**********************************************************
WINDOWS NT MAGAZINE SECURITY UPDATE
**Watching the Watchers**
The weekly Windows NT security update newsletter brought to you by
Windows NT Magazine and NTsecurity.net
http://www.winntmag.com/update/
**********************************************************

This week's issue sponsored by
Axent Technologies
http://www.winntmag.com/jump.cfm?ID=6
(Below Security Roundup)

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-
December 29, 1999 - In this issue:

1. IN FOCUS
   - Reflections from 1999 and into 2000

2. SECURITY RISKS
   - Savant Web Server Denial of Service
   - Avirt Rover Buffer Overflow
   - Netscape Navigator 4.5 Runs Arbitrary Code

3. ANNOUNCEMENTS
   - Managing Complex Environments: Live Webcast

4. SECURITY ROUNDUP
   - FEATURE: How Secure is Your Exchange Server? Update
   - HOW-TO: Using Windows 2000's Run As Command

5. NEW AND IMPROVED
   - Biometric Security Software
   - Cryptography Within Active Server Pages

6. HOT RELEASE
   - kforce.com

7. SECURITY TOOLKIT
   - Book Highlight: Firewalls Complete
   - Tip: Limit Shutdown Capabilities

8. HOT THREADS
   - Windows NT Magazine Online Forums:
       Find the Administrator Password
   - HowTo Mailing List:
       SMB Licensing Issue (Event ID 201)
       Name Conflict on PDC - Event ID 4319

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Want to sponsor Windows NT Magazine Security UPDATE? Contact Vicki
Peterson (Western and International Advertising Sales Manager) at
877-217-1826 or vpeterson@winntmag.com, OR Tanya T. TateWik (Eastern
Advertising Sales Manager) at 877-217-1823 or ttatewik@winntmag.com.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. ========== IN FOCUS ==========

Hello everyone,

It's been a long year for many of us. I can't be the only person who
feels like they've squeezed 18 months of work into a 12-month time
frame. Whew!

Looking back over 1999, it's easy to see that a lot of activity
occurred in the security world--much more than in 1998. If I had to
pick one security-related event during the last 12 months that
affected me more than any other event in that time frame, I'd have to
say that it was learning how China decided to deal with a couple of
relatively small-time computer crackers.

In March of this year, China reported that it had arrested and
convicted two brothers of embezzling approximately $87,000 (US) from a
Chinese bank. The brothers cracked a bank's computer security and
transferred the funds to their own account. And for that act, China
sentenced the two men to death. But even while setting such a hard
precedent for thieves--especially cyber-thieves--China wasted no time
in displaying its bigotry by assuming that it's OK to steal
super-sensitive nuclear secrets from the United States. Oh, you didn't
hear about that theft? Check your favorite world news source for
details.

Another set of hacking events occurred that truly gained and held my
attention for most of 1999, and I see no sign of that attraction
letting up soon. The events to which I refer are the seemingly
never-ending security risks that Georgio Guninski discovered in
Internet Explorer (IE). In my opinion, Georgio has done more for the
overall security of IE, and the security of Windows desktops in
general, than any other hacker on the planet. Georgio has discovered
more than a dozen security risks in IE 5.x. Look at his IE Web page
sometime, and you'll see why I feel that Georgio deserves a gigantic
pat on the back for his tireless efforts
(http://www.nat.bg/~joro/browsers.html).

Looking ahead to 2000, I predict that by year's end, we'll find that
the biggest security events of 2000 took place during the first
quarter. In January and February of 2000, we'll be fighting Y2K
problems relentlessly.
And in February, Microsoft will ship Windows 2000 (Win2K), which will
open the flood gates for officially reporting any security risks the
new OS might contain. As with any new OS, it's safe to assume that
it's not perfect, and thus, we'll see more than a few risks surface in
the new platform. In fact, I bet hackers are already sitting on Win2K
risk information, waiting for the most inconvenient time to release
that information. My guess is that the time will come after the
official release of the new OS in February.

