Attachmate Worldwide  |   Contact Us  |   NetIQ.com
Home » Support » Solution Library

Technical Notes

Features Introduced in Reflection for Secure IT Windows Server 6.0
Technical Note 1904
Last Reviewed 23-Aug-2006
Applies To
Reflection for Secure IT Windows Server version 6.0
Summary

This document lists the features introduced in Reflection for Secure IT Windows Server version 6.0.

Note the following:

  • Reflection for Secure IT version 7.0 is available beginning in February 2008. For a list of new features in 7.0, see Technical Note 2273. For information about purchasing Reflection for Secure IT, please e-mail us: SalesRecept@attachmate.com.
  • Beginning with version 6.0, the F-Secure SSH product line has a new name: Reflection for Secure IT.

This note is divided into the following topics:

Reflection for Secure IT Server Security Vulnerability Update
Features Introduced in Version 6.0
Supported Platforms
Product Manual
Release Notes
Technical Support

Reflection for Secure IT Server Security Vulnerability Update

  • Reflection for Secure IT Windows Server version 6.0 build 42 or higher contains a fix that prevents the possibility of executing specially-crafted and potentially malicious binary files in place of subsystem binaries, such as the sftp subsystem.

For more information, see Technical Note 2112.

  • A security vulnerability, which affects Reflection for Secure IT Windows Server version 6.x, has been fixed in Reflection for Secure IT UNIX Server version 6.0 build 38.

This build fixes a format string vulnerability in sftp server logging. Without this fix, a remote attacker may be able to execute arbitrary code via the user's privileges if they can persuade an authenticated SSH user to stat a specially-crafted file. A malicious, authenticated user could also launch a denial-of-service attack against the SSH server.

For more information, see Technical Note 1882.

Features Introduced in Version 6.0

The following features were added in version 6.0 of Reflection for Secure IT Windows Server.

  • Support for domain accounts with the RSA SecurID and User Public Key authentication methods has been added for the Windows Server 2003 platform. Support for domain accounts with the RSA SecurID and User Public Key authentication is not available on NT4 or Windows 2000 Server.
  • Support for domain accounts with password authentication is available on all platforms and was available in earlier versions.
  • Event log for maximum password attempts.

The server now logs data indicating when the number of maximum password attempts has been exceeded for a user. The event log will log a message, “Maximum password guess count exceeded for user %s.”

  • A new ssh-certtool.exe tool is available. You can use ssh-certtool.exe to create PKCS#10 certificate requests and PKCS#12 packages, including specification of the Subject Alternative Name extensions.
  • The ssh-certenroll2.exe tool has been renamed to ssh-cmpclient.exe.
  • Key codes are no longer required for installation.
  • Time-limited evaluation is extended.

If you are considering purchasing Reflection for Secure IT, you can obtain an evaluation version and use it for up to 60 days. To request an evaluation version, click Trial Versions from http://support.attachmate.com/downloads/.

  • The ssh-certview tool has been extended to be able to display more certificate extensions.

Supported Platforms

Windows 2003 Server
Windows 2000 Server
Windows NT 4.0 Server with Service Pack 5

Product Manual

See the product manual for information about installing (including a silent installation) and configuring Reflection for Secure IT Windows Server. The manual (pdf) is linked from http://support.attachmate.com/manuals/sshdocs.html.

Release Notes

The release notes contain a brief list of known issues:

  • Users upgrading from F-Secure SSH Server for Windows version 5.2 or 5.3 on the Windows Server 2003 platform may see an error: "The procedure entry point ssh-random-get-bytes could not be located in the dynamic link library fssh32.dll".

Note: This error message appears because an SSH service is running on the machine; however, the error does not appear if you uninstall the earlier version before installing version 6.0.

Click OK to dismiss the error message, and proceed with the install.

  • Users upgrading from F-Secure SSH Server for Windows version 5.1, (without first uninstalling version 5.1) will see an F-Secure management icon in the system tray after completing the install.

Clicking this icon displays a management tool that incorrectly suggests that the 5.1 product is still installed. Some services pertaining to the 5.1 product may also be running. Neither the icon nor the services affect the operation of the 6.0 product.

  • The Install chapter in the "SSH Server for Windows Reference" pdf (page 5) instructs you to "Restart your computer to get the server software started."

A restart is necessary only if you are installing the product on Windows Server 2003. On other supported platforms, no restart is necessary.

  • Microsoft Windows Server 2003 and Microsoft Windows 2000 Server ship with built-in accounts, such as Administrator and Guest. Microsoft recommends that these accounts be renamed or disabled in order to prevent potential hackers from exploiting them.

If either of these accounts was renamed after being configured for SSH public key authentication, there is potential for a security breach as the server will continue to accept user keys from users who authenticated via public key to the original Guest or Administrator account.

This is a problem only if SSH was configured to run on the server with public key authentication and with built-in accounts that were subsequently renamed. We are not aware of any exploits of this vulnerability, but we do recommend that you fix it immediately.

Workaround Options:

There are two possible workarounds. Please select the one that works better in your environment.

Workaround 1:

Change the server configuration using the GUI as follows:

    1. Add the string administrator to the Deny login for users in User Restrictions.
    2. Create a subconfiguration entry in the Advanced screen by adding a UserSpecificConfig line to the end of the file, for example:
UserSpecificConfig New-Admin-Name admin.config
    1. Click Apply to notify the running server of the changes.
    2. Create a file named admin.config in the folder where the server was installed (usually "C:\Program Files\F-Secure\ssh server"); the file should contain the following line:
UserConfigDirectory "C:\\Documents and Settings\\administrator\\.ssh2"

Note: The doubled \\ is required. The permissions of the sshd2_config and admin.config files should be changed to permit only the Administrator group access to these files.

Workaround 2:

Follow these steps to move and restrict access to the security files:

    1. In the Documents and Settings folder, create a new folder using the new Administrator user name as the folder name. For example, "C:\Documents and Settings\New-Admin-Name."
    2. In the new folder, create a new .ssh2 folder. For example, "C:\Documents and Settings\New-Admin-Name\.ssh2."
    3. Move all public key files and the authorization file to the new \.ssh2 folder.

Note: Move the files, do not copy the files.

    1. Set the .ssh2 folder permissions to allow only the New-Admin-Name user access to these files.

Technical Support

For Attachmate Technical Support information, see http://support.attachmate.com/contact/.

Related Technical Notes
1882 Reflection for Secure IT Server Security Vulnerability Update and Workaround: SFTP Subsystem Server
1898 Readme: Features Introduced in Reflection for Secure IT Windows Server 6.1
1999 Reflection for Secure IT Technical Notes
2112 Reflection for Secure IT Windows Server Security Vulnerability (iDefense Advisory 11.15.05)
2273 New Features in Reflection for Secure IT Windows Server 7.0 and Release Notes

Did this technical note answer your question?

Yes    No    Somewhat     Not sure yet

Additional comments about this tech note:

Need further help? For technical support, please contact Support.