**********************************************************
WINDOWS 2000 MAGAZINE SECURITY UPDATE 
**Watching the Watchers**
The weekly Windows 2000 and Windows NT security update newsletter 
brought to you by Windows 2000 Magazine and NTSecurity.net
http://www.win2000mag.net/Email/Index.cfm?ID=5
**********************************************************

This week's issue sponsored by
Dorian Software Creations - Event Archiver 3.2
http://www.doriansoft.com

Sunbelt Software - STAT: NT/2000 Vulnerability Scanner
http://www.sunbelt-software.com/product.cfm?id=899
(Below SECURITY ROUNDUP) 

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-
June 14, 2000 - In this issue:

1. IN FOCUS
     - The Need for Layered Physical Security

2. SECURITY RISKS
     - Registry Request Denial of Service
     - Spoofing McAfee VirusScan Alerts
     - Unify eWave ServletExec Exposes Source Code
     - Path Exposure and Buffer Overrun in Ceilidh
     - Firewall-1 Denial of Service
     - Buffer Overflow Condition in EServ
     - Circumventing IE Cross-Frame Security
     - Win2K/NT Denial of Service via Invalid SMB Field
     - IE Mishandles SSL Certificates
     - NT Subject to User Session Key Reuse
     - Win2K and NT SMB-based Denial of Service

3. ANNOUNCEMENTS
     - Conference and Expo on Windows 2000/NT 4.0 Security and Control
     - Win2000mag.net--A Mile Deep

4. SECURITY ROUNDUP
     - Microsoft Releases Outlook Security Update

5. NEW AND IMPROVED
     - Management Tool Streamlines Network Security
     - Desktop Antivirus Certified for Win2K

6. SECURITY TOOLKIT
     - Book Highlight: Securing Intranets
     - Tip: How to Recover a Lost Administrator Password
     - Windows 2000 Security: Checking Your Current Configuration in 
Group Policy

