Forwarded from: Security UPDATE <Security_UPDATE (at) list.windowsitpro.com>

PLEASE VISIT OUR SPONSORS, WHO BRING YOU SECURITY UPDATE FOR FREE:

Free Brief: Personal HP Workstations = Higher ROI?
http://list.windowsitpro.com/t?ctl=47AA3:57B62BBB09A69279FD45A8336E9B675E

Understanding and Leveraging Code Signing Technologies
http://list.windowsitpro.com/t?ctl=47A94:57B62BBB09A69279FD45A8336E9B675E

esxRanger Professional: Hot Backups for VI3
http://list.windowsitpro.com/t?ctl=47AA2:57B62BBB09A69279FD45A8336E9B675E

=== CONTENTS ===================================================

IN FOCUS: SSTP One Reason to Look Forward to Vista SP1

NEWS AND FEATURES
- Fortify Software Extends Its Reach
- TJX Reveals Big Data Breach
- What's Hot: Readers Recommend the Best Products
- Recent Security Vulnerabilities

GIVE AND TAKE
- Security Matters Blog: 51 Reasons to Patch Your Oracle Applications
- FAQ: Find a User's DN
- From the Forum: TACACS Authentication
- IT Pro of the Month--December 2006 Winner
- Share Your Security Tips

PRODUCTS
- New Endpoint Safety Features
- Wanted: Your Reviews of Products

RESOURCES AND EVENTS

FEATURED WHITE PAPER

ANNOUNCEMENTS

=== SPONSOR: Hewlett-Packard ===================================

Free Brief: Personal HP Workstations = Higher ROI?
Discover why financial services executives get a LOT more out of their IT investments by investing in HP Personal Workstation Technology. Quickly learn how workstations ensure accuracy and security while driving down short and long term operating costs. This quick-read guide is a must read today.
http://list.windowsitpro.com/t?ctl=47AA3:57B62BBB09A69279FD45A8336E9B675E

=== IN FOCUS: SSTP One Reason to Look Forward to Vista SP1 =====
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Sometimes building a VPN can be tedious work, especially when firewalls are involved. There are of course ways to build VPNs that can usually traverse a firewall without the need to configure new rules.
One of the most common methods is to use a Secure Sockets Layer (SSL)-based VPN, which can be made to operate over standard HTTP ports. Microsoft's new VPN technology, Secure Socket Tunneling Protocol (SSTP), does exactly that.

SSTP is an SSL-based client-to-server VPN tunneling protocol designed to make connectivity much easier. The biggest benefit of SSTP is that because it works over standard HTTP ports, SSTP traffic will be able to traverse a network to reach the end-point server even when the client is behind a Network Address Translation (NAT)-enabled network, Web proxy, or reasonably configured firewall that at least allows Web traffic. This will be very helpful, especially for mobile users who find themselves using networks at hotels and conference centers, which sometimes lock down their networks to the point of being unusable except for the most basic needs.

Microsoft has already released Windows Vista to businesses and is set to release the new OS to consumers this week. As you might expect, the company is busy working on Vista Service Pack 1 (SP1), and when that update is released, it will include SSTP. The company also plans to include SSTP in Windows Longhorn Server Beta 3, due sometime in the first half of this year.

Samir Jain, lead programmer for Microsoft's RRAS technology, said that SSTP integrates seamlessly into the OS so that it works through the typical RRAS interfaces. The integration means that you'll get the same types of functionality you're already accustomed to when using RRAS, such as support for Network Access Protection (NAP), support for IPv6, and support for various authentication mechanisms such as smart cards.

The way SSTP works is very similar to the way SSL works in a Web browser, with some added intricacies of course. A client computer connects to an SSTP-enabled server over TCP port 443--the standard SSL port.
After the SSL session is built, the two systems then negotiate a Point-to-Point Protocol (PPP) session, including any required authentication. That's basically all there is to it.

Jain said that you will be able to deploy SSTP on the same server on which an existing L2TP VPN is deployed, and SSTP can share the same server certificate as the L2TP VPN. Because SSTP integrates tightly with RRAS, very little extra configuration will be necessary to implement SSTP.

There are of course downsides to using SSTP. For example, it won't work with Web proxies that require authentication. Another potential downside is that SSTP won't work for establishing site-to-site communication. This disadvantage is probably a minor one because site operators typically have the ability to manage firewalls on their networks, so they can use another method of connectivity. Microsoft could however expand SSTP to work for site-to-site communication in the future. Another downside might be that SSTP won't be supported on Windows XP, but we'll have to wait and see about that. As far as I know, the company hasn't said whether it will make SSTP available for XP systems.

