**********************************************************
WINDOWS 2000 MAGAZINE SECURITY UPDATE
**Watching the Watchers**
The weekly Windows 2000 and Windows NT security update newsletter
brought to you by Windows 2000 Magazine and NTSecurity.net.
http://www.win2000mag.net/Email/Index.cfm?ID=5
**********************************************************
This week's issue sponsored by
Trend Micro -- Your Internet VirusWall
http://www.antivirus.com/2kUPDTRJUNE.htm
FREE Intrusion Detection WebCast
http://www.win2000mag.com/jump.cfm?ID=32
(Below Security Roundup)
|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-
June 7, 2000 - In this issue:
1. IN FOCUS
- And Then Came HavenCo
2. SECURITY RISKS
- Protected Store Key Length
- Internet Explorer-Compiled HTML Might Run Unauthorized Code
- Media Encoder Denial of Service
- SQL Server 7.0 SP1 and SP2 Expose Admin Password
- Imate WebMail Denial of Service
- Buffer Overrun in ITHouse Mail Server
- Buffer Overrun in Sambar Server
3. ANNOUNCEMENTS
- Win2000mag.net--It's Like Spitting in the Ocean...
- Free Books Online
4. SECURITY ROUNDUP
- News: Microsoft's New Security Server
5. NEW AND IMPROVED
- Increased Security for Universities
- Simplify Access to Private Data and Applications
6. HOT RELEASES (ADVERTISEMENTS)
- New! Desktop Firewall for PCs with Windows NT/2000
- VeriSign - The Internet Trust Company
7. SECURITY TOOLKIT
- Book Highlight: Information Security: Protecting the Global
Enterprise
- Tip: Event Log Security ID Descriptions
- Windows 2000 Security: Creating a Custom Password-Reset MMC
- Writing Secure Code: Bind Basics
8. HOT THREADS
- Windows 2000 Magazine Online Forums
IIS and NTFS Security--ASP Problem
- Win2KSecAdvice Mailing List
Released: LibnetNT by eEye Digital Security
- HowTo Mailing List
Event Viewer Query
~~~~ SPONSOR: TREND MICRO -- YOUR INTERNET VIRUSWALL ~~~~
Stop viruses like LOVELETTER, NEWLOVE, RESUME and other malicious
content from jamming up your network. Trend Micro ScanMail for
Microsoft Exchange provides enterprise-strength antivirus and content
security. ScanMail implements uniform virus and content security policy
across the enterprise. The optional eManager plug-in stops SPAM.
ScanMail is fully compatible with Windows 2000 and can automatically
scan either on-demand or at prescheduled intervals. Software, Scan
engine and virus pattern updates distribute automatically to each
networked Exchange Server. Keep viruses out of your Exchange servers
with Trend Micro.
http://www.antivirus.com/2kUPDTRJUNE.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Want to sponsor Windows 2000 Magazine Security UPDATE? Contact Jim
Langone (Western Advertising Sales Manager) at 800-593-8268 or
jim@win2000mag.com, OR Tanya T. TateWik (Eastern and International
Advertising Sales Manager) at 877-217-1823 or ttatewik@win2000mag.com.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1. ========== IN FOCUS ==========
Hello everyone,
Although fending off network-based intruders is a formidable task, you
can achieve it. But how do you protect your data from physical system
access? The obvious answer is by using adequate guards against physical
premise access, which can be expensive. As a result, many companies co-
locate data or servers at offsite locations.
For example, you might rent an entire cage or set of racks within a
cage from a major ISP. The cage or racks come with high-speed
bandwidth. Or you might simply rent a secure e-commerce site from a Web
service provider and let the provider worry about premise-access
concerns. The ultimate solution obviously depends on your needs. The
more sensitive the data, the more sheltered the final solution needs to
be.
Today, hundreds of companies around the world offer various secured
co-location or data-hosting services. When it comes to security, there
are all kinds of boasts and guarantees, but none can match the claim I
heard about this week.
