Windows & .NET Magazine Security UPDATE—brought to you by Security Administrator, a print newsletter bringing you practical, how-to articles about securing your Windows .NET Server, Windows 2000, and Windows NT systems.
http://www.secadministrator.com


THIS ISSUE SPONSORED BY

Real-World Strategies for Infrastructure Success
http://www.ibm.com/e-business/playtowin/n152

St. Bernard Software
http://www.stbernard.com/products/targetpages/win2kN-ue.asp
(below IN FOCUS)


SPONSOR: REAL-WORLD STRATEGIES FOR INFRASTRUCTURE SUCCESS

Learn how your company can tackle the challenge of continually integrating to remain competitive as e-business technologies evolve. The IBM white paper, "Managing e-business integration challenges," can help you understand how to identify key integration components. So even as today's systems becomes tomorrow's legacy systems, you'll be able to support ever-changing business goals. Also included is a discussion of how to assess your integration requirements for whatever state of e-business adoption your infrastructure has reached. Visit us online to get your complimentary copy today at
Visit http://www.ibm.com/e-business/playtowin/n152


July 31, 2002—In this issue:

1. IN FOCUS

  • Wireless Honeypots; Microsoft's New Vulnerability Reporting Preference

2. SECURITY RISKS

  • Authentication Vulnerability in Microsoft Metadirectory Services 2.2
  • Buffer Overrun in SQL Server 2000 Utilities
  • Multiple Vulnerabilities in SQL Server 2000
  • Buffer Overrun in Exchange Server 5.5
  • Correction: Symantec, Not Semantic

3. ANNOUNCEMENTS

  • Get Kudos & a Free Trip to SQL Server Magazine LIVE! in Orlando!
  • If You Have an Urgent or Annoying Windows NT/2000 Problem

4. SECURITY ROUNDUP

  • News: Rumors About Windows XP SP1 WPA Changes Not True
  • Feature: Firewall Buyer's Guide

5. HOT RELEASES

  • IBM e-business Integration White Paper
  • VeriSign The Value of Trust

6.SECURITY TOOLKIT

  • Virus Center
  • FAQ: How Can I Prevent WMP from Processing HTML Scripts Contained Within Media Files?

7. NEW AND IMPROVED

  • New Email Security Tests
  • Intrusion Protection Software
  • Submit Top Product Ideas

8. HOT THREADS

  • Windows & .NET Magazine Online Forums
  • Featured Thread: Recovery Console Password Recovery

9. CONTACT US

  • See this section for a list of ways to contact us.

1. IN FOCUS
(contributed by Mark Joseph Edwards, News Editor, mark@ntsecurity.net)

  • WIRELESS HONEYPOTS; MICROSOFT'S NEW VULNERABILITY REPORTING PREFERENCE

  • I've discussed honeypots several times in the Security UPDATE newsletter. Now, several organizations are developing another type of honeypot to trap intruders. The Science Applications International Corporation (SAIC) has established the Wireless Information Security Experiment (WISE), which runs under the 802.11b wireless communication specification. According to SAIC, the new wireless honeypot network "sits behind a device where all inbound and outbound data is controlled and captured. \[The\] information is then analyzed to learn the tools, tactics, and motives of wireless system exploitation in order to develop information security tools and defenses."
    http://www.incident-response.org/WISE.htm
    http://www.saic.com

    In the March 27, 2002, edition of Security UPDATE, I discussed "war driving" (see the URL below), a phrase that describes the act of driving around with a wireless connectivity device with an antenna attempting to connect to unprotected wireless LANs (WLANs). SAIC's wireless honeypot is a response to intruders who perform war driving. WISE will be located in a major metropolitan area in which war drivers often search for vulnerable networks. The WISE honeypot network, designed to "develop effective information security, intrusion detection, and incident response, and forensic methodologies for wireless networks," will consist of several bridged wireless nodes designed to cover a large city area. SAIC will eventually connect the wireless honeypot to a satellite broadband system that will in turn connect the initial honeypot network to a similar network in another major city.
    http://www.secadministrator.com/articles/index.cfm?articleid=24616

