**********************************************************
WINDOWS 2000 MAGAZINE SECURITY UPDATE
**Watching the Watchers**
The weekly Windows 2000 and Windows NT security update newsletter brought
to you by Windows 2000 Magazine and NTSecurity.net
http://www.win2000mag.com/update/
**********************************************************
This week's issue sponsored by
Trend Micro -- Your Internet VirusWall
http://www.antivirus.com/spring.htm
Sunbelt Software - STAT: NT Vulnerability Scanner
http://www.sunbelt-software.com/stat.htm
(Below Security Roundup)
|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-
March 29, 2000 - In this issue:
1. IN FOCUS
- Outbound Traffic Is an Equally Serious Risk
2. SECURITY RISKS
- Microsoft Office 2000 Exposes Hidden Drives
3. ANNOUNCEMENTS
- Windows 2000 Deployment Conference: Beyond the Basics
- Subscribe to Our Free Thin-Client UPDATE Email Newsletter
- Security Poll: Should Companies Be Able to Sue Hackers for Reverse
Engineering?
4. SECURITY ROUNDUP
- News: Microsoft Internet Server Security Configuration Tool 1.0
- News: Hazards and Pitfalls of Email
- News: ASPAM Trojan on the Loose
- News: Teen's Boast of Hacking Bill Gates Looks Empty
5. NEW AND IMPROVED
- Integrated Firewall/VPN/Intrusion Detection Product
- Smart Card-Based Security Solution
6. HOT RELEASE (ADVERTISEMENT)
- AXENTs Free Linux WebCast
7. SECURITY TOOLKIT
- Book Highlight: The Process of Network Security: Designing and
Managing A Safe Network
- Tip: Protect Against Unwanted Disk Access
- HowTo: Windows 2000 Group Policies
- HowTo: Good Programming and the Rules for Writing Secure Code
8. HOT THREADS
- Windows 2000 Magazine Online Forums
Adding Permissions
- Win2KSecAdvice Mailing List
Crypto-Gram Coverage of Kerberos, March 2000
- HowTo Mailing List
DMZ Area
Print Quotas Under Windows 2000?
~~~~ SPONSOR: TREND MICRO -- YOUR INTERNET VIRUSWALL ~~~~
As the Vernal Equinox brings warmer weather and longer days, enjoy more
leisure time and worry less about server content security across your
network by using Trend Micro's antivirus product family. Trend Micro, a
world leader in antivirus technologies, protects Internet gateways, Lotus
Notes and Exchange email servers, desktops and everywhere in between - by
forming a protective VirusWall all around your network. Get Trend and Relax
this Spring!
http://www.antivirus.com/spring.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Want to sponsor Windows 2000 Magazine Security UPDATE? Contact Jim Langone
(Western Advertising Sales Manager) at 800-593-8268 or jim@win2000mag.com,
OR Tanya T. TateWik (Eastern and International Advertising Sales Manager)
at 877-217-1823 or ttatewik@win2000mag.com.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1. ========== IN FOCUS ==========
Hello everyone,
A focal point for any network security administrator is the network
perimeter. Companies spend a lot of time guarding against traffic that
might enter their networks and not enough time guarding against traffic
that might leave their networks.
Typically, a company establishes a perimeter defense by blocking all
inbound traffic, then letting only specific traffic types reach specific
internal systems. To ease management headaches down the road, the company
defines traffic rules that let any and all outbound traffic leave the
network. After all, allowing all outbound traffic means no future rule
definitions will be required to meet future needs. This approach also means
the cost of managing perimeter security will be lower because no one will
need to define new outbound rules. But think about that action for a
moment. Are the savings really worth the risk in today's world?
If there were only one reason that clearly points out the need to lock
down outbound traffic as securely as you lock down inbound traffic, then
that reason is Distributed Denial of Service (DDoS) attacks. Without an
open port to move traffic out of, your network is far less likely to become
a participant in such an attack.
But DDoS attacks are not the only reason to restrict outbound traffic.
