November 2007 - Posts
The LocalSystem account has been around since Windows NT, yet few administrators really understand it.
Although it is a powerful account, it is often used as a crutch for application developers who don't want to deal with figuring out what security they require. The LocalSystem account has some interesting characteristics that create security risks, especially in multiple domain forests.
First, let's look at a few basic concepts of the LocalSystem account. The account exists on every Windows computer -- whether it is a client workstation, domain controller or server. This account has total control over the computer and cannot be locked out or denied any privilege.
The characteristics of this account include:
- Access to all processes, including system processes
- Full access to local resources
- Applications that may run in the context of the LocalSystem account
- Pre-defined account in Windows
- Use of the computer account's privileges to access network resources
On a domain controller, the LocalSystem account has full access to Active Directory because a replica exists on the local computer's file system and is, therefore, considered a local resource.
In Windows NT, there was only a single writable copy of the SAM database, and there was no concept of a forest linking domains and domain security together, other than by external trusts. The domain was the security boundary.
This made the LocalSystem account pretty safe. Windows 2000 introduced the concept of a forest and two additional naming contexts or directory partitions: the schema and configuration partitions. These partitions contain information about every DC, every domain and other forest-wide information like replication topology.
Two specific groups in Active Directory have access to this information. The Enterprise Admins group has access to domain and configuration information, while the Schema Admins group has access to schema data. The Domain Admins group has rights to the resources in a specific domain.
Accounts are appropriately given permissions required for domain and forest administration using these groups. However, the LocalSystem account is a bit of a wild card. As previously mentioned, one of the characteristics of the LocalSystem account is that it has full access to Active Directory because replicas of the AD exist on each DC.
The dangers posed by this account on a domain controller are somewhat frightening because they transcend normal delegation design, where we attempt to limit certain accounts in scope of access. For instance, we usually assume that a domain administrator has no access to the schema or configuration partitions.
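A quick way to see how much software on a given box is leaning on LocalSystem, as an added example (PowerShell written for this page, not code from Gary Olsen's article). It assumes PowerShell 2.0 or later and the standard WMI Win32_Service class, and flags any LocalSystem service whose binary lives outside %SystemRoot% as a candidate for LocalService, NetworkService or a dedicated low-privilege account:

```powershell
# Added example, not from the article: list services that run as LocalSystem and
# mark the third-party ones (binary outside %SystemRoot%), which are the "crutch"
# cases the text describes. Assumes PowerShell 2.0+ and WMI's Win32_Service.

$systemRoot = $env:SystemRoot

# WMI reports the LocalSystem logon account as the literal string 'LocalSystem'.
$localSystemServices = Get-WmiObject -Class Win32_Service |
    Where-Object { $_.StartName -eq 'LocalSystem' }

$report = foreach ($svc in $localSystemServices) {
    # Some ImagePath values still contain %SystemRoot%; expand before comparing.
    $path = [Environment]::ExpandEnvironmentVariables([string]$svc.PathName)

    if ($path -match '^"([^"]+)"') {
        # Quoted path: everything between the quotes is the executable.
        $exe = $matches[1]
    } elseif ($path -match '^(.+?\.exe)') {
        # Unquoted path: take up to the first .exe. An unquoted path containing
        # spaces is a finding of its own (the classic unquoted service path issue).
        $exe = $matches[1]
    } else {
        $exe = $path
    }

    New-Object PSObject -Property @{
        Name       = $svc.Name
        State      = $svc.State
        StartMode  = $svc.StartMode
        Executable = $exe
        ThirdParty = -not $exe.StartsWith($systemRoot, [StringComparison]::OrdinalIgnoreCase)
    }
}

$report | Sort-Object ThirdParty, Name -Descending |
    Format-Table Name, State, StartMode, ThirdParty, Executable -AutoSize

# Every one of these reaches the network as the computer account, and on a domain
# controller has unrestricted access to the local AD replica.
$thirdParty = @($report | Where-Object { $_.ThirdParty })
"{0} services run as LocalSystem; {1} of them are third-party binaries." -f @($report).Count, $thirdParty.Count
```

Run it on a domain controller and compare the third-party list against what the vendors actually document as required; a service that only needs to read its own install directory and talk to a database has no business holding a token that can write the schema.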
Read the full article by Gary Olsen at SearchWinIT.com
Another great article from the 10 steps blog, this time by Debra Littlejohn Shinder. Debra is a technology consultant, trainer and writer who has authored a number of books on computer operating systems, networking, and security.
Company networks are undergoing so-called “de-perimeterization,” as online collaboration with partners, customers, telecommuters, and others outside the physical LAN becomes more and more important to doing business. At the same time, these users are able to connect to company resources with a wider variety of devices, including smartphones, Blackberries, and other handheld devices. This is great in terms of access, but not so great in terms of security. The old security model is dependent on “border patrol” via firewalls, intrusion detection and prevention systems, DMZs, and other perimeter protection methods. In the new, borderless network, the focus shifts to protection of the data itself.
Here are 10 technologies you should be looking at to help secure your borderless network.
Note: This information is also available as a PDF download.
#1: Strong and multi-factor authentication
User authentication focuses on who is requesting access, rather than where they’re located. But when users can access internal resources from anywhere, it becomes more important than ever to ensure that the authentication process can’t be circumvented.
Strong authentication methods include more than just providing a password; for example, a user might be required to answer multiple challenge questions before being given access to sensitive data. Multi-factor authentication adds another element: The user must provide a card, token (something you have), or biometric identifier, such as a fingerprint or iris scan (something you are), as well as the “something you know” element of passwords and successful answers to questions.
Some companies, such as SafeNet, have developed entire security platforms targeted at protecting borderless networks.
#2: Cross-company identity management
Closely related to authentication is the dilemma of identity management. Identity management systems tie particular people to particular accounts, names, and attributes. The problem with traditional identity management systems is that they work well within the borders of an organization but not as well with users outside the organization. That’s where cross-organization, or federated, identity management comes in.
A federated identity management (FIM) system allows partner companies to authenticate each others’ users. Microsoft’s Identity Integration Server (MIIS) and its successor, Identity Lifecycle Manager (ILM), are examples of products that can provide federation-wide identity management. Another option is RSA’s Federated Identity Manager.
#3: Host-based security software
A borderless network doesn’t mean the firewall is dead; it’s just moved. Actually, most companies aren’t doing away with their perimeter firewalls — we haven’t gotten quite that de-perimeterized yet. But when those borders aren’t as tight as they used to be, it’s a good idea to install/use host-based firewalls, antivirus, and other security products to catch those threats that make it past the edge firewalls. This gives you a double dose of protection.
The latest versions of Windows client and server operating systems come with firewall and anti-spyware programs built in, and numerous third-party host-based products are available.
#4: Application-level security
Application-level security is integrated into the user or business application program and can provide cryptographic services, such as non-repudiation through digital signatures or selective field encryption. This gives you good protection against “insider” attacks (which becomes even more important in the borderless network, where the lines between insider and outsider are blurred).
#5: Policy-based integrity enforcement
When users are connecting to your internal resources from various locations via computers you don’t control, it becomes especially important to ensure the integrity of those systems. You want to be assured that they are running that host-based security software (firewall, antivirus, etc.) and have installed security updates to minimize the chances that an infected remote system will spread malware or attacks to other computers on your network.
To do this, you can use policy-based integrity systems, such as Microsoft’s Network Access Protection (NAP), which is a policy enforcement system built into Windows Server 2008, Vista, and Windows XP Service Pack 3, or Cisco’s Network Admission Control (NAC), which likewise restricts connection of devices that aren’t compliant or trusted.
#6: Data-centric access controls
File-level access controls, such as NTFS permissions, help protect data whether it’s accessed from a remote computer, an internal computer, or the local machine, making protection more data-centric. Access is granted or denied based on individual user accounts or group membership and is not dependent on the physical location of the user.
#7: File-level encryption
Encryption of individual data files can be accomplished using the Encrypting File System (EFS) built into modern Windows operating systems. The latest versions of EFS allow the creator/owner of the file to specify other users who can share/access the encrypted file. EFS is certificate based, and users can export their EFS certificates and private keys to removable media so that the private key does not remain on the computer when they’re not using it.
Alternatively, third-party data encryption software, such as Cypherix, can be used to encrypt individual files, folders, e-mail messages, etc., including the data on removable media. PGP NetShare is designed to encrypt files and folders used by collaboration teams. Entrust Entelligence Media Security is a file encryption application that will automatically encrypt data saved to specific folders. Many other file encryption products are available.
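Items #6 and #7 together, as an added example (PowerShell written for this page, not from the article): a folder restricted to one group by NTFS permissions and then encrypted with EFS. The folder path and the group name are assumptions; it assumes PowerShell 2.0 or later on Windows Vista or later, run from an elevated prompt.

```powershell
# Added example, not from the article: data-centric access control (#6) plus EFS (#7)
# on one folder. $folder and $group are assumed values; substitute your own.

$folder = 'D:\Projects\Confidential'       # assumed path
$group  = 'CONTOSO\Project-Team'           # assumed domain group

New-Item -ItemType Directory -Path $folder -Force | Out-Null

# --- #6: NTFS permissions tied to identity, not to where the user connects from ---
$acl = Get-Acl -Path $folder
# Break inheritance and discard the inherited entries so that 'Users: Read' from the
# parent does not quietly carry over ($true = protect, $false = do not copy).
$acl.SetAccessRuleProtection($true, $false)

$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

foreach ($entry in @(
        @{ Identity = $group;                   Rights = 'Modify' },
        @{ Identity = 'BUILTIN\Administrators'; Rights = 'FullControl' },
        @{ Identity = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' })) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $entry.Identity, $entry.Rights, $inherit, $propagate, 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $folder -AclObject $acl

# --- #7: EFS on the same folder -------------------------------------------------
# /e encrypts, /s:<dir> applies it to the whole tree; files created inside later
# inherit the encrypted attribute.
& cipher.exe /e /s:$folder | Out-Null

# Back up the EFS certificate and private key to efs-backup.pfx (cipher prompts for
# a password); move the .pfx off the machine, as the article recommends.
& cipher.exe /x "$env:USERPROFILE\efs-backup"

# Verify: only the three identities in the ACL, and the folder carries Encrypted.
(Get-Acl -Path $folder).Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
$attrs = (Get-Item -Path $folder).Attributes
if (($attrs -band [System.IO.FileAttributes]::Encrypted) -eq 0) {
    throw "EFS encryption was not applied to $folder"
}
"OK: $folder is restricted to $group and encrypted with EFS."
```

Two caveats a practitioner should keep in mind: members of Administrators can still take ownership and rewrite the ACL, so #6 restricts users, not local admins; and EFS protects the bytes on disk, not a file a legitimate user copies to an unencrypted location, which is what #10 (rights management) is for. On Vista and later, `cipher /adduser /certfile:<their .cer> <file>` is the command-line form of the sharing the article mentions.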
#8: Full disk encryption
Full disk encryption protects both portable and desktop computers in the borderless network environment by encrypting entire volumes. An example is the BitLocker feature that’s included in Windows Vista Ultimate and Enterprise editions. It can be used in conjunction with a Trusted Platform Module (TPM) hardware chip to prevent someone who steals or gains physical access to a computer from being able to boot the operating system or access the files on the volume, even by booting another instance of an OS.
BitLocker, unlike some disk-level encryption programs, encrypts the operating system partition, not just data partitions. This means the page file and temp files, which often contain copies of data that might be sensitive, are encrypted.
Third-party products, such as SafeGuard’s Easy Hard Disk Encryption, are also available.
#9: End-to-end encryption
File-level and full disk encryption protect the data only while it’s on the hard disk. To protect data when it’s traveling over the network, you can use IPsec, which operates at the network layer of the OSI model and thus requires no changes to or awareness of applications. IPsec can provide data encryption/confidentiality, authentication, or both; on Windows, peers authenticate each other with Kerberos, digital certificates, or a preshared key. IPsec is an open standard and is supported by modern Windows operating systems.
Data can also be protected in transit over the network by using a higher level encryption protocol, such as SSL/TLS. Transport Layer Security (TLS) is the successor to Secure Sockets Layer (SSL). Also based on public key encryption, SSL/TLS is often used for sending secure data to Web servers.
#10: Rights management
In the borderless network, security problems arise not just in regard to what data can be accessed by whom, but also in regard to what those with legitimate access do with that data once they receive it. Rights management attempts to control what a recipient of an e-mail message or document can do with it.
Windows Rights Management Services (RMS) can restrict the recipient’s ability to save, forward, copy, or change the data and can even set an expiration date so that the recipient can no longer even access the data after a specified time period. This helps prevent security leaks caused by deliberate or inadvertent mishandling of sensitive data.
Cross-company solutions for RMS are available from third-party companies such as GigaTrust.
View Full article...
Hot off the presses, Microsoft IT (aka MSIT) has published a case study around their use of Network Access Protection (aka NAP) --enabled with Windows Server 2008 -- to improve security and host policy compliance on our huge network.
Microsoft Improves Security Policy Compliance with Network Access Protection
Here's a brief synopsis of the paper:
With 71,000 highly mobile users worldwide, Microsoft wanted a new way to measure and improve its 300,000+ client computers’ compliance with corporate security policies. The company deployed Network Access Protection (NAP), a feature of the Windows Server® 2008 operating system, to improve the security policy compliance of its desktop computers, roaming portable computers, visiting portable computers, and unmanaged home computers. Now Microsoft is increasing compliance with security policies and adding efficiency to its security management process. The company also benefits from the scalability of NAP and the flexibility to deploy it for a variety of access scenarios—including virtual private network connections, Internet Protocol security access, and Dynamic Host Configuration Protocol address configurations—with varying levels of implementation.
One thing you'll likely note is MSIT is using IPsec as one of the main enforcement methods for our NAP deployment. This builds on the existing Server and Domain Isolation deployment MSIT completed a few years back.
Why is that important?
Well, if you're looking for things you can start doing today to get your network ready for the upcoming release of Windows Server 2008, consider evaluating Server and Domain Isolation.
It's already supported on WS03, XP, etc. and can help you lay out the enforcement scheme (with added security and compliance value even at this stage) for a future NAP deployment.
Happy reading!
A Windows XP system with Service Pack 1 installed, but with no subsequent patches applied, was hacked in six minutes by a security expert in London, according to C|Net on Tuesday. A Microsoft executive who watched the demonstration found himself both enlightened and frightened.
The Windows computer was not running a firewall, anti-virus, or anti-spyware software. The challenge was to connect over a local network and retrieve a text file of passwords. The attack succeeded in six minutes and the password file was downloaded in 11 minutes.
"If you were in (a cafe with Wi-Fi access), your coffee wouldn't even have cooled down yet," said Sharon Lemon, deputy director of SOCA's e-crime unit at the event sponsored by the UK's Get Safe Online. SOCA is the Serious Organized Crime Agency, a UK government intelligence group.
Another SOCA representative pointed out that the demonstration was "purely to point out that, if a system hasn't had patches, it's a relatively simple matter to hack into it." It's sensible, he added, to have SP2 applied, with all the current patches applied, and be running on a secure wireless network.
"In the demonstration we saw, it was both enlightening and frightening to witness the seeming ease of the attack on the (Windows) computer," said Nick McGrath, head of platform strategy for Microsoft. "But the computer was new, not updated, and not patched."
He also said that Vista is not as "accessible to the average hacker" due to "operating system components."
TMO notes that there are likely many XP computers (and Macs) out there that users have failed to update because they haven't understood the importance or haven't gotten around to it. This demonstration is a lesson for all Windows and Mac users: when the vendor publishes a patch, install it.
Source: MacObserver
Anyone looking for the next big thing for their start-up, or who just wants to learn what the new highlights of the security market are, should read WindowsSecurity.com's Ricky M. Magalhaes's article detailing his security trends for 2007. The list includes:
- Physical security
- Pre-Boot Authentication
- Encryption
- End point security
- Strong authentication
- VOIP Security
- Privacy
- Replication
- Deepscan application control
- Personal firewalls
- Application control
To read the full article: http://www.windowsecurity.com/articles/Security-Market-Trends-2007.html
I recommend that you read the following article on the Panda Labs site, published last Friday. It is a great example of how the low-lifes are thinking outside the box and coming up with very clever ways to get around our various online protections.
"Sometimes, when we speak about social engineering, we think about people at the other side of the phone trying to get our passwords to gain unauthorized access to our accounts. When this data is in their hands, panic spreads: intrusion on companies, espionage, identity theft…all the classic goals of this kind of attacks.
But let’s not forget the underlying reason of social engineering. Therefore, I particularly like the following definition, which I think is the essence of these attacks: “the art and science of getting people to comply with your wishes”.
Under the premise of this thinking, this week at PandaLabs we have discovered a new way to apply this concept. It is very simple and pleasant. You receive a small application on your desktop that shows a woman offering you a striptease."
For the Article @ Panda Labs Website: http://pandalabs.pandasecurity.com/archive/A-new-way-of-social-engineering.aspx
I've recently posted about David Davis's article on how to configure the new Windows Server 2008 Advanced Firewall MMC snap-in. This week, WindowsNetworking.com's David Davis has published a new article that guides you step by step through configuring the Windows Server 2008 Advanced Firewall (very similar to the one in Vista) using the netsh CLI.
Netsh advfirewall is the command-line tool for configuring the new Windows Server 2008 Advanced Firewall.
Why use the CLI interface to configure a Windows firewall?
While some people will prefer to use the graphical MMC snap-in to configure the new advanced firewall, others will prefer to do their configuration through the CLI for the following reasons:
- It’s faster – once you learn how to use the netsh advfirewall commands, it will be faster than clicking on the GUI.
- It can be scripted – you could script common functions you perform with this tool.
- Works when the GUI is not available – just like other CLI tools, you can use netsh advfirewall when the GUI is not available, such as on a Windows Server 2008 Server Core installation.
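What a scripted baseline looks like, as an added example (PowerShell written for this page, not code from David Davis's article or from Microsoft): it exports the current policy, turns the firewall on with a block-inbound default, enables drop logging, adds one scoped inbound rule, and adds a connection security rule that asks for IPsec with Kerberos computer authentication. That last rule is the Server and Domain Isolation building block mentioned in the MSIT NAP post above and the concrete form of the IPsec item in the borderless-network list. The management subnet, log path and rule names are assumptions; each netsh line also works verbatim at a cmd.exe prompt, including on Server Core.

```powershell
# Added example, not from the article: a netsh advfirewall baseline for a Windows
# Server 2008 member server, driven from an elevated PowerShell prompt.
# $mgmtSubnet, $log and the rule names are assumed values for this example.

function Invoke-Netsh {
    # Run one netsh command; stop the script if netsh reports failure so a typo in a
    # later rule never leaves the firewall half-configured.
    param([Parameter(Mandatory = $true)][string[]]$Arguments)
    $output = & netsh.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "netsh $($Arguments -join ' ') failed: $output"
    }
    $output
}

# 1. Save the current policy first; 'netsh advfirewall import <file>' puts it back.
$backup = Join-Path $env:TEMP ('advfirewall-{0:yyyyMMdd-HHmm}.wfw' -f (Get-Date))
Invoke-Netsh 'advfirewall', 'export', $backup | Out-Null

# 2. Firewall on in every profile, default inbound block and outbound allow.
Invoke-Netsh 'advfirewall', 'set', 'allprofiles', 'state', 'on' | Out-Null
Invoke-Netsh 'advfirewall', 'set', 'allprofiles', 'firewallpolicy', 'blockinbound,allowoutbound' | Out-Null

# 3. Log dropped connections so the host firewall feeds detection, not only prevention.
$log = "$env:SystemRoot\system32\LogFiles\Firewall\pfirewall.log"
Invoke-Netsh 'advfirewall', 'set', 'allprofiles', 'logging', 'droppedconnections', 'enable' | Out-Null
Invoke-Netsh 'advfirewall', 'set', 'allprofiles', 'logging', 'filename', $log | Out-Null

# 4. A scoped inbound rule: RDP only from the management subnet, only on the domain profile.
$mgmtSubnet = '10.10.0.0/24'   # assumed
Invoke-Netsh 'advfirewall', 'firewall', 'add', 'rule', 'name=AllowRdpFromMgmt',
    'dir=in', 'action=allow', 'protocol=TCP', 'localport=3389',
    "remoteip=$mgmtSubnet", 'profile=domain' | Out-Null

# 5. A connection security rule: request IPsec (Kerberos computer authentication) in
#    both directions. Once every domain member negotiates successfully, tighten to
#    action=requireinrequestout so unauthenticated inbound traffic is refused.
Invoke-Netsh 'advfirewall', 'consec', 'add', 'rule', 'name=DomainIsolation',
    'endpoint1=any', 'endpoint2=any', 'action=requestinrequestout',
    'auth1=computerkerb' | Out-Null

# 6. Review the result.
Invoke-Netsh 'advfirewall', 'show', 'allprofiles'
Invoke-Netsh 'advfirewall', 'firewall', 'show', 'rule', 'name=AllowRdpFromMgmt'
Invoke-Netsh 'advfirewall', 'consec', 'show', 'rule', 'name=DomainIsolation'
```

Start with request rather than require: a require rule on endpoint1=any/endpoint2=any also applies to hosts that cannot do Kerberos (non-domain machines, some printers and appliances), and those need either an exemption rule or certificate authentication before you flip the switch.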
Read the full article: http://www.windowsnetworking.com/articles_tutorials/Configure-Windows-2008-Advanced-Firewall-NETSH-CLI.html
Although this is a security blog, Terminal Services is already a well-known subject related to security. Because of this, I tend to scan the TS-related blogs and news sites searching for new information on the new TS platform in Server 2008.
The TS Team blog published yesterday a schedule of webcasts for November that will provide in-depth knowledge of the new TS platform in 2008. You are more than welcome to register and learn about the new amazing advantages like Web Gateway, RemoteApp, Session Broker, Easy Print and much more.
http://www.microsoft.com/events/series/windowsserver2008.aspx?tab=webcasts&id=42565
Presentation Virtualization with Terminal Services
Live Webcasts
TechNet Webcast: The Significance of the Windows Server 2008 Terminal Services Release to Market (Level 200)
Thursday, November 8, 2007
8:00 A.M.–9:30 A.M. Pacific Time
TechNet Webcast: Windows Server 2008 Terminal Services Session Broker (Level 300)
Tuesday, November 13, 2007
1:00 P.M.–2:30 P.M. Pacific Time
TechNet Webcast: Deploying Remote Programs with Windows Server 2008 Terminal Services (Level 300)
Wednesday, November 14, 2007
8:00 A.M.–9:30 A.M. Pacific Time
TechNet Webcast: Remote Desktop Protocol as a Presentation Remoting Platform (Level 300)
Wednesday, November 14, 2007
1:00 P.M.–2:30 P.M. Pacific Time
TechNet Webcast: Windows Server 2008 Terminal Services RemoteApp and Web Access (Level 300)
Tuesday, November 20, 2007
1:00 P.M.–2:30 P.M. Pacific Time
TechNet Webcast: Developing for Windows Server 2008 Terminal Services (Level 300)
Monday, November 26, 2007
9:30 A.M.–11:00 A.M. Pacific Time
TechNet Webcast: Terminal Services Easy Print (Level 300)
Tuesday, November 27, 2007
11:30 A.M.–1:00 P.M. Pacific Time
TechNet Webcast: Windows Server 2008 Terminal Services Security and Authentication (Level 300)
Wednesday, November 28, 2007
9:30 A.M.–11:00 A.M. Pacific Time
NAP Team's Jeff Sigman (Senior Program Manager) has posted on the NAP Blog some Q&A regarding the XP SP3 implementation of Network Access Protection.
Questions
Jeff’s (brilliant) Answers
Q: How do I get a copy of the BETA?
While it is on MSConnect, it is easier just to email me to get a copy. I have US-English and Language Neutral versions from the April 2007 Beta release. Remember, this is a BETA and is not officially supported (i.e. no QFEs); see XP SP3 info below.
Q: How will this actually release officially?
ONLY via Windows XP Service Pack 3.
Q: When will XP SP3 RTM?
1H CY2008
Q: Will you please ship it outside of SP3?
I am sorry, no.
Q: Why won’t you ship it outside of SP3?
In brief, the risk and cost to Windows was too high. NAP on XP changes 19+ core OS files (e.g. RAS, Wireless, EAP, etc) and we wouldn’t get the same testing coverage outside of SP3. Also, OOB releases are notoriously expensive to sustain. The code base would have to be maintained, orthogonally to XP itself, for 10+ years (i.e. MSRC’s). Wow.
Q: How does the XP client compare with Vista?
Read my cool blog post.
Q: Is it true that you brought all the great Vista Wired 802.1x features to XP?
Very true. Many customers have wanted Group Policy configuration for Wired 802.1x on XP. NAP gave us the needed business justification to pull it off in XP SP3.
Q: Will the NAP Client release for any other Microsoft O/S’s?
Not at this time. No support for Windows Bob, 3.x, 9x, ME, 2000 and/or 2003.
Q: What about Linux, Mac, etc?
Oh yeah baby, we have Linux right now. Mac is nearly here. This is the dude making it all happen.
Q: What administration tools are available in the XP Client?
Only the command-line (netsh.exe nap). The MMC was written in managed code and isn’t available on XP. Also, our assumption is that Group Policy / script is good enough for XP.
Q: What Active Directory schema changes are required, if any?
NAP, in general, does NOT require any AD schema updates. NAP fits in well with existing Server 2000/2003 deployments and simply requires a minimum of ONE Server 2008 computer (NAP Server / NPS).
However, in order to manage Vista (and XP SP3) Wired 802.1x settings a schema update may be required. If you are using Server 2008 AD, it is included. Server 2003 AD requires an updated schema.
Q: Will XP NAP honor my GP configuration settings just like Vista NAP (i.e. NAPAgent, QECs, etc)?
Yup!
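Since the Q&A says the only administration surface on XP is `netsh nap`, here is what that looks like in practice, as an added example (PowerShell written for this page, not from Jeff Sigman's Q&A or the MSIT case study above): it makes sure the NAP Agent service is running and enables the IPsec enforcement client, which is the enforcement method MSIT chose. The enforcement client ID is the one netsh lists for the IPsec Relying Party client; confirm it against the `show config` output on your own build. It assumes an elevated prompt on XP SP3 or Vista with the NAP client present.

```powershell
# Added example, not from the post: turn on the NAP client for IPsec enforcement using
# only the netsh nap context (the single admin surface on XP SP3). Run elevated.
# 79619 is the enforcement client ID netsh shows for the IPsec Relying Party; verify
# it with 'netsh nap client show config' before relying on it.

# 1. The NAP Agent service (napagent) is not started by default, and every enforcement
#    client depends on it to collect the statement of health.
Set-Service -Name napagent -StartupType Automatic
if ((Get-Service -Name napagent).Status -ne 'Running') {
    Start-Service -Name napagent
}

# 2. Enable the IPsec enforcement client locally. If Group Policy configures NAP, its
#    settings win over these; 'netsh nap client show grouppolicy' shows what it pushes.
$ipsecEnforcementId = 79619
& netsh.exe nap client set enforcement "id=$ipsecEnforcementId" admin=enable
if ($LASTEXITCODE -ne 0) {
    throw "Enabling NAP enforcement client $ipsecEnforcementId failed (exit $LASTEXITCODE)"
}

# 3. What the client is configured with, and what the NAP server last told it
#    (restricted or not restricted, and which enforcement clients are active).
& netsh.exe nap client show config
& netsh.exe nap client show state
```

With XP clients the check in step 3 is the whole feedback loop there is, so it is worth wrapping in a logon script that writes the `show state` output somewhere central until the Server 2008 NPS logs give you the view from the other side.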