Ever wonder what happened to the security guides from Microsoft Solution Accelerators? Your go-to security guidance from Solution Accelerators hasn’t disappeared, it’s just been repackaged. The previously stand-alone Microsoft product-specific security guides are now included within the Microsoft Security Compliance Manager (SCM) tool.

To simplify: Stand-alone security guides à Security Compliance Management Toolkit à Security Compliance Manager tool

Got it?

So, how do you get your hands on trusted guidance for Windows client and server operating systems and Microsoft applications from the Microsoft security experts? First download and install the SCM tool. Next, import your product baselines of choice (options include Windows 7, Windows Server 2008 R2, Internet Explorer 8, and more). Finally, select the Documents tab within a baseline to access the security guide for that Microsoft product. Simple, right?

Next steps:

• Download and install the Security Compliance Manager tool.
• Check out the SCM TechNet Wiki for more details on how to get up and running with the tool.
• Learn more about the Security Compliance Manager.
• Questions? Comments? Tell it to the development team: secwish@microsoft.com.
• Looking for a specific security baseline? Browse away!

• Windows Server 2008 R2 Security Baseline
• Windows Server 2008 Security Baseline
• Windows Server 2003 Security Baseline
• Windows 7 Security Baseline
• Windows Vista Security Baseline
• Windows XP Security Baseline
• Internet Explorer 8 Security Baseline
• Microsoft Office 2010 Security Baseline
• Microsoft Office 2007 SP2 Security Baseline

SCM is just one of the tools provided by the Microsoft Solution Accelerators team. The Microsoft Assessment and Planning Toolkit, Microsoft Deployment Toolkit, and Security Compliance Manager provide tested guidance and automated tools to help you plan, securely deploy, and manage new Microsoft technologies—easier, faster, and at less cost. All are freely available, and fully-supported by Microsoft. Learn more.

Before start today’s topic I want to quickly bring awareness that the Windows Security Survival Guide is featured at April’s Microsoft Security Newsletter, more info can be found at http://technet.microsoft.com/en-us/security/dd162324 . There you find the link to the Windows Security Survival Guide in the Security Guidance section as shown below:

Today we will talk about the last security pillar called Confidentiality, which is one of the greatest subject nowadays, mainly because it touches privacy issues. Is on the news all over the place, data breach is happening in many instances, let’s see some recent examples:

• Kroger Notifies Customers of Data Breach Stemming from Third-Party Email Vendor - http://www.securityweek.com/kroger-notifies-customers-data-breach-stemming-third-party-email-vendor
• Oklahoma hospital suffers data breach of 84,000 patient records - http://www.infosecurity-us.com/view/17024/oklahoma-hospital-suffers-data-breach-of-84000-patient-records
• One Lost Laptop is All it Takes - http://communities.intel.com/community/openportit/vproexpert/blog/2011/04/20/one-lost-laptop-is-all-it-takes

Those are only a few examples that happened this month (April 2011); I’m avoiding going back and retrieving other examples to make sure that you know that this issue is happening now. At the end of the day, this just shows you how important it is to correctly handle confidentiality in your environment.

Make sure to address all pieces

One way that confidentiality can be compromised is when data is in transit, but not only in transit from point A to point B via network, but also locally within the OS. If you fail to correctly address potential breaches locally while implementing a feature or developing an application, chances are that this will be  the area to be exploited.

As you can see it is not only a matter of saying: I’m going to encrypt all my traffic and I’m good on that. There are many other places that the correct countermeasure must be applied to avoid compromising the confidentiality of your data. What are the countermeasures that your company is adopting to address issues that will affect confidentiality? Are you using all resources that Windows has in order to assist you on that? Read the Confidentiality  section of the  Windows Security Survival Guide  to know more about the Windows resources that can assist you to overcome the challenges in this area.

There are many instances where you need to move a server to a new hardware. What you will carry from the old server to the new one will vary; you need to plan according to the server role in order to create your own checklist. Recently I had to move my own TMG Server to a new hardware (in this case a new VM) and I decided to install all over again and just import the rules. In a scenario with TMG, besides the core configuration (XML Backup) you also need to consider the certificates that are in use. As I only have a couple of certificates, there was no big deal, I just opened MMC and exported those certs. However, there are scenarios where you have a great amount of certificates and the process of exporting one by one can get quiet tedious.

