**********************************************************
WINDOWS 2000 MAGAZINE SECURITY UPDATE
**Watching the Watchers**
The weekly Windows 2000 and Windows NT security update newsletter brought to you by Windows 2000 Magazine and NTSecurity.net
http://www.win2000mag.net/Email/Index.cfm?ID=5
**********************************************************

This week's issue sponsored by

Dorian Software Creations - Event Archiver 3.2
http://www.doriansoft.com

Sunbelt Software - STAT: NT/2000 Vulnerability Scanner
http://www.sunbelt-software.com/product.cfm?id=899
(Below SECURITY ROUNDUP)

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

June 14, 2000 - In this issue:

1. IN FOCUS
   - The Need for Layered Physical Security

2. SECURITY RISKS
   - Registry Request Denial of Service
   - Spoofing McAfee VirusScan Alerts
   - Unify eWave ServletExec Exposes Source Code
   - Path Exposure and Buffer Overrun in Ceilidh
   - Firewall-1 Denial of Service
   - Buffer Overflow Condition in EServ
   - Circumventing IE Cross-Frame Security
   - Win2K/NT Denial of Service via Invalid SMB Field
   - IE Mishandles SSL Certificates
   - NT Subject to User Session Key Reuse
   - Win2K and NT SMB-based Denial of Service

3. ANNOUNCEMENTS
   - Conference and Expo on Windows 2000/NT 4.0 Security and Control
   - Win2000mag.net--A Mile Deep

4. SECURITY ROUNDUP
   - Microsoft Releases Outlook Security Update

5. NEW AND IMPROVED
   - Management Tool Streamlines Network Security
   - Desktop Antivirus Certified for Win2K

6. SECURITY TOOLKIT
   - Book Highlight: Securing Intranets
   - Tip: How to Recover a Lost Administrator Password
   - Windows 2000 Security: Checking Your Current Configuration in Group Policy

7. HOT THREADS
   - Windows 2000 Magazine Online Forums
     Security Configuration Manager
   - Win2KSecAdvice Mailing List
     Reporting Security Issues to Microsoft
   - HowTo Mailing List
     Trojan-like Activity with ICMP

~~~~ SPONSOR: DORIAN SOFTWARE CREATIONS--EVENT ARCHIVER 3.2 ~~~~
Boost your network security and system reliability by automating and centralizing the collection of your Windows NT/2000 event logs. Running as a 24/7 service on a single server, Event Archiver Enterprise can collect all of the event logs in your domain(s) remotely without the use of clients! A friendly GUI management console, flexible scheduling, and many data storage options (EVT, TXT, Access, and ODBC) make Dorian Software Creations' Event Archiver a necessary application in any security administrator's tool suite. Download your FREE 30-day evaluation from http://www.doriansoft.com/.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Want to sponsor Windows 2000 Magazine Security UPDATE? Contact Jim Langone (Western Advertising Sales Manager) at 800-593-8268 or jim@win2000mag.com, OR Tanya T. TateWik (Eastern and International Advertising Sales Manager) at 877-217-1823 or ttatewik@win2000mag.com.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. ========== IN FOCUS ==========

Hello everyone,

Over the past few months, I've read at least four news reports about various world government agencies that have either lost computer hardware and data or inappropriately provided access to sensitive data. In April, a laptop with classified code-word information was reported missing from an allegedly secure conference room at the US State Department. The laptop had been missing since February. According to reports, the theft resulted not from poor security procedures but from department employees' failure to follow existing procedures. The State Department said 15 additional laptops with unclassified information are missing too.
In late May, Australia reported a similar incident in which five of its Parliament laptops were stolen from private, allegedly secure areas of Parliament House. Then, we learned that former CIA Director John Deutch took classified information home without permission and left it accessible in his house. This week, we're hearing reports that hard disks are missing from Los Alamos Laboratory vaults--drives that contain US and Russian nuclear secrets. Some military experts say our national arsenal has subsequently been completely compromised.

At first, I didn't want to believe these events actually happened. After all, they took place in highly secured facilities. But the events are real indeed, and they're probably just the tip of the iceberg when it comes to less-than-acceptable physical security in government facilities.

Risk management is only as effective as its weakest link. After all, what good are high-tech biometric security systems, VPNs, data encryption techniques, and other forms of defense if physical access management is inadequate?

What about your facilities? Are they as secure as you'd like them to be? As with layered network defenses, you must protect physical access to your premises with a layered strategy. Just as you might divide a master password into pieces held by several people so that no one person has the entire password, you might also consider dividing up authority and accountability for physical security. Involving several people in a procedure helps build accountability along the way. Intruders are less likely to attempt mischievous endeavors when several checks and balances are involved in the process of entering and leaving the premises.

Until next time, have a great week.

Sincerely,
Mark Joseph Edwards, News Editor
mark@ntsecurity.net
2. ========== SECURITY RISKS ==========
(contributed by Mark Joseph Edwards, mark@ntsecurity.net)

* REGISTRY REQUEST DENIAL OF SERVICE
Before a remote machine's request to access the Registry is processed, it must be authenticated by the Remote Registry server, which runs inside the winlogon.exe process. If the request is malformed in a specific fashion, the Remote Registry server can misinterpret it and crash the entire system.
http://www.ntsecurity.net/go/load.asp?iD=/security/nt4-10.htm

* SPOOFING MCAFEE VIRUSSCAN ALERTS
By default, McAfee VirusScan uses a shared network directory for storing inbound alerts. The directory lets all VirusScan users read, write, and delete files in the shared directory. Because of the loose directory permissions and because alert files are plain text, malicious users can delete valid virus alerts and spoof bogus alerts.
http://www.ntsecurity.net/go/load.asp?iD=/security/mcafee2.htm

* UNIFY EWAVE SERVLETEXEC EXPOSES SOURCE CODE
The Unify eWave ServletExec software exposes source code for its files if a user appends ".jsp" to the end of a generated URL. The vendor is aware of this problem but has not yet responded.
http://www.ntsecurity.net/go/load.asp?iD=/security/servlet1.htm

* PATH EXPOSURE AND BUFFER OVERRUN IN CEILIDH
By using a specially crafted POST statement, an intruder can spawn multiple copies of the ceilidh.exe program, where each process takes approximately 1 percent of available CPU cycles and approximately 700KB of memory. Because memory resources are not freed properly, the intruder can deny service to a Web system hosting the software. The vendor is aware of this problem but has not yet responded.
http://www.ntsecurity.net/go/load.asp?iD=/security/ceilidh1.htm

* FIREWALL-1 DENIAL OF SERVICE
A Denial of Service (DoS) condition caused by fragmented IP packets exists in version 4.0 of Check Point's FireWall-1.
According to Check Point, if a person uses the jolt2 program to send a stream of extremely large IP fragments to a FireWall-1 gateway, the action might cause the write mechanism to consume all CPU resources on the firewall system. Check Point is working on a fix and has provided a workaround for use in the meantime.
http://www.ntsecurity.net/go/load.asp?iD=/security/fw1-2.htm

* BUFFER OVERFLOW CONDITION IN ESERV
A malicious user can crash the EServ Web Server by sending it long queries. Because of an unchecked buffer condition, the user can run arbitrary code on the server.
http://www.ntsecurity.net/go/load.asp?iD=/security/eserv1.htm

* CIRCUMVENTING IE CROSS-FRAME SECURITY
Georgi Guninski discovered that by using JavaScript to access the Document Object Model (DOM) of HTML documents, an intruder can circumvent Microsoft Internet Explorer's (IE's) cross-frame security policy. The problem allows reading local files, reading files from other hosts, window spoofing, and cookie exposure. The cause is that when the NavigateComplete2 event fires, it passes a WebBrowser control as an argument. The WebBrowser control has an accessible document property that allows access to the DOM of the target document.
http://www.ntsecurity.net/go/load.asp?iD=/security/ie521.htm

* WIN2K/NT DENIAL OF SERVICE VIA INVALID SMB FIELD
Sending Server Message Block (SMB) requests to a Windows 2000 or Windows NT system without acknowledging those requests causes Denial of Service (DoS) conditions against the system. Microsoft is aware of this matter but has not yet responded.
http://www.ntsecurity.net/go/load.asp?iD=/security/win2k-6.htm

* IE MISHANDLES SSL CERTIFICATES
According to a Microsoft bulletin, two vulnerabilities exist in the way Internet Explorer (IE) handles digital certificates.
When a user connects to a secure server via either an image or a frame, IE verifies only that the server's Secure Sockets Layer (SSL) certificate was issued by a trusted root; it does not verify the server name or the expiration date. When a connection is made via any other means, all expected validation is performed. The second issue is that even when the initial validation is made correctly, IE does not revalidate the certificate if a new SSL session is established with the same server during the same IE session.
http://www.ntsecurity.net/go/load.asp?iD=/security/ie5-20.htm

* NT SUBJECT TO USER SESSION KEY REUSE
When an administrator uses usrmgr.exe or srvmgr.exe to remotely add users or workstations to a domain or to change a user's password, the tool sends an encrypted 516-byte password block over the network. An intruder can intercept the data block and take it apart to reveal a User Session Key, which the intruder can then use to decrypt further communication intercepted between the administrator and the domain controllers. For example, if an administrator changes a user's password remotely, the intruder can use the captured User Session Key to decrypt that password and reveal the clear-text version. Microsoft is aware of this matter but has not yet responded.
http://www.ntsecurity.net/go/load.asp?iD=/security/nt4-9.htm

* WIN2K AND NT SMB-BASED DENIAL OF SERVICE
If a Distributed Computing Environment (DCE)/Remote Procedure Call (RPC) request is encapsulated inside a Server Message Block (SMB) request along with an invalid data length field, the system crashes, and a reboot is necessary to restore functionality. Microsoft is aware of the problem but has not yet responded.
http://www.ntsecurity.net/go/load.asp?iD=/security/win2k-7.htm
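The IE certificate item above names the two checks a client must never skip when it loads content over SSL: the server name and the validity period, and both must be run again for every new SSL session rather than remembered from an earlier one. The following Python is an added example written for this newsletter's readers; it is not code from Microsoft or from the original issue. It models a certificate as a constructed dict of already-parsed X.509 fields (TRUSTED_ROOTS, the GOOD, WRONG_NAME and EXPIRED certificates, and the NOW clock are all assumptions) and shows the decision logic a client needs, with a per-host cache of the flawed kind beside the per-session check that replaces it.

```python
"""Server-certificate checks a TLS client must run on every new session.

Added example, not code from the newsletter or from Microsoft. A
certificate is modelled as a constructed dict of already-parsed X.509
fields; only the decision logic is shown, not ASN.1 parsing."""
from datetime import datetime, timezone

# Constructed trust store: issuers the client accepts as trusted roots.
TRUSTED_ROOTS = {"Example Root CA"}


def hostname_matches(pattern, host):
    """RFC 2818-style name match: exact, or a wildcard that stands for
    exactly one label and appears only in the left-most position."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), host.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def validate_cert(cert, host, now):
    """Return the list of failed checks; an empty list means accepted.
    Every check runs, so the caller sees all problems at once."""
    failures = []
    if cert["issuer"] not in TRUSTED_ROOTS:
        failures.append("untrusted issuer")   # the only check IE kept for images/frames
    names = [cert["subject_cn"]] + cert.get("san", [])
    if not any(hostname_matches(n, host) for n in names):
        failures.append("name mismatch")      # first skipped check: server name
    if now < cert["not_before"]:
        failures.append("not yet valid")
    if now > cert["not_after"]:
        failures.append("expired")            # second skipped check: validity period
    return failures


class SessionValidator:
    """Per-session validation. With revalidate=False it behaves like the
    second IE issue: once a host name has been accepted, later sessions to
    that host are trusted without looking at the certificate they present."""

    def __init__(self, revalidate=True):
        self.revalidate = revalidate
        self._accepted_hosts = set()

    def new_session(self, host, cert, now):
        if not self.revalidate and host in self._accepted_hosts:
            return []  # flawed shortcut: reuses a decision made for another session
        failures = validate_cert(cert, host, now)
        if not failures:
            self._accepted_hosts.add(host)
        return failures


# Constructed sample certificates and clock (all assumptions).
UTC = timezone.utc
NOW = datetime(2000, 6, 14, tzinfo=UTC)
GOOD = {
    "subject_cn": "www.example.com", "san": ["*.example.com"],
    "issuer": "Example Root CA",
    "not_before": datetime(2000, 1, 1, tzinfo=UTC),
    "not_after": datetime(2001, 1, 1, tzinfo=UTC),
}
WRONG_NAME = dict(GOOD, subject_cn="other.example.net", san=[])
EXPIRED = dict(GOOD, not_after=datetime(2000, 5, 31, tzinfo=UTC))

if __name__ == "__main__":
    for label, cert in [("good", GOOD), ("wrong name", WRONG_NAME), ("expired", EXPIRED)]:
        print(f"{label:10s} -> {validate_cert(cert, 'www.example.com', NOW) or 'accepted'}")
    flawed, strict = SessionValidator(revalidate=False), SessionValidator()
    for v in (flawed, strict):
        v.new_session("www.example.com", GOOD, NOW)
        print(f"revalidate={v.revalidate}: second session with expired cert ->",
              v.new_session("www.example.com", EXPIRED, NOW) or "accepted")
```

Run stand-alone, the script shows the wrong-name and expired certificates rejected by validate_cert, and then the two validators diverging on a second session to the same host: the flawed one accepts the expired certificate because the host name was accepted earlier, the strict one reports "expired". The wildcard matcher deliberately refuses to let `*.example.com` cover `example.com` or `a.b.example.com`, the two mistakes that most often creep into hand-written name checks.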
3. ========== ANNOUNCEMENTS ==========

* CONFERENCE AND EXPO ON WINDOWS 2000/NT 4.0 SECURITY AND CONTROL
The Conference and Expo on Windows 2000/NT 4.0 Security and Control comes to Boston, July 11 through 13, 2000, with optional workshops on July 10 and July 13. Produced by MIS Training Institute and cosponsored by Windows 2000 Magazine, this conference is the place to gain the technical skills you need to implement and exploit Microsoft's newest OS. For more details or to register, call 508-879-7999, ext. 346, or go to http://www.misti.com/conference_show.asp?id=NT00US.

* WIN2000MAG.NET--A MILE DEEP
Introducing the Windows 2000 Magazine Network, a portal site with a distinct advantage--deep content. Scour more than 10,000 articles from two magazines, three newsletters, and a dozen Web sites. Search easily for impartial, straightforward solutions so that you can find the answer you need, and get on with things. Raise Your IT IQ at http://www.win2000mag.net.

4. ========== SECURITY ROUNDUP ==========

* MICROSOFT RELEASES OUTLOOK SECURITY UPDATE
Microsoft has released the anticipated Outlook Security Update, which was prompted in part by the rapid spread of the VBS/Loveletter virus. The update works for Outlook 2000 and Outlook 98 with Office Service Release 1 (SR1) to prevent certain file types from taking action within the mail client without the user's direct intervention. According to Steven Sinofsky, senior vice president of Microsoft Office, the update provides four key benefits to Outlook users. It prevents users from accessing potentially unsafe email attachments; it intercepts programmatic attempts to access an Outlook Address Book; it warns with a dialog box if a program tries to send email; and it changes security zone settings from the Internet Zone to the Restricted Zone. Before you apply the update, be sure to read Microsoft articles Q262634 and Q262631 to learn more details, including the current known limitations.
You can download the update from Microsoft's Office Update Web site.
http://www.officeupdate.com
http://support.microsoft.com/support/kb/articles/Q262/6/34.asp
http://support.microsoft.com/support/kb/articles/Q262/6/31.ASP

~~~~ SPONSOR: SUNBELT SOFTWARE--STAT: NT/2000 VULNERABILITY SCANNER ~~~~
Ever had that feeling of ACUTE PANIC that a hacker has invaded your network? Plug NT/2000's over 850 holes before they plug you. You _have_ to protect your LAN _before_ it gets attacked. STAT comes with a responsive web-update service and a dedicated Pro SWAT team that helps you to hunt down and kill security holes. Built by anti-hackers for DOD sites. Download a demo copy before you become a statistic.
http://www.sunbelt-software.com/product.cfm?id=899

5. ========== NEW AND IMPROVED ==========
(contributed by Judy Drennen, products@win2000mag.com)

* MANAGEMENT TOOL STREAMLINES NETWORK SECURITY
Labcal Technologies announced NetPulse, a security management tool for Windows NT. NetPulse enables remote auditing, reporting, setting, and correction of security features from one software installation. A NetPulse trial version is available from Labcal's Web site. For more information, contact Labcal, 877-752-2225.
http://www.labcal.com

* DESKTOP ANTIVIRUS CERTIFIED FOR WIN2K
Trend Micro released PC-cillin 2000, PC virus-protection software certified by VeriTest for Windows 2000. It also runs on Windows NT and Win 9x. PC-cillin 2000 includes real-time email virus scanning, manual-scan capabilities for personal folders, and incremental virus pattern updates. PC-cillin 2000 is available for download for $29.95 or on CD-ROM for $39.95. For additional information, contact Trend Micro, 800-228-5651.
http://www.pc-cillin.com
6. ========== SECURITY TOOLKIT ==========

* BOOK HIGHLIGHT: SECURING INTRANETS
By NIIT
Online Price: $99.00
CD-ROM
Published by NIIT, January 2000
ISBN IT10216040

"Securing Intranets" is a CD-ROM-based training course for system administrators and network administrators who want to protect their networks from the various threats posed by connecting to the Internet. After completing this course, you'll be able to list the encryption techniques and the methods to secure email communication, describe how Pretty Good Privacy (PGP) and RSA work, and describe how firewalls work on different OSs. To order the CD-ROM, go to http://www.fatbrain.com/shop/info/IT10216040?from=win2000mag or visit the Windows 2000 Magazine Network Bookstore at http://www1.fatbrain.com/store.cl?p=win2000mag&s=97772&from=win2000mag.

* TIP: HOW TO RECOVER A LOST ADMINISTRATOR PASSWORD
(contributed by Mark Joseph Edwards, mark@ntsecurity.net)

At some point, most of you will need to retrieve a lost Administrator account password. As I tell those who email me for help in this situation, you have two basic choices: you must either brute-force crack it or reset it to something known. Resetting the password takes much less time than brute-force cracking, so it's the more cost-effective way to handle the situation.

If you do want to brute-force crack the password to see what it was set to, you need to use a tool such as L0phtcrack, and you must obtain a copy of the system's SAM database using NTFSDOS or a Linux boot disk with NTFS drivers on it. Either of those tools lets you boot a system from a disk and read the installed NTFS partitions. You can find NTFSDOS at Winternals (http://www.winternals.com), and Linux boot disks are available at various sites, such as Ken Pfeil's NT Toolbox Web site (http://www.nttoolbox.com). But if you have access to the SAM database, why not just reset the Administrator password to something known and be done with it?
In that scenario, you can use NT Locksmith, also available at the Winternals Web site. If you must have a cost-free way to recover the password, use a Linux boot disk that comes with a tool that can perform that action. The Linux boot disk available for free download at The NT Toolbox site can reset a Windows NT system's Administrator password. Of course, you get what you pay for, so don't expect a ton of documentation or an experienced professional waiting for you to call for help. But using the boot disk to reset a password is much easier and quicker than reinstalling NT, so it's worth any problems you encounter.

I think every security administrator should have a copy of a Linux boot disk such as the one at NT Toolbox. After you download the zip file, unzip it and run the included executable file to create the actual boot disk. While you're at The NT Toolbox, be sure to check out the other great security-related tools available for download.
http://www.nttoolbox.com/public/tools/LinNT.zip
http://www.nttoolbox.com

* WINDOWS 2000 SECURITY: CHECKING YOUR CURRENT CONFIGURATION IN GROUP POLICY
Although you might have a good idea of what a system's security configuration should be from your knowledge of the Group Policy Objects relevant to that system, wouldn't you like to see your system's actual configuration? In this installment of Randy Franklin Smith's biweekly column, he explains step by step how you can achieve that goal. Be sure to stop by our Web site and read the entire article.
http://www.ntsecurity.net/go/win2ksec.asp

7. ========== HOT THREADS ==========

* WINDOWS 2000 MAGAZINE ONLINE FORUMS
The following text is from a recent threaded discussion on the Windows 2000 Magazine online forums (http://www.win2000mag.net/forums).
June 08, 2000 03:26 PM
Security Configuration Manager

I have been looking at the MMC plug-in Security Configuration Manager, and like what I see: a simple interface for creating a security baseline; however, it only operates if you are working locally on the server. Ideally, I would like to run the application on my admin workstation and remotely analyze and configure the servers. Question: Does anyone know how to get around this limitation?

Thread continues at http://www.win2000mag.net/Forums/Application/Thread.cfm?CFApp=64&Thread_ID=38900&mc=3.

* WIN2KSECADVICE MAILING LIST
Each week we offer a quick recap of some of the highlights from the Win2KSecAdvice mailing list. The following thread is in the spotlight this week.

Reporting Security Issues to Microsoft

There's been a recent increase in the number of postings whose theme is "I reported this to Microsoft but never heard anything back." In each case, we've checked our records but, in most cases, found no record of the issue having been sent to the Security Response Center. We answer every email and track every report we receive, so we believe that the reports in question may have been sent to other email addresses at Microsoft.
http://www.ntsecurity.net/go/w.asp?A2=IND0006b&L=WIN2KSECADVICE&P=517

Follow this link to read all threads for June, Week 2:
http://www.ntsecurity.net/go/w.asp?A1=ind0006b&L=win2ksecadvice

* HOWTO MAILING LIST
Each week we offer a quick recap of some of the highlights from the HowTo for Security mailing list. The following thread is in the spotlight this week.

Trojan-like Activity with ICMP

I've been at a customer site the last few days trying to track down this issue. They have multiple internal client machines trying to hit a couple of different external addresses with a Type 3 Internet Control Message Protocol (ICMP) request. We're blocking the clients at the firewall, so ICMP is not getting out of the network, but I cannot get the client machines to stop broadcasting.
I've tried various Trojan cleaners and zombie zappers to no avail. Most of the clients are SP5 or SP6. Here's what icmpsnif found when executing on one of the clients (note that the source address isn't on their network, so I'm assuming that it is spoofed).
http://www.ntsecurity.net/go/L.asp?A2=IND0006b&L=HOWTO&P=80

Follow this link to read all threads for June, Week 2:
http://www.ntsecurity.net/go/l.asp?A1=ind0006b&L=howto

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

WINDOWS 2000 MAGAZINE SECURITY UPDATE STAFF
News Editor - Mark Joseph Edwards (mje@win2000mag.com)
Ad Sales Manager (Western) - Jim Langone (jim@win2000mag.com)
Ad Sales Manager (Eastern) - Tanya T. TateWik (ttatewik@win2000mag.com)
Associate Publisher/Network - Martha Schwartz (mschwartz@win2000mag.com)
Editor - Gayle Rodcay (gayle@win2000mag.com)
New and Improved - Judy Drennen (products@win2000mag.com)
Copy Editor - Judy Drennen (jdrennen@win2000mag.com)

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

========== GET UPDATED! ==========
Receive the latest information about the Windows 2000 and Windows NT topics of your choice, including Win2K Pro, Exchange Server, thin-client, training and certification, SQL Server, IIS administration, XML, application service providers, and more. Subscribe to our other FREE email newsletters at http://www.win2000mag.com/sub.cfm?code=up00inxwnf.

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

Thank you for reading Security UPDATE.
You are subscribed as packet@PACKETSTORM.SECURIFY.COM.

SUBSCRIBE
To subscribe, send a blank email to subscribe-Security_UPDATE@list.win2000mag.net.

UNSUBSCRIBE
To unsubscribe, send an email to U-A3.15.87030@list.win2000mag.net. Or click http://go.win2000mag.net:80/UM/U.ASP?A3.15.87030 and you will be removed from the list. Thank you!

If you have questions or problems with your UPDATE subscription, please contact securityupdate@win2000mag.com.
___________________________________________________________ Copyright 2000, Windows 2000 Magazine