Security UPDATE: Exchange Server SMTP AUTH Attacks

==== This Issue Sponsored By ====

Postini Preemptive Email Protection

http://www.winnetmag.com/whitepapers/postini/emailsecurity/index.cfm

Windows Scripting Solutions

http://www.winscriptingsolutions.com/rd.cfm?code=fsep264xup

1. In Focus: New Exploits and a New Security Toolkit

2. Security News and Features

- Recent Security Vulnerabilities

- News: Remote Root Exploit Against IIS Servers

- News: TCP Vulnerabilities

- Feature: Exchange Server SMTP AUTH Attacks

3. Security Toolkit

- FAQ

- Featured Thread

4. New and Improved

- Secure Your Passwords

==== Sponsor: Postini Preemptive Email Protection ====

Free Whitepaper: Top 10 Reports for Email Admins

This paper will show you the top ten reports every email administrator really shouldn't live without including, dashboard views of inbound email activity, SMTP connection, and delivery monitoring, as well as outbound email and content. Assuring comprehensive email security and management for your enterprise requires real-time monitoring and detailed, flexible reporting. Postini provides an award-winning web console "dashboard" that helps email administrators manage their email protection more effectively and efficiently with a host of monitoring and trending reports. Reports show inbound spam by domain and recipient, as well as viruses by name and overall traffic by domain and recipient.

http://www.winnetmag.com/whitepapers/postini/emailsecurity/index.cfm

==== 1. In Focus: New Exploits and a New Security Toolkit ====

by Mark Joseph Edwards, News Editor, mark at ntsecurity dot net

One of the security patches that Microsoft released in the Microsoft Security Bulletin MS04-011 on April 13 fixes a serious problem in the Private Communications Technology (PCT) protocol, which is part of Microsoft's Secure Sockets Layer (SSL) implementation. If you haven't patched your production systems yet, consider doing so immediately because exploits have already been released that can provide remote access to an intruder. So your unpatched systems are sitting ducks.

http://www.winnetmag.com/article/articleid/42438/42438.html

If you can't load the patch for some reason, consider disabling PCT, which you can do by adjusting a particular registry key. For more information about disabling PCT, see "Information about code that attempts to exploit PCT in SSL" at

http://www.microsoft.com/security/incident/pctdisable.asp

You also need to be aware of the recently reported TCP-reset vulnerability, which affects many devices, including routers. As you'll learn in the related news story below, exploiting the vulnerability causes routers to drop connections, including important border gateway protocol (BGP) sessions. A new Windows-based exploit tool was recently released, so be sure to check with your router vendors to determine whether their particular products are affected. If they are, install the latest updates.

http://www.winnetmag.com/article/articleid/42437/42437.html

You should ensure your Intrusion Detection System (IDS) has the most recent rules and signatures available. For example, new Snort rules became available on April 25 as I was writing this editorial. So if you use Snort, be sure to obtain the last rules files.

http://www.snort.org/dl/rules

A New Security Toolkit

I don't think a person can ever have enough security tools. If you share that opinion, you might want to download a copy of the recently released version 1.0.4 of Network Security Toolkit (NST), which is the creation of Paul Blankenbaker and Ron Henderson.

NST is available on a bootable CD-ROM or is downloadable as an International Organization for Standardization (ISO) image and is based on Red Hat Linux 9.0. The CD-ROM contains dozens upon dozens of tools and, according to the NST Web site, can "transform most x86 systems into a system designed for network traffic analysis, intrusion detection, network packet generation, a virtual system service server, or a sophisticated network/host scanner. This can all be done without disturbing or modifying any underlying sub-system disk. NST can be up and running on a typical x86 notebook in less than a minute by just rebooting with the NST ISO CD. The notebook's hard disk will not be altered in any way."

