Windows & .NET Magazine Security UPDATE—brought to you by Security Administrator, a print newsletter bringing you practical, how-to articles about securing your Windows .NET Server, Windows 2000, and Windows NT systems.
http://www.secadministrator.com



July 3, 2002—In this issue:

1. IN FOCUS

  • Patch Your Apache Servers Now

2. ANNOUNCEMENTS

  • Windows Scripting Solutions for the Systems Administrator
  • Attend Black Hat Briefings & Training, July 29 through August 1, Las Vegas

3. SECURITY ROUNDUP

  • News: Microsoft's Secret Plan to Secure the PC
  • Feature: Guard Your Data with Kerberos
  • Feature: Personal Firewalls

4. SECURITY TOOLKIT

  • Virus Center
  • FAQ: How Can I Modify the Installation Credential Settings in Win2K?

5. NEW AND IMPROVED

  • Network Protection Solution
  • Internet Security Solution for Data Centers

6. HOT THREADS

  • Windows & .NET Magazine Online Forums
    • Featured Thread: Outlook Personal Folders
  • HowTo Mailing List
    • Featured Thread: PC Configuration and Software Inventory

7. CONTACT US

  • See this section for a list of ways to contact us.

1. COMMENTARY
(contributed by Mark Joseph Edwards, News Editor, mark@ntsecurity.net)

  • PATCH YOUR APACHE SERVERS NOW

  • Do you use an Apache Web server? Two weeks ago, a user reported a vulnerability in the popular Web server software that lets intruders run arbitrary code and possibly gain root access to a system. The vulnerability relates to chunk-encoded data, per the HTTP 1.1 standard that Internet Engineering Task Force (IETF) Request for Comments (RFC) 2616 outlines. The Apache Software Foundation hurried to release patched code to protect against exploits, which were first thought to affect only 64-bit platforms. However, a user released source code for an exploit against 32-bit x86-based systems, which means users running Apache on 32-bit platforms are also vulnerable.

    On June 19 and June 21, a user identifying himself as "Gobbles" posted the working exploit code to the BugTraq mailing list. Not surprisingly, last Friday, June 28, users detected a new worm spreading on the Internet, which exploits the chunked-encoding vulnerability.

    One user, Domas Mituzas, captured the worm in a honeypot system and analyzed it, revealing several aspects of the worm's activity. The worm spreads by scanning for other vulnerable Apache servers. It also contains a command interface that listens on UDP port 2001 and lets the worm be instructed to perform Distributed Denial of Service (DDoS) attacks against specified targets. Shortly after Mituzas posted the worm's binary executables to the Web, he received the complete source code for the worm through email and subsequently posted that code to the Web as well.
    http://dammit.lt/apache-worm

    The problem is very serious because approximately 50 million Apache Web servers operate on the Internet. The fact that many vendors, such as Dell, have used Apache code to build Web management interfaces into their various network-management products compounds the problem.

    The Computer Emergency Response Team (CERT) issued an advisory (CA-2002-17) about the vulnerability, which is available at the first URL below. The Apache team has released updated software that helps protect 64-bit and 32-bit versions and recommends that all users upgrade to Apache 2.0.39 or Apache 1.3.26. Some users might be relying on third-party patches to help correct the matter. However, not all of those third-party patches address the complete scope of the vulnerabilities. Therefore, I urge users to immediately obtain and install patched code directly from the Apache Software Foundation.
    http://www.cert.org/advisories/CA-2002-17.html [caps required]
    http://httpd.apache.org/info/security_bulletin_20020620.txt

    But even with the new version, Apache 2.0.39, installed, Apache servers might have trouble. Another user, Brett Glass, reported that one of his Apache 2.0.39 servers "went berserk" by spawning the maximum number of child processes, which locked up his system. His logs revealed that the child processes had been attempting to free memory space that had already been freed. No more information about this anomaly is available right now. However, I'll keep you posted regarding any significant new information. In the meantime, help ward off a potential DDoS nightmare: Patch your Apache servers now.
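As an added example (not part of the original newsletter), the following Python sketch triages an inventory of HTTP Server banners against the fixed releases named above, Apache 1.3.26 and 2.0.39. The hostnames and banners are constructed sample data, and the status names are this example's own; a banner cannot show vendor-backported fixes or Apache code embedded in management products, so anything not clearly at or above the fixed release should be verified on the host.

```python
import re

# Fixed releases named in the commentary above, keyed by (major, minor) branch.
FIXED = {(1, 3): (1, 3, 26), (2, 0): (2, 0, 39)}

# Product token of an HTTP Server header, e.g. "Apache/1.3.24 (Unix) mod_ssl/2.8.8".
BANNER_RE = re.compile(r"\bApache(?:/(\d+)\.(\d+)(?:\.(\d+))?)?", re.IGNORECASE)


def classify(banner):
    """Classify one Server header value against the fixed releases."""
    m = BANNER_RE.search(banner or "")
    if m is None:
        return "not_apache"
    if m.group(3) is None:
        # Version hidden or truncated by configuration: check the host itself.
        return "unknown"
    version = tuple(int(g) for g in m.groups())
    fixed = FIXED.get(version[:2])
    if fixed is None:
        return "unknown"  # branch the commentary gives no fixed release for
    return "at_or_above_fixed" if version >= fixed else "below_fixed"


def triage(inventory):
    """Group (host, banner) pairs by status so below-fixed hosts surface first."""
    report = {"below_fixed": [], "unknown": [],
              "at_or_above_fixed": [], "not_apache": []}
    for host, banner in inventory:
        report[classify(banner)].append(host)
    return report


# Constructed sample inventory; hostnames and banners are made up for illustration.
SAMPLE = [
    ("web1.example.test", "Apache/1.3.24 (Unix) mod_ssl/2.8.8 OpenSSL/0.9.6b"),
    ("web2.example.test", "Apache/1.3.26 (Unix)"),
    ("web3.example.test", "Apache/2.0.36 (Win32)"),
    ("web4.example.test", "Apache/2.0.39 (Win32)"),
    ("mgmt1.example.test", "Apache"),
    ("iis1.example.test", "Microsoft-IIS/5.0"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```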



    2. ANNOUNCEMENTS
    (brought to you by Windows & .NET Magazine and its partners)

  • WINDOWS SCRIPTING SOLUTIONS FOR THE SYSTEMS ADMINISTRATOR

  • So, you're not a programmer, but that doesn't mean you can't learn to create and deploy timesaving, problem-solving scripts. Discover Windows Scripting Solutions online, the Web site that can help you tackle common problems and automate everyday tasks with simple tools, tricks, and scripts. While you're there, check out this article ( http://www.winscriptingsolutions.com/articles/index.cfm?articleid=20376 ) on WMI scripting for beginners!
    http://www.winscriptingsolutions.com

  • ATTEND BLACK HAT BRIEFINGS & TRAINING, JULY 29 THROUGH AUGUST 1, LAS VEGAS

  • This is the world's premier technical security event! Includes 8 tracks, 12 training sessions, a Richard Clarke keynote, 1500 delegates from 30 nations, and lots of new sessions and sponsors just added. Some classes are near sellouts. See what the buzz is about for yourself. Visit:
    http://www.blackhat.com

    3. SECURITY ROUNDUP

  • NEWS: Microsoft's Secret Plan to Secure the PC

  • You've heard of Trustworthy Computing and the massive corporate remodeling going on at Microsoft: The company has asked all its developers, product managers, and executive assistants to rethink everything they do in the context of security. Well, that's just the tip of the iceberg. Secretly, the company has been working on a plan to rearchitect the PC from the ground up, to address the security, privacy, and intellectual property theft concerns that dog the industry today.
    http://www.secadministrator.com/articles/index.cfm?articleid=25681

  • FEATURE: Guard Your Data with Kerberos

  • Servers depend on the twin processes of authentication and authorization. If the server doesn't have total confidence in the user's identity and thus can't be sure of the permissions a user has, all attempts to control access to data fail. Microsoft has long preferred Windows NT-authenticated logons over SQL Server-authenticated logins because Windows has more effective mechanisms for verifying users' identities than just comparing an account and password combination. Kerberos authentication, Windows 2000's default authentication protocol, improves on NT's authentication protocol in several ways and offers identification of both the client and the server.
    http://www.secadministrator.com/articles/index.cfm?articleid=25080

  • FEATURE: Personal Firewalls

  • All you want to do is use your computer to do your job, play games, learn, buy, and surf the Web. You don't want to worry about malicious intruders, port scans, Trojan horses, worms, and all the other mischievous stuff that hunts your computer. You shouldn't have to worry, but you must; thousands of malicious programs exist solely to break into your PC. That's where personal firewalls come in. Roger A. Grimes reviews six personal firewalls. Be sure to read the review on our Web site!
    http://www.secadministrator.com/panda

    4. SECURITY TOOLKIT

  • VIRUS CENTER

  • Panda Software and the Windows & .NET Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security.
    http://www.winnetmag.com/mobile

  • FAQ: How can I modify the installation credential settings in Win2K?

  • (contributed by John Savill, http://www.windows2000faq.com)

    A. An administrator can lock down a system to prevent a user from installing new software or configure the system so that the user can provide credentials to let the installation continue. To modify the installation credential settings for one machine, perform the following steps:

    1. Start a registry editor (e.g., regedit.exe).
    2. Navigate to the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer registry subkey.
    3. Double-click the NoRunasInstallPrompt value; set it to 1 to disable credentials or 0 to allow credentials.
    4. Click OK.

    To modify the installation credential settings for network installations, perform the following steps:

    1. Start a registry editor (e.g., regedit.exe).
    2. Navigate to the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer registry subkey.

    3. Double-click the PromptRunasInstallNetPath value; set it to 1 to disable credentials or 0 to allow credentials.
    4. Click OK.

    5. NEW AND IMPROVED
    (contributed by Judy Drennen, products@winnetmag.com)

  • NETWORK PROTECTION SOLUTION

  • Internet Security Systems (ISS) announced RealSecure Server Sensor for Microsoft Internet Security and Acceleration (ISA) Server 2000. RealSecure is an advanced protection solution designed to help Microsoft users in small to midsize organizations detect, prevent, and respond to an ever-changing spectrum of online threats. RealSecure continuously detects and responds to unauthorized or suspicious network behavior in realtime. For pricing information, contact ISS at 888-901-7477.
    http://www.iss.net/isaserver

  • INTERNET SECURITY SOLUTION FOR DATA CENTERS

  • Check Point Software Technologies announced Check Point VPN-1/FireWall-1 VSX, a carrier-class multipolicy Internet security solution for service providers and corporate data centers. Through software virtualization and Virtual LAN (VLAN) technology, VPN-1/FireWall-1 VSX scales Check Point's VPN-1/FireWall-1 to create up to 100 separate virtual systems on one hardware platform. VPN-1/FireWall-1 VSX costs $24,000 for 10 customer policies. Contact Check Point at 800-429-4391.
    http://www.checkpoint.com

    6. HOT THREADS

  • WINDOWS & .NET MAGAZINE ONLINE FORUMS

  • http://www.winnetmag.com/forums

  • Featured Thread: Outlook Personal Folders

  • (One message in this thread)

    Magnus has a Windows NT domain with a few Windows 2000 clients. All users have roaming profiles. When a user has been working on a Win2K client system, then goes to an NT client system, that user's profile doesn't work correctly. When the user checks email, he or she gets a message requesting them to enter a Windows password, which doesn't exist. Magnus has found two solutions to the problem: He either disables the service for Outlook Personal Folders or recreates the user's whole profile. Do you have a better solution?
    http://www.secadministrator.com/forums/thread.cfm?thread_id=107785

  • HOWTO MAILING LIST

  • http://www.secadministrator.com/listserv/page_listserv.asp?s=howto

  • Featured Thread: PC Configuration and Software Inventory

  • (Twenty-one messages in this thread)

    Julias must perform a security audit that includes auditing installed software. At the same time, he needs to obtain information about the computer hardware configuration for several PCs on his network. He wants to know whether anyone knows of a PC configuration or software audit program that he can run from a 3.5" disk. The PCs he must audit run Windows 2000, Windows NT, Windows 9x, and DOS. Read the responses or lend a hand at the following URL:
    http://63.88.172.96/listserv/page_listserv.asp?a2=ind0206c&l=howto&p=80

    7. CONTACT US
    Here's how to reach us with your comments and questions:

    • ABOUT IN FOCUS — mark@ntsecurity.net
    • ABOUT THE NEWSLETTER IN GENERAL — vpatterson@winnetmag.com

    (please mention the newsletter name in the subject line)

    • TECHNICAL QUESTIONS — http://www.winnetmag.net/forums
    • PRODUCT NEWS — products@winnetmag.com
    • QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION?
      Customer Support — securityupdate@winnetmag.com
    • WANT TO SPONSOR SECURITY UPDATE?
      emedia_opps@winnetmag.com

    Thank you for reading Security UPDATE.