Category Archives: Security

The Ten Immutable Laws

Scott Culp’s two essays on the ten immutable laws of security (one set for administrators, one for users) turned two years old last month. They’re still timely and useful. Read them, live them, and know them.

IPsec step by step

Want to set up IPsec? Here’s a detailed step-by-step guide.

E what? ESMTP, did you say?

Here’s a useful tip: many SMTP proxy servers don’t support ESMTP. In particular, most of the SMTP proxies that scan for viruses don’t support it. What this means to you is that if you’re using a virus-scanning proxy, your users aren’t likely to get delivery receipts. RFC 1891 specifies how SMTP delivery status notifications (DSNs) are requested: as additional parameters on the RCPT TO command. If your virus scanner strips or rejects those extra parameters (for example, RCPT TO:<joe@blow.com> NOTIFY=FAILURE), you won’t get a DSN for that message.
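To see what the proxy actually does to the exchange, here is an added simulation (not part of the original post) of the RFC 1891 negotiation: the client only attaches NOTIFY= if the peer advertised DSN in its EHLO reply, and a parameter-dropping proxy loses the request even when the real MTA would have honoured it. The EHLO replies and host names are constructed; probe_dsn is an assumed helper for checking your own relay and is not run here.

```python
import re
import smtplib

# Constructed EHLO replies: a DSN-capable MTA reached directly, and the same
# mail path answered by a virus-scanning proxy that only speaks plain SMTP.
EHLO_DIRECT = "250-mail.example.test\r\n250-SIZE 10240000\r\n250-DSN\r\n250 8BITMIME\r\n"
EHLO_VIA_PROXY = "250 scanproxy.example.test\r\n"

def parse_ehlo(reply):
    """Return the ESMTP keywords advertised in a 250 EHLO reply (first line is the host)."""
    caps = set()
    for line in reply.strip().splitlines()[1:]:
        m = re.match(r"250[- ](\S+)", line)
        if m:
            caps.add(m.group(1).upper())
    return caps

def rcpt_command(address, caps, notify="FAILURE"):
    """Build RCPT TO; NOTIFY= (RFC 1891) is only legal if the peer advertised DSN."""
    cmd = "RCPT TO:<%s>" % address
    if "DSN" in caps:
        cmd += " NOTIFY=%s" % notify
    return cmd

def strip_esmtp_params(cmd):
    """What a parameter-dropping proxy relays: everything after the angle-addr is lost."""
    m = re.match(r"(RCPT TO:<[^>]*>)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd

def dsn_requested(ehlo_reply, address, through_stripping_proxy=False):
    """Simulate the client side and report whether the MTA that finally accepts
    the RCPT command ever sees a NOTIFY= request."""
    cmd = rcpt_command(address, parse_ehlo(ehlo_reply))
    if through_stripping_proxy:
        cmd = strip_esmtp_params(cmd)
    return "NOTIFY=" in cmd.upper()

def probe_dsn(host, port=25):
    """Assumed helper for a live check against your own relay: does it advertise DSN?"""
    with smtplib.SMTP(host, port, timeout=10) as s:
        s.ehlo()
        return s.has_extn("dsn")
```

If probe_dsn returns False for the relay your clients talk to, DSNs cannot be requested through it regardless of what the backend MTA supports.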

Securing IM clients

If you allow Windows Messenger on your network, you might want to review this MS whitepaper on controlling Messenger via group policies. At a minimum, you’ll probably want to turn off file transfers.
For bonus points, consider blocking AOL IM, ICQ, and Yahoo! Messenger from your network. Tom Shinder explains how.

Use SSL+IMAP on your PocketPC

I had just gotten done writing a sidebar for Chapter 15 that said there was no good way to use SSL+IMAP on a PocketPC. Lo and behold, a little Googling produced at least one way to do it, although it requires you to install stunnel. If anyone’s gotten this to work, I’d love to hear about it.

Let the games begin, again

There’s a new Windows worm spreading. It exploits a flaw in Outlook and Outlook Express that was patched by Microsoft on March 29, 2001. Of course you know what this means: the mass media, and the unwashed masses, will start clamoring that Microsoft doesn’t care about security. There will probably be some quotes from clueless “analysts” who claim that these worms are proof of the impending end of Western civilization, too. I expect that none of this blather will point out that the patch which prevents this exploit has been out for 18 months, which is surely enough time for even the slowest user to get it and install it.
Remember, you heard it here first: if you get this worm, it’s your own doggone fault. Patches don’t do any good if you don’t install ’em.

Fair’s fair

Dave Farber today said:

As of the time of this posting, the ms home page certainly does not have any eye-catching pointer to the fix. Shame on them.

To which I replied as follows:

To be fair, Dave, there are several ways to learn about security patches as soon as they’re released besides the MS home page (which I rarely visit). One channel, of course, is the ubiquitous (and frequently sensationalistic or incorrect, but hey, that’s another story) press reports, as represented by the Reuters report. It was filed at 8:11pm on 8/22. 99.9% of the time, press reports lag the other channels of notification, though.
First off, Microsoft has a free email service that sends security bulletin notifications. Visit http://www.microsoft.com/technet/security/bulletin/notify.asp or send email to securbas@microsoft.com. The bulletins are PGP-signed, so you can verify their authenticity if you like. If you don’t want to sign up for the MS notification service, you can subscribe to Ntbugtraq or other similar services which reprint the bulletins as they are issued. The Office security bulletin was released overnight on the 20th, so you would have learned about the bug two days earlier than Reuters reported it if you were a bulletin subscriber.
If you use the new Software Update Service (available for WinXP and Windows 2000 SP3), you’ll get a little system tray icon that appears when new security-critical Windows updates are released. You can choose whether or not new patches are automatically downloaded, and whether or not downloaded patches are installed.
Finally, there is a clear link to the Office XP SR2 release from the home page; it’s #1 under the “support” group on the lower-right corner. It is unfair to complain that there’s no big red “DANGER WILL ROBINSON” label applied to it. If Microsoft doesn’t release timely patches, people complain. If they do release timely patches, some segments of the community complain that it’s a vehicle to sneak in new license terms or get up to other mischief.

Let the games begin

It’s official: I just signed a contract with Microsoft Press to write a book on Exchange 2000 security. The working title is Securing Microsoft Exchange, so that should give you some idea of its contents. The contract calls for me to finish it by 10/30 so it can be in stores by Christmas. I plan to post draft chapters online for review, and I will soon have a form that lets you sign up to be a reviewer. This is my first book in a while, and it’s my first book with MS Press, so it’s going to be like riding a bike for the first time after a long hiatus.

ISS gets spanked

Wayne Rash trashes ISS in a ZDnet piece today. He’s got a very good point, one which was made in Brian Bilbrey’s comment the other day: ISS jumped the gun, released a broken patch, and violated their own agreement. I suspect Brian still thinks MS put them up to it, but I am willing to not ascribe to malice what can be explained by incompetence; I don’t think ISS has a very long track record in the OSS world. Not like this is gonna help…

Never heard of ISS?

Brian Bilbrey asks who ISS is and whether they’re in bed with Microsoft:

According to their website, ISS is Internet Security Systems. I hadn’t heard of them before this last few weeks. Certainly not one of the big boys, until all this recent press. From their marketing crap on the homepage (http://www.iss.net), it appears they are in the same biz as McAfee and Norton, but at a different tier.

So, let’s start with the simple stuff: ISS has been around for a long, long time as security firms go. I believe they officially started operating in 1992 or so. Chris Klaus, the founder, dropped out of Georgia Tech after developing the core of what became ISS’ lead product, the RealSecure scanner. ISS had the first useful security scanner for Windows NT, and their products are very widely used out in industry and government. So, the answer to question #1: ISS is for-real, they didn’t just fall off the truck, and they are well-regarded in the security community.

Now, for Brian’s more interesting question: is ISS in bed with Microsoft?

My security’s better than yours

I consider Bob Thompson a good friend, as well as being a very knowledgeable guy. We’ve had a number of friendly debates about various things (hey, Bob, you still owe me a 3-liter bottle of caffeine-free diet Coke for this one!). We’re now engaged in a religious battle about Microsoft’s security. You can get the backstory of this particular debate here.
Greg Lincoln chimed in thusly:

It really annoys me when people call OpenSSH or Apache or “insert app that just happens to run on Linux here” vulnerabilities “Linux” vulnerabilities. OpenSSH and Apache are NOT Linux. They are applications that run on Linux. They also run on Windows and quite a few other OSes.
Most of the recent reports against Windows are in the media player or IE, or some other component which is considered by Microsoft as part of Windows and cannot be removed. Therefore, they are holes in Windows.

Well, OK, I can see why that would bug Greg, but I think he’s wrong. Is Apache installed by default on the most common Linux distros? Yes. How about OpenSSH? I am less sure, but I’d bet the answer is “yes”. The issue isn’t whether or not they can be removed, but whether or not they’re default parts of the OS. Point being, of course, if I install a new Windows or Linux box, am I getting vulnerabilities without my knowing it? In addition, let’s not forget that one key feature in Windows XP SP1 is compliance with the consent decree requiring increased modularity in Windows. (And, FWIW, you can certainly remove, or not install, the Windows Media Player; I don’t have it installed on any of my boxen.)
