Security UPDATE--So You Found a Security Problem, Now What?--June 29, 2005

1. In Focus: So You Found a Security Problem, Now What?

2. Security News and Features

- Recent Security Vulnerabilities

- No More Antigen for Unix and Linux

- Firewall Appliances, Part 1

- Importing Security Settings into a GPO

3. Security Toolkit

- Security Matters Blog

- FAQ

- Security Forum Featured Thread

4. New and Improved

- SOHO Broadband Security Appliance

==== Sponsor: Executive Software ====

Free download: Speed up your systems with Diskeeper

Keeping systems up and available to the users is vital! Slow, crash-prone systems have a devastating effect on productivity and security. Disk fragmentation is a major cause of crashes and slowdowns -- but who has the time to defragment every system, every day? The solution: Diskeeper, the Number One Automatic Defragmenter. Automatic defragmentation boosts performance and reliability and decreases Help Desk traffic. Click the link to get FREE fully-functional Diskeeper trialware. You'll discover why Diskeeper is the Number One Automatic Defragmenter with over 17 million sold.

http://www.executive.com/profile/submit-select.aspx?a=l&PId=95&ad=witpdk8

==== 1. In Focus: So You Found a Security Problem, Now What? ==== by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Lots of people find security problems with hardware and software products, network services, Web sites, and more. Some find problems through day-to-day computer use; others search for security problems purposely either as a hobby or as part of their job.

When you find a security problem, what do you do? The obvious answer is to contact the company that produced the product. However, alerting a company to your discovery of a problem in one of its products can be a challenge. Lots of companies simply don't prepare for reports of problems in their products and services. Their employees don't know what to do when people try to report problems. Nor do their Web sites or product documentation provide any information about who to contact for security matters.

Like many of you, I subscribe to a lot of security mailing lists. I can't even begin to remember the number of times I've read a message to one of those lists from someone asking how to contact a given company. The messages typically say something like, "I found a security problem in Product XYZ. I tried to contact the company via email and received no response. Does anybody have security contact info for the company?"

A good case in point happened last week. Someone found a problem in a widely used product and tried to contact the company via email and by phone. The person couldn't make it past the receptionist and so couldn't offer the information about the security problem to anybody in a position to do something about it. The person posted a description of the experience to a popular security mailing list, and now the company has to endure the embarrassment that comes along with public knowledge of its shortcomings--and the company's customers are more exposed to someone exploiting the publicized vulnerability. Had the company trained the receptionist to handle calls regarding security matters, the incident probably wouldn't have happened. As it turns out, the company in question read the message on the popular mailing list and quickly contacted the researcher. The company also quickly established a "security@" mailbox to which future reports can be sent.

Of course, in other cases, it turns out that the person who posted the vulnerability details didn't try very hard to contact the vendor. I'll sidestep the endless debate about whether vulnerability information should be publicly posted and say that these situations point out that every company that provides products and services should have information listed in plain sight in the product documentation and on the company Web site that shows who to contact about security matters. Even if a company's Web site serves only as an advertising vehicle and not as an ecommerce site, the company should include such contact information.

Likewise, when you're shopping for products, you should check whether a vendor lists security contact information. After all, you want the most secure products you can get, right? If a company doesn't provide a highly visible contact for security problems, the company is making it more difficult than necessary for people to report security problems directly to the company. And as I pointed out earlier, such difficulty can lead to vulnerabilities being publicly disclosed.

The trend seems to be to establish a "security@" or possibly a "secure@" email address that people can use to report potential security problems. Vendors should consider establishing such an address, if they haven't already.

