[Windows 2000 Magazine Security UPDATE] 2000 - February 2

**********************************************************
WINDOWS 2000 MAGAZINE SECURITY UPDATE
**Watching the Watchers**
The weekly Windows NT and Windows 2000 security update newsletter
brought to you by Windows 2000 Magazine and NTsecurity.net
http://www.win2000mag.com/update/
**********************************************************

This week's issue sponsored by

Trend Micro-Your Internet Virus Wall
http://antivirus.com/SecureValentine.htm

WebTrends Firewall Suite 2.0 - New Version!
http://www.webtrends.com/redirect/fire-sec1.htm
(Below Security Roundup)

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-
February 2, 2000 - In this issue:

1. IN FOCUS
     - How Do You Want Your Patches: Sooner or Later?

2. SECURITY RISKS
     - Outlook Express Object Access
     - Firewall-1 Allows Script Rule Circumvention
     - Index Server Exposes File System

3. ANNOUNCEMENTS
     - Windows 2000 Magazine Launches Three Free Email Newsletters
     - Conference: Windows 2000 in the Enterprise
     - Security Poll: Do You Think Online Credit Card-Based Purchasing
is Safe Yet?

4. SECURITY ROUNDUP
     - News: Visa Admits Its Sites Were Hacked
     - News: Security Holes Bite Online Bank
     - Feature: Kerberos 5 in Windows 2000
     - How-To: Creating a Special TSE Logon Script

5. NEW AND IMPROVED
     - Secure Desktop and Notebook Systems
     - e-Security Announces Extended Integration

6. HOT RELEASES (ADVERTISEMENT)
     - VeriSign - the Internet Trust Company
     - Network-1 Security Solutions – Embedded NT Firewalls
     - ISS Connect 2000: Information Security Summit

7. SECURITY TOOLKIT
     - Book Highlight: IIS 4 and Proxy Server 2 24Seven
     - Tip: Unmap Unused File Extension in IIS
     - Review: eEye Digital Security's Retina Security Scanner

