January 2004 - Posts
Update to - Security Update will modify the behavior of Internet Explorer for handling user information in URLs
A few questions about this are being asked pretty frequently, so I will try to address them here.
Q - Will this affect the use of user information in FTP URLs?
A - No, it will not.
Q - Isn't this change a violation of RFC 1738?
A - The confusion here is understandable. Section 3.1 of RFC 1738 would appear to indicate that a user name and password are part of the URL syntax. That section, however, defines the “Common Internet Scheme Syntax”, a generic template from which individual schemes may omit parts; whether a particular scheme actually permits the user name and password is settled in that scheme's own section, and in practice this applies to FTP rather than HTTP(s) URLs.
Scrolling down the RFC to section 3.2, you will see that FTP URLs follow the full syntax of section 3.1, user name and password included. Good, this will not change.
Scrolling down further to section 3.3, you will see that it contains language specifically prohibiting the use of a user name and password in an HTTP(s) URL:
3.3. HTTP
The HTTP URL scheme is used to designate Internet resources
accessible using HTTP (HyperText Transfer Protocol).
The HTTP protocol is specified elsewhere. This specification only
describes the syntax of HTTP URLs.
An HTTP URL takes the form:
http://<host>:<port>/<path>?<searchpart>
where <host> and <port> are as described in Section 3.1. If :<port>
is omitted, the port defaults to 80. No user name or password is
allowed. <path> is an HTTP selector, and <searchpart> is a query
string. The <path> is optional, as is the <searchpart> and its
preceding "?". If neither <path> nor <searchpart> is present, the "/"
may also be omitted.
Within the <path> and <searchpart> components, "/", ";", "?" are
reserved. The "/" character may be used within HTTP to designate a
hierarchical structure.
Q - Isn't RFC 1738 superseded by RFC 2396?
A - No. RFC 2396 replaces only the “generic definitions” of RFC 1738 (section 3.1); the scheme-specific sections, including 3.3 for HTTP, remain in force.
Q - What about RFC 2616 section 3.2.1, where it states that RFC 2396 replaces RFC 1738?
A - Again, that reference specifically states that RFC 2396 replaces the “Generic Syntax and Semantics” of RFC 1738. RFC 2396 itself says in its abstract that it “revises and replaces the generic definitions in RFC 1738”, and on the user name and password question it states in section 3.2.2:
Some URL schemes use the format "user:password" in the userinfo
field. This practice is NOT RECOMMENDED, because the passing of
authentication information in clear text (such as URI) has proven to
be a security risk in almost every case where it has been used.
In summary, RFC 1738 specifically states that a user name and password are not allowed in an HTTP URL. RFC 2396, while not 100% clear on this point, was written to replace only the generic definitions in RFC 1738, and where it does address the user name and password question it recommends that they not be used, which can make the whole issue look a little squishy. IMHO, removing this feature from IE is more in compliance with the RFCs than not, and is also a good move to protect the security and privacy of user information.
2/5/04 8:00 AM
Windows Server/Security TechNet Webcast: Windows Server 2003 Security Infrastructures - Level 200
http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032242274&Culture=en-US
Windows Server 2003 is Microsoft's enterprise operating system, designed to be more secure and reliable than its predecessors. This session provides an overview of the operating system's authentication, authorization, key management and security management infrastructure services and how you can use them in an enterprise IT environment.
2/5/04 9:30 AM
Windows Server/Security TechNet Webcast: Implementing Security Patch Management - Level 200
http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032242568&Culture=en-US
In this session you will learn how to apply security best practices and use available tools and technologies to implement a patch management process and strategy within your organization. The session will discuss the patch management lifecycle and demonstrate how tools such as Microsoft Baseline Security Analyzer and Software Update Services can be used to quickly and effectively respond to published security bulletins and establish patch compliance across your infrastructure.
2/9/2004 9:00 AM
Windows Server Microsoft Executive Circle Webcast: Best Practices for Patch Management in the Microsoft Infrastructure
http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032242175&Culture=en-US
Do you want to protect your enterprise from security vulnerabilities, take the EMERGENCY out of the patch management process, and upgrade on your own schedule? This webcast will highlight an effective patch management process, including risk assessment, security policies based on business risks, and preventative software to protect against viruses and worms seeking to infect your infrastructure. International Network Services (INS), an independent consulting company and Microsoft® Security partner, will focus on practical solutions to develop your security policies and implement them with available tools (both Microsoft and 3rd party). Topics will include: a methodology to assess your business risk, software and hardening techniques that can protect your business applications, and tools that can be used to update servers on your own schedule. Please join us for an informative and practical discussion on protecting your infrastructure and keeping it secure.
2/11/04 8:00 AM
Windows Server TechNet Webcast: Implementing Server Security on Windows 2000 and Windows Server 2003 - Level 200
http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032242867&Culture=en-US
In this session you will learn how to apply prescriptive host hardening guidance to secure servers used in legacy, enterprise client, and high-security environments. The session will discuss configuring the domain infrastructure through Active Directory and applying security templates to establish security baselines. Building on this knowledge, you will learn hardening best practices for domain controllers and member servers operating in various roles.
2/11/04 10:00 AM
Security TechNet Security Webcast: Information about Microsoft's February Security Bulletins
http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032242708&Culture=en-US
On February 10, Microsoft will release its monthly security bulletins. Join us in this webcast for a live discussion of the technical details of the February security bulletins and steps you can take to protect your environment.
2/11/04 11:30 AM
Security TechNet Webcast: Essentials of Security - Level 200
http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032242277&Culture=en-US
In this session you will gain knowledge and skills essential for the design and implementation of a secure computing environment. The session will cover important security concepts and discuss the need for establishing a process for security within an organization. You will learn how to identify system criticalities, understand and assess system vulnerabilities and apply best practices to improve the security of your infrastructure.
2/12/2004 9:00
Security TechNet Chat: Trustworthy computing with Mike Nash
http://communities2.microsoft.com/home/chatroom.aspx?siteid=34000081
Mike Nash, Vice President of Microsoft's Security Business Unit (SBU), invites you to join him for a one hour discussion on security issues with Microsoft products. Come and let Mike know the issues you are facing and ask questions about what Microsoft i
2/13/2004 9:00
Security TechNet Chat: Security Bulletin Discussion
http://communities2.microsoft.com/home/chatroom.aspx?siteid=34000015
Each month, after we release a security patch, the PSS Security Core team will conduct a chat to explain the patch and vulnerability to users and allow those users to understand the impact of the patch in their environments.
2/16/04 9:30 AM
Windows Client/Security TechNet Webcast: Implementing Client Security on Windows 2000 and Windows XP - Level 200
http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032242878&Culture=en-US
In this session you will learn the requirements for securing client computers in environments where Windows Server 2003, Windows 2000 and Windows NT 4.0 servers are present. You will also learn how to implement best practices for clients in extreme high-security environments. The session will discuss the use of Group Policy and Administrative Templates to secure Windows 2000 and Windows XP installations and provide guidance on software restriction policies, anti-virus strategies, and distributed firewall technologies. This session also covers configuring Microsoft Office and Internet Explorer to help achieve a secure client environment.
2/16/2004 12:00
Windows Networking/Security TechNet Chat: Securing your Microsoft network (Security Essentials)
http://communities2.microsoft.com/home/chatroom.aspx?siteid=34000015
Come and ask your questions about best practices in creating a truly secure network; in other words, a network that includes not only technical security, but also physical security, application security, and process-oriented security. By following some ba
2/17/04 9:00 AM
Security MSDN Webcast: Computer Crime and Security – Level 200
http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032243051&Culture=en-US
The typical misconception is that a hardware firewall will prevent a security breach. In fact, the majority of today’s IT security breaches occur through a web application. In this webcast we will discuss the most pervasive methods that hackers use to penetrate systems, where these attacks originate from, how they are accomplished and the financial impact of these breaches. Developers and managers should plan on attending to obtain a clear understanding of the challenges they may face in securing their web applications.
2/17/2004 10:00
Windows Networking TechNet Chat: Chat with the Internet Authentication Service (RADIUS) Team
http://communities2.microsoft.com/home/chatroom.aspx?siteid=34000015
2/17/04 10:00 AM
Windows Server TechNet Support WebCast: Troubleshooting Group Policy and profile issues in a domain environment by using Userenv logging
http://support.microsoft.com/default.aspx?kbid=835302
This Support WebCast Level 200 session will discuss common problems that you may experience when working with Group Policy deployment and user profiles. It will also talk about how to troubleshoot these issues by using Userenv logging.
2/18/04 8:00 AM
Windows Server TechNet Webcast: New Features of Windows Server 2003 Active Directory - Level 200
http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032242282&Culture=en-US
This session covers most aspects of Microsoft® Windows Server™ 2003 Active Directory operations, focusing on new features for deployment, administration and management, forest trusts, Group Policies, and application support. The target audience includes anyone considering upgrading to Windows Server 2003 Active Directory (either from Windows NT 4.0 or Windows 2000) as well as first-time adopters.
2/18/04 9:00 AM
Windows Networking/Security/RTC/Development MSDN Webcast: Dave's Secure Remoting Chat Application – Level 300
http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032243058&Culture=en-US
Have you ever wondered if those pesky network-savvy individuals in possession of packet-sniffing software such as Snort or Ethereal might be eavesdropping on your Instant Messenger (IM) conversations? Even though we all use IM in the workplace, you might not want your chat conversations going out in plain text over the wire. In this webcast we will write a secure peer-to-peer chat program that cannot be eavesdropped on by packet sniffers. Experienced developers shouldn’t miss the discussions covering remoting, encryption, streaming and multi-threading.
2/18/2004 12:30
Windows Server TechNet Chat: Building a Kerberos based authentication infrastructure: New technologies, interoperability, and troubleshooting
http://communities2.microsoft.com/home/chatroom.aspx?siteid=34000015
This chat provides an opportunity to find out how you can use the Kerberos capabilities in Windows to build an authentication infrastructure that is secure, interoperable and flexible. Talk to the engineers and architects building the Kerberos capabilitie
2/20/04 11:30 AM
Windows Server TechNet Webcast: Software and Patch Management with Software Update Service, Windows Update and SMS - Level 200
http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032242287&Culture=en-US
This session covers installation and configuration of Software Update Services (SUS) and use of Group Policy to configure clients to use SUS for Automatic Updates. Review Systems Management Server (SMS) features and learn how to install and distribute SUS packages for SMS.
2/25/04 11:30 AM
Windows Server TechNet Webcast: Deployment of the Terminal Services Client via Intellimirror, SMS, and the Web Client - Level 300
http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032243218&Culture=en-US
This talk will cover the various methods and options you have to deploy the Terminal Services Client in your enterprise, including Intellimirror, SMS, and the web client, as well as other problems you may encounter. I’ll also be fielding questions about the client and gathering feedback on the Terminal Services Client.
The Product Support Services security team released this alert late yesterday:
On 27 January 2004, Microsoft published a Knowledge Base article, 834489, that details changes which will be made in a forthcoming security update in the behavior of how Internet Explorer handles user information in HTTP and HTTPS URLs. Specifically, once this forthcoming security update is applied, by default, URLs that contain user information will no longer be supported and users will receive the error message "Invalid syntax error". HTTP and HTTPS URLs that contain user information take the format of:
http(s)://username:password@server/resource.ext.
Web site operators who currently rely on HTTP or HTTPS URLs with user information should take steps to implement other forms of authentication, as detailed in the Knowledge Base article, to minimize the likely impact that this design change will have on their customers.
While it is not recommended, it is possible for customers to re-enable support for user information in HTTP and HTTPS URLs via a registry change on the client system. This information is detailed in the knowledge base article.
This change is not to remediate any specific or particular product vulnerability. Instead, it is a design change that is being made to enhance overall security in Internet Explorer.
More details are available in Knowledge Base article, 834489.
http://support.microsoft.com/?kbid=834489
If you have any questions regarding this alert, you should contact Product Support Services in the United States at 1-866-PCSafety (1-866-727-2338). International customers should contact their local subsidiary.
Thank you,
PSS Security
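As an added example (not code from the original post, the PSS alert, or KB 834489), here is a small Python checker that applies the rules quoted in the Q&A above and the URL format described in the alert: user information in an http or https URL is reported as invalid syntax, the way Internet Explorer will report it after the update; user information in an ftp URL is still accepted, with the user:password form flagged as not recommended per RFC 2396 section 3.2.2; and an "@" that appears in the path or query rather than in the authority part is left alone. The result also records the host after the "@", which is the server the URL actually names. The sample HTML, user names and host names are constructed for the example; a site operator can run find_userinfo_urls over page source to find links that will stop working once the update is applied.

```python
"""Added example: flag URLs that carry user information.

RFC 1738 section 3.3 allows no user name or password in an HTTP URL (the
behaviour IE enforces after KB 834489, reporting "Invalid syntax error");
RFC 1738 section 3.2 still allows them for FTP, and RFC 2396 section 3.2.2
marks the user:password form NOT RECOMMENDED. Sample data is constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# RFC 1738 section 3.3: "No user name or password is allowed."
USERINFO_FORBIDDEN = {"http", "https"}

# Crude URL extractor for scanning page source or text; stops at quotes,
# whitespace and angle brackets so it works on href="..." attributes.
URL_RE = re.compile(r"\b(?:https?|ftp)://[^\s\"'<>]+", re.IGNORECASE)


@dataclass
class UrlCheck:
    url: str
    scheme: str
    host: Optional[str]       # the host the URL actually names (after any '@')
    username: Optional[str]
    has_password: bool
    verdict: str              # "ok" | "not-recommended" | "invalid-syntax"
    reason: str


def check_url(url: str) -> UrlCheck:
    """Classify one absolute URL.

    urlsplit() takes the authority as everything before the first '/', and
    splits userinfo at the LAST '@' inside it, so an '@' in the path or query
    (e.g. a mail address in a parameter) is correctly not treated as userinfo.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    has_userinfo = "@" in parts.netloc
    username = parts.username if has_userinfo else None
    has_password = parts.password is not None

    if not has_userinfo:
        verdict, reason = "ok", "no user information in the URL"
    elif scheme in USERINFO_FORBIDDEN:
        # Mirrors IE after KB 834489: the URL is rejected, not silently fixed up.
        verdict = "invalid-syntax"
        reason = f"RFC 1738 section 3.3 forbids a user name or password in {scheme} URLs"
    elif has_password:
        verdict = "not-recommended"
        reason = "RFC 2396 section 3.2.2: user:password in clear text is NOT RECOMMENDED"
    else:
        verdict, reason = "ok", "user name without password; permitted for this scheme"

    return UrlCheck(url, scheme, parts.hostname, username, has_password, verdict, reason)


def find_userinfo_urls(text: str) -> List[UrlCheck]:
    """Return a check for every URL in `text` that carries user information."""
    return [c for c in (check_url(m.group(0)) for m in URL_RE.finditer(text))
            if c.verdict != "ok"]


# Constructed sample page; the hosts are documentation addresses, not real sites.
SAMPLE_HTML = """
<a href="http://www.example.com/">home</a>
<a href="http://guest:letmein@intranet.example.com/reports/">reports</a>
<a href="https://alice@secure.example.com/">secure</a>
<a href="http://www.example.com/contact?mail=alice@example.com">contact</a>
<a href="ftp://anonymous@ftp.example.com/pub/">ftp</a>
<a href="ftp://backup:s3cret@ftp.example.com/">ftp with password</a>
"""


if __name__ == "__main__":
    for c in find_userinfo_urls(SAMPLE_HTML):
        print(f"{c.verdict:16} {c.url}")
        print(f"    host={c.host} user={c.username} ({c.reason})")
```

Running the block over the sample page reports the two http(s) links as invalid syntax and the ftp link with a password as not recommended; the contact link, whose "@" sits in the query string, and the anonymous ftp link pass.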
This started really ripping across the net yesterday. One of the big dangers with this one is that it spoofs the FROM address. I was able to stop my wife from infecting her machine just in time when she received an email that looked like it came from me when it actually came from her brother, who had both of our addresses in his address book. Not sure if this thing actually targets similar email addresses for more effective social engineering or if that was a coincidence.
For more information, see the Microsoft virus alert here:
http://www.microsoft.com/security/antivirus/mydoom.asp
Today Microsoft released the following Security Bulletins.
Note: www.microsoft.com/technet/security and www.microsoft.com/security are authoritative in all matters concerning Microsoft Security Bulletins! ANY e-mail, web board or newsgroup posting (including this one) should be verified by visiting these sites for official information. Microsoft never sends security or other updates as attachments. These updates must be downloaded from the microsoft.com download center or Windows Update. See the individual bulletins for details.
Because some malicious messages attempt to masquerade as official Microsoft security notices, it is recommended that you physically type the URLs into your web browser and not click on the hyperlinks provided.
Bulletins Summaries:
ISA Server: http://www.microsoft.com/technet/security/bulletin/isajan04.asp
Exchange: http://www.microsoft.com/technet/security/bulletin/excjan04.asp
Windows (MDAC): http://www.microsoft.com/technet/security/bulletin/winjan04.asp
Critical Bulletins:
MS04-001 - Vulnerability in Microsoft Internet Security and Acceleration Server 2000 H.323 Filter Could Allow Remote Code Execution (816458)
http://www.microsoft.com/technet/security/bulletin/MS04-001.asp
Important Bulletins:
MS04-003 - Buffer Overrun in MDAC Function Could Allow Code Execution (832483)
http://www.microsoft.com/technet/security/bulletin/MS04-003.asp
MS03-045 – Re-Release: Buffer Overrun in the ListBox and in the ComboBox Control Could Allow Code Execution (824141)
http://www.microsoft.com/technet/security/bulletin/MS03-045.asp
Reason for re-release: V4.0 January 13, 2004: Bulletin updated to reflect the release of updated Windows NT 4.0 Workstation and Server updates for Arabic, Hebrew, and Thai languages only.
Moderate Bulletins:
MS04-002 - Vulnerability in Exchange Server 2003 Could Lead to Privilege Escalation (832759)
http://www.microsoft.com/technet/security/bulletin/MS04-002.asp
This represents our regularly scheduled monthly bulletin release (second Tuesday of each month). Please note that Microsoft may release bulletins outside of this schedule if we determine the need to do so.
If you have any questions regarding the patch or its implementation after reading the above listed bulletin you should contact Product Support Services in the United States at 1-866-PCSafety (1-866-727-2338). International customers should contact their local subsidiary.
1/6/04 9:30 AM
Windows Server/IIS/Security TechNet Webcast: Security Enhancements for Internet Information Services 6.0 - Level 200
http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032240688&Culture=en-US
Are you looking to improve the security of your web site? Using Windows Server 2003 and IIS 6.0 can certainly get you started. In this session I will explore some of the types of attacks on a web server and show you how to secure a web server against them on Windows 2003 Server.
1/7/04 10:00 AM
Windows Server/Networking Deploying site-to-site VPNs using Windows Server 2003
http://communities2.microsoft.com/home/chatroom.aspx?siteid=34000015 (TechNet)
Join the Routing and Remote Access team to discuss tips, techniques, and best practices for deploying demand-dial solutions. We encourage you to review the whitepaper at http://www.microsoft.com/vpn beforehand.
1/13/04 9:30 AM
Security TechNet Webcast: Using the Microsoft Security Tools - Level 200
http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032241658&Culture=en-US
This session looks at a variety of free Microsoft tools that can help make systems more secure.
1/13/04 10:00 AM
Windows Networking TechNet Chat: Home Wireless Networking with Microsoft Windows
http://communities2.microsoft.com/home/chatroom.aspx?siteid=34000015 (TechNet)
The Microsoft Windows XP and Windows Server 2003 families include built-in support for configuring IEEE 802.11 networks. Learn more about IEEE 802.11 wireless LAN networking in a Windows environment at
1/14/04 10:00 AM
Security TechNet Security Webcast: Information about Microsoft’s January Security Bulletins
http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032241586&Culture=en-US
On January 13, Microsoft will release its monthly security bulletins. Join us in this webcast for a live discussion of the technical details of the January security bulletins and steps you can take to protect your environment.
1/14/04 12:30 PM
Security Building a Kerberos based authentication infrastructure: New technologies, interoperability, and troubleshooting
http://communities2.microsoft.com/home/chatroom.aspx?siteid=34000015 (TechNet)
This chat provides an opportunity to find out how you can use the Kerberos capabilities in Windows to build an authentication infrastructure that is secure, interoperable and flexible. Talk to the engineers and architects building the Kerberos capabilitie
1/15/04 12:30 PM
Security TechNet Webcast: Internet Datacenter Security - Level 200
http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032241729&Culture=en-US
Attend this webcast and learn about from-the-trenches attacks & countermeasures from the co-author of Hacking Exposed and Microsoft's front-line Internet security group, MSN. This webcast will cover key threats, countermeasures, policies, procedures, politics, and principles to keep your business out of the security headlines. From spammers to Slammer, this talk will cover the most important aspects of “operational” security, including access control strategies, patching procedures, DDoS mitigation techniques, and aligning technology with policy.
1/16/04 9:00 AM
Security Security Bulletin Discussion
http://communities2.microsoft.com/home/chatroom.aspx?siteid=34000015 (TechNet)
Each month, after we release a security patch, the PSS Security Core team will conduct a chat to explain the patch and vulnerability to users and allow those users to understand the impact of the patch in their environments.
1/19/04 9:00 AM
Security Microsoft Executive Circle: Implementing more security products won’t make you more secure, better management will
http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032241542&Culture=en-US
Security is not just about preventing malicious attacks on a company’s networks and information systems, or even about protecting information and intellectual property. Security is about creating and managing an environment in which people can work together with confidence. Every time that a security flaw is identified in an application, operating system or a piece of hardware you are using, a vendor patch will be provided for implementation. And with each patch, you need to know that it’s going to make things better and not worse, and to do that you need to be sure that it has been tested. There are some first class tools available to manage this process, allowing you to keep a meticulous record of the current state and history of your environment, but decisions still need to be made. This presentation will show you some of the best practices in addressing these issues.
1/20/04 8:30 AM
Security Microsoft Executive Circle Webcast: Monthly Update from Microsoft’s VP for Security
http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032241793&Culture=en-US
Join Mike Nash, Microsoft’s senior executive in charge of security, for his monthly security update. Mike will provide the latest details on Microsoft’s security enhancements, offer tips and insights into key security strategies for customers and provide new information on Microsoft’s security technologies being delivered in upcoming service packs.
1/20/04 9:30 AM
Windows Server/Security TechNet Webcast: Implementing Server Security on Windows 2000 and Windows Server 2003 - Level 200
http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032241894&Culture=en-US
In this session you will learn how to apply prescriptive host hardening guidance to secure servers used in legacy, enterprise client, and high-security environments. The session will discuss configuring the domain infrastructure through Active Directory and applying security templates to establish security baselines. Building on this knowledge, you will learn hardening best practices for domain controllers and member servers operating in various roles.
1/20/04 10:00 AM
Windows Networking Wireless Networking with Microsoft IAS server
http://communities2.microsoft.com/home/chatroom.aspx?siteid=34000015 (TechNet)
Join the IAS/ Authentication team for your 4th chat session. We will talk about IAS RADIUS server and how you can use it to install a wireless network. We can chat about the security benefits, the features and what IAS can do for a wireless network. If
1/21/04 11:30 AM
Windows Server/Security TechNet Webcast: Designing a Secure - Reliable - and Usable Patch Management Infrastructure - Level 200
http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032241739&Culture=en-US
Patch management is one of the core tenets of any security policy. This session provides practical advice on designing and deploying an effective and responsive patch management infrastructure with Microsoft tools and technologies. In addition, the Microsoft Solution for Patch Management will be introduced and its core operating architecture discussed in depth.
1/22/04 9:30 AM
Windows Server TechNet Webcast: Database Scripting for System Administrators - Level 200
http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032241884&Culture=en-US
Have you mastered the art of using text files as a way to store data? Are you beginning to think that sifting through 10,000-line text files and trying to generate statistics and look for trends isn’t as easy or as much fun as it sounded? If so, then you might be ready to start using databases as a way to get data into, and save data out of, your system administration scripts. In this Webcast, the Scripting Guys will show you how to add ADO (ActiveX Data Objects) to your scripting arsenal.
1/23/04 9:30 AM
Security TechNet Webcast: Essentials of Security - Level 200
http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032241750&Culture=en-US
In this session for experienced IT professionals, you will gain knowledge and skills essential for the design and implementation of a secure computing environment. The session will cover important security concepts and discuss the need for establishing a process for security within an organization. You will learn how to identify system criticalities, understand and assess system vulnerabilities and apply best practices to improve the security of your infrastructure.
1/27/04 9:30 AM
Windows Server/Security TechNet Webcast: Implementing Security Patch Management - Level 200
http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032241886&Culture=en-US
In this session you will learn how to apply security best practices and use available tools and technologies to implement a patch management process and strategy within your organization. The session will discuss the patch management lifecycle and demonstrate how tools such as Microsoft Baseline Security Analyzer and Software Update Services can be used to quickly and effectively respond to published security bulletins and establish patch compliance across your infrastructure.
1/28/04 8:00 AM
Windows Client/Security TechNet Webcast: Implementing Client Security on Windows 2000 and Windows XP - Level 200
http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032241903&Culture=en-US
In this session you will learn the requirements for securing client computers in environments where Windows Server 2003, Windows 2000 and Windows NT 4.0 servers are present. You will also learn how to implement best practices for clients in extreme high-security environments. The session will discuss the use of Group Policy and Administrative Templates to secure Windows 2000 and Windows XP installations and provide guidance on software restriction policies, anti-virus strategies, and distributed firewall technologies. This session also covers configuring Microsoft Office and Internet Explorer to help achieve a secure client environment.
1/28/04 11:00 AM
Windows Server/Security/SUS/SMS TechNet Webcast: Software and Patch Management with Software Update Service, Windows Update and SMS - Level 200
http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032241751&Culture=en-US
This session covers installation and configuration of Software Update Services (SUS) and use of Group Policy to configure clients to use SUS for Automatic Updates. Review Systems Management Server (SMS) features and learn how to install and distribute SUS packages for SMS.
1/29/04 9:30 AM
Windows Networking TechNet Webcast: ISA Server 2000/2004
http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032241909&Culture=en-US
This webcast will describe how ISA Server 2000 and ISA Server 2004 are built from the ground up to work better with your existing Microsoft infrastructure. In this session we will show you the architecture differences between ISA Server 2000 and ISA Server 2004. The presentation will also cover the new scenarios that are enabled by the new architecture. We will show you how ISA Server 2004 extends our application filtering capabilities and provides a better platform to address future security needs.