Security UPDATE, Web exclusive March 12, 2003

1. IN FOCUS

(contributed by Mark Joseph Edwards, News Editor, mark@ntsecurity.net)

* CONCISE SECURITY KNOWLEDGE AVAILABLE ONLINE

If you're looking for help securing Windows Server 2003, Windows 2000 Server, Microsoft SQL Server, Microsoft Exchange Server, and other related technologies, several online sources of information can assist you. Some of the resources I discuss are chapters excerpted from books, and others are entire books available online for free.

Last week, Erik Birkholz announced that a discussion among colleagues at the recent Black Hat Windows Security 2003 conference convinced him to release a chapter from the upcoming book "Special Ops: Host and Network Security for Microsoft, UNIX, and Oracle," a book that he developed with the help of several knowledgeable authors. Birkholz released Chip Andrews' Chapter 12, "Attacking and Defending the Microsoft SQL Server." The chapter offers 38 pages of highly useful information.

As the chapter title implies, the material covers a wealth of tactics you can use to attack and defend SQL Server. The discussion delves into information such as server instances, authentication, network libraries, security principles for SQL Server, server discovery and related tools, acquiring accounts for security contexts, escalating privileges, exploiting unpatched vulnerabilities, configuring a secure installation, monitoring, and maintenance. You can find the chapter in PDF format at the Special Ops Internal Network Security Web site. [http://www.specialopssecurity.com]

Also last week, Paul Robichaux released three chapters of his new book, "Secure Messaging with Microsoft Exchange Server 2000." He calls the book a "broad guide to securing Exchange-based systems, beginning with risk and vulnerability assessment and continuing through applying communications security, patch management, and service-specific approaches to make Exchange systems more secure." He also said, "I had a lot of help from the Exchange development and support team while writing the book, and there's a great deal of material there that isn't widely available elsewhere."

The three sample chapters are "Windows & Exchange Security Architecture," "Threat & Risk Assessment," and "SMTP, Relaying, and Spam Control." The security-architecture chapter covers built-in accounts and groups, what happens during the logon process, how Exchange modifies the Windows discretionary ACL (DACL) evaluation process, Exchange-specific permissions, roles, mailboxes, public folders, and more.

The threat-assessment chapter discussion includes identifying threats, threat classification, possible courses of action, and risk assessment. The SMTP chapter covers mail relaying--explaining why mail relaying might be necessary, how it can lead to trouble, and how to control it. The chapter also discusses how to deal with unwanted email, including how to use Exchange's built-in email filters. The chapters are available in PDF format at the E2K Security Web site. [http://www.e2ksecurity.com]

Realtimepublishers.com is another excellent resource for online security information. Sean Daily, president and CEO of the company, has published many guidebooks related to enterprise computing--and several of them pertain directly to security. You can read them in their entirety online by simply registering for access. At the company's Web site [http://www.realtimepublishers.com], you'll find security-related titles such as "The Definitive Guide To Windows 2000 Security," "The Definitive Guide To Windows 2000 Group Policy," "The Definitive Guide To Identity Management," "The Tips and Tricks Guide To Securing .NET Server," and "The Tips and Tricks Guide To Windows 2000 Group Policy." Realtimepublishers.com has about 2 dozen eBooks online, and more are in the works.

Overall, you can find a lot of information online about securing your particular platform--from white papers and checklists to chapters and entire books. Check out the publications I mention; they're among the most timely resources available. And if you know about other new publications I didn't mention, send me an email with the details.