Ohad Plotnik's Forefront Blog

Microsoft released a signature for Win32/Delf.QR

Plotniko — Wed, 08 Feb 2012 13:07:00 GMT

Hello,

Today I sent a virus sample to the Microsoft MMPC team,

That was analyzed as the “TrojanDownloader:Win32/Delf.QR”

The full reply from Microsoft was:

Analysis of the file(s) in Submission ID MMPC12020732034853 is now complete. This is the final email that you will receive regarding this submission.

The Microsoft Malware Protection Center (MMPC) has investigated the following file(s) which we received on 2/7/2012 11:39:15 AM Pacific Time. Below is the determination for your submission.

======== Submission ID MMPC12020732034853 Submitted Files =============================================

VIRUS.rar [Container]

+---ForeFront.rar [Container]

+---EXE.exe [TrojanDownloader:Win32/Delf.QR]

+---UpdateOffice.rar [Container]

+---UpdateOffice.exe [TrojanDownloader:Win32/Delf.QR]

+---UpdateOffice2.rar [Not Malware]

The following links contain more information regarding the detections listed above: http://go.microsoft.com/...ownloader:Win32/Delf.QR

Your submission was scanned using antimalware definition version 1.119.1519.0. ========

The detections listed above are included in the latest pre-release definition available for download. For more information please visit the pre-release definition update download page available at: http://www.microsoft.com...eReleaseSignatures.aspx Alternatively, detections listed above will be available for users who subscribe to the automatic definition update mechanism in the next regularly scheduled release, as well as users who choose to manually update their definition library available via the MMPC Portal available on: http://www.microsoft.com...al/Definitions/ADL.aspx If you have questions relating to this submission please contact mailto:mmpcres@microsoft.com and reference your submission ID. We would like to find ways to improve our service to you. Please take a few minutes and fill out our short customer survey for this incident.

You can navigate to our short (6 question) survey here: http://www.zoomerang.com/Survey/WEB22CHRC7QCL5/ ============================================= Additional Help For customers who do not have an antivirus solution, Microsoft Security Essentials can be downloaded at no charge here: http://www.microsoft.com/security_essentials/ For more information about updating definitions and answers to other questions, visit the following link: http://www.microsoft.com...red/Help.aspx#new_defns If you need immediate assistance and information on best practices for removing malware in your environment, additional support options are available at the following websites: For IT Professionals - http://support.microsoft.com/gp/securityitpro For Home Users - http://support.microsoft...lt.aspx?pr=securityhome

Thank you,

Microsoft Malware Protection Center

Thanks,

Ohad Plotnik (Plotniko)
MVP-Forefront
System&network
Security Architect
ForefrontSecurity.org

Security Compliance Manager 2.5 Beta is here!

Plotniko — Fri, 27 Jan 2012 10:11:00 GMT

PING

The latest version the Microsoft Security Compliance Manager (SCM) tool—version 2.5—is now available for beta download and review!

NEW baselines include:

* Exchange Server 2007 SP3 Security Baseline

* Exchange Server 2010 SP2 Security Baseline

Updated client product baselines include:

* Windows 7 SP1 Security Compliance Baseline

* Windows Vista SP2 Security Compliance Baseline

* Windows XP SP3 Security Compliance Baseline

* Office 2010 SP1 Security Baseline

* Internet Explorer 8 Security Compliance Baseline

SCM 2.5 enables you to quickly configure and manage your desktops and laptops, traditional data center, and private cloud using Group Policy and Microsoft System Center Configuration Manager.

Get the beta download from Microsoft Connect at https://connect.microsof....aspx?DownloadID=40885.

After you download and become familiar with updates in SCM 2.5, please provide us with your feedback.Your opinion is very important to us. We would especially appreciate your feedback in the following areas:

* Relevance.How relevant is the information for your organization?

* Usefulness.How will you use these product baselines? How does the SCM 2.5 tool provide value?

* Usability. Is the baseline configuration information easy to follow? Can you easily find key content?