Head over to the NST Web site and have a look at NST's contents and capabilities. At the site, you'll also find the link to download the 194MB package.

http://www.networksecuritytoolkit.org/nst/index.html

==== Sponsor: Windows Scripting Solutions ====

Try a Sample Issue of Windows Scripting Solutions

Windows Scripting Solutions is the monthly newsletter from Windows & .NET Magazine that shows you how to automate time-consuming, administrative tasks by using our simple downloadable code and scripting techniques. Sign up for a sample issue right now, and find out how you can save both time and money. Click here!

http://www.winscriptingsolutions.com/rd.cfm?code=fsep264xup

==== 2. Security News and Features ====

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at

http://www.winnetmag.com/departments/departmentid/752/752.html

News: Remote Root Exploit Against IIS Servers

On April 21, a member of the Full Disclosure mailing list posted a message that revealed the existence of a new tool that can be used to exploit Microsoft IIS servers. By using Secure Sockets Layer (SSL) to target unpatched IIS servers, an attacker can cause the server to open a port that allows remote access to the system.

http://www.winnetmag.com/article/articleid/42438/42438.html

News: TCP Vulnerabilities

US-CERT and the UK National Infrastructure Security Co-ordination Centre (NISCC) published information about vulnerabilities in the TCP protocol. The problems can affect a wide array of platforms, including many types of routers, such as those used to operate the Internet at top-tier ISPs.

http://www.winnetmag.com/article/articleid/42437/42437.html

Feature: Exchange Server SMTP AUTH Attacks

If you run Microsoft Exchange Server to process incoming Internet email, spammers might be using your mail server as a relay, even though your server isn't an open relay. How is this possible? Spammers authenticate to your email server, then use your server to send mail. Alan Sugano outlines how you can determine whether someone is using your system as a mail relay, how to close the hole, and how to test the measures you've taken to prevent such attacks in an article at the first URL below. Paul Robichaux wrote about the attack last fall in the article at the second URL below.

http://www.winnetmag.com/article/articleid/42406/42406.html

http://www.winnetmag.com/article/articleid/40507/40507.html

==== Announcements ====

(from Windows & .NET Magazine and its partners)

Try a Sample Issue of Exchange & Outlook Administrator!

If you haven't seen Exchange & Outlook Administrator, you're missing out on key information that will go a long way towards preventing serious messaging problems and downtime. Request a sample issue today, and discover tools you won't find anywhere else to help you migrate, optimize, administer, and secure Exchange and Outlook. Order now!

http://www.exchangeadmin.com/rd.cfm?code=fsep234xup

Discover the Basics of Active Directory Fundamentals

In this free Web seminar, we'll look at the logical concepts as they relate to domain, trees, and forests and the physical concepts of domain controllers and sites. We'll also explain the relationship between Active Directory and the Domain Naming Service, as well as cover some operation functions. Register now!

http://msevents.microsoft.com/cui/eventdetail.aspx?eventid=1032246759&culture=en-us

SQL Web Seminar--Tactics for Protecting Microsoft SQL Server

It is crucial to protect Microsoft SQL Server from outside forces, including weather, user error, or system outage, that can jeopardize application and associated data. Register now for a free, 1-hour Web seminar on May 4 and learn about the solutions associated with protecting SQL Server. Register now and receive a free evaluation version of Double-Take and a free white paper titled, "Protecting Your Microsoft SQL Server DataSign."

http://www.winnetmag.com/seminars/sqlprotectingms-sql/index.cfm?code=supdate

==== Hot Release ==== Symantec

Free White Paper: "Enterprise Systems and Storage Management Convergence using File Systems Virtualization"

Download this free technical white paper now, courtesy of Symantec and Windows & .NET Magazine's White Paper Central:

http://ad.doubleclick.net/clk;7556668;8469764;m?http://www.winnetmag.com/whitepapers/symantec/PowerQuest.pdf

==== 3. Security Toolkit ====

FAQ: Controlling Access to IISADMPWD

by John Savill, http://www.winnetmag.com/windowsnt20002003faq

Q: How can I control access to the IISADMPWD virtual directory?

