Security UPDATE, December 11, 2002

Windows & .NET Magazine Security UPDATE—brought to you by Security Administrator, a print newsletter bringing you practical, how-to articles about securing your Windows .NET Server, Windows 2000, and Windows NT systems.
http://www.secadministrator.com


THIS ISSUE SPONSORED BY

FREE eBook on W2K and AD Administration
http://www.aelita.com/update121102

FREE DOWNLOAD - Control PCs over the Internet
http://www.crossteccorp.com/w2kmag.htm
(below IN FOCUS)


SPONSOR: FREE EBOOK ON W2K AND AD ADMINISTRATION

Experience greater administrative control and security of Active Directory and Exchange with Aelita Enterprise Directory Manager. EDM's secure "Rules & Roles" enhances Exchange and Active Directory management allowing integration of Active Directory, Exchange 5.5 & 2000, and HR applications. The result is secure, integrated workflow for employee identity management and provisioning. Start with your FREE eBook today!
http://www.aelita.com/update121102


December 11, 2002—In this issue:

1. IN FOCUS

  • New Certification Standards for Firewalls

2. SECURITY RISKS

  • DoS in Microsoft Outlook 2002
  • Cross-Domain Security Vulnerability in Microsoft IE

3. ANNOUNCEMENTS

  • The Microsoft Mobility Tour Is Coming Soon to a City Near You!
  • Get the New Windows & .NET Magazine Network Super CD/VIP!

4. SECURITY ROUNDUP

  • News: IMlogic and CypherGuard Team to Better Secure IM
  • News: GFI Offers WebMonitor for ISA Server 2000 as Freeware
  • Feature: Microsoft Addresses Inherent Security of Windows

5. HOT RELEASE (ADVERTISEMENT)

  • ALERT: "Outsmart the Top 14 Web Application Hacks"

6. INSTANT POLL

  • Results of Previous Poll: Using Open-Source Products
  • New Instant Poll: ICSA Firewall Certification

7. SECURITY TOOLKIT

  • Virus Center
  • Virus Alert: W32/CIH.1106
  • FAQ: How Can I Hide Core Icons from the Windows XP Desktop?

8. NEW AND IMPROVED

  • Control Spam with Firewall Appliance
  • Locate and Remove Infestations
  • Submit Top Product Ideas

9. HOT THREADS

  • Windows & .NET Magazine Online Forums
  • Featured Thread: Netstat Output

10. CONTACT US

  • See this section for a list of ways to contact us.

1. IN FOCUS
(contributed by Mark Joseph Edwards, News Editor, [email protected])

  • NEW CERTIFICATION STANDARDS FOR FIREWALLS

  • ICSA Labs (see the URL below), a division of TruSecure, offers firewall certification by testing firewalls against a defined set of criteria. Firewall products that meet the criteria can claim ICSA Labs Certification. In the past, ICSA Labs has used one set of criteria to certify all firewall products, whether those firewalls were designed for large corporations, small businesses, or residential users.
    http://www.icsalabs.org

    ICSA Labs has now developed "Modular Firewall Certification Criteria 4.0." The criteria include a base set of requirements — plus three other sets of requirements that differ based on the firewall's target market. According to ICSA Labs, "Version 4.0 is the culmination of over a year and half of work with industry experts, end users and the Firewall Product Developers Consortium - an international forum of competing developers of firewall products that works toward common goals to benefit both members and end users. Version 4.0 reflects the different functional requirements in today's multi-segmented firewall market."

    The base criteria module — applicable to all firewalls — requires that firewalls adhere to specific logging requirements, provide certain administrative capabilities, and maintain security policy persistence. The firewalls must also pass functional tests to prove that their policies and administration features work as intended, that they prevent unauthorized access to administrative functions, that they aren't vulnerable to evolving sets of attacks, and that they don't introduce vulnerabilities through their integration into a network. The firewalls must also pass tests that demonstrate their resistance to trivial Denial of Service (DoS) attacks and their ability, if they fail, to fail in a way that stops all network traffic to protect the networks they guard. And, of course, the firewalls must also have thorough, accurate documentation in such areas as installation, administration, and maintenance.

