Windows & .NET Magazine Security UPDATE—brought to you by Security Administrator, a print newsletter bringing you practical, how-to articles about securing your Windows .NET Server, Windows 2000, and Windows NT systems.
THIS ISSUE SPONSORED BY
Consolidated Security Auditing and Monitoring
VeriSign - The Value of Trust
SPONSOR: CONSOLIDATED SECURITY AUDITING AND MONITORING
HIPAA? Gramm-Leach-Bliley? BS7799/ISO17799? Aelita InTrust(tm) bridges the gap between industry regulations & policies and your IT infrastructure. InTrust consolidates, archives, and analyzes heterogeneous IT audit data and offers numerous reports to assist in documenting compliance. And InTrust's data repositories enable efficient, permanent storage of all event data. Get started with the FREE security assessment tool: Aelita InTrust Audit Advisor!
September 11, 2002—In this issue:
1. IN FOCUS
- Assessing Security Threats to Microsoft SQL Server
2. SECURITY RISKS
- Application Execution Vulnerability in Microsoft Visual FoxPro 6.0
- Multiple Vulnerabilities in Cisco VPN 3000 Series Concentrator and VPN 3002 Hardware Client
- Mark Minasi and Paul Thurrott Are Bringing Their Security Expertise to You!
- UNIX, Linux, and Windows: Managing the Unruly Trinity
4. SECURITY ROUNDUP
- News: Microsoft Releases Windows XP SP1
- News: Microsoft Solves Windows Hacking Mystery
5. SECURITY TOOLKIT
- Virus Center
- FAQ: How Can I Prevent Users from Changing Their Passwords Except When Windows 2000 Prompts Them To?
6. NEW AND IMPROVED
- Antispam Server for the Enterprise
- Lock Up Your Hard Disk
- Submit Top Product Ideas
7. HOT THREADS
- Windows & .NET Magazine Online Forums
- Featured Thread: Obtaining Hashes from the Win2K SAM Database
8. CONTACT US
- See this section for a list of ways to contact us.
1. IN FOCUS
(contributed by Mark Joseph Edwards, News Editor, [email protected])
When did you last profile your Microsoft SQL Server 2000 system for potential threats? If you haven't done so, you might want a toolkit and some easy-to-understand guidelines.
Next Generation Security Software (NGSSoftware) recently published "Threat Profiling Microsoft SQL Server," which describes in detail tools and procedures that you can use to gauge your exposure to intruders. According to NGSSoftware, the paper has "four main sections. The first section will cover attacks that do not require the attacker to have a user ID and password for the SQL Server, that is, the attacks are unauthenticated. The second section will cover those attacks that do require authentication; to succeed the user must be logged onto the SQL Server. The third section will consider those attacks that can be launched from a compromised server. The final and fourth section will touch briefly upon attacks via the Web using SQL Injection."
"Threat Profiling Microsoft SQL Server" discusses SQL Monitor port attacks, network-sniffing opportunities, brute-force attacks, file-system attacks, Trojan horses in extended stored procedures, client attacks (e.g., against the SQL Enterprise Manager), navigating the database server, password cracking, bypassing access controls, and more. The paper lists a series of tools you need to obtain before you start. Minimally, you'll need various SQL client tools (such as Query Analyzer and ODBCPing), Microsoft Visual C++, SQLPing, NGSSQuirreL, NGSSQLCrack, and NGSSniff. The SQL Server CD-ROM contains SQL client tools. SQLSecurity.com (see the first URL below) offers SQLPing. NGSSoftware offers the latter three tools through the company's Web site (see the second URL below). According to NGSSoftware, NGSSQuirreL is an auditing tool that can find and fix holes in the SQL Server; NGSSQLCrack can crack the passwords of standard SQL logins; and NGSSniff is a network traffic capture and analysis tool. Overall, the paper contains a wealth of information about securing your SQL Server.
Other steps you can take toward SQL Server security include keeping up with Microsoft security bulletins and reviewing other resources. Microsoft has issued 11 security bulletins for SQL Server 2000 so far, including a cumulative patch in August 2002 that contains all the other security patches. Be sure you've loaded the ones you might need--or the cumulative patch if you want to load them all.
SQL Server Magazine and its related Web site often discuss SQL Server security. For example, when you visit the Web site (see the URL below), you'll find Michael Otey's article "Free SQL Server Tools," which discusses his favorite free SQL Server tools, among which are security-related tools. You'll also find Kalen Delaney's article "Safe Transit," which discusses how to ensure that user and passwords match up after a database restoration.
Regularly reviewing the potential threats to your SQL Server will help keep it secure. I hope the resources mentioned will support that review process.
SPONSOR: VERISIGN - THE VALUE OF TRUST
Get the strongest server security -- 128-bit SSL encryption!
Download VeriSign's FREE guide, "Securing Your Web Site for Business" and learn everything you need to know about using SSL to encrypt your e-commerce transactions for serious online security. Click here!
2. SECURITY RISKS
(contributed by Ken Pfeil, [email protected])
Cristobal Bielza and Juan Carlos G. Cuartango from Instituto Seguridad Internet discovered a vulnerability in Microsoft Visual FoxPro 6.0 that can result in an attacker gaining control over the vulnerable system. This vulnerability stems from a Visual FoxPro installation in which the application doesn't register itself with Microsoft Internet Explorer (IE). As a result, an attacker can use a Web page or HTML email to launch an application on the vulnerable system. Microsoft has released Security Bulletin MS02-049 (Flaw Could Enable Web Page to Launch Visual FoxPro 6.0 Application Without Warning) to address this vulnerability.
