Windows & .NET Magazine Security UPDATE—brought to you by Security Administrator, a print newsletter bringing you practical, how-to articles about securing your Windows .NET Server, Windows 2000, and Windows NT systems.
http://www.secadministrator.com


THIS ISSUE SPONSORED BY

FREE—SANS Top Trends in Security Management
http://www.netiq.com/f/form/form.asp?id=536

SPI Dynamics Web Application Security White Paper
http://www.spidynamics.com/mktg/webappsecurity7/
(below IN FOCUS)

SPONSOR: FREE—SANS TOP TRENDS IN SECURITY MANAGEMENT

What's the hottest trend shaping security this year? Read the FREE SANS report sponsored by NetIQ to find out. Learn what the top industry authorities had to say about security management in 2002. You'll gain valuable insights and expert advice on crucial topics including new threats, automated patching and continuous monitoring. Don't get left behind—discover the top 8 security trends for 2002 now. Download the must-have report today!
http://www.netiq.com/f/form/form.asp?id=536


April 24, 2002—In this issue:

1. IN FOCUS

  • Security Checklists and Handy Tools

2. SECURITY RISKS

  • Buffer Overflow in talentsoft's Web+ 5.0 and Web+ 4.6 Affects Microsoft IIS
  • Cross-Site Scripting Vulnerability in Microsoft IE

3. ANNOUNCEMENTS

  • Learn from (or Try to Stump) Top Windows Security Pros
  • Cast Your Vote for Our Reader's Choice Awards!

4. SECURITY ROUNDUP

  • News: Microsoft Article Q320751: DoS Workarounds
  • News: New Variant of Klez Worm Spreading
  • News: eEye Digital Security and St. Bernard Software Bundle Software
  • News: WebEyeAlert and Amcest Partner for Video Surveillance

5. INSTANT POLL

  • Results of Previous Poll: Hotfix Availability Notification
  • New Instant Poll: Antivirus Defense Location

6. SECURITY TOOLKIT

  • Virus Center
    • Virus Alert: W32/Klez.I
  • FAQ: How Can I Disable IPSec on a VPN Connection That Uses L2TP?

7. NEW AND IMPROVED

  • Secure Your Company with Cameras
  • Protect Your Hardware from Theft

8. HOT THREADS

  • Windows & .NET Magazine Online Forums
    • Featured Thread: View All Permissions and Shares
  • HowTo Mailing List
    • Featured Thread: Exceeding the 512-Character Limit of the Legal Logon Notice

9. CONTACT US

  • See this section for a list of ways to contact us.

1. IN FOCUS
(contributed by Mark Joseph Edwards, News Editor, mark@ntsecurity.net)

  • SECURITY CHECKLISTS AND HANDY TOOLS

  • When you perform a new software installation, do you use a checklist to make sure you've adjusted the configuration for better security? Numerous helpful checklists are available for various systems, many of them online. Windows & .NET Magazine published a new guide in February 2002, which is available for free: "Secure Your Operating System—Guidelines for Hardening Windows 2000."

    Jan De Clercq, who writes the NT Gatekeeper column for the Security Administrator print newsletter, developed the checklist, which covers a variety of system-configuration settings. The guide covers topics such as authentication, access control, system-related hardening features, Group Policy settings, and using Microsoft's Security Configuration Tool Set. The guide also includes references to many security tools and resources available for free. You can download a copy of the guide in PDF format at the IT Buyer's Network Web site.

    I also recommend a set of free checklists from Australian-based company InterSect Alliance. You'll find valuable checklists for five products that many of you use: Win2K, Windows NT, Microsoft IIS, Apache Web server, and Linux.

    The checklists cover several aspects of the products, and, as you might expect, each checklist begins with suggestions about how to perform installation. The checklists also discuss network services and network access controls, object access controls, subsystems that particular products contain, and, of course, auditing. Even if you have checklists you already use, stop by the Web site and examine these lists as well—you might find additional items for consideration that you've overlooked.

