********************
Windows & .NET Magazine Security UPDATE--brought to you by Security Administrator, a print newsletter bringing you practical, how-to articles about securing your Windows Server 2003, Windows 2000, and Windows NT systems.
http://www.secadministrator.com
********************

~~~~ THIS ISSUE SPONSORED BY ~~~~

Experience How Real Time Monitoring Will Benefit YOU
http://list.winnetmag.com/cgi-bin3/flo?y=ePO50CJgSH0CBw07Xg0Au

PacWest Security Road Show
http://list.winnetmag.com/cgi-bin3/flo?y=ePO50CJgSH0CBw07Kz0A1
(below IN FOCUS)

~~~~~~~~~~~~~~~~~~~~

~~~~ SPONSOR: EXPERIENCE HOW REAL TIME MONITORING WILL BENEFIT YOU ~~~~

A proactive Security Administrator installed TNT Software's ELM Enterprise Manager 3.0 on his critical servers to assess the benefits of real time monitoring. During the first week, EEM 3.0 paged him as a disgruntled employee attempted to access confidential files, alerted him when the QoS of his Exchange Server began to drop, and automatically restarted a failed anti-virus service. As a result, ELM Enterprise Manager was purchased and fully deployed during the second week. Download your FREE 30 day full feature evaluation copy today and experience how real time monitoring will benefit YOU.
http://list.winnetmag.com/cgi-bin3/flo?y=ePO50CJgSH0CBw07Xg0Au

~~~~~~~~~~~~~~~~~~~~

January 29, 2003--In this issue:

1. IN FOCUS
   - Slammer/Sapphire Worm and Shades of Code Red

2. SECURITY RISKS
   - Information Disclosure Vulnerability in Microsoft Outlook 2002
   - Cross-Site Scripting Vulnerability in Microsoft Content Management Server 2001
   - Unchecked Buffer in Microsoft Locator Service

3. ANNOUNCEMENT
   - InfoSec World Conference and Expo/2003

4. SECURITY ROUNDUP
   - News: SQL Slammer Worm Hits Microsoft Too
   - News: ISS and PowerTech Team to Improve IBM iSeries Server Security
   - News: SonicWALL Announces equinux VPN Tracker Support
   - News: Russia First Country to View Windows Source Code
   - News: ABIT and VIA Announce Chip-based Security for Motherboards

5. SECURITY TOOLKIT
   - Virus Center
   - FAQ: How Can I Prevent Regedit from Remembering the Last Registry Key Location I Accessed Under Windows XP?

6. NEW AND IMPROVED
   - Assess Enterprise Vulnerability
   - Keep Offensive Emails out of Your Mailbox
   - Submit Top Product Ideas

7. HOT THREADS
   - Windows & .NET Magazine Online Forums
      - Featured Thread: User Can't Change Password at Logon
   - HowTo Mailing List
      - Featured Thread: Default Master Browser

8. CONTACT US
   See this section for a list of ways to contact us.

~~~~~~~~~~~~~~~~~~~~

1. ==== IN FOCUS ====
(contributed by Mark Joseph Edwards, News Editor, markat_private)

* SLAMMER/SAPPHIRE WORM AND SHADES OF CODE RED

As you probably know by now, a tiny worm began traveling the Internet over the past weekend. Known as either Slammer or Sapphire, the worm affects unpatched Microsoft SQL Server machines. Patches to prevent the vulnerability the worm exploits have been available since July 2002. The worm doesn't damage an infected machine, nor does it compromise any data on an infected machine. However, it does prove a simple concept: A tiny worm (376 bytes) with only the essential amount of code can spread rapidly and consume large amounts of bandwidth in the process.

Some people compare this worm with the Code Red worm that affected Microsoft IIS systems last year. However, far more IIS systems than SQL Server machines are online, and the Slammer/Sapphire worm's impact is proving to be relatively short-lived. As Chris Rouland, director of Internet Security Systems' (ISS's) X-Force said in an "InfoWorld" interview, the worm's impact has already lessened significantly.
As of Sunday, its impact was more comparable to that of the Nimda virus, which affects Microsoft Outlook clients. According to ISS monitoring, Nimda and Slammer/Sapphire both propagated at about 10,000 attacks per hour on Sunday. By now, I'm sure Slammer/Sapphire's activity has lessened even further (although it's possible for it to flare up again), whereas the most serious effects of Code Red were probably felt for a longer period. Overall, Nimda is probably more expensive to clean up than Slammer/Sapphire. Even so, the thing Slammer/Sapphire did that Nimda didn't do was severely affect network communications. In some cases, networks went down entirely for brief periods of time.

The reason that some networks went offline was probably twofold. First, the worm consumed a lot of bandwidth, sometimes saturating a given network's total capacity. Second, the worm affected Cisco Systems routers, which countless networks across the Internet use. The worm affected some Cisco routers because of the way those routers were configured to log packets. In some cases, routers were configured to block all traffic to port 1434 and to log all denied packets, such as those destined for blocked port 1434, which SQL Server typically uses. So the worm traffic in conjunction with the logging overwhelmed some routers. To read Cisco's recommendations regarding configuration adjustments, view the related Web page at the first URL below. To see a graph of how the worm affected traffic at a few of the larger networks, visit the second URL below.
http://www.cisco.com/en/US/products/hw/iad/ps497/products_security_advisory09186a0080133399.shtml
http://www.research.att.com/~griffin/bgp_monitor/sql_worm.html

Another problem with this worm is that it also affects Microsoft SQL Server Desktop Engine (MSDE), which ships inside a lot of products, some from Microsoft and many others from third parties.
These products include Visual Studio .NET (Architect, Developer, and Professional Editions), ASP.NET Web Matrix Tool, Microsoft Office XP Developer Edition, Microsoft Developer Network (MSDN) Universal and Enterprise subscriptions, and Microsoft Access. But those products represent just the tip of the iceberg. To see the huge list of products that use MSDE--many of which are probably installed on your systems--visit the SQL Security Web site at the URL below. The list is updated as those who maintain the list become aware of more products that use MSDE.
http://www.sqlsecurity.com/desktopdefault.aspx?tabindex=10&tabid=13

A Microsoft Web page offers information about the Slammer/Sapphire worm, including patch information (see the first URL below). As always, be sure to read the fine print associated with patches and related articles before you load any patches. Also, consider loading the recently released SQL Server Service Pack 3 (SP3). And if you want a tool that will scan your SQL Server systems to determine whether they're vulnerable, then you can download such a tool courtesy of eEye Digital Security (see the second URL below).
http://www.microsoft.com/technet/security/virus/alerts/slammer.asp
http://www.eeye.com/html/research/tools/sapphiresql.html

To help prevent such attacks from being successful, administrators must patch systems as quickly as possible. They need to maintain firewalls in a deny-all-traffic-until-otherwise-authorized configuration. Also, they must conduct any remote administration that requires opening nonessential ports through a VPN and some kind of remote terminal software. When all the hype around this new worm has finally fizzled out, I hope that businesses will have learned how important it is to take defensive actions sooner rather than later.

~~~~~~~~~~~~~~~~~~~~

~~~~ SPONSOR: PACWEST SECURITY ROAD SHOW ~~~~

BACK BY POPULAR DEMAND - DON'T MISS OUR SECURITY ROAD SHOW EVENT!
If you missed last year's popular security Road Show event, now's your chance to catch it again in Portland and Redmond. Learn from experts Mark Minasi and Paul Thurrott about how to shore up your system's security and what desktop security features are planned for Microsoft .NET and beyond. Registration is free so sign up now!
http://list.winnetmag.com/cgi-bin3/flo?y=ePO50CJgSH0CBw07Kz0A1

~~~~~~~~~~~~~~~~~~~~

2. ==== SECURITY RISKS ====
(contributed by Ken Pfeil, kenat_private)

* INFORMATION DISCLOSURE VULNERABILITY IN MICROSOFT OUTLOOK 2002

A vulnerability in Microsoft Outlook 2002 can result in information disclosure. This vulnerability stems from a flaw in the way Outlook 2002 uses a V1 Exchange Server Security certificate to encrypt email. As a result of this flaw, Outlook fails to correctly encrypt the mail and sends the message in plain text. Information in the message is therefore exposed. Microsoft has released Security Bulletin MS03-003 (Flaw in how Outlook 2002 handles V1 Exchange Server Security Certificates could lead to Information Disclosure) to address this vulnerability.
http://www.secadministrator.com/articles/index.cfm?articleid=37819

* CROSS-SITE SCRIPTING VULNERABILITY IN MICROSOFT CONTENT MANAGEMENT SERVER 2001

A vulnerability in Microsoft Content Management Server (MCMS) 2001 lets an attacker insert script code into data that a user sends to an MCMS server. The vulnerability stems from a Cross-Site Scripting flaw and could result in the ability to access information that the user shared with the legitimate site. Microsoft has released Security Bulletin MS03-002 (Cumulative Patch for Microsoft Content Management Server) to address this vulnerability.
http://www.secadministrator.com/articles/index.cfm?articleid=37818

* UNCHECKED BUFFER IN MICROSOFT LOCATOR SERVICE

The Microsoft Locator service contains a vulnerability that stems from an unchecked buffer.
By sending a specially malformed request to the Locator service, an attacker can cause the Locator service to fail or to run code of the attacker's choice on the system. To address this vulnerability, Microsoft has released Security Bulletin MS03-001 (Unchecked Buffer in Locator Service Could Lead to Code Execution), and recommends that affected users immediately apply the appropriate patch mentioned in the bulletin.
http://www.secadministrator.com/articles/index.cfm?articleid=37780

3. ==== ANNOUNCEMENT ====
(brought to you by Windows & .NET Magazine and its partners)

* INFOSEC WORLD CONFERENCE AND EXPO/2003

MIS Training Institute's InfoSec World Conference and Expo/2003 will be held in Orlando, FL, March 10-12, 2003, with optional workshops on March 8, 9, 12, 13, and 14. InfoSec World will cover today's need-to-know topics and deliver proven strategies for protecting your systems. For details and to register, visit:
http://list.winnetmag.com/cgi-bin3/flo?y=ePO50CJgSH0CBw07Lo0Aq

4. ==== SECURITY ROUNDUP ====

* NEWS: SQL SLAMMER WORM HITS MICROSOFT TOO

Just a week after Microsoft celebrated the 1-year anniversary of its Trustworthy Computing initiative, the milestone was marred by one of the most virulent computer worms of all time, the so-called Slammer worm, which targets Microsoft SQL Server 2000 machines.
http://www.secadministrator.com/articles/index.cfm?articleid=37817

* NEWS: ISS AND POWERTECH TEAM TO IMPROVE IBM iSERIES SERVER SECURITY

Internet Security Systems (ISS) and PowerTech Group have announced an alliance to improve security for IBM's iSeries servers. ISS President and CEO Tom Noonan said that PowerTech's PowerLock iSeries line of security tools would pass security information over to the ISS RealSecure platform, which the RealSecure SiteProtector 2.0 security management platform could then correlate.
http://www.secadministrator.com/articles/index.cfm?articleid=37755

* NEWS: SONICWALL ANNOUNCES EQUINUX VPN TRACKER SUPPORT

SonicWALL announced a new relationship with equinux USA in which equinux will provide interoperability for its VPN Tracker software for network access through SonicWALL's firewall and VPN appliance technology.
http://www.secadministrator.com/articles/index.cfm?articleid=37756

* NEWS: RUSSIA FIRST COUNTRY TO VIEW WINDOWS SOURCE CODE

Microsoft has announced that Russia will be the first country to view the source code for Windows under the Government Security Program (GSP), a plan the company revealed earlier this month.
http://www.secadministrator.com/articles/index.cfm?articleid=37732

* NEWS: ABIT AND VIA ANNOUNCE CHIP-BASED SECURITY FOR MOTHERBOARDS

ABIT Computer and VIA Technologies announced new chipset features that will include security technologies. ABIT will include functionality for IP Security (IPSec), and VIA will include a chip-based random-number generator.
http://www.wininformant.com/articles/index.cfm?articleid=37734

5. ==== SECURITY TOOLKIT ====

* VIRUS CENTER

Panda Software and the Windows & .NET Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security.
http://www.secadministrator.com/panda

* FAQ: HOW CAN I PREVENT REGEDIT FROM REMEMBERING THE LAST REGISTRY KEY LOCATION I ACCESSED UNDER WINDOWS XP?
(contributed by John Savill, http://www.windows2000faq.com)

A. In a previous FAQ, I explained how to write a script to automatically reset the last key location every time you log on to the OS. Another option for clearing the last registry key accessed is to use registry permissions to disable Write access to the key. To do so, perform the following steps:

   1. Start the registry editor.
   2. Navigate to the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit registry subkey.
   3. Select LastKey.
   4. If you're working in XP, open the Edit menu and select Permissions; if you're working in Windows 2000, open the Security menu and select Permissions.
   5. Remove Full Control access and grant Read-only access.
   6. Click OK.

You'll need to repeat this process for all users who don't want regedit to remember the last key location they accessed.

6. ==== NEW AND IMPROVED ====
(contributed by Sue Cooper, productsat_private)

* ASSESS ENTERPRISE VULNERABILITY

eSecurityOnline, an Ernst & Young security software company, released eSO Advisor, a hardware and software appliance designed to automatically assess and manage your environment's security risks. eSO Advisor correlates automated discovery, inventory, and assessment processes with a continuously updated database of verified threats and proven fixes, gleaned from eSecurityOnline's customers and from more than 2400 Ernst & Young security specialists worldwide. eSO Advisor's reporting features illustrate trends and overall progress in your company's security risk management. eSO Advisor supports most enterprise platforms. Contact eSecurityOnline at 603-634-4527 or salesat_private
http://www.esecurityonline.com

* KEEP OFFENSIVE EMAILS OUT OF YOUR MAILBOX

PJ Walczak released Mailbox Guard 1.6, a utility that eliminates spam, viruses, and obscenity before it reaches your mailbox. Mailbox Guard prescreens mail on your email server and ranks each message according to a four-level risk scale, with each level color-tagged. Mailbox Guard 1.6 notifies you that new email messages are waiting and also provides the messages' risk level. Features new to Mailbox Guard 1.6 include user-definable lists, remote preview, and deletion of emails from multiple accounts. Supports all Windows desktop OSs at $29.50 per installation. Contact PJ Walczak at infoat_private
http://www.pjwalczak.com/mbguard/

* SUBMIT TOP PRODUCT IDEAS

Have you used a product that changed your IT experience by saving you time or easing your daily burden?
Do you know of a terrific product that others should know about? Tell us! We want to write about the product in a future What's Hot column. Send your product suggestions to whatshotat_private

7. ==== HOT THREADS ====

* WINDOWS & .NET MAGAZINE ONLINE FORUMS
http://www.winnetmag.com/forums

Featured Thread: User Can't Change Password at Logon
(Two messages in this thread)

A reader writes that on his network when users' passwords are about to expire, users receive a message during logon that says "Your password will expire in [X] days, would you like to change it now?" But even if users answer "Yes," they can't change the password. After clicking "Yes," they receive the message "You're not allowed to change your password at this time" (or a message with similar wording). However, if the users log on with their old (still valid) credentials, they can change the password in a usual way, such as by using Ctrl+Alt+Del and selecting Change Password. Do you have any ideas about why this situation exists? Lend a hand or read the responses:
http://www.winnetmag.com/forums/rd.cfm?cid=42&tid=53206

* HOWTO MAILING LIST
http://63.88.172.96/listserv/page_listserv.asp?a0=howto

Featured Thread: Default Master Browser
(One message in this thread)

A user wants to know whether he can make a particular Windows XP or Windows 2000 system a Master Browser if another Master Browser is already present because that system booted first. Read the responses or lend a hand at the following URL:
http://63.88.172.96/listserv/page_listserv.asp?A2=IND0301D&L=HOWTO&P=976

8. ==== CONTACT US ====
Here's how to reach us with your comments and questions:

* ABOUT IN FOCUS -- markat_private

* ABOUT THE NEWSLETTER IN GENERAL -- lettersat_private (please mention the newsletter name in the subject line)

* TECHNICAL QUESTIONS -- http://www.winnetmag.com/forums

* PRODUCT NEWS -- productsat_private

* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION?
  Customer Support -- securityupdateat_private

* WANT TO SPONSOR SECURITY UPDATE?
  emedia_oppsat_private

********************

This email newsletter is brought to you by Security Administrator, the print newsletter with independent, impartial advice for IT administrators securing a Windows 2000/Windows NT enterprise. Subscribe today!
http://www.secadministrator.com/sub.cfm?code=saei25xxup

Receive the latest information about the Windows and .NET topics of your choice. Subscribe to our other FREE email newsletters.
http://www.winnetmag.com/email

|-+-|-+-|-+-|-+-|-+-|

Thank you for reading Security UPDATE.

MANAGE YOUR ACCOUNT
You can manage your entire Windows & .NET Magazine Network email newsletter account on our Web site. Simply log on and you can change your email address, update your profile information, and subscribe or unsubscribe to any of our email newsletters all in one place.
http://www.winnetmag.com/email

Thank you!
__________________________________________________________
Copyright 2003, Penton Media, Inc.

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
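
The regedit LastKey FAQ in section 5, scripted in PowerShell as an added example; it is not part of the newsletter or of John Savill's FAQ. It assumes a system where Windows PowerShell is available, and instead of the FAQ's remove-Full-Control-and-grant-Read steps it adds an explicit Deny entry for SetValue on the Regedit subkey; the function names are hypothetical.

```powershell
# Added example, not from the FAQ: deny the current user write access to the
# regedit applet key so that LastKey can no longer be updated.
$subKey = 'Software\Microsoft\Windows\CurrentVersion\Applets\Regedit'

function Open-RegeditKey {
    # Ask only for the rights needed to read the key and rewrite its DACL.
    $rights = [System.Security.AccessControl.RegistryRights]'ReadKey, ChangePermissions'
    $key = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey(
        $subKey,
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
        $rights)
    if ($null -eq $key) { throw "HKCU\$subKey not found; start regedit once for this user first." }
    $key
}

function New-DenySetValueRule {
    # Explicit Deny on SetValue for this user's SID, on this key only (no
    # inheritance flags), so subkeys keep their current permissions. An explicit
    # Deny is evaluated before any Allow, including group-granted Full Control.
    $sid   = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
    $right = [System.Security.AccessControl.RegistryRights]::SetValue
    $type  = [System.Security.AccessControl.AccessControlType]::Deny
    New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList $sid, $right, $type
}

function Set-LastKeyLock {
    param([switch]$Remove)   # -Remove takes the Deny entry off again
    $key = Open-RegeditKey
    try {
        if (-not $Remove) {
            # Assumption: blank the stored location first, otherwise regedit keeps
            # reopening at whatever LastKey held when the key was locked.
            Set-ItemProperty -Path "HKCU:\$subKey" -Name LastKey -Value ''
        }
        $acl  = $key.GetAccessControl([System.Security.AccessControl.AccessControlSections]::Access)
        $rule = New-DenySetValueRule
        if ($Remove) { [void]$acl.RemoveAccessRule($rule) } else { $acl.AddAccessRule($rule) }
        $key.SetAccessControl($acl)
        # Return the explicit (non-inherited) entries so the result can be checked.
        $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
    }
    finally { $key.Close() }
}

Set-LastKeyLock            # apply the lock for the current user
# Set-LastKeyLock -Remove  # undo it
```

Because the key lives under HKEY_CURRENT_USER, the script has to run once in each user's own session, matching the FAQ's note about repeating the process per user.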