
Security UPDATE--Hacking IIS 6.0--April 13, 2005

This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE.

Centralized Desktop Configuration from ScriptLogic

Converting a Microsoft Access Application to Oracle HTML DB


1. In Focus: Hacking IIS 6.0

2. Security News and Features

- Recent Security Vulnerabilities

- Eight Security Patches from Microsoft

- Help with HIPAA, SOX, and GLBA Compliance

- Auditing Permission Changes on a Folder

3. Security Toolkit

- Security Matters Blog


- Security Forum Featured Thread

4. New and Improved

- Keep Track of Your Registry


==== Sponsor: ScriptLogic ====

Centralized Desktop Configuration from ScriptLogic

Get a free T-shirt after you evaluate ScriptLogic's Desktop Authority. Desktop Authority is the award-winning desktop management solution that combines the functionality of logon scripting, group policies, and user profiles, plus Remote Management. What's unique to Desktop Authority is that you can use its patented Validation Logic technology to centrally determine how, when, and where desktops are configured! Centrally configure drive mappings, printer deployments, security policies and more from an easy to use point and click management console. Eliminate Roaming Profiles and the hassle and complexity of maintaining logon scripts!

Download a free 30-day evaluation of Desktop Authority and receive a free ScriptLogic T-shirt. Evaluate now at


==== 1. In Focus: Hacking IIS 6.0 ====

by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Have you heard about Windows IT Pro's "Hack IIS 6.0 Challenge"? Roger Grimes will secure a Microsoft IIS 6.0 system and make it available on the Internet April 17 through June 8 so that people can try to break into it. In the July issue, Roger will write about how he secured the system and what happened during the contest. For more information about the contest, go to

I've already read messages on one security mailing list from people complaining about the challenge or poking fun at it. One person wrote that it's a ploy to gather zero-day (previously unpublished) exploits. I don't know whether anybody will collect packets during the contest or whether such packets will be examined to learn more about how people approach hacking an IIS 6.0 box. But such forensic analysis might occur. Would that be a bad thing?

There were also comments that the contest is an attempt to identify hackers and arrest them. That notion is laughable (and probably based on paranoia) given the fact that people have been invited to hack the box.

Some people also felt that such challenges don't work because of eventual Denial of Service (DoS) attacks. One person mentioned that the site is located on the same subnet as the magazine's Web farm. So if somebody decides to launch a Distributed DoS (DDoS) attack against the site, it could overwhelm the gateway and thereby render all sites behind the gateway unavailable. That's true. But the site is only an information site. It's not the actual system that will be made available for hacking. Sometime in the next week, further information will become available at the site, so check back to learn more details, including the address of the system to hack.

People also pointed out that the challenge can't really prove that the site is secure. If no one manages to break into the site, it might just be because somebody who might know how to break in doesn't take part in the challenge. That's rational; we should probably assume that somebody somewhere knows how to break any particular piece of software. It's a widely held opinion that no system is completely secure.

We could enjoy the challenge for exactly what it is--a challenge--without trying to read all sorts of motives into it. Many people attend various hacker conferences at which such challenges are relatively common. The main difference here is that this challenge is open to the public. It's a way to test your skills and have some fun trying to find a way to breach security. That's it.

Speaking of contests, the Windows IT Pro annual Readers' Choice contest is underway. Vote for your favorite IT products and reward companies that provide excellent products and services. The September 2005 issue of Windows IT Pro will feature the winners. To vote, go to

And, finally, if you use the Windows IT Pro Web site, you might be happy to have a chance to tell us how to improve it. Give us your opinion in the usability survey at


==== Sponsor: Oracle ====

Converting a Microsoft Access Application to Oracle HTML DB

Get the most efficient, scalable and secure approach to managing information using an Oracle Database with a Web application as the user interface. In this free white paper learn how you can use an Oracle HTML Database to convert a Microsoft Access application into a Web application that can be used by multiple users concurrently. You'll learn how to improve the original application by adding hit highlighting and an authorization scheme to provide access control to different types of users. Download this free white paper now!


==== 2. Security News and Features ====

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at

Eight Security Patches from Microsoft

Yesterday, April 12, was Patch Tuesday for Windows users, and Microsoft released eight security patches. The company also announced that beginning this month, it will change its Security Bulletin Advance Notification information provisioning to include other useful information.

Help with HIPAA, SOX, and GLBA Compliance

Vigilar announced a new service aimed at helping companies comply with the Sarbanes-Oxley (SOX) Act, the Gramm-Leach-Bliley (GLB) Act, and the Health Insurance Portability and Accountability Act (HIPAA). A compelling feature of Vigilar's new AuditPass program is that it guarantees that your company will pass compliance and audit checks.

Auditing Permission Changes on a Folder

Randy Franklin Smith points out that you'll need to enable auditing for successful object-access events on the servers on which the folders reside and you'll need to enable auditing on the folders you want to monitor. You'll also need to look for specific events in the Security log. Learn the details in this article on our Web site.
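One way to carry out those three steps on a current Windows server, as an added example that is not from the newsletter or from Randy Franklin Smith's article. The folder path is a placeholder, and event ID 4670 ("permissions on an object were changed") is the ID used by Windows Vista/Server 2008 and later; the Windows Server 2003-era Security log uses different IDs.

```powershell
# Added example, not from the newsletter. Run in an elevated PowerShell session
# on the server that hosts the folder. The path below is a placeholder.
$folder = 'D:\Shares\Finance'

# Step 1: turn on success auditing for the Object Access > File System subcategory
# (the "audit successful object-access events" setting mentioned above).
auditpol /set /subcategory:"File System" /success:enable

# Step 2: add a SACL entry to the folder so that successful permission or
# ownership changes by anyone are recorded, and let it inherit to subfolders/files.
$acl  = Get-Acl -Path $folder -Audit
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'ChangePermissions, TakeOwnership',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success
)
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Step 3: pull the resulting events out of the Security log. 4670 is raised when
# an object's DACL is changed; filtering on the folder path keeps only this share.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4670 } -MaxEvents 200 |
    Where-Object { $_.Message -like "*$folder*" } |
    Select-Object TimeCreated, Id, @{ Name = 'Detail'; Expression = { $_.Message } } |
    Format-List
```

Setting a SACL requires the "Manage auditing and security log" right (SeSecurityPrivilege), which administrators hold by default.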


==== Resources and Events ====

Does Windows Server 2003 Service Pack 1 Live Up to Expectations?

What can you expect when you deploy SP1 in real life? Join industry guru Michael Otey as he reviews the service pack and answers your questions about Windows Firewall, data execution prevention (DEP), boot-time protection, the anxiously awaited Security Configuration Wizard (SCW), and more.

Get Ready for SQL Server 2005 Roadshow in a City Near You

Get the facts about migrating to SQL Server 2005. SQL Server experts will present real-world information about administration, development, and business intelligence to help you implement a best-practices migration to SQL Server 2005 and improve your database computing environment. Attend and receive a 1-year membership to PASS and 1-year subscription to SQL Server Magazine. Register now!

Attend the Black Hat Briefings

Attend the Black Hat Briefings & Training USA, July 23-28, 2005 in Las Vegas. World renowned security experts reveal tomorrow's threats today. Free of vendor pitches, the briefings are designed to be pragmatic regardless of your security environment. Featuring 25 hands-on training courses and 10 conference tracks. Lots of Windows stuff profiled.

Ensure SQL Server High Availability

In this free Web seminar, discover how to maintain business continuity of your IT systems during routine maintenance and unplanned disasters. Learn critical factors for establishing a secure and highly available environment for SQL Server including overcoming the technology barriers that affect SQL Server high availability. Find out about Microsoft's out-of-the-box high-availability technologies, including clustering, log shipping, and replication. Register Now!

Protect the Rest of Your Exchange Infrastructure

There is more to data protection for Exchange than protecting mail and mail servers. In this free Web seminar, you'll learn some methods for anticipating, avoiding, and overcoming technical problems that can affect your Exchange environment, including corruption or errors in Active Directory, DNS problems, configuration errors, service pack installation problems, and more. Register now!


==== Featured White Paper ====

Quantify the Business Benefits of ITSM

This free white paper explores how to meet IT infrastructure's needs and manage crucial support and service processes by implementing Help desk, problem, change, configuration, and service-level agreement (SLA) management into a single workflow. Improve productivity and service delivery quality while reducing costs, resources, and downtime in your organization. Download it now!


==== Hot Release ====

High Availability for Windows Services

It is no stretch to say that Windows high availability must be a fundamental element in your short- and long-term strategic IT planning. This free white paper discusses the core issues surrounding Windows high availability, with a focus on business drivers and benefits. You'll learn about the current market solutions, technologies and real-world challenges including cost-benefit analyses. Plus, find out how to assess technical elements required in choosing a high availability solution, including the robustness of the technology, time-to-failover, and implementation difficulties. Download this white paper now!


==== 3. Security Toolkit ====

Security Matters Blog

by Mark Joseph Edwards,

Need a Security Scorecard?

Looking for a simple way to assess desktop security? PivX Solutions just released a new tool, PreView, that can tell you whether your firewall offers enough protection, whether you're missing necessary patches, and more.


by John Savill,

Q: Do I need to take any special steps when restoring a backup of my Relative Identifier (RID) master?

Find the answer at

Security Forum Featured Thread: AD Permissions

A forum participant is having trouble restricting permissions in Windows Server 2003. He's running Active Directory (AD) in Mixed Mode and has a few global groups that need access to resources on a member server. However, anyone--not just the intended groups--can access the folders and subfolders that he's trying to secure. Join the discussion at


==== Announcements ====

(from Windows IT Pro and its partners)

Check Out the New Windows IT Security Newsletter!

Security Administrator is now Windows IT Security. We've expanded our content to include even more fundamentals on building and maintaining a secure enterprise. Each issue also features product coverage of the best security tools available and expert advice on the best way to implement various security components. Plus, paid subscribers get online access to our entire security article database! Click here to try a sample issue today:

Nominate Yourself or a Friend for the MCP Hall of Fame

Are you a top-notch MCP who deserves to be a part of the first-ever MCP Hall of Fame? Get the fame you deserve by nominating yourself or a peer to become a part of this influential community of certified professionals. You could win a VIP trip to Microsoft and other valuable prizes. Enter now--it's easy:


==== 4. New and Improved ====

by Renee Munshi, [email protected]

Keep Track of Your Registry

ElcomSoft has released Advanced Registry Tracer 2.0, a utility that lets you analyze changes made to your registry (whether by Trojan horse programs, viruses, or software installations or removals) and store snapshots of the registry in a database so that you can easily restore the registry when you encounter problems. New features in version 2.0 include the ability to define scanning and comparison filters, an object-tweaking feature that lets you safely experiment with registry values, a new database format that reduces the size of the database, the ability to compare keys in command-line mode, faster registry file exports, and an improved interface. Advanced Registry Tracer 2.0 runs under Windows 95/98/Me/NT4/2000/XP and costs $40 for a single-user license. For more information, go to

Tell Us About a Hot Product and Get a T-Shirt!

Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to

[email protected].

Editor's note: Share Your Security Discoveries and Get $100

Share your security-related discoveries, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions (500 words or less) to [email protected]. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.


==== Sponsored Links ====

Quest Software

Heading to Exchange from Notes or GroupWise? Get Expert Help!


==== Contact Us ====

About the newsletter -- [email protected]

About technical questions --

About product news -- [email protected]

About your subscription -- [email protected]

About sponsoring Security UPDATE -- [email protected]


This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.

View the Windows IT Pro privacy policy at

Windows IT Pro, a division of Penton Media, Inc.

221 East 29th Street, Loveland, CO 80538

Attention: Customer Service Department

Copyright 2005, Penton Media, Inc. All rights reserved.
