Security UPDATE--Enforcing Corporate Web Policies--May 17, 2006

This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE.





1. In Focus: Enforcing Corporate Web Policies

2. Security News and Features

- Recent Security Vulnerabilities

- Novell's New Alternative for Microsoft Customers

- WebDAV for Remote Access

- Permission Changes Surprise Mobile Device Administrators

3. Security Toolkit

- Security Matters Blog


- Security Forum Featured Thread

- Instant Poll

- Share Your Security Tips

4. New and Improved

- SMS Does Group Policy


==== Sponsor: Diskeeper ====

Free download! Fast, thorough automatic defragmentation

NEW Diskeeper 10! FREE download! Boost access speeds like never before with breakthrough disk performance calibration technology. Get fast, thorough defragmentation transparently in the background for every system on your network. See why Diskeeper is the number one automatic defragmenter - download FREE 30-day fully-functional trialware now


==== 1. In Focus: Enforcing Corporate Web Policies ====

by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Last week I blogged (at the URL below) about an upcoming tool, Psiphon, that will undoubtedly give some administrators a difficult challenge. The reason is that your users could employ Psiphon to bypass your content or URL filters.

According to information posted on the Web (at the URL below), "Psiphon is a user-friendly stand-alone proxy application designed to securely circumvent Internet censorship.... Unlike other circumvention technologies, Psiphon relies on multiple social networks of trust, rather than mass publication of IPs or proxies, which can be easily intercepted and filtered by a determined state."

Psiphon is a script written in the popular Python language. It works in a similar fashion to a traditional proxy server--that is, a remote Psiphon server intercepts and processes URL requests, then returns the data to the requesting client. The traffic is encrypted between the Psiphon client and server. The idea is to have a trusted friend or associate, or possibly one of your own computers, run the Psiphon server at the remote location. Psiphon servers require a username and password from the client, so access to them can be controlled.

Another popular tool in a similar vein is The Onion Router (Tor, at the URL below), based on the SOCKS protocol. Tor is a bit different from Psiphon in that anonymous people run Tor servers. Effectively, Tor acts as an anonymous network of proxy servers, and your traffic might pass through any number of them (but at least three), depending on how you configure the client. Tor directory servers keep track of the addresses of Tor proxy servers and automatically deliver those addresses to Tor clients.

One major attraction of Tor is that it offers relative anonymity. Anyone can run a Tor client or server without having to reveal anything to the outside world except an IP address, and that address is only made known to the first Tor server your traffic passes through. Furthermore, all traffic on the Tor network is encrypted, which helps protect against snooping.

There are of course a number of other proxy services that could be used to circumvent your corporate policies. I single out Psiphon and Tor here because Psiphon is new and Tor, although it has been around for quite some time, is gaining more attention as the days go by.

Preventing the use of outside proxy services can be tedious. You could of course limit the ability to install unauthorized software such as Python, Psiphon, and Tor, or regularly audit systems to look for unauthorized software, or both. Another tactic could be to filter connections to proxies. However, it would be difficult to filter all the many third-party proxies that operate over port 80, particularly because you must discover them before you can filter them and because you probably can't block port 80 at your network borders.

The overall problem is compounded if you use Web browsers, mail clients, and other Internet-related tools that don't offer much control over their configuration. If you can restrict the client configuration of proxy and SOCKS settings, you can better control policy enforcement; if you can't restrict configuration because of software limitations, savvy users will find a way around your controls if they want to.
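The two preceding paragraphs describe the network-side countermeasures: discover and filter connections to outside proxies, and notice clients whose Web traffic no longer passes through the sanctioned proxy. The script below is an added example written to illustrate how those checks can be run over egress logs; it is not code from the newsletter, from Psiphon or from Tor. Its log format, the addresses, the sanctioned proxy address 10.0.0.5, the port lists and the thresholds are all constructed assumptions.

```python
"""Flag Web-policy circumvention in egress logs (added example, not from the page).

Reads a constructed, simplified log with two record kinds, FW (border firewall,
direct connections) and PROXY (the sanctioned proxy's access log), and applies
three heuristics that follow from the commentary:
  direct-bypass   a client reaches an external address on a Web or proxy port
                  without going through the sanctioned proxy;
  tunnel-*        a CONNECT tunnel through the proxy to a bare IP address or to a
                  port other than 443, the usual way a remote proxy server is reached;
  fan-out         one client contacts many distinct external addresses in a short
                  window, as a proxy-hopping client tends to do.
Log format, addresses, ports and thresholds are all constructed assumptions.
"""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict
from datetime import datetime

SANCTIONED_PROXY_IP = "10.0.0.5"              # assumed: all Web traffic must use it
WEB_PORTS = {80, 443}
PROXY_PORTS = {1080, 3128, 8080, 9001, 9030}  # SOCKS, HTTP proxies, Tor relay defaults
FANOUT_THRESHOLD = 5                          # distinct external hosts ...
FANOUT_WINDOW_SECONDS = 60                    # ... within this many seconds
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed format: <iso-time> <FW|PROXY> <src> <dst>:<dport> [<method>]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<kind>FW|PROXY) (?P<src>\S+) "
    r"(?P<dst>[^:\s]+):(?P<dport>\d+)(?: (?P<method>\S+))?$"
)

# Constructed sample: one well-behaved client, one bypassing the proxy, one
# tunnelling to a raw address, and one fanning out to five external hosts.
SAMPLE_LOG = """\
2006-05-17T09:00:01 PROXY 10.1.2.10 www.example.com:80 GET
2006-05-17T09:00:03 PROXY 10.1.2.10 www.example.com:443 CONNECT
2006-05-17T09:00:05 FW 10.1.2.11 198.51.100.7:443
2006-05-17T09:00:06 PROXY 10.1.2.12 203.0.113.9:8080 CONNECT
2006-05-17T09:00:07 PROXY 10.1.2.12 203.0.113.9:22 CONNECT
2006-05-17T09:00:10 FW 10.1.2.13 192.0.2.1:443
2006-05-17T09:00:11 FW 10.1.2.13 192.0.2.2:443
2006-05-17T09:00:12 FW 10.1.2.13 192.0.2.3:443
2006-05-17T09:00:13 FW 10.1.2.13 192.0.2.4:9001
2006-05-17T09:00:14 FW 10.1.2.13 192.0.2.5:443
2006-05-17T09:00:20 FW 10.1.2.14 10.0.0.5:8080
"""


def parse(log_text: str) -> list[dict]:
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events


def external_ip(host: str):
    """Return the address if host is an IP literal outside INTERNAL_NETS, else None."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:                  # a host name, not an address
        return None
    return None if any(addr in net for net in INTERNAL_NETS) else addr


def analyze(events: list[dict]) -> list[tuple[str, str, str]]:
    """Return (client, rule, detail) findings for the three heuristics."""
    findings = []
    direct = defaultdict(list)          # client -> its direct external connections
    for ev in events:
        dst_ip = external_ip(ev["dst"])
        target = f"{ev['dst']}:{ev['dport']}"
        if ev["kind"] == "FW":
            # Proxied traffic crosses the border with the proxy as its source;
            # any other source reaching an external address went around it.
            if ev["src"] == SANCTIONED_PROXY_IP or dst_ip is None:
                continue
            direct[ev["src"]].append(ev)
            if ev["dport"] in WEB_PORTS | PROXY_PORTS:
                findings.append((ev["src"], "direct-bypass", target))
        elif ev["kind"] == "PROXY" and ev["method"] == "CONNECT":
            if dst_ip is not None:
                findings.append((ev["src"], "tunnel-to-ip", target))
            if ev["dport"] != 443:
                findings.append((ev["src"], "tunnel-odd-port", target))
    for src, evs in direct.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            hosts = {e["dst"] for e in evs[i:]
                     if (e["ts"] - first["ts"]).total_seconds() <= FANOUT_WINDOW_SECONDS}
            if len(hosts) >= FANOUT_THRESHOLD:
                findings.append((src, "fan-out",
                                 f"{len(hosts)} external hosts in {FANOUT_WINDOW_SECONDS}s"))
                break                   # one fan-out finding per client is enough
    return findings


def rules_by_client(findings) -> dict[str, set[str]]:
    """Collapse findings to {client: set of rules} for a quick per-host view."""
    out = defaultdict(set)
    for src, rule, _ in findings:
        out[src].add(rule)
    return dict(out)


if __name__ == "__main__":
    for src, rule, detail in analyze(parse(SAMPLE_LOG)):
        print(f"{src:<12} {rule:<16} {detail}")
```

Run as a script it prints one line per finding for the embedded sample. In practice you would feed it the border firewall's connection log and the proxy's access log, tune INTERNAL_NETS and the thresholds to your network, and treat a fan-out hit as a lead to investigate rather than proof, since update services and content networks also spread a client's connections across many addresses.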

I think one of the best deterrents is to have written acceptable-use policies that include clearly defined grounds for termination of employment. If people value their jobs, they'll probably follow the rules.

I'm curious about how you deal with this problem of policy circumvention on your network, if at all. If you can share details, send me an email. If I receive enough responses, I'll summarize them in a future edition of this newsletter.


==== Sponsor: Symantec ====

Don't take chances with your email security - learn to evaluate product strength and vendor viability to make the best purchase decisions.


==== 2. Security News and Features ====

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at

Novell's New Alternative for Microsoft Customers

Coming at a time when Microsoft customers are mulling over the upcoming Windows Vista platform, Novell announced its Open Workgroup Suite, which the company says is an open, low-cost alternative to the Windows-centric solution.

WebDAV for Remote Access

Are you looking for a better way to provide remote workers access to internal file servers? Look no further than leveraging Windows XP's and Windows Server 2003's built-in support for the Web Distributed Authoring and Versioning (WebDAV) protocol, which provides secure access through an application proxy. Learn more about it in this article on our Web site.

Permission Changes Surprise Mobile Device Administrators

The difficulty of balancing security and functionality has recently been highlighted by a change Microsoft made to the way mailbox permissions are applied in Exchange Server 2003 and Exchange 2000 Server and how the change affected mobile device users. Paul Robichaux explains in this article on our Web site.


==== Resources and Events ====

Exchange and Office 2007 Roadshow

Get the facts about deploying Exchange and Office 2007! You'll come away with a clear understanding of how to implement a best-practices migration to Exchange Server 2007, how to use Exchange Server 2007's new capabilities to improve your messaging environment, and how you and your end users can get the most out of Office 2007.

Use virtual lab automation solutions to address special challenges in pre-production and staging environments, such as virtual server file library management, provisioning, configuration, and remote access concerns. Live Event: Thursday, May 18

Mark Joseph Edwards discusses emerging spyware threats, including rootkits and keyloggers, and spyware distribution methods. Live Event: Tuesday, May 30

Maximize your VoIP environment by integrating FoIP technology to increase ROI and streamline processes.

Learn the advantages of running SQL Server 2005 and its BI subsystems on the x64 platform; the performance benefits the x64 architecture provides for Analysis Services, Integration Services, and Reporting Services; and how to migrate to the new 64-bit x64 platform.


==== Featured White Paper ====

Determining effective permissions on Windows can be incredibly challenging. In this must-have white paper, you'll learn why it's essential to determine effective permissions; how to determine who has access to critical information in Windows; how to resolve overlapping permissions for network access, shared hierarchies, and local machine rights; and how entitlement reporting can overcome the challenges with an automated solution.


==== Hot Spot ====

ThreatSentry - IIS Host IPS & Application Firewall

Malicious or unauthorized traffic plaguing your Web servers? ThreatSentry combines a state-of-the-art Application Firewall and advanced behavioral intrusion prevention components to block any activity falling outside of trusted parameters. Get enterprise-grade, multi-layered protection for Microsoft IIS at a small business price! Download free trial today.


==== 3. Security Toolkit ====

Security Matters Blog: Psiphon Due Out by End of May

by Mark Joseph Edwards

As mentioned in the commentary above, Psiphon might be a potential headache for your policy enforcement. Then again, it might be a good tool to have on hand for a variety of testing purposes. Learn more in this blog entry.


by John Savill

Q: What is Microsoft System Center?

Find the answer at

Security Forum Featured Thread: Antivirus Solution

A forum participant needs to purchase a new antivirus solution for his company. He supports 75 to 100 thin clients that generate a lot of mail activity. The company's call center has a large and complicated system that includes voice recording servers, NAS, and lots of Web and FTP traffic. He's especially interested in people's experience with Symantec's and Trend Micro's enterprise solutions. Join the discussion at

New Instant Poll

Which technologies do you use to secure your WLANs?

- WPA or WPA2 with 802.1x

- Other

- We don't support WLANs

See the article "Reaping the Benefits of WPA and PEAP" at

Submit your vote at

Share Your Security Tips and Get $100

Share your security-related tips, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions to [email protected]. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.


==== Announcements ====

(from Windows IT Pro and its partners)

Windows IT Pro Master CD--SAVE 50%!

Subscribe today and get portable, high-speed access to the entire Windows IT Pro article database on CD. This searchable library includes every Windows IT Pro issue ever published. The newest issue also includes BONUS Windows IT Tips. Order now and save:

May Exclusive: Save $100 off Windows Scripting Solutions

For a limited time, order the Windows Scripting Solutions newsletter and SAVE up to $100! You'll get 12 helpful issues loaded with expert-reviewed code and scripting techniques, as well as hundreds of tips on automating repetitive tasks. You'll also get FREE, unlimited access to the full online scripting article library (more than 500 articles). Subscribe now:


==== 4. New and Improved ====

by Renee Munshi, [email protected]

SMS Does Group Policy

FullArmor announced a Microsoft Systems Management Server (SMS) 2003 version of GPAnywhere. GPAnywhere for SMS lets administrators create Group Policy Objects (GPOs) in the SMS 2003 console and use SMS to deliver them to clients that might be outside the Active Directory (AD) domain. GPAnywhere for SMS also ships with three templates containing Group Policy settings recommended for high, medium, and low security environments and a template designer. GPAnywhere for SMS works with Windows 2000 Server and later versions. Prices start at $6 per managed machine and $1250 for the management console. For more information, go to

Tell Us About a Hot Product and Get a T-Shirt!

Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to

[email protected]


==== Contact Us ====

About the newsletter -- [email protected]

About technical questions --

About product news -- [email protected]

About your subscription -- [email protected]

About sponsoring Security UPDATE -- [email protected]


This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.

View the Windows IT Pro privacy policy at

Windows IT Pro, a division of Penton Media, Inc.

221 East 29th Street, Loveland, CO 80538

Attention: Customer Service Department

Copyright 2006, Penton Media, Inc. All rights reserved.
