Modern Vulnerabilities in Microsoft Applications In this section, I enumerate security weaknesses in some very commonly used Microsoft applications. Microsoft Internet Explorer (Microsoft's Web browser, also known as MSIE), Microsoft Exchange Server (a mail administration package), and Internet Information Server (IIS) are three key networking applications. Microsoft Internet Explorer Microsoft Internet Explorer has several serious vulnerabilities; some of them are covered briefly here. Those vulnerabilities that are classified as either critical or severe can result in system compromise, and are therefore of great interest to system administrators. The Active Setup Download Vulnerability Microsoft Internet Explorer Version: 4.x, 5.x Impact: Malicious Webmasters can download a .CAB file to any disk on your box. Class: Severe Fix for MSIE 4.x and 5.01: http://www.microsoft.com/windows/ie/download/critical/patch8.htm Fix for MSIE 5.5: http://www.microsoft.com/windows/ie/download/critical/patch11.htm Additional Info: http://www.microsoft.com/technet/security/bulletin/ms00-042.asp Credit: Unknown A malicious Web site can download a .CAB file to any disk on your box and then use the .CAB file to overwrite files, including system files. This could render your machine inoperable and create a denial of service on your box. The Cached Web Credentials Vulnerability Microsoft Internet Explorer Version: 4.x and 5.x prior to version 5.5 Impact: Malicious intruders can obtain your user ID and password to a Web site. Class: Moderate to Severe Fix: http://www.microsoft.com/windows/ie/download/critical/q273868.htm Additional Info: http://www.microsoft.com/technet/security/bulletin/ms00-076.asp Credit: ACROS Security When you use Basic authentication to authenticate to a secured Web page, MSIE caches your user ID and password. MSIE does this to minimize the number of times you must authenticate to the same site. Although MSIE should only pass your cached credentials to secured pages on the site, it will also send them to the site's nonsecured pages. If an attacker has control of your box's network communications when you log on to a secured site, the attacker can spoof a request for a nonsecured page and then collect your credentials. The IE Script Vulnerability Microsoft Internet Explorer Version: 4.01 SP2 and higher, when Microsoft Access 97 or Microsoft Access 2000 is present on the machine Impact: Permits an attacker to run code of his choice on your box, potentially allowing the attacker to take full control of it. Class: Extremely Severe Fix: http://www.microsoft.com/windows/ie/download/critical/patch11.htm or set an Administrator password for Microsoft Access Additional Info: http://www.microsoft.com/technet/security/bulletin/ms00-049.asp Credit: Georgi Guninski This vulnerability enables an attacker to embed malicious VB code into Microsoft Access via Internet Explorer. Simply visiting a malicious Web site or previewing an e-mail that contains malicious code can compromise your box. The Microsoft Internet Explorer GetObject() File Disclosure Vulnerability Microsoft Internet Explorer Version: 5.x Impact: If you visit a malicious Web site or read a mail message with Active Scripting enabled, MSIE might disclose files on your box. Class: Moderate to Severe Fix: Until Microsoft releases a patch to fix this problem, you should disable Active Scripting in Internet Explorer in any zone with untrusted hosts. If you run any other products that respect Internet Explorer security zones, you should configure them to run VBScript in trusted zones only. In addition, Microsoft recommends configuring Outlook using the guidelines found at: http://www.microsoft.com/office/outlook/downloads/security.htm Additional Info: http://www.kb.cert.org/vuls/id/800893 Credit: Georgi Guninski Microsoft designed IE to prevent programs on Web sites from reading files on your box without authorization. Microsoft also designed Outlook and Outlook Express to prevent programs embedded in mail messages from reading files on your box without authorization. Unfortunately, a flaw in the behavior of the GetObject call in VBScript permits access to files despite the fact that VBScript doesn't include file I/O or direct access to the underlying operating system. This flaw can cause a malicious VBScript to forward the contents of a document through electronic mail or back to the Web site. The Office HTML Script Vulnerability Microsoft Internet Explorer Version: 4.01 SP2 or higher when Microsoft Excel 2000, Microsoft Powerpoint 2000, or Microsoft PowerPoint 97 are present on the machine Impact: Permits an attacker to run code of his or her choice on a victims's box, potentially allowing the attacker to take full control of that box. Class: Extremely Severe Fix for Microsoft Excel 2000 and PowerPoint 2000: http://officeupdate.microsoft.com/2000/downloaddetails/Addinsec.htm Fix for Microsoft PowerPoint 97: http://officeupdate.microsoft.com/downloaddetails/PPt97sec.htm Additional Info: http://www.microsoft.com/technet/security/bulletin/ms00-049.asp Credit: Unknown This vulnerability enables a script that is stored either on a malicious Web operator's