**********************************************************
WINDOWS NT MAGAZINE SECURITY UPDATE
**Watching the Watchers**
The weekly Windows NT security update newsletter brought to you by
Windows NT Magazine and NTsecurity.net
http://www.winntmag.com/update/
**********************************************************

This week's issue sponsored by

BindView's Network Security Suite
http://www.bindview.com/winnt.html

Syngress Media
http://www.syngress.com/customer_info/info.cfm?mailid=ntmag01

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-
January 12, 2000 - In this issue:

1. IN FOCUS
     - Is Free Really Free?

2. SECURITY RISKS
     - Internet Explorer Allows Circumvention of Domain Security
     - IMail IMonitor Subject to Denial of Service
     - MCIS IMAP Buffer Overflow Condition

3. ANNOUNCEMENTS
     - Windows NT Magazine Announces New Affiliate Program
     - Security Book Now Available Online for Free

4. SECURITY ROUNDUP
     - News: CSI Announces NetSec 2000

5. NEW AND IMPROVED
     - Secure Server Consolidation Software
     - Email Security

6. HOT RELEASES
     - Toshiba Copier and Fax: The 21st Century's Technological Leader
     - Ashley Laurent - Integrated Firewall/VPN/Bandwidth Control
     - Network-1 Security Solutions - Embedded NT Firewalls

7. SECURITY TOOLKIT
     - Book Highlight: Big Book of IPSec RFCS: Internet Security
Architecture
     - Tip: Inspect Those ISAPI DLLS

