Security UPDATE, June 13, 2001

[InfoSec News <isn () c4i org>]

********************

Windows 2000 Magazine Security UPDATE--brought to you by the Windows
2000 Magazine Network
   **Watching the Watchers**
   http://www.win2000mag.net/Channels/Security

********************

~~~~ THIS ISSUE SPONSORED BY ~~~~

BindView Corporation
   http://go.win2000mag.net/UM/T.asp?A2153.23115.1124.1.532985

~~~~~~~~~~~~~~~~~~~~

~~~~ SPONSOR: BINDVIEW CORPORATION ~~~~
   Security is the key issue in today's interconnected world and
BindView is right on top of it with a new, highly informative eBook, The
Definitive Guide to Windows 2000 Security. This eBook covers all the
bases of a comprehensive security methodology for your Microsoft Windows
2000 environment. It's heavy into the detail of what goes into a great
IT security system, and is specifically geared for Windows 2000
platforms. Written by Paul Cooke, an Information Security professional
with more than 10 years' experience developing and deploying security
solutions, the tips, tricks, and info packed into this volume are
priceless! Get it FREE at
   http://go.win2000mag.net/UM/T.asp?A2153.23115.1124.1.532985

~~~~~~~~~~~~~~~~~~~~

June 13, 2001--In this issue:

1. IN FOCUS
     - New Tweaks and Tools

2. SECURITY RISKS
     - Script Execution Vulnerability in Microsoft Exchange OWA
     - Multiple Vulnerabilities in Microsoft Windows 2000 Telnet

3. ANNOUNCEMENTS
     - Tell Us about Your Connected Home!
     - The Black Hat Briefings: The Security Event the Experts Rave
About

4. SECURITY ROUNDUP
     - News: Windows XP to Sport UNIX-like Raw Sockets
     - News: The AD Backup Bug: Monster in the Closet?
     - News: Citrix and Sierra Wireless Join Forces to Provide Wireless
Access to Server-Based Applications
     - Review: IPSec and IKE: New VPN Standards

5. SECURITY TOOLKIT
     - Book Highlight: Configuring ISA Server 2000: Building Firewalls
       for Windows 2000
     - Virus Center: Worm Alert--Choke.A
     - FAQ: How Can I Uninstall Hidden Windows Components?
     - Windows 2000 Security: IE Security Options, Part 6
     - Event Highlight: Windows 2000 Magazine Live!

6. NEW AND IMPROVED
     - Defrag Your System
     - Biometric Authentication Sensor in New Keyboards

7. HOT THREADS 
     - Windows 2000 Magazine Online Forums
           Disable CD-ROM Eject
     - HowTo Mailing List:
           Suspicious Entry in My Web Server Log

8. CONTACT US
   See this section for a list of ways to contact us.

1. ==== COMMENTARY ====

Hello everyone,

Over the past week, I've learned about three Microsoft tools that help
you install Microsoft hotfixes in a more streamlined fashion and tighten
security on your dial-up networking clients. In addition, I've come
across some interesting articles that you might want to read. 

The tools are Qchain, the Windows 9x DUN 1.4 Upgrade, and Qfecheck.
Qchain lets you install multiple hotfixes without having to reboot after
each one. I found out about the tool while reading the June edition of
Microsoft's "Ask Us About Security" column on its Web site. You can find
the column at the first URL below. Qchain runs on Windows 2000 and
Windows NT. To use Qchain, you first install each required hotfix (in
proper sequence) with the -z command-line switch, which tells the
installation program not to reboot the OS after installing the fix. Then
run Qchain, which, according to article Q296861, "cleans the Pending
File Rename Operations key in the registry to make sure that only the
latest version of a file is installed after the computer is rebooted."
You can learn more about Qchain and download a copy at the second URL
below.
   http://www.microsoft.com/technet/security/columns.asp
   http://www.microsoft.com/technet/support/kb.asp?ID=296861

The DUN upgrade offers Windows 9x users support for 128-bit encryption
with PPTP and also improves the stability of PPTP connections. According
to Microsoft, "The DUN 1.4 release includes all of the features of all
previous DUN releases, as well as those that are included in the
Integrated Services Digital Network (ISDN) version 1.1 release." In
addition, DUN 1.4 has multilink support and support for internal ISDN
adapters and connection-time scripting, which helps automate nonstandard
connections. You can find the DUN 1.4 upgrade at the following URL:
   http://support.microsoft.com/support/kb/articles/Q285/1/89.ASP

The third tool is Qfecheck, which inspects a system to ensure that
hotfixes are installed correctly on Win2K systems. Hotfix information is
stored in the registry under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates.

