Security UPDATE, May 1, 2002

Windows & .NET Magazine Security UPDATE—brought to you by Security Administrator, a print newsletter bringing you practical, how-to articles about securing your Windows .NET Server, Windows 2000, and Windows NT systems.
http://www.secadministrator.com


THIS ISSUE SPONSORED BY

Computer Associates International, Inc. (CA)
http://ca.com/ads/hotdeals

VeriSign—The Value of Trust
http://www.verisign.com/cgi-bin/go.cgi?a=n203987360057000
(below IN FOCUS)


SPONSOR: COMPUTER ASSOCIATES INTERNATIONAL, INC. (CA)

Prevent viruses from halting your business. Keeping out costly viruses is a full-time job. Let CA's eTrust(TM) Virus Defense Solution stop viruses in their tracks, from the gateway to the desktop, while you stay focused on your business. eTrust Virus Defense from Computer Associates is a flexible, nodal-based solution that is also easy on your bottom line. Call 1-800-875-9659 or visit
http://ca.com/ads/hotdeals


May 1, 2002—In this issue:

1. IN FOCUS

  • Should Microsoft Add Another Security-Related Mailing List?

2. SECURITY RISK

  • Automatic Script Execution Vulnerability in Outlook 2002 and Outlook 2000

3. ANNOUNCEMENTS

  • Need 24 x 7 Availability?
  • Win a Personal Cinema Card at the Connected Home Virtual Tour

4. SECURITY ROUNDUP

  • News: Intruders in Europe Might Face Jail Time
  • Feature: SQL Server: Effective Installation
  • Feature: Windows XP Warning Overblown
  • Feature: Wireless Security

5. Instant Poll

  • Results of Previous Poll: Antivirus Defense Location
  • New Instant Poll: Security Information Notification

6. SECURITY TOOLKIT

  • Virus Center
  • FAQ: What Is MBSA?

7. NEW AND IMPROVED

  • Virus Engines Bundled in Email Security Package
  • Enhanced Security for Remote Control with AES

8. HOT THREADS

  • Windows & .NET Magazine Online Forums
    • Featured Thread: How Can I Remove a COM1 Folder?
  • HowTo Mailing List
    • Featured Thread: Email Attachment as an Executable

9. CONTACT US

  • See this section for a list of ways to contact us.

1. IN FOCUS
(contributed by Mark Joseph Edwards, News Editor, [email protected])

  • SHOULD MICROSOFT ADD ANOTHER SECURITY-RELATED MAILING LIST?

  • Did you read the NTBugtraq mailing list last week? If not, you missed some good points that list moderator Russ Cooper made. Cooper points out that Microsoft sometimes falls short in the area of security notifications, as I'm sure many of you will agree (see the URL below). Cooper said, for example, that Microsoft doesn't adequately notify its customers about the release of new service packs, security rollup packages, and security updates for specific products, such as the Outlook Email Security Update. In addition, the company doesn't directly notify customers when it releases new security tools, such as Microsoft Baseline Security Analyzer (MBSA), HFNetChk, and URLScan for Microsoft IIS.
    http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0204&L=ntbugtraq&F=P&S=&P=9960

    Without such notification, customers remain unaware of new security-related tools and patch packages—at least until word gets out through security-related mailing lists or until members of the press learn about the tools and packages and publish articles that notify readers. The lack of notification also makes Microsoft customers do extra work. Cooper notes, for example, that installing Microsoft's security rollup packages often eliminates the need to install numerous individual patches because the rollup packages contain all the patches released to date. In addition, security rollup packages might contain additional patches not related to a specific Microsoft security bulletin.

