**********************************************************
WINDOWS 2000 MAGAZINE SECURITY UPDATE
**Watching the Watchers**
The weekly Windows 2000 and Windows NT security update newsletter
brought to you by Windows 2000 Magazine and NTSecurity.net
http://www.win2000mag.com/update/
**********************************************************

This week's issue sponsored by

BindView Corporation
http://www.bindview.com/securitysuite.html

VeriSign - The Internet Trust Company
http://www.verisign.com/cgi-bin/go.cgi?a=n016107860151000
(Below SECURITY ROUNDUP)

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

May 31, 2000 - In this issue:

1. IN FOCUS
     - Think You're Safe from Sniffing?

2. SECURITY RISKS
     - Windows Computer Browser Denial of Service
     - Master Browser Denial of Service
     - WebShield SMTP Buffer Overflow Condition
     - Buffer Overflows in PDGSoft Shopping Cart
     - Mailsite Buffer Overflow

3. ANNOUNCEMENTS
     - Discover Windows 2000 Magazine
     - Microsoft Tech-Ed 2000 WebCast

4. SECURITY ROUNDUP
     - News: Beware of Killer Resumes
     - News: Microsoft Delays Outlook Security Update

5. NEW AND IMPROVED
     - PC Security
     - Collaboration to Deliver Subscription Services to Hotmail Users

6. SECURITY TOOLKIT
     - Book Highlight: Virus Proof: The Ultimate Guide to Protecting Your System
     - Tip: Microsoft's Online Security Papers
     - Windows 2000 Security: Creating a Custom Password-Reset MMC

7. HOT THREADS
     - Windows 2000 Magazine Online Forums
         User Passwords
     - Win2KSecAdvice Mailing List
         Windows DoS Code (jolt2.c)
     - HowTo Mailing List
         Using a Logon Script to Update Virus Signature Files
         Windows NT 4.0 System Policy

~~~~ SPONSOR: BINDVIEW CORPORATION ~~~~
Get secure with BindView. BindView is not only committed to keeping your enterprise secure with award-winning IT risk management solutions for Windows 2000, NT, NetWare, Microsoft Exchange, SAP and UNIX, but is dedicated to keeping you on the cutting edge of security issues.
Subscribe to our bi-monthly security newsletter containing editorials and hotlinks to hot security news. We also offer a Web site maintained by RAZOR, BindView's team of security experts. Find out what BindView can offer you by checking out our main Web site's new dedicated security area at http://www.bindview.com/securitysuite.html.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Want to sponsor Windows 2000 Magazine Security UPDATE? Contact Jim Langone (Western Advertising Sales Manager) at 800-593-8268 or jim@win2000mag.com, OR Tanya T. TateWik (Eastern and International Advertising Sales Manager) at 877-217-1823 or ttatewik@win2000mag.com.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. ========== IN FOCUS ==========

Hello everyone,

Do you use Ethernet switches to help protect network traffic from prying eyes? For a long time, switches have been a tactic against snoops. A switched network separates traffic so that a user on one segment can't easily sniff traffic on another segment. To sniff traffic on a switched network, a user must either place a sniffer on the actual target segment or get machines on the target segment to send their traffic through the sniffer's own segment or system.

Instructing a remote machine to forward packets your way used to be difficult; you had to somehow change the remote host's gateway. Not an easy task, unless you have a copy of arpredirect.

Arpredirect is an Address Resolution Protocol (ARP) poisoning tool. By sending a host the appropriate ARP packets, the tool can change the hardware (MAC) address that the host associates with its gateway. For example, an intruder can use arpredirect to make a remote host forward all of its outbound packets to the intruder's machine. The intruder can analyze or save the packets, then forward them to their final destination without the remote user's knowledge.

Dug Song originally developed the arpredirect tool in December 1999.
The tool is part of his dsniff package, which is available at Song's Web site (http://naughty.monkey.org/~dugsong/dsniff). I had forgotten about arpredirect until I recently read an article by Stuart McClure and Joel Scambray in a competing publication. The two men point out that we need to be aware of arpredirect and the entire dsniff package because it can be dangerous in the wrong hands.

In a nutshell, dsniff is the Swiss army knife of privacy invasion. The package ships with a handful of powerful tools, including urlsnarf, webspy, mailsnarf, and the dsniff tool. Urlsnarf grabs every URL that passes across the wire and stores it for later examination. Webspy can grab URLs off the wire and open the URL in your local browser window so you can follow along and view what a remote user is seeing on his or her Web browser. Mailsnarf is just as nasty as webspy--it can sniff SMTP-related packets off the wire and reassemble entire email messages into a common format that popular mail clients can read. The dsniff tool is one of the most powerful password grabbers I've seen. It can snag passwords off the wire from many different protocols, including FTP, Telnet, Web, POP3, IMAP, LDAP, Citrix ICA, pcAnywhere, SMB, Oracle SQL*Net, and numerous others.

Even though the tools found in the dsniff package are written for UNIX platforms, you still need to be aware that these tools exist because they could be used against your Windows-based networks. Song's package is incredibly powerful, whether used with good or bad intent. The tools point out a well-known problem with networks in general: malicious users can easily sniff clear text from packets to glean sensitive data. Although blocking ARP redirects and monitoring ARP traffic and tables can help protect against tools like arpredirect, those tactics are certainly not cure-alls.
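The ARP-table monitoring the column recommends can be scripted. The following is an added example, written for this page; it is not code from the newsletter, from dsniff, or from any vendor. It replays a constructed list of observed ARP replies through a small monitor and flags the two traces an arpredirect-style redirect leaves behind: an IP address (the gateway above all) whose hardware address changes, and one hardware address answering for several IP addresses at once. The record layout, the gateway address 10.0.0.1 and every MAC address are assumptions made up for the example.

```python
"""ARP-table watcher: flags the traces an ARP redirect leaves behind.

Added example for this newsletter; the reply records are constructed,
not captured from any real network.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class ArpReply:
    ts: int          # seconds since capture start (constructed value)
    sender_ip: str   # IP address the reply claims to speak for
    sender_mac: str  # hardware address offered for that IP


@dataclass
class ArpMonitor:
    gateway_ip: str                                       # assumed gateway of this segment
    table: Dict[str, str] = field(default_factory=dict)   # ip -> mac as last seen
    alerts: List[str] = field(default_factory=list)

    def observe(self, reply: ArpReply) -> List[str]:
        """Update the table with one reply; return the alerts it triggered."""
        new: List[str] = []
        mac = reply.sender_mac.lower()
        known = self.table.get(reply.sender_ip)
        # Sign 1: a binding we have already seen flips to a different MAC.
        # The gateway is what a redirect goes after, so rank that change higher.
        if known is not None and known != mac:
            sev = "HIGH" if reply.sender_ip == self.gateway_ip else "MEDIUM"
            new.append(f"{sev} t={reply.ts}: {reply.sender_ip} moved from {known} to {mac}")
        self.table[reply.sender_ip] = mac
        # Sign 2: one station answering for several IP addresses at once.
        claimed = sorted(ip for ip, m in self.table.items() if m == mac)
        if len(claimed) > 1:
            new.append(f"MEDIUM t={reply.ts}: {mac} answers for {', '.join(claimed)}")
        self.alerts.extend(new)
        return new


def scan(replies: List[ArpReply], gateway_ip: str) -> List[str]:
    """Run a list of replies through a fresh monitor and return every alert raised."""
    mon = ArpMonitor(gateway_ip)
    for r in replies:
        mon.observe(r)
    return mon.alerts


# Constructed sample: a quiet segment, then the host ending in :09 starts
# answering for the gateway and then for a workstation as well.
SAMPLE_REPLIES = [
    ArpReply(0, "10.0.0.1", "00:11:22:33:44:01"),    # real gateway
    ArpReply(1, "10.0.0.7", "00:11:22:33:44:07"),    # workstation
    ArpReply(2, "10.0.0.9", "00:11:22:33:44:09"),    # another host
    ArpReply(30, "10.0.0.1", "00:11:22:33:44:09"),   # :09 now claims the gateway IP
    ArpReply(31, "10.0.0.7", "00:11:22:33:44:09"),   # :09 now claims the workstation too
]

if __name__ == "__main__":
    for line in scan(SAMPLE_REPLIES, "10.0.0.1"):
        print(line)
```

In practice the reply records would come from a capture tool or from periodic dumps of each host's ARP cache rather than an inline list, and the first three replies would be learned during a known-clean period. The monitor keeps the last-seen binding on purpose: when the real gateway re-announces itself after a redirect, the flip back raises another HIGH alert, which is exactly the flapping a poisoned segment shows.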
Those tactics help prevent packets from becoming misdirected, but most data still travels in clear text over your networks, which means localized intruders can glean sensitive data with packet-sniffing tools. To better protect your data, you must encrypt it at some level before sending it out on the wire, and you must use sniffer-detecting tools to help stop the snoops. The decision about which tactics to use for data protection depends on your data and your organization, so I can't give you much more advice on the matter. Just be aware that ARP poisoning and data sniffing are real problems that you need to guard against.

Until next time, have a great week.

Sincerely,
Mark Joseph Edwards, News Editor
mark@ntsecurity.net

2. ========== SECURITY RISKS ==========
(contributed by Mark Joseph Edwards, mark@ntsecurity.net)

* WINDOWS COMPUTER BROWSER DENIAL OF SERVICE
Under the Common Internet File System (CIFS) protocol, every domain on a Windows subnet has a Master Browser and can also have one or more backup browsers. A malicious user can deny service on network browsers by sending those systems a ResetBrowser command (called a frame) because you can't configure a browser to ignore ResetBrowser frames. Microsoft has issued a patch for the problem.
http://www.ntsecurity.net/go/load.asp?iD=/security/win2k-4.htm

* MASTER BROWSER DENIAL OF SERVICE
A user can send a large number of bogus HostAnnouncement frames (commands) to a Master Browser, where the subsequent replication traffic between the Master Browser and any backup browsers can consume a large amount of network bandwidth and cause other problems as well. Microsoft has issued a patch for the problem.
http://www.ntsecurity.net/go/load.asp?iD=/security/winnt4-5.htm

* WEBSHIELD SMTP BUFFER OVERFLOW CONDITION
By telnetting to a machine that runs the WebShield SMTP management agent, a person can access current server configuration information.
In addition, an unchecked buffer exists that can let code pass to the service for execution. If a user sends 208 bytes or more with one of the configuration parameters, the service crashes, overwriting the stack. NAI is aware of the problem; however, no fix is available yet. In the meantime, run the WebShield SMTP service under a restricted account or disable the service.
http://www.ntsecurity.net/go/load.asp?iD=/security/webshield1.htm

* BUFFER OVERFLOWS IN PDGSOFT SHOPPING CART
PDGSoft's shopping cart ships with two executables that contain unchecked buffers that let an intruder inject code for execution on the server. The two executables are redirect.exe and changepw.exe and are accessible via the Web. PDGSoft has issued patches for all versions of the shopping cart software.
http://www.ntsecurity.net/go/load.asp?iD=/security/pdgsoft1.htm

* MAILSITE BUFFER OVERFLOW
Rockcliffe Mailsite lets remote users access POP3 accounts to read email via the Web. The service, which listens on port 90, contains a buffer overflow condition that lets an attacker execute arbitrary code on the server. Rockcliffe has released a patch to correct the problem.
http://www.ntsecurity.net/go/load.asp?iD=/security/mailsite2.htm

3. ========== ANNOUNCEMENTS ==========

* DISCOVER WINDOWS 2000 MAGAZINE
Subscribe to the single best source of independent, hands-on, practical information for people who make their living deploying and maintaining Windows 2000 and Windows NT. Every issue contains extensive advice and tips so that you can do your job better today while you prepare for tomorrow's technology developments.
http://www.win2000mag.com/sub.cfm?=00inxupd

* MICROSOFT TECH-ED 2000 WEBCAST
The Microsoft Tech-Ed 2000 WebCast, June 5 through 8, is for developers and IT professionals who need the technical content being presented at Microsoft Tech-Ed 2000 but can't attend. You can view a total of 38 sessions for only $99. There will be a Q&A session with the WebCast audience after each of the 18 live sessions, including live Q&A with Bill Gates and Bob Muglia after their keynotes. Register today at http://msdn.microsoft.com/events/tewebcast/default.asp.

4. ========== SECURITY ROUNDUP ==========

* NEWS: BEWARE OF KILLER RESUMES
A new worm based on the Melissa strain is circulating the Internet. The worm spreads in files attached to email messages with the subject "Resume--Janet Simons." According to Symantec, the attachment is a Word 97 document that arrives with any of several file names, including explorer.doc, resume.doc, resume1.doc, and normal.doc. The file contains a destructive macro virus that deletes files on the system and spreads the worm via email.
http://www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=146&TB=news

* NEWS: MICROSOFT DELAYS OUTLOOK SECURITY UPDATE
Microsoft delayed the release of its Outlook 2000 and Outlook 98 Security Update so it can add new functionality that lets administrators better control the update's new features. Administrators can make different configurations available depending on a user's profile. For example, administrators can define which file types a user can receive, execute, or save to disk. In addition, customizable dialogs warn the user when access attempts are made against the address book. Microsoft has not stated when the update will be available, but speculators estimate that it will be available this week.
http://www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=145&TB=news

~~~~ SPONSOR: VERISIGN - THE INTERNET TRUST COMPANY ~~~~
Running a server farm? If you're managing multiple servers in your organization, securing all of them can quickly become complicated. But now, you can learn how to simplify security administration through a single point of management - with a valuable new guide from VeriSign. Request the FREE Guide "Securing Intranet and Extranet Servers" at:
http://www.verisign.com/cgi-bin/go.cgi?a=n016107860151000

5. ========== NEW AND IMPROVED ==========
(contributed by Judy Drennen, products@win2000mag.com)

* PC SECURITY
Ensure Technologies announced XyLoc Professional, a wireless PC security solution that recognizes users based on their proximity to the PC. The user wears a badge to communicate securely with proximity-detection hardware and software that resides on each PC. XyLoc unlocks the PC only after identifying the user. When the user walks away from the PC, XyLoc Professional secures the PC until that user returns or another authorized user approaches. XyLoc Professional runs on Windows 2000, Windows NT, and Windows 9x systems. For pricing, contact Ensure Technologies, 734-668-8800.
http://www.ensuretech.com/

* COLLABORATION TO DELIVER SUBSCRIPTION SERVICES TO HOTMAIL USERS
McAfee announced that it signed a 2-year agreement with Microsoft to provide Clinic Services to MSN Hotmail users. Under terms of the agreement, McAfee will provide virus-scanning software to automatically scan all email attachments for Hotmail's 58 million users. McAfee will also offer Hotmail users the existing features of McAfee Clinic Services, including online virus scanning, ActiveShield 24x7 antivirus protection, PC maintenance utilities, and other McAfee.com services as they become available. For more information, contact McAfee at 408-572-1500 or http://www.mcafee.com.

6. ========== SECURITY TOOLKIT ==========

BOOK HIGHLIGHT: VIRUS PROOF: THE ULTIMATE GUIDE TO PROTECTING YOUR SYSTEM
By Prima Development
Online Price: $27.95
Softcover; 288 pages
Published by Prima Publishing, April 2000
ISBN 0761527478

Like biological viruses, computer viruses can spread quickly and are often difficult to get rid of without causing damage. "Virus Proof: The Ultimate Guide to Protecting Your System" provides key steps you should take to protect your system from these destructive viruses. You'll learn what common viruses do, how they spread, and how to recover lost data.
To order this book, go to http://www.fatbrain.com/shop/info/0761527478?from=win2000mag or visit the Windows 2000 Magazine Network Bookstore at http://www1.fatbrain.com/store.cl?p=win2000mag&s=97772.

* TIP: MICROSOFT'S ONLINE SECURITY PAPERS
(contributed by mark@ntsecurity.net)
Many people still aren't familiar with Windows 2000-related security. To help get up to speed, Microsoft has made lots of information available online. For example, in one streaming media presentation, Microsoft's Darol Timberlake discusses various Win2K security enhancements, such as Kerberos, the new Encrypting File System (EFS), the IP Security (IPSec) protocol, group policies, and security templates. You can find Timberlake's presentation at the first URL listed below. In addition, Microsoft's Web site has dozens of papers that give users in-depth information and deployment procedures for Windows 2000 Security Services, including security management using the Microsoft Security Configuration Tool Set and support for IPSec, EFS, public key infrastructure (PKI), smart cards, and Kerberos. You can find this supplemental reading at the second URL listed below.
http://support.microsoft.com/servicedesks/webcasts/wc040600/WC040600.asp?fr=1
http://www.microsoft.com/windows2000/library/technologies/security/default.asp

* WINDOWS 2000 SECURITY: CREATING A CUSTOM PASSWORD-RESET MMC
In a previous column, Randy Franklin Smith explained how to give your Help desk staff the authority to handle forgotten passwords without giving them sweeping administrative privileges. But what if your company wants to delegate password-reset authority or a similar task to users other than the Help desk staff? By creating a custom Microsoft Management Console (MMC), you can provide designated users with a simplified, streamlined interface for quickly handling these password resets. In his latest column, Randy outlines how to create such a customized MMC.
http://www.ntsecurity.net/go/win2ksec.asp

7. ========== HOT THREADS ==========

* WINDOWS 2000 MAGAZINE ONLINE FORUMS
The following text is from a recent threaded discussion on the Windows 2000 Magazine online forums (http://www.win2000mag.com/support).

May 25, 2000, 09:02 A.M.
User Passwords
In our NT domain with a PDC and BDC, when Windows 98 workstations attempt to change their domain passwords, they get an error: "Unable to change the password for the following reason: Access has been denied." In User Manager, we have allowed users to change their passwords. We are on SP6a. Any thoughts?
Thread continues at http://www.win2000mag.com/support/Forums/Application/Index.cfm?CFApp=69&Message_ID=104735.

* WIN2KSECADVICE MAILING LIST
Each week we offer a quick recap of some of the highlights from the Win2KSecAdvice mailing list. The following thread is in the spotlight this week.

Windows DoS Code (jolt2.c)
Here is the proof-of-concept code for the Windows denial-of-service attack described by BindView's Razor Team, in reference to Microsoft bulletin MS00-029. This code will cause CPU utilization to go to 100 percent.
http://www.ntsecurity.net/go/w.asp?A2=IND0005d&L=WIN2KSECADVICE&P=1228

Follow this link to read all threads for May, Week 4:
http://www.ntsecurity.net/go/w.asp?A1=ind0005d&L=win2ksecadvice

* HOWTO MAILING LIST
Each week we offer a quick recap of some of the highlights from the HowTo for Security mailing list. The following threads are in the spotlight this week.

1. Using a Logon Script to Update Virus Signature Files
I am trying to use a logon script that will update our virus signature files on each computer. I downloaded the update from Norton and would like to run this update when a user logs on, but I do not want it to prompt the user at all. Does anyone know a switch that I can use to disable the prompts? Or am I going about this all wrong?
http://www.ntsecurity.net/go/l.asp?A2=IND0005d&L=HOWTO&P=3417

2. Windows NT 4.0 System Policy
We have policies in effect in our domain. I need to make another policy file only take effect for one PC. This policy includes group user and computer policies. Can I do this?
http://www.ntsecurity.net/go/l.asp?A2=IND0005d&L=HOWTO&P=6868

Follow this link to read all threads for May, Week 4:
http://www.ntsecurity.net/go/l.asp?A1=ind0005d&L=howto

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

WINDOWS 2000 MAGAZINE SECURITY UPDATE STAFF
News Editor - Mark Joseph Edwards (mje@win2000mag.com)
Ad Sales Manager (Western) - Jim Langone (jim@win2000mag.com)
Ad Sales Manager (Eastern) - Tanya T. TateWik (ttatewik@win2000mag.com)
Associate Publisher/Network - Martha Schwartz (mschwartz@win2000mag.com)
Editor - Gayle Rodcay (gayle@win2000mag.com)
New and Improved - Judy Drennen (products@win2000mag.com)
Copy Editor - Judy Drennen (jdrennen@win2000mag.com)

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

========== GET UPDATED! ==========
Receive the latest information about the Windows 2000 and Windows NT topics of your choice, including Win2K Pro, Exchange Server, thin-client, training and certification, SQL Server, IIS administration, XML, application service providers, and more. Subscribe to our other FREE email newsletters at http://www.win2000mag.com/sub.cfm?code=up00inxwnf.

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

Thank you for reading Security UPDATE.

SUBSCRIBE
To subscribe send a blank email to subscribe-Security_UPDATE@list.win2000mag.net.

UNSUBSCRIBE
To unsubscribe, send an email to U-A3.15.87030@list.win2000mag.net. Or click http://go.win2000mag.net:80/UM/U.ASP?A3.15.87030 and you will be removed from the list. Thank you!

If you have questions or problems with your UPDATE subscription, please contact securityupdate@win2000mag.com.
___________________________________________________________
Copyright 2000, Windows 2000 Magazine