Security UPDATE, October 2, 2002

Windows & .NET Magazine Security UPDATE—brought to you by Security Administrator, a print newsletter bringing you practical, how-to articles about securing your Windows .NET Server, Windows 2000, and Windows NT systems.
http://www.secadministrator.com

THIS ISSUE SPONSORED BY

Free Security Seminar
http://www.bindview.com/GetSecure1

Networking UPDATE Email Newsletter
http://www.winnetmag.com/email
(below IN FOCUS)

SPONSOR: FREE SECURITY SEMINAR

How can you quickly locate and eliminate security vulnerabilities? Why were some companies protected from Nimda and Code Red when others were not? How can you become proactive, rather than reactive with security issues? Find out the answers to these and other questions at one of 12 free, half-day seminars co-sponsored by Microsoft and BindView Corporation, "Proactive Security Management for the Microsoft Enterprise." To find a location near you and to register, go to
http://www.bindview.com/GetSecure1

October 2, 2002—In this issue:

1. IN FOCUS

2. SECURITY RISKS

3. ANNOUNCEMENTS

4. SECURITY ROUNDUP

5. HOT RELEASE (ADVERTISEMENT)

6. INSTANT POLL

7. SECURITY TOOLKIT

8. NEW AND IMPROVED

9. HOT THREADS

10. CONTACT US

1. IN FOCUS

(contributed by Mark Joseph Edwards, News Editor, [email protected])

Are you tired of Denial of Service (DoS) attacks, viruses, worms, and assorted causes of network downtime? A new solution might be on the (distant) horizon: The National Science Foundation (NSF) has selected five university computer science departments to create a new secure decentralized network infrastructure that would be resilient against failure and attack. The NSF awarded $12 million to launch development of the new project, called the Infrastructure for Resilient Internet Systems (IRIS). The selected universities are the Massachusetts Institute of Technology (MIT), the University of California at Berkeley, the International Computer Science Institute, New York University, and Rice University.
http://iris.lcs.mit.edu

The group of universities will work to develop a new network infrastructure based on distributed hash table (DHT) technology, which will act as the cornerstone to "securely orchestrate data retrieval and computation on open-ended large-scale networks such as the Internet, even when the individual nodes on the network are insecure or unreliable."

Whereas DNS typically involves systems accessed in hierarchical order, DHT would, in contrast, involve a range of systems accessed based on a data object that an application requires. Developers could use DHT to create a network infrastructure similar to peer-to-peer (P2P) file-sharing networks, such as Gnutella or KaZaA, but with significant replication and security improvements—potentially a viable new computing infrastructure for the business world.

According to the basic operational theory of the new infrastructure, an object stored on the network would be digitally signed and replicated to numerous other file servers on the network. In the event of network degradation or failure (e.g., DoS attack, system crash, system overload, virus or worm infection), the object would be available elsewhere transparently to users. A file-system API would ride on top of DHT and automatically move data back and forth to files based on information DHT provides to the API.

This new type of network would be self-configuring and would automatically incorporate new network nodes without manual intervention. Systems (e.g., file servers) could join or drop off the network without significantly affecting overall network operation. If a malicious user or file server were to participate in the network, that user's activities could be minimized to prevent security problems (though computer scientists are still considering how to minimize those activities).

According to a proposal that discusses the new technology (see the URL below), "In general, DHTs will be used to organize complex structures consisting of related objects. Thus a key concern is the ability to provide verifiable inter-object references, perhaps analogous to secure links between web pages. A simple example involves naming an object using a cryptographic hash of its content, an idea that fits well with DHTs. More difficult challenges include mutable objects; objects that more than one user can change; verifying that the freshest version of an object has been obtained; and verifying that a particular set of objects consists of consistent versions. Initial work by the [program interfaces] in these areas include self-certifying pathnames for mutable data and techniques to ensure consistent and correct mutable file systems in the face of malicious file servers."
http://iris.lcs.mit.edu/proposal.html

DHT isn't a new concept, but it hasn't been brought into mainstream business use. In the past, MIT computer scientists have outlined and discussed some of the security risks involved with P2P digital hash tables. According to Emil Sit and Robert Morris (see the URL below), the risks include incorrect routing lookups, incorrect routing updates, new network nodes being cross connected to a malicious parallel network, storage and retrieval attacks, inconsistent node behavior, unsolicited network traffic, and more.
http://www.cs.rice.edu/Conferences/IPTPS02/173.pdf

