Security UPDATE: SP2 Improves Windows XP's Security


==== This Issue Sponsored By ====

Shavlik: Free Security Patch Management Software

Microsoft Security Solutions


1. In Focus: Get a Head Start on Planning an XP SP2 Rollout

2. Announcements

- Attend Black Hat Briefings 2004

- 2004 Date Announced: Windows & .NET Magazine Connections

3. Security News and Features

- Recent Security Vulnerabilities

- News: Global Council of CSOs

- News: Microsoft Patch Day, Take Two

- Feature: Protecting SMTP Traffic with TLS

4. Security Toolkit

- Virus Center

- Virus Alert: Webber.C

- FAQ: What's the Windows Server 2003 Volume Shadow Copy Service (VSS)?

- Featured Thread: Port Filtering on NT Server 4.0

5. Event

- Have You Checked Out Windows & .NET Magazine's Archived Web Seminars Lately?

6. New and Improved

- Sixth Layer of Protection for RemotelyAnywhere 5.0

- Spam Prevention

- Tell Us About a Hot Product and Get a T-Shirt

7. Contact Us

See this section for a list of ways to contact us.


==== Sponsor: Shavlik: Free Security Patch Management Software ====

Install the latest critical Microsoft security patches MS03-048 through MS03-051 today with HFNetChkPro. A free, fully functional, no time-out version of HFNetChkPro is available to help you automate the delivery and testing of these critical patches. HFNetChkPro offers unlimited scanning, a complete GUI and Shavlik's exclusive PatchPush capabilities. Save time on patch deployment, ensure systems are fully protected and safeguard your systems from remote code execution, identity spoofing, arbitrary code execution and other attacks. It's free, and it simplifies patch management without agents. Learn more and download the free version of HFNetChkPro at


==== 1. In Focus: Get a Head Start on Planning an XP SP2 Rollout ====

by Mark Joseph Edwards, News Editor, [email protected]

Several weeks ago, I discussed the upcoming Service Pack 2 (SP2) for Windows XP, which will include OS enhancements that improve security for networking, memory, email, and Web browsing. More detailed information is now available about the changes to networking and memory, and some changes in SP2 will affect applications, so developers and administrators will need to be aware of the changes.

Changes to the network will include modifications to Internet Connection Firewall (ICF), the remote procedure call (RPC) interface, and Distributed COM (DCOM). ICF will be modified so that it starts much earlier during the boot sequence. This way, the network stack won't be active for a window of time when the ICF isn't. ICF will also include an application white list that will help automate access-port provisioning. ICF will also include support for RPC traffic, such as file sharing and remote administration traffic, and a new shielded mode that can prevent unsolicited inbound traffic from entering the system.

RPC has been a sore spot in Windows for quite some time, presenting a few dangerous security holes that have been exploited to the dismay of countless users around the world. SP2 will improve RPC by eliminating remote anonymous access to RPC interfaces by default and requiring NT LAN Manager (NTLM) authentication for connections. As a result, you'll need to modify RPC-based client software.

Microsoft will change DCOM behavior in SP2 so that computerwide restrictions as well as granular COM permissions exist. A new ACL check will be introduced for activation, launch, and calls to COM servers and will be configurable through the Microsoft Management Console (MMC) Component Services snap-in. The new computerwide restrictions will cause a computerwide ACL check (in addition to server-specific ACL checks) before a COM action is allowed on that computer. Microsoft doesn't anticipate that the new restrictions and permissions will require modifications to software, but configuration adjustments might be required.

In addition to the standard anonymous COM calls that XP permits, SP2 will introduce four new rights: remote launch, local launch, remote activate, and local activate. The rights require authentication, and you'll need to modify ACLs if you implement the rights. The new rights allow for backward compatibility with existing software that relies on default COM security settings.

SP2 also introduces support for execution protection features built into some processors. The SP2 capability, called "no execute" (NX), will mark some memory space (i.e., the heap, stacks, and memory pools) as nonexecutable space. This action will help protect systems against buffer overruns, which worms such as MSBlaster have used to compromise systems. Microsoft said that in the case of MSBlaster, NX would have caused the system to generate a memory access violation and terminate the process. A Denial of Service (DoS) condition would have been created; however, the worm couldn't have spread to other systems. Currently only AMD's K8 processor and Intel's Itanium processors have execution protection features.