    SAIC's wireless honeypot is part of the Honeynet Research Alliance, a group of organizations "actively researching, developing and deploying Honeynets and sharing the lessons learned." The alliance currently consists of 10 organizations around the world, each of which is involved in various aspects of honeypot development and research. Alliance members include the South Florida HoneyNet Project, Nodal Intrusion Forensics Technology Initiative, Incidents.org Virtual Honeynet Project, Paladion Networks Honeynet Project, Internet Systematics Lab Honeynet Project, SAIC Wireless Honeynet, AT&T Mexico Honeynet, NetForensics Honeynet, Azusa Pacific University Honeynet, and the Brazilian Honeynet Project. You'll find more information about honeypots and the alliance at the first URL below. Check out the Web site, especially if you're considering establishing a honeypot or honeynet of your own. For Windows & .NET Magazine articles about honeypots, visit our Web site at the second URL below.
    http://project.honeynet.org/alliance
    http://search.winnetmag.com/query.html?qt=honeypot

    Did you know that Microsoft has changed how users submit vulnerability reports? Formerly, users emailed vulnerability information to secure@microsoft.com. However, the company recently removed that contact address from its Web site and now requests that users contact the company about security vulnerabilities through a Secure Sockets Layer (SSL)-enabled Web form. The new Web form will help the company collect more complete information for vulnerability reports through the many fields that users must complete before they submit a report. For example, when you visit the Web page, you'll find that the form requests information such as OS, additional hardware installed on the system, and installed security patches and service packs. The form also provides space in which to describe how someone could mount an attack by using a given flaw and what results would occur. Be sure to look at the new form at the URL below. During the transition to the new Web form, the company will still monitor the secure@microsoft.com email address.
    https://www.microsoft.com/technet/security/bulletin/alertus.asp


    SPONSOR: WORST CASE SCENARIO: Hacker Attacks Your Network

    Security exploits are often a direct result of missing patches. UpdateEXPERT is a patch remediation tool that scans your network for missing hotfixes, and FIXES discovered weaknesses for increased network protection. UpdateEXPERT features an exclusive database of patches that are researched and tested for interdependencies by our in-house patch experts. Supporting Windows NT4/2000/XP, SQL Server, Exchange Server, IE, Outlook and other mission-critical applications, UpdateEXPERT installs updates to all servers and workstations remotely without a required client agent.
    FREE Live Trial:
    http://www.stbernard.com/products/targetpages/win2kN-ue.asp


    2. SECURITY RISKS
    (contributed by Ken Pfeil, ken@winnetmag.com)

  • AUTHENTICATION VULNERABILITY IN MICROSOFT METADIRECTORY SERVICES 2.2

  • Dan Pascal Huijbers and Thomas de Klerk of Info Support discovered a flaw that could let an unprivileged user access and manipulate data within Microsoft Metadirectory Services (MMS) that, by design, only MMS administrators should be able to access. Microsoft has released Security Bulletin MS02-036 (Authentication Flaw in Microsoft Metadirectory Services Could Allow Privilege Elevation) to address this vulnerability and recommends that affected users download and apply the service pack mentioned in the security bulletin.
    http://www.secadministrator.com/articles/index.cfm?articleid=26073

  • BUFFER OVERRUN IN SQL SERVER 2000 UTILITIES

  • Cesar Cerrudo discovered two vulnerabilities in Microsoft SQL Server 2000 and Microsoft SQL Server Desktop Engine (MSDE). The vulnerabilities are related to a buffer overrun and SQL injection. Microsoft has released Security Bulletin MS02-038 (Unchecked Buffer in SQL Server 2000 Utilities Could Allow Code Execution) to address these vulnerabilities and recommends that affected users download and apply the appropriate patch mentioned in the security bulletin.
    http://www.secadministrator.com/articles/index.cfm?articleid=26074

