[ISN] Security UPDATE -- Limit Your Exposure: Don't Use
Administrative Accounts -- March 2, 2005
InfoSec News
isn at c4i.org
Thu Mar 3 02:50:02 EST 2005
====================
This email newsletter comes to you free and is supported by the
following advertisers, which offer products and services in which you
might be interested. Please take a moment to visit these advertisers'
Web sites and show your support for Security UPDATE.
Exclusive Online Event: Email Protection at the Perimeter!
http://list.windowsitpro.com/t?ctl=3DFB:4FB69
SQL Server Magazine
http://list.windowsitpro.com/t?ctl=3E0B:4FB69
====================
1. In Focus: Limit Your Exposure: Don't Use Administrative Accounts
2. Security News and Features
- Recent Security Vulnerabilities
- Numerous Security Flaws in Web Browsers Remain Unpatched
- Microsoft Adds Security Guidance Center for Small Businesses
3. Security Toolkit
- Security Matters Blog
- FAQ
- Security Forum Featured Thread
4. New and Improved
- 256-Bit SSL Certificates
====================
==== Sponsor: St. Bernard Software ====
Exclusive Online Event: Email Protection at the Perimeter!
Learn how you can get award-winning anti-virus protection and
superior spam blocking while assuring your critical business emails
get through. Sign up today for this free online product demonstration
and see the ePrism M500 from St. Bernard Software in action. Discover
the secret behind the eGuard Analysts and how email is scoured for
digital fingerprints left by spammers so you won't receive or send
spam and viruses again! Sign up now!
http://list.windowsitpro.com/t?ctl=3DFB:4FB69
====================
==== 1. In Focus: Limit Your Exposure: Don't Use Administrative
Accounts ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net
You're probably well aware that running your desktop while logged on
as an administrator can be risky. The reason of course is that
administrators have full authority on the system, so any program that
launches under an administrative account can perform almost any
action you can think of.
As you'll learn if you read the Security Matters blog item "Windows
Firewall: Another Good Reason Not to Login as Administrator"
( http://list.windowsitpro.com/t?ctl=3E02:4FB69 ), spyware
peddlers have already developed a way of adding their programs to the
Windows Firewall's list of trusted applications. The spyware
application simply adds a registry subkey that references the
application under the subkey that stores trusted applications. Any
trusted application is allowed to send traffic out of the computer.
However, adding a subkey to the list of trusted applications works
only if the user is logged on with administrative authority. So now
you know one more reason why administrative accounts should be used
sparingly.
Mark Minasi recently wrote an interesting editorial in Windows IT Pro
UPDATE--Special Edition titled "Follow-Up: Why Microsoft Can't Stop
Root Kits." Minasi pointed out that the primary leverage an intruder
has is a user logged on with an administrative account.
http://list.windowsitpro.com/t?ctl=3E03:4FB69
In a message posted to the Bugtraq mailing list, Chris Wyposal
pointed out that "The security problem that has created the spyware
malaise on Windows is the default Windows installation for home
users, which creates the user's named account in the Administrators
group. When this account is used to browse the Internet there is no
protection to prevent spyware/malware from bypassing security
mechanisms, such as the XP SP2 firewall, by exploiting
vulnerabilities or tricking the user."
Wyposal's statement is true. The same thing goes for corporate users
who use an administrative account primarily for visiting networks
external to their company network. Wyposal also made the interesting
prediction that due to the problem of spyware and malicious software,
Microsoft will eventually change the Windows installation process so
that at least two accounts are created: one for administrative use
and another with limited permissions for everyday and Internet use.
http://list.windowsitpro.com/t?ctl=3DFF:4FB69
Any of you who've used a Unix-based or Linux-based system know that
this sort of dual-account use is standard practice. You log on with a
regular user account, and when you need administrative privileges,
you can use the "su" (super user) command to temporarily elevate your
privileges, log out and log back in as "root" or some other
administrative account, or create another logon session on your
desktop.
