Windows & .NET Magazine Security UPDATE—brought to you by Security Administrator, a print newsletter bringing you practical, how-to articles about securing your Windows .NET Server, Windows 2000, and Windows NT systems.
THIS ISSUE SPONSORED BY
FREE Security Assessment Tool
VeriSign - The Value of Trust
(below IN FOCUS)
SPONSOR: FREE SECURITY ASSESSMENT TOOL
Aelita InTrust(tm) 7.0 bridges the gap between industry regulations & policies and your IT infrastructure. InTrust consolidates, archives, and analyzes heterogeneous IT audit data and offers reports to assist in documenting compliance. And InTrust's data repositories enable efficient, permanent storage of all event data. Get started with the FREE security assessment tool: Aelita InTrust Audit Advisor!
October 23, 2002—In this issue:
1. IN FOCUS
- Increasing Wireless Security with TKIP
2. SECURITY RISKS
- Information Disclosure Vulnerability in Word and Excel
- Unchecked Buffer in Outlook Express S/MIME Parser
- Subscribe to Windows & .NET Magazine and Receive an eBook Gift!
- Real-World Tips and Solutions Here for You
4. SECURITY ROUNDUP
- News: Microsoft Licenses RSA Security Technology
- News: Foundstone Files Suit Against NT OBJECTives
- Feature: Limited-Function Server Roles
5. SECURITY TOOLKIT
- Virus Center
- FAQ: How Can I Stop Windows 2000 from Using an Encrypted Format When I Copy Encrypted Files to a Server?
6. NEW AND IMPROVED
- Security Software Package Released
- Fight Back Against Unauthorized PC Monitoring
- Submit Top Product Ideas
7. HOT THREADS
- Windows & .NET Magazine Online Forums
- Featured Thread: Administrator Accounts
8. CONTACT US
- See this section for a list of ways to contact us.
1. IN FOCUS
(contributed by Mark Joseph Edwards, News Editor, [email protected])
The current wireless networking standards use security technology that's far less secure than it could be. For example, most wireless network administrators are familiar with the Wired Equivalent Privacy (WEP) protocol, which uses RC4 encryption to help protect data as it travels over the airwaves.
However, researchers have proven that intruders can easily crack WEP. Last year, a team of researchers published "Weakness in the Key Scheduling Algorithm of RC4," a paper that describes a series of vulnerabilities that make WEP vulnerable. In roughly the same time frame that the paper was published, someone posted Perl scripts on the Internet that helped demonstrate how vulnerabilities in WEP could be verified. You can read about the paper and the scripts in an editorial I wrote in August 2001 (see the URL below).
Because of the weaknesses in WEP security, several entities are developing stronger security technology, such as the 802.11a and 802.11b specifications, for use with wireless network technologies. If you aren't familiar with the various 802.11x network specifications, you can learn more about them by reading Mark Weitz's article at the URL below.
One up-and-coming 802.11x specification, 802.11i, is still involved in development and approval processes. The specification might be officially released by early 2003. After it's available, 802.11i will provide replacement technology for WEP security. Initially, 802.11i will provide Temporal Key Integrity Protocol (TKIP) security that you can add to existing hardware with a firmware upgrade. Upgraded units should be backward-compatible with hardware that still uses WEP. Sometime later, new chip-based security that uses the stronger Advanced Encryption Standard (AES) protocol will replace TKIP, and the new chips will probably be backward-compatible with TKIP. In effect, TKIP is a temporary protocol for use until manufacturers implement AES at the hardware level.
TKIP is a quick-fix method to quickly overcome the inherent weaknesses in WEP security, especially the reuse of encryption keys. According to "802.11 Planet," "The TKIP \[security\] process begins with a 128-bit 'temporal key,' \[which is\] shared among clients and access points. TKIP combines the temporal key with the \[client machine's\] MAC address and then adds a relatively large 16-octet initialization vector to produce the key that will encrypt the data. This procedure ensures that each station uses different key streams to encrypt the data. TKIP uses RC4 to perform the encryption, which is the same as WEP. A major difference from WEP, however, is that TKIP changes temporal keys every 10,000 packets. This provides a dynamic distribution method that significantly enhances the security of the network."
In relation to TKIP, some companies have implemented TKIP-like solutions called Simple Secure Networks (SSNs), which also use an encryption key that changes periodically. One company, Symbol Technologies, currently has SSN-based products on the market. In addition, vendors such as Atheros Communications and Resonext Communications are producing chips that support WEP, TKIP, and AES security technologies, and wireless network gear vendors, such as Nokia, are already shipping hardware that's ready for TKIP security, waiting for the standard to be finalized.
For a more in-depth look at wireless encryption technology, especially WEP and TKIP, be sure to read the two articles from Intel listed below. The first article discusses encryption key management in both WEP and TKIP protocols, and the second article discusses TKIP in considerable detail.
SPONSOR: VERISIGN - THE VALUE OF TRUST
Get the strongest server security — 128-bit SSL encryption! Download VeriSign's FREE guide, "Securing Your Web Site for Business" and learn everything you need to know about using SSL to encrypt your e-commerce transactions for serious online security. Click here!
2. SECURITY RISKS
(contributed by Ken Pfeil, [email protected])
An information-disclosure vulnerability in Microsoft Word and Microsoft Excel lets an attacker create a document that, when opened, updates itself to include the contents of any file from the vulnerable computer. Microsoft has released Security Bulletin MS02-059 (Flaw in Word Fields and Excel External Updates Could Lead to Information Disclosure) to address this vulnerability and recommends that affected users apply the appropriate patch mentioned in the bulletin.
