[ISN] Security UPDATE, May 7, 2003

From: InfoSec News (isnat_private)
Date: Thu May 08 2003 - 03:55:04 PDT

    ********************
    
    Windows & .NET Magazine Security UPDATE--brought to you by Security
    Administrator, a print newsletter bringing you practical, how-to
    articles about securing your Windows Server 2003, Windows 2000, and
    Windows NT systems.
       http://www.secadministrator.com
    
    ********************
    
    May 7, 2003--In this issue:
    
    1. IN FOCUS
         - Security: Out of the Box and into the Guides
    
    2. SECURITY RISKS
         - Multiple Vulnerabilities in Microsoft's BizTalk Server 2002 and
           2000
         - Path Disclosure Vulnerability in Macromedia ColdFusion MX
           Server
         - Script Injection Vulnerability in Opera for Windows JavaScript
           Console
         - Long File Extension Heap Buffer-Overrun Vulnerability in Opera
           for Windows
         - Oracle Database Link Buffer Overflow
    
    3. ANNOUNCEMENTS
         - Windows & .NET Magazine Connections: Win a Florida Vacation
         - Time Is Running Out to Join Our Storage Solutions Road Show!
    
    4. SECURITY ROUNDUP
         - News: Microsoft Releases Win2K Hardening Guide
         - News: Continued Windows 2003 Documentation Push Focuses on
           Security
         - News: New eBook Helps Administrators and Programmers Secure IIS
         - News: Microsoft and Sanctum Host Secure Programming Webinar
    
    5. SECURITY TOOLKIT
         - Virus Center
         - FAQ: Are There Any Circumstances Under Which Win2K Still Uses
           NTLM?
    
    6. NEW AND IMPROVED
         - Lure Attackers with a Honeypot
         - Centralize Your Security Policy Management
         - Submit Top Product Ideas
    
    7. HOT THREAD
         - Windows & .NET Magazine Online Forums
             - Featured Thread: Does Windows Use Default Values If a
               Registry Key Isn't Present?
    
    8. CONTACT US
       See this section for a list of ways to contact us.
    
    ~~~~~~~~~~~~~~~~~~~~
    
    1. ==== IN FOCUS ====
       (contributed by Mark Joseph Edwards, News Editor,
    markat_private)
    
    * SECURITY: OUT OF THE BOX AND INTO THE GUIDES
    
    As you know, Microsoft recently launched Windows Server 2003. One
    significant aspect of the new OS is Microsoft's pledge of better
    security. As history has shown, rushing a new OS out the door to eager
    users complete with all the bells and whistles blowing loudly isn't
    the best practice. Microsoft has taken longer than usual to develop
    this new OS, especially in regard to security. So when you deploy it,
    you'll find that rather than having loads of features turned on by
    default, the OS has many features that you must intentionally enable.
    
    Even when you enable features such as Microsoft Internet Information
    Services (IIS) 6.0, you might find that they install with minimum
    functionality enabled. Security professionals will prefer this
    approach, but it doesn't address the larger question of how to
    reasonably open up functionality while maintaining adequate security
    levels.
    
    To help you balance functionality and security in your Windows 2003
    environment, Microsoft has released an extensive security guide.
    Microsoft designed the guide to help you deploy Windows 2003
    effectively while maintaining adequate security in three basic
    environments: a legacy client environment, an enterprise environment,
    and a high-security environment.
    
    The "Windows Server 2003 Security Guide" contains 12 chapters.
    Chapters 2 through 12 deal directly with configuring various network
    elements and their associated systems. They help you configure domain
    infrastructure, create baseline security for member servers, and
    harden several system elements: domain controllers (DCs) and
    infrastructure servers, file servers and print servers, IIS and
    Internet Authentication Server (IAS), Certificate Services Servers
    (CSSs), and bastion hosts.
    
    All told, the security guide contains 290 pages of highly useful
    recommendations. In addition to the main guide, you'll find delivery
    guides (3), checklists (10), scripts (8), and templates (25) to help
    you further secure your Windows 2003 environment.
    
    Microsoft recommends that those charged with deploying and securing
    Windows 2003 and Windows XP in an enterprise have MCSE 2000
    certification, 2 or more years of security-related experience,
    in-depth knowledge of Active Directory (AD), and experience with these
    features and functions: Microsoft Management Console (MMC) and other
    tools, Group Policy administration, and workstation and application
    deployment in enterprise environments.
    
