Information Security News
mailing list archives
Security UPDATE, July 11, 2001
From: InfoSec News <isn () c4i org>
Date: Thu, 12 Jul 2001 04:58:38 -0500 (CDT)
Windows 2000 Magazine Security UPDATE--brought to you by Security
Administrator, a print newsletter bringing you practical, how-to
articles about securing your Windows 2000 and NT systems.
~~~~ THIS ISSUE SPONSORED BY ~~~~
UltraBac Version 6.3 Deploys Machines Faster!
~~~~ ULTRABAC VERSION 6.3 DEPLOYS MACHINES FASTER! ~~~~
UltraBac Software announces new support for Windows NT(R)/2000/XP
disaster recovery, disk cloning, and ultra-fast rollouts of server and
workstation installations. The utility runs using a Win9x/DOS bootable
floppy and can backup/restore only the clusters marked in-use. A system
administrator can now copy or restore multiple images onto a network
share (or tape) in significantly less time than other options. The
program is available without charge for personal use. Visit
http://go.win2000mag.net/UM/T.asp?A2153.23115.1203.1.532985 to download
a free live trial of the software.
July 11, 2001--In this issue:
1. IN FOCUS
- Updated Windows 2000 Security Tools
2. SECURITY RISKS
- Back Door in R.I. Soft Systems Screensavers
- SMTP Vulnerability in Windows 2000
- Get 25 Percent Off Windows 2000 Magazine!
- Now Is the Time, Now Is the Time . . .
4. SECURITY ROUNDUP
- News: Linux Community Fights .NET
- News: Windows XP Pricing, Packaging Revealed
- Review: Security Analyzer 3.5a
- Review: NTRama 3.0
5. SECURITY TOOLKIT
- Book Highlight: The Handbook of System and Network Security
- Virus Center
- Virus Alert: X97M/Barisada.C
- FAQ: How Can I Add a Boot Option that Starts with the Alternate
- Windows 2000 Security: Don't Shoot Yourself in the Foot with
Group Policy Security Settings, Part 1
- SOHO Security: Zombie Attackers
6. NEW AND IMPROVED
- Data Encryption and Smart Card Technology
- Track PC Use
7. HOT THREADS
- Windows 2000 Magazine Online Forums
- Featured Thread: Security Overview
- How-to Mailing List
- Featured Thread: Event ID 643
8. CONTACT US
See this section for a list of ways to contact us.
1. ==== COMMENTARY ====
On June 6, I wrote about the need for adequate exit procedures when an
employee leaves a company (for whatever reasons). This week, I came
across an interesting news item at ComputerWorld (see URL below) that
serves as a great case in point. A company suffered repeated Denial of
Service (DoS) attacks after firing two key software developers. As it
turned out, the company failed to change certain passwords after firing
the two employees, and subsequently, these two former employees used
those passwords to gain remote access to the company's application
server and crash it. Be sure to read the details of the story with its
You might also recall that on June 20, I mentioned that the National
Security Agency (NSA) had released a set of documents to help users
secure Windows 2000 systems. The demand for these documents was
overwhelming, and the NSA had to take the documents offline because of
the server load. NSA contracted with Conxion to host these documents,
which are available again from links at the NSA Web site. In addition,
NSA has made documents available that help secure Cisco routers. You can
find both sets of documents at the following URL.
Speaking of Win2K security, Microsoft has an updated version of the
cipher.exe tool that it's shipping with Win2K as part of the Encrypting
File System (EFS). The original cipher.exe version that ships with the
OS doesn't include a mechanism to wipe data off the hard disk; however,
the updated version does include such functionality. During typical
system operation, when you delete a file, the OS doesn't actually erase
the data associated with that file. Instead, the OS marks the disk
clusters related to that file as available empty space, and the data
remains intact within those clusters until another process overwrites
the clusters with new data. In other words, you can recover deleted
files from a Win2K system in certain instances.
Clem Colman of Colman Communications realized the problem and suggested
that Microsoft provide a cluster-wiping mechanism, and now this updated
cipher.exe version is available to overwrite all unallocated clusters,
guarding against unwanted data recovery. You can find the updated
cipher.exe file on Microsoft's TechNet Web site.
