Hello folks, a quick post here just to let you know that me and my friend Tom Shinder will be presenting at TechEd US (in Orlando) and TechEd Europe (in Amsterdam). We will deliver the same session in both events, which is  Understanding and Deploying Hosted Cloud: Concepts and Implementation. We will also use this opportunity to network with the IT PRO / SEC Community and record an episode for our Security Talk Show (From End to Edge and Beyond) with your participate, so I really hope to see you there !

Here it is why you can’t miss TechED 2012.

Recently I saw this thread on the TMG Forum and found it very interesting as it was quiet easy to repro. Yesterday Microsoft released a signature update that address this issue. The problem that TMG’s administrators were facing is documented here:

From: http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Exploit%3aJS%2fBlacole.BW

Make sure to go to TMG Update Center and force an update (in case Malware Inspection is not showing as 1.119.1988.0). If it is higher than that you should be fine as shown below:

Today I received an email from a friend with the subject: Remove my photo from FACEBOOK. On the body of the email it says:

“Hey, who gave you permission to post my photo at Facebook??? Be aware that I didn’t like that and I would like you to remove ASAP. Are you playing around with me?”

Under this paragraph a link pretending to be to the Facebook picture. Here it is the original email (in Portuguese):

Well, when I saw that I knew it was fake e-mail (a typical social engineering e-mail) and I also knew that if I wait a little bit, probably Hotmail will be redirecting this to my Junk Mail. But I was curious to understand what this was about, so I copied the URL to a lab environment that I have (isolated from my production network).

What happened?

I configured my TMG’s live logging to watch the particular client where I was doing the test and here it is what I saw:

1. A redirect from the short URL:

2. Another redirect from the target (notice my friend’s email address is on the GET Request:

3. Right after that this is what I see on my client workstation:

4. Immediately FEP 2010 opened the window below on the client workstation:

5. When I clicked show details this is what I got:

A severe threat (Trojan) that was trying to land into my system. I was luck to have FEP 2010 fully updated and ready to mitigate such risk, however some users might not have that.

What about your friend?

The best thing you can do if you believe your friend is sending compromised content (probably because he was compromised) is to take an action to inform Hotmail that this happened. From Hotmail web interface you can flag that message saying that your friend was hacked:

…or you can also send the message to Junk folder and flag that your friend was hacked:

Keep yourself and your friends safe!

Me and my friend Tom Shinder, along with John Weston will be speaking at Shared Cloud Dallas 2012 in March. Me and Tom will share the stage to talk about Private Cloud Security and we will also use this opportunity to record an special edition of our Security Talk Show – From End to Edge and Beyond. If you are going to attend to this event, come meet us and chat about Private Cloud Security. We will also give away some Forefront books during our presentation.

See you there !

You might not have noticed but this month (last January 10th) ISA Server 2006 Mainstream Support ended as shown in the table below:

Source: http://support.microsoft.com/lifecycle/?p1=11928

The question that you might have is: what about this extended support that goes until January 2017? Extended support means the following:

Better to start planning your migration as part of your new year’s resolution.

Yesterday we released a new version of the Private Cloud Security Hub at TechNet Wiki, you can access it from here:

http://social.technet.microsoft.com/wiki/contents/articles/6642.a-solution-for-private-cloud-security.aspx

The good news with this release is that you can also access the full set of DOCs (3) that corresponds to those TechNet Wiki articles from one single place. That’s right, we compiled everything in a single ZIP file that you can download from here:

http://gallery.technet.microsoft.com/A-Solution-for-Private-67209ab1

These papers will guide you through the design of private cloud security, the understanding of the security blueprint and the secure service operation of a private cloud. Feel free to leave your comments and feedbacks, they are very important to us.

Hello Folks,

Today we have some new KB Articles published for Forefront TMG 2010. If you are experience any of those issues, make sure to read these articles and apply the new update called Rollup 1 for Forefront Threat Management Gateway (TMG) 2010 Service Pack 2 . All articles are available at http://support.microsoft.com/kb/2649961

Me and my great friend Tom Shinder are very pleased to announce that we signed a contract with Syngress to write our next book, which will be about Windows 8 Security. This is our greatest project for 2012 and we are very excited about this new partnership with Syngress. If you take a look on Syngress’s website you will see that their infosec portfolio cover many areas such as:

• Digital Forensics
• Hacking and Penetration Testing
• Certification
• Information Security and System Administrators

Note: you will also find in one of these pages the book that our friend Tim “Thor” Mullen wrote (watch Episode 10 for more details).

