Information Security News mailing list archives

Security UPDATE, July 3, 2002


From: InfoSec News <isn () c4i org>
Date: Mon, 8 Jul 2002 06:17:22 -0500 (CDT)

********************
Windows & .NET Magazine Security UPDATE--brought to you by Security
Administrator, a print newsletter bringing you practical, how-to
articles about securing your Windows .NET Server, Windows 2000, and
Windows NT systems.
   http://www.secadministrator.com
********************

July 3, 2002--In this issue:

1. IN FOCUS
     - Patch Your Apache Servers Now

2. ANNOUNCEMENTS
     - Windows Scripting Solutions for the Systems Administrator
     - Attend Black Hat Briefings & Training, July 29 through August
       1, Las Vegas
 
3. SECURITY ROUNDUP
     - News: Microsoft's Secret Plan to Secure the PC
     - Feature: Guard Your Data with Kerberos
     - Feature: Personal Firewalls

4. SECURITY TOOLKIT
     - Virus Center
     - FAQ: How Can I Modify the Installation Credential Settings in
       Win2K?

5. NEW AND IMPROVED
     - Network Protection Solution
     - Internet Security Solution for Data Centers
 
6. HOT THREADS
     - Windows & .NET Magazine Online Forums
         - Featured Thread: Outlook Personal Folders
     - HowTo Mailing List
         - Featured Thread: PC Configuration and Software Inventory

7. CONTACT US
   See this section for a list of ways to contact us.

~~~~~~~~~~~~~~~~~~~~

1. ==== IN FOCUS ====
   (contributed by Mark Joseph Edwards, News Editor, mark () ntsecurity net)

* PATCH YOUR APACHE SERVERS NOW

Do you use an Apache Web server? Two weeks ago, a user reported a
vulnerability in the popular Web server software that lets intruders
run arbitrary code and possibly gain root access to a system. The
vulnerability relates to chunk-encoded data, per the HTTP 1.1 standard
that Internet Engineering Task Force (IETF) Request for Comments (RFC)
2616 outlines. The Apache Software Foundation hurried to release
patched code to protect against exploits, which were first thought to
affect only 64-bit platforms. However, a user released source code for
an exploit against 32-bit x86-based systems, which means users running
Apache on 32-bit platforms are also vulnerable.

On June 19 and June 21, a user identifying himself as "Gobbles" posted
the working exploit code to the BugTraq mailing list. Not
surprisingly, last Friday, June 28, users detected a new worm
spreading on the Internet, which exploits the chunked-encoding
vulnerability.

One user, Domas Mituzas, captured the worm in a honeypot system and
analyzed it, revealing several aspects of the worm's activity. The
worm spreads by scanning for other vulnerable Apache servers. It also
contains a command interface that listens on UDP port 2001 and lets
the worm be instructed to perform Distributed Denial of Service (DDoS)
attacks against specified targets. Shortly after Mituzas posted the
worm's binary executables to the Web, he received the complete source
code for the worm through email and subsequently posted that code to
the Web as well.
   http://dammit.lt/apache-worm

The problem is very serious because approximately 50 million Apache
Web servers operate on the Internet. The fact that many vendors, such
as Dell, have used Apache code to build Web management interfaces into
their various network-management products compounds the problem.

The Computer Emergency Response Team (CERT) issued an advisory
(CA-2002-17) about the vulnerability, which is available at the first
URL below. The Apache team has released updated software that helps
protect 64-bit and 32-bit versions and recommends that all users
upgrade to Apache 2.0.39 or Apache 1.3.26. Some users might be relying
on third-party patches to help correct the matter. However, not all of
those third-party patches address the complete scope of the
vulnerabilities. Therefore, I urge users to immediately obtain and
install patched code directly from the Apache Software Foundation.
   http://www.cert.org/advisories/CA-2002-17.html
   http://httpd.apache.org/info/security_bulletin_20020620.txt
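
An added example (not part of the newsletter and not Apache's own tooling): a quick triage of HTTP Server banners against the two fixed releases named above, 1.3.26 and 2.0.39. Host names and banners are constructed, and comparing branches other than 1.3 and 2.0 with 1.3.26 is an assumption.

```python
import re

# Fixed releases named in the newsletter, keyed by release branch (major, minor).
FIXED = {(1, 3): (1, 3, 26), (2, 0): (2, 0, 39)}

# Product token of a Server header, e.g. "Apache/1.3.24 (Unix) mod_ssl/2.8.8".
TOKEN = re.compile(r"(?<![\w-])Apache/(\d+)\.(\d+)(?:\.(\d+))?")


def classify(banner):
    """Map one Server header value to 'upgrade', 'ok', 'unknown' or 'not-apache'."""
    banner = banner or ""
    m = TOKEN.search(banner)
    if m is None:
        # "Apache" with no parseable version (ServerTokens Prod, vendor-renamed
        # builds): the banner cannot answer the question, so check the host itself.
        return "unknown" if "apache" in banner.lower() else "not-apache"
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    # Assumption: a branch the page does not mention is compared with 1.3.26,
    # so 1.2.x is flagged and anything newer than both fixed releases passes.
    fixed = FIXED.get(version[:2], FIXED[(1, 3)])
    return "upgrade" if version < fixed else "ok"


def triage(inventory):
    """Group hosts by status; inventory maps host name -> Server header value."""
    report = {"upgrade": [], "ok": [], "unknown": [], "not-apache": []}
    for host, banner in sorted(inventory.items()):
        report[classify(banner)].append(host)
    return report


# Constructed sample inventory (host names and banners are made up for the example).
SAMPLE = {
    "web1.example": "Apache/1.3.24 (Unix) mod_ssl/2.8.8 OpenSSL/0.9.6c",
    "web2.example": "Apache/1.3.26 (Unix)",
    "web3.example": "Apache/2.0.36 (Win32)",
    "web4.example": "Apache/2.0.39 (Unix)",
    "mgmt1.example": "Apache",
    "iis1.example": "Microsoft-IIS/5.0",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status:10} {', '.join(hosts) or '-'}")
```

A banner only reports what the server claims: vendor builds with backported fixes can show an older version, so confirm "upgrade" and "unknown" hosts against the installed software.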

But even with the new version, Apache 2.0.39, installed, Apache
servers might have trouble. Another user, Brett Glass, reported that
one of his Apache 2.0.39 servers "went berserk" by spawning the
maximum number of child processes, which locked up his system. His
logs revealed that the child processes had been attempting to free
memory space that had already been freed. No more information about
this anomaly is available right now. However, I'll keep you posted
regarding any significant new information. In the meantime, help ward
off a potential DDoS nightmare: Patch your Apache servers now.

~~~~~~~~~~~~~~~~~~~~


2. ==== ANNOUNCEMENTS ====
   (brought to you by Windows & .NET Magazine and its partners)

* WINDOWS SCRIPTING SOLUTIONS FOR THE SYSTEMS ADMINISTRATOR
   So, you're not a programmer, but that doesn't mean you can't learn
to create and deploy timesaving, problem-solving scripts. Discover
Windows Scripting Solutions online, the Web site that can help you
tackle common problems and automate everyday tasks with simple tools,
tricks, and scripts. While you're there, check out this article
( http://list.winnetmag.com/cgi-bin3/flo?y=eMYH0CJgSH0CBw02aD0Ap )
on WMI scripting for beginners!
   http://list.winnetmag.com/cgi-bin3/flo?y=eMYH0CJgSH0CBw02aE0Aq

* ATTEND BLACK HAT BRIEFINGS & TRAINING, JULY 29 THROUGH AUGUST 1, LAS
VEGAS
   This is the world's premier technical security event! Includes 8
tracks, 12 training sessions, a Richard Clarke keynote, 1500 delegates
from 30 nations, and lots of new sessions and sponsors just added.
Some classes are near sellouts. See what the buzz is about for
yourself. Visit:
   http://list.winnetmag.com/cgi-bin3/flo?y=eMYH0CJgSH0CBw0pHV0Ak

3. ==== SECURITY ROUNDUP ====

* NEWS: MICROSOFT'S SECRET PLAN TO SECURE THE PC
   You've heard of Trustworthy Computing and the massive corporate
remodeling going on at Microsoft: The company has asked all its
developers, product managers, and executive assistants to rethink
everything they do in the context of security. Well, that's just the
tip of the iceberg. Secretly, the company has been working on a plan
to rearchitect the PC from the ground up, to address the security,
privacy, and intellectual property theft concerns that dog the
industry today.
   http://www.secadministrator.com/articles/index.cfm?articleid=25681

* FEATURE: GUARD YOUR DATA WITH KERBEROS
   Servers depend on the twin processes of authentication and
authorization. If the server doesn't have total confidence in the
user's identity and thus can't be sure of the permissions a user has,
all attempts to control access to data fail. Microsoft has long
preferred Windows NT-authenticated logons over SQL
Server-authenticated logins because Windows has more effective
mechanisms for verifying users' identities than just comparing an
account and password combination. Kerberos authentication, Windows
2000's default authentication protocol, improves on NT's
authentication protocol in several ways and offers identification of
both the client and the server.
   http://www.secadministrator.com/articles/index.cfm?articleid=25080

* FEATURE: PERSONAL FIREWALLS
   All you want to do is use your computer to do your job, play games,
learn, buy, and surf the Web. You don't want to worry about malicious
intruders, port scans, Trojan horses, worms, and all the other
mischievous stuff that hunts your computer. You shouldn't have to
worry, but you must; thousands of malicious programs exist solely to
break into your PC. That's where personal firewalls come in. Roger A.
Grimes reviews six personal firewalls. Be sure to read the review on
our Web site!
   http://www.secadministrator.com/articles/index.cfm?articleid=25348

4. ==== SECURITY TOOLKIT ====

* VIRUS CENTER
   Panda Software and the Windows & .NET Magazine Network have teamed
to bring you the Center for Virus Control. Visit the site often to
remain informed about the latest threats to your system security.
   http://www.secadministrator.com/panda

* FAQ: HOW CAN I MODIFY THE INSTALLATION CREDENTIAL SETTINGS IN WIN2K?
   ( contributed by John Savill, http://www.windows2000faq.com )

A. An administrator can lock down a system to prevent a user from
installing new software or configure the system so that the user can
provide credentials to let the installation continue. To modify the
installation credential settings for one machine, perform the
following steps:
   1. Start a registry editor (e.g., regedit.exe).
   2. Navigate to the
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
registry subkey.
   3. Double-click the NoRunasInstallPrompt value; set it to 1 to
disable credentials or 0 to allow credentials.
   4. Click OK.

To modify the installation credential settings for network
installations, perform the following steps:
   1. Start a registry editor (e.g., regedit.exe).
   2. Navigate to the
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
registry subkey.
   3. Double-click the PromptRunasInstallNetPath value; set it to 1 to
disable credentials or 0 to allow credentials.
   4. Click OK.

5. ==== NEW AND IMPROVED ====
   (contributed by Judy Drennen, products () winnetmag com)

* NETWORK PROTECTION SOLUTION
   Internet Security Systems (ISS) announced RealSecure Server Sensor
for Microsoft Internet Security and Acceleration (ISA) Server 2000.
RealSecure is an advanced protection solution designed to help
Microsoft users in small to midsize organizations detect, prevent, and
respond to an ever-changing spectrum of online threats. RealSecure
continuously detects and responds to unauthorized or suspicious
network behavior in realtime. For pricing information, contact ISS at
888-901-7477.
   http://www.iss.net/isaserver

* INTERNET SECURITY SOLUTION FOR DATA CENTERS
   Check Point Software Technologies announced Check Point
VPN-1/FireWall-1 VSX, a carrier-class multipolicy Internet security
solution for service providers and corporate data centers. Through
software virtualization and Virtual LAN (VLAN) technology,
VPN-1/FireWall-1 VSX scales the Check Point VPN-1/FireWall-1 to create
up to 100 separate virtual systems on one hardware platform.
VPN-1/FireWall-1 VSX costs $24,000 for 10 customer policies. Contact
Check Point at 800-429-4391.
   http://www.checkpoint.com

6. ==== HOT THREADS ====

* WINDOWS & .NET MAGAZINE ONLINE FORUMS
   http://www.winnetmag.com/forums

Featured Thread: Outlook Personal Folders
   (One message in this thread)

Magnus has a Windows NT domain with a few Windows 2000 clients. All
users have roaming profiles. When a user has been working on a Win2K
client system, then goes to an NT client system, that user profile
does not work correctly. When the user checks email, he or she gets a
message requesting a Windows password, which doesn't exist. Magnus has
found two solutions to the problem: He either disables the service for
Outlook Personal Folders or recreates the user's whole profile. Do you
have a better solution?
   http://www.secadministrator.com/forums/thread.cfm?thread_id=107785

* HOWTO MAILING LIST
   http://www.secadministrator.com/listserv/page_listserv.asp?s=howto

Featured Thread: PC Configuration and Software Inventory
   (Twenty-one messages in this thread)

Julias must perform a security audit that includes auditing installed
software. At the same time, he needs to obtain information about the
computer hardware configuration for several PCs on his network. He
wants to know whether anyone knows of a PC configuration or software
audit program that he can run from a 3.5" disk. The PCs he must audit
run Windows 2000, Windows NT, Windows 9x, and DOS. Read the responses
or lend a hand at the following URL:
  http://63.88.172.96/listserv/page_listserv.asp?a2=ind0206c&l=howto&p=80

7. ==== CONTACT US ====
   Here is how to reach us with your comments and questions:

* ABOUT IN FOCUS -- mark () ntsecurity net

* ABOUT THE NEWSLETTER IN GENERAL -- vpatterson () winnetmag com (please
mention the newsletter name in the subject line)

* TECHNICAL QUESTIONS -- http://www.winnetmag.com/forums

* PRODUCT NEWS -- products () winnetmag com

* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer
Support -- securityupdate () winnetmag com

* WANT TO SPONSOR SECURITY UPDATE? emedia_opps () winnetmag com




-
ISN is currently hosted by Attrition.org