Microsoft has said it will also improve the security of Outlook Express and Windows Messenger so that attached files will become isolated and less prone to breach system security. Microsoft Internet Explorer (IE) improvements will help mitigate problems presented by malicious scripts, downloads, ActiveX controls, and spyware, which in many cases enters and is executed on a system without a user's awareness.

You can read more information about SP2 in "Windows XP Service Pack 2: A Developer's View" at the URL below. Whether you're an administrator or a developer, be sure to check it out so that you have a head start on planning for an SP2 rollout.


==== Sponsor: Microsoft Security Solutions ====

Invest in the best network protection: Readiness.

Introducing the Microsoft(R) Security Readiness Kit: This is your source for creating an enhanced risk-management plan. Order your free kit.


==== 2. Announcements ====

(from Windows & .NET Magazine and its partners)

Attend Black Hat Briefings 2004

Black Hat Windows Security 2004 Briefings & Training is January 27-30, 2004, in Seattle. This is the world's premier Windows IT security event and is fully supported by Microsoft. Come for six tracks and eight 2-day training sessions. Register today!

2004 Date Announced: Windows & .NET Magazine Connections

Windows & .NET Magazine Connections will be held April 4 to 7, 2004, in Las Vegas at the new Hyatt Lake Las Vegas Resort. Be sure to save these dates on your calendar. Early registrants will receive the greatest possible discount. For more information, call 203-268-3204 or 800-505-1201 or go online at


==== Sponsor: Virus Update from Panda Software ====

Check for the latest anti-virus information and tools, including weekly virus reports, virus forecasts, and virus prevention tips, at Panda Software's Center for Virus Control.

Viruses routinely infect "fully protected" networks. Is total protection possible? Find answers in the free guide HOW TO KEEP YOUR COMPANY 100% VIRUS FREE from Panda Software. Learn how viruses enter networks, what they do, and the most effective weapons to combat them. Protect your network effectively and permanently - download today!


==== 3. Security News and Features ====

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at

News: Global Council of CSOs

Ten chief security officers (CSOs) of well-known corporations have banded together to form the new Global Council of CSOs. The council's purpose is to serve as a think tank to find ways to meet new challenges in information security.

News: Microsoft Patch Day, Take Two

Making good on its promise to release its most important security fixes on the second Tuesday of each month, Microsoft released three security fixes for Windows (two critical) and one for Office on November 11. Microsoft bundled several patches together to make it easier to roll out the fixes: The three Windows patches fix eight vulnerabilities, for example.

Feature: Protecting SMTP Traffic with TLS

One of the most common security problems that Microsoft Exchange Server sites face is how to protect the contents of sensitive messages. You can solve this problem in several different ways, depending on why you're trying to protect the messages and what specific threats you're protecting against. Read Paul Robichaux's article to learn how.


==== Hot Release ====

Get Thawte's New Step-by-Step SSL Guide for MSIIS

In this guide you will find out how to test, purchase, install and use a Thawte Digital Certificate on your MSIIS web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. Get your copy of this new guide now.


==== 4. Security Toolkit ====

Virus Center

Panda Software and the Windows & .NET Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security.

Virus Alert: Webber.C

Webber.C is a Trojan horse that downloads a file from the Internet that steals passwords for accessing various services. Webber.C is easy to recognize because the subject of the email message that carries it is always "RE: Your credit application" and the message attachment is called WWW.CITIBANKHOMELOAN.HTM.PIF. When the message recipient runs the attachment, the Trojan horse is installed on the computer. Webber.C is sent by a spammer; it can't spread by itself. For more information about Webber.C, visit Panda Software's Web site.

FAQ: What's the Windows Server 2003 Volume Shadow Copy Service (VSS)?

by John Savill

A. Windows 2003 includes several new file system features, such as enhanced DFS closest-site selection, the Virtual Disk Service (VDS), and Automated System Recovery (ASR). The most useful new feature is VSS.

