
Security UPDATE -- IE 7.0 and Windows Vista Bring More Secure


This email newsletter comes to you free and is supported by the 
following advertisers, which offer products and services in which 
you might be interested. Please take a moment to visit these 
advertisers' Web sites and show your support for Security UPDATE. 

Quest Software 


1. In Focus: IE 7.0 and Windows Vista Bring More Secure Communications

2. Security News and Features
   - Recent Security Vulnerabilities
   - Problems with Microsoft's October Security Updates
   - Voice over IP Security Taking Shape

3. Security Toolkit
   - Security Matters Blog
   - FAQ
   - Security Forum Featured Thread

4. New and Improved
   - Endpoint Compliance Without Client Software

==== Sponsor: Quest Software ===
   Join us for a free Webcast that explains how organizations with 
heterogeneous enterprises can "Get to One" solution for systems 
management through Microsoft Systems Management Server (SMS). For most 
organizations, heterogeneous enterprises are a fact of life, but they 
present significant systems management challenges particularly for 
Unix, Linux and Mac systems. Fortunately, through natively implementing 
standards on non-Windows systems, those systems can participate in the 
systems management infrastructure offered by SMS. This Webcast will 
explain how an integrated architecture can streamline processes, save 
money, reduce complexity, increase security, and enable compliance for 
Windows, Unix, Linux, and Mac systems. Register to attend our Webcast 
on November 9, 2005 at 1:00 PM EDT 

==== 1. In Focus: IE 7.0 and Windows Vista Bring More Secure Communications ===
   by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Microsoft's IEBlog is published by the development team that works on 
Internet Explorer (IE). As such, the blog contains interesting 
information about what we might see in future versions of the browser. 

On October 22, the IE development team published an article that 
outlines a few changes Microsoft is making with Secure Sockets Layer 
(SSL) and Transport Layer Security (TLS). Current versions of IE 
support SSL 2.0, SSL 3.0, and TLS 1.0, all of which can be enabled or 
disabled (select Internet Options from the Tools menu, go to the 
Advanced tab, and scroll down to the Security section). In IE 6.0, SSL 
2.0 and SSL 3.0 are enabled and TLS 1.0 is disabled--at least that's 
the configuration in my default installations. However, SSL 3.0 and TLS 
1.0 are much more secure than SSL 2.0; therefore, Microsoft has decided 
that in IE 7.0, SSL 2.0 will be disabled by default and SSL 3.0 and TLS 
1.0 will be enabled by default. Many Web sites use SSL 2.0, so the 
changes in IE might cause connection problems for users unless sites 
begin offering SSL 3.0 before IE 7.0 enters widespread use. 

Another major change is the way certificates will be handled. IE 7.0 
will initially block access to sites whose certificates weren't issued 
by a trusted root or whose certificates have expired or been revoked. 
Under the first two conditions, the browser will offer the user the 
option of connecting anyway but not if the certificate has been 
revoked. In addition, the browser won't show nonsecure content on sites 
whose pages use both secure and nonsecure content unless the user 
explicitly unblocks the nonsecure content. 

Windows Vista will also bring changes to secure communications. With 
Vista, we'll finally see the use of 256-bit Advanced Encryption 
Standard (AES) to secure HTTP traffic. Vista will also use the Online 
Certificate Status Protocol (OCSP) for speedier certificate status 
checking and will implement some extensions to TLS that are outlined in 
Internet Engineering Task Force (IETF) Request for Comments (RFC) 3546. 

Web site administrators need to be aware of these upcoming features in 
IE and Vista and take the necessary steps towards compatibility. 
Otherwise you're bound to run into problems in the future, particularly 
with certificates used on systems that host virtual domains, due to 
server name parsing and other issues. 
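As an added example (not code from the column or from Microsoft), here is a Python pre-flight check a site administrator could run against each virtual host before IE 7.0 reaches users: it connects with TLS and the RFC 3546 server_name extension, requires the chain to validate to a trusted root, and flags certificates that have expired or that do not name the requested host, which is the virtual-domain problem the column warns about. Hostnames are placeholders; revocation status (OCSP) is not checked.

```python
import socket
import ssl
import time

def cert_names(cert):
    """DNS names a getpeercert() dict covers: subjectAltName entries, then the subject CN."""
    names = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    for rdn in cert.get("subject", ()):
        names.extend(v.lower() for k, v in rdn if k == "commonName")
    return names

def name_matches(cert, hostname):
    """True if hostname is covered exactly or by a single-label wildcard such as *.example.test."""
    host = hostname.lower()
    for name in cert_names(cert):
        if name == host:
            return True
        if name.startswith("*.") and host.count(".") == name.count(".") and host.endswith(name[1:]):
            return True
    return False

def days_until_expiry(cert, now=None):
    """Days left before notAfter; negative means the certificate has already expired."""
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return (not_after - (time.time() if now is None else now)) / 86400

def check_server(hostname, port=443):
    """Connect with TLS and SNI, require a chain that validates against the local trust
    store, and list the conditions a strict browser would block on (OCSP is not checked)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # name check is done below so it can be reported separately
    problems = []
    try:
        with ctx.wrap_socket(socket.create_connection((hostname, port), timeout=10),
                             server_hostname=hostname) as tls:
            cert = tls.getpeercert()
            if days_until_expiry(cert) < 0:
                problems.append("certificate has expired")
            if not name_matches(cert, hostname):
                problems.append("certificate does not name this host (virtual host / SNI mismatch)")
    except ssl.SSLCertVerificationError as e:
        problems.append(f"chain does not validate to a trusted root: {e.verify_message}")
    except (ssl.SSLError, OSError) as e:
        problems.append(f"TLS handshake failed: {e}")
    return problems
```

Call `check_server("www.example.test")` (placeholder name) once per virtual host; an empty list means none of the listed conditions applies.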

You can learn more about these issues in IEBlog. You can also read a 
long list of comments and concerns from the blog's readers and post 
your own comments. If you want to learn more about the cryptography in 
Windows Vista, a video of an interview with Tomas Palmer and Tolga Acar 
(cryptography program managers at Microsoft) is available at MSDN. 

If you're interested in information about Outlook Express (which 
incidentally has been renamed Windows Mail) in Windows Vista, be sure 
to read Windows Mail developer Bryan Starbuck's blog for plenty of 
insight regarding antispam features and more. You can also watch 
another video interview at MSDN with the developers and testers of 
Windows Mail in which they discuss the new mail client. 

==== Sponsor: BindView ===
Are You Prepared for the PCI-Data Security Standard? 
   If your organization handles credit card transactions with any of 
the major credit card companies, you need to assess and document your 
adherence to the PCI-data security standard. Failure to comply with the 
standard carries stiff penalties including fines, and the restriction 
of future transaction handling ability by negligent firms. Join 
BindView for a live Webcast where you will get an overview of the PCI-
Data Security Standard; how the standard's 12 major requirements impact 
IT; and how automated solutions can help demonstrate compliance with 
these requirements to satisfy an audit. Register at: 

==== 2. Security News and Features ===
Recent Security Vulnerabilities
   If you subscribe to this newsletter, you also receive Security 
Alerts, which inform you about recently discovered security 
vulnerabilities. You can also find information about these 
discoveries at 

Problems with Microsoft's October Security Updates
   Earlier this month, Microsoft published Security Bulletins MS05-050 
and MS05-051 as part of its regular monthly security patch release 
schedule. In some instances, systems might still be vulnerable after 
installing a patch or administrators might find that various important 
services don't start. Find out more in this news article on our Web 

Voice over IP Security Taking Shape
   The Voice over IP Security Alliance (VOIPSA) released its security 
framework, which the alliance hopes will help the industry identify and 
mitigate potential threats to VoIP technology. 

==== Resources and Events ===
What Does It Mean to Be Compliant?
   We've all heard about legal and regulatory requirements, but there 
are other types of compliance that might also affect you--specifically 
email compliance. In this free Web seminar, you'll get insights into 
compliance and policy issues that you need to know about, as well as 
suggestions on what to look for when implementing your compliance 
strategy, and more. Register today! 

Get Ready for the SQL Server 2005 Roadshow in Europe--Get the facts 
about migrating to SQL Server 2005!
   SQL Server experts will present real-world information about 
administration, development, and business intelligence to help you 
implement a best-practices migration to SQL Server 2005 and improve 
your database-computing environment. Receive a one-year membership to 
PASS and one-year subscription to SQL Server Magazine. Register now. 

Get the Maximum Return on Software Investments by Optimizing Every 
Dollar Spent on Software
   Inaccurate information about software usage causes many 
organizations to either overspend and buy licenses they don't use, or 
underspend and deny some end users access to the software they need. 
Attend this free Web seminar and get a 5-step plan for quickly 
implementing a license management program today! 

Accelerate Time to Recovery with Minimal Data Loss
   Learn how to meet RPO (Recovery Point Objectives) and RTO (Recovery 
Time Objectives) with a continuous, or real-time backup system. In this 
free, on-demand Web seminar, you'll discover how to roll back data to 
any point in time--not just to the last snapshot or backup! 

Exploit the Opportunities of a Wireless Fleet
   With the endless array of mobile and wireless devices and 
applications, it's hard to decide what you can do with the devices 
beyond providing mobile email access. It's even tougher to know how to 
keep it all secure. Join industry guru Randy Franklin Smith in this 
free Web seminar and discover what you should do to leverage your 
mobile and wireless infrastructure, how to pick devices that are right 
for you, and more! 

==== Featured White Paper ===
Software Packaging Workflow Best Practices
   Managing desktop software configurations doesn't have to be a manual 
process resulting in unplanned costs, deployment delays, and client 
confusion. In this free whitepaper, you'll learn how to manage the 
software package preparation process and increase your desktop 
reliability, user satisfaction, and IT cost effectiveness. Download 
your copy now and discover the value of standardizing the software 
packaging process. 

==== 3. Security Toolkit ==== 

Security Matters Blog: Martin Roesch on Snort's Past, Present, and 
by Mark Joseph Edwards, 

   Ever wonder how the intrusion detection and prevention system Snort 
got started and where it might be going in the future? Snort creator 
Martin Roesch tells you all about it in an 18-minute audio interview. 

FAQ
by John Savill, 

Q: How can I determine the logged-on user's distinguished name (DN)? 

Find the answer at 

Security Forum Featured Thread: Allow POP Email but Not Internet Access
   A forum participant has several clients with Windows 2000 boxes that 
need to get POP email on TCP ports 110 and 25. The users aren't 
supposed to have Internet access, but the machines need to get 
automatic antivirus software updates via the Internet. Join the 
discussion at 

==== Announcements ===   (from Windows IT Pro and its partners)

VIP Monthly Online Pass = Quick Answers
   Sign up for a VIP Monthly Online Pass and get online access to ALL 
the articles, tools, and helpful resources published in SQL Server 
Magazine, Windows IT Pro, Exchange and Outlook Administrator 
newsletter, Windows Scripting Solutions newsletter, and Windows IT 
Security newsletter. You'll have 24/7 access to a database of more than 
25,000 articles that will give you all the answers you need, when you 
need them. BONUS--Includes the latest issue of Windows IT Pro each 
month. Sign up now for just US$29.95 per month: 

The Exchange & Outlook Administrator Newsletter
   If you haven't already subscribed to the Exchange & Outlook 
Administrator newsletter, you're missing out on key information related 
to preventing serious messaging problems and downtime. This newsletter 
encompasses tools and solutions you won't find anywhere else to help 
you migrate, optimize, administer, backup, recover, and secure Exchange 
and Outlook. Order now: 

==== 4. New and Improved ===
by Renee Munshi, 

Endpoint Compliance Without Client Software
   ENDFORCE announced version 2.5 of its ENDFORCE Enterprise endpoint 
security policy enforcement solution. ENDFORCE Enterprise now includes 
a clientless Web agent that assesses unmanaged endpoints. Businesses 
can direct unmanaged endpoint users to a Web site where their system 
downloads an ActiveX component and undergoes a one-time assessment 
before gaining access to the network. Version 2.5 also gives companies 
the ability to send alerts to individuals and third-party monitoring 
systems, such as HP OpenView, based on compliance state changes and 
enforcement actions. For more information, go to 

Tell Us About a Hot Product and Get a T-Shirt!
   Have you used a product that changed your IT experience by saving 
you time or easing your daily burden? Tell us about the product, and 
we'll send you a T-shirt if we write about the product in a future 
Windows IT Pro What's Hot column. Send your product suggestions with 
information about how the product has helped you to 

Editor's note: Share Your Security Discoveries and Get $100
   Share your security-related discoveries, comments, or problems and 
solutions in the Windows IT Security print newsletter's Reader to 
Reader column. Email your contributions (500 words or less) to If we print your submission, you'll 
get $100. We edit submissions for style, grammar, and length.

==== Contact Us ==== 

About the newsletter -- 
About technical questions -- 
About product news -- 
About your subscription -- 
About sponsoring Security UPDATE -- 

This email newsletter is brought to you by Windows IT Security, 
the leading publication for IT professionals securing the Windows 
enterprise from external intruders and controlling access for 
internal users. Subscribe today. 

View the Windows IT Pro privacy policy at 

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2005, Penton Media, Inc. All rights reserved.

Earn your Master's degree in Information Security ONLINE 
Study IA management practices and the latest infosec issues.
Norwich University is an NSA Center of Excellence.
