Information Security News mailing list archives

Security UPDATE, October 10, 2001


From: InfoSec News <isn () c4i org>
Date: Thu, 11 Oct 2001 06:16:03 -0500 (CDT)

********************
Windows 2000 Magazine Security UPDATE--brought to you by Security
Administrator, a print newsletter bringing you practical, how-to
articles about securing your Windows 2000 and NT systems.
   http://www.secadministrator.com
********************

~~~~ THIS ISSUE SPONSORED BY ~~~~

Close Massive Local Security Hole in NT/2000/XP
   http://lists.win2000mag.net/cgi-bin3/flo?y=eH5b0CJgSH0BVg0gDY0AO 

Connected Home Magazine Virtual Tour
   http://lists.win2000mag.net/cgi-bin3/flo?y=eH5b0CJgSH0BVg0LTe0AP 
   (below SECURITY RISKS)

~~~~~~~~~~~~~~~~~~~~

~~~~ SPONSOR: CLOSE MASSIVE LOCAL SECURITY HOLE IN NT/2000/XP ~~~~
   Did you ever consider that the same local administrator account and 
password is stored on every NT/2000/XP workstation in your 
organization?
   If this account were to become compromised, or one of your 
administrators were to leave, how would you change this backdoor 
account on all of your workstations? User Manager Pro for Windows 
NT/2000/XP makes mass changes to the local security of your 
workstations in minutes.
   FREE TRIAL: http://lists.win2000mag.net/cgi-bin3/flo?y=eH5b0CJgSH0BVg0gDY0AO 

********************

October 10, 2001--In this issue:

1. IN FOCUS
     - The New Microsoft STPP: Is It Enough?

2. SECURITY RISKS
     - Excel and PowerPoint Macro-Checking Bypass
     - DoS in AOL Instant Messenger
     - DoS in Cisco Secure PIX Firewall

3. ANNOUNCEMENT
     - Test Your Windows XP Knowledge--Free!

4. INSTANT POLL
     - Results of Previous Poll: Nimda Worm
     - Instant Poll: Drop Microsoft IIS?

5. SECURITY ROUNDUP
     - News: Microsoft Announces Major Changes to Security Practices
     - News: Sun Lowers Costs to Woo IIS Customers
     - News: Sun and AOL Announce Passport Competitors
     - Feature: 20 Tips for Exchange 2000 Migration 
     - Review: Enterprise Backup Solutions 

6. HOT RELEASE (ADVERTISEMENT)
     - Sponsored by Stop Password Hackers with Password Bouncer! 

7. SECURITY TOOLKIT
     - Virus Center
     - FAQ: Why Do I Receive Microsoft Passport-related Errors When I 
Visit Some Web Sites?

8. NEW AND IMPROVED
     - Manage Passwords
     - Establish a Secure Channel

9. HOT THREADS
     - Windows 2000 Magazine Online Forums
         - Featured Thread: Recommended Antivirus Program
     - HowTo Mailing List:
         - Featured Thread: Outlook/Exchange Connection

10. CONTACT US
   See this section for a list of ways to contact us.

~~~~~~~~~~~~~~~~~~~~

1. ==== COMMENTARY ====

Hello everyone,

You've no doubt heard the news by now: Microsoft launched the Strategic 
Technology Protection Program (STPP) to help companies get secure and 
stay secure. STPP consists of five offerings in consulting services and 
software that companies can use to change how they handle network 
security. The software helps lock down systems and services and helps 
automate patch installation. The consulting services help users deal 
with design, planning, and serious security threats, such as the Nimda 
worm, which affects multiple products. You can learn more about STPP by 
reading the related news item in the SECURITY ROUNDUP section of this 
newsletter. 

STPP is a good step forward for Microsoft and its customers, but is it 
enough? The STPP announcement comes after Gartner Group issued its 
stern statements 2 weeks ago. Gartner recommends that users who've been 
affected by security intrusions due to Microsoft IIS bugs should 
consider migrating to another Web server platform, such as iPlanet or 
Apache. You can read about Gartner's comments in Paul Thurrott's 
related news story on our Web site.
   http://www.secadministrator.com/articles/index.cfm?articleid=22587

Gartner's comments stem from the number of exploitable vulnerabilities 
in the IIS source code. For example, as of October 9, 2001, the 
Microsoft security Web site lists 22 bulletins about Internet 
Information Services (IIS) 5.0 security vulnerabilities and 36 
bulletins about Internet Information Server (IIS) 4.0 security 
vulnerabilities. STPP will help Microsoft guard against security 
vulnerabilities, but the fact that users need so many patches clearly 
indicates a deeper problem: faulty coding practices. 

