<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.technet.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>David Ziembicki on Infrastructure Architecture : Security</title><link>http://blogs.technet.com/davidzi/archive/tags/Security/default.aspx</link><description>Tags: Security</description><dc:language>en</dc:language><generator>CommunityServer 2.1 SP1 (Build: 61025.2)</generator><item><title>Completing 5 days of Forefront Protection Suite (Stirling) Training</title><link>http://blogs.technet.com/davidzi/archive/2009/07/28/completing-5-days-of-forefront-protection-suite-stirling-training.aspx</link><pubDate>Tue, 28 Jul 2009 18:12:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3268764</guid><dc:creator>davidzi</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/davidzi/comments/3268764.aspx</comments><wfw:commentRss>http://blogs.technet.com/davidzi/commentrss.aspx?PostID=3268764</wfw:commentRss><wfw:comment>http://blogs.technet.com/davidzi/rsscomments.aspx?PostID=3268764</wfw:comment><description>&lt;P&gt;Last week I came out to Redmond for 5 days of training on the Forefront Protection Suite, formerly Forefront codenamed “Stirling”. The final name was &lt;A href="http://blogs.technet.com/forefront/archive/2009/07/13/business-ready-security-news-at-wpc.aspx" target=_blank&gt;announced at the Worldwide Partner Conference&lt;/A&gt;:&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;Forefront codename “Stirling” - the next generation of the Forefront Security Suite for integrated,&amp;nbsp; comprehensive protection across endpoints, servers and &lt;A href="http://blogs.technet.com/blogfiles/davidzi/WindowsLiveWriter/Completing5daysofForefrontProtectionSuit_7366/logo-header-forefront-dg_2.jpg"&gt;&lt;IMG style="BORDER-RIGHT-WIDTH: 0px; DISPLAY: inline; BORDER-TOP-WIDTH: 0px; BORDER-BOTTOM-WIDTH: 0px; MARGIN-LEFT: 0px; BORDER-LEFT-WIDTH: 0px; MARGIN-RIGHT: 0px" title=logo-header-forefront-dg border=0 alt=logo-header-forefront-dg align=right src="http://blogs.technet.com/blogfiles/davidzi/WindowsLiveWriter/Completing5daysofForefrontProtectionSuit_7366/logo-header-forefront-dg_thumb.jpg" width=240 height=67&gt;&lt;/A&gt;the edge – will be officially known as &lt;A href="http://www.microsoft.com/forefront/stirling/en/us/default.aspx"&gt;&lt;B&gt;Forefront Protection Suite (FPS)&lt;/B&gt;. &lt;/A&gt;&lt;/P&gt;&lt;/BLOCKQUOTE&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;FPS will include the products in the &lt;A href="http://www.microsoft.com/forefront/en/us/pricing-licensing.aspx"&gt;current suite&lt;/A&gt;, plus the Forefront Protection Manager (formerly known as the “Stirling” management console) and the Forefront Threat Management Gateway Web Security Service.&lt;/P&gt;&lt;/BLOCKQUOTE&gt;
&lt;P&gt;The training was pretty interesting. We covered most of the components of the suite, the console, and the integration between all the components. That integration is going to be the real differentiator. Client, Server, and Edge security can all be tightly integrated, as can Network Access Protection (NAP). The solution is built on top of PowerShell, so there are significant automation capabilities even beyond the in-box solutions.&lt;/P&gt;
&lt;P&gt;With very capable component pieces and many integration points, there are a huge number of implementation scenarios and options. This can be very powerful but also a bit daunting until you gain experience with the products. The suite leverages the System Center infrastructure, particularly Operations Manager.&lt;/P&gt;
&lt;P&gt;I came away from the 5 days pretty impressed with the suite and the scenarios it enables but also with a healthy respect for the effort required to implement the solution. If the appropriate time and resources are allocated, the end result can be a very robust security infrastructure and most importantly a single console providing situational awareness and reporting across the entire security infrastructure.&lt;/P&gt;
&lt;P&gt;If you want to take a look at the suite yourself, &lt;A href="http://technet.microsoft.com/en-us/evalcenter/cc339029.aspx" target=_blank&gt;the Beta2 release is available here&lt;/A&gt; both in installable form and in a pre-configured virtual machine.&lt;/P&gt;&lt;BR&gt;&lt;!-- AddThis Share Button BEGIN --&gt;
 &lt;!-- AddThis Share Button END --&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3268764" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/davidzi/archive/tags/Architecture/default.aspx">Architecture</category><category domain="http://blogs.technet.com/davidzi/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/davidzi/archive/tags/System+Center/default.aspx">System Center</category><category domain="http://blogs.technet.com/davidzi/archive/tags/PowerShell/default.aspx">PowerShell</category></item><item><title>New Microsoft Security Site for Governments</title><link>http://blogs.technet.com/davidzi/archive/2009/07/06/new-microsoft-security-site-for-governments.aspx</link><pubDate>Tue, 07 Jul 2009 00:44:41 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3261706</guid><dc:creator>davidzi</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/davidzi/comments/3261706.aspx</comments><wfw:commentRss>http://blogs.technet.com/davidzi/commentrss.aspx?PostID=3261706</wfw:commentRss><wfw:comment>http://blogs.technet.com/davidzi/rsscomments.aspx?PostID=3261706</wfw:comment><description>&lt;p&gt;A new &lt;a href="http://www.microsoft.com/industry/government/guides/security/default.aspx" target="_blank"&gt;Security section has been added&lt;/a&gt; to the government site on Microsoft.com. The site consolidates a number of relevant tools, solutions, case studies, and links relevant to Public Sector organizations. 
