<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.technet.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Roger's Security Blog : Microsoft Products</title><link>http://blogs.technet.com/rhalbheer/archive/tags/Microsoft+Products/default.aspx</link><description>Tags: Microsoft Products</description><dc:language>en-US</dc:language><generator>CommunityServer 2.1 SP1 (Build: 61025.2)</generator><item><title>Summary of Bitlocker Discussions</title><link>http://blogs.technet.com/rhalbheer/archive/2009/12/11/summary-of-bitlocker-discussions.aspx</link><pubDate>Fri, 11 Dec 2009 09:54:36 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3299828</guid><dc:creator>rhalbh</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3299828.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3299828</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3299828</wfw:comment><description>&lt;p&gt;Last week there was quite some discussion about “successful attacks” on Bitlocker. Those discussions are often quite interesting for me as they show sometimes that people are looking for one technical solution for all the problems. &lt;/p&gt;  &lt;p&gt;Bitlocker has a clear threat model it wants to protect you from. This is mainly the loss of your computer. If it is running and the attacker is admin – well Bitlocker cannot protect you. To quote a blog post of our Windows Security Team: &lt;em&gt;Our discussions of Windows BitLocker have always been to communicate that it &lt;b&gt;is intended to help protect data at rest&lt;/b&gt; (e.g. 
when the machine is powered off).&lt;/em&gt;&lt;/p&gt;  &lt;p&gt;So, if you want to read the whole post, it is definitely worth it: &lt;a href="http://windowsteamblog.com/blogs/windowssecurity/archive/2009/12/07/windows-bitlocker-claims.aspx" target="_blank"&gt;Windows BitLocker Claims&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3299828" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft+Products/default.aspx">Microsoft Products</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Incidents/default.aspx">Incidents</category></item><item><title>The New Bing Maps – Freaking Cool!!!</title><link>http://blogs.technet.com/rhalbheer/archive/2009/12/02/the-new-bing-maps-freaking-cool.aspx</link><pubDate>Wed, 02 Dec 2009 19:58:52 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3297881</guid><dc:creator>rhalbh</dc:creator><slash:comments>2</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3297881.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3297881</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3297881</wfw:comment><description>&lt;p&gt;It has nothing to do with security – I know but it is very, very, very cool!!!!&lt;/p&gt;  &lt;p&gt;We just released the &lt;a href="http://www.bing.com/maps/explore/" target="_blank"&gt;new Bing Maps explorer&lt;/a&gt;! The first thing you will see is that we integrated &lt;a href="http://photosynth.net/" target="_blank"&gt;Photosynth&lt;/a&gt; and &lt;a href="www.microsoft.com/silverlight" target="_blank"&gt;Silverlight&lt;/a&gt;. So, no tiles anymore when loading a map. It just comes smoothly. And zooming in to photos is not possible as well – it rocks. 
But that’s just the start. &lt;/p&gt;  &lt;p&gt;Remember the days, where you tried to understand which map version (Road, Aerial, Bird’s View) just fits best based on the data which is available? Well, when you are living outside the US, you will know what I am talking of… This time is definitely&amp;#160; over. Bing Maps takes automatically care of this “problem” and it really works:&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.technet.com/photos/rhalbheer_gallery/images/3297832/original.aspx" target="_blank"&gt;&lt;img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="500x335[1]" border="0" alt="500x335[1]" src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/TheNewBingMapsFreakingCool_FAA8/500x335%5B1%5D_1.png" width="500" height="335" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;That’s the maps. But there is a cool API you can use to build integrated applications with Bing Maps. 
These are the ones for the Redmond Campus location:&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.technet.com/photos/rhalbheer_gallery/images/3297836/original.aspx" target="_blank"&gt;&lt;img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="500x340[1]" border="0" alt="500x340[1]" src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/TheNewBingMapsFreakingCool_FAA8/500x340%5B1%5D_1.png" width="500" height="340" /&gt;&lt;/a&gt; So, using the Current Traffic now brings me to the well-known traffic map (in Silverlight – of course):&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.technet.com/photos/rhalbheer_gallery/images/3297840/original.aspx" target="_blank"&gt;&lt;img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="500x334[1]" border="0" alt="500x334[1]" src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/TheNewBingMapsFreakingCool_FAA8/500x334%5B1%5D_1.png" width="500" height="334" /&gt;&lt;/a&gt; And now you know the feeling. All these things work great – if you are in the US… But as soon as you are outside, the data is missing – wrong again. Let’s take the &lt;em&gt;Today’s front pages&lt;/em&gt; as an example. 
