**********************************************************
WINDOWS 2000 MAGAZINE SECURITY UPDATE 
**Watching the Watchers**
The weekly Windows 2000 and Windows NT security update newsletter brought 
to you by Windows 2000 Magazine and NTSecurity.net
http://www.win2000mag.com/update/ 
**********************************************************

This week's issue sponsored by
Trend Micro -- Your Internet VirusWall 
http://www.antivirus.com/spring.htm

Sunbelt Software - STAT: NT Vulnerability Scanner
http://www.sunbelt-software.com/stat.htm
(Below Security Roundup) 

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-
March 29, 2000 - In this issue:

1. IN FOCUS
     - Outbound Traffic Is an Equally Serious Risk 

2. SECURITY RISKS
     - Microsoft Office 2000 Exposes Hidden Drives

3. ANNOUNCEMENTS
     - Windows 2000 Deployment Conference: Beyond the Basics 
     - Subscribe to Our Free Thin-Client UPDATE Email Newsletter
     - Security Poll: Should Companies Be Able to Sue Hackers for Reverse 
Engineering?

4. SECURITY ROUNDUP
     - News: Microsoft Internet Server Security Configuration Tool 1.0
     - News: Hazards and Pitfalls of Email
     - News: ASPAM Trojan on the Loose
     - News: Teen's Boast of Hacking Bill Gates Looks Empty

5. NEW AND IMPROVED
     - Integrated Firewall/VPN/Intrusion Detection Product
     - Smart Card-Based Security Solution

6. HOT RELEASE (ADVERTISEMENT)
     - AXENT's Free Linux WebCast

7. SECURITY TOOLKIT
     - Book Highlight: The Process of Network Security: Designing and 
Managing A Safe Network
     - Tip: Protect Against Unwanted Disk Access
     - HowTo: Windows 2000 Group Policies
     - HowTo: Good Programming and the Rules for Writing Secure Code

8. HOT THREADS 
     - Windows 2000 Magazine Online Forums
         Adding Permissions
     - Win2KSecAdvice Mailing List
         Crypto-Gram Coverage of Kerberos, March 2000
     - HowTo Mailing List
         DMZ Area
         Print Quotas Under Windows 2000?

~~~~ SPONSOR: TREND MICRO -- YOUR INTERNET VIRUSWALL ~~~~
As the Vernal Equinox brings warmer weather and longer days, enjoy more 
leisure time and worry less about server content security across your 
network by using Trend Micro's antivirus product family. Trend Micro, a 
world leader in antivirus technologies, protects Internet gateways, Lotus 
Notes and Exchange email servers, desktops and everywhere in between - by 
forming a protective VirusWall all around your network. Get Trend and Relax 
this Spring!
http://www.antivirus.com/spring.htm


1. ========== IN FOCUS ==========

Hello everyone,

A focal point for any network security administrator is the network 
perimeter. Companies spend a lot of time guarding against traffic that 
might enter their networks and not enough time guarding against traffic 
that might leave their networks.
   Typically, a company establishes a perimeter defense by blocking all 
inbound traffic, then letting only specific traffic types reach specific 
internal systems. To ease management headaches down the road, the company 
defines traffic rules that let any and all outbound traffic leave the 
network. After all, allowing all outbound traffic means no future rule 
definitions will be required to meet future needs. This approach also means 
the cost of managing perimeter security will be lower because no one will 
need to define new outbound rules. But think about that action for a 
moment. Are the savings really worth the risk in today's world?
   If only one reason had to make the case for locking down outbound 
traffic as securely as you lock down inbound traffic, that reason would be 
Distributed Denial of Service (DDoS) attacks. Without an open port to move 
traffic out of, your network is far less likely to become a participant in 
such an attack.
   But DDoS attacks are not the only reason to restrict outbound traffic. 
Consider the risks of uncontrolled email or file transfers that might let 
someone inside your network move proprietary information offsite without 
proper consent. Do you have policies regarding email use? Do you screen 
outbound email for improper content? Do you block outbound FTP and other 
forms of file transfer? And what about improper Web or other multimedia 
use? Do you guard against those actions with security policies and 
software-based controls? Doing so might help reduce the chance of potential 
lawsuits against your company, which could include charges of defamation, 
sexual harassment, slander, and more. Without controls, you have to trust 
that an employee won't take an inappropriate action at an inappropriate 
time. Can you afford that risk?
   The bottom line is that you must protect against unwanted outbound 
traffic as fiercely as you protect against unwanted inbound traffic. 
Consider adding various content filters to your overall security arsenal. 
Content filtering tools can screen and prevent the movement of both inbound 
and outbound traffic over a variety of protocols, including Web, SMTP, 
POP3, and more. By using such technology, you can cut a huge portion of 
the risk associated with general Internet connectivity.
   Before I sign off this week, I'd like to announce two new columnists for 
Windows 2000 Magazine's NTSecurity.net Web site. I'm pleased to inform you 
that Randy Franklin Smith and David LeBlanc have joined our Web team as 
regular columnists to bring you their hands-on experience gathered directly 
from the trenches.
   Randy looks at Win2K Security from the ground up to cover all the new 
bells, whistles, and techniques. David looks under the hood of writing 
secure Win32 code for Win2K and Windows NT platforms. If you're new to 
Win2K security administration or a code slinger looking to improve your 
application development for Win2K or NT, be sure to read the new 
columns--they're linked in the Toolkit section below. Until next time, have 
a great week.

Sincerely,
Mark Joseph Edwards, News Editor
mark@ntsecurity.net
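
The two outbound postures contrasted in In Focus above, worked through as an added example (not part of the original newsletter). The rule names, addresses, and sample flows are constructed, and the first-match rule model is an assumption rather than any particular firewall's syntax.

```python
import ipaddress
from dataclasses import dataclass

ANY = "0.0.0.0/0"
ALL_PORTS = range(0, 65536)

@dataclass(frozen=True)
class Rule:
    name: str
    direction: str   # "in" or "out"
    action: str      # "allow" or "deny"
    src: str         # CIDR block
    dst: str         # CIDR block
    ports: range     # destination ports

def decide(policy, direction, src, dst, port):
    """First matching rule wins; traffic that matches no rule is denied."""
    for r in policy:
        if (r.direction == direction and port in r.ports
                and ipaddress.ip_address(src) in ipaddress.ip_network(r.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(r.dst)):
            return r.action, r.name
    return "deny", "implicit-deny"

def broad_egress(policy):
    """Outbound allow rules open to every destination on every port."""
    return [r.name for r in policy
            if r.direction == "out" and r.action == "allow"
            and ipaddress.ip_network(r.dst).prefixlen == 0
            and len(r.ports) == len(ALL_PORTS)]

# Constructed policies. Addresses are RFC 1918 / RFC 5737 documentation ranges.
INBOUND = [
    Rule("web-in", "in", "allow", ANY, "192.0.2.10/32", range(80, 81)),
    Rule("mail-in", "in", "allow", ANY, "192.0.2.25/32", range(25, 26)),
]
# The "typical" posture: tight inbound rules, one catch-all outbound rule.
TYPICAL = INBOUND + [Rule("all-out", "out", "allow", "10.0.0.0/8", ANY, ALL_PORTS)]
# Outbound locked down: only the mail relay and the web proxy may leave.
LOCKED = INBOUND + [
    Rule("relay-smtp-out", "out", "allow", "10.0.0.25/32", ANY, range(25, 26)),
    Rule("proxy-web-out", "out", "allow", "10.0.0.80/32", ANY, range(80, 81)),
    Rule("proxy-tls-out", "out", "allow", "10.0.0.80/32", ANY, range(443, 444)),
]

# Constructed outbound flows: (label, source, destination, destination port)
FLOWS = [
    ("workstation FTP to offsite host", "10.1.2.3", "198.51.100.7", 21),
    ("workstation SMTP bypassing relay", "10.1.2.3", "198.51.100.7", 25),
    ("workstation to arbitrary high port", "10.1.2.3", "203.0.113.9", 27000),
    ("mail relay SMTP", "10.0.0.25", "198.51.100.7", 25),
    ("proxy HTTP", "10.0.0.80", "198.51.100.7", 80),
]

def compare(flows=FLOWS):
    """Map each flow label to (action under TYPICAL, action under LOCKED)."""
    return {label: (decide(TYPICAL, "out", s, d, p)[0],
                    decide(LOCKED, "out", s, d, p)[0])
            for label, s, d, p in flows}

if __name__ == "__main__":
    print("broad outbound rules:", broad_egress(TYPICAL), broad_egress(LOCKED))
    for label, (typical, locked) in compare().items():
        print(f"{label:36} typical={typical:5} locked={locked}")
```

Funnelling mail and Web traffic through a relay and a proxy also gives a content filter a single place to inspect outbound traffic.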

2. ========== SECURITY RISKS =========
(contributed by Mark Joseph Edwards, mark@ntsecurity.net)

* MICROSOFT OFFICE 2000 EXPOSES HIDDEN DRIVES
The original release of Microsoft's Office 2000 contains a bug that lets a 
user see hidden drives, even when those drives are hidden through the "Hide 
these specified drives in My Computer" group policy setting. According to 
Microsoft Support Online article Q249949, the problem occurs when the My 
Documents folder is located on a restricted drive.
   Microsoft corrected the problem with the release of Microsoft Office 
2000 Service Release 1 (SR-1), which you can download from the company's 
Web site, as explained in Support Online Article Q245025.
   http://support.microsoft.com/support/kb/articles/q249/9/49.ASP
   http://support.microsoft.com/support/kb/articles/Q245/0/25.ASP
   http://officeupdate.microsoft.com/info/office2ksr1.htm

3. ========== ANNOUNCEMENTS ==========

* WINDOWS 2000 DEPLOYMENT CONFERENCE: BEYOND THE BASICS
If your organization is planning to deploy Windows 2000 (Win2K) or even if 
you're only considering it, the Windows 2000 Deployment Conference: Beyond 
the Basics will provide the answers you need. This in-depth conference 
takes place in New Orleans, April 26 through 28. Win2K development team 
members will present many of the technical sessions. They will take you 
beyond core essentials to provide the solid technical information you need 
to begin your Win2K pilot and roll-out programs. Register now! This will be 
the only 3-day, in-depth Win2K deployment conference that Microsoft offers 
in the United States.
http://www.microsoft.com/windows2000/training/win2000dc/default.asp

* SUBSCRIBE TO OUR FREE THIN-CLIENT UPDATE EMAIL NEWSLETTER
In a biweekly newsletter, Windows 2000 Magazine contributing editor and 
online columnist Christa Anderson provides the latest thin-client news and 
trends related to Windows-based terminals. Learn about different protocols, 
available add-on tools, and distributed applications. Thin-Client UPDATE 
will keep you current on how the industry is changing and show you how to 
create a low-cost, centrally managed Windows environment.
http://www.win2000mag.com/sub.cfm?code=UP99INXTC

* SECURITY POLL: SHOULD COMPANIES BE ABLE TO SUE HACKERS FOR REVERSE 
ENGINEERING?
As we've mentioned in the past, information security is setting several new 
legal precedents because of the actions of hackers. Some people agree that 
hackers act as a loosely knit, rogue consumer protection agency by testing 
the strength of various security solutions and openly reporting what they 
find.
   Is it OK for companies to sue hackers who test the strength of their 
security products and solutions when those hackers expose their findings? 
Let us know what you think. Cast your vote on our home page today.
   http://www.ntsecurity.net

4. ========== SECURITY ROUNDUP ==========

* NEWS: MICROSOFT INTERNET SERVER SECURITY CONFIGURATION TOOL 1.0
Microsoft has released version 1.0 of its new Internet Server Security 
Configuration Tool. According to Microsoft, the tool makes it easy to 
secure a system that uses IIS 5.0 by first interviewing the administrator, 
then deploying policies that meet those needs.
   http://www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=112&TB=news

* NEWS: HAZARDS AND PITFALLS OF EMAIL
Marcelo Halpern discusses the hazards and pitfalls of using email in the 
workplace. In his column for ZDNET, Marcelo says that companies must 
control the use of email just as they control any other company resource. 
Failure to do so jeopardizes overall company welfare and can often lead to 
serious security problems.
   http://www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=109&TB=news

* NEWS: ASPAM TROJAN ON THE LOOSE
Network Associates reported the discovery of a new virus that poses as an 
antispamming tool from Microsoft. The tool arrives via email as a file 
attachment along with a lengthy spoofed message that alleges to come from 
Microsoft's "Anti Spam Campaign."
   http://www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=108&TB=news

* NEWS: TEEN'S BOAST OF HACKING BILL GATES LOOKS EMPTY
An 18-year-old UK man was arrested for cracking e-commerce sites and 
posting stolen credit card information on the Web. The man claimed to have 
obtained the credit card information of Microsoft cofounder Bill Gates. As 
it turns out, the man had obtained credit card information for a person 
named William F. Gates. The Gates of Microsoft fame is named William H. 
Gates.
   http://www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=113&TB=news

~~~~ SPONSOR: SUNBELT SOFTWARE - STAT: NT VULNERABILITY SCANNER ~~~~
Ever had that feeling of ACUTE PANIC that a hacker has invaded your 
network? Plug NT's holes before they plug you. There are now over 750 known 
NT vulnerabilities. You just have to protect your LAN _before_ it gets 
attacked. STAT comes with a responsive web-update service and a dedicated 
Pro SWAT team that helps you to hunt down and kill Security holes. Built by 
anti-hackers for DOD sites. Download a demo copy before you become a 
statistic.
http://www.sunbelt-software.com/stat.htm

5. ========== NEW AND IMPROVED ==========
(contributed by Judy Drennen, products@win2000mag.com)

* INTEGRATED FIREWALL/VPN/INTRUSION DETECTION PRODUCT
Ashley Laurent announced Virtual Private Communications (VPCom) 2.5, an 
integrated security product for small and midsized businesses. VPCom 
contains a comprehensive stateful inspection firewall (with NAT), IETF 
IPSec-compliant VPN, intrusion detection, and a multivendor remote VPN 
package. The highly integrated product lets branch offices and remote users 
hook up with a centralized DHCP server, eliminating the need for network 
infrastructure changes. The product also automatically resolves address 
conflicts between partner networks. You can implement VPCom as a firewall, 
VPN, or both. For more information, contact Ashley Laurent, 
1-512-322-0676.
   http://www.ashleylaurent.com
 
* SMART CARD-BASED SECURITY SOLUTION
Gemplus announced GemSAFE Enterprise on Microsoft Windows 2000. GemSAFE 
Enterprise is a corporate security solution that uses smart cards to 
enhance security and ease management of functions such as digital 
signatures and file encryption. GemSAFE Enterprise secures applications 
such as email, business-to-business e-commerce, or network access. It adds 
trust, portability, and ease of use to corporate network security by 
leveraging the inherent benefits of smart cards.
   GemSAFE Enterprise integrates with all Windows-based applications 
running on Windows 2000 (Win2K), Windows NT, and Windows 9x. GemSAFE 
Enterprise licensing begins at $49 per user, with volume discounts 
available. For more information, go to the Gemplus Web site.
   http://www.gemplus.com

6. ========== HOT RELEASE (ADVERTISEMENT) ==========

* AXENT'S FREE LINUX WEBCAST
Learn everything you need to know about installing a secure Linux 
environment. FREE one hour WebCast on April 27, 2000. Space is limited -- 
register today at:
http://www.win2000mag.com/jump.cfm?ID=23

7. ========== SECURITY TOOLKIT ==========

* BOOK HIGHLIGHT: THE PROCESS OF NETWORK SECURITY: DESIGNING AND MANAGING A 
SAFE NETWORK
By Thomas A. Wadlow
Online Price $31.45
Softcover; 283 Pages
Published by Addison Wesley, February 2000
ISBN 0201433176

In "The Process of Network Security," security specialist Thomas A. Wadlow 
reveals the approaches, techniques, and best practices that effectively 
secure the modern workplace. Written for network managers and 
administrators responsible for the security of large, enterprise-wide 
networks, this book focuses on security as a continuous process involving 
vigilant daily efforts in analysis, implementation, evaluation, and 
maintenance. It also emphasizes that to truly protect the enterprise, 
security professionals must consider not just individual machines, but the 
entire system--machines, people, and procedures. "The Process of Network 
Security" discusses the many issues involved and walks you through the 
specific steps of setting up a secure system, focusing on standard 
operating procedures and day-to-day operations and maintenance.

For Windows 2000 Magazine Security UPDATE readers only--Receive an 
additional 10 percent off the online price by typing WIN2000MAG in the 
discount field on the Shopping Basket Checkout Page. To order this book, go 
to
http://www.fatbrain.com/shop/info/0201433176?from=win2000mag

* TIP: PROTECT AGAINST UNWANTED DISK ACCESS
(contributed by Mark Joseph Edwards, mark@ntsecurity.net)

I can't begin to count the number of file system-related security holes 
that never became a problem on my systems. For example, older versions of 
IIS were known to expose sensitive information through the use of a URL 
that ended in a period or a "::$DATA" suffix. In addition, this week we 
cover a problem with Microsoft Office 2000 that exposes hidden drives to 
users who shouldn't be exposed to such resources. None of these problems 
affects an adequately protected Windows NT computer system.
   So how do you introduce adequate protection? By assuming the worst-case 
scenario and setting permissions accordingly. For example, you can 
certainly hide a drive from users, but you already know that obscurity 
offers very little security. Therefore, you must establish strict access 
permissions for the hidden drive to ensure only authorized users can access 
the data in the event that the drive is discovered.
   You can apply similar logic to IIS and other Web server platforms that 
support the use of embedded code for server-side processing, such as 
Microsoft's Active Server Pages (ASP) technology on IIS. ASP lets 
developers embed application code for specialized server-side processing, 
such as performing database queries against a SQL Server. You probably 
don't want users viewing your SQL query code because it might contain 
sensitive user credentials for connecting to a given SQL Server.
   To protect your Web code, put the code in a directory that disallows 
Read permission to Web site users. The Read permission settings block IIS 
from sending the unprocessed code to users, which prevents unwanted eyes 
from seeing that code. By doing so, you can prevent the IIS risks I 
mentioned previously and simultaneously guard against any future similar 
vulnerabilities.
   Be sure to inspect your file systems carefully to ensure you've set the 
strictest possible permissions. And remember to work from a worst-case 
scenario viewpoint when deciding which permissions to apply to disk drives, 
whether or not those drives are hidden.
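
The worst-case check from the tip above, as an added example (not part of the original newsletter): assume the hidden drive has been found and list which broad groups its ACL would let in. It assumes ACL listings in the output format of the Windows `icacls` tool, which the tip does not name; the drive letter, the `CORP\Finance` group, and both listings are constructed.

```python
import re

# Groups that take in nearly every account. An allow entry for one of them
# means the "hidden" setting is the only barrier between users and the data.
BROAD = {"everyone", "builtin\\users", "nt authority\\authenticated users"}
INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}
ACE_RE = re.compile(r"^(?P<who>.+?):(?P<flags>(?:\([^)]*\))+)$")

def parse_icacls(path, output):
    """Return (principal, kind, rights) tuples from `icacls <path>` output."""
    aces = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith(path):          # first line is prefixed with the path
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:                          # blank line or the summary line
            continue
        flags = re.findall(r"\(([^)]*)\)", m.group("flags"))
        kind = "deny" if "DENY" in flags else "allow"
        rights = [f for f in flags if f not in INHERIT_FLAGS and f != "DENY"]
        aces.append((m.group("who"), kind, rights[-1] if rights else ""))
    return aces

def exposed_grants(path, output):
    """Allow entries that give a broad group any right other than N (none)."""
    return [(who, rights) for who, kind, rights in parse_icacls(path, output)
            if kind == "allow" and who.lower() in BROAD and rights not in ("", "N")]

# Constructed listing: a drive that is hidden but still carries broad grants.
SAMPLE_HIDDEN = r"""D:\ BUILTIN\Administrators:(OI)(CI)(F)
    NT AUTHORITY\SYSTEM:(OI)(CI)(F)
    CORP\Finance:(OI)(CI)(M)
    Everyone:(OI)(CI)(RX)
    BUILTIN\Users:(CI)(AD)

Successfully processed 1 files; Failed processing 0 files"""

# Constructed listing: the same drive with only the intended principals.
SAMPLE_STRICT = r"""D:\ BUILTIN\Administrators:(OI)(CI)(F)
    NT AUTHORITY\SYSTEM:(OI)(CI)(F)
    CORP\Finance:(OI)(CI)(M)

Successfully processed 1 files; Failed processing 0 files"""

if __name__ == "__main__":
    for label, listing in (("hidden only", SAMPLE_HIDDEN), ("strict", SAMPLE_STRICT)):
        print(label, exposed_grants("D:\\", listing))
```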

* HOWTO: WINDOWS 2000 GROUP POLICIES
You've read Randy Franklin Smith's security-related articles in Windows 
2000 Magazine. Now you'll find even more of Randy's expert opinion and 
hands-on advice at NTSecurity.net. In his new biweekly column, Randy covers 
Win2K security from the ground up.
   As you know, Win2K has numerous new security features and an entirely 
new way of handling overall security architecture through Active Directory 
(AD). In his first column, Randy covers the basics of Group Policy under 
Win2K and discusses differences from Windows NT 4.0 policies.
   http://www.ntsecurity.net/go/win2ksec.asp

* HOWTO: GOOD PROGRAMMING AND THE RULES FOR WRITING SECURE CODE
Windows 2000 Magazine welcomes David LeBlanc to our team! As you know, 
David is a senior technologist at Microsoft, working with information 
security. In his new biweekly column, David looks under the hood of Win32 
application development to cover issues and concerns centered on writing 
secure code.
   In his first installment, David focuses on writing secure code using C 
and C++. Microsoft used C and C++ to develop Windows 2000 (Win2K) and 
Windows NT, and developers can most easily access the OSs' security 
features using these languages. Be sure to stop by and read David's first 
column.
   http://www.ntsecurity.net/go/secure-code.asp

8. ========== HOT THREADS ==========

* WINDOWS 2000 MAGAZINE ONLINE FORUMS

The following text is from a recent threaded discussion on the Windows 
2000 Magazine online forums (http://www.win2000mag.com/support). 

March 21, 2000, 01:38 P.M. 
Adding Permissions 
Is there a way to just blindly add a user/group to the permissions of 
subfolders without disrupting the current permission setup? For example, 
can I add Domain Admins to a group of user folders without changing the 
current setup of permissions and without disrupting the users of those 
folders? I do not want to remove any permissions, just add one.

Thread continues at
http://www.win2000mag.com/support/Forums/Application/Index.cfm?CFApp=69&Message_ID=96001

* WIN2KSECADVICE MAILING LIST
Each week we offer a quick recap of some of the highlights from the
Win2KSecAdvice mailing list. The following thread is in the spotlight
this week:

Crypto-Gram Coverage of Kerberos, March 2000
http://www.ntsecurity.net/go/w.asp?A2=IND0003D&L=WIN2KSECADVICE&P=1410

Follow this link to read all threads for March, Week 5:
   http://www.ntsecurity.net/go/win2ks-l.asp?s=win2ksec

* HOWTO MAILING LIST
Each week we offer a quick recap of some of the highlights from the
HowTo for Security mailing list. The following threads are in the
spotlight this week:

1. DMZ Area
http://www.ntsecurity.net/go/L.asp?A2=IND0003D&L=HOWTO&P=1775

2. Print Quotas Under Windows 2000?
http://www.ntsecurity.net/go/L.asp?A2=IND0003D&L=HOWTO&P=1585

Follow this link to read all threads for March, Week 4:
   http://www.ntsecurity.net/go/l.asp?s=howto

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

WINDOWS 2000 MAGAZINE SECURITY UPDATE STAFF
News Editor - Mark Joseph Edwards (mje@win2000mag.com)
Ad Sales Manager (Western) - Jim Langone (jim@win2000mag.com)
Ad Sales Manager (Eastern) - Tanya T. TateWik (ttatewik@win2000mag.com)
Associate Publisher/Network - Martha Schwartz (mschwartz@win2000mag.com)
Editor - Gayle Rodcay (gayle@win2000mag.com)
New and Improved - Judy Drennen (products@win2000mag.com)
Copy Editor - Judy Drennen (jdrennen@win2000mag.com)

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-


Copyright 2000, Windows 2000 Magazine