Security UPDATE--Administrator Accounts and Root Kits--March 9, 2005

Help for Windows users who run into problems when using nonadministrative accounts. Also, tools for detecting root kits and links to security news items, blog entries, and FAQs.

ITPro Today

March 8, 2005

11 Min Read
ITPro Today logo in a gray background | ITPro Today

This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE.

Free util: Scan your site for system slowdowns

http://www.executive.com/profile/submit-select.aspx?a=l&PId=94&ad=witpdpan4

SQL Server Magazine

http://www.sqlmag.com/rd.cfm?code=00eu215xwu

===============

==========

==== Sponsor: Executive Software ==== Free util: Scan your site for system slowdowns Disk Performance Analyzer for Networks is a FREE utility that remotely checks your systems for performance bottlenecks caused by severe disk fragmentation. If not identified promptly, fragmentation builds exponentially and causes frustrating slowdowns, random crashes, even complete inability to boot. Disk Performance Analyzer for Networks zeros in on problem computers, showing you exactly how much performance and stability is being lost. Find systems that need attention now, BEFORE they become help desk calls! This is a free utility, not spyware or adware. Download Disk Performance Analyzer for Networks now! http://www.executive.com/profile/submit-select.aspx?a=l&PId=94&ad=witpdpan4

==========

==== 1. In Focus: Administrator Accounts and Root Kits ==== by Mark Joseph Edwards, News Editor, mark at ntsecurity / net Last week, I wrote about why you should try not to use administrative accounts unless you really need to. Several readers wrote to explain various scenarios and problems they've encountered while trying to use a nonadministrative account for certain tasks. Some of the problems involve using Windows Explorer, running debuggers, creating Data Source Names (DSNs), and accessing Control Panel items. Obviously, you'll need to log on as the administrator in some instances; using RunAs, even with the /netonly switch, might not always suffice. There are other possible solutions for some problems too. For example, Microsoft's OS resource kits include the su.exe tool, which can elevate privileges. Another tool, which I've mentioned before, is MakeMeAdmin, written by Aaron Margosis at Microsoft. The tool adds your account to the local Administrators group, spawns a command shell with your new elevated privileges, and then removes your account from the group. So, effectively, MakeMeAdmin gives you a command shell running with a new security token. You can perform whatever actions you need to in the shell. If you also need privileges on the network, you can initiate some kind of network access and authenticate by using whatever account you prefer. For example, you can map a drive by using the command net use and specifying an account with the required privileges. Or you could launch Windows Explorer on the desktop with elevated privileges by using its /root switch. You could also launch Control Panel applets by simply entering the applet name and extension (.cpl) as if it were any other executable program. If you run Microsoft Internet Explorer (IE) with elevated privileges, you can use Margosis's PrivBar add-on that shows which security level your browser is running under. http://blogs.msdn.com/aaron_margosis/archive/2004/07/24/193721.aspx http://blogs.msdn.com/aaron_margosis/archive/2004/07/24/195350.aspx Another reader wrote to point out that Microsoft has published a document that explains some of the problems you can encounter when you run applications on the desktop with nonadministrative accounts. The article offers tips about how developers can remedy some of those problems and offers some insight into how the next release of Windows (codenamed Longhorn) will address the matter in more effective ways. One change will be a Protected Administrator status, which, if I understand correctly, will allow a user to use an administrator account but with the fewest privileges necessary for a given task. http://msdn.microsoft.com/library/en-us/dnlong/html/leastprivlh.asp Another topic I want to discuss this week is root kits, which as you know, can be a real problem. A Microsoft paper discusses research the company has done regarding ways to discover such nuisances. The paper mentions a related tool, Strider Ghostbuster, developed in the labs, which isn't available to the public. http://research.microsoft.com/research/pubs/view.aspx?type=Technical%20Report&id=775 However, Sysinternals has a root kit discovery tool that you might find helpful. The new tool, RootkitRevealer, is still undergoing development, but you can download a copy and try it out. http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml F-Secure will release a beta version of its new root kit detection tool, F-Secure BlackLight Rootkit Elimination Technology, this week. You can learn more about that tool in the related article on our Web site. http://www.windowsitpro.com/Article/ArticleID/45631

==========

==== Sponsor: SQL Server Magazine ==== Get SQL Server Magazine and Get Answers Throughout the year in 2005, SQL Server Magazine is on target to deliver comprehensive coverage of all hot industry topics, including SQL Server 2005, performance tuning, security, Reporting Services, Integration Services, and .NET development. If you aren't already a subscriber, now is the time to sign up. You'll get unlimited online access to every article ever published in the magazine and you'll get 30% off the cover price. Don't miss out . . . sign up today: http://www.sqlmag.com/rd.cfm?code=00eu215xwu