==== Sponsor: Symantec ====

Symantec Storage and Systems Management Solutions

Symantec invites you to view a series of on-demand webcasts featuring Gartner Analysts to learn how Symantec's LiveState solutions can help ensure that your client devices are secure, available, and compliant with corporate standards -- from acquisition to disposal. Webcasts focus on Client Management Issues, Effective Patch Management, Protecting the Integrity and Availability of your Company's Information, and Discovery of IT Assets. Learn how to stay competitive in a world where change is inevitable. Find more information and register now at

http://sea.symantec.com/GWCWIPSU629

==== 2. Security News and Features ====

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at

http://www.windowsitpro.com/departments/departmentid/752/752.html

No More Antigen for Unix and Linux

Microsoft completed its acquisition of Sybari and said it will discontinue new sales of Sybari Antigen for Unix and Linux. No surprise there. The company will continue sales of Antigen for other products.

http://www.windowsitpro.com/Article/ArticleID/46800

Firewall Appliances, Part 1

When it comes to network security, the firewall is your primary line of defense. Firewalls have undergone a major transition in the past few years. In this two-part series, Thomas W. Shinder looks at popular firewall appliances and makes recommendations based on the size of your organization, the level of security you require, and the cost of the solution.

http://www.windowsitpro.com/Article/ArticleID/46588

Importing Security Settings into a GPO

Unfortunately, you can't export a GPO's security settings. Moving settings from one GPO to another requires a fairly simple workaround. Randy Franklin Smith explains how to do it by using the Secedit command.

http://www.windowsitpro.com/Article/ArticleID/46277

==== Resources and Events ====

The Essential Guide to Exchange Preventative Maintenance

Database health is the weakest link in most Microsoft Exchange Server environments. Download this Essential Guide now and find out how the ideal solution is an automated, end-to-end maintenance and management tool that provides a centralized view of the entire managed infrastructure. Get your free copy now!

http://www.windowsitpro.com/essential/index.cfm?code=0629emailannc

Show Us How You've Used Windows Technology in Innovative Ways

If you've used Windows technology in creative ways to devise specific, beneficial solutions to problems your business has faced, we want you! Now's your chance to get the recognition you deserve. Enter the 2005 Windows IT Pro Innovators Contest now! You could win a complimentary conference pass to Exchange and Windows Connections in San Diego in late October 2005.

http://www.windowsitpro.com/AWARDS/innovators_2005.cfm

Simplify, Automate and Reduce the Cost of Demonstrating Regulatory Compliance

The need to comply with regulations has increased as legislation such as Sarbanes-Oxley, HIPAA, GLBA, and Basel II take effect. The growth of these mandates has caused an increase in manually intensive, compliance-related tasks that reduce IT efficiency. In this free Web seminar, learn how you can simplify, automate, and reduce the cost of achieving IT security and regulatory compliance. Register now!

http://www.windowsitpro.com/seminars/regulatorycompliance/index.cfm?code=0629emailannc

Back By Popular Demand--SQL Server 2005 Roadshow in a City Near You

Get the facts about migrating to SQL Server 2005. SQL Server experts will present real-world information about administration, development, and business intelligence to help you implement a best-practices migration to SQL Server 2005 and improve your database computing environment. Attend and receive a 1-year membership to PASS and 1-year subscription to SQL Server Magazine. Register now!

http://www.windowsitpro.com/roadshows/sqlserverusa/index.cfm?code=0629emailannc

It Just Got Easier to Network With Your IT Peers!

Windows IT Pro forums are easier to use, searchable, and complete with RSS feeds so that you'll always receive the latest discussion topics instantly! Check out the new and improved Windows IT Pro forums today.

http://forums.windowsitpro.com

Congratulations to the 4th Annual Best of TechEd 2005 Awards winners!

Windows IT Pro and SQL Server Magazine presented awards to Windows and SQL technology vendors in 12 categories and one overall winner at the Best of TechEd Awards in Orlando. The field included more than 260 entries and products were evaluated based on their strategic importance in the market, competitive advantage, and value to the customer. Click here to learn all of the Best of TechEd 2005 winners.

http://www.windowsitpro.com/awards

==== Featured White Paper ====

Instant Recovery and Data Protection for SQL Servers

Depending on your environment, Microsoft SQL Server may be your most critical application. In this free white paper, learn the data protection strategies you need to really protect your database, compare the costs, evaluate alternatives, and more!

http://www.windowsitpro.com/whitepapers/NSISoftware/SQLServerProtection/index.cfm?code=0629emailannc

==== Hot Release ====

FREE Download -- The Next Generation of End-point Security is Available Today.

