Windows & .NET Magazine Security UPDATE—brought to you by Security Administrator, a print newsletter bringing you practical, how-to articles about securing your Windows .NET Server, Windows 2000, and Windows NT systems.
http://www.secadministrator.com


THIS ISSUE SPONSORED BY

Security Auditing and Configuration Analysis!
http://www.aelita.com/w2k717

VeriSign - The Value of Trust
http://www.verisign.com/cgi-bin/go.cgi?a=n203987360057000
(below IN FOCUS)


SPONSOR: SECURITY AUDITING AND CONFIGURATION ANALYSIS!

How many people have administrative rights in your network? How many unused user accounts are in your domains? What changes were made to your directories during the last week? Security vulnerabilities occur when you can't answer these questions. Don't be vulnerable to attacks from inside and outside your network. Aelita Enterprise Directory Reporter offers a comprehensive directory reporting and security assessment solution for Windows NT/2000, Active Directory, and Exchange. Improve security with network configuration, Group Policy, and user information that lets you locate and correct problems and implement enterprise-wide policies. Download a FREE evaluation copy. Put Aelita in the lab!
Visit http://www.aelita.com/w2k717


July 17, 2002—In this issue:

1. IN FOCUS

  • Unwise Connectivity; Microsoft Obtains Third-Party Protection; and Camera/Shy

2. SECURITY RISKS

  • Multiple Vulnerabilities in Microsoft SQL Server 2000 and MSDE 2000
  • DoS in WatchGuard Firebox VPN Appliance
  • DoS in BEA WebLogic for Win2K and NT

3. ANNOUNCEMENTS

  • Register Today for Our Win2K Migration Web Seminar!
  • Enter the Windows & .NET Magazine/Transcender Sweepstakes!

4. SECURITY ROUNDUP

  • News: Survey Says Web Is More Vulnerable Than Ever
  • Feature: Security Holes Pop Up in Unexpected Places
  • Feature: Best Practices for Secure Administrator Accounts

5. HOT RELEASES

  • Sprint IP VPN Services: Special Offer
  • IBM E-Business Integration White Paper

6.SECURITY TOOLKIT

  • Virus Center
  • FAQ: How Can I Force a User to Use a Machine-Specific Group Policy Rather Than a User-Specific Group Policy?

7. NEW AND IMPROVED

  • Submit Top Product Ideas
  • Protect Your Valuable Notebook from Theft
  • Invisible Means Invulnerable

8. HOT THREADS

  • Windows & .NET Magazine Online Forums
  • Featured Thread: Blocking IRC Scripts

9. CONTACT US

  • See this section for a list of ways to contact us.

1. IN FOCUS
(contributed by Mark Joseph Edwards, News Editor, mark@ntsecurity.net)

  • UNWISE CONNECTIVITY; MICROSOFT OBTAINS THIRD-PARTY PROTECTION; AND CAMERA/SHY

  • According to a provocative article from the Associated Press (AP) wire last week (which draws information from a Los Angeles Times report), US power and energy companies "have become targets for computer hackers who have managed to penetrate energy control networks as well as administrative systems."
    http://www.cbsnews.com/stories/2002/07/08/tech/main514426.shtml

    The article reports that the online power and energy companies surveyed have experienced an average of 1280 attacks in the past 6 months alone. Riptech, which performed the study, said that the number of attacks represents a 77 percent increase over the number of attacks experienced last year. According to the article, FBI Cybercrime Director Ronald Dick said, "The event that I fear most is a physical attack in conjunction with the success of a cyber attack on an infrastructure such as electric power or 911."

    The report points out the weakest link in the energy and power companies' infrastructure: control systems that monitor power grids and govern the flow of oil and water through pipelines. Formerly, these systems weren't connected to public networks such as the Internet, but now they are—and, as a result, they're vulnerable to attack.

    The story begs the obvious question: Why would any entity connect extremely critical infrastructures (e.g., power companies, national 911 services) to the Internet? By doing so, they ask for serious trouble. Is that wise in times such as these? I don't think so.

    In other recent and interesting news, PC World reported that Microsoft has adopted NetScreen-500 to help protect its corporate network (see the first URL below). NetScreen Technologies (see the second URL below) issued a press release regarding the adoption. NetScreen-500 is a firewall/VPN combination appliance that, among other things, helps stop viruses and worms from propagating into a network. What makes this news strange is that Microsoft touts its Internet Security and Acceleration (ISA) Server 2000 (see the third URL below) as a product that "protects the enterprise network from hacker intrusion and malicious worms through application-level filtering."
    http://www.pcworld.com/news/article/0,aid,102626,tk,dn071202X,00.asp
    http://www.netscreen.com/products/index.html
    http://www.microsoft.com/isaserver/howtobuy/upgrade.asp