Nevertheless, SSTP will ease the burden faced by many mobile users, and that's a plus. So there's your first reason to look forward to Vista SP1. I'm sure other reasons to look forward to SP1 will come to light as the year progresses.

===

We're launching a new email newsletter! Starting February 1, Vista UPDATE is the twice-monthly resource for all things Vista, from deployment to security to virtual PC and beyond. Even if your company isn't moving to Vista yet, you'll stay current with what's happening in Vista with the help of Karen Forster, author of the "Hey Microsoft!" column in Windows IT Pro magazine. You'll also find desktop and client-side tips and insights from David Chernicoff, info for users from Kathy Ivens, and Ivens's ever-popular Reader Challenge. Client UPDATE subscribers, you don't have to do a thing.
All others, sign up now at
http://list.windowsitpro.com/t?ctl=47A99:57B62BBB09A69279FD45A8336E9B675E
And please whitelist this address to ensure that your new Vista UPDATE isn't mistakenly blocked by antispam software: Vista_Update@private

=== SPONSOR: Thawte ============================================

Understanding and Leveraging Code Signing Technologies
Learn all you need to know about code signing technology, including the goals and benefits of code signing, how code signing works and the underlying cryptographic and security concepts and building blocks.
http://list.windowsitpro.com/t?ctl=47A94:57B62BBB09A69279FD45A8336E9B675E

=== SECURITY NEWS AND FEATURES =================================

Fortify Software Extends Its Reach
Fortify Software announced that it's reached an agreement to acquire certain intellectual property, capital assets, and resources from Secure Software. A spokesperson for Fortify said that the acquisition brings the company an increased customer base, increases its market exposure, and extends its ability to assist customers with the requirements and design phases of the software development lifecycle.
http://list.windowsitpro.com/t?ctl=47A92:57B62BBB09A69279FD45A8336E9B675E

TJX Reveals Big Data Breach
In what is surely one of the many data breaches to come in 2007, The TJX Companies revealed that their customers' private data had been compromised in a security breach. Owner of several retail chains, including T.J. Maxx and Marshalls, TJX said that the company network that handles its credit card, debit card, check, and merchandise return transactions had been broken into.
http://list.windowsitpro.com/t?ctl=47A97:57B62BBB09A69279FD45A8336E9B675E

What's Hot: Readers Recommend the Best Products
Readers write to tell us a bit about some of their favorite products: Barracuda Spam Firewall 300, KeePass Password Safe, and System Information for Windows.
http://list.windowsitpro.com/t?ctl=47A9C:57B62BBB09A69279FD45A8336E9B675E

Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at
http://list.windowsitpro.com/t?ctl=47A93:57B62BBB09A69279FD45A8336E9B675E

=== SPONSOR: Vizioncore ========================================

esxRanger Professional: Hot Backups for VI3
Still don't have a reliable disaster recovery plan in place? Vizioncore's esxRanger Professional supports a sophisticated, yet cost effective DR strategy for your VMware Infrastructure 3 environment. Restoring entire virtual machine images--or just files--is smooth & seamless. Visit
http://list.windowsitpro.com/t?ctl=47AA2:57B62BBB09A69279FD45A8336E9B675E
for a trial download today.

=== GIVE AND TAKE ==============================================

SECURITY MATTERS BLOG: 51 Reasons to Patch Your Oracle Applications
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=47AA0:57B62BBB09A69279FD45A8336E9B675E

Oracle released its first quarterly round of patches for 2007 and it contains a whopping 51 security fixes! Get a link to those fixes in this blog article.
http://list.windowsitpro.com/t?ctl=47A9B:57B62BBB09A69279FD45A8336E9B675E

FAQ: Find a User's DN
by John Savill, http://list.windowsitpro.com/t?ctl=47A9E:57B62BBB09A69279FD45A8336E9B675E

Q: How can I determine the logged-on user's distinguished name (DN)?
Find the answer at
http://list.windowsitpro.com/t?ctl=47A9A:57B62BBB09A69279FD45A8336E9B675E

FROM THE FORUM: TACACS Authentication
A forum participant writes that he receives an "Authentication Failed" message when trying to log on to a Cisco router by using a Terminal Access Controller Access Control System (TACACS) server. The TACACS server log has the message "Authentication session aborted by request from NAS," which is the router. What could be causing the error?
Join the discussion at
http://list.windowsitpro.com/t?ctl=47A8D:57B62BBB09A69279FD45A8336E9B675E

IT PRO OF THE MONTH--December 2006 Winner
Congratulations to Steven Fellwock, who was voted the December 2006 "IT Pro of the Month." Steven successfully improved a logon process by creating a SQL Server database that maintains Active Directory (AD) information. His new logon script never needs modification and is portable--able to run in any AD environment that includes a SQL Server database. To learn more about Steven's solution and to find out how you can become the next "IT Pro of the Month," please visit:
http://list.windowsitpro.com/t?ctl=47AA1:57B62BBB09A69279FD45A8336E9B675E

