**********************************************************
WINDOWS 2000 MAGAZINE SECURITY UPDATE 
**Watching the Watchers**
The weekly Windows 2000 and Windows NT security update newsletter brought 
to you by Windows 2000 Magazine and NTSecurity.net
http://www.win2000mag.com/update/ 
**********************************************************

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-
May 17, 2000 - In this issue:

1. IN FOCUS
     - Backpedaling Toward Security

2. SECURITY RISKS
     - Emurl 2.0 Exposes Users' Mailboxes
     - Office 2000 UA Control Scripting
     - NTMail 5.x Contains an Open Proxy
     - IIS Denial of Service and Code Exposure
     - IIS Denial of Service

3. ANNOUNCEMENTS
     - New Online Research Panel
     - Technet Puzzler--Contest Ends May 21!
     - Join Our Team

4. SECURITY ROUNDUP
     - Feature: NTFS Access Control Security Enhancements 
     - HowTo: Encrypting Files for Added Security

5. NEW AND IMPROVED
     - Message Attachment Scrubbing and Virus Protection
     - Increase Network Security in Small and Midsized Businesses 

6. SECURITY TOOLKIT
     - Book Highlight: Cyberwars: Espionage on the Internet
     - Tip: Detecting Email Worms in Outlook

7. HOT THREADS 
     - Windows 2000 Magazine Online Forums
         Group/User Permissions
     - Win2KSecAdvice Mailing List
         Fix for Backdoor in Cart32 Software
     - HowTo Mailing List
         MS Proxy and Domain Filtering
         IPSEC VPN on Windows 2000


1. ========== IN FOCUS ==========

Hello everyone,

During the past 2 weeks, Love Letter virus reports have saturated the news 
headlines. As one popular columnist pointed out, we've probably never 
before seen a virus get so much ink. The virus received so much coverage 
because of its massive spread; it infected millions of computers around the 
world in a short period of time.
   People often like to remind others that hindsight is 20/20, and in the 
case of the Love Letter virus, that goes double for Microsoft. The company 
took a beating over the Love Letter virus from security aficionados because 
of the default functionality available in the Microsoft Outlook mail 
clients.
   To make Microsoft Outlook 2000 and Outlook 98 more secure, Microsoft has 
just released a beta version of an Outlook enhancement that will help 
prevent malicious file attachments from reaching end users. Because so many 
viruses, worms, and Trojans are aimed at Outlook, Microsoft's enhancement 
attempts to filter out certain attachments and restrict programmatic access 
to the Outlook address book and contacts. When a potential intruder makes a 
programmatic attempt to access the address book, a dialog box warns users 
of the attempt. Learn more about this enhancement at
http://officeupdate.microsoft.com/2000/articles/out2ksecarticle.htm.
   The enhancement also modifies the default security zone setting within 
Outlook from the Internet Zone to the Restricted Sites Zone, which helps 
prevent certain objects embedded in email from taking action on the system. 
But as Russ Cooper (moderator of NTBugTraq) pointed out, that particular 
modification is mostly useless without changes to the default settings in 
the Restricted Sites Zone itself, and those changes are not part of the 
beta release of the Outlook enhancement. NTSecurity.net columnist David 
LeBlanc publicly pointed out more than a year ago that if you don't turn 
off all scripting in all security zones for Internet Explorer (IE) and 
Outlook, you'll see instances where email-based code can still execute. 
Don't overlook that fact, or you might become a victim. No one seems to 
know why Microsoft has addressed this well-known issue after so much time.
   In a message to NTBugTraq readers, Cooper also pointed out that the 
current beta of the Outlook enhancement, which is set for release on May 
22, has no provision to tighten security in Outlook Express. That fact is 
shocking to users who rely on the mail client. The lack seems odd given 
that Outlook Express installs by default with every copy of Windows 2000 
and reportedly can't be removed from the OS. For that reason, some people 
jokingly refer to Outlook Express as a virus.
   In any event, Cooper and many others feel that Microsoft should not 
overlook the security needs of millions of Outlook Express users. Will 
Microsoft wait until some Love Letter-type virus affects millions of 
Outlook Express users before it addresses that mail client?
   Nonetheless, Outlook 2000 and Outlook 98 users might be pleased with the 
new functionality found with the enhancement. Be sure to read the details 
Microsoft provides and consider using the new enhancement to better protect 
your systems.
   Before I sign off this week, I'd like to point out that some people are 
filtering email messages based on keywords to prevent any message that 
contains the words "love letter" from getting into a user's inbox. The idea 
is to block the virus before it infects more systems. Although that 
approach works for the original virus strain, it won't work for the 
plethora of variants that continue to float around the Internet. Not only 
is word filtering a poor way to block malicious content, the act partially 
defeats the purpose of email and causes people to miss inbound mail they 
would like to receive, such as this newsletter. If you're performing simple 
keyword filtering to prevent virus infection, you should seriously consider 
investing in an enterprise-enabled antivirus solution.
   Also consider using Exchange Administrator Newsletter columnist Sue 
Mosher's Outlook 2000 script that automatically converts inbound HTML 
content to RTF for safe viewing. The script is a good way to filter 
content. You can find the script and other helpful Outlook goodies at 
http://www.slipstick.com/dev/code/zaphtml.htm. You might also want to read 
Russ Cooper's article (http://ntbugtraq.ntadvice.com/outlookviews.asp) 
about Outlook email. Russ outlines how the mail client responds to content 
under various scenarios, which can help clear up a lot of confusion. Until 
next time, have a great week.

Sincerely,
Mark Joseph Edwards, News Editor
mark@ntsecurity.net
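
The keyword-filtering trade-off described in the In Focus column above, as an added example that is not part of the original newsletter: a phrase filter and an attachment-extension policy run over the same constructed messages. The extension list, the sample messages and all function names are assumptions made for illustration.

```python
import os
from email.message import EmailMessage

# Assumed policy list for this example: extensions Windows runs or hands to a script host.
BLOCKED_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta",
                      ".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".shs", ".lnk"}


def build(subject, body, attachment=None):
    """Build a constructed sample message, optionally with one attachment."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment:
        msg.add_attachment(b"constructed placeholder bytes", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg


def keyword_hit(msg, phrase="love letter"):
    """The filter the column warns against: match a phrase in subject or body."""
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg["Subject"]) + "\n" + (body.get_content() if body else "")
    return phrase in text.lower()


def blocked_attachments(msg):
    """Attachment-type policy: judge each MIME part by its final extension."""
    blocked = []
    for part in msg.walk():
        # Windows ignores trailing dots and spaces, so strip them before splitting.
        name = (part.get_filename() or "").strip().rstrip(". ")
        if os.path.splitext(name)[1].lower() in BLOCKED_EXTENSIONS:
            blocked.append(name)
    return blocked


# Constructed samples (not captured mail).
SAMPLES = {
    "original-style worm": build("A note for you", "Please read the attached love letter.", "letter.TXT.vbs"),
    "renamed variant": build("Fwd: Joke", "Funny, take a look.", "joke.txt.VBS"),
    "security newsletter": build("Security UPDATE", "Love Letter virus reports have saturated the news."),
    "ordinary document": build("Q2 report", "Figures attached.", "report.doc"),
}


def compare(samples=SAMPLES):
    """Return {sample name: (keyword filter verdict, blocked attachment names)}."""
    return {name: (keyword_hit(m), blocked_attachments(m)) for name, m in samples.items()}


if __name__ == "__main__":
    for name, (kw, blocked) in compare().items():
        print(f"{name:22} keyword={kw!s:5} blocked={blocked}")
```

The phrase filter misses the renamed variant and drops the newsletter, while the extension policy catches both script attachments and lets the newsletter and the ordinary document through.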

2. ========== SECURITY RISKS =========
(contributed by Mark Joseph Edwards, mark@ntsecurity.net)

* EMURL 2.0 EXPOSES USERS' MAILBOXES
Emurl allows Web-based access to user mailboxes via an encoded URL. Because 
of a product design flaw, a user who can properly encode a user account 
number can also access any mailbox on the system without a password. 
Furthermore, if identical mailboxes exist on two or more systems, an 
intruder can use the same URL to access the mailbox on all those systems. 
SeattleLab is aware of the problem and has released an updated version of 
Emurl.
   http://www.ntsecurity.net/go/load.asp?iD=/security/emurl2-1.htm

* OFFICE 2000 UA CONTROL SCRIPTING
The L0pht reported a problem with a Microsoft Office 2000 component called 
the Microsoft Office UA Control, which is installed by default and is 
categorized as being safe for scripting. L0pht analysis revealed the 
component contains functionality to script almost any action in Office 2000 
that the user could perform from the keyboard, including lowering the macro 
security settings to low. Microsoft has released a patch for the problem.
   http://www.ntsecurity.net/go/load.asp?iD=/security/office2000-1.htm

* NTMAIL 5.X CONTAINS AN OPEN PROXY
Simon Talbot reported a problem in NTMail version 5.x (and possibly other 
versions). The product contains a Web configuration interface and can also 
serve as a proxy for Web access. By default, the Web service listens on 
port 8000, and the proxy service listens on port 8080.
   If NTMail is configured to turn off the proxy, the proxy will stop 
listening on the default port; however, a user can point to the default Web 
port (8000) and gain open access to the Internet. NTMail doesn't prohibit 
use of the proxy on the Web-based configuration port.
   The vendor, NTMailUSA, is aware of the problem but hasn't released a 
fix. If you must restrict user access to Web sites via proxy, disable the 
Web configuration service in NTMail until the vendor resolves the problem.
   http://www.ntsecurity.net/go/load.asp?iD=/security/ntmail5-1.htm

* IIS DENIAL OF SERVICE AND CODE EXPOSURE
Cerberus Information Security reported that Microsoft IIS contains two 
security vulnerabilities in the Internet Server API (ISAPI) extension 
(ism.dll) that provides Web-based password administration via .htr script 
files. The first vulnerability is a Denial of Service (DoS) attack that can 
occur when a user provides a password change request that is missing an 
expected delimiter. This crashes the ISAPI extension and degrades the 
overall performance of the IIS server. In the second vulnerability, a user 
can read fragments of certain files by providing a malformed request that 
causes the .htr processing to be applied to those files. Microsoft has 
released a fix for the problems.
   http://www.ntsecurity.net/go/load.asp?iD=/security/iis4-10.htm

* IIS DENIAL OF SERVICE
USSRLabs reported a problem in Microsoft IIS that can allow Denial of 
Service (DoS) attacks against the server. IIS has built-in flexibility that 
lets it process any arbitrary sequence of file extensions or subresource 
identifiers (path_segments). By providing a URL that contains specially 
malformed file extension information, a user can arbitrarily increase the 
work factor associated with parsing the URL. This can consume much or all 
of the CPU availability, creating a DoS attack against the machine. 
Microsoft has released a fix for the problem.
   http://www.ntsecurity.net/go/load.asp?iD=/security/iis4-11.htm

3. ========== ANNOUNCEMENTS ==========

* NEW ONLINE RESEARCH PANEL
Business Technology Research is offering qualified applicants a 
chance to join its new research panel. Provide direct feedback 
to leading technology manufacturers about products in development 
and influence the concept, content, and advertising for tomorrow's 
technology. Registrants will also be entered in a drawing to win a free 
Palm Pilot VII. Visit
http://www.survey.com/btresearch/btrpanel.html

* TECHNET PUZZLER--CONTEST ENDS May 21!
Play the Microsoft TechNet Puzzler and use your expertise to win a trip 
to the Tech-Ed 2000 Conference in Orlando and a BMW Z3 Roadster!
http://www.microsoft.com/technet/puzzler/default.asp

* JOIN OUR TEAM
The Windows 2000 Magazine group is seeking highly qualified editorial, 
technical, and ad sales talent to staff its rapidly growing network of 
print and electronic media resources. For more information visit 
http://www.duke.com/job.cfm.

4. ========== SECURITY ROUNDUP ==========

* FEATURE: NTFS ACCESS CONTROL SECURITY ENHANCEMENTS
In Windows 2000, Microsoft redesigned how NTFS handles access control to 
files and other objects. You might have noticed that Security Configuration 
Manager (SCM), which Microsoft released in Windows NT 4.0 Service Pack 4 
(SP4), handles access control like Win2K does. The new NTFS access control 
model takes time to get used to, but it adds some important features. The 
redesign changes access control in three areas. To learn what those changes 
are, read Randy Franklin Smith's entire feature on our Web site.
   http://www.ntsecurity.net/go/2c.asp?f=/features.asp?IDF=112&TB=f

* HOWTO: ENCRYPTING FILES FOR ADDED SECURITY
If you're running NTFS on your Windows 2000 system, you can give yourself 
extra security by encrypting files. To do so, open My Computer, drill down 
to the file or folder you want to encrypt, and right-click it to bring up a 
menu. Select Properties and click Advanced... on the Properties dialog box. 
You'll find an "Encrypt contents to secure data" check-box at the bottom of 
the dialog box. Check this box and click OK. Click OK again to dismiss the 
Properties dialog box. Be sure to read the rest of John D. Ruley's article 
on our Web site.
   http://www.ntsecurity.net/go/2c.asp?f=/howto.asp?IDF=104&TB=h


5. ========== NEW AND IMPROVED ==========
(contributed by Judy Drennen, products@win2000mag.com)

* MESSAGE ATTACHMENT SCRUBBING AND VIRUS PROTECTION
Sophos and United Messaging announced a licensing agreement that lets 
United Messaging customers benefit from Sophos Anti-Virus (SAV) technology 
through a product called Message Control. Message Control uses SAV to 
improve customers' network security through virus detection and attachment 
scrubbing.
   For more information, contact Sophos at 888-767-4679 or 
http://www.sophos.com. Or contact United Messaging at 888-993-5088 or 
http://www.unitedmessaging.com.

* INCREASE NETWORK SECURITY IN SMALL AND MIDSIZED BUSINESSES
RADWARE and NetGuard will coordinate sales and marketing of security 
solutions comprised of NetGuard's GuardianPRO, an NT firewall, and 
RADWARE's FireProof, an intelligent, redundant high-availability solution 
for managing traffic within multiple firewall systems. GuardianPRO supports 
all IP protocols and services including streaming media and Voice-over-IP 
(VoIP) services. For more information about NetGuard or GuardianPRO, call 
972-738-6900 or go to the company's Web site at http://www.netguard.com.

6. ========== SECURITY TOOLKIT ==========

* BOOK HIGHLIGHT: CYBERWARS: ESPIONAGE ON THE INTERNET
By Jean Guisnel, Gui Masai, et al.
Online Price: $12.80
Softcover; 296 Pages
Published by Perseus Books, December 1999
ISBN 0738202606

"Cyberwars" explores a world where international terrorists plot their 
attacks and are tracked by secret service organizations, drug traffickers 
do business and launder money, and electronic economic espionage is the 
order of the day. Examining efforts to police online communications and 
content, the authors assess the implications of pervasive surveillance for 
the Internet.

To order this book, go to
http://www.fatbrain.com/shop/info/0738202606?from=win2000mag

or visit the Windows 2000 Magazine Network Bookstore at
http://www1.fatbrain.com/store.cl?p=win2000mag&s=97772.

* TIP: DETECTING EMAIL WORMS IN OUTLOOK
(contributed by Mark Joseph Edwards, mark@ntsecurity.net)

The recent Love Letter virus infected millions of computer users. As you 
know, Love Letter spread quickly by accessing the user's address book and 
sending a copy of the virus to everyone listed therein.
  Outlook users (and possibly users of other mail clients) might find it 
useful to have a dummy user in the address book to help detect future 
worms. By creating a fictitious user with a bogus email address, a user can 
make Microsoft Outlook generate an onscreen error message about that bad 
address any time it's used to send email, including when used by a virus or 
worm. Having such a bogus email contact won't stop a virus or worm, but it 
will alert you that something is accessing your address book without your 
approval. You can then contact your network security personnel to 
investigate.
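
The same canary-contact idea applied where an administrator can see it, as an added example that is not part of the original newsletter and goes beyond the Outlook-side tip: a check over outbound messages that flags any sender whose mail is addressed to the dummy contact. The canary address, the sample messages and all function names are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Hypothetical canary contact. The .invalid top-level domain is reserved
# (RFC 2606) and never resolves, so no real mailbox can receive this mail.
CANARY = "aaa-canary@mail.invalid"

# Constructed outbound messages (headers plus a short body), not captured mail.
OUTBOUND = [
    "From: Alice <alice@corp.example>\nTo: bob@corp.example\n"
    "Subject: Lunch\n\nNoon?\n",
    "From: Carol <carol@corp.example>\n"
    'To: "AAA Canary" <AAA-Canary@mail.invalid>, bob@corp.example, dave@partner.example\n'
    "Cc: erin@corp.example\nSubject: Fwd: Joke\n\nsee attachment\n",
    "From: frank@corp.example\nTo: gina@corp.example\n"
    "Bcc: aaa-canary@mail.invalid\nSubject: hello\n\nhi\n",
]


def recipients(msg):
    """Collect every To/Cc/Bcc address, lowercased, as a set."""
    fields = []
    for header in ("To", "Cc", "Bcc"):
        fields.extend(msg.get_all(header, []))
    return {addr.lower() for _, addr in getaddresses(fields) if addr}


def canary_hits(raw_messages, canary=CANARY):
    """Return one record per message that lists the canary as a recipient."""
    hits = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        rcpts = recipients(msg)
        if canary.lower() in rcpts:
            hits.append({
                "sender": parseaddr(msg.get("From", ""))[1].lower(),
                "subject": msg.get("Subject", ""),
                # A large count alongside the canary suggests a whole-address-book send.
                "recipient_count": len(rcpts),
            })
    return hits


if __name__ == "__main__":
    for hit in canary_hits(OUTBOUND):
        print(hit)
```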

7. ========== HOT THREADS ==========

* WINDOWS 2000 MAGAZINE ONLINE FORUMS

The following text is from a recent threaded discussion on the Windows 
2000 Magazine online forums (http://www.win2000mag.com/support). 

May 16, 2000, 01:04 P.M. 
Group/User Permissions 
I seem to be having a little problem configuring some of the Group 
policies/permissions. Basically, what I need is to be able to give 
permission for some people to be able to install software at their local 
machine (yet logged into the network). This is mostly for the development 
group we have here; other users will still have to hunt down the sys admin. 
Is there a way to do this with Windows 2000? What did I miss? Thanks in 
advance.

Thread continues at
http://www.win2000mag.com/support/Forums/Application/Index.cfm?CFApp=70&Message_ID=103338.

* WIN2KSECADVICE MAILING LIST
Each week we offer a quick recap of some of the highlights from the
Win2KSecAdvice mailing list. The following thread is in the spotlight
this week.

Fix for Backdoor in Cart32 Software
Cart32, a popular shopping basket application, was discovered to contain a 
deliberate backdoor that could allow a person with adequate knowledge to 
perform actions against a remote system. The vendor, McMurtrey/Whitaker & 
Associates, has released a fix.
http://www.ntsecurity.net/go/w.asp?A2=IND0005a&L=WIN2KSECADVICE&P=236

Follow this link to read all threads for May, Week 1:
   http://www.ntsecurity.net/go/w.asp?A1=ind0005a&L=win2ksecadvice

* HOWTO MAILING LIST
Each week we offer a quick recap of some of the highlights from the
HowTo for Security mailing list. The following threads are in the
spotlight this week.

1. MS Proxy and Domain Filtering
I am trying to configure MS Proxy for Domain name filtering on a multihomed 
server--with two internal subnets. What I need is domain name filtering 
just for one of the internal subnets. Can somebody help me with this?
http://www.ntsecurity.net/go/L.asp?A2=IND0005C&L=HOWTO&P=892

2. IPSEC VPN on Windows 2000
Has anyone successfully set up a VPN connection using IPSEC on a Windows 
2000 and Cisco router that uses IPSEC? I have problems when I am 
configuring the router and Win2K.
http://www.ntsecurity.net/go/L.asp?A2=IND0005c&L=HOWTO&P=366

Follow this link to read all threads for May, Week 3:
   http://www.ntsecurity.net/go/l.asp?A1=ind0005c&L=howto

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

WINDOWS 2000 MAGAZINE SECURITY UPDATE STAFF
News Editor - Mark Joseph Edwards (mje@win2000mag.com)
Ad Sales Manager (Western) - Jim Langone (jim@win2000mag.com)
Ad Sales Manager (Eastern) - Tanya T. TateWik (ttatewik@win2000mag.com)
Associate Publisher/Network - Martha Schwartz (mschwartz@win2000mag.com)
Editor - Gayle Rodcay (gayle@win2000mag.com)
New and Improved - Judy Drennen (products@win2000mag.com)
Copy Editor - Judy Drennen (jdrennen@win2000mag.com)

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-



Copyright 2000, Windows 2000 Magazine