Security UPDATE--Administrator Accounts and Root Kits--March 9, 2005

1. In Focus: Administrator Accounts and Root Kits

2. Security News and Features

- Recent Security Vulnerabilities

- Need Information About Internet Explorer 7.0?

- Deploying Junk Mail Filter Lists in Outlook 2003

- @stake LC 5

3. Security Toolkit

- Security Matters Blog

- Web Chat

- FAQ

- Security Forum Featured Thread

4. New and Improved

- Prevent Unauthorized Network Access

==== Sponsor: Executive Software ====

Free util: Scan your site for system slowdowns

Disk Performance Analyzer for Networks is a FREE utility that remotely checks your systems for performance bottlenecks caused by severe disk fragmentation. If not identified promptly, fragmentation builds exponentially and causes frustrating slowdowns, random crashes, even complete inability to boot. Disk Performance Analyzer for Networks zeros in on problem computers, showing you exactly how much performance and stability is being lost. Find systems that need attention now, BEFORE they become help desk calls! This is a free utility, not spyware or adware. Download Disk Performance Analyzer for Networks now!

http://www.executive.com/profile/submit-select.aspx?a=l&PId=94&ad=witpdpan4

==== 1. In Focus: Administrator Accounts and Root Kits ====

by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Last week, I wrote about why you should try not to use administrative accounts unless you really need to. Several readers wrote to explain various scenarios and problems they've encountered while trying to use a nonadministrative account for certain tasks. Some of the problems involve using Windows Explorer, running debuggers, creating Data Source Names (DSNs), and accessing Control Panel items. Obviously, you'll need to log on as the administrator in some instances; using RunAs, even with the /netonly switch, might not always suffice.

There are other possible solutions for some problems too. For example, Microsoft's OS resource kits include the su.exe tool, which can elevate privileges. Another tool, which I've mentioned before, is MakeMeAdmin, written by Aaron Margosis at Microsoft. The tool adds your account to the local Administrators group, spawns a command shell with your new elevated privileges, and then removes your account from the group.

So, effectively, MakeMeAdmin gives you a command shell running with a new security token. You can perform whatever actions you need to in the shell. If you also need privileges on the network, you can initiate some kind of network access and authenticate by using whatever account you prefer. For example, you can map a drive by using the command

net use

and specifying an account with the required privileges. Or you could launch Windows Explorer on the desktop with elevated privileges by using its /root switch. You could also launch Control Panel applets by simply entering the applet name and extension (.cpl) as if it were any other executable program. If you run Microsoft Internet Explorer (IE) with elevated privileges, you can use Margosis's PrivBar add-on that shows which security level your browser is running under.

http://blogs.msdn.com/aaron_margosis/archive/2004/07/24/193721.aspx

http://blogs.msdn.com/aaron_margosis/archive/2004/07/24/195350.aspx

Another reader wrote to point out that Microsoft has published a document that explains some of the problems you can encounter when you run applications on the desktop with nonadministrative accounts. The article offers tips about how developers can remedy some of those problems and offers some insight into how the next release of Windows (codenamed Longhorn) will address the matter in more effective ways. One change will be a Protected Administrator status, which, if I understand correctly, will allow a user to use an administrator account but with the fewest privileges necessary for a given task.

http://msdn.microsoft.com/library/en-us/dnlong/html/leastprivlh.asp

Another topic I want to discuss this week is root kits, which as you know, can be a real problem. A Microsoft paper discusses research the company has done regarding ways to discover such nuisances. The paper mentions a related tool, Strider Ghostbuster, developed in the labs, which isn't available to the public.

http://research.microsoft.com/research/pubs/view.aspx?type=Technical%20Report&id=775

However, Sysinternals has a root kit discovery tool that you might find helpful. The new tool, RootkitRevealer, is still undergoing development, but you can download a copy and try it out.

http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml

F-Secure will release a beta version of its new root kit detection tool, F-Secure BlackLight Rootkit Elimination Technology, this week. You can learn more about that tool in the related article on our Web site.