Qfecheck reads information from that key and compares the information to
files on the system to ensure those files are the proper versions.
Qfecheck also ensures that the Windows File Protection (WFP) subsystem
has the information it needs to protect those files from tampering.
Learn more about Qfecheck, including where to download a copy, from
Microsoft's article.
   http://support.microsoft.com/support/kb/articles/Q282/7/84.ASP

While reading this month's "Ask Us About Security" column from
Microsoft, I also learned that the company has begun producing no-reboot
patches for Win2K--finally! Microsoft said it now analyzes each security
patch it produces to determine whether a user can install it without a
system reboot; the company will release those patches as no-reboot
patches. The company also analyzed all of its former patches and found
it could repackage only two (MS00-067 and MS00-099) as no-reboot patches
using its current technology. So Microsoft is working on additional
technology that will let it repackage as many as 25 percent of the
currently available patches. That technology should also let the company
create a greater percentage of no-reboot patches in the future. You can
learn more about no-reboot patches on Microsoft's TechNet Web site.
   http://www.microsoft.com/TechNet/security/noreboot.asp

Before I sign off this week, I want to point out that Windows 2000
Magazine senior contributing editor Sean Daily has discovered a
potentially dangerous oddity with Active Directory (AD) backups. In
certain instances, AD backups can become corrupt, and you know what
happens when you restore corrupted data. You don't want to get bitten by
this bug, so be sure to read about Sean's news article in the SECURITY
ROUNDUP section of this newsletter. Until next time, have a great
week.

Sincerely,
Mark Joseph Edwards, News Editor, mark () ntsecurity net

2. ========== SECURITY RISKS =========
(contributed by Ken Pfiel, ken () win2000mag com)

* SCRIPT EXECUTION VULNERABILITY IN MICROSOFT EXCHANGE OWA
   Joao Gouveia discovered a flaw in the interaction between Microsoft
Exchange Server Outlook Web Access (OWA) and Microsoft Internet Explorer
(IE) for message attachments. If an attachment contains HTML code that
includes script, the script will execute when the user opens the
attachment, regardless of the attachment type. Microsoft has
acknowledged this vulnerability and recommends that users immediately
apply the patch mentioned in Security Bulletin MS01-030.
   http://www.windowsitsecurity.com/articles/index.cfm?articleID=21379

* MULTIPLE VULNERABILITIES IN MICROSOFT WINDOWS 2000 TELNET
   Seven different vulnerabilities exist in the version of Telnet that
Microsoft ships with Windows 2000. Two of these vulnerabilities relate
to the way that Telnet handles the sessions that a user creates, and
escalate the user's privilege. Four of these vulnerabilities let an
attacker create Denial of Service (DoS) attacks, and the seventh
vulnerability involves information disclosure that lets an attacker
enumerate Guest accounts exposed by using the Telnet server. Guardent,
Peter Grundl, Richard Reiner, and BindView's Razor team discovered the
problems. Microsoft acknowledges these vulnerabilities and recommends
that users immediately apply the patch mentioned in Security Bulletin
MS01-031. For Windows 2000 Datacenter Server users, the patches are
hardware specific, and users should contact the OEM.
   http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=21380

3. ==== ANNOUNCEMENTS ====

* TELL US ABOUT YOUR CONNECTED HOME!  
   Does your computer technology savvy come in handy at home? We want to
know how you use home networking, computer technology, and home
automation technology for work and play. Take a few minutes to answer
our online survey! 
   http://www.zoomerang.com/survey.zgi?EGPTKEMTH7BQRBT9YE8FN3X8

* THE BLACK HAT BRIEFINGS: THE SECURITY EVENT THE EXPERTS RAVE ABOUT  
   Register now for Black Hat Briefings, the world's premier technical
event for IT and network security experts, July 11 and 12 in Las Vegas.
New this year is a Tools of the Trade track. Join 1500+ security experts
and underground security specialists at this truly unique conference
with lots of Windows 2000 sessions. 
   http://www.blackhat.com

4. ==== SECURITY ROUNDUP ====

* NEWS: WINDOWS XP TO SPORT UNIX-LIKE RAW SOCKETS
   Microsoft's new Windows XP OS will include UNIX-like raw sockets,
expanding on its current OSs. Winsock 2 already offers some raw socket
functionality; however, Windows XP's new functionality will allow source
IP address spoofing. Currently, Winsock overwrites a packet's source IP
address with the system's true IP address before sending that packet to
its destination. Early versions of Windows let malicious users spoof IP
addresses, but sometime during the evolution of Windows, Microsoft
decided to remove such functionality. With the company's decision to
reinstate the raw socket functionality in Windows XP, at least one
person is complaining loudly.
   http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=21358

