Information Security News
mailing list archives
Security UPDATE, June 20, 2001
From: InfoSec News <isn () c4i org>
Date: Thu, 21 Jun 2001 03:00:14 -0500 (CDT)
Windows 2000 Magazine Security UPDATE--brought to you by the Windows
2000 Magazine Network
**Watching the Watchers**
~~~~ THIS ISSUE SPONSORED BY ~~~~
WEBTRENDS FIREWALL SUITE -- DOWNLOAD FREE TRIAL!
~~~~ SPONSOR: WEBTRENDS FIREWALL SUITE--DOWNLOAD FREE TRIAL! ~~~~
Experienced IT Managers know security requires insight!
With WebTrends Firewall Suite, you'll get in-depth analysis of both
incoming and outgoing traffic through your network. Monitor bandwidth
usage, measure VPN activity, and receive alerts by e-mail or pager
whenever critical security events occur. Firewall Suite 3.1 provides
support for 35 leading firewall and proxy servers, including Cisco and
Check Point. Currently a featured download on Tech Republic.
Click here for your FREE trial, download now:
June 20, 2001--In this issue:
1. IN FOCUS
- Debugging Code: Haste Makes Waste
2. SECURITY RISKS
- SQL Server Cached Credentials Vulnerability
- IIS Buffer Overflow Condition in Index Server Component
- Visit the New Connected Home Web Site!
- Running Domino on Windows NT/2000?
4. SECURITY ROUNDUP
- News: NSA Releases Win2K Security Recommendation Guidelines
- Windows 2000 Magazine Network Names Tech Ed Best of Show
- News: Stay on Target
- Review: Endurance 6200 3.0
- Report: Internet Security: Repelling the Inevitable Attack
5. HOT RELEASES (ADVERTISEMENTS)
- Host Intrusion Prevention for Servers and Desktops
- LANguard SELM: Intrusion detection for NT/2000!
6. SECURITY TOOLKIT
- Book Highlight: Active Defense: A Comprehensive Guide to Network
- Virus Center: Flip.MP2153.A
- Virus Center: W32/Beast.A
- FAQ: Why Is My ISA Server Using 50 Percent of Available Memory
for the RAM Proxy Cache?
- SOHO Security: Spyware, Part 2
7. NEW AND IMPROVED
- Security Solution Secures Clients' Assets
- All PCs on a LAN Can Access Internet with One Connection
8. HOT THREADS
- Windows 2000 Magazine Online Forums
Setting Up VPN
- HowTo Mailing List
HKCR Permission on Windows 2000
9. CONTACT US
See this section for a list of ways to contact us.
1. ==== COMMENTARY ====
Do you run IIS? If so, you need to know that Microsoft has issued
security bulletin MS01-033 about yet another nasty hole in the IIS-based
Index Server 2.0 on Windows NT 4.0 and the Indexing Service on Windows
2000 and beta versions of Windows XP. eEye Digital Security discovered
( http://www.eeye.com/html/Research/Advisories/index.html ), which can
let an intruder access the server under the security context of the
built-in system account. The problem stems from an unchecked buffer in
an Internet Server API (ISAPI) filter used during the course of
processing .ida files, which are related to the Index Server and
Indexing Service. Read more about this problem in the related story
under SECURITY RISKS.
I point out this newly discovered problem because this is the fourth
time in 2 years that eEye Digital Security has discovered an exploit
against IIS that can grant an intruder system-level access. If hackers
can find such dangerous holes in IIS, why can't Microsoft find them
before the code rolls out to millions of Web servers around the planet?
Each time such a hole surfaces, countless systems become easy prey
because administrators don't apply security fixes fast enough. We can
blame administrators and less-than-thorough administration, but it's
Microsoft's fault that the holes exist to begin with.
Some time ago, Microsoft said it was placing more focus on the security
of its products, and the added effort shows. But even so, the company's
efforts obviously aren't enough. When confronted with the number of
security problems in its products, Microsoft shifts the blame to the
volume of code in Windows platforms and related products. The company
says that with millions of lines of code, finding every potential
security risk before a product ships is impossible. But hackers don't
seem to find many barriers to vulnerability discovery regardless of how
big Microsoft's code becomes. Microsoft needs to follow its own recent
advice and introduce a higher level of best practices into its
I admit that excellent hackers are a tough act to follow, but given the
resources available to Microsoft, I fail to understand why the company
doesn't do a better job of debugging its code before releasing it into
production. You've heard the adage, "Haste makes waste." In the case of
security-related bugs, any haste on Microsoft's part generally costs its
customers lots of money in subsequent damages.
