• DirectAccess and how it works

    Republished with the broken link fixed (thank you to the person who told me via messenger). 

    In my last blog post Direct Access - A Step by Step Guide I just linked to a paper showing how you can set it up. However, based on that I got questions on both of my blogs about how it actually works. Well, this has two aspects: how it works from a user perspective and how it works technically.

    Generally, there is one page to start with if you are looking for DirectAccess information, which is http://technet.microsoft.com/en-us/network/dd420463.aspx. From there you can get to a lot of different information on the technology.

    Let’s start with the user. On http://technet.microsoft.com/en-us/windows/dd572177.aspx there is a good video showing what it looks like from a user’s perspective. Or you can access the video as a wmv-file directly from here.

    When it comes to the technology, I would like you to look at the Technical Overview of DirectAccess in Windows 7 and Windows Server 2008 R2. Let me just quote a few paragraphs from there:

    DirectAccess overcomes the limitations of VPNs by automatically establishing a bi-directional connection from client computers to the corporate network. DirectAccess is built on a foundation of proven, standards-based technologies: Internet Protocol security (IPsec) and Internet Protocol version 6 (IPv6).

    DirectAccess uses IPsec to authenticate both the computer and user, allowing IT to manage the computer before the user logs on. Optionally, you can require a smart card for user authentication.

    DirectAccess also leverages IPsec to provide encryption for communications across the Internet. You can use IPsec encryption methods such as Triple Data Encryption Standard (3DES) and the Advanced Encryption Standard (AES).

    Clients establish an IPsec tunnel for the IPv6 traffic to the DirectAccess server, which acts as a gateway to the intranet. Figure 1 shows a DirectAccess client connecting to a DirectAccess server across the public IPv4 Internet. Clients can connect even if they are behind a firewall.

    This is kind of the key thing. If IPsec cannot be established, it falls back to IP-HTTPS, but this is all described in the paper above in just a few pages (with a few pictures). I do not want to repeat this here. Just go and read it yourself.
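A practical check that belongs next to the paragraphs quoted above: on a Windows 7 DirectAccess client, verify which IPv6 transition technology is carrying the tunnel across the IPv4 Internet (Teredo, 6to4 or the IP-HTTPS fallback) and whether the IPsec security associations with the DirectAccess server actually exist. The script below is an added example written for this post, not code from the original post or from Microsoft. It only wraps the built-in `netsh` commands; the keyword matching on their output (the words "active" and "qualified", and the "Remote IP Address" lines in the SA listing) is an assumption about the output format and should be checked against your own client, and it must run from an elevated prompt.

```powershell
# Added example (not from the original post): report DirectAccess transport and IPsec status
# on a Windows 7 client. Run in an elevated PowerShell prompt. Output parsing is heuristic
# (assumption: the netsh output contains the phrases matched below).

function Get-DirectAccessTransportStatus {
    # The three transition technologies DirectAccess can use to carry IPv6 over the IPv4 Internet.
    $checks = @(
        @{ Name = 'Teredo';   Args = @('interface', 'teredo', 'show', 'state') },
        @{ Name = '6to4';     Args = @('interface', '6to4', 'show', 'state') },
        @{ Name = 'IP-HTTPS'; Args = @('interface', 'httpstunnel', 'show', 'interfaces') }
    )
    foreach ($c in $checks) {
        $out = (& netsh $c.Args 2>&1) -join "`n"
        New-Object PSObject -Property @{
            Transport   = $c.Name
            # Assumption: a working transport prints a state/status line containing 'active' or 'qualified'.
            LooksActive = [bool]($out -match '(?i)active|qualified')
            RawOutput   = $out
        }
    }
}

function Get-DirectAccessIPsecStatus {
    # Main-mode SAs show that IPsec authentication with the DirectAccess server succeeded;
    # quick-mode SAs show that traffic is actually being protected.
    $mm = (& netsh advfirewall monitor show mmsa 2>&1) -join "`n"
    $qm = (& netsh advfirewall monitor show qmsa 2>&1) -join "`n"
    New-Object PSObject -Property @{
        # Assumption: each SA entry in the listing contains a 'Remote IP Address' line.
        MainModeSAs  = ([regex]::Matches($mm, 'Remote IP Address')).Count
        QuickModeSAs = ([regex]::Matches($qm, 'Remote IP Address')).Count
    }
}

$transports = @(Get-DirectAccessTransportStatus)
$transports | Format-Table Transport, LooksActive -AutoSize

$ipsec = Get-DirectAccessIPsecStatus
$ipsec | Format-List MainModeSAs, QuickModeSAs

if ($ipsec.MainModeSAs -eq 0) {
    Write-Warning 'No IPsec main-mode SA found: the DirectAccess tunnel is not established.'
}
if (-not ($transports | Where-Object { $_.LooksActive })) {
    Write-Warning 'No transition technology reports an active state; inspect RawOutput for details.'
}
```

When the only transport that looks active is IP-HTTPS, the client is on the fallback path the post mentions; that is normal behind a restrictive firewall, but worth knowing when you troubleshoot throughput, since IP-HTTPS adds an SSL layer on top of the IPsec tunnel.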

    Roger

  • Google Chrome and Silent Patching

    This morning I opened one of the Swiss Sunday newspapers and Google Chrome made it to the front page with a “best practice approach” for deploying security updates. In the article itself it was claimed that Chrome is one of the best browsers with regards to security, as they deploy patches silently, without letting the user know, even if Chrome is not running, and there is no way to disable this. Here are some similar stories:

    Give me a break here.

    I am really tired of hearing those things. When Chrome shipped, three things actually hit my inbox:

    • Chrome was shipped (in a Beta) with a few pretty significant vulnerabilities, which had been known for quite a while (like the carpet bombing flaw). The excuse by Google was “it is just a beta”. Tell me please, how you would comment if we had done the same with Windows 7.
    • I got quite some mails from angry customers and journalists telling me that Chrome found a way around User Account Control, as Chrome installs without UAC kicking in. Journalists called as they claimed to have found “a severe vulnerability”; customers called as they were angry with us, as Chrome simply popped up all over the place in their network even though their users were non-admins. Well, well, Chrome simply installs an executable in the user context, into directories where the user has write permissions. So, for sure Chrome can install – really bad practice in my opinion.
    • There was a pretty strange paragraph in the EULA, which was then removed later.

    And now the silent patching. A few years back, when we designed Windows XP SP2, we talked about switching Automatic Updates on by default. This caused a lot of people to scream and tell us that it is unacceptable to switch AU on by default (which we actually do in the meantime). We recently updated the Windows Update client – and it caused a lot of you to scream and tell us that it is unacceptable for us to silently update a component on Windows. And we heard you loud and clear. And now I hear that Chrome is best practice because they silently fix security vulns? And you cannot even switch this off? So, what is the policy the industry shall follow?

    I agree that the most secure way for consumers would be to automatically fix security vulns. This is actually what I tell my parents: simply install security updates. This is for consumers, and there is an option. Not having an option is unacceptable – at least for me. Additionally, again for the consumer, having Anti-Malware be part of the Operating System out of the box and enabled by default would be desirable. However, this is not acceptable today for competition reasons.

    So, what I do not get is why people do not look at these problems holistically and more from a policy perspective rather than from a company by company perspective. Silently installing components without even giving me the option to choose is not acceptable today for me – but I want to have the option to do it if I want.

    And finally: I would question the enterprise-readiness of such software. At least, I would never deploy it in an enterprise environment.

    Roger

  • Patch Management, a key step towards compliance!

    As you might have read, I recently blogged about my infrastructure and the future of a platform towards a better management of compliance – honestly, I actually played with our latest technology.

    I wrote about

    Now, a necessary and very important next step towards compliance as well as a secure environment is a sound Patch Management process and then – in the second place – the underlying technology. I have blogged several times already about Patch Management, as I see a lot of companies failing to deliver on this. I recently wrote a post called Patch Management – Cover the whole 9 yards; in there I mention different papers you could/should read:

    and I reference Christopher Budd’s Ten Principles of Patch Management:

    1. Service packs should form the foundation of your patch management strategy
    2. Make Product Support Lifecycle a key element in your strategy
    3. Perform risk assessment using the Severity Rating System as a starting point
    4. Use mitigating factors to determine applicability and priority
    5. Only use workarounds in conjunction with deployment
    6. Issues with Security Updates are documented in the Security Bulletin Master Knowledge Base Article
    7. Test updates before deployment
    8. Contact Microsoft Customer Support Services if you encounter problems in testing or deployment
    9. Use only methods and information recommended for detection and deployment
    10. The Security Bulletin is always authoritative

    First of all (and you see that in the articles referenced above) it is of utmost importance to have a process in place. Basically, the core schema to run such a process is:

    [Figure: diagram of the core patch management process]

    I have seen different complexities in deploying such processes, from highly complex to pretty simple and straightforward ones. Those of you who know me know that my preference is KISS (Keep It Simple, Stupid). So, make the process as complex as necessary and as slim as possible.

    So, once you have the process in place and take a conscious decision, the question is about deployment and reporting.

    So, let’s talk about technology now.

    In order to get an overview of the state of your computers, you might use the Microsoft Baseline Security Analyzer. This is an excellent tool to scan your Windows machines and get an overview of the security state of the machines. It might not deliver the same level of sophistication as very expensive tools, but the difference is: we provide it for free and – in my opinion – it gives you a good starting point to look at vulnerabilities, including the level of Security Updates on a given PC. Here is an example of one of these assessments:

    [Figure: MBSA assessment report for one machine]

    But this does not really resolve your base problem: the Security Update compliance of the computers on your network, as well as the distribution of the updates to them. From my point of view, there are different options to do so:

    • If you are a small or medium business, one of the coolest solutions for you is System Center Essentials. It is System Center Configuration Manager, System Center Operations Manager and Windows Server Update Services in one package. However, it is limited to 30 servers and 500 clients. If you are within this limit, it rocks.
    • System Center Configuration Manager: If you already use this technology to distribute software and configurations, leverage this.
    • Windows Server Update Services: It is kind of unbelievable, but this is free! So, to be clear – we do not charge for it! You can download and install it, and it scales even for large Enterprises (did I tell you already that it is free?).
    • A third-party solution

    I am using WSUS and am more than happy with it. The way I am organized is that I regularly get a mail from WSUS with the current state of “the nation”:

    [Figure: WSUS status e-mail]

    As I am mail-driven, this allows me to see what I have to do with regards to WSUS. I can then log on to my WSUS server to get more granular reports:

    [Figure: WSUS server overview report]

    From here on, I can decide which actions I want to take, based on detailed reports I can get by clicking one of the texts in the UI:

    [Figures: WSUS detailed update reports]

    BTW: this machine has been patched in the meantime – so do not even think about it.

    Even if you cannot enforce the security update level technically that way (we will talk about Network Access Protection in a later post), it at least helps you to understand where you stand and what you have to do in order to get compliant.
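The reporting step described above (MBSA scan, WSUS status mail, detailed per-machine reports) can also be reproduced on a single machine from the command line. The script below is an added example written for this post, not code from the original post or from Microsoft; it uses the Windows Update Agent COM API (`Microsoft.Update.Session`), which is the same agent that reports to WSUS, so on a WSUS-managed client it only sees updates the WSUS administrator has approved. It lists the software updates that are not yet installed, then groups them by MSRC severity so you can start prioritising from the severity rating, as principle 3 of the list above suggests. It needs no module beyond what ships with Windows, and the `Search` call may take a minute and needs a reachable update source.

```powershell
# Added example (not from the original post): a local missing-update report using the
# Windows Update Agent COM API, the same agent that reports to WSUS. Works on PowerShell 2.0
# and later; run it on the machine you want to assess.

function Get-MissingSecurityUpdates {
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    # Software updates that are not installed and not hidden by an administrator.
    $result   = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
    foreach ($u in $result.Updates) {
        New-Object PSObject -Property @{
            Title      = $u.Title
            KB         = (@($u.KBArticleIDs) | ForEach-Object { "KB$_" }) -join ','
            Bulletins  = (@($u.SecurityBulletinIDs)) -join ','
            # MsrcSeverity is empty for non-security updates; report those as 'None'.
            Severity   = $(if ($u.MsrcSeverity) { $u.MsrcSeverity } else { 'None' })
            Downloaded = $u.IsDownloaded
        }
    }
}

function Get-SeveritySummary {
    param([object[]]$Updates)
    # Order the summary from most to least severe so the top line is what to deploy first.
    $order = @{ 'Critical' = 0; 'Important' = 1; 'Moderate' = 2; 'Low' = 3; 'None' = 4 }
    $Updates | Group-Object Severity | Sort-Object { $order[$_.Name] } |
        Select-Object @{ n = 'Severity'; e = { $_.Name } }, Count
}

$missing = @(Get-MissingSecurityUpdates)
"{0}: {1} update(s) missing" -f $env:COMPUTERNAME, $missing.Count
Get-SeveritySummary -Updates $missing | Format-Table -AutoSize
$missing | Sort-Object Severity | Format-Table Severity, KB, Bulletins, Downloaded, Title -AutoSize
```

Pipe the result of `Get-MissingSecurityUpdates` to `Export-Csv` if you want to collect the per-machine output centrally; it gives you the same "where do I stand" picture as the WSUS reports above, and a non-zero Critical count on a machine that WSUS believes is compliant is exactly the discrepancy the process step before this one is meant to catch.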

    Again (as I have done so often), my call to action to you: make sure that you have a straightforward process in place and then use technology (like WSUS) to deploy the updates and ensure that you have deployed them correctly!

    Roger

  • Security Development Lifecycle Template – Your next step to “Secure Development”

    You might remember it: on January 15th, 2002 Bill Gates wrote the famous memo on Trustworthy Computing to all the employees at Microsoft. This was probably one of the biggest initiatives at Microsoft and radically changed the way we develop software (and much, much more). I remember the first time I was on stage talking about Trustworthy Computing in 2002. I said that this is an industry initiative and not something for Microsoft only. A lot of people just smiled at me and told me that this was just another try to get out of our responsibility and blame the industry for our problems. However, we have come a long way since then.

    If you look at Bill’s memo back in 2002, there are a few remarkable statements in there, when it comes to the industry collaboration piece. He said that “We must lead the industry to a whole new level of Trustworthiness in computing.” and “It’s about smart software, services and industry-wide cooperation.”

    So, we started to introduce a process we called the Security Development Lifecycle at Microsoft. The process on a high level looks pretty familiar (I hope, at least):

    [Figure: the Security Development Lifecycle process diagram]

    The effect of this process was pretty impressive. Let’s look at a few key figures from our latest Security Intelligence Report. If we investigate the Security Bulletins we had to release in H1 2008 and compare the impact on Windows Vista and Windows XP, it looks like this:

    [Figure: Security Bulletins in H1 2008, Windows Vista vs. Windows XP]

    And our overall share of the industry-wide vulnerabilities dropped constantly:

    [Figure: Microsoft’s share of industry-wide vulnerabilities over time]

    It definitely had an effect on us – but we always wanted to share what we are doing within Microsoft to help you as a developer profit from what we learned. So, we have made SDL available for quite a while as books, trainings etc. Today we go an additional step to help reduce the other 97% of the industry-wide vulnerabilities as well.

    Today we announce the availability of a template for Visual Studio, with which you can integrate SDL into Visual Studio Team System – and I tell you, this is really, really cool. And as always with such initiatives, it is for free!

    As a teaser, here are a few screenshots:

    [Screenshot: SDL guidance page] This is the guidance page on SDL – kind of your starting point.

    [Screenshot: SDL dashboard] To run your project, you have a dashboard view.

    [Screenshot: SDL requirements] And last, but definitely not least, you have an overview of the SDL requirements.

    and there is much, much more!

    Now, I leave the word to the real pros. Read the blog post by our SDL team: Making Secure Code Easier.

    I wish you all a lot of success implementing SDL, and let’s reduce the industry-wide vulnerabilities.

    And – by the way – did I tell you already that we make it available for FREE?

    Roger

  • MS09-017: An out-of-the-ordinary PowerPoint security update

    Our Security Research and Defense team blogged on the PowerPoint security update we published on Tuesday. There are a few things which were not “business as usual”:

    • The update for the Windows version of PowerPoint went out before the Mac version. The reason is that we did not want to hold back the Windows version, which could protect a big majority of our customers.
    • We removed support for the PowerPoint 4 converter to reduce the attack surface significantly.
    • We addressed 14 (!) vulnerabilities in PowerPoint (do not tell me that we are not transparent with these things) – only one is publicly attacked at the moment.

    Read the details yourself: MS09-017: An out-of-the-ordinary PowerPoint security update 

    Roger
