**********************************************************************

                          The SANS NT Digest
      A Resource for Computer and Network Security Professionals
                          Volume 3, Number 1
                          January 31, 2000

             Dr. Jesper M. Johansson (Boston University)

Editorial Board:
     Dr. Matt Bishop (Univ. California, Davis)
     Jeff Brown (Merrill Lynch)
     Phil Cox (SystemExperts Corp.)
     Mark T. Edmead (IBM Global Security Services)
     Chris Lalka (ExxonMobil) 
     Steve Lewis (GRCI)
     Eric Maiwald (Fortrex)
     Rob Marchand (Array Systems),
     Dr. Gene Schultz (Global Integrity Corporation, an SAIC Company)

Copyright 2000. The SANS Institute. All rights reserved.

You may forward this issue to your co-workers and encourage them to
subscribe. To do so, send a note with the subject "NT Digest" to
[EMAIL PROTECTED]

**********************************************************************

It has been an interesting month, to say the least. For the most part,
year 2000 problems never materialized, while Windows 2000 is looming
larger and larger. To drive that point home, we have reports of the
first hotfix for Windows 2000 (see section 1.6). Also on the security
front, a new local GetAdmin exploit was discovered (see 1.3). This exploit
highlights an important point. Network administrators must realize that
it is virtually impossible to contain a determined attacker who has
physical access to a computer. This is not specific to NT. Rather, it
is an issue facing all operating systems. We can make it more difficult
to take over the system, but in the end, it is not possible to completely
keep attackers with physical access out. This is especially true if the
attacker is not concerned with covering his or her tracks. That does
not mean that vulnerabilities like this one are not important. They are
extremely important. Just because we cannot contain the most determined
attackers does not mean we should not bar the vast majority of them from
getting at our information. What it does mean, however, is that we need
to take this into account when crafting our security policy. Another
thing to consider is the impact of various user groups. Certain groups
are much more difficult, by design, to contain than others. Essentially,
Server Operators in all versions of NT and Power Users in Windows 2000
should probably be considered as Administrators who just have not made
themselves administrators yet. There are numerous rights possessed by
these groups, and holes in the OS, which enable them to promote themselves
to Administrators very easily.

We also wanted to inform you that starting next month the NT Digest is
changing its name. With the name change from Windows NT to Windows 2000,
it has become undesirable to retain the NT designation. Therefore,
starting in February, to coincide with the release of Windows 2000, we
will become the SANS Windows Security Digest. We will continue to bring
you the same information and the focus will remain on security issues
in the Windows NT based operating systems and the applications that run
on them.

JMJ

**********************************************************************

Table of Contents

1.  Microsoft Security Bulletins
1.1 MS00-001 - Patch Available for "Malformed IMAP Request" Vulnerability
1.2 MS00-002 - Patch Available for "Malformed Conversion Data" Vulnerability
1.3 MS00-003 - Patch Available for "Spoofed LPC Port Request" Vulnerability
1.4 MS00-004 - Patch Available for "RDISK Registry Enumeration File"
    Vulnerability
1.5 MS00-005 - Patch Available for "Malformed RTF Control Word" Vulnerability
1.6 MS00-006 - Patch Available for "Malformed Hit-Highlighting Argument"
    Vulnerability

2.  Virus warnings
2.1 InterScan VirusWall may allow infected attachments to pass through

3.  Other NT Issues
3.1 Terminal Server BSOD due to faulty printer drivers.
3.2 IIS 4.0 Certificates can crash Navigator 4.7

4.  Internet Explorer Issues
4.1 Injecting JavaScript in IE and Netscape Navigator
4.2 Circumventing Cross-Frame security policy possible

5.  Third-party software issues
5.1.  Buffer overflows discovered this month. Many buffer overflows are
      discovered each month. We report to you the ones we know about
      here. In addition, we have tried to give you a little more
      information in a concise format. To that end, certain items are
      marked with a # or @ sign. A # sign means that an exploit for this
      issue is publicly available.  An @ sign means that a fix is available
      currently. We have also, in some cases, included a URL after the
      item. That URL points to either a fix, if one is available, or to
      the vendor's web-site, if we know it.
* # IMail IMONITOR Server v. 5.08
    (http://www.ipswitch.com/Products/IMail_Server/index.asp)
* # Nullsoft Winamp 2.10
* # Nosque Workshop SMTP Server for WinNT Version 1.9x (DOS only)
    (http://shareit1.element5.com/programs.html?nr=100364)
* # InetServ 3.0
* Trend Micro's PC-Cillin 6.x (http://www.antivirus.com/pc-cillin/products.htm)

5.2  Sygate 3.11 backdoor vulnerability
5.3  WarFtpd 1.70b Allows unrestricted user access to entire server
5.4  Script tags can be passed through Firewall-1
5.5  Hotmail allows execution of JavaScript in e-mail messages
5.6  New Allaire security bulletins 
5.6.1 Enhancing Authenticated Webtop User Security in Allaire Spectra 1.0
5.6.2 Potential denial of service problem with installation files in
      Allaire Spectra 1.0
5.6.3 Patch available for potential information exposure by the CFCACHE tag
5.7  Barely obfuscated passwords stored by CuteFTP
5.8  Lotus Notes Clients crashing since 1/1/2000
5.9  Netscape Mail Notification utility sends clear-text passwords
5.10 Website Pro reveals directory structure
5.11 Axent Enterprise Security Manager password changing problems
5.12 Timbuktu Pro 2.0 and 3.0 sends NT password in cleartext
5.13 Systems Management Server 2.0 fails to set permission on Remote
     Control executable
5.14 Sabine Systems FTPPro contains trojan monitor code

6. Tip of the month: New Management Tools in Windows 2000

=======================================================================

1. Microsoft Security Bulletins

We would like to point out that Microsoft has changed the web-sites for
security bulletins. The new location for the bulletins is:
http://www.microsoft.com/technet/security/bulletin/ms<two-digit year>-<bulletin number>.asp

For the FAQs the new location is:
http://www.microsoft.com/technet/security/bulletin/fq<two-digit year>-<bulletin number>.asp

Unfortunately, Microsoft forgot to update their templates with these
new paths, so the links in the first five bulletins sent out this year
are wrong. In addition, all old links, such as those quoted in previous
NT Digests, are now out of date.

1.1 MS00-001 - Patch Available for "Malformed IMAP Request" Vulnerability

There is an unchecked buffer in the IMAP service of the mail component
of Microsoft Commercial Internet System (MCIS) 2.0 and 2.5. It is remotely
exploitable. Microsoft has issued a patch that is available at:
* Intel: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=17124
* Alpha: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=17122

To verify whether an installation has been patched, examine the file
IMAPSVC.DLL. The patched versions are dated November 9, 1999 and have the
following sizes:
* Intel 302,864 bytes 
* Alpha 442,128 bytes

For more information, please see:
* Microsoft Security Bulletin MS00-001
  http://www.microsoft.com/technet/security/bulletin/MS00-001.asp
* Frequently Asked Questions: Microsoft Security Bulletin MS00-001
  http://www.microsoft.com/technet/security/bulletin/fq00-001.asp
* Microsoft Knowledge Base (KB) article Q246731 "MCIS: MCIS Mail Services
  unexpectedly stop"
  http://support.microsoft.com/support/kb/articles/q246/7/31.asp

1.2 MS00-002 - Patch Available for "Malformed Conversion Data" Vulnerability

Another buffer overflow was discovered in Microsoft's Word 5.0 converter
for Japanese, Korean, Simplified and Traditional Chinese. This converter
primarily ships with the respective language versions of Word, but is
also available with the Microsoft Converter Pack 2000 and Office 2000
Multilanguage Version. The patch is available on Office Update. For more
information on this bug and specific update locations for your software,
please refer to the following references:

* Microsoft Security Bulletin MS00-002
  http://www.microsoft.com/technet/security/bulletin/MS00-002.asp
* Frequently Asked Questions: Microsoft Security Bulletin MS00-002
  http://www.microsoft.com/technet/security/bulletin/fq00-002.asp
* Microsoft Knowledge Base (KB) article Q249881 "WD: Patch Available
  for "Malformed Conversion Data" Vulnerability (East Asian Word)"
  http://support.microsoft.com/support/kb/articles/q249/8/81.asp

1.3 MS00-003 - Patch Available for "Spoofed LPC Port Request" Vulnerability

BindView's security team discovered a local GetAdmin-type vulnerability
in all versions of Windows NT 4.0. It involves a mostly undocumented
kernel interface, LPC (Local Procedure Call) ports, which processes on
the same machine use to exchange messages. The culprit function is
NtImpersonateClientOfPort, which lets the caller specify which client of
a port to impersonate. By spoofing a port request so that it appears to
come from a LocalSystem client, a local user can call this function and
impersonate LocalSystem, thus gaining complete control of the computer.

According to Microsoft, this vulnerability is only exploitable by locally
logged on users. This means that certain machines are more vulnerable
than others. Specifically, Terminal Servers are particularly vulnerable
since all users are logged on locally to the Terminal Server itself.
Workstations are also more vulnerable than servers, since normal users
typically do not have local logon privileges on servers.

The patch is available for all versions of NT 4.0 at Microsoft Downloads.
Note, however, that as of January 28, Microsoft has not been able to
produce a patch for Terminal Server.

* Intel: http://www.microsoft.com/downloads/release.asp?ReleaseID=17382
* Alpha: http://www.microsoft.com/downloads/release.asp?ReleaseID=17383
* Microsoft Windows NT 4.0 Server, Terminal Server Edition:
  To be released shortly. Check back at
  http://www.microsoft.com/downloads/search.asp?Search=Product&Value='655'&OpSysID=252
  regularly. Click the Find It button when you get there.

To verify whether a particular system has been patched, examine
%systemroot%\system32\ntoskrnl.exe. It should be dated December 02, 1999,
and have the following size:
* Intel: 932,736 bytes  
* Alpha: 1,372,032 bytes  

For more information, see the following:
* Microsoft Security Bulletin MS00-003:
  http://www.microsoft.com/technet/security/bulletin/MS00-003.asp
* Microsoft Security Bulletin MS00-003: Frequently Asked Questions
  http://www.microsoft.com/technet/security/bulletin/fq00-003.asp
* The BindView Security Advisory:
  http://www.bindview.com/security/advisory/adv_NtImpersonate.html
* Microsoft Knowledge Base (KB) article Q247869 "Local Procedure Call
  may Permit Unauthorized Account Usage"
  http://support.microsoft.com/support/kb/articles/q247/8/69.asp

1.4 MS00-004 - Patch Available for "RDISK Registry Enumeration File"
     Vulnerability

The fourth bulletin of the year announces a race condition in the RDISK
tool. When RDISK is run it writes the registry to a temporary file called
$$hive$$.tmp, which is deleted when RDISK finishes. The problem is that
this file is world-readable, so while RDISK is running any user who can
reach the file can read it.

Microsoft believes that this vulnerability only affects Terminal Servers.
The reasoning is that the location where the temp file is created is
not ordinarily accessible over the network, so an ordinary user would
have to be logged on at the console to read the file; on machines other
than Terminal Servers this is ostensibly impossible, since an
administrator has to be logged on to run RDISK. We believe that this is
a naive view of how RDISK is run. RDISK is commonly scripted with the
/s- switch and run from a scheduled batch file, so the administrator does
not have to be logged on interactively while it runs, and an ordinary
user may well be. We have not tested this scenario, and Microsoft has
skirted the question of whether the RDISK executables are identical on
Terminal Servers and other NT 4.0 machines. Microsoft has released a
patch which they claim is only for Terminal Servers. It is available
from Microsoft Downloads at:

http://www.microsoft.com/Downloads/Release.asp?ReleaseID=17384
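The underlying defect is the classic temporary-file race: sensitive data is written to a file whose default permissions let other users read it, and the only "protection" is that the file is deleted afterwards. The following is an added example, not code from the Digest, from RDISK or from Microsoft's patch. It is written in Python and uses POSIX mode bits as a stand-in for NT ACLs; the file name and the hive contents are constructed. It contrasts the RDISK-style pattern with the correct one, where the restrictive permission is applied atomically at creation so there is no window at all.

```python
import os
import stat
import tempfile

# Constructed stand-in for the registry hive data that RDISK writes out.
HIVE_DATA = b"constructed hive contents; treat as SAM-equivalent"


def write_hive_insecure(directory):
    """The RDISK-style pattern: create the file with the process default
    permissions, write the secret, and rely on deleting it later.
    Between open() and the eventual delete, anyone who can reach the
    directory can read the data."""
    path = os.path.join(directory, "$$hive$$.tmp")
    with open(path, "wb") as f:          # default mask: typically 0644
        f.write(HIVE_DATA)
    return path


def write_hive_secure(directory):
    """The corrected pattern: the restrictive mode is applied atomically
    when the file is created, so there is never a moment at which another
    user can open it. O_EXCL additionally refuses a file or symlink that
    another user planted in advance under the same name."""
    path = os.path.join(directory, "$$hive$$.tmp")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(HIVE_DATA)
    return path


def readable_by_others(path):
    """True if users outside the owner and group can read the file."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def demonstrate():
    """Create the file both ways under a 022 umask and report who can read it.
    Returns (insecure_world_readable, secure_world_readable)."""
    old_umask = os.umask(0o022)
    try:
        with tempfile.TemporaryDirectory() as d:
            insecure = readable_by_others(write_hive_insecure(d))
            os.unlink(os.path.join(d, "$$hive$$.tmp"))
            secure = readable_by_others(write_hive_secure(d))
    finally:
        os.umask(old_umask)
    return insecure, secure


if __name__ == "__main__":
    print("insecure world-readable: %s, secure world-readable: %s" % demonstrate())
```

The point of the comparison is that deleting the file sooner, or running the job when nobody is logged on, only narrows the window; setting the permission at creation closes it. On NT the equivalent is passing a restrictive security descriptor to CreateFile rather than fixing the ACL afterwards.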

For more information see:
* Microsoft Security Bulletin MS00-004
  http://www.microsoft.com/technet/security/bulletin/MS00-004.asp
* Frequently Asked Questions: Microsoft Security Bulletin MS00-004
  http://www.microsoft.com/technet/security/bulletin/fq00-004.asp
* Microsoft Knowledge Base (KB) article Q249108 "Registry Data Is Viewable
  By All Users During Rdisk Repair Update"
  http://support.microsoft.com/support/kb/articles/q249/1/08.asp
* Microsoft Knowledge Base (KB) article Q156328 "Description of Windows
  NT Emergency Repair Disk"
  http://support.microsoft.com/support/kb/articles/q156/3/28.asp

1.5 MS00-005 - Patch Available for "Malformed RTF Control Word" Vulnerability

This bulletin announces a patch for a buffer overflow in the RTF reader
that ships with Windows 9x and Windows NT 4.0. The overflow crashes the
program that calls the RTF component. For example, if a user has the
preview pane turned on in Outlook and receives an e-mail containing the
malformed RTF, Outlook will crash. Microsoft claims that the overflow
cannot be used to run code, although posts on BugTraq indicate that it
might be under certain conditions.

Patches for Windows NT are available as follows:
* Intel:
  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=17510
* Alpha:
  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=17511

The Terminal Server patch is not yet available. Patches are available
for Windows 9x on Windows Update. Windows 2000 is not vulnerable.

For more information see:
* Microsoft Security Bulletin MS00-005
  http://www.microsoft.com/technet/security/bulletin/MS00-005.asp
* Frequently Asked Questions: Microsoft Security Bulletin MS00-005
  http://www.microsoft.com/technet/security/bulletin/fq00-005.asp
* Microsoft Knowledge Base (KB) article Q249973 "Default RTF File Viewer
  Interrupts Normal Application Processing"
  http://support.microsoft.com/support/kb/articles/q249/9/73.asp

1.6 MS00-006 - Patch Available for "Malformed Hit-Highlighting Argument"
     Vulnerability

This bulletin actually covers two patches. It takes its name from the
first, which concerns webhits.dll, the Index Server component that
provides hit highlighting: it returns a document with the search terms
highlighted. Webhits.dll takes an argument called CiWebHitsFile that
names the file to highlight, and that argument is passed in the URL, so
the client chooses which file is processed. That alone is undesirable.
Worse, webhits.dll does not reject ".." path components in the argument,
so an attacker can step out of the web root and read any file on the
logical drive where the web server's root directory is located.

To do this the attacker has to know where the web root is. The second
vulnerability in the bulletin supplies exactly that: if an attacker
requests a non-existent Index Server query file (.idq), the web server
answers with a message that "the file <drive>\<path>\<nonexistent idq
file>.idq could not be found", revealing the physical path. Using the
two together, an attacker can first map the directory structure of the
web server and then read any file on that drive.
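The two defects are a missing path-containment check and an error message that discloses the physical path. The following is an added example, not code from the Digest, from Microsoft or from the Cerberus advisory: a Python model of a hit-highlighting handler that canonicalises the client-supplied CiWebHitsFile argument and refuses anything that resolves outside the web root, and that reports the name the client asked for rather than the physical location when the file is missing. The web root, the set of files that "exist" and the request strings are all constructed so the example runs offline.

```python
import html
import posixpath
from urllib.parse import unquote

# Constructed web root and a constructed set of files that "exist" on the
# server, so the example runs without a real IIS behind it.
WEBROOT = "/inetpub/wwwroot"
EXISTING = {
    "/inetpub/wwwroot/docs/readme.htm",
    "/inetpub/secret/config.txt",          # deliberately outside the web root
}


def resolve_in_webroot(webroot, requested):
    """Map a client-supplied file argument to an absolute path, or return
    None if the argument would escape the web root."""
    # Decode %-escapes exactly once, and treat \ like /, as IIS does.
    path = unquote(requested).replace("\\", "/").lstrip("/")
    # Join first, then collapse . and .. lexically, then test containment.
    # Testing for ".." in the raw string would miss encoded forms.
    root = posixpath.normpath(webroot)
    candidate = posixpath.normpath(posixpath.join(root, path))
    # NTFS is case-insensitive, so compare case-folded paths.
    c, r = candidate.lower(), root.lower()
    if c != r and not c.startswith(r + "/"):
        return None
    return candidate


def hit_highlight(requested, webroot=WEBROOT, exists=EXISTING.__contains__):
    """Return (status, body) for a CiWebHitsFile request. The exists()
    predicate is injectable so the handler can be exercised offline."""
    path = resolve_in_webroot(webroot, requested)
    if path is None:
        return 403, "Forbidden"
    if not exists(path):
        # Echo the name the client sent (HTML-escaped, since it is
        # attacker-controlled), never the physical path.
        return 404, "The file %s could not be found." % html.escape(requested)
    return 200, "would highlight hits in " + path


if __name__ == "__main__":
    for req in ("docs/readme.htm", "../secret/config.txt",
                "docs/..%2F..%2Fsecret/config.txt", "docs/missing.idq"):
        print(req, "->", hit_highlight(req))
```

Two caveats a practitioner would want noted: the containment test is lexical, so on a real file system the candidate should be resolved through junctions and symbolic links (os.path.realpath) before the comparison; and the input is decoded exactly once, so a server that decodes the query string again after this check would reopen the hole.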

This vulnerability affects all systems with Index Server 2.0 installed
and Windows 2000 systems running the Indexing Service. Patches are
available as follows:

* Index Server 2.0 Intel:
  http://www.microsoft.com/downloads/release.asp?ReleaseID=17727
* Index Server 2.0 Alpha:
  http://www.microsoft.com/downloads/release.asp?ReleaseID=17728
* Indexing Services for Windows 2000:
  http://www.microsoft.com/downloads/release.asp?ReleaseID=17726

For more information on this issue, see the following:
* Microsoft Security Bulletin MS00-006
  http://www.microsoft.com/technet/security/bulletin/MS00-006.asp
* Frequently Asked Questions: Microsoft Security Bulletin MS00-006
  http://www.microsoft.com/technet/security/bulletin/fq00-006.asp
* The Cerberus Information Security Advisory
  http://www.cerberus-infosec.co.uk/adviishtw.html
* Microsoft Knowledge Base (KB) article Q251170 "Malformed Argument in
  Hit-Highlighting Request Allows Access to Web Server Files"
  http://www.microsoft.com/technet/support/kb.asp?ID=251170
* Microsoft Knowledge Base (KB) article Q252463 "Index Server Error
  Message Reveals Physical Location of Web Directories"
  http://www.microsoft.com/technet/support/kb.asp?ID=252463

2.  Virus warnings
2.1 InterScan VirusWall may allow infected attachments to pass through

Trend Micro's InterScan VirusWall scans e-mail attachments entering a
network for viruses. However, by modifying the message in certain ways
an attacker can cause an infected attachment to pass through undetected.
Trend Micro posted a patch for VirusWall on January 22, but the readme
file included with it does not mention this problem, and we have been
unable to verify whether it fixes it. When a patch that does is made
available, it will be posted at
http://www.antivirus.com/download/patches/default.htm.

3.  Other NT Issues

3.1 Terminal Server BSOD due to faulty printer drivers.

Printer drivers that are not multi-user aware may cause Terminal Server
to crash. Terminal Server administrators should therefore test printer
drivers prior to allowing users to install them. To keep users from
installing untested printer drivers Terminal Server Service Pack 5
provides a registry value called "LoadTrustedDrivers." Using that value
an administrator can restrict users to only being able to install certain,
tested, drivers. Service Pack 5 is available at:

http://www.microsoft.com/ntserver/terminalserver/downloads/recommended/tsesp5

For more information see Microsoft KBase article Q238070:
http://support.microsoft.com/support/kb/articles/Q238/0/70.asp

3.2 IIS 4.0 Certificates can crash Navigator 4.7

According to a report on MSNBC, Internet Information Server 4.0 does
not correctly support 56-bit certificates. This can cause international
versions of Netscape Navigator 4.7 to crash because the security
negotiation fails. Microsoft is reportedly working on a fix. In the
interim, Navigator users can solve the problem by disabling 56-bit
certificates.

For the original MSNBC report, see http://www.msnbc.com/news/357775.asp?cp1=1

4. Internet Explorer Issues

4.1 Injecting JavaScript in IE and Netscape Navigator

Georgi Guninski publicized several vulnerabilities in Internet Explorer
that allow an attacker to force the browser to execute arbitrary
JavaScript. Several of these attacks also affect Netscape Navigator.
These methods are primarily a problem with web-mail services, such as
Hotmail. Hotmail escapes JavaScript in e-mail messages so that it is
not executed. However, it is still possible to cause JavaScript in an
e-mail message to execute. The methods include:
* Putting the JavaScript in the LOWSRC attribute of an IMG tag
* Putting the JavaScript in the DYNSRC attribute of an IMG tag
* Putting the JavaScript in an @import url() rule in a style sheet
* Replacing the ASCII characters of the JavaScript with their hex
  equivalents, and placing the result in the SRC attribute of an IMG tag
The workaround for this issue is to disable Active Scripting (JavaScript
in Netscape Navigator).

4.2 Circumventing Cross-Frame security policy possible

Georgi Guninski also discovered that it is possible to circumvent the
cross-frame security policy in Internet Explorer. Cross-frame navigation
occurs when one window or frame gets access to information in another.
For example, say a user opens a document in a browser window. If the
user then opens a new document in the same window, scripts in the new
document have access to the properties of the old one until the new
document is completely parsed. This means that the new document could
read the contents of the old one. The script-accessible properties of a
document make up its DOM (Document Object Model), and the rule that
normally keeps one document's scripts out of another's DOM is keyed on
the domain the document was loaded from. Thus it has been publicized
that Internet Explorer allows circumvention of "domain security". That
domain, however, is purely a scripting construct and has nothing whatsoever
to do with a Windows NT domain.

This vulnerability affects all Internet Explorer 5.x versions, including
the one that ships with the retail version of Windows 2000. The only
current workaround is to disable Active Scripting.

5. Third-party software issues

5.1 Buffer overflows discovered this month were covered in the table of
contents above

5.2. Sygate 3.11 backdoor vulnerability

Sygate is an Internet connection sharing program made by Sybergen
(http://www.sybergen.com). Sygate contains an undocumented remote
administration feature that listens on port 7323. It is supposed to be
reachable only on the internal interface, but recent reports indicate
that it may also be reachable from the outside. This is a serious
vulnerability, as it allows the Sygate connection sharing program to be
shut down remotely from the Internet.

This vulnerability is only present if the Enhanced Security feature is
not enabled and Sybergen's firewall product, Sybergen Secure Desktop, is
not installed. Sybergen has created a patched version of Sygate, but at
this point the patch is apparently only available by contacting Sybergen
technical support.

5.3 WarFtpd 1.70b Allows unrestricted user access to entire server

A serious problem was reported in War FTP 1.70b, a freeware FTP server
for Windows. War FTP comes with a number of macros, but the server fails
to check whether the user has permission to execute a macro before doing
so. Consequently, many of the macros can be executed without even logging
in to the server. Jarle Aase, the author of War FTP, has published an
advisory and is working on an update. The advisory is available at
http://war.jgaa.com/alert/, and the updated version, 1.71, can be
downloaded from http://war.jgaa.com/alert/files/. However, 1.71 is still
in testing, and Mr. Aase recommends that all War FTP servers running
version 1.70 be taken offline until the upgrade is installed. A similar
problem also affects version 1.67; the fix for that version is available
from http://war.jgaa.com/alert/files/.

5.4 Script tags can be passed through Firewall-1

Checkpoint Firewall-1
(http://www.checkpoint.com/products/firewall-1/index.html) contains a
feature to strip script tags from incoming web pages. In version 3.0,
at least, this feature is easily circumvented by adding an extra < in
front of the script tag: the filter no longer recognises the tag, but
the browser still does. It is unknown at this point whether version 4.0
of Firewall-1 is affected. Checkpoint has been notified and is looking
into the issue.
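Items 4.1 and 5.4 describe the same failure: a filter that looks for the literal text of a script tag, which is defeated both by the other places a browser will execute script from (the LOWSRC, DYNSRC and SRC attributes of IMG, an @import in a style sheet, a javascript: URL whose letters are written as character references) and by a malformed tag the browser tolerates. The following is an added example, not code from Hotmail, Check Point or Georgi Guninski's advisories. It is written in Python with the standard library's html.parser and places a naive script-tag stripper beside an allow-list sanitizer that rebuilds the message from the parsed tags, so that only known tags, known attributes and known URL schemes survive. The tag and attribute allow lists and the sample messages are constructed.

```python
import html
import re
from html.parser import HTMLParser

# The naive approach the text describes: look for the literal tag text.
_SCRIPT_ELEMENT = re.compile(r"<script\b.*?</script\s*>", re.I | re.S)


def naive_strip(message):
    """Remove well-formed <script>...</script> elements and nothing else."""
    return _SCRIPT_ELEMENT.sub("", message)


# Constructed allow lists: anything not listed here is dropped.
ALLOWED_TAGS = {"p", "br", "b", "i", "img", "a"}
ALLOWED_ATTRS = {"img": {"src", "alt"}, "a": {"href"}}
URL_ATTRS = {"src", "href"}
DROP_WITH_BODY = {"script", "style"}      # their content is discarded too
SAFE_SCHEMES = {"http", "https", "mailto"}


def safe_url(value):
    """Accept relative URLs and http/https/mailto; reject every other scheme
    (javascript:, vbscript:, data:, ...). Control characters and whitespace
    are removed first because browsers ignore them inside the scheme."""
    cleaned = re.sub(r"[\x00-\x20]", "", value)
    m = re.match(r"([a-z][a-z0-9+.-]*):", cleaned, re.I)
    return m is None or m.group(1).lower() in SAFE_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Re-emit only allow-listed tags and attributes from the parsed input.
    Working from the parsed tags rather than the raw text means the filter
    sees the same elements the browser will, including tolerated junk such
    as '<<script>'."""

    def __init__(self):
        # convert_charrefs=True decodes &#x6A;... in attribute values and in
        # text before we inspect them, so an encoded javascript: is caught.
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropping = None

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_BODY:
            self.dropping = tag
            return
        if self.dropping or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue              # lowsrc, dynsrc, style, on*: all end here
            if name in URL_ATTRS and not safe_url(value):
                continue
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag == self.dropping:
            self.dropping = None
        elif not self.dropping and tag in ALLOWED_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.dropping:
            self.out.append(html.escape(data))


def sanitize(message):
    """Return a copy of message containing only allow-listed markup."""
    p = AllowlistSanitizer()
    p.feed(message)
    p.close()
    return "".join(p.out)


if __name__ == "__main__":
    samples = ['<IMG LOWSRC="javascript:alert(1)">',
               '<style>@import url(javascript:alert(1))</style>hello',
               '<img src="&#x6A;&#x61;&#x76;&#x61;script:alert(1)">',
               '<<script>alert(1)</script>x']
    for s in samples:
        print("naive: %-45s sanitized: %s" % (naive_strip(s), sanitize(s)))
```

Because the output is regenerated from parsed tags, the attacker's original bytes never reach the recipient; the naive stripper, by contrast, passes every sample above through untouched except the plain <script> element it was written for.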

5.5 Hotmail allows execution of JavaScript in e-mail messages

This issue was described in item 4.1 above.

5.6. New Allaire security bulletins

Allaire has posted three new bulletins on their security website:

5.6.1 Enhancing Authenticated Webtop User Security in Allaire Spectra 1.0

Bulletin ASB00-01 is available at:
http://www.allaire.com/handlers/index.cfm?ID=13976&Method=Full. This
bulletin discusses a vulnerability whereby users who have been granted
access to one part of the webtop can access other parts by typing an
explicit URL. The bulletin describes a workaround.

5.6.2 Potential denial of service problem with installation files in
      Allaire Spectra 1.0

Bulletin ASB00-02 is available at
http://www.allaire.com/handlers/index.cfm?ID=13977&Method=Full. When
Allaire Spectra is installed it installs a file in
webroot/allaire/spectra/install that is used to index the server. An
attacker can repeatedly call this file from a browser causing the server
to use up all available processor cycles for indexing.

5.6.3 Patch available for potential information exposure by the CFCACHE tag

Bulletin ASB00-03 is available at
http://www.allaire.com/handlers/index.cfm?ID=13978&Method=Full. Allaire
is announcing a new version of the CFCACHE tag. The old version created
several temporary files, including one that contained information on
the location of template files. These temporary files were stored in
the same directory as the .CFM template that called CFCACHE. Since that
directory is typically publicly readable, an attacker can request these
files with a browser, thereby gaining information on the directory
structure of the server.

5.7 Barely obfuscated passwords stored by CuteFTP

CuteFTP, a very popular shareware FTP client, stores user passwords in
text files on the client with only trivial obfuscation. Versions 1.x and
2.x use a file called tree.dat; in version 3.x the file is smdata.dat.
Users can optionally store passwords in these files, and CuteFTP
obfuscates them by simply adding a fixed value to each character's ASCII
code. Furthermore, CuteFTP stores the plaintext username and password
for any firewall configuration in its INI file in versions 1.x and 2.x.
In version 3.x that information is stored, again in plaintext, under the
registry key:

HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 3.0\CuteFTP

Users of CuteFTP should not save passwords in the client. Any password
already saved there should be treated as known to anyone who can read
the user's profile directory or registry hive, and changed.

5.8 Lotus Notes Clients crashing since 1/1/2000

Users of Lotus Notes 4.5x through 5.x clients (including Domino clients)
may have noticed the clients crashing since January 1, 2000. The problem
occurs if a user runs a Simple Action agent that uses the Send Mail
Message action and the Include Copy of Document option. If the included
document's form contains a text field populated by a date value the
client will crash soon after the agent completes.

Lotus plans to include a fix in the next quarterly maintenance release.
For more information, see the Lotus technote at:
http://www.support.lotus.com/sims2.nsf/c7835bf039c01dc285256688006fae9b/35b578b76f3ec78e85256859007173ec?OpenDocument

5.9 Netscape Mail Notification utility sends clear-text passwords

Netscape Communicator ships with a little utility called Netscape Mail
Notification. This utility can be used to notify users that they have
new mail. If the user has not stored an e-mail server username and
password in Netscape Mail, the Mail Notification utility will ask for
them. It will then store them and use them to check e-mail, regardless
of whether the user has selected to store the password in the main Mail
program. Further, even if the user has requested Netscape Mail to use
an SSL connection, the Mail Notification utility still sends the username
and password in clear text.

5.10 Website Pro reveals directory structure

In its default installation Website Pro from O'Reilly will reveal the
directory structure of a web site when it cannot find a document. This
could allow an attacker to gain information about the structure of the
server. O'Reilly has some optional extensions to the server which allow
you to fix the problem by creating custom error messages. For more
details see:
http://software.oreilly.com/techsupport/kb/website_kb_article_display_frame.cfm?ID_KBArticle=102

5.11 Axent Enterprise Security Manager password changing problems

There is a problem when an administrator changes the password in Axent
Technologies Enterprise Security Manager console. When an administrator
changes the password in the console the password is not updated in all
the places where it is used. This includes the individual ESM managers,
as well as the underlying database.

To solve the problems with the individual ESM managers, Axent recommends
the following workaround:
* Right-click on the ESM manager that caused the error and choose "Connect
  As..."
* Enter the username and password and click "Save name and password."
* Repeat these steps for all the managers that had errors

As far as the database goes there appears to be no simple workaround
other than to remove the password from the database. Axent has promised
a more permanent solution for the ESM managers problem shortly. It is
unknown whether they will fix the problem of synchronizing the password
on the underlying database.

5.12 Timbuktu Pro 2.0 and 3.0 sends NT password in clear text

Netopia's Timbuktu Pro 2.0 and 3.0 can be used to remotely control a
computer running Windows NT. However, when a client connects it passes
the username and password in clear text across the network. There appears
to be no solution for this problem other than to only establish the
connection through an encrypted tunnel. The editorial board is not aware
of an official solution from Netopia.


5.13 Systems Management Server 2.0 fails to set permission on Remote
     Control executable

There is a problem with permissions on the remote control executable
used on Systems Management Server 2.0 clients. When the remote control
component is installed, no restrictive access control list is applied to
it, so ordinary users can replace it with a trojan of their choosing.
When an administrator next connects to the remote control component,
the trojan runs in the administrative context. System administrators
should set an ACL on this file that gives ordinary users read and execute
access only:

<SMS local installation directory>\ms\sms\clicomp\remctrl\wuser32.exe

5.14 Sabine Systems FTPPro contains trojan monitor code

Sabine Systems FTPPro contains code that monitors whether users have
paid the shareware fee for the program. According to a post on BugTraq
(http://www.securityfocus.com), after users used the program without
paying the shareware fee their Internet Service Provider received e-mails
threatening legal action unless the ISP somehow forced the users to pay
the shareware fee or terminated their accounts. The e-mails contained
the user's local login name as well as the FTP user name. Apparently,
the program transmits this information to Sabine Systems when users
connect to FTP servers. It is not known whether the password was also
transmitted, but it was not contained in the e-mail.

6. Tip of the month: New Management Tools in Windows 2000

One of the most frequent complaints about Windows NT 4.0 is that the
management tools are scattered throughout the system. To add users, you
go to one place, to monitor performance you go to another, to examine
the event logs you go to a third, and so on. Microsoft has attempted to
address this issue with the Microsoft Management Console in Windows
2000. The MMC actually debuted with IIS 4.0. However, in Windows 2000
many of the familiar management tools have migrated in there. Some of
the tools you need to become familiar with are:
* Local Users and Groups (User Manager; domain accounts move to the
  separate Active Directory Users and Computers console, which replaces
  User Manager for Domains)
* Performance Logs and Alerts (Performance Monitor)
* Event Viewer
* Disk Management (Disk Administrator)
* Services and Applications\Services (Services control panel)
* Shared Folders (the Shares option in Server Manager under NT 4.0)

These tools all show up in an MMC console settings file accessible from
Control Panel\Administrative Tools\Computer Management. You can add many
more snap-ins to this file, such as the Group Policy, which is the
replacement for the venerable Policy Editor.

It takes a while to get used to the locations of the new tools. For
example, I had problems finding the settings for user rights that used
to be in User Manager for Domains. They are buried in the Local Computer
Policy, under Computer Configuration\Windows Settings\Security
Settings\Local Policies\User Rights Assignment. You can also get to them
slightly more directly by opening the MMC console file called "Local
Security Policy" (also available in Control Panel\Administrative Tools).

You can control a different computer from the Computer Management console.
Right-click on Computer Management (Local), select "Connect to Another
Computer..." and select the computer to connect to. If you now right-click
Computer Management you can view and modify the system properties on
the remote computer and also perform a remote shutdown or reboot. If
you routinely manage a certain computer from a remote location, you can
add a Computer Management snap-in for that computer by adding a snap-in
and selecting "Remote Computer" when MMC asks which computer you want
to manage. Save the console and the next time you open it you have access
to the remote computer.

=======================================================================

The SANS NT Digest is provided at no cost to those people who attend
SANS and SANS Network Security conferences.  Email <[EMAIL PROTECTED]> with
complete instructions and your SD number (from the headers) for subscribe,
unsubscribe, change address, add other digests, or any other comments.

