Security UPDATE, November 13, 2002

Windows & .NET Magazine Security UPDATE—brought to you by Security Administrator, a print newsletter bringing you practical, how-to articles about securing your Windows .NET Server, Windows 2000, and Windows NT systems.
http://www.secadministrator.com

THIS ISSUE SPONSORED BY

FREE Security Assessment Tool!

Tips & Tricks Web Summit
(below IN FOCUS)

SPONSOR: FREE SECURITY ASSESSMENT TOOL!

Do you comply with industry security regulations or corporate security policies? Download the FREE Aelita InTrust(tm) Audit Advisor to identify systems that are not compliant with industry standard security policies, such as those published by SANS and the NSA, or your company specific policies. Then check out Aelita InTrust to consolidate IT audit data and produce compliance reports for industry regulations and policies. Download your FREE tool today!
http://www.aelita.com/updateInT111302

November 13, 2002—In this issue:

1. IN FOCUS

Security Assertion Markup Language

2. SECURITY RISKS

Buffer-Overrun Vulnerability in Oracle iSQL
DoS in Microsoft Windows XP and Win2K PPTP
Multiple Vulnerabilities in Microsoft IIS 5.1, 5.0, and 4.0

3. ANNOUNCEMENTS

How Can You Reclaim 30% to 50% of Windows Server Space?
Give Us Your Feedback and Be Entered to Win a Digital Camera

4. SECURITY ROUNDUP

News: Common Criteria Configuration Guides for Win2K
Feature: EventComb: It's Free; It's Essential; Get It!
Fire & Water Toolkit Beta Available

5. HOT RELEASES (ADVERTISEMENTS)

Focus your IT resources
Test Your Web Applications for Security Flaws!

6. INSTANT POLL

Results of Previous Poll: Reading the EULA
New Instant Poll: Using SAML

7. SECURITY TOOLKIT

Virus Center
FAQ: How Can I Clear My Customized Folder Settings in Windows XP?

8. NEW AND IMPROVED

User-Friendly Finger Image Reader
Security Solution for Network Clients and Remote Users
Submit Top Product Ideas

9. HOT THREADS

Windows & .NET Magazine Online Forums

Featured Thread: Securing Servers Under Insecure Conditions

HowTo Mailing List

Featured Thread: Promoting a DC

10. CONTACT US
See this section for a list of ways to contact us.

1. IN FOCUS
(contributed by Mark Joseph Edwards, News Editor, [email protected])

SECURITY ASSERTION MARKUP LANGUAGE

Last week, the Organization for the Advancement of Structured Information Standards (OASIS) approved the new Security Assertion Markup Language (SAML), which has been in development for some time. SAML uses XML to enable new Web-based security functions that interoperate across different Web sites, which will help create federated networks.

In April 2002, Microsoft, IBM, and VeriSign announced Web Services Security (WS-Security), and in the June 12, 2002, Security UPDATE commentary, I discussed WS-Security to some extent. The specification will support many types of credential information, including Kerberos, public key infrastructure (PKI), Extensible Rights Markup Language (XrML), SAML, and Secure Sockets Layer (SSL)/Transport Layer Security (TLS). Sun Microsystems also announced Liberty Alliance, its effort to help develop federated network technology.

According to James Kobielus, senior analyst at Burton Group, "SAML 1.0 supports secure interchange of authentication and authorization information by leveraging the core Web services standards of Extensible Markup Language (XML), Simple Object Access Protocol (SOAP), and Transport Layer Security (TLS). Most vendors of Web access management solutions have committed to SAML 1.0 and are currently implementing the specification in their products."

Joe Pato of Hewlett-Packard (HP), co-chair of the OASIS Security Services Technical Committee, said that a major SAML design goal was single sign-on (SSO) capabilities, which would let users authenticate in one domain and access resources in another domain. SAML 1.0 includes that capability. In addition, according to Pato, "Several profiles of SAML are currently being defined that support different styles of SSO and the securing of SOAP payloads."

If you're completely unfamiliar with WS-Security, read Christa Anderson's summary of the technology, which helps explain what it is and what it can do. You'll find her article, "WS-Security Sets Standard for Web Services Transactions."

