Security UPDATE--IE 7.0 and Windows Vista Bring More Secure Communications--November 2, 2005

This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE.

Quest Software



1. In Focus: IE 7.0 and Windows Vista Bring More Secure Communications

2. Security News and Features

- Recent Security Vulnerabilities

- Problems with Microsoft's October Security Updates

- Voice over IP Security Taking Shape

3. Security Toolkit

- Security Matters Blog


- Security Forum Featured Thread

4. New and Improved

- Endpoint Compliance Without Client Software


==== Sponsor: Quest Software ====

Join us for a free Webcast that explains how organizations with heterogeneous enterprises can "Get to One" solution for systems management through Microsoft Systems Management Server (SMS). For most organizations, heterogeneous enterprises are a fact of life, but they present significant systems management challenges particularly for Unix, Linux and Mac systems. Fortunately, through natively implementing standards on non-Windows systems, those systems can participate in the systems management infrastructure offered by SMS. This Webcast will explain how an integrated architecture can streamline processes, save money, reduce complexity, increase security, and enable compliance for Windows, Unix, Linux, and Mac systems. Register to attend our Webcast on November 9, 2005 at 1:00 PM EDT


==== 1. In Focus: IE 7.0 and Windows Vista Bring More Secure Communications

by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Microsoft's IEBlog is published by the development team that works on Internet Explorer (IE). As such, the blog contains interesting information about what we might see in future versions of the browser.

On October 22, the IE development team published an article that outlines a few changes Microsoft is making with Secure Sockets Layer (SSL) and Transport Layer Security (TLS). Current versions of IE support SSL 2.0, SSL 3.0, and TLS 1.0, each of which can be enabled or disabled individually (select Internet Options from the Tools menu, go to the Advanced tab, and scroll down to the Security section). In IE 6.0, SSL 2.0 and SSL 3.0 are enabled and TLS 1.0 is disabled--at least that's the configuration in my default installations. However, SSL 3.0 and TLS 1.0 are much more secure than SSL 2.0, which has known weaknesses in its handshake and integrity protection; therefore, Microsoft has decided that in IE 7.0, SSL 2.0 will be disabled by default and SSL 3.0 and TLS 1.0 will be enabled by default. Many Web servers still negotiate SSL 2.0, and any server that offers only SSL 2.0 will be unreachable from a default IE 7.0 installation. Such sites need to begin offering SSL 3.0 or TLS 1.0 before IE 7.0 enters widespread use.

Another major change is the way certificates will be handled. IE 7.0 will initially block access to sites whose certificates weren't issued by a trusted root or whose certificates have expired or been revoked. Under the first two conditions, the browser will offer the user the option of connecting anyway but not if the certificate has been revoked. In addition, the browser won't show nonsecure content on sites whose pages use both secure and nonsecure content unless the user explicitly unblocks the nonsecure content.

Windows Vista will also bring changes to secure communications. With Vista, we'll finally see the use of 256-bit Advanced Encryption Standard (AES) cipher suites to protect HTTPS traffic. Vista will also use the Online Certificate Status Protocol (OCSP) for speedier certificate status checking, querying the issuing CA for the status of a single certificate instead of downloading its entire certificate revocation list (CRL), and will implement some of the TLS extensions outlined in Internet Engineering Task Force (IETF) Request for Comments (RFC) 3546, among them the server_name extension (Server Name Indication, or SNI), which lets the client tell the server which host name it wants during the handshake.

Web site administrators need to be aware of these upcoming features in IE and Vista and take the necessary steps toward compatibility. Otherwise you're bound to run into problems, particularly with certificates on systems that host several HTTPS virtual domains on one IP address. Without the server_name extension, the server doesn't learn which host the browser wants until after the certificate has already been sent, so it can present only one certificate for that address and every other domain on it produces a name-mismatch warning.
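To make the server-name problem concrete, here is an added example (not code from IEBlog or Microsoft) that builds a TLS 1.0 ClientHello carrying the RFC 3546 server_name extension, parses the host name back out of the raw record the way a virtual-hosting server would, and uses it to choose a certificate. The field layout follows RFC 2246 and RFC 3546; the host names, the certificate labels, the all-zero client random, and the cipher-suite list are constructed for the example.

```python
"""Encode and decode the RFC 3546 server_name (SNI) extension in a TLS 1.0
ClientHello, then use it to pick a certificate for a virtual-hosted server.
Wire layout per RFC 2246 (ClientHello) and RFC 3546 (extensions)."""
import struct

TLS_1_0 = (3, 1)
HANDSHAKE = 0x16          # TLS record ContentType
CLIENT_HELLO = 0x01       # HandshakeType
EXT_SERVER_NAME = 0x0000  # ExtensionType server_name
SNI_HOST_NAME = 0x00      # NameType host_name

# Constructed cipher-suite list (RFC 2246 / RFC 3268 values):
# RSA_WITH_AES_256_CBC_SHA, RSA_WITH_AES_128_CBC_SHA, RSA_WITH_3DES_EDE_CBC_SHA
DEFAULT_SUITES = (0x0035, 0x002F, 0x000A)


def _server_name_extension(host: str) -> bytes:
    """ServerNameList with one host_name entry (RFC 3546 section 3.1)."""
    name = host.encode("ascii")  # host names are ASCII (IDNA labels) on the wire
    entry = struct.pack("!BH", SNI_HOST_NAME, len(name)) + name
    server_name_list = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", EXT_SERVER_NAME, len(server_name_list)) + server_name_list


def build_client_hello(host=None, suites=DEFAULT_SUITES, client_random=b"\x00" * 32) -> bytes:
    """Return a complete TLS record holding a ClientHello.
    host=None produces a pre-RFC 3546 hello with no extensions block at all."""
    assert len(client_random) == 32
    body = struct.pack("!BB", *TLS_1_0) + client_random
    body += struct.pack("!B", 0)                                   # empty session_id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += struct.pack("!BB", 1, 0)                               # compression: null only
    if host is not None:
        ext = _server_name_extension(host)
        body += struct.pack("!H", len(ext)) + ext
    handshake = struct.pack("!B", CLIENT_HELLO) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BBBH", HANDSHAKE, *TLS_1_0, len(handshake)) + handshake


def _host_name_from_server_name_list(data: bytes):
    list_len = struct.unpack("!H", data[:2])[0]
    pos, end = 2, 2 + list_len
    while pos + 3 <= end:
        name_type = data[pos]
        name_len = struct.unpack("!H", data[pos + 1:pos + 3])[0]
        pos += 3
        name = data[pos:pos + name_len]
        pos += name_len
        if name_type == SNI_HOST_NAME:
            return name.decode("ascii")
    return None


def parse_sni(record: bytes):
    """Return the SNI host name from a ClientHello record, or None when the
    client sent no server_name extension. Raises ValueError on bad framing."""
    if len(record) < 9 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    if len(record) != 5 + struct.unpack("!H", record[3:5])[0]:
        raise ValueError("record length mismatch")
    if record[5] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated handshake body")
    pos = 2 + 32                                             # client_version + random
    pos += 1 + body[pos]                                     # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]     # cipher_suites
    pos += 1 + body[pos]                                     # compression_methods
    if pos == len(body):
        return None                                          # legacy client: no extensions
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end != len(body):
        raise ValueError("extensions length mismatch")
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if etype == EXT_SERVER_NAME:
            return _host_name_from_server_name_list(data)
    return None


def select_certificate(record: bytes, certs_by_host: dict, default_host: str):
    """Virtual-hosting decision: serve the certificate for the requested name,
    or the default host's certificate when the client sent no SNI. Every
    non-default domain therefore shows a name mismatch to SNI-less browsers."""
    host = parse_sni(record)
    return certs_by_host.get(host, certs_by_host[default_host])


if __name__ == "__main__":
    certs = {"secure.example.com": "cert-A", "shop.example.net": "cert-B"}  # constructed
    for hello_host in ("shop.example.net", None):
        hello = build_client_hello(hello_host)
        print(hello_host, "->", parse_sni(hello), select_certificate(hello, certs, "secure.example.com"))
```

Run it and the SNI-less hello is handed cert-A even though the user may have typed shop.example.net; that is exactly the virtual-domain certificate problem the column warns about, and it persists for every client that doesn't send the RFC 3546 extension.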

You can learn more about these issues in IEBlog. You can also read a long list of comments and concerns from the blog's readers and post your own comments. If you want to learn more about the cryptography in Windows Vista, a video of an interview with Tomas Palmer and Tolga Acar (cryptography program managers at Microsoft) is available at MSDN.

If you're interested in information about Outlook Express (which incidentally has been renamed Windows Mail) in Windows Vista, be sure to read Windows Mail developer Bryan Starbuck's blog for plenty of insight regarding antispam features and more. You can also watch another video interview at MSDN with the developers and testers of Windows Mail in which they discuss the new mail client.


==== Sponsor: BindView====

Are You Prepared for the PCI-Data Security Standard?

If your organization handles credit card transactions with any of the major credit card companies, you need to assess and document your adherence to the PCI-data security standard. Failure to comply with the standard carries stiff penalties including fines, and the restriction of future transaction handling ability by negligent firms. Join BindView for a live Webcast where you will get an overview of the PCI-Data Security Standard; how the standard's 12 major requirements impact IT; and how automated solutions can help demonstrate compliance with these requirements to satisfy an audit. Register at:


==== 2. Security News and Features ====

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at

Problems with Microsoft's October Security Updates

Earlier this month, Microsoft published Security Bulletins MS05-050 and MS05-051 as part of its regular monthly security patch release schedule. In some instances, systems might still be vulnerable after installing a patch or administrators might find that various important services don't start. Find out more in this news article on our Web site.

Voice over IP Security Taking Shape

The Voice over IP Security Alliance (VOIPSA) released its security framework, which the alliance hopes will help the industry identify and mitigate potential threats to VoIP technology.


==== Resources and Events ====

What Does It Mean to Be Compliant?

We've all heard about legal and regulatory requirements, but there are other types of compliance that might also affect you--specifically email compliance. In this free Web seminar, you'll get insights into compliance and policy issues that you need to know about, as well as suggestions on what to look for when implementing your compliance strategy, and more. Register today!

Get Ready for the SQL Server 2005 Roadshow in Europe--Get the facts about migrating to SQL Server 2005!

SQL Server experts will present real-world information about administration, development, and business intelligence to help you implement a best-practices migration to SQL Server 2005 and improve your database-computing environment. Receive a one-year membership to PASS and one-year subscription to SQL Server Magazine. Register now.

Get the Maximum Return on Software Investments by Optimizing Every Dollar Spent on Software

Inaccurate information about software usage causes many organizations to either overspend and buy licenses they don't use, or underspend and deny some end users access to the software they need. Attend this free Web seminar and get a 5-step plan for quickly implementing a license management program today!

Accelerate Time to Recovery with Minimal Data Loss

Learn how to meet RPO (Recovery Point Objectives) and RTO (Recovery Time Objectives) with a continuous, or real-time backup system. In this free, on-demand Web seminar, you'll discover how to roll back data to any point in time--not just to the last snapshot or backup!

Exploit the Opportunities of a Wireless Fleet

With the endless array of mobile and wireless devices and applications, it's hard to decide what you can do with the devices beyond providing mobile email access. It's even tougher to know how to keep it all secure. Join industry guru Randy Franklin Smith in this free Web seminar and discover what you should do to leverage your mobile and wireless infrastructure, how to pick devices that are right for you, and more!


==== Featured White Paper ====

Software Packaging Workflow Best Practices Managing desktop software configurations doesn't have to be a manual process resulting in unplanned costs, deployment delays, and client confusion. In this free whitepaper, you'll learn how to manage the software package preparation process and increase your desktop reliability, user satisfaction, and IT cost effectiveness. Download your copy now and discover the value of standardizing the software packaging process.


==== 3. Security Toolkit ====

Security Matters Blog: Martin Roesch on Snort's Past, Present, and Future

by Mark Joseph Edwards

Ever wonder how the intrusion detection and prevention system Snort got started and where it might be going in the future? Snort creator Martin Roesch tells you all about it in an 18-minute audio interview.


by John Savill

Q: How can I determine the logged-on user's distinguished name (DN)?

Find the answer at

Security Forum Featured Thread: Allow POP Email but Not Internet Access

A forum participant has several clients with Windows 2000 boxes that need to retrieve POP3 email (TCP port 110) and send mail via SMTP (TCP port 25). The users aren't supposed to have general Internet access, but the machines still need to download automatic antivirus software updates via the Internet, so the firewall rules must permit those destinations and nothing else. Join the discussion at


==== Announcements ====

(from Windows IT Pro and its partners)

VIP Monthly Online Pass = Quick Answers

Sign up for a VIP Monthly Online Pass and get online access to ALL the articles, tools, and helpful resources published in SQL Server Magazine, Windows IT Pro, Exchange and Outlook Administrator newsletter, Windows Scripting Solutions newsletter, and Windows IT Security newsletter. You'll have 24/7 access to a database of more than 25,000 articles that will give you all the answers you need, when you need them. BONUS--Includes the latest issue of Windows IT Pro each month. Sign up now for just US$29.95 per month:

The Exchange & Outlook Administrator Newsletter

If you haven't already subscribed to the Exchange & Outlook Administrator newsletter, you're missing out on key information related to preventing serious messaging problems and downtime. This newsletter encompasses tools and solutions you won't find anywhere else to help you migrate, optimize, administer, backup, recover, and secure Exchange and Outlook. Order now:


==== 4. New and Improved ====

by Renee Munshi, [email protected]

Endpoint Compliance Without Client Software

ENDFORCE announced version 2.5 of its ENDFORCE Enterprise endpoint security policy enforcement solution. ENDFORCE Enterprise now includes a clientless Web agent that assesses unmanaged endpoints. Businesses can direct unmanaged endpoint users to a Web site where their system downloads an ActiveX component and undergoes a one-time assessment before gaining access to the network. Version 2.5 also gives companies the ability to send alerts to individuals and third-party monitoring systems, such as HP OpenView, based on compliance state changes and enforcement actions. For more information, go to

Tell Us About a Hot Product and Get a T-Shirt!

Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to [email protected].

Editor's note: Share Your Security Discoveries and Get $100

Share your security-related discoveries, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions (500 words or less) to [email protected]. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.


==== Contact Us ====

About the newsletter -- [email protected]

About technical questions --

About product news -- [email protected]

About your subscription -- [email protected]

About sponsoring Security UPDATE -- [email protected]


This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.

View the Windows IT Pro privacy policy at

Windows IT Pro, a division of Penton Media, Inc.

221 East 29th Street, Loveland, CO 80538

Attention: Customer Service Department

Copyright 2005, Penton Media, Inc. All rights reserved.
