Information Security News mailing list archives

Security UPDATE, May 7, 2003


From: InfoSec News <isn () c4i org>
Date: Thu, 8 May 2003 05:55:04 -0500 (CDT)

********************

Windows & .NET Magazine Security UPDATE--brought to you by Security
Administrator, a print newsletter bringing you practical, how-to
articles about securing your Windows Server 2003, Windows 2000, and
Windows NT systems.
   http://www.secadministrator.com

********************

~~~~ THIS ISSUE SPONSORED BY ~~~~

Windows & .NET Magazine
   http://list.winnetmag.com/cgi-bin3/DM/y/eQoY0CJgSH0CBw08zM0AE

~~~~~~~~~~~~~~~~~~~~

May 7, 2003--In this issue:

1. IN FOCUS
     - Security: Out of the Box and into the Guides

2. SECURITY RISKS
     - Multiple Vulnerabilities in Microsoft's BizTalk Server 2002 and
       2000
     - Path Disclosure Vulnerability in Macromedia ColdFusion MX
       Server
     - Script Injection Vulnerability in Opera for Windows JavaScript
       Console
     - Long File Extension Heap Buffer-Overrun Vulnerability in Opera
       for Windows
     - Oracle Database Link Buffer Overflow

3. ANNOUNCEMENTS
     - Windows & .NET Magazine Connections: Win a Florida Vacation
     - Time Is Running Out to Join Our Storage Solutions Road Show!

4. SECURITY ROUNDUP
     - News: Microsoft Releases Win2K Hardening Guide
     - News: Continued Windows 2003 Documentation Push Focuses on
       Security
     - News: New eBook Helps Administrators and Programmers Secure IIS
     - News: Microsoft and Sanctum Host Secure Programming Webinar

5. SECURITY TOOLKIT
     - Virus Center
     - FAQ: Are There Any Circumstances Under Which Win2K Still Uses
       NTLM?

6. NEW AND IMPROVED
     - Lure Attackers with a Honeypot
     - Centralize Your Security Policy Management
     - Submit Top Product Ideas

7. HOT THREAD
     - Windows & .NET Magazine Online Forums
         - Featured Thread: Does Windows Use Default Values If a
           Registry Key Isn't Present?

