Dr. Tom Shinder’s Blog

Archive: March 2008

Six Steps to Securing a Financial Services Company

I found an interesting article on the Microsoft Web site on six basic steps a financial services company can take to secure its information. As we’re all aware, identity theft is a major problem affecting all sectors and countries, and the financial services sector is the one primarily targeted by identity thieves.

The six steps mentioned in the article are:

  • Deploy Access Management Systems. These systems let the financial services company know who accessed what and when. Without this, there is no audit trail to use to find out what happened and how to fix what went wrong.
  • Educate Your Customers About Identity Theft. There are things that IT related controls can’t fix. One of those things is how people handle their private information. Only policies and procedures can help in this case. Educating customers about identity theft, phishing, scam emails and more will help protect the financial services company against identity theft.
  • Secure All Mobile Devices. Mobile devices are the fastest growing type of device connecting to networks today. Security has been an afterthought for many of these devices. You need to make sure that security is a first thought before allowing mobile devices to connect to your financial services network.
  • Implement Safe Hardware Disposal Procedures. There’s data on them thar trashed hard disks! Make sure that you decommission your old machines carefully. Fully wipe hard disks and data cards before disposing of them.
  • Prevent Insider Attacks. This is the hardest thing to do, since in many cases the data leakage isn’t intentional and it’s done by authorized users. Encryption using IPsec and EFS helps, and document Rights Management can also be a big help.
  • Closely Monitor Outsourced Providers. Without a doubt, the biggest risk to your financial services company comes from outsourcers. In most cases, financial services institutions have not thoroughly vetted the security infrastructure of the outsourced provider, often with an embarrassing and costly result.

For more information, check out the article at http://www.microsoft.com/uk/business/security/fina...s.mspx

HTH,

Tom

Thomas W Shinder, M.D.
Site: http://www.isaserver.org/

Blog: http://blogs.isaserver.org/shinder/
GET THE NEW BOOK! Go to 
http://tinyurl.com/2gpoo8
Email: tshinder@isaserver.org
MVP — Microsoft Firewalls (ISA)

Securing Your Windows Server 2008 DHCP Server

Almost all networks have a DHCP server in place. The DHCP server allows you to automatically assign IP addressing information to hosts on your network. In most cases, there is a DHCP server on each site so that if the WAN link goes down, computers will be able to obtain an IP address. Almost all client systems should be using DHCP to obtain IP addressing information. In most cases, you will want to assign static addresses to your servers.

DHCP therefore is a critical service. If the DHCP server goes down, and there are no other DHCP servers available on the network, clients will not be able to obtain IP addressing information and will no longer be able to connect to other computers on the network. Thus, a downed DHCP server essentially leads to denial of service.

Given how important DHCP is to the integrity of your network communications, you should do some things to help secure your DHCP server to prevent it from being attacked by intruders. Here’s a short list of some of the best things you can do to help secure your DHCP server:

  • Dedicate a computer to the DHCP server role. This reduces the attack surface on the server handling this mission critical network service.
  • Deploy your DHCP server on Server Core. This reduces the overall attack surface on the DHCP server machine.
  • Remove rogue DHCP servers. You can use the DHCPLoc command line tool found in the \\Support\Tools folder on the Windows Server 2008 DVD to find them.
  • Add DHCP reservations and exclusion addresses. One way to assign static addresses to servers is to create DHCP reservations for server addresses. This is one way to manage your static IP address infrastructure. Make sure to create exclusions for addresses you assign statically so the DHCP server never leases them.
  • Restrict DHCP Security Group Membership. Members of the DHCP Administrators group have the right to administer the DHCP server without needing to be Administrators on the machine, so keep that group’s membership small.
  • Make DHCP servers members of the DnsUpdateProxy group.
  • Make sure that Windows Firewall with Advanced Security is enabled on the machine and that it allows only the protocols the DHCP server needs.
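As an added example (not code from the original post), the following PowerShell script applies three of the items above with the netsh.exe commands that ship with Windows Server 2008: it creates an exclusion range for statically addressed hosts, adds reservations for two servers, turns on Windows Firewall with Advanced Security with a block-inbound default and a single rule for the DHCP server port, and finally lists the DHCP servers authorized in Active Directory so that anything answering DHCP that is not on that list can be treated as rogue. The scope, addresses, MACs and host names are constructed placeholders.

```powershell
# Added example: harden a Windows Server 2008 DHCP server with netsh.
# All scope/address/MAC values below are constructed placeholders.
$ErrorActionPreference = 'Stop'

$Scope        = '10.0.0.0'            # assumed DHCP scope (network ID)
$ExcludeStart = '10.0.0.1'            # assumed range used for static addresses
$ExcludeEnd   = '10.0.0.50'           # (routers, DCs); never leased dynamically
$Reservations = @(                    # servers that get a fixed address via DHCP
    @{ IP = '10.0.0.60'; MAC = '001122334455'; Name = 'FILE01'  },
    @{ IP = '10.0.0.61'; MAC = '001122334466'; Name = 'PRINT01' }
)

# Run netsh and fail loudly if it reports an error, so a half-applied
# configuration is noticed instead of silently accepted.
function Invoke-Netsh {
    param([string[]]$Arguments)
    $output = & netsh.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "netsh $($Arguments -join ' ') failed: $output" }
    $output
}

# 1. Exclusion range: statically addressed hosts cannot collide with leases.
Invoke-Netsh @('dhcp', 'server', 'scope', $Scope, 'add', 'excluderange', $ExcludeStart, $ExcludeEnd)

# 2. Reservations: a fixed address tied to each server NIC's MAC address.
#    They sit outside the exclusion range so the scope can hand them out.
foreach ($r in $Reservations) {
    Invoke-Netsh @('dhcp', 'server', 'scope', $Scope, 'add', 'reservedip', $r.IP, $r.MAC, $r.Name)
}

# 3. Windows Firewall with Advanced Security: on for every profile, inbound
#    blocked by default, and only the DHCP server port (UDP 67) allowed in.
Invoke-Netsh @('advfirewall', 'set', 'allprofiles', 'state', 'on')
Invoke-Netsh @('advfirewall', 'set', 'allprofiles', 'firewallpolicy', 'blockinbound,allowoutbound')
Invoke-Netsh @('advfirewall', 'firewall', 'add', 'rule', 'name=DHCP Server (UDP-In)',
               'dir=in', 'action=allow', 'protocol=UDP', 'localport=67')

# 4. Rogue check: list the DHCP servers authorized in the directory. Compare
#    this list with what DHCPLoc sees answering on the wire; any server that
#    answers but is not listed here is not authorized and should be removed.
Write-Host 'DHCP servers authorized in Active Directory:'
Invoke-Netsh @('dhcp', 'show', 'server')
```

Run it in an elevated prompt on the DHCP server itself; `netsh dhcp server` without a server name targets the local service, and the firewall rule is deliberately narrow so that anything else the machine might listen on (RDP for management, for instance) must be added as its own explicit rule.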

These are just some basic things you can do to help increase the security of your DHCP servers.

HTH,

Tom


Microsoft Remote Server Administration Tools for Windows Vista SP1 32-bit Edition

Microsoft Remote Server Administration Tools (RSAT) enables IT administrators to remotely manage roles and features in Windows Server 2008 from a computer running Windows Vista with SP1. It includes support for remote management of computers running either a Server Core installation or the full installation option of Windows Server 2008. It provides similar functionality to Windows Server 2003 Administration Tools Pack.

After you install this item, you may have to restart your computer. This update is provided to you and licensed under the Windows Vista License Terms.

http://www.microsoft.com/downloads/details.aspx?Fa...ang=en

Note that these tools will not work with Windows XP. Also, check the title bar — they run on 86-bit computers

:)

HTH,

Tom


OU Design to Support Security Group Policy

One of the most powerful tools in your Microsoft security arsenal is Group Policy. Group Policy allows you to configure over a thousand client and server settings on all members of an Active Directory domain. A large number of these Group Policy settings are directly related to the security configuration of the computers within the domain. In fact, you can use Active Directory Group Policy settings to harden the machines in your domain.

Group Policy settings can be set at several levels. These include:

  • Active Directory Site
  • Active Directory Domain
  • Active Directory Organizational Unit (OU)

Group Policy settings are implemented through the use of Group Policy Objects (GPOs). You can create multiple GPOs with different settings. However, the settings in a GPO are not applied to any users or computers until you link the GPO to a Site, Domain or OU (SDOU).

Because GPOs can be deployed at different levels, and the settings of the different GPOs can be different and potentially conflict with each other, there must be a defined order of precedence. The order of precedence for GPO settings at different levels works this way:

  • Local GPO settings are applied first.
  • Site GPO settings are then applied. If there is a conflict with current settings, the Site GPO settings override previous settings.
  • Domain GPO settings are then applied. If there is a conflict with current settings, the Domain GPO settings override previous settings.
  • Parent (top level) OU settings are then applied. If there is a conflict with current settings, the top level OU GPO settings override previous settings.
  • Child (sub) OU settings are then applied. If there is a conflict with current settings, the sub OU settings override previous settings.

In addition, there can be multiple GPOs linked to a particular computer or user. In this case, you can control the order of precedence by manually setting the order in which those GPOs are applied.

You can take advantage of this order of precedence by creating an OU design that will support your GPO security configuration as it applies to users and computers. For example, look at the design in the figure below.

As you can see, there is a parent OU for the department. For example, this could be the accounting department. Then there are two sub-OUs: one for Vista Users and one for Vista Computers. Linked to the Vista Users OU is a Vista Users Policy. No policy is linked to the Vista Computers OU. Instead, it has two sub-OUs: one for Desktop Computers and one for Laptop Computers. Two different GPOs are then used: a Desktop GPO is linked to the Desktop OU and a Laptop GPO is linked to the Laptop OU.

As you can see from this OU design, it enables you to provide very specific security policies to users and computers. We could have created several more sub-OUs under the Vista Users OU, representing different levels of security that might be applied to different users in the accounting department. We could also have created more Top Level OUs, to support Windows XP.
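To make the precedence rules and the OU design above concrete, here is an added PowerShell model (not code from the original post, and not how Windows itself evaluates policy) that walks a list of containers in Local, Site, Domain, OU, child OU order and lets each later GPO overwrite only the settings it actually defines. Within one container the link order decides: the GPO with link order 1 has the highest precedence, so the model applies it last. The containers, GPO names and settings are constructed to mirror the Accounting / Vista Computers / Laptops design described in the post.

```powershell
# Added example: a model of Group Policy precedence (LSDOU plus link order).
# Each GPO link is @{ Order = <link order>; Settings = @{ name = value } }.
function Get-EffectiveSettings {
    param(
        # Containers ordered top to bottom: Local, Site, Domain, then each OU
        # from the parent OU down to the OU that holds the computer or user.
        [array]$Containers
    )
    $effective = @{}
    foreach ($container in $Containers) {
        # Higher link-order numbers are applied first so that link order 1,
        # applied last, wins any conflict inside this container.
        $links = $container.Links | Sort-Object -Property { $_.Order } -Descending
        foreach ($link in $links) {
            foreach ($key in $link.Settings.Keys) {
                # A later GPO only overrides settings it defines itself;
                # everything else inherited from above is left untouched.
                $effective[$key] = $link.Settings[$key]
            }
        }
    }
    return $effective
}

# Constructed hierarchy for a laptop in the Accounting department.
$hierarchy = @(
    @{ Name = 'Local';               Links = @( @{ Order = 1; Settings = @{ MinPasswordLength = 6; EFS = 'Disabled' } } ) },
    @{ Name = 'Site';                Links = @( @{ Order = 1; Settings = @{ EnableFirewall = 'On' } } ) },
    @{ Name = 'Domain';              Links = @( @{ Order = 1; Settings = @{ MinPasswordLength = 8; AuditLogon = 'Success,Failure' } } ) },
    @{ Name = 'OU=Accounting';       Links = @() },                      # no GPO linked here
    @{ Name = 'OU=Vista Computers';  Links = @() },                      # no GPO linked here either
    @{ Name = 'OU=Laptops';          Links = @(
        @{ Order = 2; Settings = @{ EFS = 'Enabled'; ScreenSaverTimeout = 900 } },   # "Laptop GPO"
        @{ Order = 1; Settings = @{ ScreenSaverTimeout = 300 } } ) }                   # tighter GPO, link order 1
)

$result = Get-EffectiveSettings -Containers $hierarchy
$result.GetEnumerator() | Sort-Object -Property { $_.Key } | Format-Table -AutoSize
```

With these inputs the Domain value for the password length replaces the Local one, the Laptop OU turns EFS on even though the Local policy had it off, and for the screen saver timeout the GPO linked at order 1 beats the one linked at order 2 in the same OU, while the Site firewall setting and the Domain audit setting survive untouched because nothing lower in the tree redefines them.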

HTH,

Tom


Small Business Security — Basic Tasks

So you’re thinking about getting into the small business security scene. Maybe you’ve been managing small business servers or peer to peer networks without an Active Directory infrastructure. No matter what your background, there are some basic tasks that you can carry out that will significantly improve the level of security you can provide to your small business customers. Most of these basic tasks won’t require you to attend years of classes or require a steep learning curve. Remember, that security is a process and that you’ll always be looking for ways to increase security without making it difficult for people to get their jobs done.

Here’s a short list of security measures you can take that will improve the security posture of your customers’ networks:

  • Install and update antimalware software on all the machines on the network. There are freeware AV applications you can use, and Windows Defender is also free. Use them.
  • Use Automatic Updates on all your Windows computers.
  • Enable the Windows Firewall on all your Windows XP machines, and the Windows Firewall with Advanced Security on all your Windows Vista machines.
  • Install spam filtering software on all your machines, or if you use a mail server on your network, install spam filtering software on the server. Outlook includes a built-in spam whacker if you use Outlook in cached mode with Exchange.
  • Restrict physical access to your computer equipment, especially to servers.
  • Set Share and NTFS permissions on files that are accessible over the network.
  • Disable or delete the user accounts of users who are no longer with the company.
  • Create and distribute an Internet access policy.
  • Require the use of strong passwords. This can be enforced on users if you have an Active Directory based network.
  • Install an edge firewall that controls what sites users can access. Consider an application layer inspection firewall, such as an ISA Firewall, that can block dangerous content and sites.
  • Require VPN access for remote access users; consider SSL VPNs for a more secure configuration.
  • Use WPA2 on all wireless access points.
  • Create, document and put into practice a regular backup procedure for all critical data on the network.

Just these few steps will go a long way at securing your small business network. Many of these tasks will require little effort on your part. Some of them might require that you do some additional reading. If you have any questions on how to perform any of these tasks, let me know! Just write to me at the address in my sig line and I’ll make my answer a blog post that you can read.

HTH,

Tom


Create a Know Your Users Program

Banks work with the US Federal Govt in an arrangement called the “Know Your Customer” program. While the guidelines for Know Your Customer are complex, the goal of the program is to allow the banks to work together with the govt to root out suspicious financial activity by their customers. They know that the banks are more capable than the govt in identifying their customer’s normal activity and activity that seems possibly suspicious.

While I have my concerns about the Know Your Customer program, there is some value in it. There are just too many things that you can’t do from an IT security point of view to control who has access to the data in your organization. In many cases data is breached because people who have legitimate access to that data misuse their access. A recent example is the data security breach of passport information on the Presidential candidates in the US. The people who accessed that information didn’t hack into the system, they had legitimate access and used it. The problem was not a technology problem, it was a policy problem. And there are many data security issues that can only be addressed as policy problems.

Given this fact, you need some way to figure out, in advance, which users may represent a potential security problem. One way you can approach this problem is to create your own “Know Your Customer” program for your own users. You observe the behavior of your users, and you can encourage your users to observe the behavior of other users and report suspicious computer use to you and your team.

What should you be looking for? Here’s a short list of behaviors that might indicate that a user is a potential security risk:

  • The user who overtly makes it clear that he doesn’t care about security policies or procedures
  • The user who frequently forgets passwords, loses smart cards, or who has frequent inexplicable computer problems
  • The user who takes too high an interest in computer security policies or procedures.
  • The user who tries to hide his screen when you walk by
  • The user who makes it a point that he would prefer that you don’t come down to his computer and that you just give instructions over the phone
  • The user who has a number of encrypted folders on a desktop machine, where the user’s primary job role doesn’t require encrypted folders on the local machine
  • The user who brings in a number of “gadgets” that can be used to copy data to and from his computer
  • The user who asks other users for their passwords.
  • The user who gives out passwords to other users
  • The user who always comes in an hour or two early
  • The user who always comes in an hour or two late

Remember, these are just general guidelines and the goal is to get a step ahead of a user that might turn out to be a security liability on your network. If you find that a person shows a number of behaviors that seem suspicious, then you might want to consider extra auditing of that person’s access to data on the network. File and object access auditing for all users and all files on the network is somewhat unrealistic, but when you can target your efforts on suspicious individuals, it becomes easier to track those individuals’ activity more closely.
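The targeted auditing the paragraph above recommends can be set up without auditing every user on every file. The following PowerShell script is an added example (not code from the original post) for a Windows Server 2008 file server: it enables the File System audit subcategory with auditpol.exe, adds an audit entry (SACL) on one share folder for one account only, confirms what was written, and then pulls the Security log events that entry produces. The folder path and the account name are constructed placeholders.

```powershell
# Added example: audit one user's access to one folder on Windows Server 2008.
# $Folder and $User are constructed placeholders; run in an elevated session,
# since writing a SACL requires the SeSecurityPrivilege.
$ErrorActionPreference = 'Stop'
$Folder = 'D:\Shares\Finance'
$User   = 'CORP\jdoe'

# 1. Turn on object access auditing for the file system subcategory only.
#    Without this policy the SACL below is written but generates no events.
& auditpol.exe /set '/subcategory:File System' /success:enable /failure:enable
if ($LASTEXITCODE -ne 0) { throw 'auditpol failed; are you running elevated?' }

# 2. Add an audit ACE for this one user, inherited by subfolders and files.
#    Only the rights that matter for data leakage are audited, which keeps
#    the Security log readable.
$acl  = Get-Acl -Path $Folder -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $User,
    [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 3. Verify that the SACL names only the intended account.
(Get-Acl -Path $Folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize

# 4. Review: event ID 4663 ("an attempt was made to access an object") is the
#    record each audited read/write/delete leaves. Filter on the account name.
$account = $User -replace '^.*\\', ''
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 200 |
    Where-Object { $_.Message -like "*$account*" } |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

Because the audit entry is placed on one folder for one identity, the Security log only grows with that person's activity in that share, which is exactly the narrow, reviewable trail the post is after; remove the entry again (or let it expire with the investigation) once the question is settled.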

HTH,

Tom


Steps to Secure DNS Server Configuration for Windows Server 2008

Of all the network services that you need to manage on your network, DNS is probably the most important one. It’s also the service that is probably accessed more than any other on the network, since just about every machine on the network needs to be able to resolve names to IP addresses. They might need to resolve internal names, names on other private networks, or names of servers on the Internet. Without a functional DNS infrastructure, your network would be dead in its tracks.

This means that your DNS infrastructure needs to be highly available. In order to make your DNS highly available, the first step is to make it secure. Here are a few recommendations for creating a secure DNS infrastructure:

  • Deploy your DNS servers on Server Core
  • Use Read-only Domain Controllers to protect zones by making them read-only
  • Put your DNS servers on your domain controllers (internal zones only)
  • Configure your internal zones to accept only secure dynamic updates from domain member computers
  • Be careful regarding zone transfers. Manually configure which machines should be allowed to receive zone transfers, especially for public DNS servers
  • Use separate servers for internal and external access. Do not put external DNS servers in private network security zones
  • Use firewalls to segregate internal and external DNS servers into public and private security zones
  • Disable recursion on public DNS servers
  • Enable recursion only on DNS resolvers intended for that purpose
  • Delete public root-hints files on machines not designed for public name resolution
  • Configure private root-hints files for your internal DNS namespace
  • Configure your DNS servers to protect against cache pollution
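Several of these recommendations map directly onto dnscmd.exe settings on Windows Server 2008. The PowerShell script below is an added example (not code from the original post): it enables cache pollution protection on every server, and then branches on an assumed role variable, disabling recursion and restricting zone transfers to one listed secondary on a public authoritative server, or forcing secure-only dynamic updates and turning zone transfers off entirely for an internal Active Directory integrated zone. The zone names, the secondary’s address and the role variable are constructed placeholders.

```powershell
# Added example: apply DNS hardening settings with dnscmd.exe on Windows Server 2008.
# $Role, zone names and $SecondaryDns are constructed placeholders.
$ErrorActionPreference = 'Stop'
$Role         = 'Internal'          # 'Internal' (resolver on a DC) or 'Public' (authoritative only)
$InternalZone = 'corp.example.com'  # AD-integrated zone on the internal servers
$PublicZone   = 'example.com'       # zone hosted on the public authoritative servers
$SecondaryDns = '192.0.2.53'        # the only host allowed to pull the public zone

# Run dnscmd and stop on the first error so a partial configuration is not
# mistaken for a hardened one.
function Invoke-Dnscmd {
    param([string[]]$Arguments)
    $output = & dnscmd.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "dnscmd $($Arguments -join ' ') failed: $output" }
    $output
}

# Cache pollution protection (both roles): ignore records in a response for
# names outside the domain that was actually queried.
Invoke-Dnscmd @('/Config', '/SecureResponses', '1')

if ($Role -eq 'Public') {
    # Authoritative-only server: it answers for its own zones and never
    # recurses on behalf of Internet clients.
    Invoke-Dnscmd @('/Config', '/NoRecursion', '1')
    # Zone transfers go to the listed secondary only, nobody else.
    Invoke-Dnscmd @('/ZoneResetSecondaries', $PublicZone, '/SecureList', $SecondaryDns)
}
else {
    # Internal resolver on a domain controller: recursion stays on for the
    # clients, but the zone accepts dynamic updates only from authenticated
    # domain members (AllowUpdate 2 = secure only).
    Invoke-Dnscmd @('/Config', $InternalZone, '/AllowUpdate', '2')
    # AD replication carries the zone, so no zone transfers are needed at all.
    Invoke-Dnscmd @('/ZoneResetSecondaries', $InternalZone, '/NoXfr')
}

# Verify the server-wide settings that were touched.
Invoke-Dnscmd @('/Info', 'NoRecursion')
Invoke-Dnscmd @('/Info', 'SecureResponses')
```

The firewall placement and the root-hints items in the list are not covered by this script; they are a network design decision and a per-server file change, and the server role variable here is only a way to keep the two hardening profiles from being applied to the wrong box.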

Those are some useful things you can do to begin to protect your DNS servers. Of course, you also want to make sure you keep your DNS servers fully updated with Microsoft Update.

HTH,

Tom


Great Article on Setting Granular Password Policies using Specops

In a recent blog post I lamented the fact that some components of Windows Server 2008 weren’t actually feature complete, in the sense that there were no viable user interfaces to configure many important parts of Windows Server 2008. One of these incomplete features was the ability to configure a granular password policy. While it’s possible to use built-in Windows Server 2008 tools to configure granular password policies, the procedure is arduously complex and easily lends itself to configuration errors, which is not something you want to see when creating a security policy.

I mentioned a tool that you could use to simplify the process. This tool is Specops Password Policy Basic. Well, Jakob Heidelberg must have been thinking the same thing and wrote a great article on how to use Specops to configure granular password policy.

Check out Jakob’s great article at:

http://www.windowsecurity.com/articles/Configuring...8.html

HTH,

Tom


Wipe Your Hard Disk’s Sensitive Data using Cipher.exe

As you probably already know, when a file is deleted from a hard disk, the actual file contents are not deleted. Instead, the space used by the file on the hard disk is “deallocated”, meaning that the clusters on the disk being used by that file are marked as available for writing future files. However, the actual data remains on the disk until a new file occupies the space used by the old file.

This is a problem if you thought you deleted a file that you don’t want anyone ever to have access to. The reason for that is that it’s relatively easy to use commercial and freeware tools to find the data stored in these deallocated clusters. If someone gains access to your disk, they can use these tools to find all types of interesting information, such as the contents of your private emails, your contacts, and documents of any kind that might contain sensitive information, such as tax returns and credit card information. In addition, passwords that might have been stored in deleted documents could also be retrieved.

Another situation where you definitely don’t want any data remaining on the disk is when you decommission a computer. Since the computer will no longer be used by you or your company, you want to make sure that whatever took place on the machine’s disk is never available to any subsequent owners of that computer or the disk contained in that computer.

You can solve the problem of “deallocated” data still living on the disk by using the free tool, cipher.exe. Cipher was initially used as a way to manage EFS, but a far more useful aspect of Cipher is using it to delete the deallocated data on disk. You can use Cipher to delete individual files, folders or the entire hard disk.

For details on how to delete the entire contents of the hard disk, check out http://technet.microsoft.com/en-us/library/bb490177.aspx

For details on how to delete files and folders, check out: http://support.microsoft.com/kb/315672
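The decommissioning case from the post can be scripted so that no volume is forgotten. The PowerShell below is an added example (not code from the original post or from Microsoft): it discovers every fixed NTFS volume on the machine, runs cipher.exe /w against the root of each one, and refuses to report success if cipher returns a non-zero exit code. Because /w only overwrites space that is already deallocated, the sensitive files have to be deleted (and the Recycle Bin emptied) before it runs; the script does not invent any paths, the drive letters come from WMI at run time.

```powershell
# Added example: wipe deallocated space on every fixed NTFS volume with cipher /w.
# cipher /w overwrites free space in three passes (0x00, 0xFF, random data);
# it does not touch files that still exist, so delete those first.
$ErrorActionPreference = 'Stop'

# Fixed local disks (DriveType 3) formatted NTFS, returned as 'C:', 'D:', ...
function Get-FixedNtfsVolumes {
    Get-WmiObject -Class Win32_LogicalDisk -Filter "DriveType = 3 AND FileSystem = 'NTFS'" |
        ForEach-Object { $_.DeviceID }
}

# Run cipher /w against the root of one volume and return the path wiped.
function Invoke-FreeSpaceWipe {
    param([string]$Drive)                 # 'C:' becomes cipher /w:C:\
    $target = "$Drive\"
    Write-Host "Wiping free space on $target (this takes a while on large disks) ..."
    & cipher.exe "/w:$target"
    if ($LASTEXITCODE -ne 0) { throw "cipher /w failed on $target (exit code $LASTEXITCODE)" }
    $target
}

$wiped = foreach ($drive in Get-FixedNtfsVolumes) { Invoke-FreeSpaceWipe -Drive $drive }
Write-Host "Free-space wipe completed on: $($wiped -join ', ')"
```

Run it elevated and with nothing else writing to the disks, since files created while the wipe is running can land on clusters cipher has already passed over. For a disk that is leaving the organisation entirely, this is the software step; whether the drive is then reused, returned or physically destroyed is a separate disposal decision.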

HTH,

Tom


Prepare a Malware Offline Scan Kit Before Disaster Strikes

You thought these things only happen to someone else. You’re careful to never open suspicious email attachments, you don’t go to dangerous Web sites, you don’t download from Usenet, and you don’t install non-commercial software on your computer. But somehow, some way, your computer is infected with a particularly hostile piece of malware that refuses to relent to your AV and anti-spyware applications.

This is when you’re likely going to need to do an offline scan in order to rid yourself of the dreaded malware. The good news is that you may not need to spend a lot of money in order to get a working offline scanning solution to your malware problem. Your offline scanning kit can be based on a Windows PE (preinstallation environment) and you can combine that kit with a collection of your favorite, free antimalware tools.

The basic steps include the following:

  • Install the Windows Automated Installation Kit
  • Download the malware-scanning tools and utilities
  • Create the Malware Removal Starter Kit CD-ROM
  • Use the Malware Removal Starter Kit to scan your computer

Microsoft has tested this solution using Avast! Virus Cleaner, McAfee AVERT Stinger, the Malicious Software Removal Tool (MSRT) and Spybot - Search & Destroy.

For more details on how to create your Offline Scan Kit for removing malware, check out http://www.microsoft.com/technet/security/guidance...1.mspx

HTH,

Tom