Multiple vulnerabilities exist in Cisco Systems' VPN 3000 series concentrators and VPN 3002 Hardware Client that can result in information disclosure, Denial of Service (DoS) conditions, and unauthenticated display of passwords on the vulnerable devices. Cisco has issued a notice regarding these vulnerabilities and recommends that affected users upgrade to a fixed release of its software through regular support channels or the Cisco Web site.
(brought to you by Windows & .NET Magazine and its partners)
Windows & .NET Magazine Network Road Show 2002 is coming this October to New York, Chicago, Denver, and San Francisco! Industry experts Mark Minasi and Paul Thurrott will show you how to shore up your system's security and what desktop security features are planned for Microsoft .NET and beyond. Sponsored by NetIQ, Microsoft, and Trend Micro. Registration is free, but space is limited so sign up now!
Sign up for our latest Web seminar at which we'll discuss the concerns associated with managing a heterogeneous server environment. You'll learn more about the management characteristics of each platform and about existing management solutions and how well they work. Sponsored by NetIQ. There's no charge for this online event, but space is limited so register now at
4. SECURITY ROUNDUP
Delivering on its promise to release Windows XP Service Pack 1 (SP1), Microsoft issued the critical upgrade to its latest desktop OS on September 9. With XP SP1's release to manufacturing (RTM), the company provides its first comprehensive set of bug and security fixes for the fastest-selling Windows version ever. XP users can download the SP1 release for free from the Microsoft Web site or order the release on CD-ROM for about $10.
The notion that Windows users might be the targets of attacks is nothing new, given the platform's vast market domination and the sheer number of Windows-based desktops and servers. But a mysterious new type of attack had security watchdogs and Microsoft itself baffled. Now the problem has been identified, and it's apparently not a new security vulnerability.
5. SECURITY TOOLKIT
Panda Software and the Windows & .NET Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security.
(contributed by John Savill, http://www.windows2000faq.com)
A. You can configure your domain through a group policy so that users can change their passwords only when the system prompts them:
- Start the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in (Start, Programs, Administrative Tools, Active Directory Users and Computers).
- Right-click the container (site/domain or organizational unit--OU) on which you want to enforce the policy, and select Properties.
- Select the Group Policy tab.
- Select the policy and click Edit.
- Expand User Configuration, Administrative Templates, System, Logon/Logoff.
- Double-click Disable Change Password, and on the Policy tab, select Enabled.
- Click Apply, then OK.
- Close all dialog boxes.
- Refresh the policy with the following command:
C:\> secedit /refreshpolicy user_policy
You can also configure this feature on a per-user basis. To do so, perform the following steps:
- Start regedit.exe. Go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies. Under System, create a new value of type DWORD (Edit, New, DWORD value). Type a name of DisableChangePassword, and press Enter. Double-click the new value, and set it to 1. Click OK. Close regedit.exe.
6. NEW AND IMPROVED
(contributed by Judy Drennen, [email protected])
Mail-Filters.com announced SpamCure, a filtering server designed to eliminate junk email messages from coming into businesses and enterprises from the Internet. SpamCure works best for organizations with 50 to 50,000 mailboxes. Each email message is subjected to 11 categories of tests, which results in 95 percent of all spam messages being identified and categorized. After spam has been identified, the customer can choose, by domain or mailbox, how it's handled. SpamCure runs on Windows 2000 Server, and the price starts at $2.75 per mailbox and decreases as the number of mailboxes increases. Contact Mail-Filters at 650-212-6245.
Innovative Security Products announced the Lid Lock Padlock, a lock to secure your data and components inside your PC. The lock won't damage your equipment and includes a proprietary component that prevents break-ins. It can be installed in less than a minute and includes a resettable combination padlock. Your organization can code all its padlocks differently, code them all alike, or code by department. The Lid Lock Padlock costs $9.95. Contact Innovative Security Products at 913-385-2002.
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Do you know of a terrific product that others should know about? Tell us! We want to write about the product in a future What's Hot column. Send your product suggestions to [email protected].
7. HOT THREADS
Featured Thread: Obtaining Hashes from the Win2K SAM Database
(Two messages in this thread)
Tony writes that in Windows NT, you can get a copy of the SAM (or password hashes) to feed into L0phtCrack. Within a reasonable time, you can crack the user accounts and passwords. But in Windows 2000, things change drastically because Microsoft allows the use of 128-bit encryption algorithms through Syskey. Is there a way to get the password hashes from a Win2K machine to which you have physical but not administrative access? Read the responses or lend a hand:
8. CONTACT US
Here's how to reach us with your comments and questions:
- ABOUT IN FOCUS — [email protected]
- ABOUT THE NEWSLETTER IN GENERAL — [email protected]
(please mention the newsletter name in the subject line)
- TECHNICAL QUESTIONS — http://www.winnetmag.net/forums
- PRODUCT NEWS — [email protected]
- QUESTIONS ABOUT YOUR Windows & .NET Magazine Security UPDATE SUBSCRIPTION?
Customer Support — [email protected]
- WANT TO SPONSOR Windows & .NET Magazine Security UPDATE?
This email newsletter is brought to you by Security Administrator, the print newsletter with independent, impartial advice for IT administrators securing a Windows 2000/Windows NT enterprise. Subscribe today!
Receive the latest information about the Windows and .NET topics of your choice. Subscribe to our other FREE email newsletters.