Windows & .NET Magazine Security UPDATE—brought to you by Security Administrator, a print newsletter bringing you practical, how-to articles about securing your Windows .NET Server, Windows 2000, and Windows NT systems.
THIS ISSUE SPONSORED BY
Windows & .NET Magazine — Exclusive Rate
(below IN FOCUS)
SPONSOR: MASSIVE WORKSTATION SECURITY HOLE...IGNORED!
In just a few minutes any of your domain users could become the administrator of ALL your machines without your knowledge. A quick search of Google.com for password crackers is all it takes. There is a solution. Download our guide to plugging the DISTRIBUTED CREDENTIALS FLAW in Windows.
January 1, 2003—In this issue:
1. IN FOCUS
- It's a Great Time to Check Your Security
2. SECURITY RISKS
- Privilege Escalation in Microsoft WM_TIMER
- Vulnerability in Microsoft SMB
- Multiple Vulnerabilities in Microsoft VM
- The Microsoft Mobility Tour Is Coming Soon to a City Near You!
- Get the New Windows & .NET Magazine Network Super CD/VIP!
4. SECURITY ROUNDUP
- Feature: Security and Parameterization
- Feature: CA Basics
5. SECURITY TOOLKIT
- Virus Center
- FAQ: How Can I Configure Microsoft's Secure Desktop Restriction Setting in Windows 2000 Service Pack 1 (SP1) and Later?
6. NEW AND IMPROVED
- Maintenance-Free Spam Protection
- Easily Set Up Remote Site Firewalls
- Submit Top Product Ideas
7. HOT THREAD
- Windows & .NET Magazine Online Forums
- Featured Thread: Bypassing Proxy Servers
8. CONTACT US
See this section for a list of ways to contact us.
1. IN FOCUS
(contributed by Mark Joseph Edwards, News Editor, [email protected])
It's 2003, and you might want to start the new year by checking the security of all your systems. Toward that effort, I've located several security checklists to assist you. The checklists cover Windows XP; Windows 2000; Windows NT; Microsoft IIS, SQL Server, Exchange Server, and Internet Explorer (IE); various UNIX systems; and Apache. Keep in mind that these are just a few of the many checklists available. To find more, use your favorite search engine.
LabMice.net hosts a "Windows XP Security Checklist."
The checklist is divided into three categories: basic, intermediate, and advanced. The items covered include user accounts, groups, passwords, hardware, ports, shares, risky subsystems, and risky features.
Microsoft also provides a security checklist for XP Home Edition and XP Professional. According to the related TechNet Web page, the checklists "outline the steps you should take to reach a baseline of security with Windows XP Home Edition and Windows XP Professional computers, either on their own or as part of a Windows NT or Windows 2000 domain." The checklists cover such matters as shares, policies, and accounts and passwords.
LabMice.net also hosts the "Windows 2000 Security Checklist," which provides the same thorough coverage provided in the LabMice.net XP security checklist.
If you have NT systems on your network, check out the NT security checklist that Windows IT Library hosts. Originally compiled by Rob Davis with the help of several others, the checklist includes information from Microsoft's Web site. The list addresses such concerns as protecting files and directories, NetBIOS, dangerous services, passwords and hashes, registry entries, resource sharing, auditing, caching, and memory paging.
Microsoft offers the Internet Information Server (IIS) 4.0 Baseline Security Checklist, which helps you better secure the popular Web server. The list discusses installing the minimum Internet services required, setting appropriate authentication methods, setting appropriate virtual directory permissions and partitioning Web application space, setting appropriate IIS log file ACLs, enabling logging, setting up Secure Sockets Layer (SSL), disabling or removing all sample applications, removing the IISADMPWD virtual directory, removing unused script mappings, and disabling Remote Data Services (RDS) support. Microsoft also provides a Web-based checklist form that helps you keep track of which configuration actions you've taken on a Web server. The form contains hotlinks that describe each item listed. The company also provides a lockdown tool for IIS. Finally, Microsoft offers a useful checklist for Internet Information Services (IIS) 5.0.
SQLSecurity.com provides the "SQL Server Security Checklist" to help you secure SQL Server installations. The extensive list covers such matters as service packs, protocols, user accounts, dropping dangerous procedures, deleting stored procedures, logging, alerts, groups and roles, and user logins.
