From: Security UPDATE [Security_UPDATE@list.win2000mag.net]
Sent: Wednesday, October 18, 2000 3:57 PM
To: GlennEverhart@FIRSTUSA.COM
Subject: Security UPDATE, October 18, 2000

***********************************************************************
Windows 2000 Magazine Security UPDATE
**Watching the Watchers**
The weekly Windows 2000 and Windows NT security update newsletter brought to you by the Windows IT Security channel on the Windows 2000 Magazine Network
http://www.win2000mag.net/Email/Index.cfm?ID=5
***********************************************************************

This week's issue sponsored by

How Do Effective e-Businesses Leverage Directories?
http://www.access360.com/n-su1c.html

VeriSign - The Internet Trust Company
http://www.verisign.com/cgi-bin/go.cgi?a=n046616750026000

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

October 18, 2000 - In this issue:

1. IN FOCUS
   - More About Password Recovery

2. SECURITY RISKS
   - Patch Available for Microsoft VM
   - Internet Explorer Exposes Users' Cached Web Credentials
   - Windows Me and Win9x Allow Access to Shares Without Password
   - Windows Me and Win9x NWlink Subject to Denial of Service
   - WebTV for Windows Subject to Denial of Service

3. ANNOUNCEMENTS
   - Nothing but .NET
   - Got a Project You Need to Outsource?

4. SECURITY ROUNDUP
   - Feature: Windows 2000 Recovery Tools
   - Feature: Restoring Databases

5. NEW AND IMPROVED
   - Monitor Web Sites
   - Prevent Introduction of Unauthorized Software

6. SECURITY TOOLKIT
   - Book Highlight: Inside Internet Security: What Hackers Don't Want You to Know
   - FAQ: I've Entered a Password for a Terminal Services Client Connection. Why Does the System Continue to Prompt Me?
   - Writing Secure Code: Protecting Data Recovery Certificates in EFS

7. HOT THREADS
   - Windows 2000 Magazine Online Forums
       Username on Locked Console
   - Win2KSecAdvice Mailing List
       Potential Windows 2000 Holes
   - HowTo Mailing List
       NTFS Question

1. ========== IN FOCUS ==========

Hello everyone,

Last week, I wrote about recovering lost Administrator passwords. I received lots of responses from people who want to share other quick methods of password recovery. Thanks to everyone who responded! Here are the reader suggestions in summary.

Several readers wrote that Petter Nordahl-Hagen has a free tool available that can reset any user account password, including the Administrator account. ( http://home.eunet.no/~pnordahl/ntpasswd ) The tool uses a Linux 3.5" boot disk to access the SAM database and reportedly even works on systems that have SYSKEY enabled. Nordahl-Hagen has made the source code available, and Christophe Grenier has subsequently ported the tool to DOS so users can run it in a DOS command window under Windows NT.
( http://www.esiea.fr/public_html/Christophe.GRENIER/ntfs.html )

Several other readers wrote to remind me that, in many cases, users can trick NT into running applications under privileged accounts. This tactic lets users gain system-level access and reset passwords with the User Manager application. For example, you can install a second copy of NT on a locked-out machine and boot that new copy. After the NT copy is running, you locate the logon.scr screensaver file in the locked-out system's %SYSTEMROOT%\SYSTEM32 subdirectory, rename it, and copy usrmgr.exe or cmd.exe to logon.scr on the locked-out system. You then boot the locked-out system and wait for the screensaver to kick in. At that point, instead of launching the normal screensaver, NT will launch User Manager or a DOS command window under the context of the SYSTEM account. You can then reset passwords.

In relation to the method described in the preceding paragraph, Steve French pointed out that you can replace system files using a modified Emergency Repair Disk (ERD), as Microsoft article Q164471 explains. Using the method outlined in the document, you can replace the logon.scr file with a renamed copy of usrmgr.exe, cmd.exe, or another application, using NT's native recovery system to provide access to the file system.

Ted Tang wrote that another free password recovery utility is available from Ken Pfiel's NTToolBox. ( http://www.nttoolbox.com/download.htm ) The utility is a Linux boot disk with NTFS support and a password-resetting tool. Download the file (LinNT.zip), unzip it, and run the rawrite.exe program to create the boot disk and associated files. Be sure to download the utility's updated binary file, also linked on the NTToolBox download page. This utility might not work on systems that have SYSKEY installed.

