**********************************************************
WINDOWS 2000 MAGAZINE SECURITY UPDATE
**Watching the Watchers**
The weekly Windows 2000 and Windows NT security update newsletter
brought to you by Windows 2000 Magazine and NTsecurity.net
http://www.win2000mag.com/update/
**********************************************************

This week's issue sponsored by

Trend Micro -- Your Internet VirusWall
http://www.antivirus.com/irish_luck.htm

FREE Denial of Service Attack WebCast
http://www.win2000mag.com/jump.cfm?ID=16
(Below SECURITY ROUNDUP)

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

March 8, 2000 - In this issue:

1. IN FOCUS
   - Can Kerberos Remain an Open Standard?

2. SECURITY RISKS
   - Buffer Overflow in Clip Art Gallery
   - Device Names in a URL Can Crash Windows 9x
   - Internet Explorer 5.0 Allows Arbitrary Code Execution
   - Omniback Subject to Denial of Service

3. ANNOUNCEMENTS
   - Conference: Windows 2000 in the Enterprise
   - What's Up with Microsoft's Kerberos Documentation?

4. SECURITY ROUNDUP
   - Feature: Kerberos in Windows 2000
   - HowTo: Maximizing Proxy Server Security
   - Review: Synch Passwords with SAM/PS or P-Synch 3.5

5. NEW AND IMPROVED
   - New Internet Access Control Tool
   - Analyze Internal and External Firewall Activity

6. HOT RELEASE (ADVERTISEMENT)
   - VeriSign - The Internet Trust Company

7. SECURITY TOOLKIT
   - Book Highlight: Defending Your Digital Assets Against Hackers, Crackers, Spies and Thieves
   - Tip: Disable Various Automatic Operations

8. HOT THREADS
   - Windows 2000 Magazine Online Forums:
       Copy Security
   - Win2KSecAdvice Mailing List:
       FrontPage Permissions with the Everyone Group
       Xing MP3 Player Disables Screensaver Under Win2K
   - HowTo Mailing List:
       Impact of C2 Configuration
       NT 4.0 Security Log Permissions

~~~~ SPONSOR: TREND MICRO -- YOUR INTERNET VIRUSWALL ~~~~
You'll not need the luck of the Irish or a four-leaf clover this St. Patrick's Day if you have Trend Micro's antivirus solutions installed across your enterprise.
Trend Micro is the world leader in antivirus technologies that offer protection for the Internet gateway, Notes and Exchange email servers, desktops, and everywhere in between. Trend Micro's products interlock under a web-based management console to form an ironclad VirusWall all around your network. Get Trend Micro virus protection and be as carefree as a leprechaun this St. Patrick's Day.
http://www.antivirus.com/irish_luck.htm
For more information, call 800-228-5651 or click the link above.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Want to sponsor Windows 2000 Magazine Security UPDATE? Contact Martha Schwartz (Western and International Advertising Sales Manager) at 212-829-5609 or mschwartz@win2000mag.com, OR Tanya T. TateWik (Eastern Advertising Sales Manager) at 877-217-1823 or ttatewik@win2000mag.com.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. ========== IN FOCUS ==========

Hello everyone,

I'm sure you're aware of networking standards such as HTML, POP3, FTP, Kerberos, and more. But did you know that a formal body known as the Internet Engineering Task Force (IETF--http://www.ietf.org) governs these standards? The IETF helps govern the development and standardization of protocols so that software developers can create interoperable software based on those standards. Because of IETF oversight, various Internet clients, such as Web browsers, work in basically the same manner. You don't need a Netscape Web browser to communicate with a Netscape Web server--any Web browser will work.

When developers use IETF specifications to create a product, users expect that product to work in the same manner as other products based on IETF specifications; however, that's not always the case. Sometimes a development team will deviate from the specifications for its own benefit, to the detriment of the user community. Microsoft's implementation of Kerberos authentication is such a case.
The implementation deviates from IETF specifications, and various people in the industry are understandably angry. The problem is Microsoft's use of the data authorization field. All major Kerberos implementations except Microsoft's leave this field blank. Microsoft uses the field to provide access privileges for a given user when that user authenticates against a Windows 2000 (Win2K) server. Because the field has no specific use in other major Kerberos implementations, Microsoft's use of the field seems harmless; however, Microsoft has refused to publish details about its proprietary implementation of the data authorization field. Also, Microsoft intentionally avoided the usual IETF process when deviating from the Kerberos specifications.

According to Microsoft's Win2K Product Manager Shanen Boettcher, the company is merely using a previously unused data field. But Boettcher failed to state why Microsoft bypassed proper IETF channels. Furthermore, Boettcher couldn't say whether Microsoft would release documentation regarding proper use of the data authorization field. In other words, third-party Kerberos developers are out of luck if they want to fully and directly support Win2K clients. Moreover, businesses that have already invested heavily in UNIX-based Kerberos solutions have only one choice if they intend to directly support Win2K clients: buy Windows 2000 Server (Win2K Server) and pay for an integration.

Microsoft participates with the IETF in creating standards, but the company didn't bother showing any goodwill in this case. Developers made changes to Kerberos without consulting the IETF. Who benefits from such action? To date, Microsoft has refused to document its Kerberos changes. Who benefits from that action? I'm not the only person who finds this situation highly suspicious. What's your opinion? Stop by our home page and take our poll regarding this matter.

Until next time, have a great week.
Sincerely,
Mark Joseph Edwards, News Editor
mark@ntsecurity.net

2. ========== SECURITY RISKS ==========
(contributed by Mark Joseph Edwards, mark@ntsecurity.net)

* BUFFER OVERFLOW IN CLIP ART GALLERY
Microsoft's Clip Art Gallery lets users download clip art files (.cil files) from the Web. Under certain conditions, a malformed field in a .cil file can let arbitrary code execute on the user's computer. The risk is heightened because .cil files can be made available from any Web site and usually install without asking the user for confirmation. Microsoft has issued a patch that corrects the problem.
http://www.ntsecurity.net/go/load.asp?iD=/security/clipart1.htm

* DEVICE NAMES IN A URL CAN CRASH WINDOWS 9X
An intruder can crash Windows 95 and Windows 98 using specially coded URLs that point to a system device (e.g., CON, AUX, NUL) instead of a Web page. An intruder can also use various applications to crash the OS; for example, a malformed WarFTPd command that incorporates a device name will cause a system crash. Microsoft is aware of the problem but has not yet responded.
http://www.ntsecurity.net/go/load.asp?iD=/security/win95-dos2.htm

* INTERNET EXPLORER 5.0 ALLOWS ARBITRARY CODE EXECUTION
Internet Explorer (IE) 5.0 supports a scripting method, window.showHelp(), that opens compiled HTML Help (.chm) files. Under normal operating circumstances, IE refuses to open .chm files over HTTP. However, if the .chm file resides on a network file server or on the local system, IE will open the file. Because of this characteristic, a malicious user can execute arbitrary programs using a shortcut command embedded in a .chm file. Microsoft is aware of the problem but has not yet responded.
http://www.ntsecurity.net/go/load.asp?iD=/security/ie513.htm

* OMNIBACK SUBJECT TO DENIAL OF SERVICE
Omniback is a Hewlett-Packard product that performs system backup routines. An Omniback service typically listens on TCP port 5555.
When a connection is made on port 5555 of an Omniback-enabled system, Omniback's OmniInet process consumes memory until the system crashes. Omniback does not free allocated memory when the connection closes, so an intruder can launch a Denial of Service (DoS) attack by opening an excessive number of connections to consume all available system resources.
http://www.ntsecurity.net/go/load.asp?iD=/security/omniback1.htm

3. ========== ANNOUNCEMENTS ==========

* CONFERENCE: WINDOWS 2000 IN THE ENTERPRISE
Will Windows 2000 (Win2K) be your server platform of choice? This thorny question is the reason more and more organizations are turning to the GartnerGroup to evaluate the promise and pitfalls of this new technology. GartnerGroup analysts offer an in-depth, yet independent, assessment of Win2K and give you the information you need to make an informed decision. You can experience GartnerGroup's expertise at our conference, "Windows 2000 in the Enterprise: Off the Shelf and Into the Fire," to take place April 26 to 28, 2000, in San Francisco. For additional information about this exciting conference, go to
http://www.gartner.com/nt/usa

* SECURITY POLL: WHAT'S UP WITH MICROSOFT'S KERBEROS DOCUMENTATION?
Internet developers are fuming at Microsoft's lack of documentation regarding its use of Kerberos' data authorization field. Why won't Microsoft release documentation? We pose this question in a new survey on our home page. Stop by and cast your vote today.
http://www.ntsecurity.net

4. ========== SECURITY ROUNDUP ==========

* FEATURE: KERBEROS IN WINDOWS 2000
In Greek mythology, Kerberos is the three-headed dog that guards the entrance to the underworld. The latest Kerberos development is a little less ferocious. Request for Comments (RFC) 1510 defines the basic Kerberos protocol, which MIT researchers developed as part of the Athena project and which deals with user authentication.
Microsoft embedded its version of Kerberos in Windows 2000 (Win2K) as the default authentication protocol. In this article, Jan de Clercq discusses key features of Microsoft's Kerberos implementation.
http://www.ntsecurity.net/go/2c.asp?f=/features.asp?IDF=153&TB=f

* HOWTO: MAXIMIZING PROXY SERVER SECURITY
For many organizations, Microsoft Proxy Server is the front line of security for their network. Proxy Server's ability to hide a company's internal IP address space and prevent IP routing between the internal network and the Internet gives companies a good security baseline. Proxy Server also attracts many customers by promising Plug-and-Play (PnP) security and by leveraging a company's existing Windows NT and Microsoft BackOffice infrastructure and user account database. Be sure to read the rest of Sean Daily's article on our Web site.
http://www.ntsecurity.net/go/2c.asp?f=/howto.asp?IDF=119&TB=h

* REVIEW: SYNCH PASSWORDS WITH SAM/PS OR P-SYNCH 3.5
In today's mixed network environment, users have too many passwords to remember, and each environment has different rules for password quality and aging. Users frequently forget their passwords and are locked out by each system's intruder-detection policy. Single sign-on (SSO) is an elegant solution, but it might be too complex and expensive to implement in your environment. When SSO doesn't work, you need to consider consistent sign-on (CSO). CSO's core function is password synchronization. Looking for a password synchronization solution? Be sure to read Randy Franklin Smith's review of two password synchronization tools, SAM/PS and P-Synch 3.5.
http://www.ntsecurity.net/go/2c.asp?f=/reviews.asp?IDF=120&TB=r

~~~~ SPONSOR: FREE DENIAL OF SERVICE ATTACK WEBCAST ~~~~
AXENT(R)'s "Everything You Need to Know About Distributed Denial of Service Attacks" WebCast teaches you how to protect yourself against DDoS attacks with NetProwler(tm) and Intruder Alert(tm) by transparently monitoring traffic in real time and instantly reacting to attempted attacks. Space is limited - register today at http://www.win2000mag.com/jump.cfm?ID=16 to reserve your spot. AXENT is the leading provider of e-security solutions for your business, delivering integrated products and expert services to 45 of the Fortune 50 companies.

5. ========== NEW AND IMPROVED ==========
(contributed by Judy Drennen, products@win2000mag.com)

* NEW INTERNET ACCESS CONTROL TOOL
GFI FAX & VOICE launched LANguard, a new Internet access control tool that monitors internal traffic for threats and helps secure the network against unauthorized access. LANguard also stems unproductive use of the Internet by monitoring users' Web surfing patterns according to the organization's specific requirements and helps protect against internal security threats, such as users accessing confidential data. The product blocks external TCP/IP traffic from the Internet and helps protect the network from electronic break-ins and other threats. LANguard pricing starts at $250 for the 10-user version. An evaluation copy is available from http://www.languard.com/languard/landownload.htm.
http://www.languard.com

* ANALYZE INTERNAL AND EXTERNAL FIREWALL ACTIVITY
WebTrends released WebTrends Firewall Suite 2.0, a utility that monitors and analyzes an enterprise's firewall, VPN, and proxy usage. New features include remote reporting on high-traffic installations, Web site categorization using SurfWatch Software technology, integrated bandwidth cost analysis, and support for several new firewalls.
WebTrends Firewall Suite helps businesses secure their investments in corporate data, manage bandwidth, and ensure that employees are using the Web productively. Advanced monitoring features let managers analyze internal and external firewall activity and identify security breaches. WebTrends Firewall Suite 2.0 pricing starts at $1999. For more information or to download a free 14-day trial, go to the company's Web site or call 503-294-7025 x2249.
http://www.webtrends.com

6. ========== HOT RELEASE (ADVERTISEMENT) ==========

* VERISIGN - THE INTERNET TRUST COMPANY
Running an e-commerce site? Then you need a new FREE Guide from VeriSign, "Securing Your Web Site for Business." You will learn everything you need for serious online security. Click here now!
http://www.verisign.com/cgi-bin/go.cgi?a=n034505190013000

7. ========== SECURITY TOOLKIT ==========

* BOOK HIGHLIGHT: DEFENDING YOUR DIGITAL ASSETS AGAINST HACKERS, CRACKERS, SPIES AND THIEVES
By Randall K. Nichols, Daniel Ryan, et al.
Online Price: $39.95
Softcover; 858 pages
Published by McGraw-Hill, December 1999
ISBN: 0072122854

With computer attacks and break-ins becoming more widespread, network administrators need a valuable resource to help them protect their systems. Defending Your Digital Assets Against Hackers, Crackers, Spies and Thieves is written for the manager and policy maker, to assist professionals responsible for protecting their organization's information assets. Anyone working with information security--from CIOs and operations directors to programmers and database managers--can benefit from this detailed examination of IT security.

For Windows 2000 Magazine Security UPDATE readers only--Receive an additional 10 PERCENT off the online price by typing WIN2000MAG in the referral field on the Shopping Basket Checkout page. To order this book, go to
http://www.fatbrain.com/shop/info/0072122854?from=SUT864
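The "device names in a URL" item under SECURITY RISKS gives administrators something concrete to watch for in Web server logs. The following is an added example, not code from the newsletter or from any vendor: it flags requests whose path segment names a reserved device, ignoring any extension the way Windows does. The log lines it scans are constructed samples, and the reserved names beyond the CON, AUX and NUL the item lists (PRN, COM1-COM9, LPT1-LPT9) are assumed from the set Windows reserves.

```python
"""Flag HTTP requests whose path names a reserved DOS/Windows device.

Added example for the "device names in a URL" item under SECURITY RISKS;
it is not code from the newsletter or from Microsoft. Windows resolves a
path segment to a device by the name before its first dot, so /con,
/con.txt and /images/aux.gif all name a device. CON, AUX and NUL are the
names the item lists; PRN, COM1-COM9 and LPT1-LPT9 are the other names
Windows reserves. The log lines below are constructed samples.
"""
import re
from urllib.parse import unquote, urlsplit

RESERVED_DEVICES = ({"CON", "PRN", "AUX", "NUL"}
                    | {f"COM{n}" for n in range(1, 10)}
                    | {f"LPT{n}" for n in range(1, 10)})

# Common Log Format: host ident user [time] "METHOD target PROTO" status bytes
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def device_segments(target: str) -> list:
    """Return the path segments of a request target that name a device.

    Only the path is inspected; query-string values are left to the
    application that interprets them.
    """
    path = unquote(urlsplit(target).path)
    hits = []
    for segment in re.split(r"[\\/]", path):        # accept either separator
        base = segment.split(".", 1)[0].rstrip(" ")  # "aux.gif" still means AUX
        if base.upper() in RESERVED_DEVICES:
            hits.append(segment)
    return hits


def scan_log(lines) -> list:
    """Return (host, target, segments) for each request naming a device."""
    flagged = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                                  # not CLF; skip quietly
        hits = device_segments(m["target"])
        if hits:
            flagged.append((m["host"], m["target"], hits))
    return flagged


SAMPLE_LOG = [  # constructed
    '10.0.0.5 - - [08/Mar/2000:10:01:02 -0800] "GET /index.html HTTP/1.0" 200 1043',
    '10.0.0.9 - - [08/Mar/2000:10:01:07 -0800] "GET /images/aux.gif HTTP/1.0" 404 210',
    '10.0.0.9 - - [08/Mar/2000:10:01:09 -0800] "GET /con/con HTTP/1.0" 404 210',
    '10.0.0.9 - - [08/Mar/2000:10:01:11 -0800] "GET /nul%2Enul HTTP/1.0" 404 210',
    '10.0.0.7 - - [08/Mar/2000:10:02:00 -0800] "GET /contact.html HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    for host, target, hits in scan_log(SAMPLE_LOG):
        print(f"{host} requested {target}: device name(s) {hits}")
```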
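Ahead of the tip that follows on "Confirm open after download", here is an added example (not from the newsletter) that audits that setting across all registered file types from the registry rather than one Explorer dialog at a time. It assumes the checkbox maps to the FTA_OpenIsSafe bit (0x10000) of each ProgId's EditFlags value under HKEY_CLASSES_ROOT, uses constructed sample mappings with hypothetical ProgId names, and reads the live registry only on Windows.

```python
"""Audit which file types Explorer opens after download without asking.
Added example for the tip that follows on "Confirm open after download";
not code from the newsletter. Explorer keeps that checkbox in the EditFlags
value of the type's ProgId under HKEY_CLASSES_ROOT: the box is unchecked
when the FTA_OpenIsSafe bit (0x10000) is set. Sample mappings below are
constructed (hypothetical ProgIds); read_live_mappings() is Windows-only.
"""
import sys

FTA_OPENISSAFE = 0x00010000

def edit_flags_value(raw) -> int:
    """EditFlags may be REG_DWORD (int) or a little-endian REG_BINARY
    blob (bytes); a missing value (None) means no flags are set."""
    if raw is None:
        return 0
    if isinstance(raw, (bytes, bytearray)):
        return int.from_bytes(bytes(raw[:4]).ljust(4, b"\0"), "little")
    return int(raw)

def confirmed_flags(raw) -> int:
    """The EditFlags value to write so that the type prompts before opening."""
    return edit_flags_value(raw) & ~FTA_OPENISSAFE

def audit(ext_to_progid, progid_flags) -> list:
    """Sorted extensions whose type opens straight after download."""
    return sorted(ext for ext, progid in ext_to_progid.items()
                  if edit_flags_value(progid_flags.get(progid)) & FTA_OPENISSAFE)

# Constructed sample: a clip art package type that installs silently, a compiled
# HTML type already set to prompt, and a text type stored as REG_BINARY.
SAMPLE_EXT_TO_PROGID = {".cil": "ClipArtPackage", ".chm": "chm.file", ".txt": "txtfile"}
SAMPLE_PROGID_FLAGS = {"ClipArtPackage": 0x00010000,
                       "chm.file": 0x00000000,
                       "txtfile": b"\x00\x00\x01\x00"}

def read_live_mappings():
    """Windows only: build the same two mappings from HKEY_CLASSES_ROOT."""
    import winreg
    root = winreg.HKEY_CLASSES_ROOT
    ext_to_progid, progid_flags = {}, {}
    for i in range(winreg.QueryInfoKey(root)[0]):      # subkey count
        name = winreg.EnumKey(root, i)
        if not name.startswith("."):
            continue
        progid, raw = None, None
        try:
            progid = winreg.QueryValue(root, name)      # default value = ProgId
            with winreg.OpenKey(root, progid) as key:
                raw = winreg.QueryValueEx(key, "EditFlags")[0]
        except OSError:
            pass                                        # no ProgId or no EditFlags
        if progid:
            ext_to_progid[name] = progid
            progid_flags[progid] = raw
    return ext_to_progid, progid_flags

if __name__ == "__main__":
    exts, flags = read_live_mappings() if sys.platform == "win32" else (SAMPLE_EXT_TO_PROGID, SAMPLE_PROGID_FLAGS)
    for ext in audit(exts, flags):
        print(f"{ext}: opens without confirmation; set EditFlags to {confirmed_flags(flags[exts[ext]]):#x}")
```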
* TIP: DISABLE VARIOUS AUTOMATIC OPERATIONS
(contributed by Mark Joseph Edwards, mark@ntsecurity.net)

We've reported numerous security risks that involve the OS's automatic actions on certain file types. The buffer overflow risk reported this week in Microsoft's Clip Art Gallery is a perfect example of an automatic operation: by default, the system installs clip art update files after download without user intervention, and that situation represents a significant risk.

How do you prevent this and other automatic file operations? The answer is simple: adjust the parameters for the various file types. If you open Windows NT Explorer and choose View, Folder Options, File Types, you'll notice that you can control each entry in a manner that requires user intervention before the system takes any action. Double-click a file-type entry to view its properties. You'll see a checkbox at the bottom of the dialog box labeled "Confirm open after download." When you check this box, downloading a file of that type causes a prompt to appear, asking whether you're certain you want to open the file.

Navigate the list of file types and inspect each item in the list. Enable the confirmation checkbox discussed above for file types with known security risks, such as compiled HTML files (.chm) or Clip Art Gallery download packages (.cil). This procedure won't eliminate all file-type risks, but it will reduce your risk by preventing files from being downloaded and acted upon by the OS without your direct knowledge.

8. ========== HOT THREADS ==========

* WINDOWS 2000 MAGAZINE ONLINE FORUMS
The following text is from a recent threaded discussion on the Windows 2000 Magazine online forums (http://www.win2000mag.com/support).

March 06, 2000, 08:36 A.M.
Copy Security
I have added a new external array (logical drive) to my file server. I need to copy folders and files to the new array.
To be more specific, I am going to copy the home folders over to the external array. I am running out of disk space on my server. I want to be able to move or copy the security permissions and share permissions with the folders and files. I have looked at permcopy but it doesn't really do what I want.

Thread continues at
http://www.win2000mag.com/support/Forums/Application/Index.cfm?CFApp=69&Message_ID=93816

* WIN2KSECADVICE MAILING LIST
Each week we offer a quick recap of some of the highlights from the Win2KSecAdvice mailing list. The following threads are in the spotlight this week:

1. FrontPage Permissions with the Everyone Group
http://www.ntsecurity.net/go/w.asp?A2=IND0003A&L=WIN2KSECADVICE&P=938

2. Xing MP3 Player Disables Screensaver Under Win2K
http://www.ntsecurity.net/go/w.asp?A2=IND0003A&L=WIN2KSECADVICE&P=608

Follow this link to read all threads for March, Week 1:
http://www.ntsecurity.net/go/win2ks-l.asp?s=win2ksec

* HOWTO MAILING LIST
Each week we offer a quick recap of some of the highlights from the HowTo for Security mailing list. The following threads are in the spotlight this week:

1. Impact of C2 Configuration
http://www.ntsecurity.net/go/L.asp?A2=IND0003A&L=HOWTO&P=6710

2. NT 4.0 Security Log Permissions
http://www.ntsecurity.net/go/L.asp?A2=IND0003A&L=HOWTO&P=6920

Follow this link to read all threads for March, Week 1:
http://www.ntsecurity.net/go/l.asp?s=howto

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

WINDOWS 2000 MAGAZINE SECURITY UPDATE STAFF
News Editor - Mark Joseph Edwards (mje@win2000mag.com)
Ad Sales Manager (Western and International) - Martha Schwartz (mschwartz@win2000mag.com)
Ad Sales Manager (Eastern) - Tanya T. TateWik (ttatewik@win2000mag.com)
Editor - Gayle Rodcay (gayle@win2000mag.com)
New and Improved - Judy Drennen (products@win2000mag.com)
Copy Editor - Judy Drennen (jdrennen@win2000mag.com)

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

Thank you for reading Windows 2000 Magazine Security UPDATE.

To subscribe, go to http://www.win2000mag.com/update or send email to listserv@listserv.ntsecurity.net with the words "subscribe securityupdate anonymous" in the body of the message without the quotes.

To unsubscribe, send email to listserv@listserv.ntsecurity.net with the words "unsubscribe securityupdate" in the body of the message without the quotes.

To change your email address, you must first unsubscribe by sending email to listserv@listserv.ntsecurity.net with the words "unsubscribe securityupdate" in the body of the message without the quotes. Then, resubscribe by going to http://www.win2000mag.com/update and entering your current contact information or by sending email to listserv@listserv.ntsecurity.net with the words "subscribe securityupdate anonymous" in the body of the message without the quotes.

========== GET UPDATED! ==========
Receive the latest information on the Windows 2000 and Windows NT topics of your choice. Subscribe to these other FREE email newsletters at http://www.win2000mag.com/sub.cfm?code=up99inxsup.

Windows 2000 Magazine UPDATE
Windows 2000 Magazine Thin-Client UPDATE
Windows 2000 Magazine Exchange Server UPDATE
Windows 2000 Magazine Enterprise Storage UPDATE
Windows 2000 Pro UPDATE
ASP Review UPDATE
SQL Server Magazine UPDATE
IIS Administrator UPDATE
XML UPDATE
WinInfo UPDATE

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

Copyright 2000, Windows 2000 Magazine
Security UPDATE is powered by LISTSERV software
http://www.lsoft.com/LISTSERV-powered.html