Granted, Microsoft released URLScan, which is a fantastic way to 
prevent unknown bugs from becoming exploitable security risks, but even 
so, many people view URLScan as just another patch. As you'll learn by 
reading our news story about STPP, Microsoft designed new analysis 
tools to use when developing Windows XP code--tools that help find bugs 
that can become security risks. Microsoft is also using those tools to 
analyze Windows 2000 patches and service pack code. So we can expect 
IIS 5.0 to become more secure as Microsoft releases new service packs, 
and IIS 6.0 should be more secure than its predecessors. URLScan will 
be built into IIS 6.0.

Before you take Gartner's advice, you might give Microsoft a chance to 
show how its new code analysis provides increased security in IIS 6.0. 
Of course, to use IIS 6.0, you must move to XP, in which case you might 
be interested to learn that Microsoft has again postponed its 
controversial new licensing program. Read about it in Paul Thurrott's 
new story on our WinInformant Web site at the URL below. 
   http://www.wininformant.com/articles/index.cfm?articleid=22808

I asked Scott Culp, manager of Microsoft's Security Response Center, if 
IIS 6.0 is stronger code than its predecessors. As you know, IIS 5.1 
ships with XP, and Culp said Microsoft believes that the quality of the 
code in IIS 5.1 is in fact better than what is in IIS 5.0. 

"IIS 5.1 was built using the processes and tools that were developed as 
part of the Secure Windows Initiative [SWI], and we're seeing dramatic 
improvements in products built under SWI, across the board. Fewer 
coding errors means fewer vulnerabilities, which should mean better 
security. But as you know, security is about more than just code 
quality," Culp said. "That's where IIS 6.0 (which will be part of 
Windows .Net Server) comes in. The primary difference between IIS 5.1 
and IIS 5.0 is the code quality--most other aspects of the product are 
the same or only changed in minor ways. In contrast, IIS 6.0 contains 
code quality improvements, but also includes significant architectural 
changes as well. For instance, IIS 6.0 won't install by default. When 
you do install it, the setup wizard will interview you to find out what 
you're planning to do with the server, and only enable the services 
you'll need. The net is that IIS 5.1 should be more secure than its 
predecessors because of the code quality improvements. But IIS 6.0 will 
encompass code changes, architectural improvements, and new features. 
As a result, the security improvements there should be much more 
dramatic."

Nevertheless, if you're considering a move away from IIS, you'll be 
interested to know that Sun Microsystems lowered the cost of iPlanet to 
woo IIS customers. Formerly, iPlanet cost $1495 per CPU; however, Sun 
now offers the platform for $940 per CPU to any customer who moves from 
a competing platform. See the news story in the SECURITY ROUNDUP 
section of this newsletter. 

According to Netcraft's September Web survey results, 49.6 percent of 
all Web systems polled run a Microsoft OS and probably IIS. Results 
also show that many of those systems exhibit known security risks. As 
of September 1, 8.5 percent of the systems Netcraft surveyed still have 
the root.exe program, which is a backdoor associated with the Code Red 
worm, installed; 37.14 percent still have the IIS-related WebDAV 
functionality overly exposed; and 17.14 percent have their 
administration Web pages open to the public and are vulnerable to known 
URL-encoding exploits and known bugs in IIS-related sample pages and 
scripts. Overall, one out of every five IIS servers is vulnerable to 
attack. You can read Netcraft's survey results on its Web site. 
   http://www.netcraft.com/survey

Speaking of surveys, be sure to stop by our Security Administrator home 
page to take our new poll concerning Gartner's comments. Are you 
planning to switch Web server platforms? We're interested to know how 
Gartner's comments might affect your decisions. 
   http://www.secadministrator.com

Last week, I mentioned the Eraser tool, which helps users prevent 
unauthorized recovery of deleted files. Norman Samuelson wrote to 
remind me that to keep data safe, users should be aware that some disk-
defragmentation software can inadvertently expose some or all of your 
sensitive data. This scenario might occur when you move sensitive files 
during a defragmentation process and the software doesn't wipe the data 
sufficiently clean from the disk's formerly occupied sectors. It's a 
good idea either to mark your sensitive data files as unmovable within 
your defragmentation software or to configure the defragmentation 
software to wipe disk data after moving files, if your software offers 
such functionality. Otherwise, use a disk-wiping tool that wipes all 
unused disk sectors after you've completed the defragmentation process. 
Eraser can do that on demand or based on your defined schedule (see URL 
below). Until next time, have a great week. 
   http://www.tolvanen.com/eraser/download.shtml

