Windows & .NET Magazine Security UPDATE--August 6, 2003

===============

==== This Issue Sponsored By ====

Ecora Software http://list.winnetmag.com/cgi-bin3/DM/y/eA0D74Eh0CCB0BBlS0A2

HP & Microsoft Network Storage Solutions Road Show http://list.winnetmag.com/cgi-bin3/DM/y/eA0D74Eh0CCB07cD0AM

==========

1. In Focus: The RPC/DCOM Bugs: How Bad Are They?

2. Security Risks - Information-Disclosure Vulnerability in Cisco AP1100 - DoS Vulnerability in Cisco WAP

3. Announcements - Need Help Managing Your Storage Investment? - Learn More About the Security Risks in Exchange 2003

4. Security Roundup - News: Microsoft Patches Leave Systems Insecure and Break RAS - News: Is RIAA Targeting You? - News: Bono Introduces Spyware Bill - News: Are You Vulnerable to RPC Exploitation?

5. Instant Poll - Results of Previous Poll: Cisco IOS Software Vulnerability - New Instant Poll: RPC/DCOM Probing

6. Security Toolkit - Virus Center - FAQ: What Command-Prompt Tool Reports System Uptime?

7. Event - New--Mobile & Wireless Road Show!

8. New and Improved - Monitor Web Content from Both Directions - Submit Top Product Ideas

9. Hot Thread - Windows & .NET Magazine Online Forums - Featured Thread: Auditing Software for Win2K? - HowTo Mailing List - Featured Thread: Batch Files in AD GPO

10. Contact Us See this section for a list of ways to contact us.

==========

==== Sponsor: Ecora Software ====

Perform patch audits in minutes with Ecora Patch Manager How confident are you that all critical security patches are deployed and up-to-date on every single system in your infrastructure? Need some help figuring it all out before the next big worm attack? Try a free copy of Ecora Patch Manager. Designed for IT professionals short on time, Patch Manager completely automates and simplifies the entire patch management cycle in just minutes. See for yourself how automation can save time, reduce costs, and keep your IT infrastructure stable and secure. Download a free, fully-functional trial of Ecora Patch Manager now! Patch Manager supports mission-critical OS platforms and applications, including Windows NT/2000/XP, Microsoft Exchange, IIS, SQL, MSDE, Windows Media Player, Microsoft Office, and IE. http://list.winnetmag.com/cgi-bin3/DM/y/eA0D74Eh0CCB0BBlS0A2

==========

==== 1. In Focus: The RPC/DCOM Bugs: How Bad Are They? ==== by Mark Joseph Edwards, News Editor, mark@ntsecurity.net

You've undoubtedly learned about the remote procedure call (RPC)-Distributed COM (DCOM) bug in Windows by now. If not, you were probably on vacation and returned to what might seem like a crisis. Microsoft released its patch for the problem, which you can read about in "Microsoft Patches Leave Systems Insecure and Break RAS" and "Are You Vulnerable to RPC Exploitation?" in this issue of Security UPDATE. However, users have discovered that the Microsoft patch doesn't exactly fix all the problems.

Users who obtained the "demonstration code" (I use that term loosely) to test their patched systems quickly learned that systems are still vulnerable to a Denial of Service (DoS) attack that crashes the svchost.exe process. One reader informed me that Microsoft has acknowledged that problem and said that it will release a fix.

Microsoft originally reported that disabling DCOM (by using dcomcnfg.exe) and blocking port 135 would mitigate attacks, which is true. However, the company later modified its bulletin to indicate that you must also block port 137 and port 445 because someone can launch an attack against those ports as well. Another reader pointed out that CERT's bulletin about the matter adds port 139 to the list of vulnerable ports. You should block access to all of these ports (UDP and TCP) wherever and whenever possible. Ports can be open on many machines, and it's always best to block everything that you don't need to leave exposed. http://www.cert.org/advisories/CA-2003-19.html

Defending against attacks by disabling DCOM might not be a practical workaround either, depending on your network environment. Members of various mailing lists (e.g., Full-Disclosure, Focus-MS) report that you might encounter critical problems with such attempted workarounds.