Several of the solutions call for specific mentions here:&lt;/p&gt;  &lt;p&gt;&lt;a href="http://www.microsoft.com/industry/government/solutions/fdcc/default.aspx" target="_blank"&gt;Federal Desktop Core Configuration (FDCC)&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;&lt;a href="http://www.microsoft.com/industry/government/solutions/fscc/default.aspx" target="_blank"&gt;Federal Server Core Configuration (FSCC)&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;&lt;a href="http://www.microsoft.com/industry/government/solutions/itinfrastructureoptimization/default.aspx" target="_blank"&gt;Infrastructure Optimization (IO)&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;&lt;a href="http://www.microsoft.com/industry/government/solutions/Server_Virtualization/default.aspx" target="_blank"&gt;Server Virtualization&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;The site also includes a brief interview with a colleague of mine in the Federal practice, Bill Billings, the Chief Security Officer of Microsoft Federal. In the video Bill discusses some of the cyber security priorities of the Obama administration and the areas Microsoft is working with the administration.&lt;/p&gt;  &lt;p&gt;&amp;#160;&lt;/p&gt; &lt;iframe height="326" src="http://www.microsoft.com/video/en/us/player/embed/c313b9e5-ed46-4d6c-a6be-63f9b3c2aa8f" frameborder="0" width="430" allowtransparency="allowtransparency" scrolling="no"&gt;&lt;/iframe&gt;  &lt;br /&gt;  &lt;p&gt;&lt;script type="text/javascript"&gt;var addthis_pub="ziembd";&lt;/script&gt;&lt;a onmouseover="return addthis_open(this, &amp;#39;&amp;#39;, &amp;#39;[URL]&amp;#39;, &amp;#39;[TITLE]&amp;#39;)" onmouseout="addthis_close()" onclick="return addthis_sendto()" href="http://www.addthis.com/bookmark.php?v=20"&gt;&lt;img style="border-right-width: 0px; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" alt="Bookmark and Share" src="http://s7.addthis.com/static/btn/lg-share-en.gif" width="125" height="16" /&gt;&lt;/a&gt;&lt;script type="text/javascript" 
src="http://s7.addthis.com/js/200/addthis_widget.js"&gt;&lt;/script&gt; &lt;!-- AddThis Share Button END --&gt;&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3261706" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/davidzi/archive/tags/Microsoft+News/default.aspx">Microsoft News</category><category domain="http://blogs.technet.com/davidzi/archive/tags/Virtualization/default.aspx">Virtualization</category><category domain="http://blogs.technet.com/davidzi/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/davidzi/archive/tags/Windows+Server+2008/default.aspx">Windows Server 2008</category></item><item><title>Threat Modeling Guide for IT Infrastructure</title><link>http://blogs.technet.com/davidzi/archive/2009/06/22/threat-modeling-guide-for-it-infrastructure.aspx</link><pubDate>Tue, 23 Jun 2009 02:41:07 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3257624</guid><dc:creator>davidzi</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/davidzi/comments/3257624.aspx</comments><wfw:commentRss>http://blogs.technet.com/davidzi/commentrss.aspx?PostID=3257624</wfw:commentRss><wfw:comment>http://blogs.technet.com/davidzi/rsscomments.aspx?PostID=3257624</wfw:comment><description>&lt;p&gt;Over on the Solution Accelerators Security Blog is a &lt;a href="http://blogs.technet.com/secguide/archive/2009/06/22/it-infrastructure-threat-modeling-guide.aspx" target="_blank"&gt;post&lt;/a&gt; and link to the &lt;a href="http://technet.microsoft.com/en-us/library/dd941826.aspx" target="_blank"&gt;IT Infrastructure Threat Modeling Guide&lt;/a&gt;. &lt;/p&gt;  &lt;p&gt;From the guide:&lt;/p&gt;  &lt;p&gt;&lt;em&gt;The &lt;strong&gt;IT Infrastructure Threat Modeling Guide&lt;/strong&gt; provides an easy-to-understand method for developing threat models that can help prioritize investments in IT infrastructure security. 