7. HOT THREADS 
     - Windows 2000 Magazine Online Forums
         Security Configuration Manager 
     - Win2KSecAdvice Mailing List
         Reporting Security Issues to Microsoft
     - HowTo Mailing List
         Trojan-like Activity with ICMP

~~~~ SPONSOR: DORIAN SOFTWARE CREATIONS--EVENT ARCHIVER 3.2 ~~~~
Boost your network security and system reliability by automating and 
centralizing the collection of your Windows NT/2000 event logs. Running 
as a 24/7 service on a single server, Event Archiver Enterprise can 
collect all of the event logs in your domain(s) remotely without the 
use of clients! 
   A friendly GUI management console, flexible scheduling, and many 
data storage options (EVT, TXT, Access, and ODBC) makes Dorian Software 
Creations' Event Archiver a necessary application in any security 
administrator's tool suite. Download your FREE 30-day evaluation from 
http://www.doriansoft.com/.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Want to sponsor Windows 2000 Magazine Security UPDATE? Contact Jim 
Langone (Western Advertising Sales Manager) at 800-593-8268 or 
jim@win2000mag.com, OR Tanya T. TateWik (Eastern and International 
Advertising Sales Manager) at 877-217-1823 or ttatewik@win2000mag.com.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. ========== IN FOCUS ==========

Hello everyone,

Over the past few months, I've read at least four news reports about 
various world government agencies that have either lost computer 
hardware and data or inappropriately provided access to sensitive data. 
In April, a laptop with classified code-word information was reported 
missing from an allegedly secure conference room at the US State 
Department. The laptop had been missing since February. According to 
reports, the theft resulted not from poor security procedures but from 
department employees' failure to follow existing procedures. The State 
Department said 15 additional laptops with unclassified information are 
missing too. 
   In late May, Australia reported a similar incident in which five of 
its Parliament laptops were stolen from private, allegedly secure areas 
of Parliament House. Then, we learned that former CIA Director John 
Deutch took classified information home without permission and left it 
accessible in his house.
   This week, we're hearing reports that hard disks are missing from 
Los Alamos Laboratory vaults-–drives that contain US and Russian 
nuclear secrets. Some military experts say our national arsenal has 
subsequently been completely compromised.
   At first, I didn't want to believe these events actually happened. 
After all, they took place in highly secured facilities. But the events 
are real indeed, and they're probably just the tip of the iceberg when 
it comes to less-than-acceptable physical security in government 
facilities. 
   Risk management is only as effective as its weakest link. After all, 
what good are high-tech biometric security systems, VPNs, data 
encryption techniques, and other forms of defense if physical access 
management is inadequate? What about your facilities? Are they as 
secure as you'd like them to be?
   As with layered network defenses, you must protect physical premise 
access with a layered strategy. Just as you might divide up pieces of a 
master password among several people so no one person has the entire 
password, you might also consider dividing up authority and 
accountability with regard to physical security. Involving several 
people in a procedure helps build accountability along the way. 
Intruders are less likely to attempt mischievous endeavors when several 
checks and balances are involved in the process of entering and leaving 
a premise. Until next time, have a great week.

Sincerely,
Mark Joseph Edwards, News Editor
mark@ntsecurity.net

2. ========== SECURITY RISKS =========
(contributed by Mark Joseph Edwards, mark@ntsecurity.net)

* REGISTRY REQUEST DENIAL OF SERVICE
Before a remote machine's request to access the Registry is processed, 
it must be authenticated by the Remote Registry server, which is 
contained within the winlogon.exe process. If the request is malformed 
in a specific fashion, the Remote Registry server can misinterpret it 
and crash the entire system.
   http://www.ntsecurity.net/go/load.asp?iD=/security/nt4-10.htm

* SPOOFING MCAFEE VIRUSSCAN ALERTS
By default, McAfee VirusScan uses a shared network directory for 
storing inbound alerts. The directory lets all VirusScan users read, 
write, and delete files in the shared directory. Because of loose 
directory permissions and alert files that are formatted in plain text, 
malicious users can delete valid virus alerts and spoof bogus alerts.
   http://www.ntsecurity.net/go/load.asp?iD=/security/mcafee2.htm

* UNIFY EWAVE SERVLETEXEC EXPOSES SOURCE CODE
The Unify eWave ServletExec software exposes source code for its files 
if a user appends ".jsp" to the end of a generated URL. The vendor is 
aware of this problem but has not yet responded.
   http://www.ntsecurity.net/go/load.asp?iD=/security/servlet1.htm

* PATH EXPOSURE AND BUFFER OVERRUN IN CEILIDH
By using a specially crafted POST statement, an intruder can spawn 
multiple copies of the ceilidh.exe program where each process takes 
approximately 1 percent of available CPU cycles and approximately 700KB 
of memory. Because memory resources are not freed properly, the 
intruder can deny service to a Web system hosting the software. The 
vendor is aware of this problem but has not yet responded.
   http://www.ntsecurity.net/go/load.asp?iD=/security/ceilidh1.htm

* FIREWALL-1 DENIAL OF SERVICE
A Denial of Service (DoS) condition caused by fragmented IP packets 
exists in version 4.0 of CheckPoint's FireWall-1. According to 