8. CONTACT US
   See this section for a list of ways to contact us.

~~~~~~~~~~~~~~~~~~~~

1. ==== IN FOCUS ====
   (contributed by Mark Joseph Edwards, News Editor,
mark () ntsecurity net)

* SECURITY: OUT OF THE BOX AND INTO THE GUIDES

As you know, Microsoft recently launched Windows Server 2003. One
significant aspect of the new OS is Microsoft's pledge of better
security. As history has shown, rushing a new OS out the door to eager
users complete with all the bells and whistles blowing loudly isn't
the best practice. Microsoft has taken longer than usual to develop
this new OS, especially in regard to security. So when you deploy it,
you'll find that rather than having loads of features turned on by
default, the OS has many features that you must intentionally enable.

Even when you enable features such as Microsoft Internet Information
Services (IIS) 6.0, you might find that they install with minimum
functionality enabled. Security professionals will prefer this
approach, but it doesn't address the larger question of how to
reasonably open up functionality while maintaining adequate security
levels.

To help you balance functionality and security in your Windows 2003
environment, Microsoft has released an extensive security guide.
Microsoft designed the guide to help you deploy Windows 2003
effectively while maintaining adequate security in three basic
environments: a legacy client environment, an enterprise environment,
and a high-security environment.

The "Windows Server 2003 Security Guide" contains 12 chapters.
Chapters 2 through 12 deal directly with configuring various network
elements and their associated systems. They help you configure domain
infrastructure, create baseline security for member servers, and
harden several system elements: domain controllers (DCs) and
infrastructure servers, file servers and print servers, IIS and
Internet Authentication Server (IAS), Certificate Services Servers
(CSSs), and bastion hosts.

All told, the security guide contains 290 pages of highly useful
recommendations. In addition to the main guide, you'll find delivery
guides (3), checklists (10), scripts (8), and templates (25) to help
you further secure your Windows 2003 environment.

Microsoft recommends that those charged with deploying and securing
Windows 2003 and Windows XP in an enterprise have MCSE 2000
certification, 2 or more years of security-related experience,
in-depth knowledge of Active Directory (AD), and experience with these
features and functions: Microsoft Management Console (MMC) and other
tools, Group Policy administration, and workstation and application
deployment in enterprise environments.

If you're considering using the security guide and wonder how
Microsoft arrived at the security recommendations, refer to the
"Testing Windows Server 2003 Security Guide" documentation included in
the overall security guide package. The documentation outlines how
Microsoft configured and tested the three basic network environments
(legacy, enterprise, and high security) to ensure that the guide's
recommendations are both accurate and adequate.

The test documentation explains, chapter by chapter, the steps
Microsoft took to test the guide's recommendations. Microsoft also
used a third party to perform extensive penetration testing against
the enterprise and high-security environments. After several weeks of
testing, the servers remained secure. Microsoft notes one
vulnerability, however: Intruders who intercept Kerberos network
traffic might be able to use brute-force attacks to expose user
passwords. According to Microsoft, to mitigate this vulnerability, you
can use complex user passwords or use IP Security (IPSec) to encrypt
network traffic. The guide recommends strong user passwords.

Obviously, the guide can't guarantee that Windows 2003 users won't
encounter security problems. Nevertheless, if you follow the guide's
advice, you'll be less likely to find your systems compromised.
Microsoft's third-party testing helps assure that much.

If you still wonder about various threats and possible
countermeasures, you can find additional security help. Microsoft has
released "Threats and Countermeasures: Security Settings in Windows
Server 2003 and Windows XP." This guide describes threats and
potential countermeasures in detail--and discusses how deploying the
recommended configuration settings affects users.

The 287-page threat guide also discusses domain level and audit
policies, user rights assignments, security options, event logs,
system services, software restriction policies, administrative
templates, additional registry settings, and additional procedures for
hardening member servers.

So--with the new OS, Microsoft offers two guides full of
security-related configuration recommendations. Microsoft hopes you'll
use this information to secure your Windows 2003 network environment.
If you wonder whether your company can benefit from Windows 2003's
strengthened security, review the guides to gain insight.

If you use the security guides, send me an email message about their
usefulness. I want to know how they work for you and whether you found
significant problems when you used them in your network environment.

You can download the new guides from Microsoft's Web site. You can
also link to them from Paul Thurrott's news story, "Continued Windows
2003 Documentation Push Focuses on Security," in this issue of the
newsletter.
   http://www.secadministrator.com/articles/index.cfm?articleid=38837

~~~~~~~~~~~~~~~~~~~~

2. ==== SECURITY RISKS ====
   (contributed by Ken Pfeil, ken () winnetmag com)

* MULTIPLE VULNERABILITIES IN MICROSOFT'S BIZTALK SERVER 2002 AND 2000
   Two new vulnerabilities exist in Microsoft BizTalk Server 2002 and
BizTalk Server 2000, one of which can result in the execution of
arbitrary code on the vulnerable system. The second vulnerability is a
Microsoft SQL injection vulnerability in some of the pages that
BizTalk 2002 and BizTalk 2000's Document Tracking and Administration
(DTA) uses. Microsoft has released Security Bulletin MS03-016
(Cumulative Patch for BizTalk Server) to address these vulnerabilities
and recommends that affected users immediately apply the appropriate
patch mentioned in the bulletin.
   http://www.secadministrator.com/articles/index.cfm?articleid=38855

* PATH DISCLOSURE VULNERABILITY IN MACROMEDIA COLDFUSION MX SERVER
   A vulnerability in Macromedia ColdFusion MX Server's default
installation can result in the inadvertent disclosure of the physical
path of the server installation. In a default installation, the Enable
Robust Exception Information setting is enabled under Debugging
Settings. According to Macromedia, you should clear this setting on
production systems.
   http://www.secadministrator.com/articles/index.cfm?articleid=38848

* SCRIPT INJECTION VULNERABILITY IN OPERA FOR WINDOWS JAVASCRIPT
CONSOLE
   A vulnerability in Opera for Windows can result in the execution of
an arbitrary script in the Local Computer zone. This vulnerability is
a result of code in Opera 7.x's console.html file that doesn't
sanitize the single quotation mark. The flaw permits a malicious
intruder to inject an arbitrary script into the link on the Microsoft
JavaScript console. Opera has yet to respond to this problem.
   http://www.secadministrator.com/articles/index.cfm?articleid=38849