I wonder why users have no recourse against defective software products
when they do have recourse against many other types of defective
products. After all, Microsoft dominates about 80 percent of all
desktops on the planet. A vast percentage of worldwide commerce pivots
around Microsoft technology, but the company produces less than safe
products. When we use Microsoft's products, we're subject to its license
structure and we must accept all the product's risks by default, by
using that license structure. Do you think General Motors could get away
with a similar license for its somewhat dangerous Sport Utility Vehicles
(SUVs) or any other automobile? Not a chance.
On a semi-related note, the National Security Agency (NSA) released a
set of documents and templates that help people secure their Windows
environments. Be sure to read the related news story in the SECURITY
ROUNDUP section of this newsletter. Xato Network Security downloaded the
documents and discovered some glaring contradictions and inaccuracies.
An Xato representative posted a message on our Win2KSecAdvice mailing
list detailing some of these findings, so be sure to read it at the URL
below before implementing any of NSA's templates or recommended
configuration settings. Until next time, have a great week.
Mark Joseph Edwards, News Editor
mark () ntsecurity net
2. ========== SECURITY RISKS =========
(contributed by Ken Pfeil, ken () win2000mag com)
* SQL SERVER CACHED CREDENTIALS VULNERABILITY
A vulnerability in Microsoft SQL Server 2000 and SQL Server 7.0 can
let an attacker execute SQL queries using the systems administrator
security context. When a user terminates a client connection to a SQL
Server, the connection remains cached for a period of time because of
performance reasons. One SQL query method contains this cache
vulnerability, and an attacker can use the query to reuse a cached
connection that once belonged to the systems administrator account. An
attacker can then take actions on the database (e.g., running code), and
under the right conditions, can assume full control of the server.
Microsoft has released security bulletin MS01-032 for this vulnerability
and recommends that users immediately apply the patch mentioned in
Microsoft article Q299717.
* IIS BUFFER OVERFLOW CONDITION IN INDEX SERVER COMPONENT
eEye Digital Security has discovered that a vulnerability in
Microsoft Index Server can let an attacker execute code under the system
security context and take any action on the server, including assuming
full control of the server. This vulnerability stems from an unchecked
buffer in the Index Server Internet Server API (ISAPI) extension,
idq.dll, which supports administration scripts. The buffer overrun
condition occurs before any indexing is requested; therefore, the server
remains vulnerable even if the Index Service isn't running. If you have
the script mappings for .ida and .idq extensions in place, and users can
establish Web sessions to the server, you have a vulnerable server.
Microsoft has released security bulletin MS01-033 and recommends that
users immediately apply the patch specified in the bulletin. The company
further recommends that you remove script mappings for .ida and .idq
extensions under IIS if you're not using them as mentioned in the
security checklists for IIS 4.0 and IIS 5.0, which are linked in the
report at the following URL:
3. ==== ANNOUNCEMENTS ====
* VISIT THE NEW CONNECTED HOME WEB SITE!
The people who bring you Connected Home EXPRESS have launched a new
Web site! Get how-to tips and tricks to help you with home networking,
home theater, audio, and much more. While you're there, sign up (for
free!) for the first issue of Connected Home Magazine, due out in late
October. Check it out!
* RUNNING DOMINO ON WINDOWS NT/2000?
Don't miss this chance to get the latest tips for enhancing your
Domino/Windows installation! Learn first hand from the Lotus product
team and world-renowned independent gurus who share their best
discoveries. You'll find cutting-edge sessions on Domino administration,
integration, and in-depth drilldowns for developers. Seats are going
fast, so reserve your spot today!
4. ==== SECURITY ROUNDUP ====
* NEWS: NSA RELEASES WIN2K SECURITY RECOMMENDATION GUIDELINES
The US National Security Agency (NSA) has released a set of
guidelines and templates to help you secure Windows 2000 systems. The
materials contain 5 templates to use with Microsoft's Security
Configuration Editor, 17 guides to secure various aspects of the OS, and
3 supporting documents with in-depth defense coverage and details about
various popular software packages.
* WINDOWS 2000 MAGAZINE NETWORK NAMES TECH ED BEST OF SHOW WINNERS
Penton Technology Media, publisher of Windows 2000 Magazine and SQL
Server Magazine, named winners of the Windows 2000 Magazine Network Best
of Show Awards at Microsoft Tech Ed 2001 in Atlanta this week.
