Security UPDATE, October 17, 2001

[InfoSec News <isn () c4i org>]

********************
Windows 2000 Magazine Security UPDATE--brought to you by Security
Administrator, a print newsletter bringing you practical, how-to
articles about securing your Windows 2000 and NT systems.
   http://www.secadministrator.com
********************

~~~~ THIS ISSUE SPONSORED BY ~~~~

Top 10 Windows and AD Security Threats
   http://lists.win2000mag.net/cgi-bin3/flo?y=eIGg0CJgSH0BVg0KwR0A3 

Prevent a Cyber Terrorism Attack on Your Network
   http://lists.win2000mag.net/cgi-bin3/flo?y=eIGg0CJgSH0BVg0gcc0AT 
   (below SECURITY RISKS)

~~~~~~~~~~~~~~~~~~~~

~~~~ SPONSOR: TOP 10 WINDOWS AND AD SECURITY THREATS ~~~~
   Security vulnerabilities never die, they just become more 
embarrassing when exploited. Protect your organization from common 
security risks. To find out how, download a free white paper "Top Ten 
Security Threats for Windows 2000 and Active Directory." This white 
paper not only describes vulnerability threats such as IIS RDS, IIS 
Unicode, SQL Server with no system administrator (SA) password, and 
weak or no passwords, but also tells you how to protect your 
organization from these Windows 2000 and Active Directory security 
exposures. Download it FREE at 
http://lists.win2000mag.net/cgi-bin3/flo?y=eIGg0CJgSH0BVg0KwR0A3 

********************

October 17, 2001--In this issue:

1. IN FOCUS
     - Trapping Worms in a Honeypot

2. SECURITY RISKS
     - Multiple Vulnerabilities in Microsoft Internet Explorer

3. ANNOUNCEMENTS
     - MEC 2001, Nice, France, November 6 through 9, 2001
     - What Does a Connected Home Look Like?

4. SECURITY ROUNDUP
     - Feature: XP Pro for the Administrator
     - Review: Event Archiver 3.3.25 and Event Analyst 1.3.52

5. HOT RELEASES (ADVERTISEMENTS)
     - LANguard Security Event Log Monitor Offer!
     - VeriSign - The Internet Trust Company

6. SECURITY TOOLKIT
     - Book Highlight: The CISSP Prep Guide: Mastering the Ten Domains 
       of Computer Security
     - Virus Center
     - FAQ: How Can I Prevent the OS from Storing LAN Manager Hashes in 
       Active Directory and the SAM?

7. NEW AND IMPROVED
     - Web-Based Antivirus Service
     - Protect Your PC

8. HOT THREADS
     - Windows 2000 Magazine Online Forums
         - Featured Thread: Recommended Antivirus Software
     - HowTo Mailing List:
         - Featured Thread: What Data Is Lost When an Account Is 
           Deleted?

9. CONTACT US
   See this section for a list of ways to contact us.

~~~~~~~~~~~~~~~~~~~~

1. ==== COMMENTARY ====

Hello everyone,

Is Nimda still attacking your network now and then? My Intrusion 
Detection System (IDS) continues to catch related intrusion attempts 
(two more as I write this editorial) even though weeks have passed 
since corrective measures came out. Many Microsoft IIS administrators 
still haven't plugged the holes in their systems. The attacks consume 
my bandwidth and cause log files to grow to unruly proportions. 
However, 2 weeks ago I found an interesting tool, called LaBrea, that 
can help slow the spread of worms on Windows NT and UNIX systems.

Tom Liston, LaBrea's creator, calls the tool a tar pit or a sticky 
honeypot because it's a lure that lets almost no intruder escape. When 
a robot intruder (such as a worm) connects, a LaBrea system traps that 
connection indefinitely by manipulating the TCP session parameters. 
Liston says, "The LaBrea server software allows a normal three-way 
handshake in response to a connect attempt. During the handshake, the 
server sets a small (5 byte) TCP window. When the client sends its 
first 5 bytes of data, the server responds with a TCP window of 0 
(wait). The client then shifts into the persist state, where it sends 
window probe packets at intervals that increase to a maximum of 4 
minutes for an NT stack. The LaBrea server answers these probes to hold 
the client in the persist state. At this point, a connection can be 
maintained with a throughput of approximately 1215 bytes per hour. All 
of this can be done without maintaining any 'state' on the 
connections."