* Consistency. Is the content in the security guides consistent with the setting recommendations and
Vulnerability information?

* General Quality. Please provide us with your opinion on the general quality of the product baseline content. Would you recommend SCM 2.5 to colleagues?

Ohad Plotnik (Plotniko)
MVP-Forefront
System&network
Security Architect
ForefrontSecurity.org

A Guide to Claims-Based Identity and Access Control, Second Edition eBook

Plotniko — Fri, 27 Jan 2012 10:09:00 GMT

Hello All,

Claims-based identity seeks to control the digital experience and allocate
digital resources based on claims made by one party about another.
A party can be a person, organization, government, website,
web service, or even a device. The very simplest example of a claim is
something that a party says about itself.

As the authors of this book point out, there is nothing new about
the use of claims. As far back as the early days of mainframe computing,
the operating system asked users for passwords and then passed
each new application a “claim” about who was using it. But this world
was based to some extent on wishful thinking because applications
didn’t question what they were told.

As systems became interconnected and more complicated, we
needed ways to identify parties across multiple computers. One way
to do this was for the parties that used applications on one computer
to authenticate to the applications (and/or operating systems) that
ran on the other computers. This mechanism is still widely used—for
example, when logging on to a great number of Web sites.

However, this approach becomes unmanageable when you have
many co-operating systems (as is the case, for example, in the enterprise).
Therefore, specialized services were invented that would register
and authenticate users, and subsequently provide claims about
them to interested applications. Some well-known examples are
NTLM, Kerberos, Public Key Infrastructure (PKI), and the Security
Assertion Markup Language (SAML).

If systems that use claims have been around for so long, how can
claims-based computing be new or important? The answer is a variant
of the old adage, “All tables have legs, but not all legs have tables.” The
claims-based model embraces and subsumes the capabilities of all the
systems that have existed to date, but it also allows many new things
to be accomplished. This book gives a great sense of the resultant
opportunities.

http://www.microsoft.com/download/en/details.aspx?id=28362&WT.mc_id=rss_alldownloads_all

Enjoy :)

Ohad Plotnik (Plotniko)
MVP-Forefront
System&network
Security Architect
ForefrontSecurity.org

Hotfix Rollup 4 for Microsoft Forefront Protection for Exchange is HERE!

Plotniko — Sun, 15 Jan 2012 00:21:00 GMT

Hello All!

Microsoft has released Hotfix Rollup 4 for Forefront Protection 2010 for Exchange.

http://support.microsoft.com/kb/2619883

This article contains information about how to obtain the hotfix rollup and about the issues that are fixed by the hotfix rollup.
Issues that are fixed in Hotfix Rollup 4 for Forefront Protection 2010 for Exchange:

1. Email is sent to the Forefront Protection for Exchange UNDELIVERABLE folder instead of being delivered

2. UNC and proxy credentials are stored in clear text in the Forefront Protection for Exchange file system

3. The Forefront Protection for Exchange FSEMachinePrep.exe fails with a fatal error

4. The external sender does not receive the expected

5. Forefront Protection for Exchange generated notification

6. Forefront Protection for Exchange generates a notification with a blank subject line

7. Forefront Protection for Exchange virus engine updates fail between the passive node and active node in CCR clusters
Forefront Protection for Exchange only accepts 7-digit License Agreement numbers

8. Email queues at startup on an Exchange server running Forefront Protection for Exchange

Thanks,

Ohad Plotnik (Plotniko)
MVP-Forefront
System&network
Security Architect
Blog: blogs.microsoft.co.il/blogs/Plotniko

Hacking & Securing Active Directory

Plotniko — Sat, 17 Dec 2011 13:11:00 GMT

Hello!

We have the honor to invite you to the Israel Security User Group December 2011 meeting - Hacking & Securing Active Directory.