I have been in Zagreb last week, so let’s see what we find there:&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.technet.com/photos/rhalbheer_gallery/images/3297841/original.aspx" target="_blank"&gt;&lt;img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="500x368[1]" border="0" alt="500x368[1]" src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/TheNewBingMapsFreakingCool_FAA8/500x368%5B1%5D_1.png" width="500" height="368" /&gt;&lt;/a&gt; The front page of a local newspaper. And as this is an extensible platform, there is nothing which prohibits you from writing an additional add-in. &lt;/p&gt;  &lt;p&gt;BTW: Did I tell you already that I think this new Bing Maps is really, really cool?&lt;/p&gt;  &lt;p&gt;Roger &lt;/p&gt;&lt;div class="wlWriterHeaderFooter" style="text-align:right; margin:0px; padding:4px 0px 4px 0px;"&gt;&lt;a href="http://digg.com/submit?url=http%3a%2f%2fblogs.technet.com%2frhalbheer%2farchive%2f2009%2f12%2f02%2fthe-new-bing-maps-freaking-cool.aspx&amp;amp;title=The+New+Bing+Maps+%e2%80%93+Freaking+Cool!!!"&gt;&lt;img src="http://digg.com/img/badges/100x20-digg-button.png" width="100" height="20" alt="Digg This" title="Digg This" border="0" style="border: 0" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3297881" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Fun/default.aspx">Fun</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft+Products/default.aspx">Microsoft Products</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft/default.aspx">Microsoft</category></item><item><title>“Black Screen of Death” Reports</title><link>http://blogs.technet.com/rhalbheer/archive/2009/12/01/black-screen-of-death-reports.aspx</link><pubDate>Tue, 01 Dec 2009 
20:16:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3297651</guid><dc:creator>rhalbh</dc:creator><slash:comments>3</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3297651.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3297651</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3297651</wfw:comment><description>&lt;P&gt;Oh, wow – sometimes the power of social media, the blogs and the Internet can backfire. I guess in the meantime you have seen the claims by Prevx that approx. 80 Mio of PCs are affected by the &lt;EM&gt;Black Screen of Death&lt;/EM&gt; problems supposedly caused by our November Security Updates. This caused (and still causes) a huge wave of reports about that and one could feel that there is a really big problem out there. On one of the blogs you see a collection of the articles about that: &lt;A href="http://msmvps.com/blogs/donna/archive/2009/12/01/latest-microsoft-patches-cause-black-screen-of-death-microsoft-looking-into-windows-black-screen-of-death-problem.aspx" target=_blank mce_href="http://msmvps.com/blogs/donna/archive/2009/12/01/latest-microsoft-patches-cause-black-screen-of-death-microsoft-looking-into-windows-black-screen-of-death-problem.aspx"&gt;Latest Microsoft patches cause black screen of death, Microsoft looking into Windows 'black screen of death' problem&lt;/A&gt;. &lt;/P&gt;
&lt;P&gt;Now, there are different worries for me: One is that the post by Prevx as well as the title of the above mentioned blog post state it as a fact that our Security Updates caused that. Additionally Prevx makes a statement about the supposed size of the problem – this statement is approximately as good a guess as you could do by taking any random number between 1 and 480’000’000 (the approx. hitrate on Microsoft Update). And finally – and this is the biggest concern to me – customers are now holding back the deployment of our Security Update because of this.&lt;/P&gt;
&lt;P&gt;So, let’s get it straight: We have been looking into this problem (obviously). You can find the official statement quoted in the SeattlePI:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Microsoft is investigating reports that its latest release of security updates is resulting in system issues for some customers. &lt;/LI&gt;
&lt;LI&gt;Based on our investigation so far we can say that we're not seeing this as an issue from our support organization. &lt;/LI&gt;
&lt;LI&gt;The issues as described also do not match any known issues that have been documented in the security bulletins or KB articles. &lt;/LI&gt;
&lt;LI&gt;As always, we encourage customers to review the security bulletin and related KB articles and test and deploy security updates. &lt;/LI&gt;
&lt;LI&gt;If customers do encounter an issue with security updates, we encourage them to contact our Customer Service and Support group for no-charge assistance. Customers can contact CSS using the information at &lt;A href="http://support.microsoft.com/security" mce_href="http://support.microsoft.com/security"&gt;http://support.microsoft.com/security&lt;/A&gt;. &lt;/LI&gt;&lt;/UL&gt;
&lt;P&gt;To add some additional meat to this: Up to now, we have no evidence at all to validate the concerns. Currently we do not have any support volumes to either support the claims or validate the presence of a growing concern. Additionally, our investigation has shown no evidence at all that our security updates, the Malicious Software Removal Tool or the non-security updates make the changes as claimed by the Prevx reports.&lt;/P&gt;
&lt;P&gt;Looking at that, you should now make your risk assessment and decide which source you want to trust. For me, the ultimate source for information you should build your assessment on is neither Twitter nor your brother’s sister in law’s father's brother (unless he works for Microsoft’s security) but our website.&lt;/P&gt;
&lt;P&gt;UPDATED WITH MSRC BLOG POST: &lt;A href="http://blogs.technet.com/msrc/archive/2009/12/01/reports-of-issues-with-november-security-updates.aspx"&gt;http://blogs.technet.com/msrc/archive/2009/12/01/reports-of-issues-with-november-security-updates.aspx&lt;/A&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Roger&lt;/P&gt;
</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft+Products/default.aspx">Microsoft Products</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Incidents/default.aspx">Incidents</category></item><item><title>Talking about Transparency – Windows Azure Dashboard</title><link>http://blogs.technet.com/rhalbheer/archive/2009/11/20/talking-about-transparency-windows-azure-dashboard.aspx</link><pubDate>Fri, 20 Nov 2009 08:21:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3295279</guid><dc:creator>rhalbh</dc:creator><slash:comments>2</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3295279.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3295279</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3295279</wfw:comment><description>&lt;p&gt;This is a nice feature – on this page &lt;a 
