Dr. Tom Shinder’s Blog

Archive: June 2008

The Microsoft Windows Server 2003 Performance Advisor

Performance issues can be related to security issues. Sometimes malware can impact performance on your servers. But how do you know if it’s malware or maybe a configuration issue? One way to find out is to use the Windows Server 2003 Performance Advisor.

Microsoft Windows Server 2003 Performance Advisor is the latest version of Server Performance Advisor, which is a simple but robust tool that helps you diagnose the root causes of performance problems in a Microsoft Windows Server 2003 deployment. Server Performance Advisor collects performance data and generates comprehensive diagnostic reports that give you the data to easily analyze problems and develop corrective actions.

Microsoft Windows Server 2003 Performance Advisor provides several specialized reports, including a System Overview (focusing on CPU usage, memory usage, busy files, busy TCP clients and top CPU consumers) and reports for server roles such as Active Directory, Internet Information Services (IIS), DNS, Terminal Services, SQL, print spooler, and others.

Download it at:

https://www.microsoft.com/downloads/details.aspx?F...ang=en

HTH,

Tom

Thomas W Shinder, M.D.
Site: http://www.isaserver.org/

Blog: http://blogs.isaserver.org/shinder/
GET THE NEW BOOK! Go to 
http://tinyurl.com/2gpoo8
Email: tshinder@isaserver.org
MVP — Microsoft Firewalls (ISA)

Microsoft Forefront Codename "Stirling" VHDs Now Available

The Microsoft VHD Test Drive Program provides customers with an enhanced server-based software evaluation experience that’s faster, better supported and more flexible. You can now access the entire catalog of pre-configured Microsoft and partner products and solutions in the VHD format and start evaluating and testing today from www.microsoft.com/vhd.

Forefront codename “Stirling” is an integrated security system that delivers comprehensive, coordinated protection across endpoints, messaging and collaboration servers, and the network edge, and that is easier to manage and control.

By delivering simplified management and providing critical visibility into threats, vulnerabilities, and configuration risks, “Stirling” helps you reduce costs and achieve greater insight into your enterprise security state.

These fully functional, pre-configured VHDs provide you with trial software that will automatically expire after 30 days.

These are preconfigured virtual machines contained within the Virtual Hard Disk (VHD) format. A virtualization product that supports the VHD format is required to use these virtual machines. Microsoft Virtual PC and Microsoft Virtual Server are provided for free and can be used with these VHD-based virtual machines. Please refer to the system requirements section for more details.

Get them at:

http://www.microsoft.com/downloads/details.aspx?Fa...ang=en

Tom


Test Your Browser Security

Ever thought about testing your browser security? If not, when you have nothing else to do, check out these Web sites that have free browser security tests:

  • The Scanit Browser Security Test page

  • The Verisign Browser Check page

HTH,

Tom

Evaluate Microsoft Forefront Security for Office Communications Server beta today

Microsoft Forefront Security for Office Communications Server provides fast and effective protection against IM-based malware by including multiple scanning engines from industry-leading security partners, and helps reduce corporate liability by blocking IM messages containing inappropriate content. And when you download the beta software, you’re automatically registered to access valuable beta resources assembled in one convenient Beta Central location.

For more information, check out:

http://technet.microsoft.com/en-us/evalcenter/cc50...1.aspx

Tom

Microsoft Forefront Integration Kit for Network Access Protection

Forefront Client Security is comprehensive anti-malware software from Microsoft that provides unified protection from viruses, spyware, and other current and emerging threats. NAP is a new feature in Windows Server® 2008 that can control network access based on a computer’s compliance with an organization’s health policy. NAP uses system health validators (SHVs) to configure the policies that are used to determine if network access is granted. System health agents (SHAs) provide the information needed to make this determination.

Together, Forefront Client Security and NAP can provide an additional defense-in-depth layer against malicious attacks and give administrators a significant degree of control over the security and health of networked computers.

For more information, check out:

http://technet.microsoft.com/en-us/library/cc512112.aspx

HTH,

Tom

Security Compliance Toolkit Now Available

In today’s IT environment, the ability to comply with regulations and industry standards, such as the Sarbanes-Oxley Act, is a source of deep concern for many organizations. In addition, organizations need to manage risks resulting from emerging threats and changing conditions within their IT infrastructures. As a result, organizations need sound methods that they can count on to understand the state of the security settings in their IT infrastructures, assess compliance with a security baseline, and demonstrate that compliance requirements have been met.

To help organizations address these challenges, Microsoft has created the Security Compliance Management toolkit. The toolkit provides best practices from Microsoft about how to plan, deploy, and monitor a security baseline. In addition, the toolkit provides remediation recommendations to address security baseline issues. The toolkit also offers a proven method that your organization can use to effectively monitor the compliance state of recommended security baselines for Windows Vista®, Windows® XP Service Pack 2 (SP2), and Windows Server® 2003 SP2.

For more information, check out:

http://technet.microsoft.com/en-us/library/cc677002.aspx

HTH,

Tom

Understanding Defense in Depth

If you’re a regular reader of this blog, you know that I’m a major advocate of security as a defense in depth process. The most important take-home message when it comes to the concept of defense in depth is that there are no “magic bullets” that, once you’ve deployed a single security technology or set of technologies, will forever free you from security concerns. That will never be the case. In addition, security is a process and something that must be attended to continuously; it’s not, and will never be, “set it and forget it”. People in the physical security world know this to be true, and most computer and network security people appreciate this as well.

I recently came across an exceptional article on Defense in Depth, written by famed security strategist Kai Axford. I’ve had the chance to speak with Kai on a few occasions, and it’s clear from speaking with him that he’s one of the most level-headed, insightful and eloquent speakers on securing computer networks today. If you ever have a chance to listen to one of his talks, you should take advantage of that opportunity. Kai’s positions are thoughtful and he rarely shoots from the hip, and he’s not out to get headlines — he’s out to help you learn how to get more secure.

However, with all that said, there’s one area that I’m hoping Kai will stay mindful of. If you go to his article Understanding Defense in Depth at http://www.microsoft.com/technet/community/columns...8.mspx and check out the section Layer 3: Perimeter Security (Living on the Edge), Kai mentions Microsoft’s future plans for “Access Anywhere”. This is related to a new technology Microsoft is working on that will make a computer’s location immaterial in terms of participating in a particular Active Directory domain, with the ability to obtain services in exactly the same way as they would be available if the machine were directly attached to the network.

From what I understand of the “Access Anywhere” scenario, a computer can be a domain member and be centrally managed in the same way that a desktop machine bolted into the corpnet can be managed and secured. Of course, we can already do this with remote access VPN connections. The difference is that the “Access Anywhere” technology will take advantage of the fact that, with IPv6, all network devices can be assigned what IPv4 refers to as a “public address” (referred to as “global addresses” in IPv6 lingo). Since NAT devices will no longer be an issue with IPv6, there’s no reason that NAT-unfriendly protocols (such as Kerberos) can’t be used from anywhere on the Internet. Combine this with IPv6’s integrated support for IPsec, and you can potentially extend the corpnet to anywhere in the world without the overhead of a remote access VPN.

The problem, as I see it, is that the Bedouin machine that travels to hotel networks, unsecured home networks, conference center networks, airport networks, and any other unsecured network you can imagine isn’t quite the same as a machine that is bolted into the corpnet and never leaves the premises.

A lot can happen to machines that leave the corpnet. The machine can be stolen and have spyware installed on it without the victim’s knowledge. The spyware might even run in a sandbox that protects it from your corporate anti-malware software. Or the machine might be stolen and the intruder uses an offline attack, or some other method, to grab the user’s credentials. Now the intruder has a fully authorized, fully managed machine to connect to the corpnet from anywhere in the world. Or perhaps the machine was connected to a network that had a zero-day worm on it. Since the machine is always connected to the corpnet, there’s no lag time, such as when the user is required to establish a VPN connection to connect to the corpnet. In this scenario, the compromised machine will be able to immediately “share” its compromised state with the rest of the corpnet.

The point that I’m trying to make here is that the upcoming “Direct Connect” technology (the underpinnings of the Access Anywhere scenario) should not be taken as a panacea. The security “quality” of a machine that leaves the corpnet will never be the same as that of one that never leaves the corpnet. A machine that has been promiscuous in its network connectivity will never be as “trustable” as one that stays within a well-managed security environment.

However, it could be that this discussion is relatively moot and that we already have a similar situation running in corporate environments today. For example, several large companies (including Microsoft) give their employees laptops that they can take home and take on the road. Then they bring their “low” security quality machines back to the corpnet. This scenario is essentially the same as the external computer in the Access Anywhere scenario, except that the compromised machines are brought in to connect directly to the corpnet.

So, if there is no way around this problem, what’s the solution? Reperimeterization. I’ve talked quite a bit about reperimeterization on this blog, and you’ll see more of this talk as the “Access Anywhere” technologies come to fruition. I’ll talk more about this solution in a blog post later this week. But even more important to security in an “Anywhere Access” world is Defense in Depth.

“Access Anywhere” will create changes in the concept of perimeter security, but it will also require us all to be even more mindful of the other components of Defense in Depth. Let’s just say that our lives as network and security admins are looking at becoming more complex, instead of less complex, as users and business decision makers demand the convenience of true “Access Anywhere”.

HTH,

Tom

Don’t Forget Anti-Malware on Your Servers

There are some things that security specialists take for granted that not everyone thinks about.

This came to the fore for me today when I found out that a list server, which runs mailing lists for several organizations that share proprietary information with one another, had been infected with a piece of malware for which almost all anti-malware applications have had signatures for at least the last four years.

This also reminded me that I need to remind you all that you need to be running anti-malware on your servers that accept inbound connections and allow any kind of “write” activity to that server’s file system. This is especially true if the server is an Internet-facing device, but it also applies to internal servers that never accept any kind of connection from external hosts.

While Windows Server 2008 has gone a long way toward providing a highly secure default configuration, most companies are using previous versions of Windows, including Windows 2000 Server and Windows Server 2003, where the default configurations were not as robust as the default Windows Server 2008 configuration. So, if you’re running those operating systems, you need to be extra careful to make sure that you’ve locked down the operating system and have anti-malware installed on those machines.

By the way, if you’re looking for a great anti-malware solution for these servers, you can’t do much better than Microsoft Forefront Client Security (FCS). FCS can protect both your clients and servers, and it also provides you an excellent way of viewing the security configuration of all the hosts on your network. For more information on FCS, check out:

http://www.microsoft.com/forefront/clientsecurity/...t.aspx

HTH,

Tom

Running a Unihomed VPN Server in Windows Server 2008

Someone wrote to me recently about whether it was possible to run a unihomed SSTP VPN server on Windows Server 2008, as the examples I gave in my articles on how to create and configure an SSTP VPN server always had two NICs. Now, while I don’t typically recommend unihomed VPN servers from a security point of view, I can see the rationale in terms of wanting to simplify the configuration in the event that there is already a multihomed Internet gateway device in play that doesn’t support SSTP. Heck, even the new Forefront TMG (Threat Management Gateway), which runs on Windows Server 2008, doesn’t support SSTP.

The problem is that when you run the RRAS wizard and choose the VPN option, it expects you to have multiple interfaces. The question then is: how do you get around the limitations of the RRAS wizard?

After installing the Routing and Remote Access Service from the Server Manager in Windows Server 2008, right-click the Routing and Remote Access node in the left pane of the console. When you get to the Configuration page, select the Custom Configuration option.

On the Custom Configuration page, put a checkmark in the VPN Access checkbox and click Next.

Click Finish on the Completing the Routing and Remote Access Server Setup Wizard page. You will be asked to start the service, which is what you want to do.

When you check the RRAS configuration, you’ll find that it’s set up with PPTP, SSTP and L2TP/IPsec ports and that the default address assignment method is DHCP. If you don’t have a DHCP server, you’ll have to create a static address pool.

So, if you’re looking at this article http://www.windowsecurity.com/articles/Configuring...1.html, make sure to substitute these steps for the ones in the article if you want to run unihomed. Everything else should be the same. Well, almost. In the Enable the RRAS Server and Configure it to be a VPN and NAT Server section, you do not want to enable the NAT service. Just the VPN, as described in this blog post.

HTH,

Tom

Secure Your Network by Disabling IPv6

Let’s face it. You introduce security risks to your network any time you deploy a technology that you don’t understand. One of the best examples of this fact is IPv6. Not many people understand IPv6 very well, and all the security implications of IPv6 haven’t been worked out. That will happen sometime after IPv6 is in widespread adoption (probably sometime in the 22nd century).

Until then, you need a way to turn off IPv6 on your clients and servers. IPv6 is enabled by default on Windows Vista and Windows Server 2008. If you’re not using it, you should turn it off. You can turn it off by editing the Registry. Look for the key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\

When you get there, create a DWORD value named DisabledComponents and set the value to 0xffffffff.

If you decide later to implement IPv6, just set that value to 0.
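An added PowerShell example (not the author’s) that reads, decodes and sets the DisabledComponents value described above, so you can audit what a host actually has before and after the change. The function names are mine; the bit meanings and the 0xff note come from Microsoft’s KB 929852, not from this post.

```powershell
# Added example, not from the original post: inspect and set the Tcpip6
# DisabledComponents value. Run from an elevated PowerShell prompt; Windows
# applies a change to this value only after a restart.
$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'

# Bit meanings of DisabledComponents, per Microsoft KB 929852 (not this post).
$Flags = @{
    0x01 = 'disable all tunnel interfaces'
    0x02 = 'disable 6to4'
    0x04 = 'disable ISATAP'
    0x08 = 'disable Teredo'
    0x10 = 'disable IPv6 on all non-tunnel (LAN and PPP) interfaces'
    0x20 = 'prefer IPv4 over IPv6 in prefix policies'
}

function Get-IPv6DisabledComponents {
    # Returns the value as an unsigned 32-bit integer; an absent value means
    # IPv6 is fully enabled (the Vista / Server 2008 default), so return 0.
    $item = Get-ItemProperty -Path $KeyPath -Name DisabledComponents -ErrorAction SilentlyContinue
    if ($null -eq $item) { return [uint32]0 }
    # A REG_DWORD reads back as a signed Int32, so 0xffffffff arrives as -1.
    # Reinterpret the same four bytes as unsigned rather than range-checking.
    return [BitConverter]::ToUInt32([BitConverter]::GetBytes([int]$item.DisabledComponents), 0)
}

function Show-IPv6DisabledComponents {
    $value = Get-IPv6DisabledComponents
    Write-Host ('DisabledComponents = 0x{0:x8}' -f $value)
    if ($value -eq 0) { Write-Host '  IPv6 fully enabled'; return }
    foreach ($bit in ($Flags.Keys | Sort-Object)) {
        if ($value -band $bit) { Write-Host ('  0x{0:x2}: {1}' -f $bit, $Flags[$bit]) }
    }
}

function Set-IPv6DisabledComponents {
    # Accepts 0, 0xffffffff, -1 or 4294967295: the low 32 bits are written as
    # the REG_DWORD, so 0xffffffff (which PowerShell parses as -1) stores
    # the same value the post describes.
    param([Parameter(Mandatory = $true)][int64]$Value)
    $dword = [BitConverter]::ToInt32([BitConverter]::GetBytes($Value), 0)
    # -Force creates the value if it is missing or overwrites an existing one.
    New-ItemProperty -Path $KeyPath -Name DisabledComponents -PropertyType DWord `
        -Value $dword -Force | Out-Null
    Show-IPv6DisabledComponents   # read back what was actually stored
}

# Usage: audit first, then uncomment one of the Set lines.
Show-IPv6DisabledComponents
# Set-IPv6DisabledComponents -Value 0xffffffff   # disable IPv6, as the post recommends
# Set-IPv6DisabledComponents -Value 0            # re-enable IPv6 later
# Note: KB 929852 now recommends 0xff instead of 0xffffffff, because the latter
# adds a startup delay on Windows 7 / Server 2008 R2 and later.
```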

HTH,

Tom