Dr. Tom Shinder’s Blog

BitLocker Drive Preparation Tool

BitLocker is a volume encryption technology that encrypts entire disk volumes. With Vista SP1 and Windows Server 2008, you can encrypt both the boot volume (the one that contains the Windows system files) and data volumes. Vista prior to SP1 allows you to encrypt only the boot volume.

BitLocker can be used with or without a Trusted Platform Module (TPM) and with or without a USB key. The TPM lets BitLocker check the integrity of the startup components before it releases the volume key and boots into the operating system. If you use only the TPM, the machine boots normally without anyone having to authenticate, which also means that whoever has the machine gets as far as the Windows logon screen without supplying any BitLocker secret.

For a more secure startup routine, you can require a USB key or a PIN at boot. The user must then insert the USB key holding the startup key, or enter the PIN configured during BitLocker setup, or the machine won't boot. The best configuration is a TPM to confirm the integrity of the startup routine, combined with a USB key or PIN for startup authentication.

Before you can get BitLocker up and running, you need Vista Enterprise or Ultimate Edition, or Windows Server 2008. The TPM is not a requirement, but without it you won't get the startup integrity check. If you want to use a USB key, your BIOS must be able to read a USB device at boot. Note that a startup PIN is only available together with a TPM (TPM plus PIN); on a machine without a TPM, the USB startup key is the only supported startup authentication, so a USB-capable BIOS is then mandatory.

In all cases, the hard drive needs at least two NTFS partitions. The first partition, which must be at least 1.5 GB, is the unencrypted system partition that holds the files needed to start the computer. The second is the boot partition, which holds the Windows system files and is the one BitLocker encrypts.

What if you have a new Windows Vista computer and the drive hasn't been set up this way? You aren't stuck: use the BitLocker Drive Preparation Tool. It shrinks the existing volume, creates the active system partition and moves the boot files onto it, so that you can get BitLocker up and running.
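The checks above (edition, TPM, partition layout, current protection state) can be scripted rather than eyeballed. The following is an added example, not code from the original post or from Microsoft's tool; it uses the Win32_OperatingSystem, Win32_Volume, Win32_Tpm and Win32_EncryptableVolume WMI classes, assumes an elevated PowerShell 2.0 or later session on Vista SP1 / Windows Server 2008 or later, and uses the 1.5 GB figure quoted above as the threshold for the system partition:

```powershell
# Added example, not from the original post: check the BitLocker prerequisites
# described above and report protection status on the local machine.
# Assumptions: elevated PowerShell 2.0+; the 1.5 GB figure is the one in the post.
function Test-BitLockerReadiness {
    $minSystemBytes = 1.5GB
    $report = @{}

    # 1. Edition: Win32_OperatingSystem.Caption carries the edition name.
    $os = Get-WmiObject -Class Win32_OperatingSystem
    $report.Edition   = $os.Caption
    $report.EditionOk = [bool]($os.Caption -match 'Enterprise|Ultimate|Server 2008')

    # 2. TPM: the class only exists when a TPM driver is loaded, so $null means
    #    "no usable TPM", which leaves only the USB startup-key configuration.
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' `
               -Class Win32_Tpm -ErrorAction SilentlyContinue
    if ($tpm) {
        $en = $tpm.IsEnabled().IsEnabled
        $ac = $tpm.IsActivated().IsActivated
        $ow = $tpm.IsOwned().IsOwned
        $report.Tpm = 'present enabled={0} activated={1} owned={2}' -f $en, $ac, $ow
    } else {
        $report.Tpm = 'not found (no startup integrity check; USB startup key required)'
    }

    # 3. Partition layout. Win32_Volume flags the system volume (boot files, stays
    #    unencrypted) and the boot volume (Windows, gets encrypted). One volume
    #    carrying both flags means a single partition: the Drive Preparation Tool
    #    has to split it before BitLocker can be turned on.
    $vols = Get-WmiObject -Class Win32_Volume | Where-Object { $_.SystemVolume -or $_.BootVolume }
    foreach ($v in $vols) {
        $mb = [int]($v.Capacity / 1MB)
        if ($v.SystemVolume -and $v.BootVolume) {
            $report.Layout = 'single partition {0} ({1} MB): run the BitLocker Drive Preparation Tool' -f $v.Name, $mb
        } elseif ($v.SystemVolume) {
            $ok = ($v.FileSystem -eq 'NTFS') -and ($v.Capacity -ge $minSystemBytes)
            $report.SystemVolume = '{0} {1} {2} MB ok={3}' -f $v.Name, $v.FileSystem, $mb, $ok
        } else {
            $report.BootVolume = '{0} {1} {2} MB' -f $v.Name, $v.FileSystem, $mb
        }
    }

    # 4. Protection state per encryptable volume (0 = off, 1 = on, 2 = unknown).
    $bde = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
               -Class Win32_EncryptableVolume -ErrorAction SilentlyContinue
    foreach ($e in $bde) {
        $status = $e.GetProtectionStatus().ProtectionStatus
        $report[('Protection ' + $e.DriveLetter)] = @('off', 'on', 'unknown')[$status]
    }
    return $report
}

(Test-BitLockerReadiness).GetEnumerator() | Sort-Object Name | Format-Table -AutoSize
```

A Layout line saying "single partition" is the case the Drive Preparation Tool exists for; a SystemVolume line with ok=False means the partition is there but is too small or not NTFS, and the tool will not fix that for you.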

For more information, check out the BitLocker Drive Preparation Tool page at:

http://support.microsoft.com/kb/930063

HTH,

Tom

Thomas W Shinder, M.D.
Site: http://www.isaserver.org/

Blog: http://blogs.isaserver.org/shinder/
GET THE NEW BOOK! Go to 
http://tinyurl.com/2gpoo8
Email: tshinder@isaserver.org
MVP — Microsoft Firewalls (ISA)

What’s New in the Windows Server 2008 DNS Server?

DNS is the cornerstone of any Windows (and any other operating system) network. You need DNS to support Active Directory, to resolve IP addresses from host names, and to perform reverse lookups so that you can get names from IP addresses. There haven’t been too many changes to the Windows Server DNS since Windows 2000 Server, so I wasn’t expecting too much to happen with the Windows Server 2008 DNS server.

Fortunately, I was wrong! There are a few new things in the Windows Server 2008 DNS server. Unfortunately, the feature that just about everybody wanted, the ability to return different host records based on the source address of the request, wasn't included. Such a feature would allow you to host both your internal and external zones of a split DNS infrastructure on the same DNS server. As it stands now, if you use Windows DNS servers, you will need two computers (physical or virtual) to host the internal and external zones of a split DNS.

However, what you do get are the following new things:

Background zone loading: DNS servers that host large DNS zones that are stored in Active Directory Domain Services (AD DS) are able to respond to client queries more quickly when they restart because zone data is now loaded in the background.

IP version 6 (IPv6) support: The DNS Server service now fully supports the longer addresses of the IPv6 specification. You can create quad A (AAAA) host records and IPv6 pointer records. The zone wizard will walk you through creating both IPv4 and IPv6 forward and reverse lookup zones.

Support for read-only domain controllers (RODCs): The DNS Server role in Windows Server 2008 provides primary read-only zones on RODCs. An RODC is a domain controller that holds a read-only copy of the Active Directory database, so RODCs can be placed where physical security is weaker, such as branch offices, without letting a compromised branch server write changes back into the directory.

GlobalNames zone: The GlobalNames zone provides single-label name resolution for large enterprise networks that do not deploy Windows Internet Name Service (WINS). It is useful where providing single-label resolution through DNS suffix search lists on every client is not practical.

Global query block list: Clients of such protocols as the Web Proxy Auto-Discovery Protocol (WPAD) and the Intra-site Automatic Tunnel Addressing Protocol (ISATAP) that rely on DNS name resolution to resolve well-known host names are vulnerable to malicious users who use dynamic update to register host computers that pose as legitimate servers. The DNS Server role in Windows Server 2008 provides a global query block list that can help reduce this vulnerability.

I'll do a short article in the future on how to create the GlobalNames zone. It's pretty simple, and it will allow you to rid yourself of WINS servers if you don't have any NetBIOS-dependent applications still running in your organization.

HTH,

Tom

Watch Out for the Windows Server 2008 DNS Query Block List

If you use WPAD for browser proxy auto-discovery or ISATAP routers, you might find that you're having trouble resolving the names WPAD or ISATAP on your network. You might have created a manual DNS record for each of these names, but no matter what you do, clients can't resolve those names against your Windows Server 2008 DNS server. What's up with that?

The cause is a new Windows Server 2008 feature, the DNS Server Global Query Block List. It is a server-wide list of names; when a client queries a name on the list, the DNS server does not answer from the zone data, even if a matching record exists, and the client sees the name as unresolvable.

Microsoft did this to stop a potentially malicious client from claiming these names through dynamic update. For example, a user could bring up a computer named wpad and let it register that name in DNS. Browsers configured for proxy auto-discovery would then resolve wpad to that machine and fetch their proxy configuration (the wpad.dat PAC script) from it, so the attacker could route every browser's traffic through a proxy under his control or serve a script with malicious content. Not good.

The same is true for ISATAP clients looking up the name of an IPv6 ISATAP router.

Note that the names are only placed on the block list when no wpad or isatap records already exist. For example, if you upgrade a Windows Server 2003 computer running DNS that already holds a wpad record, the upgraded server does not add wpad to its block list; the same goes for isatap. Also, the block list never deletes anything: if a wpad record reaches a new Windows Server 2008 DNS server through a zone transfer or Active Directory replication, the record is still there, but that server will not answer queries for it until you take wpad off its block list.

While wpad and isatap are the only two names on the block list by default, you can add more names to the Global Query Block List, and you can remove either or both of wpad and isatap from it. You use the Windows Server 2008 dnscmd command to make these changes.
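The following is an added example for this post and for the block-list entry in the Windows Server 2008 DNS feature list above; it is not code from the original posts or from Microsoft. It wraps the documented dnscmd switches (/info and /config /globalqueryblocklist, /config /enableglobalqueryblocklist, /enumrecords) in PowerShell 2.0 functions, shows whether a blocked name actually has a record in the zone, and tests what a client sees. $Server and $Zone are placeholders, and the regex assumes dnscmd prints one "String: <name>" line per list entry; adjust it if your build prints differently:

```powershell
# Added example, not from the original posts: read and change the global query
# block list with dnscmd, show the hidden records, and test client resolution.
# Assumptions: PowerShell 2.0+, dnscmd available, DNS admin rights on $Server;
# $Server/$Zone are placeholders; "String:" output format is assumed.
$Server = 'dns01.corp.example.com'   # placeholder DNS server
$Zone   = 'corp.example.com'         # placeholder AD-integrated zone

function Get-GlobalQueryBlockList {
    param([string]$Server)
    & dnscmd $Server /info /globalqueryblocklist 2>&1 | ForEach-Object {
        if ("$_" -match '^\s*String:\s*(\S+)') { $matches[1] }
    }
}

function Set-GlobalQueryBlockList {
    # /config REPLACES the whole list, so always pass the complete set you want.
    param([string]$Server, [string[]]$Names)
    & dnscmd $Server /config /globalqueryblocklist $Names
}

function Get-ZoneRecords {
    # Lists every record at the node; the block list hides records, it never deletes them.
    param([string]$Server, [string]$Zone, [string]$Node)
    & dnscmd $Server /enumrecords $Zone $Node 2>&1
}

function Test-NameResolution {
    param([string]$Name)
    try {
        $ips = [System.Net.Dns]::GetHostAddresses($Name) | ForEach-Object { $_.IPAddressToString }
        '{0}: resolves to {1}' -f $Name, ($ips -join ', ')
    } catch {
        '{0}: does not resolve ({1})' -f $Name, $_.Exception.Message
    }
}

'Block list on {0}:' -f $Server
Get-GlobalQueryBlockList $Server
foreach ($n in 'wpad', 'isatap') {
    'Records at {0}.{1}:' -f $n, $Zone
    Get-ZoneRecords $Server $Zone $n
    Test-NameResolution "$n.$Zone"
}

# Allow WPAD on purpose (you run a real auto-discovery host) but keep isatap blocked:
# Set-GlobalQueryBlockList $Server @('isatap')
# Block an extra name nobody should be able to register dynamically:
# Set-GlobalQueryBlockList $Server @('wpad', 'isatap', 'proxy')
# Disable the list altogether (not recommended):
# & dnscmd $Server /config /enableglobalqueryblocklist 0
```

If you do remove wpad from the list because you run a legitimate WPAD host, make sure that host's record is static and that the zone does not allow unsecured dynamic updates, otherwise you have reopened exactly the hole the list was added to close.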

For more information on the Windows Server 2008 DNS Query Block List, check out:

http://technet.microsoft.com/en-us/network/bb629410.aspx

HTH,

Tom

How to Get Pure Text into your Security Commands

With the introduction of Windows Server 2008, a lot more work has to be done at the command line. While I consider this to be an unfortunate situation in general, I can whine all I want but I don't think things are going to change, so we're all going to have to get used to it. One side effect of command line management is having to enter long strings of command line options, and the typos that ensue.

Perhaps even more challenging than typos is just trying to remember the long strings with all the switches and values. I'm sure you've seen it at many demos: the TechNet presenter has a collection of text files on his desktop that he uses to copy and paste the command line arguments. These guys use the product every day in their demos and even they can't remember all the PowerShell and other commands.

Well, there's nothing I can do to help you with your memory, and nothing I can do to help your fingers avoid typos, but there is something I can do to help you copy and paste text into the files you'll use to hold that 169-character PowerShell command. That tool is called PureText 2.0.

You can use PureText to copy just the text from a Web page or document that contains that long command line string into a text file and it removes the formatting that might make the command not work. In addition, it adds a keyboard shortcut (WINDOWS+V) to paste the pure text into your text file. This is really helpful when you need to copy that interminable string of PowerShell characters from the Exchange Server Help file into a text file.

While not strictly a security tool, it will help you with your command line management of security settings. It should be especially helpful when managing a Server Core installation.

Download it at:

http://stevemiller.net/PureText/

HTH,

Tom

ISA Firewall Best Practices Analyzer v6 RTMs

The ISA Server Best Practices Analyzer Tool is designed for administrators who want to determine the overall health of their ISA Server computers and to diagnose current problems. The tool scans the configuration settings of the local ISA Server computer and reports issues that do not conform to the recommended best practices.

The ISA Server Best Practices Analyzer (BPA) is a diagnostic tool that automatically performs specific tests on configuration data collected on the local ISA Server computer from the ISA Server hierarchy of administration COM objects, Windows Management Instrumentation (WMI) classes, the system registry, files on disk, and the Domain Name System (DNS) settings.

The resulting report details critical configuration issues, potential problems, and information about the local computer. By following the recommendations of the tool, administrators can achieve greater performance, scalability, reliability, and uptime.

The ISA Server Best Practices Analyzer is supplied with two supplemental tools.

  • The ISA Data Packager enables you to create a single .cab file containing ISA Server diagnostic information that can be easily sent to Microsoft Product Support Services for analysis.
  • BPA2Visio generates a Microsoft Office Visio® 2003 or Visio 2007 diagram of your network topology as seen from an ISA Server computer or any Windows computer, based on output from the ISA Server Best Practices Analyzer Tool.

Download it today at:

http://www.microsoft.com/downloads/details.aspx?Fa...ang=en

HTH,

Tom

Web Server Role on Server Core a Management Failure

As you might know, Windows Server 2008 has an installation option called Server Core. A Server Core installation is one that includes a small subset of the binaries that are included with a full Windows Server installation and provides just enough functionality so that the core operating system can run. The goal of the Server Core installation is to reduce the overall attack surface and to reduce the need for updates that aren’t required on a server for components that it doesn’t use.

There is no Explorer shell on Server Core. Everything is done locally at the command prompt, or remotely over an RDP session or with Windows Remote Shell (WinRS, which runs over WinRM and fills roughly the role SSH plays on other platforms). A few graphical tools do survive: notepad.exe and regedit.exe are there so that you can edit the long command lines and answer files needed for the initial configuration, and Task Manager is available.

When installing and doing the initial configuration of Server Core, I was kind of jazzed about doing the initial configuration tasks from the command line. While I'll never be able to commit to memory the procedures required for initial configuration and post-installation tasks, Microsoft has done a good job of documenting everything in their Server Core Step by Step Guide, which you can find at http://technet2.microsoft.com/windowsserver2008/en...r=true  The only problem is that if you can't access this guide, you had better print it out, or you'll never remember all the things you need to do from the command line if you install Server Core less than once a week.

That said, the guide does a really good job at walking you through the installation and configuration. You can tell that they worked on this for a while and actually listened to users who were trying to do a variety of configuration steps. Almost everything you can think of what you want to do with Server Core is included in the step by step guide.

I also found that it was easy to get the remote MMCs working once you configured the Windows Firewall on the Server Core machine to allow the connections. DHCP, DNS, Disk Management, Active Directory, and others worked a treat. However, profound dismay, disillusionment, disappointment and pure amazement took place when I found out that you cannot use the IIS 7 console to remotely manage the Web server role on Server Core. You have to use the command line tool appcmd.exe to perform all management of the IIS Web server role on the server core machine.

Why would they do this? Microsoft worked hard to make a very sophisticated upgrade to the IIS MMC, one that provides much better functionality and usability than previous versions. After all that good work, why did they throw it out the window for Server Core installations? The reason, from what I'm told, is that the IIS MMC depends on .NET managed code, and Server Core does not support the .NET Framework.

So, just to let you know, if you plan to manage a Web Server on Server Core, you’re going to need to spend quite a bit of time getting up to speed on appcmd.exe. For more information on using appcmd.exe, check out http://www.iis.net/articles/view.aspx/IIS7/Use-IIS...md-exe It’s extraordinarily complex and I suspect that it will be a bit unnerving for more than a few people who would like to manage IIS.
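To give a feel for what that appcmd.exe management looks like in practice, here is an added example, not code from the original post or from Microsoft: a first hardening pass for the Web Server role on a Server Core box, driven from a full-install admin workstation over WinRS, since the IIS console cannot connect. It assumes PowerShell 2.0 or later on the workstation, WinRM enabled on the Core machine (winrm quickconfig) with the Web Server role installed (start /w ocsetup IIS-WebServerRole), that $Core is a placeholder host name, and that appcmd.exe is at its default path; the configuration sections and attributes are IIS 7's own:

```powershell
# Added example, not from the original post: harden a few IIS 7 server-level
# settings on a Server Core machine through WinRS + appcmd.exe.
# Assumptions: PowerShell 2.0+ locally, WinRM enabled on $Core, admin rights there,
# $Core is a placeholder name, appcmd.exe at its default install path.
$Core   = 'core01'                                   # placeholder host name
$AppCmd = 'C:\Windows\System32\inetsrv\appcmd.exe'   # default install path

function Invoke-OnCore {
    # winrs relays the remote command's output. Arguments are passed as separate
    # tokens so nothing needs quoting on the Core side.
    param([string[]]$CommandLine)
    & winrs "-r:$Core" $CommandLine
}

# 1. Inventory first: which sites exist and what request filtering is in force.
Invoke-OnCore @($AppCmd, 'list', 'site')
Invoke-OnCore @($AppCmd, 'list', 'config', '/section:requestFiltering')

# 2. Settings that are easy to leave loose when you cannot see them in a console.
#    Each pair is one attribute in applicationHost.config, set at the server level.
$hardening = @(
    @('/section:directoryBrowse',  '/enabled:false'),                                      # no directory listings
    @('/section:httpErrors',       '/errorMode:DetailedLocalOnly'),                        # detailed errors only on the box
    @('/section:requestFiltering', '/requestLimits.maxAllowedContentLength:10485760'),     # 10 MB request body cap
    @('/section:requestFiltering', '/requestLimits.maxUrl:2048')                           # cap URL length
)
foreach ($setting in $hardening) {
    Invoke-OnCore (@($AppCmd, 'set', 'config') + $setting)
}

# 3. Read the sections back: on Core this is the only confirmation you get.
Invoke-OnCore @($AppCmd, 'list', 'config', '/section:requestFiltering')
Invoke-OnCore @($AppCmd, 'list', 'config', '/section:directoryBrowse')
Invoke-OnCore @($AppCmd, 'list', 'config', '/section:httpErrors')
```

Keeping the settings in a list like this is the point: on a full install you would click through the console and trust your eyes, while on Core the script is both the change and the record of what was changed, and step 3 is how you catch an attribute name you typed wrong.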

Hopefully, Microsoft will release a service pack in the future that will enable remote MMC management for IIS — until then, consider using a full installation of Windows Server 2008 for any Web server deployment. The theoretical gains from the reduced attack surface will be lost due to the complexity of management and the possibility of security misconfiguration due to the obscure management interface. For all other supported roles on Server Core, I definitely suggest going with the Server Core option.

HTH,

Tom

Secure Your Laptops with Data Encryption

Physical security is something that doesn’t get enough attention. I don’t mean that it doesn’t get enough attention in the Microsoft security literature or among Windows security admins. What I mean to say is that in practice, people don’t pay enough attention to physical security. It never ceases to amaze me how often people visiting a client or partner site will leave their laptops sitting out in the middle of a conference room while going out for lunch or just a cup of coffee. Or how many people I’ve seen leave their laptops in a hotel room, trusting that the hotel staff will not steal the computer or that someone using a very light amount of social engineering wouldn’t be able to get into the room to steal the laptop.

It's for this reason that hundreds of thousands of laptops are stolen each year. These laptops contain valuable data, either personal data or your company's data. Think about the information you store on your laptop, and then think about what happens if someone steals it and gains access to the information on your hard disk. Also think about what the intruder could do with your applications. Many of you have Outlook configured not to ask for a password on start-up. What will the intruder do with complete access to your email account?

While you might think that losing a laptop is something that happens to other people, it isn't. Many of the brightest minds in the industry have lost their laptops, sometimes with painful results. So what can you do to protect yourself against the consequences of a lost laptop? Encryption. Encryption reduces your loss to lost productivity and the price of the hardware and software, provided the machine is powered off or hibernated when it is taken, so that the keys are not sitting in memory behind an unlocked or merely sleeping session.

Windows gives you two powerful encryption options:

  • Encrypting File System
  • BitLocker

The Encrypting File System or EFS has been around since Windows 2000. Using EFS, you can encrypt individual files or folders on your computer. For example, you can encrypt your entire “My Documents” folder using EFS or your user profile folder.

The problem with EFS is that sensitive information may be sitting in other parts of the hard disk that you aren't even aware of: the page file, the hibernation file, temporary files and application caches, for example. In that case you need something more comprehensive than EFS, and that is where BitLocker comes in. With Windows Vista SP1 and Windows Server 2008 you can encrypt entire disk volumes, the Windows (boot) volume or any data volume on the machine. Vista prior to SP1 supported encrypting only the boot volume (the one containing the system files).
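The gap between "what you marked" and "what is on the disk" can be measured. The following is an added example, not code from the original post or from the Microsoft toolkit it points to: it puts a folder under EFS with the documented cipher.exe switches (/e /s: to encrypt recursively, /x to back up the EFS certificate and key), and then audits a profile for files whose Encrypted attribute is clear. It assumes PowerShell 2.0 or later, an NTFS volume, a Vista edition that includes EFS (Business, Enterprise or Ultimate), and placeholder paths:

```powershell
# Added example, not from the original post: encrypt a folder with EFS, back up
# the EFS certificate, then list everything in the profile EFS is NOT covering.
# Assumptions: PowerShell 2.0+, NTFS, an edition with EFS; paths are placeholders.
function Protect-FolderWithEfs {
    param([string]$Path)
    # /e marks the folder so new files inherit encryption; /s: recurses into it.
    & cipher /e /s:$Path | Out-Null
    # Without a backup of the EFS certificate and private key, a lost profile or a
    # reinstalled Windows means the data is gone. /x writes a .pfx (it prompts for
    # a password); keep that file off the laptop.
    $backup = Join-Path $env:USERPROFILE 'efs-cert-backup'
    & cipher /x $backup
}

function Get-UnencryptedFiles {
    param([string]$Root)
    # A file whose Encrypted attribute is clear is stored in plaintext on disk.
    $flag = [System.IO.FileAttributes]::Encrypted
    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and (($_.Attributes -band $flag) -eq 0) } |
        Select-Object FullName, Length, LastWriteTime
}

$docs = Join-Path $env:USERPROFILE 'Documents'   # placeholder target folder
Protect-FolderWithEfs $docs

# Everything under the profile that is still plaintext. Desktop, Downloads, browser
# caches, mail stores and temp files usually show up here, and the page file and
# hibernation file outside the profile never appear at all: that is the gap
# BitLocker closes.
Get-UnencryptedFiles $env:USERPROFILE | Format-Table -AutoSize
```

Note that EFS keys are ultimately protected by the user's logon password, so a weak password undoes the encryption for anyone who can boot the machine and crack it offline; BitLocker with TPM plus PIN or a USB startup key does not have that dependency.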

If these options sound attractive to you (and they should), then you can get up to speed quickly on how to encrypt information on your hard disk using EFS or BitLocker by using the Data Encryption Toolkit for Mobile PCs put out by Microsoft.

You can download this kit over at http://www.microsoft.com/technet/security/guidance...tlight

Let me know what you think of the kit and if you have any questions.

HTH,

Tom

Microsoft IPsec Diagnostic Tool

IPsec is one of the most important technologies you can use to secure your network. IPsec has been available in Windows since Windows 2000, but not as many network admins use it as should, mostly because IPsec is hard to configure and even harder to troubleshoot. Some of the configuration problems have been solved in Windows Server 2008 and Windows Vista, where Windows Firewall with Advanced Security makes it much easier to configure and manage.

However, troubleshooting IPsec can be, and is, a problem even for the most experienced Microsoft network and security administrators. There are a lot of moving parts in IPsec, and getting just one of them wrong will whack your entire IPsec house of cards. Microsoft knows about this problem and has provided a new tool, the Microsoft IPsec Diagnostic Tool.

The Microsoft IPsec Diagnostic Tool checks for common network problems on the host machine and, if it finds any, suggests repair commands. It also collects the IPsec policy information on the system and parses the IPsec logs to deduce why a negotiation might have failed. Beyond IPsec, it offers trace collection for VPN, the NAP client, Windows Firewall, Group Policy updates, wireless and system events. The diagnostic report it generates is derived from the system logs collected during its analysis phase, and those logs are gathered in one place so that they can be handed to your network administrators or to Microsoft support if you need further help.

Download the tool at: http://www.microsoft.com/downloads/details.aspx?Fa...ang=en

HTH,

Tom

Software as a Service Security Concerns

As a network or security admin, you are probably aware of the recent push for software as a service (SaaS). The SaaS proponents are big on the advantages of SaaS: you no longer have to worry about managing your own infrastructure, which they play up as a good thing, since for most firms IT isn't their core competency. SaaS fans will say that there's no reason to host your Web, file, mail, database and other services. They can take care of all this for you. They have the expertise to install, configure, manage and maintain your IT infrastructure, and do it off-site, so you don't even need to worry about housing your resources.

It sounds too good to be true. Never again will you need to worry about maintaining that mail server. No more backup worries, no more concerns over disk space, no more late night calls on a corrupted mailbox or mail store. Same for the file, database, and line of business servers. All you need to worry about is the Internet connection at your office and away you go.

The problem is that when something sounds too good to be true, it probably is. For example, Amazon has a highly available solution called S3. Their infrastructure is amazing and if anyone can provide “dial tone” service, it’s going to be Amazon. However, as noted in this blog post http://blogs.zdnet.com/projectfailures/?p=602 not even Amazon could keep things going.

There are two major problems with SaaS:

  • Availability
  • Security

The availability problem is directly related to unreliability of the Internet. As we all know, Internet connections go down on a regular basis. The Internet is not a dial-tone service. While there have been great strides made in the last ten years regarding the reliability of the Internet, it’s still far from the 99.999+% uptime that we need to make sure that there isn’t a significant hit on the fiscal bottom line due to the outages.

Those outages can cost you thousands, tens of thousands, hundreds of thousands or even millions of dollars each time they take place. And you have no control over fixing the problem — you can’t send your own employees out to fix the problem now. You’re going to depend upon the kindness of strangers, who may have other problems they need to deal with before putting your datacenter back on line.

Now, you can argue that a solution to this problem is to mirror your datacenter at the SaaS provider. When the SaaS provider goes down, no problem. You have your local datacenter to depend on and work will continue transparently. If that's the solution, why pay for SaaS at all? Aren't you back to hosting your own resources again? If you're going to host your own resources, why not continue to do so and take out the SaaS middleman?

The security problem is even more distressing. While availability can be problematic, depending on how often the service goes down and the duration of the outages, the security problem can quickly become disastrous. Why? Because the SaaS providers are essentially one giant attack surface waiting to be plumbed by the bad guys.

The nice thing about each business managing its own infrastructure is that all the infrastructures are different and distributed among hundreds of thousands of locations. The time it would take dedicated teams of attackers to reach even several hundred of these networks makes it impossible to do significant damage to large numbers of businesses in a single blow. However, imagine that there were ten large SaaS providers, each hosting IT resources for tens of thousands of companies. A dedicated team, or collection of teams, could compromise thousands of businesses in a single blow, because the methodology required to compromise a single SaaS provider would give them access to the resources of every company that provider serves.

Biodiversity is a good thing: it keeps populations strong by preventing a single attacker (for example, a virus or bacterium) from destroying an entire species. The same goes for networks. SaaS has the potential to significantly reduce infrastructure diversity, and thus makes it much easier for a single attack to bring down the entire infrastructure hosting resources for hundreds or thousands of companies. When the shoe drops on your SaaS provider, it won't only be you, but many of the companies that you depend on that will also be nailed.

Time will tell. There are advantages to consolidation, there’s no doubt about that. Virtualization, like SaaS, has similar issues. The problem with consolidation is that you significantly increase the risks that come from a single point of failure. It’ll be these single point of failure issues that will determine the long term success of SaaS.

HTH,

Tom

GFI cuts prices by up to 45%

Reductions reflect GFI’s belief in providing quality solutions at unbeatable prices

London, UK, 14 February, 2008 – GFI Software, an international developer of network security, content security and messaging software, announced today that it has cut its prices on the majority of products by up to 45%. This is being done to reflect GFI’s longstanding belief in providing companies in the SMB sphere with quality products at unbeatable prices.

Thanks to these new pricing bands, customers can benefit from top quality solutions that address the security and messaging requirements of small and medium sized businesses around the world but at prices that not only suit an SMB’s budget but are unbeatable in the marketplace.

Apart from reduced prices GFI will also be offering:
• Free ReportPacks with every product
• Software Maintenance Agreement (SMA) included for the first year with every product
• Anti-spam and phishing updates included for the first year with GFI MailEssentials
• New purchasing options for GFI LANguard
• …and more.

The reductions apply to these products:
GFI MailEssentials – Anti-spam and anti-phishing
GFI MailSecurity – Email security with multiple anti-virus engines
GFI MailEssentials/GFI MailSecurity suite – Total anti-virus and anti-spam protection
GFI MailArchiver – Email archiving and management
GFI FAXmaker – Hassle-free fax server
GFI EventsManager – Event monitoring, management and archiving

Details of the pricing changes can be seen in the following presentation: http://www.gfi.com/newpricing/newpricing_eur.ppt or here: http://www.gfi.com/newpricing/.

The pricing changes are effective February 14, 2008.

HTH,

Tom
