Idan & Ohad Plotnik's Forefront Blog

Expanding the areas of knowledge sharing in the blog - Microsoft Identity And Security Blog.

Plotniko — Sun, 05 May 2013 14:14:00 GMT

Hi guys,

So it's been 4 years :)
http://blogs.microsoft.co.il/blogs/plotniko/archive/2009/06.aspx
That I’m writing this blog and sharing the Forefront security \ protection information with you.

My specialty over the years has focused on securing information in the Microsoft environment, and i tried sharing my experience with you.
If so, and with the changes that have happened recently,
I will expand the blog expertise, and focus on the general field of information security in Microsoft including:
The growing field of identity and security -
AD DS security
AD FS
AD LDS
AD RMS
FIM
And more...

Hope you will enjoy my blog,
And that I’ll help you expand your knowledge, install, implement, troubleshoot, explore and develop information security products, in the Microsoft world, and in your Microsoft infrastructure systems.

Thanks,

Ohad Plotnik (Plotniko)

VP Professional Services, MVP
Aorato LTD.
Never been hacked? You’re not looking close enough.
www.Aorato.com

Securing Active Directory

Plotniko — Sun, 05 May 2013 13:25:00 GMT

Hi Guys!

The threat of compromise to IT infrastructures from external attack is rapidly growing and evolving. The Active Directory environment is often the target for these attacks. This article details steps that your organization can take to protect its Active Directory environment.

The document Contains recommendations to enhance the security of Active Directory installations, discusses common attacks against Active Directory and countermeasures to reduce the attack surface, and offers recommendations for recovery.

For the following operating systems:
Windows Server 2008, Windows Server 2008 R2, Windows Server 2012

So, Securing Active Directory: An Overview of Best Practices:
http://www.microsoft.com/en-us/download/details.aspx?id=38815&WT.mc_id=rss_alldownloads_all

The Best Practices for Securing Active Directory:
http://www.microsoft.com/en-us/download/details.aspx?id=38785

The chapters:

Executive Summary
Introduction
Avenues to Compromise
Reducing the Active Directory Attack Surface
Monitoring Active Directory for Signs of Compromise
Planning For Compromise
Summary of Best Practices
Appendices

I really recommend the appendices section! You can get a lot of valuable information there.

As part of the protection faze, if your organization is using any monitoring mechanism (SIEM for example), read the "Events to Monitor" appendix.

Just a reminder:

A year and a half ago, we presented the "Hacking and Securing Active Directory" security group meeting:
Hacking & Securing Active Directory:
http://blogs.microsoft.co.il/blogs/plotniko/archive/2011/12/17/hacking-amp-securing-active-directory.aspx

It was a very valuable meeting, and it was great hearing from the community their opinion on AD security today.

We are planning another session like that, I’ll update.

Thanks,

Ohad Plotnik (Plotniko)

VP Professional Services, MVP
Aorato LTD.
Never been hacked? You’re not looking close enough.
www.Aorato.com

Update Rollup 1 for Active Directory Rights Management Services Client 2.0 (KB2821183)

Plotniko — Sun, 14 Apr 2013 08:40:00 GMT

Hi Guys,

So, There is a new update rollup 1 for the AD RMS client 2.0.

Installed and checked in my lab.

FYI:

This update fixes the problems described in KB article 2821183. Active Directory Rights Management Services Client 2.1 (AD RMS Client 2.1) is software designed for your client computers to help protect access to and usage of information flowing through applications that use AD RMS whether installed on your premises or in a Microsoft datacenter. AD RMS Client 2.1 provides numerous updates and bug fixes found in AD RMS Client 2.0. AD RMS Client 2.1 also adds support for automation document protection.

Thanks,

Ohad Plotnik (Plotniko)

VP Professional Services, MVP
Aorato LTD.
Never been hacked? You’re not looking close enough.
www.Aorato.com

Important! Vulnerability in Active Directory Could Lead to Denial of Service (2830914)

Plotniko — Thu, 11 Apr 2013 17:04:00 GMT

Guys!

This vulnerability Is critical!

