Security UPDATE, April 24, 2002
Mark Joseph Edwards directs you to several security checklists and tools that can help you improve your security configurations. Many are available for free and online.
April 23, 2002
Windows & .NET Magazine Security UPDATE—brought to you by Security Administrator, a print newsletter bringing you practical, how-to articles about securing your Windows .NET Server, Windows 2000, and Windows NT systems.
http://www.secadministrator.com
THIS ISSUE SPONSORED BY
FREE—SANS Top Trends in Security Management
http://www.netiq.com/f/form/form.asp?id=536
SPI Dynamics Web Application Security White Paper
http://www.spidynamics.com/mktg/webappsecurity7/
(below IN FOCUS)
SPONSOR: FREE—SANS TOP TRENDS IN SECURITY MANAGEMENT
What's the hottest trend shaping security this year? Read the FREE SANS report sponsored by NetIQ to find out. Learn what the top industry authorities had to say about security management in 2002. You'll gain valuable insights and expert advice on crucial topics including new threats, automated patching and continuous monitoring. Don't get left behind—discover the top 8 security trends for 2002 now. Download the must-have report today!
http://www.netiq.com/f/form/form.asp?id=536
April 24, 2002—In this issue:
1. IN FOCUS
Security Checklists and Handy Tools
2. SECURITY RISKS
Buffer Overflow in talentsoft's Web+ 5.0 and Web+ 4.6 Affects Microsoft IIS
Cross-Site Scripting Vulnerability in Microsoft IE
3. ANNOUNCEMENTS
Learn from (or Try to Stump) Top Windows Security Pros
Cast Your Vote for Our Reader's Choice Awards!
4. SECURITY ROUNDUP
News: Microsoft Article Q320751: DoS Workarounds
News: New Variant of Klez Worm Spreading
News: eEye Digital Security and St. Bernard Software Bundle Software
News: WebEyeAlert and Amcest Partner for Video Surveillance
5. INSTANT POLL
Results of Previous Poll: Hotfix Availability Notification
New Instant Poll: Antivirus Defense Location
6. SECURITY TOOLKIT
Virus Center
Virus Alert: W32/Klez.I
FAQ: How Can I Disable IPSec on a VPN Connection That Uses L2TP?
7. NEW AND IMPROVED
Secure Your Company with Cameras
Protect Your Hardware from Theft
8. HOT THREADS
Windows & .NET Magazine Online Forums
Featured Thread: View All Permissions and Shares
HowTo Mailing List
Featured Thread: Exceeding the 512-Character Limit of the Legal Logon Notice
9. CONTACT US
See this section for a list of ways to contact us.
1. IN FOCUS
(contributed by Mark Joseph Edwards, News Editor, [email protected])
SECURITY CHECKLISTS AND HANDY TOOLS
When you perform a new software installation, do you use a checklist to make sure you've adjusted the configuration for better security? Numerous helpful checklists are available for various systems, many of them online. Windows & .NET Magazine published a new guide in February 2002, which is available for free: "Secure Your Operating System—Guidelines for Hardening Windows 2000."
Jan De Clercq, who writes the NT Gatekeeper column for the Security Administrator print newsletter, developed the checklist, which covers a variety of system-configuration settings. The guide covers topics such as authentication, access control, system-related hardening features, Group Policy settings, and using Microsoft's Security Configuration Tool Set. The guide also includes references to many security tools and resources available for free. You can download a copy of the guide in PDF format at the IT Buyer's Network Web site.
I also recommend a set of free checklists from Australian-based company InterSect Alliance. You'll find valuable checklists for five products that many of you use: Win2K, Windows NT, Microsoft IIS, Apache Web server, and Linux.
The checklists cover several aspects of the products, and, as you might expect, each checklist begins with suggestions about how to perform installation. The checklists also discuss network services and network access controls, object access controls, subsystems that particular products contain, and, of course, auditing. Even if you have checklists you already use, stop by the Web site and examine these lists as well—you might find additional items for consideration that you've overlooked.
Arne Vidstrom, Swedish security aficionado, recently released a new security tool—PromisDetect—which is available for free. The tool runs on Windows XP, Win2K, and NT. The tool checks systems to determine whether their network adapters are running in promiscuous mode. Systems whose network adapter cards run in promiscuous mode probably run software that acts as a traffic sniffer, and you don't want just anybody running a sniffer on your network. As you know, network packets often contain sensitive information, including authentication data and proprietary company information, so letting sniffers run unchecked on the network weakens overall security. PromisDetect is a good way to identify rogue sniffers. However, as Vidstrom notes, because someone running a sniffer might also be intercepting traffic from software designed to detect sniffers, PromisDetect and similar sniffer detectors aren't foolproof. You can download a copy of PromisDetect, as well as several other useful security-related tools, at Vidstrom's Web site.
http://www.ntsecurity.nu/toolbox
As I read our "HowTo for Security" mailing list last week (you can subscribe at the URL below), I noticed that subscribers were asking how to map listening ports back to their respective system services. As you know, using a command such as the "netstat -a" command or the "netstat -an" command can produce a list of ports, port service names, and IP addresses. However, the lists don't include a map to the actual system service that opened the port in the first place. Although you can see which port is listening, which computer system is connected to it, and which service the port is typically used for, you're still in the dark about which application on your system actually opened the port.
http://www.secadministrator.com/listserv/page_listserv.asp?s=howto
Fortunately, tools are available that support further discovery. Foundstone's Fport tool maps listening ports to the software on your system that opened the port. When you run the Fport tool, you see a list of open ports matched to a list of the applications that opened the ports. The list includes full pathnames so that you can more easily identify the exact programs referenced. You can download a copy of Fport and several other useful security tools at the Foundstone Web site.
http://www.foundstone.com/knowledge/proddesc/fport.html
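An added example (not from the newsletter or from Foundstone): on current Windows versions, `netstat -ano` includes the owning PID and `tasklist /fo csv /nh` lists PIDs with image names, so the two can be joined into a similar port-to-process map. The Python code below does that over constructed sample output and flags listeners outside an assumed baseline; the sample rows, `updater.exe`, and the `EXPECTED` set are illustrative assumptions.

```python
import csv
import io

# Constructed `netstat -ano` output (not captured from a real host).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:8081           0.0.0.0:0              LISTENING       2440
  TCP    10.0.0.5:49712         10.0.0.9:443           ESTABLISHED     3120
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:1900           *:*                                    5000
"""
# Constructed `tasklist /fo csv /nh` output; PID 5000 is deliberately absent.
TASKLIST_SAMPLE = '''\
"System","4","Services","0","140 K"
"svchost.exe","912","Services","0","9,120 K"
"updater.exe","2440","Console","1","3,004 K"
'''
# Assumed site baseline of (protocol, port) pairs allowed to listen.
EXPECTED = {("TCP", 135), ("TCP", 445)}

def parse_tasklist(text):
    """Return {pid: image name} from `tasklist /fo csv /nh` output."""
    return {int(r[1]): r[0] for r in csv.reader(io.StringIO(text)) if len(r) >= 2}

def parse_listeners(text):
    """Yield (proto, address, port, pid) for listening TCP and bound UDP rows."""
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP" and f[3] == "LISTENING":
            pid = f[4]
        elif len(f) == 4 and f[0] == "UDP":
            pid = f[3]  # UDP rows have no State column
        else:
            continue  # header, blank lines, sockets that are not listening
        addr, _, port = f[1].rpartition(":")  # split on last colon so "[::]" survives
        yield f[0], addr, int(port), int(pid)

def map_ports(netstat_text, tasklist_text, expected=EXPECTED):
    """Join listeners to image names and flag ports outside the baseline."""
    names = parse_tasklist(tasklist_text)
    return [{"proto": proto, "addr": addr, "port": port, "pid": pid,
             "image": names.get(pid, "<not in tasklist>"),
             "unexpected": (proto, port) not in expected}
            for proto, addr, port, pid in parse_listeners(netstat_text)]

if __name__ == "__main__":
    for row in map_ports(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(row)
```

Unlike the Fport listing described above, `tasklist` reports image names only, not full pathnames, so a flagged PID still needs its executable path confirmed separately.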
Finally, are you keeping up with Microsoft security bulletins and related hotfixes? Even if you are, keep in mind that occasionally Microsoft publishes workarounds for security problems without releasing a related bulletin to alert you to the need for system-configuration adjustments. For example, Microsoft recently released the article, "Denial of Service Attack on Port 445 May Cause Excessive CPU Use". The article discusses registry settings that can help prevent particular Denial of Service (DoS) attacks. You can read about the matter in the related news story in this issue of Security UPDATE.
http://www.secadministrator.com/articles/index.cfm?articleid=24948
SPONSOR: SPI DYNAMICS WEB APPLICATION SECURITY WHITE PAPER
ALERT! Web applications are the new area of attack for hackers!
By taking advantage of your website and using it to exploit your applications, a hacker can gain access to your backend data. All undetectable by today's methods of Internet security! Download this *FREE* white paper from SPI Dynamics that provides a complete guide of vulnerabilities and steps for protection!
http://www.spidynamics.com/mktg/webappsecurity7/
2. SECURITY RISKS
BUFFER OVERFLOW IN TALENTSOFT'S WEB+ 5.0 AND WEB+ 4.6 AFFECTS MICROSOFT IIS
A buffer-overflow condition in talentsoft's Web+ 5.0 and Web+ 4.6 could result in the execution of code on the vulnerable system under the system security context. Requesting a Wireless Markup Language (WML) file from a Web server and supplying an overly long cookie can cause the internal buffer to overflow, overwriting a saved return address on the stack. The vendor, talentsoft, has created a patch for this vulnerability. For a link to the patch, visit the URL below.
http://www.secadministrator.com/articles/index.cfm?articleid=24929
3. ANNOUNCEMENTS
LEARN FROM (OR TRY TO STUMP) TOP WINDOWS SECURITY PROS
The Windows & .NET Magazine LIVE! event brings together industry gurus who take security seriously. Topic coverage includes Microsoft IIS security, deploying public key infrastructure (PKI), designing Group Policies to enhance security, tips for securing Windows 2000 networks, security pitfalls (and solutions) for your mobile workforce, and more. Register today before this event sells out!
http://www.winnetmagLIVE.com
CAST YOUR VOTE FOR OUR READER'S CHOICE AWARDS!
Which companies and products do you think are the best on the market? Nominate your favorites in four different categories for our annual Windows & .NET Magazine Reader's Choice Awards. You could win a T-shirt or a free Windows & .NET Magazine Super CD, just for submitting your ballot. Click here!
http://www.winnetmag.com/readerschoice
4. SECURITY ROUNDUP
NEWS: MICROSOFT ARTICLE Q320751: DoS WORKAROUNDS
Peter Grundl, a researcher at KPMG in Denmark, discovered a Denial of Service (DoS) condition in Windows 2000 that could potentially cause systems to crash. Microsoft issued the article, "Denial of Service Attack on Port 445 May Cause Excessive CPU Use," regarding the matter. The article describes two methods to work around the vulnerability.
http://www.secadministrator.com/articles/index.cfm?articleid=24948
NEWS: NEW VARIANT OF KLEZ WORM SPREADING
Antivirus software maker Panda Software has issued a warning about a dangerous new worm variant, W32/Klez.I, which is spreading across Europe and Asia. Panda Software expects the virus to spread to the United States beginning this week.
http://www.secadministrator.com/articles/index.cfm?articleid=24867
NEWS: eEYE DIGITAL SECURITY AND ST. BERNARD SOFTWARE BUNDLE SOFTWARE
eEye Digital Security and St. Bernard Software have announced a strategic partnership to bundle eEye's Retina Network Security Scanner software with St. Bernard's UpdateEXPERT software. The software bundle lets administrators use Retina Network Security Scanner to scan for security vulnerabilities and use UpdateEXPERT to help correct a problem by guiding the administrator through the process of installing patches and making configuration adjustments.
http://www.secadministrator.com/articles/index.cfm?articleid=24925
NEWS: WebEyeAlert AND AMCEST PARTNER FOR VIDEO SURVEILLANCE
WebEyeAlert, which develops WebEyeAlert video security surveillance technology, announced a strategic partnership with Amcest, a nationwide monitoring service. Under the terms of the partnership, Amcest will offer its dealers the WebEyeAlert solution to promote free video monitoring services to its customers.
http://www.secadministrator.com/articles/index.cfm?articleid=24924
5. INSTANT POLL
RESULTS OF PREVIOUS POLL: HOTFIX AVAILABILITY NOTIFICATION
The voting has closed in Windows & .NET Magazine's Security Administrator Channel nonscientific Instant Poll for the question, "If someone makes information about a security vulnerability public before the company whose product is involved has developed a fix, should that company notify customers about an estimated time when a fix will be available?" Here are the results (+/- 2 percent) from the 473 votes:
90% Yes
6% No
4% Not sure
NEW INSTANT POLL: ANTIVIRUS DEFENSE LOCATION
The next Instant Poll question is, "Where have you placed your organization's antivirus defenses?" Go to the Security Administrator Channel home page and submit your vote for a) on desktops, b) on email servers, c) on file servers, d) at the Internet border, or e) at two or more of the above locations.
http://www.secadministrator.com
6. SECURITY TOOLKIT
VIRUS CENTER
Panda Software and the Windows & .NET Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security.
http://www.secadministrator.com/panda
Virus Alert: W32/Klez.I
W32/Klez.I is a worm that's designed to spread through email. The messages the worm sends have different subjects, which include
A new website
Introduction on ADSL
Fw:virus,japanese lass' sexy pictures
A very new game
NOSHADE CLASS
The body of the message the worm sends might contain any of the following text:
This is a new website. I wish you would like it.
This game is my first work.
You're the first player.
I hope you would enjoy it
Files attached to messages the worm sends have random names. Once run, the worm creates a file in the Windows directory and a file in the Program Files folder.
http://63.88.172.127/panda/index.cfm?fuseaction=virus&virusid=1154
FAQ: How can I disable IPSec on a VPN connection that uses L2TP?
(contributed by John Savill, http://www.windows2000faq.com)
A. Windows automatically creates an IP Security (IPSec) policy for Layer Two Tunneling Protocol (L2TP) connections because L2TP doesn't encrypt data. However, you might want to test a VPN L2TP connection without IPSec (e.g., when you're troubleshooting). Although you must disable IPSec on both the client and server in this situation, make sure you reenable the security policy after you resolve any problems; otherwise, your systems are vulnerable to attack. To disable IPSec, perform the following steps on both client and server:
1. Start a registry editor (e.g., regedit.exe).
2. Navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters subkey.
3. From the Edit menu, select New, DWORD Value.
4. Enter a name of ProhibitIpSec and click Enter.
5. Double-click the new value, set it to 1, and click OK.
6. Restart the machine.
For more information, see the Microsoft article "How to Configure a L2TP/IPSec Connection Using Pre-shared Key Authentication."
http://support.microsoft.com/default.aspx?scid=kb;en-us;q240262
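An added example (not part of the original FAQ): because the FAQ stresses reenabling IPSec after troubleshooting, the check below parses `reg query` output gathered from several machines and lists those where ProhibitIpSec is still set to 1. The host names and sample outputs are constructed for illustration.

```python
import re

# Value name and meaning as given in the FAQ steps: 1 disables IPSec for L2TP.
VALUE_RE = re.compile(r"^\s*ProhibitIpSec\s+REG_DWORD\s+0x([0-9a-f]+)\s*$",
                      re.I | re.M)

# Constructed output of
#   reg query "HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters" /v ProhibitIpSec
# as if collected from three hypothetical hosts.
KEY_LINE = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters"
SAMPLES = {
    "vpn-srv01": f"\n{KEY_LINE}\n    ProhibitIpSec    REG_DWORD    0x1\n\n",
    "laptop-17": f"\n{KEY_LINE}\n    ProhibitIpSec    REG_DWORD    0x0\n\n",
    "laptop-22": "ERROR: The system was unable to find the specified "
                 "registry key or value.\n",
}


def prohibit_ipsec(reg_output):
    """Return the ProhibitIpSec DWORD as an int, or None when the value is absent."""
    match = VALUE_RE.search(reg_output)
    return int(match.group(1), 16) if match else None


def needs_reenable(samples):
    """Return the sorted host names whose ProhibitIpSec value is still 1."""
    return sorted(host for host, out in samples.items()
                  if prohibit_ipsec(out) == 1)


if __name__ == "__main__":
    for host, out in sorted(SAMPLES.items()):
        print(host, prohibit_ipsec(out))
    print("still disabled:", needs_reenable(SAMPLES))
```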
7. NEW AND IMPROVED
(contributed by Judy Drennen, [email protected])
SECURE YOUR COMPANY WITH CAMERAS
CamDevTeam released CamSurveillance, shareware capable of monitoring up to 50 IP-addressable network cameras to secure your company. You can use the cameras within your company's LAN or select your favorite WebCams from the Internet. CamSurveillance runs on Windows XP, Windows 2000, Windows NT, Windows Me, and Windows 9x systems and costs $49.95. Contact CamDevTeam at [email protected] for a trial download.
http://www.camsurveillance.com
PROTECT YOUR HARDWARE FROM THEFT
Brigadoon Software announced PC PhoneHome Enterprise, software that gives enterprise-level users a security tool to protect computer hardware and intellectual property against theft. PC PhoneHome Enterprise works by sending periodic signals to a centralized command center the licensee chooses with the exact coordinates of the registrant's computer. If the computer is lost or stolen, the signals can pinpoint the computer's whereabouts. PC PhoneHome Enterprise runs on all Windows and Macintosh systems. For pricing, contact Brigadoon at the Web site.
http://www.brigadoonsoftware.com
8. HOT THREADS
WINDOWS & .NET MAGAZINE ONLINE FORUMS
http://www.winnetmag.net/forums
Featured Thread: View All Permissions and Shares
(Two messages in this thread)
Tom wants to know how he can view a list of all permissions and shares on a given system. Can you help?
http://www.secadministrator.com/forums/thread.cfm?thread_id=102362
HOWTO MAILING LIST
http://www.secadministrator.com/listserv/page_listserv.asp?s=howto
Featured Thread: Exceeding the 512-Character Limit of the Legal Logon Notice
(One message in this thread)
Windows 2000 Group Policy restricts the length of the logon sequence legal notice text to 512 characters. This length is probably sufficient in most cases. However, some countries have a legal requirement to display such notices in more than one language, which can cause the total text displayed to exceed the 512-character limit. Are there any known workarounds to the 512-character restriction? Can you help? Read the responses or lend a hand at the following URL.
http://63.88.172.96/listserv/page_listserv.asp?A2=ind0204c&l=howto&p=659
9. CONTACT US
Here's how to reach us with your comments and questions:
ABOUT IN FOCUS — [email protected]
ABOUT THE NEWSLETTER IN GENERAL — [email protected]
(please mention the newsletter name in the subject line)
TECHNICAL QUESTIONS — http://www.winnetmag.net/forums
PRODUCT NEWS — [email protected]
QUESTIONS ABOUT YOUR Security UPDATE SUBSCRIPTION?
Customer Support — [email protected]
WANT TO SPONSOR Security UPDATE?
[email protected]
This email newsletter is brought to you by Security Administrator, the print newsletter with independent, impartial advice for IT administrators securing a Windows 2000/Windows NT enterprise. Subscribe today!
http://www.secadministrator.com/sub.cfm?code=saei25xxup
Receive the latest information about the Windows and .NET topics of your choice. Subscribe to our other FREE email newsletters.
http://www.winnetmag.net/email
Thank you for reading Security UPDATE.
Copyright 2002, Penton Media, Inc.