Security UPDATE: Understanding Front-End Servers


==== This Issue Sponsored By ====

Shavlik HFNetChkPro AdminSuite

Exchange & Outlook Administrator


1. In Focus: Show Me the Code!

2. Announcements

- Order Windows & .NET Magazine and the Article Archive CD at One Low Rate!

- COMDEX Las Vegas 2003

3. Security News and Features

- Recent Security Vulnerabilities

- News: Securing the Perimeter

- Feature: Understanding Front-End Servers

- Feature: SMTP AUTH Attacks: Readers Respond

4. Instant Poll

- Results of Previous Poll: OS Use

- New Instant Poll: Work Responsibilities

5. Security Toolkit

- Virus Center

- Virus Alert: Lohack.C

- FAQ: How can I enable advanced file, folder, and share security for a Windows XP machine in a workgroup?

- Featured Thread: Permissions on Folders

6. Event

- We've Added 3 New Web Seminars

7. New and Improved

- Protect AD

- Lock Your Screen

- Tell Us About a Hot Product and Get a T-Shirt

8. Contact Us

See this section for a list of ways to contact us.


==== Sponsor: Shavlik HFNetChkPro AdminSuite ====

As you prepare to roll out the next critical security patch, don't be sour. For a limited time, Shavlik is offering an exclusive opportunity to purchase HFNetChkPro AdminSuite for the price of HFNetChkPro. With a savings of over $1,000 and three notable security tools — patch management, assessment and account and password evaluation — it's a "suite" deal. Go to for details.


==== 1. In Focus: Show Me the Code! ====

by Mark Joseph Edwards, News Editor, [email protected]

Open-source supporters have long enjoyed having access to source code. Some time ago, Microsoft countered the open-source movement in a minor way by providing limited access to its own product source code. To date, the company has let only select entities view its source code. Typically, those entities have been universities, technology companies, and governments that are willing to sign tight licensing agreements.

Last week, Microsoft announced that it will further expand its Shared Source Initiative program by offering more access to those who provide technical support to users through various types of online communities. One way the company will do so is by letting Microsoft Most Valued Professionals (MVPs) view more source code.

In the past, MVPs have had access to source code for Windows CE .NET, ASP.NET, Visual Studio .NET, and Passport Manager. Now, they'll be offered a new shared source license for source code related to Windows Server 2003, Windows XP, Windows 2000 Server, and future OSs.

Those MVPs invited to participate will receive a smart card that will let them access 50 percent to 90 percent of the total OS code stored on a secured server hosted by Microsoft. The remainder of the code is off limits either because it's too sensitive (e.g., product activation code) or because Microsoft has licensed it from third parties and can't directly release it.

I suspect that MVP access to source code won't do much for Windows platform security. I'm not sure how many security researchers participate in Microsoft's MVP program, but I suspect that you could count them on one hand. The company should give the best security researchers access to its code for the benefit of users everywhere, but don't hold your breath waiting for that to happen.

For those of you fluent in working with program source code, whether you're a developer or perform source code audits to help tighten security, another resource might assist your endeavors. Last week, Microsoft published a new white paper, "Expert Tips for Finding Security Defects in Your Code," written by company program manager Michael Howard. It's available at the URL below. Howard and David LeBlanc coauthored the book "Writing Secure Code" (Microsoft Press).

The new white paper helps identify "patterns and best practices that all developers can follow when tracking down potential security loopholes." Howard said he uses a set of questions to determine how much time he'll need to spend reviewing code. The more "yes" answers to the questions, the more time Howard spends looking at the source code for problems. The questions are:

- Does the code run by default?

- Does the code run with elevated privileges?

- Is the code listening on a network interface?

- Is the network interface unauthenticated?

- Is the code written in C/C++?

- Does the code have a prior history of vulnerability?

- Is this component under close scrutiny by security researchers?

- Does the code handle sensitive or private data?

- Is the code reusable (for example, a DLL, C++ class header, library, or assembly)?

- Based on the threat model, is this component in a high-risk environment or subject to many high-risk threats?

If you're a developer or source code auditor, I think you'll find the paper worth reading. Even if you're not a developer or don't perform source code audits, you might find the paper interesting. Howard helped start Microsoft's Secure Windows Initiative, so Microsoft probably uses his methods and ideas to audit its code.