site or in an HTML e-mail message to save an Excel 2000, Powerpoint 2000, or Powerpoint 97 file to a victim's box. The attacker can code this file to launch automatically. If this file successfully launches, it could cause a macro or Visual Basic for Applications (VBA) code to run that will potentially allow the attacker to take full control of that box. The SSL Certificate Validation Vulnerability Microsoft Internet Explorer Version: 4.x, 5.0, and 5.01 Note: MSIE 5.01 Service Pack 1 and MSIE 5.5 are not affected. Impact: Two flaws exist in MSIE that can allow a malicious Web site to pose as a legitimate Web site. The attacker can trick users into disclosing information (such credit card numbers or personal data) intended for a legitimate Web site. Class: Moderate Fix: http://www.microsoft.com/windows/ie/download/critical/patch11.htm or upgrade to MSIE 5.5. Additional Info: http://www.microsoft.com/technet/security/bulletin/ms00-039.asp Credit: ACROS Penetration Team, Slovenia When a connection to a secure server is made through either a frame or an image on a Web site, MSIE only verifies that the server's Secure Sockets Layer (SSL) certificate was issued by a trusted root, and does not verify either the server name or the expiration date of the certificate. When you make a secure connection via any other means, MSIE performs the expected validation. If a user establishes a new SSL session with the same server during the same MSIE session, MSIE does not revalidate the certificate. The Unauthorized Cookie Access Vulnerability Microsoft Internet Explorer Version: 4.x, 5.0, and 5.01 Note: MSIE 5.01 Service Pack 1 and MSIE 5.5 are not affected. Impact: This vulnerability can allow a malicious Webmaster to obtain personal information from a user's box. Class: Moderate Fix: http://www.microsoft.com/windows/ie/download/critical/patch11.htm Additional Info: http://www.microsoft.com/technet/security/bulletin/FQ00-033.asp#B. Credit: Unknown A malicious Web site operator could entice a user to click a link on the operator's site that would allow the operator to read, change, or add a cookie to that user's box. Microsoft Exchange Server The following sections list important vulnerabilities in Microsoft Exchange Server 2000 and Exchange Server 5.x. Microsoft Exchange Encapsulated SMTP Address Vulnerability Microsoft Exchange Server Version: 5.5 Impact: Intruder can perform mail relaying. Class: Moderate Denial of Service Fix: ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/Eng/Exchg5.5/PostSP2/imc-fix/ Additional Info: http://www.microsoft.com/technet/security/bulletin/fq99-027.asp Credit: Laurent Frinking of Quark Deutschland GmbH This vulnerability could enable an intruder to get around the antirelaying features of an Internet-connected Exchange server. Because encapsulated Simple Mail Transfer Protocol (SMTP) addresses are not subject to the same antirelaying protections as nonencapsulated SMTP addresses, an intruder can cause a server to forward an encapsulated SMTP address from the attacker to any e-mail address he or she wants as though the server were the sender of the e-mail. Microsoft Exchange Malformed Bind Request Vulnerability Microsoft Exchange Server Version: 5.5 Impact: An intruder can cause denial of service attacks or can run code on the server. Class: Severe Denial of Service Fix for X86-based Exchange: ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/Eng/Exchg5.5/PostSP2/DIR-fix/PSP2DIRI.EXE Fix for Alpha-based Exchange: ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/Eng/Exchg5.5/PostSP2/DIR-fix/PSP2DIRA.EXE Additional Info: http://www.microsoft.com/technet/security/bulletin/ms99-009.asp Credit: ISS X-Force The Bind function has an unchecked buffer that can pose two threats to operation: An attacker could send a malformed Bind request, causing the Exchange Directory service to crash. A carefully constructed Bind request can be sent by an attacker whose purpose is to cause arbitrary code to execute on the server using a classic buffer overrun technique. Microsoft Exchange Malformed MIME Header Vulnerability Microsoft Exchange Server Version: 5.5 Impact: A malicious user can cause an Exchange Server to fail. Class: Severe Denial of Service Fix: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25443 or Exchange 5.5 SP4 Additional Info: http://www.microsoft.com/technet/security/bulletin/MS00-082.asp Credit: Art Savelev The Exchange Server normally checks for invalid values in the MIME header fields. However, the Exchange service will fail if a particular type of invalid value is present in certain MIME header fields. You can restore normal operations by restarting the Exchange Server and then deleting the offending mail. The offending mail will be at the front end of the queue after you restart the Exchange service. Microsoft Exchange NNTP Denial-of-Service Vulnerability Microsoft Exchange Server Versions: 5.0 and 5.5 Impact: An attacker can cause the Server Information Store to choke. Class: Medium Denial of Service Fix: ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/Eng/Exchg5.0/Post-SP2-STORE/Exchg5.0/Post-SP2-STORE/ or install SP1 or later Additional Info: http://www.microsoft.com/technet/security/bulletin/ms98-007.asp Credit: Internet Security Systems, Inc.'s X-Force team When an attacker issues a series of incorrect data, an application error can result in the Server Information Store failing. It also causes users to fail in their attempt to connect to their folders on the Exchange Server. Microsoft Exchange SMTP Denial of Service Vulnerability Microsoft Exchange Server Versions: 5.0 and 5.5 Impact: An attacker can cause the Internet Mail Service to choke. Class: Medium Denial of Service Fix: ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/Eng/Exchg5.0/post-sp2-ims/ or install SPI or later Additional Info: http://www.microsoft.com/technet/security/bulletin/ms98-007.asp Credit: Internet Security Systems, Inc.'s X-Force team When an attacker issues a series of incorrect data, an application error can result in the Internet Mail Service failing. Microsoft Exchange Error Message Vulnerability Microsoft Exchange Server Versions: 5.0 and 5.5 Impact: An intruder might be able to recover encrypted data from your network. Class: Moderate to Severe Fix: Download the latest version of Schannel.dll. Check out this URL for information on where to obtain the latest version http://support.microsoft.com/support/kb/articles/q148/4/27.asp Additional Info: http://www.microsoft.com/technet/security/bulletin/ms98-002.asp Credit: Daniel Bleichenbacher An intruder, running a sniffer on your network, might be able to observe an SSL-encrypted session, interrogate the server involved in that session, recover the session key used in that session, and then recover the encrypted data from that session. Microsoft Exchange User Account Vulnerability Microsoft Exchange Server Version: 2000 Impact: An intruder can remotely log on to an Exchange 2000 Server and possibly onto other servers in the affected Exchange Server's network. Class: Moderate to Severe Fix: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25866 Additional Info: http://www.microsoft.com/technet/security/bulletin/MS00-088.asp Credit: Unknown A malicious user can log on to Exchange by using an account with a known username (EUSR_EXSTOREEVENT) and a password that Exchange creates during the setup process. Normally this account has only local user rights, meaning that the account is neither a privileged account nor can it gain access to Exchange 2000 data. However, when you install Exchange 2000 on a domain controller, the system automatically gives Domain User privileges to the account, and so it can gain access to other resources on the affected domain. Microsoft recommends that you disable or delete this account after the setup process has completed. IIS (Internet Information Server) IIS is a very popular Internet server package and like most server packages, it has vulnerabilities. IIS is covered here in detail. However, please note that the list of vulnerabilities discussed is not exhaustive. Other vulnerabilities of lesser severity exist. The IIS Cross-Site Scripting Vulnerabilities IIS Version: 4.0 and 5.0 Impact: An attacker can run code on your machine masquerading as a third-party Web site. Class: Severe Fix for IIS 4.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25534 Fix for IIS 5.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25533 Additional Info: http://www.microsoft.com/technet/security/bulletin/MS00-060.asp Credit: Peter Grundl of Defcom When a malicious user runs code masquerading as a third-party Web site, that code can take any action on your box that the third-party Web site is permitted to take. If you designate that Web site as a trusted site, the attacker's code could take advantage of the increased privileges. The attacker can make the code persistent, so that if you return to that Web site in the future, the code will begin to run again. The IIS Malformed Web Form Submission Vulnerability IIS Version: 4.0 and 5.0 Impact: An attacker can prevent a Web server from providing service. Class: Severe Denial of Service Fix for IIS 4.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=26704 Fix for IIS 5.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=26277 Additional Info: http://www.microsoft.com/technet/security/bulletin/MS00-100.asp Credit: eEye Digital Security FrontPage Server Extensions ship with IIS 4.0 and IIS 5.0 and provide browse-time support functions. A vulnerability exists in some of these functions that allows an attacker to levy a malformed form submission to an IIS server that would cause the IIS service to fail. In IIS 4.0, you have to restart the service manually. In IIS 5.0, the IIS service will restart by itself. The IIS New Variant of File Fragment Reading via .HTR Vulnerability IIS Version: 4.0 and 5.0 Impact: An attacker can read fragments of files from a Web server. Class: Moderate Fix for IIS 4.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=27492 Fix for IIS 5.