    The other three criteria sets (corporate, business, and residential) have a few overlapping requirements, such as the default policy's allowed inbound and outbound protocols and remote administration capabilities. However, beyond those overlapping elements, the requirements differ significantly according to target market. As you might expect, the corporate firewall requirements are more stringent than those for business firewalls, and those for business firewalls more stringent than those for residential firewalls. The differences among the three modules lie mostly in the areas of logging, administration, and time/date persistence. Overall, the requirements for any type of firewall are stricter than the previous requirements ICSA Labs used. You can read about the exact criteria for each firewall type at the URL below.
    http://www.icsalabs.org/html/communities/firewalls/certification/criteria/criteria_4.0.shtml

    So far, the following companies and products have achieved ICSA Labs' 4.0 certification for corporate firewalls: Nortel Networks' Alteon Switched Firewall, Novell's BorderManager, Check Point Software Technologies' Check Point FireWall-1 Next Generation Linux FP-3, Cisco Systems' PIX Firewall Family, CyberGuard Premium Firewall Appliance, Global Technology Associates' (GTA's) GTA Firewall Family, Intoto's iGateway, Fortinet's FortiGate-300, and NetScreen Technologies' NetScreen Family. Other companies are in the process of certifying their corporate firewalls under the new criteria.

    To date, ICSA Labs hasn't certified any level 4.0 business products and has certified only two level 4.0 residential products (both hardware-based) — Jungo's OpenRG and RIAS's GreatSpeed GS-1540G. For a list of all ICSA Labs certified firewalls, visit the URL below.
    http://www.icsalabs.org/html/communities/firewalls/newsite/cert.shtml

    In general, the new multilevel certification criteria make sense. Usually, a residential user's firewall doesn't need to meet the same overall requirements as a firewall that protects a large corporate network. For example, a residential firewall often doesn't need the same remote administration capabilities that a business or corporate firewall needs. ICSA Labs' new approach to certification should give developers more flexibility by providing a way to certify products that serve different target users.


    SPONSOR: FREE DOWNLOAD - CONTROL PCS OVER THE INTERNET

    Control, access and support PCs over the Internet, LANs, WANs, or modems - just as if you were in front of them. NetOp Remote Control, winner of PC Magazine's Editors' Choice, now offers professionals even more options like support for Linux, Solaris and Symbian as well as all Windows platforms; a new inventory feature; additional security options; and better integration with management suites such as SMS and HP Openview. Click for a fully-functional NetOp evaluation copy:
    http://www.crossteccorp.com/w2kmag.htm

    2. SECURITY RISKS
    (contributed by Ken Pfeil, [email protected])

  • DoS IN MICROSOFT OUTLOOK 2002

  • Richard Lawley discovered a Denial of Service (DoS) vulnerability in Microsoft Outlook 2002. This vulnerability stems from a fault in the way Outlook 2002 processes email header information. To crash a vulnerable client, an attacker can send a message that contains specific header information. The client will remain affected until you delete the message from the server. Microsoft has released Security Bulletin MS02-067 (E-mail Header Processing Flaw Could Cause Outlook 2002 to Fail) to address this vulnerability and recommends that affected users apply the appropriate patch mentioned in the bulletin.
    http://www.secadministrator.com/articles/index.cfm?articleid=27503

  • CROSS-DOMAIN SECURITY VULNERABILITY IN MICROSOFT IE

  • GreyMagic Software and Thor Larholm discovered that a new Microsoft Internet Explorer (IE) vulnerability can permit an attacker to perform any action on the vulnerable computer that the user can perform. The cause of this vulnerability is a flaw in the way IE handles cross-domain security checks. Microsoft has released Security Bulletin MS02-068 (Cumulative Patch for Internet Explorer) to address this vulnerability and recommends that affected users immediately apply the appropriate patch mentioned in the bulletin. This cumulative patch also addresses all previously discovered vulnerabilities in IE.
    http://www.secadministrator.com/articles/index.cfm?articleid=27504

    3. ANNOUNCEMENTS
    (brought to you by Windows & .NET Magazine and its partners)

  • THE MICROSOFT MOBILITY TOUR IS COMING SOON TO A CITY NEAR YOU!