==== Sponsor: Exchange & Outlook Administrator ====

Get a Sample Issue of Exchange & Outlook Administrator

Exchange & Outlook Administrator, the monthly print newsletter from Windows & .NET Magazine, gives you the in-depth articles you need to secure, maintain, and troubleshoot your messaging environment. Try an issue of Exchange & Outlook Administrator, and discover for yourself what our expert authors know that you don't. Click here!


==== 2. Announcements ====

(from Windows & .NET Magazine and its partners)

Order Windows & .NET Magazine and the Article Archive CD at One Low Rate!

What's better than Windows & .NET Magazine? Try Windows & .NET Magazine and the Windows & .NET Magazine Article Archive CD at one super low rate. Read Windows & .NET Magazine in the office. Take the Article Archive CD with you on the road. Subscribe now!

COMDEX Las Vegas 2003

At COMDEX, you'll have the opportunity to learn the ins and outs of the most prominent platform of the enterprise, data center, and desktop. Key elements include in-depth sessions on Windows Server 2003, Exchange Server 2003, reducing spam with Exchange Server 2003 and Outlook 2003. Come to Las Vegas this November 16-20 and take charge.;6362174;8504795;s?


==== Sponsor: Virus Update from Panda Software ====

Check for the latest anti-virus information and tools, including weekly virus reports, virus forecasts, and virus prevention tips, at Panda Software's Center for Virus Control.

Viruses routinely infect "fully protected" networks. Is total protection possible? Find answers in the free guide HOW TO KEEP YOUR COMPANY 100% VIRUS FREE from Panda Software. Learn how viruses enter networks, what they do, and the most effective weapons to combat them. Protect your network effectively and permanently - download today!


==== 3. Security News and Features ====

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at

News: Securing the Perimeter

Microsoft CEO Steve Ballmer recently discussed his company's ever-evolving plans to secure its users' systems at the Microsoft Worldwide Partner Conference 2003 in New Orleans. Going forward, Ballmer pledged that Microsoft would reduce the size of patches, reduce the number of reboots that patches cause, introduce better patch-deployment automation, address the needs of legacy systems, provide more predictable patch schedules, and provide more guidance about securely deploying and managing Microsoft systems. Paul Thurrott provides the details in this news article.

Feature: Understanding Front-End Servers

Many organizations that implement Microsoft Outlook Web Access (OWA) based on Exchange Server 2003 or Exchange 2000 Server don't connect client browsers directly to the Exchange server on which the user's mailbox is located. Rather, a front-end Exchange server accepts the OWA connection from a client, then proxies the connection to the back-end server on which the user's mailbox resides. The front-end model offers the advantage of letting all users specify the same URL to access their mailbox.

However, the traditional front-end model also has disadvantages. Kieran McCorry examines the traditional front-end server model and the limitations of its authentication method. Then, McCorry outlines a mechanism for using a variant of the front-end server configuration to implement a normalized namespace with OWA. This alternative approach avoids the drawbacks of Basic authentication while letting all users enter the same URL to access their email.

Feature: SMTP AUTH Attacks: Readers Respond

Paul Robichaux's commentary in a recent Exchange & Outlook UPDATE about SMTP AUTH attacks struck a chord with readers. Robichaux received an interesting variety of questions, suggestions, and personal stories about reader experiences with this kind of attack. Read the follow-up commentary to learn what readers had to say.

==== 4. Instant Poll ====

Results of Previous Poll: OS Use

The voting has closed in the Windows & .NET Magazine Network Security Web site's nonscientific Instant Poll for the question, "What is your company's primary OS?" Here are the results from the 528 votes.

- 6% Windows Server 2003

- 21% Windows XP Professional

- 56% Windows 2000 Server or Professional

- 12% Windows NT Server or Workstation

- 4% Windows 9x or Me

(Deviations from 100 percent are due to rounding.)

New Instant Poll: Work Responsibilities

The next Instant Poll question is, "Which of the following options best describes your work-related responsibilities?" Go to the Security Web site home page and submit your vote for

- Administration only

- Administration and auditing

- Administration, auditing, and network monitoring

- Networking monitoring and auditing

- Development

==== 5. Security Toolkit ====

Virus Center

Panda Software and the Windows & .NET Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security.

