• What is more important: Security or Privacy?

    This is basically a very interesting and pretty fundamental question for the society. After 9/11 the US changed the way they work significantly. Just as an example: Airlines had to give the US government information about passengers flying to the US that actually violates the privacy laws in Europe. So, the decision had to be made: Either you violate the laws or you do not fly to the US anymore… What do you do now? Well, the Data Protection Officers actually had to give in.

    So, if you look at it from a broader perspective: It is pretty natural that National Intelligence as well as Law Enforcement is looking for as much information as possible to fight crime. And I guess, that successful Law Enforcement and Intelligence Services is something we all would like to have – we want them to protect us. But what are we willing to pay? How far are we letting them invade our privacy? This is the key question and something there is no one answer for.

    If you look at this article, "US spy chief puts security over privacy", compared to the comment I made in "2-year old terrorist", it really scares me. I see the dilemma we are in – no doubt. And to be completely honest: I am not sure how far I want to let my privacy go for the sake of my security. I am living in a very safe and secure country – in Switzerland. However, I know that the National Police has to work hard to keep it that way. So probably it is as always: As long as nothing happens to me personally, I fight for Privacy. As soon as something happens, I want as much Security as possible.

    A problem we all know, don't we: Nobody wants to pay for security but as soon as something happens…

    Your view?

    Roger

  • Securing My Infrastructure: Introduction (part 2)

    Looking at Jack's comment to my initial post this morning (Securing My Infrastructure: Introduction) it seems that I have to give you some additional information:

    So let me start with the goal of this network:

    Basically I started to build it on one server to play around with our technology. Soon I had to realize that unless I am running it in a "production-like" style, I will not learn the daily problems and challenges with a certain setup. It is one thing to make an environment work and another to keep it running. Since then I connected my home PCs to the lab and run it 24*7 – and learned a lot!

    Second point is about the physical setup of the servers:

    I am actually running three physical servers at the moment, running Windows Server 2003 R2:

    1. My oldest server is the oldest PC I have in the house with a 1.8 GHz CPU and 512 MB of RAM. It is running Windows Server 2008 R2 fully patched and is my ISA Server.
    2. The initial server mentioned above. It really rocked when I bought it – well, it is quite a time ago :-). It has a 2.4 GHz CPU and 2 GB of RAM. I am running a DC on it and Virtual Server 2005 R2 with two Virtual Machines on it (a DFS-server (512 MB) and my MOM/Virtual Server Manager Server (1 GB)). It runs pretty smoothly but at its limits.
    3. I needed this server as I needed a 64-bit environment. Therefore I put together a third server (and put it in the cellar – my wife really enjoys that). This has two 64-bit Core2 CPUs in it (3 GHz) and 8 GB of RAM. Additionally I am running a RAID 5 disk stack. This is my Exchange Server. On it I am running Virtual Server 2005 R2 again with 4 Servers (a second DC as a backup for my AD :-), a SQL Server, my Forefront Client Security/WSUS server and my SharePoint).

    So there are two questions open that come to my mind – probably more, let me know

    • Why am I not running Windows Server 2008? This is a valid question. I built some labs with Windows Server 2008 but did not have the appropriate time available to actually start to migrate. I will start with the less critical servers to gain some experience with the migration as soon as it goes RTM (and this is soon). I will not be able to migrate the firewall as ISA Server 2006 will not run on Windows Server 2008. The reason is that we re-designed the IP-Stack on Windows Server 2008.
    • Why no Hyper-V? This is the next big step I will do in this environment for sure. My server 2 from above is still a 32-bit. Therefore I will have to add a second 64-bit server and start the migration from there. I will have everything on Hyper-V except for the Firewall (my server 2 will be the new Firewall after the migration). So give me some time here. I will describe certain setups (like the ISA Server) and then tell you more about the migration from physical to virtual machines and from Windows Server 2003 to Windows Server 2008.

    Does that make sense?

    If there is any question you would like me to address, drop me a mail or a comment.

    Looking forward to your feedback

    Roger

  • What can you do if you are a victim of e-crime?

    I think that there is a very good example of how a platform could be offered for victims of cyber crime. There are often questions around: What are my rights? What can I do if something bad happens? Who is here to help?...

    www.e-victims-org offers answers to a lot of questions like those and offers help. Ed Gibson, my CSA mate in the UK, is actually on the Advisory Council.

    Roger

  • Jeff’s Vista One-Year Vulnerability Report

    Jeff released another report: He is looking back into one year of Windows Vista. We had the discussion about the value of vulnerability comparison and I do not want to open another discussion thread about that. But as long as we hear that our products are less secure than others because we have sooo many vulnerabilities, these reports are important for us internally (we know where we stand) and externally to communicate our findings – and they are pretty interesting.

    Have a look at the report at Download: Windows Vista One Year Vulnerability Report

    Last but not least it was interesting to see that readers of my blog are looking into these things as well: Vista logged fewer vulnerabilities in its first year than XP, Red Hat, Ubuntu, and Apple Mac OS X did in their first years

    Roger

  • Securing My Infrastructure: Introduction

    As you probably know, some time ago, I asked for feedback and themes you are interested in. Some of you replied to me privately, some with comments and I would like to thank you for the constructive feedback. One of the inputs I got several times is that you would like to get more information on how to secure and run an infrastructure – the usual ask for "best practices".

    Well, there are a lot of best practices out there. Be it from us on the Microsoft website or from third parties. However, they seem not to fit the need directly for you. So, what can I do? Give you some additional best practice? Well, this will not fulfill your need either – most probably. And what is the reason for that? Well, you are unique! Your situation is unique, your assets are unique and your risk appetite is unique.

    I tried to think of what could be valuable for you and am thinking that I could tell you, how I secure my environment at home in my lab. You will wonder what this has in common with the environment you have in your company. This is a valid question. Let me give you some ideas about the infrastructure I am running in the lab:

    The following server roles are in place:

    • Domain Controller
    • Firewall
    • Radius Server
    • Mail-Server
    • SharePoint
    • Database-Server
    • File-Server
    • NAS
    • Operations Manager
    • AV-Console
    • Patch Management Server
    • Virtual Server

    And, yes – there are a few clients as well :-). So, I am running an IT of the size of a small and medium business – not completely with the same requirements but this is the environment where I am trying to collect as much experience as possible and implement a lot of "best practices".

    So, I will start to give you some insights into how you could use our technology (did I tell you already that everything is on Microsoft technology?) to secure and operate such an infrastructure. I will do it as long as…

    • … you are actually reading it
    • … the number of additional attacks I see in the logs does not grow significantly

    If there is any question you would like me to address, drop me a mail or a comment.

    Looking forward to your feedback

    Roger