This guide describes and considers the extensive methodology that exists for Microsoft Security Development Lifecycle (SDL) threat modeling and uses it to establish a threat modeling process for IT infrastructure.&lt;/em&gt;&lt;/p&gt;  &lt;p&gt;This is one example of what I think will be a growing trend where the lines between infrastructure and development will be blurred. This is a positive as there are a substantial number of best practices in both disciplines that can be shared. A structured approach to threat modeling is a prime example. &lt;/p&gt;  &lt;br /&gt;&lt;!-- AddThis Share Button BEGIN --&gt;&lt;script type="text/javascript"&gt;var addthis_pub="ziembd";&lt;/script&gt;&lt;a onmouseover="return addthis_open(this, &amp;#39;&amp;#39;, &amp;#39;[URL]&amp;#39;, &amp;#39;[TITLE]&amp;#39;)" onmouseout="addthis_close()" onclick="return addthis_sendto()" href="http://www.addthis.com/bookmark.php?v=20"&gt;&lt;img style="border-bottom: 0px; border-left: 0px; border-top: 0px; border-right: 0px" alt="Bookmark and Share" src="http://s7.addthis.com/static/btn/lg-share-en.gif" width="125" height="16" /&gt;&lt;/a&gt;&lt;script type="text/javascript" src="http://s7.addthis.com/js/200/addthis_widget.js"&gt;&lt;/script&gt; &lt;!-- AddThis Share Button END --&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3257624" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/davidzi/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/davidzi/archive/tags/Cloud+Computing/default.aspx">Cloud Computing</category><category domain="http://blogs.technet.com/davidzi/archive/tags/Datacenters/default.aspx">Datacenters</category></item><item><title>Networking and Remote Desktop Technical Resources</title><link>http://blogs.technet.com/davidzi/archive/2009/06/12/networking-and-remote-desktop-technical-resources.aspx</link><pubDate>Fri, 12 Jun 2009 20:15:15 GMT</pubDate><guid 
isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3254130</guid><dc:creator>davidzi</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/davidzi/comments/3254130.aspx</comments><wfw:commentRss>http://blogs.technet.com/davidzi/commentrss.aspx?PostID=3254130</wfw:commentRss><wfw:comment>http://blogs.technet.com/davidzi/rsscomments.aspx?PostID=3254130</wfw:comment><description>&lt;p&gt;The links below lead to a series of technical whitepapers on DirectAccess, BranchCache, and Remote Desktop Services in Windows Server 2008 R2.&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.technet.com/wsnetdoc/archive/2009/06/10/new-resources-on-windows-7-and-windows-server-2008-networking-published.aspx" target="_blank"&gt;Networking Resources: DirectAccess and BranchCache&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.technet.com/askperf/archive/2009/06/12/remote-desktop-services-weekend-reading.aspx" target="_blank"&gt;Remote Desktop Resources: Kerberos, User Profiles, RemoteApp&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;   &lt;br /&gt;&lt;!-- AddThis Share Button BEGIN --&gt;&lt;script type="text/javascript"&gt;var addthis_pub="ziembd";&lt;/script&gt;&lt;a onmouseover="return addthis_open(this, &amp;#39;&amp;#39;, &amp;#39;[URL]&amp;#39;, &amp;#39;[TITLE]&amp;#39;)" onmouseout="addthis_close()" onclick="return addthis_sendto()" href="http://www.addthis.com/bookmark.php?v=20"&gt;&lt;img style="border-bottom: 0px; border-left: 0px; border-top: 0px; border-right: 0px" alt="Bookmark and Share" src="http://s7.addthis.com/static/btn/lg-share-en.gif" width="125" height="16" /&gt;&lt;/a&gt;&lt;script type="text/javascript" src="http://s7.addthis.com/js/200/addthis_widget.js"&gt;&lt;/script&gt; &lt;!-- AddThis Share Button END --&gt;&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3254130" width="1" height="1"&gt;</description><category 
domain="http://blogs.technet.com/davidzi/archive/tags/Virtualization/default.aspx">Virtualization</category><category domain="http://blogs.technet.com/davidzi/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/davidzi/archive/tags/Hyper-V/default.aspx">Hyper-V</category><category domain="http://blogs.technet.com/davidzi/archive/tags/Windows+7/default.aspx">Windows 7</category><category domain="http://blogs.technet.com/davidzi/archive/tags/Desktop+Virtualization/default.aspx">Desktop Virtualization</category><category domain="http://blogs.technet.com/davidzi/archive/tags/VDI/default.aspx">VDI</category><category domain="http://blogs.technet.com/davidzi/archive/tags/Windows+Server+2008/default.aspx">Windows Server 2008</category><category domain="http://blogs.technet.com/davidzi/archive/tags/Remote+Desktop+Services/default.aspx">Remote Desktop Services</category></item><item><title>Windows Server 2008 R2 to RTM in July!</title><link>http://blogs.technet.com/davidzi/archive/2009/06/02/windows-server-2008-r2-to-rtm-in-july.aspx</link><pubDate>Wed, 03 Jun 2009 02:09:14 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3249541</guid><dc:creator>davidzi</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/davidzi/comments/3249541.aspx</comments><wfw:commentRss>http://blogs.technet.com/davidzi/commentrss.aspx?PostID=3249541</wfw:commentRss><wfw:comment>http://blogs.technet.com/davidzi/rsscomments.aspx?PostID=3249541</wfw:comment><description>&lt;p&gt;The Windows Server Division blog &lt;a href="http://blogs.technet.com/windowsserver/archive/2009/06/02/windows-server-2008-r2-rtm-and-general-availability.aspx" target="_blank"&gt;announced&lt;/a&gt; that Windows Server 2008 R2 is tracking with Windows 7 and both are planned to RTM in the second half of July with General Availability on Oct 22! That RTM date is earlier than I thought it would be, I was thinking late August. 
The more I dig into R2 the more impressed I am with how many new features (Hyper-V R2, lots of RDS improvements, DirectAccess, etc, etc) were added in what the product group calls a minor release!&lt;/p&gt;  &lt;p&gt;&amp;#160;&lt;/p&gt;  &lt;p&gt;&lt;script type="text/javascript"&gt;var addthis_pub="ziembd";&lt;/script&gt;&lt;a onmouseover="return addthis_open(this, &amp;#39;&amp;#39;, &amp;#39;[URL]&amp;#39;, &amp;#39;[TITLE]&amp;#39;)" onmouseout="addthis_close()" onclick="return addthis_sendto()" href="http://www.addthis.com/bookmark.php?v=20"&gt;&lt;img style="border-bottom: 0px; border-left: 0px; border-top: 0px; border-right: 0px" alt="Bookmark and Share" src="http://s7.addthis.com/static/btn/lg-share-en.gif" width="125" height="16" /&gt;&lt;/a&gt;&lt;script type="text/javascript" src="http://s7.addthis.com/js/200/addthis_widget.js"&gt;&lt;/script&gt; &lt;!-- AddThis Share Button END --&gt;&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3249541" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/davidzi/archive/tags/Microsoft+News/default.aspx">Microsoft News</category><category domain="http://blogs.technet.com/davidzi/archive/tags/Virtualization/default.aspx">Virtualization</category><category domain="http://blogs.technet.com/davidzi/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/davidzi/archive/tags/Hyper-V/default.aspx">Hyper-V</category><category domain="http://blogs.technet.com/davidzi/archive/tags/VDI/default.aspx">VDI</category><category domain="http://blogs.technet.com/davidzi/archive/tags/Windows+Server+2008/default.aspx">Windows Server 2008</category><category domain="http://blogs.technet.com/davidzi/archive/tags/Remote+Desktop+Services/default.aspx">Remote Desktop Services</category></item><item><title>Microsoft SDL: Get it to go</title><link>http://blogs.technet.com/davidzi/archive/2009/05/19/microsoft-sdl-get-it-to-go.aspx</link><pubDate>Wed, 20 
May 2009 04:02:09 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3243483</guid><dc:creator>davidzi</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/davidzi/comments/3243483.aspx</comments><wfw:commentRss>http://blogs.technet.com/davidzi/commentrss.aspx?PostID=3243483</wfw:commentRss><wfw:comment>http://blogs.technet.com/davidzi/rsscomments.aspx?PostID=3243483</wfw:comment><description>&lt;p&gt;Today Microsoft made available the&lt;strong&gt; &lt;/strong&gt;&lt;a href="http://msdn.microsoft.com/en-us/security/dd670265.aspx"&gt;Microsoft SDL Process Template&lt;/a&gt;&lt;strong&gt;.&lt;/strong&gt; This was announced over on the &lt;a href="http://blogs.msdn.com/sdl/archive/2009/05/19/making-secure-code-easier.aspx" target="_blank"&gt;SDL Blog&lt;/a&gt;. Roger has some &lt;a href="http://blogs.technet.com/rhalbheer/archive/2009/05/19/security-development-lifecycle-template-your-next-step-to-secure-development.aspx" target="_blank"&gt;comments&lt;/a&gt; on it as well.&lt;/p&gt;  &lt;p&gt;The SDL Process Template is a &lt;b&gt;free downloadable template&lt;/b&gt; for &lt;a href="http://msdn.microsoft.com/en-us/vsts2008/default.aspx"&gt;Visual Studio Team System&lt;/a&gt; that integrates the SDL directly into a customer’s software development environment. The template helps:&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;Installs SDL requirements as work items &lt;/li&gt;    &lt;li&gt;Includes SDL-based check-in policies &lt;/li&gt;    &lt;li&gt;Customizes security bugs and queries &lt;/li&gt;    &lt;li&gt;Includes extensive SDL how-to and guidance documentation&lt;/li&gt;    &lt;li&gt;Generates auditable Final Security Review report &lt;/li&gt;    &lt;li&gt;Accommodates third-party tool integration, e.g. 
