**********************************************************
WINDOWS NT MAGAZINE SECURITY UPDATE
**Watching the Watchers**
The weekly Windows NT security update newsletter brought to you by
Windows NT Magazine and NTsecurity.net
http://www.winntmag.com/update/
**********************************************************

This week's issue sponsored by

Sunbelt Software - STAT: NT Vulnerability Scanner
http://www.sunbelt-software.com/stat.htm

Network-1 Security Solutions - Embedded NT Firewalls
http://www.network-1.com/eval/eval6992.htm
(Below Security Roundup)

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-
November 24, 1999 - In this issue:

1. IN FOCUS
     - Windows NT Magazine and NTSecurity.net Join Forces

2. SECURITY RISKS
     - Internet Explorer 5.0 XML Redirects
     - Vermillion FTP Server Subject to Denial of Service
     - WordPad Subject to Crash
     - HP JetDirect Denial of Service
     - ZetaMail 2.1 Subject to Denial of Service
     - G6 FTP Server Subject to Denial of Service

3. ANNOUNCEMENTS
     - Answers To NT Frequently Asked Questions
     - Security Poll: Have You Taken Any Formal Security Training?

4. SECURITY ROUNDUP
     - Feature: Melissa Variant Prilissa on the Loose
     - Feature: ESE Page Zeroing Enhances Exchange Security
     - Feature: The Philosophy of Security - UNIX vs. NT
     - Review: 3Com's New 3CR990 Encrypting NIC

5. NEW AND IMPROVED
     - Virus Protection for File Servers

6. HOT RELEASE
     - kforce.com

7. SECURITY TOOLKIT
     - Book Highlight: Windows NT Magazine Administrator's Survival
Guide: System Management and Security
     - Security Shareware: NightVision
     - Tip: Controlling NetBIOS Access
     - HowTo: Backing Up and Restoring Win2K System State

