[ISN] Security UPDATE -- More Flexible Security Control in IIS 7.0
-- October 5, 2005
InfoSec News
isn at c4i.org
Thu Oct 6 00:06:53 EDT 2005
====================
This email newsletter comes to you free and is supported by the
following advertisers, which offer products and services in which
you might be interested. Please take a moment to visit these
advertisers' Web sites and show your support for Security UPDATE.
Free Webcast from Postini: Risks of Unmanaged IM
http://list.windowsitpro.com/t?ctl=15605:4FB69
Panda Software
http://list.windowsitpro.com/t?ctl=155F8:4FB69
====================
1. In Focus: More Flexible Security Control in IIS 7.0
2. Security News and Features
- Recent Security Vulnerabilities
- Latest Office Updates Improve Outlook Security
- Symantec to Acquire WholeSecurity
3. Security Toolkit
- Security Matters Blog
- FAQ
- Security Forum Featured Thread
4. New and Improved
- A Security Partner
====================
==== Sponsor: Postini ====
Free Webcast from Postini: Risks of Unmanaged IM
Join noted electronic messaging expert and author Michael Osterman
on Thursday, October 20, 2005 as he explores the growing threats
associated with Instant Messaging (IM) in your enterprise and what to
do about them. In one short hour you'll learn how to find out where
your enterprise is vulnerable ... protect against IM-borne threats ...
and ensure regulatory compliance within IM.
Register today and learn why IM is the "next frontier" for hackers,
spammers, and phishers ... what IM means to your compliance initiatives
... why you can't stop IM threats with typical network safeguards ...
and how an integrated message management strategy provides IM threat
prevention and compliance. Free white paper and technology overview
when you attend. Register now.
http://list.windowsitpro.com/t?ctl=15605:4FB69
====================
==== 1. In Focus: More Flexible Security Control in IIS 7.0
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net
At the recent Microsoft Professional Developers Conference (PDC 2005),
IIS Program Manager Chris Adams talked about upcoming features of IIS
7.0, some of which are security related.
IIS 7.0 is built on the IIS 6.0 platform, which is far more secure than
previous versions of IIS. Adams said that IIS developers learned over
time, particularly because of worms such as Code Red and Nimda, how to
improve the Web server's security. Adams said that no security
vulnerabilities have been discovered in what he calls the "IIS critical
core" since the release of IIS 6.0. Therefore IIS 6.0 serves as a good
base to build on.
IIS 7.0 brings new security features such as delegation of authority,
which is a significant improvement. This means that people can perform
delegated tasks without having administrator-level authority. So for
example, in the course of developing a new Web page, a Web developer
might want to use a new file extension type. Traditionally, an
administrator would need to add that type to the server. But the new
delegation features let an administrator delegate that authority to the
developer. This capability will improve security administration and
increase productivity.
If you've spent a lot of time developing secure applications that run
on IIS 6.0, you won't have to spend much time moving them to IIS 7.0.
Adams said Microsoft has made sure that IIS 7.0 will support "legacy
applications."
Unlike Windows XP, which includes IIS 5.1, and Windows Server 2003,
which includes IIS 6.0, Windows Vista and Longhorn Server will ship
with IIS 7.0. The different IIS versions on XP and Windows 2003 posed
some developmental and security problems; Microsoft is aiming to avoid
those problems in the new Windows client and server OSs.
With previous versions of IIS, developers typically used Internet
Server API (ISAPI) and Common Gateway Interface (CGI) to develop custom
functionality. But IIS 7.0 will be more modular, which brings at least
two benefits: Administrators will be able to deploy IIS 7.0 with only
the modules that they require, and developers will be able to replace
functionality that they might not like. For example, if you want to use
an authentication method other than connecting to the SAM database, you
can write a replacement for IIS 7.0's authentication module. The
ability to replace this module means that developers can not only
create their own means of authenticating users but developers can also
more easily integrate support for other OSs such as Linux, BSD, and Mac
OS X.
IIS 7.0 also has a new UI that exposes more of the central
configuration (metabase) properties, possibly including some security
properties. In previous versions, administrators had to modify some
aspects of the metabase by using command-line tools or by manually
editing configuration files with Notepad or the Microsoft MetaEdit
tool.
