**********************************************************
WINDOWS 2000 MAGAZINE SECURITY UPDATE
**Watching the Watchers**
The weekly Windows 2000 and Windows NT security update newsletter brought
to you by Windows 2000 Magazine and NTSecurity.net.
http://www.win2000mag.net/Email/Index.cfm?ID=5
**********************************************************

This week's issue sponsored by

Trend Micro -- Your Internet VirusWall
http://www.antivirus.com/2kUPDTRJUNE.htm

FREE Intrusion Detection WebCast
http://www.win2000mag.com/jump.cfm?ID=32
(Below Security Roundup)

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

June 7, 2000 - In this issue:

1. IN FOCUS
   - And Then Came HavenCo

2. SECURITY RISKS
   - Protected Store Key Length
   - Internet Explorer-Compiled HTML Might Run Unauthorized Code
   - Media Encoder Denial of Service
   - SQL Server 7.0 SP1 and SP2 Expose Admin Password
   - Imate WebMail Denial of Service
   - Buffer Overrun in ITHouse Mail Server
   - Buffer Overrun in Sambar Server

3. ANNOUNCEMENTS
   - Win2000mag.net--It's Like Spitting in the Ocean...
   - Free Books Online

4. SECURITY ROUNDUP
   - News: Microsoft's New Security Server

5. NEW AND IMPROVED
   - Increased Security for Universities
   - Simplify Access to Private Data and Applications

6. HOT RELEASES (ADVERTISEMENTS)
   - New! Desktop Firewall for PCs with Windows NT/2000
   - VeriSign - The Internet Trust Company

7. SECURITY TOOLKIT
   - Book Highlight: Information Security: Protecting the Global Enterprise
   - Tip: Event Log Security ID Descriptions
   - Windows 2000 Security: Creating a Custom Password-Reset MMC
   - Writing Secure Code: Bind Basics

8. HOT THREADS
   - Windows 2000 Magazine Online Forums
     IIS and NTFS Security--ASP Problem
   - Win2KSecAdvice Mailing List
     Released: LibnetNT by eEye Digital Security
   - HowTo Mailing List
     Event Viewer Query

~~~~ SPONSOR: TREND MICRO -- YOUR INTERNET VIRUSWALL ~~~~
Stop viruses like LOVELETTER, NEWLOVE, RESUME and other malicious content
from jamming up your network.
Trend Micro ScanMail for Microsoft Exchange provides enterprise-strength
antivirus and content security. ScanMail implements a uniform virus and
content security policy across the enterprise. The optional eManager
plug-in stops SPAM. ScanMail is fully compatible with Windows 2000 and can
automatically scan either on-demand or at prescheduled intervals.
Software, scan engine, and virus pattern updates distribute automatically
to each networked Exchange Server. Keep viruses out of your Exchange
servers with Trend Micro.
http://www.antivirus.com/2kUPDTRJUNE.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Want to sponsor Windows 2000 Magazine Security UPDATE? Contact Jim
Langone (Western Advertising Sales Manager) at 800-593-8268 or
jim@win2000mag.com, OR Tanya T. TateWik (Eastern and International
Advertising Sales Manager) at 877-217-1823 or ttatewik@win2000mag.com.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. ========== IN FOCUS ==========

Hello everyone,

Although fending off network-based intruders is a formidable task, you
can achieve it. But how do you protect your data from physical system
access? The obvious answer is by using adequate guards against physical
premise access, which can be expensive. As a result, many companies
co-locate data or servers at offsite locations. For example, you might
rent an entire cage or set of racks within a cage from a major ISP. The
cage or racks come with high-speed bandwidth. Or you might simply rent a
secure e-commerce site from a Web service provider and let the provider
worry about premise-access concerns. The ultimate solution obviously
depends on your needs. The more sensitive the data, the more sheltered
the final solution needs to be. Today, hundreds of companies around the
world offer various secured co-location or data-hosting services. When it
comes to security, there are all kinds of boasts and guarantees, but none
can match the claim I heard about this week.
Companies come and companies go, but then came HavenCo. Located on a tiny
man-made island 7 miles off the coast of Great Britain, HavenCo has a
unique claim to security fame: It not only operates a secure network
co-location center, it operates an entire sovereign country! Let me
explain.

During World War II, Britain built several gun platforms off its coast to
help fend off Nazi warplanes. One of the platforms, named Roughs Tower,
was only 10 by 25 yards and was built on two cement caissons off the
coast of Britain in what was then international waters. After the war,
Britain dismantled all the platforms except Roughs Tower, which sat
abandoned until 1967, when former English major Paddy Roy Bates and his
family took up residence on the man-made island. Bates proclaimed the
island his own state and bestowed upon himself the title of Prince--his
wife took the title of Princess--to reign over their newly formed
Principality of Sealand. After several legal encounters over the island,
the English court eventually ruled it had no jurisdiction over Sealand,
and Sealand became formally recognized as its own country. Today, the
Bates family has moved off the island and turned over operation of the
property and the Sealand government to the newly formed HavenCo business.

In a nutshell, HavenCo offers Sealand as a country in which to operate a
business. You can buy a server, bandwidth, and a complete security
solution direct from HavenCo and have that business totally based in
Sealand, which provides protection from overly strict data traffic laws,
foreign subpoenas, and other outside interference. According to HavenCo,
Sealand has no laws governing data traffic, and the terms of HavenCo's
agreement with Sealand provide that no data traffic laws will ever be
enacted. You might think HavenCo will soon become a haven for
less-than-favorable network users, such as system crackers, porn
peddlers, and spammers, but perhaps that won't happen.
The HavenCo acceptable use policy clearly states that it prohibits "the
distribution of child pornography from its servers, and prohibits use of
the network to send bulk unsolicited communications or launch digital
attacks against other computers or networks." Only time will tell how
well HavenCo enforces its guidelines. After all, Sealand has few laws,
and probably none would force HavenCo to take any specific action other
than to terminate a company's service.

I'm not sure what to think about HavenCo. The company professes to offer
a pretty darn secure solution package, but I think it's too soon to form
a solid opinion. Sealand, a country with almost no laws, lets anyone run
a business. Even more interesting is Sealand's claim about protection
from foreign subpoena. According to HavenCo, you can set up an email
system or other service type on its network and keep it safe from search
and seizure. Microsoft could have used that service to help fend off the
US Department of Justice (DOJ).

With its professed strong physical and network security and fat
bandwidth, HavenCo offers an intriguing solution. It will be interesting
to see who winds up using the services. But it will be even more
interesting to see how world governments react to Sealand's new data
haven. That reaction will depend on how HavenCo's customers use its
multifaceted protected services. Be sure to stop by the HavenCo Web site
(http://www.havenco.com/) and read about its service offerings as well as
the history of Sealand. I'm sure you'll find it as interesting as I did.
Until next time, have a great week.

Sincerely,
Mark Joseph Edwards, News Editor
mark@ntsecurity.net

2. ========== SECURITY RISKS =========
(contributed by Mark Joseph Edwards, mark@ntsecurity.net)

* PROTECTED STORE KEY LENGTH
By design, the Protected Store in Windows 2000 should always encrypt
information using the strongest cryptography available on the system.
However, the Win2K implementation uses a 40-bit key to encrypt the
Protected Store even if stronger cryptography is installed on the system.
The 40-bit key weakens the protection on the Protected Store, which lets
an intruder more easily crack the key and gain access to the Protected
Store.
http://www.ntsecurity.net/go/load.asp?iD=/security/win2k4-5.htm

* INTERNET EXPLORER-COMPILED HTML MIGHT RUN UNAUTHORIZED CODE
According to a Microsoft security bulletin, if a malicious Web site
references an Internet Explorer (IE)-compiled HTML Help file (which has a
.chm extension), the site can potentially launch code on a visiting
user's computer without the user's approval. Such code can take any
actions that the user can take, including adding, changing, or deleting
data or communicating with a remote Web site.
http://www.ntsecurity.net/go/load.asp?iD=/security/ie517.htm

* MEDIA ENCODER DENIAL OF SERVICE
Microsoft's Media Encoder contains a bug whereby an intruder can send a
particular malformed request to an affected encoder, causing it to deny
formatted content to the Windows Media Server. The vulnerability
primarily affects real-time streaming media providers. Microsoft made a
patch available but then removed the patch for reasons unknown at the
time of this writing.
http://www.ntsecurity.net/go/load.asp?iD=/security/media4-2.htm

* SQL SERVER 7.0 SP1 AND SP2 EXPOSE ADMIN PASSWORD
According to Microsoft, when SQL Server 7.0 Service Pack 1 (SP1) or SP2
is installed on a machine configured to perform authentication using
Mixed Mode, the password for the SQL Server standard security System
Administrator account is recorded in plain text in the file
\%TEMP%\sqlsp.log. The file's default permissions let any user who can
log on interactively to the server read the file. Microsoft has updated
SP2 to help guard against the risk.
http://www.ntsecurity.net/go/load.asp?iD=/security/sql7-5.htm

* IMATE WEBMAIL DENIAL OF SERVICE
A malicious user can crash Imate's SMTP mail service by sending a string
of 1119 characters as a parameter to the HELO command. The vendor,
Concatus, is aware of the problem and has made a patch available through
its support department.
http://www.ntsecurity.net/go/load.asp?iD=/security/imate25-1.htm

* BUFFER OVERRUN IN ITHOUSE MAIL SERVER
A malicious user can crash ITHouse's SMTP mail service by sending a
string of 2270 characters as a parameter to the RCPT TO command. During
the crash, characters beyond 2270 overwrite the EIP register, making it
possible to run arbitrary code on the remote system.
http://www.ntsecurity.net/go/load.asp?iD=/security/ithouse1.htm

* BUFFER OVERRUN IN SAMBAR SERVER
A user can crash the Sambar Server by using the default finger and whois
scripts provided with the Sambar Server software. By sending a long
string of 32,290 characters to either of the scripts, a malicious user
can overflow an unchecked buffer in the sambar.dll file and cause
arbitrary code to run on the machine.
http://www.ntsecurity.net/go/load.asp?iD=/security/sambar1.htm

3. ========== ANNOUNCEMENTS ==========

* WIN2000MAG.NET--IT'S LIKE SPITTING IN THE OCEAN...
You can't miss with our new portal for IT professionals. Access technical
remedies, certification advice, vendor solutions, and professional
development tools, or post a question in our technical forums. Surely one
of our 500,000 monthly Web visitors has solved the same problem you face
now. Raise Your IT IQ at http://www.win2000mag.net/.

* FREE BOOKS ONLINE
Now online--a technical reference library specifically for Windows IT
professionals. Windows IT Library, a member of the Windows 2000 Magazine
Network, provides the information you need when you need it. For your
source of free books and other technical content, visit
http://WindowsITLibrary.com/.

4. ========== SECURITY ROUNDUP ==========

* NEWS: MICROSOFT'S NEW SECURITY SERVER
On June 6, Microsoft released Beta 3 of its new Internet Security and
Acceleration (ISA) Server 2000. Designed for Windows 2000 Server
platforms, ISA Server is an application-level firewall with data-aware
filtering capabilities, IP packet filtering functionality, and Active
Directory (AD) support. Administrators can use ISA Server to control
access by user and group, application, content type, and schedule.
http://www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=147&TB=news

~~~~ SPONSOR: FREE INTRUSION DETECTION WEBCAST ~~~~
AXENT(R)'s "Everything You Need to Know About Intrusion Detection"
WebCast teaches you how to protect yourself against intruders with
AXENT's Prowler Series (NetProwler(tm) and Intruder Alert(tm)) by
transparently monitoring traffic in real-time and instantly reacting to
attempted attacks. Space is limited - register today at
http://www.win2000mag.com/jump.cfm?ID=32 to reserve your spot. AXENT is
the leading provider of e-security solutions for your business,
delivering integrated products and expert services to 45 of the Fortune
50 companies.

5. ========== NEW AND IMPROVED ==========
(contributed by Judy Drennen, products@win2000mag.com)

* INCREASED SECURITY FOR UNIVERSITIES
WebTrends announced the Secure University Program, offering a free
version of WebTrends Security Analyzer Professional Edition and a
discount on Security Analyzer Enterprise Edition to any qualified
university. With the Secure University Program, WebTrends wants to bring
increased security to universities and raise security awareness, given
the recent Distributed Denial of Service (DDoS) attacks in some of the
world's largest education systems. For more information, go to
http://www.webtrends.com/secureuniversityprogram.htm.

* SIMPLIFY ACCESS TO PRIVATE DATA AND APPLICATIONS
Jela Company released OnlyYou 1.1, software that lets Windows NT and
Windows 9x users protect their IDs and passwords.
Press the OnlyYou hot key and identify yourself to extract your password
from 128-bit encrypted storage. OnlyYou 1.1 costs $23.50 for a
single-user license. Network and volume licenses are available. For more
information, contact Jela Company at 800-275-0097 or go to the Web site.
http://www.jelaco.com/

6. ========== HOT RELEASES (ADVERTISEMENTS) ==========

* NEW! DESKTOP FIREWALL FOR PCS WITH WINDOWS NT/2000
CyberwallPLUS-WS is a desktop firewall for PCs running Windows NT 4.0 or
Windows 2000. It protects against network attacks with an ICSA-certified
packet filter that provides access controls, intrusion detection and
traffic logs. Free Evaluation:
http://www.network-1.com/WSeval/index.htm

* VERISIGN - THE INTERNET TRUST COMPANY
Protect your servers with 128-bit SSL encryption! Get VeriSign's FREE
guide, "Securing Your Web Site for Business." You will learn everything
you need to know about using SSL to encrypt your e-commerce transactions
for serious online security. Click here!
http://www.verisign.com/cgi-bin/go.cgi?a=n016007870003000

7. ========== SECURITY TOOLKIT ==========

* BOOK HIGHLIGHT: INFORMATION SECURITY: PROTECTING THE GLOBAL ENTERPRISE
By Donald Pipkin
Online Price: $39.99
Softcover; 300 pages
Published by Prentice Hall, May 2000
ISBN 0130173231

IT security expert Donald Pipkin addresses every aspect of information
security: the business issues, the technical-process issues, and the
legal issues, including the personal liabilities of corporate officers in
protecting information assets.

To order this book, go to
http://www.fatbrain.com/shop/info/0130173231?from=win2000mag or visit the
Windows 2000 Magazine Network Bookstore at
http://www1.fatbrain.com/store.cl?p=win2000mag&s=97772.

* TIP: EVENT LOG SECURITY ID DESCRIPTIONS
(contributed by Mark Joseph Edwards, http://www.ntsecurity.net/)
You use event logs to audit security events on your systems, but do you
always know what a given event ID code represents?
It's hard to remember details about each event ID because Microsoft lists
more than 50 different security event ID codes. Microsoft article Q174074
lists dozens of event ID codes along with detailed examples of what those
event log entries will look like. You might want to bookmark or print the
page for future reference.
http://www.microsoft.com/technet/support/kb.asp?ID=174074

* WRITING SECURE CODE: BIND BASICS
In his latest Web exclusive column, David LeBlanc points out that to
understand how to bind a TCP socket to a port, you need to look at the
arguments for the bind() function. One of these arguments (the second) is
a pointer to a sockaddr structure. For IP applications, that pointer
typically points to a sockaddr_in structure that contains the numeric IP
address and port that you want to bind to locally. If you can't easily
identify what interfaces are available, you can simply bind to all
available local interfaces by specifying INADDR_ANY as the address. One
security risk that you need to be aware of is that users can bind two
sockets to the same port using a socket option known as SO_REUSEADDR. In
other words, two different applications can answer connections on the
same port. Be sure to read the rest of David's column on our Web site.
http://www.ntsecurity.net/go/seccode.asp

8. ========== HOT THREADS ==========

* WINDOWS 2000 MAGAZINE ONLINE FORUMS
The following text is from a recent threaded discussion on the Windows
2000 Magazine online forums (http://www.win2000mag.net/forums/).

IIS and NTFS Security--ASP Problem
Scenario: IIS 4 with SP6a. I attempted to apply RX security to the OS
file system. While HTML still served up, no ASP pages would work. After
an extensive search on Microsoft's site, I came up empty-handed and had
to allow the Change perms on NTFS. I ensured that the anonymous user had
NTFS read and execute permissions to the entire file system. Any
suggestions?
Thread continues at
http://www.win2000mag.net/Forums/Application/Thread.cfm?CFApp=64&Thread_ID=38701&mc=2.

* WIN2KSECADVICE MAILING LIST
Each week we offer a quick recap of some of the highlights from the
Win2KSecAdvice mailing list. The following thread is in the spotlight
this week.

Released: LibnetNT by eEye Digital Security
Libnet for UNIX is used in many of today's popular security programs
because of how easy it is to implement low-level packet functionality
into a program. Now that same ease-of-use development API is available
for Windows NT platforms.
http://www.ntsecurity.net/go/w.asp?A2=IND0006A&L=WIN2KSECADVICE&P=89

Follow this link to read all threads for June, Week 1:
http://www.ntsecurity.net/go/w.asp?A1=ind0006a&L=win2ksecadvice

* HOWTO MAILING LIST
Each week we offer a quick recap of some of the highlights from the HowTo
for Security mailing list. The following thread is in the spotlight this
week.

Event Viewer Query
This is going to seem like a strange question, but it has me a bit
baffled. If you have a standalone server with full auditing enabled on
it, how does the Event ID 528 (as seen in the Event Viewer) apply?
Because the standalone server is not capable of authentication, this
should mean that someone physically went to the standalone server and
logged on, and if done locally, then it should be indicated under Domain,
which it isn't. However, it does list "MachineTwo" as the workstation
name where the logon was successful. What remote logon will trigger this
Event ID?
http://www.ntsecurity.net/go/L.asp?A2=IND0006a&L=HOWTO&P=159

Follow this link to read all threads for June, Week 1:
http://www.ntsecurity.net/go/l.asp?A1=ind0006a&L=howto

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

WINDOWS 2000 MAGAZINE SECURITY UPDATE STAFF
News Editor - Mark Joseph Edwards (mje@win2000mag.com)
Ad Sales Manager (Western) - Jim Langone (jim@win2000mag.com)
Ad Sales Manager (Eastern) - Tanya T. TateWik (ttatewik@win2000mag.com)
Associate Publisher/Network - Martha Schwartz (mschwartz@win2000mag.com)
Editor - Gayle Rodcay (gayle@win2000mag.com)
New and Improved - Judy Drennen (products@win2000mag.com)
Copy Editor - Judy Drennen (jdrennen@win2000mag.com)

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

========== GET UPDATED! ==========
Receive the latest information about the Windows 2000 and Windows NT
topics of your choice, including Win2K Pro, Exchange Server, thin-client,
training and certification, SQL Server, IIS administration, XML,
application service providers, and more. Subscribe to our other FREE
email newsletters at http://www.win2000mag.com/sub.cfm?code=up00inxwnf.

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

Thank you for reading Security UPDATE.

SUBSCRIBE
To subscribe send a blank email to
subscribe-Security_UPDATE@list.win2000mag.net.

UNSUBSCRIBE
To unsubscribe, send an email to U-A3.15.87030@list.win2000mag.net.
Or click http://go.win2000mag.net:80/UM/U.ASP?A3.15.87030 and you will be
removed from the list. Thank you!

If you have questions or problems with your UPDATE subscription, please
contact securityupdate@win2000mag.com.

___________________________________________________________
Copyright 2000, Windows 2000 Magazine
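Added example for the "Writing Secure Code: Bind Basics" item in section 7 above (editor's illustration, not code from David LeBlanc's column or the newsletter): a listener written against POSIX sockets that binds one specific address instead of INADDR_ANY, sets SO_EXCLUSIVEADDRUSE where the platform defines it (Windows), and an audit check that tries a second SO_REUSEADDR bind on the live port so you can verify the port cannot be taken over. Function names and the 127.0.0.1 test address are assumptions of this example.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Create a TCP listener bound to one specific local address. Binding the
 * real interface address (not INADDR_ANY) keeps a later, more specific
 * bind from winning the port. Returns the socket or -1. */
int open_listener(const char *ip, unsigned short port)
{
    int s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0) return -1;
#ifdef SO_EXCLUSIVEADDRUSE
    /* Windows only: refuse any later bind() to this address/port, even one
     * that sets SO_REUSEADDR. POSIX systems do not define this option. */
    int excl = 1;
    setsockopt(s, SOL_SOCKET, SO_EXCLUSIVEADDRUSE, (const char *)&excl, sizeof excl);
#endif
    struct sockaddr_in sin;                 /* the second bind() argument */
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);             /* port 0 = let the OS choose */
    if (inet_pton(AF_INET, ip, &sin.sin_addr) != 1) { close(s); return -1; }
    if (bind(s, (struct sockaddr *)&sin, sizeof sin) < 0 || listen(s, 16) < 0) {
        close(s);
        return -1;
    }
    return s;
}

/* Report the port the listener actually received (needed after port 0). */
int listener_port(int s)
{
    struct sockaddr_in sin;
    socklen_t len = sizeof sin;
    if (getsockname(s, (struct sockaddr *)&sin, &len) < 0) return -1;
    return ntohs(sin.sin_port);
}

/* Audit check: can a second socket that sets SO_REUSEADDR bind the same
 * address/port while the listener is up? Returns 1 if bind() succeeds
 * (the port can be shared or taken over), 0 if it fails with EADDRINUSE,
 * -1 on any other error. */
int port_is_stealable(const char *ip, unsigned short port)
{
    int s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0) return -1;
    int reuse = 1;
    setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &reuse, sizeof reuse);
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    inet_pton(AF_INET, ip, &sin.sin_addr);
    int rc = bind(s, (struct sockaddr *)&sin, sizeof sin);
    int err = errno;
    close(s);
    if (rc == 0) return 1;
    return err == EADDRINUSE ? 0 : -1;
}

int main(void)
{
    int l = open_listener("127.0.0.1", 0);
    if (l < 0) { perror("open_listener"); return 1; }
    int port = listener_port(l);
    printf("listening on 127.0.0.1:%d, stealable=%d\n", port,
           port_is_stealable("127.0.0.1", (unsigned short)port));
    close(l);
    return 0;
}
```

On Linux the second bind is refused because the first socket is listening and did not set SO_REUSEADDR; on Windows NT/2000, which lacks that rule, the check returns 1 unless the listener set SO_EXCLUSIVEADDRUSE.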