Dr. Tom Shinder’s Blog

Archive: June 2008

The Microsoft IT Security Process Map

Designed to help IT pros navigate the ever-changing security threat landscape, these pages map online resources to specific challenges involved with planning and evaluating an organization’s core IT infrastructure.

I’ve found this extremely useful in evaluating what technologies I have at hand in implementing my Microsoft defense in depth infrastructures.

Check it out at:

http://technet.microsoft.com/en-us/security/cc4519...7.aspx

HTH,

Tom

Thomas W Shinder, M.D.
Site: http://www.isaserver.org/

Blog: http://blogs.isaserver.org/shinder/
GET THE NEW BOOK! Go to 
http://tinyurl.com/2gpoo8
Email: tshinder@isaserver.org
MVP — Microsoft Firewalls (ISA)

Defense in Depth Security Series

I harp on the issue of defense in depth on this blog on a regular basis. The reason for this is to make it clear to everyone who reads me regularly that there are no magic bullets when it comes to security. You have to take a multilayer approach and then adjust your plan given the relative successes and failures you’re experiencing. You can’t ever let your guard down; you need to stay one step ahead of the bad guys, because they’re always nipping at your heels.

To help you get that job done, Kai Axford has put together a great defense in depth Webcast series that no Microsoft security administrator should do without. It’s an eight part series and each part is worth watching at least twice.

Here are the links to the series Webcasts:

TechNet Webcast: 2008 Defense in Depth Security Series (Part 1 of 8): Why Does Security Matter? (Level 200)

TechNet Webcast: 2008 Defense in Depth Security Series (Part 2 of 8): All Bark and No Bite (Level 200)

TechNet Webcast: 2008 Defense in Depth Security Series (Part 3 of 8): Gates, Guards, and Guns (Level 200)

TechNet Webcast: 2008 Defense in Depth Security Series (Part 4 of 8): Living on the Edge (Level 200)

TechNet Webcast: 2008 Defense in Depth Security Series (Part 5 of 8): Keeping Your House in Order (Level 200)

TechNet Webcast: 2008 Defense in Depth Security Series (Part 6 of 8): Save the Box, Save the Network (Level 200)

TechNet Webcast: 2008 Defense in Depth Security Series (Part 7 of 8): If You Build It (Securely), They Won’t Come (Level 200)

TechNet Webcast: 2008 Defense in Depth Security Series (Part 8 of 8): If a Terabyte Falls in the Middle of the (Active Directory) Forest (Level 200)

HTH,

Tom


TechNet Webcast: How Microsoft IT Uses Forefront Client Security (Level 300)

Microsoft IT has deployed Microsoft Forefront Client Security on approximately 50,000 computers. In this webcast, we examine Microsoft IT’s experience with Forefront Client Security and discuss the architectural considerations that Microsoft IT made when deploying Forefront Client Security within Microsoft.

Presenter: Shawn Travers, IT Pro Evangelist, Microsoft Corporation

Shawn Travers has presented more than 500 live events to more than 25,000 IT professionals, partners, and resellers. As a Certified Information Systems Auditor (CISA) and Certified Information Systems Security Professional (CISSP), Shawn enjoys playing with new technologies; however, he finds helping other IT professionals solve problems and tackle unfamiliar products the most rewarding part of his job.

To register and view the recorded Webcast, please visit:

http://msevents.microsoft.com/CUI/WebCastEventDeta...ode=US

HTH,

Tom

TechNet Webcast: IAG 2007 in Under an Hour (Level 300)

Join us to learn everything you need to know about remote access and how the Microsoft Intelligent Application Gateway (IAG) provides a highly customizable and easy-to-use solution for secure remote access for all users. We go through key customer scenarios, IAG features and functionality, and the future road map. The IAG product stands out in the Secure Sockets Layer (SSL) virtual private network (VPN) market for its focus on strong policy management, endpoint security, and application optimization.

Presenter: Pradeep Bethi, Technical Solution Professional; Microsoft Corporation

Register and view the recorded Webcast at:

http://msevents.microsoft.com/CUI/WebCastEventDeta...ode=US

HTH,

Tom


Renaming the Administrator Account — Useful Security through Obscurity

Security through obscurity is a legitimate part of a defense in depth plan, as long as it is one layer and not the whole plan. For example, many security-conscious organizations do not publish RDP servers on the default RDP port of TCP 3389. Instead, they use another high-numbered port that is far less likely to be hit by the bulk scanners that only probe 3389 looking for potentially vulnerable RDP servers. (A full port scan still finds it, which is exactly why this is a layer and not a control on its own.)

Even more useful is to combine obscurity with misdirection. A number of tools let a machine listen on a specific port without exposing any service behind it that can be leveraged to attack the computer. The connection to TCP 3389 turns into a dead end (and, if you log it, an early warning that someone is probing you), while legitimate connections to the machine listening on the alternate RDP port work just fine.

Obscurity and misdirection are helpful because they cause the attacker to waste time and effort, and they reduce your exposure to automated attacks that only ever try the default port. The goal is to frustrate the attacker or the automated exploit so that it moves on to more pliant victims.
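As an added example (not code from the original post), the PowerShell below does both halves of what is described above on Windows Vista or Server 2008 and later: it moves the real RDP listener to an alternate port and opens the firewall for it, then stands up a dead-end listener on TCP 3389 that logs every connection attempt and never answers. The alternate port number, the firewall rule name and the log path are assumptions, and it must be run elevated from the console, not over the RDP session you are trying to keep.

```powershell
# Added example, not code from the original post. Run from an elevated PowerShell prompt on the console.
# Assumptions: TCP 33891 is free, and C:\Logs exists for the decoy's log file.
$NewRdpPort = 33891
$DecoyPort  = 3389
$LogFile    = 'C:\Logs\rdp-decoy.log'

function Set-RdpListeningPort {
    param([int]$Port)
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    Set-ItemProperty -Path $key -Name PortNumber -Value $Port -Type DWord
    # The built-in "Remote Desktop" firewall rule is pinned to 3389, so the new port needs its own rule.
    netsh advfirewall firewall add rule name="Remote Desktop (TCP $Port)" dir=in action=allow protocol=TCP localport=$Port | Out-Null
    # The listener re-reads PortNumber only when the service starts, so restart it (or reboot).
    Restart-Service -Name TermService -Force
}

function Start-DecoyListener {
    param([int]$Port, [string]$LogFile)
    # Binding fails if TermService still owns the port, which is the check you want:
    # the decoy must never sit in front of a real service.
    $listener = New-Object System.Net.Sockets.TcpListener([System.Net.IPAddress]::Any, $Port)
    $listener.Start()
    Write-Host "Decoy listening on TCP $Port. Connections are logged to $LogFile and dropped."
    try {
        while ($true) {
            $client = $listener.AcceptTcpClient()
            $remote = $client.Client.RemoteEndPoint.ToString()
            $stamp  = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
            Add-Content -Path $LogFile -Value "$stamp connection from $remote"
            # Send nothing: a real RDP client expects an X.224 Connection Confirm and gets silence,
            # so a scanner sees an open port with no usable service behind it. Holding the socket
            # open for a few seconds before closing also slows down automated sweeps.
            Start-Sleep -Seconds 5
            $client.Close()
        }
    }
    finally { $listener.Stop() }
}

# Usage (on the console):
#   Set-RdpListeningPort -Port $NewRdpPort
#   Start-DecoyListener -Port $DecoyPort -LogFile $LogFile   # Ctrl+C to stop
```

Because nothing legitimate should ever connect to the decoy once RDP has moved, every line in the log file is either a scanner or an attacker, which makes it a cheap detection source as well as a dead end. The decoy handles one connection at a time on purpose; a service-detection scan will notice that it is not RDP, but by then the attempt has already been logged.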

However, there are times when security through obscurity doesn’t provide any added value. The classic example is renaming the Administrator account. You’ll see the recommendation in a large number of books and treatises on network security, and even in the Microsoft operating system hardening guides, but the relative security benefit gained by renaming the Administrator account is just about nil.

Why? Because what you want to prevent is an attacker logging on as Administrator. To log on as Administrator, the attacker needs the password, so the real security is in the password. A password of at least 16 characters drawn from mixed case letters, numbers and symbols is far beyond what an over-the-network guessing attack can enumerate: each guess costs a network round trip, and lockout or throttling policies slow it down further.

(Note that I’m not addressing the case where someone has physical access to the computer and performs an offline attack against the stored password hashes; there you need BitLocker or another disk encryption tool to protect the administrator account.)

Complex passwords (I prefer not to use the term passphrase, because “passphrase” implies that the password has to have some sort of linguistic meaning, which of course it does not) are easy to create. One method I use combines a zip code, a phone number and a birth date, with the leftmost character being your first initial in lower case and the rightmost character being your last initial in upper case. For example:

t90250213-696-504501-01-1957S

There you go — a 29 character password that’s ridiculously easy to remember. Of course, you can change the order, and make it birthday, zip code and then phone number, and you can make it even better by separating each element by a character of your choice, such as ^

Brute-forcing that password blind would take far longer than the age of the universe with current technology. Be clear about where the strength comes from, though: it is the length, not the personal data. An attacker who knows the construction and can look up your zip code, phone number and birthday is left with only the element order and the separator to guess, so treat the scheme as a memory aid for getting length, not as a source of secrecy. So what value is there in changing the name of the administrator account? None, and in fact changing the name of the administrator account adds administrative overhead, while the account stays trivial to find: the built-in Administrator keeps its well-known relative identifier (RID 500) whatever you call it.

Renaming the admin account is a classic example of something that sounds like a good idea, but when you look at the overall security gains, you find that all you’ve accomplished is an increase in administrative overhead without any realistic improvement in your overall security posture.
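To put numbers on the claims above, here is an added example (not code from the original post) that computes the search space an attacker faces against the 29-character scheme under three levels of knowledge: blind brute force, knowing the construction but not the values, and knowing the construction plus the target’s zip code, phone number, birthday and name. The guess rates are assumptions chosen for illustration; an online rate of 10 guesses per second is generous once lockout or throttling is in play, and 10^10 per second stands in for an offline attack on a stolen NT hash, which is the case the BitLocker note is about.

```powershell
# Added example, not code from the original post. Guess rates are assumptions chosen for illustration.

function Get-BruteForceYears {
    param([double]$SearchSpace, [double]$GuessesPerSecond)
    # Expected effort is half the space; expressed in years.
    ($SearchSpace / 2) / $GuessesPerSecond / (365.25 * 86400)
}

function Get-PasswordSchemeStrength {
    param([int]$Length = 29, [double]$OnlineRate = 10, [double]$OfflineRate = 1e10)
    # Case 1: attacker knows nothing and must try every printable ASCII string of this length.
    $blind = [math]::Pow(95, $Length)
    # Case 2: attacker knows the zip/phone/birthday/initials construction but not the values:
    #   5-digit zip, 10-digit phone, ~100 years of dates, two initials, 6 element orders, ~10 separators.
    $scheme = 1e5 * 1e10 * (100 * 365.25) * (26 * 26) * 6 * 10
    # Case 3: attacker has also looked up the target's zip, phone, birthday and name;
    #   only the element order and the separator remain unknown.
    $known = 6 * 10

    $cases = @(
        @{ Name = 'blind brute force';              Space = $blind  },
        @{ Name = 'scheme known, values unknown';   Space = $scheme },
        @{ Name = 'scheme and personal data known'; Space = $known  }
    )
    foreach ($case in $cases) {
        New-Object PSObject -Property @{
            Case         = $case.Name
            Bits         = [math]::Round([math]::Log($case.Space, 2), 1)
            OnlineYears  = Get-BruteForceYears $case.Space $OnlineRate
            OfflineYears = Get-BruteForceYears $case.Space $OfflineRate
        }
    }
}

Get-PasswordSchemeStrength | Format-Table Case, Bits, OnlineYears, OfflineYears -AutoSize
```

The first row comes out around 190 bits, the second around 80 bits (still out of reach), and the third under 6 bits: a few dozen guesses. The scheme is fine for remembering a long password, but the secrecy has to come from something the attacker cannot look up.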

For an in depth discussion on this issue, check out The Great Debate: Security by Obscurity at http://technet.microsoft.com/en-us/magazine/cc5103...9.aspx

HTH,

Tom


Automatically Log on and Protect Your Vista Computer

A problem I’ve run into from time to time is that my main workstation at home will reboot itself when I’m out of town. The rebooting isn’t much of a problem, because this is typically related to update Tuesday for updating applications and security configurations. However, it can be a problem because I have applications that run automatically but require that I be logged on for them to run.

I could have someone at home log me on, but often I forget about the problem and the machine has been on for several days without anyone logged on before I discover that no one has been logged on to that machine for days. What would be nice is to have the machine automatically log me on.

However, in order to be secure, the machine should be able to lock the desktop automatically after I’m automatically logged on, so that no one can break into my machine.

So, I needed two solutions:

  1. The machine should be able to log me on automatically
  2. The machine should be able to automatically lock the desktop after my account logs on
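As an added example (not code from the original post or from the linked article, whose method is not reproduced here), the PowerShell below handles both requirements while avoiding the trap that makes hand-configured automatic logon dangerous: the Winlogon key’s DefaultPassword value is a plaintext string that any local user, or any boot CD on an unencrypted disk, can read. Sysinternals Autologon.exe stores the password as an LSA secret instead. The Autologon.exe path and the task name are assumptions.

```powershell
# Added example, not code from the original post or the linked article. Run elevated.
# Assumption: Sysinternals Autologon.exe has been downloaded to C:\Tools.
$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Test-AutoLogonExposure {
    # Hand-configured AutoAdminLogon usually means a plaintext DefaultPassword value in a key
    # that every local user can read (and any boot CD can read if the disk is not encrypted).
    $p = Get-ItemProperty -Path $Winlogon
    if ($p.AutoAdminLogon -eq '1' -and $p.DefaultPassword) {
        Write-Warning "DefaultPassword is stored in cleartext under $Winlogon. Remove it and store it with Autologon.exe."
        return $false
    }
    return $true
}

function Enable-AutoLogon {
    param([string]$User, [string]$Domain, [string]$Password, [string]$AutologonExe = 'C:\Tools\Autologon.exe')
    # Autologon.exe sets AutoAdminLogon and DefaultUserName but keeps the password as the
    # LSA secret "DefaultPassword" rather than as a readable registry string.
    & $AutologonExe $User $Domain $Password
    # Belt and braces: make sure no plaintext copy from an earlier manual setup survives.
    Remove-ItemProperty -Path $Winlogon -Name DefaultPassword -ErrorAction SilentlyContinue
}

function Register-LockAtLogon {
    # A logon-triggered task that runs in the interactive session of the user who just logged on.
    # LockWorkStation only works from that session, so the task runs as the creating user with an
    # interactive token (/it), not as SYSTEM; the 30-second delay lets the shell finish starting.
    # Locking hides the desktop only: the applications that need the session keep running.
    schtasks /create /f /tn 'LockAfterAutoLogon' /sc onlogon /delay 0000:30 /it /rl limited /tr 'rundll32.exe user32.dll,LockWorkStation'
}

# Usage (elevated):
#   Enable-AutoLogon -User $env:USERNAME -Domain $env:USERDOMAIN -Password (Read-Host 'Password')
#   Register-LockAtLogon
#   Test-AutoLogonExposure   # should now return True
```

Even with the password protected as an LSA secret, an automatically logged-on machine is a machine whose session anyone with physical access can reboot into; the lock screen then stands between them and your desktop, which is why this setup belongs on a BitLocker-protected box and not on a laptop.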

Is there a solution? Yes! Check out this article by Greg Schultz for the solution:

http://blogs.techrepublic.com.com/window-on-window...?p=599

HTH,

Tom


Offline NT Password and Registry Editor

Whoops! You forgot the password for the local admin account, and didn’t create any other accounts with local administrator privileges. What do you do?

You could rebuild, restore from a backup where you did know the password, or try some other trick that might work. But what if you could just reset the local administrator password offline and get up and running again?

Is it possible? Yes, by using the Offline NT Password and Registry Editor. Some information about this tool, from its site:

  • This is a utility to (re)set the password of any user that has a valid (local) account on your Windows NT/2k/XP/Vista etc. system.
  • You do not need to know the old password to set a new one.
  • It works offline, that is, you have to shut down your computer and boot off a floppy disk or CD or another system.
  • Will detect and offer to unlock locked-out or disabled user accounts!
  • There is also a registry editor and other registry utilities that work under Linux/Unix, and can be used for other things than password editing.

The tool provides easy to use menus that let you edit the SAM and the local registry on a computer. Keep in mind that it works for exactly the reason mentioned in the Administrator account post: anyone who can boot the box from removable media can reset your local administrator password the same way unless the disk is encrypted, so this tool is as good an argument for BitLocker as it is a recovery aid.

Grab this tool at:

http://home.eunet.no/pnordahl/ntpasswd/

HTH,

Tom


Welcome to the Windows Server Virtualization Validation Program

Anyone who’s been in the Microsoft security space for a while knows that stability and availability are a key component of security. If you run security services on a machine that is not reliable and available, the security services provided by that machine are of no use, which exposes your infrastructure to problems that would not exist if those services had stayed available.

Given that an increasing number of network security services are being hosted in virtual machines, it’s important that the virtualization environment on which those virtual machines run has been validated with the vendors whose software you run in it, so that you are supported when something breaks.

To this end Microsoft has stepped up to the plate with the Windows Server Virtualization Validation Program. As Microsoft describes this program:

“The Server Virtualization Validation Program (SVVP) is open to any vendor who delivers a virtualization machine solution that hosts Windows Server 2008, Windows 2000 Server Service Pack 4 and Windows Server 2003 Service Pack 2 and subsequent service packs. The virtualization solution can either be hypervisor-based or a hosted solution. The program enables vendors to validate various configurations so that customers of Windows Server can receive technical support in virtualized environments. Customers with validated solutions will benefit from the support provided by Microsoft as a part of the regular Windows Server technical support framework.
The Server Virtualization Validation Program is not a logo program, rather a reference that companies and customers will be able to use in conjunction with their validated solutions”

For more information on the Server Virtualization Validation Program (SVVP) check out:

http://www.windowsservercatalog.com/svvp/

HTH,

Tom


Bolster Desktop Security with Software Restriction Policies

You’ve probably heard about software restriction policies. These policies are created in Active Directory Group Policy (or local policy) and allow you to deny or allow applications at the desktop. Of course, denying “bad” applications using blacklisting is like chasing your tail. You’ll never be able to identify all the “bad” applications users might use. However, whitelisting applications is a realistic goal. The trick is to determine what your “good” applications are.

In the past you might have avoided software restriction policies because you thought it was too hard to determine what applications the users are using, and that deploying a dysfunctional software restriction policy could get you into hot water with your users and, worse, with your boss.

The good news is that there are a number of techniques you can use to determine what the “good” applications are in your environment. You can then use this information to create your whitelist of applications and configure those into software restriction policies.
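As an added example (not code from the original post or the linked TechNet article), the PowerShell below builds a candidate whitelist from what is actually running on a workstation, sorts it into certificate rules for validly signed code and hash rules for everything else, flags anything executing from a user-writable location so nobody is tempted to turn it into a path rule, and reads back which mode the policy is in. It uses only cmdlets present in Windows PowerShell 2.0; the extra scan roots and the CSV file name are assumptions.

```powershell
# Added example, not code from the original post or the linked TechNet article.
# Works on Windows PowerShell 2.0+ (no Get-FileHash dependency).

function Get-Sha256 {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try { ([System.BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close() }
}

function Get-WhitelistCandidates {
    param([string[]]$ExtraRoots = @())   # e.g. 'C:\Program Files\LineOfBusinessApp' (assumption)
    $userWritable = @($env:USERPROFILE, $env:TEMP, $env:APPDATA)
    # Start from the executables that are actually running; add explicit application roots if given.
    $paths = @(Get-Process | Where-Object { $_.Path } | ForEach-Object { $_.Path })
    foreach ($root in $ExtraRoots) {
        $paths += Get-ChildItem -Path $root -Recurse -Include *.exe, *.dll, *.msi -ErrorAction SilentlyContinue |
                  ForEach-Object { $_.FullName }
    }
    foreach ($path in ($paths | Sort-Object -Unique)) {
        $sig    = Get-AuthenticodeSignature -FilePath $path
        $signed = ($sig.Status -eq 'Valid')
        $writable = $false
        foreach ($dir in $userWritable) { if ($dir -and ($path -like "$dir\*")) { $writable = $true } }
        # Signed code gets a certificate (publisher) rule, which survives updates; unsigned code
        # gets a hash rule, which must be re-issued on every version change.
        if ($signed) { $rule = 'Certificate'; $publisher = $sig.SignerCertificate.Subject; $hash = '' }
        else         { $rule = 'Hash';        $publisher = '';                             $hash = Get-Sha256 $path }
        if ($writable) { $review = 'runs from a user-writable path; never whitelist this by path' } else { $review = '' }
        New-Object PSObject -Property @{
            Path = $path; Rule = $rule; Publisher = $publisher; Sha256 = $hash; Review = $review
        }
    }
}

function Get-SrpDefaultLevel {
    # DefaultLevel: 0x0 = Disallowed (whitelist mode), 0x20000 = Basic User, 0x40000 = Unrestricted (blacklist mode)
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    $level = (Get-ItemProperty -Path $key -Name DefaultLevel -ErrorAction SilentlyContinue).DefaultLevel
    switch ($level) {
        0       { 'Disallowed (whitelist mode)' }
        0x20000 { 'Basic User' }
        0x40000 { 'Unrestricted (blacklist mode)' }
        default { 'No software restriction policy applied' }
    }
}

# Usage: run on a set of representative workstations, merge the CSVs, turn Certificate rows into
# certificate rules and Hash rows into hash rules, and only then set the default level to Disallowed.
#   Get-WhitelistCandidates | Export-Csv -Path "$env:COMPUTERNAME-whitelist.csv" -NoTypeInformation
#   Get-SrpDefaultLevel
```

Run it over a few weeks on machines from each user population before switching the default level: a process that runs once a quarter (year-end reporting, a VPN client) will not show up in a single snapshot, and a missing entry in Disallowed mode is a help-desk call.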

For more information on how to detect your white list applications and how to configure the software restriction policy, check out:

http://technet.microsoft.com/en-us/magazine/cc5103...).aspx

HTH,

Tom


Evaluate System Center Mobile Device Manager (MDM) 2008

System Center Mobile Device Manager (MDM) is a new Microsoft technology that helps Windows Mobile 6.1 devices work within the IT infrastructure as trusted and managed members of the enterprise. Historically, this degree of integration was not possible with other mobile device platforms because it raised many security, management, and accountability issues for the enterprise. MDM enables you to use Windows Mobile powered devices as managed business devices in a comprehensive manner that has minimal effect on existing infrastructure.

The goal of MDM is simple: Enable Windows Mobile powered devices to become managed and authenticated members of the IT infrastructure of an organization. The Windows Mobile platform is the ideal platform for this solution. The features of MDM help extend this platform in a manner that is both manageable and protected.

The MDM architecture is based on open industry standards that provide specialized device management (OMA DM), and authenticated and encrypted communications (IPsec, IKEv2, and MOBIKE). When you use these standards together with Windows Server platform services, such as Group Policy and Windows Server Update Services (WSUS), you have a powerful and proven solution that you can apply in a consistent and scalable manner to your company’s Windows Mobile powered devices.

For more information about MDM and to get an evaluation copy, visit:

http://technet.microsoft.com/en-us/scmdm/bb986596.aspx

HTH,

Tom
