Recently I received a question via Twitter (@yuridiogenes) that said: "Hi Yuri, do you know how I can block P2P traffic via TMG?" The answer here should actually be another question: why do you have P2P software running on your corporate workstation in the first place? If this is not allowed, why is it there? Ah…I see, users are clever and they download applications, or bring USB drives with unauthorized software to use in the corporate environment. I see.
This clearly shows that the problem is not really on the edge device, and trying to band-aid it by adding a firewall rule will not fix the root cause of the problem: unauthorized software running in the corporate environment. There are many built-in Windows features that can be used to lock down corporate workstations and help you control the environment. However, even before you dig in to find the features you need, you need to understand what the major elements are that can assist you in hardening those workstations.
By starting to think that each user should only have access to what they really need (least privilege) you are already ahead of the curve, because the reality is that many companies give wide access to users and only later realize that the users have too much access. The problem is that since the user got used to having wide access, he will get frustrated when you cut those privileges. As a result you will have a user who keeps trying to find a breach so he can regain access to the resources he used to have. We don’t want to motivate this type of behavior, and that’s another reason why least privilege is the way to go right from the beginning.
Back in April I wrote this post where I mentioned the need to use a standard user account, and I will say it again: it is very important to use a standard user account. While this is not the solution for everything, it can assist in the overall protection. When I say that this is not the whole solution, I want to echo a paper from Secunia called “Cybercriminals do not need administrative users”. When you read the conclusion of this paper you will see that the standard user is a strategy that must be present in your security policy, but you can’t think of it as the only thing that needs to be done to secure the system.
In the first paragraph of this post I showed a common scenario where an IT Admin tries to use the firewall as the resolution for bigger problems that will still be in place even after he blocks the outbound traffic. These days you really need to bring security closer to the endpoint; you can’t rely only on the firewall. Remember the defense in depth approach? It has even more meaning nowadays. One built-in Windows feature that you can use for that is AppLocker. If you don’t know how AppLocker works, watch the video below:
By using AppLocker you are adding another layer of protection to assist you in this battle to secure the endpoint. On top of those elements you should also harden the workstation by disabling unnecessary services and, moving forward, create a workstation template that you can use to guarantee a consistent configuration across the board. There are many templates that come with the Security Compliance Manager tool, as shown below:
You can either use the templates that come with SCM or build your own based on an existing SCM template. This gives you a starting point from which to make adjustments that reflect your environment’s needs.
Keep that in mind and have a good (and safe) deployment!
I wrote many posts on this blog about Conficker, and this weekend when I heard about Morto (which means Dead in Portuguese) and how it works it was like a déjà vu. Not because they are alike from the side effect perspective, but because both exploit weak passwords. Let’s look at the way they spread (according to the Microsoft Malware Encyclopedia) in a side by side view:
They both take advantage of weak passwords, which are usually created by a user who wants something simple but really doesn’t know much about security. This brings up again the discussion that the user is the weakest point in your security chain, and that if you don’t train him well he will make mistakes that can compromise your investment in technology. There are two things you can do: educate users with security awareness training and have policy enforcement for strong passwords in place. Here are some articles that you will want to read about strong passwords:
Another important point about Morto is that it tries to contact remote hosts as you can see below:
Screenshot taken on 8/29/2011 5:32PM CST from : http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm:Win32/Morto.A
This means that you should configure your edge device to avoid access to those remote destinations. If you use Forefront TMG, create rules to block access to those destinations from your internal workstations and keep reviewing the logs for suspicious activity.
For updates about Morto use the following resources:
In May 2011 Tom Shinder and I started to work on a new project called From End to Edge and Beyond: a Security Talk Show with Tom Shinder and Yuri Diogenes. In this post Tom explained why we went down this road rather than creating different writing initiatives for the community. Writing security content is part of our core job and we wanted to bring something more to the community. Currently we have six episodes recorded and great feedback from the audience, and today I’m very happy to say that our show is featured in the Microsoft Security Newsletter – August 2011 Edition; you can find it in the Security Events and Training section, as shown below:
If you do not receive the newsletter by e-mail, access the Security Newsletter web edition here. I would like to use this opportunity to also thank Tim Rains and Heather Poulsen for supporting this initiative; I truly appreciate it.
Now if you are wondering how you can keep up with our show, here are our main channels:
Stay tuned because great episodes are on the way for the next two months!
Over the past two years I have published many posts on this blog about SCM (Security Compliance Manager), and today I want to write about SCM V2 (Beta). You can start by downloading the beta version from Connect after registering for the Beta program. Once you download and install this version you will notice that the interface has changed:
Notice that the interface is much cleaner and easier to use than before. The Microsoft Baseline templates are all on the left pane separated by product. To demonstrate how this works, let’s use IE9 as an example:
1. On the left pane expand Internet Explorer 9.
2. Click Attachments / Guides. In the middle pane you have the DOCx file associated with this option and you can use the Save As option on the right pane to save the file locally.
3. Click IE9-Computer-Compliance-Beta 1.0.
4. On the middle pane look for the option User SmartScreen Filter and click on it. Click Settings Details to see more options.
Notice that you have a clear way not only to identify the policy that you want to know more about, but also to see the Description, the Vulnerability that this feature can help mitigate, the potential impact when you enable this feature and the countermeasure associated with it. In addition, at the bottom you have the registry key affected by this setting. On the right pane you have lots of options that allow you to manipulate the whole template or just this particular setting. One of the options that I really like is the capability to export the whole baseline to Excel, which you can do by using the option below:
When you use this option, it will ask where you want to save the file and will automatically open Excel to import the content:
The reason I like this option is that when you export the baseline to an Excel file you have all the fields to play with: adding or removing columns, querying for particular values, etc. The Customize Fields button, for example, allows you to add more columns to the current spreadsheet, as shown below:
When you are troubleshooting or investigating a potential issue with a particular setting, this capability is very handy because it allows you to add the Registry Hive and Registry Key columns. Very cool indeed! Another feature that is very intuitive to use and very important is the capability to compare your own baseline with a particular Microsoft baseline. Let’s use the Windows Server 2008 R2 SP1 Domain Controller Compliance Beta 1 as an example:
Once you select the baseline, you can use the Compare option in the right pane to compare it against yours and see the differences.
What else?
The goal here was only to give you a glimpse of this new version; if you want to dig deeper into the new features, read the post SCM v2 (BETA) + New Baselines Available to Download. But I truly encourage you to download the tool and start playing with it.
Throughout the years working with ISA and TMG I have noticed that one of the most challenging configurations for many Admins is correctly setting up the network settings on ISA/TMG. Although we have some great content out there about the subject, such as An Inside Look into TMG Firewall Networks by Deb Shinder and the great series of 3 articles written by Tom Shinder: Overview of ISA and TMG Networking and ISA Networking Case Study (Part 1), Overview of ISA and TMG Networking and ISA Networking Case Study (Part 2) and Overview of ISA and TMG Networking and ISA Networking Case Study (Part 3). Those are “must read” articles if you are planning your network configuration on TMG; add on top of that the article Planning Forefront TMG network topology. But in case you inherited an environment with Forefront TMG and you are experiencing weird problems, then it is time to step back and review your configuration. This post will highlight a very common configuration mistake that can cause network routing issues.
Problem: clients on remote networks were randomly unable to access Internet.
Scenario: In this case the TMG Admin has the following topology that he needs to configure:
When the TMG Admin opens up the TMG Management Console this is what he sees:
When he looks at this he thinks it is okay. But you know what, IT IS NOT!! Here are the reasons:
For the second bullet, I want to call out the original source of this information, which says:
Forefront TMG does not support defining separate network objects that represent remote subnets
Issue: Forefront TMG does not support defining separate network objects that represent remote subnets.
Cause: When you define IP address ranges for a network, Forefront TMG checks all network adapters. When Forefront TMG finds an adapter with an IP address in the network range, it associates the network with that adapter. When a network includes remote subnets accessible by Forefront TMG through routers, the IP address of the remote subnets should be included in the network definition. If you define a separate network object for a remote subnet (instead of including it in the network definition), Forefront TMG tries to locate an adapter with an IP address of the network object, and fails. Forefront TMG assumes that the adapter is not available (disconnected or disabled), and sets network status to disconnected.
Solution: For best practice when defining your network configuration in Forefront TMG, take note of the following:
From: http://technet.microsoft.com/en-us/library/ee796231.aspx#NetworkAndRoutingIssues
This is a VERY common mistake and I’ve seen it over and over. The main argument that I also hear is: it always worked like that, why is this a problem now? Well, mainly because it is not supported, which means that Microsoft can’t guarantee that your setup will be functional with this configuration.
Resolution: the correct way to set up this particular environment is:
Plan your network settings. If you can’t plan, make sure to review the TMG Alerts; usually TMG is screaming out loud that there is something wrong in this area.
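To make the quoted TechNet behavior concrete, here is a small Python model, added to this post and not part of TMG or of the original article, of how TMG binds each network object to an adapter and why a separately defined remote subnet ends up "disconnected". The adapter addresses and subnet ranges are constructed; the topology diagram referenced above is not reproduced.

```python
import ipaddress

# Constructed values (the post's topology diagram is an image and is not
# reproduced here): one internal NIC, one external NIC, and a branch subnet
# that is reachable only through a router on the internal side.
ADAPTER_IPS = ["10.0.1.1", "203.0.113.10"]

# The mistake described in the post: the remote (routed) subnet is defined
# as its own network object instead of being part of Internal.
WRONG_NETWORKS = {
    "Internal": ["10.0.1.0/24"],
    "Branch":   ["10.0.2.0/24"],
    "External": ["203.0.113.0/24"],
}

# The supported layout: the remote subnet is folded into the address
# ranges of the network that is reached through the internal adapter.
FIXED_NETWORKS = {
    "Internal": ["10.0.1.0/24", "10.0.2.0/24"],
    "External": ["203.0.113.0/24"],
}


def associate_networks(networks, adapter_ips):
    """Mimic TMG's adapter association as quoted from TechNet.

    For every network object TMG looks for an adapter whose IP address lies
    inside one of the object's ranges. The first match becomes the network's
    adapter; an object with no matching adapter is treated as if its adapter
    were disconnected or disabled, so its status becomes 'disconnected'.
    """
    adapters = [ipaddress.ip_address(ip) for ip in adapter_ips]
    status = {}
    for name, ranges in networks.items():
        nets = [ipaddress.ip_network(r, strict=False) for r in ranges]
        adapter = next((str(a) for a in adapters if any(a in n for n in nets)), None)
        status[name] = ("connected", adapter) if adapter else ("disconnected", None)
    return status


def disconnected_networks(networks, adapter_ips):
    """Network objects that TMG would report as disconnected (the symptom
    that shows up in TMG Alerts and as intermittent access failures)."""
    return sorted(name for name, (state, _) in
                  associate_networks(networks, adapter_ips).items()
                  if state == "disconnected")


def report(networks, adapter_ips):
    """Human-readable summary, one line per network object."""
    lines = []
    for name, (state, adapter) in associate_networks(networks, adapter_ips).items():
        where = f"via adapter {adapter}" if adapter else "no adapter owns these ranges"
        lines.append(f"{name:<9} {state:<13} {where}")
    return "\n".join(lines)


if __name__ == "__main__":
    print("Separate network object for the remote subnet:")
    print(report(WRONG_NETWORKS, ADAPTER_IPS))
    print("\nRemote subnet included in the Internal network definition:")
    print(report(FIXED_NETWORKS, ADAPTER_IPS))
```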
Today the list of breakout sessions that will be available during the biggest Microsoft conference in South America was officially announced on the TechED Brazil website. I will be delivering three breakout sessions, which are:
This will be my second TechED Brazil; the first one was in 2008 and I’m sure this one will be even better!
During TechED week I will also be delivering presentations at MVP Open Day and MS Community Zone.
Hope to see you there.
Last Friday my friend Tom Shinder and I had a chance to participate in the Talk TechNet Show with Keith Combs and Matt Hester. During the show some interesting questions were raised by the audience, mainly around FOPE and other cloud related services. One question that came in was about auditing cloud applications, in particular Exchange. I would like to share the article “Use Auditing Reports in Exchange Online” that can give you more information about that; in the same vein, the article “Compliance Features in Exchange Online” can also give you more details about the Exchange Online compliance capabilities. Another piece of information that I mentioned during the call was the link to the Security Intelligence Report and the spam messages blocked by FOPE. The statistic that I mentioned appears in the diagram below:
Source: http://www.microsoft.com/security/sir/keyfindings/default.aspx#!section_5_1
If you did not watch our talk last week, the MP3 version is already available for download here:
http://blogs.technet.com/b/talktechnet/archive/2011/08/08/talk-technet-episode-48-cloud-security-with-dr-tom-shinder-and-yuri-diogenes.aspx
Enjoy the show!
Just a reminder that tomorrow Tom Shinder and I will be at Talk TechNet with Keith Combs and Matt Hester to discuss Cloud Security. Registration is still open on the web site below:
https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032490786&Culture=en-US
See ya tomorrow!!
This week I’m attending TechReady in Seattle, where I will present two sessions about On-Premise Security while Migrating to the Cloud (as a matter of fact, I already presented one today). Over the last two days I talked with some folks from the field and heard common comments about their talking points with customers when the subject is migrating to the cloud. The common question usually is: where is my data when it moves to the cloud? This is a great question, but instead of writing about it, why not watch a video that explains in detail the Microsoft Datacenter for Online Services? Sure, no problem…..enjoy the video below:
Introduction
The goal of this post is to show how DebugDiag 1.2 can assist you in identifying a potential source of a bottleneck in a scenario where the TMG user mode process (wspsrv.exe) is consuming a high amount of CPU.
Data Gathering
The first part is to make sure you collect the user mode dump while the issue is happening. To do that, use the approach that I explain in the following post:
http://blogs.technet.com/b/yuridiogenes/archive/2010/05/01/how-to-capture-a-manual-dump-of-the-wspsrv-exe-process-on-tmg-2010.aspx
Data Analysis
Once you have the data you can use DebugDiag to analyze the dump. Follow the steps below to perform this analysis:
1. After installing DebugDiag (64-bit edition in this case), launch it and cancel the first window.
2. Click Advanced Analysis tab.
3. Click Add Data Files button and choose the dump file that was previously collected.
4. Choose the scenario that applies to this issue in the top pane. In this case the scenario is Crash/Hang Analyzers as shown below:
5. Click Start Analysis.
6. Wait until the report is generated.
Reviewing the Report
Don’t go too far into the report before reviewing the first part of it, the Analysis Summary. Here is the example for this scenario:
In this case the warning message says:
Detected a possible critical section related problem in wspsrv.dmp
Lock at 0x015e7c70 is Unlocked
Impact analysis
0.67% of threads blocked (Threads 78)
The following functions are involved in the root cause
GapaEngine_1cc44e8_bace5e90+10e22
The thread number has a hyperlink on it; when you click it you will see the stack it refers to:
ntdll!ZwWaitForSingleObject+a
ntdll!RtlpWaitOnCriticalSection+e8
ntdll!RtlEnterCriticalSection+d1
GapaEngine_1cc44e8_bace5e90+10e22
0x454b64d8
0x0300e000
0x015ccbe8
0x4b80e418
0x015ccbe8
GapaEngine_1cc44e8_bace5e90+ff44
0x00004441`014dd475
0x00000010
The recommendation that DebugDiag gives is:
The following vendors were identified for follow up based on root cause analysis
Unknown vendor for module C:\Program Files\Microsoft Forefront Threat Management Gateway\IPS\GapaEngine_1cc44e8_bace5e90.dll
Please follow up with the vendors identified above
In other words, it is telling me to investigate this module further. Now what? Well, now you have an initial path to follow: you know that the GAPA Engine is involved, which means you can start doing some tests, such as:
It is important to remember that troubleshooting performance issues can be a long process, and DebugDiag can assist you in finding the root cause. However, sometimes finding the culprit doesn’t fix the issue; it just shows who is causing the problem, and in that case further investigation is needed to find out how to really fix it.
If you have been following this blog for a long time you probably know about my previous posts related to ISA or TMG crashing, and about the fact that 95% of the time it is not an issue caused by ISA/TMG. Well, this is just another crash where the first blame goes to ISA/TMG, in this particular case ISA. The first argument is: it is ISA that is triggering the error in the event viewer. True statement, as we see below:
Event Type: Error
Event Source: Microsoft ISA Server 2006
Event Category: None
Event ID: 1000
Time: 17:31:40
User: N/A
Description: Faulting application wspsrv.exe, version 5.0.5723.516, stamp 4a880d39, faulting module unknown, version 0.0.0.0, stamp 00000000, debug? 0, fault address 0x1078b242.
That still doesn’t mean it’s an ISA issue, but I’m okay with looking for help from the ISA folks first; it’s normal. If there is a crash we should also have a dump, and if we don’t, use DebugDiag (the newer version that I showed yesterday) to attach to the crashing process and get the dump. Let’s see the dump for this particular scenario:
FAULTING_IP:
AkrFiltr+b992
1203b992 ?? ???

EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 1203b992 (<Unloaded_AkrFiltr.dll>+0x0000b992)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 1203b992
Attempt to read from address 1203b992

PROCESS_NAME: wspsrv.exe

FAULTING_MODULE: 7c800000 ntdll
DEBUG_FLR_IMAGE_TIMESTAMP: 48ebaac7
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: 1203b992
READ_ADDRESS: 1203b992

FOLLOWUP_IP:
AkrFiltr+b992
1203b992 ?? ???

FAULTING_THREAD: 00000fb0
BUGCHECK_STR: APPLICATION_FAULT_BAD_INSTRUCTION_PTR_INVALID_POINTER_READ_WRONG_SYMBOLS
PRIMARY_PROBLEM_CLASS: BAD_INSTRUCTION_PTR
DEFAULT_BUCKET_ID: BAD_INSTRUCTION_PTR
LAST_CONTROL_TRANSFER: from 00000000 to 1203b992

STACK_TEXT:
123ffc9c 00000000 1204109a 123ffd04 120d2110 <Unloaded_AkrFiltr.dll>+0xb992

FAILED_INSTRUCTION_ADDRESS:
AkrFiltr+b992
1203b992 ?? ???

SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: AkrFiltr+b992
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: AkrFiltr
IMAGE_NAME: AkrFiltr.dll
STACK_COMMAND: ~40s; .ecxr ; kb
BUCKET_ID: WRONG_SYMBOLS
FAILURE_BUCKET_ID: BAD_INSTRUCTION_PTR_c0000005_AkrFiltr.dll!Unloaded
Followup: MachineOwner
This is a pretty straightforward stack and, as a matter of fact, a pretty straightforward dump. This module was causing the service to crash due to an access violation (c0000005), and as a result the whole process was going down. The solution was provided by the third party vendor that owns this module (an update).
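As an added example, not part of the original post, here is a small Python parser for the `!analyze -v` fields quoted above. It pulls out the faulting module, notes whether WinDbg resolved the address from its unloaded-module list (the `<Unloaded_...>` marker), and applies the post's first-party versus third-party reasoning; the set of product modules is an assumption for this example.

```python
import re

# Constructed excerpt that follows the field layout of the `!analyze -v`
# output quoted in the post; the values are the ones shown there, and the
# block is not a new capture.
SAMPLE_ANALYZE = """\
FAULTING_IP:
AkrFiltr+b992
1203b992 ?? ???

EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 1203b992 (<Unloaded_AkrFiltr.dll>+0x0000b992)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 1203b992
Attempt to read from address 1203b992

PROCESS_NAME: wspsrv.exe

FAULTING_MODULE: 7c800000 ntdll
BUGCHECK_STR: APPLICATION_FAULT_BAD_INSTRUCTION_PTR_INVALID_POINTER_READ_WRONG_SYMBOLS
PRIMARY_PROBLEM_CLASS: BAD_INSTRUCTION_PTR
LAST_CONTROL_TRANSFER: from 00000000 to 1203b992

STACK_TEXT:
123ffc9c 00000000 1204109a 123ffd04 120d2110 <Unloaded_AkrFiltr.dll>+0xb992

MODULE_NAME: AkrFiltr
IMAGE_NAME: AkrFiltr.dll
FAILURE_BUCKET_ID: BAD_INSTRUCTION_PTR_c0000005_AkrFiltr.dll!Unloaded
Followup: MachineOwner
"""

# Assumption for this example: modules that belong to the product itself.
# In the post's dumps the ISA/TMG process is wspsrv.exe and ntdll is the
# Windows runtime; anything else is treated as third party.
PRODUCT_MODULES = {"wspsrv", "ntdll"}

FIELD_RE = re.compile(r"^([A-Z_][A-Za-z0-9_\[\]]*):\s*(.*)$")
UNLOADED_RE = re.compile(r"<Unloaded_([^>]+)>")


def parse_analyze(text):
    """Collect `KEY: value` lines into a dict, keeping the first value seen
    for each key (WinDbg repeats a few blocks, such as the *_IP sections)."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m and m.group(1) not in fields:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def unloaded_modules(text):
    """Images WinDbg could only resolve from its unloaded-module list.
    Executing inside an image that was already unloaded is the classic
    signature of a callback into a third-party filter DLL."""
    return sorted(set(UNLOADED_RE.findall(text)))


def triage(text, product_modules=PRODUCT_MODULES):
    """Reduce a dump summary to the decision the post makes by hand:
    is the crash in product code or in someone else's module?"""
    f = parse_analyze(text)
    module = f.get("MODULE_NAME", "")
    exc_field = f.get("ExceptionCode", "")
    exc = exc_field.split()[0] if exc_field else ""
    unloaded = unloaded_modules(text)
    first_party = module.lower() in product_modules
    if first_party:
        verdict = "crash inside product code; escalate to the product team"
    else:
        verdict = (f"crash in third-party module {f.get('IMAGE_NAME', module)}; "
                   "engage that vendor")
    if unloaded:
        verdict += f" (module was already unloaded: {', '.join(unloaded)})"
    return {
        "process": f.get("PROCESS_NAME", ""),
        "module": module,
        "image": f.get("IMAGE_NAME", ""),
        "exception_code": exc,
        "bucket": f.get("FAILURE_BUCKET_ID", ""),
        "unloaded": unloaded,
        "first_party": first_party,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_ANALYZE).items():
        print(f"{key:<15} {value}")
```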
For more references about crashes on ISA Server also see:
I wrote many posts on this blog about troubleshooting crash and hang issues. In some of those posts (here is one example) I used a tool called DebugDiag to either capture the dump or perform the initial analysis. Today the team that is developing DebugDiag announced a new version of this tool: DebugDiag 1.2. Below is the list of the new features introduced in this version:
Analysis Automation
Data Collection
Deployment Options
Note: It is important to mention that you must uninstall all previous DebugDiag versions before you install DebugDiag 1.2.
Go get DebugDiag 1.2 at http://www.microsoft.com/download/en/details.aspx?id=26798
This post is about a problem where Outlook was working fine through the TMG publishing rule; however, when the TMG Admin tried to access OAB and OOF through Outlook he got an error. To bypass Outlook he tried to access https://mail.contoso.com/ews/exchange.asmx and got a 403. The 403 was coming from the Exchange vdir /EWS/; here is an example of the header:
10.20.20.11 10.20.20.1 HTTP HTTP:Response, HTTP/1.1, Status Code = 403, URL: /ews/
- Http: Response, HTTP/1.1, Status Code = 403, URL: /ews/
  ProtocolVersion: HTTP/1.1
  StatusCode: 403, Forbidden
  Reason: Forbidden
  Server: Microsoft-IIS/7.5
  Set-Cookie: exchangecookie=599fc2a7540e4e66b1169d9d5c358aa5; expires=Sat, 17-Jul-2011 21:39:05 GMT; path=/; HttpOnly
  XPoweredBy: ASP.NET
  Date: Fri, 29 Jan 2010 21:39:05 GMT
  ContentLength: 0
  HeaderEnd: CRLF
Resolution: after some investigation we noticed that /EWS had anonymous authentication enabled (the /EWS vdir on Exchange 2007 doesn't have anonymous by default); after disabling anonymous and leaving only Basic (to match the delegation) it worked.
Important points before adopting this resolution:
While working on this issue with the Exchange folks they warned me about this action (disabling anonymous for /EWS on Exchange 2010) and they told me that:
“There are some issues if you disable anonymous on /EWS/ vdir for Exchange 2010. Anonymous is enabled on the virtual directory because EWS uses ws-security for federating calendars and free/busy across organizations for the new calendar sharing feature. Federation occurs via the ws-security protocol, which authenticates via SOAP <wssecurity> header rather than an HTTP authentication header. IIS must let such requests go through, after which WCF (upon which EWS is built) will properly authenticate them - in other words the "anonymous" IIS setting does not allow anonymous requests to get through to EWS. Turning off anonymous has some side effects, namely that cross-organization (federated) calendar sharing breaks as does federated mailbox migration.”
Having those considerations in mind, what you can do in TMG to overcome that without disabling anonymous is:
Last May I went to a security conference here in Dallas called TakeDownCon, organized by EC-Council. It was a great conference, with great speakers and amazing technical content. I personally recommend that you participate in the next stop of TakeDownCon, which will be in LA next December. I’m here today just to share one of the presentations that the folks from TakeDownCon made available for public consumption this week:
Process And Memory Forensic Techniques by Kevin Cardwell
More presentations from TakeDownCon Dallas 2011 can be found at http://www.youtube.com/TAKEDOWNCON2011
Enjoy it !
Last month I was traveling to deliver some presentations about Migration to the Cloud and On-Premise Security. While traveling and talking to IT Pros I realized that the majority of the companies I was exposed to during those conversations are not investing to make sure that their employees are well trained when the subject is security. In the past security awareness training was something that only large enterprises used to implement as part of the mandatory annual training calendar for all employees. This can’t be the case today; as a matter of fact, small and medium businesses must develop a plan to spread the word about security to their employees.
As companies move to the cloud, the Internet becomes even more crucial to their business, which means that users will be even more exposed to online resources. More businesses are using social networks to get closer to their customers, and employees are using social networks for both purposes: personal and professional. There are many risks involved with social networks, but the one that is growing is called “Social Engineering”. This trend is exposed in Microsoft’s Security Intelligence Report - Volume 10. The slide below summarizes it:
For more information about the slide above, watch the video below with a brief discussion about MS SIR Volume 10:
After watching this video you will also see that social engineering attacks take place in the online world via social networks, phishing e-mails and other venues. These types of social engineering attacks are getting high exposure in the news; recently I read an article that says:
“Defendants targeted university's databases of faculty, staff, alumni, and student information, and financial accounts with a social engineering scheme that used poisoned USBs, phishing emails”
From: http://www.darkreading.com/database-security/167901020/security/application-security/231000376/former-college-kid-s-guilty-plea-to-hacking-highlights-low-tech-db-theft.html
I recommend reading this article to really see the social engineering approach in this case and start thinking about this subject. What if this happened to one of your employees? Are your employees trained to understand the security risks while dealing with a similar situation? I guess that at this point we can easily answer the question that entitles this post.
What should I do?
A great way to start your security awareness program is by leveraging what is already available to you (for FREE). Microsoft has a security awareness program toolkit and guide that can assist you in kicking off your security awareness initiative. You can download the content from the link below:
http://download.microsoft.com/download/1/9/9/1990AA19-2C4F-42D0-9A22-1E158EF0ABBC/Security%20Awareness%20Content.zip
When you extract this content you will see the following structure:
The “how to guide” has the guidance that you need in order to use this material. This package includes training materials for risk management, security controls and incident response. It also includes templates for:
In addition to that you can also download the Internet Safety for Enterprise & Organizations toolkit to help your employees learn the skills they need to work more safely on the Internet and better defend company, customer, and their own personal information.
Conclusion
In summary: while it is important to invest in technology to protect your assets, it is also important to invest in education for your employees; a well trained employee can save you a lot of time and money. Keep that in mind!
In the first part of this post I explained the scenario and the initial approach for data gathering; in this second part I’m going to discuss the approach to collecting data while the incident is happening.
Understanding Data Gathering Process
To better understand the information gathering flow that we are about to configure, review the diagram below:
The expected flow in this scenario is:
Although this is the basic flow for this scenario, we also have the option of following a different approach, for example: leave Netmon running until the network traffic from the attacker’s IP is received, and once Event Viewer shows the event you can trigger a different action. For this example we will use the following flow:
Preparing the Environment
In order to use NetWiz you should have Network Monitor installed first on your system. Once you finish installing Netmon, download NetWiz from CodePlex and follow the steps below on your edge device:
The second part is to configure Event Viewer to trigger an action when this event happens; to do that, follow the guidelines from this post. The BAT (or script) that will be used during this process must have the command that initiates a connection on port 80 of the internal web server (telnet webserver_IP 80). This is an important step in order to comply with the parameters that were configured in NetWiz. This BAT (or script) can also contain many more commands (including other tools that can gather more data about a target system); it all depends on what you want to collect in addition to Netmon traces.
It is also important to emphasize that sometimes this type of attack comes from random IP addresses; if this is the case, you will not need to create filters that only collect data coming from one specific address.
Now What?
Once you have the traffic pattern and have also identified the IP address that is starting the attack against your resource, you can start by contacting your service provider to report the abuse coming from this IP. Check whether it is possible for your ISP to track this IP and take action against this type of attack.
The presentation that I delivered last week during the TechPEDay and MS Sec Day V2 is now available in the link below (in Portuguese):
This presentation was based on the article that I co-wrote with Deb Shinder for the ISSA Journal (May issue). In this presentation I showed a video (in English) from Chris Capossela, Senior Vice President of Microsoft's Business Division, where he responds to CIO concerns around data security in the cloud (see below).
Most of the good firewalls out there have the capability to identify suspicious activity and log this information for you. However, there are some scenarios where you want more than just knowing what happened; you want to build a better footprint of the potential attack that the edge device is going through. This post will explain how to combine the power of Event Viewer with the flexibility of Network Monitor Wizard to trigger an action when an incident happens. To achieve that we will divide the post in two parts: part one will explain the scenario, identify the issue and work on the data gathering process. For this post we will use Forefront TMG 2010 as our edge device; however, the same approach can be used with any device that logs its major alerts to the Windows Event Log.
Symptom
The true value of having logging enabled on your system is the capability to review it and identify suspicious activities that took place during that time. In this particular case the Firewall Administrator identified the following entry in the Event Viewer:
When reviewing such event, pay attention to the following fields:
The reason I added the flags is that usually when you raise two flags while analyzing potential suspicious activity you have enough reason to move forward in the investigation process. It is important to also mention that in this particular scenario, as I’m using Forefront TMG as the example edge device, the same event that you see in Event Viewer will also be available under Monitoring/Alerts within TMG’s console, as shown below:
Footprint
Now that you have identified the suspicious activity on your edge device and you know which IP address you should be hunting for, you can move forward. The information gathering will vary according to your internal process for responding to incidents; however, there are usually some common steps that can be used during this process, such as:
All those methods are passive and the goal is only to know more about who is originating that suspicious traffic against your edge device.
Moving Forward
The second part of this article will explain how to capture live data and how to connect the dots to formulate your final conclusion.
Last May 2nd me and Tom started this project as he outlined in this post. We currently have two episodes live: Episode 1 with hosting Jim Harrison as guest and Episode 2 hosting Kevin Saye as Guest. We already recorded Episode 3, where will not have a guest, but we will discuss general security topics and demonstrate an attempt to exploit a vulnerability in a Windows system. Episode 3 will be live next week (first week of June).
But I’m here today to invite you, Forefront MVPs and Enterprise Security MVPs, to participate on the show. Even if you can’t be here in Texas (where we record the episodes), we have plans to host you as a guest using Live Meeting. Sounds interesting? It is…I think it is a good way for you to reach out to the community and discuss security topics with us, for example: demonstrate a technology that you feel is important to assist customers using Microsoft products with their security needs.
Start planning now what you want to present and make sure to reach me and Tom with your proposal. Access the Security Talk show blog and send an e-mail to us with your plan. We already have a solid agenda for Episodes 4 and 5 (July), but we are open for Episode 6 (August). Think about it and come talk about security with us.
Have a great weekend and if you are in US, have a great Memorial Day.
Almost three years ago I wrote this post about using Netmon to identify unexpected traffic. Although Netmon is a great tool and the advice written in that post is still valid, there are some scenarios where you need to go beyond that and identify whether the process that is generating this traffic is suspicious or not. This post will describe how to use TCPView and Process Monitor to identify suspicious activity on your local system.
Symptoms
Investigation Process
When investigating issues of this nature, especially when you’ve done the basics of scanning the computer, the next step will be to understand whether this computer is sending anything (or receiving) through the network. One great test that should be done right at the beginning is to ask/test: does the performance issue still happen if you remove the network cable from the computer? Many times a potentially compromised computer will behave differently when you unplug it from the network. As this step was not done in this case, we will start the investigation using TCPView to understand the current footprint of this computer.
This is a great tool because it allows you to view many aspects of the process, from the socket perspective to the TCP state of the connection. You can argue that this is similar to running the command netstat -naob, and I’m okay using the netstat tool, but the nice thing about TCPView is that you have a live view of what’s going on. In other words, you don’t need to refresh it: if a connection gets closed, it will update the UI. With netstat, you will need to keep running it to see whether the state changed or not; this is the main reason I prefer using this tool for live investigation of issues of this nature. Apparently there is no suspicious activity; however, there is a process that doesn’t seem to be a valid process, called msupdate.exe. Notice that this process is listening on port 3349, which is also not a usual port. Now it is time to use Process Explorer to better understand what this process is trying to do:
There are some suspicious signs around this process:
Note: I’m saying suspicious signs because this could indicate a malicious process, but at this point we don’t have enough information to confirm that.
To investigate further this process, right click on the suspicious process and choose Properties, the window below will appear:
As you can see, this process is located in the %windir%\system32 folder and it is starting a command line with some additional parameters. As I’m not sure what process that is, one way to obtain more information about what this process loaded in memory is to verify the Strings tab (choose the Memory radio button at the bottom of this window). Notice that in this case the Strings tab shows some interesting information about the process, such as the one that I pointed out below:
This line is used by the NC (NetCat) tool and it matches the parameters that we saw in the Image tab for this executable file. This means that this executable file is actually the NC tool, renamed to msupdate.exe; it is listening on port 3349 and once someone accesses this port the tool will execute Command Prompt (cmd.exe).
The findings here showed that this workstation was compromised with an implementation of NC that could be used as a backdoor. A simple implementation, but for the purpose of this investigation it was enough to understand how we can leverage Process Explorer to identify suspicious activities that sometimes are not caught by antivirus.
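As an added example (not code from the original post), the same triage can be scripted for the cases where you only have a saved `netstat -naob` capture: the snippet below parses such output, flags listening sockets whose port or owning image is outside an assumed baseline of expected listeners, and checks the command line you read off Process Explorer’s Image tab for a listener that executes a shell. The netstat text and the baseline are constructed samples, not data from the post.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of `netstat -naob` output (assumption, not captured from the post).
# With -b, netstat prints the owning image in brackets on the line below each socket.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:3349           0.0.0.0:0              LISTENING       4120
 [msupdate.exe]
  TCP    192.168.1.10:49731     13.107.42.14:443       ESTABLISHED     2204
 [msedge.exe]
  UDP    0.0.0.0:123            *:*                                    1104
 [svchost.exe]
"""

@dataclass
class Sock:
    proto: str
    port: int
    state: Optional[str]   # UDP rows have no State column
    pid: int
    image: str = "?"       # filled in from the bracketed line that follows the socket row

SOCK_RE = re.compile(r"^\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")

def parse_netstat(text: str) -> list:
    socks = []
    for line in text.splitlines():
        m = SOCK_RE.match(line)
        if m:
            socks.append(Sock(m[1], int(m[2]), m[3], int(m[4])))
        elif socks and line.strip().startswith("["):
            socks[-1].image = line.strip().strip("[]")   # image belongs to the last socket row
    return socks

# Constructed baseline: port -> images allowed to own a listener on it (assumption).
BASELINE = {135: {"svchost.exe"}, 123: {"svchost.exe"}}

def suspicious_listeners(socks: list) -> list:
    """Listening sockets whose port, or the image behind the port, is not in the baseline."""
    return [s for s in socks
            if (s.proto == "UDP" or s.state == "LISTENING")
            and s.image not in BASELINE.get(s.port, set())]

# A listener whose command line (Process Explorer, Image tab) references a shell is the
# pattern found in the post: a renamed tool that hands cmd.exe to whoever connects.
SHELL_RE = re.compile(r"\b(cmd|powershell)(\.exe)?\b", re.I)

def executes_shell(cmdline: str) -> bool:
    return SHELL_RE.search(cmdline) is not None
```

Established connections such as the browser session are left alone; only unexpected listeners are reported, which is the same filter applied by eye in the TCPView screenshot.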
Another event that I will be presenting as speaker was confirmed for June, this one is called TechPE Day and it will happen in Recife/PE/Brazil. The agenda and registration for this event can be found at https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032487195&culture=pt-br . I will be delivering two presentations:
If you are in Recife in June make sure to register and I hope to see you there.
E-Mail Protection feature in TMG was a feature that I used to work a lot when I was in CSS. This year I delivered a session internally about Troubleshooting E-Mail Protection in TMG and today I’m sharing the slide deck (the public version) with you. Feel free to download it:
Note: most of the troubleshooting tips that I added in this slide deck were also included in the Forefront Threat Management Gateway (TMG) 2010 Troubleshooting Survival Guide, E-mail Protection Troubleshooting section.
Enjoy it
Two years ago I was announcing in this blog the registration for a presentation called MS Security Day. Today I’m going to announce that MS Security Day V2 is going to happen again in Fortaleza/CE and the registration is now open at https://msevents.microsoft.com/cui/EventDetail.aspx?EventID=1032486309&culture=pt-BR . My presentation is called “Migration to the Cloud and On-Premise Security”, which is based on the article that I wrote for ISSA Journal - May 2011 issue.
Hope to see you there!!
Before joining the Windows iX IT PRO Security team I spent my last 11 years working in the enterprise support field, 5 of them at Microsoft CSS (former PSS). During the Conficker outbreak I was in Oklahoma for New Year’s Eve 2008/2009 (which BTW is pretty cool) and while I was there I wrote this post about blocking Conficker proliferation via ISA Server. Six months later I kept hearing comments from the IR (Incident Response) folks about getting new cases related to Conficker. I remember talking to one of those guys and hearing from him that some companies were without patches for years. We are not talking about small offices; I’m talking about enterprise level companies with thousands of workstations and hundreds of servers - unpatched.
While it is hard to believe that this type of practice is still happening, today, reading this article, I got the confirmation that Conficker didn’t teach the full lesson to everybody. Unfortunately the reality is that there are still many servers and workstations (regardless of the OS) unpatched out there. On the other hand, it is also very good to see that people are warning about that in many ways, such as with an article like this: “Patch Management Crucial to Defend Against Cyber-Attacks: Report”, which explains how important it is to patch and, beyond that, how important it is to make sure all platforms are patched. The article has a great statement, that says:
“While Windows vulnerabilities receive wide attention, Norman security experts also warned that IT administrators in enterprises, government and small to midsize businesses (SMBs) should focus on patch management involving all major operating systems, including Microsoft Windows, Linux, Mac OS, Sun Solaris and HP.”
If you don’t know where to start on the patch management subject for your Microsoft platform, or if you want to review whether your patch management strategy is correct, go ahead and download the Microsoft Security Update Guide, Second Edition – this is a great source of information about this subject.
Stay safe!
The ISSA Journal May 2011 issue was just released and this issue brings an article that I wrote with Deb Shinder about some considerations while migrating to the cloud and on-premise resources. The subject is very interesting and we tried to cover some core points on why it is important to keep the defense in depth approach while migrating to the cloud. ISSA members will be able to download the full Journal from here. However, if you want to read only our article you can access it from here.
I would like to thank Deb Shinder for partnering with me in this article; it was indeed a great experience writing and brainstorming ideas with you!!