    If you're considering using the security guide and wonder how
    Microsoft arrived at the security recommendations, refer to the
    "Testing Windows Server 2003 Security Guide" documentation included in
    the overall security guide package. The documentation outlines how
    Microsoft configured and tested the three basic network environments
    (legacy, enterprise, and high security) to ensure that the guide's
    recommendations are both accurate and adequate.
    
    The test documentation explains, chapter by chapter, the steps
    Microsoft took to test the guide's recommendations. Microsoft also
    used a third party to perform extensive penetration testing against
    the enterprise and high-security environments. After several weeks of
    testing, the servers remained secure. Microsoft notes one
    vulnerability, however: Where brute-force attacks can expose user
    passwords, intruders might be able to intercept Kerberos network
    traffic. According to Microsoft, to mitigate this vulnerability, you
    can use complex user passwords or IP Security (IPSec) to encrypt
    network traffic. The guide recommends strong user passwords.
    
    Obviously, the guide can't guarantee that Windows 2003 users won't
    encounter security problems. Nevertheless, if you follow the guide's
    advice, you'll be less likely to find your systems compromised.
    Microsoft's third-party testing helps assure that much.
    
    If you still wonder about various threats and possible
    countermeasures, you can find additional security help. Microsoft has
    released "Threats and Countermeasures: Security Settings in Windows
    Server 2003 and Windows XP." This guide describes threats and potential
    countermeasures in detail--and discusses how deploying the recommended
    configuration settings affects users.
    
    The 287-page threat guide also discusses domain level and audit
    policies, user rights assignments, security options, event logs,
    system services, software restriction policies, administrative
    templates, additional registry settings, and additional procedures for
    hardening member servers.
    
    So--with the new OS, Microsoft offers two guides full of
    security-related configuration recommendations. Microsoft hopes you'll
    use this information to secure your Windows 2003 network environment.
    If you wonder whether your company can benefit from Windows 2003's
    strengthened security, review the guides to gain insight.
    
    If you use the security guides, send me an email message about their
    usefulness. I want to know how they work for you and whether you found
    significant problems when you used them in your network environment.
    
    You can download the new guides from Microsoft's Web site. You can
    also link to them from Paul Thurrott's news story, "Continued Windows
    2003 Documentation Push Focuses on Security," in this issue of the
    newsletter.
       http://www.secadministrator.com/articles/index.cfm?articleid=38837
    
    ~~~~~~~~~~~~~~~~~~~~
    
    2. ==== SECURITY RISKS ====
       (contributed by Ken Pfeil, kenat_private)
    
    * MULTIPLE VULNERABILITIES IN MICROSOFT'S BIZTALK SERVER 2002 AND 2000
       Two new vulnerabilities exist in Microsoft BizTalk Server 2002 and
    BizTalk Server 2000, one of which can result in the execution of
    arbitrary code on the vulnerable system. The second vulnerability is a
    Microsoft SQL injection vulnerability in some of the pages that
    BizTalk 2002 and BizTalk 2000's Document Tracking and Administration
    (DTA) uses. Microsoft has released Security Bulletin MS03-016
    (Cumulative Patch for BizTalk Server) to address these vulnerabilities
    and recommends that affected users immediately apply the appropriate
    patch mentioned in the bulletin.
       http://www.secadministrator.com/articles/index.cfm?articleid=38855
    
    * PATH DISCLOSURE VULNERABILITY IN MACROMEDIA COLDFUSION MX SERVER
       A vulnerability in Macromedia ColdFusion MX Server's default
    installation can result in the inadvertent disclosure of the physical
    path of the server installation. In a default installation, the Enable
    Robust Exception Information setting is enabled under Debugging
    Settings. According to Macromedia, you should clear this setting on
    production systems.
       http://www.secadministrator.com/articles/index.cfm?articleid=38848
    
    * SCRIPT INJECTION VULNERABILITY IN OPERA FOR WINDOWS JAVASCRIPT
    CONSOLE
       A vulnerability in Opera for Windows can result in the execution of
    an arbitrary script in the Local Computer zone. This vulnerability is
    a result of code in Opera 7.x's console.html file that doesn't
    sanitize the single quotation mark. The flaw permits a malicious
    intruder to inject an arbitrary script into the link on the Microsoft
    JavaScript console. Opera has yet to respond to this problem.
       http://www.secadministrator.com/articles/index.cfm?articleid=38849
    
