
Verizon Business conducted a study on common mistakes made by network managers.  Over the years I have seen a lot of these mistakes in both large and small companies.

The 10 dumbest mistakes network managers make | Security Central - InfoWorld

The Forefront Security Development Team launched a new capacity planning tool. The Forefront Security for Exchange Server capacity planning tool helps you understand what hardware, architecture, and configuration settings will produce recommended system performance and message throughput results for comprehensive protection of your Exchange Servers. The tool is an Excel spreadsheet with built in workflow and can be used to help plan your Forefront Security for Exchange Server 10 SP1/SP2 deployment.

Microsoft Forefront Server Security Blog : Introducing the Forefront Security for Exchange capacity planning tool

Mike Chan, Product Manager for Forefront Server for Exchange (FSE), gives details about some of the new features in the next version of FSE and Stirling.  This is a good video on Forefront and EHF.

Forefront Server for Exchange v2 features | Media | TechNet Edge

Report: Unauthorized Apps Run Rampant on Many Enterprise Networks - Desktop Security News Analysis - Dark Reading

In reading this article, I find this the case at many companies, even here at Microsoft.  Employees will often bring in programs that are not part of the corporate suite of applications.  It could be a program to sync their Zune or, dare I say, iTunes music to their device, or it could be an application that they find useful.  The problem with these unknown applications is the impact they can have on the corporate infrastructure.  This Dark Reading article deals with the security downside of these applications.  But unknown applications can affect the corporate infrastructure in other ways.  The first is the availability of resources and the second is the impact on the help desk.  Availability of network bandwidth and network disk space can be dramatically affected by rampant applications.  Think about the applications that can stream media across the network to an individual's desktop.  One person doing this may not be a problem, but a significant number of employees streaming media can rapidly absorb the available bandwidth.  The same can also be said of network drive space if employees save media to corporate resources, including their workstations.  Help desk personnel also have to contend with these unauthorized applications.  The unauthorized applications can affect corporate applications or change default settings.  These changes can affect the ability of the help desk to resolve a problem quickly.

So what is the IT department to do about these unauthorized applications?  The first step is to get the executives in the corporation involved with the message to employees concerning unauthorized applications.  Without this buy-in from executives, a program to reduce unauthorized applications is doomed to failure.  The second step is to have a process in place to get exceptions approved.  In some organizations the process for getting an application approved was long, tedious and difficult.  With this type of process, employees were willing to take the chance of using an unapproved application rather than getting it approved.  The third step is to inventory what is out there.  This is where System Center Configuration Manager can be an invaluable tool.  Using Configuration Manager, the IT department can gain a very good inventory of what applications users have installed.  They can use this list as a guide to reducing unapproved applications.  Using these steps along with other security related initiatives, the IT department can reduce the effect of unapproved applications.

Here are some other ways to reduce the impact of unapproved applications:

  • Remove administrator privileges for end users so they cannot install applications.
  • Use ISA as a forward proxy and a plug-in such as Websense or Surf Control to remove access to non-business web sites.  The next version of ISA, known as Threat Management Gateway, will have this built in.
  • Use SoftGrid Application Virtualization to reduce the impact of adding new applications to the corporate environment.
  • Educate users on the policy and the downside of unauthorized applications.
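To make the inventory step concrete, here is an added example (not from the original post, and not Configuration Manager's own reporting) that reconciles an installed-software inventory against the approved corporate suite and the approved exceptions, then ranks what is left by how widespread it is. The inventory rows, column layout, product names and computer names are all constructed for the example; a real run would feed it an export of the software inventory Configuration Manager collects.

```python
"""Reconcile a software inventory against an approved-application list.

Added example, not from the original post: models the "inventory what is
out there" step. The inventory rows are constructed to resemble an export of
installed-software data such as the one Configuration Manager collects; the
column layout and every sample value are assumptions.
"""
from collections import Counter, defaultdict

# Constructed inventory export: (computer, product name, publisher, version).
INVENTORY = [
    ("WS-0101", "Microsoft Office 2007", "Microsoft Corporation", "12.0"),
    ("WS-0101", "Zune", "Microsoft Corporation", "2.5"),
    ("WS-0102", "Microsoft Office 2007", "Microsoft Corporation", "12.0"),
    ("WS-0102", "iTunes", "Apple Inc.", "7.6"),
    ("WS-0103", "iTunes", "Apple Inc.", "7.7"),
    ("WS-0103", "Some Media Streamer", "Example Publisher", "1.0"),
    ("WS-0104", "Microsoft Office 2007", "Microsoft Corporation", "12.0"),
    ("WS-0104", "Adobe Reader 8", "Adobe Systems", "8.1"),
    ("WS-0104", "iTunes", "Apple Inc.", "7.7"),
]

# The corporate suite: approved on every computer (constructed list).
APPROVED = {"Microsoft Office 2007", "Adobe Reader 8"}

# Exceptions granted through the approval process: product -> computers.
EXCEPTIONS = {"iTunes": {"WS-0102"}}


def classify(rows, approved=APPROVED, exceptions=EXCEPTIONS):
    """Return {product: [computers]} for installs that are neither part of
    the corporate suite nor covered by an approved exception."""
    unapproved = defaultdict(list)
    for computer, product, _publisher, _version in rows:
        if product in approved:
            continue
        if computer in exceptions.get(product, set()):
            continue
        unapproved[product].append(computer)
    return dict(unapproved)


def prioritize(unapproved):
    """Rank unapproved products by install count, most widespread first, so
    the IT department can work on the biggest impact first."""
    counts = Counter({product: len(computers) for product, computers in unapproved.items()})
    return counts.most_common()


def report(rows):
    """One line per unapproved product, in priority order."""
    unapproved = classify(rows)
    lines = []
    for product, count in prioritize(unapproved):
        where = ", ".join(sorted(unapproved[product]))
        lines.append(f"{product}: {count} install(s) on {where}")
    return lines


if __name__ == "__main__":
    for line in report(INVENTORY):
        print(line)
```

The exception table is what keeps the report honest: an install that went through the approval process is not reported, so the list only shows what still needs a decision.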

I was working with a customer the other day using Forefront Server Security Management Console to distribute templates to Forefront for Exchange.  The customer was having problems with the templates working correctly based on how they thought the product worked.  After looking over what they were trying to do and our product documentation, it was not clear how the product really distributed templates.  The customer was trying to create custom templates for various configurations but was having problems with what they thought were "old" settings being applied.

By default, Forefront for Exchange will apply the settings stored in the Default Template.  If you want to configure all the hub servers with the same configurations, you would select the Default Transport Template and make all the modifications to that template.  To see the templates, on the Forefront management console, select File, Template and then click on View Templates. See screen shot below of how the console will look.

[screenshot: Templates view in the Forefront management console]

These modifications would include AV settings, filtering settings and notification settings.  These settings are stored in the template.fdb file, which is normally located in C:\Program Files\Microsoft Forefront Security\Exchange Server\Data.  You would then copy the template.fdb file to the FSSMC server and distribute it to all the servers with Forefront Server Security installed.  During the distribution process, FSSMC will update the default template and then update the Transport Job with the settings in the template file.  You can control what gets updated from the default template by selecting those items you want updated when you create a package.  See screen shot below.

[screenshot: selecting the items to update when creating a package]

In this case, those settings you select will be updated in the scan jobs.  So for example, if you wanted to update only the file filtering settings, then select file filtering in the package so only those settings are updated from the template file.

The point to remember is that all the settings in the template file you create are placed in the destination server's template file during distribution, not just the settings selected in the package.  So for instance, let’s assume that you have all the scan jobs (transport, real time and manual) configured to load settings from the default templates.  Let’s also assume for this process you have the Bias in the engines set to “Max Certainty” and the file filtering set to block executables in the default templates.  You load the default template for the transport scan job in the Templates configuration and all is fine.  Now for the fun part: you go to another machine and create a default template you want to distribute to all Forefront for Exchange systems.  In this template, you accidentally configured the bias to “Max Performance” and have purposely configured the file filtering to block all .exe and .com files.  You want to use this template to update the file filtering on all the Exchange servers.  You copy the template.fdb file to the FSSMC server, create a package to update only the file filtering and then distribute the package.  On the destination server, the scan job is updated with the new file filtering settings.  However, the template file (template.fdb) has been updated with both the new bias settings and the new file filtering settings.  So the current scan job and the default template do not match.  This doesn’t cause much of a problem because the default template is not loaded unless you do this in the Forefront administration console or the current scan job settings file becomes corrupted.  The problem is that it is not easy to identify this difference in any of the interfaces.  If someone in the future accidentally loads the default template, the bias settings will be changed to “Max Performance”.

Here is the screen capture of the Transport settings.

[screenshot: Transport settings]

Here is the Default Transport Template.

[screenshot: Default Transport Template]

With this in mind, I would create a template file with all the settings you want for a particular scan job and distribute the template file so that it updates all the settings.  Doing this avoids having the default template file not match the current scan job settings.  Creating a template file to update just a subset of the settings is possible but creates confusion about the default settings in the template file.
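The mismatch described above, as an added example that is not part of the original post and not Microsoft's code: a small model of one Forefront server's default template and transport scan job, with the package distribution rule as the post describes it (the template file is replaced wholesale, the scan job gets only the selected items). The setting group names, values and data structures are assumptions; the drift() check is the comparison the post says no console view gives you.

```python
"""Model of how an FSSMC package updates a server's default template and its
scan job, as described in the post. Added example, not Microsoft's code: the
setting-group names, the values and the dict layout are assumptions made to
show the mismatch; the real product keeps these settings in template.fdb.
"""
from copy import deepcopy

SETTING_GROUPS = ("bias", "file_filter", "notifications")


class ForefrontServer:
    """One Forefront for Exchange server: its default transport template and
    the live transport scan job settings, which start out identical."""

    def __init__(self, name, settings):
        self.name = name
        self.default_template = deepcopy(settings)
        self.scan_job = deepcopy(settings)


def distribute_package(server, template, selected_groups):
    """Apply an FSSMC package. Per the post: the whole template file replaces
    the server's default template, but only the selected groups reach the
    scan job."""
    server.default_template = deepcopy(template)
    for group in selected_groups:
        server.scan_job[group] = deepcopy(template[group])


def drift(server):
    """Setting groups where the live scan job no longer matches the default
    template. This is the difference the console does not make obvious."""
    return [g for g in SETTING_GROUPS if server.scan_job[g] != server.default_template[g]]


def load_default_template(server):
    """What happens if someone later loads the default template in the
    Forefront console: every group in it, accidental or not, goes live."""
    server.scan_job = deepcopy(server.default_template)


# Constructed scenario from the post.
ORIGINAL = {
    "bias": "Max Certainty",
    "file_filter": ["*.exe"],
    "notifications": {"admin": True},
}
NEW_TEMPLATE = {
    "bias": "Max Performance",          # the accidental change
    "file_filter": ["*.exe", "*.com"],  # the intended change
    "notifications": {"admin": True},
}


def partial_update_scenario():
    """Package selecting only file filtering: the scan job keeps the old bias,
    the template carries the new one, and a later template load flips it.
    Returns (drifted groups, bias after the package, bias after a reload)."""
    server = ForefrontServer("HUB01", ORIGINAL)
    distribute_package(server, NEW_TEMPLATE, ["file_filter"])
    drifted = drift(server)
    bias_after_package = server.scan_job["bias"]
    load_default_template(server)
    return drifted, bias_after_package, server.scan_job["bias"]


def full_update_scenario():
    """The recommended approach: distribute a template carrying every setting
    you want, so template and scan job cannot disagree. Reviewing the template
    before distributing it is still on you; the accidental bias goes live here."""
    server = ForefrontServer("HUB01", ORIGINAL)
    distribute_package(server, NEW_TEMPLATE, list(SETTING_GROUPS))
    return drift(server)


if __name__ == "__main__":
    print(partial_update_scenario())  # (['bias'], 'Max Certainty', 'Max Performance')
    print(full_update_scenario())     # []
```

Running drift() after every distribution, against each server's template.fdb and live settings, is the check that turns the post's "not easy to identify" into a reportable condition.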

I was working with a customer the other day and found there really is not much information on how to set up an environment where one of the ISA servers is also a Configuration Storage Server (CSS).  The setup allows you to set up the ISA server with the CSS on the same server but leaves a couple of critical steps out of the process.  This problem really does not show up until you try to add a second ISA server to the array.  This problem occurs when the ISA servers are set up in a workgroup and are not members of a domain.

So what is missing from the process?  First, you need to install a certificate on the CSS server to allow other ISA servers to connect.  Second, set up intra-array credentials for the second ISA server.

Below are directions for completing this process.  The assumption here is that you have already set up an ISA server with the CSS.

Complete the following steps on the ISA server with the CSS service.

  • Change the security mode of CSS from Windows Authentication to “Authenticate over SSL encrypted channel”.  This configuration is available when you right click on the array name, select Properties and then select the “Configuration Storage” tab.
  • Next you will need to create a certificate for this CSS server.  First create a rule from the local network to the internal network to allow web traffic to connect to the CA server.  You will need to create a “Server Authentication Certificate” for the computer account.  Also mark the keys as exportable; later we will need to export the keys so we can import them into the CSS for authentication.  Once you have created the certificate, install it.
  • Using the Certificates MMC snap-in, export the keys to a file named ISA.PFX or something easy to remember.
  • Now that the certificate has been created, installed and exported, you need to import the keys into the CSS.  To do this you will need to download the ISACertTool and use it to install the certificate.  You can download the tool at http://www.microsoft.com/downloads/details.aspx?familyid=F8F60164-C5A5-4716-9FF4-2D56C86506C3&displaylang=en.  Read through the ISACertTool readme file for instructions on how to use this tool and install the certificate.
  • Now you will need to specify the Intra-Array credentials.
    • In the ISA Server 2006 Management Console, expand Arrays in the left pane, and then right-click the array you created earlier.
    • Select Properties, and then click the Intra-Array Credentials tab.
    • Select the Authenticate using this account (for workgroup configuration only).
    • Click Set Account and enter the Administrator account and password for the mirrored Administrator accounts on the firewall computers.
    • Click OK to close the Properties dialog box.
    • Click Apply in the upper pane of the Management Console to apply the changes.
  • As a final step, add the second ISA server to the Array Members group in the ISA console.

Here are the steps for setting up the ISA array members to connect to the CSS.

  • On the second ISA server, go to the CA and save the Root Certificate to a file so that it can be used during install to allow the second ISA server to communicate with the CSS service.
  • During the install process, follow the directions below for connecting to the CSS:
    • On the Locate Configuration Storage Server page, specify the CSS server. On this page, you will have to provide the credentials of an enterprise or array administrator, in order to connect to the Configuration Storage server. Select Connect using this account, enter the account specified above, specify the correct password, and then click Next.
    • On the Array Membership page, select Join an Existing Array, and then click Next.
    • On the Join an Existing Array page, click Browse to open the Arrays to join dialog box, and then select the array from the list. Click Next.
    • On the Configuration Storage Server Authentication Options page, select Authentication over SSL encrypted channel.
    • Select Install a trusted Root CA certificate, then browse to the location of the root certificate which you copied locally in the previous procedure.

Researchers Raise Alarm Over New Iteration of Coreflood Botnet - Desktop Security News Analysis - Dark Reading.

This recent article from the Dark Reading web site talks about the Coreflood Trojan horse virus, which steals passwords.  The major concern with this virus is its ability to steal accounts and passwords from the infected machine and transfer those accounts to the hackers.  While signature based virus detection programs can detect and remove the virus, it is too late since the program has done its damage.  The prediction is that this botnet will become a favorite among hackers to steal passwords and then use those passwords to carry out attacks on enterprises.  The problem I have in mind is how to protect against such an attack.  The first is pretty much common sense, which is to always have AV protection and the latest signature file.  We will not go into this area since this is pretty much common practice.  The second area, and perhaps more difficult to address, is to have a process for bringing new systems into the environment.

So here is the problem.  You image a new system with an image that was created a couple of months ago.  The image has A/V protection but the signature file is a couple of months old.  The system imaging goes fine but shortly after the initial boot on the network, the system gets attacked by a virus.  The problem here is that the system does not have a current signature file and the virus was not caught by the heuristics technology built into most A/V products.  Now you are stuck with how to clean the system.  So how do you avoid this type of problem in the first place?  I have defined three ways to avoid this potential problem.  These are changes to the imaging process, using a safe network, and Network Access Protection (NAP).

First, let's start off with a solution that could be implemented pretty easily today and does help reduce the exposure time.  As part of the imaging process, add a step that downloads the latest signature file from a known location.  One way to implement this is simply to have a script that kicks off the signature update process with the A/V client.  To do this the client will need access to the network, which still leaves it open to attacks.  Another way to implement this process is to store the latest signature file on a USB device so the signature can be updated before the client attaches to the network.  By using either of these two methods, you will either reduce or eliminate the exposure time on the network.

Another way to attack this problem is to build a safe network.  A safe network is a network that has a limited number of clients with no Internet or corpnet connectivity.  The client is built on this safe network and the signature file is updated before the client is allowed to connect to the corpnet.  This may require a change in your build process, especially if re-imaging is part of the problem resolution process.  In this case, the end user may have to bring his system to a help desk location with a safe network connection.

The third way to address this problem is to leverage NAP and quarantine the client to a restricted network until the signature file is updated.  You will need to use a NAP implementation that uses the network devices and not a simple DHCP solution.  You will want a separate network to protect the client.  In the quarantine environment, you provide all the necessary systems to build a system and update the system with the latest signature files and security updates. 
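One way to express the quarantine decision behind the NAP approach (and the gate behind the other two) as a health policy, as an added example rather than anything from the post or from Microsoft's NAP: the client is evaluated, kept on a restricted network while it still needs remediation, and admitted once a re-check passes. The record fields, the three-day signature age threshold and the update names are assumptions, and the client records are constructed.

```python
"""Health check that gates a freshly imaged client: keep it on a restricted
network until its A/V signature file and security updates are current, then
admit it to the corpnet. Added example, not Microsoft NAP code and not the
post's own script; the record fields, the three-day threshold and the update
names are assumptions, and the client records below are constructed.
"""
from datetime import date, timedelta

MAX_SIGNATURE_AGE = timedelta(days=3)  # assumed policy threshold
CORPNET = "corpnet"
QUARANTINE = "quarantine"


def evaluate(client, today, max_age=MAX_SIGNATURE_AGE):
    """Return (network, remediation steps). Any required step means the
    client stays in quarantine."""
    steps = []
    if not client.get("av_installed"):
        steps.append("install A/V client")
        steps.append("update signature file")
    else:
        sig_date = client.get("signature_date")
        if sig_date is None or today - sig_date > max_age:
            steps.append("update signature file")
    if client.get("missing_updates"):
        steps.append("install security updates")
    return (QUARANTINE if steps else CORPNET), steps


def remediate(client, today, steps):
    """Apply the steps inside the restricted network, which (by assumption)
    hosts the current signature file and the security updates."""
    fixed = dict(client)
    for step in steps:
        if step == "install A/V client":
            fixed["av_installed"] = True
        elif step == "update signature file":
            fixed["signature_date"] = today
        elif step == "install security updates":
            fixed["missing_updates"] = []
    return fixed


def admit(client, today):
    """Evaluate, remediate in quarantine if needed, and re-evaluate.
    Returns (final network, history of (network, steps) decisions)."""
    history = []
    network, steps = evaluate(client, today)
    history.append((network, steps))
    if network == QUARANTINE:
        client = remediate(client, today, steps)
        network, steps = evaluate(client, today)
        history.append((network, steps))
    return network, history


# Constructed client records: an image built two months ago, a current
# client, and one with no A/V client at all.
TODAY = date(2008, 8, 1)
CLIENTS = {
    "fresh-image": {"av_installed": True, "signature_date": date(2008, 6, 1),
                    "missing_updates": ["update-A", "update-B"]},
    "current": {"av_installed": True, "signature_date": date(2008, 7, 31),
                "missing_updates": []},
    "no-av": {"av_installed": False, "signature_date": None,
              "missing_updates": []},
}

if __name__ == "__main__":
    for name, record in CLIENTS.items():
        network, history = admit(record, TODAY)
        print(f"{name}: {history[0][0]} -> {network}; steps: {history[0][1]}")
```

The re-evaluation after remediation is the important part: the client is admitted because a second check passed, not because the remediation script reported success.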

Using one of these three ways (and there are probably others) you can start with a clean, protected system and reduce the number of infections due to unprotected systems.  Carefully look at your build process and identify ways to reduce the exposure time to attacks.

Over the weekend I attended a minor league baseball game and immediately noticed the different level of security.  Instead of the usual metal detectors and the deep scan of bags when entering a major league stadium, the security was much less intrusive and made the entry into the field much more pleasant.  That got me thinking about how we apply security to our IT assets.

The key to securing assets is applying the right level of security based on the value and needs of the asset.  Using the example of a baseball game, the value of the assets at a major league game, which includes both the players and those in attendance, is much higher than the value of those assets at a minor league game.  This is not to say the people and players at a minor league game are not important or just as valuable.  But in the eyes of an attacker, attacking a major league game is much more valuable than attacking a minor league game.  For IT assets, one can apply the same principle.  When looking at protecting assets, consider both internal factors and external factors.  I have found that a lot of security people just focus on the internal factors to determine the value of IT assets.  This can lead to an inflated value of the asset and spending too much on security.  Remember, when determining the value of an asset, it is not so much the value the company places on the asset but the value to a would-be attacker.  For instance, hackers are much more inclined to attack Microsoft than a small family owned company.  To hackers, Microsoft is a more valuable target than a small family owned company.

The point here is to spend what you need to protect your IT assets but try to avoid overspending.  Spending more on IT security than you need is not going to provide you with any benefit.  That money is better spent on profit making opportunities.

I recently read an article on the Dark Reading web site that talked about the loss of laptops in airports.  According to the report, approximately 12,000 laptops a year are lost in airports.  This represents a significant loss of not only hardware but also information.  Considering that most people who travel for business are customer facing individuals for their company, they store an array of information on their laptops which could range from customer sales information to sensitive legal documents.  The loss of this information can have a significant impact on the organization.  There are a number of well documented cases of medical records, military records and credit card data being extracted from stolen laptops.  I have three recommendations to minimize the impact of laptop loss.

First is to use encryption.  While having a password may seem adequate protection against someone trying to access the data, it is pretty easy to get around this password protection.  You simply remove the hard drive from the system and connect it to another system as a drive.  From there it is a simple matter of accessing the files on the drive.  Windows 2000 and above operating systems provide some level of encryption.  Using this encryption will provide some level of deterrence against someone trying to pull data from your hard drive.  In Windows 2000 and Windows XP you can use EFS to encrypt a file or directory.  Using this technology, if a thief attempts to open your encrypted file they will not have the ability to read the contents.  One caution here is that given enough time and resources, a thief could break the encryption.  Windows Vista kicks it up a notch when it comes to drive protection.  Using BitLocker Drive Encryption, you can encrypt the entire drive, making it very difficult to extract information from the drive.  Before using any of these technologies, read the documentation and do some planning.  There is nothing like losing the keys to your own data.

Second is to back up your data.  One side of losing your laptop is who may see your data, but the other side is you won't have your data any more.  Backup is the best defense against losing your data.  For travelers, backing your data up to a file share or collaboration application may not be the best strategy, depending on the connectivity back to corporate.  Using small USB or flash drives is a cheap way to back up your critical data in case of laptop loss.  Windows 2000 and above do have a backup tool that makes it easy to back up data to a USB/flash drive.  Or you can simply use the good old fashioned copy method.  Just make sure you keep your drive in a separate location such as your checked or carry on luggage.  If someone steals your laptop bag, then the backup is worthless.
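As an added example of the "copy method" with a check that the copy is actually usable (not the post's own procedure and not the Windows backup tool): copy the critical document types to the removable drive and record a SHA-256 manifest, then verify the copy against the manifest. The suffix list, manifest format and paths are assumptions; demo() builds a constructed sample tree in a temporary directory so it runs anywhere.

```python
"""Back up critical files to a removable drive with a SHA-256 manifest, then
verify the copy. Added example, not the post's own procedure and not the
Windows backup tool: the suffix list, manifest format and paths are
assumptions, and demo() builds a constructed sample tree in a temporary
directory so the whole thing runs offline.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "backup-manifest.json"
CRITICAL_SUFFIXES = (".doc", ".xls", ".pdf", ".txt")  # assumed selection


def sha256_of(path):
    """Hash a file in chunks so large documents need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def backup(source, destination, suffixes=CRITICAL_SUFFIXES):
    """Copy matching files from source to destination, keeping the relative
    layout, and write a manifest of their hashes. Returns the manifest."""
    source, destination = Path(source), Path(destination)
    destination.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for path in sorted(source.rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            rel = path.relative_to(source).as_posix()
            target = destination / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(path, target)
            manifest[rel] = sha256_of(target)  # hash the copy, not the original
    (destination / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify(destination):
    """Re-hash every file named in the manifest; return the relative paths
    that are missing or altered. An empty list means the backup is intact."""
    destination = Path(destination)
    manifest = json.loads((destination / MANIFEST_NAME).read_text())
    return [rel for rel, digest in manifest.items()
            if not (destination / rel).is_file() or sha256_of(destination / rel) != digest]


def demo():
    """Constructed run: build a small tree, back it up, verify, then show that
    an altered file is caught. Returns (backed-up paths, first check, second check)."""
    root = Path(tempfile.mkdtemp())
    source, usb = root / "laptop", root / "usb"
    (source / "sales").mkdir(parents=True)
    (source / "sales" / "q3-forecast.xls").write_bytes(b"constructed spreadsheet")
    (source / "contract.txt").write_text("constructed legal document")
    (source / "setup.exe").write_bytes(b"not critical data, skipped by suffix")
    manifest = backup(source, usb)
    clean = verify(usb)
    (usb / "contract.txt").write_text("altered after the backup")
    altered = verify(usb)
    shutil.rmtree(root)
    return sorted(manifest), clean, altered


if __name__ == "__main__":
    print(demo())  # (['contract.txt', 'sales/q3-forecast.xls'], [], ['contract.txt'])
```

Hashing the copy rather than the source means verify() reports exactly what is on the drive you would restore from; run it before you leave, not after the laptop is gone.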

Third, use a laptop security cable.  Hotels and other areas are prime targets for laptop theft.  Using a security cable will help deter some thieves from stealing the laptop.  In an airport scenario, locking your laptop to those very comfortable airport chairs may not be the best decision when that boarding announcement comes, but you could do it.  Here is my unique solution to using a laptop security cable in an airport situation.  Take one end of the cable, loop it around a belt loop on your pants and lock the other end to the laptop.  That way when you jump up to be the first in line when the announcement is made, you won't leave without your laptop because it will be attached to you.  (Writer assumes no responsibility for loss of pants or exposing your underwear.)  I'm predicting this solution will reduce the number of lost laptops at airports.

Laptop loss is a major pain in the tail end and could be an embarrassment to you and your company.  By taking the right precautions, you can minimize the impact of losing your laptop by encrypting critical data and backing it up.

In talking security with various organizations, I often find varying opinions and methods of securing the environment.  One thing that does come across in a number of discussions is how security is viewed.  Often security is viewed as a necessary evil that IT people avoid or ignore in the deployment of IT systems.  IT people outside the security organization often do not involve security because of the fear of security stopping a project because of a security issue.  This thinking is often brought on by the security organization themselves.  The security organization views itself simply as an approving/disapproving organization.  If a project does not meet certain published or in some cases unpublished standards, the project is blocked and is sent back to the drawing board.  This is a poor way of running security as it builds resistance between the groups and delays projects.

My view of security has always been one of security as an enabler, which I developed in my years in the military.  The "Start Now" title of my blog is how I feel security should be involved in a project.  Security should be a core part of the project from inception and every team member needs to take responsibility for developing/deploying a secure system.  By involving security from the start, the security team better understands the project and has input into the overall development rather than being a simple barrier to pass.  Systems deployed with this type of security involvement are much more secure by the simple fact that the system is designed as a secure system and not "patched up" at the end to pass the security "test".

Now that you understand my view of security, my blogs will focus around how to securely build and deploy systems.