For example, even if you perform the blocking actions described, you might still be at risk if your Microsoft IIS servers have COM Internet Services enabled. In that case, attacks might be possible against port 80 and port 443. Also, disabling DCOM on your system eliminates the ability of different systems' COM objects to communicate with each other, which has wide-reaching effects.

Microsoft Systems Management Server (SMS) servers won't be able to perform their tasks correctly. Also, after you disable DCOM on a machine, your remote management tools won't be able to access that machine. For example, if you need to reenable DCOM to regain functionality, someone will have to physically visit that machine to turn it back on.

Obviously, patches that correct these matters would provide the best solution. By the time you read this, Microsoft might have released another patch that corrects all the problems. I hope so, because many people are concerned that someone will unleash a worm or virus that could lead to massive DoS episodes--or release Trojan horses that open back doors. Unfortunately, both possibilities are likely and at least one worm, Autorooter, has already been discovered. (You can read about the worm at the Kaspersky Lab Web site--see the URL below.) Other exploits might already have occurred by the time you read this newsletter. If such exploits occur, who will be responsible: the intruders, the people who fail to patch their systems, or the people who release proof-of-concept code? Perhaps all of those groups will have played a part. http://www.viruslist.com/eng/viruslist.html?id=61506

In the meantime, you can monitor attack trends at Internet Storm Center. The site provides useful information about security risk trends by gathering that information from numerous network sensors around the world. Be sure to check it out. http://www.incidents.org

==========

==== Sponsor: HP & Microsoft Network Storage Solutions Road Show ==== Missed the Network Storage Solutions Road Show? If you couldn't make the HP & Microsoft Network Storage Solutions Road Show, you missed Mark Smith talking about Windows-Powered NAS, file server consolidation, and more. The good news is that you can now view the Webcast event in its entirety at: http://list.winnetmag.com/cgi-bin3/DM/y/eA0D74Eh0CCB07cD0AM

==========

==== 2. Security Risks ==== contributed by Ken Pfeil, ken@winnetmag.com

Information-Disclosure Vulnerability in Cisco AP1100 VIGILANTe discovered that a vulnerability in Cisco Systems' Aironet AP1100 Wireless Access Point (WAP) can lead to information disclosure. The device is subject to a brute-force attack. Cisco has issued a notice about this vulnerability and recommends that affected users work through their usual support channels to obtain a software upgrade. http://www.secadministrator.com/articles/index.cfm?articleid=39710

DoS Vulnerability in Cisco WAP VIGILANTe discovered that a vulnerability in Cisco Systems' Aironet AP1200 and Aironet AP1100 Wireless Access Point (WAP) can lead to a Denial of Service (DoS) condition. By sending a malformed URL to the Cisco Aironet AP1200 or Aironet AP1100, an attacker can cause the device to reload. Repeating this action results in the DoS condition. Cisco has issued a notice about this vulnerability and recommends that affected users work through their usual support channels to obtain a software upgrade. http://www.secadministrator.com/articles/index.cfm?articleid=39711

==== Sponsor: Virus Update from Panda Software ====

Check for the latest anti-virus information and tools, including weekly virus reports, virus forecasts, and virus prevention tips, at Panda Software's Center for Virus Control. http://list.winnetmag.com/cgi-bin3/DM/y/eA0D74Eh0CCB0BBlT0A3

Viruses routinely infect "fully protected" networks. Is total protection possible? Find answers in the free guide HOW TO KEEP YOUR COMPANY 100% VIRUS FREE from Panda Software. Learn how viruses enter networks, what they do, and the most effective weapons to combat them. Protect your network effectively and permanently - download today! http://list.winnetmag.com/cgi-bin3/DM/y/eA0D74Eh0CCB0BBDp0Aq

==========

==== 3. Announcements ==== (from Windows & .NET Magazine and its partners)