While we can’t reveal too many details about what we will cover in this book, you can definitely expect broad and deep coverage of many security features that are coming with Windows 8 as well as Cloud implementations.

Stay tune also on Tom’s blog, he will bring some more details about the project.

Hello folks and Happy New Year for you all !!

If you are running Forefront TMG 2010 and has NIS (Network Inspection System) enabled and updated, you probably notice a new signature that was released to assist you protecting against CVE-2011-3414 (part of MS11-100) as shown below:

Notice also that the response it is already setup to “Block” and it is already enabled. If you open the properties for this signature and review the Details tab you will see it is classified as a high business impact:

The good news is: if an attacker tries to exploit this vulnerability against a server that was not patched yet and the traffic is crossing TMG then NIS will identify the traffic and it will block it. Although you have this additional layer of protection to mitigate attempts to exploit this particular vulnerability, it is strongly recommended that you update your servers with MS11-100 as quick as possible (mainly the ones that are exposed to the Internet).

Stay Safe in 2012 and have a great year !

If you are following this blog since 2008 when I started you probably noticed that troubleshooting is a subject that I love it. Troubleshooting using tools like Perfmon and Windbg is amazing. In my new role at Microsoft I don’t deal with this on the daily basis anymore (like I used to on CSS Forefront Edge Team), however the love did not go away. I’m still quiet involved with troubleshooting and researching about new things and hot to fix it when it is not working. This week for example me and Tom recorded the Episode 13 of our Security Talk show. This episode was called Demo Day and I demonstrated how to use Perfmon and Windbg to troubleshoot a performance issue on TMG.

The video is available here or you can watch below:

I hope you like it!

You can’t deny that social networks today are part of the vast majority of the people’s life. It is everywhere, you go to a supermarket and you see: “Like Us on Facebook at <URL>”…it’s on TV, on the streets….everywhere. Now, the questions are: do people know how to behave on social network? Do they know about the risks of revealing too much? Does your company have a security policy about social network usage? Did you have a security awareness training when you joined your current company? Was social network one of the topics of this training?

Incorrect usage of social network can cause harm not only to the individual but also to the company. Employees must be trained to correctly use social network, mainly when they are using it to advertise their work and sometimes exposing company’s information. Here in US we have a recent case where an employee was fired for ranted about his company on Facebook. As I’m not here to share something that you already know, just click here and see for yourself the security risks of social networks.

What I do want to share with you is something that happened this month in Brazil and I wrote about in my blog (in Portuguese). Matter of fact there were two recent episodes in Brazil that caught my attention. The first one (I originally wrote in Portuguese here) was about a student that used to brag about being rich by posting photos on Facebook to show the nice things that he had. His posts caught the attention of someone that was on his friend’s list. This person was able to get the key of the student’s house and handed over to thieves in order to robber those objects that were posted on Facebook. They did, they broke in to the student’s house looking for the stuff he said he had, however they found nothing other than mobile phone, some jewelry and cash. It turns out that the student was not rich, he was only bragging those things to call the attention of his friends on school.

For this particular case it is very important to understand that you need to educate your kids on how to safely use social network and other Internet resources. Here are some resources that you can start using for that:

• How to help your kids use social websites more safely
• Teach kids online security basics

The second case is even scarier in my opinion. While the first was about a kid saying things that he shouldn’t say but he was a minor and not fully educated to deal with such technology, the second case is about adult’s behavior. With the proliferation of social network integration with geographic service location we pretty much know everything that our friends are doing and where they are in such moment of time. While this can look as cool as it can be, it is also very dangerous. Last week I wrote in my blog (in Portuguese) about this case that happened in Brazil where someone left on vacation and posted: “I’m leaving on a trip”. When they got back home they didn’t have TV, computers and other electronics, all gone. The robbers left a note in a piece of paper saying: “Next time that you leave on a trip let us know”. Now that’s very serious….but I see that all the time. People are integrating all the social tools without be concert about privacy settings and when they post one thing in one place it is propagated everywhere. Sometimes those posts are wide open on Twitter and available for anyone with malicious intentions to take advantage of that.

Be careful, make sure to watch what you’re saying on social networks, make sure to not reveal too much, make sure to use the privacy settings that those platforms have available to at least create some restrictions on your profile. Be aware that everything that you write on a social network platform can (and might) be used against you in one way or another.

