**********************************************************
WINDOWS 2000 MAGAZINE SECURITY UPDATE
**Watching the Watchers**
The weekly Windows 2000 and Windows NT security update newsletter brought to you by Windows 2000 Magazine and NTSecurity.net
http://www.win2000mag.com/update/
**********************************************************

This week's issue sponsored by

RippleTech LogCaster, "Monitor...Alert...Correct"
http://www.rippletech.com/nws_security

Symantec
http://www.symantec.com/specprog/sym/11200e.html
(Below Security Roundup)

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-
February 23, 2000 - In this issue:

1. IN FOCUS
     - Why Intruders Control Internet Insurance

2. SECURITY RISKS
     - Internet Information Server 4.0 Denial of Service
     - Windows Autorun.inf Vulnerability
     - Site Server Commerce User Input Unvalidated
     - Microsoft Java Virtual Machine Exposes User Files
     - Windows 2000 Professional Exposes System During Installation
     - Internet Explorer Exposes Users' Files

3. ANNOUNCEMENTS
     - Windows 2000 and Windows NT Seminars Delivered to Your Desktop
     - Windows 2000 Magazine Presents the Windows 2000 Experience

4. SECURITY ROUNDUP
     - News: Hewlett-Packard Releases Automated Security Product for NT Web
     - News: Zombie Zapper Helps Shut Down DDoS Attacks
     - News: How to Defend Against DoS Attacks
     - Review: Novell Firewall for NT
     - Review: SurfinShield Censors Hostile Code

5. NEW AND IMPROVED
     - Security for E-Business Documents
     - Malicious Code Protection Software

6. HOT RELEASES (ADVERTISEMENT)
     - Toshiba Copiers and Fax: The 21st Century's Technological Leader
     - Network-1 Security Solutions - Securing E-Business Networks

7. SECURITY TOOLKIT
     - Book Highlight: Network Security Essentials: Applications and Standards
     - Tip: Move Files and Retain Permissions and Attributes