  • MULTIPLE VULNERABILITIES IN SQL SERVER 2000

  • Cesar Cerrudo discovered three new vulnerabilities in Microsoft SQL Server 2000 and Microsoft SQL Server Desktop Engine (MSDE). The vulnerabilities are two buffer overruns and a potential for Denial of Service (DoS) attacks. Microsoft has released Security Bulletin MS02-039 (Buffer Overruns in SQL Server 2000 Resolution Service Could Enable Code Execution) to address this vulnerability and recommends that affected users download and apply the appropriate patch mentioned in the security bulletin.
    http://www.secadministrator.com/articles/index.cfm?articleid=26075

  • BUFFER OVERRUN IN EXCHANGE SERVER 5.5

  • Dan Ingevaldson of Internet Security Systems (ISS) discovered a buffer-overrun vulnerability in Microsoft Exchange Server 5.5 that can let an attacker remotely compromise the server. This vulnerability is the result of an unchecked buffer in the Internet Mail Connector (IMC) code that generates the response to the Extended Hello protocol command. Microsoft has released Security Bulletin MS02-037 (Server Response To SMTP Client EHLO Command Results In Buffer Overrun) to address this vulnerability and recommends that affected users download and apply the appropriate patch mentioned in the bulletin.
    http://www.secadministrator.com/articles/index.cfm?articleid=26048

  • CORRECTION: SYMANTEC, NOT SEMANTIC

  • We apologize for inadvertently misspelling Symantec's name in the July 24, 2002, edition of Security UPDATE as we described a vulnerability in Symantec's Norton Personal Firewall that an attacker can exploit to execute code on the vulnerable system. We appreciate those readers who pointed out the error.

    3. ANNOUNCEMENTS
    (brought to you by Windows & .NET Magazine and its partners)

  • GET KUDOS & A FREE TRIP TO SQL SERVER MAGAZINE LIVE! IN ORLANDO!

  • Get the recognition you deserve for your cutting-edge SQL Server solution and take home the SQL Server Innovator's Cup. If you work with SQL Server and have created a technical solution to a problem or enhanced a program or system feature to improve performance or return on investment, you qualify to enter this awards program sponsored by Microsoft. Enter today at:
    http://www.sqlmag.com/awards

  • IF YOU HAVE AN URGENT OR ANNOYING WINDOWS NT/2000 PROBLEM

  • Then you need to visit our JSI FAQ site. Updated daily, this vast list of FAQs includes more than 4000 tips, tricks, and registry hacks to help you solve your toughest problems. Check it out!
    http://www.jsiinc.com/reghack.htm

    4. SECURITY ROUNDUP

  • NEWS: RUMORS ABOUT WINDOWS XP SP1 WPA CHANGES NOT TRUE

  • A bizarre rumor about Microsoft making sweeping changing to its Windows Product Activation (WPA) technology in Windows XP Service Pack 1 (SP1) is completely untrue, the company has stated. The rumor, which a small technology-enthusiast Web site started, had Microsoft changing the product keys for all its customers who use volume licensing.
    http://www.secadministrator.com/articles/index.cfm?articleid=26051

  • FEATURE: FIREWALL BUYER'S GUIDE

  • Today's centrally managed, software-based firewalls go well beyond packet filtering. Although interrogating a network datagram for IP addresses and port numbers is still a prerequisite, vendors, such as those in this firewall software Buyer's Guide, are including more functionality. To distinguish between excellent and run-of-the-mill firewalls, you need to look at a product's level of automation, additional features, and ease of management.
    http://www.secadministrator.com/articles/index.cfm?articleid=25651

    5. HOT RELEASES

  • IBM E-BUSINESS INTEGRATION WHITE PAPER

  • Learn to remain competitive as e-business technologies evolve. The IBM white paper, "Managing e-business integration challenges," will help you understand how to identify key integration components. Get your complimentary copy at
    http://www.ibm.com/e-business/playtowin/n122

  • VERISIGN THE VALUE OF TRUST

  • Get the strongest server security — 128-bit SSL encryption! Download VeriSign's FREE guide, "Securing Your Web Site for Business" and learn everything you need to know about using SSL to encrypt your e-commerce transactions for serious online security. Click here!
    http://www.verisign.com/cgi-bin/go.cgi?a=n204087360057000

    6. SECURITY TOOLKIT

  • VIRUS CENTER

  • Panda Software and the Windows & .NET Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security.
    http://www.secadministrator.com/panda

  • FAQ: HOW CAN I PREVENT WMP FROM PROCESSING HTML SCRIPTS CONTAINED WITHIN MEDIA FILES?