Stay safe!

Back in 1999 I was working in one of the largest telecom company in Brazil, there I was responsible to maintain the core Windows NT 4 Servers and some of the services running on top of it (such as Exchange 5.5). Some days when I was scanning my badge to get into the datacenter I used to think: geez, we have so many servers on this datacenter, soon we will have to physically expand it just to be able to keep up the same level of services to our customers. Then I start thinking on the network infrastructure and all those VLANs to manage, the headache to move servers across VLANs, all the dependencies, etc. Not only that, but when we were stroke by “ILOVEYOU” I thought the world was coming to an end when I was trying to clean all those mailboxes. Fortunately this is past and the evolution of the datacenter is upon us. Do you want to know what I’m talking about? If you do, take your time and watch the video below from BUILD Conference to see what’s coming on this regard:

Make sure to watch the whole video before you think you can’t achieve secure isolation in the cloud at the same time that you build a low cost datacenter with powerful management tools.

Even I can’t believe that last time that I wrote here was 18 days ago, I think I was never away from here for so long. Although I’m away from here, I’ve been writing in many other places, recording episodes for our Security Talk Show and working on my regular activities at Microsoft (which is Win8 Security stuff)….so, it’s quiet busy these days. Here are some of my updates for this past month:

New Articles at TechNet Wiki

• Deploy Windows Server Updates Services (WSUS) 3 SP2 on a DMZ Protected by Forefront TMG 2010 SP2
• Publishing Windows Server Updates Services (WSUS) 3 SP2 through Forefront TMG 2010 SP2

New Episodes of From End to Edge and Beyond

• From End to Edge and Beyond-Episode 11: Threat Management Gateway 2010 Service Pack 2 Chat with MVP Richard Hicks
• Episode 12….coming soon (today or tomorrow), stay tuned on this channel

What’s coming next?

There are lots of things coming next and as soon as I can I will be announcing here a new project that me and Tom Shinder will work in 2012. For my Brazilians friends I can tell you that a new book about information security in Portuguese is also coming in 2012, it will be again published by Editora NovaTerra (more info soon) and the second edition of my Security+ book in Portuguese should also be out next year.

Our Security Talk Show is also going to finish the year with two more great episodes (13 and 14) that are planned to be released in December. In Episode 13 (called “Demo Day”), me and Tom Shinder will demonstrate some cool scenarios (probably related to DA and TMG) and on Episode 14 we will have the TechNet Guy talking about Cloud and Office 365.

See ya around !

Hello folks, a quick post here just to bring awareness about a new KB that was released today for Forefront TMG 2010. As the KB describes the symptoms are based on the following scenario:

• A web proxy client establishes a secure socket layer (SSL) connection to an external web server by using a server that is running Microsoft Forefront Threat Management Gateway 2010.
• HTTPS inspection is not involved. Therefore, an end-to-end SSL tunnel between the client and the web server is established.
• Inside this established connection, the client uploads data to the web server.
• The connection and TCP flow to the web server are slow.

In this scenario, the upload does not finish correctly under certain circumstances. In order to fix this problem you need to apply Forefront TMG 2010 SP2 and run the script from KB 2591803.

Hello Folks,

I want to give you a quick update in a new blog that our friends from the TechNet Wiki put out there. A lot of IT PROs (and DEVs) out there still don’t know the full potential of the TechNet Wiki and I think this blog will clarify a lot of that. So, start reading the post below:

http://blogs.technet.com/b/wikininjas/archive/2011/10/30/welcome-to-wiki-ninjas.aspx

Once you finish that, take a look on the interview that I gave to the WikiNinja Ed Price and understand why I think this platform rocks:

http://blogs.technet.com/b/wikininjas/archive/2011/10/31/monday-interview-with-a-wiki-ninja-yuri-diogenes.aspx

…and if you still having questions about how to contribute, watch the interview that I gave to David Tesar last March.

Enjoy the TechNet Wiki!

