Information Security News mailing list archives

Security UPDATE, September 11, 2002


From: InfoSec News <isn () c4i org>
Date: Thu, 12 Sep 2002 01:08:46 -0500 (CDT)

********************
Windows & .NET Magazine Security UPDATE--brought to you by Security
Administrator, a print newsletter bringing you practical, how-to
articles about securing your Windows .NET Server, Windows 2000, and
Windows NT systems.
   http://www.secadministrator.com
********************

~~~~ THIS ISSUE SPONSORED BY ~~~~

Consolidated Security Auditing and Monitoring
   http://list.winnetmag.com/cgi-bin3/flo?y=eNTO0CJgSH0CBw04gJ0A7

VeriSign - The Value of Trust
   http://list.winnetmag.com/cgi-bin3/flo?y=eNTO0CJgSH0CBw04gK0A8
   (below IN FOCUS)

~~~~~~~~~~~~~~~~~~~~

~~~~ SPONSOR: CONSOLIDATED SECURITY AUDITING AND MONITORING ~~~~
   HIPAA? Gramm-Leach-Bliley? BS7799/ISO17799? Aelita InTrust(tm)
bridges the gap between industry regulations & policies and your IT
infrastructure. InTrust consolidates, archives, and analyzes
heterogeneous IT audit data and offers numerous reports to assist in
documenting compliance. And InTrust's data repositories enable
efficient, permanent storage of all event data. Get started with the
FREE security assessment tool: Aelita InTrust Audit Advisor!
   http://list.winnetmag.com/cgi-bin3/flo?y=eNTO0CJgSH0CBw04gJ0A7

~~~~~~~~~~~~~~~~~~~~

September 11, 2002--In this issue:

1. IN FOCUS
     - Assessing Security Threats to Microsoft SQL Server

2. SECURITY RISKS
     - Application Execution Vulnerability in Microsoft Visual FoxPro 6.0
     - Multiple Vulnerabilities in Cisco VPN 3000 Series Concentrator
       and VPN 3002 Hardware Client

3. ANNOUNCEMENTS
     - Mark Minasi and Paul Thurrott Are Bringing Their Security
       Expertise to You!
     - UNIX, Linux, and Windows: Managing the Unruly Trinity

4. SECURITY ROUNDUP
     - News: Microsoft Releases Windows XP SP1
     - News: Microsoft Solves Windows Hacking Mystery
 
5. SECURITY TOOLKIT
     - Virus Center
     - FAQ: How Can I Prevent Users from Changing Their Passwords
       Except When Windows 2000 Prompts Them To?

6. NEW AND IMPROVED
     - Antispam Server for the Enterprise
     - Lock Up Your Hard Disk
     - Submit Top Product Ideas
 
7. HOT THREADS
     - Windows & .NET Magazine Online Forums
         - Featured Thread: Obtaining Hashes from the Win2K SAM
           Database

8. CONTACT US
   See this section for a list of ways to contact us.

~~~~~~~~~~~~~~~~~~~~

1. ==== IN FOCUS ====
   (contributed by Mark Joseph Edwards, News Editor,
mark () ntsecurity net)

* ASSESSING SECURITY THREATS TO MICROSOFT SQL SERVER

When did you last profile your Microsoft SQL Server 2000 system for
potential threats? If you haven't done so, you might want a toolkit
and some easy-to-understand guidelines.

Next Generation Security Software (NGSSoftware) recently published
"Threat Profiling Microsoft SQL Server," which describes in detail
tools and procedures that you can use to gauge your exposure to
intruders. According to NGSSoftware, the paper has "four main
sections. The first section will cover attacks that do not require the
attacker to have a user ID and password for the SQL Server, that is,
the attacks are unauthenticated. The second section will cover those
attacks that do require authentication; to succeed the user must be
logged onto the SQL Server. The third section will consider those
attacks that can be launched from a compromised server. The final and
fourth section will touch briefly upon attacks via the Web using SQL
Injection."
   http://www.nextgenss.com/papers/tp-SQL2000.pdf

"Threat Profiling Microsoft SQL Server" discusses SQL Monitor port
attacks, network-sniffing opportunities, brute-force attacks,
file-system attacks, Trojan horses in extended stored procedures,
client attacks (e.g., against the SQL Enterprise Manager), navigating
the database server, password cracking, bypassing access controls, and
more. The paper lists a series of tools you need to obtain before you
start. Minimally, you'll need various SQL client tools (such as Query
Analyzer and ODBCPing), Microsoft Visual C++, SQLPing, NGSSQuirreL,
NGSSQLCrack, and NGSSniff. The SQL Server CD-ROM contains SQL client
tools. SQLSecurity.com (see the first URL below) offers SQLPing.
NGSSoftware offers the latter three tools through the company's Web
site (see the second URL below). According to NGSSoftware, NGSSQuirreL
is an auditing tool that can find and fix holes in the SQL Server;
NGSSQLCrack can crack the passwords of standard SQL logins; and
NGSSniff is a network traffic capture and analysis tool. Overall, the
paper contains a wealth of information about securing your SQL Server.
   http://www.sqlsecurity.com/desktopdefault.aspx
   http://www.nextgenss.com

Other steps you can take toward SQL Server security include keeping up
with Microsoft security bulletins and reviewing other resources.
Microsoft has issued 11 security bulletins for SQL Server 2000 so far,
including a cumulative patch in August 2002 that contains all the
other security patches. Be sure you've loaded the ones you might
need--or the cumulative patch if you want to load them all.
   http://www.microsoft.com/technet/security/current.asp?productid=30

SQL Server Magazine and its related Web site often discuss SQL Server
security. For example, when you visit the Web site (see the URL
below), you'll find Michael Otey's article "Free SQL Server Tools,"
which discusses his favorite free SQL Server tools, among which are
security-related tools. You'll also find Kalen Delaney's article "Safe
Transit," which discusses how to ensure that users and passwords match
up after a database restoration.
   http://www.sqlmag.com

Regularly reviewing the potential threats to your SQL Server will help
keep it secure. I hope the resources mentioned will support that
review process.

~~~~~~~~~~~~~~~~~~~~

~~~~ SPONSOR: VERISIGN - THE VALUE OF TRUST ~~~~
   Get the strongest server security -- 128-bit SSL encryption!
   Download VeriSign's FREE guide, "Securing Your Web Site for
Business" and learn everything you need to know about using SSL to
encrypt your e-commerce transactions for serious online security.
Click here!
   http://list.winnetmag.com/cgi-bin3/flo?y=eNTO0CJgSH0CBw04gK0A8

~~~~~~~~~~~~~~~~~~~~

2. ==== SECURITY RISKS ====
   (contributed by Ken Pfeil, ken () winnetmag com)

* APPLICATION EXECUTION VULNERABILITY IN MICROSOFT VISUAL FOXPRO 6.0
   Cristobal Bielza and Juan Carlos G. Cuartango from Instituto
Seguridad Internet discovered a vulnerability in Microsoft Visual
FoxPro 6.0 that can result in an attacker gaining control over the
vulnerable system. This vulnerability stems from a Visual FoxPro
installation in which the application doesn't register itself with
Microsoft Internet Explorer (IE). As a result, an attacker can use a
Web page or HTML email to launch an application on the vulnerable
system. Microsoft has released Security Bulletin MS02-049 (Flaw Could
Enable Web Page to Launch Visual FoxPro 6.0 Application Without
Warning) to address this vulnerability.
   http://www.secadministrator.com/articles/index.cfm?articleid=26543

* MULTIPLE VULNERABILITIES IN CISCO VPN 3000 SERIES CONCENTRATOR AND
VPN 3002 HARDWARE CLIENT
   Multiple vulnerabilities exist in Cisco Systems' VPN 3000 series
concentrators and VPN 3002 Hardware Client that can result in
information disclosure, Denial of Service (DoS) conditions, and
unauthenticated display of passwords on the vulnerable devices. Cisco
has issued a notice regarding these vulnerabilities and recommends
that affected users upgrade to a fixed release of its software through
regular support channels or the Cisco Web site.
   http://www.secadministrator.com/articles/index.cfm?articleid=26501

3. ==== ANNOUNCEMENTS ====
   (brought to you by Windows & .NET Magazine and its partners)

* MARK MINASI AND PAUL THURROTT ARE BRINGING THEIR SECURITY EXPERTISE
TO YOU!
   Windows & .NET Magazine Network Road Show 2002 is coming this
October to New York, Chicago, Denver, and San Francisco! Industry
experts Mark Minasi and Paul Thurrott will show you how to shore up
your system's security and what desktop security features are planned
for Microsoft .NET and beyond. Sponsored by NetIQ, Microsoft, and
Trend Micro. Registration is free, but space is limited so sign up
now!
   http://list.winnetmag.com/cgi-bin3/flo?y=eNTO0CJgSH0CBw03lK0AD

* UNIX, LINUX, AND WINDOWS: MANAGING THE UNRULY TRINITY
   Sign up for our latest Web seminar at which we'll discuss the
concerns associated with managing a heterogeneous server environment.
You'll learn more about the management characteristics of each
platform and about existing management solutions and how well they
work. Sponsored by NetIQ. There's no charge for this online event, but
space is limited so register now at
   http://list.winnetmag.com/cgi-bin3/flo?y=eNTO0CJgSH0CBw04Wf0AK

4. ==== SECURITY ROUNDUP ====

* NEWS: MICROSOFT RELEASES WINDOWS XP SP1
   Delivering on its promise to release Windows XP Service Pack 1
(SP1), Microsoft issued the critical upgrade to its latest desktop OS
on September 9. With XP SP1's release to manufacturing (RTM), the
company provides its first comprehensive set of bug and security fixes
for the fastest-selling Windows version ever. XP users can download
the SP1 release for free from the Microsoft Web site or order the
release on CD-ROM for about $10.
   http://www.wininformant.com/articles/index.cfm?articleid=26555

* NEWS: MICROSOFT SOLVES WINDOWS HACKING MYSTERY
   The notion that Windows users might be the targets of attacks is
nothing new, given the platform's vast market domination and the sheer
number of Windows-based desktops and servers. But a mysterious new
type of attack had security watchdogs and Microsoft itself baffled.
Now the problem has been identified, and it's apparently not a new
security vulnerability.
   http://www.wininformant.com/articles/index.cfm?articleid=26566

5. ==== SECURITY TOOLKIT ====

* VIRUS CENTER
   Panda Software and the Windows & .NET Magazine Network have teamed
to bring you the Center for Virus Control. Visit the site often to
remain informed about the latest threats to your system security.
   http://www.secadministrator.com/panda

* FAQ: HOW CAN I PREVENT USERS FROM CHANGING THEIR PASSWORDS EXCEPT
WHEN WINDOWS 2000 PROMPTS THEM TO?
   (contributed by John Savill, http://www.windows2000faq.com)

A. You can configure your domain through a group policy so that users
can change their passwords only when the system prompts them:
   1. Start the Microsoft Management Console (MMC) Active Directory
Users and Computers snap-in (Start, Programs, Administrative Tools,
Active Directory Users and Computers).
   2. Right-click the container (site/domain or organizational
unit--OU) on which you want to enforce the policy, and select
Properties.
   3. Select the Group Policy tab.
   4. Select the policy and click Edit.
   5. Expand User Configuration, Administrative Templates, System,
Logon/Logoff.
   6. Double-click Disable Change Password, and on the Policy tab,
select Enabled.
   7. Click Apply, then OK.
   8. Close all dialog boxes.
   9. Refresh the policy with the following command:
      C:\> secedit /refreshpolicy user_policy

You can also configure this feature on a per-user basis. To do so,
perform the following steps:
   1. Start regedit.exe.
   2. Go to
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies.
If the System key exists, select it. Otherwise create it (Edit, New,
Key, System).
   3. Under System, create a new value of type DWORD (Edit, New, DWORD
value).
   4. Type a name of DisableChangePassword, and press Enter.
   5. Double-click the new value, and set it to 1. Click OK.
   6. Close regedit.exe.
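
The per-user registry steps above can also be scripted and audited. The following is an added example, not part of the original FAQ; it assumes a system with Windows PowerShell available, and the function names are hypothetical. The key path and value name are the ones given in the steps.

```powershell
# Added example: audit and apply the per-user DisableChangePassword value.
# Key path and value name come from the FAQ steps; function names are hypothetical.
$PolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueName = 'DisableChangePassword'

function Get-ChangePasswordPolicy {
    # Reports the current state without modifying the registry.
    $state = [pscustomobject]@{ KeyExists = $false; Value = $null; Enforced = $false }
    if (Test-Path -Path $PolicyKey) {
        $state.KeyExists = $true
        $prop = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
        if ($null -ne $prop) {
            $state.Value = $prop.$ValueName
            $state.Enforced = ($state.Value -eq 1)
        }
    }
    return $state
}

function Set-ChangePasswordPolicy {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([switch]$Disable)   # -Disable lifts the restriction (writes 0)

    $target = if ($Disable) { 0 } else { 1 }
    if (-not (Test-Path -Path $PolicyKey)) {
        # Step 2: create the System key when it does not exist.
        if ($PSCmdlet.ShouldProcess($PolicyKey, 'Create key')) {
            New-Item -Path $PolicyKey -Force | Out-Null
        }
    }
    # Steps 3-5: create or overwrite the DWORD value.
    if ($PSCmdlet.ShouldProcess("$PolicyKey\$ValueName", "Set DWORD to $target")) {
        New-ItemProperty -Path $PolicyKey -Name $ValueName `
            -PropertyType DWord -Value $target -Force | Out-Null
    }
    return Get-ChangePasswordPolicy
}

Get-ChangePasswordPolicy            # audit only
Set-ChangePasswordPolicy -WhatIf    # preview the change without writing
# Set-ChangePasswordPolicy          # apply for the current user
```

The value is written to the registry hive of the account that runs the script, so it must run in the context of the user being restricted.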

6. ==== NEW AND IMPROVED ====
   (contributed by Judy Drennen, products () winnetmag com)

* ANTISPAM SERVER FOR THE ENTERPRISE
   Mail-Filters.com announced SpamCure, a filtering server designed to
eliminate junk email messages from coming into businesses and
enterprises from the Internet. SpamCure works best for organizations
with 50 to 50,000 mailboxes. Each email message is subjected to 11
categories of tests, which results in 95 percent of all spam messages
being identified and categorized. After spam has been identified, the
customer can choose, by domain or mailbox, how it's handled. SpamCure
runs on Windows 2000 Server, and the price starts at $2.75 per mailbox
and decreases as the number of mailboxes increases. Contact
Mail-Filters at 650-212-6245.
   http://www.mail-filters.com

* LOCK UP YOUR HARD DISK
   Innovative Security Products announced the Lid Lock Padlock, a lock
to secure your data and components inside your PC. The lock won't
damage your equipment and includes a proprietary component that
prevents break-ins. It can be installed in less than a minute and
includes a resettable combination padlock. Your organization can code
all its padlocks differently, code them all alike, or code by
department. The Lid Lock Padlock costs $9.95. Contact Innovative
Security Products at 913-385-2002.
   http://www.wesecure.com

* SUBMIT TOP PRODUCT IDEAS
   Have you used a product that changed your IT experience by saving
you time or easing your daily burden? Do you know of a terrific
product that others should know about? Tell us! We want to write about
the product in a future What's Hot column. Send your product
suggestions to whatshot () winnetmag com.

7. ==== HOT THREADS ====

* WINDOWS & .NET MAGAZINE ONLINE FORUMS
   http://www.winnetmag.com/forums

Featured Thread: Obtaining Hashes from the Win2K SAM Database
   (Two messages in this thread)

Tony writes that in Windows NT, you can get a copy of the SAM (or
password hashes) to feed into L0phtCrack. Within a reasonable time,
you can crack the user accounts and passwords. But in Windows 2000,
things change drastically because Microsoft allows the use of 128-bit
encryption algorithms through Syskey. Is there a way to get the
password hashes from a Win2K machine to which you have physical but
not administrative access? Read the responses or lend a hand:
   http://www.winnetmag.com/forums/rd.cfm?cid=42&tid=45005

8. ==== CONTACT US ====
   Here's how to reach us with your comments and questions:

* ABOUT IN FOCUS -- mark () ntsecurity net

* ABOUT THE NEWSLETTER IN GENERAL -- vpatterson () winnetmag com (please
mention the newsletter name in the subject line)

* TECHNICAL QUESTIONS -- http://www.winnetmag.com/forums

* PRODUCT NEWS -- products () winnetmag com

* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer
Support -- securityupdate () winnetmag com

* WANT TO SPONSOR SECURITY UPDATE? emedia_opps () winnetmag com

********************

   This email newsletter is brought to you by Security Administrator,
the print newsletter with independent, impartial advice for IT
administrators securing a Windows 2000/Windows NT enterprise.
Subscribe today!
   http://www.secadministrator.com/sub.cfm?code=saei25xxup

   Receive the latest information about the Windows and .NET topics of
your choice. Subscribe to our other FREE email newsletters.
   http://www.winnetmag.com/email

|-+-|-+-|-+-|-+-|-+-|

Thank you for reading Security UPDATE.

MANAGE YOUR ACCOUNT
   You can manage your entire Windows & .NET Magazine Network email
newsletter account on our Web site. Simply log on and you can change
your email address, update your profile information, and subscribe or
unsubscribe to any of our email newsletters all in one place.
   http://www.winnetmag.com/email

Thank you!



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

