[ISN] Security UPDATE--A Long Way from Junk-Free Inboxes--May 26, 2004

InfoSec News isn at c4i.org
Fri May 28 08:46:37 EDT 2004


1. In Focus: A Long Way from Junk-Free Inboxes

2. Security News and Features
   - Recent Security Vulnerabilities
   - News: Yahoo Publishes IETF Draft for DomainKeys
   - News: 20 Tips on Securing Outlook in 20 Minutes
   - News: Microsoft Identity and Access Management Series
   - News: Shavlik Technologies Partners with NetIQ and ENDFORCE

3. Security Toolkit
   - FAQ
   - Featured Thread

4. New and Improved
   - Enterprise-Class Firewall for the Small Business



==== 1. In Focus: A Long Way from Junk-Free Inboxes ====
   by Mark Joseph Edwards, News Editor, mark at ntsecurity dot net

In the March 3, 2004, edition of Security Update, I briefly explained
three proposed technologies--Sender Policy Framework (SPF),
DomainKeys, and Caller ID for E-Mail--that might help curb the influx
of junk mail most of us receive each day. You can read the
article at the following URL:

Recently Yahoo!, developer of the DomainKeys technology, submitted a
draft to the Internet Engineering Task Force (IETF) that outlines the
basics of the technology. As you'll learn when you read the draft,
which is linked in the related news story, "Yahoo Publishes IETF Draft
For DomainKeys," in this edition of the newsletter, Yahoo! still has
plenty of work to do on DomainKeys.

The developers of SPF technology have also submitted a draft proposal
to the IETF (see the first URL below), and Microsoft has also
submitted a draft proposal for Caller ID for E-Mail. You can learn
more about SPF and Caller ID at the second, third, and fourth URLs

In essence, DomainKeys technology works by digitally signing email
messages, then attempting to verify digital signatures by
communicating with the domain that allegedly sent the email message.
SPF and Caller ID try to verify the alleged sending domain of a given
email message, but they don't use digital signatures. At the time of
this writing, both SPF and Caller ID try to verify that the mail
headers of a given message haven't been forged (as is the case with a
lot of junk mail) by checking particular DNS records (specially
formatted TXT records) against records written into mail headers.
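
The SPF check described above, as an added example that is not part of
the original newsletter: the receiver fetches the alleged sending
domain's TXT records and tests the connecting client's IP address
against the mechanisms published there. The record, addresses, and
function names are constructed for illustration; the syntax follows
SPF as later standardized in RFC 7208, and only the ip4, ip6, and all
mechanisms are evaluated because the others need live DNS lookups.

```python
import ipaddress

# Constructed sample: TXT records as a resolver might return them for
# example.com (documentation domain and address ranges, not real data).
SAMPLE_TXT = [
    "constructed-note=this-is-not-an-spf-record",
    "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 ~all",
]

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def find_spf_record(txt_records):
    """Return the single v=spf1 record, or None; more than one is an error."""
    spf = [r for r in txt_records if r.lower().split(" ")[0] == "v=spf1"]
    if len(spf) > 1:
        raise ValueError("multiple SPF records published")
    return spf[0] if spf else None


def check_sender_ip(client_ip, txt_records):
    """Evaluate ip4/ip6/all mechanisms left to right against client_ip."""
    record = find_spf_record(txt_records)
    if record is None:
        return "none"  # domain publishes no policy; nothing to verify
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism without a qualifier means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name not in ("ip4", "ip6"):
            return "unsupported"  # a, mx, include, redirect= need DNS
        try:
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:
            return "permerror"  # malformed network in the published record
        if ip.version == net.version and ip in net:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no "all" term present
```

A "softfail" or "fail" result says only that the connecting host is not
one the domain lists; what the receiver does with the message is a
local policy decision.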

Although all three technologies provide reasonable ways to verify an
email message's origin, they all contain problems that determined
spammers could exploit. Thus none of the technologies is an end-all
solution for junk mail. However, using all three technologies together
might improve the ability to curb unwanted email.

As was pointed out on the IETF Anti-Spam Research Group (ASRG) mailing
list, even with all three of the proposed technologies in place,
domain operators can further reduce junk mail by adding other
technologies, such as those that ban senders, domains, and sets of IP
addresses (commonly referred to as blacklisting). But even combining
all these technologies won't completely eliminate junk mail.

So far, the only solutions I've seen that can eliminate nearly all
unwanted email are the types that use some sort of challenge and
response system. For example, some solutions require a sender to visit
a Web page the first time he or she sends an email to a certain user.
At the Web page, the sender might have to type in a keyword shown on
the screen or perform some other type of response. Other solutions
might use email to deliver and process the challenge and response.
These solutions are minor inconveniences for most people, but they
often present major problems for sightless individuals.

Even though many thousands of networks and software vendors, including
AOL, Earthlink, Google, Symantec, and Brightmail, have already
integrated SPF and thousands of others are undoubtedly slated to begin
using DomainKeys or Caller ID or both, many people will continue to
receive more junk mail than they care to tolerate. And because even a
combined set of the current and proposed solutions won't satisfy every
network's needs, we'll likely see more solutions become available.

Incidentally, Symantec recently purchased Brightmail for approximately
$370 million. Brightmail provides solutions that guard against spam,
spoofed email, viruses, and more. Given Brightmail's extensive client
base of major corporations, including AT&T, Microsoft, Cisco Systems,
Lucent Technologies, Motorola, and eBay, the deal will permit Symantec
to provide an even more rounded solution for email processing. You can
read about the acquisition at Brightmail's Web site.



==== 2. Security News and Features ====

Recent Security Vulnerabilities
   If you subscribe to this newsletter, you also receive Security
Alerts, which inform you about recently discovered security
vulnerabilities. You can also find information about these discoveries

News: Yahoo Publishes IETF Draft for DomainKeys
   Yahoo submitted a draft of its proposed junk mail solution,
DomainKeys, to the Internet Engineering Task Force (IETF). The
proposal outlines the concepts and some of the technical
specifications that could be implemented on mail servers to help
verify the identity of the actual domain used to send email messages.
Yahoo anticipates that such identification will help pinpoint people
who send unwanted or illegal email solicitations.

News: 20 Tips on Securing Outlook in 20 Minutes
   Windows & .NET Magazine author Paul Robichaux wrote a book, "Secure
Messaging with Exchange Server 2003," which is published by Microsoft
Press. An excerpt chapter from the book, "20 Tips on Securing Outlook
in 20 Minutes," is now available online to help people secure their
Outlook clients.

News: Microsoft Identity and Access Management Series
   Microsoft published a new article series, "Identity and Access
Management," which helps explain how digital identity can be
implemented and used to access network resources.

News: Shavlik Technologies Partners with NetIQ and ENDFORCE
   Shavlik Technologies announced it has entered into partnering
agreements with NetIQ and ENDFORCE. The two companies will incorporate
Shavlik's HFNetChkPRO patch-management software into their respective
enterprise solutions.



==== 4. Security Toolkit ====

FAQ: What's the Account Lockout Status Tool?
   by John Savill, http://www.winnetmag.com/windowsnt20002003faq

A. The Account Lockout Status tool (lockoutstatus.exe) displays
lockout information for a specified user by querying every contactable
domain controller (DC) in the user's domain. You can download the
Account Lockout Status tool at
To use the tool, you must be running Windows 2000 Service Pack 3 (SP3)
or later. To install lockoutstatus.exe, perform the following steps:

   1. Download the Account Lockout Status tool, then execute the
downloaded lockoutstatus.msi file.
   2. Click Next to start the installation wizard.
   3. Check "I accept the terms in the license agreement" and click
   4. Click Install Now.
   5. After installation is complete, click Finish.

By default, the tool is installed in the C:\program files\windows
resource kits\tools folder. Double-click lockoutstatus.exe. From the
tool's File menu, click Select Target and enter the user whose status
you want to check. You'll see a window, like the one in the figure at
Figure, which displays the user's lockout information.

You can also check a user's lockout information at the command line.
To do so, enter the following command where the suffix after -u is the

   lockoutstatus -u:administrator@savilltech.com

Featured Thread: Blackberry Server behind ISA
   (Two messages in this thread)
   A reader writes that he needs to use BlackBerry devices from behind
a Microsoft Internet Security and Acceleration (ISA) Server, but he's
having some trouble defining rules for the ports. He needs to open TCP
port 3101 for bidirectional traffic and wants to know how to do it
properly. He created a packet filter with the following
characteristics: IP Protocol: TCP, Direction: Outbound, Local port:
Fixed Port, Local Port Number 3101, Remote Port: All Ports, Remote
Ports: Subdued. However, that approach doesn't work, and he wants to
know what he's doing wrong. Lend a hand or read the responses:



==== 5. New and Improved ====
   by Jason Bovberg, products at winnetmag.com

Enterprise-Class Firewall for the Small Business
   Comodo Trustix announced that its new entry level for the Trustix
Firewall is five users and more. Trustix Firewall gives small and
midsized businesses the benefits of an enterprise-class
firewall-management solution. You can install and set up the product
in less than 25 minutes. Trustix Firewall's GUI makes the product
easily configurable, saving you money on time, maintenance, and
licensing costs. Trustix Firewall is part of a portfolio of
business-infrastructure solutions, which include Trustix LAN Server
for file sharing, Trustix Mail Server for communication, and Trustix
Web Server for interaction with business partners and customers. Each
product is ready to use out of the box and benefits from the
platform-independent Xploy utility. Trustix Firewall costs $270. For
more information about the product, contact Comodo Trustix on the Web.

Tell Us About a Hot Product and Get a T-Shirt!
   Have you used a product that changed your IT experience by saving
you time or easing your daily burden? Tell us about the product, and
we'll send you a Windows & .NET Magazine T-shirt if we write about the
product in a future Windows & .NET Magazine What's Hot column. Send
your product suggestions with information about how the product has
helped you to whatshot at winnetmag.com.



==== Contact Us ====

About the newsletter -- letters at winnetmag.com
About technical questions -- http://www.winnetmag.com/forums
About product news -- products at winnetmag.com
About your subscription -- securityupdate at winnetmag.com
About sponsoring Security UPDATE -- emedia_opps at winnetmag.com



Windows & .NET Magazine, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2004, Penton Media, Inc. All rights reserved.