WindowSecurity.com - Monthly Newsletter - June 2015

Welcome to the WindowSecurity.com newsletter by Richard Hicks (MCSE, MCITP:EA, Enterprise Security MVP), Technical Services Director for Celestix Networks. Each month we will bring you interesting and helpful information pertaining to Windows Security. We want to know what all of *you* are interested in hearing about, so please send your questions and suggestions for future newsletter content to winsec@richardhicks.com.

Take part in the WindowSecurity.com 2015 site survey for your chance to win a Pluralsight Annual Plus subscription

1. Editor's Corner

The hallmark of the Microsoft operating system is its rich, intuitive Graphical User Interface (GUI). The term “Windows”, after all, described Microsoft’s original vision for a GUI and is arguably what made the Microsoft desktop operating system so successful. When Microsoft began making network operating systems (server operating systems) in the early 1990’s, they naturally included the native Windows look and feel. The advantage of having a GUI for any platform is ease of use and administration. A properly designed GUI is easy to use and discoverable, and frees the operator from having to remember countless commands. Times are changing though. Today’s modern datacenter is highly virtualized, and the explosion of systems and devices precludes the individual management of each host via GUI. Administrators are using management tools that allow them to configure and manage many hosts at once, and do it remotely. Server Manager in Windows Server 2012 R2 can manage many servers from a single console, and PowerShell supports remoting. Combined with automated deployment and configuration tools, the need for a GUI on each server is rapidly declining. 

--Rich

Windows Server Core

Microsoft first introduced the concept of a GUI-less operating system beginning with Windows Server 2008. The “Server Core” configuration option installed a limited subset of the Windows operating system without a GUI. The first release of Server Core included support for just a few operating system roles. Nor was it possible to convert a Server Core installation to a full installation with the GUI if that was required in the future. Migrating from Server Core to full server required a complete wipe and reload of the operating system.

With each release Microsoft has been adding support for more roles, making the Server Core configuration a viable alternative for many workloads. Beginning with Windows Server 2012, the graphical shell and the graphical management tools are Windows features (Server-Gui-Shell and Server-Gui-Mgmt-Infra) that can be installed or removed at any time. This flexibility allows for the configuration of a server using the GUI, but then allows the administrator to remove the GUI prior to placing the server into production. This is a common scenario, as often the GUI is never needed after initial configuration.
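The conversion described above, as an added example that is not part of the original newsletter. It assumes an elevated PowerShell session on a Windows Server 2012 R2 full installation; the WIM path and image index in the final comment are placeholders for your own installation media.

```powershell
# Added example (not from the newsletter): convert a Windows Server 2012 R2 full-GUI
# installation to Server Core, then verify the result. Run from an elevated PowerShell session.
Import-Module ServerManager

# Show the two GUI features and their current install state
Get-WindowsFeature -Name Server-Gui-Shell, Server-Gui-Mgmt-Infra |
    Format-Table Name, DisplayName, InstallState -AutoSize

# Removing only Server-Gui-Shell leaves the "Minimal Server Interface" (Server Manager and
# MMC consoles, no Explorer shell or Internet Explorer). Removing both gives Server Core.
# Add -Remove to also delete the feature payload from the side-by-side store; that shrinks the
# footprint further but means reinstalling the GUI later requires source media (-Source).
Uninstall-WindowsFeature -Name Server-Gui-Shell, Server-Gui-Mgmt-Infra -Restart

# After the reboot, confirm both features report Removed/Available rather than Installed
(Get-WindowsFeature -Name Server-Gui-Shell, Server-Gui-Mgmt-Infra).InstallState

# To put the GUI back when the payload is still present:
#   Install-WindowsFeature -Name Server-Gui-Shell, Server-Gui-Mgmt-Infra -Restart
# If the payload was removed, point -Source at the install.wim of the matching build
# (the drive letter and image index below are assumptions; check them with Get-WindowsImage):
#   Install-WindowsFeature -Name Server-Gui-Shell, Server-Gui-Mgmt-Infra `
#       -Source wim:D:\sources\install.wim:4 -Restart
```

Run the inventory line before and after the change; the InstallState values are what you would put in a build checklist, and they are also a quick way to spot a production server that someone quietly converted back to the full GUI.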

Microsoft is aggressively pushing the use of Server Core. For example, Server Core is the default installation mode in the latest technical preview of Windows Server 2016. In fact, there are NO options to install the full GUI when performing the initial installation! You can still deploy Windows Server 2016 with the full GUI, but you’ll first have to install the operating system and add the GUI afterward.

So what are the advantages of deploying Windows in core mode? There are actually many. Server Core features a dramatically reduced footprint that saves disk space and improves system startup times. The attack surface is significantly reduced, which from a security perspective is very positive. With the removal of the full GUI and the applications and services a server does not need, such as Internet Explorer, a Server Core deployment requires much less servicing (patching), which reduces the need for server reboots and improves system availability and uptime.

There are a number of workloads that can benefit tremendously from Server Core. Infrastructure services such as domain controllers, DNS and DHCP servers, and file and print servers are excellent choices to be deployed on Server Core. Remote access servers (DirectAccess and VPN) are another common workload that can benefit from Server Core. Windows Server 2016 will include an installation mode called Nano Server that will be far leaner than even Server Core! This will be ideal for Hyper-V host servers. It is likely that Microsoft will include support for additional roles on Nano Server in the future, so stay tuned.

Looking ahead, I can say with confidence that the GUI on a server operating system will be a thing of the past in the not too distant future. It will be a legacy component included only for backward compatibility, with the future being GUI-less configuration with remote management by default. It’s time to start learning the command line and becoming familiar with automated deployment and management platforms. And in the end, all of this will be beneficial from a security perspective. Time to get on board and ditch the GUI! 

2. Bulletproof SSL and TLS

With recent revelations of widespread surveillance by government agencies, a strong push is on to encrypt all types of communication regardless of sensitivity. With the popularity and ubiquity of web-based communication, Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS) have quickly become the essential tools for protecting network communication in transit. 

Ivan Ristic, one of the foremost experts in the field of SSL and TLS, recently released a comprehensive guide for deploying secure web servers and applications using SSL and TLS. The book provides a valuable overview of the SSL and TLS protocols along with PKI, and also includes detailed, prescriptive guidance for configuring and deploying systems using SSL and TLS, both Windows and open source.

Order your copy of Bulletproof SSL and TLS today!



3. Microsoft Security Bulletins for June 2015

For the month of June Microsoft released 8 security bulletins: 2 rated critical and 6 important. Affected software includes Internet Explorer, Windows Media Player, Office, Exchange Server, and all supported versions of Windows. Of particular importance this month is MS15-056, a cumulative security update for Internet Explorer that addresses 24 individual vulnerabilities in IE. In addition, it has been reported that a Windows kernel-mode driver vulnerability addressed in MS15-061 was used in the successful, high-profile attack on Kaspersky Lab. For more information about June’s security bulletins click here.

4. Microsoft Security Advisories for June 2015

For the month of June, Microsoft released one new security advisory. Security advisory 2962393 addresses a vulnerability in the Juniper Networks Windows in-box Junos Pulse VPN client. In addition, Microsoft updated security advisory 2755801 to address updates for vulnerabilities in the Adobe Flash Player in Internet Explorer.


5. Security Articles of Interest

  1. This month Microsoft released their semi-annual Security Intelligence Report (SIR). Volume 18 of the SIR covers July to December 2014 (2H2014). The report includes valuable and detailed information about the current threat landscape and successful attacks on the Microsoft ecosystem. This report is required reading for anyone involved with information security.
    http://www.microsoft.com/sir/

  2. Included in the latest Microsoft SIR is a feature article entitled “The Life and Times of an Exploit”. Research indicates that the speed at which commercial exploit kits are taking advantage of newly disclosed vulnerabilities is rapidly increasing. As security administrators we’ll need to continue to be diligent with system updates and press to deploy patches sooner rather than later.
    http://blogs.microsoft.com/cybertrust/2015/05/18/the-life-and-times-of-an-exploit/

  3. Another vulnerability affecting SSL and TLS is putting the security of web browsers and SSL VPNs at risk. Dubbed “Logjam”, this latest flaw is similar to the FREAK attack: a man-in-the-middle can downgrade a Diffie-Hellman key exchange to export-grade 512-bit groups, and the same research shows that the widely shared 1024-bit groups are within reach of well-funded adversaries. While not trivial to exploit, organizations would be wise to mitigate this issue as soon as possible by disabling export cipher suites and moving to 2048-bit or larger DH groups, or to ECDHE.
    https://threatpost.com/new-logjam-attack-on-diffie-hellman-threatens-security-of-browsers-vpns/112916
    https://blog.cloudflare.com/logjam-the-latest-tls-vulnerability-explained/

  4. Microsoft’s public cloud platform, Azure, is continuing to gain momentum with regard to security and compliance. A while back, Azure became the first public cloud computing platform to conform to ISO/IEC 27018. Recently Azure added a number of important certifications including US Defense Information Systems Agency (DISA) Level 2, Japan Financial Industry Information Systems (FISC), New Zealand Government Chief Information Officer (GCIO), and Singapore Multi-Tier Cloud Security Standard (MTCS) Level 3 certifications.
    http://azure.microsoft.com/blog/2015/06/11/microsoft-azure-adds-global-array-of-new-certifications-including-us-dod-disa-level-2/

  5. Yes, the cloud seems to be getting a lot of attention these days. However, if you’re building your own on-premises private cloud you’ll be happy to know that the Windows Server 2012 R2 cryptographic modules are now FIPS 140-2 validated (the NIST list linked below covers both the retired FIPS 140-1 and the current FIPS 140-2 validations).
    http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm

  6. In an effort to provide continuing protection for its customers, Microsoft’s Malware Protection Center added three new malware families to the Malicious Software Removal Tool (MSRT) in the month of June.
    http://blogs.technet.com/b/mmpc/archive/2015/06/09/msrt-june-2015-brobandel.aspx

  7. As I outlined in last month’s WindowSecurity.com monthly newsletter, Windows 10 is going to include a number of important new security features. Also beginning with Windows 10, application developers can actively participate in malware defense through the new Antimalware Scan Interface (AMSI), which lets an application hand content such as scripts to the installed antimalware engine for scanning before it is executed.
    http://blogs.technet.com/b/mmpc/archive/2015/06/09/windows-10-to-offer-application-developers-new-malware-defenses.aspx

  8. Beginning with Windows 10, Microsoft is fundamentally changing the way it updates its operating systems and applications. To encourage the adoption of the latest updates, Microsoft will likely be limiting the availability of updates for outdated versions. While organizations don’t have to be the first ones to apply updates, they will have to move at some point in the future or risk being out of support. 
    http://www.computerworld.com/article/2935363/microsoft-windows/microsoft-swings-security-patch-stick-to-keep-customers-up-to-date-on-windows-10.html
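A check for the Logjam item (number 3 above), as an added example that is not from the newsletter or the linked articles: it opens a TLS connection from the Windows client you run it on and reports the key exchange the server negotiates, flagging finite-field Diffie-Hellman groups smaller than 2048 bits. The host names are placeholders.

```powershell
# Added example (not from the newsletter): probe a TLS server and report the negotiated
# key exchange. Flags finite-field DH groups below -MinimumDhBits. Host names are assumptions.
function Test-TlsKeyExchange {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 443,
        [int] $MinimumDhBits = 2048
    )
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any certificate: we are inspecting the handshake, not trusting the peer.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $result = [pscustomobject]@{
            HostName            = $HostName
            Protocol            = $null
            Cipher              = $null
            CipherStrength      = $null
            KeyExchange         = $null
            KeyExchangeStrength = $null
            WeakDh              = $false
            Error               = $null
        }
        try {
            $ssl.AuthenticateAsClient($HostName)
            $result.Protocol            = $ssl.SslProtocol
            $result.Cipher              = $ssl.CipherAlgorithm
            $result.CipherStrength      = $ssl.CipherStrength
            # Finite-field DH reports as DiffieHellman; ECDHE shows up as the raw value 44550.
            $result.KeyExchange         = $ssl.KeyExchangeAlgorithm
            $result.KeyExchangeStrength = $ssl.KeyExchangeStrength   # DH group size in bits
            $dh = [System.Security.Authentication.ExchangeAlgorithmType]::DiffieHellman
            if ($ssl.KeyExchangeAlgorithm -eq $dh -and $ssl.KeyExchangeStrength -lt $MinimumDhBits) {
                $result.WeakDh = $true
            }
        } catch {
            # A failed handshake is itself informative: Schannel with MS15-055 installed refuses
            # DHE groups under 1024 bits, so a server that only offers those will land here.
            $result.Error = $_.Exception.Message
        } finally {
            $ssl.Dispose()
        }
        return $result
    } finally {
        $client.Close()
    }
}

# Usage: the host names below are placeholders for your own VPN and web front ends
'vpn.example.com', 'www.example.com' |
    ForEach-Object { Test-TlsKeyExchange -HostName $_ } |
    Format-Table HostName, Protocol, KeyExchange, KeyExchangeStrength, WeakDh, Error -AutoSize
```

The caveat: this shows only what the server negotiates with this particular client. A server that still offers export-grade DHE to a client that asks for it will look fine here because a patched Windows client never asks, so pair this with a review of the server's cipher suite configuration or a dedicated Logjam scanner.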

6. WindowSecurity.com Articles of Interest

  1. Developing and Assessing your DLP Strategy - Part 4
  2. Product Review: Netwrix Auditor v7.0
  3. Video: Granting Elevated Privileges to users in Active Directory - Part 2
  4. Developing and Assessing your DLP Strategy - Part 3

7. Windows Security Tip of the Month

Windows Server Core, the installation configuration that does not include a full Graphical User Interface (GUI), is going to be the default option going forward starting with Windows Server 2016. In Server Core mode, all administration will have to be performed either at the command line on the host, or remotely using WMI, PowerShell, or remote system administration tools. To perform remote administration of a Windows Server 2016 server using a GUI, administrators will need to download and install the Remote Server Administration Tools (RSAT). Although installing the GUI on the server is still an option, in the future it may not be. It’s best to get on board with performing remote administration using these tools today. The RSAT for Windows 10 Technical Preview can be found here.
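The remote administration the tip describes, as an added example that is not part of the original newsletter: it runs from an administrator's workstation against a Server Core host using PowerShell remoting and CIM over WinRM, so no GUI on the server is involved. The host name and account are assumptions.

```powershell
# Added example (not from the newsletter): administer a Server Core host from a workstation.
# The server name and credential below are placeholders.
$server = 'core01.corp.example'          # hypothetical Server Core host
$cred   = Get-Credential 'CORP\admin'    # prompts for the password

# PowerShell remoting is on by default on Windows Server 2012 and later; if it was turned
# off, run Enable-PSRemoting -Force at the server console (or use sconfig) once.
# Confirm the WinRM listener answers before opening sessions.
Test-WSMan -ComputerName $server -Authentication Default -Credential $cred

# One-off command: which roles and features are installed on the core box
Invoke-Command -ComputerName $server -Credential $cred -ScriptBlock {
    Get-WindowsFeature | Where-Object Installed | Select-Object Name, DisplayName
}

# The same command fans out to many hosts at once; this is the "manage many hosts" case
$fleet = 'core01.corp.example', 'core02.corp.example'   # placeholders
Invoke-Command -ComputerName $fleet -Credential $cred -ScriptBlock {
    Get-Service -Name WinRM, W32Time | Select-Object Name, Status
} | Format-Table PSComputerName, Name, Status -AutoSize

# WMI (as CIM over WinRM): OS build, last boot and the most recent hotfixes, no shell needed
$cim = New-CimSession -ComputerName $server -Credential $cred
Get-CimInstance -CimSession $cim -ClassName Win32_OperatingSystem |
    Select-Object Caption, Version, LastBootUpTime
Get-CimInstance -CimSession $cim -ClassName Win32_QuickFixEngineering |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 5 HotFixID, InstalledOn
Remove-CimSession $cim

# Interactive session when a one-liner is not enough; type exit to return to the local prompt
Enter-PSSession -ComputerName $server -Credential $cred
```

Two security notes on this pattern: keep the management traffic on a Kerberos-authenticated domain path rather than adding hosts to TrustedHosts, and if you must reach a workgroup server use a WinRM HTTPS listener with -UseSSL so credentials and command output are protected in transit.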