Security UPDATE--Limit Your Exposure: Don't Use Administrative Accounts--March 2, 2005

1. In Focus: Limit Your Exposure: Don't Use Administrative Accounts

2. Security News and Features

- Recent Security Vulnerabilities

- Numerous Security Flaws in Web Browsers Remain Unpatched

- Microsoft Adds Security Guidance Center for Small Businesses

3. Security Toolkit

- Security Matters Blog

- FAQ

- Security Forum Featured Thread

4. New and Improved

- 256-Bit SSL Certificates

==== Sponsor: St. Bernard Software ====

Exclusive Online Event: Email Protection at the Perimeter!

Learn how you can get award-winning anti-virus protection and superior spam blocking while assuring your critical business emails get through. Sign up today for this free online product demonstration and see the ePrism M500 from St. Bernard Software in action. Discover the secret behind the eGuard Analysts and how email is scoured for digital fingerprints left by spammers so you won't receive or send spam and viruses again! Sign up now!

http://www.windowsitpro.com/whitepapers/stbernard/eprismdemo/index.cfm?code=secnl

==== 1. In Focus: Limit Your Exposure: Don't Use Administrative Accounts ====

by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

You're probably well aware that running your desktop while logged on as an administrator can be risky. The reason of course is that administrators have full authority on the system, so any program that launches under an administrative account can perform almost any action you can think of.

As you'll learn if you read the Security Matters blog item "Windows Firewall: Another Good Reason Not to Login as Administrator" ( http://www.windowsitpro.com/Article/ArticleID/45476 ), spyware peddlers have already developed a way of adding their programs to the Windows Firewall's list of trusted applications. The spyware application simply adds a registry subkey that references the application under the subkey that stores trusted applications. Any trusted application is allowed to send traffic out of the computer. However, adding a subkey to the list of trusted applications works only if the user is logged on with administrative authority. So now you know one more reason why administrative accounts should be used sparingly.

Mark Minasi recently wrote an interesting editorial in Windows IT Pro UPDATE--Special Edition titled "Follow-Up: Why Microsoft Can't Stop Root Kits." Minasi pointed out that the primary leverage an intruder has is a user logged on with an administrative account.

http://www.windowsitpro.com/Article/ArticleID/45518

In a message posted to the Bugtraq mailing list, Chris Wyposal pointed out that "The security problem that has created the spyware malaise on Windows is the default Windows installation for home users, which creates the user's named account in the Administrators group. When this account is used to browse the Internet there is no protection to prevent spyware/malware from bypassing security mechanisms, such as the XP SP2 firewall, by exploiting vulnerabilities or tricking the user."

Wyposal's statement is true. The same thing goes for corporate users who use an administrative account primarily for visiting networks external to their company network. Wyposal also made the interesting prediction that due to the problem of spyware and malicious software, Microsoft will eventually change the Windows installation process so that at least two accounts are created: one for administrative use and another with limited permissions for everyday and Internet use.

http://securityfocus.com/archive/1/391029/2005-02-15/2005-02-21/0

Any of you who've used a Unix-based or Linux-based system know that this sort of dual-account use is standard practice. You log on with a regular user account, and when you need administrative privileges, you can use the "su" (super user) command to temporarily elevate your privileges, log out and log back in as "root" or some other administrative account, or create another logon session on your desktop.

Windows also lets users elevate their privileges, but this capability isn't used nearly as often as it should be. You probably know this already, but I'll point it out in case any readers are unaware: A simple way to elevate your privileges for specific application use in Windows is to use the RunAs feature, which lets you run programs under any account context provided that you supply the corresponding account password. This feature works great even for desktop systems on which some applications might not work correctly except under an account with some level of administrative authority. If you need help figuring out how to use RunAs, then check the articles at Microsoft's Web site.

http://search.microsoft.com/search/results.aspx?qu=RunAs

==== Sponsor: SQL Server Magazine ====

Get SQL Server Magazine and Get Answers

Throughout the year in 2005, SQL Server Magazine is on target to deliver comprehensive coverage of all hot industry topics including, SQL Server 2005, performance tuning, security, Reporting Services, Integration Services, and .NET development. If you aren't already a subscriber, now is the time to sign up. You'll get unlimited online access to every article ever published in the magazine and you'll get 30% off the cover price. Don't miss out . . . sign up today:

http://www.sqlmag.com/rd.cfm?code=00eu215xwu

==== 2. Security News and Features ====

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at

http://www.windowsitpro.com/departments/departmentid/752/752.html

Numerous Security Flaws in Web Browsers Remain Unpatched

Dozens of security-related problems remain unpatched in the Microsoft Internet Explorer (IE), Mozilla Firefox, and Opera Web browsers. According to security solution provider Secunia, which tracks vulnerabilities in more than 4000 products, some of the unpatched browser vulnerabilities are considered to be either moderately or highly critical.

http://www.windowsitpro.com/Article/ArticleID/45493

Microsoft Adds Security Guidance Center for Small Businesses

Microsoft added a new Security Guidance Center to its Small Business Center Web site. The new content provides security information and advice to help businesses create a safer network environment.

http://www.windowsitpro.com/Article/ArticleID/45495

==== Resources and Events ====

Keeping Critical Applications Running in a Distributed Environment

Get up to speed fast with solid tactics you can use to fix problems you're likely to encounter as your network grows in geographic distribution and complexity, learn how to keep your network's critical applications running, and discover the best approaches for planning for future needs. Don't miss this exclusive opportunity--register now!