Sincerely,

Mark Joseph Edwards, News Editor, mark () ntsecurity net

2. ==== SECURITY RISKS ====
   (contributed by Ken Pfeil, ken () win2000mag com)

* EXCEL AND POWERPOINT MACRO-CHECKING BYPASS
   Peter Ferrie of Symantec Security Response reported a vulnerability 
in Microsoft Excel and PowerPoint (for Windows and Macintosh) that 
might let a malicious user bypass macro-checking to automatically 
execute a script when opening a document. Microsoft released Security 
Bulletin MS01-050 to address this problem. The bulletin lists the 
patches and patch-installation instructions.
   http://www.secadministrator.com/articles/index.cfm?articleid=22789

* DOS IN AOL INSTANT MESSENGER
   Matthew Sachs reported a Denial of Service (DoS) condition in AOL 
Instant Messenger. An attacker who can send instant messages to a user 
signed on to the AOL Instant Messenger service can crash that user's 
AOL Instant Messenger. The default settings let anyone send instant 
messages to the user. When an attacker sends a text message with 
certain symbols repeatedly (approximately 640 or more times), the 
Instant Messenger client crashes. To minimize exposure to this 
vulnerability, users should restrict the ability to receive instant 
messages to only the people the users select. AOL has been notified of 
this vulnerability.
   http://www.secadministrator.com/articles/index.cfm?articleid=22757

* DOS IN CISCO SECURE PIX FIREWALL
   A vulnerability in Cisco Secure PIX Firewall authentication can 
result in a Denial of Service (DoS) condition. When a user configures AAA 
(Authentication, Authorization, Accounting) authentication services on 
the Cisco Secure PIX Firewall, a single-source address can consume all 
authentication resources, preventing other legitimate users from 
authenticating. This DoS affects only the authentication resources; 
other established traffic continues unaffected, and the DoS prevents 
only new authentication requests. Cisco issued a notice about this 
vulnerability and recommends that customers obtain a firmware upgrade 
through Cisco distribution channels.
   http://www.secadministrator.com/articles/Index.cfm?articleid=22758

********************

~~~~ SPONSOR: CONNECTED HOME MAGAZINE VIRTUAL TOUR ~~~~
   What Does The Home Of The Not-Too-Distant Future Look Like?
   You've never seen anything like the Connected Home Magazine Virtual 
Tour. Experience (room by room) the latest home entertainment, home 
networking, and home automation options that are going to change how 
you work and play. While you're there, sign up for a free copy of 
Windows XP!  
   http://lists.win2000mag.net/cgi-bin3/flo?y=eH5b0CJgSH0BVg0LTe0AP 

~~~~~~~~~~~~~~~~~~~~

3. ==== ANNOUNCEMENT ====

* TEST YOUR WINDOWS XP KNOWLEDGE--FREE!
   Our MCSE Exam 70-270 Question-of-the-Day email dives into the new 
Windows XP topics such as installing and configuring handheld devices 
and managing mobile users, while also measuring your skills in 
networking basics, TCP/IP fundamentals, user accounts, protocol 
features, and much more. Sign up (for FREE) today!
   http://lists.win2000mag.net/cgi-bin3/flo?y=eH5b0CJgSH0BVg0KrD0AL 

4. ==== INSTANT POLL ==== 

* RESULTS OF PREVIOUS POLL: NIMDA WORM 
   The voting has closed in Windows 2000 Magazine's Security 
Administrator Channel nonscientific Instant Poll for the question, "Has 
your system become infected by the Nimda worm?" Here are the results 
(+/-2 percent) from the 715 votes:
   - 31% Significantly--we've lost days disinfecting systems 
   - 37% Not at all 
   - 18% Somewhat 
   - 14% Hardly at all

* INSTANT POLL: DROP MICROSOFT IIS?
   The Gartner Group is recommending that companies affected by 
security problems in Microsoft IIS drop IIS in favor of other Web 
server platforms. The current Instant Poll question is, "Does your 
company plan to do one of the following? a) Move to a yet-to-be-
determined platform, b) Move to Apache, c) Move to iPlanet, d) Consider 
the recommendation, or e) Not change--you need Microsoft technology?" 
Go to the Security Administrator Channel home page and submit your 
vote.
   http://www.secadministrator.com

