Security UPDATE, September 24, 2003


==== This Issue Sponsored By ====


NETIQ...The Anti-Spam


1. In Focus: Evaluating Intrusion Detection Systems

2. Security Risks - Buffer-Overflow Vulnerability in WideChapter Internet Browser for Windows - Directory Traversal Vulnerability in Plug & Play Web Server for Windows

3. Announcements - Get Problem-Solving Scripts That Will Simplify Your Life - New Web Seminars on Exchange, Active Directory, and More!

4. Security Roundup - Feature: RPC Security Round 2: Cleaning Up After the Latest RPC Vulnerability - Feature: Group Policy Changes in Windows Server 2003

5. Security Toolkit - Virus Center - FAQ: How Can I Work Around LDAP Administration Limits?

6. Event - New--Mobile & Wireless Road Show!

7. New and Improved - Secure Access to Your Applications - Reveal Your Enterprise's Security State - Tell Us About a Hot Product and Get a T-Shirt

8. Hot Threads - Windows & .NET Magazine Online Forums - Featured Thread: Exchange 2003 SMTP Server Authentication Problem - HowTo Mailing List - Featured Thread: Seeking Free Auditing Software

9. Contact Us See this section for a list of ways to contact us.


==== Sponsor: Avatier ==== Guarantee Dormant Account Termination For $995 When someone leaves your organization, how do you guarantee their access is removed from all systems? Can you ensure access to your network is compliant with regulations stemming from HIPAA, Homeland Security, and the Sarbanes-Oxley Act? Account Terminator is a web-based Identity Management application that allows your staff to securely disable or delete user accounts across all platforms in real time. These platforms include the most popular operating systems, directories, applications, and databases. For only $995.00 per platform, Account Terminator can be securely delegated to your IT or HR staff or even automated. Other core features include auditing, alerting, scheduled reporting, parallel processing, "Delayed" deletes, account enable, and guaranteed transaction queuing when a destination host is unreachable. Experience a live demo preview of Account Terminator now:


==== 1. In Focus: Evaluating Intrusion Detection Systems ==== by Mark Joseph Edwards, News Editor, [email protected]

Certainly, you all have at least one firewall in place on your network, and most of you probably have several. However, you might not use an Intrusion Detection System (IDS) on your network in addition to your firewall. I think an IDS is a good idea because it offers more information about events on your network than a firewall alone does.

I recently learned about a couple of great reports on IDSs, and you might want to read them to gain some technical insight into a few popular IDSs. The reports, published by NSS Group (a network and security testing organization), cover IDSs for 10Mbps/100Mbps Ethernet and Gigabit Ethernet networks. For each IDS, NSS Group looked at the architecture, installation process, configuration routine, manageability, event handling, event analysis, and alert reporting.

To test the IDSs, NSS Group established a test environment comprising several products specifically designed for testing and analysis: Network Critical Solutions' Critical TAPs to tap into the ports on a network switch; Spirent Communications' (formerly Caw Networks') WebAvalanche and WebReflector to generate high traffic loads that simulate a variety of network traffic and conditions including browser use, differing traffic speeds, packet loss, user input delay, and aborted transactions; and Spirent's SmartBits to measure network performance. The products and how NSS Group used them are described in more detail in the reports' appendices.

The 10Mbps/100Mbps Ethernet IDS report is NSS Group's fourth report on these products. The products tested were Cisco Systems' IDS 4235 Sensor 4.0, Internet Security Systems' (ISS's) Proventia A201, NFR Security's NID-310 3.2.1, and Snort 2.0.

The Gigabit Ethernet IDS report is NSS Group's second report on these products and covers ISS's RealSecure Gigabit Network 7.0, NetScreen Technologies' NetScreen-IDP 500 2.1; NFR's NID-320 3.2.1; and Symantec ManHunt 3.0.

NSS Group's reports review each product in detail, revealing precisely how the IDS faired in the test environment and showing the product's strong points and weak points under various attack conditions during various load conditions. The reports also provide the testers' opinions of the various products.

The reports are great resources if you're weighing various products for use on your network. The benchmarking is revealing. Even if you already have an IDS, the reports are a great way to see how your product stacks up against others. And the reports contain tidbits of general security-related information that you might not be aware of.

In addition to the IDS reports, NSS Group offers a new report on eight public key infrastructure (PKI) solutions as well as December 2002 reports on six firewalls and five vulnerability-assessment products. You can find all the reports at the NSS Group Web site and read them online after filling out and submitting a simple form or purchase copies of the reports in PDF format or on CD-ROM.