But even so, I doubt that we'll see any risks as serious as the ones
discovered in Windows NT 4.0 over the last 24 months. Between finding
several ways to gain Administrator access and finding ways to subvert
Microsoft's encryption technology, hackers have given the company a
fairly serious beating over the security technology used in NT 4.0. I
think Microsoft has learned valuable lessons from these discoveries,
but I also know that no one is perfect and, therefore, we can assume
that Win2K has bugs. What are these bugs, and how will they impact
your network? Only time will tell. Nonetheless, I'm looking forward to
the year 2000 and the new OS from Microsoft.

If you're among those people who have to work on New Year's Eve, stop
by and hang out with BindView at its online Web party on December 31.
Visit http://www.BindView.com/onlineparty for details.

It's been a great year. Have a safe and pleasant New Year's weekend.
Thanks to each of you for reading Security UPDATE Newsletter.

Sincerely,
Mark Joseph Edwards, News Editor
mark@ntsecurity.net

2. ========== SECURITY RISKS ==========
(contributed by Mark Joseph Edwards, http://www.ntsecurity.net)

* SAVANT WEB SERVER DENIAL OF SERVICE
USSRLabs discovered a problem with the Savant Web Server 2.0 caused by
a buffer overflow condition. By appending a NULL character to the end
of a URL, a malicious user can crash the server. The vendor is aware
of the problem but had not responded at the time of this writing.
http://www.ntsecurity.net/go/load.asp?iD=/security/savant1.htm

* AVIRT ROVER BUFFER OVERFLOW
USSRLabs reported a problem with Avirt's Rover Server, which is a
software package that includes POP3 and SMTP services. The POP3
service contains a buffer overflow condition that can lead to a server
crash. An intruder can induce the crash by sending a string of 10,000
characters as the username when logging into the POP server. Avirt has
phased out the Rover and recommends migrating to a current product
(Avirt Mail 3.5 or later).
http://www.ntsecurity.net/go/load.asp?iD=/security/avirt3.htm

* NETSCAPE NAVIGATOR 4.5 RUNS ARBITRARY CODE
A person using the pseudonym "darkplan" reported a buffer overflow
condition in Netscape Navigator 4.5. The problem might let arbitrary
code execute on a user's system. Netscape is aware of this problem;
however, no response was known at the time of this writing.
http://www.ntsecurity.net/go/load.asp?iD=/security/nn45-1.htm

3. ========== ANNOUNCEMENTS ==========

* MANAGING COMPLEX ENVIRONMENTS: LIVE WEBCAST
Do you have questions regarding managing Windows 2000 environments?
Now's your chance to ask them! The new millennium is upon us and
topics related to managing complex environments are key to your
migration efforts. Join IBM and Windows NT Magazine for our upcoming
live Webcast, "Managing complex environments which include Windows
2000," January 6, from 10:00 A.M.-11:30 A.M. CST. Mark Minasi, Windows
NT Magazine contributing editor and author of Mastering Windows NT
Server 4.0 and the upcoming Mastering Windows 2000 Server, as well as
John Enck with the GartnerGroup, will discuss this key area. Also,
hear about IBM's Business Intelligence and Tivoli's systems management
solutions. Without leaving your desk, you can ask questions of our
panel of experts online or live. And you'll be eligible to download
informative white papers and technical reports.
Find out more about our live Web broadcast series, and register today
at http://webevents.broadcast.com/ibm/win2000/index.tl?loc=61.

4. ========== SECURITY ROUNDUP ==========

* FEATURE: HOW SECURE IS YOUR EXCHANGE SERVER? UPDATE
Last week, I mentioned Jerry Cochran's Web Exclusive article regarding
Exchange Server security. This week Jerry corrects some errors that
were present in his original article. The corrections are significant,
so be sure to read the new article.
http://www.ntsecurity.net/go/2c.asp?f=/features.asp?IDF=145&TB=f