Consider the risks of uncontrolled email or file transfers that might let
someone inside your network move proprietary information offsite without
proper consent. Do you have policies regarding email use? Do you screen
outbound email for improper content? Do you block outbound FTP and other
forms of file transfer? And what about improper Web or other multimedia
use? Do you guard against those actions with security policies and
software-based controls? Doing so might help reduce the chance of potential
lawsuits against your company, which could include charges of defamation,
sexual harassment, slander, and more. Without controls, you have to trust
that an employee won't take an inappropriate action at an inappropriate
time. Can you afford that risk?
The bottom line is that you must protect against unwanted outbound
traffic as fiercely as you protect against unwanted inbound traffic.
Consider adding various content filters to your overall security arsenal.
Content filtering tools can screen and prevent the movement of both inbound
and outbound traffic over a variety of protocols, including Web, SMTP,
POP3, and more. By using such technology you can significantly reduce a
huge portion of the risk associated with general Internet connectivity.
Before I sign off this week, I'd like to announce two new columnists for
Windows 2000 Magazine's NTSecurity.net Web site. I'm pleased to inform you
that Randy Franklin Smith and David LeBlanc have joined our Web team as
regular columnists to bring you their hands-on experience gathered directly
from the trenches.
Randy looks at Win2K Security from the ground up to cover all the new
bells, whistles, and techniques. David looks under the hood of writing
secure Win32 code for Win2K and Windows NT platforms. If you're new to
Win2K security administration or a code slinger looking to improve your
application development for Win2K or NT, be sure to read the new
columns--they're linked in the Toolkit section below. Until next time, have
a great week.
Sincerely,
Mark Joseph Edwards, News Editor
mark@ntsecurity.net
2. ========== SECURITY RISKS =========
(contributed by Mark Joseph Edwards, mark@ntsecurity.net)
* MICROSOFT OFFICE 2000 EXPOSES HIDDEN DRIVES
The original release of Microsoft's Office 2000 contains a bug that lets a
user see hidden drives, even when those drives are hidden through the "Hide
these specified drives in My Computer" group policy setting. According to
Microsoft Support Online article Q249949, the problem occurs when the My
Documents folder is located on a restricted drive.
Microsoft corrected the problem with the release of Microsoft Office
2000 Service Release 1 (SR-1), which you can download from the company's
Web site, as explained in Support Online Article Q245025.
http://support.microsoft.com/support/kb/articles/q249/9/49.ASP
http://support.microsoft.com/support/kb/articles/Q245/0/25.ASP
http://officeupdate.microsoft.com/info/office2ksr1.htm
3. ========== ANNOUNCEMENTS ==========
* WINDOWS 2000 DEPLOYMENT CONFERENCE: BEYOND THE BASICS
If your organization is planning to deploy Windows 2000 (Win2K) or even if
you're only considering it, the Windows 2000 Deployment Conference: Beyond
the Basics will provide the answers you need. This in-depth conference
takes place in New Orleans, April 26 through 28. Win2K development team
members will present many of the technical sessions. They will take you
beyond core essentials to provide the solid technical information you need
to begin your Win2K pilot and roll-out programs. Register now! This will be
the only 3-day, in-depth Win2K deployment conference that Microsoft offers
in the United States.
http://www.microsoft.com/windows2000/training/win2000dc/default.asp
* SUBSCRIBE TO OUR FREE THIN-CLIENT UPDATE EMAIL NEWSLETTER
In a biweekly newsletter, Windows 2000 Magazine contributing editor and
online columnist Christa Anderson provides the latest thin-client news and
trends related to Windows-based terminals. Learn about different protocols,
available add-on tools, and distributed applications. Thin-Client UPDATE
will keep you current on how the industry is changing and show you how to
create a low-cost, centrally managed Windows environment.
http://www.win2000mag.com/sub.cfm?code=UP99INXTC.
* SECURITY POLL: SHOULD COMPANIES BE ABLE TO SUE HACKERS FOR REVERSE
ENGINEERING?
As we've mentioned in the past, information security is setting several new
legal precedents because of the actions of hackers. Some people agree that
hackers act as a loosely knit, rogue consumer protection agency by testing
the strength of various security solutions and openly reporting what they
find.