Affected on AD servers (Domain Controllers) till Windows Server 2012 !

Windows Server 2008 for Itanium-based Systems is not affected.

Please review and take actions:
http://technet.microsoft.com/en-us/security/bulletin/ms13-032

Thanks,

Ohad Plotnik (Plotniko)

VP Professional Services, MVP
Aorato LTD.
Never been hacked? You’re not looking close enough.
www.Aorato.com

FIM 2010 R2 SP1 has been Released!

Plotniko — Wed, 09 Jan 2013 09:05:00 GMT

Hello Forefront Guys,

On the Andreas Kjellman talk at the first annual Oxford Computer Group Redmond Identity, Access & Directory Summit at Microsoft HQ, the SP1 for Forefront Identity Manager 2010 R2 was announced!

Not much information about the changes, Part of the changes in the SP1, including support for 2013 releases (Sharepoint etc'...)

you can download via your MSDN subscriber benefits.

The KB that will be released is KB2772429.

Thanks,

Ohad Plotnik (Plotniko)

Identity and Security Architect, MVP

Foreity LTD – Intelligent Security

Forums.ForefrontSecurity.org

Forefront Product Roadmaps

Plotniko — Wed, 12 Sep 2012 22:09:00 GMT

Hello All,

After a lot of Rumors on end of life for TMG etc'...

Microsoft officially announces today the long-term planning for Forefront products:

"Today, as a result of our effort to better align security and protection solutions with the workloads and applications they protect, Microsoft is announcing changes to the roadmaps of some of the security solutions made available under the Forefront brand." For More Information:

http://blogs.technet.com/b/server-cloud/archive/2012/09/12/important-changes-to-forefront-product-roadmaps.aspx

Thanks,

Ohad Plotnik (Plotniko)

Identity and Security Architect, MVP

Foreity LTD – Intelligent Security

www.ForefrontSecurity.org

Microsoft protects against the "Flame" Virus !

Plotniko — Wed, 30 May 2012 14:18:00 GMT

Hello,

We are happy to announce that This threat is detected by the Microsoft antivirus engine.
And the Microsoft MMPC updated the signature and it is now protecting from the new threat.

For more information:

http://forums.forefrontsecurity.org/default.aspx?g=posts&m=2980#post2980

Stay Up To Date !

Thanks,

Ohad Plotnik (Plotniko)

Identity and Security Architect, MVP

Foreity LTD – Intelligent Security

www.ForefrontSecurity.org

Active Directory Rights Management Service Client 2.0 is out!

Plotniko — Tue, 29 May 2012 14:56:00 GMT

Hi Security guys,

Microsoft announced the Active Directory Rights Management Service Client 2.0.

AD RMS Client 2.0 is software designed for your client computers
To help protect access to and usage of information flowing through applications that use AD RMS whether installed on your premises or in a Microsoft datacenter.

For more information and download:

http://www.microsoft.com/en-us/download/details.aspx?id=29892

Thanks,

Ohad Plotnik (Plotniko)
Identity and Security Architect, MVP

Foreity LTD – Intelligent Security

www.ForefrontSecurity.org

New Advanced Cyber Threat - Virus "Worm.Win32.Flame"

Plotniko — Tue, 29 May 2012 14:52:00 GMT

Hi Security guys,

I want to update you that Kaspersky labs announce a sophisticated malicious worm, that is actively being used as a cyber-weapon attacking entities in several countries mainly in the Middle East.

For more information:

http://forums.forefrontsecurity.org/default.aspx?g=posts&m=2978#post2978

http://www.kaspersky.com/about/news/virus/2012/Kaspersky_Lab_and_ITU_Research_Reveals_New_Advanced_Cyber_Threat

Thanks,

Ohad Plotnik (Plotniko)

Identity and Security Architect, MVP

Foreity LTD – Intelligent Security

www.ForefrontSecurity.org

Vulnerability in DNS Server Could Allow Denial of Service MS12-017 - Important

Plotniko — Thu, 15 Mar 2012 13:59:00 GMT

Hello,

his security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow denial of service if a remote unauthenticated attacker sends a specially crafted DNS query to the target DNS server.