Windows also lets users elevate their privileges, but this capability
isn't used nearly as often as it should be. You probably know this
already, but I'll point it out in case any readers are unaware: A
simple way to elevate your privileges for specific application use in
Windows is to use the RunAs feature, which lets you run programs
under any account context provided that you supply the corresponding
account password. This feature works great even for desktop systems
on which some applications might not work correctly except under an
account with some level of administrative authority. If you need help
figuring out how to use RunAs, then check the articles at Microsoft's
Web site.
http://list.windowsitpro.com/t?ctl=3E00:4FB69
====================
==== Sponsor: SQL Server Magazine ====
Get SQL Server Magazine and Get Answers
Throughout the year in 2005, SQL Server Magazine is on target to
deliver comprehensive coverage of all hot industry topics including,
SQL Server 2005, performance tuning, security, Reporting Services,
Integration Services, and .NET development. If you aren't already a
subscriber, now is the time to sign up. You'll get unlimited online
access to every article ever published in the magazine and you'll get
30% off the cover price. Don't miss out . . . sign up today:
http://list.windowsitpro.com/t?ctl=3E0B:4FB69
====================
==== 2. Security News and Features ====
Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security
Alerts, which inform you about recently discovered security
vulnerabilities. You can also find information about these
discoveries at
http://list.windowsitpro.com/t?ctl=3DFE:4FB69
Numerous Security Flaws in Web Browsers Remain Unpatched
Dozens of security-related problems remain unpatched in the
Microsoft Internet Explorer (IE), Mozilla Firefox, and Opera Web
browsers. According to security solution provider Secunia, which
tracks vulnerabilities in more than 4000 products, some of the
unpatched browser vulnerabilities are considered to be either
moderately or highly critical.
http://list.windowsitpro.com/t?ctl=3E06:4FB69
Microsoft Adds Security Guidance Center for Small Businesses
Microsoft added a new Security Guidance Center to its Small
Business Center Web site. The new content provides security
information and advice to help businesses create a safer network
environment.
http://list.windowsitpro.com/t?ctl=3E05:4FB69
====================
==== Resources and Events ====
Keeping Critical Applications Running in a Distributed Environment
Get up to speed fast with solid tactics you can use to fix
problems you're likely to encounter as your network grows in
geographic distribution and complexity, learn how to keep your
network's critical applications running, and discover the best
approaches for planning for future needs. Don't miss this exclusive
opportunity--register now!
http://list.windowsitpro.com/t?ctl=3DF9:4FB69
Get Ready for SQL Server 2005 Roadshow in a City Near You
Get the facts about migrating to SQL Server 2005. SQL Server
experts will present real-world information about administration,
development, and business intelligence to help you implement a best-
practices migration to SQL Server 2005 and improve your database
computing environment. Receive a 1-year membership to PASS and 1-year
subscription to SQL Server Magazine. Register now!
http://list.windowsitpro.com/t?ctl=3DFC:4FB69
Learn What You Can Do When Exchange Disaster Strikes
Messaging administrators can't always adequately plan for or
prevent some kinds of disasters. In this free Web seminar, join
Exchange MVP Paul Robichaux, as he describes some operational
scenarios in which "disaster recovery" takes a back seat to "business
continuance." Learn how to be prepared for events that might
otherwise wipe out your messaging capability. Register now!
http://list.windowsitpro.com/t?ctl=3DF8:4FB69
The Must-Attend Event for Securing Your Wireless Deployments
The Conference on Mobile & Wireless Security delivers on-target,
need-to-know information on emerging issues and tech trends.
Featuring first-class keynotes and sessions, an in-depth panel
discussion, and interactive workshops, you will learn practical
tactics for overcoming mobile security challenges and real-world
strategies for maximizing the potential of your wireless devices.
http://list.windowsitpro.com/t?ctl=3E0D:4FB69
Meet the Risks of Instant Messaging Head On in This Free Web Seminar
Don't overlook Instant Messaging in your compliance planning.
Attend this free Web seminar and learn how to minimize IM's
authentication and auditability risks and prevent security dangers.