The IRIS project must address these problems and many others before a new infrastructure can perform as promised. But the proposed system could act as a secure storage system for the Internet and could help users (e.g., businesses, government) mitigate the many nuisances we experience today. For more information about this new infrastructure design, visit the IRIS Web site (see the first URL below). The IRIS Web site also lists similar and related projects, including a Microsoft research project called Farsite (see the second URL below).
http://iris.lcs.mit.edu/projects.html
http://www.research.microsoft.com/sn/farsite

SPONSOR: NETWORKING UPDATE EMAIL NEWSLETTER

NEW! NEWS, TIPS, AND MORE TO KEEP YOUR NETWORK HUMMING
Networking UPDATE brings you the how-to tips and news you need to implement and maintain a rock-solid networking infrastructure. We'll explore interoperability solutions, hardware (including servers, routers, and switches), network architecture, network management, network security, installation technology, network training, and WAN disaster recovery. Subscribe (at no cost!) at:
http://www.winnetmag.com/email

2. SECURITY RISKS

(contributed by Ken Pfeil, [email protected])

A buffer-overrun vulnerability exists in the SmartHTML Interpreter (shtml.dll), which ships as part of the Microsoft FrontPage Server Extensions (FPSE) package. The vulnerability affects the two versions, FPSE 2002 and FPSE 2000, differently. Microsoft has released Security Bulletin MS02-053 (Buffer Overrun in SmartHTML Interpreter Could Allow Code Execution) to address these vulnerabilities. Be sure to read the bulletin (linked from the page listed below), and consider applying the appropriate patch mentioned in the bulletin.
http://www.secadministrator.com/articles/index.cfm?articleid=26819

3. ANNOUNCEMENTS

(brought to you by Windows & .NET Magazine and its partners)

Windows & .NET Magazine Network Road Show 2002 is coming this October to New York, Chicago, Denver, and San Francisco! Industry experts Mark Minasi and Paul Thurrott will show you how to shore up your system's security and what desktop security features are planned for Microsoft .NET and beyond. Sponsored by NetIQ, Microsoft, and Trend Micro. Registration is free, but space is limited so sign up now!
http://www.winnetmag.com/seminars/roadshow

Microsoft’s premier European conference for planning, deploying, and managing a connected infrastructure. Learn how to fully optimize the Microsoft Server Platform, including Windows .NET Servers, Active Directory, ISA, SharePoint Portal Server, SMS, and MOM. Topics include administration, management, planning, deployment, messaging, security, integration, and much more. Register now and save 300 euros!
http://www.microsoft.com/europe/itforum

4. SECURITY ROUNDUP

The new Kerberos delegation features that Microsoft has embedded in Windows .NET Server (Win.NET Server) 2003 make Kerberos an even better choice for user authentication in a Windows environment. (A basic understanding of the Kerberos authentication protocol will help as you read about Win.NET Server's Kerberos implementation.
http://www.secadministrator.com/articles/index.cfm?articleid=26450

Closing backup windows is one of the most difficult and overlooked challenges you face as a database administrator. On one hand, the window of time you have to perform a backup is shrinking. Databases are growing larger even as availability demands increase, leaving you with precious few minutes to back up your critical data. On the other hand, you need to make sure that your backup is secure, closing all inappropriate access paths. Read Michael Otey's article about Backup Windows on our Web site.
http://www.secadministrator.com/articles/index.cfm?articleid=26436

5. HOT RELEASES (ADVERTISEMENT)

Aelita InTrust(tm) closes the gap between policy and IT infrastructure, simplifying your regulatory compliance efforts. HIPAA? Gramm-Leach-Bliley? BS7799/ISO17799? Let Aelita provide your compliance solution. Start with our FREE security assessment tool: Aelita InTrust Audit Advisor!
http://www.aelita.com/update1002

6. INSTANT POLL

The voting has closed in Windows & .NET Magazine's Security Administrator Channel nonscientific Instant Poll for the question, "Do you think that your organization's network is more secure or less secure than it was a year ago?" Here are the results (+/- 2 percent) from the 215 votes:

The next Instant Poll question is, "Do you use Snort to implement an Intrusion Detection System (IDS) on your network?" Go to the Security Administrator Channel home page and submit your vote for a) Yes, or b) No.
http://www.secadministrator.com

7. SECURITY TOOLKIT

Panda Software and the Windows & .NET Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security.
http://www.secadministrator.com/panda

(contributed by John Savill, http://www.windows2000faq.com)

A.Office XP can display HTTP images, which might let the hosting site track the image download. Authors have been known to place hidden HTTP images in a document to let them track the reading of a document. To disable the loading of HTTP-linked images in Word, perform the following steps:

To reenable HTTP-linked images, either delete the BlockHTTPImages registry value or set it to 0. To test whether you can view HTTP-linked images, download the testhttpimage.doc from the link below. If you can see the ntfaq.com link image in that .doc file, then you can download HTTP images.
http://www.windows2000faq.com/content/content/26865/testhttpimage.doc

8. NEW AND IMPROVED

(contributed by Judy Drennen, [email protected])

Symantec released Norton AntiVirus 2003, antivirus software that removes most malicious code automatically, protects email messages and Instant Messaging (IM) attachments, and keeps virus definitions up-to-date without requiring user intervention. Norton AntiVirus 2003 runs on Windows XP, Windows 2000, Windows Me, and Windows 98 and costs $49.95 ($69.95 for the Professional Edition). Contact Symantec at the Web site.
http://www.symantec.com

WatchGuard announced Firebox SOHO 6, Firebox SOHO 6tc, and Firebox SOHO 6tc (50-User version) firewall appliances. These new small office/home office (SOHO) models integrate WatchGuard's proven SOHO security features with a new custom-built high-performance hardware platform that delivers 75Mbps firewall and 20Mbps VPN throughputs. The list price for the Firebox SOHO 6 is $469; the list price for the Firebox SOHO 6tc is $629; and the list price for the SOHO 6tc 50-User version is $899. The products will be available by year-end. Contact WatchGuard at 800-734-9905 or [email protected].
http://www.watchguard.com

Have you used a product that changed your IT experience by saving you time or easing your daily burden? Do you know of a terrific product that others should know about? Tell us! We want to write about the product in a future What's Hot column. Send your product suggestions to [email protected].

9. HOT THREADS

http://www.winnetmag.com/forums

(Two messages in this thread)

One user's company recently upgraded a server to Windows 2000 Advanced Server. During the process, staff members created a new domain controller (DC), which he calls DC101.com for the purposes of this explanation. This server is the only DC running Active Directory (AD), and it connects to the Internet. He discovered that someone had already registered a DC101.com domain.

By accident, he pinged a machine in his company, which is in New York City, and it resolved to an unknown IP address. He found that the unknown Address was in London (the network of the already registered DC101.com domain).

Upon further investigation, he noticed that the London server was attempting to access the TCP ports on his server. Can he solve the problems this scenario contains? What are the implications if he doesn't change his internal domain name? Read the responses or lend a hand:
http://www.winnetmag.com/forums/rd.cfm?cid=42&tid=46958

(Three messages in this thread)

A user recently found a lot of audit failure events on her Web Server, which runs Windows 2000 Service Pack 3 (SP3) with Microsoft Internet Information Services (IIS) 5.0 and all the most recent security patches. Based on the event log, she can see that an intruder tried to log on with some of the organization's local user accounts. She wonders how the intruder might have discovered the local user account names. Read the responses or lend a hand at the following URL:
http://63.88.172.96/listserv/page_listserv.asp?A2=IND0209D&L=HOWTO&P=253

10. CONTACT US

Here's how to reach us with your comments and questions:

(please mention the newsletter name in the subject line)

This email newsletter is brought to you by Security Administrator, the print newsletter with independent, impartial advice for IT administrators securing a Windows 2000/Windows NT enterprise. Subscribe today!
http://www.secadministrator.com/sub.cfm?code=saei25xxup

Receive the latest information about the Windows and .NET topics of your choice. Subscribe to our other FREE email newsletters.
http://www.winnetmag.net/email

Thank you for reading Security UPDATE.