Life on the corporate network is a calm and collected experience for the “bolted in” workstation. That bolted in workstation never leaves the corporate network, and is always protected by the multiplicity of devices and technologies that we use to make sure that the corpnet is secure.
But life is different for the laptop computer. Sure, that corporate-issued laptop might be connected to the corpnet and enjoy the Life of Riley when protected by the full faith and credit of corporate IT, but once that laptop leaves the confines of your well-managed corpnet, that poor thing is on its own. That Bedouin laptop will need to fend for itself and try to protect itself from all the bad things out there on other networks.
But how can you help your road warriors win the battles encountered out there on all the unmanaged networks in the world? You need to teach your users how to configure their computers and work with their computers so that they can go it alone and come back to your corpnet uncompromised.
Can it be done? I think so. One good way to get started on this mission is to check out Tony Bradley’s article on the Microsoft.com Web site. The article is titled Going It Alone: How Mobile PCs Protect Themselves Outside of the Network and you can find it at:
http://technet.microsoft.com/en-us/library/cc748609.aspx
Let me know what you think of this article by posting a response on this blog.
Thanks!
Tom
Thomas W Shinder, M.D.
Site: http://www.isaserver.org/
Blog: http://blogs.isaserver.org/shinder/
GET THE NEW BOOK! Go to http://tinyurl.com/2gpoo8
Email: tshinder@isaserver.org
MVP — Microsoft Firewalls (ISA)
The Infrastructure Planning and Design (IPD) guides are the next version of Windows Server System Reference Architecture. The guides in this series help clarify and streamline design processes for Microsoft infrastructure technologies, with each guide addressing a unique infrastructure technology or scenario.
Among this group of documents is the Selecting the Right NAP Architecture guide. This guide will help you decide which NAP enforcement method is best for you and then guides you through the planning and design phases (helpful, but most of us could use help with implementation too).
Check it out at:
http://www.microsoft.com/downloads/details.aspx?Fa...ang=en
HTH,
Tom
Of course, with all of this talk of Vista security, we can’t forget the most interesting and useful piece of Vista security documentation — the Windows Vista Security Guide. You can find the Windows Vista Security Guide over at:
http://www.microsoft.com/downloads/details.aspx?fa...ang=en
HTH,
Tom
The last blog entry pointed to the Vista Kernel article by Mark Russinovich. That was a nice overview of the security features. For a more comprehensive article that provides even more information on why Vista is the most secure client operating system on which to run your applications, check out this article, The Advantages of Running Applications on Windows Vista, at http://msdn.microsoft.com/en-us/library/bb188739.aspx
That article is great and discusses a great number of topics and technologies that enhance the security provided by the Vista client. Many Windows admins most likely take advantage of only a fraction of the security technologies available in Vista. That’s a shame, as the article shows the tremendous number of options available to you. And when you pair Vista with Windows Server 2008, well, it doesn’t get much more secure than that for client/server communications.
Make sure to check the front page of this site on a regular basis! I recently showed you how to put together a simple proof of concept of domain isolation. Next week I’ll show you how to put together a simple DHCP NAP enforcement solution. While the DHCP NAP enforcement solution is the least impressive in terms of security, it’s the simplest and will allow you to dip your toes into the NAP waters before we get into more interesting NAP scenarios, such as NAP with Health Certificate enforcement and NAP with the Terminal Services gateway.
HTH,
Tom
Why is Windows Vista the most secure client operating system available on the market today? You need look no further than the Windows Vista Kernel.
Check out this article by Mark Russinovich on the Windows Vista Kernel to see why it’s worth upgrading just to gain the significant security advantages you’ll see with Windows Vista over Windows XP.
http://technet.microsoft.com/en-us/library/cc748650.aspx
HTH,
Tom
We all know that at one time Microsoft was considered the laughingstock of computer and software security. While it’s debatable that Microsoft was really much worse than any other software vendor, the fact is that Microsoft’s large installed base made it the focal point for hackers and malware. Exploits at the time were high-visibility events that got a lot of media coverage.
That seems like a hundred years ago to most of us in the Microsoft security community. While security is always a work in progress, Microsoft has gone from what many thought of as the least secure software company in the world to what many consider the most secure software company in the world.
It didn’t happen overnight, and it wasn’t magic or the “power of money”. What enabled Microsoft to turn so quickly from unsecure to secure was Bill Gates’ mandate that attention to secure software development would be job one and then the implementation of the Microsoft Security Development Lifecycle or SDL.
The SDL provides processes and procedures that programmers and application developers can use to ensure that software is built with security in mind. Security isn’t “bolted on” afterward. Instead, security considerations, threat modeling and fuzz testing are done throughout development so as to minimize the risk of “surprises”.