==========

==== 2. Security News and Features ==== Recent Security Vulnerabilities If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at http://www.windowsitpro.com/departments/departmentid/752/752.html Need Information About Internet Explorer 7.0? If you need information about the upcoming Microsoft Internet Explorer (IE) 7.0, you can find some tidbits about it on IEBlog, which is operated by Microsoft's IE team. http://www.windowsitpro.com/Article/ArticleID/45560 Deploying Junk Mail Filter Lists in Outlook 2003 Microsoft released a hotfix for Outlook 2003 late last month for a feature that deals with importing junk mail filter lists into Outlook 2003. This feature lets you use registry values to tell Outlook to import the Safe Senders, Safe Recipients, and Blocked Senders lists from specific locations and either overwrite the user's existing junk mail filter lists or append entries to them. The hotfix makes some important changes to the way the feature works. http://www.windowsitpro.com/Article/ArticleID/45563 @stake LC 5 If you want a terrific password-auditing tool, Jeff Fellinge recommends the most recent version of L0phtCrack: @stake LC 5 (recently acquired by Symantec). New features let you remotely collect password hashes, schedule scans, score passwords, create audit reports, and speed up audits. LC 5 supports most password-cracking methods and comes in four versions (professional, administrator, site, and consultant). http://www.windowsitpro.com/Article/ArticleID/45256

==========

==========

==== Hot Release ==== Managing and Securing IM in the Enterprise: Why It Should Be a Top Priority With instant messaging virtually in all corporate environments, and expected to be as prevalent as email in the near future, it has rapidly become an indispensable business communication tool. Yet, IM growth within the enterprise brings an associated increase in security risks to both public and enterprise IM networks. In this free white paper, learn how you can take control of IM use on your network to ensure security and compliance. You'll learn how to protect yourself from Virus & worms attacks, Identity theft, Leakage of confidential information and more. Download now! http://www.windowsitpro.com/whitepapers/akonix/securingim/index.cfm?code=secnl0309

==========

==== 3. Security Toolkit ==== Security Matters Blog by Mark Joseph Edwards, http://www.windowsitpro.com/securitymatters Google Hacking: No Longer a Sure Thing for Intruders A new honeypot can trap intruders who use Google queries to find vulnerable systems. Such intruders typically use search engine queries to look for sites whose URLs contain particular words or phrases that might indicate that the site is using vulnerable applications. http://www.windowsitpro.com/Article/ArticleID/45535 Security Event Log Chat Randy Franklin Smith is one of the foremost authorities on the Windows Security event log and a respected trainer who teaches Monterey Technology Group's "Security Log Secrets" course. In his article in the March issue of Windows IT Pro magazine, Randy shines a light on this dark and mysterious corner of cryptic event IDs and codes and inaccurate Microsoft documentation. Here's your chance to ask Randy your questions about the Security log and get answers Microsoft doesn't provide. Join the chat March 16 at 1:00 P.M. Pacific time. For details, visit http://list.windowsitpro.com/t?ctl=4412:10355 FAQ by John Savill, http://www.windowsitpro.com/windowsnt20002003faq Q. How can I back up and restore user profiles when deploying a new OS via the Microsoft Systems Management Server (SMS) OS Deployment Feature Pack? Find the answer at http://www.windowsitpro.com/Article/ArticleID/45527 Security Forum Featured Thread: Backup Account Permissions on Windows Server 2003 A forum participant is trying to remove service accounts from administrative groups. ARCServe by default puts its account in the Administrators and Domain Admins groups. Is there a workaround so that that particular account doesn't need to belong to those groups? Putting the account in the Backup and Server Operator groups doesn't seem to be sufficient. Can a security policy be adjusted to help? Join the discussion at http://www.windowsitpro.com/Forums/messageview.cfm?catid=42&threadid=130151

==========

==== Announcements ==== (from Windows IT Pro and its partners) Get Windows IT Pro at 44% Off! Windows & .NET Magazine is now Windows IT Pro! Act now to get an entire year for just $39.95--that's 44% off the cover price! Our March issue shows you what you need to know about Windows Server 2003 SP1, how to get the best out of your IT staff, and how to fight spyware. Plus, we review the top 10 features of Mozilla Firefox 1.0. This is a limited-time, risk-free offer, so click here now: http://www.windowsitpro.com/rd.cfm?code=theu2052up

==========

==========

==== Contact Us ==== About the newsletter -- [email protected] About technical questions -- http://www.windowsitpro.com/forums About product news -- [email protected] About your subscription -- [email protected] About sponsoring Security UPDATE -- [email protected]

===============

This email newsletter is brought to you by Security Administrator, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.

http://www.secadministrator.com/rd.cfm?code=00ep254xeb

View the Windows IT Pro privacy policy at

http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy

Windows IT Pro, a division of Penton Media, Inc.

221 East 29th Street, Loveland, CO 80538

Attention: Customer Service Department

Copyright 2005, Penton Media, Inc. All rights reserved.

Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like