Not being a developer myself, I don’t spend a lot of time searching out information on secure software development. However, I recently found a site that makes secure software development education interesting to non-developers. The site is called Microsoft Hello Secure World. There are a number of useful and interesting presentations that you can watch and listen to on the site, and a virtual lab that you can use to bone on up learning about how to avoid common coding mistakes.

Check it out at:

http://www.microsoft.com/click/hellosecureworld/de...t.mspx

HTH,

Tom

Thomas W Shinder, M.D.
Site: http://www.isaserver.org/
Blog: http://blogs.isaserver.org/shinder/
GET THE NEW BOOK! Go to http://tinyurl.com/2gpoo8
Email: tshinder@isaserver.org
MVP — Microsoft Firewalls (ISA)

I’ve written in the past about the areas where you need to implement security. My personal focus is network security, because my primary interest is in network firewalls, especially the ISA Firewall. However, there are many layers that need to be taken care of before you can say that you’ve implemented defense in depth security policy. I would argue that the most important consider is the security of the software deployed. In other words, is the software itself secure?

Building secure software is not magic. It’s the result of hard work and dedication to secure software development principles. Many software developers depend on penetration tests and security bugs found in the software after it is released. But is that the best way to do things?

To build secure software, you have to make sure that the software is created with security in mind. Security needs to be built in during every step in the process. From the planning phase, to the development phase, to the testing phase, to the post release phase, security procedures needs to be built in so that security bugs never appear in the first place.

This is where the Microsoft Security Development Lifecycle (SDL) comes in. The SDL includes a number of processes and procedures that can be used throughout the entire lifecycle of a particular software product. Security isn’t something that’s taken care of at the end of software development, where pen testing is used to find any security vulnerabilities in the software. Instead, security is built in each step of the way, so that a proactive approach is used to prevent vulnerabilities from ever appearing. Of course, pen testing is still used, but if the SDL is properly employed, very little value should come from pen testing.

The figure below shows the number of vulnerabilities for the first year after release between Windows XP and Vista, as well as other operating systems. As you can see, just comparing Windows XP and Vista shows a 50% reduction in vulnerabilities. And when you compare Vista to other operating systems, it’s clear that the SDL makes a profound difference when it comes to creating more secure software.

Some might argue that just counting vulnerabilities is not the best way to measure how secure software is out of the box. I won’t argue for or against that point. However, if you’re choosing between Microsoft and another vendor, just ask the other vendor what policies, processes and procedures they in place that insure that their software is secure by design, and have them compare their processes with the Microsoft SDL. If they can’t answer these questions, or give you The Party Line ( this is FUD, what does Microsoft know about security, etc) then consider the potential (and hidden) security issues with their software.

For a great discussion on this issue, check out:

http://www.microsoft.com/technet/community/columns...8.mspx

For more information on the Security Development Lifecycle:

http://msdn.microsoft.com/en-us/library/ms995349.aspx

http://www.microsoft.com/downloads/details.aspx?Fa...ang=en

HTH,

Tom

Thomas W Shinder, M.D.
Site: http://www.isaserver.org/
Blog: http://blogs.isaserver.org/shinder/
GET THE NEW BOOK! Go to http://tinyurl.com/2gpoo8
Email: tshinder@isaserver.org
MVP — Microsoft Firewalls (ISA)

Ran across a great collection of free security utilities, may of which can prove useful to any Windows security administrator.

Check out a list of these free Security Tools at:

http://www.itsecurity.com/features/103-best-free-s...41608/

Note that not all of them are freeware. Some have 30 day trial version that dumb down after the trial period runs out. But there’s still enough on this list that you should find something that will help out your company or home network.

HTH,

Tom

Thomas W Shinder, M.D.
Site: http://www.isaserver.org/
Blog: http://blogs.isaserver.org/shinder/
GET THE NEW BOOK! Go to http://tinyurl.com/2gpoo8
Email: tshinder@isaserver.org
MVP — Microsoft Firewalls (ISA)

While most of us consider the installation, configuration and maintenance of security software on the network to be the most daunting task of a network security program, probably the most challenging aspect of security is to get employee buy in. Without the help of your users, many of your technological solutions will fail. However, if you can get your users online with your overall security vision and implementation, you’ll significantly increase the value of your security software investment.