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=27491 Additional Info: http://www.microsoft.com/technet/security/bulletin/MS01-004.asp Credit: Unknown An attacker can cause a requested file to be processed by the .HTR ISAPI extension in such a way as to cause fragments of server-side files, such as .ASP files, to be sent to the attacker. The IIS Session ID Cookie Marking Vulnerability IIS Version: 4.0 and 5.0 Impact: A malicious user can hijack another user's secure Web session. Class: Critical Fix for IIS 4.0 x86 platforms: http://www.microsoft.com/ntserver/nts/downloads/critical/q274149 Fix for IIS 4.0 Alpha platforms: Available from Microsoft Product Support Services Fix for IIS 5.0: http://www.microsoft.com/Windows2000/downloads/critical/q274149 Additional Info: http://www.microsoft.com/technet/security/bulletin/MS00-080.asp Credit: ACROS Security and Ron Sires and C. Conrad Cady of Healinx IIS uses the same Session ID for both secure and nonsecure pages on the same Web site. What this means to you is that when you initiate a session with a secure Web page, the Session ID cookie is protected by SSL. If you subsequently visit a nonsecure page on the same site, that same Session ID cookie is exchanged, only this time in plaintext. If a malicious user has control over the communications channel of your box, she could then read the plaintext Session ID cookie and use it to take any action on the secure page that you can. The IIS Web Server File Request Parsing Vulnerability IIS Version: 4.0 and 5.0 Impact: Remote users can run operating system commands on a Web server. Class: Critical Fix for IIS 4.0: http://www.microsoft.com/ntserver/nts/downloads/critical/q277873 Fix for IIS 5.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25547 Additional Info: http://www.microsoft.com/technet/security/bulletin/MS00-086.asp Credit: NSFocus An attacker can execute operating system commands that would enable her to take any action that any interactively logged-on user could take. This would enable her to add, delete, or change files on the server; modify Web pages; reformat the hard drive; run existing code on the server; or upload code onto the server and then run it. The Invalid URL Vulnerability IIS Version: 4.0 Impact: Attacker can cause IIS service to fail. Class: Severe Denial of Service Fix for NT 4.0 Workstation, Server and Server Enterprise Editions: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24403 Credit: Peter Grundl of VIGILANTe An attacker can send an invalid URL to the server which, through a sequence of events, could result in an invalid memory request that would cause the IIS service to fail. Microsoft engineers believe that the underlying problem actually exists within Windows NT 4.0 itself. The Myriad Escaped Characters Vulnerability IIS Version: 4.0 and 5.0 Impact: An attacker can slow an IIS server's response or prevent it from providing service. Class: Medium to Severe Denial of Service Fix for IIS 4.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=20292 Fix for IIS 5.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=20286 Credit: Vanja Hrustic of the Relay Group By sending a malformed URL with an extremely large number of escape characters, an attacker can consume large quantities of CPU time and thus slow down or prevent the IIS server from providing service for a period of time. The Web Server Folder Traversal Vulnerability IIS Version: 4.0 and 5.0 Impact: An attacker can take destructive actions against a Web server. Class: Critical Fix: http://www.microsoft.com/windows2000/downloads/critical/q269862/default.asp Additional Info: http://www.microsoft.com/technet/security/bulletin/MS00-078.asp Credit: Rain Forest Puppy An attacker can change or delete files or Web pages, run existing code on the Web server, upload new code and run it, format the hard disk, or take any number of other destructive actions. Tools After you establish your Windows NT 4.0 or Windows 2000 server, you can obtain several indispensable tools that will help you keep it secure. No Windows NT 4.0 or Windows 2000 administrator should be caught without these tools. Administrator Assistant Tool Kit Administrator Assistant Tool Kit is an application suite that contains utilities to streamline system administration on Windows NT boxes. Aelita Software 3978 North Hampton Drive Powell, OH 43065 800-263-0036 Windows Version: Windows NT 4.0 or Windows NT 3.51 Email: Services@aelita.com URL: http://www.aelita.net/products/AdminAssist.htm Administrator's Pak The Administrator's Pak includes a variety of tools for recovering crashed Windows 2000 and Windows NT 4.0 systems. This bundle includes the NT Locksmith, NTRecover, Remote Recover, and NTFSDOS Pro tools, just to name a few. The Administrator's Pak bundle is a great value for tools that will help with recovering your Windows 2000 and Windows NT boxes. Winternals Software LP 3101 Bee Caves Road, Suite 150 Austin, TX 78746 512-330-9130 Windows Version: Windows 2000 or Windows NT 4.0 Email: info@winternals.com URL: http://www.winternals.com/ AntiSniff 1.021 AntiSniff 1.021 is a proactive security monitoring tool that searches for computers that are in promiscuous mode. This product help administrators and security teams detect who is watching traffic at their site. Security Software Technologies, Inc. Windows Version: Windows NT 4.0 or Windows 9x. SST expects to release the Windows 2000 version soon. Email: sst@securitysoftwaretech.com