    Arne Vidstrom, Swedish security aficionado, recently released a new security tool—PromisDetect—which is available for free. The tool runs on Windows XP, Win2K, and NT. The tool checks systems to determine whether their network adapters are running in promiscuous mode. Systems whose network adapter cards run in promiscuous mode probably run software that acts as a traffic sniffer, and you don't want just anybody running a sniffer on your network. As you know, network packets often contain sensitive information, including authentication data and proprietary company information, so letting sniffers run unchecked on the network weakens overall security. PromisDetect is a good way to identify rogue sniffers. However, as Vidstrom notes, because someone running a sniffer might also be intercepting traffic from software designed to detect sniffers, PromisDetect and similar sniffer detectors aren't foolproof. You can download a copy of PromisDetect, as well as several other useful security-related tools, at Vidstrom's Web site.
    http://www.ntsecurity.nu/toolbox

    As I read our "HowTo for Security" mailing list last week (you can subscribe at the URL below), I noticed that subscribers were asking how to map listening ports back to their respective system services. As you know, using a command such as the "netstat –a" command or the "netstat –an" command can produce a list of ports, port service names, and IP addresses. However, the lists don't include a map to the actual system service that opened the port in the first place. Although you can see which port is listening, which computer system is connected to it, and which service the port is typically used for, you're still in the dark about which application on your system actually opened the port.
    http://www.secadministrator.com/listserv/page_listserv.asp?s=howto

    Fortunately, tools are available that support further discovery. Foundstone's Fport tool maps listening ports to the software on your system that opened the port. When you run the Fport tool, you see a list of open ports matched to a list of the applications that opened the ports. The list includes full pathnames so that you can more easily identify the exact programs referenced. You can download a copy of Fport and several other useful security tools at the Foundstone Web site.
    http://www.foundstone.com/knowledge/proddesc/fport.html

    Finally, are you keeping up with Microsoft security bulletins and related hotfixes? Even if you are, keep in mind that occasionally Microsoft publishes workarounds for security problems without releasing a related bulletin to alert you to the need for system-configuration adjustments. For example, Microsoft recently released the article, "Denial of Service Attack on Port 445 May Cause Excessive CPU Use". The article discusses registry settings that can help prevent particular Denial of Service (DoS) attacks. You can read about the matter in the related news story in this issue of Security UPDATE.
    http://www.secadministrator.com/articles/index.cfm?articleid=24948


    SPONSOR: SPONSOR: SPI DYNAMICS WEB APPLICATION SECURITY WHITE PAPER

    ALERT! Web applications are the new area of attack for hackers!
    By taking advantage of your website and using it to exploit your applications, a hacker can gain access to your backend data. All undetectable by today's methods of Internet security! Download this *FREE* white paper from SPI Dynamics that provides a complete guide of vulnerabilities and steps for protection!
    http://www.spidynamics.com/mktg/webappsecurity7/


    2. SECURITY RISKS

  • Buffer Overflow in Talentsoft'S Web+ 5.0 and WEB+ 4.6 AFFECTS MICROSOFT IIS

  • A buffer-overflow condition in talentsoft's Web+ 5.0 and Web+ 4.6 could result in the execution of code on the vulnerable system under the system security context. Requesting a Wireless Markup Language (WML) file from a Web server and supplying an overly long cookie can cause the internal buffer to overflow, overwriting a saved return address on the stack. The vendor, talentsoft, has created a patch for this vulnerability. For a link to the patch, visit the URL below.
    http://www.secadministrator.com/articles/index.cfm?articleid=24929

    3. ANNOUNCEMENTS

  • LEARN FROM (OR TRY TO STUMP) TOP WINDOWS SECURITY PROS

  • The Windows & .NET Magazine LIVE! event brings together industry gurus who take security seriously. Topic coverage includes Microsoft IIS security, deploying public key infrastructure (PKI), designing Group Policies to enhance security, tips for securing Windows 2000 networks, security pitfalls (and solutions) for your mobile workforce, and more. Register today before this event sells out!
    http://www.winnetmagLIVE.com

  • CAST YOUR VOTE FOR OUR READER'S CHOICE AWARDS!

