Dr. Tom Shinder’s Blog

Archive: April 2008

Use a Secure Password Policy to Prevent Password Compromise

One area of security where you can make a big difference is in setting a secure password policy for your company. Password policy matters because, unlike a simple denial of service attack, which takes a service offline for a while, a compromised password lets the attacker impersonate the legitimate user and exercise all of that user's rights and permissions. If the user happens to be a highly privileged account, the potential for disaster is high.

There are some things that you can do to help prevent compromised passwords in your firm:

  • Make sure that users use passwords long enough to thwart brute-force attacks. Length is the single biggest factor, because the number of guesses an attacker must try grows exponentially with every added character. The required length can depend on the type of user, but even a low-privileged user should have at least 8 characters (a 6 character lowercase password has only about 309 million possibilities and falls in seconds), while an admin should be required to use a password of at least 15 characters
  • Force users to use passwords from different character sets. A password made only of lower case letters is easy to break, since each position has just 26 possibilities. Adding upper case letters doubles the alphabet, and adding digits and symbols grows it further; for a given length the keyspace is (alphabet size) to the power of (length), so a larger alphabet pays off on every character. Force users to use at least two character sets when creating passwords
  • Make sure that users do not use passwords contained in a hacking dictionary, that is, a wordlist of common and previously leaked passwords that crackers try first. Blocking these forces attackers to fall back on slower brute-force methods. The built-in complexity check does not do this, so you will need to scan your password database and use a special tool, such as nFront, to make this kind of check
  • To be even more effective, reject passwords that are variations of dictionary entries: a word with characters substituted (P@ssw0rd), digits or symbols tacked on the ends, or several dictionary words glued together, such as password@password@mom. Crackers apply exactly these mutations to their wordlists, so such passwords are only marginally better than the bare word. Again, a scan of your password database with a tool that searches for these patterns is needed to confirm that you don't have users relying on these easy to crack passwords
  • Rainbow tables can very quickly crack LM hashes, and Windows stores an LM hash for any password of 14 or fewer characters. The LM algorithm upper-cases the password and hashes it as two independent 7 character halves, which is why it is so weak. For this reason, turn off LM hash storage (the "Network security: Do not store LAN Manager hash value on next password change" policy, which sets the NoLMHash value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa) and make sure that high value users use passwords of at least 15 characters, for which no LM hash can be stored at all. All administrators and C-level employees should have passwords of at least 15 characters. Note that the setting only takes effect when a password is next changed, so force a password change after enabling it
  • Guard against cached log ons on workstations. By default, Windows clients keep a verifier for the last 10 domain log ons so that users can still log on when no domain controller is reachable; an attacker who gains local admin rights on the workstation can dump these verifiers and crack them offline. You can lower or disable the cache with the "Interactive logon: Number of previous logons to cache" policy (the CachedLogonsCount value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon; 0 disables caching for workstations that always reach a DC). In addition, avoid logging on as a domain admin on workstations, which are more likely to be compromised than servers, so that domain admin credentials are never cached on those machines
  • Also, do not give users local admin rights on their machines. Reading the SAM and the cached domain credentials requires local admin (SYSTEM) access, so a user, or malware running as that user, without those rights cannot harvest credentials from the cache
  • Encourage users to use "passphrases", which are simply long passwords that mean something to the user. For example, users can remember long passwords such as "My first Elementary School was Santa Monica School for the Gifted and Rich in Santa Monica, California, 90250". That is very long, but still shorter than the 127 character limit in Windows XP and later versions of Windows (in fact, Windows 2000 already supported passwords this long). Of course, passwords of this length are more prone to typos, but you get the idea.

Those are just a few things you can do to make a more secure password policy. To enforce password policies, you can use the built-in Windows Server 2008 tools: the domain password policy in Group Policy and, new in Windows Server 2008, fine-grained password policies that let you apply a stricter policy (for example, the 15 character minimum) to administrators only. However, the built-in complexity setting only requires three of five character categories and does no dictionary checking at all, so it is limited in enforcing the type of password complexity and protection against dictionary attacks described above. For more robust password policy support, you might want to consider tools such as nFront from www.nfrontsecurity.com
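The checks in the list above, written out as a small password policy checker. This is an added example, not code from the original post and not nFront's product. The account tiers, the minimum lengths, the leet substitution table and the tiny stand-in "hacking dictionary" are all assumptions constructed for the example; a real deployment would load a full leaked-password wordlist. The dictionary test undoes the usual cracker mutations (case, character substitution, digits or symbols at the ends) and then asks whether what is left can be split entirely into dictionary words, which is what catches password@password@mom.

```python
"""Password policy checker: length by tier, character sets, dictionary variants, LM exposure.

Added example, not code from the original post and not nFront's product.
Tiers, lengths, leet map and the mini dictionary are constructed assumptions.
"""
import re
import string

# Constructed stand-in for a hacking dictionary (real ones hold millions of entries).
HACKING_DICTIONARY = {"password", "letmein", "welcome", "qwerty", "admin", "mom", "monkey"}

# Assumed minimum length per account tier; admins get 15 so no LM hash can exist.
MIN_LENGTH = {"standard": 8, "admin": 15}

# Common character substitutions that crackers undo before dictionary matching.
LEET_MAP = str.maketrans({"@": "a", "$": "s", "!": "i", "0": "o", "1": "l",
                          "3": "e", "4": "a", "5": "s", "7": "t"})


def count_character_sets(password: str) -> int:
    """Number of distinct character classes used: lower, upper, digit, other."""
    classes = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(test(c) for c in password) for test in classes)


def segmentable(text: str, dictionary) -> bool:
    """True if text can be split entirely into dictionary words (e.g. 'passwordmom')."""
    reachable = [True] + [False] * len(text)
    for end in range(1, len(text) + 1):
        reachable[end] = any(reachable[start] and text[start:end] in dictionary
                             for start in range(end))
    return reachable[len(text)]


def dictionary_variant(password: str, dictionary=HACKING_DICTIONARY) -> bool:
    """True if the password is a dictionary word or a simple mutation of one:
    case changes, leet substitutions, digits/symbols added at the ends, or
    several dictionary words glued together (password@password@mom)."""
    lowered = password.lower()
    # Try both the raw password and one with leading/trailing digits and symbols removed.
    bases = {lowered, lowered.strip(string.digits + string.punctuation)}
    for base in bases:
        for candidate in (base, base.translate(LEET_MAP)):
            letters = re.sub(r"[^a-z]", "", candidate)
            if letters and segmentable(letters, dictionary):
                return True
    return False


def evaluate(password: str, tier: str = "standard", lm_hashes_stored: bool = False) -> list:
    """Return the list of policy violations; an empty list means the password passes.
    Pass lm_hashes_stored=True for a domain that has not yet enabled NoLMHash."""
    problems = []
    if len(password) < MIN_LENGTH[tier]:
        problems.append("too_short")
    if count_character_sets(password) < 2:
        problems.append("too_few_character_sets")
    if dictionary_variant(password):
        problems.append("dictionary_variant")
    # Windows can only store an LM hash for passwords of 14 or fewer characters.
    if lm_hashes_stored and len(password) <= 14:
        problems.append("lm_hash_exposed")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords, including the post's own bad example and passphrase.
    samples = [
        ("password@password@mom", "standard"),
        ("P@ssw0rd1", "standard"),
        ("Summer2008!", "admin"),
        ("My first Elementary School was Santa Monica School for the Gifted and Rich", "admin"),
    ]
    for pw, tier in samples:
        print(f"{tier:8} {pw[:30]!r:34} -> {evaluate(pw, tier, lm_hashes_stored=True) or 'OK'}")
```

One caveat on the dictionary test: with a real wordlist containing ordinary English words, the segmentation check would also reject a passphrase built from common words, so in practice you would either exempt passwords above a generous length or require a minimum number of segments rather than rejecting any full match.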

Thomas W Shinder, M.D.
Site: http://www.isaserver.org/

Blog: http://blogs.isaserver.org/shinder/
GET THE NEW BOOK! Go to 
http://tinyurl.com/2gpoo8
Email: tshinder@isaserver.org
MVP — Microsoft Firewalls (ISA)

Secure Your Office Applications with the Office 2007 Security Guide

I spend a lot of time in this blog talking about server and client OS security. However, there’s a lot more to security than just the server and client operating systems. OK, we also spend a lot of time on network security. But outside of network and OS security what else is there? Application Security. While great strides have been made at increasing OS and network security, application security is improving more slowly. That’s why many of the most effective attacks today are not targeted at the network or OS, but at the networked applications running on the operating system.

One exception to this is Office 2007. Office 2007 applications were developed using the Security Development Lifecycle (SDL), so they were designed with security in mind from the ground up: old code was reviewed, triaged and rewritten as required, and new features were built with security work at each phase of development. In addition to the SDL process, Office 2007 follows the SD3+C principles: secure by design, secure by default, secure in deployment, and communications, meaning open channels to ensure ongoing security support and updating.

To help with the secure-in-deployment part, Microsoft has created the Office 2007 Security Guide. This guide shows you how to securely deploy Office, how to make the best use of the security features in Office 2007 applications, and how to take advantage of the Office 2007 Group Policy extensions to scale your Office 2007 application security.

Check out the Office 2007 Security Guide at:

HTH,

Tom


Check out the New External Collaboration Toolkit for SharePoint

Every day, organizations collaborate on key projects with external business partners across the Internet. These project teams regularly share important documents that might contain intellectual property or other information that should be kept secure. Unfortunately, for many organizations the only option is to collaborate over e-mail, which is both inefficient and often not a secure method of collaboration.

The External Collaboration Toolkit for SharePoint is intended to help address this situation. It consists of software and guidance that will help you to deploy a customizable solution built on Microsoft Windows SharePoint Services 3.0 or Microsoft Office SharePoint Server 2007 that teams can use to collaborate securely with partners outside the firewall. The toolkit’s familiar SharePoint interface makes the solution easy for project team members to understand and use.

For more information about the External Collaboration Toolkit for SharePoint, check out: http://technet.microsoft.com/en-us/library/cc268155.aspx

HTH,

Tom


The Future of Network Security Coming to Your Door Soon

One of the most difficult issues in network security is how to discover that a security incident has taken place and then how to respond to it in a timely manner. For example, a common situation is that a client system is infected with a piece of malware and no system is in place that tells you the client has the malware installed. Instead, you might have to wait until a full scan of that machine takes place, perhaps weekly, and then hope the user tells you the results of that scan. Or, if you have an enterprise solution in place, a centralized reporting console tells you that the machine has a malware infection. In that case, you still have to do a lot of manual work to find out who the logged on user was when the machine was infected, how the infection might have taken place, and what the malware might have done to that machine and to other machines during the course of the infection. There is a lot of administrator overhead in this scenario.

But what if you had a solution that was actually able to inform you that a machine is exhibiting suspicious behavior? For example, your firewall receives a port scan from a computer it has never received a port scan from before. Your firewall could find out the FQDN of the machine that issued the port scan, the name of the process on that machine that issued it, the user logged on when the suspicious behavior began, and then even take action such as preventing that machine from connecting to the network until you take the administrative step of allowing it back on.

This kind of proactive monitoring scenario offers you some significant advantages. The major advantage is that you as the security administrator are not really concerned with the technology that detected the possible security issue. What you're concerned with is the fact that a machine is showing behavior consistent with malware compromise and that action needs to be taken to limit the damage that machine can do to other machines on the network and the possible information leakage from the compromised machine. All of this can be taken care of for you via policy, giving you time to look into the details of the situation later to see what happened.
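The detect, enrich and act workflow described above, as an added example run over a constructed firewall log. It is not the product the post previews and not Tom Shinder's code: the log line format, the scan threshold, the baseline of hosts that are expected to scan, and the endpoint inventory used for enrichment (what an endpoint agent would report in a real deployment) are all assumptions made up for the example.

```python
"""Detect a port scan from a never-before-seen source, enrich it, and apply a quarantine policy.

Added example of the workflow described in the post, not the product it previews.
Log format, threshold, known-scanner baseline and inventory are constructed assumptions.
"""
from collections import defaultdict
import re

# Constructed firewall log format: "<time> <action> <src_ip> -> <dst_ip>:<dst_port>"
LINE_RE = re.compile(r"^(?P<time>\S+) (?P<action>ALLOW|DROP) (?P<src>\S+) -> (?P<dst>[^:]+):(?P<port>\d+)$")

# Assumed policy: this many distinct dropped destination ports from one source to one host is a scan.
SCAN_THRESHOLD = 10

# Constructed baseline: hosts that are expected to scan (for example, the vulnerability scanner).
KNOWN_SCANNERS = {"10.0.0.200"}

# Constructed endpoint inventory standing in for what an endpoint agent would report.
INVENTORY = {
    "10.0.0.5": {"fqdn": "ws-0042.corp.example", "user": "CORP\\jdoe", "process": "svchost_update.exe"},
    "10.0.0.200": {"fqdn": "vulnscan.corp.example", "user": "CORP\\svc-scan", "process": "scanner.exe"},
}


def parse_line(line: str):
    """Parse one log line into a dict, or return None if it does not match the format."""
    match = LINE_RE.match(line.strip())
    return match.groupdict() if match else None


def detect_port_scans(lines, threshold: int = SCAN_THRESHOLD) -> dict:
    """Map (src, dst) -> set of distinct dropped ports, for pairs that reached the threshold."""
    ports = defaultdict(set)
    for line in lines:
        event = parse_line(line)
        if event and event["action"] == "DROP":
            ports[(event["src"], event["dst"])].add(int(event["port"]))
    return {pair: seen for pair, seen in ports.items() if len(seen) >= threshold}


def triage(scans: dict, known_scanners=KNOWN_SCANNERS, inventory=INVENTORY) -> list:
    """Enrich each scan with FQDN, logged-on user and process, then decide the policy action."""
    incidents = []
    for (src, dst), seen in scans.items():
        details = inventory.get(src, {"fqdn": "unknown", "user": "unknown", "process": "unknown"})
        first_seen = src not in known_scanners
        incidents.append({
            "src": src, "dst": dst, "ports": len(seen), "first_seen": first_seen,
            **details,
            # Quarantine only sources that have never scanned before; known scanners pass.
            "action": "quarantine" if first_seen else "allow_known_scanner",
        })
    return incidents


def build_sample_log() -> list:
    """Constructed log: a new host probing 25 ports, the vuln scanner probing 30, plus noise."""
    new_host = [f"08:00:{i:02d} DROP 10.0.0.5 -> 10.0.1.10:{port}" for i, port in enumerate(range(20, 45))]
    scanner = [f"09:00:{i:02d} DROP 10.0.0.200 -> 10.0.1.10:{port}" for i, port in enumerate(range(1, 31))]
    noise = ["08:00:30 DROP 10.0.0.9 -> 10.0.1.10:445",
             "08:00:31 ALLOW 10.0.0.7 -> 10.0.1.10:80",
             "garbage line the parser must skip"]
    return new_host + scanner + noise


def run(lines=None) -> list:
    """End-to-end: detect scans in the log (the sample log by default), then triage them."""
    return triage(detect_port_scans(lines if lines is not None else build_sample_log()))


if __name__ == "__main__":
    for incident in run():
        print(incident)
```

The point of the baseline set is the "never received a port scan from before" condition in the post: a scan from the vulnerability scanner is still detected and recorded, but only a first-seen source triggers the quarantine action, so the policy does not knock your own tools off the network.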

Next week I'm going to describe a solution that does all of this. And from what I understand, there is no other security solution in the world that can so quickly and elegantly provide it. It's an exciting time to be in the security business, so stay tuned for more!

HTH,

Tom