One of the presentations that I delivered this year at TechED Brazil was about On-Premise Security while Migrating to the Cloud. There are many reasons to migrate to the cloud and during this presentation I emphasized the three core elements below:

	New Economics Pay for what you use Lower and predictable costs Accelerate speed to value
	Reduced Patch Management No patching, maintenance Faster deployment Robust multi-layered security Reliability and fault-tolerance
	Increase Productivity Latest software for users Internet collaboration Anywhere access Instant self-provisioning

While those core elements sounds very good, we must also be alert for the new challenges that comes with this adoption, such as:

New Threat Landscape Internal Threats On-premise Security Endpoint Protection Trusting Vendor’s Security Model Obtaining Support For Investigation Indirect Administration Accountability

The presentation was really focus on the second bullet (on-premise security). Some of the reasons why this is still an important point to address include:

• Key parts of the overall solution still remain on premises
• Parts which, if broken, would compromise the security of the entire solution
• The customer organization is very likely the weakest link in the security model
• Attackers know this and are actively targeting end users and on-premise servers

The misconception that the migration to the cloud means offloading your security to the cloud provider is just plain wrong. You need to be diligent because at the end of the day it is your data that could get compromise if you relax the on-premise security. You should adopt a defense in depth approach. All the elements from the endpoint to the cloud must be secure, not only the hosts, but the path and the remote clients. Here is a typical example of how this will look like:

There are five key elements in this diagram

• Internal client security: you must continue the effort to protect your on-premise client. Nowadays the end user is way more exposed to social engineers attacks and one mistake from them can compromise your company’s data.
• Server Security: most likely there will still be some servers running on-premise (such as legacy application, file servers, etc). You must adopt security policies and best practices to protect those servers.
• Edge Security: regardless of which edge solution you use, always try to identify a solution that can offer the elements described in the diagram above.
• Remote Client Security: while most of your internal clients will take a lot of advantage of accessing cloud services without having to connect to the internal network, there will still be scenarios where the internal client will access some kind of resource located in the internal network. You must validate this access before allowing the client computer to access those internal resources.

In summary the path to the cloud requires a lot of planning to make sure that your users can have a seamless experience while you keep your data secure.

If you are following my blog for a long time you probably read the post TMG E-Mail Protection Feature x Exchange 2010 SP1 (first published more than an year ago) when we were dealing with a major E-Mail protection issue on TMG. Due the nature of the integration between Forefront TMG and E-Mail Protection feature (Forefront for Exchange and Exchange Edge) I also wrote this presentation to assist you while troubleshooting this feature.

The good news is that Forefront TMG 2010 SP2 brings to you the following fixes that will alleviate lots of the issues that were present in the past with this integration:

• 2591744 FIX: The Email Policy Integration feature that redirects spam email messages to a quarantine mailbox address does not work when Forefront Protection for Exchange 2010 is installed on Forefront Threat Management Gateway 2010
• 2591719 FIX: "0x80070057 (The parameter is incorrect)" error message is logged, and the Forefront TMG Managed Control service cannot start, when you enable and configure the "Email Policy" feature for Forefront Threat Management Gateway 2010
• 2619992 FIX: The email policy configuration is reapplied when you configure email policy settings in Forefront Protection for Exchange that are not configured in a Forefront Threat Management Gateway 2010 environment
• 2591729 FIX: The Exchange Edge default Receive connector is disabled unexpectedly when the "Email policy integration" feature is not configured in Forefront Threat Management Gateway 2010

Go get SP2 and enjoy it!!

This week Microsoft released a major update of Forefront TMG 2010 and many TMG Admins are very excited with the new features that were announced in the Forefront TMG team blog, such as the support for Kerberos authentication in an array scenario, the improved error pages and the new site activity report. These are already three reasons to apply SP2 on your TMG, but instead of only adding two other features I’m going to give you five more reasons to apply this update. Here are those:

1. Forefront TMG 2010 SP2 makes TMG startup operation ten times faster.

• If you were in my presentation at TechED Brazil you already know that because I explained this during the presentation. But the fact of the matter is that Forefront TMG Development team did a great job enhancing the startup time on TMG. In a test done in lab the startup time decreased from 26 minutes to 3 minutes (ok, almost ten times).

2. Do you remember KB2498831? No need to run that script anymore, with TMG 2010 SP2 a new option was added in the screen to allow you to do that as shown below:

3. Performance improved for cloud migration.

• Read this post where I explain the scenario where TMG 2010 SP2 enhances that.

4. Improvement in the E-Mail Protection feature

• Some of the problems with this feature were fixed. More details on KB2555840 (once is live)

5. Account lockout enhancements for FBA.

• More details on KB2555840 (once is live).

That’s it…go grab TMG 2010 SP2 and remember: in order to apply TMG 2010 SP2 you need TMG 2010 SP1 + Update 1.

This week was all about the new SIR 2011 version, lots of buzz about Microsoft findings and interesting perspective on that. I use the SIR report findings in many situations, recently when I was presenting at TechEd Brazil I had at least two slides where the content came from SIR Report 2010. The graphic below shows a summary of how SIR report gather data to produce this great piece of content.

If you didn’t download the report yet, go ahead and do it now using one of the following versions:

Security Intelligence Report v11 (Full Report)

Key findings summary in different languages

• English
• Chinese Simplified
• French
• German
• Italian
• Japanese
• Korean
• Portuguese-Brazilian
• Russian
• Spanish

Also take some time to watch the video below about the new SIR Report and some of the findings:

Hello folks!

Long time ago I wrote this post about how IAG 2007 Can Mitigate Against SQL Injection Attacks, this post was also presented during TechED Brazil 2008, where I showed live this demo. Today I’m here to challenge you, here it is the deal:

• I want you to re-write this article in the TechNet Wiki platform, but now for UAG 2010.
• The VMs that you can use to prepare the steps are available here.
• The SQL Injection Demo is available here.
• Make sure to add the following paragraph right in the beginning of your TechNet Wiki Article:
• [Note: this article was originally posted at http://blogs.technet.com/b/edgeaccessblog/archive/2008/09/19/how-iag-2007-can-mitigate-sql-injection-attacks-demo-scenario.aspx ]
• This is a common approach and I’ve done that in the past, see this example here.
• Yes, MVPs are welcome to participate

The first one that write this article, post it on the TechNet Wiki and send me a message via Twitter saying: @yuridiogenes, here it goes the UAG and SQL Injection article [link_to_the_article_at_TNWIKI] #TNWIKI , will receive by mail a signed copy of the UAG Deployment Guide book.

Make sure to:

• Test your findings before you post. You must use UAG 2010 and update all screenshots for UAG 2010.
• You can copy the text from the original post that I wrote, not a problem, just keep the reference and keep a good format on the page.
• Write the article at TechNet Wiki, if you write on your own blog you won’t be eligible to get the book.

Are you in?

Remember, I will give the book to the first person that tweet me the phrase that I previously mention. There is no timeline for that, first one will get it…so run and do it!

Introduction

Consider a scenario where a client migrated from on-premise Exchange to Exchange Online and after this migration the users are experiencing issues while sending e-mail. During high peak times Outlook clients can’t send e-mails. Messages are getting stuck in the Outbox . When this issue was happening the event 31212 also was showing up on TMG:

One important point here to add is that when this issue was happening users were able to browse HTTP sites, but not HTTPS.

Data Collection

For this scenario we most likely will need:

• Client: Network Monitor trace on the client
• Server:
• TMG Data Packager
• Perfmon
• User mode dump

Data Analysis

When analyzing data of this nature you need to add to perfmon the core OS subsystems (memory, network, processor and disk), as well as the core Forefront TMG components. The diagram below shows an interesting trend where the Memory Pool for SSL Requests (black line in the diagram below) starts to decrease, it increases again to 100% and suddenly drops to zero.

This is exactly the time that users start to experience issues with Outlook getting messages stuck in the Outbox.

Solution

This problem happens because TMG was running out of memory pool for SSL requests. In order to fix that you need to change the registry key ProxyVmvmAlloc1pSize to a higher value (default is 1024). You can follow the guidelines from KB842438 (also applies to TMG) in order to adjust this value or you can install Forefront TMG 2010 SP2 (just released) that changes this value to 4096. For this particular case we noticed that after changing this value to 4096 the users didn’t experience this problem anymore and the server’s perfmon start looking way better even under heavy load, as shown below:

Takeaway

There are a couple of key takeaways regarding this scenario that I want to call out:

• Don’t go directly to the cloud without proper planning, you might experience issues like the one described in this article and you could potentially think that the cloud services is the one causing problem.
• Remember that when you start moving your main applications (Exchange, CRM, Sharepoint, etc) to the cloud the traffic from inside to outside will increase and you need to have your edge device (regardless of which one you use) ready for that.

Planning is definitely the key for a success migration, but in order to have a good planning you really need to know your own environment, your traffic profile and your plan to grow. In order to reduce the impact during the cloud migration you should be able to determine that and perform a migration in different waves (not all users nor all applications at the same time).

