Information Security News mailing list archives

Security UPDATE, November 13, 2002


From: InfoSec News <isn () c4i org>
Date: Thu, 14 Nov 2002 01:35:56 -0600 (CST)

********************
Windows & .NET Magazine Security UPDATE--brought to you by Security
Administrator, a print newsletter bringing you practical, how-to
articles about securing your Windows .NET Server, Windows 2000, and
Windows NT systems.
   http://www.secadministrator.com
********************

~~~~ THIS ISSUE SPONSORED BY ~~~~

FREE Security Assessment Tool!
   http://list.winnetmag.com/cgi-bin3/flo?y=eOR10CJgSH0CBw06GA0Aw

Tips & Tricks Web Summit
   http://list.winnetmag.com/cgi-bin3/flo?y=eOR10CJgSH0CBw05nz0AX
   (below IN FOCUS)

~~~~~~~~~~~~~~~~~~~~

~~~~ SPONSOR: FREE SECURITY ASSESSMENT TOOL! ~~~~
   Do you comply with industry security regulations or corporate
security policies? Download the FREE Aelita InTrust(tm) Audit Advisor
to identify systems that are not compliant with industry standard
security policies, such as those published by SANS and the NSA, or
your company specific policies. Then check out Aelita InTrust to
consolidate IT audit data and produce compliance reports for industry
regulations and policies.  Download your FREE tool today!
   http://list.winnetmag.com/cgi-bin3/flo?y=eOR10CJgSH0CBw06GA0Aw
~~~~~~~~~~~~~~~~~~~~

November 13, 2002--In this issue:

1. IN FOCUS
     - Security Assertion Markup Language

2. SECURITY RISKS
     - Buffer-Overrun Vulnerability in Oracle iSQL
     - DoS in Microsoft Windows XP and Win2K PPTP
     - Multiple Vulnerabilities in Microsoft IIS 5.1, 5.0, and 4.0

3. ANNOUNCEMENTS
     - How Can You Reclaim 30% to 50% of Windows Server Space?
     - Give Us Your Feedback and Be Entered to Win a Digital Camera

4. SECURITY ROUNDUP
     - News: Common Criteria Configuration Guides for Win2K
     - Feature: EventComb: It's Free; It's Essential; Get It!
     - Fire & Water Toolkit Beta Available

5. HOT RELEASES (ADVERTISEMENTS)
     - Focus your IT resources
     - Test Your Web Applications for Security Flaws!

6. INSTANT POLL
     - Results of Previous Poll: Reading the EULA
     - New Instant Poll: Using SAML

7. SECURITY TOOLKIT
     - Virus Center
     - FAQ: How Can I Clear My Customized Folder Settings in Windows
       XP?

8. NEW AND IMPROVED
     - User-Friendly Finger Image Reader
     - Security Solution for Network Clients and Remote Users
     - Submit Top Product Ideas
 
9. HOT THREADS
     - Windows & .NET Magazine Online Forums
         - Featured Thread: Securing Servers Under Insecure Conditions
     - HowTo Mailing List
         - Featured Thread: Promoting a DC
 
10. CONTACT US
   See this section for a list of ways to contact us.

~~~~~~~~~~~~~~~~~~~~

1. ==== IN FOCUS ====
   (contributed by Mark Joseph Edwards, News Editor,
mark () ntsecurity net)

* SECURITY ASSERTION MARKUP LANGUAGE

Last week, the Organization for the Advancement of Structured
Information Standards (OASIS) approved the new Security Assertion
Markup Language (SAML), which has been in development for some time.
SAML uses XML to enable new Web-based security functions that
interoperate across different Web sites, which will help create
federated networks.
   http://www.oasis-open.org/committees/security

In April 2002, Microsoft, IBM, and VeriSign announced Web Services
Security (WS-Security), and in the June 12, 2002, Security UPDATE
commentary, I discussed WS-Security to some extent (see the first URL
below). The specification will support many types of credential
information, including Kerberos, public key infrastructure (PKI),
Extensible Rights Markup Language (XrML), SAML, and Secure Sockets
Layer (SSL)/Transport Layer Security (TLS). Sun Microsystems also
announced Liberty Alliance, its effort to help develop federated
network technology.
   http://www.secadministrator.com/articles/index.cfm?articleid=25593
   http://www.ws-i.org

According to James Kobielus, senior analyst at Burton Group, "SAML 1.0
supports secure interchange of authentication and authorization
information by leveraging the core Web services standards of
Extensible Markup Language (XML), Simple Object Access Protocol
(SOAP), and Transport Layer Security (TLS). Most vendors of Web access
management solutions have committed to SAML 1.0 and are currently
implementing the specification in their products."
   http://www.oasis-open.org/news/oasis_news_11_06_02.shtml

Joe Pato of Hewlett-Packard (HP), co-chair of the OASIS Security
Services Technical Committee, said that a major SAML design goal was
single sign-on (SSO) capabilities, which would let users authenticate
in one domain and access resources in another domain. SAML 1.0
includes that capability. In addition, according to Pato, "Several
profiles of SAML are currently being defined that support different
styles of SSO and the securing of SOAP payloads."

If you're completely unfamiliar with WS-Security, read Christa
Anderson's summary of the technology, which helps explain what it is
and what it can do. You'll find her article, "WS-Security Sets
Standard for Web Services Transactions" at the URL below.
   http://www.secadministrator.com/articles/index.cfm?articleid=24401

If you're a Web developer or you administer Web server security, you
might be interested in reading about SAML assertions and protocols.
The document you'll find at the first URL below outlines the syntax
and semantics. Another specification document can help you obtain a
better understanding of how SAML works with WS-Security. That document
(see the second URL below) describes how to use WS-Security headers to
securely add SAML assertions.
   http://www.oasis-open.org/committees/security/docs/cs-sstc-core-01.pdf
   http://www.oasis-open.org/committees/security/docs/draft-sstc-ws-sec-profile-04.pdf

But there's a catch regarding Microsoft's implementation of SAML. In
July, "Network World Fusion" (see the first URL below) reported that
Microsoft is implementing SAML 1.0, but only to a limited extent. In
the article, Kobielus said, "[Microsoft is] not implementing the full
suite of SAML assertions and profiles the way others are ... At some
point you have to ask what is the purpose, if Microsoft is going to do
it their own way." The article points out that Microsoft used the same
tactic when the company implemented Kerberos in Windows 2000. To learn
more about how Microsoft implements SAML, be sure to read the related
Microsoft document, "WS-Security Profile for XML-based Tokens," on the
Microsoft Web site (see the second URL below).
   http://www.nwfusion.com/news/2002/0716msla.html
   http://msdn.microsoft.com/library/en-us/dnglobspec/html/ws-security-xml-tokens.asp

According to OASIS, Baltimore Technologies, BEA Systems, Computer
Associates (CA), Entrust, HP, Hitachi, IBM, Netegrity, Oblix,
OpenNetwork, Quadrasis, RSA Security, Sun, VeriSign, and other members
of the OASIS Security Services Technical Committee developed the SAML
OASIS Open Standard.

Many vendors support SAML, and some of you might have begun using the
technology before its official approval. Please participate in our
Instant Poll this week and tell us whether you use SAML or some other
credential technology for your Web applications.

~~~~~~~~~~~~~~~~~~~~

~~~~ SPONSOR: TIPS & TRICKS WEB SUMMIT ~~~~
   ATTEND OUR FREE TIPS & TRICKS WEB SUMMIT
   Join us on December 19th for our Tips & Tricks Web Summit featuring
three eye-opening events: Disaster Recovery Tips & Tricks, Intrusion
Detection: Win2K Security Log Secrets, and Merging Exchange Systems:
Tips for Managing 5 Key Challenges. There is no charge for this event,
but space is limited so register today!
   http://list.winnetmag.com/cgi-bin3/flo?y=eOR10CJgSH0CBw05nz0AX
~~~~~~~~~~~~~~~~~~~~

2. ==== SECURITY RISKS ====
   (contributed by Ken Pfeil, ken () winnetmag com)

* BUFFER-OVERRUN VULNERABILITY IN ORACLE ISQL
   A vulnerability exists in Oracle's iSQL*Plus Web-based application
that lets an attacker compromise the vulnerable system and obtain
system-level access. This vulnerability stems from a buffer-overflow
condition in the iSQL application. The vendor, Oracle, has released
Security Alert #46 to address this vulnerability and recommends that
affected users apply the appropriate patch mentioned in Oracle's
alert.
   http://www.secadministrator.com/articles/index.cfm?articleid=27240

* DoS IN MICROSOFT WINDOWS XP AND WIN2K PPTP
   A Denial of Service (DoS) vulnerability exists in Windows XP and
Windows 2000 PPTP. This DoS vulnerability results from an unchecked
buffer in a section of code that processes the control data used to
establish, maintain, and tear down PPTP connections. The vendor,
Microsoft, has released Security Bulletin MS02-063 (Unchecked Buffer
in PPTP Implementation Could Enable Denial of Service Attacks) to
address this vulnerability and recommends that affected users apply
the appropriate patch mentioned in the bulletin.
   http://www.secadministrator.com/articles/index.cfm?articleid=27227

* MULTIPLE VULNERABILITIES IN MICROSOFT IIS 5.1, 5.0, AND 4.0
   Four new vulnerabilities exist in Microsoft IIS. The most serious
problem lets an attacker escalate privileges. Another problem results
in a Denial of Service (DoS) condition on the vulnerable server. The
vendor, Microsoft, has released Security Bulletin MS02-062 (Cumulative
Patch for Internet Information Service) to address these
vulnerabilities and recommends that affected users apply the
appropriate patch mentioned in the bulletin. This patch is cumulative
and addresses all previously discovered vulnerabilities.
   http://www.secadministrator.com/articles/index.cfm?articleid=27228

3. ==== ANNOUNCEMENTS ====
   (brought to you by Windows & .NET Magazine and its partners)

* HOW CAN YOU RECLAIM 30% TO 50% OF WINDOWS SERVER SPACE?
   Attend our newest Web seminar, brought to you by Windows & .NET
Magazine and Precise SRM, and discover the secrets. Steven Toole will
also advise you on how to reduce storage growth and backups by 30% and
how to reduce storage administration by 25% or more. Space is limited
for this important Web event, so register today!
   http://list.winnetmag.com/cgi-bin3/flo?y=eOR10CJgSH0CBw06A10Aa

* GIVE US YOUR FEEDBACK AND BE ENTERED TO WIN A DIGITAL CAMERA
   Internet filtering is becoming a financial and legal concern for
companies of all sizes. Complete our brief survey about the topic and
you could win a digital camera. Click here!
   http://list.winnetmag.com/cgi-bin3/flo?y=eOR10CJgSH0CBw05zl0AV

4. ==== SECURITY ROUNDUP ====

* NEWS: COMMON CRITERIA CONFIGURATION GUIDES FOR WIN2K
   In conjunction with the announcement that Windows 2000 received the
highest security certification level available to an OS, Microsoft
released two new guides, the "Common Criteria Evaluated Configuration
User's Guide," and the "Common Criteria Evaluated Configuration
Administrator's Guide," which help people configure the OS securely.
   http://www.secadministrator.com/articles/index.cfm?articleid=27178

* FEATURE: EVENTCOMB: IT'S FREE; IT'S ESSENTIAL; GET IT!
   EventComb is a new free tool from Microsoft that lets you search
event logs for specific information. EventComb is part of a Microsoft
document called "Security Operations Guide for Windows 2000 Server."
To obtain EventComb, you need to go to Microsoft's Web site (the URL
is linked in this article) and download secops.exe. When you run
secops.exe, the program creates a folder called SecurityOps. Within
SecurityOps is a folder named EventComb, which contains a compiled
HTML Help file and the EventComb program.
   http://www.secadministrator.com/articles/index.cfm?articleid=27132

* NEWS: FIRE & WATER TOOLKIT BETA AVAILABLE
   NTObjectives (NTO) announced that its new Fire & Water Toolkit is
now available for public beta. The toolkit is an assessment and
defense tool that you can use on local and remote networks. NTO said,
"Fire & Water is a collection of cohesive, interactive command-line
tools that perform network discovery, mapping, assessment, and
reporting, as well as robust Web server defense." By using XML output
interactively, Fire & Water can effectively manage multiple scans and
their resulting output through standard output in the command line,
Comma Separated Value (CSV), and HTML reports (created through
Extensible Style Language--XSL templates provided with the tools) or
through custom report formats.
   http://www.secadministrator.com/articles/index.cfm?articleid=27273

5. ==== HOT RELEASES (ADVERTISEMENTS) ====

* FOCUS YOUR IT RESOURCES
   Learn how better infrastructure management practices can speed the
integration of e-business enterprises, while providing assurance of
continuous availability, flexibility and scalability. Get the IBM
white paper, "Infrastructure Resource Management: A Holistic
Approach," at
   http://www.ibm.com/e-business/playtowin/n339

* TEST YOUR WEB APPLICATIONS FOR SECURITY FLAWS!
   ALERT! "Outsmart Web Application Attackers"
   75% of today's successful hacks involve Web Application attacks
such as SQL Injection and Cross-Site Scripting. All undetectable by
Firewalls and IDS!
   FREE 15 Day Product Trial which delivers a Comprehensive
Vulnerability Report
   http://list.winnetmag.com/cgi-bin3/flo?y=eOR10CJgSH0CBw06GB0Ax

6. ==== INSTANT POLL ====
 
* RESULTS OF PREVIOUS POLL: READING THE EULA
   The voting has closed in Windows & .NET Magazine's Security
Administrator Channel nonscientific Instant Poll for the question, "Do
you read the End User License Agreement (EULA) before you install new
software?" Here are the results (+/- 2 percent) from the 540 votes:
   -  3% Always
   - 19% Sometimes
   - 31% Rarely
   - 46% Never
 
* NEW INSTANT POLL: USING SAML
   The next Instant Poll question is, "Do you use Security Assertion
Markup Language (SAML) for security in your Web applications?" Go to
the Security Administrator Channel home page and submit your vote for
a) Yes, b) No, c) Not yet, but we will, d) No--We use Extensible
Rights Markup Language (XrML), and e) No--We use other security
technology.
   http://www.secadministrator.com

7. ==== SECURITY TOOLKIT ====

* VIRUS CENTER
   Panda Software and the Windows & .NET Magazine Network have teamed
to bring you the Center for Virus Control. Visit the site often to
remain informed about the latest threats to your system security.
   http://www.secadministrator.com/panda

* FAQ: HOW CAN I CLEAR MY CUSTOMIZED FOLDER SETTINGS IN WINDOWS XP?
   (contributed by John Savill, http://www.windows2000faq.com)

A. To clear any customized folder settings, perform the following
steps:
   1. Start a registry editor (e.g., regedit.exe).
   2. Navigate to the
HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell registry subkey.
   3. Delete the Bags and BagMRU subkeys.
   4. Navigate to the
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam registry
subkey.
   5. Delete the Bags and BagMRU subkeys.
   6. Close the registry editor, then reboot the machine for the
changes to take effect.
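The same procedure as a script, added here as an example rather than taken from the FAQ: it handles both the Shell and ShellNoRoam keys, skips subkeys that do not exist, and exports each subkey with reg.exe before deleting it, because these Bags and BagMRU subkeys are also the "ShellBag" records that forensic examiners use to reconstruct which folders a user opened, so a backup is worth keeping. The backup folder name is an assumption.

```powershell
# Added example (not the FAQ's own code): clear customized folder view
# settings by deleting the Bags and BagMRU subkeys under Shell and
# ShellNoRoam, after exporting each one to a .reg file so the change can
# be undone. Run as the affected user, then reboot or sign out.
$backupDir = Join-Path $env:USERPROFILE 'shellbag-backup'   # assumed location
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

$parents = @(
    'HKCU:\Software\Microsoft\Windows\Shell',
    'HKCU:\Software\Microsoft\Windows\ShellNoRoam'
)

foreach ($parent in $parents) {
    foreach ($name in 'Bags', 'BagMRU') {
        $key = Join-Path $parent $name
        if (-not (Test-Path $key)) {
            Write-Host "Not present, skipping: $key"
            continue
        }
        # reg.exe expects HKCU\... rather than the HKCU:\ PSDrive form
        $regPath = $key -replace '^HKCU:\\', 'HKCU\'
        $backup  = Join-Path $backupDir ("{0}-{1}.reg" -f $parent.Split('\')[-1], $name)
        reg.exe export $regPath $backup /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Backup failed for $key; not deleting it" }
        Remove-Item -Path $key -Recurse -Force
        Write-Host "Deleted $key (backup: $backup)"
    }
}
Write-Host 'Done. Reboot or sign out for the change to take effect.'
```

Restoring a backup later is a matter of double-clicking the exported .reg file or running reg.exe import on it.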

8. ==== NEW AND IMPROVED ====
   (contributed by Judy Drennen, products () winnetmag com)

* USER-FRIENDLY FINGER IMAGE READER
   Biometric Access Corporation (BAC) announced a USB model of the
SecureTouch PC, the company's latest computer/network control product.
The USB model PC replaces its predecessor, the SecureTouch 2000. The
product secures employee workstations, protects patient health
records, grants access to transaction-authorization codes, clocks
in/out on time and attendance applications, and enables manager
override approvals on point-of-sale systems. SecureTouch PC runs on
Windows XP, Windows 2000, Windows NT, Windows Me, and Windows 9x.
Contact BAC for pricing information at 800-873-4133 or go to the Web
site for more information.
   http://www.biometricaccess.com

* SECURITY SOLUTION FOR NETWORK CLIENTS AND REMOTE USERS
   Symantec announced Symantec Client Security, an integrated security
solution for network clients and remote users. Symantec Client
Security integrates antivirus, personal firewall, and
intrusion-detection technologies to effectively protect desktops
against today's blended threats. To reduce administration time,
administrators can easily deploy Symantec Client Security by using one
of three prepackaged installations--full installation, lightly
managed, and thin client (the smallest possible footprint without
sacrificing protection). For pricing information, contact Symantec at
408-517-8000.
   http://www.symantec.com

* SUBMIT TOP PRODUCT IDEAS
   Have you used a product that changed your IT experience by saving
you time or easing your daily burden? Do you know of a terrific
product that others should know about? Tell us! We want to write about
the product in a future What's Hot column. Send your product
suggestions to whatshot () winnetmag com.

9. ==== HOT THREADS ====

* WINDOWS & .NET MAGAZINE ONLINE FORUMS
   http://www.winnetmag.com/forums

Featured Thread: Securing Servers Under Insecure Conditions
   (Eight messages in this thread)

A user writes that he has a client who has servers located in
facilities without locked rooms. Some of the servers run Windows NT
4.0 and some run Windows 2000. He wonders how to secure servers at
these sites when he can't physically lock the server in a room. Read
the responses or lend a hand at the following URL:
   http://www.winnetmag.com/forums/messageview.cfm?catid=42&threadid=49147

* HOWTO MAILING LIST
   http://63.88.172.96/listserv/page_listserv.asp?a0=howto

Featured Thread: Promoting a DC
   (Nine messages in this thread)

A user writes that he has two Windows 2000 servers. One of them is the
PDC and the other is a BDC. The PDC suffered a hard drive error. He
wonders how to promote the BDC to take the PDC's place. Because there
are no PDCs or BDCs in Win2K, you'll want to read what other users
have said or lend a hand at the following URL:
   http://63.88.172.96/listserv/page_listserv.asp?A2=IND0211A&L=HOWTO&P=1861

10. ==== CONTACT US ====
   Here's how to reach us with your comments and questions:

* ABOUT IN FOCUS -- mark () ntsecurity net

* ABOUT THE NEWSLETTER IN GENERAL -- letters () winnetmag com (please
mention the newsletter name in the subject line)

* TECHNICAL QUESTIONS -- http://www.winnetmag.com/forums

* PRODUCT NEWS -- products () winnetmag com

* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer
Support -- securityupdate () winnetmag com

* WANT TO SPONSOR SECURITY UPDATE? emedia_opps () winnetmag com

********************

   This email newsletter is brought to you by Security Administrator,
the print newsletter with independent, impartial advice for IT
administrators securing a Windows 2000/Windows NT enterprise.
Subscribe today!
   http://www.secadministrator.com/sub.cfm?code=saei25xxup

   Receive the latest information about the Windows and .NET topics of
your choice. Subscribe to our other FREE email newsletters.
   http://www.winnetmag.com/email

|-+-|-+-|-+-|-+-|-+-|

Thank you for reading Security UPDATE.

MANAGE YOUR ACCOUNT
   You can manage your entire Windows & .NET Magazine Network email
newsletter account on our Web site. Simply log on and you can change
your email address, update your profile information, and subscribe or
unsubscribe to any of our email newsletters all in one place.
   http://www.winnetmag.com/email

Thank you!



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.
