Hello folks and Happy New Year to you all!!
If you are running Forefront TMG 2010 with NIS (Network Inspection System) enabled and up to date, you probably noticed a new signature that was released to help protect against CVE-2011-3414 (the ASP.NET hash-collision denial of service addressed by MS11-100), as shown below:
Notice also that the response is already set to “Block” and the signature is already enabled. If you open the properties of this signature and review the Details tab you will see it is classified as high business impact:
The good news is: if an attacker tries to exploit this vulnerability against a server that has not been patched yet, and the traffic crosses TMG, NIS will identify the traffic and block it. Keep in mind that this only covers traffic that actually passes through TMG, so although you have this additional layer of protection to mitigate exploitation attempts, it is strongly recommended that you update your servers with MS11-100 as quickly as possible (mainly the ones exposed to the Internet).
Stay Safe in 2012 and have a great year !
If you have been following this blog since 2008, when I started, you probably noticed that troubleshooting is a subject that I love. Troubleshooting using tools like Perfmon and Windbg is amazing. In my new role at Microsoft I don’t deal with this on a daily basis anymore (like I used to on the CSS Forefront Edge Team), however the love did not go away. I’m still quite involved with troubleshooting and researching new things and how to fix them when they are not working. This week, for example, Tom and I recorded Episode 13 of our Security Talk show. This episode was called Demo Day and I demonstrated how to use Perfmon and Windbg to troubleshoot a performance issue on TMG.
The video is available here or you can watch below:
I hope you like it!
You can’t deny that social networks today are part of the vast majority of people’s lives. They are everywhere: you go to a supermarket and you see “Like Us on Facebook at <URL>”… it’s on TV, on the streets… everywhere. Now, the questions are: do people know how to behave on social networks? Do they know the risks of revealing too much? Does your company have a security policy about social network usage? Did you have security awareness training when you joined your current company? Was social networking one of the topics of this training?
Incorrect usage of social networks can cause harm not only to the individual but also to the company. Employees must be trained to use social networks correctly, mainly when they are using them to advertise their work and sometimes exposing company information. Here in the US we have a recent case where an employee was fired for ranting about his company on Facebook. As I’m not here to share something that you already know, just click here and see for yourself the security risks of social networks.
What I do want to share with you is something that happened this month in Brazil and that I wrote about in my blog (in Portuguese). As a matter of fact there were two recent episodes in Brazil that caught my attention. The first one (I originally wrote about it in Portuguese here) was about a student who used to brag about being rich by posting photos on Facebook to show the nice things he had. His posts caught the attention of someone on his friends list. This person was able to get the key to the student’s house and handed it over to thieves so they could steal the objects posted on Facebook. They broke into the student’s house looking for the stuff he said he had, but found nothing other than a mobile phone, some jewelry and cash. It turns out the student was not rich; he was only bragging about those things to get the attention of his friends at school.
For this particular case it is very important to understand that you need to educate your kids on how to use social networks and other Internet resources safely. Here are some resources you can start using for that:
The second case is even scarier in my opinion. The first was about a kid saying things he shouldn’t say, but he was a minor and not fully educated to deal with such technology; the second case is about adult behavior. With the proliferation of social network integration with geographic location services we pretty much know everything our friends are doing and where they are at any moment in time. While this can look as cool as it gets, it is also very dangerous. Last week I wrote in my blog (in Portuguese) about a case that happened in Brazil where someone left on vacation and posted: “I’m leaving on a trip”. When they got back home they had no TV, computers or other electronics; all gone. The robbers left a note on a piece of paper saying: “Next time you leave on a trip, let us know”. Now that’s very serious… but I see it all the time. People integrate all the social tools without being concerned about privacy settings, and when they post one thing in one place it is propagated everywhere. Sometimes those posts are wide open on Twitter and available for anyone with malicious intentions to take advantage of.
Be careful: watch what you’re saying on social networks, don’t reveal too much, and use the privacy settings those platforms make available to at least put some restrictions on your profile. Be aware that everything you write on a social network platform can (and might) be used against you in one way or another.
Back in 1999 I was working at one of the largest telecom companies in Brazil, where I was responsible for maintaining the core Windows NT 4 servers and some of the services running on top of them (such as Exchange 5.5). Some days, when I was scanning my badge to get into the datacenter, I used to think: geez, we have so many servers in this datacenter, soon we will have to physically expand it just to keep up the same level of service to our customers. Then I started thinking about the network infrastructure and all those VLANs to manage, the headache of moving servers across VLANs, all the dependencies, etc. Not only that, but when we were struck by “ILOVEYOU” I thought the world was coming to an end while I was trying to clean all those mailboxes. Fortunately this is the past and the evolution of the datacenter is upon us. Do you want to know what I’m talking about? If you do, take your time and watch the video below from the BUILD Conference to see what’s coming in this regard:
Make sure to watch the whole video before you conclude that you can’t achieve secure isolation in the cloud while building a low-cost datacenter with powerful management tools.
Even I can’t believe that the last time I wrote here was 18 days ago; I think I was never away from here for so long. Although I’ve been away from here, I’ve been writing in many other places, recording episodes for our Security Talk Show and working on my regular activities at Microsoft (which are Win8 security stuff)… so it’s quite busy these days. Here are some of my updates for this past month:
New Articles at TechNet Wiki
New Episodes of From End to Edge and Beyond
What’s coming next?
There are lots of things coming next, and as soon as I can I will announce here a new project that Tom Shinder and I will work on in 2012. For my Brazilian friends, I can tell you that a new book about information security in Portuguese is also coming in 2012; it will again be published by Editora NovaTerra (more info soon), and the second edition of my Security+ book in Portuguese should also be out next year.
Our Security Talk Show is also going to finish the year with two more great episodes (13 and 14), planned for release in December. In Episode 13 (called “Demo Day”) Tom Shinder and I will demonstrate some cool scenarios (probably related to DA and TMG), and in Episode 14 we will have the TechNet Guy talking about Cloud and Office 365.
See ya around !
Hello folks, a quick post here just to bring awareness of a new KB that was released today for Forefront TMG 2010. As the KB describes, the symptoms are based on the following scenario:
In this scenario the upload does not finish correctly under certain circumstances. To fix this problem you need to apply Forefront TMG 2010 SP2 and run the script from KB 2591803.
I want to give you a quick update on a new blog that our friends from the TechNet Wiki put out there. A lot of IT pros (and devs) out there still don’t know the full potential of the TechNet Wiki, and I think this blog will clarify a lot of that. So, start by reading the post below:
Once you finish that, take a look at the interview I gave to the WikiNinja Ed Price and understand why I think this platform rocks:
…and if you still have questions about how to contribute, watch the interview I gave to David Tesar last March.
Enjoy the TechNet Wiki!
One of the presentations I delivered this year at TechED Brazil was about On-Premise Security while Migrating to the Cloud. There are many reasons to migrate to the cloud, and during this presentation I emphasized the three core elements below:
While those core elements sound very good, we must also be alert to the new challenges that come with this adoption, such as:
New Threat Landscape
The presentation was really focused on the second bullet (on-premise security). Some of the reasons why this is still an important point to address include:
The misconception that migrating to the cloud means offloading your security to the cloud provider is just plain wrong. You need to be diligent, because at the end of the day it is your data that could get compromised if you relax on-premise security. You should adopt a defense in depth approach: all the elements from the endpoint to the cloud must be secured, not only the hosts but also the path and the remote clients. Here is a typical example of how this looks:
There are five key elements in this diagram:
In summary, the path to the cloud requires a lot of planning to make sure your users have a seamless experience while you keep your data secure.
If you have been following my blog for a long time you probably read the post TMG E-Mail Protection Feature x Exchange 2010 SP1 (first published more than a year ago), when we were dealing with a major E-Mail Protection issue on TMG. Due to the nature of the integration between Forefront TMG and the E-Mail Protection feature (Forefront for Exchange and Exchange Edge), I also wrote this presentation to assist you while troubleshooting this feature.
The good news is that Forefront TMG 2010 SP2 brings you the following fixes, which alleviate many of the issues that were present in the past with this integration:
Go get SP2 and enjoy it!!
This week Microsoft released a major update to Forefront TMG 2010, and many TMG admins are very excited about the new features announced on the Forefront TMG team blog, such as support for Kerberos authentication in an array scenario, the improved error pages and the new site activity report. These are already three reasons to apply SP2 to your TMG, but instead of stopping there I’m going to give you five more reasons to apply this update. Here they are:
1. Forefront TMG 2010 SP2 makes the TMG startup operation ten times faster.
2. Do you remember KB2498831? No need to run that script anymore; with TMG 2010 SP2 a new option was added to the UI that lets you do the same thing, as shown below:
3. Performance improvements for cloud migration (for example, the default memory pool for SSL requests, ProxyVmvmAlloc1pSize, goes from 1024 to 4096, which avoids the HTTPS stalls some customers hit after moving mailboxes to Exchange Online).
4. Improvements in the E-Mail Protection feature.
5. Account lockout enhancements for FBA (forms-based authentication).
That’s it… go grab TMG 2010 SP2 and remember: to apply TMG 2010 SP2 you need TMG 2010 SP1 + Software Update 1 already installed.
This week was all about the new SIR 2011 version; lots of buzz about Microsoft’s findings and interesting perspectives on them. I use the SIR findings in many situations; recently, when I was presenting at TechEd Brazil, I had at least two slides whose content came from the SIR 2010 report. The graphic below summarizes how the SIR report gathers data to produce this great piece of content.
If you haven’t downloaded the report yet, go ahead and do it now using one of the following versions:
Security Intelligence Report v11 (Full Report)
Key findings summary in different languages
Also take some time to watch the video below about the new SIR report and some of its findings:
A long time ago I wrote this post about how IAG 2007 can mitigate SQL injection attacks; this post was also presented at TechED Brazil 2008, where I showed the demo live. Today I’m here to challenge you. Here is the deal:
The first person to write this article, post it on the TechNet Wiki and send me a message via Twitter saying: @yuridiogenes, here it goes the UAG and SQL Injection article [link_to_the_article_at_TNWIKI] #TNWIKI, will receive by mail a signed copy of the UAG Deployment Guide book.
Make sure to:
Are you in?
Remember, I will give the book to the first person that tweets me the phrase I mentioned above. There is no deadline; the first one gets it… so run and do it!
Consider a scenario where a client migrated from on-premise Exchange to Exchange Online and after this migration users are experiencing issues while sending e-mail. During peak times Outlook clients can’t send e-mails; messages get stuck in the Outbox. When this issue was happening, event 31212 was also showing up on TMG:
One important point to add here is that when this issue was happening users were able to browse HTTP sites but not HTTPS sites, which already points at the SSL path through TMG rather than at web proxying in general.
For this scenario we will most likely need:
When analyzing data of this nature you need to add to Perfmon the core OS subsystems (memory, network, processor and disk) as well as the core Forefront TMG counters. The diagram below shows an interesting trend where the Memory Pool for SSL Requests (black line in the diagram below) starts to decrease, climbs back to 100% and then suddenly drops to zero.
That is exactly the time when users start to experience messages getting stuck in the Outlook Outbox.
This problem happens because TMG was running out of the memory pool for SSL requests. To fix it, change the registry value ProxyVmvmAlloc1pSize to a higher value (the default is 1024). You can follow the guidelines from KB842438 (which also applies to TMG) to adjust this value, or install Forefront TMG 2010 SP2 (just released), which changes the default to 4096. In this particular case, after changing the value to 4096 the users didn’t experience the problem anymore and the server’s Perfmon started looking much better even under heavy load, as shown below:
There are a couple of key takeaways from this scenario that I want to call out:
Planning is definitely the key to a successful migration, but to plan well you really need to know your own environment, your traffic profile and your growth plan. To reduce the impact during the cloud migration you should determine that up front and perform the migration in waves (not all users nor all applications at the same time).
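As an added example (this is not code from the original post or from the TMG product), here is how I would check and apply the ProxyVmvmAlloc1pSize change from the scenario above and then watch the SSL memory pool afterwards. The registry path is taken from KB842438 for ISA Server and is an assumption for TMG, the firewall service name (fwsrv) and the Perfmon counter name are also assumptions; confirm all three against the KB and your own server before relying on them. Run it elevated on the TMG server.

```powershell
# Added example: raise ProxyVmvmAlloc1pSize to the value TMG 2010 SP2 uses as
# its default (4096) and verify the "Memory Pool for SSL Requests" counter.
# Assumptions: registry path (from KB842438 for ISA), service name 'fwsrv',
# and the counter path; confirm each before using this in production.

$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\W3Proxy\Parameters'  # assumed path
$valueName = 'ProxyVmvmAlloc1pSize'
$target    = 4096    # SP2 default per the post; pre-SP2 built-in default is 1024

$current = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($null -eq $current) { $current = 1024 }   # value absent => built-in default applies
"Current $valueName = $current"

if ($current -lt $target) {
    Set-ItemProperty -Path $keyPath -Name $valueName -Value $target -Type DWord
    "Set $valueName to $target; restarting the firewall service so it takes effect"
    # Restarting drops active connections: in an array, do one member at a time.
    Restart-Service -Name fwsrv -Force    # assumed service name for the TMG firewall service
} else {
    "No change needed ($valueName is already $current)"
}

# Sample the pool for one minute after the change. If the counter path is
# different on your build, list the set with:
#   (Get-Counter -ListSet 'Forefront TMG Web Proxy').Paths
Get-Counter -Counter '\Forefront TMG Web Proxy\Memory Pool for SSL Requests (%)' `
    -SampleInterval 5 -MaxSamples 12 |
    ForEach-Object { '{0:HH:mm:ss}  {1,6:N1}%' -f $_.Timestamp, $_.CounterSamples[0].CookedValue }
```

If the sampled value keeps collapsing to zero under load even after the change, the pool size is not the bottleneck and you are back to the Perfmon/Windbg analysis described above rather than to more registry tuning.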
Last week I was in Brazil and I had a chance to participate in the biggest Microsoft event in Latin America, TechED Brazil. One of the sessions I delivered there was SIA301 (more info in Portuguese in this post), where I co-presented with Alberto Oliveira, a Microsoft Forefront MVP.
We divided the session into two main parts: first we talked about the current security landscape and some major security threats, and in the second part we talked about Windows security. One of the things we covered in the Windows security part was the Threats and Countermeasures Guide. The team I work for at Microsoft is responsible for maintaining this content, available here. I also want to use this opportunity to bring awareness that our team is reviewing this content and you have a chance to give feedback about it; please read this post and make sure to participate.
During this presentation we talked about the fact that spam is still a big threat, mainly because of the social engineering behind many phishing e-mails. One of the videos we showed in this presentation on this subject was about the recent case where Microsoft took down the Rustock botnet. You can watch the video below:
Another subject we covered was the importance of thinking about security right at the beginning of the project, when you are writing the code for your application. For that we presented the SDL concept and demonstrated the SDL Threat Modeling Tool. In this video you can see a demo of this tool and how to use it.
Throughout the next few days I will be posting more about TechED Brazil and the content I delivered there. Stay tuned!
Here is a sample of what’s coming on Episode 9 of our Security Talk show:
Last March I delivered a presentation in Redmond at the MVP Summit about NIS, and I’m sharing with you here a summarized version of this presentation (as the full presentation has some NDA content):
In Episode 3 of From End to Edge and Beyond you can also watch a demo on how NIS can block attempts to exploit a vulnerability, check it out below:
Recently I received a question via Twitter (@yuridiogenes) that said: Hi Yuri, do you know how I can block P2P traffic via TMG? The answer here should actually be another question: why do you have P2P software running on your corporate workstations in the first place? If it is not allowed, why is it there? Ah… I see, users are clever and they download applications or bring USB drives with unauthorized software to use in the corporate environment. I see.
This clearly shows that the problem is not really at the edge device, and trying to band-aid it by adding a firewall rule will not fix the root cause: unauthorized software running in the corporate environment. There are many built-in Windows features that can be used to lock down corporate workstations and help you control the environment. However, even before you dig in to find the features you need, you must understand the major elements that help you harden those workstations.
By starting from the principle that each user should only have access to what they really need (least privilege) you are already ahead of the curve. The reality is that many companies give wide access to users and only later realize that users have too much access. The problem is that since the user got used to wide access, he will get frustrated when you cut those privileges, and as a result you will have a user who keeps trying to find a gap so he can regain access to the resources he used to have. We don’t want to motivate this type of behavior, and that’s another reason why least privilege is the way to go right from the beginning.
Back in April I wrote this post where I mentioned the need to use standard user accounts, and I will say it again: it is very important to use standard user accounts. While this is not the solution for everything, it helps the overall protection. When I say this is not the solution, I want to echo a paper from Secunia called “Cybercriminals do not need administrative users”. When you read its conclusion you will see that standard user accounts are a strategy that must be present in your security policy, but you can’t think of it as the only thing that needs to be done to secure the system.
In the first paragraph of this post I showed a common scenario where an IT admin tries to use the firewall as the resolution for bigger problems that will still be in place even after he blocks the outbound traffic. These days you really need to bring security closer to the endpoint; you can’t rely only on the firewall. Remember the defense in depth approach? It has even more meaning nowadays. One built-in Windows feature you can use for that is AppLocker. If you don’t know how AppLocker works, watch the video below:
By using AppLocker you are adding another layer of protection in this battle to secure the endpoint. On top of those elements you should also harden the workstation by disabling unnecessary services and, moving forward, create a workstation template that you can use to guarantee a consistent configuration across the board. There are many templates that come with the Security Compliance Manager tool, as shown below:
You can either use the templates that come with SCM or build yours based on an existing SCM template. This gives you a starting point from which to adjust the template to your environment’s needs.
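To make the AppLocker point above concrete, here is an added example (not code from the original post) of how I would build an executable allow-list from the software that is actually installed on a reference workstation and then test whether an unauthorized binary, such as the P2P client from the question that opened this post, would be allowed to run. The directories, the output path and the name of the suspect executable are assumptions; adjust them to your environment. It needs an elevated PowerShell session on an edition of Windows that ships the AppLocker module (Windows 7 Enterprise/Ultimate, Windows Server 2008 R2 or later).

```powershell
# Added example: generate an AppLocker executable policy from a reference image,
# test it against an unapproved binary, then deploy it in audit mode.
# Paths, the output file and the suspect executable are assumptions.

Import-Module AppLocker

# 1. Inventory the approved executables on the reference workstation.
$approvedDirs = 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows'
$fileInfo = foreach ($dir in $approvedDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe
}

# 2. Build allow rules for Everyone: publisher rules where the file is signed,
#    hash rules otherwise, so unsigned-but-approved tools still run.
#    -Optimize collapses per-file publisher rules into one rule per publisher.
$policyXml = New-AppLockerPolicy -FileInformation $fileInfo `
    -RuleType Publisher, Hash -RuleNamePrefix 'Corp' -User Everyone -Optimize -Xml

# 3. Start in audit mode: the generated XML marks the collection as
#    NotConfigured, so switch it to AuditOnly before applying. Anything a user
#    runs that is not on the list is then logged but not blocked, which is how
#    you find the P2P clients (and the legitimate tools you forgot).
$policyXml = $policyXml -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"'
$policyPath = 'C:\Temp\Corp-AppLocker.xml'        # assumed output location
$policyXml | Out-File -FilePath $policyPath -Encoding UTF8

# 4. Dry run against a binary dropped in a user profile (hypothetical P2P client).
$suspect = 'C:\Users\alice\Downloads\p2pclient.exe'  # assumed path
if (Test-Path $suspect) {
    Test-AppLockerPolicy -XmlPolicy $policyPath -Path $suspect -User Everyone |
        Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
}

# 5. Apply to the local policy (merge with anything already there) and make sure
#    the Application Identity service is running, otherwise AppLocker does nothing.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
```

Review the AppLocker event log (Applications and Services Logs, Microsoft, Windows, AppLocker) for a couple of weeks, add rules for the legitimate software that shows up there, and only then change the Exe collection to Enforce in the GPO. Since this is typically deployed through Group Policy, the same XML can be imported into the domain GPO instead of the local one.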
Keep that in mind and have a good (and safe) deployment!
I wrote many posts on this blog about Conficker, and this weekend when I heard about Morto (which means Dead in Portuguese) and how it works it was like déjà vu. Not because they are alike from the side-effect perspective, but because both exploit weak passwords: Morto brute-forces Remote Desktop (RDP) logons with a short list of common passwords, while Conficker tried a list of weak passwords against administrative shares. Let’s look at the way they spread (according to the Microsoft Malware Encyclopedia) side by side:
They both take advantage of weak passwords, which are usually created by a user who wants something simple but doesn’t know much about security. This brings back the discussion that the user is the weakest link in your security chain and that if you don’t train him well he will make mistakes that can compromise your investment in technology. There are two things you can do: educate users with security awareness training and enforce a strong password policy. Here are some articles you will want to read about strong passwords:
Another important point about Morto is that it tries to contact remote hosts, as you can see below:
Screenshot taken on 8/29/2011 5:32PM CST from : http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm:Win32/Morto.A
This means you should configure your edge device to block access to those remote destinations. If you use Forefront TMG, create rules that deny access to those destinations from your internal workstations, and keep reviewing the logs for suspicious activity: an internal workstation that keeps hitting the deny rule is a strong sign that it is already infected and needs to be cleaned, not just blocked.
For updates about Morto use the following resources:
In May 2011 Tom Shinder and I started to work on a new project called From End to Edge and Beyond, a Security Talk Show with Tom Shinder and Yuri Diogenes. In this post Tom explained why we went down this road rather than creating different writing initiatives for the community. Writing security content is part of our core job and we wanted to bring something more to the community. Currently we have six episodes recorded and great feedback from the audience, and today I’m very happy to say that our show is featured in the Microsoft Security Newsletter – August 2011 Edition; you can find it in the Security Events and Training section as shown below:
If you do not receive the newsletter by e-mail, access the Security Newsletter web edition here. I would like to use this opportunity to also thank Tim Rains and Heather Poulsen for supporting this initiative; I truly appreciate it.
Now, if you are wondering how you can keep up with our show, here are our main channels:
Stay tuned because great episodes are on the way for the next two months!
For the past two years I have advertised in this blog many posts about SCM (Security Compliance Manager), and today I want to write about SCM v2 (Beta). You can start by downloading the beta version from Connect after registering for the beta program. Once you download and install this version you will notice that the interface changed:
Notice that the interface is much cleaner and easier to use than before. The Microsoft baseline templates are all in the left pane, separated by product. To demonstrate how this works, let’s use IE9 as an example:
1. On the left pane expand Internet Explorer 9.
2. Click Attachments / Guides. In the middle pane you have the DOCx file associated with this option, and you can use the Save As option in the right pane to save the file locally.
3. Click IE9-Computer-Compliance-Beta 1.0.
4. On the middle pane look for the option User SmartScreen Filter and click on it. Click Settings Details to see more options.
Notice that you have a clear way not only to identify the policy you want to know more about, but also to see its Description, the Vulnerability this setting helps mitigate, the Potential Impact of enabling it and the Countermeasure associated with it. In addition, at the bottom you have the registry key affected by this setting. In the right pane you have many options that let you manipulate the whole template or just this particular setting. One option I really like is the capability to export the whole baseline to Excel, which you can do by using the option below:
When you use this option it asks where you want to save the file and then automatically opens Excel to import the content:
The reason I like this option is that when you export the baseline to an Excel file you have all the fields to play with: adding or removing columns, querying for particular values, etc. The Customize Fields button, for example, allows you to add more columns to the current spreadsheet, as shown below:
When you are troubleshooting or investigating a potential issue with a particular setting this capability is very handy, because it lets you add the Registry Hive and Registry Key columns. Very cool indeed! Another feature that is very intuitive and very important is the capability to compare your own baseline with a particular Microsoft baseline. Let’s use the Windows Server 2008 R2 SP1 Domain Controller Compliance Beta 1 as an example:
Once you select the baseline, you can use the option Compare in the right pane to compare against yours and see the differences.
The goal here was only to give you a glimpse of this new version; if you want to dig deeper into the new features, read the post SCM v2 (BETA) + New Baselines Available to Download. But I truly encourage you to download the tool and start playing with it.
Throughout the years working with ISA and TMG I noticed that one of the most challenging configurations for many admins is correctly setting up the network settings on ISA/TMG. Although we have some great content out there about the subject, such as An Inside Look into TMG Firewall Networks by Deb Shinder and the great series of 3 articles written by Tom Shinder: Overview of ISA and TMG Networking and ISA Networking Case Study (Part 1), Overview of ISA and TMG Networking and ISA Networking Case Study (Part 2) and Overview of ISA and TMG Networking and ISA Networking Case Study (Part 3). Those are “must read” articles if you are planning your network configuration on TMG; add on top of that the article Planning Forefront TMG network topology. But in case you inherited an environment with Forefront TMG and are experiencing weird problems, then it is time to step back and review your configuration. This post highlights a very common configuration mistake that causes network routing issues.
Problem: clients on remote networks were randomly unable to access the Internet.
Scenario: In this case the TMG admin has the following topology that he needs to configure:
When the TMG admin opens the TMG Management Console this is what he sees:
When he looks at this he thinks it is okay. But you know what, IT IS NOT!! Here are the reasons:
For the second bullet, I want to call out the original source of this information, which says:
Forefront TMG does not support defining separate network objects that represent remote subnets
Issue: Forefront TMG does not support defining separate network objects that represent remote subnets.
Cause: When you define IP address ranges for a network, Forefront TMG checks all network adapters. When Forefront TMG finds an adapter with an IP address in the network range, it associates the network with that adapter. When a network includes remote subnets accessible by Forefront TMG through routers, the IP address of the remote subnets should be included in the network definition. If you define a separate network object for a remote subnet (instead of including it in the network definition), Forefront TMG tries to locate an adapter with an IP address of the network object, and fails. Forefront TMG assumes that the adapter is not available (disconnected or disabled), and sets network status to disconnected.
Solution: For best practice when defining your network configuration in Forefront TMG, take note of the following:
This is a VERY common mistake and I’ve seen it over and over. The main argument I hear is: it always worked like that, why is it a problem now? Well, mainly because it is not supported, which means Microsoft can’t guarantee that your setup will keep working with this configuration. And you can see from the cause above why it breaks: TMG finds no adapter with an address inside the separately defined remote subnet, marks that network as disconnected, and from then on how traffic to those clients is handled is unpredictable, which is exactly the “randomly unable to access the Internet” symptom we started with.
Resolution: The correct way to set up this particular environment is:
Plan your network settings; if you can’t plan, make sure to review the TMG alerts, because usually TMG is screaming out loud when something is wrong in this area.
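As an added example (not code from the original post or from the TMG product), here is a small PowerShell model of the rule quoted above from the TMG documentation: for each network object it looks for a local adapter whose IP address falls inside one of the object’s address ranges, and a network object with no such adapter is what TMG treats as disconnected. The topology, network names and addresses are constructed for the demo; the External network is left out because TMG defines it as everything not in another network rather than by explicit ranges.

```powershell
# Added example: reproduce TMG's "which adapter owns this network?" check so a
# separately defined remote subnet shows up as Disconnected before you find out
# the hard way. Topology and names below are constructed, not from a real site.

function ConvertTo-UInt32Address {
    param([Parameter(Mandatory)][string]$IPAddress)
    # Dotted quad -> unsigned integer (network byte order) so ranges can be compared.
    $bytes = [System.Net.IPAddress]::Parse($IPAddress).GetAddressBytes()
    [Array]::Reverse($bytes)
    return [BitConverter]::ToUInt32($bytes, 0)
}

function Test-TmgNetworkDefinition {
    param(
        # network name -> list of 'start-end' IPv4 address ranges
        [Parameter(Mandatory)][hashtable]$Networks,
        # IPv4 addresses bound to the TMG server's own adapters
        [Parameter(Mandatory)][string[]]$AdapterAddresses
    )
    $adapterInts = @($AdapterAddresses | ForEach-Object { ConvertTo-UInt32Address $_ })
    foreach ($name in ($Networks.Keys | Sort-Object)) {
        $matched = $null
        foreach ($range in $Networks[$name]) {
            $start, $end = $range -split '-'
            $lo = ConvertTo-UInt32Address $start
            $hi = ConvertTo-UInt32Address $end
            for ($i = 0; $i -lt $adapterInts.Count; $i++) {
                if ($adapterInts[$i] -ge $lo -and $adapterInts[$i] -le $hi) {
                    $matched = $AdapterAddresses[$i]   # this adapter "owns" the network
                }
            }
        }
        $status = if ($matched) { 'Connected' } else { 'Disconnected (no adapter in range)' }
        [pscustomobject]@{ Network = $name; Adapter = $matched; Status = $status }
    }
}

# Constructed topology: TMG's internal NIC is 10.0.1.1/24; a branch subnet
# 10.0.2.0/24 sits behind a router on the internal segment.
$adapters = @('10.0.1.1')

# Wrong: the remote subnet defined as its own network object.
$wrong = @{
    'Internal'     = @('10.0.1.0-10.0.1.255')
    'RemoteBranch' = @('10.0.2.0-10.0.2.255')   # no TMG adapter lives here
}
# Right: the remote subnet included in the Internal network definition.
$right = @{
    'Internal' = @('10.0.1.0-10.0.1.255', '10.0.2.0-10.0.2.255')
}

'--- separate network object for the remote subnet ---'
Test-TmgNetworkDefinition -Networks $wrong -AdapterAddresses $adapters | Format-Table -AutoSize
'--- remote subnet folded into Internal ---'
Test-TmgNetworkDefinition -Networks $right -AdapterAddresses $adapters | Format-Table -AutoSize
```

On a real TMG server (Windows Server 2008 R2) you can feed the function the live adapter list with `(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=true').IPAddress` and type in the ranges you see in the Networks node of the console; any row that comes back Disconnected is a network object whose ranges belong inside Internal (or whichever network the adapter facing that router is part of), with a static route on the server for the remote subnet.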
Today the list of breakout sessions that will be available during the biggest Microsoft conference in South America was officially announced on the TechED Brazil website. I will be delivering three breakout sessions, which are:
This will be my second TechED Brazil; the first one was in 2008, and I’m sure this one will be even better!
During TechED week I will also be delivering presentations at MVP Open Day and MS Community Zone.
Hope to see you there.
Last Friday my friend Tom Shinder and I had a chance to participate in the Talk TechNet show with Keith Combs and Matt Hester. During the show some interesting questions were raised by the audience, mainly around FOPE and other cloud-related services. One question was about auditing cloud applications, in particular Exchange. I would like to share the article “Use Auditing Reports in Exchange Online”, which gives you more information about that, and on the same token the article “Compliance Features in Exchange Online” can also give you more details about the Exchange Online compliance capabilities. Another piece of information I mentioned during the call was the link to the Security Intelligence Report and the spam messages blocked by FOPE. The statistic I mentioned appears in the diagram below:
If you did not listen to our talk last week, the MP3 version is already available for download here:
Enjoy the show!
Just a reminder that tomorrow Tom Shinder and I will be at Talk TechNet with Keith Combs and Matt Hester to discuss Cloud Security. Registration is still open at the web site below:
See ya tomorrow!!
This week I’m attending TechReady in Seattle, where I will present two sessions about On-Premise Security while Migrating to the Cloud (as a matter of fact I already presented one today). For the last two days I talked with some folks from the field and got common comments about their talking points with customers when the subject is migrating to the cloud. The common question usually is: where is my data when it moves to the cloud? This is a great question, but instead of writing about it, why not watch a video that explains in detail the Microsoft datacenter for Online Services? Sure, no problem… enjoy the video below about that: