Information Security News mailing list archives

Security UPDATE, August 14, 2002


From: InfoSec News <isn () c4i org>
Date: Thu, 15 Aug 2002 06:06:06 -0500 (CDT)

********************
Windows & .NET Magazine Security UPDATE--brought to you by Security
Administrator, a print newsletter bringing you practical, how-to
articles about securing your Windows .NET Server, Windows 2000, and
Windows NT systems.
   http://www.secadministrator.com
********************

~~~~ THIS ISSUE SPONSORED BY ~~~~

Top 10 Windows and AD Security Threats
   http://list.winnetmag.com/cgi-bin3/flo?y=eM480CJgSH0CBw032P0AO

VeriSign - The Value of Trust
   http://list.winnetmag.com/cgi-bin3/flo?y=eM480CJgSH0CBw01bI0A2
   (below IN FOCUS)

~~~~~~~~~~~~~~~~~~~~

~~~~ SPONSOR: TOP 10 WINDOWS AND AD SECURITY THREATS ~~~~
   Do you know the 10 most widely exploited vulnerabilities in the
Windows environment and what you can do about them? The same
vulnerabilities get exploited again and again. In most cases they
aren't new - but left open, they can wreak havoc throughout your
organization. To find out how to protect your organization, download
the FREE white paper, "Top 10 Security Threats for Windows 2000 and
Active Directory." If nothing else, closing these Top 10 holes will go
a long way to securing your network! Download the white paper at
   http://list.winnetmag.com/cgi-bin3/flo?y=eM480CJgSH0CBw032P0AO

~~~~~~~~~~~~~~~~~~~~

August 14, 2002--In this issue:

1. IN FOCUS
     - Can Your Applications Jeopardize Your Security?

2. SECURITY RISKS
     - Multiple Vulnerabilities in Microsoft Content Management Server
       2001

3. ANNOUNCEMENTS
     - Enter the Windows & .NET Magazine/Transcender Sweepstakes!
     - Do You Like the Kind of Content You're Finding in This
       Newsletter?

4. SECURITY ROUNDUP
     - News: SP3 for Win2K Now Available
     - Feature: Forcing Password Changes
     - Feature: Synchronizing Logins

5. HOT RELEASES
     - Spectracom's NetClock, for Secure Network Time
     - IBM E-business Scalability White Paper

6. SECURITY TOOLKIT
     - Virus Center
     - FAQ: What Administrative Permissions Do I Need to Upgrade a
       System from Windows 2000 to Windows .NET Server (Win.NET 
       Server)?

7. NEW AND IMPROVED
     - Filter Objectionable Material from All Windows Applications
     - Enhance Enterprise VPN Performance
     - Submit Top Product Ideas

8. HOT THREADS
     - Windows & .NET Magazine Online Forums
        - Featured Thread: I've Been Hacked

9. CONTACT US
   See this section for a list of ways to contact us.

~~~~~~~~~~~~~~~~~~~~

1. ==== IN FOCUS ====
   (contributed by Mark Joseph Edwards, News Editor,
mark () ntsecurity net)

* CAN YOUR APPLICATIONS JEOPARDIZE YOUR SECURITY?

In last week's Security UPDATE Special Edition, I discussed
Microsoft's plan to implement a hardware-level security system
code-named Palladium. In the commentary, I quoted Chairman and Chief
Software Architect Bill Gates' statement that it's "the growth of the
Internet and the advent of massive computing systems built from loose
affiliations of services, machines, communications networks and
application software that have helped create the potential for
increased vulnerabilities."
   http://www.microsoft.com/mscorp/execmail/

Although Gates' statement seemed to pass the buck to some
extent--without admitting in the same breath to his own company's
shortcomings--another Microsoft executive let the cat out of the bag.
In May, "eWeek" reported that a top Microsoft executive, Jim Allchin,
admitted that parts of the company's software contained flaws so
dangerous that making those sections of program code public could be a
severe blow to Windows security. Both statements leave it to readers
to discern that loose affiliations are the necessary nature of current
computing--that is, unless we want to let a couple of companies
dominate the industry.
   http://www.eweek.com/article2/0,3959,5264,00.asp

To facilitate third-party application development, Windows allows
considerable flexibility. When third parties develop applications,
it's safe to say that they don't have nearly as much information about
APIs as Microsoft does. The companies' limited knowledge leads to
security-related problems. However, even when Microsoft offers sound
advice to third parties, the parties might incompletely register or
only partially understand the information offered.

Operational security contexts for system services and desktop
applications offer a good case in point. Last week, Chris Paget
published a white paper that details how misused security contexts can
lead directly to unauthorized elevation of user privileges. In many
cases, users--even guest users--can elevate their privileges to those
of the built-in System account, which, as you know, is all-powerful.

Paget describes the steps a user can take that lead to the System
account security context. The process works as follows: A user first
uses a simple program to obtain the window handle of an application
that's operating under the Local System account. The user uses the
handle to modify the application's window parameters so that the
window will accept a large amount of text from the Windows clipboard.
The user then uses the clipboard to paste command-shell code into the
window and sends a message to the window that executes the code. After
the code executes, the user has access to a command shell running
under the Local System account from which the user can perform any
desired action. To use Paget's technique, the user must usually have
either the ability to coax a user into running a malicious program or
physical access to the user's computer. However, Paget said that he
could use the technique to gain control over a remote Terminal Server
system because the remote server drives those desktops.
   http://security.tombom.co.uk/shatter.html

Before he published the white paper, Paget notified Microsoft about
his findings and his intent to publish them. Microsoft's response (see
the first URL below) noted that the company was aware of the
circumstances that could cause the vulnerability and had offered
advice that helps mitigate them. Microsoft had previously published an
essay titled, "The Ten Immutable Laws of Security" (see the second URL
below), in which laws 1 and 3 offer modest advice for third-party
developers, but only indirectly. Law 1 states, "If a bad guy can
persuade you to run his program on your computer, it's not your
computer anymore," and Law 3 states, "If a bad guy has unrestricted
physical access to your computer, it's not your computer anymore."
   http://security.tombom.co.uk/response.txt
   http://www.microsoft.com/technet/columns/security/essays/10imlaws.asp

Although both laws state truths and apply to the techniques Paget
outlines, they do little to inform developers about the extreme risks
associated with running desktop applications and user services under
the context of the System account. Unless developers fully realize the
risks, they unnecessarily place systems in jeopardy. Paget tested the
process of privilege elevation that he describes by exploiting Network
Associates' (formerly McAfee's) VirusScan 4.5.1, which opens windows
on the desktop under the Local System account.

You can help mitigate the risk of such an exploit by "attacking" your
own systems. From the Web page that contains Paget's white paper, you
can link to a small application called Shatter, which obtains an
application's window handles. You can use Shatter with Netcat, a
hexadecimal editor, and a Windows debugging application (also linked
in the white paper) to test various applications on your desktop to
see whether you can gain elevated privileges.
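
Before testing individual applications, it helps to know which windows
on the desktop belong to processes running as Local System. The
PowerShell script below is an added example, not part of the original
newsletter or of Paget's white paper; the WindowAudit and WindowInfo
names are hypothetical, and it only reads window and process metadata.

```powershell
# Added example: list top-level windows on the current desktop that belong to
# processes running as Local System (SID S-1-5-18). Read-only; run elevated so
# that process owners can be queried. WindowAudit/WindowInfo are hypothetical names.
Add-Type -TypeDefinition @'
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Text;

public class WindowInfo {
    public long Handle { get; set; }
    public int ProcessId { get; set; }
    public string ClassName { get; set; }
    public bool Visible { get; set; }
}

public static class WindowAudit {
    private delegate bool EnumWindowsProc(IntPtr hWnd, IntPtr lParam);

    [DllImport("user32.dll")]
    private static extern bool EnumWindows(EnumWindowsProc cb, IntPtr lParam);
    [DllImport("user32.dll")]
    private static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint pid);
    [DllImport("user32.dll", CharSet = CharSet.Unicode)]
    private static extern int GetClassName(IntPtr hWnd, StringBuilder buf, int max);
    [DllImport("user32.dll")]
    private static extern bool IsWindowVisible(IntPtr hWnd);

    // Enumerate every top-level window on the calling thread's desktop.
    public static List<WindowInfo> List() {
        var rows = new List<WindowInfo>();
        EnumWindows(delegate(IntPtr hWnd, IntPtr lParam) {
            uint pid;
            GetWindowThreadProcessId(hWnd, out pid);
            var cls = new StringBuilder(256);
            GetClassName(hWnd, cls, cls.Capacity);
            rows.Add(new WindowInfo {
                Handle = hWnd.ToInt64(), ProcessId = (int)pid,
                ClassName = cls.ToString(), Visible = IsWindowVisible(hWnd)
            });
            return true;   // keep enumerating
        }, IntPtr.Zero);
        return rows;
    }
}
'@

# Build a PID -> image name map of processes owned by Local System.
$systemProcs = @{}
Get-CimInstance -ClassName Win32_Process | ForEach-Object {
    $r = Invoke-CimMethod -InputObject $_ -MethodName GetOwnerSid -ErrorAction SilentlyContinue
    if ($r -and $r.Sid -eq 'S-1-5-18') { $systemProcs[[int]$_.ProcessId] = $_.Name }
}

# Report windows whose owning process is in that map.
[WindowAudit]::List() |
    Where-Object { $systemProcs.ContainsKey($_.ProcessId) } |
    Select-Object @{ n = 'Process'; e = { $systemProcs[$_.ProcessId] } }, ProcessId,
                  @{ n = 'Handle'; e = { '0x{0:X}' -f $_.Handle } }, ClassName, Visible |
    Sort-Object Process, ClassName
```

On Windows releases that run services in an isolated session 0 (Vista
and later), an empty result is the expected outcome; any row that does
appear names an application worth raising with its vendor.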

If you succeed in elevating privileges, you can respond in one of
three ways. You can ignore the fact that a given application
jeopardizes your security. You can notify the vendor about the
situation and insist that the vendor change the application's
behavior. Or you can stop using that particular software altogether.
You must police applications on your own systems--unless you want
Palladium to do it for you.

~~~~~~~~~~~~~~~~~~~~

~~~~ SPONSOR: VERISIGN - THE VALUE OF TRUST ~~~~
   FREE E-COMMERCE SECURITY GUIDE
   Is your e-business built on a strong, secure foundation? Find out
with VeriSign's FREE White Paper, "Building an E-Commerce Trust
Infrastructure." Learn how to authenticate your site to customers,
secure your web servers with 128-Bit SSL encryption, and accept secure
payments online. Click here:
   http://list.winnetmag.com/cgi-bin3/flo?y=eM480CJgSH0CBw01bI0A2

~~~~~~~~~~~~~~~~~~~~

2. ==== SECURITY RISKS ====
   (contributed by Ken Pfeil, ken () winnetmag com)

* MULTIPLE VULNERABILITIES IN MICROSOFT CONTENT MANAGEMENT SERVER 2001
   Joao Gouveia discovered three new vulnerabilities in Microsoft
Content Management Server 2001, the most serious of which could give a
potential attacker full control over the vulnerable server. These
three vulnerabilities consist of a buffer overrun in a low-level
function that performs user authentication, a SQL injection
vulnerability, and two flaws that affect a function that lets a user
upload files to the server. Microsoft has released Microsoft Security
Bulletin MS02-041 (Unchecked Buffer in Content Management Server Could
Enable Server Compromise) to address this vulnerability and recommends
that affected users download and apply the appropriate patch mentioned
in the security bulletin.
   http://www.secadministrator.com/articles/index.cfm?articleid=26212

3. ==== ANNOUNCEMENTS ====
   (brought to you by Windows & .NET Magazine and its partners)

* ENTER THE WINDOWS & .NET MAGAZINE/TRANSCENDER SWEEPSTAKES!
   Nothing can help you prepare for certification like Transcender
products, and no one can help you master your job like Windows & .NET
Magazine. Enter our combined sweepstakes contest, and you could win a
Transcender Deluxe MCSE Select Pak (a $729 value) or one of several
other great prizes. Sign up today!
   http://list.winnetmag.com/cgi-bin3/flo?y=eM480CJgSH0CBw028j0At

* DO YOU LIKE THE KIND OF CONTENT YOU'RE FINDING IN THIS NEWSLETTER?
   If so, we have more than a dozen email newsletters just as
informative as this one on the topics you care about most. From
Windows 2000/NT to security to storage, our technical authors cut to
the chase about what's going on in the industry so that you can stay
informed in less than 5 minutes a day! Subscribe at no charge.
   http://list.winnetmag.com/cgi-bin3/flo?y=eM480CJgSH0CBw0rvS0Ac

4. ==== SECURITY ROUNDUP ====

* NEWS: SP3 FOR WIN2K NOW AVAILABLE
   On July 30, Microsoft released Service Pack 3 (SP3) for Windows
2000. Users should consider loading the new service pack for a variety
of reasons, including the fact that the new service pack contains all
the fixes presented in the Win2K Security Rollup Package 1 (SRP1). But
that's not all. The new service pack also contains other
security-related modifications for Win2K systems, so be sure to read
the news story on our Web site to learn the details.
   http://www.wininformant.com/articles/index.cfm?articleid=26219

* FEATURE: FORCING PASSWORD CHANGES
   Do you subscribe to our Windows Client UPDATE newsletter? If not,
you missed some interesting commentary. Last week, David Chernicoff
discussed network problems that a systems administrator encountered
after a quarterly security audit. During the audit process, users'
passwords were changed and unpredictable behavior set in regarding
access to file shares and Encrypting File System (EFS)-encrypted
files. Visit our Web site and read about the circumstances. You might
find yourself in a similar situation.
   http://www.secadministrator.com/articles/index.cfm?articleid=26210

* FEATURE: SYNCHRONIZING LOGINS
   In our most recent Reader Challenge, a reader posed a problem about
the task of synchronizing logins across multiple Microsoft SQL Server
machines as follows: Ray's company runs SQL Server 7.0 on its
production servers and SQL Server 2000 on its staging servers. Ray
needs to build a script that can synchronize logins between the
production and staging servers (i.e., add missing logins from the
production servers to the staging servers). Synchronized logins will
let him create an identical environment for testing application
upgrades, SQL Server, and the OS on a different server. When a staging
server is configured identically to a production server and holds the
same data, he can also test service pack upgrades on the staging
server. Then, after the upgrade is finished, he can switch the server
roles. The production servers are configured for mixed authentication,
which means that users can connect to a SQL Server instance by using
either Windows authentication or SQL Server authentication. Visit our
Web site to see how the challenge winner helped Ray write a script
that can synchronize the logins between the servers while preserving
all login properties.
   http://www.secadministrator.com/articles/index.cfm?articleid=25710

5. ==== HOT RELEASES ====

* SPECTRACOM'S NETCLOCK, FOR SECURE NETWORK TIME
   Does your network depend on a Time Source that's outside your
Firewall? Doesn't your network need an accurate clock source? Think
"Time" is FREE over the Internet? Spectracom's NetClock/NTP and
White-Paper can help you.
   http://list.winnetmag.com/cgi-bin3/flo?y=eM480CJgSH0CBw02fG0A5
   http://list.winnetmag.com/cgi-bin3/flo?y=eM480CJgSH0CBw02fF0A4

* IBM E-BUSINESS SCALABILITY WHITE PAPER
   Learn real-world techniques for meeting the scalability demands of
your e-business. The IBM white paper, "Design for Scalability,"
includes information that can help you meet changing usage demands.
Get your complimentary copy at
   http://www.ibm.com/e-business/playtowin/n177

6. ==== SECURITY TOOLKIT ====

* VIRUS CENTER
   Panda Software and the Windows & .NET Magazine Network have teamed
to bring you the Center for Virus Control. Visit the site often to
remain informed about the latest threats to your system security.
   http://www.secadministrator.com/panda

* FAQ: WHAT ADMINISTRATIVE PERMISSIONS DO I NEED TO UPGRADE A SYSTEM
FROM WINDOWS 2000 TO WINDOWS .NET SERVER (WIN.NET SERVER)?
   (contributed by John Savill, http://www.windows2000faq.com)

A. The permissions required to upgrade a server from Win2K to Win.NET
Server vary depending on the server, its position in the forest, and
which domain users use to log on to the network. For all upgrades, you
need the ability to
   1. back up files and directories
   2. modify firmware environment values
   3. restore files and directories
   4. shut down the system

The tables listed on our FAQ site at the URL below show which
administrative roles have access to domain controllers (DCs) and
member servers, depending on whether the administrator is logged on to
a root domain or a nonroot domain.
   http://www.secadministrator.com/articles/index.cfm?articleid=26082

7. ==== NEW AND IMPROVED ====
   (contributed by Judy Drennen, products () winnetmag com)

* FILTER OBJECTIONABLE MATERIAL FROM ALL WINDOWS APPLICATIONS
   Security Software Systems released Cyber Sentinel, software that
filters objectionable material from all Windows
applications--including Microsoft Word, Microsoft Excel, email,
attachments, instant messages, and chats--not just from the Internet.
Cyber Sentinel delivers reports so that you can see where your
problems lie and who's causing the violations. The software costs $49
for up to 25 users. Contact Security Software Systems at 630-466-1038
or info () securitysoft com.
   http://www.securitysoft.com

* ENHANCE ENTERPRISE VPN PERFORMANCE
   WatchGuard Technologies announced the RapidStream "Secured by Check
Point" line of high-performance security appliances, targeted at the
Global 1000 and large enterprise market. The RapidStream line, which
includes RapidStream 11000, RapidStream 8100, RapidStream 6100, and
RapidStream 2100 models, is designed to address VPN performance,
scalability, and flexibility in a Check Point appliance solution.
Pricing starts at $5000 for the RapidStream 2100, which supports up to
400 IP Security (IPSec) tunnels and 8000 concurrent sessions. Contact
WatchGuard at 206-521-8340.
   http://www.rapidstream.com

* SUBMIT TOP PRODUCT IDEAS
   Have you used a product that changed your IT experience by saving
you time or easing your daily burden? Do you know of a terrific
product that others should know about? Tell us! We want to write about
the product in a future What's Hot column. Send your product
suggestions to whatshot () winnetmag com.

8. ==== HOT THREADS ====

* WINDOWS & .NET MAGAZINE ONLINE FORUMS
   http://www.winnetmag.com/forums

Featured Thread: I've Been Hacked
   (10 messages in this thread)

Bruce writes that a few days ago he noticed a new icon in the system
tray of one of his Windows 2000 servers. The icon was for slave.exe
from Remote-Anything. He also found remnants of Serv-U installed.
Neither had been installed locally. He has uninstalled slave.exe and
is still trying to find a way to safely uninstall Serv-U. He wants to
know whether any available software monitors who's connected to which
ports. Also, should he report the offender to his ISP (his ISP is in
Israel; Bruce is in Canada)? Read the responses or lend a hand at:
   http://www.secadministrator.com/forums/thread.cfm?thread_id=111167

9. ==== CONTACT US ====
   Here's how to reach us with your comments and questions:

* ABOUT IN FOCUS -- mark () ntsecurity net

* ABOUT THE NEWSLETTER IN GENERAL -- vpatterson () winnetmag com (please
mention the newsletter name in the subject line)

* TECHNICAL QUESTIONS -- http://www.winnetmag.com/forums

* PRODUCT NEWS -- products () winnetmag com

* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer
Support -- securityupdate () winnetmag com

* WANT TO SPONSOR SECURITY UPDATE? emedia_opps () winnetmag com

********************

   This email newsletter is brought to you by Security Administrator,
the print newsletter with independent, impartial advice for IT
administrators securing a Windows 2000/Windows NT enterprise.
Subscribe today!
   http://www.secadministrator.com/sub.cfm?code=saei25xxup

   Receive the latest information about the Windows and .NET topics of
your choice. Subscribe to our other FREE email newsletters.
   http://list.winnetmag.com/cgi-bin3/flo?y=eM480CJgSH0CBw0rvS0Ac

|-+-|-+-|-+-|-+-|-+-|

Thank you for reading Security UPDATE.

MANAGE YOUR ACCOUNT
   You can manage your entire Windows & .NET Magazine Network email
newsletter account on our Web site. Simply log on and you can change
your email address, update your profile information, and subscribe or
unsubscribe to any of our email newsletters all in one place.
   http://list.winnetmag.com/cgi-bin3/flo?y=eM480CJgSH0CBw0rvS0Ac

Thank you!



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

