**********************************************************
WINDOWS 2000 MAGAZINE SECURITY UPDATE
**Watching the Watchers**
The weekly Windows 2000 and Windows NT security update newsletter brought to you by Windows 2000 Magazine and NTSecurity.net
http://www.win2000mag.com/update/
**********************************************************

This week's issue sponsored by Trend Micro -- Your Internet VirusWall
http://www.antivirus.com/welcome/springfwd04052000.htm

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

April 5, 2000 - In this issue:

1. IN FOCUS
   - Application Service Providers: Are They Sitting Ducks?

2. SECURITY RISKS
   - Index Server Exposes Web Code
   - Malformed TCP/IP Print Request
   - UNC Mappings and IIS Virtual Paths Expose Code

3. ANNOUNCEMENTS
   - Register Today for Microsoft Tech-Ed 2000
   - Turn Your Knowledge into Something You Can Drive!

4. SECURITY ROUNDUP
   - News: Office 2000 SR-1 Update Might Contain Numerous Bugs
   - News: IPv6 in Windows 2000 at Least 2 Years Out
   - News: Army to Adopt Biometric Security

5. NEW AND IMPROVED
   - Protection from Hacker Attacks
   - Increased Security for E-Commerce

6. HOT RELEASE (ADVERTISEMENT)
   - WebTrends Security Analyzer 3.5 - 1,000+ Tests

7. SECURITY TOOLKIT
   - Book Highlight: Managing TCP/IP Networks: Techniques, Tools and Security
   - Tip: Minimize the Risk of Using Windows 2000 Professional
   - Windows 2000 Security: Reducing the Risks of Group Policies
   - Ultimate Security Toolkit: Internet Scanner 6.1
   - Writing Secure Code: Avoiding Buffer Overruns with String Safety

8. HOT THREADS
   - Windows 2000 Magazine Online Forums
     Let Non-Administrators Add a Local Printer on NT Workstation
   - Win2KSecAdvice Mailing List
     Aureate/Radiate Update
     BAT.Chode.Worm Appears not to Affect NT/Win2K
   - HowTo Mailing List
     Enterprise Security Manager any Good?
~~~~ SPONSOR: TREND MICRO -- YOUR INTERNET VIRUSWALL ~~~~
Now that spring has turned the clock forward, don't lose any more hours of sleep worrying about your network servers' virus security. Instead, use Trend Micro's family of antivirus solutions. Trend Micro is a world leader in antivirus and content security technologies. They offer protection for the Internet gateway, Notes and Exchange email servers, desktop machines and everywhere in between -- forming a protective, content security VirusWall around your entire network.
http://www.antivirus.com/welcome/springfwd04052000.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Want to sponsor Windows 2000 Magazine Security UPDATE? Contact Jim Langone (Western Advertising Sales Manager) at 800-593-8268 or jim@win2000mag.com, OR Tanya T. TateWik (Eastern and International Advertising Sales Manager) at 877-217-1823 or ttatewik@win2000mag.com.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. ========== IN FOCUS ==========

Hello everyone,

Two years ago, when someone used the acronym ASP, they were probably referring to Microsoft's Active Server Pages technology. Today, a new group of entities that call themselves application service providers (ASPs) has appropriated the acronym. ASPs offer businesses and other end users centralized network-based access to a set of everyday applications for a fee. Using a high-speed network connection, users connect to an ASP to run the applications they need.

Microsoft CEO Steve Ballmer once said that shrink-wrapped software will one day become a thing of the past. I think that ASPs are the inevitable replacement for shrink-wrapped software, so what are the pros and cons of this form of computing? With the use of ASPs, the cost of operation for a network will replace the cost of ownership. In the future, instead of owning your network, you might lease it.
Large ASPs might eventually offer your business a total network solution, including all software, hardware, cabling, maintenance, support, Internet connectivity, and upgrades. With that basic network service plan, ASPs will probably guarantee uptime, network response time, and information security.

If anything will stymie ASPs' acceptance in the marketplace, it will be security. The reasons are manifold but are mainly found in the potential for Denial of Service (DoS) attacks and data interception. Are today's OSs and network hardware robust enough to fend off Distributed Denial of Service (DDoS) attacks? Has VPN technology been tested thoroughly enough that a business can trust its ability to continually protect data? I think you'll find that the answer is no to both questions.

For example, Microsoft's VPN solution is PPTP. Security organizations Counterpane and L0pht proved that Microsoft's first rendition of PPTP was seriously flawed. Microsoft corrected those shortcomings with the release of PPTPv2, but what other problems remain undetected or unreported? An even bigger concern might be why Microsoft didn't detect these problems before releasing the technology.

Numerous vendors release less-than-secure products, so Microsoft is not alone in that category. Perhaps I'm wrong, but it seems as though vendors prefer to release software, then wait for independent hackers to find problems with it, which the vendor then fixes at its leisure. This routine of waiting for third parties to find bugs in already-released software shifts the cost of debugging from the vendor to the consumers. Is it fair to put consumers at risk like that? And more importantly, will that cost-shifting methodology work with ASP-based solutions? I seriously doubt it. The public doesn't accept claims of product security at face value. If a vendor makes a claim about security, hackers will test that claim and report their findings.
If vendors don't change the way they test code and do a more thorough job of looking for security risks, hackers will have a field day on ASPs. Hackers will quickly prove how easily they can disrupt ASP service or compromise information security. And if hackers do those things, isn't that beneficial to everyone who relies on the ASP and its applications? I think so. Perhaps insecure applications are no different than any other defective product, where it's the manufacturer's ultimate responsibility to keep the product safe to use.

The bottom line is that for ASP technology to become acceptable across the board, it must first be certified as a secure computing method. But who will make that certification? You certainly can't accept a vendor's claims at face value--they've proved time and again that they are fallible when it comes to the development of risk-free applications. And even if the applications are deemed secure, which ASP will boldly certify that it's DDoS-proof or crack-proof? If an ASP becomes the target of DDoS attacks or a serious breach of security, how will that ASP compensate its clients for any subsequent loss of business revenue? Will businesses have to waive the right to revenue recovery when they contract with an ASP? Will governments have to eventually intervene on behalf of any businesses affected by ASP security issues? Will ASPs become regulated like other communication services?

ASP technology raises many questions, most of which have no clear answer yet. But one thing seems clear: ASPs are not ready for prime time. The security risks alone are too great for most businesses to accept. Nonetheless, Microsoft and other vendors intend to realize their envisioned future of a society without shrink-wrapped software. Several aspects of computing will need to change before that happens: Vendors must enhance the way they test their code for security problems, and networks must become more resistant to all types of DoS attacks.
Until that happens, I think ASPs will remain sitting ducks.

On a related note, you can stay current on the latest ASP happenings by subscribing to our biweekly ASP Review UPDATE electronic newsletter featuring News Editor Christa Anderson. Stop by our Web site at http://www.win2000mag.com/ourproducts/email to subscribe.

Also, I'd like to point out that you can now find my weekly editorial posted on our NTSecurity.net Web site each Wednesday afternoon, complete with functionality that lets you post your own comments. Be sure to stop by and discuss ASPs with me. I'm anxious to learn your ideas, concerns, and opinions.

Until next time, have a great week.

Sincerely,
Mark Joseph Edwards, News Editor
mark@ntsecurity.net

2. ========== SECURITY RISKS ==========
(contributed by Mark Joseph Edwards, mark@ntsecurity.net)

* INDEX SERVER EXPOSES WEB CODE
If a request is made for a particular IIS URL related to Index Server, the system can be tricked into exposing source code for files on the Web site. The problem resides in Microsoft's implementation of webhits.dll, which has an associated memory-resident file named null.htw. The file exists only in memory, where the webhits.dll code handles all calls to the file. If you append a space in a particular manner to the end of a URL destined for null.htw, the system reveals a file's source code instead of processing the file as usual. The problem affects Indexing Service on Windows 2000 (Win2K) and Index Server 2.0 on Windows NT 4.0. Microsoft has issued patches, an FAQ, and a Support Online article regarding this matter.
http://www.ntsecurity.net/go/loader.asp?iD=/security/iis4-7.htm

* MALFORMED TCP/IP PRINT REQUEST
USSRLabs reported that a specially malformed TCP/IP print request can cause tcpsvc.exe to crash, which not only prevents the server from providing printing services, but also stops several other services, including DHCP. The problem affects users of Windows 2000 (Win2K) and Windows NT 4.0.
Users should note that the affected TCP/IP print service is not the same as the native print service under Win2K Pro and NT 4.0. Microsoft has issued patches, an FAQ, and a Support Online article regarding this matter.
http://www.ntsecurity.net/go/loader.asp?iD=/security/ntprint1.htm

* UNC MAPPINGS AND IIS VIRTUAL PATHS EXPOSE CODE
If a virtual directory on an IIS server is mapped to a Universal Naming Convention (UNC) share, and a request for a file in the directory contains one of several specific characters at the end, the expected ISAPI extension processing might not occur. The result is that the source code of the file is sent to the browser. The problem affects Microsoft IIS 4.0 and 5.0, Proxy Server 2.0, Site Server, Site Server Commerce Edition 3.0, and Commercial Internet System 2.0 and 2.5. Microsoft has released patches, an FAQ, and a Support Online article related to this matter.
http://www.ntsecurity.net/go/loader.asp?iD=/security/iis4-6.htm

3. ========== ANNOUNCEMENTS ==========

* REGISTER TODAY FOR MICROSOFT TECH-ED 2000!
Microsoft Tech-Ed 2000 focuses specifically on products and technologies that you can use TODAY! Join more than 10,000 of your peers at the premier technical training event--Microsoft Tech-Ed 2000, June 5 through 8 in Orlando, Florida. This year, Microsoft Tech-Ed 2000 will feature more than 220 sessions delivered by Microsoft developers and third-party experts. They will cover topics related to the core products that make up Windows DNA 2000--the platform that gives you the fastest time-to-market for building Web applications that can integrate with your existing applications. Don't miss out on all this valuable technical training! Get the in-depth technical education you need about the latest products, technologies, and services that will change business computing in the coming year, and solve your real business issues now.
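Both source-disclosure advisories in the Security Risks section above (the null.htw Index Server issue and the UNC virtual-path issue) share one shape in the Web server log: a request whose path continues past a server-processed extension. The detector below is an added example, not code from the newsletter or from Microsoft's advisories. It scans a few constructed lines in IIS W3C extended log format and flags that shape. It assumes the field order date, time, c-ip, cs-method, cs-uri-stem, cs-uri-query, sc-status, and that the log writer percent-encodes a space inside the URI as %20. It goes a step beyond the advisories: since the UNC advisory does not name the offending characters, it treats any non-alphanumeric tail after .asp, .asa or .htw as worth an alert, and a plain .htw request as worth a review on sites that do not use hit highlighting.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample lines in IIS W3C extended log format with the assumed
 * field order "date time c-ip cs-method cs-uri-stem cs-uri-query sc-status".
 * A space inside the URI is assumed to be logged as %20. */
static const char *SAMPLE_LOG[] = {
    "2000-04-05 10:22:31 10.0.0.5 GET /default.asp - 200",
    "2000-04-05 10:22:40 10.0.0.5 GET /search/hits.htw CiRestriction=none 200",
    "2000-04-05 10:23:02 192.0.2.7 GET /null.htw%20 - 200",
    "2000-04-05 10:23:15 192.0.2.7 GET /orders/list.asp%20 - 200",
    "2000-04-05 10:23:30 10.0.0.9 GET /images/logo.gif - 200",
    NULL
};

/* Extensions that IIS hands to a server-side handler; their source must
 * never be returned to the browser as-is. */
static const char *HANDLER_EXT[] = { ".asp", ".asa", ".htw", NULL };

enum verdict { V_NONE = 0, V_REVIEW = 1, V_ALERT = 2 };

/* Copy the fifth space-separated field (cs-uri-stem) into out[]. The copy is
 * bounded so a hostile log line cannot overrun out[]. Returns 1 on success. */
static int extract_stem(const char *line, char *out, size_t outlen)
{
    const char *p = line;
    for (int field = 0; field < 4; field++) {
        const char *sp = strchr(p, ' ');
        if (sp == NULL) return 0;          /* too few fields: not a log line */
        p = sp + 1;
    }
    const char *end = strchr(p, ' ');
    size_t len = end ? (size_t)(end - p) : strlen(p);
    if (len == 0 || len + 1 > outlen) return 0;
    memcpy(out, p, len);
    out[len] = '\0';
    return 1;
}

/* Case-insensitive search for ext inside stem. Returns a pointer to the first
 * character after the match, or NULL when ext does not occur. */
static const char *after_ext(const char *stem, const char *ext)
{
    size_t n = strlen(ext);
    for (const char *p = stem; *p != '\0'; p++) {
        size_t i = 0;
        while (i < n && p[i] != '\0' &&
               tolower((unsigned char)p[i]) == (unsigned char)ext[i])
            i++;
        if (i == n) return p + n;
    }
    return NULL;
}

/* Classify one log line:
 *   V_ALERT  - a handler extension is followed by a non-alphanumeric tail
 *              (for example an encoded space), the shape of both advisories
 *   V_REVIEW - a plain request for a .htw (webhits) resource; normal on sites
 *              that use Index Server hit highlighting, suspicious elsewhere
 *   V_NONE   - nothing of interest (".aspx"-style longer extensions are not
 *              counted as a tail, so they stay V_NONE) */
enum verdict classify_request(const char *line)
{
    char stem[512];
    enum verdict v = V_NONE;
    if (!extract_stem(line, stem, sizeof stem)) return V_NONE;
    for (int i = 0; HANDLER_EXT[i] != NULL; i++) {
        const char *tail = after_ext(stem, HANDLER_EXT[i]);
        if (tail == NULL) continue;
        if (*tail != '\0' && !isalnum((unsigned char)*tail)) return V_ALERT;
        if (strcmp(HANDLER_EXT[i], ".htw") == 0) v = V_REVIEW;
    }
    return v;
}

/* Number of V_ALERT lines in a NULL-terminated array of log lines. */
int count_alerts(const char *const *lines)
{
    int n = 0;
    for (int i = 0; lines[i] != NULL; i++)
        if (classify_request(lines[i]) == V_ALERT) n++;
    return n;
}

int main(void)
{
    static const char *label[] = { "ok", "review", "ALERT" };
    for (int i = 0; SAMPLE_LOG[i] != NULL; i++)
        printf("%-6s %s\n", label[classify_request(SAMPLE_LOG[i])], SAMPLE_LOG[i]);
    printf("%d alert(s)\n", count_alerts(SAMPLE_LOG));
    return 0;
}
```

A status of 200 on an alerted line means the server answered the request, so the file named in the stem should be assumed disclosed until the patch is confirmed installed; the two alert lines in the constructed sample are exactly that case.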
Register now at http://msdn.microsoft.com/events/teched/defaultr.asp

* TURN YOUR KNOWLEDGE INTO SOMETHING YOU CAN DRIVE!
Ready to test your knowledge of evaluating, deploying, maintaining, and troubleshooting Microsoft products? Here's your chance to compete in a skills-based sweepstakes for a BMW Z3 Roadster from BMW of North America. Enter the Microsoft TechNet Puzzler contest today!
http://www.microsoft.com/technet/puzzler/default.ASP

4. ========== SECURITY ROUNDUP ==========

* NEWS: OFFICE 2000 SR-1 UPDATE MIGHT CONTAIN NUMEROUS BUGS
Last week we learned that BugNet was investigating claims about no fewer than 10 serious problems that reside within Microsoft's Service Release 1 (SR-1) Update for Office 2000. On March 31, Microsoft released an updated version of SR-1, which corrects numerous problems. If you're an Office 2000 user, be sure to load the latest SR-1 Update.
http://officeupdate.microsoft.com/2000/downloadDetails/O2kSR1DDL.htm

* NEWS: IPV6 IN WINDOWS 2000 AT LEAST 2 YEARS OUT
In March, Microsoft posted preview code that enables Windows 2000 (Win2K) to support the newer IPv6 protocol specification. However, according to Mitch Wagner's report for TechWeb, Microsoft's official support for IPv6 under Win2K is still at least 2 years away. As you know, IPv6 provides expanded address space, better routing, and enhanced support for security features, such as the ability to deny address spoofing and support for IPSec.
http://www.techweb.com/se/directlink.cgi?INW20000327S0031

* NEWS: ARMY TO ADOPT BIOMETRIC SECURITY
Dan Verton reports that the US Army is studying the ethical and legal implications of replacing personal passwords with biometric devices. As you know, biometric devices enhance security through their ability to read fingerprints, recognize voices and faces, and capture a host of other personal biologically related information from a given computer user.
http://www.fcw.com/fcw/articles/2000/0403/tec-mouse-04-03-00.asp

5. ========== NEW AND IMPROVED ==========
(contributed by Judy Drennen, products@win2000mag.com)

* PROTECTION FROM HACKER ATTACKS
Recourse Technologies released ManHunt, a security solution designed to protect corporations from hacker attacks. ManHunt lets businesses track hackers across Internet boundaries. ManHunt working with ManTrap enables companies to track and trap hackers. ManHunt detects attacks against distributed computer networks and responds by tracking the attacker back across numerous Internet hops. ManHunt determines the precise network entry point and forwards the information to upstream ISPs. Contact Recourse Technologies at 877-786-9633 or visit the Web site.
http://www.recourse.com

* INCREASED SECURITY FOR E-COMMERCE
RapidStream announced RapidStream Scalable Security Architecture (RSSA), which takes network security to a new performance level. The RapidStream architecture addresses the previously missing technical advancement needed in security systems to meet increased security requirements for e-commerce, email, voice, and hosts (Web servers, application servers, file servers). By deploying RapidStream Security Appliances, a company can secure its internal network by adding access control (firewall and hacker detection) and data secrecy (encryption). Outsourced Web servers and application servers can also receive this same level of protection from Internet attacks without giving up performance, a critical requirement for service providers who offer Service Level Agreements (SLAs). The RapidStream architecture was designed to execute multiple services simultaneously at high throughputs while adding minimal delay (latency). For more information, contact Bruce Byrd at 408-519-4891, Fran Aun at 415-288-0401, or visit the RapidStream Web site.
http://www.RapidStream.com

6. ========== HOT RELEASE (ADVERTISEMENT) ==========

* WEBTRENDS SECURITY ANALYZER 3.5 - 1,000+ TESTS
WebTrends Security Analyzer 3.5 provides complete security vulnerability analysis with over 1,000 tests for Windows 95, 98, NT, 2000, Red Hat and VA Linux, and Solaris systems. Get the FREE 10 System Edition for immediate download.
http://www.webtrends.com/redirect/securityupdate1.htm

7. ========== SECURITY TOOLKIT ==========

* BOOK HIGHLIGHT: MANAGING TCP/IP NETWORKS: TECHNIQUES, TOOLS AND SECURITY
By Gilbert Held
Online Price $89.95
Hardcover; 334 Pages
Published by John Wiley & Sons, February 2000
ISBN 0471800031

Numerous management issues are associated with the construction and operation of a TCP/IP network. This comprehensive text addresses these issues, ranging from the planning behind the assignment of TCP/IP addresses to the ability to recognize network problems and the appropriate use of diagnostic tools to discover their cause. This book's accessible style will appeal to a wide-ranging audience: professionals in the field of data communications and computer science, LAN administrators, network managers, network analysts, network designers, and network engineers. It's also essential reading for students of electrical and electronic engineering, computer science, and communications.

For Windows 2000 Magazine Security UPDATE readers only--Receive an additional 10 percent off the online price by typing in WIN2000MAG in the discount field on the Shopping Basket Checkout page.
To order this book, go to http://www.fatbrain.com/shop/info/0471800031?from=win2000mag
Or visit the Windows 2000 Magazine Network Bookstore at http://www1.fatbrain.com/store.cl?p=win2000mag&s=97772

* TIP: MINIMIZE THE RISK OF USING WINDOWS 2000 PROFESSIONAL
(contributed by Mark Joseph Edwards, mark@ntsecurity.net)
Windows 2000 Professional (Win2K Pro) is a brand-new OS with lots of bells and whistles, so its available services deserve careful inspection before you connect it to the Internet. If you perform your own Win2K Pro installation, install only the services that you absolutely require. If someone other than yourself built or maintains your system, you should review all services for proper configuration.

For example, did you know that Win2K Pro lets a remote user start the Telnet service if your system is not protected against such action? Therefore, if you don't need a Telnet service, don't install it. And if the service is already installed, remove or disable it. Minimally, inspect each installed service to ensure no unwanted services have been enabled for automatic or manual start. If you have services installed that you'll never use, remove them from your systems. These actions help prevent intruders from starting services without your knowledge. If you have a service installed that you'll use only on rare occasions, disable that service until you need it.

Be sure to inspect and test all the security aspects of any installed services for proper configuration. For example, if you have an FTP service installed, ensure that only authorized accounts can log on to that service and that those accounts can access only the parts of the file system you authorize.

* WINDOWS 2000 SECURITY: REDUCING THE RISKS OF GROUP POLICIES
In the second installment of his biweekly column, Randy Franklin Smith looks at some of the major differences between Group Policy under Windows 2000 (Win2K) and Windows NT 4.0.
Randy points out some caveats and offers advice about how to avoid pitfalls as your network evolves. Be sure to stop by and read Randy's new article today.
http://www.ntsecurity.net/go/win2ksec.asp

* ULTIMATE SECURITY TOOLKIT: INTERNET SCANNER 6.1
Steve Manzuik looks at Internet Scanner 6.1 from Internet Security Systems in Atlanta. According to Steve, the product is stable and scans for more than 600 vulnerabilities, but it can be expensive compared to some competing tools on the market today. Stop by and read what Steve has to say about this leading-edge tool.
http://www.ntsecurity.net/go/ultimate.asp

* WRITING SECURE CODE: AVOIDING BUFFER OVERRUNS WITH STRING SAFETY
This week, David LeBlanc offers developers advice that will help avoid some of the pitfalls of string handling. Denial of Service (DoS) attacks are the leading form of attack on most networks today. Proper string handling in an application can prevent many common DoS attacks by not providing an attacker the means to overrun a buffer. As you know, buffer overruns can corrupt system memory, crash system services, and in some cases let an attacker run arbitrary code on your system. If you're a Win32 application developer, be sure to read David's latest column.
http://www.ntsecurity.net/go/seccode.asp

8. ========== HOT THREADS ==========

* WINDOWS 2000 MAGAZINE ONLINE FORUMS
The following text is from a recent threaded discussion on the Windows 2000 Magazine online forums (http://www.win2000mag.com/support).

March 23, 2000, 03:58 A.M.
Let Non-administrators Add a Local Printer on NT Workstation
The users on our NT 4.0 Workstation (SP6a) laptops do not have local administrator privileges. This gives a certain level of security, but unfortunately, they are not able to add a local printer either. Is there a way to work around this?
Thread continues at http://www.win2000mag.com/support/Forums/Application/Index.cfm?CFApp=69&Message_ID=96337.
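The string-handling point in the Writing Secure Code item above, worked through as an added example that is not David LeBlanc's code or taken from his column: the unbounded copy that lets oversized input overrun a fixed buffer (and the strncpy variant that leaves it unterminated) is shown only as a comment, beside a bounded copy that refuses input that does not fit and always terminates the destination. The buffer size, the function names and the sample inputs are this example's own assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define USER_MAX 16   /* assumed buffer size: 15 characters plus the terminating NUL */

/* The patterns the column warns against, shown only as a comment and never
 * called here:
 *
 *   char name[USER_MAX];
 *   strcpy(name, request);             // no bound: a long request writes past name[]
 *   strncpy(name, request, USER_MAX);  // bounded, but leaves name[] with no
 *                                      // terminating NUL when request holds
 *                                      // USER_MAX or more characters
 */

/* Bounded copy that never writes past dst[dstlen-1], never reads more than
 * dstlen bytes of src (so an unterminated src cannot send strlen() off the
 * end), and always leaves dst NUL-terminated. Oversized input is refused
 * outright rather than silently truncated. Returns 0 on success, -1 on refusal. */
int bounded_copy(char *dst, size_t dstlen, const char *src)
{
    if (dst == NULL || src == NULL || dstlen == 0) return -1;
    for (size_t i = 0; i < dstlen; i++) {
        dst[i] = src[i];
        if (src[i] == '\0') return 0;    /* terminator copied within bounds */
    }
    dst[0] = '\0';                        /* no terminator within dstlen: refuse */
    return -1;
}

/* Consumer of untrusted input: a username field read from a request. Accepts
 * only names that fit the buffer and consist of [A-Za-z0-9_]. Returns 1 when
 * out holds a valid name, 0 otherwise (out is then an empty string). */
int accept_username(const char *input, char *out, size_t outlen)
{
    if (bounded_copy(out, outlen, input) != 0) return 0;
    for (const char *p = out; *p != '\0'; p++) {
        if (!isalnum((unsigned char)*p) && *p != '_') {
            out[0] = '\0';
            return 0;
        }
    }
    return 1;
}

int main(void)
{
    char name[USER_MAX];
    /* Constructed inputs: a normal name and one far longer than the buffer. */
    const char *ok = "alice";
    const char *overlong = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
    printf("%-40s -> %s\n", ok,
           accept_username(ok, name, sizeof name) ? name : "rejected");
    printf("%-40s -> %s\n", overlong,
           accept_username(overlong, name, sizeof name) ? name : "rejected");
    return 0;
}
```

Passing the destination size as a parameter, rather than relying on the caller and callee agreeing on a constant, is what keeps the check honest when the buffer is later resized; refusing rather than truncating avoids the second-order bugs a silently shortened name can cause downstream.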
* WIN2KSECADVICE MAILING LIST
Each week we offer a quick recap of some of the highlights from the Win2KSecAdvice mailing list. The following threads are in the spotlight this week:

1. Aureate/Radiate Update
I believe that people are getting MUCH TOO UPSET by OptOut's reports of the presence of Aureate/Radiate's advertising software in their computers. So I need to clearly state a few things right now for the record.
http://www.ntsecurity.net/go/w.asp?A2=IND0004A&L=WIN2KSECADVICE&P=322

2. BAT.Chode.Worm Appears not to Affect NT/Win2K
It appears that the worm will only work on Win9x, DOS, Win 3.x boxes and not NT or Win2K. From reading the technical details the worm relies on autoexec.bat, win.com, and winsock.vbs in order to run. Again, it is probably possible to modify this worm to affect NT/Win2K.
http://www.ntsecurity.net/go/w.asp?A2=IND0004A&L=WIN2KSECADVICE&P=204

Follow this link to read all threads for April, Week 1:
http://www.ntsecurity.net/go/win2ks-l.asp?s=win2ksec

* HOWTO MAILING LIST
Each week we offer a quick recap of some of the highlights from the HowTo for Security mailing list. The following thread is in the spotlight this week:

Enterprise Security Manager Any Good?
Does anybody know if Axent's security product Enterprise Security Manager (ESM) is any good? We are going to evaluate a few security products and I want to know if it is worth evaluating ESM.
http://www.ntsecurity.net/go/L.asp?A2=IND0004A&L=HOWTO&P=81

Follow this link to read all threads for April, Week 1:
http://www.ntsecurity.net/go/l.asp?s=howto

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

WINDOWS 2000 MAGAZINE SECURITY UPDATE STAFF
News Editor - Mark Joseph Edwards (mje@win2000mag.com)
Ad Sales Manager (Western) - Jim Langone (jim@win2000mag.com)
Ad Sales Manager (Eastern) - Tanya T. TateWik (ttatewik@win2000mag.com)
Associate Publisher/Network - Martha Schwartz (mschwartz@win2000mag.com)
Editor - Gayle Rodcay (gayle@win2000mag.com)
New and Improved - Judy Drennen (products@win2000mag.com)
Copy Editor - Judy Drennen (jdrennen@win2000mag.com)

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

========== GET UPDATED! ==========
Receive the latest information about the Windows 2000 and Windows NT topics of your choice. Subscribe to these other FREE email newsletters at http://www.win2000mag.com/sub.cfm?code=up99inxsup.

Windows 2000 Magazine UPDATE
Windows 2000 Magazine Thin-Client UPDATE
Windows 2000 Magazine Exchange Server UPDATE
Windows 2000 Magazine Storage UPDATE
Windows 2000 Pro UPDATE
ASP Review UPDATE
SQL Server Magazine UPDATE
SQL Server Magazine XML UPDATE
IIS Administrator UPDATE
WinInfo UPDATE

SUBSCRIBE/UNSUBSCRIBE/CHANGE ADDRESS
Thank you for reading Windows 2000 Magazine Security UPDATE.

To subscribe, go to the UPDATE home page at http://www.win2000mag.com/update or send a blank email to join-securityupdate@list.win2000mag.net.

To remove yourself from the list, send a blank email to leave-securityupdate-120275L@list.win2000mag.net.

To change your email address, send a message with the sentence
set securityupdate email="new email address"
as the message text to securityupdate@list.win2000mag.net. Replace the words "new email address" with your new email address (include the quotes).

If you have questions or problems with your UPDATE subscription, please contact securityupdate@win2000mag.com. We will address your questions or problems as quickly as we can, but please allow 2 issues for resolution.

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|
Copyright 2000, Windows 2000 Magazine