Dr. Tom Shinder’s Blog

Archive: April 2008

Microsoft wins 2008 Info Security Products Guide Global Product Excellence Awards for ISA Server 2006 and Forefront Security for Exchange Server

“We are pleased to announce that two of our world-class Forefront security products were honored by Info Security Products Guide with 2008 Global Product Excellence Awards. Microsoft Forefront Security for Exchange Server was honored with the award for “Global Excellence in E-Mail Security Solution,” and the Internet Security & Acceleration (ISA) 2006 Server was honored for “Global Excellence in Firewall Solution.” These two awards are both a testament to the hard work of our development teams, and further proof of the excellence of the Forefront line of security products, along with the many other award nominations gained by Forefront products in the last year…”

For more information, check out:

http://www.microsoft.com/forefront/prodinfo/awards...t.mspx

HTH,

Tom

Thomas W Shinder, M.D.
Site: http://www.isaserver.org/

Blog: http://blogs.isaserver.org/shinder/
GET THE NEW BOOK! Go to 
http://tinyurl.com/2gpoo8
Email: tshinder@isaserver.org
MVP — Microsoft Firewalls (ISA)

Forefront "Stirling" Shows More Heads are Better Than One

I wrote a little about the introduction of Forefront “Stirling” last week, after it had been announced at the RSA conference in San Francisco. If you haven’t heard about Stirling, the short story is that it’s designed to bring together multiple Microsoft security technologies so that you can benefit from the integration of all these technologies and leverage the information gathered by each of them to provide both proactive and fast reactive responses to potential security incidents.

While all this sounds pretty neat, an example would be useful. It’s one thing to say that “integration” and “proactive and reactive intervention” are good things, but what do those things really mean?

OK, here’s an example of how Stirling might work in one scenario. Suppose you have the new Forefront Threat Management Gateway (the future version of the ISA Firewall) on the perimeter of your network. The TMG notices that an abnormally large number of TCP connections are being made outbound from one particular host. The TMG will shut down that computer’s access to the Internet in order to prevent the potential exploit from escaping the security zone on which the potentially compromised host is located.

However, Stirling allows us to do much more than that. Because the TMG is part of the Stirling solution, it is able to communicate what it’s detected to other components of the Stirling suite of security technologies. Forefront Client Security is part of the Stirling suite of security solutions. When the TMG detects a potential exploit active on one of the host computers, it can communicate that to Stirling. Stirling then shares this information with Forefront Client Security, which leads Forefront Client Security to run an anti-malware scan on that computer in an attempt to remove the exploit.

But it doesn’t stop there! While the TMG was able to stop the machine from communicating with machines in other security zones through the TMG device, the compromised computer can still potentially infect machines in the same security zone over the network, since that zone isn’t perimeterized by the TMG. In this case Stirling, being aware of the network security issue that TMG informed it about, will be able to activate a Network Access Protection (NAP) policy that essentially disconnects the compromised machine from the network until the security incident is resolved.

As you can see, the Stirling solution was able to leverage information garnered from one member of the Stirling security suite and enable other security solutions in the suite to take action on the event. All of this is done automatically and doesn’t incur the delay that would happen if an administrator had to be informed of the issue, look up the machine that might have been compromised, go to that machine and manually run a scan, and maybe even disconnect the machine from the network. That manual approach could take minutes or hours. With Stirling, all the incident response steps can take place in a matter of seconds.
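To make the chain concrete, here is an added toy model of the scenario just described (it is not code from the post or from the Stirling product): a gateway connection log is scanned for a host opening an abnormal number of outbound TCP connections, and a single detection fans out to the gateway block, the client anti-malware scan and the NAP quarantine. The log format, the per-minute threshold and the action names are all assumptions.

```python
# Added example, not code from the post or from the Stirling product: a toy
# model of the TMG -> Stirling -> Client Security / NAP chain described above.
# The log format, the threshold and the action names are all assumptions.
from collections import defaultdict
from dataclasses import dataclass, field

OUTBOUND_THRESHOLD = 50  # assumed: outbound TCP connections per source per minute


def build_sample_log():
    """Constructed gateway log: 'timestamp src dst:port proto', one line per connection.
    10.0.1.15 browses normally; 10.0.1.27 opens 60 SMTP connections inside one minute."""
    lines = [f"2008-04-21T10:00:0{i} 10.0.1.15 203.0.113.{10 + i}:80 TCP" for i in range(3)]
    lines += [f"2008-04-21T10:00:{5 + i % 50:02d} 10.0.1.27 198.51.100.{i}:25 TCP"
              for i in range(1, 61)]
    return lines


def outbound_per_minute(lines):
    """Count outbound TCP connections per (source, one-minute bucket)."""
    counts = defaultdict(int)
    for line in lines:
        timestamp, src, _dst, proto = line.split()
        if proto == "TCP":
            counts[(src, timestamp[:16])] += 1   # 'YYYY-MM-DDTHH:MM' bucket
    return counts


def detect_abnormal_hosts(lines, threshold=OUTBOUND_THRESHOLD):
    """Hosts that reach the threshold in any one-minute bucket (what the TMG notices)."""
    return sorted({src for (src, _minute), n in outbound_per_minute(lines).items()
                   if n >= threshold})


@dataclass
class StirlingState:
    """What each suite component has been asked to do; an assumed model of the workflow."""
    gateway_blocked: set = field(default_factory=set)
    scans_requested: set = field(default_factory=set)
    nap_quarantined: set = field(default_factory=set)

    def respond(self, host):
        """Fan the gateway's detection out to the other components, in the post's order."""
        self.gateway_blocked.add(host)      # TMG: stop traffic leaving the zone
        self.scans_requested.add(host)      # Forefront Client Security: anti-malware scan
        self.nap_quarantined.add(host)      # NAP: isolate from peers in the same zone
        return [("TMG", f"deny outbound from {host}"),
                ("ForefrontClientSecurity", f"scan {host}"),
                ("NAP", f"quarantine {host}")]


def run_pipeline(lines, threshold=OUTBOUND_THRESHOLD):
    """Detect, then respond; returns the component state and a per-host action list."""
    state, timeline = StirlingState(), {}
    for host in detect_abnormal_hosts(lines, threshold):
        timeline[host] = state.respond(host)
    return state, timeline


if __name__ == "__main__":
    state, timeline = run_pipeline(build_sample_log())
    for host, actions in timeline.items():
        print(host, actions)
```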

This is just one example of what Stirling can do. Keep in mind that this example only included the TMG, NAP and Forefront Client Security pieces of the Stirling suite. Forefront Security for Exchange and Forefront Security for SharePoint are also part of the security solution, so you could imagine scenarios where these solutions could be brought into play. If you can’t, don’t worry: I’ll share more scenarios with you in the future in this blog and in future articles on Stirling here at www.windowsecurity.com.

HTH,

Tom


Use Netstat to Discover Listening Ports

A recent troubleshooting exercise got me to thinking about a useful tool that you can use to check what ports are listening on your Windows computer. The problem I was having had to do with the VMware server remote console not working. The VMware Server is running on Windows Server 2003 x64 edition. The first thing I checked was the Windows Firewall. It said that there was an exception configured for VMware Remote on TCP port 8333. However, I wasn’t able to connect the VMware remote console to the VMware server.

I thought maybe there was a problem with a VMware remote listener service not working, so I checked the Services applet. I didn’t find anything that suggested a service not starting. I then ran the netstat -nab command and found that there were VMware services listening on multiple ports. One of the ports was TCP 8333, but there were other ports, such as TCP 902 and TCP 912.

Since netstat gave me some hints, I was able to run a query on Google:

VMware “virtual server” “remote console” 902

I got lucky, since I used 902 first. A Web page came up showing the default port used by the remote console for VMware Virtual Server, which is TCP port 902. I created an exception for TCP port 902 in the Windows Firewall and BAM! everything worked great.

When you run the netstat command with the -nab switch, you get information about which TCP and UDP ports the machine is listening on. You also get information about which PID (process ID) and service are using each port. For example:

C:\Documents and Settings\Administrator>netstat -nab

Active Connections

Proto Local Address Foreign Address State PID
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING 4
[System]

TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 676
RpcSs
[svchost.exe]

TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
[System]

TCP 0.0.0.0:902 0.0.0.0:0 LISTENING 1352
[vmware-authd.exe]

TCP 0.0.0.0:912 0.0.0.0:0 LISTENING 1352
[vmware-authd.exe]

TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING 436
[lsass.exe]

TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING 2104
TermService
[svchost.exe]

TCP 0.0.0.0:8222 0.0.0.0:0 LISTENING 4
[System]

TCP 0.0.0.0:8333 0.0.0.0:0 LISTENING 4
[System]

TCP 127.0.0.1:1037 0.0.0.0:0 LISTENING 2200
[alg.exe]

TCP 192.168.138.1:139 0.0.0.0:0 LISTENING 4
[System]

TCP 192.168.1.1:139 0.0.0.0:0 LISTENING 4
[System]

TCP 192.168.111.1:139 0.0.0.0:0 LISTENING 4
[System]

TCP 127.0.0.1:912 127.0.0.1:1050 ESTABLISHED 1352
[vmware-authd.exe]

TCP 127.0.0.1:912 127.0.0.1:1038 ESTABLISHED 1352
[vmware-authd.exe]

TCP 127.0.0.1:912 127.0.0.1:1039 ESTABLISHED 1352
[vmware-authd.exe]

TCP 127.0.0.1:912 127.0.0.1:1046 ESTABLISHED 1352
[vmware-authd.exe]

TCP 127.0.0.1:912 127.0.0.1:1049 ESTABLISHED 1352
[vmware-authd.exe]

TCP 127.0.0.1:912 127.0.0.1:1047 ESTABLISHED 1352
[vmware-authd.exe]

TCP 127.0.0.1:1038 127.0.0.1:912 ESTABLISHED 2252
[vmware-vmx.exe]

TCP 127.0.0.1:1039 127.0.0.1:912 ESTABLISHED 2012
[vmserverdWin32.exe]

TCP 127.0.0.1:1046 127.0.0.1:912 ESTABLISHED 1372
[vmware-vmx.exe]

TCP 127.0.0.1:1047 127.0.0.1:912 ESTABLISHED 2012
[vmserverdWin32.exe]

TCP 127.0.0.1:1049 127.0.0.1:912 ESTABLISHED 244
[vmware-vmx.exe]

TCP 127.0.0.1:1050 127.0.0.1:912 ESTABLISHED 2012

Next time you’re having connectivity issues or want to do a quick network security audit on a Windows host, remember to check out the netstat command.
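As an added example (not code from the post), the following parses the netstat -nab layout shown above and answers the two questions the troubleshooting story raised: which image owns a given listening port, and which network-reachable listeners have no matching Windows Firewall exception. The sample text is constructed from the post's output, and the exception list is an assumption.

```python
# Added example, not from the post: parse the 'netstat -nab' listing shown above
# and compare the network-reachable listeners against the Windows Firewall
# exceptions you believe are configured. The sample text below is constructed
# from the post's output; the exception list is an assumption.

# Constructed sample in the XP/2003 'netstat -nab' layout: an entry line, an
# optional service name (for svchost-hosted services), then the image name in [].
SAMPLE_NETSTAT = """\
Active Connections

Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 676
RpcSs
[svchost.exe]

TCP 0.0.0.0:902 0.0.0.0:0 LISTENING 1352
[vmware-authd.exe]

TCP 0.0.0.0:8333 0.0.0.0:0 LISTENING 4
[System]

TCP 127.0.0.1:912 127.0.0.1:1050 ESTABLISHED 1352
[vmware-authd.exe]

UDP 0.0.0.0:445 *:* 4
[System]
"""


def parse_netstat_nab(text):
    """Return one dict per socket: proto, local host/port, foreign, state, pid, service, exe."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Active Connections", "Proto ")):
            continue
        parts = line.split()
        if parts[0] in ("TCP", "UDP"):
            if parts[0] == "TCP":
                proto, local, foreign, state, pid = parts
            else:                                   # UDP rows carry no State column
                proto, local, foreign, pid = parts
                state = None
            host, _, port = local.rpartition(":")   # rpartition also copes with [::]:port
            current = {"proto": proto, "local_host": host, "local_port": int(port),
                       "foreign": foreign, "state": state, "pid": int(pid),
                       "service": None, "exe": None}
            entries.append(current)
        elif current is not None and line.startswith("[") and line.endswith("]"):
            current["exe"] = line[1:-1]
        elif current is not None:
            current["service"] = line               # e.g. RpcSs, TermService
    return entries


def listeners(entries):
    """Sockets that accept traffic: LISTENING TCP sockets plus every bound UDP socket."""
    return [e for e in entries if e["state"] == "LISTENING" or e["proto"] == "UDP"]


def owner_of(entries, proto, port):
    """Which image owns a listening port: the question the post answered by hand for 902."""
    for e in listeners(entries):
        if e["proto"] == proto and e["local_port"] == port:
            return e["exe"]
    return None


def uncovered_listeners(entries, firewall_exceptions):
    """Listeners bound to non-loopback addresses that no (proto, port) exception covers.
    Each hit is either an exception you still need, or a listener to disable or block."""
    return [e for e in listeners(entries)
            if e["local_host"] not in ("127.0.0.1", "::1")
            and (e["proto"], e["local_port"]) not in firewall_exceptions]


if __name__ == "__main__":
    parsed = parse_netstat_nab(SAMPLE_NETSTAT)
    print("TCP 902 is owned by", owner_of(parsed, "TCP", 902))
    for e in uncovered_listeners(parsed, {("TCP", 8333)}):   # assumed exception list
        print(f"no exception for {e['proto']}/{e['local_port']} ({e['exe']}, pid {e['pid']})")
```

Run against a saved netstat -nab capture from a real host, every entry the last function prints deserves a decision: add the exception if the service must be reachable, or stop or block the listener if it must not.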

HTH,

Tom


Remember to Renew Your Server Certificates

Almost every company, including Microsoft, has made this slip-up. Today your OWA, OMA, and Exchange ActiveSync remote access solution is working fine, and then the next day, POW!, it’s not working any more. You try to figure out if it’s a problem with the Exchange Server, the firewall, or something else in the network path. Finally, you do some network analysis, check the log files, and realize that the server certificate on the Exchange Server, or on the firewall that is front-ending the Exchange Server, has expired. The fix is as easy as renewing the certificate or getting a new one.

One nice thing about the ISA Firewall is that when you configure it to publish Web servers, such as the Exchange Web services, it generates an alert and sends you a reminder that your certificates are going to expire in the near future. For example, ISA 2004 will start reminding you 45 days in advance, giving you plenty of time to get that certificate renewed and installed on the ISA firewall.

If you haven’t done so already, check all the Web servers that require SSL connections in your company and make a note of when the certificates are due to expire. Then create an Outlook appointment in your calendar to remind you to renew those certificates at least a month in advance. Just this one little planning activity will go a long way toward preventing what can become a major fire drill in your organization.
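The inventory and reminder the post asks for can be scripted instead of kept in a calendar. Here is an added example (not code from the post or from ISA Server) that reviews a list of certificate expiry dates against the 45-day lead time quoted above and flags anything already expired; the inventory, hostnames and review date are constructed, and fetch_not_after() is only for live use against real servers.

```python
# Added example, not from the post or from ISA Server: an expiry review for the
# server certificates behind your published Web services, using the 45-day lead
# time the post quotes for ISA 2004. The inventory, the hostnames and the review
# date are constructed; fetch_not_after() is for live use against real hosts.
import socket
import ssl
from datetime import datetime, timezone

REMINDER_DAYS = 45   # ISA 2004's lead time per the post; the author wants at least a month

# Constructed inventory: service -> notAfter in the format ssl.getpeercert() reports.
SAMPLE_INVENTORY = {
    "owa.example.com (ISA listener)":  "May 20 00:00:00 2008 GMT",
    "mail.example.com (Exchange)":     "Dec 31 23:59:59 2008 GMT",
    "portal.example.com (SharePoint)": "Apr 01 00:00:00 2008 GMT",
}
AS_OF = datetime(2008, 4, 21, 12, 0, tzinfo=timezone.utc)   # constructed review date


def days_until_expiry(not_after, now=None):
    """Whole days until notAfter; negative once the certificate has already expired."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return (expires - now).days


def review(inventory, threshold_days=REMINDER_DAYS, now=None):
    """(name, days_left) for every certificate at or inside the reminder window, soonest first."""
    due = [(name, days_until_expiry(not_after, now)) for name, not_after in inventory.items()]
    return sorted((d for d in due if d[1] <= threshold_days), key=lambda d: d[1])


def fetch_not_after(host, port=443, timeout=5.0):
    """notAfter of the certificate a live server presents (needs network access).
    An already-expired certificate fails verification here, which is the same
    failure the OWA and ActiveSync clients see; the exception message says why."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


if __name__ == "__main__":
    for name, days in review(SAMPLE_INVENTORY, now=AS_OF):
        status = "EXPIRED" if days < 0 else f"{days} days left"
        print(f"{name}: {status}")
```

Point fetch_not_after() at each published listener rather than at the back-end server when the firewall terminates SSL, because that is the certificate the remote clients actually see.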

HTH,

Tom


Is There an Alternative to Reperimeterization? What Will You Tell The Judge?

Last week I had a chance to share my views on the value of reperimeterization with the folks at TechEd Israel, which was held in Eilat. I’m always a bit nervous about discussing reperimeterization because I’ve been talking about the concept for years, and there always seems to be a bit of fear and loathing among the audience when the topic comes up. Why? The issues always seem to revolve around the complexity of setup and maintenance of the reperimeterization solution.

I’ve talked a bit about reperimeterization on this blog. If you haven’t read my previous entries, the concept of reperimeterization has as its goal the logical or physical separation of assets that belong to different “security zones”. Assets that belong to a security zone of lower trust should be logically or physically separated from those of higher trust. Another approach is to separate assets of higher value from those of lower value. The key is to create multiple perimeters, where monitoring, logging and reporting can take place between the perimeters. This provides you an audit and forensics trail in the event that a data breach takes place between any two perimeters.

While the concept makes sense to me and a few others that I’ve shared these ideas with, many others see the process as painfully complex. They say that the complexity of the solution will lead to an increased risk of errors, which could create a serious security problem. My response has always been that the moderate increase in complexity leads to a much greater increase in security, and provides the auditing and reporting that is so critical in an increasingly regulated environment.

In fact, industry regulatory compliance issues may be the most compelling reason to implement a reperimeterization solution. For example, suppose you put together a network based on the old concept of “external untrusted, internal trusted”. This is the most common network security model in use today, and unfortunately it is based on a threat model that was valid almost a decade ago. Today’s network threat model has changed significantly, in that your greatest risk of attack is now from insiders, not from intruders entering your network from the Internet.

Now imagine that your network was attacked from the inside. The File Server on your network was compromised by someone who shouldn’t have had access to that server at all. The file server and the attacker were both on the same “trusted” internal network, so you didn’t have any access controls preventing the attacker from reaching that file server. In addition, the same attacker was able to compromise the SQL server. Again, the SQL server is located on the same “trusted” internal network as the attacker.

Next thing you know you’re in front of the administrative law judge for the FEC or FTC or any other regulatory body to which your company is beholden. The judge just heard from an expert witness who described how a correctly reperimeterized network would have prevented the data breach. You are asked why you hadn’t implemented a reperimeterization plan for your network. Do you think the judge is going to be convinced that “it’s too hard” or “it’s too complex” is a viable answer to why you didn’t do it? I don’t think so.

However, there may be other ways to create a virtual reperimeterization plan. I’ll talk about that in my next blog post. Until then, I’d like you to think about the value of reperimeterization and whether the potential complexity is worth the increased security it can provide your organization.

HTH,

Tom


Catch Up on Microsoft Security at RSA

If you didn’t have a chance to go to RSA, you can still find out a lot about what Microsoft had to offer in the security space by visiting the Microsoft RSA Blogs.

Check out the Microsoft RSA Blogs at:

http://blogs.msdn.com/rsa2008/

HTH,

Tom


The Future of Microsoft Network Security — "Stirling"

Last week Microsoft announced the beta release of its integrated network security solution, code-named Stirling. Stirling will allow you to integrate multiple Microsoft security products in the Forefront line of security solutions. Stirling will tie together information coming from:

  • Forefront Threat Management Gateway (TMG)
  • Forefront Client Security
  • Forefront Security for Exchange
  • Forefront Security for SharePoint

All of these applications monitor various parts of your network and keep their own log files. What if you could gather the information obtained from each of these products and put it in a central location? OK, that would be great, but that’s not enough. What you really want is a product that can take the information gathered by each of these products and respond dynamically to a threat situation. That’s right: the solution should be able to carry out initial incident response procedures when an incident is detected by any of these solutions. Well, that’s what Stirling is all about.

In future postings, I’ll give you some examples of how Stirling and the Forefront suite of security applications can significantly enhance the security of your network by acting as a dynamically responding security solution.

Until then, read up on Stirling at:

http://www.microsoft.com/presspass/features/2007/j...t.mspx

And download your own beta version of Stirling at:

http://technet.microsoft.com/en-us/evalcenter/cc33...9.aspx

I’m telling you now that this is going to be a very hot product and the sooner you get to know how it works and how it will empower you as a security administrator for Microsoft Networks, the better. I’ll make sure we have plenty of articles on Windowsecurity.com so that you’ll get off to a good start!

Thanks!

Tom


Simple Security Policies Any Small to Medium Sized Business Can Use

Large organizations have a number of options when it comes to creating and enforcing security policies. In many cases, large companies will outsource this task and take advantage of templates and procedures that have been highly codified by a company specialized in creating security policies and enabling you to keep track of policy compliance. Smaller companies don’t have this option because of the large capital expenditures required to contract with these large service providers.

However, there is a collection of security policies that any Microsoft shop can put in place that will help improve the overall security posture of any small or medium sized business. For example, consider the following:

  • Make sure that employees keep their Windows operating system, Office applications and other business applications up to date with the latest security updates. Enabling Microsoft Update will automatically make sure that Microsoft applications are updated.
  • Require strong passwords (those that contain numbers, letters, and special characters), but don’t require that employees change them every two weeks: 45 to 90 days is a standard range. You can use the Windows Server 2008 password policies to ensure that passwords are complex and are changed on a regular basis.
  • Make sure your policies are based on the concept of least privilege. Least privilege means that users, and even administrators, have access to the resources they need to get their jobs done, and nothing more.
  • Make sure that your policies include clear statements on the consequences of non-compliance, and confirm that upper management and legal support these statements. There’s no better way to see security policies fail than not backing them up with punitive action when they’re violated.
  • Security requirements will continuously change. Make sure that you schedule a regular review of your security policies, such as twice a year, and update your policy documents as required. During this review you may decide that you need to invest in additional security-related software or hardware, so include budget considerations during these review periods.
  • Different jobs require different levels of access. Make sure that when employees change positions within the company, their access is governed by their current position, not by positions they previously held. You can leverage Active Directory security groups to accomplish this goal.
  • Make sure to deprovision user accounts before a user leaves the company. This helps ensure that a disgruntled former employee isn’t able to leverage his credentials to change, delete or copy data from corporate servers.
  • Insider attacks are the most common and harmful attacks seen on networks today. Often these attacks aren’t malicious, but are due to users having access to information they should not have, or to inadequate access controls on file, Web and database servers. Make sure you conduct a comprehensive review of where your data is stored and who has access to it, and remove access from users who clearly do not need that data in order to do their jobs.
  • Many users will need access to data while out of the office. Make sure you deploy a remote access solution, such as ISA Server 2006 or the Intelligent Application Gateway 2007, that provides secure remote access and enables least-privilege connections for roving users.

By employing just this small group of policies, you’ll find that you have significantly increased the overall security posture of your organization and reduced the risk of data destruction, compromise and loss.

HTH,

Tom


Extended Security Update Inventory Tool

The SMS Extended Security Update Inventory Tool is a scan tool built for the sole purpose of helping security administrators identify SMS client computers that may need security updates which are not detectable using the existing SMS Security Update Inventory Tool, which is built on MBSA.

Like the SMS Software Update Inventory Tool, this tool also includes instructions for locating each applicable update, downloading it from Microsoft, and deploying it using SMS. The SMS Extended Security Update Inventory Tool is built on Enterprise Scan Tool (EST) detection technology. For more information about the exact detection capabilities of EST and how it differs from MBSA, see Microsoft Knowledge Base Article 894193 at http://support.microsoft.com/kb/894193. For more information on the SMS Extended Security Update Inventory Tool, see the user guide and release notes included with the download.

Download the Extended Security Update Inventory Tool at http://www.microsoft.com/downloads/details.aspx?Fa...ang=en

HTH,

Tom


Microsoft US National Security Team Publishes Brilliant Set of White Papers

The Microsoft US National Security Team is composed of strategic security advisors who work with Microsoft customers, partners, MS internal constituencies and the information security industry to promote the adoption of security processes and technologies. The National Security Team also focuses on driving vertical security solutions for a wide range of industries. To this end, the NST has produced a number of white papers that address the specific security needs of particular industries, such as the professional services and financial services industries.

I took a couple of days to go through each of these white papers, and they provide a clarity of thought and actionable guidance for CxO level readers that surpasses just about anything I’ve ever encountered on the Microsoft.com Web site. I also found that these papers are extremely helpful to the Microsoft IT decision maker. Just the sections on MS security technologies and the operational difficulties with outsourcing made the time dedicated to reading these papers a worthwhile investment.

To download these papers, check out:

http://www.microsoft.com/downloads/details.aspx?Fa...ang=en

HTH,

Tom