Is it OK for companies to sue hackers who test the strength of their
security products and solutions when those hackers expose their findings?
Let us know what you think. Cast your vote on our home page today.
http://www.ntsecurity.net
4. ========== SECURITY ROUNDUP ==========
* NEWS: MICROSOFT INTERNET SERVER SECURITY CONFIGURATION TOOL 1.0
Microsoft has released version 1.0 of its new Internet Server Security
Configuration Tool. According to Microsoft, the tool makes it easy to
secure a system that uses IIS 5.0 by first interviewing the administrator,
then deploying policies that meet those needs.
http://www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=112&TB=news
* NEWS: HAZARDS AND PITFALLS OF EMAIL
Marcelo Halpern discusses the hazards and pitfalls of using email in the
workplace. In his column for ZDNET, Marcelo says that companies must
control the use of email just as they control any other company resource.
Failure to do so jeopardizes overall company welfare and can often lead to
serious security problems.
http://www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=109&TB=news
* NEWS: ASPAM TROJAN ON THE LOOSE
Network Associates reported the discovery of a new virus that poses as an
antispamming tool from Microsoft. The tool arrives via email as a file
attachment along with a lengthy spoofed message that alleges to come from
Microsoft's "Anti Spam Campaign."
http://www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=108&TB=news
* NEWS: TEEN'S BOAST OF HACKING BILL GATES LOOKS EMPTY
An 18-year old UK man was arrested for cracking e-commerce sites and
posting stolen credit card information on the Web. The man claimed to have
obtained the credit card information of Microsoft cofounder Bill Gates. As
it turns out, the man had obtained credit card information for a person
named William F. Gates. The Gates of Microsoft fame is named William H.
Gates.
http://www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=113&TB=news
~~~~ SPONSOR: SUNBELT SOFTWARE - STAT: NT VULNERABILITY SCANNER ~~~~
Ever had that feeling of ACUTE PANIC that a hacker has invaded your
network? Plug NT's holes before they plug you. There are now over 750 known
NT vulnerabilities. You just have to protect your LAN _before_ it gets
attacked. STAT comes with a responsive web-update service and a dedicated
Pro SWAT team that helps you to hunt down and kill Security holes. Built by
anti-hackers for DOD sites. Download a demo copy before you become a
statistic.
http://www.sunbelt-software.com/stat.htm
5. ========== NEW AND IMPROVED ==========
(contributed by Judy Drennen, products@win2000mag.com)
* INTEGRATED FIREWALL/VPN/INTRUSION DETECTION PRODUCT
Ashley Laurent announced Virtual Private Communications (VPCom) 2.5, an
integrated security product for small and midsized businesses. VPCom
contains a comprehensive stateful inspection firewall (with NAT), IETF
IPSec-compliant VPN, intrusion detection, and a multivendor remote VPN
package. The highly integrated product lets branch offices and remote users
hook up with a centralized DHCP server, eliminating the need for network
infrastructure changes. The product also automatically resolves address
conflicts between partner networks. You can implement VPCom as a firewall,
VPN, or both. For more information, contact Ashley Laurent,
1-512-322-0676.
http://www.ashleylaurent.com.
* SMART CARD-BASED SECURITY SOLUTION
Gemplus announced GemSAFE Enterprise on Microsoft Windows 2000. GemSAFE
Enterprise is a corporate security solution that uses smart cards to
enhance security and ease management of functions such as digital
signatures and file encryption. GemSAFE Enterprise secures applications
such as email, business-to-business e-commerce, or network access. It adds
trust, portability, and ease of use to corporate network security by
leveraging the inherent benefits of smart cards.