8. HOT THREADS
     - Windows 2000 Magazine Online Forums:
         * Limiting Logons
     - Win2KSecAdvice Mailing List:
         * Black Hat Briefings Call for Papers
     - HowTo Mailing List:
         * Delete Files Older than X Days During Logon?
         * Permissions on Cluster
         * MSDTC through a Firewall

~~~~ SPONSOR: RIPPLETECH LOGCASTER, "MONITOR...ALERT...CORRECT" ~~~~
RippleTech LogCaster is a Windows NT/2000 Systems and Applications Management software that provides real time application, server, and NT/2000 monitoring. RippleTech LogCaster monitors TCP/IP devices such as Firewall, Email, VPN Servers, etc. and alerts you if they should fail. In addition, it provides security for its own services by requiring a password to shutdown or restart. This eliminates the possibility of a hacker trying to cover his or her tracks. RippleTech LogCaster also filters through Windows NT/2000 Event Logs for security specific events and immediately alerts or corrects, via pager, email, SNMP trap, etc. Start securing your environment today. Download RippleTech LogCaster.
http://www.rippletech.com/nws_security

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Want to sponsor Windows 2000 Magazine Security UPDATE? Contact Vicki Peterson (Western and International Advertising Sales Manager) at 877-217-1826 or vpeterson@win2000mag.com, OR Tanya T. TateWik (Eastern Advertising Sales Manager) at 877-217-1823 or ttatewik@win2000mag.com.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. ========== IN FOCUS ==========

Hello everyone,

I've read a startling headline topic twice in the past 10 days: High-profile Web sites are moving to obtain hacker insurance. That topic is startling because I see it as a huge obstacle in the push toward popularizing e-commerce. When you think about it, don't intruders actually control these hacker insurance policies outright?

Let me clarify.
I'm only using the term "hacker" because that's what confused members of the media mistakenly call crackers and other types of network intruders. Hackers are good guys, and the crackers, Denial of Service (DoS) launchers, and other malicious intruders are the bad guys.

So what is this so-called hacker insurance? First, look at how the insurance system works: In case of a loss, the insurance company pays a sum of money to the insured suffering the loss. So hacker insurance pays for losses suffered due to a hacking incident. In most cases, the more you pay for insurance, the better coverage you receive. At the top end of the insurance spectrum, the sum paid for a loss usually equals the amount lost.

Insurance costs depend on the risks involved. In other words, the greater the risk the higher the cost of insurance. So who ultimately controls the risks (and thus the insurance premium costs) from distributed DoS (DDoS) attacks? The intruders! Intruders control at least 90 percent of the risk involved with running an online e-commerce site because DDoS attacks are largely indefensible at this point in time.

Think about that situation for a moment. Insurance rates factor into the cost of doing business, and companies pass these costs to the consumer in the price of a given item or service. Right now, companies such as Amazon.com enjoy great success because of their competitive pricing and ease of shopping. However, with intruders controlling insurance rates indirectly, how long can Amazon.com's success last? Will intrusions drive up the cost of books and other products at Amazon.com? You bet they will. You can also bet that the same thing will happen in every other sector of e-commerce--and it doesn't stop there.

Imagine that the Internet has become a new front for new kinds of wars. In these wars, new e-commerce companies destroy local storefront economies by out-pricing them with lower overhead and better buying power.
In time, mom-and-pop shops close, defeated by the new e-commerce giants. Meanwhile, their children, who are now suffering from a poorer family life and lackluster future because of a closed family business, retaliate by launching DDoS attacks against the e-commerce giants who forced their parents out of business. As a result, hacker insurance rates soar, which causes e-commerce-based product and service prices to rise.

Far-fetched? Think again. This scenario is happening right now in global politics, lower and higher education, and e-commerce markets. The Internet is quickly becoming a new type of pseudo war zone where people can launch an attack from anywhere they can get a dial tone. Start a makeshift war without leaving the house--that's power. That power will be available to anyone that can pay for a dial-up account until enough disrespect is shown to force stronger controls. We're headed in that direction at lightning speed.

If intruders continue to turn the Internet into a war zone by attacking networks, we'll all suffer the consequences. Intruders are taking us directly into strict, heavy-handed controlled access to the Internet.

To the instigators of DDoS attacks and Web page defacements, I say, "Think about the big picture before you act so selfishly. What's more important? Your 15 seconds of fame or everyone's shared freedom in the online world?"

And to the new giants of e-commerce I say, "Spend your money on serious technology improvements, not empty insurance policies that feed inflation and slow the acceptance of e-commerce."

The online world has enough bandages in place already. Don't waste time endlessly guarding against risks--work to eliminate the risks permanently. The best use of your money is to give it to those who can create the necessary changes.

Until next time, have a great week.

Mark Joseph Edwards, News Editor
mark@ntsecurity.net

2. ========== SECURITY RISKS =========
(contributed by Mark Joseph Edwards, mark@ntsecurity.net)

* INTERNET INFORMATION SERVER 4.0 DENIAL OF SERVICE
Internet Information Server (IIS) 4.0 is subject to Denial of Service (DoS) attacks when used in conjunction with Microsoft's IIS companion SMTP mail server. An intruder can cause a DoS condition against IIS by manipulating filenames within the SMTP service's directory structure. By creating a filename more than 85 characters in length within the \mailroot\pickup directory, the intruder can cause the mail server to generate an error and crash the INETINFO service, which supports IIS.
http://www.ntsecurity.net/go/load.asp?iD=/security/iis4-4.htm

* WINDOWS AUTORUN.INF VULNERABILITY
Eric Stevens reported an interesting discovery regarding autorun.inf files on Windows platforms. Autorun.inf files automatically launch a program when you insert the program's CD-ROM into the drive. However, Stevens discovered that you can place autorun.inf files on any system drive, not just CD-ROM drives, where someone could launch the file under certain circumstances.