Last week I was in Brazil and I had a chance to participate in the biggest Microsoft event in Latin America, TechED Brazil. One of the sessions that I delivered there was SIA301 (more info in Portuguese in this post), where I co-presented with Alberto Oliveira, a Microsoft Forefront MVP. 

We divided the session in two main parts, first we talked about the current security landscape and some major security threats. In the second part we talked about Windows Security. One of the things that we covered in the Windows Security part was the Threats and Countermeasure Guide. The team that I work for at Microsoft is responsible to maintain this content available here. I also want to use this opportunity to bring awareness that our team is reviewing this content and you have a chance to give feedback about it, please read this post and make sure to participate on that.

During this presentation we talked about the fact that SPAM is still a big threat, mainly because of the social engineering behind many phishing e-mails. One of the videos that we showed in this presentation which is related to this subject was the recent case that Microsoft took down the Rustock botnet. You can watch the video below:

Another subject that we covered was the importance of thinking of security right in the beginning of the project, when you are writing the code for your application. For that we presented the SDL concept and demonstrated the SDL Threat Modeling Tool. In this video you can see a demo about this tool and also how to use it. 

Throughout the next few days I will be posting more about TechED Brazil and the content that I delivered there. Stay tune!

Here is a sample of what’s coming on Episode 9 of our Security Talk show:

Interviews with:

• Paulo Oliveira (Microsoft Forefront MVP) – about a recent experience that he had with Windows 7 deployment and security features that his company is using.
• Rodrigo Immaginario (Microsoft Enterprise Security MVP) – about Direct Access, covering some aspects of a Case Study from his company.
• Marcelo Tozin (Microsoft Principal PFE) – about cloud migration and some insights from the field.

Stay tune!!

Last March I delivered a presentation in Redmond on the MVP Summit about NIS and I’m sharing with you here a summarized version of this presentation (as the full presentation has some NDA content):

In Episode 3 of From End to Edge and Beyond you can also watch a demo on how NIS can block attempts to exploit a vulnerability, check it out below:

Enjoy!

Recently I received a question via Twitter (@yuridiogenes) that said: Hi Yuri, do you know how can I block P2P traffic via TMG? The answer here should be actually another question that says: why you have P2P software running on your corporate workstation in the first place? If this is not allowed, why is it there? Ah…I see, users are clever and they download applications, or bring USB drivers with unauthorized software to use in the corporate environment. I see.

This clearly shows that the problem is not really on the Edge device and trying to band aid by adding a firewall rule will not fix the root cause of this problem: unauthorized software running on corporate environment. There are many built in Windows features that can be used to lock down corporate workstations in order to assist controlling the environment.  However even before you dig in to find the features that you need to use, you need to understand what are the major elements that can assist you hardening those workstations.

By start thinking that each user should only have access to what they really need (lease privilege) you are already ahead of the curve. Because the reality is that many companies will give wide access to users and later on will realize that the users have too much access. The problem here is that since the user got used to having wide access, he will get frustrated when you cut out those privileges. As a result you will have an user that now will keep trying to find a breach so he can have access again to the resources that he used to have. We don’t want to motivate this type of behavior and that’s another reason why least privilege is the way to go right in the beginning.

Back in April I wrote this post where I mentioned the need to use standard user account and I will say again: it is very important to use standard user account. While this is not the solution for everything, it can assist in the overall protection. When I say that this is not a solution, I want to echo a paper from Secunia called “Cybercriminals do not need administrative users”. When you read the conclusion of this paper you will see that standard user is an strategy that must be present on your security policy, but you can’t think of this as the only thing that needs to be done to secure the system.

In the first paragraph of this post I showed a common scenario where an IT Admin will try to use the Firewall as the resolution for bigger problems that are going to still in place even after he blocks the traffic to go out. These days you really need to bring the security closer to the endpoint, you can’t rely only on the Firewall. Remember the defense in depth approach? It is getting even more meaning nowadays. One built in Windows feature that you can use for that is the AppLocker. If you don’t know how AppLocker works, watch the video below:

By using Applocker you are adding another layer of protection to assist you in this battle to secure the endpoint. On top of those elements you should also hardening the workstation by disabling unnecessary services and moving forward create a workstation template that you can use to guarantee a seamless experience across the board. There are many templates that comes with the Security Compliance Manager Tool as shown below:

You can either use the templates that comes with SCM or you can built yours based on an existing SCM template. This can help you to have a starting point and make adjustments on the template to reflect your environment needs.

Keep that in mind and have a good (and safe) deployment!