<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.technet.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Roger's Security Blog : Technology</title><link>http://blogs.technet.com/rhalbheer/archive/tags/Technology/default.aspx</link><description>Tags: Technology</description><dc:language>en-US</dc:language><generator>CommunityServer 2.1 SP1 (Build: 61025.2)</generator><item><title>Why it pays to be secure – Chapter 3 – But how do I?</title><link>http://blogs.technet.com/rhalbheer/archive/2009/10/18/why-it-pays-to-be-secure-chapter-3-but-how-do-i.aspx</link><pubDate>Sun, 18 Oct 2009 18:20:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3287536</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3287536.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3287536</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3287536</wfw:comment><description>&lt;P&gt;Our EMEA Security Program Manager, Henk van Roest, started this series internally and with his consent I am publishing it here in my blog as I think it contains a lot of great information for you to use.&lt;/P&gt;
&lt;HR&gt;

&lt;P&gt;Security — you hear about it every day. Being responsible for information security can be a daunting task, so where do you begin? &lt;/P&gt;
&lt;P&gt;From the design of acceptable use policies to preventing insiders from stealing data, the job can be a challenging one. Join Senior Security Strategist with the Microsoft Trustworthy Computing Group Kai Axford, as he explores each layer of Defense in Depth during this eight-part webcast series. Kai shows you how to mitigate the new risks in security and may have you rethinking the methods you’re using. He also spends time talking about your hot topics of the day. &lt;/P&gt;
&lt;P&gt;Specifically there is an 8 part series as detailed below:&lt;/P&gt;
&lt;P&gt;&lt;B&gt;&lt;A href="http://www.microsoft.com/events/series/securityexperts.aspx?tab=Webcasts&amp;amp;seriesid=109&amp;amp;webcastid=4371" mce_href="http://www.microsoft.com/events/series/securityexperts.aspx?tab=Webcasts&amp;amp;seriesid=109&amp;amp;webcastid=4371"&gt;TechNet Webcast: 2008 Defense in Depth Security Series (Part 1 of 8): Why Does Security Matter? (Level 200)&lt;/A&gt;&lt;/B&gt; &lt;B&gt;Original Air Date: &lt;/B&gt;January 7, 2008 &lt;/P&gt;
&lt;P&gt;In the first session of the series, we discuss risk and the impact of security on the business. We look at some popular methods to assess risk and identify the need for an overall security strategy. We also explore why you should care about information security, how to measure the success of your program, and how to prove it to your boss using the concept of Return on Security Investment (ROSI). Learn how security impacts the cash flow of your business. &lt;STRONG&gt;Bring your CFO to this one!&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;B&gt;&lt;A href="http://www.microsoft.com/events/series/securityexperts.aspx?tab=Webcasts&amp;amp;seriesid=109&amp;amp;webcastid=4372" mce_href="http://www.microsoft.com/events/series/securityexperts.aspx?tab=Webcasts&amp;amp;seriesid=109&amp;amp;webcastid=4372"&gt;TechNet Webcast: 2008 Defense in Depth Security Series (Part 2 of 8): All Bark and No Bite (Level 200)&lt;/A&gt;&lt;/B&gt; &lt;B&gt;Original Air Date: &lt;/B&gt;January 8, 2008 &lt;/P&gt;
&lt;P&gt;In our second session, we take a look at what is considered to be the most important aspect of information security: security policies. We discuss the policies that exist within your company and how to strengthen them. After all, what good is a policy if it is not enforceable? We also investigate the most cost-effective way for you to increase the security posture of your business. What is it? You have to tune in to see! You will not be disappointed. &lt;/P&gt;
&lt;P&gt;&lt;B&gt;&lt;A href="http://www.microsoft.com/events/series/securityexperts.aspx?tab=Webcasts&amp;amp;seriesid=109&amp;amp;webcastid=4373" mce_href="http://www.microsoft.com/events/series/securityexperts.aspx?tab=Webcasts&amp;amp;seriesid=109&amp;amp;webcastid=4373"&gt;TechNet Webcast: 2008 Defense in Depth Security Series (Part 3 of 8): Gates, Guards, and Guns (Level 200)&lt;/A&gt;&lt;/B&gt; &lt;B&gt;Original Air Date: &lt;/B&gt;January 9, 2008 &lt;/P&gt;
&lt;P&gt;Today we look at an aspect of information security that is often overlooked by technical folks. It is the physical security aspect of our job. Are you aware that every year at DEFCON there is a lock picking contest? In this session, we dive into various techniques and methods that we should be considering when it comes to providing physical security around our datacenters. We discuss some of the recent trends in this area, such as IP video surveillance, and also discuss resources that can assist you in coming up with a good overall physical security plan. (No locks were harmed in preparation of this session.)&lt;/P&gt;
&lt;P&gt;&lt;B&gt;&lt;A href="http://www.microsoft.com/events/series/securityexperts.aspx?tab=Webcasts&amp;amp;seriesid=109&amp;amp;webcastid=4374" mce_href="http://www.microsoft.com/events/series/securityexperts.aspx?tab=Webcasts&amp;amp;seriesid=109&amp;amp;webcastid=4374"&gt;TechNet Webcast: 2008 Defense in Depth Security Series (Part 4 of 8): Living on the Edge (Level 200)&lt;/A&gt;&lt;/B&gt; &lt;B&gt;Original Air Date: &lt;/B&gt;January 10, 2008 &lt;/P&gt;
&lt;P&gt;In case you are not aware, the Internet is not a safe and happy place. Have you thought about all the other branch offices and partners you are connected to? Bad things are going on and you would like to do what you can to keep them out in the wild. In today's session, we look at some of those risks, and also discuss some technologies you should be considering when looking at securing the perimeter. You know about Intrusion Protection Systems (IPS), Intrusion Detection Systems (IDS), and firewalls, but are they doing any good? Is the DMZ as we know it today…dead? &lt;/P&gt;
