[ISN] Security UPDATE -- Administrator Accounts and Root Kits -- March 9, 2005

From: InfoSec News (isn@private)
Date: Thu Mar 10 2005 - 01:05:40 PST


This email newsletter comes to you free and is supported by the 
following advertisers, which offer products and services in which you 
might be interested. Please take a moment to visit these advertisers' 
Web sites and show your support for Security UPDATE. 

Free util: Scan your site for system slowdowns

SQL Server Magazine


1. In Focus: Administrator Accounts and Root Kits 

2. Security News and Features
   - Recent Security Vulnerabilities
   - Need Information About Internet Explorer 7.0?
   - Deploying Junk Mail Filter Lists in Outlook 2003
   - @stake LC 5

3. Security Toolkit
   - Security Matters Blog
   - Web Chat
   - FAQ
   - Security Forum Featured Thread

4. New and Improved
   - Prevent Unauthorized Network Access


==== Sponsor: Executive Software ====

Free util: Scan your site for system slowdowns
   Disk Performance Analyzer for Networks is a FREE utility that 
remotely checks your systems for performance bottlenecks caused by 
severe disk fragmentation. If not identified promptly, fragmentation 
builds exponentially and causes frustrating slowdowns, random 
crashes, even complete inability to boot. Disk Performance Analyzer 
for Networks zeros in on problem computers, showing you exactly how 
much performance and stability is being lost. Find systems that need 
attention now, BEFORE they become help desk calls! This is a free 
utility, not spyware or adware. Download Disk Performance Analyzer 
for Networks now! 


==== 1. In Focus: Administrator Accounts and Root Kits ====
   by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Last week, I wrote about why you should try not to use administrative 
accounts unless you really need to. Several readers wrote to explain 
various scenarios and problems they've encountered while trying to 
use a nonadministrative account for certain tasks. Some of the 
problems involve using Windows Explorer, running debuggers, creating 
Data Source Names (DSNs), and accessing Control Panel items. 
Obviously, you'll need to log on as the administrator in some 
instances; using RunAs, even with the /netonly switch, might not 
always suffice. 

There are other possible solutions for some problems too. For 
example, the Microsoft Windows resource kits include su.exe, which, 
much like RunAs, starts a program under a different account. Another 
tool, which I've mentioned before, is MakeMeAdmin, written by Aaron 
Margosis at Microsoft. The script adds your account to the local 
Administrators group, uses RunAs to spawn a command shell whose new 
logon token reflects that membership, and then removes your account 
from the group. 

So, effectively, MakeMeAdmin gives you a command shell running with a 
new security token. Because a token is built when a logon session is 
created and isn't reevaluated afterward, that shell keeps its 
administrative rights after your account has been removed from the 
group, and every program you launch from it inherits the same token, 
so close the shell when you're done. You can perform whatever actions 
you need to in the shell. If you also need privileges on the network, 
you can initiate some kind of network access and authenticate by 
using whatever account you prefer. For example, you can map a drive 
by using the command

net use

and specifying, with its /user option, an account with the required 
privileges. Or you can launch Windows Explorer with elevated 
privileges by using its /root switch. You can also launch Control 
Panel applets by simply entering the applet name and extension (.cpl) 
as if it were any other executable program. If you run Microsoft 
Internet Explorer (IE) with elevated privileges, you can use 
Margosis's PrivBar add-on, a toolbar that shows which security level 
your browser is running under. 
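The add, spawn, remove sequence written out as an added illustration. This is 
not Margosis's MakeMeAdmin script and not code from this newsletter; it only 
follows the same pattern. It assumes the Secondary Logon service is running, 
that the script is stored on a path without spaces, and that the logon name 
contains no spaces; the file name mkadmin.cmd and the variable names are my 
own.

```batch
@echo off
setlocal
REM mkadmin.cmd: added illustration of the MakeMeAdmin pattern (not Margosis's script).
REM Assumptions (not from the newsletter): the Secondary Logon service (seclogon) is
REM running, this file lives on a path without spaces, and the logon name has no spaces.
REM Run it from an ordinary, non-admin logon. It prompts first for the local Administrator
REM password and then for the everyday account's own password.

if "%~1"=="helper" goto :helper

set _Admin_=%COMPUTERNAME%\Administrator
set _Group_=Administrators
set _User_=%USERDOMAIN%\%USERNAME%

REM Step 1: rerun this script as the local Administrator. The user and group are passed
REM as arguments because the helper runs in Administrator's environment, where
REM %USERNAME% would expand to "Administrator".
runas /user:%_Admin_% "%~f0 helper %_User_% %_Group_%"
goto :EOF

:helper
set _User_=%~2
set _Group_=%~3

REM Step 2: make the everyday account a member of the local Administrators group.
net localgroup %_Group_% %_User_% /add
if errorlevel 1 (
    echo Could not add %_User_% to %_Group_%. Nothing was changed.
    goto :EOF
)

REM Step 3: create a fresh logon for the everyday account. Group membership is read
REM when the logon session is created, so this process gets a token that carries the
REM Administrators SID. Every program started from this shell inherits that token.
runas /user:%_User_% "cmd.exe /k title %_User_% - Administrators token on %COMPUTERNAME%"

REM Step 4: take the membership away again. runas returns as soon as the new process has
REM started, and removing the membership does not alter tokens that already exist, so the
REM shell from step 3 keeps its rights until it is closed, while any new logon by the
REM same account (a fresh console logon, a scheduled task, another runas) is an ordinary
REM user again.
net localgroup %_Group_% %_User_% /delete
goto :EOF
```

Inside the shell that step 3 opens, the commands the column mentions work as 
usual: net use Z: \\server\share /user:DOMAIN\adminacct authenticates to a 
share with a different account, explorer.exe /root,C:\ opens an elevated 
Explorer window, and typing appwiz.cpl opens the Add or Remove Programs 
applet. Anything launched from that window runs with the Administrators 
token, so close it as soon as the administrative task is finished.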

Another reader wrote to point out that Microsoft has published a 
document that explains some of the problems you can encounter when 
you run applications on the desktop with nonadministrative accounts. 
The article offers tips about how developers can remedy some of those 
problems and offers some insight into how the next release of Windows 
(codenamed Longhorn) will address the matter in more effective ways. 
One change will be a Protected Administrator status, which, if I 
understand correctly, will allow a user to use an administrator 
account but with the fewest privileges necessary for a given task. 

Another topic I want to discuss this week is root kits, which as you 
know, can be a real problem: once installed, a root kit hides its 
files, processes, and registry entries from the very APIs that 
antivirus scanners and administrative tools rely on. A Microsoft 
Research paper discusses research the company has done regarding ways 
to discover such nuisances. Its approach, a cross-view diff, compares 
what the system reports through its normal APIs with what a scan that 
bypasses those APIs (or a scan run from a clean boot) finds; anything 
present in the low-level view but missing from the API view has been 
hidden. The paper mentions a related tool, Strider GhostBuster, 
developed in the labs, which isn't available to the public.

However, Sysinternals has a root kit discovery tool that you might 
find helpful. The new tool, RootkitRevealer, applies the same idea: it 
compares a high-level scan of the file system and registry with a 
low-level scan of the raw disk and hive data and reports the 
discrepancies. It's still undergoing development, but you can 
download a copy and try it out. Keep in mind that a root kit that 
also intercepts the low-level scan, or a detector run only from inside 
an already compromised system, can be fooled, so treat a reported 
discrepancy as a lead to investigate rather than as proof. 

F-Secure will release a beta version of its new root kit detection 
tool, F-Secure BlackLight Rootkit Elimination Technology, this week. 
You can learn more about that tool in the related article on our Web 


==== Sponsor: SQL Server Magazine ====

Get SQL Server Magazine and Get Answers
   Throughout the year in 2005, SQL Server Magazine is on target to 
deliver comprehensive coverage of all hot industry topics, including 
SQL Server 2005, performance tuning, security, Reporting Services, 
Integration Services, and .NET development. If you aren't already a 
subscriber, now is the time to sign up. You'll get unlimited online 
access to every article ever published in the magazine and you'll get 
30% off the cover price. Don't miss out . . . sign up today: 


==== 2. Security News and Features ====

Recent Security Vulnerabilities
   If you subscribe to this newsletter, you also receive Security 
Alerts, which inform you about recently discovered security 
vulnerabilities. You can also find information about these 
discoveries at

Need Information About Internet Explorer 7.0?
   If you need information about the upcoming Microsoft Internet 
Explorer (IE) 7.0, you can find some tidbits about it on IEBlog, 
which is operated by Microsoft's IE team. 

Deploying Junk Mail Filter Lists in Outlook 2003
   Microsoft released a hotfix for Outlook 2003 late last month for a 
feature that deals with importing junk mail filter lists into Outlook 
2003. This feature lets you use registry values to tell Outlook to 
import the Safe Senders, Safe Recipients, and Blocked Senders lists 
from specific locations and either overwrite the user's existing junk 
mail filter lists or append entries to them. The hotfix makes some 
important changes to the way the feature works.

@stake LC 5
   If you want a terrific password-auditing tool, Jeff Fellinge 
recommends the most recent version of L0phtCrack, @stake LC 5 (@stake 
was recently acquired by Symantec). New features let you remotely 
collect password hashes, schedule scans, score passwords, create 
audit reports, and speed up audits. LC 5 supports most password-
cracking methods and comes in four versions (professional, 
administrator, site, and consultant). 


==== Resources and Events ====

The Must-Attend Event for Securing Your Wireless Deployments
   The Conference on Mobile & Wireless Security delivers on-target, 
need-to-know information on emerging issues and tech trends. 
Featuring first-class keynotes and sessions, an in-depth panel 
discussion, and interactive workshops, you will learn practical 
tactics for overcoming mobile security challenges and real-world 
strategies for maximizing the potential of your wireless devices.

Get Ready for SQL Server 2005 Roadshow in a City Near You
   Get the facts about migrating to SQL Server 2005. SQL Server 
experts will present real-world information about administration, 
development, and business intelligence to help you implement a best-
practices migration to SQL Server 2005 and improve your database 
computing environment. Receive a 1-year membership to PASS and 1-year 
subscription to SQL Server Magazine. Register now!

Windows Connections 2005 Conference
   April 17-20, 2005, Hyatt Regency San Francisco. Microsoft and 
Windows experts present over 40 in-depth sessions with real-world 
solutions you can take back and apply today. Don't miss Mark Minasi's 
entertaining and insightful keynote presentation on "The State of 
Windows" and your chance to win a 7-night Caribbean cruise!

The Essential Guide to Active Directory Management
   Migrating from NDS and/or eDirectory to AD means changes in the 
way you manage your network, users, and network resources. Download 
this Essential Guide to Active Directory Management and learn hands-
on approaches that reduce management complexity, IT workload, and 
costs and improve security--all with minimal impact on your 
organization. Download this guide today.

Discover, Manage, and Archive Information Within Your Exchange 
   Limit your legal exposure and protect corporate information. In 
this free Web seminar, Exchange MVP Paul Robichaux provides an 
overview of general retention and compliance issues, knowledge of 
pitfalls you may encounter when implementing your policy, insight 
into managing mail data for best-efforts compliance, and Exchange's 
built-in archiving and compliance features. Register now!
   http://list.windowsitpro.com/t?ctl=48BD:4FB69


==== Hot Release ====

Managing and Securing IM in the Enterprise: Why It Should Be a Top 
   With instant messaging virtually in all corporate environments, 
and expected to be as prevalent as email in the near future, it has 
rapidly become an indispensable business communication tool. Yet, IM 
growth within the enterprise brings an associated increase in 
security risks to both public and enterprise IM networks. In this 
free white paper, learn how you can take control of IM use on your 
network to ensure security and compliance. You'll learn how to 
protect yourself from Virus & worms attacks, Identity theft, Leakage 
of confidential information and more. Download now!


==== 3. Security Toolkit ==== 

Security Matters Blog 
   by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=48D1:4FB69

Google Hacking: No Longer a Sure Thing for Intruders
   A new honeypot can trap intruders who use Google queries to find 
vulnerable systems. Such intruders typically use search engine 
queries to look for sites whose URLs contain particular words or 
phrases that might indicate that the site is using vulnerable 

Security Event Log Chat
   Randy Franklin Smith is one of the foremost authorities on the 
Windows Security event log and a respected trainer who teaches 
Monterey Technology Group's "Security Log Secrets" course. In his 
article in the March issue of Windows IT Pro magazine, Randy shines 
a light on this dark and mysterious corner of cryptic event IDs and 
codes and inaccurate Microsoft documentation. Here's your chance to 
ask Randy your questions about the Security log and get answers 
Microsoft doesn't provide. Join the chat March 16 at 1:00 P.M. 
Pacific time. For details, visit

FAQ
   by John Savill, http://list.windowsitpro.com/t?ctl=48CD:4FB69 

Q. How can I back up and restore user profiles when deploying a new 
OS via the Microsoft Systems Management Server (SMS) OS Deployment 
Feature Pack? 

Find the answer at

Security Forum Featured Thread: Backup Account Permissions on Windows 
Server 2003
   A forum participant is trying to remove service accounts from 
administrative groups. ARCServe by default puts its account in the 
Administrators and Domain Admins groups. Is there a workaround so 
that that particular account doesn't need to belong to those groups? 
Putting the account in the Backup and Server Operator groups doesn't 
seem to be sufficient. Can a security policy be adjusted to help? 
Join the discussion at


==== Announcements ====
   (from Windows IT Pro and its partners)

Get Windows IT Pro at 44% Off!
   Windows & .NET Magazine is now Windows IT Pro! Act now to get an 
entire year for just $39.95--that's 44% off the cover price! Our 
March issue shows you what you need to know about Windows Server 2003 
SP1, how to get the best out of your IT staff, and how to fight 
spyware. Plus, we review the top 10 features of Mozilla Firefox 1.0. 
This is a limited-time, risk-free offer, so click here now:


==== 4. New and Improved ====
   by Renee Munshi, products@private

Prevent Unauthorized Network Access
   MetaInfo has released SAFE DHCP as a stand-alone product. When a 
computer connects to the network, SAFE DHCP supplies a nonprivileged 
or "quarantined" IP address and checks the machine's identity before 
granting a privileged IP address. Several SAFE DHCP modules are 
available that can perform various identity and other security checks 
(such as checking for viruses or policy compliance). SAFE DHCP was 
previously available only as part of the MetaInfo Meta IP solution. 
For further information, visit

Tell Us About a Hot Product and Get a T-Shirt!
   Have you used a product that changed your IT experience by saving 
you time or easing your daily burden? Tell us about the product, and 
we'll send you a T-shirt if we write about the product in a future 
Windows IT Pro What's Hot column. Send your product suggestions with 
information about how the product has helped you to 

Editor's note: Share Your Security Discoveries and Get $100
   Share your security-related discoveries, comments, or problems and 
solutions in the Security Administrator print newsletter's Reader to 
Reader column. Email your contributions (500 words or less) to 
r2rsecadmin@private If we print your submission, you'll get 
$100. We edit submissions for style, grammar, and length.


==== Contact Us ==== 

About the newsletter -- letters@private
About technical questions -- http://list.windowsitpro.com/t?ctl=48D3:4FB69
About product news -- products@private
About your subscription -- windowsitproupdate@private
About sponsoring Security UPDATE -- emedia_opps@private


This email newsletter is brought to you by Security Administrator,
the leading publication for IT professionals securing the Windows 
enterprise from external intruders and controlling access for 
internal users. Subscribe today.

View the Windows IT Pro privacy policy at

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2005, Penton Media, Inc. All rights reserved.

Bellua Cyber Security Asia 2005 -

This archive was generated by hypermail 2.1.3 : Thu Mar 10 2005 - 03:15:42 PST