If you're a Web developer or you administer Web server security, you might be interested in reading about SAML assertions and protocols in a document that outlines the syntax and semantics. Another specification document can help you obtain a better understanding of how SAML works with WS-Security. That document describes how to use WS-Security headers to securely add SAML assertions.

But there's a catch regarding Microsoft's implementation of SAML. In July, "Network World Fusion" reported that Microsoft is implementing SAML 1.0, but only to a limited extent. In the article, Kobielus said, "\[Microsoft is\] not implementing the full suite of SAML assertions and profiles the way others are ... At some point you have to ask what is the purpose, if Microsoft is going to do it their own way." The article points out that Microsoft used the same tactic when the company implemented Kerberos in Windows 2000. To learn more about how Microsoft implements SAML, be sure to read the related Microsoft document, "WS-Security Profile for XML-based Tokens," on the Microsoft Web site.

According to OASIS, Baltimore Technologies, BEA Systems, Computer Associates (CA), Entrust, HP, Hitachi, IBM, Netegrity, Oblix, OpenNetwork, Quadrasis, RSA Security, Sun, VeriSign, and other members of the OASIS Security Services Technical Committee developed the SAML OASIS Open Standard.

Many vendors support SAML, and some of you might have begun using the technology before its official approval. Please participate in our Instant Poll this week and tell us whether you use SAML or some other credential technology for your Web applications.

SPONSOR: TIPS & TRICKS WEB SUMMIT

ATTEND OUR FREE TIPS & TRICKS WEB SUMMIT
Join us on December 19th for our Tips & Tricks Web Summit featuring three eye-opening events: Disaster Recovery Tips & Tricks, Intrusion Detection: Win2K Security Log Secrets, and Merging Exchange Systems: Tips for Managing 5 Key Challenges. There is no charge for this event, but space is limited so register today!
http://www.winnetmag.com/seminars/tipstricks

2. SECURITY RISKS
(contributed by Ken Pfeil, [email protected])

BUFFER-OVERRUN VULNERABILITY IN ORACLE ISQL

A vulnerability exists in Oracle's iSQL*Plus Web-based application that lets an attacker compromise the vulnerable system and obtain system-level access. This vulnerability stems from a buffer-overflow condition in the iSQL application. The vendor, Oracle, has released Security Alert #46 to address this vulnerability and recommends that affected users apply the appropriate patch mentioned in Oracle's alert.
http://www.secadministrator.com/articles/index.cfm?articleid=27240

DoS IN MICROSOFT WINDOWS XP AND WIN2K PPTP

A Denial of Service (DoS) vulnerability exists in Windows XP and Windows 2000 PPTP. This DoS vulnerability results from an unchecked buffer in a section of code that processes the control data used to establish, maintain, and tear down PPTP connections. The vendor, Microsoft, has released Security Bulletin MS02-063 (Unchecked Buffer in PPTP Implementation Could Enable Denial of Service Attacks) to address this vulnerability and recommends that affected users apply the appropriate patch mentioned in the bulletin.
http://www.secadministrator.com/articles/index.cfm?articleid=27227

MULTIPLE VULNERABILITIES IN MICROSOFT IIS 5.1, 5.0, AND 4.0

Four new vulnerabilities exist in Microsoft IIS. The most serious problem lets an attacker escalate privileges. Another problem results in a Denial of Service (DoS) condition on the vulnerable server. The vendor, Microsoft, has released Security Bulletin MS02-062 (Cumulative Patch for Internet Information Service) to address these vulnerabilities and recommends that affected users apply the appropriate patch mentioned in the bulletin. This patch is cumulative and addresses all previously discovered vulnerabilities.
http://www.secadministrator.com/articles/index.cfm?articleid=27228

3. ANNOUNCEMENTS
(brought to you by Windows & .NET Magazine and its partners)

HOW CAN YOU RECLAIM 30% TO 50% OF WINDOWS SERVER SPACE?