8. HOT THREADS
     - Windows NT Magazine Online Forums:
         Default Admin Share
     - Win2KSecAdvice Mailing List:
         Event Logs of Failed Logons
         Windows Update Carries a Bug
     - HowTo Mailing List:
         Removing Hidden Shares
         MS Access Security

~~~~ SPONSOR: SUNBELT SOFTWARE - STAT: NT VULNERABILITY SCANNER ~~~~
Ever had that feeling of ACUTE PANIC that a hacker has invaded your
network?
Plug NT's holes before they plug you. There are many hundreds of known
NT vulnerabilities. New ones are found daily. You just have to protect
your LAN _before_ it gets attacked. STAT is a new tool that solves your
NT security exposure in a completely unique fashion. STAT is not just a
shrink-wrap product. It comes with a responsive web-update service and
a dedicated Pro SWAT team that helps you to hunt down and kill Security
holes. Originally built by anti-hacker experts for Secure Government
sites. Download a demo copy before you become a statistic.
http://www.sunbelt-software.com/stat.htm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Want to sponsor Windows NT Magazine Security UPDATE? Contact Vicki
Peterson (Western and International Advertising Sales Manager) at 877-
217-1826 or vpeterson@winntmag.com, OR Tanya T. TateWik (Eastern
Advertising Sales Manager) at 877-217-1823 or ttatewik@winntmag.com.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. ========== IN FOCUS ==========

Hello everyone,

It's now official: NTSecurity.net has joined forces with Windows NT
Magazine to bring you an even stronger offering of NT security
information. With the new partnership, Windows NT Magazine and
NTSecurity.net will combine resources and efforts to produce a stronger
security newsletter and a more content-rich NT-related security Web
site.
   To understand how we've reorganized our security-related
publications under the new alliance, you might need to understand a bit
about the history of NTSecurity.net. I started NTSecurity.net in 1996
as an independent project to offer the community a quick summary of all
known NT-related security vulnerabilities and fixes in one location.
The site quickly evolved to include vulnerabilities for all Microsoft
OSs and applications, as well as third-party Windows-based
applications. Today, NTSecurity.net encompasses more than just
vulnerability and fix information. At the site, you'll finds news,
features, product reviews, how-to articles, books, security software
tools, several security mailing lists, a newsletter, and a wealth of
other timely security-related information.
   If you're a frequent visitor to NTSecurity.net, you already know
about the Windows Security Alerts (WinSA) and Windows Security Digest
(WinSD) mailing lists. The lists have been around for some time and are
popular with the security community. Subscribers to the WinSA mailing
list receive security alerts as we learn of new risks; WinSD is a
weekly digest newsletter that covers security news from a variety of
third-party information resources.
   Under the new partnership, WinSA, WinSD, and the Security UPDATE
mailing list are combined into one mailing list. The content formerly
published in WinSD will become part of Security UPDATE.
   In addition to receiving new content, each Security UPDATE
subscriber will now automatically receive the security alerts formerly
provided by WinSA. What are security alerts? As we become aware of new
Windows-related security risks, we analyze the risk, write up the
details (including any known workarounds and fixes) and immediately
alert our readers via email. The alert service reduces the time you
spend learning about new risks on your own, and helps you avoid
overlooking any new risks that may affect your network.
   Not only have we combined the email-based publications, but we are
also consolidating Web-based resources. Although you'll still find
security-related information on the Windows NT Magazine Web site, most
security information will now appear on NTSecurity.net instead of
WinNTMag.com. In a nutshell, NTSecurity.net has become the new point-
of-publication for all of Windows NT Magazine's Web-based security-
related articles and information.
   In the near future, you'll begin to see notable changes at the
NTSecurity.net Web site that reflect this new partnership. You'll find
new, regularly published content that includes exclusive columns from
notable industry insiders, weekly editorials and news analysis, in-
house product reviews, how-to articles, lots of security tips, even
more book recommendations, and several other features that are still on
the drawing board (more on those in a future edition of this
newsletter).
   The alliance represents Windows NT Magazine's commitment to
providing each of you with the best and most up-to-date security
information available anywhere today. We hope you enjoy this first
edition of Security UPDATE using the new expanded format. And by all
means, if you have any comments or suggestions, please feel free to
send them my way. Until next time, have a great week.

Sincerely,
Mark Joseph Edwards, News Editor
mark@ntsecurity.net

2. ========== SECURITY RISKS =========
(contributed by Mark Joseph Edwards, http://www.ntsecurity.net)

* INTERNET EXPLORER 5.0 XML REDIRECTS
Georgio Guninski reported a problem with Internet Explorer (IE) 5.0
under Windows NT 4.0 and Windows 95. According to the report, IE 5.0
has a problem with the way it handles HTTP redirects in Extensible
Markup Language (XML) objects. The problem unnecessarily exposes a
user's local file.
   When a user embeds an XML document within an HTML document, IE 5.0
doesn't handle the HTTP redirects properly, thereby allowing access to
the domain of the embedded XML document.
