Picture
It! 2000Microsoft says in Picture It! 2000 the steps for “Create a new folder”
in the Catalog Help topic aren’t accurate. An existing folder can be
cataloged, but creating a new folder in the Picture It! 2000 catalog
isn’t possible.

Norton Internet Security 2000

Your user NetBIOS name may be available on your Internet Service Provider’s network,
unless the workaround provided is applied to Symantec Norton Internet Security 2000 (for all supported
platforms).

QuickBooks

2000Before upgrading to Windows 2000, rename the Intuit QuickBooks 2000 QBCONV32.DLL file.
Unless you rename it, the Windows 2000 Readiness Analyzer can’t complete
the install on a Windows 95 or 98 system. Once the install is complete,
you’ll have to rename the file back to qbconv32.dll to keep QuickBooks
happy.

Internet
Explorer 5Without write
permissions to an FTP site, when a program makes that second FtpOpenFile
function call to a file on a File Transfer Protocol (FTP) server, Microsoft
Internet Explorer 5 for Windows 95, 98, and NT 4.0 may hang. Microsoft
has a fix, but at the time of this writing, it wasn’t fully regression
tested. Therefore, they suggest applying it only if the problem causes
major difficulties. For the fix, head over to Microsoft Product Support.
Services

WinFax
PRO 10Across all
supported platforms, once Microsoft Word 2000 is shut down, WinFax PRO
10.0 may generate this message, says Symantec: “Changes have been
made that affect the global template, Normal.dot. do you want to save
those changes?” At the time of this writing a solid fix wasn’t
available, but a workaround which entails disabling the Save prompt
from appearing in Microsoft Word 2000 .

Combat
Flight SimulatorDo you have
an AGP video adapter installed on your Windows system, and does Combat
Flight Simulator hang within the first five minutes of play time? If
so, Microsoft says, the problem is the AGP adapter.

where you’ll find the latest
Internet Explorer 5.01 Service Pack for Windows 95, 98, 98, NT 4.0,
and 2000. It fixes the vulnerability that allows a Web site to retrieve
cookies that weren’t created by that Web site from your computer, says
Microsoft.

Norton
AntiVirus 2000Beware the
witching hour! If Symantec Norton AntiVirus 2000 for Windows 95 or 98
is installed, and Auto-Protect is enabled, the chances that your system
may come to a screeching halt on any given day at 11:59 P.M. are good.
Doing a Ctrl+Alt+Del maneuver to open the Close Program box, generates
the error, “Msgsrv32.exe (Not responding)”, requiring a reboot.
Symantec Technical Support was alerted of this glitch after the June
16, 2000 and June 19, 2000 virus release definitions. Since then, new
definitions that resolve the problem have been posted to Symantec’s
LiveUpdate. Look for a date after 10 P.M. PST, June 21, 2000 or later
to eliminate any chance of a recurrence.

Norton
Ghost 2000 Personal EditionThe error
message, “(15173) FAT32 detected but not assigned to MBR”,
may display in Symantec Ghost 2000 Personal for Windows 95 and 98 when
users select a drive to create an image, to clone directly, or to check
the drive integrity with Ghost. The fix: Run any disk utility — if
errors exist, they’ll be repaired.

Internet
Explorer 5.5Currently
the Autocomplete feature on the address bar in Internet Explorer 5.5
for Windows 95, 98, 98 SE, and NT 4.0, doesn’t complete a LOCAL intranet
URL. However, the feature does prompt users with possible URLs when
an Internet URL is entered. For now, users will have to type the entire
intranet URL to work around this flub.

Internet
Explorer 5.5To add a
component to Microsoft Internet Explorer (IE) 5.5 in Windows 2000, the
approved method is to use the Add/Remove tool located in the Control
Panel. But in IE 5.5, the Add component may be missing if the browser
was downloaded in Windows 2000. Apparently, this curious behavior is
by design, and the additional components are available at the Windows

WindowsMicrosoft
says visiting a Web page containing a JavaScript Uniform Resource Locator
(URL) in an IMG (image) tag could create the perfect set of conditions
for a malicious web site operator to view files on an unsuspecting user’s
system. To get a handle on this vulnerability, head over toInternet
Explorer 5An “ImportExportFavorites”
vulnerability rears its ugly head in Microsoft Internet Explorer (IE)
5 for these operating systems only: Windows 95, 98, and NT 4.0. In this
case, a malicious Web site operator has an opportunity to take any action
on the computer that the user would be capable of taking. Disabling
Active Scripting in IE 5 puts the kibosh on any attempts by unwelcome
visitors.

Windows 2000 Server Message Block (SMB), Microsoft’s Eric Schultze has clarified the fixes necessary to guard against it. To recap: SMB is a NetBIOS protocol widely used in Windows networking to share files, printers, and other services. A new hacker tool, SMBRelay, exploits several legacy security options embedded in the NetBIOS/SMB protocols that would allow an attacker to interpose between the client and host, and “hijack” a secure session.