  • Brought to you by Windows & .NET Magazine, this outstanding seven-city event will help support your growing mobile workforce. Industry guru Paul Thurrott discusses the coolest mobility hardware solutions around, demonstrates how to increase the productivity of your "road warriors" with the unique features of Windows XP and Office XP, and much more. There is no charge for these live events, but space is limited so register today!
    http://www.winnetmag.com/seminars/mobility

  • GET THE NEW WINDOWS & .NET MAGAZINE NETWORK SUPER CD/VIP!

  • Everyone can appreciate a bargain in today's economy. That's why we've introduced the Windows & .NET Magazine Super CD/VIP Web site. You get exclusive subscriber-only access to all our publications through our new VIP Web site. Plus, you get Super CDs delivered twice a year, and we'll even throw in a 1-year print subscription to the magazine! The Super CD/VIP is a $545 value for just $279. Subscribe today!
    http://www.winnetmag.com/rd.cfm?code=wvei272lup

    4. SECURITY ROUNDUP

  • NEWS: IMLOGIC AND CYPHERGUARD TEAM TO BETTER SECURE IM

  • IMlogic and CypherGuard announced that they've teamed to help secure Instant Messaging (IM) software. The companies will release a business suite that includes IMlogic's IM Manager and CypherGuard's encryption tools. The suite will provide auditing, archiving, and compliance capabilities along with strong encryption capabilities to secure messages and files that IM clients transmit. The new suite will work with MSN Messenger, Yahoo Messenger, ICQ, and AOL Instant Messenger.
    http://www.secadministrator.com/articles/index.cfm?articleid=27474

  • NEWS: GFI OFFERS WEBMONITOR FOR ISA SERVER 2000 AS FREEWARE

  • GFI announced that it has released its WebMonitor product (formerly known as GFI Real Time Monitor for ISA Server) as freeware. WebMonitor works with Microsoft Internet Security and Acceleration (ISA) Server 2000 to monitor all current and recent HTTP and FTP connections that are active through the server. Administrators can use WebMonitor to monitor users' Internet activities and bandwidth usage.
    http://www.secadministrator.com/articles/index.cfm?articleid=27475

  • FEATURE: MICROSOFT ADDRESSES INHERENT SECURITY OF WINDOWS

  • At COMDEX Fall 2002, Paul Thurrott sat down with Mike Nash, vice president of Microsoft's Security Business Unit, to discuss various security concerns. Nash comments on the overall security of what he calls the Microsoft environment, which includes not just Windows, but all of Microsoft's core products, such as Visual Studio.NET and Microsoft Office. Read the article to learn what Nash had to say about Windows security.
    http://www.secadministrator.com/articles/index.cfm?articleid=27472

    5. HOT RELEASE (ADVERTISEMENT)

  • ALERT: "OUTSMART THE TOP 14 WEB APPLICATION HACKS"

  • Learn why 70% of today's successful hacks involve Web Application attacks such as: SQL Injection, XSS and Session Hijacking. All undetectable by Firewalls and IDS! FREE 15 Day Product Trial and Comprehensive Vulnerability Report
    http://www.spidynamics.com/mktg/freewebinspect29

    6. INSTANT POLL

  • RESULTS OF PREVIOUS POLL: USING OPEN-SOURCE PRODUCTS

  • The voting has closed in Windows & .NET Magazine's Security Administrator Channel nonscientific Instant Poll for the question, "Do you use open-source products on your network?" Here are the results (+/- 2 percent) from the 393 votes:
    • 74% Yes
    • 22% No
    • 2% Not sure
    • 2% We plan to

  • NEW INSTANT POLL: ICSA FIREWALL CERTIFICATION

  • The next Instant Poll question is, "Do you consider ICSA Labs Certification as a factor when you select a firewall?" Go to the Security Administrator Channel home page and submit your vote for a) Yes, b) No, c) No, but we will.
    http://www.secadministrator.com

