Security UPDATE, March 19, 2003

Subject: Security UPDATE, March 19, 2003


Windows & .NET Magazine Security UPDATE--brought to you by Security Administrator, a print newsletter bringing you practical, how-to articles about securing your Windows Server 2003, Windows 2000, and Windows NT systems.



New Shavlik HFNetChkPro 4.0!

More e-Security - Less Money (below IN FOCUS)


~~~~ SPONSOR: NEW SHAVLIK HFNetChkPro 4.0! ~~~~ Introducing Shavlik HFNetChkPro 4.0 - the next generation in security patch management. HFNetChkPro 4.0 is an automated scanning and remediation solution from Shavlik, the developers of HFNetChk and MBSA for Microsoft. It includes loads of new features that save time for busy security professionals while offering greater enterprise security. HFNetChkPro 4.0 automates patch remediation for Microsoft Office, Windows Server 2003, Exchange, SQL, Outlook, Java Virtual Machine and more. Its intuitive Drag-n-Drop Patch Management(tm) interface allows you to precisely control which groups will be scanned, by what criteria and when and how patches are deployed. Visit for details! ~~~~~~~~~~~~~~~~~~~~

March 19, 2003--In this issue:

1. IN FOCUS - Audit Your Windows Shares

2. SECURITY RISKS - Unchecked Buffer in Windows 2000 WebDAV

3. ANNOUNCEMENTS - Join The HP & Microsoft Network Storage Solutions Road Show! - Windows & .NET Magazine Connections: Win a Florida Vacation

4. SECURITY ROUNDUP - News: New Code Red Variant Spreading - Feature: Event-Log Auditing, Part 2

5. HOT RELEASE (ADVERTISEMENT) - eToken USB-based 2-Factor Authentication

6. INSTANT POLL - Results of Previous Poll: Spam Filtering - New Instant Poll: WebDAV and IIS

7. SECURITY TOOLKIT - Virus Center - FAQ: Why Do I Receive Event ID 529 in My Security Event Log?

8. NEW AND IMPROVED - Secure Corporate IM Use - Manage Retina Scanners from Browser - Submit Top Product Ideas

9. HOT THREADS - Windows & .NET Magazine Online Forums - Featured Thread: Personal Laptop Security on Client Networks - HowTo for Security Mailing List - Featured Thread: A New DDoS Client?

10. CONTACT US See this section for a list of ways to contact us.




(contributed by Mark Joseph Edwards, News Editor, [email protected])


CERT issued an advisory last week regarding exploitation of Windows shares. The team is receiving an increasing number of reports about intrusion against shares on Windows XP and Windows 2000 systems. Intruders who exploit weak Administrator account passwords have compromised thousands of systems.

CERT said the recent examples of tools used to compromise systems include W32/Deloder, GT-bot, sdbot, and W32/Slackor. Each of these tools can automatically scan networks for other systems to compromise, which lets such tools spread rapidly to countless systems. Attackers could use compromised systems to launch still other attacks in the future, such as Distributed Denial of Service (DDoS) attacks; or intruders could use the compromised systems to cover nefarious activities.

W32/Deloder and W32/Slackor scan for systems with a listening port 445, which handles Server Message Block (SMB) sessions over TCP/IP. W32/Deloder includes a Virtual Network Computing (VNC) tool that lets a remote intruder view the compromised system's desktop. Internet Relay Chat (IRC) is one way that all four tools let a remote intruder gain control over a compromised system. GT-bot and sdbot both include functionality that directly facilitates DDoS attacks. CERT's advisory contains descriptions of these tools, including their components, and offers advice about how to detect them on your systems.

With remote access to a system, intruders can perform many possible actions. If you notice large amounts of traffic destined for or targeting port 445, you might consider checking to determine the source of the traffic--it might be coming from one compromised system. CERT advises, for example, that if a given system isn't meant to be a file server, that system shouldn't have share points, and such sharing should be disabled on all nonserver systems. CERT's advice includes disabling hidden administrative shares on XP and Win2K platforms.

CERT advises--as security professionals have long emphasized--that you use strong passwords, antivirus software, firewalls, and ingress and egress filtering to help curb unwanted network traffic. And never run programs that you don't implicitly trust.

CERT's recommendations, as always, are sound. In addition to following that advice, be sure to use the security scanner of your choice and security checklists that Microsoft and other third-party companies publish to examine your system's security. You can find Microsoft's checklists and guides at the URLs below.

And if you aren't aware of it already, another version of the Code Red worm, called Code Red F, is spreading around the Internet. You can read about that in the related news story "New Code Red Variant Spreading" in the Security Roundup section of this newsletter. By now, you should have patched your systems so that they aren't susceptible to Code Red, but if you haven't done so, read the news story to learn about the Microsoft IIS patch that can help prevent infection. Also, be sure to read the vulnerability report "Unchecked Buffer in Windows 2000 WebDAV," regarding the newly reported problem with WWW Distributed Authoring and Versioning (WebDAV). It's important that you patch your servers as soon as possible.