8. HOT THREADS
     - Windows NT Magazine Online Forums:
         * Stronger Passwords with Passfilt.dll
     - Win2KSecAdvice Mailing List:
        * Yet Another Hotmail Security Hole
        * WinAmp Buffer Overflow Advisory
     - HowTo Mailing List:
        * NFS Security Risks?

~~~~ SPONSOR: BINDVIEW'S NETWORK SECURITY SUITE ~~~~
Do you spend 4+ hours per week scanning for old or unnecessary files to
recapture disk space?  Do you want to know which accounts have not
logged in during the past 30, 60 or 90 days?  How about all the
accounts that have never logged in?  Or a list of all administrator
equivalent accounts?  Would you like to scan all your network devices
to find potential security leaks?
BindView's Network Security Suite--consisting of NOSadmin
and HackerShield--can give you the information you need to
proactively protect your network.  Request your FREE
evaluation copies at http://www.bindview.com/winnt.html

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Want to sponsor Windows NT Magazine Security UPDATE? Contact Vicki
Peterson (Western and International Advertising Sales Manager) at 877-
217-1826 or vpeterson@winntmag.com, OR Tanya T. TateWik (Eastern
Advertising Sales Manager) at 877-217-1823 or ttatewik@winntmag.com.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. ========== IN FOCUS ==========

Hello everyone,

When it comes to free stuff, I'm just like Andy Rooney: I find that, in
most cases, free stuff simply costs too much, so I usually shy away
from free offers. But once in a blue moon, people actually do give
something away without asking for anything in return, and today is one
of those times.
   29th Street Press, Windows NT Magazine, and NTSecurity.NET are
pleased to announced that our book "Internet Security with Windows NT"
is now available on the Web in its entirety, absolutely free, with no
strings attached.
   "Internet Security with Windows NT" covers NT security as it
pertains to TCP/IP-based networks and is largely geared for novice or
moderately knowledgeable administrators. The book is a collective
effort by some notable names in the security industry, including
myself, Bill Hamilton, Marcus Ranum, Peter Carden, Andy Baron, and
several others. The book covers a wide array of security information
that leaves the reader with a solid security foundation to build
additional knowledge upon.
   Why did we put the book online for free? Because Windows NT Magazine
wants to provide IT professionals with even more high quality and
timely online technical content. Ultimately, we feel that living, Web-
based books are the best way to provide the most up-to-date material on
technical subject matters. And because our goal is to provide the
quality technical material you need to get your job done better, the
release of "Internet Security with Windows NT" on the Web is the next
step toward that goal.
   Although the online version of the book is the same as the original
print version, we'll continue to update the content of the book with
the latest relevant material. We also have hardcopy versions of the
book available for those of you that want a professionally printed and
bound version.
   We hope you enjoy using the online book, which you can find at
http://www.ntsecurity.net/book. Please let me know what you think of
our effort, and drop me a line with any suggestions you have for
improving the book's content or the Web site in general. Until next
time, have a great week!

Sincerely,
Mark Joseph Edwards, News Editor
mark@ntsecurity.net

2. ========== SECURITY RISKS =========
(contributed by Mark Joseph Edwards, mark@ntsecurity.net)

* INTERNET EXPLORER ALLOWS CIRCUMVENTION OF DOMAIN SECURITY
Georgio Guninski discovered a problem with Internet Explorer (IE) 5.01
and other IE versions that might expose an entire domain. The problem
might allow unauthorized file access, window spoofing, and other
unwanted activity.
   Microsoft is aware of the problem but has not yet responded. For
complete details, including example code that demonstrates the problem,
visit the URL below.
   http://www.ntsecurity.net/go/load.asp?iD=/security/ie59.htm

* IMAIL IMONITOR SUBJECT TO DENIAL OF SERVICE
UssrLabs discovered a denial of service (DoS) condition in IPSwitch's
IMail IMonitor Server 5.08 for Windows NT. The problem might also
affect other versions of the software.
   Within Imonitor, a CGI script called status.cgi determines whether
the server services are running. By executing the script many times in
a short time period, IMonitor will crash, citing an Invalid Memory
Address error. IPSwitch is aware of the problem but has not responded
at the time of this writing.
   http://www.ntsecurity.net/go/load.asp?iD=/security/imonitor.htm

* MCIS IMAP BUFFER OVERFLOW CONDITION
Tristan Goode discovered a buffer overflow condition in Microsoft
Commercial Internet System's (MCIS's) Internet Message Access Protocol
(IMAP) service. If a malformed request that contains random data passes
to the IMAP service, that request might cause any of several associated
services to crash, including the SMTP and LDAP services. In addition,
an intruder can use specific malformed data to cause arbitrary code to
execute on the server.
   Microsoft has released a fix for Intel and Alpha. For more
information, see Microsoft Support Online article Q246731.
   http://support.microsoft.com/support/kb/articles/q246/7/31.asp
   Intel http://www.microsoft.com/Downloads/Release.asp?ReleaseID=17124
   Alpha http://www.microsoft.com/Downloads/Release.asp?ReleaseID=17122

3. ========== ANNOUNCEMENTS ==========

* WINDOWS NT MAGAZINE ANNOUNCES NEW AFFILIATE PROGRAM
Windows NT Magazine, in cooperation with LinkShare, announces a new Web
affiliate program. By simply placing a link on your Web site, you can
earn up to $10 for each customer who clicks through from your site to
ours and orders a subscription to either Windows NT Magazine or SQL
Server Magazine. Becoming an affiliate allows you to leverage your
existing Web traffic to help you earn commissions, as well as associate
your Web site with a well-established market leader. Visit
http://www.winntmag.com/AboutUs/Index.cfm?Action=affiliate or
http://www.sqlmag.com/Info/affiliate.cfm for more information.

* SECURITY BOOK NOW AVAILABLE ONLINE FOR FREE
Do you need answers to security questions fast? The book, "Internet
Security with Windows NT," by noted security expert Mark Joseph
Edwards, is now available online for free. To have this valuable
content at your fingertips, point your browser to
http://www.ntsecurity.net/book.

4. ========== SECURITY ROUNDUP ==========

* NEWS: CSI ANNOUNCES NETSEC 2000
Computer Security Institute (CSI) announced NetSec 2000, the 10th
Annual Network Security Conference, which will take place June 12 to
14, 2000, at the Hyatt Regency Embarcadero in San Francisco. NetSec
2000 focuses on the latest technologies, strategies, and solutions for
securing an organization's networks, including navigating the
challenges of electronic commerce, remote access, and computer crime.
   http://www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=199&TB=news

~~~~ SPONSOR: SYNGRESS MEDIA ~~~~
Just Published! Configuring Windows 2000 Server Security, 600+ pages
dedicated to Windows 2000 security issues such as Kerberos, Distributed
Security Services, EFS, Security Configuration Tool Set, Smart Cards,
and more. All Syngress books come with a one-year warranty against
obsolescence that includes free monthly technology updates, 6- and 9-
month newsletters, "Ask the Author"(tm) query forms, and other bonus
coverage.
Get your copy of Configuring Windows 2000 Server Security now at:
http://www.syngress.com/customer_info/info.cfm?mailid=ntmag01

