Security UPDATE, May 7, 2003

Security UPDATE, May 7, 2003 Security Administrator

Subject: Security UPDATE, May 7, 2003

********************

Windows & .NET Magazine Security UPDATE--brought to you by Security Administrator, a print newsletter bringing you practical, how-to articles about securing your Windows Server 2003, Windows 2000, and Windows NT systems. http://www.secadministrator.com

********************

~~~~ THIS ISSUE SPONSORED BY ~~~~

Windows & .NET Magazine http://www.winnetmag.com/rd.cfm?code=edwi203dup

~~~~~~~~~~~~~~~~~~~~

~~~~ SPONSOR: WINDOWS & .NET MAGAZINE ~~~~ GET WINDOWS & .NET MAGAZINE AT 25% OFF! Every issue of Windows & .NET Magazine includes intelligent, impartial, and independent coverage of security, Active Directory, Exchange, and much more. Our expert authors deliver content you simply won't find anywhere else. Subscribe today at 25% off, and find out what over 100,000 readers know that you don't! http://www.winnetmag.com/rd.cfm?code=edwi203dup ~~~~~~~~~~~~~~~~~~~~

May 7, 2003--In this issue:

1. IN FOCUS - Security: Out of the Box and into the Guides

2. SECURITY RISKS - Multiple Vulnerabilities in Microsoft's BizTalk Server 2002 and 2000 - Path Disclosure Vulnerability in Macromedia ColdFusion MX Server - Script Injection Vulnerability in Opera for Windows JavaScript Console - Long File Extension Heap Buffer-Overrun Vulnerability in Opera for Windows - Oracle Database Link Buffer Overflow

3. ANNOUNCEMENTS - Windows & .NET Magazine Connections: Win a Florida Vacation - Time Is Running Out to Join Our Storage Solutions Road Show!

4. SECURITY ROUNDUP - News: Microsoft Releases Win2K Hardening Guide - News: Continued Windows 2003 Documentation Push Focuses on Security - News: New eBook Helps Administrators and Programmers Secure IIS - News: Microsoft and Sanctum Host Secure Programming Webinar

5. SECURITY TOOLKIT - Virus Center - FAQ: Are There Any Circumstances Under Which Win2K Still Uses NTLM?

6. NEW AND IMPROVED - Lure Attackers with a Honeypot - Centralize Your Security Policy Management - Submit Top Product Ideas

7. HOT THREAD - Windows & .NET Magazine Online Forums - Featured Thread: Does Windows Use Default Values If a Registry Key Isn't Present?

8. CONTACT US See this section for a list of ways to contact us.

~~~~~~~~~~~~~~~~~~~~

1.

IN FOCUS

(contributed by Mark Joseph Edwards, News Editor, [email protected])

* SECURITY: OUT OF THE BOX AND INTO THE GUIDES

As you know, Microsoft recently launched Windows Server 2003. One significant aspect of the new OS is Microsoft's pledge of better security. As history has shown, rushing a new OS out the door to eager users complete with all the bells and whistles blowing loudly isn't the best practice. Microsoft has taken longer than usual to develop this new OS, especially in regard to security. So when you deploy it, you'll find that rather than having loads of features turned on by default, the OS has many features that you must intentionally enable.

Even when you enable features such as Microsoft Internet Information Services (IIS) 6.0, you might find that they install with minimum functionality enabled. Security professionals will prefer this approach, but it doesn't address the larger question of how to reasonably open up functionality while maintaining adequate security levels.

To help you balance functionality and security in your Windows 2003 environment, Microsoft has released an extensive security guide. Microsoft designed the guide to help you deploy Windows 2003 effectively while maintaining adequate security in three basic environments: a legacy client environment, an enterprise environment, and a high-security environment.

The "Windows Server 2003 Security Guide" contains 12 chapters. Chapters 2 through 12 deal directly with configuring various network elements and their associated systems. They help you configure domain infrastructure, create baseline security for member servers, and harden several system elements: domain controllers (DCs) and infrastructure servers, file servers and print servers, IIS and Internet Authentication Server (IAS), Certificate Services Servers (CSSs), and bastion hosts.