URL: http://www.securitysoftwaretech.com/antisniff/index.html/ FileAdmin FileAdmin is an advanced tool for manipulating file permissions on large Windows NT-based networks. This utility can save you many hours of work. Aelita Software 3978 North Hampton Drive Powell, OH 43065 800-263-0036 Windows Version: Windows NT 4.0 or Windows NT 3.51 Email: Services@aelita.com URL: http://www.aelita.net/products/FileAdmin.htm Kane Security Analyst 5.0 Kane Security Analyst provides real-time intrusion detection for Windows NT 4.0 and Windows 2000. This utility monitors and reports security violations and is very configurable. It assesses six critical security areas: access control, data confidentiality, data integrity, password strength, system monitoring, and user account restrictions. Intrusion.com, Inc. USA 1101 East Arapaho Rd, Suite 100 Richardson, TX 75081 888-637-7770 Windows Version: Windows 2000, Windows NT, or Windows 9x Email: info@intrusion.com URL: http://www.intrusion.com/Products/analystnt.shtml L0phtCrack 3.0 L0phtCrack is a tool that audits Windows 2000 and Windows NT passwords. L0phtCrack is a powerful tool that really needs to be part of every administrator's toolkit. You can display various information about the password tests, including how long it took to crack each password, the cracked passwords, and encrypted password hashes. Security Software Technologies, Inc. Windows Version: Windows 2000 or Windows NT 4.0 Email: sst@securitysoftwaretech.com URL: http://www.securitysoftwaretech.com/l0phtcrack/ LANguard Internet Access Control Internet Access Control not only enables you to monitor and control Internet usage on your network, it also monitors network traffic to detect break-ins from outside your network. With Internet Access Control, you use keywords to block access to unwanted sites (such as IRC). You can also use keywords to block searches for objectionable material at search engine sites without blocking the entire search engine. With the network monitor, you can watch for suspicious incoming traffic to a specific server that shouldn't be accessible to outside traffic. GFI Fax & Voice USA 105 Towerview Court Cary, NC 27513 888-2GFIFAX Windows Version: Windows 2000 or Windows NT 4.0 Email: sales@gfi.com URL: http://www.gfi.com/ LANguard Security Reporter Security Reporter collects data about your Windows NT 4.0 or Windows 2000 network, such as user rights, users having administrative rights, and resource permissions, among others. This information is stored in a central database. You use the information in this database to generate reports that help you to identify and fix potential security problems. GFI Fax & Voice USA 105 Towerview Court Cary, NC 27513 888-2GFIFAX Windows Version: Windows 2000 or Windows NT 4.0 Email: sales@gfi.com URL: http://www.gfi.com/ NT Crack NT Crack is a tool that audits Windows NT passwords. This is the functional equivalent of Crack for UNIX. Secure Networks, Inc. Suite 330 1201 5th Street S.W. Calgary, Alberta Canada T2R-0Y6 Windows Version: Windows NT (all versions) URL: http://www.system7.org/archive/Nt-Hacking/windows.html NT Locksmith NT Locksmith will access a Windows NT box without a password. It is a recovery utility that allows you to set a new admin password. Winternals Software LP 3101 Bee Caves Road, Suite 150 Austin, TX 78746 512-330-9130 Windows Version: Windows 2000 or Windows NT 4.0 Email: info@winternals.com URL: http://www.winternals.com/ NTFSDOS Pro NTFSDOS Pro allows you to copy and rename permissions on Windows 2000 and Windows NT 4.0 from a DOS diskette. This is a great tool to keep around for emergencies (for example, when you lose that Administrator password). Winternals Software LP 3101 Bee Caves Road, Suite 150 Austin, TX 78746 512-330-9130 Windows Version: Windows 2000 or Windows NT 4.0 Email: info@winternals.com URL: http://www.winternals.com/ NTHandle NTHandle identifies open processes in Windows NT and thus allows you to keep an eye on your users. NT Internals Mark Russinovich Windows Version: Windows 9x/Me, Windows NT 4.0, Windows 2000, or Whistler Beta 1 Email: mark@sysinternals.com URL: http://www.sysinternals.com NTRecover NTRecover is a salvage program. It allows you to access dead Windows NT drives via serial lines now is that cool or what? NTRecover uses a serial cable to access files and volumes on a dead NT box. You use the serial cable connection to make the disks on the dead box seem as though they are mounted on your own system. Winternals Software LP 3101 Bee Caves Road, Suite 150 Austin, TX 78746 512-330-9130 Windows Version: Windows 2000 or Windows NT 4.0 Email: info@winternals.com URL: http://www.winternals.com/ PC Firewall ASaP PC Firewall ASaP is a bi-directional packet filter suite for Windows 9x/Me and Windows NT 4.0 clients. myCIO.com (Network Associates, Inc.) 3965 Freedom Circle Santa Clara, CA 95054 877-796-9246 Windows Version: Windows 9x/Me or Windows NT 4.0 Email: support@mycio.com URL: http://www.mycio.com/ RedButton RedButton is a tool for testing remote vulnerabilities of a publicly accessible Registry. Download Rbutton.zip. Midwestern Commerce, Inc. 1601 West Fifth Avenue, Suite 