* HOW-TO: USING WINDOWS 2000'S RUN AS COMMAND
In this Web Exclusive article, Zubair Ahmad offers some great insight
into a useful utility that ships with Windows 2000 (Win2K). You might
already be aware of a handy utility called Run As. The command tool
lets a user log on under one account and then run programs under a
different user. So, for example, a user might log on under an account
that is a member of the Administrators group but need to test programs
as those programs would run under a regular user account with
membership in the default Users group. The Run As command permits this
type of functionality. If you're migrating to Win2K in the next year,
be sure to read the article.
http://www.ntsecurity.net/go/2c.asp?f=/howto.asp?IDF=116&TB=howto

~~~~ SPONSOR: AXENT TECHNOLOGIES ~~~~
How to protect against application level attacks
Raptor Firewall delivers the most intuitive management interface and
high performance, multi-threaded services, giving you the most secure,
manageable, and flexible solution for enterprise security needs. Now
through December 24, download your FREE guide, "Everything You Need to
Know about Network Security" at http://www.winntmag.com/jump.cfm?ID=6
AXENT is the leading provider of e-security solutions for your
business, delivering integrated products and expert services to 45 of
the Fortune 50 companies.

5. ========== NEW AND IMPROVED ==========
(contributed by Carolyn Mascarenas, products@winntmag.com)

* BIOMETRIC SECURITY SOFTWARE
Net Nanny Software announced the beta of BioPassword LogOn for Windows
NT, software that adds biometric authentication as an extra level of
security during the NT logon process. Using keystroke dynamics, the
software combats problems associated with using traditional password
security, such as internal security breaches, password-cracking
programs, and employee negligence.

The software complements existing NT permissions and logon procedures.
You install the BIOServer component on the NT server and deploy the
BIOClient component through the shared network. The software then
prompts users to enter their user ID and password to create a unique
keystroke profile. Users are authenticated by matching their logon
attempt against their keystroke profile, which resides on the server
in an encrypted template.

Net Nanny Software is seeking beta testers with 100 workstations or
more to test BioPassword LogOn for Windows NT. Contact Net Nanny
Software, 425-688-3008.
http://www.netnanny.com

* CRYPTOGRAPHY WITHIN ACTIVE SERVER PAGES
CryptoObject announced CryptoObject 1.0, software that enables
cryptography from within Microsoft's Active Server Pages (ASP).
CryptoObject is a COM object that wraps the base cryptography
functions provided by the Microsoft Cryptographic API (CryptoAPI).

The CryptoAPI works well for traditional C++ and Visual Basic (VB)
developers but doesn't work well when used within Internet Information
Server (IIS), ASP, or Windows Scripting Host. Until CryptoObject, the
VBScript couldn't call any Windows DLL functions, so it couldn't use
any CryptoAPI features. CryptoObject uses the original constant names,
function names, member variables, and error codes.

CryptoObject works on Windows NT and Windows 9x systems and requires a
COM client. A single-server license starts at $100. Contact
CryptoObject, info@cryptoobject.com.
http://www.cryptoobject.com

6. ========== HOT RELEASE (ADVERTISEMENT) ==========

* KFORCE.COM
Real results by real people! ***kforce.com*** Resumes read by over
2,300 Career Specialists, Not another Job Board, But the Career
Resource Center. Search our Vast Database, use the Salary Calculator,
and receive your own Career Development Coach. Opportunity has a new
address kforce.com
http://ad.doubleclick.net/clk;629716;3578931;w?http://www.kforce.com

7. ========== SECURITY TOOLKIT ==========

* BOOK HIGHLIGHT: FIREWALLS COMPLETE
By Marcus Goncalves
Online Price: $43.95
Softcover; 632 pages
Published by McGraw-Hill Publishing, February 1998

With the McGraw-Hill Complete Series, you get 100 percent of what you
need to deliver fully functional applications quickly. You get
complete coverage of technical issues, from experts who understand the
problems you must solve. And the CD-ROM lets you demonstrate today's