title="http://www.microsoft.com/windowsazure/support/status/servicedashboard.aspx" href="http://www.microsoft.com/windowsazure/support/status/servicedashboard.aspx"&gt;http://www.microsoft.com/windowsazure/support/status/servicedashboard.aspx&lt;/a&gt; we show the current state of our Azure services. This is the kind of transparency (on the operations’ side) we need. There is much more needed with regards to process transparency but this is a great first step&lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft+Products/default.aspx">Microsoft Products</category></item><item><title>Security Compliance Management Toolkit Series for IE 8 and Windows 7</title><link>http://blogs.technet.com/rhalbheer/archive/2009/10/30/security-compliance-management-toolkit-series-for-ie-8-and-windows-7.aspx</link><pubDate>Fri, 30 Oct 2009 16:09:53 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3290419</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3290419.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3290419</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3290419</wfw:comment><description>&lt;p&gt;Just a brief one: the 
Security Compliance Management Toolkit Series has been updated to incorporate Internet Explorer 8 and Windows 7. So, to help you to manage security and compliance in your environment, you should have a look at it: &lt;a title="http://technet.microsoft.com/en-us/solutionaccelerators/cc835245.aspx" href="http://technet.microsoft.com/en-us/solutionaccelerators/cc835245.aspx"&gt;http://technet.microsoft.com/en-us/solutionaccelerators/cc835245.aspx&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft+Products/default.aspx">Microsoft Products</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft/default.aspx">Microsoft</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Processes/default.aspx">Processes</category></item><item><title>Secure Datacenter, Secure Cloud, Secure Government</title><link>http://blogs.technet.com/rhalbheer/archive/2009/10/28/secure-datacenter-secure-cloud-secure-government.aspx</link><pubDate>Wed, 28 Oct 2009 07:06:00 GMT</pubDate><guid 
isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3289721</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3289721.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3289721</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3289721</wfw:comment><description>&lt;P&gt;At the moment I invest a lot of my time in a Whitepaper on Client and Cloud Security. There are a few fundamentals, which are already clear to me:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;You will not be able to run a trusted cloud ecosystem without a trusted client and trusted interactions. So, the End to End Trust model is needed in the cloud as well.&lt;/LI&gt;
&lt;LI&gt;A strong, federated identity metasystem is at the base of any cloud security.&lt;/LI&gt;
&lt;LI&gt;Process transparency is an absolute need if you move to the cloud. If the provider tells you “you should not care about that, we take care of your security” – walk away from the deal.&lt;/LI&gt;&lt;/UL&gt;
&lt;P&gt;This morning I read a blog post by Theresa Carlson. She is a Vice President in the Public Sector at Microsoft US and blogged about &lt;A href="http://blogs.msdn.com/uspublicsector/archive/2009/10/14/secure-the-datacenter-secure-the-cloud.aspx" target=_blank mce_href="http://blogs.msdn.com/uspublicsector/archive/2009/10/14/secure-the-datacenter-secure-the-cloud.aspx"&gt;Secure the Datacenter, Secure the Cloud&lt;/A&gt;. She raises the issue of process transparency as well, and it is a post which is definitely worth reading.&lt;/P&gt;
&lt;P&gt;Roger&lt;/P&gt;
</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft+Products/default.aspx">Microsoft Products</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Cloud+Computing/default.aspx">Cloud Computing</category></item><item><title>COFEE now distributed via a NW3C as well</title><link>http://blogs.technet.com/rhalbheer/archive/2009/10/16/cofee-now-distributed-via-a-nw3c-as-well.aspx</link><pubDate>Fri, 16 Oct 2009 09:15:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3287248</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3287248.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3287248</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3287248</wfw:comment><description>&lt;P&gt;COFEE is a tool available to Law Enforcement only to capture 
online evidence with as little training as possible. The idea behind the tool is that there is little need for highly trained staff to be available during e.g. house searches and that a normal, much less trained officer can capture all the data. Until today, Interpol was the only channel for distribution. Now, &lt;A href="http://www.microsoft.com/Presspass/press/2009/oct09/10-13COFEEPR.mspx" target=_blank mce_href="http://www.microsoft.com/Presspass/press/2009/oct09/10-13COFEEPR.mspx"&gt;the US National White Collar Crime Center is the second organization able to distribute it&lt;/A&gt;.&lt;/P&gt;
&lt;P&gt;If you are a Law Enforcement Agency/Officer and want access to the tool, you may contact Interpol or NW3C.&lt;/P&gt;
&lt;P&gt;Roger&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3287248" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Cybercrime/default.aspx">Cybercrime</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft+Products/default.aspx">Microsoft Products</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Law+Enforcement/default.aspx">Law Enforcement</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft/default.aspx">Microsoft</category></item><item><title>SharePoint External Collaboration Toolkit moved to Codeplex</title><link>http://blogs.technet.com/rhalbheer/archive/2009/10/14/sharepoint-external-collaboration-toolkit-moved-to-codeplex.aspx</link><pubDate>Wed, 14 Oct 2009 11:20:59 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3286762</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3286762.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3286762</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3286762</wfw:comment><description>&lt;p&gt;Quite a while ago I blogged about the SharePoint External Collaboration Toolkit. 