8. HOT THREADS
     - Windows 2000 Magazine Online Forums:
        * Local Proxy Server Blocking Site Access
     - Win2KSecAdvice Mailing List:
        * ZBServer 1.50-r1x Risk Example Code
     - HowTo Mailing List:
        * Windows 2000 and Default Security
        * Reverse Proxying with Microsoft Proxy 2.0?
        * IOMega Tools Keeps an Insecure Copy of the SAM

~~~~ SPONSOR: TREND MICRO-YOUR INTERNET VIRUS WALL ~~~~
Your network can be "broken" much like your heart. So this Valentine's
Day find the ideal partner for your network with the Trend Interscan
product family. Protect the heart of your network with Trend's wide
range of antivirus solutions. Trend is a leader in antivirus
technologies, offering protection and security for the Internet
gateway, Notes and Exchange email servers, the desktop, and everywhere
in between. Building a protective, virtual VirusWall around the pulse-
the network. http://antivirus.com/SecureValentine.htm
For more information call 800-228-5651, or click the link above.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Want to sponsor Windows 2000 Magazine Security UPDATE? Contact Vicki
Peterson (Western and International Advertising Sales Manager) at 877-
217-1826 or vpeterson@win2000mag.com, OR Tanya T. TateWik (Eastern
Advertising Sales Manager) at 877-217-1823 or ttatewik@win2000mag.com.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. ========== IN FOCUS ==========

Hello everyone,

The security world has been rather quiet over the past week. One
significant event that did occur was that Microsoft released its first
Windows 2000 (Win2K) security hotfix. The hotfix corrects a problem
with the Win2K Indexing Service and Windows NT 4.0 Index Server.
   Although some readers might wince at the fact that Microsoft has
already released a security hotfix for a brand-new OS--an OS not even
on store shelves yet--there is no cause for alarm. We can expect to see
bugs in Win2K are to be expected, especially security bugs, because
hackers spend more time banging away against security subsystems than
they do against other system components.
   I've noticed that some technologists have hammered Microsoft over
the past week because a security patch actually beat the new OS to
market. I think those people are being shortsighted. Expecting a
perfect set of code from day one is incredibly unrealistic.
   I appreciate the fact that a security patch is already available for
Win2K. I'd rather have a patch than a hole in my OS, and the sooner I
get that patch the better. Most of you realize that bug-free software
is unlikely, and Win2K is no exception. Odds dictate that other
security risks are present in the Win2K code, so the question is,
"Where are the risks and how soon can we find them?"
   Obviously, no blanket answer exists for that question. We can expect
hackers and crackers alike to try most of the commonly known Windows-
related exploits against the new OS and any services running on the new
platform. The Indexing Service risk is a good example; similar path
revelation problems have appeared in the past, and I'd be willing to
speculate that at least one or two other security bugs have carried
over from older NT 4.0-based code as well. Only time will tell.
   On another note, starting this week, we launch the first of several
new columns scheduled on the NTSecurity.net Web site. The first column,
The Ultimate Security Toolkit, is a biweekly column by Steve Manzuik.
Every other week, Steve will review a new security product. Steve
offers his professional, from-the-trenches opinion about each tool and
his personal recommendation to help you make buying decisions. This
week, Steve reviews eEye's Retina security scanner, so be sure to check
it out. Until next time, have a great week.

Sincerely,
Mark Joseph Edwards, News Editor
mark@ntsecurity.net

2. ========== SECURITY RISKS =========
(contributed by Mark Joseph Edwards, mark@ntsecurity.net)

* OUTLOOK EXPRESS OBJECT ACCESS
Georgio Guninski reported a problem with Outlook Express that could let
an intruder open and read email messages without a user's permission.
Microsoft is aware of the problem but has issued no response at the
time of this writing.
   http://www.ntsecurity.net/go/load.asp?iD=/security/outlook3.htm

* FIREWALL-1 ALLOWS SCRIPT RULE CIRCUMVENTION
Arne Vidstrom discovered a problem with the Firewall-1 script filtering
rules that might let unwanted scripts execute on the desktop. According
to Vidstrom's report, an intruder can circumvent the Strip Script Tags
feature by adding an extra less than sign (<) to the <SCRIPT> tag
syntax. Checkpoint is aware of the problem but has issued no response
to date.

* INDEX SERVER EXPOSES FILE SYSTEM
David Litchfield discovered two problems with Microsoft's Index Server
and Indexing Service technology. According to the report, the first
problem is that webhits.dll does not properly restrict file access, and
thus it is possible to navigate outside of virtual directories.
   The second problem involves error messages that nonexistent .idq
files appear to display. When a user requests such a file from Windows
2000 Web Services (formerly Microsoft Internet Information Server 5.0),
the server might reveal virtual directory path information, thereby
exposing a portion of file system structure to a potential intruder.
   http://www.ntsecurity.net/go/load.asp?iD=/security/index1.htm

3. ========== ANNOUNCEMENTS ==========

* WINDOWS 2000 MAGAZINE LAUNCHES THREE FREE EMAIL NEWSLETTERS
XML UPDATE, Enterprise Storage UPDATE, and IIS Administrator UPDATE
are the latest offerings from Windows 2000 Magazine. Each email
newsletter focuses on a new and important segment of the Windows IT
professional's job. Written by industry insiders, the UPDATEs contain
the news, tips, and advice that you can't find anywhere else. Subscribe
to just one or all of our FREE updates.
   http://www.winntmag.com/sub.cfm?code=up99inbup

* CONFERENCE: WINDOWS 2000 IN THE ENTERPRISE
Will Windows 2000 (Win2K) be your server platform of choice? This
thorny question is the reason more and more organizations are turning
to GartnerGroup to evaluate the promise and pitfalls of this new
technology.
   GartnerGroup analysts offer an in-depth, yet independent, assessment
of Win2K and give you the information you need to make an informed
decision. You can experience GartnerGroup's expertise at our
conference, "Windows 2000 in the Enterprise: Off the Shelf and Into the
Fire," to take place April 26 to 28, 2000, in San Francisco. For
additional information about this exciting conference,
just use the link http://www.gartner.com/nt/usa.

* SECURITY POLL: DO YOU THINK ONLINE CREDIT CARD-BASED PURCHASING IS
SAFE YET?
How safe do you think online credit card-based purchasing is? Come to
the Web site and let us know your thoughts.
   http://www.ntsecurity.net

4. ========== SECURITY ROUNDUP ==========

* NEWS: VISA ADMITS ITS SITES WERE HACKED
Does it matter how secure your e-commerce solution is when a credit
card company can't keep crackers out of its networks? Visa
International recently admitted that crackers penetrated its systems in
July 1999 and stole information. The crackers later contacted Visa by
email and telephone in attempts to extort money from the firm. Visa
subsequently contacted Scotland Yard and the FBI, which are
investigating the matter. Visa claims to have long since secured the
breached systems.
   http://www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=204&TB=news

* NEWS: SECURITY HOLES BITE ONLINE BANK
Online bank X.COM received quite a "wake-up call" recently when users
discovered that while establishing a new account, anyone could transfer
money into an X.COM account from any other bank account in the United
States due to nonexistent security controls on wire transfer
mechanisms. X.COM corrected the problems when other banks complained to
the online bank about fraud attempts against customer accounts.
   http://www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=206&TB=news

* FEATURE: KERBEROS 5 IN WINDOWS 2000
Windows 2000 (Win2K) offers many security improvements over Windows NT.
Probably the biggest advance has been in the OS's primary
authentication protocol. NT LAN Manager (NTLM) has been the primary
authentication protocol for all versions of NT. Win2K supports NTLM and
Secure Sockets Layer/Transport Layer Security (SSL/TLS) authentication
protocols. But Win2K's primary authentication protocol is Kerberos 5,
which takes its name from Cerberus, Greek mythology’s three-headed dog
that guarded the gates of Hades. Zubair Ahmad takes a closer look at
Kerberos 5 and how Kerberos security works in Win2K.
   http://www.ntsecurity.net/go/2c.asp?f=/features.asp?IDF=148&TB=f

* HOW-TO: CREATING A SPECIAL TSE LOGON SCRIPT
On our Windows NT network, we have two Windows NT 4.0, Terminal Server
Edition (TSE) servers with MetaFrame that we have set up as member
servers. We want to use Application Security (APPSEC) to limit the
applications that users can run. When we run APPSEC, the TSE servers
don't appear to run the NT logon scripts.
   How can I make the logon script run with APPSEC activated? David
Carroll answers that question and more in this Web Exclusive article.
   http://www.ntsecurity.net/go/2c.asp?f=/howto.asp?IDF=117&TB=h

