Information Security News mailing list archives

Security UPDATE, February 6, 2002


From: InfoSec News <isn () c4i org>
Date: Thu, 7 Feb 2002 00:50:24 -0600 (CST)

******************** 
Security UPDATE--brought to you by Security Administrator, a print newsletter 
bringing you practical, how-to articles about securing your Windows .NET, 2000, 
and NT systems. 
   http://www.secadministrator.com 
******************** 

~~~~ THIS ISSUE SPONSORED BY ~~~~ 

SuperScout Web and Email Filter
   http://list.winnetmag.com/cgi-bin3/flo?y=eKca0CJgSH0CBw0qqD0Ah 

New Security Toolset: ELM Log Manager(tm) 3.0
   http://list.winnetmag.com/cgi-bin3/flo?y=eKca0CJgSH0CBw0qqE0Ai
   (Below IN FOCUS)

~~~~~~~~~~~~~~~~~~~~ 

~~~~ SPONSOR: SUPERSCOUT WEB AND EMAIL FILTER ~~~~
   It's time to realize the risks of NOT filtering. You can't be everywhere at 
once. What's worse, your users, either intentionally or accidentally, put your 
network/email systems in jeopardy on a daily basis: introducing VIRUSES, 
downloading BANDWIDTH intensive audio, or leaking CONFIDENTIAL INFORMATION. In 
any case, there's a price to pay and likely you'll be involved in the clean-up. 
Reduce the risk: download your FREE 30-Day trials of SuperScout Web and Email 
Filter today:
   http://list.winnetmag.com/cgi-bin3/flo?y=eKca0CJgSH0CBw0qqD0Ah 

~~~~~~~~~~~~~~~~~~~~ 

February 6, 2002--In this issue: 

1. IN FOCUS
     - Active Directory and the Common Criteria

2. SECURITY RISKS
     - Privilege Escalation Vulnerability in Win2K/NT Domains 
     - DoS in Snort

3. ANNOUNCEMENTS
     - Want 24 x 7 Availability?
     - We Want to Hear from You!

4. SECURITY ROUNDUP
     - News: Microsoft Reportedly Halts New Software Development Temporarily 
     - News: Tiny Software Announces Trojan Trap Software 
     - News: New Version of SPECTER IDS Honeypot Available for XP 
     - News: Microsoft Ships Win2K Security Rollup Package

5. HOT RELEASES (ADVERTISEMENTS)
     - IBM Secure E-business Infrastructure
     - Sponsored by VeriSign--The Value of Trust

6. SECURITY TOOLKIT
     - Virus Center
     - FAQ: How Can I Run Scheduled Tasks in the Background When They Run as the 
       Currently Logged-on User?

7. NEW AND IMPROVED
     - Scan for Viruses
     - Protect Your Laptop from Theft

8. HOT THREADS
     - Windows & .NET Magazine Online Forums
         - Featured Thread: How to Control Bandwidth Use 
     - HowTo Mailing List
         - Featured Thread: User Becomes Locked Out

9. CONTACT US 
   See this section for a list of ways to contact us. 
~~~~~~~~~~~~~~~~~~~~ 

1. ==== IN FOCUS ==== 

* ACTIVE DIRECTORY AND THE COMMON CRITERIA

Hello everyone, 

Last week I wrote about Microsoft's white paper, "Design Considerations for 
Delegation of Administration in Active Directory," which discusses design 
considerations to maximize security for organizations that might need multiple 
domains. The paper, in part, suggests that such organizations should consider 
using multiple forests to minimize security risks. 

http://www.microsoft.com/windows2000/techinfo/planning/activedirectory/addeladmin.asp

Donald Bauer, MCSE and Certified Citrix Administrator (CCA) at Integery 
International, wrote to inform me that Lucent Technologies has a white paper, 
"Windows 2000 Active Directory Design, Restricting the Enterprise Administrators 
Group," which is available online in PDF format. Anyone wondering about the pros 
and cons of multiple forest directory models should read this paper.

http://www.lucent.com/knowledge/documentdetail/0,1983,inContentId+8839-inLocaleId+1,00.html 

The white paper outlines the advantages of grouping domains into a forest and 
discusses three Active Directory (AD) features that make this choice reasonable. 
The paper says, "There are many advantages to having domains grouped into a 
forest. First and foremost, the Windows 2000 AD automatically manages 
interdomain trusts within a forest. A second major advantage is that tools exist 
from both Microsoft and third parties to permit the movement of certain types of 
objects, such as user or computer accounts, from one domain to another in the 
same forest. A third advantage is a unified administrative model: a user can be 
designated an Enterprise Administrator (EA) and granted administrative rights to 
all domains in the forest." 

Great points. The paper also discusses the controversy about the third mentioned 
advantage--a unified administrative model. The paper states, "This third feature 
has caused some controversy; specifically, some organizations want to have a 
fully segregated domain design such that an administrator in one domain cannot 
interfere with another domain. This has led some organizations to consider 
creating separate forests. Separate forests, while they do solve the problem of 
overlapping administration, introduce other complications into the mix; trusts 
between domains from different forests must be manually managed. If the 
organization employs Exchange 2000, a common global address book is not possible 
since the address book is defined on a forest basis. Finally, the ability to 
move user and computer objects between domains is lost since no tool currently 
exists to move an object from one forest to another."

Those are some additional interesting tidbits of information, don't you think? 
If you're using AD, be sure to read the eight-page white paper--it's worth your 
time to do so. 

On January 17, Microsoft released another white paper about AD called "The 
Common Criteria: Providing a Reliable Security Standard." The paper is available 
on the company's Web site. The paper discusses how to use AD to comply with the 
Common Criteria (CC). 
   http://www.microsoft.com/windows2000/techinfo/planning/commoncriteria.asp

According to the US government's CC Web site, "The governments of North American 
and European nations agreed in the spring of 1993 to develop a 'Common 
Information Technology Security Criteria.' Participants include France, Germany, 
the Netherlands, the UK, Canada, and the United States (National Institute of 
Standards and Technology--NIST--and National Security Administration--NSA). The 
Common Criteria Project is an international body of organizations charged with 
aligning the existing security criteria into a standard for certifying the 
security of products and systems." 

The CC Project consists of three parts. Part 1 defines general concepts and 
principles of IT security evaluation and presents a general model of evaluation. 
Part 2 establishes a set of standard components to express the functional 
security requirements for targets of security evaluation. Part 3 establishes a 
set of assurance components to express the assurance requirements for targets of 
evaluation. Be sure to visit the CC Web site and read about this initiative in 
detail. You can also read a brief explanation of the project at the SANS 
Institute Web site.
   http://csrc.nist.gov/cc/info/infolist.htm
   http://www.commoncriteria.org
   http://rr.sans.org/securitybasics/criteria.php

Until next time, have a great week. 

Sincerely, 
Mark Joseph Edwards, News Editor 
mark () ntsecurity net 

~~~~~~~~~~~~~~~~~~~~

~~~~ SPONSOR: NEW SECURITY TOOLSET: ELM LOG MANAGER(tm) 3.0 ~~~~
   TNT Software's ELM Log Manager(tm) 3.0 gives Security Administrators the 
power to see event entries with unrivaled clarity. With or without installed 
Agents, ELM efficiently monitors and collects events with separate, easy to use, 
Monitor Items. Personal Views and scheduled Reports provide valuable event 
summaries. And a unique Alerts feature, one of the 14 Notification Methods, 
provides a single glance view of the most critical events allowing prompt 
action. Download ELM and see How the First-to-Know Stay Ahead(tm)
   For more information and download visit:
   http://list.winnetmag.com/cgi-bin3/flo?y=eKca0CJgSH0CBw0qqE0Ai 

~~~~~~~~~~~~~~~~~~~~
2. ==== SECURITY RISKS ==== 
   (contributed by Ken Pfeil, ken () winnetmag com) 

* PRIVILEGE ESCALATION VULNERABILITY IN WIN2K/NT DOMAINS
   A vulnerability in Windows 2000 and Windows NT 4.0 domains lets an attacker 
gain administrative access to computers in a trusting domain. This vulnerability 
stems from the fact that the trusting domain doesn't verify that the trusted 
domain is actually authoritative for all the SIDs in the authorization data. If 
one of the SIDs in the list identifies a user or security group that's not in 
the trusted domain, the trusting domain accepts the information and uses it for 
future access control decisions. By inserting SIDs into the authorization data 
at the trusted domain, an attacker can elevate his or her privileges to those 
associated with any user or group, including the Domain Administrators group for 
the trusting domain. Microsoft has released security bulletin MS02-01 to address 
this vulnerability and recommends that affected users apply the security rollup 
packages provided in the bulletin.
   http://www.secadministrator.com/articles/index.cfm?articleid=23959
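The fix Microsoft shipped for this class of problem is SID filtering: the trusting domain discards any SID in the authorization data that the trusted domain is not authoritative for. The following is an added illustration of that check, not Microsoft's code and not the Windows implementation; all SIDs in it are constructed sample values, and the policy of accepting only SIDs relative to the trusted domain is a simplification (the real filter also has rules for well-known SIDs that are not reproduced here).

```python
"""Simplified model of SID filtering on a domain trust (added example,
not Microsoft's implementation). All SIDs below are constructed samples."""
import re
from typing import List, Tuple

# S-1-<authority>-<subauthority>... ; a domain SID is S-1-5-21-A-B-C and
# an account or group SID appends one more subauthority, the RID.
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def split_sid(sid: str) -> Tuple[str, int]:
    """Return (domain identifier, RID) for an account or group SID string.
    For S-1-5-21-1111-2222-3333-512 the domain identifier is
    S-1-5-21-1111-2222-3333 and the RID is 512."""
    if not SID_RE.match(sid):
        raise ValueError(f"malformed SID: {sid!r}")
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def filter_sids(trusted_domain_sid: str, auth_sids: List[str]) -> Tuple[List[str], List[str]]:
    """Apply the trusting domain's check: keep SIDs whose domain identifier is
    the trusted domain's, reject everything else. Returns (accepted, rejected).
    Rejected SIDs are exactly the ones the vulnerable behaviour would have
    honoured for later access-control decisions."""
    accepted: List[str] = []
    rejected: List[str] = []
    for sid in auth_sids:
        domain, _ = split_sid(sid)
        if domain == trusted_domain_sid:
            accepted.append(sid)
        else:
            rejected.append(sid)
    return accepted, rejected


# Constructed sample: the trusted domain presents a user, its Domain Users
# group (RID 513) and a SID that belongs to a different domain entirely,
# namely the trusting domain's Domain Admins group (RID 512).
TRUSTED_DOMAIN = "S-1-5-21-1111-2222-3333"
TRUSTING_DOMAIN = "S-1-5-21-4444-5555-6666"
SAMPLE_AUTH_DATA = [
    TRUSTED_DOMAIN + "-1105",
    TRUSTED_DOMAIN + "-513",
    TRUSTING_DOMAIN + "-512",
]

if __name__ == "__main__":
    ok, dropped = filter_sids(TRUSTED_DOMAIN, SAMPLE_AUTH_DATA)
    print("accepted:", ok)
    print("rejected:", dropped)
```

Without the filter, all three SIDs would be kept and the third one would grant Domain Admins rights in the trusting domain; with it, only the two SIDs the trusted domain can legitimately vouch for survive.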

* DOS IN SNORT
   A remote Denial of Service (DoS) condition exists in the open-source 
Intrusion Detection System (IDS) Snort. An attacker can use specially crafted 
Internet Control Message Protocol (ICMP) echo and echo-reply packets with fewer 
than 5 bytes of ICMP data to remotely crash the system. Snort recommends that 
affected users apply the available patch and recompile the binaries or download 
the latest version (build 90 or better).
   http://www.secadministrator.com/articles/index.cfm?articleid=23923
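The defect here is a decoder that reads echo fields without first checking that the packet is long enough to contain them. The following added example is not Snort's code; it is a minimal ICMP decoder that validates the length required by each message type before touching a field, so a short echo packet yields a "truncated" result rather than a crash. The packets it processes are constructed samples.

```python
"""Length-checked ICMP echo decoder (added example, not Snort's decoder).
Packets built here are constructed samples."""
import struct
from typing import Dict

ICMP_ECHO_REPLY = 0
ICMP_ECHO = 8
ICMP_MIN_HEADER = 4    # type (1), code (1), checksum (2)
ICMP_ECHO_HEADER = 8   # plus identifier (2) and sequence number (2)


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the whole ICMP message.
    Over a message whose checksum field is already correct this returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_icmp(packet: bytes) -> Dict[str, object]:
    """Decode one ICMP message without ever reading past its end.
    'status' is 'ok', 'truncated' or 'bad_checksum'."""
    if len(packet) < ICMP_MIN_HEADER:
        return {"status": "truncated", "length": len(packet)}
    icmp_type, code, _ = struct.unpack("!BBH", packet[:4])
    result: Dict[str, object] = {"type": icmp_type, "code": code, "length": len(packet)}

    # Work out how many bytes this type needs before parsing any more of it.
    needed = ICMP_ECHO_HEADER if icmp_type in (ICMP_ECHO, ICMP_ECHO_REPLY) else ICMP_MIN_HEADER
    if len(packet) < needed:
        result["status"] = "truncated"
        return result

    if icmp_checksum(packet) != 0:
        result["status"] = "bad_checksum"
        return result

    if icmp_type in (ICMP_ECHO, ICMP_ECHO_REPLY):
        ident, seq = struct.unpack("!HH", packet[4:8])
        result["identifier"] = ident
        result["sequence"] = seq
        result["payload"] = packet[8:]
    result["status"] = "ok"
    return result


def build_echo(ident: int, seq: int, payload: bytes) -> bytes:
    """Build a well-formed echo request with a correct checksum (test helper)."""
    body = struct.pack("!BBHHH", ICMP_ECHO, 0, 0, ident, seq) + payload
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]


if __name__ == "__main__":
    # Constructed samples: a normal echo request and two undersized ones.
    for pkt in (build_echo(0x1234, 7, b"ab"), b"\x08\x00\x00\x00\x12", b"\x08"):
        print(len(pkt), "bytes ->", decode_icmp(pkt))
```

The point is the order of operations: decide how many bytes the message type requires, compare against what actually arrived, and only then unpack. A sensor that does this degrades to logging a malformed packet instead of falling over, which is the behaviour the patched Snort build restores.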

3. ==== ANNOUNCEMENTS ==== 

* WANT 24 X 7 AVAILABILITY?
   High-availability networks, systems, and applications are critical to every 
business. Sign up for our (free!) Webinar taking place on February 26 and 
sponsored by MKS, and find out how to achieve 24 x 7 availability on Windows 
2000. Windows & .NET Magazine author Tim Huckaby shares his expertise on load 
balancing, monitoring, and more. Register today!
   http://list.winnetmag.com/cgi-bin3/flo?y=eKca0CJgSH0CBw0qQh0Al 

* WE NEED TO HEAR FROM YOU!
   Your feedback is invaluable to us. Tell us who you are and how you use our 
products and you could win a free T-shirt, mag light, or padfolio. To get 
started, go to the following URL.
   http://www.zoomerang.com/survey.zgi?d9ng21n8yxanak2gl8wswtql

4. ==== SECURITY ROUNDUP ==== 

* NEWS: MICROSOFT REPORTEDLY HALTS NEW SOFTWARE DEVELOPMENT TEMPORARILY
   According to a report in Government Computer News (GCN), an IT publication 
aimed at federal, state, and local governments in the United States, Microsoft 
has halted all new software development for 1 month so that the company's 
programmers can focus on fixing existing bugs. 
   http://www.secadministrator.com/articles/index.cfm?articleid=23971

* NEWS: TINY SOFTWARE ANNOUNCES TROJAN TRAP SOFTWARE
   Tiny Software announced the release of Trojan Trap, a security tool designed 
to prevent malicious applications and code from entering a network. The program 
consists of a series of executables, DLLs, and kernel-level drivers--each 
protecting a different aspect of an OS. Trojan Trap creates a closed sandbox 
environment in which code can execute. The software monitors the code to protect 
against unwanted access to system drivers, services, the registry, system files, 
and network ports.
   http://www.secadministrator.com/articles/index.cfm?articleid=23952

* NEWS: NEW VERSION OF SPECTER IDS HONEYPOT AVAILABLE FOR XP 
   NETSEC announced version 6.0 of its SPECTER IDS honeypot software for Windows 
XP, Windows 2000, and Windows NT 4.0. The new version simulates 13 different 
OSs, includes new services and traps, and provides improved tools for incident 
analysis.
   http://www.secadministrator.com/articles/index.cfm?articleid=23940

* NEWS: MICROSOFT SHIPS WIN2K SECURITY ROLLUP PACKAGE
   Microsoft finally shipped its long-awaited Security Rollup Package for Win2K, 
which aggregates all the security fixes the company has shipped since Win2K 
Service Pack 2 (SP2). The cumulative patch requires that Win2K customers first 
install SP2.
   http://www.secadministrator.com/articles/index.cfm?articleid=23928

5. ==== HOT RELEASES (ADVERTISEMENTS) ====

* IBM SECURE E-BUSINESS INFRASTRUCTURE
   Not worried about hackers? You should be. If your customers don't 
feel comfortable working with you, they'll work with someone else. 
Learn how IBM e-business can help, and get our complimentary 
security book at
   http://list.winnetmag.com/cgi-bin3/flo?y=eKca0CJgSH0CBw0qqF0Aj 

* SPONSORED BY VERISIGN--THE VALUE OF TRUST
   Is your e-business secure? Learn why it's vital to encrypt business 
transactions, secure intranets and authenticate your Web site with the strongest 
encryption available--128-bit SSL. Get VeriSign's FREE Guide, "Securing Your Web 
Site for Business" now: 
   http://list.winnetmag.com/cgi-bin3/flo?y=eKca0CJgSH0CBw0p5N0Aq 

6. ==== SECURITY TOOLKIT ==== 

* VIRUS CENTER 
   Panda Software and the Windows & .NET Magazine Network have teamed to 
bring you the Center for Virus Control. Visit the site often to remain 
informed about the latest threats to your system security. 
   http://www.secadministrator.com/panda 

* FAQ: HOW CAN I RUN SCHEDULED TASKS IN THE BACKGROUND WHEN THEY RUN AS THE 
CURRENTLY LOGGED-ON USER?
 ( contributed by John Savill, http://www.windows2000faq.com ) 

A. Scheduled tasks usually run under the SYSTEM context and run in the 
background. However, if you change a service to run as a user account and that 
account is currently logged on to the machine, the scheduled task will run in 
the foreground. To change this behavior, follow these steps: 

   1. Start a registry editor (e.g., regedit.exe). 
   2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. 
   3. Double-click Shell (which is explorer.exe). 
   4. Modify this value to "<C:\windows>\explorer.exe," (don't type the quotes 
but do type the comma), where <C:\windows> is your local machine's system root. 
   5. Click OK.

7. ==== NEW AND IMPROVED ==== 
   (contributed by Scott Firestone IV, products () winnetmag com) 

* SCAN FOR VIRUSES
   Central Command released Vexira Antivirus, virus-protection software that 
combines a fast virus-scanning speed with various virus-detection technologies. 
The software features Vexira Guard, a realtime scanner that operates in the 
background until it detects a virus. The software then stops access to the 
infected files to prevent accidental infection. Vexira Antivirus runs on Windows 
XP, Windows 2000, Windows NT, Windows Me, and Windows 9x systems and costs 
$49.95. Contact Central Command at 330-723-2062 or 866-243-8289.
   http://www.centralcommand.com

* PROTECT YOUR LAPTOP FROM THEFT
   Caveo Technology released Caveo Anti-Theft, an integrated security solution 
for laptops that is available in the form of a PC Card. The solution deters 
theft by detecting motion and issuing audible warning signals. If someone moves 
the laptop beyond a distance specified by you, the system assumes theft and 
implements strong security responses. The security measures include shutting 
down the laptop, an audible alarm, and the option to encrypt the hard disk. The 
Caveo Anti-Theft PC Cards cost $99. Contact Caveo Technology at 800-363-1418.
   http://www.caveo.com

8. ==== HOT THREADS ==== 

* WINDOWS & .NET MAGAZINE ONLINE FORUMS 
   http://www.winnetmag.net/forums 

Featured Thread: How to Control Bandwidth Use
   (One message in this thread)

Spike's company uses a single Internet connection for its Web server and proxy 
server. The company's priority is the Web server, and Spike wants to know how he 
can control the bandwidth use of the proxy server so that users take up less 
bandwidth, thereby freeing up bandwidth for server use. If you can help, visit 
the following URL:
   http://www.secadministrator.com/forums/thread.cfm?thread_id=84618

* HOWTO MAILING LIST 
   http://www.secadministrator.com/listserv/page_listserv.asp?s=howto 

Featured Thread: User Becomes Locked Out
   (One message in this thread)

Dimitri has a situation in which one user complains about once a week that his 
account has locked him out. Dimitri checks event logs on the domain controllers 
(DCs) and doesn't see anything unusual--no failed logons anywhere in the 
organization. Dimitri enabled logging for all events, whether successful or 
failed. He checked to ensure that he doesn't have drives mapped to other 
machines and to ensure that no other software tries to authenticate to the 
network. He also confirmed that the user isn't dialed in or running a VPN from 
home with a connection left running. Can you help? Read the responses or lend a 
hand at the following URL:
   http://63.88.172.96/listserv/page_listserv.asp?a2=ind0202a&l=howto&p=3527

9. ==== CONTACT US ==== 
   Here's how to reach us with your comments and questions: 

* ABOUT IN FOCUS -- mark () ntsecurity net 

* ABOUT THE NEWSLETTER IN GENERAL -- mlibbey () winnetmag com (please 
mention the newsletter name in the subject line) 

* TECHNICAL QUESTIONS -- http://www.winnetmag.net/forums 

* PRODUCT NEWS -- products () winnetmag com 

* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer 
Support -- securityupdate () winnetmag com 

* WANT TO SPONSOR SECURITY UPDATE? emedia_opps () winnetmag com 

******************** 

   Receive the latest information about the Windows and .NET topics of 
your choice. Subscribe to our other FREE email newsletters. 
   http://www.winnetmag.net/email 

|-+-+-+-+-+-+-+-+-+-| 

Thank you for reading Security UPDATE.

SUBSCRIBE
To subscribe, send a blank email to mailto:Security-UPDATE_Sub () list winnetmag com.

Copyright 2002, Penton Media, Inc.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.