  • Which companies and products do you think are the best on the market? Nominate your favorites in four different categories for our annual Windows & .NET Magazine Reader's Choice Awards. You could win a T-shirt or a free Windows & .NET Magazine Super CD, just for submitting your ballot. Click here!
    http://www.winnetmag.com/readerschoice

    4. SECURITY ROUNDUP

  • NEWS: MICROSOFT ARTICLE Q320751: DoS WORKAROUNDS

  • Peter Grundl, a researcher at KPMG in Denmark, discovered a Denial of Service (DoS) condition in Windows 2000 that could potentially cause systems to crash. Microsoft issued the article, " Denial of Service Attack on Port 445 May Cause Excessive CPU Use," regarding the matter. The article describes two methods to work around the vulnerability.
    http://www.secadministrator.com/articles/index.cfm?articleid=24948

  • NEWS: New Variant of Klez Worm Spreading

  • Antivirus software maker Panda Software has issued a warning about a dangerous new worm variant, W32/Klez.I, which is spreading across Europe and Asia. Panda Software expects the virus to spread to the United States beginning this week.
    http://www.secadministrator.com/articles/index.cfm?articleid=24867

  • NEWS: eEYE DIGITAL SECURITY AND ST. BERNARD SOFTWARE BUNDLE SOFTWARE

  • eEye Digital Security and St. Bernard Software have announced a strategic partnership to bundle eEye's Retina Network Security Scanner software with St. Bernard's UpdateEXPERT software. The software bundle lets administrators use Retina Network Security Scanner to scan for security vulnerabilities and use UpdateEXPERT to help correct a problem by guiding the administrator through the process of installing patches and making configuration adjustments.
    http://www.secadministrator.com/articles/index.cfm?articleid=24925

  • NEWS: WebEyeAlert AND AMCEST PARTNER FOR VIDEO SURVEILLANCE

  • WebEyeAlert, which develops WebEyeAlert video security surveillance technology, announced a strategic partnership with Amcest, a nationwide monitoring service. Under the terms of the partnership, Amcest will offer its dealers the WebEyeAlert solution to promote free video monitoring services to its customers.
    http://www.secadministrator.com/articles/index.cfm?articleid=24924

    5. INSTANT POLL

  • RESULTS OF PREVIOUS POLL: HOTFIX AVAILABILITY NOTIFICATION

  • The voting has closed in Windows & .NET Magazine's Security Administrator Channel nonscientific Instant Poll for the question, "If someone makes information about a security vulnerability public before the company whose product is involved has developed a fix, should that company notify customers about an estimated time when a fix will be available?" Here are the results (+/- 2 percent) from the 473 votes:
    • 90% Yes
    • 6% No
    • 4% Not sure

  • NEW INSTANT POLL: ANTIVIRUS DEFENSE LOCATION

  • The next Instant Poll question is, "Where have you placed your organization's antivirus defenses?" Go to the Security Administrator Channel home page and submit your vote for a) on desktops, b) on email servers, c) on file servers, d) at the Internet border, or e) at two or more of the above locations.
    http://www.secadministrator.com

    6. SECURITY TOOLKIT

  • VIRUS CENTER

  • Panda Software and the Windows & .NET Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security.
    http://www.secadministrator.com/panda

  • Virus Alert: W32/Klez.I

  • W32/Klez.I is a worm that's designed to spread through email. The messages the worm sends have different subjects, which include
    • A new website
    • Introduction on ADSL
    • Fw:virus,japanese lass' sexy pictures
    • A very new game
    • NOSHADE CLASS

    The body of the message the worm sends might contain any of the following text:
    This is a new website. I wish you would like it.
    This game is my first work.
    You're the first player.
    I hope you would enjoy it

    Files attached to messages the worm sends have random names. Once run, the worm creates a file in the Windows directory and a file in the Program Files folder.
    http://63.88.172.127/panda/index.cfm?fuseaction=virus&virusid=1154

  • FAQ: How can I disable IPSec on a VPN connection that uses L2TP?