5. ==== SECURITY ROUNDUP ====

* NEWS: MICROSOFT ANNOUNCES MAJOR CHANGES TO SECURITY PRACTICES
   Microsoft announced several major changes to its security practices 
designed to help mitigate unpatched systems that the Code Red and Nimda 
worms recently affected. Microsoft also hopes these practices will help 
companies build security into any future networks from the outset. 
Brian Valentine, senior vice president of the Windows division at 
Microsoft, said that the company will make an unprecedented effort to 
help customers secure their systems from Internet-based threats by 
using the new Microsoft Strategic Technology Protection Program (STPP).
   http://www.secadministrator.com/articles/index.cfm?articleid=22751

* NEWS: SUN LOWERS COSTS TO WOO IIS CUSTOMERS
   In a bid to take advantage of the recent Microsoft product security 
scares, Sun Microsystems has lowered the price of its iPlanet Web 
Server by 37 percent. The company hopes that Microsoft IIS customers, 
worried about constant security breaches, will move to the Sun 
platform. Sun will provide additional tools that ease the process. The 
price reduction cuts the cost of iPlanet from $1495 per processor to 
$940 per processor, for any customer moving from a competing platform.
   http://www.secadministrator.com/Articles/Index.cfm?ArticleID=22809

* NEWS: SUN AND AOL ANNOUNCE PASSPORT COMPETITORS
   A growing feeling in the computer industry is that, where Microsoft 
is concerned, you should strike when the company is down. In light of 
the amount of negative press this year about Microsoft Windows XP, 
HailStorm (now called .NET My Services), and Passport, we shouldn't be 
surprised that the company's competitors--such as AOL, Oracle, Sun 
Microsystems, and IBM--recently announced initiatives that will compete 
with Microsoft's plans for the .NET future. Two of these competitors, 
Sun and AOL, announced services that the companies hope will supplant 
Passport.
   http://www.secadministrator.com/articles/index.cfm?articleid=22783

* FEATURE: 20 TIPS FOR EXCHANGE 2000 MIGRATION
   The move from Microsoft Exchange Server 5.5 to Exchange 2000 Server 
and the corresponding move from Windows NT to Windows 2000 are among 
the most significant changes you'll make to your infrastructure in the 
near future. Because an Exchange 2000 migration requires some 
fundamental changes to your environment, setting out on the road to 
Exchange 2000 without understanding every detail of the migration isn't 
smart. Read Kieran McCorry's article for Windows 2000 Magazine (October 
2001) to be sure you don't overlook anything crucial.
   http://secadministrator.com/articles/index.cfm?articleid=22252

* REVIEW: ENTERPRISE BACKUP SOLUTIONS
   Enterprise-level backup programs can provide peace of mind that the 
data on your servers is safe and secure. If your backup software 
doesn't give that protected feeling, you might want to invest in a 
solid insurance policy for your data. Ed Roth found seven products that 
offer the comprehensive client support and advanced features necessary 
to enable centralized backup in an enterprise.
   The products that Roth considered for this comparative review needed 
to offer backup and restoration capabilities on Windows 2000, Windows 
NT, Novell NetWare 5.1, and Sun Microsystems' Solaris 8 platforms. The 
products also needed to be able to perform online backups and restores 
of SQL Server 7.0 databases and Microsoft Exchange Server 5.5's 
Directory Store, Information Store (IS), and individual mailboxes. Read 
the review to learn what Roth found regarding base capabilities, 
performance, media-control features, and manageability.
   http://secadministrator.com/articles/index.cfm?articleid=22239

6. ==== HOT RELEASE (ADVERTISEMENT) ====

* SPONSORED BY STOP PASSWORD HACKERS WITH PASSWORD BOUNCER!
   Are your employees and contractors unwittingly leaving your 
enterprise exposed to password attacks? Password Bouncer screens new 
passwords against "Hacker Wordlists" and prevents users from choosing 
vulnerable passwords. Defend your network today with Password Bouncer!
   http://lists.win2000mag.net/cgi-bin3/flo?y=eH5b0CJgSH0BVg0gDZ0AP 

7. ==== SECURITY TOOLKIT ====

* VIRUS CENTER
   Panda Software and the Windows 2000 Magazine Network have teamed to 
bring you the Center for Virus Control. Visit the site often to remain 
informed about the latest threats to your system security.
   http://www.secadministrator.com/panda

* FAQ: WHY DO I RECEIVE MICROSOFT PASSPORT-RELATED ERRORS WHEN I VISIT 
SOME WEB SITES?
   (contributed by John Savill, http://www.windows2000faq.com)

