[Windows 2000 Magazine Security UPDATE] 2000 - February 2

**********************************************************
WINDOWS 2000 MAGAZINE SECURITY UPDATE
**Watching the Watchers**
The weekly Windows NT and Windows 2000 security update newsletter brought to you by Windows 2000 Magazine and NTsecurity.net
http://www.win2000mag.com/update/
**********************************************************

This week's issue sponsored by

Trend Micro-Your Internet Virus Wall
http://antivirus.com/SecureValentine.htm

WebTrends Firewall Suite 2.0 - New Version!
http://www.webtrends.com/redirect/fire-sec1.htm
(Below Security Roundup)

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

February 2, 2000 - In this issue:

1. IN FOCUS
   - How Do You Want Your Patches: Sooner or Later?

2. SECURITY RISKS
   - Outlook Express Object Access
   - Firewall-1 Allows Script Rule Circumvention
   - Index Server Exposes File System

3. ANNOUNCEMENTS
   - Windows 2000 Magazine Launches Three Free Email Newsletters
   - Conference: Windows 2000 in the Enterprise
   - Security Poll: Do You Think Online Credit Card-Based Purchasing is Safe Yet?

4. SECURITY ROUNDUP
   - News: Visa Admits Its Sites Were Hacked
   - News: Security Holes Bite Online Bank
   - Feature: Kerberos 5 in Windows 2000
   - How-To: Creating a Special TSE Logon Script

5. NEW AND IMPROVED
   - Secure Desktop and Notebook Systems
   - e-Security Announces Extended Integration

6. HOT RELEASES (ADVERTISEMENT)
   - VeriSign - the Internet Trust Company
   - Network-1 Security Solutions – Embedded NT Firewalls
   - ISS Connect 2000: Information Security Summit

7. SECURITY TOOLKIT
   - Book Highlight: IIS 4 and Proxy Server 2 24Seven
   - Tip: Unmap Unused File Extension in IIS
   - Review: eEye Digital Security's Retina Security Scanner

8. HOT THREADS
   - Windows 2000 Magazine Online Forums:
     * Local Proxy Server Blocking Site Access
   - Win2KSecAdvice Mailing List:
     * ZBServer 1.50-r1x Risk Example Code
   - HowTo Mailing List:
     * Windows 2000 and Default Security
     * Reverse Proxying with Microsoft Proxy 2.0?
     * IOMega Tools Keeps an Insecure Copy of the SAM

~~~~ SPONSOR: TREND MICRO-YOUR INTERNET VIRUS WALL ~~~~
Your network can be "broken" much like your heart. So this Valentine's Day find the ideal partner for your network with the Trend Interscan product family. Protect the heart of your network with Trend's wide range of antivirus solutions. Trend is a leader in antivirus technologies, offering protection and security for the Internet gateway, Notes and Exchange email servers, the desktop, and everywhere in between. Building a protective, virtual VirusWall around the pulse- the network.
http://antivirus.com/SecureValentine.htm
For more information call 800-228-5651, or click the link above.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Want to sponsor Windows 2000 Magazine Security UPDATE? Contact Vicki Peterson (Western and International Advertising Sales Manager) at 877-217-1826 or vpeterson@win2000mag.com, OR Tanya T. TateWik (Eastern Advertising Sales Manager) at 877-217-1823 or ttatewik@win2000mag.com.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. ========== IN FOCUS ==========

Hello everyone,

The security world has been rather quiet over the past week. One significant event that did occur was that Microsoft released its first Windows 2000 (Win2K) security hotfix. The hotfix corrects a problem with the Win2K Indexing Service and Windows NT 4.0 Index Server.

Although some readers might wince at the fact that Microsoft has already released a security hotfix for a brand-new OS--an OS not even on store shelves yet--there is no cause for alarm.
We can expect to see bugs in Win2K, especially security bugs, because hackers spend more time banging away against security subsystems than they do against other system components.

I've noticed that some technologists have hammered Microsoft over the past week because a security patch actually beat the new OS to market. I think those people are being shortsighted. Expecting a perfect set of code from day one is incredibly unrealistic. I appreciate the fact that a security patch is already available for Win2K. I'd rather have a patch than a hole in my OS, and the sooner I get that patch the better.

Most of you realize that bug-free software is unlikely, and Win2K is no exception. Odds dictate that other security risks are present in the Win2K code, so the question is, "Where are the risks and how soon can we find them?" Obviously, no blanket answer exists for that question. We can expect hackers and crackers alike to try most of the commonly known Windows-related exploits against the new OS and any services running on the new platform. The Indexing Service risk is a good example; similar path revelation problems have appeared in the past, and I'd be willing to speculate that at least one or two other security bugs have carried over from older NT 4.0-based code as well. Only time will tell.

On another note, starting this week, we launch the first of several new columns scheduled on the NTSecurity.net Web site. The first column, The Ultimate Security Toolkit, is a biweekly column by Steve Manzuik. Every other week, Steve will review a new security product. Steve offers his professional, from-the-trenches opinion about each tool and his personal recommendation to help you make buying decisions. This week, Steve reviews eEye's Retina security scanner, so be sure to check it out.

Until next time, have a great week.

Sincerely,
Mark Joseph Edwards, News Editor
mark@ntsecurity.net

2.
========== SECURITY RISKS ==========
(contributed by Mark Joseph Edwards, mark@ntsecurity.net)

* OUTLOOK EXPRESS OBJECT ACCESS
Georgio Guninski reported a problem with Outlook Express that could let an intruder open and read email messages without a user's permission. Microsoft is aware of the problem but has issued no response at the time of this writing.
http://www.ntsecurity.net/go/load.asp?iD=/security/outlook3.htm

* FIREWALL-1 ALLOWS SCRIPT RULE CIRCUMVENTION
Arne Vidstrom discovered a problem with the Firewall-1 script filtering rules that might let unwanted scripts execute on the desktop. According to Vidstrom's report, an intruder can circumvent the Strip Script Tags feature by adding an extra less than sign (<) to the <SCRIPT> tag syntax. Checkpoint is aware of the problem but has issued no response to date.

* INDEX SERVER EXPOSES FILE SYSTEM
David Litchfield discovered two problems with Microsoft's Index Server and Indexing Service technology. According to the report, the first problem is that webhits.dll does not properly restrict file access, and thus it is possible to navigate outside of virtual directories. The second problem involves error messages that nonexistent .idq files appear to display. When a user requests such a file from Windows 2000 Web Services (formerly Microsoft Internet Information Server 5.0), the server might reveal virtual directory path information, thereby exposing a portion of file system structure to a potential intruder.
http://www.ntsecurity.net/go/load.asp?iD=/security/index1.htm

3. ========== ANNOUNCEMENTS ==========

* WINDOWS 2000 MAGAZINE LAUNCHES THREE FREE EMAIL NEWSLETTERS
XML UPDATE, Enterprise Storage UPDATE, and IIS Administrator UPDATE are the latest offerings from Windows 2000 Magazine. Each email newsletter focuses on a new and important segment of the Windows IT professional's job. Written by industry insiders, the UPDATEs contain the news, tips, and advice that you can't find anywhere else.
Subscribe to just one or all of our FREE updates.
http://www.winntmag.com/sub.cfm?code=up99inbup

* CONFERENCE: WINDOWS 2000 IN THE ENTERPRISE
Will Windows 2000 (Win2K) be your server platform of choice? This thorny question is the reason more and more organizations are turning to GartnerGroup to evaluate the promise and pitfalls of this new technology. GartnerGroup analysts offer an in-depth, yet independent, assessment of Win2K and give you the information you need to make an informed decision. You can experience GartnerGroup's expertise at our conference, "Windows 2000 in the Enterprise: Off the Shelf and Into the Fire," to take place April 26 to 28, 2000, in San Francisco. For additional information about this exciting conference, just use the link http://www.gartner.com/nt/usa.

* SECURITY POLL: DO YOU THINK ONLINE CREDIT CARD-BASED PURCHASING IS SAFE YET?
How safe do you think online credit card-based purchasing is? Come to the Web site and let us know your thoughts.
http://www.ntsecurity.net

4. ========== SECURITY ROUNDUP ==========

* NEWS: VISA ADMITS ITS SITES WERE HACKED
Does it matter how secure your e-commerce solution is when a credit card company can't keep crackers out of its networks? Visa International recently admitted that crackers penetrated its systems in July 1999 and stole information. The crackers later contacted Visa by email and telephone in attempts to extort money from the firm. Visa subsequently contacted Scotland Yard and the FBI, which are investigating the matter. Visa claims to have long since secured the breached systems.
http://www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=204&TB=news

* NEWS: SECURITY HOLES BITE ONLINE BANK
Online bank X.COM received quite a "wake-up call" recently when users discovered that while establishing a new account, anyone could transfer money into an X.COM account from any other bank account in the United States due to nonexistent security controls on wire transfer mechanisms.
X.COM corrected the problems when other banks complained to the online bank about fraud attempts against customer accounts.
http://www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=206&TB=news

* FEATURE: KERBEROS 5 IN WINDOWS 2000
Windows 2000 (Win2K) offers many security improvements over Windows NT. Probably the biggest advance has been in the OS's primary authentication protocol. NT LAN Manager (NTLM) has been the primary authentication protocol for all versions of NT. Win2K supports NTLM and Secure Sockets Layer/Transport Layer Security (SSL/TLS) authentication protocols. But Win2K's primary authentication protocol is Kerberos 5, which takes its name from Cerberus, Greek mythology’s three-headed dog that guarded the gates of Hades. Zubair Ahmad takes a closer look at Kerberos 5 and how Kerberos security works in Win2K.
http://www.ntsecurity.net/go/2c.asp?f=/features.asp?IDF=148&TB=f

* HOW-TO: CREATING A SPECIAL TSE LOGON SCRIPT
On our Windows NT network, we have two Windows NT 4.0, Terminal Server Edition (TSE) servers with MetaFrame that we have set up as member servers. We want to use Application Security (APPSEC) to limit the applications that users can run. When we run APPSEC, the TSE servers don't appear to run the NT logon scripts. How can I make the logon script run with APPSEC activated? David Carroll answers that question and more in this Web Exclusive article.
http://www.ntsecurity.net/go/2c.asp?f=/howto.asp?IDF=117&TB=h

~~~~ SPONSOR: WEBTRENDS FIREWALL SUITE 2.0 - NEW VERSION! ~~~~
WebTrends is the emerging leader in security management and assessment. WebTrends Firewall Suite and WebTrends Security Analyzer now offer the most comprehensive solution for intrusion prevention, firewall traffic monitoring, and vulnerability analysis. The new Firewall Suite 2.0 provides support for 32 different firewalls and includes embedded SurfWatch web site categorization technology.
Click here for your free trial download and start analyzing your incoming and outgoing traffic.
http://www.webtrends.com/redirect/fire-sec1.htm

5. ========== NEW AND IMPROVED ==========
(contributed by Judy Drennen, products@win2000mag.com)

* SECURE DESKTOP AND NOTEBOOK SYSTEMS
IBM announced new desktop and notebook systems to keep data secure. The PCs include security features such as identity verification and authentication, and encryption capabilities that complement Windows 2000 (Win2K) and come preloaded with the new OS. The new models include the ThinkPad 600X notebook, PC 300 desktop series, and Intellistation Professional Workstation series. IBM also offers the Smart Card Security Kit and an embedded security chip. The Smart Card Security Kit and security chip support Win2K, accompany any PC or mobile system, and prevent unauthorized users from accessing sensitive data. For pricing on the new desktop and notebook systems, contact IBM, 800-772-2227.
http://www.ibm.com/Windows2000

* E-SECURITY ANNOUNCES EXTENDED INTEGRATION
e-Security announced extended integration of 29 security products with its Open e-Security Platform (OeSP). The integration specifies 10 separate categories of information security: Firewalls, Intrusion Detection, Operating Systems, Anti-Virus, Web Servers, Databases, Policy Monitoring, Vulnerability Assessment, and Authentication. OeSP integrates multivendor security software and other security devices so that companies can conduct realtime surveillance of their distributed enterprise security environment from one console with an intuitive graphical display. For more information, contact e-Security, 800-474-9191.
http://www.esecurityinc.com

6. ========== HOT RELEASES (ADVERTISEMENT) ==========

* VERISIGN - THE INTERNET TRUST COMPANY
Secure your servers with 128-bit SSL encryption! Click here for VeriSign's FREE guide, "Securing Your Web Site for Business". Learn how to secure your e-commerce with 128-bit SSL encryption!
http://www.verisign.com/cgi-bin/go.cgi?a=n016005190013000

* NETWORK-1 SECURITY SOLUTIONS – EMBEDDED NT FIREWALLS
CyberwallPLUS-SV is the first embedded firewall for NT servers. It secures valuable servers with network access controls and intrusion prevention. Visit http://www.network-1.com/eval/eval6992.htm to receive a free CyberwallPLUS evaluation kit and white paper.

* ISS CONNECT 2000: INFORMATION SECURITY SUMMIT
Internet Security Systems (ISS) announces the return of the most dynamic, cost-effective information security conference (March 19, 2000 - March 24, 2000). Attend more than sixty sessions and workshops on securing e-business. To register call 1-800-416-8749.
http://connect.iss.net/

7. ========== SECURITY TOOLKIT ==========

* BOOK HIGHLIGHT: IIS 4 AND PROXY SERVER 2 24SEVEN
By M. Shane Stigler and Mark A. Linsenbardt
Online Price: $24.45
Softcover; 608 pages
Published by Sybex Computer Books, August 1999

For experienced administrators running Internet Information Server (IIS) and Proxy Server, here at last is the book you've been waiting for. Starting where other books and training courses end and the real world begins, "IIS 4 and Proxy Server 2 24Seven" delivers the detailed, high-level information that working administrators really need to reach the level of true expert. IIS and Proxy gurus M. Shane Stigler and Mark A. Linsenbardt deliver the advanced coverage that will enable you to make the most of your IIS and Proxy Server installations.

For Windows NT Magazine Security UPDATE readers only--Receive an additional 10 PERCENT off the online price by typing WIN2000MAG in the referral field on the Shopping Basket Checkout page. To order this book, go to http://www.fatbrain.com/shop/info/0782125301?from=SUT864.

* TIP: UNMAP UNUSED FILE EXTENSIONS IN IIS
(contributed by Mark Joseph Edwards, mark@ntsecurity.net)

Internet Information Server (IIS) lets you map various file extensions to various application services.
For instance, you can map .pl extensions to a PERL interpreter or .cfm extensions to a Cold Fusion engine. When you load a fresh copy of IIS, the software installs several mappings by default. Many of these mappings go unused unless you also implement the specialized services that use those mappings. For example, .idq files define query parameters for an Index Server search. However, if you aren't using Index Server, or don't use .idq files in conjunction with your Index Server installation, then there's no reason to leave the .idq file mapping in place.

You will want to remove all unused file mappings. Even if you think you'll need a particular mapping later, remove it until you actually need it. Removing the unused mappings minimizes your overall Web site risk. The Index Server risk reported in this issue of Security UPDATE is a perfect example of why you need to remove these mappings--an intruder can exploit the mappings to circumvent system security in certain instances. The problem is that we won't know what those instances are until the intruder discovers them.

What mappings can you remove from IIS? Any mapping that a site hosted on the Web server is not using. Use a site analysis tool such as Site Server Express or FrontPage to inventory your Web site. A site inventory will help determine which file extensions you need and then you can easily remove any unused mappings. Please note that before you remove any file extension mappings, be sure to record their parameters in case you need to redefine them at a later time. The file extension mappings occur in different places in each version of IIS, so consult IIS's online Help system to determine the location of the actual configuration dialog box.

* REVIEW: EEYE DIGITAL SECURITY'S RETINA SECURITY SCANNER
In his first biweekly product review, Steve Manzuik takes a close look at a beta release of Retina, eEye Digital Security's first product offering in the security market space.
Steve was impressed with the first release of Retina. He found the product to be reasonably functional but did point out some shortcomings he'd like to see addressed in a future version. If you're curious about this new security scanner, be sure to read the entire review!
http://www.ntsecurity.net/go/ultimate.asp

8. ========== HOT THREADS ==========

* WINDOWS 2000 MAGAZINE ONLINE FORUMS
The following text is from a recent threaded discussion on the Windows 2000 Magazine online forums (http://www.win2000mag.com/support).

January 27, 2000, 09:59 P.M.
Local Proxy Server Blocking Site Access
I am using an NT 4 based network with IE5 and connect to the Internet through a local proxy server running MS Proxy on our network. When I bypass the local proxy server, I can access this particular site that requires an authorized username and password. When I go through the proxy server, access is denied. Any suggestions as to what I need to do?

Thread continues at
http://www.win2000mag.com/support/Forums/Application/Index.cfm?CFApp=69&Message_ID=88063

* WIN2KSECADVICE MAILING LIST
Each week we offer a quick recap of some of the highlights from the Win2KSecAdvice mailing list. The following threads are in the spotlight this week:

1. ZBServer 1.50-r1x Risk Example Code
http://www.ntsecurity.net/go/w.asp?A2=IND0001E&L=WIN2KSECADVICE&P=92

Follow this link to read all threads for Feb. Week 1:
http://www.ntsecurity.net/go/win2ks-l.asp?s=win2ksec

* HOWTO MAILING LIST
Each week we offer a quick recap of some of the highlights from the "HowTo for Security" mailing list. The following threads are in the spotlight this week:

1. Windows 2000 and Default Security
http://www.ntsecurity.net/go/L.asp?A2=IND0002A&L=HOWTO&P=192
2. Reverse Proxying with Microsoft Proxy 2.0?
http://www.ntsecurity.net/go/L.asp?A2=IND0002A&L=HOWTO&P=425
3. IOMega Tools Keeps an Insecure Copy of the SAM
http://www.ntsecurity.net/go/L.asp?A2=IND0001E&L=HOWTO&P=478

Follow this link to read all threads for Feb. Week 1:
http://www.ntsecurity.net/go/l.asp?s=howto

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

WINDOWS 2000 MAGAZINE SECURITY UPDATE STAFF
News Editor - Mark Joseph Edwards (mje@win2000mag.com)
Ad Sales Manager (Western and International) - Vicki Peterson (vpeterson@win2000mag.com)
Ad Sales Manager (Eastern) - Tanya T. TateWik (ttatewik@win2000mag.com)
Editor - Gayle Rodcay (gayle@win2000mag.com)
New and Improved – Judy Drennen (products@win2000mag.com)
Copy Editor – Judy Drennen (jdrennen@win2000mag.com)

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

Thank you for reading Windows 2000 Magazine Security UPDATE.

To subscribe, go to http://www.win2000mag.com/update or send email to listserv@listserv.ntsecurity.net with the words "subscribe securityupdate anonymous" in the body of the message without the quotes.

To unsubscribe, send email to listserv@listserv.ntsecurity.net with the words "unsubscribe securityupdate" in the body of the message without the quotes.

To change your email address, you must first unsubscribe by sending email to listserv@listserv.ntsecurity.net with the words "unsubscribe securityupdate" in the body of the message without the quotes. Then, resubscribe by going to http://www.win2000mag.com/update and entering your current contact information or by sending email to listserv@listserv.ntsecurity.net with the words "subscribe securityupdate anonymous" in the body of the message without the quotes.

========== GET UPDATED! ==========
Receive the latest information on the Windows NT and Windows 2000 topics of your choice. Subscribe to these other FREE email newsletters at http://www.win2000mag.com/sub.cfm?code=up99inxsup.
Windows 2000 Magazine UPDATE
Windows 2000 Magazine Thin-Client UPDATE
Windows 2000 Exchange Server UPDATE
Windows 2000 Pro UPDATE
Windows 2000 Magazine Enterprise Storage UPDATE
ASP Review UPDATE
SQL Server Magazine UPDATE
IIS Administrator UPDATE
XML UPDATE

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

Copyright 2000, Windows 2000 Magazine

Security UPDATE is powered by LISTSERV software
http://www.lsoft.com/LISTSERV-powered.html
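
The inventory step from the "Unmap Unused File Extensions in IIS" tip in section 7, as an added example that is not part of the original newsletter: it records every mapping's parameters to a backup file, then lists the mapped extensions that no file or link under the web root uses. The `extension,executable,flags,verbs` mapping layout, the sample paths and all function names are assumptions of this example, and the sample mappings and site content are constructed.

```python
import json
import re
import tempfile
from pathlib import Path, PurePosixPath
from urllib.parse import urlsplit

# Constructed sample mappings in an assumed "extension,executable,flags,verbs"
# layout (supplied by hand here, not read from a live server).
SAMPLE_MAPPINGS = [
    r".asp,C:\WINNT\System32\inetsrv\asp.dll,1,GET,HEAD,POST",
    r".idq,C:\WINNT\System32\idq.dll,3,GET,HEAD,POST",
    r".htw,C:\WINNT\System32\webhits.dll,3,GET,HEAD,POST",
    r".pl,C:\Perl\bin\perl.exe %s %s,1,GET,HEAD,POST",
]
LINK_RE = re.compile(r"""(?:href|src|action)\s*=\s*["']([^"'#]+)""", re.I)
PAGE_EXTS = {".htm", ".html", ".asp"}  # files scanned for links


def parse_mapping(line):
    """Split one mapping string into the parameters worth recording."""
    ext, executable, flags, *verbs = line.split(",")
    return {"extension": ext.lower(), "executable": executable,
            "flags": flags, "verbs": verbs}


def extensions_in_use(web_root):
    """Extensions of files on disk plus extensions referenced by page links."""
    used = set()
    for path in Path(web_root).rglob("*"):
        if not path.is_file():
            continue
        used.add(path.suffix.lower())
        if path.suffix.lower() in PAGE_EXTS:
            text = path.read_text(errors="ignore")
            for target in LINK_RE.findall(text):
                used.add(PurePosixPath(urlsplit(target).path).suffix.lower())
    used.discard("")
    return used


def plan_unmapping(mapping_lines, web_root, backup_path):
    """Record every mapping, then return the extensions no content uses."""
    mappings = [parse_mapping(line) for line in mapping_lines]
    # Record parameters first so a removed mapping can be redefined later.
    Path(backup_path).write_text(json.dumps(mappings, indent=2))
    used = extensions_in_use(web_root)
    return sorted(m["extension"] for m in mappings if m["extension"] not in used)


def build_sample_site(root):
    """Constructed sample content: a page that links to .asp and .idq files."""
    root = Path(root)
    (root / "search").mkdir(parents=True)
    (root / "default.htm").write_text(
        '<a href="/catalog.asp?id=1">Catalog</a>\n'
        '<form action="/search/query.idq" method="GET"></form>\n')
    (root / "catalog.asp").write_text('<% Response.Write("ok") %>')
    (root / "search" / "query.idq").write_text("[Query]\n")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        site = build_sample_site(Path(tmp) / "wwwroot")
        print(plan_unmapping(SAMPLE_MAPPINGS, site, Path(tmp) / "backup.json"))
```

Treat the returned list as candidates to review rather than a final answer, since URLs generated at run time are invisible to a scan of files and static links.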