5. ========== NEW AND IMPROVED ==========
(contributed by Carolyn Mascarenas, products@winntmag.com)

* SECURE SERVER CONSOLIDATION SOFTWARE
Small Wonders Software released Secure Copy 2.0, software that lets you
copy files and directories on NTFS partitions while maintaining
security, creating shares, and migrating local groups. The new
differential copying feature copies only files that you've changed in
the source server. You can save multiple jobs and schedule them to run
after hours. Another new feature is the GUI interface. Secure Copy also
lets you migrate existing shares and local groups from the source
server to the destination server while keeping permissions intact.
   Secure Copy 2.0 runs on Windows NT Server. Pricing is $299 for a
single-server copy. Contact Small Wonders Software, 407-248-2558.
   http://www.smallwonders.com

* EMAIL SECURITY
A partnership between Viasec and Elron Software now provides
interoperable email security solutions. Viasec produces Consus, a
server-based email encryption gateway. Elron Software provides Internet
policy management software to help organizations develop and enforce
Internet usage policies. The partnership lets you seamlessly integrate
all solutions that address different security aspects. Consus users who
need to augment encryption and signature verification with email
content management can now add Elron's CommandView Message Inspector to
their information security infrastructure. CommandView Message
Inspector lets you regulate incoming and outgoing email content from
your network.
   Consus communicates seamlessly with Microsoft Outlook, Netscape,
Lotus Notes, and Novell GroupWise. CommandView Message runs on Windows
NT and Windows 9x systems. Pricing for Consus is $3400 for a 25-user
license. Pricing for CommandView Message is $1995 for a 25-user
license. Contact Viasec, 617-621-7177. Contact Elron Software, 781-993-
6000.
   http://www.viasec.com
   http://www.elron.com

6. ========== HOT RELEASES (ADVERTISEMENT) ==========

* TOSHIBA COPIER AND FAX: THE 21ST CENTURY'S TECHNOLOGICAL LEADER
Visit http://static.admaximize.com/redirect/0034/002266d/0002/ESV/A07/01/
to check out Toshiba's multifunctional and networking product line. No
matter what your business needs: Demand more, Demand Toshiba.

* ASHLEY LAURENT - INTEGRATED FIREWALL/VPN/BANDWIDTH CONTROL
Ashley Laurent, the leader in Remote VPN support, introduces VPCom 2.5,
an integrated Firewall, VPN, and Bandwidth Control product.  It's
simple, affordable, and reliable.  For a free trial or online
demonstration, visit
http://www.ashleylaurent.com

* NETWORK-1 SECURITY SOLUTIONS - EMBEDDED NT FIREWALLS
CyberwallPLUS-SV is the first embedded firewall for NT servers.  It
secures valuable servers with network access controls and intrusion
prevention.  Visit http://www.network-1.com/eval/eval6992.htm to
receive a free CyberwallPLUS evaluation kit and white paper.

7. ========== SECURITY TOOLKIT ==========

* BOOK HIGHLIGHT: BIG BOOK OF IPSEC RFCS: INTERNET SECURITY
ARCHITECTURE
By Pete Loshin
Online Price: $34.95
Softcover; 560 pages
Published by Morgan Kaufmann Publishers, November 1999

The security architecture for the Internet protocol, IP Security
(IPSec), is already defining the way organizations and individuals
secure their networks. An entire body of work, the Requests for
Comments (RFCs), describes IPSec. This book compiles and organizes
these important documents in one printed volume and adds a glossary and
extensive index that makes the RFCs easy to locate. You no longer have
to wade through countless RFCs trying to find the answer to your IPSec
question-the book compiles all the solutions in one location.

For Windows NT Magazine Security UPDATE readers only--Receive an
additional 10 PERCENT off the online price by typing WINNTMAG in the
referral field on the Shopping Basket Checkout page. To order this
book, go to http://www.fatbrain.com/shop/info/0124558399?from=SUT864.