That's a brief summary of what you can expect. Development tools and
additional information for IIS 7.0 should be available on Microsoft
Developer Network (MSDN) by the end of the year. In addition, Paul
Thurrott will provide a more extensive review of IIS 7.0 on our Web
site sometime in the near future.
====================
==== Sponsor: Panda Software ====
Stopping Crimeware and Malware
Computer users can no longer wait for a new vaccine every time a new
security threat appears. How do you defend your network in a world of
smarter, faster, Internet-borne zero-day attacks? Find out about
Intrusion Prevention that can detect and destroy unknown malware with
virtually zero false positives.
http://list.windowsitpro.com/t?ctl=155F8:4FB69
====================
==== 2. Security News and Features ====
Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security
Alerts, which inform you about recently discovered security
vulnerabilities. You can also find information about these
discoveries at
http://list.windowsitpro.com/t?ctl=155FC:4FB69
Latest Office Updates Improve Outlook Security
Microsoft released Office 2003 Service Pack 2 (SP2) and junk email
filter updates for Office Outlook 2003. Together they can help protect
against phishing attacks. Read more about the updates in this news
story on our Web site.
http://list.windowsitpro.com/t?ctl=15602:4FB69
Symantec to Acquire WholeSecurity
Symantec announced that it entered into an agreement to acquire
privately held WholeSecurity. The deal is scheduled to close in
October. WholeSecurity offers behavior-based security solutions and
antiphishing technology.
http://list.windowsitpro.com/t?ctl=15604:4FB69
====================
==== Resources and Events ====
Get Ready for the SQL Server 2005 Roadshow in Europe
Back By Popular Demand--Get the facts about migrating to SQL Server
2005! SQL Server experts will present real-world information about
administration, development, and business intelligence to help you
implement a best-practices migration to SQL Server 2005 and improve
your database-computing environment. Receive a one-year membership to
PASS and one-year subscription to SQL Server Magazine. Register now.
http://list.windowsitpro.com/t?ctl=155F7:4FB69
Windows Connections 2005 Conference--October 31 - November 3, 2005
At the Manchester Grand Hyatt in San Diego, Microsoft and Windows
experts present more than 40 in-depth sessions with real-world
solutions you can take back and apply today. Register now and attend
two conferences for the price on one!
http://list.windowsitpro.com/t?ctl=1560B:4FB69
Discover SQL Server 2005 for the Enterprise. Are you prepared?
In this free half-day event, you'll learn how the top new features
of SQL Server 2005 will help you create and manage large-scale,
mission-critical enterprise database applications and make your job
easier. Find out how to leverage SQL Server 2005's new capabilities to
best support your business initiatives. Register today!
http://list.windowsitpro.com/t?ctl=155F9:4FB69
Deploy VoIP and FoIP Technologies
Voice over Internet Protocol (VoIP) is the future of
telecommunications, and many companies are already enjoying the
benefits of transporting voice over IP networks to significantly reduce
telephone and facsimile costs. Join industry expert David Chernicoff
for this free Web seminar to learn the "ins and outs" of boardless fax
in IP environments, tips for rolling out fax and integrating fax with
telephony technologies, and more!
http://list.windowsitpro.com/t?ctl=155FB:4FB69
Microsoft IT Forum 2005 November 15-17, Barcelona, Spain
Microsoft's European conference for IT professionals on planning,
deploying, and managing the secure connected enterprise. Three days of
learning, one year of solutions. With a choice of 325+ Technical
Learning Sessions, increase your productivity and support your business
with new opportunities and ideas. See the Web site for registration
information
http://list.windowsitpro.com/t?ctl=15608:4FB69
====================
==== Featured White Paper ====
Build a Superior Windows File Serving Environment
In this free white paper, get the tools you need to provide a
scalable, highly available CIFS file service using inexpensive,
industry-standard servers that you can add to incrementally as demands
require, while retaining the management simplicity of a single server
and a single pool of exported file systems.
http://list.windowsitpro.com/t?ctl=155F6:4FB69
====================
==== Hot Release ====
Maximizing Network Security Against Spyware and Other Threats
Spyware installation usually exploits an underlying security
vulnerability in the OS. You can remove spyware, but if you don't also
patch the underlying vulnerability, you don't solve the real problem.
