May 2004 - Posts
Many admins may find this tool useful. It generates MD5 or SHA-1 hash values for files so you can compare them against known good values, and it stores those values in an XML database. Very useful if you suspect files have been changed. Keep in mind that the baseline is only as good as the system it was taken from, so generate it while the machine is known good and keep the database somewhere the machine itself cannot alter it.
The tool was created by Emmanuel Dreux out of Microsoft France.
Let us know if you have any feedback on this tool!
http://support.microsoft.com/default.aspx?scid=kb;en-us;841290
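As an added illustration of the workflow the tool above describes (this is example code, not the KB 841290 tool itself; its XML layout, element names and the demo() scenario are assumptions), the script below hashes a directory tree with MD5 and SHA-1, saves the digests to an XML baseline, and later reports files whose digests changed, files that went missing and files that appeared:

```python
"""Added example: a minimal file-integrity baseline in the spirit of the
KB 841290 tool. Illustrative code, not Microsoft's tool; the XML layout
(<FCIV><FILE_ENTRY>...) is an assumption, not the tool's real format."""
import hashlib
import os
import tempfile
import xml.etree.ElementTree as ET


def hash_file(path, chunk_size=1 << 16):
    """Return (md5, sha1) hex digests, streaming so large files fit in memory."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def build_baseline(root):
    """Walk `root` and return {relative_path: (md5, sha1)}."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def save_baseline(baseline, xml_path):
    """Write the baseline as one FILE_ENTRY element per file (assumed layout)."""
    root = ET.Element("FCIV")  # hypothetical root element name
    for rel, (md5, sha1) in sorted(baseline.items()):
        entry = ET.SubElement(root, "FILE_ENTRY")
        ET.SubElement(entry, "name").text = rel
        ET.SubElement(entry, "MD5").text = md5
        ET.SubElement(entry, "SHA1").text = sha1
    ET.ElementTree(root).write(xml_path, encoding="utf-8", xml_declaration=True)


def load_baseline(xml_path):
    """Read the XML database back into {relative_path: (md5, sha1)}."""
    tree = ET.parse(xml_path)
    return {e.findtext("name"): (e.findtext("MD5"), e.findtext("SHA1"))
            for e in tree.getroot().findall("FILE_ENTRY")}


def verify(root, xml_path):
    """Compare the current tree with the stored baseline.
    A file is 'modified' if either digest differs; 'missing' if it is in the
    baseline but not on disk; 'new' if it is on disk but not in the baseline."""
    stored = load_baseline(xml_path)
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in stored if p in current and stored[p] != current[p]),
        "missing": sorted(p for p in stored if p not in current),
        "new": sorted(p for p in current if p not in stored),
    }


def demo():
    """Constructed scenario: baseline three files, then tamper with one,
    delete one and add one, and return what verify() finds."""
    work = tempfile.mkdtemp()
    tree = os.path.join(work, "tree")
    os.makedirs(tree)
    for name, data in (("a.txt", b"alpha"), ("b.txt", b"bravo"), ("sub/c.txt", b"charlie")):
        full = os.path.join(tree, name)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    db = os.path.join(work, "baseline.xml")
    save_baseline(build_baseline(tree), db)
    with open(os.path.join(tree, "a.txt"), "ab") as f:
        f.write(b"!")                       # tamper with a baselined file
    os.remove(os.path.join(tree, "b.txt"))  # delete a baselined file
    with open(os.path.join(tree, "d.txt"), "wb") as f:
        f.write(b"delta")                   # add a file the baseline never saw
    return verify(tree, db)


if __name__ == "__main__":
    print(demo())
```

The comparison deliberately treats a mismatch in either digest as a change, and it reports new files as well as modified ones, since a dropped binary in a system directory is as interesting as an altered one. The baseline XML should be stored off the machine being checked; if an attacker can rewrite both the files and the database, the check proves nothing.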
From Coad's Code Block. I'm in there somewhere:
http://msmvps.com/coad/posts/7185.aspx
Overview
Microsoft Solutions for Security: The Antivirus Defense-in-Depth Guide provides an easy to understand overview of the assorted types of malware, their risks, characteristics, means of replication and payloads. The solution also details the considerations for implementing a comprehensive antivirus defense for your network, servers and clients, going beyond simply installing antivirus software to cover the related tools that will help reduce your risk of infection. Lastly, the solution provides a comprehensive methodology for quickly and effectively responding to outbreaks or incidents when they occur.
http://go.microsoft.com/fwlink/?LinkId=28734
So you want to see how we do security for remote users here at Microsoft? Check out this PowerPoint presentation:
Overview
Detailed discussion of how Microsoft IT significantly improved the security of its corporate network remote access solution using the latest generation of Microsoft products, such as Windows XP Professional, Windows Server 2003, Internet Authentication Service, SQL Server 2000, and Connection Manager. The solution deployed, called Secure Remote User (SRU), enabled Microsoft IT to manage specific remote desktop configurations, ensuring that all established security requirements are met when remote users access corporate network resources. SRU contributes to reducing the external attack surface of the Microsoft corporate network, thereby better protecting its intellectual property.
http://www.microsoft.com/downloads/details.aspx?familyid=5dac8310-29b8-4e38-a987-6983ff7acc6c&displaylang=en
Overview
Internet Security and Acceleration (ISA) Server 2000 Service Pack 2 (SP2) provides the latest updates to ISA Server 2000 and provides an even higher level of security, reliability and stability to customers. Microsoft strongly encourages customers to install SP2 on all computers running ISA Server.
ISA Server 2000 SP2 can be installed directly on ISA Server 2000, ISA Server 2000 Service Pack 1 or ISA Server 2000 Feature Pack 1 or any other combination of hot fixes.
ISA Server SP2 can be applied to ISA Server Standard and Enterprise Editions, and includes:
• All hot fixes and security updates issued since ISA Server was released to manufacturing.
• Fixes for common issues reported by customers through Microsoft Product Support Services (PSS).
• Enhanced stability of the ISA Server services and administration tool in a number of scenarios.
• Fixes that enable ISA Server to run on Microsoft Windows Server™ 2003, Standard Edition and Windows Server 2003, Enterprise Edition.
• Fixes recommended through an audit by third-party security experts.
http://www.microsoft.com/downloads/details.aspx?familyid=c8d3d98b-1cd4-406a-a04a-2aa2547d09a3&displaylang=en
Overview
Platform SDK – Windows XP Service Pack 2 Release Candidate 1 Build 2096
With Windows XP Service Pack 2 (SP2), Microsoft is introducing a set of security technologies that will help improve Windows XP-based computers' ability to withstand malicious attacks from viruses and worms. These technologies include:
Network protection
Memory protection
Improved email security
Safer browsing
Together, these security technologies will help make it more difficult to attack Windows XP, even if the latest patches or updates aren't applied. They are particularly useful as mitigation against worms and viruses. For developers, these technologies will affect the applications they create and the tools they use.
The Platform SDK – Windows XP Service Pack 2 Release Candidate contains the information you need to develop applications for Microsoft Windows XP Service Pack 2 Release Candidate 1. Use this SDK to ensure that you have the latest documentation, samples, and SDK build environment (header files, libraries, and tools) for the RC1 release of Windows XP Service Pack 2.
http://www.microsoft.com/downloads/details.aspx?familyid=9be921b3-585e-47d9-bcc1-980879b69b34&displaylang=en
The latest in a series of Security Management articles by Jesper M. Johansson, Ph.D., CISSP, MCSE, MCP+I.
http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx
See Jesper's other articles here:
http://www.microsoft.com/technet/community/columns/secmgmt/smarch.mspx
This latest article does a good job explaining why a compromised system should be rebuilt. The bottom line is that you cannot trust it anymore and the only sure way to be able to do so is to flatten the box and start over. I like the last point: This list makes patching look not so bad, yes?
Chat with Security Business Unit Vice President Mike Nash
=============================================================
Join Mike Nash, Vice President for the Microsoft Security Business Unit, and his team of security experts each month. Microsoft is working hard to improve security and Mike and his team invite you to join them in a candid Q&A session. Ask us your tough questions; share with us what is going well and what needs improvement. This is your chance to talk up front with the leading security minds at Microsoft.
When: May 13, 2004
9:00 - 10:00 A.M. Pacific time
12:00 - 1:00 P.M. Eastern time
16:00 - 17:00 GMT
Where: http://communities2.microsoft.com/home/chatroom.aspx?siteid=34000081
Add to calendar: http://www.microsoft.com/technet/downloads/vcs/sec_0513.vcs
May 11, 2004
Today Microsoft released the following Security Bulletins.
Note: www.microsoft.com/technet/security and www.microsoft.com/security are authoritative in all matters concerning Microsoft Security Bulletins! ANY e-mail, web board or newsgroup posting (including this one) should be verified by visiting these sites for official information. Microsoft never sends security or other updates as attachments. These updates must be downloaded from the microsoft.com download center or Windows Update. See the individual bulletins for details.
Because some malicious messages attempt to masquerade as official Microsoft security notices, it is recommended that you physically type the URLs into your web browser and not click on the hyperlinks provided.
Bulletin Summaries:
Windows: http://www.microsoft.com/technet/security/Bulletin/winmay04.mspx
Important Bulletins:
MS04-015 - Vulnerability in Help and Support Center Could Allow Remote Code Execution (840374)
http://www.microsoft.com/technet/security/Bulletin/MS04-015.mspx
Re-Released Bulletins:
The following bulletins have been re-released. Please see the bottom of each bulletin for revision information.
MS04-014 - Vulnerability in the Microsoft Jet Database Engine Could Allow Code Execution (837001) - Important
http://www.microsoft.com/technet/security/Bulletin/MS04-014.mspx
Summary Bulletin:
http://www.microsoft.com/technet/security/Bulletin/winapr04.mspx
MS01-052 - Invalid RDP Data can Cause Terminal Service Failure - Moderate
http://www.microsoft.com/technet/security/bulletin/MS01-052.mspx
This represents our regularly scheduled monthly bulletin release (second Tuesday of each month). Please note that Microsoft may release bulletins outside of this schedule if we determine the need to do so.
If you have any questions regarding the patch or its implementation after reading the above listed bulletins, you should contact Product Support Services in the United States at 1-866-PCSafety (1-866-727-2338). International customers should contact their local subsidiary.
Overview
In Microsoft Windows XP Service Pack 2, Microsoft is introducing a set of security technologies that will help to improve the ability of Windows XP-based computers to withstand malicious attacks from viruses and worms. The technologies include network protection, memory protection, safer e-mail handling, more secure browsing, and improved computer maintenance.
Together, these security technologies will help to make it more difficult to attack Windows XP, even if the latest updates are not applied. These security technologies together are particularly useful in mitigation against worms and viruses.
This document specifically focuses on the changes between earlier versions of Windows XP and Windows XP Service Pack 2 and reflects Microsoft’s early thinking about Service Pack 2 and its implications for developers. Examples and details are provided for several of the technologies that are experiencing the biggest changes. Future versions of this document will cover all new and changed technologies.
http://www.microsoft.com/downloads/details.aspx?familyid=7bd948d7-b791-40b6-8364-685b84158c78&displaylang=en
Overview
This guide is designed to provide you with essential information about how to harden your Microsoft® Exchange Server 2003 environment. In addition to practical, hands-on configuration recommendations, this guide includes strategies for combating spam, viruses, and other external threats to your Exchange 2003 messaging system. While most server administrators can benefit from reading this guide, it is designed to produce maximum benefits for administrators responsible for Exchange messaging, both at the mailbox and architect levels.
This guide is a companion to the Windows Server 2003 Security Guide. Specifically, many of the procedures in this guide are related directly to security recommendations introduced in the Windows Server 2003 Security Guide. Therefore, before you perform the procedures presented in this guide, it is recommended that you first read the Windows Server 2003 Security Guide.
http://www.microsoft.com/downloads/details.aspx?familyid=6a80711f-e5c9-4aef-9a44-504db09b9065&displaylang=en
Overview
Windows XP Service Pack 2 (SP2), currently a Release Candidate in Beta testing, includes significant enhancements to the Windows Firewall component, previously known as the Internet Connection Firewall (ICF). Windows Firewall is a stateful host-based firewall that discards unsolicited incoming traffic, providing a level of protection for computers against malicious users or programs. To provide better protection for computers connected to any kind of network (such as the Internet, a home network, or an organization network), Windows XP SP2 enables Windows Firewall on all network connections by default. This new behavior can impair some types of communications. This article describes how to deploy the appropriate configuration settings for Windows Firewall on an organization network so that it is enabled and providing protection, and so that communications are not impaired.
http://www.microsoft.com/downloads/details.aspx?familyid=4454e0e1-61fa-447a-bdcd-499f73a637d1&displaylang=en
What is this alert?
- Microsoft has been made aware of a worm identified as “W32.Sasser.worm” and it is currently circulating on the Internet. The worm exploits the Local Security Authority Subsystem Service (LSASS) vulnerability fixed in Microsoft Security Update MS04-011 on April 13, 2004.
- Microsoft encourages customers to protect themselves against this worm by installing Microsoft Security Bulletin MS04-011 <www.microsoft.com/technet/security/bulletin/ms04-011.mspx> immediately.
- Customers who have enabled the Windows XP Firewall are protected from the vector this worm attacks, which is TCP port 445. The LSASS vulnerability addressed by MS04-011 is also reachable over TCP port 139, so both ports should be blocked at the host and perimeter firewall. Most third party firewalls also block this attack vector by default.
If you have any questions regarding the security updates or their implementation after reading the above listed bulletin, you should contact Product Support Services in the United States at 1-866-PCSafety (1-866-727-2338). International customers should contact their local subsidiary.
Update:
- Earlier today a second version of SASSER was released. This version was also analyzed, and while it spreads differently, it too drops no damaging payload.
- Microsoft has developed a cleanup tool for W32.Sasser.worm. You will find this removal tool at http://www.microsoft.com/downloads/details.aspx?FamilyId=76C6DE7E-1B6B-4FC3-90D4-9FA42D14CC17&displaylang=en and the corresponding Knowledge Base article KB841720 at http://support.microsoft.com/default.aspx?scid=kb;EN-US;841720. This tool exists for customers infected with Sasser. Microsoft strongly encourages you to apply MS04-011 as soon as possible.
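As an added example (not Microsoft code, and nothing the alert itself supplies), here is a small detector for the scanning behaviour described above, run over constructed Windows Firewall log lines. It assumes the W3C-style pfirewall.log layout with a "#Fields:" header, that logs from several hosts have been concatenated into one file, and a threshold of three distinct targets; it flags sources whose dropped TCP connection attempts to the LSASS ports (445, and 139) reached that many distinct hosts.

```python
"""Added example: flag hosts sweeping the LSASS ports that Sasser attacks,
using Windows Firewall drop records. Not Microsoft code. The log text below
is constructed, and the column layout (taken from the #Fields header) is the
pfirewall.log format as the author of this example understands it."""
from collections import defaultdict

# Constructed sample: several hosts' pfirewall.log files concatenated.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2004-05-01 10:00:01 DROP TCP 10.0.0.7 10.0.0.20 1041 445 48 S 123 0 64240 - - - RECEIVE
2004-05-01 10:00:01 DROP TCP 10.0.0.7 10.0.0.21 1042 445 48 S 124 0 64240 - - - RECEIVE
2004-05-01 10:00:02 DROP TCP 10.0.0.7 10.0.0.22 1043 445 48 S 125 0 64240 - - - RECEIVE
2004-05-01 10:00:02 DROP TCP 10.0.0.7 10.0.0.23 1044 445 48 S 126 0 64240 - - - RECEIVE
2004-05-01 10:00:03 DROP TCP 10.0.0.7 10.0.0.24 1045 445 48 S 127 0 64240 - - - RECEIVE
2004-05-01 10:00:05 OPEN TCP 10.0.0.20 10.0.0.5 1050 80 - - - - - - - - -
2004-05-01 10:00:06 DROP TCP 10.0.0.9 10.0.0.20 2001 445 48 S 900 0 64240 - - - RECEIVE
2004-05-01 10:00:07 DROP TCP 10.0.0.9 10.0.0.20 2002 139 48 S 901 0 64240 - - - RECEIVE
"""

# MS04-011's LSASS vulnerability is reachable over SMB on both ports.
LSASS_PORTS = {"445", "139"}


def parse_firewall_log(text):
    """Yield one dict per record, naming columns from the #Fields header.
    Records seen before a #Fields line, or with a wrong column count, are skipped."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split(":", 1)[1].split()
            continue
        if fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue
        yield dict(zip(fields, values))


def find_sweepers(text, min_targets=3):
    """Return {src-ip: distinct hosts probed} for sources whose dropped TCP
    attempts to the LSASS ports reached at least `min_targets` distinct hosts."""
    targets = defaultdict(set)
    for rec in parse_firewall_log(text):
        if (rec["action"] == "DROP" and rec["protocol"] == "TCP"
                and rec["dst-port"] in LSASS_PORTS):
            targets[rec["src-ip"]].add(rec["dst-ip"])
    return {src: len(hosts) for src, hosts in targets.items()
            if len(hosts) >= min_targets}


if __name__ == "__main__":
    for src, n in find_sweepers(SAMPLE_LOG).items():
        print(f"{src} probed {n} hosts on the LSASS ports; check it for Sasser")
```

Counting distinct destinations rather than raw drops is what separates a worm sweeping a subnet from a single misconfigured client retrying one server: in the sample, 10.0.0.9 hits one host twice and is not flagged, while 10.0.0.7 hits five hosts and is. Because each host's Windows Firewall log only sees attempts against that host, the distinct-destination count is only meaningful once the logs are collected centrally.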