• Security in 2013 – the way forward?

Typically January is the month where we are asked to make predictions on the trends for the New Year. I do not like this as I am an engineer and not a fortune teller :-). But there are things we know and things we definitely need to drive this year. I would actually put it into the context of typical hygiene of any IT environment.

Let's try to understand where we stand today. Compared with a few years back, we unfortunately see more skilled people in this space looking for either fast money or information. The criminals are more skilled, and I guess we see state actors attacking infrastructures as well. The big change, however, is that these attacks are not what they used to be. Today they are targeted and executed by highly skilled people with a clear goal and plenty of time. There is no rush, but they want to get a bang for the buck. They want to make sure that once they penetrate a network, the probability of getting discovered is low, and they want to stay in there as long as possible. This often leads to the situation where customers do not know that they are compromised, and once they figure it out, they cannot assess the impact because the attacker has been on the network longer than the backups of the logs last…

    To be clear, this is not to scare anybody, this is the reality we have seen in many, many customer networks across the globe in the last one to two years.

    If we look at a typical attack, it often follows similar patterns:

1. The attacker seeks a way to compromise a first computer. This is often done through social engineering, rarely through a sophisticated technical attack. The attacker distributes USB sticks with infected code, sends a mail to motivate the user to click on a link, etc. All very well-known patterns.
2. The user executes the malicious code, which in most cases installs remote access software that allows the attacker to take over the machine. Most probably the user needs admin access for this to work (not always).
3. The attacker downloads the needed tools and gains access to the locally cached credentials. Now, the attacker can only do this if he has administrative privileges – in other words, if the user runs as admin (or the attacker finds a vulnerability locally).
4. From here on the attacker tries to move laterally (to other user machines) until he finds a higher-value credential to move towards a higher-value target.
5. This chain often ends with a compromised Domain Administrator and therefore a lost Active Directory.

This describes a fairly typical attack leveraging Pass the Hash. The paper Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques describes this very well. If we look at the mitigations described in this paper and the mitigations that follow from the attack pattern above, they are actually not too hard to implement – for the most part they are natural for good network hygiene:

    • Restrict and protect high privileged domain accounts
    • Restrict and protect local accounts with administrative privileges
    • Restrict inbound traffic using the Windows Firewall

These are the key mitigations; however, there are some key recommendations in this paper which should be implemented as well:

• Remove standard users from the local administrators group: For how long have we been talking about this? User Account Control, which came with Windows Vista, was the technology that would enable this. It is really, really hard with Windows XP!
• Limit the number and use of privileged domain accounts: To me this goes in the same bucket as the local admin…
• Configure outbound proxies to deny Internet access to privileged accounts: Why should your Domain Administrator be able to access an obscure server somewhere in a foreign country?
• Ensure administrative accounts do not have email accounts: Obvious, no? You would be surprised how often we see admins doing daily business tasks with privileged accounts.
• Use remote management tools that do not place reusable credentials in a remote computer's memory: This is probably a bit harder to do, but it should and could be done.
    • Avoid logons to less secure computers that are potentially compromised
    • Update applications and operating systems: Patch, patch, patch. And then keep your software to the latest versions. I will come back to this.
    • Secure and manage domain controllers
    • Remove LM hashes

That's not too hard to do, is it? It should be part of the natural, everyday maintenance of your network, shouldn't it?
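The two recommendations in the list above about reusable credentials (avoid logons to less secure computers, use remote management that does not leave credentials behind) are checkable from logon events. The following is an added example, not code from the post or from the Pass-the-Hash paper: it walks a constructed set of Windows Security Event ID 4624 records and flags every logon where a privileged domain account used a logon type that places reusable credentials in the target's memory on a host outside the designated admin tier. The classification of logon types follows the one the PtH paper documents (network logons, type 3, do not leave reusable credentials; interactive, RDP, batch, service and the others listed do). The host names, account names and the dictionary shape of the events are assumptions made for the example.

```python
"""Added example: audit 4624 logon events for privileged-account logons that leave
reusable credentials on hosts outside the admin tier (constructed data, not from the post)."""
from collections import defaultdict

# Logon types (Event ID 4624, LogonType field) that place reusable credentials
# in LSASS memory on the target host. Network logon (type 3) is deliberately absent:
# it does not leave reusable credentials behind.
CRED_CACHING_LOGON_TYPES = {
    2: "Interactive",
    4: "Batch",
    5: "Service",
    7: "Unlock",
    8: "NetworkCleartext",
    9: "NewCredentials",
    10: "RemoteInteractive",
    11: "CachedInteractive",
}

# Assumed inventory: hosts where privileged logons are expected (domain controllers,
# admin workstations). Everything else is a "less secure computer".
ADMIN_TIER_HOSTS = {"DC01", "DC02", "PAW-ADM01"}

# Assumed list of privileged domain accounts (DOMAIN\\user), e.g. from Domain Admins.
PRIVILEGED_ACCOUNTS = {"CORP\\da-roger", "CORP\\svc-backup"}

# Constructed 4624-style events; field names follow the event's XML EventData.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetDomainName": "CORP", "TargetUserName": "da-roger",
     "LogonType": 2, "Computer": "DC01"},            # admin on a DC: expected
    {"EventID": 4624, "TargetDomainName": "CORP", "TargetUserName": "da-roger",
     "LogonType": 10, "Computer": "WS-SALES-17"},    # RDP to a workstation: flagged
    {"EventID": 4624, "TargetDomainName": "CORP", "TargetUserName": "da-roger",
     "LogonType": 3, "Computer": "WS-SALES-17"},     # network logon: no cached creds
    {"EventID": 4624, "TargetDomainName": "CORP", "TargetUserName": "jdoe",
     "LogonType": 2, "Computer": "WS-SALES-17"},     # standard user: not in scope
    {"EventID": 4624, "TargetDomainName": "CORP", "TargetUserName": "svc-backup",
     "LogonType": 5, "Computer": "FS01"},            # privileged service account: flagged
    {"EventID": 4625, "TargetDomainName": "CORP", "TargetUserName": "da-roger",
     "LogonType": 2, "Computer": "FS01"},            # failed logon: ignored here
]


def account_name(event):
    """Build DOMAIN\\user from the event's target fields."""
    return f"{event['TargetDomainName']}\\{event['TargetUserName']}"


def find_risky_logons(events, privileged=PRIVILEGED_ACCOUNTS, admin_hosts=ADMIN_TIER_HOSTS):
    """Return (account, host, logon kind) for each successful logon of a privileged
    account that cached reusable credentials on a host outside the admin tier."""
    privileged_lc = {p.lower() for p in privileged}
    admin_lc = {h.lower() for h in admin_hosts}
    findings = []
    for e in events:
        if e.get("EventID") != 4624:
            continue
        account = account_name(e)
        if account.lower() not in privileged_lc:
            continue
        kind = CRED_CACHING_LOGON_TYPES.get(e["LogonType"])
        if kind is None:
            continue  # network logon or unknown type: nothing reusable left behind
        if e["Computer"].lower() in admin_lc:
            continue  # admin-tier host: this is where these accounts belong
        findings.append((account, e["Computer"], kind))
    return findings


def exposed_hosts(findings):
    """Group findings by host: which privileged credentials may now sit in memory where.
    This is the impact picture the post says compromised customers usually cannot produce."""
    exposure = defaultdict(set)
    for account, host, _kind in findings:
        exposure[host].add(account)
    return dict(exposure)


if __name__ == "__main__":
    for account, host, kind in find_risky_logons(SAMPLE_EVENTS):
        print(f"{account} left reusable credentials on {host} via {kind} logon")
    print(exposed_hosts(find_risky_logons(SAMPLE_EVENTS)))
```

In a real environment the events would come from the forwarded Security log and the privileged account list from the Domain Admins and equivalent groups; the rule itself does not change.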

One point which has not been mentioned so far is monitoring. This is all about finding the needle in the haystack, but it can be done – we (at Microsoft) do it. Why should a machine all of a sudden connect to another country when it never did before? There might be reasons for this, but sometimes there are none. If you read my latest post, you will see one of these examples: An Attack via VPN – Really?
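The "machine suddenly connects to a country it never did before" check above is a baselining problem. Here is an added example of that logic (not code from the post or from Microsoft's monitoring): it builds a per-host baseline of destination countries from a constructed set of egress records, then reports every (host, country) pair in a later window that the host has never been seen with. It also marks whether the country is new for the whole organisation, which is the stronger signal for triage. The log format, host names, IP addresses and countries are assumptions made for the example; the country is assumed to have been added by the log pipeline through a GeoIP lookup.

```python
"""Added example: per-host baseline of egress destination countries and detection of
first-time destinations (constructed records, not from the post)."""
from collections import defaultdict

# Constructed egress records: "timestamp host dst_ip dst_country". Addresses are from
# documentation ranges; countries are assumed to come from a GeoIP enrichment step.
BASELINE_LOG = """\
2013-01-07T09:02:11 WS-SALES-17 203.0.113.5 US
2013-01-07T09:05:40 WS-SALES-17 198.51.100.20 US
2013-01-07T10:11:03 WS-SALES-17 192.0.2.44 DE
2013-01-07T10:30:19 WS-HR-03 203.0.113.5 US
2013-01-08T11:42:57 WS-HR-03 192.0.2.44 DE
2013-01-08T14:00:00 FS01 198.51.100.20 US
"""

# Constructed later window to evaluate against the baseline.
NEW_LOG = """\
2013-01-21T03:14:02 WS-SALES-17 203.0.113.5 US
2013-01-21T03:14:09 WS-SALES-17 192.0.2.99 DE
2013-01-21T03:15:27 WS-SALES-17 198.51.100.77 RO
2013-01-21T09:00:00 FS01 192.0.2.44 DE
2013-01-21T09:01:00 FS01 198.51.100.77 RO
this line is malformed and must be skipped
"""


def parse_flows(text):
    """Yield (timestamp, host, country) for each well-formed record; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, host, _dst_ip, country = parts
        yield ts, host, country


def build_baseline(text):
    """Map each host to the set of destination countries it has been seen talking to."""
    baseline = defaultdict(set)
    for _ts, host, country in parse_flows(text):
        baseline[host].add(country)
    return dict(baseline)


def find_new_destinations(baseline, text):
    """Return one finding per (host, country) pair absent from that host's baseline.
    org_wide_new is True when no baselined host has ever reached that country."""
    known_anywhere = set().union(*baseline.values()) if baseline else set()
    reported = set()
    findings = []
    for ts, host, country in parse_flows(text):
        if country in baseline.get(host, set()) or (host, country) in reported:
            continue
        reported.add((host, country))
        findings.append({
            "first_seen": ts,
            "host": host,
            "country": country,
            "org_wide_new": country not in known_anywhere,
        })
    return findings


if __name__ == "__main__":
    base = build_baseline(BASELINE_LOG)
    for f in find_new_destinations(base, NEW_LOG):
        tag = "NEW FOR ORG" if f["org_wide_new"] else "new for host"
        print(f'{f["first_seen"]} {f["host"]} -> {f["country"]} ({tag})')
```

As the post says, a new destination is not proof of anything on its own; the output is a short list for an analyst to look at, and the baseline window has to be long enough to cover the normal business cycle of each host.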

    Let me add a few final comments:

• A lot of the customers we find compromised are surprised that they have unpatched machines (well, some of them have unpatched machines and are not surprised…). Implement a strong patch management process, covering not only the Microsoft product suite. Ours is the easiest to keep up to date. I did not say it is easy, I said it is the easiest, based on the technology, the update mechanism and the information we provide. That's not only me saying this; a lot of customers tell me this.
• Get off Windows XP! That's probably the number 1 thing which keeps me up at night. There are too many Windows XP machines out there. Windows XP is more than a decade old! Think back to how you used the Internet a decade ago and then think again about the ability of Windows XP to protect you. It does not anymore. It was a great OS, it is rock-solid and just works – but it is out of date! I have two slides showing the evolution of the Internet and the evolution of the threat landscape, as well as the evolution of security in Windows since Windows 95. If you are interested, I am happy to share.
• Implement network isolation: At Microsoft IT, we use IPsec authentication to segment the network and isolate trusted from less trusted from untrusted systems. This technology has been out there for ages – use it.

Therefore, if you think about network hygiene in 2013, look at the points above and get started. It is basically just normal maintenance of your network. Just do it.

    Roger

  • Try Office 365 Home Premium

Today is the day we launched Office 2013 officially to the broad market. This is a really cool step forward you should look at:

Go to http://office.microsoft.com and give it a try. For only $8/year you get the ability to have it on up to 5 PCs or Macs (well, I guess you choose PCs :-)).

    Enjoy

    Roger

  • New book on Direct Access

    A lot of customers are asking us about Direct Access and how you can implement it. Erez Ben Ari (a Senior Support Escalation Engineer at Microsoft) and Bala Natarajan (a Program Manager in our Windows division) wrote a book on that called Windows Server 2012 Unified Remote Access Planning and Deployment. This is the abstract:

    DirectAccess, introduced in Windows Server 2008 R2, has been a ground breaking VPN-like connectivity solution, adopted by thousands of organizations worldwide. Allowing organizations to deploy without manually configuring every client and providing always-on connectivity has made this technology world-famous. Now, with Windows Server 2012, this has been made even easier to deploy, with a new friendly user interface, easy-start wizard and built in support tools.

    With Unified Remote Access, Windows server 2012 offers a unique way to provide remote access that is seamless and easier to deploy than traditional VPN solutions.

    With URA, the successor to DirectAccess, your users can have full network connectivity that is always-on. If you have deployed Windows Server 2012 or are planning to, this book will help you implement Unified Remote Access from concept to completion in no time!

    Unified Remote Access, the successor to DirectAccess, offers a new approach to remote access, as well as several deployment scenarios to best suit your organization and needs. This book will take you through the design, planning, implementation and support for URA, from start to finish.

    "Windows Server 2012 Unified Remote Access Planning and Deployment" starts by exploring the mechanisms and infrastructure that are the backbone of URA, and then explores the various available scenarios and options. As you go through them, you will easily understand the ideal deployment for your own organization, and be ready to deploy quickly and easily. Whether you are looking into the simplest deployment, or a complex, multi-site or cloud scenario, "Windows Server 2012 Unified Remote Access Planning and Deployment" will provide all the answers and tools you will need to complete a successful deployment.

So, if you are interested… The link above allows you to buy :-)

    Roger

  • The Directory in the Cloud?

It seems that it was an eternity ago – and it was. Pretty much three years ago, Doug Cavit and I published a paper called Cloud Computing Security Considerations. Even though it is three years old, the paper is still worth reading as the content still applies. What we basically said was that if you look at the Cloud, there are five areas of consideration:

    • Compliance and Risk Management: Organizations shifting part of their business to the cloud are still responsible for compliance, risk, and security management.
    • Identity and Access Management: Identities may come from different providers, and providers must be able to federate from on-premise to the cloud, as well as to enable collaboration across organization and country borders.
    • Service Integrity: Cloud-based services should be engineered and operated with security in mind, and the operational processes should be integrated into the organization's security management.
    • Endpoint Integrity: As cloud-based services originate–and are then consumed–on-premise, the security, compliance, and integrity of the endpoint have to be part of any security consideration.
    • Information Protection: Cloud services require reliable processes for protecting information before, during, and after the transaction.

In such a context, identity is one of the key challenges. Our statement was fairly clear (and still is): if you move to the Cloud, you definitely should not use a provider you cannot federate your identity to, as you do not want to add an additional identity for your users, and you will definitely want to control the process. Imagine the situation where you have to lay off an employee and this user still has access to your public cloud through any PC connected to the Internet.

This led us to an interesting paradox: we needed a directory in the Cloud to run Windows Azure and Office 365, but most probably the directory will be the last server a customer switches off… Really? Well, think again. Maybe you want to consume something like "Identity as a Service"?

    Our French team released a paper called: Active Directory from on-premises to the cloud. From the abstract:

    Identity management, provisioning, role management, and authentication are key services both on-premises and through the (hybrid) cloud. With the Bring Your Own Apps (BYOA) for the cloud and Software as a Service (SaaS) applications, the desire to better collaborate a la Facebook with the "social" enterprise, the need to support and integrate with social networks, which lead to a Bring Your Own Identity (BYOI) trend, identity becomes a service where identity "bridges" in the cloud talk to on-premises directories or the directories themselves move and/or are located in the cloud.

    Active Directory (AD) is a Microsoft brand for identity related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). Windows Azure AD is AD reimagined for the cloud, designed to solve for you the new identity and access challenges that come with the shift to a cloud-centric, multi-tenant world.

    Windows Azure AD can be truly seen as an Identity Management as a Service (IDMaaS) cloud multi-tenant service. This goes far beyond taking AD and simply running it within a VM in Windows Azure.

    This document is intended for IT professionals, system architects, and developers who are interested in understanding the various options for managing and using identities in their (hybrid) cloud environment based on the AD foundation and how to leverage the related capabilities. AD, AD in Windows Azure and Windows Azure AD are indeed useful for slightly different scenarios.

    Enjoy

    Roger

  • An Attack via VPN – Really?

I was just made aware of a case study which describes a really interesting "attack" on a US company via VPN. Things are sometimes not what they seem…

    You should read this: Case Study: Pro-active Log Review Might Be A Good Idea

    Roger