Dr. Tom Shinder’s Blog

Archive: March 2008

Beware Your Complicity in Acts of Sabotage

I read a very interesting blog post this morning that brought into context a conversation we were having regarding a site to site VPN connection. Before getting into the ISA Firewall and the VPN connection issue, let me boil down what was said in the blog post. The author, Jeff Dray, was recounting an early job interview when he first got into the computer business. One of the questions was “if I were to tell you to enter a certain key sequence that would delete all data in the organization, would you do it?”. Jeff told his potential future boss that he would ask him to repeat the request, clarify the effects of the request, and then if he couldn’t get a reasonable answer, Jeff would go over his interviewer’s head. Apparently this was the right answer, since he got the job.

This was an interesting conversation because it brings to mind that there are people within an organization who may be interested in sabotaging the network in order to bring down a business. In fact, insider threats have taken over from outsider attacks as the major cause of data loss and corruption over the past five years. For this reason I think it’s more important than ever for you to think about the security implications of the requests you get from your superiors, because dumb requests might be more than they seem — they might be conscious attempts to ruin the business by compromising the network. Sort of an electronic form of arson.

Now back to our story about the site to site VPN and the ISA Firewall. Someone mentioned that his boss wanted him to set up a site to site VPN between his home network’s NAT device and the ISA Firewall at the main office. This person came to the mailing list asking for technical details on how to implement this solution. What do you think of this request? Is this a pure technical problem or could there be more insidious issues that lie outside the technical problems?

My first thought was to think of the security issues of this configuration before getting into the technical issues of setting up the site to site VPN. Think about it. The boss wants to connect his unmanaged, unprotected network to the main office through a full site to site VPN. What kind of machines are on the boss’ network? The kids’ laptops? The media center PC? A kitchen computer? How many worms, viruses and Trojans live on his network? What will happen when the company network is completely opened up to this untrusted network?

My initial assumption was that the boss simply didn’t understand the security implications and that the person requesting the technical support should explain these issues to him. A better solution is to create a remote access client VPN connection and then use firewall access controls to restrict what can be done over that connection.

What didn’t occur to me at the time is the possibility that the boss knew exactly what he was doing, and was setting up our admin to take a fall for putting together a solution that would sabotage the network. In this case, I would recommend that the admin do what Jeff Dray did — explain to the boss the security issues, repeat the security issues, determine that the boss understands the security issues and wants to go ahead with the dangerous plan, and then if he does want to go ahead with the dangerous plan, go over his head to confirm that this is company policy in spite of the exceptional risks it poses to the company’s existence.

Check out Jeff’s blog post at http://blogs.techrepublic.com.com/helpdesk/?p=191&...l.e036 for more insight into this issue.

HTH,

Tom

Thomas W Shinder, M.D.
Site: http://www.isaserver.org/

Blog: http://blogs.isaserver.org/shinder/
GET THE NEW BOOK! Go to http://tinyurl.com/2gpoo8
Email: tshinder@isaserver.org
MVP — Microsoft Firewalls (ISA)

SSTP Support for NLB

I’ve written about SSTP in articles on the windowsecurity.com Web site. If you haven’t run into SSTP, it’s the Windows Server 2008 SSL VPN protocol that provides full network connectivity over an SSL connection. SSTP also works through Web proxies, so you can reach your company network through virtually any firewall or Web proxy that allows outbound SSL connections on TCP port 443.

Most companies with VPN servers need them to be highly available. To create a highly available VPN server configuration, you can use Windows Server 2008 Network Load Balancing (NLB). NLB lets you bind a virtual IP address to each member of the NLB array, so that connections are automatically load balanced among all members of the array. In addition, if a member of the array becomes unavailable, its connections drop and automatically reconnect to a member of the array that is still online.

In order to get this to work, you want to do the following:

  • Create a DNS entry that resolves to the virtual IP address bound to the external interfaces of the array members
  • Enable NLB on each member of the NLB array
  • Use the same computer certificate on each member of the array. The certificate’s common name must match the name clients use in their connection request, which is the DNS name that resolves to the NLB array
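The three steps above are easy to get subtly wrong: the DNS name resolves to the wrong address, one member was issued a different certificate, or the certificate’s name doesn’t match what clients type. The following PowerShell script is an added example (not code from the original post) that probes each array member directly and reports those three conditions. The DNS name, virtual IP and member addresses are constructed placeholders.

```powershell
# Added example, not from the original post: probe each SSTP NLB array member and
# check that (1) the DNS name clients use resolves to the virtual IP, (2) every
# member presents a certificate whose DNS name matches that name, and (3) all
# members present the same certificate. Names and addresses below are constructed.

function Get-SstpMemberCertificate {
    param([string]$MemberAddress, [string]$DnsName, [int]$Port = 443)

    $tcp = New-Object System.Net.Sockets.TcpClient($MemberAddress, $Port)
    # Accept any chain in the callback: this is a diagnostic probe and we inspect
    # the certificate ourselves below. Do not copy this callback into a real client.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    try {
        # Handshake against the name clients use, not the member's own address.
        $ssl.AuthenticateAsClient($DnsName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Close()
        $tcp.Close()
    }
}

function Test-SstpArrayCertificate {
    param([string]$DnsName, [string]$VirtualIP, [string[]]$MemberAddresses)

    # (1) The published name must resolve to the NLB virtual IP.
    $resolved = [System.Net.Dns]::GetHostAddresses($DnsName) | ForEach-Object { $_.IPAddressToString }
    if ($resolved -notcontains $VirtualIP) {
        Write-Warning "$DnsName resolves to [$($resolved -join ', ')], not to the virtual IP $VirtualIP"
    }

    # (2) and (3): collect each member's certificate by connecting to its dedicated address.
    $results = @()
    foreach ($member in $MemberAddresses) {
        $cert = Get-SstpMemberCertificate -MemberAddress $member -DnsName $DnsName
        # GetNameInfo(DnsName) returns the SAN DNS name if present, otherwise the subject CN.
        $certName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
        $results += New-Object PSObject -Property @{
            Member     = $member
            CertName   = $certName
            NameMatch  = ($certName -ieq $DnsName)
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
        }
    }

    $distinct = @($results | ForEach-Object { $_.Thumbprint } | Sort-Object -Unique)
    if ($distinct.Count -gt 1) {
        Write-Warning "Members present $($distinct.Count) different certificates; a reconnect after failover will show clients a different identity"
    }
    foreach ($r in $results) {
        if (-not $r.NameMatch) { Write-Warning "$($r.Member): certificate name '$($r.CertName)' does not match '$DnsName'" }
    }
    $results
}

# Constructed values: the VIP published in DNS and each member's own external address.
Test-SstpArrayCertificate -DnsName 'sstp.example.com' -VirtualIP '203.0.113.10' -MemberAddresses @('203.0.113.11', '203.0.113.12') |
    Format-Table Member, CertName, NameMatch, Thumbprint, NotAfter -AutoSize
```

Run it from a machine outside the array so the connection takes the same path clients do. Connecting to each member’s dedicated address rather than the virtual IP is deliberate: a probe against the VIP only ever sees whichever member NLB happens to hand the connection to. Remember too that SSTP clients check the server certificate for revocation, so the CRL distribution point in that certificate must be reachable from the Internet as well.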

That’s it! Have fun with SSTP — one of the most valuable features included with Windows Server 2008.

HTH,

Tom


Beware the Read-only Domain Controller Schema Update

As mentioned in previous posts on this blog, the Windows Server 2008 read-only domain controller option allows you to install domain controllers in high risk environments, where the domain controller might not be in an optimal physical security environment or where there are no users with domain admin privileges at the branch office. With the read-only domain controller (RODC), users who are not domain admins can be allowed to log onto the domain controller but aren’t able to make changes to the Active Directory, since the copy of the AD database on the RODC is read-only.

Windows Server 2008 makes the process of creating a RODC easy. All you need is an existing Windows Server 2008 domain controller already in place so that the RODC can create its read-only copy. Then you run the dcpromo command on the machine that will become the RODC and walk through the wizard. At the end of the wizard the machine automatically reboots itself and it’s a new domain controller in your domain.

Well, almost. The problem with the dcpromo command is that there isn’t any information in the wizard that tells you that you need to update the schema to support the RODC. In order to do this, you need to copy the ADPREP directory from the Windows Server 2008 DVD. After you copy that directory, you need to run the command:

adprep /rodcprep

This step updates the permissions on all the DNS application directory partitions in the forest, which allows them to be replicated successfully by all RODCs that are also DNS servers. To run the command, you need to log onto a domain controller as an enterprise admin.

For more information on installing and managing RODCs, check out the Microsoft Step by Step guide at http://technet2.microsoft.com/windowsserver2008/en...r=true

Just a heads up on a security issue that you might run into in the future.

HTH,

Tom

What’s New with Windows Server 2008 NTFS?

NTFS is the file system of choice on any file server. NTFS permissions are a key element to controlling access to files and folders on any Windows computer. NTFS is also critical to maintaining the integrity of the file system and helps ensure that files and folders don’t become corrupted while on disk.

NTFS has been around since the first version of Windows NT. While we were hoping for a new file system to be available in Windows Server 2008, there are some things to look forward to with improvements in the Windows Server 2008 NTFS file system. Some of these improvements include:

  • Transactional NTFS integrates with COM+
  • Each NTFS volume is a resource manager. This feature enables a system to be restarted with some volumes “missing” without affecting the recovery on the other volumes.
  • A file handle can be closed before the transaction commits or aborts.
  • You can view a file as a unit of storage. Partial updates and complete file overwrites are supported. It is not expected that multiple transactions concurrently modify parts of the file—this is not supported.
  • Memory mapped I/O works transparently and consistently with the regular file I/O.
  • Accessing a remote file using SMB Service and Web-Based Distributed Authoring and Versioning (WebDAV) is supported transparently. The transaction context is carried to the remote node by the system automatically. The transaction itself gets distributed and coordinated for commit or abort.
  • Each volume contains its own log. The common log format is used for providing recovery and aborts.

For more information about updates to NTFS check out:

http://technet2.microsoft.com/windowsserver2008/en...r=true

HTH,

Tom


Planning File Server Security

One of the least mentioned areas of security, but one of the most important, is configuring a file server correctly. In many cases that I’ve seen, people just set up shares with default permissions and assume that that’s all there is to file server security. Then later they find out that things didn’t work out the way they expected, and files are lost, stolen, copied and deleted by people who shouldn’t even have access to those files.

There’s a lot of planning that goes into putting together a secure and robust file server solution. Things to consider when planning a secure file server include:

  • Ensure the physical security of each file server
  • Plan baseline security for the server operating system and system services
  • Plan virus and malware protection for the file servers
  • Plan access to shared files and folders, including share permissions
  • Plan for using the Encrypting File System (EFS)
  • Plan for Distributed File System (DFS) and File Replication Service (FRS) security
  • Plan for cluster security
  • Plan for file system auditing

Physical security is something that is often ignored at the branch office. Make sure that your file servers aren’t sitting under the secretary’s desk.

Baseline security can be implemented using the Security Configuration Wizard together with the Windows Server 2003 and Windows Server 2008 security guides at http://www.microsoft.com/downloads/details.aspx?Fa...ang=en and http://www.microsoft.com/downloads/details.aspx?Fa...ang=en 

Malware protection can be implemented using a standalone product or, better, an enterprise-ready anti-malware solution such as Microsoft Forefront Client Security (http://www.microsoft.com/forefront/clientsecurity/...t.mspx).

Share and NTFS permissions are the most important configuration tasks on a file server, and they are probably the most complex. Most organizations set the top-level share permissions to Full Control and use NTFS permissions for granular control of file and folder access; this works because a user’s effective access through a share is the more restrictive of the share permission and the NTFS permission. If you’re not well versed in NTFS permissions, it’s easy to make a mistake. Take some time to learn about them.

Auditing is critical on file servers. You want to know who accessed what document at what time, and you want to know what they did with the document when they accessed it. Auditing can provide you this information.
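The share, NTFS and auditing advice above fits in one script. The following PowerShell is an added example (not from the original post or from Microsoft) that sets a wide-open share permission, breaks NTFS inheritance and grants explicit rights to two groups, and then adds a SACL and enables the matching audit subcategory. The path, share name and group names are constructed placeholders.

```powershell
# Added example, not from the original post: the share/NTFS/audit pattern described
# above. Share permission is Full Control for Authenticated Users, the NTFS ACL does the
# real access control, and a SACL plus the audit policy record who changed what.
# Path, share name and group names are constructed placeholders. Run elevated.

$Path      = 'D:\Shares\Finance'
$ShareName = 'Finance'
$ReadGroup = 'CONTOSO\Finance-Readers'
$EditGroup = 'CONTOSO\Finance-Editors'

if (-not (Test-Path -Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }

# 1. Share permission: wide open to authenticated users. The effective right through the
#    share is the more restrictive of share and NTFS, so granularity lives in the NTFS ACL.
net share "$ShareName=$Path" "/GRANT:Authenticated Users,FULL" "/REMARK:Finance documents"

# 2. NTFS permissions: stop inheriting from the parent, then grant explicit rights only.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$none    = [System.Security.AccessControl.PropagationFlags]::None

$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $false)   # $true = protect from inheritance, $false = drop inherited ACEs
$grants = @(
    @('BUILTIN\Administrators', 'FullControl'),
    @('NT AUTHORITY\SYSTEM',    'FullControl'),
    @($ReadGroup,               'ReadAndExecute'),
    @($EditGroup,               'Modify')          # Modify, not FullControl: editors cannot change permissions
)
foreach ($g in $grants) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($g[0], $g[1], $inherit, $none, 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $Path -AclObject $acl

# 3. Auditing: log successful and failed writes, deletes and permission changes by anyone,
#    and make sure the Object Access > File System subcategory is actually being collected.
$rights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$auditRule = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', $rights, $inherit, $none, 'Success, Failure')
$sacl = Get-Acl -Path $Path -Audit
$sacl.AddAuditRule($auditRule)
Set-Acl -Path $Path -AclObject $sacl
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 4. Review the result.
net share $ShareName
(Get-Acl -Path $Path).Access       | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
(Get-Acl -Path $Path -Audit).Audit | Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize
```

Writing the SACL needs the Security privilege, so run this from an elevated prompt. The SACL alone produces nothing; the auditpol line is what turns collection on, after which object access events (ID 4663 on Windows Server 2008) appear in the Security log. Auditing reads as well as writes is possible but is usually too noisy on a busy share, which is why the rule above covers only changes.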

EFS encrypts files while on disk, so that users who don’t own the document, or who haven’t been given permissions to use the document, can’t access it.

DFS and FRS security is important so that documents can’t be intercepted and altered when being replicated between servers.

For more information on planning and implementing file server security, check out:

http://technet2.microsoft.com/windowsserver/en/lib...r=true

HTH,

Tom


Windows Server 2008 Fine-grained Password Policies

One of the major improvements in the Windows Server 2008 Active Directory is the ability to create fine-grained password and account lockout policies. As you might know, in Windows Server 2003 and Windows 2000 you could only create a single password policy, and that policy applied to all domain members. You could work around this limitation, for example by creating separate domains for users who required different password policies and configuring a trust between those domains, or by writing a custom password filter .dll and installing it on each of your domain controllers. Both of these solutions had the potential to significantly increase the complexity of your network, or at least required an enormous amount of administrator overhead to get them to work.

Windows Server 2008 now allows you to create separate password and lockout policies for different users in the domain. This allows you to set strong password policies for users with high privileges (such as domain administrators) and weaker policies for users with limited privileges (such as normal users). Of course, you can create many more than two password and lockout policies. You can create as many as you like.

The problem is, the process for creating these policies is almost as complex as the workarounds you had to use with Windows 2000 and Windows Server 2003. You have to use tools such as ADSIEdit, LDP or LDIFDE to make the solution work, and there are many opportunities to create a configuration error that could damage your Active Directory configuration. While Windows Server 2008 has taken great strides in increasing the ease of use of many functions that were complex in previous versions of Windows, it’s clear that support for fine-grained password policies is at the version 0.9 level at this time. This is comparable to the version 0.9 status that I believe is appropriate for the server core deployment option for Windows Server 2008.

This is not to say that you shouldn’t take advantage of this great feature. The good news is that third parties have stepped in to complete the development of this part of Windows Server 2008. There is a tool called PSOMgr that you can download from www.joeware.net/freetools/tools/psomgr. It is a command line tool, but it makes the configuration a bit easier. If you want a truly professional tool, check out Specops, which provides an MMC snap-in; you can find it at www.specopssoft.com/products/specopspasswordpolicy. There is also a free version on the Specops site that you can download, and it will help you a lot in getting your password policies done without driving yourself mad with AD arcana.

If you have a lot of free time and want to see how to create fine-grained password policies using the built-in tools included with Windows Server 2008, check out:

http://technet2.microsoft.com/windowsserver2008/en...r=true
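For readers who do want the built-in route, the following PowerShell script is an added example (not from the original post or from Microsoft’s guide) that generates the LDIF for a Password Settings Object and imports it with LDIFDE, which the post names as one of the built-in tools. The domain, PSO name, target group and policy values are constructed placeholders.

```powershell
# Added example, not from the original post: create a fine-grained password policy (a
# Password Settings Object, PSO) the built-in way, by generating an LDIF file and
# importing it with ldifde. Domain, PSO name and target group are constructed placeholders.

# AD stores password ages and lockout windows as negative 100-nanosecond intervals
# (the I8 syntax); hand-typing these is the usual source of mistakes.
function ConvertTo-AdInterval {
    param([int]$Days = 0, [int]$Hours = 0, [int]$Minutes = 0)
    $seconds = ([int64]$Days * 86400) + ([int64]$Hours * 3600) + ([int64]$Minutes * 60)
    return (-1 * $seconds * 10000000)
}

$DomainDN   = 'DC=contoso,DC=com'
$PsoName    = 'PSO-PrivilegedUsers'
$AppliesTo  = "CN=Domain Admins,CN=Users,$DomainDN"   # users or global security groups only, not OUs
$Precedence = 10                                       # lowest number wins when several PSOs apply

$ldif = @"
dn: CN=$PsoName,CN=Password Settings Container,CN=System,$DomainDN
changetype: add
objectClass: msDS-PasswordSettings
msDS-PasswordSettingsPrecedence: $Precedence
msDS-PasswordReversibleEncryptionEnabled: FALSE
msDS-PasswordHistoryLength: 24
msDS-PasswordComplexityEnabled: TRUE
msDS-MinimumPasswordLength: 15
msDS-MinimumPasswordAge: $(ConvertTo-AdInterval -Days 1)
msDS-MaximumPasswordAge: $(ConvertTo-AdInterval -Days 42)
msDS-LockoutThreshold: 5
msDS-LockoutObservationWindow: $(ConvertTo-AdInterval -Minutes 30)
msDS-LockoutDuration: $(ConvertTo-AdInterval -Minutes 30)
msDS-PSOAppliesTo: $AppliesTo

"@

$ldifPath = Join-Path $env:TEMP "$PsoName.ldf"
Set-Content -Path $ldifPath -Value $ldif -Encoding ASCII
Get-Content -Path $ldifPath        # review before importing

# Import on a domain controller as a member of Domain Admins.
ldifde -i -f $ldifPath

# Check which PSO actually wins for one member of the target group; msDS-ResultantPSO is a
# constructed attribute, so it has to be requested explicitly.
$user = [ADSI]"LDAP://CN=Administrator,CN=Users,$DomainDN"
$user.psbase.RefreshCache(@('msDS-ResultantPSO'))
$user.psbase.Properties['msDS-ResultantPSO'].Value
```

Every attribute in the LDIF is mandatory for an msDS-PasswordSettings object; leave one out and the import fails with a constraint violation rather than a helpful message. The final check matters because PSOs link to users and global security groups, never to OUs, and when several apply the lowest precedence value wins, so the only reliable way to know what a given account gets is to ask the directory.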

HTH,

Tom


New Features with Windows Server 2008 EFS

A few days ago when going over some of the new and improved security features included with Windows Server 2008, I mentioned an enhanced EFS. What are some of the enhanced EFS features? Check out this list:

  • Smart card key storage
  • Key caching
  • Smart card single sign on
  • Per user encryption of offline files
  • Improved Group Policy support
  • EFS rekeying wizard

EFS encryption keys and certificates can be stored on smart cards, providing stronger protection for the encryption keys since they no longer need to be stored on the machine itself. This is especially useful for protecting laptops or multi-user workstations. Smart cards may also provide ways to improve key management in large enterprises.

You can configure EFS Group Policy to store private keys on smart cards in non-cached or cached mode:

  • Non-cached mode. Similar to the traditional way EFS works, all decryption operations requiring the user’s private key are performed on the smart card and the smart card must be plugged into the computer when the operations take place.
  • Cached mode. A symmetric key is derived from the user’s private key and cached in protected memory. Encryption and decryption operations involving the user’s key are then replaced with the corresponding symmetric cryptographic operations by using this derived key. This eliminates the need to keep the smart card plugged in at all times.

EFS also provides Group Policy support to require smart cards and to control the caching behavior of users’ keys, to use either cached or non-cached mode.

Smart card single sign-on (SSO) is used when the user logs on with a smart card and one of the following conditions is true:

  • The user does not have a valid EFS encryption key on the computer, and smart cards are required for EFS by policy settings.
  • The user has a valid EFS encryption key that resides on the smart card used for logon.

When SSO is used, EFS caches the PIN entered by the user at logon and uses it for EFS operations as well. This means that the user isn’t asked for the PIN when EFS operations take place.

If the smart card used for the logon is removed from the smart card reader before any encryption operations are performed, Single Sign On is disabled. The user will be prompted for a smart card and PIN at the first EFS operation, but not for subsequent operations.

Offline copies of files from remote servers can also be encrypted by using EFS. When this feature is enabled, each file in the offline cache is encrypted with the public key of the user who cached the file. This means that only that user has access to the file, and even local administrators cannot read the file without having access to the user’s private keys.

A number of new Group Policy options have been added to help you define and implement Group Policy for EFS. These include the ability to require smart cards, enforce page file encryption, set minimum key lengths for EFS, enforce encryption of the user’s Documents folder, and prohibit self-signed certificates.

The Encrypting File System rekeying wizard allows the user to choose a certificate for EFS and to select and migrate existing files that will use the newly chosen certificate. It can also be used to migrate users in existing installations from software certificates to smart cards. The wizard can also be used by an administrator or by users themselves in recovery situations. It is more efficient than decrypting and re-encrypting files.

One or more of these changes and updates makes the Windows Server 2008 EFS worth upgrading to if you want to both simplify and increase security on your network. For more information on EFS, check out:

http://technet2.microsoft.com/windowsserver2008/en...r=true

HTH,

Tom


Using a Read-Only Domain Controller to Prevent Disaster

If you have branch offices, you probably have domain controllers located on your branch office networks. The unfortunate thing about branch office networks is that their level of physical security isn’t what you typically find at the main office network. At the main office, the datacenter is protected with two factor authentication, sophisticated alarm systems, and industrial level climate controls. At the branch office, it’s not unusual to find the branch office domain controller under the secretary’s desk or in the lunch room. If someone were to break into the branch office, they could steal the domain controller and perform an offline attack on the AD database.

The problem of physical security is further exacerbated by the fact that often the domain controller is used for other purposes, such as a file server or an Exchange Server. This means that in order for users to perform maintenance on the file or mail server, they need to have domain administrator rights to log on to the domain controller. This gives the inexpert user access to the AD tools, such as Active Directory Users and Computers and Active Directory Sites and Services. The inexpert user can then accidentally delete any object in the AD database.

What’s the solution to this AD problem? The Windows Server 2008 read-only domain controller (RODC). A RODC contains only a read-only copy of the AD, so that users logging onto the RODC can only read information in the AD but cannot change anything. When AD replication takes place, it only takes place in one direction — from the writable domain controller to the read-only domain controller.

In addition, the RODC doesn’t store the credentials (password secrets) of all the users in the Active Directory. The RODC can be configured to cache or not cache logon credentials for users at the branch office who use that domain controller to log on. In most cases you will want to enable credential caching, so that users can log on when the Internet or WAN link goes down. Even with cached credentials, if the machine is stolen an offline attack will only yield the credentials of the users at the branch office, and it’s very unlikely that domain or enterprise administrators will have logged on using the branch office domain controller.

For even further control, should the domain or enterprise admin become aware that the branch office domain controller has been stolen, a list of the accounts whose credentials were cached on it is available to him on the writable domain controller at the main office. The domain or enterprise admin can then delete those accounts or reset their passwords from the main office. So even if the offline attack is successful, the results will be of no value to the attacker because the accounts’ credentials have changed.
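The response described in the paragraph above can be scripted. The following PowerShell is an added example (not from the original post) that takes the list of accounts whose secrets were cached on a stolen RODC and resets each one to a random password with a forced change at next logon. The RODC name and account DNs are constructed placeholders.

```powershell
# Added example, not from the original post: respond to a stolen branch-office RODC as
# the paragraph above describes. Take the list of accounts whose secrets were cached on
# that RODC, give each a fresh random password and force a change at next logon.
# The RODC name and the account list are constructed placeholders; run on the main
# office writable DC as a domain admin.

# Step 1 (manual, shown for context): list the accounts whose secrets the RODC held:
#     repadmin /prp view RODC01 reveal
# Paste the resulting account DNs into $RevealedAccounts.
$RevealedAccounts = @(
    'CN=Alice Branch,OU=Branch,DC=contoso,DC=com',
    'CN=Bob Branch,OU=Branch,DC=contoso,DC=com'
)

function New-RandomPassword {
    param([int]$Length = 24)
    # Ambiguous characters (I, O, l, 0, 1) left out so a help desk can read one aloud if ever needed.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#%&*+-=?@'
    $rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $buf = New-Object byte[] 1
    $limit = 256 - (256 % $alphabet.Length)   # rejection sampling avoids modulo bias
    $sb = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($alphabet[$buf[0] % $alphabet.Length]) }
    }
    return $sb.ToString()
}

function Reset-RevealedAccount {
    param([string]$DistinguishedName)
    $user = [ADSI]"LDAP://$DistinguishedName"
    # IADsUser.SetPassword. The new value is deliberately not recorded: the old credential is
    # now worthless, and the user gets a fresh one from the help desk after identity checks.
    $user.SetPassword((New-RandomPassword))
    $user.Put('pwdLastSet', 0)                # 0 = user must change password at next logon
    $user.SetInfo()
    Write-Host "Reset credentials for $DistinguishedName"
}

foreach ($dn in $RevealedAccounts) { Reset-RevealedAccount -DistinguishedName $dn }
```

Resetting is only half of the response: the stolen RODC’s own computer account should be deleted from the writable domain controller as well. On Windows Server 2008, deleting an RODC’s computer account in Active Directory Users and Computers offers to reset the passwords of every account that was cached on it and to export that list, which covers the same ground as the script for administrators who prefer the GUI.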

Another nice feature of the RODC is administrative role separation. You can configure the RODC to allow a user to log on with administrator privileges to install drivers, etc., but not allow them access to any Active Directory components. Also, when you install the DNS service on the RODC, you get a read-only DNS server, so the inexpert user can’t make changes in your domain DNS.

I highly recommend the RODC for all branch offices and any other locations where physical security is an issue or you need to enable inexpert users access to a domain controller. For more information about the Windows Server 2008 RODC, check out: http://technet2.microsoft.com/windowsserver2008/en...r=true

HTH,

Tom


Security Enhancements in Windows Server 2008

There are hundreds of improvements in Windows Server 2008 over what we had with Windows Server 2003. But what about security? To begin with, Windows Server 2008 was designed from the ground up using Microsoft’s Security Development Lifecycle method of creating secure software (http://msdn2.microsoft.com/en-us/library/ms995349.aspx).

Windows Server 2008 was also designed with least privilege in mind, so that each service runs at the absolute least privilege level so that if one service is compromised, the attacker can’t leverage the privileges of the compromised service to attack other components of the operating system. This is referred to as Windows Service Hardening.

In addition, Windows Server 2008 supports a completely new method of deployment, called Server Core. Server Core installs only a small subset of binaries which are required to get the operating system started.

What other new and cool security related technologies are included with Windows Server 2008? Consider these:

  • Read only domain controllers (RODCs)
  • Active Directory Federation Services (ADFS)
  • Active Directory Lightweight Directory Services (AD LDS)
  • Directory Service Auditing
  • Federated Collaboration
  • BitLocker whole volume encryption
  • Network Access Protection (NAP)
  • Windows Firewall with Advanced Security
  • Enhanced Server and Domain Isolation
  • Enterprise PKI (PKIView)
  • Online Certificate Status Protocol (OCSP)
  • Network Device Enrollment Service (NDES)
  • V3 Certificate Templates
  • Cryptography Next Generation (CNG)
  • Terminal Services Gateway
  • Terminal Services RemoteApp
  • Enhanced EFS
  • Enhanced Security Configuration Wizard
  • Kerberos enhancements with AES encryption
  • Improved Authorization Manager

I’m sure there are many more security improvements, but this list should give you a taste of the improved security environment provided by Windows Server 2008. We’ll cover all these topics and more in upcoming articles I’ll write on the www.windowsecurity.com Web site. It’s going to be a great year for Microsoft security admins!

HTH,

Tom


Got SharePoint? Secure it using Forefront Security for SharePoint

There’s no doubt that SharePoint is the hottest product on Microsoft’s shelves these days. For those of you who don’t know about SharePoint, SharePoint is a document collaboration and sharing solution that allows users within and outside your organization to share documents and other types of information in document libraries. Users can share this information, take advantage of strong versioning controls, and even apply sophisticated Rights Management within and outside the company by taking advantage of Windows Server 2008 Federated Rights Management.

However, SharePoint often can become a security issue, because the antimalware software that you install on your typical file server isn’t able to access the files contained in a SharePoint database. There is also the risk that users will store files, such as MP3s and video files, that can put your company at risk for copyright violations. In addition, users might store information on the SharePoint site that is too sensitive to be exposed to a publicly accessible site. What you need is a way to perform content inspection, file inspection and antimalware controls on your SharePoint sites.

The best answer I’ve found for these problems is Forefront Security for SharePoint. Forefront is an umbrella name for Microsoft’s major security products. If you haven’t run into the Forefront branding before, the following products fall under the Forefront name:

  • Forefront Client Security
  • Forefront Security for Exchange
  • Forefront Security for SharePoint
  • Intelligent Application Gateway 2007 (IAG)
  • Internet Security and Acceleration Server 2006 (ISA)

I’m sure there will be more Forefront applications in the future, and that some of them currently in the Forefront brand will be changing their names.

Forefront Security for SharePoint manages and integrates multiple antivirus engines to provide protection against the latest threats, helping ensure documents are safe before they are saved to or retrieved from the SharePoint document library. It can also perform content inspection by scanning for sensitive information, profanity or other administrator-defined content inspection policies. Forefront Security for SharePoint also enables you to easily manage configuration and operation, automated antivirus signature updates and reporting at the server and enterprise level.

Those of you who purchase Forefront Security for SharePoint to protect Microsoft Office SharePoint Server 2007 or Microsoft Windows SharePoint Services version 3.0 will also be licensed to use Antigen for SharePoint to protect Microsoft SharePoint Portal Server 2003 and Microsoft Windows SharePoint Services 2.0 environments. This allows you to bring in Forefront Security for SharePoint while you’re in the process of upgrading from previous versions of SharePoint.

For more information about Forefront Security for SharePoint and a downloadable trial version, check out:

http://www.microsoft.com/forefront/sharepoint/en/u...t.aspx

HTH,

Tom