Winternals Software's Administrator Pak won Best Overall Product. "This
bundle of Winternals' most popular repair and recovery utilities has
broad appeal for our audience," said Karen Forster, editor in chief of
Windows 2000 Magazine and SQL Server Magazine. "These tools give systems
administrators the ability to recover crashed systems, remotely access
systems for repair, reconstruct damaged files, edit the registry of
unbootable systems, and more. The value to our audience is unmatched."
Crystal Decisions' Crystal Analysis Professional won best product in the
SQL Server category, and CAST's Application Mining Suite was runner-up.
Quest Software's FastLane ActiveRoles won best product in the Windows
2000 category, and Marathon Technologies' Endurance product was named
runner-up. Sybari Software's Antigen 6.1 won best product in the
Exchange Server category, and BindView's bv-Control for Microsoft
Exchange was runner-up. For more details and a list of finalists in each
category, visit the Windows 2000 Magazine Web site.
* NEWS: STAY ON TARGET
Windows XP is moving toward its October general release, and if
you've been thinking about deploying Windows 2000 in your enterprise or
are in the middle of a Win2K rollout, the availability of XP has
undoubtedly raised questions for you. Before you start worrying about
whether you should scuttle your Win2K rollout and wait for XP, read Paul
Thurrott's perspective on our Web site.
* REVIEW: ENDURANCE 6200 3.0
Fault tolerance means different things to different people. According
to a broad definition, fault tolerance ensures that an application is
always available to its users. For example, if a problem occurs with an
application on one server in a clustered server scenario, another server
takes over. Although clusters provide high availability for
applications, they don't satisfy John Green's definition of true fault
tolerance because the application's recovery from a system failure isn't
always transparent to users. Be sure to read what Green says about
Endurance 6200 3.0--a new fault-tolerant server array that doesn't
suffer from the shortcomings of a clustered server.
* REPORT: INTERNET SECURITY: REPELLING THE INEVITABLE ATTACK
In this special report from Windows 2000 Magazine, Bob Kretschman
discusses how system intrusion can cost your company big money.
Kretschman discusses the damage suffered by Egghead.com and Omega
Engineering as examples of how expensive intrusions can become.
In addition, Jan De Clercq helps you understand the differences between
Windows 2000 and Windows NT security. According to De Clercq, OS
security is based on three core services: authentication, authorization
(or access control), and auditing. Although these three services serve
three different goals, they are interdependent: A good auditing system
depends on a good authorization system, which in turn depends on a good
authentication system. The document is available in Adobe PDF format on
our IT Buyer's Network.
5. ==== HOT RELEASES (ADVERTISEMENTS) =====
* HOST INTRUSION PREVENTION FOR SERVERS AND DESKTOPS
CyberwallPLUS uses a packet filtering firewall, stateful packet
inspection, and active intrusion detection to secure and protect
sensitive servers and workstations operating in "electronically open"
networks. Three levels of host security in one product - CyberwallPLUS
Free 30-day evaluation -
* LANGUARD SELM: INTRUSION DETECTION FOR NT/2000!
GFI's new LANguard Security Event Log Monitor & Reporter provides
centralized network-wide monitoring of NT/2000 security logs & alerts
the administrator of security breaches for immediate intrusion detection
(host-based). Download your evaluation copy at:
6. ==== SECURITY TOOLKIT ====
* BOOK HIGHLIGHT: ACTIVE DEFENSE: A COMPREHENSIVE GUIDE TO NETWORK
By Chris Brenton, Cameron Hunt
List Price: $49.99
Fatbrain Online Price: $39.99
Softcover; 736 pages
Published by Sybex, May 2001
For more information or to purchase this book, go to
and enter WIN2000MAG as the discount code when you order the book.
* VIRUS CENTER
Panda Software and the Windows 2000 Magazine Network have teamed to
bring you the Center for Virus Control. Visit the site often to remain
informed about the latest threats to your system security.
Virus Alert: Flip.MP2153.A
Flip.mp.2153.A is an MS-DOS-resident encrypted virus that infects
files with the following extensions: .exe, .com, or .ovl. The virus also
infects the command.com file (in the hard disk root directory) and
modifies the Master Boot Record (MBR) and the BOOT (the boot sector of
3.5" disks). Upon infection, the virus becomes memory resident, thereby
decreasing your memory's available free space by 3064 bytes.
Virus Alert: W32/Beast.A
W32/Beast.A is a hybrid virus that consists of two components: a
macro virus that affects Microsoft Word documents and a Windows 95
virus. Infections are carried out through its Windows 95 component. The
other section of the virus (the Word component) works as support. The
virus spreads to other systems using the same means common to most macro
viruses; therefore, the virus is contained in each previously infected
* FAQ: WHY IS MY ISA SERVER USING 50 PERCENT OF AVAILABLE MEMORY FOR THE
RAM PROXY CACHE?