    7. SECURITY TOOLKIT

  • VIRUS CENTER

  • Panda Software and the Windows & .NET Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security.
    http://www.secadministrator.com/panda

  • VIRUS ALERT: W32/CIH.1106

  • W32/CIH.1106 is a virus that activates on the second day of any given month. The virus deletes BIOS information and contents of a system's installed hard drives. On Windows Me, Windows 98, and Win95 systems, the virus infects executable files with an .exe extension. For complete details about the virus, visit our Web site at the URL below.
    http://63.88.172.127/panda/index.cfm?fuseaction=virus&virusid=1307

  • FAQ: HOW CAN I HIDE CORE ICONS FROM THE WINDOWS XP DESKTOP?

  • (contributed by John Savill, http://www.windows2000faq.com)

    A. In earlier Windows versions, you could use a variety of registry changes or Microsoft's Tweak UI utility to hide core icons such as My Computer and Network Places from the desktop. With XP, Microsoft provides an interface in the core product that lets you accomplish the same task. To hide core icons from the desktop, perform the following steps:

    1. Start the Control Panel Display applet (go to Start, Control Panel, Display).
    2. Select the Desktop tab.
    3. Click Customize Desktop.
    4. Select the General tab.
    5. Under the "Desktop icons" section, clear the check boxes next to any icons that you don't want to appear on the desktop.

    8. NEW AND IMPROVED
    (contributed by Sue Cooper, [email protected])

  • CONTROL SPAM WITH FIREWALL APPLIANCE

  • BorderWare Technologies announced MXtreme Mail Firewall, a line of three rack-mount devices (for small-, medium-, or large-volume sites) designed for deployment between your internal mail server and the Internet. MXtreme Mail Firewalls now offer spam filtering based on five layers of defense, including Statistical Token Analysis (STA), which derives common indicators of spam and incorporates adaptive local learning. Radius support lets Windows 2000 Active Directory (AD) and Windows NT domain controllers (DCs) authenticate remote users. For pricing or more information, contact BorderWare at 905-853-5550, 877-814-7900, and [email protected].
    http://www.borderware.com

  • LOCATE AND REMOVE INFESTATIONS

  • PestPatrol released PestPatrol 4.0, nonviral malicious code scanning software that protects your local and remote client systems without the need to install and manage software on every workstation. New features include intelligent reporting, generic keylogger detection and removal, automated spyware cookie detection and removal, diagnostic tools, and an expanded detection database of more than 60,000 pests. PestPatrol 4.0 supports Windows XP, Windows 2000, Windows NT, Windows Me, and Windows 98. Contact vendor for pricing at 717-243-6588 and [email protected].
    http://www.pestpatrol.com

  • SUBMIT TOP PRODUCT IDEAS

  • Have you used a product that changed your IT experience by saving you time or easing your daily burden? Do you know of a terrific product that others should know about? Tell us! We want to write about the product in a future What's Hot column. Send your product suggestions to [email protected].

    9. HOT THREADS

  • WINDOWS & .NET MAGAZINE ONLINE FORUMS

  • http://www.winnetmag.com/forums

  • FEATURED THREAD: NETSTAT OUTPUT

    (Fourteen messages in this thread)

    A user writes that when he views the TCP and UDP ports by using the "netstat -a" command, he always finds an entry for a TCP port 1638 with a foreign address for a Web site called "Ultimate Search." He wants to know why his computer is communicating with that site and how to close ports so that unwanted communications don't take place. Lend a hand or read the responses:
    http://www.winnetmag.com/forums/rd.cfm?cid=42&tid=49906

    10. CONTACT US
    Here's how to reach us with your comments and questions:

    This email newsletter is brought to you by Security Administrator, the print newsletter with independent, impartial advice for IT administrators securing a Windows 2000/Windows NT enterprise. Subscribe today!
    http://www.secadministrator.com/sub.cfm?code=saei25xxup

    Receive the latest information about the Windows and .NET topics of your choice. Subscribe to our other FREE email newsletters.
    http://www.winnetmag.com/email
