**********************************************************
WINDOWS 2000 MAGAZINE SECURITY UPDATE
**Watching the Watchers**
The weekly Windows 2000 and Windows NT security update newsletter
brought to you by Windows 2000 Magazine and NTSecurity.net
http://www.win2000mag.com/update/
**********************************************************

This week's issue sponsored by

BindView Corporation
http://razor.bindview.com

VeriSign - The Internet Trust Company
http://www.verisign.com/cgi-bin/go.cgi?a=n016007860008000
(Below SECURITY ROUNDUP)

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

April 26, 2000 - In this issue:

1. IN FOCUS
   - Is Address Licensing Inevitable?

2. SECURITY RISKS
   - FrontPage 2000 Exposes Win2K Accounts
   - Buffer Overflow in Cmd.exe
   - Active Directory Mixed Object Access
   - Cisco IOS Subject to Denial of Service
   - Real Server Denial of Service
   - Netscape Communicator Exposes Local Files
   - Buffer Overflow and Path Exposure in HTimage
   - Internet Explorer 5.01 Allows Cross-Frame Navigation
   - NetWare 5.1 Remote Administration Overflow
   - Panda Security 3.0 Can Be Bypassed

3. ANNOUNCEMENTS
   - Storage UPDATE--Free Email Newsletter
   - Training & Certification UPDATE--Free Email Newsletter

4. SECURITY ROUNDUP
   - News: Hardware-based Packet Filter Hits Landmark Speeds
   - News: Equinix Opens High Security Facility

5. NEW AND IMPROVED
   - Alliance Offers Internet Security Tool
   - Enterprise Auditing, Security, and Protection Software
   - Security Kit for Laptops and Notebooks

6. HOT RELEASE (ADVERTISEMENT)
   - GFI’s LANguard - Internet/Network Access Control
   - Network-1 Security Solutions - Securing e-Business Networks

7. SECURITY TOOLKIT
   - Book Highlight: Peter Norton's Guide to Network Security Fundamentals
   - Tip: Convert to NTFS During Unattended Installation
   - Writing Secure Code: Avoid Buffer Overruns with String Safety

8.
HOT THREADS
   - Windows 2000 Magazine Online Forums: Service Pack Release
   - Win2KSecAdvice Mailing List: HotMail Security Hole: Inject JavaScript into Email
   - HowTo Mailing List: Free Internet Access, a Security Risk?; Managing NT Permissions

~~~~ SPONSOR: BINDVIEW CORPORATION ~~~~
Get secure with BindView! Not only do we provide best-of-breed IT risk management solutions to help you secure your Windows NT, 2000, Microsoft Exchange, UNIX, and NetWare enterprises, we back them up with the RAZOR team. BindView's RAZOR is a worldwide team of security experts dedicated to researching and developing cutting-edge technology to secure networks and computers. Visit the RAZOR Web site and find out how BindView can help you get secure. While you are there, sign up for our bi-monthly security newsletter that addresses the most up-to-date security issues at http://razor.bindview.com.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Want to sponsor Windows 2000 Magazine Security UPDATE? Contact Jim Langone (Western Advertising Sales Manager) at 800-593-8268 or jim@win2000mag.com, OR Tanya T. TateWik (Eastern and International Advertising Sales Manager) at 877-217-1823 or ttatewik@win2000mag.com.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. ========== IN FOCUS ==========

Hello everyone,

Distributed Denial of Service (DDoS) attacks are still making their way into the news, although not because someone launched another massive attack. The residual DDoS news centers on catching the perpetrators and developing remedies to prevent future attacks. I've learned about several avenues being explored to help prevent DDoS attacks. Vendors have created new product-related aids and announced alliances designed to share information to stop attacks, and Congress is pushing the Internet Security Act of 2000.

Many companies have added detection code to their products that detects the DDoS client software used in coordinated attacks.
Other vendors have added detection to border protection software that can help determine whether a system on your network is flooding an external network over commonly used ports. At least one company has announced a new chip that can filter packets at 100 times the speed of current packet filters.

Numerous Internet access providers and upstream communication carriers have teamed up to share information as quickly as possible in the event of a DDoS attack against one of their networks. The cooperative efforts will help curb any shenanigans that crop up in the future because information gathered from routers and other network devices can reveal the origin of traffic, and the companies can shut down or block those end points to systematically eliminate an attack.

Organizations will eventually push for new laws to help law enforcement deal with DDoS attacks. That's exactly what Congress is trying to do with the Internet Security Act of 2000 (http://www.ntsecurity.net/security/bill-s2430.asp). The bill consists mostly of a long list of amendments to existing laws, including forfeiture laws for computer equipment used to commit a crime; provisions for pen registers and trap and trace devices; provisions for PC users to authorize wire taps when their machines are infiltrated or used to stage attacks (which, as written, can bypass court approval); and so on.

These efforts are admirable, but are they enough? If we analyze the efforts, we learn that vendors are trying to solve the problem through better traffic management and cooperative information sharing, and lawmakers look not to solve the problem outright, but only to ensure they can identify a perpetrator after the fact. So the answer seems clear: Those efforts are not enough on the lawmaking side. In many respects, the Internet is no different from the street, so logic dictates that we try to apply the same rules as best we can without making any redundant efforts.
On US streets, people travel freely until they raise the suspicion of law enforcement. And whether you've done something that is merely suspicious or blatantly obvious, you'll most likely have to identify yourself to law enforcement officials--usually with a driver's license, state ID card, or passport. Why can't we treat the Internet the same way? If I must have license plates on my car in case of a crime, accident, or other need to identify me as the owner, why shouldn't I have the same type of ID on my network packets so that if it becomes necessary, law enforcement officials can identify those packets as having come from my system? At this point, I see no other way to maintain a reasonable level of user privacy while providing a means to more readily identify perpetrators. If people are willing to drive around with license plates on their car, then they probably won't be upset about a similar tag on their network packets.

What do you think? Are address licenses inevitable for the Internet? Is there a better way? Stop by our home page and post your comments to this editorial (http://www.ntsecurity.net), or send me email if you prefer. Until next time, have a great week.

Sincerely,
Mark Joseph Edwards, News Editor
mark@ntsecurity.net

2. ========== SECURITY RISKS ==========
(contributed by Mark Joseph Edwards, mark@ntsecurity.net)

* FRONTPAGE 2000 EXPOSES WIN2K ACCOUNTS
When a valid FrontPage user connects to a remote Web server using a FrontPage client, that user can obtain a list of account names. This security risk first appeared under Windows NT 4.0, IIS 4.0, and FrontPage 98; Microsoft apparently carried it over to the new platform unchecked. The workaround information for the NT 4.0 platform does not work on Windows 2000 platforms.
http://www.ntsecurity.net/go/load.asp?iD=/security/fp2000-1.htm

* BUFFER OVERFLOW IN CMD.EXE
Cmd.exe, the command processor for Windows 2000 and Windows NT 4.0, has an unchecked buffer in the code that handles environment strings.
If a server provides batch or other script files, a user can potentially provide arguments that create an extremely large environment string, which overflows the buffer. This overflow can cause the process to fail, which presents a dialog box on the console screen. The memory allocated to the process won't be available again until that dialog box is cleared.
http://www.ntsecurity.net/go/load.asp?iD=/security/cmd-exe-dos1.htm

* ACTIVE DIRECTORY MIXED OBJECT ACCESS
Active Directory (AD) contains a bug that under specific conditions lets a user change information in the AD that should not be changeable. This can occur only if the changes are combined in a particular way with other changes that involve attributes the user does have permission to modify.
http://www.ntsecurity.net/go/load.asp?iD=/security/win2000-4.htm

* CISCO IOS SUBJECT TO DENIAL OF SERVICE
Some security scanners test for two particular security vulnerabilities associated with several UNIX-based platforms, and when those tests are run against certain Cisco hardware and software, a Denial of Service (DoS) attack against the device can occur.
http://www.ntsecurity.net/go/load.asp?iD=/security/cisco3.htm

* REAL SERVER DENIAL OF SERVICE
By sending the Real Server 471 bytes of malformed data on port 7070, a user can crash the service. USSRLabs published an executable program along with source code that can test for this vulnerability. Real Networks has been informed of this problem but has not responded.
http://www.ntsecurity.net/go/load.asp?iD=/security/realserver2.htm

* NETSCAPE COMMUNICATOR EXPOSES LOCAL FILES
Netscape Communicator 4.x lets a Web site read HTML files on a user's hard disk, including the user's bookmarks file and browser cache files. The exploit works by setting a cookie whose value contains JavaScript code.
http://www.ntsecurity.net/go/load.asp?iD=/security/netscape2.htm

* BUFFER OVERFLOW AND PATH EXPOSURE IN HTIMAGE
HTimage is a CERN-compatible image map dispatcher that ships with FrontPage 98. The utility exposes path information and contains a buffer overflow condition that might let code execute on the server.
http://www.ntsecurity.net/go/load.asp?iD=/security/fp2.htm

* INTERNET EXPLORER 5.01 ALLOWS CROSS-FRAME NAVIGATION
Internet Explorer (IE) 5.01 lets an intruder circumvent its cross-frame security policy by accessing the Document Object Model (DOM) of documents using Java or JavaScript. The problem exposes the entire DOM of the target document and opens additional security risks: reading local files, reading files from any host, window spoofing, and retrieving cookies.
http://www.ntsecurity.net/go/load.asp?iD=/security/ie516.htm

* NETWARE 5.1 REMOTE ADMINISTRATION OVERFLOW
The Remote Administration service contains a buffer overflow condition that lets an attacker launch a Denial of Service (DoS) attack against the system or inject code into the OS for execution. Because of improper connection cleanup, it's possible to saturate such a system with connections so that the system will stop responding on the network.
http://www.ntsecurity.net/go/load.asp?iD=/security/netware2.htm

* PANDA SECURITY 3.0 CAN BE BYPASSED
Panda Security 3.0 is vulnerable to indirect Registry key modifications, which let any logged-on user manipulate Panda Security. A lack of system integrity checks lets a user uninstall the entire software package.
http://www.ntsecurity.net/go/load.asp?iD=/security/pandasec1.htm

3. ========== ANNOUNCEMENTS ==========

* STORAGE UPDATE--FREE EMAIL NEWSLETTER
Storage has become a dynamic and vital industry with new products and new approaches to managing and storing data emerging all the time.
Storage UPDATE, a new electronic newsletter from Windows 2000 Magazine, covers developments, technological advances, and essential products found in the Windows 2000/NT storage market.
http://www.win2000mag.com/sub.cfm?code=up00inxent

* TRAINING & CERTIFICATION UPDATE--FREE EMAIL NEWSLETTER
If you're preparing for a certification exam (or even thinking about it), you know how important it is to get advice and tips from the people who've been there. Steve Linthicum, our resident expert, brings you the latest news from the training and certification worlds, with hints and recommendations to help you pass your exams--on the first try. Test your knowledge with our sample questions to assist you in preparing for the real thing. Sign up for Windows 2000 Magazine Training & Certification UPDATE at http://www.win2000mag.com/sub.cfm?code=up00indup.

4. ========== SECURITY ROUNDUP ==========

* NEWS: HARDWARE-BASED PACKET FILTER HITS LANDMARK SPEEDS
Juniper Networks has released a new chip called the Internet Processor II. The new chip builds on Juniper's original Internet Processor chip technology by adding enhanced security, sampling, counting, and load-balancing capabilities. The new chip can perform filtering operations at 20,000,000 packets per second.
http://www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=122&TB=news

* NEWS: EQUINIX OPENS HIGH SECURITY FACILITY
A new hosting center, IBX, has taken an extreme approach to physical security on PCs. IBX operator Equinix is betting that companies with lots of money at stake through e-commerce will want their online servers hosted in facilities that can guarantee a high level of physical security.
http://www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=124&TB=news

~~~~ SPONSOR: VERISIGN - THE INTERNET TRUST COMPANY ~~~~
Protect your servers with 128-bit SSL encryption! Get VeriSign's FREE guide, "Securing Your Web Site for Business."
You will learn everything you need to know about using SSL to encrypt your e-commerce transactions for serious online security. Click here!
http://www.verisign.com/cgi-bin/go.cgi?a=n016007860008000

5. ========== NEW AND IMPROVED ==========
(contributed by Judy Drennen, products@win2000mag.com)

* ALLIANCE OFFERS INTERNET SECURITY TOOL
The Alliance for Internet Security released NetLitmus, a tool that determines whether corporate networks are vulnerable to participating in cyber attacks. NetLitmus lets administrators take corrective action before their systems are used as part of Distributed Denial of Service (DDoS) attacks. Developed by ICSA.net, the company that spearheaded the creation of the Alliance for Internet Security, NetLitmus searches Web sites to determine whether filters (i.e., routers and firewalls) are in place and properly configured to prevent a system from participating in a DDoS attack. The tool is free to anyone who joins the Alliance. For more information, call 703-453-0500, or go to the Web site.
http://www.icsa.net

* ENTERPRISE AUDITING, SECURITY, AND PROTECTION SOFTWARE
PentaSafe Security Technologies announced the VigilEnt Security Management Solution, software to secure the digital economy. VigilEnt provides auditing, security, and protection software for enterprise systems, applications, and business-critical data from a single point of control. VigilEnt runs on Windows NT, UNIX, IBM AS/400, Apache, and Linux OSs, and soon Netscape and Microsoft IIS Web servers. A Windows 2000 version of the VigilEnt Security Management Solution is expected in mid-June. The pricing for VigilEnt Security Agent for NT starts at $750 per server. For more information, contact PentaSafe, 713-523-1992, or go to the Web site.
http://www.pentasafe.com

* SECURITY KIT FOR LAPTOPS AND NOTEBOOKS
Innovative Security Products released Safe Notebook, a one-piece theft deterrent kit that secures notebook and laptop computers to prevent theft.
Safe Notebook uses the security retention socket found on most portable computers and PDAs. An additional steel security lock-down plate is included as a secure anchoring point. Safe Notebook costs $34.95.
http://www.wesecure.com

6. ========== HOT RELEASE (ADVERTISEMENT) ==========

* GFI’S LANGUARD - INTERNET/NETWORK ACCESS CONTROL
Is someone running a password cracker on your network? If you don’t know the answer, you need LANguard! Use LANguard's sniffer detection to find users/computers running password crackers, and take corrective action. Download your free copy:
http://www.gfi.com/securitysnifflan.shtml

* NETWORK-1 SECURITY SOLUTIONS - SECURING E-BUSINESS NETWORKS
Secure your critical NT/2000 servers now. CyberwallPLUS-SV is the first embedded firewall for NT servers. It secures servers with network access controls and intrusion prevention. Visit http://www.network-1.com/SVeval/index.htm for a free evaluation kit and white paper.

7. ========== SECURITY TOOLKIT ==========

* BOOK HIGHLIGHT: PETER NORTON'S GUIDE TO NETWORK SECURITY FUNDAMENTALS
By Peter Norton and Michael Stockman
Online Price: $31.95
Softcover; 232 Pages
Published by Sams, November 1999
ISBN 0672316919

"Peter Norton's Guide to Network Security" provides an overview of common network types and supplies the details necessary to build and implement a successful network security strategy. Because most commercial networks use a combination of new and legacy equipment and systems, this book addresses the common network systems and protocols that network administrators use daily and describes the security measures necessary to keep the systems working smoothly and securely.

For Windows 2000 Magazine Security UPDATE readers only--Receive an additional 10 percent off the online price by typing WIN2000MAG in the discount field on the Shopping Basket Checkout page. To order this book, go to http://www.fatbrain.com/shop/info/0672316919?from=win2000mag.
Or visit the Windows 2000 Magazine Network Bookstore at http://www1.fatbrain.com/store.cl?p=win2000mag&s=97772.

* TIP: CONVERT TO NTFS DURING UNATTENDED INSTALLATION
(contributed by http://www.jsiinc.com)
FAT file systems offer little security, so it's wise to format your drives to use the NTFS file system, where you can control access to files and directories on a per-user basis. Although formatting a drive to NTFS is straightforward, performing that conversion during an unattended installation of Windows NT might not be straightforward for you.

To convert a FAT file system to NTFS during an unattended installation, copy the I386 or Alpha directory from the installation CD-ROM onto your hard disk. The following instructions assume you copied the I386 directory from the CD-ROM to the I386 directory on your hard disk.

1. Expand the file I386\INITIAL.IN_ to I386\INITIAL.INF.
2. Rename I386\INITIAL.IN_ to I386\INITIAL.BK_.
3. Edit the SetAcls section of the I386\INITIAL.INF file, changing the line
   set Convert_Winnt = $($1)
   to
   set Convert_Winnt = YES
4. Save the file and run the unattended installation; the installation process will convert the file system to NTFS.

* WRITING SECURE CODE: AVOID BUFFER OVERRUNS WITH STRING SAFETY
In his latest column, David LeBlanc says that although you can find several explanations of buffer overruns on the Web, most tend to be very technical and are often designed to show how to exploit a particular application. In his current column, LeBlanc demonstrates the overrun problem with an example program that you can step through to see how the overrun occurs.
http://www.ntsecurity.net/go/seccode.asp

8. ========== HOT THREADS ==========

* WINDOWS 2000 MAGAZINE ONLINE FORUMS
The following text is from a recent threaded discussion on the Windows 2000 Magazine online forums (http://www.win2000mag.com/support).

April 18, 2000, 12:54 P.M.
Service Pack Release
Just curious if anyone has heard when the first service pack is due out for Windows 2000 (Server or Professional). It seems that there are a number of applications that will not be released with Win2K compatibility until after the service pack is out. I heard a great deal about this right after Win2K was launched and not much since. Thanks for your help.
Thread continues at http://www.win2000mag.com/support/Forums/Application/Index.cfm?CFApp=70&Message_ID=99771.

* WIN2KSECADVICE MAILING LIST
Each week we offer a quick recap of some of the highlights from the Win2KSecAdvice mailing list. The following thread is in the spotlight this week:

HotMail Security Hole: Inject JavaScript into Email
Several months ago in my Advisory #3 for 2000, I alerted everyone about a Hotmail bug with the "@import url (javascript:...)" functionality. That bug was fixed, but now I found a similar bug in HotMail that allows the injection and execution of JavaScript code into a user's email.
http://www.ntsecurity.net/go/w.asp?A2=IND0004D&L=WIN2KSECADVICE&P=231

Follow this link to read all threads for April, Week 3:
http://www.ntsecurity.net/go/w.asp?A1=ind0004c&L=win2ksecadvice

* HOWTO MAILING LIST
Each week we offer a quick recap of some of the highlights from the HowTo for Security mailing list. The following threads are in the spotlight this week:

Free Internet Access, a Security Risk?
I thought I'd throw this one out to everyone because I would like to get some opinions. What kind of security risks, if any, do the free Internet access services pose? Are there any cracks in security with companies such as Blue Light, Free-I, NetZero, or Free-DSL?
http://www.ntsecurity.net/go/L.asp?A2=IND0004C&L=HOWTO&P=2716

Managing NT Permissions
There is an NT user right "bypass traverse checking," which, if I remember right, is given by default to the Everyone group and allows the Everyone group to browse through directory listings even when they have no access rights.
http://www.ntsecurity.net/go/L.asp?A2=IND0004D&L=HOWTO&P=81

Follow this link to read all threads for April, Week 3:
http://www.ntsecurity.net/go/l.asp?A1=ind0004c&L=howto

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

WINDOWS 2000 MAGAZINE SECURITY UPDATE STAFF
News Editor - Mark Joseph Edwards (mje@win2000mag.com)
Ad Sales Manager (Western) - Jim Langone (jim@win2000mag.com)
Ad Sales Manager (Eastern) - Tanya T. TateWik (ttatewik@win2000mag.com)
Associate Publisher/Network - Martha Schwartz (mschwartz@win2000mag.com)
Editor - Gayle Rodcay (gayle@win2000mag.com)
New and Improved - Judy Drennen (products@win2000mag.com)
Copy Editor - Judy Drennen (jdrennen@win2000mag.com)

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

========== GET UPDATED! ==========
Receive the latest information about the Windows 2000 and Windows NT topics of your choice. Subscribe to these other FREE email newsletters at http://www.win2000mag.com/sub.cfm?code=up99inxsup.

Windows 2000 Magazine UPDATE
Windows 2000 Magazine Thin-Client UPDATE
Windows 2000 Magazine Exchange Server UPDATE
Windows 2000 Magazine Storage UPDATE
Windows 2000 Magazine Training & Certification UPDATE
Windows 2000 Pro UPDATE
Application Service Provider UPDATE
SQL Server Magazine UPDATE
SQL Server Magazine XML UPDATE
IIS Administrator UPDATE
WinInfo UPDATE

SUBSCRIBE/UNSUBSCRIBE/CHANGE ADDRESS
Thank you for reading Windows 2000 Magazine Security UPDATE. You are currently subscribed to securityupdate as: packet@PACKETSTORM.SECURIFY.COM

To subscribe, go to the UPDATE home page at http://www.win2000mag.com/update or send a blank email to join-securityupdate@list.win2000mag.net.

To remove yourself from the list, send a blank email to leave-securityupdate-120275L@list.win2000mag.net.

To change your email address, send a message with the sentence
set securityupdate email="new email address"
as the message text to lyris@list.win2000mag.net.
Replace the words "new email address" with your new email address (include the quotes).

If you have questions or problems with your UPDATE subscription, please contact securityupdate@win2000mag.com. We will address your questions or problems as quickly as we can, but please allow 2 issues for resolution.

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|

Copyright 2000, Windows 2000 Magazine
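EDITOR'S ADDED EXAMPLE: STRING SAFETY IN C

The Writing Secure Code item in section 7 points to LeBlanc's column but does not show the string-handling practice itself, and the Cmd.exe item in section 2 describes the same failure (an environment string larger than the fixed buffer that receives it). The C program below is an added example written for this issue; it is not code from LeBlanc's column, from Windows 2000 Magazine, or from Microsoft. The function and enumeration names (safe_copy, build_env_entry, copy_result), the 16-byte buffer size, and the sample strings are assumptions constructed for illustration. It contrasts the unchecked strcpy() pattern with two bounded alternatives: an explicit length check that reports truncation, and snprintf() with its return value used as the length check, which rejects an oversized "NAME=value" entry instead of overrunning.

```c
#include <stdio.h>
#include <string.h>

/* Fixed-size destination, the shape of buffer the Cmd.exe item is about.
 * Constructed: kept small so the checks below are easy to exercise. */
#define ENTRY_MAX 16

/* Status codes returned by the bounded copy (hypothetical names). */
enum copy_result { COPY_OK = 0, COPY_TRUNCATED = 1, COPY_BADARG = 2 };

/* The unsafe pattern: strcpy() trusts the caller to pass fewer than ENTRY_MAX
 * bytes. A longer string writes past the end of buf; that is the overrun
 * LeBlanc's column steps through. Kept only for contrast; nothing calls it. */
void unsafe_copy(char buf[ENTRY_MAX], const char *src)
{
    strcpy(buf, src);
}

/* Safe pattern 1: copy with an explicit size, always NUL-terminate, and
 * report truncation so the caller can reject rather than silently proceed. */
enum copy_result safe_copy(char *dst, size_t dst_size, const char *src)
{
    size_t len;

    if (dst == NULL || src == NULL || dst_size == 0)
        return COPY_BADARG;

    len = strlen(src);
    if (len >= dst_size) {
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return COPY_TRUNCATED;
    }
    memcpy(dst, src, len + 1);      /* includes the terminating NUL */
    return COPY_OK;
}

/* Safe pattern 2: compose "NAME=value" (the shape of an environment string)
 * with snprintf() and use its return value as the length check. Returns the
 * length written, or -1 when the result would not fit; a partial entry is
 * never left behind for a later strcpy() to trip over. */
int build_env_entry(char *dst, size_t dst_size,
                    const char *name, const char *value)
{
    int needed;

    if (dst == NULL || dst_size == 0 || name == NULL || value == NULL)
        return -1;

    needed = snprintf(dst, dst_size, "%s=%s", name, value);
    if (needed < 0 || (size_t)needed >= dst_size) {
        dst[0] = '\0';              /* refuse oversized input outright */
        return -1;
    }
    return needed;
}

int main(void)
{
    char entry[ENTRY_MAX];

    /* Constructed inputs: one that fits, one that would have overrun. */
    printf("safe_copy short -> %d (%s)\n",
           safe_copy(entry, sizeof entry, "TEMP=C:\\TMP"), entry);
    printf("safe_copy long  -> %d (%s)\n",
           safe_copy(entry, sizeof entry,
                     "TEMP=C:\\DOCUME~1\\USER\\LOCALS~1\\TEMP"), entry);
    printf("build fits      -> %d (%s)\n",
           build_env_entry(entry, sizeof entry, "PATH", "C:\\WINNT"), entry);
    printf("build too long  -> %d (%s)\n",
           build_env_entry(entry, sizeof entry, "PATH",
                           "C:\\WINNT\\SYSTEM32"), entry);
    return 0;
}
```

The design point is that the size check lives next to the copy and the result is something the caller must look at: a truncated or rejected copy is surfaced as a return code, not hidden by a silently clipped buffer, which is the difference between a process that fails safely and the hung console dialog described in the Cmd.exe item.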