Windows & .NET Magazine Security UPDATE—brought to you by Security Administrator, a print newsletter bringing you practical, how-to articles about securing your Windows .NET Server, Windows 2000, and Windows NT systems.
http://www.secadministrator.com



December 18, 2002—In this issue:

1. IN FOCUS

  • Critical Updates for Microsoft VM

2. SECURITY RISKS

  • Buffer Overrun in Enceladus Web Server for Windows

3. ANNOUNCEMENTS

  • Black Hat Briefings & Training: Windows Security
  • Planning on Getting Certified? Make Sure to Pick Up Our New eBook!

4. SECURITY ROUNDUP

  • News: Microsoft Releases MBSA 1.1
  • Feature: 7 Steps to SSL Encryption

5. HOT RELEASE (ADVERTISEMENT)

  • Get your FREE InTrust Audit Advisor tool

6. SECURITY TOOLKIT

  • Virus Center
  • FAQ: How Can I Enable Saving Attachments in Microsoft Outlook Express 6.0?

7. RESOURCES

  • Protect NetApp Filers from Viruses
  • Secure Heterogeneous Enterprises
  • Correction: Control Spam with Firewall Appliance
  • Submit Top Product Ideas

8. HOT THREADS

  • Windows & .NET Magazine Online Forums
  • Featured Thread: Forensics Tools
  • HowTo Mailing List
  • Featured Thread: Account Lockout

9. CONTACT US

  • See this section for a list of ways to contact us.

1. IN FOCUS
(contributed by Mark Joseph Edwards, News Editor, mark@ntsecurity.net)

  • CRITICAL UPDATES FOR MICROSOFT VM

  • Are you keeping up with all the patches Microsoft has issued? Microsoft has issued 71 security bulletins so far this year. One bulletin in particular, MS02-069 (Flaw in Microsoft VM Could Enable System Compromise) issued December 11, addresses several problems with the Microsoft Virtual Machine (VM) used for Java code. Versions of the VM software through version 5.0.3805 are vulnerable. According to Microsoft, "The most serious of these issues could enable a Web site to compromise your system and take actions such as changing data, loading and running programs, and reformatting the hard disk." The patch is a critical update, and everyone should install it.
    http://www.microsoft.com/security/security_bulletins/ms02-069.asp

    In the past, Microsoft has indicated that it will remove Java support from Windows. In June, Microsoft announced that because of a legal settlement with Sun Microsystems, after January 1, 2004, the company can no longer make modifications to Sun's Java code, including security fixes. Because of the settlement, Microsoft said, the company wouldn't include Java with Windows after that date. The decision stems from a legal argument between the two companies (to read more about that story, see the WinInfo Web site at the first URL below; to find the latest updates about the legal proceedings between Sun and Microsoft, see the second URL below).
    http://www.wininformant.com/articles/index.cfm?articleid=25620
    http://search.winnetmag.com/query.html?col=wininfo&qt=Java

    Even if Microsoft removes Java support from Windows, you might still use the Microsoft VM in the future, so consider loading the latest patch anyway, just in case. The patch will replace the "jview" program on your system with the latest version. While you're updating the Microsoft VM on your systems, consider upgrading other Java runtime components. You can do that by downloading the latest Java runtime environment (the Java 2 Platform) directly from Sun's Java Web site. Sun's runtime environment works with Windows XP, Windows 2000, Windows NT, Windows Me, Windows 9x, Sun Solaris, Linux, and Macintosh platforms.
    http://java.sun.com/getjava/download.html

    Speaking of patches, have you visited PivX Solutions' list of unpatched security holes in Microsoft products lately? Last updated December 9, 2002, the page lists 19 unpatched security vulnerabilities. Two items listed pertain to Java, and I can't tell whether this latest patch from Microsoft fixes those items. However, even if the patch does fix the Java vulnerabilities, take note of the 17 other unpatched holes that you should be aware of. The problems range from the simple to the complex, including circumventing Microsoft Internet Explorer's (IE's) security zones, reading local files on a user's computer, and executing arbitrary code. The oldest problem listed on the Web page was reported almost a year ago, December 22, 2001, and relates to man-in-the-middle attacks against Secure Sockets Layer (SSL) traffic. The newest problem, posted December 3, 2002, pertains to cookie theft and monitoring users' Web activity. Be sure to read the Web page — and guard your systems against those holes until Microsoft develops a patch.
    http://www.pivx.com/larholm/unpatched/