Checkpoint, if a person uses the jolt2 program to send a stream of 
extremely large IP fragments to a FireWall-1 gateway, the action might 
cause the write mechanism to consume all CPU resources on the firewall 
system. Checkpoint is working on a fix and has provided a workaround 
for use in the meantime.
   http://www.ntsecurity.net/go/load.asp?iD=/security/fw1-2.htm

* BUFFER OVERFLOW CONDITION IN ESERV
A malicious user can crash the Eserv Web Server by sending it long 
queries. Because of an unchecked buffer condition, the user can run 
arbitrary code on the server.
   http://www.ntsecurity.net/go/load.asp?iD=/security/eserv1.htm

* CIRCUMVENTING IE CROSS-FRAME SECURITY
Georgi Guninski discovered that by using Javascript to access the 
document object model (DOM) of HTML documents, an intruder can 
circumvent Microsoft Internet Explorer's (IE's) cross-frame security 
policy. The problem allows reading local files, reading files from 
other hosts, window spoofing, and cookies exposure. The problem is that 
when the NavigateComplete2 event is initiated, it passes an argument of 
WebBrowser control. The WebBrowser control has an accessible property 
document that allows access to the DOM of the target document.
   http://www.ntsecurity.net/go/load.asp?iD=/security/ie521.htm

* WIN2K/NT DENIAL OF SERVICE VIA INVALID SMB FIELD
Sending Server Message Block (SMB) requests to a Windows 2000 or 
Windows NT system without acknowledging those requests causes Denial of 
Service (DoS) conditions against the system. Microsoft is aware of this 
matter but has not yet responded.
   http://www.ntsecurity.net/go/load.asp?iD=/security/win2k-6.htm

* IE MISHANDLES SSL CERTIFICATES
According to a Microsoft bulletin, two vulnerabilities exist in the way 
Internet Explorer (IE) handles digital certificates. When a user 
connects to a secure server via either an image or a frame, IE verifies 
only that the server’s Secure Sockets Layer (SSL) certificate was 
issued by a trusted root; it does not verify the server name or the 
expiration date. When a connection is made via any other means, all 
expected validation is performed. The second issue is that even when 
the initial validation is made correctly, IE does not revalidate the 
certificate if a new SSL session is established with the same server 
during the same IE session.
   http://www.ntsecurity.net/go/load.asp?iD=/security/ie5-20.htm

* NT SUBJECT TO USER SESSION KEY REUSE
When an administrator uses usrmgr.exe or srvmgr.exe to remotely add 
users or workstations to a domain or changes a user's password, the 
tool sends an encrypted 516-byte password block over the network. An 
intruder can intercept the data block and take it apart to reveal a 
User Session Key, which the intruder can use to decrypt further 
communication intercepted between the administrator and the domain 
controllers. For example, if an administrator changes a user's password 
remotely, the intruder can decrypt that password to reveal the clear 
text version using the captured User Session Key. Microsoft is aware of 
this matter but has not yet responded. 
http://www.ntsecurity.net/go/load.asp?iD=/security/nt4-9.htm

* WIN2K AND SMB-BASED DENIAL OF SERVICE
If a distributed computing environment (DCE)/remote procedure call 
(RPC) request is encapsulated inside a Server Message Block (SMB) 
request along with an invalid data length field, the system crashes, 
and a reboot is necessary to restore functionality. Microsoft is aware 
of the problem but has not yet responded.
   http://www.ntsecurity.net/go/load.asp?iD=/security/win2k-7.htm

3. ========== ANNOUNCEMENTS ==========

* CONFERENCE AND EXPO ON WINDOWS 2000/NT 4.0 SECURITY AND CONTROL
The Conference and Expo on Windows 2000/NT 4.0 Security and Control 
comes to Boston, July 11 through 13, 2000, with optional workshops on 
July 10 and July 13. Produced by MIS Training Institute and cosponsored 
by Windows 2000 Magazine, this conference is the place to gain the 
technical skills you need to implement and exploit Microsoft's 
newest OS. For more details or to register, call 508-879-7999, ext. 
346, or go to
http://www.misti.com/conference_show.asp?id=NT00US.

WIN2000MAG.NET--A MILE DEEP
* Introducing the Windows 2000 Magazine Network, a portal site with a 
distinct advantage--deep content. Scour more than 10,000 articles from 
two magazines, three newsletters, and a dozen Web sites. Search easily 
for impartial, straightforward solutions so that you can find the 
answer you need, and get on with things. Raise Your IT IQ at 
http://www.win2000mag.net.

4. ========== SECURITY ROUNDUP ==========

* MICROSOFT RELEASES OUTLOOK SECURITY UPDATE
Microsoft has released the anticipated Outlook Security Update,
which was prompted in part by the rapid spread of the VBS/Loveletter 
virus. The update works for Outlook 2000 and Outlook 98 with Office 
Service Release 1 (SR1) to prevent certain file types from taking 
action within the mail client without the user's direct intervention.
   According to Steven Sinofsky, senior vice president of Microsoft 
Office, the update provides four key benefits to Outlook users. It 
prevents users from accessing potentially unsafe email attachments; it 
intercepts programmatic attempts to access an Outlook Address Book; it 
warns with a dialog box if a program tries to send email; and it 
changes security zone settings from the Internet Zone to Restricted 
Zone.
   Before you apply the update, be sure to read Microsoft articles 
Q262634 and Q262631 to learn more details, including the current known 
limitations. You can download the update from Microsoft's Office Update 
Web site.
   http://www.officeupdate.com
   http://support.microsoft.com/support/kb/articles/Q262/6/34.asp
   http://support.microsoft.com/support/kb/articles/Q262/6/31.ASP

