Revelations of a Confused Mind : Security

IT Pro Momentum - Now Accepting Applications

shawnt — Tue, 24 Feb 2009 02:13:00 GMT

Okay, folks, I've posted on this before, but the IT Pro Momentum program is really catching fire, and I've decided to readvertise it since there seems to be so much interest. The program is exclusive to people who read Microsoft blogs or attend Microsoft events, and is designed to help anyone who is evaluating new Microsoft software. If you are testing or piloting or even in the very early stages of evaluating any of the folllowing products, shoot me an email with your full name and I'll send you an exclusive invitation.

Windows 7 (Newly ADDED!)
SQL Server 2008
Windows Server 2008
IIS7
Forefront Edge (ISA)
Forefront Client & Server
Virtual Server 2005 R2 SP1 or Windows Server Virtualization
Windows Vista
MOSS 2007
System Center
Windows PowerShell
Network Access Protection

What is the Momentum Program?

Momentum is a Microsoft program focused on supporting “early adopters” – IT professionals who bet on the newest technologies to drive business value for their companies and advance their career.

Is IT Pro Momentum right for you?

Interested in learning more about the newest Microsoft technologies?
Need help to evaluate different Microsoft products and features?
Willing to test and pilot in production Microsoft beta products?
Would like to have access to exclusive forums and Microsoft product support?
Want to share your early adoption experience with the IT Pro community world-wide?

Through the Momentum Portal, participants will have access a number of benefits including:

Free TechNet+ Direct Subscription
In-Depth Technical Content
Managed Forums (Questions answered directly by Microsoft experts)
Help from me
PSS Support Requests

What's in it for you?

Exposure and Career Opportunities
By sharing early adoption successes, IT Pro's receive community recognition and increase their opportunities for networking and career growth.
Your Voice is Heard
Through Momentum, IT Pros establish a direct, two-way communication channel with Microsoft which allows you to provide feedback and influence the future of our products and services.
Reduce Risk of Failure
Momentum benefits such as free TechNet subscription and PSS support requests reduce the risk and complexity of deploying new technologies.
Competitive Advantage – Be the First to Use & Know

Program participants have access to the latest information and cutting-edge technologies developed by Microsoft. You are expected to help out with a short description of your project and the project's success and challenges at the completion of your project.

Does this sound interesting to you? Then click here to get in touch with me.

Now’s the time for you to get involved!

New Microsoft Security Intelligence Report (SIR) Released!

shawnt — Thu, 06 Nov 2008 07:04:15 GMT

The latest version of the Microsoft Security Intelligence Report is now publicly available:

www.microsoft.com/sir

The SIR is a helpful document designed to assist you in determining the current technology threat landscape, especially with regard to Microsoft software. In it you will find assessments of the current security threats, the trends on a per-threat basis, and data to help you identify where your security dollars might best be spent.

In SIR's approx. 145 pages, you will also find:

NEW - The threat ecosystem, narrative section
Security vulnerability disclosures, industry-wide and Microsoft specific
Vulnerability exploits, Microsoft specific
NEW - Browser-based exploits, Microsoft and third-party
Security and privacy breach reports
Malicious and potentially unwanted software trends
Focus on malware and signed code
NEW – specific malware and potentially unwanted software data for 15 locations worldwide (United States, Canada, United Kingdom, Australia, Brazil, France, Germany, China, Hungary, Italy, Japan, Norway, Russia, South Africa, and the Gulf Cooperation Council)

This document is invaluable for CSO's, Directors, and security auditors looking to assess the current security topology for the purposes of allocating budget spend over the coming year. And, actually, the short 15 pg. summary document, which is a truncated version of the larger document and can be found at the same site, is not a bad read for anyone in technology who is interested in understanding today's risks.

www.microsoft.com/sir

New "Wormable" Exploit Discovered Affecting Windows OS's...

shawnt — Thu, 23 Oct 2008 21:51:50 GMT

There was a new critical vulnerability announced today that could lead to remote code execution against Windows Operating Systems. (Specifically, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.) And, unless you are running Windows Vista or Windows Server 2008*, this exploit even works for non-authenticated users - remotely!