  • (contributed by John Savill, http://www.windows2000faq.com)

    A. Microsoft Security Bulletin MS02-032 (Cumulative Patch for Windows Media Player) identifies several version-specific patches to secure Windows Media Player (WMP) against script attacks. To manually disable WMP's HTML-processing feature, perform the following steps:

    1. Start a registry editor (e.g., regedit.exe).


    2. Navigate to the HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences registry subkey.


    3. From the Edit menu, select New, DWORD Value.


    4. Enter a name of PlayerScriptCommandsEnabled, then press Enter.


    5. Double-click the new value, set it to 0 to prevent WMP from processing HTML scripts in media files, then click OK.
    6. Close the registry editor.


    7. Restart WMP.

    7. NEW AND IMPROVED
    (contributed by Judy Drennen, products@winnetmag.com)

  • NEW EMAIL SECURITY TESTS

  • GFI's Email Security Testing Zone launched three new free email tests. Administrators can test whether their networks are protected against attacks using the Iframe Remote and Object Codebase exploits and whether their antivirus software is working. Email users can sign up for these tests by submitting their names and email addresses to GFI's Email Security Testing Zone.
    http://www.gfi.com/emailsecuritytest

  • INTRUSION PROTECTION SOFTWARE

  • Abtrusion Security announced Abtrusion Protector, an intrusion and virus protection software for Windows NT OSs. The software verifies that a file is permitted to execute. If the software doesn't recognize the file, Abtrusion Protector prevents Windows from loading it. Abtrusion Protector works with firewalls and antivirus scanners and provides a last line of defense against malicious software. The software is undergoing beta testing for release later this year. For noncommercial private use, Abtrusion Protector is available for free. Abtrusion Security licenses the product for corporate use at $20 per workstation. Server licenses are $400. Volume discounts are available. For more information, email Abtrusion Security at info@abtrusion.com or go to the Web site.
    http://www.abtrusion.com

  • SUBMIT TOP PRODUCT IDEAS

  • Have you used a product that changed your IT experience by saving you time or easing your daily burden? Do you know of a terrific product that others should know about? Tell us! We want to write about the product in a future What's Hot column. Send your product suggestions to whatshot@winnetmag.com.

    8. HOT THREADS

  • WINDOWS & .NET MAGAZINE ONLINE FORUMS

  • http://www.winnetmag.com/forums

    Featured Thread: Recovery Console Password Recovery
    (One message in this thread)

    Kris believes that when he promotes a Windows 2000 server to a domain controller (DC), the local Administrator account is no longer accessible but might still be used for functions such as booting to the Recovery Console (RC) and restoring Active Directory (AD). Kris wants to know whether this is true and, if so, how he can get to the LAN Manager (LM)/NT LAN Manager (NTLM) hashes for the local Administrator account to run a password cracker against it. Read the responses or lend a hand:

    9. CONTACT US
    Here's how to reach us with your comments and questions:

    • ABOUT IN FOCUS — mark@ntsecurity.net
    • ABOUT THE NEWSLETTER IN GENERAL — vpatterson@winnetmag.com
      (please mention the newsletter name in the subject line)
    • TECHNICAL QUESTIONS — http://www.winnetmag.net/forums
    • PRODUCT NEWS — products@winnetmag.com
    • QUESTIONS ABOUT YOUR Windows & .NET Magazine Security UPDATE SUBSCRIPTION?
      Customer Support — securityupdate@winnetmag.com

    This email newsletter is brought to you by Security Administrator, the print newsletter with independent, impartial advice for IT administrators securing a Windows 2000/Windows NT enterprise. Subscribe today!
    http://www.secadministrator.com/sub.cfm?code=saei25xxup

    Receive the latest information about the Windows and .NET topics of your choice. Subscribe to our other FREE email newsletters.
    http://www.winnetmag.net/email