By leaving your systems open to reinfestation, you risk surging
bandwidth consumption, system instability, overwhelmed Help desks, lost
user productivity, and other consequences. Unauthorized applications
can even result in noncompliance with regulatory requirements. This
free white paper addresses the need to manage both the threats and
vulnerabilities from one console as a comprehensive security solution.
http://list.windowsitpro.com/t?ctl=155FA:4FB69
====================
==== 3. Security Toolkit ====
Security Matters Blog: Synopsis of MS Security Bulletin Creation
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=15607:4FB69
Ever wonder what goes on during the creation of a Microsoft security
bulletin? Read this blog article to get a synopsis.
http://list.windowsitpro.com/t?ctl=15603:4FB69
FAQ
by John Savill, http://list.windowsitpro.com/t?ctl=15606:4FB69
Q: Can I change the type of logging that Active Directory (AD) uses?
Find the answer at
http://list.windowsitpro.com/t?ctl=15601:4FB69
Security Forum Featured Thread: Too Many Security Log Entries
A forum participant writes that he needs to identify user logon and
logoff events. However he needs to know only logon and logoff times and
wants to log the minimum number of related events. He wants to know
what policies to adjust to make that happen. Join the discussion at
http://list.windowsitpro.com/t?ctl=155F5:4FB69
====================
==== Announcements ====
(from Windows IT Pro and its partners)
Become a VIP Subscriber!
Get inside access to ALL the articles, tools, and helpful resources
published in Windows IT Pro, SQL Server Magazine, Exchange and Outlook
Administrator, Windows Scripting Solutions, and Windows IT Security--
that's more than 26,000 articles at your fingertips. Your VIP
subscription also includes a valuable one-year print subscription to
Windows IT Pro and two VIP CDs (includes the entire article database on
CD). Sign up now:
http://list.windowsitpro.com/t?ctl=155FF:4FB69
Windows IT Pro Has Answers
You won't want to miss any of the fall issues! Subscribe now and
discover the best ways to plan for Longhorn, what you need to know
about VBScript, ways to make sense of SQL Server, the 10 Security Tools
You Can't Live Without, and much more. You'll also gain exclusive
access to the entire Windows IT Pro online article database (more than
9000 articles) and you'll SAVE 44% off the cover price. Click here:
http://list.windowsitpro.com/t?ctl=155FE:4FB69
====================
==== 4. New and Improved ====
by Renee Munshi, products at windowsitpro.com
A Security Partner
Integralis announced Secure Watch, a co-managed security service in
two levels: Level 1 for small businesses and Level 2 for large
businesses. Secure Watch lets customers work with Integralis Security
professionals to protect their corporate networks. For Secure Watch
Level 2, Integralis uses its Security Service Appliance (SSA) to
monitor customer networks for thousands of unique problems. When it
finds a problem, it alerts the customer's security team, which can then
solve the problem or consult with Integralis professionals. Secure
Watch Level 1 monitors system health and availability without the need
for customer-premises equipment. For more information, go to
http://list.windowsitpro.com/t?ctl=1560C:4FB69
Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving
you time or easing your daily burden? Tell us about the product, and
we'll send you a T-shirt if we write about the product in a future
Windows IT Pro What's Hot column. Send your product suggestions with
information about how the product has helped you to
whatshot at windowsitpro.com.
Editor's note: Share Your Security Discoveries and Get $100
Share your security-related discoveries, comments, or problems and
solutions in the Windows IT Security print newsletter's Reader to
Reader column. Email your contributions (500 words or less) to
r2rwinitsec at windowsitpro.com. If we print your submission, you'll
get $100. We edit submissions for style, grammar, and length.
====================
==== Sponsored Links ====
Admins rush to install BLOG servers
How to run your own blog server. Free 5-user license.
http://list.windowsitpro.com/t?ctl=1560A:4FB69
====================
==== Contact Us ====
About the newsletter -- letters at windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=15609:4FB69
About product news -- products at windowsitpro.com
About your subscription -- windowsitproupdate at windowsitpro.com
About sponsoring Security UPDATE -- salesopps at windowsitpro.com
====================
This email newsletter is brought to you by Windows IT Security,
the leading publication for IT professionals securing the Windows
enterprise from external intruders and controlling access for
internal users. Subscribe today.
http://list.windowsitpro.com/t?ctl=15600:4FB69
View the Windows IT Pro privacy policy at
http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy
Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department
Copyright 2005, Penton Media, Inc. All rights reserved.
More information about the ISN
mailing list