Using LaBrea slows the spread of worms. For example, to propagate, the 
Code Red worm spawns about 100 threads. Each thread scans IP addresses 
in rapid succession, looking for vulnerable hosts to infect--the 
potential to spread rapidly is enormous. But by capturing some of those 
threads as they attempt to infect your network, the LaBrea tool reduces 
the spread of the worm exponentially--a neat idea that really works! Be 
sure to look at LaBrea at the URL below. Liston says he must address 
problems with the Windows 2000 TCP/IP stack before he can make the tool 
run on that platform. 
   http://www.threenorth.com/LaBrea

Speaking of computer attacks, the results are in on a survey that 
InfoSecurity Magazine conducted in late July and early August 2001. The 
2545 participants include security professionals involved in 
government, consulting, manufacturing and reselling, banking and 
finance, medical and healthcare, military, and education. One 
interesting finding is that the number of people who reported attacks 
against their Web servers has doubled since 2000--roughly half of those 
polled reported such attacks. The survey also tracks a 33 percent 
increase in the number of entities suffering buffer-overflow attacks, 
and almost 90 percent of the respondents suffered some type of 
infection by malicious code such as a virus, worm, or Trojan horse. The 
survey has lots of other interesting facts and figures--be sure to stop 
by and take a look: 
   http://www.infosecuritymag.com/articles/october01/images/survey.pdf

I ran across an interesting document last week, "Best Practices for 
Secure Development," written by Razvan Peteanu. The 72-page paper, 
arranged in 12 sections, covers various topics including common 
mistakes, security in a project life cycle, principles, services, 
authorization, technologies, languages, platforms, distributed systems, 
and tools. The document is a great top-level overview of those focus 
areas rather than an intricate guide. Nevertheless, it's full of useful 
advice and interesting anecdotes. You'll find it at the URL below. 
Until next time, have a great week.
   http://members.home.net/razvan.peteanu/best_prac_for_sec_dev4.pdf

Sincerely,

Mark Joseph Edwards, News Editor, mark () ntsecurity net

2. ==== SECURITY RISKS ====
   (contributed by Ken Pfeil, ken () win2000mag com)

* MULTIPLE VULNERABILITIES IN MICROSOFT INTERNET EXPLORER
   Michiel Kikkert and Joao Gouviea discovered several vulnerabilities 
that affect Internet Explorer (IE) 6.0, 5.5, and 5.01. The first 
problem involves using a dotless IP address with particular malformed 
URL requests, which an attacker can use to cause a site to load under 
the intranet zone security settings and can expose the client system to 
further attack. The second problem occurs when an attacker encodes URLs 
in a way that makes it possible to issue requests to a site 
automatically on establishing a connection to that site. In doing so, 
an intruder causes a variety of unwanted actions to take place, such as 
deleting Web-based email and spoofing transactions. The third problem 
occurs when an intruder launches Telnet from a URL within IE. Using the 
Telnet client that ships as part of Microsoft Services for UNIX (SFU) 
2.0, an attacker can make the Telnet Client receive and execute that 
file.
   Microsoft released Security Bulletin MS01-051 and a patch to address 
these matters. Microsoft articles Q306121 and Q308414, which discuss 
this matter, should become available tomorrow.
   http://www.secadministrator.com/articles/index.cfm?articleid=22873

********************

~~~~ SPONSOR: PREVENT A CYBER TERRORISM ATTACK ON YOUR NETWORK ~~~~
   The NIMDA Virus and other security threats are easily avoided if the 
latest security updates are deployed with UpdateEXPERT(tm). 
UpdateEXPERT is a solution that helps you secure your systems by 
deploying service packs and hotfixes. UpdateEXPERT supports Windows NT 
and 2000, and a long list of mission critical applications. Quickly 
conduct research, take inventory, deploy updates and validate 
installations of networked machines from the comfort of your 
workstation.
   Free Trial:
   http://lists.win2000mag.net/cgi-bin3/flo?y=eIGg0CJgSH0BVg0gcc0AT 

~~~~~~~~~~~~~~~~~~~~

3. ==== ANNOUNCEMENTS ====

* MEC 2001, NICE, FRANCE, NOVEMBER 6 THROUGH 9, 2001
   MEC 2001 offers in-depth technical training for planning, deploying, 
and managing your enterprise infrastructure. Join industry experts to 
discuss best practices for deploying Microsoft Exchange 2000 and Active 
Directory (AD), extending the platform with Office XP, and integrating 
Exchange 2000 with the other .NET Enterprise Servers. Call to register 
at +44 1252 771 133, or visit the MEC Web site.
   http://lists.win2000mag.net/cgi-bin3/flo?y=eIGg0CJgSH0BVg0gcd0AU 

