Security UPDATE, December 19, 2001

[InfoSec News <isn () c4i org>]

********************
Windows & .NET Magazine Security UPDATE--brought to you by Security
Administrator, a print newsletter bringing you practical, how-to
articles about securing your Windows .NET, 2000, and NT systems.
   http://www.secadministrator.com
********************

~~~~ THIS ISSUE SPONSORED BY ~~~~

Free WebTrends Firewall Suite Trial from NetIQ
http://lists.win2000mag.net/cgi-bin3/flo?y=eJpv0CJgSH0BVg0pYN0A3 

Lieberman & Associates--Shore Up Your Back Doors
   http://lists.win2000mag.net/cgi-bin3/flo?y=eJpv0CJgSH0BVg0pYO0A4 
   (below IN FOCUS)

~~~~~~~~~~~~~~~~~~~~

~~~~ SPONSOR: FREE WEBTRENDS FIREWALL SUITE TRIAL FROM NETIQ ~~~~
   Do you need to capture every move, incoming and outgoing, across 
your company's firewall? Then leave nothing to chance--download a FREE 
trial of WebTrends' award-winning Firewall Suite from NetIQ. Firewall 
Suite provides immediate alerts, identifies and reports on critical 
security events and generates more than 200 reports for IT managers and 
security professionals. It also provides support for more than 35 
leading firewall and proxy servers, including Check Point and Cisco. 
Download your free trial today at:
http://lists.win2000mag.net/cgi-bin3/flo?y=eJpv0CJgSH0BVg0pYN0A3 

********************

December 19, 2001--In this issue:

1. IN FOCUS
     - Office XP SP1: No More HTML Messages

2. SECURITY RISK
     - DoS in Win2K Internet Key Exchange
     
3. ANNOUNCEMENTS
     - Check Out the New WebSphere Professional Site!
     - What Does a Connected Home Look Like?

4. SECURITY ROUNDUP
     - News: A Quick Look at the First Office XP Service Pack
     - News: BlackICE Now Offers VPN Protection
     - News: Specially Formed Script in HTML Mail Can Execute in 
Exchange 5.5 OWA
     - Feature: Securing Exchange 2000 Servers

5. HOT RELEASE (ADVERTISEMENT)
     - Sponsored by VeriSign--The Value of Trust

6. SECURITY TOOLKIT
     - Virus Center
     - FAQ: How Can I Enable Users to Set the Administrator Password 
       During a Remote Installation Services Installation?

7. NEW AND IMPROVED
     - Security Partnership
     - Protect Your Password

8. HOT THREADS
     - Windows 2000 Magazine Online Forums
         - Featured Thread: To Whom Do I Report an Ongoing Attack?
     - HowTo Mailing List:
         - Featured Thread: How Can I Monitor Third-Party Email?

9. CONTACT US
   See this section for a list of ways to contact us.

~~~~~~~~~~~~~~~~~~~~

1. ==== IN FOCUS ====

[Editor's note: Windows 2000 Magazine has a new name: Windows & .NET 
Magazine. But, our mission hasn't changed: We're still providing 
technical, how-to content to help you do your job now--and help you 
make smart decisions about new technology for the future. We think the 
new name better conveys the scope of our coverage--we hope you think so 
too.]

* OFFICE XP SP1: NO MORE HTML MESSAGES

Hello everyone,

Are you using Microsoft Office XP 2002? If so, you'll want to read Paul 
Thurrott's article about Office XP Service Pack 1 (SP1). Thurrott spoke with 
Office XP Product Manager Nicole von Kaenel about some of the changes 
and improvements SP1 offers, including use of the suite's error-
feedback tool. You can find the story at the URL below.
   http://www.secadministrator.com/articles/index.cfm?articleid=23525

