Security UPDATE, October 17, 2001
From: InfoSec News <isn () c4i org>
Date: Thu, 18 Oct 2001 02:38:37 -0500 (CDT)
Windows 2000 Magazine Security UPDATE--brought to you by Security
Administrator, a print newsletter bringing you practical, how-to
articles about securing your Windows 2000 and NT systems.
~~~~ THIS ISSUE SPONSORED BY ~~~~
Top 10 Windows and AD Security Threats
Prevent a Cyber Terrorism Attack on Your Network
(below SECURITY RISKS)
~~~~ SPONSOR: TOP 10 WINDOWS AND AD SECURITY THREATS ~~~~
Security vulnerabilities never die; they just become more
embarrassing when exploited. Protect your organization from common
security risks. To find out how, download a free white paper "Top Ten
Security Threats for Windows 2000 and Active Directory." This white
paper not only describes vulnerability threats such as IIS RDS, IIS
Unicode, SQL Server with no system administrator (SA) password, and
weak or no passwords, but also tells you how to protect your
organization from these Windows 2000 and Active Directory security
exposures. Download it FREE at
October 17, 2001--In this issue:
1. IN FOCUS
- Trapping Worms in a Honeypot
2. SECURITY RISKS
- Multiple Vulnerabilities in Microsoft Internet Explorer
3. ANNOUNCEMENTS
- MEC 2001, Nice, France, November 6 through 9, 2001
- What Does a Connected Home Look Like?
4. SECURITY ROUNDUP
- Feature: XP Pro for the Administrator
- Review: Event Archiver 3.3.25 and Event Analyst 1.3.52
5. HOT RELEASES (ADVERTISEMENTS)
- LANguard Security Event Log Monitor Offer!
- VeriSign - The Internet Trust Company
6. SECURITY TOOLKIT
- Book Highlight: The CISSP Prep Guide: Mastering the Ten Domains
of Computer Security
- Virus Center
- FAQ: How Can I Prevent the OS from Storing LAN Manager Hashes in
Active Directory and the SAM?
7. NEW AND IMPROVED
- Web-Based Antivirus Service
- Protect Your PC
8. HOT THREADS
- Windows 2000 Magazine Online Forums
- Featured Thread: Recommended Antivirus Software
- HowTo Mailing List:
- Featured Thread: What Data Is Lost When an Account Is Deleted?
9. CONTACT US
See this section for a list of ways to contact us.
1. ==== COMMENTARY ====
Is Nimda still attacking your network now and then? My Intrusion
Detection System (IDS) continues to catch related intrusion attempts
(two more as I write this editorial) even though weeks have passed
since corrective measures came out. Many Microsoft IIS administrators
still haven't plugged the holes in their systems. The attacks consume
my bandwidth and cause log files to grow to unruly proportions.
However, 2 weeks ago I found an interesting tool, called LaBrea, that
can help slow the spread of worms on Windows NT and UNIX systems.
Tom Liston, LaBrea's creator, calls the tool a tar pit or a sticky
honeypot because it's a lure that lets almost no intruder escape. When
a robot intruder (such as a worm) connects, a LaBrea system traps that
connection indefinitely by manipulating the TCP session parameters.
Liston says, "The LaBrea server software allows a normal three-way
handshake in response to a connect attempt. During the handshake, the
server sets a small (5 byte) TCP window. When the client sends its
first 5 bytes of data, the server responds with a TCP window of 0
(wait). The client then shifts into the persist state, where it sends
window probe packets at intervals that increase to a maximum of 4
minutes for an NT stack. The LaBrea server answers these probes to hold
the client in the persist state. At this point, a connection can be
maintained with a throughput of approximately 1215 bytes per hour. All
of this can be done without maintaining any 'state' on the
Using LaBrea slows the spread of worms. For example, to propagate, the
Code Red worm spawns about 100 threads. Each thread scans IP addresses
in rapid succession, looking for vulnerable hosts to infect--the
potential to spread rapidly is enormous. But by capturing some of those
threads as they attempt to infect your network, the LaBrea tool reduces
the spread of the worm exponentially--a neat idea that really works! Be
sure to look at LaBrea at the URL below. Liston says he must address
problems with the Windows 2000 TCP/IP stack before he can make the tool
run on that platform.
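To make Liston's numbers concrete, here is a small model of the persist-state trap he describes. It is an added illustration, not LaBrea's own code; the 4-minute probe cap comes from the page, while the 5-second starting timer and the 81 bytes per probe/reply pair (41-byte window probe carrying one data byte plus a 40-byte zero-window ACK) are assumptions.

```python
"""Model of a captured TCP connection held in the persist state by a tar pit.

Added illustration, not LaBrea's code.  Assumed values are marked below.
"""
from typing import List

PERSIST_CAP_S = 240          # NT stack tops out at 4 minutes (from the page)
INITIAL_INTERVAL_S = 5       # assumed first persist-timer interval
WINDOW_PROBE_BYTES = 41      # assumed: 20 IP + 20 TCP + 1 probe byte
ZERO_WINDOW_ACK_BYTES = 40   # assumed: 20 IP + 20 TCP, no payload


def persist_intervals(total_s: int, start_s: int = INITIAL_INTERVAL_S,
                      cap_s: int = PERSIST_CAP_S) -> List[int]:
    """Seconds between successive window probes while the trap lasts total_s.

    The tar pit answers every probe with window 0, so the client never gets
    to send data; its persist timer doubles after each probe until it hits
    the cap, then stays there.
    """
    intervals: List[int] = []
    elapsed, interval = 0, start_s
    while elapsed + interval <= total_s:
        intervals.append(interval)
        elapsed += interval
        interval = min(interval * 2, cap_s)
    return intervals


def probe_count(total_s: int) -> int:
    """Number of window probes the trapped client sends in total_s seconds."""
    return len(persist_intervals(total_s))


def bytes_on_wire(total_s: int) -> int:
    """Bytes exchanged on one captured connection over total_s seconds."""
    return probe_count(total_s) * (WINDOW_PROBE_BYTES + ZERO_WINDOW_ACK_BYTES)


def steady_state_bytes_per_hour(cap_s: int = PERSIST_CAP_S) -> int:
    """Hourly cost once the persist timer sits at its cap.

    With a 4-minute cap that is 15 exchanges of 81 bytes, i.e. the
    ~1215 bytes per hour quoted by Liston.
    """
    return (3600 // cap_s) * (WINDOW_PROBE_BYTES + ZERO_WINDOW_ACK_BYTES)


if __name__ == "__main__":
    print("probes in first hour:", probe_count(3600))
    print("bytes in first hour:", bytes_on_wire(3600))
    print("steady-state bytes/hour:", steady_state_bytes_per_hour())
```

The first hour costs slightly more than the steady-state figure because the early probes arrive before the timer has backed off to the cap; the point is that a scanning thread that would otherwise be probing new hosts is kept busy for almost nothing.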
Speaking of computer attacks, the results are in on a survey that
InfoSecurity Magazine conducted in late July and early August 2001. The
2545 participants include security professionals involved in
government, consulting, manufacturing and reselling, banking and
finance, medical and healthcare, military, and education. One
interesting finding is that the number of people who reported attacks
against their Web servers has doubled since 2000--roughly half of those
polled reported such attacks. The survey also tracks a 33 percent
increase in the number of entities suffering buffer-overflow attacks,
and almost 90 percent of the respondents suffered some type of
infection by malicious code such as a virus, worm, or Trojan horse. The
survey has lots of other interesting facts and figures--be sure to stop
by and take a look:
I ran across an interesting document last week, "Best Practices for
Secure Development," written by Razvan Peteanu. The 72-page paper,
arranged in 12 sections, covers various topics including common
mistakes, security in a project life cycle, principles, services,
authorization, technologies, languages, platforms, distributed systems,
and tools. The document is a great top-level overview of those focus
areas rather than an intricate guide. Nevertheless, it's full of useful
advice and interesting anecdotes. You'll find it at the URL below.
Until next time, have a great week.
Mark Joseph Edwards, News Editor, mark () ntsecurity net
2. ==== SECURITY RISKS ====
(contributed by Ken Pfeil, ken () win2000mag com)
* MULTIPLE VULNERABILITIES IN MICROSOFT INTERNET EXPLORER
Michiel Kikkert and Joao Gouveia discovered several vulnerabilities
that affect Internet Explorer (IE) 6.0, 5.5, and 5.01. The first
problem involves using a dotless IP address with particular malformed
URL requests, which an attacker can use to cause a site to load under
the intranet zone security settings and can expose the client system to
further attack. The second problem occurs when an attacker encodes URLs
in a way that makes it possible to issue requests to a site
automatically on establishing a connection to that site. In doing so,
an intruder causes a variety of unwanted actions to take place, such as
deleting Web-based email and spoofing transactions. The third problem
occurs when an intruder launches Telnet from a URL within IE. Using the
Telnet client that ships as part of Microsoft Services for UNIX (SFU)
2.0, an attacker can make the Telnet Client receive and execute that
Microsoft released Security Bulletin MS01-051 and a patch to address
these matters. Microsoft articles Q306121 and Q308414, which discuss
this matter, should become available tomorrow.
~~~~ SPONSOR: PREVENT A CYBER TERRORISM ATTACK ON YOUR NETWORK ~~~~
The NIMDA Virus and other security threats are easily avoided if the
latest security updates are deployed with UpdateEXPERT(tm).
UpdateEXPERT is a solution that helps you secure your systems by
deploying service packs and hotfixes. UpdateEXPERT supports Windows NT
and 2000, and a long list of mission critical applications. Quickly
conduct research, take inventory, deploy updates and validate
installations of networked machines from the comfort of your
3. ==== ANNOUNCEMENTS ====
* MEC 2001, NICE, FRANCE, NOVEMBER 6 THROUGH 9, 2001
MEC 2001 offers in-depth technical training for planning, deploying,
and managing your enterprise infrastructure. Join industry experts to
discuss best practices for deploying Microsoft Exchange 2000 and Active
Directory (AD), extending the platform with Office XP, and integrating
Exchange 2000 with the other .NET Enterprise Servers. Call to register
at +44 1252 771 133, or visit the MEC Web site.
* WHAT DOES A CONNECTED HOME LOOK LIKE?
You've never seen anything like the Connected Home Magazine Virtual
Tour. Experience (room by room) the latest home entertainment, home
networking, and home automation options that are going to change how
you work and play. While you're there, enter to win a free copy of
4. ==== SECURITY ROUNDUP ====
* FEATURE: XP PRO FOR THE ADMINISTRATOR
You've probably heard how Windows XP Professional Edition is easier
to use and more productive for end users than Windows 2000
Professional. But, like most administrators, you probably want to hear
more about the XP Pro features that affect how you do your job.
Although the Windows 2000 Magazine Lab staff hasn't yet thoroughly
tested XP Pro, we've begun performing tests in environments that
include XP Pro clients. In our testing, we've discovered several
administrator-related features that we think you'll like. Ed Roth fills
you in on the details in this month's Lab Notes.
* REVIEW: EVENT ARCHIVER 3.3.25 AND EVENT ANALYST 1.3.52
Logging and monitoring network server events has always been
important for troubleshooting, trending, and long-term systems
management. Although Windows NT Event Viewer can be useful for managing
system logs, Windows 2000 and NT don't include extensive functionality
for managing logs across multiple systems. Dorian Software Creations'
Event Archiver 3.3.25 and Event Analyst 1.3.52 work together to
simplify enterprisewide collection, storage, and analysis of your
network systems' System, Application, and Security logs. Learn more
about them in Marty Scher's review on our Web site!
5. ==== HOT RELEASES (ADVERTISEMENTS) ====
* LANGUARD SECURITY EVENT LOG MONITOR OFFER!
Catch hackers red-handed with LANguard S.E.L.M.! Provides intrusion
detection through centralized NT/2000 security event log monitoring.
Extensive reporting identifies all machines being targeted and local
users trying to hack. Download your FREE starter pack today:
* VERISIGN -- THE INTERNET TRUST COMPANY
Secure your servers with 128-bit SSL encryption! Grab your copy of
VeriSign's FREE Guide, "Securing Your Web site for Business," and learn
about using SSL to encrypt e-commerce transactions. Get it now!
6. ==== SECURITY TOOLKIT ====
* BOOK HIGHLIGHT: THE CISSP PREP GUIDE: MASTERING THE TEN DOMAINS OF
COMPUTER SECURITY
By Ronald L. Krutz, Russell Dean Vines
List Price: $69.99
Fatbrain Online Price: $69.99
Hardcover; 556 pages
Published by John Wiley & Sons, September 2001
For more information or to purchase this book, go to
and enter WIN2000MAG as the discount code when you order the book.
* VIRUS CENTER
Panda Software and the Windows 2000 Magazine Network have teamed to
bring you the Center for Virus Control. Visit the site often to remain
informed about the latest threats to your system security.
* FAQ: HOW CAN I PREVENT THE OS FROM STORING LAN MANAGER HASHES IN
ACTIVE DIRECTORY AND THE SAM?
(contributed by John Savill, http://www.windows2000faq.com)
A. Both Windows XP and Windows 2000 support several authentication
methods, including LAN Manager (LM), NT LAN Manager (NTLM), and NTLM
version 2 (NTLMv2). LM stores passwords in a hashed format that's easy
to crack. Starting with Windows 2000 Service Pack 2 (SP2), Microsoft
addressed this weakness by adding the ability to disable the storage of
LM hashes.
To disable LM hashes in Win2K, perform the following steps:
1. Start the registry editor (regedit.exe) on the domain controller
2. Navigate to
3. From the Edit menu, select New, Key.
4. Enter a name of NoLMHash, set the value to 1, and press Enter.
5. Close the registry editor.
6. Restart the computer for the change to take effect.
To disable LM hashes in XP, perform steps 1 and 2 above. At step 3,
from the Edit menu, select New, DWORD value. Complete the process by
performing steps 4 through 6 above. This change won't happen until each
user changes his or her password.
In XP, you can also use Group Policy (GP) to disable LM hashes under
Computer Configuration\Windows Settings\Security Settings\Local
Policies\Security Options. To change the settings for this policy,
locate the Network Security policy entitled "Do not store LAN Manager
hash value on next password change." Be aware that if you set this
option, some components that rely on LM hashes (e.g., the Windows 9x
change password operation, Win9x client authentication if you don't have
the Directory Services--DS--client pack installed) might not work as
expected.
7. ==== NEW AND IMPROVED ====
(contributed by Scott Firestone, IV, products () win2000mag com)
* WEB-BASED ANTIVIRUS SERVICE
McAfee announced that WatchGuard Technologies will offer McAfee's
ASaP Web-based managed virus scanning service for desktops. VirusScan
ASaP provides 24 x 7 protection against vulnerabilities in an online
delivery model that requires no internal resources from the channel
partner or customer. The service provides detailed reporting on viruses
detected and cleaned within the network. For pricing, contact
WatchGuard Technologies at 206-521-8340.
* PROTECT YOUR PC
Software Abroad announced an agreement with Danu Industries to
distribute TermiNET, its personal firewall product that protects your
PC from outside attack while you browse the Web or connect to other
networks. The firewall lets you control and restrict access to specific
services such as Web browsing or email. You can disallow access to
specified undesirable sites or you can allow access only to known
acceptable sites. TermiNET runs on Windows XP, Windows 2000, Windows
NT, Windows Me, and Windows 9x and costs $39.95. Contact Software
Abroad at 202-293-5151.
8. ==== HOT THREADS ====
* WINDOWS 2000 MAGAZINE ONLINE FORUMS
Featured Thread: Recommended Antivirus Software
(Eighteen messages in this thread)
Brett uses Symantec's Norton Antivirus software to protect his Windows
NT-based systems against viral infection. He's thinking of switching to
a different product line and wonders whether you have suggestions for
another solution. Can you help? Read more about the questions and
responses or lend a hand at the following URL:
* HOWTO MAILING LIST
Featured Thread: What Data Is Lost When an Account Is Deleted?
(One message in this thread)
This user wonders what data is lost when a user account is deleted. He
believes that--minimally--lost data includes the user's last logon date
and time, as well as group memberships, SID, and exclusive file rights.
He also noticed that the former user's file ownerships change to
Unknown. Have you seen any other effects of deleting a user account?
Read the responses or lend a hand at the following URL:
9. ==== CONTACT US ====
Here's how to reach us with your comments and questions:
* ABOUT THE COMMENTARY -- mark () ntsecurity net
* ABOUT THE NEWSLETTER IN GENERAL -- mlibbey () win2000mag com; please
mention the newsletter name in the subject line.
* TECHNICAL QUESTIONS -- http://www.win2000mag.net/forums
* PRODUCT NEWS -- products () win2000mag com
* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? -- Email Customer
Support at securityupdate () win2000mag com
* WANT TO SPONSOR SECURITY UPDATE? -- emedia_opps () win2000mag com
Receive the latest information about the Windows 2000 and Windows NT
topics of your choice. Subscribe to our other FREE email newsletters.
Thank you for reading Security UPDATE.
To subscribe, send a blank email to mailto:Security_UPDATE_Sub () lists win2000mag net