In short, this means that this exploit could be turned into a new Internet Worm. In fact, consistent exploit code has already been discovered in limited, targeted attacks, which is precisely why this update is a "zero day" update. It needs to be patched now, folks. Don't delay. Again, the vulnerability can be exploited consistently, remotely, and without authentication. These three factors are not good in combination.

Needless to say, this kind of exploit is potentially very damaging, and the wise administrators among us will reduce their exposure immediately - either by applying the update, or, if updating is not an option due to a lengthy testing and deployment process, then by disabling the computer and server browser services temporarily. Check out this bulletin for more details on how to perform these actions.

For more information and to download the update (Select your OS version): http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

To get the Update directly from Microsoft Update (US Site): http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us

* If you are running Windows Vista or Windows Server 2008, the update severity is mitigated by the likelihood that the exploit will only work for authenticated users, even with UAC turned off. Plus, improvements like ASLR (Address Space Layout Randomization) further reduce the ease of exploit. It's nice to see the security investment we made in Windows Vista and Windows Server 2008 paying off in situations like this.

SAVE 15% ON YOUR new TECHNET SUBSCRIPTION with code: TMSAM12

shawnt — Sat, 26 Jul 2008 03:43:00 GMT

Hey folks! Microsoft recently announced a new worldwide subscription code that gets you 15% off a new TechNet subscription. This code is your key to savings, so make sure you enter it when you place your order.

Discount Code: TMSAM12

Order your subscription now!

So, why would I want to subscribe???

TechNet Plus subscriptions are the best way for IT Professionals to test Microsoft software. Period. Why?

Because with a TechNet Plus subscription you get product keys that are good ad infinitum - a.k.a. forever. So, you can install and test your machines without ever having to reinstall. You'll never worry about losing your investment in that testing environment from an infuriating "The evaluation period has expired" pop up message. You can log on in 2048 and it'll still work. That's assuming, of course, that your hardware lasts that long. :)

Oh, and if you opt to go with a TechNet PLUS Single User Subscription, you'll also get the support database (Think "Q" articles) sent to you on DVD every month. So, you could troubleshoot that pesky Exchange Server bug from the first class seat on your flight to Orlando over an ice cold Jack and Coke, which is a bit better than doing it from your office chair if you ask me. :)

If you want to learn more about TechNet Subscriptions, try this: http://technet.microsoft.com/en-us/subscriptions/bb892759.aspx

To order a TechNet subscription, go here: http://technet.microsoft.com/en-us/subscriptions/bb892754.aspx

Remember to use code: TMSAM12

Windows Vista SP1 is Fully Baked!

shawnt — Tue, 05 Feb 2008 23:15:00 GMT

That's right! If you haven't already heard, Windows Vista Service Pack 1 (SP1) is finished, complete, in the can, DONE! As of yesterday, February 4, 2007, SP1 is officially released to manufacturing (RTM) - which means that OEMs (Original Equipment Manufacturers) like Lenovo, Dell, HP, etc, have the final code. However, as Mike Nash, Corporate VP, Windows Product Management, tells us in his blog post, SP1 will not be available to the general public (a.k.a. you) until Mid-March. The reason? Those pesky IHV drivers. It seems some of the installation executables for various Vista drivers are written such that they would need to be reinstalled after upgrading to SP1. We figured John Q. Public wouldn't like that experience, so we are working closely with the IHVs to get the issue fixed. Again, look for general availability in Mid-March with Automatic Updating turned on for SP1 in mid-April. For more information, here's a couple of links for your reading pleasure:

Mike Nash's Post

More About SP1

Sometimes Security through Simplicity Isn't So Simple

shawnt — Fri, 01 Feb 2008 11:14:00 GMT

Dr. Thomas Shinder makes some excellent points about how difficult it can be to enact good security. Even something as seemingly straightforward as installing Windows Server 2008 Core to reduce your attack surface can harbor hidden perils. What hidden perils? Well, misconfigurations are inherently more common when managing a server strictly though the command-line interface (CLI). But, the good doctor says it far more eloquently than me. Check out this post as well as several other high quality posts on Dr Shinder's Windows Security blog.

http://blogs.windowsecurity.com/shinder/2008/01/29/server-core-management-a-potential-security-issue/

ISA Server 2006 Cache Q&A

shawnt — Sat, 05 Jan 2008 00:57:00 GMT

I just got an email from someone who had watched one of my old ISA Server 2006 webcasts. She had a couple of interesting questions, and I thought I'd share the answers to her email with you.

