Dr. Tom Shinder’s Blog

Renaming the Administrator Account — Useful Security through Obscurity

Security through obscurity is an important part of any defense in depth plan. For example, many security-conscious organizations do not publish RDP servers on the default RDP port, TCP 3389. Instead, they use another high-numbered port that is unlikely to be checked in an attacker’s scan for potentially vulnerable RDP servers.

Even more useful is to combine security through obscurity with misdirection. For example, a number of tools let a machine listen on a specific port with no service behind it, so that once a connection is established there is nothing an attacker can leverage. The connection to TCP 3389 turns into a dead end, while legitimate connections to the RDP listener on the alternate port work just fine.

Security through obscurity and misdirection are helpful because they cause an attacker to waste time and effort, and they reduce your exposure to automated attacks, which generally try only the default port. The goal is to frustrate the attacker or the automated exploit so that it moves on to more pliant victims.
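As an added illustration of the dead-end idea (this is not code from the original post, and not one of the tools the post alludes to): a PowerShell listener on TCP 3389 that accepts every connection, logs where it came from, never sends a byte back, and closes the socket after a timeout. It assumes RDP itself has already been moved to another port (the Terminal Server port is the PortNumber value under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp, a path that is real but not taken from the post), that the Windows Firewall allows inbound TCP 3389 to this script, and that the log file path is one you choose.

```powershell
# Added example, not from the original post. Dead-end (tarpit) listener on the
# default RDP port: nothing behind it can be attacked, but every probe gets
# logged and held for a while. Assumes RDP has been moved to another port
# (registry value PortNumber under
# HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp,
# reboot required) and that the Windows Firewall allows inbound TCP 3389 to
# this script. Run from an elevated PowerShell prompt.
$port    = 3389
$holdSec = 60                            # how long each probe is kept waiting
$logFile = 'C:\Logs\rdp-deadend.log'     # assumed location; create the folder first

$listener = New-Object System.Net.Sockets.TcpListener([System.Net.IPAddress]::Any, $port)
$listener.Start()
Write-Host "Dead-end listener on TCP $port; probes are logged to $logFile"

# Connections currently being held, with the time each one arrived.
$held = New-Object System.Collections.ArrayList

while ($true) {
    # Accept everything that is waiting; never send a byte back, so a scanner
    # expecting the RDP X.224 connection confirm sees only silence.
    while ($listener.Pending()) {
        $client = $listener.AcceptTcpClient()
        $remote = $client.Client.RemoteEndPoint.ToString()
        $stamp  = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
        Add-Content -Path $logFile -Value "$stamp probe from $remote"
        [void]$held.Add(@{ Client = $client; Remote = $remote; Since = Get-Date })
    }

    # Drop the connections that have been held long enough.
    foreach ($entry in @($held)) {
        if (((Get-Date) - $entry.Since).TotalSeconds -ge $holdSec) {
            $entry.Client.Close()
            $held.Remove($entry)
        }
    }

    Start-Sleep -Milliseconds 250
}
```

The log gives you a running record of who is scanning for RDP, which is useful on its own. Keep $holdSec modest: under a fast scan the process would otherwise accumulate a large number of open sockets.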

However, there are times when security through obscurity provides no added value at all. The classic example is renaming the Administrator account. You will see the recommendation in a large number of books and treatises on network security, and even in the Microsoft operating system hardening guides, yet the security benefit gained by renaming the Administrator account is just about nil.

Why? Because what you actually want to prevent is an attacker logging on as Administrator, and to log on as Administrator the attacker needs the password. The real security is in the strength of the password. A complex password of mixed-case letters, digits and symbols that is at least 16 characters long will not be guessed by an over-the-network attack, whatever the account happens to be called.

(Note that I’m not addressing the issue of when someone has physical access to the computer and tries to perform an offline attack; in that case you need to use BitLocker or some other disk encryption tool to prevent attacks against the administrator account.)

Complex passwords (I prefer not to use the term passphrase, because the term “passphrase” implies that the password has to have some sort of linguistic meaning, which of course it does not) are easy to create. One standard method I use combines a zip code, a phone number and a birth date, with the leftmost character being your first initial in lower case and the rightmost character being your last initial in upper case. For example:

t90250213-696-504501-01-1957S

There you go: a 29-character password that is ridiculously easy to remember. Of course, you can change the order, making it birthday, zip code and then phone number, and you can make it better still by separating each element with a character of your choice, such as ^.

Against blind guessing with current technology, breaking that password would take longer than the universe is assumed to have existed (provided the attacker really does have to guess blindly, rather than knowing both the construction pattern and the personal data it is built from). So what value is there in changing the name of the Administrator account? None, and in fact changing the name can add administrative overhead.

Renaming the admin account is a classic example of something that sounds like a good idea but, when you look at the overall security gains, turns out to add administrative overhead without any realistic improvement in your overall security posture.
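One concrete reason the rename buys so little, shown as an added example (this code is not from the original post): the built-in Administrator account always has relative identifier (RID) 500, so its SID ends in "-500" whatever its display name is, and anyone who can list local accounts can find it by SID without ever knowing the name. The function name and parameter defaults are my own; the WMI class and its properties are real.

```powershell
# Added example, not from the original post. The built-in Administrator account
# keeps RID 500 no matter what it is renamed to (Guest keeps RID 501), so its
# SID always ends in "-500". Anyone who can list local accounts, whether via
# the WMI query below or via SAM/LSA enumeration from the network, finds it by
# SID and never needs the name. Works with PowerShell 1.0/2.0 against
# XP/2003/Vista/2008; -ComputerName defaults to the local machine.
function Find-LocalAccountByRid {
    param(
        [int]$Rid = 500,                          # 500 = Administrator, 501 = Guest
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # Restricting to Domain=<computer> keeps WMI from walking the whole AD
    # domain's account list, which it otherwise does for Win32_UserAccount.
    Get-WmiObject -Class Win32_UserAccount -ComputerName $ComputerName `
        -Filter "LocalAccount=True AND Domain='$ComputerName'" |
        Where-Object { $_.SID.EndsWith("-$Rid") } |
        Select-Object Name, SID, Disabled, Lockout, PasswordRequired
}

# Whatever the account is called now, this returns it.
Find-LocalAccountByRid -Rid 500
```

The SID comparison is exactly what an attacker does, so a renamed account hides nothing from anyone already positioned to enumerate accounts; the password strength, account lockout policy and logon auditing still do the real work.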

For an in-depth discussion of this issue, see The Great Debate: Security by Obscurity at http://technet.microsoft.com/en-us/magazine/cc5103...9.aspx

HTH,

Tom

Thomas W Shinder, M.D.
Site: http://www.isaserver.org/

Blog: http://blogs.isaserver.org/shinder/
GET THE NEW BOOK! Go to 
http://tinyurl.com/2gpoo8
Email: tshinder@isaserver.org
MVP — Microsoft Firewalls (ISA)

Automatically Log on and Protect Your Vista Computer

A problem I’ve run into from time to time is that my main workstation at home reboots itself when I’m out of town. The rebooting itself isn’t much of a problem, because it is typically related to update Tuesday, when applications and security configurations get updated. However, it can be a problem because I have applications that run automatically but require that I be logged on for them to run.

I could have someone at home log me on, but often I forget about the problem, and the machine has been on for several days before I discover that no one has been logged on to it. What would be nice is to have the machine automatically log me on.

However, in order to be secure, the machine should lock the desktop automatically after I’m logged on, so that no one can break into my machine.

So, I needed two solutions:

  1. The machine should be able to log me on automatically
  2. The machine should be able to automatically lock the desktop after my account logs on

Is there a solution? Yes! Check out this article by Greg Schultz for the solution:

http://blogs.techrepublic.com.com/window-on-window...?p=599
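One way to get both behaviours, added here as an example (it is not code from the original post, and not necessarily the method the linked article uses): set the Winlogon automatic-logon values, then register a Task Scheduler task that locks the workstation shortly after the logon completes. The account name and password are placeholders; the registry path, value names and schtasks switches are real.

```powershell
# Added example, not from the original post and not necessarily the method in
# the TechRepublic article it links to. Configures Winlogon automatic logon for
# one account and registers a task that locks the desktop 30 seconds after
# that logon, so the unattended machine ends up logged on but locked.
# Run from an elevated PowerShell prompt on the machine. Account name and
# password are placeholders; read the note after the code before relying on
# DefaultPassword.
$user     = 'tom'                # assumed local account
$domain   = $env:COMPUTERNAME    # use the AD domain name for a domain account
$password = 'REPLACE-ME'

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
Set-ItemProperty -Path $winlogon -Name AutoAdminLogon    -Value '1'       -Type String
Set-ItemProperty -Path $winlogon -Name DefaultUserName   -Value $user     -Type String
Set-ItemProperty -Path $winlogon -Name DefaultDomainName -Value $domain   -Type String
Set-ItemProperty -Path $winlogon -Name DefaultPassword   -Value $password -Type String

# Without AutoLogonCount the automatic logon repeats on every boot, which is
# what is wanted here; set it if you only need a limited number of logons.
Remove-ItemProperty -Path $winlogon -Name AutoLogonCount -ErrorAction SilentlyContinue

# Task Scheduler: at logon, wait 30 seconds for the shell to come up, then lock.
# Created without /RU the task runs as the creating user, only while that user
# is logged on, and needs no stored credential of its own.
schtasks.exe /Create /F /SC ONLOGON /DELAY 0000:30 /TN 'LockAfterAutoLogon' `
    /TR 'rundll32.exe user32.dll,LockWorkStation'
```

The caveat a practitioner will want: DefaultPassword written this way sits in clear text in a registry key that standard users can read, and on an unencrypted disk it is recoverable offline, the same class of attack the Offline NT Password editor post on this page relies on. Sysinternals Autologon writes the password as an LSA secret instead, which is the better choice, and BitLocker on the system volume is what keeps either form of the stored credential from being read offline.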

HTH,

Tom


Offline NT Password and Registry Editor

Whoops! You forgot the password for the local admin account, and didn’t create any other accounts with local administrator privileges. What do you do?

You could rebuild, restore from a backup taken when you did know the password, or try some other trick that might work. But what if you could just reset the local Administrator password offline and get up and running again?

Is it possible? Yes, by using the Offline NT Password and Registry Editor. Some information about this tool:

  • This is a utility to (re)set the password of any user that has a valid (local) account on your Windows NT/2k/XP/Vista etc. system.
  • You do not need to know the old password to set a new one.
  • It works offline, that is, you have to shut down your computer and boot off a floppy disk or CD or another system.
  • Will detect and offer to unlock locked or disabled user accounts!
  • There is also a registry editor and other registry utilities that work under Linux/UNIX, and can be used for other things than password editing.

The tool provides easy-to-use menus for editing the SAM and the local registry of a computer. Two things to keep in mind before you use it: a password reset written into the SAM, as opposed to a password change made while logged on, discards the account’s DPAPI-protected secrets, so EFS-encrypted files and saved credentials for that local account become unreadable unless you have backed up the EFS certificate; and since this is exactly the offline attack that BitLocker or whole-disk encryption exists to stop, it will not work against an encrypted volume unless you hold the recovery key.

Grab this tool at:

http://home.eunet.no/pnordahl/ntpasswd/

HTH,

Tom


Welcome to the Windows Server Virtualization Validation Program

Anyone who’s been in the Microsoft security space for a while knows that stability and availability are a key component of security. If you run security services on a machine that is not reliable and available, the security services it provides are of no use while it is down, which exposes your infrastructure to risks that would not exist had those services been available.

Given that an increasing number of network security services are being hosted in virtual machines, it’s important that the virtualization environment on which those virtual machines run has been validated by the vendors whose services you run in it.

To this end Microsoft has stepped up to the plate with the Windows Server Virtualization Validation Program. As Microsoft describes this program:

“The Server Virtualization Validation Program (SVVP) is open to any vendor who delivers a virtualization machine solution that hosts Windows Server 2008, Windows 2000 Server Service Pack 4 and Windows Server 2003 Service Pack 2 and subsequent service packs. The virtualization solution can either be hypervisor-based or a hosted solution. The program enables vendors to validate various configurations so that customers of Windows Server can receive technical support in virtualized environments. Customers with validated solutions will benefit from the support provided by Microsoft as a part of the regular Windows Server technical support framework.
The Server Virtualization Validation Program is not a logo program, rather a reference that companies and customers will be able to use in conjunction with their validated solutions”

For more information on the Server Virtualization Validation Program (SVVP) check out:

http://www.windowsservercatalog.com/svvp/

HTH,

Tom


Bolster Desktop Security with Software Restriction Policies

You’ve probably heard of software restriction policies. They are created in Active Directory Group Policy and let you allow or deny applications at the desktop. Of course, denying “bad” applications with a blacklist is like chasing your tail: you will never identify all the “bad” applications users might run. Whitelisting applications, on the other hand, is a realistic goal. The trick is determining what your “good” applications are.

In the past you might have avoided software restriction policies because you thought it was too hard to determine which applications users actually run, and that deploying a dysfunctional software restriction policy could get you into hot water with your users and, worse, with your boss.

The good news is that there are a number of techniques you can use to determine what the “good” applications are in your environment. You can then use this information to create your whitelist and configure it into software restriction policies.

For more information on how to detect your white list applications and how to configure the software restriction policy, check out:

http://technet.microsoft.com/en-us/magazine/cc5103...).aspx
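Two helpers for the whitelisting work described above, added here as an example (this is my code, not the original post’s and not the TechNet article’s): the first inventories and hashes the executable content of the folders you intend to allow, so you can review it and turn it into hash rules or a path-rule inventory; the second performs the check that most often gets missed, flagging any folder under a planned path rule that ordinary users can write to, since a path rule on a user-writable folder lets a user drop their own binary into an allowed location. The default folder list and the CSV output path are assumptions.

```powershell
# Added example, not from the original post or the TechNet article it links to.
# Helpers for building a software restriction policy whitelist:
#   Get-WhitelistCandidates    hashes the executable content of the folders you
#                              intend to allow, for review and for hash rules
#   Test-StandardUserWritable  flags folders under a planned path rule that
#                              ordinary users can write to (a path rule on such
#                              a folder lets a user place their own binary in an
#                              allowed location, defeating the whitelist)
# Default folders and the CSV path are assumptions; adjust them.

function Get-WhitelistCandidates {
    param([string[]]$Folders = @($env:ProgramFiles, $env:SystemRoot))

    $sha256 = New-Object System.Security.Cryptography.SHA256Managed
    foreach ($folder in $Folders) {
        Get-ChildItem -Path $folder -Recurse -Include *.exe, *.dll, *.msi, *.ocx -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer } |
            ForEach-Object {
                $stream = $_.OpenRead()
                try     { $digest = [BitConverter]::ToString($sha256.ComputeHash($stream)) -replace '-', '' }
                finally { $stream.Close() }
                $_ | Select-Object FullName, Length, @{ Name = 'SHA256'; Expression = { $digest } }
            }
    }
}

function Test-StandardUserWritable {
    param([string[]]$Folders = @($env:ProgramFiles, $env:SystemRoot))

    # Principals that every interactive user belongs to.
    $broadPrincipals = 'BUILTIN\Users', 'Everyone',
                       'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
    # Any right that lets a file be created or altered, including the generic
    # GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits an ACE can carry.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl' `
                 -bor 0x40000000 -bor 0x10000000

    foreach ($folder in $Folders) {
        $dirs = @(Get-Item -Path $folder -ErrorAction SilentlyContinue) +
                @(Get-ChildItem -Path $folder -Recurse -ErrorAction SilentlyContinue | Where-Object { $_.PSIsContainer })
        foreach ($dir in $dirs) {
            $acl = Get-Acl -Path $dir.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { continue }
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -eq 'Allow' -and
                    $broadPrincipals -contains $ace.IdentityReference.Value -and
                    (([int]$ace.FileSystemRights) -band $writeMask) -ne 0) {
                    $dir | Select-Object FullName,
                        @{ Name = 'Principal'; Expression = { $ace.IdentityReference.Value } },
                        @{ Name = 'Rights';    Expression = { $ace.FileSystemRights } }
                }
            }
        }
    }
}

# Usage: review the candidate list, then look at every folder the second
# command reports before you write a path rule that covers it.
Get-WhitelistCandidates   | Export-Csv -Path 'C:\Temp\srp-whitelist-candidates.csv' -NoTypeInformation
Test-StandardUserWritable | Format-Table -AutoSize
```

Expect the second function to report a handful of folders under the Windows directory (temporary and spooler locations, for example); those are the places to exclude from a path rule, or to cover with a Disallowed rule that is more specific than the allowing one, before the policy is enforced.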

HTH,

Tom


Evaluate System Center Mobile Device Manager (MDM) 2008

System Center Mobile Device Manager (MDM) is a new Microsoft technology that helps Windows Mobile 6.1 devices work within the IT infrastructure as trusted and managed members of the enterprise. Historically, this degree of integration was not possible with other mobile device platforms because it raised many security, management, and accountability issues for the enterprise. MDM enables you to use Windows Mobile powered devices as managed business devices in a comprehensive manner that has minimal effect on existing infrastructure.

The goal of MDM is simple: Enable Windows Mobile powered devices to become managed and authenticated members of the IT infrastructure of an organization. The Windows Mobile platform is the ideal platform for this solution. The features of MDM help extend this platform in a manner that is both manageable and protected.

The MDM architecture is based on open industry standards that provide specialized device management (OMA DM) and authenticated and encrypted communications (IPsec, IKEv2, and MOBIKE). When you use these standards together with Windows Server platform services, such as Group Policy and Windows Server Update Services (WSUS), you have a powerful and proven solution that you can apply in a consistent and scalable manner to your company’s Windows Mobile powered devices.

For more information about MDM and to get an evaluation copy, visit:

http://technet.microsoft.com/en-us/scmdm/bb986596.aspx

HTH,

Tom


The Microsoft Windows Server 2003 Performance Advisor

Performance issues can be related to security issues: sometimes malware impacts performance on your servers. But how do you know whether it’s malware or a configuration issue? One way to find out is to use the Windows Server 2003 Performance Advisor.

Microsoft Windows Server 2003 Performance Advisor is the latest version of Server Performance Advisor, which is a simple but robust tool that helps you diagnose the root causes of performance problems in a Microsoft Windows Server 2003 deployment. Server Performance Advisor collects performance data and generates comprehensive diagnostic reports that give you the data to easily analyze problems and develop corrective actions.

Microsoft Windows Server 2003 Performance Advisor provides several specialized reports, including a System Overview (focusing on CPU usage, memory usage, busy files, busy TCP clients and top CPU consumers) and reports for server roles such as Active Directory, Internet Information Services (IIS), DNS, Terminal Services, SQL Server, print spooler, and others.

Download it at:

https://www.microsoft.com/downloads/details.aspx?F...ang=en

HTH,

Tom


Microsoft Forefront Codename "Stirling" VHDs Now Available

The Microsoft VHD Test Drive Program provides customers with an enhanced server-based software evaluation experience that’s faster, better supported and more flexible. You can now access the entire catalog of pre-configured Microsoft and partner products and solutions in the VHD format and start evaluating and testing today from www.microsoft.com/vhd.

Forefront codename “Stirling” is an integrated security system that delivers comprehensive, coordinated protection across endpoints, messaging and collaboration servers, and the network edge, and that is easier to manage and control.

By delivering simplified management and providing critical visibility into threats, vulnerabilities, and configuration risks, “Stirling” helps you reduce costs and achieve greater insight into your enterprise security state.

These fully functional, pre-configured VHDs provide you with trial software that will automatically expire after 30 days.

They are preconfigured virtual machines contained within the Virtual Hard Disk (VHD) format. A virtualization product that supports the VHD format is required to use them. Microsoft Virtual PC and Microsoft Virtual Server are provided for free and can be used with these VHD based virtual machines. Please refer to the system requirements section for more details.

Get them at:

http://www.microsoft.com/downloads/details.aspx?Fa...ang=en

Tom


Test Your Browser Security

Ever thought about testing your browser security? If not, when you have nothing else to do, check out these Web sites that have free browser security tests:

  • The Scanit Browser Security Test page

  • The Verisign Browser Check page

HTH,

Tom


Evaluate Microsoft Forefront Security for Office Communications Server beta today

Microsoft Forefront Security for Office Communications Server provides fast and effective protection against IM-based malware by including multiple scanning engines from industry-leading security partners, and helps reduce corporate liability by blocking IM messages containing inappropriate content. And when you download the beta software, you’re automatically registered to access valuable beta resources assembled in one convenient Beta Central location.

For more information, check out:

http://technet.microsoft.com/en-us/evalcenter/cc50...1.aspx

Tom