    * LONG FILE EXTENSION HEAP BUFFER-OVERRUN VULNERABILITY IN OPERA FOR
    WINDOWS
       Several versions of Opera for Windows contain a Denial of Service
    (DoS) condition. The condition results from an unchecked buffer on the
    heap and Opera's failure to check the length of a filename. Opera has
    yet to respond to this problem.
       http://www.secadministrator.com/articles/index.cfm?articleid=38850
    
    * ORACLE DATABASE LINK BUFFER OVERFLOW
       The Oracle database server contains a buffer-overflow condition. To
    exploit the condition, a malicious user can provide a long parameter
    for a connect string with the CREATE DATABASE LINK query. Oracle has
    released a patch to correct the problem.
       http://www.secadministrator.com/articles/index.cfm?articleid=38825
    
    3. ==== ANNOUNCEMENTS ====
       (brought to you by Windows & .NET Magazine and its partners)
    
    * WINDOWS & .NET MAGAZINE CONNECTIONS: WIN A FLORIDA VACATION
       Don't miss this exclusive opportunity to learn in person from your
    favorite writers you know and trust. All attendees will receive a free
    1-year subscription to Windows & .NET Magazine plus a chance to win a
    Florida vacation for two. Connections has simply the best lineup of
    technical training for today's Windows IT pro. Conference begins May
    18, so hurry and register now:
       http://list.winnetmag.com/cgi-bin3/DM/y/eQoY0CJgSH0CBw0KXQ0A2
    
    * TIME IS RUNNING OUT TO JOIN OUR STORAGE SOLUTIONS ROAD SHOW!
       Attend the HP & Microsoft Network Storage Solutions Road Show, and
    learn how existing and future storage solutions can save your company
    money--and make your job easier! Attendees have lots of chances to win
    incredible prizes. There is absolutely no fee for this event, but
    space is limited. We've just added Minneapolis to our list of cities,
    so register now!
       http://list.winnetmag.com/cgi-bin3/DM/y/eQoY0CJgSH0CBw07cD0Af
    
    4. ==== SECURITY ROUNDUP ====
    
    * NEWS: MICROSOFT RELEASES WIN2K HARDENING GUIDE
       Microsoft announced the release of a new guide designed to help
    users harden the security of their Windows 2000 systems. The guide
    consists of six chapters, three appendices, and checklists to help
    deploy the measures outlined in the guide. The guide helps configure
    Win2K in a more secure fashion in any of six different server roles.
       http://www.secadministrator.com/articles/index.cfm?articleid=38828
    
    * NEWS: CONTINUED WINDOWS 2003 DOCUMENTATION PUSH FOCUSES ON SECURITY
       Microsoft has issued its voluminous "Windows Server 2003 Security
    Guide," a threats and countermeasures document for Windows 2003 and
    Windows XP, and companion documentation designed to help harden
    Windows 2000 Server and Win2K Professional against attack. According
    to Microsoft, the "Windows Server 2003 Security Guide" focuses on
    providing a set of easy-to-understand guidance, tools, and templates
    to help secure Windows 2003 in many environments.
       http://www.secadministrator.com/articles/index.cfm?articleid=38837
    
    * NEWS: NEW eBOOK HELPS ADMINISTRATORS AND PROGRAMMERS SECURE IIS
       Jason Coombs has released a free eBook, "IIS Security and
    Programming Countermeasures," designed to help administrators and
    programmers better secure their IIS servers.
       http://www.secadministrator.com/articles/index.cfm?articleid=38829
    
    * NEWS: MICROSOFT AND SANCTUM HOST SECURE PROGRAMMING WEBINAR
       Microsoft and Sanctum will present a webinar, "Security Best
    Practices in the .NET Framework Environment," on May 9 at 4:30 P.M.
    Eastern time. Sanctum Chief Technology Officer (CTO) Steve Orrin and
    Microsoft Senior Security Program Manager for the Secure Windows
    Initiative Michael Howard will host the presentation. The two will
    discuss security unit testing in Windows .NET Framework development.
       http://www.secadministrator.com/articles/index.cfm?articleid=38813
    
    5. ==== SECURITY TOOLKIT ====
    
    * VIRUS CENTER
       Panda Software and the Windows & .NET Magazine Network have teamed
    to bring you the Center for Virus Control. Visit the site often to
    remain informed about the latest threats to your system security.
       http://www.secadministrator.com/panda
    
    * FAQ: Are There Any Circumstances Under Which Win2K Still Uses NTLM?
       (contributed by Randy Franklin Smith, rsmithat_private)
    
