Security UPDATE--In Focus: pGina Open Source GINA Replacement--March 30, 2005

1. In Focus: pGina Open Source GINA Replacement

2. Security News and Features

- Recent Security Vulnerabilities - Altiris to Acquire Pedestal Software

- BMC Acquires OpenNetwork

- Consolidated Security Event IDs in Windows 2003

3. Security Toolkit

- Security Matters Blog

- FAQ

- Security Forum Featured Thread

4. New and Improved

- Encryption with Two-Factor Authentication

==== Sponsor: PatchLink====

Free Info Kit on Automating Patch Management

Now, in a free information kit, learn how easily you can identify, deploy, and maintain patches critical to the security and availability of your network. You'll also discover how you can maintain bulletproof security -- against a range of threats -- at every network endpoint. This information-packed kit, from the pros at PatchLink, also shows you how to reduce IT workload by automating the installation of critical patches while being confident that all installed patches are pre-tested –- without having to do the testing. Click here to get your Free "Automating Patch Management" Kit now, and learn how to ease one of your biggest IT burdens. Download your Free Kit at:

http://www.patchlink.connectthe.com/nlwin1

==== 1. In Focus: pGina Open Source GINA Replacement ====

by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

You're probably aware that Windows Graphical Identification and Authentication (GINA) DLL is the interface used for logons during user authentication. You might also be aware that you can install a GINA replacement if you need to use nonstandard authentication methods or to integrate additional authentication types, such as a fingerprint logon system.

It's probably not wise to replace GINA unless you really need to because doing so could weaken both your system and network security. But in some cases, that might not matter to you as much as the management headache that you'd incur if you didn't replace GINA.

Some vendors--particularly those that make alternative authentication systems--offer GINA replacements to help integrate their products into a Windows platform. But there are undoubtedly some network architectures in which you'd really like to a have a GINA replacement, yet haven't found anything suitable that can address all your needs.

Recently in SecurityFocus's Focus-MS mailing list, someone mentioned an open-source GINA replacement, pGina, that seems like it could be helpful to those with diverse authentication needs. pGina, from XPA Systems, is unique in that it uses a plug-in architecture that lets you add just about any kind of authentication mechanism you can imagine. If there isn't a plug-in that meets your needs, then you can use the source code to develop one or have someone develop a plug-in for you. Depending on your needs and network architecture, pGina might let you centralize all your user credentials, which could save a lot of time and effort in management.

http://pgina.xpasystems.com/info

Numerous plug-ins are already available for pGina. For example, the Remote Authentication Dial-in User Service (RADIUS) plug-in lets you authenticate users to any RADIUS server. The ACE plug-in lets you use RSA Security's RSA SecureID two-factor authentication system for Windows logons--although last I heard, RSA does offer its own GINA replacement. Another interesting plug-in works with MySQL open-source database servers, which could be used to store user credentials. Yet another plug-in works with the Bluesocket architecture, which is very useful for authenticating mobile users. There are also plug-ins for Network Information Service (NIS) servers, Lightweight Directory Access Protocol (LDAP) servers, OpenAFS (based on the Andrew File System), and more.

GINA replacements are also available from other sources. FrontMotion sells source code to a GINA replacement that supports most versions of Windows and includes domain support and Active Directory (AD) support. Doug Scoular offers a free GINA replacement that helps integrate Windows with Unix or Linux platforms by using FTP as an authentication mechanism. Deakin University offers free GINA source code that can be used to authenticate with NIS servers.

http://www.frontmotion.com/products.htm

http://www.arch.usyd.edu.au/~doug/gina.html

http://nisgina.deakin.edu.au

==== Sponsor: CrossTec ====

FREE Download – The Next Generation of End-Point Security is Available Today.

NEW NetOp Desktop Firewall's fast 100% driver-centric design offers a tiny footprint that protects machines even before Windows loads - without slowing them down. NetOp is also the only solution to provide process control as well as application control to give you the highest level of security. The NetOp Desktop Firewall utilizes real-time centralized management and control, intelligent network detection, stateful packet filtering, port blocking, protection from process hijacking, and much more. Try it FREE.

http://www.crossteccorp.com/netopfirewall/?utm_source=winitpro&utm_medium=email&utm_campaign=ndf

==== 2. Security News and Features ====

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at

http://www.windowsitpro.com/departments/departmentid/752/752.html

Altiris to Acquire Pedestal Software

Altiris announced that it will acquire Pedestal Software in a deal valued at $65 million. Altiris further said that after the deal closes at the end of March, the company will immediately begin integrating Pedestal products into its distribution channels and will continue offering Pedestal's SecurityExpressions and AuditExpress products as standalone solutions.

http://www.windowsitpro.com/Article/ArticleID/45805

BMC Acquires OpenNetwork

BMC Software announced that it has reached an agreement to acquire OpenNetwork, makers of Web application management and single sign-on (SSO) technology. BMC said OpenNetwork's solutions will allow BMC to expand its browser-based authentication and authorization offerings, which compliment its existing offerings for workflow, audit and compliance, enterprise-enabled SSO, provisioning, and directory content management.

http://www.windowsitpro.com/Article/ArticleID/45803

Consolidated Security Event IDs in Windows 2003

Randy Franklin Smith tells why Windows Server 2003 domain controllers (DCs) don't report domain-account authentication failures, except for bad password attempts.