Date: 20.12.11

Time: 18:00

Location: Microsoft Israel – Hapnina 2 Raanana Israel

This event will show the audience a high level overview for taking strategic decisions about planning and securing Active Directory infrastructure in an enterprise environment.Active Directory is the foundation upon which the rest of Windows security and services depends. Active Directory (AD) is the infrastructure behind the other security and services infrastructures, such as Exchange, Lync, PKI, identity management, Network Access Protection, Group Policy and more and more...The event will provide Network \ System-Infrastructure \ Application \ development professionals with an overview necessary to Understand, Hack, design, Implement and support a variety of network services, security measures and securing protocols needed in an Active Directory managed network.

Main subjects that will be covered on the event:

• Introduction to Securing and Hacking ADIT Challenges Business Needs

• AD Components - AD Architecture

• Authentication Authorization and SSO

• AD protocols- Weaknesses and vulnerabilities

• Application Layer, Network Layer, Infrastructure Layer and Physical Attacks

• Application Layer, Network Layer, Infrastructure Layer and Physical Defenses

Live Demos…

Lecturing in the event:

Idan Plotnik Identity and Security Engineer, Forefront MVP

Ohad Plotnik-Security User group leader Identity and Security Architect, Forefront MVP

Thanks,

Ohad Plotnik (Plotniko)
MVP-Forefront
System&network
Security Architect
ForefrontSecurity.org

Microsoft Windows Active Directory Single Sign On Authentication Spoofing Vulnerability

Plotniko — Fri, 18 Nov 2011 06:37:00 GMT

Hello all,

While installing and implementing Active Directory Federation Services at one of our customers site, i came across this Vulnerability, Pay attention and defend yourselves

http://www.securityfocus.com/bid/37215

http://technet.microsoft.com/en-us/security/bulletin/MS09-070

http://xforce.iss.net/xforce/xfdb/54425

Thanks,

Ohad Plotnik (Plotniko)
MVP-Forefront
System&network
Security Architect
ForefrontSecurity.org

Microsoft Safety Scanner

Plotniko — Sun, 13 Nov 2011 10:13:00 GMT

Hello World,

Following is a great security TIP:

Do you think your PC has a virus?

The Microsoft Safety Scanner is a free downloadable security tool that provides on-demand scanning and helps remove viruses, spyware, and other malicious software. It works with your existing antivirus software.

Note: The Microsoft Safety Scanner expires 10 days after being downloaded. To rerun a scan with the latest anti-malware definitions, download and run the Microsoft Safety Scanner again.

The Microsoft Safety Scanner is not a replacement for using an antivirus software program that provides ongoing protection.

For real-time protection that helps to guard your home or small business PCs against viruses, spyware, and other malicious software, download Microsoft Security Essentials.

http://www.microsoft.com/security/scanner/en-us/default.aspx

Enjoy :)

Ohad Plotnik (Plotniko)
MVP-Forefront
System&network
Security Architect
ForefrontSecurity.org

Forefront Protection Server Management Console (FPSMC) Ports

Plotniko — Mon, 31 Oct 2011 11:53:00 GMT

Hello all,

After some of you asking, i was thinking it will be better to post it here,
The Forefront Protection Server Management Console (FPSMC) is requiring these ports to be open to function properly:

80
HTTP port. Enables communication between the web browser and FPSMC, as well as all HTTP communication from FPSMC to the internet.

445
Required for FPSMC agent deployment (unidirectional: FPSMC server to the managed computer)

8815
The deployment agent listens on this port on a managed server to receive commands from the FPSMC agent (unidirectional: FPSMC server to the managed computer).

8816
The push installer listens on this port on the managed servers (unidirectional: FPSMC server to the managed computer).

8817
The NotificationService on the FPSMC server listens on this port to receive data (such as quarantine and stats) from the managed servers.

Thanks,

Ohad Plotnik (Plotniko)
MVP-Forefront
System&network
Security Architect
ForefrontSecurity.org

Next Release of Windows Intune Now Available! - PC MANAGEMENT & SECURITY IN THE CLOUD

Plotniko — Wed, 26 Oct 2011 20:27:00 GMT

Hello all!

