[ISN] Security UPDATE -- Hacking IIS 6.0 -- April 13, 2005

InfoSec News isn at c4i.org
Thu Apr 14 08:55:40 EDT 2005


This email newsletter comes to you free and is supported by the 
following advertisers, which offer products and services in which 
you might be interested. Please take a moment to visit these 
advertisers' Web sites and show your support for Security UPDATE. 

Centralized Desktop Configuration from ScriptLogic

Converting a Microsoft Access Application to Oracle HTML DB


1. In Focus: Hacking IIS 6.0

2. Security News and Features
   - Recent Security Vulnerabilities
   - Eight Security Patches from Microsoft
   - Help with HIPAA, SOX, and GLBA Compliance
   - Auditing Permission Changes on a Folder 

3. Security Toolkit
   - Security Matters Blog
   - FAQ
   - Security Forum Featured Thread

4. New and Improved
   - Keep Track of Your Registry


==== Sponsor: ScriptLogic ====

Centralized Desktop Configuration from ScriptLogic
   Get a free T-shirt after you evaluate ScriptLogic's Desktop 
Authority. Desktop Authority is the award-winning desktop management 
solution that combines the functionality of logon scripting, group 
policies, and user profiles, plus Remote Management. What's unique to 
Desktop Authority is that you can use its patented Validation Logic 
technology to centrally determine how, when, and where desktops are 
configured! Centrally configure drive mappings, printer deployments, 
security policies and more from an easy to use point and click 
management console. Eliminate Roaming Profiles and the hassle and 
complexity of maintaining logon scripts!
   Download a free 30-day evaluation of Desktop Authority and receive a 
free ScriptLogic T-shirt. Evaluate now at


==== 1. In Focus: Hacking IIS 6.0 ====
   by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Have you heard about Windows IT Pro's "Hack IIS 6.0 Challenge"? Roger 
Grimes will secure a Microsoft IIS 6.0 system and make it available on 
the Internet April 17 through June 8 so that people can try to break 
into it. In the July issue, Roger will write about how he secured the 
system and what happened during the contest. For more information about 
the contest, go to

I've already read messages on one security mailing list from people 
complaining about the challenge or poking fun at it. One person wrote 
that it's a ploy to gather zero-day (previously unpublished) exploits. 
I don't know whether anybody will collect packets during the contest or 
whether such packets will be examined to learn more about how people 
approach hacking an IIS 6.0 box. But such forensic analysis might 
occur. Would that be a bad thing? 

There were also comments that the contest is an attempt to identify 
hackers and arrest them. That notion is laughable (and probably based 
in paranoia) given the fact that people have been invited to hack the 

Some people also felt that such challenges don't work because of 
eventual Denial of Service (DoS) attacks. One person mentioned that the 
hackiis6.com site is located on the same subnet as the magazine's Web 
farm. So if somebody decides to launch a Distributed DoS (DDoS) attack 
against the site, it could overwhelm the gateway and thereby render all 
sites behind the gateway unavailable. That's true. But the hackiis6.com 
site is only an information site. It's not the actual system that will 
be made available for hacking. Sometime in the next week, further 
information will become available at the hackiis6.com site, so check 
back to learn more details, including the address of the system to 

People also pointed out that the challenge can't really prove that the 
site is secure. If no one manages to break into the site, it might just 
be because somebody who might know how to break in doesn't take part in 
the challenge. That's rational; we should probably assume that somebody 
somewhere knows how to break any particular piece of software. It's a 
widely held opinion that no system is completely secure.

We could enjoy the challenge for exactly what it is--a challenge--
without trying to read all sorts of motives into it. Many people attend 
various hacker conferences at which such challenges are relatively 
common. The main difference here is that this challenge is open to the 
public. It's a way to test your skills and have some fun trying to find 
a way to breach security. That's it. 