The SDL is part of all software development at Microsoft now and the results of its implementation are astounding. All you need to do is check the reductions in security issues with Windows Vista versus previous Windows client versions or Windows Server 2008 compared to previous Windows Server versions.
Microsoft has put together a new landing page for the SDL. You can find it at http://msdn.microsoft.com/en-us/security/cc448177.aspx and get more information about the SDL. Then, when you’re considering purchasing software from Microsoft or another vendor, ask the other vendor for information on their SDL and details on how they implement it, like the information on the Microsoft SDL page.
HTH,
Tom
Server Core is a whole new version of Windows. It is a Windows operating system without Windows. What do I mean? It means a Windows without the Windows shell and with very limited graphical user interface (GUI) functionality. So does it have any GUI functionality? The answer is yes, but limited. The Server Core interface is a command prompt. In this article, I’m going to install Server Core, then I will show you the limited GUIs that are available with Server Core.
Read more at:
Installing Windows Server 2008 Server Core
HTH,
Tom
Ratproxy is a semi-automated, largely passive web application security audit tool. It is meant to complement active crawlers and manual proxies more commonly used for this task, and is optimized specifically for an accurate and sensitive detection, and automatic annotation, of potential problems and security-relevant design patterns based on the observation of existing, user-initiated traffic in complex web 2.0 environments. The approach taken with ratproxy offers several important advantages over more traditional methods:
- No risk of disruptions. In the default operating mode, the tool does not generate a high volume of attack-simulating traffic, and as such may be safely employed against production systems at will, for all types of ad hoc, post-release audits. Active scanners may trigger DoS conditions or persistent XSSes, and hence are poorly suited for live platforms.
- Low effort, high yield. Compared to active scanners or fully manual proxy-based testing, ratproxy assessments take very little time or bandwidth to run, and proceed in an intuitive, distraction-free manner - yet provide a good insight into the inner workings of a product, and the potential security vulnerabilities therein. They also afford a consistent and predictable coverage of user-accessible features.
- Preserved control flow of human interaction. By silently following the browser, the coverage in locations protected by nonces, during other operations valid only under certain circumstances, or during dynamic events such as cross-domain Referer data disclosure, is greatly enhanced. Brute-force crawlers and fuzzers usually have no way to explore these areas in a reliable manner.
- WYSIWYG data on script behavior. Javascript interfaces and event handlers are explored precisely to a degree they are used in the browser, with no need for complex guesswork or simulations. Active scanners often have a significant difficulty exploring JSON responses, XMLHttpRequest() behavior, UI-triggered event data flow, and the like.
- Easy process integration. The proxy can be transparently integrated into an existing manual security testing or interface QA processes without introducing a significant setup or operator training overhead.
For more information, check out:
http://code.google.com/p/ratproxy/wiki/RatproxyDoc
HTH,
Tom
The Microsoft US National Security Team is composed of strategic security advisors who work with Microsoft customers, partners, MS internal constituencies and the information security industry to promote the adoption of security processes and technologies. The NST also focuses on driving vertical security solutions for a wide range of industries. To this end, the NST has produced a number of white papers that address the specific security needs of particular industries, such as the professional services and financial services industries.
The papers include the following titles:
- Electronic Signature Assurance and the Digital Chain-of-Evidence.docx
- Enabling Secure Collaboration for Professional Services Firms.doc
- Establishing the Foundation of Authenticity for Electronically Stored Information.docx
- Information Protection Strategies For Financial Services.docx
- Optimizing Branch Office Security and Productivity in the Financial Services Sector.doc
- Secure Software Development for the Financial Services Industry.docx
- Securing the Retail Store-Securing the Data.docx
Download these White Papers at:
http://www.microsoft.com/downloads/details.aspx?Fa...ang=en
HTH,
Tom
There are two things you need to do in order to secure your email interactions:
- Enforce Rights Management on Email communications
- Use S/MIME to secure email in transit
Rights Management allows you to control who is allowed to read a specific piece of email. The problem with typical email communications is that once someone receives the message, he can do whatever he wants with it: print it, forward it, copy it, and more. This clearly isn’t a secure solution. Fortunately, you can use Windows Server 2008 Rights Management Services to protect your email communications.
The second thing you need to do to secure your email communications is to encrypt them. The typical email communication today is like a postcard sent through snail mail. Anyone with a network sniffer can easily read the contents of your email. Obviously, this is not a secure solution.
You can use certificates and S/MIME encryption to secure your email. However, it’s not obvious how you do this. Here’s a great article by Matt Clapham and Blake Hutchinson that shows you how to do it:
http://technet.microsoft.com/en-us/magazine/cc5103...).aspx
HTH,
Tom