~~~~ SPONSOR: MORE e-SECURITY - LESS MONEY ~~~~ Pay 2/3 less than the industry leader for Strong (two-factor) Authentication for VPN and Web using the Authenex A-Key(tm) USB token. Plus with the same A-Key USB Token, you can leverage an entire suite of strong e-Security applications, including: Web Access Control, Endpoint Encryption to protect either files or the entire hard drive, Secure File Exchange, and Storage for Digital Certificates. Click now for a FREE A-Key USB Token. ~~~~~~~~~~~~~~~~~~~~



(contributed by Ken Pfeil, [email protected])

* UNCHECKED BUFFER IN WINDOWS 2000 WEBDAV A new vulnerability exists in Windows 2000 that could result in the execution of arbitrary code on the vulnerable system. This vulnerability stems from an unchecked buffer in a component that WWW Distributed Authoring and Versioning (WebDAV) uses. A potential attacker could exploit this vulnerability by sending a specially formed HTTP request to a machine running Microsoft IIS. The request could cause the server to fail or to execute code of the attacker's choice. The vendor, Microsoft, has released Security Bulletin MS03-007 (Unchecked Buffer In Windows Component Could Cause Web Server Compromise) to address this vulnerability and recommends that affected users immediately apply the patch mentioned in the bulletin.



(brought to you by Windows & .NET Magazine and its partners)

* JOIN THE HP & MICROSOFT NETWORK STORAGE SOLUTIONS ROAD SHOW! Now is the time to start thinking of storage as a strategic weapon in your IT arsenal. Come to our 10-city Network Storage Solutions Road Show, and learn how existing and future storage solutions can save your company money--and make your job easier! There is no fee for this event, but space is limited. Register today!

* WINDOWS & .NET MAGAZINE CONNECTIONS: WIN A FLORIDA VACATION Simply the best lineup of technical training for today's Windows IT professional. Register now for this exclusive opportunity to learn in-person from the Windows & .NET Magazine writers you trust. Attendees will have a chance to win a free Florida vacation for two. Register today and you'll also save $300.



* NEWS: NEW CODE RED VARIANT SPREADING Russ Cooper reports that a new variant of the Code Red worm, called Code Red F, is spreading on the Internet. Cooper said in a message posted to the NTBugTraq mailing list that the worm was detected in Finland using the WormCatcher monitoring software.

* FEATURE: EVENT-LOG AUDITING, PART 2 Logon and logoff reports are one of the most common management-requested types of auditing reports. Management can use these reports for many tasks--from verifying time-sheet entries to detecting unusual network activity. Generating logon and logoff reports for a given user seems fairly straightforward: Collect your security audit logs for the time interval for which you want a report, then filter the logs for the entries that correspond to the user of interest. Although creating a robust script to perform this operation isn't simple, you can do it--and you'll discover how in this article by Steve Seguis.



* eTOKEN USB-BASED 2-FACTOR AUTHENTICATION eToken from Aladdin offers simple, reliable and affordable 2-factor authentication for secure network logon, VPN access, web access, e-mail, and PC security. No reader or server required to securely store users' passwords, keys, and certificates.