The IMIBO Web site discusses Exchange Server security and offers sample code that shows you how Microsoft handles security inside the server. The site's information addresses subjects such as logons, directory objects, security descriptors, modifying access, and public folder access control.
DevX provides "Eight Tips to Secure Exchange." The tips cover areas such as ports, underlying OS services, server location, passwords, using communities, dial-up access, and administrative rights.
You can find additional information about Exchange Server and Outlook security at Slipstick Systems. At the Slipstick Web site, search on the term "security."
Microsoft provides a rudimentary Web page that explains IE security. The page includes settings for SSL and security zones. The most important thing to remember about IE security is to load the many available patches.
More Microsoft Security Tools and Checklists
For more complete access to Microsoft security checklists and tools, visit the company's TechNet Web site. The site includes items for most of Microsoft's enterprise products (although not for SQL Server).
CERT offers a "UNIX Security Checklist v2.0." The checklist covers the basic OS, major services, patches, and details about specific UNIX OSs. The checklist appendix lists security tools, commands, and five "essential" steps to secure your UNIX systems before you put them into operation.
Apache HTTP Server
If you're among the many people who run Apache HTTP server, you'll be happy to know that the Apache Server Project hosts a Web page, "Security Tips for Server Configuration." The content includes permissions on server root directories, server-side includes, Common Gateway Interface (CGI) in general, aliased CGI, dynamic content, system settings, and protecting server files.
Finally, Windows & .NET Magazine has published many in-depth articles that discuss how to better secure your systems. Be sure to use the Web site search engine to find material about the security topics most important to you.
SPONSOR: WINDOWS & .NET MAGAZINE - EXCLUSIVE RATE
HERE'S AN OFFER YOU CAN'T AFFORD TO PASS UP!
For a limited time, you can get an exclusive $19.95 rate to one year of Windows & .NET Magazine. That's only $1.66 an issue in the US — a whopping 60% off our regular rate. This offer won't be around forever, so subscribe today at http://www.winnetmag.com/rd.cfm?code=nfei202lup
2. SECURITY RISKS
(contributed by Ken Pfeil, [email protected])
A vulnerability in Microsoft WM_TIMER Message Handling can grant an attacker complete control over the vulnerable system. The vulnerability occurs because one process in the interactive desktop can use a WM_TIMER message to cause another process to execute a callback function at the address of its choice, even if the second process didn't set a timer. Microsoft has released Security Bulletin MS02-071 (Flaw in Windows WM_TIMER Message Handling Could Enable Privilege Elevation) to address this vulnerability and recommends that affected users immediately apply the appropriate patch mentioned in the bulletin.
A new vulnerability in Microsoft Server Message Block (SMB) lets an attacker silently downgrade the SMB Signing settings on a vulnerable system, which might then let the attacker change Group Policy information. Microsoft has released Security Bulletin MS02-070 (Flaw in SMB Signing Could Enable Group Policy to be Modified) to address this vulnerability and recommends that affected users immediately apply the appropriate patch mentioned in the bulletin. This patch is included in Windows XP Service Pack 1 (SP1) and will be included in Windows 2000 SP4.
GreyMagic Software and Thor Larholm discovered eight new vulnerabilities in Microsoft Virtual Machine (VM). The most serious of these vulnerabilities can give an attacker complete control over the vulnerable system. Microsoft has released Security Bulletin MS02-069 (Flaw in Microsoft VM Could Enable System Compromise) to address these vulnerabilities and recommends that affected users immediately apply the appropriate patch available through Windows Update.
(brought to you by Windows & .NET Magazine and its partners)
Brought to you by Windows & .NET Magazine, this outstanding seven-city event will help support your growing mobile workforce. Industry guru Paul Thurrott discusses the coolest mobility hardware solutions around, demonstrates how to increase the productivity of your "road warriors" with the unique features of Windows XP and Office XP, and much more. There is no charge for these live events, but space is limited so register today!
Everyone can appreciate a bargain in today's economy. That's why we've introduced the Windows & .NET Magazine Super CD/VIP Web site. You get exclusive subscriber-only access to all our publications through our new VIP Web site. Plus, you get Super CDs delivered twice a year, and we'll even throw in a 1-year print subscription to the magazine! The Super CD/VIP is a $545 value for just $279. Subscribe today!
