********************
Windows & .NET Magazine Security UPDATE--brought to you by Security Administrator, a print newsletter bringing you practical, how-to articles about securing your Windows .NET Server, Windows 2000, and Windows NT systems.
http://www.secadministrator.com
********************

~~~~ THIS ISSUE SPONSORED BY ~~~~

Massive Workstation Security Hole...Ignored!
http://list.winnetmag.com/cgi-bin3/flo?y=eO4O0CJgSH0CBw07DQ0AC

Windows & .NET Magazine - Exclusive Rate
http://list.winnetmag.com/cgi-bin3/flo?y=eO4O0CJgSH0CBw07CT0AE
(below IN FOCUS)
~~~~~~~~~~~~~~~~~~~~

~~~~ SPONSOR: MASSIVE WORKSTATION SECURITY HOLE...IGNORED! ~~~~
In just a few minutes any of your domain users could become the administrator of ALL your machines without your knowledge. A quick search of Google.com for password crackers is all it takes. There is a solution. Download our guide to plugging the DISTRIBUTED CREDENTIALS FLAW in Windows.
http://list.winnetmag.com/cgi-bin3/flo?y=eO4O0CJgSH0CBw07DQ0AC
~~~~~~~~~~~~~~~~~~~~

January 1, 2003--In this issue:

1. IN FOCUS
   - It's a Great Time to Check Your Security

2. SECURITY RISKS
   - Privilege Escalation in Microsoft WM_TIMER
   - Vulnerability in Microsoft SMB
   - Multiple Vulnerabilities in Microsoft VM

3. ANNOUNCEMENTS
   - The Microsoft Mobility Tour Is Coming Soon to a City Near You!
   - Get the New Windows & .NET Magazine Network Super CD/VIP!

4. SECURITY ROUNDUP
   - Feature: Security and Parameterization
   - Feature: CA Basics

5. SECURITY TOOLKIT
   - Virus Center
   - FAQ: How Can I Configure Microsoft's Secure Desktop Restriction Setting in Windows 2000 Service Pack 1 (SP1) and Later?

6. NEW AND IMPROVED
   - Maintenance-Free Spam Protection
   - Easily Set Up Remote Site Firewalls
   - Submit Top Product Ideas

7. HOT THREAD
   - Windows & .NET Magazine Online Forums
   - Featured Thread: Bypassing Proxy Servers

8. CONTACT US
   See this section for a list of ways to contact us.

~~~~~~~~~~~~~~~~~~~~

1.
==== IN FOCUS ====
(contributed by Mark Joseph Edwards, News Editor, markat_private)

* IT'S A GREAT TIME TO CHECK YOUR SECURITY

It's 2003, and you might want to start the new year by checking the security of all your systems. Toward that effort, I've located several security checklists to assist you. The checklists cover Windows XP; Windows 2000; Windows NT; Microsoft IIS, SQL Server, Exchange Server, and Internet Explorer (IE); various UNIX systems; and Apache. Keep in mind that these are just a few of the many checklists available. To find more, use your favorite search engine.

- Windows XP
LabMice.net hosts a "Windows XP Security Checklist." The checklist is divided into three categories: basic, intermediate, and advanced. The items covered include user accounts, groups, passwords, hardware, ports, shares, risky subsystems, and risky features.
http://www.labmice.net/articles/winxpsecuritychecklist.htm

Microsoft also provides a security checklist for XP Home Edition and XP Professional. According to the related TechNet Web page, the checklists "outline the steps you should take to reach a baseline of security with Windows XP Home Edition and Windows XP Professional computers, either on their own or as part of a Windows NT or Windows 2000 domain." The checklists cover such matters as shares, policies, and accounts and passwords.
http://www.microsoft.com/technet/security/tools/chklist/xpcl.asp

- Win2K
LabMice.net also hosts the "Windows 2000 Security Checklist," which offers the same thorough coverage as the LabMice.net XP checklist.
http://www.labmice.net/articles/securingwin2000.htm

Microsoft also provides checklists for Win2K Professional and Win2K Server. The comprehensive lists are on the TechNet Web site.
http://www.microsoft.com/technet/security/tools/chklist/w2kprocl.asp
http://www.microsoft.com/technet/security/tools/chklist/w2ksvrcl.asp

- NT
If you have NT systems on your network, check out the NT security checklist that Windows IT Library hosts. Originally compiled by Rob Davis with the help of several others, the checklist includes information from Microsoft's Web site. The list addresses such concerns as protecting files and directories, NetBIOS, dangerous services, passwords and hashes, registry entries, resource sharing, auditing, caching, and memory paging.
http://www.windowsitlibrary.com/content/121/18/toc.html

- IIS
Microsoft offers the Internet Information Server (IIS) 4.0 Baseline Security Checklist, which helps you better secure the popular Web server. The list discusses installing the minimum Internet services required, setting appropriate authentication methods, setting appropriate virtual directory permissions and partitioning Web application space, setting appropriate IIS log file ACLs, enabling logging, setting up Secure Sockets Layer (SSL), disabling or removing all sample applications, removing the IISADMPWD virtual directory, removing unused script mappings, and disabling Remote Data Services (RDS) support (see the first URL below). Microsoft also provides a Web-based checklist form that helps you keep track of which configuration actions you've taken on a Web server. You'll find the form, which contains hotlinks that describe each item listed, at the second URL below. The company also provides a lockdown tool for IIS, which you'll find at the third URL below. Finally, you'll find a useful checklist for Internet Information Services (IIS) 5.0 at the fourth URL below.
http://www.microsoft.com/technet/security/tools/chklist/iis4cl.asp
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/chklist/iischk.asp
http://www.microsoft.com/technet/security/tools/tools/locktool.asp
http://www.microsoft.com/technet/security/tools/chklist/iis5cl.asp

- SQL Server
SQLSecurity.com provides the "SQL Server Security Checklist" to help you secure SQL Server installations. The extensive list covers such matters as service packs, protocols, user accounts, dropping dangerous procedures, deleting stored procedures, logging, alerts, groups and roles, and user logins.
http://www.sqlsecurity.com/checklist.asp

- Exchange Server
The IMIBO Web site discusses Exchange Server security and offers sample code that shows you how Microsoft handles security inside the server. The site's information addresses subjects such as logons, directory objects, security descriptors, modifying access, and public folder access control.
http://www.imidev.galaxite.net/exc/security/contents.htm

DevX provides "Eight Tips to Secure Exchange." The tips cover areas such as ports, underlying OS services, server location, passwords, using communities, dial-up access, and administrative rights.
http://archive.devx.com/upload/free/features/exchange/2000/10oct00/jh0010/jh0010.asp

You can find additional information about Exchange Server and Outlook security at Slipstick Systems. At the Slipstick Web site, search on the term "security."
http://www.slipstick.com

- Microsoft IE
Microsoft provides a rudimentary Web page that explains IE security. The page includes settings for SSL and security zones. The most important thing to remember about IE security is to keep current with the many available patches.
http://www.microsoft.com/technet/security/tools/chklist/iecl.asp

- More Microsoft Security Tools and Checklists
For more complete access to Microsoft security checklists and tools, visit the company's TechNet Web site.
The site includes items for most of Microsoft's enterprise products (although not for SQL Server).
http://www.microsoft.com/technet/security/tools/tools.asp

- UNIX OSs
CERT offers a "UNIX Security Checklist v2.0." The checklist covers the basic OS, major services, patches, and details about specific UNIX OSs. The checklist appendix lists security tools, commands, and five "essential" steps to secure your UNIX systems before you put them into operation.
http://www.cert.org/tech_tips/usc20_full.html

- Apache HTTP Server
If you're among the many people who run Apache HTTP Server, you'll be happy to know that the Apache Server Project hosts a Web page, "Security Tips for Server Configuration." The content includes permissions on server root directories, server-side includes, Common Gateway Interface (CGI) in general, aliased CGI, dynamic content, system settings, and protecting server files.
http://httpd.apache.org/docs/misc/security_tips.html

Finally, Windows & .NET Magazine has published many in-depth articles that discuss how to better secure your systems. Be sure to use the Web site search engine to find material about the security topics most important to you.
http://search.winnetmag.com

~~~~~~~~~~~~~~~~~~~~

~~~~ SPONSOR: WINDOWS & .NET MAGAZINE - EXCLUSIVE RATE ~~~~
http://list.winnetmag.com/cgi-bin3/flo?y=eO4O0CJgSH0CBw07CT0AE
HERE'S AN OFFER YOU CAN'T AFFORD TO PASS UP! For a limited time, you can get an exclusive $19.95 rate to one year of Windows & .NET Magazine. That's only $1.66 an issue in the US -- a whopping 60% off our regular rate. This offer won't be around forever, so subscribe today at
http://list.winnetmag.com/cgi-bin3/flo?y=eO4O0CJgSH0CBw07CT0AE
~~~~~~~~~~~~~~~~~~~~

2. ==== SECURITY RISKS ====
(contributed by Ken Pfeil, kenat_private)

* PRIVILEGE ESCALATION IN MICROSOFT WM_TIMER
A vulnerability in Windows WM_TIMER message handling can let an interactively logged-on user gain complete control over the vulnerable system.
The vulnerability occurs because one process in the interactive desktop can use a WM_TIMER message to cause another process to execute a callback function at the address of its choice, even if the second process didn't set a timer. Because higher-privileged processes that interact with the desktop receive these messages too, a low-privileged user can run code in their security context. Microsoft has released Security Bulletin MS02-071 (Flaw in Windows WM_TIMER Message Handling Could Enable Privilege Elevation) to address this vulnerability and recommends that affected users immediately apply the appropriate patch mentioned in the bulletin.
http://www.secadministrator.com/articles/index.cfm?articleid=37436

* VULNERABILITY IN MICROSOFT SMB
A new vulnerability in Microsoft Server Message Block (SMB) lets an attacker silently downgrade the SMB signing settings on a vulnerable system, which might then let the attacker modify Group Policy information as it crosses the network. Microsoft has released Security Bulletin MS02-070 (Flaw in SMB Signing Could Enable Group Policy to be Modified) to address this vulnerability and recommends that affected users immediately apply the appropriate patch mentioned in the bulletin. This patch is included in Windows XP Service Pack 1 (SP1) and will be included in Windows 2000 SP4.
http://www.secadministrator.com/articles/index.cfm?articleid=37435

* MULTIPLE VULNERABILITIES IN MICROSOFT VM
GreyMagic Software and Thor Larholm discovered eight new vulnerabilities in the Microsoft Virtual Machine (VM), Microsoft's Java implementation. The most serious of these vulnerabilities can give an attacker complete control over the vulnerable system. Microsoft has released Security Bulletin MS02-069 (Flaw in Microsoft VM Could Enable System Compromise) to address these vulnerabilities and recommends that affected users immediately apply the appropriate patch available through Windows Update.
http://www.secadministrator.com/articles/index.cfm?articleid=37434

3. ==== ANNOUNCEMENTS ====
(brought to you by Windows & .NET Magazine and its partners)

* THE MICROSOFT MOBILITY TOUR IS COMING SOON TO A CITY NEAR YOU!
Brought to you by Windows & .NET Magazine, this outstanding seven-city event will help support your growing mobile workforce. Industry guru Paul Thurrott discusses the coolest mobility hardware solutions around, demonstrates how to increase the productivity of your "road warriors" with the unique features of Windows XP and Office XP, and much more. There is no charge for these live events, but space is limited so register today!
http://list.winnetmag.com/cgi-bin3/flo?y=eO4O0CJgSH0CBw06Kw0Au

* GET THE NEW WINDOWS & .NET MAGAZINE NETWORK SUPER CD/VIP!
Everyone can appreciate a bargain in today's economy. That's why we've introduced the Windows & .NET Magazine Super CD/VIP Web site. You get exclusive subscriber-only access to all our publications through our new VIP Web site. Plus, you get Super CDs delivered twice a year, and we'll even throw in a 1-year print subscription to the magazine! The Super CD/VIP is a $545 value for just $279. Subscribe today!
http://list.winnetmag.com/cgi-bin3/flo?y=eO4O0CJgSH0CBw06oc0AC

4. ==== SECURITY ROUNDUP ====

* FEATURE: SECURITY AND PARAMETERIZATION
In SQL Server 2000 Analysis Services, Microsoft introduced dimension-level security, which can limit the members of a cube dimension that a user can view. The most straightforward way to use this feature is to create a security role for each unique set of permissions in the application. But in a sales application, every user might need a unique set of permissions for the sales data. This requirement could introduce hundreds--if not thousands--of security roles. However, even if you could create an administrative application to manage this number of security roles, Analysis Services couldn't handle it. Russ Whitney works around this limitation and creates a scalable solution. Read how at the URL below.
http://www.secadministrator.com/articles/index.cfm?articleid=27040

* FEATURE: CA BASICS
A primary condition for enabling Secure Sockets Layer (SSL) encryption is that your server (and, if you use client authentication, your clients) must have a digital certificate that chains to a root Certificate Authority (CA) the other side trusts. The certificates need not come from the same CA, but each party must trust the CA that issued the peer's certificate. For the example in this article, Gary Zaika used Microsoft Certificate Services to issue certificates for all clients inside the company. Read more on our Web site.
http://www.secadministrator.com/articles/index.cfm?articleid=27141

5. ==== SECURITY TOOLKIT ====

* VIRUS CENTER
Panda Software and the Windows & .NET Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security.
http://www.secadministrator.com/panda

* FAQ: HOW CAN I CONFIGURE MICROSOFT'S SECURE DESKTOP RESTRICTION SETTING IN WINDOWS 2000 SERVICE PACK 1 (SP1) AND LATER?
(contributed by John Savill, http://www.windows2000faq.com)

A. Users who interactively log on to a computer running Win2K or later can perform tasks that might be security risks, such as gaining access to display and input devices that a computer process with wider-reaching privileges owns. These users then can create a process to capture passwords or sensitive data. For more information about the problem, see Microsoft Security Bulletin MS00-020 (Patch Available for "Desktop Separation" Vulnerability) at the Microsoft Web site. Win2K SP1 corrected this vulnerability by adding a Secure Desktop Restriction setting, but the new locked-down functionality might adversely affect certain applications. If your application vendor advises you to disable this security setting, perform the following steps:

1. Start a registry editor (e.g., regedit.exe).
2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows.
3. From the Edit menu, select New, DWORD Value.
4. Enter a name of SecureDesktop.
5.
Double-click the new value, set it to 0 to disable the setting (you can set the value to 1 to reenable the default configuration), then click OK.
6. Restart the machine for the change to take effect.

Keep in mind that setting SecureDesktop to 0 removes the SP1 fix for MS00-020 on that machine, so treat it as a documented exception for the affected application and reenable the restriction once the vendor ships a fix.

6. ==== NEW AND IMPROVED ====
(contributed by Sue Cooper, productsat_private)

* MAINTENANCE-FREE SPAM PROTECTION
Singlefin announced the Global Email Gateway Service, which blocks unwanted email and viruses at the gateway, before they enter your network. The service uses a three-step filtering process to block only spam: email address baiting, proprietary message scoring, and proprietary fingerprinting and addition to Singlefin's database. The service uses two virus engines to support its 10-minute update intervals. Contact Singlefin at 619-222-1362, 866-566-3346, and infoat_private
http://www.singlefin.net

* EASILY SET UP REMOTE SITE FIREWALLS
PowerWallz Network Security announced the ProShield v1000 firewall appliance, designed for branch offices, telecommuters, and small and midsized enterprise users. ProShield v1000 features high-end encryption and EasyVPN, a proprietary configuration utility to simplify the installation and configuration process for your remote or small office settings. ProShield v1000 is available in rack-mount and standalone models, with Web-based central administration. It's expected to ship in first quarter 2003 with prices starting at $899. Contact PowerWallz Network Security at 604-233-2822, 888-889-6988, and salesat_private
http://www.powerwallz.com

* SUBMIT TOP PRODUCT IDEAS
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Do you know of a terrific product that others should know about? Tell us! We want to write about the product in a future What's Hot column. Send your product suggestions to whatshotat_private
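The following PowerShell script is an added example; it is not part of this newsletter or of Microsoft's bulletins. It ties together two items in this issue: the SMB signing downgrade behind MS02-070 and the SecureDesktop value from the Security Toolkit FAQ. It reads both settings, reports whether SMB signing is merely offered (and therefore negotiable) or required on each side of the SMB stack, flags a disabled Secure Desktop Restriction, and, when run with -Remediate, writes the hardened values. Assumptions: Windows PowerShell 5.1 or later in an elevated session; the EnableSecuritySignature and RequireSecuritySignature values under LanmanServer and LanmanWorkstation are the standard SMB signing settings (they are not named on this page); the -Remediate switch and the function names are mine.

```powershell
# Added example (not from the newsletter or Microsoft's bulletins): audit, and
# optionally re-harden, two registry settings discussed in this issue.
# Assumes Windows PowerShell 5.1+ running elevated. Pass -Remediate to write.
param([switch]$Remediate)
$ErrorActionPreference = 'Stop'

function Get-RegDword {
    # Returns the REG_DWORD value, or $null when the key or value is absent.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Set-RegDword {
    # Creates the key if needed and writes a REG_DWORD value.
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord
}

# --- SMB signing (context for MS02-070) ---------------------------------------
# EnableSecuritySignature=1 only offers signing, so a peer (or someone in the
# middle) can negotiate it away; RequireSecuritySignature=1 refuses unsigned
# sessions. Check both the server and the client side of the SMB stack.
$smbSides = @(
    @{ Label = 'Server (LanmanServer)';      Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' }
    @{ Label = 'Client (LanmanWorkstation)'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters' }
)
foreach ($side in $smbSides) {
    $enable  = Get-RegDword -Path $side.Path -Name 'EnableSecuritySignature'
    $require = Get-RegDword -Path $side.Path -Name 'RequireSecuritySignature'
    $state = 'not required (value absent or 0)'
    if ($enable -eq 1)  { $state = 'offered only (can be downgraded)' }
    if ($require -eq 1) { $state = 'REQUIRED' }
    Write-Output ('{0,-30} SMB signing: {1}' -f $side.Label, $state)
    if ($Remediate -and $require -ne 1) {
        Set-RegDword -Path $side.Path -Name 'EnableSecuritySignature'  -Value 1
        Set-RegDword -Path $side.Path -Name 'RequireSecuritySignature' -Value 1
        Write-Output '    -> set to REQUIRED; unsigned peers will now be refused'
    }
}

# --- Secure Desktop Restriction (Win2K SP1 and later; see the FAQ) -----------
# Absent or 1 = restriction on (the SP1 default). 0 = disabled, which reopens
# the MS00-020 desktop separation issue the setting was introduced to fix.
$sdPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$sd = Get-RegDword -Path $sdPath -Name 'SecureDesktop'
if ($sd -eq 0) {
    Write-Output 'SecureDesktop: 0 (restriction DISABLED)'
    if ($Remediate) {
        Set-RegDword -Path $sdPath -Name 'SecureDesktop' -Value 1
        Write-Output '    -> set to 1 (default behaviour); restart required'
    }
} elseif ($null -eq $sd) {
    Write-Output 'SecureDesktop: absent (default, restriction enabled)'
} else {
    Write-Output "SecureDesktop: $sd (restriction enabled)"
}

if ($Remediate) { Write-Output 'Restart the machine for the changes to take effect.' }
```

Run it once without -Remediate to see the current state. Requiring signing on a server refuses unsigned sessions from clients that cannot sign (older or non-Windows SMB clients, for example), so test before you roll it out fleet-wide. The MS02-070 patch is still required: requiring signing only closes the downgrade path, it does not fix the flaw. The SecureDesktop change, like the manual procedure above, takes effect only after a restart.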
7. ==== HOT THREAD ====

* WINDOWS & .NET MAGAZINE ONLINE FORUMS
http://www.winnetmag.com/forums

Featured Thread: Bypassing Proxy Servers
(Four messages in this thread)
A user writes that his company uses a Cisco Systems PIX firewall and WebSense URL-blocking software. However, some users have found applications that let them bypass the WebSense system to surf the Internet unrestricted. He wants to know where users might get such programs. Lend a hand or read the responses:
http://www.winnetmag.com/forums/rd.cfm?cid=42&tid=51474

8. ==== CONTACT US ====
Here's how to reach us with your comments and questions:
* ABOUT IN FOCUS -- markat_private
* ABOUT THE NEWSLETTER IN GENERAL -- lettersat_private (please mention the newsletter name in the subject line)
* TECHNICAL QUESTIONS -- http://www.winnetmag.com/forums
* PRODUCT NEWS -- productsat_private
* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer Support -- securityupdateat_private
* WANT TO SPONSOR SECURITY UPDATE? emedia_oppsat_private

********************
This email newsletter is brought to you by Security Administrator, the print newsletter with independent, impartial advice for IT administrators securing a Windows 2000/Windows NT enterprise. Subscribe today!
http://www.secadministrator.com/sub.cfm?code=saei25xxup

Receive the latest information about the Windows and .NET topics of your choice. Subscribe to our other FREE email newsletters.
http://www.winnetmag.com/email

|-+-|-+-|-+-|-+-|-+-|

Thank you for reading Security UPDATE.

MANAGE YOUR ACCOUNT
You can manage your entire Windows & .NET Magazine Network email newsletter account on our Web site. Simply log on and you can change your email address, update your profile information, and subscribe or unsubscribe to any of our email newsletters all in one place.
http://www.winnetmag.com/email

Thank you!
__________________________________________________________
Copyright 2003, Penton Media, Inc.
- ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Thu Jan 02 2003 - 18:50:27 PST