Security UPDATE--Administrator Accounts and Root Kits--March 9, 2005

Help for Windows users who run into problems when using nonadministrative accounts. Also, tools for detecting root kits and links to security news items, blog entries, and FAQs.

ITPro Today

March 8, 2005



==== 1. In Focus: Administrator Accounts and Root Kits ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Last week, I wrote about why you should try not to use administrative accounts unless you really need to. Several readers wrote to explain various scenarios and problems they've encountered while trying to use a nonadministrative account for certain tasks. Some of the problems involve using Windows Explorer, running debuggers, creating Data Source Names (DSNs), and accessing Control Panel items. Obviously, you'll need to log on as the administrator in some instances; RunAs, even with the /netonly switch, might not always suffice.

There are other possible solutions for some problems too. For example, Microsoft's OS resource kits include the su.exe tool, which can elevate privileges. Another tool, which I've mentioned before, is MakeMeAdmin, written by Aaron Margosis at Microsoft. The tool adds your account to the local Administrators group, uses RunAs to spawn a command shell with your new elevated privileges, and then removes your account from the group. The RunAs step is what makes this work: Windows builds a process's security token when the logon happens, so the group change shows up only in processes started by a new logon, and that shell keeps its token even after your account has been taken out of the group again. So, effectively, MakeMeAdmin gives you a command shell running with a new security token, and the membership itself exists for only a moment. You can perform whatever actions you need to in the shell. If you also need privileges on the network, you can initiate some kind of network access and authenticate by using whatever account you prefer. For example, you can map a drive by using the net use command and specifying an account with the required privileges (net use Z: \\server\share /user:DOMAIN\account). Or you could launch Windows Explorer on the desktop with elevated privileges by using its /root switch, which starts a separate explorer.exe process instead of handing the request to the desktop shell that is already running under your ordinary token. You could also launch Control Panel applets by simply entering the applet name and extension (.cpl) as if it were any other executable program. If you run Microsoft Internet Explorer (IE) with elevated privileges, you can use Margosis's PrivBar add-on, which shows which security level your browser is running under.
http://blogs.msdn.com/aaron_margosis/archive/2004/07/24/193721.aspx
http://blogs.msdn.com/aaron_margosis/archive/2004/07/24/195350.aspx

Another reader wrote to point out that Microsoft has published a document that explains some of the problems you can encounter when you run applications on the desktop with nonadministrative accounts. The article offers tips about how developers can remedy some of those problems and offers some insight into how the next release of Windows (codenamed Longhorn) will address the matter in more effective ways. One change will be a Protected Administrator status, which, if I understand correctly, will allow a user to use an administrator account but with the fewest privileges necessary for a given task.
http://msdn.microsoft.com/library/en-us/dnlong/html/leastprivlh.asp

Another topic I want to discuss this week is root kits, which, as you know, can be a real problem. A Microsoft paper discusses research the company has done regarding ways to discover such nuisances. The paper mentions a related tool, Strider Ghostbuster, developed in the labs, which isn't available to the public.
http://research.microsoft.com/research/pubs/view.aspx?type=Technical%20Report&id=775

However, Sysinternals has a root kit discovery tool that you might find helpful. The new tool, RootkitRevealer, is still under development, but you can download a copy and try it out. It works by comparing what the Windows API reports for the file system and registry with what it reads directly from the raw volume and hive files, and it lists every discrepancy for you to investigate. Not every discrepancy is a root kit: some legitimate software hides its own keys or files in the same way, so expect to weed out a few benign hits.
http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml

F-Secure will release a beta version of its new root kit detection tool, F-Secure BlackLight Rootkit Elimination Technology, this week. You can learn more about that tool in the related article on our Web site.
http://www.windowsitpro.com/Article/ArticleID/45631
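The nonadministrative-account tips above (temporary Administrators membership, a RunAs shell with a fresh token, net use with alternate credentials, Explorer /root and .cpl applets) as an added example in PowerShell. This is not the newsletter's code and not Aaron Margosis's MakeMeAdmin script (that is a .cmd file; PowerShell did not exist when this column was written). Assumptions: the Secondary Logon (seclogon) service is running, as RunAs itself requires; the built-in local Administrator account is used to edit the group (pass any administrative account instead); and the token rules are those of Windows XP/2003, where a fresh logon for an Administrators member gets a full administrative token. On Vista and later, UAC hands such a logon a filtered token, so this pattern alone will not produce an elevated shell there. Server, share and account names in the comments are placeholders.

```powershell
# Added example: the MakeMeAdmin three-step pattern in PowerShell.
# Not Margosis's script. Assumes seclogon is running and XP/2003-era
# token semantics (no UAC filtering of a fresh administrative logon).

function Get-TokenGroupNames {
    # Group SIDs carried by the *current process token*, resolved to names.
    # Run this inside the new shell to confirm it really is elevated.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $id.Groups) {
        try   { $sid.Translate([Security.Principal.NTAccount]).Value }
        catch { $sid.Value }   # unresolvable SIDs (e.g. logon session) stay raw
    }
}

function Test-TokenIsAdmin {
    # True when the current token contains BUILTIN\Administrators (S-1-5-32-544).
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Start-ElevatedShell {
    param(
        # Account to elevate; defaults to the logged-on (non-admin) user.
        [string]$User  = "$env:USERDOMAIN\$env:USERNAME",
        # Account allowed to edit the Administrators group (assumption: the
        # built-in local Administrator; substitute any admin account).
        [string]$Admin = "$env:COMPUTERNAME\Administrator",
        [string]$Shell = 'cmd.exe'
    )
    if (Test-TokenIsAdmin) {
        Write-Warning 'This shell already carries Administrators; nothing to do.'
        return
    }
    $adminCred = Get-Credential -UserName $Admin -Message "Password for $Admin"
    $userCred  = Get-Credential -UserName $User  -Message "Password for $User (used for the new logon)"
    $add    = "localgroup Administrators `"$User`" /add"
    $remove = "localgroup Administrators `"$User`" /delete"

    # Step 1, as the admin account: make the user a local administrator.
    Start-Process -FilePath net.exe -ArgumentList $add -Credential $adminCred -Wait -WindowStyle Hidden
    try {
        # Step 2, as the user: a *new logon* builds a token that now carries
        # Administrators. The process you are typing in keeps its old token,
        # because group membership is read only when a token is created.
        Start-Process -FilePath $Shell -Credential $userCred
    }
    finally {
        # Step 3, as the admin account: undo the membership straight away. The
        # shell from step 2 keeps Administrators in its token until it exits;
        # only logons that happen after this point are affected.
        Start-Process -FilePath net.exe -ArgumentList $remove -Credential $adminCred -Wait -WindowStyle Hidden
    }
}

# Typed into the new shell afterwards (real commands; names are placeholders):
#   whoami /groups | findstr /i "S-1-5-32-544"      BUILTIN\Administrators present in this token?
#   net use Z: \\fileserver\share /user:CORP\alice   reach the network as a different account
#   explorer.exe /root,C:\                            Explorer in its own, elevated process
#   control.exe sysdm.cpl                             an elevated Control Panel applet
```

Run Start-ElevatedShell from your ordinary, non-administrative session; it prompts twice, once for the administrator account and once for your own password, which is what the new logon needs. Because step 3 runs as soon as the shell has been created, your account is back out of Administrators before you have finished typing your first command, and Get-TokenGroupNames in the old window will still show the original, unprivileged group list.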

==========

==== 2. Security News and Features ====

Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at
http://www.windowsitpro.com/departments/departmentid/752/752.html

Need Information About Internet Explorer 7.0?
If you need information about the upcoming Microsoft Internet Explorer (IE) 7.0, you can find some tidbits about it on IEBlog, which is operated by Microsoft's IE team.
http://www.windowsitpro.com/Article/ArticleID/45560

Deploying Junk Mail Filter Lists in Outlook 2003
Microsoft released a hotfix for Outlook 2003 late last month for a feature that deals with importing junk mail filter lists into Outlook 2003. This feature lets you use registry values to tell Outlook to import the Safe Senders, Safe Recipients, and Blocked Senders lists from specific locations and either overwrite the user's existing junk mail filter lists or append entries to them. The hotfix makes some important changes to the way the feature works.
http://www.windowsitpro.com/Article/ArticleID/45563

@stake LC 5
If you want a terrific password-auditing tool, Jeff Fellinge recommends the most recent version of L0phtCrack: @stake LC 5 (@stake itself was recently acquired by Symantec). New features let you remotely collect password hashes, schedule scans, score passwords, create audit reports, and speed up audits. LC 5 supports most password-cracking methods and comes in four versions (professional, administrator, site, and consultant).
http://www.windowsitpro.com/Article/ArticleID/45256

==========

==== 3. Security Toolkit ====

Security Matters Blog by Mark Joseph Edwards, http://www.windowsitpro.com/securitymatters

Google Hacking: No Longer a Sure Thing for Intruders
A new honeypot can trap intruders who use Google queries to find vulnerable systems. Such intruders typically use search engine queries to look for sites whose URLs contain particular words or phrases that might indicate that the site is using vulnerable applications.
http://www.windowsitpro.com/Article/ArticleID/45535

Security Event Log Chat
Randy Franklin Smith is one of the foremost authorities on the Windows Security event log and a respected trainer who teaches Monterey Technology Group's "Security Log Secrets" course. In his article in the March issue of Windows IT Pro magazine, Randy shines a light on this dark and mysterious corner of cryptic event IDs and codes and inaccurate Microsoft documentation. Here's your chance to ask Randy your questions about the Security log and get answers Microsoft doesn't provide. Join the chat March 16 at 1:00 P.M. Pacific time. For details, visit
http://list.windowsitpro.com/t?ctl=4412:10355

FAQ by John Savill, http://www.windowsitpro.com/windowsnt20002003faq
Q. How can I back up and restore user profiles when deploying a new OS via the Microsoft Systems Management Server (SMS) OS Deployment Feature Pack?
Find the answer at
http://www.windowsitpro.com/Article/ArticleID/45527

Security Forum Featured Thread: Backup Account Permissions on Windows Server 2003
A forum participant is trying to remove service accounts from administrative groups. ARCServe by default puts its account in the Administrators and Domain Admins groups. Is there a workaround so that that particular account doesn't need to belong to those groups? Putting the account in the Backup and Server Operator groups doesn't seem to be sufficient. Can a security policy be adjusted to help? Join the discussion at
http://www.windowsitpro.com/Forums/messageview.cfm?catid=42&threadid=130151

==========

==== Contact Us ====
About the newsletter -- [email protected]
About technical questions -- http://www.windowsitpro.com/forums
About product news -- [email protected]
About your subscription -- [email protected]
About sponsoring Security UPDATE -- [email protected]

===============

This email newsletter is brought to you by Security Administrator, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.

http://www.secadministrator.com/rd.cfm?code=00ep254xeb

View the Windows IT Pro privacy policy at

http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy

Windows IT Pro, a division of Penton Media, Inc.

221 East 29th Street, Loveland, CO 80538

Attention: Customer Service Department

Copyright 2005, Penton Media, Inc. All rights reserved.
