December 2006 - Posts - The Security Wizard

The Security Wizard

Fighting for the good guys...


December 2006 - Posts

Microsoft SQL vs Oracle: Security Fight

David Litchfield, one of the most appreciated database experts, has recently published a paper that addresses the question: which database is more secure, Oracle or Microsoft SQL Server?

This paper examines the differences between the security posture of Microsoft’s SQL Server and Oracle’s RDBMS based upon flaws reported by external security researchers and since fixed by the vendor in question. Only flaws affecting the database server software itself have been considered in compiling this data so issues that affect, for example, Oracle Application Server have not been included.

As a short taste, the article (very recommended for all of you DBAs out there) talks about two graphs (shown in the picture below) that show the number of security flaws in the Oracle and Microsoft database servers that have been discovered and fixed from December 2000 until November 2006. Each block represents a single issue, with the sole exception of the single block in Q2 2005 of the Microsoft graph. This represents Service Pack 4, and whilst there are no related security bulletins or bugs listed on Bugtraq, the author felt it worthy of inclusion.

Security flaws in Oracle Server against security flaws in Microsoft SQL Server.

For more information about the comparison, read the full article at: http://www.databasesecurity.com/dbsec/comparison.pdf

Posted: Dec 27 2006, 07:54 PM by yanivf | with 1 comment(s)

RMS Service Pack 2 Administration Toolkit Released

A month after announcing the release of RMS SP2 with all its new abilities, earlier this week Microsoft announced the new SP2 version of the Administration Toolkit.

The RMS SP2 Administration Toolkit contains additional programs that the RMS team developers created while working on RMS.
These tools are intended to allow quick and easy modifications and to get information about the system.

The new SP2 version does not add new tools, but fixes problems with the old ones.
The RMS SP2 Administration Toolkit includes the following tools:
  • AD SCP Register
  • Get RMS SCP
  • IRM Check
  • RMS Cert Analyzer
  • RMS Config Editor
  • RMS Event Viewer
  • RMS Log Analyzer, including RMS QuickLook
  • RMS Queue Recovery
  • RMS Service Locator
  • forestSchemaXtension.ldf schema extension file

For more information and download: http://www.microsoft.com/downloads/details.aspx?familyid=BAE62CFC-D5A7-46D2-9063-0F6885C26B98&displaylang=en

Posted: Dec 27 2006, 06:17 PM by yanivf | with no comments |

New report of a Windows Vista vulnerability

Mike Reavey from the Microsoft Security Response Center has recently reported on the MSRC blog that they are closely monitoring developments related to a public posting of proof-of-concept code targeting an issue with the Client Server Run-Time Subsystem. The PoC reportedly allows for local elevation of privilege on Windows 2000 SP4, Windows Server 2003 SP1, Windows XP SP1, Windows XP SP2 and Windows Vista. Initial indications are that in order for the attack to be successful, the attacker must already have authenticated access to the target system. Of course these are preliminary findings, and the MSRC has activated its emergency response process, involving a multitude of folks who are investigating the issue in depth to determine the full scope and potential impact to Microsoft's customers. Currently the MSRC has not observed any public exploitation or attack activity regarding this issue.

They continue and say that while they know this is a vulnerability that impacts Windows Vista, they still have every confidence that Windows Vista is Microsoft's most secure platform to date. As always, the MSRC encourages everyone to enable a firewall, apply all security updates and install anti-virus and anti-spyware software.

Mike states that, regardless of it being the holiday season, the MSRC will be monitoring overall threat conditions for this and any other issue reported to them. If they do see anything that they believe puts Microsoft customers at risk, or significant new developments, they will update everyone through their standard mechanisms.

You can find more info on the MSRC blog at: http://blogs.technet.com/msrc/default.aspx

Windows Vista and protection from malware

On November 30, Sophos issued its monthly report on the top ten threats reported to them in November 2006. As a part of this, Sophos also studied Windows Vista's vulnerability to these malware threats. The Windows Vista team has taken those 10 threats and tested them against a Windows Vista system (with the default, out-of-the-box configuration).

What they found was that if you are using only the software in Windows Vista (e.g., Windows Mail and no add-on security software), then you are immune to all ten of the malware threats that Sophos cited.

If you are using Microsoft Outlook or a third-party email client that blocks execution of known executable formats, then a user running Windows Vista is not vulnerable to eight of the ten malware threats. In the case of the ninth piece of malware, Bagle-Zip, the malware is able to run because it uses the .ZIP file format, which some mail programs do not block. In the case of the tenth piece of malware, Mydoom-O, the malware is sometimes able to run because it randomly chooses the file type in which to distribute its payload, and sometimes that file type is an executable inside a .ZIP file, which some mail programs do not block. In both cases, this is a function of the e-mail software, not Windows Vista. That said, even when a user receives a mail infected with Bagle-Zip or Mydoom-O in the .ZIP file format, in order for the malware to affect the system the user must first explicitly open the .ZIP file and then explicitly run the executable file that's contained inside the .ZIP file -- there is no way for this to happen without two steps of user action. If you happen to run a third-party email client that does not block known executable formats, then you may also be vulnerable to Netsky-D.
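As an added illustration of the gap described above (this is not code from the post or from Microsoft, and it is not how any particular mail client works): a defender-side attachment check that treats a bare executable as blocked and then looks inside a .ZIP for the executable that a plain extension filter would miss. The blocked-extension list and the sample archives are constructed for the demo.

```python
"""Attachment check for the failure mode described in the post: a mail client may
block known executable extensions outright yet let a .ZIP through, and the
executable inside the archive is what the user is tricked into running."""
import io
import zipfile

# Extensions a mail client typically blocks outright (assumed list for the demo,
# not a configuration taken from any product).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs"}


def is_blocked_name(name: str) -> bool:
    """True if the file name ends in a blocked executable extension."""
    lower = name.lower().rstrip("/")
    return any(lower.endswith(ext) for ext in BLOCKED_EXTENSIONS)


def executables_in_zip(data: bytes) -> list[str]:
    """Names of blocked-extension members inside a ZIP attachment.
    An archive that cannot be parsed is reported as having no members."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if is_blocked_name(n)]
    except zipfile.BadZipFile:
        return []


def classify_attachment(filename: str, data: bytes) -> str:
    """'blocked' for a bare executable, 'zip-with-executable' when the archive
    hides one (the Bagle-Zip / Mydoom-O case), otherwise 'allowed'."""
    if is_blocked_name(filename):
        return "blocked"
    if filename.lower().endswith(".zip"):
        return "zip-with-executable" if executables_in_zip(data) else "allowed"
    return "allowed"


def make_zip(members: dict[str, bytes]) -> bytes:
    """Build a constructed sample archive in memory (harmless placeholder content)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "invoice.exe": b"MZ placeholder",                          # bare executable
        "photos.zip": make_zip({"photo.jpg": b"\xff\xd8"}),        # harmless archive
        "document.zip": make_zip({"document.pdf.scr": b"MZ placeholder"}),
    }
    for name, data in samples.items():
        print(f"{name}: {classify_attachment(name, data)}")
```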

One question you may ask is: why isn't this kind of malware scanning built into Windows Vista?
The answer to this question has two parts:

  1. Microsoft has cleaners that detect and remove this form of malware, offered as part of the Malicious Software Removal Tool that it distributes each month.
  2. Microsoft does offer this kind of "on access" anti-virus software as part of Windows Live OneCare (for home users) and offers server-based e-mail security in Microsoft Forefront Security for Exchange Server. In addition, Microsoft is currently beta testing an enterprise version of the client software called Microsoft Forefront Client Security.

So as you see (and as Jim from the Vista team states), Windows is neither foolproof nor perfect; no software from anyone I have seen is. But you can definitely see the advances and improvements they have made regarding security in your next operating system.

More information on this issue can be found at the Windows Vista team blog: http://windowsvistablog.com/blogs/windowsvista/archive/2006/12/19/windows-vista-and-protection-from-malware.aspx

MOM 2005 Alert Tuning Solution Accelerator

Many of you who had the privilege of implementing MOM 2005 in your organization must know that fine tuning MOM (and, for that matter, any other monitoring solution) can be a very prolonged job that requires a deep understanding of all your systems and the way they work.

Under most circumstances, Management Packs will be applicable to the majority of organizations without any adjustments (such as alert tuning). This document is intended to assist large organizations with complex deployments in understanding how to utilize alert tuning to achieve the maximum benefit from MOM 2005 and its Management Packs.

Alert tuning offers increased operational efficiency through:

  • A reduction or prevention of service incidents through the use of proactive remedial action.
  • Faster and more effective responses to service incidents.
  • Improved overall availability of services.
  • An increase in user satisfaction.

Alert Tuning Solution Accelerator: http://www.microsoft.com/technet/solutionaccelerators/cits/mo/smc/sts05.mspx

“Display information about previous logons during user logon” GPO Problem

In Vista there is a GPO called "Display information about previous logons during user logon".
Beware of setting this in your environment.

If you configure this as a domain-based policy you will no longer be able to log on as a domain user. You will see the following error:

As opposed to what we should see:

To recover you will need to log on as the local admin and revert the domain policy.
This behavior is by design, and this feature will only be supported in a "Longhorn-based" domain with a Longhorn DC.

So thanks to Bink.Nu, we all got a fair warning before we get all our domain accounts locked out of their computers :-)

 

A step-by-step guide to configuring IE7 security in Vista

Unless you've been living under a rock for the past few months, you know that Microsoft has updated its IE version and the resident browser is now version 7. Those of you who have already tried to deploy the browser must have discovered the different side effects of the enhanced security features.

WindowsSecurity has published a new guide for configuring security in IE7, which explains all the new features and functions and how to set them up so that everything actually works and is secure (at the same time :-))

Enjoy!

http://searchwindowssecurity.techtarget.com/general/0,295582,sid45_gci1233136,00.html?track=NL-480&ad=573652USCA&asrc=EM_NLT_811849&uid=54957

Hardening Guide for Microsoft Windows Rights Management Services

Microsoft has recently published a Hardening Guide for the RMS server. The guide includes very useful tips about making your RMS server and services more secure, including client-server encryption, application-SQL encryption, Active Directory access restrictions and other good stuff.

Very Recommended!

http://www.microsoft.com/technet/community/columns/sectip/st1206.mspx

SMS Extended Security Update Inventory tool

You may have already discovered that there are some security updates that are not detectable using the existing SMS Security Update Inventory Tool built on MBSA.

The solution to this issue is the SMS Extended Security Update Inventory Tool, a scan tool built to help those who wish to detect and update computers with the security updates that MBSA cannot scan for. Like the SMS Software Update Inventory Tool, this tool also has the instructions for locating each applicable update, downloading it from Microsoft, and deploying it using SMS. The SMS Extended Security Update Inventory Tool is built on Enterprise Scan Tool (EST) detection technology.

For the list of the unscannable security updates and to download the SMS ESUIT:
http://www.microsoft.com/downloads/details.aspx?FamilyID=2c93da1d-48a0-4e5c-991f-87e08954f61b&DisplayLang=en

Vista Must be Activated!

To those of you who are now thinking about deploying Vista in your organization, I have another item to add to your thinking... :-)

Windows Vista's activation system is not the regular VLK system, which removed the need for activation (aka Volume Activation 1.0 (VA 1.0)), but the new and improved Volume Activation 2.0 (VA 2.0).

What this means is that the Windows Vista operating system will require Volume Licensing customers to use a new type of activation, called Volume Activation.
In Volume Activation 2.0 (VA 2.0), there will be two types of Volume License Keys: Multiple Activation Keys and Key Management Service.

Multiple Activation Key
The Multiple Activation Key (MAK) activates either individual computers or a group of computers by connecting directly to Microsoft servers over the Internet or by telephone. The keys can be used a limited number of times. This activation limit can be increased by calling your Microsoft Activation Center.

Key Management Service
Your organization can host the Key Management Service (KMS) internally to automatically activate computers running Windows Vista. To use the KMS, you must have a minimum of 25 computers running Windows Vista that are connected together. Computers that have been activated through KMS will be required to reactivate by connecting to your organization's network at least every six months.
Currently the KMS software runs on a local computer running Windows Vista or the Microsoft Windows Server Code Name "Longhorn" operating system. In the future, it will run on the Microsoft Windows Server 2003 operating system.

- You can find more details about the new activation method at: http://www.microsoft.com/licensing/resources/vol/default.mspx
- Other technical details about VA 2.0 (such as registry keys, KMS configuration, etc.) you can find at: http://www.microsoft.com/technet/windowsvista/plan/volact2.mspx

Posted: Dec 08 2006, 02:48 PM by yanivf | with 2 comment(s)

Microsoft Secure Messaging Demo

Those of you who had the chance to visit the latest "Optimize Your Infrastructure" conference got to see Nir Chinsky and myself delivering a lecture about the secure messaging platform Microsoft offers its customers. At the end of the lecture, I presented a demo that included the IW side and the IT side of working with all the security products.

This demo was originally presented at Microsoft US and was recorded there to a WMV file.
You can find this demo at the following address:

mms://wm.microsoft.com/ms/windowsserversystem/secure-messaging.wmv

 

The demo presents the use of Forefront Client Security, ISA 2006, SharePoint 2003, RMS (SP1) and all the Antigen family products.

 

Enjoy!

Ready for a new day…

Before we begin, I must introduce myself to those of you who do not know me (yet... :-)).

My name is Yaniv Feldman and I am a Security Regional Director at Microsoft Israel. I've been working in the industry for the last 6 years, starting as a PC Tech, then through Helpdesk, Trainer, System and Network Administrator, and a consultant for Microsoft & Security Solutions.

I've thought of writing a blog for a long time, but I never really found the time to do so, or good stuff I would be able to write about periodically.
So? What is different now, and why is he wasting our valuable time, you ask? Well, the answer is that now I've managed to collect a lot of technical information, gathered from my experience over the years and from what I've been doing daily, and I believe that those of you who come back to this blog more than once will earn some valuable pieces of knowledge about Microsoft security products, securing your systems and other security-related issues.

I want to apologize in advance for the times that the posts will slide towards management-related products, since this is also one of the things I deal with on a daily basis.

After all the introduction, I want to chat a bit about the preparations for the upcoming launch of Windows Vista, Office 2007 and Exchange 2007.
Although none of those products seems to be related to security, the three of them are among the first generation of products that were planned with "security in mind", whether it is the Vista security features (UAC, IE7 Protected Mode, BitLocker, etc.) or SharePoint/Office 2007 and Exchange 2007 with all the intellectual property protection they offer (new RMS features along with RMS SP2, which became RTM last week).

3 weeks from now, the launch of those products will be held, and those of you who arrive on the day of the event will get the chance to see me lecture on the "Office Track" about IRM and intellectual property protection.
I have some pretty fine demos for you to see and other nice surprises.

Hoping to see you all (on the blog again, and at the launch event).

Posted: Dec 05 2006, 03:00 PM by yanivf | with 5 comment(s) |