Forwarded with permission from: Security UPDATE <Security_UPDATE (at) list.windowsitpro.com>

PLEASE VISIT OUR SPONSORS, WHO BRING YOU SECURITY UPDATE FOR FREE:

Roadmap to Email Archiving and Compliance
http://list.windowsitpro.com/t?ctl=51990:57B62BBB09A692798848BDD6C5A546E6

Guide to SQL Server Backup and Recovery
http://list.windowsitpro.com/t?ctl=5198E:57B62BBB09A692798848BDD6C5A546E6

Beyond the Buzzword: Demystifying Virtualization
http://list.windowsitpro.com/t?ctl=5198F:57B62BBB09A692798848BDD6C5A546E6

=== CONTENTS ===================================================

IN FOCUS: More Help Securing PHP Installations

NEWS AND FEATURES
- Scrub Your Ajax Applications to Remove Security Problems
- Wireless Equivalent Privacy Offers No Privacy
- Top 10 Configuration Mistakes and How to Avoid Them
- Recent Security Vulnerabilities

GIVE AND TAKE
- Security Matters Blog: NGSSoftware on Oracle Forensics
- FAQ: View the Full Network Map in Vista
- From the Forum: Why Does Installing Word on a Server Fix EFS Problems?
- Tell Us About the Products You Love!
- Share Your Security Tips

PRODUCTS
- Enforce Strong Passwords

RESOURCES AND EVENTS

FEATURED WHITE PAPER

ANNOUNCEMENTS

=== SPONSOR: Sherpa Software ===================================

Roadmap to Email Archiving and Compliance
How will compliance regulations affect your IT infrastructure? Help design your retention and retrieval, privacy and security policies to make sure that your organization is compliant. Download the free eBook today!
http://list.windowsitpro.com/t?ctl=51990:57B62BBB09A692798848BDD6C5A546E6

=== IN FOCUS: More Help Securing PHP Installations =============
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

You probably recall the Month of PHP Bugs (MOPB), which I wrote about in March (see the first URL below). By the end of the MOPB, 41 bugs had been published.
Jeff Forristal, a senior research and development engineer at SPI Dynamics, monitored the bug postings, and mid-month he wrote an article that offers a general overview and analysis (at the second URL below).
http://list.windowsitpro.com/t?ctl=51993:57B62BBB09A692798848BDD6C5A546E6
http://list.windowsitpro.com/t?ctl=5198B:57B62BBB09A692798848BDD6C5A546E6

Forristal's article offers some interesting information about the potential impact of the bugs released up to that time. Most notable is that two of the bugs could lead to a serious server security compromise for those who allow third parties to upload and run PHP-based scripts on their servers. Forristal wrote that "Web hosting companies offering PHP hosting services should be really concerned right now."

Last week, Forristal published a second article regarding MOPB, which is available at the URL below. Again he offers some very interesting analysis that gives you plenty of reason to make absolutely certain that you're using the latest version of PHP 4 or 5. While the analysis is very helpful, I found the information in the section "Being proactive with your PHP installation" even more helpful.
http://list.windowsitpro.com/t?ctl=5198A:57B62BBB09A692798848BDD6C5A546E6

In that section, Forristal offers a lengthy list of configuration settings that should be checked. In some cases, you might find that there are a lot of PHP features that your applications don't use and that therefore shouldn't be enabled. You can think of securing your PHP installation as you would any other server hardening process--if you aren't using a component, it shouldn't be enabled on the system.

The next version of PHP 5--PHP 5.2.2--is under development, and Release Candidate 1 (RC1) will have been released into testing by the time you read this, or soon will be. While the final version release date isn't set yet, hopefully it won't be too far in the future.
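To make the "if you aren't using it, don't enable it" rule concrete, here is a small php.ini audit script. It is an added example written for this newsletter archive, not code from Forristal's article or from the PHP project, and the directives it checks (register_globals, allow_url_fopen, allow_url_include, display_errors, expose_php, disable_functions, open_basedir) are this example's own assumed shortlist of commonly unneeded or commonly forgotten settings, not the list from the linked article. The sample php.ini fragments are constructed.

```python
"""Flag PHP features that are enabled in php.ini but are often not needed.

Added example (not the newsletter's or PHP's own code).  The directive lists
below are an assumption for illustration; the authoritative list of settings
to review is in the article linked above.
"""

# Directives that are usually safe to turn Off unless the application
# demonstrably needs them (assumed shortlist for this example).
SHOULD_BE_OFF = {
    "register_globals": "turns request parameters into PHP variables",
    "allow_url_fopen": "lets file functions open remote URLs",
    "allow_url_include": "lets include/require load code from remote URLs",
    "display_errors": "shows paths and internals to visitors",
    "expose_php": "advertises the exact PHP version in HTTP headers",
}

# Directives that should be present with a non-empty value.
SHOULD_BE_SET = {
    "disable_functions": "no functions are disabled; list the ones the app never calls",
    "open_basedir": "scripts may read anything the web server account can",
}

_ON_VALUES = {"on", "1", "true", "yes"}


def parse_php_ini(text):
    """Return {directive: value} from php.ini text.

    Handles ';' comments, [section] headers and double-quoted values;
    directive names are case-insensitive in php.ini, so keys are lowercased.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # ';' starts a comment
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key.lower()] = value.strip('"')
    return settings


def is_on(value):
    """php.ini boolean: On/1/True/Yes count as enabled, anything else as Off."""
    return value.strip().lower() in _ON_VALUES


def audit_php_ini(text):
    """Return a list of (directive, current_value, reason) findings.

    A directive that is missing entirely is reported too, because the
    compiled-in default then applies and should be made explicit.
    """
    settings = parse_php_ini(text)
    findings = []
    for directive, reason in SHOULD_BE_OFF.items():
        if directive not in settings:
            findings.append((directive, "<not set>",
                             "built-in default applies; set it explicitly: " + reason))
        elif is_on(settings[directive]):
            findings.append((directive, settings[directive], reason))
    for directive, reason in SHOULD_BE_SET.items():
        if not settings.get(directive, ""):
            findings.append((directive, settings.get(directive, "<not set>"), reason))
    return findings


# Constructed sample: a php.ini fragment with several features left enabled.
SAMPLE_INI = """\
[PHP]
; engine settings
engine = On
register_globals = Off
allow_url_fopen = On      ; left at the default
allow_url_include = Off
display_errors = "1"
expose_php = On
disable_functions =
open_basedir = "/var/www/app:/tmp"
"""

# Constructed sample: the same fragment after hardening.
HARDENED_INI = """\
register_globals = Off
allow_url_fopen = Off
allow_url_include = Off
display_errors = Off
expose_php = Off
disable_functions = exec,passthru,shell_exec,system
open_basedir = /var/www/app:/tmp
"""

if __name__ == "__main__":
    for directive, value, reason in audit_php_ini(SAMPLE_INI):
        print(f"{directive:20} = {value:12} -> {reason}")
    print("hardened findings:", len(audit_php_ini(HARDENED_INI)))
```

Run it against a copy of the server's php.ini and treat each finding as a question for the application owner ("does anything here open remote URLs?") rather than a verdict; the value of the check is that it forces each enabled feature to be justified, which is exactly the hardening mindset the article recommends.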
When it becomes available, make certain that you upgrade as soon as you can. Unfortunately, there isn't any news as to when a new version of PHP 4 will become available. You can check for news at the PHP.net Web site, and look for future announcements in the php.internals news group at the URL below.
http://list.windowsitpro.com/t?ctl=519A7:57B62BBB09A692798848BDD6C5A546E6

For yet more ways to secure your PHP installation, see my earlier article at the URL below.
http://list.windowsitpro.com/t?ctl=5199C:57B62BBB09A692798848BDD6C5A546E6

=== TechX Interoperability Web site and UPDATE email newsletter:

Do you work in a mixed environment? Visit TechX World (at the first URL below) for information about Windows interoperability. The TechX World community gives you access to interoperability articles that aren't available anywhere else; news, tips, and tricks from interop experts and other users; and forums and blog posts by other community members. Join the TechX World community and sign up for the TechX Interoperability UPDATE email newsletter (at the second URL below).
http://list.windowsitpro.com/t?ctl=519A9:57B62BBB09A692798848BDD6C5A546E6
http://list.windowsitpro.com/t?ctl=519A5:57B62BBB09A692798848BDD6C5A546E6

=== SPONSOR: Idera =============================================

Guide to SQL Server Backup and Recovery
Maximize uptime by using four high-availability technologies that are provided by SQL Server 2005: failover clustering, database mirroring, log shipping and replication. Download this essential guide now and learn to optimize your SQL Server backup and recovery with technologies you already have.
http://list.windowsitpro.com/t?ctl=5198E:57B62BBB09A692798848BDD6C5A546E6

=== SECURITY NEWS AND FEATURES =================================

Scrub Your Ajax Applications to Remove Security Problems
Fortify Software recently released an advisory that discusses what it calls "a new class of vulnerability: JavaScript Hijacking" that can affect Web applications written in Asynchronous JavaScript and XML (Ajax).
http://list.windowsitpro.com/t?ctl=51998:57B62BBB09A692798848BDD6C5A546E6

Wireless Equivalent Privacy Offers No Privacy
WEP is even less secure than originally thought. New methods can crack the encryption in a matter of minutes.
http://list.windowsitpro.com/t?ctl=5199A:57B62BBB09A692798848BDD6C5A546E6

Top 10 Configuration Mistakes and How to Avoid Them
Blake Eno recently spoke with Configuresoft's Technology Strategist, George Gerchow, and Vice President of Marketing, Andrew Byrd, about the top 10 configuration mistakes most commonly made and how to avoid them. Get a rundown in this article on our Web site.
http://list.windowsitpro.com/t?ctl=5199B:57B62BBB09A692798848BDD6C5A546E6

Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at
http://list.windowsitpro.com/t?ctl=51992:57B62BBB09A692798848BDD6C5A546E6

=== SPONSOR: HP ================================================

Beyond the Buzzword: Demystifying Virtualization
Total Cost of Ownership--TCO--It's every executive's favorite buzzword, but what does it really mean and how does it affect you? In this podcast, Ben Smith explains how your organization can use virtualization technology to measurably improve the TCO for servers and clients.
http://list.windowsitpro.com/t?ctl=5198F:57B62BBB09A692798848BDD6C5A546E6

=== GIVE AND TAKE ==============================================

SECURITY MATTERS BLOG: NGSSoftware on Oracle Forensics
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=519A3:57B62BBB09A692798848BDD6C5A546E6
If you use Oracle database server, you'll probably find these three new papers from Next Generation Security Software (NGSSoftware)'s Databasesecurity.com Web site very useful.
http://list.windowsitpro.com/t?ctl=5199E:57B62BBB09A692798848BDD6C5A546E6

FAQ: View the Full Network Map in Vista
by John Savill, http://list.windowsitpro.com/t?ctl=519A0:57B62BBB09A692798848BDD6C5A546E6
Q: How do I enable the "Full Network Map" in Windows Vista when the machine is part of a domain?
Find the answer at http://list.windowsitpro.com/t?ctl=5199D:57B62BBB09A692798848BDD6C5A546E6

FROM THE FORUM: Why Does Installing Word on a Server Fix EFS Problems?
A forum participant writes that he has two computers running Windows XP Professional SP2. They access Encrypting File System (EFS)-encrypted files on a Windows Server 2003 computer, which happens to be the domain controller (DC). Several types of files are encrypted, including .doc, .xls, .pdf, other Adobe Systems file types, and .txt. Everything worked fine except that users received an error message when they tried to save a Word file, even one they just created. The forum participant installed Word on the server, and the problem went away. However, the participant notes that Excel, for example, is not on the server, and Excel operations work fine. The participant wonders if this is a known issue and if there's a better way of fixing the problem.
http://list.windowsitpro.com/t?ctl=5198C:57B62BBB09A692798848BDD6C5A546E6

TELL US ABOUT THE PRODUCTS YOU LOVE!
What products are you using that save you time or make your workload a little lighter? What hot product discoveries have you made that other IT pros need to know about?
Let the world know about your experiences in Windows IT Pro's monthly What's Hot department. If we publish your story in What's Hot, we'll send you a Best Buy gift card! Send information about your favorite product and how it has helped you to whatshot@private

SHARE YOUR SECURITY TIPS AND GET $100
Share your security-related tips, comments, or problems and solutions in Security Pro VIP's Reader to Reader column. Email your contributions to r2r@private If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

=== PRODUCTS ===================================================
by Renee Munshi, products@private

Enforce Strong Passwords
Altus Network Solutions offers Passfilt Pro 3.54, a password filtering and policy enforcement solution that lets you maintain as many as six password policies in one Windows domain. A new client component provides password requirements specific to the end user, gauges password strength as the user types a new password, and if the password doesn't meet the requirements, gives the user the reasons for failure. Passfilt Pro is controlled by Group Policy Objects (GPOs); it doesn't require a separate password policy server. Passfilt Pro compares a proposed password against a multilanguage dictionary of more than 2 million common passwords and rejects any proposed passwords that are in the dictionary. For more information, go to
http://list.windowsitpro.com/t?ctl=519A1:57B62BBB09A692798848BDD6C5A546E6

=== RESOURCES AND EVENTS =======================================

For more security-related resources, visit
http://list.windowsitpro.com/t?ctl=5199F:57B62BBB09A692798848BDD6C5A546E6

Windows + UNIX/Linux = You Need TechX World!
If you work in an environment that includes both Windows and UNIX or Linux, TechX World is the place to go for practical strategies and resources to add to your toolkit.
This one-day technical training event will teach you how to make the most of open-source tools on Windows and how to manage and sync multiple directories. Register today!
http://list.windowsitpro.com/t?ctl=51999:57B62BBB09A692798848BDD6C5A546E6

Get Ready for the Windows Server Longhorn Roadshow!
Seize control of your Windows infrastructure with Microsoft's biggest server release since Windows 2003. Get a live, under-the-hood look at Longhorn virtualization, deployment, Web services, and breakthroughs in core reliability. This one-day event is filled with demonstrations and in-depth discussions designed for IT pros who want a deep understanding of Windows Server Longhorn.
http://list.windowsitpro.com/t?ctl=51996:57B62BBB09A692798848BDD6C5A546E6

Deploy Exchange Server 2007 Without a Hitch!
This one-day technical training event teaches you how to preempt pitfalls and avoid corrupting your email infrastructure. Learn how to effectively install, manage, and secure Exchange Server 2007 in a 64-bit environment. You'll also get a peek into the integration of Outlook, SharePoint Server 2007, and Exchange Server 2007. Register today!
http://list.windowsitpro.com/t?ctl=51991:57B62BBB09A692798848BDD6C5A546E6

=== FEATURED WHITE PAPER =======================================

Do you want to block unwanted or undesirable email? Download this free white paper to learn how to manage the content of messages traversing your network.
http://list.windowsitpro.com/t?ctl=5198D:57B62BBB09A692798848BDD6C5A546E6

=== ANNOUNCEMENTS ==============================================

Introducing a Unique Security Resource
Security Pro VIP is an online information center that delivers new articles every week on topics such as perimeter security, authentication, and system patches. Subscribers also receive tips, cautionary advice, direct access to our editors, and a host of other benefits! Order now at an exclusive charter rate and save up to $50!
http://list.windowsitpro.com/t?ctl=51994:57B62BBB09A692798848BDD6C5A546E6

Grab Your Share of the Spotlight!
Nominate yourself or a peer to become IT Pro of the Month. This is your chance to get the recognition you deserve! Winners will receive over $600 in IT resources and be featured in Windows IT Pro. It's easy to enter--we're accepting June nominations now, but only for a limited time! Submit your nomination today:
http://list.windowsitpro.com/t?ctl=519A4:57B62BBB09A692798848BDD6C5A546E6

================================================================

Security UPDATE is brought to you by the Windows IT Pro Web site's Security page (first URL below) and Security Pro VIP (second URL below).
http://list.windowsitpro.com/t?ctl=519A2:57B62BBB09A692798848BDD6C5A546E6
http://list.windowsitpro.com/t?ctl=519A8:57B62BBB09A692798848BDD6C5A546E6

Subscribe to Security UPDATE at
http://list.windowsitpro.com/t?ctl=51997:57B62BBB09A692798848BDD6C5A546E6

Be sure to add Security_UPDATE@private to your antispam software's list of allowed senders.

To contact us:
About Security UPDATE content -- letters@private
About technical questions -- http://list.windowsitpro.com/t?ctl=519A6:57B62BBB09A692798848BDD6C5A546E6
About your product news -- products@private
About your subscription -- windowsitproupdate@private
About sponsoring Security UPDATE -- salesopps@private

View the Windows IT Pro privacy policy at
http://list.windowsitpro.com/t?ctl=51995:57B62BBB09A692798848BDD6C5A546E6

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2007, Penton Media, Inc. All rights reserved.

__________________________
Subscribe to InfoSec News
http://www.infosecnews.org
This archive was generated by hypermail 2.1.3 : Wed Apr 11 2007 - 23:18:03 PDT