I just wanted to make you aware that this toolkit has now moved to Codeplex and can be found here: &lt;a title="http://cks.codeplex.com/" href="http://cks.codeplex.com/"&gt;http://cks.codeplex.com/&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3286762" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft+Products/default.aspx">Microsoft Products</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft/default.aspx">Microsoft</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/OpenSource/default.aspx">OpenSource</category></item><item><title>Microsoft Security Essentials – Ready to download</title><link>http://blogs.technet.com/rhalbheer/archive/2009/09/29/microsoft-security-essentials-ready-to-download.aspx</link><pubDate>Tue, 29 Sep 2009 19:20:03 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3283849</guid><dc:creator>rhalbh</dc:creator><slash:comments>2</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3283849.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3283849</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3283849</wfw:comment><description>&lt;p&gt;Why pay for an Anti-Malware solution if you can get one of the best solutions in the world for free – go and download it! It is there: &lt;a title="http://www.microsoft.com/security_essentials/" href="http://www.microsoft.com/security_essentials/"&gt;http://www.microsoft.com/security_essentials/&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;And now, the disclaimer: It runs only on genuine Windows!&lt;/p&gt;  &lt;p&gt;Have fun, enjoy. I have been running it for quite a while with my friends and families and they all love it as they do not see and feel it at all – unless something bad happens. 
It is great!&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3283849" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft+Products/default.aspx">Microsoft Products</category></item><item><title>Moving to the Cloud: Where it worked and where I was challenged</title><link>http://blogs.technet.com/rhalbheer/archive/2009/09/21/moving-to-the-cloud-where-it-worked-and-where-i-was-challenged.aspx</link><pubDate>Mon, 21 Sep 2009 10:46:09 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3282223</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3282223.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3282223</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3282223</wfw:comment><description>&lt;p&gt;I am running a whole environment at home to experience our technology. However, up to now it was all “on premise”, no Cloud integration. This has to change. Therefore I was more than happy to join our internal&amp;#160; Hosted Exchange 14 beta program. We are offering the hosted Exchange program to Live@Edu – but we can use it for Friends and Families as well – which I wanted to do. There were a few requirements I had:&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;As I am hosting (or better: was hosting) quite some mailboxes for my family ending on @halbheer.ch and @halbheer.info, I needed a migration which is smooth and easy and gives me the possibility to move back on premise, whenever I feel like it &lt;/li&gt;    &lt;li&gt;Due to historical reasons, I am hosting two domains for one mailbox. 
So, &lt;a href="mailto:roger@halbheer.ch"&gt;roger@halbheer.ch&lt;/a&gt; and &lt;a href="mailto:roger@halbheer.info"&gt;roger@halbheer.info&lt;/a&gt; – that’s just me &lt;/li&gt;    &lt;li&gt;I want to have Outlook 2007 and Outlook 2010 Technical Preview as the client &lt;/li&gt;    &lt;li&gt;My users are real end-users, so I do not want to have any impact on them (well I have but that’s something for later) &lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;This was my starting point. I then looked at outlook.com. The information about outlook.com is on &lt;a href="http://help.outlook.com" target="_blank"&gt;help.outlook.com&lt;/a&gt;. After studying the website (yes, I read the manual) I decided to go for it - and started this Friday.&lt;/p&gt;  &lt;p&gt;The migration by itself was basically straight-forward:&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;Signing up for the service for halbheer.ch &lt;/li&gt;    &lt;li&gt;Adding the mailboxes, which are needed (this can be automated via scripts – samples are included on the help-site) &lt;/li&gt;    &lt;li&gt;Adding a few DNS records (e.g. SRV, autodiscovery) &lt;/li&gt;    &lt;li&gt;Changing all the DNS records (MX, SPF) &lt;/li&gt;    &lt;li&gt;Confirming the setup and making sure it is active &lt;/li&gt;    &lt;li&gt;Signing up for the service for halbheer.info (as a secondary domain) &lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;The admin website just looks like this:&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.technet.com/photos/rhalbheer_gallery/images/3280649/original.aspx" target="_blank"&gt;&lt;img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="500x315[1]" border="0" alt="500x315[1]" src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/MovingtotheCloudMyfirstexperiences_13919/500x315%5B1%5D_1.png" width="500" height="315" /&gt;&lt;/a&gt; So, it is easy to do and straight-forward. 
You can even have a joint address book with external people you want to have in your organization.&lt;/p&gt;  &lt;p&gt;It was time to get ready for the first Outlook client. As the environment requests – well, even requires – autodiscovery, this is only a matter of setting the DNS-servers right. The reason why autodiscovery is required is simple: When our Exchange Online people decide to move our mailboxes to a different server, Outlook shall automatically change the configuration. After a few hiccups, this simply worked. Take Outlook, add an account, use your e-mail address and the password and the rest is done by Outlook.&lt;/p&gt;  &lt;p&gt;And that was it! I was pretty much impressed – it took me a little bit more than an hour and then I switched off my Exchange server. This sounds too good to be true – well, it is not that easy…&lt;/p&gt;  &lt;p&gt;Let’s briefly look into a few considerations when doing something like this:&lt;/p&gt;  &lt;p&gt;Basically, there are different levels of cloud services. 
