September 2007 - Posts - The Security Wizard

The Security Wizard

Fighting for the good guys...


VMware bugs shine spotlight on virtualization security

This is dedicated to all of you who always mock at the mention of MS Virtual Server as a virtualization solution. Computer World has published an article about a set of newly discovered flaws in components of VMware Inc.'s virtual machine software that has called attention to some of the security risks associated with the practice of running virtual computers on a single system.

VMware has updated its products to fix the security bugs, disclosed Wednesday, but users who have not updated their software could face serious security risks thanks to a trio of flaws in the DHCP (Dynamic Host Configuration Protocol) server that ships with VMware.

The DHCP software is used to assign IP addresses to the different virtual machines running within VMware, but IBM Corp. researchers discovered that it can be exploited to gain control of the computer. That could be very bad news for someone running a lot of applications on the same VMware box, said Tom Cross, a researcher with IBM's Internet Security Systems group. "By exploiting this vulnerability you get complete control of any of the machines that are running on that virtual environment," he said.

IBM's researchers have developed exploit code for three separate flaws in the DHCP software, all of which are now patched, Cross said.

In order to attack a system, however, an attacker would first need to gain access to software running within the virtual machine. Typically VMware's DHCP server is not configured to be accessible to systems on other machines.

Virtualization software is one of the hottest areas in enterprise IT these days.

For the full article, see Computer World.

ISA Server - Voted WindowSecurity.com Readers' Choice Award Winner - Software-based Firewall Category

ISA Server was selected as the winner in the Software-based Firewall category of the WindowSecurity.com Readers' Choice Awards. Astaro Security Gateway SA and Symantec Sygate Enterprise Protection were first runner-up and second runner-up.

Results
1st ISA Server 19%
2nd Astaro Security Gateway SA 12%
3rd Symantec Sygate Enterprise Protection 10%
4th Check Point VPN-1 UTM 9%
4th Kerio WinRoute Firewall 9%
5th Blue Coat WinProxy 4%
6th CyberArmor Suite 3%
7th VisNetic Firewall 2%
7th Securepoint Security UTM 2%
7th GB-Ware Software Firewall 2%
Other* 28%

"Our Readers’ Choice Awards give visitors to our site the opportunity to vote for the products they view as the very best in their respective category,” said Sean Buttigieg, WindowSecurity.com manager. “WindowSecurity.com users are specialists in their field who encounter various network security solutions at the workplace.  The award serves as a mark of excellence, providing the ultimate recognition from peers within the industry.”

For the full article and interview with Sean Buttigieg.

SSTP: Microsoft's new VPN tunnel using SSL is coming

Microsoft's RRAS team is very happy to announce that SSTP will be released for the first time to all our TAP and techbeta customers via the Vista SP1 beta and the Windows Server 2008 RC0 release, which was released on Sept 25th, 2007.

To get your hands dirty with SSTP, work with your Microsoft TAP contact if you are part of Windows TAP program. If not, you can be a part of Windows techbeta program via enrolling to http://connect.microsoft.com and get the Windows beta bits.

To do an SSTP pilot or lab deployment, all you need is:

1) A machine running Vista SP1 beta or Windows Server 2008 RC0 or later, acting as the VPN client

2) A machine running Windows Server 2008 RC0 or later, acting as the VPN server

Please enroll and get your set-up ready.

Here is the SSTP step-by-step guide: http://download.microsoft.com/download/b/1/0/b106fc39-936c-4857-a6ea-3fb9d1f37063/deploying%20sstp%20remote%20access%20step%20by%20step%20guide.doc

For more questions on SSTP (including how to deploy SSTP behind NAT and how to debug SSTP specific connection failures) see http://blogs.technet.com/rrasblog/archive/tags/SSTP/default.aspx

How to protect AD objects from accidental deletion

Another great post by the AD expert Ulf B. Simon-Weidner.

A new option in the GUI of Windows Server 2008, but also possible in any version of Active Directory: you are able to protect any object from accidental deletion. I had to recover a couple of production ADs over the past couple of years, and every time it was because of an accidental deletion. Also I've seen that OUs have been accidentally moved - this has probably happened to everyone with files/folders in Windows Explorer - you accidentally get stuck on the mouse button while hovering over a folder and drop it accidentally on another folder.

So how do you protect objects from accidental deletion in Windows Server 2008? That's easy - first switch on the Advanced View, then go into the properties of the object in question. Here - on the "Object"-Tab - you'll find the new checkbox "Protect Object from accidental deletion".


By default, OUs created in Active Directory Users and Computers are protected. However, when you don't create the OU in Active Directory Users and Computers, or you created them before you got Windows Server 2008 in your domain (how likely, I know), the OU will not be protected from accidental deletion.

However, what's quite interesting is what's being done in the Background: The Security-Descriptor of this object is being modified with a Deny-Entry for Everyone to delete and delete subtree. So it's downward compatible with Windows Server 2003 and Windows 2000, and you are even able to do this either manually or using DSACLS today.

If you want to use DSACLS to protect an OU you can use the following command:

dsacls ou=MyUsers,dc=example,dc=com /d Everyone:SDDT

So if you are creating your OU structure with "dsadd ou" you might want to use this command to protect the OU from deletion. The checkbox in the GUI will also reflect this change; however, I've seen that it sometimes takes a while or inconsistently displays whether the OU is protected or not. This might be a bug in the current beta, and you should make sure it's protected using the Security tab.

As I said, you'd be able to do this today as well. And if you want to protect your whole OU-Structure, you can use the following command to protect every OU in the domain:

for /f "delims=" %i in ('dsquery ou -limit 0') do dsacls %i /d everyone:SDDT

If you just want to protect certain levels, you only need to change the dsquery command.
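Because the GUI checkbox can lag behind the real ACL, it helps to audit the security descriptors directly. The following PowerShell script is an added example, not part of Ulf's post: it lists every OU in the domain and reports whether the explicit Deny ACE for Everyone (Delete plus Delete Subtree, the same ACE that dsacls /d Everyone:SDDT writes) is present, and with -Fix it adds that ACE where it is missing. It assumes it runs as a domain account that can read (and, with -Fix, modify) OU security descriptors; it uses only ADSI, so it works against Windows 2000/2003 domain controllers too.

```powershell
# Audit (and with -Fix, apply) the "protect from accidental deletion" ACE on every OU.
# Added example, not from the original post. Assumes a domain account that can read
# OU security descriptors and, when -Fix is given, modify them.
param([switch]$Fix)

$Everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$Wanted   = [System.DirectoryServices.ActiveDirectoryRights] 'Delete, DeleteTree'

function Test-OuProtected([System.DirectoryServices.DirectoryEntry]$Entry) {
    # Only explicit (non-inherited) ACEs count: that is what the checkbox and dsacls
    # write, and an inherited Deny could be removed higher up without anyone noticing.
    $rules  = $Entry.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
    $denied = [System.DirectoryServices.ActiveDirectoryRights] 0
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -eq 'Deny' -and $rule.IdentityReference -eq $Everyone) {
            $denied = $denied -bor $rule.ActiveDirectoryRights
        }
    }
    # Both rights must be denied: Delete blocks a normal delete of the OU,
    # DeleteTree blocks a tree-delete of the OU together with its contents.
    return (($denied -band $Wanted) -eq $Wanted)
}

function Protect-Ou([System.DirectoryServices.DirectoryEntry]$Entry) {
    # Equivalent of: dsacls <dn> /d Everyone:SDDT
    $ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
                      -ArgumentList $Everyone, $Wanted, ([System.Security.AccessControl.AccessControlType]::Deny)
    $Entry.ObjectSecurity.AddAccessRule($ace)
    $Entry.CommitChanges()
}

# Enumerate every OU below the domain root with a paged search (more than 1000 OUs is fine).
$domainDn = ([ADSI]'LDAP://RootDSE').defaultNamingContext
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$domainDn"
$searcher.Filter     = '(objectClass=organizationalUnit)'
$searcher.PageSize   = 1000
[void]$searcher.PropertiesToLoad.Add('distinguishedName')

$report = foreach ($result in $searcher.FindAll()) {
    $ou = $result.GetDirectoryEntry()
    if (Test-OuProtected $ou) {
        $state = 'Protected'
    } elseif ($Fix) {
        Protect-Ou $ou
        $state = 'Fixed'
    } else {
        $state = 'UNPROTECTED'
    }
    New-Object PSObject -Property @{
        State             = $state
        DistinguishedName = $result.Properties['distinguishedname'][0]
    }
}

$report | Sort-Object State, DistinguishedName | Format-Table State, DistinguishedName -AutoSize
```

Run it once without -Fix to see which OUs are exposed, then with -Fix to protect them; a second run without -Fix confirms the ACE was actually written to the directory.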

Windows Server 2008 RC0 Download and New Technical Resources

Windows Server 2008 RC0 Enterprise, Windows Server 2008 RC0 Datacenter, Windows Server 2008 RC0 Standard Edition, Windows Web Server 2008 RC0
Windows Server 2008 Release Candidate helps IT professionals to increase the flexibility and reliability of their server infrastructure while offering developers a more robust web and applications platform for building connected applications and services.

Windows Media Services for Windows Server 2008 RC0
These Microsoft Update Standalone Package (MSU) files install the latest version of Windows Media Services and related remote administration tools for the Windows Server 2008 RC0 operating system.

Windows Server 2008 RC0 for Itanium-based Systems

Windows Server 2008 Step-by-Step Guides
These step-by-step guides help IT Professionals learn about and evaluate Windows Server 2008.
These documents are downloadable versions of guides found in the Windows Server 2008 Technical Library. (http://go.microsoft.com/fwlink/?LinkId=86808)
http://www.microsoft.com/downloads/details.aspx?FamilyID=518d870c-fa3e-4f6a-97f5-acaf31de6dce&DisplayLang=en

Windows Server 2008 Technical Overviews

These technical overviews provide IT Professionals with information about how a Windows Server 2008 technology works. They may also cover design and planning considerations and basic setup and operating instructions.
These documents are downloadable versions of guides found in the Windows Server 2008 Technical Library (http://go.microsoft.com/fwlink/?LinkId=86808).

http://www.microsoft.com/downloads/details.aspx?FamilyID=46dc26d6-af47-43f0-b3de-521831fe09d6&DisplayLang=en

10+ things that can send an IT project off the rails

Depending upon the unique aspects of a situation, a multitude of reasons can cause a project to go out of control. Here are some of the most common risk factors.

Note: This list is based on the article "How to identify a failing project" by Jason P. Charvat.

#1: Sloppy requirements

Every project depends upon solid user requirements being firmly locked down prior to any work being undertaken. Failure to do so is a leading cause of project failure. Somehow, the trend is that many project teams think they can get started by rushing the requirements-gathering phase. These projects are then eagerly started with incomplete requirements. If you are developing a project using a standard waterfall methodology, any incomplete requirements will have both a negative cost and schedule impact on the project. On iterative development projects, user requirements are still of utmost importance, but they can be negotiated ahead of any actual development.

#2: Schedule slippage

Many times, project schedules spiral out of control when dates and deliverables aren't aggressively monitored and tracked on a daily basis. All too often, managers leave issues unresolved for days, which then results in schedule overruns. I recommend that you check project schedules daily.

#3: Budget overrun

Projects that run over budget are sometimes more prone to being canceled because senior executives are concerned about cash going into and out of company coffers. If a project starts showing gradual cost overruns, it’s often still given a chance. But as the losses mount and show no sign of recovery, canceling the project may be necessary. In reality, though, some projects are so critical to business survival that they can’t be stopped. Therefore, the cost overruns are simply absorbed or skillfully transferred elsewhere. This means that project managers must manage their actual budgets against the planned budget and keep their stakeholders aware of any deviation.

#4: Scope creep

When clients insist on ever-increasing changes to the product being developed, scope creep can jeopardize the project. I don’t know of too many project managers who can handle too many changes all at once. An even more difficult situation for a project manager surfaces when new changes are introduced after the project has been launched. This usually drives up the cost, resource requirements, deliverables, and completion time. Scope creep needs to be managed and the project manager needs to have a change control process in place to assess the impact and cost of the change and, possibly, negotiate the change for a future release.

#5: Poor planning and estimation

Those projects that are poorly estimated and planned tend to fail both in cost and schedule, which eventually causes the overall project to fail. Managers tend to start projects without relying on proper analysis and sizing and fail to consult subject matter experts or cost estimators to validate how much project work packages will cost.

#6: Poor documentation

Maintaining inadequate project documentation is cause for concern and should raise the red flag. Lessons learned from many failed projects reveal that there was too little documentation to adequately describe the project in its broader terms and serve as a clear communication channel.

#7: New technology

Projects that require integrating new tools and deploying new vendor applications/devices are always far more difficult because usually, only the vendor engineers clearly understand the limitations and functionality of the products. This results in delays in project schedule and could require weeks or months before the products are stable enough to be deployed. If a project is undertaken using new technology, managers should be aware of the associated risks and plan their schedules accordingly.

#8: Poor communications

One of the biggest reasons why any project goes bad is due to a lack of communication. I have seen many projects fail simply because no one understands what to do and receives no communication regarding current progress. Inevitably, this results in project failure.

#9: Poor decision-making

Decisions that aren’t made at all and decisions that are delayed due to second-guessing are both risk factors. In addition, some decisions are so turned out-of-context as responsibility for them is passed down the line that they end up being made based on faulty information. This doesn’t bode too well for any critical project.

#10: Poor project management

The person managing the project may not have the skills or experience to pull it off. Yes, any project can be stuck with a lame duck manager. In such cases, it may be necessary to stop the project, replace the project manager, make the necessary adjustments, and start again. The departing manager should be given the option to provide his/her version of the story, though, before moving on.

#11: Poor testing

A big culprit on any project is having either too little testing or, in many cases — if a test team is involved — testing too late in the process. Both testing and quality assurance need to be built into the project from the day the project is launched.

View Original article...

Install WSUS 3.0 - Step-By-Step

I've managed to compose a quick installation procedure for those of you who want to utilize this great free utility from Microsoft...

Enjoy!

Pre-Requisites

  1. IIS 6.0 with ASP.NET installed (Windows Components).
    Go to Control Panel -> Add/Remove Programs -> Windows Components.

    Check Application Server and click Details.

    Make sure that Application Server Console and ASP.NET are checked, then check Internet Information Services and click Details.

    Make sure that BITS, Common Files and Internet Information Services Manager are checked, then click World Wide Web Service and click Details.

    Make sure that Active Server Pages and World Wide Web Service are checked, click OK twice and click Next.

    Click Finish.
  2. MMC 3.0 (not needed if Windows 2003 SP2 is installed).
  3. .NET Framework 2.0 (included with Windows Server 2003 R2, or available for download from Microsoft at http://www.microsoft.com/downloads/details.aspx?FamilyID=0856EACB-4362-4B0D-8EDD-AAB15C5E04F5)
  4. Microsoft Report Viewer Setup (available for download from Microsoft at http://www.microsoft.com/downloads/details.aspx?familyid=8a166cac-758d-45c8-b637-dd7726e61367)



WSUS 3.0 Installation

Install WSUS 3.0 from: http://www.microsoft.com/downloads/details.aspx?FamilyId=E4A868D7-A820-46A0-B4DB-ED6AA4A336D9

Check "I Accept" and then click Next.

Check "Store updates locally" and type D:\Wsus (or any other folder; it is recommended not to use your system partition for storing WSUS updates) as the path to save the updates. Then click Next.

Choose "Install/Use an existing server database on this computer" and leave the path at its default (the same location as the WSUS updates). Then click Next.

Click Next.


Check "Use existing IIS Default Web Site" and click next.





WSUS Configuration Wizard

After the setup ends, the following screen will open up:

Click Next.

Check the I would like to join box and click Next.

Choose synchronize from Microsoft update, and click next.

In case you have a proxy server in your organization, specify the proxy settings; otherwise leave all settings at their defaults and click Next. It is recommended to set up WSUS to work without a proxy server and allow it a direct connection to the Internet (open the appropriate ports on the firewall).


In the connect to upstream server page, click start connecting. After the server has finished the initial sync, the next button will be available. Click next.

In the choose language window, choose English and Hebrew (or any other language of your choice) and click next.

On the Choose Products page, check the products you wish to sync (default: Windows – all versions, Office – all versions, Exchange – all versions). Then click Next.

On the choose classifications page, choose all classifications and click next.

On the sync schedule page, choose synchronize automatically when first sync is at 12:00:00AM and the sync per day setting is set to 24. Then click next.

On the finished page, check both checkboxes and click finish.

WSUS initial configuration

On the Update Services administration console that opens when the setup ends, click Options, then click Automatic Approvals.

On the Automatic Approvals window, check the default automatic approval rule (which automatically approves critical and security updates) and click New Rule if you wish to add additional auto-approve rules for specific products or classifications.

On the Add Rule wizard, specify any other auto-approve rules that you wish, by product or classification.

On the Choose Products window, check only Forefront -> Forefront Client Security and click OK.

Back on the Add Rule window, under step 3, type a rule name (e.g. FCS Update rule) and click OK twice.

Defining WSUS Update Policy (GPO)

Open the Group Policy Management Console (GPMC): Start -> Run -> type gpmc.msc -> OK.

Right click on the Group policy objects container and click new.

Write the policy name and click OK.

Expand the group policy objects container and then right-click the object you have just created and click edit.

Expand the Computer configuration -> Administrative Templates -> Windows Components -> Windows Update.

Now configure the following options:

  1. Configure Automatic Updates
  2. Specify intranet Microsoft update service location: enter the NetBIOS name that your internal clients will use to reach the WSUS server.

Recommended settings

  1. Client-side targeting: Specifies the target group name or names that should be used to receive updates from an intranet Microsoft update service.
    If the status is set to Enabled, the specified target group information is sent to the intranet Microsoft update service, which uses it to determine which updates should be deployed to this computer.
    Note: in order for this to work, you need to create the groups in the WSUS server.
  2. Reschedule Automatic Updates scheduled installations: Specifies the amount of time for Automatic Updates to wait, following system startup, before proceeding with a scheduled installation that was missed previously.
    If the status is set to Enabled, a scheduled installation that did not take place earlier will occur the specified number of minutes after the computer is next started.
  3. No auto-restart: Specifies that to complete a scheduled installation, Automatic Updates will wait for the computer to be restarted by any user who is logged on, instead of causing the computer to restart automatically.
    If the status is set to Enabled, Automatic Updates will not restart a computer automatically during a scheduled installation if a user is logged in to the computer. Instead, Automatic Updates will notify the user to restart the computer.
  4. Automatic Updates detection frequency: Specifies the hours that Windows will use to determine how long to wait before checking for available updates. The exact wait time is determined by using the hours specified here minus zero to twenty percent of the hours specified. For example, if this policy is used to specify a 20 hour detection frequency, then all clients to which this policy is applied will check for updates anywhere between 16 and 20 hours.
    If the status is set to Enabled, Windows will check for available updates at the specified interval.
    If the status is set to Disabled or Not Configured, Windows will check for available updates at the default interval of 22 hours.
  5. Allow Automatic Updates immediate installation: Specifies whether Automatic Updates should automatically install certain updates that neither interrupt Windows services nor restart Windows.
    If the status is set to Enabled, Automatic Updates will immediately install these updates once they are downloaded and ready to install.
  6. Allow non-administrators to receive update notifications: Specifies whether, when logged on, non-administrative users will receive update notifications based on the configuration settings for Automatic Updates. If Automatic Updates is configured, by policy or locally, to notify the user either before downloading or only before installation, these notifications will be offered to any non-administrator who logs onto the computer.
    If the status is set to Enabled, Automatic Updates will include non-administrators when determining which logged-on user should receive notification.

After you have finished configuring the GPO, go back to the GPMC console and link the GPO to the OU that contains the computer objects you wish to work with the WSUS server. Do this by right-clicking the OU and choosing Link an Existing GPO.
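Once the GPO is linked, the quickest way to see whether a client actually picked up these settings is to read the registry values the Windows Update administrative template writes under HKLM\SOFTWARE\Policies. The script below is an added example, not part of the original post: it checks the two required settings and the six recommended ones against the ranges described above and prints one finding per setting that is missing or out of range. The WSUS URL and the target-group name are assumptions passed as parameters; run it on a client after "gpupdate /force".

```powershell
# Report which WSUS policy settings from the GPO are missing or out of range on this client.
# Added example, not from the original post. Registry value names are those written by
# the Windows Update administrative template; server URL and group name are assumptions.
param(
    [string]$ExpectedServer = 'http://wsus01:8530',   # assumed URL of your WSUS server
    [string]$ExpectedGroup  = 'Workstations'          # assumed client-side target group
)

$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = "$wu\AU"

function Get-PolicyValue([string]$Path, [string]$Name) {
    # $null means the setting is not configured on this client at all
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-InRange($Value, [int]$Min, [int]$Max) {
    ($Value -ne $null) -and ($Value -ge $Min) -and ($Value -le $Max)
}

function Test-WsusClientPolicy([string]$Server, [string]$Group) {
    $findings = @()

    # Required: "Specify intranet Microsoft update service location"
    $wuServer = Get-PolicyValue $wu 'WUServer'
    if (-not $wuServer) {
        $findings += 'WUServer not set: the client will go to Microsoft Update directly'
    } elseif ($wuServer -ne $Server) {
        $findings += "WUServer is '$wuServer', expected '$Server'"
    }
    if ((Get-PolicyValue $au 'UseWUServer') -ne 1) { $findings += 'UseWUServer is not 1' }
    if ((Get-PolicyValue $wu 'WUStatusServer') -ne $wuServer) {
        $findings += 'WUStatusServer differs from WUServer: status reports go elsewhere'
    }

    # Required: "Configure Automatic Updates" (AUOptions 2-5 and not disabled)
    $disabled  = (Get-PolicyValue $au 'NoAutoUpdate') -eq 1
    $auOptions = Get-PolicyValue $au 'AUOptions'
    if ($disabled -or -not (Test-InRange $auOptions 2 5)) {
        $findings += 'Automatic Updates not configured (AUOptions 2-5 expected)'
    }

    # Recommended setting 1: client-side targeting
    $tgEnabled = (Get-PolicyValue $wu 'TargetGroupEnabled') -eq 1
    $tgName    = Get-PolicyValue $wu 'TargetGroup'
    if (-not $tgEnabled -or $tgName -ne $Group) {
        $findings += "Client-side targeting is not set to group '$Group'"
    }
    # Recommended setting 2: reschedule missed scheduled installations (1-60 minutes)
    $rsEnabled = (Get-PolicyValue $au 'RescheduleWaitTimeEnabled') -eq 1
    $rsMinutes = Get-PolicyValue $au 'RescheduleWaitTime'
    if (-not $rsEnabled -or -not (Test-InRange $rsMinutes 1 60)) {
        $findings += 'Reschedule wait time not enabled (1-60 minutes expected)'
    }
    # Recommended setting 3: no auto-restart while a user is logged on
    if ((Get-PolicyValue $au 'NoAutoRebootWithLoggedOnUsers') -ne 1) {
        $findings += 'No auto-restart with logged-on users is not enabled'
    }
    # Recommended setting 4: detection frequency (1-22 hours; 22 is the default)
    $dfEnabled = (Get-PolicyValue $au 'DetectionFrequencyEnabled') -eq 1
    $dfHours   = Get-PolicyValue $au 'DetectionFrequency'
    if (-not $dfEnabled -or -not (Test-InRange $dfHours 1 22)) {
        $findings += 'Detection frequency not set (1-22 hours expected)'
    }
    # Recommended setting 5: immediate installation of minor updates
    if ((Get-PolicyValue $au 'AutoInstallMinorUpdates') -ne 1) {
        $findings += 'Immediate installation of minor updates is not enabled'
    }
    # Recommended setting 6: non-administrators receive update notifications
    if ((Get-PolicyValue $wu 'ElevateNonAdmins') -ne 1) {
        $findings += 'Non-administrators will not receive update notifications'
    }
    return ,$findings
}

$findings = Test-WsusClientPolicy $ExpectedServer $ExpectedGroup
if ($findings.Count -eq 0) {
    'Client matches the WSUS policy.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```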

Posted: Sep 23 2007, 06:25 PM by yanivf | with 40 comment(s)

10 free security tools you should already be using

Ryan Naraine recently put together a photo gallery that describes 10 free security tools you might want to look into, and I just PDFed it for those who want to download the info in one consolidated document. The gallery includes one product that has since become defunct (Active Virus Shield), so I substituted another tool that received a secondary mention in his gallery (LinkScanner Lite). Here’s a list of all the products discussed in the download:

#1: Secunia Personal Software Inspector

#2: OpenDNS

#3: Haute Secure

#4: LinkScanner Lite

#5: GMER anti-rootkit

#6: Netcraft Toolbar

#7: File Shredder

#8: CCleaner

#9: PC Decrapifier

#10: NoScript for Firefox

What additional tools do you think belong on this list?

Windows System State Analyzer - Diagnose Yourself

Microsoft is starting to release some tools to validate system configurations and verify server application/driver compliance for the Windows Server 2008 logo and certification program.

http://www.innovateonwindowsserver.com/learnbuild.aspx

What does this mean for you?  It means you now have a tool that you can use to take a snapshot of  your server, save the output to a snapshot file, and then compare it to another snapshot from the same system, or another system all together and compare the differences.

Windows System state analyzer tool
Helps create snapshots of the computer—some of which include fixed drives, services, drivers and the registry. Users can create two snapshots at different points in time and compare them to view differences. A detailed report could be generated at the end of a compare operation.

Source: Brad Rutkowski's Blog

New Microsoft Blog: Hackers @ Microsoft

I think the first post speaks for itself:

Welcome to a new blog from Microsoft. The focus of this blog is likely to be a little different from most other blogs you'll see on blogs.msdn.com. Microsoft employs some of the best hackers in the world and actively recruits them and develops them. They work on all kinds of projects, whether it be in development, research, testing, management and of course security. Of course, there is controversy even in the word "hacker", but I don't think that should stop us from using it in the manner I think is the most appropriate. At his or her core, a true hacker is someone who is curious and wants to learn how systems work. This can be, and of course at Microsoft is, done in an ethical, legal manner.

We employ "white hat hackers" who spend their time pentesting and code reviewing applications and software looking for weaknesses and vulnerabilities so that others don't once we've released that code into the wild. We employ many, many smart testers who know more about some of our software than perhaps the architects who designed it. We also employ some of the top researchers in their industry, dedicated people working on the bleeding edge of what's going to be commonplace in the next 5 or 10 years of computing. So yes, Microsoft does have hackers, and it's time to introduce you to some of them and show you what it is, exactly, that they do.

Generally most of the content you'll read and people you'll meet on this blog will be somehow related to security, but not all by any stretch.

The new hackers @ Microsoft Blog

Unique Group Policy Security Settings

Enforcing Group Policy security settings (including some in-depth Registry "hacks"), and some of the most common scenarios where security settings do not behave as they appear.

There are numerous security settings that can be configured in a single Group Policy Object. These settings range from controlling the Administrator account to controlling the LDAP client signing requirements. With so many security settings, it is important to understand how they function and where there might be a behavior that is not as obvious as you would imagine.

In December 2004 Derek Melber wrote an article on "Enforcing Group Policy Security Settings" which can give you some detailed insight into how security settings can be enforced in a standard environment. In this article, Derek expands on this concept (with some in-depth Registry "hacks"), as well as going into some of the most common scenarios where security settings do not behave as they appear.

Read more in the full guide, Unique Group Policy Security Settings, by Derek Melber.

How to configure the new Windows Server 2008 advanced firewall MMC snap-in

The new features of the Windows Server 2008 Advanced Firewall and how to configure this powerful host-based firewall using the new MMC snap-in.

Since its inception, the Windows Server 2003 SP1 firewall has been a basic, inbound-only, host based, stateful firewall. With Windows Server 2008, the built-in firewall has been dramatically improved.

If you want to learn how to use this great new ability, read David Davis's new guide on configuring the new Windows Server 2008 Advanced Firewall MMC snap-in.

Introduction to Internet Information Services 7.0

Internet Information Services 7.0 (IIS 7.0) is Microsoft’s latest version of their web server. IIS has been included with Windows Server since Windows 2000 Server as a Windows Component and since Windows NT as an option. IIS 7.0 is available with Windows Vista and Windows Server 2008, which is scheduled for release in Q1 2008. IIS 7.0 has gone through a major overhaul and has been completely redesigned from scratch. This has been done to make the most flexible and secure platform for web and application hosting.

IIS 7.0 has been designed to be the most secure and flexible web and application platform from Microsoft. Microsoft has redesigned IIS from the ground and during this process the IIS team has focused on 5 major areas:

  • Security

  • Extensibility

  • Configuration and Deployment

  • Administration and Diagnostics

  • Performance

Peter Schmidt, who is a very respected professional in all subjects related to Windows infrastructure and IIS in particular, has published an introductory guide to all these new capabilities...

Introduction to Internet Information Services 7.0

For all of you who are planning on getting into Server 2008/IIS 7.0, this would be a great place to start....

Forefront Client Security critical update available

Microsoft has issued hotfix 936729 for customers with FCS servers showing one or more of the following:

Symptom 1
When you enable SpyNet, FCS Management Server uses a blank proxy value as the default value.
Note See the "More Information" section for a description of the changes that have been made to the SpyNet setting.
Symptom 2
When you set the Ignore override policy setting, the client computer still receives notifications about potentially unwanted software. However, no alert is generated on the FCS management server based on the notification.
Note See the "More Information" section for a description of the changes that have been made to the way that FCS Management Server handles policies that include threat-level overrides.
Symptom 3
Updates and hotfixes cannot be uninstalled on the FCS management server.
Symptom 4
You cannot reinstall any FCS role after you install FCS server-side updates or hotfixes.

In this case, you should contact Microsoft (or use this automated procedure) to receive the hotfix.

ISA 2006 Service Update and IAG 2007 Service Pack 1

Microsoft has released product updates for Microsoft Internet Security and Acceleration (ISA) Server 2006 and Intelligent Application Gateway (IAG) 2007.

IAG 2007 Service Pack 1 will help businesses deploy a more secure and scalable solution for remote access that meets the needs of their growing base of mobile users through Windows Vista client support and select feature enhancements, with improved platform performance, stability, and security.

ISA Server 2006 Supportability Update provides enhanced troubleshooting tools and improved log viewer functionality to ISA Server 2006 Standard and Enterprise Editions.

On a more personal note, I had the opportunity to talk a little bit with the ISA team about the logs a few months ago, while they were working on ISA 2004 SP3, which featured the advanced logging options for the first time. I must say that as a security architect, and as someone that installs and troubleshoots at least 3 ISA servers per week (:-)), I am very happy with the progress. A small step for ISA, a giant leap for mankind (or anyone else that handles ISA).