( contributed by Paul Robichaux, http://www.windows2000faq.com )
By default, Internet Security and Acceleration (ISA) Server 2000 uses 50
percent of the available memory for a RAM-based proxy cache. To modify
the amount of memory ISA Server uses, perform the following steps:
1. Start the Microsoft Management Console (MMC) ISA Server Admin
snap-in (Start, Programs, Microsoft ISA Server, ISA Management).
2. Right-click the Cache Configuration branch, and select Properties.
3. Select the Advanced tab.
4. For "Percentage of free memory to use for caching," change the
number from 50 (the default) to the value you want (e.g., 5) and Click
5. When the system prompts you, choose to either save changes but not
restart the service or save changes and restart the service. Click OK.
* SOHO SECURITY: SPYWARE, PART 2
In Spyware, Part 1, Jonathan Hassell discussed how spyware can be an
unwelcome intrusion in your small office/home office (SOHO) computer
system. By integrating code with shareware, freeware, or other publicly
accessible programs, spyware monitors your computer activities and
reports the tracking data to a third party. In Part 2, Hassell shows you
some solutions for getting rid of these intrusion problems.
7. ==== NEW AND IMPROVED ====
(contributed by Judy Drennen, products () win2000mag com)
* SECURITY SOLUTION SECURES CLIENTS' ASSETS
Communication Technologies released No*Trace, a security application
that lets users permanently remove sensitive, confidential, or
proprietary information from their desktops or laptops. No*Trace
software runs on Microsoft Windows 2000, Windows NT, and Windows 9x, and
Communication Technologies offers 24 x 7 technical support. Single
purchases are available for $49.95; discounts are offered for multiple
or enterprise orders. Contact Communication Technologies at
* ALL PCS ON A LAN CAN ACCESS INTERNET WITH ONE CONNECTION
Ositis Software announced the release of WinProxy 4.0, the newest
version of its software that lets all PCs on a LAN access the Internet
through one connection. Key new features include the ability to create
rules-based alerts for virus events or usage infractions, restrict
Internet access privileges by user or user group, and scan outgoing
email messages for viruses. The new release also supports SMTP virus
scanning and VPN clients. WinProxy 4.0 is compatible with Windows 2000,
Windows NT, Windows Me, and Windows 9x. WinProxy 4.0 is available in 3,
5, 10, 25, and unlimited user versions. Pricing starts at $59.95 to
$799.95 for the unlimited user version. Contact Ositis at 888-9467769.
8. ==== HOT THREADS ====
* WINDOWS 2000 MAGAZINE ONLINE FORUMS
Featured Thread: Setting Up VPN
(Five messages in this thread)
Serena needs help setting up a small office that needs a static IP
address and also needs to let a remote user with a dynamic IP address
access the network via VPN. Read the responses of others or lend a
helping hand at the following URL:
* HOWTO MAILING LIST
Featured Thread: HKCR Permissions on Windows 2000
(Three messages in this thread)
This user has a major application that requires users to have Read,
Execute, Write, and Delete (RXWD) permission on the entire HKEY_CLASSES
root key. The user wonders what the implications are of setting such
loose security on the HKEY_CLASSES area of the registry. Can you help?
Read the responses or lend a hand at the following URL:
9. ==== CONTACT US ====
Here's how to reach us with your comments and questions:
* ABOUT THE COMMENTARY -- mark () ntsecurity net
* ABOUT THE NEWSLETTER IN GENERAL -- tfaubion () win2000mag com; please
mention the newsletter name in the subject line.
* TECHNICAL QUESTIONS -- http://www.win2000mag.net/forums
* PRODUCT NEWS -- products () win2000mag com
* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? -- Email Customer
Support at securityupdate () win2000mag com
* WANT TO SPONSOR Security UPDATE? emedia_opps () win2000mag com
This weekly email newsletter is brought to you by Windows 2000
Magazine, the leading publication for Windows 2000/NT professionals who
want to learn more and perform better. Subscribe today.
Receive the latest information about the Windows 2000 and Windows NT
topics of your choice. Subscribe to our other FREE email newsletters.
Thank you for reading Security UPDATE.
To subscribe send a blank email to
subscribe-Security_UPDATE () list win2000mag net
Copyright 2001, Penton Media, Inc.
ISN is hosted by SecurityFocus.com
To unsubscribe email isn-unsubscribe () SecurityFocus com
- Security UPDATE, June 20, 2001 InfoSec News (Jun 21)