SP1 also includes all of the previous Office suite security fixes, and 
future suite updates will depend on this service pack already being 
installed, so be sure to consider loading it (first URL below). You can 
read Paul's original story about the service pack on our WinInfo Web 
site (second URL below). 
   http://support.microsoft.com/default.aspx?scid=kb;en-us;q307841
   http://www.wininformant.com/articles/index.cfm?articleid=23492

One slick feature of SP1 is its ability to read nonsecure email as 
plain text. As you'll learn in Microsoft article Q307594, by adjusting 
an Outlook-related registry key, all nondigitally-signed email and 
nonencrypted email will appear in plain text whether the message is 
opened separately or displayed in the preview pane. Individual users 
can use the feature, and administrators can set policies for Outlook 
2002 that apply across the enterprise.
   http://support.microsoft.com/default.aspx?scid=kb;en-us;Q307594

On December 4, I wrote a news story about Russ Cooper's NoHTML tool 
(first URL below) for Outlook 2002 and Outlook 2000 clients. The new 
functionality in SP1 goes beyond the capability Cooper introduced; 
however, SP1 contains no such feature for Outlook 2000 clients, so 
Cooper's tool is a great way to introduce more security into those 
products. You can find the tool by going to the second URL below.
   http://www.secadministrator.com/articles/index.cfm?articleid=23391   
   http://ntbugtraq.ntadvice.com/default.asp?sid=1&pid=55&did=38

This week, I learned about a new Java-based packet sniffer and analyzer 
called Mognet, which is free and comes complete with source code. It 
runs on handheld devices or on desktops and is available under the GNU 
General Public License (GPL). 
   http://chocobospore.org/mognet

Until the next issue, on January 2, have a great holiday.