Noam Rathaus of Beyond Security discovered a buffer-overrun vulnerability in Microsoft Outlook Express's Secure MIME (S/MIME) parser that can lead to the execution of arbitrary code on the vulnerable system. This vulnerability stems from a problem in the code that generates a warning message when a particular error condition associated with digital signatures occurs. By creating a digitally signed email message, editing it to introduce specific data, and sending it to another user, an attacker can cause the vulnerable mail client to fail or execute arbitrary code. Microsoft has released Security Bulletin MS02-058 (Unchecked Buffer in Outlook Express S/MIME Parsing Could Enable System Compromise) to address this vulnerability and recommends that affected users immediately apply the patch mentioned in the bulletin.
(brought to you by Windows & .NET Magazine and its partners)
Windows & .NET Magazine is a problem-solving manual designed to help systems administrators better manage their Windows 2000 and Windows NT enterprise. Subscribe today and, with your paid subscription, you can choose from one of three eBooks about Active Directory, public key infrastructure, or automating tasks with VBScript. Subscribe now!
Last Chance to register for Windows & .NET Magazine LIVE!—sign up today and you'll also receive access to sessions of concurrently run XML and Web Services Connections. Access more than 70 sessions and save $1395. Discover why more than half of our attendees choose only our conferences to attend each year. This conference is chock-full of "been there, done that" knowledge from people who use Microsoft technologies in the real world. Register today!
4. SECURITY ROUNDUP
RSA Security announced that Microsoft has licensed RSA technology for use in Microsoft's products. The first initiative that stems from this agreement is the use of RSA Security's RSA SecurID two-factor authentication software.
Foundstone has filed a temporary restraining order and accompanying lawsuit against NT OBJECTives (NTO), claiming that NTO has violated Foundstone's trade secrets and harmed the company's business in the process. Foundstone is seeking to block the release of NTO's impending Fire and Water toolkit, which is slated for release in early November.
Server roles debuted in Microsoft SQL Server 7.0. These helpful security tools assign a predefined set of permissions to one or more database logins. The sysadmin role is the most powerful fixed server role because its members can perform any function on the server. Learn to use the remaining limited-function fixed server roles, listed in this article, to grant limited permissions to specific types of users and revoke or reassign permissions as users' job duties change.
5. SECURITY TOOLKIT
Panda Software and the Windows & .NET Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security.
( contributed by John Savill, http://www.windows2000faq.com )
A. By default, when you copy locally encrypted files to a server, Win2K retains the encryption format. However, you might not want server-based files to be encrypted. For example, a laptop user might want to encrypt files locally for security reasons but want the server-based files to be unencrypted so that other users can view the files. To stop Win2K from copying files to a server in an encrypted format, perform the following steps on the destination server:
- Start a registry editor (e.g., regedit.exe).
- Navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem registry subkey.
- Select the NtfsEncryptionService value, then select Edit, Delete from the menu bar.
- Close the registry editor.
- Reboot the server for the change to take effect.
After you make this change, you'll no longer be able to encrypt files on the server and Win2K will decrypt any encrypted files that users copy to the server.
6. NEW AND IMPROVED
(contributed by Judy Drennen, [email protected])
Butterfly Security announced CodeSeeker EX, a Web application security software package. CodeSeeker EX provides realtime blocking of malicious attacks that get past firewalls. The software also provides comprehensive reporting capabilities that reveal not only that an intruder has made an attack but also specific details about the attack and its origin. CodeSeeker EX runs on any combination of platforms—Windows XP, Windows 2000, Windows NT, Linux, and Solaris—from a single console. Policies and servers can be grouped and organized in the user interface any way you choose. Contact Butterfly at 408-333-9948 for pricing information.
Raytown released Anti-keylogger, a software application that can provide computers with protection against most types of unauthorized activity monitoring. Unlike the typical antivirus pattern-matching product, Anti-keylogger works on new or unknown types of activity-monitoring programs to detect and eliminate threats to the integrity and security of your computer network. Anti-keylogger runs on Windows XP, Windows 2000, Windows NT, Windows Me, and Windows 9x and costs $59.95 for a single license. Contact Raytown at [email protected] or go to the Web site.
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Do you know of a terrific product that others should know about? Tell us! We want to write about the product in a future What's Hot column. Send your product suggestions to [email protected]
7. HOT THREADS
(Two messages in this thread)
A user writes that several users in his IT department require Windows NT administrator access. He's considering the following options. He could have everyone use the same administrator account; he could provide each user with regular user account and a separate administrative account; or he could give each user limited administrator rights on his or her regular user accounts. Is there a best practice for handling this particular need? Read the responses or lend a hand:
8. CONTACT US
Here's how to reach us with your comments and questions:
- ABOUT THE COMMENTARY — [email protected]
- ABOUT KEEPING UP WITH WIN2K AND NT — [email protected]
- ABOUT THE NEWSLETTER IN GENERAL — [email protected]
(please mention the newsletter name in the subject line)
- TECHNICAL QUESTIONS — http://www.winnetmag.net/forums
- PRODUCT NEWS — [email protected]
- QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION?
Customer Support — [email protected]
- WANT TO SPONSOR SECURITY UPDATE?
This email newsletter is brought to you by Security Administrator, the print newsletter with independent, impartial advice for IT administrators securing a Windows 2000/Windows NT enterprise. Subscribe today!
Receive the latest information about the Windows and .NET topics of your choice. Subscribe to our other FREE email newsletters.
Thank you for reading Security UPDATE.