* RESULTS OF PREVIOUS POLL: SPAM FILTERING The voting has closed in Windows & .NET Magazine's Security Administrator Channel nonscientific Instant Poll for the question, "Do you participate in a spam-filtering network?" Here are the results from the 163 votes. - 15% Yes--SpamAssassin - 12% Yes--SpamNet - 6% Yes--SpamCop - 21% Yes--Other - 46% No * NEW INSTANT POLL: WEBDAV AND IIS The next Instant Poll question is, "Does your company use WWW Distributed Authoring and Versioning (WebDAV) with Microsoft IIS?" Go to the Security Administrator Channel home page and submit your vote for a) Yes, b) No, or c) I'm not sure.



* VIRUS CENTER Panda Software and the Windows & .NET Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security.

* FAQ: Why Do I Receive Event ID 529 in My Security Event Log? ( contributed by John Savill, )

A. Windows will generate event ID 529 if the machine environment meets the following criteria: - The machine is running Windows XP. - The machine is a member of a domain. - The machine is using a machine local account. - You've enabled logon failure auditing.

When the user logs off, Windows will write event ID 529 to the log file because the OS incorrectly tries to contact the domain controller (DC), even though the machine is using a local account. Microsoft currently doesn't provide a fix for this problem, but you can safely ignore this event ID.



(contributed by Sue Cooper, [email protected])

* SECURE CORPORATE IM USE NetIQ released NetIQ imMarshal for MSN, content-security software designed to enforce corporate policies for Instant Messaging (IM) use by acting as a filter for MSN Messenger. The software permits preapproved content and communication through customizable policies that you can apply to individuals, user groups, or the entire organization. You can control users' access to IM, manage file transfers, create activity reports, archive chat sessions, and protect your systems from viruses. NetIQ imMarshal is expected to support additional IM platforms by the end of 2003. Contact NetIQ at 888-323-6768.

* MANAGE RETINA SCANNERS FROM BROWSER eEye Digital Security announced Retina Remote Manager, a Web-based interface that augments the remote management of multiple distributed Retina Network Security Scanners within your organization. You can strategically place scanners throughout the network and configure them to constantly monitor that portion of your network for vulnerabilities. Retina Remote Manager lets you log in through a secured HTTP Secure (HTTPS) interface to create, schedule, and view the results of scans, letting you manage the entire vulnerability assessment and remediation process for a geographically dispersed enterprise network. Contact eEye Digital Security at 949-349-9062, 866-339-3732, and [email protected]

* SUBMIT TOP PRODUCT IDEAS Have you used a product that changed your IT experience by saving you time or easing your daily burden? Do you know of a terrific product that others should know about? Tell us! We want to write about the product in a future What's Hot column. Send your product suggestions to [email protected]




Featured Thread: Personal Laptop Security on Client Networks (Four messages in this thread)

A user writes that he's a contractor who uses his own laptop to connect to various clients' networks. Each network tries to apply its policies to his laptop, including installing antivirus software, setting up Microsoft Outlook profiles, changing icons, and blocking access to certain areas of the laptop. He uses NetSwitcher, so logging on to different networks isn't a problem. He currently uses Windows 98, and the client networks are mainly Windows 2000 domains. Can he block these policies at his computer, or must he go to the systems administrators for help? Should he upgrade to Windows XP Professional or Win2K to locally limit the access allowed to his local user accounts? Lend a hand or read the responses:


Featured Thread: A New DDoS Client? (One message in this thread)

A user writes that he has Windows 2000 Server with Service Pack 3 (SP3) running RRAS, but he hasn't applied the latest hotfixes. The server has one internal NIC and one NIC that leads to a demilitarized zone (DMZ) that attaches to a DSL router. He found a Trojan horse on his system, running from a file called stde9.exe and wonders whether anyone has seen this Trojan horse before. Read the responses or lend a hand at the following URL:



Here's how to reach us with your comments and questions:

* ABOUT IN FOCUS -- [email protected]

* ABOUT THE NEWSLETTER IN GENERAL -- [email protected] (please mention the newsletter name in the subject line)


* PRODUCT NEWS -- [email protected]



******************** This email newsletter is brought to you by Security Administrator, the print newsletter with independent, impartial advice for IT administrators securing a Windows 2000/Windows NT enterprise. Subscribe today!

Receive the latest information about the Windows and .NET topics of your choice. Subscribe to our other FREE email newsletters.


Thank you for reading Security UPDATE.

Thank you! __________________________________________________________ Copyright 2003, Penton Media, Inc.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.