Security UPDATE--Gates Outlines New Security Technologies at RSA--February 22, 2006

1. In Focus: Gates Outlines New Security Technologies at RSA

2. Security News and Features

- Recent Security Vulnerabilities

- $10,000 Bug Bounty Offered

- 7 Microsoft Security Bulletins for February 2006

- Get Smart: Enterprise Antispyware

3. Security Toolkit

- Security Matters Blog

- FAQ

- Security Forum Featured Thread

- Instant Poll

- Share Your Security Tips

4. New and Improved

- RSA 2006 Product Announcement Roundup

==== Sponsor: DSRAZOR for Windows ====

DSRAZOR for Windows, from Visual Click, is your answer to a more secure and manageable network environment. Whether your organization is big or small, DSRAZOR's patented drag-n-drop interface gives you the power to build a more stable and secure network, with a click of the mouse!

Time for Network Compliance? Let Visual Click's DSRAZOR for Windows help you become compliant! Receive detailed reports of all security settings and definitions for your Active Directory. DSRAZOR will give you the ability to pinpoint specific security weaknesses. Register for your Free Assessment today!

http://www.visualclick.com/content/dsrazorw.htm?source=ITProISU2

==== 1. In Focus: Gates Outlines New Security Technologies at RSA ====

by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Microsoft Chairman and Chief Software Architect Bill Gates gave the first keynote address at last week's RSA Conference in San Jose, California. Gates outlined four areas that he thinks the industry needs to focus on: a trust ecosystem, better engineering, simplification of security for administrators and end users, and fundamentally secure platforms.

Gates stressed a need to create platforms that are less tedious to build and use. He pointed out that the systems of yesteryear were secure primarily because of their isolated nature. However, the Internet changed that situation for many systems. Better authentication is a key need in this area; Gates said that "\[passwords\] are very quickly becoming the weak link" in terms of security and pointed to phishing attacks as proof. "We need to move to multifactor authentication," he continued and said that support for technology such as smart cards needs to be built down into the system itself.

Howard Ting, of the Microsoft Windows Server products division, helped the audience visualize aspects of Microsoft's trust ecosystem concept. Ting demonstrated the new Certificate Lifecycle Manager (CLM), which entered beta testing last week. CLM simplifies the management of digital certificates and the provisioning of smart cards. The product lets users provision a new card, protect it with a PIN, and download their certificates from Active Directory (AD) to the new card.

Ting also demonstrated a new feature of Windows Vista and Longhorn--Network Access Protection (NAP)--that helps enforce company policies. For example, if a system doesn't have the latest service packs and updates installed, NAP denies that machine network access except for any access required to download and install the required updates. NAP can automatically install updates without the user having to take any particular action. Once the machine is in compliance, it can join the network.

Another key demonstration was Active Directory Federation Services (ADFS), which is part of Windows Server 2003 Release 2 (R2). ADFS allows companies to establish trusts to streamline user identification and authentication across those companies. Effectively, ADFS can provide a method of single sign-on (SSO), which greatly simplifies a computer user's experience.

Gates presented Microsoft's new digital InfoCard technology as a way for people to gain more control over authentication processes and access to their private information. In a related demonstration, Microsoft employee Richard Turner showed how user-created InfoCards can be used to store credentials, such as a person's real name, username, and password, and can then be used to streamline logon to Web sites. Turner also showed how an InfoCard could be issued by a third-party vendor and then used in an e-commerce transaction without disclosing private information. In his example, Turner showed Vista contacting the vendor that issued the InfoCard to obtain a token, then sending the token to the e-commerce site instead of sending the user's private information.

In effect, InfoCards issued by third parties are somewhat similar to digital certificates in that one entity vouches for another's identity. But the similarities probably end there. InfoCards are more flexible than certificates because they can store varying types of information and protect user's private information from unnecessary disclosure.

Gates' closed his keynote presentation by suggesting that the industry is only in the beginning stages of building the trust ecosystem. "We've all got a common challenge here and yet an amazing opportunity to let these digital systems be used in the broadest way," he said.