Of course, third-party tools that wipe data off the hard disk are also
available. A few freeware packages that I am aware of include Parisien
Encryption Tools from Parisien Research, Without a Trace from Karmadrome
Software, and BCWipe from Jetico. You can find the packages at their
respective URLs below. Until next time, have a great week.
Mark Joseph Edwards, News Editor, mark () ntsecurity net
2. ==== SECURITY RISKS ====
(contributed by Ken Pfeil, ken () win2000mag com)
* BACK DOOR IN R.I. SOFT SYSTEMS SCREENSAVERS
Steve Johns reported a back door in R.I. Soft Systems 4th of July
Fireworks and Living Waterfalls demo screensavers. By pressing the space
bar on the keyboard, you can circumvent the screensaver's lock
workstation function. A malicious user can open the default Web browser
with the R.I. Soft System Web site by using the security context of the
currently logged-on user. From there, the attacker can run explorer.exe
in the browser's address window to get the desktop and to run programs
under this context. A malicious user can also exploit this vulnerability
remotely through Windows 2000 Terminal Services Advanced Client
(formerly known as Terminal Services Web Client). The vendor, R.I. Soft
Systems, is aware of the vulnerabilities but doesn't intend to release a
fix. To work around this problem, a user can uninstall the demo
* SMTP VULNERABILITY IN WINDOWS 2000
Joao Gouveia reported a vulnerability in the default SMTP server that
is installed with the Windows 2000 Professional, Windows 2000 Server,
Windows 2000 Advanced Server, and Windows 2000 Datacenter Server
versions of Win2K. An attacker can use a vulnerability in the SMTP
authentication process to authenticate to the SMTP service using
incorrect credentials. An attacker can gain user-level privileges on the
SMTP service and use the service to perform SMTP mail relaying. This
vulnerability affects only standalone machines, not domain controllers
(DCs) or Microsoft Exchange mail servers running Win2K. Microsoft has
released security bulletin MS01-037 for this vulnerability and
recommends that Win2K users immediately apply the patch mentioned in the
bulletin. Patches for Win2K Datacenter are hardware specific and are
available only through the OEM. As usual, if a service is not needed, a
user should disable the service.
3. ==== ANNOUNCEMENTS ====
* GET 25 PERCENT OFF WINDOWS 2000 MAGAZINE!
Every issue of Windows 2000 Magazine is packed with superb coverage
of security, Active Directory (AD), disaster recovery, Exchange (and
more) and helps you navigate the rough waters of your job with ease.
Subscribe now (at 25 percent off the regular rate!) and find out why
your peers think we're simply the best independent resource for Windows
* NOW IS THE TIME, NOW IS THE TIME . . .
It's Windows 2000 Magazine LIVE! Hear and talk with the writers
you've come to trust. Minasi, Daily, Mar-Elia, and Russinovich join a
host of world-renowned gurus to help you be more successful. The seven
dedicated tracks include Active Directory (AD), .NET Servers, Security,
plus a bonus SMS track sponsored by Altiris. Attend concurrently running
XML & Web Services Connections for FREE! Now is the time to reserve your
4. ==== SECURITY ROUNDUP ====
* NEWS: LINUX COMMUNITY FIGHTS .NET
As expected, the Linux community announced a variety of open-source
replacements for Microsoft's .NET product line Monday, including a way
to run C# programs and the .NET Common Language Infrastructure (CLI) on
Linux. The Free Software Foundation (FSF) and Linux desktop application
maker Ximian are spearheading the development of these tools, which are
called DotGNU and GNU Mono. The companies say that their open-source
alternatives will overcome the limitations of Microsoft's centralized
* NEWS: WINDOWS XP PRICING, PACKAGING REVEALED
Amazon.com is the first online retailer to offer the Windows XP full
and upgrade versions for advanced sale, giving us an early idea of how
much the product will cost and what the packaging will look like. On
Amazon.com, the upgrade version of Windows XP Home Edition is priced
slightly higher than Windows Me, the product it's replacing; prices for
Windows XP Professional Edition are similarly higher than its
predecessor, Windows 2000 Professional. Although Microsoft has yet to
release official pricing for the products, Amazon's prices are roughly
equivalent to what we've been expecting.