    Are you looking for a way to transmit sensitive information? A group that calls itself Hacktivismo has released a new tool called Camera/Shy at the Hackers On Planet Earth (HOPE) Conference in New York. Camera/Shy is a steganography tool that encrypts and stores data in graphical image files. Steganography adds extra data to a typical image file so that when someone views the file, it seems to contain an ordinary image. After data is stored in an image file, you can transmit the file, and the recipient can recover the data stored therein. According to Hacktivismo, the tool is easy to use. Camera/Shy targets users who work behind network border devices that filter or censor Internet content. You can find a temporary download site for Camera/Shy and its documentation at the first URL below. Let's hope nobody uses Camera/Shy to attack power and energy companies. For additional information about steganography, go to the second URL below.
    http://members.cox.net/osioniusx/CameraShy.exe
    http://www.secadministrator.com/articles/index.cfm?articleid=20057


    SPONSOR: VERISIGN - THE VALUE OF TRUST

    FREE E-COMMERCE SECURITY GUIDE
    Is your e-business built on a strong, secure foundation? Find out with VeriSign's FREE White Paper, "Building an E-Commerce Trust Infrastructure." Learn how to authenticate your site to customers, secure your web servers with 128-Bit SSL encryption, and accept secure payments online. Click here:
    http://www.verisign.com/cgi-bin/go.cgi?a=n203987360057000


    2. SECURITY RISKS
    (contributed by Ken Pfeil, ken@winnetmag.com)

  • MULTIPLE VULNERABILITIES IN SQL SERVER 2000 AND MSDE 2000

  • Cesar Cerrudo and Mark Litchfield of Next Generation Security Software discovered multiple vulnerabilities in Microsoft SQL Server 2000 and Microsoft SQL Server Desktop Engine (MSDE) 2000, the most severe of which can lead to remote compromise of the vulnerable server. Microsoft has released Security Bulletin MS02-034 (Cumulative Patch for SQL Server) to address this vulnerability and recommends that affected users download and apply the appropriate patch mentioned in the bulletin. These patches are cumulative and address all previously discovered vulnerabilities in the affected product.
    http://www.secadministrator.com/articles/index.cfm?articleid=25868

  • DoS IN WATCHGUARD FIREBOX VPN APPLIANCE

  • Andreas Sandor and Peter Grundl discovered a Denial of Service (DoS) condition in WatchGuard Technologies' Firebox with firmware 5.x.x. By sending a malformed packet to the listener service on TCP port 4110, an attacker can cause the Dynamic VPN Configuration Protocol (DVCP) service to fail. The vendor, WatchGuard, recommends that affected users upgrade their firmware to version 6.x.x, available through the company's LiveSecurity Service.
    http://www.secadministrator.com/articles/index.cfm?articleid=25812

  • DoS IN BEA WEBLOGIC FOR WIN2K AND NT

  • Peter Grundl discovered a Denial of Service (DoS) condition in BEA Systems' WebLogic Server when used with the performance pack, which installs by default. By data or connection flooding, an attacker can crash the Web service with a report of an error in ntdll.dll. The vendor, BEA Systems, has released a security advisory to address this problem and recommends that affected users apply the appropriate patch listed in this bulletin.
    http://www.secadministrator.com/articles/index.cfm?articleid=25811

    3. ANNOUNCEMENTS
    (brought to you by Windows & .NET Magazine and its partners)

  • REGISTER TODAY FOR OUR WIN2K MIGRATION WEB SEMINAR!

  • You can make the Windows 2000 road less bumpy—if you know how. Hear Jeremy Moskowitz talk about what to do before your Win2K migration actually begins, and what to be on the lookout for during the migration process. This special online event is scheduled for Thursday, July 18, so sign up today!
    http://www.winnetmag.com/seminars/epresence

  • ENTER THE WINDOWS & .NET MAGAZINE/TRANSCENDER SWEEPSTAKES!

  • Nothing can help you prepare for certification like Transcender products, and no one can help you master your job like Windows & .NET Magazine. Enter our combined sweepstakes contest, and you could win a Transcender Deluxe MCSE Core Pak (a $569 value) or one of several other great prizes. Sign up today!
    http://www.winnetmag.com/sub.cfm?code=swei202fus

    4. SECURITY ROUNDUP

  • NEWS: SURVEY SAYS WEB IS MORE VULNERABLE THAN EVER

  • A June 2002 Netcraft survey shows that Web sites are more vulnerable than ever because of several recently reported security problems with Microsoft IIS and Apache Web server. Netcraft polled 38,807,788 Web servers and found that 59.67 percent (more than 23 million sites) run Apache Web server and 28.96 percent run IIS.
    http://www.secadministrator.com/articles/index.cfm?articleid=25846

  • FEATURE: SECURITY HOLES POP UP IN UNEXPECTED PLACES

  • With so many obvious security holes that systems administrators must watch for, keeping up with all the potential problem areas that the Windows OSs present is tough. It's even worse when the security problems occur in a little-used but ubiquitous application such as the Windows Media Player (WMP).
    http://www.secadministrator.com/articles/index.cfm?articleid=25840

  • FEATURE: BEST PRACTICES FOR SECURE ADMINISTRATOR ACCOUNTS

  • Creating unique passwords for your Administrator accounts is one important step you can take to keep your systems secure. Dick Lewis offers best practices that can help you protect the powerful Administrator account from intruders. Be sure to read the article on our Web site!
    http://www.secadministrator.com/articles/index.cfm?articleid=25721