* LONG FILE EXTENSION HEAP BUFFER-OVERRUN VULNERABILITY IN OPERA FOR
WINDOWS
   Several versions of Opera for Windows contain a Denial of Service
(DoS) condition. The condition results from an unchecked buffer on the
heap and Opera's failure to check the length of a filename. Opera has
yet to respond to this problem.
   http://www.secadministrator.com/articles/index.cfm?articleid=38850

* ORACLE DATABASE LINK BUFFER OVERFLOW
   The Oracle database server contains a buffer-overflow condition. To
exploit the condition, a malicious user can provide a long parameter
for a connect string with the CREATE DATABASE LINK query. Oracle has
released a patch to correct the problem.
   http://www.secadministrator.com/articles/index.cfm?articleid=38825

3. ==== ANNOUNCEMENTS ====
   (brought to you by Windows & .NET Magazine and its partners)

* WINDOWS & .NET MAGAZINE CONNECTIONS: WIN A FLORIDA VACATION
   Don't miss this exclusive opportunity to learn in person from your
favorite writers you know and trust. All attendees will receive a free
1-year subscription to Windows & .NET Magazine plus a chance to win a
Florida vacation for two. Connections has simply the best lineup of
technical training for today's Windows IT pro. Conference begins May
18, so hurry and register now:
   http://list.winnetmag.com/cgi-bin3/DM/y/eQoY0CJgSH0CBw0KXQ0A2

* TIME IS RUNNING OUT TO JOIN OUR STORAGE SOLUTIONS ROAD SHOW!
   Attend the HP & Microsoft Network Storage Solutions Road Show, and
learn how existing and future storage solutions can save your company
money--and make your job easier! Attendees have lots of chances to win
incredible prizes. There is absolutely no fee for this event, but
space is limited. We've just added Minneapolis to our list of cities,
so register now!
   http://list.winnetmag.com/cgi-bin3/DM/y/eQoY0CJgSH0CBw07cD0Af

4. ==== SECURITY ROUNDUP ====

* NEWS: MICROSOFT RELEASES WIN2K HARDENING GUIDE
   Microsoft announced the release of a new guide designed to help
users harden the security of their Windows 2000 systems. The guide
consists of six chapters, three appendices, and checklists to help
deploy the measures outlined in the guide. The guide helps configure
Win2K in a more secure fashion in any of six different server roles.
   http://www.secadministrator.com/articles/index.cfm?articleid=38828

* NEWS: CONTINUED WINDOWS 2003 DOCUMENTATION PUSH FOCUSES ON SECURITY
   Microsoft has issued its voluminous "Windows Server 2003 Security
Guide," a threats and countermeasures document for Windows 2003 and
Windows XP, and companion documentation designed to help harden
Windows 2000 Server and Win2K Professional against attack. According
to Microsoft, the "Windows Server 2003 Security Guide" focuses on
providing a set of easy-to-understand guidance, tools, and templates
to help secure Windows 2003 in many environments.
   http://www.secadministrator.com/articles/index.cfm?articleid=38837

* NEWS: NEW eBOOK HELPS ADMINISTRATORS AND PROGRAMMERS SECURE IIS
   Jason Coombs has released a free eBook, "IIS Security and
Programming Countermeasures," designed to help administrators and
programmers better secure their IIS servers.
   http://www.secadministrator.com/articles/index.cfm?articleid=38829

* NEWS: MICROSOFT AND SANCTUM HOST SECURE PROGRAMMING WEBINAR
   Microsoft and Sanctum will present a webinar, "Security Best
Practices in the .NET Framework Environment," on May 9 at 4:30 P.M.
Eastern time. Sanctum Chief Technology Officer (CTO) Steve Orrin and
Microsoft Senior Security Program Manager for the Secure Windows
Initiative Michael Howard will host the presentation. The two will
discuss security unit testing in Windows .NET Framework development.
   http://www.secadministrator.com/articles/index.cfm?articleid=38813