Other readers reminded me that when NT boots and finds the SAM database missing, NT creates a new SAM database with a blank administrator password.
You can then log on and define the user accounts and passwords as you see fit. Keep in mind that if you delete the SAM database, you lose all account information held therein, so you probably don't want to try this method on a domain controller. Nonetheless, to access a system's NTFS file system to delete the SAM database, you can use a Linux boot disk, NTFSDOS Professional from Winternals Software, or a second NT installation on the same system, or you can install the drive to another accessible NT system. But if you can install the drive to another system, you'll find it simpler to use Christophe Grenier's DOS port of Nordahl-Hagen's utility to reset any unknown passwords.

Don't overlook the rather obvious value of using an ERD. If you keep updated ERDs for all your systems, you can usually recover locked-out systems without third-party solutions.

One final note: In last week's editorial, the URL for L0phtCrack was incorrect: I overlooked the fact that the L0pht's UNIX-based Web server is case sensitive. The correct URL is http://www.l0pht.com/l0phtcrack .

Until next time, have a great week!

Sincerely,
Mark Joseph Edwards, News Editor
mark@ntsecurity.net

2. ========== SECURITY RISKS ==========
(contributed by Mark Joseph Edwards, mark@ntsecurity.net)

* PATCH AVAILABLE FOR MICROSOFT VM
In the October 11 edition of Security UPDATE, we reported that Georgi Guninski discovered a problem with Internet Explorer (IE) and Outlook Express that lets arbitrary programs execute on your system. The problem resides in the com.ms.activeX.ActiveXComponent Java object, which is part of Microsoft's Virtual Machine (VM--for Java) that ships with Windows 2000, Windows NT 4.0, Windows Millennium Edition (Windows Me), Windows 9x, and IE. Microsoft has now released patches to remedy the problem, which affects all builds in the 2000, 3100, 3200, and 3300 series of its VM.
http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=15794

* INTERNET EXPLORER EXPOSES USERS' CACHED WEB CREDENTIALS
ACROS Security reported a serious problem with Internet Explorer (IE) 4.x and pre-5.5 versions, where the browser exposes a user's cached Web credentials under certain conditions. Microsoft has released a patch, FAQ, and article Q27386.
http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=15859

* WINDOWS ME AND WIN9X ALLOW ACCESS TO SHARES WITHOUT PASSWORD
Nsfocus Security Team reported a problem with share-level-access passwords under Windows Millennium Edition (Windows Me) and Windows 9x. Users can compromise shared resources using a special utility without having the complete share password. The problem doesn't affect user-level shared resources, such as those made available in a Windows NT domain. Microsoft is aware of the problem and has released patches, an FAQ, and article Q273991.
http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=15827

* WINDOWS ME/WIN9X NWLINK SUBJECT TO DENIAL OF SERVICE
Microsoft reported a Denial of Service (DoS) condition within the Windows Millennium Edition (Windows Me)/Windows 9x NWLink protocol, where the Name Management Protocol on IPX (NMPI) might reply to network broadcast packets that weren't properly filtered out. Microsoft has released patches, an FAQ, and article Q273727.
http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=15852

* WEBTV FOR WINDOWS SUBJECT TO DENIAL OF SERVICE
Microsoft reported that a Denial of Service (DoS) condition exists within WebTV for Windows, which ships with Windows Millennium Edition (Windows Me) and Windows 98, that can crash the WebTV application or the entire system. Microsoft has released patches, an FAQ, and article Q274113.
http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=15853

3. ========== ANNOUNCEMENTS ==========

* NOTHING BUT .NET
Microsoft is betting the farm on its new .NET strategy, and you need to know, bottom-line, what it will mean to you. Our new .NET UPDATE email newsletter can help you sort through the hype, stay on top of news and developments, and get tips about how to prepare. Subscribe for free today!
http://www.win2000mag.net/email/index.cfm?code=up00inxupd&id=19

