Merit Network Email List Archives: Network Security

Historical SANS NewsBites Vol. 6 Num. 12

  • From: The SANS Institute
  • Date: Wed Mar 24 10:14:09 2004

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In the category of free, useful software:  
On Tuesday, the Center for Internet Security released an updated Windows
Security Scoring Tool along with the Windows XP Benchmark for Secure
Configuration. The XP scoring capability has four levels that correspond
with Microsoft's security levels. You can test your system to see how
safely configured it is, get a numerical score, and then see what needs
to be done to raise the score. (A more complete announcement is at the
end of this issue of NewsBites.) Download it free from
http://www.cisecurity.org
(But use it to test only your own personal machine unless your employer
is a CIS member. Member organizations can distribute it and use it on
all the systems they own.)

                                 Alan

*************************************************************************
SANS NewsBites                March 24, 2004              Vol. 6, Num. 12
*************************************************************************

TOP OF THE NEWS
  Back-Up Tape of Citibank Customer Transactions is Lost
  Possible Customer Data Compromise at BJ's Wholesale Club Computer
     System
  Former FBI Analyst Faces Charges of Unauthorized Data Access
  Equifax Canada Data Compromised
  San Diego State University Financial Aid Server Security Breached 
  Interior Ordered Off Line Again

ARTICLES ON SPAM
  AOL Sees 27% Decline in Spam
  Only US Receives More Spam than China
  Asia-Pacific Region Joins in Fighting Spam
  Korea Wants to Halve Spam Volume

THE REST OF THE WEEK'S NEWS
  Man Pleads Guilty to Phishing Charges
  Researchers Modeling Attacker Methods
  GAO Publication Describes Varieties of Security Products
  Voting Machine Problems Highlight Need for Paper Trail 
  Investigation Indicates Betting Sites Are Being Targeted by DDoS
     Attacks
  Task Force Action Plans: Early Warning System, Increased Security
     Awareness 
  Windows XP SP2 RC1 Available to Beta Testers
  China Shuts Down Blog Sites for Objectionable Content
  Management Practices of High-Performing IT Organizations
  US President Putnam Questions Agencies About IT Security
  Opinion: Assessments Do Not Solve Problems
  Treasury Dept. Will Outsource Some FISMA Security Evaluations
  Company to Offer Open Source Insurance Policies
  Plaxo Fixes Phishing Vulnerability
  Internet Security Threat Report
  Book on Security Holes Includes Some Zero-Day Vulnerabilities
  Outsourcing and Data Security
  New Zealand Man First to be Charged Under New Crimes Amendment (No. 6)
     Act
  Alleged Software Pirate Fights Extradition to US

VULNERABILITY UPDATES AND EFFECTS
  Malicious "Witty" Worm Exploits Firewall Holes and Overwrites Data on
     Hard Drives
  Symantec Releases Fixes for Product Vulnerabilities
  Bagle Variants Q, R, S & T Exploit IE Object Data Remote Execution
     Vulnerability
  Bagle Variants N, O & P Hide Zip File Password in Graphic File, Seek to
     Destroy Netsky 
  Phatbot Trojan Spreads via P2P Technology, Launches DDoS Attacks and
     Steals Data
  Fixes Available for OpenSSL Flaws
  Macromedia Releases Patches for Two Vulnerabilities

CIS ANNOUNCEMENT OF WINDOWS XP SECURITY BENCHMARK AND FREE TESTING TOOL

************************** Sponsored by NetIQ *************************

Need security policies? 

Don't start from scratch. Check out "Information Security Policies Made
Easy," the best security policy resource guide available, with 1,300+
ready-to-use security policies, easily customizable for any
organization. Also, don't miss our step-by-step guide,
"Information Security Roles & Responsibilities Made Easy." 

Check them both out now.  
http://www.netiq.com/f/form/form.asp?id=2202&origin=NS_SANS_032404

***********************************************************************
This Week's Featured Security Training Program:

We have added ten new conferences between May and July.
In the US: Colorado Springs, Chicago, Baltimore, Kansas City (Overland
Park), Denver and Minneapolis.
Plus Munich, Germany (late April) and Melbourne and Gold Coast
Australia, Vancouver, Canada, and London, England.
Find details at http://www.sans.org

*************************************************************************

TOP OF THE NEWS

 --Back-Up Tape of Citibank Customer Transactions is Lost
(19 March 2004)
A back-up tape containing a month's worth of Japanese Citibank customer
transactions was lost while being transported to a data center in
Singapore.  The information on the tape included account holders' names,
addresses, account numbers and balances.  Citibank intends to inform
affected customers by letter.
http://mdn.mainichi.co.jp/news/20040319p2a00m0dm004000c.html
[Editor's Note (Shpantzer): Back-ups are subject to all kinds of
hazards, theft and accidental loss being only a couple on the list.
One auditor at a recent SANS conference told the group that she had
staked out a bank's back-up storage contractor, to see what kind of
vulnerabilities she could find in the process.  She saw the van pull up
to the loading dock of the storage facility, and the driver parked the
entire box of tapes on the building's generator while he took a break.
The data was gone because of the generator's electromagnetic energy.]

 --Possible Customer Data Compromise at BJ's Wholesale Club Computer
    System
(19/12 March 2004)
Law enforcement agencies and credit card companies are investigating a
possible security breach of the BJ's Wholesale Club computer system.
The problem was brought to light when credit card companies began
reporting possible fraudulent activity on customers' accounts.
http://www.computerworld.com/printthis/2004/0,4814,91412,00.html
http://www.msnbc.msn.com/id/4516301

 --Former FBI Analyst Faces Charges of Unauthorized Data Access
(17 March 2004)
Former FBI investigative analyst Jeffrey D. Fudge will face trial in
Dallas on felony charges stemming from allegations he accessed FBI data
without authorization.  Fudge allegedly shared the information he
discovered with his family and friends.  If convicted of all charges
against him, Fudge could face a 50-year prison sentence or a fine of as
much as 250 million USD.
http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=25279

 --Equifax Canada Data Compromised
(17 March 2004)
Equifax Canada has informed more than 1,400 people that the security of
their credit files was compromised.  The breach apparently targeted a
narrow geographic area, which raises concerns that the attackers were
well-funded; otherwise, all of Equifax Canada's database would have
been compromised.
http://www.computerworld.com/printthis/2004/0,4814,91319,00.html

 --San Diego State University Financial Aid Server Security Breached  
(17 March 2004)
San Diego State University is contacting 178,000 students, alumni and
employees following an apparent intrusion in a university server
containing names, social security numbers and financial aid reports.
The breach occurred in December 2003; attackers used the server to send
spam and transfer files.  The breach was discovered in February 2004,
when the server was taken off the network.  The FBI has also been
notified.  This is not the first case of computer intrusion at the
university; late last year, school officials warned about 1,000 people
after a library server was compromised.
http://www.signonsandiego.com/news/computing/20040317-9999-news_7m17hacker.html

 --Interior Ordered Off Line Again
(16 March 2004)
For the third time in as many years, a federal judge has ordered the
Interior Department to remove many of its systems from the Internet.
Systems involved with energy and mineral trust for American Indians were
again found to be lacking adequate security measures.  Systems that are
vital to police work and fire services are allowed to remain online,
as are those of other bureaus that did not own the data in question.
http://money.cnn.com/2004/03/16/technology/interior_internet.reut/index.htm
[Editor's Note (Schneier): How many other departments would be ordered
off-line if they underwent the same sort of scrutiny that the Dept. of
Interior has?
(Pescatore): Because of the class action lawsuit against the Bureau of
Indian Affairs, the DoI is being held to a higher standard than other
government agencies, and even most commercial enterprises. However, the
continuing increase in identity theft due to mismanaged servers at
credit card agencies, online merchants, universities and other
enterprises means that either identity theft legislation or class action
lawsuits aren't far away. More judges may make similar calls to tell
other organizations to disconnect until they can protect their customers'
data. That would end up being much more expensive than fixing the
problems in the first place.]

************************ SPONSORED LINKS ******************************
Privacy notice: These links may redirect to non-SANS web pages.

(1) WHITE PAPER - Spam threatens network security. Learn how to protect  
     your enterprise.
REQUEST: http://www.sans.org/click.php?id=364

(2) (At SANS) 20 free vendor technical security white papers -
     numerous areas of security discussed.
http://www.sans.org/click.php?id=365

***********************************************************************

ARTICLES ON SPAM

 --AOL Sees 27% Decline in Spam
(19 March 2004)
America Online spokesman Nicholas Graham says the company has noted a
27% decrease in spam since February 20.  During that same period, daily
AOL customer complaints about spam were cut nearly in half, from 12.7
million to 6.8 million.
http://www.forbes.com/technology/newswire/2004/03/19/rtr1305508.html
[Editor's Note (Grefer): No surprise there.  The longer an ISP can
fine-tune spam filters the more efficient the filters become.  Also, through
implementation of their spam service site blocking, spammers do not get
"automatic address verification" through embedded web bugs and graphics
anymore.]

 --Only US Receives More Spam than China
(18 March 2004)
According to the Internet Society of China, in 2003, spam accounted for
nearly one in every three e-mails received in China.   Chinese servers
received at least 150 billion spam e-mails last year, placing the
country just behind the US in volume of spam received.
http://www.reuters.com/printerFriendlyPopup.jhtml?type=internetNews&storyID=4593895

 --Asia-Pacific Region Joins in Fighting Spam
(22 March 2004)
The passage of anti-spam legislation in other parts of the world,
together with recent legal action brought against spammers by four major
Internet service providers (ISPs), has inspired Asia-Pacific governments
and businesses to examine "measures" they can take to stem spam's tide.
Japan already has anti-spam legislation in place; Australia's anti-spam
laws take effect in April.
http://smh.com.au/cgi-bin/common/popupPrintArticle.pl?path=/articles/2004/03/22/1079823278794.html
[Editor's Note (Schneier): I have every confidence that the Asian effort
will be fully as effective as the U.S. CAN-SPAM laws have been.]

 --Korea Wants to Halve Spam Volume
(19 March 2004)
The Korean government aims to cut the amount of spam in half by the end
of 2004.  The country's Ministry of Information and Communication (MIC)
hit 68 spammers with stiff fines and sent warnings to an additional 127
entities.
http://times.hankooki.com/lpage/tech/200403/kt2004031917570311800.htm

THE REST OF THE WEEK'S NEWS

 --Man Pleads Guilty to Phishing Charges
(22 March 2004)
Zachary Hill of Houston pleaded guilty to charges related to a phishing
scam that targeted America Online and Paypal customers.  Hill will be
sentenced on May 17.
http://www.chron.com/cs/CDA/printstory.mpl/metropolitan/2461715

 --Researchers Modeling Attacker Methods
(19 March 2004)
Researchers at the Florida Institute of Technology are working on
modeling cyber attackers' methods in the hopes of eventually developing
new security tools. The group has received more than $1 million in
funding for this ongoing project to create detailed models of both the
intent and the semantics of every possible hacker attack. The group has
also created a computer language to describe these models.
http://www.computerworld.com/printthis/2004/0,4814,91453,00.html
[Editor's Note (Pescatore): This is a perennially popular area for
research funding but is sort of like studying rain drops in order to
fix a leak in the roof. Turns out that it doesn't matter what the
raindrops look like, or how they fall - close the windows and patch the
roof and you don't get wet.]

 --GAO Publication Describes Varieties of Security Products
(19/16 March 2004)
The General Accounting Office (GAO) has released Technologies to Secure
Federal Systems, a study of commercially available security products
broken down into 18 types of tools in five categories: access control;
system integrity; cryptography; auditing and monitoring; and
configuration management and assurance.  The study is intended to help
agencies identify and choose appropriate technologies for their systems.
http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=25352
http://www.fcw.com/fcw/articles/2004/0315/web-gao-03-16-04.asp
http://www.gao.gov/new.items/d04467.pdf
[Editor's Note (Pescatore): This report is so basic that if any security
manager in any government agency actually learns anything, I'm scared
to death.]

 --Voting Machine Problems Highlight Need for Paper Trail 
(19 March 2004)
Wired Magazine reports that an optical scanning machine used to read
paper ballots in Napa County, California for the March 2 election failed
to record more than 6,000 votes.  The machine was improperly calibrated
and did not read certain types of ink.  While the miscount did not
affect the outcome of any of the races, it underscores the need for
having a paper trail against which to check electronic voting results.
http://www.wired.com/news/print/0,1294,62721,00.html

 --Investigation Indicates Betting Sites Are Being Targeted by DDoS
    Attacks
(19/17 March 2004)
Online betting sites are being targeted by extortionists demanding money
to stave off threatened denial-of-service attacks.  With the help of
server monitoring company Netcraft, BBC News Online monitored twenty
sites, sending queries every 15 minutes and noting the response time.
Thirty-five outages were noted.  While it is not possible to determine
the precise cause of an outage by this method, some of the outages did
show characteristics suggesting the sites were being targeted by
denial-of-service attacks.  When contacted, people at most
betting sites didn't say what was causing their outages, but some
eventually admitted they were under denial-of-service attacks or had
received extortion threats.
http://news.bbc.co.uk/1/hi/technology/3549883.stm
http://www.theregister.co.uk/content/55/36344.html

 --Task Force Action Plans: Early Warning System, Increased Security
    Awareness
(18/16 March 2004)
Two of five task forces formed under the National Cyber Security
Partnership have released action plans for improving national cyber
security.  One of the plans calls for the creation of an early warning
system for cyber security events; the other offers cyber security
awareness guidelines for home and small-business users.  The guidelines
have been criticized for being "vendor-driven."
http://news.com.com/2102-7355_3-5175669.html?tag=st.util.print
http://www.computerworld.com/printthis/2004/0,4814,91368,00.html
http://www.fcw.com/fcw/articles/2004/0315/web-cybersec-03-18-04.asp
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=18400890
http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=25322
http://www.eweek.com/print_article/0,1761,a=121802,00.asp

 --Windows XP SP2 RC1 Available to Beta Testers
(18/17 March 2004)
Beta testers were able to receive Windows XP Service Pack 2 (SP2)
Release Candidate 1 (RC1) late last week.  RC1 includes Windows Security
Center, a tool that makes it easy for users to access security settings.
A pop-up blocker will be on by default as will a built-in firewall;
Windows Messenger is turned off.
http://www.computerworld.com/printthis/2004/0,4814,91352,00.html
http://news.com.com/2102-1016_3-5174903.html?tag=st.util.print

 --China Shuts Down Blog Sites for Objectionable Content
(18 March 2004)
Chinese government officials closed two web sites that housed thousands
of personal blogs. Some Chinese Internet users said the Web log sites
were shut because one or more personal Web pages carried opinions on a
letter from a well-known doctor to China's senior leadership asking them
to reassess the 1989 Tiananmen Square pro-democracy protests.
http://zdnet.com.com/2102-1104_2-5175258.html?tag=printthis
[Editor's Note (Pescatore): I remember thinking back in 1987 when the
Phil Donahue show began to be aired in the old USSR that the end was
near for that closed society. Watching China try to play "block the
Internet Twister" is deja vu all over again.]

 --Management Practices of High-Performing IT Organizations
(17 March 2004)
In the first of a pair of related articles on high-performing IT
organizations, Gene Kim describes three management practices such
organizations employ: enforcing change management processes, fostering
a "culture of causality", and "integrating security teams into change
management processes."
http://www.computerworld.com/printthis/2004/0,4814,91205,00.html
[Editor's Note (Schneier): This seems awfully buzzword-heavy, but I
suppose there's value in looking at systems that work well and trying
to analyze why.]

 --US President Putnam Questions Agencies About IT Security
(22/17/16 March 2004)
During a hearing on information security, Adam Putnam, chair of the
House Government Reform Subcommittee on Technology, Information Policy,
Intergovernmental Relations and the Census, chastised government
agencies for moving too slowly in their efforts to secure their computer
systems.  The agencies received a collective security grade of "D" for
2003.  Some agencies showed marked improvement; the Nuclear Regulatory
Commission and the National Science Foundation both received individual
grades of "A."
http://news.com.com/2102-7348_3-5174112.html?tag=st.util.print
http://www.fcw.com/fcw/articles/2004/0315/web-omb-03-16-04.asp
http://www.fcw.com/fcw/articles/2004/0322/mgt-nuke-03-22-04.asp

 --Opinion: Assessments Do Not Solve Problems
(22 March 2004)
Richard Forno offers his opinion that "annual assessments are an
exercise in bureaucratic idleness designed to 'address' but not
'resolve' security problems in any meaningful fashion."  He goes on to
say that activity, in this case accreditation and certification, has
become confused with progress, or actually fixing problems.
http://www.theregister.co.uk/content/55/36429.html
[Editor's Note (Pescatore): For enterprises that are in denial, bringing
in an outsider to do a security assessment is unfortunately often the
only way to convince management there is a problem. This isn't peculiar
to the security industry - most of the consulting world exists to tell
management the same thing their own people were trying to tell them.
But Rik is certainly right that stopping at step four (doing a fearless
inventory of yourself) of the 12 step program to becoming more secure
is too often what happens.]

 --Treasury Dept. Will Outsource Some FISMA Security Evaluations
(16 March 2004)
Treasury Department Inspector General Jeffrey Rush Jr. says his office
plans to outsource Federal Information Security Management Act
(FISMA)-mandated evaluations of non-national security systems.  Rush's
office lost 70% of its auditing staff last year to the Department of
Homeland Security.
http://gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=25266

 --Company to Offer Open Source Insurance Policies
(16 March 2004)
Taking advantage of a unique market niche, New York-based Open Source
Risk Management LLC plans to offer policies to companies that use
open-source software but are worried about being sued by SCO.
http://www.computerworld.com/printthis/2004/0,4814,91289,00.html    

 --Plaxo Fixes Phishing Vulnerability
(16 March 2004)
Plaxo, an online contacts management company, says it has fixed a
security hole that would have allowed phishers to steal customers'
passwords.
http://www.zdnet.co.uk/print/?TYPE=story&AT=39149309-39020375t-10000025c

 --Internet Security Threat Report
(15 March 2004)
Symantec's most recent Internet Security Threat Report says that while
the number of software vulnerabilities has remained fairly constant,
they have become more severe and easier to exploit.  The report found
that viruses increased 250% in the second half of 2003 over the same
period in 2002.
http://www.eweek.com/print_article/0,1761,a=121625,00.asp
http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=25258
http://www.theregister.co.uk/content/55/36251.html

 --Book on Security Holes Includes Some Zero-Day Vulnerabilities
(15 March 2004)
A group of security researchers has written The Shellcoder's Handbook:
Discovering and Exploiting Security Holes.  The book contains
instructions for writing code to exploit software vulnerabilities,
including several zero-day, or previously undisclosed, vulnerabilities.
The book is targeted at network administrators who want to close
security holes in their systems.  The book is scheduled for release on
March 22.
http://www.computerworld.com/printthis/2004/0,4814,91265,00.html

 --Outsourcing and Data Security
(15 March 2004)
Advice for maintaining the security of data when it's been outsourced
includes asking to see a security audit, setting up a clean room that
prevents workers from taking any data out, limiting workers' access to
data, and knowing your workers.
http://www.computerworld.com/printthis/2004/0,4814,91085,00.html
[Editor's Note (Shpantzer): Some DRM vendors make software that allows
for post-delivery content restrictions, whether viewing or printing.
There are even customized products for portals that focus on sensitive
data-entry cubicle-farms, such as those often seen in outsourcing
projects.]

 --New Zealand Man First to be Charged Under New Crimes Amendment
    (No. 6) Act
(15 March 2004)
A New Zealand man who was granted name suppression is the first person
to be charged under the country's Crimes Amendment (No 6) Act, which
imposes stiff penalties for cyber crimes.  The charges stem from alleged
damages caused to a Maryland company's web site and computer systems.
One of the charges the man faces carries a maximum sentence of 7 years
in prison; another carries a maximum 2-year sentence.  The Crimes
Amendment (No 6) Act passed last year after four years in parliament.
http://www.stuff.co.nz/stuff/0,2106,2845353a6022,00.html

 --Alleged Software Pirate Fights Extradition to US
(14 March 2004)
Hew Raymond Griffiths of New South Wales, Australia, is fighting
extradition to the US to face piracy charges.  Griffiths is allegedly
the leader of the DrinkOrDie piracy group.  Several US members of the
group have been in jail for as long as four years; others are awaiting
trial and sentencing.  If Griffiths is convicted in the US, he could
face a 10-year prison term and a 500,000 USD fine.
http://www.news.com.au/common/printpage/0,6093,8957483,00.html

VULNERABILITY UPDATES AND EFFECTS

 --Malicious "Witty" Worm Exploits Firewall Holes and Overwrites Data
    on Hard Drives
(21 March 2004)
http://www.theregister.co.uk/content/56/36413.html
http://www.washingtonpost.com/ac2/wp-dyn/A11310-2004Mar20?language=printer 
[Editor's Note (Tan): If you are running the vulnerable BlackICE version
and you have not corrected the problem, you will be infected immediately
when you connect your system to the Internet. Imagine trusting the
firewall to protect your system from attacks, but the firewall actually
causes the damage.  This worm spreads like Slammer, fast and
destructive, through UDP. And being memory resident, most anti-virus
scanners are not able to detect it. From what I have seen, SANS Internet
Storm Center is the first site that reported this worm. Johannes Ullrich
has done a great job in getting the alert out and elevating the Infocon
level to yellow.]

 --Symantec Releases Fixes for Product Vulnerabilities
(19 March 2004)
http://news.com.com/2102-7355_3-5176442.html?tag=st.util.print

 --Bagle Variants Q, R, S & T Exploit IE Object Data Remote Execution
    Vulnerability
(19/18 March 2004)
http://www.computerworld.com/printthis/2004/0,4814,91408,00.html
http://www.theregister.co.uk/content/56/36362.html
http://news.com.com/2102-7355_3-5175727.html?tag=st.util.print
http://www.techweb.com/wire/story/TWB20040318S0009
[Editor's Note (Tan): This is going to be a record. Hitting Z soon, so
what is the letter after Z?]

 --Bagle Variants N, O & P Hide Zip File Password in Graphic File, Seek
    to Destroy Netsky
(16/15 March 2004)
http://www.zdnet.co.uk/print/?TYPE=story&AT=39149030-39020330t-10000025c
http://www.zdnet.co.uk/print/?TYPE=story&AT=39149316-39020375t-10000025c

 --Phatbot Trojan Spreads via P2P Technology, Launches DDoS Attacks and
    Steals Data
(21/18/17 March 2004)
http://www.computerworld.com/printthis/2004/0,4814,91365,00.html
http://news.com.com/2102-1009_3-5175025.html?tag=st.util.print
http://www.theregister.co.uk/content/6/36414.html

 --Fixes Available for OpenSSL Flaws
(19/17 March 2004) 
The flaws affect a number of Cisco products; fixes are available.
http://news.com.com/2102-1002_3-5174911.html?tag=st.util.print
http://www.theregister.co.uk/content/55/36400.html
http://www.cisco.com/warp/public/707/cisco-sa-20040317-openssl.shtml

 --Macromedia Releases Patches for Two Vulnerabilities
(16 March 2004)
http://www.techworld.com/news/index.cfm?fuseaction=displaynews&NewsID=1214

 --CIS ANNOUNCEMENT OF WINDOWS XP SECURITY BENCHMARK AND FREE TESTING TOOL

March 23, 2004 - The Center For Internet Security
("CIS") announced today the public release of a new Benchmark (v.1.1.3)
for Windows XP Professional and an updated Windows Scoring Tool
(v.2.1.12).  Both the Benchmark and the Scoring Tool are available for
download, free of charge, from the CIS web site,
http://www.cisecurity.org.

CIS Benchmarks specify technical security controls that strengthen a
system's defenses against malicious attacks.  The Benchmarks are unique
because security professionals from around the world contribute to the
consensus security configuration recommendations.  This group of
security professionals includes the public/private user community, as
represented by CIS member organizations, as well as representatives from
participating software vendors.

CIS Scoring Tools evaluate host systems, comparing their security
configurations against the Benchmarks.  They produce easy-to-understand
reports that rate system security on a simple numeric scale.

The CIS Benchmark for Windows XP Professional contains four levels of
technical control settings intended for use in XP Professional systems,
enabling users to choose the consensus security configuration most
appropriate for their particular environments.  The four names and
security level definitions are consistent with Microsoft's published
security configuration guides.  The four security levels are:

LEGACY: Settings in this level are designed for XP Professional systems
that need to operate with older systems such as Windows NT, or in
environments where older third party applications are required. The
settings will not affect the function or performance of the operating
system or of applications that are running on the system.

ENTERPRISE STANDALONE: Settings in this level are designed for XP
Professional systems operating in a managed environment where
interoperability with legacy systems is not required. This level assumes
that all operating systems within the enterprise are Windows 2000 or
later and are therefore able to use all possible security features
available within those systems.  In such environments, these Enterprise-level settings
are not likely to affect the function or performance of the OS.
However, one should carefully consider the possible impact to software
applications when applying these recommended XP Professional technical
controls.

ENTERPRISE LAPTOP: These settings are nearly identical to the Enterprise
Standalone settings, but with modifications appropriate for mobile users
whose systems must operate both on and away from the corporate network.
In environments where all systems are Windows 2000 or later, these
Enterprise-level settings are not likely to affect the function or
performance of the OS.  However, one should carefully consider the
possible impact to software applications when applying these recommended
XP Professional technical controls.

HIGH: Settings in this level are designed for XP Professional systems
in which security and integrity are the highest priorities, even at the
expense of functionality, performance, and interoperability.  Therefore,
each setting should be considered carefully and only applied by an
experienced administrator who has a thorough understanding of the
potential impact of each setting or action in a particular environment.

The updated CIS Scoring Tool (v2.1.12) checks the conformity of a Windows
XP Professional operating system configuration to the Windows XP
Professional Benchmark (v1.1.3).  The tool also evaluates host systems
against the CIS Benchmarks for Windows NT and 2000.
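A small illustration of the benchmark-scoring idea described above (levels that build on one another, a host configuration compared control by control, a numeric score, and a list of what must change to raise it), added here as an example. It is not CIS code: the setting names resemble Windows security-policy items, but the required values and the contents of each level are constructed for this illustration, not taken from the actual Benchmark.

```python
"""Toy benchmark scoring in the spirit of the CIS Scoring Tool.

Added example, not CIS's own code. Setting names look like Windows
security-policy items; the required values and level contents are
constructed for illustration and are NOT the real CIS Benchmark data.
"""
from dataclasses import dataclass
from typing import Any, Dict, List, Optional


@dataclass(frozen=True)
class Control:
    """One benchmark requirement: a setting name, a required value, and how to compare."""
    name: str
    required: Any
    op: str = "eq"  # 'eq', 'ge', 'le' or 'between' (required is a (low, high) pair)

    def satisfied_by(self, actual: Any) -> bool:
        if actual is None:  # setting absent on the host counts as a failure
            return False
        if self.op == "eq":
            return actual == self.required
        if self.op == "ge":
            return actual >= self.required
        if self.op == "le":
            return actual <= self.required
        if self.op == "between":
            low, high = self.required
            return low <= actual <= high
        raise ValueError(f"unknown comparator {self.op!r}")


# Each level inherits its parent's controls and may add to or tighten them,
# mirroring the Legacy -> Enterprise -> High progression (constructed values).
PARENT: Dict[str, Optional[str]] = {
    "LEGACY": None,
    "ENTERPRISE STANDALONE": "LEGACY",
    "ENTERPRISE LAPTOP": "ENTERPRISE STANDALONE",
    "HIGH": "ENTERPRISE STANDALONE",
}
ADDITIONS: Dict[str, List[Control]] = {
    "LEGACY": [
        Control("MinimumPasswordLength", 8, "ge"),
        Control("PasswordComplexity", 1),
        Control("AuditLogonEvents", "Success, Failure"),
    ],
    "ENTERPRISE STANDALONE": [
        Control("LmCompatibilityLevel", 3, "ge"),      # constructed: NTLMv2 only
        Control("LockoutBadCount", (1, 50), "between"),  # 0 would mean lockout disabled
    ],
    "ENTERPRISE LAPTOP": [
        Control("ScreenSaverGracePeriod", 5, "le"),
    ],
    "HIGH": [
        Control("MinimumPasswordLength", 12, "ge"),   # tightened over LEGACY
        Control("LmCompatibilityLevel", 5, "ge"),     # tightened over ENTERPRISE
        Control("RequireSignOrSeal", 1),
    ],
}


def controls_for(level: str) -> Dict[str, Control]:
    """Resolve the effective control set: root level first, children override by name."""
    chain: List[str] = []
    cur: Optional[str] = level
    while cur is not None:
        chain.append(cur)
        cur = PARENT[cur]
    merged: Dict[str, Control] = {}
    for name in reversed(chain):
        for c in ADDITIONS[name]:
            merged[c.name] = c
    return merged


def score_host(host: Dict[str, Any], level: str) -> Dict[str, Any]:
    """Compare a host's settings with one level; return score, total, percent and deviations."""
    controls = controls_for(level)
    deviations = []
    for c in controls.values():
        actual = host.get(c.name)
        if not c.satisfied_by(actual):
            deviations.append({"setting": c.name, "actual": actual,
                               "required": c.required, "op": c.op})
    passed = len(controls) - len(deviations)
    return {"level": level, "score": passed, "total": len(controls),
            "percent": round(100.0 * passed / len(controls), 1),
            "deviations": deviations}


def remediation_lines(result: Dict[str, Any]) -> List[str]:
    """Human-readable 'what to change to raise the score' list."""
    return [f"{d['setting']}: is {d['actual']!r}, needs {d['op']} {d['required']!r}"
            for d in result["deviations"]]


# Constructed snapshot of one host's settings (not the output of any real tool).
SAMPLE_HOST: Dict[str, Any] = {
    "MinimumPasswordLength": 8,
    "PasswordComplexity": 1,
    "LockoutBadCount": 0,
    "LmCompatibilityLevel": 1,
    "AuditLogonEvents": "Success, Failure",
    "RequireSignOrSeal": 1,
}

if __name__ == "__main__":
    for lvl in PARENT:
        r = score_host(SAMPLE_HOST, lvl)
        print(f"{lvl}: {r['score']}/{r['total']} ({r['percent']}%)")
        for line in remediation_lines(r):
            print("  -", line)
```

Running the script scores the constructed host at 100% against the LEGACY level but only 60% against ENTERPRISE STANDALONE, because the same host fails the two controls that level adds; the HIGH level then tightens two inherited controls, so the deviation list grows even though the host has not changed. That is the practical use of such a tool: pick the level that matches the environment, then work down the deviation list.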

The Scoring Tool download package is available via the CIS website at
http://www.cisecurity.org.

The download package contains the CIS Benchmarks, the Benchmark security
templates (INF files), the scoring tool, and a detailed users' guide
for installation and use of the tool.  It also contains 14 other
publicly available Windows security templates for selective use.

In addition to these security resources for Windows XP Professional,
CIS also distributes consensus Benchmark and Scoring Tools free of
charge for Windows 2000 and NT, Solaris, Linux and HP-UX operating
systems, as well as Cisco Router IOS and Oracle Database.

CIS Benchmarks are updated with configuration recommendations that
mitigate new vulnerabilities as they are identified.  Continuous
feedback from users ensures broad consensus regarding the recommended
technical controls.  More information on CIS, its Benchmarks, and Tools
can be obtained from the CIS website, http://www.cisecurity.org.

===end===

NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John
Pescatore, Marcus Ranum, Bruce Schneier, Eugene Schultz, Gal Shpantzer,
Koon Yaw Tan

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites.  For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (Darwin)

iD8DBQFAYQXA+LUG5KFpTkYRAsCzAJ0TiQW5vsUEsqjT4b9mphkadrzg2gCdGFs8
ELQJZwxEq3ea8QhU7oPj+nk=
=tXwt
-----END PGP SIGNATURE-----

------------------------------------------------------------------------
To unsubscribe from netsec, send mail to majordomo@merit.edu
with a body consisting of the words "unsubscribe netsec" --
without the quotes. For more help, send a message to majordomo@merit.edu
with the word "help" as the body.
------------------------------------------------------------------------