Mark Joseph Edwards, News Editor, mark () ntsecurity net

********************

~~~~ SPONSOR: LIEBERMAN & ASSOCIATES--SHORE UP YOUR BACK DOORS ~~~~
   THE NEW YEAR IS KNOCKING! Use your year-end budget dollars for 
management tools you have always wanted. With Service Account Manager 
you can report and change service settings on all your servers in 
seconds. With User Manager Pro you can make the same changes to all 
your workstations in a few mouse clicks. Get the award winning tools 
you've been waiting for all year. Year-end discounts through December 
31. Microsoft Gold Certified FREE TRIAL at 
http://lists.win2000mag.net/cgi-bin3/flo?y=eJpv0CJgSH0BVg0pYO0A4 

2. ==== SECURITY RISK ====

* DOS IN WIN2K INTERNET KEY EXCHANGE
   A Denial of Service (DoS) condition exists in Microsoft Windows 2000 
Internet Key (IKE) Exchange Service. If an attacker connects to a Win2K 
system on port 500 and floods the service with UDP packets of 800 bytes 
or greater, the system stops responding. Microsoft has not released a 
fix or workaround for this problem. As a temporary workaround, affected 
users who aren't using IP Security (IPSec) in their Win2K firewall can 
turn off port 500.
   http://www.secadministrator.com/articles/index.cfm?articleid=23515

3. ==== ANNOUNCEMENTS ====

* CHECK OUT THE NEW WEBSPHERE PROFESSIONAL SITE!
   Look to this great new site for invaluable resources, such as our V4 
Portal, which brings you fast, in-depth information about V4, the 
WebSphere Road Map that will help you get started, DocFinder for help 
finding IBM WebSphere reference materials, and forums for your 
questions and comments. While you're there, sign up for FREE email 
newsletters with news you can use!
   http://www.webspherepro.com

* WHAT DOES A CONNECTED HOME LOOK LIKE?
   You've never seen anything like the Connected Home Magazine Virtual 
Tour. Experience (room by room) the latest home entertainment, home 
networking, and home automation options that are going to change how 
you work and play. While you're there, enter to win a free copy of 
Windows XP!
   http://www.connectedhomemag.com/virtualtour

4. ==== SECURITY ROUNDUP ====

* NEWS: A QUICK LOOK AT THE FIRST OFFICE XP SERVICE PACK
   Microsoft expects last week's Office XP Service Pack 1 (SP1) release 
to usher in a new era of corporate adoptions of the product because 
many organizations wait for the first consolidated update package 
before upgrading. In this case, that expectation is probably warranted: 
In addition to focusing on the three general areas of security, 
stability, and performance, Office XP SP1 includes a number of Windows 
XP-specific performance improvements that let the two systems work more 
efficiently together. Paul Thurrott spoke with Office XP product 
manager Nicole von Kaenel about the release (see URL below).
   http://www.secadministrator.com/articles/index.cfm?articleid=23525

* NEWS: BLACKICE NOW OFFERS VPN PROTECTION
   Internet Security Systems (ISS) announced BlackICE Agent for 
Workstations 3.1, a combination firewall and Intrusion Detection System 
(IDS) that analyzes network activity on servers, workstations, and 
network segments that VPN connections use. The product can protect 
mobile users, remote users, and systems inside a network perimeter. 
Learn more about the new version at the following URL.
   http://www.secadministrator.com/articles/index.cfm?articleid=23466

* NEWS: SPECIALLY FORMED SCRIPT IN HTML MAIL CAN EXECUTE IN EXCHANGE 
5.5 OWA
   Microsoft released a patch for Exchange Server 5.5 to fix an Outlook 
Web Access (OWA) problem in which special script in an HTML-format 
message could execute and perform operations on the user's Exchange 
mailbox when the user opens the message. This patch is suitable only 
for OWA servers running Internet Explorer (IE) 5.0 or later. Because no 
full set of security patches exists for IE 5.0, Microsoft recommends 
that companies with earlier versions of IE upgrade their OWA servers to 
either IE 5.5 Service Pack 2 (SP2) or IE 6.0.
   http://www.microsoft.com/technet/security/bulletin/ms01-057.asp

* FEATURE: SECURING EXCHANGE 2000 SERVERS
   In this feature article for Exchange and Outlook UPDATE, Tony 
Redmond discusses techniques that can help you better secure your 
Microsoft Exchange Servers. Be sure to stop by our Web site and check 
it out!
   http://www.secadministrator.com/articles/index.cfm?articleid=23516

5. ==== HOT RELEASE (ADVERTISEMENT) ====

* SPONSORED BY VERISIGN -- THE VALUE OF TRUST
   Secure your servers with 128-bit SSL encryption! Grab your copy of 
VeriSign's FREE Guide, "Securing Your Web Site for Business," and learn 
about using SSL to encrypt e-commerce transactions. Get it now!
   http://lists.win2000mag.net/cgi-bin3/flo?y=eJpv0CJgSH0BVg0Lo50AP 

6. ==== SECURITY TOOLKIT ====

* VIRUS CENTER
   Panda Software and the Windows 2000 Magazine Network have teamed to 
bring you the Center for Virus Control. Visit the site often to remain 
informed about the latest threats to your system security.
   http://www.secadministrator.com/panda

* FAQ: HOW CAN I ENABLE USERS TO SET THE ADMINISTRATOR PASSWORD DURING 