http://www.windowsitpro.com/Article/ArticleID/45631

==== Sponsor: SQL Server Magazine ====

Get SQL Server Magazine and Get Answers

Throughout the year in 2005, SQL Server Magazine is on target to deliver comprehensive coverage of all hot industry topics, including SQL Server 2005, performance tuning, security, Reporting Services, Integration Services, and .NET development. If you aren't already a subscriber, now is the time to sign up. You'll get unlimited online access to every article ever published in the magazine and you'll get 30% off the cover price. Don't miss out . . . sign up today:

http://www.sqlmag.com/rd.cfm?code=00eu215xwu

==== 2. Security News and Features ====

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at

http://www.windowsitpro.com/departments/departmentid/752/752.html

Need Information About Internet Explorer 7.0?

If you need information about the upcoming Microsoft Internet Explorer (IE) 7.0, you can find some tidbits about it on IEBlog, which is operated by Microsoft's IE team.

http://www.windowsitpro.com/Article/ArticleID/45560

Deploying Junk Mail Filter Lists in Outlook 2003

Microsoft released a hotfix for Outlook 2003 late last month for a feature that deals with importing junk mail filter lists into Outlook 2003. This feature lets you use registry values to tell Outlook to import the Safe Senders, Safe Recipients, and Blocked Senders lists from specific locations and either overwrite the user's existing junk mail filter lists or append entries to them. The hotfix makes some important changes to the way the feature works.

http://www.windowsitpro.com/Article/ArticleID/45563

@stake LC 5

If you want a terrific password-auditing tool, Jeff Fellinge recommends the most recent version of L0phtCrack: @stake LC 5 (recently acquired by Symantec). New features let you remotely collect password hashes, schedule scans, score passwords, create audit reports, and speed up audits. LC 5 supports most password-cracking methods and comes in four versions (professional, administrator, site, and consultant).

http://www.windowsitpro.com/Article/ArticleID/45256

==== Resources and Events ====

The Must-Attend Event for Securing Your Wireless Deployments

The Conference on Mobile & Wireless Security delivers on-target, need-to-know information on emerging issues and tech trends. Featuring first-class keynotes and sessions, an in-depth panel discussion, and interactive workshops, you will learn practical tactics for overcoming mobile security challenges and real-world strategies for maximizing the potential of your wireless devices.

http://www.misti.com/01/mws05nl1.html

Get Ready for SQL Server 2005 Roadshow in a City Near You

Get the facts about migrating to SQL Server 2005. SQL Server experts will present real-world information about administration, development, and business intelligence to help you implement a best-practices migration to SQL Server 2005 and improve your database computing environment. Receive a 1-year membership to PASS and 1-year subscription to SQL Server Magazine. Register now!

http://www.windowsitpro.com/roadshows/sqlserverusa/index.cfm?code=0307emailanncs

Windows Connections 2005 Conference

April 17-20, 2005, Hyatt Regency San Francisco. Microsoft and Windows experts present over 40 in-depth sessions with real-world solutions you can take back and apply today. Don't miss Mark Minasi's entertaining and insightful keynote presentation on "The State of Windows" and your chance to win a 7-night Caribbean cruise!

http://www.winconnections.com

The Essential Guide to Active Directory Management

Migrating from NDS and/or eDirectory to AD means changes in the way you manage your network, users, and network resources. Download this Essential Guide to Active Directory Management and learn hands-on approaches that reduce management complexity, IT workload, and costs and improve security--all with minimal impact on your organization. Download this guide today.

http://www.windowsitpro.com/essential/index.cfm?code=0309emailannc

Discover, Manage, and Archive Information Within Your Exchange Enterprise

Limit your legal exposure and protect corporate information. In this free Web seminar, Exchange MVP Paul Robichaux provides an overview of general retention and compliance issues, knowledge of pitfalls you may encounter when implementing your policy, insight into managing mail data for best-efforts compliance, and Exchange's built-in archiving and compliance features. Register now!

http://www.windowsitpro.com/seminars/exchangecompliance/index.cfm?code=0309 emailannc

