Security UPDATE on Hacking 04050513
Hacking and Security
Have you heard about Windows IT Pro's "Hack IIS 6.0 Challenge"? Roger
Grimes will secure a Microsoft IIS 6.0 system and make it available on
the Internet April 17 through June 8 so that people can try to break
into it. In the July issue, Roger will write about how he secured the
system and what happened during the contest.
I've already read messages on one security mailing list from people
complaining about the challenge or poking fun at it. One person wrote
that it's a ploy to gather zero-day (previously unpublished) exploits.
I don't know whether anybody will collect packets during the contest or
whether such packets will be examined to learn more about how people
approach hacking an IIS 6.0 box. But such forensic analysis might
occur. Would that be a bad thing?
There were also comments that the contest is an attempt to identify
hackers and arrest them. That notion is laughable (and probably based
in paranoia) given the fact that people have been invited to hack the
box.
Some people also felt that such challenges don't work because of
eventual Denial of Service (DoS) attacks. One person mentioned that the
hackiis6.com site is located on the same subnet as the magazine's Web
farm. So if somebody decides to launch a Distributed DoS (DDoS) attack
against the site, it could overwhelm the gateway and thereby render all
sites behind the gateway unavailable. That's true. But the hackiis6.com
site is only an information site. It's not the actual system that will
be made available for hacking. Sometime in the next week, further
information will become available at the hackiis6.com site, so check
back to learn more details, including the address of the system to
hack.
People also pointed out that the challenge can't really prove that the
site is secure. If no one manages to break into the site, it might just
be because somebody who might know how to break in doesn't take part in
the challenge. That's rational; we should probably assume that somebody
somewhere knows how to break any particular piece of software. It's a
widely held opinion that no system is completely secure.
We could enjoy the challenge for exactly what it is--a challenge--
without trying to read all sorts of motives into it. Many people attend
various hacker conferences at which such challenges are relatively
common. The main difference here is that this challenge is open to the
public. It's a way to test your skills and have some fun trying to find
a way to breach security. That's it.
Speaking of contests, the Windows IT Pro annual Readers' Choice contest
is underway. Vote for your favorite IT products and reward companies
that provide excellent products and services. The September 2005 issue
of Windows IT Pro will feature the winners.
And, finally, if you use the Windows IT Pro Web site, you might be
happy to have a chance to tell us how to improve it.
Security News and Features
Eight Security Patches from Microsoft
Yesterday, April 12, was Patch Tuesday for Windows users, and
Microsoft released eight security patches. The company also announced
that beginning this month, it will change the information it provides
in its Security Bulletin Advance Notification to include other useful
details.
Help with HIPAA, SOX, and GLBA Compliance
Vigilar announced a new service aimed at helping companies comply
with the Sarbanes-Oxley (SOX) Act, the Gramm-Leach-Bliley (GLB) Act,
and the Health Insurance Portability and Accountability Act (HIPAA). A
compelling feature of Vigilar's new AuditPass program is that it
guarantees that your company will pass compliance and audit checks.
Auditing Permission Changes on a Folder
Randy Franklin Smith points out that you'll need to enable auditing
for successful object-access events on the servers on which the folders
reside and you'll need to enable auditing on the folders you want to
monitor. You'll also need to look for specific events in the Security
log.
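As an added illustration of the three steps just summarized (this script is not from the newsletter or from Randy Franklin Smith's article), the following PowerShell enables success auditing for file-system object access, places an audit entry (SACL) on a folder so that permission changes are recorded, and then pulls the matching entries from the Security log. It assumes a current Windows Server where `auditpol` and event ID 4670 ("Permissions on an object were changed") exist; the Windows Server 2003 systems of the original article used different event IDs. The folder path is a placeholder, and the script must run from an elevated session because reading and writing SACLs requires the SeSecurityPrivilege right.

```powershell
# Added example, not code from the newsletter or the referenced article.
# Assumes Windows Server 2008 or later (auditpol, event ID 4670) and an
# elevated PowerShell session. $Folder is a placeholder path.

$Folder = 'D:\Shares\Finance'

# Step 1: enable success auditing for the File System subcategory on this server.
auditpol /set /subcategory:"File System" /success:enable

# Step 2: add an audit (SACL) entry on the folder. Successful permission
# changes, ownership changes, and writes by any account are recorded, and
# the entry inherits to subfolders and files.
$acl  = Get-Acl -Path $Folder -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    'ChangePermissions, TakeOwnership, Write',
    'ContainerInherit, ObjectInherit',
    'None',
    'Success')
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# Step 3: look for the specific event in the Security log. 4670 is logged
# when a DACL is changed; the EventData fields name who did it and on what.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4670 } -MaxEvents 500 |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Subject = ($x.Event.EventData.Data | Where-Object Name -eq 'SubjectUserName').'#text'
            Object  = ($x.Event.EventData.Data | Where-Object Name -eq 'ObjectName').'#text'
        }
    } |
    Where-Object { $_.Object -like "$Folder*" } |
    Format-Table -AutoSize
```

The audit entry is scoped to the rights that matter for this question (`ChangePermissions`, `TakeOwnership`, `Write`) rather than `FullControl`, which keeps the Security log from filling with read events on a busy share; add failure auditing (`'Success, Failure'`) only if you also want to see denied attempts, and size the Security log accordingly.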
Resources and Events
Does Windows Server 2003 Service Pack 1 Live Up to Expectations?
What can you expect when you deploy SP1 in real life? Join industry
guru Michael Otey as he reviews the service pack and answers your
questions about Windows Firewall, data execution prevention (DEP),
boot-time protection, the anxiously awaited Security Configuration
Wizard (SCW), and more.
Get Ready for SQL Server 2005 Roadshow in a City Near You
Get the facts about migrating to SQL Server 2005. SQL Server experts
will present real-world information about administration, development,
and business intelligence to help you implement a best-practices
migration to SQL Server 2005 and improve your database computing
environment. Attend and receive a 1-year membership to PASS and 1-year
subscription to SQL Server Magazine.
Attend the Black Hat Briefings
Attend the Black Hat Briefings & Training USA, July 23-28, 2005 in
Las Vegas. World renowned security experts reveal tomorrow's threats
today. Free of vendor pitches, the briefings are designed to be
pragmatic regardless of your security environment. The event features
25 hands-on training courses and 10 conference tracks, with many
Windows topics covered.
Ensure SQL Server High Availability
In this free Web seminar, discover how to maintain business
continuity of your IT systems during routine maintenance and unplanned
disasters. Learn critical factors for establishing a secure and highly
available environment for SQL Server including overcoming the
technology barriers that affect SQL Server high availability. Find out
about Microsoft's out-of-the-box high-availability technologies,
including clustering, log shipping, and replication.
Protect the Rest of Your Exchange Infrastructure
There is more to data protection for Exchange than protecting mail
and mail servers. In this free Web seminar, you'll learn some methods
for anticipating, avoiding, and overcoming technical problems that can
affect your Exchange environment, including corruption or errors in
Active Directory, DNS problems, configuration errors, service pack
installation problems, and more.
Featured Business Benefits of ITSM
Quantify the Business Benefits of ITSM
This free white paper explores how to meet IT infrastructure's needs
and manage crucial support and service processes by implementing Help
desk, problem, change, configuration, and service-level agreement (SLA)
management into a single workflow. Improve productivity and service
delivery quality while reducing costs, resources, and downtime in your
organization.
High Availability for Windows Services
It is no stretch to say that Windows high availability must be a
fundamental element in your short- and long-term strategic IT planning.
This free white paper discusses the core issues surrounding Windows
high availability, with a focus on business drivers and benefits.
You'll learn about the current market solutions, technologies and real-
world challenges including cost-benefit analyses. Plus, find out how to
assess technical elements required in choosing a high availability
solution, including the robustness of the technology, time-to-failover,
and implementation difficulties.
Security Forum Featured Thread: AD Permissions
A forum participant is having trouble restricting permissions in
Windows Server 2003. He's running Active Directory (AD) in Mixed Mode
and has a few global groups that need access to resources on a member
server. However, anyone--not just the intended groups--can access the
folders and subfolders that he's trying to secure.
Keep Track of Your Registry
ElcomSoft has released Advanced Registry Tracer 2.0, a utility that
lets you analyze changes made to your registry (whether by Trojan horse
programs, viruses, or software installations or removals) and store
snapshots of the registry in a database so that you can easily restore
the registry when you encounter problems. New features in version 2.0
include the ability to define scanning and comparison filters, an
object-tweaking feature that lets you safely experiment with registry
values, a new database format that reduces the size of the database,
the ability to compare keys in command-line mode, faster registry file
exports, and an improved interface. Advanced Registry Tracer 2.0 runs
under Windows 95/98/Me/NT4/2000/XP and costs $40 for a single-user
license.
..in part by Mark Edwards