http://www.windowsitpro.com/seminars/windowsapplications/index.cfm?code=0302emailannc

Get Ready for SQL Server 2005 Roadshow in a City Near You

Get the facts about migrating to SQL Server 2005. SQL Server experts will present real-world information about administration, development, and business intelligence to help you implement a best-practices migration to SQL Server 2005 and improve your database computing environment. Receive a 1-year membership to PASS and 1-year subscription to SQL Server Magazine. Register now!

http://www.windowsitpro.com/roadshows/sqlserverusa/index.cfm?code=0302emailanncs

Learn What You Can Do When Exchange Disaster Strikes

Messaging administrators can't always adequately plan for or prevent some kinds of disasters. In this free Web seminar, join Exchange MVP Paul Robichaux, as he describes some operational scenarios in which "disaster recovery" takes a back seat to "business continuance." Learn how to be prepared for events that might otherwise wipe out your messaging capability. Register now!

http://www.windowsitpro.com/seminars/exchangedisasterrecovery/index.cfm?code=0302emailannc

The Must-Attend Event for Securing Your Wireless Deployments

The Conference on Mobile & Wireless Security delivers on-target, need-to-know information on emerging issues and tech trends. Featuring first-class keynotes and sessions, an in-depth panel discussion, and interactive workshops, you will learn practical tactics for overcoming mobile security challenges and real-world strategies for maximizing the potential of your wireless devices.

http://www.misti.com/01/mws05nl1.html

Meet the Risks of Instant Messaging Head On in This Free Web Seminar

Don't overlook Instant Messaging in your compliance planning. Attend this free Web seminar and learn how to minimize IM's authentication and auditability risks and prevent security dangers. You'll also receive a list of the top requirements to consider when choosing a secure IM solution. Sign up now!

http://www.windowsitpro.com/seminars/instantmessaging/index.cfm?code=0302emailannc

==== 3. Security Toolkit ====

Security Matters Blog

by Mark Joseph Edwards, http://www.windowsitpro.com/securitymatters

Windows Firewall: Another Good Reason Not to Login as Administrator

Administrator rights are dangerous enough already. Combine them with Windows Firewall protecting a system, and somebody from outside your network might be able to bypass the firewall.

http://www.windowsitpro.com/Article/ArticleID/45476

FAQ

by John Savill, http://www.windowsitpro.com/windowsnt20002003faq

Q. How can I configure Group Policy-based scripts to display when they're executed?

Find the answer at

http://www.windowsitpro.com/Article/ArticleID/45434

Security Forum Featured Thread: Annoying Files That Continually Reappear

A forum participant is wondering about two files on his system, wkwgww.exe and hnhihh.exe. He thinks the files are related due to the file names. He has the latest updates for his antivirus and antispyware scanners, but those tools don't detect anything suspicious about the two files. When he deletes the files, they reappear on the system. Join the discussion at

http://www.windowsitpro.com/Forums/messageview.cfm?catid=42&threadid=130224

==== Announcements ====

(from Windows IT Pro and its partners)

Get Windows IT Pro at 44% Off!

Windows & .NET Magazine is now Windows IT Pro! Act now to get an entire year for just $39.95--that's 44% off the cover price! Our March issue shows you what you need to know about Windows Server 2003 SP1, how to get the best out of your IT staff, and how to fight spyware. Plus, we review the top 10 features of Mozilla Firefox 1.0. This is a limited-time, risk-free offer, so click here now:

http://www.windowsitpro.com/rd.cfm?code=theu2052up

==== 4. New and Improved ====

by Renee Munshi, [email protected]

256-Bit SSL Certificates

XRamp Technologies announced that it's now issuing 256-bit digital Secure Sockets Layer (SSL) certificates. The certificates work with all browsers and servers that support the 256-bit Advanced Encryption Standard (AES) and are backward-compatible for browsers and servers that can handle only 128-bit or 40-bit encryption. Microsoft hasn't yet implemented 256-bit capability into its servers and browser, but 256-bit AES encryption is available with Linux Web servers, and the free Mozilla Firefox Web browser supports 256-bit AES. A 1-year 256-bit SSL certificate from XRamp costs $128. Multiyear certificates are available at discounted prices. For more information, go to

http://www.xramp.com

Tell Us About a Hot Product and Get a T-Shirt!

Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to [email protected].

Editor's note: Share Your Security Discoveries and Get $100

Share your security-related discoveries, comments, or problems and solutions in the Security Administrator print newsletter's Reader to Reader column. Email your contributions (500 words or less) to [email protected]. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

==== Sponsored Links ====

Automate Patch Management with Symantec ON iPatch

http://ad.doubleclick.net/clk;14381010;8214395;x?http://sea.symantec.com/IPWITPSL228

Quest Software

See Active Directory in a whole new light. And get a free flashlight!

http://ad.doubleclick.net/clk;13695556;8214395;t?http://wm.quest.com/WITPUpdatelinkSpotADflash205

==== Contact Us ====

About the newsletter -- [email protected]

About technical questions -- http://www.windowsitpro.com/forums

About product news -- [email protected]

About your subscription -- [email protected]

About sponsoring Security UPDATE -- [email protected]