207 Columbus, OH 43212 Windows Version: Windows NT (all versions) URL: http://www.system7.org/archive/Nt-Hacking/windows.html RegAdmin RegAdmin is an advanced tool for manipulating Registry entries on large networks, which is a big timesaver. Aelita Software 3978 North Hampton Drive Powell, OH 43065 800-263-0036 Windows Version: Windows NT 4.0 or Windows NT 3.51 Email: Services@box.omna.com URL: http://www.aelita.net/products/RegAdmin.htm Remote Recover Remote Recover acts in the same way as NTRecover. The difference is that it treats remote drives as though they were locally installed. It allows you to access and modify drives on unbootable or new boxes using the network and a bootable floppy. Winternals Software LP 3101 Bee Caves Road, Suite 150 Austin, TX 78746 512-330-9130 Windows Version: Windows 2000 or Windows NT 4.0 Email: info@winternals.com URL: http://www.winternals.com/ ScanNT Plus ScanNT Plus is a dictionary password attack utility. Test your NT passwords. Midwestern Commerce, Inc. (Ntsecurity.com) 1601 West Fifth Avenue Suite 207 Columbus, OH 43212 Windows Version: Windows NT 4.0 Email: Services@box.omna.com URL: http://hotfiles.zdnet.com/cgi-bin/texis/swlib/hotfiles/info.html?b=pcm&fcode=000H36 Sniffer Basic Sniffer Basic (formerly named NetXRay Analyzer) is a powerful protocol analyzer (sniffer) and network monitoring tool for Windows NT. It is probably the most comprehensive NT sniffer available. Sniffer Technologies 3965 Freedom Circle Santa Clara, CA 95054 800-SNIFFER Windows Version: Windows NT (all versions) or Windows 98 Note: Sniffer Technologies released Sniffer Pro 4.5 for laptop platforms in January, 2001. This version includes support for Windows 2000. Email: bcahillane@nai.com URL: http://www.sniffer.com/products/sniffer-basic/default.asp?A=2 Somarsoft DumpSec Somarsoft DumpSec dumps permissions for the Windows NT file system in the Registry, including shares and printers. It offers a bird's-eye view of permissions, which are normally hard to gather on large networks. SystemTools LLP P.O. Box 1209 La Vernia, TX 78121 877-797-8665 Windows Version: Windows NT (all versions) Email: sales@systemtools.com URL: http://www.somarsoft.com/ Somarsoft DumpEvt Somarsoft DumpEvt dumps Event Log information for importation into a database for analysis. SystemTools LLP P.O. Box 1209 La Vernia, TX 78121 877-797-8665 Windows Version: Windows 2000 or Windows NT (all versions) Email: sales@systemtools.com URL: http://www.somarsoft.com/ Somarsoft DumpReg Somarsoft DumpReg dumps Registry information for analysis. It also allows incisive searching and matching of keys. SystemTools LLP P.O. Box 1209 La Vernia, TX 78121 877-797-8665 Windows Version: Windows NT (all versions) or Windows 98 Email: info@somarsoft.com URL: http://www.somarsoft.com/ Virtuosity Virtuosity is a wide-scale management and Windows NT rollouts tool. (Good for heavy-duty rollouts.) Raxco, Ltd. Orchard House Narborough Wood Park Enderby, Leicester, UK LE9 5XT +44 (0)116 239-5888 Windows Version: Windows NT 4.0 or Windows NT 3.51 URL: http://www.domainmigration.com/fp_virtuosity.html Access Control Software The following section introduces several good packages for adding access control to Windows 2000, Windows NT, and Windows 9x/Me. Cetus StormWindow Cetus Software, Inc. P.O. Box 1450 Marshfield, MA 02050 781-834-4411 Windows Version: Windows 2000, Windows NT 4.0 or Windows 9x/Me Email: cetussoft@aol.com URL: http://www.cetussoft.com/ Cetus StormWindow allows you to incisively hide and protect almost anything within the system environment, including the following: Links and folders Drives and directories Networked devices and printers In all, Cetus StormWindow offers very comprehensive access control. (This product will also intercept most alternate boot requests, such as warm boots, Ctrl+Alt+Delete, and function keys.) Clasp2000 Clasp2000 4 Grand Banks Circle Marlton, NJ 08053 FAX: 810-821-6250 Windows Version: Windows 2000 or Windows 9x Email: service@claspnow.com URL: http://www.cyberenet.net/~ryan/ Clasp2000 offers strong password protection, disables access to Windows 95 and Windows 98, and intercepts warm boot Ctrl+Alt+Delete sequences. ConfigSafe Complete Recovery v4 by imagine LAN, Inc. imagine LAN, Inc. 74 Northeastern Blvd. Suite 12 Nashua, NH 03062 800-372-9776 Windows Version: Windows 2000, Windows 4.0 or Windows 9x/Me Email: feedback@imagelan.com URL: http://www.configsafe.com ConfigSafe Complete Recovery v4 records changes and updates made to the Registry, system files, drivers, directory structures, DLL files, and system hardware. You can instantly restore a system to a previously working configuration with ConfigSafe. DECROS Security Card by DECROS, Ltd. DECROS, Ltd. J. S. Baara 40 370 01 Ceske Budejovice Czech Republic 420-38-731 2808 Windows Version: Windows 2000, Windows NT 4.0 or Windows 9x/Me Email: info@decros.cz URL: http://www.decros.com/security_division/p_list_hw.htm DECROS Security Card provides C2-level access control using physical security in the form of a card key. Without that card, no one will gain access to the system. Desktop Surveillance Enterprise and Personal Editions Omniquad, Ltd. Hanovia