~~~~ SPONSOR: SUNBELT SOFTWARE--STAT: NT/2000 VULNERABILITY SCANNER ~~~~
Ever had that feeling of ACUTE PANIC that a hacker has invaded your 
network? Plug NT/2000's over 850 holes before they plug you. You _have_ 
to protect your LAN _before_ it gets attacked. STAT comes with a 
responsive web-update service and a dedicated Pro SWAT team that helps 
you to hunt down and kill Security holes. Built by anti-hackers for DOD 
sites. Download a demo copy before you become a statistic.
http://www.sunbelt-software.com/product.cfm?id=899

5. ========== NEW AND IMPROVED ==========
(contributed by Judy Drennen, products@win2000mag.com)

* MANAGEMENT TOOL STREAMLINES NETWORK SECURITY
Labcal Technologies announced NetPulse, a security management tool for 
Windows NT. NetPulse enables remote auditing, reporting, setting, and 
correction of security features from one software installation. A 
NetPulse trial version is available from Labcal's Web site. For more 
information, contact Labcal, 877-752-2225.
   http://www.labcal.com 
 
* DESKTOP ANTIVIRUS CERTIFIED FOR WIN2K
Trend Micro released PC-cillin 2000, PC virus-protection software 
certified by VeriTest for Windows 2000. It also runs on Windows NT and 
Win 9x. PC-cillin 2000 includes real-time email virus scanning, manual-
scan capabilities for personal folders, and incremental virus pattern 
updates. PC-cillin 2000 is available for download for $29.95 or on CD-
ROM for $39.95. For additional information, contact Trend Micro, 800-
228-5651.
   http://www.pc-cillin.com

6. ========== SECURITY TOOLKIT ==========

* BOOK HIGHLIGHT: SECURING INTRANETS
By NIIT
Online Price: $99.00
CD-ROM
Published by NIIT, January 2000
ISBN IT10216040

"Securing Intranets" is a CD-ROM-based training course for system 
administrators and network administrators who want to protect their 
networks from various threats posed by connecting to the Internet. 
After completing this course, you'll be able to list the encryption 
techniques and the methods to secure email communication, describe the 
working of pretty good privacy (PGP) and RSA, and describe how 
firewalls work on different OSs.
To order the CD-ROM, go to
http://www.fatbrain.com/shop/info/IT10216040?from=win2000mag
or visit the Windows 2000 Magazine Network Bookstore at
http://www1.fatbrain.com/store.cl?p=win2000mag&s=97772&from=win2000mag.

* TIP: HOW TO RECOVER A LOST ADMINISTRATOR PASSWORD
(contributed by Mark Joseph Edwards, mark@ntsecurity.net)

At some point, most of you will need to retrieve a lost Administrator 
account password. As I tell those who email me for help in this 
situation, you have two basic choices: You must either brute-force 
crack it or reset it to something known. Resetting the password will 
take much less time than brute-force cracking, so it's a more cost-
effective way to handle the situation.
   If you do want to brute-force crack the password to see what it was 
set to, you need to use a tool such as L0phtcrack, and you must obtain 
a copy of the system's SAM database using NTFSDOS or a Linux boot disk 
with NTFS drivers on it. Either of those tools let you boot a system 
from a disk and read the installed NTFS partitions. You can find 
NTFSDOS at Winternals (http://www.winternals.com), and Linux boot disks 
are available at various sites, such as Ken Pfiel's NT Toolbox Web site 
(http://www.nttoolbox.com).
   But if you have access to the SAM database, why not just reset the 
Administrator password to something known and be done with it? In that 
scenario, you can use NT Locksmith, also available at the Winternals 
Web site. If you must have a cost-free way of password recovery, use a 
Linux boot disk that comes with a tool that can perform that action.
   The Linux boot available for free download at The NT Toolbox site 
can reset a Windows NT system's Administrator password. Of course, you 
get what you pay for, so don't expect a ton of documentation and an 
experienced professional waiting for you to call for help. But using 
the boot disk to reset a password is much easier and quicker than 
reinstalling NT, so it's worth any problems you encounter.
   I think every security administrator should have a copy of a Linux 
boot disk such as the one at NT Toolbox. After you download the zip 
file, unzip it and run the included executable file to create the 
actual boot disk. While you're at The NT Toolbox be sure to check out 
the other great security-related tools available for download.
   http://www.nttoolbox.com/public/tools/LinNT.zip
   http://www.nttoolbox.com

* WINDOWS 2000 SECURITY: CHECKING YOUR CURRENT CONFIGURATION IN GROUP 
POLICY
Although you might have a good idea of what a system's security 
configuration should be from your knowledge of the Group Policy Objects 
relevant to that system, wouldn't you like to see your system's actual 
configuration? In this installment of Randy Franklin Smith's biweekly 
column, he explains step-by-step how you can achieve that goal. Be sure 
to stop by our Web site and read the entire article.
   http://www.ntsecurity.net/go/win2ksec.asp

7. ========== HOT THREADS ==========

* WINDOWS 2000 MAGAZINE ONLINE FORUMS
The following text is from a recent threaded discussion on the Windows 
2000 Magazine online forums (http://www.win2000mag.net/forums). 

