The voting has closed in Windows & .NET Magazine's Security Administrator Channel nonscientific Instant Poll for the question, "Do you read the End User License Agreement (EULA) before you install new software?" Here are the results (+/- 2 percent) from the 540 votes:
- 3% Always
- 19% Sometimes
- 31% Rarely
- 46% Never

* NEW INSTANT POLL: USING SAML
The next Instant Poll question is, "Do you use Security Assertion Markup Language (SAML) for security in your Web applications?" Go to the Security Administrator Channel home page and submit your vote for a) Yes, b) No, c) Not yet, but we will, d) No--We use Extensible Rights Markup Language (XrML), and e) No--We use other security technology.
http://www.secadministrator.com

7. ==== SECURITY TOOLKIT ====

* VIRUS CENTER
Panda Software and the Windows & .NET Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security.
http://www.secadministrator.com/panda

* FAQ: HOW CAN I CLEAR MY CUSTOMIZED FOLDER SETTINGS IN WINDOWS XP?
(contributed by John Savill, http://www.windows2000faq.com)

A. To clear any customized folder settings, perform the following steps:
1. Start a registry editor (e.g., regedit.exe).
2. Navigate to the HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell registry subkey.
3. Delete the Bags and BagMRU subkeys.
4. Navigate to the HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam registry subkey.
5. Delete the Bags and BagMRU subkeys.
6. Close the registry editor, then reboot the machine for the changes to take effect.
Note that the Bags and BagMRU subkeys also record which folders the user has opened in Windows Explorer, so deleting them erases that history; export the subkeys to a .reg file first if you might need it later.

8. ==== NEW AND IMPROVED ====
(contributed by Judy Drennen, productsat_private)

* USER-FRIENDLY FINGER IMAGE READER
Biometric Access Corporation (BAC) announced a USB model of the SecureTouch PC, the company's latest computer/network control product. The USB model PC replaces its predecessor, the SecureTouch 2000. The product secures employee workstations, protects patient health records, grants access to transaction-authorization codes, clocks in/out on time and attendance applications, and enables manager override approvals on point-of-sale systems. SecureTouch PC runs on Windows XP, Windows 2000, Windows NT, Windows Me, and Windows 9x. Contact BAC for pricing information at 800-873-4133 or go to the Web site for more information.
http://www.biometricaccess.com

* SECURITY SOLUTION FOR NETWORK CLIENTS AND REMOTE USERS
Symantec announced Symantec Client Security, an integrated security solution for network clients and remote users. Symantec Client Security integrates antivirus, personal firewall, and intrusion-detection technologies to protect desktops against today's blended threats. To reduce administration time, administrators can deploy Symantec Client Security by using one of three prepackaged installations: full installation, lightly managed, and thin client (the smallest possible footprint without sacrificing protection). For pricing information, contact Symantec at 408-517-8000.
http://www.symantec.com

* SUBMIT TOP PRODUCT IDEAS
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Do you know of a terrific product that others should know about? Tell us! We want to write about the product in a future What's Hot column. Send your product suggestions to whatshotat_private

9. ==== HOT THREADS ====

* WINDOWS & .NET MAGAZINE ONLINE FORUMS
http://www.winnetmag.com/forums

Featured Thread: Securing Servers Under Insecure Conditions
(Eight messages in this thread)
A user writes that he has a client who has servers located in facilities without locked rooms. Some of the servers run Windows NT 4.0 and some run Windows 2000. He wonders how to secure servers at these sites when he can't physically lock the server in a room. Read the responses or lend a hand at the following URL:
http://www.winnetmag.com/forums/messageview.cfm?catid=42&threadid=49147

* HOWTO MAILING LIST
http://184.108.40.206/listserv/page_listserv.asp?a0=howto

Featured Thread: Promoting a DC
(Nine messages in this thread)
A user writes that he has two Windows 2000 servers. One of them is the PDC and the other is a BDC. The PDC suffered a hard drive error. He wonders how to promote the BDC to take the PDC's place. Because there are no PDCs or BDCs in Win2K, you'll want to read what other users have said or lend a hand at the following URL:
http://220.127.116.11/listserv/page_listserv.asp?A2=IND0211A&L=HOWTO&P=1861

10. ==== CONTACT US ====
Here's how to reach us with your comments and questions:

* ABOUT IN FOCUS -- markat_private
* ABOUT THE NEWSLETTER IN GENERAL -- lettersat_private (please mention the newsletter name in the subject line)
* TECHNICAL QUESTIONS -- http://www.winnetmag.com/forums
* PRODUCT NEWS -- productsat_private
* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer Support -- securityupdateat_private
* WANT TO SPONSOR SECURITY UPDATE? emedia_oppsat_private

********************
This email newsletter is brought to you by Security Administrator, the print newsletter with independent, impartial advice for IT administrators securing a Windows 2000/Windows NT enterprise. Subscribe today!
http://www.secadministrator.com/sub.cfm?code=saei25xxup

Receive the latest information about the Windows and .NET topics of your choice. Subscribe to our other FREE email newsletters.
http://www.winnetmag.com/email

|-+-|-+-|-+-|-+-|-+-|

Thank you for reading Security UPDATE.

MANAGE YOUR ACCOUNT
You can manage your entire Windows & .NET Magazine Network email newsletter account on our Web site. Simply log on and you can change your email address, update your profile information, and subscribe or unsubscribe to any of our email newsletters all in one place.
http://www.winnetmag.com/email

Thank you!

- ISN is currently hosted by Attrition.org
This archive was generated by hypermail 2b30 : Thu Nov 14 2002 - 02:37:13 PST