Q. How do you clear the cache in ISA Server 2006?

A. To clear the cache, disable the cache through ISA Server Management, and then delete the cache storage file, such as Dir1.cdat (the default name of the ISA Server cache file). There is a cache file in the Urlcache folder on each drive that is configured for caching. After you delete the cache file, enable the cache in ISA Server Management. There is also a sample script that describes how to clear the cache programmatically. For information, see "Deleting Cache Contents" at the Microsoft TechNet Web site. In ISA Server 2006 Enterprise Edition, this tool must be run on each array member.

Q. How does ISA Server 2006 remove cached data?

A. If the cache content file is too full to hold a new object, ISA Server removes older objects from the cache, by using a formula that evaluates age, how often the object is accessed, and size.

Q. Is there any way to see what is in the ISA Server 2006 cache?

A. Try this to view the URLs in the cache in real-time: http://www.microsoft.com/downloads/details.aspx?familyid=b9ecfcd3-c13f-4447-83ed-add9a8ea45db&displaylang=en

How to Create a Standard User Account in Windows Vista

shawnt — Fri, 21 Dec 2007 00:48:00 GMT

Okay, this post is for the less technical among us. As part of a team project, I created a nice, little Camtasia recording a while back to help people make a standard user account in Windows Vista, but I never had the opportunity to publish it. So, since I'm on vacation and I can do whatever I want, I thought I'd post it now. I didn't want the video to go completely to waste, not that it's amazing or anything but it did take me a while to learn Camtasia and put it together. But, first, I'll include a few words about why standard user accounts are important and why they should be used by every single person who logs onto a computer. After that, you can find the links at the bottom of the post.

Standard user accounts (restricted accounts, basic accounts, non-administrator accounts, least-priviledge accounts, or whatever you want to call them) are essential to good security. Whenever anyone is browsing the web or checking email, they should be logged on as a standard user. This way, even viruses that are not detected by your virus scanning software will be unable to infect you. By using a standard user account, you greatly limit your security risk exposure. Malware (spyware, adware, viruses, worms, etc) will not have permissions to install themselves onto your computer, and that's a very good thing. You'll especially, definitely, without a doubt want to use them whenever you are performing high risk activities like, for example, browsing to less-trusted websites or opening attachments to emails that you are not 100% sure of. You shouldn't open those attachments or go to those sites at all, but, if you have to, being logged on as a non-administrator will hugely reduce your risk of infection.

So, what do you do if you need to install a program or change an administrator-level setting? You have two options....either log off and back on as an administrator (usually the first account you created when you bought your computer), or right click on the installation executable or setting and choose "run as administrator" from the drop down list.

Also, if you want to use the new parental controls in Windows Vista, you'll need to create a standard user account for each or your children (and, of course, make sure you set the password on the administrator account to something they don't know and won't be able to guess). When your children log on with their standard user account, they won't be able to turn off parental controls, and you will be able to monitor what sites they are visiting and what they are emailing to friends or writing to each other through instant messenger. You can also restrict what games they can play based upon the game's ESRB rating.

Well, now that you know why standard user accounts are so important, here's a quick video to walk you through the process of creating one. Unfortunately, you may need to click on this link a few times before it works. I've noticed the streaming media server has been a bit glitchy lately. If you can't get it to work, I've got a low fidelity version on MSN's Soapbox Beta.

Vista_Standard_User_Account_Creation - Hi Res (Unreliable, sorry)

Vista_Standard_User_Account_Creation - Low Res (More reliable)

Thanks for checking it out.