   http://www.ntsecurity.net/go/load.asp?iD=/security/IE54.htm

* VERMILLION FTP SERVER SUBJECT TO DENIAL OF SERVICE
USSRLabs discovered a denial of service (DoS)condition in Vermillion
FTP Daemon (VFTPD) 1.23 caused by a buffer overflow condition in the
CWD command. By sending a CWD command three times in a row with a
command buffer of exactly 504 characters, an intruder can crash the
server.
   http://www.ntsecurity.net/go/load.asp?iD=/security/verm1.htm

* WORDPAD SUBJECT TO CRASH
Windows NT and Windows 9x ship with a built-in word processor
(WordPad), which relies on riched20.dll. The DLL has an overflow
condition present when viewing Rich Text Format (RTF) files that can
cause WordPad to crash. The vulnerability doesn't appear to offer a
means of executing arbitrary code, so the risk is limited to that of a
minor nuisance.
   http://www.ntsecurity.net/go/load.asp?iD=/security/richedit1.htm

* HP JETDIRECT DENIAL OF SERVICE
The HP JetDirect J3111A module with firmware G.05.35 suffers from a
buffer overflow in its internal Web server that can lead to a crash
and, thus, a denial of service (DoS). If a user enters a particular URL
in a Web browser, the printer crashes and prints a diagnostics page
showing the contents of all registers and 64 bytes of all memory
addresses that the address registers point to.
   http://www.ntsecurity.net/go/load.asp?iD=/security/jetdirect1.htm

* ZETAMAIL 2.1 SUBJECT TO DENIAL OF SERVICE
UssrLabs discovered a buffer overflow condition in ZetaMail 2.1 mail
server; the condition is present in the server's user login sequence.
By sending a username and password of 3500 characters, an intruder can
crash the server.
   http://www.ntsecurity.net/go/load.asp?iD=/security/zetamail1.htm

* G6 FTP SERVER SUBJECT TO DENIAL OF SERVICE
UssrLabs reported a denial of service (DoS) vulnerability in Gene6's G6
FTP Server caused by a buffer overflow condition. When a user logs into
the FTP server using a long username (2000 characters), the service
will begin consuming memory and CPU cycles until it exhausts all
resources, causing the server to stop responding.
   http://www.ntsecurity.net/go/load.asp?iD=/security/g6ftp.htm

3. ========== ANNOUNCEMENTS ==========

* ANSWERS TO NT FREQUENTLY ASKED QUESTIONS
Check out this technically rich FAQ site:
http://www.jsiinc.com/reghack.htm. Established by Jerold Schulman, it
includes more than 1800 fully searchable Windows NT tips, techniques,
and Registry hacks. With new listings added daily, it is a superior
resource from one of the sharpest minds in the industry.

* SECURITY POLL: HAVE YOU TAKEN ANY FORMAL SECURITY TRAINING?
On November 1, we posted a nonscientific survey on NTSecurity.net
asking readers if they had taken any security training, and if so, was
that training mandated or voluntary. To view the survey results, visit
http://www.ntsecurity.net/go/loadit.asp?/forums/2cents/polls.asp?idf=107&tb=
polls

4. ========== SECURITY ROUNDUP ==========

* FEATURE: MELISSA VARIANT PRILISSA ON THE LOOSE
Users recently discovered a Melissa virus variant named Prilissa. The
virus infects Word 97 documents and spreads by sending the infected
document as an email attachment using Microsoft Outlook to the first 50
addresses in each address book.
   The subject line reads "Message From (username)." The text in the
body of the message reads "This document is very Important and you've
GOT to read this!!!" When a user opens the infected document, the virus
disables virus protection security settings, conversion confirmation,
and recently opened file list.
   In addition, the virus triggers on December 25, a Christian holiday.
Once triggered, the virus writes a Moslem-related message on the
screen, modifies the user's autoexec.bat file and, upon reboot,
displays a second Moslem-related message.
   Most major antivirus software vendors have produced signature files
to detect and remove the virus. Be sure to update your files today.
   http://www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=179&TB=news
   http://www.symantec.com/press/1999/n991122b.html

* FEATURE: ESE PAGE ZEROING ENHANCES EXCHANGE SECURITY
Extensible Storage Engine (ESE) Page Zeroing, also called scrubbing, is
a feature that Microsoft first made available in Exchange Server 5.5
Service Pack 2 (SP2). Scrubbing overwrites unused pages in Exchange
Server databases with a byte pattern so that a user can't recover data
within these unused pages using conventional means.
   When users delete an item from the Exchange server, such as when
they delete a message from their mailbox, Exchange removes references
to the item and marks as unused the pages the item was occupying
(assuming you've disabled Deleted Item Retention). Without scrubbing,
someone can retrieve the deleted data using conventional retrieval
methods.
   http://www.ntsecurity.net/go/2c.asp?f=/features.asp?IDF=138&TB=f

* FEATURE: THE PHILOSOPHY OF SECURITY - UNIX VS. NT
Simson L. Garfinkel writes a compelling article for ZDTV that looks at
some of the fundamental differences between the security approaches in
Windows NT and UNIX.
   Garfinkel points out several shortcomings that Microsoft developers
could have taken efforts to eliminate and also points out that UNIX
isn't perfect either.
   http://www.ntsecurity.net/go/2c.asp?f=/features.asp?IDF=137&TB=f

* REVIEW: 3COM'S NEW 3CR990 ENCRYPTING NIC
In his review for Planet IT, Edward J. Correia examines 3Com's new
3CR990-TX 10/100 Fast Ethernet NIC. The new network adapter sports Data
Encryption Standard (DES) and 3DES encryption and offloads processing
from the system with its built-in encryption hardware engine.
   http://www.ntsecurity.net/go/2c.asp?f=/howto.asp?IDF=112&TB=howto

