Security UPDATE--In Focus: Yet Another Linux vs. Windows Report--March 23, 2005

1. In Focus: Yet Another Linux vs. Windows Report

2. Security News and Features

- Recent Security Vulnerabilities

- Help Writing an Incident Response Plan

- CyberGuard Acquires Zix Security Assets

3. Security Toolkit

- Security Matters Blog

- FAQ

- Security Forum Featured Thread

4. New and Improved

- Fine-Tuning Permissions

==== Sponsor: PatchLink ====

Free Info Kit on Automating Patch Management

Now, in a free information kit, learn how easily you can identify, deploy, and maintain patches critical to the security and availability of your network. You'll also discover how you can maintain bulletproof security -- against a range of threats -- at every network endpoint. This information-packed kit, from the pros at PatchLink, also shows you how to reduce IT workload by automating the installation of critical patches while being confident that all installed patches are pre-tested – without having to do the testing. Click here to get your Free "Automating Patch Management" Kit now, and learn how to ease one of your biggest IT burdens. Download your Free Kit at:

http://www.patchlink.connectthe.com/nlwin1

==== 1. In Focus: Yet Another Linux vs. Windows Report ====

by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

How many reports and related news stories have you read that allege they will reveal that Linux is more secure than Windows or vice versa? Get set for yet another one.

A recent news story, "Controversial Report Finds Windows More Secure than Linux," discusses a soon-to-be released report by a research professor at Florida Institute of Technology's College of Engineering and a director of research at a security technology provider. The report will compare Windows Server 2003 and Red Hat Enterprise Linux ES 3.0. As you might expect, the report is causing a stir of debate even before its release.

There are problems with these kinds of comparison reports and their related news stories. One problem is that the media often generalize to the point that they propagate misinformation to the unknowing. For example, some people might not know that there are multiple versions of Linux, just as there are multiple versions of Windows. Dozens of entities produce their own unique brands of Linux, updating these brands with new versions over time. A statement such as "Windows is more secure than Linux" is broad to the point of being meaningless.

Another problem with the comparative reports is that they lack adequate context. The researchers often seem somewhat blind to other factors that play a key role in the risk in using any OS or application.

According to the news story, the research report covers (among other information) statistics about the vulnerabilities that were found in each platform during 2004. Certainly that kind of information helps determine the overall security of an OS, but other data is necessary to put such reports in context. Among the data should be the answers to such questions as: How many security researchers were looking for security bugs and in what time frame? In which OS version were they looking? How much time did they spend on such efforts? What were their capabilities and what tools did they have at their disposal?

Obviously, if less collective time is spent looking for security problems in a platform, then the probability is high that fewer problems will be found in that platform. Likewise, if more time is spent looking for problems in a platform, then the probability of discovering more problems in that platform increases. Applications also play a key role in the security of a platform. So data could be gathered about application vulnerabilities and how they've affected overall security.

Equally as important, if not even more important, is the question of what motivates intruders and the makers of malware. How did these people spend their time? What OSs did they target most often and why?

Another set of interesting questions relate to how many of the cited vulnerabilities can be mitigated using configuration changes or defenses that are (or should) already be in place. For example, could a simple configuration change or a border or desktop firewall or Intrusion Prevention System (IPS) adequately defend against a particular vulnerability?

None of this type of data is offered in any comparative reports that I know of. Yet all these questions should come into play when researching for security comparison purposes because this data would provide a much more complete picture of how much risk is involved in using a particular piece of software, whether it be an OS, a related service, or an application. Without this kind of data to offer a larger context, these comparative reports are far less useful than their production and associated media coverage imply. If you know of a report that includes this sort of context, please let me know about it. I'd surely like to read it.

==== Sponsor: Lieberman Software ====

Security on All Workstations Compromised in Minutes

In just a few minutes any of your domain users could become the administrator of ALL your machines without your knowledge. A quick search of Google.com for password crackers is all it takes. There is a solution. Download our guide to plugging the DISTRIBUTED CREDENTIALS FLAW in Windows. Our Random Password Generator + (New) Web Based Delegated Password Recovery Console automatically solve the common administrator account/password flaw that your workstations suffer from. We have a wide range of tools to beef up your workstation and server security. Contact us for a free demo.

http://promo.liebsoft.com/?p=WITUMP323

==== 2. Security News and Features ====

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at

http://www.windowsitpro.com/departments/departmentid/752/752.html

Help Writing an Incident Response Plan

Do you have a plan in place for responding to security incidents? If not, a newly published outline can help you get started writing such a plan for your business.

http://www.windowsitpro.com/Article/ArticleID/45760

CyberGuard Acquires Zix Security Assets

CyberGuard announced that it has acquired Zix's antispam, antivirus, and URL filtering assets for approximately $4 million in cash. CyberGuard will integrate Zix's technology into its Webwasher business and hopes to gain new customers through cross-selling to users of Zix products.

http://www.windowsitpro.com/Article/ArticleID/45712

==== Resources and Events ====

Improve Service Levels and Maximize IT Staff Efficiency

Keeping your IT infrastructure on course can be a challenge given the complexity of servers, infrastructure, and application software. In this free Web seminar, learn practical techniques to monitor and manage your infrastructure applications, such as Active Directory and Exchange.

http://www.windowsitpro.com/seminars/managingapplications/index.cfm?code=0323emailannc

Get Ready for SQL Server 2005 Roadshow in a City Near You

Get the facts about migrating to SQL Server 2005. SQL Server experts will present real-world information about administration, development, and business intelligence to help you implement a best- practices migration to SQL Server 2005 and improve your database computing environment. Receive a 1-year membership to PASS and 1-year subscription to SQL Server Magazine. Register now!