GemSAFE Enterprise integrates with all Windows-based applications
running on Windows 2000 (Win2K), Windows NT, and Windows 9x. GemSAFE
Enterprise licensing begins at $49 per user, with volume discounts
available. For more information, go to the Gemplus Web site.
http://www.gemplus.com
6. ========== HOT RELEASE (ADVERTISEMENT) ==========
* AXENTS FREE LINUX WEBCAST
Learn everything you need to know about installing a secure Linux
environment. FREE one hour WebCast on April 27, 2000. Space is limited
register today at:
http://www.win2000mag.com/jump.cfm?ID=23
7. ========== SECURITY TOOLKIT ==========
* BOOK HIGHLIGHT: THE PROCESS OF NETWORK SECURITY: DESIGNING AND MANAGING A
SAFE NETWORK
By Thomas A. Wadlow
Online Price $31.45
Softcover; 283 Pages
Published by Addison Wesley, February 2000
ISBN 0201433176
In "The Process of Network Security," security specialist Thomas A. Wadlow
reveals the approaches, techniques, and best practices that effectively
secure the modern workplace. Written for network managers and
administrators responsible for the security of large, enterprise-wide
networks, this book focuses on security as a continuous process involving
vigilant daily efforts in analysis, implementation, evaluation, and
maintenance. It also emphasizes that to truly protect the enterprise,
security professionals must consider not just individual machines, but the
entire system--machines, people, and procedures. "The Process of Network
Security" discusses the many issues involved and walks you through the
specific steps of setting up a secure system, focusing on standard
operating procedures and day-to-day operations and maintenance.
For Windows 2000 Magazine Security UPDATE readers only--Receive an
additional 10 percent off the online price by typing WIN2000MAG in the
discount field on the Shopping Basket Checkout Page. To order this book, go
to
http://www.fatbrain.com/shop/info/0201433176?from=win2000mag
* TIP: PROTECT AGAINST UNWANTED DISK ACCESS
(contributed by Mark Joseph Edwards, mark@ntsecurity.net)
I can't begin to count the number of file system-related security holes
that never became a problem on my systems. For example, older versions of
IIS were known to expose sensitive information through the use of a URL
that ended in a period or a "::$DATA" suffix. In addition, this week we
cover a problem with Microsoft Office 2000 that exposes hidden drives to
users who shouldn't be exposed to such resources. None of these problems
affects an adequately protected Windows NT computer system.
So how do you introduce adequate protection? By assuming the worst-case
scenario and setting permissions accordingly. For example, you can
certainly hide a drive from users, but you already know that obscurity
offers very little security. Therefore, you must establish strict access
permissions for the hidden drive to ensure only authorized users can access
the data in the event that the drive is discovered.
You can apply similar logic to IIS and other Web server platforms that
support the use of embedded code for server-side processing, such as
Microsoft's Active Server Pages (ASP) technology on IIS. ASP lets
developers embed application code for specialized server-side processing,
such as performing database queries against a SQL Server. You probably
don't want users viewing your SQL query code because it might contain
sensitive user credentials for connecting to a given SQL Server.
To protect your Web code, put the code in a directory that disallows
Read permission to Web site users. The Read permission settings block IIS
from sending the unprocessed code to users, which prevents unwanted eyes
from seeing that code. By doing so, you can prevent the IIS risks I
mentioned previously and simultaneously guard against any future similar
vulnerabilities.
Be sure to inspect your file systems carefully to ensure you've set the
strictest possible permissions. And remember to work from a worst-case
scenario viewpoint when deciding which permissions to apply to disk drives,
whether or not those drives are hidden.
* HOWTO: WINDOWS 2000 GROUP POLICIES
You've read Randy Franklin Smith's security-related articles in Windows
2000 Magazine. Now you'll find even more of Randy's expert opinion and
hands-on advice at NTSecurity.net. In his new biweekly column, Randy covers
Win2K security from the ground up.
As you know, Win2K has numerous new security features and an entirely
new way of handling overall security architecture through Active Directory
(AD). In his first column, Randy covers the basics of Group Policy under
Win2K and discusses differences from Windows NT 4.0 policies.
http://www.ntsecurity.net/go/win2ksec.asp
* HOWTO: GOOD PROGRAMMING AND THE RULES FOR WRITING SECURE CODE
Windows 2000 Magazine welcomes David LeBlanc to our team! As you know,
David is a senior technologist at Microsoft, working with information
security. In his new biweekly column, David looks under the hood of Win32
application development to cover issues and concerns centered on writing
secure code.