  • ( contributed by John Savill, http://www.windows2000faq.com )

    A. Windows automatically creates an IP Security (IPSec) policy for Layer Two Tunneling Protocol (L2TP) connections because L2TP doesn't encrypt data. However, you might want to test a VPN L2TP connection without IPSec (e.g., when you're troubleshooting). Although you must disable IPSec on both the client and server in this situation, make sure you reenable the security policy after you resolve any problems; otherwise, your systems are vulnerable to attack. To disable IPSec, perform the following steps on both client and server:

    1. Start a registry editor (e.g., regedit.exe).
    2. Navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters subkey.
    3. From the Edit menu, select New, DWORD Value.
    4. Enter a name of ProhibitIpSec and click Enter.
    5. Double-click the new value, set it to 1, and click OK.
    6. Restart the machine.

    For more information, see the Microsoft article "How to Configure a L2TP/IPSec Connection Using Pre-shared Key Authentication."
    http://support.microsoft.com/default.aspx?scid=kb;en-us;q240262

    7. NEW AND IMPROVED
    (contributed by Judy Drennen, products@winnetmag.com)

  • SECURE YOUR COMPANY WITH CAMERAS

  • CamDevTeam released CamSurveillance, shareware capable of monitoring up to 50 IP-addressable network cameras to secure your company. You can use the cameras within your company's LAN or select your favorite WebCams from the Internet. CamSurveillance runs on Windows XP, Windows 2000, Windows NT, Windows Me, and Windows 9x systems and costs $49.95. Contact CamDevTeam at webmaster@camsurveillance.com for a trial download.
    http://www.camsurveillance.com

  • PROTECT YOUR HARDWARE FROM THEFT

  • Brigadoon Software announced PC PhoneHome Enterprise, software that gives enterprise-level users a security tool to protect computer hardware and intellectual property against theft. PC PhoneHome Enterprise works by sending periodic signals to a centralized command center the licensee chooses with the exact coordinates of the registrant's computer. If the computer is lost or stolen, the signals can pinpoint the computer's whereabouts. PC PhoneHome Enterprise runs on all Windows and Macintosh systems. For pricing, contact Brigadoon at the Web site.
    http://www.brigadoonsoftware.com

    8. HOT THREADS

  • WINDOWS & .NET MAGAZINE ONLINE FORUMS

  • http://www.winnetmag.net/forums

    Featured Thread: View All Permissions and Shares
    (Two messages in this thread)
    Tom wants to know how he can view a list of all permissions and shares on a given system. Can you help?
    http://www.secadministrator.com/forums/thread.cfm?thread_id=102362

  • HOWTO MAILING LIST

  • http://www.secadministrator.com/listserv/page_listserv.asp?s=howto

    Featured Thread: Exceeding the 512-Character Limit of the Legal Logon Notice
    (One message in this thread)
    Windows 2000 Group Policy restricts the length of the logon sequence legal notice text to 512 characters. This length is probably sufficient in most cases. However, some countries have a legal requirement to display such notices in more than one language, which can cause the total text displayed to exceed the 512-character limit. Are there any known workarounds to the 512-character restriction? Can you help? Read the responses or lend a hand at the following URL.
    http://63.88.172.96/listserv/page_listserv.asp?A2=ind0204c&l=howto&p=659

    9. CONTACT US
    Here's how to reach us with your comments and questions:

    • ABOUT IN FOCUS — mark@ntsecurity.net
    • ABOUT THE NEWSLETTER IN GENERAL — vpatterson@winnetmag.com

    (please mention the newsletter name in the subject line)

    • TECHNICAL QUESTIONS — http://www.winnetmag.net/forums
    • PRODUCT NEWS — products@winnetmag.com
    • QUESTIONS ABOUT YOUR Security UPDATE SUBSCRIPTION?
      Customer Support — securityupdate@winnetmag.com
    • WANT TO SPONSOR Security UPDATE?
      emedia_opps@winnetmag.com

    This email newsletter is brought to you by Security Administrator, the print newsletter with independent, impartial advice for IT administrators securing a Windows 2000/Windows NT enterprise. Subscribe today!
    http://www.secadministrator.com/sub.cfm?code=saei25xxup

    Receive the latest information about the Windows and .NET topics of your choice. Subscribe to our other FREE email newsletters.
    http://www.winnetmag.net/email

    Thank you for reading Security UPDATE.

    Copyright 2002, Penton Media, Inc.