    Cooper didn't but could have included security-related TechNet articles among the examples that support his point. Sometimes, Microsoft releases security information exclusively in TechNet articles but doesn't notify customers about the articles. The recent Microsoft article "Denial of Service Attack on Port 445 May Cause Excessive CPU Use," which outlines registry tweaks that help prevent Denial of Service (DoS) attacks, is a case in point. Microsoft released the article in mid-April to help administrators, but didn't notify customers about it. Instead, customers found out through mailing lists and news reports. We published a related news story ("Microsoft Article Q320751: Denial of Service Workarounds") in last week's Security UPDATE (see the URL below).
    http://www.secadministrator.com/articles/index.cfm?articleid=24930

    If you read that news story and clicked the embedded link to the Microsoft article, you know that the article was on the TechNet Web site at the time of publication. However, when I looked for the article Monday, someone had removed it from the TechNet Web site. What's going on? I don't know because Microsoft doesn't publish any information in such instances—so it's a case of now you see it, now you don't!

    Microsoft apparently has at least two approaches to security-related notifications: one approach for issued security bulletins and another for other security-related matters. Cooper believes that in addition to security-related hotfixes, Microsoft should issue a security bulletin every time the company releases a security-related patch or tool. That's a good idea, but perhaps publishing all security-related information in security bulletins might not be the best way to handle such user notification.

    Alternatively, Microsoft could establish a second security-related mailing list to notify users about non-bulletin security matters, such as the release of new service packs, the publication or withdrawal of pertinent TechNet articles, and the release or update of new security-related tools such as MBSA and URLScan. Developing an additional user-notification method—whether that involves new bulletins or a second mailing list—would certainly benefit Microsoft's "Get Secure and Stay Secure" initiative. As matters stand now, users must rely on third parties for important security information.

    What do you think? Would you benefit from Microsoft notifying you about additional security-related information and resources? If you believe you would benefit, would you prefer to be notified through a security bulletin or through a new Microsoft security mailing list? Please stop by the Security Administrator home page (see the URL below) and respond to our new Instant Poll. I also welcome email messages with your further thoughts about security-related notification ([email protected]). I look forward to your responses.
    http://www.secadministrator.com


    SPONSOR: VERISIGN—THE VALUE OF TRUST

    FREE E-COMMERCE SECURITY GUIDE
    Is your e-business built on a strong, secure foundation? Find out with VeriSign's FREE White Paper, "Building an E-Commerce Trust Infrastructure." Learn how to authenticate your site to customers, secure your web servers with 128-Bit SSL encryption, and accept secure payments online. Click here:
    http://www.verisign.com/cgi-bin/go.cgi?a=n203987360057000


    2. SECURITY RISK
    (contributed by Ken Pfeil, [email protected])

  • AUTOMATIC SCRIPT EXECUTION VULNERABILITY IN OUTLOOK 2002 AND OUTLOOK 2000

  • Microsoft Outlook 2002 and Outlook 2000 contain a vulnerability that can let an attacker execute arbitrary scripts under the user's security context on the vulnerable computer. This vulnerability stems from a difference in the security settings that the system applies when it displays rather than edits an email message. Microsoft has released Security Bulletin MS02-021 (E-mail Editor Flaw Could Lead to Script Execution on Reply or Forward) to address this vulnerability and recommends that affected users apply the appropriate patch listed in the bulletin. http://www.secadministrator.com/articles/index.cfm?articleid=25002

    3. ANNOUNCEMENTS

  • NEED 24 X 7 AVAILABILITY?

  • High-availability networks, systems, and applications are crucial to every business. Sign up for our free Webinar taking place on May 24 (sponsored by MKS), and find out how to achieve 24 x 7 availability on Windows 2000. Windows & .NET Magazine author Tim Huckaby shares his expertise on load balancing, monitoring, and more. Register today!
    http://www.winnetmag.com/webinar/availability.cfm

  • WIN A PERSONAL CINEMA CARD AT THE CONNECTED HOME VIRTUAL TOUR

  • If you think you've already seen the Connected Home Virtual Tour, think again. Browse through the latest home entertainment, home networking, and home automation options and check out our special feature on wiring your home. Sign up for prize drawings, too, and you might win a free personal cinema card, courtesy of VisionTek and nVIDIA. Take the tour today!
    http://www.connectedhomemag.com/virtualtour