But, you can use certutil to automate that. The first step in this procedure is to identity the certificate’s thumbprint (or serial number – depends on the approach in use). To do that you can use the PowerShell commands below:

Or you can also use the CertUtil command to list all the certificate in your local store:

Write it down the certificate’s serial number and assuming that the key is exportable, you now just need to run the command below:

certutil -exportPFX -p "Password" my 610df5bb000000000002 contoso.pfx

See the article Manual Key Archival for more information about CertUtil tool with -ExportPFX parameter.

Today, the Exploring Windows Security Survival Guide brings another security triad, called Availability. This is a very important element as today the vast majority of the online business can’t afford to be unavailable for too much time. But it is not only online business that can’t afford downtime; in nowadays all business are working in high level degree of dependency in other services, many time to access other services the media that will be used is Internet, therefore even if the business does not have a high Internet presence, it is still using core Internet services such as e-mail. While the discussion of Availability goes way beyond the OS itself, the purpose of this post is to emphasize the Windows features and capabilities that may assist you while planning for a high availability scenario.

The Different Availability Layers in the OS

The discussion around availability from the OS perspective is very broad, it goes from deep OS implementation details to features that allow other applications to take advantage and provide high availability. The four pillars in Windows are:

Windows features such as failover clustering allows applications such as Exchange Server and SQL Server to offer high availability capability for data access. There are many built in Windows features that allow a better recovery against failure which helps to meet high availability requirements. The Windows Hardware Error Architecture Predictive Failure Analysis (WHEA) is new predictive failure analysis (PFA) feature that uses this information to predict and manage memory errors. From the traffic standpoint, Windows Network Load Balance also increases availability by allowing multiple hosts to share the traffic load.

Make sure to review the Availability section of the Windows Security Survival Guide for more information and links to Windows features that deals with Availability.

For the last three weeks I was interacting with you in this contest, it was fun to me to write those questions, to receive your answers and chat about the results. Today I’m going to give you the answers for the last round (FPE) and also the final result with the name of the professional that will win the Forefront book collection signed by me and Tom Shinder. Let’s start by the FPE answers:

1. T,F,T,F
2. C
3. D
4. B
5. C

This round we just had two IT PRO that were able to make it above 10 points, which means the #FF for the week goes to @liontux (15 points) and @usouzajr (12 points). If you make the calculation and read my previous posts you will realize that the only one that never missed even one question was @liontux…so yes, he is the winner!!

Congratulations Leonel Leperlier the Forefront book collection is yours!!

I would like to also thanks all the other folks that participated in this contest, here it is the full list:

@hypervfan
@cfalta
@dabasinkas
@twitfperalta
@_AlbertoOliveir
@Nerijaus
@liontux
@poliveirasilva
@jjatsilversands
@_busbar
@usouzajr
@pkpatel8
@Terendo
@paulohecko
@teemukir
@bibbleq

This is it folks, thanks again and keep in touch !!

When Microsoft released Windows Vista one of the features that I was more amazed from the architecture perspective was UAC. As during that time I was working at Microsoft CSS Enterprise Support I also heard the other side of the coin and heard many complaints from customers about the amount of authentication prompt. It was indeed a shift on user’s mind about stopping to have everything to have less and even worst, ask for authorization in order to have what they used to have. With Windows 7 the amount of prompts were reduced, the core architecture principle was preserved and enhanced in some areas. But beyond the implementations details and the improvements that we had on Windows 7, there is a core goal of using UAC – keep administrative rights away from end users.

Today I was reading an article from Info Security Magazine that was entitled “Report recommends removing admin rights from end users”. While I was reading this article my mind put me back to year 2007 when I was delivering a presentation about new security features in Windows Vista. The report mentioned in this from BeyondTrust brings again the discussion about reducing attack surface by limiting user rights and avoid using administrative accounts for regular tasks. What’s interesting about this subject is that four years ago Mark Russinovich emphasized the need to do that at TechED and the slide below (from that presentation) summarizes that:

The reason I particularly like this slide is because it covers the three core points of this discussion. As I previously mention, my goal here is not go to the implementations improvements on Windows 7 from the UAC perspective, but really to emphasize how important it is to keep end users running as standard users. This can dramatically assist you to enhance the security of your environment by mitigating potential threats that are trying to exploit vulnerabilities that require administrative privileges in order to succeed.

