You all showed great interest in the Windows Server 2008 Security Guide Beta. Now the "real" version is here. Get it on Technet
Roger
You all showed great interest in the Windows Server 2008 Security Guide Beta. Now the "real" version is here. Get it on Technet
Roger
Well, this is a follow-up of my last posts about how I secure my environment. If you want to read the earlier posts of the series, see at the end of this post.
So, we did the Risk Assessment, now, let's look a little bit closer into my perimeter. Technically I have a "normal" ADSL connection with a static IP-address. However, I decided to use the provided modem only as a bridge and do the dial-up from my firewall, which is – surprise, surprise – an ISA Server2006. This enables me to avoid a NAT-NAT type of configuration and allows me as well to see what is going on on the outside adapter.
Looking at the classical design of a perimeter network, we travel through the world since quite some time and talk about the diminishing importance of the perimeter network or how Steve Riley puts it: "The death of the DMZ" – a concept I implemented in my network.
There are quite some services I am providing on my network to the Internet: I am running a Web Server, a Mail Server (which offers POP, SMTP, RPC over HTTPs, OWA, Exchange Active Sync) and I am exposing all my servers for RDP. Nevertheless I am not running a DMZ nor do I feel bad about it. The way I am working is to use the Reverse Proxy functionality of my firewall. If I would run the classical DMZ-design it is pretty likely that the second firewall would have a lot of ports open (I usually call this a "Router" J). In te setup I chose, I am able to use ISA as my bastion coming from the outside. It does a protocol filter as well as handles the entire authentication whenever a service is used, where I want to have authentication. Like that, nobody will hit my OWA server without being authenticated already. This is one of the big advantages of this setup. Additionally ISA looks into the data and tries to understand whether the packets are valid or not. So, if you send an SMTP command with a clearly invalid size, the packet will be dropped and will never reach my Exchange.
Last but not least, ISA serves as a cache. Initially I was wondering, whether I even should enable caching as we have so few users and enough bandwidth. Since ISA Server 2006 is able to cache Microsoft Update, it definitely makes sense. I configured the WSUS server in a way that the updates are downloaded directly from Microsoft Update. So, every computer in my network will access Microsoft Update and like that, the updates are cached as far as possible on the ISA Server.
Finally, let's have a look at monitoring. I am using System Center Operations Manager (SCOM) to monitor the environment and therefore ISA Server is reporting back to SCOM. Nevertheless the log shows interesting things from time to time:
Recently one of the clients in the network got infected and started to send a lot of bogus traffic. ISA immediately closed the connection and alerted my SCOM (and Forefront cleaned the client):
Things that happen really often are script kiddies looking at probing the firewall like that one (which actually came from the Netherlands):
So, this part up to now was pretty straight forward. However, there is one shortcoming (not of ISA but of other products like Office): As I stated above, I have one fixed IP address. From here I am running different domains (e.g. mail.contoso.com, vpn.contoso.com, www.contoso.com, …) where some of them need SSL. The ones of you knowing ISA and how it works realize that I need a listener, listening on port 443 and authenticating with a certificate taking the role for all the domains that request SSL– to which of the above mentioned names? Well, I issued a certificate with my CA to *.contoso.com. ISA can handle that pretty much without problems but some consuming devices like Outlook 2007 for RPC over HTTPS which fail to authenticate the server. There I had to disable the certificate check – something I would not like to do in production.
As always: If you have anything you would like me to answer, drop me a mail or a comment.
Roger
Other posts in this series:
Additional Information
It once more shows that the criminals are extremely creative in abusing features to do their business: See this article on Techworld
Roger
Sorry for being so late on that but I was enjoying the gorgeous weather in Switzerland and was skiing the last few days.
There were claims end of last week that researchers "cracked" Bitlocker. One of the corresponding articles you can find in eWeek.
What did they actually do? Well, they attacked the key that resides in memory. So, they are attacking a running machine. Let's start with looking into the risks. What do you want to achieve with Bitlocker? You want to make sure that if you lose your notebook, nobody is able to access the data on the disk. So, if the system is shut down, the claimed attack does not work anymore. Now, it comes to the states in between. If a machine is in the sleep state, we consider it running, so yes, it is vulnerable to this attack. We can now argue whether it is a good idea that the standard behavior of a Windows Vista machine is going to sleep if you close the lid. As Bitlocker is not enabled by default, I think we can argue around this but it is not optimal if you protect your machine with Bitlocker. If you find a machine in Hibernate, Bitlocker kicks in during the resume and needs the keys – this means a hibernated machine is not vulnerable to the attack.
What does this mean for you? There is an easy countermeasure to all these attacks: Put your machine to hibernation and you are done.
So, if you want more information on this, go to the Windows Vista blog. Last but not least, we published the Data Encryption Toolkit for Mobile PCs and there is a Bitlocker chapter in it, which you might want to read if you use it.
I am using Bitlocker with TPM – and Hibernation
Roger