* NEWS: THE AD BACKUP BUG: MONSTER IN THE CLOSET?
   Making reliable backups is one of the most important tasks a network
administrator faces daily. At a recent conference, Sean Daily came
across some rather disturbing information--information that directly
affects administrators who run Windows 2000 networks based on Active
Directory (AD). An engineer for Aelita, an independent software vendor
(ISV) that produces Win2K and Windows NT administration and migration
tools, told Daily that roughly half of all AD backups resulted in
corrupt backup copies. For the complete details visit the following
URL.
   http://www.wininformant.com/Articles/Index.cfm?ArticleID=21351

* NEWS: CITRIX AND SIERRA WIRELESS JOIN FORCES TO PROVIDE WIRELESS
ACCESS TO SERVER-BASED APPLICATIONS
   Citrix Systems and Sierra Wireless have established a strategic
relationship to deliver business applications running on Citrix
MetaFrame servers over wireless networks to virtually any client device.
Key terms of the agreement include product-compatibility testing and
joint marketing and sales initiatives, beginning with Citrix
representation in the Sierra Wireless booth at this month's PC Expo.
Citrix has joined the Sierra Wireless WirelessReady Alliance (WRA), and
Sierra Wireless has become a premier-level member of the Citrix Business
Alliance (CBA).
   http://www.wininformant.com/Articles/Index.cfm?ArticleID=21346

* REVIEW: IPSEC AND IKE: NEW VPN STANDARDS
   The IP Security (IPSec) and Internet Key Exchange (IKE) protocols are
becoming standards in VPN communications. All but one of the products in
this review--Computer Associates (CA) eTrust VPN 2.1--use IPSec for
encapsulating sensitive IP communication. IPSec is taking its place as a
universal standard among firewall and router manufacturers. The reasons
for IPSec's growing popularity are its ability to work on many types of
network devices and its strong data-protection features. IPSec is
essentially a set of security protocols and algorithms that ensure data
security on the network layer. Learn all about it in Michael Norian's
comparative review on the Windows 2000 Web site.
   http://www.win2000mag.com/Articles/Index.cfm?ArticleID=20070

5. ==== SECURITY TOOLKIT ====

* BOOK HIGHLIGHT: CONFIGURING ISA SERVER 2000: BUILDING FIREWALLS FOR
WINDOWS 2000
By Tom Shinder
List Price: $49.95
Fatbrain Online Price: $39.96
Hardcover; 512 pages
Published by Syngress Publishing, April 2001
ISBN 1928994296

For more information or to purchase this book, go to
http://www1.fatbrain.com/asp/bookinfo/bookinfo.asp?theisbn=1928994296
and enter WIN2000MAG as the discount code when you order the book.

* VIRUS CENTER
   Panda Software and the Windows 2000 Magazine Network have teamed to
bring you the Center for Virus Control. Visit the site often to remain
informed about the latest threats to your system security.
   http://www.windowsitsecurity.com/panda

WORM ALERT: CHOKE.A
   W32/Choke.A is an Internet worm written in Visual Basic (VB) 6.0 that
uses the program MSN Messenger to propagate. If this application is not
installed on your system, propagation isn't possible. The message body
of this message contains the following text: "President bush shooter is
game that allows you to shoot Bush balzz hahaha." For complete details
on this worm, be sure to visit the Center for Virus Control 
   http://63.88.172.96/Panda/Index.cfm?FuseAction=Virus&VirusID=1102

* FAQ: HOW CAN I UNINSTALL HIDDEN WINDOWS COMPONENTS?
   ( contributed by Paul Robichaux, http://www.windows2000faq.com )

When you start the Add/Remove Programs Control Panel applet and select
Add/Remove Windows components, the system doesn't display all of the
components because Windows doesn't want some of them uninstalled.
However, you can change which components the system displays. Perform
the following steps: 
   1. Open the sysoc.inf file located in the %systemroot%\inf folder. 
   2. Go to the Components section. 
   3. Locate the entry you want to make uninstallable and remove the
word "hide." For example, for MSN Messenger Service, change the line:
   msmsgs=ocgen.dll,OcEntry,msmsgs.inf,hide,7
   to
   msmsgs=ocgen.dll,OcEntry,msmsgs.inf,,7 
   4. Save the sysoc.inf file. 

* WINDOWS 2000 SECURITY: IE SECURITY OPTIONS, PART 6
   In Parts 2 through 5 of this article series, Randy Franklin Smith
described the many security settings in Microsoft Internet Explorer (IE)
5.0. You've probably identified some areas where you need to improve
browser security. But like many administrators, you might have hundreds
or even thousands of workstations where you need to make these changes.
In addition, you need to prevent users from going back and reversing
your stricter security settings. To accomplish these tasks in Windows
2000, you can use Group Policy Objects (GPOs) that you link to your
Active Directory (AD) domain or to organizational units (OUs) in your
domain. Learn how in Randy's latest column.
   http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=21282