Speaking of contests, the Windows IT Pro annual Readers' Choice contest 
is underway. Vote for your favorite IT products and reward companies 
that provide excellent products and services. The September 2005 issue 
of Windows IT Pro will feature the winners. To vote, go to

And, finally, if you use the Windows IT Pro Web site, you might be 
happy to have a chance to tell us how to improve it. Give us your 
opinion in the usability survey at 


==== Sponsor: Oracle ====

Converting a Microsoft Access Application to Oracle HTML DB
   Get the most efficient, scaleable and secure approach to managing 
information using an Oracle Database with a Web application as the user 
interface. In this free white paper learn how you can use an Oracle 
HTML Database to convert a Microsoft Access application into a Web 
application that can be used by multiple users concurrently. You'll 
learn how to improve the original application by adding hit 
highlighting and an authorization scheme to provide access control to 
different types of users. Download this free white paper now!


==== 2. Security News and Features ====

Recent Security Vulnerabilities
   If you subscribe to this newsletter, you also receive Security 
Alerts, which inform you about recently discovered security 
vulnerabilities. You can also find information about these 
discoveries at

Eight Security Patches from Microsoft
   Yesterday, April 12, was Patch Tuesday for Windows users, and 
Microsoft released eight security patches. The company also announced 
that beginning this month, it will change its Security Bulletin Advance 
Notification information provisioning to include other useful 

Help with HIPAA, SOX, and GLBA Compliance
   Vigilar announced a new service aimed at helping companies comply 
with the Sarbanes-Oxley (SOX) Act, the Gramm-Leach-Bliley (GLB) Act, 
and the Health Insurance Portability and Accountability Act (HIPAA). A 
compelling feature of Vigilar's new AuditPass program is that it 
guarantees that your company will pass compliance and audit checks.

Auditing Permission Changes on a Folder
   Randy Franklin Smith points out that you'll need to enable auditing 
for successful object-access events on the servers on which the folders 
reside and you'll need to enable auditing on the folders you want to 
monitor. You'll also need to look for specific events in the Security 
log. Learn the details in this article on our Web site. 


==== Resources and Events ====

Does Windows Server 2003 Service Pack 1 Live Up to Expectations?
   What can you expect when you deploy SP1 in real life? Join industry 
guru Michael Otey as he reviews the service pack and answers your 
questions about Windows Firewall, data execution prevention (DEP), 
boot-time protection, the anxiously awaited Security Configuration 
Wizard (SCW), and more.

Get Ready for SQL Server 2005 Roadshow in a City Near You
   Get the facts about migrating to SQL Server 2005. SQL Server experts 
will present real-world information about administration, development, 
and business intelligence to help you implement a best-practices 
migration to SQL Server 2005 and improve your database computing 
environment. Attend and receive a 1-year membership to PASS and 1-year 
subscription to SQL Server Magazine. Register now!

Attend the Black Hat Briefings
   Attend the Black Hat Briefings & Training USA, July 23-28, 2005 in 
Las Vegas. World renowned security experts reveal tomorrow's threats 
today. Free of vendor pitches, the briefings are designed to be 
pragmatic regardless of your security environment. Featuring 25 hands-
on training courses and 10 conference tracks. Lots of Windows stuff 

Ensure SQL Server High Availability
   In this free Web seminar, discover how to maintain business 
continuity of your IT systems during routine maintenance and unplanned 
disasters. Learn critical factors for establishing a secure and highly 
available environment for SQL Server including overcoming the 
technology barriers that affect SQL Server high availability. Find out 
about Microsoft's out-of-the-box high-availability technologies, 
including clustering, log shipping, and replication. Register Now!

Protect the Rest of Your Exchange Infrastructure
   There is more to data protection for Exchange than protecting mail 
and mail servers. In this free Web seminar, you'll learn some methods 
for anticipating, avoiding, and overcoming technical problems that can 
affect your Exchange environment, including corruption or errors in 
Active Directory, DNS problems, configuration errors, service pack 
installation problems, and more. Register now!


==== Featured White Paper ====

Quantify the Business Benefits of ITSM
   This free white paper explores how to meet IT infrastructure's needs 
and manage crucial support and service processes by implementing Help 
desk, problem, change, configuration, and service-level agreement (SLA) 
management into a single workflow. Improve productivity and service 
delivery quality while reducing costs, resources, and downtime in your 
organization. Download it now!