    4. SECURITY ROUNDUP

  • NEWS: Intruders in Europe MIGHT Face Jail Time

  • The European Union (EU) has proposed a "Council Framework Decision" that would help standardize criminal law across all member nations as they prosecute computer-related crimes. The framework defines punishment for offenses that include unauthorized access to computers, Denial of Service (DoS) attacks, intentional propagation of destructive code such as worms and viruses, malicious interception of communications, and identity theft.
    http://www.secadministrator.com/articles/index.cfm?articleid=24982

  • FEATURE: SQL SERVER: Effective Installation

  • Microsoft tries to make installing its software as smooth and easy as possible, and Microsoft SQL Server 2000's installation is no exception. From the installation CD-ROM, you load setupsql.exe from the x86\setup folder, fill in a few details on the setup screens, and within a few minutes, the installation proceeds without further user intervention. You can even successfully install SQL Server 2000 without understanding what the choices mean, just by clicking Next in most of the setup dialog boxes. However, I strongly advise you not to treat the installation lightly. Pay attention to each option, and make sure you thoroughly understand the implications of each choice you make. Some bad decisions, such as wrong collation settings, might be hard to fix; others, such as accepting the default authentication, might create security holes.
    http://www.secadministrator.com/articles/index.cfm?articleid=24317

  • FEATURE: Windows XP Warning Overblown

  • When it comes to Windows XP, no report is too innocuous to be dragged out, dissected, and—apparently—blown out of proportion by the mainstream media. Consider, for example, the XP Universal Plug and Play (UPnP) vulnerability. By far, the most interesting aspect about the UPnP vulnerability is the irresponsible way in which various media entities reported it.
    http://www.secadministrator.com/articles/index.cfm?articleid=24487

  • FEATURE: Wireless Security

  • The weak security of 802.11's built-in Wired Equivalent Privacy (WEP) algorithm is enough to give managers nightmares. Indeed, many IT managers have delayed 802.11 implementations until standards committees finish work on a more robust means of securing wireless networks. Others have decided to use WEP and hope for the best. However, secure solutions are available.
    http://www.secadministrator.com/articles/index.cfm?articleid=24549

    5. INSTANT POLL

  • RESULTS OF PREVIOUS POLL: ANTIVIRUS DEFENSE LOCATION

  • The voting has closed in Windows & .NET Magazine's Security Administrator Channel nonscientific Instant Poll for the question, "Where have you placed your organization's antivirus defenses?" Here are the results (+/X percent) from the 365 votes:
    • 5% On desktops
    • 3% On email servers
    • 2% On file servers
    • 1% At the Internet border
    • 89% At two or more of the above locations

  • NEW INSTANT POLL: SECURITY INFORMATION NOTIFICATION

  • The next Instant Poll question is, "How should Microsoft notify its customers about new service packs and new or updated security-related rollup packages, tools, and TechNet articles?" Go to the Security Administrator Channel home page and submit your vote for a) Microsoft should issue security bulletins for all security-related matters, b) Microsoft should add a mailing list for non-bulletin security matters, or c) Microsoft needn't notify customers in any additional ways.
    http://www.secadministrator.com

    6. SECURITY TOOLKIT

  • VIRUS CENTER

  • Panda Software and the Windows & .NET Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security.
    http://www.secadministrator.com/panda

  • FAQ: What is MBSA?

  • ( contributed by John Savill, http://www.windows2000faq.com )

    A. Microsoft has released Microsoft Baseline Security Analyzer (MBSA), a tool that analyzes a system for security information related to its Windows OS version, Microsoft IIS version, Microsoft SQL Server version, hotfixes, and passwords.

    You can use MBSA to run checks against local or remote machines. The tool runs only on Windows .NET Server (Win.NET Server), Windows XP, and Windows 2000-based systems. However, you can use the tool to scan remote computers that run Windows NT 4.0 Service Pack 4 (SP4) or later.