Christofer Hoff, Cisco made a good distinction based on the OSI model:    &lt;br /&gt;&lt;a href="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/MovingtotheCloudMyfirstexperiences_13919/cloudtaxonomyontology_v15%5B1%5D_2.jpg" target="_blank"&gt;&lt;img style="border-bottom: 0px; border-left: 0px; display: block; float: none; margin-left: auto; border-top: 0px; margin-right: auto; border-right: 0px" title="cloudtaxonomyontology_v15[1]" border="0" alt="cloudtaxonomyontology_v15[1]" src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/MovingtotheCloudMyfirstexperiences_13919/cloudtaxonomyontology_v15%5B1%5D_thumb.jpg" width="500" height="421" /&gt;&lt;/a&gt; and then he maps it to the security controls:&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/MovingtotheCloudMyfirstexperiences_13919/frogs-cc_sc0621%5B1%5D_2.jpg" target="_blank"&gt;&lt;img style="border-bottom: 0px; border-left: 0px; display: block; float: none; margin-left: auto; border-top: 0px; margin-right: auto; border-right: 0px" title="frogs-cc_sc0621[1]" border="0" alt="frogs-cc_sc0621[1]" src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/MovingtotheCloudMyfirstexperiences_13919/frogs-cc_sc0621%5B1%5D_thumb.jpg" width="500" height="375" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;Clearly I use Software as a Service in this model. I move my whole mail-system to the cloud. Therefore I have to address a few questions:&lt;/p&gt;  &lt;p&gt;&lt;strong&gt;Compliance, Policy Enforcement and Risk Mitigation&lt;/strong&gt;: This is not a big deal in my case – however, it might be one for you. I am using here a free, beta service. There are some policy options you can enforce in this given service through Powershell. However, if you enter a deal to outsource a service, make sure you understand how you can ensure policy compliance. 
From a risk perspective, I significantly reduced the risks with regards to availability – which was my goal. I actually transferred it.&lt;/p&gt;  &lt;p&gt;&lt;strong&gt;Data Security and Control&lt;/strong&gt;: From my point of view, this is probably the “easiest” of all challenges for an e-mail application. There are basically two options to protect the confidentiality of your mails: You can use S/MIME and encrypt the mails or use &lt;a href="http://www.microsoft.com/windowsserver2008/en/us/ida-information-protection.aspx" target="_blank"&gt;Rights Management Services&lt;/a&gt;, which does much more than encrypt the mail – it protects it from forwarding, copying etc. As long as you control the key and/or access to the services (in the case of RMS), you are pretty much safe. The problem stays with the contacts, tasks and calendar, which you can neither encrypt nor RMS-protect. In my case, this is not a problem and we have to see – again – the scope of the service I use.&lt;/p&gt;  &lt;p&gt;&lt;strong&gt;Service Availability and Reliability&lt;/strong&gt;: Well, this was the real reason why I moved to the cloud. This is now not my problem anymore and I guess that Microsoft has more experience running such a service and a little bit more capacity than me…&lt;/p&gt;  &lt;p&gt;&lt;strong&gt;Application Security&lt;/strong&gt;: In the case of mail, there is no real difference on the application layer security between on-premise and in the Cloud as we both use Exchange. The only discussion point here is about patch management. This is now outsourced as well. I guess we are on par here as my servers are usually updated (and rebooted!) within a few days after the release of a security update.&lt;/p&gt;  &lt;p&gt;&lt;strong&gt;Identity and Interoperability&lt;/strong&gt;: This leaves the biggest one in the cloud in my opinion – the identity (interoperability is not really a problem in the mail scenario). 
As this offering is targeted at a service we call &lt;a href="mailto:Live@Edu"&gt;Live@Edu&lt;/a&gt;, where we offer &lt;a href="http://www.live.com" target="_blank"&gt;Live&lt;/a&gt; services to the education sector, the identity management problem is solved as it is based transparently on LiveID to deliver the service. The accounts are generated if necessary as soon as you create the mailbox. Transparent and easy. In my case it was a bigger challenge as I am running my on-premise domain. Currently in this environment we would need to be able to federate my on-premise identity out to the Live environment, which is not a scenario that is supported with the mail service offered. What you can do is a &lt;a href="http://help.outlook.com/en-us/140/dd575560.aspx" target="_blank"&gt;GAL sync&lt;/a&gt; to synchronize your Active Directory environment with the Exchange environment, which already helps you to keep the accounts in line. However, to me the whole area of federated identities and claims-based identities will most probably be &lt;u&gt;the&lt;/u&gt; big theme of the cloud.&lt;/p&gt;  &lt;p&gt;A few final challenges and remarks: So, after the migration, everything works well and fine and smooth – well, until I realized that there are a lot of internal services, which count on an accessible SMTP-server which does not require authentication (sometimes this is solvable) but for sure no encryption. SCOM, WSUS, SharePoint, my NAS, my Access Points, my &lt;a href="http://gallery.halbheer.ch/" target="_blank"&gt;Photo Gallery&lt;/a&gt; – just to name a few. All of a sudden a service, which was offered internally, is not offered anymore… I finally solved this as well – but honestly, this was the biggest chunk of work at the end of the day. The whole planning of the migration did not consider such dependencies – or better: My planning of the migration… The dependencies in your network should not be underestimated. 