A REMOTE INSTALLATION SERVICES INSTALLATION?
   ( contributed by John Savill, http://www.windows2000faq.com )

A. When you use the Microsoft Remote Installation Services (RIS), by 
default the Administrator password is set to null (blank) during the 
installation. You can, however, let the user set a password during the 
final GUI portion of installation by following these steps: 

On the RIS server, open the .sif file of the installation you want to 
modify. By default, this file is in the 
RemoteInstall\Setup\[language]\Images\[folder name]\I386\Templates 
folder with a name of ristndrd.sif. 

Go to the [GuiUnattended] section of the .sif file, and find the 
following line:

   AdminPassword = * 

   Change this line to read as follows:

   AdminPassword = "" 

   Save the change. 

During installation, the system will prompt the user to type an 
Administrator password. You should test this change to ensure that it 
works correctly.

As a side note, instead of "" you could type a password (e.g., 
AdminPassword = "fred"), which sets the Administrator password to the 
password you specify and doesn't prompt the user. However, this 
password travels as clear text, so I don't recommend this approach.

The Microsoft Windows 2000 Server Resource Kit describes another 
option: You can use a Custom Installation Wizard and let the user type 
in a password. However, this approach is quite complex.

7. ==== NEW AND IMPROVED ====
   (contributed by Scott Firestone, IV, products () winnetmag com)

* SECURITY PARTNERSHIP
   Symantec and TruSecure announced a partnership that lets Symantec 
Security Services use the TruSecure Service Provider 2001 service to 
certify the security position of its Security Operations Centers. 
Symantec Security Services will offer its customers the TruSecure 2001 
service, which provides a process for managing information security 
risks. TruSecure will also utilize NetRecon, Symantec's vulnerability 
assessment tool, as part of its security assurance services. Contact 
Symantec at 408-517-8000.
   http://www.symantec.com

* PROTECT YOUR PASSWORD
   SSH Communications Security released SSH Secure Shell 3.1, software 
that protects you from people who try to steal passwords from the 
Internet. The software supports Online Certificate Status Protocol for 
improved security through realtime verification of a certificate's 
validity. The new version also supports Secure File Transfer Protocol 
event logging at the server end, enabling recording of user actions for 
improved security. Pricing starts at $99 per workstation license, $475 
per UNIX server license, and $565 per Windows server license. Contact 
SSH Communications Security at 650-251-2700.
   http://www.ssh.com

8. ==== HOT THREADS ====

* WINDOWS 2000 MAGAZINE ONLINE FORUMS
   http://www.winnetmag.net/forums 

Featured Thread: To Whom Do I Report an Ongoing Attack? 
   (Four messages in this thread)
   
Our server was hit earlier this year with the Code Red worm. I applied 
all the recommended security fixes. However, our server continues to log 
ongoing probes from changing IP addresses in the Web service log.  
   
Every day we get hits searching for root.exe and cmd.exe in different 
directories. Currently, I manually enter all originating IP addresses in 
the "Excluded Computer" property sheet in the Directory Security tab. 
However, I want to track down the perpetrators and stop the probes. The 
machine is running an intranet site and needs to be connected so 
employees in different states can access it. 
   
Is there any law enforcement entity or other agency that can help? Can 
you help? Read the responses or lend a hand at the 
following URL:
   http://www.secadministrator.com/forums/thread.cfm?thread_id=87730

* HOWTO MAILING LIST
   http://www.secadministrator.com/listserv/page_listserv.asp?s=howto

Featured Thread: How Can I Monitor Third-Party Email? 
   (Six messages in this thread)

Sebastian wonders how a business can monitor the email messages that 
users send using third-party mail servers such as Hotmail and Yahoo. Can 
you help? Read the responses or lend a hand at the following URL:
http://63.88.172.96/listserv/page_listserv.asp?a2=ind0112b&L=howto&F=&S=&P=84

9. ==== CONTACT US ====
   Here's how to reach us with your comments and questions:

* ABOUT IN FOCUS -- mark () ntsecurity net

* ABOUT THE NEWSLETTER IN GENERAL -- mlibbey () winnetmag com (please
mention the newsletter name in the subject line)

* TECHNICAL QUESTIONS -- http://www.winnetmag.net/forums

* PRODUCT NEWS -- products () winnetmag com

* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer
Support -- securityupdate () winnetmag com

* WANT TO SPONSOR SECURITY UPDATE? emedia_opps () winnetmag com

********************

   Receive the latest information about the Windows and .NET topics of 
your choice. Subscribe to our other FREE email newsletters.
   http://www.winnetmag.net/email

|-+-+-+-+-+-+-+-+-+-| 

Thank you for reading Security UPDATE.

SUBSCRIBE
To subscribe, send a blank email to mailto:Security_UPDATE_Sub () lists win2000mag net.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.