http://www.ntsecurity.net/go/load.asp?iD=/security/autorun1.htm

* SITE SERVER COMMERCE USER INPUT UNVALIDATED
Microsoft Site Server Commerce 3.0 has a problem with the sample Volcano Coffee site and the sample custom site that the Site Builder Wizard creates. The sample sites ship with code that doesn't check user input before acting upon that input. This oversight could let an intruder inject SQL code into a remote system running the sample sites. Microsoft issued a patch for the problem. Any application code that developers based on the sample sites might also contain the security risk. Examine those applications to ensure that they verify all user input for accuracy before further processing by the system.
http://www.ntsecurity.net/go/load.asp?iD=/security/site-server3.htm

* MICROSOFT JAVA VIRTUAL MACHINE EXPOSES USER FILES
Microsoft reported a problem with its Java Virtual Machine (JVM) that ships with Internet Explorer (IE) 4.x and 5.x, and several other Microsoft packages. According to the report, the version of the Microsoft VM that ships with IE contains a security vulnerability that could let a Java applet operate outside the bounds set by the sandbox. A malicious user could write a Java applet that could read--but not change, delete, or add--files from the computer of a person who visits the user's site, or read Web content from inside an intranet if a computer from within that intranet visits the malicious site. Microsoft issued an FAQ and a patched version for the 2000, 3100, and 3200 build series of its JVM. Use the JVIEW command-line utility (installed when you install the JVM) to determine which JVM version you have on your system.
http://www.ntsecurity.net/go/load.asp?iD=/security/ie511.htm

* WINDOWS 2000 PROFESSIONAL EXPOSES SYSTEM DURING INSTALLATION
According to Stephane Aubert, during the installation of Windows 2000 Professional (Win2K Pro), a user can access the ADMIN$ share via the Administrator user account without providing a password for that account. The ADMIN$ share is mapped by default onto the main Windows root directory. Aubert said that the user had defined an Administrator password during the installation process; however, the password did not take effect until after the system rebooted. During the interim, a person could connect to resources using the Administrator account and a blank password.
http://www.ntsecurity.net/go/load.asp?iD=/security/win2kpro2.htm

* INTERNET EXPLORER EXPOSES USER FILES
When a Web server navigates a window from one domain into another one, the Internet Explorer (IE) security model checks the server's permissions on the new page. However, a Web server could open a browser window to a client-side local file and then navigate the window to a page in the Web site's domain in such a way that the data in the client-side local file is accessible to the new window.
http://www.ntsecurity.net/go/load.asp?iD=/security/ie510.htm

3. ========== ANNOUNCEMENTS ==========

* WINDOWS 2000 AND WINDOWS NT SEMINARS DELIVERED TO YOUR DESKTOP
There's no substitute for learning about technology from the professionals. Now you can watch and listen to our experts conveniently from the comfort of your home or office. Windows 2000 Magazine TV, our online video library, provides more than 40 hours of searchable content, with seminars added monthly. Industry authorities such as Mark Minasi, Sean Daily, Mark Russinovich, and Paula Sharick discuss a wide range of topics including Windows 2000 (Win2K) preparation, Registry management and security, and cross-platform networking. Learn more about this subscription-based service and check out a seminar sample at http://www.win2000tv.com.

* WINDOWS 2000 MAGAZINE PRESENTS THE WINDOWS 2000 EXPERIENCE
Before making any decision concerning Windows 2000 (Win2K), get the facts from a trusted source. The Windows 2000 Experience Web site brings you the how-to knowledge, resources, and product information you need to evaluate and deploy Win2K. Everything you expect in a deep, high-quality site: news, in-depth articles, forums, product offerings--all focused on Win2K. Visit the Web site at http://www.windows2000experience.com.

4. ========== SECURITY ROUNDUP ==========

* NEWS: HEWLETT-PACKARD RELEASES AUTOMATED SECURITY PRODUCT FOR NT WEB
On January 17, at the RSA 2000 Security Conference, Hewlett-Packard released Praesidium WebEnforcer for Windows NT, a new product for securing NT-based Web servers. HP claims that WebEnforcer fixes all known security holes in NT and monitors and enforces security issues. Read the rest of C. Thi Nguyen's Web exclusive article on our Web site.
http://www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=209&TB=news

* NEWS: ZOMBIE ZAPPER HELPS SHUT DOWN DDOS ATTACKS
BindView's Razor team has created a new tool called Zombie Zapper that helps administrators fend off Distributed Denial of Service (DDoS) attacks launched by the trin00, tfn, and Stacheldraht DDoS software. The software is freely available on the BindView Razor Web site.
http://www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=215&TB=news

* NEWS: HOW TO DEFEND AGAINST DDOS ATTACKS
On March 20, 2000, Internet Security Systems (ISS) will host an intensive full-day workshop called "Securing e-Business: Focus on Denial of Service." The workshop is in conjunction with ISS Connect 2000, the company's annual international user conference and information security summit. Speakers include Senator Sam Nunn; Howard Schmidt, the head of security for Microsoft; ISS President and Chief Executive Officer, Tom Noonan; and ISS Founder and Chief Technology Officer, Christopher Klaus.
http://www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=214&TB=news

* REVIEW: NOVELL FIREWALL FOR NT
James R. Borck reviewed the Novell Firewall for NT and found that it's a good solution for small- to medium-size networks. According to Borck's report for InfoWorld, the product includes an affordable pricing structure; easy, centralized administration; integration for directory services; and a good traffic management utility.
http://www.ntsecurity.net/go/2c.asp?f=/reviews.asp?IDF=117&TB=r

* REVIEW: SURFINSHIELD CENSORS HOSTILE CODE
In her review for InfoWorld, Ana Orubeondo takes a close look at SurfinShield, a product that claims to defend against Web attacks by censoring Web-based application code. According to Orubeondo, the product sports proactive monitoring and helps plug security holes in some instant messaging programs such as ICQ. The product is easy to use, but setting up its security policies is time-consuming, and the product requires frequent fine-tuning by a security administrator.
http://www.ntsecurity.net/go/2c.asp?f=/reviews.asp?IDF=118&TB=r