* TIP: INSPECT THOSE ISAPI DLLS
(contributed by Mark Joseph Edwards, mark@ntsecurity.net)

Many of you operate Internet Information Server (IIS) -based Web sites
and must let third-party Internet Server Application Programming
Interface (ISAPI) DLLs execute on the Web server. But did you know an
ISAPI DLL can easily take over your server? It's possible for an ISAPI
DLL to elevate its privileges to the level of the built-in and all-
powerful SYSTEM account by calling an API function called
RevertToSelf(). ISAPI DLLs rarely need to perform that type of
privilege elevation so it's best to ensure that no third-party DLLs do
so.
   To guard against that type of action, you must inspect each ISAPI
DLL using an analysis tool capable of dumping out any included function
calls. For example, a program called Dumpbin.exe ships with many
Microsoft development platforms, and you can use it for this type of
DLL inspection. To use Dumpbin to look for RevertToSelf() calls, use
the following command line syntax:
   dumpbin /imports FILENAME.DLL | find "RevertToSelf"

Replace FILENAME.DLL with the name of the DLL you wish to inspect on
your system. Also, be advised that functions might be called through
the LoadLibrary() function and therefore, you should inspect each DLL
for the nature of that function call too.

8. ========== HOT THREADS ==========

* WINDOWS NT MAGAZINE ONLINE FORUMS

The following text is from a recent threaded discussion on the Windows
NT Magazine online forums (http://www.winntmag.com/support).

January 07, 2000, 02:30 P.M.
Stronger Passwords with Passfilt.dll

Has anyone used the passfilt.dll to enable strong password
functionality in a Windows NT domain? I have read the technet article
Q1611990 that explains this. I understand all this just fine. I am just
looking for people who have used it that can let me know if there are
any bumps, or does it work as advertised?

Thread continues at
http://winntmag.com/support/Forums/Application/Index.cfm?CFApp=69&Message_ID
=84828

* WIN2KSECADVICE MAILING LIST
Each week we offer a quick recap of some of the highlights from the
Win2KSecAdvice mailing list. The following threads are in the spotlight
this week:

1. Yet Another Hotmail Security Hole
http://www.ntsecurity.net/go/w.asp?A2=IND0001A&L=WIN2KSECADVICE&P=2522
2. WinAmp Buffer Overflow Advisory
http://www.ntsecurity.net/go/w.asp?A2=IND0001A&L=WIN2KSECADVICE&P=3375

Follow this link to read all threads for Jan. Week 2:
   http://www.ntsecurity.net/go/win2ks-l.asp?s=win2ksec

* HOWTO MAILING LIST
Each week we offer a quick recap of some of the highlights from the
"HowTo for Security" mailing list. The following threads are in the
spotlight this week:

1. NFS Security Risks?
http://www.ntsecurity.net/go/L.asp?A2=IND0001B&L=HOWTO&P=418

Follow this link to read all threads for Jan. Week 2:
   http://www.ntsecurity.net/go/l.asp?s=howto

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

WINDOWS NT MAGAZINE SECURITY UPDATE STAFF
News Editor - Mark Joseph Edwards (mje@winntmag.com)
Ad Sales Manager (Western and International) - Vicki Peterson
(vpeterson@winntmag.com)
Ad Sales Manager (Eastern) - Tanya T. TateWik (ttatewik@winntmag.com)
Editor - Gayle Rodcay (gayle@winntmag.com)
New and Improved - Carolyn Mascarenas (products@winntmag.com)
Copy Editor - Judy Drennen (jdrennen@winntmag.com)

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

Thank you for reading Windows NT Magazine Security UPDATE

To subscribe, go to http://www.winntmag.com/update or send email to
listserv@listserv.ntsecurity.net with the words "subscribe
securityupdate anonymous" in the body of the message without the quotes

To unsubscribe, send email to listserv@listserv.ntsecurity.net with the
words "unsubscribe securityupdate" in the body of the message without
the quotes.

To change your email address, you must first unsubscribe by sending
email to listserv@listserv.ntsecurity.net with the words "unsubscribe
securityupdate" in the body of the message without the quotes. Then,
resubscribe by going to http://www.winntmag.com/update and entering
your current contact information or by sending email to
listserv@listserv.ntsecurity.net with the words "subscribe
securityupdate anonymous" in the body of the message without the
quotes.

========== GET UPDATED! ==========
Receive the latest information on the NT topics of your choice.
Subscribe to these other FREE email newsletters at
http://www.winntmag.com/sub.cfm?code=up99inxsup.

Windows NT Magazine UPDATE
Windows NT Magazine Thin-Client UPDATE
Windows NT Exchange Server UPDATE
Windows 2000 Pro UPDATE
ASP Review UPDATE
SQL Server Magazine UPDATE

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-
Copyright 2000, Windows NT Magazine

Security UPDATE Newsletter is powered by LISTSERV software
http://www.lsoft.com/LISTSERV-powered.html