~~~~ SPONSOR: WEBTRENDS FIREWALL SUITE 2.0 - NEW VERSION! ~~~~
WebTrends is the emerging leader in security management and assessment.
WebTrends Firewall Suite and WebTrends Security Analyzer now offer the
most comprehensive solution for intrusion prevention, firewall traffic
monitoring, and vulnerability analysis. The new Firewall Suite 2.0
provides support for 32 different firewalls and includes embedded
SurfWatch web site categorization technology. Click here for your free
trial download and start analyzing your incoming and outgoing traffic.
http://www.webtrends.com/redirect/fire-sec1.htm

5. ========== NEW AND IMPROVED ==========
(contributed by Judy Drennen, products@win2000mag.com)

* SECURE DESKTOP AND NOTEBOOK SYSTEMS
IBM announced new desktop and notebook systems to keep data secure. The
PCs include security features such as identity verification and
authentication, and encryption capabilities that complement Windows
2000 (Win2K) and come preloaded with the new OS. The new models include
the ThinkPad 600X notebook, PC 300 desktop series, and Intellistation
Professional Workstation series. IBM also offers the Smart Card
Security Kit and an embedded security chip. The Smart Card Security Kit
and security chip support Win2K, accompany any PC or mobile system, and
prevent unauthorized users from accessing sensitive data. For pricing
on the new desktop and notebook systems, contact IBM, 800-772-2227.
   http://www.ibm.com/Windows2000

* E-SECURITY ANNOUNCES EXTENDED INTEGRATION
e-Security announced extended integration of 29 security products with
its Open e-Security Platform (OeSP). The integration specifies 10
separate categories of information security: Firewalls, Intrusion
Detection, Operating Systems, Anti-Virus, Web Servers, Databases,
Policy Monitoring, Vulnerability Assessmen, and Authentication. OeSP
integrates multivendor security software and other security devices so
that companies can conduct realtime surveillance of their distributed
enterprise security environment from one console with an intuitive
graphical display. For more information, contact e-Security, 800-474-
9191.
   http://www.esecurityinc.com