Attend our newest Web seminar, brought to you by Windows & .NET Magazine and Precise SRM, and discover the secrets. Steven Toole will also advise you on how to reduce storage growth and backups by 30% and how to reduce storage administration by 25% or more. Space is limited for this important Web event, so register today!
http://www.winnetmag.com/seminars/precise

GIVE US YOUR FEEDBACK AND BE ENTERED TO WIN A DIGITAL CAMERA

Internet filtering is becoming a financial and legal concern for companies of all sizes. Complete our brief survey about the topic and you could win a digital camera. Click here!
http://www.zoomerang.com/recipient/survey-intro.zgi?ID=LANFS30XK4W0&PIN=432G51SDFR43

4. SECURITY ROUNDUP

NEWS: COMMON CRITERIA CONFIGURATION GUIDES FOR WIN2K

In conjunction with the announcement that Windows 2000 received the highest security certification level available to an OS, Microsoft released two new guides, the "Common Criteria Evaluated Configuration User's Guide," and the "Common Criteria Evaluated Configuration Administrator's Guide," which help people configure the OS securely.
http://www.secadministrator.com/articles/index.cfm?articleid=27178

FEATURE: EVENTCOMB: IT'S FREE; IT'S ESSENTIAL; GET IT!

EventComb is a new free tool from Microsoft that lets you search event logs for specific information. EventComb is part of a Microsoft document called "Security Operations Guide for Windows 2000 Server." To obtain EventComb, you need to go to Microsoft's Web site (the URL is linked in this article) and download secops.exe. When you run secops.exe, the program creates a folder called SecurityOps. Within SecurityOps is a folder named EventComb, which contains a compiled HTML Help file and the EventComb program.
http://www.secadministrator.com/articles/index.cfm?articleid=27132

NEWS: FIRE & WATER TOOLKIT BETA AVAILABLE

NTObjectives (NTO) announced that its new Fire & Water Toolkit is now available for public beta. The toolkit is an assessment and defense tool that you can use on local and remote networks. NTO said, "Fire & Water is a collection of cohesive, interactive command-line tools that perform network discovery, mapping, assessment, and reporting, as well as robust Web server defense." By using XML output interactively, Fire & Water can effectively manage multiple scans and their resulting output through standard output in the command line, Comma Separated Value (CSV), and HTML reports (created through Extensible Style Language—XSL templates provided with the tools) or through custom report formats.
http://www.secadministrator.com/articles/index.cfm?articleid=27273

5. HOT RELEASES (ADVERTISEMENTS)

FOCUS YOUR IT RESOURCES

Learn how better infrastructure management practices can speed the integration of e-business enterprises, while providing assurance of continuous availability, flexibility and scalability. Get the IBM white paper, "Infrastructure Resource Management: A Holistic Approach," at http://www.ibm.com/e-business/playtowin/n339

TEST YOUR WEB APPLICATIONS FOR SECURITY FLAWS!

ALERT! "Outsmart Web Application Attackers" 75% of today's successful hacks involve Web Application attacks such as SQL Injection and Cross-Site Scripting. All undetectable by Firewalls and IDS!
FREE 15 Day Product Trial which delivers a Comprehensive Vulnerability Report

6. INSTANT POLL

RESULTS OF PREVIOUS POLL: READING THE EULA

The voting has closed in Windows & .NET Magazine's Security Administrator Channel nonscientific Instant Poll for the question, "Do you read the End User License Agreement (EULA) before you install new software?" Here are the results (+/

2 percent) from the 540 votes:

3% Always
19% Sometimes
31% Rarely
46% Never

NEW INSTANT POLL: USING SAML

The next Instant Poll question is, "Do you use Security Assertion Markup Language (SAML) for security in your Web applications?" Go to the Security Administrator Channel home page and submit your vote for a) Yes, b) No, c) Not yet, but we will, d) No—We use Extensible Rights Markup Language (XrML), and e) No—We use other security technology.
http://www.secadministrator.com

7. SECURITY TOOLKIT

VIRUS CENTER

Panda Software and the Windows & .NET Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security.
http://www.secadministrator.com/panda

FAQ: HOW CAN I CLEAR MY CUSTOMIZED FOLDER SETTINGS IN WINDOWS XP?

