Information Security News mailing list archives

Security UPDATE, January 1, 2003


From: InfoSec News <isn () c4i org>
Date: Thu, 2 Jan 2003 10:00:11 -0600 (CST)

********************
Windows & .NET Magazine Security UPDATE--brought to you by Security
Administrator, a print newsletter bringing you practical, how-to
articles about securing your Windows .NET Server, Windows 2000, and
Windows NT systems.
   http://www.secadministrator.com
********************

~~~~ THIS ISSUE SPONSORED BY ~~~~

Massive Workstation Security Hole...Ignored!
   http://list.winnetmag.com/cgi-bin3/flo?y=eO4O0CJgSH0CBw07DQ0AC

Windows & .NET Magazine - Exclusive Rate
   http://list.winnetmag.com/cgi-bin3/flo?y=eO4O0CJgSH0CBw07CT0AE
   (below IN FOCUS)

~~~~~~~~~~~~~~~~~~~~

~~~~ SPONSOR: MASSIVE WORKSTATION SECURITY HOLE...IGNORED! ~~~~
   In just a few minutes any of your domain users could become the
administrator of ALL your machines without your knowledge. A quick
search of Google.com for password crackers is all it takes. There is a
solution. Download our guide to plugging the DISTRIBUTED CREDENTIALS
FLAW in Windows.
   http://list.winnetmag.com/cgi-bin3/flo?y=eO4O0CJgSH0CBw07DQ0AC

~~~~~~~~~~~~~~~~~~~~

January 1, 2003--In this issue:

1. IN FOCUS
     - It's a Great Time to Check Your Security

2. SECURITY RISKS
     - Privilege Escalation in Microsoft WM_TIMER
     - Vulnerability in Microsoft SMB
     - Multiple Vulnerabilities in Microsoft VM

3. ANNOUNCEMENTS
     - The Microsoft Mobility Tour Is Coming Soon to a City Near You!
     - Get the New Windows & .NET Magazine Network Super CD/VIP!

4. SECURITY ROUNDUP
     - Feature: Security and Parameterization
     - Feature: CA Basics

5. SECURITY TOOLKIT
     - Virus Center
     - FAQ: How Can I Configure Microsoft's Secure Desktop Restriction
       Setting in Windows 2000 Service Pack 1 (SP1) and Later?

6. NEW AND IMPROVED
     - Maintenance-Free Spam Protection
     - Easily Set Up Remote Site Firewalls
     - Submit Top Product Ideas
 
7. HOT THREAD
     - Windows & .NET Magazine Online Forums
         - Featured Thread: Bypassing Proxy Servers

8. CONTACT US
   See this section for a list of ways to contact us.

~~~~~~~~~~~~~~~~~~~~

1. ==== IN FOCUS ====
   (contributed by Mark Joseph Edwards, News Editor,
mark () ntsecurity net)

* IT'S A GREAT TIME TO CHECK YOUR SECURITY

It's 2003, and you might want to start the new year by checking the
security of all your systems. Toward that effort, I've located several
security checklists to assist you. The checklists cover Windows XP;
Windows 2000; Windows NT; Microsoft IIS, SQL Server, Exchange Server,
and Internet Explorer (IE); various UNIX systems; and Apache. Keep in
mind that these are just a few of the many checklists available. To
find more, use your favorite search engine.

- Windows XP
   LabMice.net hosts a "Windows XP Security Checklist." The checklist
is divided into three categories: basic, intermediate, and advanced.
The items covered include user accounts, groups, passwords, hardware,
ports, shares, risky subsystems, and risky features.
   http://www.labmice.net/articles/winxpsecuritychecklist.htm

Microsoft also provides a security checklist for XP Home Edition and
XP Professional. According to the related TechNet Web page, the
checklists "outline the steps you should take to reach a baseline of
security with Windows XP Home Edition and Windows XP Professional
computers, either on their own or as part of a Windows NT or Windows
2000 domain." The checklists cover such matters as shares, policies,
and accounts and passwords.
   http://www.microsoft.com/technet/security/tools/chklist/xpcl.asp

- Win2K
   LabMice.net also hosts the "Windows 2000 Security Checklist," which
provides the same thorough coverage provided in the LabMice.net XP
security checklist.
   http://www.labmice.net/articles/securingwin2000.htm

Microsoft also provides checklists for Win2K Professional and Win2K
Server. The comprehensive lists are on the TechNet Web site.
   http://www.microsoft.com/technet/security/tools/chklist/w2kprocl.asp
   http://www.microsoft.com/technet/security/tools/chklist/w2ksvrcl.asp

- NT
   If you have NT systems on your network, check out the NT security
checklist that Windows IT Library hosts. Originally compiled by Rob
Davis with the help of several others, the checklist includes
information from Microsoft's Web site. The list addresses such
concerns as protecting files and directories, NetBIOS, dangerous
services, passwords and hashes, registry entries, resource sharing,
auditing, caching, and memory paging.
   http://www.windowsitlibrary.com/content/121/18/toc.html

- IIS
   Microsoft offers the Internet Information Server (IIS) 4.0 Baseline
Security Checklist, which helps you better secure the popular Web
server. The list discusses installing the minimum Internet services
required, setting appropriate authentication methods, setting
appropriate virtual directory permissions and partitioning Web
application space, setting appropriate IIS log file ACLs, enabling
logging, setting up Secure Sockets Layer (SSL), disabling or removing
all sample applications, removing the IISADMPWD virtual directory,
removing unused script mappings, and disabling Remote Data Services
(RDS) support (see the first URL below). Microsoft also provides a
Web-based checklist form that helps you keep track of which
configuration actions you've taken on a Web server. You'll find the
form, which contains hotlinks that describe each item listed, at the
second URL below. The company also provides a lockdown tool for IIS,
which you'll find at the third URL below. Finally, you'll find a
useful checklist for Internet Information Services (IIS) 5.0 at the
fourth URL below.
   http://www.microsoft.com/technet/security/tools/chklist/iis4cl.asp
   http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/chklist/iischk.asp
   http://www.microsoft.com/technet/security/tools/tools/locktool.asp
   http://www.microsoft.com/technet/security/tools/chklist/iis5cl.asp

- SQL Server
   SQLSecurity.com provides the "SQL Server Security Checklist" to
help you secure SQL Server installations. The extensive list covers
such matters as service packs, protocols, user accounts, dropping
dangerous procedures, deleting stored procedures, logging, alerts,
groups and roles, and user logins.
   http://www.sqlsecurity.com/checklist.asp

- Exchange Server
   The IMIBO Web site discusses Exchange Server security and offers
sample code that shows you how Microsoft handles security inside the
server. The site's information addresses subjects such as logons,
directory objects, security descriptors, modifying access, and public
folder access control.
   http://www.imidev.galaxite.net/exc/security/contents.htm

DevX provides "Eight Tips to Secure Exchange." The tips cover areas
such as ports, underlying OS services, server location, passwords,
using communities, dial-up access, and administrative rights.
   http://archive.devx.com/upload/free/features/exchange/2000/10oct00/jh0010/jh0010.asp

You can find additional information about Exchange Server and Outlook
security at Slipstick Systems. At the Slipstick Web site, search on
the term "security."
   http://www.slipstick.com

- Microsoft IE
   Microsoft provides a rudimentary Web page that explains IE
security. The page includes settings for SSL and security zones. The
most important thing to remember about IE security is to load the many
available patches.
   http://www.microsoft.com/technet/security/tools/chklist/iecl.asp

- More Microsoft Security Tools and Checklists
   For more complete access to Microsoft security checklists and
tools, visit the company's TechNet Web site. The site includes items
for most of Microsoft's enterprise products (although not for SQL
Server).
   http://www.microsoft.com/technet/security/tools/tools.asp

- UNIX OSs
   CERT offers a "UNIX Security Checklist v2.0." The checklist covers
the basic OS, major services, patches, and details about specific UNIX
OSs. The checklist appendix lists security tools, commands, and five
"essential" steps to secure your UNIX systems before you put them into
operation.
   http://www.cert.org/tech_tips/usc20_full.html

- Apache HTTP Server
   If you're among the many people who run Apache HTTP server, you'll
be happy to know that the Apache Server Project hosts a Web page,
"Security Tips for Server Configuration." The content includes
permissions on server root directories, server-side includes, Common
Gateway Interface (CGI) in general, aliased CGI, dynamic content,
system settings, and protecting server files.
   http://httpd.apache.org/docs/misc/security_tips.html

Finally, Windows & .NET Magazine has published many in-depth articles
that discuss how to better secure your systems. Be sure to use the Web
site search engine to find material about the security topics most
important to you.
   http://search.winnetmag.com

~~~~~~~~~~~~~~~~~~~~

~~~~ SPONSOR: WINDOWS & .NET MAGAZINE - EXCLUSIVE RATE ~~~~
   http://list.winnetmag.com/cgi-bin3/flo?y=eO4O0CJgSH0CBw07CT0AE
   HERE'S AN OFFER YOU CAN'T AFFORD TO PASS UP!
   For a limited time, you can get an exclusive $19.95 rate to one
year of Windows & .NET Magazine. That's only $1.66 an issue in the US
-- a whopping 60% off our regular rate. This offer won't be around
forever, so subscribe today at
   http://list.winnetmag.com/cgi-bin3/flo?y=eO4O0CJgSH0CBw07CT0AE

~~~~~~~~~~~~~~~~~~~~

2. ==== SECURITY RISKS ====
   (contributed by Ken Pfeil, ken () winnetmag com)

* PRIVILEGE ESCALATION IN MICROSOFT WM_TIMER
   A vulnerability in Microsoft WM_TIMER Message Handling can grant an
attacker complete control over the vulnerable system. The
vulnerability occurs because one process in the interactive desktop
can use a WM_TIMER message to cause another process to execute a
callback function at the address of its choice, even if the second
process didn't set a timer. Microsoft has released Security Bulletin
MS02-071 (Flaw in Windows WM_TIMER Message Handling Could Enable
Privilege Elevation) to address this vulnerability and recommends that
affected users immediately apply the appropriate patch mentioned in
the bulletin.
   http://www.secadministrator.com/articles/index.cfm?articleid=37436
 
* VULNERABILITY IN MICROSOFT SMB
   A new vulnerability in Microsoft Server Message Block (SMB) lets an
attacker silently downgrade the SMB Signing settings on a vulnerable
system, which might then let the attacker change Group Policy
information. Microsoft has released Security Bulletin MS02-070 (Flaw
in SMB Signing Could Enable Group Policy to be Modified) to address
this vulnerability and recommends that affected users immediately
apply the appropriate patch mentioned in the bulletin. This patch is
included in Windows XP Service Pack 1 (SP1) and will be included in
Windows 2000 SP4.
   http://www.secadministrator.com/articles/index.cfm?articleid=37435

* MULTIPLE VULNERABILITIES IN MICROSOFT VM
   GreyMagic Software and Thor Larholm discovered eight new
vulnerabilities in Microsoft Virtual Machine (VM). The most serious of
these vulnerabilities can give an attacker complete control over the
vulnerable system. Microsoft has released Security Bulletin MS02-069
(Flaw in Microsoft VM Could Enable System Compromise) to address these
vulnerabilities and recommends that affected users immediately apply
the appropriate patch available through Windows Update.
   http://www.secadministrator.com/articles/index.cfm?articleid=37434

3. ==== ANNOUNCEMENTS ====
   (brought to you by Windows & .NET Magazine and its partners)

* THE MICROSOFT MOBILITY TOUR IS COMING SOON TO A CITY NEAR YOU!
   Brought to you by Windows & .NET Magazine, this outstanding
seven-city event will help support your growing mobile workforce.
Industry guru Paul Thurrott discusses the coolest mobility hardware
solutions around, demonstrates how to increase the productivity of
your "road warriors" with the unique features of Windows XP and Office
XP, and much more. There is no charge for these live events, but space
is limited so register today!
   http://list.winnetmag.com/cgi-bin3/flo?y=eO4O0CJgSH0CBw06Kw0Au

* GET THE NEW WINDOWS & .NET MAGAZINE NETWORK SUPER CD/VIP!
   Everyone can appreciate a bargain in today's economy. That's why
we've introduced the Windows & .NET Magazine Super CD/VIP Web site.
You get exclusive subscriber-only access to all our publications
through our new VIP Web site. Plus, you get Super CDs delivered twice
a year, and we'll even throw in a 1-year print subscription to the
magazine! The Super CD/VIP is a $545 value for just $279. Subscribe
today!
   http://list.winnetmag.com/cgi-bin3/flo?y=eO4O0CJgSH0CBw06oc0AC

4. ==== SECURITY ROUNDUP ====

* FEATURE: SECURITY AND PARAMETERIZATION
   In SQL Server 2000 Analysis Services, Microsoft introduced
dimension-level security, which can limit the members of a cube
dimension that a user can view. The most straightforward way to use
this feature is to create a security role for each unique set of
permissions in the application. But in a sales application, every user
might need a unique set of permissions for the sales data. This
requirement could introduce hundreds--if not thousands--of security
roles. However, even if you could create an administrative application
to manage this number of security roles, Analysis Services couldn't
handle it. Russ Whitney works around this limitation and creates a
scalable solution. Read how at the URL below.
   http://www.secadministrator.com/articles/index.cfm?articleid=27040

* FEATURE: CA BASICS
   A primary condition for enabling Secure Sockets Layer (SSL)
encryption is that your server and clients must have a digital
certificate from a trusted root Certificate Authority (CA). The server
and client certificates must be from the same CA. For the example in
this article, Gary Zaika used Microsoft Certificate Services to issue
certificates for all clients inside the company. Read more on our Web
site.
   http://www.secadministrator.com/articles/index.cfm?articleid=27141

5. ==== SECURITY TOOLKIT ====

* VIRUS CENTER
   Panda Software and the Windows & .NET Magazine Network have teamed
to bring you the Center for Virus Control. Visit the site often to
remain informed about the latest threats to your system security.
   http://www.secadministrator.com/panda

* FAQ: HOW CAN I CONFIGURE MICROSOFT'S SECURE DESKTOP RESTRICTION
SETTING IN WINDOWS 2000 SERVICE PACK 1 (SP1) AND LATER?
   (contributed by John Savill, http://www.windows2000faq.com)
 
A. Users who interactively log on to a computer running Win2K or later
can perform tasks that might be security risks, such as gaining access
to display and input devices that a computer process with
wider-reaching privileges owns. These users then can create a process
to capture passwords or sensitive data. For more information about the
problem, see Microsoft Security Bulletin MS00-020 (Patch Available for
"Desktop Separation" Vulnerability) at the Microsoft Web site.
   Win2K SP1 corrected this vulnerability by adding a Secure Desktop
Restriction setting, but the new locked-down functionality might
adversely affect certain applications. If your application vendor
advises you to disable this security setting, perform the following
steps:
   1. Start a registry editor (e.g., regedit.exe).
   2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Windows.
   3. From the Edit menu, select New, DWORD Value.
   4. Enter a name of SecureDesktop.
   5. Double-click the new value, set it to 0 to disable the setting
(you can set the value to 1 to reenable the default configuration),
then click OK.
   6. Restart the machine for the change to take effect.
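As an added example (not part of the FAQ or the original newsletter), the following PowerShell script audits the SecureDesktop value that the steps above set and can put it back to the default of 1. It assumes an elevated PowerShell session on the machine being checked; PowerShell itself did not exist when this FAQ was written, so the registry path and value semantics come from the FAQ while the tooling is assumed.

```powershell
# Added example, not from the FAQ: audit the Secure Desktop Restriction
# value (HKLM\...\Windows NT\CurrentVersion\Windows\SecureDesktop) and
# optionally restore the SP1 default. Run in an elevated session.
$RegPath   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$ValueName = 'SecureDesktop'

function Get-SecureDesktopState {
    # Returns an object with the raw value and a human-readable state.
    # Per the FAQ: value absent or 1 = restriction in force, 0 = disabled.
    $item = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Value = $null; State = 'Enabled (value absent, default)' }
    }
    $v = $item.$ValueName
    switch ($v) {
        1       { $state = 'Enabled' }
        0       { $state = 'Disabled' }
        default { $state = "Unexpected value '$v' (not 0 or 1)" }
    }
    return [pscustomobject]@{ Value = $v; State = $state }
}

function Restore-SecureDesktopDefault {
    # Equivalent of step 5 with the value set to 1; a restart is still needed.
    if (-not (Test-Path -Path $RegPath)) {
        throw "Registry key $RegPath not found"
    }
    Set-ItemProperty -Path $RegPath -Name $ValueName -Value 1 -Type DWord
    Write-Warning 'Restart the machine for the change to take effect.'
}

# Audit pass: report the state and flag a disabled restriction so that it can
# be matched against a documented vendor requirement.
$state = Get-SecureDesktopState
Write-Output ("{0}\{1}: {2}" -f $RegPath, $ValueName, $state.State)
if ($state.State -eq 'Disabled') {
    Write-Warning 'Secure Desktop Restriction is disabled on this machine.'
    # Uncomment to re-enable the default configuration:
    # Restore-SecureDesktopDefault
}
```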

6. ==== NEW AND IMPROVED ====
   (contributed by Sue Cooper, products () winnetmag com)

* MAINTENANCE-FREE SPAM PROTECTION
   Singlefin announced the Global Email Gateway Service, which blocks
unwanted email and viruses at the gateway, before they enter your
network. The service uses a three-step filtering process to block only
spam: email address baiting, proprietary message scoring, and
proprietary fingerprinting and addition to Singlefin's database. The
service uses two virus engines to support its 10-minute update
intervals. Contact Singlefin at 619-222-1362, 866-566-3346, and
info () singlefin net.
   http://www.singlefin.net

* EASILY SET UP REMOTE SITE FIREWALLS
   PowerWallz Network Security announced the ProShield v1000 firewall
appliance, designed for branch offices, telecommuters, and small and
midsized enterprise users. ProShield v1000 features high-end
encryption and EasyVPN, a proprietary configuration utility to
simplify the installation and configuration process for your remote or
small office settings. ProShield v1000 is available in rack-mount and
standalone models, with Web-based central administration. It's
expected to ship in first quarter 2003 with prices starting at $899.
Contact PowerWallz Network Security at 604-233-2822, 888-889-6988, and
sales () powerwallz com.
   http://www.powerwallz.com

* SUBMIT TOP PRODUCT IDEAS
   Have you used a product that changed your IT experience by saving
you time or easing your daily burden? Do you know of a terrific
product that others should know about? Tell us! We want to write about
the product in a future What's Hot column. Send your product
suggestions to whatshot () winnetmag com.

7. ==== HOT THREAD ====

* WINDOWS & .NET MAGAZINE ONLINE FORUMS
   http://www.winnetmag.com/forums

Featured Thread: Bypassing Proxy Servers
   (Four messages in this thread)

A user writes that his company uses a Cisco Systems PIX firewall and
WebSense URL-blocking software. However, some users have found
applications that let them bypass the WebSense system to surf the
Internet unrestricted. He wants to know where users might get such
programs. Lend a hand or read the responses:
   http://www.winnetmag.com/forums/rd.cfm?cid=42&tid=51474

8. ==== CONTACT US ====
   Here's how to reach us with your comments and questions:

* ABOUT IN FOCUS -- mark () ntsecurity net

* ABOUT THE NEWSLETTER IN GENERAL -- letters () winnetmag com (please
mention the newsletter name in the subject line)

* TECHNICAL QUESTIONS -- http://www.winnetmag.com/forums

* PRODUCT NEWS -- products () winnetmag com

* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer
Support -- securityupdate () winnetmag com

* WANT TO SPONSOR SECURITY UPDATE? emedia_opps () winnetmag com

********************

This email newsletter is brought to you by Security Administrator, the
print newsletter with independent, impartial advice for IT
administrators securing a Windows 2000/Windows NT enterprise.
Subscribe today!
   http://www.secadministrator.com/sub.cfm?code=saei25xxup

Receive the latest information about the Windows and .NET topics of
your choice. Subscribe to our other FREE email newsletters.
   http://www.winnetmag.com/email

|-+-|-+-|-+-|-+-|-+-|

Thank you for reading Security UPDATE.

MANAGE YOUR ACCOUNT
   You can manage your entire Windows & .NET Magazine Network email
newsletter account on our Web site. Simply log on and you can change
your email address, update your profile information, and subscribe or
unsubscribe to any of our email newsletters all in one place.
   http://www.winnetmag.com/email

Thank you!
__________________________________________________________
Copyright 2003, Penton Media, Inc.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