This is where the Microsoft Security Awareness Toolkit can help. Included in the toolkit are a number of resources that you can use to help your users under network security and help motivate them to help maintain the security of the network and the resources it contains.

Tools included in the toolkit include:

• Brochure Templates
• E-Mail Invite Template
• Fact Sheet Templates
• FAQs
• Newsletter Template
• Poster Templates
• PowerPoint Templates
• Quick Reference Card

To download the toolkit, check out:

http://www.microsoft.com/technet/security/understa...s.mspx

HTH,

Tom

Thomas W Shinder, M.D.
Site: http://www.isaserver.org/
Blog: http://blogs.isaserver.org/shinder/
GET THE NEW BOOK! Go to http://tinyurl.com/2gpoo8
Email: tshinder@isaserver.org
MVP — Microsoft Firewalls (ISA)

Yesterday I wrote about a Web site promoting something called the Home Network Awareness Program. This site claims to be affiliated with the Department of Homeland Security and throughout the site makes it a point to appear as a legitimate community effort to help reduce the risks of terrorism by analyzing network traces of home networks and any available public network. While this is clearly a non-starter and farcical to a seasoned network security admin, people with a less jaundiced eye would easily accept this as a legitimate site.

However, if you check the blog Emery Martin of Brooklyn New York, the founder of the site, you’ll see the following:

“The Neighborhood Network Watch (NNW) aims to address the lack of criticality being leveled at these areas, along with raising public awareness about the security issues with public networks, and revealing the malleable nature of information and data. It aims to do this by taking on the role of a government sanctioned community organization that is a hyperreal manifestation composited from current government agencies and potential future agencies.” (Italics mine)

So, Mr. Martin is using his Web site to impersonate a legitimate government authority to obtain personally identifiable information that is in flight on home and business wired and wireless networks. I think we have an official term for this type of site, it’s called a phishing site. Check out http://www.google.com/search?hl=en&rls=GGLG,GG...=title to see the definitions of phishing and you’ll find that the http://dhsnnw.org site meets these requirements.

What’s interesting is that no phishing filters that I work with tagged this site. Maybe it’s too new? Maybe it’s not popular enough? Or maybe the people who search for phishing sites were fooled into thing that it was a legit site too.

The Register did a nice article on debunking this site, which you can find at http://www.theregister.co.uk/2008/04/24/neighborho...asked/  It turns out that Mr. Martin is a graduate student in Interactive Telecommunications at New York University’s Tisch School of the Arts and the site is his Master’s Thesis.

HTH,

Tom

Thomas W Shinder, M.D.
Site: http://www.isaserver.org/
Blog: http://blogs.isaserver.org/shinder/
GET THE NEW BOOK! Go to http://tinyurl.com/2gpoo8
Email: tshinder@isaserver.org
MVP — Microsoft Firewalls (ISA)

I have been on the road a lot in the last month and haven’t had much time to perform basic computer maintenance on my primary workstation. My workstation is somewhat of a monster of cables and external hard drives, external DVD writers, and a dual wide screen monitor setup. There’s about 4 terabytes connected to this box, including all my research and work materials, virtual machines, and the standard and non-standard applications someone in the info security spaces collects over the years.

The machine runs Windows XP SP2 (yes, I haven’t taken the leap to Vista, mostly because the “Remote Desktops” administrator MMC does not work with Vista) and after running the uptime tool I discovered that it had been running for 42 days. I wasn’t too worried about that uptime, but I was concerned that I hadn’t installed any updates during that time. So I clicked the Windows Update icon in the system tray to get things going. It seemed to take quite a while to get the updates running and after about 15 minutes I saw a pop-up windows come from the tray saying “Your Antivirus Definitions Have Been Updated”. Oh great, Norton decided to install AV definitions and update its application at the same time I was installing Windows Updates.

Well, nothing bad seemed to happen after the restart. About an hour later I needed to reply to an email message and received the error “There is a Problem with the Messaging Interface — please restart Outlook”. I knew this was going to be bad, because when Outlook goes sour its going to be a long day.

I tried to repair Outlook, but received an error that a file was missing from the MSOCache. I tried to reinstall Outlook, but that didn’t work. I considered uninstalling and reinstalling Outlook, but decided to cut my losses (of time, that is) and just restore an image of the machine when it was working.