~~~~ SPONSOR: NETWORK-1 SECURITY SOLUTIONS - EMBEDDED NT FIREWALLS ~~~~
CyberwallPLUS-SV is the first embedded firewall for NT servers.  It
secures valuable servers with network access controls and intrusion
prevention.  Visit <http://www.network-1.com/eval/eval6992.htm> to
register for a free trip to SANS Security `99 in San Francisco.

5. ========== NEW AND IMPROVED ==========
(contributed by Carolyn Mascarenas, products@winntmag.com)

* VIRUS PROTECTION FOR FILE SERVERS
Trend Micro announced ServerProtect 5.0, virus protection software for
file servers. You can organize a series of antivirus management
operations into one task. You can centrally and remotely manage
multiple Windows NT and Novell NetWare servers and domains
simultaneously from one Windows-based management console. You can
configure ServerProtect to automatically download scan engines, pattern
files, and program files to ensure you are updated with all the latest
technology needed to fight the newest viruses. Pricing is on a per
seat/volume basis and starts at $600 for 25 users. Contact Trend Micro,
408-867-6404.
   http://www.antivirus.com

6. ========== HOT RELEASE (ADVERTISEMENT) ==========

* KFORCE.COM
Afraid of getting lost on another job board? Real results by real
people at kforce.com. Resumes read by 2,300 Career Specialists,
Confidential Searching, and a Career Development Coach! Click on
***kforce.com*** where opportunity has a new address.
http://ad.doubleclick.net/clk;629716;3578931;w?http://www.kforce.com

7. ========== SECURITY TOOLKIT ==========

* BOOK HIGHLIGHT: WINDOWS NT MAGAZINE ADMINISTRATOR'S SURVIVAL GUIDE:
SYSTEM MANAGEMENT AND SECURITY
By John Enck
Online Price: $31.95
Softcover; 359 pages
Published by Duke Press, June 1998

Windows NT Magazine brings you Windows NT Magazine Administrator's
Survival Guide: System Management and Security--the first book in the
Survival Guide series. John Enck has assembled the best articles and
authors to share their vast experience with mission-critical system
management and security issues. The articles have been updated, and
Enck has added new introductory material to set the context for
readers. Busy NT users will find the hands-on, problem-solving approach
they have come to rely on in the magazine invaluable in this rich,
user-friendly resource.

For Windows NT Magazine Security UPDATE readers only--Receive an
additional 10 PERCENT off the online price by typing in WINNTMAG in the
referral field on the Shopping Basket Checkout page. To order this
book, go to http://www.fatbrain.com/shop/info/188241988X?from=SUT864.

* SECURITY SHAREWARE: NIGHTVISION
(contributed by Jonathan Chau, jjc@winntmag.com)

For administrators, there's nothing worse than when the network goes
down overnight. NightVision, a new network monitoring utility, acts as
the eyes behind your head. NightVision can monitor both Windows and
UNIX machines over a TCP/IP or UDP connection, and you can seamlessly
integrate the program into any network. The product works by
periodically checking to determine whether the connected systems are
still up and responsive. If NightVision detects an error, it can email
or page the specified administrator to alert them to the problem.
http://www.jriver.com/products/night-vision.html

* TIP: CONTROLLING NETBIOS ACCESS
(contributed by Mark Joseph Edwards, http://www.ntsecurity.net)

About once each month, someone asks me how to block access to NetBIOS
from the Internet without using a firewall. You can accomplish this
task in at least two different ways, and both are fairly simple to
implement.
   The first method uses Windows NT's built-in TCP/IP security, in
which an administrator defines which ports to block. By examining the
TCP/IP properties under the Network applet in the Control Panel, you'll
find the security settings. The dialog box is located on the IP Address
tab under the Enabled Security section.
   Keep in mind that when you block ports using this feature, the ports
remain blocked until you re-adjust the settings. To block NetBIOS, deny
incoming access to TCP ports 135, 137, and 138, as well as UDP port
139.
   Another way to achieve the same result is to stop the Server
service. The Server service is necessary for NetBIOS functionality, and
when that service is not running, NetBIOS is not available. The Server
service is not required to run an Internet Information Server (IIS) Web
server or many other servers you might expose to the Internet. The only
limitation in stopping the Server service is that you can no longer
access that machine's resources using NetBIOS-based tools such as NT
Explorer or User Manager. To use such tools, you simply start the
Server service for the required time period, then stop the service when
you're done managing the server over NetBIOS.
   Even though both methods block NetBIOS access to a given NT system,
these methods are not replacements for an adequate network border
protection system such as a firewall.