Especially the ones you never knew of…&lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3282223" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft+Products/default.aspx">Microsoft Products</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft/default.aspx">Microsoft</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Cloud+Computing/default.aspx">Cloud Computing</category></item><item><title>Microsoft SDL Team Releases New Security Testing Tools</title><link>http://blogs.technet.com/rhalbheer/archive/2009/09/16/microsoft-sdl-team-releases-new-security-testing-tools.aspx</link><pubDate>Wed, 16 Sep 2009 16:10:37 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3281401</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3281401.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3281401</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3281401</wfw:comment><description>&lt;p&gt;I often mention that we try to give you all the tools we have as long as it makes sense from a risk perspective. The risk perspective is a simple one: If we give it to you as our customer, we give it as well to the criminals. &lt;/p&gt;  &lt;p&gt;There are two new tools which just made the bar and which are now released by the &lt;a href="http://blogs.msdn.com/sdl"&gt;Security Development Lifecycle (SDL) team&lt;/a&gt;:&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;&lt;a href="http://go.microsoft.com/?linkid=9678113"&gt;BinScope Binary Analyzer&lt;/a&gt; is a verification tool that confirms the use of the correct compiler and linker protections required by the SDL. 
One of the things we learned is that the right compiler settings may change a lot (if the compiler and the linker are able to deliver accurate security) &lt;/li&gt;    &lt;li&gt;&lt;a href="http://go.microsoft.com/?linkid=9678112"&gt;MiniFuzz File Fuzzer&lt;/a&gt; is a simple file fuzzer that is designed to ease your introduction into fuzz testing by supplying file formats that your application would otherwise not expect. &lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;So, if you develop in-house, look at them and make use of them. If not, make sure your supplier uses them or something similar (we do…)&lt;/p&gt;  &lt;p&gt;Additionally, you might remember that we released a Security Development Lifecycle Template for VisualStudio earlier this year (&lt;a href="http://www.halbheer.info/security/archive/2009/05/19/security-development-lifecycle-template-your-next-step-to-secure-development.aspx" target="_blank"&gt;Security Development Lifecycle Template - Your next step to &amp;quot;Secure Development&lt;/a&gt;). 
Based on your feedback the SDL team has written a whitepaper on how to integrate their practices into your own process template: &lt;a href="http://go.microsoft.com/?linkid=9683340"&gt;Whitepaper: Manually Integrating the SDL Process Template&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3281401" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft+Products/default.aspx">Microsoft Products</category></item><item><title>Typing Arabic without a Arabic Keyboard: Microsoft Maren</title><link>http://blogs.technet.com/rhalbheer/archive/2009/09/09/typing-arabic-without-a-arabic-keyboard-microsoft-maren.aspx</link><pubDate>Wed, 09 Sep 2009 11:44:30 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3279991</guid><dc:creator>rhalbh</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3279991.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3279991</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3279991</wfw:comment><description>&lt;p&gt;I am using a Latin keyboard and my Arabic is kind of “rusty” but I guess that this could be of real help if you write Arabic:&lt;/p&gt;  &lt;p&gt;&lt;a href="http://www.microsoft.com/middleeast/egypt/cmic/maren/" target="_blank"&gt;Microsoft Maren&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;There is a good video on that page.&lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3279991" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft+Products/default.aspx">Microsoft Products</category></item><item><title>Monitoring the Virtual 
Environment</title><link>http://blogs.technet.com/rhalbheer/archive/2009/09/08/monitoring-the-virtual-environment.aspx</link><pubDate>Wed, 09 Sep 2009 00:44:13 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3279908</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3279908.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3279908</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3279908</wfw:comment><description>&lt;p&gt;I recently blogged on how I monitor my environment: &lt;a href="http://www.halbheer.info/security/archive/2009/08/11/monitoring-a-key-activity-to-a-trustworthy-infrastructure.aspx"&gt;Monitoring - a Key Activity to a Trustworthy Infrastructure?&lt;/a&gt; In the meantime, I am doing more. I was just recently looking into System Center Virtual Machine Manager (VMM).&lt;/p&gt;  &lt;p&gt;So, I installed it on my monitoring server and started to manage my virtual hosts centrally. Basically VMM gives me some pretty good information at one single source. As an example, I can look at my hosts:&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/MonitoringtheVirtualEnvironment_132D6/500x367%5B1%5D_2.png" target="_blank"&gt;&lt;img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="500x367[1]" border="0" alt="500x367[1]" src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/MonitoringtheVirtualEnvironment_132D6/500x367%5B1%5D_thumb_1.png" width="500" height="367" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;So, I see how they are doing and see the key performance indicators. 