NEW NetOp Desktop Firewall's fast 100% driver-centric design offers a tiny footprint that protects machines from all types of malware even before Windows loads and without slowing them down. NetOp provides process & application control, real-time centralized management, automatic network detection & profiles and more. Try it FREE.

http://www.crossteccorp.com/netopfirewall/?utm_source=winitpro&utm_medium=email&utm_campaign=ndf45

==== 3. Security Toolkit ====

Security Matters Blog: Firefox 1.0.5 Just Around the Corner

by Mark Joseph Edwards, http://www.windowsitpro.com/securitymatters

Waiting for Firefox 1.0.5? You can get it now or later. The "nightly builds" of the new version are available, although the version is still in testing. If you're adventurous, download a copy now. If you like to play it safe, then you better wait for the official release, which undoubtedly is just around the corner.

http://www.windowsitpro.com/Article/ArticleID/46801

FAQ

by John Savill, http://www.windowsitpro.com/windowsnt20002003faq

Q: How can I control which authentication methods my Active Directory (AD) domain supports?

Find the answer at

http://www.windowsitpro.com/Article/ArticleID/46818

Security Forum Featured Thread: Removing Access

I just took a position as CIO. The previous CIO moved to another area of the business and no longer needs all the access she once gave herself. Can anyone recommend tools to scan the network drives to find where her account is assigned? We have Windows 2000 Active Directory (AD).

Join the discussion at

http://forums.windowsitpro.com/web/forum/messageview.aspx?catid=42&threadid=42091

==== Announcements ====

(from Windows IT Pro and its partners)

Why Do You Need the Windows IT Pro Master CD?

There are three good reasons to order our latest Windows IT Pro Master CD. One, because it's a lightning-fast, portable tool that lets you search for solutions by topic, author, or issue. Two, because it includes our Top 100 Windows IT Pro Tips. Three, because you'll also receive exclusive, subscriber-only access to our entire online article database. Click here to discover even more reasons:

http://www.windowsitpro.com/rd.cfm?code=cdeu2256up

Monthly Online Pass = Quick Security Answers!

Sign up today for your Monthly Online Pass and get 24/7 access to the entire online Windows IT Security article database, including exclusive subscriber-only content. That's a database of over 1900 Security articles to help you get all the answers you need, when you need them. Sign up now for just $14.95 per month:

http://www.secadministrator.com/rd.cfm?code=mpeu2556su

==== 4. New and Improved ====

by Dustin Ewing, [email protected]

SOHO Broadband Security Appliance

Electronics Lifestyle Integration (ELI) announced the availability of its fully managed Eli broadband security appliance for home, small office/home office (SOHO), and remote-office Internet users. Eli combines a firewall, antispam and antivirus capability, a DSL modem, a cable router, VPN support, and a Web interface. Eli is designed to deliver the kind of managed security previously available to large enterprises at an affordable price for the SOHO consumer. Pricing is $199.99 per device, and managed service starts at $9.99 per month. For more information, go to

http://www.trusteli.com

Tell Us About a Hot Product and Get a T-Shirt!

Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to

[email protected].

Editor's note: Share Your Security Discoveries and Get $100

Share your security-related discoveries, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions (500 words or less) to [email protected]. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

==== Sponsored Links ====

Quest Software

Eleven things you must know about quick AD recovery!

http://ad.doubleclick.net/clk;17412125;8214395;c?http://wm.quest.com/WITPNLSponlink11ThingsWPRMAD60105

==== Contact Us ====

About the newsletter -- [email protected]

About technical questions -- http://www.windowsitpro.com/forums

About product news -- [email protected]

About your subscription -- [email protected]

About sponsoring Security UPDATE -- [email protected]