**********************************************************
WINDOWS 2000 MAGAZINE SECURITY UPDATE 
**Watching the Watchers**
The weekly Windows 2000 and Windows NT security update newsletter 
brought to you by Windows 2000 Magazine and NTSecurity.net.
http://www.win2000mag.net/Email/Index.cfm?ID=5
**********************************************************

This week's issue sponsored by
Trend Micro -- Your Internet VirusWall
http://www.antivirus.com/2kUPDTRJUNE.htm

FREE Intrusion Detection WebCast
http://www.win2000mag.com/jump.cfm?ID=32 
(Below Security Roundup) 

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-
June 7, 2000 - In this issue:

1. IN FOCUS
     - And Then Came HavenCo

2. SECURITY RISKS
     - Protected Store Key Length
     - Internet Explorer-Compiled HTML Might Run Unauthorized Code
     - Media Encoder Denial of Service
     - SQL Server 7.0 SP1 and SP2 Expose Admin Password
     - Imate WebMail Denial of Service
     - Buffer Overrun in ITHouse Mail Server
     - Buffer Overrun in Sambar Server

3. ANNOUNCEMENTS
     - Win2000mag.net--It's Like Spitting in the Ocean...
     - Free Books Online

4. SECURITY ROUNDUP
     - News: Microsoft's New Security Server

5. NEW AND IMPROVED
     - Increased Security for Universities
     - Simplify Access to Private Data and Applications

6. HOT RELEASES (ADVERTISEMENTS)
     - New! Desktop Firewall for PCs with Windows NT/2000
     - VeriSign - The Internet Trust Company

7. SECURITY TOOLKIT
     - Book Highlight: Information Security: Protecting the Global 
Enterprise
     - Tip: Event Log Security ID Descriptions
     - Windows 2000 Security: Creating a Custom Password-Reset MMC
     - Writing Secure Code: Bind Basics

8. HOT THREADS 
     - Windows 2000 Magazine Online Forums
          IIS and NTFS Security--ASP Problem
     - Win2KSecAdvice Mailing List
          Released: LibnetNT by eEye Digital Security
     - HowTo Mailing List
          Event Viewer Query

~~~~ SPONSOR: TREND MICRO -- YOUR INTERNET VIRUSWALL ~~~~
Stop viruses like LOVELETTER, NEWLOVE, RESUME and other malicious 
content from jamming up your network. Trend Micro ScanMail for 
Microsoft Exchange provides enterprise-strength antivirus and content 
security. ScanMail implements uniform virus and content security policy 
across the enterprise. The optional eManager plug-in stops SPAM. 
ScanMail is fully compatible with Windows 2000 and can automatically 
scan either on-demand or at prescheduled intervals. Software, Scan 
engine and virus pattern updates distribute automatically to each 
networked Exchange Server. Keep viruses out of your Exchange servers 
with Trend Micro. 
http://www.antivirus.com/2kUPDTRJUNE.htm


1. ========== IN FOCUS ==========

Hello everyone,

Although fending off network-based intruders is a formidable task, you 
can achieve it. But how do you protect your data from physical system 
access? The obvious answer is by using adequate guards against physical 
premise access, which can be expensive. As a result, many companies co-
locate data or servers at offsite locations.
   For example, you might rent an entire cage or set of racks within a 
cage from a major ISP. The cage or racks come with high-speed 
bandwidth. Or you might simply rent a secure e-commerce site from a Web 
service provider and let the provider worry about premise-access 
concerns. The ultimate solution obviously depends on your needs. The 
more sensitive the data, the more sheltered the final solution needs to 
be. 
   Today, hundreds of companies around the world offer various secured 
co-location or data-hosting services. When it comes to security, there 
are all kinds of boasts and guarantees, but none can match the claim I 
heard about this week.
   Companies come and companies go, but then came HavenCo. Located on a 
tiny man-made island 7 miles off the coast of Great Britain, HavenCo 
has a most unique claim to security fame: It not only operates a secure 
network co-location center, it operates an entire sovereign country! 
Let me explain. 
   During World War II, Britain built several gun platforms off its 
coast to help fend off Nazi warplanes. One of the platforms, named 
Roughs Tower, was only 10 by 25 yards and was built on two cement 
caissons off the coast of Britain in what was then international 
waters. 
   After the war, Britain dismantled all the platforms except Roughs 
Tower, which sat abandoned until 1967 when former English major Paddy 
Roy Bates and his family took up residence on the man-made island. 
Bates proclaimed the island his own state and bestowed upon himself the 
title of Prince--his wife took the title of Princess--to reign over 
their newly formed Principality of Sealand. 
   After several legal encounters over the island, the English court 
eventually ruled it had no jurisdiction over Sealand, and Sealand 
became formally recognized as its own country. Today, the Bates family 
has moved off the island and turned over operation of the property and 
the Sealand government to the newly formed HavenCo business. 
   In a nutshell, HavenCo offers Sealand as a country in which to 
operate a business. You can buy a server, bandwidth, and complete 
security solution direct from HavenCo and have that business totally 
based in Sealand, which provides protection from overly strict data 
traffic laws, foreign subpoenas, and other outside interference.
   According to HavenCo, Sealand has no laws governing data traffic, 
and the terms of HavenCo's agreement with Sealand provide that no data 
traffic laws will ever be enacted. You might think HavenCo will soon 
become a haven for less-than-favorable network users, such as system 
crackers, porn peddlers, and spammers, but perhaps that won’t happen. 
The HavenCo acceptable use policy clearly states that it prohibits "the 
distribution of child pornography from its servers, and prohibits use 
of the network to send bulk unsolicited communications or launch 
digital attacks against other computers or networks." Only time will 
tell how well HavenCo enforces its guidelines. After all, Sealand has 
few laws, and probably none would force HavenCo to take any specific 
action other than to terminate a company's service.
   I'm not sure what to think about HavenCo. The company professes to 
offer a pretty darn secure solution package, but I think it's too soon 
to form a solid opinion. Sealand, a country with almost no laws, lets 
anyone run a business. Even more interesting is Sealand's claim about 
protection from foreign subpoena. According to HavenCo, you can set up 
an email system or other service type on its network, and keep it safe 
from search and seizure. Microsoft could have used that service to help 
fend off the US Department of Justice (DOJ).
   With its professed strong physical and network security and fat 
bandwidth, HavenCo offers an intriguing solution. It will be 
interesting to see who winds up using the services. But it will be even 
more interesting to see how world governments react to Sealand's new 
data haven. That reaction will depend on how HavenCo's customers use 
its multifaceted protected services. 
   Be sure to stop by the HavenCo Web site (http://www.havenco.com/) 
and read about its service offerings as well as the history of Sealand. 
I'm sure you'll find it as interesting as I did. Until next time, have 
a great week.

Sincerely,
Mark Joseph Edwards, News Editor
mark@ntsecurity.net

2. ========== SECURITY RISKS =========
(contributed by Mark Joseph Edwards, mark@ntsecurity.net)

* PROTECTED STORE KEY LENGTH
By design, the Protected Store in Windows 2000 should always encrypt 
information using the strongest cryptography available on the system. 
However, the Win2K implementation uses a 40-bit key to encrypt the 
Protected Store even if stronger cryptography is installed on the 
system. The 40-bit key encryption weakens the protection on the 
Protected Store, which lets an intruder more easily crack the key to 
gain access to the Protected Store.
   http://www.ntsecurity.net/go/load.asp?iD=/security/win2k4-5.htm

* INTERNET EXPLORER-COMPILED HTML MIGHT RUN UNAUTHORIZED CODE
According to a Microsoft security bulletin, if a malicious Web site 
references an Internet Explorer (IE)-compiled HTML Help file (which has 
a .chm extension), the site can potentially launch code on a visiting 
user's computer without the user's approval. Such code can take any 
actions that the user can take, including adding, changing, or deleting 
data or communicating with a remote Web site.
    http://www.ntsecurity.net/go/load.asp?iD=/security/ie517.htm

* MEDIA ENCODER DENIAL OF SERVICE
Microsoft's Media Encoder contains a bug whereby an intruder can send a 
particular malformed request to an affected encoder, causing it to deny 
formatted content to the Windows Media Server. The vulnerability 
primarily affects real-time streaming media providers. Microsoft made a 
patch available but then removed the patch for reasons unknown at the 
time of this writing.
   http://www.ntsecurity.net/go/load.asp?iD=/security/media4-2.htm

* SQL SERVER 7.0 SP1 AND SP2 EXPOSE ADMIN PASSWORD
According to Microsoft, when SQL Server 7.0 Service Pack 1 (SP1) or SP2 
is installed on a machine configured to perform authentication using 
Mixed Mode, the password for the SQL Server standard security System 
Administrator account is recorded in plain text in the file 
\%TEMP%\sqlsp.log. The file's default permissions let any user that can 
log on interactively to the server read the file. Microsoft has updated 
SP2 to help guard against the risk.
   http://www.ntsecurity.net/go/load.asp?iD=/security/sql7-5.htm

* IMATE WEBMAIL DENIAL OF SERVICE
A malicious user can crash Imate's SMTP mail service by sending a 
string of 1119 characters as a parameter to the HELO command. The 
vendor, Concatus, is aware of the problem and has made a patch 
available through its support department. 
   http://www.ntsecurity.net/go/load.asp?iD=/security/imate25-1.htm

* BUFFER OVERRUN IN ITHOUSE MAIL SERVER
A malicious user can crash ITHouse's SMTP mail service by sending a 
string of 2270 characters as a parameter to the RCPT TO command. During 
the crash, characters beyond 2270 overwrite the EIP register, making it 
possible to run arbitrary code on the remote system.
   http://www.ntsecurity.net/go/load.asp?iD=/security/ithouse1.htm

* BUFFER OVERRUN IN SAMBAR SERVER
A user can crash the Sambar Server by using the default finger and 
whois scripts provided with the Sambar Server software. By sending a 
long string of 32,290 characters to either of the scripts, a malicious 
user can overflow an unchecked buffer in the sambar.dll file and cause 
arbitrary code to run on the machine.
   http://www.ntsecurity.net/go/load.asp?iD=/security/sambar1.htm

3. ========== ANNOUNCEMENTS ==========

* WIN2000MAG.NET--IT'S LIKE SPITTING IN THE OCEAN...
You can't miss with our new portal for IT professionals. Access 
technical remedies, certification advice, vendor solutions, and 
professional development tools, or post a question in our technical 
forums. Surely one of our 500,000 monthly Web visitors has solved the 
same problem you face now. Raise Your IT IQ at 
http://www.win2000mag.net/.

* FREE BOOKS ONLINE
Now online--a technical reference library specifically for Windows IT 
professionals. Windows IT Library, a member of the Windows 2000 
Magazine Network, provides the information you need when you need it. 
For your source of free books and other technical content, visit 
http://WindowsITLibrary.com/.

4. ========== SECURITY ROUNDUP ==========

* NEWS: MICROSOFT'S NEW SECURITY SERVER
On June 6, Microsoft released Beta 3 of its new Internet Security and 
Acceleration (ISA) Server 2000. Designed for Windows 2000 Server 
platforms, ISA Server is an application-level firewall with data-aware 
filtering capabilities, IP packet filtering functionality, and Active 
Directory (AD) support. Administrators can use ISA Server to control 
access by user and group, application, content type, and schedule. 
   http://www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=147&TB=news

~~~~ SPONSOR: FREE INTRUSION DETECTION WEBCAST ~~~~
AXENT(R)'s "Everything You Need to Know About Intrusion Detection" 
WebCast teaches you how to protect yourself against intruders with 
AXENT’s Prowler Series (NetProwler(tm) and Intruder Alert(tm)) by 
transparently monitoring traffic in real-time and instantly reacting to 
attempted attacks. Space is limited - register today at 
http://www.win2000mag.com/jump.cfm?ID=32 to reserve your spot.
AXENT is the leading provider of e-security solutions for your 
business, delivering integrated products and expert services to 45 of 
the Fortune 50 companies.

5. ========== NEW AND IMPROVED ==========
(contributed by Judy Drennen, products@win2000mag.com)

* INCREASED SECURITY FOR UNIVERSITIES
WebTrends announced the Secure University Program, offering a free 
version of WebTrends Security Analyzer Professional Edition and a 
discount on Security Analyzer Enterprise Edition to any qualified 
university. With the Secure University Program, WebTrends wants to 
bring increased security to universities and raise security awareness, 
given the recent Distributed Denial of Service (DDoS) attacks in some 
of the world's largest education systems. For more information, go to 
http://www.webtrends.com/secureuniversityprogram.htm.

* SIMPLIFY ACCESS TO PRIVATE DATA AND APPLICATIONS
Jela Company released OnlyYou 1.1, software that lets Windows NT and 
Windows 9x users protect their IDs and passwords. Press the OnlyYou hot 
key and identify yourself to extract your password from 128-bit 
encrypted storage. OnlyYou 1.1 costs $23.50 for a single-user license. 
Network and volume licenses are available. For more information, 
contact Jela Company at 800-275-0097 or go to the Web site. 
   http://www.jelaco.com/

6. ========== HOT RELEASES (ADVERTISEMENTS) ==========

* NEW! DESKTOP FIREWALL FOR PCS WITH WINDOWS NT/2000
CyberwallPLUS-WS is a desktop firewall for PCs running Windows NT 4.0 
or Windows 2000. It protects against network attacks with an ICSA-
certified packet filter that provides access controls, intrusion 
detection and traffic logs.
Free Evaluation: http://www.network-1.com/WSeval/index.htm

* VERISIGN - THE INTERNET TRUST COMPANY 
Protect your servers with 128-bit SSL encryption! Get VeriSign's FREE 
guide, "Securing Your Web Site for Business." You will learn everything 
you need to know about using SSL to encrypt your e-commerce 
transactions for serious online security. Click here!
http://www.verisign.com/cgi-bin/go.cgi?a=n016007870003000

7. ========== SECURITY TOOLKIT ==========

* BOOK HIGHLIGHT: INFORMATION SECURITY: PROTECTING THE GLOBAL 
ENTERPRISE
By Donald Pipkin
Online Price: $39.99
Softcover; 300 pages
Published by Prentice Hall, May 2000
ISBN  0130173231

IT security expert Donald Pipkin addresses every aspect of information 
security: the business issues, the technical-process issues, and the 
legal issues, including the personal liabilities of corporate officers 
in protecting information assets.
To order this book, go to
http://www.fatbrain.com/shop/info/0130173231?from=win2000mag
or visit the Windows 2000 Magazine Network Bookstore at
http://www1.fatbrain.com/store.cl?p=win2000mag&s=97772.

* TIP: EVENT LOG SECURITY ID DESCRIPTIONS
(contributed by Mark Joseph Edwards, http://www.ntsecurity.net/)

You use event logs to audit security events on your systems, but do you 
always know what a given event ID code represents? It's hard to 
remember details about each event ID because Microsoft lists more than 
50 different security event ID codes. Microsoft article Q174074 lists 
dozens of event ID codes along with detailed examples of what those 
event log entries will look like. You might want to bookmark or print 
the page for future reference. 
   http://www.microsoft.com/technet/support/kb.asp?ID=174074

* WRITING SECURE CODE: BIND BASICS
In his latest Web exclusive column, David LeBlanc points out that to 
understand how to bind a TCP socket to a port, you need to look at the 
arguments for the bind() function. One of these arguments (the second) 
is a pointer to a sockaddr structure. For IP applications, that pointer 
is typically a sockaddr_in structure that contains the numeric IP 
address and port that you want to bind to locally. If you can't easily 
identify what interfaces are available, you can simply bind to all 
available local interfaces by specifying INADDR_ANY as the address.
One security risk that you need to be aware of is that users can bind 
two sockets to the same port using a socket option known as 
SO_REUSEADDR. In other words, two different applications can answer 
connections on the same port. Be sure to read the rest of David's 
column on our Web site. 
   http://www.ntsecurity.net/go/seccode.asp
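
The bind() arguments and the SO_REUSEADDR risk described above, as an added example that is not from David LeBlanc's column or from the newsletter: a listener that binds without SO_REUSEADDR, plus a self-check that plays the second application and confirms the port cannot be shared. It uses POSIX sockets, and the function names (fill_addr, bind_exclusive_listener, second_bind_succeeds, listener_port_is_shareable) are assumptions made for this example.

```c
/* Added example, not code from the column. POSIX sockets; on Windows the same
 * bind()/setsockopt() calls follow WSAStartup(). */
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Helper (name assumed): fill a sockaddr_in from host-byte-order values. */
static void fill_addr(struct sockaddr_in *sa, unsigned long ip, unsigned short port)
{
    memset(sa, 0, sizeof *sa);
    sa->sin_family = AF_INET;
    sa->sin_addr.s_addr = htonl(ip);
    sa->sin_port = htons(port);
}

/* Listener that does NOT set SO_REUSEADDR. Pass a specific interface address
 * (e.g. INADDR_LOOPBACK) rather than INADDR_ANY to limit exposure. Port 0
 * asks the kernel for a free port, returned through *port_out. On Winsock,
 * SO_EXCLUSIVEADDRUSE (not mentioned in the newsletter) is the option that
 * refuses a second bind. Returns the listening socket, or -1 on error. */
int bind_exclusive_listener(unsigned long ip, unsigned short *port_out)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    int s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0) return -1;
    fill_addr(&sa, ip, 0);
    if (bind(s, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(s, 4) < 0 ||
        getsockname(s, (struct sockaddr *)&sa, &len) < 0) {
        close(s);
        return -1;
    }
    *port_out = ntohs(sa.sin_port);
    return s;
}

/* Plays the second application: sets SO_REUSEADDR and tries to bind the same
 * address and port. Returns 1 if the bind was accepted (port can be shared),
 * 0 if the stack refused it, -1 if the probe socket could not be set up. */
int second_bind_succeeds(unsigned long ip, unsigned short port)
{
    struct sockaddr_in sa;
    int on = 1, ok;
    int s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0) return -1;
    fill_addr(&sa, ip, port);
    ok = setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &on, sizeof on) < 0
             ? -1 : (bind(s, (struct sockaddr *)&sa, sizeof sa) == 0);
    close(s);
    return ok;
}

/* Startup self-test: 0 means the listener holds its port exclusively. */
int listener_port_is_shareable(unsigned long ip)
{
    unsigned short port = 0;
    int s = bind_exclusive_listener(ip, &port), shared;
    if (s < 0) return -1;
    shared = second_bind_succeeds(ip, port);
    close(s);
    return shared;
}

int main(void) { return listener_port_is_shareable(INADDR_LOOPBACK) == 0 ? 0 : 1; }
```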

8. ========== HOT THREADS ==========

* WINDOWS 2000 MAGAZINE ONLINE FORUMS

The following text is from a recent threaded discussion on the Windows 
2000 Magazine online forums (http://www.win2000mag.net/forums/). 

IIS and NTFS Security--ASP Problem 
Scenario: IIS 4 with SP6a. I attempted to apply RX security to the OS 
file system. While HTML still served up, no ASP pages would work. After 
extensive search on Microsoft's site, I came up empty-handed, and had 
to allow the Change perms on NTFS. I ensured that the anonymous user 
had NTFS read and execute permissions to the entire file system. Any 
suggestions? 

Thread continues at
http://www.win2000mag.net/Forums/Application/Thread.cfm?CFApp=64&Thread_ID=38701&mc=2.

* WIN2KSECADVICE MAILING LIST
Each week we offer a quick recap of some of the highlights from the
Win2KSecAdvice mailing list. The following thread is in the spotlight
this week.

Released: LibnetNT by eEye Digital Security
Libnet for UNIX is used in many of today's popular security programs 
because of how easy it is to implement low-level packet functionality 
into a program. Now that same ease-of-use development API is available 
for Windows NT platforms.
http://www.ntsecurity.net/go/w.asp?A2=IND0006A&L=WIN2KSECADVICE&P=89

Follow this link to read all threads for June, Week 1:
   http://www.ntsecurity.net/go/w.asp?A1=ind0006a&L=win2ksecadvice

* HOWTO MAILING LIST
Each week we offer a quick recap of some of the highlights from the
HowTo for Security mailing list. The following thread is in the
spotlight this week.

Event Viewer Query
This is going to seem like a strange question, but it has me a bit 
baffled. If you have a standalone server with full auditing enabled on 
it, how does the Event ID 528 (as seen in the Event Viewer) apply? 
Because the standalone server is not capable of authentication, then 
this should mean that someone physically went to the standalone server 
and logged on, and if done locally, then it should be indicated under 
Domain, which it isn't. However, it does list "MachineTwo" as the 
workstation name where the logon was successful. What remote logon will 
trigger this Event ID?
http://www.ntsecurity.net/go/L.asp?A2=IND0006a&L=HOWTO&P=159

Follow this link to read all threads for June, Week 1:
   http://www.ntsecurity.net/go/l.asp?A1=ind0006a&L=howto

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

WINDOWS 2000 MAGAZINE SECURITY UPDATE STAFF
News Editor - Mark Joseph Edwards (mje@win2000mag.com)
Ad Sales Manager (Western) - Jim Langone (jim@win2000mag.com)
Ad Sales Manager (Eastern) - Tanya T. TateWik (ttatewik@win2000mag.com)
Associate Publisher/Network - Martha Schwartz (mschwartz@win2000mag.com)
Editor - Gayle Rodcay (gayle@win2000mag.com)
New and Improved - Judy Drennen (products@win2000mag.com)
Copy Editor - Judy Drennen (jdrennen@win2000mag.com)

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-


Thank you for reading Security UPDATE.

___________________________________________________________
Copyright 2000, Windows 2000 Magazine