&lt;P&gt;&lt;B&gt;&lt;A href="http://www.microsoft.com/events/series/securityexperts.aspx?tab=Webcasts&amp;amp;seriesid=109&amp;amp;webcastid=4375" mce_href="http://www.microsoft.com/events/series/securityexperts.aspx?tab=Webcasts&amp;amp;seriesid=109&amp;amp;webcastid=4375"&gt;TechNet Webcast: 2008 Defense in Depth Security Series (Part 5 of 8): Keeping Your House in Order (Level 200)&lt;/A&gt;&lt;/B&gt; &lt;B&gt;Original Air Date: &lt;/B&gt;January 14, 2008 &lt;/P&gt;
&lt;P&gt;We start the week by discussing a problem that is close to your heart: your network. But how can we even begin to take on that challenge? What are some of the things on the horizon that we need to be aware of? In this session, we look at technologies and concepts such as IP Security (IPSec) Domain Isolation and Network Access Protection (NAP). We also look into some practical things that you should be doing right now to protect one of your most valuable assets.&lt;/P&gt;
&lt;P&gt;&lt;B&gt;&lt;A href="http://www.microsoft.com/events/series/securityexperts.aspx?tab=Webcasts&amp;amp;seriesid=109&amp;amp;webcastid=4376" mce_href="http://www.microsoft.com/events/series/securityexperts.aspx?tab=Webcasts&amp;amp;seriesid=109&amp;amp;webcastid=4376"&gt;TechNet Webcast: 2008 Defense in Depth Security Series (Part 6 of 8): Save the Box, Save the Network (Level 200)&lt;/A&gt;&lt;/B&gt; &lt;B&gt;Original Air Date: &lt;/B&gt;January 15, 2008 &lt;/P&gt;
&lt;P&gt;Servers. We all love them. Wouldn't it be so much easier if we simply did away with everything else? There is no argument that the multitude of desktops, laptops, and mobile devices has created headaches for the IT security professional. Just when you lock down a desktop, the sales guy gets a new laptop, and then a new mobile phone. We cannot (legally) eliminate the users, but join us to see what we can do to stay ahead of the risks! &lt;/P&gt;
&lt;P&gt;&lt;B&gt;&lt;A href="http://www.microsoft.com/events/series/securityexperts.aspx?tab=Webcasts&amp;amp;seriesid=109&amp;amp;webcastid=4377" mce_href="http://www.microsoft.com/events/series/securityexperts.aspx?tab=Webcasts&amp;amp;seriesid=109&amp;amp;webcastid=4377"&gt;TechNet Webcast: 2008 Defense in Depth Security Series (Part 7 of 8): If You Build It (Securely), They Won't Come (Level 200)&lt;/A&gt;&lt;/B&gt; &lt;B&gt;Original Air Date: &lt;/B&gt;January 16, 2008 &lt;/P&gt;
&lt;P&gt;Grab the caffeine and pizza! Today we step into the dark underground of AppDev and discuss methods for securing applications that run inside your infrastructure. As we harden the network and hosts, the bad guys are looking for other ways in, and often it is the applications being written by your own developers. Do your developers have the time and tools required to build their applications securely, or is security merely an afterthought? What tools are available to assist them? We show you today. No coding required. &lt;/P&gt;
&lt;P&gt;&lt;B&gt;&lt;A href="http://www.microsoft.com/events/series/securityexperts.aspx?tab=Webcasts&amp;amp;seriesid=109&amp;amp;webcastid=4378" mce_href="http://www.microsoft.com/events/series/securityexperts.aspx?tab=Webcasts&amp;amp;seriesid=109&amp;amp;webcastid=4378"&gt;TechNet Webcast: 2008 Defense in Depth Security Series (Part 8 of 8): If a Terabyte Falls in the Middle of the (Active Directory) Forest (Level 200)&lt;/A&gt; &lt;/B&gt;&lt;B&gt;Original Air Date: &lt;/B&gt;January 17, 2008&lt;/P&gt;
&lt;P&gt;Got data? Sure you do, but how much? Where is it? How is it protected? What is it worth to you? Which is the most important? If you could save only one database, which would it be? Answers to all these burning questions, as well as some closing thoughts from Kai, are going to be covered in this final session. You do not want to miss this electrifying and intense final webcast!&lt;/P&gt;
&lt;HR&gt;
Henk and Roger 
</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Policy/default.aspx">Policy</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft/default.aspx">Microsoft</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Processes/default.aspx">Processes</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Events_2F00_Training/default.aspx">Events/Training</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Technology/default.aspx">Technology</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Behaviour/default.aspx">Behaviour</category></item><item><title>The Future of the Internet in 
2020</title><link>http://blogs.technet.com/rhalbheer/archive/2009/08/25/the-future-of-the-internet-in-2020.aspx</link><pubDate>Tue, 25 Aug 2009 19:58:42 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3276743</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3276743.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3276743</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3276743</wfw:comment><description>&lt;p&gt;This is a pretty interesting survey: &lt;a href="http://pewresearch.org/pubs/1053/future-of-the-internet-iii-how-the-experts-see-it" target="_blank"&gt;Future of the Internet III: How the Experts See It&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;Here are the key findings:&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;The mobile device will be the primary connection tool to the internet for most people in the world in 2020. &lt;/li&gt;    &lt;li&gt;The transparency of people and organizations will increase, but that will not necessarily yield more personal integrity, social tolerance, or forgiveness. &lt;/li&gt;    &lt;li&gt;Voice recognition and touch user-interfaces with the internet will be more prevalent and accepted by 2020. &lt;/li&gt;    &lt;li&gt;Those working to enforce intellectual property law and copyright protection will remain in a continuing &amp;quot;arms race,&amp;quot; with the &amp;quot;crackers&amp;quot; who will find ways to copy and share content without payment. &lt;/li&gt;    &lt;li&gt;The divisions between personal time and work time and between physical and virtual reality will be further erased for everyone who is connected, and the results will be mixed in their impact on basic social relations. 