The exploit can be blocked by closing down NetBIOS ports at the firewall. The critical ports are UDP 137 and 138, TCP 139, TCP and UDP 445. Inside the firewall, we recommended upgrading NT systems to NTLMv2 (NT LAN Manager version 2), a 128-bit encrypted version of NT LAN Manager (NTLM). However, according to Eric Schultze, NTLMv2 “won’t prevent” an SMBRelay-type man-in-the-middle attack. Other than port filtering, the only way to secure exposed NetBIOS host-client communication is to enable SMB Server Signing. This prevents the remote host from establishing the necessary “back channel” with the target host.

SMB Server Signing supports both mutual authentication and message authentication by placing digital signatures into each SMB session, which is then verified by both the client and the server. If SMB Signing is enabled WHEN POSSIBLE on the server, then clients also enabled for SMB Signing will utilize the protocol during subsequent sessions. Otherwise they will default to legacy standards. If SMB signing is enabled ALWAYS on the server, a client will not be able to establish a session unless it is also enabled for SMB signing.

To enable SMB Signing in Windows 2000, go to the Control Panel and select Administrative Tools > Local Security Settings > Local Policies > Security Options. Under Policy double-click on Digitally sign server communications (always) or Digitally sign server communications (when possible), and select Enabled. SMB Signing can be set up in Windows NT and Windows 98 by adding a pair of keys to the Registry.

If you’ve been waiting for a really good reason to upgrade the security of your Windows network, one Sir Dystic, of the infamous hacker group Cult of the Dead Cow, has come up with one. His utility, SMBRelay, coupled with Security Software Technology’s L0phtCrack password-cracking software, vastly simplifies the process of breaking passwords collected from Windows-based LAN and Internet hosts.

Unblocking the SMB

SMBRelay takes advantage of a long-known vulnerability in the Server Message Block (SMB) file sharing protocol. SMB is layered onto NetBIOS, the networking application interface first created by IBM and adopted by Microsoft for DOS. When you share a Windows directory or drive over a local area network, you are most likely utilizing SMB over NetBIOS over NetBEUI, IPX, or TCP/IP.

Both SMB and NetBIOS have evolved over time, and Microsoft has endeavored to maintain backward compatibility with its older “dialects.” But this backward compatibility means that when a SMB session is initiated, a more primitive “plain text” level of authentication can often be negotiated that provides for maximum exposure of the password data.

Additionally, because SMB was developed to facilitate file and print sharing on local networks, a Windows client will automatically attempt to log onto an SMB server. In the process, the host and client will exchange password hashes. These pairs of password hashes (the challenge from the host plus the response from the client) can be “sniffed” and saved for later cracking.

Middleman Grabs Authentication

More insidious than network sniffing is session hijacking. An attacker makes himself the “man in the middle” by virtually interposing himself between the client and host. To expedite things, the attacker can send a client of the targeted host an HTML e-mail message with a link to a NetBIOS share on the web server. As the target’s computer attempts to establish a NetBIOS connection, the attacker steps in, intercepts the client’s credentials, and passes them off as his own.

Sir Dystic’s SMBRelay automates the process by functioning first as a data relay between the client and host, sending on all but the authentication data. Then the attacker disconnects the client and binds the host to a new IP relay address that the attacker can log on to, all the while maintaining the original client’s host privileges. At the same time NTLM password hashes exchanged by the client and host are collected and saved to a text file.

Taking It to the Next Level

The primary weakness with NetBIOS, also inherited by LAN Manager, lies in its willingness to negotiate security to the lowest common denominator when handling SMB sessions. For this reason, password hash collecting and man-in-the-middle attacks on the NetBIOS/SMB protocols are not new. Microsoft has admitted that, “Recent improvements in computer hardware and software algorithms have made these protocols vulnerable to widely published attacks for obtaining user passwords.”

To this end Microsoft developed NT LAN Manager version 2 (NTLMv2), a 128-bit encrypted version of NT LAN Manager that does not depend on the exchange of password hashes for authentication. To lock out weaker protocol dialects, however, NTLM must be disabled so that session authentication defaults to NTLMv2. Enabling NTLMv2 exclusively on Windows networks is covered in Microsoft Knowledge Base article Q239869.

Eliminating Unnecessary Services

One aspect of making a software product “user friendly” is anticipating all the possible ways in which it might be used. For Microsoft, this means covering a lot of bases, and so installations of the Windows 9.x operating systems tend to throw in the kitchen sink. But as a result, you will be left with a lot of services running you probably don’t need; worse, they could pose considerable security risks.

To start with, on standalone machines NetBIOS and NetBIOS shares should be turned off. Secure Design has a page on Basic Windows 9.x Security that runs down the steps you can take to shut down unneeded Windows network services.

As a further check of your computer security, a number of security firms such as Sdesign and Gibson Research will scan your computer over the Internet for open ports and exposed NetBIOS traffic.

The SMB and other NetBIOS exploits depend on attackers finding an open NetBIOS port on the targeted machine. According to SDesign, 22 percent of the systems they scan are open on port 139, which is required for NetBIOS connections. Security consultants recommend blocking TCP/UDP ports 135, 137, and 139, and UDP port 138 at the firewall to prevent SMBRelay-type cracking attempts.

Many ISPs block these ports in order to ensure their own network security and that of their customers. In any case, especially those home users with “always-on” high-speed Internet service should deploy a personal firewall. All the major anti-virus software companies sell personal firewalls, and Zone Labs provides its popular ZoneAlarm personal firewall free to individuals and non-profit organizations.