You'll also receive a list of the top requirements to consider when
choosing a secure IM solution. Sign up now!
http://list.windowsitpro.com/t?ctl=3DFA:4FB69
====================
==== 3. Security Toolkit ====
Security Matters Blog
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=3E0C:4FB69
Windows Firewall: Another Good Reason Not to Login as Administrator
Administrator rights are dangerous enough already. Combine them
with Windows Firewall protecting a system, and somebody from outside
your network might be able to bypass the firewall.
http://list.windowsitpro.com/t?ctl=3E02:4FB69
FAQ
by John Savill, http://list.windowsitpro.com/t?ctl=3E08:4FB69
Q. How can I configure Group Policy-based scripts to display when
they're executed?
Find the answer at
http://list.windowsitpro.com/t?ctl=3E04:4FB69
Security Forum Featured Thread: Annoying Files That Continually
Reappear
A forum participant is wondering about two files on his system,
wkwgww.exe and hnhihh.exe. He thinks the files are related due to the
file names. He has the latest updates for his antivirus and
antispyware scanners, but those tools don't detect anything
suspicious about the two files. When he deletes the files, they
reappear on the system. Join the discussion at
http://list.windowsitpro.com/t?ctl=3DFD:4FB69
====================
==== Announcements ====
(from Windows IT Pro and its partners)
Get Windows IT Pro at 44% Off!
Windows & .NET Magazine is now Windows IT Pro! Act now to get an
entire year for just $39.95--that's 44% off the cover price! Our
March issue shows you what you need to know about Windows Server 2003
SP1, how to get the best out of your IT staff, and how to fight
spyware. Plus, we review the top 10 features of Mozilla Firefox 1.0.
This is a limited-time, risk-free offer, so click here now:
http://list.windowsitpro.com/t?ctl=3E07:4FB69
====================
==== 4. New and Improved ====
by Renee Munshi, products at windowsitpro.com
256-Bit SSL Certificates
XRamp Technologies announced that it's now issuing 256-bit digital
Secure Sockets Layer (SSL) certificates. The certificates work with
all browsers and servers that support the 256-bit Advanced Encryption
Standard (AES) and are backward-compatible for browsers and servers
that can handle only 128-bit or 40-bit encryption. Microsoft hasn't
yet implemented 256-bit capability into its servers and browser, but
256-bit AES encryption is available with Linux Web servers, and the
free Mozilla Firefox Web browser supports 256-bit AES. A 1-year 256-
bit SSL certificate from XRamp costs $128. Multiyear certificates are
available at discounted prices. For more information, go to
http://list.windowsitpro.com/t?ctl=3E11:4FB69
Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving
you time or easing your daily burden? Tell us about the product, and
we'll send you a T-shirt if we write about the product in a future
Windows IT Pro What's Hot column. Send your product suggestions with
information about how the product has helped you to
whatshot at windowsitpro.com.
Editor's note: Share Your Security Discoveries and Get $100
Share your security-related discoveries, comments, or problems and
solutions in the Security Administrator print newsletter's Reader to
Reader column. Email your contributions (500 words or less) to
r2rsecadmin at windowsitpro.com. If we print your submission, you'll get
$100. We edit submissions for style, grammar, and length.
====================
==== Sponsored Links ====
Automate Patch Management with Symantec ON iPatch
http://list.windowsitpro.com/t?ctl=3E12:4FB69
Quest Software
See Active Directory in a whole new light. And get a free
flashlight!
http://list.windowsitpro.com/t?ctl=3E13:4FB69
====================
==== Contact Us ====
About the newsletter -- letters at windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=3E0F:4FB69
About product news -- products at windowsitpro.com
About your subscription -- windowsitproupdate at windowsitpro.com
About sponsoring Security UPDATE -- emedia_opps at windowsitpro.com
====================
This email newsletter is brought to you by Security Administrator,
the leading publication for IT professionals securing the Windows
enterprise from external intruders and controlling access for
internal
users. Subscribe today.
http://list.windowsitpro.com/t?ctl=3E01:4FB69
View the Windows IT Pro privacy policy at
http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy
Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department
Copyright 2005, Penton Media, Inc. All rights reserved.
More information about the ISN
mailing list