[ISN] Security UPDATE -- Browser Security; More About Security Through Obscurity -- June 8, 2005

InfoSec News isn at c4i.org
Thu Jun 9 01:17:49 EDT 2005


1. In Focus: Browser Security; More About Security Through Obscurity

2. Security News and Features
   - Recent Security Vulnerabilities
   - Does Web Browser Choice Affect Security?
   - Setting Up Windows Server Update Services 

3. Security Toolkit
   - Security Matters Blog
   - FAQ

4. New and Improved
   - Keep Your Windows PC Secure


==== 1. In Focus: Browser Security; More About Security Through 
Obscurity ====
   by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

In a recent survey performed by Opera Software, approximately 32 
percent of respondents had no idea whether the browser they choose 
affects their system's overall security (see the news item below). It's 
probably safe to assume that those people don't know how any 
application might affect their system's overall security. 

Some people might argue that using any browser other than Microsoft 
Internet Explorer (IE) is far safer. That might not be true depending 
on how someone uses IE. For example, if you load the latest patches, 
stay on top of the latest vulnerabilities and exploits, use add-on 
tools that increase security, and possibly modify certain registry 
settings, then IE can become much safer to use than it is in its 
default configuration. Plus, if you use Windows XP with Service Pack 2 
(SP2), IE is much safer. 

If you subscribe to our WinInfo Daily UPDATE newsletter, you probably 
read last Friday's Short Takes edition in which Paul Thurrott mentioned 
that IE 7.0 is in development. It will undoubtedly be more secure than 
previous versions, but there's a catch: It will be available only for 
Windows XP and Windows Server 2003. At this time, it seems that 
Microsoft won't make the new browser version available for Windows 
2000. Mainstream support for that OS ends June 30, but that doesn't 
mean that no security patches will be available. Since the company will 
provide free security patches until June 2010, I think we can assume 
that includes security patches for IE on Win2K. 

It's certainly possible to switch from IE to another browser on any 
Windows platform, but of course doing so presents problems because some 
application interfaces rely on the use of IE. This means that in many 
cases, you'll have to use two browsers, which isn't a big deal, but you 
do incur the added work of managing an additional application on your 

Last week, I wrote about security through obscurity. One reader wrote 
to say that in his opinion I completely missed the point of what the 
phrase "security through obscurity" really means. There's no sense 
arguing semantics. I'll just say that I was advocating adding as much 
security as possible even if the added amount is trivial. Another 
reader wrote with a comment that illustrates this point. He said that 
even though he knows a thief can quickly unlock his car door and steal 
the vehicle, he locks the car anyway. 

That about sums it up. However, there is the notion of cost, which I 
didn't cover last week. Some might argue that the cost of managing 
something like MAC address filtering on wireless Access Points (APs) is 
excessively expensive for the amount of security gained. This could be 
true depending on the size of your environment, the size of your budget 
and your ideas about where that money is best spent, and the manner in 
which you implement network management. Obviously, you have to decide 
that for yourself. 

A feature item below mentions a feature article about Windows Server 
Update Services (WSUS). You can read the complete feature article on 
our Web site and chat about WSUS with Doug Toombs today at 12 P.M. 
Eastern (9 A.M. Pacific). Learn more about the "WSUS Is Not for 
Wussies!" Web chat at


==== 2. Security News and Features ====

Recent Security Vulnerabilities
   If you subscribe to this newsletter, you also receive Security 
Alerts, which inform you about recently discovered security 
vulnerabilities. You can also find information about these 
discoveries at

Does Web Browser Choice Affect Security?
   A recent survey revealed that many people still don't realize how 
applications might affect overall system security. The survey revealed 
that 17 percent of respondents thought that the browser played no role 
in overall system security and 32 percent said they didn't know one way 
or the other. 

Setting Up Windows Server Update Services 
   Patch management is a headache for security administrators at most 
organizations. Windows Server Update Services (WSUS) offers benefits 
for organizations of all sizes. In this article, John Howie walks you 
through the process of installing and configuring WSUS for your 
organization, obtaining updates, and configuring clients to use WSUS to 
obtain updates.


==== 3. Security Toolkit ==== 

Security Matters Blog: TCPDUMP for Windows
   by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=BB55:4FB69

   If you've been looking for a Windows-based version of the popular 
tcpdump tool, MicroOLAP Technologies offers MicroOLAP TCPDUMP for 
Windows, which the company says reproduces all the features found in 
the original tcpdump for UNIX. 

FAQ
   by John Savill, http://list.windowsitpro.com/t?ctl=BB52:4FB69 

Q: How can I enable the List Object security option in Active Directory 

Find the answer at


==== 4. New and Improved ====
   by Renee Munshi, products at windowsitpro.com

Keep Your Windows PC Secure
   WinKeeper Professional 4.85 is the most recent version of a suite of 
12 Windows security utilities from WinKeeper Software. Spyware Doctor 
detects and cleans spyware, adware, Trojan horses, keyloggers, spybots, 
and other malware that might be on your PC. Security Task Manager lets 
you examine the processes that run on your computer and ensure that 
there are no intruders. BHO Cleaner lets you easily control the browser 
helper objects that have been installed on your computer. Other suite 
utilities can help you clear your IE history file, erase files, and 
manage passwords. WinKeeper Professional 4.85 runs under Windows 
98/Me/NT 4.0/2000/XP and costs $34.95 for a single-user license. For 
more information, go to

Tell Us About a Hot Product and Get a T-Shirt!
   Have you used a product that changed your IT experience by saving 
you time or easing your daily burden? Tell us about the product, and 
we'll send you a T-shirt if we write about the product in a future 
Windows IT Pro What's Hot column. Send your product suggestions with 
information about how the product has helped you to 
   whatshot at windowsitpro.com.

Editor's note: Share Your Security Discoveries and Get $100
   Share your security-related discoveries, comments, or problems and 
solutions in the Windows IT Security print newsletter's Reader to 
Reader column. Email your contributions (500 words or less) to 
r2rwinitsec at windowsitpro.com. If we print your submission, you'll 
get $100. We edit submissions for style, grammar, and length.


==== Contact Us ==== 

About the newsletter -- letters at windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=BB56:4FB69
About product news -- products at windowsitpro.com
About your subscription -- windowsitproupdate at windowsitpro.com
About sponsoring Security UPDATE -- emedia_opps at windowsitpro.com


This email newsletter is brought to you by Windows IT Security, 
the leading publication for IT professionals securing the Windows 
enterprise from external intruders and controlling access for 
internal users. Subscribe today.

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2005, Penton Media, Inc. All rights reserved.