Need Help Managing Your Storage Investment? Planning and managing your storage deployment can be costly and complex. Check out Windows & .NET Magazine's Storage Administration Web site for the latest advice, news, and tips to help you make the most of your storage investment. You'll find problem-solving articles, eye-opening white papers, a technical forum, and much more! http://www.storageadmin.com

Learn More About the Security Risks in Exchange 2003 Videotaped live at Microsoft TechEd 2003, this free archived Web seminar delivers an introduction to the new security features and enhancements of Exchange Server 2003, including the new security APIs that can minimize virus risk and spam traffic. Plus, you'll discover more about the future of the messaging industry and what's on the horizon in assessing risk. Register today! http://www.winnetmag.com/seminars/securityrisks

==== 4. Security Roundup ====

News: Microsoft Patches Leave Systems Insecure and Break RAS Users are reporting problems with two of Microsoft's recent security hotfixes, which patch problems with remote procedure call (RPC) and Windows file-management functions. Demonstration code related to the RPC problem that Microsoft Security Bulletin MS03-026 addresses (Buffer Overrun In RPC Interface Could Allow Code Execution) was released on the Internet. Users discovered that even with the RPC patch installed, systems were still vulnerable to Denial of Service (DoS) attacks. Other users reported that after installing the patch related to the file-management problem that Security Bulletin MS03-029 addresses (Flaw in Windows Function Could Allow Denial of Service), their RAS servers stopped working properly. Microsoft says that it will release patches that correct those problems. http://www.secadministrator.com/articles/index.cfm?articleid=39709

News: Is RIAA Targeting You? The Recording Industry Association of America (RIAA) is hot on the heels of file swappers, namely those who use popular programs such as Kazaa to trade music files. If you wonder whether they're targeting you or your networks, learn how to find out through this news story. http://www.secadministrator.com/articles/index.cfm?articleid=39724

News: Bono Introduces Spyware Bill Representative Mary Bono (R-CA) introduced a new bill, cosponsored by Representative Edolphus Towns (D-NY), that would regulate computer spyware that companies use to gather various information from users. http://www.secadministrator.com/articles/index.cfm?articleid=39715

News: Are You Vulnerable to RPC Exploitation? If you've read any of the news stories on the Internet about the recently reported remote procedure call (RPC) security problem, you might wonder whether the Internet will be brought to its knees any time. While security experts continue to analyze the extent of the danger, you do need to protect your systems--and don't depend on Windows Update service. http://www.secadministrator.com/articles/index.cfm?articleid=39740

==== 5. Instant Poll ====

Results of Previous Poll: Cisco IOS Software Vulnerability The voting has closed in Windows & .NET Magazine's Security Administrator Channel nonscientific Instant Poll for the question, "Did your network experience problems as a result of the recently reported Cisco IOS software vulnerability?" Here are the results from the 83 votes. - 1% Yes--We experienced a Denial of Service (DoS) because of the attack - 25% We experienced downtime but only because of an IOS upgrade - 65% No - 8% Not sure (Deviations from 100 percent are due to rounding.)

New Instant Poll: RPC/DCOM Probing The next Instant Poll question is, "Has your company experienced someone probing to determine whether you systems are vulnerable to a remote procedure call(RPC)/Distributed COM (DCOM) exploit?" Go to the Security Administrator Channel home page and submit your vote for a) Yes, b) No, or c) I'm not sure. http://www.secadministrator.com

==== 6. Security Toolkit ====

Virus Center Panda Software and the Windows & .NET Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security. http://www.secadministrator.com/panda

FAQ: What Command-Prompt Tool Reports System Uptime? contributed by Jan De Clercq