In his first installment, David focuses on writing secure code using C
and C++. Microsoft used C and C++ to develop Windows 2000 (Win2K) and
Windows NT, and developers can most easily access the OSs' security
features using these languages. Be sure to stop by and read David's first
column.
http://www.ntsecurity.net/go/secure-code.asp
8. ========== HOT THREADS ==========
* WINDOWS 2000 MAGAZINE ONLINE FORUMS
The following text is from a recent threaded discussion on the Windows
2000 Magazine online forums (http://www.win2000mag.com/support).
March 21, 2000, 01:38 P.M.
Adding Permissions
Is there a way to just blindly add a user/group to the permissions of
subfolders without disrupting the current permission setup? For example,
can I add Domain Admins to a group of user folders without changing the
current setup of permissions and without disrupting the users of those
folders? I do not want to remove any permissions, just add one.
Thread continues at
http://www.win2000mag.com/support/Forums/Application/Index.cfm?CFApp=69&Message_ID=96001
* WIN2KSECADVICE MAILING LIST
Each week we offer a quick recap of some of the highlights from the
Win2KSecAdvice mailing list. The following thread is in the spotlight
this week:
Crypto-Gram Coverage of Kerberos, March 2000
http://www.ntsecurity.net/go/w.asp?A2=IND0003D&L=WIN2KSECADVICE&P=1410
Follow this link to read all threads for March, Week 5:
http://www.ntsecurity.net/go/win2ks-l.asp?s=win2ksec
* HOWTO MAILING LIST
Each week we offer a quick recap of some of the highlights from the
HowTo for Security mailing list. The following threads are in the
spotlight this week:
1. DMZ Area
http://www.ntsecurity.net/go/L.asp?A2=IND0003D&L=HOWTO&P=1775
2. Print Quotas Under Windows 2000?
http://www.ntsecurity.net/go/L.asp?A2=IND0003D&L=HOWTO&P=1585
Follow this link to read all threads for March, Week 4:
http://www.ntsecurity.net/go/l.asp?s=howto
|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-
WINDOWS 2000 MAGAZINE SECURITY UPDATE STAFF
News Editor - Mark Joseph Edwards (mje@win2000mag.com)
Ad Sales Manager (Western) - Jim Langone (jim@win2000mag.com)
Ad Sales Manager (Eastern) - Tanya T. TateWik (ttatewik@win2000mag.com)
Associate Publisher/Network - Martha Schwartz (mschwartz@win2000mag.com)
Editor - Gayle Rodcay (gayle@win2000mag.com)
New and Improved Judy Drennen (products@win2000mag.com)
Copy Editor Judy Drennen (jdrennen@win2000mag.com)
|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-
========== GET UPDATED! ==========
Receive the latest information about the Windows 2000 and Windows NT topics
of your choice. Subscribe to these other FREE email newsletters at
http://www.win2000mag.com/sub.cfm?code=up99inxsup.
Windows 2000 Magazine UPDATE
Windows 2000 Magazine Thin-Client UPDATE
Windows 2000 Magazine Exchange Server UPDATE
Windows 2000 Magazine Storage UPDATE
Windows 2000 Pro UPDATE
ASP Review UPDATE
SQL Server Magazine UPDATE
SQL Server Magazine XML UPDATE
IIS Administrator UPDATE
WinInfo UPDATE
|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|
SUBSCRIBE/UNSUBSCRIBE/CHANGE ADDRESS
Thank you for reading Windows 2000 Magazine Security UPDATE.
To subscribe, go to the UPDATE home page at
http://www.win2000mag.com/update
or send a blank email to join-securityupdate@list.win2000mag.net.
To remove yourself from the list, send a blank email to
leave-securityupdate-120275L@list.win2000mag.net.
To change your email address, send a message with the sentence
set securityupdate email="new email address"
as the message text to securityupdate@list.win2000mag.net. Replace the words "new email address" with your new email address (in
clude the quotes).
If you have questions or problems with your UPDATE subscription, please contact securityupdate@win2000mag.com. We will address y
our questions or problems as quickly as we can, but please allow 2 issues for resolution.
|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|
Copyright 2000, Windows 2000 Magazine