Dr. Tom Shinder’s Blog


Forefront Trial Download Sweepstakes

Don’t miss the chance to win one of three $10,000 Grand Prize server systems for your home, a D-Link DNS-232 2-Bay Network Storage Enclosure, or a $50 Best Buy gift card instantly!

Now, through June 30, 2009, every time you download a different Microsoft Forefront trial software product, you’ll help keep your business safe and have a chance to win big in the Microsoft Forefront Trial Download Sweepstakes.

Follow the instructions below to get started:

  1. Click a “Chance to Win!” button below to download any of the 8 eligible Microsoft Forefront free trial products.

  2. Follow the link provided in the instructions section of the Download Center page for each eligible product.

  3. Complete and submit the online entry form. You will automatically receive one (1) Sweepstakes entry and one (1) Instant Win Game play.

  4. Download a different eligible product and get another chance to win great prizes!

All you have to do is download to get a chance to win one of these sweet rigs.

Head on over to:

http://www.microsoft.com/forefront/en/us/trial-sof...e.aspx

to get into the game!

HTH,

Tom

Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer

Prowess Consulting www.prowessconsulting.com

PROWESS CONSULTING | Microsoft Forefront Security Specialist
Email: tshinder@isaserver.org
MVP — Forefront Edge Security (ISA/TMG/IAG)

Forefront Business Ready Security

As businesses look to drive growth, they need to increase collaboration, sharing and access to information but must do so while protecting their assets and infrastructure.

Frequently this must be addressed in the context of shrinking budgets and increased regulatory pressure. In response to these business challenges and opportunities, Microsoft is taking a fundamentally different approach to security.

They call it business ready security.

Read more about the evolution of the Forefront security product suite and Microsoft’s innovative approach to enterprise security at:

http://www.microsoft.com/presspass/features/2009/A...y.mspx

We’ll be covering this topic in much more detail this week, as the Forefront suite continues to gain more members and provide a full, integrated and complete set of security products. These are some exciting times for Microsoft security admins and specialists!

Stay tuned!

Tom

Forefront Security for Exchange Server SP1 Capacity Planning Tool

The new Forefront Security for Exchange Server SP1 capacity planning tool helps customers understand what hardware, architecture, and configuration settings will produce recommended system performance and message throughput results for comprehensive protection of their Exchange Servers.

This tool, an Excel spreadsheet with built-in workflow, applies to the Forefront Security for Exchange Server SP1 product. The user will be able to plan the details for a new deployment or understand the impact of adding security protection to an existing deployment.

In short, the user will choose their CPU and memory tolerances for deployment, their target reference architecture, their desired protection settings, and their targeted supported user load. Once this is defined, the tool will either recommend scaling up or out on the base recommended hardware for each server role.

Learn more about this tool and download it at:

http://www.microsoft.com/downloads/details.aspx?Fa...ang=en

HTH,

Tom

Affordable Two-factor Security for Microsoft Active Directory from Collective Software

Collective Software, the premier developer for the Microsoft ISA Server platform, has partnered with Yubico to release AuthLite, an affordable, integrated multi-factor authentication system designed to secure access to Windows workstations and Microsoft Active Directory network services including VPN, Outlook, SharePoint, and CRM.

“The combination of ease of use, simplicity of configuration, cost-effectiveness, tight integration with ISA and AD, and exquisite security makes AuthLite stand out from the crowd,” said Dr. Thomas Shinder, Microsoft Forefront Security Specialist at Prowess Consulting, and author and commentator at www.isaserver.org and www.windowsecurity.com. “I highly recommend any company without a current two-factor authentication solution to consider AuthLite.”

Organizations throughout the world use Microsoft Active Directory to provide network services, authenticate users, and manage their IT enterprise. Normally, Windows user accounts are weakly protected with only a single-factor password. Different systems exist to extend this security, but they often require expensive hardware tokens, deployment of reader devices, costly annual service agreements and confusing user training.

Collective Software developed AuthLite to incorporate Yubico’s YubiKey, in addition to the user’s normal password. YubiKey’s one-touch design emulates a USB keyboard to enter strong one-time credentials automatically without expensive hardware or complicated, multiple step logon procedures.

For maximum security and manageability, YubiKey data is stored within Active Directory and authentication is accomplished without relying on an external server on the Internet. The AuthLite software can automatically program each user’s new YubiKey when they visit the Windows “Change Password” screen on their workstation. In this manner, converting any number of users to the AuthLite system is easily done without tedious administrative key provisioning.

AuthLite also enables multi-factor logon to offline workstations, VPN services, and Extranet portals. The thin, 2 gram YubiKey can easily be carried on a keychain and used with AuthLite for all secure authentications to the enterprise.

A free evaluation of AuthLite can be downloaded from www.AuthLite.com

YubiKeys can be ordered from www.yubico.com/order

Common SQL Server Security Issues and Solutions

Nice article by Paul Randal about security issues with SQL Server.

Some pithy excerpts:

“…A less obvious consideration is the security of the desktops of the people who have high-privileged access to SQL Server. If someone has sysadmin access to SQL Server but they leave their Windows desktop unlocked, then all the security in the world isn’t going to prevent someone walking past the unattended system from potentially accessing sensitive data. A more insidious problem would be if someone walked past and changed some data—for instance, a dishonest employee who knows the schema of the human resources database and tries to undetectably change a salary…”

“…As such, a SQL Server service account should not be a high-privileged account (such as Local System or Local Administrator) because if SQL Server is compromised, there is the potential for the Windows system to also be compromised. The services typically run under a built-in account called Network Service, but if SQL Server requires access to other domain resources, a new domain user account should be created with the minimum privileges and resource accesses required. The SQL Server 2008 Books Online topic “Setting Up Windows Service Accounts” provides a comprehensive list of service accounts, required privileges, and resources. Note that if you must change a service account (or anything about it), you should always use the SQL Server Configuration Manager to ensure that all the necessary configuration changes are properly made…”

“…All of this can be accomplished within SQL Server by a comprehensive, hierarchical permissions system where users or roles (called principals) are granted or denied certain specific permissions on certain resources (called securables) such as an object, schema, or database. An overview of the SQL Server permissions hierarchy is illustrated in Figure 4. This also implies that you follow the principle of least privilege. For example, don’t make all database developers members of the db_owner role. Restrict permissions to the public role and only grant permissions to the lowest level (user or role) to minimize direct access. A full discussion of best practices for permissions is beyond the scope of this article, but SQL Server 2008 Books Online includes a section called “Identity and Access Control (Database Engine)” that offers drill-downs into all the concepts….”

Now read the entire article over at:

http://technet.microsoft.com/en-us/magazine/2009.0...l.aspx

HTH,

Tom

The Microsoft SDL Pro Network

The Security Development Lifecycle (SDL) has significantly improved the security of Microsoft products. With attacks increasingly shifting to the application layer, it is becoming more critical for application developers to implement the SDL.

To support the need for application developers to implement the SDL, Microsoft created the SDL Pro Network. This network includes nine training and consulting companies that specialize in application security and have substantial experience and expertise with the methodology and technologies of the SDL, the industry-leading software security assurance process.

Head on over to

http://msdn.microsoft.com/en-us/security/dd219581.aspx

for more information about the SDL Pro Network.

HTH,

Tom

PKI Enhancements in Windows 7 and Windows Server 2008 R2

The improvements in Windows 7 and Windows Server 2008 R2 PKI are focused around four core areas:

  • Server consolidation. This allows organizations to reduce the total number of certificate authorities (CAs) required to meet their business objectives.
  • Improved existing scenarios. This focus is on such elements as offering more complete SCEP (Simple Certificate Enrollment Protocol) support and including a Best Practices Analyzer (BPA).
  • Software + Services. This is to enable autonomous enrollment of users and devices for certificates regardless of network boundaries and certificate providers.
  • Strong authentication. This area focuses on improvements to the smart card experience, the introduction of the Windows Biometric Framework, and so on.

Check out this article at:

http://technet.microsoft.com/en-us/magazine/2009.0...i.aspx

HTH,

How Do I: Configure Forefront Server Security for SharePoint to Block Uploading and Downloading of Specific File Types?

As users embrace SharePoint, IT Pros need to be able to control the types of files that they are uploading.

While SharePoint provides the ability to block files based on their extension, Forefront Security for SharePoint takes this one step further and inspects the file headers so that renaming a file won’t allow a user to bypass the blocks.
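To make the difference between the two approaches concrete, here is an added example (my own illustration, not Forefront or SharePoint code) of an upload check that first applies an extension block list, then looks at the file header, and finally refuses files whose header does not match the claimed extension. The signature table, the policy sets and the sample files are constructed for the example; a product such as Forefront carries a far larger signature database.

```python
"""Decide whether an upload is allowed by inspecting the file header
(magic bytes), not only the filename extension.

Constructed example: a tiny MZ/PE stub renamed to report.pdf must still be
rejected when executables are on the block list.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Offset-0 signatures for a few common types (labels are our own).
SIGNATURES: Tuple[Tuple[bytes, str], ...] = (
    (b"MZ", "exe"),                                  # DOS/PE executable
    (b"\x7fELF", "elf"),                             # ELF executable
    (b"%PDF-", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),   # legacy .doc/.xls/.ppt
    (b"PK\x03\x04", "zip"),                          # .zip and .docx/.xlsx/.pptx
)

# Which header types an extension is allowed to carry.
EXTENSION_TYPES = {
    "pdf": {"pdf"}, "png": {"png"}, "jpg": {"jpeg"}, "jpeg": {"jpeg"},
    "gif": {"gif"}, "doc": {"ole2"}, "xls": {"ole2"}, "ppt": {"ole2"},
    "docx": {"zip"}, "xlsx": {"zip"}, "pptx": {"zip"}, "zip": {"zip"},
    "exe": {"exe"}, "dll": {"exe"}, "scr": {"exe"},
}

# Constructed policy: what SharePoint's native blocking would use (extensions)
# and what header inspection adds (types).
BLOCKED_EXTENSIONS: FrozenSet[str] = frozenset({"exe", "dll", "scr", "bat", "cmd", "vbs"})
BLOCKED_TYPES: FrozenSet[str] = frozenset({"exe", "elf"})

# Constructed sample payloads (not real files).
PE_STUB = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"
PDF_SAMPLE = b"%PDF-1.4\n% constructed sample\n"


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    detected_type: Optional[str]


def sniff_type(data: bytes) -> Optional[str]:
    """Return the type implied by the leading bytes, or None if unrecognised."""
    for magic, label in SIGNATURES:
        if data.startswith(magic):
            return label
    return None


def evaluate_upload(filename: str, data: bytes,
                    blocked_extensions: FrozenSet[str] = BLOCKED_EXTENSIONS,
                    blocked_types: FrozenSet[str] = BLOCKED_TYPES,
                    block_unknown: bool = False) -> Decision:
    """Extension check, then header check, then extension/header consistency."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    detected = sniff_type(data)
    # 1. Name-based block list: cheap, but defeated by renaming.
    if ext in blocked_extensions:
        return Decision(False, f"extension .{ext} is blocked", detected)
    # 2. Header-based block list: renaming does not change the bytes.
    if detected in blocked_types:
        return Decision(False, f"header identifies blocked type '{detected}' (named .{ext})", detected)
    # 3. Unrecognised header: policy decides whether to fail open or closed.
    if detected is None:
        if block_unknown:
            return Decision(False, "file header not recognised", None)
        return Decision(True, "file header not recognised; allowed by policy", None)
    # 4. Header and extension disagree (e.g. a PDF named logo.png).
    expected = EXTENSION_TYPES.get(ext)
    if expected is not None and detected not in expected:
        return Decision(False, f"header type '{detected}' does not match .{ext}", detected)
    return Decision(True, "ok", detected)


if __name__ == "__main__":
    for name, payload in (("report.pdf", PE_STUB), ("tool.exe", PE_STUB),
                          ("brief.pdf", PDF_SAMPLE), ("logo.png", PDF_SAMPLE)):
        d = evaluate_upload(name, payload)
        print(f"{name:12} allowed={d.allowed!s:5} type={d.detected_type} ({d.reason})")
```

Running the block shows the renamed executable being refused on its header while the genuine PDF passes; the `block_unknown` switch is the policy knob for files whose header the signature table does not cover, which is where most real-world tuning of such a filter happens.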

In this video, Gordon Ryan shows you how to configure file blocking in Forefront Security for SharePoint.

http://technet.microsoft.com/en-us/security/dd5607...2.aspx

HTH,

Tom

Is Cloud Computing Really Risk Transference?

Interesting blog post regarding cloud security from Microsoft Security Specialist Kai Axford. I’ve been spending about 60 hours a week in “the cloud” for the last couple of months and at least one person considers me an “expert” (me) in the area of cloud computing :)

Kai makes the point that perhaps the key security issue in cloud computing is “risk transference”, where the purchaser of a cloud computing solution is merely moving the responsibility for securing the data to the cloud provider, and assumedly, the cloud provider will incur the costs and associated after effects of a security breach.

It would be nice if that were the case, but in my exhaustive research of cloud computing concepts, offerings, and products over the last two months, I don’t see any cloud computing players, be they in the SaaS, PaaS or IaaS spaces, who are ready to take the hit for you. They might rebate you for time lost on their system (based on an agreement regarding systems availability), but they will not incur any losses regarding lost data or, more importantly for many businesses interested in cloud computing, the loss of brand equity.

Kai is correct that compliance auditing is going to be a major issue for the big cloud providers and the customers who use them. Amazon and Google are far from transparent regarding their software and hardware infrastructure. Try to get low-level details on OS, platform and network security on these two cloud providers’ infrastructures and you’ll be turned away with your hat in your hand.

Until this situation is rectified, it’s unlikely that anyone will be willing to trust proprietary or regulated information to “the cloud”.

However, as I say that, I think of the number of large companies who are willing to trust the information stored in their corporate email to cloud providers such as Google and Microsoft. How do these companies pass regulatory muster? Perhaps there hasn’t been a test case yet, but when that day comes, the complexion of cloud computing and security may change and with arguably unexpected results.

There are a lot of barriers to cloud computing, with regulatory compliance and risk assignment being just two of those issues. Sure, there are providers such as IBM who promote cloud computing concepts and will be able to easily pass regulatory audits, but that’s because their main focus is to pull your organization into the arms of IBM Global Services so that they can take over a piece of your infrastructure and deploy it on their own hardware and software platform in a “private cloud” that they manage for you, sitting next to your corporate infrastructure on your campus. That is hardly the vision of cloud computing being promoted in the media today.

Of course, I’m ignoring the LotusLive SaaS offering from IBM here, but I don’t think IBM sees LotusLive as being the cash cow that IBM Global Services cloud consulting services is envisioned to be.

For Kai’s take on cloud computing and risk transference, check out his article at:

http://blogs.technet.com/kaiaxford/archive/2009/02...e.aspx

HTH,

Tom

Better Together – Windows 7 and Windows Server 2008 R2

When it comes to security, things just keep getting better and better for Microsoft security admins. With each iteration of the Windows client and server, we see more security features, and each security feature is more scalable and easier to administer.

Indeed, if you look at the vast improvements and additions to Microsoft platform security and the ever growing stable of Forefront security products, Microsoft has worked hard to earn the right to be called a major security company.

With that in mind, you might be wondering what Microsoft has ready for us in terms of security for the upcoming Windows 7 and Windows Server 2008 R2. While these products have great security stories in and of themselves, it’s the “Better Together” story where MS security really starts to shine.

What are the major Better Together features? Consider these:

  • Direct Access – extend your corporate network and managed devices to anywhere in the world. No longer worry about managed devices being outside of IT management controls
  • RemoteApp and Remote Desktop – take advantage of presentation virtualization to gain total, centralized control of user desktop and data experiences. And with RDP 7.0, users will benefit from the security advantages of presentation virtualization while retaining the rich client side execution experience for advanced graphics and video support
  • AppLocker – while Software Restriction Policies seemed like a good idea, how many of you actually used them? With AppLocker, you’ll be able to get the benefits of Software Restriction Policies without the complexity and hassle.
  • Better BitLocker – while SP1 extended the security of BitLocker to non-system partitions, with the new and improved version of BitLocker you’ll be able to take advantage of BitLocker To Go. This will enable you to encrypt removable devices. Nice!

For more information about the security advantages of Windows 7 and Windows Server 2008, check out Deb Shinder’s article at:

http://www.windowsecurity.com/articles/Windows-Ser...r.html

HTH,

Tom