A. When you use the default IISADMPWD virtual directory to enable a Web page on which users can change passwords (which I discussed in the FAQ "Does Windows Server 2003 provide a way to let users change their passwords remotely on the Web?"), the Microsoft IIS system sends the user's password information unencrypted over the network, which creates a security risk. To avoid transmitting unencrypted passwords, you must enable Secure Sockets Layer (SSL) by following these steps:

1. Start a command prompt by clicking Start, Run and typing

cmd.exe

2. Navigate to the C:\inetpub\adminscripts directory.

3. At the command prompt, type

adsutil.vbs set w3svc/1/PasswordChangeFlags 0

This command runs the adsutil.vbs script with the Set command. The w3svc/1 parameter specifies the first default Web site. The PasswordChangeFlags option with the 0 value means that SSL is required. (Setting the PasswordChangeFlags value to 1 specifies that SSL isn't used, and setting the value to 2 disables the user's ability to change the password.)

4. Restart the IIS server to effect the change.

A new tool lets intruders exploit unpatched IIS servers that use SSL (see the first News item above). Be sure to patch your server.

Featured Thread: BlackBerry Server Behind ISA Server

(One message in this thread)

A reader writes that he needs to set up BlackBerry Server behind a Microsoft ISA Server firewall. He's having trouble opening the correct port, which is TCP port 3101. He created a packet filter by selecting the following properties: IP Protocol: TCP, Direction: Outbound, Local Port: Fixed Port, Local Port Number 3101, Remote Port: All Ports, Remote Ports: subdued. It doesn't work, and he wants to know how to correct the problem. Lend a hand or read the responses:

http://www.winnetmag.com/forums/messageview.cfm?catid=42&threadid=119881

==== Events Central ====

(A complete Web and live events directory brought to you by Windows & .NET Magazine: http://www.winnetmag.com/events )

Sign Up for 2 Great Roadshows About Security and Exchange

Don't miss 2 free roadshow tours covering hot security and Exchange topics. Learn how to simplify your life with Windows Server 2003 and Exchange Server 2003 and protect your infrastructure and applications against security threats. Coming to your city soon. Register now!

http://www.winnetmag.com/roadshows

==== 4. New and Improved ====

by Jason Bovberg, [email protected]

Secure Your Passwords

TK8 Productions released TK8 Safe, Windows password-management software that simplifies the safe storage and retrieval of user IDs, passwords, serial numbers, and other confidential information that Web sites and software applications require. TK8 Safe stores all of a user's private information in an encrypted database that's accessible only by its owner, and the software supports multiple users on the same computer. TK8 Safe costs $19.95 for a single-user license, and multiuser discounts are available. For more information, contact TK8 Productions on the Web.

http://www.tk8.com

Tell Us About a Hot Product and Get a T-Shirt!

Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a Windows & .NET Magazine T-shirt if we write about the product in a future Windows & .NET Magazine What's Hot column. Send your product suggestions with information about how the product has helped you to [email protected].

==== Sponsored Links ====

Argent

Comparison Paper: The Argent Guardian Easily Beats Out MOM

http://ad.doubleclick.net/clk;6480843;8214395;q?http://www.argent.com/products/download_whitepaper.cgi?product=mom&&Source=WNTTextLink

Microsoft(R) TechNet

Microsoft(R) TechNet Webcasts: essential guidance, industry experts

http://ad.doubleclick.net/clk;7759917;8214395;c?http://www.microsoft.com/technet/community/webcasts/default.mspx

Microsoft Security

Knowledge Improves Security. Visit www.securitywhitepaper.com.

http://ad.doubleclick.net/clk;7836244;8214395;r?http://ad.doubleclick.net/clk;7812558;9026172;o?http://www.securitywhitepaper.com/default.asp?id=wn5548

==== Contact Us ====

About the newsletter -- [email protected]

About technical questions -- http://www.winnetmag.com/forums

About product news -- [email protected]

About your subscription -- [email protected]

About sponsoring Security UPDATE -- [email protected]

==== Contact Our Sponsors ====

Primary Sponsor:

Postini -- http://www.postini.com

Hot Release Sponsor:

Symantec -- http://www.symantec.com