* HOWTO: BACKING UP AND RESTORING WIN2K SYSTEM STATE
Windows 2000 (Win2K) contains several crucial system components that
are essential to successful operation. You should ensure that you
properly back up these components and that you can successfully restore
them if things go wrong. In his Web Exclusive for Windows NT Magazine
Online, Zubair Ahmad discusses Win2K system state recovery tips and
techniques that you'll find useful with Win2K.
   http://www.ntsecurity.net/go/2c.asp?f=/howto.asp?IDF=112&TB=howto

8. ========== HOT THREADS ==========

* WINDOWS NT MAGAZINE ONLINE FORUMS

The following text is from a recent threaded discussion on the Windows
NT Magazine online forums (http://www.winntmag.com/support).

November 18, 1999, 10:21 A.M.
Default Admin Share
How do I stop the default Admin share on a Windows NT Workstation
permanently?

Thread continues at
http://winntmag.com/support/Forums/Application/Index.cfm?CFApp=69&Message_ID
=78648

* WIN2KSECADVICE MAILING LIST
Each week we offer a quick recap of some of the highlights from the
Win2KsecAdvice mailing list. The following threads are in the spotlight
this week:

1. Event Logs of Failed Logons
http://www.ntsecurity.net/go/page_listserv.asp?A2=IND9911C&L=WIN2KSECADVICE&
P=2241

2. Windows Update Carries a Bug
http://www.ntsecurity.net/go/page_listserv.asp?A2=IND9911C&L=WIN2KSECADVICE&
P=1043

Follow this link to read all threads for November Week 3:
http://www.ntsecurity.net/go/loadit.asp?id=page_listserv.asp?s=win2ksec

* HOWTO MAILING LIST
Each week, we offer a quick recap of highlights from the "HowTo for
Security" mailing list. The following threads are in the spotlight this
week:

1. Removing Hidden Shares
http://www.ntsecurity.net/go/loadit.asp?/go/page_listserv.asp?A2=IND9911C&L=
HOWTO&D=0&P=8802

2. MS Access Security
http://www.ntsecurity.net/go/loadit.asp?/go/page_listserv.asp?A2=IND9911C&L=
HOWTO&D=0&P=9968

Follow this link to read all threads for November Week 3:
http://www.ntsecurity.net/go/loadit.asp?id=page_listserv.asp?s=howto

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

WINDOWS NT MAGAZINE SECURITY UPDATE STAFF
News Editor - Mark Joseph Edwards (mje@winntmag.com)
Ad Sales Manager (Western and International) - Vicki Peterson
(vpeterson@winntmag.com)
Ad Sales Manager (Eastern) - Tanya T. TateWik (ttatewik@winntmag.com)
Editor - Gayle Rodcay (gayle@winntmag.com)
New and Improved - Carolyn Mascarenas (products@winntmag.com)
Security Shareware - Jonathan Chau (jjc@winntmag.com)
Editor-at-Large - Jane Morrill (jane@winntmag.com)

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

Thank you for reading Windows NT Magazine Security UPDATE

To subscribe, go to http://www.winntmag.com/update or send email to
listserv@listserv.ntsecurity.net with the words
"subscribe securityupdate anonymous" in the body of the message without
the quotes.

To unsubscribe, send email to listserv@listserv.ntsecurity.net with the
words "unsubscribe securityupdate" in the body of the message without
the quotes.

========== GET UPDATED! ==========
Receive the latest information on the NT topics of your choice.
Subscribe to these other FREE email newsletters at
http://www.winntmag.com/sub.cfm?code=up99inxsup.

Windows NT Magazine UPDATE
Windows NT Magazine Thin-Client UPDATE
Windows NT Exchange Server UPDATE
Windows 2000 Pro UPDATE
SQL Server Magazine UPDATE

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-
Copyright 1999, Windows NT Magazine