House 28/29 Eastman Road London W3 7YG, UK +44 (0) 181 743 8093 Windows Version: Windows NT 4.0 or Windows 9x Email: support@omniquad.com URL: http://www.omniquad.com/ Desktop Surveillance is a full-fledged investigation and access control utility. (This product has strong logging and audit capabilities.) HDD-Protect 2.5c Gottfried Siehs Tiergartenstrasse 99 A-6020 Innsbruck, Austria / Europe Windows Version: Windows 98 or Windows 95 Email: g.siehs@tirol.com URL: http://www.geocities.com/SiliconValley/Lakes/8753/ HDD-Protect has hardware-level access control and actually restricts access to the hard disk drive. Omniquad Detective 2.1 Hanovia House 28/29 Eastman Road London W3 7YG, UK +44 (0) 181 743 8093 Windows Version: Windows NT 4.0 or Windows 9x Email: support@omniquad.com URL: http://www.omniquad.com/ The Detective is a simple but powerful tool for monitoring system processes. Omniquad Detective enables you to monitor computer usage, reconstruct activities that have occurred on a workstation or server, identify intruders who try to cover their tracks, perform content analysis, and define user search patterns. In all, this very comprehensive tool is tailor-made to catch someone in the act, and is probably suitable for investigating computer-assisted crime in the workplace. Secure4U 5.0 Sandbox Security AG Lilienthalstr. 1 82178 Puchheim Germany +49 (0) 89 800 70 0 Windows Version: Windows 2000, Windows NT 4.0 or Windows 9x/Me Email: sales@SandboxSecurity.com URL: http://www.sandboxsecurity.com/main.htm Secure4U provides powerful filtering and access control. It specifically targets ActiveX, Java, and other embedded-text plug-ins and languages from flowing into your network. StopLock Suite by Conclusive Logic, Inc. Conclusive Logic, Inc. 800 W. El Camino Real Suite 180 Mountain View, CA 94040 USA 650-943-2359 Windows Version: Windows 2000, Windows 4.0 or Windows 9x Email: info@conclusive.com URL: http://www.conclusive.com/ StopLock provides access control. The package also includes boot control, auditing functionality, and logging tools. TrueFace eTrue, Inc. 144 Turnpike Rd. Suite 100 Southboro, MA 01772 508-303-9901 Windows Version: Windows 32-bit platforms URL: http://www.miros.com/solutions/face.htm TrueFace is a face recognition program. The software recognizes only those faces that are registered in its face database. The machine actually looks at you to determine whether you are an authorized user. The company claims that the technology on which TrueFace is based is neural net technology. Windows Task-Lock by Posum LLC Posum LLC P.O. Box 21015 Huntsville, AL 35824 256-895-9857 Windows Version: Windows 2000, Windows 4.0, or Windows 9x/Me Email: support@posum.com URL: http://posum.com/ Windows Task-Lock 6.0 provides a simple, inexpensive, and effective way to password-protect specified applications no matter how you (or someone else) execute them. It is easy to configure and requires little to no modifications to your current system configuration. Optional Sound events, stealth mode, and password timeout are also included. WP WinSafe PBNSoft Windows Version: Windows NT or Windows 9x Email: info@pnbsoft.com URL: http://www.pbnsoft.com/ WinSafe, a promising utility, allows you to encrypt your files using strong cryptography algorithms such as Blowfish and CAST. With WinSafe you can choose from among 28 different algorithms. Other tools included with this package are File Wiping and Merge Files. File Wiping will rewrite deleted files with random trash for the number of times that you specify. Merge Files enables you to merge two files so that you can hide one file into another. Caution The documentation suggests that using the Windows Policy editor to set the real-mode DOS settings could potentially conflict with WinSafe. SafeGuard Easy Utimaco Safeware, Inc. 2 Chestnut Place Suite 310 22 Elm Street Worcester, MA 01608 USA 508-799-4333 Windows Version: Windows 2000, Windows NT 4.0, Windows 9x, or MS-DOS Email: info.us@utimaco.de URL: http://www.utimaco.de/newpage/indexmain.html SafeGuard Easy offers hard disk drive encryption, protection against booting from a floppy, password aging, and password authentication for Windows operating systems. SafeGuard supports several strong encryption algorithms, including both DES and International Data Encryption Algorithm (IDEA). The SafeGuard line of products includes SafeGuard VPN, SafeGuard LAN Crypt, and SafeGuard Personal FireWall. Of special interest is that these products can be installed over a network (thereby obviating the need to make separate installations). Secure Shell F-Secure, Inc. 5007 Lincoln Avenue, Suite 310 Lisle, IL 60532 USA 630-810-8901 Windows Version: Windows 2000, Windows NT 4.0, Windows 9x, or Windows 3x Email: Chicago@F-secure.com URL: http://www.f-secure.com/products/network_security/ Secure Shell (SSH) provides safe, encrypted communication over the Internet or other untrusted networks. SSH is an excellent replacement for Telnet or rlogin. SSH uses IDEA and Rivest-Shamir-Adelman (RSA) encryption and is therefore extremely secure. It is reported that the keys are discarded and new keys are made once an hour. SSH