Companies come and companies go, but then came HavenCo. Located on a
tiny man-made island 7 miles off the coast of Great Britain, HavenCo
has a most unique claim to security fame: It not only operates a secure
network co-location center, it operates an entire sovereign country!
Let me explain.
During World War II, Britain built several gun platforms off its
coast to help fend off Nazi warplanes. One of the platforms, named
Roughs Tower, was only 10 by 25 yards and was built on two cement
caissons off the coast of Britain in what was then international
waters.
After the war, Britain dismantled all the platforms except Roughs
Tower, which sat abandoned until 1967 when former English major Paddy
Roy Bates and his family took up residence on the man-made island.
Bates proclaimed the island his own state and bestowed upon himself the
title of Prince--his wife took the title of Princess--to reign over
their newly formed Principality of Sealand.
After several legal encounters over the island, the English court
eventually ruled it had no jurisdiction over Sealand, and Sealand
became formally recognized as its own country. Today, the Bates family
has moved off the island and turned over operation of the property and
the Sealand government to the newly formed HavenCo business.
In a nutshell, HavenCo offers Sealand as a country in which to
operate a business. You can buy a server, bandwidth, and complete
security solution direct from HavenCo and have that business totally
based in Sealand, which provides protection from overly strict data
traffic laws, foreign subpoenas, and other outside interference.
According to HavenCo, Sealand has no laws governing data traffic,
and the terms of HavenCo's agreement with Sealand provide that no data
traffic laws will ever be enacted. You might think HavenCo will soon
become a haven for less-than-favorable network users, such as system
crackers, porn peddlers, and spammers, but perhaps that won’t happen.
The HavenCo acceptable use policy clearly states that it prohibits "the
distribution of child pornography from its servers, and prohibits use
of the network to send bulk unsolicited communications or launch
digital attacks against other computers or networks." Only time will
tell how well HavenCo enforces its guidelines. After all, Sealand has
few laws, and probably none would force HavenCo to take any specific
action other than to terminate a company's service.
I'm not sure what to think about HavenCo. The company professes to
offer a pretty darn secure solution package, but I think it's too soon
to form a solid opinion. Sealand, a country with almost no laws, lets
anyone run a business. Even more interesting is Sealand's claim about
protection from foreign subpoena. According to HavenCo, you can set up
an email system or other service type on its network, and keep it safe
from search and seizure. Microsoft could have used that service to help
fend off the US Department of Justice (DOJ).
With its professed strong physical and network security and fat
bandwidth, HavenCo offers an intriguing solution. It will be
interesting to see who winds up using the services. But it will be even
more interesting to see how world governments react to Sealand's new
data haven. That reaction will depend on how HavenCo's customers use
its multifaceted protected services.
Be sure to stop by the HavenCo Web site (http://www.havenco.com/)
and read about its service offerings as well as the history of Sealand.
I'm sure you'll find it as interesting as I did. Until next time, have
a great week.
Sincerely,
Mark Joseph Edwards, News Editor
mark@ntsecurity.net
2. ========== SECURITY RISKS =========
(contributed by Mark Joseph Edwards, mark@ntsecurity.net)
* PROTECTED STORE KEY LENGTH
By design, the Protected Store in Windows 2000 should always encrypt
information using the strongest cryptography available on the system.
However, the Win2K implementation uses a 40-bit key to encrypt the
Protected Store even if stronger cryptography is installed on the
system. The 40-bit key encryption weakens the protection on the
Protected Store, which lets an intruder more easily crack the key to
gain access to the Protected Store.
http://www.ntsecurity.net/go/load.asp?iD=/security/win2k4-5.htm
* INTERNET EXPLORER-COMPILED HTML MIGHT RUN UNAUTHORIZED CODE
According to a Microsoft security bulletin, if a malicious Web site
references an Internet Explorer (IE)-compiled HTML Help file (which has
a .chm extension), the site can potentially launch code on a visiting
user's computer without the user's approval. Such code can take any
actions that the user can take, including adding, changing, or deleting
data or communicating with a remote Web site.