* WHAT DOES A CONNECTED HOME LOOK LIKE?
   You've never seen anything like the Connected Home Magazine Virtual 
Tour. Experience (room by room) the latest home entertainment, home 
networking, and home automation options that are going to change how 
you work and play. While you're there, enter to win a free copy of 
Windows XP!
   http://lists.win2000mag.net/cgi-bin3/flo?y=eIGg0CJgSH0BVg0LTe0An 

4. ==== SECURITY ROUNDUP ====

* FEATURE: XP PRO FOR THE ADMINISTRATOR 
   You've probably heard how Windows XP Professional Edition is easier 
to use and more productive for end users than Windows 2000 
Professional. But, like most administrators, you probably want to hear 
more about the XP Pro features that affect how you do your job. 
Although the Windows 2000 Magazine Lab staff hasn't yet thoroughly 
tested XP Pro, we've begun performing tests in environments that 
include XP Pro clients. In our testing, we've discovered several 
administrator-related features that we think you'll like. Ed Roth fills 
you in on the details in this month's Lab Notes. 
   http://www.secadministrator.com/articles/index.cfm?articleid=22237

* REVIEW: EVENT ARCHIVER 3.3.25 AND EVENT ANALYST 1.3.52
   Logging and monitoring network server events has always been 
important for troubleshooting, trending, and long-term systems 
management. Although Windows NT Event Viewer can be useful for managing 
system logs, Windows 2000 and NT don't include extensive functionality 
for managing logs across multiple systems. Dorian Software Creations' 
Event Archiver 3.2.25 and Event Analyst 1.3.52 work together to 
simplify enterprisewide collection, storage, and analysis of your 
network systems' System, Application, and Security logs. Learn more 
about them in Marty Scher's review on our Web site!
   http://www.secadministrator.com/articles/index.cfm?articleid=22240

5. ==== HOT RELEASES (ADVERTISEMENTS) ====

* LANGUARD SECURITY EVENT LOG MONITOR OFFER!
   Catch hackers red-handed with LANguard S.E.L.M.! Provides intrusion 
detection through centralized NT/2000 security event log monitoring. 
Extensive reporting identifies all machines being targeted and local 
users trying to hack. Download your FREE starter pack today:
   http://lists.win2000mag.net/cgi-bin3/flo?y=eIGg0CJgSH0BVg0gce0AV 

* VERISIGN -- THE INTERNET TRUST COMPANY
   Secure your servers with 128-bit SSL encryption! Grab your copy of 
VeriSign's FREE Guide, "Securing Your Web site for Business," and learn 
about using SSL to encrypt e-commerce transactions. Get it now!
   http://lists.win2000mag.net/cgi-bin3/flo?y=eIGg0CJgSH0BVg0Lo50AS 

6. ==== SECURITY TOOLKIT ====

* BOOK HIGHLIGHT: THE CISSP PREP GUIDE: MASTERING THE TEN DOMAINS OF 
COMPUTER SECURITY
   By Ronald L. Krutz, Russell Dean Vines
   List Price: $69.99
   Fatbrain Online Price: $69.99
   Hardcover; 556 pages
   Published by John Wiley & Sons, September 2001
   ISBN 0471413569

For more information or to purchase this book, go to 
http://www1.fatbrain.com/asp/bookinfo/bookinfo.asp?theisbn=0471413569 
and enter WIN2000MAG as the discount code when you order the book.

* VIRUS CENTER
   Panda Software and the Windows 2000 Magazine Network have teamed to 
bring you the Center for Virus Control. Visit the site often to remain 
informed about the latest threats to your system security.
   http://www.secadministrator.com/panda

* FAQ: HOW CAN I PREVENT THE OS FROM STORING LAN MANAGER HASHES IN 
ACTIVE DIRECTORY AND THE SAM?
   ( contributed by John Savill, http://www.windows2000faq.com )

A. Both Windows XP and Windows 2000 support several authentication 
methods, including LAN Manager (LM), NT LAN Manager (NTLM), and NTLM 
version 2 (NTLMv2). LM stores passwords in a hashed format that's easy 
to crack. Starting with Windows 2000 Service Pack 2 (SP2), Microsoft 
addressed this weakness by adding the ability to disable the storage of 
LM hashes.