the&lt;a href="http://msdn.microsoft.com/security/dd206731.aspx"&gt; SDL Threat Modeling Tool&lt;/a&gt;&lt;/li&gt;    &lt;li&gt;Includes project plans and security risk assessment templates&lt;/li&gt; &lt;/ul&gt;  &lt;br /&gt;&lt;!-- AddThis Share Button BEGIN --&gt;&lt;script type="text/javascript"&gt;var addthis_pub="ziembd";&lt;/script&gt;&lt;a onmouseover="return addthis_open(this, &amp;#39;&amp;#39;, &amp;#39;[URL]&amp;#39;, &amp;#39;[TITLE]&amp;#39;)" onmouseout="addthis_close()" onclick="return addthis_sendto()" href="http://www.addthis.com/bookmark.php?v=20"&gt;&lt;img style="border-bottom: 0px; border-left: 0px; border-top: 0px; border-right: 0px" alt="Bookmark and Share" src="http://s7.addthis.com/static/btn/lg-share-en.gif" width="125" height="16" /&gt;&lt;/a&gt;&lt;script type="text/javascript" src="http://s7.addthis.com/js/200/addthis_widget.js"&gt;&lt;/script&gt; &lt;!-- AddThis Share Button END --&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3243483" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/davidzi/archive/tags/Architecture/default.aspx">Architecture</category><category domain="http://blogs.technet.com/davidzi/archive/tags/Microsoft+News/default.aspx">Microsoft News</category><category domain="http://blogs.technet.com/davidzi/archive/tags/Security/default.aspx">Security</category></item><item><title>IIS Gaining Rapidly on Apache</title><link>http://blogs.technet.com/davidzi/archive/2007/08/07/iis-gaining-rapidly-on-apache.aspx</link><pubDate>Tue, 07 Aug 2007 14:48:00 GMT</pubDate><guid 
isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:1717178</guid><dc:creator>davidzi</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/davidzi/comments/1717178.aspx</comments><wfw:commentRss>http://blogs.technet.com/davidzi/commentrss.aspx?PostID=1717178</wfw:commentRss><wfw:comment>http://blogs.technet.com/davidzi/rsscomments.aspx?PostID=1717178</wfw:comment><description>&lt;P&gt;I hadn't taken note of the market share numbers in a while but check out&amp;nbsp;the &lt;A class="" href="http://news.netcraft.com/" mce_href="http://news.netcraft.com/"&gt;results from the most recent Netcraft survey&lt;/A&gt;. They state the following:&lt;/P&gt;
&lt;P&gt;&amp;nbsp;"Microsoft continues to increase its web server market share, adding 2.6 million sites this month as Apache loses 991K hostnames. As a result, Windows improves its market share by 1.4% to 34.2%, while Apache slips by 1.7% to 48.4%. Microsoft's recent gains raise the prospect that Windows may soon challenge Apache's leadership position." ... "But if Microsoft continues to gain share at its current pace, it could close the gap on Apache sometime in 2008."&lt;/P&gt;
&lt;P&gt;That is a substantial change, especially considering that the percentages remained essentially stable through all of 2004 and 2005 with Apache leading by 30-40 points. Getting the gap down to 14 points is a significant achievement. Remember also that IIS used to be a toxic term in the late '90s and earlier this decade.&lt;/P&gt;
&lt;P&gt;With the major improvements coming&amp;nbsp;in IIS7&amp;nbsp;on Windows 2008, IIS may well become the leading web server&amp;nbsp;platform in the very near future. That's a turn around that I don't think the team gets enough credit for.&amp;nbsp;&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=1717178" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/davidzi/archive/tags/Microsoft+News/default.aspx">Microsoft News</category><category domain="http://blogs.technet.com/davidzi/archive/tags/Commentary/default.aspx">Commentary</category><category domain="http://blogs.technet.com/davidzi/archive/tags/Security/default.aspx">Security</category></item><item><title>Microsoft and Juniper Announce NAP Interoperability</title><link>http://blogs.technet.com/davidzi/archive/2007/05/21/microsoft-and-juniper-announce-nap-interoperability.aspx</link><pubDate>Mon, 21 May 2007 