You can watch Mark’s presentation here to really see the value of UAC:

More about UAC on Windows 7 see:

• User Account Control
• Adjust User Account Control settings in Windows 7

Last February when I wrote the Windows Security Survival Guide on the TechNet Wiki my goal was to create a document where we emphasize Windows features and functionalities that supports the security pillars of Confidentiality, Integrity and Availability. The goal of this series of blog posts that I’m going to write here is to explore some areas of the Windows Security Survival Guide where Windows platform can contribute with the three core security pillars, this week I will start with Integrity.

Windows Integrity Mechanism

There are a variety of resources available when the subject is WIM (Windows Integrity Mechanism), but before even go to this direction, what about understand what we want to achieve with Integrity on the OS perspective? We all know why we want to keep integrity while data is in transit, but what about when data is still in process in the OS? We can use the following definition of integrity that fits perfectly in this discussion:

“The integrity level is a representation of the trustworthiness of running application processes and objects, such as files created by the application. The integrity mechanism provides the ability for resource managers, such as the file system, to use pre-defined policies that block processes of lower integrity, or lower trustworthiness, from reading or modifying objects of higher integrity. The integrity mechanism allows the Windows security model to enforce new access control restrictions that cannot be defined by granting user or group permissions in access control lists (ACLs).” Source http://msdn.microsoft.com/en-us/library/bb625957.aspx

Enforcing some level of control is the core goal of many security models, such as Clark-Wilson and Biba Model. Biba integrity model for example is based on the idea that a subject with a specific level of integrity cannot write in a higher level and cannot read on the lower level. The goal here is not to read data from a lower level to avoid data contamination (reading from a source that has a lower level) and also the integrity of higher levels by disallowing lower level to write to it.

The same WIM article mentioned before brings a great paragraph that explains what Windows integrity model does not implement from Biba model:

“The Windows integrity policies do not inhibit or prevent higher-integrity subjects from reading or executing lower-integrity objects. There are many examples of attacks where reading malformed, untrusted input data results in an exploit of a vulnerability in an application and arbitrary code execution. The Windows integrity mechanism does not inhibit or prevent reading data at any level. Windows does not enforce a strict integrity policy described in the Biba model. The integrity design assumes that processes that are designed to handle untrusted data from an unknown or untrusted source are running at a lower integrity level, or that untrusted data is verified before use. However, the Windows integrity mechanism does not enforce that constraint.”

But WIM resembles the Biba model in other areas, such as:

• It uses a hierarchy of integrity labels (integrity labels are not the same as security labels in the Bell-LePadula model).
• The system uses a set of ordered subjects, objects, and integrity levels.
• The subject’s integrity level dominates (is greater than or equal to) the object’s integrity level.
• Integrity policies inhibit access to objects but are not used primarily to limit the flow of information.
• Preventing information disclosure is not a goal of the integrity mechanism in Windows

Source: http://msdn.microsoft.com/en-us/library/bb625957.aspx

There are many Windows features that enforces access level control, not only from the administrative standpoint, but also from the developer standpoint. For example the SYSTEM_MANDATORY_LABEL_ACE Structure allows you to implement mandatory access policies. Another function that leverages the concept of integrity level is SidDominates, which compares the mandatory integrity levels expressed in two SIDs.

Wrapping up

This quick overview of integrity in Windows is just a reminder that there are many areas to explore when the subject is integrity other than only be concern about integrity when data is in transit. Make sure to review the Integrity section of the Windows Security Survival Guide for more information and links to Windows feature that deals with Integrity.