==== Sponsor: Thawte ====

Secure Your Online Data Transfer with SSL

Increase your customers' confidence and your business by securely collecting sensitive information online. In this free white paper you'll learn about the various applications of SSL certificates and their appropriate deployment, along with details of how to test SSL on your web server.

http://www.windowsitpro.com/go/whitepapers/thawte/ssl?code=SECMid0222

==== 2. Security News and Features ====

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at

http://www.windowsitpro.com/departments/departmentid/752/752.html

$10,000 Bug Bounty Offered

iDefense announced that it will pay $10,000 to anyone who discovers a bug in a Microsoft product that results in a new Microsoft Security Bulletin with a severity rating of critical. But there's one slight catch: You must report your discovery by March 31, 12 midnight, Eastern Standard Time.

http://www.windowsitpro.com/Article/ArticleID/49416

7 Microsoft Security Bulletins for February 2006

Although Microsoft released seven security updates this month, organizations running Windows Server 2003 Service Pack 1 (SP1), Windows XP SP2, and Microsoft Office 2003 will be able to avoid loading all but one patch (MS06-005--Vulnerability in Windows Media Player Could Allow Remote Code Execution (911565)), assuming that administrators refrain from dangerous interactive activities on servers. Learn more in this article on our Web site.

http://www.windowsitpro.com/Article/ArticleID/49424

Get Smart: Enterprise Antispyware

An increasing threat to business productivity, the prying eyes of spyware can expose crucial information about your enterprise or customers to the outside world. Jeff Fellinge compares three products that expose spyware in the enterprise.

http://www.windowsitpro.com/Article/ArticleID/48830

==== Resources and Events ====

Learn from Paul Robichaux about what to test, how to test, and what results to expect with your disaster recovery plan in this free Essential Guide

http://www.windowsitpro.com/go/essential/xosoft/disasterrecovery/?code=0222emailannc

Get the tools, tips, and training that you need to avoid a messaging meltdown when an outage strikes. View the FREE web seminar today!

http://www.windowsitpro.com/go/seminars/messaging/?partnerref=0222emailannc

Efficiently replicate file changes across WANS without worrying about your remote server backups using the improved Distributed File System in WSS R2. Live Event: March 14, 12:00 P.M. EST

http://www.windowsitpro.com/go/seminars/microsoft/branchoffice/?partnerref=0222emailannc

Use clustering technology to protect your company against network outages, power loss and natural disasters. Live Event: February 28, 12:00 P.M. EST

http://www.windowsitpro.com/go/seminars/xosoft/clustering/?partnerref=0222emailannc

Learn to gather evidence of compliance across multiple systems and link the data to regulatory and framework control objectives. Live Web Seminar: March 1, 12:00 P.M. EST

http://www.windowsitpro.com/go/seminars/bindview/multiregcompliance/?partnerref=0222emailannc

==== Featured White Paper ====

Align compliance with business efficiency, and learn how fax-document management plays a role in your strategy.

http://www.windowsitpro.com/go/whitepapers/esker/docmanagement?code=0222featwp

==== Hot Spot ====

Symantec

Manage your data growth, improve reliability and speed data recovery using continuous data protection.

http://www.windowsitpro.com/go/whitepapers/symantec/dataprotection?code=SECHot0222

==== 3. Security Toolkit ====

Security Matters Blog: Honeyd 1.5

by Mark Joseph Edwards, http://www.windowsitpro.com/securitymatters

A new version of the Honeyd honeypot software is available. According to the Honeyd Web site, Honeyd 1.5 (released February 11) includes a security fix and some new features, including an improved statistics collector, improved subsystems support, and subsystems that emulate open proxies and open mail relays.

http://www.windowsitpro.com/Article/ArticleID/49387

FAQ

by John Savill, http://www.windowsitpro.com/windowsnt20002003faq

Q: How can I clear the cache from Microsoft Internet Explorer (IE)?

Find the answer at http://www.windowsitpro.com/Article/ArticleID/49292

Security Forum Featured Thread: Unable to Access Database in SQL Server 2000

A forum participant writes that when he tried to log in through SQL Query Analyzer by using Windows authentication, the following message appeared:

Unable to connect to server (server name) Server : ODBC: Msg 0, Level 16,State 1

\[Microsoft\] \[ODBC SQL Server Driver\] Timeout expired

If you have an idea about why this might have occurred or what to do about it, join the discussion at

http://forums.windowsitpro.com/web/forum/messageview.aspx?catid=42&threadid=46140&enterthread=y

New Instant Poll

What most excites you about MBSA 2.0?