http://www.ntsecurity.net/go/load.asp?iD=/security/ie517.htm
* MEDIA ENCODER DENIAL OF SERVICE
Microsoft's Media Encoder contains a bug whereby an intruder can send a
particular malformed request to an affected encoder, causing it to deny
formatted content to the Windows Media Server. The vulnerability
primarily affects real-time streaming media providers. Microsoft made a
patch available but then removed the patch for reasons unknown at the
time of this writing.
http://www.ntsecurity.net/go/load.asp?iD=/security/media4-2.htm
* SQL SERVER 7.0 SP1 AND SP2 EXPOSE ADMIN PASSWORD
According to Microsoft, when SQL Server 7.0 Service Pack 1 (SP1) or SP2
is installed on a machine configured to perform authentication using
Mixed Mode, the password for the SQL Server standard security System
Administrator account is recorded in plain text in the file
\%TEMP%\sqlsp.log. The file's default permissions let any user that can
log on interactively to the server read the file. Microsoft has updated
SP2 to help guard against the risk.
http://www.ntsecurity.net/go/load.asp?iD=/security/sql7-5.htm
* IMATE WEBMAIL DENIAL OF SERVICE
A malicious user can crash Imate's SMTP mail service by sending a
string of 1119 characters as a parameter to the HELO command. The
vendor, Concatus, is aware of the problem and has made a patch
available through its support department.
http://www.ntsecurity.net/go/load.asp?iD=/security/imate25-1.htm
* BUFFER OVERRUN IN ITHOUSE MAIL SERVER
A malicious user can crash ITHouse's SMTP mail service by sending a
string of 2270 characters as a parameter to the RCPT TO command. During
the crash, characters beyond 2270 overwrite the EIP Register making it
possible to run arbitrary code on the remote system.
http://www.ntsecurity.net/go/load.asp?iD=/security/ithouse1.htm
* BUFFER OVERRUN IN SAMBAR SERVER
A user can crash the Sambar Server by using the default finger and
whois scripts provided with the Sambar Server software. By sending a
long string of 32,290 characters to either of the scripts, a malicious
user can overflow an unchecked buffer in the sambar.dll file and cause
arbitrary code to run on the machine.
http://www.ntsecurity.net/go/load.asp?iD=/security/sambar1.htm
3. ========== ANNOUNCEMENTS ==========
* WIN2000MAG.NET--IT'S LIKE SPITTING IN THE OCEAN...
You can't miss with our new portal for IT professionals. Access
technical remedies, certification advice, vendor solutions, and
professional development tools, or post a question in our technical
forums. Surely one of our 500,000 monthly Web visitors has solved the
same problem you face now. Raise Your IT IQ at
http://www.win2000mag.net/.
* FREE BOOKS ONLINE
Now online--a technical reference library specifically for Windows IT
professionals. Windows IT Library, a member of the Windows 2000
Magazine Network, provides the information you need when you need it.
For your source of free books and other technical content, visit
http://WindowsITLibrary.com/.
4. ========== SECURITY ROUNDUP ==========
* NEWS: MICROSOFT'S NEW SECURITY SERVER
On June 6, Microsoft released Beta 3 of its new Internet Security and
Acceleration (ISA) Server 2000. Designed for Windows 2000 Server
platforms, ISA Server is an application-level firewall with data-aware
filtering capabilities, IP packet filtering functionality, and Active
Directory (AD) support. Administrators can use ISA Server to control
access by user and group, application, content type, and schedule.
http://www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=147&TB=news
~~~~ SPONSOR: FREE INTRUSION DETECTION WEBCAST ~~~~
AXENT(R)'s "Everything You Need to Know About Intrusion Detection"
WebCast teaches you how to protect yourself against intruders with
AXENT’s Prowler Series (NetProwler(tm) and Intruder Alert(tm)) by
transparently monitoring traffic in real-time and instantly reacting to
attempted attacks. Space is limited - register today at
http://www.win2000mag.com/jump.cfm?ID=32 to reserve your spot.