Yesterday the last round of questions for the Forefront quiz were published, the numbers were even lower than with UAG, 6 out 16 contestants answered the FPE questions. I guess I will never see again what I saw with TMG where 16 contestants were answering all questions. In this round only 2 received bonus point and only 1 got all questions right. This is it folks, the end of the Forefront contest quiz. I would like to thank you for your participation. It was great to interact with you every Monday and Friday on Twitter. Keep in touch and let’s wait for Friday to see who is the big winner.

I hope you had a great weekend and that you are now ready for the last round of questions, now about Forefront Protection for Exchange, one of the leaders in the Gartner Magic Quadrant for E-Mail Gateway category. Before we start I recommend you to review the rules on the following posts:

• http://blogs.technet.com/b/yuridiogenes/archive/2011/03/25/forefront-contest-quiz-will-begin.aspx
• http://blogs.technet.com/b/yuridiogenes/archive/2011/03/28/forefront-contest-round-one-tmg-questions.aspx

Having read that, let’s move on to the FPE questions:

Question 1) Choose T (True) or F (False) for the sentences below about Best Practices to deploy Forefront Protection for Exchange: (2 points).
(Note: only the full set of correct answers will receive 2 points)

a. (__) Running such scans using the on-demand scan is not recommended. Use the scheduled scan instead.
b. (__)The default values for the transport and realtime process counts are 2. On systems with greater than 4 processor cores, performance may be improved by increasing the number of processes towards the total number of CPU cores available.
c. (__)Change the value of the Maximum container file size: (megabytes) setting in Global Settings – Advanced Options to match your e-mail policy concerning the largest permissible file attachment size.
d. (__)Use inbound, outbound, and internal transport scanning only on Transport Server.

Question 2) Review the filter below and choose the best option that applies to the filter’s criteria:

a. With this criteria all files with any name and any extension will be blocked.
b. With this criteria all files with any name and only with an EXE extension will be blocked.
c. With this criteria all files with any name and that the extension starts with EXE will be blocked.
d. With this criteria all files with any name and only with an EXE extension will be allowed.

Question 3) How many Engines does Forefront Protection for Exchange supports?

a. 3
b. 2
c. 4
d. 5

Question 4) You are installing Forefront Protection for Exchange in a Server that previously had another VSAPI-based antivirus product. The Messaging administrator confirmed that the previous AV was uninstalled a week ago. When you start installing FPE you receive the error message below:

From the options below, which one is the most recommended in such scenario?

a. Remove all folders from the previous AV solution.
b. Remove the registry key HKLM\System\CurrentControlSet\Services\MSExchangeIS\VirusScan before install FPE.
c. Run a repair on Exchange installation and try to install FPE again.
d. Run FPE installation with elevated privileges.

Question 5) Which FPE Powershell cmdlet will disable worm purging for the scheduled scan job?

a. Set-FseTransportScan -EnableWormPurge $false
b. Set-FseRealtimeScan -EnableWormPurge $false
c. Set-FseScheduledScan -EnableWormPurge $false
d. Set-FseScheduledScan -EnableWormPurge $true

Good lucky and remember that this quiz will be open until tomorrow 6:35AM CST. Tomorrow the results for this quiz and Friday the final result with the winner’s name !!

It’s Friday and this means that we have the results for the round two (UAG), without delays let’s move on to the answers:

• Question 1) A
• Question 2) A
• Question 3) F,T,F,T
• Question 4) C
• Question 5) C

In this round we didn’t have too many questionable scenarios; most of the contestants didn’t have difficult to interpret the questions. Matter of fact question number one made some people to think that I was trying to trick them, which I actually was . Remember, UAG is an ISAPI filter, so it doesn’t have any native kernel driver, it leverages HTTP.SYS and take advantage of TMG Kernel driver (FWENG.SYS), but still no native driver.

Let’s congratulate the champs of the second round of questions in the Forefront Contest Quiz, they got either all possible points (15) or most of them (12):

@liontux (15) @jjatsilversands (15) @cfalta (12) @pkpatel8 (12) @usouzajr (12) @teemukir (12)

Congratulations guys and enjoy your weekend because Monday we have the last round with FPE questions!!

I just want to drop a quick note to all Security MVPs that were able to join this morning in the webcast below:

It was great meeting you and sharing some details of our community plan. I’m really excited with what’s coming and as I said you have a big role and the capability of making a huge impact. Looking forward to work with you even more!