Next Release of Windows Intune Now Available! - PC MANAGEMENT & SECURITY IN THE CLOUD

Perform security and management tasks remotely from a web-based console.
Help secure PCs from malware and virus threats with endpoint protection.
Deploy most updates and line of business applications through the cloud.
Greater performance and security with available Windows 7 Enterprise upgrade.

Get Free 30 Day Trial Now

http://www.microsoft.com/en-us/windows/windowsintune/pc-management.aspx
Enjoy :)

Ohad Plotnik (Plotniko)
MVP-Forefront
System&network
Security Architect
ForefrontSecurity.org

Windows 8 client and server versions Developer Preview are now available for download!

Plotniko — Sun, 23 Oct 2011 13:46:00 GMT

Hello!

FYI... The Windows 8 Developer Preview is a pre-beta version of Windows 8 for developers. These downloads include prerelease software that may change without notice. The software is provided as is, and you bear the risk of using it. It may not be stable, operate correctly or work the way the final version of the software will. It should not be used in a production environment. The features and functionality in the prerelease software may not appear in the final version. Some product features and functionality may require advanced or additional hardware, or installation of other software.

http://msdn.microsoft.com/en-us/windows/apps/br229516

On: http://msdn.microsoft.com/en-us/subscriptions/default.aspx You can also download a preview of Windows Server (MSDN subscribers only)

Thanks,

Ohad Plotnik (Plotniko)
MVP-Forefront
System&network
Security Architect
ForefrontSecurity.org

Forefront Unified Acces Gateway 2010...? From now on..."Windows server 8"

Plotniko — Sun, 23 Oct 2011 12:59:00 GMT

Hey,

As some articles and forums says, you can also read here, FYI:

Enterprises require easily managed remote access solutions for end users connecting to private or public clouds. Most remote access solutions require changes in user behavior because the remote access connection must be manually initiated. Additionally, enterprises have difficulty managing remote machines and ensuring they remain compliant with enterprise policies. The hybrid cloud extends an enterprise’s data center to span both private and public clouds, and presents new opportunities for remote access solutions. With Windows Server 8, partners can build and package remote access appliances to meet customer requirements including policy compliance and simplified user behavior, thereby driving down support costs. In this session, we will demonstrate how remote access appliances provide customer value by simplifying deployment logistics and offering enhanced feature support. New functionality including simplified configuration, new monitoring capabilities, highly available and scale, remote provisioning of clients and cloud based cross-premise connectivity will be highlighted.

Enabling the hybrid cloud using remote access appliances
http://channel9.msdn.com/Events/BUILD/BUILD2011/SAC-668T

So, probably with next version of windows server you will get all of it on one package and no more UAG...

Thanks,

Ohad Plotnik (Plotniko)
MVP-Forefront
System&network
Security Architect
ForefrontSecurity.org

IT Time: TechNet Radio–Interview with Curtis Parker from the Forefront Online Protection team!

Plotniko — Sun, 23 Oct 2011 12:54:00 GMT

Hi!

I would like to share with you a great Interview with Curtis Parker from the Forefront Online Protection team:

FYI...
Its IT Time and in today’s episode, Blain Barton and John Baker welcome Curtis Parker from the Forefront Online Protection team. Tune in as Curtis gives us a tour of Forefront’s new features for Exchange, as he explains how Office 365 customers can simplify the management and security experience through this innovative service.
http://blogs.technet.com/b/blainbar/archive/2011/09/20/it-time-technet-radio-interview-with-curtis-parker-from-the-forefront-online-protection-team.aspx

Thanks,

Ohad Plotnik (Plotniko)
MVP-Forefront
System&network
Security Architect
ForefrontSecurity.org