* GOT A PROJECT YOU NEED TO OUTSOURCE?
Post your requirements at our new RFP Center and have vendors vying to bring you the best solution money can buy. Our streamlined process lets you search for and submit your bid to multiple vendors at once. Post your RFP today!
http://www.win2000mag.newmediary.com/w2kemailnews2

4. ========== SECURITY ROUNDUP ==========

* FEATURE: WINDOWS 2000 RECOVERY TOOLS
Thanks to two tools that ship with Windows 2000, we now have more options when troubleshooting computer boot problems. If you have Windows 9x experience, you're probably familiar with the first tool, Safe Mode. The second, the Recovery Console (RC), is new to the Microsoft product line. In his Web exclusive Windows 2000 Ready article, Robert McIntosh discusses these tools and explains how you can use them to fix a system that won't start.
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=15868

* FEATURE: RESTORING DATABASES
In last month's column for SQL Server Magazine, "Backup Strategies," available at the first URL below, Michael D. Reilly looked at SQL Server's four backup options and covered how to choose the best option--or combination of options--for your SQL Server installation. This month, Michael explains how these backup strategies affect the restore process and your choice of recovery models. Be sure to read the articles on our Web site.
http://www.sqlmag.com/Articles/Index.cfm?ArticleID=9629
http://www.sqlmag.com/Articles/Index.cfm?ArticleID=9808

5. ========== NEW AND IMPROVED ==========
(contributed by Judy Drennen, products@win2000mag.com)

* MONITOR WEB SITES
AlertSite announced MultiPOP, a service that monitors Web sites around-the-clock. Each independently operated, time-synchronized POP station tests Web sites and reports results to a central database. Regular monthly service runs $9.95 to $49.95 based on monitoring intervals and features, with a free 2-week trial period for new subscribers. For more information or to register, visit the Alert Web site or call 877-302-5378.
http://www.alertsite.com

* PREVENT INTRODUCTION OF UNAUTHORIZED SOFTWARE
Oakley Data Services has released Smart Security 2000 for Windows, a Windows 2000 and Windows NT service that restricts access to devices, including 3.5" disks, CD-ROMs, removable devices, serial and parallel ports, and dial-up networking. Users are granted or denied access to devices based on their membership in groups related to those devices. Prices range from $25 for a single user to $5 per user for 1000 users or more. Find more information at the Oakley Web site.
http://www.ssec2000.com

6. ========== SECURITY TOOLKIT ==========

* BOOK HIGHLIGHT: INSIDE INTERNET SECURITY: WHAT HACKERS DON'T WANT YOU TO KNOW
By Jeff Crume
Online Price: $29.95
Softcover; 270 pages
Published by Addison-Wesley, August 2000
ISBN 0201675161

"Inside Internet Security: What Hackers Don't Want You to Know" will help system administrators make their networks immune to hackers, viruses, and other security risks. The book features practical advice, checklists for common problems, examples of attacks, and a look into the future of IT security.
For more information or to purchase this book, go to the Windows 2000 Magazine Bookstore and click UPDATE Highlights under Highlighted Titles.
http://www1.fatbrain.com/store.cl?p=win2000mag&s=97772
Or go to
http://www1.fatbrain.com/asp/bookinfo/bookinfo.asp?partner=win2000mag&theisbn=0201675161
and enter WIN2000MAG as the discount code when you order the book.

* FAQ: I'VE ENTERED A PASSWORD FOR A TERMINAL SERVICES CLIENT CONNECTION. WHY DOES THE SYSTEM CONTINUE TO PROMPT ME?
( contributed by http://www.windows2000faq.com )

By default, a Windows 2000 Server Terminal Services connection always prompts for a password, even if you've configured one in the connection logon information. To disable this option, perform the following steps:

1. Start the Microsoft Management Console (MMC) Terminal Services Configuration snap-in (Start, Programs, Administrative Tools, Terminal Services Configuration).
2. Right-click the configuration for which you want to disable the default password setting, and select Properties from the context menu.
3. Select the Logon Settings tab.
4. Clear the "Always prompt for password" check box. Click Apply, click OK.
5. Close the dialog box.

Future connections will no longer force a password entry, which facilitates automatic logon.