SHARE YOUR SECURITY TIPS AND GET $100
Share your security-related tips, comments, or problems and solutions in Security Pro VIP's Reader to Reader column. Email your contributions to r2r@private. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

=== PRODUCTS ===================================================
by Renee Munshi, products@private

New Endpoint Safety Features
Safend announced Safend Protector 3.1, which adds data encryption, the blocking of network bridging, and protection from PS/2 hardware keystroke-logging devices to the endpoint security product. The data encryption feature lets administrators require automatic encryption when data is transferred to USB drives and other portable storage devices. The anti-network bridging feature lets you block use of Wi-Fi, Bluetooth, and other protocols while a PC is connected to the wired corporate network. Safend Protector 3.1 adds new protection against PS/2 hardware key loggers to its previous protection against USB hardware key loggers. For more information, go to
http://list.windowsitpro.com/t?ctl=47AA6:57B62BBB09A69279FD45A8336E9B675E

WANTED: your reviews of products you've tested and used in production.
Send your experiences and ratings of products to whatshot@private and get a Best Buy gift certificate.

=== RESOURCES AND EVENTS =======================================

For more security-related resources, visit
http://list.windowsitpro.com/t?ctl=47A9D:57B62BBB09A69279FD45A8336E9B675E

Prevent installation and execution of unauthorized software on the computers on your network. Download this free white paper today for a comparison of different techniques for detecting and preventing unauthorized code. Protect against emerging risks today!
http://list.windowsitpro.com/t?ctl=47A8F:57B62BBB09A69279FD45A8336E9B675E

Learn the essentials about how you can use consolidation and selected technology updates to build an infrastructure that handles change effectively.
http://list.windowsitpro.com/t?ctl=47A91:57B62BBB09A69279FD45A8336E9B675E

You can't control what nature throws at your IT systems, such as floods, hurricanes, and earthquakes. You can't always control what people might do to your systems, either. Download this free eBook and learn to protect your business in the face of both natural and human-made disasters.
http://list.windowsitpro.com/t?ctl=47A90:57B62BBB09A69279FD45A8336E9B675E

=== FEATURED WHITE PAPER =======================================

Combat phishing and pharming: Implement complete protection against complex Internet threats by filtering at multiple points on the gateway and network and at endpoints.
http://list.windowsitpro.com/t?ctl=47A8E:57B62BBB09A69279FD45A8336E9B675E

=== ANNOUNCEMENTS ==============================================

Make Your Mark on the IT Community!
Nominate yourself or a peer to become "IT Pro of the Month." This is your chance to get the recognition you deserve! Winners will receive over $600 in IT resources and be featured in Windows IT Pro. It's easy to enter--we're accepting February nominations now for a limited time!
Submit your nomination today:
http://list.windowsitpro.com/t?ctl=47AA1:57B62BBB09A69279FD45A8336E9B675E

Special Invitation for VIP Access
Become a VIP subscriber and get continuous, inside access to ALL the content published in Windows IT Pro, SQL Server Magazine, Exchange & Outlook Pro VIP, Scripting Pro VIP, and Security Pro VIP. Subscribe now and SAVE $100:
http://list.windowsitpro.com/t?ctl=47A95:57B62BBB09A69279FD45A8336E9B675E

================================================================

Security UPDATE is brought to you by the Windows IT Pro Web site's Security page (first URL below) and Security Pro VIP (second URL below).
http://list.windowsitpro.com/t?ctl=47A9F:57B62BBB09A69279FD45A8336E9B675E
http://list.windowsitpro.com/t?ctl=47AA5:57B62BBB09A69279FD45A8336E9B675E

Subscribe to Security UPDATE at
http://list.windowsitpro.com/t?ctl=47A98:57B62BBB09A69279FD45A8336E9B675E
Be sure to add Security_UPDATE@private to your antispam software's list of allowed senders.

To contact us:
About Security UPDATE content -- letters@private
About technical questions -- http://list.windowsitpro.com/t?ctl=47AA4:57B62BBB09A69279FD45A8336E9B675E
About your product news -- products@private
About your subscription -- windowsitproupdate@private
About sponsoring Security UPDATE -- salesopps@private

View the Windows IT Pro privacy policy at
http://list.windowsitpro.com/t?ctl=47A96:57B62BBB09A69279FD45A8336E9B675E

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2007, Penton Media, Inc. All rights reserved.

_____________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn
This archive was generated by hypermail 2.1.3 : Wed Jan 24 2007 - 23:34:51 PST