==== Sponsor: NETIQ...The Anti-Spam ==== Remember When Spam Just Bugged You? Now it's sucking you dry. Fight back. MailMarshal from NetIQ zaps spam. Dead. The most comprehensive spam-busting software on the planet, NetIQ MailMarshal has proprietary detection and analysis tools, plus robust reporting and management functions. It's more than just anti-spam--it's a total e-mail content filtering system. Download a free copy of our white paper, "Controlling Spam" at And tell those pesky spammers to bug off.


==== 2. Security Risks ==== contributed by Ken Pfeil, [email protected]

Buffer-Overflow Vulnerability in WideChapter Internet Browser for Windows Bahaa Naamneh discovered that a vulnerability in Wintel's WideChapter for Windows Internet browser can result in the execution of arbitrary code on the vulnerable system. By initiating a long HTTP request, an attacker can cause a buffer overflow in WideChapter. This overflow permits modification of the Execution Instruction Point, which lets the attacker execute arbitrary code. Wintel has been notified.

Directory Traversal Vulnerability in Plug & Play Web Server Bahaa Naamneh discovered that a vulnerability in Plug & Play Software's Plug & Play Web Server can result in unauthorized read access to any file located on the vulnerable server. By using the "../" or "..\" string in a URL, an attacker can gain read access to any file that resides outside the intended Web-published file system directory. Plug & Play Software has been notified.


==== Sponsor: Virus Update from Panda Software ==== Check for the latest anti-virus information and tools, including weekly virus reports, virus forecasts, and virus prevention tips, at Panda Software's Center for Virus Control. Viruses routinely infect "fully protected" networks. Is total protection possible? Find answers in the free guide HOW TO KEEP YOUR COMPANY 100% VIRUS FREE from Panda Software. Learn how viruses enter networks, what they do, and the most effective weapons to combat them. Protect your network effectively and permanently - download today!


==== 3. Announcements ==== (from Windows & .NET Magazine and its partners)

Get Problem-Solving Scripts That Will Simplify Your Life OK, so you're not a programmer. But if you read Windows Scripting Solutions every month, you don't need to be. Tackle common problems and automate everyday, time-consuming tasks with our simple tools, tricks, and scripts. Try a no-charge sample issue today!

New Web Seminars on Exchange, Active Directory, and More! Check out the latest lineup of Web seminars from Windows & .NET Magazine. Prepare your enterprise for Exchange Server 2003, discover the legal ramifications of deterring email abuse, and find out how Active Directory can help you create and maintain a rock-solid infrastructure. There is no charge for these events, but space is limited, so register today!

==== 4. Security Roundup ====

Feature: RPC Security Round 2: Cleaning Up After the Latest RPC Vulnerability The MSBlaster (LoveSan) saga prompted a thorough analysis of Microsoft's implementation of remote procedure call (RPC) processing. During the analysis, several security firms uncovered three additional, and potentially nasty, vulnerabilities in how the RPC service processes malformed RPC requests. Learn how to clean your systems to defend against RPC-based attacks in this article by Paula Sharick.

Feature: Group Policy Changes in Windows Server 2003 Group Policy introduced the ability to control a wealth of computer and user-environment settings by Active Directory (AD) group (i.e., by site, domain, or organizational unit--OU) rather than by computer or user. For example, you can configure Group Policy Objects (GPOs) to standardize security policies for an entire OU and restrict users' ability to reconfigure their desktop computers. Unfortunately, Microsoft's implementation of all that power was imperfect. For example, Windows 2000 Server's Group Policy management tools don't provide a comprehensive view of GPO deployment and its effects. Windows Server 2003 tries to remedy Group Policy's shortcomings through several new GPO options and two GPO administration tools. Learn more about them in this article by Joe Rudich.

==== 5. Security Toolkit ====

Virus Center Panda Software and the Windows & .NET Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security.

FAQ: How Can I Work Around LDAP Administration Limits? contributed by Steve Seguis, [email protected]

You can use the ntdsutil.exe command (which is in the Support tools folder on the Windows 2000 Server installation CD-ROM) to set the MaxPageSize Lightweight Directory Access Protocol (LDAP) policy to a higher number so that userstatusrpt.vbs returns all your users. For more details, refer to the Microsoft article "HOW TO: View and Set Lightweight Directory Access Protocol Policies by Using Ntdsutil.exe in Windows 2000" ( ).

