**********************************************************
WINDOWS 2000 MAGAZINE SECURITY UPDATE
**Watching the Watchers**
The weekly Windows 2000 and Windows NT security update newsletter brought to you by Windows 2000 Magazine and NTSecurity.net
http://www.win2000mag.com/update/
**********************************************************

This week's issue sponsored by

UltraBac Safety Net Backup
http://www.ultrabac.com

Too Many Passwords? Free Single Sign-on White Paper.
http://www.win2000mag.com/jump.cfm?ID=29
(Below SECURITY ROUNDUP)

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-
May 17, 2000 - In this issue:

1. IN FOCUS
   - Backpedaling Toward Security

2. SECURITY RISKS
   - Emurl 2.0 Exposes Users' Mailboxes
   - Office 2000 UA Control Scripting
   - NTMail 5.x Contains an Open Proxy
   - IIS Denial of Service and Code Exposure
   - IIS Denial of Service

3. ANNOUNCEMENTS
   - New Online Research Panel
   - Technet Puzzler--Contest Ends May 21!
   - Join Our Team

4. SECURITY ROUNDUP
   - Feature: NTFS Access Control Security Enhancements
   - HowTo: Encrypting Files for Added Security

5. NEW AND IMPROVED
   - Message Attachment Scrubbing and Virus Protection
   - Increase Network Security in Small and Midsized Businesses

6. SECURITY TOOLKIT
   - Book Highlight: Cyberwars: Espionage on the Internet
   - Tip: Detecting Email Worms in Outlook

7. HOT THREADS
   - Windows 2000 Magazine Online Forums
       Group/User Permissions
   - Win2KSecAdvice Mailing List
       Fix for Backdoor in Cart32 Software
   - HowTo Mailing List
       MS Proxy and Domain Filtering
       IPSEC VPN on Windows 2000

~~~~ SPONSOR: ULTRABAC SAFETY NET BACKUP ~~~~
Did the "I LOVE YOU" virus wreak havoc with your network? If so, this should reinforce the importance of using a fast, reliable backup to restore your computers. While nothing can protect you from a new virus, great backup software can certainly eliminate lost work and productivity. UltraBac offers multiple levels of protection against virus damage.
Whether it’s standard file-by-file or our special image backup, UltraBac has both the fastest BACKUP and RESTORE speeds of any NT backup utility--image restores are lightning fast and can restore a 4GB disk in under 10 minutes! Visit http://www.ultrabac.com for more info or to download the latest version of UltraBac.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Want to sponsor Windows 2000 Magazine Security UPDATE? Contact Jim Langone (Western Advertising Sales Manager) at 800-593-8268 or jim@win2000mag.com, OR Tanya T. TateWik (Eastern and International Advertising Sales Manager) at 877-217-1823 or ttatewik@win2000mag.com.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. ========== IN FOCUS ==========

Hello everyone,

During the past 2 weeks, Love Letter virus reports have saturated the news headlines. As one popular columnist pointed out, we've probably never before seen a virus get so much ink. The virus received so much coverage because of its massive spread; it infected millions of computers around the world in a short period of time.

People often like to remind others that hindsight is 20/20, and in the case of the Love Letter virus, that goes double for Microsoft. The company took a beating over the Love Letter virus from security aficionados because of the default functionality available in the Microsoft Outlook mail clients.

To make Microsoft Outlook 2000 and Outlook 98 more secure, Microsoft has just released a beta version of an Outlook enhancement that will help prevent malicious file attachments from reaching end users. Because so many viruses, worms, and Trojans are aimed at Outlook, Microsoft's enhancement attempts to filter out certain attachments and restrict programmatic access to the Outlook address book and contacts. When a potential intruder makes a programmatic attempt to access the address book, a dialog box warns users of the attempt.
Learn more about this enhancement at http://officeupdate.microsoft.com/2000/articles/out2ksecarticle.htm.

The enhancement also modifies the default security zone setting within Outlook from the Internet Zone to the Restricted Sites Zone, which helps prevent certain objects embedded in email from taking action on the system. But as Russ Cooper (moderator of NTBugTraq) pointed out, that particular modification is mostly useless without changes to the default settings in the Restricted Sites Zone itself, and those changes are not part of the beta release of the Outlook enhancement. NTSecurity.net columnist David LeBlanc publicly pointed out more than a year ago that if you don't turn off all scripting in all security zones for Internet Explorer (IE) and Outlook, you'll see instances where email-based code can still execute. Don't overlook that fact, or you might become a victim. No one seems to know why Microsoft has addressed this well-known issue after so much time.

In a message to NTBugTraq readers, Cooper also pointed out that the current beta of the Outlook enhancement, which is set for release on May 22, has no provision to tighten security in Outlook Express. That fact is shocking to users who rely on the mail client. The lack seems odd given that Outlook Express installs by default with every copy of Windows 2000 and reportedly can't be removed from the OS. For that reason, some people jokingly refer to Outlook Express as a virus. In any event, Cooper and many others feel that Microsoft should not overlook the security needs of millions of Outlook Express users. Will Microsoft wait until some Love Letter-type virus affects millions of Outlook Express users before it addresses that mail client?

Nonetheless, Outlook 2000 and Outlook 98 users might be pleased with the new functionality found with the enhancement. Be sure to read the details Microsoft provides and consider using the new enhancement to better protect your systems.

Before I sign off this week, I'd like to point out that some people are filtering email messages based on keywords to prevent any message that contains the words "love letter" from getting into a user's inbox. The idea is to block the virus before it infects more systems. Although that approach works for the original virus strain, it won't work for the plethora of variants that continue to float around the Internet. Not only is word filtering a poor way to block malicious content, the act partially defeats the purpose of email and causes people to miss inbound mail they would like to receive, such as this newsletter.

If you're performing simple keyword filtering to prevent virus infection, you should seriously consider investing in an enterprise-enabled antivirus solution. Also consider using Exchange Administrator Newsletter columnist Sue Mosher's Outlook 2000 script that automatically converts inbound HTML content to RTF for safe viewing. The script is a good way to filter content. You can find the script and other helpful Outlook goodies at http://www.slipstick.com/dev/code/zaphtml.htm.

You might also want to read Russ Cooper's article (http://ntbugtraq.ntadvice.com/outlookviews.asp) about Outlook email. Russ outlines how the mail client responds to content under various scenarios, which can help clear up a lot of confusion.

Until next time, have a great week.

Sincerely,
Mark Joseph Edwards, News Editor
mark@ntsecurity.net

2. ========== SECURITY RISKS ==========
(contributed by Mark Joseph Edwards, mark@ntsecurity.net)

* EMURL 2.0 EXPOSES USERS' MAILBOXES
Emurl allows Web-based access to user mailboxes via an encoded URL. Because of a product design flaw, a user who can properly encode a user account number can also access any mailbox on the system without a password. Furthermore, if identical mailboxes exist on two or more systems, an intruder can use the same URL to access the mailbox on all those systems.
SeattleLab is aware of the problem and has released an updated version of Emurl.
http://www.ntsecurity.net/go/load.asp?iD=/security/emurl2-1.htm

* OFFICE 2000 UA CONTROL SCRIPTING
The L0pht reported a problem with a Microsoft Office 2000 component called the Microsoft Office UA Control, which is installed by default and is categorized as being safe for scripting. L0pht analysis revealed the component contains functionality to script almost any action in Office 2000 that the user could perform from the keyboard, including lowering the macro security settings to low. Microsoft has released a patch for the problem.
http://www.ntsecurity.net/go/load.asp?iD=/security/office2000-1.htm

* NTMAIL 5.X CONTAINS AN OPEN PROXY
Simon Talbot reported a problem in NTMail version 5.x (and possibly other versions) where the product contains a Web configuration interface and can serve as a proxy for Web access. By default, the Web service listens on port 8000, and the proxy service listens on port 8080. If NTMail is configured to turn off the proxy, the proxy will stop listening on the default port; however, a user can point to the default Web port (8000) and gain open access to the Internet. NTMail doesn't prohibit use of the proxy on the Web-based configuration port. The vendor, NTMailUSA, is aware of the problem but hasn't released a fix. If you must restrict user access to Web sites via proxy, disable the Web configuration service in NTMail until the vendor resolves the problem.
http://www.ntsecurity.net/go/load.asp?iD=/security/ntmail5-1.htm

* IIS DENIAL OF SERVICE AND CODE EXPOSURE
Cerberus Information Security reported that Microsoft IIS contains two security vulnerabilities in the Internet Server API (ISAPI) extension (ism.dll) that provides Web-based password administration via .htr script files. The first vulnerability is a Denial of Service (DoS) attack that can occur when a user provides a password change request that is missing an expected delimiter.
This crashes the ISAPI extension and degrades the overall performance of the IIS server. In the second vulnerability, a user can read fragments of certain files by providing a malformed request that causes the .htr processing to be applied to those files. Microsoft has released a fix for the problems.
http://www.ntsecurity.net/go/load.asp?iD=/security/iis4-10.htm

* IIS DENIAL OF SERVICE
USSRLabs reported a problem in Microsoft IIS that can allow Denial of Service (DoS) attacks against the server. IIS has built-in flexibility that lets it process any arbitrary sequence of file extensions or subresource identifiers (path_segments). By providing a URL that contains specially malformed file extension information, a user can arbitrarily increase the work factor associated with parsing the URL. This can consume much or all of the CPU availability, creating a DoS attack against the machine. Microsoft has released a fix for the problem.
http://www.ntsecurity.net/go/load.asp?iD=/security/iis4-11.htm

3. ========== ANNOUNCEMENTS ==========

* NEW ONLINE RESEARCH PANEL
Business Technology Research is offering qualified applicants a chance to join its new research panel. Provide direct feedback to leading technology manufacturers about products in development and influence the concept, content, and advertising for tomorrow's technology. Registrants will also be entered in a drawing to win a free Palm Pilot VII. Visit http://www.survey.com/btresearch/btrpanel.html

* TECHNET PUZZLER--CONTEST ENDS May 21!
Play the Microsoft TechNet Puzzler and use your expertise to win a trip to the Tech-Ed 2000 Conference in Orlando and a BMW Z3 Roadster!
http://www.microsoft.com/technet/puzzler/default.asp

* JOIN OUR TEAM
The Windows 2000 Magazine group is seeking highly qualified editorial, technical, and ad sales talent to staff its rapidly growing network of print and electronic media resources. For more information visit http://www.duke.com/job.cfm.

4.
========== SECURITY ROUNDUP ==========

* FEATURE: NTFS ACCESS CONTROL SECURITY ENHANCEMENTS
In Windows 2000, Microsoft redesigned how NTFS handles access control to files and other objects. You might have noticed that Security Configuration Manager (SCM), which Microsoft released in Windows NT 4.0 Service Pack 4 (SP4), handles access control like Win2K does. The new NTFS access control model takes time to get used to, but it adds some important features. The redesign changes access control in three areas. To learn what those changes are, read Randy Franklin Smith's entire feature on our Web site.
http://www.ntsecurity.net/go/2c.asp?f=/features.asp?IDF=112&TB=f

* HOWTO: ENCRYPTING FILES FOR ADDED SECURITY
If you're running NTFS on your Windows 2000 system, you can give yourself extra security by encrypting files. To do so, open My Computer, drill down to the file or folder you want to encrypt, and right-click it to bring up a menu. Select Properties and click Advanced... on the Properties dialog box. You'll find an "Encrypt contents to secure data" check-box at the bottom of the dialog box. Check this box and click OK. Click OK again to dismiss the Properties dialog box. Be sure to read the rest of John D. Ruley's article on our Web site.
http://www.ntsecurity.net/go/2c.asp?f=/howto.asp?IDF=104&TB=h

~~~~ SPONSOR: TOO MANY PASSWORDS? FREE SINGLE SIGN-ON WHITE PAPER. ~~~~
AXENT's PassGo(tm) InSync gives users one single password for universal access and can be deployed for thousands of users in as little as four days, across the entire enterprise. PassGo InSync is part of AXENT's Lifecycle Security(tm) solutions for e-security. This week and through March 10, AXENT is offering a free copy of the white paper, "Fast Path to Single Sign-On: PassGo Solutions Simplifies Secure Access."
http://www.win2000mag.com/jump.cfm?ID=29

5.
========== NEW AND IMPROVED ==========
(contributed by Judy Drennen, products@win2000mag.com)

* MESSAGE ATTACHMENT SCRUBBING AND VIRUS PROTECTION
Sophos and United Messaging announced a licensing agreement that lets United Messaging customers benefit from Sophos Anti-Virus (SAV) technology through a product called Message Control. Message Control uses SAV to improve customers' network security through virus detection and attachment scrubbing. For more information, contact Sophos at 888-767-4679 or http://www.sophos.com. Or contact United Messaging at 888-993-5088 or http://www.unitedmessaging.com.

* INCREASE NETWORK SECURITY IN SMALL AND MIDSIZED BUSINESSES
RADWARE and NetGuard will coordinate sales and marketing of security solutions comprised of NetGuard's GuardianPRO, an NT firewall, and RADWARE's FireProof, an intelligent, redundant high-availability solution for managing traffic within multiple firewall systems. GuardianPRO supports all IP protocols and services including streaming media and Voice-over-IP (VoIP) services. For more information about NetGuard or GuardianPRO, call 972-738-6900 or go to the company's Web site at http://www.netguard.com.

6. ========== SECURITY TOOLKIT ==========

* BOOK HIGHLIGHT: CYBERWARS: ESPIONAGE ON THE INTERNET
By Jean Guisnel, Gui Masai, et al.
Online Price: $12.80
Softcover; 296 Pages
Published by Perseus Books, December 1999
ISBN 0738202606

"Cyberwars" explores a world where international terrorists plot their attacks and are tracked by secret service organizations, drug traffickers do business and launder money, and electronic economic espionage is the order of the day. Examining efforts to police online communications and content, the authors assess the implications of pervasive surveillance for the Internet.

To order this book, go to http://www.fatbrain.com/shop/info/0738202606?from=win2000mag or visit the Windows 2000 Magazine Network Bookstore at http://www1.fatbrain.com/store.cl?p=win2000mag&s=97772.

* TIP: DETECTING EMAIL WORMS IN OUTLOOK
(contributed by Mark Joseph Edwards, mark@ntsecurity.net)

The recent Love Letter virus infected millions of computer users. As you know, Love Letter spread quickly by accessing the user's address book and sending a copy of the virus to everyone listed therein. Outlook users (and possibly users of other mail clients) might find it useful to have a dummy user in the address book to help detect future worms.

By creating a fictitious user with a bogus email address, a user can make Microsoft Outlook generate an onscreen error message about that bad address any time it's used to send email, including when used by a virus or worm. Having such a bogus email contact won't stop a virus or worm, but it will alert you that something is accessing your address book without your approval. You can then contact your network security personnel to investigate.

7. ========== HOT THREADS ==========

* WINDOWS 2000 MAGAZINE ONLINE FORUMS
The following text is from a recent threaded discussion on the Windows 2000 Magazine online forums (http://www.win2000mag.com/support).

May 16, 2000, 01:04 P.M.
Group/User Permissions
I seem to be having a little problem configuring some of the Group policies/permissions. Basically, what I need is to be able to give permission for some people to be able to install software at their local machine (yet logged into the network). This is mostly for the development group we have here; other users will still have to hunt down the sys admin. Is there a way to do this with Windows 2000? What did I miss? Thanks in advance.

Thread continues at http://www.win2000mag.com/support/Forums/Application/Index.cfm?CFApp=70&Message_ID=103338.

* WIN2KSECADVICE MAILING LIST
Each week we offer a quick recap of some of the highlights from the Win2KSecAdvice mailing list. The following thread is in the spotlight this week.

Fix for Backdoor in Cart32 Software
Cart32, a popular shopping basket application, was discovered to contain a deliberate backdoor that could allow a person with adequate knowledge to perform actions against a remote system. The vendor, McMurtrey/Whitaker & Associates, has released a fix.
http://www.ntsecurity.net/go/w.asp?A2=IND0005a&L=WIN2KSECADVICE&P=236

Follow this link to read all threads for May, Week 1:
http://www.ntsecurity.net/go/w.asp?A1=ind0005a&L=win2ksecadvice

* HOWTO MAILING LIST
Each week we offer a quick recap of some of the highlights from the HowTo for Security mailing list. The following threads are in the spotlight this week.

1. MS Proxy and Domain Filtering
I am trying to configure MS Proxy for Domain name filtering on multihomed server--with two internal sub-nets. What I need is domain name filtering just for one of the internal subnets. Can somebody help me with this?
http://www.ntsecurity.net/go/L.asp?A2=IND0005C&L=HOWTO&P=892

2. IPSEC VPN on Windows 2000
Has anyone successfully set up a VPN connection using IPSEC on a Windows 2000 and Cisco router that uses IPSEC? I have problems when I am configuring the router and Win2K.
http://www.ntsecurity.net/go/L.asp?A2=IND0005c&L=HOWTO&P=366

Follow this link to read all threads for May, Week 3:
http://www.ntsecurity.net/go/l.asp?A1=ind0005c&L=howto

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

WINDOWS 2000 MAGAZINE SECURITY UPDATE STAFF
News Editor - Mark Joseph Edwards (mje@win2000mag.com)
Ad Sales Manager (Western) - Jim Langone (jim@win2000mag.com)
Ad Sales Manager (Eastern) - Tanya T. TateWik (ttatewik@win2000mag.com)
Associate Publisher/Network - Martha Schwartz (mschwartz@win2000mag.com)
Editor - Gayle Rodcay (gayle@win2000mag.com)
New and Improved - Judy Drennen (products@win2000mag.com)
Copy Editor - Judy Drennen (jdrennen@win2000mag.com)

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

========== GET UPDATED!
==========
Receive the latest information about the Windows 2000 and Windows NT topics of your choice, including Win2K Pro, Exchange Server, thin-client, training and certification, SQL Server, IIS administration, XML, application service providers, and more. Subscribe to our other FREE email newsletters at http://www.win2000mag.com/sub.cfm?code=up00inxwnf.

SUBSCRIBE/UNSUBSCRIBE
Thank you for reading Windows 2000 Magazine Security UPDATE.

To subscribe, go to the UPDATE home page at http://www.win2000mag.com/update.

To remove yourself from the list, send a blank email to securityupdate@win2000mag.com.

If you have questions or problems with your UPDATE subscription, please contact securityupdate@win2000mag.com. We will address your questions or problems as quickly as we can, but please allow 2 issues for resolution.

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|

Copyright 2000, Windows 2000 Magazine
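
The IN FOCUS argument against keyword filtering, set beside the attachment-type filtering the Outlook enhancement is described as doing, as an added example (not part of the original newsletter and not Microsoft's code). The sample messages, the keyword list and the blocked-extension set are constructed assumptions.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumption: an illustrative set of script/executable extensions,
# not the list used by Microsoft's Outlook enhancement.
BLOCKED_EXT = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh",
               ".exe", ".scr", ".pif", ".bat", ".com"}
KEYWORDS = ("love letter",)  # the phrase the newsletter says people filter on


def build(subject, body, attachment=None):
    """Build a constructed sample and round-trip it through the parser,
    so the filters see what a mail gateway would see on the wire."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment:
        msg.add_attachment(b"constructed placeholder", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return message_from_bytes(msg.as_bytes(), policy=policy.default)


def keyword_filter(msg):
    """Block if the subject or plain-text body contains a keyword."""
    text = str(msg["Subject"] or "")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        text += "\n" + body.get_content()
    return any(k in text.lower() for k in KEYWORDS)


def attachment_filter(msg):
    """Block if any attachment's final extension is a blocked type."""
    for part in msg.iter_attachments():
        # Windows ignores trailing dots and spaces, and only the last
        # extension decides how the file opens: "x.TXT.vbs" is a script.
        name = (part.get_filename() or "").rstrip(". ").lower()
        dot = name.rfind(".")
        if dot != -1 and name[dot:] in BLOCKED_EXT:
            return True
    return False


# Constructed samples; subjects, bodies and file names are illustrative.
SAMPLES = {
    "original": build("Love letter for you", "Please open the attachment.",
                      "love-letter.TXT.vbs"),
    "variant": build("fwd: Joke", "Take a look at this.", "joke.TXT.vbs"),
    "newsletter": build("Security UPDATE, May 17, 2000",
                        "Love Letter virus reports have saturated the news."),
    "benign": build("Meeting notes", "Notes attached.", "notes.txt"),
}


def evaluate():
    """Return {sample: (blocked_by_keyword, blocked_by_attachment)}."""
    return {name: (keyword_filter(m), attachment_filter(m))
            for name, m in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{name:10} keyword={verdict[0]!s:5} attachment={verdict[1]}")
```

The keyword filter blocks the newsletter sample and misses the renamed variant; the attachment check catches both script attachments and lets the newsletter through.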