    2. SECURITY RISKS
    (contributed by Ken Pfeil, ken@winnetmag.com)

  • BUFFER OVERRUN IN ENCELADUS WEB SERVER FOR WINDOWS

  • Tamer Sahin discovered that a buffer-overrun vulnerability in Enceladus Web and FTP Server Suite 3.9 can let an attacker execute arbitrary code on the vulnerable system. If an attacker supplies a long sequence of characters as an argument to the CD command, thereby exceeding the length of the input buffer, the excess data will overwrite other variables on the stack and the stack frame. As a result, an attacker can execute arbitrary code. Mollensoft Software has been notified but hasn't yet released a patch for this problem.
    http://www.secadministrator.com/articles/index.cfm?articleid=27545

    3. ANNOUNCEMENTS
    (brought to you by Windows & .NET Magazine and its partners)

  • BLACK HAT BRIEFINGS & TRAINING: WINDOWS SECURITY

  • Attend the world's premier technical event for Windows and .NET security experts, February 25-28, 2002 in Seattle. You'll find six tracks, seven training sessions, and full support from Microsoft. See for yourself what the Black Hat buzz is all about. Register today!
    http://www.blackhat.com

  • PLANNING ON GETTING CERTIFIED? MAKE SURE TO PICK UP OUR NEW EBOOK!

  • "The Insider's Guide to IT Certification" eBook is hot off the presses and contains everything you need to know to help you save time and money while preparing for certification exams from Microsoft, Cisco Systems, and CompTIA and have a successful career in IT. Get your copy of the Insider's Guide today!
    http://winnet.bookaisle.com/ebookcover.asp?ebookid=13475

    4. SECURITY ROUNDUP

  • NEWS: MICROSOFT RELEASES MBSA 1.1

  • Microsoft recently released a new version of Microsoft Baseline Security Analyzer (MBSA), which Shavlik Technologies developed for Microsoft. New features in MBSA 1.1 include Exchange and Windows Media Player (WMP) security update detection, full HFNetChk 3.81 support in the MBSA command-line interface, support for Microsoft Software Update Services (SUS) during security update scans, compatibility with Microsoft Systems Management Server (SMS) 2.0 Software Update Services Feature Pack, and detection for multiple Microsoft SQL Server instances.
    http://www.secadministrator.com/articles/index.cfm?articleid=27551

  • FEATURE: 7 STEPS TO SSL ENCRYPTION

  • In Microsoft SQL Server 2000, Microsoft introduced new features to satisfy its customers' growing concerns about data security. One little-understood feature is automatic support of Secure Sockets Layer (SSL)-encrypted network traffic between the clients and the server. Encryption slightly slows performance because it requires extra actions on both sides of the network connection. However, for users who are concerned about the security of their network communications, the benefits of encryption outweigh this slight performance penalty. Encryption is especially useful when clients connect to the SQL Server across the Internet and data travels across public networks.
    http://www.secadministrator.com/articles/index.cfm?articleid=26908

    5. HOT RELEASE (ADVERTISEMENT)

  • GET YOUR FREE INTRUST AUDIT ADVISOR TOOL

  • Do you meet security regulations & corporate rules? Get your FREE InTrust Audit Advisor tool to estimate the resources needed to deploy and implement auditing practices, for a secure environment. Close the security gap with InTrust.
    http://www.aelita.com/updateIAA121802

    6. SECURITY TOOLKIT

  • VIRUS CENTER

  • Panda Software and the Windows & .NET Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security.
    http://www.secadministrator.com/panda

  • FAQ: HOW CAN I ENABLE SAVING ATTACHMENTS IN MICROSOFT OUTLOOK EXPRESS 6.0?