==== Hot Release ====

Managing and Securing IM in the Enterprise: Why It Should Be a Top Priority

With instant messaging virtually in all corporate environments, and expected to be as prevalent as email in the near future, it has rapidly become an indispensable business communication tool. Yet, IM growth within the enterprise brings an associated increase in security risks to both public and enterprise IM networks. In this free white paper, learn how you can take control of IM use on your network to ensure security and compliance. You'll learn how to protect yourself from Virus & worms attacks, Identity theft, Leakage of confidential information and more. Download now!

http://www.windowsitpro.com/whitepapers/akonix/securingim/index.cfm?code=secnl0309

==== 3. Security Toolkit ====

Security Matters Blog

by Mark Joseph Edwards, http://www.windowsitpro.com/securitymatters

Google Hacking: No Longer a Sure Thing for Intruders

A new honeypot can trap intruders who use Google queries to find vulnerable systems. Such intruders typically use search engine queries to look for sites whose URLs contain particular words or phrases that might indicate that the site is using vulnerable applications.

http://www.windowsitpro.com/Article/ArticleID/45535

Security Event Log Chat

Randy Franklin Smith is one of the foremost authorities on the Windows Security event log and a respected trainer who teaches Monterey Technology Group's "Security Log Secrets" course. In his article in the March issue of Windows IT Pro magazine, Randy shines a light on this dark and mysterious corner of cryptic event IDs and codes and inaccurate Microsoft documentation. Here's your chance to ask Randy your questions about the Security log and get answers Microsoft doesn't provide. Join the chat March 16 at 1:00 P.M. Pacific time. For details, visit

http://list.windowsitpro.com/t?ctl=4412:10355

FAQ

by John Savill, http://www.windowsitpro.com/windowsnt20002003faq

Q. How can I back up and restore user profiles when deploying a new OS via the Microsoft Systems Management Server (SMS) OS Deployment Feature Pack?

Find the answer at

http://www.windowsitpro.com/Article/ArticleID/45527

Security Forum Featured Thread: Backup Account Permissions on Windows Server 2003

A forum participant is trying to remove service accounts from administrative groups. ARCServe by default puts its account in the Administrators and Domain Admins groups. Is there a workaround so that that particular account doesn't need to belong to those groups? Putting the account in the Backup and Server Operator groups doesn't seem to be sufficient. Can a security policy be adjusted to help? Join the discussion at

http://www.windowsitpro.com/Forums/messageview.cfm?catid=42&threadid=130151

==== Announcements ====

(from Windows IT Pro and its partners)

Get Windows IT Pro at 44% Off!

Windows & .NET Magazine is now Windows IT Pro! Act now to get an entire year for just $39.95--that's 44% off the cover price! Our March issue shows you what you need to know about Windows Server 2003 SP1, how to get the best out of your IT staff, and how to fight spyware. Plus, we review the top 10 features of Mozilla Firefox 1.0. This is a limited-time, risk-free offer, so click here now:

http://www.windowsitpro.com/rd.cfm?code=theu2052up

==== 4. New and Improved ====

by Renee Munshi, [email protected]

Prevent Unauthorized Network Access

MetaInfo has released SAFE DHCP as a stand-alone product. When a computer connects to the network, SAFE DHCP supplies a nonprivileged or "quarantined" IP address and checks the machine's identity before granting a privileged IP address. Several SAFE DHCP modules are available that can perform various identity and other security checks (such as checking for viruses or policy compliance). SAFE DHCP was previously available only as part of the MetaInfo Meta IP solution. For further information, visit

http://www.metainfo.com

Tell Us About a Hot Product and Get a T-Shirt!

Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to [email protected].

Editor's note: Share Your Security Discoveries and Get $100

Share your security-related discoveries, comments, or problems and solutions in the Security Administrator print newsletter's Reader to Reader column. Email your contributions (500 words or less) to [email protected]. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

==== Contact Us ====

About the newsletter -- [email protected]

About technical questions -- http://www.windowsitpro.com/forums

About product news -- [email protected]

About your subscription -- [email protected]

About sponsoring Security UPDATE -- [email protected]