********************
Windows 2000 Magazine Security UPDATE
**Watching the Watchers**
The weekly Windows 2000 and Windows NT security update newsletter from
the Windows 2000 Magazine Network
http://www.win2000mag.net/Channels/Security
********************
This week's issue sponsored by
BindView Corporation
http://www.bindview.com/hurwitz4
|-+-|-+-|-+-|-+-|-+-|-+-|
April 18, 2001 - In this issue:
1. IN FOCUS
- Embedded Firewalls: The Next Wave?
2. SECURITY RISKS
- Windows PGP ASCII Armor Parser Vulnerability
- Denial of Service Condition in Lotus Domino Web Server R5
- Denial of Service Condition in Compaq Presario PCs
3. ANNOUNCEMENTS
- Read the Latest Addition to the Windows 2000 IT Library--Free!
- Announcing Windows 2000 Magazine Network Seminars!
4. SECURITY ROUNDUP
- News: Microsoft Cancels Windows NT 4.0 SP7
- Feature: Watch Out for Possible Problems with Task Scheduler,
Cacls, and Xcacls
- Feature: So You Want to Be Your Own Certificate Authority!
- Feature: Terminal Services Security; Securing a Windows 2000
Terminal Server
5. HOT RELEASE (ADVERTISEMENT)
- CyberwallPLUS Firewalls for NT/2000 Servers
6. SECURITY TOOLKIT
- Book Highlight: RSA Security's Official Guide to Cryptography
- FAQ: What's an Image Backup?
- Windows 2000 Security: Internet Explorer Security Options, Part 2
7. NEW AND IMPROVED
- Gateway-to-Gateway VPN Security Appliance
- Reduce Help Desk Calls
- Antivirus Solution for Internet Mail
8. HOT THREADS
- Windows 2000 Magazine Online Forums
Unroutable Addresses Protect Against Spoofs?
- HowTo Mailing List
How to Lock Users
9. CONTACT US
See this section for a list of ways to contact us.
~~~~ SPONSOR: BINDVIEW CORPORATION ~~~~
Are your security practices adequate enough to protect you from hackers
and crackers? How do you provide remote access to your users, enable
E-mail messaging, Internet sites and e-commerce activity, and at the
same time maintain security? Can you implement and administer the
effective security measures you need without doing battle with the
people who need access to your network?
Download FREE the latest Hurwitz Group Report, Management Controls:
Security Impact of IT Administration at
http://www.bindview.com/hurwitz4
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Want to sponsor Security UPDATE?
Email emedia_opps@win2000mag.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1. ========== IN FOCUS ==========
Hello everyone,
Certainly your organization uses a firewall, most likely at your network
borders. And many of you have adopted firewalls to protect your internal
network segments, servers, and workstations. Most of these solutions are
software-based--you must load that software on top of an existing OS.
The exceptions are dedicated hardware-based firewalls and routers with
embedded firewall add-ons.
Software-based firewalls are great tools, but some people argue that
hardware-based firewalls are more effective because they're harder to
tamper with. Another cited benefit is that hardware-based firewalls are
standalone units that are less prone to interruption from services that
often run on an underlying OS.
At the recent RSA Security Conference in San Francisco, 3COM announced
that it's taking hardware-based firewalls to the next level by embedding
distributed firewall technology in its new network cards. The idea is to
offer centralized control of network traffic at the NIC level where the
user has no access or control over the embedded firewall. 3COM partnered
with Secure Computing to produce the 3COM Embedded Firewall. Secure
Computing makes the popular Sidewinder firewall solution.
According to 3COM, the solution works by using associated 3COM Embedded
Firewall Policy Servers. Security policy is managed centrally on the
Policy Servers and then downloaded to the appropriate NICs across the
network. According to 3COM, the solution will help prevent users from
operating packet sniffers, spoofing packets, and running unauthorized
services of all types. 3COM will offer a 10-client starter kit that
includes hardware and software, including one Policy Server, for a list
price of $2114. The solution will be available third quarter 2001 and
will initially support Windows 2000, Windows NT, and Windows 9x. 3Com
made no mention of Windows Me support in its press release.
http://www.3com.com/corpinfo/en_US/pressbox/press_release.jsp?INFO_ID=2002706
3COM did well to partner with an existing and reputable firewall maker
to establish its new embedded solution. By doing so, the company gains
credibility and some amount of initial trust for its solution. I haven't
seen the product in action yet, but it seems like a tempting solution.
And the price of roughly $210 per seat for a 10-seat network is
certainly competitive with various other firewall solutions on the
market.
Embedded firewalls seem like the next logical step in the evolution of
firewall technology--I'm pleased to see this technology become
available. And with 3COM using its own 3XP processor on board its new
NICs, the firewall probably won't add any more overhead than a
traditional desktop or server-based firewall. In fact, having the
firewall embedded in the NIC might lower system overhead in some cases.
In my experience, hardware-based firewalls typically cause far fewer
headaches than firewalls that run on top of existing OSs, mainly because
they stand alone and are unaffected by any OS-related snafus. So I'm
glad to finally see a firewall embedded in a NIC. Perhaps we'll see
other vendors follow 3COM's lead. It doesn't seem far-fetched to think
that Intel might respond by creating a similar solution related to its
NIC products and router-based PIX firewall technology.
What do you think? Would centrally managed NIC-based firewall solutions
benefit your network? Send me a note with your thoughts or post them as
a Reader Comment
(http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=20703).
Until next time, have a great week.
Sincerely,
Mark Joseph Edwards, News Editor
mark@ntsecurity.net
2. ========== SECURITY RISKS ==========
(contributed by Mark Joseph Edwards, mark@ntsecurity.net)
* WINDOWS PGP ASCII ARMOR PARSER VULNERABILITY
@Stake reported that by using Pretty Good Privacy (PGP) versions 5.0 to
7.0.3 (on Windows 2000, Windows NT, Windows Me, and Windows 9x), a
malicious attacker can wrap a specially formed ASCII armored file around
a file with arbitrary name and contents. After parsing the armored file
using PGP, the attacker can extract the binary file. Because of how
Windows OSs load the .dll files, if the extracted file is a .dll file,
the intruder can trick several applications into loading the .dll files
and executing potentially malicious code. The vendor, Network
Associates, has released several patches to correct this
vulnerability.
http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=20645
* DENIAL OF SERVICE CONDITION IN LOTUS DOMINO WEB SERVER R5
Defcom Labs reports that an HTTP header-activated Denial of Service
(DoS) condition exists in Lotus Domino Web Server R5 versions earlier
than 5.0.7. An attacker can repeatedly request document root (/) with
various Accept header values (accept: a, accept: aa, accept: aaa, and so on) that can
cause the server to run out of physical memory. The server might
continue to run but won't accept any new requests, or the server process
can crash, requiring a server restart. The vendor, Lotus Development,
has acknowledged this vulnerability and recommends that users upgrade to
version 5.0.7. Users can obtain a copy of this upgrade from the
Notes.net Web site.
http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=20646
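The request pattern described above can be spotted on the defender's side. The following is an added example written for this page, not code from Defcom Labs or Lotus; it assumes a simplified one-request-per-line log format and flags any client that sends many distinct, malformed Accept values for the document root.

```python
"""Flag clients that hammer Domino's document root with many distinct,
malformed Accept headers, the memory-exhaustion pattern described above.
Added detection example; not vendor code.  The log format is assumed."""
import re
from collections import defaultdict

# Assumed log format: "<client> <method> <path> <accept-header-value>",
# one request per line.  Real Domino logs would need a different parser.
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")
# A well-formed Accept value is a comma-separated list of type/subtype
# media ranges, optionally with a q parameter, e.g. "text/html, */*;q=0.8".
MEDIA_TYPE_RE = re.compile(r"^[\w.+*-]+/[\w.+*-]+(\s*;\s*q=[0-9.]+)?$")

def accept_is_malformed(value):
    """True if any comma-separated element is not a type/subtype media range."""
    if not value.strip():
        return False   # an absent Accept header is legal
    return any(not MEDIA_TYPE_RE.match(part.strip()) for part in value.split(","))

def flag_accept_flood(lines, min_distinct=5):
    """Return {client: count} for clients that sent at least `min_distinct`
    different malformed Accept values while requesting "/"."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue            # skip lines that do not fit the assumed format
        client, _method, path, accept = m.groups()
        if path == "/" and accept_is_malformed(accept):
            seen[client].add(accept)
    return {c: len(v) for c, v in seen.items() if len(v) >= min_distinct}

# Constructed sample traffic: one normal browser and one client cycling
# through ever-longer junk Accept values against the document root.
SAMPLE_LOG = [
    "10.0.0.5 GET / text/html, image/gif, image/jpeg, */*",
    "10.0.0.5 GET /names.nsf text/html",
] + ["192.0.2.77 GET / " + "a" * n for n in range(1, 9)]

if __name__ == "__main__":
    print(flag_accept_flood(SAMPLE_LOG))   # {'192.0.2.77': 8}
```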
* DENIAL OF SERVICE CONDITION IN COMPAQ PRESARIO PCS
Compaq provides customer support features through its Knowledge Center
and Back Web components for its Presario PCs running Windows Me and
Windows 98. Some of Presario's custom support features are implemented as
ActiveX controls. By using the ActiveX control function
LogDataListToFile, a malicious attacker can use a Web page to write a
specified file to the system's hard disk, creating a potential Denial of
Service (DoS) condition. The intruder can't modify the file's content
but can access the hardware and software configuration information. The
vendor, Compaq Computer, has released Softpaq 16629 to correct this
vulnerability.
http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=20647
3. ========== ANNOUNCEMENTS ==========
* READ THE LATEST ADDITION TO THE WINDOWS 2000 IT LIBRARY--FREE!
According to Tony Redmond, the Microsoft Exchange development team
performed major surgery when it created Exchange 2000. Visit the Windows
IT Library and read more from Tony about the factors that have driven
the change, how the transport core works, and how the new routing
mechanism affects designs. Check it out!
http://www.windowsitlibrary.com/Content/519/06/toc.html
* ANNOUNCING WINDOWS 2000 MAGAZINE NETWORK SEMINARS!
Don't miss our new 1- and 2-day seminars presented by industry experts
Mark Minasi, Kalen Delaney, and Steve Milroy. Polish your IT skills in
informative sessions about Windows 2000 Server, SQL Server, and mobile
and wireless connectivity. Seminars will be held in Los Angeles, Boston,
and San Francisco in May and June. Sign up today!
http://www.win2000mag.net/seminars
4. ========== SECURITY ROUNDUP ==========
* NEWS: MICROSOFT CANCELS WINDOWS NT 4.0 SP7
Late yesterday, Microsoft confirmed that it has canceled development of
what would have been the seventh and final service pack for Windows NT
4.0. According to a Microsoft representative, the company decided to
cancel Service Pack 7 (SP7) because of customer feedback; the number of
hotfixes Microsoft has issued since SP6a's release in November 1999 has
dropped considerably in recent days.
http://www.wininformant.com/Articles/Index.cfm?ArticleID=20690
* FEATURE: WATCH OUT FOR POSSIBLE PROBLEMS WITH TASK SCHEDULER, CACLS,
AND XCACLS
For some time, Dick Lewis has been testing his scripts to ensure that
they function correctly in Windows 2000. When Lewis recently tested a
few scripts on a server running Win2K Server Service Pack 1 (SP1), he
ran into problems with three commonly used tools: Task Scheduler, Cacls,
and Xcacls. Learn the details about those problems and the Microsoft
hotfixes available to fix them in this Windows Scripting Solutions
feature article.
http://www.winscriptingsolutions.com/Articles/Index.cfm?ArticleID=20510
* FEATURE: SO YOU WANT TO BE YOUR OWN CERTIFICATE AUTHORITY!
Setting up a Web server for a secure public key infrastructure (PKI)
requires subscribing to the services of a Certificate Authority (CA). A
CA is a trusted source from which you can acquire a digital certificate.
The CA vouches for your identity, and the digital certificate becomes
your own digital signature. You can use your digital certificate to
communicate and transact securely with various systems.
Did you know that you can use the CA software included with Lotus Domino
for no fee? In "Domino Internet Security: Implementing SSL and X.509"
(Group Computing, March 2001), D'Artagnan Fischer offered information
about requesting and accepting certificates from a CA as well as how to
use a certificate. In this article, Fischer addresses how you can become
your own CA.
http://archives.groupcomputing.com//index.cfm?fuseaction=viewarticle&ContentID=595
* FEATURE: TERMINAL SERVICES SECURITY: SECURING A WINDOWS 2000 TERMINAL
SERVER
When Morris Lewis was creating an online library for his students, he
decided to use Windows 2000 Server Terminal Services to give them access
to research material. Unfortunately, Lewis discovered that this solution
creates security problems because Terminal Services treats users as if
they were logged on locally to the computer. The challenge was to find a
way to control access to the system while still making resources
available. Learn how Lewis solved these issues in this feature article
from our Security Administrator Newsletter.
http://www.secadministrator.com/Articles/Index.cfm?ArticleID=16524
5. ========== HOT RELEASE (ADVERTISEMENT) ==========
* CYBERWALLPLUS FIREWALLS FOR NT/2000 SERVERS
CyberwallPLUS uses stateful packet inspection and fine-grain network
access control to bring full feature firewall security to NT/2000
servers operating in "electronically open" networks - and it includes
active intrusion detection to further protect servers.
Free 30-day evaluation -
http://www.network-1.com/support/download.html
6. ========== SECURITY TOOLKIT ==========
* BOOK HIGHLIGHT: RSA SECURITY'S OFFICIAL GUIDE TO CRYPTOGRAPHY
By Steve Burnett and Steve Paine
List Price: $59.99
Fatbrain Online Price: $47.99
Softcover; 448 pages
Published by McGraw-Hill Professional Book Group, April 2001
ISBN 007213139X
Learn to protect your network from hackers with "RSA Security's Official
Guide to Cryptography." Written by RSA Security experts, this practical
guide shows you how to implement cryptography to secure your network
from attacks. This book covers symmetric-key and public-key
cryptography, public key infrastructure (PKI), and X.509 directories.
The book also includes case studies analyzing different types of
security weaknesses.
For more information or to purchase this book, go to the Windows 2000
Magazine Bookstore and click UPDATE Highlights under Highlighted Titles.
http://www1.fatbrain.com/store.cl?p=win2000mag&s=97772
Or go to
http://www1.fatbrain.com/asp/bookinfo/bookinfo.asp?theisbn=007213139X
and enter WIN2000MAG as the discount code when you order the book.
* FAQ: WHAT'S AN IMAGE BACKUP?
(contributed by Windows NT and 2000 FAQ, http://www.windows2000faq.com)
Image backups (aka sector backups) have been a fixture on mainframes for
years. In general, an image backup focuses on sectors and is independent
of the sectors' content. Therefore, an image backup contains information
about partition tables, file tables (e.g., FAT, Master File Table--MFT),
and the Master Boot Record (MBR). File backups are a more recent
development. File backups contain information about files and file
attributes. In a file backup, you can selectively restore individual
files, whereas in an image backup, you attempt to restore an entire
disk.
Both backup types offer distinct advantages. An image backup lets you
boot to a set of 3.5" disks and restore the tape contents, thereby
regenerating your hard disk. However, the size of the disk to which you
restore must be at least equal to the size of the disk that you back up.
(Best practice is to use disks of identical size.) In all cases, the
disks should be low-level formatted to optimize the restore. You don't
need to partition or format the recipient disk.
As you might expect, you can't perform an incremental image backup.
Consequently, you should use image backups only for true disaster
recovery and use file backups for individual file restoration. (Computer
Associates' ARCserve was the first backup application to allow specific
file restoration from an image backup, so exceptions exist to the rule
about using image backup restorations.)
* WINDOWS 2000 SECURITY: INTERNET EXPLORER SECURITY OPTIONS, PART 2
In Part 1 of this series, Randy Franklin Smith described the security
zones in Microsoft Internet Explorer (IE) 5.0. In Part 2, Randy shows
you how to configure the security settings for each zone. In the final
part of this series, Randy will explain how to use rules in Active
Directory (AD) to centrally and consistently configure these IE security
settings for all users in your domain according to each type of user.
http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=20622
7. ========== NEW AND IMPROVED ==========
(contributed by Judy Drennen, products@win2000mag.com)
* GATEWAY-TO-GATEWAY VPN SECURITY APPLIANCE
Cylink released NetHawk, a high-speed VPN appliance for secure,
site-to-site Internet communications. NetHawk is an IP Security (IPSec)
solution that transparently integrates into the network. NetHawk
performs at wire throughput speeds in Ethernet (10Mbps) and Fast
Ethernet (100Mbps) environments while supporting strong Triple-DES
encryption--without slowing down the network. NetHawk is available in
four models, from an Ethernet model supporting 5000 simultaneous
connections to a high-performance fast Ethernet that supports up to
20,000 simultaneous connections. Pricing for NetHawk begins at $3500.
Contact Cylink at 800-533-3958 for more information.
http://www.cylink.com/
* REDUCE HELP DESK CALLS
Courion announced that Bear Stearns, a securities trading, investment
banking, and brokerage firm, is implementing Courion PasswordCourier and
ProfileBuilder to give its 10,000 employees the ability to securely
manage authentication credentials and reset, change, and synchronize
passwords on systems and applications via Web browser or desktop access.
Password management modules are available for Windows 2000, Windows NT,
Windows 98, Netscape Directory Server, Novell NetWare NDS, Sun Solaris,
HP-UX, IBM AIX, IBM mainframes, Oracle, Microsoft SQL Server, Sybase,
and RSA SecurID. For more information, go to the Courion Web site.
http://www.courion.com
* ANTIVIRUS SOLUTION FOR INTERNET MAIL
F-Secure announced F-Secure Anti-Virus for Internet Mail, software that
protects email traffic against inbound and outbound security threats in
real time. Because email can bypass traditional workstation and
server-based virus protection, businesses need an antivirus solution at
the gateway level. Updates are distributed automatically through
F-Secure Policy Manager, and protection is always on and transparent to
the end user. The product supports Windows 2000 and Windows NT, and the
email server can sit on any platform. Visit the F-Secure Web site for
more information.
http://www.fsecure.com
8. ========== HOT THREADS ==========
* WINDOWS 2000 MAGAZINE ONLINE FORUMS
The following text is from a recent threaded discussion on the Windows
2000 Magazine online forums.
http://www.win2000mag.net/forums
April 05, 2001, 12:20 P.M.
Unroutable Addresses Protect Against Spoofs?
(Two messages in this thread)
I am setting up a small corporate network that will utilize a Cisco
router firewall. The firewall does packet filtering and utilizes NAT to
get out. I read in the Cisco documentation that this setup will leave
you open to spoof attacks. If I am using nonroutable IP addresses inside
(i.e., 10.10.10.X), this should not be an issue because Internet routers
will drop the address as invalid. Is this a correct assumption? Before
anybody asks, the company is small and on a budget, so a stand-alone
firewall is out of the question; I am just trying to CYA on the router
solution.
Thread continues at
http://www.win2000mag.net/Forums/Application/Thread.cfm?CFApp=64&Thread_ID=63662&mc=2
* HOWTO MAILING LIST
Each week we offer a quick recap of some of the highlights from the
HowTo for Security mailing list. The following thread is in the
spotlight this week.
How to Lock Users
(Five messages in this thread)
In my organization, we have some domains running Windows NT 4.0 with
Service Pack 5. Here in Italy, a law requires us to lock out a UserID if
the user does not log on for 6 months. Is there a tool or a function we
can use to obey this law?
http://63.88.172.96/go/page_listserv.asp?A2=IND0104B&L=HOWTO&P=81
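An added illustration of the six-month inactivity rule the question asks about, run over constructed account records; it is not a tool from the thread and does not query any domain. The calendar-month cutoff and the choice to count an account's creation date as its last activity are assumptions made here.

```python
"""Select accounts to lock under a rule like the one in the question above:
no logon for six months.  Added illustration over constructed records; it is
not a tool from the thread and does not talk to any domain controller."""
from datetime import date

def six_months_before(today):
    """Same calendar day six months earlier; when that day does not exist
    (31 Aug -> Feb) fall back to the last valid day of the target month."""
    month, year = today.month - 6, today.year
    if month <= 0:
        month, year = month + 12, year - 1
    day = today.day
    while True:
        try:
            return date(year, month, day)
        except ValueError:
            day -= 1

def accounts_to_lock(accounts, today):
    """accounts: iterable of (username, last_logon, created); last_logon is
    None for accounts that have never logged on.  Returns the names whose
    last activity is strictly before the cutoff.  Treating the creation
    date as activity is an assumption so that brand-new accounts that have
    not yet logged on are not locked immediately."""
    cutoff = six_months_before(today)
    return sorted(name for name, last_logon, created in accounts
                  if (last_logon or created) < cutoff)

# Constructed sample records (no real users); "today" is the newsletter date.
TODAY = date(2001, 4, 18)
SAMPLE_ACCOUNTS = [
    ("mrossi",   date(2001, 3, 2),   date(1999, 1, 10)),  # active
    ("gbianchi", date(2000, 9, 30),  date(1998, 5, 4)),   # stale: over 6 months
    ("newhire",  None,               date(2001, 4, 1)),   # never logged on, new
    ("olduser",  None,               date(1999, 6, 1)),   # never logged on, old
    ("boundary", date(2000, 10, 18), date(1998, 5, 4)),   # exactly 6 months: kept
]

if __name__ == "__main__":
    print(accounts_to_lock(SAMPLE_ACCOUNTS, TODAY))   # ['gbianchi', 'olduser']
```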
Follow this link to read all threads for April, Week 2:
http://63.88.172.96/go/page_listserv.asp?A1=ind0104B&L=howto
9. ========== CONTACT US ==========
Here's how to reach us with your comments and questions.
* COMMENTS ABOUT THE COMMENTARY?
Email Mark Joseph Edwards at mark@ntsecurity.net
* COMMENTS ABOUT THE NEWSLETTER IN GENERAL?
Email Managing Editor Trish Faubion at tfaubion@win2000mag.com. Please
mention the name of the newsletter in the subject line or body.
* TECHNICAL QUESTIONS?
Please post your technical questions to the discussion area.
http://www.win2000mag.net/forums
* PRODUCT NEWS?
Email press releases to products@win2000mag.com.
* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION?
Email Customer Support at securityupdate@win2000mag.com.
* WANT TO SPONSOR SECURITY UPDATE?
Email emedia_opps@win2000mag.com
********************
This Security UPDATE is brought to you by Windows 2000 Magazine, the
leading publication for Windows 2000/NT professionals who want to learn
more and perform better. Subscribe today.
http://www.win2000mag.com/sub.cfm?code=00inxupb
|-+-|-+-|-+-|-+-|-+-|-+-|
Windows 2000 Magazine Security UPDATE Staff
News Editor - Mark Joseph Edwards (mje@win2000mag.com)
Editor - Gayle Rodcay (gayle@win2000mag.com)
New and Improved - Judy Drennen (products@win2000mag.com)
Copy Editor - Judy Drennen (jdrennen@win2000mag.com)
|-+-|-+-|-+-|-+-|-+-|-+-|
========== GET UPDATED! ==========
Receive the latest information about the Windows 2000 and Windows NT
topics of your choice, including Win2K Pro, Exchange Server, training
and certification, SQL Server, IIS administration, .NET development,
application service provision, .NET, wireless and mobile devices, and
more. Visit our Web site to subscribe to our other FREE email
newsletters.
http://www.win2000mag.com/sub.cfm?code=up00inxwnf
|-+-|-+-|-+-|-+-|-+-|-+-|
Thank you for reading Security UPDATE.
SUBSCRIBE
To subscribe send a blank email to
subscribe-Security_UPDATE@list.win2000mag.net.
ISN is hosted by SecurityFocus.com
Received on Thu Apr 19 03:45 CDT 2001