WindowSecurity.com - Monthly Newsletter - August 2013

Welcome to the WindowSecurity.com newsletter by Richard Hicks (MCSE, MCITP:EA, MVP), Sales Engineering Director for Iron Networks. Each month we will bring you interesting and helpful information pertaining to Windows Security. We want to know what all of *you* are interested in hearing about, so please send your questions and suggestions for future newsletter content to winsec@richardhicks.com.

Editor's Corner

There has been a lot of discussion in security circles recently about potential scenarios that might play out after Microsoft officially ends support for the venerable Windows XP operating system on April 8, 2014. Some estimates place the number of XP systems still in service in the hundreds of millions and as high as half a billion, and there is potential for great risk in running Windows XP after support ends as Microsoft will no longer produce security updates for the operating system. If you're still running Windows XP today, it is most certainly time to consider upgrading to a modern operating system like Windows 8. In last month's newsletter I talked about some of the security improvements included in Windows 8. This month I'd like to outline some of the new security features of Microsoft's forthcoming Windows 8.1 release.

--Rich

New Security Features in Windows 8.1

With Microsoft moving at breakneck speed these days with regard to their product release cycle, Windows 8.1 will be released on October 18, 2013. Although it has been only a little more than a year since Windows 8 was released, there are some significant improvements to security in this new desktop operating system. While Windows 8 focused primarily on malware resistance, you'll see that the security improvements in the Windows 8.1 release are centered mostly on access control.

Biometrics – Microsoft has focused heavily on providing a first-class biometrics experience in Windows 8.1. There will be a biometric sign-in option for all Windows experiences, including the initial logon, remote access, and all remaining authentication prompts. In addition, Microsoft is enabling "touch to buy" options in Windows 8.1 for the Windows Store, Xbox Music, and Xbox Live. Microsoft has also been working with OEM hardware providers to ensure that fingerprint readers are more efficient than they have been in the past. The fingerprint readers expected to be delivered with Windows 8.1 hardware are now touch as opposed to swipe, making the registration and subsequent authentication process nearly instant. Modern fingerprint readers are also capacitive and have the ability to detect liveness, preventing the most common fingerprint spoofing attacks.

Multifactor Authentication – As Trusted Platform Module (TPM) becomes more ubiquitous, security features like virtual smart cards can be much more widely utilized. Windows 8 included support for virtual smart cards, and in Windows 8.1 virtual smart cards can now be deployed to non-domain joined systems. This has significant implications for Bring Your Own Device (BYOD) support, allowing organizations to much more effectively identify, authenticate, and authorize consumer devices used to access corporate data.

Certificate Handling – Certificates are essential for providing confidentiality, integrity, and non-repudiation. However, any solution that uses certificates is only as secure as the certificates themselves are trustworthy. To that end, Microsoft has included a number of advances in Windows 8.1 to ensure that certificates on the client are better protected. Certificates are now encrypted on the device, which prevents them from being exported (and yes, they can be exported even when they are marked as non-exportable!). Preventing certificate theft is important, of course, but ultimately the authenticity of the certificate is key to preventing certain kinds of attacks. To address this issue, Windows 8.1 now features TPM key attestation, allowing for the remote verification of certificates to confirm that a certificate was securely issued and encrypted on the device. In addition, Microsoft now has a cloud-based service that crawls the Internet gathering certificate telemetry for many web sites. This analysis service is used for detecting fraudulent certificates and alerting the owners of those certificates to potential compromise.

Workplace Join – To address the security challenges associated with BYOD, Windows 8.1, working together with Windows Server 2012 R2, now includes Workplace Join. Workplace Join is a feature that allows consumer devices to be joined to the domain. Users that participate in Workplace Join opt-in to having corporate policies enforced on their devices, enabling the coexistence of personal and work-related data on the same device. When a user elects to remove their device from the domain, security administrators can effect selective data wipe on the device, allowing for the removal of corporate data while leaving personal data intact.

Provable PC Health – Another compelling new security feature in Windows 8.1 is a cloud-based service that will be much more adept at detecting rootkits. This new service will gather boot and startup data such as measured boot information, integrity measurements of firmware, version and hash information for the OS loader, kernel-level files, and device drivers, as well as Action Center status information. The cloud service then provides remote attestation of system state, providing effective mitigation for attacks that attempt to defeat in-place secure boot features. If the system appears to be compromised, the service can make remediation suggestions such as using offline Windows Defender. Also, if there appears to be an identity-related compromise (e.g. a keystroke logger is detected), the user will be notified and instructed to perform remediation such as changing their password.

Additional Improvements – Windows Defender has been improved with the Windows 8.1 release. Windows Defender now includes network behavior monitoring, allowing it to identify and block patterns of communication that are commonly used by malicious software. Also, changes in the underlying operating system now allow for the scanning of ActiveX and other binary extensions used by Internet Explorer 11.

As you can see, in spite of the fact that there will have been only a little more than a year between the release of Windows 8 and Windows 8.1, there has been significant progress made on the security features of Windows 8.1. The biometric experience will be greatly improved, the trustworthiness of the platform will be better, end users and devices will be better authenticated, and new safeguards for corporate data will accelerate BYOD initiatives. The folks in Redmond have certainly been busy, and their efforts will result in a more secure computing experience going forward.

MS Exchange CON 2013 Virtual Conference

Just wanted to let you all know that our sister site MSExchange.org is hosting a Virtual Conference on September 12 where you can get your top MS Exchange questions answered.

Register here

  • Hear from a top analyst from Osterman Research with the latest survey research on MS Exchange top trends and challenges
  • Watch how vendors are solving some of the biggest Exchange Management problems
  • Get answers to your top MS Exchange and MS Exchange 2013 questions with an Exchange MVP

All from the convenience of your office.

Discover answers to questions like:

  • What are the key features of MS Exchange 2013?
  • How can we secure and better control our MS Exchange environment?
  • What are 5 strategies to better manage MS Exchange for 2013 and beyond?

This unique, online conference is limited to 1,000 participants, so register now if you have not already done so!

Windows Server 2012 Security from End to Edge and Beyond

If you're planning to deploy Windows Server 2012 now or in the future, be sure to order your copy of Windows Server 2012 Security from End to Edge and Beyond today. Written by veteran security authors Tom Shinder, Deb Shinder, and Yuri Diogenes, this book provides detailed, prescriptive guidance on how to architect, design, plan, and deploy Windows Server 2012 in a secure manner. This book covers all aspects of Windows Server 2012 security, including Active Directory and Certificate Services, Active Directory Federation Services (AD FS), Active Directory Rights Management Services (AD RMS), patch management, Hyper-V, remote access, and application, network, and cloud security.

This book is an essential reference for IT professionals and security administrators everywhere, so order now. You'll be glad you did!


Click here to order your copy today!

Microsoft Security Bulletins for August 2013

For the month of August, Microsoft has released 8 security bulletins, 3 of which are rated as critical. Affected software includes all supported Microsoft client and server operating systems, as well as Microsoft Exchange 2007, 2010, and 2013. There have been a number of reported issues with some of this month's updates. More detail on that later in this newsletter. For more information about August's security bulletins click here.

Security Articles of Interest

  1. As I mentioned earlier, there were a few reported issues with some of the Microsoft security updates this month. MS13-061, which affected Microsoft Exchange, and MS13-066, which affected AD FS 2.0, were both pulled by Microsoft until further notice. Although Microsoft security updates are generally quite stable, these issues underscore the importance of installing any software update in a controlled, non-production environment and testing thoroughly before deploying it into production.
    http://blogs.technet.com/b/exchange/archive/2013/08/14/exchange-2013-security-update-ms13-061-status-update.aspx

    http://blogs.technet.com/b/askds/archive/2013/08/15/important-announcement-ad-fs-2-0-and-ms13-066.aspx
  2. Does the sound of using an operating system with a perpetual zero-day vulnerability sound appealing to you? I hope not! However, if you are using Windows XP after the end of support date of April 8, 2014 (or more accurately, after the first monthly security update after that!), that is effectively what you will have. After Microsoft ends support for Windows XP next year they will no longer produce security updates for it. That doesn't mean there won't continue to be vulnerabilities, however. In fact, Microsoft themselves will be providing cybercriminals with potential details about XP vulnerabilities by virtue of releasing security updates for their remaining supported operating systems. How is that, you ask? Well, when Microsoft finds a vulnerability in Windows 8, for example, they also test other operating systems to determine if the vulnerability exists there as well. In some cases it does, and the security update is created accordingly. After support ends for Windows XP, that will no longer be the case. Cybercriminals will most certainly reverse engineer new security updates, as they do today, to determine where the affected code is located and develop an exploit for unpatched systems. If the vulnerability also exists in Windows XP, as it has in the past, then since Windows XP systems will never be patched, you have a perpetual zero-day on your hands. Not a good situation!
    http://www.computerworld.com/s/article/9241585/XP_s_retirement_will_be_hacker_heaven

  3. Last month Microsoft announced changes to certificate handling on the Windows platform. This month Microsoft made available an update to further enhance the security of digital certificates by restricting the use of the MD5 hashing algorithm for certificates that are part of the Microsoft Root program. The update will be made widely available next year, so now is a good time to begin assessing the impact and to start planning remediation efforts ahead of the deployment of this update.
    http://blogs.technet.com/b/srd/archive/2013/08/13/cryptographic-improvements-in-microsoft-windows.aspx

  4. In early August, Microsoft released security advisory 2876146 to address a known weakness in the PEAP-MS-CHAPv2 authentication protocol commonly used by Windows phones for Wi-Fi authentication. Wi-Fi security is always challenging, and in cases like this the usability feature of automatically connecting to Wi-Fi hotspots to which you've connected previously can be exploited by an attacker masquerading as a known access point. Not selecting the option to automatically connect can be somewhat helpful, but if the attacker is broadcasting an SSID that you know and/or trust, it will be difficult to detect this attack. To prevent this scenario from occurring, using a private access point such as internet sharing on your phone or a dedicated cellular hotspot with a unique SSID is probably your best defense.
    http://technet.microsoft.com/en-us/security/advisory/2876146

  5. A recently published research report from the Microsoft Security Engineering Center (MSEC) and the Microsoft Security Response Center (MSRC), aimed at observing the longer-term impact of security mitigations, indicates that Microsoft's efforts to reduce software vulnerabilities have been producing positive results. The study shows that the number of remote code execution (RCE) vulnerabilities has been steadily declining in recent years, and that most often vulnerabilities are exploited only after a security update is made available, an indication that cybercriminals are reverse engineering security updates in an effort to identify these vulnerabilities and develop attacks against systems that have not yet been updated. The report also shows that stack corruption vulnerabilities are down, and that "use after free" vulnerabilities are increasingly common, along with exploits that bypass mitigation technologies like Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR). You can download the report in PDF format here:
    http://download.microsoft.com/download/F/D/F/FDFBE532-91F2-4216-9916-2620967CEAF4/Software%20Vulnerability%20Exploitation%20Trends.pdf

  6. This whitepaper from Bit9 sheds light on one of the most prevalent security risks on the Internet today – Java. Java is nearly ubiquitous in spite of the fact that very few web sites require it these days. Unfortunately for us security administrators, it has proven to be quite vulnerable to security exploits and difficult to manage from an update perspective. Making matters worse, updating to a new version often leaves an older, vulnerability-ridden version in place for attackers to exploit. With the security advances being made by Microsoft at the operating system level, third party software in general, and Java in particular, are an increasingly popular target. Read this eye-opening report about the risks associated with Java, and then start planning to remove it from your environment as soon as possible. You'll be glad you did!
    https://www.bit9.com/download/reports/Java%20Vulnerabilities%20Write%20Once,%20Pwn%20Anywhere.pdf

  7. A recently discovered variant of the Rovnix bootkit revealed that a private TCP/IP stack is now part of the malware. Bootkits and rootkits are particularly insidious, as they have the ability to alter the operating system at such a low level as to make their detection nearly impossible. In the case of this recent discovery, including a TCP/IP implementation that is separate from the operating system allows the malware to communicate on the network without being detectable on the host itself. To reduce the impact of this and similar attacks, strong egress filtering should be employed. Authenticating proxies are excellent deterrents in situations like these, as this malware would most likely be attempting to communicate anonymously.
    http://blogs.technet.com/b/mmpc/archive/2013/07/25/the-evolution-of-ronvix-private-tcp-ip-stacks.aspx

  8. Cloud infrastructures provide many benefits, not the least of which is security. In fact, it appears that the NSA has come to realize this, recently stating that a migration to cloud-based services will yield a 90% reduction in administrative staff. An improved security posture is not one of the first benefits that comes to mind when considering the deployment of a cloud infrastructure, but with extreme automation being one of the tenets of a well-designed cloud, it's not surprising that the number of administrators can easily be reduced, which is always a good thing.
    http://arstechnica.com/information-technology/2013/08/nsa-directors-answer-to-security-first-lay-off-sysadmins/

WindowSecurity.com Articles of Interest

  1. Video: Change Management for Active Directory – Part 1
  2. Big Data: The Security Perspective – Part 1
  3. Pass-The-Hash: Protect your Windows Computers! – Part 1

Windows Security Tip of the Month

Controlling access to sensitive domain security groups is always a challenge. The Domain Admins group is the most common example, but there are other groups that might also be problematic. For example, many years ago I recall struggling to control the membership of a special group that had near-unlimited access to the Internet through my organization's secure web gateway. In addition to other security administrators adding themselves and their colleagues to this group, help desk administrators would often inadvertently add users to the group as well. A solution to the problem is to use Restricted Groups. Restricted Groups can be a simple and effective way to ensure the accurate membership of sensitive security groups in your domain. For more information about Restricted Groups, click here.
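As an added example (not part of the newsletter or Microsoft's documentation), the following PowerShell script reports drift between an approved membership baseline and the actual membership of sensitive groups, which is useful both before turning on Restricted Groups (to see what enforcement would change) and afterwards as a scheduled check. It assumes the ActiveDirectory module from RSAT is installed, and the group and account names in the baseline are placeholders for your own environment.

```powershell
# Added example, not from the newsletter: report drift between the approved membership
# of sensitive groups and their actual membership in Active Directory.
# Assumes the ActiveDirectory module (RSAT); group and account names are placeholders.
Import-Module ActiveDirectory

# Approved baseline (constructed placeholders): group name -> sAMAccountNames allowed in it.
$Baseline = @{
    'Domain Admins'         = @('Administrator', 'da-rhicks')
    'Web Gateway Unlimited' = @('svc-proxy-audit', 'da-rhicks')
}

function Get-GroupMembershipDrift {
    param([Parameter(Mandatory)][hashtable]$Baseline)

    foreach ($GroupName in $Baseline.Keys) {
        $Expected = @($Baseline[$GroupName])

        # -Recursive flattens nested groups, so a user who was slipped in through a nested
        # group is still reported. @() keeps $Actual an array even when the group is empty.
        $Actual = @(Get-ADGroupMember -Identity $GroupName -Recursive |
                    ForEach-Object { $_.SamAccountName })

        # Accounts present that the baseline does not allow: these are what Restricted Groups
        # "Members" enforcement would remove at the next policy refresh.
        foreach ($Account in $Actual) {
            if ($Expected -notcontains $Account) {
                [pscustomobject]@{ Group = $GroupName; Account = $Account; Status = 'Unexpected member' }
            }
        }

        # Approved accounts that are missing: these are what enforcement would add back.
        foreach ($Account in $Expected) {
            if ($Actual -notcontains $Account) {
                [pscustomobject]@{ Group = $GroupName; Account = $Account; Status = 'Missing member' }
            }
        }
    }
}

Get-GroupMembershipDrift -Baseline $Baseline | Format-Table -AutoSize
```

Note that the "Members" setting of a Restricted Groups policy enforces the exact list (anyone not listed is removed on refresh), while "Member Of" only adds the named accounts to the target groups; use the drift report above to confirm the baseline is complete before choosing "Members", or legitimate administrators will be removed.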