Dr. Tom Shinder's Blog

SMB2 Parser Now Available for Network Monitor 3.1

One of your key skills as a Microsoft network security admin is to be able to read network traces. In order to read network traces, you need a way to obtain them. One of the best (and free) network analysis tools available today is the Microsoft Network Monitor. No, I’m not talking about the old Network Monitor included with versions of Systems Management Server (SMS). I’m talking about the new, standalone version, Network Monitor 3.x.

However, you need more than just a network analysis tool. You need parsers that the tool can use to decode the protocols you're capturing; without a parser for a protocol, all you see is raw bytes. The latest version of SMB, SMB2 (introduced with Windows Vista and Windows Server 2008), hasn't had a parser for Network Monitor. That is, until now.

Download your new parser for NetMon 3.1 at:

http://blogs.technet.com/netmon/archive/2008/05/06...1.aspx
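As an added example of what a protocol parser actually does at this layer (this is illustrative Python written for this page, not Microsoft's Network Monitor parser, whose NPL source is what the link above points to), here is a minimal decoder for the SMB2 header as laid out in the public MS-SMB2 specification. It walks the direct-over-TCP framing used on port 445, follows the NextCommand chain through a compound request, and rejects malformed lengths and offsets instead of trusting them, which matters because a parser that believes whatever is on the wire is itself an attack surface. The sample packet, its session ID and its tree ID are constructed here for the demonstration.

```python
"""Minimal SMB2 header parser for the direct-over-TCP transport (port 445).
Added example, not the Network Monitor parser; layout per the public MS-SMB2 spec.
The sample packet at the bottom is constructed here for the demonstration."""
import struct

SMB2_MAGIC = b"\xfeSMB"  # 0xFE 'S' 'M' 'B'
SMB1_MAGIC = b"\xffSMB"  # 0xFF 'S' 'M' 'B' (legacy CIFS / SMB1)
HEADER_LEN = 64

SMB2_COMMANDS = {
    0x0000: "NEGOTIATE", 0x0001: "SESSION_SETUP", 0x0002: "LOGOFF",
    0x0003: "TREE_CONNECT", 0x0004: "TREE_DISCONNECT", 0x0005: "CREATE",
    0x0006: "CLOSE", 0x0007: "FLUSH", 0x0008: "READ", 0x0009: "WRITE",
    0x000A: "LOCK", 0x000B: "IOCTL", 0x000C: "CANCEL", 0x000D: "ECHO",
    0x000E: "QUERY_DIRECTORY", 0x000F: "CHANGE_NOTIFY", 0x0010: "QUERY_INFO",
    0x0011: "SET_INFO", 0x0012: "OPLOCK_BREAK",
}
FLAG_SERVER_TO_REDIR = 0x01  # message is a response
FLAG_ASYNC_COMMAND = 0x02    # header carries AsyncId instead of Reserved/TreeId
FLAG_RELATED_OPS = 0x04      # message is part of a compound chain
FLAG_SIGNED = 0x08           # Signature field is populated


def detect_dialect(buf):
    """Classify a message by its 4-byte protocol id (what a sniffer does first)."""
    if buf[:4] == SMB2_MAGIC:
        return "SMB2"
    if buf[:4] == SMB1_MAGIC:
        return "SMB1"
    return "unknown"


def parse_smb2_header(buf, offset=0):
    """Decode the 64-byte SMB2 header at buf[offset:]; raise ValueError if malformed."""
    if len(buf) - offset < HEADER_LEN:
        raise ValueError("truncated SMB2 header")
    if buf[offset:offset + 4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message")
    # Little-endian fields after the magic: StructureSize, CreditCharge, Status,
    # Command, CreditRequest/Response, Flags, NextCommand, MessageId.
    (struct_size, credit_charge, status, command, credits,
     flags, next_command, message_id) = struct.unpack_from("<HHIHHIIQ", buf, offset + 4)
    if struct_size != HEADER_LEN:
        raise ValueError("bad StructureSize %d" % struct_size)
    if flags & FLAG_ASYNC_COMMAND:
        (async_id,) = struct.unpack_from("<Q", buf, offset + 32)
        tree_id = None
    else:
        _reserved, tree_id = struct.unpack_from("<II", buf, offset + 32)
        async_id = None
    (session_id,) = struct.unpack_from("<Q", buf, offset + 40)
    return {
        "command": command,
        "command_name": SMB2_COMMANDS.get(command, "UNKNOWN(0x%04x)" % command),
        "is_response": bool(flags & FLAG_SERVER_TO_REDIR),
        "related": bool(flags & FLAG_RELATED_OPS),
        "signed": bool(flags & FLAG_SIGNED),
        "status": status, "credit_charge": credit_charge, "credits": credits,
        "message_id": message_id, "tree_id": tree_id, "async_id": async_id,
        "session_id": session_id, "next_command": next_command,
        "signature": buf[offset + 48:offset + 64],  # decoded, not verified
    }


def parse_direct_tcp(packet):
    """Walk one direct-TCP segment (zero byte + 24-bit big-endian length) and
    return every header in its compound chain, validating each NextCommand."""
    if len(packet) < 4 or packet[0] != 0:
        raise ValueError("bad transport header")
    length = int.from_bytes(packet[1:4], "big")
    if length != len(packet) - 4:
        raise ValueError("transport length %d != payload %d" % (length, len(packet) - 4))
    headers, offset = [], 4
    while True:
        hdr = parse_smb2_header(packet, offset)
        headers.append(hdr)
        nxt = hdr["next_command"]
        if nxt == 0:
            return headers
        # NextCommand is relative to this header: must be 8-byte aligned and in bounds.
        if nxt % 8 or nxt < HEADER_LEN or offset + nxt + HEADER_LEN > len(packet):
            raise ValueError("bad NextCommand offset %d" % nxt)
        offset += nxt


def build_header(command, message_id, flags=0, next_command=0, session_id=0, tree_id=0):
    """Encode a synchronous SMB2 header (used only to construct the sample packet)."""
    return (SMB2_MAGIC
            + struct.pack("<HHIHHIIQ", HEADER_LEN, 0, 0, command, 1, flags, next_command, message_id)
            + struct.pack("<II", 0, tree_id) + struct.pack("<Q", session_id)
            + b"\x00" * 16)  # zero signature


def sample_packet():
    """Constructed compound request: CREATE, then a related, signed CLOSE (dummy bodies)."""
    sess = 0x1122334455667788  # made-up session id
    first = build_header(0x0005, 5, next_command=72, session_id=sess, tree_id=1) + b"\x00" * 8
    second = build_header(0x0006, 6, flags=FLAG_RELATED_OPS | FLAG_SIGNED,
                          session_id=sess, tree_id=1) + b"\x00" * 24
    body = first + second
    return b"\x00" + len(body).to_bytes(3, "big") + body


if __name__ == "__main__":
    for h in parse_direct_tcp(sample_packet()):
        print("%-6s msg=%d tree=%s signed=%s related=%s"
              % (h["command_name"], h["message_id"], h["tree_id"], h["signed"], h["related"]))
```

Run it directly and it prints one line per header in the sample chain. It decodes the Signature field but does not verify it: verification needs the session key, which a trace never contains, so a sniffer can only tell you whether signing was in use, not whether the signature is valid.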

HTH,

Tom

Thomas W Shinder, M.D.
Site: http://www.isaserver.org/

Blog: http://blogs.isaserver.org/shinder/
GET THE NEW BOOK! Go to 
http://tinyurl.com/2gpoo8
Email: tshinder@isaserver.org
MVP — Microsoft Firewalls (ISA)

Two Great Tastes that Taste Great Together: NAP and Forefront Client Security

You know about Network Access Protection (NAP). It's the new Windows Server 2008 technology that lets you control which hosts may connect to your network based on the security configuration (the health state) of the client systems that try to connect. A client that fails the NAP health checks is not allowed to communicate with hosts on your network, except for the remediation servers you have explicitly allowed it to reach so that it can fix the problem and try again.

Forefront Client Security (FCS) is an enterprise grade anti-malware solution that provides for centralized management of malware detection and prevention that also gives you enterprise security status reporting.

Wouldn't it be great if you could have these two technologies work together, so that you could establish a system health policy that NAP uses to decide whether client computers running Forefront Client Security comply with that policy before they are allowed access to network resources? Yes it would!

If you agree, then check out the Microsoft Forefront Integration Kit for Network Access Protection at http://blogs.technet.com/secguide/archive/2008/03/...n.aspx

The benefits of the solution include:

  • Boosts security.  The Kit strengthens your malware defenses by integrating two key Microsoft security technologies: Forefront Client Security and Network Access Protection, so a client that doesn't meet the FCS health policy can be kept off the production network until it is fixed.
  • Saves time and reduces IT costs.  The Kit's system health validator (SHV), which runs on the Network Policy Server, lets you quickly establish health policies for Forefront Client Security installations on all network clients. The system health agent (SHA) on each client reports the health of its installation and remediates problems automatically, freeing up scarce IT resources for other tasks.
  • Easy to deploy.  You can install and configure the Kit in just a couple of hours.

HTH,

Tom


Securing Information from Legal Intruders

I ran across an interesting blog post over at http://www.crunchgear.com/2008/05/05/locking-down-...e-tsa/ which describes ways to protect information on a laptop that might be examined by customs agents. As you might know, even for a US citizen the Fourth Amendment's usual warrant and probable-cause requirements largely do not apply at the border, where customs can search your belongings, laptop included, on its own authority. No, this has nothing to do with the Patriot Act, or George Bush, or anything else you might want to blame: it has always been this way.

While the blog post is more focused on how criminals can hide their illegal data from the authorities, there's a more important question to consider here. Suppose you carry a laptop for your business, and you and your company have clearance to access classified government information. You keep some of that information on your laptop. The customs agent asks to view the contents of your laptop. What should you do? The customs agent does not hold your clearance and therefore must not see that information.

You could try to explain your situation, but that's not likely to help, and it would most likely raise the agent's attention and make him even more interested in the data on your hard disk. Now you're truly between a rock and a hard place: you'll get nailed for not cooperating with the customs agent, and you'll get nailed by the federal agency you're working with for exposing classified information to someone without the required clearance.

The same is true even if you're not working with the government. You could be working in the financial services sector and have information that will move millions or billions of dollars in the markets. If that information is on your laptop and the agent inspects it, that agent now holds information that can be sold on the gray or black markets and could put your company, and many others, at risk.

What should you do? My best advice for you is to never put sensitive information on a laptop. That’s what I do. Laptops are lost and stolen too frequently to make it worth taking a chance on sensitive information being lost due to misplacing my laptop.

However, there are other ways to get at sensitive information than just looking at file contents on the laptop. How about your mail account? I'm sure you saved your user name and password in Outlook so that you won't have to enter it every time. Now the agent has access to your email account and all the private data contained therein.

Also, you might have a VPN connectoid configured to save your user name and password. Now the agent has access to your entire network and any data you're authorized to access there. That can become a very interesting situation.

The VPN and email solutions are easy. Don't save your passwords. It always shocks me when security admins give in and allow users to save their email passwords locally on a laptop. But too often ease of use (laziness) trumps security.

For those of you who don't want to type passwords, there is a solution. On your laptop, install only the base operating system. Then create a virtual machine and place it on a high-capacity SD card or USB key. Install all of your applications and files inside the virtual machine. Then install VMware or Virtual PC on the laptop. Plug the removable media into the laptop, start the virtual machine, and go to town! All data, passwords and other information are saved inside the VM. When you shut down the VM and pull the media, very little is left on the laptop. Very little is not nothing, though: the virtualization software keeps a recent-VM list that names the volume you ran from, and VM memory that the host paged out can survive in the host page file, so clear those too before you travel. And the removable media is itself a searchable item, so keep it encrypted and carry it separately from the laptop.

Since customs is mainly interested in your laptop, all they're going to see is Windows XP or Vista in an out-of-the-box configuration, as long as they don't also ask to inspect the removable media.

HTH,

Tom


How Microsoft IT Secures Mobile Devices

As an MS security admin, you know that probably your biggest challenge today is securing mobile devices. There are the various versions of Windows Mobile, the BlackBerry, the iPod, and the other phones that are waiting to connect to your network.

Some of these devices are built with security in mind and support multiple methods that can be used to secure the configuration of the device, secure the data on the device, and secure the connections that the device makes to your corporate network. Other devices aren’t so focused on security and are more focused on “cool”. But regardless of the device, you can be sure that your users are going to ask you to “hook them up”.

In the past you could have told them "no". But this is becoming less of an option as these devices become increasingly pervasive. The boss sets the tone. He's got the cool new Windows Mobile 6 Samsung i760, then a VP comes in with an iPod, and then another senior exec wants the BlackBerry to work. Then there's the mobile sales force, and the various network and application admins who don't want to have to carry a laptop around everywhere.

So how do you do it? Why not learn from the best? Microsoft is well known for giving its users relatively free rein over the network, so it's no surprise that it goes out of its way to allow users network access from mobile devices. Join this webcast and find out how Microsoft IT is enabling its mobile workforce by deploying the Windows Mobile platform. Microsoft IT fully integrates Windows Mobile features and applications with its established hardware and infrastructure, and its future plans include security policy migrations such as moving to two-factor authentication across the board.

You can find the Webcast at: http://msevents.microsoft.com/CUI/WebCastEventDeta...ode=US

HTH,

Tom


Microsoft Hello Secure World

Not being a developer myself, I don't spend a lot of time searching out information on secure software development. However, I recently found a site that makes secure software development education interesting to non-developers. The site is called Microsoft Hello Secure World. There are a number of useful and interesting presentations that you can watch and listen to on the site, and a virtual lab that you can use to bone up on how to avoid common coding mistakes.

Check it out at:

http://www.microsoft.com/click/hellosecureworld/de...t.mspx

HTH,

Tom


The Power of Creating Secure Software using the Microsoft Security Development Lifecycle

I've written in the past about the areas where you need to implement security. My personal focus is network security, because my primary interest is in network firewalls, especially the ISA Firewall. However, there are many layers that need to be taken care of before you can say you've implemented a defense-in-depth security policy. I would argue that the most important consideration is the security of the software you deploy. In other words, is the software itself secure?

Building secure software is not magic. It's the result of hard work and dedication to secure software development principles. Many software developers rely on penetration tests, and on security bugs reported after the software is released, to find their security problems. But is that the best way to do things?

To build secure software, you have to make sure that the software is created with security in mind. Security needs to be built in at every step of the process. From the planning phase, to the development phase, to the testing phase, to the post-release phase, security procedures need to be built in so that security bugs never appear in the first place.

This is where the Microsoft Security Development Lifecycle (SDL) comes in. The SDL includes a number of processes and procedures that apply throughout the entire lifecycle of a software product: threat modeling during design, secure coding rules and static analysis during implementation, fuzzing and security testing during verification, and a final security review before release. Security isn't something that's taken care of at the end of development, where pen testing is used to find whatever vulnerabilities are left. Instead, security is built in each step of the way, so that a proactive approach prevents vulnerabilities from ever appearing. Pen testing is still used, but if the SDL is properly employed, it should find very little.

The figure below compares the number of vulnerabilities found in the first year after release for Windows XP and Windows Vista, as well as other operating systems. Just comparing Windows XP and Vista shows a 50% reduction in vulnerabilities. And when you compare Vista to other operating systems, it's clear that the SDL makes a profound difference when it comes to creating more secure software.

Some might argue that just counting vulnerabilities is not the best way to measure how secure software is out of the box. I won't argue for or against that point. However, if you're choosing between Microsoft and another vendor, just ask the other vendor what policies, processes and procedures they have in place to ensure that their software is secure by design, and have them compare their processes with the Microsoft SDL. If they can't answer these questions, or give you the party line (this is FUD, what does Microsoft know about security, etc.), then consider the potential (and hidden) security issues with their software.

For a great discussion on this issue, check out:

http://www.microsoft.com/technet/community/columns...8.mspx

For more information on the Security Development Lifecycle:

http://msdn.microsoft.com/en-us/library/ms995349.aspx

http://www.microsoft.com/downloads/details.aspx?Fa...ang=en

HTH,

Tom


103 Free Security Utilities

I ran across a great collection of free security utilities, many of which can prove useful to any Windows security administrator.

Check out a list of these free Security Tools at:

http://www.itsecurity.com/features/103-best-free-s...41608/

Note that not all of them are freeware. Some are 30-day trial versions that lose functionality after the trial period runs out. But there's still enough on this list that you should find something that will help out your company or home network.

HTH,

Tom


The Microsoft Security Awareness Toolkit

While most of us consider the installation, configuration and maintenance of security software on the network to be the most daunting task of a network security program, probably the most challenging aspect of security is getting employee buy-in. Without the help of your users, many of your technological solutions will fail. However, if you can get your users on board with your overall security vision and implementation, you'll significantly increase the value of your security software investment.

This is where the Microsoft Security Awareness Toolkit can help. The toolkit includes a number of resources that you can use to help your users understand network security and to motivate them to help maintain the security of the network and the resources it contains.

The toolkit includes:

  • Brochure Templates
  • E-Mail Invite Template
  • Fact Sheet Templates
  • FAQs
  • Newsletter Template
  • Poster Templates
  • PowerPoint Templates
  • Quick Reference Card

To download the toolkit, check out:

http://www.microsoft.com/technet/security/understa...s.mspx

HTH,

Tom


Follow Up on Home Network Awareness Program

Yesterday I wrote about a Web site promoting something called the Home Network Awareness Program. This site claims to be affiliated with the Department of Homeland Security and throughout the site makes it a point to appear as a legitimate community effort to help reduce the risks of terrorism by analyzing network traces of home networks and any available public network. While this is clearly a non-starter and farcical to a seasoned network security admin, people with a less jaundiced eye would easily accept this as a legitimate site.

However, if you check the blog of Emery Martin of Brooklyn, New York, the founder of the site, you'll see the following:

“The Neighborhood Network Watch (NNW) aims to address the lack of criticality being leveled at these areas, along with raising public awareness about the security issues with public networks, and revealing the malleable nature of information and data. It aims to do this by taking on the role of a government sanctioned community organization that is a hyperreal manifestation composited from current government agencies and potential future agencies.” (Italics mine)

So, Mr. Martin is using his Web site to impersonate a legitimate government authority in order to obtain personally identifiable information that is in flight on home and business wired and wireless networks. I think we have an official term for this type of site: it's called a phishing site. Check out http://www.google.com/search?hl=en&rls=GGLG,GG...=title to see the definitions of phishing, and you'll find that the http://dhsnnw.org site meets these requirements.

What's interesting is that none of the phishing filters I work with tagged this site. Maybe it's too new? Maybe it's not popular enough? Or maybe the people who search for phishing sites were fooled into thinking it was a legit site too.

The Register did a nice article debunking this site (http://www.theregister.co.uk/2008/04/24/neighborho...asked/). It turns out that Mr. Martin is a graduate student in Interactive Telecommunications at New York University's Tisch School of the Arts and the site is his Master's thesis.

HTH,

Tom


Automatic Update May Have Led to Email Denial of Service

I have been on the road a lot in the last month and haven’t had much time to perform basic computer maintenance on my primary workstation. My workstation is somewhat of a monster of cables and external hard drives, external DVD writers, and a dual wide screen monitor setup. There’s about 4 terabytes connected to this box, including all my research and work materials, virtual machines, and the standard and non-standard applications someone in the info security spaces collects over the years.

The machine runs Windows XP SP2 (yes, I haven't taken the leap to Vista, mostly because the "Remote Desktops" administrator MMC does not work with Vista) and after running the uptime tool I discovered that it had been running for 42 days. I wasn't too worried about that uptime, but I was concerned that I hadn't installed any updates during that time. So I clicked the Windows Update icon in the system tray to get things going. It seemed to take quite a while to get the updates running, and after about 15 minutes I saw a pop-up window come from the tray saying "Your Antivirus Definitions Have Been Updated". Oh great, Norton decided to install AV definitions and update its application at the same time I was installing Windows Updates.

Well, nothing bad seemed to happen after the restart. About an hour later I needed to reply to an email message and received the error "There is a Problem with the Messaging Interface — please restart Outlook". I knew this was going to be bad, because when Outlook goes sour it's going to be a long day.

I tried to repair Outlook, but received an error that a file was missing from the MSOCache. I tried to reinstall Outlook, but that didn't work. I considered uninstalling and reinstalling Outlook, but decided to cut my losses (of time, that is) and just restore an image of the machine from when it was working.

Since then, Norton AV has updated itself and Outlook still works. I haven't installed the Microsoft Updates yet. However, I suspect that the unholy confluence of installing Windows Updates and AV Updates did something that had a negative impact on Outlook, and maybe on other applications if I had taken the time to find out.

Solution? That's the hard part. I would recommend that you set your AV updates to be manual, but that's not a good idea. Perhaps I should have set the Windows Updates to automatic? That's probably the best solution, but again, it doesn't make sure that both update installation processes take place at the same time.

At this point, I’ll just have to chalk this up to a “day in the life” of a sysadmin :)

Thanks!

Tom

