Help us understand how to structure, package, and deliver security guides to make your job more effective!

Dear reviewers,

Thank you for participating in this blog for the Security Guides. The customer feedback we received helped us build a high-quality Solution Accelerator that meets the needs of IT Professionals like you.

You have worked with our team on multiple reviews, and now have the chance to influence some of the changes we are planning to introduce to the content of the security guides.

 

The Solution Accelerator team is planning to re-engineer the content model used for our security guides. Specifically, we will be changing what content deliverables we produce going forward. We will look at the format, the data presented (in some cases), how we can reuse common content, packaging considerations, and tools to help automate the “get” and “set” of the security settings. We also want to ensure this content model looks to the future, so that we can address new technologies and applications.

 

Some of the goals for this project are:

·         Deliver a consistent and usable presentation for our customers and partners

·         Remove the redundant content we produce in our security guides

·         Document an extensible content model that can be implemented in a tool

·         Provide an automated build and packaging process for all of our security guides

·         Create a repeatable security guidance development process

I would like to present a quick 6-question survey to our enterprise customers and partners to help shape the redesign of our security guides and validate the approach. We would really appreciate your feedback. A short, 3-minute survey appears below.

https://connect.microsoft.com/InvitationUse.aspx?ProgramID=2409&InvitationID=SDBL-8F9C-6T4K&SiteID=14

Thanks again for your participation.

Regulatory Compliance Guide update!

Folks, we need your help!

If you're interested in contributing to our efforts to provide the best Solution Accelerators for Compliance, read on.

Generally, organizations that need to comply with regulations such as SOX and PCI DSS use a variety of disparate commercial and internally developed practices and tools. Microsoft is currently building a comprehensive governance, risk, and compliance solution that consists of knowledge, practices, community, and software.  We would like to offer you a special opportunity to help shape development of this solution and how Microsoft engages the compliance community. 

Participants may do so anonymously or, upon their authorization, be credited in applicable publications. They will be provided with early views of different components and have an opportunity to contribute to the formation of a comprehensive solution to help address IT compliance issues.

We are very interested in learning about how you align technologies to multiple, overlapping regulatory requirements and frameworks, as well as what tools and software you use. If you are interested, please take the time to join one of the live meetings we will be holding starting this week.

 

 

 

To participate in the live meeting, please join the team using the Microsoft Connect Web site (http://connect.microsoft.com).

 

Invitation code: oclm-X8PK-YVKH

 

 

 

 

 

 

 

Partner adopts Security Compliance Management toolkit
 

I wanted to thank SecureVantage for making the Security Compliance Management toolkit a success in their world.

 

SecureVantage

 

Our customers and partners are all very pleased with the new baselines provided in the Security Compliance Management toolkit for DCM along with the ease of customization supported via Config Pack design and guidance. This solution gives customers another great asset for assessing risk and monitoring configuration drift in the enterprise using System Center. From a security auditing and compliance perspective this is the best resource to be released from Microsoft since the regulatory compliance planning guide.

 

Thanks,

Jeremiah Beckett

President

 

 

 

If you're interested in how they are using the Solution Accelerator, check them out at:

 

http://securevantage.spaces.live.com/

 

 

 

Security identification using Microsoft Assessment and Planning Toolkit 3.1

 

Are your PCs' antivirus (AV) and antispyware or anti-malware (AM) programs actually running?

If anything should keep you up at night, it's the question of whether your users' desktops and laptops are protected from malware.

 


 

Previously we talked about how NAP can provide a defense-in-depth layer to protect your PCs. But if you don't have NAP deployed, what can you do to determine whether your AM solution is up to snuff?

 

One simple solution is to use command-line WMI calls, or to script a WMI query against Windows Security Center, to see whether your AM software is installed and running. However, this can be a very difficult task if you have more than two computers to check.

 

 

 

The Solution Accelerators team has solved this issue in the latest release of the Microsoft Assessment and Planning Toolkit version 3.1!

 

For those of you who aren't familiar with it, the Microsoft Assessment and Planning Toolkit (MAP) is basically a network-wide agent-less tool that can help you quickly find out where your desktops and servers are and then generate status information about their security configuration and state.

 

The MAP Toolkit combines the strength of agent-less discovery and report generation capabilities from the previous generation (Windows Vista Hardware Assessment) with support for Hyper-V and SQL Server.

 

The pie-chart below is part of an auto-generated readiness report that illustrates the level of hardware readiness for Windows Vista upgrades across the desktop infrastructure.

 

MAP security report 

The MAP Toolkit 3.1 also provides:

  • Windows Vista hardware and device compatibility assessment
  • Office 2007 hardware compatibility assessment
  • Windows Server 2008 hardware and device compatibility assessment
  • Microsoft Application Virtualization hardware compatibility assessment
  • SNMP inventory reporting
  • Support for Hyper-V and SQL Server

 

So give it a try, and let us know what you think!

 

Configuration Drift
 

 

In my last blog I introduced a new Solution Accelerator called the Security Compliance Management toolkit. Today I'd like to help you learn more about this new Accelerator, but in a somewhat indirect way—by discussing a problem space known as configuration drift.

 

Probably the simplest way to understand configuration drift is to think about those servers in your server room that have been configured with local settings. To illustrate the problem space, let's consider the need to manage a server that requires a custom setting, such as the right to log on locally.

By default, Windows Server 2003 assigns the ability to log on locally as follows:

  • Administrators - Permit
  • Server Operators - Permit
  • Backup Operators - Permit

 

This is a good representation of who should be able to log on locally to a server. In fact, this configuration is recommended by the Windows Server 2003 Security Guide as one that should be enforced using Group Policy.

 

The need to restrict which users can access a server locally is a good security measure. However, it can be inconvenient in certain situations—for example, when a server requires service and a non-administrator user needs to perform that service. Typically, one of the following two quick solutions is used:

 

  • Add the user to the Administrators group temporarily, and 'trust' the user will not abuse their new power.
  • Create a group for non-Administrator users and assign this group the right to log on locally to the server.

 

Both are poor methods for managing local access to a server—but both are excellent examples of configuration drift.

 

So the question is how will you manage one-off changes like this? Also, how can you discover and identify changes that have occurred in a network that may not follow policy?

 

It's simple to correct a change in one system. However, how can you validate your systems' configurations, and then update or correct any ad-hoc changes that were made? The problem is complex, and difficult to resolve. However, for those of you using System Center Configuration Manager 2007, a feature known as Desired Configuration Manager (DCM) can be used to discover your network's configuration state. Configuration Packs that work with Configuration Manager were designed by the Solution Accelerators – Security and Compliance team (SA-SC), and you can use these Packs to check the configurations for the Windows XP, Windows Vista, and Windows Server 2003 computers in your network.

 

The one thing that's needed to accomplish such a check is a set of desired configuration values. SA-SC considered this a vital requirement for DCM. When they looked at the security knowledge within the different security guides that they created, it was clear that translating this knowledge to DCM configuration items would be of great value for IT professionals.
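
A minimal version of such a check for the "log on locally" example, comparing exported user-rights data against the desired value. This PowerShell is an added example, not DCM or the toolkit's Configuration Packs; the server names and INF contents are constructed samples in the format written by `secedit /export`, and the function name is hypothetical.

```powershell
# Added example (not part of the Security Compliance Management toolkit).
# Desired value from the post: Administrators, Server Operators and Backup
# Operators, expressed as their well-known SIDs.
$Baseline = @{
    'S-1-5-32-544' = 'Administrators'
    'S-1-5-32-549' = 'Server Operators'
    'S-1-5-32-551' = 'Backup Operators'
}

function Get-LogonLocallyDrift {
    param(
        [string]$Server,
        [string[]]$InfLines,
        [hashtable]$Baseline
    )
    # The right appears as one line: SeInteractiveLogonRight = *SID,*SID,...
    # (SeDenyInteractiveLogonRight is a different right and does not match.)
    $line = $InfLines |
        Where-Object { $_ -match '^\s*SeInteractiveLogonRight\s*=' } |
        Select-Object -First 1

    $actual = @()
    if ($line) {
        # SIDs are written with a leading '*'; unresolved local accounts appear by name.
        $actual = @(($line -split '=', 2)[1] -split ',' |
            ForEach-Object { $_.Trim().TrimStart('*') } |
            Where-Object { $_ })
    }

    # Drift in either direction: principals added outside policy, or
    # baseline principals that were removed.
    $added   = @($actual | Where-Object { -not $Baseline.ContainsKey($_) })
    $missing = @($Baseline.Keys | Where-Object { $actual -notcontains $_ } |
        ForEach-Object { $Baseline[$_] })

    [pscustomobject]@{
        Server    = $Server
        Compliant = ($added.Count -eq 0 -and $missing.Count -eq 0)
        Added     = $added -join ', '
        Missing   = $missing -join ', '
    }
}

# Constructed sample exports. On a real server, from an elevated prompt:
#   secedit /export /cfg C:\Temp\rights.inf /areas USER_RIGHTS
# and pass (Get-Content C:\Temp\rights.inf) as -InfLines.
$exports = [ordered]@{
    'SRV-EXAMPLE-01' = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-549,*S-1-5-32-551
'@
    # The second "quick solution" from the post: an extra group (constructed SID)
    # was granted the right locally.
    'SRV-EXAMPLE-02' = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-549,*S-1-5-32-551,*S-1-5-21-1111111111-2222222222-3333333333-1105
'@
}

foreach ($name in $exports.Keys) {
    Get-LogonLocallyDrift -Server $name -InfLines ($exports[$name] -split "`r?`n") -Baseline $Baseline
}
```

The first quick solution in the post (adding the user to Administrators) leaves this right unchanged, so catching it needs a separate check of local group membership.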

 

In upcoming blogs I'll look more closely at DCM, the required components for exploring configuration drift, and how this can be done effectively for a network. For now, if you haven't looked at the Security Compliance Management toolkit I recommend you take a few minutes to see if it can help you manage configuration drift in your organization.

http://go.microsoft.com/?linkid=9040607

 

 

 

Security Compliance Management Released!
 

If you have not heard yet, Solution Accelerators has released a great new toolkit!

 

Microsoft has created the Security Compliance Management toolkit. The toolkit provides best practices from Microsoft about how to plan, deploy, and monitor a security baseline. In addition, the toolkit provides some information about how to remediate security baseline issues. The toolkit also offers a proven method that your organization can use to effectively monitor the compliance state of recommended security baselines for Windows Vista®, Windows® XP Service Pack 2 (SP2), and Windows Server® 2003 SP2.

Simplify monitoring of security baselines for the computers in your environment. Monitor the security compliance state of your IT environment using the DCM feature of Configuration Manager 2007.

 

The toolkit is packed with more than 300 security settings and the knowledge needed to set up and monitor Microsoft operating systems.

The Configuration Packs provide the compliance information needed by IT Professionals to verify and validate the configuration established after Group Policies are implemented using tools such as the GPOAccelerator. To learn more about Security Compliance Management or Microsoft Desired Configuration Monitor (DCM), see http://www.microsoft.com/securitycompliance

Compliance Best Practices
 

In the Solution Accelerators – Security and Compliance (SA-SC) team our intention is to provide customers with the ability to easily adopt Microsoft technologies to create solutions. The idea might sound like a marketing ploy, but the truth is that we DO work hard to make Act Faster, Go Further a meaningful slogan.

 

Over the past several months this blog has spent time discussing new accelerators that our team has released, but very little time has been spent looking inside the group and its activities.

 

As a new Product Manager for SA-SC I want to enhance this blog, and provide an ongoing look inside our efforts. I want to give you a chance to see how we work within Microsoft to help our technology become easier to adopt. To start with, I want to talk about some of the work being done by our Compliance project team and their efforts to bridge the gap between technology and compliance.

 

 

Compliance Ready Customer-Driven Products

 

Compliance is a remarkably complex problem for many organizations. Before you can figure out how you can comply with a regulation such as HIPAA, SOX, or PCI-DSS, you need to be able to know what you're trying to secure and why.

 

The Compliance team has been working diligently to put a face on the many compliance mechanisms.

 

 

Compliance Best Practices

 

One idea that has been getting attention in SAT is the idea of easy-to-use Compliance Best Practices, or CBPs. So the next question worth asking is what are CBPs?

 

CBPs are "Recommended tasks to help organizations comply with regulations and legislation such as SOX and PCI. IT Pros can create checklists of best practices to help prepare representative data about compliance for auditors, which can help reduce the risk of audit failure. Such best practices are recommended by oversight organizations such as the American Institute of Certified Public Accountants (AICPA) and the International Organization for Standardization (developer of the ISO 27000 standard)."

 

I look forward to sharing more information about CBPs and plan to provide an analysis of one as it becomes available in the near future. The current challenge involves creating a feedback loop—that is, figuring out the best way to ensure that best practice guidance becomes best practice.

 

Microsoft Forefront Integration Kit for Network Access Protection (Deployed Part 4 Final)
 

Our final Solution Accelerator story is about Napera, a company that provided an interesting twist to the Microsoft Forefront Integration Kit for NAP: a simple-to-use NAP appliance. Napera focuses on organizations with a need for a simple defense-in-depth solution that provides protection against unauthorized network access as well as simple health checks.

 


 

 

Napera has proven that NAP can be made easy for organizations in which simple and low-to-no maintenance is essential.

 

Todd from Napera has worked with the Forefront Client Security/NAP Integration Kit team, and as a partner he has come to see the potential value of providing his customers a new integration point for FCS and NAP. The Napera solution is an excellent adoption example for Microsoft, and illustrates how Solution Accelerators can pioneer new ways that partners can use Microsoft products.

 

In this series we've looked at the Solution Accelerator team's ability to foster deployment of three Microsoft products: Windows Server 2008, NAP, and Forefront Client Security.

 

 

 

Microsoft Forefront Integration Kit for Network Access Protection (Deployed Part 3)
 

NAP provides several key benefits to an organization's defense-in-depth model. One of these benefits is showcased in our next customer story about using the Microsoft Forefront Integration Kit for NAP.

 

 

 

Alex at Ball State University has been a key NAP partner during the development of the FCS/NAP Integration Kit. A key scenario that was addressed by this Solution Accelerator was the ability to provide computers in labs and kiosks with health checks to ensure that the Forefront Client Security configuration is not tampered with. (It's no surprise that any computer in a public location is more likely to be subject to abuse.) Alex saw the opportunity to add Forefront Client Security and the FCS System Health Agent, and to enable NAP, for the computers in volatile computer roles.

As a result, Alex can manage these computers' access to the university's LAN and ensure that the FCS anti-malware solution is kept running at all times. Let's look at this scenario a bit closer.

We have a lab computer that can be reimaged quickly when it is suspected to be unhealthy. However, this does not prevent students from tampering with the computer's configuration or borrowing the computer's interface (port) to plug in their own PC.

With the integration of FCS and NAP, the scenario can be mitigated to ensure that if the lab PC has had its FCS installation disabled or damaged, the FCS SHA will restore Forefront Client Security detection capabilities. In the case of an interface moved to a personal PC in a lab environment, the SHA can ensure that an anti-malware solution (Forefront Client Security) is running on the system, and if the PC does not have FCS installed it can be prevented from accessing the university's LAN.

It's great to hear that the Solution Accelerators team was able to help a customer see the value of Forefront Client Security. Ball State University is now looking at a broader Forefront Client Security deployment.

 

Look for our 4th and final installment on May 19th 2008.

 

 

 

 

Microsoft Forefront Integration Kit for Network Access Protection (Deployed Part 2)

 

 

The next installment of the Forefront Client Security/NAP integration story is about one of our partners. In today's blog we will look at a partner who has become an advocate for both NAP and Forefront Client Security (FCS).

  


 

Fatih from Blue Ridge Networks is a Microsoft NAP partner who also participated in the beta program for the Microsoft Forefront Integration Kit for NAP. His interest was mainly focused on providing his customers with access to solutions that can bridge the gap between NAP and FCS.

 

In his own words: "I was able to demonstrate the technology to some of our prospective customers. I recommended deployment of the Forefront Client Security product for one of our customers. It is now certain that we will be deploying this product in the next two months."

 

The ability to provide a clear path that integrates two Microsoft technologies is a key strategic position that Solution Accelerators prides itself in. As a result, Fatih can provide his customers with real value, both in his services and by providing a leading-edge technology from Microsoft.

 

In tomorrow's blog we will take a look at a university, and how they plan to use FCS and NAP to change the student experience when connecting to a campus network.

 

 

One last thing I need to mention: if you are interested in coming to work for Microsoft, this is your BIG chance.

 

 

 

We’re hiring and have several positions open. You can find out more at Microsoft Careers. Take a look at the following job listings:

 

  • Program Manager, Job ID 227129
  • Program Manager, Job ID 225981
  • Software Development Engineer, Job ID 214656
  • Program Manager, Job ID 229809

 

Microsoft Forefront Integration Kit for Network Access Protection (Deployed!)

 

Windows Server 2008 introduced a new PC protection technology that provides administrators an answer to a complex problem: How do you make sure that computers that use network resources are healthy? Network Access Protection (NAP) was engineered to provide an answer to this problem. For a more detailed understanding of NAP, go to http://blogs.technet.com/nap/ - Jeff Sigman maintains a remarkable site, with more real life information about NAP than you would ever imagine.

 

NAP offers many answers and opportunities for client health monitoring. One item worth looking at is a new Solution Accelerator that integrates Forefront Client Security (FCS) and NAP.

 

Quick Overview of the Microsoft Forefront Integration Kit for NAP

This Solution Accelerator was created to provide Forefront Client Security v1 the ability to work in harmony with NAP.

 

NAP provides out-of-the-box capability to monitor antivirus solutions using the Windows Security Health Agent (WSHA). However, it cannot distinguish between a full-fledged AV product such as FCS and a generic solution such as Bob and Doug's Famous AV. The WSHA was created simply to validate that an AV product is registered in Windows Security Center.

 

If I lost you in the last statement, think of it this way. Bob and Doug's Famous AV product is a fictional tool. However, if I were to write a small Visual Basic app that registered with Security Center as an AV tool, called it Bob and Doug's Famous AV, and installed it on a Windows Vista computer, the little status light in your Security Center (type 'Security Center' in the Start bar to see your Security Center status) would go from Red to Green.

 

And since the Windows SHA depends on this status, it would validate that an AV tool is installed and running and let you pass your health check.

 

The Forefront Client Security System Health Agent created by Solution Accelerators provides a much more integrated story. It's FCS-aware, which means that FCS must actually be installed and running properly—no funny stuff.
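
The gap between "registered in Security Center" and "actually installed and running", and the multi-computer Security Center query mentioned in the MAP post above, can be checked by hand. The following PowerShell is an added example, not code from the Integration Kit or the MAP Toolkit; the function name, the host names, the service name `ExampleAmSvc` and the display-name pattern are assumptions to replace with your own values.

```powershell
# Added example (not from the Integration Kit). Requires WinRM on the targets.
# The Security Center WMI namespace exists on Windows client editions only;
# Windows XP and pre-SP1 Windows Vista expose it as root/SecurityCenter.
function Get-AmHealth {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        # Assumption: regex matching the display name of your approved product.
        [Parameter(Mandatory)][string]$ApprovedPattern,
        # Assumption: service name the approved engine runs as (placeholder).
        [Parameter(Mandatory)][string]$ExpectedService,
        [string]$Namespace = 'root/SecurityCenter2'
    )
    foreach ($computer in $ComputerName) {
        $row = [ordered]@{
            Computer     = $computer
            Registered   = @()
            ServiceState = 'Unknown'
            Verdict      = 'Unreachable'
        }
        $cim = @{ ComputerName = $computer; ErrorAction = 'Stop' }
        try {
            # 1. What Security Center sees: every product that registered
            #    itself as antivirus, whatever it really is.
            $products = @(Get-CimInstance @cim -Namespace $Namespace -ClassName AntiVirusProduct)
            $row.Registered = @($products | ForEach-Object { $_.displayName })

            # 2. Independent evidence: is the approved engine's service running?
            $svc = Get-CimInstance @cim -ClassName Win32_Service -Filter "Name='$ExpectedService'"
            $row.ServiceState = if ($svc) { $svc.State } else { 'NotInstalled' }

            $approvedListed = [bool]($row.Registered -match $ApprovedPattern)
            if ($row.Registered.Count -eq 0) {
                $row.Verdict = 'NothingRegistered'
            }
            elseif (-not $approvedListed) {
                # Security Center is satisfied, but not by the approved product.
                $row.Verdict = 'UnapprovedProductOnly'
            }
            elseif ($row.ServiceState -ne 'Running') {
                $row.Verdict = 'RegisteredButNotRunning'
            }
            else {
                $row.Verdict = 'Healthy'
            }
        }
        catch {
            $row.Verdict = "Unreachable: $($_.Exception.Message)"
        }
        [pscustomobject]$row
    }
}

# Placeholder host names, pattern and service name.
Get-AmHealth -ComputerName 'PC-EXAMPLE-01', 'PC-EXAMPLE-02' `
    -ApprovedPattern 'Forefront' -ExpectedService 'ExampleAmSvc' |
    Format-Table -AutoSize
```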

 

If you would like to read up on this Accelerator a bit more, you can find a more comprehensive description in this blog:

 

New Beta Available: Microsoft Forefront Integration Kit for Network Access Protection

 

The Customer Perspective

As with many projects at Microsoft, the best way to measure success is to have our customers provide us early feedback on our efforts. And feedback we got!

 

I'd like to highlight a few of the success stories for you.

 

 

Andrew from Allina Hospitals & Clinics has been using Forefront Client Security to protect his network assets, and he sought a way to ensure that computers protected by FCS stay protected. The integration with NAP provides this capability. In addition, he found that he can use NAP to give network jacks located in public areas such as conference rooms an added level of security.

Let's say you're concerned that anyone can walk into a conference room and jack in. If there is a virus on this person's computer, it now has the ability to infect your network. NAP provides the ability to create and enforce a simple policy such as "All conference room jacks require that you have an up-to-date installation of Forefront Client Security."

 

An 802.1x switch will provide NAP with the ability to enforce this health requirement on any computer that uses the network port. In fact, all users who fail to comply can be placed into a managed network zone that gives them Internet access but protects the assets of the intranet. What a great idea!

 

Over the next week or so, I plan to provide several short follow-up blogs that showcase other great deployment stories.

 

Stay tuned.

Windows Server 2008 Security Guide Now Available!

Microsoft is pleased to announce the Windows Server 2008 Security Guide, which is now available to download.

Best Practices and Automation Tools to Help You Configure and Deploy Security Settings in Windows Server 2008

Windows Server® 2008 is built from the ground up with security in mind, and was designed to protect your organization from attacks on your network and servers—it’s the most secure Microsoft Windows Server operating system ever. With hundreds of security and privacy setting options, you can fine-tune your deployment of Windows Server 2008, balancing your organization’s needs for security and functionality.

To help you quickly configure, deploy, and manage security settings in Windows Server 2008 across your organization, Microsoft has developed the Windows Server 2008 Security Guide. This new Solution Accelerator provides IT professionals like you with best practices and automated tools to help strengthen the security of servers running Windows Server 2008.

Based on extensive, real-world experience from customers, government agencies, and Microsoft security experts, the Windows Server 2008 Security Guide lets you choose from two preconfigured security baselines. Both configurations have been thoroughly tested in Microsoft labs, and validated by customers and partners under real-world conditions.

Deploy Your Security Baseline Quickly and Reliably

The Windows Server 2008 Security Guide includes updates in the GPOAccelerator tool to help you quickly establish, test, and deploy your security configuration. The tool creates all the Group Policy objects (GPOs) you need to deploy the security configuration you choose. And because the tool eliminates many manual steps in the deployment process, you get faster and more reliable results.

 

Key Guide Components

The Windows Server 2008 Security Guide includes the following components:

·   Executive Overview – A summary for business and technical managers that briefly explains how you can use the guidance and the automated tool for this Solution Accelerator.

·   Server Role Hardening Guidance – A series of chapters in the security guide that offer detailed guidance on how to harden servers running Windows Server 2008 that handle the following server roles: Active Directory Domain Services (AD DS), DHCP, DNS, Web Server (IIS), File, Print, Active Directory Certificate Services (AD CS), Network and Access Services, and Terminal Services.

·   Security Settings Recommendation Appendix - A comprehensive technical reference that explains what every prescribed security setting in the Windows Server 2008 Security Guide does, and provides recommended configurations.

·   Attack Surface Reference Workbook – A resource that lists the changes introduced as server roles are installed on a computer running Windows Server 2008.

·   Security Settings Workbook – A resource that lists all prescribed settings for the two preconfigured security baselines provided by the guide.

·   GPOAccelerator tool – A tool that you can use to automatically create the GPOs recommended by the guide.


Learn About the Guide on TechNet

To learn more about the Windows Server 2008 Security Guide and to download the guide, click here.

To learn more about the GPOAccelerator and to download the tool, click here.


Visit the Security Guidance Page

Interested in other Solution Accelerators for Security and Compliance? Visit the Microsoft Security Guidance page.

New Beta Available: Microsoft Forefront Integration Kit for Network Access Protection

I would like to announce the beta release for the Microsoft® Forefront™ Integration Kit for Network Access Protection. We are making this beta release available so that we can get your feedback. With your help, we can ensure that the Kit meets your needs.

What is the Microsoft Forefront Integration Kit for Network Access Protection?

The Microsoft Forefront Integration Kit for Network Access Protection (NAP) provides software components that allow you to integrate NAP and Forefront Client Security. A network administrator can use these components to establish a system health policy that NAP uses to determine whether client computers that run Forefront Client Security comply with the policy before they are allowed access to network resources. The Kit will also provide instructions on how to install the components and configure the system health policy for Forefront Client Security.

What are the benefits?

·         Boosts security.  The Kit strengthens your malware defenses by integrating two key Microsoft security technologies: Forefront Client Security and Network Access Protection.

·         Saves time and reduces IT costs.  The Kit’s system health validator (SHV) allows you to quickly establish health policies for Forefront Client Security installations on all network clients. The system health agent (SHA) automatically monitors the health of these installations network-wide, and remediates problems—freeing up scarce IT resources for other tasks.

·         Easy to deploy.  You can install and configure the Kit in just a couple of hours.  

Where do I access the beta?

To learn more about the Kit, sign in to the Microsoft Connect Web site. Or, to join the beta program, click here and complete the beta program survey. Note that you may have to register to get access to the Connect site. You will be notified once you are given access to the beta Web site and can download the beta release. Be aware that in order to deploy the SHA and SHV from this kit, you will need to have NAP and Forefront Client Security deployed. I recommend that you read the Release Notes for the latest beta release information.

Let me know what you think about this Integration Kit. 

External Collaboration Toolkit for SharePoint Now Available

I am happy to announce the release of the External Collaboration Toolkit for SharePoint!

What is the External Collaboration Toolkit for SharePoint?

The External Collaboration Toolkit for SharePoint provides guidance and tools to deploy a pre-built, customizable SharePoint solution that teams can use to collaborate with those outside the firewall.  At the same time, the toolkit helps ensure that sensitive data on these systems is protected.

Once the ECTS is installed, your users can be up and running with a secure, SharePoint-based team site in minutes.  They can easily invite external users to collaborate, sharing documents that are centrally located on a SharePoint site inside the firewall.  Administrators can require administrative approval for all new sites and users, or they can delegate this control to end users and free up time for other tasks.

Where do I access the External Collaboration Toolkit for SharePoint?

The ECTS is available now at http://www.microsoft.com/collabkit.

New Beta Available: The Extranet Collaboration Toolkit for SharePoint

I am happy to announce the beta release for the Extranet Collaboration Toolkit for SharePoint. We are making this beta release available in order to get feedback from our customers and partners. With your help, we can ensure that the Extranet Collaboration Toolkit for SharePoint (ECTS) meets your needs.

What is the Extranet Collaboration Toolkit for SharePoint?

The Extranet Collaboration Toolkit for SharePoint provides guidance and tools to deploy a pre-built, customizable SharePoint solution that teams can use to collaborate with those outside the firewall. At the same time, the toolkit helps ensure that sensitive data on these systems is protected. Using this free toolkit, administrators can set up a secure, SharePoint-based extranet collaboration site in a short time. End users can then use this site to easily create new site collections, posting sharable documents that are centrally located inside the firewall. The toolkit also enables users to invite internal and external partners to collaborate on documents. And the toolkit makes it simple for team leads to assign or revoke access rights for any team member.

Once the ECTS is installed, your users can be up and running with a secure, SharePoint-based team site in minutes. They can easily invite and enable external users to collaborate with them, sharing documents that are centrally located on a SharePoint site inside the firewall. Administrators can require administrative approval for all new sites and users and precisely control the information outsiders can access, or they can delegate this control to end users and free up time for other tasks.

Where do I access the Beta?

To get started with the beta, please click here, then click the Downloads link. Note that you may have to register to get access to the Connect site.  On the list of downloads, click the Extranet Collaboration Toolkit for SharePoint. From this page, download all the beta files. I recommend that you read the Release Notes first to learn about any late breaking information related to the ECTS.