Additionally, I see a similar picture for the virtual machines:&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.technet.com/photos/rhalbheer_gallery/images/3279262/original.aspx" target="_blank"&gt;&lt;img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="500x367[1]" border="0" alt="500x367[1]" src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/MonitoringtheVirtualEnvironment_132D6/500x367%5B1%5D_4.png" width="500" height="367" /&gt;&lt;/a&gt; Now, there are a lot of functionalities, like a Library for machines and disks, drag and drop between hosts (if they use the same add-ons) etc. So, a lot of possibilities not only to monitor but to manage your machines centrally. &lt;/p&gt;  &lt;p&gt;Last but not least, there is close integration with System Center Operations Manager, where VMM leverages this platform. So, you are able to look at the network (physically):&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.technet.com/photos/rhalbheer_gallery/images/3279260/original.aspx" target="_blank"&gt;&lt;img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="209x375[1]" border="0" alt="209x375[1]" src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/MonitoringtheVirtualEnvironment_132D6/209x375%5B1%5D_1.png" width="209" height="375" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;Or the health status of the virtual server:&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.technet.com/photos/rhalbheer_gallery/images/3279259/original.aspx" target="_blank"&gt;&lt;img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="500x225[1]" border="0" alt="500x225[1]" 
src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/MonitoringtheVirtualEnvironment_132D6/500x225%5B1%5D_1.png" width="500" height="225" /&gt;&lt;/a&gt; &lt;/p&gt;  &lt;p&gt;where you can see that I have a problem at the moment at the very server you might be reading this post on…&lt;/p&gt;  &lt;p&gt;So, a lot of additional possibilities to manage your environment. &lt;/p&gt;  &lt;p&gt;Last but definitely not least there are the PRO Tips – tips which are based on the performance indicators which are collected by VMM and help you decide how to optimize your environment.&lt;/p&gt;  &lt;p&gt;And everything can be used across our virtualization technology as well as VMware!&lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3279908" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft+Products/default.aspx">Microsoft Products</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Processes/default.aspx">Processes</category></item><item><title>Why it pays to be secure – Chapter 2 – Vulnerabilities</title><link>http://blogs.technet.com/rhalbheer/archive/2009/09/03/why-it-pays-to-be-secure-chapter-2-vulnerabilities.aspx</link><pubDate>Thu, 03 Sep 2009 23:11:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3279034</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3279034.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3279034</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3279034</wfw:comment><description>&lt;P&gt;Our EMEA Security Program Manager, Henk van Roest, started this series internally and with his consent I am publishing it 
here in my blog as I think it contains a lot of great information for you to use.&lt;/P&gt;
&lt;HR&gt;

&lt;P&gt;The Microsoft Security Intelligence Report (SIR) provides an in-depth perspective on the changing threat landscape including software vulnerability disclosures and exploits, malicious software (malware), and potentially unwanted software.&lt;/P&gt;
&lt;P&gt;&lt;A href="http://www.microsoft.com/security/portal/sir.aspx" mce_href="http://www.microsoft.com/security/portal/sir.aspx"&gt;http://www.microsoft.com/security/portal/sir.aspx&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;A href="http://go.microsoft.com/fwlink/?LinkId=147941" mce_href="http://go.microsoft.com/fwlink/?LinkId=147941"&gt;&lt;IMG style="WIDTH: 291px; HEIGHT: 169px" title=SirV6Video border=0 alt=SirV6Video src="http://www.microsoft.com/security/portal/Images/SirV6Video.png" width=291 height=169 mce_src="http://www.microsoft.com/security/portal/Images/SirV6Video.png"&gt;&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;Updating 3rd Party applications is something most customers forget about. We in Security Support often hear customers say “We always deploy all the Microsoft Updates every month, how were we breached? We thought we were secure.”&lt;/P&gt;
&lt;P&gt;&lt;A href="http://blogs.technet.com/photos/rhalbheer_gallery/images/3279031/original.aspx" target=_blank mce_href="http://blogs.technet.com/photos/rhalbheer_gallery/images/3279031/original.aspx"&gt;&lt;IMG style="BORDER-BOTTOM: 0px; BORDER-LEFT: 0px; DISPLAY: block; FLOAT: none; MARGIN-LEFT: auto; BORDER-TOP: 0px; MARGIN-RIGHT: auto; BORDER-RIGHT: 0px" title=500x220[1] border=0 alt=500x220[1] src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/WhyitpaystobesecureChapter2Vulnerabiliti_F1D9/500x220%5B1%5D_1.png" width=500 height=220 mce_src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/WhyitpaystobesecureChapter2Vulnerabiliti_F1D9/500x220%5B1%5D_1.png"&gt;&lt;/A&gt; &lt;/P&gt;
&lt;P&gt;Microsoft products are still perceived to be not too secure, but the data below from the SIR might very well surprise you: the perception in this case is not the reality.&lt;/P&gt;