Sysinternals' PsInfo is an interesting freeware tool that you can use to report system uptime. You can download this command-prompt tool from http://www.sysinternals.com/ntw2k/freeware/psinfo.shtml. PsInfo also reports on other system characteristics, such as kernel version and processor type. If you add the -h switch, the PsInfo command also reports on installed hotfixes. If you add the -s switch, the command adds a report on installed software. You can also use the tool to query remote machines. The following command reports uptime and other system-related information for the machine named fileserver1:

psinfo \\fileserver1

If you want to query a remote machine, the account that runs the PsInfo tool must have remote registry access to the remote machine's HKEY_LOCAL_MACHINE\SYSTEM registry subkey. For more information about configuring remote registry access, see "NT Gatekeeper: Securing Remote Access to the System Registry," October 2001, InstantDoc ID 22417. http://www.secadministrator.com/articles/index.cfm?articleid=22417

==== 7. Event ====

New--Mobile & Wireless Road Show! Learn more about the wireless and mobility solutions that are available today! Register now for this free event! http://www.winnetmag.com/roadshows/wireless

==== 8. New and Improved ==== by Sue Cooper, products@winnetmag.com

Monitor Web Content from Both Directions Clearswift announced MIMEsweeper for Web 5.0, content filtering that manages and enforces your Web usage, security, privacy, and compliance policies. The software offers analysis of HTTP and browser-based FTP traffic, integration with leading antivirus applications, URL-based blocking of banned sites, comprehensive auditing and reporting, email alerts to administrators, and granular policy management. MIMEsweeper for Web disassembles Web transfers, breaking them down into individual objects for content analysis according to policy as it applies to the user who initiates the transmission. MIMEsweeper for Web 5.0 has improved scalability, performance, and manageability. The product will be available later in August. Contact Clearswift at 425-460-6000 or info.us@clearswift.com. http://www.clearswift.com

Submit Top Product Ideas Have you used a product that changed your IT experience by saving you time or easing your daily burden? Do you know of a terrific product that others should know about? Tell us! We want to write about the product in a future What's Hot column. Send your product suggestions to whatshot@winnetmag.com.

==== 9. Hot Threads ====

Windows & .NET Magazine Online Forums http://www.winnetmag.com/forums

Featured Thread: Auditing Software for Win2K? (Two messages in this thread)

A user writes that on his Windows 2000 Server, the Event Viewer Security logs shows thousands of logon attempts a day for the Administrator account. He thinks that someone is trying to break into the account. The information Event Viewer provides (he has also tried capturing network frames using Network Monitor) isn't sufficient to find the source. He wants to know the best way to determine the origin of the logon attempts. Lend a hand or read the responses: http://www.winnetmag.com/forums/rd.cfm?cid=42&tid=61753

HowTo Mailing List http://63.88.172.96/listserv/page_listserv.asp?s=howto

Featured Thread: Batch Files in AD GPO (Six messages in this thread)

A user wants to know whether batch files can be assigned to a Group Policy Object (GPO) and whether scripts in a GPO must be in VBScript. Lend a hand or read the responses: http://63.88.172.96/listserv/page_listserv.asp?A2=IND0307D&L=HOWTO&P=80

==== Sponsored Links ====

Ultrabac FREE live trial-Backup & Disaster Recovery software w/ encryption http://ad.doubleclick.net/clk;5945485;8214395;x?http://www.ultrabac.com/default.asp?src=WINTxtLAug03tgt=./

CrossTec Free Download - NEW NetOp 7.6 - faster, more secure, remote support http://ad.doubleclick.net/clk;5930423;8214395;j?http://www.crossteccorp.com/w2kmag.htm

=========

==== 10. Contact Us ====

About the newsletter -- letters@winnetmag.com About technical questions -- http://www.winnetmag.com/forums About product news -- products@winnetmag.com About your subscription -- securityupdate@winnetmag.com About sponsoring Security UPDATE -- emedia_opps@winnetmag.com

=============== This email newsletter is brought to you by Security Administrator, the print newsletter with independent, impartial advice for IT administrators securing Windows and related technologies. Subscribe today. http://www.secadministrator.com/sub.cfm?code=saei25xxup

Thank you! __________________________________________________________ Copyright 2003, Penton Media, Inc.