    A: Yes, Windows 2000 still uses NT LAN Manager (NTLM) rather than
    Kerberos in certain situations. Because NTLM is much more vulnerable
    to eavesdropping and subsequent cracking, you should know the
    circumstances under which Win2K uses NTLM. For Win2K to use Kerberos
    when a user logs on, all computers involved--workstations, domain
    controllers (DCs), and servers--must be Win2K or later and members of
    the same domain or at least the same forest. In addition, the user
    account that's logging on must be an Active Directory (AD) user
    account, not an account in a computer's local SAM or an account from a
    Windows NT domain. For a list of situations in which Win2K uses NTLM,
    be sure to read the rest of the article on our Web site.
       http://www.secadministrator.com/articles/index.cfm?articleid=24670
    
    6. ==== NEW AND IMPROVED ====
       (contributed by Sue Cooper, productsat_private)
    
    * LURE ATTACKERS WITH A HONEYPOT
       KeyFocus released KFSensor, a honeypot-based Intrusion Detection
    System (IDS) that attracts and detects attackers by simulating
    vulnerable system services, Trojan horses, and servers such as Telnet
    and SMTP. This configurable system features detailed logging, attack
    analysis, and security alerts. Because KFSensor isn't activated until
    attacked, it consumes little processor time or network resources and
    doesn't affect usual machine use. KFSensor supports Windows
    XP/2000/NT/Me/98 and costs $149 per user. Contact KeyFocus at
    contactat_private
       http://www.keyfocus.net
    
    * CENTRALIZE YOUR SECURITY POLICY MANAGEMENT
       Pedestal Software announced SecurityExpressions 3.0, an agentless
    system security policy management solution that lets you apply and
    monitor policies the software creates or deploy a policy that security
    or government organizations predefine. SecurityExpressions 3.0
    verifies policy compliance on each server, workstation, and desktop.
    You can then implement fixes to any problems discovered during that
    audit. Features new to this version include a Web console that lets
    others perform an audit without compromising enterprise security, a
    distributed proxy that lets one console scan systems in remote
    locations, and ODBC Reporting that lets you store the scan results in
    a centralized ODBC-compliant database. Pricing is based on the number
    of systems scanned and starts at $495 per server and $30 per desktop.
    Contact Pedestal Software at 617-928-5550 or
    salesat_private
       http://www.pedestalsoftware.com
    
    * SUBMIT TOP PRODUCT IDEAS
       Have you used a product that changed your IT experience by saving
    you time or easing your daily burden? Do you know of a terrific
    product that others should know about? Tell us! We want to write about
    the product in a future What's Hot column. Send your product
    suggestions to whatshotat_private
    
    7. ==== HOT THREAD ====
    
    * WINDOWS & .NET MAGAZINE ONLINE FORUMS
       http://www.winnetmag.com/forums
    
    Featured Thread: Does Windows Use Default Values If a Registry Key
    Isn't Present?
       (Two messages in this thread)
    
    A reader wants to know whether Windows uses a default value if a
    registry key isn't present or is intentionally deleted. For example,
    how does Windows behave if the following registry key is set to zero
    or deleted:
     
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisable8dot3NameCreation
    
    Lend a hand or read the responses:
       http://www.winnetmag.com/forums/rd.cfm?cid=42&tid=58174
    
    8. ==== CONTACT US ====
       Here's how to reach us with your comments and questions:
    
    * ABOUT IN FOCUS -- markat_private
    
    * ABOUT THE NEWSLETTER IN GENERAL -- lettersat_private (please
    mention the newsletter name in the subject line)
    
    * TECHNICAL QUESTIONS -- http://www.winnetmag.com/forums
    
    * PRODUCT NEWS -- productsat_private
    
    * QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer
    Support -- securityupdateat_private
    
    * WANT TO SPONSOR SECURITY UPDATE? emedia_oppsat_private
    
    ********************
       This email newsletter is brought to you by Security Administrator,
    the print newsletter with independent, impartial advice for IT
    administrators securing a Windows 2000/Windows NT enterprise.
    Subscribe today!
       http://www.secadministrator.com/sub.cfm?code=saei25xxup
    
       Receive the latest information about the Windows and .NET topics of
    your choice. Subscribe to our other FREE email newsletters.
       http://www.winnetmag.com/email
    
    |-+-|-+-|-+-|-+-|-+-|
    
    Thank you for reading Security UPDATE.
    
    __________________________________________________________
    Copyright 2003, Penton Media, Inc.
    
    
    