**********************************************************
WINDOWS 2000 MAGAZINE SECURITY UPDATE
**Watching the Watchers**
The weekly Windows 2000 and Windows NT security update newsletter
brought to you by Windows 2000 Magazine and NTsecurity.net.
http://www.win2000mag.com/update/
**********************************************************

This week's issue sponsored by

Please Vote for BindView!
http://www.bindview.com/email/trust.html

Sunbelt Software - STAT: NT Vulnerability Scanner
http://www.sunbelt-software.com/stat.htm
(Below Security Roundup)

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

February 9, 2000 - In this issue:

1. IN FOCUS
     - Serious DoS Attacks

2. SECURITY RISKS
     - RDISK Race Condition: Update
     - Bypass surfControl URL Blocking
     - WWWThreads Elevates Privileges
     - Web Server Scripting Issues
     - Microsoft Java Exposes Files
     - Windows NT Recycle Bin Goes Unchecked

3. ANNOUNCEMENTS
     - The Windows(r) DNA 2000 Readiness Conference Featuring SQL Server(tm) 2000
     - Technical Pursuit 2000
     - Windows 2000 Magazine Launches IIS Administrator UPDATE
     - Security Book Available in Six Languages

4. SECURITY ROUNDUP
     - News: Windows NT 4.0 Is C2 Compliant--Windows 2000 Compliance Still 2 Years Out
     - News: FBI and CERT Warn Users Against Web-Based Scripting

5. NEW AND IMPROVED
     - IBM PCs Guard Critical Data with Windows 2000 Security
     - ZoneAlarm 2.0 Prevents Information Theft

6. SECURITY TOOLKIT
     - Book Highlight: Administering Web Servers, Security and Maintenance
     - Tip: Adjust Event Log Settings Remotely

7. HOT THREADS
     - Windows 2000 Magazine Online Forums:
          * Move People with DHCP
     - Win2KSecAdvice Mailing List:
          * Two MS FrontPage Issues
          * Windows API SHGetPathFromIDList Buffer Overflow
     - HowTo Mailing List:
          * NT as a Firewall for ISP
          * Question About CALCS

~~~~ SPONSOR: PLEASE VOTE FOR BINDVIEW! ~~~~
BindView has been nominated for the SC 2000 Awards.
Voting for BindView in the Reader Trust Awards gives you the chance to spread the word and let others know what you already do--that BindView offers the best solutions for managing the configuration and security of Windows 2000/NT and NetWare environments. BindView's IT risk management solutions NOSadmin for Windows 2000/NT and NOSadmin for NetWare have been nominated in the Best General Security category. BindView's anti-hacker software, HackerShield, has been nominated for Best Internet Security Product. Please vote for BindView at
http://www.bindview.com/email/trust.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Want to sponsor Windows 2000 Magazine Security UPDATE? Contact Vicki Peterson (Western and International Advertising Sales Manager) at 877-217-1826 or vpeterson@win2000mag.com, OR Tanya T. TateWik (Eastern Advertising Sales Manager) at 877-217-1823 or ttatewik@win2000mag.com.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. ========== IN FOCUS ==========

Hello everyone,

Distributed computing is a powerful tool. And although distributed computing isn't new in the mainframe world, it is new in the PC arena when it comes to low-end applications. One of the more popular means of distributed processing is a methodology where individual PCs work together to process data from a centralized database. This approach spreads the processing load over numerous machines instead of one machine with several CPUs. The methodology quickens the overall processing time because no one machine or CPU has to process all the data. Distributed.net helped popularize this technique on PCs by developing software to crack encryption keys. Distributed.net hosts various encryption-cracking contests, such as the current RC5 challenge (see http://www.distributed.net for details).
In a nutshell, the company's key-cracking software can run on any number of individual PCs; the software pulls a data set from a central database, processes that data on the local PC, and sends the results back to the central database-processing center.

Black hat computer users have taken an interest in distributed processing. Why? Distributed processing lets these black hats take down a giant network with relative ease. They can muster the bandwidth and processing resources of numerous networks to launch an attack against another network or machine. In most instances, the attack quickly overpowers the network or machine, knocking the network or machine out of service because it can't handle the overwhelming processor and bandwidth loads. Without distributed processing, denying service to a remote network would be incredibly tough in most cases. You'd either have to know of a software bug that eats all available CPU cycles on the target machine, or you'd have to have more bandwidth and processing power than the target network. But with distributed denial of service (DoS) attack techniques, those factors have become moot.

When I turned on the news this morning, I saw a headline story that informed me Yahoo's site was down because of a massive DoS attack. I was amazed that a DoS attack made national headline news. I was even more amazed that people think that a DoS attack is news in the first place. DoS attacks are as old as computers. The only thing new about the attack against Yahoo is that the attack successfully took down Yahoo's network, which has mammoth amounts of bandwidth and processing power. At the height of the attack, Yahoo received more than 1GBps of traffic. That's a huge amount of traffic by any standard. In all probability, the attack was a distributed attack because of the amount of bandwidth involved. So, how do you prevent this type of distributed attack?
In most cases, it's incredibly difficult, if not impossible, to defend against distributed DoS attacks. Today's hardware and software are not equipped to fend off such attacks. Although some firewall systems and back-end services can prevent a few types of well-known DoS attacks, they have not proven they can stand up against even a lightweight distributed attack. The problem appears to be manifold. New developments must address all aspects of networking--from the network border hardware to the back-end applications--to prevent outages before we can fend off such attacks. Servers need faster processors in greater numbers, applications need better user-session filtering, and network hardware needs faster CPUs and improvements to the software code base. Until these developments happen, networks are easy targets.

But even with improved hardware and software, DoS attacks will still boil down to a war of bandwidth, where the person with the most bandwidth almost always wins. And, with distributed processing attack methods, pipe size has no upper limit for the intruder. I don't see a definitive solution for preventing distributed DoS attacks in our near future. I do see that cyber-terrorism has, in fact, arrived, and it's riding on the coattails of distributed processing.

Until next time, have a great week.

Mark Joseph Edwards, News Editor
mark@ntsecurity.net

2. ========== SECURITY RISKS ==========
(contributed by Mark Joseph Edwards, mark@ntsecurity.net)

* RDISK RACE CONDITION: UPDATE
As you know, Microsoft recently released a patch for Windows NT Server 4.0, Terminal Server Edition (TSE) because of a problem with the RDISK utility. RDISK helps users create an Emergency Repair Disk (ERD) to record machine state information as a contingency against system failure. According to Microsoft's bulletin, during execution, RDISK creates a temporary file containing an enumeration of the Registry.
The ACLs on the file allow global read permission, and as a result, a malicious user who knows that the administrator is running RDISK can open the file and read the Registry information during its creation. RDISK erases the file after completion, so under normal conditions no lasting vulnerability exists. Microsoft rereleased its bulletin because the utility is part of all versions of Windows NT 4.0, and the vulnerability exists on each NT 4.0 platform. Patches are now available for all affected versions.
http://www.ntsecurity.net/go/load.asp?iD=/security/rdisk1.htm

* BYPASS SURFCONTROL URL BLOCKING
surfControl Scout software blocks access to specified URLs. However, by appending a period to the end of a URL, a malicious user can still access a blocked URL, thereby bypassing the rules defined in the surfControl Scout application. For example, if an administrator used surfControl Scout to block the site http://www.xyzzy.com, then surfControl Scout will still allow access to http://www.xyzzy.com. (the same URL with a period appended to the host name). A patch is now available for surfControl that upgrades versions 2.1.6.x to version 2.6.1.7. In addition, a complete version 2.6.1.7 package is available for download.
http://www.ntsecurity.net/go/load.asp?iD=/security/surfcntrl1.htm

* WWWTHREADS ELEVATES PRIVILEGES
WWWThreads is a Perl-based message-forum software that runs against a SQL server back end, such as Microsoft SQL Server or mySQL. According to a user identified as rain.forrest.puppy, an intruder can elevate a message-board user's privileges to board Administrator within the message-forum software. (Note: this is not the same as Administrator access on Windows NT.) The vendor, WCSoft, has released an updated version that corrects the vulnerability.
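Turning back to the surfControl item above: the bypass works because the blocker compares the host name exactly as the user typed it with the entry on its list, and "www.xyzzy.com." is a different string but the same DNS name. The following Python is an added illustration, not code from the newsletter or from surfControl; it canonicalizes the host (lowercase, port and userinfo removed, trailing periods stripped) before the comparison and also matches parent domains, with a naive string comparison kept alongside for contrast. The block list and the URLs are constructed for the example.

```python
"""Hostname canonicalization for a URL block list (added example)."""
from urllib.parse import urlsplit

# Constructed block list: bare host names, matched as the exact host or as
# a parent domain of the requested host.
BLOCKED_HOSTS = {"www.xyzzy.com", "example.invalid"}


def canonical_host(url: str) -> str:
    """Return the host name of *url* in comparison form.

    Normalization applied:
      * scheme, path and query are discarded; userinfo and port are removed
      * letters are lowercased (urlsplit().hostname already does this)
      * trailing periods are removed, because "www.xyzzy.com." names the same
        DNS host as "www.xyzzy.com"
    A scheme-less input such as "www.xyzzy.com./" is treated as a bare host.
    """
    parts = urlsplit(url if "//" in url else "//" + url)
    host = parts.hostname or ""
    return host.rstrip(".")


def is_blocked(url: str, blocked=BLOCKED_HOSTS) -> bool:
    """True when the canonical host, or any parent domain of it, is listed."""
    host = canonical_host(url)
    if not host:
        return False
    labels = host.split(".")
    # Try "a.b.c", then "b.c", then "c" against the list.
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def naive_is_blocked(url: str, blocked=BLOCKED_HOSTS) -> bool:
    """Literal comparison with no canonicalization: the weak check that the
    trailing-period trick defeats. Kept only to show the difference."""
    return (urlsplit(url).netloc or "") in blocked


if __name__ == "__main__":
    for sample in ("http://www.xyzzy.com", "http://www.xyzzy.com.",
                   "http://WWW.XYZZY.COM:8080/path", "http://notxyzzy.com/"):
        print(f"{sample:35} naive={naive_is_blocked(sample)!s:5} "
              f"canonical={is_blocked(sample)}")
```

The same normalization belongs in any proxy or filter that keys decisions on a host name; the trailing period is only the simplest of the spellings a resolver treats as equivalent.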
http://www.ntsecurity.net/go/load.asp?iD=/security/wwwt1.htm

* WEB SERVER SCRIPTING ISSUES
The CERT Coordination Center published an advisory warning users of potentially malicious Web-based scripts that can instigate a man-in-the-middle attack, session-recording, desktop and local LAN manipulation, and other unwanted actions. (The CERT Coordination Center is part of the Survivable Systems Initiative at the Software Engineering Institute, a federally funded research and development center at Carnegie Mellon University.) CERT jointly published an advisory with the Department of Defense (DoD)-CERT, the DoD Joint Task Force for Computer Network Defense (JTF-CND), the Federal Computer Incident Response Capability (FedCIRC), and the National Infrastructure Protection Center (NIPC). According to the advisory, "A Web site may inadvertently include malicious HTML tags or script in a dynamically generated page based on invalidated input from untrustworthy sources. This can be a problem when a Web server does not adequately ensure that generated pages are properly encoded to prevent unintended execution of scripts, and when input is not validated to prevent malicious HTML from being presented to the user."
http://www.ntsecurity.net/go/load.asp?iD=/security/webapps1.htm

* MICROSOFT JAVA EXPOSES FILES
Several developers in Japan jointly discovered and reported a security problem with Microsoft's Java implementation. The problem lets an intruder who knows the complete path to a file read that file without the user's permission. The problem affects Internet Explorer (IE) 4.x and 5.x users. Microsoft is aware of the problem but has issued no response at the time of this writing.
http://www.ntsecurity.net/go/load.asp?iD=/security/java3.htm

* WINDOWS NT RECYCLE BIN GOES UNCHECKED
Arne Vidstrom and Nobuo Miwa discovered a problem with Windows NT's Recycle Bin that might let a malicious user manipulate any contained files without the file owner's knowledge.
The problem exists because of the permission settings on the Recycle Bin directory. Microsoft issued a patch, FAQ, and Support Online article Q248339 regarding the matter.
http://www.ntsecurity.net/go/load.asp?iD=/security/recyc1.htm

3. ========== ANNOUNCEMENTS ==========

* THE WINDOWS(R) DNA 2000 READINESS CONFERENCE FEATURING SQL SERVER(TM) 2000
Join an exclusive audience of Microsoft(r) partners and customers from February 29 through March 3, 2000 in Denver, for The Windows DNA 2000 Readiness Conference featuring SQL Server 2000. This event will be the first opportunity to get intensive, technical training on the new Windows DNA 2000 products and SQL Server 2000 (code-named Shiloh)--a significant evolution of Microsoft's flagship relational database management system (RDBMS). To register and learn more about the conference, go to http://msdn.microsoft.com/events/sqlserver2000. When registering, you'll need the following registration code: 2-10-secupe. Space is limited, so register early.

* TECHNICAL PURSUIT 2000
Windows 2000 Magazine's "Technical Pursuit 2000" is your chance to show up the experts and win cool prizes! Match wits with Windows 2000 (Win2K) mavens Mark Smith, Sean Daily, and Kathy Ivens at the Windows 2000 Conference and Expo in San Francisco from February 15 to 17, 2000. "Technical Pursuit 2000" will be held at 11:00 A.M. and 2:00 P.M. on February 15 and 16, and at noon on February 17. To enter, drop by the Windows 2000 Magazine booth (#1315) at the Expo and pick up your free raffle ticket. A drawing will be held 10 minutes before each game to select a contestant. Contestants will try to answer five Win2K-related questions to win up to $250 in cash. On the final day of the Expo, we're giving away $500 for five correct answers! We'll also be giving away free prizes every hour during the entire conference, so you have plenty of chances to win.
* WINDOWS 2000 MAGAZINE LAUNCHES IIS ADMINISTRATOR UPDATE
IIS Administrator UPDATE is your direct link to the latest Internet Information Server (IIS) essentials. This FREE email newsletter keeps you informed with the latest news, product releases, tips, and expert advice from other IIS professionals. We'll help you stay on top of the administration, programming, and security issues that you need to know to keep your server running at full speed. Enter your FREE subscription now at
http://www.win2000mag.com/sub.cfm?code=up99inbiup

* SECURITY BOOK AVAILABLE IN SIX LANGUAGES
By now, you know that Windows 2000 Magazine and NTSecurity.net have placed the book "Internet Security with Windows NT" online for free. But did you know that the book is available online in six different languages? To read the book in English, French, German, Italian, Spanish, or Portuguese, load the home page at http://www.ntsecurity.net. After the home page has loaded, click Translate on the menu bar at the top of the screen. On the translate page, select your language preference under the pull-down menu labeled "Reload the entire home page translated from," and click the Go! button. When the newly translated home page loads in the language you chose, select Security Book under the "So What's New?" section.
http://www.ntsecurity.net/go/translate.asp

4. ========== SECURITY ROUNDUP ==========

* NEWS: WINDOWS NT 4.0 IS C2 COMPLIANT--WINDOWS 2000 COMPLIANCE STILL 2 YEARS OUT
Windows NT 4.0 recently received its C2-level security compliance certification; however, Service Pack 6 (SP6) and all the latest service packs must be installed to meet that rating. Companies that need C2-level security compliance in their environments won't be able to use Microsoft's Windows 2000 (Win2K) until at least 2002, which is how long it will take for the new OS to pass the required tests.
The US government dictates C2-level security specifications under its Trusted Computer System Evaluation Criteria, and to date, NT 4.0 and 3.5 are Microsoft's only OSs that qualify. Win2K does, however, meet the federal government's FIPS 140-1 specification for encryption technology. Win2K meets FIPS 140-1 because it relies on Microsoft's CryptoAPI, which Microsoft developed and released on platforms prior to Win2K.
http://www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=209&TB=news

* NEWS: FBI AND CERT WARN AGAINST WEB-BASED SCRIPTING
The FBI and several software manufacturers are warning users of potential risks involved with seemingly harmless Web site surfing. CERT released an advisory on Tuesday to help make people aware of readily exploitable cross-site scripting risks. Although some security aficionados point out that problems of this nature have been known for some time, the problems remain widespread mostly due to vendor product development cycles that don't address the issues that CERT cites in its advisory.
http://www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=208&TB=news

~~~~ SPONSOR: SUNBELT SOFTWARE - STAT: NT VULNERABILITY SCANNER ~~~~
Ever had that feeling of ACUTE PANIC that a hacker has invaded your network? Plug NT's holes before they plug you. There are now over 750 known NT vulnerabilities. You just have to protect your LAN _before_ it gets attacked. STAT comes with a responsive web-update service and a dedicated Pro SWAT team that helps you to hunt down and kill Security holes. Built by anti-hackers for DOD sites. Download a demo copy before you become a statistic.
http://www.sunbelt-software.com/stat.htm

5. ========== NEW AND IMPROVED ==========
(contributed by Judy Drennen, products@win2000mag.com)

* IBM PCs GUARD CRITICAL DATA WITH WINDOWS 2000 SECURITY
IBM announced that new PCs--IBM PC 300PL, IBM IntelliStation E Pro, and the IBM IntelliStation M Pro--will come preloaded with Windows 2000 (Win2K) and the industry's first embedded security chip.
IBM is working to optimize the interaction between the security chip and Win2K, which will push PC security to a new high. IBM's embedded chip offers an integrated hardware and software security solution that supports Win2K and prevents unauthorized users from accessing sensitive information. Identity verification and authentication features complement encryption capabilities embedded into Win2K. For more information, contact IBM.
http://www.ibm.com/Windows 2000

* ZONEALARM 2.0 PREVENTS INFORMATION THEFT
Zone Labs released the new ZoneAlarm 2.0 Internet security utility. ZoneAlarm 2.0 provides users with essential protection for "always on" DSL and cable modems by uniting the safety of a dynamic firewall with total control over applications' Internet use. ZoneAlarm 2.0 provides five interlocking security services that deliver easy-to-use, comprehensive protection. Unlike other security utilities, ZoneAlarm 2.0 incorporates a firewall, application control, an Internet lock, dynamically assigned security levels, and zones. ZoneAlarm 2.0 provides out-of-the-box security because it automatically configures itself as the user surfs the Internet. The firewall provides state-of-the-art protection without requiring knowledge of ports, protocols, or hierarchical rule systems, thereby ensuring maximum protection. ZoneAlarm 2.0 works on Windows 2000 (Win2K), Windows NT, and Windows 9x and is available immediately on the Zone Labs Web site for download. Corporations can evaluate ZoneAlarm 2.0 for up to 60 days at no charge. For more information, contact Zone Labs, 415-547-0050.
http://www.zonelabs.com

6. ========== SECURITY TOOLKIT ==========

* BOOK HIGHLIGHT: ADMINISTERING WEB SERVERS, SECURITY AND MAINTENANCE
By Eric Larson and Brian Stephens
Online Price: $40.00
Softcover; 350 pages
Published by Prentice Hall, December 1999

This interactive workbook will get you started right away with real-world applications for Web server security and maintenance.
Demand for these skills is sky-high, as businesses everywhere are moving toward e-commerce and a full online presence. Learn from the experts in easy, step-by-step lessons. Every section includes reviews to help you check your work and assess your progress at every stage. Practical labs in the book help to reinforce what you're learning as you go. This book will help you master building new Web site networks, Web servers and Web clients, configuration and maintenance of your site, CGI security, and secure online transactions.

For Windows 2000 Magazine Security UPDATE readers only--Receive an additional 10 PERCENT off the online price by typing WIN2000MAG in the referral field on the Shopping Basket Checkout page. To order this book, go to
http://www.fatbrain.com/shop/info/0130225347?from=SUT864

* TIP: ADJUST EVENT LOG SETTINGS REMOTELY
(contributed by Mark Joseph Edwards, mark@ntsecurity.net)

A reader wrote to ask how to remotely manipulate Registry keys. Specifically, the person wanted to adjust the keys that govern Event Log size and the keys that govern whether log entries are overwritten when the log becomes full. You can adjust the log setting parameters for a remote machine using Event Viewer if you have proper access to that remote machine. But using Event Viewer to adjust parameters on numerous machines can be time-consuming, so using an automation tool might be a better solution. To use an automation tool, you must know which keys to adjust and which values to set.

You can remotely manipulate any Registry key's setting provided you meet two criteria: you must have some type of remote Registry access to the machine you want to manipulate, and you must know which Registry keys you wish to adjust. Step one in hacking most any setting in the Registry is to determine where the appropriate Registry keys are located. To learn this information, use a tool such as System Internals' RegMon.
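Once the keys are known (the tip goes on to locate them under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog, as the MaxSize and Retention values under each log's key), the remote adjustment itself is straightforward to script. The following Python is an added example, not code from the newsletter or from Microsoft. It uses the standard winreg module's Remote Registry support; the host names passed on the command line are placeholders. The value encoding matches what the tip reports Event Viewer storing (2048KB becomes 0x200000 bytes, 7 days becomes 0x93a80 seconds); the two special Retention values, 0 for "Overwrite Events as Needed" and 0xFFFFFFFF for "Do Not Overwrite Events", and the 64KB size granularity of the Event Viewer dialog are Windows NT conventions this example relies on.

```python
"""Compute and apply Event Log MaxSize/Retention values remotely (added example)."""
try:
    import winreg  # standard library, but present on Windows only
except ImportError:  # elsewhere only the value computation is usable
    winreg = None

EVENTLOG_PATH = r"SYSTEM\CurrentControlSet\Services\EventLog"
LOGS = ("Application", "System", "Security")
OVERWRITE_AS_NEEDED = 0          # Retention: "Overwrite Events as Needed"
NEVER_OVERWRITE = 0xFFFFFFFF     # Retention: "Do Not Overwrite Events"
SECONDS_PER_DAY = 24 * 60 * 60
SIZE_STEP = 64 * 1024            # Event Viewer's log size box moves in 64K increments


def event_log_values(max_kb, overwrite_after_days=None, never_overwrite=False):
    """Return (MaxSize, Retention) as the DWORDs Event Viewer would write.

    MaxSize is the log size in bytes, rounded up to the 64KB granularity of
    the dialog. Retention is the age in seconds below which events are
    protected from overwriting, or one of the two special values above.
    """
    if max_kb <= 0:
        raise ValueError("log size must be positive")
    max_size = -(-max_kb * 1024 // SIZE_STEP) * SIZE_STEP  # ceiling to 64KB
    if never_overwrite:
        retention = NEVER_OVERWRITE
    elif overwrite_after_days is None:
        retention = OVERWRITE_AS_NEEDED
    else:
        if not 1 <= overwrite_after_days <= 365:
            raise ValueError("days must be in the dialog's range of 1 to 365")
        retention = overwrite_after_days * SECONDS_PER_DAY
    return max_size, retention


def apply_event_log_settings(host, max_kb, overwrite_after_days=None,
                             never_overwrite=False, logs=LOGS):
    """Write the computed values to every listed log on *host*.

    Needs the Remote Registry service reachable on the target and an
    account with write access to the EventLog keys (administrators, by
    default). Returns the pair that was written.
    """
    if winreg is None:
        raise RuntimeError("remote Registry access needs the Windows winreg module")
    max_size, retention = event_log_values(max_kb, overwrite_after_days, never_overwrite)
    hklm = winreg.ConnectRegistry(r"\\" + host, winreg.HKEY_LOCAL_MACHINE)
    try:
        for log in logs:
            subkey = EVENTLOG_PATH + "\\" + log
            with winreg.OpenKey(hklm, subkey, 0, winreg.KEY_SET_VALUE) as key:
                winreg.SetValueEx(key, "MaxSize", 0, winreg.REG_DWORD, max_size)
                winreg.SetValueEx(key, "Retention", 0, winreg.REG_DWORD, retention)
    finally:
        winreg.CloseKey(hklm)
    return max_size, retention


if __name__ == "__main__":
    import sys
    # Usage: python eventlog_settings.py HOST1 HOST2 ...  (placeholder host names)
    # Reproduces the tip's example: 2048KB logs, overwrite events older than 7 days.
    for target in sys.argv[1:]:
        size, keep = apply_event_log_settings(target, 2048, overwrite_after_days=7)
        print(f"{target}: MaxSize=0x{size:x} Retention=0x{keep:x}")
```

Run it from an administrative workstation that can reach the Remote Registry service on the targets; the value computation works anywhere, so the numbers can be checked against a RegMon trace before anything is written.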
RegMon watches all Registry access and reports its findings in an easy-to-read display. You can fire up RegMon, open Event Viewer and use it to set the Log Settings parameters (under Log, Log Settings on the pull-down menus), and then refer back to RegMon to see which keys were adjusted. In this case, a quick review of RegMon revealed that the Registry keys that pertain to the Event Log settings are held in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog. Under the EventLog key you'll find the three subkeys that pertain to each Event Log type: Application, System, and Security. Under each of those keys you'll find two values, MaxSize and Retention, that regulate log size and how the log is overwritten, respectively.

To determine what values to set for these items, you need to conduct trials using Windows NT's built-in Event Viewer to change the Log Settings on your desktop. The trials reveal how NT records your selected parameters in the Registry. For example, you'll notice when you use Event Viewer to set the Log Settings to "Overwrite Events Older than 7 Days" with a log size of 2048KB, that the MaxSize value in the Registry will be 200000 and the Retention value will be 0x93a80 (both shown in hexadecimal, as Registry Editor displays DWORD values: 0x200000 is 2048KB expressed in bytes, and 0x93a80 is 7 days expressed in seconds). After you establish the proper values, you can use those values to automate the remote adjustment of Event Log's Registry entries on any machine that requires such action.

7. ========== HOT THREADS ==========

* WINDOWS 2000 MAGAZINE ONLINE FORUMS
The following text is from a recent threaded discussion on the Windows 2000 Magazine online forums (http://www.win2000mag.com/support).

January 28, 2000 08:31 AM
Move People with DHCP

I need to move a large group of people (about 500) to a new subnet that has different IP addresses. We use NT DHCP to provide IP addresses for users. I can release IPs for each Win98 and Win NT workstation manually before it shuts down, but with 500 users it is going to take a long time.
Is there a way to force users to release automatically when they shut down their PCs? I don't want to change the lease duration time on the DHCP server because other users will stay there. Thank you in advance.

Thread continues at
http://www.win2000mag.com/support/Forums/Application/Index.cfm?CFApp=69&Message_ID=88133

* WIN2KSECADVICE MAILING LIST
Each week we offer a quick recap of some of the highlights from the Win2KSecAdvice mailing list. The following threads are in the spotlight this week:

1. Two MS FrontPage Issues
http://www.ntsecurity.net/go/w.asp?A2=IND0002A&L=WIN2KSECADVICE&P=866

2. Windows API SHGetPathFromIDList Buffer Overflow
http://www.ntsecurity.net/go/w.asp?A2=IND0002A&L=WIN2KSECADVICE&P=2580

Follow this link to read all threads for Feb. Week 2:
http://www.ntsecurity.net/go/win2ks-l.asp?s=win2ksec

* HOWTO MAILING LIST
Each week we offer a quick recap of some of the highlights from the HowTo for Security mailing list. The following threads are in the spotlight this week:

1. NT as a Firewall for ISP
http://www.ntsecurity.net/go/L.asp?A2=IND0002A&L=HOWTO&P=10292

2. Question About CALCS
http://www.ntsecurity.net/go/L.asp?A2=IND0002A&L=HOWTO&P=8891

Follow this link to read all threads for Feb. Week 2:
http://www.ntsecurity.net/go/l.asp?s=howto

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

WINDOWS 2000 MAGAZINE SECURITY UPDATE STAFF
News Editor - Mark Joseph Edwards (mje@win2000mag.com)
Ad Sales Manager (Western and International) - Vicki Peterson (vpeterson@win2000mag.com)
Ad Sales Manager (Eastern) - Tanya T. TateWik (ttatewik@win2000mag.com)
Editor - Gayle Rodcay (gayle@win2000mag.com)
New and Improved - Judy Drennen (products@win2000mag.com)
Copy Editor - Judy Drennen (jdrennen@win2000mag.com)

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

Thank you for reading Windows 2000 Magazine Security UPDATE.
To subscribe, go to http://www.win2000mag.com/update or send email to listserv@listserv.ntsecurity.net with the words "subscribe securityupdate anonymous" in the body of the message without the quotes.

To unsubscribe, send email to listserv@listserv.ntsecurity.net with the words "unsubscribe securityupdate" in the body of the message without the quotes.

To change your email address, you must first unsubscribe by sending email to listserv@listserv.ntsecurity.net with the words "unsubscribe securityupdate" in the body of the message without the quotes. Then, resubscribe by going to http://www.win2000mag.com/update and entering your current contact information or by sending email to listserv@listserv.ntsecurity.net with the words "subscribe securityupdate anonymous" in the body of the message without the quotes.

========== GET UPDATED! ==========
Receive the latest information on the Windows 2000 and Windows NT topics of your choice. Subscribe to these other FREE email newsletters at
http://www.win2000mag.com/sub.cfm?code=up99inxsup

Windows 2000 Magazine UPDATE
Windows 2000 Magazine Thin-Client UPDATE
Windows 2000 Magazine Exchange Server UPDATE
Windows 2000 Magazine Enterprise Storage UPDATE
Windows 2000 Pro UPDATE
ASP Review UPDATE
SQL Server Magazine UPDATE
IIS Administrator UPDATE
XML UPDATE

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

Copyright 2000, Windows 2000 Magazine
Security UPDATE is powered by LISTSERV software.
http://www.lsoft.com/LISTSERV-powered.html