http://www.windowsitpro.com/Article/ArticleID/45556

==== Resources and Events ====

The Essential Guide to Active Directory Management

Migrating from NDS and/or eDirectory to AD means changes in the way you manage your network, users, and network resources. Download this Essential Guide to Active Directory Management and learn hands-on approaches that reduce management complexity, IT workload, and costs and improve security--all with minimal impact on your organization. Download this guide today.

http://www.windowsitpro.com/essential/index.cfm?code=0330emailannc

Get Chapter 2 of "SQL Server Administration for Oracle DBAs"

Learn the key concepts that give Oracle DBAs a firm foundation in mapping Oracle database-management skills, knowledge, and experience to SQL Server database management. Chapter 2 of this free eBook discusses SQL Server management, including managing memory, processes, storage, sessions and transactions, and low-level structures (e.g., locks, latches). Download Chapter 2 now!

http://www.windowsitlibrary.com/ebooks/sqlserveradminoracle/index.cfm?code=0330emailanncs

Attend This Free Web Seminar for a Chance to Win a $1000 American Express Gift Check!

Achieve High Availability and Disaster Recovery for Microsoft Servers. In this Web seminar, discover what it takes to minimize the likelihood of downtime through reliability and resilience in your Microsoft server environment, including Exchange Server, SQL Server, File Server, IIS, and SharePoint. Sign up today!

http://www.windowsitpro.com/seminars/microsofthighavailability/index.cfm?code=0330emailannc

Hey Europe! Get Ready to Become the Next Gatekeeper Champion

Get a leg up on your fellow European IT pros by getting all the study materials you'll need to help you prepare for the next Gatekeeper competition on April 4. Windows IT Pro will help you hone your security skills and become the ultimate IT security expert. Start preparing now by visiting:

http://emea.windowsitpro.com/emea/index.cfm?action=Gatekeeper

Sensible Best Practices for Exchange Availability On-Demand Web Seminar

If you're discouraged about not having piles of money for improving the availability of your Exchange server, join Exchange MVP Paul Robichaux for this free Web seminar and learn how to maximize your existing configuration. Survive unexpected outages, plan for the unplannable, and evaluate what your real business requirements are without great expense. Register now!

http://www.windowsitpro.com/seminars/exchangeavailability/index.cfm?code=0330emailannc

==== 3. Security Toolkit ====

Security Matters Blog

by Mark Joseph Edwards, http://www.windowsitpro.com/securitymatters

Patching with WSUS

If you're interested in using Windows Server Update Services (WSUS--formerly Windows Update Services), then you might consider watching Microsoft's new on-demand TechNet Webcast, "Introduction to Security Patching Using Windows Update Services." The Webcast offers insight into WSUS's new features and offers planning and deployment guidance. Microsoft also released a WSUS release candidate (RC) and said that after April 22, WUS beta 2 will no longer receive updates. So if you were testing the beta, you need to update your copy to the RC.

http://www.windowsitpro.com/Article/ArticleID/45780

FAQ

by John Savill, http://www.windowsitpro.com/windowsnt20002003faq

Q: How can I deploy missing patches to my Microsoft Systems Management Server (SMS) clients?

Find the answer at

http://www.windowsitpro.com/Article/ArticleID/45723

Security Forum Featured Thread: Password Control Via IIS

A forum participant has an intranet that requires domain authentication for access to data on one Windows 2000 Server machine. He's set a password timeout period for x number of days. But users don't see a password expiration warning because they log on via an IIS site. In addition, passwords seem to stop working for some time before they expire. How can he deliver a password expiration notification to the users? Join the discussion at

http://www.windowsitpro.com/Forums/messageview.cfm?catid=42&threadid=131117

==== Announcements ====

(from Windows IT Pro and its partners)

Get Windows IT Pro at 44% Off!

Windows & .NET Magazine is now Windows IT Pro! Act now to get an entire year for just $39.95--that's 44% off the cover price! Our March issue shows you what you need to know about Windows Server 2003 SP1, how to get the best out of your IT staff, and how to fight spyware. Plus, we review the top 10 features of Mozilla Firefox 1.0. This is a limited-time, risk-free offer, so click here now:

http://www.windowsitpro.com/rd.cfm?code=theu2052up

==== 4. New and Improved ====

by Renee Munshi, [email protected]

Encryption with Two-Factor Authentication Mobile Armor announced that its PolicyServer and DataArmor products have "RSA SecurID Ready" certification, meaning that they now integrate with RSA SecurID two-factor authentication technology. DataArmor software provides preboot authentication and high-speed full-device encryption, especially for mobile devices; PolicyServer integrates DataArmor with other security software such as antivirus solutions, VPNs, and firewalls. For more information, go to

http://www.mobilearmor.com

Tell Us About a Hot Product and Get a T-Shirt!

Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to

[email protected].

Editor's note: Share Your Security Discoveries and Get $100

Share your security-related discoveries, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions (500 words or less) to [email protected]. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

==== Contact Us ====

About the newsletter -- [email protected]

About technical questions -- http://www.windowsitpro.com/forums

About product news -- [email protected]

About your subscription -- [email protected]

About sponsoring Security UPDATE -- [email protected]