hottest firewall products (because so many different technologies are
on the market, and they're not all created equal).

For Windows NT Magazine Security UPDATE readers only--Receive an
additional 10 PERCENT off the online price by typing WINNTMAG in the
referral field on the Shopping Basket Checkout page. To order this
book, go to http://www.fatbrain.com/shop/info/0070246459?from=SUT864.

* TIP: LIMIT SHUTDOWN CAPABILITIES
(contributed by Mark Joseph Edwards, mark@ntsecurity.net)

In many cases, it's necessary to control who might shut down a given
workstation or server. As you know, anyone can shut down Windows NT by
simply clicking the Shutdown button located on the logon screen
dialog. But did you know you can disable the logon dialog Shutdown
button? If the logon dialog's Shutdown button is disabled, then a user
must first log on to the system before that user can shut down the
system.

To disable the Shutdown button on the logon dialog, adjust the
following Registry key as indicated.
Be advised that incorrectly modifying the Registry can lead to a
non-bootable system, so be sure to back up your Registry before making
changes.

Hive:  HKEY_LOCAL_MACHINE
Key:   Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Name:  ShutdownWithoutLogon
Type:  REG_SZ
Value: 0

8. ========== HOT THREADS ==========

* WINDOWS NT MAGAZINE ONLINE FORUMS
The following text is from a recent threaded discussion on the Windows
NT Magazine online forums (http://www.winntmag.com/support).

Find the Administrator Password
December 20, 1999, 01:37 P.M.
Is there an easy way to find the administrator password for the local
machine? A user changed the computer name on a machine and can no
longer log into the domain, and the previous IT guy used an unknown
password for the local login.

Thread continues at
http://www.winntmag.com/support/Forums/Application/Index.cfm?CFApp=69&Message_ID=82781

* HOWTO MAILING LIST
Each week we offer a quick recap of some of the highlights from the
"HowTo for Security" mailing list. The following threads are in the
spotlight this week:

1. SMB Licensing Issue (Event ID 201)
http://www.ntsecurity.net/go/L.asp?A2=IND9912D&L=HOWTO&P=418

2. Name Conflict on PDC - Event ID 4319
http://www.ntsecurity.net/go/L.asp?A2=IND9912C&L=HOWTO&P=2297

Follow this link to read all threads for Dec. Week 4:
http://www.ntsecurity.net/go/l.asp?s=howto

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-
WINDOWS NT MAGAZINE SECURITY UPDATE STAFF
News Editor - Mark Joseph Edwards (mje@winntmag.com)
Ad Sales Manager (Western and International) - Vicki Peterson
(vpeterson@winntmag.com)
Ad Sales Manager (Eastern) - Tanya T. TateWik (ttatewik@winntmag.com)
Editor - Gayle Rodcay (gayle@winntmag.com)
New and Improved - Carolyn Mascarenas (products@winntmag.com)
Editor-at-Large - Jane Morrill (jane@winntmag.com)
|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

Thank you for reading Windows NT Magazine Security UPDATE

To subscribe, go to http://www.winntmag.com/update or send email to
listserv@listserv.ntsecurity.net with the words "subscribe
securityupdate anonymous" in the body of the message without the
quotes.

To unsubscribe, send email to listserv@listserv.ntsecurity.net with
the words "unsubscribe securityupdate" in the body of the message
without the quotes.

To change your email address, you must first unsubscribe by sending
email to listserv@listserv.ntsecurity.net with the words "unsubscribe
securityupdate" in the body of the message without the quotes. Then,
resubscribe by going to http://www.winntmag.com/update and entering
your current contact information or by sending email to
listserv@listserv.ntsecurity.net with the words "subscribe
securityupdate anonymous" in the body of the message without the
quotes.

========== GET UPDATED! ==========
Receive the latest information on the NT topics of your choice.
Subscribe to these other FREE email newsletters at
http://www.winntmag.com/sub.cfm?code=up99inxsup.

Windows NT Magazine UPDATE
Windows NT Magazine Thin-Client UPDATE
Windows NT Exchange Server UPDATE
Windows 2000 Pro UPDATE
ASP Review UPDATE
SQL Server Magazine UPDATE

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-
Copyright 1999, Windows NT Magazine

Security UPDATE Newsletter is powered by LISTSERV software
http://www.lsoft.com/LISTSERV-powered.html