&lt;P&gt;&lt;A href="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/WhyitpaystobesecureChapter2Vulnerabiliti_F1D9/original%5B1%5D_1.png" target=_blank mce_href="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/WhyitpaystobesecureChapter2Vulnerabiliti_F1D9/original%5B1%5D_1.png"&gt;&lt;IMG style="BORDER-BOTTOM: 0px; BORDER-LEFT: 0px; DISPLAY: block; FLOAT: none; MARGIN-LEFT: auto; BORDER-TOP: 0px; MARGIN-RIGHT: auto; BORDER-RIGHT: 0px" title=original[1] border=0 alt=original[1] src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/WhyitpaystobesecureChapter2Vulnerabiliti_F1D9/original%5B1%5D_thumb_1.png" width=500 height=277 mce_src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/WhyitpaystobesecureChapter2Vulnerabiliti_F1D9/original%5B1%5D_thumb_1.png"&gt;&lt;/A&gt; &lt;/P&gt;
&lt;P&gt;&lt;A href="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/WhyitpaystobesecureChapter2Vulnerabiliti_F1D9/original%5B1%5D.png" target=_blank mce_href="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/WhyitpaystobesecureChapter2Vulnerabiliti_F1D9/original%5B1%5D.png"&gt;&lt;IMG style="BORDER-BOTTOM: 0px; BORDER-LEFT: 0px; DISPLAY: block; FLOAT: none; MARGIN-LEFT: auto; BORDER-TOP: 0px; MARGIN-RIGHT: auto; BORDER-RIGHT: 0px" title=original[1] border=0 alt=original[1] src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/WhyitpaystobesecureChapter2Vulnerabiliti_F1D9/original%5B1%5D_thumb.png" width=500 height=240 mce_src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/WhyitpaystobesecureChapter2Vulnerabiliti_F1D9/original%5B1%5D_thumb.png"&gt;&lt;/A&gt;&amp;nbsp;&lt;/P&gt;
&lt;P mce_keep="true"&gt;&amp;nbsp;&lt;/P&gt;
&lt;HR&gt;
I guess if you are reading my blog every now and then, you know that our products are best in class when it comes to security! 
&lt;P mce_keep="true"&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Henk and Roger&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3279034" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft+Products/default.aspx">Microsoft Products</category></item><item><title>Windows 7 XP Mode - Sophos error: facts not found</title><link>http://blogs.technet.com/rhalbheer/archive/2009/08/27/windows-7-xp-mode-sophos-error-facts-not-found.aspx</link><pubDate>Thu, 27 Aug 2009 22:09:55 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3277573</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3277573.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3277573</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3277573</wfw:comment><description>&lt;p&gt;Well, the title is not completely from me – I just quoted another blog post. I wrote recently on &lt;a href="http://blogs.technet.com/rhalbheer/archive/2009/08/17/why-windows-7-xp-mode-makes-sense-from-a-security-perspective.aspx" target="_blank"&gt;Why Windows 7 XP Mode makes sense from a security perspective&lt;/a&gt; and was even quoted on The Register. The “funny” thing was the history of that blog: I was reading some Tweets and blogs where XP Mode was just questioned. I actually never read &lt;a href="http://www.sophos.com/blogs/gc/g/2009/07/17/guest-blog-xp-mode-demonstrating-security-microsofts-priority" target="_blank"&gt;Richard Jacobs’ blog post&lt;/a&gt; on this. 
I just wanted to share the process I went through.&lt;/p&gt;  &lt;p&gt;However, my post again caused a &lt;a href="http://www.sophos.com/blogs/gc/g/2009/08/18/guest-blog-xp-mode-windows-7-positive-step-security" target="_blank"&gt;reply by Jacobs&lt;/a&gt; – so he seems to read my blog… &lt;/p&gt;  &lt;p&gt;Unfortunately he got some facts quite wrong – but at least he got some attention. If you are interested in the facts, read James O’Neill’s post called &lt;a href="http://blogs.technet.com/jamesone/archive/2009/08/18/sophos-error-facts-not-found.aspx" target="_blank"&gt;Sophos error: facts not found&lt;/a&gt; – which is where I took the title from.&lt;/p&gt;  &lt;p&gt;As I wrote in the first post: XP Mode is here to help our customers to benefit from the indisputably higher security in Windows 7 for 95% of their tasks and removing the migration blocker called “compatibility” by using XP Mode. Let me give you another example:&lt;/p&gt;  &lt;p&gt;I helped an SME last weekend to migrate from an XP environment (even their server was on XP) to a state-of-the-art Windows Server 2008 SBS and Windows Vista environment. We failed! Because of one application, which is a 16bit-DOS accounting application which we were unable to stabilize on Windows Vista while still being able to print. Even though we switched on all the compatibility settings, it crashed about every 15 minutes. Migration is not an option as one of their customers is still using this application. 
So, what are the options:&lt;/p&gt;  &lt;ol&gt;   &lt;li&gt;Fall back to XP &lt;/li&gt;    &lt;li&gt;Live with the crashes &lt;/li&gt;    &lt;li&gt;Find a solution…… &lt;/li&gt; &lt;/ol&gt;  &lt;p&gt;What we did at the end (after several hours of trial and error) was to keep one old XP box and to Remote Desktop to run this DOS application – basically we did XP Mode on a physical level instead of virtually and by far not as transparent as with XP Mode for the user – however, managing the XP box now is definitely harder (or at least as hard) than XP Mode (see James’ post).&lt;/p&gt;  &lt;p&gt;So, as I said in my first post on this: It is all about Risk Management.&lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3277573" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft+Products/default.aspx">Microsoft Products</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Policy/default.aspx">Policy</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Processes/default.aspx">Processes</category></item></channel></rss>