June 08, 2000 03:26 PM 
Security Configuration Manager 
I have been looking at the MMC plugin Security Configuration Manager, 
and like what I see: a simple interface for creating a security 
baseline; however, it only operates if you are working locally on the 
server. Ideally, I would like to run the application on my admin 
workstation and remotely analyze and configure the servers. 
Question: Does anyone know how to get around this limitation? 
Thread continues at
http://www.win2000mag.net/Forums/Application/Thread.cfm?CFApp=64&Thread_ID=38900&mc=3.

* WIN2KSECADVICE MAILING LIST
Each week we offer a quick recap of some of the highlights from the
Win2KSecAdvice mailing list. The following thread is in the spotlight
this week.

Reporting Security Issues to Microsoft
There's been a recent increase in the number of postings whose theme is 
"I reported this to Microsoft but never heard anything back." In each 
case, we've checked our records but, in most cases, found no record of 
the issue having been sent to the Security Response Center. We answer 
every email and track every report we receive, so we believe that the 
reports in question may have been sent to other email addresses at 
Microsoft. 
http://www.ntsecurity.net/go/w.asp?A2=IND0006b&L=WIN2KSECADVICE&P=517

Follow this link to read all threads for June, Week 2:
   http://www.ntsecurity.net/go/w.asp?A1=ind0006b&L=win2ksecadvice

* HOWTO MAILING LIST
Each week we offer a quick recap of some of the highlights from the
HowTo for Security mailing list. The following thread is in the
spotlight this week.

Trojan-like Activity with ICMP
I've been at a customer site the last few days trying to track down 
this issue. They have multiple internal client machines trying to hit a 
couple of different external addresses with a Type 3 Internet Control 
Message Protocol (ICMP) request. We're blocking the clients at the 
firewall, so ICMP is not getting out of the network but I cannot get 
the client machines to stop broadcasting. I've tried various Trojan 
cleaners and zombie zappers to no avail. Most of the clients are SP5 or 
SP6. Here's what icmpsnif found when executing on one of the clients 
(note that the source address isn't on their network so I'm assuming 
that it is spoofed). 
http://www.ntsecurity.net/go/L.asp?A2=IND0006b&L=HOWTO&P=80

Follow this link to read all threads for June, Week 2:
   http://www.ntsecurity.net/go/l.asp?A1=ind0006b&L=howto

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

WINDOWS 2000 MAGAZINE SECURITY UPDATE STAFF
News Editor - Mark Joseph Edwards (mje@win2000mag.com)
Ad Sales Manager (Western) - Jim Langone (jim@win2000mag.com)
Ad Sales Manager (Eastern) - Tanya T. TateWik (ttatewik@win2000mag.com)
Associate Publisher/Network - Martha Schwartz (mschwartz@win2000mag.com)
Editor - Gayle Rodcay (gayle@win2000mag.com)
New and Improved - Judy Drennen (products@win2000mag.com)
Copy Editor - Judy Drennen (jdrennen@win2000mag.com)

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

========== GET UPDATED! ==========
Receive the latest information about the Windows 2000 and Windows NT 
topics of your choice, including Win2K Pro, Exchange Server, thin-
client, training and certification, SQL Server, IIS administration, 
XML, application service providers, and more. Subscribe to our other 
FREE email newsletters at
http://www.win2000mag.com/sub.cfm?code=up00inxwnf.
|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

Thank you for reading Security UPDATE.

You are subscribed as packet@PACKETSTORM.SECURIFY.COM.

SUBSCRIBE
To subscribe send a blank email to
subscribe-Security_UPDATE@list.win2000mag.net.

UNSUBSCRIBE
To unsubscribe, send an email to U-A3.15.87030@list.win2000mag.net. Or
click http://go.win2000mag.net:80/UM/U.ASP?A3.15.87030 and you will be
removed from the list. Thank you!

If you have questions or problems with your UPDATE subscription, please
contact securityupdate@win2000mag.com. 
___________________________________________________________
Copyright 2000, Windows 2000 Magazine