Subject: Security UPDATE, March 5, 2003

********************

Windows & .NET Magazine Security UPDATE--brought to you by Security Administrator, a print newsletter bringing you practical, how-to articles about securing your Windows Server 2003, Windows 2000, and Windows NT systems. http://www.secadministrator.com

********************

~~~~ THIS ISSUE SPONSORED BY ~~~~

NEW Shavlik HFNetChkPro 4.0 http://www.shavlik.com

RippleTech PatchWorks: Improve Security Today! http://www.rippletech.com/wm (below IN FOCUS)

~~~~~~~~~~~~~~~~~~~~

~~~~ SPONSOR: NEW SHAVLIK HFNetChkPro 4.0 ~~~~

Introducing Shavlik HFNetChkPro 4.0 - the next generation in security patch management. HFNetChkPro 4.0 is an automated scanning and remediation solution from Shavlik, the developers of HFNetChk and MBSA for Microsoft. It includes loads of new features that save time for busy security professionals while offering greater enterprise security. HFNetChkPro 4.0 automates patch remediation for Microsoft Office, Windows Server 2003, Exchange, SQL, Outlook, Java Virtual Machine and more. Its intuitive Drag-n-Drop Patch Management(tm) interface allows you to precisely control which groups will be scanned, by what criteria and when and how patches are deployed. Visit www.shavlik.com for details!
http://www.shavlik.com

~~~~~~~~~~~~~~~~~~~~

March 5, 2003--In this issue:

1. IN FOCUS
   - Targeting Spam

2. SECURITY RISKS
   - Unchecked Buffer in Microsoft Windows Me's Help and Support Center

3. ANNOUNCEMENTS
   - Join The HP & Microsoft Network Storage Solutions Road Show!
   - Start Your Spring Training with Windows & .NET Magazine Web Seminars!

4. SECURITY ROUNDUP
   - News: Securing Windows 2000 Server Guide Now Available
   - News: Microsoft Trustworthy Computing Academic Advisory Board
   - News: Windows Rights Management Services for Windows 2003
   - Feature: Snort Made Easy

5. HOT RELEASES (ADVERTISEMENTS)
   - eToken USB-based 2-factor Authentication
   - Get a free "Rio Riot" MP3 Player!

6. INSTANT POLL
   - Results of Previous Poll: Early Warning Network
   - New Instant Poll: Spam Filtering

7. SECURITY TOOLKIT
   - Virus Center
   - FAQ: Why Does the "The Password Is Not Valid" Error Message Appear When I Log On to Windows XP's Recovery Console (RC), Even Though I Enter the Correct Password?

8. NEW AND IMPROVED
   - Prevent Viral Reinfections
   - Submit Top Product Ideas

9. HOT THREAD
   - Windows & .NET Magazine Online Forums
   - Featured Thread: Policy Propagation Errors with Active Directory

10. CONTACT US
   See this section for a list of ways to contact us.

~~~~~~~~~~~~~~~~~~~~

1. IN FOCUS

(contributed by Mark Joseph Edwards, News Editor, mark@ntsecurity.net)

* TARGETING SPAM

In December, I wrote about the nuisance of unsolicited email and one simple way to help filter it out before it reaches your Inbox. To read "Tired of Unwanted Email? Try This Simple Solution," visit the URL below.
http://www.secadministrator.com/articles/index.cfm?articleid=27495

Last week, I learned that the Internet Engineering Task Force (IETF) has created a new Anti-Spam Research Group that's now working to create standards that will help determine how to detect spam. Probably the biggest hurdle in detecting spam is determining exactly what constitutes junk mail. Does the term refer only to unsolicited email advertisements, or does it also refer to email sent to a wide array of people who didn't formally ask to receive mass mailings? Personally, I think of junk mail mainly as unwanted advertisements--the electronic version of paper-based advertisements that most of us receive and immediately throw in the nearest trash can.

The Anti-Spam Research Group will hold its first meeting March 20 at the 56th IETF Meeting, to be held in San Francisco. The group expects hundreds of participants from all areas of the online industry. And I think we can expect a handful of spammers to slip into the meetings too, if for no other reason than to learn how their money-making schemes might become squashed.
http://www.ietf.org/meetings/IETF-56.html

In August of last year, Paul Graham released a paper that describes a plan to help stop unsolicited email. According to Graham, the paper "describes the spam-filtering techniques used in the new spamproof web-based mail reader we're building to exercise Arc" (Arc is an improved version of the Lisp programming language). At the Massachusetts Institute of Technology (MIT), Graham organized a conference, which about 500 programmers attended, to discuss ideas for creating a spam filter that would totally eliminate unwanted email. You can read more about the IETF group as well as Graham's conference at the first and second URLs below. You can read Graham's paper and more about Arc at the third and fourth URLs.
http://www.pcworld.com/news/article/0,aid,109614,00.asp
http://www.pcworld.com/news/article/0,aid,108859,00.asp
http://www.paulgraham.com/spam.html
http://www.paulgraham.com/arc.html

If you're a Microsoft Outlook user interested in another way to help stop unsolicited email right now, I've discovered another helpful tool you can use. Cloudmark SpamNet is an Outlook plugin that sends information about spam back to a central network. The plugin is a filtering and reporting tool that includes a toolbar button in your Outlook client. When you receive new mail, the tool creates and sends a message digest (fingerprint signature) to Cloudmark. Cloudmark checks the message digest against the SpamNet database to see whether the message is known to be spam. If it's known junk mail, SpamNet tags the mail so that you can filter it into a spam folder. If previously unknown junk mail slips through, you can select that message and click the SpamNet button to report the message to the SpamNet network. SpamNet can then filter it from other users' Inboxes. I'm not sure whether SpamNet performs checks against submitted information to determine whether a given message truly is spam. However, the SpamNet tool checks messages individually, so even if someone were to report something you consider a legitimate message as spam, that wouldn't prevent you from sending a SpamNet user another message with different content. You can read more about how it works at the following URL.
http://www.cloudmark.com/products/spamnet/learnmore/security.php
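The digest-lookup-and-report flow described above can be sketched as follows. This is an added example, not part of the original newsletter and not Cloudmark's code: the SHA-256 fingerprint, the DigestNetwork class, and the minimum-reporter rule are all assumptions made for illustration, and the sample messages are constructed.

```python
import hashlib
import re


def fingerprint(body):
    """Digest of a message body. SHA-256 over whitespace- and case-normalised
    text is an assumption; the newsletter does not say how SpamNet does it."""
    text = re.sub(r"\s+", " ", body).strip().lower()
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


class DigestNetwork:
    """Hypothetical stand-in for the central database of reported digests."""

    def __init__(self, min_reporters=2):
        # Requiring several distinct reporters is one possible check on
        # submissions (an assumption, not a documented SpamNet behaviour).
        self.min_reporters = min_reporters
        self.reports = {}  # digest -> set of user ids that reported it

    def report(self, user, body):
        self.reports.setdefault(fingerprint(body), set()).add(user)

    def is_known_spam(self, digest):
        return len(self.reports.get(digest, ())) >= self.min_reporters


def classify(network, body):
    """Client side: only the digest is looked up, never the message text."""
    return "spam" if network.is_known_spam(fingerprint(body)) else "inbox"


def demo():
    """Constructed sample messages; returns the verdict at each step."""
    net = DigestNetwork(min_reporters=2)
    ad = "BUY  NOW!\nCheap widgets, limited offer"
    net.report("alice", ad)
    net.report("alice", ad)               # repeat report, same user
    one_reporter = classify(net, ad)      # still a single distinct reporter
    net.report("bob", "buy now! cheap widgets, limited offer")
    two_reporters = classify(net, ad)     # same digest after normalisation
    other = classify(net, "Quarterly figures attached, see section 2.")
    return one_reporter, two_reporters, other


if __name__ == "__main__":
    print(demo())
```

Because each message is looked up by its own digest, a report against one message leaves a later message with different content from the same sender unaffected, which is the behaviour the paragraph above describes.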

SpamNet is a slick idea and easy to use. But it's not the only solution. Many similar networked solutions are available, such as SpamAssassin and SpamCop. Plugins and scripts are available to help you participate in those networks too. In addition, the Spam Prevention Early Warning System (SPEWS) provides a database that tracks known spammers and spam-friendly networks, so you can use the database to help filter your email. The site also maintains lists of other helpful email-filtering technologies that you might want to consider, including spam-filtering gateways.
http://www.spamassassin.org
http://www.spamcop.com
http://www.spews.org

If junk mail is a problem on your network--and I bet that it is--be sure to check out the resources I've mentioned. They definitely help you reduce the clutter in your Inbox and help you reduce wasted bandwidth and disk space.

~~~~~~~~~~~~~~~~~~~~

~~~~ SPONSOR: RIPPLETECH PATCHWORKS: IMPROVE SECURITY TODAY! ~~~~

Code Red and the Slammer virus weren't a problem for many businesses. Why? They use PatchWorks! Many IT departments struggle to find time for patch management, so PatchWorks makes it easy to remotely manage and deploy security updates, hotfixes and service packs. Plus, our proprietary database contains information from analysts who research and test each patch. For research, software inventory, policy enforcement and more, try PatchWorks FREE today and increase security in your environment!
http://www.rippletech.com/wm

~~~~~~~~~~~~~~~~~~~~

2. SECURITY RISKS

(contributed by Ken Pfeil, ken@winnetmag.com)

* UNCHECKED BUFFER IN MICROSOFT WINDOWS ME'S HELP AND SUPPORT CENTER
A new vulnerability exists in the Windows Me Help and Support Center that could result in the execution of arbitrary code on the vulnerable system. This vulnerability stems from an unchecked buffer in the URL Handler used for the "hcp://" prefix. A potential attacker could exploit this vulnerability by constructing a URL that, when the user clicks on it, executes code of the attacker's choice in the context of Local Computer on the vulnerable system.
http://www.secadministrator.com/articles/index.cfm?articleid=38197

3. ANNOUNCEMENTS

(brought to you by Windows & .NET Magazine and its partners)

* JOIN THE HP & MICROSOFT NETWORK STORAGE SOLUTIONS ROAD SHOW!
Now is the time to start thinking of storage as a strategic weapon in your IT arsenal. Come to our 10-city Network Storage Solutions Road Show, and learn how existing and future storage solutions can save your company money--and make your job easier! There is no fee for this event, but space is limited. Register today!
http://www.winnetmag.com/roadshows/nas

* START YOUR SPRING TRAINING WITH WINDOWS & .NET MAGAZINE WEB SEMINARS!
March is a great time to strengthen your knowledge of security and Active Directory. Register today for one of our Web seminars, and find out what our experts know that could be saving you hours of time and your company bundles of money. Sign up now!
http://www.winnetmag.com/seminars

4. SECURITY ROUNDUP

* NEWS: SECURING WINDOWS 2000 SERVER GUIDE NOW AVAILABLE
Microsoft's Solutions for Security team has released a new guide, "Securing Windows 2000 Server." The guide, published February 17, consists of 11 chapters of information and includes three supplemental guides for testing, delivery, and support readiness.
http://www.secadministrator.com/articles/index.cfm?articleid=38162

* NEWS: MICROSOFT TRUSTWORTHY COMPUTING ACADEMIC ADVISORY BOARD
Microsoft has formed an academic advisory board to assist the company with its Trustworthy Computing initiative. The board consists of 14 people from various US and European universities. The board's purpose is to create a think tank of academic opinion regarding Microsoft's ideas for better Windows security.
http://www.secadministrator.com/articles/index.cfm?articleid=38143

* NEWS: WINDOWS RIGHTS MANAGEMENT SERVICES FOR WINDOWS 2003
Microsoft announced that a new Rights Management Service (RMS) will be included in Windows Server 2003. RMS will help companies secure internal business information such as reports and other documents. Microsoft said that RMS will let applications such as email clients, word processors, and information portals be built so that administrators can assign digital rights that control who has access to information and the type of access a user has.
http://www.secadministrator.com/articles/index.cfm?articleid=38142

* FEATURE: SNORT MADE EASY
Snort is a free tool that's often described as a virus scanner for network packets. Snort has three modes: network sniffer, network packet logger, and network intrusion detector. Snort is perfect for detecting Denial of Service (DoS) attacks, fragmentation attacks, Code Red infiltration, and Microsoft SQL Server injection attacks. Originally written by Martin Roesch in 1998 for his personal use, Snort enjoys a large open-source-community support system. To learn how to implement Snort, see Roger A. Grimes' article on our Web site.
http://www.secadministrator.com/articles/index.cfm?articleid=37789

5. HOT RELEASES (ADVERTISEMENTS)

* eTOKEN USB-BASED 2-FACTOR AUTHENTICATION
eToken from Aladdin offers simple, reliable and affordable 2-factor authentication for secure network logon, VPN access, web access, e-mail, and PC security. No reader or server required to securely store users' passwords, keys, and certificates.
http://www.eAladdin.com/eToken

* GET A FREE "RIO RIOT" MP3 PLAYER!
Close the gap on email predators with Sybari's Antigen! Go to http://www.sybari.com/su to register for an Antigen web demo and automatically get entered to win an MP3 player! Attend the demo by March 25th, and get a free t-shirt!

6. INSTANT POLL

* RESULTS OF PREVIOUS POLL: EARLY WARNING NETWORK
The voting has closed in Windows & .NET Magazine's Security Administrator Channel nonscientific Instant Poll for the question, "Do you participate in an 'early warning' network that gathers forensic information from firewall and Intrusion Detection System (IDS) logs?" Here are the results from the 122 votes.
- 11% Yes--DShield.org
- 5% Yes--Symantec DeepSight Analyzer
- 0% Both of the above
- 15% Other
- 69% No

* NEW INSTANT POLL: SPAM FILTERING
The next Instant Poll question is, "Do you participate in a spam-filtering network?" Go to the Security Administrator Channel home page and submit your vote for a) Yes--SpamAssassin, b) Yes--SpamNet, c) Yes--SpamCop, d) Yes--Other, or e) No.
http://www.secadministrator.com

7. SECURITY TOOLKIT

* VIRUS CENTER
Panda Software and the Windows & .NET Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security.
http://www.secadministrator.com/panda

* FAQ: WHY DOES THE "THE PASSWORD IS NOT VALID" ERROR MESSAGE APPEAR WHEN I LOG ON TO WINDOWS XP'S RECOVERY CONSOLE (RC), EVEN THOUGH I ENTER THE CORRECT PASSWORD?
(contributed by John Savill, http://www.windows2000faq.com)

A. This error message might appear if you originally installed XP from a Sysprep image or if you ran Sysprep 2.0 on the computer at one time. Sysprep.exe changes the way the registry stores password keys. As a result, these changes aren't compatible with the XP RC logon routine. To resolve this problem, follow the instructions in the Microsoft article "'The Password Is Not Valid' Error Message Appears When You Log On to Recovery Console in Windows XP."
http://support.microsoft.com/?kbid=308402

8. NEW AND IMPROVED

(contributed by Sue Cooper, products@winnetmag.com)

* PREVENT VIRAL REINFECTIONS
Global Hauri announced ViRobot Management Server (VMS) 2.7, a client/server antivirus management application that goes beyond quarantining by destroying most viruses and preventing reinfection. When a virus is detected in your network, VMS tracks the infection route to locate the source of the infection. It monitors the clients' status 24 hours a day, gathering data and providing the latest virus definition files through its server-based daemon. VMS 2.7 supports all Windows platforms and carries the Designed for Windows XP certification. Contact Global Hauri at 408-232-5463 or sales@globalhauri.com.
http://www.globalhauri.com

* SUBMIT TOP PRODUCT IDEAS
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Do you know of a terrific product that others should know about? Tell us! We want to write about the product in a future What's Hot column. Send your product suggestions to whatshot@winnetmag.com.

9. HOT THREAD

* WINDOWS & .NET MAGAZINE ONLINE FORUMS
http://www.winnetmag.com/forums

Featured Thread: Policy Propagation Errors with AD (Three messages in this thread)

A user writes that he's constantly receiving an event log item with event ID 1000 and event ID 1202, with an error code "-536870656," and he can't find any way to fix the problem. He writes that all clients on his network receive the same error message and that his domain policy isn't propagating down to any workstations or servers in any of his organizational units (OUs) in Active Directory (AD). He wants to know whether anyone understands what the error code means and how to fix the problem. Lend a hand or read the responses:
http://www.winnetmag.com/forums/rd.cfm?cid=42&tid=54943

10. CONTACT US

Here's how to reach us with your comments and questions:

* ABOUT IN FOCUS -- mark@ntsecurity.net

* ABOUT THE NEWSLETTER IN GENERAL -- letters@winnetmag.com (please mention the newsletter name in the subject line)

* TECHNICAL QUESTIONS -- http://www.winnetmag.com/forums

* PRODUCT NEWS -- products@winnetmag.com

* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer Support -- securityupdate@winnetmag.com

* WANT TO SPONSOR SECURITY UPDATE? emedia_opps@winnetmag.com

********************

This email newsletter is brought to you by Security Administrator, the print newsletter with independent, impartial advice for IT administrators securing a Windows 2000/Windows NT enterprise. Subscribe today!
http://www.secadministrator.com/sub.cfm?code=saei25xxup

Receive the latest information about the Windows and .NET topics of your choice. Subscribe to our other FREE email newsletters.
http://www.winnetmag.com/email

Thank you!
__________________________________________________________
Copyright 2003, Penton Media, Inc.