http://www.windowsitpro.com/roadshows/sqlserverusa/index.cfm?code=0321emailanncs

Don't Miss Out--SQL Server Administration for Oracle DBAs On-Demand Web Seminar

Sign up now for this free Web seminar and get a quick start in mapping Oracle database-management skills, knowledge, and experience to SQL Server database management. Learn about the varying similarities and differences between Oracle and SQL Server and get a preview of real-world tips and techniques for managing these associated technologies. Register now!

http://www.windowsitpro.com/seminars/sqlserveroracledba/index.cfm/index.cfm?code=0323emailannc

Exchange, Retention, and Regulatory Compliance

The advent of Sarbanes-Oxley, Gramm-Leach-Bliley, and assorted market-specific regulations means that you may be legally required to have an email compliance and retention policy. In this free Web seminar, Exchange MVP Paul Robichaux will teach you to discover, manage, and archive information within your Exchange enterprise to successfully limit your legal exposure and protect your corporate information. Sign up today!

http://www.windowsitpro.com/seminars/exchangecompliance/index.cfm?code=0323emailannc

New eBook--Windows Certification and Public Keys

PKI services are increasingly important in today's IT environment. PKI offers strong security services to internal and external users, computers, and applications. In this free eBook, you'll discover a starting point for understanding the PKI and certificate services available in Windows Server 2003. Download it now and learn about trust relationships, validating digital certificates, and more.

http://www.windowsitlibrary.com/ebooks/WindowsCertification/index.cfm?code=0323emailannc

==== Hot Release ====

Try it Free – New NetOp Remote Control v8.0 – Faster, more secure, remote access & support, PC inventory, file transfers and scripting. New Remote Management Console and security options to help you meet today's auditing and compliancy requirements. NetOp - Nothing comes remotely close. Try it today.

http://www.crossteccorp.com/netopremote/?utm_source=winitpro&utm_medium=email&utm_campaign=v8_45

==== 3. Security Toolkit ====

Security Matters Blog

by Mark Joseph Edwards, http://www.windowsitpro.com/securitymatters

Is Your Mail Server on a Blacklist?

Ever wonder if your mail server somehow wound up on a blacklist? I've found a tool that checks dozens of blacklist service databases for a server's IP address in one fell swoop.

http://www.windowsitpro.com/Article/ArticleID/45738

FAQ

by John Savill, http://www.windowsitpro.com/windowsnt20002003faq

Q: Under which user accounts do the various Group Policy scripts run?

Find the answer at

http://www.windowsitpro.com/Article/ArticleID/45735

Security Forum Featured Thread

A forum participant is having trouble installing OpenSSH on Windows 2003 Server. He's reasonably sure that he's set all NTFS permissions correctly (allowing read and write on working folders and read and execute on program folders). But he can't connect to an OpenSSH Secure FTP (SFTP) server using known SFTP clients (such as FileZilla or PuTTY SFTP--PSFTP). He can clearly see in the Application log that OpenSSH recognizes the user and authenticates the session by confirming that the right password has been used, but the logon attempt fails anyway. Join the discussion at

http://www.windowsitpro.com/Forums/messageview.cfm?catid=42&threadid=130820

==== Announcements ====

(from Windows IT Pro and its partners)

Get Windows IT Pro at 44% Off!

Windows & .NET Magazine is now Windows IT Pro! Act now to get an entire year for just $39.95--that's 44% off the cover price! Our March issue shows you what you need to know about Windows Server 2003 SP1, how to get the best out of your IT staff, and how to fight spyware. Plus, we review the top 10 features of Mozilla Firefox 1.0. This is a limited-time, risk-free offer, so click here now:

http://www.windowsitpro.com/rd.cfm?code=theu2052up

Vote for the Next MCP Hall of Famer

Help decide who the most valuable member of the MCP community is. Take the time to reward excellence to those that deserve it and to make yourself a part of the first-ever MCP Hall of Fame. Voting only takes a few seconds, so cast your vote now for Round 2. Click here:

http://www.windowsitpro.com/mcphalloffame/index.cfm?code=ALLannct0321

==== 4. New and Improved ====

by Renee Munshi, [email protected]

Fine-Tuning Permissions

DesktopStandard (formerly AutoProf) offers PolicyMaker Application Security (PMAS), a Group Policy Management Console (GPMC) add-on that lets network administrators enforce the "least privilege" security principle on Windows desktops. PMAS makes it possible to reduce or elevate permissions on a per-application or per-task basis. Pricing starts at $25 per seat for enterprises with up to 500 computers; volume discounts are available for larger organizations. PolicyMaker supports Windows 2003 Server/XP/2000, Windows Terminal Services, Citrix MetaFrame, and all versions of Microsoft Outlook, Microsoft Office, and Microsoft Internet Explorer (IE). For more information, go to

http://www.desktopstandard.com

Tell Us About a Hot Product and Get a T-Shirt!

Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to

[email protected].

Editor's note: Share Your Security Discoveries and Get $100

Share your security-related discoveries, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions (500 words or less) to [email protected]. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

==== Sponsored Links ====

Exclusive Online Event: Email Protection at the Perimeter!

Sign up today for this free online product demonstration and see the ePrism M500 from St. Bernard Software in action.

http://www.windowsitpro.com/whitepapers/stbernard/eprismdemo/index.cfm?code=nlsplink

==== Contact Us ====

About the newsletter -- [email protected]

About technical questions -- http://www.windowsitpro.com/forums

About product news -- [email protected]

About your subscription -- [email protected]

About sponsoring Security UPDATE -- [email protected]