* WRITING SECURE CODE: PROTECTING DATA RECOVERY CERTIFICATES IN EFS
Windows 2000's Encrypting File System (EFS) won't work unless you define at least one recovery agent for each system. Win2K systems that are members of an Active Directory (AD) domain use the domain's recovery policy, and the domain Administrator account is the default recovery agent. Win2K systems that aren't members of an AD domain automatically define the local Administrator account as the recovery agent. The EFS cardinal rule is that data recovery agents should never store their private keys on a system. To learn more about protecting data recovery certificates, be sure to read this latest installment of Randy Franklin Smith's Web exclusive.
http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=15819

7. ========== HOT THREADS ==========

* WINDOWS 2000 MAGAZINE ONLINE FORUMS
The following text is from a recent threaded discussion on the Windows 2000 Magazine online forums.
http://www.win2000mag.net/forums

October 16, 2000, 08:35 A.M.
Username on Locked Console
Two Messages in this Thread

When you lock the console on a Windows NT box by using Ctrl+Alt+Del and choosing Lock Workstation or setting a password for a screen saver, the resulting Workstation Locked dialog box indicates the domain\username of the person logged on. Is there any way to prevent the domain\username information from appearing in these dialog boxes?

Thread continues at
http://www.win2000mag.net/Forums/Application/Thread.cfm?CFApp=64&Thread_ID=49123&mc=2

* WIN2KSECADVICE MAILING LIST
Each week we offer a quick recap of some of the highlights from the Win2KSecAdvice mailing list. The following thread is in the spotlight this week.

Potential Windows 2000 Holes
Nine Messages in this Thread

Just thought I would throw out two [issues] that I have come across to give fodder for others to think about.

[The first issue is a way to cause] a version mismatch within a Group Policy. This first assumes that you have access to this portion of the Active Directory (AD), which means an Administration account, so you already have the farm, so to speak. [But because] the Group Policy Container (GPC) and the Group Policy Template (GPT) are separate entities (i.e., with separate file system objects and AD objects), there is a potential that they will be refreshed/updated at different times. To ensure that there is not an application of a GPO that has mismatching GPC and GPT, the version numbers in the GPC and GPT must agree. If they do not, an error will be logged, and the GPO will not be applied. Thus, if you can change the version number of the GPO in the AD, via say ADSIEdit, you can cause GPOs not to be applied. This may or may not be helpful.
[The second issue is that when using the Anonymous account], GPOs are not applied. By default all GPOs grant the "Apply Group Policy" to the Authenticated Users group. Interestingly enough, it is not granted to the Everyone group, so anonymous connections are denied access to the GPO, and are thus not subject to the User Configuration settings of GPOs. VIP: Remember the rules of ACL application: If a user or group is not listed, then access is denied. Thus if anonymous connections are allowed, then this may be a way in if security is highly reliant on GPOs.
http://63.88.172.96/go/win2ks-l.asp?A2=ind0010b&L=win2ksecadvice&P=732

Follow this link to read all threads for October, Week 2:
http://63.88.172.96/go/w.asp?A1=ind0010b&L=win2ksecadvice

* HOWTO MAILING LIST
Each week we offer a quick recap of some of the highlights from the HowTo for Security mailing list. The following threads are in the spotlight this week.

NTFS Question
Four Messages in this Thread

I want to [closely] monitor certain [directories] on a server. I was wondering if [it is possible] to find out who writes over files [or] creates new files in a specific folder on a server formatted with NTFS? In other words, does NTFS [record which users access which files?] Or do I have to run some sort of utility to do this trick?
http://63.88.172.96/go/page_listserv.asp?A2=ind0010b&L=howto&P=1748

Follow this link to read all threads for October, Week 2:
http://63.88.172.96/go/page_listserv.asp?A1=ind0010b&L=howto

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

Windows 2000 Magazine Security UPDATE Staff
News Editor - Mark Joseph Edwards (mje@win2000mag.com)
Editor - Gayle Rodcay (gayle@win2000mag.com)
New and Improved - Judy Drennen (products@win2000mag.com)
Copy Editor - Judy Drennen (jdrennen@win2000mag.com)

___________________________________________________________
Copyright 2000, Windows 2000 Magazine