[ISN] Security UPDATE-- Group Policy and Corporate Policy--October 13, 2004

InfoSec News isn at c4i.org
Thu Oct 14 04:52:15 EDT 2004


This email newsletter comes to you free and is supported by the
following advertisers, which offer products and services in which you
might be interested. Please take a moment to visit these advertisers'
Web sites and show your support for Security UPDATE.

The Unofficial Guide to IM for Executives

Security Administrator


1. In Focus: Group Policy and Corporate Policy

2. Security News and Features
   - Recent Security Vulnerabilities
   - Modify Your ASP.NET Applications for Added Security
   - Microsoft Working on Spyware Solution

3. Security Matters Blog
   - Security Fixes Available for Mac OS X
   - Security Update for Firefox Preview Release

4. Security Toolkit
   - FAQ
   - Security Forum Featured Thread

5. New and Improved
   - Use Certificates to Secure Your Files
   - Monitor Keystrokes, Passwords, Emails, and Web Site Visits



In September, we converted our email newsletters to HTML. This change
was based on audience feedback that led us to believe the scale had
tipped in the favor of HTML email newsletters.

Wow, did you ever chime in with feedback on this one! You resoundingly
told us, "Don't take away my text newsletters!" More than 1000 (and
counting) of you have taken time out of your busy day to tell how you
want your email newsletters delivered.

Now we're moving email newsletters back to text format. At the top of
this newsletter, we've included a link for any reader who wants to
sign up for the HTML format, which we will offer again when demand for
this format has built up.

It's wonderful to see how responsive our audience is and how much you
care about the content. We want to continue providing high-value
content in these free email newsletters. Our sponsors and your clicks
are what allow us to produce this high-quality content for free in the
email newsletters.

We have been overwhelmed by your response and appreciate this
incredible testament to the deep community relationship we have with
you. In a meeting the other day, we were discussing how cool it is
that thousands of you felt strongly enough to take the time to write
us an email and tell us your thoughts!

We work really hard to listen to you, our loyal (and opinionated!)
audience, and we feel privileged to have been the hub of this
incredibly active Windows IT community over the past 10 years. Keep
the feedback coming, because you know we're listening!

Best regards,
Karen Forster


==== Sponsor: Akonix ====
   The Unofficial Guide to IM for Executives
   This free white paper will help managers, directors and executives
in all types of businesses understand Instant Messaging and the
powerful benefits it brings to the workplace when properly managed and
controlled. According to Giga Information Group, a large majority of
mid- to large-sized organizations have no formal IT support for IM.
This means employees are often logging onto public IM networks without
permission and without protection from viruses and worms, corporate
policy control or the ability to monitor and log conversations. Start
protecting your organization and get the white paper now!


==== 1. In Focus: Group Policy and Corporate Policy ====
   by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Recently on a popular mailing list devoted to security on Microsoft
platforms, a member explained that he had configured Group Policy to
prevent people from installing unapproved software on their systems.
He wrote that he wasn't content with Group Policy Objects (GPOs),
because they only block the installation of software packaged in
Windows Installer (.msi) files, which means that executables could
still run and install programs.

In response, another list member suggested that administrators could
adjust ACLs on areas of the registry (such as the
subkey) and on directories (such as the Program Files directory) to
restrict regular user accounts from having write access, which would
prevent the installation of software. These actions could work but
might break some applications that need to write to those areas of the
registry and file system.
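Before tightening ACLs the way the list member suggests, an administrator would want to know what "regular user" principals can currently write to those locations. The following PowerShell audit is an added example (not code from the newsletter or the list thread) that reports Allow ACEs granting write-type rights to broad, non-administrative principals on the Program Files directory and the HKLM\SOFTWARE key; the principal list and the two target locations are assumptions chosen for the example.

```powershell
# Added example, not from the newsletter or the mailing-list thread.
# Reports Allow ACEs that grant write-type rights to broad principals
# on the locations the thread proposed tightening. Run elevated.

# Assumption: these are the principals a "regular user" resolves to.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

function Get-BroadWriteAccess {
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }

        # File-system and registry ACEs carry different rights enums.
        if ($ace -is [System.Security.AccessControl.FileSystemAccessRule]) {
            $rights    = $ace.FileSystemRights
            $writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'
        } else {
            $rights    = $ace.RegistryRights
            $writeMask = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, WriteKey, FullControl'
        }
        if (($rights -band $writeMask) -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $ace.IdentityReference.Value
                Rights    = $rights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Assumption: the Program Files directory and HKLM\SOFTWARE are the
# areas the list members had in mind.
$Targets = @($env:ProgramFiles, 'HKLM:\SOFTWARE')
$Targets | ForEach-Object { Get-BroadWriteAccess -Path $_ } |
    Format-Table -AutoSize
```

An empty table means none of the listed principals can write at those locations; rows marked Inherited come from a parent object and have to be changed at the parent (or by disabling inheritance) rather than on the listed path itself.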

Another list member suggested that administrators could configure
restrictions that prevent programs such as setup.exe and install.exe
from running. This might work too, but some users will realize they
can simply rename typical installation programs and the programs will
run just fine.

Obviously, a combination of tactics is required. Completely
restricting people from installing software on their systems, whether
you use controls built into the OS or add-on controls from third
parties, is challenging. The further you programmatically restrict
activity on a system, the greater chance you have of breaking some
application that users need.

As I read the message thread, it became clearer how much
administrators struggle to outmaneuver the people who use the
computers on their networks. It seems to me that there is an
additional, less stressful way to address this particular problem.
Companies can establish written guidelines that explain exactly what
employees are allowed and not allowed to do with company computers and
make employees liable for any misuse of company computers to deter
employees from acting outside the guidelines.

If someone installs software on a computer without permission,
somewhere along the line, an administrator will probably have to
uninstall that software or rebuild the system to ensure some desired
level of system integrity. This work costs the company money and is
basically a waste of company time. So why not consider a corporate
policy that lets you charge the negligent employee for the time and
labor needed to restore a system to its original configuration? Of
course, you could also add even stronger deterrents to your policies
if your situation warrants them.


==== Sponsor: Security Administrator ====
   Try a Sample Issue of Security Administrator! Security
Administrator is the monthly newsletter from Windows IT Pro that shows
you how to protect your network from external intruders and control
access for internal users. Sign up now to get a 1-month trial
issue--you'll feel more secure just knowing you did. Click here!


==== 2. Security News and Features ====

Recent Security Vulnerabilities
   If you subscribe to this newsletter, you also receive Security
Alerts, which inform you about recently discovered security
vulnerabilities. You can also find information about these discoveries

Modify Your ASP.NET Applications for Added Security
   The new Microsoft article "Programmatically check for
canonicalization issues with ASP.NET" (
http://support.microsoft.com/?kbid=887459 ) recommends program code
adjustments for applications that use ASP.NET. The changes will help
strengthen overall security because they prevent intruders from
gaining access to files they shouldn't be able to access.

Microsoft Working on Spyware Solution
   During a recent trip to the Computer History Museum in Mountain
View, California, Microsoft Chairman and Chief Software Architect Bill
Gates revealed that his company is working on an antispyware software
solution. Gates didn't say when the company would ship the technology
or whether it would be bundled with Windows or shipped as a standalone


==== Announcements ====
   (from Windows IT Pro and its partners)

Get the Charter Issue of Windows IT Pro!
   Windows & .NET Magazine is now Windows IT Pro! Act now to get our
special charter issue rate of just $39.95--that's 52% off the cover
price! The September issue shows you how to plug DNS holes and select
the best scripting editor, plus learn more about the business side of
IT. And discover the top 10 PC trends we think you need to keep an eye
on. This is a limited-time offer, so order today!

Microsoft Exchange Connections October 24-27 in Orlando, FL
   Microsoft and Windows IT Pro team up to produce the essential
conference for network administrators and IT managers on Exchange
Server and Outlook technology. Register early, and attend sessions at
concurrently run Windows Connections for free. See the complete
conference brochure online or call 800-505-1201 for more information.

Join Itzik Ben-Gan, William Vaughn, and Gert Drapers in Brussels!
   Learn from SQL Server Magazine experts at Europe's premiere SQL
Server event--Brussels SQL Server Day on October 26. Join Microsoft
and SQL Server Magazine for a free, full-day event that gives SQL
Server users the tools they need to unleash the power of SQL Server
2000, deploy SQL Server Express, and get ready for SQL Server 2005.
Register now!


==== 3. Security Matters Blog ====
   by Mark Joseph Edwards, http://www.windowsitpro.com/securitymatters

Check out these recent entries in the Security Matters blog:

Security Fixes Available for Mac OS X
   For those of you who support Apple systems on your network, be
aware that a new set of security patches for Apple Mac OS X is
available now.

Security Update for Firefox Preview Release
   If you're using the Mozilla Firefox Web browser, you might need to
install an update to protect your systems against possible attacks. On
September 29, Alex Vincent reported a vulnerability that might let
intruders delete files on a user's system. Mozilla issued an update
for the browser on October 1.

==== 4. Security Toolkit ====

FAQ
   by John Savill, http://www.windowsitpro.com/windowsnt20002003faq

Q: Why can't clients view a Web site that I'm hosting on a system that
has Windows XP Service Pack 2 (SP2) installed?

Find the answer at

Security Forum Featured Thread
   A reader writes that he wants to move some data into a shared
read-only area in his file system. The data should ideally retain its
current permissions to the extent that only those with access now can
still access the data after the migration. To achieve this goal, he
proposes to use the Everyone group with a "deny" attribute to ensure
that, despite existing permissions, the highest level of access
available to the user community will be read-only. He would also like
to prevent anyone from mass-copying data out of this area. He wants to
know whether what he's trying to achieve is possible and, if so, how
he can do it. Join the discussion at


==== Events Central ====
   (A complete Web and live events directory brought to you by Windows
IT Pro at http://www.windowsitpro.com/events )

Are You "Getting By" Using Fax Machines or Relying on a Less Savvy
Solution That Doesn't Offer Truly Integrated Faxing from Within User
   Attend this free Web seminar and learn what questions to ask when
selecting an integrated fax solution, discover how an integrated fax
solution is more efficient than traditional faxing methods, and
discover how to select the fax technology that's right for your
organization. Register now!


==== 5. New and Improved ====
   by Renee Munshi, products at windowsitpro.com

Use Certificates to Secure Your Files
   EldoS offers EldoS PKI Tools, which encrypts and signs files using
X.509 certificates and manages the certificates. EldoS PKI Tools lets
you perform simple file operations such as packing files into a .zip
archive, sending files as email attachments, and securely deleting
files. You can also perform advanced security operations such as
signing and encrypting files and folders. All operations are performed
with just a few clicks. EldoS PKI Tools uses digital certificates
instead of passwords to provide better information security and
integrity. EldoS PKI Tools supports smart cards and USB tokens for
storing certificates. EldoS PKI Tools runs on Windows
2003/XP/2000/Me/98. For more information, or to purchase and download
EldoS PKI Tools, go to

Monitor Keystrokes, Passwords, Emails, and Web Site Visits
   iOpus Software's ActMon replaces STARR PC & Internet Monitor.
ActMon monitoring software claims several unique features:
"kernel-level" file protection that makes files completely
inaccessible and invisible to unauthorized users, "kernel-level"
keyboard recording that even logs the keystrokes entered during
Windows XP/2000 logon, and an activity data log that's protected with
256-bit encryption and that can run in an endless loop. In addition to
its unique features, ActMon performs the usual monitoring tasks,
tracking keyboard strokes, passwords, incoming and outgoing chat
conversations, email messages, and visited Web sites. The ActMon PRO
Edition adds advanced features such as flexible network functions to
send and receive reports via the Internet or a local network. ActMon
PRO costs $69.95, with discounts available for multiple users, sites,
and nonprofit organizations. ActMon runs under Windows
2003/XP/2000/Me/98. You can purchase ActMon or download a free 30-day
trial version at

Tell Us About a Hot Product and Get a T-Shirt!
   Have you used a product that changed your IT experience by saving
you time or easing your daily burden? Tell us about the product, and
we'll send you a T-shirt if we write about the product in a future
Windows IT Pro What's Hot column. Send your product suggestions with
information about how the product has helped you to
whatshot at windowsitpro.com.

Editor's note: Share Your Security Discoveries and Get $100
   Share your security-related discoveries, comments, or problems and
solutions in the Security Administrator print newsletter's Reader to
Reader column. Email your contributions (500 words or less) to
r2rsecadmin at windowsitpro.com. If we print your submission, you'll get
$100. We edit submissions for style, grammar, and length.


==== Contact Us ====

About the newsletter -- letters at windowsitpro.com
About technical questions -- http://www.windowsitpro.com/forums
About product news -- products at windowsitpro.com
About your subscription -- windowsitproupdate at windowsitpro.com
About sponsoring Security UPDATE -- emedia_opps at windowsitpro.com


This email newsletter is brought to you by Windows IT Pro,
the leading publication for IT professionals deploying Windows and
related technologies. Subscribe today.

View the Windows IT Pro privacy policy at

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2004, Penton Media, Inc. All rights reserved.
