Security UPDATE, January 22, 2003

Windows & .NET Magazine Security UPDATE—brought to you by Security Administrator, a print newsletter bringing you practical, how-to articles about securing your Windows Server 2003, Windows 2000, and Windows NT systems.
http://www.secadministrator.com


THIS ISSUE SPONSORED BY

Panda Antivirus: Want Truly Automatic Daily Updates?
http://www.pandasecurity.com/new/email/form-4023.html

PacWest Security Road Show
http://www.winnetmag.com/roadshows/security2003
(below IN FOCUS)


SPONSOR: PANDA ANTIVIRUS: WANT TRULY AUTOMATIC DAILY UPDATES?

Most antivirus companies tell you they have daily automatic updates, but the truth is they only update their files twice a week at best. You can log on every day, but the files only update twice a week. How does this protect you? Panda Software truly automatically updates your antivirus every single day. And since you've probably been paying the other guys extra for tech support, you'll be happy to know that Panda's corporate tech support is FREE, 24 hours a day, 365 days per year. For more information on our award-winning network antivirus solutions, click below and receive a FREE gift from Panda Software.
http://www.pandasecurity.com/new/email/form-4023.html


January 22, 2003—In this issue:

1. IN FOCUS

  • Security Tools for Your Data-Gathering Efforts

2. SECURITY RISKS

  • Buffer-Overflow Vulnerability in CuteFTP 5.0 for XP

3. ANNOUNCEMENTS

  • Pharma-IT Summit: Real-World Solutions for Today's Pharma-IT Challenges, March 31, 2003
  • Windows & .NET Magazine Connections Announces Spring 2003 Dates

4. SECURITY ROUNDUP

  • News: Microsoft Opens Source Code to Governments
  • News: Group Espada Announces New Security Tools
  • Feature: Building a Secure VPN

5. INSTANT POLL

  • Results of Previous Poll: ISA Server 2000
  • New Instant Poll: Security Administrative Duties

6. SECURITY TOOLKIT

  • Virus Center
  • FAQ: How Can I Restore My Windows XP System Using an Automated System Recovery (ASR) Backup?

7. NEW AND IMPROVED

  • Let the Pros Keep You Secure
  • Inspect and Report on Computers' Security
  • Submit Top Product Ideas

8. HOT THREAD

  • Windows & .NET Magazine Online Forums
  • Featured Thread: Trouble with Network Windows XP Shares and Logons
  • HowTo Mailing List
  • Featured Thread: Microsoft Windows PKI and PEM Certificates

9. CONTACT US

  • See this section for a list of ways to contact us.

1. IN FOCUS
(contributed by Mark Joseph Edwards, News Editor, [email protected])

  • SECURITY TOOLS FOR YOUR DATA-GATHERING EFFORTS

  • As part of your overall security efforts, you need to know which resources are available on your systems and how those resources are being used. It's important to monitor log files, and, in some cases, consolidate and generate log files—and some add-on tools can significantly simplify the task. In poking around the Internet recently, I found several tools that you might want to consider using in your Windows network environments. Most of the tools address log files, and one tool enumerates system characteristics on local and remote systems.

    First, consider Purdue University Engineering Computer Network's Eventlog to Syslog, a utility that runs on Windows, monitors event logs, reformats the log entries, and sends them to a UNIX-based syslog service for centralized collection. The utility lets administrators whose main desktop is UNIX monitor events that take place on Windows-based systems.
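An added example of the reformatting step such a forwarder performs, not Eventlog to Syslog's own code: it renders one event-log record as an RFC 3164 syslog line. The record's dictionary keys, the severity mapping, and the facility are assumptions made for illustration.

```python
import socket
from datetime import datetime

MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()

# Assumed mapping of Windows event types to syslog severities (not the tool's own).
SEVERITY = {
    "Error": 3,          # err
    "Warning": 4,        # warning
    "Audit Failure": 4,  # warning
    "Audit Success": 5,  # notice
    "Information": 6,    # info
}
FACILITY_DAEMON = 3  # assumed facility for forwarded Windows events


def event_to_syslog(event, facility=FACILITY_DAEMON):
    """Render one event-log record (a dict with hypothetical keys) as an RFC 3164 line."""
    pri = facility * 8 + SEVERITY.get(event["type"], 5)
    ts = event["time"]
    stamp = f"{MONTHS[ts.month - 1]} {ts.day:2d} {ts:%H:%M:%S}"
    # Collapse CR/LF/tabs: a multi-line description must stay one record, and
    # user-influenced fields (such as account names) must not start a new one.
    text = " ".join(event["message"].split())
    tag = "".join(c for c in event["source"] if c.isalnum())[:32]
    line = f"<{pri}>{stamp} {event['host']} {tag}[{event['id']}]: {text}"
    return line.encode("ascii", "replace")[:1024]  # RFC 3164 caps a packet at 1024 bytes


def send(line, collector, port=514):
    """Ship one record to the UNIX syslog collector over UDP."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(line, (collector, port))


# Constructed sample record: a failed logon (event ID 529) from the Security log.
SAMPLE_EVENT = {
    "host": "WS01",
    "source": "Security",
    "type": "Audit Failure",
    "id": 529,
    "time": datetime(2003, 1, 22, 9, 5, 7),
    "message": "Logon Failure:\r\n\tReason: Unknown user name or bad password\r\n\tUser Name: jdoe",
}

if __name__ == "__main__":
    print(event_to_syslog(SAMPLE_EVENT).decode("ascii"))
```

Flattening the description to a single line matters on the collector side: one Windows event maps to exactly one syslog record, so counts and alerts stay accurate.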

    Second, consider SecurIT Informatique's LogAgent, another tool designed to centralize log files. LogAgent can gather text-based logs from just about any type of software and centralize those logs in one or more locations. For example, you can use the tool to gather and monitor text-based logs from firewalls, antivirus software, download managers, and content-screening software without having to look at each one through that product's own interface.

    A third tool to consider—also available from SecurIT Informatique—is ComLog. This tool lets you introduce logging in a place in which logging might otherwise be impossible: in a Windows command shell. ComLog monitors everything that happens in a Windows command shell and logs it to a file. ComLog is written in Perl and compiled with Perl2Exe. The program replaces the cmd.exe file on your Windows systems and becomes a front end to that file. After ComLog is in place, the program captures all keystrokes and command output and writes the data to date-stamped log files for your review.

    Another tool, Foundstone's FileWatch, monitors files by detecting file-size changes and write operations. The tool can monitor log files for changes and launch a separate application when it detects changes. For example, you can use it to monitor firewall logs or logs from ComLog and LogAgent. You could also use FileWatch to send administrative alerts (through email or pager software) when file changes occur. Or you could use the tool to initiate other actions, such as shutting down services or network connections or starting data capture programs.

    Foundstone's NTLast lets you monitor Windows event logs (including saved log files) for logon information. You can use it to perform date-driven searches, filter based on hosts, distinguish data logged by Web servers, and produce formatted output suitable for Microsoft Excel spreadsheets.

    Finally, check into SourceForge's Winfingerprint. This tool determines OS type and can enumerate users, groups, shares, SIDs, network transports, disk drives, sessions, and services. Winfingerprint can also determine service pack and hotfix levels and discover any open TCP and UDP ports. It works with Windows NT domains and Active Directory (AD) network structures and can interrogate remote systems based on a range of IP addresses.

    Be sure to consider these and other log-related and system-enumeration utilities. Of course, this brief list of utilities can't be more than a sampling. If you're a security administrator who has found a tool that's particularly useful in managing log files or enumerating system resources, I'd like to hear about it. Such tools help administrators become aware of suspicious events and activities that might otherwise go completely unnoticed—or go unnoticed until damage has been done.


    SPONSOR: PACWEST SECURITY ROAD SHOW

    BACK BY POPULAR DEMAND - DON'T MISS OUR SECURITY ROAD SHOW EVENT!

    If you missed last year's popular security Road Show event, now's your chance to catch it again in Portland and Redmond. Learn from experts Mark Minasi and Paul Thurrott about how to shore up your system's security and what desktop security features are planned for .NET and beyond. Registration is free so sign up now!
    http://www.winnetmag.com/roadshows/security2003


    2. SECURITY RISKS
    (contributed by Ken Pfeil, [email protected])

  • BUFFER-OVERFLOW VULNERABILITY IN CUTEFTP 5.0 FOR XP

  • A buffer-overflow vulnerability in GlobalSCAPE's CuteFTP 5.0 XP for Windows could let an attacker execute arbitrary code on the vulnerable system. When an FTP server responds to a "LIST" (directory listing) command, it sends the response over a data connection. Sending 257 bytes over this connection causes a buffer to overflow, and sending 260 bytes of data completely overwrites the IP (instruction pointer) register.
    http://www.secadministrator.com/articles/index.cfm?articleid=37731

    3. ANNOUNCEMENTS
    (brought to you by Windows & .NET Magazine and its partners)

  • PHARMA-IT SUMMIT: REAL-WORLD SOLUTIONS FOR TODAY'S PHARMA-IT CHALLENGES, MARCH 31, 2003

  • Annual executive conference highlights the increased focus on IT security in global pharmaceutical enterprises. Networking, case studies, intensive workshops, and forums help CIOs, CTOs, CFOs, VPs, and other top decision makers leverage pharmaceutical IT solutions successfully. Keynote presentations by executives from Aventis, Novartis, AstraZeneca, Hoffmann-La Roche, and Pfizer, plus US Dept. of Health & Human Services.
    http://www.pharmaitsummit.com

  • WINDOWS & .NET MAGAZINE CONNECTIONS ANNOUNCES SPRING 2003 DATES

  • Learn firsthand from the magazine writers you know and trust. In-depth coverage by the world's top gurus regarding security insights about Windows Server 2003, Windows XP, Windows 2000 Server, IIS, SQL Server, and the Microsoft .NET platform. Benefit immediately from the latest real-world tips on Active Directory, Group Policy, and migration techniques. May 18-21, 2003. Register today.
    http://www.winconnections.com/win

    4. SECURITY ROUNDUP

  • NEWS: Microsoft Opens Source Code to Governments

  • Microsoft announced it has opened its source code to governments under a new Government Security Program (GSP). The GSP lets governments review code to address security and other concerns. Governments have long had access to UNIX platform source code, including Linux versions. However, ensuring the security of Microsoft products has been a stumbling block for government acceptance.
    http://www.wininformant.com/articles/index.cfm?articleid=37683

  • NEWS: Group Espada Announces New Security Tools

  • Group Espada announced it would release a set of new security tools now undergoing beta testing. The new tools consist of KATANA, KATANA.NET, and KATANA for SQL Server 2000 and will be available as a suite or as individual components.
    http://www.wininformant.com/articles/index.cfm?articleid=37700

  • FEATURE: Building a Secure VPN

  • The VPN concept has been around for almost 10 years. Technologies that use public data lines for private corporate traffic promise companies a cornucopia of benefits—from saving money on expensive leased lines to a workforce empowered to access the entire wealth of corporate IT resources from any kind of connection anywhere on the globe. But as with other overhyped and overmarketed technologies, the devil is in the details. Read all about it in this article by Tony Howlett.
    http://www.secadministrator.com/articles/index.cfm?articleid=37447

    5. INSTANT POLL

  • RESULTS OF PREVIOUS POLL: ISA SERVER 2000

  • The voting has closed in Windows & .NET Magazine's Security Administrator Channel nonscientific Instant Poll for the question, "Does your company use Microsoft Internet Security and Acceleration (ISA) Server 2000?" Here are the results from the 348 votes. (Deviations from 100 percent are due to rounding errors.)
    • 38% Yes
    • 55% No
    • 7% No, but we intend to implement it

  • NEW INSTANT POLL: SECURITY ADMINISTRATIVE DUTIES

  • The next Instant Poll question is, "What is currently the main focus of your security-related administrative duties?" Go to the Security Administrator Channel home page and submit your vote for a) Tightening general security, b) Defending against network attacks, c) Defending against Web site attacks, d) Filtering junk email, or e) Controlling employee surfing habits.
    http://www.secadministrator.com

    6. SECURITY TOOLKIT

  • VIRUS CENTER

  • Panda Software and the Windows & .NET Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security.
    http://www.secadministrator.com/panda

  • FAQ: How can I restore my Windows XP system using an Automated System Recovery (ASR) backup?

  • (contributed by John Savill, http://www.windows2000faq.com)

    A. If you experience a core-OS corruption in XP and you've created an ASR backup, you can use the ASR backup to restore your system by performing the following steps:

    1. Boot from your original XP media.
    2. If prompted, press a key to boot the system from the CD-ROM.
    3. During the text mode portion of setup, press F2 to initiate an ASR restore.
    4. When prompted, insert the ASR backup disk and follow the onscreen instructions.

    7. NEW AND IMPROVED
    (contributed by Sue Cooper, [email protected])

  • LET THE PROS KEEP YOU SECURE

  • Dimension Data Holdings launched Surveyor for Security, a security assessment and risk management service. Dimension Data assesses your IT environment and determines the probability and impact associated with security risks. Dimension Data's security experts develop a remediation road map to ensure that the appropriate people, tools, and processes are in place to protect your company's assets. Dimension Data's security personnel then implement those safeguards and provide ongoing security management and monitoring services. Contact Dimension Data Holdings at 703-262 3200 or email the Director of North America Marketing at [email protected].
    http://www.didata.com

  • INSPECT AND REPORT ON COMPUTERS' SECURITY

  • Shavlik Technologies announced EnterpriseInspector 2.1, software that remotely inspects and reports on the security of your servers and workstations. EnterpriseInspector 2.1 combines the security checklist of the Microsoft Baseline Security Analyzer (MBSA), which Shavlik Technologies developed, with the power of Microsoft SQL Server 2000 and a custom reporting engine. New features include detection on Microsoft Exchange Server and Windows Media Player (WMP), scanning on all instances of SQL Server, support for Microsoft Software Update Services (SUS), and database statistics and maintenance. Contact Shavlik Technologies at 651-426-6624, 800-690-6911, and [email protected].
    http://www.shavlik.com

  • SUBMIT TOP PRODUCT IDEAS

  • Have you used a product that changed your IT experience by saving you time or easing your daily burden? Do you know of a terrific product that others should know about? Tell us! We want to write about the product in a future What's Hot column. Send your product suggestions to [email protected]

    8. HOT THREAD

  • WINDOWS & .NET MAGAZINE ONLINE FORUMS

  • http://www.winnetmag.com/forums

  • Featured Thread: Trouble with Network Windows XP Shares and Logons

  • (Two messages in this thread)

    A user says he's using Windows 2000 Server as a PDC and the only domain controller (DC) on his network. He uses XP, Win2K, and Windows NT clients.

    When he logs on to the domain with an XP client, all the network shares and printers work for a certain amount of time, but then they stop working. If he tries to connect to a network share, he receives the error message:

    "The system detected a possible compromise in security. Please ensure that you can contact the server that authenticated you."

    The event log shows the following error, with the source as NETLOGON:

    "No Domain Controller is available for domain \[domain name\] due to the following: There are currently no logon servers available to service the logon request. Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator."

    If he logs off and logs on again, everything works again. He doesn't have any problems with Win2K and NT clients, and the domain server is available all the time. Also, it takes users more than a minute to log on after they enter their password. He wants to know why. Lend a hand or read the responses:
    http://www.winnetmag.com/forums/rd.cfm?cid=42&tid=52550

  • HOWTO MAILING LIST

  • http://63.88.172.96/listserv/page_listserv.asp?a0=howto

  • Featured Thread: Microsoft Windows and PEM Certificates

  • (One message in this thread)

    A user writes that he's attempting to implement Microsoft's Certificate Authority (CA) using Windows 2000. His company's development and engineering team wants to generate and send out certificates in certain applications using Privacy Enhanced Mail (PEM) formatting, which is the ASCII base-64 format of DER. How does the CA format its certificates—in binary or in text? Will this approach work? Read the responses or lend a hand at the following URL:
    http://63.88.172.96/listserv/page_listserv.asp?a2=ind0301c&l=howto&p=330
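The thread summary above describes PEM as the ASCII base-64 form of DER. The following added example (not from the newsletter or the mailing list) shows that relationship by detecting which encoding a certificate blob uses and converting in both directions. The sample bytes are constructed and are not a real certificate.

```python
import base64
import binascii
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def detect_encoding(blob: bytes) -> str:
    """Classify a certificate blob as 'pem' (text), 'der' (binary) or 'unknown'."""
    if PEM_RE.search(blob):
        return "pem"
    if blob[:1] == b"\x30":  # DER certificates start with an ASN.1 SEQUENCE tag
        return "der"
    return "unknown"


def der_to_pem(der: bytes) -> bytes:
    """Base64-encode DER, wrap at 64 characters, and add the PEM armor lines."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (b"-----BEGIN CERTIFICATE-----\n" + b"\n".join(lines)
            + b"\n-----END CERTIFICATE-----\n")


def pem_to_der(pem: bytes) -> bytes:
    """Strip the armor and whitespace, then strictly decode the base64 body."""
    match = PEM_RE.search(pem)
    if not match:
        raise ValueError("no CERTIFICATE block found")
    body = b"".join(match.group(1).split())  # tolerates LF and CRLF line endings
    try:
        return base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError("PEM body is not valid base64") from exc


# Constructed sample: a SEQUENCE header plus 100 filler bytes, not a real certificate.
SAMPLE_DER = b"\x30\x64" + bytes(range(100))

if __name__ == "__main__":
    pem = der_to_pem(SAMPLE_DER)
    print(detect_encoding(SAMPLE_DER), detect_encoding(pem))
    print(pem.decode("ascii"))
```

Python's standard library offers the same conversion as `ssl.DER_cert_to_PEM_cert` and `ssl.PEM_cert_to_DER_cert`; the functions above spell out the steps so the format is visible.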

    9. CONTACT US
    Here's how to reach us with your comments and questions:

    (please mention the newsletter name in the subject line)

    This email newsletter is brought to you by Security Administrator, the print newsletter with independent, impartial advice for IT administrators securing a Windows 2000/Windows NT enterprise. Subscribe today!
    http://www.secadministrator.com/sub.cfm?code=saei25xxup

    Receive the latest information about the Windows and .NET topics of your choice. Subscribe to our other FREE email newsletters.
    http://www.winnetmag.net/email
