[ISN] Security UPDATE -- Hacking IIS 6.0 -- April 13, 2005
isn at c4i.org
Thu Apr 14 08:55:40 EDT 2005
This email newsletter comes to you free and is supported by the
following advertisers, which offer products and services in which
you might be interested. Please take a moment to visit these
advertisers' Web sites and show your support for Security UPDATE.
Centralized Desktop Configuration from ScriptLogic
Converting a Microsoft Access Application to Oracle HTML DB
1. In Focus: Hacking IIS 6.0
2. Security News and Features
- Recent Security Vulnerabilities
- Eight Security Patches from Microsoft
- Help with HIPAA, SOX, and GLBA Compliance
- Auditing Permission Changes on a Folder
3. Security Toolkit
- Security Matters Blog
- Security Forum Featured Thread
4. New and Improved
- Keep Track of Your Registry
==== Sponsor: ScriptLogic ====
Centralized Desktop Configuration from ScriptLogic
Get a free T-shirt after you evaluate ScriptLogic's Desktop
Authority. Desktop Authority is the award-winning desktop management
solution that combines the functionality of logon scripting, group
policies, and user profiles, plus Remote Management. What's unique to
Desktop Authority is that you can use its patented Validation Logic
technology to centrally determine how, when, and where desktops are
configured! Centrally configure drive mappings, printer deployments,
security policies and more from an easy-to-use point-and-click
management console. Eliminate Roaming Profiles and the hassle and
complexity of maintaining logon scripts!
Download a free 30-day evaluation of Desktop Authority and receive a
free ScriptLogic T-shirt. Evaluate now at
==== 1. In Focus: Hacking IIS 6.0 ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net
Have you heard about Windows IT Pro's "Hack IIS 6.0 Challenge"? Roger
Grimes will secure a Microsoft IIS 6.0 system and make it available on
the Internet April 17 through June 8 so that people can try to break
into it. In the July issue, Roger will write about how he secured the
system and what happened during the contest. For more information about
the contest, go to
I've already read messages on one security mailing list from people
complaining about the challenge or poking fun at it. One person wrote
that it's a ploy to gather zero-day (previously unpublished) exploits.
I don't know whether anybody will collect packets during the contest or
whether such packets will be examined to learn more about how people
approach hacking an IIS 6.0 box. But such forensic analysis might
occur. Would that be a bad thing?
There were also comments that the contest is an attempt to identify
hackers and arrest them. That notion is laughable (and probably based
in paranoia) given the fact that people have been invited to hack the
Some people also felt that such challenges don't work because of
eventual Denial of Service (DoS) attacks. One person mentioned that the
hackiis6.com site is located on the same subnet as the magazine's Web
farm. So if somebody decides to launch a Distributed DoS (DDoS) attack
against the site, it could overwhelm the gateway and thereby render all
sites behind the gateway unavailable. That's true. But the hackiis6.com
site is only an information site. It's not the actual system that will
be made available for hacking. Sometime in the next week, further
information will become available at the hackiis6.com site, so check
back to learn more details, including the address of the system to
People also pointed out that the challenge can't really prove that the
site is secure. If no one manages to break into the site, it might just
be because somebody who might know how to break in doesn't take part in
the challenge. That's rational; we should probably assume that somebody
somewhere knows how to break any particular piece of software. It's a
widely held opinion that no system is completely secure.
We could enjoy the challenge for exactly what it is--a challenge--
without trying to read all sorts of motives into it. Many people attend
various hacker conferences at which such challenges are relatively
common. The main difference here is that this challenge is open to the
public. It's a way to test your skills and have some fun trying to find
a way to breach security. That's it.
Speaking of contests, the Windows IT Pro annual Readers' Choice contest
is underway. Vote for your favorite IT products and reward companies
that provide excellent products and services. The September 2005 issue
of Windows IT Pro will feature the winners. To vote, go to
And, finally, if you use the Windows IT Pro Web site, you might be
happy to have a chance to tell us how to improve it. Give us your
opinion in the usability survey at
==== Sponsor: Oracle ====
Converting a Microsoft Access Application to Oracle HTML DB
Get the most efficient, scalable and secure approach to managing
information using an Oracle Database with a Web application as the user
interface. In this free white paper learn how you can use an Oracle
HTML Database to convert a Microsoft Access application into a Web
application that can be used by multiple users concurrently. You'll
learn how to improve the original application by adding hit
highlighting and an authorization scheme to provide access control to
different types of users. Download this free white paper now!
==== 2. Security News and Features ====
Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security
Alerts, which inform you about recently discovered security
vulnerabilities. You can also find information about these
Eight Security Patches from Microsoft
Yesterday, April 12, was Patch Tuesday for Windows users, and
Microsoft released eight security patches. The company also announced
that beginning this month, it will change its Security Bulletin Advance
Notification information provisioning to include other useful
Help with HIPAA, SOX, and GLBA Compliance
Vigilar announced a new service aimed at helping companies comply
with the Sarbanes-Oxley (SOX) Act, the Gramm-Leach-Bliley (GLB) Act,
and the Health Insurance Portability and Accountability Act (HIPAA). A
compelling feature of Vigilar's new AuditPass program is that it
guarantees that your company will pass compliance and audit checks.
Auditing Permission Changes on a Folder
Randy Franklin Smith points out that to track permission changes you
need three things: enable auditing of successful object-access events on
the servers where the folders reside, enable auditing on each folder you
want to monitor, and then look for the specific permission-change events
in the Security log. Learn the details in this article on our Web site.
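The three steps above, worked through in PowerShell as an added example
(this is not code from the article or from Randy Franklin Smith). It
assumes a Windows version with per-subcategory audit policy and the
4670 "Permissions on an object were changed" event (Vista/Server 2008
and later; the Windows Server 2003 system the article targets logs
different event IDs), an elevated session, and a placeholder folder
path. The property indexes used to pull fields out of the event are an
assumption about the layout of the 4670 event template.

```powershell
# Added example, not from the article. Audit permission changes on a folder.
# Assumes an elevated PowerShell session on Vista/Server 2008 or later.
# $Folder is a placeholder path; change it to the share you want to watch.
param([string]$Folder = 'C:\Shares\Finance')

# Step 1: enable success auditing for the "File System" object-access
# subcategory (the per-subcategory successor of the "Audit object access"
# policy setting described in the article).
auditpol.exe /set /subcategory:"File System" /success:enable | Out-Null

# Step 2: add a SACL entry to the folder so that successful permission and
# ownership changes by any account are recorded, and have it inherited by
# subfolders and files.
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', 'ChangePermissions,TakeOwnership', 'ContainerInherit,ObjectInherit', 'None', 'Success')
$acl = Get-Acl -Path $Folder -Audit   # -Audit is required to read/write the SACL
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# Step 3: read the Security log for event 4670 and keep only the events whose
# object lies under the audited folder. Assumed field order of the 4670 event
# template: [1] account name, [6] object name, [8] old SDDL, [9] new SDDL.
function Get-FolderPermissionChanges {
    param(
        [string]$Path,
        [datetime]$Since = (Get-Date).AddDays(-1)
    )
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4670; StartTime = $Since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[6].Value -like "$Path*" } |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Account = $_.Properties[1].Value
                Object  = $_.Properties[6].Value
                OldSddl = $_.Properties[8].Value   # security descriptor before the change
                NewSddl = $_.Properties[9].Value   # security descriptor after the change
            }
        }
}

# Show what changed in the last day; comparing OldSddl with NewSddl tells you
# exactly which ACE was added or removed.
Get-FolderPermissionChanges -Path $Folder | Format-Table -AutoSize
```

Without step 1 the SACL on the folder produces nothing, and without step 2
the policy setting alone produces nothing either; both halves must be in
place, which is the point the article makes. Filtering on the object name
matters because a busy file server generates 4670 events for many other
objects once the subcategory is enabled.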
==== Resources and Events ====
Does Windows Server 2003 Service Pack 1 Live Up to Expectations?
What can you expect when you deploy SP1 in real life? Join industry
guru Michael Otey as he reviews the service pack and answers your
questions about Windows Firewall, data execution prevention (DEP),
boot-time protection, the anxiously awaited Security Configuration
Wizard (SCW), and more.
Get Ready for SQL Server 2005 Roadshow in a City Near You
Get the facts about migrating to SQL Server 2005. SQL Server experts
will present real-world information about administration, development,
and business intelligence to help you implement a best-practices
migration to SQL Server 2005 and improve your database computing
environment. Attend and receive a 1-year membership to PASS and 1-year
subscription to SQL Server Magazine. Register now!
Attend the Black Hat Briefings
Attend the Black Hat Briefings & Training USA, July 23-28, 2005 in
Las Vegas. World renowned security experts reveal tomorrow's threats
today. Free of vendor pitches, the briefings are designed to be
pragmatic regardless of your security environment. Featuring 25 hands-on
training courses and 10 conference tracks. Lots of Windows stuff
Ensure SQL Server High Availability
In this free Web seminar, discover how to maintain business
continuity of your IT systems during routine maintenance and unplanned
disasters. Learn critical factors for establishing a secure and highly
available environment for SQL Server including overcoming the
technology barriers that affect SQL Server high availability. Find out
about Microsoft's out-of-the-box high-availability technologies,
including clustering, log shipping, and replication. Register Now!
Protect the Rest of Your Exchange Infrastructure
There is more to data protection for Exchange than protecting mail
and mail servers. In this free Web seminar, you'll learn some methods
for anticipating, avoiding, and overcoming technical problems that can
affect your Exchange environment, including corruption or errors in
Active Directory, DNS problems, configuration errors, service pack
installation problems, and more. Register now!
==== Featured White Paper ====
Quantify the Business Benefits of ITSM
This free white paper explores how to meet IT infrastructure's needs
and manage crucial support and service processes by implementing Help
desk, problem, change, configuration, and service-level agreement (SLA)
management into a single workflow. Improve productivity and service
delivery quality while reducing costs, resources, and downtime in your
organization. Download it now!
==== Hot Release ====
High Availability for Windows Services
It is no stretch to say that Windows high availability must be a
fundamental element in your short- and long-term strategic IT planning.
This free white paper discusses the core issues surrounding Windows
high availability, with a focus on business drivers and benefits.
You'll learn about the current market solutions, technologies and
real-world challenges including cost-benefit analyses. Plus, find out how to
assess technical elements required in choosing a high availability
solution, including the robustness of the technology, time-to-failover,
and implementation difficulties. Download this white paper now!
==== 3. Security Toolkit ====
Security Matters Blog
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=7622:4FB69
Need a Security Scorecard?
Looking for a simple way to assess desktop security? PivX Solutions
just released a new tool, PreView, that can tell you whether your
firewall offers enough protection, whether you're missing necessary
patches, and more.
by John Savill, http://list.windowsitpro.com/t?ctl=7620:4FB69
Q: Do I need to take any special steps when restoring a backup of my
Relative Identifier (RID) master?
Find the answer at
Security Forum Featured Thread: AD Permissions
A forum participant is having trouble restricting permissions in
Windows Server 2003. He's running Active Directory (AD) in Mixed Mode
and has a few global groups that need access to resources on a member
server. However, anyone--not just the intended groups--can access the
folders and subfolders that he's trying to secure. Join the discussion
==== Announcements ====
(from Windows IT Pro and its partners)
Check Out the New Windows IT Security Newsletter!
Security Administrator is now Windows IT Security. We've expanded
our content to include even more fundamentals on building and
maintaining a secure enterprise. Each issue also features product
coverage of the best security tools available and expert advice on the
best way to implement various security components. Plus, paid
subscribers get online access to our entire security article database!
Click here to try a sample issue today:
Nominate Yourself or a Friend for the MCP Hall of Fame
Are you a top-notch MCP who deserves to be a part of the first-ever
MCP Hall of Fame? Get the fame you deserve by nominating yourself or a
peer to become a part of this influential community of certified
professionals. You could win a VIP trip to Microsoft and other valuable
prizes. Enter now--it's easy:
==== 4. New and Improved ====
by Renee Munshi, products at windowsitpro.com
Keep Track of Your Registry
ElcomSoft has released Advanced Registry Tracer 2.0, a utility that
lets you analyze changes made to your registry (whether by Trojan horse
programs, viruses, or software installations or removals) and store
snapshots of the registry in a database so that you can easily restore
the registry when you encounter problems. New features in version 2.0
include the ability to define scanning and comparison filters, an
object-tweaking feature that lets you safely experiment with registry
values, a new database format that reduces the size of the database,
the ability to compare keys in command-line mode, faster registry file
exports, and an improved interface. Advanced Registry Tracer 2.0 runs
under Windows 95/98/Me/NT4/2000/XP and costs $40 for a single-user
license. For more information, go to
Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving
you time or easing your daily burden? Tell us about the product, and
we'll send you a T-shirt if we write about the product in a future
Windows IT Pro What's Hot column. Send your product suggestions with
information about how the product has helped you to
whatshot at windowsitpro.com.
Editor's note: Share Your Security Discoveries and Get $100
Share your security-related discoveries, comments, or problems and
solutions in the Windows IT Security print newsletter's Reader to
Reader column. Email your contributions (500 words or less) to
r2rwinitsec at windowsitpro.com. If we print your submission, you'll
get $100. We edit submissions for style, grammar, and length.
==== Sponsored Links ====
Heading to Exchange from Notes or GroupWise? Get Expert Help!
==== Contact Us ====
About the newsletter -- letters at windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=7625:4FB69
About product news -- products at windowsitpro.com
About your subscription -- windowsitproupdate at windowsitpro.com
About sponsoring Security UPDATE -- emedia_opps at windowsitpro.com
This email newsletter is brought to you by Windows IT Security,
the leading publication for IT professionals securing the Windows
enterprise from external intruders and controlling access for
internal users. Subscribe today.
Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department
Copyright 2005, Penton Media, Inc. All rights reserved.