**********************************************************
WINDOWS 2000 MAGAZINE SECURITY UPDATE
**Watching the Watchers**
The weekly Windows NT and Windows 2000 security update newsletter
brought to you by Windows 2000 Magazine and NTSecurity.net
http://www.win2000mag.com/update/
**********************************************************

This week's issue sponsored by

New for Windows 95/98/NT/2000
http://www.execsoft.com/execsoft.asp

Network-1 Security Solutions – Embedded NT Firewalls
http://www.network-1.com/eval/eval6992.htm
(Below SECURITY ROUNDUP)

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-
March 1, 2000 - In this issue:

1. IN FOCUS

2. SECURITY RISKS
     - TelnetD Subject to Denial of Service
     - Windows Media Services Denial of Service
     - Systems Management Server Might Allow Elevated Privileges
     - Wordpad Can Execute Embedded Code
     - Internet Explorer Allows Component Regression

3. ANNOUNCEMENTS
     - Join the 60,000 Professionals Who Read SQL Server Magazine UPDATE!
     - Enterprise Storage UPDATE - Free Email Newsletter
     - Conference: Windows 2000 in the Enterprise
     - Security Poll: Do You Think The NSA Uses Echelon Illegally?

4. SECURITY ROUNDUP
     - News: Echelon: Nothing Sacred
     - Feature: Add Fuel to Your Firewall
     - Feature: Backups Are Bad News
     - HowTo: Is Your RAS Server Listening?

5. NEW AND IMPROVED
     - Extended Integration of Popular Security Products
     - Identify Security Deficiencies

6. HOT RELEASES (ADVERTISEMENT)
     - Controlled Migration Suite for Windows 2000 Migration
     - AXENT’s FREE Denial of Service Attack WebCast

7. SECURITY TOOLKIT
     - Book Highlight: Intrusion Detection
     - Tip: Disable Source Routing on Windows NT
     - Review: Hackershield 2.0

8. HOT THREADS
     - Windows 2000 Magazine Online Forums:
         * Exchange Password Change
     - Win2KSecAdvice Mailing List:
         * Classic Buffer Overflow Explanation?
         * Troj_Trin00 and ZZ
     - HowTo Mailing List:
         * Logging and Monitoring Traffic at the Firewall
         * Deny Source-Routed Addressing

~~~~ SPONSOR: NEW FOR WINDOWS 95/98/NT/2000 ~~~~
Diskeeper 5.0, the market leading network defragmenter, has just been officially recognized as ‘Windows 2000 Certified.’ “We’re pleased to announce that Executive Software’s Diskeeper 5.0 has become the first and only utility to pass the stringent requirements of being Windows 2000 Certified,” says John McVay, Microsoft Certified Logo Program Manager for VeriTest. After passing each point of Microsoft’s 500-page certification checklist, Diskeeper 5.0 has been judged to provide the safety, manageability and reliability required in any product that wears the coveted ‘Windows 2000 Certified’ logo. Experience first hand the benefits of increased system performance across your entire site. Test new Diskeeper 5.0 today at
http://www.execsoft.com/execsoft.asp

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Want to sponsor Windows 2000 Magazine Security UPDATE? Contact Martha Schwartz (Western and International Advertising Sales Manager) at 212-829-5609 or mschwartz@win2000mag.com, OR Tanya T. TateWik (Eastern Advertising Sales Manager) at 877-217-1823 or ttatewik@win2000mag.com.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. ========== IN FOCUS ==========

Hello everyone,

By now you've probably heard the rumors about the National Security Agency's (NSA) alleged communications spy network called Echelon. In case you aren't aware, Echelon allegedly can monitor almost every type of communication, including telephone conversations; faxes; email messages; radio, satellite, fiber optic, and microwave transmissions; and even face-to-face conversations in many instances.

The public first heard about Echelon years ago as a tool in the Cold War. Echelon was supposed to help America keep an eye on our alleged enemies.
During the Cold War, people didn't seem to care about such electronic eavesdropping--they'd do anything to prevent another world war. But today's widespread use of the Internet and other forms of electronic communication make the concern over Echelon a different ball game.

Privacy is one of the hottest topics associated with electronic technology, and people take extreme measures to secure their privacy. With Echelon in place, you probably can't achieve total privacy in electronic communication. But strong encryption protects your data and communications, you say? I don't think that matters anymore. If a loosely organized group cracking effort (such as the ones organized by distributed.net) can crack a 56-bit Data Encryption Standard (DES) encryption key in only 22 hours using personal computers, imagine what a boat load of state-of-the-art supercomputers can do to your supposedly secure 1024-bit Pretty Good Privacy (PGP) key. Logic dictates that with enough money to buy the necessary processing power, malicious users can crack even large keys in a reasonable time period.

People such as British author Duncan Campbell have consistently drawn attention to Echelon, and the TV program 60 Minutes aired a show about Echelon last Sunday. These ongoing reports allege that the NSA and other global spy organizations have run an Echelon-type operation for years. In the past, the NSA would have denied the existence of Echelon; today the NSA focuses on fending off claims that personal privacy is being abused using the Echelon network.

The NSA claims that government agencies aren't using Echelon to invade the privacy of citizens, but who is accountable to ensure that claim remains true? Where are the necessary checks and balances, and how can we, the public who funds such activities, inspect these checks and balances to arrive at some level of comfort? The answer is that we currently have no public controls over this clandestine operation.
Without proper government oversight and public disclosure about Echelon operations, we can only hope that the spy network is being properly used, and that's not good enough when it comes to our privacy.

Where there is secrecy, there is also suspicion, so when the NSA asks American citizens to accept on faith that it isn't violating our constitutional rights, I have to wonder whose track record we're supposed to base our faith on. Can Echelon operators resist the temptation to abuse such technology? Are the rights of citizens truly respected during the NSA's foreign intelligence gathering activities? We simply don't know for sure.

I'm interested in what you think. Stop by our home page (http://www.ntsecurity.net), and cast your vote in our new security poll regarding Echelon. We'll print the results in a future issue of this newsletter. Until next time, have a great week.

Mark Joseph Edwards, News Editor
mark@ntsecurity.net

2. ========== SECURITY RISKS =========
(contributed by Mark Joseph Edwards, mark@ntsecurity.net)

* TELNETD SUBJECT TO DENIAL OF SERVICE
UssrLabs reported a problem in older builds of TelnetD in which the code that handles the logon commands for a telnet session contains an unchecked buffer. An intruder can overflow the buffer and run arbitrary code on the server. Pragma Systems recommends upgrading to the latest build, which does not contain this error. UssrLabs also found a bug in TelnetD Build 7, in which the code that performs the client connection procedure has an unchecked buffer that can cause the TelnetD service to crash, leading to a Denial of Service (DoS) attack. Pragma Systems responded immediately by issuing a patched version of the software.
http://www.ntsecurity.net/go/load.asp?iD=/security/telnetd2.htm
http://www.ntsecurity.net/go/load.asp?iD=/security/telnetd3.htm

* WINDOWS MEDIA SERVICES DENIAL OF SERVICE
If client-side handshake packets are sent in a particular disordered sequence, with certain timing constraints, the Windows Media Services server will attempt to use a resource before the resource is initialized, causing the Windows Media Unicast Service to crash. Microsoft has released patches that correct this matter.
http://www.ntsecurity.net/go/load.asp?iD=/security/media1.htm

* SYSTEMS MANAGEMENT SERVER MIGHT ALLOW ELEVATED PRIVILEGES
According to a Microsoft report, if a user has installed and enabled the Systems Management Server (SMS) 2.0 Remote Control feature, the folder in which the remote agent resides has its permissions set to Everyone Full Control by default. If a malicious user replaces the client code, the new code will run automatically in a system context the next time someone logs on. Microsoft has released patches for Intel and Alpha platforms that correct this matter.
http://www.ntsecurity.net/go/load.asp?iD=/security/sms3.htm

* WORDPAD CAN EXECUTE EMBEDDED CODE
Georgi Guninski reported a vulnerability in Wordpad that lets an intruder run arbitrary programs, without warning the user, after activating an embedded or linked object. Wordpad executes programs embedded in .doc or .rtf documents without any warning if a user double-clicks the item. An intruder can exploit this vulnerability under Internet Explorer (IE) for Windows 9x using the View Source: protocol. Microsoft has made no public comment regarding this matter.
http://www.ntsecurity.net/go/load.asp?iD=/security/wordpad2.htm

* INTERNET EXPLORER ALLOWS COMPONENT REGRESSION
Juan Carlos Garcia Cuartango discovered that under normal operational circumstances, a Web-based installation process running under Internet Explorer (IE) will inform the user about any authentication signature found in a software package before letting the user install the software. However, this procedure doesn't apply to programs with Microsoft authentication signatures; these programs install without user notification. Microsoft has made no comment at the time of this writing.
http://www.ntsecurity.net/go/load.asp?iD=/security/ie512.htm

3. ========== ANNOUNCEMENTS ==========

* JOIN THE 60,000 PROFESSIONALS WHO READ SQL SERVER MAGAZINE UPDATE!
More than 60,000 SQL Server professionals subscribe to SQL Server Magazine UPDATE--a FREE and fast way to get the latest SQL Server information. The email newsletter is delivered every Thursday and provides you with what you need to know to get your job done. Written by experts, SQL Server Magazine UPDATE is for anyone working with SQL Server. You can't afford to miss the next issue! And for those of you who work with XML, become a charter subscriber to the new XML UPDATE, which is scheduled to launch in late March. Click below to subscribe today!
http://www.win2000mag.com/sub.cfm?code=up00inxsqp

* ENTERPRISE STORAGE UPDATE - FREE EMAIL NEWSLETTER
Storage has become a dynamic and vital industry, with new products and new approaches to managing and storing data, the enterprise's lifeblood and most tangible asset. Enterprise Storage UPDATE, the newest offering from Windows 2000 Magazine, will cover new developments, technological advances, and important products in the Windows 2000 (Win2K) and Windows NT storage market. Subscribe now at http://www.win2000mag.com/sub.cfm?code=up99inbiup.

* CONFERENCE: WINDOWS 2000 IN THE ENTERPRISE
Will Windows 2000 (Win2K) be your server platform of choice?
This thorny question is the reason more and more organizations are turning to The GartnerGroup to evaluate the promise and pitfalls of this new technology. GartnerGroup analysts offer an in-depth, yet independent, assessment of Win2K and give you the information you need to make an informed decision. You can experience GartnerGroup's expertise at our conference, "Windows 2000 in the Enterprise: Off the Shelf and Into the Fire," to take place April 26 to 28, 2000, in San Francisco, California. For additional information about this exciting conference, just use the link http://www.gartner.com/nt/usa.

* SECURITY POLL: DO YOU THINK THE NSA USES ECHELON ILLEGALLY?
The global spy and data gathering network known as Echelon is attracting heated attention. We've posted a new survey asking whether you believe the NSA's claim that it does not break the law when it uses Echelon to snoop on communications worldwide. Stop by our home page and submit your answer today.
http://www.ntsecurity.net

4. ========== SECURITY ROUNDUP ==========

* NEWS: ECHELON: NOTHING SACRED
British author Duncan Campbell spoke at a hearing of the European Parliament (EP) on February 23 and stated that his new report on Echelon is the first real proof that such a network actually exists. Campbell claims that Microsoft, IBM, and an unnamed "large American microchip maker" are participating in Echelon through the provision of certain features in their products that allow the interception of any information that flows from an affected system.
http://www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=218&TB=news

* FEATURE: ADD FUEL TO YOUR FIREWALL
To secure an Internet-connected network, firewalls are a necessary component in your arsenal of tools. However, firewalls alone are no longer sufficient protection because they're static devices that enforce a particular rule set. This setup means that intruders can use valid, legal packets to attack your network and compromise your security. Read the rest of Gary C.
Kessler's article on our Web site.
http://www.ntsecurity.net/go/2c.asp?f=/features.asp?IDF=152&TB=f

* FEATURE: BACKUPS ARE BAD NEWS
Mark Minasi's new assistant started her first backup the other day. After Mark ran her through the backup options, he turned her loose to do a full backup of the main servers. She fired up Windows NT Backup, which promptly locked up the whole system, including Task Manager. She did the right thing and left NT Backup running. Read the rest of Mark's article on our Web site.
http://www.ntsecurity.net/go/2c.asp?f=/features.asp?IDF=151&TB=f

* HOWTO: IS YOUR RAS SERVER LISTENING?
When Windows NT, Windows 9x, or Windows for Workgroups (WFW) clients use RAS to connect to an NT network, what subset of functionality do they have vs. local LAN-connected clients? To answer this question, Sean Daily delved under the hood and determined how NT limits RAS client connectivity, and what you can do to change this behavior. Be sure to read the rest of Sean's article on our Web site.
http://www.ntsecurity.net/go/2c.asp?f=/howto.asp?IDF=118&TB=h

~~~~ SPONSOR: NETWORK-1 SECURITY SOLUTIONS – EMBEDDED NT FIREWALLS ~~~~
Don’t let your network become a target of denial of service attacks. Defend it with CyberwallPLUS - the first embedded firewall designed specifically to protect NT and 2000 servers. It is the only firewall that gives system administrators the network access control and intrusion prevention needed to secure valuable servers and cost-effectively scale to preserve performance and reliability. CyberwallPLUS gives NT a whole new meaning – No Trespassing. Visit http://www.network-1.com/eval/eval6992.htm for a free CyberwallPLUS evaluation kit and white paper.

5. ========== NEW AND IMPROVED ==========
(contributed by Judy Drennen, products@win2000mag.com)

* EXTENDED INTEGRATION OF POPULAR SECURITY PRODUCTS
e-Security announced extended integration of 29 popular security products with its Open e-Security Platform (OeSP).
The integration is specific to 10 separate categories of information security: firewalls, intrusion detection (network- and host-based), OSs, antivirus, Web servers, databases, policy monitoring, vulnerability assessment, and authentication. OeSP integrates multivendor security software and other security devices so that companies can conduct real-time surveillance of their distributed enterprise security environment from one console with a graphical display.
http://www.esecurityinc.com/

* IDENTIFY SECURITY DEFICIENCIES
Harris released Security Test and Analysis Tool (STAT) 3.0, security software that helps you identify and eliminate security deficiencies. The AutoFix feature lets you automatically detect and repair security problems. Other features include enhanced screen navigation and the ability to access hidden network machines. With a mouse click you can perform analysis of one machine or an entire domain. A monthly update service provides information about the latest security threats and defense techniques. STAT 3.0 runs on Windows NT systems. For pricing, contact Harris, 800-442-7747 extension 700.
http://www.statonline.com

6. ========== HOT RELEASE (ADVERTISEMENT) ==========

* CONTROLLED MIGRATION SUITE FOR WINDOWS 2000 MIGRATION
Eliminate help desk calls during migration! Aelita Software's Controlled Migration Suite is the FIRST and ONLY solution offering PASSWORD SYNCHRONIZATION, migration of NT user passwords to Windows 2000. Other unique features: SIDhistory Cleanup and AD planning. Visit:
http://www.aelita.com/Products/cms.htm

* AXENT’S FREE DENIAL OF SERVICE ATTACK WEBCAST
Learn how to protect your e-business against Denial of Service attacks by transparently monitoring traffic in real-time and instantly reacting to attempted attacks. Free one-hour webcast on March 22. Space is limited - register today:
http://www.win2000mag.com/jump.cfm?ID=15

7.
========== SECURITY TOOLKIT ==========

* BOOK HIGHLIGHT: INTRUSION DETECTION
By Rebecca Gurley Bace
Special Price: $50.00
Hardcover; 339 pages
Published by Macmillan Computer Publishing, December 1999
ISBN 1578701856

With the number of intrusion and hacking incidents on the rise, the importance of having dependable intrusion detection systems in place is greater than ever. Offering both a developmental and technical perspective on this crucial element of network security, Intrusion Detection covers

- Practical considerations for selecting and implementing intrusion detection systems
- Methods for handling the results of analysis, and the options for responses to detected problems
- Data sources commonly used in intrusion detection and how they influence the capabilities of all intrusion detection systems
- Legal issues surrounding detection and monitoring that affect the design, development, and operation of intrusion detection systems

For Windows 2000 Magazine Security UPDATE readers only--Receive an additional 10 PERCENT off the online price by typing WIN2000MAG in the referral field on the Shopping Basket Checkout page. To order this book, go to http://www.fatbrain.com/shop/info/1578701856?from=SUT864.

* TIP: DISABLE SOURCE ROUTING ON WINDOWS NT
(contributed by Mark Joseph Edwards, mark@ntsecurity.net)

A user recently asked how to disable source routing on his Windows NT system. (Source routing can fool routers into thinking that the packets originated from within their own borders, when in reality, they came from outside the network borders. Intruders can use source routing to help penetrate a network by injecting particular packets into the network.)

To prevent source-routed packets from traversing your network borders, disable that functionality on your router equipment. If your router can't block source-routed packets, it's time to get a new router! In some cases, people use NT as a router to control traffic flow.
If you must disable source routing on an NT system, perform the following Registry modification, which requires Service Pack 5 (SP5) or higher.

Locate the following key in the Registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

Under that key, add a value with the following parameters:

Name: DisableIPSourceRouting
Type: REG_DWORD
Value: 0, 1 or 2

A value of zero enables source routing; 1 disables source routing when IP forwarding is also enabled; and 2 disables source routing completely, which is the recommended setting for the best security. You'll find a copy of these instructions in Microsoft's Support Online article Q217336.
http://support.microsoft.com/support/kb/articles/q217/3/36.asp

* REVIEW: HACKERSHIELD 2.0
Bindview's HackerShield detects and tests for security vulnerabilities in NT hosts. It checks for more than 450 potential problems and can automatically update itself with new security checks from BindView. HackerShield can also repair some vulnerabilities automatically and reverse any changes made, if necessary. In addition to common Web server vulnerabilities, the scanner also tests for potential Denial of Service (DoS) problems. It tests and scans all TCP/IP devices, but this review focuses on HackerShield's performance and features when scanning NT-only environments. Be sure to read the rest of Steve Manzuik's Web exclusive review on the NTSecurity.net Web site.
http://www.ntsecurity.net/go/ultimate.asp

8. ========== HOT THREADS ==========

* WINDOWS 2000 MAGAZINE ONLINE FORUMS
The following text is from a recent threaded discussion on the Windows 2000 Magazine online forums (http://www.win2000mag.com/support).

Exchange Password Change
February 28, 2000 12:48 PM
I have a problem with Exchange and was hoping someone out there could help. Our Exchange Server is a BDC and when I changed the password to administrator for our domain, Exchange services no longer start up.
Where else do I have to change the password and such for everything to work?

Thread continues at
http://www.win2000mag.com/support/Forums/Application/Index.cfm?CFApp=69&Message_ID=92861

* WIN2KSECADVICE MAILING LIST
Each week we offer a quick recap of some of the highlights from the Win2KSecAdvice mailing list. The following threads are in the spotlight this week:

1. Classic Buffer Overflow Explanation?
http://www.ntsecurity.net/go/w.asp?A2=IND0002D&L=WIN2KSECADVICE&P=3994

2. Troj_Trin00 and ZZ
http://www.ntsecurity.net/go/w.asp?A2=IND0002D&L=WIN2KSECADVICE&P=3903

Follow this link to read all threads for Feb. Week 5:
http://www.ntsecurity.net/go/win2ks-l.asp?s=win2ksec

* HOWTO MAILING LIST
Each week we offer a quick recap of some of the highlights from the HowTo for Security mailing list. The following threads are in the spotlight this week:

1. Logging and Monitoring Traffic at the Firewall
http://www.ntsecurity.net/go/L.asp?A2=IND0002D&L=HOWTO&P=3805

2. Deny Source-Routed Addressing
http://www.ntsecurity.net/go/L.asp?A2=IND0002D&L=HOWTO&P=2951

Follow this link to read all threads for Feb. Week 5:
http://www.ntsecurity.net/go/l.asp?s=howto

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

WINDOWS 2000 MAGAZINE SECURITY UPDATE STAFF
News Editor - Mark Joseph Edwards (mje@win2000mag.com)
Ad Sales Manager (Western and International) - Martha Schwartz (mschwartz@win2000mag.com)
Ad Sales Manager (Eastern) - Tanya T. TateWik (ttatewik@win2000mag.com)
Editor - Gayle Rodcay (gayle@win2000mag.com)
New and Improved - Judy Drennen (products@win2000mag.com)
Copy Editor - Judy Drennen (jdrennen@win2000mag.com)

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

Thank you for reading Windows 2000 Magazine Security UPDATE.
To subscribe, go to http://www.win2000mag.com/update or send email to listserv@listserv.ntsecurity.net with the words "subscribe securityupdate anonymous" in the body of the message without the quotes.

To unsubscribe, send email to listserv@listserv.ntsecurity.net with the words "unsubscribe securityupdate" in the body of the message without the quotes.

To change your email address, you must first unsubscribe by sending email to listserv@listserv.ntsecurity.net with the words "unsubscribe securityupdate" in the body of the message without the quotes. Then, resubscribe by going to http://www.win2000mag.com/update and entering your current contact information or by sending email to listserv@listserv.ntsecurity.net with the words "subscribe securityupdate anonymous" in the body of the message without the quotes.

========== GET UPDATED! ==========
Receive the latest information on the Windows NT and Windows 2000 topics of your choice. Subscribe to these other FREE email newsletters at http://www.win2000mag.com/sub.cfm?code=up99inxsup.

Windows 2000 Magazine UPDATE
Windows 2000 Magazine Thin-Client UPDATE
Windows 2000 Exchange Server UPDATE
Windows 2000 Magazine Enterprise Storage UPDATE
Windows 2000 Pro UPDATE
ASP Review UPDATE
SQL Server Magazine UPDATE
IIS Administrator UPDATE
XML UPDATE
WinInfo UPDATE

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-
Copyright 2000, Windows 2000 Magazine

Security UPDATE is powered by LISTSERV software.
http://www.lsoft.com/LISTSERV-powered.html
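
Added example, not part of the newsletter or of Microsoft's article: a PowerShell audit for the DisableIPSourceRouting value described in the Security Toolkit tip above, showing how the three documented values read once IP forwarding is taken into account. The IPEnableRouter value name, the function names and the sample states are assumptions introduced here; the key path, value name and meanings of 0, 1 and 2 are the ones given in the tip.

```powershell
# Added example, not from the newsletter. The key path and value name come from
# the tip; IPEnableRouter (the TCP/IP value that turns on IP forwarding) is an
# assumption added here and is not mentioned on the page.
$TcpipKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

function Get-SourceRoutingFinding {
    # Pure classification of the two values, so it can be checked without a registry.
    param(
        $DisableIPSourceRouting,   # $null means the value is absent from the key
        $IPEnableRouter            # 1 means IP forwarding is enabled
    )
    $forwarding = ($IPEnableRouter -eq 1)
    if ($null -eq $DisableIPSourceRouting) {
        $status = 'NotSet'
        $detail = 'Value absent: the hardening from the tip has not been applied.'
    } elseif ($DisableIPSourceRouting -eq 2) {
        $status = 'Disabled'
        $detail = 'Source routing disabled completely (the recommended setting).'
    } elseif ($DisableIPSourceRouting -eq 1) {
        $status = 'Conditional'
        if ($forwarding) { $detail = 'Disabled, but only because IP forwarding is enabled.' }
        else { $detail = 'Applies only when IP forwarding is enabled, which it is not here.' }
    } elseif ($DisableIPSourceRouting -eq 0) {
        $status = 'Enabled'
        $detail = 'Source routing is explicitly enabled.'
    } else {
        $status = 'Invalid'
        $detail = 'Value is outside the documented range 0-2.'
    }
    [pscustomobject]@{
        Value        = $DisableIPSourceRouting
        IPForwarding = $forwarding
        Status       = $status
        Compliant    = ($status -eq 'Disabled')
        Detail       = $detail
    }
}

function Get-TcpipParameter {
    # Returns $null when the key or the named value does not exist.
    param([string]$Name)
    $item = Get-ItemProperty -Path $TcpipKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Set-SourceRoutingDisabled {
    # Writes the tip's recommended value (2). Supports -WhatIf for a dry run.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess($TcpipKey, 'Set DisableIPSourceRouting = 2 (REG_DWORD)')) {
        New-ItemProperty -Path $TcpipKey -Name 'DisableIPSourceRouting' `
            -PropertyType DWord -Value 2 -Force | Out-Null
    }
}

# Constructed sample states (not real hosts) so the classification runs offline.
$samples = @(
    @{ Name = 'sample-router';  DisableIPSourceRouting = 1;     IPEnableRouter = 1 },
    @{ Name = 'sample-server';  DisableIPSourceRouting = 1;     IPEnableRouter = 0 },
    @{ Name = 'sample-default'; DisableIPSourceRouting = $null; IPEnableRouter = 0 },
    @{ Name = 'sample-hard';    DisableIPSourceRouting = 2;     IPEnableRouter = 1 }
)
foreach ($s in $samples) {
    $f = Get-SourceRoutingFinding -DisableIPSourceRouting $s.DisableIPSourceRouting `
                                  -IPEnableRouter $s.IPEnableRouter
    '{0,-15} {1,-12} compliant={2}  {3}' -f $s.Name, $f.Status, $f.Compliant, $f.Detail
}

# Live check: runs only where the registry key exists (a Windows host).
if (Test-Path $TcpipKey) {
    Get-SourceRoutingFinding -DisableIPSourceRouting (Get-TcpipParameter 'DisableIPSourceRouting') `
                             -IPEnableRouter (Get-TcpipParameter 'IPEnableRouter')
    # Preview the change before applying it: Set-SourceRoutingDisabled -WhatIf
}
```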