All told, the security guide contains 290 pages of highly useful recommendations. In addition to the main guide, you'll find delivery guides (3), checklists (10), scripts (8), and templates (25) to help you further secure your Windows 2003 environment.

Microsoft recommends that those charged with deploying and securing Windows 2003 and Windows XP in an enterprise have MSCE 2000 certification, 2 or more years of security-related experience, in-depth knowledge of Active Directory (AD), and experience with these features and functions: Microsoft Management Console (MMC) and other tools, Group Policy administration, and workstation and application deployment in enterprise environments.

If you're considering using the security guide and wonder how Microsoft arrived at the security recommendations, refer to the "Testing Windows Server 2003 Security Guide" documentation included in the overall security guide package. The documentation outlines how Microsoft configured and tested the three basic network environments (legacy, enterprise, and high security) to ensure that the guide's recommendations are both accurate and adequate.

The test documentation explains, chapter by chapter, the steps Microsoft took to test the guide's recommendations. Microsoft also used a third party to perform extensive penetration testing against the enterprise and high-security environments. After several weeks of testing, the servers remained secure. Microsoft notes one vulnerability, however: Where brute-force attacks can expose user passwords, intruders might be able to intercept Kerberos network traffic. According to Microsoft, to mitigate this vulnerability, you can use complex user passwords or IP Security (IPSec) to encrypt network traffic. The guide recommends strong user passwords.

Obviously, the guide can't guarantee that Windows 2003 users won't encounter security problems. Nevertheless, if you follow the guide's advice, you'll be less likely to find your systems compromised. Microsoft's third-party testing helps assure that much.

If you still wonder about various threats and possible countermeasures, you can find additional security help. Microsoft has released "Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP." This guide details threats and potential countermeasures in detail--and discusses how deploying the recommended configuration settings affects users.

The 287-page threat guide also discusses domain level and audit policies, user rights assignments, security options, event logs, system services, software restriction policies, administrative templates, additional registry settings, and additional procedures for hardening member servers.

So--with the new OS, Microsoft offers two guides full of security-related configuration recommendations. Microsoft hopes you'll use this information to secure your Windows 2003 network environment. If you wonder whether your company can benefit from Windows 2003's strengthened security, review the guides to gain insight.

If you use the security guides, send me an email message about their usefulness. I want to know how they work for you and whether you found significant problems when you used them in your network environment.

