Windows & .NET Magazine Security UPDATE—brought to you by Security Administrator, a print newsletter bringing you practical, how-to articles about securing your Windows .NET Server, Windows 2000, and Windows NT systems.
THIS ISSUE SPONSORED BY
FREE Security White Paper from NetIQ!
ST. BERNARD SOFTWARE
(below IN FOCUS)
SPONSOR: FREE SECURITY WHITE PAPER FROM NETIQ!
Need to secure your network against intrusion while minimizing IT costs and downtime? Get a real-time solution for immediate action and future protection. A security event correlation system pulls together information from all three stages of network security: prevention, detection, and reaction. Learn the best practices you need to secure your network today. Read NetIQ's free white paper, "Security Event Correlation: Where Are We Now?"
Download it now!
June 12, 2002—In this issue:
1. IN FOCUS
- Federated Networks: The Next Wave of Security
2. SECURITY RISKS
- DoS in ISC's BIND 9.0
- Unchecked Buffer in ASP.NET Component of Microsoft .NET
- Multiple Vulnerabilities in Yahoo! Messenger
- Get Valuable Info for Free with IT Consultant Newsletter
- Attend Black Hat Briefings & Training, July 29-August 1, 2002, Las Vegas
4. SECURITY ROUNDUP
- Feature: Microsoft Plans SQL Server Security Guide
- Feature: Roll Out Secure Servers
- Feature: Hunting Malicious Code
- News: Microsoft Counters Sun Liberty Alliance with TrustBridge
5. INSTANT POLL
- Results of Previous Poll: IM Policy
- New Instant Poll: IM Add-Ons
6. HOT RELEASE
- Is Your Network at Risk? Test Sybari's Antigen!
7. SECURITY TOOLKIT
- Virus Center
- FAQ: How to Automatically Install URLScan
8. NEW AND IMPROVED
- Submit Top Product Ideas
- Security Assessment Product
- Book: Securing Windows NT/2000: From Policies to Firewalls
9. HOT THREADS
- Windows & .NET Magazine Online Forums
- Featured Thread: Stop Applications from Executing
10. CONTACT US
- See this section for a list of ways to contact us.
1. IN FOCUS
(contributed by Mark Joseph Edwards, News Editor, [email protected])
Have you heard about the upcoming federated networks? Two groups, the Liberty Alliance and the Web Services Interoperability Organization (WS-I), are developing the technology to let users better manage their credentials for cross-site authentication and network access between dissimilar topologies and protocols. The goal is to make single sign-on (SSO) easier by developing methods that let users authenticate once with the provider of their choice and gain subsequent access to other networks within a federation transparently.
Sun Microsystems launched the Liberty Alliance Project last September. The Liberty Alliance intends to "create an open, federated solution for network identity—enabling ubiquitous single sign on, decentralized authentication and open authorization from any device connected to the Internet, from traditional desktop computers and cellular phones through to TVs, automobiles, credit cards and point-of-sale terminals." The Liberty Alliance maintains that the development and adoption of such specifications would prevent various service providers from creating "Internet toll-booths."
"Without an open federated identity model for the Internet, there's risk that only a few companies and their preferred sets of partners will become firmly established as the service brokers of the Internet," said a Liberty Alliance spokesperson. "Companies will be charged to use services brokered through these Internet toll takers. Merchants and financial institutions will certainly pay for authentication and access to these profiles. In short, a company that is not a service broker will be charged for access to [its] own communities—communities built on the backs of [its] own shareholders and citizens."
The Liberty Alliance is developing an open specification and invites participation in the process. Various alliance membership levels are available to any organization. To date, more than 40 major companies participate in the organization, including American Express, Visa, MasterCard, Citigroup, AOL, General Motors, Sony, Cisco Systems, Hewlett-Packard (HP), United Airlines, Novell, RSA Security, Entrust, the Apache Software Foundation, and VeriSign. Phase I of the specification is due for release any time now, and the organization expects to announce the next development phases, including the time frames in which protocols for the specification will be made available.
In April, Microsoft, IBM, and VeriSign announced Web Services Security (WS-Security) with an accompanying specification. The specification defines a standard set of Simple Object Access Protocol (SOAP) extensions or message headers for exchanging secure, signed messages in a Web services environment. According to Microsoft, WS-Security is "designed to support XML Web services capable of seamlessly crossing organizational, network, application, database, and trust boundaries." The specification will support many types of credential information, including Kerberos, public key infrastructure (PKI), Extensible Rights Markup Language (XrML), Security Assertion Markup Language (SAML), and Secure Sockets Layer (SSL)/Transport Layer Security (TLS). The support "means that organizations can begin to build solutions on this foundation today, and do not need to throw away their current security infrastructure investments." Furthermore, WS-Security will let users directly federate Active Directories (ADs) over the Internet and let Windows .NET Server (Win.NET Server) accept Microsoft .NET Passport as a credential type when passports are mapped to an AD account.
Microsoft announced that it will release TrustBridge for Win.NET Server in 2003. TrustBridge will be built on WS-Security technology and will let Win.NET Server-based applications accept credentials generated by non-Microsoft products that also implement WS-Security. For example, IBM will add WS-Security support to its middleware products. You can read the related news story in this newsletter for more information about TrustBridge. Use either the news story reference or the URL
Microsoft anticipates that "the proposed model and specifications that emerge (WS-Security) will be broadly available from multiple vendors and will be considered by appropriate standards organizations." In the meantime, the company also announced that .NET Passport would support WS-Security by 2003, and that it will add WS-Security to Visual Studio .NET and .NET Framework this year. The WS-I organization expects to see its members release a set of sample applications that demonstrate WS-Security interoperability this year.
WS-I boasts more than 1000 members, including notable heavyweights such as Intel, AT&T, Procter and Gamble, and Sabre. And although some companies such as HP and VeriSign have chosen to participate in both efforts, another industry leader, Sun, hasn't joined the WS-I organization. According to an InfoWorld Media Group report, Sun wants to participate, but only if it can have a seat on the board of directors with its competitors Microsoft and IBM in an effort to gain parity in decision making. To date, WS-I has declined to modify its current board, which isn't surprising given that Sun's Java competes with Microsoft's .NET Web services technology.
Federated networks promise to further change the way we manage privacy and authentication credentials. Be sure to keep an eye on the Liberty Alliance Project and WS-I's developments.
SPONSOR: PC MAGAZINE EDITORS' CHOICE FOR WEB FILTERING
There are many approaches to Web filtering today, from desktop software to server and firewall add-ons to ISP/ASP services to filtering appliances. PC Magazine tested a dozen of the leading Web filtering solutions and selected the iPrism Filtering Appliance as best for business use. They concluded, "iPrism's the best return on a busy network administrator's time and money."
To find out if iPrism might be best for you, please visit:
2. SECURITY RISKS
(contributed by Ken Pfeil, [email protected])
The Internet Software Consortium (ISC) reported a Denial of Service (DoS) condition in its BIND DNS software. This vulnerability stems from a logic error in BIND that lets remote attackers cause a DNS server running BIND 9.0 through BIND 9.2.0 to fail and shut down, after which the server must be restarted manually. ISC recommends that affected users either apply a patch an OEM supplies or upgrade immediately to BIND 9.2.1.
A vulnerability in the ASP.NET component of the Microsoft .NET Framework can result in a Denial of Service (DoS) condition or execution of arbitrary code on the vulnerable system. This vulnerability stems from an unchecked buffer in a routine that handles cookie processing in the StateServer mode. Microsoft has released Microsoft Security Bulletin MS02-026 (Unchecked Buffer in ASP.NET Worker Process) to address this vulnerability and recommends that affected users apply the appropriate patch.
Scott Woodward, Phuong Nguyen, and Adam Lang discovered multiple vulnerabilities in Yahoo! Messenger that can lead to remote compromise of the affected system. The first vulnerability is a buffer-overflow condition in the messenger Uniform Resource Identifier (URI) handler "ymsgr:". The second vulnerability, in the Yahoo! Messenger "addview" function, lets an attacker execute arbitrary script and HTML in the Internet security zone of the local machine. Yahoo! recommends that affected users upgrade to version 5.0.0.1065 or a later version.
(brought to you by Windows & .NET Magazine and its partners)
Sign up today for IT ConsultantWire, a FREE email newsletter from Penton Media. This newsletter is specifically designed for IT consultants, bringing you news, product analysis, project management and business logic trends, industry events, and more. Find out more about this solution-packed resource and sign up for FREE at
Black Hat Briefings is the world's premier technical security event, featuring 8 tracks and 12 training sessions, with lots of Windows topics coverage, full support by Microsoft, and a keynote by Richard Clarke. See for yourself what the buzz is all about. Register today!
4. SECURITY ROUNDUP
Security has always been an important aspect of database management. However, according to James Hamilton, one of three architects on the Microsoft SQL Server development team, some of the ground rules for how a DBA needs to think about security have changed. Brian Moran gleaned some interesting perspectives about security during a conversation with Hamilton, who has responsibility and vision for "thinking about security" as it relates to SQL Server.
Once upon a time, Mark Minasi thought nothing of building a new test server without hotfixes or service packs. After all, it was just a test server; it contained no important data, so he didn't care whether the server was secure. But those were the days before the Microsoft IIS worms. Nowadays, if he puts an unsecured server on the network, it could become infected and become one of the legions of machines that spend all day looking for other computers to infect.
A fan of both scripting and Microsoft Remote Installation Services (RIS), Minasi shows you how to set up a RIS server that will let you start an automated Windows 2000 installation, walk away for a while, and return to find all the latest hotfixes installed. Although he builds his example on RIS, this approach also works on a simpler network-based installation that uses a shared i386.
The phone calls always start the same way: "My antivirus scanner isn't finding anything, but I know something is there." No one calls an antivirus consultant until the usual antivirus tools and checks have failed. And the caller's statement doesn't surprise me. So, how do you find malicious code (e.g., worms, viruses, Trojan horses, backdoor programs) when the expert tools can't find it? Seven steps will help you find viruses and other types of malicious programs on all Windows systems.
Microsoft has announced TrustBridge, a new technology that will let businesses share user identity information between applications and organizations. A Microsoft spokesperson said, "TrustBridge technology will allow different organizations using the Windows operating system to exchange user identities and interoperate in heterogeneous environments."
5. INSTANT POLL
The voting has closed in Windows & .NET Magazine's Security Administrator Channel nonscientific Instant Poll for the question, "Which of the following answers best describes your organization's approach to Instant Messaging (IM) use?" Here are the results (+/- 2 percent) from the 259 votes:
- 20% We standardize on one package
- 16% We let users make their own IM choice
- 62% We don't let users use IM
The next Instant Poll question is, "If your organization permits Instant Messaging (IM) software use, do you use security add-ons?" Go to the Security Administrator Channel home page and submit your vote for the answer that most closely matches your organization's approach to IM: a) Yes—We use IM software plus an antivirus add-on, b) Yes—We use IM software plus an encrypted-transport add-on, c) Yes—We use IM software plus antivirus and encrypted-transport add-ons, or d) No—We use IM software without security add-ons.
6. HOT RELEASE
Take the Sybari Challenge and test Antigen. If Antigen catches viruses missed by your installed solution, you'll get a free T-shirt and 5% off your Antigen purchase through June 30th. For details go to
7. SECURITY TOOLKIT
Panda Software and the Windows & .NET Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security.
(contributed by Randy Franklin Smith, [email protected])
To install URLScan automatically, use the IIS Lockdown Wizard, which is included in the IIS Lockdown tool. The wizard asks you which type of Web server you're running and which Microsoft IIS-related products (e.g., Microsoft FrontPage Server Extensions, Microsoft Commerce Server) are installed. The wizard then attempts to lock down your server without breaking any functionality that your installed tools and products require. The wizard installs URLScan, disables specified script mappings (for information about these script mappings, go to http://www.microsoft.com/technet/security/tools/tools/locktool.asp), disables specified services, removes specified folders that contain dangerous sample content (from the default installation of IIS), and strengthens file permissions to prevent anonymous users from writing to content directories and running system utilities.
If using the IIS Lockdown Wizard breaks your Web site, simply run the wizard again. Answer Yes to the question "Do you want to restore your original settings?" that you see on the first page of the wizard when you rerun it, and the wizard will restore your original settings.
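As an added example (not the newsletter's or Microsoft's code), the following Python approximates the kind of request filtering URLScan performs once the wizard has installed it: a URLScan.ini-like fragment using the tool's real section names is parsed and applied to request lines. The fragment, the simplified parsing rules, and the request lines are constructed assumptions, not the product's own logic or defaults.

```python
"""URLScan-style request filter, added as an illustration (not Microsoft's
URLScan code): parses a URLScan.ini-like fragment and applies its verb,
extension and URL-sequence rules to request lines."""
import configparser
from urllib.parse import unquote

# Constructed fragment; section names are the real URLScan.ini ones, but the
# parsing below is a simplification, not URLScan's own logic.
SAMPLE_INI = """[options]
NormalizeUrlBeforeScan=1
[AllowVerbs]
GET
POST
[DenyExtensions]
.exe
.printer
[DenyUrlSequences]
..
./
\\
:
%
"""

def load_rules(ini_text):
    # allow_no_value keeps bare entries such as ".exe" as option names.
    cp = configparser.RawConfigParser(allow_no_value=True, delimiters=("=",))
    cp.optionxform = str  # keep the case of verbs and sequences
    cp.read_string(ini_text)
    return {
        "normalize": cp.get("options", "NormalizeUrlBeforeScan") == "1",
        "allow_verbs": set(cp.options("AllowVerbs")),
        "deny_ext": {e.lower() for e in cp.options("DenyExtensions")},
        "deny_seq": cp.options("DenyUrlSequences"),
    }

def check_request(rules, request_line):
    """Return (allowed, reason) for one 'VERB /path HTTP/1.x' request line.
    Only the path is scanned; the query string is ignored in this version."""
    parts = request_line.split()
    if len(parts) < 2:
        return False, "malformed request line"
    verb, path = parts[0], parts[1].split("?", 1)[0]
    if verb not in rules["allow_verbs"]:
        return False, f"verb {verb} not in AllowVerbs"
    if rules["normalize"]:
        path = unquote(path)  # one decode: a '%' that survives is double encoding
    for seq in rules["deny_seq"]:
        if seq in path:
            return False, f"denied sequence {seq!r}"
    name = path.rsplit("/", 1)[-1]
    ext = name[name.rfind("."):].lower() if "." in name else ""
    if ext in rules["deny_ext"]:
        return False, f"denied extension {ext}"
    return True, "ok"
```

Because the path is decoded once before the sequence scan, a request that is still percent-encoded after that single decode trips the "%" rule, which is how a double-encoded traversal gets caught even when ".." never appears literally.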
8. NEW AND IMPROVED
(contributed by Judy Drennen, [email protected])
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Do you know of a terrific product that others should know about? Tell us! We want to write about the product in a future What's Hot column. Send your product suggestions to [email protected]
SPI Dynamics announced WebInspect 2.0, a next-generation Web application security assessment product that helps ensure the security of your entire network through automated and adaptable processes that scan Web applications to identify known and unknown vulnerabilities. WebInspect runs on Windows XP, Windows 2000, Windows NT 4.0 with Service Pack 6a (SP6a), and Windows 98 and costs $4995 per server for perpetual licensing with volume discounts available for enterprise purchases. Consultant and corporate auditors can purchase WebInspect on an annual per seat basis at $20,000.
CRC Press announced Michael A. Simonyi's "Securing Windows NT/2000: From Policies to Firewalls," a managerial and practical technical tutorial for Windows 2000 and Windows NT. The book discusses how to develop a strategy to implement security within an organization. It presents in-depth knowledge about how, why, and where these Windows OSs must be tuned to connect securely to the Internet. The book costs $49.95. For more information, contact CRC Press at 800-272-7737 ext. 2524 or go to the Web site.
9. HOT THREADS
Featured Thread: Stop Applications from Executing
(One message in this thread)
Edward wants to know a way (besides using the RestrictRun and DisallowRun registry settings) to prevent applications from running. Some of his users have figured out that they can simply rename imported applications to common Windows application names such as notepad.exe or iexplore.exe and run them, because those filenames are allowed to execute on the desktop.
10. CONTACT US
Here's how to reach us with your comments and questions:
(please mention the newsletter name in the subject line)
- TECHNICAL QUESTIONS — http://www.winnetmag.net/forums
- PRODUCT NEWS — [email protected]
- QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION?
Customer Support — [email protected]
- WANT TO SPONSOR SECURITY UPDATE?
This email newsletter is brought to you by Security Administrator, the print newsletter with independent, impartial advice for IT administrators securing a Windows 2000/Windows NT enterprise. Subscribe today!
Receive the latest information about the Windows and .NET topics of your choice. Subscribe to our other FREE email newsletters.
Thank you for reading Windows & .NET Magazine UPDATE.