- Its Microsoft Update functionality

- Its new catalog file for updates

- Its more intuitive UI

- I'm not excited about MBSA 2.0

Go to the Security Hot Topic and submit your vote

http://www.windowsitpro.com/windowssecurity#poll

Share Your Security Tips and Get $100

Share your security-related tips, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions (500 words or less) to [email protected]. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

==== Announcements ====

(from Windows IT Pro and its partners)

The Windows IT Pro Magazine Master CD has it all!

Get the Windows IT Pro Magazine Master CD and get portable, high-speed access to the entire Windows IT Pro article database on CD – that's a library of over 9,000 articles in one place! The newest issue includes BONUS Windows IT Tips and if you sign up now, you will get 25% off. Limited quantities are available, so order now:

https://store.pentontech.com/index.cfm?s=1&promocode=eu2262uc

Save 44% off Exchange & Outlook Administrator

For a limited time, order the Exchange & Outlook Administrator newsletter and SAVE up to $30 off the regular price. You'll discover endless tools and solutions you won't find anywhere else to help you migrate, optimize, administer, backup, recover, and secure Exchange and Outlook. You'll also get FREE, unlimited access to the full online Exchange article database of more than 1000 articles. Subscribe now:

https://store.pentontech.com/index.cfm?s=1&promocode=eu2362ue

==== 4. New and Improved ====

by Mark Joseph Edwards, [email protected]

RSA 2006 Product Announcement Roundup

Many vendors announce new products, product features, and partnerships during the annual RSA Conference, which took place last week in San Jose, California. Here are some highlights:

Axalto announced support for Windows 2000 Service Pack (SP) 4, Windows XP, and Windows Server 2003 with its Cryptoflex .NET smart card; the support is included in Microsoft's Base Smart Card Cryptographic Service Provider, available via Microsoft Windows Update or Microsoft's Download Center.

http://www.axalto.com

RSA Security will release a new SecurID token based on Aladdin Knowledge Systems' eToken USB technology. The USB device will store digital certificates and passwords.

http://www.Aladdin.com/eToken

Liquid Machines announced that Liquid Machines Document Control 6.0 for RMS will enhance Windows Rights Management Services (RMS) with new capabilities that cover operations such as cut, copy, paste, drag and drop, and merge, without removing rights management protection; RMS protection will follow the data to its destination.

http://www.liquidmachines.com

Configuresoft demonstrated new Executive Compliance Dashboards and other features of its Enterprise Configuration Manager 4.8. The dashboards help enforce regulatory mandates and industry standards, such as Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS), and Microsoft security and hardening guides.

http://www.configuresoft.com

Trusted Computing Group (TCG), released TCG Trusted Software Stack 1.2, which is a specification to enable the development of applications for systems that use the Trusted Platform Module 1.2.

http://www.trustedcomputinggroup.org

ZoneLabs (a Check Point Software Technologies company) announced a preview beta of its upcoming 64-bit Windows firewall; the product is due to be officially released in the spring.

http://www.zonelabs.com

Citrix Systems announced the release of Citrix NetScaler Application Firewall Standard Edition, a new version based on the technology of Teros, which Citrix acquired 3 months ago. The new version is designed for midsized enterprises and business units within large companies.

http://www.citrix.com

Postini released its Encryption Manager, a suite of managed security services that can encrypt and secure email message content and connections between email servers.

http://www.postini.com

Altiris announced that its SecurityExpressions solution now supports PCI DSS to help companies that process, transmit, or store credit card data ensure compliance with the PCI DSS requirements.

http://www.altiris.com

PassMark Security and VASCO Data Security International announced a partnership that brings together both companies' authentication solutions into one solution for online banking.

http://www.passmarksecurity.com

http://www.vasco.com

Tell Us About a Hot Product and Get a T-Shirt!

Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to [email protected].

==== Contact Us ====

About the newsletter -- [email protected]

About technical questions -- http://www.windowsitpro.com/forums

About product news -- [email protected]

About your subscription -- [email protected]

About sponsoring Security UPDATE -- [email protected]