* REVIEW: SECURITY ANALYZER 3.5A
NetIQ's Security Analyzer 3.5a architecture is based on profiles and
policies. Profiles let you create scanning conditions (i.e., which
policies to use and which hosts to scan) and policies define what
Security Analyzer will search for during a security check. NetIQ offers
10 default security policies: Complete Security Analysis, Standard
Security Analysis, Critical Security Analysis, Intermediate Security
Analysis, Inventory Scan, Port Scan Only (Well-Known Ports), Port Scan
Only (Standard Ports), Password Grinding Analysis, Ping Scan, and UNIX
Security Analysis. These policy files are essentially Perl scripts, so
if you know Perl, you can create your own policies. Security Analyzer
even includes a software development kit (SDK) to help you create custom
policy files. Learn more about this product in Jonathan Chau's Lab
Review on our Web site.
* REVIEW: NTRAMA 3.0
CoperNet's NTRama 3.0 is a network-discovery and inventory tool that
scans your network's Windows 2000, Windows NT, and Windows 9x computers.
The software saves the results to a central ODBC-compliant database
file, on which you can run queries to obtain a global vision of your
infrastructure. CoperNet didn't design NTRama as an end-all
network-management application. Instead, NTRama is a scaled-down
solution that functions impressively as a scanner, requiring no software
agents on any other computer on the network. Learn all about it in
Dennis Williams Lab Review on our Web site.
5. ==== SECURITY TOOLKIT ====
* BOOK HIGHLIGHT: THE HANDBOOK OF SYSTEM AND NETWORK SECURITY
By Julia H. Allen
Fatbrain Online Price: $39.99
Softcover; 464 pages
Published by Addison Wesley Longman, June 2001
For more information or to purchase this book, go to
and enter WIN2000MAG as the discount code when you order the book.
* VIRUS CENTER
Panda Software and the Windows 2000 Magazine Network have teamed to
bring you the Center for Virus Control. Visit the site often to remain
informed about the latest threats to your system security.
Virus Alert: X97M/Barisada.C
This virus contains a single macro associated with the
WindowDeactivate event. The virus triggers when a user moves from an
Excel window with an infected book to another Excel window. The virus
first checks the global variable StartUpPath to see whether a copy of
itself exists in the Excel Start directory. If this directory doesn't
exist, the virus provokes an interesting secondary effect: Because the
virus can't copy itself to where it wants, it opens two new Excel books,
which stops the user from exiting the program. The virus opens a number
of books and continually increases the number. For complete details on
this macro virus, be sure to visit the URL below.
* FAQ: HOW CAN I ADD A BOOT OPTION THAT STARTS WITH THE ALTERNATE
( contributed by John Savill, http://www.windows2000faq.com )
A. Under the registry key
is the value AlternateShell, which is set to cmd.exe (the command
prompt). When you press F8 during startup and select "Safe Mode with
Command Prompt," the system uses this alternate shell. You shouldn't
change the AlternateShell value. You can, however, create a boot option
so that you don't have to press F8, then select "Safe Mode with Command
1. Edit the boot.ini (c:\boot.ini) file attributes to make the file
nonread-only, nonsystem, and nonhidden (attrib c:\boot.ini -r -s -h).
2. Open boot.ini.
3. Add a line similar to the following:
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP
Professional" /fastdetect /SAFEBOOT:MINIMAL(ALTERNATESHELL).
4. Save the file.
5. Reapply the correct permissions (attrib c:\boot.ini +r +s +h).
* WINDOWS 2000 SECURITY: DON'T SHOOT YOURSELF IN THE FOOT WITH GROUP
POLICY SECURITY SETTINGS, PART 1
Recently, when Randy Franklin Smith presented a Windows 2000 security
seminar, one of his students made a simple change to rights assignments
in Group Policy, and Randy discovered how easy it is to lock everyone
out of an Active Directory (AD) domain. The incident taught Randy how
important it is to use strict change-management controls, to follow
least-privilege doctrine, and to implement some fail-safe measures in AD
to protect domain controllers (DCs). To find out how Randy recovered
from this situation, read his latest article on our Web site!
