Security UPDATE, June 18, 2003

Security Administrator

Windows & .NET Magazine Security UPDATE--June 18, 2003


==== This Issue Sponsored By ====


Windows & .NET Magazine


1. In Focus: Are IDSs Overrated?

2. Security Risks
   - Multiple Buffer-Overflow Vulnerabilities in FlashFXP FTP Client for Windows
   - Multiple Buffer-Overflow Vulnerabilities in SmartFTP FTP Client for Windows

3. Announcements
   - New--Test-Drive Our Performance Portal!
   - Fight Spam and Viruses, and Secure Exchange 2003!

4. Security Roundup
   - News: Microsoft Gears Up for Antivirus Efforts
   - News: Win2K SP4 Is Coming Soon; The Newest IIS Security Rollup
   - Feature: Where to Place Your Antivirus Defenses

5. Security Toolkit
   - Virus Center
   - FAQ: What's the Purpose of the SELF Subject I See in Windows 2000 Active Directory (AD)?

6. Event
   - Security 2003 Road Show

7. New and Improved
   - Leave the Monitoring to Professionals
   - Use Plant DNA Codes to Authenticate Users
   - Submit Top Product Ideas

8. Hot Thread
   - Windows & .NET Magazine Online Forums
   - Featured Thread: How to Issue Certificates with an Offline CA

9. Contact Us
   See this section for a list of ways to contact us.


==== Sponsor: Hewlett-Packard ====

HP OpenView for Windows Test Drive Monitor the availability and performance of your corporate website -- FREE for 30 days, using powerful HP OpenView management software for Windows. Simulate activity. Monitor complex transactions. Meet business demands. Manage web services. Click here.


==== 1. In Focus: Are IDSs Overrated? ==== by Mark Joseph Edwards, News Editor, [email protected]

Microsoft recently announced plans to acquire the technological and intellectual assets of GeCAD Software, a Romanian antivirus software vendor. The acquisition lets Microsoft add another layer to its existing set of security protection mechanisms across the majority of its product lines. You can read about the acquisition in the related news story, "Microsoft Gears Up for Antivirus Efforts," in this edition of Security UPDATE.

Microsoft is adding a layer of security that will eventually become available to customers. At the same time, Gartner recommends that enterprises remove a layer of security from their protection schemes.

In a press release issued last week, Gartner declared that Intrusion Detection Systems (IDSs) are a market failure because they fail to add value relative to their costs. Gartner recommends that instead of spending money on an IDS, companies spend their money on firewall solutions that offer both network-level and application-level protection.

Gartner's comments about IDSs appeared in a press release that promotes the company's recently released "Hype Cycles" report (interested parties can purchase the report from Gartner). The report assesses which current technologies are likely to deliver lasting value, including whether IDSs' popularity owes more to hype than to cost-effectiveness. Gartner's prognosis leads me to pose a couple of questions to you. Do you believe that the cost of an IDS outweighs its benefits? Do you believe that removing your standalone IDS would benefit your enterprise?

As Gartner notes, firewalls, whether they reside in the network layer, the application layer, or the desktop layer, serve well to defend against attack. Even so, I believe IDSs have a place among the layers.

IDS technology lets you see what kinds of traffic are entering your networks. Proactive (inline, blocking) IDSs sometimes reveal attack types that a firewall knows nothing about: a network-level firewall filters on addresses, ports, and connection state, whereas an IDS inspects the traffic's content against attack signatures. Positioned behind a firewall, an IDS can reveal, and a proactive IDS can shut down, attacks that the firewall let through. Positioned in front of a firewall, a proactive IDS can drop suspicious traffic before it reaches the firewall.

Gartner also notes that IDS technology often produces false positives and false negatives, that it increases the burden on staff (requiring round-the-clock monitoring every day of the year), that it demands a tedious incident-response process, and that it can't monitor traffic at speeds above 600Mbps. One could make the first three complaints about firewalls too: firewall administrators deal with false detections as well, any shop that takes security seriously already monitors many things around the clock, and most security incidents (and even nonsecurity incidents, such as a failed server or desktop installation) are time-consuming and tedious to handle--not to mention frustrating.

As for IDSs being unable to monitor traffic above 600Mbps, that concern is addressable because throughput depends largely on the underlying hardware and OS. The fastest platforms seem to be purpose-built standalone units (e.g., Internet Security Systems'--ISS's--new Proventia security appliances). Proventia appliances combine firewall, intrusion detection, VPN, and virus-scanning capabilities in standalone units that operate at speeds well above 1Gbps.

However, a standalone all-in-one unit can create a single point of failure, a notable risk. If intruders manage to compromise the appliance, they might defeat all of its security functions at once, including the firewall, the IDS, and the antivirus protection. Even with multiple standalone units the same holds true: an exploitable flaw in one unit is likely an exploitable flaw in every identical unit, depending on configuration and circumstances. In such an event, a multivendor, multifunction security solution might hold up better.

I think IDSs do have a place in the security market and that they're not simply overhyped solutions. But if today's firewall vendors intend to diversify their security-related offerings, they'll need to provide proven fail-safe solutions that don't create a single point of failure. And that's not an easy task, especially when it comes to the "proving" part.


==== Sponsor: Windows & .NET Magazine ====

Insider's Guide to IT Certification eBook Get the eBook that will help you get certified! The "Insider's Guide to IT Certification," from the Windows & .NET Magazine Network, has one goal: to help you save time and money on your quest for certification. Find out how to choose the best study guides, save hundreds of dollars, and be successful as an IT professional. The amount of time you spend reading this book will be more than made up by the time you save preparing for your certification exams. Order your copy today!


==== 2. Security Risks ==== contributed by Ken Pfeil, [email protected]

Multiple Buffer-Overflow Vulnerabilities in FlashFXP FTP Client for Windows
Two buffer-overflow vulnerabilities in the FlashFXP FTP client for Windows can result in the execution of arbitrary code on the vulnerable computer. The first occurs when a server replies to the client's PASV command with an overly long string; the second occurs when an overly long host name is specified as the destination server. Because the first is triggered by the server's reply, connecting to a malicious or compromised FTP server is enough to reach it. FlashFXP has released version 2.1, which fixes both vulnerabilities.

Multiple Buffer-Overflow Vulnerabilities in SmartFTP FTP Client for Windows
Two buffer-overflow vulnerabilities in the SmartFTP FTP client for Windows can result in the execution of arbitrary code on the vulnerable computer. If a server responds to the client's PWD command with a reply containing an overly long path, a buffer overflow can occur; a file list containing an overly long entry can also cause one. Both are triggered by data the server sends, so connecting to a malicious or compromised FTP server is enough to reach them. SmartFTP has released version 1.0.976, which fixes both vulnerabilities.

==== 3. Announcements ==== (from Windows & .NET Magazine and its partners)

New--Test-Drive Our Performance Portal! The Windows & .NET Magazine Performance Portal site is an online service that lets IT professionals test client/server scalability and application performance of client/server database, workflow, streaming media, and office productivity applications. Check out this innovative service at

Fight Spam and Viruses, and Secure Exchange 2003! Check out our June Web events, and get expert advice that will help you fight spam and viruses and also help you assess the security risks of Exchange 2003. There's no charge for any of these eye-opening, educational events, but space is limited so sign up now!

==== 4. Security Roundup ====

News: Microsoft Gears Up for Antivirus Efforts
Microsoft announced its intention to acquire the intellectual property and technology assets of Romania-based antivirus software maker GeCAD Software. Viruses, worms, and Trojan horses constantly plague Microsoft products, so we'll probably see the company release an antivirus solution based on GeCAD technology in the near future.

News: Win2K SP4 Is Coming Soon; The Newest IIS Security Rollup
According to Windows & .NET Magazine columnist Paula Sharick, Windows 2000 bug reports and hotfixes have slowed to a trickle during the past few months. This slowdown always presages the release of a new service pack. As of June 8, the Microsoft Knowledge Base contained 23 Win2K pre–Service Pack 5 (SP5) articles, including the recommended Layer Two Tunneling Protocol (L2TP), IP Security (IPSec), and Network Address Translation (NAT) update. These pre–SP5 articles indicate that SP4 won't include fixes for several USB problems or problems with terminal servers that fail in high-stress environments. So ramp up your software distribution scripts, and put SP4 on the schedule for a late summer or early fall deployment.

Feature: Where to Place Your Antivirus Defenses
Deciding whether to run a virus scanner is a "no-brainer." The key decision is where to place it. You must place antivirus products where attackers might introduce malicious code into your environment. Because you probably don't have an unlimited security budget, you must make good cost/benefit decisions about antivirus products. Your decisions involve your entire environment--including those assets you choose not to protect with virus scanners. However, by carefully reviewing your networked environment, knowing which antivirus resources you can afford to implement, and placing the virus protection strategically, you can develop the most effective overall protection for your organization. Learn more about this crucial aspect of network security in Roger A. Grimes's article on our Web site.

==== 5. Security Toolkit ====

Virus Center Panda Software and the Windows & .NET Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security.

FAQ: What's the Purpose of the SELF Subject I See in Windows 2000 Active Directory (AD)? ( contributed by Randy Franklin Smith, [email protected] )

A. The SELF subject is specific to AD; you won't find it in ACLs for objects outside AD (e.g., files, folders). SELF stands for the security principal that the object itself represents, so it lets you control what users can do to their own accounts. SELF comes in handy because you can use it to define, at the organizational unit (OU) level, which operations your users can perform on themselves; you don't need to edit each user object's ACL.

Child objects (e.g., user accounts) in an OU inherit the permissions that you set on the OU. Therefore, if you want to let all users in an OU perform certain operations on their own accounts, you can create an OU-level access control entry (ACE) whose subject is SELF and whose "Apply onto" field is set to User objects. For example, if you want users in the SalesReps OU to keep their own phone numbers and email addresses up-to-date, add an ACE to the SalesReps OU that grants SELF Write access to Phone and Mail Options. Every user object in the OU inherits that ACE, and because SELF evaluates to the object's own account, each user can write only to his or her own object, not to a colleague's.
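As an added example (not part of the original FAQ and not code from the article), here is the same OU-level ACE created from PowerShell with the ActiveDirectory module's AD: drive and the .NET ActiveDirectoryAccessRule class. The domain name DC=example,DC=com and the OU name SalesReps are placeholders. The example grants Write Property on the individual telephoneNumber and mail attributes rather than on the Phone and Mail Options property set the FAQ mentions, and it assumes that the account running it is allowed to modify the OU's ACL.

```powershell
# Added example, not from the article: grant SELF write access to
# telephoneNumber and mail on every user object beneath the SalesReps OU.
# Assumes the ActiveDirectory module (RSAT) and the AD: drive it provides.
# "DC=example,DC=com" and "SalesReps" are placeholders.
Import-Module ActiveDirectory

$ouDn     = 'OU=SalesReps,DC=example,DC=com'
$schemaNc = (Get-ADRootDSE).schemaNamingContext

# ACEs refer to attributes and classes by schemaIDGUID, not by name,
# so resolve each lDAPDisplayName to its GUID first.
function Get-SchemaGuid([string]$ldapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNc `
        -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "schema object '$ldapDisplayName' not found" }
    return [guid]$obj.schemaIDGUID
}

$userClassGuid = Get-SchemaGuid 'user'
$attrGuids     = @('telephoneNumber', 'mail') | ForEach-Object { Get-SchemaGuid $_ }

# SELF is the well-known SID S-1-5-10; it evaluates to the object's own account.
$self = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-10')

$acl = Get-Acl -Path "AD:\$ouDn"
foreach ($guid in $attrGuids) {
    # WriteProperty on one attribute, inherited by descendant objects of class
    # user only (the ACL editor's "Apply onto: User objects"), not by the OU itself.
    $ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $self,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $guid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClassGuid
    )
    $acl.AddAccessRule($ace)
}
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Check: show the SELF entries that one user in the OU now inherits.
$user = Get-ADUser -SearchBase $ouDn -Filter * -ResultSetSize 1
if ($user) {
    (Get-Acl -Path "AD:\$($user.DistinguishedName)").Access |
        Where-Object { $_.IdentityReference.Value -eq 'NT AUTHORITY\SELF' -and $_.IsInherited } |
        Select-Object ActiveDirectoryRights, ObjectType, InheritanceType
}
```

The final check matters: the ACE is only useful if it actually propagates to the user objects, so inspect one user's ACL for inherited SELF entries rather than trusting the OU's ACL alone. In the Windows 2000 era the same ACE could be written from a command prompt with dsacls.exe from the Support Tools; assuming dsacls resolves the well-known principal by its name, the equivalent is dsacls "OU=SalesReps,DC=example,DC=com" /I:S /G "NT AUTHORITY\SELF:WP;telephoneNumber;user", repeated with mail in place of telephoneNumber.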

==== 6. Event ====

Security 2003 Road Show Join Mark Minasi and Paul Thurrott as they deliver sound security advice at our popular Security 2003 Road Show event.

==== 7. New and Improved ==== by Sue Cooper, [email protected]

Leave the Monitoring to Professionals
I-Trap announced the I-Trap Internet security service, which combines an onsite appliance with offsite monitoring to provide intrusion detection inside the network and attack detection outside the firewall. The appliance sniffs incoming packets for signatures of the code that intruders use and routes the network activity data to the servers at I-Trap's 24-hour Network Operation Center (NOC), which filters the data and makes it available to you in real time through detailed online reports. I-Trap's security professionals review your network activity for threats and, when indicated, alert you and remotely reconfigure the network or firewall to block the threat. Contact I-Trap at 888-658-8727, 330-658-1040, or [email protected]

Use Plant DNA Code to Authenticate Users
Applied DNA Sciences announced Applied DNA Security Access System, which employs biotechnology to identify users and authenticate their credit card-type media. The technology integrates unique nonhuman DNA code into a nonsilicon-based microchip, creating a DNA security access microchip. Only the proprietary DNA Chip Reader can read the security access microchip. Without authentication, the product into which the microchip is embedded won't let the user proceed. Possible uses of the System include ID verification, card counterfeit protection, and personnel access control. Contact Applied DNA Sciences at 310-860-1362 or [email protected]

Submit Top Product Ideas
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Do you know of a terrific product that others should know about? Tell us! We want to write about the product in a future What's Hot column. Send your product suggestions to [email protected]

==== 8. Hot Thread ====

Windows & .NET Magazine Online Forums

Featured Thread: How to Issue Certificates with an Offline CA (Five messages in this thread)

A user wants to know whether the Certificate Authority (CA) administrator can create and issue browser certificates on behalf of clients, so that clients never have to connect to the CA. He needs to issue certificates from an offline standalone CA, so he would like to create the browser certificates for clients himself and deliver them through email. Lend a hand or read the responses:

==== Sponsored Link ====

FaxBack Integrate FAX into Exchange/Outlook (Whitepaper, ROI, Trial)


==== 9. Contact Us ====

About the newsletter -- [email protected]
About technical questions --
About product news -- [email protected]
About your subscription -- [email protected]
About sponsoring Security UPDATE -- [email protected]

=============== This email newsletter is brought to you by Security Administrator, the print newsletter with independent, impartial advice for IT administrators securing Windows and related technologies. Subscribe today.

Thank you!

Copyright 2003, Penton Media, Inc.
