[ISN] SSTP One Reason to Look Forward to Vista SP1

From: InfoSec News (alerts@private)
Date: Wed Jan 24 2007 - 23:25:44 PST

Forwarded from: Security UPDATE <Security_UPDATE (at) list.windowsitpro.com>


=== CONTENTS ===================================================

IN FOCUS: SSTP One Reason to Look Forward to Vista SP1

   - Fortify Software Extends Its Reach 
   - TJX Reveals Big Data Breach
   - What's Hot: Readers Recommend the Best Products
   - Recent Security Vulnerabilities

   - Security Matters Blog: 51 Reasons to Patch Your Oracle 
   - FAQ: Find a User's DN
   - From the Forum: TACACS Authentication
   - IT Pro of the Month--December 2006 Winner
   - Share Your Security Tips

   - New Endpoint Safety Features
   - Wanted: Your Reviews of Products 




=== SPONSOR: Hewlett-Packard ===================================

Free Brief: Personal HP Workstations = Higher ROI?
   Discover why financial services executives get a LOT more out of 
their IT investments by investing in HP Personal Workstation 
Technology. Quickly learn how workstations ensure accuracy and security 
while driving down short and long term operating costs. This quick-read 
guide is a must read today.

=== IN FOCUS: SSTP One Reason to Look Forward to Vista SP1 =====
   by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Sometimes building a VPN can be tedious work, especially when firewalls 
are involved. There are of course ways to build VPNs that can usually 
traverse a firewall without the need to configure new rules. One of the 
most common methods is to use a Secure Sockets Layer (SSL)-based VPN, 
which can be made to operate over standard HTTP ports. 

Microsoft's new VPN technology, Secure Socket Tunneling Protocol 
(SSTP), does exactly that. SSTP is an SSL-based client-to-server VPN 
tunneling protocol designed to make connectivity much easier. 

The biggest benefit of SSTP is that because it works over standard HTTP 
ports, SSTP traffic will be able to traverse a network to reach the 
end-point server even when the client is behind a Network Address 
Translation (NAT)-enabled network, Web proxy, or reasonably configured 
firewall that at least allows Web traffic. This will be very helpful, 
especially for mobile users who find themselves using networks at 
hotels and conference centers, which sometimes lock down their networks 
to the point of being unusable except for the most basic needs. 

Microsoft has already released Windows Vista to businesses and is set 
to release the new OS to consumers this week. As you might expect, the 
company is busy working on Vista Service Pack 1 (SP1), and when that 
update is released, it will include SSTP. The company also plans to 
include SSTP in Windows Longhorn Server Beta 3, due sometime in the 
first half of this year.

Samir Jain, lead programmer for Microsoft's RRAS technology, said that 
SSTP integrates seamlessly into the OS so that it works through the 
typical RRAS interfaces. The integration means that you'll get the same 
types of functionality you're already accustomed to when using RRAS, 
such as support for Network Access Protection (NAP), support for IPv6, 
and support for various authentication mechanisms such as smart cards. 

The way SSTP works is very similar to the way SSL works in a Web 
browser, with some added intricacies of course. A client computer 
connects to an SSTP-enabled server over TCP port 443--the standard SSL 
port. After the SSL session is built, the two systems then negotiate a 
Point-to-Point Protocol (PPP) session, including any required 
authentication. That's basically all there is to it. 
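
Added example, not part of the original newsletter: a minimal Python parser for the SSTP framing that runs inside the SSL session on port 443, showing the control message that requests PPP followed by a data packet carrying a PPP frame. The field layouts and constants are assumed from Microsoft's published [MS-SSTP] specification rather than this article, and the sample bytes are constructed.

```python
import struct

# Framing constants are taken from Microsoft's published [MS-SSTP]
# specification; they do not appear in the newsletter text.
SSTP_VERSION = 0x10
MSG_TYPES = {1: "CALL_CONNECT_REQUEST", 2: "CALL_CONNECT_ACK",
             3: "CALL_CONNECT_NAK", 4: "CALL_CONNECTED", 5: "CALL_ABORT"}
ATTR_ENCAPSULATED_PROTOCOL_ID = 0x01   # value 0x0001 means PPP

def parse_control(body):
    """Decode message type and attributes of one SSTP control message."""
    if len(body) < 4:
        raise ValueError("truncated control message")
    msg_type, n_attrs = struct.unpack_from("!HH", body, 0)
    attrs, off = {}, 4
    for _ in range(n_attrs):
        if len(body) - off < 4:
            raise ValueError("truncated attribute")
        _reserved, attr_id, alen = struct.unpack_from("!BBH", body, off)
        alen &= 0x0FFF                  # top 4 bits are reserved
        if alen < 4 or off + alen > len(body):
            raise ValueError("bad attribute length")
        attrs[attr_id] = body[off + 4:off + alen]
        off += alen
    return {"kind": "control", "type": MSG_TYPES.get(msg_type, hex(msg_type)),
            "attrs": attrs}

def parse_sstp(stream):
    """Split a decrypted (post-SSL) byte stream into SSTP packets."""
    packets, off = [], 0
    while off < len(stream):
        if len(stream) - off < 4:
            raise ValueError("truncated SSTP header")
        version, flags, length = struct.unpack_from("!BBH", stream, off)
        length &= 0x0FFF                # 12-bit length covers header + body
        if version != SSTP_VERSION:
            raise ValueError("unexpected version 0x%02x" % version)
        if length < 4 or off + length > len(stream):
            raise ValueError("bad length field")
        body = stream[off + 4:off + length]
        # Low bit of byte 2 marks a control message; else the body is a PPP frame.
        packets.append(parse_control(body) if flags & 0x01
                       else {"kind": "data", "ppp": body})
        off += length
    return packets

# Constructed sample: a Call Connect Request asking for PPP, followed by a
# data packet carrying a PPP LCP Configure-Request (protocol 0xC021).
SAMPLE = bytes.fromhex("1001000e00010001000100060001" "1000000ac02101010004")
```

Run over the decrypted stream at an SSL-inspecting proxy, a parse that succeeds and begins with CALL_CONNECT_REQUEST distinguishes an SSTP tunnel from ordinary Web traffic on port 443.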

Jain said that you will be able to deploy SSTP on the same server on 
which an existing L2TP VPN is deployed, and SSTP can share the same 
server certificate as the L2TP VPN. Because SSTP integrates tightly 
with RRAS, very little extra configuration will be necessary to 
implement SSTP. 

There are of course downsides to using SSTP. For example, it won't work 
with Web proxies that require authentication. Another potential 
downside is that SSTP won't work for establishing site-to-site 
communication. This disadvantage is probably a minor one because site 
operators typically have the ability to manage firewalls on their 
networks, so they can use another method of connectivity. Microsoft 
could however expand SSTP to work for site-to-site communication in the 
future. Another downside might be that SSTP won't be supported on 
Windows XP, but we'll have to wait and see about that. As far as I 
know, the company hasn't said whether it will make SSTP available for 
XP systems.

Nevertheless, SSTP will ease the burden faced by many mobile users, and 
that's a plus. So there's your first reason to look forward to Vista 
SP1. I'm sure other reasons to look forward to SP1 will come to light 
as the year progresses. 


We're launching a new email newsletter! Starting February 1, Vista 
UPDATE is the twice-monthly resource for all things Vista, from 
deployment to security to virtual PC and beyond. Even if your company 
isn't moving to Vista yet, you'll stay current with what's happening in 
Vista with the help of Karen Forster, author of the "Hey Microsoft!" 
column in Windows IT Pro magazine. You'll also find desktop and client-
side tips and insights from David Chernicoff, info for users from Kathy 
Ivens, and Ivens's ever-popular Reader Challenge.
   Client UPDATE subscribers, you don't have to do a thing. All others, 
sign up now at http://list.windowsitpro.com/t?ctl=47A99:57B62BBB09A69279FD45A8336E9B675E
   And please whitelist this address to ensure that your new Vista 
UPDATE isn't mistakenly blocked by antispam software: 

=== SPONSOR: Thawte ============================================

Understanding and Leveraging Code Signing Technologies
   Learn all you need to know about code signing technology, including 
the goals and benefits of code signing, how code signing works and the 
underlying cryptographic and security concepts and building blocks.

=== SECURITY NEWS AND FEATURES =================================

Fortify Software Extends Its Reach
   Fortify Software announced that it's reached an agreement to acquire 
certain intellectual property, capital assets, and resources from 
Secure Software. A spokesperson for Fortify said that the acquisition 
brings the company an increased customer base, increases its market 
exposure, and extends its ability to assist customers with the 
requirements and design phases of the software development lifecycle. 

TJX Reveals Big Data Breach
   In what is surely one of the many data breaches to come in 2007, The 
TJX Companies revealed that their customers' private data had been 
compromised in a security breach. Owner of several retail chains, 
including T.J. Maxx and Marshalls, TJX said that the company network 
that handles its credit card, debit card, check, and merchandise return 
transactions had been broken into.

What's Hot: Readers Recommend the Best Products
   Readers write to tell us a bit about some of their favorite 
products: Barracuda Spam Firewall 300, KeePass Password Safe, and 
System Information for Windows. 

Recent Security Vulnerabilities
   If you subscribe to this newsletter, you also receive Security 
Alerts, which inform you about recently discovered security 
vulnerabilities. You can also find information about these 
discoveries at

=== SPONSOR: Vizioncore ========================================

esxRanger Professional: Hot Backups for VI3
   Still don't have a reliable disaster recovery plan in place?
   Vizioncore's esxRanger Professional supports a sophisticated, yet 
cost effective DR strategy for your VMware Infrastructure 3 
environment. Restoring entire virtual machine images--or just files--
is smooth & seamless. Visit http://list.windowsitpro.com/t?ctl=47AA2:57B62BBB09A69279FD45A8336E9B675E
for a trial download today.

=== GIVE AND TAKE ==============================================

SECURITY MATTERS BLOG: 51 Reasons to Patch Your Oracle Applications
   by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=47AA0:57B62BBB09A69279FD45A8336E9B675E

Oracle released its first quarterly round of patches for 2007 and it 
contains a whopping 51 security fixes! Get a link to those fixes in 
this blog article. 

FAQ: Find a User's DN
   by John Savill, http://list.windowsitpro.com/t?ctl=47A9E:57B62BBB09A69279FD45A8336E9B675E 

Q: How can I determine the logged-on user's distinguished name (DN)?

Find the answer at

FROM THE FORUM: TACACS Authentication
   A forum participant writes that he receives an "Authentication 
Failed" message when trying to log on to a Cisco router by using a 
Terminal Access Controller Access Control System (TACACS) server. The 
TACACS server log has the message "Authentication session aborted by 
request from NAS," which is the router. What could be causing the 
error? Join the discussion at

IT PRO OF THE MONTH--December 2006 Winner
   Congratulations to Steven Fellwock, who was voted the December 2006 
"IT Pro of the Month." Steven successfully improved a logon process by 
creating a SQL Server database that maintains Active Directory (AD) 
information. His new logon script never needs modification and is 
portable--able to run in any AD environment that includes a SQL Server 
database. To learn more about Steven's solution and to find out how you 
can become the next "IT Pro of the Month," please visit:

SHARE YOUR SECURITY TIPS
   Share your security-related tips, comments, or problems and 
solutions in Security Pro VIP's Reader to Reader column. Email your 
contributions to r2r@private. If we print your submission, 
you'll get $100. We edit submissions for style, grammar, and length.

=== PRODUCTS ===================================================
   by Renee Munshi, products@private

New Endpoint Safety Features
   Safend announced Safend Protector 3.1, which adds data encryption, 
the blocking of network bridging, and protection from PS/2 hardware 
keystroke-logging devices to the endpoint security product. The data 
encryption feature lets administrators require automatic encryption 
when data is transferred to USB drives and other portable storage 
devices. The anti-network bridging feature lets you block use of Wi-Fi, 
Bluetooth, and other protocols while a PC is connected to the wired 
corporate network. Safend Protector 3.1 adds new protection against 
PS/2 hardware key loggers to its previous protection against USB 
hardware key loggers. For more information, go to

WANTED: your reviews of products you've tested and used in 
production. Send your experiences and ratings of products to 
whatshot@private and get a Best Buy gift certificate.

=== RESOURCES AND EVENTS =======================================
   For more security-related resources, visit

Prevent installation and execution of unauthorized software on the 
computers on your network. Download this free white paper today for a 
comparison of different techniques for detecting and preventing 
unauthorized code. Protect against emerging risks today! 

Learn the essentials about how you can use consolidation and selected 
technology updates to build an infrastructure that handles change 

You can't control what nature throws at your IT systems, such as 
floods, hurricanes, and earthquakes. You can't always control what 
people might do to your systems, either. Download this free eBook and 
learn to protect your business in the face of both natural and human-
made disasters. 

=== FEATURED WHITE PAPER =======================================

Combat phishing and pharming: Implement complete protection against 
complex Internet threats by filtering at multiple points on the gateway 
and network and at endpoints. 

=== ANNOUNCEMENTS ==============================================

Make Your Mark on the IT Community!  
   Nominate yourself or a peer to become "IT Pro of the Month." This is 
your chance to get the recognition you deserve! Winners will receive 
over $600 in IT resources and be featured in Windows IT Pro. It's easy 
to enter--we're accepting February nominations now for a limited time! 
Submit your nomination today: 

Special Invitation for VIP Access 
   Become a VIP subscriber and get continuous, inside access to ALL the 
content published in Windows IT Pro, SQL Server Magazine, Exchange & 
Outlook Pro VIP, Scripting Pro VIP, and Security Pro VIP. Subscribe now 
and SAVE $100:  


Security UPDATE is brought to you by the Windows IT Pro Web site's 
Security page (first URL below) and Security Pro VIP (second URL 

Subscribe to Security UPDATE at

Be sure to add Security_UPDATE@private 
to your antispam software's list of allowed senders.

To contact us: 
   About Security UPDATE content -- letters@private
   About technical questions -- http://list.windowsitpro.com/t?ctl=47AA4:57B62BBB09A69279FD45A8336E9B675E
   About your product news -- products@private
   About your subscription -- windowsitproupdate@private
   About sponsoring Security UPDATE -- salesopps@private

View the Windows IT Pro privacy policy at

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2007, Penton Media, Inc. All rights reserved.