* SOHO SECURITY: ZOMBIE ATTACKERS
While researching information to write Spyware, Part 1 and Part 2,
Jonathan Hassell explored the Gibson Research Corporation Web site.
Steve Gibson, an assembly language programmer and noted advocate for
consumer privacy on the Internet, is also interested in security systems
connected to the Internet. Recently, script kiddies attacked his Web
site (script kiddies are young crackers who maliciously knock off Web
Unlike most victims of an Internet assault, Gibson dissected and
analyzed the attack. On his Web site, Gibson describes what he did to
find out how the script kiddies used a Distributed Denial of Service
(DDoS) attack on his systems, and he shares what he did to protect his
Web site in the future. To find out how, be sure to read Jonathan
Hassell's latest article on our Web site!
6. ========== NEW AND IMPROVED ==========
(contributed by Scott Firestone, IV, products () win2000mag com)
* DATA ENCRYPTION AND SMART CARD TECHNOLOGY
WinMagic and Datakey announced integration of the Datakey Certified
Internet Professional (CIP) system with WinMagic's SecureDoc 2.5 disk
encryption software. The software encrypts all data written to the
disks. Users don't have to save files to certain folders or drives for
the software to encrypt the files. SecureDoc 2.5 runs on Windows 2000,
Windows NT, Windows Me, and Windows 9x systems. For pricing, contact
WinMagic at 905-502-7000 ext. 222.
* TRACK PC USE
Alexander Jmerik released Boss Everyware 2.3, security software that
records data about how people use a PC. The software keeps a log of
which programs each user runs, and how much time they've spent on those
programs. The software is password-protected, and only the network
administrator can access it. Boss Everyware 2.3 runs on Windows 2000,
Windows NT, Windows Me, and Windows 9x systems. Pricing starts at $49
for a single-user license. Contact Alexander Jmerik at
info () boss dids com
7. ==== HOT THREADS ====
* WINDOWS 2000 MAGAZINE ONLINE FORUMS
Featured Thread: Security Overview
(Four messages in this thread)
A user wants recommendations for books that provide an overview of most
IT security aspects (e.g., firewalls, Secure Sockets Layer (SSL), and
demilitarized zone (DMZ)) and the security aspects of FTP, HTTP, HTTPS,
POP3, and SMTP. Also, ssh and Telnet (e.g., how they work, their
vulnerabilities). The books he has come across don't provide details
that a beginner or intermediate person in the security field can grasp.
Read the responses or lend a hand at the following URL:
* HOWTO MAILING LIST
Featured Thread: Event ID 643
(Two messages in this thread)
This user found an item in the Event Log associated with Event ID 643.
Typically, this ID reflects a condition in which an administrator has
changed the domain's password requirements or lockout policy. However,
this user said this wasn't the case, so he suspects the event might be
related to local policy changes, but he is uncertain what type of
changes to a local machine might trigger the logging of Event ID 643.
Can you help? Read the responses or lend a hand at the following URL:
8. ==== CONTACT US ====
Here's how to reach us with your comments and questions:
* ABOUT THE COMMENTARY -- mark () ntsecurity net
* ABOUT THE NEWSLETTER IN GENERAL -- tfaubion () win2000mag com; please
mention the newsletter name in the subject line.
* TECHNICAL QUESTIONS -- http://www.win2000mag.net/forums
* PRODUCT NEWS -- products () win2000mag com
* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? -- Email Customer
Support at securityupdate () win2000mag com
* WANT TO SPONSOR Security UPDATE? emedia_opps () win2000mag com
Receive the latest information about the Windows 2000 and Windows NT
topics of your choice. Subscribe to our other FREE email newsletters.
Thank you for reading Security UPDATE.
Copyright 2001, Penton Media, Inc.
ISN is hosted by SecurityFocus.com
To unsubscribe email isn-unsubscribe () SecurityFocus com
- Security UPDATE, July 11, 2001 InfoSec News (Jul 12)