Security UPDATE: Internet Security and Acceleration Server 2004


==== This Issue Sponsored By ====

Free Download: Shavlik Security Patch Management

Windows & .NET Magazine


==== Sponsor: Free Download: Shavlik Security Patch Management ====

Install the latest critical Microsoft security patch today with HFNetChkPro. A free, fully functional, no time-out version of HFNetChkPro is available to help you automate the delivery and testing of this critical patch. HFNetChkPro offers unlimited scanning, a complete GUI and Shavlik's exclusive PatchPush capabilities. Save time on patch deployment, ensure systems are fully protected and safeguard your systems from remote code execution, identity spoofing, arbitrary code execution and other attacks. It's free, and it simplifies patch management without agents. Learn more and download the free version of HFNetChkPro at


==== 1. In Focus: Spam-Fighting Technologies ====

by Mark Joseph Edwards, News Editor, [email protected]

Last week, I wrote about the spread of the MyDoom worm and how we might help avoid the spread of such nuisances in the future. A reader, Will Harper, wrote to me expressing his concern about unwanted email--especially spam, or junk email. Will thinks the industry is aiming at the wrong target by going after spammers. He thinks we'd do better by targeting advertisers, which he sees as the root of the spamming problem (i.e., without advertisers, spammers would be out of work).

I think Will has a valid point, but I also think that advertisers have the right to advertise through their chosen methods as long as the effort remains within the bounds of the law. The new CAN-SPAM Act attempts to regulate spam, but it's too early to know the effects of the law.

Regardless, it seems apparent that malicious email and spam both are festering problems in the minds of countless Internet users. As a result of the irritation we all feel, we're likely headed for changes in the way email is handled. Several entities are already testing new approaches, even if only in isolated lab environments.

Some people want servers to authenticate SMTP email senders before accepting email from them. Other people want a system in which recipients can charge senders that they don't know a fee in exchange for reading the sender's email message. Still other people think everyone should pay for sending and receiving email. Some analysts think that this last approach might quickly lead to people paying for their Internet connection not based on the bandwidth of their connection or their time online (as is most common now) but for the number of bytes they send or receive over their connection, regardless of the content type--somewhat similar to pay-per-view media. Other ideas are on the drawing board too.

Filtering email seems to work reasonably well and doesn't require a drastic change to the current email system. One effective filtering method not currently in widespread use is based on the message sender rather than the message content (as is the case with most spam-filtering software in use today). By maintaining a list of approved senders and putting aside until later or deleting any message that comes from someone not on the list, you can quickly obtain all your legitimate email without much effort. This method mimics the way many people handle paper mail: They grab the stack from the mailbox, open and read the important things first, and set the rest aside for later or toss them.

Challenge/response is another method for handling email and is sometimes used in conjunction with the filtering-by-sender method. If a sender isn't in the recipient's approved-senders list, the mail system sends a challenge to the sender and the sender must respond. If the response is correct, the mail system adds the sender to the recipient's approved-senders list and delivers the sender's current and future email messages without further intervention. The mail server drops the messages of senders that don't respond to the challenge correctly. This approach lightens recipients' email load and helps curb spam tremendously.

The challenge/response technology works well but presents some difficulties for disabled people. For example, visually impaired people might not be able to respond to a challenge in the form of a graphical image, and hearing-impaired people might have trouble responding to an audio challenge. Software can sometimes automate the response to a visual or audio challenge by parsing the challenge, but spammers could exploit that type of challenge/response system.

Another type of challenge/response method would involve a computer calculation. The calculation would be difficult enough that a system required to perform many such computations (such as a spam server) would have trouble doing so in a reasonable amount of time due to processor overhead. However, the computational overhead wouldn't be a problem for the average user's system, which isn't sending out tens of thousands or even millions of email messages. This solution sounds viable and would leave email accessible to the disabled as well. Any decent antispam solution will also prevent the wide spread of malicious email messages, which we all know are nuisances of the worst kind.
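The approved-senders filter and the computational challenge described above, combined in one added example (not code from this newsletter or from any product it mentions). The SHA-256 puzzle, the 16-bit work factor, and the names `Mailbox`, `solve`, and `verify` are assumptions chosen for illustration.

```python
import hashlib
import os
from itertools import count

BITS = 16  # assumed work factor: about 65,000 hashes per response on average


def _zero_bits(challenge: str, counter: int) -> int:
    """Leading zero bits of SHA-256(challenge:counter)."""
    digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
    return 256 - int.from_bytes(digest, "big").bit_length()


def solve(challenge: str, bits: int = BITS) -> int:
    """Sender side: brute-force a counter that meets the target (costly)."""
    return next(c for c in count() if _zero_bits(challenge, c) >= bits)


def verify(challenge: str, counter: int, bits: int = BITS) -> bool:
    """Recipient side: one hash checks the response (cheap)."""
    return _zero_bits(challenge, counter) >= bits


class Mailbox:
    """Approved-senders filter that challenges senders it does not know."""

    def __init__(self, approved):
        self.approved = set(approved)
        self.inbox = []
        self.held = {}  # sender -> (challenge, messages waiting on a response)

    def receive(self, sender: str, message: str):
        """Deliver mail from approved senders; hold the rest, return a challenge."""
        if sender in self.approved:
            self.inbox.append((sender, message))
            return None
        nonce = os.urandom(8).hex()  # fresh per sender, so answers cannot be reused
        challenge, queue = self.held.setdefault(sender, (f"{sender}:{nonce}", []))
        queue.append(message)
        return challenge

    def respond(self, sender: str, counter: int) -> bool:
        """Correct response: approve sender, release held mail. Wrong: drop it."""
        challenge, queue = self.held.pop(sender, (None, []))
        if challenge is None or not verify(challenge, counter):
            return False
        self.approved.add(sender)
        self.inbox.extend((sender, m) for m in queue)
        return True
```

Each extra bit in `BITS` doubles the sender's expected work while the recipient's check stays at one hash, which is the asymmetry the paragraph relies on. The sketch takes the sender address at face value, so it does nothing about forged sender addresses.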

If you want to help hammer out ideas to shape the future of email, consider joining the Internet Research Task Force (IRTF) Anti-Spam Research Group (ASRG). I've been following the group's discussions over the past week, and interesting viewpoints are being presented and debated. ASRG offers two mailing lists you can join: a low-traffic list for announcements and a higher traffic list for discussions. You can learn more about ASRG and subscribe to the forums at the ASRG Web site.


==== Sponsor: Windows & .NET Magazine ====

Get 2 Sample Issues of Windows & .NET Magazine!

Every issue of Windows & .NET Magazine includes intelligent, impartial, and independent coverage of security, Active Directory, Exchange Server, and more. Our expert authors deliver content you simply can't find anywhere else. Try two, no-risk sample issues today, and find out why 100,000 IT professionals read Windows & .NET Magazine each month!


==== 2. Announcements ====

(from Windows & .NET Magazine and its partners)

InfoSec World Conference and Expo/2004, Orlando, FL, March 22-24, 2004

Get dynamic techniques, real-world strategies, and innovative solutions for mitigating risk, securing critical data, and strengthening the enterprise at InfoSec World 2004. Featuring 80+ sessions, the CISO Executive Summit, in-demand keynoters, a huge vendor expo, optional workshops, and more, InfoSec World will deliver everything you need to meet today's tough information security challenges! For details and to register, go to:

Check Out 2 Free Web Seminars--Selecting the Right IM Security Solution and Streamlining User Provisioning and Password Management

Gain control over your IM security by learning about IM authentication, encryption, support for and interoperability between different IM networks, auditing, automatic legal disclaimers, and virus and worm scanning. Or, discover automating provisioning and centralizing password management and how to reduce support costs and security breaches. Register now!


==== Sponsor: Virus Update from Panda Software ====

Are your traditional antivirus solutions really protecting your network? Panda Antivirus GateDefender is a dedicated hardware device installed at the Internet gateway to block viruses before they contaminate your network. It scans 7 different communication protocols, achieving optimum protection against external attacks. Panda Antivirus GateDefender 7100 (25-500 seats) & Panda Antivirus GateDefender 7200 (500 seats+) provide the highest scalability with native load balancing that transparently adapts to traffic volume. Visit "Panda's GateDefender Stands Guard!" at for more information.


==== 3. Security News and Features ====

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at

News: Beta: Internet Security and Acceleration Server 2004

Microsoft has released Internet Security and Acceleration (ISA) Server 2004 into open beta testing. The new version has many changes, including a newly designed management console, which you can view at the ISA Server 2004 beta Web site. ISA Server 2004 protects unlimited networks, whereas ISA Server 2000 could protect only one internal, external, and demilitarized zone (DMZ) network. ISA Server 2004 lets you assign security policies on a per-network basis, and the beta supports stateful inspection on all network traffic, including content, Network Address Translation (NAT), and routed traffic; stateful inspection on VPN traffic; and IP Security (IPSec) support for VPN tunnels.

News: Microsoft Patches Three IE Security Holes

Microsoft issued fixes for three major security flaws in Microsoft Internet Explorer (IE). The fixes include one for a relatively well-known "phishing" (URL-spoofing) vulnerability that appears in all standards-compliant browsers and could let attackers silently redirect users to malicious Web sites. Microsoft made the updates available outside of its usual monthly schedule for crucial security fixes because the company felt they were important enough to release immediately.

Feature: What's the Big Deal with Windows and iSCSI?

The big deal about Internet SCSI (iSCSI) is its ability to connect to storage resources--particularly expensive Storage Area Network (SAN)-based devices--using block-mode data transfer over "cheapnet." Block-mode data transfer uses lower-level protocols and is the key to letting I/O-hungry applications such as Microsoft Exchange Server and Microsoft SQL Server use network-based storage. iSCSI makes block-mode data transfer to and from network-based storage devices a reality and lets vendors support using such devices with applications that have high I/O requirements. Read more about iSCSI in Jerry Cochran's article on our Web site.

==== 4. Instant Poll ====

Results of Previous Poll: Wireless Networking

The voting has closed in the Windows & .NET Magazine Network Security Web page nonscientific Instant Poll for the question, "Does your company use wireless networking?" Here are the results from the 134 votes.

4% - Yes, we use 802.11a

31% - Yes, we use 802.11b

17% - Yes, we use 802.11g

47% - No

(Deviations from 100 percent are due to rounding.)

New Instant Poll: Protecting APs

The next Instant Poll question is, "Does your company protect rogue wireless access points on its network?" Go to the Security Web page and submit your vote for

- Yes

- No, we're not sure how to protect them

- No, we're unconcerned about protecting them

- I'm not sure

==== 5. Security Toolkit ====

Virus Center

Panda Software and the Windows & .NET Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security.

FAQ: Why can't I back up the system state on a Windows 2000 Server system?

by John Savill,

A. The system state contains core system elements such as Active Directory (AD); the System Volume (Sysvol); the machine's domain controller (DC) status (i.e., whether the system is a DC); the boot files; the registry; and COM+ configuration information. To back up the system state, a user must have "Back up files and directories" and "Restore files and directories" rights; otherwise, the option to back up the system state might be unavailable in Windows Backup. To grant a user these rights, perform the following steps:

1. Log on to a DC.

2. Start the Microsoft Management Console (MMC) Domain Security Policy snap-in (select Start, Programs, Administrative Tools, and click Domain Security Policy).

3. Expand the Security Settings, Local Policies, and User Rights Assignment nodes.

4. Double-click the "Back up files and directories" policy.

5. Select the "Define these Policy Settings" check box, then click "Add Users or Group."

6. Click Browse and locate the user you want to add (or a group that the user is in), then click OK.

7. Click OK to return to the main policy dialog box.

8. Repeat steps 4, 5, 6, and 7 for the "Restore files and directories" policy.

9. After you finish Step 8, close the snap-in and force a refresh of the policies. To refresh the policies, open a command line and type

secedit /refreshpolicy machine_policy /enforce

10. Log off and log on.

Featured Thread: IE Security Level Problems

(Three messages in this thread)

Kristof writes that he's having a problem with Microsoft Internet Explorer (IE) security levels, as seen in IE's Internet options. He can't figure out why some users can't change the default level settings even if they log on as an administrator, but other users can. He isn't using Group Policy in this instance, so Group Policy Objects (GPOs) aren't the problem. Do you know why he might be having trouble? Lend a hand or read the responses:

==== 6. Events Central ====

(A complete Web and live events directory brought to you by Windows & .NET Magazine: )

New--Microsoft Security Strategies Roadshow!

We've teamed with Microsoft, Avanade, and Network Associates to bring you a full day of training to help you get your organization secure and keep it secure. You'll learn how to implement a patch-management strategy; lock down servers, workstations, and network infrastructure; and implement security policy management. Register now for this free, 20-city tour.

==== 7. New and Improved ====

by Jason Bovberg, [email protected]

A Multifaceted Security Approach

Shavlik Technologies announced Shavlik HFNetChkPro AdminSuite, a security analysis and remediation solution with patch-management support. Shavlik HFNetChkPro AdminSuite combines three security tools--Shavlik EnterpriseInspector (security assessment), Shavlik HFNetChkPro (automated patch management), and Shavlik AccountInspector (account and password evaluation)--to help you monitor your networks for existing vulnerabilities, automatically download and deploy patches to individual machines or groups of machines, and manage enterprise account security for workstations and servers. For information about pricing, contact Shavlik Technologies at 800-690-6911 or [email protected], or on the Web.

Automate SSL Certificate Management

Entrust announced its Entrust Certificate Management Service, which automates Secure Sockets Layer (SSL) certificate management. The service helps relieve the cost and complexity of managing the SSL certificate life cycle (i.e., certificate request, installation, and renewal). The Certificate Management Service includes Entrust's SSL certificates and Entrust's account-administration tools. For information about pricing and availability, contact Entrust on the Web.

Tell Us About a Hot Product and Get a T-Shirt!

Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a Windows & .NET Magazine T-shirt if we write about the product in a future Windows & .NET Magazine What's Hot column. Send your product suggestions with information about how the product has helped you to [email protected]


==== Sponsored Links ====


Comparison Paper: The Argent Guardian Easily Beats Out MOM

Javelina Software

Check out ADvantage to bulk modify Active Directory attributes.


==== 8. Contact Us ====

About the newsletter -- [email protected]

About technical questions --

About product news -- [email protected]

About your subscription -- [email protected]

About sponsoring Security UPDATE -- [email protected]

This email newsletter is brought to you by Windows & .NET Magazine, the leading publication for IT professionals deploying Windows and related technologies. Subscribe today.

Copyright 2004, Penton Media, Inc. All rights reserved.