To disable LM hashes in Win2K, perform the following steps:

   1. Start the registry editor (regedit.exe) on the domain controller 
(DC). 
   2. Navigate to 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa. 
   3. From the Edit menu, select New, Key. 
   4. Enter a name of NoLMHash, set the value to 1, and click Enter. 
   5. Close the registry editor. 
   6. Restart the computer for the change to take effect. 

   To disable LM hashes in XP, perform steps 1 and 2 above. At step 3, 
from the Edit menu, select New, DWORD value. Complete the process by 
performing steps 4 through 6 above. This change won't happen until each 
user changes his or her password.
   In XP, you can also use Group Policy (GP) to disable LM hashes under 
Computer Configuration\Windows Settings\Security Settings\Local 
Policies\Security Options. To change the settings for this policy, 
locate the Network Security policy entitled "Do not store LAN Manager 
hash value on next password change." Be aware that if you set this 
option, some components that rely on LM hashes (e.g., the Windows 9x 
change password operation, Win9x client authentication if you don't have 
the Directory Services--DS--client pack installed) might not work as 
expected.

7. ==== NEW AND IMPROVED ====
   (contributed by Scott Firestone, IV, products () win2000mag com)

* WEB-BASED ANTIVIRUS SERVICE
   McAfee announced that WatchGuard Technologies will offer McAfee's 
ASaP Web-based managed virus scanning service for desktops. VirusScan 
ASaP provides 24 x 7 protection against vulnerabilities in an online 
delivery model that requires no internal resources from the channel 
partner or customer. The service provides detailed reporting on viruses 
detected and cleaned within the network. For pricing, contact 
WatchGuard Technologies at 206-521-8340.
   http://www.watchguard.com
   http://www.mcafeeb2b.com

* PROTECT YOUR PC
   Software Abroad announced an agreement with Danu Industries to 
distribute TermiNET, its personal firewall product that protects your 
PC from outside attack while you browse the Web or connect to other 
networks. The firewall lets you control and restrict access to specific 
services such as Web browsing or email. You can disallow access to 
specified undesirable sites or you can allow access only to known 
acceptable sites. TermiNET runs on Windows XP, Windows 2000, Windows 
NT, Windows Me, and Windows 9x and costs $39.95. Contact Software 
Abroad at 202-293-5151.
   http://www.sastore.com

8. ==== HOT THREADS ====

* WINDOWS 2000 MAGAZINE ONLINE FORUMS
   http://www.win2000mag.net/forums 

Featured Thread: Recommended Antivirus Software
   (Eighteen messages in this thread)

Brett uses Symantec's Norton Antivirus software to protect his Windows 
NT-based systems against viral infection. He's thinking of switching to 
a different product line and wonders whether you have suggestions for 
another solution. Can you help? Read more about the questions and 
responses or lend a hand at the following URL:
   http://www.secadministrator.com/forums/thread.cfm?thread_id=79459

* HOWTO MAILING LIST
http://www.secadministrator.com/listserv/page_listserv.asp?s=howto

Featured Thread: What Data Is Lost When an Account Is Deleted?
   (One message in this thread)

This user wonders what data is lost when a user account is deleted. He 
believes that--minimally--lost data includes the user's last logon date 
and time, as well as group memberships, SID, and exclusive file rights. 
He also noticed that the former user's file ownerships change to 
Unknown. Have you seen any other effects of deleting a user account? 
Read the responses or lend a hand at the following URL:
http://63.88.172.96/listserv/page_listserv.asp?a2=ind0110c&l=howto&p=805

9. ==== CONTACT US ====
   Here's how to reach us with your comments and questions:

* ABOUT THE COMMENTARY -- mark () ntsecurity net

* ABOUT THE NEWSLETTER IN GENERAL -- mlibbey () win2000mag com; please
mention the newsletter name in the subject line.

* TECHNICAL QUESTIONS -- http://www.win2000mag.net/forums

* PRODUCT NEWS -- products () win2000mag com

* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? -- Email Customer
Support at securityupdate () win2000mag com.

* WANT TO SPONSOR SECURITY UPDATE? -- emedia_opps () win2000mag com

********************

   Receive the latest information about the Windows 2000 and Windows NT
topics of your choice. Subscribe to our other FREE email newsletters.
   http://www.win2000mag.net/email

|-+-+-+-+-+-+-+-+-+-| 

Thank you for reading Security UPDATE.

SUBSCRIBE
To subscribe, send a blank email to mailto:Security_UPDATE_Sub () lists win2000mag net.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.