    5. HOT RELEASES

  • SPRINT IP VPN SERVICES: SPECIAL OFFER

  • For secure, global network access and great savings, visit
    http://ad.doubleclick.net/clk;4366192;7296505;q?http://www.sprintbiz.com/apps/tag/sprintbizQ2Growth/,16,27,S3,199/bsgpromo/ip1.html

  • IBM E-BUSINESS INTEGRATION WHITE PAPER

  • Learn to remain competitive as e-business technologies evolve. The IBM white paper, "Managing e-business integration challenges," will help you understand how to identify key integration components. Get your complimentary copy at
    http://www.ibm.com/e-business/playtowin/n122

    6. SECURITY TOOLKIT

  • VIRUS CENTER

  • Panda Software and the Windows & .NET Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security.
    http://www.secadministrator.com/panda

  • FAQ: HOW CAN I FORCE A USER TO USE A MACHINE-SPECIFIC GROUP POLICY RATHER THAN A USER-SPECIFIC GROUP POLICY?

  • (contributed by John Savill, http://www.windows2000faq.com)

    A. Typically, the settings that the OS applies when a user logs on are based on the user's account container (e.g., a domain, a site, an organizational unit—OU), regardless of which container the user's machine belongs to. In some instances, you might want to forgo using this default behavior and instead associate a user's settings with the location of the user's computer within Active Directory (AD). For example, you might want to set a strict, defined set of policies for a publicly accessible computer, regardless of who logs on to that computer.

    To establish machine-specific settings, use Group Policy to set the computer's container to "loopback" mode—so that the computer's client settings take precedence—by performing the following steps:

    1. Start Group Policy Editor (GPE) and load the policy that affects the computer whose behavior you want to modify (alternatively, you can start the Microsoft Management Console—MMC—Active Directory Users and Computers snap-in, right-click the container, select Properties, then select the Group Policy tab).


    2. Expand the Computer Configuration, Administrative Templates, System, Group Policy branches.


    3. Double-click the "Loopback Policy" option (or "User Group Policy loopback processing mode" in Windows .NET Server—Win.NET Server).


    4. Select the Enabled option, then select the Mode:
      - Merge Mode—loads a user's normal settings first, then loads any settings based on the computer's location, thus overwriting any conflicting user settings
      - Replace Mode—loads only settings based on the computer's location


    5. Click OK.

    7. NEW AND IMPROVED
    (contributed by Judy Drennen, products@winnetmag.com)

  • SUBMIT TOP PRODUCT IDEAS

  • Have you used a product that changed your IT experience by saving you time or easing your daily burden? Do you know of a terrific product that others should know about? Tell us! We want to write about the product in a future What's Hot column. Send your product suggestions to whatshot@winnetmag.com.

  • PROTECT YOUR VALUABLE NOTEBOOK FROM THEFT

  • Belkin released SafeTech, a line of security products for notebook computers, dock stations, flat-screen monitors, and other expensive computer devices. The SafeTech line features two locks: a keyless version, the SafeTech C100 Combo Security Lock at $24.95 and a keyed version, the SafeTech K100 Security Lock at $29.95. For more information, go to the Belkin Web site.
    http://www.belkin.com

  • INVISIBLE MEANS INVULNERABLE

  • Gianus Technologies introduced Phantom Total Security (PTS), security software that can protect any type of computer data by making it invisible to attackers, unauthorized users, and even viruses. PTS splits a computer hard disk into two parts, then makes one part disappear with the simple click of an icon. PTS costs $190 and runs on multiple OSs on the same computer, each OS transparent to the other. Contact Gianus Technologies at 212-838-7070.
    http://www.phantomts.com

    8. HOT THREADS

  • WINDOWS & .NET MAGAZINE ONLINE FORUMS

  • http://www.winnetmag.com/forums

    Featured Thread: Blocking IRC Scripts
    (Two messages in this thread)

    Brett writes that one of his clients found that someone has gained access to the client's Windows 2000 server and installed an Internet Relay Chat (IRC) script that lets a remote user control the server. The script uses two programs, firedeamon.exe and srchost.exe. Brett wants to know the best way to prevent the installation of such scripts.

    9. CONTACT US
    Here's how to reach us with your comments and questions:

    • ABOUT IN FOCUS — mark@ntsecurity.net
    • ABOUT THE NEWSLETTER IN GENERAL — vpatterson@winnetmag.com
      (please mention the newsletter name in the subject line)
    • TECHNICAL QUESTIONS — http://www.winnetmag.net/forums
    • PRODUCT NEWS — products@winnetmag.com
    • QUESTIONS ABOUT YOUR Windows & .NET Magazine Security UPDATE SUBSCRIPTION?
      Customer Support — securityupdate@winnetmag.com

    This email newsletter is brought to you by Security Administrator, the print newsletter with independent, impartial advice for IT administrators securing a Windows 2000/Windows NT enterprise. Subscribe today!
    http://www.secadministrator.com/sub.cfm?code=saei25xxup

    Receive the latest information about the Windows and .NET topics of your choice. Subscribe to our other FREE email newsletters.
    http://www.winnetmag.net/email