22:35:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:1012950</guid><dc:creator>davidzi</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/davidzi/comments/1012950.aspx</comments><wfw:commentRss>http://blogs.technet.com/davidzi/commentrss.aspx?PostID=1012950</wfw:commentRss><wfw:comment>http://blogs.technet.com/davidzi/rsscomments.aspx?PostID=1012950</wfw:comment><description>&lt;P&gt;From this &lt;A class="" href="http://www.microsoft.com/presspass/press/2007/may07/05-21MSJuniperPR.mspx?rss_fdn=Press%20Releases" mce_href="http://www.microsoft.com/presspass/press/2007/may07/05-21MSJuniperPR.mspx?rss_fdn=Press%20Releases"&gt;press release&lt;/A&gt;:&lt;/P&gt;
&lt;P&gt;"Juniper Networks Inc. (NASDAQ: JNPR) and Microsoft Corp. (NASDAQ: MSFT) today announced the companies are working together to provide customers and partners with open standards-based interoperability between Juniper Networks Unified Access Control (UAC) and Microsoft Network Access Protection (NAP). "&lt;/P&gt;
&lt;P&gt;This is similar to an &lt;A class="" href="http://www.microsoft.com/presspass/press/2006/sep06/09-06SecStandardNACNAPPR.mspx" mce_href="http://www.microsoft.com/presspass/press/2006/sep06/09-06SecStandardNACNAPPR.mspx"&gt;announcement&lt;/A&gt; last year that we did with Cisco around interoperability with their Network Admission Control system. What's exciting about these technologies is the integration of the network infrastructure with the server and client infrastructure. In most cases to date these infrastructures have not been well integrated. The network infrastructure has had little or no awareness of the type and state of clients/servers attached to it, and the computing infrastructure has had little or no awareness of the underlying network it relies on other than its up or down status. With these interoperability announcements, decisions at the network level will be able to leverage data originating from higher in the stack. The most frequently cited example is the unpatched client machine attaching to the network. With the integration of the network UAC/NAC with NAP, the client machine will be prevented from connecting to the main network until the appropriate patches are applied. While extremely valuable, this example just scratches the surface of what is possible. NAP is a platform that can be built and extended by partners in many ways, such as creating custom health models, etc. 
The integration of the network and computing infrastructure in the future will enable all kinds of advanced scenarios such as dynamic quality of service or dynamic secure VLANs&amp;nbsp;based on the authentication method used, etc.&lt;/P&gt;</description><category domain="http://blogs.technet.com/davidzi/archive/tags/Architecture/default.aspx">Architecture</category><category domain="http://blogs.technet.com/davidzi/archive/tags/Microsoft+News/default.aspx">Microsoft News</category><category domain="http://blogs.technet.com/davidzi/archive/tags/Security/default.aspx">Security</category></item><item><title>The First International Cyberwar?</title><link>http://blogs.technet.com/davidzi/archive/2007/05/17/the-first-international-cyberwar.aspx</link><pubDate>Thu, 17 May 2007 17:35:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:986769</guid><dc:creator>davidzi</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/davidzi/comments/986769.aspx</comments><wfw:commentRss>http://blogs.technet.com/davidzi/commentrss.aspx?PostID=986769</wfw:commentRss><wfw:comment>http://blogs.technet.com/davidzi/rsscomments.aspx?PostID=986769</wfw:comment><description>&lt;P&gt;The Guardian is &lt;A class="" href="http://www.guardian.co.uk/russia/article/0,,2081438,00.html" mce_href="http://www.guardian.co.uk/russia/article/0,,2081438,00.html"&gt;reporting&lt;/A&gt;&amp;nbsp;that "A three-week wave of massive cyber-attacks on the small Baltic country of Estonia, the first known incidence of such an assault on a state, is causing alarm across the western alliance, with Nato urgently examining the offensive and its implications.". 