==== Hot Release ====

High Availability for Windows Services
   It is no stretch to say that Windows high availability must be a 
fundamental element in your short- and long-term strategic IT planning. 
This free white paper discusses the core issues surrounding Windows 
high availability, with a focus on business drivers and benefits. 
You'll learn about the current market solutions, technologies and real-
world challenges including cost-benefit analyses. Plus, find out how to 
assess technical elements required in choosing a high availability 
solution, including the robustness of the technology, time-to-failover, 
and implementation difficulties. Download this white paper now!


==== 3. Security Toolkit ==== 

Security Matters Blog 
   by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=7622:4FB69

Need a Security Scorecard?
   Looking for a simple way to assess desktop security? PivX Solutions 
just released a new tool, PreView, that can tell you whether your 
firewall offers enough protection, whether you're missing necessary 
patches, and more. 

   by John Savill, http://list.windowsitpro.com/t?ctl=7620:4FB69 

Q: Do I need to take any special steps when restoring a backup of my 
Relative Identifier (RID) master?

Find the answer at

Security Forum Featured Thread: AD Permissions
   A forum participant is having trouble restricting permissions in 
Windows Server 2003. He's running Active Directory (AD) in Mixed Mode 
and has a few global groups that need access to resources on a member 
server. However, anyone--not just the intended groups--can access the 
folders and subfolders that he's trying to secure. Join the discussion 


==== Announcements ====
   (from Windows IT Pro and its partners)

Check Out the New Windows IT Security Newsletter!
   Security Administrator is now Windows IT Security. We've expanded 
our content to include even more fundamentals on building and 
maintaining a secure enterprise. Each issue also features product 
coverage of the best security tools available and expert advice on the 
best way to implement various security components. Plus, paid 
subscribers get online access to our entire security article database! 
Click here to try a sample issue today:

Nominate Yourself or a Friend for the MCP Hall of Fame
   Are you a top-notch MCP who deserves to be a part of the first-ever 
MCP Hall of Fame? Get the fame you deserve by nominating yourself or a 
peer to become a part of this influential community of certified 
professionals. You could win a VIP trip to Microsoft and other valuable 
prizes. Enter now--it's easy:


==== 4. New and Improved ====
   by Renee Munshi, products at windowsitpro.com

Keep Track of Your Registry
   ElcomSoft has released Advanced Registry Tracer 2.0, a utility that 
lets you analyze changes made to your registry (whether by Trojan horse 
programs, viruses, or software installations or removals) and store 
snapshots of the registry in a database so that you can easily restore 
the registry when you encounter problems. New features in version 2.0 
include the ability to define scanning and comparison filters, an 
object-tweaking feature that lets you safely experiment with registry 
values, a new database format that reduces the size of the database, 
the ability to compare keys in command-line mode, faster registry file 
exports, and an improved interface. Advanced Registry Tracer 2.0 runs 
under Windows 95/98/Me/NT4/2000/XP and costs $40 for a single-user 
license. For more information, go to

Tell Us About a Hot Product and Get a T-Shirt!
   Have you used a product that changed your IT experience by saving 
you time or easing your daily burden? Tell us about the product, and 
we'll send you a T-shirt if we write about the product in a future 
Windows IT Pro What's Hot column. Send your product suggestions with 
information about how the product has helped you to 
   whatshot at windowsitpro.com.

Editor's note: Share Your Security Discoveries and Get $100
   Share your security-related discoveries, comments, or problems and 
solutions in the Windows IT Security print newsletter's Reader to 
Reader column. Email your contributions (500 words or less) to 
r2rwinitsec at windowsitpro.com. If we print your submission, you'll 
get $100. We edit submissions for style, grammar, and length.


==== Sponsored Links ====

Quest Software
   Heading to Exchange from Notes or GroupWise? Get Expert Help!


==== Contact Us ==== 

About the newsletter -- letters at windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=7625:4FB69
About product news -- products at windowsitpro.com
About your subscription -- windowsitproupdate at windowsitpro.com
About sponsoring Security UPDATE -- emedia_opps at windowsitpro.com


This email newsletter is brought to you by Windows IT Security, 
the leading publication for IT professionals securing the Windows 
enterprise from external intruders and controlling access for 
internal users. Subscribe today.

View the Windows IT Pro privacy policy at

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2005, Penton Media, Inc. All rights reserved.

More information about the ISN mailing list