This security update is rated Important for all supported editions of Windows Server 2003, 32-bit and x64-based editions of Windows Server 2008, and x64-based editions of Windows Server 2008 R2.

Please update your systems ASAP!!!

Info is here:

http://technet.microsoft.com/en-us/security/bulletin/ms12-017

Thanks,

Ohad Plotnik (Plotniko)
Identity and Security Architect, MVP

Foreity LTD – Intelligent Security

www.ForefrontSecurity.org

Vulnerability in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege MS12-018 - Important

Plotniko — Thu, 15 Mar 2012 13:57:00 GMT

Hello,

This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to a system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.

This security update is rated Important for all supported releases of Microsoft Windows.

Please update your systems ASAP!!!

Info is here:

http://technet.microsoft.com/en-us/security/bulletin/MS12-018

Thanks,

Ohad Plotnik (Plotniko)
Identity and Security Architect, MVP

Foreity LTD – Intelligent Security

www.ForefrontSecurity.org

Microsoft Security Bulletin MS12-020 Critical Vulnerabilities in Remote Desktop Could Allow Remote Code Execution !!!

Plotniko — Thu, 15 Mar 2012 13:38:00 GMT

Hello,

This security update resolves two privately reported vulnerabilities in the Remote Desktop Protocol.

The more severe of these vulnerabilities could allow remote code execution if an attacker sends a sequence of specially crafted RDP packets to an affected system. By default, the Remote Desktop Protocol (RDP) is not enabled on any Windows operating system. Systems that do not have RDP enabled are not at risk. This security update is rated Critical for all supported releases of Microsoft Windows.

Please update your systems ASAP!!!

For more information :

http://technet.microsoft.com/en-us/security/bulletin/ms12-020

Thanks,

Ohad Plotnik (Plotniko)
Identity and Security Architect, MVP

Foreity LTD – Intelligent Security

www.ForefrontSecurity.org

Microsoft released a signature for Win32/Delf.QR

Plotniko — Wed, 08 Feb 2012 20:07:00 GMT

Hello,

Today I sent a virus sample to the Microsoft MMPC team,

That was analyzed as the “TrojanDownloader:Win32/Delf.QR”

The full reply from Microsoft was:

Analysis of the file(s) in Submission ID MMPC12020732034853 is now complete. This is the final email that you will receive regarding this submission.

The Microsoft Malware Protection Center (MMPC) has investigated the following file(s) which we received on 2/7/2012 11:39:15 AM Pacific Time. Below is the determination for your submission.

======== Submission ID MMPC12020732034853 Submitted Files =============================================

VIRUS.rar [Container]

+---ForeFront.rar [Container]

+---EXE.exe [TrojanDownloader:Win32/Delf.QR]

+---UpdateOffice.rar [Container]

+---UpdateOffice.exe [TrojanDownloader:Win32/Delf.QR]

+---UpdateOffice2.rar [Not Malware]

The following links contain more information regarding the detections listed above: http://go.microsoft.com/...ownloader:Win32/Delf.QR

Your submission was scanned using antimalware definition version 1.119.1519.0. ========

The detections listed above are included in the latest pre-release definition available for download. For more information please visit the pre-release definition update download page available at: http://www.microsoft.com...eReleaseSignatures.aspx Alternatively, detections listed above will be available for users who subscribe to the automatic definition update mechanism in the next regularly scheduled release, as well as users who choose to manually update their definition library available via the MMPC Portal available on: http://www.microsoft.com...al/Definitions/ADL.aspx If you have questions relating to this submission please contact mailto:mmpcres@microsoft.com and reference your submission ID. We would like to find ways to improve our service to you. Please take a few minutes and fill out our short customer survey for this incident.