Yahoo is also carrying a similar&amp;nbsp;&lt;A class="" href="http://news.yahoo.com/s/afp/20070516/tc_afp/estoniarussiapoliticsinternetpiracyeunato" mce_href="http://news.yahoo.com/s/afp/20070516/tc_afp/estoniarussiapoliticsinternetpiracyeunato"&gt;story&lt;/A&gt; from Agence France-Presse (AFP). The accusation is that this is a state-run cyber attack originating from Russia. What's also interesting is that Estonia has been a member of NATO since March 2004. The articles point out that NATO does not currently define a "cyber attack" as a military action, so such attacks would not currently trigger Article V, which is basically the "an attack on one is an attack on all" doctrine. Leaving aside the politics of the Estonia/Russia dispute,&amp;nbsp;which I know nothing about, the situation does lead to interesting questions like whether a state-backed cyber attack should be considered a military event, how countries and alliances should respond in such a case, etc. &lt;/P&gt;
&lt;P&gt;In working with the customers I do, which include government agencies who you would expect to be targets of this type of activity, it is clear that most people, and even policy makers in some cases, do not realize how much of this activity occurs every day in terms of organized network reconnaissance and penetration efforts, etc. My view is that over the last 3 years in particular, the issue of information security has gotten much more difficult and complicated as it has moved from the proverbial "teen in the basement" writing viruses and looking for fame to a much more dangerous environment where the threats come more from organized crime rings with theft/fraud as their goal and governments/terrorist organizations with active efforts to find weaknesses in critical military or economic systems. These folks are not going to publish their exploits, or use them in a large-scale, easily detected manner. That is the main reason why it is so foolish when you hear users of the various operating systems saying "my OS is much more secure" or "there are no remotely exploitable vulnerabilities in X, Y, or Z". The bottom line is that it is impossible to know with certainty. All code has&amp;nbsp;flaws, and over time new means of exploit&amp;nbsp;are found that were not knowable previously. That is a key point. If you had the resources to exhaustively analyze a piece of code or a complete OS today, and if you could find every single&amp;nbsp;flaw with perfect knowledge of all&amp;nbsp;existing computer science,&amp;nbsp;there is&amp;nbsp;still a high degree of likelihood that within the useful life of that code new, previously unknown&amp;nbsp;techniques will have been developed to exploit it. This is why military and intelligence agencies put so much emphasis on defense in depth and other layering techniques. 
If lives are on the line you don't assume that any component is completely secure whether it is Vista, OSX, Linux, etc.&amp;nbsp;In evaluating system components, those that themselves implement defense in depth should be given preference.&lt;/P&gt;
&lt;P mce_keep="true"&gt;&amp;nbsp;&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=986769" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/davidzi/archive/tags/Commentary/default.aspx">Commentary</category><category domain="http://blogs.technet.com/davidzi/archive/tags/Security/default.aspx">Security</category></item><item><title>Changes to the Security Bulletin Advanced Notification Service</title><link>http://blogs.technet.com/davidzi/archive/2007/05/16/changes-to-the-security-bulletin-advanced-notification-service.aspx</link><pubDate>Thu, 17 May 2007 03:07:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:982393</guid><dc:creator>davidzi</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/davidzi/comments/982393.aspx</comments><wfw:commentRss>http://blogs.technet.com/davidzi/commentrss.aspx?PostID=982393</wfw:commentRss><wfw:comment>http://blogs.technet.com/davidzi/rsscomments.aspx?PostID=982393</wfw:comment><description>&lt;P&gt;The Microsoft Security Response Center (MSRC) &lt;A class="" href="http://blogs.technet.com/msrc/archive/2007/05/16/ans-and-security-bulletin-updates.aspx" mce_href="http://blogs.technet.com/msrc/archive/2007/05/16/ans-and-security-bulletin-updates.aspx"&gt;announced&lt;/A&gt; some changes to the Advanced Notification Service (ANS)&amp;nbsp;which is basically a service anyone can subscribe to which provides notice on Thursday the week before each month's Tuesday&amp;nbsp;security bulletin&amp;nbsp;releases of the number, severity, and affected products for that month's security bulletins. The changes are additional detail that will be provided for each individual bulletin including:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Maximum Severity Rating&lt;/LI&gt;
&lt;LI&gt;Impact of the Vulnerability&lt;/LI&gt;
&lt;LI&gt;Detection Information&lt;/LI&gt;
&lt;LI&gt;Affected Software&lt;/LI&gt;&lt;/UL&gt;
&lt;P&gt;The changes are a good idea. The ANS as it is today is somewhat valuable in that it gives you some idea of what is coming on Patch Tuesday, but really only enough information to make high-level staffing decisions, i.e. have ops staff primed for testing and deployment. With the additional information in the new service, you should be able to get more prepared since you'll know more of the specifics of each bulletin, how to detect if you are vulnerable, etc. It should help ops staff to have a more complete test and deployment plan ready to roll by each Tuesday.&lt;/P&gt;
