-
NAP provides several key benefits to an organization's defense-in-depth model. One of these benefits is showcased in our next customer story about using the Microsoft Forefront Integration Kit for NAP.
Alex at Ball State University has been a key NAP partner during the development of the FCS/NAP Integration Kit. A key scenario that this Solution Accelerator addresses is the ability to give computers in labs and kiosks health checks that ensure the Forefront Client Security configuration has not been tampered with. (It's no surprise that any computer in a public location is more likely to be subject to abuse.) Alex saw the opportunity to add Forefront Client Security and the FCS System Health Agent, and to enable NAP, for the computers in these volatile roles.
As a result, Alex can manage these computers' access to the university's LAN and ensure that the FCS anti-malware solution is kept running at all times. Let's look at this scenario a bit closer.
We have a lab computer that can be reimaged quickly when it is suspected to be unhealthy. However, this does not prevent students from tampering with the computer's configuration or borrowing the computer's interface (port) to plug in their own PC.
With the integration of FCS and NAP, the scenario can be mitigated to ensure that if the lab PC has had its FCS installation disabled or damaged, the FCS SHA will restore Forefront Client Security detection capabilities. In the case of an interface moved to a personal PC in a lab environment, the SHA can ensure that an anti-malware solution (Forefront Client Security) is running on the system, and if the PC does not have FCS installed it can be prevented from accessing the university's LAN.
It's great to hear that the Solution Accelerators team was able to help a customer see the value of Forefront Client security. Ball State University is now looking at a broader Forefront Client Security deployment.
Look for our 4th and final installment on May 19th 2008.
-
The next installment of the Forefront Client Security/NAP integration story is about one of our partners. In today's blog we will look at a partner who has become an advocate for both NAP and Forefront Client Security (FCS).

Fatih from Blue Ridge Networks is a Microsoft NAP partner who also participated in the beta program for the Microsoft Forefront Integration Kit for NAP. His interest was mainly focused on providing his customers with access to solutions that can bridge the gap between NAP and FCS.
In his own words: "I was able to demonstrate the technology to some of our prospective customers. I recommended deployment of the Forefront Client Security product for one of our customers. It is now certain that we will be deploying this product in the next two months."
The ability to provide a clear path that integrates two Microsoft technologies is a key strategic position that Solution Accelerators prides itself on. As a result, Fatih can provide his customers with real value, both in his services and by providing a leading-edge technology from Microsoft.
In tomorrow's blog we will take a look at a university, and how they plan to use FCS and NAP to change the student experience when connecting to a campus network.
One last thing that I need to mention: if you are interested in coming to work for Microsoft, this is your BIG chance.
We’re hiring and have several positions open. You can find out more at Microsoft Careers. Take a look at the following job listings:
Job Title                     | Job ID
Program Manager               | 227129
Program Manager               | 225981
Software Development Engineer | 214656
Program Manager               | 229809
-
Windows Server 2008 introduced a new PC protection technology that provides administrators an answer to a complex problem: How do you make sure that computers that use network resources are healthy? Network Access Protection (NAP) was engineered to provide an answer to this problem. For a more detailed understanding of NAP, go to http://blogs.technet.com/nap/ - Jeff Sigman maintains a remarkable site, with more real life information about NAP than you would ever imagine.
NAP offers many answers and opportunities for client health monitoring. One item worth looking at is a new Solution Accelerator that integrates Forefront Client Security (FCS) and NAP.
Quick Overview of the Microsoft Forefront Integration Kit for NAP
This Solution Accelerator was created to give Forefront Client Security v1 the ability to work in harmony with NAP.
NAP provides out-of-the-box capability to monitor antivirus solutions using the Windows Security Health Agent (WSHA). However, it cannot distinguish between a full-fledged AV product such as FCS and a generic solution such as Bob and Doug's Famous AV. The WSHA was created simply to validate that an AV product is registered in Windows Security Center.
If I lost you in the last statement, think of it this way. Bob and Doug's Famous AV product is a fictional tool. However, if I were to write a small Visual Basic app that registered with Security Center as an AV tool, called it Bob and Doug's Famous AV, and installed it on a Windows Vista computer, the little status light in your Security Center (type 'Security Center' in the Start bar to see your Security Center status) would go from Red to Green.
And since the Windows SHA depends on this status, it would validate that an AV tool is installed and running and let you pass your health check.
The Forefront Client Security System Health Agent created by Solution Accelerators provides a much more integrated story. It's FCS-aware, which means that FCS must actually be installed and running properly—no funny stuff.
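To make the "registered is not the same as real" point concrete, here is an added PowerShell example (not code from the original post, and not part of the Integration Kit or the WSHA) that lists what Windows Security Center reports about registered antivirus products, which is all the Windows SHA looks at, and adds the check the WSHA lacks: whether the registered executable actually carries a valid Authenticode signature from the publisher you expect. The WMI namespaces and class are real; the `$ExpectedSigner` pattern and the function name are assumptions.

```powershell
# Added example, not code from the original post or from the Integration Kit.
# Shows what Windows Security Center reports about registered antivirus products,
# which is the only thing the Windows SHA validates, and adds the integrity check
# the WSHA lacks: is the registered executable really signed by the vendor you expect?
function Get-RegisteredAntivirus {
    param([string] $ExpectedSigner = '*Microsoft*')   # assumption: adjust for your AV vendor

    # Newer Windows versions publish AV registrations in root\SecurityCenter2 (which
    # carries productState and pathToSignedProductExe); older ones use root\SecurityCenter.
    $products = Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct -ErrorAction SilentlyContinue
    if (-not $products) {
        $products = Get-WmiObject -Namespace 'root\SecurityCenter' -Class AntiVirusProduct -ErrorAction SilentlyContinue
    }

    foreach ($p in $products) {
        $exe     = $p.pathToSignedProductExe      # $null on the older namespace
        $signer  = ''
        $trusted = $false
        if ($exe -and (Test-Path -LiteralPath $exe)) {
            $sig = Get-AuthenticodeSignature -FilePath $exe
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            # Registration alone proves nothing; a valid signature from the expected
            # publisher is what separates a real product from a look-alike.
            $trusted = ($sig.Status -eq 'Valid') -and ($signer -like $ExpectedSigner)
        }
        New-Object PSObject -Property @{
            DisplayName   = $p.displayName
            ProductState  = $p.productState   # numeric state flags (SecurityCenter2 only)
            Executable    = $exe
            Signer        = $signer
            TrustedSigner = $trusted
        }
    }
}

# Usage: anything that reports TrustedSigner = False deserves a closer look.
Get-RegisteredAntivirus | Format-Table DisplayName, TrustedSigner, Signer -AutoSize
```

A product that shows up green in Security Center but has no signed executable, or one signed by an unexpected publisher, is exactly the Bob and Doug's Famous AV case: the WSHA would pass it, and only a product-aware check like the FCS SHA (or a signature check like this one) catches it.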
If you would like to read up on this Accelerator a bit more, you can find a more comprehensive description in this blog:
New Beta Available: Microsoft Forefront Integration Kit for Network Access Protection
The Customer Perspective
As with many projects at Microsoft, the best way to measure success is to have our customers provide us early feedback on our efforts. And feedback we got!
I'd like to highlight a few of the success stories for you.

Andrew from Allina Hospitals & Clinics has been using Forefront Client Security to protect his network assets, and he sought a way to ensure that computers protected by FCS stay protected. The integration with NAP provides this capability. In addition, he found that he can use NAP to add a level of security to network jacks located in public areas such as conference rooms.
Let's say you're concerned that anyone can walk into a conference room and jack in. If there is a virus on this person's computer, it now has the ability to infect your network. NAP provides the ability to create and enforce a simple policy such as "All conference room jacks require that you have an up-to-date installation of Forefront Client Security."
An 802.1X switch gives NAP the ability to enforce this health requirement on any computer that uses the network port. In fact, all users who fail to comply can be placed into a managed network zone that gives them Internet access but protects the assets of the intranet. What a great idea!
Over the next week or so, I plan to provide several short follow-up blogs that showcase other great deployment stories.
Stay tuned.
-
Microsoft is pleased to announce the Windows Server 2008 Security Guide, which is now available to download.
Best Practices and Automation Tools to Help You Configure and Deploy Security Settings in Windows Server 2008
Windows Server® 2008 is built from the ground up with security in mind, and was designed to protect your organization from attacks on your network and servers—it’s the most secure Microsoft Windows Server operating system ever. With hundreds of security and privacy setting options, you can fine-tune your deployment of Windows Server 2008, balancing your organization’s needs for security and functionality.
To help you quickly configure, deploy, and manage security settings in Windows Server 2008 across your organization, Microsoft has developed the Windows Server 2008 Security Guide. This new Solution Accelerator provides IT professionals like you with best practices and automated tools to help strengthen the security of servers running Windows Server 2008.
Based on extensive, real-world experience from customers, government agencies, and Microsoft security experts, the Windows Server 2008 Security Guide lets you choose from two preconfigured security baselines. Both configurations have been thoroughly tested in Microsoft labs, and validated by customers and partners under real-world conditions.
Deploy Your Security Baseline Quickly and Reliably
The Windows Server 2008 Security Guide includes updates in the GPOAccelerator tool to help you quickly establish, test, and deploy your security configuration. The tool creates all the Group Policy objects (GPOs) you need to deploy the security configuration you choose. And because the tool eliminates many manual steps in the deployment process, you get faster and more reliable results.
Key Guide Components
The Windows Server 2008 Security Guide includes the following components:
· Executive Overview – A summary for business and technical managers that briefly explains how you can use the guidance and the automated tool for this Solution Accelerator.
· Server Role Hardening Guidance – A series of chapters in the security guide that offer detailed guidance on how to harden servers running Windows Server 2008 that handle the following server roles: Active Directory Domain Services (AD DS), DHCP, DNS, Web Server (IIS), File, Print, Active Directory Certificate Services (AD CS), Network and Access Services, and Terminal Services.
· Security Settings Recommendation Appendix – A comprehensive technical reference that explains what every prescribed security setting in the Windows Server 2008 Security Guide does, and provides recommended configurations.
· Attack Surface Reference Workbook – A resource that lists the changes introduced as server roles are installed on a computer running Windows Server 2008.
· Security Settings Workbook – A resource that lists all prescribed settings for the two preconfigured security baselines provided by the guide.
· GPOAccelerator tool – A tool that you can use to automatically create the GPOs recommended by the guide.
Learn About the Guide on TechNet
To learn more about the Windows Server 2008 Security Guide and to download the guide, click here.
To learn more about the GPOAccelerator and to download the tool, click here.
Visit the Security Guidance Page
Interested in other Solution Accelerators for Security and Compliance? Visit the Microsoft Security Guidance page.
-
I would like to announce the beta release for the Microsoft® Forefront™ Integration Kit for Network Access Protection. We are making this beta release available so that we can get your feedback. With your help, we can ensure that the Kit meets your needs.
What is the Microsoft Forefront Integration Kit for Network Access Protection?
The Microsoft Forefront Integration Kit for Network Access Protection (NAP) provides software components that allow you to integrate NAP and Forefront Client Security. A network administrator can use these components to establish a system health policy that NAP uses to determine whether client computers that run Forefront Client Security comply with the policy before they are allowed access to network resources. The Kit will also provide instructions on how to install the components and configure the system health policy for Forefront Client Security.
What are the benefits?
· Boosts security. The Kit strengthens your malware defenses by integrating two key Microsoft security technologies: Forefront Client Security and Network Access Protection.
· Saves time and reduces IT costs. The Kit’s system health validator (SHV) allows you to quickly establish health policies for Forefront Client Security installations on all network clients. The system health agent (SHA) automatically monitors the health of these installations network-wide, and remediates problems—freeing up scarce IT resources for other tasks.
· Easy to deploy. You can install and configure the Kit in just a couple of hours.
Where do I access the beta?
To learn more about the Kit, sign in to the Microsoft Connect Web site. Or, to join the beta program, click here and complete the beta program survey. Note that you may have to register to get access to the Connect site. You will be notified once you are given access to the beta Web site and can download the beta release. Be aware that in order to deploy the SHA and SHV from this kit, you will need to have NAP and Forefront Client Security deployed. I recommend that you read the Release Notes for the latest beta release information.
Let me know what you think about this Integration Kit.
-
I am happy to announce the release of the External Collaboration Toolkit for SharePoint!
What is the External Collaboration Toolkit for SharePoint?
The External Collaboration Toolkit for SharePoint provides guidance and tools to deploy a pre-built, customizable SharePoint solution that teams can use to collaborate with those outside the firewall. At the same time, the toolkit helps ensure that sensitive data on these systems is protected.
Once the ECTS is installed, your users can be up and running with a secure, SharePoint-based team site in minutes. They can easily invite external users to collaborate, sharing documents that are centrally located on a SharePoint site inside the firewall. Administrators can require administrative approval for all new sites and users, or they can delegate this control to end users and free up time for other tasks.
Where do I access the External Collaboration Toolkit for SharePoint?
The ECTS is available now at http://www.microsoft.com/collabkit.
-
I am happy to announce the beta release for the Extranet Collaboration Toolkit for SharePoint. We are making this beta release available in order to get feedback from our customers and partners. With your help, we can ensure that the Extranet Collaboration Toolkit for SharePoint (ECTS) meets your needs.
What is the Extranet Collaboration Toolkit for SharePoint?
The Extranet Collaboration Toolkit for SharePoint provides guidance and tools to deploy a pre-built, customizable SharePoint solution that teams can use to collaborate with those outside the firewall. At the same time, the toolkit helps ensure that sensitive data on these systems is protected. Using this free toolkit, administrators can set up a secure, SharePoint-based extranet collaboration site in a short time. End users can then use this site to easily create new site collections, posting sharable documents that are centrally located inside the firewall. The toolkit also enables users to invite internal and external partners to collaborate on documents. And the toolkit makes it simple for team leads to assign or revoke access rights for any team member.
Once the ECTS is installed, your users can be up and running with a secure, SharePoint-based team site in minutes. They can easily invite and enable external users to collaborate with them, sharing documents that are centrally located on a SharePoint site inside the firewall. Administrators can require administrative approval for all new sites and users, can precisely control the information outsiders can access, or can delegate this control to end users and free up time for other tasks.
Where do I access the Beta?
To get started with the beta, please click here, then click the Downloads link. Note that you may have to register to get access to the Connect site. On the list of downloads, click the Extranet Collaboration Toolkit for SharePoint. From this page, download all the beta files. I recommend that you read the Release Notes first to learn about any late-breaking information related to the ECTS.
-
As a member of the Solution Accelerators - Security and Compliance (SA-SC) team, I’d like to share an observation and ask for some feedback from our readers.
The current top 10 SAs (Solution Accelerators) are:
- Business Desktop Deployment 2007
- Windows Vista Hardware Assessment
- Windows Server 2003 Security Guide
- Microsoft Operations Framework (MOF)
- Windows XP Security Guide
- Malware Removal Starter Kit: How to Combat Malware Using Windows PE v1.0
- Windows Server System Reference Architecture
- Threats and Countermeasures Guide
- Data Encryption Toolkit for Mobile PCs
- Microsoft Identity and Access Management Series
I think this list is a testament that security knowledge is highly sought after in our community of experts! However, the list includes a number of SAs that have been out for several years, on issues such as hardening Windows XP and Windows 2003. This poses a question: What makes these SAs valuable to you? Are there specific reading styles that make technical guidance better than others?
I think it's fair to categorize technical libraries into the following broad categories:
- White papers, which dive into a single technology topic (technical periodicals would also be in this class).
- User guides, which provide detailed instruction about using or operating technology.
- Reference guides, which, like user guides, give operational details, but go deeper on a selected technology.
- Curriculum guides, which provide the ins and outs of a topic area to help the reader become proficient with a specific technology. They often refer to user guides and reference guides.
(If you think I’ve omitted any categories, please let me know.)
To me, it seems that only a couple of categories in this list are really worth reading.
When I see technical documentation about a topic I’m interested in, it ends up on my shelf and receives very little attention if it is longer than a white paper and is not usable as a reference. However, there are some gems in the wild.
Recently I've been spending some time learning PowerShell, and I came across a book that fits my definition of a white paper (good dive into technology) in a book and is also great reference material. What makes this book successful is its attention to providing good quality reference information while threading the material together with a clear intention of teaching a technology.
If you had to classify your best technical reading material, what criteria would you use, and why?
I'd love to hear back from you.
Frank
Oh BTW—the book I referred to was "Windows PowerShell in Action" by Bruce Payette.
-
Employees need to share documents with individuals from other companies, such as partners and suppliers. These documents often contain sensitive information that needs to be kept safe and secure. Microsoft SharePoint products deliver the document collaboration capabilities, but many IT departments have been reluctant to use a SharePoint infrastructure with external parties because of concerns about security and user management.
Project Inverness is an effort to address these concerns. This project will provide authoritative guidance and tools to help your organization set up SharePoint to provide users with the flexibility they need to collaborate easily with external people while simultaneously allowing the security manager to rest assured that confidential data is protected. This Solution Accelerator will be freely downloadable from TechNet.
To help us develop a Solution Accelerator that really helps address our customer's pains, we need customers like you who can review our designs, preview early versions of the guidance and tools, and provide valuable feedback. The benefit to Microsoft is obvious: with your help, we can provide a Solution Accelerator that better meets the needs of our customers. You can also benefit from participating in our development process. You will help ensure the final deliverables meet your specific needs, get early access to the solution accelerator so you can begin planning your implementation, gain access to Microsoft experts, and be acknowledged for your contribution in the final deliverables. In addition, we will provide a nice thank you gift to those users who make a particularly significant contribution to the project.
If you are interested in helping out, please visit https://connect.microsoft.com/InvitationUse.aspx?ProgramID=1657&InvitationID=PRM1-C3FJ-W3FP&SiteID=14 and follow the instructions to enroll in the program.
Thank you,
Bill Canning
Sr. Program Manager
Solution Accelerators - Security and Compliance
-
When you look at Microsoft Windows services, it can be confusing to sort through them and understand which ones you need. In this blog entry I'm going to take a more detailed look at Windows services and see if we can identify any services that might not be needed, or determine whether any are suspicious.
I think that services can be categorized into two different types: server services and client services. Server services are a bit easier to deal with because they typically do not directly interface with local users and should not be installed on a client computer.
Services that probably should not run on a client computer (laptop or desktop):
Description          | Executable (service name)
FTP                  | MSFtpsvc
Telnet               | TlntSvr
World Wide Web (www) | w3svc
SMTP                 | Smtpsvc
SQL Express          | mssql$sqlexpress
SQL Server           | Mssqlserver
Web service          | Iisadmin
Client services that run on server computers can be a bit harder to identify, because several of them might be called by a server service that legitimately belongs on a server. The following table leaves out services that could be judged legitimate on a typical server.
Services that you would not expect on a server:
Description                      | Executable (service name)
Peer Networking Grouping         | P2psvc
Computer Browser services        | Browser
Routing and Remote Access        | RemoteAccess
Windows Audio                    | Audiosrv
Bluetooth                        | Bthserv
MultiMedia Class scheduler       | Mmcss
Peer Networking Identity Manager | Pnrpsvc
Windows Themes                   | Themes
Now that we have a list of services that can be considered for evaluation, it would be nice to somehow automate the process of obtaining service information.
I started to dabble in PowerShell a while ago, and the following example is a perfect illustration of a simple but quick way to obtain service information without having to manually look at services on a device.
Looking for services using PowerShell
If you're not familiar with PowerShell, I recommend you take a look at it. In my book it's the best thing for an administrator since the advent of the automobile! http://www.microsoft.com/windowsserver2003/technologies/management/powershell/default.mspx
Step 1. Create a check file of the services that you want to flag
Create a text file that identifies the services you want to flag, one service name per line. Use the short service names that Get-Service returns in its Name property (the Executable column in the tables above), because that is what the command in Step 2 compares against; friendly descriptions such as "FTP service" would never match. For instance, I have a file called c:\temp\base.txt, and its contents are as follows:
msftpsvc
tlntsvr
w3svc
smtpsvc
mssql$sqlexpress
mssqlserver
iisadmin
You can use your favorite editing tool such as Notepad.exe to create the file.
Step 2. Use Compare-Object to find the service
From a PowerShell command prompt, run the following command:
Compare-Object $(get-service | foreach { $_.Name } ) $(get-content c:\temp\base.txt) -includeequal -excludeDifferent
Simple, right?
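The one-liner tells you which flagged services exist, but not whether they are running, how they start, or which binary backs them, which is what you need before deciding whether a hit is a leftover install or something to investigate. The following is an added PowerShell example (my own, not code from the original post) that wraps the same Compare-Object approach in a function and enriches each hit from Win32_Service. The function name and the switch are assumptions; the baseline file path is the one from Step 1.

```powershell
# Added example, not from the original post: flag services from a baseline list and
# report status, start mode and executable path, so a flagged service can be judged
# (stopped and disabled is a different finding from running and auto-start).
function Get-FlaggedService {
    param(
        [Parameter(Mandatory = $true)] [string[]] $BaselineName,   # service names, e.g. from c:\temp\base.txt
        [switch] $RunningOnly                                      # assumption: report only running hits
    )
    # Trim and drop blank lines so a stray empty line in the file does not match anything
    $baseline  = $BaselineName | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    $installed = Get-Service

    # Same comparison as the one-liner in Step 2: keep only names in both sets
    $found = Compare-Object -ReferenceObject ($installed | ForEach-Object { $_.Name }) `
                            -DifferenceObject $baseline -IncludeEqual -ExcludeDifferent

    foreach ($hit in $found) {
        $svc = $installed | Where-Object { $_.Name -eq $hit.InputObject }
        if ($RunningOnly -and $svc.Status -ne 'Running') { continue }
        # Win32_Service adds StartMode and PathName, which Get-Service does not expose
        $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$($hit.InputObject)'"
        New-Object PSObject -Property @{
            Name        = $svc.Name
            DisplayName = $svc.DisplayName
            Status      = $svc.Status
            StartMode   = $wmi.StartMode
            PathName    = $wmi.PathName
        }
    }
}

# Usage (assumes the baseline file from Step 1 exists):
Get-FlaggedService -BaselineName (Get-Content 'c:\temp\base.txt') |
    Format-Table Name, Status, StartMode, PathName -AutoSize
```

PathName is worth a glance on every hit: a service whose name matches the baseline but whose executable lives somewhere unexpected is a much stronger signal than the name alone.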
Other Services
When you run the script it provides you with all kinds of great information. But maybe it's not enough information.
If you run this script I'd be interested in your results. Did you see something you did not expect? What was it? Have you identified any services that did not make my list? Are you aware of services (third-party, maybe malware) that should be watched for?
And what about services like BITS (Background Intelligent Transfer Service) and RPC? Because there's a need to allow Windows Update to run as expected, these services would need to run most of the time.
Finally, do scripts like this one provide value to you? What would you recommend to improve on it?
-
Protecting yourself from malware can be difficult, especially when it comes to identifying malware in your environment. Malware has become stealthier, and there are so many elements to check for potential infection that you can sometimes overlook malicious code without recognizing it.
So, how can you effectively find malware on your PC?
You can rely on antivirus and antispyware tools or use online scanners such as the OneCare scanner to find potential infections. But is this enough?
Besides relying on malware tools, can you see yourself using other tools to scan for malware?
Since several of the recent blog entries have been asking malware related questions, I thought it would be prudent to provide something you can take away with you this time around.
Recently I ran across a thread discussion about checking inactive devices in your 'device manager' as a possible way to identify installed rootkits.
I tested this theory by using a command-line version of Device Manager called DevCon, and found some interesting information, but unfortunately didn’t see anything suspicious to investigate.
If you’re interested in trying it yourself, you can do so by downloading DevCon from http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q311272 .
To use the tool:
First dump your devices that are visible to a file.
devcon.exe find * >file1.txt
Then run the tool to list all devices, visible and hidden.
devcon.exe findall * >file2.txt
Compare the files.
fc file1.txt file2.txt
Since fc's file comparison is limited, I would recommend using a tool such as ExamDiff, which you can download from: http://www.prestosoft.com/ps.asp?page=edp_examdiff
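If you would rather stay in PowerShell than page through fc output, here is an added example (mine, not part of the original post or of DevCon) that runs the two listings above and uses Compare-Object so the result is just the devices that appear only in findall, i.e. the hidden or phantom entries the thread's rootkit hypothesis asks you to look at. It assumes devcon.exe is on the PATH; the function name and `$DevconPath` parameter are assumptions.

```powershell
# Added example, not from the original post. Runs the devcon.exe listings shown
# above and reports only devices present in "findall" but not in "find".
function Get-HiddenDevice {
    param([string] $DevconPath = 'devcon.exe')   # assumption: override if devcon is elsewhere

    # devcon prints one "<instance id>: <description>" line per device and a
    # trailing "N matching device(s) found." summary, which we drop.
    $visible = & $DevconPath find *    | Where-Object { $_ -and ($_ -notmatch 'matching device') }
    $all     = & $DevconPath findall * | Where-Object { $_ -and ($_ -notmatch 'matching device') }

    # '=>' marks lines present only in the findall output
    Compare-Object -ReferenceObject @($visible) -DifferenceObject @($all) |
        Where-Object { $_.SideIndicator -eq '=>' } |
        ForEach-Object { $_.InputObject }
}

# Usage: review each entry against what you expect to be physically installed;
# a removed USB stick is normal, an unfamiliar driver is not.
Get-HiddenDevice
```

Expect plenty of benign entries (unplugged USB devices, old network adapters); the value is in the residue that you cannot explain, which you can then look up by instance ID.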
Try it out, let me know if you find something interesting on a system.
-
It’s a challenge to protect an organization’s valuable assets against malware. And as malware increases in magnitude and sophistication, it seems that IT security is a journey that really doesn’t have a final destination. Do you find yourself looking over your shoulder and wondering about new threat vectors, where the next attack is coming from, and whether your current safeguards are sufficient?
We really want to know--what is your biggest malware challenge today? We aren’t asking about specific forms of malware. Let’s assume there are a whole bunch of bad things that you need to protect your organization from. We're interested in learning how you do so and the challenges you face in doing so. Do you use a defense-in-depth strategy to protect clients, servers, and the network edge? If so, what has been the most challenging part of implementing such a strategy? What keeps you awake at night worrying about whether your strategy is sufficient to keep the fox out of the chicken coop?
The Solution Accelerators for Security and Compliance team is starting a new project with a broad focus: Malware Defense-In-Depth. We’re looking for your input to help us determine where to focus our attention. Tell us what would help you the most in developing, implementing, and maintaining a malware defense-in-depth strategy. Tell us what tools you need. Tell us what guidance would be most beneficial. We are very interested in your ideas on this topic. Malware isn’t going to go away, so how can we best help you to defend against it? If you have an opinion on this topic, please post your comments.
-
Following the success of the Malware Removal Starter Kit, the Solution Accelerators - Security and Compliance (SA-SC) team has been working to provide a more in-depth look at malware. The team would like your input about what you and your peers find beneficial when dealing with malware.
Malware security comes in many flavors, all of which aim to provide layers of defense in depth. These layers should constitute more than just a firewall and antivirus products. We need to look at a more concise solution.
The face of malware is changing rapidly; as most of you are aware, threats are getting more sophisticated and complex. Additionally, many organizations continue to rely solely on a firewall to provide most of their security needs.
With this in mind, we’d like your thoughts on best practices for managing malware; in particular, which of the following do you think a good malware defense should involve?
o Client-side security
   · Antivirus
   · Antispyware
   · Personal firewall
o Server-side security
   · Hardening
   · Limiting services
o Edge security
   · A firewall
   · IDS/IPS
Does this basic solution provide an adequate technical solution for most organizations, or are there key issues that are overlooked? And when should fledgling companies start their anti-malware efforts, even if they don’t have all the pieces in place for a basic anti-malware strategy? What about messaging and IM?
We are interested in hearing your ideas. If you would like to voice your position on malware defense, please let us know.
-
The idea that a computer infected with malware is beyond repair is both undesirable and avoidable. A solution that provides a last best effort to recover from malware is available now. The Malware Removal Starter Kit, a Solution Accelerator from Microsoft, provides tested guidance to help IT generalists combat malware attacks against small- and medium-sized organizations. Using the Windows Preinstallation Environment (Windows PE) in combination with free anti-malware programs, the kit provides you with a low-cost, effective strategy and tool recommendations that you can use to vanquish malware attacks. Take a look at it here: Malware Removal Starter Kit
-
At Tech Ed 2007 last week, the Solution Accelerators team publicly announced the release of the Data Encryption Toolkit for Mobile PCs. The Toolkit is our latest work, and is the newest in a suite of Windows Vista™ Solution Accelerators. The Toolkit provides tested guidance and powerful tools to help you protect your most vulnerable information – the data residing on your laptops. The Toolkit’s strategies are easy to understand, and show you how to use two key encryption technologies: BitLocker™ Drive Encryption, which is included with specific versions of Windows Vista, and the Encrypting File System, which is included with Microsoft® Windows® XP Professional and Windows Vista. And while you're at it, check out the other Solution Accelerators in the Windows Vista suite, including the Windows Vista Hardware Assessment tool, Business Desktop Deployment 2007, and the Windows Vista Security Guide.