Dr. Tom Shinder’s Blog


The 7 Dirty Secrets of the Security Industry?

Another interesting article came up on my radar this week. This article, entitled “7 Dirty Secrets of the Security Industry”, covers what Joshua Corman, principal security strategist for IBM/ISS, says are the 7 secrets that security vendors don’t want you to know. To read the original article, check out http://www.networkworld.com/cgi-bin/mailto/x.cgi?p...s.html

Like most wonks (including myself) he’s more often wrong than right regarding these secrets. To prove this, let’s take a look at each of these:

Antivirus Certifications are misleading. Corman states that “Certification means a product caught 100% of 25% of the bad stuff”. He doesn’t provide any data to back up this claim, but I don’t have any data either, so let’s give this one to him. The data backing up his claim certainly appears to be a secret.

There is no perimeter. Here’s where Corman is dead wrong, as we’ve discussed many times on this site. As we know, there is no “perimeter”; there are multiple perimeters. And using his own words, you’d have to believe in Santa Claus to believe there are no perimeters.

Risk analysis threatens vendors. He essentially is saying that if companies analyze their requirements, they won’t buy security software. He’s right and wrong here. In some cases, companies won’t buy security software after doing a risk analysis. In other, and arguably more frequent cases, companies will do a risk analysis and realize that they do need to purchase security software. So, Corman is half right here, but more importantly, half wrong.

There is more to risk than just weak software. Corman gets an A+ for being right about this one. The weakest link in the security chain is your users’ not complying with computing best practices.

Compliance threatens security. Corman makes a somewhat slippery conclusion that if an organization seeks to comply with industry regulations, they will provide attackers key information about what exactly has been done to secure the network and its data. As we know here at Windowsecurity.com, regulatory guidelines are so vague that any information an intruder might have about your defenses by using those guidelines is worthless. In fact, the entire process of regulatory compliance forces a company to look at their current security posture, and thus overall improves security due to increased awareness and attempts at due diligence. Here again, Corman is wrong.

Vendor blind spots allowed the Storm worm outbreak to happen. The argument Corman makes here is that AV solutions are not perfect, and also they don’t work if you don’t have them installed. What can I say here? Yes, he’s right. But this is no secret.

Security has grown well past do-it-yourself. Corman says that software needs to be installed and configured. Yep, you bet. And your IT staff can do this themselves. Not only is this not a secret, it’s just incorrect. I know hundreds of companies that manage their own security, and do it well. Again, Corman comes out in the Red on this one.

I’m glad Joshua came up with these secrets and gave a talk about them at Interop in Las Vegas this year. I found them very interesting, and clearly he was trying to stir up the crowd. Sometimes when you stir up the crowd you have to mislead them a bit. Just as when P.T. Barnum told his crowd “This way to the egress!”

HTH,

Tom

Thomas W Shinder, M.D.
Site: http://www.isaserver.org/

Blog: http://blogs.isaserver.org/shinder/
GET THE NEW BOOK! Go to 
http://tinyurl.com/2gpoo8
Email: tshinder@isaserver.org
MVP — Microsoft Firewalls (ISA)

There is No Perimeter? NOT.

I read an interesting blog post by Chad Perrin at http://blogs.techrepublic.com.com/security/?p=455&...l.e036

What I found interesting about it is that Chad was trying to correct the misconceptions or the attempt to promulgate misconceptions by software vendors, regarding the issue as to whether there is a “perimeter”. Chad’s argument is that there is “a perimeter, kinda”.

It’s fascinating to me to hear these things, since experts in network security have known for years that there is no such thing as “a perimeter”. The fact is that there are, and have always been, multiple perimeters on computer networks. The problem is that people who aren’t “in the know” still believe in the “education” (née marketing) promulgated by Cisco and other firewall vendors that there is one perimeter — the Internet Edge of the network. This is not true, nor has it ever been true.

Perimeters can be defined in multiple ways, but they always represent a demarcation between security zones. There are multiple ways you can define security zones. For example, you can define a security zone by the level of trust you have in a collection of computer resources, and then place those devices within the same security zone. Or, maybe you should consider your level of mistrust in a collection of computers, based on what the damage would be if one or more of the machines in that collection are compromised. Or you can define your security zones based on the level of trust you have for different levels of users, and define your perimeters based on users inside and outside your organization.

The key issue is that communications moving between your different security zones must cross a perimeter device that does the following:

  • Controls who can cross the perimeter
  • Controls what can cross the perimeter
  • Controls what protocols can cross the perimeter
  • Logs who has attempted access across the perimeter
  • Logs what applications have attempted access across the perimeter
  • Reports on who has accessed what content, using what protocols, at what time and on what day, across the perimeter
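To make the six duties above concrete, here is a small zone-crossing policy engine. It is an added example written for this page, not code from the original post or from any firewall product. The zone names, rules, user names and sample flows are all constructed; the point it shows is default deny between zones, logging of every attempt (allowed or not), and a per-user report of who crossed which perimeter, with what protocol and content, and when.

```python
"""Zone-crossing policy engine: an added illustration, not code from the post.

Models the duties of a perimeter device sitting between two security zones:
control who, what and which protocols may cross, log every attempt, and
report who accessed what over which protocol and when.
Zone names, rules, user names and the sample flows are all constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    users: frozenset      # who may cross; "*" means any user
    protocols: frozenset  # which protocols may cross
    content: frozenset    # what (application/content class) may cross


@dataclass(frozen=True)
class Flow:
    when: datetime
    user: str
    src_zone: str
    dst_zone: str
    protocol: str
    content: str


@dataclass
class PerimeterDevice:
    rules: list
    log: list = field(default_factory=list)  # every attempt, allowed or denied

    def _matches(self, rule, flow):
        return (rule.src_zone == flow.src_zone
                and rule.dst_zone == flow.dst_zone
                and ("*" in rule.users or flow.user in rule.users)
                and flow.protocol in rule.protocols
                and flow.content in rule.content)

    def evaluate(self, flow):
        """Default deny: a flow crosses only if some rule explicitly allows it.
        The attempt is logged whether or not it succeeds."""
        allowed = any(self._matches(r, flow) for r in self.rules)
        self.log.append((flow, "ALLOW" if allowed else "DENY"))
        return allowed

    def report(self):
        """Per-user audit trail: who, which zones, which protocol, what, when."""
        trail = defaultdict(list)
        for flow, verdict in self.log:
            trail[flow.user].append(
                f"{flow.when.isoformat()} {verdict} {flow.src_zone}->{flow.dst_zone} "
                f"{flow.protocol} {flow.content}")
        return dict(trail)


def build_device():
    """Three constructed zones: internet -> dmz -> internal, plus admin RDP into the DMZ."""
    return PerimeterDevice(rules=[
        Rule("internet", "dmz", frozenset({"*"}), frozenset({"https"}), frozenset({"web"})),
        Rule("dmz", "internal", frozenset({"svc_web"}), frozenset({"mssql"}), frozenset({"db"})),
        Rule("internal", "dmz", frozenset({"alice", "bob"}), frozenset({"rdp"}), frozenset({"admin"})),
    ])


def sample_flows():
    """Constructed traffic: three crossings that should pass, two that should not."""
    t0 = datetime(2008, 5, 1, 9, 0, tzinfo=timezone.utc)
    return [
        Flow(t0, "anonymous", "internet", "dmz", "https", "web"),  # allowed
        Flow(t0, "svc_web", "dmz", "internal", "mssql", "db"),     # allowed
        Flow(t0, "svc_web", "dmz", "internal", "smb", "file"),     # wrong protocol and content
        Flow(t0, "mallory", "internal", "dmz", "rdp", "admin"),    # user not in the rule
        Flow(t0, "alice", "internal", "dmz", "rdp", "admin"),      # allowed
    ]


def run_sample():
    """Returns (verdicts, per-user report) for the constructed flows."""
    device = build_device()
    verdicts = [device.evaluate(f) for f in sample_flows()]
    return verdicts, device.report()


if __name__ == "__main__":
    verdicts, report = run_sample()
    print(verdicts)
    for user, lines in report.items():
        print(user)
        for line in lines:
            print("  ", line)
```

The report is the part that matters after a breach: because denied attempts are logged alongside allowed ones, the trail shows not just who got through but who tried, which is what forensics needs from each perimeter.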

Only by recognizing that there are multiple perimeters that must be maintained and monitored will you be able to achieve real access control and the ability to perform accurate forensics in the event that there has been a data breach.

Note that this example includes only network perimeters. There are other perimeters that you need to control. The computer hardware perimeters of the CD/DVD drive and burner, the USB port and the FireWire port all represent hardware perimeters that you need to control.

The data itself also represents a perimeter. You need a way to determine who has accessed the data, who the data was sent to, and who copied or printed the data.

Data security is all about security zones and perimeters. That’s why I always get a laugh when I hear “there is no more perimeter” — that’s right, there never was “a perimeter”; there have always been multiple perimeters.

HTH,

Tom


U.S. Department of Defense Information Assurance Support Portal

Ran across a great site today that contains tons of useful information for the Microsoft Security admin — the U.S. Department of Defense Information Assurance Support portal. Here you can find helpful security information such as Security Technical Implementation Guides (STIGs) for Windows and other operating systems, including so-called “hardware” operating systems.

The portal is located at:

http://iase.disa.mil/index2.html

On the Security Technical Implementation Guides (STIGS) and Supporting Documents page, you’ll find helpful information including:

  • Security Checklists
  • Security Readiness Review Evaluation Scripts
  • Security Technical Implementation Guides (STIGS)
  • DoD General Purpose STIG, Checklist and Tool Compilation CD

If you go to:

http://iase.disa.mil/stigs/stig/index.html

You’ll have direct access to the downloads. If you click the SRRs link, you’ll have access to the Windows Gold Disks, which include tools that you can use to evaluate and configure your environment.

HTH,

Tom


The Windows Server 2008 Security Configuration Wizard

Windows Server 2008 includes the Server Manager, which you can use to install Server Roles and features. One of the major enhancements included with the Windows Server 2008 Server Manager is that when you install roles and features, security best practices are built in and the machine is configured with an optimal security configuration to support the services and features you installed through Server Manager.

So, you’d think there would be no place for the Security Configuration Wizard (SCW) in Windows Server 2008, right? We needed it for Windows Server 2003, since the installation routines for server roles and features didn’t take into account security best practices. But why would we use it in Windows Server 2008?

Well, you can use the Windows Server 2008 Security Configuration Wizard to help keep your server secure by checking for possible vulnerabilities that were introduced after the Server Manager installed the Roles and Features. You can also use the SCW to create policies for roles not installed by using Server Manager (you might have programmatically installed a role or service, which bypasses security best practices).

You can also use SCW to create and apply server security policies when you:

  • Modify the configuration of a default component on a Windows Server 2008-based computer. However, using SCW after modifying a role or feature through Server Manager is not a requirement.
  • Create and apply policy for server roles not installed through Server Manager, such as Microsoft® SQL Server® or Microsoft Exchange Server. SCW includes policies for many roles and features not installed with Server Manager.
  • Define new roles for non-Microsoft applications and create and apply policy for those roles. Run SCW whenever a non-Microsoft application is added or removed. SCW has a public schema for organizations to create new roles.

And remember, the SCW also is tightly integrated with the Windows Advanced Firewall, so it takes care of the inbound and outbound access control rules you need for the firewall.

For more information about the Windows Server 2008 SCW, check out:

http://technet2.microsoft.com/windowsserver2008/en...r=true

HTH,

Tom


Microsoft Publishes Free Secure FTP Server Add On for IIS 7.0

George Ou notes in his blog that Microsoft has recently released a free Secure FTP server for the IIS 7 platform. You can find his post at http://www.formortals.com/Default.aspx?tabid=36&am...yID=39

One thing that I’d like to clarify is a point that George made regarding server certificates. When deploying secure SSL (TLS) servers, you need to install a server certificate. You can use commercial certificates (that you purchase from commercial certificate providers) or you can create your own certificates.

The advantage of using commercial certificates is that the commercial certificate providers have their root CA certificates included with Windows operating systems, which are included in the Trusted Root Certification Authorities user and computer certificate stores. This allows your user account and the machine account to trust the certificates presented to you by the secure server that you’re connecting to.

This solves the problem of the dialog box popping up in the browser indicating that you don’t trust the machine and would you like to continue. In addition, many applications will not present you with a dialog box asking if you would like to connect in spite of not trusting the certificate presented to you by the server; instead, the connection just fails.

It doesn’t matter if the commercial certificate is a “brand name” or something like GoDaddy. What does matter is that the commercial CA’s root certificate is in your clients’ Trusted Root Certification Authorities certificate store.

I checked my Windows XP computer’s Trusted Root Certification Authorities store and found GoDaddy’s CA certificate there, as seen in the figure below. So, your GoDaddy certs are as good as any certificate from VeriSign, since GoDaddy is trusted by your client machines.

In contrast, when you create private certificates, you do so because you do NOT want unmanaged machines to connect to your secure resources. In order to trust your private CAs, you have to use other mechanisms, such as Active Directory and Enterprise CAs and autoenrollment.

HTH,

Tom


Good Article on Installing Hyper-V

Tarek Majdalani (known by his friends as Elmajdal) has put up a great article on how to install Hyper-V on a Windows Server 2008 machine. Part 1 is up now, and part 2 should be up sometime next week.

While not strictly a security issue, I think you’ll enjoy Tarek’s articles. He shares my passion for including screenshots with articles, which makes them a lot more fun than reading a bunch of words and trying to figure out command line arguments :)

Check it out at:

http://www.elmajdal.net/Win2k8/Installing_Hyper-V_...I.aspx

HTH,

Tom


SMB2 Parser Now Available for Network Monitor 3.1

One of your key skills as a Microsoft network security admin is to be able to read network traces. In order to read network traces, you need a way to obtain them. One of the best (and free) network analysis tools available today is the Microsoft Network Monitor. No, I’m not talking about the old Network Monitor included with versions of Systems Management Server (SMS). I’m talking about the new, standalone version, Network Monitor 3.x.

However, you need more than just a network analysis tool. You need parsers that the tool can use to translate the protocols that you’re sniffing. The latest version of SMB, SMB2, hasn’t had a parser for Network Monitor. That is, until now.
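What a protocol parser actually does for a trace reader is turn raw bytes into named fields. As an added illustration (not Microsoft’s NetMon parser and not code from this post), here is a minimal decoder for the fixed 64-byte SMB2 header and the direct-TCP transport framing used on port 445, following the field layout in the public [MS-SMB2] specification. The sample segment is constructed: a compound CREATE request chained to a related CLOSE, both carrying the SIGNED flag.

```python
"""Minimal SMB2 header decoder: an added example, not Microsoft's NetMon parser.

SMB2 over TCP port 445 prefixes each message with a 4-byte direct-TCP header
(one zero byte, then a 24-bit big-endian length), followed by the fixed
64-byte SMB2 header whose layout is given in the public [MS-SMB2] spec.
The sample segment below is constructed for illustration.
"""
import struct

SMB2_MAGIC = b"\xfeSMB"
COMMANDS = {
    0x00: "NEGOTIATE", 0x01: "SESSION_SETUP", 0x02: "LOGOFF", 0x03: "TREE_CONNECT",
    0x04: "TREE_DISCONNECT", 0x05: "CREATE", 0x06: "CLOSE", 0x07: "FLUSH",
    0x08: "READ", 0x09: "WRITE", 0x0A: "LOCK", 0x0B: "IOCTL", 0x0C: "CANCEL",
    0x0D: "ECHO", 0x0E: "QUERY_DIRECTORY", 0x0F: "CHANGE_NOTIFY",
    0x10: "QUERY_INFO", 0x11: "SET_INFO", 0x12: "OPLOCK_BREAK",
}
FLAGS = {0x1: "SERVER_TO_REDIR", 0x2: "ASYNC_COMMAND", 0x4: "RELATED_OPERATIONS", 0x8: "SIGNED"}

# ProtocolId(4) StructureSize(2) CreditCharge(2) Status(4) Command(2) Credits(2)
# Flags(4) NextCommand(4) MessageId(8) Reserved(4) TreeId(4) SessionId(8) Signature(16)
_HDR = struct.Struct("<4sHHIHHIIQIIQ16s")  # 64 bytes, little-endian


def parse_header(buf, offset=0):
    """Decode one SMB2 header at buf[offset:] into a dict of named fields."""
    if len(buf) - offset < _HDR.size:
        raise ValueError("truncated SMB2 header")
    (magic, size, charge, status, cmd, credits, flags, nxt,
     mid, _reserved, tid, sid, sig) = _HDR.unpack_from(buf, offset)
    if magic != SMB2_MAGIC:
        raise ValueError("not an SMB2 header: %r" % magic)
    if size != 64:
        raise ValueError("bad StructureSize %d" % size)
    hdr = {
        "command": COMMANDS.get(cmd, "UNKNOWN_0x%04X" % cmd),
        "response": bool(flags & 0x1),
        "flags": sorted(name for bit, name in FLAGS.items() if flags & bit),
        "signed": bool(flags & 0x8),
        "status": status, "credit_charge": charge, "credits": credits,
        "message_id": mid, "session_id": sid, "next_command": nxt,
        "signature": sig.hex(),
    }
    if flags & 0x2:  # async header: AsyncId(8) replaces Reserved(4)+TreeId(4)
        hdr["async_id"] = struct.unpack_from("<Q", buf, offset + 32)[0]
    else:
        hdr["tree_id"] = tid
    return hdr


def parse_direct_tcp(segment):
    """Split one direct-TCP transport unit into its (possibly compounded) SMB2 messages."""
    if len(segment) < 4 or segment[0] != 0:
        raise ValueError("bad direct-TCP transport header")
    length = int.from_bytes(segment[1:4], "big")
    body = segment[4:4 + length]
    if len(body) != length:
        raise ValueError("transport length %d exceeds data" % length)
    messages, offset = [], 0
    while True:
        hdr = parse_header(body, offset)
        messages.append(hdr)
        if hdr["next_command"] == 0:
            break
        offset += hdr["next_command"]  # NextCommand is relative to this header
    return messages


def build_message(command, flags=0, message_id=0, session_id=0, tree_id=0,
                  body=b"", next_command=0):
    """Assemble header plus body; used only to construct the sample below."""
    hdr = _HDR.pack(SMB2_MAGIC, 64, 1, 0, command, 1, flags, next_command,
                    message_id, 0, tree_id, session_id, b"\x00" * 16)
    return hdr + body


def sample_segment():
    """Constructed compound request: a signed CREATE chained to a related, signed CLOSE."""
    first = build_message(0x05, flags=0x8, message_id=7, session_id=0x1122, tree_id=3,
                          body=b"\x39\x00" + b"\x00" * 6, next_command=72)  # 64 + 8-byte body
    second = build_message(0x06, flags=0x4 | 0x8, message_id=8, session_id=0x1122,
                           tree_id=3, body=b"\x18\x00" + b"\x00" * 6)
    payload = first + second
    return b"\x00" + len(payload).to_bytes(3, "big") + payload


if __name__ == "__main__":
    for msg in parse_direct_tcp(sample_segment()):
        print(msg["command"], "mid=%d" % msg["message_id"], msg["flags"])
```

Once the header is decoded this way, a trace reader can answer the questions that matter for security review, for example whether a session’s messages carry the SIGNED flag at all, or which session and tree a particular CREATE belongs to, without reading hex by hand.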

Download your new parser for NetMon 3.1 at:

http://blogs.technet.com/netmon/archive/2008/05/06...1.aspx

HTH,

Tom


Two Great Tastes that Taste Great Together: NAP and Forefront Client Security

You know about Network Access Protection (NAP). It’s the new Windows Server 2008 technology that allows you to control what hosts are allowed to connect to your network based on the security configuration of the client systems that try to connect to your network. If the client can’t pass the NAP tests, then it’s not allowed to communicate with hosts on your network, except for those you have allowed it to connect to so that it can remediate.

Forefront Client Security (FCS) is an enterprise grade anti-malware solution that provides for centralized management of malware detection and prevention that also gives you enterprise security status reporting.

Wouldn’t it be great if you could have these two technologies work together? Work together so that you can establish a system health policy that NAP uses to determine whether client computers that run Forefront Client Security comply with the policy before they are allowed access to network resources? Yes it would!

If you agree, then check out the Microsoft Forefront Integration Kit for Network Access Protection at http://blogs.technet.com/secguide/archive/2008/03/...n.aspx

The benefits of the solution include:

  • Boosts security.  The Kit strengthens your malware defenses by integrating two key Microsoft security technologies: Forefront Client Security and Network Access Protection.
  • Saves time and reduces IT costs.  The Kit’s system health validator (SHV) allows you to quickly establish health policies for Forefront Client Security installations on all network clients. The system health agent (SHA) automatically monitors the health of these installations network-wide, and remediates problems—freeing up scarce IT resources for other tasks.
  • Easy to deploy.  You can install and configure the Kit in just a couple of hours.  
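To show how the SHA/SHV split described above works in practice, here is a toy system health validator for an anti-malware client. It is an added example, not code from the Forefront Integration Kit or from this post: the client-side agent (SHA) reports a health statement, the server-side validator (SHV) compares it with policy, and a non-compliant client is placed in restricted access with a list of remediation steps. The field names, thresholds, remediation actions and sample clients are all constructed.

```python
"""Toy NAP system health validator for an anti-malware client.

Added example, not the Forefront Integration Kit's own code. The SHA on
each client reports a health statement; the SHV on the NAP server checks
it against policy; non-compliant clients get restricted access plus the
remediation steps to perform. All names, thresholds and sample clients
are constructed.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class HealthStatement:      # what the client-side agent (SHA) reports
    client: str
    am_installed: bool
    realtime_protection: bool
    signature_date: date
    last_scan_date: date


@dataclass(frozen=True)
class HealthPolicy:         # what the server-side validator (SHV) enforces
    max_signature_age_days: int = 3
    max_scan_age_days: int = 7


# Each policy failure maps to the remediation step the SHA is told to perform.
REMEDIATION = {
    "client_missing": "install anti-malware client from remediation server",
    "realtime_off": "re-enable real-time protection",
    "signatures_stale": "pull latest definitions from remediation server",
    "scan_overdue": "run a full scan",
}


def validate(stmt, policy, today):
    """Return the list of policy failures; an empty list means compliant."""
    if not stmt.am_installed:
        return ["client_missing"]  # nothing else can be evaluated without the client
    failures = []
    if not stmt.realtime_protection:
        failures.append("realtime_off")
    if (today - stmt.signature_date).days > policy.max_signature_age_days:
        failures.append("signatures_stale")
    if (today - stmt.last_scan_date).days > policy.max_scan_age_days:
        failures.append("scan_overdue")
    return failures


def decide(stmt, policy, today):
    """NAP-style decision: full access if compliant, else restricted access and remediation."""
    failures = validate(stmt, policy, today)
    return {
        "client": stmt.client,
        "access": "full" if not failures else "restricted",
        "failures": failures,
        "remediation": [REMEDIATION[f] for f in failures],
    }


def sample_decisions(today=date(2008, 5, 20)):
    """Constructed health statements from four clients, evaluated against the default policy."""
    policy = HealthPolicy()
    clients = [
        HealthStatement("pc-healthy", True, True, date(2008, 5, 19), date(2008, 5, 18)),
        HealthStatement("pc-stale", True, True, date(2008, 5, 10), date(2008, 5, 18)),
        HealthStatement("pc-rtp-off", True, False, date(2008, 5, 19), date(2008, 5, 1)),
        HealthStatement("pc-bare", False, False, date(2000, 1, 1), date(2000, 1, 1)),
    ]
    return {c.client: decide(c, policy, today) for c in clients}


if __name__ == "__main__":
    for name, verdict in sample_decisions().items():
        print(name, verdict["access"], verdict["remediation"])
```

The design choice worth noting is that the validator returns every failure rather than stopping at the first one, so the agent can remediate in a single pass instead of bouncing between the restricted network and re-evaluation.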

HTH,

Tom


Securing Information from Legal Intruders

I ran across an interesting blog post over at http://www.crunchgear.com/2008/05/05/locking-down-...e-tsa/ which refers to ways to protect information on a laptop that might be examined by customs agents. As you might know, as a US citizen, your Constitutional Rights do not apply when you’re going through customs. No, this has nothing to do with the Patriot Act, or George Bush or anything you might want to think it’s due to — it’s always been this way.

While the blog post is more focused on how criminals can hide their illegal data from the authorities, there’s a more important question to be concerned with here. Suppose you carry a laptop for your business, and you and your company have clearance to access classified government information. You keep some of that information on your laptop. The customs agent asks to view the contents of your laptop. What should you do? The customs agent does not have your clearance level and therefore must not see that information.

You could try to explain your situation, but that’s not likely to help and most likely would raise the agent’s attention and make him even more interested in the data on your hard disk. Now you’re truly between a rock and a hard place — you’ll get nailed for not cooperating with the customs agent, and you’re going to get nailed by the Federal Agency that you’re working with for exposing classified information to someone without the required clearance.

The same is true even if you’re not working with the government. You could be working in the financial services sector and have information that will impact millions or billions of dollars in the markets. If that information is on your laptop and the agent inspects the contents of your laptop, that agent now has information that can be sold on the gray or black markets that could put your company, and many others’, at risk.

What should you do? My best advice for you is to never put sensitive information on a laptop. That’s what I do. Laptops are lost and stolen too frequently to make it worth taking a chance on sensitive information being lost due to misplacing my laptop.

However, there are other ways to gain access to sensitive information other than just looking at file contents on the laptop. How about your mail account? I’m sure you saved your user name and password in Outlook so that you won’t have to enter it every time. Now the agent has access to your email account and all the private data contained therein.

Also, you might have a VPN connectoid configured to save your user name and password. Now the agent has access to your entire network and any data that you’re authorized to access there. Now, that can become a very interesting situation.

The VPN and email solutions are easy. Don’t save your passwords. It always shocks me when security admins give in and allow users to save their email passwords locally on a laptop. But too often ease of use (laziness) trumps security.

For those of you who don’t want to type passwords, there is a solution. For your laptop, just allow the base operating system to be installed. Then, create a virtual machine and place it on a high capacity SD card or USB key. Install all of your applications and files on the virtual machine. Then install VMware or Virtual PC on the laptop. Place the removable media into the laptop, start the virtual machine, and go to town! All data and passwords and other information is saved to the VM. When you shut down the VM and pull the media, no trace is left on the laptop.

Since customs is only interested in your laptop, all they’re going to see is Windows XP or Vista in an out of the box configuration.

HTH,

Tom


How Microsoft IT Secures Mobile Devices

As an MS security admin, you know that probably your biggest challenge today is securing mobile devices. There are the versions of Windows Mobile, the Blackberry, the iPod, and the other phones that are waiting to connect to your network.

Some of these devices are built with security in mind and support multiple methods that can be used to secure the configuration of the device, secure the data on the device, and secure the connections that the device makes to your corporate network. Other devices aren’t so focused on security and are more focused on “cool”. But regardless of the device, you can be sure that your users are going to ask you to “hook them up”.

In the past you could have told them “no”. But this is getting to be less of an option as these devices are becoming increasingly pervasive. The boss sets the tone. He’s got the cool new Windows Mobile 6 Samsung i760, then a VP comes in with an iPod, and then another senior exec wants the Blackberry to work. Then there’s the mobile sales force, the various network and application admins who don’t want to have to carry a laptop around everywhere.

So how do you do it? Why not learn from the best? Microsoft is well known for giving its users relatively free rein over the network, so it’s no surprise that they go out of their way to allow users network access using mobile devices. Join this webcast and find out how Microsoft IT is enabling their mobile workforce via the deployment of the Windows Mobile platform. Microsoft IT fully integrates Windows Mobile features and applications with both established hardware and infrastructure, and future plans support master security policy migrations, such as complete two-factor authentication operations.

You can find the Webcast at: http://msevents.microsoft.com/CUI/WebCastEventDeta...ode=US

HTH,

Tom