The Compliant Cloud - webcast

Plotniko — Sun, 23 Oct 2011 12:52:00 GMT

Hello,

I would like to share a great webcast with you guys,
The benefits of cloud computing are many - speed, flexibility, increased expertise, shared workload and reduced costs - but so are the risks. What are the threats to cloud security? Which parties assume responsibility for securing the environment? What about the data? Which type of cloud deployment offers superior security benefits?
______________________________________
Attend this webinar to learn more about those cloudy issues as well as:
1. Maintaining the confidentiality of data in the cloud
2. Retro-fitting for aging compliance requirements
3. Balancing technology momentum with regulatory inertia
4. Maintaining security and compliance while implementing forward-looking technology
5. Tracking global standards such as the Payment Card Industry Data Security Standard
http://www.brighttalk.com/webcast/188/35875

Thanks,

Ohad Plotnik (Plotniko)
MVP-Forefront
System&network
Security Architect
ForefrontSecurity.org

TMG SP2 and UAG SP Update 1 released !!!

Plotniko — Sun, 23 Oct 2011 12:50:00 GMT

PING all,

TMG SP2 and UAG SP Update 1 is now out:

Forefront Unified Access Gateway (UAG) Service Pack 1 (SP1) Update 1
http://www.microsoft.com/download/en/details.aspx?id=27604&WT.mc_id=rss_alldownloads_all
Overview
The following is provided by Forefront UAG Update 1:

• Lync web services publishing—Forefront UAG now supports publishing Lync web services
• Dynamics CRM 2011 publishing—Forefront UAG now supports publishing Dynamics CRM 2011
• SharePoint 2010 with Office Web Apps—Forefront UAG now supports publishing SharePoint 2010 with Office Web Apps
• Improved browser support—Forefront UAG now supports more web browsers than in previous releases
_______________________________________________________

Microsoft Forefront Threat Management Gateway (TMG) 2010 Service Pack 2
http://www.microsoft.com/download/en/details.aspx?id=27603&WT.mc_id=rss_alldownloads_all
Overview
The service pack includes the following new functionality and feature improvements:

New Reports
• The new Site Activity report displays a report showing the data transfer between users and specific websites for any user.
Error Pages
• A new look and feel has been created for error pages.
• Error pages can be more easily customized and can include embedded objects.

Kerberos Authentication
• You can now use Kerberos authentication when you deploy an array using network load balancing (NLB).

Thanks,

Ohad Plotnik (Plotniko)
MVP-Forefront
System&network
Security Architect
ForefrontSecurity.org

Vulnerabilities in Microsoft Forefront Unified Access Gateway Could Cause Remote Code Execution

Plotniko — Sun, 23 Oct 2011 12:39:00 GMT

Hello all,

I would like to share with you a new Vulnerabilities in Microsoft Forefront Unified Access Gateway that can Cause Remote Code Execution!

Microsoft Security Bulletin MS11-079 - Important

General Information

Executive Summary

This security update resolves five privately reported vulnerabilities in Microsoft Forefront Unified Access Gateway (UAG). The most severe of these vulnerabilities could allow remote code execution if a user visits an affected Web site using a specially crafted URL. However, an attacker would have no way to force users to visit such a Web site. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's Web site.

This security update is rated Important for all supported versions of Microsoft Forefront Unified Access Gateway 2010. For more information, see the subsection, Affected and Non-Affected Software, in this section.

The security update addresses the vulnerabilities by modifying the way that UAG handles specially crafted requests, modifying the MicrosoftClient.JAR file, and adding exception handling around the null value of the UAG Web server. For more information about the vulnerabilities, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.

Recommendation. Microsoft recommends that customers apply the update at the earliest opportunity.

Known Issues. Microsoft Knowledge Base Article 2544641 documents the currently known issues that customers may experience when installing this security update. The article also documents recommended solutions for these issues.

http://technet.microsoft.com/en-us/security/bulletin/MS11-079

*ForefrontSecurity.org post:
http://forums.forefrontsecurity.org/default.aspx?g=posts&m=2740#post2740

Thanks,

Ohad Plotnik (Plotniko)
MVP-Forefront
System&network
Security Architect
ForefrontSecurity.org