Microsoft Advanced Threat Analytics (ATA) Technical Preview Installation

Thursday, May 7, 2015

The following article covers the installation process of Microsoft Advanced Threat Analytics (ATA) Technical Preview. For simplicity, the ATA Center and the ATA Gateway will be installed on the same server. However, in a production environment it is recommended to install each role on a dedicated machine. Microsoft Advanced Threat Analytics (ATA) Technical Preview can be downloaded from the following link.

Prerequisites

1. Review the system and hardware requirements from the following link.

2. Install the latest Windows Update hotfixes. Note: Installation of Windows Server 2012 R2 Update (KB2919355) is a critical step for the success of...

Local Administrator Password Solution (LAPS) Now Available

Monday, May 4, 2015

“Microsoft is offering the Local Administrator Password Solution (LAPS) that provides a solution to the issue of using a common local account with an identical password on every computer in a domain. LAPS resolves this issue by setting a different, random password for the common local administrator account on every computer in the domain. Domain administrators using the solution can determine which users, such as helpdesk administrators, are authorized to read passwords. Compromised identical local account credentials could allow elevation of privilege if an attacker uses them to elevate from a local user/administrator to a domain/enterprise administrator. Local administrator...

Recommended Security HTTP Response Headers

Saturday, May 2, 2015

Below is a list of recommended security HTTP response headers:

Access-Control-Allow-Origin – e.g. Access-Control-Allow-Origin: http://test.example.com
Access-Control-Expose-Headers
Cache-Control
Content-Disposition – e.g. Content-Disposition: attachment; filename=myfile.html
Content-Encoding – e.g. Content-Encoding: gzip
Content-Length – e.g. Content-Length: 103
Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP – e.g. Content-Security-Policy: default-src 'self'
Content-Security-Policy-Report-Only (for debugging purposes only) – e.g. Content-Security-Policy-Report-Only: default-src 'self'; report-uri http://test.example.com/test.aspx
Content-Type – e.g. Content-Type: text/plain
Expires
P3P
Public-Key-Pins – e.g. Public-Key-Pins: pin-sha384="<sha384>"; pin-sha384="<sha384>"; max-age=15768000; includeSubDomains
Set-Cookie
Strict-Transport-Security – e.g. Strict-Transport-Security: max-age=16070400; includeSubDomains
X-Content-Type-Options – e.g. X-Content-Type-Options: nosniff
X-Download-Options – e.g. X-Download-Options: noopen
X-Frame-Options, Frame-Options – e.g. X-Frame-Options: deny...

How to Secure HTTP Cookies

Friday, May 1, 2015

The following article covers the main steps that need to be taken to secure HTTP cookies.

Cookie Name = Random name that changes each session (e.g. 256-bit GUID)
Domain = Web site FQDN (Fully Qualified Domain Name)
Path = / (or any relative directory)
Secure = True
HttpOnly = True
Expire = ASAP (As Soon As Possible)

Please note:

1. Avoid situations where sensitive information is saved in the HTTP cookie. In special cases, encrypt the sensitive information that is stored in the HTTP cookie by using the AES 256-bit algorithm. The encryption key should be replaced...

Best Practices On How to Secure HTTP Cache Control Headers

Tuesday, April 28, 2015

The following best practices cover the main settings that need to be set to avoid locally caching sensitive information such as credit card details, the authentication cookie, etc.

1. HTTP/1.1
Cache-Control: private, no-cache, no-store, must-revalidate, pre-check=0, post-check=0, max-age=0, s-maxage=0
Expires: 0

2. HTTP/1.0
Pragma: no-cache
Note: It is highly recommended to disallow the use of HTTP/1.0 on both the client and the server side.

3. HTTP/2
HTTP/2 offers compliance with HTTP/1.1 standards in a variety of areas. Because of this, the HTTP/1.1 cache control headers can be applied to HTTP/2 traffic. However, due to the fact that currently HTTP/2...