January 2007 - Posts - The Security Wizard

The Security Wizard

Fighting for the good guys...


SMS 2003 SP3 Public Beta

Microsoft Systems Management Server (SMS) 2003 Service Pack 3 (SP3) adds capabilities to enhance the software and hardware inventory functionalities provided in SMS 2003. Enabled through a new library of over 400,000 software titles, SMS SP3 provides rich reporting about installed applications and hardware to help organizations make better business decisions about their IT assets. New capabilities enable:

• License Reporting: New reports enable comparison of Microsoft applications installed with licenses purchased as well as how those titles were obtained (for example: volume licensing, retail, or OEM) for better optimization of software use across the organization and fewer unutilized applications.
 
• Software Consolidation: View applications by category to better see how many different applications with similar functions and versions are deployed in the organization and make consolidations. The result is accelerated application standardization, a more streamlined support structure, and the ability to maximize volume discounts from software vendors.
 
• Upgrade Planning: Identify core and non-core applications in order to understand what applications require migration to the new environment. Software consolidation aids upgrade planning by reducing the number of applications that need compatibility testing. Identify hardware assets that need upgrading based on comparisons to published operating system hardware requirements. The result is more efficient planning and streamlined execution for upgrading users to Microsoft Windows XP and Windows Vista.
 
• Vista Deployment Support: via the Operating System Deployment Feature Pack, Client Installation on Vista and Operating System Updates via SMS.

For Download and More Details:

http://www.microsoft.com/smserver/evaluation/2003/sp3.mspx

Microsoft Has Announced a New SSL-VPN Protocol - SSTP

Microsoft is now working on a remote access tunneling protocol for Vista and Longhorn Server that lets client devices securely access networks via a VPN from anywhere on the Internet without concern for typical port blocking issues.

The Secure Socket Tunneling Protocol (SSTP) creates a VPN tunnel that travels over Secure-HTTP, eliminating issues associated with VPN connections based on the Point-to-Point Tunneling Protocol (PPTP) or Layer 2 Tunneling Protocol (L2TP) that can be blocked by some Web proxies, firewalls and Network Address Translation (NAT) routers that sit between clients and servers.

The protocol, however, is only for remote access and will not support site-to-site VPN tunnels.

Microsoft hopes SSTP will help reduce help desk support calls associated with IPSec VPNs in which connections get blocked by firewalls or routers. In addition, SSTP won’t foster retraining issues because it does not change the end-user VPN controls. The SSTP-based VPN tunnel plugs directly into current interfaces for Microsoft VPN client and server software.

Microsoft plans to ship SSTP support in Vista Service Pack 1 and in Longhorn Server. The ship date for Vista SP1 has not been set, but Longhorn is expected to ship in the second half of this year. SSTP will be included in Longhorn Server Beta 3, which is set to ship in the first half of 2007.

Microsoft officials also say they are working with partners, which the company declined to name, on adding SSTP to other client devices besides Vista.

SSTP will be part of Microsoft’s Routing and Remote Access Server (RRAS) in Longhorn Server. The protocol is based on Secure Socket Layer (SSL) instead of PPTP or IPSec, and all SSTP traffic will use TCP Port 443.

You can find more information on the Source for this article

Microsoft Forefront Client Security new information

Webcast – TechNet Webcast: A Technical Overview of Microsoft Forefront Client Security (Level 200)

http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032313234&Culture=en-US

 

Read First -

Microsoft Forefront Client Security Public Beta Release Notes

http://download.microsoft.com/download/6/8/1/6811adc1-ee52-4523-ac26-91939d4078ed/readme.htm

 Microsoft Forefront Client Security Public Beta Deployment Guide

http://www.microsoft.com/downloads/details.aspx?FamilyId=508B8FD8-C554-47F0-9F59-35C68D47C770&displaylang=en

 

Download - Microsoft Forefront Client Security Public Beta

http://www.microsoft.com/downloads/details.aspx?FamilyId=65C7116F-D238-463C-B3C7-E2627F210AEE&displaylang=en

 

My Lecture about Protecting intellectual property in the Office/Vista/Exchange Launch

Microsoft has finally uploaded the presentations from the LOVE convention, where you can find great lectures about all the products and also... me :-) talking about intellectual property protection.

My lecture is available through:

mms://213.8.193.29/msnvideo/microsoft/microsoft/vista/office/windows_part_6_edited.wmv

 

You can find other lectures here:

 

http://host.msn.co.il/Microsoft/vista/open_main.html

Enjoy!!

An Introduction to Network Access Protection

One aspect of network security that is frustrating for many administrators is that they have no control over the configuration of remote computers. Although the corporate network might be running a highly secure configuration, there is presently nothing to prevent a remote user from connecting to the corporate network using a computer that is infested with viruses or that contains outdated patches. Longhorn Server’s Network Access Protection feature will change all this. In this article series, I will introduce you to Network Access Protection and show you how it works.

WindowsNetworking.com's Brien Posey recently published part 2 of the article, which explains what a NAP topology is and how to configure one in a normal organization based on Longhorn Server/Vista Client.

Read and Use :-)

http://www.windowsnetworking.com/articles_tutorials/Introduction-Network-Access-Protection-Part1.html
http://www.windowsnetworking.com/articles_tutorials/Introduction-Network-Access-Protection-Part2.html

Services Hardening in Windows Vista

Windows Vista™ is the first Microsoft desktop operating system that is fully compliant with the goals of Trustworthy Computing. Windows Vista Services Hardening, a specific implementation of the Trustworthy Computing Secure by Default principle, is an important new capability that is designed to thwart errant service behavior that much of today's malware can currently perform. Service Hardening helps Microsoft take huge steps in changing the default behavior and security profile of Windows services.

The January 2007 issue of TechNet Magazine publishes an article that states Microsoft's views on services hardening in Windows Vista and lists specific steps that security people can take to make their new Windows Vista installations more secure.

For more information, read the article.

 

Windows Vista with User Account Control - Not a Paperwall ANYMORE!

And again, I join the round of applause for Gadi Meir, who re-upped the issue of admin privileges and the use of them. As a security expert, I've encountered several occasions on which the use of administrator permissions has allowed malware, rootkits and viruses to destroy an entire network from the inside (and I am not talking about a small SBS with 20 clients...).

Although I've also encountered tailored programs that were built to work only with administrator permissions, I've managed to find a secure solution for those as well (using a Terminal Server that went through a very strict hardening process), apart from having those custom applications rewritten (which some of my customers also did after realizing what damage this could do to them and to their customers).

Granting end-users administrative privileges makes individual computers and networks vulnerable to malware and increases total cost of ownership because users can make unapproved system changes. Malware can exploit the system-level privileges provided to the local administrator—damaging files, changing system configurations, and even transmitting confidential data outside the network. Unfortunately, deploying computers in a locked-down state by requiring users to operate in standard user mode severely limits user productivity. Without local administrative rights, many applications will not function properly, because they are designed to write to system locations during normal operation.

After all that, I was still able to realize why it was difficult for users (and especially IT pros) to use a limited user account, and that is exactly why in previous versions of Windows the majority of user accounts are configured as members of the local Administrators group, because administrator privileges are required to install, update, and run many software applications without conflicts and to perform typical system-level tasks. Even the simplest operation, such as clicking the taskbar clock to view a calendar, requires administrator privileges.

But not anymore! Windows Vista provides a simple and secure mechanism for running end-user accounts with standard user privileges, while eliminating the need for administrator privileges when performing many common tasks, such as installing a printer driver or connecting to a secure wireless network. This fundamental shift provides security at the OS level by preventing malware and rootkits from damaging company-wide files and settings.

The main goal of User Account Control is to reduce the exposure and attack surface of the operating system by requiring that all users run in standard user mode. This limitation minimizes the ability for users to make changes that could destabilize their computers or inadvertently expose the network to viruses through undetected malware that has infected their computer.

 

With User Account Control, IT administrators can run most applications, components and processes with limited privileges, but have "elevation potential" for specific administrative tasks and application functions. Conversely, when users encounter a system task that requires administrator privileges, such as attempting to install an application, Windows Vista will notify the user and require administrator authorization. This type of prompting helps ensure that users do not accidentally make modifications to their desktops. It also helps eliminate the ability for malware to invoke administrator privileges without a user's knowledge.
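The elevation model described above can be checked on a live machine. The following PowerShell is an added example, not part of the original post: it reports whether the current session holds an elevated token and reads the machine's UAC policy values; the function names are hypothetical and Windows PowerShell 3.0 or later is assumed.

```powershell
# Added example (not from the original post). Assumes Windows PowerShell 3.0+.
# The value names below are the UAC policy values stored under Policies\System.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPolicy {
    # Read the machine-wide UAC settings; a missing value comes back as $null.
    $p = Get-ItemProperty -Path $UacKey -ErrorAction Stop
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        ConsentPromptBehaviorUser  = $p.ConsentPromptBehaviorUser
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
    }
}

function Get-SessionElevation {
    # With UAC on, an administrator's normal processes hold a filtered token,
    # so IsInRole(Administrator) is $false until the process is elevated.
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $admin     = [Security.Principal.WindowsBuiltInRole]::Administrator
    [pscustomobject]@{
        User       = $id.Name
        IsElevated = $principal.IsInRole($admin)
    }
}

function Test-UacPolicy {
    param([Parameter(Mandatory)] $Policy)
    # Flag only values explicitly set to 0; missing values are not judged.
    $findings = @()
    if ($Policy.EnableLUA -eq 0) {
        $findings += 'EnableLUA is 0: UAC is off, administrators run with full tokens'
    }
    if ($Policy.ConsentPromptBehaviorAdmin -eq 0) {
        $findings += 'ConsentPromptBehaviorAdmin is 0: administrators elevate without a prompt'
    }
    if ($Policy.PromptOnSecureDesktop -eq 0) {
        $findings += 'PromptOnSecureDesktop is 0: prompts are shown on the user desktop'
    }
    $findings
}

$policy = Get-UacPolicy
Get-SessionElevation | Format-List
$policy | Format-List
Test-UacPolicy -Policy $policy | ForEach-Object { "FINDING: $_" }
```

Run from a normal (non-elevated) console as a member of the Administrators group, `IsElevated` is `False` while UAC is enabled, which is the "elevation potential" state the paragraph describes.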

In Windows Vista, Standard User accounts have been given additional privileges that users require to perform common tasks, without needing helpdesk support. These privileges have been determined to have minimal system impact and potential for risk, though administrators will also have the ability to restrict these permissions if they prefer. New permissions for standard user accounts in Windows Vista include:

  • View system clock and calendar
  • Change time zone
  • Install Wired Equivalent Privacy (WEP) to connect to secure wireless networks
  • Change power management settings
  • Add printers and other devices that have the required drivers installed on the computer or have been allowed by an IT administrator in Group Policy
  • Install ActiveX Controls from sites approved by an IT administrator
  • Create and configure a Virtual Private Network connection
  • Install critical Windows Updates

Additionally, disk defragmentation is now an automatically scheduled process in Windows Vista, so users will not have a need to initiate that action.

This is the way UAC Works:

Microsoft understands that although this change is a must (from a security point of view), some customers will find it hard to accept and get used to. To make the transition as smooth as possible, the UAC team has published a set of guides that explain how to configure, customize and develop third-party applications to use the new capabilities Windows Vista offers with UAC.

Among those links you can find the following:

For IT Professionals

For Developers

For the Community

 

Desktop Optimization Pack Available for Download at the Microsoft Volume Licensing Site

For those of you with Software Assurance agreements - this is now available for download via the MS Volume Licensing site.

Microsoft SoftGrid

Microsoft Asset Inventory Service

Microsoft Advanced Group Policy Management

Microsoft Diagnostics and Recovery Toolset


More info: http://www.microsoft.com/windowsvista/getready/optimizeddesktop.mspx

Best practice guide on how to configure BitLocker

WindowSecurity.com's Martin Kiaer updates us about one of the most exciting security features in Vista: Windows BitLocker drive encryption. BitLocker is a full-volume encryption tool that supports custom protection and authentication methods. However, the user and support experience can be a mixed blessing, depending on which protection and authentication methods you choose.

In this article you will find a walkthrough of a best-practice, step-by-step approach to installing and configuring BitLocker in Windows Vista.

http://www.windowsecurity.com/articles/Best-practice-guide-how-configure-BitLocker-Part1.html

Managing Windows Vista Group Policy

Windows Vista includes some important changes from earlier Windows operating systems with regard to Group Policy (GP). WindowSecurity.com's Jakob H. Heidelberg wrote this article, which introduces you to how ADM files evolved into multi-lingual files by the use of XML (ADMX/ADML files) and to the Central Store in all its glory.

Welcome to the constantly expanding Microsoft Group Policy universe.

http://www.windowsecurity.com/articles/Managing-Windows-Vista-Group-Policy-Part1.html
http://www.windowsecurity.com/articles/Managing-Windows-Vista-Group-Policy-Part2.html
http://www.windowsecurity.com/articles/Managing-Windows-Vista-Group-Policy-Part3.html