
winsd.032200.txt

Posted Apr 13, 2000
Authored by winsd | Site win2000mag.com

Windows Security Update March 22 - In this issue: Oracle Web Listener May Run Arbitrary Commands, Microsoft Media License Manager Denial of Service, Internet Information Server Chunked Encoding Post, Security Scripting Language, Email Security Product, Book Highlight: Windows 2000 Security Little Black Book.

tags | web, denial of service, arbitrary, magazine
systems | windows
SHA-256 | 2ddfba52a1a064304c5ee29fe2023ce75365f6be3ee5723c52409bf7eaf256f7




**********************************************************
WINDOWS 2000 MAGAZINE SECURITY UPDATE
**Watching the Watchers**
The weekly Windows NT and Windows 2000 security update newsletter
brought to you by Windows 2000 Magazine and NTSecurity.net
http://www.win2000mag.com/update/
**********************************************************

This week's issue sponsored by

UltraBac.com
http://www.ultrabac.com/counter/winnt003s.htm

Symantec
http://www.symantec.com/specprog/sym/11200e.html
(Below Announcements)

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-
March 22, 2000 - In this issue:

1. IN FOCUS
- New Precedents About To Be Set?

2. SECURITY RISKS
- Oracle Web Listener May Run Arbitrary Commands
- Microsoft Media License Manager Denial of Service
- Internet Information Server Chunked Encoding Post

3. ANNOUNCEMENTS
- Windows 2000 Magazine Affiliate Program

4. NEW AND IMPROVED
- Security Scripting Language
- Email Security Product

5. HOT RELEASE (ADVERTISEMENT)
- VeriSign - The Internet Trust Company

6. SECURITY TOOLKIT
- Book Highlight: Windows 2000 Security Little Black Book

7. HOT THREADS
- Windows 2000 Magazine Online Forums:
PST Files as Offline Folders
- Win2KSecAdvice Mailing List:
Help for Relentless Port Scanning
Win2K's Default High Security Policy
- HowTo Mailing List:
Legal Question Regarding Security
Windows 2000 Desktop Lockdown

~~~~ SPONSOR: ULTRABAC.COM ~~~~
UltraBac backup and disaster recovery software for NT3.51/NT4/Win2000
announces the release of Version 5.5. UltraBac v5.5 offers a new Oracle
agent based on API's, enhanced Disaster Recovery features, enhanced SQL
7.0 database restore options; and a new proprietary Locked File Backup
(LFB) agent. Disaster recovery enhancements for image backups include
tape spanning with software compression, a new GUI for creating
disaster recovery boot floppies, and support for Hewlett Packard's new
One Button Disaster Recovery (OBDR) functionality that was recently
added to HP's tape drive products. For more information and to
download your FREE 45-day copy, click here:
http://www.ultrabac.com/counter/winnt003s.htm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Want to sponsor Windows 2000 Magazine Security UPDATE? Contact Jim
Langone (Western Advertising Sales Manager) at 800-593-8268 or
jim@win2000mag.com, OR Tanya T. TateWik (Eastern Advertising and
International Advertising Sales Manager) at 877-217-1823 or
ttatewik@win2000mag.com.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. ========== IN FOCUS ==========

Hello everyone,

Piracy is a big concern for a lot of development companies. The amount
of money reportedly lost each year at the hands of pirates is
staggering. Naturally, developers take the matter seriously and guard
the security of their code-based assets as fiercely as they can.

One progressive way to guard software assets is to place the code
into the public domain under some form of open-source licensing scheme.
Thus, piracy becomes a moot point, and development takes more of a
front seat to profits.

However, many firms develop code that could not feasibly be
protected under an open-source scheme. Instead, their products'
protection must rely on honesty or secrecy. Take, for example, the DVD-
based Content Scrambling System (CSS) software technology, which relies
on secrecy for protection. Developers use CSS to encrypt DVD-based
media so that only DVD players can decrypt and play that media. This
approach minimizes unauthorized duplication. But in November 1999,
someone posted a program called DeCSS that can decrypt media that is
copy protected with CSS.

The release of DeCSS has caused quite a ruckus in the computer
industry as well as in the motion picture industry. Naturally,
Hollywood wants to protect its movies from unauthorized duplication and
is going to extremes to do so. In late December 1999, the DVD Copy
Protection Association filed a lawsuit in California suing Web site
operators who had posted copies of the DeCSS program. The association
also sued Web site operators who merely posted links to sites that had
the program online for download. The courts handed down an injunction
prohibiting US sites from posting the code.

But hackers and supporters have struck back hard. Attorneys for the
defendants wanted the CSS code submitted as evidence in the case, which
would make the code a matter of public record because civil lawsuits
are public information. In addition, hackers from Australia will soon
air the source code on Australian television. Australian law does not
prohibit such action.

I think Hollywood has the right to sue the developers of DeCSS and
people who distribute the program, but I also think the developers of
DeCSS have the right to tell the world what they discovered. After all,
the developers of DeCSS weren't the people who said the CSS technology
was secure--they only proved that it wasn't.

That statement leads me to an interesting thought: What about the
people who developed and promoted CSS as a secure technology in the
first place? Aren't they to blame, too? If a company claims its
technology is secure, but it turns out that the product is not, could
the company be sued for fraud?

The case raises so many questions that it likely will set more than
one precedent for the computer industry and the Internet. I think those
precedents will include new legal views on antipiracy and reverse
engineering, which could dramatically impact the way security-related
problems are discovered and reported in the future. If you're a
developer or a company that sells security-related solutions (whether
software, hardware, or services), be sure to keep an eye on the DeCSS
case. It might change the way you do business.

Before I sign off this week, I want to inform you all that the
NTSecurity.net Web site may be offline until Friday morning. We have
encountered some unexpected difficulties while moving the site from one
data center to another. Thanks for your patience while we work to
quickly bring the site back online. Until next time, have a great week.

Sincerely,
Mark Joseph Edwards, News Editor
mark@ntsecurity.net

2. ========== SECURITY RISKS ==========
(contributed by Mark Joseph Edwards, mark@ntsecurity.net)

* ORACLE WEB LISTENER MAY RUN ARBITRARY COMMANDS
Oracle Application Server ships with a component called Oracle Web
Listener. Cerberus Information Security reported a problem with the
component that could let an intruder run arbitrary commands on the
server.
http://listserv.ntsecurity.net/scripts/wa-ntsecurity.exe?A2=ind0003b&L=win2ksecadvice&F=&S=&P=4178

* MICROSOFT MEDIA LICENSE MANAGER DENIAL OF SERVICE
According to Microsoft's documentation, Windows Media License Manager
is part of a technology set that enables distribution of copyrighted
digital media. When Media Player opens a protected medium, it contacts
the media provider to receive a license key. A malformed license key
request can cause the License Manager to halt.
For details, see Microsoft Support Online article Q257200
(http://support.microsoft.com/support/kb/articles/Q257/2/00.ASP?LNG=ENG&SA=ALLKB&FR=0).

* INTERNET INFORMATION SERVER CHUNKED ENCODING POST
Internet Information Server (IIS) supports chunked encoding transfers
for PUT and POST operations; however, the server does not limit the
amount of memory that can be requested for such a transfer during a
given user session. Therefore, an attacker can request large amounts of
memory from the server and cause a Denial of Service (DoS) condition for
the duration of that user's session. According to Microsoft's report,
when the attacker closes the Web browser, IIS resumes normal operation.
For more information, see Microsoft Support Online article Q252693
(http://support.microsoft.com/support/kb/articles/q252/6/93.asp?LNG=ENG&SA=ALLKB&FR=0).
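The missing bound described above, shown as an added example that is not part of the newsletter, of Microsoft's fix, or of IIS itself: a chunked-body decoder that checks each chunk's declared size against a ceiling before buffering it, and rejects malformed chunk-size lines. MAX_BODY, the exception names, decode_chunked, classify and the sample request bytes are all constructed for illustration.

```python
# Added example (not from the newsletter, Microsoft, or IIS): a chunked
# transfer-encoding decoder that enforces the bound the IIS issue lacked.
# MAX_BODY is a constructed cap; all sample request bytes are constructed.
import re

MAX_BODY = 64 * 1024  # constructed ceiling on the assembled body, in bytes
HEX_SIZE = re.compile(rb"[0-9A-Fa-f]+")  # strict chunk-size syntax


class BodyTooLarge(Exception):
    """Declared body would exceed the cap; raised before buffering."""


class MalformedChunk(Exception):
    """Bad chunk-size line, truncated data, or missing CRLF."""


def decode_chunked(data: bytes, max_body: int = MAX_BODY) -> bytes:
    """Decode a chunked body, refusing to buffer more than max_body bytes.
    The cap is checked against each chunk's *declared* size before the
    chunk is copied, so one huge declared chunk is rejected unallocated."""
    pos = 0
    out = bytearray()
    while True:
        end = data.find(b"\r\n", pos)
        if end == -1:
            raise MalformedChunk("chunk-size line not CRLF-terminated")
        size_field = data[pos:end].split(b";", 1)[0].strip()  # drop extensions
        if not HEX_SIZE.fullmatch(size_field):
            raise MalformedChunk(f"bad chunk size {size_field!r}")
        size = int(size_field, 16)
        pos = end + 2
        if size == 0:
            return bytes(out)  # last-chunk reached; trailers are ignored here
        if len(out) + size > max_body:
            raise BodyTooLarge(f"declared body exceeds {max_body} bytes")
        chunk = data[pos:pos + size]
        if len(chunk) != size or data[pos + size:pos + size + 2] != b"\r\n":
            raise MalformedChunk("chunk data truncated or not CRLF-terminated")
        out += chunk
        pos += size + 2


def classify(data: bytes, max_body: int = MAX_BODY) -> str:
    """Return 'ok', 'too-large' or 'malformed' for one request body."""
    try:
        decode_chunked(data, max_body)
        return "ok"
    except BodyTooLarge:
        return "too-large"
    except MalformedChunk:
        return "malformed"


# Constructed sample bodies: a well-formed one, and one chunk claiming 2 GB.
SAMPLE_OK = b"4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n"
SAMPLE_HUGE = b"7fffffff\r\n" + b"A" * 16 + b"\r\n"
```

Because the comparison uses the declared size, the oversize sample is refused after reading ten header bytes, not after allocating two gigabytes.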

3. ========== ANNOUNCEMENTS ==========

* WINDOWS 2000 MAGAZINE AFFILIATE PROGRAM
Windows 2000 Magazine, in cooperation with LinkShare, announces a new
Web affiliate program. By simply placing a text or banner link on your
Web site, you can earn up to $10 for each customer who clicks through
from your site to ours and orders a subscription to either Windows 2000
Magazine or SQL Server Magazine. For more information, visit
http://www.win2000mag.com/AboutUs/Index.cfm?Action=affiliate or
http://www.sqlmag.com/Info/affiliate.cfm.

~~~~ SPONSOR: SYMANTEC ~~~~
Norton Ghost 6.0 is the premier tool for Windows 2000 migration, PC
deployment, cloning, and PC recovery. It dramatically reduces IT costs
by streamlining the configuration of networked workstations.
Administrators can restore a system image onto a failed PC in as little
as seven minutes, and reduce PC deployment and upgrade times by 90
percent or more. Click here to order your free trialware!
http://www.symantec.com/specprog/sym/11200e.html

4. ========== NEW AND IMPROVED ==========
(contributed by Judy Drennen, products@win2000mag.com)

* SECURITY SCRIPTING LANGUAGE
Trusted Systems Services (TSS) announces AdvancedChecker 2.0, a
security scripting language for Windows 2000 (Win2K) and Windows NT
that installs, checks, sets, and fixes network security for large and
small sites. AdvancedChecker is available as a beta. New features
include user-defined macros, functions to query the Security log and
System and Application Event logs, and the ability to compile several
source files into one object file. Contact TSS, 217-344-0996.
http://www.trustedsystems.com

* EMAIL SECURITY PRODUCT
TurnSafe Technologies announced SafeWrite, an email security product
featuring advanced encryption technology. SafeWrite is easy to use--
just type in the recipient's address and send your message. SafeWrite
lets you send secure messages without having to worry about the
receiver's software, without having to keep track of any public keys,
and without forcing the receiver to install SafeWrite or other special
viewing software. You can use your existing POP, IMAP4, Web-based, or
AOL email account. SafeWrite is compatible with most OSs, including
Windows, Mac OS, Linux, OS/2, and UNIX. SafeWrite sends messages with
dissolving keys, so that after a user reads a message, it cannot be re-
opened. SafeWrite secure email service is available by subscription to
individuals for 2 years at a cost of $39.95, and includes product
updates during the subscription period. Multiuser and domain rates are
also available.
http://www.turnsafe.com

5. ========== HOT RELEASE (ADVERTISEMENT) ==========

* VERISIGN - THE INTERNET TRUST COMPANY
Protect your servers with 128-bit SSL encryption! Get a FREE guide,
"Securing Your Web Site for Business." You'll learn how to use SSL
encryption for serious online security.
http://www.verisign.com/cgi-bin/go.cgi?a=n016005190008000

6. ========== SECURITY TOOLKIT ==========

* BOOK HIGHLIGHT: WINDOWS 2000 SECURITY LITTLE BLACK BOOK
By Ian McLean
Online Price: $19.95
Softcover; 400 pages
Published by Coriolis, February 2000
ISBN: 1576103870

"Windows 2000 Security Little Black Book" is an indispensable tool for
the security professional working in the Windows 2000 (Win2K)
environment. This book is packed with methods and tips for implementing
secure, but usable, network policies.

Whether you work in a small organization with a few hundred users or
a large multinational group working across WANs and the Internet,
you'll find the information you need presented in an accessible, user-
friendly format. Using this book, you can unlock the secrets of Win2K's
Active Directory (AD), Group Policy, security protocols, encryption,
public key security, security certificates, smart cards, IP security,
VPNs, and the security toolset.

For Windows 2000 Magazine Security UPDATE readers only--Receive an
additional 10 PERCENT off the online price by typing WIN2000MAG in the
referral field on the Shopping Basket Checkout page. To order this
book, go to http://www.fatbrain.com/shop/info/1576103870?from=SUT864.

7. ========== HOT THREADS ==========

* WINDOWS 2000 MAGAZINE ONLINE FORUMS

The following text is from a recent threaded discussion on the Windows
2000 Magazine online forums (http://www.win2000mag.com/support).

March 17, 2000, 07:09 A.M.
PST Files as Offline Folders
When selecting my network-based PST Folders as Offline Folders, I get a
synchronization error and it fails. The rest of the folders can be set
as offline. I have already shut down Outlook and checked that there are
no file locks or anything. I did successfully select them in RC2, but
since upgrading, I can't do it. Anyone know if there is a fix or is
this a "feature?"

Thread continues at
http://www.win2000mag.com/support/Forums/Application/Index.cfm?CFApp=70&Message_ID=95536

* WIN2KSECADVICE MAILING LIST
Each week we offer a quick recap of some of the highlights from the
Win2KSecAdvice mailing list. The following threads are in the spotlight
this week:

1. Help for Relentless Port Scanning
http://listserv.ntsecurity.net/scripts/wa-ntsecurity.exe?A2=ind0003c&L=win2ksecadvice&P=1614

2. Win2K's Default High Security Policy
http://listserv.ntsecurity.net/scripts/wa-ntsecurity.exe?A2=ind0003c&L=win2ksecadvice&P=861

* HOWTO MAILING LIST
Each week we offer a quick recap of some of the highlights from the
HowTo for Security mailing list. The following threads are in the
spotlight this week:

1. Legal Question Regarding Security
http://listserv.ntsecurity.net/scripts/wa-ntsecurity.exe?A2=ind0003c&L=howto&P=2783

2. Windows 2000 Desktop Lockdown
http://listserv.ntsecurity.net/scripts/wa-ntsecurity.exe?A2=ind0003c&L=howto&P=12148

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

WINDOWS 2000 MAGAZINE SECURITY UPDATE STAFF
News Editor - Mark Joseph Edwards (mje@win2000mag.com)
Ad Sales Manager (Western) - Jim Langone (jim@win2000mag.com)
Ad Sales Manager (Eastern) - Tanya T. TateWik (ttatewik@win2000mag.com)
Associate Publisher/Network - Martha Schwartz (mschwartz@win2000mag.com)
Editor - Gayle Rodcay (gayle@win2000mag.com)
New and Improved - Judy Drennen (products@win2000mag.com)
Copy Editor - Judy Drennen (jdrennen@win2000mag.com)

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

Thank you for reading Windows 2000 Magazine Security UPDATE.


To subscribe, go to the UPDATE home page at
http://www.win2000mag.com/update or send an email to join-securityupdate@list.win2000mag.net.

To remove yourself from the list, send a blank email to leave-securityupdate@list.win2000mag.net.

To change your email address, send a message with the content below to securityupdate@list.win2000mag.net.
set securityupdate email="new email address"
Replace "new email address" (including quotes)
with your new email address.


If you have questions or problems with your UPDATE subscription, please contact
owner-securityupdate@list.win2000mag.net.


========== GET UPDATED! ==========
Receive the latest information on the Windows 2000 and Windows NT topics of your choice. Subscribe to these other FREE email newsletters at
http://www.win2000mag.com/sub.cfm?code=up99inxsup.

Windows 2000 Magazine UPDATE
Windows 2000 Magazine Thin-Client UPDATE
Windows 2000 Magazine Exchange Server UPDATE
Windows 2000 Magazine Enterprise Storage UPDATE
Windows 2000 Pro UPDATE
ASP Review UPDATE
SQL Server Magazine UPDATE
SQL Server Magazine XML UPDATE
IIS Administrator UPDATE
WinInfo UPDATE

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|

Copyright 2000, Windows 2000 Magazine