    For more information about MBSA, visit Microsoft's Web site at the first URL below. To download MBSA, visit Microsoft's download Web site at the second URL below.
    http://support.microsoft.com/default.aspx?scid=kb;en-us;q320454
    http://download.microsoft.com/download/win2000platform/install/1.0/nt5xp/en-us/mbsasetup.msi

    After you download the tool, run the mbsasetup.msi file to install MBSA. You can execute the MBSA shortcut from the Start menu to run the tool in graphical mode, or you can type mbsacli.exe at the command prompt. Windows doesn't add the MBSA program to the PATH variable by default, so you must either navigate to the \%programfiles%\microsoft baseline security analyzer folder or add this folder to your PATH statement.

    7. NEW AND IMPROVED
    (contributed by Judy Drennen, [email protected])

  • VIRUS ENGINES BUNDLED IN EMAIL SECURITY PACKAGE

  • SOFTWIN announced that its ICSA-certified BitDefender virus engine and Norman Virus Control will ship with GFI's MailSecurity, a new email security package. GFI MailSecurity runs multiple best-of-breed virus engines simultaneously to ensure maximum protection against virus assaults. GFI MailSecurity is available for the Virus Scanning (VS) API or as an SMTP gateway version. The VS API version integrates seamlessly with Microsoft Exchange Server 2000 and scans the Exchange 2000 Information Stores (ISs). Price includes virus updates for 1 year and free support for 3 months after purchase. Prices start at $295 for 10 mailboxes. Contact GFI at 888-243-4329 or [email protected].
    http://www.gfi.com/mailsecurity

  • ENHANCED SECURITY FOR REMOTE CONTROL WITH AES
  • Vector Networks released PC-Duo 7.0, a remote control PC-management product that includes encryption options ranging from 56-bit Data Encryption Standard (DES) through new Pentagon-driven 256-bit Advanced Encryption Standard (AES). PC-Duo supports Windows XP Server and XP Professional and costs $817.50 per 10-user license. Contact Vector Networks at 800-330-5035 or [email protected]
    http://www.vector-networks.com

    8. HOT THREADS

  • WINDOWS & .NET MAGAZINE ONLINE FORUMS

  • http://www.winnetmag.net/forums

  • Featured Thread: How Can I Remove a COM1 Folder?

  • (21 messages in this thread)

    Christer writes that he runs an FTP server, and he noticed a COM1 directory within his PUB directory. The COM1 folder contains 600GB of data, but he can't open or delete the folder. When he tries, Windows reports that the directory can't be found. Do you know how he can remove the folder? Read the responses or lend a hand at the following URL:
    http://www.secadministrator.com/forums/thread.cfm?thread_id=99095

  • HOWTO MAILING LIST

  • http://www.secadministrator.com/listserv/page_listserv.asp?s=howto

  • Featured Thread: Email Attachment as an Executable

  • (One message in this thread)

    Dante received a sample of a file as an email attachment, and the file might contain a virus. The file was saved as hammerhart.txt.\{3050F4D8-98B5-11CF-BB82-00AA00BDCE0B\}.

    When he right-clicks the file, it shows as an HTML application, and the file wants to execute. He wants to know whether anyone knows why a file extension of .\{3050F4D8-98B5-11CF-BB82-00AA00BDCE0B\} is considered an application? Can you help? Read the responses or lend a hand at the following URL:
    http://63.88.172.96/listserv/page_listserv.asp?a2=ind0204d&l=howto&p=438

    9. CONTACT US
    Here's how to reach us with your comments and questions:

    (please mention the newsletter name in the subject line)

    This email newsletter is brought to you by Security Administrator, the print newsletter with independent, impartial advice for IT administrators securing a Windows 2000/Windows NT enterprise. Subscribe today!
    http://www.secadministrator.com/sub.cfm?code=saei25xxup

    Receive the latest information about the Windows and .NET topics of your choice. Subscribe to our other FREE email newsletters.
    http://www.winnetmag.net/email

    TAGS: Security
    Hide comments

    Comments

    • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

    Plain text

    • No HTML tags allowed.
    • Web page addresses and e-mail addresses turn into links automatically.
    • Lines and paragraphs break automatically.
    Publish