As soon as the recording session is available I will drop a note here as well.

In the last 24 hours the questions for the Forefront quiz round two were published, for my surprise from the 16 contestants that were participating last week only 50% answered questions this week. Not sure why this happened, maybe not many people use UAG? Maybe people are too scary of UAG? Not sure why this happened but the other interesting fact is that from 8 folks that answered the quiz, 3 got all full points and 2 got 4 correct answers.

In summary the contestants that answered UAG questions were really sharp on their choices. Keep up the good job and Friday I will be posting the result, meanwhile start to study for FPE’s quiz next week.

I hope you had a great weekend and that you are now ready for the second round of questions. Before we start I recommend you to review the rules on the following posts:

• http://blogs.technet.com/b/yuridiogenes/archive/2011/03/25/forefront-contest-quiz-will-begin.aspx
• http://blogs.technet.com/b/yuridiogenes/archive/2011/03/28/forefront-contest-round-one-tmg-questions.aspx

Having read that, let’s move on to the UAG questions:

Question 1) What is the name of the native Forefront UAG Kernel component? (2 points)

a. UAG doesn’t have a native kernel mode component.
b. fweng.sys
c. HTTP.sys
d. TCPIP.sys

Question 2) Consider a scenario where the UAG administrator is trying to publish Exchange 2010 OWA and users are complaining that when they access it they see the following screen: (2 points)

UAG administrator notices the following entry in the UAG’s web monitor log:

What could be the reason for this behavior?

a. The OWA portal was published using the wrong template.
b. Users don’t have permission to access the OWA portal.
c. Exchange CAS is denying the request.
d. UAG rule was not activated yet.

Question 3) Choose T (True) or F (False) for the sentences below about array management on UAG: (2 points)
(Note: only the full set of correct answers will receive 2 points)

a. (__) An UAG node can only be joined to an array as part of the installation.
b. (__) If you have SSL Trunks, make sure you have the SSL certificates installed on each member. Certificates are not replicated automatically! If member is missing such a certificate, activation will fail on this member.
c. (__) Domain membership is not required prior to creating the array and joining new members.
d. (__) Array Admin role is needed in both TMG and UAG to create and join nodes to the array.

Question 4) About SSTP in UAG SP1, what option below is NOT true? (2 points)

a. SSTP uses non-split tunneling by default.
b. In array, only static IP configuration is supported - no DHCP
c. It supports all major Windows versions as client (from XP to 7).
d. Any disconnection in SSTP tunnel is propagated to SSL App tunnel.

Question 5) You are installing UAG and during the installation you receive an error message saying: “UAG Setup Failed”. You looked at %windir%\temp folder but all the information there are related to TMG. Where UAG setup logs are located? (2 points)

a. %windir%\UAG\Logs
b. %ProgramFiles%\UAG\Logs
c. %ProgramData%\Microsoft\UAG\Logs
d. %ProgramFiles%\Microsoft\Forefront UAG\Logs

I would like to start today’s post with a BIG THANK YOU for your GREAT participation; regardless of the result I think that the learning experience is the most important thing here. Now let’s go to the results:

• Question 1) C
• Question 2) B
• Question 3) A
• Question 4) D
• Question 5) A,C (only the full answer is considered correct, half answer = 0 points)

Some facts from those answers considering that we had 16 contestants:

• Only four chosen another answer other than C on Question 1.
• All contestants got the Question 2 correct.
• Only four chosen another answer other than A on Question 3.
• Seven contestants chosen another answer other than D on Question 4.
• Only four contestants correctly answered (full answer) Question 5.

Some questions are documented in blogs that I wrote, for example question 3 and 4 are documented here. Let’s congratulate the champs of the first round of questions in the Forefront Contest Quiz, they got either all possible points (15) or most of them (12):

@liontux (15) @jjatsilversands (15) @Terendo (12) @cfalta (12) @pkpatel8 (12) @usouzajr (12)

Note: I will be sending a Twitter DM for all other contestants with their current points.

Congratulations guys and enjoy your weekend because Monday we have the second round with UAG questions!!