You can download the new guides from Microsoft's Web site. You can also link to them from Paul Thurrott's news story, "Continued Windows 2003 Documentation Push Focuses on Security," in this issue of the newsletter. http://www.secadministrator.com/articles/index.cfm?articleid=38837

~~~~~~~~~~~~~~~~~~~~

2.

SECURITY RISKS

(contributed by Ken Pfeil, [email protected])

* MULTIPLE VULNERABILITIES IN MICROSOFT'S BIZTALK SERVER 2002 AND 2000 Two new vulnerabilities exist in Microsoft BizTalk Server 2002 and BizTalk Server 2000, one of which can result in the execution of arbitrary code on the vulnerable system. The second vulnerability is a Microsoft SQL injection vulnerability in some of the pages that BizTalk 2002 and BizTalk 2000's Document Tracking and Administration (DTA) uses. Microsoft has released Security Bulletin MS03-016 (Cumulative Patch for BizTalk Server) to address these vulnerabilities and recommends that affected users immediately apply the appropriate patch mentioned in the bulletin. http://www.secadministrator.com/articles/index.cfm?articleid=38855

* PATH DISCLOSURE VULNERABILITY IN MACROMEDIA COLDFUSION MX SERVER A vulnerability in Macromedia Coldfusion MX Server's default installation can result in the inadvertent disclosure of the physical path of the server installation. In a default installation, the Enable Robust Exception Information setting is enabled under Debugging Settings. According to Macromedia, you should clear this setting on production systems. http://www.secadministrator.com/articles/index.cfm?articleid=38848

* SCRIPT INJECTION VULNERABILITY IN OPERA FOR WINDOWS JAVASCRIPT CONSOLE A vulnerability in Opera for Windows can result in the execution of an arbitrary script in the Local Computer zone. This vulnerability is a result of code in Opera 7.x's console.html file that doesn't sanitize the single quotation mark. The flaw permits a malicious intruder to inject an arbitrary script into the link on the Microsoft JavaScript console. Opera has yet to respond to this problem. http://www.secadministrator.com/articles/index.cfm?articleid=38849

* LONG FILE EXTENSION HEAP BUFFER-OVERRUN VULNERABILITY IN OPERA FOR WINDOWS Several versions of Opera for Windows contain a Denial of Service (DoS) condition. The condition results from an unchecked buffer on the heap and Opera's failure to check the length of a filename. Opera has yet to respond to this problem. http://www.secadministrator.com/articles/index.cfm?articleid=38850

* ORACLE DATABASE LINK BUFFER OVERFLOW The Oracle database server contains a buffer-overflow condition. To exploit the condition, a malicious user can provide a long parameter for a connect string with the CREATE DATABASE LINK query. Oracle has released a patch to correct the problem. http://www.secadministrator.com/articles/index.cfm?articleid=38825

3.

ANNOUNCEMENTS

(brought to you by Windows & .NET Magazine and its partners)

* WINDOWS & .NET MAGAZINE CONNECTIONS: WIN A FLORIDA VACATION Don't miss this exclusive opportunity to learn in person from your favorite writers you know and trust. All attendees will receive a free 1-year subscription to Windows & .NET Magazine plus a chance to win a Florida vacation for two. Connections has simply the best lineup of technical training for today's Windows IT pro. Conference begins May 18, so hurry and register now: http://www.winconnections.com

* TIME IS RUNNING OUT TO JOIN OUR STORAGE SOLUTIONS ROAD SHOW! Attend the HP & Microsoft Network Storage Solutions Road Show, and learn how existing and future storage solutions can save your company money--and make your job easier! Attendees have lots of chances to win incredible prizes. There is absolutely no fee for this event, but space is limited. We've just added Minneapolis to our list of cities, so register now! http://www.winnetmag.com/roadshows/nas

4.

SECURITY ROUNDUP

* NEWS: MICROSOFT RELEASES WIN2K HARDENING GUIDE Microsoft announced the release of a new guide designed to help users harden the security of their Windows 2000 systems. The guide consists of six chapters, three appendices, and checklists to help deploy the measures outlined in the guide. The guide helps configure Win2K in a more secure fashion in any of six different server roles. http://www.secadministrator.com/articles/index.cfm?articleid=38828

* NEWS: CONTINUED WINDOWS 2003 DOCUMENTATION PUSH FOCUSES ON SECURITY Microsoft has issued its voluminous "Windows Server 2003 Security Guide," a threats and countermeasures document for Windows 2003 and Windows XP, and companion documentation designed to help harden Windows 2000 Server and Win2K Professional against attack. According to Microsoft, the "Windows Server 2003 Security Guide" focuses on providing a set of easy to understand guidance, tools, and templates to help secure Windows 2003 in many environments. http://www.secadministrator.com/articles/index.cfm?articleid=38837

* NEWS: NEW eBOOK HELPS ADMINISTRATORS AND PROGRAMMERS SECURE IIS Jason Coombs has released a free eBook, "IIS Security and Programming Countermeasures," designed to help administrators and programmers better secure their IIS servers. http://www.secadministrator.com/articles/index.cfm?articleid=38829