* EVENT HIGHLIGHT: WINDOWS 2000 MAGAZINE LIVE!
   Microsoft TechEd 2001
   June 17 through 21, 2001
   Georgia World Congress Center
   Atlanta, Georgia

Stop by the Windows 2000 Magazine booth at TechEd 2001 and meet our
technical editors and hear what they have to say about current topics.
Sunday, June 17, at 3:00 P.M., Tim Huckaby will discuss Web security
auditing. Monday, June 18, at 10:00 A.M., and Tuesday, June 19, at 9:30
A.M., Sean Daily will present some very useful--and in some cases,
undocumented--Windows 2000 tips, tricks, and customizations. Monday at
1:00 P.M., Mark Russinovich will discuss new stuff in the XP Kernel.
Wednesday, June 20, at 11:00 A.M., Bob Wells will discuss some new and
improved scripting goodies in Windows XP.

6. ==== NEW AND IMPROVED ====
   (contributed by Judy Drennen, products () win2000mag com)

* DEFRAG YOUR SYSTEM
   Winternals Software released Defrag Commander Network Edition (NE),
software that features a remote, schedulable defragmenter that can
defrag Windows 2000 and Windows NT systems across the network without
having to install client software. A client component of the product
defragments Windows Me and Windows 9x systems through a logon script or
through the Microsoft Systems Management Server (SMS). Defrag Commander
NE is licensed by the number of simultaneous clients, and prices start
at $169 for 10 units. Contact Winternals Software at 512-330-9130 or
800-408-8415.
   http://www.winternals.com

* BIOMETRIC AUTHENTICATION SENSOR IN NEW KEYBOARDS
   DigitalPersona announced that its U.are.U biometric authentication
sensor will be included in a new generation of Darfon Electronics
keyboards. Biometric security solutions are becoming more popular as
system developers move away from expensive and time-consuming password
systems. Fingerprints provide a nonintrusive method to guarantee that
only authorized recipients obtain information.
   http://www.digitalpersona.com

7. ==== HOT THREADS ====

* WINDOWS 2000 MAGAZINE ONLINE FORUMS
   http://www.win2000mag.net/forums 

Featured Thread: Disable CD-ROM Eject 
   (Six messages in this thread)

This reader administers a school lab running Windows NT 4.0
workstations. He wants to know how to keep students from inserting game
CD-ROMs on their systems. Read the responses of others or lend a helping
hand at the following URL:
   http://www.win2000mag.net/forums/rd.cfm?app=64&id=68658

* HOWTO MAILING LIST
   http://www.windowsitsecurity.com/go/page_listserv.asp?s=HowTo

Featured Thread: Suspicious Entry in My Web Server Log
   (Three messages in this thread)

This user found a suspicious entry in the Web server's logs that seems
to indicate some type of exploit was attempted against the server. The
log entry is as follows:

   2001-06-03 11:55:46 xxx.yyy.32.246 - W3SVC1 SERVERNAME
xxx.yyy.zzz.112 GET /winnt/system32/cmd.exe 401 5 80 - -

According to the user, the timing corresponds with what looks like a
scan of IP addresses on the same subnet looking for HTTP servers on port
80.  The user is not aware of an exploit but is trying to figure out
what the intruder was up to. Can you help? Read the responses or lend a
hand at the following URL:
   http://63.88.172.96/go/page_listserv.asp?A2=IND0106A&L=HOWTO&P=1165

8. ==== CONTACT US ====
   Here's how to reach us with your comments and questions:

* ABOUT THE COMMENTARY -- mark () ntsecurity net

* ABOUT THE NEWSLETTER IN GENERAL -- tfaubion () win2000mag com; please
mention the newsletter name in the subject line.

* TECHNICAL QUESTIONS -- http://www.win2000mag.net/forums

* PRODUCT NEWS -- products () win2000mag com

* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? -- Email Customer
Support at securityupdate () win2000mag com.

* WANT TO SPONSOR Security UPDATE? emedia_opps () win2000mag com

********************
   This weekly email newsletter is brought to you by Windows 2000
Magazine, the leading publication for Windows 2000/NT professionals who
want to learn more and perform better. Subscribe today.
   http://www.win2000mag.com/sub.cfm?code=wswi201x1z

   Receive the latest information about the Windows 2000 and Windows NT
topics of your choice. Subscribe to our other FREE email newsletters.
   http://www.win2000mag.net/email

|-+-+-+-+-+-+-+-+-+-|

Thank you for reading Security UPDATE.

SUBSCRIBE
To subscribe send a blank email to
subscribe-Security_UPDATE () list win2000mag net.

If you have questions or problems with your UPDATE subscription, please
contact securityupdate () win2000mag com. 
___________________________________________________________
Copyright 2001, Penton Media, Inc.













ISN is hosted by SecurityFocus.com
---
To unsubscribe email isn-unsubscribe () SecurityFocus com.