&lt;/li&gt;    &lt;li&gt;&amp;quot;Next-generation&amp;quot; engineering of the network to improve the current internet architecture is more likely than an effort to rebuild the architecture from scratch. &lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;This shows to me that our &lt;a href="www.microsoft.com/endtoendtrust" target="_blank"&gt;End-to-End Trust vision&lt;/a&gt; is more important than ever as we will be relying on a trusted stack and a strong identity.&lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3276743" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Trends/default.aspx">Trends</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Technology/default.aspx">Technology</category></item><item><title>Monitoring – a Key Activity to a Trustworthy Infrastructure?</title><link>http://blogs.technet.com/rhalbheer/archive/2009/08/11/monitoring-a-key-activity-to-a-trustworthy-infrastructure.aspx</link><pubDate>Tue, 11 Aug 2009 18:20:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3272414</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3272414.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3272414</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3272414</wfw:comment><description>&lt;P&gt;As you might have read, I recently blogged about my infrastructure and the future of a platform towards a better management of compliance. I wrote about&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;A href="http://blogs.technet.com/rhalbheer/archive/2009/03/12/deploying-pki.aspx" mce_href="http://blogs.technet.com/rhalbheer/archive/2009/03/12/deploying-pki.aspx"&gt;Deploying PKI&lt;/A&gt; &lt;/LI&gt;
&lt;LI&gt;&lt;A href="http://blogs.technet.com/rhalbheer/archive/2009/03/16/time-sync-on-virtual-dcs.aspx" mce_href="http://blogs.technet.com/rhalbheer/archive/2009/03/16/time-sync-on-virtual-dcs.aspx"&gt;Time Sync on Virtual DCs&lt;/A&gt; &lt;/LI&gt;
&lt;LI&gt;&lt;FONT color=#ff0000&gt;&lt;A href="http://www.halbheer.info/security/archive/2009/05/22/patch-management-a-key-step-towards-compliance.aspx" mce_href="http://www.halbheer.info/security/archive/2009/05/22/patch-management-a-key-step-towards-compliance.aspx"&gt;Patch Management, a key step towards compliance!&lt;/A&gt;&lt;/FONT&gt; &lt;/LI&gt;&lt;/UL&gt;
&lt;P&gt;The Time Sync post in particular was more about a technical challenge than a high-level view, but nevertheless, I think, interesting. Let me continue and share some experiences I had when I started to deploy additional technology in my network at home. &lt;/P&gt;
&lt;P&gt;I will definitely touch on certain themes like NAP and IPSec but at the beginning, I had to get the basics right. One of the basics to me was trying to get monitoring fixed.&lt;/P&gt;
&lt;P&gt;I look at monitoring from two sides: one internal and one external. The reason I wanted to look at external monitoring was that I sometimes had the situation that my ISP had a problem and I did not realize it, as all my infrastructure was up and running but there was still no availability from the outside.&lt;/P&gt;
&lt;P&gt;Let’s start with &lt;STRONG&gt;internal monitoring first&lt;/STRONG&gt;:&lt;/P&gt;
&lt;P&gt;I knew that I had to have &lt;A href="http://www.microsoft.com/systemcenter/operationsmanager/en/us/default.aspx" target=_blank mce_href="http://www.microsoft.com/systemcenter/operationsmanager/en/us/default.aspx"&gt;System Center Operations Manager 2007 R2&lt;/A&gt; in place in order to get &lt;A href="http://www.microsoft.com/forefront/stirling/en/us/default.aspx" target=_blank mce_href="http://www.microsoft.com/forefront/stirling/en/us/default.aspx"&gt;Stirling&lt;/A&gt; running later. I recently upgraded to SCOM R2.&lt;/P&gt;
&lt;P&gt;Most of you probably know the drill: You run through the prerequisite-checker and fix all your pre-reqs until it starts installing. You deploy the agents and import all the management packs you think you want to have. If you need to do it, start small in order to really understand the different Alerts you will get, fix the issues (I had quite a few, which I did not find before) and then tailor the Alerts to the needs you have.&lt;/P&gt;
&lt;P&gt;That’s standard procedure but let me add a few things I did in addition:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;I have a NAS in my network. The way I do “monitoring” of this NAS is that I told my NAS the mail-address of the Operator (me but on a different mail-address) and go for the NAS telling me if it feels “sick”. However, I would like to have it integrated into my SCOM environment. As my NAS is capable of doing syslog transfers (as are quite some devices), I decided to go down that path. Once you know what your device is actually flagging, it is pretty straight-forward. There is a KB describing this: &lt;A href="http://support.microsoft.com/default.aspx/kb/942863" target=_blank mce_href="http://support.microsoft.com/default.aspx/kb/942863"&gt;How to collect and monitor UNIX Syslogs in System Center Operations Manager 2007 or in System Center Essentials 2007&lt;/A&gt; &lt;/LI&gt;
&lt;LI&gt;When it comes to Unix/Linux integration however, I would go down a different path as the monitoring of these OSs is now natively integrated into SCOM. &lt;/LI&gt;
&lt;LI&gt;Another problem is how to monitor network devices like print servers. Again, this is pretty easy to do if you want to use SNMP (and please do not use the default community strings). Basically you can just go through the wizard to add a device and give it the IP-range and the SNMP community string and you are set. &lt;/LI&gt;&lt;/UL&gt;
&lt;P&gt;So, you see the internal monitoring is pretty straight-forward.&lt;/P&gt;
&lt;P&gt;The same is actually true with &lt;STRONG&gt;external monitoring&lt;/STRONG&gt;.&lt;/P&gt;
&lt;P&gt;I found an interesting service called &lt;A href="http://mon.itor.us/" target=_blank mce_href="http://mon.itor.us"&gt;mon.itor.us&lt;/A&gt;. The basic service is free and it saved my life more than once. Say: I was outside my network (and being the only network admin this happens pretty often) and e.g. my Internet connection fails. There is no way for SCOM to get hold of me as it cannot send mail anymore (and I do not pay for an SMS service). &lt;/P&gt;
&lt;P&gt;With mon.itor.us you are able to define URLs or IPs and Ports to be monitored. So, I decided to have four services to be monitored from the outside:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;My web server (standard HTTP) &lt;/LI&gt;
&lt;LI&gt;My mail server (standard SMTP) &lt;/LI&gt;
&lt;LI&gt;Terminal service to two of the key servers internally to see whether they are still alive &lt;/LI&gt;&lt;/UL&gt;
&lt;P&gt;So, to monitor your services now (again from the outside) you get different options. You can use a Windows Vista Sidebar Gadget, which works on Windows 7 as well:&lt;/P&gt;
&lt;P&gt;&lt;A href="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/MonitoringAsteptowardscompliance_9EDE/2009,05%20Mon%202_2.png" target=_blank mce_href="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/MonitoringAsteptowardscompliance_9EDE/2009,05%20Mon%202_2.png"&gt;&lt;IMG style="BORDER-RIGHT-WIDTH: 0px; DISPLAY: block; FLOAT: none; BORDER-TOP-WIDTH: 0px; BORDER-BOTTOM-WIDTH: 0px; MARGIN-LEFT: auto; BORDER-LEFT-WIDTH: 0px; MARGIN-RIGHT: auto" title="2009,05 Mon 2" border=0 alt="2009,05 Mon 2" src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/MonitoringAsteptowardscompliance_9EDE/2009,05%20Mon%202_thumb.png" width=279 height=199 mce_src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/MonitoringAsteptowardscompliance_9EDE/2009,05%20Mon%202_thumb.png"&gt;&lt;/A&gt;I use this pretty often as I can easily see if one of the servers goes red. Sometimes, however, there is a problem with the mon.itor.us system and just one of the three locations gets a timeout. So, you log on to your website, which consists of a dashboard with different gadgets like the one below:&lt;/P&gt;
&lt;P&gt;&lt;A href="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/MonitoringAsteptowardscompliance_9EDE/2009,05%20Mon%201_2.png" target=_blank mce_href="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/MonitoringAsteptowardscompliance_9EDE/2009,05%20Mon%201_2.png"&gt;&lt;IMG style="BORDER-RIGHT-WIDTH: 0px; DISPLAY: block; FLOAT: none; BORDER-TOP-WIDTH: 0px; BORDER-BOTTOM-WIDTH: 0px; MARGIN-LEFT: auto; BORDER-LEFT-WIDTH: 0px; MARGIN-RIGHT: auto" title="2009,05 Mon 1" border=0 alt="2009,05 Mon 1" src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/MonitoringAsteptowardscompliance_9EDE/2009,05%20Mon%201_thumb.png" width=376 height=258 mce_src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/MonitoringAsteptowardscompliance_9EDE/2009,05%20Mon%201_thumb.png"&gt;&lt;/A&gt;Here you see that the US got a delay (sometimes even a timeout) whereas the other two locations have good performance – no reason for me to act.&lt;/P&gt;
&lt;P&gt;And finally, there is an RSS Feed for messages&lt;A href="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/MonitoringAsteptowardscompliance_9EDE/2009,05%20Mon%203_2.png" target=_blank mce_href="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/MonitoringAsteptowardscompliance_9EDE/2009,05%20Mon%203_2.png"&gt;&lt;IMG style="BORDER-RIGHT-WIDTH: 0px; DISPLAY: block; FLOAT: none; BORDER-TOP-WIDTH: 0px; BORDER-BOTTOM-WIDTH: 0px; MARGIN-LEFT: auto; BORDER-LEFT-WIDTH: 0px; MARGIN-RIGHT: auto" title="2009,05 Mon 3" border=0 alt="2009,05 Mon 3" src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/MonitoringAsteptowardscompliance_9EDE/2009,05%20Mon%203_thumb.png" width=376 height=97 mce_src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/MonitoringAsteptowardscompliance_9EDE/2009,05%20Mon%203_thumb.png"&gt;&lt;/A&gt; &lt;/P&gt;
&lt;P&gt;I linked it into my homepage in IE (my.live.com) and always see when I have a problem – here I rebooted my firewall.&lt;/P&gt;
&lt;P&gt;This is really cool stuff!&lt;/P&gt;
&lt;P&gt;Roger&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3272414" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft+Products/default.aspx">Microsoft Products</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Technology/default.aspx">Technology</category></item><item><title>Patch Management, a key step towards compliance!</title><link>http://blogs.technet.com/rhalbheer/archive/2009/05/22/patch-management-a-key-step-towards-compliance.aspx</link><pubDate>Fri, 22 May 2009 15:18:34 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3244527</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3244527.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3244527</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3244527</wfw:comment><description>&lt;p&gt;As you might have read, I recently blogged about my infrastructure and the future of a platform towards a better management of compliance – honestly, I actually played with our latest technology &lt;img alt="smile_embaressed" src="http://spaces.live.com/rte/emoticons/smile_embaressed.gif" /&gt;. &lt;/p&gt;  &lt;p&gt;I wrote about&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;&lt;a href="http://blogs.technet.com/rhalbheer/archive/2009/03/12/deploying-pki.aspx"&gt;Deploying PKI&lt;/a&gt; &lt;/li&gt;    &lt;li&gt;&lt;a href="http://blogs.technet.com/rhalbheer/archive/2009/03/16/time-sync-on-virtual-dcs.aspx"&gt;Time Sync on Virtual DCs&lt;/a&gt; &lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;Now, a necessary and very important next step towards compliance as well as a secure environment is a sound Patch Management process and then – in the second place - the underlying technology. 
I have already blogged several times about Patch Management as I see a lot of companies failing to deliver on this. I recently wrote a post called &lt;a href="http://blogs.technet.com/rhalbheer/archive/2009/03/26/patch-management-cover-the-whole-9-yards.aspx"&gt;Patch Management – Cover the whole 9 yards&lt;/a&gt;. In there I mention different papers you could/should read:&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;&lt;a href="http://technet.microsoft.com/en-us/library/cc512589.aspx"&gt;Ten Principles of Microsoft Patch Management&lt;/a&gt; &lt;/li&gt;    &lt;li&gt;&lt;a href="http://technet.microsoft.com/en-us/library/bb466251.aspx"&gt;Update Management &lt;/a&gt;&lt;/li&gt;    &lt;li&gt;&lt;a href="http://technet.microsoft.com/en-us/library/cc700845.aspx"&gt;Update Management Process&lt;/a&gt; &lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;and I reference Christopher Budd’s Ten Principles of Patch Management:&lt;/p&gt;  &lt;ol&gt;   &lt;li&gt;Service packs should form the foundation of your patch management strategy &lt;/li&gt;    &lt;li&gt;Make Product Support Lifecycle a key element in your strategy &lt;/li&gt;    &lt;li&gt;Perform risk assessment using the Severity Rating System as a starting point &lt;/li&gt;    &lt;li&gt;Use mitigating factors to determine applicability and priority &lt;/li&gt;    &lt;li&gt;Only use workarounds in conjunction with deployment &lt;/li&gt;    &lt;li&gt;Issues with Security Updates are documented in the Security Bulletin Master Knowledge Base Article &lt;/li&gt;    &lt;li&gt;Test updates before deployment &lt;/li&gt;    &lt;li&gt;Contact Microsoft Customer Support Services if you encounter problems in testing or deployment &lt;/li&gt;    &lt;li&gt;Use only methods and information recommended for detection and deployment &lt;/li&gt;    &lt;li&gt;The Security Bulletin is always authoritative &lt;/li&gt; &lt;/ol&gt;  &lt;p&gt;First of all (and you see that in the articles referenced above) it is of utmost importance to have a process in place. 
Basically the core schema to run such a process is:&lt;/p&gt;  &lt;p&gt;&lt;img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="Cc700845.secmod193_1(en-us,TechNet.10)[1]" border="0" alt="Cc700845.secmod193_1(en-us,TechNet.10)[1]" src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/PatchManagementthefirststeptowardscompli_D7A6/Cc700845.secmod193_1(en-us,TechNet.10)%5B1%5D_3.gif" width="335" height="334" /&gt;&lt;/p&gt;  &lt;p&gt;I have seen different complexities to deploy such processes, from highly complex to pretty simple and straightforward ones. Those of you who know me know that my preference is &lt;a href="http://en.wikipedia.org/wiki/KISS_principle" target="_blank"&gt;KISS (Keep it Simple, Stupid)&lt;/a&gt;. So, make the process as complex as necessary and as slim as possible.&lt;/p&gt;  &lt;p&gt;So, once you have the process in place and take a &lt;strong&gt;&lt;u&gt;conscious decision&lt;/u&gt;&lt;/strong&gt;, the question is about deployment and reporting. &lt;/p&gt;  &lt;p&gt;So, let’s talk about technology now.&lt;/p&gt;  &lt;p&gt;In order to get an overview of the state of your computers, you might use the &lt;a href="http://technet.microsoft.com/en-us/security/cc184924.aspx" target="_blank"&gt;Microsoft Baseline Security Analyzer&lt;/a&gt;. This is an excellent tool to scan your Windows machines and get an overview of the security state of the machines. It might not deliver the same level of sophistication as very expensive tools, but the difference is: We provide it for free and – in my opinion – it gives you a good starting point to look at vulnerabilities including the level of Security Updates of a given PC. 
Here is an example of one of these assessments:&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/PatchManagementthefirststeptowardscompli_D7A6/2009,05%20-%20Patch%20Mgmt%201_2.png" target="_blank"&gt;&lt;img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="2009,05 - Patch Mgmt 1" border="0" alt="2009,05 - Patch Mgmt 1" src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/PatchManagementthefirststeptowardscompli_D7A6/2009,05%20-%20Patch%20Mgmt%201_thumb.png" width="500" height="578" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;But this does not really resolve your base problem about the Security Update compliance of the computers on your network as well as the distribution of them. From my point of view, there are different options to do so: &lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;If you are a small and medium business, one of the coolest solutions for you to go is &lt;a href="http://www.microsoft.com/systemcenter/essentials/en/us/default.aspx" target="_blank"&gt;System Center Essentials&lt;/a&gt;. It is System Center Configuration Manager, System Center Operations Manager and Windows Server Update Services in one package. However, it is limited to 30 servers and 500 clients. If you are in this limit, it rocks. &lt;/li&gt;    &lt;li&gt;&lt;a href="http://www.microsoft.com/systemcenter/configurationmanager/en/us/default.aspx" target="_blank"&gt;System Center Configuration Manager&lt;/a&gt;: If you already use this technology to distribute software and configurations, leverage this. &lt;/li&gt;    &lt;li&gt;&lt;a href="http://technet.microsoft.com/en-us/wsus/default.aspx" target="_blank"&gt;Windows Server Update Services&lt;/a&gt;: It is kind of unbelievable but this is &lt;strong&gt;free&lt;/strong&gt;! So, to be clear – &lt;strong&gt;we do not charge for it&lt;/strong&gt;! 
You can download and install it and it scales even for large Enterprises (did I tell you already that it is free &lt;img alt="smile_wink" src="http://spaces.live.com/rte/emoticons/smile_wink.gif" /&gt;?). &lt;/li&gt;    &lt;li&gt;A third-party solution &lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;I am using WSUS and am more than happy with it. The way I am organized is that I regularly get a mail from WSUS with the current state of “the nation”:&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/PatchManagementthefirststeptowardscompli_D7A6/2009,05%20-%20Patch%20Mgmt%202_2.png" target="_blank"&gt;&lt;img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="2009,05 - Patch Mgmt 2" border="0" alt="2009,05 - Patch Mgmt 2" src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/PatchManagementthefirststeptowardscompli_D7A6/2009,05%20-%20Patch%20Mgmt%202_thumb.png" width="500" height="479" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;As I am mail-driven, this allows me to see what I have to do with regard to WSUS. 
I then can log-on to my WSUS server to get more granular reports:&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/PatchManagementthefirststeptowardscompli_D7A6/2009,05%20-%20Patch%20Mgmt%203_2.png" target="_blank"&gt;&lt;img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="2009,05 - Patch Mgmt 3" border="0" alt="2009,05 - Patch Mgmt 3" src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/PatchManagementthefirststeptowardscompli_D7A6/2009,05%20-%20Patch%20Mgmt%203_thumb.png" width="500" height="261" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;From here on, I can decide, which actions I want to take, based on detailed reports I can get by clicking one of the texts in the UI:&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/PatchManagementthefirststeptowardscompli_D7A6/2009,05%20-%20Patch%20Mgmt%204_2.png" target="_blank"&gt;&lt;img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="2009,05 - Patch Mgmt 4" border="0" alt="2009,05 - Patch Mgmt 4" src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/PatchManagementthefirststeptowardscompli_D7A6/2009,05%20-%20Patch%20Mgmt%204_thumb.png" width="500" height="388" /&gt;&lt;/a&gt;&amp;#160;&lt;a href="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/PatchManagementthefirststeptowardscompli_D7A6/2009,05%20-%20Patch%20Mgmt%205_2.png" target="_blank"&gt;&lt;img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="2009,05 - Patch Mgmt 5" border="0" alt="2009,05 - Patch Mgmt 5" 
src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/PatchManagementthefirststeptowardscompli_D7A6/2009,05%20-%20Patch%20Mgmt%205_thumb.png" width="500" height="388" /&gt;&lt;/a&gt; &lt;/p&gt;  &lt;p&gt;BTW: this machine is patched in the meantime – so do not even think about it &lt;img alt="smile_wink" src="http://spaces.live.com/rte/emoticons/smile_wink.gif" /&gt;&lt;/p&gt;  &lt;p&gt;Even if you cannot enforce the security update level technically that way (and we will talk about Network Access Protection in a later post), it at least helps you to understand, where you stand and what you have to do in order to get compliant.&lt;/p&gt;  &lt;p&gt;Again (as I did so often) my call to action to you: Make sure that you have a straight-forward process in place and then use technology (like WSUS) to deploy the updates and ensure that you have deployed them correctly!&lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3244527" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft+Products/default.aspx">Microsoft Products</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft/default.aspx">Microsoft</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Processes/default.aspx">Processes</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Technology/default.aspx">Technology</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Securing+My+Infrastructure/default.aspx">Securing My Infrastructure</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Behaviour/default.aspx">Behaviour</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Patch+Management/default.aspx">Patch Management</category></item><item><title>The 
Carbon Footprint of Spam</title><link>http://blogs.technet.com/rhalbheer/archive/2009/04/25/the-carbon-footprint-of-spam.aspx</link><pubDate>Sat, 25 Apr 2009 22:36:18 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3230526</guid><dc:creator>rhalbh</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3230526.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3230526</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3230526</wfw:comment><description>&lt;p&gt;McAfee just published an interesting report as they are taking a different approach on Spam. They were looking at the environmental impact of Spam. So, how much energy do we have to invest in order to fight spam?&lt;/p&gt;  &lt;p&gt;These are the key findings from their report:&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;An estimated worldwide total of 62 trillion spam emails were sent in 2008 &lt;/li&gt;    &lt;li&gt;Globally, annual spam energy use totals 33 billion kilowatt-hours (KWh), or 33 terawatt hours (TWh). That’s equivalent to the electricity used in 2.4 million homes in the United States, with the same GHG emissions as &lt;strong&gt;3.1 million passenger cars using two billion United States gallons of gasoline&lt;/strong&gt;. &lt;/li&gt;    &lt;li&gt;Spam filtering saves 135 TWh of electricity per year. &lt;strong&gt;That’s like taking 13 million cars off the road&lt;/strong&gt; &lt;/li&gt;    &lt;li&gt;If every inbox were protected by a state-of-the-art spam filter, organizations and individuals &lt;strong&gt;could reduce today’s spam energy by approximately 75 percent or 25 TWh per year. That’s equivalent to taking 2.3 million cars off the road&lt;/strong&gt; &lt;/li&gt;    &lt;li&gt;The average GHG emission associated with a single spam message is 0.3 grams of CO2. 
That’s like driving three feet (one meter) in equivalent emissions, but when multiplied by the annual volume of spam, it’s like driving around the Earth 1.6 million times &lt;/li&gt;    &lt;li&gt;A year’s email at a typical medium-size business uses 50,000 KWh; more than one fifth of that annual use can be associated with spam &lt;/li&gt;    &lt;li&gt;Filtering spam is beneficial, but fighting spam at the source is even better. When McColo, a major source of online spam, was taken offline in late 2008, the energy saved in the ensuing lull —&amp;#160; before spammers rebuilt their sending capacity —&amp;#160; equated to taking 2.2 million cars off the road &lt;/li&gt;    &lt;li&gt;Much of the energy consumption associated with spam (80 percent) comes from end-users deleting spam and searching for legitimate email (false positives). Spam filtering accounts for just 16 percent of spam-related energy use &lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;And that’s just by using Spam-Filters! The whole report can be found here: &lt;a href="http://newsroom.mcafee.com/images/10039/carbonfootprint2009.pdf" target="_blank"&gt;The Carbon Footprint of Email Spam&lt;/a&gt;.&lt;/p&gt;  &lt;p&gt;Needless to say that – if you are using Exchange you already have a good Spam-protection out of the box. You even get better with Forefront for Exchange and even better with Stirling:&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;For Exchange Server 2003 it is the &lt;a href="http://technet.microsoft.com/en-us/exchange/bb288484.aspx" target="_blank"&gt;Intelligent Message Filter&lt;/a&gt; &lt;/li&gt;    &lt;li&gt;In Exchange Server 2007, there are different technologies applied. You find the corresponding information &lt;a href="http://technet.microsoft.com/en-us/library/aa997658.aspx" target="_blank"&gt;here&lt;/a&gt;. 
&lt;/li&gt;    &lt;li&gt;And Forefront: &lt;a href="http://technet.microsoft.com/en-us/library/aa997658.aspx" target="_blank"&gt;Protecting Your Microsoft Exchange Organization with Microsoft Forefront Security for Exchange Server&lt;/a&gt; &lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;I deployed Stirling, the next version of Forefront, on my Exchange Server. I have five active mailboxes (really a huge load &lt;img alt="smile_wink" src="http://spaces.live.com/rte/emoticons/smile_wink.gif" /&gt;) and a few operational ones. The figures from Stirling are very interesting:&lt;/p&gt;  &lt;p&gt;During the last month, I got 58’636 incoming messages. My Spam-Filter found 57’439 as being Spam, which means that I had a Spam-Rate of 97.96% (and I do not know of any mail I lost in transit).&lt;/p&gt;  &lt;p&gt;If you look at the overview statistics, it looks like this:&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/TheCarbonFootprintofSpam_C5C1/2009,05%20Spam%203_2.png" target="_blank"&gt;&lt;img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="2009,05 Spam 3" border="0" alt="2009,05 Spam 3" src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/TheCarbonFootprintofSpam_C5C1/2009,05%20Spam%203_thumb.png" width="500" height="102" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;The details of the connection filter:&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/TheCarbonFootprintofSpam_C5C1/2009,05%20Spam%201_2.png" target="_blank"&gt;&lt;img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="2009,05 Spam 1" border="0" alt="2009,05 Spam 1" 
src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/TheCarbonFootprintofSpam_C5C1/2009,05%20Spam%201_thumb.png" width="500" height="106" /&gt;&lt;/a&gt; And last but definitely not least, the performance of the filter after the mails passed all the connection-level filters:&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/TheCarbonFootprintofSpam_C5C1/2009,05%20Spam%202_2.png" target="_blank"&gt;&lt;img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="2009,05 Spam 2" border="0" alt="2009,05 Spam 2" src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/TheCarbonFootprintofSpam_C5C1/2009,05%20Spam%202_thumb.png" width="500" height="185" /&gt;&lt;/a&gt; What I like with the last statistics is, that the SPAM Confidence Level is either very high or very low but nothing in between. So, the filter gives me a clear message on whether it is SPAM or not. 
There is close to nothing which is “maybe SPAM” – it is less than 1%!&lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3230526" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft+Products/default.aspx">Microsoft Products</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Policy/default.aspx">Policy</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft/default.aspx">Microsoft</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Technology/default.aspx">Technology</category></item><item><title>Network Access Protection Client for Mac and Linux</title><link>http://blogs.technet.com/rhalbheer/archive/2009/01/07/network-access-protection-client-for-mac-and-linux.aspx</link><pubDate>Wed, 07 Jan 2009 16:19:27 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3177401</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3177401.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3177401</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3177401</wfw:comment><description>&lt;p&gt;This is very exciting news: &lt;a target="_blank" 
href="http://www.unetsystem.co.kr/eng/"&gt;Unet&lt;/a&gt;, one of our NAP partners now delivers a &lt;a target="_blank" href="http://unet.co.kr/nap/11overview.html"&gt;NAP Client for Mac and Linux&lt;/a&gt;.&lt;/p&gt;  &lt;p&gt;Here are some very cool screenshots from their website:&lt;/p&gt;  &lt;p&gt;This is the &lt;strong&gt;Windows Client&lt;/strong&gt;:&lt;/p&gt;  &lt;p&gt;&lt;img style="display: block; float: none; margin-left: auto; margin-right: auto" src="http://unet.co.kr/nap/screenshot/UNETSHA_Windows_ScreenShot.jpg" width="609" height="365" /&gt;&lt;/p&gt;  &lt;p&gt;Here for &lt;strong&gt;Mac&lt;/strong&gt;:&lt;/p&gt;  &lt;p&gt;&lt;img style="display: block; float: none; margin-left: auto; margin-right: auto" src="http://unet.co.kr/nap/screenshot/UNETSHA_MAC_ScreenShot.jpg" width="609" height="381" /&gt;&lt;/p&gt;  &lt;p&gt;And finally for &lt;strong&gt;Linux&lt;/strong&gt;:&lt;/p&gt;  &lt;p&gt;&lt;img style="display: block; float: none; margin-left: auto; margin-right: auto" src="http://unet.co.kr/nap/screenshot/UNETSHALinux_ScreenShot.jpg" width="609" height="381" /&gt;&lt;/p&gt;  &lt;p&gt;If you are running mixed environments, you should look into &lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3177401" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft+Products/default.aspx">Microsoft Products</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft/default.aspx">Microsoft</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Technology/default.aspx">Technology</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Interoperability/default.aspx">Interoperability</category></item><item><title>Deploying IPsec Server and Domain Isolation using Windows Server 2008 Group 
Policy</title><link>http://blogs.technet.com/rhalbheer/archive/2008/10/14/deploying-ipsec-server-and-domain-isolation-using-windows-server-2008-group-policy.aspx</link><pubDate>Tue, 14 Oct 2008 11:39:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3135122</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3135122.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3135122</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3135122</wfw:comment><description>&lt;P&gt;As you know (at least I hope that you do) we introduced Network Access Protection with Windows Server 2008. Thomas Shinder now published an article on WindowsSecurity.com about how to implement NAP and IPSec and Domain Isolation via Group Policies. It is a first part of a very good step-by-step guide: &lt;/P&gt;
&lt;P&gt;&lt;A href="http://www.windowsecurity.com/articles/Deploying-IPsec-Server-Domain-Isolation-Windows-Server-2008-Group-Policy-Part1.html" mce_href="http://www.windowsecurity.com/articles/Deploying-IPsec-Server-Domain-Isolation-Windows-Server-2008-Group-Policy-Part1.html"&gt;Deploying IPsec Server and Domain Isolation using Windows Server 2008 Group Policy&lt;/A&gt; &lt;/P&gt;
&lt;P&gt;Roger&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3135122" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft+Products/default.aspx">Microsoft Products</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Technology/default.aspx">Technology</category></item><item><title>Network Access Protection Design Guide</title><link>http://blogs.technet.com/rhalbheer/archive/2008/10/10/network-access-protection-design-guide.aspx</link><pubDate>Fri, 10 Oct 2008 21:02:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3135131</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3135131.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3135131</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3135131</wfw:comment><description>&lt;P&gt;If you are looking into deploying Network Access Protection, have a look at the recently published &lt;A href="http://technet.microsoft.com/en-us/library/dd125338.aspx" mce_href="http://technet.microsoft.com/en-us/library/dd125338.aspx"&gt;Network Access Protection Design Guide&lt;/A&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/P&gt;
&lt;P&gt;Roger&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3135131" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft+Products/default.aspx">Microsoft Products</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Technology/default.aspx">Technology</category></item><item><title>Some Thoughts on UAC</title><link>http://blogs.technet.com/rhalbheer/archive/2008/10/06/some-thoughts-on-uac.aspx</link><pubDate>Mon, 06 Oct 2008 12:27:39 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3132801</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3132801.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3132801</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3132801</wfw:comment><description>&lt;p&gt;I blogged several times already on UAC as this has been (and partly still is) a very disputed security feature in Windows Vista (which I still support!). I just found today a not really new blog post on UAC, which I think is worth reading. It is from April this year and is called &lt;a href="http://blogs.msdn.com/crispincowan/archive/2008/04/28/uac-desert-topping-or-floor-wax.aspx"&gt;UAC: Desert Topping, or Floor Wax?&lt;/a&gt;
	&lt;/p&gt;&lt;p&gt;Even though we could dispute whether UAC in some forms is a security boundary or not (this is addressed in the post), I think it gives some very interesting views on the debate about UAC.
&lt;/p&gt;&lt;p&gt;Roger&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3132801" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft+Products/default.aspx">Microsoft Products</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Trends/default.aspx">Trends</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Technology/default.aspx">Technology</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Trustworthy+Computing/default.aspx">Trustworthy Computing</category></item><item><title>Why I do not like e-voting (part 3)</title><link>http://blogs.technet.com/rhalbheer/archive/2008/10/05/why-i-do-not-like-e-voting-part-3.aspx</link><pubDate>Sun, 05 Oct 2008 14:24:30 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3132480</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3132480.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3132480</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3132480</wfw:comment><description>&lt;p&gt;It goes on and on and on: Read this one &lt;a href="http://www.freedom-to-tinker.com/blog/appel/judge-suppresses-report-voting-machine-security"&gt;Judge Suppresses Report on Voting Machine Security&lt;/a&gt;
	&lt;/p&gt;&lt;p&gt;Roger&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3132480" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Law+Enforcement/default.aspx">Law Enforcement</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Technology/default.aspx">Technology</category></item><item><title>Insights into Windows 7 Engineering</title><link>http://blogs.technet.com/rhalbheer/archive/2008/08/18/insights-into-windows-7-engineering.aspx</link><pubDate>Tue, 19 Aug 2008 00:13:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3107615</guid><dc:creator>rhalbh</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3107615.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3107615</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3107615</wfw:comment><description>&lt;P&gt;Are you interested to learn how Windows 7 (next version of Windows) is engineered? Are you willing to get in touch with the engineering team? Then read their blog: &lt;A href="http://blogs.msdn.com/e7/default.aspx" mce_href="http://blogs.msdn.com/e7/default.aspx"&gt;Engineering Windows 7&lt;/A&gt; &lt;/P&gt;
&lt;P&gt;Roger&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3107615" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft+Products/default.aspx">Microsoft Products</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Policy/default.aspx">Policy</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Processes/default.aspx">Processes</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Technology/default.aspx">Technology</category></item><item><title>Some Thoughts on Today’s Bulletins</title><link>http://blogs.technet.com/rhalbheer/archive/2008/07/08/some-thoughts-to-today-s-bulletins.aspx</link><pubDate>Tue, 08 Jul 2008 23:39:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3085788</guid><dc:creator>rhalbh</dc:creator><slash:comments>5</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3085788.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3085788</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3085788</wfw:comment><description>&lt;P&gt;As always: It is the second Tuesday of the months and we released the Security Updates. However, this month is special from one perspective: We released an update for the DNS resolver, which is released simultaneously by a lot of DNS vendors with the same vulnerability. Here are some technical details about this vulnerability on the SWI blog: &lt;A href="http://blogs.technet.com/swi/archive/2008/07/08/ms08-037-more-entropy-in-the-dns-resolver.aspx" mce_href="http://blogs.technet.com/swi/archive/2008/07/08/ms08-037-more-entropy-in-the-dns-resolver.aspx"&gt;MS08-037 : More entropy for the DNS resolver&lt;/A&gt; . 
If you want to get some additional details on the vulnerabilities we fixed, the SWI blog might be a very good source: &lt;A href="http://blogs.technet.com/swi/" mce_href="http://blogs.technet.com/swi/"&gt;Security Vulnerability Research &amp;amp; Defense&lt;/A&gt; &lt;/P&gt;
&lt;P&gt;Roger&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3085788" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft+Products/default.aspx">Microsoft Products</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Technology/default.aspx">Technology</category></item><item><title>On-Premise vs. On-Demand (or SaaS) – A Quocirca Report</title><link>http://blogs.technet.com/rhalbheer/archive/2008/06/04/on-premise-vs-on-demand-or-saas-a-quocirca-report.aspx</link><pubDate>Wed, 04 Jun 2008 10:00:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3065287</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3065287.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3065287</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3065287</wfw:comment><description>&lt;P&gt;I was made aware of a pretty good report on Software as a Service Quocirca did in collaboration with Microsoft. It is not the kind of "new, what you never heard before"-thing but I personally think that it is a good investment of time to get an overview of Software as a Service and some additional views and thoughts on it. &lt;/P&gt;
&lt;P&gt;The report can be found here: &lt;A href="http://www.quocirca.com/pages/analysis/reports/view/store250/item21279/?link_683=21279" mce_href="http://www.quocirca.com/pages/analysis/reports/view/store250/item21279/?link_683=21279"&gt;On-premise and on-demand&lt;/A&gt; and you have to go through a free registration in order to get access to the full report &lt;/P&gt;
&lt;P&gt;Roger&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3065287" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Trends/default.aspx">Trends</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Technology/default.aspx">Technology</category></item><item><title>Windows Server 2008 PKI and Certificate Security</title><link>http://blogs.technet.com/rhalbheer/archive/2008/06/03/windows-server-2008-pki-and-certificate-security.aspx</link><pubDate>Tue, 03 Jun 2008 21:01:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3065230</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3065230.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3065230</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3065230</wfw:comment><description>&lt;P&gt;Fresh out of press (ok, it is out since beginning of April but I just saw it now): Brian Komar, the well-known author of several PKI books on Windows Server just released a new book called &lt;A href="http://www.microsoft.com/MSPress/books/9549.aspx" mce_href="http://www.microsoft.com/MSPress/books/9549.aspx"&gt;Windows Server 2008 PKI and Certificate Security&lt;/A&gt;. If you are planning a Windows Server 2008 PKI, this is a must-read (at least knowing Brian's books &lt;SPAN style="FONT-FAMILY: Wingdings"&gt;J&lt;/SPAN&gt;). &lt;/P&gt;
&lt;P&gt;Here is the abstract: &lt;/P&gt;
&lt;P&gt;&lt;EM&gt;Get in-depth guidance for designing and implementing certificate-based security solutions—straight from PKI expert Brian Komar. No need to buy or outsource costly PKI services when you can use the robust PKI and certificate-based security services already built into Windows Server 2008! This in-depth reference teaches you how to design and implement even the most demanding certificate-based security solutions for wireless networking, smart card authentication, VPNs, secure email, Web SSL, EFS, and code-signing applications using Windows Server PKI and certificate services. A principal PKI consultant to Microsoft, Brian shows you how to incorporate best practices, avoid common design and implementation mistakes, help minimize risk, and optimize security administration. &lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;Roger&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3065230" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft+Products/default.aspx">Microsoft Products</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Technology/default.aspx">Technology</category></item><item><title>The “successful” attack on Cardspace</title><link>http://blogs.technet.com/rhalbheer/archive/2008/06/02/the-successful-attack-on-cardspace.aspx</link><pubDate>Mon, 02 Jun 2008 10:38:10 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3064726</guid><dc:creator>rhalbh</dc:creator><slash:comments>3</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3064726.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3064726</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3064726</wfw:comment><description>&lt;p&gt;I guess you read it as it was pretty wide-spread in the press in the last few days: &lt;a href="http://demo.nds.rub.de/cardspace/"&gt;On the Insecurity of Microsoft's Identity Metasystem CardSpace&lt;/a&gt;. 
&lt;/p&gt;&lt;p&gt;Well, is there any official Microsoft reaction to it? No, not yet and if you look a little bit more in depth into it, I doubt that there will be. Why? Because the whole setup is ridiculous – at least in my opinion. To cut it short: If you ignore all the warnings of the OS and pull down all the protection shields we built into Windows Vista, then it is possible to attack Cardspace. This is true. Is it making me nervous? Not really.
&lt;/p&gt;&lt;p&gt;There are mainly two things that you have to do to make the attack successful before you can steal the Cardspace token: Spoof DNS and "compromise" the Root Certificate Store. Hmm, we all know that attacking a DNS could be possible (even though they do not include it in their presentation), but you need the help of the user as well in order to get a certificate in the Trusted Root store or trick a Certificate Provider into issuing a cert to you for a website you do not own. They failed to show in their "proof of concept" how they bring a root cert into the store without having serious support from the user.
&lt;/p&gt;&lt;p&gt;Is this a Cardspace vulnerability? I let you decide it.
&lt;/p&gt;&lt;p&gt;Kim Cameron posted twice now on this claimed vulnerability:
&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="http://www.identityblog.com/?p=987"&gt;Students enlist readers' assistance in CardSpace "breach"&lt;/a&gt;
		&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.identityblog.com/?p=988"&gt;How to set up your computer so people can attack it&lt;/a&gt;
		&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;You know that we take vulnerabilities in our software seriously. But what these students have done publicly now is – with all due respect for their work – irresponsible. It might be cool for them to blame Microsoft and show vulnerabilities in our software – but if you do it, please make sure that you at least meet the bar of a vulnerability without needing the in-depth help of the user.
&lt;/p&gt;&lt;p&gt;Roger&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3064726" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft+Products/default.aspx">Microsoft Products</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Incidents/default.aspx">Incidents</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Technology/default.aspx">Technology</category></item></channel></rss>