[ISN] Security UPDATE -- More Flexible Security Control in IIS 7.0 -- October 5, 2005

InfoSec News isn at c4i.org
Thu Oct 6 00:06:53 EDT 2005


====================

This email newsletter comes to you free and is supported by the 
following advertisers, which offer products and services in which 
you might be interested. Please take a moment to visit these 
advertisers' Web sites and show your support for Security UPDATE. 

Free Webcast from Postini: Risks of Unmanaged IM
   http://list.windowsitpro.com/t?ctl=15605:4FB69 

Panda Software
   http://list.windowsitpro.com/t?ctl=155F8:4FB69

====================

1. In Focus: More Flexible Security Control in IIS 7.0

2. Security News and Features
   - Recent Security Vulnerabilities
   - Latest Office Updates Improve Outlook Security
   - Symantec to Acquire WholeSecurity

3. Security Toolkit
   - Security Matters Blog
   - FAQ
   - Security Forum Featured Thread

4. New and Improved
   - A Security Partner

====================

==== Sponsor: Postini ====

Free Webcast from Postini: Risks of Unmanaged IM
   Join noted electronic messaging expert and author Michael Osterman 
on Thursday, October 20, 2005 as he explores the growing threats 
associated with Instant Messaging (IM) in your enterprise and what to 
do about them. In one short hour you'll learn how to find out where 
your enterprise is vulnerable ... protect against IM-borne threats ... 
and ensure regulatory compliance within IM. 
   Register today and learn why IM is the "next frontier" for hackers, 
spammers, and phishers ... what IM means to your compliance initiatives 
... why you can't stop IM threats with typical network safeguards ... 
and how an integrated message management strategy provides IM threat 
prevention and compliance. Free white paper and technology overview 
when you attend. Register now.
   http://list.windowsitpro.com/t?ctl=15605:4FB69 

====================

==== 1. In Focus: More Flexible Security Control in IIS 7.0 ====
   by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

At the recent Microsoft Professional Developers Conference (PDC 2005), 
IIS Program Manager Chris Adams talked about upcoming features of IIS 
7.0, some of which are security related. 

IIS 7.0 is built on the IIS 6.0 platform, which is far more secure than 
previous versions of IIS. Adams said that IIS developers learned over 
time, particularly because of worms such as Code Red and Nimda, how to 
improve the Web server's security. Adams said that no security 
vulnerabilities have been discovered in what he calls the "IIS critical 
core" since the release of IIS 6.0. Therefore IIS 6.0 serves as a good 
base to build on. 

IIS 7.0 brings new security features such as delegation of authority, 
which is a significant improvement. This means that people can perform 
delegated tasks without having administrator-level authority. So for 
example, in the course of developing a new Web page, a Web developer 
might want to use a new file extension type. Traditionally, an 
administrator would need to add that type to the server. But the new 
delegation features let an administrator delegate that authority to the 
developer. This capability will improve security administration and 
increase productivity.
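As an added illustration of the delegation scenario above (not part of the talk or of Microsoft's own material), the fragment below uses the section-locking schema that the shipped IIS 7.0 applicationHost.config uses: each configuration section carries an overrideModeDefault, and a <location> element can unlock a section for one site only. The site name "Contoso Dev Site", the .rpt extension, the handler name and the DLL path are constructed for the example. The point to notice is that the administrator delegates only the handlers section, so the developer can map a new file extension from the site's own web.config, while the authentication sections stay locked to administrators.

```xml
<!-- File 1: %windir%\System32\inetsrv\config\applicationHost.config (constructed excerpt, edited by the administrator only) -->
<configuration>
  <configSections>
    <sectionGroup name="system.webServer">
      <!-- Deny: a site's web.config cannot change these sections unless a <location> below unlocks them -->
      <section name="handlers" overrideModeDefault="Deny" />
      <sectionGroup name="security">
        <sectionGroup name="authentication">
          <!-- Authentication stays administrator-only; it is never delegated in this example -->
          <section name="anonymousAuthentication" overrideModeDefault="Deny" />
          <section name="windowsAuthentication" overrideModeDefault="Deny" />
        </sectionGroup>
      </sectionGroup>
    </sectionGroup>
  </configSections>

  <!-- Delegate the handlers section, and only that section, to one site (site name is constructed) -->
  <location path="Contoso Dev Site" overrideMode="Allow">
    <system.webServer>
      <handlers />
    </system.webServer>
  </location>
</configuration>

<!-- File 2: web.config in the root of "Contoso Dev Site" (constructed), edited by the developer -->
<configuration>
  <system.webServer>
    <handlers>
      <!-- The developer maps a new extension (.rpt, constructed) to an ISAPI extension without administrator rights.
           Only the delegated handlers section is writable here; an authentication element would be rejected. -->
      <add name="ContosoReportHandler" path="*.rpt" verb="GET"
           modules="IsapiModule"
           scriptProcessor="C:\inetpub\contoso\bin\ReportIsapi.dll"
           resourceType="File" requireAccess="Script" />
    </handlers>
  </system.webServer>
</configuration>
```

Two points for the administrator doing the delegating: unlock sections per site through <location> rather than flipping overrideModeDefault to Allow server-wide, and keep the ISAPI and CGI restriction list (the isapiCgiRestriction section in applicationHost.config) under administrator control, since a delegated handler mapping only runs an ISAPI binary that the server-level restriction list already permits.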

If you've spent a lot of time developing secure applications that run 
on IIS 6.0, you won't have to spend much time moving them to IIS 7.0. 
Adams said Microsoft has made sure that IIS 7.0 will support "legacy 
applications."

Unlike Windows XP, which includes IIS 5.1, and Windows Server 2003, 
which includes IIS 6.0, Windows Vista and Longhorn Server will ship 
with IIS 7.0. The different IIS versions on XP and Windows 2003 posed 
some developmental and security problems; Microsoft is aiming to avoid 
those problems in the new Windows client and server OSs.

With previous versions of IIS, developers typically used Internet 
Server API (ISAPI) and Common Gateway Interface (CGI) to develop custom 
functionality. But IIS 7.0 will be more modular, which brings at least 
two benefits: Administrators will be able to deploy IIS 7.0 with only 
the modules that they require, and developers will be able to replace 
functionality that they might not like. For example, if you want to use 
an authentication method other than connecting to the SAM database, you 
can write a replacement for IIS 7.0's authentication module. Because 
this module can be replaced, developers can not only create their own 
means of authenticating users but also more easily integrate 
authentication against other OSs such as Linux, BSD, and Mac OS X. 

IIS 7.0 also has a new UI that exposes more of the central 
configuration (metabase) properties, possibly including some security 
properties. In previous versions, administrators had to modify some 
aspects of the metabase by using command-line tools or by manually 
editing configuration files with Notepad or the Microsoft MetaEdit 
tool. 

That's a brief summary of what you can expect. Development tools and 
additional information for IIS 7.0 should be available on Microsoft 
Developer Network (MSDN) by the end of the year. In addition, Paul 
Thurrott will provide a more extensive review of IIS 7.0 on our Web 
site sometime in the near future. 

====================

==== Sponsor: Panda Software ====

Stopping Crimeware and Malware
   Computer users can no longer wait for a new vaccine every time a new
security threat appears.  How do you defend your network in a world of
smarter, faster, Internet-borne zero-day attacks? Find out about
Intrusion Prevention that can detect and destroy unknown malware with
virtually zero false positives.
   http://list.windowsitpro.com/t?ctl=155F8:4FB69 

====================

==== 2. Security News and Features ====

Recent Security Vulnerabilities
   If you subscribe to this newsletter, you also receive Security 
Alerts, which inform you about recently discovered security 
vulnerabilities. You can also find information about these 
discoveries at
   http://list.windowsitpro.com/t?ctl=155FC:4FB69

Latest Office Updates Improve Outlook Security
   Microsoft released Office 2003 Service Pack 2 (SP2) and junk email 
filter updates for Office Outlook 2003. Together they can help protect 
against phishing attacks. Read more about the updates in this news 
story on our Web site. 
   http://list.windowsitpro.com/t?ctl=15602:4FB69

Symantec to Acquire WholeSecurity
   Symantec announced that it entered into an agreement to acquire 
privately held WholeSecurity. The deal is scheduled to close in 
October. WholeSecurity offers behavior-based security solutions and 
antiphishing technology. 
   http://list.windowsitpro.com/t?ctl=15604:4FB69

====================

==== Resources and Events ====

Get Ready for the SQL Server 2005 Roadshow in Europe
   Back By Popular Demand--Get the facts about migrating to SQL Server 
2005! SQL Server experts will present real-world information about 
administration, development, and business intelligence to help you 
implement a best-practices migration to SQL Server 2005 and improve 
your database-computing environment. Receive a one-year membership to 
PASS and one-year subscription to SQL Server Magazine. Register now.
   http://list.windowsitpro.com/t?ctl=155F7:4FB69

Windows Connections 2005 Conference--October 31 - November 3, 2005
   At the Manchester Grand Hyatt in San Diego, Microsoft and Windows 
experts present more than 40 in-depth sessions with real-world 
solutions you can take back and apply today. Register now and attend 
two conferences for the price of one!
   http://list.windowsitpro.com/t?ctl=1560B:4FB69

Discover SQL Server 2005 for the Enterprise. Are you prepared?
   In this free half-day event, you'll learn how the top new features 
of SQL Server 2005 will help you create and manage large-scale, 
mission-critical enterprise database applications and make your job 
easier. Find out how to leverage SQL Server 2005's new capabilities to 
best support your business initiatives. Register today!
   http://list.windowsitpro.com/t?ctl=155F9:4FB69

Deploy VoIP and FoIP Technologies
   Voice over Internet Protocol (VoIP) is the future of 
telecommunications, and many companies are already enjoying the 
benefits of transporting voice over IP networks to significantly reduce 
telephone and facsimile costs. Join industry expert David Chernicoff 
for this free Web seminar to learn the "ins and outs" of boardless fax 
in IP environments, tips for rolling out fax and integrating fax with 
telephony technologies, and more!
   http://list.windowsitpro.com/t?ctl=155FB:4FB69

Microsoft IT Forum 2005 November 15-17, Barcelona, Spain
   Microsoft's European conference for IT professionals on planning, 
deploying, and managing the secure connected enterprise. Three days of 
learning, one year of solutions. With a choice of 325+ Technical 
Learning Sessions, increase your productivity and support your business 
with new opportunities and ideas. See the Web site for registration 
information.
   http://list.windowsitpro.com/t?ctl=15608:4FB69

====================

==== Featured White Paper ====

Build a Superior Windows File Serving Environment
   In this free white paper, get the tools you need to provide a 
scalable, highly available CIFS file service using inexpensive, 
industry-standard servers that you can add to incrementally as demands 
require, while retaining the management simplicity of a single server 
and a single pool of exported file systems.
   http://list.windowsitpro.com/t?ctl=155F6:4FB69

====================

==== Hot Release ====

Maximizing Network Security Against Spyware and Other Threats
   Spyware installation usually exploits an underlying security 
vulnerability in the OS. You can remove spyware, but if you don't also 
patch the underlying vulnerability, you don't solve the real problem. 
By leaving your systems open to reinfestation, you risk surging 
bandwidth consumption, system instability, overwhelmed Help desks, lost 
user productivity, and other consequences. Unauthorized applications 
can even result in noncompliance with regulatory requirements. This 
free white paper addresses the need to manage both the threats and 
vulnerabilities from one console as a comprehensive security solution.
   http://list.windowsitpro.com/t?ctl=155FA:4FB69 

====================

==== 3. Security Toolkit ==== 

Security Matters Blog: Synopsis of MS Security Bulletin Creation
   by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=15607:4FB69

   Ever wonder what goes on during the creation of a Microsoft security 
bulletin? Read this blog article to get a synopsis.
   http://list.windowsitpro.com/t?ctl=15603:4FB69

FAQ
   by John Savill, http://list.windowsitpro.com/t?ctl=15606:4FB69 

Q: Can I change the type of logging that Active Directory (AD) uses?

Find the answer at
   http://list.windowsitpro.com/t?ctl=15601:4FB69

Security Forum Featured Thread: Too Many Security Log Entries
   A forum participant writes that he needs to identify user logon and 
logoff events. However, he needs to know only logon and logoff times and 
wants to log the minimum number of related events. He wants to know 
which policies to adjust to make that happen. Join the discussion at 
   http://list.windowsitpro.com/t?ctl=155F5:4FB69

====================

==== Announcements ====
   (from Windows IT Pro and its partners)

Become a VIP Subscriber!
   Get inside access to ALL the articles, tools, and helpful resources 
published in Windows IT Pro, SQL Server Magazine, Exchange and Outlook 
Administrator, Windows Scripting Solutions, and Windows IT Security--
that's more than 26,000 articles at your fingertips. Your VIP 
subscription also includes a valuable one-year print subscription to 
Windows IT Pro and two VIP CDs (includes the entire article database on 
CD). Sign up now:
   http://list.windowsitpro.com/t?ctl=155FF:4FB69

Windows IT Pro Has Answers
   You won't want to miss any of the fall issues! Subscribe now and 
discover the best ways to plan for Longhorn, what you need to know 
about VBScript, ways to make sense of SQL Server, the 10 Security Tools 
You Can't Live Without, and much more. You'll also gain exclusive 
access to the entire Windows IT Pro online article database (more than 
9000 articles) and you'll SAVE 44% off the cover price. Click here:
   http://list.windowsitpro.com/t?ctl=155FE:4FB69

====================

==== 4. New and Improved ====
   by Renee Munshi, products at windowsitpro.com

A Security Partner
   Integralis announced Secure Watch, a co-managed security service in 
two levels: Level 1 for small businesses and Level 2 for large 
businesses. Secure Watch lets customers work with Integralis Security 
professionals to protect their corporate networks. For Secure Watch 
Level 2, Integralis uses its Security Service Appliance (SSA) to 
monitor customer networks for thousands of unique problems. When it 
finds a problem, it alerts the customer's security team, which can then 
solve the problem or consult with Integralis professionals. Secure 
Watch Level 1 monitors system health and availability without the need 
for customer-premises equipment. For more information, go to
   http://list.windowsitpro.com/t?ctl=1560C:4FB69

Tell Us About a Hot Product and Get a T-Shirt!
   Have you used a product that changed your IT experience by saving 
you time or easing your daily burden? Tell us about the product, and 
we'll send you a T-shirt if we write about the product in a future 
Windows IT Pro What's Hot column. Send your product suggestions with 
information about how the product has helped you to 
   whatshot at windowsitpro.com.

Editor's note: Share Your Security Discoveries and Get $100
   Share your security-related discoveries, comments, or problems and 
solutions in the Windows IT Security print newsletter's Reader to 
Reader column. Email your contributions (500 words or less) to 
r2rwinitsec at windowsitpro.com. If we print your submission, you'll 
get $100. We edit submissions for style, grammar, and length.

====================

==== Sponsored Links ====

Admins rush to install BLOG servers
   How to run your own blog server. Free 5-user license.
   http://list.windowsitpro.com/t?ctl=1560A:4FB69

====================

==== Contact Us ==== 

About the newsletter -- letters at windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=15609:4FB69
About product news -- products at windowsitpro.com
About your subscription -- windowsitproupdate at windowsitpro.com
About sponsoring Security UPDATE -- salesopps at windowsitpro.com

====================

This email newsletter is brought to you by Windows IT Security, 
the leading publication for IT professionals securing the Windows 
enterprise from external intruders and controlling access for 
internal users. Subscribe today.
   http://list.windowsitpro.com/t?ctl=15600:4FB69

View the Windows IT Pro privacy policy at
   http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2005, Penton Media, Inc. All rights reserved.
