Dr. Tom Shinder’s Blog

All Blogs  »  Dr. Tom Shinder's Blog  »  Archive: August 2008

Understanding Security and Network Connectivity for SQL Admins

SQL Server beginners will learn to differentiate between SQL Server database files and SQL Server processes. Explore scenarios for connecting to SQL Server Express databases, enabling and disabling user instances, login permissions, and other security precautions.

Duration: 40 minutes, 59 seconds

Date: 20 March 2006

http://www.asp.net/learn/sql-videos/video-109.aspx

HTH,

Tom

Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer
Prowess Consulting www.prowessconsulting.com

PROWESS CONSULTING documentation | integration | virtualization
Email: tshinder@isaserver.org
MVP — Forefront Edge Security (ISA/TMG/IAG)

Test Windows Mobile Security with Windows Mobile Emulator

When testing a new configuration’s security, it’s important that you have the right client software available to make connections to the secure server. Since most test labs are built in a virtual environment, you need to make sure that you have virtual clients available for testing. This usually isn’t an issue for client operating systems, since you can virtualize just about all of them. Mobile device operating systems aren’t as easy to virtualize. However, if you need to test the security of your Windows Mobile clients and their connections to Exchange Server, you can use the Windows Mobile device emulator.

Check out and download the Windows Mobile device emulator at:

http://www.microsoft.com/downloads/details.aspx?Fa...ang=en

Setup and configuration isn’t very easy — so here’s a link to a good article on how to get the emulator installed and configured:

http://msexchangeteam.com/archive/2007/09/17/447033.aspx

HTH,

Tom

How to Configure Memory Protection in Windows XP SP2

Microsoft Windows XP Service Pack 2 (SP2) helps protect your computer against malicious code being placed in, and run from, areas of memory reserved for data by implementing a set of hardware- and software-enforced technologies called Data Execution Prevention (DEP). Hardware-enforced DEP is a feature of certain processors that prevents the execution of code in memory regions that are marked as data storage; the feature is also known as No-Execute (NX) and Execution Protection. Windows XP SP2 also includes software-enforced DEP, which is designed to reduce exploits of exception-handling mechanisms in Windows and which works whether or not the processor supports NX.

For more information on memory protection and how to configure it, check out http://technet.microsoft.com/en-us/library/cc700810.aspx
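On XP SP2 the DEP policy is selected per boot entry with the /noexecute= switch in boot.ini (OptIn, OptOut, AlwaysOn or AlwaysOff), and the older /execute switch turns DEP off entirely; hardware DEP only takes effect if the processor supports NX, otherwise only the software-enforced part is in play. The Python script below is an added example rather than code from the original post or from Microsoft: it parses the [operating systems] section of a boot.ini and reports which boot entries fall below a chosen minimum policy. The boot.ini text is constructed for the example, and treating a missing switch as OptIn (SP2’s default) is an assumption.

```python
"""Audit the DEP policy selected in each boot entry of an XP SP2 boot.ini.

Added example, not part of the original post. XP SP2 sets the DEP policy
with /noexecute=<level> (OptIn, OptOut, AlwaysOn, AlwaysOff); the legacy
/execute switch disables DEP. The boot.ini text below is constructed.
"""
import re

# Constructed sample: one hardened entry, one weakened entry, one with no switch.
SAMPLE_BOOT_INI = """\
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Windows XP Professional" /noexecute=OptOut /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\\WINDOWS="Windows XP (legacy apps)" /execute /fastdetect
multi(0)disk(0)rdisk(0)partition(3)\\WINDOWS="Windows XP (no switch)" /fastdetect
"""

# Canonical spelling of each policy level, and its rank from weakest to strongest.
CANON = {"alwaysoff": "AlwaysOff", "optin": "OptIn", "optout": "OptOut", "alwayson": "AlwaysOn"}
RANK = {"AlwaysOff": 0, "OptIn": 1, "OptOut": 2, "AlwaysOn": 3}


def parse_entries(text):
    """Return (entry name, [lower-cased boot switches]) for each [operating systems] line."""
    entries = []
    in_os = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_os = line.lower() == "[operating systems]"
            continue
        if not in_os or not line:
            continue
        m = re.match(r'^[^=]+="([^"]*)"(.*)$', line)  # ARC path ="name" switches...
        if not m:
            continue
        switches = [s.lower() for s in m.group(2).split() if s.startswith("/")]
        entries.append((m.group(1), switches))
    return entries


def dep_policy(switches):
    """Effective DEP policy for one entry; /execute wins (assumption) over any /noexecute."""
    if "/execute" in switches:
        return "AlwaysOff"
    for s in switches:
        if s.startswith("/noexecute="):
            return CANON.get(s.split("=", 1)[1], "Unknown")
    return "OptIn"  # assumption: no switch behaves like SP2's default OptIn


def audit(text, minimum="OptOut"):
    """Return [(entry name, policy, meets_minimum)] for every boot entry."""
    want = RANK[minimum]
    return [(name, dep_policy(sw), RANK.get(dep_policy(sw), -1) >= want)
            for name, sw in parse_entries(text)]


if __name__ == "__main__":
    for name, policy, ok in audit(SAMPLE_BOOT_INI):
        print(f"{'OK  ' if ok else 'WEAK'} {policy:<9} {name}")
```

Run it against a copy of boot.ini from a test machine (the real file is hidden and read-only on the system partition); any entry weaker than OptOut on a server, or any entry still carrying /execute, is worth a closer look. Hardware support is a separate question, which you can confirm through the DataExecutionPrevention_Available property of the Win32_OperatingSystem WMI class.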

HTH,

Tom

Virtual Security Appliance Scene — SpamTitan

Virtualization is today’s Big Thing. I’ve been virtualizing my datacenters for almost eight years, so the fact that virtualization is the Big Thing today comes as a bit of a surprise. But at least someone’s been paying attention and now everyone seems to want to get on the virtualization bandwagon. One of the latest trends in the virtualization scene is the virtual appliance. A virtual appliance is a pre-built VM that you can drop onto one of your virtual servers, turn on the VM, do the basic configuration, and there you go!

Virtual appliances are a godsend to the busy network admin. Unlike physical appliances, where you have to find some rack space, screw the box into the rack, and then find a switch port and configure VLAN settings for the box, all you need to do with the virtual appliance is copy the file to the virtual server and turn it on. You don’t have to worry about the hardware tasks, since you’ve already done those for the virtual server on which the virtual appliance runs. The hardware tasks go away; patching the appliance’s guest operating system does not, so treat it like any other server in its security zone.

I noticed that we have a new advertiser over at www.isaserver.org, SpamTitan. SpamTitan is an email anti-malware, AV, anti-spam solution. What’s interesting about this offer is that they’ve made it available as a virtual appliance. You can drop it in as your inbound and outbound SMTP relay. I’ve had a chance over the last day to test it out and it’s an interesting solution. I’ll want to test it out for a few more days before giving you an opinion about the solution, but once I’m sure I understand how everything works and get a better idea of its performance characteristics, I’ll let you know.

HTH,

Tom

Understanding Shared Account Password Management

Here’s a very interesting article on an issue I hadn’t thought too much about in the past — the problem of shared password management. For example, the admin accounts, the firecall accounts, and accounts used by services.

Check out the description of the problem and some approaches to a solution at:

http://technet.microsoft.com/en-us/magazine/cc7459...1.aspx

HTH,

Tom

The Microsoft Security Development Lifecycle (SDL): Process Guidance

Starting with the Trustworthy Computing (TwC) directive of January 2002, many software development groups at Microsoft instigated “security pushes” to find ways to improve the security of existing code. However, the reliable delivery of more secure software requires a comprehensive process. To that end, Microsoft defined four guiding principles for the creation and support of more secure software: Secure by Design, Secure by Default, Secure in Deployment, and Communications (SD3+C). The SDL brings these principles to life by integrating them into every step of the software development lifecycle.

This page includes information on each of the phases of the SDL and provides links to resources to get your development crew up to speed on how to create secure applications from inception to support:

http://msdn.microsoft.com/en-us/security/cc420639.aspx

HTH,

Tom

SQL Server Security (ADO.NET)

SQL Server has many features that support creating secure database applications. Security features evolve and get strengthened with each new version of SQL Server, so there are enhanced security features in SQL Server 2005 and 2008 that do not exist for SQL Server 2000.

Common security considerations, such as data theft or vandalism, apply regardless of the version of SQL Server you are using. Data integrity should also be considered as a security issue. If data is not protected, it is possible that it could become worthless if ad hoc data manipulation is permitted and the data is inadvertently or maliciously modified with incorrect values or deleted entirely. In addition, there are often legal requirements that must be adhered to, such as the correct storage of confidential information. Storing some kinds of personal data is proscribed entirely, depending on the laws that apply in a particular jurisdiction.

For more information, check out:

http://msdn.microsoft.com/en-us/library/bb669074.aspx

HTH,

Tom

TechNet Webcast: Windows Network Policy Server Fundamentals (Level 300)

In this session, we talk about Network Policy Server (NPS) in Windows Server 2008, and how to implement Network Access Protection (NAP). We start with an introduction to the Network Policy Server, and show how it plays a valuable role in maintaining the integrity of an internal computer network. We also explain how to deploy and configure NAP, how NAP works, and how it employs NPS. Learn to enable debug tracing, and how it can be used for monitoring and troubleshooting connectivity problems. Finally, see how to use load balancing and how to set up fallback servers, in addition to various techniques for deploying backup/recovery plans to maintain a high-availability network access system.

Presenter:  Blain Barton, IT Pro Evangelist, Microsoft Corporation

In his 12 years at Microsoft, Blain Barton has organized and delivered a wide array of educational programs. He has presented at more than 400 live events and received six top presenter awards in the last several years. Blain has also worked on worldwide original equipment manufacturer (OEM) system engineering and headed up the Microsoft Visual Basic support team. In presentations, Blain is known for getting his audiences personally involved in every demo. He plays the drums in his free time, and he taught professional-level snow skiing in Washington State before moving to Florida, where he currently resides.

Check out the Webcast at:

http://www.microsoft.com/events/series/detail/webc...366207

HTH,

Tom

On Virtualizing Network Security Devices

Over the last few years virtualization has become increasingly popular. I’ve been virtualizing my datacenters for the last eight years, so the sudden rush to virtualization came as a bit of a surprise to me. However, it was a good surprise, because it showed that I was right to promote virtualization as a management, high availability and disaster recovery solution, even when nobody seemed to care about it.

With all the goodness that virtualization gives, there’s one thing that it doesn’t provide — a security solution. Virtualization is many things to many people, but one thing it’s not is a security solution. This means you need to consider how virtualization affects the security posture of your enterprise.

There are a lot of approaches you can take when designing your virtualized topology. The one I find the most useful is one that works in a non-virtualized infrastructure. You put all machines belonging to the same security zone on the same host machine. Servers that belong to different security zones are put on different host servers.

What this means in practice is that you mirror your network security zones to host servers. There are all types of security zones: anonymous access DMZs, authenticated access DMZs, network services segments, client segments, departmental segments, honeypot segments, and so-forth. The key issue with security zones is that there is a network security device controlling access into and out of the security zone.

So how would we approach this situation in an actual deployment? Take a very simple network with the following security zones:

  • Network services segment — this contains AD domain controllers, Exchange back-end servers, internal DNS resolvers, and SharePoint servers
  • Anonymous access DMZ — this contains public Web servers, public DNS servers, public FTP servers, public media streaming servers, and inbound SMTP relays (Edge Exchange Servers)
  • Authenticated access DMZ — this contains resources that require authentication at the firewall before access is allowed to these servers. For example, front-end/client access Exchange Servers, public facing SharePoint servers, and authenticated SMTP relays (used by external users who require SMTP to support POP3 or IMAP4 clients)
  • Firewall zone — this zone is separate and distinct from the other zones, since it has the largest attack surface, representing all users on the Internet

Using this model, how many host servers do we require? Since there are four security zones, we use four different host servers. The goal is to reduce the risk that VMs in higher-risk security zones compromise high-value assets in lower-risk security zones. In this way, we don’t put all the VMs on the network services segment host machine at risk from attacks that take place against VMs located on the public access DMZ host machine.

Keep in mind that we still need to segment these security zones from one another in the same way we did with our non-virtualized environment. What this means is that while we’ve consolidated all the servers located in each zone onto one or more physical host machines, we still need inline network security devices (which can be VMs on separate host machines if you like) to provide network level access controls between the zones. Virtualization doesn’t add any “magic security sauce” to the equation — the same principles of network security and zone segmentation apply. A possible exception to this rule is when you’re using IPsec server and domain isolation to create “virtual” network segments, but that’s another story for a different day.

Most importantly, this answers the question as to whether or not you should run network security devices in a VM. The answer is yes, there’s no problem putting network security devices such as firewalls, remote access VPN servers and SSL VPN gateways in virtual machines, but you have to make sure that you put all of these “edge” devices on a host separate from hosts containing virtual machines belonging to other security zones.

But sometimes a picture is worth a thousand words. Christofer Hoff in his blog entry regarding virtualizing security appliances at http://rationalsecurity.typepad.com/blog/2008/08/f...t.html sums up the entire issue with this picture:

The only thing I would change here is that the top line should read “Every time you deploy a security virtual appliance on the same host as non-security virtual machines….”
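One way to turn the two placement rules above (one security zone per host, and no network security device sharing a host with VMs from any other zone) into a check you can run against an inventory export. This is an added example, not code from the original post; the VM names, host names and zone labels in the inventory are constructed, and using an “edge” zone label to stand for the firewall zone is an assumption.

```python
"""Check a VM inventory against the one-zone-per-host placement model.

Added example, not from the original post. Rule 1: every VM on a host must
belong to the same security zone. Rule 2: network security devices (the
firewall zone, labelled "edge" here) never share a host with VMs of another
zone. The inventory below is constructed; its names are assumptions.
"""
from collections import defaultdict

# Constructed inventory: (vm, security zone, host).
INVENTORY = [
    ("dc01",       "network-services", "host-ns-1"),
    ("exch-be01",  "network-services", "host-ns-1"),
    ("www01",      "anon-dmz",         "host-anon-1"),
    ("dns-pub01",  "anon-dmz",         "host-anon-1"),
    ("exch-cas01", "auth-dmz",         "host-auth-1"),
    ("fw01",       "edge",             "host-edge-1"),
    ("sslvpn01",   "edge",             "host-edge-1"),
    # Two deliberate misplacements the check must flag:
    ("ftp01",      "anon-dmz",         "host-ns-1"),    # DMZ server on the services host
    ("fw02",       "edge",             "host-auth-1"),  # firewall beside auth-DMZ servers
]

EDGE_ZONE = "edge"  # zone holding firewalls, remote access VPN servers and SSL VPN gateways


def zones_per_host(inventory):
    """Map host -> {zone -> [vm, ...]}."""
    hosts = defaultdict(lambda: defaultdict(list))
    for vm, zone, host in inventory:
        hosts[host][zone].append(vm)
    return hosts


def hosts_required(inventory):
    """Minimum number of hosts under this model: one per distinct zone."""
    return len({zone for _, zone, _ in inventory})


def find_violations(inventory, edge_zone=EDGE_ZONE):
    """Return sorted (host, rule, zones) findings; an empty list means compliant."""
    findings = []
    for host, zones in zones_per_host(inventory).items():
        if len(zones) < 2:
            continue
        findings.append((host, "mixed-zones", sorted(zones)))
        if edge_zone in zones:
            # The post's strongest rule: edge devices get a host of their own.
            others = sorted(z for z in zones if z != edge_zone)
            findings.append((host, "security-device-colocated", others))
    return sorted(findings)


if __name__ == "__main__":
    print(f"hosts required for this inventory: {hosts_required(INVENTORY)}")
    for host, rule, zones in find_violations(INVENTORY):
        print(f"{host}: {rule}: {', '.join(zones)}")
```

Feed it a real export from your virtualization platform, with the zone column taken from your network documentation rather than guessed from VM names, and run it whenever a VM is created or migrated; a live migration that lands a VM on a host in a different zone is the most common way this model quietly erodes.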

HTH,

Tom

Microsoft Forefront "Stirling" — Integrated Security Configuration and Response Platform

What is Stirling? Forefront codename “Stirling” is an integrated security system that delivers comprehensive, coordinated protection across endpoints, messaging and collaboration applications, and the network edge that is easier to manage and control.

At release, “Stirling” will include:

  • A single management console and dashboard for security configuration and enterprise-wide visibility.

  • The next-generation versions of Forefront Client Security, Forefront Security for Exchange Server, Forefront Security for SharePoint, and Internet Security and Acceleration Server (to be renamed Forefront Threat Management Gateway).

Microsoft has published a FAQ on “Stirling” that has information you’ll want to know about. After reading the FAQ, I’m sure you’ll want to download the trial software and give it a go. Check out the FAQ at:

http://www.microsoft.com/forefront/stirling/en/us/...q.aspx

Download the Stirling software at:

http://technet.microsoft.com/en-us/evalcenter/cc33...9.aspx

You can also download preconfigured virtual machines with the “Stirling” software so that you can more quickly get up to speed on what “Stirling” has to offer. The VM download link is on the same page.

HTH,

Tom