  • (contributed by John Savill, http://www.windows2000faq.com) By default and as a security precaution to avoid saving a virus to your computer, Outlook Express doesn't let you save files locally. To enable file saving within Outlook Express, perform the following steps:
    1. Start Outlook Express.
    2. From the Tools menu, select Options.
    3. Select the Security tab.
    4. Clear the "Do not allow attachments to be saved or opened that could potentially be a virus" check box, then click OK.

    7. NEW AND IMPROVED
    (contributed by Sue Cooper, products@winnetmag.com)

  • PROTECT NETAPP FILERS FROM VIRUSES

  • Symantec announced Symantec AntiVirus for NetApp Filers, software that provides scalable virus scanning and repair services to protect data on Network Appliance (NetApp) storage solutions. One scanner can service multiple filers, protecting your data from damage or deletion because of virus infection. A Central Quarantine feature lets you redirect irreparable, virus-infected files to a safe area on a centralized server for further inspection. For trialware, licensing information, or reseller locations, go to http://enterprisesecurity.symantec.com.
    http://symantec.com

  • SECURE HETEROGENEOUS ENTERPRISES

  • SnapGear is shipping the SnapGear SME5xx family of VPN firewall appliances. Based on the Hitachi SuperH SH4 microprocessor, the appliances are built for small to midsized enterprises. These appliances offer narrowband and broadband access, intrusion detection, a URL content-filtering option, a stateful firewall, a VPN, LAN throughputs up to 50Mbps, VPN throughputs up to 10Mbps, no built-in user limitation, and lifetime firmware upgrades. Management is browser-based. Prices start at $349. Contact SnapGear at 801-282-8492 and sales@snapgear.com.
    http://www.snapgear.com

  • CORRECTION: CONTROL SPAM WITH FIREWALL APPLIANCE

  • In last week's Security UPDATE item about BorderWare Technologies' MXtreme Mail Firewall, the first of the two phone numbers listed was incorrect. Here's the corrected information: Contact BorderWare at 905-804-1855, 877-814-7900, and sales@mxtreme.com.
    http://www.borderware.com

  • SUBMIT TOP PRODUCT IDEAS

  • Have you used a product that changed your IT experience by saving you time or easing your daily burden? Do you know of a terrific product that others should know about? Tell us! We want to write about the product in a future What's Hot column. Send your product suggestions to whatshot@winnetmag.com.

    8. HOT THREADS

  • WINDOWS & .NET MAGAZINE ONLINE FORUMS

  • http://www.winnetmag.com/forums

  • Featured Thread: Forensics Tools

  • (Three messages in this thread) A user who's studying computer forensics wants to know which network tools (in addition to Netstat, Snort, and Tcpdump) are helpful. Lend a hand or read the responses:
    http://www.winnetmag.com/forums/rd.cfm?cid=42&tid=51198

  • HOWTO MAILING LIST

  • http://63.88.172.96/listserv/page_listserv.asp?a0=howto

  • Featured Thread: Account Lockout

  • (Nine messages in this thread) A user has a problem with a particular user account that's locked out two or three times a day. When he searches the domain controllers' (DCs') event logs, no events are logged against the user's account. Event auditing is turned on, and he would expect to see event ID 529 (Unknown username or bad password) and event ID 539 (Account locked out), but those events aren't logged. Read the responses or lend a hand at the following URL:
    http://63.88.172.96/listserv/page_listserv.asp?A2=IND0212B&L=HOWTO&P=984

    9. CONTACT US
    Here's how to reach us with your comments and questions:

    This email newsletter is brought to you by Security Administrator, the print newsletter with independent, impartial advice for IT administrators securing a Windows 2000/Windows NT enterprise. Subscribe today!
    http://www.secadministrator.com/sub.cfm?code=saei25xxup

    Receive the latest information about the Windows and .NET topics of your choice. Subscribe to our other FREE email newsletters.
    http://www.winnetmag.com/email