I wrote many posts on this blog about Conficker, and this weekend when I heard about Morto (which means Dead in Portuguese) and how it works, it was like déjà vu. Not because they are alike from the side-effect perspective, but because both exploit weak passwords. Let’s look at the way they spread (according to the Microsoft Malware Encyclopedia) in a side-by-side view:
They both take advantage of weak passwords, which are usually created by a user who wants something simple but really doesn’t know much about security. This brings up again the discussion that the user is the weakest point in your security chain, and that if you don’t train him well he will make mistakes that can compromise your investment in technology. There are two things you can do: educate users with security awareness training, and have policy enforcement for strong passwords in place. Here are some articles that you will want to read about strong passwords:
Another important point about Morto is that it tries to contact remote hosts, as you can see below:
Screenshot taken on 8/29/2011 5:32PM CST from: http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm:Win32/Morto.A
This means that you should configure your edge device to block access to those remote destinations. If you use Forefront TMG, create rules to block access to those destinations from your internal workstations, and keep reviewing the logs for suspicious activity.
For updates about Morto use the following resources:
In May 2011 Tom Shinder and I started to work on a new project called From End to Edge and Beyond, a Security Talk Show with Tom Shinder and Yuri Diogenes. In this post Tom explained why we went down this road rather than creating different writing initiatives for the community. Writing security content is part of our core job and we wanted to bring something more to the community. Currently we have six episodes recorded and great feedback from the audience, and today I’m very happy to say that our show is featured in the Microsoft Security Newsletter – August 2011 Edition; you can find it in the Security Events and Training section as shown below:
If you do not receive the newsletter by e-mail, access the Security Newsletter web edition here. I would like to use this opportunity to also thank Tim Rains and Heather Poulsen for supporting this initiative; I truly appreciate it.
Now, if you are wondering how you can keep up with our show, here are our main channels:
Stay tuned because great episodes are on the way for the next two months!
Over the past two years I have published many posts on this blog about SCM (Security Compliance Manager), and today I want to write about SCM V2 (Beta). You can start by downloading the beta version from Connect after registering to be part of the Beta program. Once you download and install this version you will notice that the interface has changed:
Notice that the interface is much cleaner and easier to use than before. The Microsoft Baseline templates are all in the left pane, separated by product. To demonstrate how this works, let’s use IE9 as an example:
1. On the left pane expand Internet Explorer 9.
2. Click Attachments / Guides. In the middle pane you have the DOCX file associated with this option, and you can use the Save As option in the right pane to save the file locally.
3. Click IE9-Computer-Compliance-Beta 1.0.
4. In the middle pane look for the option User SmartScreen Filter and click on it. Click Settings Details to see more options.
Notice that you have a clear way not only to identify the policy that you want to know more about, but also to see the Description, the Vulnerability that this feature can help mitigate, the potential impact when you enable this feature, and the countermeasure associated with this feature. In addition, at the bottom you have the registry key affected by this setting. In the right pane you have lots of options that allow you to manipulate the whole template or just this particular setting. One of the options that I really like is the capability to export the whole baseline to Excel, which you can do by using the option below:
When you use this option, it will ask where you want to save the file and will automatically open Excel to start importing the content:
The reason I like this option is that when you export the baseline to an Excel file you have all the fields available to play with: adding or removing columns, querying for particular values, etc. The Customize Fields button, for example, allows you to add more columns to the current spreadsheet as shown below:
When you are troubleshooting or investigating a potential issue with a particular setting, this capability is very handy because it allows you to add the Registry Hive and Registry Key columns. Very cool indeed! Another feature that is very intuitive to use and very important is the capability to compare your own baseline with a particular Microsoft Baseline. Let’s use the Windows Server 2008 R2 SP1 Domain Controller Compliance Beta 1 as an example:
Once you select the baseline, you can use the Compare option in the right pane to compare it against yours and see the differences.
The goal here was only to give you a glimpse of this new version; if you want to dig deeper into the new features, read the post SCM v2 (BETA) + New Baselines Available to Download. But I truly encourage you to download the tool and start to play with it.
Throughout the years working with ISA and TMG I have noticed that one of the most challenging configurations for many Admins is correctly setting up the network settings on ISA/TMG. Although we have some great content out there about the subject, such as An Inside Look into TMG Firewall Networks by Deb Shinder and the great series of 3 articles written by Tom Shinder: Overview of ISA and TMG Networking and ISA Networking Case Study (Part 1), Overview of ISA and TMG Networking and ISA Networking Case Study (Part 2) and Overview of ISA and TMG Networking and ISA Networking Case Study (Part 3). Those are “must read” articles if you are planning your network configuration on TMG; add on top of that the article Planning Forefront TMG network topology. But in case you inherited an environment with Forefront TMG and you are experiencing weird problems, then it is time to step back and review your configuration. This post will highlight a very common configuration mistake that can cause network routing issues.
Problem: clients on remote networks were randomly unable to access the Internet.
Scenario: In this case the TMG Admin has the following topology that he needs to configure:
When the TMG Admin opens the TMG Management Console, this is what he sees:
When he looks at this he thinks it is okay. But you know what, IT IS NOT!! Here are the reasons:
For the second bullet, I want to call out the original source of this information, which says:
Forefront TMG does not support defining separate network objects that represent remote subnets
Issue: Forefront TMG does not support defining separate network objects that represent remote subnets.
Cause: When you define IP address ranges for a network, Forefront TMG checks all network adapters. When Forefront TMG finds an adapter with an IP address in the network range, it associates the network with that adapter. When a network includes remote subnets accessible by Forefront TMG through routers, the IP address of the remote subnets should be included in the network definition. If you define a separate network object for a remote subnet (instead of including it in the network definition), Forefront TMG tries to locate an adapter with an IP address of the network object, and fails. Forefront TMG assumes that the adapter is not available (disconnected or disabled), and sets network status to disconnected.
Solution: For best practice when defining your network configuration in Forefront TMG, take note of the following:
This is a VERY common mistake and I’ve seen it over and over. The main argument that I also hear is: it always worked like that, so why is this a problem now? Well, mainly because it is not supported, which means that Microsoft can’t guarantee that your setup will be functional with this configuration.
Resolution: The correct way to set up this particular environment is:
Plan your network settings; if you can’t plan, make sure to review the TMG Alerts, because usually TMG is screaming out loud that there is something wrong in this area.
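To make the adapter check described in the Cause paragraph above concrete, here is an added example (not TMG code, and not part of the original post) that models it: each network object is associated with the first adapter whose IP falls inside one of the network's address ranges, and a network with no matching adapter is marked disconnected. The adapter addresses and network definitions are constructed for the illustration.

```python
import ipaddress

# Constructed sample: the TMG server's adapters (name -> interface address).
# There is no NIC on the remote subnet; it is reached through a router.
ADAPTERS = {
    "Internal": "10.0.1.1/24",
    "External": "203.0.113.2/24",
}

# Wrong (unsupported) definition: a separate network object for the remote subnet.
WRONG_NETWORKS = {
    "Internal": ["10.0.1.0/24"],
    "Remote-Site": ["10.0.2.0/24"],
}

# Correct definition: the remote subnet is folded into the Internal network's ranges.
RIGHT_NETWORKS = {
    "Internal": ["10.0.1.0/24", "10.0.2.0/24"],
}


def adapter_for_network(ranges, adapters):
    """Return the name of the first adapter whose IP lies in any of the
    network's ranges, or None when no adapter matches (the case TMG treats
    as a disconnected/disabled adapter)."""
    for name, cidr in adapters.items():
        ip = ipaddress.ip_interface(cidr).ip
        if any(ip in ipaddress.ip_network(r) for r in ranges):
            return name
    return None


def network_status(networks, adapters):
    """Map every network object to 'connected' or 'disconnected'."""
    return {
        name: "connected" if adapter_for_network(ranges, adapters) else "disconnected"
        for name, ranges in networks.items()
    }


if __name__ == "__main__":
    # Remote-Site has no adapter match, so it shows as disconnected,
    # which is why hosts on 10.0.2.0/24 lose Internet access intermittently.
    print(network_status(WRONG_NETWORKS, ADAPTERS))
    print(network_status(RIGHT_NETWORKS, ADAPTERS))
```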
Today the list of breakout sessions that will be available during the biggest Microsoft conference in South America was officially announced on the TechED Brazil website. I will be delivering three breakout sessions, which are:
This will be my second TechED Brazil; the first one was in 2008, and I’m sure this one will be even better!
During TechED week I will also be delivering presentations at MVP Open Day and MS Community Zone.
Hope to see you there.
Last Friday my friend Tom Shinder and I had a chance to participate in the Talk TechNet Show with Keith Combs and Matt Hester. During the show some interesting questions were raised by the audience, mainly around FOPE and other cloud-related services. One question that came in was about auditing cloud applications, in particular Exchange. I would like to share the article “Use Auditing Reports in Exchange Online”, which can give you more information about that, and in the same vein the article “Compliance Features in Exchange Online” can give you more details about the Exchange Online compliance capabilities. Another piece of information that I mentioned during the call was the link to the Security Intelligence Report and the spam messages blocked by FOPE. The statistic that I mentioned appears in the diagram below:
If you did not watch our talk last week, the MP3 version is already available for download here:
Enjoy the show!
Just to remind you that tomorrow Tom Shinder and I will be at Talk TechNet with Keith Combs and Matt Hester to discuss Cloud Security. Registration is still open on the website below:
See ya tomorrow!!