Since then, Norton AV has updated itself and Outlook still works. I haven’t installed the Microsoft Updates yet. However, I suspect that the unholy confluence of installing Windows Updates and AV Updates did something that had a negative impact Outlook, and maybe other applications if I had taken the time to find out.

Solution? That’s the hard part. I would recommend that you set your AV updates to be manual, but that’s not a good idea. Perhaps I should have set the Windows Updates to automatic? That’s probably the best solution, but again, it doesn’t make sure that that both update installation processes take place at the same time.

At this point, I’ll just have to chalk this up to a “day in the life” of a sysadmin :)

Thanks!

Tom

Thomas W Shinder, M.D.
Site: http://www.isaserver.org/
Blog: http://blogs.isaserver.org/shinder/
GET THE NEW BOOK! Go to http://tinyurl.com/2gpoo8
Email: tshinder@isaserver.org
MVP — Microsoft Firewalls (ISA)

Someone recently pointed me to a very interesting Web site. While not technically a Microsoft security issue, I thought it would be something that you would be interested in knowing about. The site, www.dhsnnw.org proposes to be affiliated with the US Department of Homeland Security. Note that this site is not a government site. If it were an official US government site, it would be using the .gov top-level domain name.

So, what it is that they do? They recommend that you use open source network sniffing tools to capture in-flight data on not only your own network, but any other network that you can connect to. This includes your neighbors networks’, the Starbucks WLAN, the McDonald’s WLAN, and even password protected networks, if you can find a way to get the password.

The Network Awareness Program even provides you with a nice, step by step guide on how to install and configure your network sniffers — http://www.dhsnnw.org/HNAPDocs/NNW-HNAP-How%20To%2...ic.pdf

But it doesn’t stop there. Not only are you supposed to using the network sniffers to listen to the traffic, you are instructed on how to store the results of your sniffing sessions and then send those results to the Neighborhood Network Watch people. They then claim that they will analyze this information and send you a report about the potential terrorist activity taking place on your network!

Now, I don’t know if this organization is for real, or just part of a colleague student’s undergraduate thesis. What is clear that in many States this type of network espionage is illegal. While I don’t expect networking professionals to fall for this stuff, it’s clear that the site isn’t being targeted at us. Instead, it’s being targeted at hapless end users who aren’t aware that these log files contain the contents of their email communications, instant messenger communications, and any other unencrypted communications (and contents of encrypted communications).

If you have friends, co-workers, family members or anyone else who might be tricked into participating in this program, please let them know that not only is this a really bad idea, but that they can also expose their personal information to an untrusted stranger and potentially break local laws by following this Web site’s advice.

HTH,

Tom

Thomas W Shinder, M.D.
Site: http://www.isaserver.org/
Blog: http://blogs.isaserver.org/shinder/
GET THE NEW BOOK! Go to http://tinyurl.com/2gpoo8
Email: tshinder@isaserver.org
MVP — Microsoft Firewalls (ISA)

The question came up last week regarding the relative advantages of SSL versus IPsec VPNs. It’s a good question, since there are still a good number of companies considering the move away from their traditional IPsec based VPNs to an SSL VPN solution. The real question that you need to ask yourself is whether you’re considering moving to an SSL VPN because it seems like everyone else is doing it, or if you’re moving to an SSL VPN because it will provide you additional business value.

There are two important reasons to consider moving to an SSL VPN:

• More reliable access
• Increased security

IPsec VPNs introduce a number of problems that make reliable access from any location problematic. Consider the following:

• Almost all IPsec VPNs require that you install a client application to support the solution. The exception to this is the Microsoft VPN client, which supports L2TP/IPsec out of the box
• NAT devices can complicate access. The IPsec VPN client and server need to support NAT traversal. The Microsoft L2TP/IPsec VPN client supports NAT traversal, but this functionality is broken with Windows XP SP2 and above and often requires a Registry fix to get it to work, something the average end user is not aware of
• Firewalls can complicate IPsec VPN connectivity either because they are not configured to support the IPsec VPN protocols or because they do not support the IPsec NAT traversal protocol

In addition to the reliability issues, IPsec VPNs introduce security problems:

• The typical IPsec VPN remote access solution allows VPN users full access to the network from an unmanaged client.
• The typical IPsec VPN does not support user/group based access controls to corporate network resources after the IPsec VPN connection is established.
• The typical IPsec VPN does not perform application layer inspection. This can allow exploits extant on the VPN clients to be spread to the corporate network.