~~~~ SPONSOR: SYMANTEC ~~~~
Norton Ghost 6.0 is the premier tool for Windows 2000 migration, PC deployment, cloning, and PC recovery. It dramatically reduces IT costs by streamlining the configuration of networked workstations. Administrators can restore a system image onto a failed PC in as little as seven minutes, and reduce PC deployment and upgrade times by 90 percent or more. Click here to order your free trialware!
http://www.symantec.com/specprog/sym/11200e.html

5. ========== NEW AND IMPROVED ==========
(contributed by Judy Drennen, products@win2000mag.com)

* SECURITY FOR E-BUSINESS DOCUMENTS
E-Lock Technologies announced Assured Office, a utility that provides trust and security to e-business documents by providing digital signing and encryption of documents from within applications such as Microsoft Word, Excel, Exchange, and Adobe Acrobat, and from the desktop. Assured Office enables enterprises to secure vital digital business information traversing the Internet, extranets, and intranets. Assured Office works with any x509v3 certificates that are in the certificate store of Microsoft CryptoAPI and works with the Windows 2000 (Win2K) security framework. For more information, contact E-Lock Technologies, 1-703-383-9360 ext. 206.
http://www.elock.com

* MALICIOUS CODE PROTECTION SOFTWARE
F-Secure introduced F-Secure Anti-Virus for Firewalls Version 3.0, software that provides higher and faster throughput in scanning massive amounts of data for a distributed workforce. The firewall intercepts Web browsing, FTP, and email traffic and ensures the antivirus server scans it first. The cooperation between the antivirus software and the firewall is based on the Content Vectoring Protocol (CVP). Most firewalls are CVP-compliant and provide a faster, more robust way of transferring data between the firewall and F-Secure Anti-Virus for Firewalls. From one console, an administrator can set security policies, send software updates and receive alerts, and support all workstations and servers. The product is priced at $24.80 per user for a 100-user license. For more information, go to the F-Secure Web site.
http://www.f-secure.com/

6. ========== HOT RELEASES (ADVERTISEMENT) ==========

* TOSHIBA COPIERS AND FAX: THE 21ST CENTURY'S TECHNOLOGICAL LEADER
Visit http://static.admaximize.com/redirect/0034/002266d/0002/ESV/A09/01/ to check out Toshiba's multifunctional and networking product line. No matter what your business needs: Demand more, Demand Toshiba.

* NETWORK-1 SECURITY SOLUTIONS - SECURING E-BUSINESS NETWORKS
Getting nervous about denial of service attacks? CyberwallPLUS-SV is the first embedded firewall for NT servers. It secures servers with network access controls and intrusion prevention. Visit http://www.network-1.com/products/svintro.htm for a free evaluation kit and white paper.

7. ========== SECURITY TOOLKIT ==========

* BOOK HIGHLIGHT: NETWORK SECURITY ESSENTIALS: APPLICATIONS AND STANDARDS
By William Stallings
Special Price: $39.00
Hardcover; 464 pages
Published by Prentice Hall, January 2000

As we enter the age of universal electronic connectivity in which viruses, hackers, electronic eavesdropping, and electronic fraud can threaten the prosperity and productivity of corporations and individuals, security is increasingly important. Fortunately, the discipline of network security has matured, leading to the development of practical, available applications to enforce network security. This book provides integrated, comprehensive, up-to-date coverage of Internet-based security tools and applications vital to any treatment of data communications or networking.

For Windows 2000 Magazine Security UPDATE readers only--Receive an additional 10 PERCENT off the online price by typing WIN2000MAG in the referral field on the Shopping Basket Checkout page.
To order this book, go to http://www.fatbrain.com/shop/info/0130160938?from=SUT864.