4. SECURITY ROUNDUP
In SQL Server 2000 Analysis Services, Microsoft introduced dimension-level security, which can limit the members of a cube dimension that a user can view. The most straightforward way to use this feature is to create a security role for each unique set of permissions in the application. But in a sales application, every user might need a unique set of permissions for the sales data. This requirement could introduce hundreds—if not thousands—of security roles. However, even if you could create an administrative application to manage this number of security roles, Analysis Services couldn't handle it. Russ Whitney works around this limitation and creates a scalable solution. Read how at the URL below.
A primary condition for enabling Secure Sockets Later (SSL) encryption is that your server and clients must have a digital certificate from a trusted root Certificate Authority (CA). The server and client certificates must be from the same CA. For the example in this article, Gary Zaika used Microsoft Certificate Services to issue certificates for all clients inside the company. Read more on our Web site.
5. SECURITY TOOLKIT
Panda Software and the Windows & .NET Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security.
(contributed by John Savill, http://www.windows2000faq.com)
A. Users who interactively log on to a computer running Win2K or later can perform tasks that might be security risks, such as gaining access to display and input devices that a computer process with wider-reaching privileges owns. These users then can create a process to capture passwords or sensitive data. For more information about the problem, see Microsoft Security Bulletin MS00-020 (Patch Available for "Desktop Separation" Vulnerability) at the Microsoft Web site.
Win2K SP1 corrected this vulnerability by adding a Secure Desktop Restriction setting, but the new locked-down functionality might adversely affect certain applications. If your application vendor advises you to disable this security setting, perform the following steps:
- Start a registry editor (e.g., regedit.exe).
- Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows.
- From the Edit menu, select New, DWORD Value.
- Enter a name of SecureDesktop.
- Double-click the new value, set it to 0 to disable the setting (you can set the value to 1 to reenable the default configuration), then click OK.
- Restart the machine for the change to take effect.
6. NEW AND IMPROVED
(contributed by Sue Cooper, [email protected])
Singlefin announced the Global Email Gateway Service, which blocks unwanted email and viruses at the gateway, before they enter your network. The service uses a three-step filtering process to block only spam: email address baiting, proprietary message scoring, and proprietary fingerprinting and addition to Singlefin's database. The service uses two virus engines to support its 10-minute update intervals. Contact Singlefin at 619-222-1362, 866-566-3346, and [email protected].
PowerWallz Network Security announced the ProShield v1000 firewall appliance, designed for branch offices, telecommuters, and small and midsized enterprise users. ProShield v1000 features high-end encryption and EasyVPN, a proprietary configuration utility to simplify the installation and configuration process for your remote or small office settings. ProShield v1000 is available in rack-mount and standalone models, with Web-based central administration. It's expected to ship in first quarter 2003 with prices starting at $899. Contact PowerWallz Network Security at 604-233-2822, 888-889-6988, and [email protected].
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Do you know of a terrific product that others should know about? Tell us! We want to write about the product in a future What's Hot column. Send your product suggestions to [email protected].
7. HOT THREAD
Featured Thread: Bypassing Proxy Servers
(Four messages in this thread)
A user writes that his company uses a Cisco Systems PIX firewall and WebSense URL-blocking software. However, some users have found applications that let them bypass the WebSense system to surf the Internet unrestricted. He wants to know where users might get such programs. Lend a hand or read the responses: http://www.winnetmag.com/forums/rd.cfm?cid=42&tid=51474
8. CONTACT US
Here's how to reach us with your comments and questions:
- ABOUT IN FOCUS — [email protected]
- ABOUT THE NEWSLETTER IN GENERAL — [email protected]
(please mention the newsletter name in the subject line)
- TECHNICAL QUESTIONS — http://www.winnetmag.net/forums
- PRODUCT NEWS — [email protected]
- QUESTIONS ABOUT YOUR Windows & .NET Magazine Security UPDATE SUBSCRIPTION?
Customer Support — [email protected]
- WANT TO SPONSOR Windows & .NET Magazine Security UPDATE?