Security UPDATE, January 8, 2003

Windows & .NET Magazine Security UPDATE—brought to you by Security Administrator, a print newsletter bringing you practical, how-to articles about securing your Windows .NET Server, Windows 2000, and Windows NT systems.
http://www.secadministrator.com


THIS ISSUE SPONSORED BY

Black Hat Briefings & Training: Windows Security

Wireless Technologies Survey
(below IN FOCUS)


SPONSOR: BLACK HAT BRIEFINGS & TRAINING: WINDOWS SECURITY

Attend the world's premier technical event for Windows and .Net security experts, February 25-28, Seattle. Six tracks, seven training sessions and full support by Microsoft. See for yourself what the Black Hat buzz is all about.


January 8, 2003—In this issue:

1. IN FOCUS

  • Phasing In Trustworthy Computing

2. SECURITY RISKS

  • Protection Bypass Vulnerability in Pedestal Software's Integrity Protection Driver for Win2K

3. ANNOUNCEMENTS

  • Planning on Getting Certified? Make Sure to Pick Up Our New eBook!
  • The Microsoft Mobility Tour Is Coming Soon to a City Near You!

4. SECURITY ROUNDUP

  • Microsoft Releases ISA Server Feature Pack 1
  • Feature: Customizing Dimension Security
  • News: Network-1 to Discontinue CyberwallPLUS Firewall
  • News: Eight Tips to Better Secure Email

5. INSTANT POLL

  • Results of Previous Poll: ICSA Firewall Certification
  • New Instant Poll: ISA Server 2000

6. SECURITY TOOLKIT

  • Virus Center
  • FAQ: How Can I Protect My System from a Denial of Service (DoS) Attack?

7. NEW AND IMPROVED

  • Scan Domino Servers for Vulnerabilities
  • Protect Networks Against Insider Attacks
  • Submit Top Product Ideas

8. HOT THREAD

  • Windows & .NET Magazine Online Forums
  • Featured Thread: I Can't Connect to Windows .NET Server with Remote Desktop Connection

9. CONTACT US
See this section for a list of ways to contact us.


1. IN FOCUS
(contributed by Mark Joseph Edwards, News Editor, [email protected])

  • PHASING IN TRUSTWORTHY COMPUTING

  • As you know, 1 year ago, Microsoft announced its Trustworthy Computing initiative. The first phase of the initiative included examining the current state of security in the company's products and educating its developers so that they could write more secure code from the ground up. (As an aside, Microsoft's efforts toward security include the 72 security patches published in 2002 for the company's existing software packages.)

    The second phase of Trustworthy Computing, which Microsoft calls "Designed for Trust," is well underway. As Craig Mundie, senior vice president and chief technical officer, advanced strategies and policy for Microsoft, pointed out in November 2002, "[The second phase] involves intercepting several products in mid-development and building in new approaches to security." Part of the effort produced Windows XP Service Pack 1 (SP1) and will produce Windows .NET Server (Win.NET Server) 2003, slated for release about April of this year. In addition, the company is working on "several Web security standards," which are bound to include Web Services Security Language (WS-Security). You can learn more about WS-Security in Christa Anderson's article "WS-Security Sets Standard for Web Services Transactions" (see the first URL below) and in the June 12, 2002, Security UPDATE newsletter (see the second URL below).
    http://www.secadministrator.com/articles/index.cfm?articleid=24401
    http://www.secadministrator.com/articles/index.cfm?articleid=25593

    According to a story at "eWeek" (see the URL below), the second phase of Trustworthy Computing also includes Prescriptive Architectural Guidance. The story states that the guidance "will lay out instructions for ways IT managers can lock down Windows 2000 machines. Under the guidelines, OEMs such as Dell Computer Corp. will be able to configure systems to customer specifications, including turning off unwanted services and features, such as active scripting in Internet Explorer [IE]."
    http://www.eweek.com/article2/0,3959,808254,00.asp

    You'll find even more ways to eliminate unwanted services in the upcoming Win.NET Server release. In the past, Windows server and workstation installations activated many services, and users had to use a checklist to disable unwanted services. However, Win.NET Server includes a technology called Secure Server Roles (SSR), which helps users configure their servers through a series of questions and answers. After users answer questions about how they'll use the server in a given network environment, unnecessary services are left inactive, which lessens the chances of intrusion through inadvertent service provision.

    In addition, Win.NET Server will include the option of having the server act as an intermediary—by pulling Microsoft patches into the network and automatically sending them out to workstations and servers. The technology is already available as Microsoft Software Update Services (SUS). SUS runs on Win.NET Server and Win2K Server and can deploy patches to XP and Win2K systems. The update service is a great concept that could potentially save companies a lot of time and effort; however, in some instances, patches still break system functionality and on rare occasions reintroduce previously patched problems. Microsoft patch testing must become more thorough—in fact, impeccable—if the company expects users to adopt automatic updates with total confidence.

    The third phase of the Trustworthy Computing initiative, which Microsoft calls "Architected for Trust," involves products still on the drawing board. Among those products, presumably, are the next version of Windows, code-named Longhorn, and the new security subsystem, code-named Palladium. To learn more about Longhorn and Palladium, search our Web sites at the URLs below.
    http://search.win2000mag.net/query.html?col=0&qt=longhorn
    http://search.win2000mag.net/query.html?col=0&qt=palladium

    At this point, Microsoft's initiative seems to be working to some extent. However, the bulk of the company's road map is still to come in future products. Getting more secure and staying more secure will undoubtedly require users to expense new hardware and software. And those who choose to keep their existing platforms for longer periods of time might find themselves gaining more value for their investments, yet at the same time incurring slightly higher risks. How the initiative balances out in the long run remains to be seen.


    SPONSOR: WIRELESS TECHNOLOGIES SURVEY

    TELL US WHAT YOU THINK ABOUT WIRELESS TECHNOLOGIES!
    Take our short, confidential survey on wireless technologies and you could win an HP 1.3 megapixel digital camera worth $300. Click here!


2. SECURITY RISKS
(contributed by Ken Pfeil, [email protected])

  • Protection Bypass Vulnerability in Pedestal Software's Integrity Protection Driver for Win2K

  • A vulnerability in Pedestal Software's Integrity Protection Driver (IPD) 1.3 for Windows 2000 can result in the driver's kernel protection being bypassed. By using a certain function in Win2K, a potential attacker can bypass the IPD by creating a symbolic link that points to the Windows driver's directory. The vendor has released IPD 1.4, which isn't vulnerable to this condition.
    http://www.secadministrator.com/articles/index.cfm?articleid=37570

3. ANNOUNCEMENTS
(brought to you by Windows & .NET Magazine and its partners)

  • PLANNING ON GETTING CERTIFIED? MAKE SURE TO PICK UP OUR NEW EBOOK!

  • "The Insider's Guide to IT Certification" eBook is hot off the presses and contains everything you need to know to help you save time and money while preparing for certification exams from Microsoft, Cisco Systems, and CompTIA and have a successful career in IT. Get your copy of the Insider's Guide today!

  • THE MICROSOFT MOBILITY TOUR IS COMING SOON TO A CITY NEAR YOU!

  • This outstanding seven-city event will help support your growing mobile workforce. Industry guru Paul Thurrott discusses the coolest mobility hardware solutions around, demonstrates how to increase the productivity of your "road warriors" with the unique features of Windows XP and Office XP, and much more. You could also win an HP iPAQ Pocket PC. There is no charge for these live events, but space is limited so register today! Sponsored by Microsoft, HP, and Toshiba.

4. SECURITY ROUNDUP

  • NEWS: MICROSOFT RELEASES ISA SERVER FEATURE PACK 1

  • Yesterday, Microsoft announced the release of Internet Security and Acceleration (ISA) Server 2000 Feature Pack 1, a set of add-ons that enhance the security for Microsoft Exchange Server, IIS, and Outlook Web Access (OWA) and improve ease of use for administrators.
    http://www.secadministrator.com/articles/index.cfm?articleid=37583

  • FEATURE: Customizing Dimension Security

  • A virtual cube can provide flexible, scalable security. The virtual-cube approach uses a separate fact table to store all the allowed combinations of usernames and dimension members. Because the number of records in a fact table is unlimited, you have the flexibility you need to define specific privileges for your users. Read more about virtual cubes in Russ Whitney's article from SQL Server Magazine on our Web site.

  • NEWS: Network-1 to Discontinue CyberwallPLUS Firewall

  • Network-1 Security Solutions announced that it would discontinue its CyberwallPLUS firewall product line. The company announced in November that it didn't expect the product line to be profitable. Network-1, which has also reduced its staff, is seeking a merger and might sell the CyberwallPLUS product line to an interested buyer.
    http://www.secadministrator.com/articles/index.cfm?articleid=37548

  • NEWS: Eight Tips to Better Secure Email

  • 800onemail, a secure email service provider, published a list of eight tips to help companies better secure their email systems. With the New Year just arrived, it's a good time to turn over a new leaf toward all-around security, email systems included.
    http://www.secadministrator.com/articles/index.cfm?articleid=37547

5. INSTANT POLL

  • RESULTS OF PREVIOUS POLL: ICSA FIREWALL CERTIFICATION

  • The voting has closed in Windows & .NET Magazine's Security Administrator Channel nonscientific Instant Poll for the question, "Do you consider ICSA Labs Certification as a factor when you select a firewall?" Here are the results from the 164 votes. (Deviations from 100 percent are due to rounding error.)
    - 37% Yes
    - 52% No
    - 10% No, but we will

  • NEW INSTANT POLL: ISA SERVER 2000

  • The next Instant Poll question is, "Does your company use Microsoft Internet Security and Acceleration (ISA) Server 2000?" Go to the Security Administrator Channel home page and submit your vote for a) Yes, b) No, or c) No, but we intend to implement it.
    http://www.secadministrator.com

6. SECURITY TOOLKIT

  • VIRUS CENTER

  • Panda Software and the Windows & .NET Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security.
    http://www.secadministrator.com/panda

  • FAQ: HOW CAN I PROTECT MY SYSTEM FROM A DENIAL OF SERVICE (DoS) ATTACK?

  • (contributed by John Savill, http://www.windows2000faq.com)

    A. Firewall products can protect your machines from DoS attacks, and you should use a firewall whenever possible. However, built-in Windows functionality can also help protect against DoS attacks and quickly time out SYN requests. To enable this functionality, perform the following steps:

    1. Start a registry editor (e.g., regedit.exe).
    2. Navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters registry subkey.
    3. From the Edit menu, select New, DWORD Value.
    4. Enter the name SynAttackProtect, then press Enter.
    5. Double-click the new value, set it to 2, then click OK.
    6. Close the registry editor.
    7. Reboot the machine.

    The SynAttackProtect default value is 0, which offers no protection. A value of 1 limits the number of SYN retries and delays the route cache entry when the maximum number of open TCP connections (i.e., the connections in the SYN_RECEIVED state known as TcpMaxHalfOpen) and retries (i.e., TcpMaxHalfOpenRetried) has been met. When SynAttackProtect has a value of 2, the effect is similar to when the value is set to 1 but includes a delayed Winsock notification until the three-way handshake involved in the SYN process is complete. Because Windows invokes the SynAttackProtect value only after the system exceeds the TcpMaxHalfOpen and TcpMaxHalfOpenRetried values, I recommend that you also create the TcpMaxHalfOpen and TcpMaxHalfOpenRetried values under the same registry key (both DWORD values) and set them to 100 and 80, respectively.
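
The registry steps above can also be scripted. The following PowerShell sketch is an added example, not part of the original FAQ: it audits the three DWORD values the FAQ names and, when run elevated with `-Apply` (a switch name chosen for this script), creates or corrects them. It assumes a system on which PowerShell is installed.

```powershell
# Added example (not from the newsletter): audit, and optionally set, the three
# DWORD values the FAQ recommends. -Apply is this script's own switch name.
param([switch]$Apply)

$path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
# Value names and data exactly as given in the FAQ.
$desired = @{
    SynAttackProtect      = 2
    TcpMaxHalfOpen        = 100
    TcpMaxHalfOpenRetried = 80
}

$key     = Get-Item -Path $path          # Microsoft.Win32.RegistryKey
$present = $key.GetValueNames()
$pending = @()

foreach ($name in ($desired.Keys | Sort-Object)) {
    $want = $desired[$name]
    if ($present -notcontains $name) {
        $state = 'missing'
    } elseif ($key.GetValueKind($name) -ne 'DWord') {
        # A value of the wrong type (e.g. a string "2") must be recreated.
        $state = 'wrong type: ' + $key.GetValueKind($name)
    } elseif ($key.GetValue($name) -ne $want) {
        $state = 'set to ' + $key.GetValue($name)
    } else {
        $state = 'ok'
    }
    '{0,-22} want={1,-4} {2}' -f $name, $want, $state
    if ($state -ne 'ok') { $pending += $name }
}

if ($Apply -and $pending.Count -gt 0) {
    foreach ($name in $pending) {
        # -Force replaces an existing value, including one of the wrong type.
        New-ItemProperty -Path $path -Name $name -PropertyType DWord `
            -Value $desired[$name] -Force | Out-Null
    }
    'Updated: {0}. Reboot so the new values take effect.' -f ($pending -join ', ')
} elseif ($pending.Count -gt 0) {
    'Re-run elevated with -Apply to set: {0}' -f ($pending -join ', ')
}
```

Run without `-Apply`, the script only reports, which makes it usable as a drift check across servers before any change is made.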

7. NEW AND IMPROVED
(contributed by Sue Cooper, [email protected])

  • SCAN DOMINO SERVERS FOR VULNERABILITIES

  • Application Security announced AppDetective for Lotus Domino, an application security scanner that performs network-based penetration testing and vulnerability assessments. The software locates, examines, reports, and helps fix security holes in Lotus Domino Groupware and Web Application Servers. The product supports Lotus Domino 4.5 through Lotus Domino 6.x, Windows XP Professional, Windows 2000 Professional, and Windows NT. Contact Application Security at 212-420-9270, 866-927-7732, and [email protected].
    http://www.appsecinc.com

  • PROTECT NETWORKS AGAINST INSIDER ATTACKS

  • SmartLine released PortsLock, a software firewall with user-level access controls for Windows XP, Windows 2000, and Windows NT. It's transparent to your users and compatible with their other firewalls and routers. PortsLock can block access to network resources for your users or groups, control access based on time of day and day of the week, audit network activity for users or groups, and monitor applications' network activities in real time for possible malicious programs. The price of a single license is $50; a site license is $2000. Contact SmartLine on the Web.
    http://www.protect-me.com

  • SUBMIT TOP PRODUCT IDEAS

  • Have you used a product that changed your IT experience by saving you time or easing your daily burden? Do you know of a terrific product that others should know about? Tell us! We want to write about the product in a future What's Hot column. Send your product suggestions to [email protected].

8. HOT THREAD

  • WINDOWS & .NET MAGAZINE ONLINE FORUMS

  • http://www.winnetmag.com/forums

    Featured Thread: I Can't Connect to Win.NET Server with Remote Desktop Connection
    (One message in this thread)

    A user uses Windows .NET Server (Win.NET Server) 2003 and Windows 2000 Server Terminal Services, but when he connects to the server with Remote Desktop Connection, he receives an error. He enters the username, password, and domain, and the response he receives states "You do not have the proper encryption level to access this session." How can he configure the correct encryption level? Lend a hand or read the responses:
    http://www.winnetmag.com/forums/rd.cfm?cid=42&tid=52124

9. CONTACT US
Here's how to reach us with your comments and questions:
