********************
Windows & .NET Magazine Security UPDATE--brought to you by Security
Administrator, a print newsletter bringing you practical, how-to
articles about securing your Windows .NET Server, Windows 2000, and
Windows NT systems.
   http://www.secadministrator.com
********************

~~~~ THIS ISSUE SPONSORED BY ~~~~

FREE--SANS Top Trends in Security Management
   http://list.winnetmag.com/cgi-bin3/flo?y=eLfP0CJgSH0CBw0rCF0Al

SPI Dynamics Web Application Security White Paper
   http://list.winnetmag.com/cgi-bin3/flo?y=eLfP0CJgSH0CBw0zPL0AE
   (below IN FOCUS)

~~~~~~~~~~~~~~~~~~~~

~~~~ SPONSOR: FREE--SANS TOP TRENDS IN SECURITY MANAGEMENT ~~~~
   What's the hottest trend shaping security this year? Read the FREE
SANS report sponsored by NetIQ to find out. Learn what the top industry
authorities had to say about security management in 2002. You'll gain
valuable insights and expert advice on crucial topics including new
threats, automated patching and continuous monitoring. Don't get left
behind--discover the top 8 security trends for 2002 now. Download the
must-have report today!
   http://list.winnetmag.com/cgi-bin3/flo?y=eLfP0CJgSH0CBw0rCF0Al

~~~~~~~~~~~~~~~~~~~~

April 24, 2002--In this issue:

1. IN FOCUS
     - Security Checklists and Handy Tools
 
2. SECURITY RISKS
     - Buffer Overflow in talentsoft's Web+ 5.0 and Web+ 4.6 Affects
Microsoft IIS
     - Cross-Site Scripting Vulnerability in Microsoft IE

3. ANNOUNCEMENTS
     - Learn from (or Try to Stump) Top Windows Security Pros
     - Cast Your Vote for Our Reader's Choice Awards!

4. SECURITY ROUNDUP
     - News: Microsoft Article Q320751: DoS Workarounds
     - News: New Variant of Klez Worm Spreading
     - News: eEye Digital Security and St. Bernard Software Bundle
Software
     - News: WebEyeAlert and Amcest Partner for Video Surveillance

5. INSTANT POLL
     - Results of Previous Poll: Hotfix Availability Notification
     - New Instant Poll: Antivirus Defense Location

6. SECURITY TOOLKIT
     - Virus Center
          - Virus Alert: W32/Klez.I
     - FAQ: How Can I Disable IPSec on a VPN Connection That Uses L2TP?

7. NEW AND IMPROVED
     - Secure Your Company with Cameras
     - Protect Your Hardware from Theft

8. HOT THREADS
     - Windows & .NET Magazine Online Forums
         - Featured Thread: View All Permissions and Shares
     - HowTo Mailing List
         - Featured Thread: Exceeding the 512-Character Limit of the
           Legal Logon Notice

9. CONTACT US
   See this section for a list of ways to contact us.

~~~~~~~~~~~~~~~~~~~~

1. ==== IN FOCUS ====
   (contributed by Mark Joseph Edwards, News Editor,
markntsecurity.net)

* SECURITY CHECKLISTS AND HANDY TOOLS

When you perform a new software installation, do you use a checklist to
make sure you've adjusted the configuration for better security?
Numerous helpful checklists are available for various systems, many of
them online. Windows & .NET Magazine published a new guide in February
2002, which is available for free: "Secure Your Operating System--
Guidelines for Hardening Windows 2000."

Jan De Clercq, who writes the NT Gatekeeper column for the Security
Administrator print newsletter, developed the checklist, which covers a
variety of system-configuration settings. The guide covers topics such
as authentication, access control, system-related hardening features,
Group Policy settings, and using Microsoft's Security Configuration
Tool Set. The guide also includes references to many security tools and
resources available for free. You can download a copy of the guide in
PDF format at the IT Buyer's Network Web site.
   http://www.itbuynet.com/pdf/0202-security.pdf

I also recommend a set of free checklists from Australian-based company
InterSect Alliance. You'll find valuable checklists for five products
that many of you use: Win2K, Windows NT, Microsoft IIS, Apache Web
server, and Linux.

The checklists cover several aspects of the products, and, as you might
expect, each checklist begins with suggestions about how to perform
installation. The checklists also discuss network services and network
access controls, object access controls, subsystems that particular
products contain, and, of course, auditing. Even if you have checklists
you already use, stop by the Web site and examine these lists as well--
you might find additional items for consideration that you've
overlooked.
   http://www.intersectalliance.com/projects/index.html

Arne Vidstrom, Swedish security aficionado, recently released a new
security tool--PromisDetect--which is available for free. The tool runs
on Windows XP, Win2K, and NT. The tool checks systems to determine
whether their network adapters are running in promiscuous mode. Systems
whose network adapter cards run in promiscuous mode probably run
software that acts as a traffic sniffer, and you don't want just
anybody running a sniffer on your network. As you know, network packets
often contain sensitive information, including authentication data and
proprietary company information, so letting sniffers run unchecked on
the network weakens overall security. PromisDetect is a good way to
identify rogue sniffers. However, as Vidstrom notes, because someone
running a sniffer might also be intercepting traffic from software
designed to detect sniffers, PromisDetect and similar sniffer detectors
aren't foolproof. You can download a copy of PromisDetect, as well as
several other useful security-related tools, at Vidstrom's Web site.
   http://www.ntsecurity.nu/toolbox

As I read our "HowTo for Security" mailing list last week (you can
subscribe at the URL below), I noticed that subscribers were asking how
to map listening ports back to their respective system services. As you
know, using a command such as the "netstat –a" command or the "netstat
–an" command can produce a list of ports, port service names, and IP
addresses. However, the lists don't include a map to the actual system
service that opened the port in the first place. Although you can see
which port is listening, which computer system is connected to it, and
which service the port is typically used for, you're still in the dark
about which application on your system actually opened the port.
   http://www.secadministrator.com/listserv/page_listserv.asp?s=howto

Fortunately, tools are available that support further discovery.
Foundstone's Fport tool maps listening ports to the software on your
system that opened the port. When you run the Fport tool, you see a
list of open ports matched to a list of the applications that opened
the ports. The list includes full pathnames so that you can more easily
identify the exact programs referenced. You can download a copy of
Fport and several other useful security tools at the Foundstone Web
site.
   http://www.foundstone.com/knowledge/proddesc/fport.html

Finally, are you keeping up with Microsoft security bulletins and
related hotfixes? Even if you are, keep in mind that occasionally
Microsoft publishes workarounds for security problems without releasing
a related bulletin to alert you to the need for system-configuration
adjustments. For example, Microsoft recently released the article,
"Denial of Service Attack on Port 445 May Cause Excessive CPU Use"
( http://support.microsoft.com/default.aspx?scid=kb;en-us;q320751 ).
The article discusses registry settings that can help prevent
particular Denial of Service (DoS) attacks. You can read about the
matter in the related news story in this issue of Security UPDATE.
   http://www.secadministrator.com/articles/index.cfm?articleid=24948

~~~~~~~~~~~~~~~~~~~~

~~~~ SPONSOR: SPI DYNAMICS WEB APPLICATION SECURITY WHITE PAPER ~~~~
   ALERT! Web applications are the new area of attack for hackers!
   By taking advantage of your website and using it to exploit your
applications, a hacker can gain access to your backend data. All
undetectable by today's methods of Internet security! Download this
*FREE* white paper from SPI Dynamics that provides a complete guide of
vulnerabilities and steps for protection!
   http://list.winnetmag.com/cgi-bin3/flo?y=eLfP0CJgSH0CBw0zPL0AE
   
~~~~~~~~~~~~~~~~~~~~

2. ==== SECURITY RISKS ====

* BUFFER OVERFLOW IN TALENTSOFT'S WEB+ 5.0 AND WEB+ 4.6 AFFECTS
MICROSOFT IIS
   A buffer-overflow condition in talentsoft's Web+ 5.0 and Web+ 4.6
could result in the execution of code on the vulnerable system under
the system security context. Requesting a Wireless Markup Language
(WML) file from a Web server and supplying an overly long cookie can
cause the internal buffer to overflow, overwriting a saved return
address on the stack. The vendor, talentsoft, has created a patch for
this vulnerability. For a link to the patch, visit the URL below.
   http://www.secadministrator.com/articles/index.cfm?articleid=24929

* CROSS-SITE SCRIPTING VULNERABILITY IN MICROSOFT IE
   Thor Larholm discovered a universal cross-site scripting
vulnerability in Microsoft's WebBrowser control for Microsoft Internet
Explorer (IE) that could result in elevated privileges and session-
hijacking of the MSN Messenger client. This vulnerability stems from an
error in the validation code in the dialogArguments property. Detailed
information is available on the discoverer's Web site (see the URL
below). Microsoft hasn't released a hotfix or workaround for this
problem.
   http://www.secadministrator.com/articles/index.cfm?articleid=24928

3. ==== ANNOUNCEMENTS ====

* LEARN FROM (OR TRY TO STUMP) TOP WINDOWS SECURITY PROS
   The Windows & .NET Magazine LIVE! event brings together industry
gurus who take security seriously. Topic coverage includes Microsoft
IIS security, deploying public key infrastructure (PKI), designing
Group Policies to enhance security, tips for securing Windows 2000
networks, security pitfalls (and solutions) for your mobile workforce,
and more. Register today before this event sells out!
   http://list.winnetmag.com/cgi-bin3/flo?y=eLfP0CJgSH0CBw0qQl0Ac

* CAST YOUR VOTE FOR OUR READER'S CHOICE AWARDS!
   Which companies and products do you think are the best on the
market? Nominate your favorites in four different categories for our
annual Windows & .NET Magazine Reader's Choice Awards. You could win a
T-shirt or a free Windows & .NET Magazine Super CD, just for submitting
your ballot. Click here!
   http://list.winnetmag.com/cgi-bin3/flo?y=eLfP0CJgSH0CBw0zMs0Ao

4. ==== SECURITY ROUNDUP ====

* NEWS: MICROSOFT ARTICLE Q320751: DoS WORKAROUNDS
   Peter Grundl, a researcher at KPMG in Denmark, discovered a Denial
of Service (DoS) condition in Windows 2000 that could potentially cause
systems to crash. Microsoft issued the article, "Denial of Service
Attack on Port 445 May Cause Excessive CPU Use,"
(http://support.microsoft.com/default.aspx?scid=kb;en-us;q320751 )
regarding the matter. The article describes two methods to work around
the vulnerability.
   http://www.secadministrator.com/articles/index.cfm?articleid=24948

* NEWS: NEW VARIANT OF KLEZ WORM SPREADING
   Antivirus software maker Panda Software has issued a warning about a
dangerous new worm variant, W32/Klez.I, which is spreading across
Europe and Asia. Panda Software expects the virus to spread to the
United States beginning this week.
   http://www.secadministrator.com/articles/index.cfm?articleid=24867

* NEWS: eEYE DIGITAL SECURITY AND ST. BERNARD SOFTWARE BUNDLE SOFTWARE
   eEye Digital Security and St. Bernard Software have announced a
strategic partnership to bundle eEye's Retina Network Security Scanner
software with St. Bernard's UpdateEXPERT software. The software bundle
lets administrators use Retina Network Security Scanner to scan for
security vulnerabilities and use UpdateEXPERT to help correct a problem
by guiding the administrator through the process of installing patches
and making configuration adjustments.
   http://www.secadministrator.com/articles/index.cfm?articleid=24925

* NEWS: WebEyeAlert AND AMCEST PARTNER FOR VIDEO SURVEILLANCE
   WebEyeAlert, which develops WebEyeAlert video security surveillance
technology, announced a strategic partnership with Amcest, a nationwide
monitoring service. Under the terms of the partnership, Amcest will
offer its dealers the WebEyeAlert solution to promote free video
monitoring services to its customers.
   http://www.secadministrator.com/articles/index.cfm?articleid=24924

5. ==== INSTANT POLL ====

* RESULTS OF PREVIOUS POLL: HOTFIX AVAILABILITY NOTIFICATION
   The voting has closed in Windows & .NET Magazine's Security
Administrator Channel nonscientific Instant Poll for the question, "If
someone makes information about a security vulnerability public before
the company whose product is involved has developed a fix, should that
company notify customers about an estimated time when a fix will be
available?" Here are the results (+/- 2 percent) from the 473 votes:
   - 90% Yes
   - 6% No
   - 4% Not sure

* NEW INSTANT POLL: ANTIVIRUS DEFENSE LOCATION
   The next Instant Poll question is, "Where have you placed your
organization's antivirus defenses?" Go to the Security Administrator
Channel home page and submit your vote for a) on desktops, b) on email
servers, c) on file servers, d) at the Internet border, or e) at two or
more of the above locations.
   http://www.secadministrator.com

6. ==== SECURITY TOOLKIT ====

* VIRUS CENTER
   Panda Software and the Windows & .NET Magazine Network have teamed to
bring you the Center for Virus Control. Visit the site often to remain
informed about the latest threats to your system security.
   http://www.secadministrator.com/panda

- Virus Alert: W32/Klez.I
   W32/Klez.I is a worm that's designed to spread through email. The
messages the worm sends have different subjects, which include

   A new website
   Introduction on ADSL
   Fw:virus,japanese lass' sexy pictures
   A very new game
   NOSHADE CLASS

The body of the message the worm sends might contain any of the
following text:

   This is a new website. I wish you would like it.
   This game is my first work.
   You're the first player.
   I hope you would enjoy it

Files attached to messages the worm sends have random names. Once run,
the worm creates a file in the Windows directory and a file in the
Program Files folder.
   http://63.88.172.127/panda/index.cfm?fuseaction=virus&virusid=1154

* FAQ: HOW CAN I DISABLE IPSEC ON A VPN CONNECTION THAT USES L2TP?
   ( contributed by John Savill, http://www.windows2000faq.com )

A. Windows automatically creates an IP Security (IPSec) policy for
Layer Two Tunneling Protocol (L2TP) connections because L2TP doesn't
encrypt data. However, you might want to test a VPN L2TP connection
without IPSec (e.g., when you're troubleshooting). Although you must
disable IPSec on both the client and server in this situation, make
sure you reenable the security policy after you resolve any problems;
otherwise, your systems are vulnerable to attack. To disable IPSec,
perform the following steps on both client and server:

   1. Start a registry editor (e.g., regedit.exe).
   2. Navigate to the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters
subkey.
   3. From the Edit menu, select New, DWORD Value.
   4. Enter a name of ProhibitIpSec and click Enter.
   5. Double-click the new value, set it to 1, and click OK.
   6. Restart the machine.

   For more information, see the Microsoft article "How to Configure a
L2TP/IPSec Connection Using Pre-shared Key Authentication."
   http://support.microsoft.com/default.aspx?scid=kb;en-us;q240262

7. ==== NEW AND IMPROVED ====
   (contributed by Judy Drennen, productswinnetmag.com)

* SECURE YOUR COMPANY WITH CAMERAS
   CamDevTeam released CamSurveillance, shareware capable of monitoring
up to 50 IP-addressable network cameras to secure your company. You can
use the cameras within your company's LAN or select your favorite
WebCams from the Internet. CamSurveillance runs on Windows XP, Windows
2000, Windows NT, Windows Me, and Windows 9x systems and costs $49.95.
Contact CamDevTeam at webmastercamsurveillance.com for a trial
download.
    http://www.camsurveillance.com

* PROTECT YOUR HARDWARE FROM THEFT
   Brigadoon Software announced PC PhoneHome Enterprise, software that
gives enterprise-level users a security tool to protect computer
hardware and intellectual property against theft. PC PhoneHome
Enterprise works by sending periodic signals to a centralized command
center the licensee chooses with the exact coordinates of the
registrant's computer. If the computer is lost or stolen, the signals
can pinpoint the computer's whereabouts. PC PhoneHome Enterprise runs
on all Windows and Macintosh systems. For pricing, contact Brigadoon at
the Web site.
   http://www.brigadoonsoftware.com

8. ==== HOT THREADS ====

* WINDOWS & .NET MAGAZINE ONLINE FORUMS
   http://www.winnetmag.net/forums

Featured Thread: View All Permissions and Shares
   (Two messages in this thread)

Tom wants to know how he can view a list of all permissions and shares
on a given system. Can you help?
   http://www.secadministrator.com/forums/thread.cfm?thread_id=102362

* HOWTO MAILING LIST
   http://www.secadministrator.com/listserv/page_listserv.asp?s=howto

Featured Thread: Exceeding the 512-Character Limit of the Legal Logon
Notice
   (One message in this thread)

Windows 2000 Group Policy restricts the length of the logon sequence
legal notice text to 512 characters. This length is probably sufficient
in most cases. However, some countries have a legal requirement to
display such notices in more than one language, which can cause the
total text displayed to exceed the 512-character limit. Are there any
known workarounds to the 512-character restriction? Can you help? Read
the responses or lend a hand at the following URL.
   http://63.88.172.96/listserv/page_listserv.asp?A2=ind0204c&l=howto&p=659

9. ==== CONTACT US ====
   Here's how to reach us with your comments and questions:

* ABOUT IN FOCUS -- markntsecurity.net

* ABOUT THE NEWSLETTER IN GENERAL -- vpattersonwinnetmag.com (please
mention the newsletter name in the subject line)

* TECHNICAL QUESTIONS -- http://www.winnetmag.net/forums

* PRODUCT NEWS -- productswinnetmag.com

* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer
Support -- securityupdatewinnetmag.com

* WANT TO SPONSOR SECURITY UPDATE? emedia_oppswinnetmag.com

********************

   This email newsletter is brought to you by Security Administrator,
the print newsletter with independent, impartial advice for IT
administrators securing a Windows 2000/Windows NT enterprise. Subscribe
today!
   http://www.secadministrator.com/sub.cfm?code=saei25xxup

   Receive the latest information about the Windows and .NET topics of
your choice. Subscribe to our other FREE email newsletters.
   http://www.winnetmag.net/email

|-+-+-+-+-+-+-+-+-+-|

Thank you for reading Security UPDATE.

SUBSCRIBE
To subscribe, send a blank email to mailto:Security-UPDATE_Sublist.winnetmag.com.

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoattrition.org with 'unsubscribe isn'
in the BODY of the mail.

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]