How to Use the Powershell 1.0: A Beginner's Guide

shawnt — Tue, 18 Dec 2007 04:13:00 GMT

If you're already convinced that the Powershell is right for you, skip ahead to the section: "Getting Started with the Windows Powershell". However, if you still need some convincing, read on. So, in case you haven't had a chance to use the Windows Powershell yet, I'm here to tell you - It is a nice powerful tool for automating repetitive tasks in Windows. If you find yourself doing many of the same tasks day after day via the GUI and it's starting to wear you down, you will almost certainly benefit from spending a few minutes learning the Windows Powershell, or at least stealing the scripts from the repository (See Step 5 below)! You don't have to get deep to start saving yourself a lot of clicksteps - just spend a few minutes going through my walkthrough and download one of the sample scripts. I think you'll find you'll be able to give yourself back several hours a week. Check out steps below on how to get started with the Windows Powershell...

Did you know?

The Windows Powershell 1.0 can....

perform what-if analysis (to help you decide if you really do want to run a certain command or script)
perform "do while" and "do until" loops
accept runtime input via the command line. So, for example, you could create a tool to give you information about a specific Windows Service, and it would ask you which Windows Service you were interested in via the command line interface.
autoComplete using the Tab key (so you don't have to remember every noun-verb command - just tab 'til you find the right one.)

The Windows Powershell 1.0 uses...

It's own scripting language. That's right, it's not VB Script, C# or any of the others. It's new. If you want to know why, read the documentation linked to in step 3 below.
the .NET object model, so all output from the Powershell is treated as an object which can be manipulated and piped into other methods
or, actually, is used by the Exchange Management Console. The Exchange functionality in the EMC is just an add-in to the Windows Powershell. It adds Exchange related tasks, like move-mailbox, to the Powershell.

In addition, if you'd like to learn more, please check out the webcast I just delivered on the Windows Powershell 1.0. It should be available in streaming format here in the next few days. It's called "TechNet Webcast: Prepare Yourself for Windows Server 2008 (Part 7 of 8): Windows PowerShell and Manageability Improvements."

Getting started with the Windows Powershell:

DOWNLOAD: Download Powershell 1.0. (It's about a 5.0MB download)
INSTALL: Double-click the downloaded .msu to install the Powershell. There are different .msu's for Windows XP SP2, Windows Server 2003 SP1, and Windows Vista. Make sure you get the right one for your OS. (Windows Server 2008 has the Powershell built in.) The Powershell only runs on Windows, so if you need to run it on another OS, you'll need to build a Virtual Machine and install the Powershell into it.
READ: Read the Powershell 1.0 Documentation. The documentation is automatically installed along with Powershell and is very helpful, especially at first. If you've never worked with Powershell before, you'll want to read these. The first thing you should read is "GettingStarted.rtf", which is a nice, easy to follow, 32-page overview. Then, you can graduate to the 116-page "UserGuide.rtf". Finally, if you get past all of that, see the "Other helpful links" at the bottom of this post. If you want to read the documentation without downloading the Powershell, you can find it here: Download the Powershell 1.0 Documentation Pack.
PLAY!: Open a Powershell Command Window and try a few simple, interactive commands (e.g. "write-host This is a test." or "get-childitem <AnyFolderPath>"). It's really quite easy to get used to. I've typed a couple below that you might want to try.
HOW TO RUN SCRIPTS - THE EASY WAY: Now, take your Powershell experience to the next level by running scripts! And, if you ask me, the best way to run scripts is to start with someone else's scripts, and build from there. So, go get some sample scripts from the Microsoft Powershell sample script repository online. Of course, you can write your own scripts from scratch, but the sample scripts are so powerful and easy that I recommend you start there. Don't try to recreate the wheel when you don't have to.

------> Microsoft's Sample Powershell Scripts Repository <------

Alright, Shawn, but how do I run those blasted scripts? I keep getting error messages. Well, here's how...

First, change the executionpolicy setting. The default executionpolicy setting is restricted, and it will prevent all scripts from running, allowing you to run the Powershell only interactively. (If you want to know why we do this, check out the "go" link below just before step 2.) If you want to run scripts, even the ones you create, you'll need to change that setting. Here's how you do that:
- If security is NOT an issue and you want to run all scripts unsigned. (Not recommended):
- If security IS an issue and you want to run signed scripts (signed locally or remotely):
  - PS C:\Users\Administrator> set-executionpolicy remotesigned
  - Check out this TechNet article that talks all about how to properly sign your code and explains the executionpolicy settings in more detail - even gives you the commands you should use: http://go.microsoft.com/fwlink/?LinkID=106498&clcid=0x409
Then, just copy and paste the sample scripts directly from the Microsoft repository website into Notepad. Save the file with any name and a .ps1 extension (you'll need to get rid of the .txt extention as shown in the screenshot below.)
Run the script from the Powershell prompt. For example:

PS c:\Users\Administrator> c:\scripts\ListDesktopSettings.ps1 ****You must type the full path for the script to run****

Now that you've got one script under your belt, you can try some other examples of sample scripts from the website. Here is a list of the available sample scripts.