Virus Alert: Lohack.C

Lohack.C is a worm that spreads across networks through email. Messages carrying Lohack.C are in Spanish and have variable characteristics. The content of many of these messages refers to the Spanish Information Society and E-mail Services Law. Lohack.C also tricks users into thinking that the message has been sent from a trustworthy source and exploits a vulnerability in Microsoft Internet Explorer (IE) 5.5 and IE 5.01 that lets the attachment run automatically when the recipient views the message in the Preview Pane. In addition, Lohack.C moves the mouse pointer around the screen. For complete details about the worm, be read Panda's report at

FAQ: How can I enable advanced file, folder, and share security for a Windows XP machine in a workgroup?

by John Savill,

A. When an XP machine belongs to a domain with shared resources, a Security tab appears on the Properties dialog box for files, folders, and shares. You can use this tab to assign advanced sharing permissions. However, this tab is missing for XP machines that belong to a workgroup.

A new feature in XP effectively logs all remote logons in a workgroup as Guest, regardless of the account and password credentials that the remote user enters. (This approach prevents the need for different machines in a workgroup to replicate local accounts, which is the method Windows 2000 uses to enable transparent sharing.) XP locks down the Everyone group (to which Guest belongs) permissions, which cuts down on the security problems that exist in Win2K as a result of enabling the Guest account. Because all machines in a workgroup are effectively Guest connections, the advanced security features aren't very useful, which is why Microsoft disabled them in XP.

If you want to enable advanced file, folder, and share security, you must disable the ForceGuest registry setting by performing the following steps:

1. Start a registry editor (e.g., regedit.exe).

2. Navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa registry subkey.

3. Double-click forceguest, set it to 0, then click OK.

4. Restart the computer for the change to take effect.

If you disable the Guest account while the ForceGuest setting is enabled, remote connections will fail, even when users log on with a valid username and password.

Featured Thread: Permissions on Folders

(Two messages in this thread)

A reader writes that he has just assumed responsibility for more than 60 servers and needs a utility or software that will let him harvest NTFS and share permissions from the servers and determine which folders are secured by which groups and whether a group is global or local. He would like to be able to just run a utility and end up with a report. Lend a hand or read the responses:

==== 6. Event ====

We've Added 3 New Web Seminars

You won't want to miss our latest free Web seminars: Understanding the Identity Management Roadmap and How it Fits with Your Microsoft Infrastructure, Assessing IM Risks on Your Network, and Five Keys to Choosing the Right Patch Management Solution. Register today for these informative and timely Web events!

==== 7. New and Improved ====

by Jason Bovberg, [email protected]

Protect AD

NetPro Computing announced DirectoryLockdown, Active Directory (AD) security-monitoring and intrusion-detection software that protects against AD attacks that exploit the Microsoft-announced remote procedure call (RPC) vulnerability. The RPC vulnerability--a "critical" vulnerability in Windows 2003/XP/Win2K/NT--can permit remote attackers to issue commands with the highest system privileges and gain unencumbered access to AD. DirectoryLockdown protects your AD implementation against the RPC vulnerability, as well as other attacks that target the Configuration and Schema naming contexts (NCs). The tool protects against Denial of Service (DoS) problems, security breaches, and reliability and service interruptions. For more information about DirectoryLockdown or to request an evaluation copy, contact NetPro Computing at 602-346-3600 or on the Web.

Lock Your Screen

DMVsoft announced a new version of ActiveScreenLock, software that lets you protect your computers from unauthorized access. ActiveScreenLock simply adds a password-protected window on top of other windows when you click the software program's icon or after the computer has been idle for a set period of time. To remove the window, the user must enter the correct password. ActiveScreenLock blocks WinKey and the Alt+F4, Ctrl+Alt+Del, and Alt+Tab key combinations. The software keeps a log of all invalid access attempts and wrong passwords. ActiveScreenLock costs $24.95. For more information about ActiveScreenLock or to obtain a free evaluation version, contact DMVsoft on the Web.

Tell Us About a Hot Product and Get a T-Shirt!

Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a Windows & .NET Magazine T-shirt if we write about the product in a future Windows & .NET Magazine What's Hot column. Send your product suggestions with information about how the product has helped you to [email protected]


==== Sponsored Links ====


Free Download - NEW NetOp 7.6 - faster, more secure, remote support;5930423;8214395;j?


Eliminate spam once and for all. MailFrontier Anti-Spam Gateway.;6080289;8214395;q?


==== 8. Contact Us ====

About the newsletter -- [email protected]

About technical questions --

About product news -- [email protected]

About your subscription -- [email protected]

About sponsoring Security UPDATE -- [email protected]

This email newsletter is brought to you by Security Administrator, the Windows & .NET Magazine print newsletter with independent, impartial advice for IT administrators securing Windows and related technologies. Subscribe today.

Copyright 2003, Penton Media, Inc.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.