* TIP: MOVE FILES AND RETAIN PERMISSIONS AND ATTRIBUTES
(contributed by Mark Joseph Edwards, mark@ntsecurity.net)

A reader recently asked how to use a batch file to automate the movement of files but still retain the files' security permission and audit settings. Windows' built-in XCOPY and MOVE commands are fantastic tools; however, neither will retain security attributes while processing files. Windows doesn't ship with any tools for this task, so you must obtain a third-party tool. One such tool is SCOPY from the Windows NT Server 4.0 Resource Kit.

SCOPY works similarly to the COPY command, with the added benefit of two command-line switches that let users specify whether to copy a file's security permissions and audit settings. The /o switch instructs the tool to copy owner security information, and the /a switch copies the audit information.
http://mspress.microsoft.com/reslink/nt40/kits
http://mspress.microsoft.com/reslink/nt40/toolbox/tools/scopy.htm

8. ========== HOT THREADS ==========

* WINDOWS 2000 MAGAZINE ONLINE FORUMS

The following text is from a recent threaded discussion on the Windows 2000 Magazine online forums (http://www.win2000mag.com/support).

February 22, 2000, 07:53 A.M.
Limiting Logons
Has anyone seen a logon script or utility that allows a logon limit per user? I would think this is a fairly common practice, but I can't seem to find anything. Thanks in advance for any help.

Thread continues at
http://www.win2000mag.com/support/Forums/Application/Index.cfm?CFApp=69&Message_ID=91949

* WIN2KSECADVICE MAILING LIST
Each week we offer a quick recap of some of the highlights from the Win2KSecAdvice mailing list. The following threads are in the spotlight this week:

1. Black Hat Briefings Call for Papers
http://www.ntsecurity.net/go/w.asp?A2=IND0002C&L=WIN2KSECADVICE&P=395

Follow this link to read all threads for Feb. Week 4:
http://www.ntsecurity.net/go/win2ks-l.asp?s=win2ksec

* HOWTO MAILING LIST
Each week we offer a quick recap of some of the highlights from the HowTo for Security mailing list. The following threads are in the spotlight this week:

1. Delete Files Older than X Days During Logon?
http://www.ntsecurity.net/go/L.asp?A2=IND0002C&L=HOWTO&P=883

2. Permissions on Cluster
http://www.ntsecurity.net/go/L.asp?A2=IND0002C&L=HOWTO&P=1001

3. MSDTC through a Firewall
http://www.ntsecurity.net/go/L.asp?A2=IND0002C&L=HOWTO&P=772

Follow this link to read all threads for Feb. Week 4:
http://www.ntsecurity.net/go/l.asp?s=howto

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

WINDOWS 2000 MAGAZINE SECURITY UPDATE STAFF
News Editor - Mark Joseph Edwards (mje@win2000mag.com)
Ad Sales Manager (Western and International) - Vicki Peterson (vpeterson@win2000mag.com)
Ad Sales Manager (Eastern) - Tanya T. TateWik (ttatewik@win2000mag.com)
Editor - Gayle Rodcay (gayle@win2000mag.com)
New and Improved - Judy Drennen (products@win2000mag.com)
Copy Editor - Judy Drennen (jdrennen@win2000mag.com)

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

Thank you for reading Windows 2000 Magazine Security UPDATE.

To subscribe, go to http://www.win2000mag.com/update or send email to listserv@listserv.ntsecurity.net with the words "subscribe securityupdate anonymous" in the body of the message without the quotes.

To unsubscribe, send email to listserv@listserv.ntsecurity.net with the words "unsubscribe securityupdate" in the body of the message without the quotes.

To change your email address, you must first unsubscribe by sending email to listserv@listserv.ntsecurity.net with the words "unsubscribe securityupdate" in the body of the message without the quotes. Then, resubscribe by going to http://www.win2000mag.com/update and entering your current contact information or by sending email to listserv@listserv.ntsecurity.net with the words "subscribe securityupdate anonymous" in the body of the message without the quotes.

========== GET UPDATED! ==========
Receive the latest information on the Windows 2000 and Windows NT topics of your choice. Subscribe to these other FREE email newsletters at http://www.win2000mag.com/sub.cfm?code=up99inxsup.

Windows 2000 Magazine UPDATE
Windows 2000 Magazine Thin-Client UPDATE
Windows 2000 Exchange Server UPDATE
Windows 2000 Magazine Enterprise Storage UPDATE
Windows 2000 Pro UPDATE
ASP Review UPDATE
SQL Server Magazine UPDATE
IIS Administrator UPDATE
XML UPDATE

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-
Copyright 2000, Windows 2000 Magazine

Security UPDATE is powered by LISTSERV software.
http://www.lsoft.com/LISTSERV-powered.html