6. ========== HOT RELEASES (ADVERTISEMENT) ==========

* VERISIGN - THE INTERNET TRUST COMPANY
Secure your servers with 128-bit SSL encryption!
Click here for VeriSign's FREE guide, "Securing Your Web Site for
Business". Learn how to secure your e-commerce with 128-bit SSL
encryption!
http://www.verisign.com/cgi-bin/go.cgi?a=n016005190013000

* NETWORK-1 SECURITY SOLUTIONS – EMBEDDED NT FIREWALLS
CyberwallPLUS-SV is the first embedded firewall for NT servers.  It
secures valuable servers with network access controls and intrusion
prevention.  Visit http://www.network-1.com/eval/eval6992.htm to
receive a free CyberwallPLUS evaluation kit and white paper.

*ISS CONNECT 2000: INFORMATION SECURITY SUMMIT
Internet Security Systems (ISS) announces the return of the most
dynamic, cost-effective information security conference (March 19, 2000
- March 24, 2000). Attend more than sixty sessions and workshops on
securing e-business. To register call 1-800-416-8749.
http://connect.iss.net/

7. ========== SECURITY TOOLKIT ==========

* BOOK HIGHLIGHT: IIS 4 AND PROXY SERVER 2 24SEVEN
By M. Shane Stigler and Mark A. Linsenbardt
Online Price: $24.45
Softcover; 608 pages
Published by Sybex Computer Books, August 1999

For experienced administrators running Internet Information Server
(IIS) and Proxy Server, here at last is the book you've been waiting
for. Starting where other books and training courses end and the real
world begins, "IIS 4 and Proxy Server 2 24Seven" delivers the detailed,
high-level information that working administrators really need to reach
the level of true expert. IIS and Proxy gurus M. Shane Stigler and Mark
A. Linsenbardt deliver the advanced coverage that will enable you to
make the most of your IIS and Proxy Server installations.

For Windows NT Magazine Security UPDATE readers only--Receive an
additional 10 PERCENT off the online price by typing WIN2000MAG in
the referral field on the Shopping Basket Checkout page. To order this
book, go to http://www.fatbrain.com/shop/info/0782125301?from=SUT864.

* TIP: UNMAP UNUSED FILE EXTENSIONS IN IIS
(contributed by Mark Joseph Edwards, mark@ntsecurity.net)

Internet Information Server (IIS) lets you map various file extensions
to various application services. For instance, you can map .pl
extensions to a PERL interpreter or .cfm extensions to a Cold Fusion
engine.
   When you load a fresh copy of IIS, the software installs several
mappings by default. Many of these mappings go unused unless you also
implement the specialized services that use those mappings. For
example, .idq files define query parameters for an Index Server search.
However, if you aren't using Index Server, or don't use .idq files in
conjunction with your Index Server installation, then there's no reason
to leave the .idq file mapping in place.
   You will want to remove all unused file mappings. Even if you think
you'll need a particular mapping later, remove it until you actually
need it. Removing the unused mappings minimizes your overall Web site
risk. The Index Server risk reported in this issue of Security UPDATE
is a perfect example of why you need to remove these mappings--an
intruder can exploit the mappings to circumvent system security in
certain instances. The problem is that we won't know what those
instances are until the intruder discovers them.
   What mappings can you remove from IIS? Any mapping that a site
hosted on the Web server is not using. Use a site analysis tool such as
Site Server Express or FrontPage to inventory your Web site. A site
inventory will help determine which file extensions you need and then
you can easily remove any unused mappings. Please note that before you
remove any file extension mappings, be sure to record their parameters
in case you need to redefine them at a later time.
   The file extension mappings occur in different places in each
version of IIS, so consult IIS's online Help system to determine the
location of the actual configuration dialog box.

* REVIEW: EEYE DIGITAL SECURITY'S RETINA SECURITY SCANNER
In his first biweekly product review, Steve Manzuik takes a close look
at a beta release of Retina, eEye Digital Security's first product
offering in the security market space. Steve was impressed with the
first release of Retina. He found the product to be reasonably
functional but did point out some shortcomings he'd like to see
addressed in a future version. If you're curious about this new
security scanner, be sure read the entire review!
   http://www.ntsecurity.net/go/ultimate.asp

8. ========== HOT THREADS ==========

* WINDOWS 2000 MAGAZINE ONLINE FORUMS

The following text is from a recent threaded discussion on the Windows
2000 Magazine online forums (http://www.win2000mag.com/support).