completely eliminates the possibility of third parties capturing your communication (for example, passwords that might otherwise be passed in clear text). SSH sessions cannot be overtaken or hijacked, nor can they be sniffed. The only real drawback is that for you to use SSH, the other end must also be using it. Although you might think such encrypted communication would be dread fully slow, it isn't. Good Online Sources of Information This section contains many good Windows resource links. Most are dynamic and house material that is routinely updated. The Windows NT Security FAQ If you are new to Windows NT security, the Windows NT Security Frequently Asked Questions document is an absolute must. I would wager that better than half of the questions you have about NT security are answered in this document. http://www.it.kth.se/~rom/ntsec.html NTBugTraq NTBugTraq is an excellent resource provided by Russ Cooper of RC Consulting. The site includes a database of Windows NT vulnerabilities, plus the archived and searchable versions of the NTBugTraq mailing list. http://www.ntbugtraq.com NTSECURITY.COM for Windows 2000 and Windows NT This site is hosted by Aelita Software Group division of Midwestern Commerce, Inc., a well-known development firm that designs security applications for Windows 2000 and Windows NT, among other things. http://www.ntsecurity.com/default.htm Expert Answers for Windows 2000, Windows NT, and Windows 9x/Me This is a forum in which advanced Windows 2000, Windows NT, and Windows 9x/Me issues are discussed. It is a good place to find possible solutions to very obscure and configuration-specific problems. Regulars post clear, concise questions and answers along the lines of "I have a PPRO II w/ NT 4.0 and IIS 3 running MS Exchange 5.0, with SP3 for NT and SP1 for Exchange. So, why is my mail server dying?" http://community.zdnet.com/cgi-bin/podium/show?ROOT=331&MSG=331&T=index Windows IT Security (Formerly NTSecurity.net) The Windows IT Security site, hosted by Windows 2000 Magazine, is full of information about the latest in security. You can subscribe to discussion lists about advanced vulnerabilities in the Windows 2000 and Windows NT operating systems. You can find it at the following URL: http://www.ntsecurity.net/ "An Introduction to the Windows 2000 Public Key Infrastructure" "An Introduction to the Windows 2000 Public Key Infrastructure" is an article written by Microsoft Press. It presents and introduction to one of Windows 2000 new security features, PKI. http://www.microsoft.com/WINDOWS2000/library/howitworks/security/pkiintro.asp Windows 2000 Magazine Online I know what you're thinking that commercial magazines are probably not very good sources for security information. I am happy to report that this site is an exception. Some very valuable articles and editorials about Windows NT 2000 and Windows NT 4.0 appear here. http://www.winntmag.com/ Securing Windows NT Installation Securing Windows NT Installation is an incredibly detailed document from Microsoft on establishing a secure Windows NT server. You can find it at this site: http://www.microsoft.com/ntserver/security/exec/overview/Secure_NTInstall.asp Checklist for Upgrading to Windows 2000 Server Microsoft lists the steps necessary to upgrade to Windows 2000. They include how to check whether your hardware and software is compatible with Windows 2000 and how to choose a file system. You can find it here: http://www.microsoft.com/TechNet/win2000/srvchk.asp The University of Texas at Austin Computation Center NT Archive This site contains a wide (and sometimes eclectic) range of tools and fixes for Windows NT. (A good example is a fully-functional Curses library for use on NT.) ftp://microlib.cc.utexas.edu:/microlib/nt/ Books on Windows 2000 and Windows NT Security The following titles are assorted treatments on Windows 2000 and NT security. Securing Windows NT/2000 Servers for the Internet. Stefan Norberg, Deborah Russell. O'Reilly & Associates. 1-56592-768-0. 2000. Windows 2000 Security. Roberta Bragg. New Riders Publishing. 0-73570-991-2. 2000. Windows 2000 Security: Little Black Book. Ian McLean. The Coriolis Group. 1-57610-387-0. 2000. Configuring Windows 2000 Server Security. Thomas W. Shinder and D. Lynn White. Syngress Media, Inc. 1-92899-402-4. 1999. Microsoft Windows 2000 Security Technical Reference. Internet Security Systems, Inc. Micro soft Press. 0-73560-858-X. 2000. Microsoft Windows 2000 Security Handbook. Jeff Schmidt. Que. 0-78971-999-1. 2000. Microsoft Windows NT 4.0 Security, Audit, and Control (Microsoft Technical Reference). James G. Jumes. Microsoft Press. 1-57231-818-X. 1998. NT 4 Network Security. Matthew Strebe. Sybex. 0-78212-425-9. 1999. Windows NT/2000 Network Security (Circle Series). E. Eugene Schultz. New Riders Publishing. 1-57870-253-4. 2000. Windows 2000 Security Handbook. Phillip Cox. McGraw-Hill Professional Publishing. 0-07212-433-4. 2000. Windows NT Server Security Guide (Prentice Hall Series on Microsoft Technologies). Marcus Goncalves. Prentice Hall Computer Books. 0-13679-903-5. 1998. Windows NT Security Handbook. Thomas Sheldon. Osborne McGraw-Hill. 0-07882-240-8. 1996. 
| 