[ISN] Security UPDATE -- IE 7.0 and Windows Vista Bring More Secure
Communications -- November 2, 2005
InfoSec News
isn at c4i.org
Thu Nov 3 09:45:53 EST 2005
====================
This email newsletter comes to you free and is supported by the
following advertisers, which offer products and services in which
you might be interested. Please take a moment to visit these
advertisers' Web sites and show your support for Security UPDATE.
Quest Software
http://list.windowsitpro.com/t?ctl=183DF:4FB69
BindView
http://list.windowsitpro.com/t?ctl=183DD:4FB69
====================
1. In Focus: IE 7.0 and Windows Vista Bring More Secure Communications
2. Security News and Features
- Recent Security Vulnerabilities
- Problems with Microsoft's October Security Updates
- Voice over IP Security Taking Shape
3. Security Toolkit
- Security Matters Blog
- FAQ
- Security Forum Featured Thread
4. New and Improved
- Endpoint Compliance Without Client Software
====================
==== Sponsor: Quest Software ====
Join us for a free Webcast that explains how organizations with
heterogeneous enterprises can "Get to One" solution for systems
management through Microsoft Systems Management Server (SMS). For most
organizations, heterogeneous enterprises are a fact of life, but they
present significant systems management challenges particularly for
Unix, Linux and Mac systems. Fortunately, through natively implementing
standards on non-Windows systems, those systems can participate in the
systems management infrastructure offered by SMS. This Webcast will
explain how an integrated architecture can streamline processes, save
money, reduce complexity, increase security, and enable compliance for
Windows, Unix, Linux, and Mac systems. Register to attend our Webcast
on November 9, 2005 at 1:00 PM EDT
http://list.windowsitpro.com/t?ctl=183DF:4FB69
====================
==== 1. In Focus: IE 7.0 and Windows Vista Bring More Secure
Communications
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net
Microsoft's IEBlog is published by the development team that works on
Internet Explorer (IE). As such, the blog contains interesting
information about what we might see in future versions of the browser.
http://list.windowsitpro.com/t?ctl=183EF:4FB69
On October 22, the IE development team published an article that
outlines a few changes Microsoft is making with Secure Sockets Layer
(SSL) and Transport Layer Security (TLS). Current versions of IE
support SSL 2.0, SSL 3.0, and TLS 1.0, each of which can be enabled or
disabled individually (select Internet Options from the Tools menu, go
to the Advanced tab, and scroll down to the Security section). In IE
6.0, SSL 2.0 and SSL 3.0 are enabled and TLS 1.0 is disabled--at least
that's the configuration in my default installations. SSL 3.0 and TLS
1.0 are far more secure than SSL 2.0 (SSL 2.0 has known weaknesses in
its handshake and message integrity protection), so Microsoft has
decided that in IE 7.0, SSL 2.0 will be disabled by default and SSL 3.0
and TLS 1.0 will be enabled by default. Any Web site that still
negotiates only SSL 2.0 will therefore fail to connect from a default
IE 7.0 installation; such sites need to offer SSL 3.0 or TLS 1.0 before
IE 7.0 enters widespread use.
Another major change is the way certificates will be handled. IE 7.0
will initially block access to sites whose certificates weren't issued
by a trusted root or whose certificates have expired or been revoked.
Under the first two conditions, the browser will offer the user the
option of connecting anyway but not if the certificate has been
revoked. In addition, the browser won't show nonsecure content on sites
whose pages use both secure and nonsecure content unless the user
explicitly unblocks the nonsecure content.
Windows Vista will also bring changes to secure communications. With
Vista, the Schannel provider gains Advanced Encryption Standard (AES)
cipher suites, with keys up to 256 bits, for protecting HTTPS traffic.
Vista will also use the Online Certificate Status Protocol (OCSP),
rather than relying solely on downloaded certificate revocation lists,
for speedier certificate status checking, and it will implement the
TLS extensions defined in Internet Engineering Task Force (IETF)
Request for Comments (RFC) 3546, including the server_name (Server
Name Indication) extension.
http://list.windowsitpro.com/t?ctl=183ED:4FB69
Web site administrators need to be aware of these upcoming features in
IE and Vista and take the necessary steps towards compatibility.
Otherwise you're bound to run into problems in the future, particularly
with certificates on servers that host several HTTPS sites (virtual
domains) on one IP address, because choosing the right certificate
depends on the server name the client sends in the RFC 3546
server_name extension and on how the server parses it.
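Two of the points above are easier to see in code than in prose: why a
site that still negotiates only SSL 2.0 stops working once IE 7.0's
defaults drop it, and what the RFC 3546 server_name extension actually
carries so that a server hosting several HTTPS sites on one address can
pick the matching certificate. The following Python is an added example
written for this newsletter; it is not code from Microsoft, the IE team,
or IEBlog. The protocol sets labeled IE6_DEFAULT and IE7_DEFAULT are
taken from the article's description, the host names and the
all-zero ClientHello random are constructed test data, and only one
cipher suite is offered to keep the message short.

```python
import struct

# Protocol versions as (major, minor) on the wire. SSL 2.0 uses a different
# hello format, so it is only a label here and is never built below.
SSL_2_0 = (2, 0)
SSL_3_0 = (3, 0)
TLS_1_0 = (3, 1)

IE6_DEFAULT = {SSL_2_0, SSL_3_0}   # per the article: SSL 2.0/3.0 on, TLS 1.0 off
IE7_DEFAULT = {SSL_3_0, TLS_1_0}   # per the article: SSL 2.0 off, SSL 3.0/TLS 1.0 on

SNI_EXT_TYPE = 0x0000              # RFC 3546 server_name extension type
HOST_NAME = 0                      # RFC 3546 NameType host_name


def negotiate(client_enabled, server_supported):
    """Return the highest version both sides accept, or None if none is shared."""
    common = client_enabled & server_supported
    return max(common) if common else None


def build_client_hello(server_name=None, version=TLS_1_0):
    """Build one TLS record carrying a minimal ClientHello (RFC 2246 layout).

    Empty session id, one cipher suite (TLS_RSA_WITH_AES_128_CBC_SHA), null
    compression. If server_name is given, an RFC 3546 server_name extension
    is appended. The 32-byte random is all zeros (constructed example only).
    """
    body = bytes(version)                          # client_version
    body += bytes(32)                              # random (constructed zeros)
    body += b"\x00"                                # session_id length 0
    body += struct.pack("!H", 2) + b"\x00\x2f"     # cipher_suites (one entry)
    body += b"\x01\x00"                            # compression_methods: null
    if server_name is not None:
        name = server_name.encode("idna")          # RFC 3546: ASCII host name
        entry = struct.pack("!BH", HOST_NAME, len(name)) + name
        name_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", SNI_EXT_TYPE, len(name_list)) + name_list
        body += struct.pack("!H", len(ext)) + ext  # extensions block
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # client_hello(1)
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from a ClientHello record, or None if absent.

    This is the parsing step a virtual-hosting HTTPS server must perform
    before it can select the certificate for the requested site.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                        # skip version + random
    pos += 1 + body[pos]                                # skip session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # skip cipher_suites
    pos += 1 + body[pos]                                # skip compression_methods
    if pos >= len(body):
        return None                                     # no extensions at all
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data, pos = body[pos:pos + elen], pos + elen
        if etype != SNI_EXT_TYPE:
            continue
        p = 2                                           # skip ServerNameList length
        while p + 3 <= len(data):
            ntype = data[p]
            nlen = struct.unpack("!H", data[p + 1:p + 3])[0]
            p += 3
            if ntype == HOST_NAME:
                return data[p:p + nlen].decode("ascii")
            p += nlen
    return None


if __name__ == "__main__":
    print("SSL 2.0-only site vs IE 7.0 defaults:", negotiate(IE7_DEFAULT, {SSL_2_0}))
    hello = build_client_hello("secure.example.test")
    print("server_name parsed by the server:", extract_sni(hello))
```

A server that ignores the extension, or a site whose certificate was
issued for a name other than the one clients send, is exactly the
"server name parsing" problem the article warns about: the client's
hello names the site it wants, and the server has to read that name
before it can answer with the right certificate.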
You can learn more about these issues in IEBlog. You can also read a
long list of comments and concerns from the blog's readers and post
your own comments. If you want to learn more about the cryptography in
Windows Vista, a video of an interview with Tomas Palmer and Tolga Acar
(cryptography program managers at Microsoft) is available at MSDN.
http://list.windowsitpro.com/t?ctl=183E5:4FB69
If you're interested in information about Outlook Express (which
incidentally has been renamed Windows Mail) in Windows Vista, be sure
to read Windows Mail developer Bryan Starbuck's blog for plenty of
insight regarding antispam features and more. You can also watch
another video interview at MSDN with the developers and testers of
Windows Mail in which they discuss the new mail client.
http://list.windowsitpro.com/t?ctl=183E6:4FB69
====================
==== Sponsor: BindView ====
Are You Prepared for the PCI-Data Security Standard?
If your organization handles credit card transactions with any of
the major credit card companies, you need to assess and document your
adherence to the PCI-data security standard. Failure to comply with the
standard carries stiff penalties including fines, and the restriction
of future transaction handling ability by negligent firms. Join
BindView for a live Webcast where you will get an overview of the PCI-
Data Security Standard; how the standard's 12 major requirements impact
IT; and how automated solutions can help demonstrate compliance with
these requirements to satisfy an audit. Register at:
http://list.windowsitpro.com/t?ctl=183DD:4FB69
====================
==== 2. Security News and Features ====
Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security
Alerts, which inform you about recently discovered security
vulnerabilities. You can also find information about these
discoveries at
http://list.windowsitpro.com/t?ctl=183E0:4FB69
Problems with Microsoft's October Security Updates
Earlier this month, Microsoft published Security Bulletins MS05-050
and MS05-051 as part of its regular monthly security patch release
schedule. In some instances, systems might still be vulnerable after
installing a patch or administrators might find that various important
services don't start. Find out more in this news article on our Web
site.
http://list.windowsitpro.com/t?ctl=183EA:4FB69
Voice over IP Security Taking Shape
The Voice over IP Security Alliance (VOIPSA) released its security
framework, which the alliance hopes will help the industry identify and
mitigate potential threats to VoIP technology.
http://list.windowsitpro.com/t?ctl=183E8:4FB69
====================
==== Resources and Events ====
What Does It Mean to Be Compliant?
We've all heard about legal and regulatory requirements, but there
are other types of compliance that might also affect you--specifically
email compliance. In this free Web seminar, you'll get insights into
compliance and policy issues that you need to know about, as well as
suggestions on what to look for when implementing your compliance
strategy, and more. Register today!
http://list.windowsitpro.com/t?ctl=183DE:4FB69
Get Ready for the SQL Server 2005 Roadshow in Europe--Get the facts
about migrating to SQL Server 2005!
SQL Server experts will present real-world information about
administration, development, and business intelligence to help you
implement a best-practices migration to SQL Server 2005 and improve
your database-computing environment. Receive a one-year membership to
PASS and one-year subscription to SQL Server Magazine. Register now.
http://list.windowsitpro.com/t?ctl=183DA:4FB69
Get the Maximum Return on Software Investments by Optimizing Every
Dollar Spent on Software
Inaccurate information about software usage causes many
organizations to either overspend and buy licenses they don't use, or
underspend and deny some end users access to the software they need.
Attend this free Web seminar and get a 5-step plan for quickly
implementing a license management program today!
http://list.windowsitpro.com/t?ctl=183DC:4FB69
Accelerate Time to Recovery with Minimal Data Loss
Learn how to meet RPO (Recovery Point Objectives) and RTO (Recovery
Time Objectives) with a continuous, or real-time backup system. In this
free, on-demand Web seminar, you'll discover how to roll back data to
any point in time--not just to the last snapshot or backup!
http://list.windowsitpro.com/t?ctl=183DB:4FB69
Exploit the Opportunities of a Wireless Fleet
With the endless array of mobile and wireless devices and
applications, it's hard to decide what you can do with the devices
beyond providing mobile email access. It's even tougher to know how to
keep it all secure. Join industry guru Randy Franklin Smith in this
free Web seminar and discover what you should do to leverage your
mobile and wireless infrastructure, how to pick devices that are right
for you, and more!
http://list.windowsitpro.com/t?ctl=183D9:4FB69
====================
==== Featured White Paper ====
Software Packaging Workflow Best Practices
Managing desktop software configurations doesn't have to be a manual
process resulting in unplanned costs, deployment delays, and client
confusion. In this free whitepaper, you'll learn how to manage the
software package preparation process and increase your desktop
reliability, user satisfaction, and IT cost effectiveness. Download
your copy now and discover the value of standardizing the software
packaging process.
http://list.windowsitpro.com/t?ctl=183D8:4FB69
====================
==== 3. Security Toolkit ====
Security Matters Blog: Martin Roesch on Snort's Past, Present, and
Future
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=183EC:4FB69
Ever wonder how the intrusion detection and prevention system Snort
got started and where it might be going in the future? Snort creator
Martin Roesch tells you all about it in an 18-minute audio interview.
http://list.windowsitpro.com/t?ctl=183E9:4FB69
FAQ
by John Savill, http://list.windowsitpro.com/t?ctl=183EB:4FB69
Q: How can I determine the logged-on user's distinguished name (DN)?
Find the answer at
http://list.windowsitpro.com/t?ctl=183E7:4FB69
Security Forum Featured Thread: Allow POP Email but Not Internet Access
A forum participant has several clients with Windows 2000 boxes that
need to retrieve POP3 email (TCP port 110) and send mail via SMTP (TCP
port 25). The users aren't supposed to have general Internet access,
but the machines need to get automatic antivirus software updates via
the Internet. Join the discussion at
http://list.windowsitpro.com/t?ctl=183D7:4FB69
====================
==== Announcements ====
(from Windows IT Pro and its partners)
VIP Monthly Online Pass = Quick Answers
Sign up for a VIP Monthly Online Pass and get online access to ALL
the articles, tools, and helpful resources published in SQL Server
Magazine, Windows IT Pro, Exchange and Outlook Administrator
newsletter, Windows Scripting Solutions newsletter, and Windows IT
Security newsletter. You'll have 24/7 access to a database of more than
25,000 articles that will give you all the answers you need, when you
need them. BONUS--Includes the latest issue of Windows IT Pro each
month. Sign up now for just US$29.95 per month:
http://list.windowsitpro.com/t?ctl=183E1:4FB69
The Exchange & Outlook Administrator Newsletter
If you haven't already subscribed to the Exchange & Outlook
Administrator newsletter, you're missing out on key information related
to preventing serious messaging problems and downtime. This newsletter
encompasses tools and solutions you won't find anywhere else to help
you migrate, optimize, administer, backup, recover, and secure Exchange
and Outlook. Order now:
http://list.windowsitpro.com/t?ctl=183E3:4FB69
====================
==== 4. New and Improved ====
by Renee Munshi, products at windowsitpro.com
Endpoint Compliance Without Client Software
ENDFORCE announced version 2.5 of its ENDFORCE Enterprise endpoint
security policy enforcement solution. ENDFORCE Enterprise now includes
a clientless Web agent that assesses unmanaged endpoints. Businesses
can direct unmanaged endpoint users to a Web site where their system
downloads an ActiveX component and undergoes a one-time assessment
before gaining access to the network. Version 2.5 also gives companies
the ability to send alerts to individuals and third-party monitoring
systems, such as HP OpenView, based on compliance state changes and
enforcement actions. For more information, go to
http://list.windowsitpro.com/t?ctl=183F0:4FB69
Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving
you time or easing your daily burden? Tell us about the product, and
we'll send you a T-shirt if we write about the product in a future
Windows IT Pro What's Hot column. Send your product suggestions with
information about how the product has helped you to
whatshot at windowsitpro.com.
Editor's note: Share Your Security Discoveries and Get $100
Share your security-related discoveries, comments, or problems and
solutions in the Windows IT Security print newsletter's Reader to
Reader column. Email your contributions (500 words or less) to
r2rwinitsec at windowsitpro.com. If we print your submission, you'll
get $100. We edit submissions for style, grammar, and length.
====================
==== Contact Us ====
About the newsletter -- letters at windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=183EE:4FB69
About product news -- products at windowsitpro.com
About your subscription -- windowsitproupdate at windowsitpro.com
About sponsoring Security UPDATE -- salesopps at windowsitpro.com
====================
This email newsletter is brought to you by Windows IT Security,
the leading publication for IT professionals securing the Windows
enterprise from external intruders and controlling access for
internal users. Subscribe today.
http://list.windowsitpro.com/t?ctl=183E4:4FB69
View the Windows IT Pro privacy policy at
http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy
Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department
Copyright 2005, Penton Media, Inc. All rights reserved.