Active Directory - Sample scripts for managing Active Directory and Active Directory objects.
Applications - Sample scripts for managing software and applications on servers and client computers.
Desktop Management - Sample scripts for managing such things as desktop settings, computer startup and shutdown, and System Restore.
Hardware - Sample scripts for managing and monitoring computer hardware.
Logs - Sample scripts for managing event logs and plain-text log files.
Networking - Sample scripts for managing and monitoring network configurations and network applications.
Operating System - Sample scripts for managing and monitoring the Windows operating system.
Other Directory Services - Sample scripts for managing directory services other than Active Directory.
Printing - Sample scripts for managing printers, print jobs, print servers, and other parts of the Windows printing infrastructure.
Scripting Techniques - Sample scripts demonstrating a wide variety of scripting tips, tricks, and techniques useful to script writers.
Searching Active Directory - Sample scripts for searching Active Directory.
Service Packs and Hot Fixes - Sample scripts for retrieving information about service packs and hot fixes installed on a computer.
Storage - Sample scripts for managing files, folders, file systems, and storage devices.
Terminal Server - Sample scripts for managing Windows Terminal Server.

Well, that's it - by now you should be off and running with the Windows Powershell 1.0. I tried to go through all the basics here just to get everything working, as well as some of the gotchas you might run into. Still, it's a big world once you start to go deep into the Powershell, so here are some more helpful links that will get you to that next echelon. If you have any thoughts or questions, please feel free to post a comment.

Other helpful links:

The Windows Powershell Blog Team Site

The Windows Powershell Script Center

Windows Powershell Help on TechNet - Check it out!

Windows Powershell Owner's Manual - Highly recommend - there is a TON of information very easily accessible from here and it starts you off on the bunny slope.

Thanks!

Check out my Security Viewpoint!

shawnt — Wed, 12 Dec 2007 20:42:23 GMT

I've been published on the TechNet website! If you get a chance, please take a look at my security viewpoint article, "Security: Less is More," when you get a chance. It's a quick read.

http://go.microsoft.com/fwlink/?LinkID=106172&clcid=0x409

Thanks!

FSSMC to RTM on October 10th

shawnt — Thu, 13 Sep 2007 09:55:00 GMT

The Forefront Server Security Management Console (FSSMC) is set to release to manufacturing on October 10th! It will be available solely through Micorosoft's volume licensing program around that time. FSSMC stands to be a very solid and necessary addition to the Forefront suite of products.

For those of you who aren't familiar with the FSSMC, essentially it provides for central configuration, deployment, and updating for all Forefront server security products. It enables IT administrators to manage servers remotely, generate comprehensive reports, and receive outbreak alerts. You might think of it as being very similar to the server-side functionality in FCS (Forefront for Client Security), if you are familar with that functionality.

For those of you who are running or planning to run any combination of Forefront Security for Exchange Server, Forefront Security for SharePoint, Antigen for Exchange, Antigen for SMTP Gateways, or Antigen Spam Manager, you'll want to take a close look at the FSSMC. As an FYI, Forefront Server Security Management Console does not support Sybari Antigen 8.0 or earlier products.

If you are interested in learning more about the features included in the FSSMC, check out: http://www.microsoft.com/forefront/serversecurity/mgmt/features.mspx.

Also, I highly recommend you check out the webcast being put on by Kelli Cook, a security product manager and resident expert on the FSSMC. The webcast will be delivered on October 19, 2007 at 11:30am Pacific Time. For more information and to register, check out: http://msevents.microsoft.com/cui/WebCastEventDetails.aspx?EventID=1032352491&EventCategory=4&culture=en-US&CountryCode=US