(contributed by John Savill, http://www.windows2000faq.com)

A. To clear any customized folder settings, perform the following steps:

1. Start a registry editor (e.g., regedit.exe). 2. Navigate to the HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell registry subkey. 3. Delete the Bags and BagMRU subkeys. 4. Navigate to the HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam registry subkey. 5. Delete the Bags and BagMRU subkeys. 6. Close the registry editor, then reboot the machine for the changes to take effect.

8. NEW AND IMPROVED
(contributed by Judy Drennen, [email protected])

USER-FRIENDLY FINGER IMAGE READER

Biometric Access Corporation (BAC) announced a USB model of the SecureTouch PC, the company's latest computer/network control product. The USB model PC replaces its predecessor, the SecureTouch 2000. The product secures employee workstations, protects patient health records, grants access to transaction-authorization codes, clocks in/out on time and attendance applications, and enables manager override approvals on point-of-sale systems. SecureTouch PC runs on Windows XP, Windows 2000, Windows NT, Windows Me, and Windows 9x. Contact BAC for pricing information at 800-873-4133 or go to the Web site for more information.
http://www.biometricaccess.com

SECURITY SOLUTION FOR NETWORK CLIENTS AND REMOTE USERS

Symantec announced Symantec Client Security, an integrated security solution for network clients and remote users. Symantec Client Security integrates antivirus, personal firewall, and intrusion-detection technologies to effectively protect desktops against today's blended threats. To reduce administration time, administrators can easily deploy Symantec Client Security by using one of three prepackaged installations—full installation, lightly managed, and thin client (the smallest possible footprint without sacrificing protection). For pricing information, contact Symantec at 408-517-8000.
http://www.symantec.com

SUBMIT TOP PRODUCT IDEAS

Have you used a product that changed your IT experience by saving you time or easing your daily burden? Do you know of a terrific product that others should know about? Tell us! We want to write about the product in a future What's Hot column. Send your product suggestions to [email protected].

9. HOT THREADS

WINDOWS & .NET MAGAZINE ONLINE FORUMS

http://www.winnetmag.com/forums

Featured Thread: Securing Servers Under Insecure Conditions
(Eight messages in this thread)

A user writes that he has a client who has servers located in facilities without locked rooms. Some of the servers run Windows NT 4.0 and some run Windows 2000. He wonders how to secure servers at these sites when he can't physically lock the server in a room. Read the responses or lend a hand at the following URL: http://www.winnetmag.com/forums/messageview.cfm?catid=42&threadid=49147

HOWTO MAILING LIST

http://63.88.172.96/listserv/page_listserv.asp?a0=howto

Featured Thread: Promoting a DC
(Nine messages in this thread)

A user writes that he has two Windows 2000 servers. One of them is the PDC and the other is a BDC. The PDC suffered a hard drive error. He wonders how to promote the BDC to take the PDC's place. Because there are no PDCs or BDCs in Win2K, you'll want to read what other users have said or lend a hand at the following URL:
http://63.88.172.96/listserv/page_listserv.asp?A2=IND0211A&L=HOWTO&P=1861

10. CONTACT US
Here's how to reach us with your comments and questions:

ABOUT IN FOCUS — [email protected]
ABOUT THE NEWSLETTER IN GENERAL — [email protected]
(please mention the newsletter name in the subject line)

TECHNICAL QUESTIONS — http://www.winnetmag.net/forums
PRODUCT NEWS — [email protected]
QUESTIONS ABOUT YOUR Windows & .NET Magazine Security UPDATE SUBSCRIPTION?
Customer Support — [email protected]

WANT TO SPONSOR Windows & .NET Magazine Security UPDATE?
[email protected]

This email newsletter is brought to you by Security Administrator, the print newsletter with independent, impartial advice for IT administrators securing a Windows 2000/Windows NT enterprise. Subscribe today!
http://www.secadministrator.com/sub.cfm?code=saei25xxup

Receive the latest information about the Windows and .NET topics of your choice. Subscribe to our other FREE email newsletters.
http://www.winnetmag.net/email