SSL VPNs are designed to solve the problems of security and reliability to remote access connections. For example, consider the Microsoft IAG 2007 SSL:

• IAG 2007 allows all protocols to be wrapped in an SSL encrypted HTTP header. Almost all firewalls allow outbound connection through TCP 443, therefore ridding yourself of firewall issues.
• NAT traversal isn’t an issue for SSL connections
• The IAG 2007 has a robust endpoint detection feature, so that even unmanaged clients can have their security configuration checked before allowing access — reduced access rights can be configured for clients who don’t pass all security checks
• IAG 2007 allows you to publish only applications — full network access is not allowed. Users access only applications and data that you explicitly allow access to
• IAG 2007 performs robust application layer inspection through the use of positive and negative logic filters. The negative logic filters protect you against known exploits, and positive logic filters protect you again zero-day exploits by allowing only known-good connections
• Users do not need to pre-install client software to access applications and data using the IAG 2007 SSL VPN. A thin client is automatically downloaded when the user connects to the SSL VPN

As you can see, there are significant access reliability and and security advantages to deploying an SSL VPN. The only downside to an SSL VPN solution is the cost. IPsec VPNs are available at commodity prices these days, and the initial cost is relatively low (the ongoing costs can be quite a bit higher, because of the Help Desk time used to troubleshoot IPsec VPN connectivity issues).

HTH,

Tom

Thomas W Shinder, M.D.
Site: http://www.isaserver.org/
Blog: http://blogs.isaserver.org/shinder/
GET THE NEW BOOK! Go to http://tinyurl.com/2gpoo8
Email: tshinder@isaserver.org
MVP — Microsoft Firewalls (ISA)

While clicking around the Microsoft Web site, I ran into a Security Process map that I helped put together about a year ago. The Web team really did a nice job with this map! The goal of the map is to show IT Pros a way to think about network and system security and give them something that was easy to understand and also provide information on Microsoft products and technologies that can be used to help secure the organization.

Check out the Security Process Map at:

http://www.microsoft.com/technet/security/map/defa...t.mspx

HTH,

Tom

Thomas W Shinder, M.D.
Site: http://www.isaserver.org/
Blog: http://blogs.isaserver.org/shinder/
GET THE NEW BOOK! Go to http://tinyurl.com/2gpoo8
Email: tshinder@isaserver.org
MVP — Microsoft Firewalls (ISA)

Microsoft Forefront Client Security is an enterprise anti-malware and security monitoring system that can support up to 100,000 users. There are both client and server side components that go into the solution. The client side software performs anti-malware checks on a periodic basis, or on demand, depending on the policy you configure on the Forefront Client Security servers. There are several server side components, including the Forefront Client Security reporting server, management server and database server.

Forefront client security can be set up based on your company’s requirements and how many client need to be supported. A small company can use a single server to host all the server side roles. Large companies will need to deploy more servers and may wish to scale up to 6 servers. Even more servers are required when you want to scale up to large numbers nearing the 100,000 “soft” limit.

Because of the number of ways you can deploy the server side components, getting up to speed on Forefront Client Security can seem a little daunting. To get over the learning curve, Microsoft has provided you with two free Forefront Client Security clinics. Each one runs for about two hours. After the clinics you might want to get some more hands on work before deploying Forefront Client Security in your test lab. This is where the hands on labs will help.

For more information on the clinics, check out:

http://technet.microsoft.com/en-us/forefront/clien...4.aspx

For information on the Forefront Client Security labs:

http://technet.microsoft.com/en-us/forefront/clien...5.aspx

HTH,

Tom

Thomas W Shinder, M.D.
Site: http://www.isaserver.org/
Blog: http://blogs.isaserver.org/shinder/
GET THE NEW BOOK! Go to http://tinyurl.com/2gpoo8
Email: tshinder@isaserver.org
MVP — Microsoft Firewalls (ISA)