5. ==== SECURITY TOOLKIT ====

* VIRUS CENTER
   Panda Software and the Windows & .NET Magazine Network have teamed
to bring you the Center for Virus Control. Visit the site often to
remain informed about the latest threats to your system security.
   http://www.secadministrator.com/panda

* FAQ: Are There Any Circumstances Under Which Win2K Still Uses NTLM?
   (contributed by Randy Franklin Smith, rsmith () montereytechgroup com)

A: Yes, Windows 2000 still uses NT LAN Manager (NTLM) rather than
Kerberos in certain situations. Because NTLM is much more vulnerable
to eavesdropping and subsequent cracking, you should know the
circumstances under which Win2K uses NTLM. For Win2K to use Kerberos
when a user logs on, all computers involved--workstations, domain
controllers (DCs), and servers--must be Win2K or later and members of
the same domain or at least the same forest. In addition, the user
account that's logging on must be an Active Directory (AD) user
account, not an account in a computer's local SAM or an account from a
Windows NT domain. For a list of situations in which Win2K uses NTLM,
be sure to read the rest of the article on our Web site.
   http://www.secadministrator.com/articles/index.cfm?articleid=24670

6. ==== NEW AND IMPROVED ====
   (contributed by Sue Cooper, products () winnetmag com)

* LURE ATTACKERS WITH A HONEYPOT
   KeyFocus released KFSensor, a honeypot-based Intrusion Detection
System (IDS) that attracts and detects attackers by simulating
vulnerable system services, Trojan horses, and servers such as Telnet
and SMTP. This configurable system features detailed logging, attack
analysis, and security alerts. Because KFSensor isn't activated until
attacked, it consumes little processor time or network resources and
doesn't affect usual machine use. KFSensor supports Windows
XP/2000/NT/Me/98 and costs $149 per user. Contact KeyFocus at
contact () keyfocus net.
   http://www.keyfocus.net

* CENTRALIZE YOUR SECURITY POLICY MANAGEMENT
   Pedestal Software announced SecurityExpressions 3.0, an agentless
system security policy management solution that lets you apply and
monitor policies the software creates or deploy a policy that security
or government organizations predefine. SecurityExpressions 3.0
verifies policy compliance on each server, workstation, and desktop.
You can then implement fixes to any problems discovered during that
audit. Features new to this version include a Web console that lets
others perform an audit without compromising enterprise security, a
distributed proxy that lets one console scan systems in remote
locations, and ODBC Reporting that lets you store the scan results in
a centralized ODBC-compliant database. Pricing is based on the number
of systems scanned and starts at $495 per server and $30 per desktop.
Contact Pedestal Software at 617-928-5550 or
sales () pedestalsoftware com.
   http://www.pedestalsoftware.com

* SUBMIT TOP PRODUCT IDEAS
   Have you used a product that changed your IT experience by saving
you time or easing your daily burden? Do you know of a terrific
product that others should know about? Tell us! We want to write about
the product in a future What's Hot column. Send your product
suggestions to whatshot () winnetmag com.

7. ==== HOT THREAD ====

* WINDOWS & .NET MAGAZINE ONLINE FORUMS
   http://www.winnetmag.com/forums

Featured Thread: Does Windows Use Default Values If a Registry Key
Isn't Present?
   (Two messages in this thread)

A reader wants to know whether Windows uses a default value if a
registry key isn't present or is intentionally deleted. For example,
how does Windows behave if the following registry key is set to zero
or deleted:
 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisable8dot3NameCreation

Lend a hand or read the responses:
   http://www.winnetmag.com/forums/rd.cfm?cid=42&tid=58174

8. ==== CONTACT US ====
   Here's how to reach us with your comments and questions:

* ABOUT IN FOCUS -- mark () ntsecurity net

* ABOUT THE NEWSLETTER IN GENERAL -- letters () winnetmag com (please
mention the newsletter name in the subject line)

* TECHNICAL QUESTIONS -- http://www.winnetmag.com/forums

* PRODUCT NEWS -- products () winnetmag com

* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer
Support -- securityupdate () winnetmag com

* WANT TO SPONSOR SECURITY UPDATE? emedia_opps () winnetmag com

__________________________________________________________
Copyright 2003, Penton Media, Inc.



-
ISN is currently hosted by Attrition.org
