[ISN] Security UPDATE -- Administrator Accounts and Root Kits --
March 9, 2005
isn at c4i.org
Thu Mar 10 04:05:40 EST 2005
This email newsletter comes to you free and is supported by the
following advertisers, which offer products and services in which you
might be interested. Please take a moment to visit these advertisers'
Web sites and show your support for Security UPDATE.
Free util: Scan your site for system slowdowns
SQL Server Magazine
1. In Focus: Administrator Accounts and Root Kits
2. Security News and Features
- Recent Security Vulnerabilities
- Need Information About Internet Explorer 7.0?
- Deploying Junk Mail Filter Lists in Outlook 2003
- @stake LC 5
3. Security Toolkit
- Security Matters Blog
- Web Chat
- Security Forum Featured Thread
4. New and Improved
- Prevent Unauthorized Network Access
==== Sponsor: Executive Software ====
Free util: Scan your site for system slowdowns
Disk Performance Analyzer for Networks is a FREE utility that
remotely checks your systems for performance bottlenecks caused by
severe disk fragmentation. If not identified promptly, fragmentation
builds exponentially and causes frustrating slowdowns, random
crashes, even complete inability to boot. Disk Performance Analyzer
for Networks zeros in on problem computers, showing you exactly how
much performance and stability is being lost. Find systems that need
attention now, BEFORE they become help desk calls! This is a free
utility, not spyware or adware. Download Disk Performance Analyzer
for Networks now!
==== 1. In Focus: Administrator Accounts and Root Kits ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net
Last week, I wrote about why you should try not to use administrative
accounts unless you really need to. Several readers wrote to explain
various scenarios and problems they've encountered while trying to
use a nonadministrative account for certain tasks. Some of the
problems involve using Windows Explorer, running debuggers, creating
Data Source Names (DSNs), and accessing Control Panel items.
Obviously, you'll need to log on as the administrator in some
instances; using RunAs, even with the /netonly switch, might not
There are other possible solutions for some problems too. For
example, Microsoft's OS resource kits include the su.exe tool, which
runs a program under another account's credentials. Another tool,
which I've mentioned before, is MakeMeAdmin, written by Aaron Margosis
at Microsoft. The tool adds your account to the local Administrators
group, spawns a command shell from a fresh logon (so that the shell's
token carries the new group membership), and then removes your
account from the group.
So, effectively, MakeMeAdmin gives you a command shell running with a
new security token. The fresh logon is the point: a token's group
memberships are fixed when it's created, so adding yourself to
Administrators does nothing for the desktop session you're already in.
You can perform whatever actions you need to in the shell. The
elevation is local, though; on the network you still appear as your
ordinary account unless you authenticate to a resource with different
credentials. For example, you can map a drive by using the command
and specifying an account with the required privileges. Or you could
launch Windows Explorer on the desktop with elevated privileges by
using its /root switch. You could also launch Control Panel applets
by simply entering the applet name and extension (.cpl) as if it were
any other executable program. If you run Microsoft Internet Explorer
(IE) with elevated privileges, you can use Margosis's PrivBar add-on
that shows which security level your browser is running under.
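The workflow above, as an added example rather than anything from the column or from Margosis's own MakeMeAdmin script: a PowerShell rendering of the add, spawn, remove sequence with the two checks you want around it (that the add actually took before you spawn a shell, and that the membership is gone afterward), plus a probe that runs inside the new shell and reports whether its token really contains Administrators. It assumes pre-UAC semantics (Windows 2000/XP): under UAC the spawned process receives a filtered token and the probe will report False. The account names, the share and the svc_backup account in the trailing comments are placeholders.

```powershell
# Added example: MakeMeAdmin-style elevation (add, spawn, remove) in PowerShell.
# Not Aaron Margosis's script. Assumes pre-UAC semantics (Windows 2000/XP);
# under UAC the spawned shell gets a filtered token and this pattern does not elevate.
param(
    [string]$User  = "$env:USERDOMAIN\$env:USERNAME",
    [string]$Admin = "$env:COMPUTERNAME\Administrator"   # any account already in Administrators
)

function Test-LocalAdminMember {
    # Reads local Administrators membership via net.exe; works from a standard-user session.
    # net.exe lists domain accounts as DOMAIN\user but local accounts as the bare user name.
    param([string]$Account)
    $leaf  = $Account.Split('\')[-1]
    $lines = & net.exe localgroup Administrators 2>$null
    return [bool]($lines | Where-Object { $t = $_.Trim(); $t -ieq $Account -or $t -ieq $leaf })
}

$adminCred = Get-Credential $Admin    # prompted once, reused for the add and the remove
$selfCred  = Get-Credential $User     # your own password: the fresh logon in step 2 needs it
$wd        = $env:SystemRoot          # Start-Process -Credential wants a directory both accounts can read

# 1. Add the current account to the local Administrators group, running as an admin.
Start-Process -FilePath net.exe -Credential $adminCred -WorkingDirectory $wd -Wait `
    -ArgumentList 'localgroup', 'Administrators', "`"$User`"", '/add'
if (-not (Test-LocalAdminMember $User)) { throw "Add failed; not spawning a shell." }

# 2. Spawn a shell from a fresh logon. Group membership is fixed when a token is built, so
#    this process carries Administrators (S-1-5-32-544) while your existing desktop does not.
#    The probe runs inside the new shell and reports what its token actually contains.
$probe = @'
$p = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
"Administrators in this token: " + $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
'@
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($probe))
Start-Process -FilePath powershell.exe -Credential $selfCred -WorkingDirectory $wd `
    -ArgumentList '-NoExit', '-EncodedCommand', $encoded

# 3. Remove the membership again. The running shell keeps its token; nothing else does.
Start-Process -FilePath net.exe -Credential $adminCred -WorkingDirectory $wd -Wait `
    -ArgumentList 'localgroup', 'Administrators', "`"$User`"", '/delete'
if (Test-LocalAdminMember $User) { Write-Warning "$User is still in Administrators; remove it by hand." }

# Inside the spawned shell, network access still uses your ordinary account unless you
# supply other credentials at connect time (placeholder names below):
#   net use Z: \\fileserver\share /user:DOMAIN\svc_backup *
#   explorer /root,C:\     opens an Explorer window that carries the shell's token
#   appwiz.cpl             runs a Control Panel applet with that token
```

Everything launched from the spawned shell inherits the admin token, so treat the shell itself as the boundary: close it when the task is done rather than leaving it open on the desktop.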
Another reader wrote to point out that Microsoft has published a
document that explains some of the problems you can encounter when
you run applications on the desktop with nonadministrative accounts.
The article offers tips about how developers can remedy some of those
problems and offers some insight into how the next release of Windows
(codenamed Longhorn) will address the matter in more effective ways.
One change will be a Protected Administrator status, which, if I
understand correctly, will allow a user to use an administrator
account but with the fewest privileges necessary for a given task.
Another topic I want to discuss this week is root kits, which, as you
know, can be a real problem. A Microsoft paper discusses research the
company has done regarding ways to discover such nuisances. The paper
mentions a related tool, Strider GhostBuster, developed in the labs,
which isn't available to the public.
However, Sysinternals has a root kit discovery tool that you might
find helpful. The new tool, RootkitRevealer, is still undergoing
development, but you can download a copy and try it out. Both tools
take the same basic approach: compare what the Windows API reports
(the view a root kit can filter) with what a lower-level scan of the
file system and registry hives actually contains, and flag the
discrepancies. Treat the output as leads rather than verdicts; files
and keys that legitimately change between the two scans produce
discrepancies of their own.
F-Secure will release a beta version of its new root kit detection
tool, F-Secure BlackLight Rootkit Elimination Technology, this week.
You can learn more about that tool in the related article on our Web
==== Sponsor: SQL Server Magazine ====
Get SQL Server Magazine and Get Answers
Throughout the year in 2005, SQL Server Magazine is on target to
deliver comprehensive coverage of all hot industry topics, including
SQL Server 2005, performance tuning, security, Reporting Services,
Integration Services, and .NET development. If you aren't already a
subscriber, now is the time to sign up. You'll get unlimited online
access to every article ever published in the magazine and you'll get
30% off the cover price. Don't miss out . . . sign up today:
==== 2. Security News and Features ====
Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security
Alerts, which inform you about recently discovered security
vulnerabilities. You can also find information about these
Need Information About Internet Explorer 7.0?
If you need information about the upcoming Microsoft Internet
Explorer (IE) 7.0, you can find some tidbits about it on IEBlog,
which is operated by Microsoft's IE team.
Deploying Junk Mail Filter Lists in Outlook 2003
Microsoft released a hotfix for Outlook 2003 late last month for a
feature that deals with importing junk mail filter lists into Outlook
2003. This feature lets you use registry values to tell Outlook to
import the Safe Senders, Safe Recipients, and Blocked Senders lists
from specific locations and either overwrite the user's existing junk
mail filter lists or append entries to them. The hotfix makes some
important changes to the way the feature works.
@stake LC 5
If you want a terrific password-auditing tool, Jeff Fellinge
recommends the most recent version of L0phtCrack: @stake LC 5
(recently acquired by Symantec). New features let you remotely
collect password hashes, schedule scans, score passwords, create
audit reports, and speed up audits. LC 5 supports most password-
cracking methods and comes in four versions (professional,
administrator, site, and consultant).
==== Resources and Events ====
The Must-Attend Event for Securing Your Wireless Deployments
The Conference on Mobile & Wireless Security delivers on-target,
need-to-know information on emerging issues and tech trends.
Featuring first-class keynotes and sessions, an in-depth panel
discussion, and interactive workshops, you will learn practical
tactics for overcoming mobile security challenges and real-world
strategies for maximizing the potential of your wireless devices.
Get Ready for SQL Server 2005 Roadshow in a City Near You
Get the facts about migrating to SQL Server 2005. SQL Server
experts will present real-world information about administration,
development, and business intelligence to help you implement a best-
practices migration to SQL Server 2005 and improve your database
computing environment. Receive a 1-year membership to PASS and 1-year
subscription to SQL Server Magazine. Register now!
Windows Connections 2005 Conference
April 17-20, 2005, Hyatt Regency San Francisco. Microsoft and
Windows experts present over 40 in-depth sessions with real-world
solutions you can take back and apply today. Don't miss Mark Minasi's
entertaining and insightful keynote presentation on "The State of
Windows" and your chance to win a 7-night Caribbean cruise!
The Essential Guide to Active Directory Management
Migrating from NDS and/or eDirectory to AD means changes in the
way you manage your network, users, and network resources. Download
this Essential Guide to Active Directory Management and learn hands-
on approaches that reduce management complexity, IT workload, and
costs and improve security--all with minimal impact on your
organization. Download this guide today.
Discover, Manage, and Archive Information Within Your Exchange
Limit your legal exposure and protect corporate information. In
this free Web seminar, Exchange MVP Paul Robichaux provides an
overview of general retention and compliance issues, knowledge of
pitfalls you may encounter when implementing your policy, insight
into managing mail data for best-efforts compliance, and Exchange's
built-in archiving and compliance features. Register now!
==== Hot Release ====
Managing and Securing IM in the Enterprise: Why It Should Be a Top
With instant messaging virtually in all corporate environments,
and expected to be as prevalent as email in the near future, it has
rapidly become an indispensable business communication tool. Yet, IM
growth within the enterprise brings an associated increase in
security risks to both public and enterprise IM networks. In this
free white paper, learn how you can take control of IM use on your
network to ensure security and compliance. You'll learn how to
protect yourself from virus and worm attacks, identity theft, leakage
of confidential information, and more. Download now!
==== 3. Security Toolkit ====
Security Matters Blog
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=48D1:4FB69
Google Hacking: No Longer a Sure Thing for Intruders
A new honeypot can trap intruders who use Google queries to find
vulnerable systems. Such intruders typically use search engine
queries to look for sites whose URLs contain particular words or
phrases that might indicate that the site is using vulnerable
Security Event Log Chat
Randy Franklin Smith is one of the foremost authorities on the
Windows Security event log and a respected trainer who teaches
Monterey Technology Group's "Security Log Secrets" course. In his
article in the March issue of Windows IT Pro magazine, Randy shines
a light on this dark and mysterious corner of cryptic event IDs and
codes and inaccurate Microsoft documentation. Here's your chance to
ask Randy your questions about the Security log and get answers
Microsoft doesn't provide. Join the chat March 16 at 1:00 P.M.
Pacific time. For details, visit
by John Savill, http://list.windowsitpro.com/t?ctl=48CD:4FB69
Q. How can I back up and restore user profiles when deploying a new
OS via the Microsoft Systems Management Server (SMS) OS Deployment
Find the answer at
Security Forum Featured Thread: Backup Account Permissions on Windows
A forum participant is trying to remove service accounts from
administrative groups. ARCserve by default puts its account in the
Administrators and Domain Admins groups. Is there a workaround so
that the account doesn't need to belong to those groups? Putting the
account in the Backup Operators and Server Operators groups doesn't
seem to be sufficient. Can a security policy be adjusted to help?
Join the discussion at
==== Announcements ====
(from Windows IT Pro and its partners)
Get Windows IT Pro at 44% Off!
Windows & .NET Magazine is now Windows IT Pro! Act now to get an
entire year for just $39.95--that's 44% off the cover price! Our
March issue shows you what you need to know about Windows Server 2003
SP1, how to get the best out of your IT staff, and how to fight
spyware. Plus, we review the top 10 features of Mozilla Firefox 1.0.
This is a limited-time, risk-free offer, so click here now:
==== 4. New and Improved ====
by Renee Munshi, products at windowsitpro.com
Prevent Unauthorized Network Access
MetaInfo has released SAFE DHCP as a stand-alone product. When a
computer connects to the network, SAFE DHCP supplies a nonprivileged
or "quarantined" IP address and checks the machine's identity before
granting a privileged IP address. Several SAFE DHCP modules are
available that can perform various identity and other security checks
(such as checking for viruses or policy compliance). SAFE DHCP was
previously available only as part of the MetaInfo Meta IP solution.
For further information, visit
Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving
you time or easing your daily burden? Tell us about the product, and
we'll send you a T-shirt if we write about the product in a future
Windows IT Pro What's Hot column. Send your product suggestions with
information about how the product has helped you to
whatshot at windowsitpro.com.
Editor's note: Share Your Security Discoveries and Get $100
Share your security-related discoveries, comments, or problems and
solutions in the Security Administrator print newsletter's Reader to
Reader column. Email your contributions (500 words or less) to
r2rsecadmin at windowsitpro.com. If we print your submission, you'll get
$100. We edit submissions for style, grammar, and length.
==== Contact Us ====
About the newsletter -- letters at windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=48D3:4FB69
About product news -- products at windowsitpro.com
About your subscription -- windowsitproupdate at windowsitpro.com
About sponsoring Security UPDATE -- emedia_opps at windowsitpro.com
This email newsletter is brought to you by Security Administrator,
the leading publication for IT professionals securing the Windows
enterprise from external intruders and controlling access for
internal users. Subscribe today.
Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department
Copyright 2005, Penton Media, Inc. All rights reserved.
More information about the ISN