You can navigate to our short (6 question) survey here: http://www.zoomerang.com/Survey/WEB22CHRC7QCL5/ ============================================= Additional Help For customers who do not have an antivirus solution, Microsoft Security Essentials can be downloaded at no charge here: http://www.microsoft.com/security_essentials/ For more information about updating definitions and answers to other questions, visit the following link: http://www.microsoft.com...red/Help.aspx#new_defns If you need immediate assistance and information on best practices for removing malware in your environment, additional support options are available at the following websites: For IT Professionals - http://support.microsoft.com/gp/securityitpro For Home Users - http://support.microsoft...lt.aspx?pr=securityhome

Thank you,

Microsoft Malware Protection Center

Thanks,

Ohad Plotnik (Plotniko)
MVP-Forefront
System&network
Security Architect
ForefrontSecurity.org

Security Compliance Manager 2.5 Beta is here!

Plotniko — Fri, 27 Jan 2012 17:11:00 GMT

PING

The latest version the Microsoft Security Compliance Manager (SCM) tool—version 2.5—is now available for beta download and review!

NEW baselines include:

* Exchange Server 2007 SP3 Security Baseline

* Exchange Server 2010 SP2 Security Baseline

Updated client product baselines include:

* Windows 7 SP1 Security Compliance Baseline

* Windows Vista SP2 Security Compliance Baseline

* Windows XP SP3 Security Compliance Baseline

* Office 2010 SP1 Security Baseline

* Internet Explorer 8 Security Compliance Baseline

SCM 2.5 enables you to quickly configure and manage your desktops and laptops, traditional data center, and private cloud using Group Policy and Microsoft System Center Configuration Manager.

Get the beta download from Microsoft Connect at https://connect.microsof....aspx?DownloadID=40885.

After you download and become familiar with updates in SCM 2.5, please provide us with your feedback.Your opinion is very important to us. We would especially appreciate your feedback in the following areas:

* Relevance.How relevant is the information for your organization?

* Usefulness.How will you use these product baselines? How does the SCM 2.5 tool provide value?

* Usability. Is the baseline configuration information easy to follow? Can you easily find key content?

* Consistency. Is the content in the security guides consistent with the setting recommendations and
Vulnerability information?

* General Quality. Please provide us with your opinion on the general quality of the product baseline content. Would you recommend SCM 2.5 to colleagues?

Ohad Plotnik (Plotniko)
MVP-Forefront
System&network
Security Architect
ForefrontSecurity.org

A Guide to Claims-Based Identity and Access Control, Second Edition eBook

Plotniko — Fri, 27 Jan 2012 17:09:00 GMT

Hello All,

Claims-based identity seeks to control the digital experience and allocate
digital resources based on claims made by one party about another.
A party can be a person, organization, government, website,
web service, or even a device. The very simplest example of a claim is
something that a party says about itself.

As the authors of this book point out, there is nothing new about
the use of claims. As far back as the early days of mainframe computing,
the operating system asked users for passwords and then passed
each new application a “claim” about who was using it. But this world
was based to some extent on wishful thinking because applications
didn’t question what they were told.

As systems became interconnected and more complicated, we
needed ways to identify parties across multiple computers. One way
to do this was for the parties that used applications on one computer
to authenticate to the applications (and/or operating systems) that
ran on the other computers. This mechanism is still widely used—for
example, when logging on to a great number of Web sites.

However, this approach becomes unmanageable when you have
many co-operating systems (as is the case, for example, in the enterprise).
Therefore, specialized services were invented that would register
and authenticate users, and subsequently provide claims about
them to interested applications. Some well-known examples are
NTLM, Kerberos, Public Key Infrastructure (PKI), and the Security
Assertion Markup Language (SAML).

If systems that use claims have been around for so long, how can
claims-based computing be new or important? The answer is a variant
of the old adage, “All tables have legs, but not all legs have tables.” The
claims-based model embraces and subsumes the capabilities of all the
systems that have existed to date, but it also allows many new things
to be accomplished. This book gives a great sense of the resultant
opportunities.

http://www.microsoft.com/download/en/details.aspx?id=28362&WT.mc_id=rss_alldownloads_all

Enjoy :)

Ohad Plotnik (Plotniko)
MVP-Forefront
System&network
Security Architect
ForefrontSecurity.org