Local Windows file systems include the Recycle Bin on the desktop, from which you can recover a deleted file. However, you can't recover deleted files on network shares unless you install third-party software. One thing VSS does is replicate the Recycle Bin for the network.

At configurable intervals, VSS takes a snapshot (aka Shadow Copy) of the state of content stored on selected volume shares. VSS stores only the changes for the shares, not the entire share content. For example, if you make a small change to a 5GB file, VSS stores only information about the change. The service stores as many as 64 versions of a share, depending on disk space. When the service creates the 65th Shadow Copy (or if you've used all the disk space allotted for Shadow Copies), the service deletes the oldest snapshot to make space for the newest snapshot. You can enable Shadow Copies only on NTFS volumes; you can't enable them for FAT volumes. To learn more about VSS and how to enable it on your systems, visit our FAQ Web site.

Featured Thread: Port Filtering on NT Server 4.0

(Nine messages in this thread)

A forum user writes that he has enabled port filtering on his Windows NT Server 4.0 system and has permitted full access to the following TCP and UDP ports: TCP 80, 110, 137, 138, 139, 2028, 20, 21, and 25, and UDP 53, 137, 138, and 2028. With those ports enabled, he can't browse the Internet and his Symantec antivirus software can't connect to update the antivirus definitions. When he removes all the filter settings, his server works as it should. He wants to know why the filtering blocks Internet and antivirus access. Lend a hand or read the responses:

==== 5. Event ====

Have You Checked Out Windows & .NET Magazine's Archived Web Seminars Lately?

Find timely information about email abuse and the security and business concerns surrounding the use and abuse of email within companies. Or, learn more about identity management and how you can benefit from greater security, improved productivity, and better manageability. Sign up and receive a free identity management white paper. Register now for these two informative Web seminars!

==== 6. New and Improved ====

by Jason Bovberg, [email protected]

Sixth Layer of Protection for RemotelyAnywhere 5.0

3am Labs announced that it has joined the RSA Secured Partner Program to provide a trusted-identity and access-management solution for its flagship product, RemotelyAnywhere. Leveraging RSA Security's RSA SecurID two-factor authentication technology, RemotelyAnywhere 5.0 now provides a sixth layer of protection that lets you more securely manage your network through the Web and wireless devices. In addition to RSA SecurID integration, RemotelyAnywhere uses Windows built-in authentication, Secure Sockets Layer (SSL), 128-bit encryption, IP address filtering, and Intrusion Detection Systems (IDSs). For more information about RemotelyAnywhere's addition of RSA SecurID, contact 3am Labs on the Web.

Spam Prevention

Qurb announced Qurb Spam 2.0, the next generation of its antispam software that integrates with Microsoft Outlook and Outlook Express. Qurb Spam 2.0 develops and maintains a white list of legitimate email senders and quarantines questionable messages until you approve them. Unlike content-filtering tools, Qurb's security and authentication features protect you from scams that trick you into giving up credit-card, account, and other personal information while ensuring delivery of personal and opt-in email. Qurb Spam 2.0's pricing starts at $29.95. To download a free 30-day trial version of the product, contact Qurb on the Web.

Tell Us About a Hot Product and Get a T-Shirt!

Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a Windows & .NET Magazine T-shirt if we write about the product in a future Windows & .NET Magazine What's Hot column. Send your product suggestions with information about how the product has helped you to [email protected]


==== Sponsored Links ====

Sybari Software

Free! "Admins Shortcut Guide to Email Protection" from Sybari

Microsoft(R) Security Readiness Kit

Get your free kit for creating an enhanced risk-management plan.

VMware Inc.

FREE VMware Workstation for Microsoft Certified Trainers.


==== 7. Contact Us ====

About the newsletter -- [email protected]

About technical questions --

About product news -- [email protected]

About your subscription -- [email protected]

About sponsoring Security UPDATE -- [email protected]

This email newsletter is brought to you by Security Administrator, the print newsletter with independent, impartial advice for IT administrators securing Windows and related technologies. Subscribe today.

Copyright 2003, Penton Media, Inc.

TAGS: Security