A. I recently encountered this problem in the Microsoft Developer 
Network (MSDN) subscriber download area. I could connect to several 
Microsoft Passport-related Web sites, but I was unable to use my 
Microsoft Passport to connect to the MSDN site. To remedy this 
situation, I had to delete my MSDN Microsoft Passport cookie. Your Web 
browser stores cookies on your computer in the Cookies subfolder of 
your user profile using the following format:

   <username>@<site name>  

If you're running Microsoft Internet Explorer (IE) 5.5 or IE 6.0, you 
can choose to delete all cookies simultaneously. However, if you remove 
all your cookies, you'll lose any information contained within your Web 
site profiles. To remove all cookies in IE 5.5 or IE 6.0, perform the 
following steps:

   1. Start IE. 
   2. From the Tools menu, select Internet Options. 
   3. In the Temporary Internet files section of the General tab, click 
Delete Cookies. 
   4. Click OK. 
   5. Close IE.

8. ==== NEW AND IMPROVED ====
   (contributed by Scott Firestone, IV, products () win2000mag com)

* MANAGE PASSWORDS
   Zemerick Software released myPasswords Professional, password-
managing software. The Password Recovery tool lets you recover the 
passwords that asterisks have hidden in a program's dialogs. The 
Password Generator tool creates complex passwords of any length 
containing any combination of letters, numbers, and symbols. The 
software can handle unlimited databases and entries, and users can 
protect each database with a unique password. The software runs on 
Windows 2000, Windows NT, Windows Me, Windows 9x, and other systems and 
costs $30. Contact Zemerick Software at 304-469-4031.
   http://www.zemericks.com

* ESTABLISH A SECURE CHANNEL
   Pragma Systems released SecureShell 2.0, a dual, secure-shell server 
that supports Secure Shell 1 (SSH1) and Secure Shell 2 (SSH2) protocols 
with Advanced Encryption Standard (AES) Rijndael encryption. The 
software establishes a secure channel over any TCP/IP-based connection 
for both client and server applications by encrypting data and file 
transfers over the Internet. SecureShell 2.0 uses RSA/DSA public-key 
encryption and runs on Windows 2000, Windows NT, and Windows 9x 
systems. The software costs $799 per server for unlimited client 
connections. Contact Pragma Systems at 512-219-7270.
   http://www.pragmasys.com

9. ==== HOT THREADS ====

* WINDOWS 2000 MAGAZINE ONLINE FORUMS
   http://www.win2000mag.net/forums 

Featured Thread: Recommended Antivirus Program
   (Six messages in this thread)

Brett wants to know what antivirus program he should use to protect 
Windows NT servers. He's using Norton Antivirus but isn't happy with it 
and wants suggestions. Read more about the questions and responses, or 
lend a hand at the following URL:
   http://www.win2000mag.net/forums/rd.cfm?app=64&id=79459

* HOWTO MAILING LIST
   http://www.secadministrator.com/listserv/page_listserv.asp?s=howto

Featured Thread: Outlook/Exchange Connection
   (Eight messages in this thread)
   
This user is having a problem with his Microsoft Outlook client when 
receiving mail from an Exchange Server. His Outlook client doesn't 
notify him when new mail arrives, yet the notification functionality 
works on other Outlook clients running on other workstations on his 
network. Can you help? Read the responses or lend a hand at the 
following URL:
   http://63.88.172.96/listserv/page_listserv.asp?a2=ind0110a&l=howto&p=181

10. ==== CONTACT US ====
   Here's how to reach us with your comments and questions:

* ABOUT THE COMMENTARY -- mark () ntsecurity net

* ABOUT THE NEWSLETTER IN GENERAL -- mlibbey () win2000mag com; please
mention the newsletter name in the subject line.

* TECHNICAL QUESTIONS -- http://www.win2000mag.net/forums

* PRODUCT NEWS -- products () win2000mag com

* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? -- Email Customer
Support at securityupdate () win2000mag com.

* WANT TO SPONSOR SECURITY UPDATE? -- emedia_opps () win2000mag com

********************

   Receive the latest information about the Windows 2000 and Windows NT
topics of your choice. Subscribe to our other FREE email newsletters.
   http://lists.win2000mag.net/cgi-bin3/flo?y=eH5b0CJgSH0BVg0KrD0AL

|-+-+-+-+-+-+-+-+-+-| 

Thank you for reading Storage UPDATE.

SUBSCRIBE
To subscribe, send a blank email to mailto:Security_UPDATE_Sub () lists win2000mag net.


-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.

