[ISN] Security UPDATE, January 1, 2003

From: InfoSec News (isnat_private)
Date: Thu Jan 02 2003 - 08:00:11 PST


    ********************
    Windows & .NET Magazine Security UPDATE--brought to you by Security
    Administrator, a print newsletter bringing you practical, how-to
    articles about securing your Windows .NET Server, Windows 2000, and
    Windows NT systems.
       http://www.secadministrator.com
    ********************
    
    ~~~~ THIS ISSUE SPONSORED BY ~~~~
    
    Massive Workstation Security Hole...Ignored!
       http://list.winnetmag.com/cgi-bin3/flo?y=eO4O0CJgSH0CBw07DQ0AC
    
    Windows & .NET Magazine - Exclusive Rate
       http://list.winnetmag.com/cgi-bin3/flo?y=eO4O0CJgSH0CBw07CT0AE
       (below IN FOCUS)
    
    ~~~~~~~~~~~~~~~~~~~~
    
    ~~~~ SPONSOR: MASSIVE WORKSTATION SECURITY HOLE...IGNORED! ~~~~
       In just a few minutes any of your domain users could become the
    administrator of ALL your machines without your knowledge. A quick
    search of Google.com for password crackers is all it takes. There is a
    solution. Download our guide to plugging the DISTRIBUTED CREDENTIALS
    FLAW in Windows.
       http://list.winnetmag.com/cgi-bin3/flo?y=eO4O0CJgSH0CBw07DQ0AC
    
    ~~~~~~~~~~~~~~~~~~~~
    
    January 1, 2003--In this issue:
    
    1. IN FOCUS
         - It's a Great Time to Check Your Security
    
    2. SECURITY RISKS
         - Privilege Escalation in Microsoft WM_TIMER
         - Vulnerability in Microsoft SMB
         - Multiple Vulnerabilities in Microsoft VM
    
    3. ANNOUNCEMENTS
         - The Microsoft Mobility Tour Is Coming Soon to a City Near You!
         - Get the New Windows & .NET Magazine Network Super CD/VIP!
    
    4. SECURITY ROUNDUP
         - Feature: Security and Parameterization
         - Feature: CA Basics
    
    5. SECURITY TOOLKIT
         - Virus Center
         - FAQ: How Can I Configure Microsoft's Secure Desktop Restriction
           Setting in Windows 2000 Service Pack 1 (SP1) and Later?
    
    6. NEW AND IMPROVED
         - Maintenance-Free Spam Protection
         - Easily Set Up Remote Site Firewalls
         - Submit Top Product Ideas
     
    7. HOT THREAD
         - Windows & .NET Magazine Online Forums
             - Featured Thread: Bypassing Proxy Servers
    
    8. CONTACT US
       See this section for a list of ways to contact us.
    
    ~~~~~~~~~~~~~~~~~~~~
    
    1. ==== IN FOCUS ====
       (contributed by Mark Joseph Edwards, News Editor,
    markat_private)
    
    * IT'S A GREAT TIME TO CHECK YOUR SECURITY
    
    It's 2003, and you might want to start the new year by checking the
    security of all your systems. Toward that effort, I've located several
    security checklists to assist you. The checklists cover Windows XP;
    Windows 2000; Windows NT; Microsoft IIS, SQL Server, Exchange Server,
    and Internet Explorer (IE); various UNIX systems; and Apache. Keep in
    mind that these are just a few of the many checklists available. To
    find more, use your favorite search engine.
    
    - Windows XP
       LabMice.net hosts a "Windows XP Security Checklist." The checklist
    is divided into three categories: basic, intermediate, and advanced.
    The items covered include user accounts, groups, passwords, hardware,
    ports, shares, risky subsystems, and risky features.
       http://www.labmice.net/articles/winxpsecuritychecklist.htm
    
    Microsoft also provides a security checklist for XP Home Edition and
    XP Professional. According to the related TechNet Web page, the
    checklists "outline the steps you should take to reach a baseline of
    security with Windows XP Home Edition and Windows XP Professional
    computers, either on their own or as part of a Windows NT or Windows
    2000 domain." The checklists cover such matters as shares, policies,
    and accounts and passwords.
       http://www.microsoft.com/technet/security/tools/chklist/xpcl.asp
    
    - Win2K
       LabMice.net also hosts the "Windows 2000 Security Checklist," which
    provides the same thorough coverage provided in the LabMice.net XP
    security checklist.
       http://www.labmice.net/articles/securingwin2000.htm
    
    Microsoft also provides checklists for Win2K Professional and Win2K
    Server. The comprehensive lists are on the TechNet Web site.
       http://www.microsoft.com/technet/security/tools/chklist/w2kprocl.asp
       http://www.microsoft.com/technet/security/tools/chklist/w2ksvrcl.asp
    
    - NT
       If you have NT systems on your network, check out the NT security
    checklist that Windows IT Library hosts. Originally compiled by Rob
    Davis with the help of several others, the checklist includes
    information from Microsoft's Web site. The list addresses such
    concerns as protecting files and directories, NetBIOS, dangerous
    services, passwords and hashes, registry entries, resource sharing,
    auditing, caching, and memory paging.
       http://www.windowsitlibrary.com/content/121/18/toc.html
    
    - IIS
       Microsoft offers the Internet Information Server (IIS) 4.0 Baseline
    Security Checklist, which helps you better secure the popular Web
    server. The list discusses installing the minimum Internet services
    required, setting appropriate authentication methods, setting
    appropriate virtual directory permissions and partitioning Web
    application space, setting appropriate IIS log file ACLs, enabling
    logging, setting up Secure Sockets Layer (SSL), disabling or removing
    all sample applications, removing the IISADMPWD virtual directory,
    removing unused script mappings, and disabling Remote Data Services
    (RDS) support (see the first URL below). Microsoft also provides a
    Web-based checklist form that helps you keep track of which
    configuration actions you've taken on a Web server. You'll find the
    form, which contains hotlinks that describe each item listed, at the
    second URL below. The company also provides a lockdown tool for IIS,
    which you'll find at the third URL below. Finally, you'll find a
    useful checklist for Internet Information Services (IIS) 5.0 at the
    fourth URL below.
       http://www.microsoft.com/technet/security/tools/chklist/iis4cl.asp
       http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/chklist/iischk.asp
       http://www.microsoft.com/technet/security/tools/tools/locktool.asp
       http://www.microsoft.com/technet/security/tools/chklist/iis5cl.asp
    
    - SQL Server
       SQLSecurity.com provides the "SQL Server Security Checklist" to
    help you secure SQL Server installations. The extensive list covers
    such matters as service packs, protocols, user accounts, dropping
    dangerous procedures, deleting stored procedures, logging, alerts,
    groups and roles, and user logins.
       http://www.sqlsecurity.com/checklist.asp
    
    - Exchange Server
       The IMIBO Web site discusses Exchange Server security and offers
    sample code that shows you how Microsoft handles security inside the
    server. The site's information addresses subjects such as logons,
    directory objects, security descriptors, modifying access, and public
    folder access control.
       http://www.imidev.galaxite.net/exc/security/contents.htm
    
    DevX provides "Eight Tips to Secure Exchange." The tips cover areas
    such as ports, underlying OS services, server location, passwords,
    using communities, dial-up access, and administrative rights.
       http://archive.devx.com/upload/free/features/exchange/2000/10oct00/jh0010/jh0010.asp
    
    You can find additional information about Exchange Server and Outlook
    security at Slipstick Systems. At the Slipstick Web site, search on
    the term "security."
       http://www.slipstick.com
    
    - Microsoft IE
       Microsoft provides a rudimentary Web page that explains IE
    security. The page includes settings for SSL and security zones. The
    most important thing to remember about IE security is to load the many
    available patches.
       http://www.microsoft.com/technet/security/tools/chklist/iecl.asp
    
    - More Microsoft Security Tools and Checklists
       For more complete access to Microsoft security checklists and
    tools, visit the company's TechNet Web site. The site includes items
    for most of Microsoft's enterprise products (although not for SQL
    Server).
       http://www.microsoft.com/technet/security/tools/tools.asp
    
    - UNIX OSs
       CERT offers a "UNIX Security Checklist v2.0." The checklist covers
    the basic OS, major services, patches, and details about specific UNIX
    OSs. The checklist appendix lists security tools, commands, and five
    "essential" steps to secure your UNIX systems before you put them into
    operation.
       http://www.cert.org/tech_tips/usc20_full.html
    
    - Apache HTTP Server
       If you're among the many people who run Apache HTTP server, you'll
    be happy to know that the Apache Server Project hosts a Web page,
    "Security Tips for Server Configuration." The content includes
    permissions on server root directories, server-side includes, Common
    Gateway Interface (CGI) in general, aliased CGI, dynamic content,
    system settings, and protecting server files.
       http://httpd.apache.org/docs/misc/security_tips.html
    
    Finally, Windows & .NET Magazine has published many in-depth articles
    that discuss how to better secure your systems. Be sure to use the Web
    site search engine to find material about the security topics most
    important to you.
       http://search.winnetmag.com
    
    ~~~~~~~~~~~~~~~~~~~~
    
    ~~~~ SPONSOR: WINDOWS & .NET MAGAZINE - EXCLUSIVE RATE ~~~~
       http://list.winnetmag.com/cgi-bin3/flo?y=eO4O0CJgSH0CBw07CT0AE
       HERE'S AN OFFER YOU CAN'T AFFORD TO PASS UP!
       For a limited time, you can get an exclusive $19.95 rate to one
    year of Windows & .NET Magazine. That's only $1.66 an issue in the US
    -- a whopping 60% off our regular rate. This offer won't be around
    forever, so subscribe today at
       http://list.winnetmag.com/cgi-bin3/flo?y=eO4O0CJgSH0CBw07CT0AE
    
    ~~~~~~~~~~~~~~~~~~~~
    
    2. ==== SECURITY RISKS ====
       (contributed by Ken Pfeil, kenat_private)
    
    * PRIVILEGE ESCALATION IN MICROSOFT WM_TIMER
       A vulnerability in Microsoft WM_TIMER Message Handling can grant an
    attacker complete control over the vulnerable system. The
    vulnerability occurs because one process in the interactive desktop
    can use a WM_TIMER message to cause another process to execute a
    callback function at the address of its choice, even if the second
    process didn't set a timer. Microsoft has released Security Bulletin
    MS02-071 (Flaw in Windows WM_TIMER Message Handling Could Enable
    Privilege Elevation) to address this vulnerability and recommends that
    affected users immediately apply the appropriate patch mentioned in
    the bulletin.
       http://www.secadministrator.com/articles/index.cfm?articleid=37436
     
    * VULNERABILITY IN MICROSOFT SMB
       A new vulnerability in Microsoft Server Message Block (SMB) lets an
    attacker silently downgrade the SMB Signing settings on a vulnerable
    system, which might then let the attacker change Group Policy
    information. Microsoft has released Security Bulletin MS02-070 (Flaw
    in SMB Signing Could Enable Group Policy to be Modified) to address
    this vulnerability and recommends that affected users immediately
    apply the appropriate patch mentioned in the bulletin. This patch is
    included in Windows XP Service Pack 1 (SP1) and will be included in
    Windows 2000 SP4.
       http://www.secadministrator.com/articles/index.cfm?articleid=37435
    
    * MULTIPLE VULNERABILITIES IN MICROSOFT VM
       GreyMagic Software and Thor Larholm discovered eight new
    vulnerabilities in Microsoft Virtual Machine (VM). The most serious of
    these vulnerabilities can give an attacker complete control over the
    vulnerable system. Microsoft has released Security Bulletin MS02-069
    (Flaw in Microsoft VM Could Enable System Compromise) to address these
    vulnerabilities and recommends that affected users immediately apply
    the appropriate patch available through Windows Update.
       http://www.secadministrator.com/articles/index.cfm?articleid=37434
    
    3. ==== ANNOUNCEMENTS ====
       (brought to you by Windows & .NET Magazine and its partners)
    
    * THE MICROSOFT MOBILITY TOUR IS COMING SOON TO A CITY NEAR YOU!
       Brought to you by Windows & .NET Magazine, this outstanding
    seven-city event will help support your growing mobile workforce.
    Industry guru Paul Thurrott discusses the coolest mobility hardware
    solutions around, demonstrates how to increase the productivity of
    your "road warriors" with the unique features of Windows XP and Office
    XP, and much more. There is no charge for these live events, but space
    is limited so register today!
       http://list.winnetmag.com/cgi-bin3/flo?y=eO4O0CJgSH0CBw06Kw0Au
    
    * GET THE NEW WINDOWS & .NET MAGAZINE NETWORK SUPER CD/VIP!
       Everyone can appreciate a bargain in today's economy. That's why
    we've introduced the Windows & .NET Magazine Super CD/VIP Web site.
    You get exclusive subscriber-only access to all our publications
    through our new VIP Web site. Plus, you get Super CDs delivered twice
    a year, and we'll even throw in a 1-year print subscription to the
    magazine! The Super CD/VIP is a $545 value for just $279. Subscribe
    today!
       http://list.winnetmag.com/cgi-bin3/flo?y=eO4O0CJgSH0CBw06oc0AC
    
    4. ==== SECURITY ROUNDUP ====
    
    * FEATURE: SECURITY AND PARAMETERIZATION
       In SQL Server 2000 Analysis Services, Microsoft introduced
    dimension-level security, which can limit the members of a cube
    dimension that a user can view. The most straightforward way to use
    this feature is to create a security role for each unique set of
    permissions in the application. But in a sales application, every user
    might need a unique set of permissions for the sales data. This
    requirement could introduce hundreds--if not thousands--of security
    roles. However, even if you could create an administrative application
    to manage this number of security roles, Analysis Services couldn't
    handle it. Russ Whitney works around this limitation and creates a
    scalable solution. Read how at the URL below.
       http://www.secadministrator.com/articles/index.cfm?articleid=27040
    
    * FEATURE: CA BASICS
       A primary condition for enabling Secure Sockets Layer (SSL)
    encryption is that your server and clients must have a digital
    certificate from a trusted root Certificate Authority (CA). The server
    and client certificates must be from the same CA. For the example in
    this article, Gary Zaika used Microsoft Certificate Services to issue
    certificates for all clients inside the company. Read more on our Web
    site.
       http://www.secadministrator.com/articles/index.cfm?articleid=27141
    
    5. ==== SECURITY TOOLKIT ====
    
    * VIRUS CENTER
       Panda Software and the Windows & .NET Magazine Network have teamed
    to bring you the Center for Virus Control. Visit the site often to
    remain informed about the latest threats to your system security.
       http://www.secadministrator.com/panda
    
    * FAQ: HOW CAN I CONFIGURE MICROSOFT'S SECURE DESKTOP RESTRICTION
    SETTING IN WINDOWS 2000 SERVICE PACK 1 (SP1) AND LATER?
       (contributed by John Savill, http://www.windows2000faq.com)
     
    A. Users who interactively log on to a computer running Win2K or later
    can perform tasks that might be security risks, such as gaining access
    to display and input devices that a computer process with
    wider-reaching privileges owns. These users then can create a process
    to capture passwords or sensitive data. For more information about the
    problem, see Microsoft Security Bulletin MS00-020 (Patch Available for
    "Desktop Separation" Vulnerability) at the Microsoft Web site.
       Win2K SP1 corrected this vulnerability by adding a Secure Desktop
    Restriction setting, but the new locked-down functionality might
    adversely affect certain applications. If your application vendor
    advises you to disable this security setting, perform the following
    steps:
       1. Start a registry editor (e.g., regedit.exe).
       2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows.
       3. From the Edit menu, select New, DWORD Value.
       4. Enter a name of SecureDesktop.
       5. Double-click the new value, set it to 0 to disable the setting
    (you can set the value to 1 to reenable the default configuration),
    then click OK.
       6. Restart the machine for the change to take effect.
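    As an added example that is not part of the newsletter or of Savill's
    FAQ, the following PowerShell script audits the SecureDesktop value
    from the steps above and can put it back to the default of 1. It
    assumes a PowerShell version with the HKLM: registry provider, and it
    treats a missing value as the default (the FAQ says 1 re-enables the
    default configuration).

```powershell
# Added example: audit and restore the Win2K SP1+ Secure Desktop Restriction
# value described in the FAQ. Key and value name are taken from the FAQ steps.
$Key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$Name = 'SecureDesktop'

function Get-SecureDesktopState {
    # Returns whether the value exists, what it holds, and whether the
    # restriction is in effect. Assumption (from the FAQ, which says 1
    # re-enables the default): a missing value means the default applies.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Present = $false; Value = $null; Restricted = $true }
    }
    $value = [int]$item.$Name
    [pscustomobject]@{ Present = $true; Value = $value; Restricted = ($value -ne 0) }
}

function Restore-SecureDesktopDefault {
    # Sets SecureDesktop back to 1 (FAQ step 5). New-ItemProperty -Force
    # overwrites an existing value; a reboot is still needed (FAQ step 6).
    New-ItemProperty -Path $Key -Name $Name -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Warning "SecureDesktop set to 1; restart the machine for the change to take effect."
}

# Usage: report the current state, and flag hosts where an application
# vendor's advice to disable the restriction may have been left in place.
$state = Get-SecureDesktopState
if ($state.Restricted) {
    Write-Output "Secure Desktop Restriction is in effect (value present: $($state.Present))."
} else {
    Write-Output "Secure Desktop Restriction is DISABLED (SecureDesktop = $($state.Value))."
    Write-Output "Run Restore-SecureDesktopDefault to return to the default once the vendor no longer requires the exception."
}
```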
    
    6. ==== NEW AND IMPROVED ====
       (contributed by Sue Cooper, productsat_private)
    
    * MAINTENANCE-FREE SPAM PROTECTION
       Singlefin announced the Global Email Gateway Service, which blocks
    unwanted email and viruses at the gateway, before they enter your
    network. The service uses a three-step filtering process to block only
    spam: email address baiting, proprietary message scoring, and
    proprietary fingerprinting and addition to Singlefin's database. The
    service uses two virus engines to support its 10-minute update
    intervals. Contact Singlefin at 619-222-1362, 866-566-3346, and
    infoat_private
       http://www.singlefin.net
    
    * EASILY SET UP REMOTE SITE FIREWALLS
       PowerWallz Network Security announced the ProShield v1000 firewall
    appliance, designed for branch offices, telecommuters, and small and
    midsized enterprise users. ProShield v1000 features high-end
    encryption and EasyVPN, a proprietary configuration utility to
    simplify the installation and configuration process for your remote or
    small office settings. ProShield v1000 is available in rack-mount and
    standalone models, with Web-based central administration. It's
    expected to ship in first quarter 2003 with prices starting at $899.
    Contact PowerWallz Network Security at 604-233-2822, 888-889-6988, and
    salesat_private
       http://www.powerwallz.com
    
    * SUBMIT TOP PRODUCT IDEAS
       Have you used a product that changed your IT experience by saving
    you time or easing your daily burden? Do you know of a terrific
    product that others should know about? Tell us! We want to write about
    the product in a future What's Hot column. Send your product
    suggestions to whatshotat_private
    
    7. ==== HOT THREAD ====
    
    * WINDOWS & .NET MAGAZINE ONLINE FORUMS
       http://www.winnetmag.com/forums
    
    Featured Thread: Bypassing Proxy Servers
       (Four messages in this thread)
    
    A user writes that his company uses a Cisco Systems PIX firewall and
    WebSense URL-blocking software. However, some users have found
    applications that let them bypass the WebSense system to surf the
    Internet unrestricted. He wants to know where users might get such
    programs. Lend a hand or read the responses:
       http://www.winnetmag.com/forums/rd.cfm?cid=42&tid=51474
    
    8. ==== CONTACT US ====
       Here's how to reach us with your comments and questions:
    
    * ABOUT IN FOCUS -- markat_private
    
    * ABOUT THE NEWSLETTER IN GENERAL -- lettersat_private (please
    mention the newsletter name in the subject line)
    
    * TECHNICAL QUESTIONS -- http://www.winnetmag.com/forums
    
    * PRODUCT NEWS -- productsat_private
    
    * QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer
    Support -- securityupdateat_private
    
    * WANT TO SPONSOR SECURITY UPDATE? emedia_oppsat_private
    
    ********************
    
    This email newsletter is brought to you by Security Administrator, the
    print newsletter with independent, impartial advice for IT
    administrators securing a Windows 2000/Windows NT enterprise.
    Subscribe today!
       http://www.secadministrator.com/sub.cfm?code=saei25xxup
    
    Receive the latest information about the Windows and .NET topics of
    your choice. Subscribe to our other FREE email newsletters.
       http://www.winnetmag.com/email
    
    |-+-|-+-|-+-|-+-|-+-|
    
    Thank you for reading Security UPDATE.
    
    MANAGE YOUR ACCOUNT
       You can manage your entire Windows & .NET Magazine Network email
    newsletter account on our Web site. Simply log on and you can change
    your email address, update your profile information, and subscribe or
    unsubscribe to any of our email newsletters all in one place.
       http://www.winnetmag.com/email
    
    Thank you!
    __________________________________________________________
    Copyright 2003, Penton Media, Inc.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    