AXENT is the leading provider of e-security solutions for your
business, delivering integrated products and expert services to 45 of
the Fortune 50 companies.
5. ========== NEW AND IMPROVED ==========
(contributed by Judy Drennen, products@win2000mag.com)
* INCREASED SECURITY FOR UNIVERSITIES
WebTrends announced the Secure University Program, offering a free
version of WebTrends Security Analyzer Professional Edition and a
discount on Security Analyzer Enterprise Edition to any qualified
university. With the Secure University Program, WebTrends wants to
bring increased security to universities and raise security awareness,
given the recent Distributed Denial of Service (DDoS) attacks in some
of the world's largest education systems. For more information, go to
http://www.webtrends.com/secureuniversityprogram.htm.
* SIMPLIFY ACCESS TO PRIVATE DATA AND APPLICATIONS
Jela Company released OnlyYou 1.1, software that lets Windows NT and
Windows 9x users protect their IDs and passwords. Press the OnlyYou hot
key and identify yourself to extract your password from 128-bit
encrypted storage. OnlyYou 1.1 costs $23.50 for a single-user license.
Network and volume licenses are available. For more information,
contact Jela Company at 800-275-0097 or go to the Web site.
http://www.jelaco.com/
6. ========== HOT RELEASES (ADVERTISEMENTS) ==========
* NEW! DESKTOP FIREWALL FOR PCS WITH WINDOWS NT/2000
CyberwallPLUS-WS is a desktop firewall for PCs running Windows NT 4.0
or Windows 2000. It protects against network attacks with an ICSA-
certified packet filter that provides access controls, intrusion
detection and traffic logs.
Free Evaluation: http://www.network-1.com/WSeval/index.htm
* VERISIGN - THE INTERNET TRUST COMPANY
Protect your servers with 128-bit SSL encryption! Get VeriSign's FREE
guide, "Securing Your Web Site for Business." You will learn everything
you need to know about using SSL to encrypt your e-commerce
transactions for serious online security. Click here!
http://www.verisign.com/cgi-bin/go.cgi?a=n016007870003000
7. ========== SECURITY TOOLKIT ==========
* BOOK HIGHLIGHT: INFORMATION SECURITY: PROTECTING THE GLOBAL
ENTERPRISE
By Donald Pipkin
Online Price: $39.99
Softcover; 300 pages
Published by Prentice Hall, May 2000
ISBN 0130173231
IT security expert Donald Pipkin addresses every aspect of information
security: the business issues, the technical-process issues, and the
legal issues, including the personal liabilities of corporate officers
in protecting information assets.
To order this book, go to
http://www.fatbrain.com/shop/info/0130173231?from=win2000mag
or visit the Windows 2000 Magazine Network Bookstore at
http://www1.fatbrain.com/store.cl?p=win2000mag&s=97772.
* TIP: EVENT LOG SECURITY ID DESCRIPTIONS
(contributed by Mark Joseph Edwards, http://www.ntsecurity.net/)
You use event logs to audit security events on your systems, but do you
always know what a given event ID code represents? It's hard to
remember details about each event ID because Microsoft lists more than
50 different security event ID codes. Microsoft article Q174074 lists
dozens of event ID codes along with detailed examples of what those
event log entries will look like. You might want to bookmark or print
the page for future reference.
http://www.microsoft.com/technet/support/kb.asp?ID=174074
* WRITING SECURE CODE: BIND BASICS
In his latest Web exclusive column, David LeBlanc points out that to
understand how to bind a TCP socket to a port, you need to look at the
arguments for the bind() function. One of these arguments (the second)
is a pointer to a sockaddr structure. For IP applications, that pointer
is typically a sockaddr_in structure that contains the numeric IP
address and port that you want to bind to locally. If you can't easily
identify what interfaces are available, you can simply bind to all
available local interfaces by specifying INADDR_ANY as the address.