&lt;P&gt;The MSRC also announced changes to the Security Bulletins themselves to make them more readable and to make it quicker to get to the important parts, like deciding applicability and finding direct links to the hotfix downloads. They've posted a sample of what the new bulletin format looks like &lt;A class="" href="http://www.microsoft.com/technet/security/bulletin/ms07-016-example-of-new-layout.mspx" mce_href="http://www.microsoft.com/technet/security/bulletin/ms07-016-example-of-new-layout.mspx"&gt;here&lt;/A&gt;.&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=982393" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/davidzi/archive/tags/Microsoft+News/default.aspx">Microsoft News</category><category domain="http://blogs.technet.com/davidzi/archive/tags/Security/default.aspx">Security</category></item><item><title>Microsoft Security Intelligence Report</title><link>http://blogs.technet.com/davidzi/archive/2007/04/25/microsoft-security-intelligence-report.aspx</link><pubDate>Wed, 25 Apr 2007 15:40:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:820916</guid><dc:creator>davidzi</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/davidzi/comments/820916.aspx</comments><wfw:commentRss>http://blogs.technet.com/davidzi/commentrss.aspx?PostID=820916</wfw:commentRss><wfw:comment>http://blogs.technet.com/davidzi/rsscomments.aspx?PostID=820916</wfw:comment><description>&lt;P&gt;This report is a very interesting read. It discusses recent trends and data collected around viruses, malware, exploits, etc. Some of the conclusions:&lt;/P&gt;
&lt;P mce_keep="true"&gt;"Disclosed vulnerabilities for 2006 rose 41 percent over the previous year, continuing an upward trend in new vulnerability disclosures. More vulnerabilities were disclosed in the second half of 2006 than in any single year from 2000 to 2004."&lt;/P&gt;
&lt;P mce_keep="true"&gt;"A much larger percentage of vulnerabilities were "complex to exploit" than in previous years, supporting the observation that the security researcher industry is maturing and utilizing better tools and techniques to find more complex issues." &lt;/P&gt;
&lt;P mce_keep="true"&gt;"Application vulnerabilities continued to grow relative to operating system vulnerabilities as a percentage of all disclosures during 2006, supporting the observation that security vulnerability researchers may be focusing more on applications than in the past."&lt;/P&gt;
&lt;P mce_keep="true"&gt;Here's a &lt;A class="" href="http://www.microsoft.com/downloads/details.aspx?FamilyID=af816e28-533f-4970-9a49-e35dc3f26cfe&amp;amp;DisplayLang=en" mce_href="http://www.microsoft.com/downloads/details.aspx?FamilyID=af816e28-533f-4970-9a49-e35dc3f26cfe&amp;amp;DisplayLang=en"&gt;link to the report&lt;/A&gt;.&lt;/P&gt;
&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=820916" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/davidzi/archive/tags/Microsoft+News/default.aspx">Microsoft News</category><category domain="http://blogs.technet.com/davidzi/archive/tags/Security/default.aspx">Security</category></item><item><title>Jim Allchin on Security Features vs Convenience</title><link>http://blogs.technet.com/davidzi/archive/2007/01/25/jim-allchin-on-security-features-vs-convenience.aspx</link><pubDate>Thu, 25 Jan 2007 19:30:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:608999</guid><dc:creator>davidzi</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/davidzi/comments/608999.aspx</comments><wfw:commentRss>http://blogs.technet.com/davidzi/commentrss.aspx?PostID=608999</wfw:commentRss><wfw:comment>http://blogs.technet.com/davidzi/rsscomments.aspx?PostID=608999</wfw:comment><description>&lt;P&gt;Jim Allchin has a great &lt;A class="" href="http://windowsvistablog.com/blogs/windowsvista/archive/2007/01/23/security-features-vs-convenience.aspx" target=_blank mce_href="http://windowsvistablog.com/blogs/windowsvista/archive/2007/01/23/security-features-vs-convenience.aspx"&gt;post&lt;/A&gt;&amp;nbsp;over on the Vista Team's &lt;A class="" href="http://windowsvistablog.com/" target=_blank mce_href="http://windowsvistablog.com/"&gt;blog&lt;/A&gt;&amp;nbsp;about the tradeoffs and choices made in terms of all the new Vista security features such as User Account Control (UAC) and Data Execution Prevention (DEP). He really drills into the importance of those features but also the importance of not making them so cumbersome that users turn them off.
Also remember that these design choices will end up affecting hundreds of millions of users over Vista's lifetime, and you can see the importance of seemingly small decisions like "should we really prompt the user when he tries to change x, y, or z?". You can also see from his post that there was quite a bit of feedback from beta testers and customers that was taken into account and did result in changes.&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=608999" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/davidzi/archive/tags/Microsoft+News/default.aspx">Microsoft News</category><category domain="http://blogs.technet.com/davidzi/archive/tags/Security/default.aspx">Security</category></item></channel></rss>