
nt.security.update.122999.txt

Posted Dec 31, 1999
Authored by winsd

Windows NT Security Update - Reflections from 1999 and into 2000, Savant Web Server Denial of Service, Avirt Rover Buffer Overflow, Netscape Navigator 4.5 Runs Arbitrary Code, Live Webcast, How Secure is Your Exchange Server? Update, and Using Windows 2000's Run As Command. NTsecurity homepage here.

tags | web, denial of service, overflow, arbitrary, magazine
systems | windows
SHA-256 | f60bb1f99aff820fc73ab2697201335fa606baf5a3e95b0ea7026835b2c96754

**********************************************************
WINDOWS NT MAGAZINE SECURITY UPDATE
**Watching the Watchers**
The weekly Windows NT security update newsletter brought to you by
Windows NT Magazine and NTsecurity.net
http://www.winntmag.com/update/
**********************************************************

This week's issue sponsored by

Axent Technologies
http://www.winntmag.com/jump.cfm?ID=6
(Below Security Roundup)

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-
December 29, 1999 - In this issue:

1. IN FOCUS
- Reflections from 1999 and into 2000

2. SECURITY RISKS
- Savant Web Server Denial of Service
- Avirt Rover Buffer Overflow
- Netscape Navigator 4.5 Runs Arbitrary Code

3. ANNOUNCEMENTS
- Managing Complex Environments: Live Webcast

4. SECURITY ROUNDUP
- FEATURE: How Secure is Your Exchange Server? Update
- HOW-TO: Using Windows 2000's Run As Command

5. NEW AND IMPROVED
- Biometric Security Software
- Cryptography Within Active Server Pages

6. HOT RELEASE
- kforce.com

7. SECURITY TOOLKIT
- Book Highlight: Firewalls Complete
- Tip: Limit Shutdown Capabilities

8. HOT THREADS
- Windows NT Magazine Online Forums:
Find the Administrator Password
- HowTo Mailing List:
SMB Licensing Issue (Event ID 201)
Name Conflict on PDC - Event ID 4319

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Want to sponsor Windows NT Magazine Security UPDATE? Contact Vicki
Peterson (Western and International Advertising Sales Manager) at 877-
217-1826 or vpeterson@winntmag.com, OR Tanya T. TateWik (Eastern
Advertising Sales Manager) at 877-217-1823 or ttatewik@winntmag.com.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. ========== IN FOCUS ==========

Hello everyone,

It's been a long year for many of us. I can't be the only person who
feels like they've squeezed 18 months of work into a 12-month time
frame. Whew!
Looking back over 1999, it's easy to see that a lot of activity
occurred in the security world--much more than in 1998. If I had to
pick one security-related event during the last 12 months that affected
me more than any other event in that time frame, I'd have to say that
it was learning how China decided to deal with a couple of relatively
small-time computer crackers.
In March of this year, China reported that it had arrested and
convicted two brothers of embezzling approximately $87,000 (US) from a
Chinese bank. The brothers cracked a bank's computer security and
transferred the funds to their own account. And for that act, China
sentenced the two men to death. But even while setting such a hard
precedent for thieves--especially cyber-thieves--China wasted no time
in displaying its bigotry by assuming that it's OK to steal super-
sensitive nuclear secrets from the United States. Oh, you didn't hear
about that theft? Check your favorite world news source for details.
Another set of hacking events occurred that truly gained and held my
attention for most of 1999, and I see no sign of that attraction
letting up soon. The events to which I refer are the seemingly never-
ending security risks that Georgio Guninski discovered in Internet
Explorer (IE).
In my opinion, Georgio has done more for the overall security of IE,
and the security of Windows desktops in general, than any other hacker
on the planet. Georgio has discovered more than a dozen security risks
in IE 5.x. Look at his IE Web page sometime, and you'll see why I feel
that Georgio deserves a gigantic pat on the back for his tireless
efforts (http://www.nat.bg/~joro/browsers.html).
Looking ahead to 2000, I predict that by year's end, we'll find that
the biggest security events of 2000 took place during the first
quarter. In January and February of 2000, we'll be fighting Y2K
problems relentlessly. And in February, Microsoft will ship Windows
2000 (Win2K), which will open the flood gates for officially reporting
any security risks the new OS might contain.
As with any new OS, it's safe to assume that it's not perfect, and
thus, we'll see more than a few risks surface in the new platform. In
fact, I bet hackers are already sitting on Win2K risk information,
waiting for the most inconvenient time to release that information. My
guess is that the time will come after the official release of the new
OS in February.
But even so, I doubt that we'll see any risks as serious as the ones
discovered in Windows NT 4.0 over the last 24 months. Between finding
several ways to gain Administrator access and finding ways to subvert
Microsoft's encryption technology, hackers have given the company a
fairly serious beating over the security technology used in NT 4.0. I
think Microsoft has learned valuable lessons from these discoveries,
but I also know that no one is perfect and, therefore, we can assume
that Win2K has bugs. What are these bugs, and how will they impact your
network? Only time will tell. Nonetheless, I'm looking forward to the
year 2000 and the new OS from Microsoft.
If you're among those people who have to work on New Year's Eve,
stop by and hang out with BindView at its online Web party on December
31. Visit http://www.BindView.com/onlineparty for details.
It's been a great year. Have a safe and pleasant New Year's weekend.
Thanks to each of you for reading Security UPDATE Newsletter.

Sincerely,
Mark Joseph Edwards, News Editor
mark@ntsecurity.net

2. ========== SECURITY RISKS =========
(contributed by Mark Joseph Edwards, http://www.ntsecurity.net)

* SAVANT WEB SERVER DENIAL OF SERVICE
USSRLabs discovered a problem with the Savant Web Server 2.0 caused by
a buffer overflow condition. By appending a NULL character to the end
of a URL, a malicious user can crash the server. The vendor is aware of
the problem but had not responded at the time of this writing.
http://www.ntsecurity.net/go/load.asp?iD=/security/savant1.htm

* AVIRT ROVER BUFFER OVERFLOW
USSRLabs reported a problem with Avirt's Rover Server, which is a
software package that includes POP3 and SMTP services. The POP3 service
contains a buffer overflow condition that can lead to a server crash.
An intruder can induce the crash by sending a string of 10,000
characters as the username when logging into the POP server.
Avirt has phased out the Rover and recommends migrating to a current
product (Avirt Mail 3.5 or later).
http://www.ntsecurity.net/go/load.asp?iD=/security/avirt3.htm

* NETSCAPE NAVIGATOR 4.5 RUNS ARBITRARY CODE
A person using the pseudonym "darkplan" reported a buffer overflow
condition in Netscape Navigator 4.5. The problem might let arbitrary
code execute on a user's system. Netscape is aware of this problem;
however, no response was known at the time of this writing.
http://www.ntsecurity.net/go/load.asp?iD=/security/nn45-1.htm

3. ========== ANNOUNCEMENTS ==========

* MANAGING COMPLEX ENVIRONMENTS: LIVE WEBCAST
Do you have questions regarding managing Windows 2000 environments? Now's
your chance to ask them!
The new millennium is upon us and topics related to managing complex
environments are key to your migration efforts. Join IBM and Windows NT
Magazine for our upcoming live Webcast, "Managing complex environments
which include Windows 2000," January 6, from 10:00 A.M.-11:30 A.M. CST.
Mark Minasi, Windows NT Magazine contributing editor and author of
Mastering Windows NT Server 4.0 and the upcoming Mastering Windows 2000
Server, as well as John Enck with the GartnerGroup, will discuss this
key area. Also, hear about IBM's Business Intelligence and Tivoli's
systems management solutions.
Without leaving your desk, you can ask questions of our panel of
experts online or live. And you'll be eligible to download informative
white papers and technical reports. Find out more about our live Web
broadcast series, and register today at
http://webevents.broadcast.com/ibm/win2000/index.tl?loc=61.

4. ========== SECURITY ROUNDUP ==========

* FEATURE: HOW SECURE IS YOUR EXCHANGE SERVER? UPDATE
Last week, I mentioned Jerry Cochran's Web Exclusive article regarding
Exchange Server security. This week Jerry corrects some errors that
were present in his original article. The corrections are significant,
so be sure to read the new article.
http://www.ntsecurity.net/go/2c.asp?f=/features.asp?IDF=145&TB=f

* HOW-TO: USING WINDOWS 2000'S RUN AS COMMAND
In this Web Exclusive article, Zubair Ahmad offers some great insight
into a useful utility that ships with Windows 2000 (Win2K). You might
already be aware of a handy utility called Run As. The command tool
lets a user log on under one account and then run programs under a
different user.
So, for example, a user might log on under an account that is a
member of the Administrators group but need to test programs as those
programs would run under a regular user account with membership in the
default Users group. The Run As command permits this type of
functionality. If you're migrating to Win2K in the next year, be sure
to read the article.
http://www.ntsecurity.net/go/2c.asp?f=/howto.asp?IDF=116&TB=howto

~~~~ SPONSOR: AXENT TECHNOLOGIES ~~~~
How to protect against application level attacks
Raptor Firewall delivers the most intuitive management interface and
high performance, multi-threaded services, giving you the most secure,
manageable, and flexible solution for enterprise security needs.
Now through December 24, download your FREE guide, "Everything You Need
to Know about Network Security" at
http://www.winntmag.com/jump.cfm?ID=6
AXENT is the leading provider of e-security solutions for
your business, delivering integrated products and expert
services to 45 of the Fortune 50 companies.

5. ========== NEW AND IMPROVED ==========
(contributed by Carolyn Mascarenas, products@winntmag.com)

* BIOMETRIC SECURITY SOFTWARE
Net Nanny Software announced the beta of BioPassword LogOn for Windows
NT, software that adds biometric authentication as an extra level of
security during the NT logon process. Using keystroke dynamics, the
software combats problems associated with using traditional password
security, such as internal security breaches, password-cracking
programs, and employee negligence. The software complements existing NT
permissions and logon procedures. You install the BIOServer component
on the NT server and deploy the BIOClient component through the shared
network. The software then prompts users to enter their user ID and
password to create a unique keystroke profile. Users are authenticated
by matching their logon attempt against their keystroke profile, which
resides on the server in an encrypted template.
Net Nanny Software is seeking beta testers with 100 workstations or
more to test BioPassword LogOn for Windows NT. Contact Net Nanny
Software, 425-688-3008.
http://www.netnanny.com

* CRYPTOGRAPHY WITHIN ACTIVE SERVER PAGES
CryptoObject announced CryptoObject 1.0, software that enables
cryptography from within Microsoft's Active Server Pages (ASP).
CryptoObject is a COM object that wraps the base cryptography functions
provided by the Microsoft Cryptographic API (CryptoAPI). The CryptoAPI
works well for traditional C++ and Visual Basic (VB) developers but
doesn't work well when used within Internet Information Server (IIS),
ASP, or Windows Scripting Host. Until CryptoObject, the VBScript
couldn't call any Windows DLL functions, so it couldn't use any
CryptoAPI features. CryptoObject uses the original constant names,
function names, member variables, and error codes.
CryptoObject works on Windows NT and Windows 9x systems and requires
a COM client. A single-server license starts at $100. Contact
CryptoObject, info@cryptoobject.com.
http://www.cryptoobject.com

6. ========== HOT RELEASE (ADVERTISEMENT) ==========

* KFORCE.COM
Real results by real people!***kforce.com*** Resumes read by over 2,300
Career Specialists, Not another Job Board, But the Career Resource
Center. Search our Vast Database, use the Salary Calculator, and
receive your own Career Development Coach. Opportunity has a new
address kforce.com
http://ad.doubleclick.net/clk;629716;3578931;w?http://www.kforce.com

7. ========== SECURITY TOOLKIT ==========

* BOOK HIGHLIGHT: FIREWALLS COMPLETE
By Marcus Goncalves
Online Price: $43.95
Softcover; 632 pages
Published by McGraw-Hill Publishing, February 1998

With the McGraw-Hill Complete Series, you get 100 percent of what you
need to deliver fully functional applications quickly. You get complete
coverage of technical issues, from experts who understand the problems
you must solve. And the CD-ROM lets you demonstrate today's hottest
firewall products (because so many different technologies are on the
market, and they're not all created equal).

For Windows NT Magazine Security UPDATE readers only--Receive an
additional 10 PERCENT off the online price by typing WINNTMAG in the
referral field on the Shopping Basket Checkout page. To order this
book, go to http://www.fatbrain.com/shop/info/0070246459?from=SUT864.

* TIP: LIMIT SHUTDOWN CAPABILITIES
(contributed by Mark Joseph Edwards, mark@ntsecurity.net)

In many cases, it's necessary to control who might shut down a given
workstation or server. As you know, anyone can shut down Windows NT by
simply clicking the Shutdown button located on the logon screen dialog.
But did you know you can disable the logon dialog Shutdown button?
If the logon dialog's Shutdown button is disabled, then a user must
first log on to the system before that user can shut down the system.
To disable the Shutdown button on the logon dialog, adjust the
following Registry key as indicated. Be advised that incorrectly
modifying the Registry can lead to a non-bootable system, so be sure to
back up your Registry before making changes.
Hive: HKEY_LOCAL_MACHINE
Key: Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Name: ShutdownWithoutLogon
Type: REG_SZ
Value: 0
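
The tip above as a script: an added example, not part of the original newsletter. It assumes a Windows host where PowerShell and reg.exe are available (both postdate NT 4.0) and an elevated prompt; the function names and the backup file location are hypothetical.

```powershell
# Added example: audit and set the Winlogon value named in the tip.
# Run from an elevated PowerShell prompt.
$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$RegPath   = 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ValueName = 'ShutdownWithoutLogon'

function Get-ShutdownButtonState {
    # Returns the current data and registry type; both are $null if the value is absent.
    $key  = Get-Item -Path $KeyPath
    $data = $key.GetValue($ValueName, $null)
    $kind = if ($null -ne $data) { $key.GetValueKind($ValueName) } else { $null }
    [pscustomobject]@{ Data = $data; Kind = $kind }
}

function Disable-LogonShutdownButton {
    # Hypothetical default backup location; pass another path if preferred.
    param([string]$BackupFile = "$env:TEMP\winlogon-backup.reg")

    $before = Get-ShutdownButtonState
    if ($before.Data -eq '0' -and $before.Kind -eq 'String') {
        return 'Already disabled; no change made.'
    }

    # Back up the key first, as the tip advises.
    & reg.exe export $RegPath $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "Backup of $RegPath failed; value left unchanged."
    }

    # -Force overwrites an existing value and resets its type to REG_SZ.
    New-ItemProperty -Path $KeyPath -Name $ValueName `
        -PropertyType String -Value '0' -Force | Out-Null

    # Read the value back so a silent failure does not go unnoticed.
    $after = Get-ShutdownButtonState
    if ($after.Data -ne '0' -or $after.Kind -ne 'String') {
        throw 'Write did not take effect.'
    }
    "Set $ValueName to 0 (was '$($before.Data)'); backup in $BackupFile"
}

Disable-LogonShutdownButton
```

The exported .reg file can be re-imported with reg.exe import to restore the key's earlier contents.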

8. ========== HOT THREADS ==========

* WINDOWS NT MAGAZINE ONLINE FORUMS

The following text is from a recent threaded discussion on the Windows
NT Magazine online forums (http://www.winntmag.com/support).

Find the Administrator Password
December 20, 1999, 01:37 P.M.
Is there an easy way to find the administrator password for the local
machine? A user changed the computer name on a machine and can no
longer log into the domain, and the previous IT guy used an unknown
password for the local login.

Thread continues at
http://www.winntmag.com/support/Forums/Application/Index.cfm?CFApp=69&Message_ID=82781

* HOWTO MAILING LIST
Each week we offer a quick recap of some of the highlights from the
"HowTo for Security" mailing list. The following threads are in the
spotlight this week:

1. SMB Licensing Issue (Event ID 201)
http://www.ntsecurity.net/go/L.asp?A2=IND9912D&L=HOWTO&P=418
2. Name Conflict on PDC - Event ID 4319
http://www.ntsecurity.net/go/L.asp?A2=IND9912C&L=HOWTO&P=2297

Follow this link to read all threads for Dec. Week 4:
http://www.ntsecurity.net/go/l.asp?s=howto

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

WINDOWS NT MAGAZINE SECURITY UPDATE STAFF
News Editor - Mark Joseph Edwards (mje@winntmag.com)
Ad Sales Manager (Western and International) - Vicki Peterson
(vpeterson@winntmag.com)
Ad Sales Manager (Eastern) - Tanya T. TateWik (ttatewik@winntmag.com)
Editor - Gayle Rodcay (gayle@winntmag.com)
New and Improved - Carolyn Mascarenas (products@winntmag.com)
Editor-at-Large - Jane Morrill (jane@winntmag.com)

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

Thank you for reading Windows NT Magazine Security UPDATE

To subscribe, go to http://www.winntmag.com/update or send email to
listserv@listserv.ntsecurity.net with the words "subscribe
securityupdate anonymous" in the body of the message without the
quotes.

To unsubscribe, send email to listserv@listserv.ntsecurity.net with the
words "unsubscribe securityupdate" in the body of the message without
the quotes.

To change your email address, you must first unsubscribe by sending
email to listserv@listserv.ntsecurity.net with the words "unsubscribe
securityupdate" in the body of the message without the quotes. Then,
resubscribe by going to http://www.winntmag.com/update and entering
your current contact information or by sending email to
listserv@listserv.ntsecurity.net with the words "subscribe
securityupdate anonymous" in the body of the message without the
quotes.

========== GET UPDATED! ==========
Receive the latest information on the NT topics of your choice.
Subscribe to these other FREE email newsletters at
http://www.winntmag.com/sub.cfm?code=up99inxsup.

Windows NT Magazine UPDATE
Windows NT Magazine Thin-Client UPDATE
Windows NT Exchange Server UPDATE
Windows 2000 Pro UPDATE
ASP Review UPDATE
SQL Server Magazine UPDATE

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-
Copyright 1999, Windows NT Magazine

Security UPDATE Newsletter is powered by LISTSERV software
http://www.lsoft.com/LISTSERV-powered.html
