Security UPDATE--SSTP One Reason to Look Forward to Vista SP1--January 24, 2007


Free Brief: Personal HP Workstations = Higher ROI?

Understanding and Leveraging Code Signing Technologies

esxRanger Professional: Hot Backups for VI3

=== CONTENTS ===================================================

IN FOCUS: SSTP One Reason to Look Forward to Vista SP1


- Fortify Software Extends Its Reach

- TJX Reveals Big Data Breach

- What's Hot: Readers Recommend the Best Products

- Recent Security Vulnerabilities


- Security Matters Blog: 51 Reasons to Patch Your Oracle Applications

- FAQ: Find a User's DN

- From the Forum: TACACS Authentication

- IT Pro of the Month--December 2006 Winner

- Share Your Security Tips


- New Endpoint Safety Features

- Wanted: Your Reviews of Products




=== SPONSOR: Hewlett-Packard ===================================

Free Brief: Personal HP Workstations = Higher ROI?

Discover why financial services executives get a LOT more out of their IT investments by investing in HP Personal Workstation Technology. Quickly learn how workstations ensure accuracy and security while driving down short- and long-term operating costs. This quick-read guide is a must read today.

=== IN FOCUS: SSTP One Reason to Look Forward to Vista SP1 =====

by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Sometimes building a VPN can be tedious work, especially when firewalls are involved. There are of course ways to build VPNs that can usually traverse a firewall without the need to configure new rules. One of the most common methods is to use a Secure Sockets Layer (SSL)-based VPN, which can be made to operate over standard HTTP ports.

Microsoft's new VPN technology, Secure Socket Tunneling Protocol (SSTP), does exactly that. SSTP is an SSL-based client-to-server VPN tunneling protocol designed to make connectivity much easier.

The biggest benefit of SSTP is that because it works over standard HTTP ports, SSTP traffic will be able to traverse a network to reach the end-point server even when the client is behind a Network Address Translation (NAT)-enabled network, Web proxy, or reasonably configured firewall that at least allows Web traffic. This will be very helpful, especially for mobile users who find themselves using networks at hotels and conference centers, which sometimes lock down their networks to the point of being unusable except for the most basic needs.

Microsoft has already released Windows Vista to businesses and is set to release the new OS to consumers this week. As you might expect, the company is busy working on Vista Service Pack 1 (SP1), and when that update is released, it will include SSTP. The company also plans to include SSTP in Windows Longhorn Server Beta 3, due sometime in the first half of this year.

Samir Jain, lead programmer for Microsoft's RRAS technology, said that SSTP integrates seamlessly into the OS so that it works through the typical RRAS interfaces. The integration means that you'll get the same types of functionality you're already accustomed to when using RRAS, such as support for Network Access Protection (NAP), support for IPv6, and support for various authentication mechanisms such as smart cards.

The way SSTP works is very similar to the way SSL works in a Web browser, with some added intricacies of course. A client computer connects to an SSTP-enabled server over TCP port 443--the standard SSL port. After the SSL session is built, the two systems then negotiate a Point-to-Point Protocol (PPP) session, including any required authentication. That's basically all there is to it.

Jain said that you will be able to deploy SSTP on the same server on which an existing L2TP VPN is deployed, and SSTP can share the same server certificate as the L2TP VPN. Because SSTP integrates tightly with RRAS, very little extra configuration will be necessary to implement SSTP.

There are of course downsides to using SSTP. For example, it won't work with Web proxies that require authentication. Another potential downside is that SSTP won't work for establishing site-to-site communication. This disadvantage is probably a minor one because site operators typically have the ability to manage firewalls on their networks, so they can use another method of connectivity. Microsoft could however expand SSTP to work for site-to-site communication in the future. Another downside might be that SSTP won't be supported on Windows XP, but we'll have to wait and see about that. As far as I know, the company hasn't said whether it will make SSTP available for XP systems.
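To make the mechanism and the proxy caveat above concrete for anyone monitoring the SSL port: the following Python example is added here and is not part of the newsletter or of Microsoft's code. It classifies decrypted HTTP request lines seen on TCP 443 (as a TLS-terminating inspection gateway would log them) as SSTP tunnel setup or ordinary web traffic, and recognizes the authenticating-proxy reply that stops SSTP setup. The method name and path that the SSTP client sends after the SSL handshake are taken from Microsoft's published MS-SSTP specification, not from this article; the hostname and log lines are constructed.

```python
"""Classify HTTP request/status lines captured on the SSL port as SSTP or not.

Added example, not from the newsletter. It models the flow the article
describes: TCP 443, then SSL, then an HTTP request that opens the SSTP
tunnel in which PPP is negotiated.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Method and path an SSTP client sends inside the SSL session, per the
# MS-SSTP specification (assumed from the spec, not stated in the article).
SSTP_METHOD = "SSTP_DUPLEX_POST"
SSTP_PATH = "/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/"

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z_]+) (?P<target>\S+) HTTP/1\.[01]$")
STATUS_LINE = re.compile(r"^HTTP/1\.[01] (?P<code>\d{3})")


@dataclass(frozen=True)
class Verdict:
    kind: str    # "sstp", "https", "connect", "proxy-auth-required", "unknown"
    detail: str


def classify_request(line: str) -> Verdict:
    """Classify one HTTP request line as seen after TLS termination."""
    m = REQUEST_LINE.match(line.strip())
    if not m:
        return Verdict("unknown", "not an HTTP/1.x request line")
    method, target = m.group("method"), m.group("target")
    if method == SSTP_METHOD:
        if target == SSTP_PATH:
            return Verdict("sstp", "SSTP tunnel setup: method and path match MS-SSTP")
        return Verdict("sstp", f"SSTP method with unexpected target {target}")
    if method == "CONNECT":
        # A client behind a web proxy first asks the proxy for a raw tunnel;
        # the SSL session and SSTP exchange then run inside that tunnel.
        return Verdict("connect", f"proxy tunnel request to {target}")
    return Verdict("https", f"ordinary web request {method} {target}")


def classify_proxy_reply(status_line: str) -> Verdict:
    """Interpret the proxy's reply to CONNECT; 407 is the case the article warns about."""
    m = STATUS_LINE.match(status_line.strip())
    if not m:
        return Verdict("unknown", "not an HTTP status line")
    code = int(m.group("code"))
    if code == 407:
        return Verdict("proxy-auth-required",
                       "proxy demands credentials; SSTP setup fails here")
    if 200 <= code < 300:
        return Verdict("connect", "proxy opened the tunnel; SSL and SSTP can proceed")
    return Verdict("unknown", f"proxy refused CONNECT with status {code}")


def summarize(lines):
    """Count verdict kinds over a batch of mixed request and status lines."""
    counts = Counter()
    for line in lines:
        if STATUS_LINE.match(line.strip()):
            counts[classify_proxy_reply(line).kind] += 1
        else:
            counts[classify_request(line).kind] += 1
    return dict(counts)


# Constructed sample of what a gateway log on port 443 might contain.
SAMPLE_LINES = [
    "GET /index.html HTTP/1.1",
    "SSTP_DUPLEX_POST /sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/ HTTP/1.1",
    "POST /api/login HTTP/1.1",
    "CONNECT vpn.example.test:443 HTTP/1.1",
    "HTTP/1.1 407 Proxy Authentication Required",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        v = classify_proxy_reply(line) if STATUS_LINE.match(line) else classify_request(line)
        print(f"{v.kind:20s} {v.detail}")
    print(summarize(SAMPLE_LINES))
```

Because the distinguishing request line is only visible after the SSL session is terminated, a plain port-based firewall rule cannot tell SSTP from web browsing; that is exactly the property the article credits for SSTP's ability to cross locked-down networks, and it is also why an inspection gateway is the place to count these tunnels.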

Nevertheless, SSTP will ease the burden faced by many mobile users, and that's a plus. So there's your first reason to look forward to Vista SP1. I'm sure other reasons to look forward to SP1 will come to light as the year progresses.


We're launching a new email newsletter! Starting February 1, Vista UPDATE is the twice-monthly resource for all things Vista, from deployment to security to virtual PC and beyond. Even if your company isn't moving to Vista yet, you'll stay current with what's happening in Vista with the help of Karen Forster, author of the "Hey Microsoft!" column in Windows IT Pro magazine. You'll also find desktop and client-side tips and insights from David Chernicoff, info for users from Kathy Ivens, and Ivens's ever-popular Reader Challenge.

Client UPDATE subscribers, you don't have to do a thing. All others, sign up now at

And please whitelist this address to ensure that your new Vista UPDATE isn't mistakenly blocked by antispam software: [email protected]

=== SPONSOR: Thawte ============================================

Understanding and Leveraging Code Signing Technologies

Learn all you need to know about code signing technology, including the goals and benefits of code signing, how code signing works and the underlying cryptographic and security concepts and building blocks.

=== SECURITY NEWS AND FEATURES =================================

Fortify Software Extends Its Reach

Fortify Software announced that it's reached an agreement to acquire certain intellectual property, capital assets, and resources from Secure Software. A spokesperson for Fortify said that the acquisition brings the company an increased customer base, increases its market exposure, and extends its ability to assist customers with the requirements and design phases of the software development lifecycle.

TJX Reveals Big Data Breach

In what is surely one of the many data breaches to come in 2007, The TJX Companies revealed that their customers' private data had been compromised in a security breach. Owner of several retail chains, including T.J. Maxx and Marshalls, TJX said that the company network that handles its credit card, debit card, check, and merchandise return transactions had been broken into.

What's Hot: Readers Recommend the Best Products

Readers write to tell us a bit about some of their favorite products: Barracuda Spam Firewall 300, KeePass Password Safe, and System Information for Windows.

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at

=== SPONSOR: Vizioncore ========================================

esxRanger Professional: Hot Backups for VI3

Still don't have a reliable disaster recovery plan in place?

Vizioncore's esxRanger Professional supports a sophisticated, yet cost-effective DR strategy for your VMware Infrastructure 3 environment. Restoring entire virtual machine images--or just files--is smooth and seamless. Visit for a trial download today.

=== GIVE AND TAKE ==============================================

SECURITY MATTERS BLOG: 51 Reasons to Patch Your Oracle Applications

by Mark Joseph Edwards,

Oracle released its first quarterly round of patches for 2007 and it contains a whopping 51 security fixes! Get a link to those fixes in this blog article.

FAQ: Find a User's DN

by John Savill,

Q: How can I determine the logged-on user's distinguished name (DN)?

Find the answer at

FROM THE FORUM: TACACS Authentication
A forum participant writes that he receives an "Authentication Failed" message when trying to log on to a Cisco router by using a Terminal Access Controller Access Control System (TACACS) server. The TACACS server log has the message "Authentication session aborted by request from NAS," which is the router. What could be causing the error? Join the discussion at

IT PRO OF THE MONTH--December 2006 Winner

Congratulations to Steven Fellwock, who was voted the December 2006 "IT Pro of the Month." Steven successfully improved a logon process by creating a SQL Server database that maintains Active Directory (AD) information. His new logon script never needs modification and is portable--able to run in any AD environment that includes a SQL Server database. To learn more about Steven's solution and to find out how you can become the next "IT Pro of the Month," please visit:

SHARE YOUR SECURITY TIPS
Share your security-related tips, comments, or problems and solutions in Security Pro VIP's Reader to Reader column. Email your contributions to [email protected] If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

=== PRODUCTS ===================================================

by Renee Munshi, [email protected]

New Endpoint Safety Features

Safend announced Safend Protector 3.1, which adds data encryption, the blocking of network bridging, and protection from PS/2 hardware keystroke-logging devices to the endpoint security product. The data encryption feature lets administrators require automatic encryption when data is transferred to USB drives and other portable storage devices. The anti-network bridging feature lets you block use of Wi-Fi, Bluetooth, and other protocols while a PC is connected to the wired corporate network. Safend Protector 3.1 adds new protection against PS/2 hardware key loggers to its previous protection against USB hardware key loggers. For more information, go to

WANTED: your reviews of products you've tested and used in production. Send your experiences and ratings of products to [email protected] and get a Best Buy gift certificate.

=== RESOURCES AND EVENTS =======================================

For more security-related resources, visit

Prevent installation and execution of unauthorized software on the computers on your network. Download this free white paper today for a comparison of different techniques for detecting and preventing unauthorized code. Protect against emerging risks today!

Learn the essentials about how you can use consolidation and selected technology updates to build an infrastructure that handles change effectively.

You can't control what nature throws at your IT systems, such as floods, hurricanes, and earthquakes. You can't always control what people might do to your systems, either. Download this free eBook and learn to protect your business in the face of both natural and human-made disasters.

=== FEATURED WHITE PAPER =======================================

Combat phishing and pharming: Implement complete protection against complex Internet threats by filtering at multiple points on the gateway and network and at endpoints.

=== ANNOUNCEMENTS ==============================================

Make Your Mark on the IT Community! Nominate yourself or a peer to become "IT Pro of the Month." This is your chance to get the recognition you deserve! Winners will receive over $600 in IT resources and be featured in Windows IT Pro. It's easy to enter--we're accepting February nominations now for a limited time! Submit your nomination today:

Special Invitation for VIP Access

Become a VIP subscriber and get continuous, inside access to ALL the content published in Windows IT Pro, SQL Server Magazine, Exchange & Outlook Pro VIP, Scripting Pro VIP, and Security Pro VIP. Subscribe now and SAVE $100:


Security UPDATE is brought to you by the Windows IT Pro Web site's Security page (first URL below) and Security Pro VIP (second URL below).

Subscribe to Security UPDATE at

Unsubscribe by clicking

Be sure to add [email protected] to your antispam software's list of allowed senders.

To contact us:

About Security UPDATE content -- [email protected]

About technical questions --

About your product news -- [email protected]

About your subscription -- [email protected]

About sponsoring Security UPDATE -- [email protected]

View the Windows IT Pro privacy policy at

Windows IT Pro, a division of Penton Media, Inc.

221 East 29th Street, Loveland, CO 80538

Attention: Customer Service Department

Copyright 2007, Penton Media, Inc. All rights reserved.