* NEWS: MICROSOFT AND SANCTUM HOST SECURE PROGRAMMING WEBINAR Microsoft and Sanctum will present a webinar, "Security Best Practices in the .NET Framework Environment," on May 9 at 4:30 P.M. Eastern time. Sanctum Chief Technology Officer (CTO) Steve Orrin and Microsoft Senior Security Program Manager for the Secure Windows Initiative Michael Howard will host the presentation. The two will discuss security unit testing in Windows .NET Framework development. http://www.secadministrator.com/articles/index.cfm?articleid=38813

5.

SECURITY TOOLKIT

* VIRUS CENTER Panda Software and the Windows & .NET Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security. http://www.secadministrator.com/panda

* FAQ: Are There Any Circumstances Under Which Win2K Still Uses NTLM? (contributed by Randy Franklin Smith, [email protected])

A: Yes, Windows 2000 still uses NT LAN Manager (NTLM) rather than Kerberos in certain situations. Because NTLM is much more vulnerable to eavesdropping and subsequent cracking, you should know the circumstances under which Win2K uses NTLM. For Win2K to use Kerberos when a user logs on, all computers involved--workstations, domain controllers (DCs), and servers--must be Win2K or later and members of the same domain or at least the same forest. In addition, the user account that's logging on must be an Active Directory (AD) user account, not an account in a computer's local SAM or an account from a Windows NT domain. For a list of situations in which Win2K uses NTLM, be sure to read the rest of the article on our Web site. http://www.secadministrator.com/articles/index.cfm?articleid=24670

6.

NEW AND IMPROVED

(contributed by Sue Cooper, [email protected])

* LURE ATTACKERS WITH A HONEYPOT KeyFocus released KFSensor, a honeypot-based Intrusion Detection System (IDS) that attracts and detects attackers by simulating vulnerable system services, Trojan horses, and servers such as Telnet and SMTP. This configurable system features detailed logging, attack analysis, and security alerts. Because KFSensor isn't activated until attacked, it consumes little processor time or network resources and doesn't affect usual machine use. KFSensor supports Windows XP/2000/NT/Me/98 and costs $149 per user. Contact KeyFocus at [email protected]. http://www.keyfocus.net

* CENTRALIZE YOUR SECURITY POLICY MANAGEMENT Pedestal Software announced SecurityExpressions 3.0, an agentless system security policy management solution that lets you apply and monitor policies the software creates or deploy a policy that security or government organizations predefine. SecurityExpressions 3.0 verifies policy compliance on each server, workstation, and desktop. You can then implement fixes to any problems discovered during that audit. Features new to this version include a Web console that lets others perform an audit without compromising enterprise security, a distributed proxy that lets one console scan systems in remote locations, and ODBC Reporting that lets you store the scan results in a centralized ODBC-compliant database. Pricing is based on the number of systems scanned and starts at $495 per server and $30 per desktop. Contact Pedestal Software at 617-928-5550 or [email protected]. http://www.pedestalsoftware.com

* SUBMIT TOP PRODUCT IDEAS Have you used a product that changed your IT experience by saving you time or easing your daily burden? Do you know of a terrific product that others should know about? Tell us! We want to write about the product in a future What's Hot column. Send your product suggestions to [email protected].

7.

HOT THREAD

* WINDOWS & .NET MAGAZINE ONLINE FORUMS http://www.winnetmag.com/forums

Featured Thread: Does Windows Use Default Values If a Registry Key Isn't Present? (Two messages in this thread)

A reader wants to know whether Windows uses a default value if a registry key isn't present or is intentionally deleted. For example, how does Windows behave if the following registry key is set to zero or deleted: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisable8dot3NameCreation

Lend a hand or read the responses: http://www.winnetmag.com/forums/rd.cfm?cid=42&tid=58174

8.

CONTACT US

Here's how to reach us with your comments and questions:

* ABOUT IN FOCUS -- [email protected]

* ABOUT THE NEWSLETTER IN GENERAL -- [email protected] (please mention the newsletter name in the subject line)

* TECHNICAL QUESTIONS -- http://www.winnetmag.com/forums

* PRODUCT NEWS -- [email protected]

* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer Support -- [email protected]

* WANT TO SPONSOR SECURITY UPDATE? [email protected]

******************** This email newsletter is brought to you by Security Administrator, the print newsletter with independent, impartial advice for IT administrators securing a Windows 2000/Windows NT enterprise. Subscribe today! http://www.secadministrator.com/sub.cfm?code=saei25xxup

Receive the latest information about the Windows and .NET topics of your choice. Subscribe to our other FREE email newsletters. http://www.winnetmag.com/email

|-+-|-+-|-+-|-+-|-+-|

Thank you for reading Security UPDATE.

Thank you! __________________________________________________________ Copyright 2003, Penton Media, Inc.