One security risk that you need to be aware of is that users can bind
two sockets to the same port using a socket option known as
SO_REUSEADDR. In other words, two different applications can answer
connections on the same port. Be sure to read the rest of David's
column on our Web site.
http://www.ntsecurity.net/go/seccode.asp
8. ========== HOT THREADS ==========
* WINDOWS 2000 MAGAZINE ONLINE FORUMS
The following text is from a recent threaded discussion on the Windows
2000 Magazine online forums (http://www.win2000mag.net/forums/).
IIS and NTFS Security--ASP Problem
Scenario: IIS 4 with SP6a. I attempted to apply RX security to the OS
file system. While HTML still served up, no ASP pages would work. After
extensive search on Microsoft's site, I came up empty-handed, and had
to allow the Change perms on NTFS. I ensured that the anonymous user
had NTFS read and execute permissions to the entire file system. Any
suggestions?
Thread continues at
http://www.win2000mag.net/Forums/Application/Thread.cfm?CFApp=64&Thread_ID=38701&mc=2.
* WIN2KSECADVICE MAILING LIST
Each week we offer a quick recap of some of the highlights from the
Win2KSecAdvice mailing list. The following thread is in the spotlight
this week.
Released: LibnetNT by eEye Digital Security
Libnet for UNIX is used in many of today's popular security programs
because of how easy it is to implement low-level packet functionality
into a program. Now that same ease-of-use development API is available
for Windows NT platforms.
http://www.ntsecurity.net/go/w.asp?A2=IND0006A&L=WIN2KSECADVICE&P=89
Follow this link to read all threads for June, Week 1:
http://www.ntsecurity.net/go/w.asp?A1=ind0006a&L=win2ksecadvice
* HOWTO MAILING LIST
Each week we offer a quick recap of some of the highlights from the
HowTo for Security mailing list. The following thread is in the
spotlight this week.
Event Viewer Query
This is going to seem like a strange question, but it has me a bit
baffled. If you have a standalone server with full auditing enabled on
it, how does the Event ID 528 (as seen in the Event Viewer) apply?
Because the standalone server is not capable of authentication, then
this should mean that someone physically went to the standalone server
and logged on, and if done locally, then it should be indicated under
Domain, which it isn't. However, it does list "MachineTwo" as the
workstation name where the logon was successful. What remote logon will
trigger this Event ID?
http://www.ntsecurity.net/go/L.asp?A2=IND0006a&L=HOWTO&P=159
Follow this link to read all threads for June, Week 1:
http://www.ntsecurity.net/go/l.asp?A1=ind0006a&L=howto
|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-
WINDOWS 2000 MAGAZINE SECURITY UPDATE STAFF
News Editor - Mark Joseph Edwards (mje@win2000mag.com)
Ad Sales Manager (Western) - Jim Langone (jim@win2000mag.com)
Ad Sales Manager (Eastern) - Tanya T. TateWik (ttatewik@win2000mag.com)
Associate Publisher/Network - Martha Schwartz (mschwartz@win2000mag.com)
Editor - Gayle Rodcay (gayle@win2000mag.com)
New and Improved - Judy Drennen (products@win2000mag.com)
Copy Editor - Judy Drennen (jdrennen@win2000mag.com)
|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-
========== GET UPDATED! ==========
Receive the latest information about the Windows 2000 and Windows NT
topics of your choice, including Win2K Pro, Exchange Server, thin-
client, training and certification, SQL Server, IIS administration,
XML, application service providers, and more. Subscribe to our other
FREE email newsletters at
http://www.win2000mag.com/sub.cfm?code=up00inxwnf.
|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-
Thank you for reading Security UPDATE.
SUBSCRIBE
To subscribe send a blank email to
subscribe-Security_UPDATE@list.win2000mag.net.
UNSUBSCRIBE
To unsubscribe, send an email to U-A3.15.87030@list.win2000mag.net. Or
click http://go.win2000mag.net:80/UM/U.ASP?A3.15.87030 and you will be
removed from the list. Thank you!
If you have questions or problems with your UPDATE subscription, please
contact securityupdate@win2000mag.com.
___________________________________________________________
Copyright 2000, Windows 2000 Magazine