If your users are divided among organizational units (OUs) that each contain no more users than the maximum number that an LDAP query can return, you can simply run the script for each OU. For example, if you have a top-level OU called Department and three OUs beneath it called IT, Engineering, and Sales, and all your users are divided among these OUs, you can run the script three times in succession, once for each OU. Each time, you would specify a different baseDN and output file appropriate for that particular OU. Here are three sample commands that you would run one after the other to generate a complete report:

userstatusrpt.vbs "OU=IT,OU=Department,OU=DOMAIN,OU=COM" it.csv userstatusrpt.vbs "OU=Engineering,OU=Department,OU=DOMAIN,OU=COM" eng.csv userstatusrpt.vbs "OU=Sales,OU=Department,OU=DOMAIN,OU=COM" sales.csv

==== 6. Event ====

New--Mobile & Wireless Road Show! Learn more about the wireless and mobility solutions that are available today! Register now for this free event!

==== 7. New and Improved ==== by Sue Cooper, [email protected]

Secure Access to Your Applications Citrix Systems announced Citrix MetaFrame Password Manager, which will provide password security and single sign-on (SSO) access to heterogeneous environments that include Windows, Web, proprietary, and host-based applications. The software lets users log on to any password-protected information system, enforces password policies, monitors password-related events, manages password changes, and generates complex and random passwords for users without complex scripting or application-level integration. Availability is scheduled for this month. Contact Citrix Systems at 800-424-8749 or 954-267-3000.

Reveal Your Enterprise's Security State NetVision released NVAssess, a vulnerability-assessment tool for Microsoft and Novell environments. The software lets you scan, audit, and receive reports regarding the security status of your directories, servers, and applications. NVAssess's NetVision Policy Enforcement Engine can automatically discover and fix any deviations from your defined policies and threshold levels. You can implement NVAssess as a standalone tool or as part of NetVision's Integrated Security Policy Management system. Pricing starts at $9 per user. Contact NetVision at 877-828-9180, 801-764-0400, or [email protected]

Tell Us About a Hot Product and Get a T-Shirt! Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a Windows & .NET Magazine T-shirt if we write about the product in a future Windows & .NET Magazine What's Hot column. Send your product suggestions with information about how the product has helped you to [email protected]

==== 8. Hot Threads ====

Windows & .NET Magazine Online Forums

Featured Thread: Exchange 2003 SMTP Server Authentication Problem (1 message in this thread)

Reader jandrake writes that he has an environment that includes Microsoft Exchange Server 2003, Active Directory (AD), and Microsoft IIS with Microsoft Outlook Web Access (OWA). The services are all installed on one system that has two IP addresses. The reader wants to configure the system so that it has two SMTP servers, one on each of the assigned IP addresses. He wants DNS to publish one SMTP server for inbound SMTP traffic only. The server would allow only anonymous connections and disallow relaying for everybody. He wants to use the second SMTP server for email from employees outside the firewall. He also wants the traffic to that server encrypted and authentication required and the server to allow relaying for authenticated users. Jandrake's problem is that he can't get the second virtual server to require authentication. When he enables anonymous access on the server, all mail routes through and relaying is enabled for everyone. However, when he locks down the SMTP server in any way, he sees errors regarding a failure to authenticate. These problems occur when he's testing the server with a correctly configured Outlook 2002 client. Lend a hand or read the responses:

HowTo Mailing List

Featured Thread: Seeking Free Auditing Software (7 messages in this thread)

Jeffery Jacob wonders whether anyone knows of a freeware security audit tool besides Microsoft Baseline Security Analyzer (MBSA). He needs a tool that will check system configurations, event logs, network settings, and so on. He prefers that the tool be able to scan remote machines and store data in a central repository so that he doesn't have to install auditing software locally on each system. Lend a hand or read the responses. The message thread starts at

The thread continues at


==== Sponsored Links ====

Aelita Software Free message-level Exchange recovery web seminar October 9th;6098474;8214395;v?

CrossTec Free Download - NEW NetOp 7.6 - faster, more secure, remote support;5930423;8214395;j?

MailFrontier Eliminate spam once and for all. MailFrontier Anti-Spam Gateway.;6080289;8214395;q?


==== 9. Contact Us ====

About the newsletter -- [email protected] About technical questions -- About product news -- [email protected] About your subscription -- [email protected] About sponsoring Security UPDATE -- [email protected]

This email newsletter is brought to you by Security Administrator, the print newsletter with independent, impartial advice for IT administrators securing Windows and related technologies. Subscribe today.

Thank you for reading Security UPDATE! __________________________________________________________ Copyright 2003, Penton Media, Inc.

TAGS: Security
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.