January 27, 2000, 09:59 P.M.
Local Proxy Server Blocking Site Access
I am using an NT 4 based network with IE5 and connect to the Internet
through a local proxy server running MS Proxy on our network. When I
bypass the local proxy server, I can access this particular site that
requires an authorized username and password. When I go through the
proxy server, access is denied. Any suggestions as to what I need to
do?

Thread continues at
http://www.win2000mag.com/support/Forums/Application/Index.cfm?CFApp=69&Mess
age_ID=88063

* WIN2KSECADVICE MAILING LIST
Each week we offer a quick recap of some of the highlights from the
Win2KSecAdvice mailing list. The following threads are in the spotlight
this week:

1. ZBServer 1.50-r1x Risk Example Code
http://www.ntsecurity.net/go/w.asp?A2=IND0001E&L=WIN2KSECADVICE&P=92

Follow this link to read all threads for Feb. Week 1:
   http://www.ntsecurity.net/go/win2ks-l.asp?s=win2ksec

* HOWTO MAILING LIST
Each week we offer a quick recap of some of the highlights from the
"HowTo for Security" mailing list. The following threads are in the
spotlight this week:

1. Windows 2000 and Default Security
http://www.ntsecurity.net/go/L.asp?A2=IND0002A&L=HOWTO&P=192

2. Reverse Proxying with Microsoft Proxy 2.0?
http://www.ntsecurity.net/go/L.asp?A2=IND0002A&L=HOWTO&P=425

3. IOMega Tools Keeps an Insecure Copy of the SAM
http://www.ntsecurity.net/go/L.asp?A2=IND0001E&L=HOWTO&P=478

Follow this link to read all threads for Feb. Week 1:
   http://www.ntsecurity.net/go/l.asp?s=howto

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

WINDOWS 2000 MAGAZINE SECURITY UPDATE STAFF
News Editor - Mark Joseph Edwards (mje@win2000mag.com)
Ad Sales Manager (Western and International) - Vicki Peterson
(vpeterson@win2000mag.com)
Ad Sales Manager (Eastern) - Tanya T. TateWik (ttatewik@win2000mag.com)
Editor - Gayle Rodcay (gayle@win2000mag.com)
New and Improved – Judy Drennen (products@win2000mag.com)
Copy Editor – Judy Drennen (jdrennen@win2000mag.com)

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

Thank you for reading Windows 2000 Magazine Security UPDATE.

To subscribe, go to http://www.win2000mag.com/update or send email to
listserv@listserv.ntsecurity.net with the words "subscribe
securityupdate anonymous" in the body of the message without the quotes

To unsubscribe, send email to listserv@listserv.ntsecurity.net with the
words "unsubscribe securityupdate" in the body of the message without
the quotes.

To change your email address, you must first unsubscribe by sending
email to listserv@listserv.ntsecurity.net with the words "unsubscribe
securityupdate" in the body of the message without the quotes. Then,
resubscribe by going to http://www.win2000mag.com/update and entering
your current contact information or by sending email to
listserv@listserv.ntsecurity.net with the words "subscribe
securityupdate anonymous" in the body of the message without the
quotes.

========== GET UPDATED! ==========
Receive the latest information on the Windows NT and Windows 2000
topics of your choice.
Subscribe to these other FREE email newsletters at
http://www.win2000mag.com/sub.cfm?code=up99inxsup.

Windows 2000 Magazine UPDATE
Windows 2000 Magazine Thin-Client UPDATE
Windows 2000 Exchange Server UPDATE
Windows 2000 Pro UPDATE
Windows 2000 Magazine Enterprise Storage UPDATE
ASP Review UPDATE
SQL Server Magazine UPDATE
IIS Administrator UPDATE
XML UPDATE

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-
Copyright 2000, Windows 2000 Magazine

Security UPDATE is powered by LISTSERV software
http://www.lsoft.com/LISTSERV-powered.html